Fatal trap 12: page fault in inp_freemoptions (2)

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit: c7cdb4a8 Another partial revert of r301289.
git tree: freebsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1476fa86a00000
dashboard link: https://syzkaller.appspot.com/bug?extid=195c396f06b3d19e25db

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+195c39...@syzkaller.appspotmail.com

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x18
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff81286147
stack pointer = 0x28:0xfffffe0016b2e8c0
frame pointer = 0x28:0xfffffe0016b2e900
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 0 (softirq_0)
trap number = 12
panic: page fault
cpuid = 0
time = 39
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame
0xfffffe0016b2e520
vpanic() at vpanic+0x1e0/frame 0xfffffe0016b2e580
panic() at panic+0x43/frame 0xfffffe0016b2e5e0
trap_fatal() at trap_fatal+0x4c6/frame 0xfffffe0016b2e660
trap_pfault() at trap_pfault+0x9f/frame 0xfffffe0016b2e6d0
trap() at trap+0x44d/frame 0xfffffe0016b2e7f0
calltrap() at calltrap+0x8/frame 0xfffffe0016b2e7f0
--- trap 0xc, rip = 0xffffffff81286147, rsp = 0xfffffe0016b2e8c0, rbp =
0xfffffe0016b2e900 ---
inp_freemoptions() at inp_freemoptions+0x177/frame 0xfffffe0016b2e900
in_pcbfree_deferred() at in_pcbfree_deferred+0x2a9/frame 0xfffffe0016b2e960
epoch_call_task() at epoch_call_task+0x262/frame 0xfffffe0016b2e9c0
gtaskqueue_run_locked() at gtaskqueue_run_locked+0x13e/frame
0xfffffe0016b2ea20
gtaskqueue_thread_loop() at gtaskqueue_thread_loop+0xdd/frame
0xfffffe0016b2ea60
fork_exit() at fork_exit+0xb0/frame 0xfffffe0016b2eab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0016b2eab0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
[ thread pid 0 tid 100015 ]
Stopped at kdb_enter+0x6a: movq $0,kdb_why


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

[syzbot]

syzbot has found a reproducer for the following crash on:

HEAD commit: 2b3f398e Modify mountd so that it incrementally updates th..
git tree: freebsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1049c292a00000
dashboard link: https://syzkaller.appspot.com/bug?extid=195c396f06b3d19e25db
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17c52b16a00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+195c39...@syzkaller.appspotmail.com

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x18
fault code = supervisor read data, page not present

instruction pointer = 0x20:0xffffffff81286187

stack pointer = 0x28:0xfffffe0016b2e8c0
frame pointer = 0x28:0xfffffe0016b2e900
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 0 (softirq_0)
trap number = 12
panic: page fault
cpuid = 0

time = 1559624356

KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame
0xfffffe0016b2e520
vpanic() at vpanic+0x1e0/frame 0xfffffe0016b2e580
panic() at panic+0x43/frame 0xfffffe0016b2e5e0
trap_fatal() at trap_fatal+0x4c6/frame 0xfffffe0016b2e660
trap_pfault() at trap_pfault+0x9f/frame 0xfffffe0016b2e6d0
trap() at trap+0x44d/frame 0xfffffe0016b2e7f0
calltrap() at calltrap+0x8/frame 0xfffffe0016b2e7f0

--- trap 0xc, rip = 0xffffffff81286187, rsp = 0xfffffe0016b2e8c0, rbp =

[Mark Johnston]

#syz fix: Convert all IPv4 and IPv6 multicast memberships into using a STAILQ

[syzbot]

This bug is marked as fixed by commit:

Convert all IPv4 and IPv6 multicast memberships into using a STAILQ

But I can't find it in any tested tree for more than 90 days.
Is it a correct commit? Please update it by replying:
#syz fix: exact-commit-title
Until then the bug is still considered open and
new crashes with the same signature are ignored.

[c...@freebsd.org]

#syz fix: Convert all IPv4 and IPv6 multicast memberships into using a STAILQ instead of a linear array.

(Syzkaller uses the 2nd line of 'git log -n 1 --format=%H%n%s%n%ae%n%an%n%ad%n%b <hash>' to determine title, which unwraps lines until it finds a blank one.[1])

$ git log -n 1 --format=%H%n%s%n%ae%n%an%n%ad%n%b 1a5fd513af7e

1a5fd513af7e3801164aea50e6e53cd0b12075d8

Convert all IPv4 and IPv6 multicast memberships into using a STAILQ instead of a linear array.

hsel...@FreeBSD.org

...

Best,

Conrad

[1]: https://github.com/google/syzkaller/blob/master/pkg/vcs/git.go#L155-L236

[syzbot]

> #syz fix: Convert all IPv4 and IPv6 multicast memberships into using a

I see the command but can't find the corresponding bug.
Please resend the email to syzbo...@syzkaller.appspotmail.com address
that is the sender of the bug report (also present in the Reported-by tag).

> --
> You received this message because you are subscribed to the Google
> Groups "syzkaller-freebsd-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-freebsd...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-freebsd-bugs/e3afaf99-334e-4134-8404-5ad2cbaa0368%40googlegroups.com.

[c...@freebsd.org]

On Monday, June 3, 2019 at 2:29:05 PM UTC-7, syzbot wrote:

Hello,

syzbot found the following crash on:

HEAD commit:    c7cdb4a8 Another partial revert of r301289.
git tree:       freebsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1476fa86a00000
dashboard link: https://syzkaller.appspot.com/bug?extid=195c396f06b3d19e25db

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:

Reported-by: syz...@syzkaller.appspotmail.com

#syz fix: Convert all IPv4 and IPv6 multicast memberships into using a STAILQ instead of a linear array. 

[syzbot]

> On Monday, June 3, 2019 at 2:29:05 PM UTC-7, syzbot wrote:

>> Hello,

>> syzbot found the following crash on:

>> HEAD commit: c7cdb4a8 Another partial revert of r301289.
>> git tree: freebsd
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1476fa86a00000
>> dashboard link:
>> https://syzkaller.appspot.com/bug?extid=195c396f06b3d19e25db

>> Unfortunately, I don't have any reproducer for this crash yet.

>> IMPORTANT: if you fix the bug, please add the following tag to the
>> commit:

>> Reported-by: syz...@syzkaller.appspotmail.com <javascript:>

I see the command but can't find the corresponding bug.
Please resend the email to syzbo...@syzkaller.appspotmail.com address
that is the sender of the bug report (also present in the Reported-by tag).

> STAILQ instead of a linear array.

> --
> You received this message because you are subscribed to the Google
> Groups "syzkaller-freebsd-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-freebsd...@googlegroups.com.
> To view this discussion on the web visit

> https://groups.google.com/d/msgid/syzkaller-freebsd-bugs/7d5dbee6-42a7-4cbd-922b-83d42bec3a18%40googlegroups.com.

[Conrad Meyer]

#syz fix: Convert all IPv4 and IPv6 multicast memberships into using a

STAILQ instead of a linear array.

One more try...

[Mark Johnston]

#syz fix: Convert all IPv4 and IPv6 multicast memberships into using a STAILQ instead of a linear array.

Fifth time's the charm...