assert failed: size > 0

5 views

Skip to first unread message

syzbot

unread,

Jul 12, 2020, 9:45:16 AM7/12/20

to syzkaller-...@googlegroups.com

Hello,

syzbot found the following crash on:

HEAD commit: 35e7f6a3 Use symbolic constants for SR and CCR init values..
git tree: netbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=162b1263100000
kernel config: https://syzkaller.appspot.com/x/.config?x=1420f906d33d9f1f
dashboard link: https://syzkaller.appspot.com/bug?extid=49ffac4c5b65f2b481d6
compiler: g++ (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+49ffac...@syzkaller.appspotmail.com

./file0 � ./file0 � ./file0 � ./file0 � ./file0 � ./file0 � ./file0 � [ 133.6330440] panic: kernel diagnostic assertion "size > 0" failed: file "/syzkaller/managers/netbsd-kubsan/kernel/sys/uvm/uvm_map.c", line 1145
[ 133.6464316] cpu0: Begin traceback...
[ 133.6930153] vpanic() at netbsd:vpanic+0x2d3 sys/kern/subr_prf.c:290
[ 133.8230167] db_print_address.cold.0() at netbsd:db_print_address.cold.0
[ 133.9630151] uvm_map_prepare() at netbsd:uvm_map_prepare+0x66a sys/uvm/uvm_map.c:1145
[ 134.0930182] uvm_map() at netbsd:uvm_map+0xd2 sys/uvm/uvm_map.c:1096
[ 134.2130218] uvm_km_alloc() at netbsd:uvm_km_alloc+0x1a7 sys/uvm/uvm_km.c:629
[ 134.3330184] vmapbuf() at netbsd:vmapbuf+0x106 sys/arch/x86/x86/vm_machdep.c:304
[ 134.4530167] physio() at netbsd:physio+0x79a sys/kern/kern_physio.c:362
[ 134.5830167] cdev_write() at netbsd:cdev_write+0x147 sys/kern/subr_devsw.c:919
[ 134.7130150] spec_write() at netbsd:spec_write+0x26c sys/miscfs/specfs/spec_vnops.c:778
[ 134.8330172] VOP_WRITE() at netbsd:VOP_WRITE+0x138 sys/kern/vnode_if.c:540
[ 134.9730180] vn_write() at netbsd:vn_write+0x308 sys/kern/vfs_vnops.c:612
[ 135.1130166] do_filewritev.part.1() at netbsd:do_filewritev.part.1+0x4a0
[ 135.2430144] sys_writev() at netbsd:sys_writev+0x5e do_filewritev sys/kern/sys_generic.c:381 [inline]
[ 135.2430144] sys_writev() at netbsd:sys_writev+0x5e sys/kern/sys_generic.c:381
[ 135.3630144] sys___syscall() at netbsd:sys___syscall+0x1cf sy_call sys/sys/syscallvar.h:66 [inline]
[ 135.3630144] sys___syscall() at netbsd:sys___syscall+0x1cf sys/kern/sys_syscall.c:77
[ 135.5030172] syscall() at netbsd:syscall+0x2d5 sy_call sys/sys/syscallvar.h:65 [inline]
[ 135.5030172] syscall() at netbsd:syscall+0x2d5 sy_invoke sys/sys/syscallvar.h:94 [inline]
[ 135.5030172] syscall() at netbsd:syscall+0x2d5 sys/arch/x86/x86/syscall.c:138
[ 135.5230162] --- syscall (number 198) ---
[ 135.5630157] netbsd:syscall+0x2d5:
[ 135.5739451] cpu0: End traceback...
[ 135.5739451] fatal breakpoint trap in supervisor mode
[ 135.5832439] trap type 1 code 0 rip 0xffffffff80221a85 cs 0x8 rflags 0x246 cr2 0x7ecbc127cc50 ilevel 0 rsp 0xffffb080cb47b880
[ 135.5946123] curlwp 0xffff89503c841a80 pid 6341.7225 lowest kstack 0xffffb080cb4772c0
Stopped in pid 6341.7225 (syz-executor.1) at netbsd:breakpoint+0x5: leave
?
breakpoint() at netbsd:breakpoint+0x5
db_panic() at netbsd:db_panic+0xec sys/ddb/db_panic.c:67
vpanic() at netbsd:vpanic+0x2d3 sys/kern/subr_prf.c:290
db_print_address.cold.0() at netbsd:db_print_address.cold.0
