corrupted report (3)
7 views
Skip to first unread message
syzbot
May 31, 2020, 3:06:16 PM5/31/20
to syzkaller-...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 210304d1 Use device_xname() to access dv_xname
git tree: netbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=11eecade100000
kernel config: https://syzkaller.appspot.com/x/.config?x=5702129db7f7788d
dashboard link: https://syzkaller.appspot.com/bug?extid=f30ca5c71662f47309fe
compiler: g++ (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f30ca5...@syzkaller.appspotmail.com
[ 65.8769555] panic: tcp_output: no template
[ 65.8769555] cpu0: Begin traceback...
[ 65.8869407] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
[ 65.9069356] snprintf() at netbsd:snprintf
[ 65.9269337] tcp_output() at netbsd:tcp_output+0x5527 sys/netinet/tcp_output.c:1261
[ 65.9569357] tcp_sendoob_wrapper() at netbsd:tcp_sendoob_wrapper+0x249 tcp_sendoob sys/netinet/tcp_usrreq.c:1178 [inline]
[ 65.9569357] tcp_sendoob_wrapper() at netbsd:tcp_sendoob_wrapper+0x249 sys/netinet/tcp_usrreq.c:2450
[ 65.9869377] sosend() at netbsd:sosend+0x8c4 sys/kern/uipc_socket.c:1056
[ 66.0069375] do_sys_sendmsg_so() at netbsd:do_sys_sendmsg_so+0x527 sys/kern/uipc_syscalls.c:629
[ 66.0269345] do_sys_sendmsg() at netbsd:do_sys_sendmsg+0x15a sys/kern/uipc_syscalls.c:679
[ 66.0469359] sys_sendmsg() at netbsd:sys_sendmsg+0x117 sys/kern/uipc_syscalls.c:533
[ 66.0769354] sys___syscall() at netbsd:sys___syscall+0xde sy_call sys/sys/syscallvar.h:65 [inline]
[ 66.0769354] sys___syscall() at netbsd:sys___syscall+0xde sys/kern/sys_syscall.c:77
[ 66.0969356] syscall() at netbsd:syscall+0x553 sy_call sys/sys/syscallvar.h:65 [inline]
[ 66.0969356] syscall() at netbsd:syscall+0x553 sy_invoke sys/sys/syscallvar.h:94 [inline]
[ 66.0969356] syscall() at netbsd:syscall+0x553 sys/arch/x86/x86/syscall.c:138
[ 66.1069348] --- syscall (number 198) ---
[ 66.1169349] netbsd:syscall+0x553:
[ 66.1169349] cpu0: End traceback...
[ 66.1285114] fatal breakpoint trap in supervisor mode
[ 66.1285114] trap type 1 code 0 rip 0xffffffff8022094d cs 0x8 rflags 0x282 cr2 0x78fafb442000 ilevel 0x4 rsp 0xffffbb818c5f7270
[ 66.1448034] curlwp 0xffffbb80144eb4c0 pid 2404.1354 lowest kstack 0xffffbb818c5f02c0
Stopped in pid 2404.1354 (syz-executor.3) at netbsd:breakpoint+0x5: leave
?
breakpoint() at netbsd:breakpoint+0x5
db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67
vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
snprintf() at netbsd:snprintf
tcp_output() at netbsd:tcp_output+0x5527 sys/netinet/tcp_output.c:1261
tcp_sendoob_wrapper() at netbsd:tcp_sendoob_wrapper+0x249 tcp_sendoob sys/netinet/tcp_usrreq.c:1178 [inline]
tcp_sendoob_wrapper() at netbsd:tcp_sendoob_wrapper+0x249 sys/netinet/tcp_usrreq.c:2450
sosend() at netbsd:sosend+0x8c4 sys/kern/uipc_socket.c:1056
do_sys_sendmsg_so() at netbsd:do_sys_sendmsg_so+0x527 sys/kern/uipc_syscalls.c:629
do_sys_sendmsg() at netbsd:do_sys_sendmsg+0x15a sys/kern/uipc_syscalls.c:679
sys_sendmsg() at netbsd:sys_sendmsg+0x117 sys/kern/uipc_syscalls.c:533
sys___syscall() at netbsd:sys___syscall+0xde sy_call sys/sys/syscallvar.h:65 [inline]
sys___syscall() at netbsd:sys___syscall+0xde sys/kern/sys_syscall.c:77
syscall() at netbsd:syscall+0x553 sy_call sys/sys/syscallvar.h:65 [inline]
syscall() at netbsd:syscall+0x553 sy_invoke sys/sys/syscallvar.h:94 [inline]
syscall() at netbsd:syscall+0x553 sys/arch/x86/x86/syscall.c:138
--- syscall (number 198) ---
netbsd:syscall+0x553:
ds eb40
es eb40
fs 7250
gs 72a0
rdi ffffffff82bd8bc0 db_onpanic
