kernel BUG at ./include/linux/mm.h:LINE!


syzbot

May 16, 2019, 10:26:06 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=1237b854a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=0d40b93dcc59437fc353
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0d40b9...@syzkaller.appspotmail.com

page:ffffea0000171e00 count:1 mapcount:0 mapping: (null) index:0x0
compound_mapcount: 0
flags: 0x4080(slab|head)
page dumped because: VM_BUG_ON_PAGE(PageSlab(page))
------------[ cut here ]------------
kernel BUG at ./include/linux/mm.h:533!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 13607 Comm: syz-executor.4 Not tainted 4.9.141+ #23
task: ffff880151c6af80 task.stack: ffff88000f880000
RIP: 0010:[<ffffffff8148381c>] [<ffffffff8148381c>] page_mapcount include/linux/mm.h:533 [inline]
RIP: 0010:[<ffffffff8148381c>] [<ffffffff8148381c>] isolate_migratepages_block+0x14dc/0x1af0 mm/compaction.c:818
RSP: 0018:ffff88000f886960 EFLAGS: 00010246
RAX: 00000000006e8000 RBX: ffffea0000171e00 RCX: ffffc900006e8000
RDX: 0000000000040000 RSI: ffffffff814fe94c RDI: ffff880151c6b82c
RBP: ffff88000f886ab0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: dffffc0000000000
R13: 0000000000005c78 R14: ffff88000f886c40 R15: ffffea0000170000
FS: 0000000000000000(0000) GS:ffff8801db700000(0063) knlGS:00000000f55a7b40
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 000000002de39000 CR3: 0000000012d0c000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffffffff833d3b50 ffffffff833d3e60 ffff88000f886988 ffff88000f886c90
0000000c00000001 1ffff10001f10d3d 0000000000005c00 ffffea0000171e00
ffffed0001f10d92 ffffea0000171e20 ffffea0000171e18 ffffffff833d3600
Call Trace:
[<ffffffff81485b0f>] isolate_migratepages mm/compaction.c:1242 [inline]
[<ffffffff81485b0f>] compact_zone+0x95f/0x2300 mm/compaction.c:1532
[<ffffffff814875bf>] compact_zone_order+0x10f/0x180 mm/compaction.c:1656
[<ffffffff81488c14>] try_to_compact_pages+0x214/0x710 mm/compaction.c:1703
[<ffffffff814273eb>] __alloc_pages_direct_compact+0xbb/0x310 mm/page_alloc.c:3175
[<ffffffff81428e3e>] __alloc_pages_slowpath mm/page_alloc.c:3703 [inline]
[<ffffffff81428e3e>] __alloc_pages_nodemask+0xdbe/0x1bd0 mm/page_alloc.c:3862
[<ffffffff814eb7e7>] __alloc_pages include/linux/gfp.h:433 [inline]
[<ffffffff814eb7e7>] __alloc_pages_node include/linux/gfp.h:446 [inline]
[<ffffffff814eb7e7>] alloc_slab_page mm/slub.c:1408 [inline]
[<ffffffff814eb7e7>] allocate_slab mm/slub.c:1557 [inline]
[<ffffffff814eb7e7>] new_slab+0x367/0x3d0 mm/slub.c:1635
[<ffffffff814ed97d>] new_slab_objects mm/slub.c:2419 [inline]
[<ffffffff814ed97d>] ___slab_alloc.constprop.33+0x2ed/0x470 mm/slub.c:2576
[<ffffffff814edb50>] __slab_alloc.isra.25.constprop.32+0x50/0xa0 mm/slub.c:2618
[<ffffffff814f15f6>] slab_alloc_node mm/slub.c:2681 [inline]
[<ffffffff814f15f6>] slab_alloc mm/slub.c:2723 [inline]
[<ffffffff814f15f6>] __kmalloc_track_caller+0x236/0x2d0 mm/slub.c:4232
[<ffffffff822c2ee3>] __kmalloc_reserve.isra.5+0x33/0xc0 net/core/skbuff.c:138
[<ffffffff822c308a>] __alloc_skb+0x11a/0x5b0 net/core/skbuff.c:231
[<ffffffff822c35cf>] alloc_skb include/linux/skbuff.h:924 [inline]
[<ffffffff822c35cf>] alloc_skb_with_frags+0xaf/0x4e0 net/core/skbuff.c:4707
[<ffffffff822aabee>] sock_alloc_send_pskb+0x59e/0x740 net/core/sock.c:1893
[<ffffffff81ecd8ba>] tun_alloc_skb drivers/net/tun.c:1166 [inline]
[<ffffffff81ecd8ba>] tun_get_user+0x53a/0x2460 drivers/net/tun.c:1263
[<ffffffff81ecf9f5>] tun_chr_write_iter+0xd5/0x190 drivers/net/tun.c:1353
[<ffffffff81508347>] new_sync_write fs/read_write.c:496 [inline]
[<ffffffff81508347>] __vfs_write+0x3d7/0x580 fs/read_write.c:509
[<ffffffff815085e8>] __kernel_write+0xf8/0x350 fs/read_write.c:529
[<ffffffff815ac79d>] write_pipe_buf+0x15d/0x1f0 fs/splice.c:816
[<ffffffff815ad926>] splice_from_pipe_feed fs/splice.c:521 [inline]
[<ffffffff815ad926>] __splice_from_pipe+0x316/0x710 fs/splice.c:645
[<ffffffff815af439>] splice_from_pipe+0xf9/0x170 fs/splice.c:680
[<ffffffff815af53c>] default_file_splice_write+0x3c/0x80 fs/splice.c:828
[<ffffffff815a9ab8>] do_splice_from fs/splice.c:870 [inline]
[<ffffffff815a9ab8>] direct_splice_actor+0x128/0x190 fs/splice.c:1037
[<ffffffff815ab6c1>] splice_direct_to_actor+0x2c1/0x7e0 fs/splice.c:992
[<ffffffff815abd83>] do_splice_direct+0x1a3/0x270 fs/splice.c:1080
[<ffffffff8150d780>] do_sendfile+0x4f0/0xc30 fs/read_write.c:1393
[<ffffffff8150f951>] C_SYSC_sendfile fs/read_write.c:1469 [inline]
[<ffffffff8150f951>] compat_SyS_sendfile+0xd1/0x160 fs/read_write.c:1458
[<ffffffff81006311>] do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
[<ffffffff81006311>] do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
[<ffffffff82818de0>] entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137
Code: ff ff e8 68 82 e9 ff 48 8b 85 e8 fe ff ff 48 8d 50 ff e9 f6 f6 ff ff e8 53 82 e9 ff 48 c7 c6 a0 32 aa 82 48 89 df e8 64 b5 00 00 <0f> 0b 48 89 95 e8 fe ff ff e8 36 82 e9 ff 48 8b 95 e8 fe ff ff
RIP [<ffffffff8148381c>] page_mapcount include/linux/mm.h:533 [inline]
RIP [<ffffffff8148381c>] isolate_migratepages_block+0x14dc/0x1af0 mm/compaction.c:818
RSP <ffff88000f886960>
ip6_tunnel: ip6tnl2 xmit: Local address not yet configured!
---[ end trace 06be764bb377088f ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Nov 8, 2019, 7:23:06 AM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.