uvm_map_prepare() at netbsd:uvm_map_prepare+0x66a sys/uvm/uvm_map.c:1145
uvm_map() at netbsd:uvm_map+0xd2 sys/uvm/uvm_map.c:1096
uvm_km_alloc() at netbsd:uvm_km_alloc+0x1a7 sys/uvm/uvm_km.c:629
vmapbuf() at netbsd:vmapbuf+0x106 sys/arch/x86/x86/vm_machdep.c:304
physio() at netbsd:physio+0x79a sys/kern/kern_physio.c:362
cdev_write() at netbsd:cdev_write+0x147 sys/kern/subr_devsw.c:919
spec_write() at netbsd:spec_write+0x26c sys/miscfs/specfs/spec_vnops.c:778
VOP_WRITE() at netbsd:VOP_WRITE+0x138 sys/kern/vnode_if.c:540
vn_write() at netbsd:vn_write+0x308 sys/kern/vfs_vnops.c:612
do_filewritev.part.1() at netbsd:do_filewritev.part.1+0x4a0
sys_writev() at netbsd:sys_writev+0x5e do_filewritev sys/kern/sys_generic.c:381 [inline]
sys_writev() at netbsd:sys_writev+0x5e sys/kern/sys_generic.c:381
sys___syscall() at netbsd:sys___syscall+0x1cf sy_call sys/sys/syscallvar.h:66 [inline]
sys___syscall() at netbsd:sys___syscall+0x1cf sys/kern/sys_syscall.c:77
syscall() at netbsd:syscall+0x2d5 sy_call sys/sys/syscallvar.h:65 [inline]
syscall() at netbsd:syscall+0x2d5 sy_invoke sys/sys/syscallvar.h:94 [inline]
syscall() at netbsd:syscall+0x2d5 sys/arch/x86/x86/syscall.c:138
--- syscall (number 198) ---
netbsd:syscall+0x2d5:
Panic string: kernel diagnostic assertion "size > 0" failed: file "/syzkaller/managers/netbsd-kubsan/kernel/sys/uvm/uvm_map.c", line 1145
PID LID S CPU FLAGS STRUCT LWP * NAME WAIT
6952 7369 2 0 0 ffff89503d1cc300 syz-executor.3
6952 7495 2 0 0 ffff89502d26a340 syz-executor.3
6952 6952 2 1 10000000 ffff89503b7060c0 syz-executor.3
7210 6963 2 0 0 ffff89503cdeb340 syz-executor.4
7210 7210 2 0 10000000 ffff89502d0a92c0 syz-executor.4
7505 6979 2 0 0 ffff89503d5718c0 syz-executor.2
7505 7505 2 1 10000000 ffff89503ce9cb40 syz-executor.2
6341 >7225 7 0 0 ffff89503c841a80 syz-executor.1
6341 6341 2 0 10000000 ffff89503d2cf080 syz-executor.1
6470 7139 2 0 0 ffff89502ce3a6c0 syz-executor.0
6470 6470 2 0 10000000 ffff89502dc048c0 syz-executor.0
7355 7127 2 0 0 ffff89503b706500 syz-executor.5
7355 7355 2 0 10000000 ffff89502dcbc080 syz-executor.5
418 418 2 1 40 ffff89502dddc500 syz-executor.4
1077 1077 2 1 40 ffff895030fe8a40 syz-executor.5
1082 1082 2 0 40 ffff895030fe8600 syz-executor.1
1078 1078 2 1 40 ffff895030fe81c0 syz-executor.3
1067 1067 2 0 40 ffff89502daaf980 syz-executor.2
1092 1092 2 0 40 ffff89502ce3a280 syz-executor.0
1254 1100 3 1 80 ffff89502f7b05c0 syz-fuzzer parked
1254 1076 3 0 c0 ffff89502f7b0a00 syz-fuzzer parked
1254 1068 3 1 80 ffff89502daaf540 syz-fuzzer parked
1254 1253 3 1 80 ffff89502dddc940 syz-fuzzer parked
1254 1070 3 1 80 ffff8950244102c0 syz-fuzzer parked
1254 1250 2 0 40 ffff89502c662600 syz-fuzzer
1254 1065 2 0 40 ffff89502f698580 syz-fuzzer
1254 1254 3 0 80 ffff89502f7b0180 syz-fuzzer parked
1249 1249 3 0 80 ffff89502f6989c0 sshd select
1127 1127 3 1 80 ffff89502f698140 getty nanoslp
1096 1096 3 0 80 ffff89502ca81240 getty nanoslp
1110 1110 3 1 80 ffff89502ca81680 getty nanoslp
722 722 3 0 c0 ffff89502c69ea80 getty ttyraw
941 941 3 1 80 ffff89502dddc0c0 sshd select
853 853 3 0 80 ffff89502daaf100 powerd kqueue
734 734 3 1 80 ffff89502d26abc0 syslogd kqueue
592 592 3 0 80 ffff89502dc04040 dhcpcd poll
