assert "next != NULL && next->start <= entry->end" failed in uvm_fault.c


syzbot

Dec 27, 2018, 6:45:05 AM12/27/18
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 01cfcf25097a move client/server SSH-* banners to buffers u..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1231a49f400000
kernel config: https://syzkaller.appspot.com/x/.config?x=f2ee3db928411249
dashboard link: https://syzkaller.appspot.com/bug?extid=b8e7faf688f8c9d341b1
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b8e7fa...@syzkaller.appspotmail.com

panic: kernel diagnostic assertion "next != NULL && next->start <=
entry->end" failed:
file "/syzkaller/managers/multicore/kernel/sys/uvm/uvm_fault.c", line 1354
Stopped at db_enter+0xa: popq %rbp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
* 8626 36715 0 0 0x4000000 0K syz-executor1
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
__assert(ffffffff8132b5f4,ffff8000211c1530,20008000,20011000) at
__assert+0x24 sys/kern/subr_prf.c:155
uvm_fault_unwire_locked(20000000,20011000,0) at
uvm_fault_unwire_locked+0x1f9 sys/uvm/uvm_fault.c:1351
uvm_fault_unwire(10000,ffffff0078053b00,10000) at uvm_fault_unwire+0x3b
sys/uvm/uvm_fault.c:1314
physio(ffff8000211c1828,ffffff005e9aae50,ffffff005e9aae50,ffff8000211c1828,ffff8000211c16f8)
at
physio+0x2ba sys/kern/kern_physio.c:183
spec_read(0) at spec_read+0xa5 sys/kern/spec_vnops.c:223
VOP_READ(ffff8000211c1828,ffffff005e9aae50,ffffff00685e4e20,0) at
VOP_READ+0x5e sys/kern/vfs_vops.c:247
vn_read(ffffff00685e4e20,ffff8000210a3080,fffffe73) at vn_read+0x130
sys/kern/vfs_vnops.c:365
dofilereadv(ffff8000210a3080,ffff8000211c18d0,fffffe73,ffff8000211c18e8,363ce240ac8)
at
dofilereadv+0x14f sys/kern/sys_generic.c:235
sys_read(30,ffff8000210a3080,0) at sys_read+0x6e sys/kern/sys_generic.c:155
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,ffffffffffffffb9,0,3,3613cb70010) at Xsyscall+0x128
end of kernel
end trace frame: 0x363ce240b50, count: 2
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> show panic
kernel diagnostic assertion "next != NULL && next->start <= entry->end"
failed: file "/syzkaller/managers/multicore/kernel/sys/uvm/uvm_fault.c",
line 1354
ddb{0}> trace
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
__assert(ffffffff8132b5f4,ffff8000211c1530,20008000,20011000) at
__assert+0x24 sys/kern/subr_prf.c:155
uvm_fault_unwire_locked(20000000,20011000,0) at
uvm_fault_unwire_locked+0x1f9 sys/uvm/uvm_fault.c:1351
uvm_fault_unwire(10000,ffffff0078053b00,10000) at uvm_fault_unwire+0x3b
sys/uvm/uvm_fault.c:1314
physio(ffff8000211c1828,ffffff005e9aae50,ffffff005e9aae50,ffff8000211c1828,ffff8000211c16f8)
at
physio+0x2ba sys/kern/kern_physio.c:183
spec_read(0) at spec_read+0xa5 sys/kern/spec_vnops.c:223
VOP_READ(ffff8000211c1828,ffffff005e9aae50,ffffff00685e4e20,0) at
VOP_READ+0x5e
sys/kern/vfs_vops.c:247
vn_read(ffffff00685e4e20,ffff8000210a3080,fffffe73) at vn_read+0x130
dofilereadv(ffff8000210a3080,ffff8000211c18d0,fffffe73,ffff8000211c18e8,363ce240ac8)
at
dofilereadv+0x14f sys/kern/sys_generic.c:235
sys_read(30,ffff8000210a3080,0) at sys_read+0x6e sys/kern/sys_generic.c:155
