kernel: protection fault trap, code=0 (2)

syzbot

Dec 29, 2018, 4:25:05 AM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: fb1fb638fae9 Fix dino at uturn attachment. From miod@
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1572f49f400000
kernel config: https://syzkaller.appspot.com/x/.config?x=f2ee3db928411249
dashboard link: https://syzkaller.appspot.com/bug?extid=d5540a236382f50f1dac
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d5540a...@syzkaller.appspotmail.com

kernel: protection fault trap, code=0
Stopped at lf_findoverlap+0xab: movq 0x18(%rbx),%rax
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> show panic
the kernel did not panic
ddb{1}> trace
lf_findoverlap(0,ffffff00664c5101,ffff8000018d7c60,ffffff0069e78790,0) at lf_findoverlap+0xab sys/kern/vfs_lockf.c:621
lf_setlock() at lf_setlock+0xad lf_getblock sys/kern/vfs_lockf.c:586 [inline]
lf_setlock() at lf_setlock+0xad sys/kern/vfs_lockf.c:314
VOP_ADVLOCK(ffffff0071037bd0,b,3,ffffff00664c51c8,ffffff007f7c6000) at VOP_ADVLOCK+0x67 sys/kern/vfs_vops.c:699
sys_flock(830,ffff8000210a24c8,0) at sys_flock+0x156
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,ffffffffffffff4f,0,2,e90387d40d8) at Xsyscall+0x128
end of kernel
end trace frame: 0xe92a4d0b960, count: -6
ddb{1}> show registers
rdi 0xdeaf4152deaf4152
rsi 0xffffffff815f7ca5 lf_findoverlap+0x85
rbp 0xffff8000211fae30
rbx 0xdeaf4152deaf4152
rdx 0xffff8000024da000
rcx 0xcbf
rax 0xffff8000024da000
r8 0xffff8000211fae70
r9 0x1
r10 0x54485bb9d3129cdf
r11 0xffffffff8178b9c0 pvclock_get_timecount
r12 0x2
r13 0xffffff0069e78790
r14 0xffff8000211fae70
r15 0
rip 0xffffffff815f7ccb lf_findoverlap+0xab
cs 0x8
rflags 0x10202 __ALIGN_SIZE+0xf202
rsp 0xffff8000211fade0
ss 0x10
lf_findoverlap+0xab: movq 0x18(%rbx),%rax
ddb{1}> show proc
PROC (syz-executor0) pid=127161 stat=onproc
flags process=10<SUGID> proc=4000000<THREAD>
pri=40, usrpri=72, nice=20
forw=0xffffffffffffffff, list=0xffff8000210a3c38,0xffff8000210a3540
process=0xffff8000210b7630 user=0xffff8000211f6000,
vmspace=0xffffff007f124d68
estcpu=22, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
92885 212553 61184 65534 2 0x10 syz-executor0
92885 262755 61184 65534 3 0x4000090 lockf syz-executor0
*92885 127161 61184 65534 7 0x4000010 syz-executor0
92885 319803 61184 65534 7 0x4000010 syz-executor0
92885 309581 61184 65534 2 0x4000010 syz-executor0
95828 394962 57967 65534 3 0x90 piperd syz-executor1
57967 433908 41851 0 3 0x82 wait syz-executor1
61184 109028 78987 65534 3 0x90 nanosleep syz-executor0
78987 43726 41851 0 3 0x82 wait syz-executor0
81049 511135 0 0 3 0x14200 bored sosplice
41851 310115 2366 0 3 0x82 thrsleep syz-fuzzer
41851 61186 2366 0 3 0x4000082 thrsleep syz-fuzzer
41851 513050 2366 0 3 0x4000082 thrsleep syz-fuzzer
41851 47321 2366 0 3 0x4000082 thrsleep syz-fuzzer
41851 182317 2366 0 3 0x4000082 thrsleep syz-fuzzer
41851 515952 2366 0 3 0x4000082 thrsleep syz-fuzzer
41851 30475 2366 0 3 0x4000082 thrsleep syz-fuzzer
41851 338093 2366 0 3 0x4000082 thrsleep syz-fuzzer
41851 17014 2366 0 3 0x4000082 thrsleep syz-fuzzer
41851 163025 2366 0 3 0x4000082 kqread syz-fuzzer
41851 272680 2366 0 3 0x4000082 thrsleep syz-fuzzer
41851 482460 2366 0 3 0x4000082 thrsleep syz-fuzzer
2366 509975 91625 0 3 0x10008a pause ksh
91625 200312 35478 0 3 0x92 select sshd
66913 349467 1 0 3 0x100083 ttyin getty
35478 358471 1 0 3 0x80 select sshd
50398 119423 60611 73 3 0x100090 kqread syslogd
60611 254976 1 0 3 0x100082 netio syslogd
92430 87697 1 77 3 0x100090 poll dhclient
33263 134000 1 0 3 0x80 poll dhclient
78632 18326 0 0 3 0x14200 pgzero zerothread
78125 456155 0 0 3 0x14200 aiodoned aiodoned
38525 486747 0 0 3 0x14200 syncer update
7732 35543 0 0 3 0x14200 cleaner cleaner
8427 75372 0 0 3 0x14200 reaper reaper
66650 273740 0 0 3 0x14200 pgdaemon pagedaemon
44459 514210 0 0 3 0x14200 bored crynlk
64457 442970 0 0 3 0x14200 bored crypto
26957 239366 0 0 3 0x40014200 acpi0 acpi0
93881 151035 0 0 3 0x40014200 idle1
25630 271577 0 0 3 0x14200 bored softnet
29640 459466 0 0 3 0x14200 bored systqmp
21314 58456 0 0 3 0x14200 bored systq
83807 388645 0 0 3 0x40014200 bored softclock
86919 109076 0 0 3 0x40014200 idle0
1 281493 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

syzbot

Dec 29, 2018, 10:15:04 PM
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 9f55cdeb1a13 Remove the hand-rolled maximum segment size h..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=150997fb400000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13adb700c00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d5540a...@syzkaller.appspotmail.com

login: kernel: protection fault trap, code=0
Stopped at lf_findoverlap+0xab: movq 0x18(%rbx),%rax
ddb{0}>
ddb{0}>