590 590 3 1 80 ffff89502d0a9b40 dhcpcd poll
589 589 3 1 80 ffff89502cc74300 dhcpcd poll
545 545 3 1 80 ffff89502d26a780 dhcpcd poll
347 347 3 0 80 ffff89502cc74b80 dhcpcd poll
346 346 3 0 80 ffff89502cc74740 dhcpcd poll
345 345 3 0 80 ffff89502d0a9700 dhcpcd poll
1 1 3 0 80 ffff8950244b9940 init wait
0 1216 3 0 200 ffff89503c6e5240 acctwatch actwat
0 815 3 0 200 ffff89502c662a40 physiod physiod
0 165 2 1 240 ffff89502c69e640 ioflush
0 164 3 0 200 ffff895024410700 pooldrain pooldrain
0 163 3 1 240 ffff89502c69e200 pgdaemon pgdaemon
0 160 3 0 200 ffff89502c6621c0 usb7 usbevt
0 31 3 0 200 ffff8950295f5a00 usb6 usbevt
0 63 2 1 240 ffff8950295f55c0 usb5
0 126 3 0 200 ffff8950295f5180 usb4 usbevt
0 125 3 0 200 ffff8950265909c0 usb3 usbevt
0 124 3 0 200 ffff895026590580 usb2 usbevt
0 123 3 1 200 ffff895026590140 usb1 usbevt
0 122 3 1 200 ffff895025541980 usb0 usbevt
0 121 3 1 200 ffff895025541540 usbtask-dr usbtsk
0 120 3 1 200 ffff895025541100 usbtask-hc usbtsk
0 119 3 1 200 ffff895021922ac0 npfgc0 npfgcw
0 118 3 1 200 ffff8950244b9500 rt_free rt_free
0 117 3 1 200 ffff8950244b90c0 unpgc unpgc
0 116 2 0 200 ffff8950244ac900 key_timehandler
0 115 3 1 200 ffff8950244ac4c0 icmp6_wqinput/1 icmp6_wqinput
0 114 3 0 200 ffff8950244ac080 icmp6_wqinput/0 icmp6_wqinput
0 113 2 0 200 ffff89502447f8c0 nd6_timer
0 112 3 1 200 ffff89502447f480 carp6_wqinput/1 carp6_wqinput
0 111 3 0 200 ffff89502447f040 carp6_wqinput/0 carp6_wqinput
0 110 3 1 200 ffff895024462bc0 carp_wqinput/1 carp_wqinput
0 109 3 0 200 ffff895024462780 carp_wqinput/0 carp_wqinput
0 108 3 1 200 ffff895024462340 icmp_wqinput/1 icmp_wqinput
0 107 3 0 200 ffff895024419b80 icmp_wqinput/0 icmp_wqinput
0 106 2 0 200 ffff895024419740 rt_timer
0 105 3 0 200 ffff895024419300 vmem_rehash vmem_rehash
0 104 3 0 200 ffff895024410b40 entbutler entropy
0 30 3 1 200 ffff895023d906c0 vioif0_txrx/1 vioif0_txrx
0 29 3 0 200 ffff895023d90280 vioif0_txrx/0 vioif0_txrx
0 27 3 0 200 ffff895021922680 scsibus0 sccomp
0 26 3 0 200 ffff895021922240 pms0 pmsreset
0 25 3 1 200 ffff89502187ca80 xcall/1 xcall
0 24 1 1 200 ffff89502187c640 softser/1
0 23 1 1 200 ffff89502187c200 softclk/1
0 22 1 1 200 ffff895021847a40 softbio/1
0 21 1 1 200 ffff895021847600 softnet/1
0 20 1 1 201 ffff8950218471c0 idle/1
0 19 3 0 200 ffff89513178ba00 lnxpwrwq lnxpwrwq
0 18 3 0 200 ffff89513178b5c0 lnxlngwq lnxlngwq
0 17 3 0 200 ffff89513178b180 lnxsyswq lnxsyswq
0 16 3 0 200 ffff8951317a49c0 lnxrcugc lnxrcugc
0 15 3 0 200 ffff8951317a4580 sysmon smtaskq
0 14 3 0 200 ffff8951317a4140 pmfsuspend pmfsuspend
0 13 3 0 200 ffff8951317b5980 pmfevent pmfevent
0 12 3 0 200 ffff8951317b5540 sopendfree sopendfr
0 11 3 0 200 ffff8951317b5100 iflnkst iflnkst
0 10 3 0 200 ffff8951327e0940 nfssilly nfssilly
0 9 3 0 200 ffff8951327e0500 vdrain vdrain
0 8 3 0 200 ffff8951327e00c0 modunload mod_unld
0 7 3 0 200 ffff89513280f900 xcall/0 xcall
0 6 1 0 200 ffff89513280f4c0 softser/0
0 5 1 0 200 ffff89513280f080 softclk/0
0 4 1 0 200 ffff8951328398c0 softbio/0
0 3 1 0 200 ffff895132839480 softnet/0
0 2 1 0 201 ffff895132839040 idle/0
0 > 0 7 1 240 ffffffff85eed080 swapper
[Locks tracked through LWPs]

