uvm_fault: alltraps_kern_meltdown (2)

syzbot

3:46 AM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 2a36b3c3c2a3 keypairtest: zero out tls_error before runnin..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1304c4ce580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7058272de1526588
dashboard link: https://syzkaller.appspot.com/bug?extid=742febd2e60866693d2b

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f6119520ed7c/disk-2a36b3c3.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/c869e1872010/bsd-2a36b3c3.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0a0ed8c5785b/kernel-2a36b3c3.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+742feb...@syzkaller.appspotmail.com

login: uvm_fault(0xfffffd806c4f6020, 0x98, 0, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip ffffffff813446f8 cs 8 rflags 10246 cr2 98 cpl 0 rsp ffff800034bb8570
gsbase 0xffff8000299bdff0 kgsbase 0x0
panic: trap type 6, code=0, pc=ffffffff813446f8
Starting stack trace...
panic(ffffffff83483d0d) at panic+0x1d0 sys/kern/subr_prf.c:229
kerntrap(ffff800034bb84c0) at kerntrap+0x30b
alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b
dovutimens(ffff8000ffff27e0,fffffd80601fe968,ffff800034bb8680) at dovutimens+0x368 sys/kern/vfs_syscalls.c:2771
sys_futimens(ffff8000ffff27e0,ffff800034bb87d0,ffff800034bb8720) at sys_futimens+0xb3 sys/kern/vfs_syscalls.c:2847
syscall(ffff800034bb87d0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff800034bb87d0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x384cddd26e0, count: 250
End of stack trace.

WARNING: SPL NOT LOWERED ON TRAP EXIT 4 0
Stopped at alltraps_kern_meltdown+0xb8: movl %ebx,%gs:0x688
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*466904 51025 0 0 0x4000000 1 syz-executor
139001 28379 0 0x2 0 0K syz-executor
alltraps_kern_meltdown() at alltraps_kern_meltdown+0xb8
_copyin() at _copyin+0x5b
tun_dev_write(5d07,ffff80002efa6d88,0,2) at tun_dev_write+0x398 sys/net/if_tun.c:1023
spec_write(ffff80002efa6bd0) at spec_write+0x11f sys/kern/spec_vnops.c:302
VOP_WRITE(fffffd806d9b6618,ffff80002efa6d88,11,fffffd80097fd6e8) at VOP_WRITE+0x101 sys/kern/vfs_vops.c:245
vn_write(fffffd806c514680,ffff80002efa6d88,0) at vn_write+0x1d3 sys/kern/vfs_vnops.c:414
dofilewritev(ffff8000ffff3ca0,c8,ffff80002efa6d88,0,ffff80002efa6e40) at dofilewritev+0x2bd sys/kern/sys_generic.c:384
sys_write(ffff8000ffff3ca0,ffff80002efa6ef0,ffff80002efa6e40) at sys_write+0xa2 sys/kern/sys_generic.c:300
syscall(ffff80002efa6ef0) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80002efa6ef0) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x38448a199c0, count: 5
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu1: uvm_fault(0xfffffd806c4f6020, 0x98, 0, 1) -> e
ddb{1}> trace
alltraps_kern_meltdown() at alltraps_kern_meltdown+0xb8
_copyin() at _copyin+0x5b
tun_dev_write(5d07,ffff80002efa6d88,0,2) at tun_dev_write+0x398 sys/net/if_tun.c:1023
spec_write(ffff80002efa6bd0) at spec_write+0x11f sys/kern/spec_vnops.c:302
VOP_WRITE(fffffd806d9b6618,ffff80002efa6d88,11,fffffd80097fd6e8) at VOP_WRITE+0x101 sys/kern/vfs_vops.c:245
vn_write(fffffd806c514680,ffff80002efa6d88,0) at vn_write+0x1d3 sys/kern/vfs_vnops.c:414
dofilewritev(ffff8000ffff3ca0,c8,ffff80002efa6d88,0,ffff80002efa6e40) at dofilewritev+0x2bd sys/kern/sys_generic.c:384
sys_write(ffff8000ffff3ca0,ffff80002efa6ef0,ffff80002efa6e40) at sys_write+0xa2 sys/kern/sys_generic.c:300
syscall(ffff80002efa6ef0) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80002efa6ef0) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x38448a199c0, count: -10
ddb{1}> show registers
rdi 0
rsi 0
rbp 0xffff80002efa69b0
rbx 0
rdx 0
rcx 0xffff8000ffff3ca0
rax 0x2a
r8 0xffff80002efa68e0
r9 0x1
r10 0x4d18a5943b7630ab
r11 0x1226aec09c4a18ca
r12 0x2000000000c0
r13 0xffbe __ALIGN_SIZE+0xefbe
r14 0xffff80002efa6d88
r15 0xffbe __ALIGN_SIZE+0xefbe
rip 0xffffffff833b920b alltraps_kern_meltdown+0xb8
cs 0x8
rflags 0x246
rsp 0xffff80002efa6930
ss 0x10
alltraps_kern_meltdown+0xb8: movl %ebx,%gs:0x688
ddb{1}>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup