panic: pfi_dynaddr_setup: dyn is 0x8000


syzbot

30.04.2020, 05:01:16
an syzkaller-f...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 2338a28d Add nhop to the ifa_rtrequest() callback.
git tree: freebsd
console output: https://syzkaller.appspot.com/x/log.txt?x=167eb5f8100000
dashboard link: https://syzkaller.appspot.com/bug?extid=bb71e7bc5455377014e5

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+bb71e7...@syzkaller.appspotmail.com

panic: pfi_dynaddr_setup: dyn is 0x8000
cpuid = 1
time = 1588237242
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe0025a36110
vpanic() at vpanic+0x1c7/frame 0xfffffe0025a36170
panic() at panic+0x43/frame 0xfffffe0025a361d0
pfi_dynaddr_setup() at pfi_dynaddr_setup+0x590/frame 0xfffffe0025a36260
pfioctl() at pfioctl+0x6e4f/frame 0xfffffe0025a36790
devfs_ioctl() at devfs_ioctl+0x14e/frame 0xfffffe0025a367f0
VOP_IOCTL_APV() at VOP_IOCTL_APV+0x78/frame 0xfffffe0025a36820
vn_ioctl() at vn_ioctl+0x27c/frame 0xfffffe0025a36940
devfs_ioctl_f() at devfs_ioctl_f+0x47/frame 0xfffffe0025a36980
kern_ioctl() at kern_ioctl+0x3d4/frame 0xfffffe0025a369f0
sys_ioctl() at sys_ioctl+0x22b/frame 0xfffffe0025a36ac0
amd64_syscall() at amd64_syscall+0x262/frame 0xfffffe0025a36bf0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe0025a36bf0
--- syscall (198, FreeBSD ELF64, nosys), rip = 0x80071d48a, rsp = 0x7fffdfffdf38, rbp = 0x3 ---
KDB: enter: panic
[ thread pid 1104 tid 100601 ]
Stopped at kdb_enter+0x67: movq $0,0x14a96a6(%rip)
db>
db> set $lines = 0
db> set $maxwidth = 0
db> show registers
cs 0x20
ds 0x3b ll+0x1a
es 0x3b ll+0x1a
fs 0x13
gs 0x1b
ss 0x28 ll+0x7
rax 0x12
rcx 0xfffffe002a000000
rdx 0x3ffff
rbx 0
rsp 0xfffffe0025a360f0
rbp 0xfffffe0025a36110
rsi 0x40001
rdi 0xffffffff810b8f46 vprintf+0x176
r8 0
r9 0xffffffff
r10 0
r11 0xfffffe0025845800
r12 0xffffffff82068ea0 ddb_dbbe
r13 0
r14 0xffffffff8194403f
r15 0xffffffff8194403f
rip 0xffffffff810ae1c7 kdb_enter+0x67
rflags 0x86 ll+0x65
kdb_enter+0x67: movq $0,0x14a96a6(%rip)
db> show proc
Process 1104 (syz-executor.3) at 0xfffff800134bb520:
state: NORMAL
uid: 0 gids: 0, 0, 5
parent: pid 1097 at 0xfffff80003cb5a40
ABI: FreeBSD ELF64
arguments: /root/syz-executor.3
reaper: 0xfffff80003304000 reapsubtree: 1
sigparent: 20
vmspace: 0xfffffe002583d000
(map 0xfffffe002583d000)
(map.pmap 0xfffffe002583d0c0)
(pmap 0xfffffe002583d120)
threads: 3
100101 Run CPU 0 syz-executor.3
100601 Run CPU 1 syz-executor.3
100602 S uwait 0xfffff80013b11b00 syz-executor.3
db> ps
pid ppid pgrp uid state wmesg wchan cmd
1104 1097 1097 0 R (threaded) syz-executor.3
100101 Run CPU 0 syz-executor.3
100601 Run CPU 1 syz-executor.3
100602 S uwait 0xfffff80013b11b00 syz-executor.3
1097 776 1097 0 Ss nanslp 0xffffffff8252c1e0 syz-executor.3
1079 776 1079 0 Ss piperd 0xfffff80003cc52f8 syz-executor.1
1070 1064 1070 0 Ss select 0xfffff80003a323c0 dhclient
1067 1 1067 0 Ss select 0xfffff8000380dbc0 dhclient
1064 1057 424 65 S select 0xfffff8000380dac0 dhclient
1057 424 424 0 S wait 0xfffff800134f1000 sh
1009 776 1009 0 Ss piperd 0xfffff80013b81000 syz-executor.2
905 776 905 0 Ss piperd 0xfffff80003cc18e8 syz-executor.0
776 774 774 0 S (threaded) syz-fuzzer