****** LWP 6952.6952 (syz-executor.3) @ 0xffff89503b7060c0, l_stat=2

*** Locks held:

* Lock 0 (initialized at amap_alloc1)
lock address : 0xffff89502c9eb7c0 type : sleep/adaptive
initialized : 0xffffffff830cfdfc
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffff89503b7060c0 last held: 0xffff89503b7060c0
last locked* : 0xffffffff830f350c unlocked : 0xffffffff830efa48
owner/count : 000000000000000000 flags : 000000000000000000
Turnstile: no active turnstile for this lock.

*** Locks wanted:

* Lock 0 (initialized at pmap_ctor)
lock address : 0xffff89503baabb80 type : sleep/adaptive
initialized : 0xffffffff80f822a3
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 1
relevant cpu : 1 last held: 1
relevant lwp : 0xffff89503b7060c0 last held: 000000000000000000
last locked : 0xffffffff80f81ea5 unlocked*: 0xffffffff80f81fe4
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

****** LWP 7355.7127 (syz-executor.5) @ 0xffff89503b706500, l_stat=2

*** Locks held:

* Lock 0 (initialized at vcache_alloc)
lock address : 0xffff89503d40a540 type : sleep/adaptive
initialized : 0xffffffff834d0b5e
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffff89503b706500 last held: 0xffff89503b706500
last locked* : 0xffffffff8352aca1 unlocked : 0xffffffff8352aa38
owner/count : 0xffff89503b706500 flags : 0x0000000000000004
Turnstile: no active turnstile for this lock.

* Lock 1 (initialized at vcache_alloc)
lock address : 0xffff89503c494c40 type : sleep/adaptive
initialized : 0xffffffff834d0b5e
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffff89503b706500 last held: 0xffff89503b706500
last locked* : 0xffffffff8352aca1 unlocked : 000000000000000000
owner/count : 0xffff89503b706500 flags : 0x0000000000000004
Turnstile: no active turnstile for this lock.

*** Locks wanted: none

****** LWP 590.590 (dhcpcd) @ 0xffff89502d0a9b40, l_stat=3

*** Locks held: none

*** Locks wanted:

* Lock 0 (initialized at module_hook_init)
lock address : 0xffffffff862eb480 type : sleep/adaptive
initialized : 0xffffffff8321b1f0
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 0
relevant lwp : 0xffff89502d0a9b40 last held: 000000000000000000
last locked : 000000000000000000 unlocked*: 000000000000000000
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

****** LWP 589.589 (dhcpcd) @ 0xffff89502cc74300, l_stat=3

*** Locks held: none

*** Locks wanted:

* Lock 0 (initialized at module_hook_init)
lock address : 0xffffffff862eb480 type : sleep/adaptive
initialized : 0xffffffff8321b1f0
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 0
relevant lwp : 0xffff89502cc74300 last held: 000000000000000000
last locked : 000000000000000000 unlocked*: 000000000000000000
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

****** LWP 346.346 (dhcpcd) @ 0xffff89502cc74740, l_stat=3

*** Locks held: none

*** Locks wanted:

* Lock 0 (initialized at module_hook_init)
lock address : 0xffffffff862eb480 type : sleep/adaptive
initialized : 0xffffffff8321b1f0
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffff89502cc74740 last held: 000000000000000000
last locked : 000000000000000000 unlocked*: 000000000000000000
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

****** LWP 345.345 (dhcpcd) @ 0xffff89502d0a9700, l_stat=3

*** Locks held: none

*** Locks wanted:

* Lock 0 (initialized at module_hook_init)
lock address : 0xffffffff862eb480 type : sleep/adaptive
initialized : 0xffffffff8321b1f0
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffff89502d0a9700 last held: 000000000000000000
last locked : 000000000000000000 unlocked*: 000000000000000000
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

****** LWP 0.11 (iflnkst) @ 0xffff8951317b5100, l_stat=3

*** Locks held: none

*** Locks wanted:

* Lock 0 (initialized at module_hook_init)
lock address : 0xffffffff862eb480 type : sleep/adaptive
initialized : 0xffffffff8321b1f0
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffff8951317b5100 last held: 000000000000000000
last locked : 000000000000000000 unlocked*: 000000000000000000
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

****** LWP 0.5 (softclk/0) @ 0xffff89513280f080, l_stat=1

*** Locks held: none

*** Locks wanted:

* Lock 0 (initialized at module_hook_init)
lock address : 0xffffffff862eb480 type : sleep/adaptive
initialized : 0xffffffff8321b1f0
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffff89513280f080 last held: 000000000000000000
last locked : 000000000000000000 unlocked*: 000000000000000000
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

[Locks tracked through CPUs]

******* Locks held on cpu0:

* Lock 0 (initialized at main)
lock address : 0xffffffff862eb380 type : spin
initialized : 0xffffffff839f6bcd
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffff89503c841a80 last held: 0xffff89503c841a80
last locked* : 0xffffffff832fd1b2 unlocked : 0xffffffff831c8927
curcpu holds : 1 wanted by: 000000000000000000

