protection_fault: sys_msgrcv (2)


syzbot

Oct 12, 2022, 9:20:43 PM10/12/22
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: ddd5e87dd012 use correct type with sizeof ok miod@ kettenis@
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=17e65b84880000
kernel config: https://syzkaller.appspot.com/x/.config?x=7058272de1526588
dashboard link: https://syzkaller.appspot.com/bug?extid=c80235d951da9769a00f

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2c2c8a2da871/disk-ddd5e87d.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/90df9a94328c/bsd-ddd5e87d.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3ec889ce8666/kernel-ddd5e87d.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c80235d951da9769a00f@syzkaller.appspotmail.com

kernel: protection fault trap, code=0
Stopped at sys_msgrcv+0x2df: movq 0x10(%r13),%rdi
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
the kernel did not panic
ddb{1}> trace
sys_msgrcv(ffff800021306010,ffff8000247843d8,ffff800024784420) at sys_msgrcv+0x2df msg_copyout sys/kern/sysv_msg.c:639 [inline]
sys_msgrcv(ffff800021306010,ffff8000247843d8,ffff800024784420) at sys_msgrcv+0x2df sys/kern/sysv_msg.c:349
syscall(ffff8000247844a0) at syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline]
syscall(ffff8000247844a0) at syscall+0x435 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x3a46a0ce540, count: -3
ddb{1}> show registers
rdi 0xc8
rsi 0x20001388
rbp 0xffff8000247843c0
rbx 0xc8
rdx 0
rcx 0
rax 0xffff800021306010
r8 0x7f7fffffc000
r9 0xfffffd807f7d72d8
r10 0x14b9265f3d5cde4b
r11 0x2b5936945e1d48f0
r12 0xfffffd8064668f28
r13 0xdeadbeefdeadbeef
r14 0xffff800000c55200
r15 0xc2
rip 0xffffffff81f61e6f sys_msgrcv+0x2df
cs 0x8
rflags 0x10206 __ALIGN_SIZE+0xf206
rsp 0xffff800024784330
ss 0x10
sys_msgrcv+0x2df: movq 0x10(%r13),%rdi
ddb{1}> show proc
PROC (syz-executor.7) pid=254898 stat=onproc
flags process=10<SUGID> proc=4000000<THREAD>
pri=32, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff800021306a90,0xffff800021306fe0
process=0xffff8000ffff14e0 user=0xffff80002477f000, vmspace=0xfffffd807effc5c0
estcpu=36, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
29042 87141 35796 0 2 0 syz-executor.4
39146 285755 48201 0 2 0 syz-executor.6
57161 98255 77088 0 2 0 syz-executor.3
62882 283466 49464 0 2 0 syz-executor.5
62882 244286 49464 0 2 0x4000000 syz-executor.5
82518 400414 70605 60928 2 0x10 syz-executor.7
82518 435474 70605 60928 7 0x4000010 syz-executor.7
*82518 254898 70605 60928 7 0x4000010 syz-executor.7
82518 3562 70605 60928 3 0x4000090 fsleep syz-executor.7
85511 447783 32841 0 3 0x80 nanoslp syz-executor.0
85511 85303 32841 0 3 0x4000080 fsleep syz-executor.0
85511 481228 32841 0 2 0x4000000 syz-executor.0
70605 221415 80487 0 3 0x82 nanoslp syz-executor.7
40681 315165 80487 0 2 0x2 syz-executor.2
32841 411050 80487 0 3 0x82 nanoslp syz-executor.0
77088 15322 80487 0 3 0x82 nanoslp syz-executor.3
12418 392187 0 0 3 0x14200 bored sosplice
35796 72840 80487 0 2 0x2 syz-executor.4
48201 470526 80487 0 3 0x82 nanoslp syz-executor.6
49464 523974 80487 0 3 0x82 nanoslp syz-executor.5
45125 215478 80487 0 3 0x2 biowait syz-executor.1
80487 463745 54672 0 3 0x82 wait syz-fuzzer
80487 142899 54672 0 3 0x4000082 nanoslp syz-fuzzer
80487 239254 54672 0 3 0x4000082 thrsleep syz-fuzzer
80487 118385 54672 0 3 0x4000082 wait syz-fuzzer
80487 389375 54672 0 3 0x4000082 thrsleep syz-fuzzer
80487 435875 54672 0 3 0x4000082 wait syz-fuzzer
80487 239052 54672 0 3 0x4000082 wait syz-fuzzer
80487 74164 54672 0 3 0x4000082 wait syz-fuzzer
80487 83627 54672 0 3 0x4000082 thrsleep syz-fuzzer
80487 24025 54672 0 3 0x4000082 thrsleep syz-fuzzer
80487 438431 54672 0 3 0x4000082 kqread syz-fuzzer
80487 159779 54672 0 3 0x4000082 wait syz-fuzzer
80487 183228 54672 0 3 0x4000082 thrsleep syz-fuzzer
80487 374064 54672 0 3 0x4000082 wait syz-fuzzer
80487 491134 54672 0 3 0x4000082 thrsleep syz-fuzzer
80487 218211 54672 0 3 0x4000082 wait syz-fuzzer
54672 494933 12489 0 3 0x10008a sigsusp ksh
12489 95215 65579 0 3 0x9a kqread sshd
2823 118830 1 0 3 0x100083 ttyin getty
65579 163125 1 0 3 0x88 kqread sshd
20303 322791 53367 74 3 0x1100092 bpf pflogd
53367 193056 1 0 3 0x80 netio pflogd
92094 381915 65827 73 3 0x1100090 kqread syslogd
65827 244338 1 0 3 0x100082 netio syslogd
2576 251413 1 0 3 0x100080 kqread resolvd
43324 7610 79024 77 3 0x100092 kqread dhcpleased
15120 290441 79024 77 3 0x100092 kqread dhcpleased
79024 55508 1 0 3 0x80 kqread dhcpleased
80341 285085 0 0 3 0x14200 bored smr
54228 419226 0 0 2 0x14200 zerothread
86591 35481 0 0 3 0x14200 aiodoned aiodoned
25973 294653 0 0 3 0x14200 syncer update
49107 240973 0 0 3 0x14200 cleaner cleaner
57699 386678 0 0 3 0x14200 reaper reaper
9099 338206 0 0 3 0x14200 pgdaemon pagedaemon
11487 384147 0 0 3 0x14200 bored viomb
4196 68408 0 0 3 0x40014200 acpi0 acpi0