100108 S uwait 0xfffff80003a31880 syz-fuzzer
100111 S uwait 0xfffff80003a31c00 syz-fuzzer
100112 S uwait 0xfffff80003a31d00 syz-fuzzer
100113 S uwait 0xfffff80003a32c80 syz-fuzzer
100114 S uwait 0xfffff8000380c680 syz-fuzzer
100115 S uwait 0xfffff8000380c780 syz-fuzzer
100116 S uwait 0xfffff80003a32680 syz-fuzzer
100117 S uwait 0xfffff80003a32780 syz-fuzzer
100118 S uwait 0xfffff80003a32d80 syz-fuzzer
100119 S kqread 0xfffff80003cb7c00 syz-fuzzer
100120 S uwait 0xfffff80003a31080 syz-fuzzer
774 772 774 0 Ss pause 0xfffff800136580a8 csh
772 682 772 0 Ss select 0xfffff8000380c840 sshd
748 1 748 0 Ss+ ttyin 0xfffff80003805cb0 getty
747 1 747 0 Ss+ ttyin 0xfffff80003b068b0 getty
746 1 746 0 Ss+ ttyin 0xfffff80003b06cb0 getty
745 1 745 0 Ss+ ttyin 0xfffff80003b050b0 getty
744 1 744 0 Ss+ ttyin 0xfffff80003b054b0 getty
743 1 743 0 Ss+ ttyin 0xfffff80003b058b0 getty
742 1 742 0 Ss+ ttyin 0xfffff80003b05cb0 getty
741 1 741 0 Ss+ ttyin 0xfffff80003b080b0 getty
740 1 740 0 Ss+ ttyin 0xfffff80003b084b0 getty
738 1 24 0 S+ piperd 0xfffff80003cc7000 logger
737 736 24 0 S+ nanslp 0xffffffff8252c1e0 sleep
736 1 24 0 S+ wait 0xfffff800132ab520 sh
686 1 686 0 Ss nanslp 0xffffffff8252c1e0 cron
682 1 682 0 Ss select 0xfffff8000380b5c0 sshd
495 1 495 0 Ss select 0xfffff8000380bec0 syslogd
424 1 424 0 Ss wait 0xfffff80003cb4000 devd
423 1 423 65 Ss select 0xfffff80003a31940 dhclient
338 1 338 0 Ss select 0xfffff80003a34240 dhclient
335 1 335 0 Ss select 0xfffff8000380be40 dhclient
23 0 0 0 DL syncer 0xffffffff82618118 [syncer]
22 0 0 0 DL vlruwt 0xfffff800033c6a40 [vnlru]
21 0 0 0 DL (threaded) [bufdaemon]
100069 D qsleep 0xffffffff82617438 [bufdaemon]
100076 D - 0xffffffff8200aa00 [bufspacedaemon-0]
100085 D sdflush 0xfffff80003806ce8 [/ worker]
20 0 0 0 DL psleep 0xffffffff8263e308 [vmdaemon]
19 0 0 0 DL (threaded) [pagedaemon]
100067 D psleep 0xffffffff826328d8 [dom0]
100074 D launds 0xffffffff826328e4 [laundry: dom0]
100075 D umarcl 0xffffffff81545a10 [uma]
18 0 0 0 DL - 0xffffffff8235fe20 [rand_harvestq]
17 0 0 0 DL pftm 0xffffffff82c353a0 [pf purge]
16 0 0 0 DL waiting 0xffffffff8261a890 [sctp_iterator]
15 0 0 0 DL - 0xffffffff82616a2c [soaiod4]
9 0 0 0 DL - 0xffffffff82616a2c [soaiod3]
8 0 0 0 DL - 0xffffffff82616a2c [soaiod2]
7 0 0 0 DL - 0xffffffff82616a2c [soaiod1]
6 0 0 0 DL (threaded) [cam]
100033 D - 0xffffffff82237b40 [doneq0]
100066 D - 0xffffffff82237a10 [scanner]
5 0 0 0 DL crypto_ 0xfffff80003202d90 [crypto returns 1]
4 0 0 0 DL crypto_ 0xfffff80003202d30 [crypto returns 0]
3 0 0 0 DL crypto_ 0xffffffff826300c0 [crypto]
14 0 0 0 DL seqstat 0xfffff80003351488 [sequencer 00]
13 0 0 0 DL (threaded) [geom]
100024 D - 0xffffffff8250b180 [g_event]
100025 D - 0xffffffff8250b188 [g_up]
100026 D - 0xffffffff8250b190 [g_down]
2 0 0 0 DL (threaded) [KTLS]
100017 D - 0xfffff800032fac80 [thr_0]
100018 D - 0xfffff800032facc0 [thr_1]
12 0 0 0 WL (threaded) [intr]
100010 I [swi6: Giant taskq]
100013 I [swi5: fast taskq]
100016 I [swi6: task queue]
100019 I [swi3: vm]
100020 I [swi4: clock (0)]
100021 I [swi4: clock (1)]
100022 I [swi1: netisr 0]
100034 I [irq24: virtio_pci0]
100035 I [irq25: virtio_pci0]
100036 I [irq26: virtio_pci0]
100037 I [irq27: virtio_pci0]