PAGE FLAG PQ UOBJECT UANON
0xffffb08000006180 0045 00000000 0x0 0x0
0xffffb08000006200 0045 00000000 0x0 0x0
0xffffb08000006280 0045 00000000 0x0 0x0
0xffffb08000006300 0045 00000000 0x0 0x0
0xffffb08000006380 0045 00000000 0x0 0x0
0xffffb08000006400 0045 00000000 0x0 0x0
0xffffb08000006480 0045 00000000 0x0 0x0
0xffffb08000006500 0045 00000000 0x0 0x0
0xffffb08000006580 0041 00000000 0x0 0x0
0xffffb08000006600 0041 00000000 0x0 0x0
0xffffb08000006680 0041 00000000 0x0 0x0
0xffffb08000006700 0041 00000000 0x0 0x0
0xffffb08000006780 0041 00000000 0x0 0x0
0xffffb08000006800 0041 00000000 0x0 0x0
0xffffb08000006880 0041 00000000 0x0 0x0
0xffffb08000006900 0041 00000000 0x0 0x0
0xffffb08000006980 0041 00000000 0x0 0x0
0xffffb08000006a00 0041 00000000 0x0 0x0
0xffffb08000006a80 0041 00000000 0x0 0x0
0xffffb08000006b00 0041 00000000 0x0 0x0
0xffffb08000006b80 0041 00000000 0x0 0x0
0xffffb08000006c00 0041 00000000 0x0 0x0
0xffffb08000006c80 0041 00000000 0x0 0x0
0xffffb08000006d00 0041 00000000 0x0 0x0
0xffffb08000006d80 0041 00000000 0x0 0x0
0xffffb08000006e00 0041 00000000 0x0 0x0
0xffffb08000006e80 0041 00000000 0x0 0x0
0xffffb08000006f00 0041 00000000 0x0 0x0
0xffffb08000006f80 0041 00000000 0x0 0x0
0xffffb08000007000 0041 00000000 0x0 0x0
0xffffb08000007080 0041 00000000 0x0 0x0
0xffffb08000007100 0041 00000000 0x0 0x0
0xffffb08000007180 0041 00000000 0x0 0x0
0xffffb08000007200 0045 00000000 0x0 0x0
0xffffb08000007280 0041 00000000 0x0 0x0
0xffffb08000007300 0041 00000000 0x0 0x0
0xffffb08000007380 0041 00000000 0x0 0x0
0xffffb08000007400 0041 00000000 0x0 0x0
0xffffb08000007480 0041 00000000 0x0 0x0
0xffffb08000007500 0041 00000000 0x0 0x0
0xffffb08000007580 0041 00000000 0x0 0x0
0xffffb08000007600 0041 00000000 0x0 0x0
0xffffb08000007680 0045 00000000 0x0 0x0
0xffffb08000007700 0041 00000000 0x0 0x0
0xffffb08000007780 0041 00000000 0x0 0x0
0xffffb08000007800 0041 00000000 0x0 0x0
0xffffb08000007880 0041 00000000 0x0 0x0
0xffffb08000007900 0041 00000000 0x0 0x0
0xffffb08000007980 0041 00000000 0x0 0x0
0xffffb08000007a00 0041 00000000 0x0 0x0
0xffffb08000007a80 0041 00000000 0x0 0x0
0xffffb08000007b00 0045 00000000 0x0 0x0
0xffffb08000007b80 0041 00000000 0x0 0x0
0xffffb08000007c00 0041 00000000 0x0 0x0
0xffffb08000007c80 0041 00000000 0x0 0x0
0xffffb08000007d00 0041 00000000 0x0 0x0
0xffffb08000007d80 0041 00000000 0x0 0x0
0xffffb08000007e00 0041 00000000 0x0 0x0
0xffffb08000007e80 0041 00000000 0x0 0x0
0xffffb08000007f00 0041 00000000 0x0 0x0
0xffffb08000007f80 0041 00000000 0x0 0x0
0xffffb08000008000 0041 00000000 0x0 0x0
0xffffb08000008080 0041 00000000 0x0 0x0
0xffffb08000008100 0041 00000000 0x0 0x0
0xffffb08000008180 0041 00000000 0x0 0x0
0xffffb08000008200 0041 00000000 0x0 0x0
0xffffb08000008280 0041 00000000 0x0 0x0
0xffffb08000008300 0041 00000000 0x0 0x0
0xffffb08000008380 0041 00000000 0x0 0x0
0xffffb08000008400 0041 00000000 0x0 0x0
0xffffb08000008480 0041 00000000 0x0 0x0
0xffffb08000008500 0041 00000000 0x0 0x0
0xffffb08000008580 0045 00000000 0x0 0x0
0xffffb08000008600 0041 00000000 0x0 0x0
0xffffb08000008680 0041 00000000 0x0 0x0
0xffffb08000008700 0041 00000000 0x0 0x0
0xffffb08000008780 0041 00000000 0x0 0x0
0xffffb08000008800 0041 00000000 0x0 0x0
0xffffb08000008880 0041 00000000 0x0 0x0
0xffffb08000008900 0041 00000000 0x0 0x0
0xffffb08000008980 0041 00000000 0x0 0x0
0xffffb08000008a00 0041 00000000 0x0 0x0
0xffffb08000008a80 0041 00000000 0x0 0x0
0xffffb08000008b00 0041 00000000 0x0 0x0
0xffffb08000008b80 0041 00000000 0x0 0x0
0xffffb08000008c00 0041 00000000 0x0 0x0
0xffffb08000008c80 0041 00000000

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

unread,

Jul 12, 2020, 9:58:18 AM7/12/20

to syzkaller-...@googlegroups.com

syzbot has found a reproducer for the following crash on:

HEAD commit: 35e7f6a3 Use symbolic constants for SR and CCR init values..
git tree: netbsd

console output: https://syzkaller.appspot.com/x/log.txt?x=17146efb100000

kernel config: https://syzkaller.appspot.com/x/.config?x=1420f906d33d9f1f
dashboard link: https://syzkaller.appspot.com/bug?extid=49ffac4c5b65f2b481d6
compiler: g++ (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10b89ddb100000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1679f08b100000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+49ffac...@syzkaller.appspotmail.com