rsi 1ffffffff057b178
rbp ffffbb818c5f7270
rbx ffffffff829b4f80 cpu_info_primary
rdx ffffbb8181560000
rcx ffffffff8126f839 db_panic+0xd5
rax 3ffff
r8 4
r9 1ffffffff057b178
r10 ffffffff82bd8bc3 db_onpanic+0x3
r11 10
r12 ffffbb816e6aa000
r13 ffffffff821cb540 __func__.16577+0x720
r14 ffffbb818c5f7300
r15 ffffbb816e699060
rip ffffffff8022094d breakpoint+0x5
cs 8
rflags 282
rsp ffffbb818c5f7270
ss 10
netbsd:breakpoint+0x5: leave
PID LID S CPU FLAGS STRUCT LWP * NAME WAIT
1568 1568 2 1 0 ffffbb8012a04680 syz-executor.2
1338 1338 2 0 0 ffffbb8012bf8a00 syz-executor.0
2404 2343 3 0 80 ffffbb8012c2e640 syz-executor.3 parked
2404 >1354 7 0 0 ffffbb80144eb4c0 syz-executor.3
2404 2404 2 0 10040000 ffffbb8012bf8180 syz-executor.3
1328 1369 3 1 80 ffffbb8012c5a280 syz-executor.5 parked
1328 1490 2 1 0 ffffbb8012ba1500 syz-executor.5
1328 1328 2 1 10040000 ffffbb8012a04240 syz-executor.5
1953 1953 3 0 80 ffffbb8014419240 syz-executor.0 parked
1473 1473 3 0 40080 ffffbb80143fe640 syz-executor.0 parked
806 806 3 1 40080 ffffbb8014419ac0 syz-executor.0 parked
2268 2268 3 0 80 ffffbb80144eb080 syz-executor.0 parked
1364 1364 3 0 40080 ffffbb80144d7480 syz-executor.2 parked
1227 1227 3 1 80 ffffbb8012a04ac0 syz-executor.3 parked
543 543 3 1 80 ffffbb801386b740 syz-executor.5 parked
1197 1197 3 0 80 ffffbb801384d240 syz-executor.5 parked
1086 1086 3 0 80 ffffbb8012cb0940 syz-executor.5 parked
1084 1084 3 0 80 ffffbb80137cd580 syz-executor.5 parked
1246 1246 3 0 80 ffffbb8012d84b80 syz-executor.5 parked
1698 1698 3 0 80 ffffbb80142d45c0 syz-executor.5 nanoslp
815 815 3 0 80 ffffbb80142d4180 syz-executor.3 nanoslp
829 829 3 0 80 ffffbb80142979c0 syz-executor.4 nanoslp
824 > 824 7 1 40 ffffbb8014297140 syz-executor.1
814 814 3 0 80 ffffbb8014277980 syz-executor.2 nanoslp
811 811 3 0 80 ffffbb8014277100 syz-executor.0 nanoslp
855 1531 3 0 80 ffffbb8014297580 syz-fuzzer parked
855 695 3 1 80 ffffbb8014277540 syz-fuzzer parked
855 853 2 1 0 ffffbb8012b36780 syz-fuzzer
855 1211 3 0 80 ffffbb8014130500 syz-fuzzer kqueue
855 810 3 1 80 ffffbb80141300c0 syz-fuzzer parked
855 706 3 1 80 ffffbb8013841a80 syz-fuzzer parked
855 1895 3 0 80 ffffbb8013841640 syz-fuzzer parked
855 809 3 0 80 ffffbb8013841200 syz-fuzzer parked
855 808 3 0 80 ffffbb80137e25c0 syz-fuzzer nanoslp
855 855 3 0 80 ffffbb8012a93740 syz-fuzzer parked
1315 1315 3 1 80 ffffbb8012b36340 sshd select
858 858 3 0 80 ffffbb8012747740 getty nanoslp
719 719 3 0 80 ffffbb8012747300 getty nanoslp
851 851 3 1 80 ffffbb80138ba080 getty nanoslp
1505 1505 3 0 c0 ffffbb80129ce640 getty ttyraw
576 576 3 1 80 ffffbb80137c2100 sshd select
592 592 3 1 80 ffffbb8012d2c680 powerd kqueue
435 435 3 1 80 ffffbb8013857b00 syslogd kqueue
308 308 3 0 80 ffffbb8012c43ac0 dhcpcd kqueue
310 310 3 1 80 ffffbb8012c85340 dhcpcd kqueue
306 306 3 1 80 ffffbb8012c43240 dhcpcd kqueue
349 349 3 0 80 ffffbb8012c43680 dhcpcd kqueue
204 204 3 1 80 ffffbb80136e9bc0 dhcpcd kqueue
200 200 3 0 80 ffffbb8012d84740 dhcpcd kqueue
199 199 3 1 80 ffffbb8012d84300 dhcpcd kqueue
198 198 3 1 80 ffffbb8012d64b40 dhcpcd kqueue
1 1 3 0 80 ffffbb80128e8980 init wait
0 1123 3 0 200 ffffbb80129655c0 physiod physiod
0 63 3 0 200 ffffbb8012967600 pooldrain pooldrain
0 126 3 0 200 ffffbb80129671c0 ioflush syncer
0 125 3 1 200 ffffbb8012965a00 pgdaemon pgdaemon
0 122 3 1 200 ffffbb80128fe9c0 usb0 usbevt
0 121 3 1 200 ffffbb80128fe580 usbtask-dr usbtsk
0 120 3 0 200 ffffbb800fe5cac0 usbtask-hc usbtsk
0 119 3 0 200 ffffbb80128fe140 npfgc0 npfgcw
0 118 3 1 200 ffffbb80128e8540 rt_free rt_free
0 117 3 1 200 ffffbb80128e8100 unpgc unpgc
