BUG: unable to handle kernel paging request in kmem_cache_alloc (2)


syzbot

Jul 15, 2018, 11:09:03 PM
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 13f7432bdd8e Merge branch 'bpf-tcp-listen-cb'
git tree: bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16e04d62400000
kernel config: https://syzkaller.appspot.com/x/.config?x=a501a01deaf0fe9
dashboard link: https://syzkaller.appspot.com/bug?extid=f6d9c74dc35d6e0cb6c9
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
CC: [linux-...@vger.kernel.org linux-...@vger.kernel.org vi...@zeniv.linux.org.uk]

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f6d9c7...@syzkaller.appspotmail.com

BUG: unable to handle kernel paging request at ffff8801bf06a5c0
PGD b4e1067 P4D b4e1067 PUD 1b6204063 PMD 199ce6063 PTE ffff880199ce6538
Oops: 0002 [#1] SMP KASAN
CPU: 1 PID: 6484 Comm: udevd Not tainted 4.18.0-rc3+ #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:set_track mm/kasan/kasan.c:459 [inline]
RIP: 0010:kasan_kmalloc+0xbb/0xe0 mm/kasan/kasan.c:553
Code: 89 55 c8 e8 07 1a 00 00 48 8b 55 c8 eb 84 49 63 85 f8 00 00 00 8b 7d
d4 49 01 c4 65 48 8b 04 25 40 ee 01 00 8b 80 90 04 00 00 <41> 89 04 24 e8
fc fa ff ff 41 89 44 24 04 48 83 c4 10 5b 41 5c 41
RSP: 0018:ffff8801abfef5f8 EFLAGS: 00010286
RAX: 0000000000001954 RBX: ffff8801bf06a5c0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 00000000000000fc RDI: 00000000006000c0
RBP: ffff8801abfef630 R08: 000060fe24e0e1d0 R09: ffffed0037e0d4b8
R10: 0000000000000000 R11: dffffc0000000000 R12: ffff8801bf06a5c0
R13: ffff8801d945d480 R14: 0000000000000000 R15: ffff8801bf06a5bf
FS: 00007fa5a4f507a0(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8801bf06a5c0 CR3: 00000001cba9d000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
slab_post_alloc_hook mm/slab.h:444 [inline]
slab_alloc mm/slab.c:3392 [inline]
kmem_cache_alloc+0x11b/0x760 mm/slab.c:3552
ep_insert+0x279/0x1c20 fs/eventpoll.c:1428
__do_sys_epoll_ctl fs/eventpoll.c:2113 [inline]
__se_sys_epoll_ctl fs/eventpoll.c:1999 [inline]
__x64_sys_epoll_ctl+0xf00/0x10a0 fs/eventpoll.c:1999
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fa5a466490a
Code: 48 8b 0d 31 85 2a 00 31 d2 48 29 c2 64 89 11 48 83 c8 ff eb ea 90 90
90 90 90 90 90 90 90 90 90 49 89 ca b8 e9 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 73 01 c3 48 8b 0d fe 84 2a 00 31 d2 48 29 c2 64
RSP: 002b:00007ffc2fb93218 EFLAGS: 00000206 ORIG_RAX: 00000000000000e9
RAX: ffffffffffffffda RBX: 0000000000a89250 RCX: 00007fa5a466490a
RDX: 0000000000000005 RSI: 0000000000000001 RDI: 0000000000000007
RBP: 0000000000625500 R08: 0000000000001954 R09: 0000000000001954
R10: 00007ffc2fb932c0 R11: 0000000000000206 R12: 0000000000a8a380
R13: 00007ffc2fb94337 R14: 0000000000000005 R15: 0000000000a89250
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
CR2: ffff8801bf06a5c0
---[ end trace f71636425aff89f9 ]---
BUG: unable to handle kernel paging request at ffff8801cd2a8cb4
PGD b4e1067
RIP: 0010:set_track mm/kasan/kasan.c:459 [inline]
RIP: 0010:kasan_kmalloc+0xbb/0xe0 mm/kasan/kasan.c:553
P4D b4e1067
Code: 89
PUD 1d9488063
55
PMD 198200063
c8 e8
==================================================================
07
BUG: KASAN: stack-out-of-bounds in pte_val
arch/x86/include/asm/paravirt.h:384 [inline]
BUG: KASAN: stack-out-of-bounds in dump_pagetable+0x95c/0x970
arch/x86/mm/fault.c:559
1a
Read of size 8 at addr ffff880198200540 by task syz-executor0/12519
00

00 48
CPU: 0 PID: 12519 Comm: syz-executor0 Tainted: G D
4.18.0-rc3+ #55
8b
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
55
Call Trace:
c8 eb
<IRQ>
84
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
49
63 85
f8
00
00
print_address_description+0x6c/0x20b mm/kasan/report.c:256
00
8b
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
7d d4
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
49 01
pte_val arch/x86/include/asm/paravirt.h:384 [inline]
dump_pagetable+0x95c/0x970 arch/x86/mm/fault.c:559
c4
65
48 8b
04
25
40
ee
01 00
show_fault_oops arch/x86/mm/fault.c:675 [inline]
no_context.cold.36+0x76/0x98 arch/x86/mm/fault.c:798
8b
80 90
04
00
__bad_area_nosemaphore+0x33b/0x3f0 arch/x86/mm/fault.c:902
00
<41> 89
04
bad_area_nosemaphore+0x33/0x40 arch/x86/mm/fault.c:909
24
__do_page_fault+0x1db/0xe50 arch/x86/mm/fault.c:1328
e8
fc
fa
ff ff
do_page_fault+0xf6/0x8c0 arch/x86/mm/fault.c:1471
41
89
44
24
04
48 83
c4
page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1160
10
RIP: 0010:__should_failslab+0x114/0x180 mm/failslab.c:32
5b
Code:
41
48
5c
8d
41
7b 74
RSP: 0018:ffff8801abfef5f8 EFLAGS: 00010286
48 b8
00 00
RAX: 0000000000001954 RBX: ffff8801bf06a5c0 RCX: 0000000000000000
00
RDX: 0000000000000000 RSI: 00000000000000fc RDI: 00000000006000c0
00 00
RBP: ffff8801abfef630 R08: 000060fe24e0e1d0 R09: ffffed0037e0d4b8
fc
R10: 0000000000000000 R11: dffffc0000000000 R12: ffff8801bf06a5c0
ff
R13: ffff8801d945d480 R14: 0000000000000000 R15: ffff8801bf06a5bf
df 48
FS: 00007fa5a4f507a0(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
89 fa
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
48
CR2: ffff8801bf06a5c0 CR3: 00000001cba9d000 CR4: 00000000001406e0
c1
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
ea 03
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
0f b6


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

syzbot

Oct 9, 2019, 9:17:08 AM
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.