malloc: free list modified: free (4)


syzbot

Jul 13, 2023, 5:12:49 AM7/13/23
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: aa8d54b2e065 address incomplete validation of ELF program ..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=121de628a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=1bc15e68cd2a49e5
dashboard link: https://syzkaller.appspot.com/bug?extid=58e7661fea8a101c4e3c

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8ac355fcf787/disk-aa8d54b2.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/bdc25372d005/bsd-aa8d54b2.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3a670c81151d/kernel-aa8d54b2.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+58e766...@syzkaller.appspotmail.com

panic: Data modified on freelist: word 4 of object 0xffff800000e09600 size 0x200 previous type free (0x6563 != 0xdeafbead)

Starting stack trace...
panic(ffffffff8276969b) at panic+0x159 sys/kern/subr_prf.c:229
malloc(200,2,1) at malloc+0xa85 sys/kern/kern_malloc.c:362
spkropen(1b00,8001,2000,ffff800021704b10) at spkropen+0xc0 sys/dev/isa/spkr.c:414
spec_open(ffff80002172e7b8) at spec_open+0x3e3 sys/kern/spec_vnops.c:150
VOP_OPEN(fffffd806eda5718,8001,fffffd807f7d76e8,ffff800021704b10) at VOP_OPEN+0x70 sys/kern/vfs_vops.c:138
vn_open(ffff80002172ea08,8001,0) at vn_open+0x452 sys/kern/vfs_vnops.c:177
doopenat(ffff800021704b10,ffffff9c,20002e00,8000,0,ffff80002172ebe0) at doopenat+0x26e sys/kern/vfs_syscalls.c:1126
syscall(ffff80002172ec60) at syscall+0x4a8 sys/arch/amd64/amd64/trap.c:623
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x4ad2af419a0, count: 248
End of stack trace.
syncing disks...11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 giving up

dump to dev 4,1 not possible
rebooting...
SeaBIOS (version 1.8.2-google)
Total RAM Size = 0x0000000080000000 = 2048 MiB
CPUs found: 2 Max CPUs supported: 2
SeaBIOS (version 1.8.2-google)
Machine UUID db0dc653-7a57-7afa-fd77-d87c02d918a4
found virtio-scsi at 0:3
virtio-scsi vendor='Google' product='PersistentDisk' rev='1' type=0 removable=0
virtio-scsi blksize=512 sectors=4194304 = 2048 MiB
drive 0x000f2850: PCHS=0/0/0 translation=lba LCHS=520/128/63 s=4194304
Sending Seabios boot VM event.
Booting from Hard Disk 0...
>> OpenBSD/amd64 BOOT 3.56
boot> show malloc
boot: illegal argument malloc
boot> show all pools
boot> machine ddbcpu 0
machine: syntax error
boot> trace
boot> machine ddbcpu 1
machine: syntax error
boot> trace


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Jul 13, 2023, 11:57:46 PM7/13/23
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 996ed212dfaa bcmp(3) tries to return length, which is a si..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=118860b0a80000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=176f6deaa80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=160f6d7aa80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/42480778cc69/disk-996ed212.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/f48f867446d5/bsd-996ed212.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/365718df41e6/kernel-996ed212.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+58e766...@syzkaller.appspotmail.com

panic: Data modified on freelist: word 4 of object 0xffff800000cc8c00 size 0x194 previous type free (0x6563 != 0xdeadbeef)

Stopped at db_enter+0x1c: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*416028 48250 0 0 0 0 syz-executor2850578658
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8277078e) at panic+0x165 sys/kern/subr_prf.c:198
malloc(194,2,a) at malloc+0xa85 sys/kern/kern_malloc.c:362
disk_attach(ffff8000006b5000,ffff8000006b5048) at disk_attach+0x8e sys/kern/subr_disk.c:1082
vndioctl(2902,c0384600,ffff8000216f4150,1,ffff8000ffff2db8) at vndioctl+0xeb6 sys/dev/vnd.c:539
VOP_IOCTL(fffffd806ede1eb8,c0384600,ffff8000216f4150,1,fffffd807f7d77b8,ffff8000ffff2db8) at VOP_IOCTL+0x91 sys/kern/vfs_vops.c:264
vn_ioctl(fffffd806f89af00,c0384600,ffff8000216f4150,ffff8000ffff2db8) at vn_ioctl+0xbb sys/kern/vfs_vnops.c:525
sys_ioctl(ffff8000ffff2db8,ffff8000216f4260,ffff8000216f42b0) at sys_ioctl+0x49e
syscall(ffff8000216f4330) at syscall+0x4a8 sys/arch/amd64/amd64/trap.c:623
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7d2a35df6d40, count: 5
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
*cpu0: Data modified on freelist: word 4 of object 0xffff800000cc8c00 size 0x194 previous type free (0x6563 != 0xdeadbeef)

ddb> trace
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8277078e) at panic+0x165 sys/kern/subr_prf.c:198
malloc(194,2,a) at malloc+0xa85 sys/kern/kern_malloc.c:362
disk_attach(ffff8000006b5000,ffff8000006b5048) at disk_attach+0x8e sys/kern/subr_disk.c:1082
vndioctl(2902,c0384600,ffff8000216f4150,1,ffff8000ffff2db8) at vndioctl+0xeb6 sys/dev/vnd.c:539
VOP_IOCTL(fffffd806ede1eb8,c0384600,ffff8000216f4150,1,fffffd807f7d77b8,ffff8000ffff2db8) at VOP_IOCTL+0x91 sys/kern/vfs_vops.c:264
vn_ioctl(fffffd806f89af00,c0384600,ffff8000216f4150,ffff8000ffff2db8) at vn_ioctl+0xbb sys/kern/vfs_vnops.c:525
sys_ioctl(ffff8000ffff2db8,ffff8000216f4260,ffff8000216f42b0) at sys_ioctl+0x49e
syscall(ffff8000216f4330) at syscall+0x4a8 sys/arch/amd64/amd64/trap.c:623
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7d2a35df6d40, count: -10
ddb> show registers
rdi 0
rsi 0x1
rbp 0xffff8000216f3730
rbx 0xffff800000cc8c00
rdx 0x3fd
rcx 0
rax 0x7c
r8 0x101010101010101
r9 0x8080808080808080
r10 0xf3a5b7cd13330902
r11 0x241d597687c0be36
r12 0
r13 0x51
r14 0
r15 0x1
rip 0xffffffff8162a3fc db_enter+0x1c
cs 0x8
rflags 0x246
rsp 0xffff8000216f3720
ss 0x10
db_enter+0x1c: addq $0x8,%rsp
ddb> show proc
PROC (syz-executor2850578658) pid=416028 stat=onproc
flags process=0 proc=0
pri=51, usrpri=51, nice=20
forw=0xffffffffffffffff, list=0xffff8000ffff3070,0xffff8000ffff2b10
process=0xffff8000ffff0000 user=0xffff8000216ef000, vmspace=0xfffffd806c4ff740
estcpu=2, cpticks=2, pctcpu=0.0
user=0, sys=1, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
59715 353826 9277 0 3 0 biowait syz-executor2850578658
74739 305723 66721 0 3 0 biowait syz-executor2850578658
*48250 416028 39420 0 7 0 syz-executor2850578658
82911 266861 82839 0 3 0x80 nanoslp syz-executor2850578658
18738 468578 82839 0 3 0 biowait syz-executor2850578658
39420 445428 82839 0 3 0x80 nanoslp syz-executor2850578658
31976 485573 82839 0 3 0 getblk syz-executor2850578658
66472 450083 82839 0 3 0 getblk syz-executor2850578658
66721 96257 82839 0 3 0x80 nanoslp syz-executor2850578658
96910 67381 82839 0 3 0 getblk syz-executor2850578658
9277 124124 82839 0 3 0x80 nanoslp syz-executor2850578658
82839 306711 77128 0 3 0x82 nanoslp syz-executor2850578658
77128 109598 24205 0 3 0x10008a sigsusp ksh
24205 142820 67500 0 3 0x9a kqread sshd
1559 30100 1 0 3 0x100083 ttyin getty
67500 340612 1 0 3 0x88 kqread sshd
36769 240094 93725 73 3 0x1100090 kqread syslogd
93725 57840 1 0 3 0x100082 netio syslogd
97807 515231 1 0 3 0x100080 kqread resolvd
1482 36110 6684 77 3 0x100092 kqread dhcpleased
91784 295896 6684 77 3 0x100092 kqread dhcpleased
6684 303770 1 0 3 0x80 kqread dhcpleased
63590 147435 0 0 3 0x14200 bored smr
8828 357404 0 0 2 0x14200 zerothread
12171 505880 0 0 3 0x14200 aiodoned aiodoned
60183 291702 0 0 3 0x14200 syncer update
97966 493393 0 0 3 0x14200 cleaner cleaner
17030 290903 0 0 3 0x14200 reaper reaper
71299 207533 0 0 3 0x14200 pgdaemon pagedaemon
13991 79174 0 0 3 0x14200 bored viomb
74055 232697 0 0 3 0x40014200 acpi0 acpi0
95827 455559 0 0 3 0x14200 bored softnet3
