uvm_fault: wsmuxclose


syzbot

Dec 30, 2018, 2:36:04 PM12/30/18
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: ef327be8754b remove unused F_ANN_DYNAMIC/F_PREFIX_ANNOUNCE..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=105d81fd400000
kernel config: https://syzkaller.appspot.com/x/.config?x=f2ee3db928411249
dashboard link: https://syzkaller.appspot.com/bug?extid=654b00696fbc8da8cfcb
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+654b00...@syzkaller.appspotmail.com

uvm_fault(0xffffff007f124528, 0x8f, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at wsmuxclose+0x65: cmpq %r12,0x90(%r15)
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> show panic
kernel page fault
uvm_fault(0xffffff007f124528, 0x8f, 0, 1) -> e
wsmuxclose(ffff8000210a2bd0,ffff8000211bd6e8,ffffff00625a20d0,0) at
wsmuxclose+0x65 wsmux_do_close sys/dev/wscons/wsmux.c:307 [inline]
wsmuxclose(ffff8000210a2bd0,ffff8000211bd6e8,ffffff00625a20d0,0) at
wsmuxclose+0x65 sys/dev/wscons/wsmux.c:277
end trace frame: 0xffff8000211bd6d0, count: 0
ddb{1}> trace
wsmuxclose(ffff8000210a2bd0,ffff8000211bd6e8,ffffff00625a20d0,0) at
wsmuxclose+0x65 wsmux_do_close sys/dev/wscons/wsmux.c:307 [inline]
wsmuxclose(ffff8000210a2bd0,ffff8000211bd6e8,ffffff00625a20d0,0) at
wsmuxclose+0x65 sys/dev/wscons/wsmux.c:277
spec_close(ffffffff81e27f68) at spec_close+0x271 sys/kern/spec_vnops.c:553
VOP_CLOSE(ffffff00625a20d0,ffff8000210a2bd0,ffffff007f7c7ba0,1) at
VOP_CLOSE+0x5f sys/kern/vfs_vops.c:174
vn_closefile(ffff8000210a2bd0,ffffff00665269e8) at vn_closefile+0x10c
vn_close sys/kern/vfs_vnops.c:289 [inline]
vn_closefile(ffff8000210a2bd0,ffffff00665269e8) at vn_closefile+0x10c
sys/kern/vfs_vnops.c:575
fdrop(ffffff00665269e8,ffff8000210a2bd0) at fdrop+0xa4
sys/kern/kern_descrip.c:1260
closef(ffff8000210a2bd0,ffffff006e92e008) at closef+0xd7
sys/kern/kern_descrip.c:1244
fdfree(ffff8000210b6998) at fdfree+0x99 sys/kern/kern_descrip.c:1176
exit1(10,ffff8000210a2bd0,0) at exit1+0x22f sys/kern/kern_exit.c:194
sys_exit(ffffffff81b9fc13,ffff8000211bd8d0,10) at sys_exit+0x13
sys/kern/kern_exit.c:94
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,1,0,1,0,7f7ffffde200) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffde1b0, count: -11
ddb{1}> show registers
rdi 0
rsi 0
rbp 0xffff8000211bd690
rbx 0xffffffff81796990 wsmuxclose
rdx 0x64
rcx 0xffff800021018ff0
rax 0
r8 0x7f7fffffc000
r9 0x1
r10 0xffff8000211bd4b8
r11 0xffffffff814108a0 x86_bus_space_io_write_1
r12 0xffff80000064f200
r13 0x4501 __ALIGN_SIZE+0x3501
r14 0xffff80000064f250
r15 0xffffffffffffffff
rip 0xffffffff817969f5 wsmuxclose+0x65
cs 0x8
rflags 0x10246 __ALIGN_SIZE+0xf246
rsp 0xffff8000211bd670
ss 0x10
wsmuxclose+0x65: cmpq %r12,0x90(%r15)
ddb{1}> show proc
PROC (syz-executor1) pid=507082 stat=onproc
flags process=1008<EXITING,SINGLEEXIT> proc=2000<WEXIT>
pri=0, usrpri=78, nice=20
forw=0xffffffffffffffff, list=0xffff8000210a2e28,0xffff8000210a3090
process=0xffff8000210b6998 user=0xffff8000211b8000,
vmspace=0xffffff007f124528
estcpu=28, cpticks=2, pctcpu=0.0
user=0, sys=2, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
1917 297873 32658 0 2 0 syz-executor0
1917 261074 32658 0 2 0x4000000 syz-executor0
569 145625 1 0 3 0x100083 ttyin getty
44861 127338 0 0 3 0x14200 bored sosplice
12856 278885 81153 0 2 0x482 syz-executor1
32658 142332 81153 0 2 0x482 syz-executor0
81153 476057 60374 0 3 0x82 thrsleep syz-fuzzer
81153 155730 60374 0 2 0x4000482 syz-fuzzer
81153 329633 60374 0 3 0x4000082 thrsleep syz-fuzzer
81153 333670 60374 0 3 0x4000082 thrsleep syz-fuzzer
81153 165913 60374 0 3 0x4000082 thrsleep syz-fuzzer
81153 396983 60374 0 3 0x4000082 thrsleep syz-fuzzer
81153 115873 60374 0 3 0x4000082 thrsleep syz-fuzzer
81153 475179 60374 0 3 0x4000082 kqread syz-fuzzer
81153 206088 60374 0 2 0x4000482 syz-fuzzer
81153 273692 60374 0 3 0x4000082 thrsleep syz-fuzzer
60374 130582 58264 0 3 0x10008a pause ksh
58264 513131 68983 0 3 0x92 select sshd
68983 67098 1 0 3 0x80 select sshd
59408 289724 4515 73 2 0x100090 syslogd
4515 233848 1 0 3 0x100082 netio syslogd
77980 503072 1 77 3 0x100090 poll dhclient
91834 346792 1 0 3 0x80 poll dhclient
34848 410603 0 0 3 0x14200 pgzero zerothread
72262 281739 0 0 3 0x14200 aiodoned aiodoned
18967 113475 0 0 2 0x14200 update
66764 494208 0 0 3 0x14200 cleaner cleaner
90301 124817 0 0 3 0x14200 reaper reaper
6466 442084 0 0 3 0x14200 pgdaemon pagedaemon
21412 409689 0 0 3 0x14200 bored crynlk
59013 246123 0 0 3 0x14200 bored crypto
53093 405795 0 0 3 0x40014200 acpi0 acpi0
72912 521041 0 0 3 0x40014200 idle1
41164 324260 0 0 2 0x14200 softnet
94474 427565 0 0 2 0x14200 systqmp
3634 318134 0 0 3 0x14200 bored systq
32350 275376 0 0 7 0x40014200 softclock
50665 54869 0 0 3 0x40014200 idle0
1 320285 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

Anton Lindqvist

Jan 27, 2019, 6:19:02 AM1/27/19
to syzbot, syzkaller-o...@googlegroups.com
#syz dup: uvm_fault: wsmux_mux_close