panic: pool_cache_item_magic_chekcek:r nmbeluf:p pl rcotpue ctfrioeen lfaiusltt m otrdiapf,ie cdo: dei=t0e


syzbot

Apr 30, 2020, 1:01:22 PM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 69c4b8fe drm/amd/display: Not doing optimize bandwidth if ..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=11135540100000
kernel config: https://syzkaller.appspot.com/x/.config?x=bf87b6915a88cd0d
dashboard link: https://syzkaller.appspot.com/bug?extid=c5af07f030fa2e6f8780

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c5af07...@syzkaller.appspotmail.com

panic: pool_cache_item_magic_chekcek:r nmbeluf:p pl rcotpue ctfrioeen lfaiusltt m otrdiapf,ie cdo: dei=t0e
m
Stopped at in_delmulti+0x8d: movl 0xc(%r14),%r15d
TID PID UID PRFLAGS PFLAGS CPU COMMAND
295 7498 0 0x12 0 1 sshd
in_delmulti(fbfffffdffffffff) at in_delmulti+0x8d sys/netinet/in.c:914
in_purgeaddr(ffff800000aa5800) at in_purgeaddr+0x156 sys/netinet/in.c:760
in_ifdetach(ffff8000009d5000) at in_ifdetach+0x74 sys/netinet/in.c:971
if_detach(ffff8000009d5000) at if_detach+0x140 sys/net/if.c:1149
tun_clone_destroy(ffff8000009d5000) at tun_clone_destroy+0x1f2 sys/net/if_tun.c:329
tun_dev_close(5d00,7) at tun_dev_close+0x160 sys/net/if_tun.c:480
spec_close(ffff800020f6af00) at spec_close+0x311 sys/kern/spec_vnops.c:555
VOP_CLOSE(fffffd806e40e4e8,7,fffffd807f7bf960,ffff800020e6c008) at VOP_CLOSE+0xc0 sys/kern/vfs_vops.c:174
vn_closefile(fffffd8067e2f868,ffff800020e6c008) at vn_closefile+0xd7 vn_close sys/kern/vfs_vnops.c:298 [inline]
vn_closefile(fffffd8067e2f868,ffff800020e6c008) at vn_closefile+0xd7 sys/kern/vfs_vnops.c:614
fdrop(fffffd8067e2f868,ffff800020e6c008) at fdrop+0xc2 sys/kern/kern_descrip.c:1276
closef(fffffd8067e2f868,ffff800020e6c008) at closef+0x11c sys/kern/kern_descrip.c:1260
fdfree(ffff800020e6c008) at fdfree+0x101 sys/kern/kern_descrip.c:1192
exit1(ffff800020e6c008,0,19,1) at exit1+0x32c sys/kern/kern_exit.c:197
postsig(ffff800020e6c008,19) at postsig+0x4ed sigexit sys/kern/kern_sig.c:1483 [inline]
postsig(ffff800020e6c008,19) at postsig+0x4ed sys/kern/kern_sig.c:1415
end trace frame: 0xffff800020f6b2a0, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd806f2e3500+16 0x0!=0x178230a9f63d95bc
ddb{0}> trace
in_delmulti(fbfffffdffffffff) at in_delmulti+0x8d sys/netinet/in.c:914
in_purgeaddr(ffff800000aa5800) at in_purgeaddr+0x156 sys/netinet/in.c:760
in_ifdetach(ffff8000009d5000) at in_ifdetach+0x74 sys/netinet/in.c:971
if_detach(ffff8000009d5000) at if_detach+0x140 sys/net/if.c:1149
tun_clone_destroy(ffff8000009d5000) at tun_clone_destroy+0x1f2 sys/net/if_tun.c:329
tun_dev_close(5d00,7) at tun_dev_close+0x160 sys/net/if_tun.c:480
spec_close(ffff800020f6af00) at spec_close+0x311 sys/kern/spec_vnops.c:555
VOP_CLOSE(fffffd806e40e4e8,7,fffffd807f7bf960,ffff800020e6c008) at VOP_CLOSE+0xc0 sys/kern/vfs_vops.c:174
vn_closefile(fffffd8067e2f868,ffff800020e6c008) at vn_closefile+0xd7 vn_close sys/kern/vfs_vnops.c:298 [inline]
vn_closefile(fffffd8067e2f868,ffff800020e6c008) at vn_closefile+0xd7 sys/kern/vfs_vnops.c:614
