Date: Wed, 13 Mar 2024 10:55:36 +0800
From: cheung wall <zzqq0103.hey@...il.com>
To: Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, 
	Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org, linux-kernel@...r.kernel.org
Cc: "cc: H. Peter Anvin" <hpa@...or.com>, Masahiro Yamada <masahiroy@...nel.org>, 
	Vincent Whitchurch <vincent.whitchurch@...s.com>
Subject: BUG: unable to handle kernel paging request in swiotlb_bounce

Hello,

When using Healer to fuzz the latest Linux Kernel, the following crash
was triggered on:

HEAD commit: 90d35da658da8cff0d4ecbb5113f5fac9d00eb72  (tag: v6.8-rc7)
git tree: upstream
console output: https://drive.google.com/file/d/1BQCubjzbGYPIVK4so6wEMwMfwp4bzcoW/view?usp=drive_link
kernel config: https://drive.google.com/file/d/19VXB1YKwoBFpzjqTmm02jVi4-N9tNIvm/view?usp=drive_link
C reproducer: https://drive.google.com/file/d/1CU_h8zSE9anV6gzteBK7_jbBMKKm_wBf/view?usp=drive_link
Syzlang reproducer: https://drive.google.com/file/d/1J9VtUKKMwozBjqK2JgjMZ1b6H4lB9f22/view?usp=drive_link

If you fix this issue, please add the following tag to the commit:

Reported-by: Qiang Zhang <zzqq0103.hey@...il.com>

----------------------------------------------------------

BUG: unable to handle page fault for address: ffff888108a50000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 61c01067 P4D 61c01067 PUD 1008ee063 PMD 108a51063 PTE 800ffffef75af060
Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 9 Comm: kworker/0:0H Not tainted 6.8.0-rc7 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: kblockd blk_mq_run_work_fn
RIP: 0010:memcpy_orig+0x1e/0x140 arch/x86/lib/memcpy_64.S:65
Code: 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 89 f8 48 83 fa 20 0f 82 86 00 00 00 40 38 fe 7c 35 48 83 ea 20 48 83 ea 20 <4c> 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 4c 89 07
RSP: 0018:ffff888100307498 EFLAGS: 00010006
RAX: ffff8880bc51f000 RBX: ffff8880bbfdf000 RCX: ffffffffb98de085
RDX: 0000000000000fc0 RSI: ffff888108a50000 RDI: ffff8880bc51f000
RBP: ffff888100dfe0b8 R08: ffff8881c03ccc10 R09: fffffbfff7d61b01
R10: fffffbfff7d61b00 R11: ffffffffbeb0d807 R12: ffff888108a50000
R13: ffffffffbeb0d7a0 R14: ffff8880bc51f000 R15: ffff888108a50000
FS:  0000000000000000(0000) GS:ffff8881c0000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888108a50000 CR3: 0000000105330004 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 swiotlb_bounce+0x314/0x560 kernel/dma/swiotlb.c:899
 swiotlb_tbl_map_single+0xc67/0xfd0 kernel/dma/swiotlb.c:1343
 swiotlb_map+0x17a/0x700 kernel/dma/swiotlb.c:1480
 dma_direct_map_page kernel/dma/direct.h:95 [inline]
 dma_direct_map_sg+0x293/0x810 kernel/dma/direct.c:492
 __dma_map_sg_attrs+0xbb/0x1e0 kernel/dma/mapping.c:199
 dma_map_sg_attrs+0x34/0x50 kernel/dma/mapping.c:236
 ata_sg_setup drivers/ata/libata-core.c:4741 [inline]
 ata_qc_issue+0x5e9/0xb30 drivers/ata/libata-core.c:5043
 ata_scsi_translate drivers/ata/libata-scsi.c:1717 [inline]
 __ata_scsi_queuecmd+0x8de/0x11d0 drivers/ata/libata-scsi.c:4153
 ata_scsi_queuecmd+0xad/0x170 drivers/ata/libata-scsi.c:4198
 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1518 [inline]
 scsi_queue_rq+0xc07/0x2ac0 drivers/scsi/scsi_lib.c:1760
 blk_mq_dispatch_rq_list+0x3b6/0x1bd0 block/blk-mq.c:2070
 __blk_mq_do_dispatch_sched block/blk-mq-sched.c:170 [inline]
 blk_mq_do_dispatch_sched block/blk-mq-sched.c:184 [inline]
 __blk_mq_sched_dispatch_requests+0xbd4/0x14b0 block/blk-mq-sched.c:309
 blk_mq_sched_dispatch_requests+0xb2/0x110 block/blk-mq-sched.c:331
 blk_mq_run_work_fn+0x131/0x190 block/blk-mq.c:2455
 process_one_work kernel/workqueue.c:2633 [inline]
 process_scheduled_works+0x252/0xe10 kernel/workqueue.c:2706
 worker_thread+0x56c/0xc10 kernel/workqueue.c:2787
 kthread+0x2c8/0x3c0 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:243
 </TASK>
Modules linked in:
CR2: ffff888108a50000
---[ end trace 0000000000000000 ]---
RIP: 0010:memcpy_orig+0x1e/0x140 arch/x86/lib/memcpy_64.S:65
Code: 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 89 f8 48 83 fa 20 0f 82 86 00 00 00 40 38 fe 7c 35 48 83 ea 20 48 83 ea 20 <4c> 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 4c 89 07
RSP: 0018:ffff888100307498 EFLAGS: 00010006
RAX: ffff8880bc51f000 RBX: ffff8880bbfdf000 RCX: ffffffffb98de085
RDX: 0000000000000fc0 RSI: ffff888108a50000 RDI: ffff8880bc51f000
RBP: ffff888100dfe0b8 R08: ffff8881c03ccc10 R09: fffffbfff7d61b01
R10: fffffbfff7d61b00 R11: ffffffffbeb0d807 R12: ffff888108a50000
R13: ffffffffbeb0d7a0 R14: ffff8880bc51f000 R15: ffff888108a50000
FS:  0000000000000000(0000) GS:ffff8881c0000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888108a50000 CR3: 0000000105330004 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
note: kworker/0:0H[9] exited with irqs disabled
note: kworker/0:0H[9] exited with preempt_count 1
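A triage helper for the oops above, added here as an example; it is not part of the report and not kernel tooling. It parses the fault address, the #PF flags, the faulting symbol, the register dump and the call trace, then checks which registers hold the faulting address so the reader can tell at a glance whether the copy faulted on its source or its destination. The sample text is excerpted from the dump in this report. Two things are assumptions, stated again in the comments: the register roles at memcpy_orig (RDI destination, RSI source, RDX count, per the SysV calling convention) and the default x86-64 direct-map window used for the range check.

```python
import re

# Oops text excerpted verbatim from the report above (only the lines this parser consumes).
OOPS = """\
BUG: unable to handle page fault for address: ffff888108a50000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
Oops: 0000 [#1] PREEMPT SMP KASAN PTI
RIP: 0010:memcpy_orig+0x1e/0x140 arch/x86/lib/memcpy_64.S:65
RSP: 0018:ffff888100307498 EFLAGS: 00010006
RAX: ffff8880bc51f000 RBX: ffff8880bbfdf000 RCX: ffffffffb98de085
RDX: 0000000000000fc0 RSI: ffff888108a50000 RDI: ffff8880bc51f000
RBP: ffff888100dfe0b8 R08: ffff8881c03ccc10 R09: fffffbfff7d61b01
R10: fffffbfff7d61b00 R11: ffffffffbeb0d807 R12: ffff888108a50000
R13: ffffffffbeb0d7a0 R14: ffff8880bc51f000 R15: ffff888108a50000
CR2: ffff888108a50000 CR3: 0000000105330004 CR4: 0000000000770ef0
Call Trace:
 <TASK>
 swiotlb_bounce+0x314/0x560 kernel/dma/swiotlb.c:899
 swiotlb_tbl_map_single+0xc67/0xfd0 kernel/dma/swiotlb.c:1343
 swiotlb_map+0x17a/0x700 kernel/dma/swiotlb.c:1480
 dma_direct_map_page kernel/dma/direct.h:95 [inline]
 </TASK>
"""

# Registers as printed by the x86-64 oops; RSP carries a "0018:" segment prefix.
REG_RE = re.compile(
    r"\b(RAX|RBX|RCX|RDX|RSI|RDI|RBP|RSP|R0[89]|R1[0-5]|CR[234]):\s*"
    r"(?:[0-9a-f]{4}:)?([0-9a-f]{16})\b"
)

# Assumption: default x86-64 direct-map window (page_offset_base without
# memory-layout KASLR). A randomised direct map shifts this range.
DIRECT_MAP_START = 0xFFFF888000000000
DIRECT_MAP_END = 0xFFFFC88000000000


def parse_oops(text):
    """Extract fault address, #PF flags, faulting symbol, registers and call trace."""
    info = {"fault_addr": None, "access": None, "pf_reason": None,
            "rip_sym": None, "registers": {}, "trace": []}
    m = re.search(r"unable to handle page fault for address:\s*([0-9a-f]{16})", text)
    if m:
        info["fault_addr"] = int(m.group(1), 16)
    m = re.search(r"#PF: (?:supervisor|user) (read|write|instruction fetch) access", text)
    if m:
        info["access"] = m.group(1)
    m = re.search(r"#PF: error_code\(0x[0-9a-f]+\) - (.+)", text)
    if m:
        info["pf_reason"] = m.group(1).strip()
    m = re.search(r"RIP: \d{4}:([^+\s]+)", text)
    if m:
        info["rip_sym"] = m.group(1)
    for name, val in REG_RE.findall(text):
        info["registers"][name] = int(val, 16)
    in_trace = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            if s == "</TASK>":
                break
            if s and s != "<TASK>":
                # "sym+0x.../0x... file:line" or "sym file:line [inline]" -> sym
                info["trace"].append(s.split()[0].split("+")[0])
    return info


def triage(info):
    """Relate the faulting address to the register dump and the call trace."""
    regs = info["registers"]
    fa = info["fault_addr"]
    same = sorted(n for n, v in regs.items() if v == fa)
    # Assumption: SysV ABI roles memcpy(dst=RDI, src=RSI, n=RDX) still hold
    # for the pointer registers at the faulting instruction in memcpy_orig.
    role = None
    if info["rip_sym"] and info["rip_sym"].startswith("memcpy"):
        if regs.get("RSI") == fa:
            role = "memcpy source"
        elif regs.get("RDI") == fa:
            role = "memcpy destination"
    caller = info["trace"][0] if info["trace"] else None
    return {
        "role": role,
        "registers_equal_to_fault": same,
        "page_aligned": fa is not None and fa & 0xFFF == 0,
        "in_direct_map": fa is not None and DIRECT_MAP_START <= fa < DIRECT_MAP_END,
        "cr2_matches": regs.get("CR2") == fa,
        "faulting_caller": caller,
        "summary": "%s of %s at %s in %s called from %s" % (
            info["access"], info["pf_reason"],
            hex(fa) if fa is not None else "?", info["rip_sym"], caller),
    }


if __name__ == "__main__":
    for key, value in triage(parse_oops(OOPS)).items():
        print("%s: %s" % (key, value))
```

Run on this report, the helper shows that the not-present read address is the memcpy source pointer (RSI, also held in R12 and R15 and echoed in CR2), that it is page-aligned, and that it lies in the default direct-map range; the page being read by the copy is what was unmapped, and which of the two buffers that is follows from the direction of the bounce at swiotlb.c:899 in the named tree.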
