assert "len >= NUM && !M_READONLY(m)" failed in uipc_mbuf.c


syzbot

Feb 5, 2022, 8:40:24 AM2/5/22
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: b807ad8bb125 make bpf_movein align the packet payload.
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1261e984700000
kernel config: https://syzkaller.appspot.com/x/.config?x=fe55924c11e64b0a
dashboard link: https://syzkaller.appspot.com/bug?extid=6f29d23eca959c5a9705

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6f29d2...@syzkaller.appspotmail.com

panic: kernel diagnostic assertion "len >= 0 && !M_READONLY(m)" failed: file "/syzkaller/managers/main/kernel/sys/kern/uipc_mbuf.c", line 1384
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*391647 98914 0 0 0x4000000 0 syz-executor.4
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff8254be5b) at panic+0x161 sys/kern/subr_prf.c:202
__assert(ffffffff825bbf89,ffffffff825cdd9d,568,ffffffff8255ec6a) at __assert+0x25 sys/kern/subr_prf.c:161
m_align(fffffd80684fe900,ffffffeb) at m_align+0x1a0 sys/kern/uipc_mbuf.c:1385
bpf_movein(ffff800027f335c8,ffff800000bf8800,ffff800027f33328,ffff800027f33228) at bpf_movein+0x25e sys/net/bpf.c:228
bpfwrite(41700,ffff800027f335c8,1) at bpfwrite+0x128 sys/net/bpf.c:648
spec_write(ffff800027f33420) at spec_write+0xcb sys/kern/spec_vnops.c:309
VOP_WRITE(fffffd8073332b08,ffff800027f335c8,1,fffffd807f7d8480) at VOP_WRITE+0xbf sys/kern/vfs_vops.c:245
vn_write(fffffd8067d9f978,ffff800027f335c8,0) at vn_write+0x152 sys/kern/vfs_vnops.c:414
dofilewritev(ffff80002161ea80,3,ffff800027f335c8,0,ffff800027f336c0) at dofilewritev+0x19c sys/kern/sys_generic.c:380
sys_write(ffff80002161ea80,ffff800027f33668,ffff800027f336c0) at sys_write+0x83 sys/kern/sys_generic.c:300
syscall(ffff800027f33730) at syscall+0x44e sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xa8b00ac8f10, count: 2
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
*cpu0: kernel diagnostic assertion "len >= 0 && !M_READONLY(m)" failed: file "/syzkaller/managers/main/kernel/sys/kern/uipc_mbuf.c", line 1384
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff8254be5b) at panic+0x161 sys/kern/subr_prf.c:202
__assert(ffffffff825bbf89,ffffffff825cdd9d,568,ffffffff8255ec6a) at __assert+0x25 sys/kern/subr_prf.c:161
m_align(fffffd80684fe900,ffffffeb) at m_align+0x1a0 sys/kern/uipc_mbuf.c:1385
bpf_movein(ffff800027f335c8,ffff800000bf8800,ffff800027f33328,ffff800027f33228) at bpf_movein+0x25e sys/net/bpf.c:228
bpfwrite(41700,ffff800027f335c8,1) at bpfwrite+0x128 sys/net/bpf.c:648
spec_write(ffff800027f33420) at spec_write+0xcb sys/kern/spec_vnops.c:309
VOP_WRITE(fffffd8073332b08,ffff800027f335c8,1,fffffd807f7d8480) at VOP_WRITE+0xbf sys/kern/vfs_vops.c:245
vn_write(fffffd8067d9f978,ffff800027f335c8,0) at vn_write+0x152 sys/kern/vfs_vnops.c:414
dofilewritev(ffff80002161ea80,3,ffff800027f335c8,0,ffff800027f336c0) at dofilewritev+0x19c sys/kern/sys_generic.c:380
sys_write(ffff80002161ea80,ffff800027f33668,ffff800027f336c0) at sys_write+0x83 sys/kern/sys_generic.c:300
syscall(ffff800027f33730) at syscall+0x44e sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xa8b00ac8f10, count: -13
ddb> show registers
rdi 0
rsi 0x1
rbp 0xffff800027f33050
rbx 0x30
rdx 0xffff800000bc2600
rcx 0
rax 0xffff80002161ea80
r8 0
r9 0x8080808080808080
r10 0xdafc4fff50aac5fd
r11 0x9493992ae9870271
r12 0
r13 0xffffffeb
r14 0
r15 0x1
rip 0xffffffff8172f728 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800027f33040
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb> show proc
PROC (syz-executor.4) pid=391647 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=32, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff800028b6c2b0,0xffffffff829b39d0
process=0xffff800024aedb88 user=0xffff800027f2e000, vmspace=0xfffffd807f018660
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
56883 457330 10465 0 2 0 syz-executor.0
56883 430643 10465 0 3 0x4000080 fifow syz-executor.0
56883 255451 10465 0 3 0x4000080 fsleep syz-executor.0
56883 284320 10465 0 3 0x4000080 fsleep syz-executor.0
66330 243483 38732 0 2 0x480 syz-executor.1
66330 466084 38732 0 3 0x4000080 fsleep syz-executor.1
98914 421931 26585 0 2 0 syz-executor.4
*98914 391647 26585 0 7 0x4000000 syz-executor.4
88255 454814 634 0 2 0x480 syz-executor.7
88255 325926 634 0 3 0x4000080 netcon syz-executor.7
88255 37642 634 0 3 0x4000080 netcon syz-executor.7
88255 479718 634 0 3 0x4000080 fsleep syz-executor.7
39354 247315 67188 0 2 0x2 syz-executor.3
10465 324652 67188 0 3 0x82 nanoslp syz-executor.0
634 105485 67188 0 2 0x482 syz-executor.7
27603 268716 0 0 3 0x14280 nfsidl nfsio
36244 16737 0 0 3 0x14280 nfsidl nfsio
78324 373873 0 0 3 0x14280 nfsidl nfsio
24826 63336 0 0 3 0x14280 nfsidl nfsio
81087 113383 0 0 3 0x14280 nfsidl nfsio
98694 17758 0 0 3 0x14280 nfsidl nfsio
49964 271063 0 0 3 0x14200 bored sosplice
16454 375348 67188 0 2 0x2 syz-executor.6
53847 272912 67188 0 2 0x482 syz-executor.5
26585 515405 67188 0 3 0x82 nanoslp syz-executor.4
38732 391484 67188 0 2 0x482 syz-executor.1
89665 427791 67188 0 2 0x482 syz-executor.2
67188 331006 23099 0 3 0x82 thrsleep syz-fuzzer
67188 372167 23099 0 3 0x4000082 nanoslp syz-fuzzer
67188 424195 23099 0 3 0x4000082 thrsleep syz-fuzzer
67188 2373 23099 0 3 0x4000082 kqread syz-fuzzer
67188 182217 23099 0 3 0x4000082 thrsleep syz-fuzzer
67188 35798 23099 0 3 0x4000082 thrsleep syz-fuzzer
67188 356756 23099 0 3 0x4000082 thrsleep syz-fuzzer
67188 429971 23099 0 3 0x4000082 thrsleep syz-fuzzer
67188 206945 23099 0 3 0x4000082 thrsleep syz-fuzzer
23099 486287 1425 0 3 0x10008a sigsusp ksh
1425 411083 80406 0 3 0x9a poll sshd
21538 104676 1 0 3 0x100083 ttyin getty
80406 519700 1 0 3 0x88 poll sshd
92153 44724 21279 73 3 0x100090 kqread syslogd
21279 200516 1 0 3 0x100082 netio syslogd
75286 264191 1 0 3 0x100080 kqread resolvd
46612 294112 510 77 3 0x100092 kqread dhcpleased
43197 32440 510 77 3 0x100092 kqread dhcpleased
510 164747 1 0 3 0x80 kqread dhcpleased
31943 380432 0 0 3 0x14200 bored smr
29745 214436 0 0 2 0x14200 zerothread
1383 103860 0 0 3 0x14200 aiodoned aiodoned
87561 230387 0 0 3 0x14200 syncer update
19808 254644 0 0 3 0x14200 cleaner cleaner
31627 378 0 0 3 0x14200 reaper reaper
19262 210304 0 0 3 0x14200 pgdaemon pagedaemon
27823 103146 0 0 3 0x14200 bored viomb
83237 441508 0 0 3 0x40014200 acpi0 acpi0
94628 366994 0 0 3 0x14200 bored softnet
58912 409040 0 0 3 0x14200 bored systqmp
52300 396248 0 0 3 0x14200 bored systq
7172 311557 0 0 2 0x40014200 softclock
67204 469251 0 0 3 0x40014200 idle0
1 355720 0 0 3 0x80082 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb> show all locks
No such command
ddb> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10195 6597K 7504K 78643K 15688 0
pcb 13 12K 14K 78643K 213 0
rtable 270 13K 16K 78643K 742 0
ifaddr 87 18K 19K 78643K 288 0
sysctl 2 0K 0K 78643K 2 0
counters 27 17K 17K 78643K 44 0
ioctlops 0 0K 4K 78643K 518 0
iov 0 0K 16K 78643K 151 0
mount 1 1K 1K 78643K 1 0
log 0 0K 0K 78643K 4 0
vnodes 1347 84K 84K 78643K 3019 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 9K 78643K 24 0
VM map 2 0K 0K 78643K 2 0
sem 12 0K 0K 78643K 200 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12548 0
file desc 14 49K 77K 78643K 1186 0
sigio 0 0K 0K 78643K 48 0
proc 61 55K 71K 78643K 643 0
subproc 104 6K 6K 78643K 169 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
ip_moptions 0 0K 0K 78643K 37 0
in_multi 99 6K 6K 78643K 166 0
ether_multi 1 0K 0K 78643K 10 0
mrt 0 0K 0K 78643K 6 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 151 678K 678K 78643K 151 0
exec 0 0K 2K 78643K 953 0
tdb 3 0K 0K 78643K 3 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 7 26K 26K 78643K 7 0
UVM amap 317 211K 1057K 78643K 15686 0
UVM aobj 93 3K 3K 78643K 95 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
ip6_options 0 0K 0K 78643K 18 0
NDP 11 0K 1K 78643K 54 0
temp 129 4699K 4763K 78643K 14127 0
kqueue 10 14K 20K 78643K 72 0
SYN cache 2 16K 16K 78643K 2 0
ddb> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
rtpcb 120 226 0 223 5 2 3 3 0 8 2
rtentry 112 179 0 66 4 0 4 4 0 8 0
unpcb 136 1232 0 1217 11 10 1 9 0 8 0
syncache 296 11 0 11 3 3 0 1 0 8 0
tcpqe 32 1 0 1 1 1 0 1 0 8 0
tcpcb 736 199 0 192 9 7 2 8 0 8 0
arp 88 31 0 13 1 0 1 1 0 8 0
inpcb 304 847 0 838 11 5 6 6 0 8 5
nd6 48 43 0 16 1 0 1 1 0 8 0
kcovpl 48 13 0 5 1 0 1 1 0 8 0
ppxss 1152 3 0 3 1 0 1 1 0 8 1
pfstscr 40 6 0 5 1 0 1 1 0 8 0
pfrktable 1344 76 0 65 3 1 2 2 0 8 0
pftag 88 1 0 0 1 0 1 1 0 8 0
pfstitem 24 8 0 6 1 0 1 1 0 8 0
pfstkey 112 12 0 10 1 0 1 1 0 8 0
pfstate 320 6 0 5 1 0 1 1 0 8 0
pfrule 1360 131 0 115 3 1 2 2 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 696 0 226 30 0 30 30 0 8 0
art_table 32 697 0 226 4 0 4 4 0 8 0
art_node 16 178 0 75 1 0 1 1 0 8 0
sysvmsgpl 40 2 0 0 1 0 1 1 0 8 0
semapl 112 198 0 188 1 0 1 1 0 8 0
shmpl 112 92 0 2 4 1 3 3 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 3074 0 1636 91 0 91 91 0 8 0
ffsino 240 3074 0 1636 85 0 85 85 0 8 0
nchpl 144 4763 0 3137 63 0 63 63 0 8 0
uvmvnodes 80 4609 0 0 95 0 95 95 0 8 0
vnodes 224 4609 0 0 272 0 272 272 0 8 0
namei 1024 19480 0 19478 2 1 1 2 0 8 0
vcpupl 1984 9 0 0 2 0 2 2 0 8 0
vmpool 528 12 0 3 1 0 1 1 0 8 0
pfiaddrpl 120 31 0 18 2 1 1 1 0 8 0
scxspl 216 14448 0 14448 10 9 1 8 0 8 1
plimitpl 152 139 0 125 1 0 1 1 0 8 0
sigapl 424 1468 0 1423 7 1 6 6 0 8 0
futexpl 64 11908 0 11904 1 0 1 1 0 8 0
knotepl 112 722 0 648 3 0 3 3 0 8 0
kqueuepl 184 322 0 314 5 3 2 4 0 8 1
pipepl 304 249 0 220 8 5 3 8 0 8 0
fdescpl 432 1448 0 1423 4 0 4 4 0 8 0
filepl 120 11247 0 10999 27 13 14 20 0 8 6
lockfpl 104 561 0 558 2 1 1 2 0 8 0
lockfspl 48 86 0 83 1 0 1 1 0 8 0
sessionpl 144 28 0 12 1 0 1 1 0 8 0
pgrppl 48 48 0 32 1 0 1 1 0 8 0
ucredpl 96 1455 0 1445 1 0 1 1 0 8 0
zombiepl 144 1423 0 1421 1 0 1 1 0 8 0
processpl 1000 1468 0 1421 7 0 7 7 0 8 0
procpl 672 3119 0 3056 8 1 7 7 0 8 1
sosppl 168 11 0 11 2 2 0 1 0 8 0
sockpl 448 2307 0 2280 52 41 11 30 0 8 7
mcl64k 65536 93 0 93 2 1 1 1 0 8 1
mcl16k 16384 18 0 18 3 2 1 1 0 8 1
mcl12k 12288 51 0 51 2 1 1 1 0 8 1
mcl9k 9216 17 0 17 3 2 1 1 0 8 1
mcl8k 8192 80 0 80 2 1 1 1 0 8 1
mcl4k 4096 133 0 133 2 1 1 1 0 8 1
mcl2k2 2112 10 0 10 3 2 1 1 0 8 1
mcl2k 2048 77141 0 77025 19 3 16 16 0 8 0
mtagpl 96 234 0 63 6 1 5 5 0 8 0
mbufpl 256 129506 0 129119 49 17 32 48 0 8 5
bufpl 288 6181 0 143 432 0 432 432 0 8 0
anonpl 24 375250 0 358051 144 24 120 141 0 188 3
amapchunkpl 152 364979 0 364210 4899 4737 162 4423 0 158 129
amappl16 200 3599 0 2986 46 12 34 46 0 8 0
amappl15 192 393 0 384 1 0 1 1 0 8 0
amappl14 184 45 0 42 1 0 1 1 0 8 0
amappl13 176 112 0 110 1 0 1 1 0 8 0
amappl12 168 204 0 200 1 0 1 1 0 8 0
amappl11 160 208 0 196 1 0 1 1 0 8 0
amappl10 152 27 0 25 1 0 1 1 0 8 0
amappl9 144 829 0 821 1 0 1 1 0 8 0
amappl8 136 676 0 622 2 0 2 2 0 8 0
amappl7 128 153 0 143 1 0 1 1 0 8 0
amappl6 120 580 0 559 2 1 1 2 0 8 0
amappl5 112 992 0 978 1 0 1 1 0 8 0
amappl4 104 1162 0 1131 2 0 2 2 0 8 0
amappl3 96 460 0 447 1 0 1 1 0 8 0
amappl2 88 796 0 750 3 1 2 3 0 8 0
amappl1 80 28757 0 28215 19 6 13 18 0 8 0
amappl 88 15135 0 14907 8 1 7 7 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 94 0 2 2 0 2 2 0 8 0
uaddrrnd 24 1460 0 1426 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 1460 0 1426 1 0 1 1 0 8 0
vmmpekpl 168 14627 0 14574 3 0 3 3 0 8 0
vmmpepl 168 138564 0 136207 131 8 123 126 0 357 7
vmsppl 272 1459 0 1426 4 1 3 3 0 8 0
rwobjpl 24 37966 0 31724 38 0 38 38 0 8 0
pdppl 4096 2926 0 2861 153 80 73 73 0 8 8
pvpl 32 744663 0 723727 240 43 197 238 0 265 7
pmappl 216 1459 0 1426 3 0 3 3 0 8 0
extentpl 40 58 0 38 1 0 1 1 0 8 0
phpool 112 945 0 158 23 0 23 23 0 8 0
ddb> machine ddbcpu 0
No such command
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff8254be5b) at panic+0x161 sys/kern/subr_prf.c:202
__assert(ffffffff825bbf89,ffffffff825cdd9d,568,ffffffff8255ec6a) at __assert+0x25 sys/kern/subr_prf.c:161
m_align(fffffd80684fe900,ffffffeb) at m_align+0x1a0 sys/kern/uipc_mbuf.c:1385
bpf_movein(ffff800027f335c8,ffff800000bf8800,ffff800027f33328,ffff800027f33228) at bpf_movein+0x25e sys/net/bpf.c:228
bpfwrite(41700,ffff800027f335c8,1) at bpfwrite+0x128 sys/net/bpf.c:648
spec_write(ffff800027f33420) at spec_write+0xcb sys/kern/spec_vnops.c:309
VOP_WRITE(fffffd8073332b08,ffff800027f335c8,1,fffffd807f7d8480) at VOP_WRITE+0xbf sys/kern/vfs_vops.c:245
vn_write(fffffd8067d9f978,ffff800027f335c8,0) at vn_write+0x152 sys/kern/vfs_vnops.c:414
dofilewritev(ffff80002161ea80,3,ffff800027f335c8,0,ffff800027f336c0) at dofilewritev+0x19c sys/kern/sys_generic.c:380
sys_write(ffff80002161ea80,ffff800027f33668,ffff800027f336c0) at sys_write+0x83 sys/kern/sys_generic.c:300
syscall(ffff800027f33730) at syscall+0x44e sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xa8b00ac8f10, count: -13
ddb> machine ddbcpu 1
No such command
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff8254be5b) at panic+0x161 sys/kern/subr_prf.c:202
__assert(ffffffff825bbf89,ffffffff825cdd9d,568,ffffffff8255ec6a) at __assert+0x25 sys/kern/subr_prf.c:161
m_align(fffffd80684fe900,ffffffeb) at m_align+0x1a0 sys/kern/uipc_mbuf.c:1385
bpf_movein(ffff800027f335c8,ffff800000bf8800,ffff800027f33328,ffff800027f33228) at bpf_movein+0x25e sys/net/bpf.c:228
bpfwrite(41700,ffff800027f335c8,1) at bpfwrite+0x128 sys/net/bpf.c:648
spec_write(ffff800027f33420) at spec_write+0xcb sys/kern/spec_vnops.c:309
VOP_WRITE(fffffd8073332b08,ffff800027f335c8,1,fffffd807f7d8480) at VOP_WRITE+0xbf sys/kern/vfs_vops.c:245
vn_write(fffffd8067d9f978,ffff800027f335c8,0) at vn_write+0x152 sys/kern/vfs_vnops.c:414
dofilewritev(ffff80002161ea80,3,ffff800027f335c8,0,ffff800027f336c0) at dofilewritev+0x19c sys/kern/sys_generic.c:380
sys_write(ffff80002161ea80,ffff800027f33668,ffff800027f336c0) at sys_write+0x83 sys/kern/sys_generic.c:300
syscall(ffff800027f33730) at syscall+0x44e sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xa8b00ac8f10, count: -13


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Feb 5, 2022, 8:51:22 AM2/5/22
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: b807ad8bb125 make bpf_movein align the packet payload.
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1669ba62700000
kernel config: https://syzkaller.appspot.com/x/.config?x=bf87b6915a88cd0d
dashboard link: https://syzkaller.appspot.com/bug?extid=6f29d23eca959c5a9705
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14e77494700000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6f29d2...@syzkaller.appspotmail.com

login: panic: kernel diagnostic assertion "len >= 0 && !M_READONLY(m)" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/uipc_mbuf.c", line 1384
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
371023 70867 0 0 0 0 syz-executor.0
*370516 70867 0 0 0x4000000 1K syz-executor.0
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff82574ae4) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff825eb323,ffffffff825605fb,568,ffffffff8258ec0b) at __assert+0x25 sys/kern/subr_prf.c:161
m_align(fffffd806f2e1600,ffffffc5) at m_align+0x1a0 sys/kern/uipc_mbuf.c:1385
bpf_movein(ffff800021204690,ffff800000ba4000,ffff8000212043f8,ffff8000212042f8) at bpf_movein+0x25e sys/net/bpf.c:228
bpfwrite(31700,ffff800021204690,1) at bpfwrite+0x169 sys/net/bpf.c:648
spec_write(ffff8000212044f0) at spec_write+0xd4 sys/kern/spec_vnops.c:309
VOP_WRITE(fffffd806a964be0,ffff800021204690,1,fffffd807f7d8a80) at VOP_WRITE+0xbf sys/kern/vfs_vops.c:245
vn_write(fffffd806e534e50,ffff800021204690,1) at vn_write+0x1a1 sys/kern/vfs_vnops.c:414
dofilewritev(ffff8000ffff6540,3,ffff800021204690,1,ffff800021204790) at dofilewritev+0x19c sys/kern/sys_generic.c:380
sys_pad_pwrite(ffff8000ffff6540,ffff800021204738,ffff800021204790) at sys_pad_pwrite+0x92 sys_pwrite sys/kern/vfs_syscalls.c:3354 [inline]
sys_pad_pwrite(ffff8000ffff6540,ffff800021204738,ffff800021204790) at sys_pad_pwrite+0x92 sys/kern/vfs_syscalls.c:3426
syscall(ffff800021204800) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800021204800) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x26956738ad0, count: 2
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu1: kernel diagnostic assertion "len >= 0 && !M_READONLY(m)" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/uipc_mbuf.c", line 1384
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff82574ae4) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff825eb323,ffffffff825605fb,568,ffffffff8258ec0b) at __assert+0x25 sys/kern/subr_prf.c:161
m_align(fffffd806f2e1600,ffffffc5) at m_align+0x1a0 sys/kern/uipc_mbuf.c:1385
bpf_movein(ffff800021204690,ffff800000ba4000,ffff8000212043f8,ffff8000212042f8) at bpf_movein+0x25e sys/net/bpf.c:228
bpfwrite(31700,ffff800021204690,1) at bpfwrite+0x169 sys/net/bpf.c:648
spec_write(ffff8000212044f0) at spec_write+0xd4 sys/kern/spec_vnops.c:309
VOP_WRITE(fffffd806a964be0,ffff800021204690,1,fffffd807f7d8a80) at VOP_WRITE+0xbf sys/kern/vfs_vops.c:245
vn_write(fffffd806e534e50,ffff800021204690,1) at vn_write+0x1a1 sys/kern/vfs_vnops.c:414
dofilewritev(ffff8000ffff6540,3,ffff800021204690,1,ffff800021204790) at dofilewritev+0x19c sys/kern/sys_generic.c:380
sys_pad_pwrite(ffff8000ffff6540,ffff800021204738,ffff800021204790) at sys_pad_pwrite+0x92 sys_pwrite sys/kern/vfs_syscalls.c:3354 [inline]
sys_pad_pwrite(ffff8000ffff6540,ffff800021204738,ffff800021204790) at sys_pad_pwrite+0x92 sys/kern/vfs_syscalls.c:3426
syscall(ffff800021204800) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800021204800) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x26956738ad0, count: -13
ddb{1}> show registers
rdi 0
rsi 0x1
rbp 0xffff800021204110
rbx 0xffff800020ce9bff
rdx 0x3fd
rcx 0
rax 0x94
r8 0x101010101010101
r9 0x8080808080808080
r10 0x17ffe1dc0e6303cd
r11 0x921269a3e7d0a8fb
r12 0xffff800020ce9a00
r13 0
r14 0
r15 0x1
rip 0xffffffff812d1e98 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800021204100
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor.0) pid=370516 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=32, usrpri=51, nice=20
forw=0xffffffffffffffff, list=0xffff8000ffff67e0,0xffffffff82b00788
process=0xffff8000ffff8008 user=0xffff8000211ff000, vmspace=0xfffffd800871a450
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
70867 371023 622 0 7 0 syz-executor.0
*70867 370516 622 0 7 0x4000000 syz-executor.0
622 383275 925 0 3 0x82 nanoslp syz-executor.0
925 451377 97589 0 3 0x82 thrsleep syz-execprog
925 240038 97589 0 3 0x4000082 nanoslp syz-execprog
925 121277 97589 0 3 0x4000082 thrsleep syz-execprog
925 75962 97589 0 3 0x4000082 nanoslp syz-execprog
925 420919 97589 0 3 0x4000082 thrsleep syz-execprog
925 362924 97589 0 3 0x4000082 thrsleep syz-execprog
925 83485 97589 0 3 0x4000082 thrsleep syz-execprog
925 82179 97589 0 3 0x4000082 kqread syz-execprog
925 258085 97589 0 3 0x4000082 thrsleep syz-execprog
97589 113512 25578 0 3 0x10008a sigsusp ksh
25578 182779 75965 0 3 0x9a poll sshd
97542 281352 1 0 3 0x100083 ttyin getty
75965 349727 1 0 3 0x88 poll sshd
86274 477726 69915 74 3 0x100092 bpf pflogd
69915 84823 1 0 3 0x80 netio pflogd
25412 413556 72343 73 3 0x100090 kqread syslogd
72343 470272 1 0 3 0x100082 netio syslogd
48789 184045 1 0 3 0x100080 kqread resolvd
74588 140931 12895 77 3 0x100092 kqread dhcpleased
56701 512227 12895 77 3 0x100092 kqread dhcpleased
12895 219634 1 0 3 0x80 kqread dhcpleased
87070 92338 0 0 3 0x14200 bored smr
67285 292136 0 0 2 0x14200 zerothread
32870 157306 0 0 3 0x14200 aiodoned aiodoned
62107 275194 0 0 3 0x14200 syncer update
66488 494866 0 0 3 0x14200 cleaner cleaner
34109 183525 0 0 3 0x14200 reaper reaper
24006 363874 0 0 3 0x14200 pgdaemon pagedaemon
33632 3206 0 0 3 0x14200 bored viomb
96972 197009 0 0 3 0x40014200 acpi0 acpi0
98811 517573 0 0 3 0x40014200 idle1
74736 420634 0 0 3 0x14200 bored softnet
14376 91968 0 0 3 0x14200 bored systqmp
11225 18728 0 0 3 0x14200 bored systq
20510 63620 0 0 3 0x40014200 bored softclock
47195 280129 0 0 3 0x40014200 idle0
1 451534 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
Process 70867 (syz-executor.0) thread 0xffff8000ffff6540 (370516)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82ac6568)
#0 witness_lock+0x44d
#1 vn_write+0x42 sys/kern/vfs_vnops.c:399
#2 dofilewritev+0x19c sys/kern/sys_generic.c:380
#3 sys_pad_pwrite+0x92 sys_pwrite sys/kern/vfs_syscalls.c:3354 [inline]
#3 sys_pad_pwrite+0x92 sys/kern/vfs_syscalls.c:3426
#4 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#4 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#5 Xsyscall+0x128
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10157 6522K 6522K 78643K 11247 0
pcb 13 8K 8K 78643K 13 0
rtable 84 2K 3K 78643K 142 0
ifaddr 37 9K 9K 78643K 40 0
counters 42 33K 33K 78643K 42 0
ioctlops 0 0K 4K 78643K 1480 0
mount 1 1K 1K 78643K 1 0
log 0 0K 0K 78643K 5 0
vnodes 1168 73K 73K 78643K 1181 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 1K 78643K 2 0
VM map 2 1K 1K 78643K 2 0
sem 2 0K 0K 78643K 2 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12548 0
file desc 4 9K 13K 78643K 21 0
proc 67 87K 99K 78643K 310 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
in_multi 22 1K 1K 78643K 22 0
ether_multi 1 0K 0K 78643K 1 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 25 122K 122K 78643K 25 0
exec 0 0K 2K 78643K 481 0
tdb 3 0K 0K 78643K 3 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 7 26K 26K 78643K 7 0
UVM amap 143 15K 15K 78643K 2473 0
UVM aobj 3 2K 2K 78643K 3 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
NDP 7 0K 0K 78643K 7 0
temp 29 4682K 4745K 78643K 3591 0
kqueue 10 14K 14K 78643K 10 0
SYN cache 2 16K 16K 78643K 2 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 22 0 0 1 0 1 1 0 8 0
rtpcb 120 19 0 16 1 0 1 1 0 8 0
rtentry 112 34 0 1 1 0 1 1 0 8 0
unpcb 136 35 0 20 1 0 1 1 0 8 0
syncache 296 5 0 5 2 1 1 1 0 8 1
tcpcb 736 8 0 5 1 0 1 1 0 8 0
arp 120 4 0 0 1 0 1 1 0 8 0
inpcb 304 36 0 30 1 0 1 1 0 8 0
nd6 48 3 0 0 1 0 1 1 0 8 0
pfosfp 40 1428 0 1005 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfstitem 24 11 0 2 1 0 1 1 0 8 0
pfstkey 112 11 0 2 1 0 1 1 0 8 0
pfstate 320 11 0 2 1 0 1 1 0 8 0
pfrule 1360 21 0 16 2 1 1 2 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 144 0 0 9 0 9 9 0 8 0
art_table 32 145 0 0 2 0 2 2 0 8 0
art_node 16 33 0 3 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 1451 0 49 88 0 88 88 0 8 0
ffsino 272 1451 0 49 94 0 94 94 0 8 0
nchpl 144 1679 0 59 60 0 60 60 0 8 0
uvmvnodes 80 1462 0 0 30 0 30 30 0 8 0
vnodes 224 1462 0 0 86 0 86 86 0 8 0
namei 1024 5145 0 5145 3 1 2 2 0 8 2
percpumem 16 33 0 0 1 0 1 1 0 8 0
scxspl 216 5404 0 5404 10 8 2 8 0 8 2
plimitpl 152 17 0 9 1 0 1 1 0 8 0
sigapl 424 347 0 316 5 0 5 5 0 8 1
futexpl 64 1 0 1 1 0 1 1 0 8 1
knotepl 112 50 0 0 2 0 2 2 0 8 0
kqueuepl 216 6 0 0 1 0 1 1 0 8 0
pipepl 336 106 0 99 2 1 1 1 0 8 0
fdescpl 496 333 0 316 4 0 4 4 0 8 1
filepl 152 1350 0 1279 4 0 4 4 0 8 1
lockfpl 104 6 0 4 1 0 1 1 0 8 0
lockfspl 48 4 0 2 1 0 1 1 0 8 0
sessionpl 144 19 0 9 1 0 1 1 0 8 0
pgrppl 48 19 0 9 1 0 1 1 0 8 0
ucredpl 96 69 0 57 1 0 1 1 0 8 0
zombiepl 144 316 0 316 2 1 1 1 0 8 1
processpl 1064 347 0 316 3 0 3 3 0 8 0
procpl 672 356 0 316 4 0 4 4 0 8 0
sockpl 480 90 0 66 5 1 4 4 0 8 0
mcl8k 8192 4 0 0 1 0 1 1 0 8 0
mcl4k 4096 5 0 0 1 0 1 1 0 8 0
mcl2k 2048 62 0 0 8 1 7 8 0 8 0
mtagpl 96 2 0 0 1 0 1 1 0 8 0
mbufpl 256 120 0 0 7 0 7 7 0 8 0
bufpl 288 3566 0 146 245 0 245 245 0 8 0
anonpl 24 49123 0 45178 50 4 46 46 0 186 21
amapchunkpl 152 4935 0 4597 20 0 20 20 0 158 6
amappl16 200 145 0 87 6 1 5 5 0 8 0
amappl15 192 85 0 80 1 0 1 1 0 8 0
amappl14 184 4 0 3 1 0 1 1 0 8 0
amappl13 176 51 0 48 2 1 1 1 0 8 0
amappl12 168 7 0 6 2 1 1 1 0 8 0
amappl11 160 49 0 34 1 0 1 1 0 8 0
amappl10 152 23 0 20 1 0 1 1 0 8 0
amappl9 144 439 0 436 1 0 1 1 0 8 0
amappl8 136 435 0 410 2 0 2 2 0 8 0
amappl7 128 94 0 84 1 0 1 1 0 8 0
amappl6 120 182 0 164 2 0 2 2 0 8 1
amappl5 112 162 0 149 1 0 1 1 0 8 0
amappl4 104 700 0 679 2 0 2 2 0 8 1
amappl3 96 145 0 135 1 0 1 1 0 8 0
amappl2 88 481 0 437 3 0 3 3 0 8 1
amappl1 80 9675 0 9246 20 2 18 18 0 8 9
amappl 88 2139 0 2027 4 0 4 4 0 92 1
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 2 0 0 1 0 1 1 0 8 0
uaddrrnd 24 333 0 316 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 333 0 316 1 0 1 1 0 8 0
vmmpekpl 168 8047 0 8027 2 0 2 2 0 8 0
vmmpepl 168 31840 0 30674 96 5 91 91 0 357 40
vmsppl 368 332 0 316 3 0 3 3 0 8 1
rwobjpl 56 10812 0 8614 41 0 41 41 0 8 6
pdppl 4096 673 0 632 77 20 57 57 0 8 16
pvpl 32 216096 0 209205 268 7 261 261 0 265 201
pmappl 248 332 0 316 2 0 2 2 0 8 0
extentpl 40 58 0 38 1 0 1 1 0 8 0
phpool 112 548 0 26 15 0 15 15 0 8 0
ddb{1}> machine ddbcpu 0
Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp
x86_ipi_db(ffffffff82952ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__mp_lock(ffffffff82ac6360) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82ac6360) at __mp_lock+0x122 sys/kern/kern_lock.c:147
softintr_dispatch(0) at softintr_dispatch+0x4e sys/arch/amd64/amd64/softintr.c:88
Xsoftclock() at Xsoftclock+0x1f
end of kernel
end trace frame: 0x7f7ffffcfe00, count: 9
ddb{0}> trace
x86_ipi_db(ffffffff82952ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__mp_lock(ffffffff82ac6360) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82ac6360) at __mp_lock+0x122 sys/kern/kern_lock.c:147
softintr_dispatch(0) at softintr_dispatch+0x4e sys/arch/amd64/amd64/softintr.c:88
Xsoftclock() at Xsoftclock+0x1f
end of kernel
end trace frame: 0x7f7ffffcfe00, count: -6
ddb{0}> machine ddbcpu 1
Stopped at db_enter+0x18: addq $0x8,%rsp
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff82574ae4) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff825eb323,ffffffff825605fb,568,ffffffff8258ec0b) at __assert+0x25 sys/kern/subr_prf.c:161
m_align(fffffd806f2e1600,ffffffc5) at m_align+0x1a0 sys/kern/uipc_mbuf.c:1385
bpf_movein(ffff800021204690,ffff800000ba4000,ffff8000212043f8,ffff8000212042f8) at bpf_movein+0x25e sys/net/bpf.c:228
bpfwrite(31700,ffff800021204690,1) at bpfwrite+0x169 sys/net/bpf.c:648
spec_write(ffff8000212044f0) at spec_write+0xd4 sys/kern/spec_vnops.c:309
VOP_WRITE(fffffd806a964be0,ffff800021204690,1,fffffd807f7d8a80) at VOP_WRITE+0xbf sys/kern/vfs_vops.c:245
vn_write(fffffd806e534e50,ffff800021204690,1) at vn_write+0x1a1 sys/kern/vfs_vnops.c:414
dofilewritev(ffff8000ffff6540,3,ffff800021204690,1,ffff800021204790) at dofilewritev+0x19c sys/kern/sys_generic.c:380
sys_pad_pwrite(ffff8000ffff6540,ffff800021204738,ffff800021204790) at sys_pad_pwrite+0x92 sys_pwrite sys/kern/vfs_syscalls.c:3354 [inline]
sys_pad_pwrite(ffff8000ffff6540,ffff800021204738,ffff800021204790) at sys_pad_pwrite+0x92 sys/kern/vfs_syscalls.c:3426
syscall(ffff800021204800) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800021204800) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x26956738ad0, count: 2
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff82574ae4) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff825eb323,ffffffff825605fb,568,ffffffff8258ec0b) at __assert+0x25 sys/kern/subr_prf.c:161
m_align(fffffd806f2e1600,ffffffc5) at m_align+0x1a0 sys/kern/uipc_mbuf.c:1385
bpf_movein(ffff800021204690,ffff800000ba4000,ffff8000212043f8,ffff8000212042f8) at bpf_movein+0x25e sys/net/bpf.c:228
bpfwrite(31700,ffff800021204690,1) at bpfwrite+0x169 sys/net/bpf.c:648
spec_write(ffff8000212044f0) at spec_write+0xd4 sys/kern/spec_vnops.c:309
VOP_WRITE(fffffd806a964be0,ffff800021204690,1,fffffd807f7d8a80) at VOP_WRITE+0xbf sys/kern/vfs_vops.c:245
vn_write(fffffd806e534e50,ffff800021204690,1) at vn_write+0x1a1 sys/kern/vfs_vnops.c:414
dofilewritev(ffff8000ffff6540,3,ffff800021204690,1,ffff800021204790) at dofilewritev+0x19c sys/kern/sys_generic.c:380
sys_pad_pwrite(ffff8000ffff6540,ffff800021204738,ffff800021204790) at sys_pad_pwrite+0x92 sys_pwrite sys/kern/vfs_syscalls.c:3354 [inline]
sys_pad_pwrite(ffff8000ffff6540,ffff800021204738,ffff800021204790) at sys_pad_pwrite+0x92 sys/kern/vfs_syscalls.c:3426
syscall(ffff800021204800) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800021204800) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x26956738ad0, count: -13
ddb{1}>

Greg Steuck

Feb 5, 2022, 10:49:14 PM2/5/22
to syzbot, Claudio Jeker, 'Dmitry Vyukov' via syzkaller-openbsd-bugs
Interesting, looks like the assert was falsified and syzkaller even managed to squeeze a syz repro out of it

m_align(struct mbuf *m, int len)
{
1384: KASSERT(len >= 0 && !M_READONLY(m));

--


--
nest.cx is Gmail hosted, use PGP: https://pgp.key-server.io/0x0B1542BD8DF5A1B0
Fingerprint: 5E2B 2D0E 1E03 2046 BEC3  4D50 0B15 42BD 8DF5 A1B0

Alexander Bluhm

Feb 7, 2022, 8:10:38 AM2/7/22
to Greg Steuck, David Gwynne, syzbot, Claudio Jeker, 'Dmitry Vyukov' via syzkaller-openbsd-bugs
On Sat, Feb 05, 2022 at 07:49:02PM -0800, Greg Steuck wrote:
> Interesting, looks like the assert was falsified and syzkaller even managed
> to squeeze a syz repro out of it
>
> m_align(struct mbuf *m, int len)
> {
> 1384: KASSERT(len >= 0 && !M_READONLY(m));

The length value in bpf_movein() is cast from size_t to u_int and
then rounded before it is checked. I think the easiest way to avoid
the overflow is to apply the same check before those calculations.

ok?

bluhm

Index: net/bpf.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/bpf.c,v
retrieving revision 1.211
diff -u -p -r1.211 bpf.c
--- net/bpf.c 5 Feb 2022 04:08:27 -0000 1.211
+++ net/bpf.c 7 Feb 2022 12:58:59 -0000
@@ -198,6 +198,8 @@ bpf_movein(struct uio *uio, struct bpf_d
return (EIO);
}

+ if (uio->uio_resid > MAXMCLBYTES)
+ return (EMSGSIZE);
len = uio->uio_resid;
if (len < hlen)
return (EINVAL);
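Review bot: The added `uio_resid > MAXMCLBYTES` guard is the part that stops the wrap, but nothing at the check says why it exists, and since an almost identical `mlen > MAXMCLBYTES` test already sits a few lines below, a later cleanup could merge the two and silently reintroduce the bug. Its value comes from comparing `uio_resid` while it is still a size_t, before the narrowing assignment to `len` and the `roundup(alen, sizeof(long))` that can wrap once `len` has been truncated (the declarations of `len`, `alen` and `hlen` are outside the hunk, so this rests on the patch description rather than on visible lines). A short comment would pin that down: `/* Bound uio_resid while it is still a size_t; once narrowed to len, a huge value would wrap in roundup() below and slip past the mlen check. */`. Worth noting as well that the reported panic is a KASSERT, so on a kernel built without DIAGNOSTIC the negative length would have reached m_align()'s pointer arithmetic unchecked, which makes the early bound a correctness fix rather than just an assertion fix. bpf_movein() begins and ends outside the hunk.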
@@ -211,7 +213,6 @@ bpf_movein(struct uio *uio, struct bpf_d
* Allocate enough space for headers and the aligned payload.
*/
mlen = max(max_linkhdr, hlen) + roundup(alen, sizeof(long));
-
if (mlen > MAXMCLBYTES)
return (EMSGSIZE);