[ 46.1245235] panic: kernel diagnostic assertion "size > 0" failed: file "/syzkaller/managers/netbsd-kubsan/kernel/sys/uvm/uvm_map.c", line 1145
[ 46.1444974] cpu1: Begin traceback...
[ 46.1744999] vpanic() at netbsd:vpanic+0x2d3 sys/kern/subr_prf.c:290
[ 46.2545049] db_print_address.cold.0() at netbsd:db_print_address.cold.0
[ 46.3245011] uvm_map_prepare() at netbsd:uvm_map_prepare+0x66a sys/uvm/uvm_map.c:1145
[ 46.4045017] uvm_map() at netbsd:uvm_map+0xd2 sys/uvm/uvm_map.c:1096
[ 46.4745038] uvm_km_alloc() at netbsd:uvm_km_alloc+0x1a7 sys/uvm/uvm_km.c:629
[ 46.5445019] vmapbuf() at netbsd:vmapbuf+0x106 sys/arch/x86/x86/vm_machdep.c:304
[ 46.6145039] physio() at netbsd:physio+0x79a sys/kern/kern_physio.c:362
[ 46.6945066] cdev_write() at netbsd:cdev_write+0x147 sys/kern/subr_devsw.c:919
[ 46.7744979] spec_write() at netbsd:spec_write+0x26c sys/miscfs/specfs/spec_vnops.c:778
[ 46.8445017] VOP_WRITE() at netbsd:VOP_WRITE+0x138 sys/kern/vnode_if.c:540
[ 46.9345094] vn_write() at netbsd:vn_write+0x308 sys/kern/vfs_vnops.c:612
[ 47.0045051] do_filewritev.part.1() at netbsd:do_filewritev.part.1+0x4a0
[ 47.0845038] sys_writev() at netbsd:sys_writev+0x5e do_filewritev sys/kern/sys_generic.c:381 [inline]
[ 47.0845038] sys_writev() at netbsd:sys_writev+0x5e sys/kern/sys_generic.c:381
[ 47.1645060] sys_syscall() at netbsd:sys_syscall+0x1cf sy_call sys/sys/syscallvar.h:66 [inline]
[ 47.1645060] sys_syscall() at netbsd:sys_syscall+0x1cf sys/kern/sys_syscall.c:77
[ 47.2345068] syscall() at netbsd:syscall+0x2d5 sy_call sys/sys/syscallvar.h:65 [inline]
[ 47.2345068] syscall() at netbsd:syscall+0x2d5 sy_invoke sys/sys/syscallvar.h:94 [inline]
[ 47.2345068] syscall() at netbsd:syscall+0x2d5 sys/arch/x86/x86/syscall.c:138
[ 47.2545124] --- syscall (number 0) ---
[ 47.2845061] netbsd:syscall+0x2d5:
[ 47.2845061] cpu1: End traceback...
[ 47.2845061] fatal breakpoint trap in supervisor mode
[ 47.2945052] trap type 1 code 0 rip 0xffffffff80221a85 cs 0x8 rflags 0x246 cr2 0x705968582eb7 ilevel 0 rsp 0xffffa580bf3b4880
[ 47.3045007] curlwp 0xffffe0155e348a40 pid 1066.1066 lowest kstack 0xffffa580bf3b02c0
Stopped in pid 1066.1066 (syz-executor6331) at netbsd:breakpoint+0x5: leave

?
breakpoint() at netbsd:breakpoint+0x5
db_panic() at netbsd:db_panic+0xec sys/ddb/db_panic.c:67
vpanic() at netbsd:vpanic+0x2d3 sys/kern/subr_prf.c:290
db_print_address.cold.0() at netbsd:db_print_address.cold.0
uvm_map_prepare() at netbsd:uvm_map_prepare+0x66a sys/uvm/uvm_map.c:1145
uvm_map() at netbsd:uvm_map+0xd2 sys/uvm/uvm_map.c:1096
uvm_km_alloc() at netbsd:uvm_km_alloc+0x1a7 sys/uvm/uvm_km.c:629
vmapbuf() at netbsd:vmapbuf+0x106 sys/arch/x86/x86/vm_machdep.c:304
physio() at netbsd:physio+0x79a sys/kern/kern_physio.c:362
cdev_write() at netbsd:cdev_write+0x147 sys/kern/subr_devsw.c:919
spec_write() at netbsd:spec_write+0x26c sys/miscfs/specfs/spec_vnops.c:778
VOP_WRITE() at netbsd:VOP_WRITE+0x138 sys/kern/vnode_if.c:540
vn_write() at netbsd:vn_write+0x308 sys/kern/vfs_vnops.c:612
do_filewritev.part.1() at netbsd:do_filewritev.part.1+0x4a0
sys_writev() at netbsd:sys_writev+0x5e do_filewritev sys/kern/sys_generic.c:381 [inline]
sys_writev() at netbsd:sys_writev+0x5e sys/kern/sys_generic.c:381

sys_syscall() at netbsd:sys_syscall+0x1cf sy_call sys/sys/syscallvar.h:66 [inline]
sys_syscall() at netbsd:sys_syscall+0x1cf sys/kern/sys_syscall.c:77

syscall() at netbsd:syscall+0x2d5 sy_call sys/sys/syscallvar.h:65 [inline]
syscall() at netbsd:syscall+0x2d5 sy_invoke sys/sys/syscallvar.h:94 [inline]
syscall() at netbsd:syscall+0x2d5 sys/arch/x86/x86/syscall.c:138

