kernel panic: Proc-ful Page Fault in thPe Keroc-furnel at 0x00l ADDR!Pa


syzbot

Jul 18, 2018, 8:00:04 PM
to aka...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: bf9a9ba0d6af Add panic_hwtf() for kernel faults
git tree: https://github.com/akaros/akaros.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=125c9bb2400000
kernel config: https://syzkaller.appspot.com/x/.config?x=efef8cf2939304d3
dashboard link: https://syzkaller.appspot.com/bug?extid=eb9f5bbd0a113cc4efc6
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+eb9f5b...@syzkaller.appspotmail.com

kernel panic at kern/arch/x86/trap.c:309, from core 3: Proc-ful Page Fault
in thPe Keroc-furnel at 0x00l 007f80096a3bd0!Pa
gHWe at TRAP 0xf framefffff f000070cc0a on cotre 3
0090xfffffff000070cc0 on core 3
6 rax 0x0a3bd0!00[ker07f7nfffa01200
e rl]b user addr 0 badx000000002 0x rcx 0xffff80000324e870
f ffffff000070 rddx 0f0x
f00f0fffff000140070 0df0
(+ rbp 0xfffffff000070d88
0x rsi 0d97x00007f80096a3bd0
rdi 0xffff800002186dc0
d r8 0bx00e7e0000009b7a900000001
697 r9 0x0000000000000000
) r10 0x000010000000a4c0
r11 0x0000000000000206
i r12 0xffff800002186dc0
n r13 0xffff800002186dc0
r14 0xfffffff000070df0
20:14:25 executing program 2:
openat$net_ether0_1_ctl(0xffffffffffffff9c,
&(0x7f0000000000)='/net/ether0/1/ctl\x00', 0x12, 0x3, 0x0)
20:14:25 executing program 0:
openat$net_tcp_1_ctl(0xffffffffffffff9c,
&(0x7f0000000040)='/net/tcp/1/ctl\x00', 0xf, 0x3, 0x0)
r0 = openat$net_tcp_1_ctl(0xffffffffffffff9c,
&(0x7f0000000000)='/net/tcp/1/ctl\x00', 0xf, 0x3, 0x0)
fcntl$F_GETFL(r0, 0x3)
20:14:25 executing program 3:
r0 = openat$net_ether0_1_data(0xffffffffffffff9c,
&(0x7f0000000000)='/net/ether0/1/data\x00', 0x13, 0x3, 0x0)
fcntl$F_GETFD(r0, 0x1)
20:14:25 executing program 1:
r0 = openat$dev_pid(0xffffffffffffff9c, &(0x7f0000000540)='/dev/pid\x00',
0x9, 0x1, 0x0)
close(r0)
openat$dev_caphash(0xffffffffffffff9c,
&(0x7f0000000000)='/dev/caphash\x00', 0xd, 0x3, 0x0)
openat$dev_hostowner(0xffffffffffffff9c,
&(0x7f0000000040)='/dev/hostowner\x00', 0xf, 0x3, 0x0)
20:14:25 executing program 5:
openat$dev_user(0xffffffffffffff9c, &(0x7f0000000000)='/dev/user\x00', 0xa,
0x3, 0x0)
r0 = openat$net_ether0_stats(0xffffffffffffff9c,
&(0x7f0000000100)='/net/ether0/stats\x00', 0x2f5, 0x1, 0x0)
openat$net_ether0_2_data(0xffffffffffffff9c,
&(0x7f0000000080)='/net/ether0/2/data\x00', 0x13, 0x3, 0x0)
fstat(r0, &(0x7f0000000140))
openat$dev_stdout(0xffffffffffffff9c, &(0x7f0000000040)='/dev/stdout\x00',
0xc, 0x3, 0x0)
s r15 0x0000000000000008
y trap 0x0000000e Page Fault
s gsbs 0xffffffffc8668140
_ fsbs 0x0000000000000000
fd2path (user bug)
[kernel] bad user addr 0x0000000020000140 (+0xd97dbe7e9b7a9697) k
sys_fd2path (in sys_fd2path (user bug)
user bug)
20:14:25 executing program 7:
r0 = openat$proc_self_strace_traceset(0xffffffffffffff9c,
&(0x7f0000000000)='/proc/self/strace_traceset\x00', 0x1b, 0x3, 0x0)
openat$dev_swap(0xffffffffffffff9c, &(0x7f0000000100)='/dev/swap\x00', 0xa,
0x3, 0x0)
close(r0)
openat$proc_self_ctl(0xffffffffffffff9c,
&(0x7f0000000040)='/proc/self/ctl\x00', 0xf, 0x3, 0x0)
openat$net_ether0_2_data(0xffffffffffffff9c,
&(0x7f0000000080)='/net/ether0/2/data\x00', 0x13, 0x3, 0x0)
rip 0xffffffffc2007019
cs 0x------------0008
flag 0x0000000000010286
rsp 0xfffffff000070d88
ss 0x------------0010
Backtrace of kernel context on Core 3:
#01 [<0xffffffffc2007019>] in post_ev_msg.isra.1 at src/event.c:82
#02 [< [inline] >] in post_vc_msg at src/event.c:106
#02 [<0xffffffffc2007896>] in post_vcore_event at src/event.c:489
#03 [<0xffffffffc20571c2>] in sys_self_notify at src/syscall.c:1506