100038 I [irq28: virtio_pci1]
100039 I [irq29: virtio_pci1]
100040 I [irq30: virtio_pci1]
100041 I [irq31: virtio_pci1]
100042 I [irq32: virtio_pci1]
100047 I [irq10: virtio_pci2]
100049 I [irq1: atkbd0]
100050 I [irq12: psm0]
100051 I [swi0: uart uart++]
100060 I [swi1: pf send]
100072 I [swi1: hpts]
100073 I [swi1: hpts]
11 0 0 0 RL (threaded) [idle]
100003 CanRun [idle: cpu0]
100004 CanRun [idle: cpu1]
1 0 1 0 SLs wait 0xfffff80003304000 [init]
10 0 0 0 DL audit_w 0xffffffff82630598 [audit]
0 0 0 0 DLs (threaded) [kernel]
100000 D swapin 0xffffffff8250b710 [swapper]
100005 D - 0xfffff80003325000 [if_config_tqg_0]
100006 D - 0xfffff80003326e00 [softirq_0]
100007 D - 0xfffff80003326d00 [softirq_1]
100008 D - 0xfffff80003326c00 [if_io_tqg_0]
100009 D - 0xfffff80003326b00 [if_io_tqg_1]
100011 D - 0xfffff80003333600 [in6m_free taskq]
100012 D - 0xfffff80003333500 [thread taskq]
100014 D - 0xfffff80003333200 [kqueue_ctx taskq]
100015 D - 0xfffff80003333100 [aiod_kick taskq]
100023 D - 0xfffff80003334800 [firmware taskq]
100028 D - 0xfffff80003331c00 [crypto_0]
100029 D - 0xfffff80003331c00 [crypto_1]
100043 D - 0xfffff80003562c00 [vtnet0 rxq 0]
100044 D - 0xfffff80003562b00 [vtnet0 txq 0]
100045 D - 0xfffff80003562a00 [vtnet0 rxq 1]
100046 D - 0xfffff80003562900 [vtnet0 txq 1]
100048 D vtbslp 0xfffff80003522680 [virtio_balloon]
100052 D - 0xfffff80003335700 [mca taskq]
100056 D - 0xffffffff81ce7760 [deadlkres]
100062 D - 0xfffff80003331800 [acpi_task_0]
100063 D - 0xfffff80003331800 [acpi_task_1]
100064 D - 0xfffff80003331800 [acpi_task_2]
100065 D - 0xfffff80003331500 [CAM taskq]
db> show all locks
Process 1104 (syz-executor.3) thread 0xfffffe0025845300 (100601)
exclusive rm pf rulesets (pf rulesets) r = 0 (0xffffffff82c87290) locked @ /syzkaller/managers/main/kernel/sys/netpfil/pf/pf_ioctl.c:1585
db> show malloc
Type InUse MemUse Requests
pf_hash 5 11524K 5
devbuf 4213 4851K 4238
tcp_hpts 5 3201K 5
vtbuf 24 1968K 46
sysctloid 28335 1653K 28399
kobj 332 1328K 488
newblk 36 1033K 3476
vfscache 4 1025K 4
pcb 31 546K 445
inodedep 12 518K 540
ufs_quota 1 512K 1
vfs_hash 1 512K 1
callout 2 512K 2
intr 4 388K 4
subproc 128 257K 1178
acpica 1674 185K 52709
vnet_data 1 168K 1
pagedep 11 131K 301
tfo_ccache 1 128K 1
sem 4 106K 4
DEVFS1 105 105K 122
filedesc 16 105K 503
linker 244 92K 301
bus 998 80K 3408
mtx_pool 2 72K 2
syncache 1 68K 1
acpitask 1 64K 1
ddb_capture 1 64K 1
module 497 63K 497
umtx 324 41K 324
temp 37 37K 2661
BPF 22 36K 38
kdtrace 176 34K 2746
hostcache 1 32K 1
shm 1 32K 3
DEVFS3 124 31K 134
msg 4 30K 4
DEVFS_RULE 56 27K 56
gtaskqueue 18 26K 18
ifaddr 71 24K 99
vmem 3 22K 4
kbdmux 6 22K 6
ufs_mount 3 17K 4
proc 3 17K 3
lltable 44 16K 86
tty 16 16K 16
tidhash 1 16K 1
ithread 98 16K 98
ether_multi 172 14K 381
bus-sc 30 14K 1431
KTRACE 100 13K 100
ifnet 7 13K 7
kenv 95 12K 99
eventhandler 132 12K 132
in6_multi 89 11K 205
pfs_nodes 20 10K 20
GEOM 60 10K 487
rman 82 10K 423
bmsafemap 3 9K 413
UART 12 9K 12
devstat 4 9K 4
rpc 2 8K 2
shmfd 1 8K 5
pfs_vncache 1 8K 1
routetbl 54 8K 108
audit_evclass 233 8K 291
CAM DEV 3 6K 510
cred 24 6K 244
kqueue 57 6K 1109
vt 11 6K 11
sctp_timw 22 6K 22
plimit 22 6K 543
sglist 5 6K 5