68730 338886 0 0 3 0x40014200 idle1
38777 227745 0 0 3 0x14200 bored softnet
87390 33486 0 0 3 0x14200 bored softnet
49112 99591 0 0 3 0x14200 bored softnet
20503 92743 0 0 3 0x14200 bored softnet
4792 95452 0 0 3 0x14200 bored systqmp
12467 433703 0 0 3 0x14200 bored systq
58205 55692 0 0 3 0x40014200 bored softclock
97383 453431 0 0 3 0x40014200 idle0
1 260930 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
Process 82518 (syz-executor.7) thread 0xffff800021306a90 (435474)
exclusive rwlock amaplk r = 0 (0xfffffd8067b132f0)
#0 witness_lock+0x44d
#1 uvm_fault_check+0x422 sys/uvm/uvm_fault.c:783
#2 uvm_fault+0xf2 sys/uvm/uvm_fault.c:601
#3 upageflttrap+0x82 sys/arch/amd64/amd64/trap.c:181
#4 usertrap+0x1aa sys/arch/amd64/amd64/trap.c:403
#5 recall_trap+0x8
shared rwlock vmmaplk r = 0 (0xfffffd807effc5d8)
#0 witness_lock+0x44d
#1 uvmfault_lookup+0xd9 sys/uvm/uvm_fault.c:1772
#2 uvm_fault_check+0x3a sys/uvm/uvm_fault.c:673
#3 uvm_fault+0xf2 sys/uvm/uvm_fault.c:601
#4 upageflttrap+0x82 sys/arch/amd64/amd64/trap.c:181
#5 usertrap+0x1aa sys/arch/amd64/amd64/trap.c:403
#6 recall_trap+0x8
Process 82518 (syz-executor.7) thread 0xffff800021306010 (254898)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82a617d0)
#0 witness_lock+0x44d
#1 __mp_acquire_count+0x48 sys/kern/kern_lock.c:227
#2 mi_switch+0x3bb sys/kern/sched_bsd.c:415
#3 sleep_finish+0x180 sys/kern/kern_synch.c:417
#4 rw_enter+0x35a sys/kern/kern_rwlock.c:286
#5 uvm_fault_check+0x422 sys/uvm/uvm_fault.c:783
#6 uvm_fault+0xf2 sys/uvm/uvm_fault.c:601
#7 kpageflttrap+0x209
#8 kerntrap+0xef sys/arch/amd64/amd64/trap.c:318
#9 alltraps_kern_meltdown+0x7b
#10 copyout+0x53
#11 syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline]
#11 syscall+0x435 sys/arch/amd64/amd64/trap.c:585
#12 Xsyscall+0x128
Process 45125 (syz-executor.1) thread 0xffff8000212962a8 (215478)
exclusive rrwlock inode r = 0 (0xfffffd806a0962b8)
#0 witness_lock+0x44d
#1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2 rrw_enter+0x8b sys/kern/kern_rwlock.c:465
#3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:518
#4 ufs_ihashins+0x42 sys/ufs/ufs/ufs_ihash.c:140
#5 ffs_vget+0x141 sys/ufs/ffs/ffs_vfsops.c:1353
#6 ffs_inode_alloc+0x1be sys/ufs/ffs/ffs_alloc.c:394
#7 ufs_mkdir+0xf4 sys/ufs/ufs/ufs_vnops.c:1150
#8 VOP_MKDIR+0xbf sys/kern/vfs_vops.c:388
#9 domkdirat+0x121 sys/kern/vfs_syscalls.c:3112
#10 syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline]
#10 syscall+0x435 sys/arch/amd64/amd64/trap.c:585
#11 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd806a096e68)
#0 witness_lock+0x44d
#1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2 rrw_enter+0x8b sys/kern/kern_rwlock.c:465
#3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:518
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:564
#5 vfs_lookup+0xd1 sys/kern/vfs_lookup.c:412
#6 namei+0x36a sys/kern/vfs_lookup.c:244
#7 domkdirat+0x75 sys/kern/vfs_syscalls.c:3097
#8 syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline]
#8 syscall+0x435 sys/arch/amd64/amd64/trap.c:585
#9 Xsyscall+0x128
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10197 6613K 6739K 78643K 12617 0
pcb 13 12K 14K 78643K 148 0
rtable 160 8K 9K 78643K 554 0
ifaddr 79 17K 18K 78643K 154 0
sysctl 2 0K 0K 78643K 2 0
counters 50 34K 35K 78643K 72 0
ioctlops 0 0K 4K 78643K 1675 0
iov 0 0K 16K 78643K 77 0
mount 1 1K 1K 78643K 1 0
log 0 0K 0K 78643K 4 0
vnodes 1275 80K 80K 78643K 1595 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 5K 78643K 15 0
VM map 2 1K 1K 78643K 2 0
sem 12 0K 0K 78643K 100 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12548 0
file desc 16 57K 85K 78643K 1090 0
sigio 0 0K 0K 78643K 12 0
proc 70 91K 115K 78643K 674 0
subproc 104 6K 6K 78643K 156 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
ip_moptions 0 0K 0K 78643K 31 0
in_multi 63 4K 6K 78643K 170 0
ether_multi 1 0K 0K 78643K 4 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 55 254K 254K 78643K 55 0
exec 0 0K 2K 78643K 824 0
tdb 3 0K 0K 78643K 3 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 8 62K 64K 78643K 10 0
UVM amap 294 215K 215K 78643K 8332 0
UVM aobj 31 6K 6K 78643K 31 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
ip6_options 0 0K 0K 78643K 90 0
NDP 10 0K 2K 78643K 46 0
temp 97 4724K 4795K 78643K 14276 0
kqueue 12 18K 26K 78643K 113 0
SYN cache 2 16K 16K 78643K 2 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 22 0 0 1 0 1 1 0 8 0
rtpcb 120 178 0 175 3 2 1 2 0 8 0
rtentry 112 171 0 103 4 0 4 4 0 8 0
unpcb 144 690 0 675 9 8 1 6 0 8 0
syncache 296 8 0 8 2 2 0 1 0 8 0
tcpqe 32 58 0 58 1 1 0 1 0 8 0
tcpcb 768 271 0 266 13 11 2 8 0 8 1
arp 120 26 0 14 1 0 1 1 0 8 0
inpcb 368 869 0 862 24 22 2 7 0 8 1
nd6 48 39 0 24 1 0 1 1 0 8 0
kcovpl 48 12 0 4 1 0 1 1 0 8 0
ppxss 1256 2 0 2 1 1 0 1 0 8 0
pppxif 1704 2 0 2 1 1 0 1 0 8 0