fdrop(fffffd8067e2f868,ffff800020e6c008) at fdrop+0xc2 sys/kern/kern_descrip.c:1276
closef(fffffd8067e2f868,ffff800020e6c008) at closef+0x11c sys/kern/kern_descrip.c:1260
fdfree(ffff800020e6c008) at fdfree+0x101 sys/kern/kern_descrip.c:1192
exit1(ffff800020e6c008,0,19,1) at exit1+0x32c sys/kern/kern_exit.c:197
postsig(ffff800020e6c008,19) at postsig+0x4ed sigexit sys/kern/kern_sig.c:1483 [inline]
postsig(ffff800020e6c008,19) at postsig+0x4ed sys/kern/kern_sig.c:1415
userret(ffff800020e6c008) at userret+0x199 sys/kern/kern_sig.c:1867
syscall(ffff800020f6b380) at syscall+0x55f mi_syscall_return sys/sys/syscall_mi.h:129 [inline]
syscall(ffff800020f6b380) at syscall+0x55f sys/arch/amd64/amd64/trap.c:592
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffd8bb0, count: -17
ddb{0}> show registers
rdi 0x2
rsi 0
rbp 0xffff800020f6acd0
rbx 0
rdx 0xffff800020e6c008
rcx 0
rax 0
r8 0xffffffff8157a113 rt_ifa_purge+0x153
r9 0x5
r10 0x2f
r11 0xbe02784f7f89155c
r12 0
r13 0
r14 0xfbfffffdffffffff
r15 0x1
rip 0xffffffff81b9300d in_delmulti+0x8d
cs 0x8
rflags 0x10246 __ALIGN_SIZE+0xf246
rsp 0xffff800020f6ac70
ss 0x10
in_delmulti+0x8d: movl 0xc(%r14),%r15d
ddb{0}> show proc
PROC (syz-executor.0) pid=323246 stat=onproc
flags process=a<EXEC,EXITING,8ORPHAN> proc=2000<WEXIT>
pri=17, usrpri=82, nice=20
forw=0xffffffffffffffff, list=0xffff800020e6c278,0xffff800020ed7d68
process=0xffff800020e80f70 user=0xffff800020f66000, vmspace=0xfffffd807efffa10
estcpu=36, cpticks=1, pctcpu=0.1
user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
23673 332070 0 0 3 0x14200 bored sosplice
66899 472371 1 0 3 0x100083 ttyin getty
17301 403347 0 0 3 0x14200 acct acct
50248 381466 66519 0 2 0x2 syz-executor.1
66519 428085 26999 0 3 0x82 nanosleep syz-fuzzer
66519 455523 26999 0 3 0x4000082 nanosleep syz-fuzzer
66519 38797 26999 0 3 0x4000082 thrsleep syz-fuzzer
66519 60749 26999 0 2 0x4000082 syz-fuzzer
66519 76538 26999 0 3 0x4000082 thrsleep syz-fuzzer
66519 223248 26999 0 3 0x4000082 thrsleep syz-fuzzer
66519 486990 26999 0 3 0x4000082 thrsleep syz-fuzzer
66519 127078 26999 0 3 0x4000082 thrsleep syz-fuzzer
66519 448787 26999 0 3 0x4000082 thrsleep syz-fuzzer
66519 120441 26999 0 3 0x4000082 thrsleep syz-fuzzer
26999 212793 7498 0 3 0x10008a pause ksh
7498 295 58952 0 7 0x12 sshd
58952 359756 1 0 3 0x80 select sshd
45002 384931 49530 74 3 0x100092 bpf pflogd
49530 135999 1 0 3 0x80 netio pflogd
7716 253990 92994 73 3 0x100090 kqread syslogd
92994 104323 1 0 3 0x100082 netio syslogd
86891 495311 1 77 3 0x100090 poll dhclient
71465 152365 1 0 3 0x80 poll dhclient
93118 445825 0 0 3 0x14200 bored smr
35699 457056 0 0 2 0x14200 zerothread
58760 446847 0 0 3 0x14200 aiodoned aiodoned
12685 120711 0 0 3 0x14200 syncer update
58081 220846 0 0 3 0x14200 cleaner cleaner
64815 244451 0 0 3 0x14200 reaper reaper
53996 585 0 0 3 0x14200 pgdaemon pagedaemon
86256 129386 0 0 3 0x14200 bored crynlk
44481 374012 0 0 3 0x14200 bored crypto
23110 204216 0 0 3 0x40014200 acpi0 acpi0
1916 446553 0 0 3 0x40014200 idle1
98698 338971 0 0 2 0x14200 softnet
85019 429258 0 0 2 0x14200 systqmp