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,ffffffffffffffb9,0,3,3613cb70010) at Xsyscall+0x128
end of kernel
end trace frame: 0x363ce240b50, count: -13
ddb{0}> show registers
rdi 0xffffffff81e27170 kprintf_mutex
rsi 0xffffffff818e4fe9 db_enter+0x9
rbp 0xffff8000211c1490
rbx 0xffff8000211c1530
rdx 0xffff8000016d8000
rcx 0x69ab __ALIGN_SIZE+0x59ab
rax 0xffff8000016d8000
r8 0xffff8000211c1460
r9 0x8080808080808080
r10 0
r11 0xffffffff812f8ba0 x86_bus_space_io_read_1
r12 0x3000000008
r13 0xffff8000211c14a0
r14 0x100
r15 0xffffffff81bf514e cmd0646_9_tim_udma+0x1eab3
rip 0xffffffff818e4fea db_enter+0xa
cs 0x8
rflags 0x202
rsp 0xffff8000211c1490
ss 0x10
db_enter+0xa: popq %rbp
ddb{0}> show proc
PROC (syz-executor1) pid=8626 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=17, usrpri=82, nice=20
forw=0xffffffffffffffff, list=0xffff8000210a2bd0,0xffff8000210a3c48
process=0xffff8000210b7c90 user=0xffff8000211bc000,
vmspace=0xffffff007f125108
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
36715 156254 20653 0 3 0x80 nanosleep syz-executor1
*36715 8626 20653 0 7 0x4000000 syz-executor1
36715 119801 20653 0 3 0x4000080 fsleep syz-executor1
51414 410891 90886 0 3 0x80 nanosleep syz-executor0
51414 497061 90886 0 3 0x4000080 fifor syz-executor0
51414 380196 90886 0 3 0x4000080 fifor syz-executor0
51414 234752 90886 0 3 0x4000080 fsleep syz-executor0
87929 77004 0 0 3 0x14200 bored sosplice
76065 158995 1 0 3 0x100083 ttyin getty
20653 294811 20427 0 3 0x82 nanosleep syz-executor1
90886 498931 20427 0 3 0x82 nanosleep syz-executor0
20427 22442 40981 0 3 0x82 thrsleep syz-fuzzer
20427 915 40981 0 3 0x4000082 thrsleep syz-fuzzer
20427 492298 40981 0 3 0x4000082 thrsleep syz-fuzzer
20427 396314 40981 0 3 0x4000082 thrsleep syz-fuzzer
20427 364536 40981 0 3 0x4000082 thrsleep syz-fuzzer
20427 16330 40981 0 3 0x4000082 thrsleep syz-fuzzer
20427 287495 40981 0 3 0x4000082 thrsleep syz-fuzzer
20427 41688 40981 0 3 0x4000082 kqread syz-fuzzer
20427 249406 40981 0 3 0x4000082 thrsleep syz-fuzzer
20427 355770 40981 0 3 0x4000082 thrsleep syz-fuzzer
40981 320259 60371 0 3 0x10008a pause ksh
60371 167707 2602 0 3 0x92 select sshd
2602 163968 1 0 3 0x80 select sshd
12219 53945 59586 73 3 0x100090 kqread syslogd
59586 479814 1 0 3 0x100082 netio syslogd
69030 449404 1 77 3 0x100090 poll dhclient
70027 505907 1 0 3 0x80 poll dhclient
39411 513527 0 0 3 0x14200 pgzero zerothread
88934 186997 0 0 3 0x14200 aiodoned aiodoned
17108 444864 0 0 3 0x14200 syncer update
73688 102978 0 0 3 0x14200 cleaner cleaner
87288 299673 0 0 3 0x14200 reaper reaper
47084 487387 0 0 3 0x14200 pgdaemon pagedaemon
27226 198758 0 0 3 0x14200 bored crynlk
33606 402459 0 0 3 0x14200 bored crypto
3097 303292 0 0 3 0x40014200 acpi0 acpi0
38934 217832 0 0 7 0x40014200 idle1
36582 502502 0 0 3 0x14200 bored softnet
2299 127865 0 0 3 0x14200 bored systqmp
25401 193032 0 0 3 0x14200 bored systq
62753 91399 0 0 3 0x40014200 bored softclock
13117 314437 0 0 3 0x40014200 idle0
1 148627 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

syzbot

Dec 27, 2018, 8:30:05 AM12/27/18
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 01cfcf25097a move client/server SSH-* banners to buffers u..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=14c06ddd400000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16578bed400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10748bfb400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b8e7fa...@syzkaller.appspotmail.com

panic: kernel diagnostic assertion "next != NULL && next->start <=
entry->end" failed:
file "/syzkaller/managers/multicore/kernel/sys/uvm/uvm_fault.c", line 1354
Stopped at db_enter+0xa: popq %rbp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
* 10269 83986 0 0 0x4000000 1K syz-executor8120
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
__assert(ffffffff8132b5f4,ffff80002111b350,20008000,20011000) at
__assert+0x24 sys/kern/subr_prf.c:155
uvm_fault_unwire_locked(20000000,20011000,0) at
uvm_fault_unwire_locked+0x1f9 sys/uvm/uvm_fault.c:1351
uvm_fault_unwire(10000,ffffff006d2bf800,10000) at uvm_fault_unwire+0x3b
sys/uvm/uvm_fault.c:1314
physio(ffff80002111b648,ffffff006d8ca968,ffffff006d8ca968,ffff80002111b648,ffff80002111b518)
at
physio+0x2ba sys/kern/kern_physio.c:183
spec_read(0) at spec_read+0xa5 sys/kern/spec_vnops.c:223
VOP_READ(ffff80002111b648,ffffff006d8ca968,ffffff006e4a42d8,0) at
VOP_READ+0x5e sys/kern/vfs_vops.c:247
vn_read(ffffff006e4a42d8,ffff8000210f4010,fffffe73) at vn_read+0x130
sys/kern/vfs_vnops.c:365
dofilereadv(ffff8000210f4010,ffff80002111b6f0,fffffe73,ffff80002111b708,b53815ff038)
at
dofilereadv+0x14f sys/kern/sys_generic.c:235
sys_read(30,ffff8000210f4010,0) at sys_read+0x6e sys/kern/sys_generic.c:155
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,b53975ed0a0,0,b50d7474098,b50d7474090) at Xsyscall+0x128
end of kernel
end trace frame: 0xb53815ff060, count: 2
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> show panic
kernel diagnostic assertion "next != NULL && next->start <= entry->end"
failed: file "/syzkaller/managers/multicore/kernel/sys/uvm/uvm_fault.c",
line 1354
ddb{1}> trace
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
__assert(ffffffff8132b5f4,ffff80002111b350,20008000,20011000) at
__assert+0x24 sys/kern/subr_prf.c:155
uvm_fault_unwire_locked(20000000,20011000,0) at
uvm_fault_unwire_locked+0x1f9 sys/uvm/uvm_fault.c:1351
uvm_fault_unwire(10000,ffffff006d2bf800,10000) at uvm_fault_unwire+0x3b
sys/uvm/uvm_fault.c:1314
physio(ffff80002111b648,ffffff006d8ca968,ffffff006d8ca968,ffff80002111b648,ffff80002111b518)
at
physio+0x2ba sys/kern/kern_physio.c:183
spec_read(0) at spec_read+0xa5 sys/kern/spec_vnops.c:223
VOP_READ(ffff80002111b648,ffffff006d8ca968,ffffff006e4a42d8,0) at
VOP_READ+0x5e
sys/kern/vfs_vops.c:247
vn_read(ffffff006e4a42d8,ffff8000210f4010,fffffe73) at vn_read+0x130
dofilereadv(ffff8000210f4010,ffff80002111b6f0,fffffe73,ffff80002111b708,b53815ff038)
at
dofilereadv+0x14f sys/kern/sys_generic.c:235
sys_read(30,ffff8000210f4010,0) at sys_read+0x6e sys/kern/sys_generic.c:155
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,b53975ed0a0,0,b50d7474098,b50d7474090) at Xsyscall+0x128
end of kernel
end trace frame: 0xb53815ff060, count: -13
ddb{1}> show registers
rdi 0xffffffff81e27170 kprintf_mutex
rsi 0x5
rbp 0xffff80002111b2b0
rbx 0xffff80002111b350
rdx 0x3fd
rcx 0
rax 0x1
r8 0xffff80002111b280
r9 0x8080808080808080
r10 0
r11 0xffffffff812f8ba0 x86_bus_space_io_read_1
r12 0x3000000008
r13 0xffff80002111b2c0
r14 0x100
r15 0xffffffff81bf514e cmd0646_9_tim_udma+0x1eab3
rip 0xffffffff818e4fea db_enter+0xa
cs 0x8
rflags 0x202
rsp 0xffff80002111b2b0
ss 0x10
db_enter+0xa: popq %rbp
ddb{1}> show proc
PROC (syz-executor8120) pid=10269 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=17, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff8000210f4bc8,0xffff8000210f44d0
process=0xffff800021070fd0 user=0xffff800021116000,
vmspace=0xffffff007f125c60
estcpu=36, cpticks=2, pctcpu=0.0
user=0, sys=2, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
83986 12042 6606 0 3 0x80 nanosleep syz-executor8120
*83986 10269 6606 0 7 0x4000000 syz-executor8120
83986 110087 6606 0 3 0x4000080 fsleep syz-executor8120
6606 9747 92253 0 3 0x82 nanosleep syz-executor8120
92253 305578 74197 0 3 0x10008a pause ksh
74197 266486 46347 0 3 0x92 select sshd
19217 329309 1 0 3 0x100083 ttyin getty
46347 395782 1 0 3 0x80 select sshd
36461 389446 40994 73 3 0x100090 kqread syslogd
40994 370430 1 0 3 0x100082 netio syslogd
891 46690 1 77 3 0x100090 poll dhclient
26508 42021 1 0 3 0x80 poll dhclient
77262 10265 0 0 3 0x14200 pgzero zerothread
95597 17271 0 0 3 0x14200 aiodoned aiodoned
77622 160427 0 0 3 0x14200 syncer update
376 159265 0 0 3 0x14200 cleaner cleaner
55143 500485 0 0 3 0x14200 reaper reaper
26165 61597 0 0 3 0x14200 pgdaemon pagedaemon
95905 217790 0 0 3 0x14200 bored crynlk
49743 436122 0 0 3 0x14200 bored crypto
1655 477308 0 0 3 0x40014200 acpi0 acpi0
79504 274047 0 0 3 0x40014200 idle1
19847 84012 0 0 3 0x14200 bored softnet
38359 168216 0 0 3 0x14200 bored systqmp
21912 331360 0 0 3 0x14200 bored systq
25658 142620 0 0 3 0x40014200 bored softclock
23784 325256 0 0 7 0x40014200 idle0
1 341806 0 0 3 0x82 wait init