0 116 3 0 200 ffffbb80128df940 key_timehandler key_timehandler
0 115 3 1 200 ffffbb80128df500 icmp6_wqinput/1 icmp6_wqinput
0 114 3 0 200 ffffbb80128df0c0 icmp6_wqinput/0 icmp6_wqinput
0 113 3 0 200 ffffbb80128d6900 nd6_timer nd6_timer
0 112 3 1 200 ffffbb80128d64c0 carp6_wqinput/1 carp6_wqinput
0 111 3 0 200 ffffbb80128d6080 carp6_wqinput/0 carp6_wqinput
0 110 3 1 200 ffffbb80127598c0 carp_wqinput/1 carp_wqinput
0 109 3 0 200 ffffbb8012759480 carp_wqinput/0 carp_wqinput
0 108 3 1 200 ffffbb8012759040 icmp_wqinput/1 icmp_wqinput
0 107 3 0 200 ffffbb8012748bc0 icmp_wqinput/0 icmp_wqinput
0 106 3 0 200 ffffbb8012748340 rt_timer rt_timer
0 105 3 1 200 ffffbb8012748780 vmem_rehash vmem_rehash
0 104 3 0 200 ffffbb8012744b40 entbutler entropy
0 30 3 1 200 ffffbb80121626c0 vioif0_txrx/1 vioif0_txrx
0 29 3 0 200 ffffbb8012162280 vioif0_txrx/0 vioif0_txrx
0 27 3 0 200 ffffbb800fe5c680 scsibus0 sccomp
0 26 3 0 200 ffffbb800fe5c240 pms0 pmsreset
0 25 3 1 200 ffffbb800fd9da80 xcall/1 xcall
0 24 1 1 200 ffffbb800fd9d640 softser/1
0 23 1 1 200 ffffbb800fd9d200 softclk/1
0 22 1 1 200 ffffbb800fd9ba40 softbio/1
0 21 1 1 200 ffffbb800fd9b600 softnet/1
0 20 1 1 201 ffffbb800fd9b1c0 idle/1
0 19 3 0 200 ffffbb800e80aa00 lnxpwrwq lnxpwrwq
0 18 3 0 200 ffffbb800e80a5c0 lnxlngwq lnxlngwq
0 17 3 0 200 ffffbb800e80a180 lnxsyswq lnxsyswq
0 16 3 0 200 ffffbb800e8049c0 lnxrcugc lnxrcugc
0 15 3 0 200 ffffbb800e804580 sysmon smtaskq
0 14 3 0 200 ffffbb800e804140 pmfsuspend pmfsuspend
0 13 3 0 200 ffffbb800e7ff980 pmfevent pmfevent
0 12 3 0 200 ffffbb800e7ff540 sopendfree sopendfr
0 11 3 0 200 ffffbb800e7ff100 iflnkst iflnkst
0 10 3 0 200 ffffbb800e7f3940 nfssilly nfssilly
0 9 3 0 200 ffffbb800e7f3500 vdrain vdrain
0 8 3 0 200 ffffbb800e7f30c0 modunload mod_unld
0 7 3 0 200 ffffbb800e7e6900 xcall/0 xcall
0 6 1 0 200 ffffbb800e7e64c0 softser/0
0 5 1 0 200 ffffbb800e7e6080 softclk/0
0 4 1 0 200 ffffbb800e7e48c0 softbio/0
0 3 1 0 200 ffffbb800e7e4480 softnet/0
0 2 1 0 201 ffffbb800e7e4040 idle/0
0 0 3 1 200 ffffffff82ca4080 swapper uvm
[Locks tracked through LWPs]
****** LWP 2404.1354 (syz-executor.3) @ 0xffffbb80144eb4c0, l_stat=7
*** Locks held:
* Lock 0 (initialized at soinit)
lock address : 0xffffbb800e733080 type : sleep/adaptive
initialized : 0xffffffff817d6a47
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffffbb80144eb4c0 last held: 0xffffbb80144eb4c0
last locked* : 0xffffffff817d5c6c unlocked : 0xffffffff817d5cec
owner field : 0xffffbb80144eb4c0 wait/spin: 0/0
Turnstile: no active turnstile for this lock.
*** Locks wanted: none
****** LWP 1328.1490 (syz-executor.5) @ 0xffffbb8012ba1500, l_stat=2
*** Locks held:
* Lock 0 (initialized at filedesc_ctor)
lock address : 0xffffbb801450f680 type : sleep/adaptive
initialized : 0xffffffff81699b11
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffbb8012ba1500 last held: 0xffffbb8012ba1500
last locked* : 0xffffffff8169c5e4 unlocked : 0xffffffff8169cd9d
owner field : 0xffffbb8012ba1500 wait/spin: 0/0
Turnstile: no active turnstile for this lock.
*** Locks wanted: none
****** LWP 824.824 (syz-executor.1) @ 0xffffbb8014297140, l_stat=7
*** Locks held:
* Lock 0 (initialized at vcache_alloc)
lock address : 0xffffbb801429de80 type : sleep/adaptive
initialized : 0xffffffff81827c83
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffbb8014297140 last held: 0xffffbb8014297140
last locked* : 0xffffffff81856a7f unlocked : 0xffffffff81856ae1
owner/count : 0xffffbb8014297140 flags : 0x0000000000000004
Turnstile: no active turnstile for this lock.