88594 147395 0 0 3 0x14200 bored softnet2
85658 276053 0 0 3 0x14200 bored softnet1
97591 117395 0 0 3 0x14200 bored softnet0
18087 484541 0 0 3 0x14200 bored systqmp
52884 381598 0 0 3 0x14200 bored systq
47554 120322 0 0 3 0x40014200 bored softclock
94510 89207 0 0 3 0x40014200 idle0
1 290386 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb> show all locks
No such command
ddb> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10133 6382K 6412K 78643K 11215 0
pcb 13 8K 8K 78643K 13 0
rtable 58 1K 2K 78643K 110 0
pf 12 6K 6K 78643K 12 0
ifaddr 11 5K 5K 78643K 11 0
ifgroup 17 1K 1K 78643K 17 0
counters 20 16K 16K 78643K 20 0
ioctlops 0 0K 2K 78643K 21 0
mount 1 1K 1K 78643K 1 0
log 0 0K 0K 78643K 4 0
vnodes 1174 73K 74K 78643K 1188 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 1K 78643K 2 0
VM map 2 1K 1K 78643K 2 0
sem 2 0K 0K 78643K 2 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12548 0
file desc 1 0K 0K 78643K 1 0
proc 55 58K 59K 78643K 246 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
in_multi 11 0K 0K 78643K 11 0
ether_multi 1 0K 0K 78643K 1 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 25 122K 122K 78643K 25 0
exec 0 0K 1K 78643K 243 0
tdb 3 0K 0K 78643K 3 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 8 62K 64K 78643K 10 0
UVM amap 128 69K 69K 78643K 2185 0
UVM aobj 3 2K 2K 78643K 3 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
NDP 3 0K 0K 78643K 3 0
temp 1 5844K 5908K 78643K 2761 0
kqueue 11 16K 18K 78643K 24 0
SYN cache 2 16K 16K 78643K 2 0
ddb> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
rtpcb 120 20 0 17 1 0 1 1 0 8 0
rtentry 112 23 0 1 1 0 1 1 0 8 0
unpcb 144 33 0 20 1 0 1 1 0 8 0
syncache 296 5 0 5 2 1 1 1 0 8 1
tcpqe 32 61 0 61 1 1 0 1 0 8 0
tcpcb 808 8 0 5 1 0 1 1 0 8 0
arp 88 2 0 0 1 0 1 1 0 8 0
inpcb 336 26 0 20 1 0 1 1 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 97 0 0 7 0 7 7 0 8 0
art_table 32 98 0 0 1 0 1 1 0 8 0
art_node 16 22 0 2 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 1456 0 52 88 0 88 88 0 8 0
ffsino 240 1457 0 52 83 0 83 83 0 8 0
nchpl 144 1664 0 87 59 0 59 59 0 8 0
uvmvnodes 80 1467 0 0 30 0 30 30 0 8 0
vnodes 216 1467 0 0 82 0 82 82 0 8 0
namei 1024 4372 0 4370 3 1 2 2 0 8 1
kstatmem 264 6 0 0 1 0 1 1 0 8 0
scxspl 216 5708 0 5649 25 18 7 8 0 8 3
plimitpl 152 24 0 10 1 0 1 1 0 8 0
sigapl 424 329 0 288 5 0 5 5 0 8 0
knotepl 120 3377 0 3348 3 1 2 2 0 8 1
kqueuepl 184 20 0 13 1 0 1 1 0 8 0
pipepl 288 87 0 84 2 1 1 1 0 8 0
fdescpl 432 313 0 289 3 0 3 3 0 8 0
filepl 120 1160 0 1101 2 0 2 2 0 8 0
lockfpl 104 6 0 4 1 0 1 1 0 8 0
lockfspl 48 4 0 2 1 0 1 1 0 8 0
sessionpl 144 25 0 9 1 0 1 1 0 8 0
pgrppl 48 25 0 9 1 0 1 1 0 8 0
ucredpl 104 71 0 60 1 0 1 1 0 8 0
zombiepl 144 289 0 288 2 1 1 1 0 8 0
processpl 1008 329 0 288 7 1 6 6 0 8 0
procpl 696 329 0 288 5 1 4 4 0 8 0
sockpl 456 79 0 57 3 0 3 3 0 8 0
mcl8k 8192 9 0 9 2 1 1 1 0 8 1
mcl4k 4096 5 0 5 2 1 1 1 0 8 1
mcl2k 2048 10799 0 10761 34 24 10 30 0 8 4
mtagpl 96 4 0 4 1 1 0 1 0 8 0
mbufpl 256 17386 0 17344 17 11 6 17 0 8 0
