fault in supervisor mode (2)


syzbot

May 15, 2020, 5:46:16 PM5/15/20
to syzkaller-...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 43a1479c Fix typo
git tree: netbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=12e71402100000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b25cb6dc8b37ae
dashboard link: https://syzkaller.appspot.com/bug?extid=9fc0d507815b11e56b5b
compiler: g++ (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9fc0d5...@syzkaller.appspotmail.com

[ 55.5790223] fatal double fault in supervisor mode
[ 55.5790223] trap type 13 code 0 rip 0xffffffff83102b89 cs 0x8 rflags 0x10246 cr2 0xffffcf00c2a0bff8 ilevel 0x8 rsp 0xffffcf00c2a0c000
[ 55.5790223] curlwp 0xffff812f6020e8c0 pid 3130.3130 lowest kstack 0xffffcf00c2a0a2c0
kernel: double fault trap, code=0
Stopped in pid 3130.3130 (syz-executor.1) at netbsd:__sanitizer_cov_trace_pc+0x18: pushq %rbx
?
__sanitizer_cov_trace_pc() at netbsd:__sanitizer_cov_trace_pc+0x18 sys/kern/subr_kcov.c:358
kpreempt_disable() at netbsd:kpreempt_disable+0xc x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline]
kpreempt_disable() at netbsd:kpreempt_disable+0xc sys/kern/kern_synch.c:479
percpu_getref() at netbsd:percpu_getref+0x1a x86_curcpu sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:56 [inline]
percpu_getref() at netbsd:percpu_getref+0x1a sys/kern/subr_percpu.c:441
rnd_add_data_1() at netbsd:rnd_add_data_1+0x13b entropy_enter_intr sys/kern/kern_entropy.c:839 [inline]
rnd_add_data_1() at netbsd:rnd_add_data_1+0x13b sys/kern/kern_entropy.c:1822
rnd_add_data() at netbsd:rnd_add_data+0x185 sys/kern/kern_entropy.c:1794
_rnd_add_uint32() at netbsd:_rnd_add_uint32+0x27 sys/kern/kern_entropy.c:1731
dk_done1() at netbsd:dk_done1+0x2b6 sys/dev/dksubr.c:472
sddone() at netbsd:sddone+0x1d0 sys/dev/scsipi/sd.c:859
scsipi_complete() at netbsd:scsipi_complete+0x4a9 sys/dev/scsipi/scsipi_base.c:1947
scsipi_done() at netbsd:scsipi_done+0xa8a sys/dev/scsipi/scsipi_base.c:1690
vioscsi_vq_done() at netbsd:vioscsi_vq_done+0x39e vioscsi_req_done sys/dev/pci/vioscsi.c:498 [inline]
vioscsi_vq_done() at netbsd:vioscsi_vq_done+0x39e sys/dev/pci/vioscsi.c:537
virtio_vq_intr_common() at netbsd:virtio_vq_intr_common+0x195 virtio_vq_intr_common sys/dev/pci/virtio.c:307 [inline]
virtio_vq_intr_common() at netbsd:virtio_vq_intr_common+0x195 sys/dev/pci/virtio.c:294
virtio_vq_intr() at netbsd:virtio_vq_intr+0x68 sys/dev/pci/virtio.c:321
virtio_pci_msix_queue_intr() at netbsd:virtio_pci_msix_queue_intr+0x98 sys/dev/pci/virtio_pci.c:794
intr_biglock_wrapper() at netbsd:intr_biglock_wrapper+0x4e sys/arch/x86/x86/intr.c:647
Xhandle_ioapic_edge17() at netbsd:Xhandle_ioapic_edge17+0x74
--- interrupt ---
__sanitizer_cov_trace_pc() at netbsd:__sanitizer_cov_trace_pc+0xf sys/kern/subr_kcov.c:358
uvm_page_array_fill() at netbsd:uvm_page_array_fill+0x52a sys/uvm/uvm_page_array.c:158
uvm_page_array_fill_and_peek() at netbsd:uvm_page_array_fill_and_peek+0x67 sys/uvm/uvm_page_array.c:208
uvn_findpage() at netbsd:uvn_findpage+0x110 sys/uvm/uvm_vnode.c:315
uvn_findpages() at netbsd:uvn_findpages+0xeb sys/uvm/uvm_vnode.c:255
genfs_getpages() at netbsd:genfs_getpages+0x1665 sys/miscfs/genfs/genfs_io.c:378
VOP_GETPAGES() at netbsd:VOP_GETPAGES+0x13d sys/kern/vnode_if.c:1596
uvn_get() at netbsd:uvn_get+0x2d0 sys/uvm/uvm_vnode.c:191
uvm_fault_internal() at netbsd:uvm_fault_internal+0x390c uvm_fault_lower_io sys/uvm/uvm_fault.c:2185 [inline]
uvm_fault_internal() at netbsd:uvm_fault_internal+0x390c uvm_fault_lower sys/uvm/uvm_fault.c:1940 [inline]
uvm_fault_internal() at netbsd:uvm_fault_internal+0x390c sys/uvm/uvm_fault.c:939
trap() at netbsd:trap+0xdfb sys/arch/amd64/amd64/trap.c:520
--- trap (number 6) ---
copyin() at netbsd:copyin+0x2f
copyin_proc() at netbsd:copyin_proc+0x5d sys/kern/subr_copy.c:280
coredump_getseghdrs_elf64() at netbsd:coredump_getseghdrs_elf64+0x200 sys/kern/core_elf32.c:325
uvm_coredump_walkmap() at netbsd:uvm_coredump_walkmap+0x2f9 sys/uvm/uvm_coredump.c:193
coredump_elf64() at netbsd:coredump_elf64+0xa14 sys/kern/core_elf32.c:225
coredump() at netbsd:coredump+0xd19 sys/kern/kern_core.c:266
sigexit() at netbsd:sigexit+0x738 sys/kern/kern_sig.c:2312
sendsig_siginfo() at netbsd:sendsig_siginfo+0x7fb sys/arch/amd64/amd64/machdep.c:625
sendsig() at netbsd:sendsig+0x10c sys/kern/kern_sig.c:2183
trapsignal() at netbsd:trapsignal+0xb13 sys/kern/kern_sig.c:972
trap() at netbsd:trap+0x1600 sys/arch/amd64/amd64/trap.c:651
--- trap (number 6) ---
[ 55.5790223] panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/arch/amd64/amd64/db_machdep.c:154:24, member access within misaligned address 0x2 for type 'struct x86_64_frame' which requires 8 byte alignment