--- syscall (number 0) ---

netbsd:syscall+0x2d5:
Panic string: kernel diagnostic assertion "size > 0" failed: file "/syzkaller/managers/netbsd-kubsan/kernel/sys/uvm/uvm_map.c", line 1145
PID LID S CPU FLAGS STRUCT LWP * NAME WAIT

419 419 2 0 0 ffffe0155c66f100 syz-executor6331
1071 1071 2 0 0 ffffe0155d484140 syz-executor6331
1077 1077 2 1 0 ffffe0155df91200 syz-executor6331
1082 1082 2 0 0 ffffe0155d484580 syz-executor6331
1067 1067 2 0 0 ffffe0155d45e180 syz-executor6331
1091 1091 2 0 0 ffffe0155d45ea00 syz-executor6331
1066 >1066 7 1 0 ffffe0155e348a40 syz-executor6331
1075 1075 2 1 40 ffffe0155c66f980 syz-executor6331
945 > 945 7 0 40 ffffe0155b71f240 syz-executor6331
1250 1250 2 0 40 ffffe0155b4d8640 syz-executor6331
1253 1253 3 0 40080 ffffe0155e3481c0 syz-executor6331 nanoslp
1065 1065 3 1 80 ffffe0155e348600 sshd select
948 948 3 1 80 ffffe0155b4d8a80 getty nanoslp
1088 1088 3 1 80 ffffe0155d4849c0 getty nanoslp
1095 1095 3 1 80 ffffe0155b24c5c0 getty nanoslp
1058 1058 3 1 c0 ffffe0155b4d8200 getty ttyraw
940 940 3 1 80 ffffe0155d45e5c0 sshd select
843 843 3 1 80 ffffe0155c66f540 powerd kqueue
734 734 3 0 80 ffffe0155bf00b00 syslogd kqueue
590 590 3 0 80 ffffe0155c7e5040 dhcpcd poll
589 589 3 1 80 ffffe0155ba862c0 dhcpcd poll
585 585 3 0 80 ffffe0155bf00280 dhcpcd poll
412 412 3 0 80 ffffe0155bf006c0 dhcpcd poll
347 347 3 0 80 ffffe0155bbfd300 dhcpcd poll
346 346 3 1 80 ffffe0155ba86700 dhcpcd poll
345 345 3 0 80 ffffe0155ba86b40 dhcpcd poll
1 1 3 0 80 ffffe0155309b900 init wait
0 816 3 0 200 ffffe0155b24ca00 physiod physiod
0 166 3 0 200 ffffe0155b2b6a40 ioflush syncer
0 165 3 0 200 ffffe0155b2b6600 pooldrain pooldrain
0 164 3 1 200 ffffe0155b2b61c0 pgdaemon pgdaemon
0 161 3 1 200 ffffe0155b24c180 usb7 usbevt
0 31 3 0 200 ffffe015581bf9c0 usb6 usbevt
0 63 3 1 200 ffffe015581bf580 usb5 usbevt
0 126 3 1 200 ffffe015581bf140 usb4 usbevt
0 125 3 1 200 ffffe0155518a980 usb3 usbevt
0 124 3 1 200 ffffe0155518a540 usb2 usbevt
0 123 3 1 200 ffffe0155518a100 usb1 usbevt
0 122 3 0 200 ffffe01554161940 usb0 usbevt
0 121 3 1 200 ffffe01554161500 usbtask-dr usbtsk
0 120 3 1 200 ffffe015541610c0 usbtask-hc usbtsk
0 119 3 0 200 ffffe01550522ac0 npfgc0 npfgcw
0 118 3 1 200 ffffe0155309b4c0 rt_free rt_free
0 117 3 1 200 ffffe0155309b080 unpgc unpgc
0 116 3 0 200 ffffe015530668c0 key_timehandler key_timehandler
0 115 3 1 200 ffffe01553066480 icmp6_wqinput/1 icmp6_wqinput
0 114 3 0 200 ffffe01553066040 icmp6_wqinput/0 icmp6_wqinput
0 113 3 0 200 ffffe01553099bc0 nd6_timer nd6_timer
0 112 3 1 200 ffffe01553099780 carp6_wqinput/1 carp6_wqinput
0 111 3 0 200 ffffe01553099340 carp6_wqinput/0 carp6_wqinput
0 110 3 1 200 ffffe0155301db80 carp_wqinput/1 carp_wqinput
0 109 3 0 200 ffffe0155301d740 carp_wqinput/0 carp_wqinput
0 108 3 1 200 ffffe01553010700 icmp_wqinput/1 icmp_wqinput
0 107 3 0 200 ffffe015530102c0 icmp_wqinput/0 icmp_wqinput
0 106 3 0 200 ffffe01553010b40 rt_timer rt_timer
0 105 3 0 200 ffffe0155301d300 vmem_rehash vmem_rehash
0 104 3 0 200 ffffe01552990b00 entbutler entropy
0 30 3 1 200 ffffe015529906c0 vioif0_txrx/1 vioif0_txrx
0 29 3 0 200 ffffe01552990280 vioif0_txrx/0 vioif0_txrx
0 27 3 0 200 ffffe01550522680 scsibus0 sccomp
0 26 3 0 200 ffffe01550522240 pms0 pmsreset
0 25 3 1 200 ffffe0155047ca80 xcall/1 xcall
0 24 1 1 200 ffffe0155047c640 softser/1
0 23 1 1 200 ffffe0155047c200 softclk/1
0 22 1 1 200 ffffe01550447a40 softbio/1
0 21 1 1 200 ffffe01550447600 softnet/1
0 20 1 1 201 ffffe015504471c0 idle/1
0 19 3 0 200 ffffe0166038ba00 lnxpwrwq lnxpwrwq
0 18 3 0 200 ffffe0166038b5c0 lnxlngwq lnxlngwq
0 17 3 0 200 ffffe0166038b180 lnxsyswq lnxsyswq
0 16 3 0 200 ffffe016603a49c0 lnxrcugc lnxrcugc
0 15 3 0 200 ffffe016603a4580 sysmon smtaskq
0 14 3 0 200 ffffe016603a4140 pmfsuspend pmfsuspend
0 13 3 0 200 ffffe016603b5980 pmfevent pmfevent
0 12 3 0 200 ffffe016603b5540 sopendfree sopendfr
0 11 3 0 200 ffffe016603b5100 iflnkst iflnkst
0 10 3 0 200 ffffe016613e0940 nfssilly nfssilly
0 9 3 0 200 ffffe016613e0500 vdrain vdrain
0 8 3 0 200 ffffe016613e00c0 modunload mod_unld
0 7 3 0 200 ffffe0166140f900 xcall/0 xcall
0 6 1 0 200 ffffe0166140f4c0 softser/0
0 5 1 0 200 ffffe0166140f080 softclk/0
0 4 1 0 200 ffffe016614398c0 softbio/0
0 3 1 0 200 ffffe01661439480 softnet/0
0 2 1 0 201 ffffe01661439040 idle/0
0 0 2 1 240 ffffffff85eed080 swapper
[Locks tracked through LWPs]