pfstscr 40 101 0 100 2 1 1 1 0 8 0
pfosfp 40 1436 0 1011 5 0 5 5 0 8 0
pfosfpen 112 1436 0 720 21 0 21 21 0 8 0
pfrktable 1344 3 0 1 1 0 1 1 0 8 0
pfanchor 1280 1 0 0 1 0 1 1 0 8 0
pfstitem 24 115 0 107 1 0 1 1 0 8 0
pfstkey 120 183 0 175 1 0 1 1 0 8 0
pfstate 336 149 0 141 3 0 3 3 0 8 0
pfrule 1360 25 0 17 2 1 1 2 0 8 0
art_heap8 4096 2 0 1 2 1 1 2 0 8 0
art_heap4 256 775 0 493 31 10 21 29 0 8 0
art_table 32 777 0 494 4 0 4 4 0 8 0
art_node 16 170 0 111 1 0 1 1 0 8 0
sysvmsgpl 40 2 0 2 1 0 1 1 0 8 1
semapl 112 98 0 88 1 0 1 1 0 8 0
shmpl 112 28 0 0 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 2710 0 1268 91 0 91 91 0 8 0
ffsino 272 2710 0 1268 97 0 97 97 0 8 0
nchpl 144 4264 0 2622 63 0 63 63 0 8 0
uvmvnodes 80 3012 0 0 62 0 62 62 0 8 0
vnodes 216 3012 0 0 168 0 168 168 0 8 0
namei 1024 15462 0 15461 3 2 1 2 0 8 0
percpumem 16 48 0 11 1 0 1 1 0 8 0
vcpupl 2048 8 0 0 1 0 1 1 0 8 0
vmpool 568 8 0 0 1 0 1 1 0 8 0
pfiaddrpl 120 1 0 0 1 0 1 1 0 8 0
kstatmem 264 38 0 18 2 0 2 2 0 8 0
scxspl 216 12610 0 12609 9 8 1 8 0 8 0
plimitpl 152 122 0 106 1 0 1 1 0 8 0
sigapl 424 1391 0 1344 7 1 6 6 0 8 0
futexpl 64 8138 0 8136 1 0 1 1 0 8 0
knotepl 120 385 0 0 12 1 11 11 0 8 0
kqueuepl 216 137 0 129 1 0 1 1 0 8 0
pipepl 320 214 0 186 3 0 3 3 0 8 0
fdescpl 496 1373 0 1344 7 3 4 5 0 8 0
filepl 152 7552 0 7312 23 11 12 16 0 8 1
lockfpl 104 325 0 323 2 1 1 2 0 8 0
lockfspl 48 90 0 88 1 0 1 1 0 8 0
sessionpl 144 28 0 11 1 0 1 1 0 8 0
pgrppl 48 28 0 11 1 0 1 1 0 8 0
ucredpl 104 601 0 587 1 0 1 1 0 8 0
zombiepl 144 1344 0 1344 1 0 1 1 0 8 1
processpl 1064 1391 0 1344 4 0 4 4 0 8 0
procpl 672 3441 0 3373 11 4 7 8 0 8 0
srpgc 96 10 0 10 3 3 0 1 0 8 0
sosppl 168 13 0 13 2 2 0 1 0 8 0
sockpl 488 1737 0 1712 39 35 4 20 0 8 0
mcl64k 65536 7 0 0 1 0 1 1 0 8 0
mcl16k 16384 8 0 0 1 0 1 1 0 8 0
mcl12k 12288 10 0 0 1 0 1 1 0 8 0
mcl9k 9216 11 0 0 1 0 1 1 0 8 0
mcl8k 8192 12 0 0 2 0 2 2 0 8 0
mcl4k 4096 17 0 0 3 0 3 3 0 8 0
mcl2k2 2112 2 0 0 1 0 1 1 0 8 0
mcl2k 2048 482 0 0 60 0 60 60 0 8 0
mtagpl 96 91 0 0 3 0 3 3 0 8 0
mbufpl 256 513 0 0 32 0 32 32 0 8 0
bufpl 288 5324 0 139 371 0 371 371 0 8 0
anonpl 24 249274 0 231573 118 7 111 112 0 186 1
amapchunkpl 152 22333 0 21569 38 5 33 35 0 158 0
amappl16 200 2728 0 2205 30 1 29 30 0 8 0
amappl15 192 403 0 390 2 1 1 2 0 8 0
amappl14 184 194 0 189 1 0 1 1 0 8 0
amappl13 176 301 0 296 1 0 1 1 0 8 0
amappl12 168 168 0 162 1 0 1 1 0 8 0
amappl11 160 44 0 30 1 0 1 1 0 8 0
amappl10 152 44 0 40 1 0 1 1 0 8 0
amappl9 144 1083 0 1072 1 0 1 1 0 8 0
amappl8 136 813 0 753 3 0 3 3 0 8 0
amappl7 128 246 0 226 1 0 1 1 0 8 0
amappl6 120 395 0 371 2 1 1 2 0 8 0
amappl5 112 769 0 757 1 0 1 1 0 8 0
amappl4 104 1056 0 1026 2 1 1 2 0 8 0
amappl3 96 3800 0 3745 2 0 2 2 0 8 0
amappl2 88 1701 0 1630 3 1 2 3 0 8 0
amappl1 80 35168 0 34430 23 5 18 23 0 8 0
amappl 88 7755 0 7568 6 1 5 5 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 30 0 0 1 0 1 1 0 8 0
uaddrrnd 24 1381 0 1344 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 1381 0 1344 1 0 1 1 0 8 0
vmmpekpl 168 16495 0 16431 4 0 4 4 0 8 0
vmmpepl 168 139200 0 136485 174 43 131 153 0 357 2
vmsppl 368 1380 0 1344 5 1 4 4 0 8 0
rwobjpl 56 38225 0 33483 68 0 68 68 0 8 0
pdppl 4096 2769 0 2696 172 95 77 79 0 8 4
pvpl 32 610369 0 587134 267 65 202 266 0 265 7
pmappl 248 1380 0 1344 4 1 3 3 0 8 0
extentpl 40 56 0 38 1 0 1 1 0 8 0
phpool 112 908 0 135 23 0 23 23 0 8 0
ddb{1}> machine ddbcpu 0
Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp
ddb{0}> trace
x86_ipi_db(ffffffff82952ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__mp_lock(ffffffff82a615c8) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82a615c8) at __mp_lock+0x122 sys/kern/kern_lock.c:147
intr_handler(ffff80002b03e620,ffff80000004bd00) at intr_handler+0x5e sys/arch/amd64/amd64/intr.c:532
Xintr_ioapic_edge21_untramp() at Xintr_ioapic_edge21_untramp+0x18f
Xspllower() at Xspllower+0x19
uvm_pmr_getpages(1,0,0,1,0,1,514aebd84ff0fe55,fffffd807c9aa390) at uvm_pmr_getpages+0xde1
uvm_pagealloc(0,0,fffffd807c9aa390,2) at uvm_pagealloc+0x1a4 sys/uvm/uvm_page.c:910
uvm_fault_lower(ffff80002b03eac0,ffff80002b03eaf8,ffff80002b03ea40,0) at uvm_fault_lower+0x1aa
uvm_fault(fffffd807effc5c0,3a463cb1000,0,2) at uvm_fault+0x238
upageflttrap(ffff80002b03ec30,3a463cb1000) at upageflttrap+0x82 sys/arch/amd64/amd64/trap.c:181
usertrap(ffff80002b03ec30) at usertrap+0x1aa sys/arch/amd64/amd64/trap.c:403
recall_trap() at recall_trap+0x8
end of kernel
end trace frame: 0x3a4eed2d570, count: -14
ddb{0}> machine ddbcpu 1
Stopped at sys_msgrcv+0x2df: movq 0x10(%r13),%rdi
ddb{1}> trace
sys_msgrcv(ffff800021306010,ffff8000247843d8,ffff800024784420) at sys_msgrcv+0x2df msg_copyout sys/kern/sysv_msg.c:639 [inline]
sys_msgrcv(ffff800021306010,ffff8000247843d8,ffff800024784420) at sys_msgrcv+0x2df sys/kern/sysv_msg.c:349