* Lock 1 (initialized at vcache_alloc)
lock address : 0xffffbb8012955280 type : sleep/adaptive
initialized : 0xffffffff81827c83
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffbb8014297140 last held: 0xffffbb8014297140
last locked* : 0xffffffff81856a7f unlocked : 0xffffffff81856ae1
[ 66.1525171] Skipping crash dump on recursive panic
[ 66.1525171] panic: ASan: Unauthorized Access In 0xffffffff816f2f20: Addr 0xffffbb8012955280 [8 bytes, read, PoolUseAfterFree]
[ 66.1525171] cpu0: Begin traceback...
[ 66.1525171] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
[ 66.1525171] snprintf() at netbsd:snprintf
[ 66.1525171] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline]
[ 66.1525171] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197
[ 66.1525171] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline]
[ 66.1525171] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline]
[ 66.1525171] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline]
[ 66.1525171] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210
[ 66.1525171] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:186
[ 66.1525171] lockdebug_dump() at netbsd:lockdebug_dump+0x205 sys/kern/subr_lockdebug.c:759
[ 66.1525171] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb7 sys/kern/subr_lockdebug.c:839
[ 66.1525171] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26a lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:877 [inline]
[ 66.1525171] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26a sys/kern/subr_lockdebug.c:941
[ 66.1525171] db_command() at netbsd:db_command+0x2ad sys/ddb/db_command.c:942
[ 66.1525171] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:439 [inline]
[ 66.1525171] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:589
[ 66.1525171] db_trap() at netbsd:db_trap+0x206 sys/ddb/db_trap.c:94
[ 66.1525171] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:248
[ 66.1525171] trap() at netbsd:trap+0x579 sys/arch/amd64/amd64/trap.c:315
[ 66.1525171] --- trap (number 1) ---
[ 66.1525171] breakpoint() at netbsd:breakpoint+0x5
[ 66.1525171] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67
[ 66.1525171] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
[ 66.1525171] snprintf() at netbsd:snprintf
[ 66.1525171] tcp_output() at netbsd:tcp_output+0x5527 sys/netinet/tcp_output.c:1261
[ 66.1525171] tcp_sendoob_wrapper() at netbsd:tcp_sendoob_wrapper+0x249 tcp_sendoob sys/netinet/tcp_usrreq.c:1178 [inline]
[ 66.1525171] tcp_sendoob_wrapper() at netbsd:tcp_sendoob_wrapper+0x249 sys/netinet/tcp_usrreq.c:2450
[ 66.1525171] sosend() at netbsd:sosend+0x8c4 sys/kern/uipc_socket.c:1056
[ 66.1525171] do_sys_sendmsg_so() at netbsd:do_sys_sendmsg_so+0x527 sys/kern/uipc_syscalls.c:629
[ 66.1525171] do_sys_sendmsg() at netbsd:do_sys_sendmsg+0x15a sys/kern/uipc_syscalls.c:679
[ 66.1525171] sys_sendmsg() at netbsd:sys_sendmsg+0x117 sys/kern/uipc_syscalls.c:533
[ 66.1525171] sys___syscall() at netbsd:sys___syscall+0xde sy_call sys/sys/syscallvar.h:65 [inline]
[ 66.1525171] sys___syscall() at netbsd:sys___syscall+0xde sys/kern/sys_syscall.c:77
[ 66.1525171] syscall() at netbsd:syscall+0x553 sy_call sys/sys/syscallvar.h:65 [inline]
[ 66.1525171] syscall() at netbsd:syscall+0x553 sy_invoke sys/sys/syscallvar.h:94 [inline]
[ 66.1525171] syscall() at netbsd:syscall+0x553 sys/arch/x86/x86/syscall.c:138
[ 66.1525171] --- syscall (number 198) ---
[ 66.1525171] netbsd:syscall+0x553:
[ 66.1525171] cpu0: End traceback...
[ 66.1525171] fatal breakpoint trap in supervisor mode
[ 66.1525171] trap type 1 code 0 rip 0xffffffff8022094d cs 0x8 rflags 0x282 cr2 0x78fafb442000 ilevel 0x8 rsp 0xffffbb818c5f6810
[ 66.1525171] curlwp 0xffffbb80144eb4c0 pid 2404.1354 lowest kstack 0xffffbb818c5f02c0
Stopped in pid 2404.1354 (syz-executor.3) at netbsd:breakpoint+0x5: leave
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 210304d1 Use device_xname() to access dv_xname
git tree: netbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=11eecade100000
kernel config: https://syzkaller.appspot.com/x/.config?x=5702129db7f7788d
dashboard link: https://syzkaller.appspot.com/bug?extid=f30ca5c71662f47309fe
compiler: g++ (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f30ca5...@syzkaller.appspotmail.com
[ 65.8769555] panic: tcp_output: no template
[ 65.8769555] cpu0: Begin traceback...