bufpl 288 3155 0 92 219 0 219 219 0 8 0
anonpl 24 173333 0 171070 28 11 17 23 0 188 1
amapchunkpl 152 8142 0 7936 9 1 8 8 0 158 0
amappl16 200 5098 0 5068 8 5 3 5 0 8 0
amappl15 192 14 0 14 1 1 0 1 0 8 0
amappl14 184 127 0 118 1 0 1 1 0 8 0
amappl13 176 22 0 22 1 1 0 1 0 8 0
amappl12 168 801 0 781 1 0 1 1 0 8 0
amappl11 160 53 0 43 1 0 1 1 0 8 0
amappl10 152 27 0 27 2 1 1 1 0 8 1
amappl9 144 125 0 125 1 1 0 1 0 8 0
amappl8 136 44 0 42 1 0 1 1 0 8 0
amappl7 128 32 0 27 1 0 1 1 0 8 0
amappl6 120 151 0 140 1 0 1 1 0 8 0
amappl5 112 81 0 74 1 0 1 1 0 8 0
amappl4 104 455 0 418 2 0 2 2 0 8 1
amappl3 96 2223 0 2178 2 0 2 2 0 8 0
amappl2 88 464 0 422 2 1 1 2 0 8 0
amappl1 80 9018 0 8570 14 3 11 11 0 8 0
amappl 88 1907 0 1824 2 0 2 2 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 2 0 0 1 0 1 1 0 8 0
uaddrrnd 24 313 0 289 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 313 0 289 1 0 1 1 0 8 0
vmmpekpl 168 6912 0 6897 1 0 1 1 0 8 0
vmmpepl 168 33791 0 32589 58 3 55 55 0 357 0
vmsppl 368 312 0 289 3 0 3 3 0 8 0
rwobjpl 24 18520 0 16363 15 1 14 14 0 8 0
pdppl 4096 633 0 578 81 22 59 59 0 8 4
pvpl 32 267435 0 262493 59 15 44 51 0 265 1
pmappl 216 312 0 289 2 0 2 2 0 8 0
extentpl 40 56 0 38 1 0 1 1 0 8 0
phpool 112 550 0 63 14 0 14 14 0 8 0
ddb> machine ddbcpu 0
No such command
ddb> trace
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8277078e) at panic+0x165 sys/kern/subr_prf.c:198
malloc(194,2,a) at malloc+0xa85 sys/kern/kern_malloc.c:362
disk_attach(ffff8000006b5000,ffff8000006b5048) at disk_attach+0x8e sys/kern/subr_disk.c:1082
vndioctl(2902,c0384600,ffff8000216f4150,1,ffff8000ffff2db8) at vndioctl+0xeb6 sys/dev/vnd.c:539
VOP_IOCTL(fffffd806ede1eb8,c0384600,ffff8000216f4150,1,fffffd807f7d77b8,ffff8000ffff2db8) at VOP_IOCTL+0x91 sys/kern/vfs_vops.c:264
vn_ioctl(fffffd806f89af00,c0384600,ffff8000216f4150,ffff8000ffff2db8) at vn_ioctl+0xbb sys/kern/vfs_vnops.c:525
sys_ioctl(ffff8000ffff2db8,ffff8000216f4260,ffff8000216f42b0) at sys_ioctl+0x49e
syscall(ffff8000216f4330) at syscall+0x4a8 sys/arch/amd64/amd64/trap.c:623
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7d2a35df6d40, count: -10
ddb> machine ddbcpu 1
No such command
ddb> trace
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8277078e) at panic+0x165 sys/kern/subr_prf.c:198
malloc(194,2,a) at malloc+0xa85 sys/kern/kern_malloc.c:362
disk_attach(ffff8000006b5000,ffff8000006b5048) at disk_attach+0x8e sys/kern/subr_disk.c:1082
vndioctl(2902,c0384600,ffff8000216f4150,1,ffff8000ffff2db8) at vndioctl+0xeb6 sys/dev/vnd.c:539
VOP_IOCTL(fffffd806ede1eb8,c0384600,ffff8000216f4150,1,fffffd807f7d77b8,ffff8000ffff2db8) at VOP_IOCTL+0x91 sys/kern/vfs_vops.c:264
vn_ioctl(fffffd806f89af00,c0384600,ffff8000216f4150,ffff8000ffff2db8) at vn_ioctl+0xbb sys/kern/vfs_vnops.c:525
sys_ioctl(ffff8000ffff2db8,ffff8000216f4260,ffff8000216f42b0) at sys_ioctl+0x49e
syscall(ffff8000216f4330) at syscall+0x4a8 sys/arch/amd64/amd64/trap.c:623
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7d2a35df6d40, count: -10


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.