BUG: unable to handle kernel paging request in __task_pid_nr_ns
From: Wei Chen
Date: Sun Oct 30 2022 - 06:03:24 EST
Dear Linux Developer,
Recently when using our tool to fuzz kernel, the following crash was triggered:
HEAD commit: 64570fbc14f8 Linux 5.15-rc5
git tree: upstream
compiler: gcc 8.0.1
console output:
https://drive.google.com/file/d/1TvkFjO_yttSdzHIvGPGgqrmtOIqta6WR/view?usp=share_link
kernel config: https://drive.google.com/file/d/1uDOeEYgJDcLiSOrx9W8v2bqZ6uOA_55t/view?usp=share_link
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <harperchen1110@xxxxxxxxx>
BUG: unable to handle page fault for address: 0000000200000081
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 15145 Comm: systemd-udevd Not tainted 5.15.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:__task_pid_nr_ns+0xc3/0x310
Code: 1b e8 c1 94 08 00 31 ff 41 89 c5 89 c6 e8 45 1a 13 00 45 85 ed
0f 84 d0 00 00 00 e8 37 19 13 00 48 85 db 74 23 e8 2d 19 13 00 <41> 8b
84 24 80 00 00 00 44 8b 6b 04 41 89 c6 89 c7 44 89 ee e8 94
RSP: 0018:ffffc900037bbf08 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88811486d400 RCX: ffff888104839b80
RDX: 0000000000000000 RSI: ffff888104839b80 RDI: 0000000000000002
RBP: ffffc900037bbf28 R08: ffffffff812a5a33 R09: 0000000000000000
R10: 0000000000000005 R11: 0000000000000001 R12: 0000000200000001
R13: 0000000000000001 R14: ffff88800ab84200 R15: 0000000000000000
FS: 00007f09bf51c8c0(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000200000081 CR3: 0000000014217000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__do_sys_getpid+0x1a/0x20
do_syscall_64+0x34/0xb0
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f09be36cf17
Code: ff ff ff 48 8b 4d a0 0f b7 51 fe 48 8b 4d a8 66 89 54 08 fe e9
1a ff ff ff 66 2e 0f 1f 84 00 00 00 00 00 b8 27 00 00 00 0f 05 <c3> 0f
1f 84 00 00 00 00 00 b8 6e 00 00 00 0f 05 c3 0f 1f 84 00 00
RSP: 002b:00007ffd28a87fe8 EFLAGS: 00000282 ORIG_RAX: 0000000000000027
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f09be36cf17
RDX: 00000136b6f159e4 RSI: 00002928bb089855 RDI: 000055e10338c4f7
RBP: 00000136b6f159e4 R08: 000000000000c0c0 R09: 0000000000000030
R10: 0000000000000000 R11: 0000000000000282 R12: 000055e10338c4f5
R13: 8421084210842109 R14: 00000000000800c2 R15: 00007f09be41d540
Modules linked in:
CR2: 0000000200000081
---[ end trace 0e559acc68de055e ]---
RIP: 0010:__task_pid_nr_ns+0xc3/0x310
Code: 1b e8 c1 94 08 00 31 ff 41 89 c5 89 c6 e8 45 1a 13 00 45 85 ed
0f 84 d0 00 00 00 e8 37 19 13 00 48 85 db 74 23 e8 2d 19 13 00 <41> 8b
84 24 80 00 00 00 44 8b 6b 04 41 89 c6 89 c7 44 89 ee e8 94
RSP: 0018:ffffc900037bbf08 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88811486d400 RCX: ffff888104839b80
RDX: 0000000000000000 RSI: ffff888104839b80 RDI: 0000000000000002
RBP: ffffc900037bbf28 R08: ffffffff812a5a33 R09: 0000000000000000
R10: 0000000000000005 R11: 0000000000000001 R12: 0000000200000001
R13: 0000000000000001 R14: ffff88800ab84200 R15: 0000000000000000
FS: 00007f09bf51c8c0(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000200000081 CR3: 0000000014217000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 1b e8 sbb %eax,%ebp
2: c1 94 08 00 31 ff 41 rcll $0x89,0x41ff3100(%rax,%rcx,1)
9: 89
a: c5 89 c6 e8 45 vshufpd $0x45,%xmm0,%xmm14,%xmm5
f: 1a 13 sbb (%rbx),%dl
11: 00 45 85 add %al,-0x7b(%rbp)
14: ed in (%dx),%eax
15: 0f 84 d0 00 00 00 je 0xeb
1b: e8 37 19 13 00 callq 0x131957
20: 48 85 db test %rbx,%rbx
23: 74 23 je 0x48
25: e8 2d 19 13 00 callq 0x131957
* 2a: 41 8b 84 24 80 00 00 mov 0x80(%r12),%eax <-- trapping instruction
31: 00
32: 44 8b 6b 04 mov 0x4(%rbx),%r13d
36: 41 89 c6 mov %eax,%r14d
39: 89 c7 mov %eax,%edi
3b: 44 89 ee mov %r13d,%esi
3e: e8 .byte 0xe8
3f: 94 xchg %eax,%esp
Best,
Wei