[ 65.8869407] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
[ 65.9069356] snprintf() at netbsd:snprintf
[ 65.9269337] tcp_output() at netbsd:tcp_output+0x5527 sys/netinet/tcp_output.c:1261
[ 65.9569357] tcp_sendoob_wrapper() at netbsd:tcp_sendoob_wrapper+0x249 tcp_sendoob sys/netinet/tcp_usrreq.c:1178 [inline]
[ 65.9569357] tcp_sendoob_wrapper() at netbsd:tcp_sendoob_wrapper+0x249 sys/netinet/tcp_usrreq.c:2450
[ 65.9869377] sosend() at netbsd:sosend+0x8c4 sys/kern/uipc_socket.c:1056
[ 66.0069375] do_sys_sendmsg_so() at netbsd:do_sys_sendmsg_so+0x527 sys/kern/uipc_syscalls.c:629
[ 66.0269345] do_sys_sendmsg() at netbsd:do_sys_sendmsg+0x15a sys/kern/uipc_syscalls.c:679
[ 66.0469359] sys_sendmsg() at netbsd:sys_sendmsg+0x117 sys/kern/uipc_syscalls.c:533
[ 66.0769354] sys___syscall() at netbsd:sys___syscall+0xde sy_call sys/sys/syscallvar.h:65 [inline]
[ 66.0769354] sys___syscall() at netbsd:sys___syscall+0xde sys/kern/sys_syscall.c:77
[ 66.0969356] syscall() at netbsd:syscall+0x553 sy_call sys/sys/syscallvar.h:65 [inline]
[ 66.0969356] syscall() at netbsd:syscall+0x553 sy_invoke sys/sys/syscallvar.h:94 [inline]
[ 66.0969356] syscall() at netbsd:syscall+0x553 sys/arch/x86/x86/syscall.c:138
[ 66.1069348] --- syscall (number 198) ---
[ 66.1169349] netbsd:syscall+0x553:
[ 66.1169349] cpu0: End traceback...
[ 66.1285114] fatal breakpoint trap in supervisor mode
[ 66.1285114] trap type 1 code 0 rip 0xffffffff8022094d cs 0x8 rflags 0x282 cr2 0x78fafb442000 ilevel 0x4 rsp 0xffffbb818c5f7270
[ 66.1448034] curlwp 0xffffbb80144eb4c0 pid 2404.1354 lowest kstack 0xffffbb818c5f02c0
Stopped in pid 2404.1354 (syz-executor.3) at netbsd:breakpoint+0x5: leave
?
breakpoint() at netbsd:breakpoint+0x5
db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67
vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
snprintf() at netbsd:snprintf
tcp_output() at netbsd:tcp_output+0x5527 sys/netinet/tcp_output.c:1261
tcp_sendoob_wrapper() at netbsd:tcp_sendoob_wrapper+0x249 tcp_sendoob sys/netinet/tcp_usrreq.c:1178 [inline]
tcp_sendoob_wrapper() at netbsd:tcp_sendoob_wrapper+0x249 sys/netinet/tcp_usrreq.c:2450
sosend() at netbsd:sosend+0x8c4 sys/kern/uipc_socket.c:1056
do_sys_sendmsg_so() at netbsd:do_sys_sendmsg_so+0x527 sys/kern/uipc_syscalls.c:629
do_sys_sendmsg() at netbsd:do_sys_sendmsg+0x15a sys/kern/uipc_syscalls.c:679
sys_sendmsg() at netbsd:sys_sendmsg+0x117 sys/kern/uipc_syscalls.c:533
sys___syscall() at netbsd:sys___syscall+0xde sy_call sys/sys/syscallvar.h:65 [inline]
sys___syscall() at netbsd:sys___syscall+0xde sys/kern/sys_syscall.c:77
syscall() at netbsd:syscall+0x553 sy_call sys/sys/syscallvar.h:65 [inline]
syscall() at netbsd:syscall+0x553 sy_invoke sys/sys/syscallvar.h:94 [inline]
syscall() at netbsd:syscall+0x553 sys/arch/x86/x86/syscall.c:138
--- syscall (number 198) ---
netbsd:syscall+0x553:
ds eb40
es eb40
fs 7250
gs 72a0
rdi ffffffff82bd8bc0 db_onpanic
rsi 1ffffffff057b178
rbp ffffbb818c5f7270
rbx ffffffff829b4f80 cpu_info_primary
rdx ffffbb8181560000
rcx ffffffff8126f839 db_panic+0xd5
rax 3ffff
r8 4
r9 1ffffffff057b178
r10 ffffffff82bd8bc3 db_onpanic+0x3
r11 10
r12 ffffbb816e6aa000
r13 ffffffff821cb540 __func__.16577+0x720
r14 ffffbb818c5f7300
r15 ffffbb816e699060
rip ffffffff8022094d breakpoint+0x5
cs 8
rflags 282
rsp ffffbb818c5f7270
ss 10
netbsd:breakpoint+0x5: leave
PID LID S CPU FLAGS STRUCT LWP * NAME WAIT
1568 1568 2 1 0 ffffbb8012a04680 syz-executor.2
1338 1338 2 0 0 ffffbb8012bf8a00 syz-executor.0
2404 2343 3 0 80 ffffbb8012c2e640 syz-executor.3 parked
2404 >1354 7 0 0 ffffbb80144eb4c0 syz-executor.3
2404 2404 2 0 10040000 ffffbb8012bf8180 syz-executor.3
1328 1369 3 1 80 ffffbb8012c5a280 syz-executor.5 parked
1328 1490 2 1 0 ffffbb8012ba1500 syz-executor.5
1328 1328 2 1 10040000 ffffbb8012a04240 syz-executor.5
1953 1953 3 0 80 ffffbb8014419240 syz-executor.0 parked
1473 1473 3 0 40080 ffffbb80143fe640 syz-executor.0 parked
806 806 3 1 40080 ffffbb8014419ac0 syz-executor.0 parked
2268 2268 3 0 80 ffffbb80144eb080 syz-executor.0 parked
1364 1364 3 0 40080 ffffbb80144d7480 syz-executor.2 parked
1227 1227 3 1 80 ffffbb8012a04ac0 syz-executor.3 parked
543 543 3 1 80 ffffbb801386b740 syz-executor.5 parked
1197 1197 3 0 80 ffffbb801384d240 syz-executor.5 parked
1086 1086 3 0 80 ffffbb8012cb0940 syz-executor.5 parked
1084 1084 3 0 80 ffffbb80137cd580 syz-executor.5 parked
1246 1246 3 0 80 ffffbb8012d84b80 syz-executor.5 parked
1698 1698 3 0 80 ffffbb80142d45c0 syz-executor.5 nanoslp
815 815 3 0 80 ffffbb80142d4180 syz-executor.3 nanoslp
829 829 3 0 80 ffffbb80142979c0 syz-executor.4 nanoslp
824 > 824 7 1 40 ffffbb8014297140 syz-executor.1
814 814 3 0 80 ffffbb8014277980 syz-executor.2 nanoslp
811 811 3 0 80 ffffbb8014277100 syz-executor.0 nanoslp
855 1531 3 0 80 ffffbb8014297580 syz-fuzzer parked
855 695 3 1 80 ffffbb8014277540 syz-fuzzer parked
855 853 2 1 0 ffffbb8012b36780 syz-fuzzer
855 1211 3 0 80 ffffbb8014130500 syz-fuzzer kqueue
855 810 3 1 80 ffffbb80141300c0 syz-fuzzer parked
855 706 3 1 80 ffffbb8013841a80 syz-fuzzer parked
855 1895 3 0 80 ffffbb8013841640 syz-fuzzer parked
855 809 3 0 80 ffffbb8013841200 syz-fuzzer parked
855 808 3 0 80 ffffbb80137e25c0 syz-fuzzer nanoslp
855 855 3 0 80 ffffbb8012a93740 syz-fuzzer parked
1315 1315 3 1 80 ffffbb8012b36340 sshd select
858 858 3 0 80 ffffbb8012747740 getty nanoslp
719 719 3 0 80 ffffbb8012747300 getty nanoslp
851 851 3 1 80 ffffbb80138ba080 getty nanoslp
1505 1505 3 0 c0 ffffbb80129ce640 getty ttyraw
576 576 3 1 80 ffffbb80137c2100 sshd select
592 592 3 1 80 ffffbb8012d2c680 powerd kqueue
435 435 3 1 80 ffffbb8013857b00 syslogd kqueue
308 308 3 0 80 ffffbb8012c43ac0 dhcpcd kqueue
310 310 3 1 80 ffffbb8012c85340 dhcpcd kqueue
306 306 3 1 80 ffffbb8012c43240 dhcpcd kqueue
349 349 3 0 80 ffffbb8012c43680 dhcpcd kqueue
204 204 3 1 80 ffffbb80136e9bc0 dhcpcd kqueue
200 200 3 0 80 ffffbb8012d84740 dhcpcd kqueue
199 199 3 1 80 ffffbb8012d84300 dhcpcd kqueue
198 198 3 1 80 ffffbb8012d64b40 dhcpcd kqueue
1 1 3 0 80 ffffbb80128e8980 init wait
0 1123 3 0 200 ffffbb80129655c0 physiod physiod
0 63 3 0 200 ffffbb8012967600 pooldrain pooldrain
0 126 3 0 200 ffffbb80129671c0 ioflush syncer
0 125 3 1 200 ffffbb8012965a00 pgdaemon pgdaemon
0 122 3 1 200 ffffbb80128fe9c0 usb0 usbevt
0 121 3 1 200 ffffbb80128fe580 usbtask-dr usbtsk
0 120 3 0 200 ffffbb800fe5cac0 usbtask-hc usbtsk
0 119 3 0 200 ffffbb80128fe140 npfgc0 npfgcw
0 118 3 1 200 ffffbb80128e8540 rt_free rt_free
0 117 3 1 200 ffffbb80128e8100 unpgc unpgc
0 116 3 0 200 ffffbb80128df940 key_timehandler key_timehandler
0 115 3 1 200 ffffbb80128df500 icmp6_wqinput/1 icmp6_wqinput
0 114 3 0 200 ffffbb80128df0c0 icmp6_wqinput/0 icmp6_wqinput
0 113 3 0 200 ffffbb80128d6900 nd6_timer nd6_timer
0 112 3 1 200 ffffbb80128d64c0 carp6_wqinput/1 carp6_wqinput
0 111 3 0 200 ffffbb80128d6080 carp6_wqinput/0 carp6_wqinput
0 110 3 1 200 ffffbb80127598c0 carp_wqinput/1 carp_wqinput
0 109 3 0 200 ffffbb8012759480 carp_wqinput/0 carp_wqinput
0 108 3 1 200 ffffbb8012759040 icmp_wqinput/1 icmp_wqinput
