panic: pool_cache_item_magic_check: mcl2k cpu free list modified: item addr ADDR+24 ADDR!=ADDR


syzbot

Dec 18, 2018, 9:38:04 AM12/18/18
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 9257d67bbd0d split tests into multiple make targets
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=16632efb400000
kernel config: https://syzkaller.appspot.com/x/.config?x=f2ee3db928411249
dashboard link: https://syzkaller.appspot.com/bug?extid=c47701254ab2fc72b5d8
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c47701...@syzkaller.appspotmail.com

panic: pool_cache_item_magic_check: mcl2k cpu free list modified: item addr
0xffffff0005ff0800+24 0x470a1ed9891e12b2!=0x470a1ed98f1e62b2
Stopped at db_enter+0xa: popq %rbp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
112107 39847 65534 0x10 0 1 syz-executor0
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
pool_cache_get(2) at pool_cache_get+0x2bf pool_cache_item_magic_check
sys/kern/subr_pool.c:1789 [inline]
pool_cache_get(2) at pool_cache_get+0x2bf sys/kern/subr_pool.c:1892
pool_get(ffffff006efb9900,2) at pool_get+0x60 sys/kern/subr_pool.c:577
m_clget(10,ffff800000173000,1) at m_clget+0x204 sys/kern/uipc_mbuf.c:394
vio_populate_rx_mbufs(ffff800000173050) at vio_populate_rx_mbufs+0xd4
vio_add_rx_mbuf sys/dev/pv/if_vio.c:906 [inline]
vio_populate_rx_mbufs(ffff800000173050) at vio_populate_rx_mbufs+0xd4
sys/dev/pv/if_vio.c:950
vio_rx_intr(ffff80000064d200) at vio_rx_intr+0x4d sys/dev/pv/if_vio.c:1062
intr_handler(0,ffff80000064d180) at intr_handler+0x70
sys/arch/amd64/amd64/intr.c:529
Xintr_ioapic_edge19_untramp(0,0,1388,18041969,ffff800000022a00,ffff800000022a00)
at
Xintr_ioapic_edge19_untramp+0x19f
acpicpu_idle() at acpicpu_idle+0x251 sys/dev/acpi/acpicpu.c:1187
sched_idle(0) at sched_idle+0x374 sys/kern/kern_sched.c:177
end trace frame: 0x0, count: 4
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> show panic
pool_cache_item_magic_check: mcl2k cpu free list modified: item addr
0xffffff0005ff0800+24 0x470a1ed9891e12b2!=0x470a1ed98f1e62b2
ddb{0}> trace
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
pool_cache_get(2) at pool_cache_get+0x2bf pool_cache_item_magic_check
sys/kern/subr_pool.c:1789 [inline]
pool_cache_get(2) at pool_cache_get+0x2bf sys/kern/subr_pool.c:1892
pool_get(ffffff006efb9900,2) at pool_get+0x60 sys/kern/subr_pool.c:577
m_clget(10,ffff800000173000,1) at m_clget+0x204 sys/kern/uipc_mbuf.c:394
vio_populate_rx_mbufs(ffff800000173050) at vio_populate_rx_mbufs+0xd4
vio_add_rx_mbuf sys/dev/pv/if_vio.c:906 [inline]
vio_populate_rx_mbufs(ffff800000173050) at vio_populate_rx_mbufs+0xd4
sys/dev/pv/if_vio.c:950
vio_rx_intr(ffff80000064d200) at vio_rx_intr+0x4d sys/dev/pv/if_vio.c:1062
intr_handler(0,ffff80000064d180) at intr_handler+0x70
sys/arch/amd64/amd64/intr.c:529
Xintr_ioapic_edge19_untramp(0,0,1388,18041969,ffff800000022a00,ffff800000022a00)
at
Xintr_ioapic_edge19_untramp+0x19f
acpicpu_idle() at acpicpu_idle+0x251 sys/dev/acpi/acpicpu.c:1187
sched_idle(0) at sched_idle+0x374 sys/kern/kern_sched.c:177
end trace frame: 0x0, count: -11
ddb{0}> show registers
rdi 0xffffffff81e53648 kprintf_mutex
rsi 0x5
rbp 0xffff800021039b30
rbx 0xffff800021039bd0
rdx 0x3fd
rcx 0
rax 0xffffffff81e40ff0 cpu_info_full_primary+0x1ff0
r8 0xffff800021039b00
r9 0x8080808080808080
r10 0
r11 0xffffffff811c6fd0 x86_bus_space_io_read_1
r12 0x3000000008
r13 0xffff800021039b40
r14 0x100
r15 0xffffffff81bf6405 cmd0646_9_tim_udma+0x1db0b
rip 0xffffffff81711a9a db_enter+0xa
cs 0x8
rflags 0x202
rsp 0xffff800021039b30
ss 0x10
db_enter+0xa: popq %rbp
ddb{0}> show proc
PROC (idle0) pid=262793 stat=onproc
flags process=14000<NOZOMBIE,SYSTEM> proc=40000200<SYSTEM,CPUPEG>
pri=0, usrpri=86, nice=20
forw=0xf020c0138211c8a3, list=0xffff800021031770,0xffff800021030bc8
process=0xffff8000210332f0 user=0xffff800021034000,
vmspace=0xffffffff81ec6008
estcpu=36, cpticks=188362, pctcpu=0.0
user=0, sys=0, intr=1
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
39847 112107 33109 65534 7 0x10 syz-executor0
62824 435401 70508 65534 3 0x10 biowait syz-executor1
70508 251766 80055 0 3 0x82 wait syz-executor1
33109 110118 78900 65534 3 0x90 nanosleep syz-executor0
78900 74026 80055 0 3 0x82 wait syz-executor0
29202 148140 0 0 3 0x14200 bored sosplice
80055 67422 55568 0 3 0x82 thrsleep syz-fuzzer
80055 48350 55568 0 3 0x4000082 nanosleep syz-fuzzer
80055 83683 55568 0 3 0x4000082 thrsleep syz-fuzzer
80055 101438 55568 0 3 0x4000082 kqread syz-fuzzer
80055 163128 55568 0 3 0x4000082 thrsleep syz-fuzzer
80055 454700 55568 0 3 0x4000082 thrsleep syz-fuzzer
80055 207280 55568 0 3 0x4000082 thrsleep syz-fuzzer
80055 249698 55568 0 3 0x4000082 nanosleep syz-fuzzer
80055 284324 55568 0 3 0x4000082 thrsleep syz-fuzzer
80055 226592 55568 0 3 0x4000082 thrsleep syz-fuzzer
55568 62581 15992 0 3 0x10008a pause ksh
15992 312713 86149 0 3 0x92 select sshd
13541 59165 1 0 3 0x100083 ttyin getty
86149 243509 1 0 3 0x80 select sshd
66019 442565 19526 73 3 0x100090 kqread syslogd
19526 413874 1 0 3 0x100082 netio syslogd
83616 352584 1 77 3 0x100090 poll dhclient
26573 161556 1 0 3 0x80 poll dhclient
5090 59519 0 0 2 0x14200 zerothread
75075 75751 0 0 3 0x14200 aiodoned aiodoned
54607 188728 0 0 3 0x14200 syncer update
71534 470214 0 0 3 0x14200 cleaner cleaner
13053 55157 0 0 3 0x14200 reaper reaper
63093 150174 0 0 3 0x14200 pgdaemon pagedaemon
87552 491003 0 0 3 0x14200 bored crynlk
83553 428191 0 0 3 0x14200 bored crypto
90493 280458 0 0 3 0x40014200 acpi0 acpi0
19516 478681 0 0 3 0x40014200 idle1
79885 37459 0 0 2 0x14200 softnet
20543 266593 0 0 3 0x14200 bored systqmp
86567 355122 0 0 3 0x14200 bored systq
84542 234435 0 0 3 0x40014200 bored softclock
*79507 262793 0 0 7 0x40014200 idle0
1 432109 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper


---
This bug report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

Greg Steuck

Dec 20, 2018, 12:38:37 AM12/20/18
to syzbot, syzkaller-o...@googlegroups.com
The same reproducer produces somewhat different crashes from run to run (the original panic is a pool-cache free-list magic check failing on an mbuf cluster; the one below is a page fault in pmap_page_remove during process teardown — both are consistent with an underlying memory corruption whose visible symptom depends on what gets reused). E.g. this:

ci-openbsd-multicore-repro# /home/syzkaller/q
uvm_fault(0xffffffff81ec6788, 0x7f8000100000, 0, 2) -> e
kernel: page fault trap, code=0
Stopped at pmap_page_remove+0x295: xchgq %rax,0(%r12,%rcx,1)
ddb{1}> bt
pmap_page_remove(ffffff000551cb00) at pmap_page_remove+0x295
uvm_anfree(0) at uvm_anfree+0x33
amap_wipeout(ffff800021077600) at amap_wipeout+0x11d
uvm_unmap_detach(0,ffffff007f124108) at uvm_unmap_detach+0xb7
uvm_map_teardown(0) at uvm_map_teardown+0x22c
uvmspace_free(ffff8000210712f8) at uvmspace_free+0x4c
uvm_exit(ffff8000210712f8) at uvm_exit+0x1b
reaper(0) at reaper+0x163
end trace frame: 0x0, count: -8
ddb{1}> show registers
rdi 0xa
rsi 0
rbp 0xffff800021077540
rbx 0xffffff007f123400
rdx 0x10
rcx 0x7f8000000000
rax 0
r8 0xffffff000551f680
r9 0
r10 0
r11 0xffffffff816b6a70 pool_lock_mtx_leave
r12 0x100000 acpi_pdirpa+0xebe68
r13 0xffffff0074ff0628
r14 0x80000000020df000
r15 0xffffff000551cb68
rip 0xffffffff8184b565 pmap_page_remove+0x295
cs 0x8
rflags 0x10246 __ALIGN_SIZE+0xf246
rsp 0xffff8000210774f0
ss 0x10
pmap_page_remove+0x295: xchgq %rax,0(%r12,%rcx,1)
ddb{1}>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-openbsd-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-openbsd...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-openbsd-bugs/0000000000004e88ff057d4cd83f%40google.com.
> For more options, visit https://groups.google.com/d/optout.



--
nest.cx is Gmail hosted, use PGP for anything private. Key: http://goo.gl/6dMsr
Fingerprint: 5E2B 2D0E 1E03 2046 BEC3 4D50 0B15 42BD 8DF5 A1B0

syzbot

Jun 16, 2019, 10:38:04 AM6/16/19
to gr...@nest.cx, syzkaller-o...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes have not occurred for a while, and there is no reproducer and no activity.