assert failed: l->l_cpu == ci


syzbot

Dec 8, 2019, 7:00:11 PM
to syzkaller-...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 79bebca3 sys/atomic.h for membar_*
git tree: netbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=176f2aeae00000
kernel config: https://syzkaller.appspot.com/x/.config?x=824b23e1f4b6c76b
dashboard link: https://syzkaller.appspot.com/bug?extid=0a61307c141174ea43de
compiler: g++ (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10a80232e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10043196e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0a6130...@syzkaller.appspotmail.com

login: [ 798.1062188] panic: kernel diagnostic assertion "l->l_cpu == ci" failed: file "/syzkaller/managers/netbsd-kubsan/kernel/sys/kern/kern_synch.c", line 768
[ 798.1214927] cpu0: Begin traceback...
[ 798.1462767] vpanic() at netbsd:vpanic+0x2aa sys/kern/subr_prf.c:336
[ 798.2063869] kern_assert() at netbsd:kern_assert+0x63
[ 798.2564831] mi_switch() at netbsd:mi_switch+0x10e9 sys/kern/kern_synch.c:768
[ 798.3165926] sleepq_block() at netbsd:sleepq_block+0x1c6 sys/kern/kern_sleepq.c:281
[ 798.3767051] cv_timedwait() at netbsd:cv_timedwait+0x279 sys/kern/kern_condvar.c:294
[ 798.4368152] bbusy() at netbsd:bbusy+0x2ba bbusy sys/kern/vfs_bio.c:2161 [inline]
[ 798.4368152] bbusy() at netbsd:bbusy+0x2ba sys/kern/vfs_bio.c:2144
[ 798.4969259] getblk() at netbsd:getblk+0x6b sys/kern/vfs_bio.c:1202
[ 798.5570390] bio_doread() at netbsd:bio_doread+0x35 sys/kern/vfs_bio.c:697
[ 798.6171493] bread() at netbsd:bread+0x35 sys/kern/vfs_bio.c:759
[ 798.6672443] Mutex error: mutex_vector_enter,731: assertion failed: MUTEX_OWNER(mtx->mtx_owner) == curthread

[ 798.6772614] ffs_update() at netbsd:ffs_update+0x46a
[ 798.6772614] lock address : 0xffffffff85eb0f40 type : sleep/adaptive
[ 798.6772614] initialized : 0xffffffff82288285
[ 798.6872779] shared holds : 0 exclusive: 0
[ 798.6972965] shares wanted: 0 exclusive: 0
[ 798.7073185] current cpu : 1 last held: 1
[ 798.7073185] current lwp : 0xffffc525dcf0e9a0 last held: 000000000000000000
[ 798.7173357] last locked : 0xffffffff8224fb74 unlocked*: 0xffffffff8224fb88
[ 798.7273526] owner field : 000000000000000000 wait/spin: 0/0

[ 798.7273526] Turnstile chain at 0xffffffff85eb8628 with mutex 0xffffc526e7c32140.
[ 798.7373715] => No active turnstile for this lock.

[ 798.7373715] ufs_mkdir() at netbsd:ufs_mkdir+0xced
[ 798.8075035] VOP_MKDIR() at netbsd:VOP_MKDIR+0x123 sys/kern/vnode_if.c:1003
[ 798.8676166] do_sys_mkdirat() at netbsd:do_sys_mkdirat+0x1a4 sys/kern/vfs_syscalls.c:4619
[ 798.9377432] syscall() at netbsd:syscall+0x29a sy_call sys/sys/syscallvar.h:65 [inline]
[ 798.9377432] syscall() at netbsd:syscall+0x29a sy_invoke sys/sys/syscallvar.h:94 [inline]
[ 798.9377432] syscall() at netbsd:syscall+0x29a sys/arch/x86/x86/syscall.c:138
[ 798.9577808] --- syscall (number 136) ---
[ 798.9679977] Skipping crash dump on recursive panic
[ 798.9679977] panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/arch/amd64/amd64/db_machdep.c:153:24, member access within misaligned address 0xffffffff for type 'struct x86_64_frame' which requires 8 byte alignment