CAM queue 5 6K 1528
pf_rule 5 5K 13
taskqueue 45 5K 45
ufs_dirhash 24 5K 24
pf_ifnet 11 5K 24
DEVFSP 72 5K 224
memdesc 1 4K 1
MCA 32 4K 32
UMA 249 4K 249
sctp_atcl 8 4K 177
sctp_stro 4 4K 44
ioctlops 1 4K 289
evdev 4 4K 4
kcovinfo 64 4K 204
select 29 4K 29
freework 15 4K 569
session 26 4K 50
pgrp 26 4K 50
lockf 31 4K 492
hhook 13 4K 13
acpisem 22 3K 22
terminal 11 3K 11
proc-args 47 3K 716
ip6ndp 14 3K 37
uidinfo 4 3K 10
sctp_ifa 17 3K 41
pf_table 1 2K 1
local_apic 1 2K 1
io_apic 1 2K 1
ipsec-saq 2 2K 2
Unitno 29 2K 45
CAM XPT 22 2K 543
in_multi 6 2K 15
acpidev 20 2K 20
msi 9 2K 9
mkdir 9 2K 412
tun 7 2K 7
softdep 1 1K 1
ipsecpolicy 1 1K 1
sahead 1 1K 1
secasvar 1 1K 1
clone 8 1K 8
vnodemarker 2 1K 216
NFSD session 1 1K 1
CAM periph 4 1K 271
newdirblk 6 1K 206
diradd 6 1K 324
mld 6 1K 6
sctp_ifn 6 1K 14
igmp 6 1K 6
nhops 6 1K 6
toponodes 6 1K 6
isadev 6 1K 6
mount 16 1K 86
pci_link 10 1K 10
crypto 3 1K 3
freeblks 2 1K 248
sctp_atky 12 1K 221
pfil 4 1K 4
chacha20random 1 1K 1
CAM SIM 2 1K 2
epoch 4 1K 4
cdev 2 1K 2
encap_export_host 8 1K 8
osd 3 1K 9
inpcbpolicy 9 1K 849
dirrem 1 1K 254
freefile 2 1K 245
indirdep 1 1K 479
vnodes 1 1K 3
NFSD lckfile 1 1K 1
NFSD V4client 1 1K 1
DEVFS 9 1K 10
feeder 7 1K 7
ip6_msource 3 1K 3
tcpfunc 3 1K 3
loginclass 3 1K 6
CAM dev queue 2 1K 2
CAM I/O Scheduler 1 1K 1
apmdev 1 1K 1
atkbddev 2 1K 2
CAM path 4 1K 1034
sctp_athm 8 1K 177
sctp_map 8 1K 88
ktls 1 1K 1
pmchooks 1 1K 1
prison 4 1K 4
filecaps 5 1K 90
soname 4 1K 6032
nexusdev 5 1K 5
entropy 2 1K 49
sctp_vrf 1 1K 1
vnet 1 1K 1
acpiintr 1 1K 1
pmc 1 1K 1
cpus 2 1K 2
vnet_data_free 1 1K 1
Per-cpu 1 1K 1
p1003.1b 1 1K 1
pf_altq 0 0K 0
pf_osfp 0 0K 0
pf_temp 0 0K 0
ath_hal 0 0K 0
madt_table 0 0K 2
athdev 0 0K 0
ata_pci 0 0K 0
ata_dma 0 0K 0
ata_generic 0 0K 0
amr 0 0K 0
scsi_da 0 0K 69
ata_da 0 0K 0
pvscsi 0 0K 0
smartpqi 0 0K 0
scsi_ch 0 0K 0
scsi_cd 0 0K 0
USBdev 0 0K 0
USB 0 0K 0
AHCI driver 0 0K 0
agp 0 0K 0
iavf 0 0K 0
ixl 0 0K 0
nvme_da 0 0K 0
acpipwr 0 0K 0
twsbuf 0 0K 0
twe_commands 0 0K 0
twa_commands 0 0K 0
tcp_log_dev 0 0K 8
midi buffers 0 0K 0
fpukern_ctx 0 0K 0
mixer 0 0K 0
xen_intr 0 0K 0
ac97 0 0K 0
xen_hvm 0 0K 0
legacydrv 0 0K 0
qpidrv 0 0K 0
hdacc 0 0K 0
hdac 0 0K 0
dmar_idpgtbl 0 0K 0
dmar_dom 0 0K 0
dmar_ctx 0 0K 0
dmar_dmamap 0 0K 0
hdaa 0 0K 0
acpi_perf 0 0K 0
acpicmbat 0 0K 0
isci 0 0K 0
bxe_ilt 0 0K 0
xenbus 0 0K 0
SIIS driver 0 0K 0
vm_fictitious 0 0K 0
CAM CCB 0 0K 10282
PUC 0 0K 0
ppbusdev 0 0K 0
agtiapi_MemAlloc malloc 0 0K 0
osti_cacheable 0 0K 0
tempbuff 0 0K 0
tempbuff 0 0K 0
UMAHash 0 0K 0
ag_tgt_map_t malloc 0 0K 0
ag_slr_map_t malloc 0 0K 0
vm_pgdata 0 0K 0
jblocks 0 0K 0
savedino 0 0K 239
sentinel 0 0K 0
jfsync 0 0K 0
jtrunc 0 0K 0
sbdep 0 0K 105
jsegdep 0 0K 0
jseg 0 0K 0
jfreefrag 0 0K 0
jfreeblk 0 0K 0
jnewblk 0 0K 0
jmvref 0 0K 0
jremref 0 0K 0
jaddref 0 0K 0
freedep 0 0K 0
freefrag 0 0K 18
allocindir 0 0K 0
allocdirect 0 0K 0
ufs_trim 0 0K 0
mactemp 0 0K 0
audit_trigger 0 0K 0
audit_pipe_presel 0 0K 0
audit_pipeent 0 0K 0
audit_pipe 0 0K 0
audit_evname 0 0K 0
audit_bsm 0 0K 0
audit_gidset 0 0K 0
audit_text 0 0K 0
audit_path 0 0K 0
audit_data 0 0K 0
audit_cred 0 0K 0
xform 0 0K 0
NLM 0 0K 0
ipsec-spdcache 0 0K 0
