uvm_fault: tun_dev_read

syzbot
Dec 6, 2018, 1:37:04 PM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 7d03a16b0321 usb_block_allocmem() won't sleep.
git tree: https://github.com/openbsd/src.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=13e52125400000
dashboard link: https://syzkaller.appspot.com/bug?extid=ce2a53be1a47b142379f
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ce2a53...@syzkaller.appspotmail.com

uvm_fault(0xffffff007f12b000, 0x6000118, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at tun_dev_read+0x1fa: movl 0x18(%r15),%ebx
ddb>
ddb> set $lines = 0
ddb> show panic
kernel page fault
uvm_fault(0xffffff007f12b000, 0x6000118, 0, 1) -> e
tun_dev_read(ffff80002116ca88,ffffff00750eccf0,ffffff00750eccf0) at
tun_dev_read+0x1fa
end trace frame: 0xffff80002116c940, count: 0
ddb> trace
tun_dev_read(ffff80002116ca88,ffffff00750eccf0,ffffff00750eccf0) at
tun_dev_read+0x1fa
spec_read(10) at spec_read+0x9d
VOP_READ(ffff80002116ca88,ffffff00750eccf0,ffffff0068d5abc8,0) at
VOP_READ+0x5e
vn_read(ffffff0068d5abc8,ffff8000ffffce18,3e8) at vn_read+0x130
dofilereadv(ffff8000ffffce18,ffff80002116cb30,3e8,ffff80002116cb40,9a0d3083e98)
at
dofilereadv+0x14f
sys_read(ffff80002116cbd0,ffff8000ffffce18,ffff80002105f980) at
sys_read+0x6e
syscall(0) at syscall+0x3e4
Xsyscall(6,3,0,3,1,9a0b83ffe00) at Xsyscall+0x128
end of kernel
end trace frame: 0x9a0d3083eb0, count: -8
ddb> show registers
rdi 0
rsi 0xffffffff817e7b34 tun_dev_read+0x244
rbp 0xffff80002116c8a0
rbx 0
rdx 0xffff800002ad0000
rcx 0x305
rax 0x336
r8 0x7f7fffffc000
r9 0
r10 0
r11 0xffffffff81400350 pool_lock_mtx_leave
r12 0xffff80002116ca88
r13 0x5
r14 0xffff800000aca800
r15 0x6000100 __kernel_end_phys+0x4000100
rip 0xffffffff817e7aea tun_dev_read+0x1fa
cs 0x8
rflags 0x10206 __ALIGN_SIZE+0xf206
rsp 0xffff80002116c860
ss 0x10
tun_dev_read+0x1fa: movl 0x18(%r15),%ebx
ddb> show proc
PROC (syz-executor0) pid=155844 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=81, usrpri=81, nice=20
forw=0xffffffffffffffff, list=0xffff8000ffffd778,0xffffffff81edbd78
process=0xffff80002105f980 user=0xffff800021167000,
vmspace=0xffffff007f12b000
estcpu=36, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
61032 134867 39951 0 2 0 syz-executor0
*61032 155844 39951 0 7 0x4000000 syz-executor0
29158 345973 85054 0 2 0 syz-executor1
29158 26367 85054 0 3 0x4000080 ttyout syz-executor1
79627 42673 0 0 3 0x14200 bored sosplice
39951 155312 70346 0 3 0x82 nanosleep syz-executor0
85054 218852 70346 0 3 0x82 nanosleep syz-executor1
70346 279760 82343 0 3 0x82 thrsleep syz-fuzzer
70346 110808 82343 0 3 0x4000082 thrsleep syz-fuzzer
70346 246376 82343 0 3 0x4000082 thrsleep syz-fuzzer
70346 233525 82343 0 3 0x4000082 thrsleep syz-fuzzer
70346 138122 82343 0 3 0x4000082 thrsleep syz-fuzzer
70346 23855 82343 0 3 0x4000082 thrsleep syz-fuzzer
70346 317508 82343 0 3 0x4000082 kqread syz-fuzzer
82343 145213 89659 0 3 0x10008a pause ksh
89659 149143 32298 0 3 0x92 select sshd
32298 76377 1 0 3 0x80 select sshd
20270 102708 26764 73 2 0x100090 syslogd
26764 453341 1 0 3 0x100082 netio syslogd
4716 457570 0 0 2 0x14200 zerothread
65442 317673 0 0 3 0x14200 aiodoned aiodoned
10194 289214 0 0 3 0x14200 syncer update
6338 352788 0 0 3 0x14200 cleaner cleaner
44363 206792 0 0 3 0x14200 reaper reaper
49896 18331 0 0 3 0x14200 pgdaemon pagedaemon
64008 60694 0 0 3 0x14200 bored crynlk
88607 65866 0 0 3 0x14200 bored crypto
64547 83218 0 0 3 0x40014200 acpi0 acpi0
10677 59964 0 0 3 0x14200 bored softnet
4491 376065 0 0 3 0x14200 bored systqmp
25273 415587 0 0 3 0x14200 bored systq
73530 353725 0 0 3 0x40014200 bored softclock
8398 514451 0 0 3 0x40014200 idle0
1 209873 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

syzbot
Jun 5, 2019, 6:47:03 PM
to syzkaller-o...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.