syscall(ffff8000247844a0) at syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline]
syscall(ffff8000247844a0) at syscall+0x435 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x3a46a0ce540, count: -3


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Dec 20, 2022, 6:38:56 AM12/20/22
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 4068fef5c65e Remove array reference from sh(1) because sh ..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=14804bdb880000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1315134f880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c2ac8f96aaa8/disk-4068fef5.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/cec5d9db3048/bsd-4068fef5.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c25881caeff1/kernel-4068fef5.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c80235d951da9769a00f@syzkaller.appspotmail.com

kernel: protection fault trap, code=0
Stopped at sys_msgrcv+0x2df: movq 0x10(%r13),%rdi
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
the kernel did not panic
ddb{1}> trace
sys_msgrcv(ffff800021408d30,ffff80002152da08,ffff80002152da50) at sys_msgrcv+0x2df msg_copyout sys/kern/sysv_msg.c:639 [inline]
sys_msgrcv(ffff800021408d30,ffff80002152da08,ffff80002152da50) at sys_msgrcv+0x2df sys/kern/sysv_msg.c:349
syscall(ffff80002152dad0) at syscall+0x438 mi_syscall sys/sys/syscall_mi.h:101 [inline]
syscall(ffff80002152dad0) at syscall+0x438 sys/arch/amd64/amd64/trap.c:599
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xc3a724b2610, count: -3
ddb{1}> show registers
rdi 0x1b
rsi 0x20003b08
rbp 0xffff80002152d9f0
rbx 0x1b
rdx 0xffff800021528000
rcx 0
rax 0
r8 0x7f7fffffc000
r9 0x1
r10 0x2c72ac73f3fb09b8
r11 0xfe99f1c681c60488
r12 0xfffffd807e789b18
r13 0xdeafbeaddeafbead
r14 0xffff800000bff600
r15 0x1b
rip 0xffffffff820ece9f sys_msgrcv+0x2df
cs 0x8
rflags 0x10202 __ALIGN_SIZE+0xf202
rsp 0xffff80002152d960
ss 0x10
sys_msgrcv+0x2df: movq 0x10(%r13),%rdi
ddb{1}> show proc
PROC (syz-executor.1) pid=387735 stat=onproc
flags process=10<SUGID> proc=4000000<THREAD>
pri=36, usrpri=52, nice=20
forw=0xffffffffffffffff, list=0xffff800021409270,0xffff8000214082c0
process=0xffff800021480450 user=0xffff800021528000, vmspace=0xfffffd80716d7018
estcpu=2, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
35489 206354 93335 32767 3 0x90 nanoslp syz-executor.1
35489 96908 93335 32767 3 0x4000090 fsleep syz-executor.1
*35489 387735 93335 32767 7 0x4000010 syz-executor.1
35489 125820 93335 32767 3 0x4000090 fsleep syz-executor.1
35489 449887 93335 32767 3 0x4000090 fsleep syz-executor.1
35489 323714 93335 32767 3 0x4000090 fsleep syz-executor.1
35489 39360 93335 32767 2 0x4000010 syz-executor.1
35489 227818 93335 32767 2 0x4000010 syz-executor.1
35489 28548 93335 32767 3 0x4000090 fsleep syz-executor.1
35489 383270 93335 32767 3 0x4000090 fsleep syz-executor.1
19660 507849 6058 32767 3 0x90 nanoslp syz-executor.5
19660 431052 6058 32767 3 0x4000090 fsleep syz-executor.5
19660 201850 6058 32767 3 0x4000090 fsleep syz-executor.5
19660 33209 6058 32767 3 0x4000090 msgwait syz-executor.5
19660 517466 6058 32767 3 0x4000090 fsleep syz-executor.5
19660 403128 6058 32767 3 0x4000090 fsleep syz-executor.5
19660 123080 6058 32767 3 0x4000090 msgwait syz-executor.5
60071 266306 77884 32767 3 0x90 nanoslp syz-executor.2
60071 151141 77884 32767 3 0x4000090 fsleep syz-executor.2
60071 131086 77884 32767 3 0x4000090 msgwait syz-executor.2
60071 173263 77884 32767 3 0x4000090 fsleep syz-executor.2
60071 405959 77884 32767 3 0x4000090 fsleep syz-executor.2
60071 60862 77884 32767 3 0x4000090 fsleep syz-executor.2
60071 35567 77884 32767 3 0x4000090 fsleep syz-executor.2
60071 76621 77884 32767 3 0x4000090 fsleep syz-executor.2
60071 178625 77884 32767 3 0x4000090 fsleep syz-executor.2
60071 316547 77884 32767 3 0x4000090 msgwait syz-executor.2
56028 198090 26580 32767 3 0x90 nanoslp syz-executor.6
56028 472270 26580 32767 3 0x4000090 fsleep syz-executor.6
56028 180311 26580 32767 3 0x4000090 msgwait syz-executor.6
56028 510090 26580 32767 3 0x4000090 fsleep syz-executor.6
56028 343649 26580 32767 3 0x4000090 fsleep syz-executor.6
56028 198985 26580 32767 3 0x4000090 fsleep syz-executor.6
56028 24355 26580 32767 3 0x4000090 msgwait syz-executor.6
14420 76144 78207 32767 3 0x90 nanoslp syz-executor.0
14420 75394 78207 32767 3 0x4000090 fsleep syz-executor.0
14420 364442 78207 32767 3 0x4000090 fsleep syz-executor.0
14420 422046 78207 32767 3 0x4000090 msgwait syz-executor.0
14420 456666 78207 32767 3 0x4000090 fsleep syz-executor.0
14420 38247 78207 32767 3 0x4000090 fsleep syz-executor.0
14420 189092 78207 32767 3 0x4000090 fsleep syz-executor.0
14420 120496 78207 32767 3 0x4000090 fsleep syz-executor.0
14420 505812 78207 32767 3 0x4000090 msgwait syz-executor.0
270 160963 34538 32767 3 0x90 nanoslp syz-executor.4
270 115359 34538 32767 3 0x4000090 msgwait syz-executor.4
270 138880 34538 32767 3 0x4000090 fsleep syz-executor.4
270 218308 34538 32767 3 0x4000090 fsleep syz-executor.4
270 383969 34538 32767 3 0x4000090 fsleep syz-executor.4
270 245625 34538 32767 3 0x4000090 fsleep syz-executor.4
270 9361 34538 32767 3 0x4000090 fsleep syz-executor.4
270 232175 34538 32767 3 0x4000090 msgwait syz-executor.4
8988 505307 14518 32767 3 0x90 nanoslp syz-executor.3
8988 179681 14518 32767 3 0x4000090 msgwait syz-executor.3
8988 338215 14518 32767 3 0x4000090 fsleep syz-executor.3
8988 141196 14518 32767 3 0x4000090 fsleep syz-executor.3
8988 314824 14518 32767 3 0x4000090 fsleep syz-executor.3
8988 175205 14518 32767 3 0x4000090 msgwait syz-executor.3
8988 313212 14518 32767 3 0x4000090 fsleep syz-executor.3
77884 465398 80925 32767 3 0x90 nanoslp syz-executor.2
93335 481590 896 32767 3 0x90 nanoslp syz-executor.1
80925 460906 91340 0 3 0x82 wait syz-executor.2
26580 278307 82264 32767 3 0x90 nanoslp syz-executor.6
896 297439 91340 0 3 0x82 wait syz-executor.1
82264 523277 91340 0 3 0x82 wait syz-executor.6
6058 510530 63054 32767 3 0x90 nanoslp syz-executor.5
63054 196271 91340 0 3 0x82 wait syz-executor.5
34538 103001 92489 32767 2 0x10 syz-executor.4
14518 441094 50187 32767 7 0x10 syz-executor.3
50187 346369 91340 0 3 0x82 wait syz-executor.3
23638 162625 327 32767 3 0x90 nanoslp syz-executor.7
327 245764 91340 0 3 0x82 wait syz-executor.7
78207 496909 13538 32767 3 0x90 nanoslp syz-executor.0
92489 284242 91340 0 3 0x82 wait syz-executor.4
13538 198348 91340 0 3 0x82 wait syz-executor.0
91340 220763 35226 0 3 0x82 thrsleep syz-execprog
91340 437556 35226 0 3 0x4000082 thrsleep syz-execprog
91340 378609 35226 0 3 0x4000082 wait syz-execprog
91340 263796 35226 0 3 0x4000082 thrsleep syz-execprog
91340 168048 35226 0 3 0x4000082 wait syz-execprog
91340 189976 35226 0 3 0x4000082 wait syz-execprog
91340 198797 35226 0 3 0x4000082 wait syz-execprog
91340 459440 35226 0 3 0x4000082 wait syz-execprog
91340 171982 35226 0 3 0x4000082 thrsleep syz-execprog
91340 106165 35226 0 3 0x4000082 wait syz-execprog
91340 251914 35226 0 3 0x4000082 wait syz-execprog
91340 52554 35226 0 3 0x4000082 wait syz-execprog
91340 109912 35226 0 3 0x4000082 kqread syz-execprog
91340 182365 35226 0 3 0x4000082 thrsleep syz-execprog
91340 319350 35226 0 3 0x4000082 thrsleep syz-execprog
35226 457537 22623 0 3 0x10008a sigsusp ksh
22623 273953 30632 0 3 0x9a kqread sshd
41490 184510 1 0 3 0x100083 ttyin getty
30632 523411 1 0 3 0x88 kqread sshd
89472 291417 68964 73 3 0x1100090 kqread syslogd
68964 137529 1 0 3 0x100082 netio syslogd
9504 219337 1 0 3 0x100080 kqread resolvd
1411 151645 49339 77 3 0x100092 kqread dhcpleased
92352 379192 49339 77 3 0x100092 kqread dhcpleased
49339 357625 1 0 3 0x80 kqread dhcpleased
12424 232914 0 0 3 0x14200 bored smr
35799 509583 0 0 2 0x14200 zerothread
63044 494842 0 0 3 0x14200 aiodoned aiodoned
10710 506829 0 0 3 0x14200 syncer update
28239 210465 0 0 3 0x14200 cleaner cleaner
70066 395905 0 0 3 0x14200 reaper reaper
24134 290963 0 0 3 0x14200 pgdaemon pagedaemon
48058 56410 0 0 3 0x14200 bored viomb
93036 499816 0 0 3 0x40014200 acpi0 acpi0
68629 427195 0 0 3 0x40014200 idle1
76013 302251 0 0 3 0x14200 bored softnet
14102 156373 0 0 3 0x14200 bored softnet
81057 523647 0 0 3 0x14200 bored softnet
63294 522211 0 0 3 0x14200 bored softnet
81041 265467 0 0 3 0x14200 bored systqmp
51452 361516 0 0 3 0x14200 bored systq
49506 95432 0 0 3 0x40014200 bored softclock
53443 227419 0 0 3 0x40014200 idle0
1 18042 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
Process 35489 (syz-executor.1) thread 0xffff800021408d30 (387735)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82a01680)
#0 witness_lock+0x44d
#1 __mp_acquire_count+0x48 sys/kern/kern_lock.c:227
#2 mi_switch+0x3bb sys/kern/sched_bsd.c:415
#3 sleep_finish+0x180 sys/kern/kern_synch.c:417
#4 rw_enter+0x35a sys/kern/kern_rwlock.c:286
#5 uvmfault_lookup+0xc9 sys/uvm/uvm_fault.c:1773
#6 uvm_fault_check+0x3a sys/uvm/uvm_fault.c:673
#7 uvm_fault+0xf2 sys/uvm/uvm_fault.c:601
#8 kpageflttrap+0x22e sys/arch/amd64/amd64/trap.c:277
#9 kerntrap+0xef sys/arch/amd64/amd64/trap.c:332
#10 alltraps_kern_meltdown+0x7b
#11 copyout+0x53
#12 syscall+0x438 mi_syscall sys/sys/syscall_mi.h:101 [inline]
#12 syscall+0x438 sys/arch/amd64/amd64/trap.c:599
#13 Xsyscall+0x128
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10185 6408K 6420K 78643K 11275 0
pcb 13 8K 8K 78643K 13 0
rtable 234 6K 6K 78643K 343 0
ifaddr 71 16K 16K 78643K 73 0
counters 60 35K 35K 78643K 60 0
ioctlops 0 0K 2K 78643K 27 0
mount 1 1K 1K 78643K 1 0
log 0 0K 0K 78643K 4 0
vnodes 1167 73K 73K 78643K 1180 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 1K 78643K 2 0
VM map 2 1K 1K 78643K 2 0
sem 2 0K 0K 78643K 2 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12548 0