0 107 3 0 200 ffffbb8012748bc0 icmp_wqinput/0 icmp_wqinput
0 106 3 0 200 ffffbb8012748340 rt_timer rt_timer
0 105 3 1 200 ffffbb8012748780 vmem_rehash vmem_rehash
0 104 3 0 200 ffffbb8012744b40 entbutler entropy
0 30 3 1 200 ffffbb80121626c0 vioif0_txrx/1 vioif0_txrx
0 29 3 0 200 ffffbb8012162280 vioif0_txrx/0 vioif0_txrx
0 27 3 0 200 ffffbb800fe5c680 scsibus0 sccomp
0 26 3 0 200 ffffbb800fe5c240 pms0 pmsreset
0 25 3 1 200 ffffbb800fd9da80 xcall/1 xcall
0 24 1 1 200 ffffbb800fd9d640 softser/1
0 23 1 1 200 ffffbb800fd9d200 softclk/1
0 22 1 1 200 ffffbb800fd9ba40 softbio/1
0 21 1 1 200 ffffbb800fd9b600 softnet/1
0 20 1 1 201 ffffbb800fd9b1c0 idle/1
0 19 3 0 200 ffffbb800e80aa00 lnxpwrwq lnxpwrwq
0 18 3 0 200 ffffbb800e80a5c0 lnxlngwq lnxlngwq
0 17 3 0 200 ffffbb800e80a180 lnxsyswq lnxsyswq
0 16 3 0 200 ffffbb800e8049c0 lnxrcugc lnxrcugc
0 15 3 0 200 ffffbb800e804580 sysmon smtaskq
0 14 3 0 200 ffffbb800e804140 pmfsuspend pmfsuspend
0 13 3 0 200 ffffbb800e7ff980 pmfevent pmfevent
0 12 3 0 200 ffffbb800e7ff540 sopendfree sopendfr
0 11 3 0 200 ffffbb800e7ff100 iflnkst iflnkst
0 10 3 0 200 ffffbb800e7f3940 nfssilly nfssilly
0 9 3 0 200 ffffbb800e7f3500 vdrain vdrain
0 8 3 0 200 ffffbb800e7f30c0 modunload mod_unld
0 7 3 0 200 ffffbb800e7e6900 xcall/0 xcall
0 6 1 0 200 ffffbb800e7e64c0 softser/0
0 5 1 0 200 ffffbb800e7e6080 softclk/0
0 4 1 0 200 ffffbb800e7e48c0 softbio/0
0 3 1 0 200 ffffbb800e7e4480 softnet/0
0 2 1 0 201 ffffbb800e7e4040 idle/0
0 0 3 1 200 ffffffff82ca4080 swapper uvm
[Locks tracked through LWPs]
****** LWP 2404.1354 (syz-executor.3) @ 0xffffbb80144eb4c0, l_stat=7
*** Locks held:
* Lock 0 (initialized at soinit)
lock address : 0xffffbb800e733080 type : sleep/adaptive
initialized : 0xffffffff817d6a47
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffffbb80144eb4c0 last held: 0xffffbb80144eb4c0
last locked* : 0xffffffff817d5c6c unlocked : 0xffffffff817d5cec
owner field : 0xffffbb80144eb4c0 wait/spin: 0/0
Turnstile: no active turnstile for this lock.
*** Locks wanted: none
****** LWP 1328.1490 (syz-executor.5) @ 0xffffbb8012ba1500, l_stat=2
*** Locks held:
* Lock 0 (initialized at filedesc_ctor)
lock address : 0xffffbb801450f680 type : sleep/adaptive
initialized : 0xffffffff81699b11
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffbb8012ba1500 last held: 0xffffbb8012ba1500
last locked* : 0xffffffff8169c5e4 unlocked : 0xffffffff8169cd9d
owner field : 0xffffbb8012ba1500 wait/spin: 0/0
Turnstile: no active turnstile for this lock.
*** Locks wanted: none
****** LWP 824.824 (syz-executor.1) @ 0xffffbb8014297140, l_stat=7
*** Locks held:
* Lock 0 (initialized at vcache_alloc)
lock address : 0xffffbb801429de80 type : sleep/adaptive
initialized : 0xffffffff81827c83
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffbb8014297140 last held: 0xffffbb8014297140
last locked* : 0xffffffff81856a7f unlocked : 0xffffffff81856ae1
owner/count : 0xffffbb8014297140 flags : 0x0000000000000004
Turnstile: no active turnstile for this lock.
* Lock 1 (initialized at vcache_alloc)
lock address : 0xffffbb8012955280 type : sleep/adaptive
initialized : 0xffffffff81827c83
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffbb8014297140 last held: 0xffffbb8014297140
last locked* : 0xffffffff81856a7f unlocked : 0xffffffff81856ae1
[ 66.1525171] Skipping crash dump on recursive panic
[ 66.1525171] panic: ASan: Unauthorized Access In 0xffffffff816f2f20: Addr 0xffffbb8012955280 [8 bytes, read, PoolUseAfterFree]
[ 66.1525171] cpu0: Begin traceback...
