BUG: unable to handle kernel paging request in clear_page_erms (4)


syzbot

Oct 28, 2021, 9:05:32 PM10/28/21
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 6c62666d8879 Merge tag 'sched_urgent_for_v5.15_rc7' of git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=114cdaf8b00000
kernel config: https://syzkaller.appspot.com/x/.config?x=59f3ef2b4077575
dashboard link: https://syzkaller.appspot.com/bug?extid=1d31a1e01bc7df57fe44
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
CC: [ak...@linux-foundation.org aneesh...@linux.ibm.com linux...@vger.kernel.org linux-...@vger.kernel.org linu...@kvack.org npi...@gmail.com pet...@infradead.org wi...@kernel.org]

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1d31a1...@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: ffff888142bbc000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 10e01067 P4D 10e01067 PUD 146fb7063 PMD 12a063 PTE 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8018 Comm: syz-executor.2 Not tainted 5.15.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:clear_page_erms+0x7/0x10
Code: 48 89 47 18 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 c3 0f 1f 80 00 00 00 00 b9 00 10 00 00 31 c0 <f3> aa c3 cc cc cc cc cc cc 55 41 57 41 56 41 55 41 54 53 48 83 ec
RSP: 0018:ffffc900062370e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8880b1c216b8 RCX: 0000000000001000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff888142bbc000
RBP: 1ffff110163842d7 R08: dffffc0000000000 R09: ffffed1028577800
R10: fffff94000a15de7 R11: 0000000000000000 R12: 0000000000000001
R13: 0005088000000000 R14: ffffea00050aef00 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888142bbc000 CR3: 000000003a28d000 CR4: 00000000003506e0
Call Trace:
clear_page arch/x86/include/asm/page_64.h:49 [inline]
clear_highpage include/linux/highmem.h:181 [inline]
kernel_init_free_pages+0x8c/0x100 mm/page_alloc.c:1278
post_alloc_hook+0x102/0x220 mm/page_alloc.c:2414
prep_new_page mm/page_alloc.c:2424 [inline]
get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4153
__alloc_pages+0x255/0x580 mm/page_alloc.c:5375
__get_free_pages+0x8/0x30 mm/page_alloc.c:5412
tlb_next_batch mm/mmu_gather.c:29 [inline]
__tlb_remove_page_size+0x1f5/0x3d0 mm/mmu_gather.c:83
__tlb_remove_page include/asm-generic/tlb.h:440 [inline]
zap_pte_range+0x9b0/0x1b90 mm/memory.c:1365
zap_pmd_range mm/memory.c:1481 [inline]
zap_pud_range mm/memory.c:1510 [inline]
zap_p4d_range mm/memory.c:1531 [inline]
unmap_page_range+0x745/0xa20 mm/memory.c:1552
unmap_vmas+0x202/0x390 mm/memory.c:1629
exit_mmap+0x3c6/0x6f0 mm/mmap.c:3171
__mmput+0x111/0x3a0 kernel/fork.c:1115
exit_mm+0x63e/0x7a0 kernel/exit.c:501
do_exit+0x682/0x24e0 kernel/exit.c:812
do_group_exit+0x168/0x2d0 kernel/exit.c:922
get_signal+0x16b0/0x2090 kernel/signal.c:2855
arch_do_signal_or_restart+0x9c/0x730 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x2e/0x70 kernel/entry/common.c:300
do_syscall_64+0x53/0xd0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f6065e0aa39
Code: Unable to access opcode bytes at RIP 0x7f6065e0aa0f.
RSP: 002b:00007f6063380218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 00007f6065f0df68 RCX: 00007f6065e0aa39
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f6065f0df6c
RBP: 00007f6065f0df60 R08: 000000000000000e R09: 0000000000000000
R10: 0000000000000040 R11: 0000000000000246 R12: 00007f6065f0df6c
R13: 00007ffcc282387f R14: 00007f6063380300 R15: 0000000000022000
Modules linked in:
CR2: ffff888142bbc000
---[ end trace 02cb942355cce065 ]---
RIP: 0010:clear_page_erms+0x7/0x10
Code: 48 89 47 18 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 c3 0f 1f 80 00 00 00 00 b9 00 10 00 00 31 c0 <f3> aa c3 cc cc cc cc cc cc 55 41 57 41 56 41 55 41 54 53 48 83 ec
RSP: 0018:ffffc900062370e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8880b1c216b8 RCX: 0000000000001000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff888142bbc000
RBP: 1ffff110163842d7 R08: dffffc0000000000 R09: ffffed1028577800
R10: fffff94000a15de7 R11: 0000000000000000 R12: 0000000000000001
R13: 0005088000000000 R14: ffffea00050aef00 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888142bbc000 CR3: 000000003a28d000 CR4: 00000000003506e0
----------------
Code disassembly (best guess):
0: 48 89 47 18 mov %rax,0x18(%rdi)
4: 48 89 47 20 mov %rax,0x20(%rdi)
8: 48 89 47 28 mov %rax,0x28(%rdi)
c: 48 89 47 30 mov %rax,0x30(%rdi)
10: 48 89 47 38 mov %rax,0x38(%rdi)
14: 48 8d 7f 40 lea 0x40(%rdi),%rdi
18: 75 d9 jne 0xfffffff3
1a: 90 nop
1b: c3 retq
1c: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
23: b9 00 10 00 00 mov $0x1000,%ecx
28: 31 c0 xor %eax,%eax
* 2a: f3 aa rep stos %al,%es:(%rdi) <-- trapping instruction
2c: c3 retq
2d: cc int3
2e: cc int3
2f: cc int3
30: cc int3
31: cc int3
32: cc int3
33: 55 push %rbp
34: 41 57 push %r15
36: 41 56 push %r14
38: 41 55 push %r13
3a: 41 54 push %r12
3c: 53 push %rbx
3d: 48 rex.W
3e: 83 .byte 0x83
3f: ec in (%dx),%al


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jan 22, 2022, 7:56:21 PM1/22/22
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.