#04 [<0xffffffffc20593c9>] in syscall at src/syscall.c:2528
#05 [<0xffffffffc2059584>] in run_local_syscall at src/syscall.c:2563
#06 [<0xffffffffc2059ab9>] in prep_syscalls at src/syscall.c:2583
#07 [<0xffffffffc20ab29a>] in sysenter_callwrapper at arch/x86/trap.c:851
20:14:29 executing program 6:
r0 = openat$net_ipifc_1_data(0xffffffffffffff9c,
&(0x7f0000000200)='/net/ipifc/1/data\x00', 0x12, 0x3, 0x0)
openat$proc_self_user(0xffffffffffffff9c,
&(0x7f0000000100)='/proc/self/user\x00', 0x10, 0x1, 0x0)
openat$dev_user(0xffffffffffffff9c, &(0x7f0000000140)='/dev/user\x00',
0x2f3, 0x3, 0x0)
fcntl$F_GETFL(r0, 0x3)
self_notify(0x6, 0x1d, &(0x7f0000000080)={0x6, 0x1ff, 0x3,
&(0x7f0000000040)="d19b3c768abe105fa479192ab95b6876ac0bc539cff59543fecac91ffa0d023e24ac140005d906dca3c022b0f8d87635b1ba876f01409c75",
0x1}, 0x1)
openat$proc_self_core(0xffffffffffffff9c,
&(0x7f00000000c0)='/proc/self/core\x00', 0x10, 0x1, 0x0)
20:14:29 executing program 1:
openat$net_tcp_0_status(0xffffffffffffff9c,
&(0x7f00000000c0)='/net/tcp/0/status\x00', 0xfffffffffffffde6, 0x1, 0x0)
openat$prof_kptrace(0xffffffffffffff9c,
&(0x7f0000000000)='/prof/kptrace\x00', 0xe, 0x3, 0x0)
openat$dev_zero(0xffffffffffffff9c, &(0x7f0000000040)='/dev/zero\x00', 0xa,
0x1, 0x0)
20:14:29 executing program 4:
r0 = openat$net_tcp_2_err(0xffffffffffffff9c,
&(0x7f0000000040)='/net/tcp/2/err\x00', 0xf, 0x3, 0x0)
r1 = openat$net_ether0_stats(0xffffffffffffff9c,
&(0x7f00000000c0)='/net/ether0/stats\x00', 0x12, 0x1, 0x0)
fcntl$F_DUPFD(r1, 0x0, r0, 0x0)
openat$net_ether0_0_ifstats(0xffffffffffffff9c,
&(0x7f0000000000)='/net/ether0/0/ifstats\x00', 0x16, 0x1, 0x0)
20:14:29 executing program 2:
openat$net_tcp_0_listen(0xffffffffffffff9c,
&(0x7f0000000040)='/net/tcp/0/listen\x00', 0x12, 0x3, 0x0)
r0 = openat$net_ether0_0_type(0xffffffffffffff9c,
&(0x7f0000000000)='/net/ether0/0/type\x00', 0x13, 0x1, 0x0)
mmap(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0xffffffffffffffff, 0x1110, r0,
0x1)
20:14:30 executing program 3:
openat$net_icmpv6_clone(0xffffffffffffff9c,
&(0x7f0000000000)='/net/icmpv6/clone\x00', 0x12, 0x3, 0x0)
openat$dev_time(0xffffffffffffff9c, &(0x7f0000000040)='/dev/time\x00', 0xa,
0x3, 0x0)
r0 = openat$proc_self_note(0xffffffffffffff9c,
&(0x7f0000000080)='/proc/self/note\x00', 0x10, 0x1, 0x0)
mmap(&(0x7f0000ffc000/0x2000)=nil, 0x2000, 0x1000000, 0x9030, r0, 0x0)
20:14:30 executing program 5:
openat$net_ipselftab(0xffffffffffffff9c,
&(0x7f0000000080)='/net/ipselftab\x00', 0xf, 0x1, 0x0)
openat$prof_kpdata(0xffffffffffffff9c,
&(0x7f0000000040)='/prof/kpdata\x00', 0xd, 0x3, 0x0)
r0 = openat$net_iprouter(0xffffffffffffff9c,
&(0x7f0000000000)='/net/iprouter\x00', 0xe, 0x3, 0x0)
fcntl$F_SETFL(r0, 0x4, 0xc00)
20:14:31 executing program 0:
r0 = openat$net_icmp_clone(0xffffffffffffff9c,
&(0x7f0000000040)='/net/icmp/clone\x00', 0x10, 0x3, 0x0)
openat$dev_capuse(0xffffffffffffff9c, &(0x7f0000000000)='/dev/capuse\x00',
0xc, 0x3, 0x0)
mmap(&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x12032, r0, 0x0)
20:14:31 executing program 7:
r0 = openat$prof_empty(0xffffffffffffff9c,
&(0x7f0000000040)='/prof/.empty\x00', 0xd, 0x3, 0x0)
tcgetattr(r0, &(0x7f00000000c0))
openat$proc_self_note(0xffffffffffffff9c,
&(0x7f0000000080)='/proc/self/note\x00', 0x10, 0x1, 0x0)
openat$proc_self_status(0xffffffffffffff9c,
&(0x7f0000000100)='/proc/self/status\x00', 0x12, 0x1, 0x0)
openat$proc_self_status(0xffffffffffffff9c,
&(0x7f0000000000)='/proc/self/status\x00', 0x12, 0x1, 0x0)


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

Barret Rhoden

Jul 19, 2018, 4:24:55 PM
to syzbot, aka...@googlegroups.com
On 2018-07-18 at 17:00 syzbot
#syz invalid