file desc 25 93K 121K 78643K 162 0
proc 56 78K 115K 78643K 464 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
in_multi 99 6K 6K 78643K 99 0
ether_multi 1 0K 0K 78643K 1 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 25 122K 122K 78643K 25 0
exec 0 0K 1K 78643K 349 0
tdb 3 0K 0K 78643K 3 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 8 62K 64K 78643K 10 0
UVM amap 321 76K 76K 78643K 2687 0
UVM aobj 3 2K 2K 78643K 3 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
NDP 11 0K 2K 78643K 27 0
temp 91 4688K 4752K 78643K 3889 0
kqueue 12 18K 18K 78643K 25 0
SYN cache 2 16K 16K 78643K 2 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 22 0 0 1 0 1 1 0 8 0
rtpcb 120 33 0 30 1 0 1 1 0 8 0
rtentry 112 111 0 1 4 0 4 4 0 8 0
unpcb 144 123 0 98 2 0 2 2 0 8 0
syncache 296 5 0 5 1 0 1 1 0 8 1
tcpqe 32 48 0 48 1 1 0 1 0 8 0
tcpcb 776 8 0 5 1 0 1 1 0 8 0
arp 120 18 0 0 1 0 1 1 0 8 0
inpcb 368 57 0 51 1 0 1 1 0 8 0
nd6 48 24 0 0 1 0 1 1 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 452 0 0 29 0 29 29 0 8 0
art_table 32 453 0 0 4 0 4 4 0 8 0
art_node 16 110 0 10 1 0 1 1 0 8 0
sysvmsgpl 40 84 0 72 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 1492 0 62 90 0 90 90 0 8 0
ffsino 272 1492 0 62 96 0 96 96 0 8 0
nchpl 144 1763 0 95 63 0 63 63 0 8 0
uvmvnodes 80 1501 0 0 31 0 31 31 0 8 0
vnodes 216 1501 0 0 84 0 84 84 0 8 0
namei 1024 5818 0 5818 2 0 2 2 0 8 2
percpumem 16 42 0 0 1 0 1 1 0 8 0
kstatmem 264 22 0 0 2 0 2 2 0 8 0
scxspl 216 5822 0 5822 2 1 1 2 0 8 1
plimitpl 152 33 0 10 1 0 1 1 0 8 0
sigapl 424 445 0 391 7 0 7 7 0 8 0
futexpl 64 309 0 274 1 0 1 1 0 8 0
knotepl 120 110 0 0 4 0 4 4 0 8 0
kqueuepl 216 21 0 13 1 0 1 1 0 8 0
pipepl 320 128 0 100 3 0 3 3 0 8 0
fdescpl 496 428 0 392 7 1 6 6 0 8 0
filepl 152 1595 0 1455 6 0 6 6 0 8 0
lockfpl 104 6 0 4 1 0 1 1 0 8 0
lockfspl 48 4 0 2 1 0 1 1 0 8 0
sessionpl 144 25 0 9 1 0 1 1 0 8 0
pgrppl 48 25 0 9 1 0 1 1 0 8 0
ucredpl 104 90 0 72 1 0 1 1 0 8 0
zombiepl 144 392 0 391 1 0 1 1 0 8 0
processpl 1072 445 0 391 5 0 5 5 0 8 0
procpl 672 609 0 490 11 0 11 11 0 8 0
sockpl 488 213 0 179 5 0 5 5 0 8 0
mcl8k 8192 3 0 0 1 0 1 1 0 8 0
mcl4k 4096 5 0 0 1 0 1 1 0 8 0
mcl2k 2048 254 0 0 32 0 32 32 0 8 0
mtagpl 96 3 0 0 1 0 1 1 0 8 0
mbufpl 256 304 0 0 19 0 19 19 0 8 0
bufpl 288 3983 0 138 275 0 275 275 0 8 0
anonpl 24 121768 0 114304 53 5 48 48 0 186 0
amapchunkpl 152 7085 0 6373 30 1 29 29 0 158 0
amappl16 200 2161 0 2079 9 4 5 5 0 8 0
amappl15 192 6 0 6 1 1 0 1 0 8 0
amappl14 184 155 0 142 2 0 2 2 0 8 1
amappl13 176 5 0 3 1 0 1 1 0 8 0
amappl12 168 396 0 394 1 0 1 1 0 8 0
amappl11 160 50 0 40 1 0 1 1 0 8 0
amappl10 152 31 0 22 2 1 1 1 0 8 0
amappl9 144 941 0 938 1 0 1 1 0 8 0
amappl8 136 127 0 99 2 0 2 2 0 8 0
amappl7 128 122 0 105 2 0 2 2 0 8 0
amappl6 120 151 0 142 1 0 1 1 0 8 0
amappl5 112 113 0 106 1 0 1 1 0 8 0
amappl4 104 467 0 441 3 1 2 3 0 8 1
amappl3 96 696 0 614 3 0 3 3 0 8 0
amappl2 88 744 0 665 3 0 3 3 0 8 1
amappl1 80 12254 0 11374 22 0 22 22 0 8 3
amappl 88 2246 0 2008 6 0 6 6 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 2 0 0 1 0 1 1 0 8 0
uaddrrnd 24 428 0 392 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 428 0 392 1 0 1 1 0 8 0
vmmpekpl 168 9389 0 9359 2 0 2 2 0 8 0
vmmpepl 168 45129 0 42589 118 3 115 115 0 357 1
vmsppl 368 427 0 392 4 0 4 4 0 8 0
rwobjpl 56 16263 0 13474 45 2 43 43 0 8 3
pdppl 4096 863 0 784 105 18 87 93 0 8 8
pvpl 32 301274 0 287753 261 4 257 257 0 265 146
pmappl 248 427 0 392 4 1 3 3 0 8 0
extentpl 40 56 0 38 1 0 1 1 0 8 0
phpool 112 662 0 20 19 0 19 19 0 8 0
ddb{1}> machine ddbcpu 0
Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp
ddb{0}> trace
x86_ipi_db(ffffffff829ceff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__mp_lock(ffffffff82a01478) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82a01478) at __mp_lock+0x122 sys/kern/kern_lock.c:147
syscall(ffff80002139ccf0) at syscall+0x424 mi_syscall sys/sys/syscall_mi.h:101 [inline]
syscall(ffff80002139ccf0) at syscall+0x424 sys/arch/amd64/amd64/trap.c:599
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffcd850, count: -6
ddb{0}> machine ddbcpu 1
Stopped at sys_msgrcv+0x2df: movq 0x10(%r13),%rdi
ddb{1}> trace
sys_msgrcv(ffff800021408d30,ffff80002152da08,ffff80002152da50) at sys_msgrcv+0x2df msg_copyout sys/kern/sysv_msg.c:639 [inline]
sys_msgrcv(ffff800021408d30,ffff80002152da08,ffff80002152da50) at sys_msgrcv+0x2df sys/kern/sysv_msg.c:349
syscall(ffff80002152dad0) at syscall+0x438 mi_syscall sys/sys/syscall_mi.h:101 [inline]
syscall(ffff80002152dad0) at syscall+0x438 sys/arch/amd64/amd64/trap.c:599
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xc3a724b2610, count: -3
ddb{1}>

syzbot

Jun 13, 2023, 8:32:05 AM6/13/23
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: fafd6c403a36 Simple seq(1) regress. More tests are needed.
