kernel panic: Proc-ful Page Fault in the Kernel at ADDR!P


syzbot

Jul 18, 2018, 2:44:02 PM7/18/18
to aka...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: bf9a9ba0d6af Add panic_hwtf() for kernel faults
git tree: https://github.com/akaros/akaros.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=11a9a9a4400000
kernel config: https://syzkaller.appspot.com/x/.config?x=efef8cf2939304d3
dashboard link: https://syzkaller.appspot.com/bug?extid=fa66287dd2d09cb5b288
compiler:

Unfortunately, I don't have any reproducer for this crash yet. Note that both cores (1 and 2) fault at the same rip in sys_readlink (src/syscall.c:2037), reached via sysenter_callwrapper, on address 0x1b with a page-fault error code of 0 (kernel-mode read of a not-present page) — consistent with dereferencing a near-NULL pointer — so a user-issued readlink syscall appears to be enough to panic the kernel.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fa6628...@syzkaller.appspotmail.com

kernel panic at kern/arch/x86/trap.c:309, from core 1: Proc-ful Page Fault
in the Kernel at 0x000000000000001b!P
rHW TRAP frame at 0xfffffff000127d30 on core 1
rax 0x0000000000000000
a rbx 0xffff8000049868e0
x 0xfffffff000127ea0
rcx 0xfffffff000127ea0
000127d30 on core 1
00000001b!mnt: pro current->texc current->text 18446744072670170541:
mismatch ft 1844674407rom #pipe./data1 /net/cs rep 0x0xffff80000 rsi
0x0000000000000000
d404020 rsi 0x0000000000000000
rdi 0xfffffff000127ea0
t r8 0x0000000000000001
a r9 0xffffffg ffc8790880
2 fid 27 r10 0x0000000000000040
4 r11 T112 R111 rp0xffff800003c8ef20
r12 0xffff800002182ac0
2 r13 0x00000000200000c0
r14 0x00000000000000718m r15 0x0000000000000039
446744072670170541: mismatch from #pip e./data1 /net/cs rep
0x0xffff80000d404020. tag 2 fid 274 T120 R11/3 rp 2
p 2
18:43:26 executing program 3:
openat$net_ipifc_0_status(0xffffffffffffff9c,
&(0x7f0000000000)='/net/ipifc/0/status\x00', 0x14, 0x1, 0x0)
mmap(&(0x7f000054b000/0x2000)=nil, 0x2000, 0x6, 0x8000002035,
0xffffffffffffff9c, 0x0)
1 /net/cs rep 0x0xf trap 0x0000000e Page Fault
gsbs 0xffffffffc8667c40
fsbs 0x0000000000000000
err 0x--------00000000
rip 0xffffffffc20583b4
cs 0x------------0008
flag 0x0000000000010246
rsp 0xfffffff000127df8
ss 0x------------0010
Backtrace of kernel context on Core 1:
#01 [<0xffffffffc20583b4>] in sys_readlink at src/syscall.c:2037
#02 [<0xffffffffc20593c9>] in syscall at src/syscall.c:2528
#03 [<0xffffffffc2059584>] in run_local_syscall at src/syscall.c:2563
#04 [<0xffffffffc2059ab9>] in prep_syscalls at src/syscall.c:2583
#05 [<0xffffffffc20ab29a>] in sysenter_callwrapper at arch/x86/trap.c:851
kernel panic at kern/arch/x86/trap.c:309, from core 2: Proc-ful Page Fault
in the Kernel at 0x000000000000001b!
HW TRAP frame at 0xfffffff0000b8d30 on core 2
rax 0x0000000000000000
rbx 0xffff800014e622e0
rcx 0xfffffff0000b8ea0
rdx 0xfffffff0000b8d6c
rbp 0xfffffff0000b8e38
rsi 0x0000000000000000
rdi 0xfffffff0000b8ea0
r8 0x0000000000000001
r9 0xffffffffc8790880
r10 0x0000000000000030
18:43:29 executing program 5:
r0 = openat$dev_zero(0xffffffffffffff9c, &(0x7f0000000040)='/dev/zero\x00',
0x1f0, 0x1, 0x0)
openat$net_tcp_2_ctl(0xffffffffffffff9c,
&(0x7f0000000140)='/net/tcp/2/ctl\x00', 0xf, 0x3, 0x0)
openat$proc_self_args(0xffffffffffffff9c,
&(0x7f0000000080)='/proc/self/args\x00', 0x10, 0x3, 0x0)
tcgetattr(r0, &(0x7f0000000100))
r11 0xffff800015aee3a0
r12 0xffff800002175e80
18:43:29 executing program 2:
mprotect(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x0)
openat$net_tcp_1_listen(0xffffffffffffff9c,
