Gentoo's Bugzilla – Attachment 733003 Details for Bug 808408
guppy (ia64 dev box) needs a patch to avoid vmalloc() corruption
Attachment: 0001-ia64-ignore-VM_FLUSH_RESET_PERMS-to-survive-strace.patch
Description: 0001-ia64-ignore-VM_FLUSH_RESET_PERMS-to-survive-strace.patch
Filename: 0001-ia64-ignore-VM_FLUSH_RESET_PERMS-to-survive-strace.patch
MIME Type: text/plain
Creator: Sergei Trofimovich
Created: 2021-08-15 08:52:54 UTC
Size: 4.62 KB
Flags: patch, obsolete
From 7bca794d43ede4f73a09fd452bd9fe5b7362a53b Mon Sep 17 00:00:00 2001
From: Sergei Trofimovich <slyich@gmail.com>
Date: Sat, 24 Apr 2021 22:35:39 +0000
Subject: [PATCH] ia64: ignore VM_FLUSH_RESET_PERMS to survive strace

It's a workaround for https://bugs.gentoo.org/769614#c25 bug
where on ia64 VM_FLUSH_RESET_PERMS somehow manages to corrupt
vmalloc()ed memory. My theory is that ia64 lacks a TLB flush
somewhere. But I don't know where yet.

The reproducer is simple (extracted from strace testsuite):

    #include <unistd.h>
    #include <netinet/in.h>
    #include <sys/socket.h>
    #include <linux/filter.h>
    int
    main(void)
    {
        struct sock_filter bpf_filter[] = {
            BPF_STMT(BPF_RET|BPF_K, 0)
        };
        struct sock_fprog prog = {
            .len = 1,
            .filter = bpf_filter,
        };
        int fd = socket(AF_INET, SOCK_DGRAM, 0);
        setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &prog, sizeof(prog));
        return 0;
    }

    $ gcc bug.c -o bug; while ./bug; do echo again; done

Crashes ia64 box within seconds with:

    Unable to handle kernel NULL pointer dereference (address 0000000000000088)
    CPU: 0 PID: 9024 Comm: bash Not tainted 5.12.0-rc5-00115-ga85f4ff49085-dirty #256
    psr : 0000121008026030 ifs : 8000000000000288 ip : [<a00000010023b4e1>] Not tainted (5.12.0-rc5-00115-ga85f4ff49085-dirty)
    ip is at bpf_prog_free+0x21/0xe0
    unat: 0000000000000000 pfs : 0000000000000307 rsc : 0000000000000003
    rnat: 0000000000000000 bsps: 0000000000000000 pr : 696a6a56956a6955
    ldrs: 0000000000000000 ccv : 0000000000000200 fpsr: 0009804c0270033f
    csd : 0000000000000000 ssd : 0000000000000000
    b0 : a000000100e97780 b6 : a000000100e976e0 b7 : a00000010000cf70
    f6 : 1003e0000000000000001 f7 : 1003e0000000002e6cf0f
    f8 : 1003e0000000000000001 f9 : 1003e0000000000000098
    f10 : 1003e0000000000000098 f11 : 1003efffffffffffffff0
    r1 : a00000010194ebc0 r2 : a000000211048004 r3 : 0000000000000000
    r8 : 0000000000000008 r9 : e0000001274f0a80 r10 : a0000001017586c4
    r11 : a000000101492bf8 r12 : e000000127e4fb60 r13 : e000000127e40000
    r14 : 0000000000000088 r15 : a000000211048040 r16 : a000000100e976e0
    r17 : fffffffffffcce50 r18 : 0000001008022030 r19 : 0000000000000000
    r20 : e000000127e4fb50 r21 : 0000000000004000 r22 : e000000127e410a0
    r23 : 0000000000000101 r24 : 0000000000000100 r25 : 9e1f8354bb6453a3
    r26 : 9e1f8354bb6453a3 r27 : 100b4f27010000e0 r28 : 8e14cc73ba645343
    r29 : 0000000000000000 r30 : e0000001274f0a80 r31 : e0000001274f0a80
    b0: sk_filter_release_rcu+0xa0/0x120
    Call Trace:
    [<a000000100015110>] show_stack+0x90/0xc0
    [<a000000100015850>] show_regs+0x710/0xa80
    [<a000000100028940>] die+0x1e0/0x3c0
    [<a00000010005d800>] ia64_do_page_fault+0x820/0xb80
    [<a00000010000c960>] ia64_leave_kernel+0x0/0x270
    [<a00000010023b4e0>] bpf_prog_free+0x20/0xe0
    [<a000000100e97780>] sk_filter_release_rcu+0xa0/0x120
    [<a00000010018f480>] rcu_core+0x8c0/0x1440
    [<a000000100190020>] rcu_core_si+0x20/0x40
    [<a00000010118c3d0>] __do_softirq+0x230/0x650
    [<a000000100079670>] irq_exit+0x170/0x200
    [<a000000100013970>] ia64_handle_irq+0x1b0/0x360
    [<a00000010000c960>] ia64_leave_kernel+0x0/0x270
    [<a0000001008e2320>] memset+0x160/0x420
    [<a0000001003f1970>] __kernel_poison_pages+0xd0/0x140
    [<a0000001003baff0>] free_pcp_prepare+0x530/0x600
    [<a0000001003c0770>] free_unref_page_list+0x90/0x480
    [<a0000001003097a0>] release_pages+0xd40/0x13e0
    [<a0000001003d5190>] free_pages_and_swap_cache+0x110/0x2c0
    [<a000000100398660>] tlb_finish_mmu+0x100/0x2e0
    [<a000000100392460>] exit_mmap+0x180/0x320
    [<a000000100061f60>] mmput+0xc0/0x240
    [<a000000100463340>] begin_new_exec+0xfa0/0x1d20
    [<a000000100584120>] load_elf_binary+0x400/0x2a40
    [<a000000100461240>] bprm_execve+0x560/0xde0
    [<a000000100461d70>] do_execveat_common+0x2b0/0x320
    [<a000000100464100>] sys_execve+0x40/0x60
    [<a00000010000bee0>] ia64_execve+0x20/0x120
    [<a00000010000c7e0>] ia64_ret_from_syscall+0x0/0x20
    [<a000000000040720>] ia64_ivt+0xffffffff00040720/0x400
---
 mm/vmalloc.c | 3 +++
 1 file changed, 3 insertions(+)
> >diff --git a/mm/vmalloc.c b/mm/vmalloc.c >index 9569b2b36233..c526379ac33d 100644 >--- a/mm/vmalloc.c >+++ b/mm/vmalloc.c >@@ -2511,6 +2511,9 @@ static void vm_remove_mappings(struct vm_struct *area, int deallocate_pages) > > remove_vm_area(area->addr); > >+ /* workaround mysterious double-free on vmalloc() for bpf. */ >+ return; >+ > /* If this is not VM_FLUSH_RESET_PERMS memory, no need for the below. */ > if (!flush_reset) > return; >-- >2.32.0 >
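Review bot: the unconditional `return;` added right after `remove_vm_area(area->addr);` does much more than the subject line "ignore VM_FLUSH_RESET_PERMS" says: it makes the following `if (!flush_reset) return;` and everything after it in vm_remove_mappings() unreachable for every caller on every architecture, not just for VM_FLUSH_RESET_PERMS areas on ia64. The code being skipped is what resets the direct-map aliases of pages that were made executable or read-only (BPF JIT images, module text) back to their default permissions and flushes them from the TLB before the pages return to the page allocator, so with this applied freed pages keep stale permissions in the direct map; that is a W^X regression, not a no-op, and the comment "workaround mysterious double-free on vmalloc() for bpf" does not say so. If it has to stay in as a debugging workaround, gate it on the architecture (for example wrap the `return;` in `#ifdef CONFIG_IA64`) so other arches keep the reset, and make the comment match the evidence in the commit message, which shows a NULL pointer dereference in bpf_prog_free() rather than a double-free.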