ASan: Unauthorized Access in ufs_rmdir


syzbot

Oct 1, 2023, 6:16:51 PM10/1/23
to syzkaller-...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 23ee83f7c0ae c.7: mention that C11 and C17 have been publi..
git tree: netbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=11072062680000
kernel config: https://syzkaller.appspot.com/x/.config?x=fab579639ba4bf0a
dashboard link: https://syzkaller.appspot.com/bug?extid=b8c4bd86b8f1fdc3605f
compiler: g++ (Debian 12.2.0-14) 12.2.0
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11ca8701680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/81063a77eb5b/disk-23ee83f7.raw.xz
netbsd.gdb: https://storage.googleapis.com/syzbot-assets/4a112bb444b0/netbsd-23ee83f7.gdb.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b8c4bd...@syzkaller.appspotmail.com

[ 73.2620970] panic: ASan: Unauthorized Access In 0xffffffff81a82f19: Addr 0xffffc28013f6f182 [2 bytes, read, PoolRedZone]

[ 73.2720958] cpu1: Begin traceback...
[ 73.2921150] vpanic() at netbsd:vpanic+0x282 sys/kern/subr_prf.c:292
[ 73.3620870] panic() at netbsd:panic+0x9e sys/kern/subr_prf.c:1088
[ 73.4220853] kasan_report() at netbsd:kasan_report+0x8f kasan_code_name sys/kern/subr_asan.c:169 [inline]
[ 73.4220853] kasan_report() at netbsd:kasan_report+0x8f sys/kern/subr_asan.c:201
[ 73.4720852] __asan_load2() at netbsd:__asan_load2+0x8c kasan_shadow_2byte_isvalid sys/kern/subr_asan.c:331 [inline]
[ 73.4720852] __asan_load2() at netbsd:__asan_load2+0x8c kasan_shadow_check sys/kern/subr_asan.c:415 [inline]
[ 73.4720852] __asan_load2() at netbsd:__asan_load2+0x8c sys/kern/subr_asan.c:1206
[ 73.5120848] ufs_rmdir() at netbsd:ufs_rmdir+0xc1 sys/ufs/ufs/ufs_vnops.c:1428
[ 73.5620853] VOP_RMDIR() at netbsd:VOP_RMDIR+0x173 sys/kern/vnode_if.c:1382
[ 73.6021031] union_rmdir() at netbsd:union_rmdir+0x15e sys/fs/union/union_vnops.c:1485
[ 73.6420842] VOP_RMDIR() at netbsd:VOP_RMDIR+0x173 sys/kern/vnode_if.c:1382
[ 73.6920846] do_sys_unlinkat() at netbsd:do_sys_unlinkat+0x64d sys/kern/vfs_syscalls.c:2890
[ 73.7420886] syscall() at netbsd:syscall+0x25a sy_call sys/sys/syscallvar.h:65 [inline]
[ 73.7420886] syscall() at netbsd:syscall+0x25a sy_invoke sys/sys/syscallvar.h:94 [inline]
[ 73.7420886] syscall() at netbsd:syscall+0x25a sys/arch/x86/x86/syscall.c:138
[ 73.7521133] --- syscall (number 137) ---
[ 73.7721031] netbsd:syscall+0x25a:
[ 73.7721031] cpu1: End traceback...
[ 73.7820894] fatal breakpoint trap in supervisor mode
[ 73.7820894] trap type 1 code 0 rip 0xffffffff8023241d cs 0x8 rflags 0x286 cr2 0x7f7fffd56fe0 ilevel 0 rsp 0xffffc282486c4960
[ 73.7920830] curlwp 0xffffc28012ad30c0 pid 2024.2024 lowest kstack 0xffffc282486bd2c0
Stopped in pid 2024.2024 (syz-executor.4) at netbsd:breakpoint+0x5: leave
?
breakpoint() at netbsd:breakpoint+0x5
db_panic() at netbsd:db_panic+0x105 sys/ddb/db_panic.c:69
vpanic() at netbsd:vpanic+0x282 sys/kern/subr_prf.c:292
panic() at netbsd:panic+0x9e sys/kern/subr_prf.c:1088
kasan_report() at netbsd:kasan_report+0x8f kasan_code_name sys/kern/subr_asan.c:169 [inline]
kasan_report() at netbsd:kasan_report+0x8f sys/kern/subr_asan.c:201
__asan_load2() at netbsd:__asan_load2+0x8c kasan_shadow_2byte_isvalid sys/kern/subr_asan.c:331 [inline]
__asan_load2() at netbsd:__asan_load2+0x8c kasan_shadow_check sys/kern/subr_asan.c:415 [inline]
__asan_load2() at netbsd:__asan_load2+0x8c sys/kern/subr_asan.c:1206
ufs_rmdir() at netbsd:ufs_rmdir+0xc1 sys/ufs/ufs/ufs_vnops.c:1428
VOP_RMDIR() at netbsd:VOP_RMDIR+0x173 sys/kern/vnode_if.c:1382
union_rmdir() at netbsd:union_rmdir+0x15e sys/fs/union/union_vnops.c:1485
VOP_RMDIR() at netbsd:VOP_RMDIR+0x173 sys/kern/vnode_if.c:1382
do_sys_unlinkat() at netbsd:do_sys_unlinkat+0x64d sys/kern/vfs_syscalls.c:2890
syscall() at netbsd:syscall+0x25a sy_call sys/sys/syscallvar.h:65 [inline]
syscall() at netbsd:syscall+0x25a sy_invoke sys/sys/syscallvar.h:94 [inline]
syscall() at netbsd:syscall+0x25a sys/arch/x86/x86/syscall.c:138
--- syscall (number 137) ---
netbsd:syscall+0x25a:
Panic string: ASan: Unauthorized Access In 0xffffffff81a82f19: Addr 0xffffc28013f6f182 [2 bytes, read, PoolRedZone]


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup