panic: kernel diagnostic assertion "pg->wire_count == 1" failed: file "/syzkaller/managers/setuid/kernel/sys/kern/vfs_bi


syzbot

Dec 19, 2018, 3:41:03 AM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: f26abd72fe13 use Sq for single chars, and escape ";" prope..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=178b9393400000
kernel config: https://syzkaller.appspot.com/x/.config?x=f2ee3db928411249
dashboard link: https://syzkaller.appspot.com/bug?extid=e9d383f78ba316be843c
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e9d383...@syzkaller.appspotmail.com

panic: kernel diagnostic assertion "pg->wire_count == 1" failed:
file "/syzkaller/managers/setuid/kernel/sys/kern/vfs_biomem.c", line 329
Stopped at db_enter+0xa: popq %rbp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*400665 61826 65534 0x10 0 1K syz-executor1
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
__assert(ffffffff813e52b4,ffff80002118b670,ffffffff81ee05d8,ffffff0068381200)
at
__assert+0x24 sys/kern/subr_prf.c:155
buf_free_pages(ffff800020a97000) at buf_free_pages+0x167
sys/kern/vfs_biomem.c:318
buf_dealloc_mem(ffffff0068381100) at buf_dealloc_mem+0xb6
sys/kern/vfs_biomem.c:194
buf_put(ffffff0068381200) at buf_put+0x11f sys/kern/vfs_bio.c:130
brelse(2) at brelse+0x19f sys/kern/vfs_bio.c:921
vinvalbuf(0,ffffff007a8db2d8,ffffff007a8db2f0,0,ffff80000066f800,11) at
vinvalbuf+0x2e2 sys/kern/vfs_subr.c:1925
ffs_truncate(ffffff006815ca08,ffffff007a9860d0,ffffff006a289a50,ffffff007a8db2d8)
at
ffs_truncate+0xc93 sys/ufs/ffs/ffs_inode.c:325
ufs_rmdir(ffffff006815ca08) at ufs_rmdir+0x277 sys/ufs/ufs/ufs_vnops.c:1354
VOP_RMDIR(0,ffffff007a9860d0,8) at VOP_RMDIR+0x6a sys/kern/vfs_vops.c:469
dounlinkat(890,ffff8000210a3788,0,ffff80002118bbe0) at dounlinkat+0xf5
sys/kern/vfs_syscalls.c:1695
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,89,7f7ffffcaf00,89,cb8bb132080,7f7ffffcb350) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffcb340, count: 1
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> show panic
kernel diagnostic assertion "pg->wire_count == 1" failed:
file "/syzkaller/managers/setuid/kernel/sys/kern/vfs_biomem.c", line 329
ddb{1}> trace
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
__assert(ffffffff813e52b4,ffff80002118b670,ffffffff81ee05d8,ffffff0068381200)
at
__assert+0x24 sys/kern/subr_prf.c:155
buf_free_pages(ffff800020a97000) at buf_free_pages+0x167
sys/kern/vfs_biomem.c:318
buf_dealloc_mem(ffffff0068381100) at buf_dealloc_mem+0xb6
sys/kern/vfs_biomem.c:194
buf_put(ffffff0068381200) at buf_put+0x11f sys/kern/vfs_bio.c:130
brelse(2) at brelse+0x19f sys/kern/vfs_bio.c:921
vinvalbuf(0,ffffff007a8db2d8,ffffff007a8db2f0,0,ffff80000066f800,11) at
vinvalbuf+0x2e2 sys/kern/vfs_subr.c:1925
ffs_truncate(ffffff006815ca08,ffffff007a9860d0,ffffff006a289a50,ffffff007a8db2d8)
at
ffs_truncate+0xc93 sys/ufs/ffs/ffs_inode.c:325
ufs_rmdir(ffffff006815ca08) at ufs_rmdir+0x277 sys/ufs/ufs/ufs_vnops.c:1354
VOP_RMDIR(0,ffffff007a9860d0,8) at VOP_RMDIR+0x6a sys/kern/vfs_vops.c:469
dounlinkat(890,ffff8000210a3788,0,ffff80002118bbe0) at dounlinkat+0xf5
sys/kern/vfs_syscalls.c:1695
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,89,7f7ffffcaf00,89,cb8bb132080,7f7ffffcb350) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffcb340, count: -14
ddb{1}> show registers
rdi 0xffffffff81e291a8 kprintf_mutex
rsi 0x5
rbp 0xffff80002118b5d0
rbx 0xffff80002118b670
rdx 0x3fd
rcx 0
rax 0
r8 0xffff80002118b5a0
r9 0x8080808080808080
r10 0xd96e072616acd64e
r11 0xffffffff813a7780 x86_bus_space_io_read_1
r12 0x3000000008
r13 0xffff80002118b5e0
r14 0x100
r15 0xffffffff81bf3c19 cmd0646_9_tim_udma+0x20790
rip 0xffffffff81a8b5ca db_enter+0xa
cs 0x8
rflags 0x246
rsp 0xffff80002118b5d0
ss 0x10
db_enter+0xa: popq %rbp
ddb{1}> show proc
PROC (syz-executor1) pid=400665 stat=onproc
flags process=10<SUGID> proc=0
pri=17, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff8000210a2978,0xffffffff81edc2c0
process=0xffff8000210b7c80 user=0xffff800021186000,
vmspace=0xffffff007f125738
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
*61826 400665 1 65534 7 0x10 syz-executor1
86660 408216 1 65534 3 0x10 biowait syz-executor0
63253 9342 0 0 3 0x14200 bored sosplice
236 114025 34901 0 3 0x82 thrsleep syz-fuzzer
236 49873 34901 0 3 0x4000082 thrsleep syz-fuzzer
236 155923 34901 0 3 0x4000082 thrsleep syz-fuzzer
236 517270 34901 0 3 0x4000082 thrsleep syz-fuzzer
236 213068 34901 0 3 0x4000082 thrsleep syz-fuzzer
236 328995 34901 0 3 0x4000082 thrsleep syz-fuzzer
236 388526 34901 0 3 0x4000082 thrsleep syz-fuzzer
236 477948 34901 0 3 0x4000082 thrsleep syz-fuzzer
236 453652 34901 0 3 0x4000082 kqread syz-fuzzer
236 101530 34901 0 3 0x4000082 thrsleep syz-fuzzer
34901 273595 64629 0 3 0x10008a pause ksh
64629 118960 97309 0 3 0x92 select sshd
46319 313549 1 0 3 0x100083 ttyin getty
97309 224281 1 0 3 0x80 select sshd
32807 17625 13828 73 3 0x100010 ffs_fsync syslogd
13828 379658 1 0 3 0x100082 netio syslogd
7541 437434 1 77 3 0x100090 poll dhclient
76993 343249 1 0 3 0x80 poll dhclient
86093 418653 0 0 3 0x14200 pgzero zerothread
85911 208652 0 0 3 0x14200 aiodoned aiodoned
30437 514306 0 0 3 0x14200 syncer update
42024 180596 0 0 3 0x14200 cleaner cleaner
9782 333839 0 0 3 0x14200 reaper reaper
57405 176098 0 0 3 0x14200 pgdaemon pagedaemon
66014 448084 0 0 3 0x14200 bored crynlk
14680 419461 0 0 3 0x14200 bored crypto
10324 92402 0 0 3 0x40014200 acpi0 acpi0
87416 161894 0 0 3 0x40014200 idle1
59281 251091 0 0 3 0x14200 bored softnet
6416 340926 0 0 3 0x14200 bored systqmp
59992 185646 0 0 3 0x14200 bored systq
57536 436857 0 0 3 0x40014200 bored softclock
60433 441224 0 0 7 0x40014200 idle0
1 305146 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

Greg Steuck

Dec 26, 2018, 9:18:38 PM
to syzbot, syzkaller-o...@googlegroups.com
#syz dup: assert "pg->wire_count == 1" failed in vfs_biomem.c
