uvm_fault: pmap_page_remove


syzbot

Jan 6, 2019, 5:45:04 AM1/6/19
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 260aa4b1b9f1 In no-fill mode, avoid bogus blank lines in t..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1586994b400000
kernel config: https://syzkaller.appspot.com/x/.config?x=67702c30ce8f1b56
dashboard link: https://syzkaller.appspot.com/bug?extid=afdd01b0a652da2a5dee
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+afdd01...@syzkaller.appspotmail.com

uvm_fault(0xffffffff81ea04f0, 0x7f810a0c1cb0, 0, 2) -> e
kernel: page fault trap, code=0
Stopped at pmap_page_remove+0x295: xchgq %rax,0(%r12,%rcx,1)
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> show panic
kernel page fault
uvm_fault(0xffffffff81ea04f0, 0x7f810a0c1cb0, 0, 2) -> e
pmap_page_remove(ffffff0005b61c00) at pmap_page_remove+0x295
_atomic_swap_64 sys/arch/amd64/compile/SYZKALLER/obj/machine/atomic.h:117
[inline]
pmap_page_remove(ffffff0005b61c00) at pmap_page_remove+0x295
sys/arch/amd64/amd64/pmap.c:1740
end trace frame: 0xffff800021077aa0, count: 0
ddb{1}> trace
pmap_page_remove(ffffff0005b61c00) at pmap_page_remove+0x295
_atomic_swap_64 sys/arch/amd64/compile/SYZKALLER/obj/machine/atomic.h:117
[inline]
pmap_page_remove(ffffff0005b61c00) at pmap_page_remove+0x295
sys/arch/amd64/amd64/pmap.c:1740
uvm_anfree(0) at uvm_anfree+0x33 sys/uvm/uvm_anon.c:104
amap_wipeout(ffff800021077b30) at amap_wipeout+0x11d sys/uvm/uvm_amap.c:455
uvm_unmap_detach(0,ffffff006617a850) at uvm_unmap_detach+0xb7
sys/uvm/uvm_map.c:1549
uvm_map_teardown(ffff8000210a24c8) at uvm_map_teardown+0x22c
sys/uvm/uvm_map.c:2650
uvmspace_free(ffff8000210b72e0) at uvmspace_free+0x4c sys/uvm/uvm_map.c:3501
uvm_exit(ffff8000210b72e0) at uvm_exit+0x1b sys/uvm/uvm_glue.c:289
reaper(0) at reaper+0x163 sys/kern/kern_exit.c:430
end trace frame: 0x0, count: -8
ddb{1}> show registers
rdi 0xa
rsi 0
rbp 0xffff800021077a70
rbx 0xffffff007f123700
rdx 0x1
rcx 0x7f8000000000
rax 0
r8 0xffffff0005130480
r9 0xffff800021077ae8
r10 0
r11 0xffffff00745f8eb8
r12 0x10a0c1cb0
r13 0xffffff006145b540
r14 0x80000000020c7000
r15 0xffffff0005b61c68
rip 0xffffffff812cbbe5 pmap_page_remove+0x295
cs 0x8
rflags 0x10246 __ALIGN_SIZE+0xf246
rsp 0xffff800021077a20
ss 0x10
pmap_page_remove+0x295: xchgq %rax,0(%r12,%rcx,1)
ddb{1}> show proc
PROC (reaper) pid=286958 stat=onproc
flags process=14000<NOZOMBIE,SYSTEM> proc=200<SYSTEM>
pri=84, usrpri=84, nice=20
forw=0xffffffffffffffff, list=0xffff800021031518,0xffff8000210319d8
process=0xffff8000210715e8 user=0xffff800021072000,
vmspace=0xffffffff81ea04f0
estcpu=34, cpticks=3, pctcpu=34.71
user=0, sys=3, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
76424 25545 1 65534 3 0x10 biowait syz-executor0
36705 132862 0 0 3 0x14200 bored sosplice
23807 371373 1 65534 3 0x90 wait syz-executor1
72994 94476 99001 0 3 0x82 thrsleep syz-fuzzer
72994 263664 99001 0 3 0x4000082 nanosleep syz-fuzzer
72994 472858 99001 0 3 0x4000082 kqread syz-fuzzer
72994 184322 99001 0 3 0x4000082 thrsleep syz-fuzzer
72994 228928 99001 0 3 0x4000082 thrsleep syz-fuzzer
72994 49399 99001 0 3 0x4000082 thrsleep syz-fuzzer
72994 121519 99001 0 3 0x4000082 nanosleep syz-fuzzer
72994 359320 99001 0 3 0x4000082 thrsleep syz-fuzzer
72994 336975 99001 0 3 0x4000082 thrsleep syz-fuzzer
72994 491055 99001 0 3 0x4000082 thrsleep syz-fuzzer
72994 290561 99001 0 3 0x4000082 thrsleep syz-fuzzer
99001 372160 25220 0 3 0x10008a pause ksh
25220 329458 54434 0 3 0x92 select sshd
74131 119592 1 0 3 0x100083 ttyin getty
54434 518637 1 0 3 0x80 select sshd
31944 297955 42137 73 3 0x100010 biowait syslogd
42137 470970 1 0 3 0x100082 netio syslogd
91531 309773 1 77 3 0x100090 poll dhclient
22368 9159 1 0 3 0x80 poll dhclient
63780 316553 0 0 3 0x14200 pgzero zerothread
80598 332500 0 0 3 0x14200 aiodoned aiodoned
39732 39341 0 0 3 0x14200 syncer update
88414 20240 0 0 3 0x14200 cleaner cleaner
*56242 286958 0 0 7 0x14200 reaper
16071 398448 0 0 3 0x14200 pgdaemon pagedaemon
19417 411010 0 0 3 0x14200 bored crynlk
77432 472171 0 0 3 0x14200 bored crypto
81419 251464 0 0 3 0x40014200 acpi0 acpi0
99041 128618 0 0 3 0x40014200 idle1
79315 387302 0 0 3 0x14200 bored softnet
80823 369376 0 0 3 0x14200 bored systqmp
67918 193968 0 0 3 0x14200 bored systq
83060 239326 0 0 3 0x40014200 bored softclock
33362 86125 0 0 7 0x40014200 idle0
1 492271 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

syzbot

Dec 19, 2019, 12:38:07 AM12/19/19
to syzkaller-o...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.