ipsec-reg 0 0K 0
ipsec-misc 0 0K 0
ipsecrequest 0 0K 0
ip6opt 0 0K 5
ip6_moptions 0 0K 4
in6_mfilter 0 0K 8
frag6 0 0K 0
tcplog 0 0K 0
lDevFlags * malloc 0 0K 0
LRO 0 0K 0
sctp_mcore 0 0K 0
sctp_socko 0 0K 111
sctp_iter 0 0K 35
sctp_mvrf 0 0K 0
sctp_cpal 0 0K 0
sctp_cmsg 0 0K 0
sctp_stre 0 0K 0
sctp_athi 0 0K 0
sctp_a_it 0 0K 35
sctp_aadr 0 0K 0
sctp_stri 0 0K 0
newreno data 0 0K 0
ip_msource 0 0K 0
ip_moptions 0 0K 1
in_mfilter 0 0K 0
ipid 0 0K 0
80211scan 0 0K 0
80211ratectl 0 0K 0
80211power 0 0K 0
80211nodeie 0 0K 0
80211node 0 0K 0
80211mesh_gt 0 0K 0
80211mesh_rt 0 0K 0
80211perr 0 0K 0
80211prep 0 0K 0
80211preq 0 0K 0
80211dfs 0 0K 0
80211crypto 0 0K 0
80211vap 0 0K 0
iflib 0 0K 0
vlan 0 0K 0
gif 0 0K 0
ifdescr 0 0K 0
zlib 0 0K 0
fadvise 0 0K 0
tiDeviceHandle_t * malloc 0 0K 0
statfs 0 0K 360
export_host 0 0K 0
cl_savebuf 0 0K 5
ag_portal_data_t malloc 0 0K 0
ag_device_t malloc 0 0K 0
STLock malloc 0 0K 0
CCB List 0 0K 0
sr_iov 0 0K 0
OCS 0 0K 0
OCS 0 0K 0
nvme 0 0K 0
nvd 0 0K 0
netmap 0 0K 0
mwldev 0 0K 0
MVS driver 0 0K 0
CAM ccb queue 0 0K 0
mrsasbuf 0 0K 0
mpt_user 0 0K 0
mps_user 0 0K 0
biobuf 0 0K 0
aios 0 0K 0
lio 0 0K 0
acl 0 0K 0
MPSSAS 0 0K 0
mbuf_tag 0 0K 371
accf 0 0K 0
pts 0 0K 0
iov 0 0K 15583
Witness 0 0K 0
stack 0 0K 0
mps 0 0K 0
mpr_user 0 0K 0
MPRSAS 0 0K 0
mpr 0 0K 0
mfibuf 0 0K 0
md_sectors 0 0K 0
sbuf 0 0K 288
md_disk 0 0K 0
compressor 0 0K 0
malodev 0 0K 0
SWAP 0 0K 0
LED 0 0K 0
sysctltmp 0 0K 663
sysctl 0 0K 1
ekcd 0 0K 0
dumper 0 0K 0
sendfile 0 0K 0
rctl 0 0K 0
ix_sriov 0 0K 0
aacraidcam 0 0K 0
ix 0 0K 0
ipsbuf 0 0K 0
iirbuf 0 0K 0
cache 0 0K 0
aacraid_buf 0 0K 0
prison_racct 0 0K 0
Fail Points 0 0K 0
sigio 0 0K 1
filedesc_to_leader 0 0K 0
pwd 0 0K 0
tty console 0 0K 0
aaccam 0 0K 0
aacbuf 0 0K 0
zstd 0 0K 0
nvlist 0 0K 0
SCSI ENC 0 0K 0
SCSI sa 0 0K 0
isofs_node 0 0K 0
isofs_mount 0 0K 0
tr_raid5_data 0 0K 0
tr_raid1e_data 0 0K 0
tr_raid1_data 0 0K 0
tr_raid0_data 0 0K 0
tr_concat_data 0 0K 0
md_sii_data 0 0K 0
md_promise_data 0 0K 0
md_nvidia_data 0 0K 0
md_jmicron_data 0 0K 0
md_intel_data 0 0K 0
md_ddf_data 0 0K 0
raid_data 0 0K 72
geom_flashmap 0 0K 0
NFS FHA 0 0K 0
newnfsmnt 0 0K 0
newnfsclient_req 0 0K 0
NFSCL layrecall 0 0K 0
NFSCL session 0 0K 0
NFSCL sockreq 0 0K 0
NFSCL devinfo 0 0K 0
NFSCL flayout 0 0K 0
NFSCL layout 0 0K 0
NFSD rollback 0 0K 0
NFSCL diroffdiroff 0 0K 0
NEWdirectio 0 0K 0
NEWNFSnode 0 0K 0
NFSCL lck 0 0K 0
NFSCL lckown 0 0K 0
NFSCL client 0 0K 0
NFSCL deleg 0 0K 0
NFSCL open 0 0K 0
NFSCL owner 0 0K 0
NFS fh 0 0K 0
NFS req 0 0K 0
NFSD usrgroup 0 0K 0
NFSD string 0 0K 0
NFSD V4lock 0 0K 0
NFSD V4state 0 0K 0
NFSD srvcache 0 0K 0
msdosfs_fat 0 0K 0
msdosfs_mount 0 0K 0
msdosfs_node 0 0K 0
DEVFS4 0 0K 0
DEVFS2 0 0K 0
gntdev 0 0K 0
privcmd_dev 0 0K 0
evtchn_dev 0 0K 0
xenstore 0 0K 0
scsi_pass 0 0K 0
ciss_data 0 0K 0
xnb 0 0K 0
xbbd 0 0K 0
xbd 0 0K 0
Balloon 0 0K 0
sysmouse 0 0K 0
vtfont 0 0K 0
db> show ktr
No such command; use "help" to list available commands


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

30.04.2020, 05:28:16
an syzkaller-f...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 2338a28d Add nhop to the ifa_rtrequest() callback.
