panic: Memory modified after free ADDR(256) val=0 @ ADDR


syzbot

May 10, 2019, 8:28:06 PM5/10/19
to syzkaller-f...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: fbc304aa Bind TCP HPTS (pacer) threads to NUMA domains
git tree: freebsd
console output: https://syzkaller.appspot.com/x/log.txt?x=17dfa5c8a00000
dashboard link: https://syzkaller.appspot.com/bug?extid=f82c67821f14f6e2cc50
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1209e7d0a00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f82c67...@syzkaller.appspotmail.com

#15 0xffffffff811158bd at dofilewrite+0x
panic: Memory modified after free 0xfffff80004993900(256) val=0 @ 0xfffff80004993900

cpuid = 0
time = 1557533462
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe0021294690
vpanic() at vpanic+0x1e0/frame 0xfffffe00212946f0
panic() at panic+0x43/frame 0xfffffe0021294750
trash_ctor() at trash_ctor+0xaa/frame 0xfffffe0021294790
mb_ctor_mbuf() at mb_ctor_mbuf+0x30/frame 0xfffffe00212947d0
uma_zalloc_arg() at uma_zalloc_arg+0x1036/frame 0xfffffe0021294880
m_getm2() at m_getm2+0x213/frame 0xfffffe00212948f0
sctp_get_mbuf_for_msg() at sctp_get_mbuf_for_msg+0x4a/frame 0xfffffe0021294930
sctp_lowlevel_chunk_output() at sctp_lowlevel_chunk_output+0x164/frame 0xfffffe0021294a80
sctp_med_chunk_output() at sctp_med_chunk_output+0x45ca/frame 0xfffffe0021295470
sctp_lower_sosend() at sctp_lower_sosend+0x4465/frame 0xfffffe0021295670
sctp_sosend() at sctp_sosend+0x510/frame 0xfffffe00212957a0
sosend() at sosend+0xc6/frame 0xfffffe0021295810
kern_sendit() at kern_sendit+0x35e/frame 0xfffffe00212958c0
sendit() at sendit+0x226/frame 0xfffffe0021295920
sys_sendmsg() at sys_sendmsg+0x8b/frame 0xfffffe0021295980
amd64_syscall() at amd64_syscall+0x436/frame 0xfffffe0021295ab0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe0021295ab0
--- syscall (198, FreeBSD ELF64, nosys), rip = 0x41309a, rsp = 0x7fffdffdcf38, rbp = 0x3 ---
KDB: enter: panic
[ thread pid 814 tid 100123 ]
Stopped at kdb_enter+0x6a: movq $0,kdb_why
db>


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches