panic: receive 3: so ADDR, so_type 1, m ADDR, m_type 6

syzbot

Dec 8, 2018, 11:25:03 PM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 737f2a163501 anton@: Do not trace before kcovopen() has be..
git tree: https://github.com/blackgnezdo/src.git anton-kcov-dec8
console output: https://syzkaller.appspot.com/x/log.txt?x=139a9a43400000
kernel config: https://syzkaller.appspot.com/x/.config?x=f2ee3db928411249
dashboard link: https://syzkaller.appspot.com/bug?extid=613db18acc3d2149ab94
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+613db1...@syzkaller.appspotmail.com

panic: receive 3: so 0xffffff007b7b3968, so_type 1, m 0xffffff006d8f0a00,
m_type 6
Stopped at db_enter+0xa: popq %rbp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
521684 11222 65534 0x10 0 0 syz-executor0
* 48731 11222 65534 0x10 0x4000000 1K syz-executor0
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
soreceive(0,ffffff007b7b3968,ffff800021178ee0,120d,ffff800021178f70,ffffff007b7b3968)
at
soreceive+0x12d8 sys/kern/uipc_socket.c:933
recvit(ffff800021178fa0,ffff8000211790a8,ffff800021179090,ffff8000210a24c8,0)
at
recvit+0x28d sys/kern/uipc_syscalls.c:822
sys_recvmsg(1b0,ffff8000210a24c8,1) at sys_recvmsg+0x120
sys/kern/uipc_syscalls.c:758
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,ffffffffffffffc1,0,3,3782db2a010) at Xsyscall+0x128
end of kernel
end trace frame: 0x37a755a1e90, count: 8
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> show panic
receive 3: so 0xffffff007b7b3968, so_type 1, m 0xffffff006d8f0a00, m_type 6
ddb{1}> trace
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
soreceive(0,ffffff007b7b3968,ffff800021178ee0,120d,ffff800021178f70,ffffff007b7b3968)
at
soreceive+0x12d8 sys/kern/uipc_socket.c:933
recvit(ffff800021178fa0,ffff8000211790a8,ffff800021179090,ffff8000210a24c8,0)
at
recvit+0x28d sys/kern/uipc_syscalls.c:822
sys_recvmsg(1b0,ffff8000210a24c8,1) at sys_recvmsg+0x120
sys/kern/uipc_syscalls.c:758
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,ffffffffffffffc1,0,3,3782db2a010) at Xsyscall+0x128
end of kernel
end trace frame: 0x37a755a1e90, count: -7
ddb{1}> show registers
rdi 0xffffffff81e337f8 kprintf_mutex
rsi 0xffffffff81696879 db_enter+0x9
rbp 0xffff800021178d30
rbx 0xffff800021178dd0
rdx 0xffff800001ed7000
rcx 0x24cf __ALIGN_SIZE+0x14cf
rax 0xffff800001ed7000
r8 0xffff800021178d00
r9 0x1
r10 0
r11 0xffffffff8181f470 x86_bus_space_io_read_1
r12 0x3000000008
r13 0xffff800021178d40
r14 0x100
r15 0xffffffff81bdc2ec cmd0646_9_tim_udma+0x65fa
rip 0xffffffff8169687a db_enter+0xa
cs 0x8
rflags 0x206
rsp 0xffff800021178d30
ss 0x10
db_enter+0xa: popq %rbp
ddb{1}> show proc
PROC (syz-executor0) pid=48731 stat=onproc
flags process=10<SUGID> proc=4000000<THREAD>
pri=24, usrpri=78, nice=20
forw=0xffffffffffffffff, list=0xffff8000210a3080,0xffff8000210a2028
process=0xffff8000210b7630 user=0xffff800021174000,
vmspace=0xffffff0065b61008
estcpu=28, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
11222 521684 14076 65534 7 0x10 syz-executor0
*11222 48731 14076 65534 7 0x4000010 syz-executor0
11222 179203 14076 65534 3 0x4000090 fsleep syz-executor0
11222 323481 14076 65534 2 0x4000010 syz-executor0
89894 280444 75090 65534 3 0x90 piperd syz-executor1
75090 282662 13149 0 3 0x82 wait syz-executor1
14076 80091 40599 65534 3 0x90 nanosleep syz-executor0
40599 355716 13149 0 3 0x82 wait syz-executor0
50526 324449 0 0 3 0x14200 bored sosplice
13149 200260 4649 0 3 0x82 thrsleep syz-fuzzer
13149 125819 4649 0 3 0x4000082 thrsleep syz-fuzzer
13149 230151 4649 0 3 0x4000082 thrsleep syz-fuzzer
13149 227809 4649 0 3 0x4000082 thrsleep syz-fuzzer
13149 283688 4649 0 3 0x4000082 thrsleep syz-fuzzer
13149 200955 4649 0 3 0x4000082 thrsleep syz-fuzzer
13149 139105 4649 0 3 0x4000082 thrsleep syz-fuzzer
13149 70928 4649 0 3 0x4000082 thrsleep syz-fuzzer
13149 170519 4649 0 3 0x4000082 thrsleep syz-fuzzer
13149 482957 4649 0 3 0x4000082 kqread syz-fuzzer
13149 221521 4649 0 3 0x4000082 thrsleep syz-fuzzer
13149 277828 4649 0 3 0x4000082 thrsleep syz-fuzzer
4649 147926 30184 0 3 0x10008a pause ksh
30184 422934 36983 0 3 0x92 select sshd
85412 449362 1 0 3 0x100083 ttyin getty
36983 478379 1 0 3 0x80 select sshd
67414 349143 87318 73 3 0x100090 kqread syslogd
87318 25464 1 0 3 0x100082 netio syslogd
51967 234058 1 77 3 0x100090 poll dhclient
39487 400526 1 0 3 0x80 poll dhclient
77144 445327 0 0 3 0x14200 pgzero zerothread
97175 381311 0 0 3 0x14200 aiodoned aiodoned
66378 523883 0 0 3 0x14200 syncer update
52407 461900 0 0 3 0x14200 cleaner cleaner
59060 278313 0 0 3 0x14200 reaper reaper
8244 346818 0 0 3 0x14200 pgdaemon pagedaemon
26440 235016 0 0 3 0x14200 bored crynlk
18806 427711 0 0 3 0x14200 bored crypto
7534 192303 0 0 3 0x40014200 acpi0 acpi0
80756 294424 0 0 3 0x40014200 idle1
45839 326789 0 0 3 0x14200 bored softnet
35077 187174 0 0 3 0x14200 bored systqmp
72790 274068 0 0 3 0x14200 bored systq
82868 405744 0 0 3 0x40014200 bored softclock
45095 23796 0 0 3 0x40014200 idle0
1 194659 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

