[uml-devel] kernel BUG: while fuzzying a 32 bit Linux user mode guest with trinity

Sat, 03 May 2014 09:06:00 -0700 

I could force a crash using latest kernel tree (v3.15-rc3-159-g6c6ca9c with 
applied fix3.patch for the mremap syscall) and latest trinity tree 
(1.1-1349-g18ebf71).

The backtrace of the core dump gives :

tfoerste@n22 ~/tmp $ gdb /home/tfoerste/devel/linux/linux 
--core=/mnt/ramdisk/core -batch -ex 'thread apply all bt'
[New LWP 23912]

warning: Could not load shared library symbols for linux-gate.so.1.
Do you need "set solib-search-path" or "set sysroot"?
Core was generated by `/home/tfoerste/devel/linux/linux earlyprintk 
ubda=/home/tfoerste/virtual/uml/tr'.
Program terminated with signal 6, Aborted.
#0  0xb7741424 in __kernel_vsyscall ()

Thread 1 (LWP 23912):
#0  0xb7741424 in __kernel_vsyscall ()
#1  0x0848ac75 in kill ()
#2  0x08072a5d in uml_abort () at arch/um/os-Linux/util.c:93
#3  0x08072d95 in os_dump_core () at arch/um/os-Linux/util.c:148
#4  0x0806257d in panic_exit (self=0x86c9618 <panic_exit_notifier>, unused1=0, 
unused2=0x8700960 <buf.17019>) at arch/um/kernel/um_arch.c:240
#5  0x0809a266 in notifier_call_chain (nl=0x0, val=0, v=0x8700960 <buf.17019>, 
nr_to_call=-2, nr_calls=0x0) at kernel/notifier.c:93
#6  0x0809a381 in __atomic_notifier_call_chain (nh=0x8700944 
<panic_notifier_list>, val=0, v=0x8700960 <buf.17019>, nr_to_call=0, 
nr_calls=0x0) at kernel/notifier.c:182
#7  0x0809a3bf in atomic_notifier_call_chain (nh=0x0, val=0, v=0x0) at 
kernel/notifier.c:191
#8  0x084e742c in panic (fmt=0x0) at kernel/panic.c:130
#9  0x080cc265 in __delete_from_page_cache (page=0xa303520, shadow=0x0) at 
mm/filemap.c:202
#10 0x080cc32b in delete_from_page_cache (page=0xa303520) at mm/filemap.c:234
#11 0x080d7af7 in truncate_complete_page (page=<optimized out>, 
mapping=<optimized out>) at mm/truncate.c:145
#12 truncate_inode_page (mapping=0x4592c974, page=0xa303520) at 
mm/truncate.c:180
#13 0x080de69d in shmem_undo_range (inode=0x4592c8bc, lstart=26525858516, 
lend=3247232753107730432, unfalloc=false) at mm/shmem.c:429
#14 0x080df591 in shmem_truncate_range (inode=0x4592c8bc, lstart=0, 
lend=3247230382285783040) at mm/shmem.c:526
#15 0x080df6a8 in shmem_fallocate (file=0x0, mode=3, offset=0, len=1048576) at 
mm/shmem.c:1741
#16 0x081045da in do_fallocate (file=0x458bf300, mode=3, offset=0, len=1048576) 
at fs/open.c:298
#17 0x080e6b91 in madvise_remove (end=<optimized out>, start=<optimized out>, 
prev=<optimized out>, vma=<optimized out>) at mm/madvise.c:332
#18 madvise_vma (behavior=<optimized out>, end=<optimized out>, 
start=<optimized out>, prev=<optimized out>, vma=<optimized out>) at 
mm/madvise.c:384
#19 SYSC_madvise (behavior=<optimized out>, len_in=<optimized out>, 
start=<optimized out>) at mm/madvise.c:534
#20 SyS_madvise (start=1076387840, len_in=1048576, behavior=9) at 
mm/madvise.c:465
#21 0x08062b34 in handle_syscall (r=0x2d38e3e0) at 
arch/um/kernel/skas/syscall.c:35
#22 0x08074875 in handle_trap (local_using_sysemu=<optimized out>, 
regs=<optimized out>, pid=<optimized out>) at 
arch/um/os-Linux/skas/process.c:193
#23 userspace (regs=0x2d38e3e0) at arch/um/os-Linux/skas/process.c:426
#24 0x0805f770 in fork_handler () at arch/um/kernel/process.c:149
#25 0x00000000 in ?? ()



The output of the UML guest is :


Kernel panic - not syncing: BUG!
CPU: 0 PID: 1988 Comm: trinity-c2 Not tainted 3.15.0-rc3-00159-g6c6ca9c-dirty #8
Stack:
 085a4f54 085a4f54 2d107bbc 00000004 086c8547 0a303520 0000003f 4592c974
 2d107bcc 084eafa5 00000000 00000000 2d107bf4 084e7410 085b08ec 08700960
 085a1ca5 2d107c00 00000000 0a303520 0000003f 4592c974 2d107c2c 080cc265
Call Trace:
 [<080cc265>] ? __delete_from_page_cache+0x215/0x270
 [<084eafa5>] dump_stack+0x26/0x28
 [<084e7410>] panic+0x7a/0x194
 [<080cc265>] __delete_from_page_cache+0x215/0x270
 [<080cc32b>] delete_from_page_cache+0x6b/0x90
 [<080d7af7>] truncate_inode_page+0x97/0xb0
 [<080de69d>] shmem_undo_range+0x1bd/0x620
 [<080df591>] shmem_truncate_range+0x31/0x60
 [<080df6a8>] shmem_fallocate+0xe8/0x360
 [<0849a605>] ? __gettimeofday+0x15/0x30
 [<08071dfe>] ? set_signals+0x1e/0x40
 [<081045da>] do_fallocate+0x14a/0x1d0
 [<080e6b91>] SyS_madvise+0x1d1/0x720
 [<080aef0d>] ? __getnstimeofday+0x3d/0x100
 [<0807fa68>] ? SyS_gettimeofday+0x38/0x80
 [<08062b34>] handle_syscall+0x64/0x80
 [<0849d621>] ? ptrace+0x31/0x80
 [<08079802>] ? get_fp_registers+0x22/0x40
 [<08074875>] userspace+0x475/0x5f0
 [<0849d621>] ? ptrace+0x31/0x80
 [<08079d66>] ? os_set_thread_area+0x26/0x40
 [<08078d30>] ? do_set_thread_area+0x20/0x50
 [<08078ea8>] ? arch_switch_tls+0xb8/0x100
 [<0805f770>] fork_handler+0x60/0x70
/home/tfoerste/workspace/bin/start_uml.sh: line 110: 23912 Aborted              
   (core dumped) $LINUX earlyprintk ubda=$ROOTFS ubdb=$SWAP eth0=$NET mem=$MEM 
$TTY umid=uml_$NAME rootfstype=ext4 "$ARGS"
[3g        




There's no trinity log available, I lost it, sry.

FWIW the host system is a stable 32 bit Gentoo Linux with kernel 3.14.2.

-- 
Toralf


------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.  Get 
unparalleled scalability from the best Selenium testing platform available.
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
User-mode-linux-devel mailing list
User-mode-linux-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/user-mode-linux-devel

Reply via email to