page fault in uvm_pgflcache_alloc


syzbot

Jul 9, 2023, 12:28:46 PM7/9/23
to syzkaller-...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: b2782b14a8e5 libm: Add missing fma(3) and friends for sh3.
git tree: netbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=16144354a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=739e57438eb9ed9e
dashboard link: https://syzkaller.appspot.com/bug?extid=0d7184ae7e8a5224d791
compiler: Debian clang version 15.0.7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10bfb56ca80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d67622a80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d4fd14f03742/disk-b2782b14.raw.xz
netbsd.gdb: https://storage.googleapis.com/syzbot-assets/8801e6e6d74f/netbsd-b2782b14.gdb.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0d7184...@syzkaller.appspotmail.com

[ 55.4764735] fatal page faultfatal page fault in supervisor mode
[ 55.4854072] trap type 6 code 0 rip 0xffffffff85073c54 cs 0x8 rflags 0x10246 cr2 0xffff9a80173814c0 ilevel 0x6 rsp 0xffff9a80c7aa25b0
[ 55.4854072] in supervisor mode
[ 55.5002233] curlwp 0xffff9a8013440540 pid 1246.1246 lowest kstack 0xffff9a80c7a9b2c0
[ k er55ne.l5:0 0p2a2g3e3 ] fatrualpt ttyrpaep ,6 c cooded=e0 [
Stopped in pid 1246.1246 (syz-executor4027) at netbsd:uvm_pgflcache_alloc+0x154: movq 0(%rbx),%r14
?
uvm_pgflcache_alloc() at netbsd:uvm_pgflcache_alloc+0x154 sys/uvm/uvm_pgflcache.c:220
uvm_pagealloc_pgfl() at netbsd:uvm_pagealloc_pgfl+0xe2
uvm_pagealloc_strat() at netbsd:uvm_pagealloc_strat+0x2f34
pmap_enter_ma() at netbsd:pmap_enter_ma+0x1950 pmap_get_ptp sys/arch/x86/x86/pmap.c:2561 [inline]
pmap_enter_ma() at netbsd:pmap_enter_ma+0x1950 sys/arch/x86/x86/pmap.c:5052
pmap_enter_default() at netbsd:pmap_enter_default+0x158 sys/arch/x86/x86/pmap.c:4963
uvm_fault_internal() at netbsd:uvm_fault_internal+0x61e5 uvm_fault_lower_lookup sys/uvm/uvm_fault.c:2029 [inline]
uvm_fault_internal() at netbsd:uvm_fault_internal+0x61e5 uvm_fault_lower sys/uvm/uvm_fault.c:1867 [inline]
uvm_fault_internal() at netbsd:uvm_fault_internal+0x61e5 sys/uvm/uvm_fault.c:936
trap() at netbsd:trap+0x23bd
--- trap (number 6) ---
7f7e2b80a70a:
Panic string: (null)
PID LID S CPU FLAGS STRUCT LWP * NAME WAIT
1246 >1246 7 0 0 ffff9a8013440540 syz-executor4027
1244 1244 3 0 0 ffff9a8013440100 syz-executor4027 tstile
1240 1240 3 1 0 ffff9a8012c94940 syz-executor4027 tstile
991 991 3 0 0 ffff9a8012c94500 syz-executor4027 tstile
950 950 2 0 0 ffff9a8012c940c0 syz-executor4027
1241 >1241 7 1 0 ffff9a8012bd6900 syz-executor4027
829 829 2 1 140 ffff9a8012bd64c0 syz-executor4027
930 930 3 1 180 ffff9a8012bd6080 syz-executor4027 nanoslp
449 449 3 1 180 ffff9a801251e300 syz-executor4027 nanoslp
942 942 3 0 40180 ffff9a80123922c0 syz-executor4027 nanoslp
1235 1235 3 0 180 ffff9a80123006c0 sshd select
1222 1222 3 0 180 ffff9a8012300b00 getty nanoslp
1084 1084 3 0 180 ffff9a8012300280 getty nanoslp
1224 1224 3 1 180 ffff9a80121ffac0 getty nanoslp
1216 1216 3 0 1c0 ffff9a80121fc200 getty ttyraw
1103 1103 3 0 180 ffff9a8012ba88c0 sshd select
685 685 3 1 180 ffff9a80125e6780 powerd kqueue
693 693 3 0 180 ffff9a8012ba8480 syslogd kqueue
559 559 3 0 180 ffff9a8012ba8040 dhcpcd poll
746 746 3 1 180 ffff9a801251e740 dhcpcd poll
745 745 3 1 180 ffff9a8012392700 dhcpcd poll
599 599 3 1 180 ffff9a80125e6bc0 dhcpcd poll
487 487 3 0 180 ffff9a80125e6340 dhcpcd poll
292 292 3 1 180 ffff9a8012392b40 dhcpcd poll
485 485 2 0 100 ffff9a801251eb80 dhcpcd
1 1 3 0 180 ffff9a8011ede100 init wait
0 859 3 0 200 ffff9a80121fc640 physiod physiod
0 196 3 1 200 ffff9a80121ff680 pooldrain pooldrain
0 195 3 0 200 ffff9a80121ff240 ioflush syncer
0 194 3 0 121fc920 ffff9a80121fca80 pgdaemon pgdaemon
0 167 3 0 200 ffff9a801216ca40 usb7 usbevt
0 172 3 0 200 ffff9a801216c600 usb6 usbevt
0 170 3 0 200 ffff9a801216c1c0 usb5 usbevt
0 168 3 0 200 ffff9a801213ca00 usb4 usbevt


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to change the bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup