BUG: unable to handle kernel paging request in swiotlb_bounce

From: cheung wall
Date: Wed Mar 13 2024 - 00:38:58 EST


Hello,



When using Healer to fuzz the latest Linux Kernel, the following crash was triggered on:


HEAD commit: 90d35da658da8cff0d4ecbb5113f5fac9d00eb72 (tag: v6.8-rc7)

git tree: upstream

console output:
https://drive.google.com/file/d/1BQCubjzbGYPIVK4so6wEMwMfwp4bzcoW/view?usp=drive_link

kernel config: https://drive.google.com/file/d/19VXB1YKwoBFpzjqTmm02jVi4-N9tNIvm/view?usp=drive_link

C reproducer: https://drive.google.com/file/d/1CU_h8zSE9anV6gzteBK7_jbBMKKm_wBf/view?usp=drive_link

Syzlang reproducer:
https://drive.google.com/file/d/1J9VtUKKMwozBjqK2JgjMZ1b6H4lB9f22/view?usp=drive_link



If you fix this issue, please add the following tag to the commit:

Reported-by: Qiang Zhang <zzqq0103.hey@xxxxxxxxx>

----------------------------------------------------------



BUG: unable to handle page fault for address: ffff888108a50000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 61c01067 P4D 61c01067 PUD 1008ee063 PMD 108a51063 PTE 800ffffef75af060
Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 9 Comm: kworker/0:0H Not tainted 6.8.0-rc7 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: kblockd blk_mq_run_work_fn
RIP: 0010:memcpy_orig+0x1e/0x140 arch/x86/lib/memcpy_64.S:65
Code: 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 89 f8 48 83 fa 20 0f 82 86 00 00 00 40 38 fe 7c 35 48 83 ea 20 48 83 ea 20 <4c> 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 4c 89 07
RSP: 0018:ffff888100307498 EFLAGS: 00010006
RAX: ffff8880bc51f000 RBX: ffff8880bbfdf000 RCX: ffffffffb98de085
RDX: 0000000000000fc0 RSI: ffff888108a50000 RDI: ffff8880bc51f000
RBP: ffff888100dfe0b8 R08: ffff8881c03ccc10 R09: fffffbfff7d61b01
R10: fffffbfff7d61b00 R11: ffffffffbeb0d807 R12: ffff888108a50000
R13: ffffffffbeb0d7a0 R14: ffff8880bc51f000 R15: ffff888108a50000
FS: 0000000000000000(0000) GS:ffff8881c0000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888108a50000 CR3: 0000000105330004 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 swiotlb_bounce+0x314/0x560 kernel/dma/swiotlb.c:899
 swiotlb_tbl_map_single+0xc67/0xfd0 kernel/dma/swiotlb.c:1343
 swiotlb_map+0x17a/0x700 kernel/dma/swiotlb.c:1480
 dma_direct_map_page kernel/dma/direct.h:95 [inline]
 dma_direct_map_sg+0x293/0x810 kernel/dma/direct.c:492
 __dma_map_sg_attrs+0xbb/0x1e0 kernel/dma/mapping.c:199
 dma_map_sg_attrs+0x34/0x50 kernel/dma/mapping.c:236
 ata_sg_setup drivers/ata/libata-core.c:4741 [inline]
 ata_qc_issue+0x5e9/0xb30 drivers/ata/libata-core.c:5043
 ata_scsi_translate drivers/ata/libata-scsi.c:1717 [inline]
 __ata_scsi_queuecmd+0x8de/0x11d0 drivers/ata/libata-scsi.c:4153
 ata_scsi_queuecmd+0xad/0x170 drivers/ata/libata-scsi.c:4198
 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1518 [inline]
 scsi_queue_rq+0xc07/0x2ac0 drivers/scsi/scsi_lib.c:1760
 blk_mq_dispatch_rq_list+0x3b6/0x1bd0 block/blk-mq.c:2070
 __blk_mq_do_dispatch_sched block/blk-mq-sched.c:170 [inline]
 blk_mq_do_dispatch_sched block/blk-mq-sched.c:184 [inline]
 __blk_mq_sched_dispatch_requests+0xbd4/0x14b0 block/blk-mq-sched.c:309
 blk_mq_sched_dispatch_requests+0xb2/0x110 block/blk-mq-sched.c:331
 blk_mq_run_work_fn+0x131/0x190 block/blk-mq.c:2455
 process_one_work kernel/workqueue.c:2633 [inline]
 process_scheduled_works+0x252/0xe10 kernel/workqueue.c:2706
 worker_thread+0x56c/0xc10 kernel/workqueue.c:2787
 kthread+0x2c8/0x3c0 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:243
 </TASK>
Modules linked in:
CR2: ffff888108a50000
---[ end trace 0000000000000000 ]---
RIP: 0010:memcpy_orig+0x1e/0x140 arch/x86/lib/memcpy_64.S:65
Code: 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 89 f8 48 83 fa 20 0f 82 86 00 00 00 40 38 fe 7c 35 48 83 ea 20 48 83 ea 20 <4c> 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 4c 89 07
RSP: 0018:ffff888100307498 EFLAGS: 00010006
RAX: ffff8880bc51f000 RBX: ffff8880bbfdf000 RCX: ffffffffb98de085
RDX: 0000000000000fc0 RSI: ffff888108a50000 RDI: ffff8880bc51f000
RBP: ffff888100dfe0b8 R08: ffff8881c03ccc10 R09: fffffbfff7d61b01
R10: fffffbfff7d61b00 R11: ffffffffbeb0d807 R12: ffff888108a50000
R13: ffffffffbeb0d7a0 R14: ffff8880bc51f000 R15: ffff888108a50000
FS: 0000000000000000(0000) GS:ffff8881c0000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888108a50000 CR3: 0000000105330004 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
note: kworker/0:0H[9] exited with irqs disabled
note: kworker/0:0H[9] exited with preempt_count 1
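Editor's added example (not part of the report, of Healer, or of the kernel): a small C triage helper that re-derives from the register dump above what a reviewer wants settled before opening kernel/dma/swiotlb.c. It assumes an x86-64 kernel with the default 4-level direct-map base 0xffff888000000000 (consistent with the ffff8880xxxxxxxx addresses in the dump, but KASLR can move it), 4 KiB pages, and that the "Code:" bytes are the memcpy_orig prologue from arch/x86/lib/memcpy_64.S, in which "mov rax,rdi" (48 89 f8) runs once at entry and two "sub rdx,0x20" (48 83 ea 20) precede the faulting "mov r8,[rsi]" (4c 8b 06). The struct, flag names and helper names are the example's own.

```c
/*
 * Oops triage helper (added example; assumptions are listed in the lead-in).
 * It decodes the #PF error code, maps direct-map addresses back to physical
 * pages, recovers the original memcpy length from RDX, and checks the
 * register dump for the facts that matter when reading swiotlb_bounce.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_OFFSET_BASE 0xffff888000000000ULL /* assumed default L4 base */
#define PAGE_SZ          0x1000ULL
#define DMA_MASK_32BIT   0xffffffffULL

/* x86 #PF error-code bits, named as in arch/x86/include/asm/trap_pf.h. */
enum {
    X86_PF_PROT  = 1u << 0, /* clear: not-present page; set: protection */
    X86_PF_WRITE = 1u << 1,
    X86_PF_USER  = 1u << 2,
    X86_PF_INSTR = 1u << 4,
};

struct oops_regs {
    uint64_t rip_off; /* offset of RIP into memcpy_orig */
    uint64_t rax, rdi, rsi, rdx, cr2, pf_error;
};

/* Register values copied from the dump above. */
static const struct oops_regs report = {
    .rip_off = 0x1e,
    .rax = 0xffff8880bc51f000ULL, .rdi = 0xffff8880bc51f000ULL,
    .rsi = 0xffff888108a50000ULL, .rdx = 0xfc0,
    .cr2 = 0xffff888108a50000ULL, .pf_error = 0x0000,
};

/* Render an error code the way the two "#PF:" lines of the oops do. */
const char *pf_describe(uint64_t code, char *buf, size_t n)
{
    bool user = code & X86_PF_USER;
    snprintf(buf, n, "%s %s access in %s mode; %s",
             user ? "user" : "supervisor",
             (code & X86_PF_INSTR) ? "instruction fetch"
                                   : (code & X86_PF_WRITE) ? "write" : "read",
             user ? "user" : "kernel",
             (code & X86_PF_PROT) ? "protection violation" : "not-present page");
    return buf;
}

uint64_t direct_map_to_phys(uint64_t va) { return va - PAGE_OFFSET_BASE; }
uint64_t phys_to_pfn(uint64_t pa)        { return pa >> 12; }

/* True if any byte of [pa, pa + len) lies beyond a 32-bit DMA mask. */
bool outside_32bit_dma(uint64_t pa, uint64_t len)
{
    return pa + len - 1 > DMA_MASK_32BIT;
}

/*
 * Original memcpy length. Derivable only at memcpy_orig+0x1e on the first
 * loop iteration, which this dump proves because RAX (the RDI saved at
 * entry) still equals RDI: the copy loop has not advanced the destination.
 */
uint64_t memcpy_len_at_fault(const struct oops_regs *r)
{
    if (r->rip_off != 0x1e || r->rax != r->rdi)
        return 0; /* not derivable from this dump */
    return r->rdx + 2 * 0x20;
}

enum {
    TRIAGE_FAULT_IS_SRC    = 1u << 0, /* CR2 == RSI: the source read faulted */
    TRIAGE_SRC_PAGE_START  = 1u << 1, /* fault at offset 0 of its page */
    TRIAGE_WHOLE_PAGE_COPY = 1u << 2, /* copy length is exactly one page */
    TRIAGE_SRC_ABOVE_4G    = 1u << 3, /* source phys beyond a 32-bit mask */
    TRIAGE_DST_BELOW_4G    = 1u << 4, /* destination phys inside it */
};

unsigned triage(const struct oops_regs *r)
{
    unsigned f = 0;
    uint64_t len = memcpy_len_at_fault(r);
    uint64_t src_pa = direct_map_to_phys(r->rsi);
    uint64_t dst_pa = direct_map_to_phys(r->rdi);

    if (r->cr2 == r->rsi)                       f |= TRIAGE_FAULT_IS_SRC;
    if ((r->cr2 & (PAGE_SZ - 1)) == 0)          f |= TRIAGE_SRC_PAGE_START;
    if (len == PAGE_SZ)                         f |= TRIAGE_WHOLE_PAGE_COPY;
    if (len && outside_32bit_dma(src_pa, len))  f |= TRIAGE_SRC_ABOVE_4G;
    if (len && !outside_32bit_dma(dst_pa, len)) f |= TRIAGE_DST_BELOW_4G;
    return f;
}

int main(void)
{
    char buf[96];
    uint64_t src_pa = direct_map_to_phys(report.rsi);

    printf("#PF: %s\n", pf_describe(report.pf_error, buf, sizeof buf));
    printf("src %#llx -> phys %#llx (pfn %#llx), copy len %#llx\n",
           (unsigned long long)report.rsi, (unsigned long long)src_pa,
           (unsigned long long)phys_to_pfn(src_pa),
           (unsigned long long)memcpy_len_at_fault(&report));
    printf("triage flags: %#x\n", triage(&report));
    return 0;
}
```

With the values from this dump it reports that the faulting instruction is the very first read of a 0x1000-byte forward copy, that the source is the start of physical page 0x108a50 (above 4 GiB, so the buffer cannot be reached by a device limited to a 32-bit DMA mask and must be bounced), and that the destination is below 4 GiB. The length helper deliberately returns 0 when RAX != RDI, because a dump taken part-way through the loop no longer identifies the original length. To triage another oops of the same shape, replace the struct values; if the kernel was built with KASLR moving the direct map, adjust PAGE_OFFSET_BASE first.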