[ 798.9943610] Faulted in mid-traceback; aborting...
[ 798.9992253] fatal breakpoint trap in supervisor mode
[ 798.9992253] trap type 1 code 0 rip 0xffffffff8021dd9d cs 0x8 rflags 0x286 cr2 0x7362627f8a98 ilevel 0 rsp 0xffffa300a6a35b00
[ 799.0153602] curlwp 0xffffc525d94b8b60 pid 620.1 lowest kstack 0xffffa300a6a332c0
Stopped in pid 620.1 (syz-executor2255) at netbsd:breakpoint+0x5: leave
?
breakpoint() at netbsd:breakpoint+0x5
db_panic() at netbsd:db_panic+0xd1 sys/ddb/db_panic.c:67
vpanic() at netbsd:vpanic+0x2aa sys/kern/subr_prf.c:336
isAlreadyReported() at netbsd:isAlreadyReported
HandleTypeMismatch.part.1() at netbsd:HandleTypeMismatch.part.1+0xcc
HandleTypeMismatch() at netbsd:HandleTypeMismatch+0x7b
sys/../common/lib/libc/misc/ubsan.c:408
db_nextframe() at netbsd:db_nextframe+0x6f6 sys/arch/amd64/amd64/db_machdep.c:153
db_stack_trace_print() at netbsd:db_stack_trace_print+0x2c4 sys/arch/x86/x86/db_trace.c:277
db_panic() at netbsd:db_panic+0x8b x86_curcpu sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:67 [inline]
db_panic() at netbsd:db_panic+0x8b sys/ddb/db_panic.c:57
vpanic() at netbsd:vpanic+0x2aa sys/kern/subr_prf.c:336
kern_assert() at netbsd:kern_assert+0x63
mi_switch() at netbsd:mi_switch+0x10e9 sys/kern/kern_synch.c:768
sleepq_block() at netbsd:sleepq_block+0x1c6 sys/kern/kern_sleepq.c:281
cv_timedwait() at netbsd:cv_timedwait+0x279 sys/kern/kern_condvar.c:294
bbusy() at netbsd:bbusy+0x2ba bbusy sys/kern/vfs_bio.c:2161 [inline]
bbusy() at netbsd:bbusy+0x2ba sys/kern/vfs_bio.c:2144
getblk() at netbsd:getblk+0x6b sys/kern/vfs_bio.c:1202
bio_doread() at netbsd:bio_doread+0x35 sys/kern/vfs_bio.c:697
bread() at netbsd:bread+0x35 sys/kern/vfs_bio.c:759
ffs_update() at netbsd:ffs_update+0x46a sys/ufs/ffs/ffs_inode.c:150
ufs_mkdir() at netbsd:ufs_mkdir+0xced sys/ufs/ufs/ufs_vnops.c:1015
VOP_MKDIR() at netbsd:VOP_MKDIR+0x123 sys/kern/vnode_if.c:1003
do_sys_mkdirat() at netbsd:do_sys_mkdirat+0x1a4 sys/kern/vfs_syscalls.c:4619
syscall() at netbsd:syscall+0x29a sy_call sys/sys/syscallvar.h:65 [inline]
syscall() at netbsd:syscall+0x29a sy_invoke sys/sys/syscallvar.h:94 [inline]
syscall() at netbsd:syscall+0x29a sys/arch/x86/x86/syscall.c:138
--- syscall (number 136) ---
[ 799.0227387] Skipping crash dump on recursive panic
[ 799.0227387] panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/arch/amd64/amd64/db_machdep.c:154:14, member access within misaligned address 0xffffffff for type 'struct x86_64_frame' which requires 8 byte alignment

[ 799.0227387] Faulted in mid-traceback; aborting...
[ 799.0227387] fatal breakpoint trap in supervisor mode
[ 799.0227387] trap type 1 code 0 rip 0xffffffff8021dd9d cs 0x8 rflags 0x286 cr2 0x7362627f8a98 ilevel 0x8 rsp 0xffffa300a6a34800
[ 799.0227387] curlwp 0xffffc525d94b8b60 pid 620.1 lowest kstack 0xffffa300a6a332c0
Stopped in pid 620.1 (syz-executor2255) at netbsd:breakpoint+0x5: leave

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

Kamil Rytarowski

Dec 9, 2019, 9:21:36 AM
to syzbot, syzkaller-...@googlegroups.com
#syz fix: mi_switch: move an over eager KASSERT defeated by kernel preemption.

Maxime Villard

Dec 12, 2019, 3:58:18 AM
to Kamil Rytarowski, syzbot, syzkaller-...@googlegroups.com
On 09/12/2019 at 15:21, Kamil Rytarowski wrote:
> #syz fix: mi_switch: move an over eager KASSERT defeated by kernel preemption.

actually, dismiss, temporary breakage, not a real bug

#syz invalid