kernel panic: Proc-ful Page Fault in the Kernel at ADDR! [kernel] Vcoreid ADDR unsafe! (too big?)


syzbot
Jul 18, 2018, 2:00:04 PM
to aka...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: bf9a9ba0d6af Add panic_hwtf() for kernel faults
git tree: https://github.com/akaros/akaros.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=17ab0768400000
kernel config: https://syzkaller.appspot.com/x/.config?x=efef8cf2939304d3
dashboard link: https://syzkaller.appspot.com/bug?extid=6137a5c5f48c7a693a68
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6137a5...@syzkaller.appspotmail.com

kernel panic at kern/arch/x86/trap.c:309, from core 1: Proc-ful Page Fault in the Kernel at 0x000000000000001b!
[kernel] Vcoreid 134217728 unsafe! (too big?)
[kernel] Vcoreid 134217728 unsafe! (too big?)
17:55:04 executing program 7:
openat$net_tcp_2_status(0xffffffffffffff9c,
&(0x7f0000000040)='/net/tcp/2/status\x00', 0x12, 0x1, 0x0)
openat$dev_osversion(0xffffffffffffff9c,
&(0x7f0000000000)='/dev/osversion\x00', 0xf, 0x1, 0x0)
r0 = openat$proc_self_ctl(0xffffffffffffff9c,
&(0x7f0000000140)='/proc/self/ctl\x00', 0xf, 0x3, 0x0)
fstat(r0, &(0x7f0000000280))
openat$proc_self_syscall(0xffffffffffffff9c,
&(0x7f0000000100)='/proc/self/syscall\x00', 0x13, 0x1, 0x0)
HW TRAP frame at 0xfffffff000109d30 on core 1
rax 0x0000000000000000
rbx 0xffff8000159d4ae0
rcx 0xfffffff000109ea0
rdx 0xfffffff000109d6c
rbp 0xfffffff000109e38
rsi 0x0000000000000000
rdi 0xfffffff000109ea0
r8 0x0000000000000001
r9 0xffffffffc8790880
r10 0x0000000000000030
r11 0xffff800014e4d420
r12 0xffff800002182ac0
r13 0x0000000020000080
r14 0x0000000000000073
r15 0x0000000000000032
trap 0x0000000e Page Fault
gsbs 0xffffffffc8667c40
fsbs 0x0000000000000000
err 0x--------00000000
rip 0xffffffffc20583b4
cs 0x------------0008
flag 0x0000000000010246
rsp 0xfffffff000109df8
ss 0x------------0010
Backtrace of kernel context on Core 1:
#01 [<0xffffffffc20583b4>] in sys_readlink at src/syscall.c:2037
#02 [<0xffffffffc20593c9>] in syscall at src/syscall.c:2528
#03 [<0xffffffffc2059584>] in run_local_syscall at src/syscall.c:2563
#04 [<0xffffffffc2059ab9>] in prep_syscalls at src/syscall.c:2583
#05 [<0xffffffffc20ab29a>] in sysenter_callwrapper at arch/x86/trap.c:851
kernel panic at kern/arch/x86/trap.c:309, from core 2: Proc-ful Page Fault
in the Kernel at 0x00000002deadbac6!
HW TRAP frame at 0xfffffff0000cad00 on core 2
rax 0x0000000000000001
rbx 0x00000002deadbabe
rcx 0x0000000000000002
rdx 0x00000002deadbac6
rbp 0xfffffff0000cadc8
rsi 0x00000000ffffffff
rdi 0x00000002deadbac6
r8 0x0000000000000000
r9 0x0000000000000000
r10 0x000010000000a4c0
r11 0x0000000000000206
r12 0xffff800014ea4e60
r13 0x00000000ffffffff
r14 0x0000000000000002
r15 0xffff800014ea4ac0
trap 0x0000000e Page Fault
gsbs 0xffffffffc8667ec0
fsbs 0x0000000000000000
err 0x--------00000000
rip 0xffffffffc2007b17
cs 0x------------0008
flag 0x0000000000010206
rsp 0xfffffff0000cadc8
ss 0x------------0010
Backtrace of kernel context on Core 2:
#01 [<0xffffffffc2007b17>] in kref_put at include/kref.h:67
#02 [<0xffffffffc2007e96>] in remove_fd_tap at src/fdtap.c:136
#03 [< [inline] >] in handle_tap_req at src/syscall.c:2391
#03 [<0xffffffffc205870c>] in sys_tap_fds at src/syscall.c:2411
#04 [<0xffffffffc20593c9>] in syscall at src/syscall.c:2528
#05 [<0xffffffffc2059584>] in run_local_syscall at src/syscall.c:2563
#06 [<0xffffffffc2059ab9>] in prep_syscalls at src/syscall.c:2583
#07 [<0xffffffffc20ab29a>] in sysenter_callwrapper at arch/x86/trap.c:851
17:55:10 executing program 2:
r0 = openat$net_tcp_0_data(0xffffffffffffff9c,
&(0x7f0000000000)='/net/tcp/0/data\x00', 0x10, 0x3, 0x0)
fstat(r0, &(0x7f0000000140))
tcgetattr(r0, &(0x7f0000000080))
openat$net_ether0_1_ifstats(0xffffffffffffff9c,
&(0x7f0000000040)='/net/ether0/1/ifstats\x00', 0x16, 0x1, 0x0)
__get_km_tag bad canary: 00000000@0xffff800014f96018, buf 0xffff800014f96020, expected deadbabe
ffff800014f96000: [row lost to interleaved console output from other cores]
Entering Nanwan's Dungeon on Core 1 (Ints off):
Type 'help' for a list of commands.
ROS(Core 1)>
Entering Nanwan's Dungeon on Core 2 (Ints off):
ffff800014f96010: 40 a7 00 c2 ff ff ff ff 00 00 00 00 00 00 00 00  @...............
ffff800014f96020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
...
ffff800014f96070: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
ffff800014f96080: 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
ffff800014f96090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
...
kernel panic at kern/src/kmalloc.c:138, from core 0: Bad canary
Stack Backtrace on Core 0:
#01 [<0xffffffffc200a3e7>] in backtrace at src/kdebug.c:219
#02 [<0xffffffffc2009bb2>] in _panic at src/init.c:273
#03 [<0xffffffffc200a816>] in __get_km_tag at src/kmalloc.c:138
#04 [<0xffffffffc200ac0b>] in kfree at src/kmalloc.c:236
#05 [< [inline] >] in free_fd_set at src/ns/sysfile.c:1690
#05 [<0xffffffffc2041b1c>] in close_fdt at src/ns/sysfile.c:1833
#06 [<0xffffffffc204cfdf>] in proc_destroy at src/process.c:918
#07 [<0xffffffffc2056cc6>] in sys_proc_destroy at src/syscall.c:909
#08 [<0xffffffffc20593c9>] in syscall at src/syscall.c:2528
#09 [<0xffffffffc2059584>] in run_local_syscall at src/syscall.c:2563
#10 [<0xffffffffc2059ab9>] in prep_syscalls at src/syscall.c:2583
#11 [<0xffffffffc20ab29a>] in sysenter_callwrapper at arch/x86/trap.c:851


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
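The third panic in the report, "Bad canary" at kern/src/kmalloc.c:138, comes from the allocator validating the tag it keeps in front of every buffer before kfree touches it: the report shows the canary slot at buf - 8 holding 00000000 instead of deadbabe. The program below is an added illustration of that mechanism and is not Akaros code; the tag layout, the bump allocator over a static arena, and every function name are assumptions made for the example, while the canary value 0xdeadbabe and the buf - 8 offset are taken from the report. It shows the two corruption patterns such a check catches, a heap overflow from a neighbouring buffer and a double free, beside a clean buffer that passes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Value the report prints as "expected deadbabe". */
#define KMALLOC_CANARY 0xdeadbabeu

/*
 * Hypothetical allocation tag (not Akaros's real struct): 16 bytes in front
 * of every buffer, canary at buf - 8, matching the "@0x...18, buf 0x...20"
 * offsets in the report.
 */
struct km_tag {
	uint32_t size;    /* bytes requested by the caller */
	uint32_t flags;   /* unused; keeps the canary at buf - 8 */
	uint32_t canary;  /* KMALLOC_CANARY while the buffer is live */
	uint32_t pad;
};

/* Bump allocator over a static arena so neighbouring buffers are adjacent
 * deterministically (assumed for the example; a kernel would use a slab). */
static _Alignas(16) uint8_t arena[4096];
static size_t arena_used;

void km_reset(void)
{
	arena_used = 0;
	memset(arena, 0, sizeof(arena));
}

void *km_alloc(size_t size)
{
	size_t need = (sizeof(struct km_tag) + size + 15) & ~(size_t)15;
	if (arena_used + need > sizeof(arena))
		return NULL;
	struct km_tag *tag = (struct km_tag *)(arena + arena_used);
	arena_used += need;
	tag->size = (uint32_t)size;
	tag->flags = 0;
	tag->canary = KMALLOC_CANARY;
	tag->pad = 0;
	return tag + 1;            /* buffer starts right after the tag */
}

static struct km_tag *km_tag_of(void *buf)
{
	return (struct km_tag *)buf - 1;
}

/* The validation step that panicked in the report. Returns 1 if the tag is
 * intact, 0 otherwise; *found receives the value read from the canary slot. */
int km_check(void *buf, uint32_t *found)
{
	struct km_tag *tag = km_tag_of(buf);
	if (found)
		*found = tag->canary;
	return tag->canary == KMALLOC_CANARY;
}

/* Refuses to free a buffer whose tag fails validation and clears the canary on
 * success so that a second free of the same buffer fails. Returns 1 on success. */
int km_free(void *buf)
{
	if (!km_check(buf, NULL))
		return 0;
	km_tag_of(buf)->canary = 0;
	return 1;
}

/* Overflow: writing 48 bytes into a 24-byte buffer reaches the next buffer's
 * tag and zeroes its canary. Returns 1 if km_check catches it and reports 0,
 * the same value the report shows in the canary slot. */
int demo_overflow_caught(void)
{
	km_reset();
	char *a = km_alloc(24);    /* occupies a 48-byte chunk incl. tag */
	char *b = km_alloc(24);    /* b's tag begins at a + 32 */
	uint32_t seen = 0;
	memset(a, 0, 48);          /* 24 bytes past the end of a */
	return !km_check(b, &seen) && seen == 0;
}

/* Double free: the first km_free succeeds, the second fails the check. */
int demo_double_free_caught(void)
{
	km_reset();
	char *p = km_alloc(8);
	return km_free(p) == 1 && km_free(p) == 0;
}

/* A correctly used live buffer passes. */
int demo_clean(void)
{
	km_reset();
	char *p = km_alloc(32);
	memset(p, 'A', 32);        /* in-bounds write leaves the tag alone */
	return km_check(p, NULL);
}

int main(void)
{
	printf("overflow caught:    %d\n", demo_overflow_caught());
	printf("double free caught: %d\n", demo_double_free_caught());
	printf("clean buffer ok:    %d\n", demo_clean());
	return 0;
}
```

The check only fires on the free path, so a corrupted tag is reported at whichever kfree happens to walk over it (here close_fdt during proc_destroy), not at the write that caused it; pairing the canary with a debug-build poison of freed memory is what lets a use of stale memory show up as a fault on a recognisable pattern rather than as silent corruption.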

Barret Rhoden
Jul 19, 2018, 4:25:48 PM
to syzbot, aka...@googlegroups.com
On 2018-07-18 at 11:00 syzbot
#syz invalid