git tree: freebsd
console output: https://syzkaller.appspot.com/x/log.txt?x=17eb7918100000
dashboard link: https://syzkaller.appspot.com/bug?extid=bb71e7bc5455377014e5
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fb2a9c100000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11be2d40100000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+bb71e7...@syzkaller.appspotmail.com

login: panic: pfi_dynaddr_setup: dyn is 0x8000
cpuid = 0
time = 1588238712
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe0025a3b110
vpanic() at vpanic+0x1c7/frame 0xfffffe0025a3b170
panic() at panic+0x43/frame 0xfffffe0025a3b1d0
pfi_dynaddr_setup() at pfi_dynaddr_setup+0x590/frame 0xfffffe0025a3b260
pfioctl() at pfioctl+0x6e4f/frame 0xfffffe0025a3b790
devfs_ioctl() at devfs_ioctl+0x14e/frame 0xfffffe0025a3b7f0
VOP_IOCTL_APV() at VOP_IOCTL_APV+0x78/frame 0xfffffe0025a3b820
vn_ioctl() at vn_ioctl+0x27c/frame 0xfffffe0025a3b940
devfs_ioctl_f() at devfs_ioctl_f+0x47/frame 0xfffffe0025a3b980
kern_ioctl() at kern_ioctl+0x3d4/frame 0xfffffe0025a3b9f0
sys_ioctl() at sys_ioctl+0x22b/frame 0xfffffe0025a3bac0
amd64_syscall() at amd64_syscall+0x262/frame 0xfffffe0025a3bbf0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe0025a3bbf0
--- syscall (0, FreeBSD ELF64, nosys), rip = 0x8008482ea, rsp = 0x7fffffffea78, rbp = 0x7fffffffead0 ---
KDB: enter: panic
[ thread pid 775 tid 100104 ]
Stopped at kdb_enter+0x67: movq $0,0x14a96a6(%rip)
db>
db> set $lines = 0
db> set $maxwidth = 0
db> show registers
cs 0x20
ds 0x3b ll+0x1a
es 0x3b ll+0x1a
fs 0x13
gs 0x1b
ss 0x28 ll+0x7
rax 0x12
rcx 0x80 ll+0x5f
rdx 0xffffffff818a400b
rbx 0
rsp 0xfffffe0025a3b0f0
rbp 0xfffffe0025a3b110
rsi 0x1
rdi 0
r8 0
r9 0xffffffff
r10 0
r11 0xfffffe0023993d00
r12 0xffffffff82068ea0 ddb_dbbe
r13 0
r14 0xffffffff8194403f
r15 0xffffffff8194403f
rip 0xffffffff810ae1c7 kdb_enter+0x67
rflags 0x86 ll+0x65
kdb_enter+0x67: movq $0,0x14a96a6(%rip)
db> show proc
Process 775 (syz-executor1341990) at 0xfffff80013632000:
state: NORMAL
uid: 0 gids: 0, 0, 5
parent: pid 773 at 0xfffff80013632520
ABI: FreeBSD ELF64
arguments: ./syz-executor134199032
reaper: 0xfffff80003304000 reapsubtree: 1
sigparent: 20
vmspace: 0xfffffe0025837000
(map 0xfffffe0025837000)
(map.pmap 0xfffffe00258370c0)
(pmap 0xfffffe0025837120)
threads: 1
100104 Run CPU 0 syz-executor1341990
db> ps
pid ppid pgrp uid state wmesg wchan cmd
775 773 773 0 R CPU 0 syz-executor1341990
773 771 773 0 Ss pause 0xfffff800136325c8 csh
771 682 771 0 Ss select 0xfffff8000380c5c0 sshd
748 1 748 0 Ss+ ttyin 0xfffff80003805cb0 getty
747 1 747 0 Ss+ ttyin 0xfffff80003b068b0 getty
746 1 746 0 Ss+ ttyin 0xfffff80003b06cb0 getty
745 1 745 0 Ss+ ttyin 0xfffff80003b050b0 getty
744 1 744 0 Ss+ ttyin 0xfffff80003b054b0 getty
743 1 743 0 Ss+ ttyin 0xfffff80003b058b0 getty
742 1 742 0 Ss+ ttyin 0xfffff80003b05cb0 getty
741 1 741 0 Ss+ ttyin 0xfffff80003b080b0 getty
740 1 740 0 Ss+ ttyin 0xfffff80003b084b0 getty
738 1 24 0 S+ piperd 0xfffff80003ccfbe0 logger
737 736 24 0 S+ nanslp 0xffffffff8252c1e1 sleep
736 1 24 0 S+ wait 0xfffff800132b4000 sh
686 1 686 0 Ss nanslp 0xffffffff8252c1e0 cron
682 1 682 0 Ss select 0xfffff8000380e840 sshd
495 1 495 0 Ss select 0xfffff80003a31ec0 syslogd
424 1 424 0 Ss select 0xfffff80003a31dc0 devd
423 1 423 65 Ss select 0xfffff80003a311c0 dhclient
338 1 338 0 Ss select 0xfffff8000380ea40 dhclient
335 1 335 0 Ss select 0xfffff80003a31bc0 dhclient
100004 Run CPU 1 [idle: cpu1]
1 0 1 0 SLs wait 0xfffff80003304000 [init]
10 0 0 0 DL audit_w 0xffffffff82630598 [audit]
0 0 0 0 DLs (threaded) [kernel]