[ 66.1525171] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
[ 66.1525171] snprintf() at netbsd:snprintf
[ 66.1525171] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline]
[ 66.1525171] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197
[ 66.1525171] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline]
[ 66.1525171] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline]
[ 66.1525171] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline]
[ 66.1525171] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210
[ 66.1525171] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:186
[ 66.1525171] lockdebug_dump() at netbsd:lockdebug_dump+0x205 sys/kern/subr_lockdebug.c:759
[ 66.1525171] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb7 sys/kern/subr_lockdebug.c:839
[ 66.1525171] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26a lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:877 [inline]
[ 66.1525171] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26a sys/kern/subr_lockdebug.c:941
[ 66.1525171] db_command() at netbsd:db_command+0x2ad sys/ddb/db_command.c:942
[ 66.1525171] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:439 [inline]
[ 66.1525171] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:589
[ 66.1525171] db_trap() at netbsd:db_trap+0x206 sys/ddb/db_trap.c:94
[ 66.1525171] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:248
[ 66.1525171] trap() at netbsd:trap+0x579 sys/arch/amd64/amd64/trap.c:315
[ 66.1525171] --- trap (number 1) ---
[ 66.1525171] breakpoint() at netbsd:breakpoint+0x5
[ 66.1525171] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67
[ 66.1525171] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
[ 66.1525171] snprintf() at netbsd:snprintf
[ 66.1525171] tcp_output() at netbsd:tcp_output+0x5527 sys/netinet/tcp_output.c:1261
[ 66.1525171] tcp_sendoob_wrapper() at netbsd:tcp_sendoob_wrapper+0x249 tcp_sendoob sys/netinet/tcp_usrreq.c:1178 [inline]
[ 66.1525171] tcp_sendoob_wrapper() at netbsd:tcp_sendoob_wrapper+0x249 sys/netinet/tcp_usrreq.c:2450
[ 66.1525171] sosend() at netbsd:sosend+0x8c4 sys/kern/uipc_socket.c:1056
[ 66.1525171] do_sys_sendmsg_so() at netbsd:do_sys_sendmsg_so+0x527 sys/kern/uipc_syscalls.c:629
[ 66.1525171] do_sys_sendmsg() at netbsd:do_sys_sendmsg+0x15a sys/kern/uipc_syscalls.c:679
[ 66.1525171] sys_sendmsg() at netbsd:sys_sendmsg+0x117 sys/kern/uipc_syscalls.c:533
[ 66.1525171] sys___syscall() at netbsd:sys___syscall+0xde sy_call sys/sys/syscallvar.h:65 [inline]
[ 66.1525171] sys___syscall() at netbsd:sys___syscall+0xde sys/kern/sys_syscall.c:77
[ 66.1525171] syscall() at netbsd:syscall+0x553 sy_call sys/sys/syscallvar.h:65 [inline]
[ 66.1525171] syscall() at netbsd:syscall+0x553 sy_invoke sys/sys/syscallvar.h:94 [inline]
[ 66.1525171] syscall() at netbsd:syscall+0x553 sys/arch/x86/x86/syscall.c:138
[ 66.1525171] --- syscall (number 198) ---
[ 66.1525171] netbsd:syscall+0x553:
[ 66.1525171] cpu0: End traceback...
[ 66.1525171] fatal breakpoint trap in supervisor mode
[ 66.1525171] trap type 1 code 0 rip 0xffffffff8022094d cs 0x8 rflags 0x282 cr2 0x78fafb442000 ilevel 0x8 rsp 0xffffbb818c5f6810
[ 66.1525171] curlwp 0xffffbb80144eb4c0 pid 2404.1354 lowest kstack 0xffffbb818c5f02c0
Stopped in pid 2404.1354 (syz-executor.3) at netbsd:breakpoint+0x5: leave
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Jaromír Doleček
Jun 24, 2020, 2:26:52 PM6/24/20
to syzbot, syzkaller-...@googlegroups.com
#syz dup: ASan: Unauthorized Access in exit1
Le dim. 31 mai 2020 à 21:06, syzbot
<syzbot+f30ca5...@syzkaller.appspotmail.com> a écrit :
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-netbsd-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-netbsd...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-netbsd-bugs/0000000000005eee8e05a6f65f19%40google.com.
Le dim. 31 mai 2020 à 21:06, syzbot
<syzbot+f30ca5...@syzkaller.appspotmail.com> a écrit :
> You received this message because you are subscribed to the Google Groups "syzkaller-netbsd-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-netbsd...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-netbsd-bugs/0000000000005eee8e05a6f65f19%40google.com.
Maxime Villard
Jun 25, 2020, 2:32:49 AM6/25/20
to Jaromír Doleček, syzbot, syzkaller-...@googlegroups.com
"corrupted report" is a fallback report where all the bugs that couldn't be
parsed end up. Shouldn't be dup of anything, should just be closed until
another one is re-opened:
#syz undup
#syz invalid
parsed end up. Shouldn't be dup of anything, should just be closed until
another one is re-opened:
#syz undup
#syz invalid
syzbot
Sep 28, 2021, 5:07:13 PM9/28/21
to jaromir...@gmail.com, m...@m00nbsd.net, syzkaller-...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages