Re: BUG: unable to handle kernel paging request in __get_user_4

From: Dmitry Vyukov
Date: Tue Dec 19 2017 - 07:16:18 EST


On Sun, Dec 3, 2017 at 3:23 PM, syzbot
<bot+526b7120b487f61c779d3cadfc1befe4cfe62b54@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
> Hello,
>
> syzkaller hit the following crash on
> fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
>
> Unfortunately, I don't have any reproducer for this bug yet.
>
>
> Bearer <> rejected, not supported in standalone mode
> kvm: pic: non byte read
> BUG: unable to handle kernel paging request at 000000009bac8456
> IP: __get_user_4+0x1e/0x30 arch/x86/lib/getuser.S:72
> PGD 5e28067 P4D 5e28067 PUD 5e2a067 PMD 0
> Oops: 0002 [#1] SMP KASAN
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Modules linked in:
> CPU: 0 PID: 5282 Comm: syz-executor4 Not tainted 4.15.0-rc1-next-20171201+ #57
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> task: 00000000aec8ff4d task.stack: 00000000b2f5be93
> RIP: 0010:__get_user_4+0x1e/0x30 arch/x86/lib/getuser.S:72
> RSP: 0018:ffff8801c69f7c98 EFLAGS: 00010283
> RAX: 0000000020000007 RBX: fffffffffffffff2 RCX: ffffffff8199e758
> RDX: 0000000000000078 RSI: ffffc9000376d000 RDI: 0000000000000282
> RBP: ffff8801c69f7f10 R08: ffff8801db41f740 R09: 1ffff10038d3ef68
> R10: ffff8801919ec4c0 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000020000000 R14: ffff8801c69f7e48 R15: 0000000000000000
> FS: 00007f8945789700(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: fffffffffffffff8 CR3: 00000001cc3af000 CR4: 00000000001426f0
> DR0: 0000000020000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff1 DR7: 00000000000b0602
> Call Trace:
> SyS_perf_event_open+0x39/0x50 kernel/events/core.c:9825
> entry_SYSCALL_64_fastpath+0x1f/0x96
> RIP: 0033:0x4529d9
> RSP: 002b:00007f8945788c58 EFLAGS: 00000212 ORIG_RAX: 000000000000012a
> RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 00000000004529d9
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000000
> RBP: 00000000000005a8 R08: 0000000000000000 R09: 0000000000000000
> R10: ffffffffffffffff R11: 0000000000000212 R12: 00000000006f5860
> R13: 00000000ffffffff R14: 00007f89457896d4 R15: 0000000000000000
> Code: 00 c3 90 66 2e 0f 1f 84 00 00 00 00 00 48 83 c0 03 72 4f 65 48 8b 14
> 25 40 65 01 00 48 3b 82 a0 15 00 00 73 3d 0f 1f 00 8b 50 fd <31> c0 0f 1f 00
> c3 66 90 66 2e 0f 1f 84 00 00 00 00 00 48 83 c0
> RIP: __get_user_4+0x1e/0x30 arch/x86/lib/getuser.S:72 RSP: ffff8801c69f7c98
> CR2: fffffffffffffff8
> ---[ end trace 8461d08d2284fad0 ]---
> Kernel panic - not syncing: Fatal exception
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..

#syz dup: BUG: unable to handle kernel paging request in __switch_to

> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to syzkaller@xxxxxxxxxxxxxxxxx
> Please credit me with: Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
>
> syzbot will keep track of this bug report.
> Once a fix for this bug is committed, please reply to this email with:
> #syz fix: exact-commit-title
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug
> report.
> Note: all commands must start from beginning of the line in the email body.
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@xxxxxxxxxxxxxxxxx
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/94eb2c0810d0dd69a9055f70561f%40google.com.
> For more options, visit https://groups.google.com/d/optout.
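The oops quoted above is the raw artifact a triager works from. As an added example (not part of this thread, and not syzkaller's or the kernel's code), the C program below parses the relevant lines of that report, copied here as constructed sample strings with the quote marks stripped, into a struct holding the faulting symbol, offset, file:line, the page-fault error code from the "Oops:" line, the CR2 register and the kernel call-trace frames. It also checks whether the address on the "BUG: ... at" line agrees with CR2; on this dump they differ (000000009bac8456 versus fffffffffffffff8), and the BUG-line value looks like the hashed task and task.stack pointers printed a few lines later, so CR2 is the fault address to reason about. The field names and the 8-frame limit are the example's own choices.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_FRAMES 8

/* Fields pulled out of an x86-64 oops header. */
struct oops_info {
    uint64_t bug_addr;             /* address printed on the "BUG: ... at" line */
    uint64_t cr2;                  /* fault address from the register dump */
    unsigned long err;             /* page-fault error code from "Oops: NNNN" */
    char sym[64];                  /* faulting symbol, e.g. __get_user_4 */
    unsigned long off, size;       /* +off/size from the IP line */
    char file[128];                /* source file from the IP line */
    unsigned line;                 /* source line from the IP line */
    char frames[MAX_FRAMES][64];   /* kernel call-trace frames (symbol only) */
    int nframes;
};

/* Constructed sample: the lines of the syzbot report above, unquoted. */
static const char *const sample[] = {
    "BUG: unable to handle kernel paging request at 000000009bac8456",
    "IP: __get_user_4+0x1e/0x30 arch/x86/lib/getuser.S:72",
    "Oops: 0002 [#1] SMP KASAN",
    "CR2: fffffffffffffff8 CR3: 00000001cc3af000 CR4: 00000000001426f0",
    "Call Trace:",
    "SyS_perf_event_open+0x39/0x50 kernel/events/core.c:9825",
    "entry_SYSCALL_64_fastpath+0x1f/0x96",
    "RIP: 0033:0x4529d9",
    NULL
};

/* Parse a NULL-terminated array of oops lines. Returns 1 when the BUG, IP
 * and CR2 lines were all found, 0 otherwise. */
int parse_oops(const char *const *lines, struct oops_info *o)
{
    int have_bug = 0, have_ip = 0, have_cr2 = 0, in_trace = 0;
    unsigned long long v;

    memset(o, 0, sizeof *o);
    for (; *lines; lines++) {
        const char *l = *lines;
        if (sscanf(l, "BUG: unable to handle kernel paging request at %llx", &v) == 1) {
            o->bug_addr = v;
            have_bug = 1;
        } else if (sscanf(l, "IP: %63[^+]+0x%lx/0x%lx %127[^:]:%u",
                          o->sym, &o->off, &o->size, o->file, &o->line) == 5) {
            have_ip = 1;
        } else if (sscanf(l, "Oops: %lx", &o->err) == 1) {
            /* x86 error code bits: 1 = protection, 2 = write, 4 = user mode */
        } else if (sscanf(l, "CR2: %llx", &v) == 1) {
            o->cr2 = v;
            have_cr2 = 1;
        } else if (strcmp(l, "Call Trace:") == 0) {
            in_trace = 1;
        } else if (in_trace && strncmp(l, "RIP: 0033:", 10) == 0) {
            in_trace = 0;          /* user-space RIP: the kernel trace is over */
        } else if (in_trace && o->nframes < MAX_FRAMES) {
            if (sscanf(l, "%63[^+ ]", o->frames[o->nframes]) == 1)
                o->nframes++;
        }
    }
    return have_bug && have_ip && have_cr2;
}

/* The "at" address should equal CR2; when it does not, trust CR2. */
int bug_addr_matches_cr2(const struct oops_info *o)
{
    return o->bug_addr == o->cr2;
}

/* Bit 1 of the x86 page-fault error code is set for a write access. */
int fault_is_write(const struct oops_info *o)
{
    return (o->err & 2) != 0;
}

/* Parse the embedded sample once; returns NULL if it does not parse. */
const struct oops_info *parse_sample(void)
{
    static struct oops_info o;
    static int ok = -1;
    if (ok < 0)
        ok = parse_oops(sample, &o);
    return ok ? &o : NULL;
}

int main(void)
{
    const struct oops_info *o = parse_sample();
    if (!o) {
        fprintf(stderr, "could not parse oops\n");
        return 1;
    }
    printf("fault in %s+0x%lx/0x%lx (%s:%u), %s access\n",
           o->sym, o->off, o->size, o->file, o->line,
           fault_is_write(o) ? "write" : "read");
    printf("BUG line address 0x%016llx, CR2 0x%016llx: %s\n",
           (unsigned long long)o->bug_addr, (unsigned long long)o->cr2,
           bug_addr_matches_cr2(o) ? "consistent" : "MISMATCH, use CR2");
    for (int i = 0; i < o->nframes; i++)
        printf("  #%d %s\n", i, o->frames[i]);
    return 0;
}
```

Feeding a report through this before filing or deduplicating it makes the faulting symbol, the access type and the real fault address explicit, which is what the "#syz dup" decision above is made on.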