[ 55.5790223] cpu0: Begin traceback...
[ 55.5790223] vpanic() at netbsd:vpanic+0x29d sys/kern/subr_prf.c:290
[ 55.5790223] isAlreadyReported() at netbsd:isAlreadyReported
[ 55.5790223] HandleTypeMismatch.part.1() at netbsd:HandleTypeMismatch.part.1+0xcc
[ 55.5790223] HandleTypeMismatch() at netbsd:HandleTypeMismatch+0x7b sys/../common/lib/libc/misc/ubsan.c:417
[ 55.5790223] db_nextframe() at netbsd:db_nextframe+0x793 sys/arch/amd64/amd64/db_machdep.c:154
[ 55.5790223] db_stack_trace_print() at netbsd:db_stack_trace_print+0x26e sys/arch/x86/x86/db_trace.c:277
[ 55.5790223] db_command() at netbsd:db_command+0x1e9 sys/ddb/db_command.c:942
[ 55.5790223] db_command_loop() at netbsd:db_command_loop+0x1be db_execute_commandlist sys/ddb/db_command.c:439 [inline]
[ 55.5790223] db_command_loop() at netbsd:db_command_loop+0x1be sys/ddb/db_command.c:589
[ 55.5790223] db_trap() at netbsd:db_trap+0x212 sys/ddb/db_trap.c:94
[ 55.5790223] kdb_trap() at netbsd:kdb_trap+0x154 sys/arch/amd64/amd64/db_interface.c:248
[ 55.5790223] doubletrap() at netbsd:doubletrap+0x31 sys/arch/amd64/amd64/trap.c:237
[ 55.5790223] Bad frame pointer: 0xffffcf00c2a0c018
[ 55.5790223] cpu0: End traceback...
[ 55.5790223] fatal breakpoint trap in supervisor mode
[ 55.5790223] trap type 1 code 0 rip 0xffffffff80221a3d cs 0x8 rflags 0x46 cr2 0xffffcf00c2a0bff8 ilevel 0x8 rsp 0xffffff0000015d50
[ 55.5790223] curlwp 0xffff812f6020e8c0 pid 3130.3130 lowest kstack 0xffffcf00c2a0a2c0
Stopped in pid 3130.3130 (syz-executor.1) at netbsd:breakpoint+0x5: leave


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Aug 7, 2020, 12:40:15 AM8/7/20
to syzkaller-...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: f0cc7819 make(1): use consistent name for result of Cmd_Exec
git tree: netbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=17de3dc6900000
kernel config: https://syzkaller.appspot.com/x/.config?x=fab579639ba4bf0a
dashboard link: https://syzkaller.appspot.com/bug?extid=9fc0d507815b11e56b5b
compiler: g++ (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1764c22c900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13af5e34900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9fc0d5...@syzkaller.appspotmail.com

[ 55.2318152] fatal page faultfatal double fault in supervisor mode
[ 55.2318152] trap type 13 code 0 rip 0xffffffff8020100b cs 0x8 rflags 0x10086 cr2 0xffff940187569f58 ilevel 0 rsp 0xffff940187569f60
[ 55.2318152] curlwp 0xffff940014210200 pid 1097.957 lowest kstack 0xffff9401875682c0
k einr neslu:p edrovuibsloer fmoaudle
t
ttrraapp , tycopdee =60 c
[Stopped in pid 1097.957 (syz-executor1911) at netbsd:Xintr_legacy13+0xb: movq %rdi,0(%rsp)
?
Xintr_legacy13() at netbsd:Xintr_legacy13+0xb
--- interrupt ---