100000 D swapin 0xffffffff8250b710 [swapper]
100005 D - 0xfffff80003325000 [if_config_tqg_0]
100006 D - 0xfffff80003326e00 [softirq_0]
100007 D - 0xfffff80003326d00 [softirq_1]
100008 D - 0xfffff80003326c00 [if_io_tqg_0]
100009 D - 0xfffff80003326b00 [if_io_tqg_1]
100011 D - 0xfffff80003333600 [in6m_free taskq]
100012 D - 0xfffff80003333500 [thread taskq]
100014 D - 0xfffff80003333200 [kqueue_ctx taskq]
100015 D - 0xfffff80003333100 [aiod_kick taskq]
100023 D - 0xfffff80003334800 [firmware taskq]
100028 D - 0xfffff80003331c00 [crypto_0]
100029 D - 0xfffff80003331c00 [crypto_1]
100043 D - 0xfffff80003562c00 [vtnet0 rxq 0]
100044 D - 0xfffff80003562b00 [vtnet0 txq 0]
100045 D - 0xfffff80003562a00 [vtnet0 rxq 1]
100046 D - 0xfffff80003562900 [vtnet0 txq 1]
100048 D vtbslp 0xfffff80003522680 [virtio_balloon]
100052 D - 0xfffff80003335700 [mca taskq]
100056 D - 0xffffffff81ce7761 [deadlkres]
100062 D - 0xfffff80003331800 [acpi_task_0]
100063 D - 0xfffff80003331800 [acpi_task_1]
100064 D - 0xfffff80003331800 [acpi_task_2]
100065 D - 0xfffff80003331500 [CAM taskq]
db> show all locks
Process 775 (syz-executor1341990) thread 0xfffffe0023993800 (100104)
exclusive rm pf rulesets (pf rulesets) r = 0 (0xffffffff82c87290) locked @ /syzkaller/managers/main/kernel/sys/netpfil/pf/pf_ioctl.c:1585
db> show malloc
Type InUse MemUse Requests
pf_hash 5 11524K 5
devbuf 4213 4851K 4238
tcp_hpts 5 3201K 5
vtbuf 24 1968K 46
sysctloid 28335 1653K 28399
kobj 332 1328K 488
newblk 192 1072K 208
vfscache 4 1025K 4
pcb 21 537K 75
inodedep 48 536K 71
ufs_quota 1 512K 1
vfs_hash 1 512K 1
callout 2 512K 2
intr 4 388K 4
subproc 104 213K 834
acpica 1674 185K 52709
vnet_data 1 168K 1
pagedep 14 132K 18
tfo_ccache 1 128K 1
sem 4 106K 4
DEVFS1 101 101K 110
linker 244 92K 265
bus 964 78K 3344
mtx_pool 2 72K 2
syncache 1 68K 1
acpitask 1 64K 1
ddb_capture 1 64K 1
module 497 63K 497
temp 18 33K 1545
hostcache 1 32K 1
shm 1 32K 1
msg 4 30K 4
DEVFS3 120 30K 130
umtx 234 30K 234
kdtrace 146 28K 1606
DEVFS_RULE 56 27K 56
gtaskqueue 18 26K 18
vmem 3 22K 4
kbdmux 6 22K 6
BPF 10 18K 10
ufs_mount 3 17K 4
proc 3 17K 3
tty 16 16K 16
tidhash 1 16K 1
ithread 98 16K 98
bus-sc 30 14K 1431
KTRACE 100 13K 100
ifaddr 30 12K 32
kenv 95 12K 99
eventhandler 132 12K 132
pfs_nodes 20 10K 20
GEOM 60 10K 487
rman 82 10K 423
bmsafemap 3 9K 40
UART 12 9K 12
devstat 4 9K 4
rpc 2 8K 2
shmfd 1 8K 1
pfs_vncache 1 8K 1
audit_evclass 233 8K 291
CAM DEV 3 6K 510
vt 11 6K 11
cred 21 6K 244
sglist 5 6K 5
CAM queue 5 6K 1528
taskqueue 45 5K 45
ufs_dirhash 24 5K 24
routetbl 28 5K 32
dirrem 17 5K 28
plimit 17 5K 337
ifnet 3 5K 3
memdesc 1 4K 1
MCA 32 4K 32
UMA 249 4K 249
ioctlops 1 4K 88
evdev 4 4K 4
filedesc 1 4K 1
lltable 11 4K 11
hhook 13 4K 13
ether_multi 40 4K 45
diradd 25 4K 36
pf_ifnet 5 3K 6
in6_multi 25 3K 25
kqueue 46 3K 778
acpisem 22 3K 22
terminal 11 3K 11
session 20 3K 32
pgrp 20 3K 32
select 18 3K 18
uidinfo 3 3K 9
local_apic 1 2K 1
io_apic 1 2K 1
ipsec-saq 2 2K 2
lockf 16 2K 26
proc-args 39 2K 475
CAM XPT 22 2K 543
Unitno 25 2K 37
acpidev 20 2K 20
msi 9 2K 9
pf_rule 1 1K 1
softdep 1 1K 1
ipsecpolicy 1 1K 1
sahead 1 1K 1
secasvar 1 1K 1
clone 8 1K 8
vnodemarker 2 1K 6
NFSD session 1 1K 1
CAM periph 4 1K 271
nhops 6 1K 6
toponodes 6 1K 6
isadev 6 1K 6
mount 16 1K 86
pci_link 10 1K 10
ip6ndp 4 1K 5
sctp_ifa 5 1K 5
crypto 3 1K 3
newdirblk 4 1K 8
mkdir 4 1K 16
in_multi 2 1K 3
pfil 4 1K 4
chacha20random 1 1K 1
CAM SIM 2 1K 2
epoch 4 1K 4
cdev 2 1K 2
encap_export_host 8 1K 8
osd 3 1K 9
indirdep 1 1K 1
mld 2 1K 2
sctp_ifn 2 1K 2
igmp 2 1K 2
vnodes 1 1K 1
NFSD lckfile 1 1K 1
