panic: kmem_free(ADDR, NUM) != allocated size NUM; overwrote?


syzbot

Aug 2, 2022, 5:43:29 AM
to syzkaller-...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: ac44c67317ab Provide _GNU_SOURCE for t_clone now that is r..
git tree: netbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1309f83e080000
kernel config: https://syzkaller.appspot.com/x/.config?x=739e57438eb9ed9e
dashboard link: https://syzkaller.appspot.com/bug?extid=619594123012278666e0
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+619594...@syzkaller.appspotmail.com

[ 168.7528436] panic: kmem_free(0xffffca8013aa96a0, 16) != allocated size 2; overwrote?
[ 168.7642248] cpu0: Begin traceback...
[ 168.7828192] vpanic() at netbsd:vpanic+0xc9d
[ 168.8328207] panic() at netbsd:panic+0x1b3 sys/kern/subr_prf.c:210
[ 168.8828178] kmem_intr_free() at netbsd:kmem_intr_free+0x82f sys/kern/subr_kmem.c:365
[ 168.9428232] compat_30_sys_getdents() at netbsd:compat_30_sys_getdents+0x1372
[ 168.9928231] sys___syscall() at netbsd:sys___syscall+0x2c6 sys/kern/sys_syscall.c:90
[ 169.0528205] syscall() at netbsd:syscall+0x60c sy_invoke sys/sys/syscallvar.h:94 [inline]
[ 169.0528205] syscall() at netbsd:syscall+0x60c sys/arch/x86/x86/syscall.c:138
[ 169.0729818] --- syscall (number 272 via SYS_syscall) ---
[ 169.0828173] netbsd:syscall+0x60c:
[ 169.0943198] cpu0: End traceback...
[ 169.0943198] fatal breakpoint trap in supervisor mode
[ 169.1034131] trap type 1 code 0 rip 0xffffffff802228ad cs 0x8 rflags 0x286 cr2 0 ilevel 0 rsp 0xffffca8090dc0820
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dc0210
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbfc00
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbf5f0
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbefe0
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbe9d0
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbe3c0
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbddb0
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbd7a0
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbd190
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbcb80
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbc570
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbbf60
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Aug 2, 2022, 6:01:39 AM
to syzkaller-...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: ac44c67317ab Provide _GNU_SOURCE for t_clone now that is r..
git tree: netbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=12d423b1080000
kernel config: https://syzkaller.appspot.com/x/.config?x=739e57438eb9ed9e
dashboard link: https://syzkaller.appspot.com/bug?extid=619594123012278666e0
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1104b91e080000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13aea1a6080000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+619594...@syzkaller.appspotmail.com

[ 41.8847116] panic: kmem_free(0xffffe4801328db40, 16) != allocated size 2; overwrote?
[ 41.8847116] cpu1: Begin traceback...
[ 41.9047074] vpanic() at netbsd:vpanic+0xc9d
[ 41.9447062] panic() at netbsd:panic+0x1b3 sys/kern/subr_prf.c:210
[ 41.9947390] kmem_intr_free() at netbsd:kmem_intr_free+0x82f sys/kern/subr_kmem.c:365
[ 42.0447762] compat_30_sys_getdents() at netbsd:compat_30_sys_getdents+0x1372
[ 42.0947810] sys_syscall() at netbsd:sys_syscall+0x2c5 sys/kern/sys_syscall.c:90
[ 42.1547856] syscall() at netbsd:syscall+0x60c sy_invoke sys/sys/syscallvar.h:94 [inline]
[ 42.1547856] syscall() at netbsd:syscall+0x60c sys/arch/x86/x86/syscall.c:138
[ 42.1647756] --- syscall (number 272 via SYS_syscall) ---
[ 42.1847773] netbsd:syscall+0x60c:
[ 42.1847773] cpu1: End traceback...
[ 42.1847773] fatal breakpoint trap in supervisor mode
[ 42.1947747] trap type 1 code 0 rip 0xffffffff802228ad cs 0x8 rflags 0x286 cr2 0 ilevel 0 rsp 0xffffe480878cb820
[ 42.2047977] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
[ 42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[ 42.2148011] fatal page fault in supervisor mode
[ 42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878cb210
[ 42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[ 42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[ 42.2148011] fatal page fault in supervisor mode
[ 42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878cac00
[ 42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[ 42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[ 42.2148011] fatal page fault in supervisor mode
[ 42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878ca5f0
[ 42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[ 42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[ 42.2148011] fatal page fault in supervisor mode
[ 42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878c9fe0
[ 42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[ 42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[ 42.2148011] fatal page fault in supervisor mode
[ 42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878c99d0
[ 42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[ 42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[ 42.2148011] fatal page fault in supervisor mode
[ 42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878c93c0
[ 42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[ 42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[ 42.2148011] fatal page fault in supervisor mode
[ 42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878c8db0
[ 42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[ 42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[ 42.2148011] fatal page fault in supervisor mode
[ 42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878c87a0
[ 42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[ 42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[ 42.2148011] fatal page fault in supervisor mode
[ 42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878c8190
[ 42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[ 42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[ 42.2148011] fatal page fault in supervisor mode
[ 42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878c7b80
[ 42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[ 42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[ 42.2148011] fatal page fault in supervisor mode
[ 42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878c7570
[ 42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[ 42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[ 42.2148011] fatal page fault in supervisor mode
[ 42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878c6f60
[ 42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0

Taylor R Campbell

Aug 11, 2022, 8:21:09 AM
to syzbot+619594...@syzkaller.appspotmail.com, syzkaller-...@googlegroups.com