****** LWP 1077.1077 (syz-executor6331) @ 0xffffe0155df91200, l_stat=2

*** Locks held: none

*** Locks wanted:

* Lock 0 (initialized at pmap_ctor)
lock address : 0xffffe0155b85b180 type : sleep/adaptive

initialized : 0xffffffff80f822a3
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 1
relevant cpu : 1 last held: 1

relevant lwp : 0xffffe0155df91200 last held: 000000000000000000
last locked : 0xffffffff80f84957 unlocked*: 0xffffffff80f8504c
owner field : 0xffffe0155df91200 wait/spin: 0/0

Turnstile: no active turnstile for this lock.

****** LWP 1082.1082 (syz-executor6331) @ 0xffffe0155d484580, l_stat=2

*** Locks held:

* Lock 0 (initialized at pmap_ctor)
lock address : 0xffffe0155c78fd80 type : sleep/adaptive
initialized : 0xffffffff80f822a3

shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0

relevant lwp : 0xffffe0155d484580 last held: 0xffffe0155d484580
last locked* : 0xffffffff80f81ea5 unlocked : 0xffffffff80f8504c

owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

*** Locks wanted: none

****** LWP 1067.1067 (syz-executor6331) @ 0xffffe0155d45e180, l_stat=2

*** Locks held:

* Lock 0 (initialized at pmap_ctor)
lock address : 0xffffe015530a7f80 type : sleep/adaptive
initialized : 0xffffffff80f822a3

shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0

relevant lwp : 0xffffe0155d45e180 last held: 0xffffe0155d45e180
last locked* : 0xffffffff80f84957 unlocked : 0xffffffff80f81fe4
owner field : 0xffffe0155d45e180 wait/spin: 0/0

Turnstile: no active turnstile for this lock.

*** Locks wanted: none

****** LWP 1091.1091 (syz-executor6331) @ 0xffffe0155d45ea00, l_stat=2

*** Locks held:

* Lock 0 (initialized at pmap_ctor)
lock address : 0xffffe0155baf1f80 type : sleep/adaptive
initialized : 0xffffffff80f822a3

shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0

relevant lwp : 0xffffe0155d45ea00 last held: 0xffffe0155d45ea00
last locked* : 0xffffffff80f81ea5 unlocked : 0xffffffff80f81fe4
owner field : 0xffffe0155d45ea00 wait/spin: 0/0

Turnstile: no active turnstile for this lock.

*** Locks wanted: none

****** LWP 589.589 (dhcpcd) @ 0xffffe0155ba862c0, l_stat=3

*** Locks held: none

*** Locks wanted:

* Lock 0 (initialized at module_hook_init)
lock address : 0xffffffff862eb480 type : sleep/adaptive
initialized : 0xffffffff8321b1f0
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 0

relevant lwp : 0xffffe0155ba862c0 last held: 000000000000000000