NFSD V4client 1 1K 1
DEVFS 9 1K 10
feeder 7 1K 7
inpcbpolicy 6 1K 131
tcpfunc 3 1K 3
loginclass 3 1K 7
CAM dev queue 2 1K 2
CAM I/O Scheduler 1 1K 1
apmdev 1 1K 1
atkbddev 2 1K 2
CAM path 4 1K 1034
ktls 1 1K 1
pmchooks 1 1K 1
prison 4 1K 4
DEVFSP 2 1K 2
soname 4 1K 5791
filecaps 4 1K 66
tun 3 1K 3
nexusdev 5 1K 5
entropy 2 1K 35
sctp_vrf 1 1K 1
vnet 1 1K 1
acpiintr 1 1K 1
pmc 1 1K 1
cpus 2 1K 2
vnet_data_free 1 1K 1
Per-cpu 1 1K 1
freework 1 1K 26
p1003.1b 1 1K 1
pf_table 0 0K 0
tcp_log_dev 0 0K 0
midi buffers 0 0K 0
fpukern_ctx 0 0K 0
mixer 0 0K 0
xen_intr 0 0K 0
ac97 0 0K 0
xen_hvm 0 0K 0
legacydrv 0 0K 0
qpidrv 0 0K 0
hdacc 0 0K 0
hdac 0 0K 0
dmar_idpgtbl 0 0K 0
dmar_dom 0 0K 0
dmar_ctx 0 0K 0
dmar_dmamap 0 0K 0
hdaa 0 0K 0
acpi_perf 0 0K 0
acpicmbat 0 0K 0
isci 0 0K 0
bxe_ilt 0 0K 0
xenbus 0 0K 0
SIIS driver 0 0K 0
vm_fictitious 0 0K 0
CAM CCB 0 0K 1713
PUC 0 0K 0
ppbusdev 0 0K 0
agtiapi_MemAlloc malloc 0 0K 0
osti_cacheable 0 0K 0
tempbuff 0 0K 0
tempbuff 0 0K 0
UMAHash 0 0K 0
ag_tgt_map_t malloc 0 0K 0
ag_slr_map_t malloc 0 0K 0
vm_pgdata 0 0K 0
jblocks 0 0K 0
savedino 0 0K 13
sentinel 0 0K 0
jfsync 0 0K 0
jtrunc 0 0K 0
sbdep 0 0K 2
jsegdep 0 0K 0
jseg 0 0K 0
jfreefrag 0 0K 0
jfreeblk 0 0K 0
jnewblk 0 0K 0
jmvref 0 0K 0
jremref 0 0K 0
jaddref 0 0K 0
freedep 0 0K 0
freefile 0 0K 9
freeblks 0 0K 25
freefrag 0 0K 5
allocindir 0 0K 0
allocdirect 0 0K 0
ufs_trim 0 0K 0
mactemp 0 0K 0
audit_trigger 0 0K 0
audit_pipe_presel 0 0K 0
audit_pipeent 0 0K 0
audit_pipe 0 0K 0
audit_evname 0 0K 0
audit_bsm 0 0K 0
audit_gidset 0 0K 0
audit_text 0 0K 0
audit_path 0 0K 0
audit_data 0 0K 0
audit_cred 0 0K 0
xform 0 0K 0
NLM 0 0K 0
ipsec-spdcache 0 0K 0
ipsec-reg 0 0K 0
ipsec-misc 0 0K 0
ipsecrequest 0 0K 0
ip6opt 0 0K 3
ip6_msource 0 0K 0
ip6_moptions 0 0K 0
in6_mfilter 0 0K 0
frag6 0 0K 0
tcplog 0 0K 0
lDevFlags * malloc 0 0K 0
LRO 0 0K 0
sctp_mcore 0 0K 0
sctp_socko 0 0K 0
sctp_iter 0 0K 3
sctp_mvrf 0 0K 0
sctp_timw 0 0K 0
sctp_cpal 0 0K 0
sctp_cmsg 0 0K 0
sctp_stre 0 0K 0
sctp_athi 0 0K 0
sctp_athm 0 0K 0
sctp_atky 0 0K 0
sctp_atcl 0 0K 0
sctp_a_it 0 0K 3
sctp_aadr 0 0K 0
sctp_stro 0 0K 0
sctp_stri 0 0K 0
sctp_map 0 0K 0
newreno data 0 0K 0
ip_msource 0 0K 0
ip_moptions 0 0K 0
in_mfilter 0 0K 0
ipid 0 0K 0
80211scan 0 0K 0
80211ratectl 0 0K 0
80211power 0 0K 0
80211nodeie 0 0K 0
80211node 0 0K 0
80211mesh_gt 0 0K 0
80211mesh_rt 0 0K 0
80211perr 0 0K 0
80211prep 0 0K 0
80211preq 0 0K 0
80211dfs 0 0K 0
80211crypto 0 0K 0
80211vap 0 0K 0
iflib 0 0K 0
vlan 0 0K 0
gif 0 0K 0
ifdescr 0 0K 0
zlib 0 0K 0
fadvise 0 0K 0
tiDeviceHandle_t * malloc 0 0K 0
statfs 0 0K 197
export_host 0 0K 0
cl_savebuf 0 0K 2
ag_portal_data_t malloc 0 0K 0
ag_device_t malloc 0 0K 0
STLock malloc 0 0K 0
CCB List 0 0K 0
sr_iov 0 0K 0
OCS 0 0K 0
OCS 0 0K 0
nvme 0 0K 0
nvd 0 0K 0
netmap 0 0K 0
mwldev 0 0K 0
MVS driver 0 0K 0
CAM ccb queue 0 0K 0
mrsasbuf 0 0K 0
mpt_user 0 0K 0
mps_user 0 0K 0
biobuf 0 0K 0
aios 0 0K 0
lio 0 0K 0
acl 0 0K 0
MPSSAS 0 0K 0
mbuf_tag 0 0K 25
accf 0 0K 0
pts 0 0K 0
iov 0 0K 12688
Witness 0 0K 0
stack 0 0K 0
mps 0 0K 0
mpr_user 0 0K 0
MPRSAS 0 0K 0
mpr 0 0K 0
mfibuf 0 0K 0
md_sectors 0 0K 0
sbuf 0 0K 288
md_disk 0 0K 0
compressor 0 0K 0
malodev 0 0K 0
SWAP 0 0K 0
LED 0 0K 0
sysctltmp 0 0K 575
sysctl 0 0K 1
ekcd 0 0K 0
dumper 0 0K 0
sendfile 0 0K 0
rctl 0 0K 0
ix_sriov 0 0K 0
aacraidcam 0 0K 0
ix 0 0K 0
ipsbuf 0 0K 0
iirbuf 0 0K 0
cache 0 0K 0
aacraid_buf 0 0K 0
kcovinfo 0 0K 0

Mark Johnston

30.04.2020, 10:25:34
an syzbot, syzkaller-f...@googlegroups.com
#syz dup: panic: pfi_dynaddr_setup: dyn is ADDR (2)