22264 35086 0 0 3 0x14200 bored systq
32077 349709 0 0 3 0x40014200 bored softclock
70526 339667 0 0 3 0x40014200 idle0
1 215926 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
Process 50248 (syz-executor.1) thread 0xffff800020ed7d58 (381466)
exclusive rrwlock inode r = 0 (0xfffffd80645f0f88)
#0 witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0 witness_lock+0x4c7 sys/kern/subr_witness.c:1164
#1 rw_enter+0x453 sys/kern/kern_rwlock.c:311
#2 rrw_enter+0x88 sys/kern/kern_rwlock.c:462
#3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:603
#4 vn_lock+0x81 sys/kern/vfs_vnops.c:575
#5 vget+0x1c8 sys/kern/vfs_subr.c:671
#6 ufs_ihashget+0x141 sys/ufs/ufs/ufs_ihash.c:119
#7 ffs_vget+0x74 sys/ufs/ffs/ffs_vfsops.c:1329
#8 ufs_lookup+0x14b7 sys/ufs/ufs/ufs_lookup.c:487
#9 VOP_LOOKUP+0x5b sys/kern/vfs_vops.c:90
#10 vfs_lookup+0x7a6 sys/kern/vfs_lookup.c:568
#11 namei+0x63c sys/kern/vfs_lookup.c:249
#12 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1853
#13 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#13 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#14 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd806b32e098)
#0 witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0 witness_lock+0x4c7 sys/kern/subr_witness.c:1164
#1 rw_enter+0x453 sys/kern/kern_rwlock.c:311
#2 rrw_enter+0x88 sys/kern/kern_rwlock.c:462
#3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:603
#4 vn_lock+0x81 sys/kern/vfs_vnops.c:575
#5 vfs_lookup+0xe6 sys/kern/vfs_lookup.c:419
#6 namei+0x63c sys/kern/vfs_lookup.c:249
#7 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1853
#8 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#8 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#9 Xsyscall+0x128
Process 7498 (sshd) thread 0xffff800020ede760 (295)
exclusive rwlock netlock r = 0 (0xffffffff82536e78)
#0 witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0 witness_lock+0x4c7 sys/kern/subr_witness.c:1164
#1 solock+0x5a sys/kern/uipc_socket2.c:282
#2 sosend+0x559 sys/kern/uipc_socket.c:537
#3 dofilewritev+0x1b6 sys/kern/sys_generic.c:365
#4 sys_write+0x83 sys/kern/sys_generic.c:285
#5 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#5 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#6 Xsyscall+0x128
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 9527 6436K 6928K 78643K 10937 0
pcb 13 8K 8K 78643K 93 0
rtable 93 4K 4K 78643K 314 0
ifaddr 85 16K 16K 78643K 139 0
counters 43 33K 34K 78643K 59 0
ioctlops 0 0K 4K 78643K 1473 0
iov 0 0K 16K 78643K 36 0
mount 1 1K 1K 78643K 1 0
vnodes 1216 76K 77K 78643K 1350 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 5K 78643K 7 0
VM map 2 1K 1K 78643K 2 0
sem 12 1K 1K 78643K 35 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1809 196K 290K 78643K 12766 0
file desc 4 9K 25K 78643K 231 0
sigio 0 0K 0K 78643K 2 0
proc 62 63K 95K 78643K 468 0
subproc 23 1K 2K 78643K 34 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
ip_moptions 0 0K 0K 78643K 22 0
in_multi 59 2K 3K 78643K 110 0
ether_multi 1 0K 0K 78643K 11 0
mrt 0 0K 0K 78643K 4 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 43 201K 201K 78643K 43 0
exec 0 0K 1K 78643K 227 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 7 26K 26K 78643K 7 0
UVM amap 110 22K 23K 78643K 1708 0
UVM aobj 16 2K 2K 78643K 18 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
ip6_options 0 0K 0K 78643K 37 0
NDP 14 0K 0K 78643K 28 0
temp 107 3038K 3106K 78643K 15660 0
kqueue 3 4K 8K 78643K 13 0
SYN cache 2 16K 16K 78643K 2 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp 64 7 0 3 1 0 1 1 0 8 0
plcache 128 20 0 0 1 0 1 1 0 8 0
rtpcb 80 30 0 28 1 0 1 1 0 8 0
rtentry 112 59 0 24 2 0 2 2 0 8 0
unpcb 120 101 0 91 1 0 1 1 0 8 0
syncache 264 6 0 6 2 1 1 1 0 8 1
tcpqe 32 106 0 106 1 1 0 1 0 8 0
tcpcb 544 118 0 114 1 0 1 1 0 8 0
ipq 40 1 0 1 1 1 0 1 0 8 0
ipqe 40 2 0 2 1 1 0 1 0 8 0
inpcb 280 361 0 354 3 1 2 2 0 8 1
rttmr 72 2 0 2 1 0 1 1 0 8 1
nd6 48 8 0 6 1 0 1 1 0 8 0
pkpcb 40 2 0 2 1 1 0 1 0 8 0
ppxss 1128 1 0 1 1 0 1 1 0 8 1
pffrag 232 1 0 1 1 1 0 1 0 482 0
pffrnode 88 1 0 1 1 1 0 1 0 8 0
pffrent 40 45 0 45 1 1 0 1 0 8 0
pfosfp 40 846 0 423 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfstitem 24 34 0 16 1 0 1 1 0 8 0
pfstkey 112 34 0 16 1 0 1 1 0 8 0
pfstate 328 34 0 16 3 0 3 3 0 8 0
pfrule 1360 21 0 16 2 1 1 2 0 8 0
art_heap8 4096 4 0 1 4 1 3 3 0 8 0
art_heap4 256 272 0 90 13 0 13 13 0 8 0
art_table 32 276 0 91 2 0 2 2 0 8 0
art_node 16 58 0 24 1 0 1 1 0 8 0
sysvmsgpl 40 6 0 2 1 0 1 1 0 8 0
semupl 112 1 0 1 1 1 0 1 0 8 0
semapl 112 26 0 16 1 0 1 1 0 8 0
shmpl 112 16 0 2 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 1750 0 345 89 0 89 89 0 8 0
ffsino 272 1750 0 345 96 1 95 95 0 8 0
nchpl 144 2354 0 748 60 0 60 60 0 8 0
uvmvnodes 72 1862 0 0 34 0 34 34 0 8 0
vnodes 208 1862 0 0 98 0 98 98 0 8 0
namei 1024 6386 0 6386 3 2 1 1 0 8 1
percpumem 16 40 0 8 1 0 1 1 0 8 0
vmpool 560 2 0 2 1 0 1 1 0 8 1
scxspl 192 6141 0 6141 9 8 1 7 0 8 1
plimitpl 152 41 0 33 1 0 1 1 0 8 0
sigapl 424 449 0 417 4 0 4 4 0 8 0
futexpl 56 3457 0 3457 2 1 1 1 0 8 1
knotepl 112 74 0 55 1 0 1 1 0 8 0
kqueuepl 144 25 0 23 1 0 1 1 0 8 0
pipelkpl 48 94 0 84 1 0 1 1 0 8 0
pipepl 120 188 0 170 1 0 1 1 0 8 0
fdescpl 496 432 0 417 3 0 3 3 0 8 0
filepl 152 2679 0 2589 5 0 5 5 0 8 0
lockfpl 104 50 0 49 1 0 1 1 0 8 0
lockfspl 48 15 0 14 1 0 1 1 0 8 0
sessionpl 112 19 0 8 1 0 1 1 0 8 0
pgrppl 48 20 0 9 1 0 1 1 0 8 0
ucredpl 96 234 0 225 1 0 1 1 0 8 0
zombiepl 144 418 0 417 3 2 1 1 0 8 0
processpl 984 449 0 417 5 0 5 5 0 8 0
procpl 624 933 0 892 4 0 4 4 0 8 0
srpgc 64 2 0 2 1 1 0 1 0 8 0
sosppl 128 2 0 2 1 0 1 1 0 8 1
sockpl 400 495 0 476 4 1 3 3 0 8 1
mcl64k 65536 9 0 0 2 0 2 2 0 8 0
mcl16k 16384 1 0 0 1 0 1 1 0 8 0
mcl12k 12288 6 0 0 1 0 1 1 0 8 0
mcl9k 9216 2 0 0 1 0 1 1 0 8 0
mcl8k 8192 2 0 0 1 0 1 1 0 8 0
mcl4k 4096 6 0 0 1 0 1 1 0 8 0
mcl2k2 2112 1 0 0 1 0 1 1 0 8 0
mcl2k 2048 182 0 0 22 0 22 22 0 8 0
mtagpl 80 14 0 0 1 0 1 1 0 8 0
mbufpl 256 247 0 0 15 0 15 15 0 8 0
bufpl 280 3835 0 132 265 0 265 265 0 8 0
anonpl 16 56116 0 40751 78 4 74 77 0 124 7
amapchunkpl 152 2073 0 1938 8 0 8 8 0 158 0
amappl16 192 2096 0 1271 52 4 48 52 0 8 5