&(0x7f0000000100)='/net/tcp/1/listen\x00', 0x12, 0x3, 0x0)
openat$prof_mpstat_raw(0xffffffffffffff9c,
&(0x7f0000000000)='/prof/mpstat-raw\x00', 0x11, 0x3, 0x0)
openat$net_tcp_2_data(0xffffffffffffff9c,
&(0x7f0000000040)='/net/tcp/2/data\x00', 0x10, 0x3, 0x0)
18:43:29 executing program 4:
r0 = openat$net_ether0_1_ifstats(0xffffffffffffff9c,
&(0x7f0000000000)='/net/ether0/1/ifstats\x00', 0x1bb, 0x1, 0x0)
llseek(r0, 0x3, 0xfffffffffffffe00, &(0x7f0000000040), 0x0)
18:43:29 executing program 0:
r0 = openat$net_icmpv6_stats(0xffffffffffffff9c,
&(0x7f0000000240)='/net/icmpv6/stats\x00', 0x12, 0x1, 0x0)
fd2path(r0, &(0x7f00000012c0)=""/4096, 0x1f13)
r1 = openat$dev_drivers(0xffffffffffffff9c,
&(0x7f0000000000)='/dev/drivers\x00', 0xd, 0x1, 0x0)
openat$prof_kpdata(0xffffffffffffff9c,
&(0x7f0000000100)='/prof/kpdata\x00', 0xd, 0x3, 0x0)
openat$dev_caphash(0xffffffffffffff9c,
&(0x7f0000000140)='/dev/caphash\x00', 0xd, 0x3, 0x0)
openat$net_cs(0xffffffffffffff9c, &(0x7f0000000180)='/net/cs\x00', 0x8,
0x3, 0x0)
r2 = proc_create(&(0x7f0000000040)='./file0\x00', 0x8,
&(0x7f0000000080)='\x00', 0x1, 0x0)
dup_fds_to(r2, &(0x7f00000000c0)=[{r0}, {r1}], 0x2)
r13 0x0000000020000300
18:43:29 executing program 7:
r0 = openat(0xffffffffffffffff, &(0x7f00000000c0)='./file0\x00', 0x8,
0x11040, 0x0)
openat$proc_self_maps(0xffffffffffffff9c,
&(0x7f0000000200)='/proc/self/maps\x00', 0x10, 0x1, 0x0)
openat(r0, &(0x7f0000000180)='./file0\x00', 0x8, 0xc0, 0xc4)
nbind(&(0x7f0000000000)='./file0\x00', 0xfffffffffffffe0d,
&(0x7f0000000080)='./file0/file1\x00', 0xffffffffffffff11, 0x1)
nbind(&(0x7f0000000140)='./file0/file1\x00', 0xb,
&(0x7f0000000100)='./file0/file0\x00', 0xe, 0x0)
openat$net_udp_0_status(0xffffffffffffff9c,
&(0x7f0000000040)='/net/udp/0/status\x00', 0x12, 0x1, 0x0)
openat$dev_time(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/time\x00', 0xa,
0x3, 0x0)
18:43:29 executing program 6:
openat$dev_urandom(0xffffffffffffff9c,
&(0x7f0000000040)='/dev/urandom\x00', 0xd, 0x1, 0x0)
openat$net_ipifc_0_ctl(0xffffffffffffff9c,
&(0x7f0000000000)='/net/ipifc/0/ctl\x00', 0xfffffffffffffd81, 0x3, 0x0)
18:43:29 executing program 1:
r0 = openat$net_tcp_stats(0xffffffffffffff9c,
&(0x7f00000000c0)='/net/tcp/stats\x00', 0xf, 0x1, 0x0)
openat$prof_mpstat(0xffffffffffffff9c,
&(0x7f0000000000)='/prof/mpstat\x00', 0xd, 0x3, 0x0)
fcntl$F_SETFL(r0, 0x4, 0x0)
openat$proc_self_fd(0xffffffffffffff9c,
&(0x7f0000000080)='/proc/self/fd\x00', 0xe, 0x1, 0x0)
r14 0x0000000000000073
r15 0x0000000000000012
trap 0x0000000e Page Fault
gsbs 0xffffffffc8667ec0
fsbs 0x0000000000000000
err 0x--------00000000
rip 0xffffffffc20583b4
cs 0x------------0008
flag 0x0000000000010246
rsp 0xfffffff0000b8df8
ss 0x------------0010
Backtrace of kernel context on Core 2:
#01 [<0xffffffffc20583b4>] in sys_readlink at src/syscall.c:2037
#02 [<0xffffffffc20593c9>] in syscall at src/syscall.c:2528
#03 [<0xffffffffc2059584>] in run_local_syscall at src/syscall.c:2563
#04 [<0xffffffffc2059ab9>] in prep_syscalls at src/syscall.c:2583
#05 [<0xffffffffc20ab29a>] in sysenter_callwrapper at arch/x86/trap.c:851
18:43:32 executing program 3:
r0 = openat$net_ipifc_0_status(0xffffffffffffff9c,
&(0x7f0000000080)='/net/ipifc/0/status\x00', 0x14, 0x1, 0x0)
fchdir(0x0, r0)
stat(&(0x7f0000000140)='./file0\x00', 0xfffffffffffffe0d, &(0x7f0000000340))


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

Barret Rhoden

Jul 19, 2018, 4:25:18 PM7/19/18
to syzbot, aka...@googlegroups.com
On 2018-07-18 at 11:44 syzbot wrote:
#syz invalid