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=120eaa9b280000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17a1d7c7280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f745dd280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6e645c5231d6/disk-fafd6c40.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/8adc6efe11c4/bsd-fafd6c40.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5e160bb01448/kernel-fafd6c40.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c80235d951da9769a00f@syzkaller.appspotmail.com

kernel: protection fault trap, code=0
Stopped at sys_msgrcv+0x2df: movq 0x10(%r13),%rdi
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
the kernel did not panic
ddb{1}> trace
sys_msgrcv(ffff8000211ad310,ffff800021255e20,ffff800021255e70) at sys_msgrcv+0x2df msg_copyout sys/kern/sysv_msg.c:639 [inline]
sys_msgrcv(ffff8000211ad310,ffff800021255e20,ffff800021255e70) at sys_msgrcv+0x2df sys/kern/sysv_msg.c:349
syscall(ffff800021255ef0) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff800021255ef0) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:632
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xb2b25878be0, count: -3
ddb{1}> show registers
rdi 0x106e __ALIGN_SIZE+0x6e
rsi 0x20001cc8
rbp 0xffff800021255e10
rbx 0x106e __ALIGN_SIZE+0x6e
rdx 0xffff800021250000
rcx 0
rax 0
r8 0x7f7fffffc000
r9 0
r10 0x48c4a4b947b635c8
r11 0x93397fccc3faa9da
r12 0xfffffd806d676f28
r13 0xdead4110dead4110
r14 0xffff800000cef600
r15 0x8
rip 0xffffffff81bc92bf sys_msgrcv+0x2df
cs 0x8
rflags 0x10202 __ALIGN_SIZE+0xf202
rsp 0xffff800021255d80
ss 0x10
sys_msgrcv+0x2df: movq 0x10(%r13),%rdi
ddb{1}> show proc
PROC (syz-executor4102321349) pid=37580 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=36, usrpri=53, nice=20
forw=0xffffffffffffffff, list=0xffff8000211f3318,0xffff800021237338
process=0xffff8000212225c0 user=0xffff800021250000, vmspace=0xfffffd80089fe740
estcpu=36, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
70655 235589 43892 0 7 0 syz-executor4102321349
70655 336187 43892 0 3 0x4000080 fsleep syz-executor4102321349
*70655 37580 43892 0 7 0x4000000 syz-executor4102321349
70655 121687 43892 0 3 0x4000080 fsleep syz-executor4102321349
43892 405082 84333 0 3 0x82 nanoslp syz-executor4102321349
84333 321189 98977 0 3 0x10008a sigsusp ksh
98977 316822 55406 0 3 0x9a kqread sshd
63131 114906 1 0 3 0x100083 ttyin getty
55406 417294 1 0 3 0x88 kqread sshd
61067 204932 8680 73 3 0x1100090 kqread syslogd
8680 29466 1 0 3 0x100082 netio syslogd
36873 505284 1 0 3 0x100080 kqread resolvd
57884 377106 75201 77 3 0x100092 kqread dhcpleased
19289 124702 75201 77 3 0x100092 kqread dhcpleased
75201 300176 1 0 3 0x80 kqread dhcpleased
50372 39665 0 0 3 0x14200 bored smr
95571 380244 0 0 3 0x14200 pgzero zerothread
28747 127922 0 0 3 0x14200 aiodoned aiodoned
68852 455372 0 0 3 0x14200 syncer update
45700 472411 0 0 3 0x14200 cleaner cleaner
7118 335248 0 0 3 0x14200 reaper reaper
27733 171833 0 0 3 0x14200 pgdaemon pagedaemon
18108 230277 0 0 3 0x14200 bored viomb
73402 269220 0 0 3 0x40014200 acpi0 acpi0
97473 428126 0 0 3 0x40014200 idle1
39776 132400 0 0 3 0x14200 bored softnet3
88052 519288 0 0 3 0x14200 bored softnet2
63530 162546 0 0 3 0x14200 bored softnet1
71787 47596 0 0 3 0x14200 bored softnet0
6823 154365 0 0 3 0x14200 bored systqmp
23134 469603 0 0 3 0x14200 bored systq
53506 345157 0 0 3 0x40014200 bored softclock
83919 164901 0 0 3 0x40014200 idle0
1 80245 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
Process 70655 (syz-executor4102321349) thread 0xffff8000211ad310 (37580)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82c80768)
#0 witness_lock+0x44d
#1 __mp_acquire_count+0x48 sys/kern/kern_lock.c:227
#2 mi_switch+0x3c3 sys/kern/sched_bsd.c:405
#3 sleep_finish+0x184 sys/kern/kern_synch.c:417
#4 rw_enter+0x35e sys/kern/kern_rwlock.c:286
#5 uvmfault_lookup+0xd9 sys/uvm/uvm_fault.c:1773
#6 uvm_fault_check+0x3e sys/uvm/uvm_fault.c:673
#7 uvm_fault+0xf2 sys/uvm/uvm_fault.c:601
#8 kpageflttrap+0x23e sys/arch/amd64/amd64/trap.c:286
#9 kerntrap+0xf3 sys/arch/amd64/amd64/trap.c:341
#10 alltraps_kern_meltdown+0x7b
#11 copyout+0x57
#12 syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
#12 syscall+0x5e2 sys/arch/amd64/amd64/trap.c:632
#13 Xsyscall+0x128
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10147 6388K 6419K 78643K 11237 0
pcb 13 8K 8K 78643K 13 0
rtable 58 1K 2K 78643K 104 0
ifaddr 24 15K 15K 78643K 24 0
counters 44 33K 33K 78643K 44 0
ioctlops 0 0K 2K 78643K 21 0
mount 1 1K 1K 78643K 1 0
log 0 0K 0K 78643K 4 0
vnodes 1174 73K 74K 78643K 1187 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 1K 78643K 2 0
VM map 2 1K 1K 78643K 2 0
