Closed uestcmahone closed 3 years ago
Ran out of memory, reported as follows. I found a syzkaller issue that reported a similar problem: https://github.com/google/syzkaller/issues/1267
```
2020-05-24 05:06:32 WARN fuzzer::fuzzer - ========== Crashed =========
[ 4189.040847][T16267] executor: page allocation failure: order:0, mode:0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0
[ 4189.043302][T16267] CPU: 0 PID: 16267 Comm: executor Not tainted 5.7.0-rc4+ #4
[ 4189.044575][T16267] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[ 4189.046656][T16267] Call Trace:
[ 4189.047321][T16267] dump_stack+0x11f/0x1b0
[ 4189.048129][T16267] warn_alloc+0x4cc/0x680
[ 4189.048928][T16267] ? kmsan_get_shadow_origin_ptr+0x81/0xb0
[ 4189.049950][T16267] __alloc_pages_nodemask+0x59a4/0x5cc0
[ 4189.050972][T16267] alloc_pages_current+0x682/0x990
[ 4189.051898][T16267] pte_alloc_one+0x59/0x1a0
[ 4189.052704][T16267] __pte_alloc+0x6e/0x4c0
[ 4189.053477][T16267] ? kmsan_get_metadata+0x11d/0x180
[ 4189.054398][T16267] __get_locked_pte+0x6b3/0x850
[ 4189.055268][T16267] vm_insert_page+0x5dd/0xf40
[ 4189.056096][T16267] ? kmsan_get_shadow_origin_ptr+0x81/0xb0
[ 4189.057134][T16267] kcov_mmap+0xe9/0x120
[ 4189.057869][T16267] ? kcov_ioctl+0xc70/0xc70
[ 4189.058671][T16267] mmap_region+0x2bc4/0x38d0
[ 4189.059518][T16267] do_mmap+0x153c/0x1fc0
[ 4189.060313][T16267] vm_mmap_pgoff+0x31a/0x440
[ 4189.061146][T16267] ksys_mmap_pgoff+0xa58/0xb00
[ 4189.062027][T16267] __se_sys_mmap+0x172/0x1a0
[ 4189.062857][T16267] __x64_sys_mmap+0x69/0x90
[ 4189.063670][T16267] do_syscall_64+0xb7/0x160
[ 4189.064503][T16267] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 4189.065529][T16267] RIP: 0033:0x7fce4c5a564a
[ 4189.066302][T16267] Code: Bad RIP value.
[ 4189.067017][T16267] RSP: 002b:00007ffedc5bba08 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 4189.068462][T16267] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fce4c5a564a
[ 4189.069824][T16267] RDX: 0000000000000003 RSI: 0000000000800000 RDI: 0000000000000000
[ 4189.071188][T16267] RBP: 0000000000000004 R08: 0000000000000004 R09: 0000000000000000
[ 4189.072548][T16267] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 4189.073910][T16267] R13: 0000000000800000 R14: 0000000000000001 R15: 0000000000000000
[ 4189.075395][T16267] Mem-Info:
[ 4189.076003][T16267] active_anon:34841 inactive_anon:6293 isolated_anon:0
[ 4189.076003][T16267] active_file:11 inactive_file:7 isolated_file:0
[ 4189.076003][T16267] unevictable:0 dirty:0 writeback:0 unstable:0
[ 4189.076003][T16267] slab_reclaimable:4827 slab_unreclaimable:11736
[ 4189.076003][T16267] mapped:2523 shmem:6396 pagetables:5382 bounce:0
[ 4189.076003][T16267] free:3488 free_pcp:198 free_cma:0
[ 4189.082227][T16267] Node 0 active_anon:139364kB inactive_anon:25172kB active_file:44kB inactive_file:28kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:10092kB dirty:0kB writeback:0kB shmem:25584kB shmem_tho
[ 4189.086991][T16267] Node 0 DMA free:1584kB min:200kB low:248kB high:296kB reserved_highatomic:0KB active_anon:2296kB inactive_anon:52kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB maB
[ 4189.091946][T16267] lowmem_reserve[]: 0 372 372 372
[ 4189.092842][T16267] Node 0 DMA32 free:12368kB min:25012kB low:29728kB high:34444kB reserved_highatomic:2048KB active_anon:137068kB inactive_anon:25120kB active_file:44kB inactive_file:28kB unevictable:0kB writepending:0kBB
[ 4189.098327][T16267] lowmem_reserve[]: 0 0 0 0
[ 4189.099131][T16267] Node 0 DMA: 2*4kB (UM) 1*8kB (M) 0*16kB 1*32kB (U) 0*64kB 2*128kB (UM) 1*256kB (U) 2*512kB (UM) 0*1024kB 0*2048kB 0*4096kB = 1584kB
[ 4189.101557][T16267] Node 0 DMA32: 250*4kB (UMEH) 137*8kB (UMEH) 100*16kB (UMEH) 51*32kB (MEH) 28*64kB (UMEH) 25*128kB (UMEH) 8*256kB (MH) 0*512kB 0*1024kB 0*2048kB 0*4096kB = 12368kB
[ 4189.104553][T16267] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=1048576kB
[ 4189.106188][T16267] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
[ 4189.107814][T16267] 6420 total pagecache pages
[ 4189.108608][T16267] 0 pages in swap cache
[ 4189.109332][T16267] Swap cache stats: add 0, delete 0, find 0/0
[ 4189.110367][T16267] Free swap = 0kB
[ 4189.111052][T16267] Total swap = 0kB
[ 4189.111699][T16267] 524158 pages RAM
[ 4189.112345][T16267] 0 pages HighMem/MovableOnly
[ 4189.113149][T16267] 426872 pages reserved
[ 4189.113867][T16267] 0 pages cma reserved
[ 4189.114642][T16267] ------------[ cut here ]------------
[ 4189.115612][T16267] vm_insert_page() failed
[ 4189.115795][T16267] WARNING: CPU: 0 PID: 16267 at kernel/kcov.c:475 kcov_mmap+0x10b/0x120
[ 4189.117993][T16267] Kernel panic - not syncing: panic_on_warn set ...
[ 4189.119179][T16267] CPU: 0 PID: 16267 Comm: executor Not tainted 5.7.0-rc4+ #4
[ 4189.120442][T16267] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[ 4189.122520][T16267] Call Trace:
[ 4189.123164][T16267] dump_stack+0x11f/0x1b0
[ 4189.123939][T16267] panic+0x3d7/0xc3e
[ 4189.124656][T16267] ? kmsan_get_shadow_origin_ptr+0x81/0xb0
[ 4189.125667][T16267] __warn+0x3a1/0x520
[ 4189.126371][T16267] ? kcov_mmap+0x10b/0x120
[ 4189.127193][T16267] report_bug+0x661/0x860
[ 4189.127959][T16267] ? kcov_mmap+0x10b/0x120
[ 4189.128739][T16267] ? kcov_mmap+0x10b/0x120
[ 4189.129540][T16267] do_invalid_op+0xf8/0x370
[ 4189.130328][T16267] ? kcov_mmap+0x10b/0x120
[ 4189.131144][T16267] invalid_op+0x3d/0x50
[ 4189.131879][T16267] RIP: 0010:kcov_mmap+0x10b/0x120
[ 4189.132767][T16267] Code: 48 89 c2 e8 27 8a 4d 00 85 c0 74 d3 80 3d e4 5a 29 0e 00 75 ca c6 05 db 5a 29 0e 01 48 c7 c7 b4 4e 68 a6 31 c0 e8 e5 49 b3 ff <0f> 0b eb b1 45 31 ed e9 73 ff ff ff 66 0f 1f 84 00 00 00 00 00 55
[ 4189.136086][T16267] RSP: 0000:ffffb82300867988 EFLAGS: 00010246
[ 4189.137136][T16267] RAX: c0b20b6fc4630000 RBX: 0000000000443000 RCX: c0b20b6fc4630000
[ 4189.138495][T16267] RDX: 0000000000000000 RSI: 0000000000000286 RDI: 000000000001c8a0
[ 4189.139890][T16267] RBP: ffffb823008679b0 R08: ffffd9ed0000000f R09: ffff9db5bffd3000
[ 4189.141248][T16267] R10: 0000000000000005 R11: 00000000ffffffff R12: 0000000000800000
[ 4189.142608][T16267] R13: 0000000000000000 R14: ffff9db561ce9ed8 R15: ffff9db5460adf40
[ 4189.144010][T16267] ? kcov_mmap+0x10b/0x120
[ 4189.144786][T16267] ? kcov_ioctl+0xc70/0xc70
[ 4189.145587][T16267] mmap_region+0x2bc4/0x38d0
[ 4189.146425][T16267] do_mmap+0x153c/0x1fc0
[ 4189.147239][T16267] vm_mmap_pgoff+0x31a/0x440
[ 4189.148071][T16267] ksys_mmap_pgoff+0xa58/0xb00
[ 4189.148926][T16267] __se_sys_mmap+0x172/0x1a0
[ 4189.149748][T16267] __x64_sys_mmap+0x69/0x90
[ 4189.150547][T16267] do_syscall_64+0xb7/0x160
[ 4189.151379][T16267] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 4189.152398][T16267] RIP: 0033:0x7fce4c5a564a
[ 4189.153172][T16267] Code: Bad RIP value.
[ 4189.153882][T16267] RSP: 002b:00007ffedc5bba08 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 4189.155357][T16267] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fce4c5a564a
[ 4189.156717][T16267] RDX: 0000000000000003 RSI: 0000000000800000 RDI: 0000000000000000
[ 4189.158075][T16267] RBP: 0000000000000004 R08: 0000000000000004 R09: 0000000000000000
[ 4189.159480][T16267] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 4189.160841][T16267] R13: 0000000000800000 R14: 0000000000000001 R15: 0000000000000000
[ 4189.162747][T16267] Dumping ftrace buffer:
[ 4189.163551][T16267] (ftrace buffer empty)
[ 4189.164361][T16267] Kernel Offset: 0x17400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 4189.166363][T16267] Rebooting in 1 seconds..
```
Right, this happens a lot. I'll try to sandbox the executor with rlimits or something else.
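
The rlimit idea from the reply above, sketched as an added C example (not code from this project or from syzkaller): a child lowers its own `RLIMIT_AS` before doing any work, so an oversized mapping is refused with `ENOMEM` inside that process instead of consuming guest memory. The helper name `run_capped`, the 256 MiB cap and the 1 GiB probe are assumptions; 0x800000 is the mmap length visible in RSI in the trace. The cap bounds the executor's user address space only and does not by itself guarantee that kernel-side allocations succeed.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: fork a child, cap its address space at limit_bytes,
 * then map and touch alloc_bytes of anonymous memory in it.
 * Returns 0 if the mapping worked, ENOMEM if the cap refused it, -1 otherwise. */
int run_capped(size_t limit_bytes, size_t alloc_bytes)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit rl;
        if (getrlimit(RLIMIT_AS, &rl) != 0)
            _exit(3);
        if (limit_bytes < rl.rlim_max)
            rl.rlim_max = limit_bytes;  /* lowering the hard limit is one-way */
        rl.rlim_cur = rl.rlim_max;
        if (setrlimit(RLIMIT_AS, &rl) != 0)
            _exit(3);
        void *p = mmap(NULL, alloc_bytes, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (p == MAP_FAILED)
            _exit(errno == ENOMEM ? 2 : 3);
        memset(p, 0xa5, alloc_bytes);   /* fault the pages in */
        munmap(p, alloc_bytes);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 0;
    case 2:  return ENOMEM;
    default: return -1;
    }
}

int main(void)
{
    size_t cap = (size_t)256 << 20;     /* constructed limit: 256 MiB */
    return (run_capped(cap, 0x800000) == 0 &&
            run_capped(cap, (size_t)1 << 30) == ENOMEM) ? 0 : 1;
}
```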