amappl15 184 2 0 1 1 0 1 1 0 8 0
amappl14 176 36 0 30 1 0 1 1 0 8 0
amappl13 168 26 0 25 1 0 1 1 0 8 0
amappl12 160 13 0 8 1 0 1 1 0 8 0
amappl11 152 60 0 45 1 0 1 1 0 8 0
amappl10 144 120 0 112 1 0 1 1 0 8 0
amappl9 136 481 0 479 1 0 1 1 0 8 0
amappl8 128 451 0 415 2 0 2 2 0 8 0
amappl7 120 221 0 210 1 0 1 1 0 8 0
amappl6 112 23 0 20 1 0 1 1 0 8 0
amappl5 104 334 0 317 1 0 1 1 0 8 0
amappl4 96 485 0 457 1 0 1 1 0 8 0
amappl3 88 111 0 106 1 0 1 1 0 8 0
amappl2 80 2496 0 2434 2 0 2 2 0 8 0
amappl1 72 19373 0 18946 23 13 10 18 0 8 0
amappl 80 1189 0 1147 2 0 2 2 0 84 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 64 17 0 2 1 0 1 1 0 8 0
uaddrrnd 24 434 0 419 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 434 0 419 1 0 1 1 0 8 0
vmmpekpl 168 7441 0 7409 2 0 2 2 0 8 0
vmmpepl 168 59272 0 57395 122 29 93 112 0 357 3
vmsppl 368 433 0 419 2 0 2 2 0 8 0
pdppl 4096 876 0 838 6 0 6 6 0 8 0
pvpl 32 183758 0 165307 179 3 176 179 0 265 20
pmappl 232 433 0 419 3 1 2 2 0 8 1
extentpl 40 46 0 29 1 0 1 1 0 8 0
phpool 112 271 0 8 8 0 8 8 0 8 0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
in_delmulti(fbfffffdffffffff) at in_delmulti+0x8d sys/netinet/in.c:914
in_purgeaddr(ffff800000aa5800) at in_purgeaddr+0x156 sys/netinet/in.c:760
in_ifdetach(ffff8000009d5000) at in_ifdetach+0x74 sys/netinet/in.c:971
if_detach(ffff8000009d5000) at if_detach+0x140 sys/net/if.c:1149
tun_clone_destroy(ffff8000009d5000) at tun_clone_destroy+0x1f2 sys/net/if_tun.c:329
tun_dev_close(5d00,7) at tun_dev_close+0x160 sys/net/if_tun.c:480
spec_close(ffff800020f6af00) at spec_close+0x311 sys/kern/spec_vnops.c:555
VOP_CLOSE(fffffd806e40e4e8,7,fffffd807f7bf960,ffff800020e6c008) at VOP_CLOSE+0xc0 sys/kern/vfs_vops.c:174
vn_closefile(fffffd8067e2f868,ffff800020e6c008) at vn_closefile+0xd7 vn_close sys/kern/vfs_vnops.c:298 [inline]
vn_closefile(fffffd8067e2f868,ffff800020e6c008) at vn_closefile+0xd7 sys/kern/vfs_vnops.c:614
fdrop(fffffd8067e2f868,ffff800020e6c008) at fdrop+0xc2 sys/kern/kern_descrip.c:1276
closef(fffffd8067e2f868,ffff800020e6c008) at closef+0x11c sys/kern/kern_descrip.c:1260
fdfree(ffff800020e6c008) at fdfree+0x101 sys/kern/kern_descrip.c:1192
exit1(ffff800020e6c008,0,19,1) at exit1+0x32c sys/kern/kern_exit.c:197
postsig(ffff800020e6c008,19) at postsig+0x4ed sigexit sys/kern/kern_sig.c:1483 [inline]
postsig(ffff800020e6c008,19) at postsig+0x4ed sys/kern/kern_sig.c:1415
userret(ffff800020e6c008) at userret+0x199 sys/kern/kern_sig.c:1867
syscall(ffff800020f6b380) at syscall+0x55f mi_syscall_return sys/sys/syscall_mi.h:129 [inline]
syscall(ffff800020f6b380) at syscall+0x55f sys/arch/amd64/amd64/trap.c:592
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffd8bb0, count: -17
ddb{0}> machine ddbcpu 1
Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp
x86_ipi_db(ffff800020e00ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:352
x86_ipi_handler() at x86_ipi_handler+0xc6 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
x86_bus_space_io_read_1(3f8,5) at x86_bus_space_io_read_1+0x3c sys/arch/amd64/amd64/bus_space.c:639