sem 3 0K 0K 78643K 18 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12548 0
file desc 1 0K 0K 78643K 1 0
proc 55 78K 79K 78643K 246 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
in_multi 11 0K 0K 78643K 11 0
ether_multi 1 0K 0K 78643K 1 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 25 122K 122K 78643K 25 0
exec 0 0K 1K 78643K 234 0
tdb 3 0K 0K 78643K 3 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 8 62K 64K 78643K 10 0
UVM amap 95 12K 12K 78643K 2310 0
UVM aobj 3 2K 2K 78643K 3 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
NDP 3 0K 0K 78643K 3 0
temp 50 5857K 5913K 78643K 2765 0
kqueue 11 16K 18K 78643K 24 0
SYN cache 2 16K 16K 78643K 2 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 22 0 0 1 0 1 1 0 8 0
rtpcb 120 17 0 14 1 0 1 1 0 8 0
rtentry 112 23 0 1 1 0 1 1 0 8 0
unpcb 144 125 0 112 1 0 1 1 0 8 0
syncache 296 5 0 5 2 1 1 1 0 8 1
tcpqe 32 229 0 229 1 1 0 1 0 8 0
tcpcb 776 8 0 5 1 0 1 1 0 8 0
arp 120 2 0 0 1 0 1 1 0 8 0
inpcb 368 42 0 35 1 0 1 1 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 97 0 0 7 0 7 7 0 8 0
art_table 32 98 0 0 1 0 1 1 0 8 0
art_node 16 22 0 2 1 0 1 1 0 8 0
sysvmsgpl 40 47 0 47 1 0 1 1 0 8 1
semapl 112 16 0 15 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 1422 0 37 87 0 87 87 0 8 0
ffsino 272 1422 0 37 93 0 93 93 0 8 0
nchpl 144 1606 0 47 58 0 58 58 0 8 0
uvmvnodes 80 1431 0 0 30 0 30 30 0 8 0
vnodes 216 1431 0 0 80 0 80 80 0 8 0
namei 1024 4239 0 4239 2 1 1 1 0 8 1
percpumem 16 35 0 0 1 0 1 1 0 8 0
kstatmem 264 6 0 0 1 0 1 1 0 8 0
scxspl 216 5000 0 5000 12 11 1 8 0 8 1
plimitpl 152 17 0 10 1 0 1 1 0 8 0
sigapl 424 316 0 285 4 0 4 4 0 8 0
futexpl 64 300 0 298 1 0 1 1 0 8 0
knotepl 120 41 0 0 2 0 2 2 0 8 0
kqueuepl 216 20 0 13 1 0 1 1 0 8 0
pipepl 320 99 0 96 2 1 1 1 0 8 0
fdescpl 496 299 0 285 3 1 2 3 0 8 0
filepl 152 1277 0 1223 3 0 3 3 0 8 0
lockfpl 104 6 0 4 1 0 1 1 0 8 0
lockfspl 48 4 0 2 1 0 1 1 0 8 0
sessionpl 144 17 0 9 1 0 1 1 0 8 0
pgrppl 48 17 0 9 1 0 1 1 0 8 0
ucredpl 104 66 0 56 1 0 1 1 0 8 0
zombiepl 144 285 0 285 2 1 1 1 0 8 1
processpl 1072 316 0 285 3 0 3 3 0 8 0
procpl 696 378 0 344 5 1 4 4 0 8 0
sockpl 488 184 0 161 4 0 4 4 0 8 0
mcl8k 8192 3 0 0 1 0 1 1 0 8 0
mcl4k 4096 5 0 0 1 0 1 1 0 8 0
mcl2k 2048 294 0 0 37 0 37 37 0 8 0
mtagpl 96 3 0 0 1 0 1 1 0 8 0
mbufpl 256 307 0 0 20 0 20 20 0 8 0
bufpl 288 2406 0 92 166 0 166 166 0 8 0
anonpl 24 169088 0 167200 26 13 13 24 0 186 1
amapchunkpl 152 8132 0 7980 7 1 6 7 0 158 0
amappl16 200 4851 0 4849 5 4 1 5 0 8 0
amappl15 192 13 0 12 1 0 1 1 0 8 0
amappl14 184 99 0 90 1 0 1 1 0 8 0
amappl13 176 19 0 18 1 0 1 1 0 8 0
amappl12 168 777 0 764 1 0 1 1 0 8 0
amappl11 160 53 0 43 1 0 1 1 0 8 0
amappl10 152 16 0 16 2 1 1 1 0 8 1
amappl9 144 149 0 149 1 1 0 1 0 8 0
amappl8 136 37 0 35 1 0 1 1 0 8 0
amappl7 128 50 0 43 1 0 1 1 0 8 0
amappl6 120 141 0 130 1 0 1 1 0 8 0
amappl5 112 80 0 74 1 0 1 1 0 8 0
amappl4 104 411 0 386 1 0 1 1 0 8 0
amappl3 96 2097 0 2064 1 0 1 1 0 8 0
amappl2 88 450 0 408 2 1 1 2 0 8 0
amappl1 80 8948 0 8521 13 2 11 11 0 8 0
amappl 88 2057 0 2001 2 0 2 2 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 2 0 0 1 0 1 1 0 8 0
uaddrrnd 24 299 0 285 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 299 0 285 1 0 1 1 0 8 0
vmmpekpl 168 6987 0 6968 1 0 1 1 0 8 0
vmmpepl 168 32874 0 31922 55 9 46 47 0 357 4
vmsppl 464 298 0 285 3 1 2 3 0 8 0
rwobjpl 56 18118 0 16059 31 1 30 31 0 8 0
pdppl 4096 606 0 570 54 18 36 42 0 8 0
pvpl 32 260834 0 256576 58 20 38 52 0 265 0
pmappl 248 298 0 285 2 1 1 2 0 8 0
extentpl 40 56 0 38 1 0 1 1 0 8 0
phpool 112 476 0 21 13 0 13 13 0 8 0
ddb{1}> machine ddbcpu 0
Stopped at x86_ipi_db+0x1e: addq $0x8,%rsp
ddb{0}> trace
x86_ipi_db(ffffffff82c21ff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__mp_lock(ffffffff82c80560) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82c80560) at __mp_lock+0x122 sys/kern/kern_lock.c:147
syscall(ffff80002121f610) at syscall+0x5cd mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff80002121f610) at syscall+0x5cd sys/arch/amd64/amd64/trap.c:632
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7acbb2cc6860, count: -6
ddb{0}> machine ddbcpu 1
Stopped at sys_msgrcv+0x2df: movq 0x10(%r13),%rdi
ddb{1}> trace
sys_msgrcv(ffff8000211ad310,ffff800021255e20,ffff800021255e70) at sys_msgrcv+0x2df msg_copyout sys/kern/sysv_msg.c:639 [inline]
sys_msgrcv(ffff8000211ad310,ffff800021255e20,ffff800021255e70) at sys_msgrcv+0x2df sys/kern/sysv_msg.c:349
syscall(ffff800021255ef0) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff800021255ef0) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:632
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xb2b25878be0, count: -3


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.