Re: kernel page fault in vm_teardown
Looking at src changes this is probably expected, Nov 20 snapshot is still affected.

login: uvm_fault(0x81cbc100, 0x80b6e000, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at      uvm_unmap_remove+0x212: movq    0x100(%r13),%r8
ddb{7}> set $lines = 0
ddb{7}> show panic
kernel page fault
uvm_fault(0x81cbc100, 0x80b6e000, 0, 1) -> e
uvm_unmap_remove(f3660549fcbefe8b,ff03996f0b60,80b6df00,ff03996f0b50,800022286480,0) at uvm_unmap_remove+0x212
end trace frame: 0x8000222a50c0, count: 0
ddb{7}> trace
uvm_unmap_remove(f3660549fcbefe8b,ff03996f0b60,80b6df00,ff03996f0b50,800022286480,0) at uvm_unmap_remove+0x212
uvm_map_deallocate(c213623cf2be5b6) at uvm_map_deallocate+0x5e
vm_teardown(ff03996f0990) at vm_teardown+0xf0
vm_run(f3660549fca69a0f) at vm_run+0x226
VOP_IOCTL(703dbe68b198b2f2,ff03d3ba3c30,a50318ed4b52f246,800022280338,ff043f7ca4e0,3) at VOP_IOCTL+0x5a
vn_ioctl(51b27f479be0b418,ff03c287f178,800022280338,20) at vn_ioctl+0x6b
sys_ioctl(f1ce120ec2c9a54e,360,800022280338) at sys_ioctl+0x3ec
syscall(33dbf1b60169518) at syscall+0x32a
Xsyscall(0,36,0,36,118700b52d0,11870035000) at Xsyscall+0x128
end of kernel
end trace frame: 0x11a7a41b340, count: -9

On Sun, Nov 11, 2018 at 9:56 AM Greg Steuck wrote:
> Hi Mike,
>
> > Known issue. And the parameters in the list aren't right (there needs to be
> > something added to clang/llvm to support reading the params properly).
>
> This is happening often enough to create toil for running syzkaller with
> VMM. Is there a workaround that you know of? As things stand I end up
> monitoring this machine and rebooting on crashes. While I can automate this
> with some work, it feels deeply unsatisfying.
>
> Thanks
> Greg
Re: kernel page fault in vm_teardown
Hi Mike,

> Known issue. And the parameters in the list aren't right (there needs to be
> something added to clang/llvm to support reading the params properly).

This is happening often enough to create toil for running syzkaller with
VMM. Is there a workaround that you know of? As things stand I end up
monitoring this machine and rebooting on crashes. While I can automate this
with some work, it feels deeply unsatisfying.

Thanks
Greg
Re: kernel page fault in vm_teardown
On Tue, Oct 30, 2018 at 09:17:19PM -0700, Greg Steuck wrote:
> My syzkaller machine running a recent snapshot just crashed. The value
> 0x415efd243b54d319 passed into uvm_map_deallocate looks quite fishy to me.
>

Known issue. And the parameters in the list aren't right (there needs to be
something added to clang/llvm to support reading the params properly).

-ml

> Some hopefully useful info below.
>
> ddb{4}> trace
> uvm_unmap_remove(c05f7f8cd1633180,ff036f57f5a8,80b85f00,ff036f57f598,8000222b8040,0) at uvm_unmap_remove+0x212
> uvm_map_deallocate(415efd243b54d319) at uvm_map_deallocate+0x5e
> vm_teardown(ff036f57f3d8) at vm_teardown+0xf0
> vm_run(a186e3e68e0c8d2d) at vm_run+0x226
> VOP_IOCTL(d3bfd0b457c4b224,ff03c9c6f5f0,32269d81b8d394bf,8000222b4968,ff043f7ca420,3) at VOP_IOCTL+0x5a
> vn_ioctl(d3bfd0b4579725f3,ff03ca9e15b0,8000222b4968,20) at vn_ioctl+0x6b
> sys_ioctl(7867d986861f8ba2,360,8000222b4968) at sys_ioctl+0x3ec
> syscall(3871e5d148df7b3d) at syscall+0x32a
> Xsyscall(0,36,0,36,1fc2fafb52d0,1fc2faf35000) at Xsyscall+0x128
> end of kernel
> end trace frame: 0x1fc5a67a25b0, count: -9
> ddb{4}> show proc
> PROC (vmd) pid=51765 stat=onproc
>     flags process=100010 proc=400
>     pri=86, usrpri=86, nice=20
>     forw=0x, list=0x8000222b5520,0x8000222b4270
>     process=0x8000fffecfc8 user=0x80002237d000, vmspace=0xff03c12e9c70
>     estcpu=36, cpticks=110340, pctcpu=13.31
>     user=0, sys=110290, intr=0
> ddb{4}> show registers
> rdi               0x313679            acpi_pdirpa+0x2ff4e1
> rsi     0x20656874203a7374
> rbp         0x800022382510
> rbx         0x8000223824d0
> rdx               0x11f010            acpi_pdirpa+0x10ae78
> rcx                      0
> rax         0xff01189c9c80
> r8                     0x3
> r9                     0xa            acpi_pdirpa+0x8be68
> r10     0x843d1fe10f0343b5
> r11     0x871ebb2341e37234
> r12         0xff036df6f800
> r13             0x80b85f00
> r14         0xff036df6f560
> r15                 0x2000
> rip             0x81253ea2            uvm_unmap_remove+0x212
> cs                     0x8
> rflags             0x10246            __ALIGN_SIZE+0xf246
> rsp         0x8000223824c0
> ss                    0x10
> uvm_unmap_remove+0x212: movq    0x100(%r13),%r8
> ddb{4}> ps
>    PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
>  17768  177047  33715   1000  3    0x100082  netio         vmctl
>  29298  159270  33715   1000  3    0x100082  select        ssh
>  64908  229787  65965    107  3    0x100090  fsleep        vmd
> *64908   51765  65965    107  7   0x4100010                vmd
>  64908  303902  65965    107  3   0x4100090  kqread        vmd
>  13897  386612  33715   1000  3    0x100082  kqread        cu
>  73064  419314  33715   1000  3    0x100082  select        ssh
>   4542   45446  33715   1000  3    0x100082  select        ssh
>  68055  103187  65965    107  3    0x100090  fsleep        vmd
>  68055  234837  65965    107  7   0x4100010                vmd
>  68055  264629  65965    107  3   0x4100090  kqread        vmd
>  52273   63673  33715   1000  3    0x100082  kqread        cu
>  66423  519194  65965    107  3    0x100090  fsleep        vmd
>  66423  290968  65965    107  7   0x4100010                vmd
>  66423   87324  65965    107  3   0x4100090  kqread        vmd
>  99721  216090  33715   1000  3    0x100082  kqread        cu
>  94925  180901  59444   1000  3    0x100083  ttyin         ksh
>  59444  245156  97608   1000  3        0x90  select        sshd
>  97608  190596   7060      0  3        0x92  poll          sshd
>  33715  486116  47331   1000  3        0x82  thrsleep      syz-manager
>  33715  476656  47331   1000  3       0x482  nanosleep     syz-manager
>  33715  250648  47331   1000  3       0x482  thrsleep      syz-manager
>  33715  416559  47331   1000  3       0x482  thrsleep      syz-manager
>  33715  446496  47331   1000  3       0x482  thrsleep      syz-manager
>  33715   28430  47331   1000  3       0x482  wait          syz-manager
>  33715  416959  47331   1000  3       0x482  thrsleep      syz-manager
>  33715   35863  47331   1000  3       0x482  thrsleep      syz-manager
>  33715   12026  47331   1000  3       0x482  thrsleep      syz-manager
>  33715   50683  47331   1000  3       0x482  thrsleep      syz-manager
>  33715  263314  47331   1000  3       0x482  thrsleep      syz-manager
>  33715  270714  47331   1000  3       0x482  thrsleep      syz-manager
>  33715  504545  47331   1000  3       0x482  thrsleep      syz-manager
>  33715   37212  47331   1000  3       0x482  thrsleep      syz-manager
>  33715  487285  47331   1000  3       0x482  kqread        syz-manager
>  33715  367916  47331   1000  3       0x482  thrsleep      syz-manager
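Greg's "fishy" value and Mike's note that the argument list ddb prints is not trustworthy on this toolchain point at the same triage rule: when deduplicating crashes from a syzkaller/vmm box, key on the call chain (symbol+offset per frame) and treat the printed arguments as display-only. The script below is an added example, not code from this thread, from OpenBSD or from syzkaller; it assumes only the `callee(args) at symbol+0xoff` frame format visible in the traces above, and its sample input is the two backtraces quoted in this thread (the frame lines are reproduced verbatim; everything else is constructed).

```python
# Added example, not code from this thread or from OpenBSD/syzkaller.
# Parses OpenBSD ddb 'trace' output and derives a crash signature from the
# call chain alone, ignoring the printed argument values (which, as noted in
# the thread, are not reliable with this toolchain).
import hashlib
import re
from dataclasses import dataclass

# Constructed samples: the two backtraces from this thread, which differ only
# in the (unreliable) argument values.
TRACE_OCT30 = """\
ddb{4}> trace
uvm_unmap_remove(c05f7f8cd1633180,ff036f57f5a8,80b85f00,ff036f57f598,8000222b8040,0) at uvm_unmap_remove+0x212
uvm_map_deallocate(415efd243b54d319) at uvm_map_deallocate+0x5e
vm_teardown(ff036f57f3d8) at vm_teardown+0xf0
vm_run(a186e3e68e0c8d2d) at vm_run+0x226
VOP_IOCTL(d3bfd0b457c4b224,ff03c9c6f5f0,32269d81b8d394bf,8000222b4968,ff043f7ca420,3) at VOP_IOCTL+0x5a
vn_ioctl(d3bfd0b4579725f3,ff03ca9e15b0,8000222b4968,20) at vn_ioctl+0x6b
sys_ioctl(7867d986861f8ba2,360,8000222b4968) at sys_ioctl+0x3ec
syscall(3871e5d148df7b3d) at syscall+0x32a
Xsyscall(0,36,0,36,1fc2fafb52d0,1fc2faf35000) at Xsyscall+0x128
end of kernel
end trace frame: 0x1fc5a67a25b0, count: -9
"""

TRACE_NOV20 = """\
ddb{7}> trace
uvm_unmap_remove(f3660549fcbefe8b,ff03996f0b60,80b6df00,ff03996f0b50,800022286480,0) at uvm_unmap_remove+0x212
uvm_map_deallocate(c213623cf2be5b6) at uvm_map_deallocate+0x5e
vm_teardown(ff03996f0990) at vm_teardown+0xf0
vm_run(f3660549fca69a0f) at vm_run+0x226
VOP_IOCTL(703dbe68b198b2f2,ff03d3ba3c30,a50318ed4b52f246,800022280338,ff043f7ca4e0,3) at VOP_IOCTL+0x5a
vn_ioctl(51b27f479be0b418,ff03c287f178,800022280338,20) at vn_ioctl+0x6b
sys_ioctl(f1ce120ec2c9a54e,360,800022280338) at sys_ioctl+0x3ec
syscall(33dbf1b60169518) at syscall+0x32a
Xsyscall(0,36,0,36,118700b52d0,11870035000) at Xsyscall+0x128
end of kernel
end trace frame: 0x11a7a41b340, count: -9
"""

# One ddb frame: "<callee>(<hex args>) at <symbol>+0x<offset>"
FRAME_RE = re.compile(
    r"^(?P<func>\w+)\((?P<args>[^)]*)\)\s+at\s+(?P<sym>\w+)\+0x(?P<off>[0-9a-fA-F]+)$"
)


@dataclass(frozen=True)
class Frame:
    symbol: str   # function the return address lies in
    offset: int   # byte offset of the return address into that function
    args: tuple   # raw argument strings, kept only for display


def parse_trace(text):
    """Return the frames of a ddb backtrace, innermost first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m is None:
            continue  # prompt, "end of kernel", "end trace frame", etc.
        args = tuple(a for a in m.group("args").split(",") if a)
        frames.append(Frame(m.group("sym"), int(m.group("off"), 16), args))
    return frames


# Entry frames every ioctl-driven crash shares; they add nothing to the key.
ENTRY_FRAMES = {"syscall", "Xsyscall"}


def crash_key(frames, depth=4):
    """Innermost `depth` non-entry frames as 'sym+0xoff|...', no arguments."""
    chain = [f for f in frames if f.symbol not in ENTRY_FRAMES][:depth]
    return "|".join(f"{f.symbol}+0x{f.offset:x}" for f in chain)


def crash_signature(text, depth=4):
    """Short stable id for deduplicating repeated crashes across reboots."""
    key = crash_key(parse_trace(text), depth)
    return hashlib.sha256(key.encode()).hexdigest()[:16]


if __name__ == "__main__":
    for name, trace in (("Oct 30", TRACE_OCT30), ("Nov 20", TRACE_NOV20)):
        frames = parse_trace(trace)
        print(f"{name}: {crash_signature(trace)}  {crash_key(frames)}")
        # The argument values differ between the two reports; the call chain does not.
        print("   uvm_map_deallocate arg:", frames[1].args)
```

Run stand-alone, it prints the same signature for both reports even though the `uvm_map_deallocate` argument is 0x415efd243b54d319 in one and c213623cf2be5b6 in the other, which is the behaviour you want from a crash monitor that should stop re-reporting a known issue. The `depth` cut-off is a judgement call: four frames above the syscall entry is enough here to separate this teardown path from other vmm ioctl crashes without being so deep that unrelated callers fragment the bucket.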
kernel page fault in vm_teardown
My syzkaller machine running a recent snapshot just crashed. The value
0x415efd243b54d319 passed into uvm_map_deallocate looks quite fishy to me.

Some hopefully useful info below.

ddb{4}> trace
uvm_unmap_remove(c05f7f8cd1633180,ff036f57f5a8,80b85f00,ff036f57f598,8000222b8040,0) at uvm_unmap_remove+0x212
uvm_map_deallocate(415efd243b54d319) at uvm_map_deallocate+0x5e
vm_teardown(ff036f57f3d8) at vm_teardown+0xf0
vm_run(a186e3e68e0c8d2d) at vm_run+0x226
VOP_IOCTL(d3bfd0b457c4b224,ff03c9c6f5f0,32269d81b8d394bf,8000222b4968,ff043f7ca420,3) at VOP_IOCTL+0x5a
vn_ioctl(d3bfd0b4579725f3,ff03ca9e15b0,8000222b4968,20) at vn_ioctl+0x6b
sys_ioctl(7867d986861f8ba2,360,8000222b4968) at sys_ioctl+0x3ec
syscall(3871e5d148df7b3d) at syscall+0x32a
Xsyscall(0,36,0,36,1fc2fafb52d0,1fc2faf35000) at Xsyscall+0x128
end of kernel
end trace frame: 0x1fc5a67a25b0, count: -9
ddb{4}> show proc
PROC (vmd) pid=51765 stat=onproc
    flags process=100010 proc=400
    pri=86, usrpri=86, nice=20
    forw=0x, list=0x8000222b5520,0x8000222b4270
    process=0x8000fffecfc8 user=0x80002237d000, vmspace=0xff03c12e9c70
    estcpu=36, cpticks=110340, pctcpu=13.31
    user=0, sys=110290, intr=0
ddb{4}> show registers
rdi               0x313679            acpi_pdirpa+0x2ff4e1
rsi     0x20656874203a7374
rbp         0x800022382510
rbx         0x8000223824d0
rdx               0x11f010            acpi_pdirpa+0x10ae78
rcx                      0
rax         0xff01189c9c80
r8                     0x3
r9                     0xa            acpi_pdirpa+0x8be68
r10     0x843d1fe10f0343b5
r11     0x871ebb2341e37234
r12         0xff036df6f800
r13             0x80b85f00
r14         0xff036df6f560
r15                 0x2000
rip             0x81253ea2            uvm_unmap_remove+0x212
cs                     0x8
rflags             0x10246            __ALIGN_SIZE+0xf246
rsp         0x8000223824c0
ss                    0x10
uvm_unmap_remove+0x212: movq    0x100(%r13),%r8
ddb{4}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 17768  177047  33715   1000  3    0x100082  netio         vmctl
 29298  159270  33715   1000  3    0x100082  select        ssh
 64908  229787  65965    107  3    0x100090  fsleep        vmd
*64908   51765  65965    107  7   0x4100010                vmd
 64908  303902  65965    107  3   0x4100090  kqread        vmd
 13897  386612  33715   1000  3    0x100082  kqread        cu
 73064  419314  33715   1000  3    0x100082  select        ssh
  4542   45446  33715   1000  3    0x100082  select        ssh
 68055  103187  65965    107  3    0x100090  fsleep        vmd
 68055  234837  65965    107  7   0x4100010                vmd
 68055  264629  65965    107  3   0x4100090  kqread        vmd
 52273   63673  33715   1000  3    0x100082  kqread        cu
 66423  519194  65965    107  3    0x100090  fsleep        vmd
 66423  290968  65965    107  7   0x4100010                vmd
 66423   87324  65965    107  3   0x4100090  kqread        vmd
 99721  216090  33715   1000  3    0x100082  kqread        cu
 94925  180901  59444   1000  3    0x100083  ttyin         ksh
 59444  245156  97608   1000  3        0x90  select        sshd
 97608  190596   7060      0  3        0x92  poll          sshd
 33715  486116  47331   1000  3        0x82  thrsleep      syz-manager
 33715  476656  47331   1000  3       0x482  nanosleep     syz-manager
 33715  250648  47331   1000  3       0x482  thrsleep      syz-manager
 33715  416559  47331   1000  3       0x482  thrsleep      syz-manager
 33715  446496  47331   1000  3       0x482  thrsleep      syz-manager
 33715   28430  47331   1000  3       0x482  wait          syz-manager
 33715  416959  47331   1000  3       0x482  thrsleep      syz-manager
 33715   35863  47331   1000  3       0x482  thrsleep      syz-manager
 33715   12026  47331   1000  3       0x482  thrsleep      syz-manager
 33715   50683  47331   1000  3       0x482  thrsleep      syz-manager
 33715  263314  47331   1000  3       0x482  thrsleep      syz-manager
 33715  270714  47331   1000  3       0x482  thrsleep      syz-manager
 33715  504545  47331   1000  3       0x482  thrsleep      syz-manager
 33715   37212  47331   1000  3       0x482  thrsleep      syz-manager
 33715  487285  47331   1000  3       0x482  kqread        syz-manager
 33715  367916  47331   1000  3       0x482  thrsleep      syz-manager
 33715  365101  47331   1000  3       0x482  thrsleep      syz-manager
 33715  175614  47331   1000  3       0x482  thrsleep      syz-manager
 33715   86128  47331   1000  3       0x482  thrsleep      syz-manager
 33715  243048  47331   1000  3       0x482  thrsleep      syz-manager
 33715   65128  47331   1000  3       0x482  thrsleep      syz-manager
  7782  391573      1      0  3