comcnputc(800,20) at comcnputc+0xb8 sys/dev/ic/com.c:1250
cnputc(20) at cnputc+0x4c sys/dev/cons.c:239
kputchar(20,5,0) at kputchar+0x219 sys/kern/subr_prf.c:343
kprintf() at kprintf+0x15c sys/kern/subr_prf.c:700
panic(ffffffff821f8f5b) at panic+0xf3 vprintf sys/kern/subr_prf.c:528 [inline]
panic(ffffffff821f8f5b) at panic+0xf3 sys/kern/subr_prf.c:197
pool_cache_get(ffffffff82667c68) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1781 [inline]
pool_cache_get(ffffffff82667c68) at pool_cache_get+0x323 sys/kern/subr_pool.c:1884
pool_get(ffffffff82667c68,2) at pool_get+0x91 sys/kern/subr_pool.c:572
m_copym(fffffd806b246800,135c,580,2) at m_copym+0x174 m_get sys/kern/uipc_mbuf.c:250 [inline]
m_copym(fffffd806b246800,135c,580,2) at m_copym+0x174 sys/kern/uipc_mbuf.c:667
tcp_output(ffff800000a0b760) at tcp_output+0x15ba sys/netinet/tcp_output.c:673
tcp_usrreq(fffffd806eb37968,9,fffffd806f2e3c00,0,0,ffff800020ede760) at tcp_usrreq+0xa55
end trace frame: 0xffff800020e91a90, count: 0
ddb{1}> trace
x86_ipi_db(ffff800020e00ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:352
x86_ipi_handler() at x86_ipi_handler+0xc6 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
x86_bus_space_io_read_1(3f8,5) at x86_bus_space_io_read_1+0x3c sys/arch/amd64/amd64/bus_space.c:639
comcnputc(800,20) at comcnputc+0xb8 sys/dev/ic/com.c:1250
cnputc(20) at cnputc+0x4c sys/dev/cons.c:239
kputchar(20,5,0) at kputchar+0x219 sys/kern/subr_prf.c:343
kprintf() at kprintf+0x15c sys/kern/subr_prf.c:700
panic(ffffffff821f8f5b) at panic+0xf3 vprintf sys/kern/subr_prf.c:528 [inline]
panic(ffffffff821f8f5b) at panic+0xf3 sys/kern/subr_prf.c:197
pool_cache_get(ffffffff82667c68) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1781 [inline]
pool_cache_get(ffffffff82667c68) at pool_cache_get+0x323 sys/kern/subr_pool.c:1884
pool_get(ffffffff82667c68,2) at pool_get+0x91 sys/kern/subr_pool.c:572
m_copym(fffffd806b246800,135c,580,2) at m_copym+0x174 m_get sys/kern/uipc_mbuf.c:250 [inline]
m_copym(fffffd806b246800,135c,580,2) at m_copym+0x174 sys/kern/uipc_mbuf.c:667
tcp_output(ffff800000a0b760) at tcp_output+0x15ba sys/netinet/tcp_output.c:673
tcp_usrreq(fffffd806eb37968,9,fffffd806f2e3c00,0,0,ffff800020ede760) at tcp_usrreq+0xa55
sosend(fffffd806eb37968,0,ffff800020e91b58,0,0,80) at sosend+0x671 sys/kern/uipc_socket.c:549
dofilewritev(ffff800020ede760,4,ffff800020e91b58,0,ffff800020e91c40) at dofilewritev+0x1b6 sys/kern/sys_generic.c:365
sys_write(ffff800020ede760,ffff800020e91bf0,ffff800020e91c40) at sys_write+0x83 sys/kern/sys_generic.c:285
syscall(ffff800020e91cc0) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800020e91cc0) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffc00b0, count: -19


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Greg Steuck

Apr 30, 2020, 2:30:56 PM
to syzbot, syzkaller-o...@googlegroups.com
#syz dup: pool: cpu free list modified: mbufpl



--
nest.cx is Gmail hosted, use PGP: https://pgp.key-server.io/0x0B1542BD8DF5A1B0
Fingerprint: 5E2B 2D0E 1E03 2046 BEC3 4D50 0B15 42BD 8DF5 A1B0