syzbot

Dec 13, 2018, 4:07:05 AM
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 918267856206 document show-indexed
git tree: https://github.com/openbsd/src.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1075dba3400000
kernel config: https://syzkaller.appspot.com/x/.config?x=906264fb5874384d
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1654315d400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+613db1...@syzkaller.appspotmail.com

login: panic: receive 3: so 0xffffff0036f10c00, so_type 1, m
0xffffff0037cb8400, m_type 6
Stopped at db_enter+0xa: popq %rbp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*131206 39170 0 0 0x4000000 0 syz-executor0
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
soreceive(0,ffffff0036f10c00,0,1088,ffff800014adc170,842) at
soreceive+0x1288 sys/kern/uipc_socket.c:933
recvit(ffff800014adc1a0,ffff800014adc2a8,ffff800014adc290,ffff8000ffffc710,0)
at
recvit+0x28c sys/kern/uipc_syscalls.c:822
sys_recvmsg(ffff800014adc330,ffff8000ffffc710,ffff800014a15010) at
sys_recvmsg+0x120 sys/kern/uipc_syscalls.c:758
syscall(0) at syscall+0x3e4
Xsyscall(6,0,ffffffffffffffc1,0,3,dee49aa8010) at Xsyscall+0x128
end of kernel
end trace frame: 0xdf0e6d2eb90, count: 8
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb> show panic
receive 3: so 0xffffff0036f10c00, so_type 1, m 0xffffff0037cb8400, m_type 6
ddb> trace
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
soreceive(0,ffffff0036f10c00,0,1088,ffff800014adc170,842) at
soreceive+0x1288 sys/kern/uipc_socket.c:933
recvit(ffff800014adc1a0,ffff800014adc2a8,ffff800014adc290,ffff8000ffffc710,0)
at
recvit+0x28c sys/kern/uipc_syscalls.c:822
sys_recvmsg(ffff800014adc330,ffff8000ffffc710,ffff800014a15010) at
sys_recvmsg+0x120 sys/kern/uipc_syscalls.c:758
syscall(0) at syscall+0x3e4
Xsyscall(6,0,ffffffffffffffc1,0,3,dee49aa8010) at Xsyscall+0x128
end of kernel
end trace frame: 0xdf0e6d2eb90, count: -7
ddb> show registers
rdi 0xffffffff81e142a0 kprintf_mutex
rsi 0x5
rbp 0xffff800014adbf30
rbx 0xffff800014adbfd0
rdx 0x3fd
rcx 0
rax 0x1
r8 0xffff800014adbf00
r9 0
r10 0xfcf73b1ead661cdf
r11 0xffffffff81923d20 x86_bus_space_io_read_1
r12 0x3000000008
r13 0xffff800014adbf40
r14 0x100
r15 0xffffffff81bc5de3 cmd0646_9_tim_udma+0x925d
rip 0xffffffff81b0d86a db_enter+0xa
cs 0x8
rflags 0x202
rsp 0xffff800014adbf30
ss 0x10
db_enter+0xa: popq %rbp
ddb> show proc
PROC (syz-executor0) pid=131206 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=24, usrpri=50, nice=20
forw=0xffffffffffffffff, list=0xffff8000ffffc008,0xffff8000ffffce28
process=0xffff800014a15010 user=0xffff800014ad7000,
vmspace=0xffffff003f12c000
estcpu=0, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
39170 176644 1433 0 2 0 syz-executor0
*39170 131206 1433 0 7 0x4000000 syz-executor0
39170 241643 1433 0 3 0x4000080 fsleep syz-executor0
39170 155409 1433 0 3 0x4000080 netlck syz-executor0
39170 292872 1433 0 2 0x4000000 syz-executor0
87591 426937 87001 0 3 0x3000 suspend syz-executor1
87591 153834 87001 0 2 0x4081000 syz-executor1
87001 282317 82154 0 3 0x82 nanosleep syz-executor1
1433 395538 82154 0 3 0x82 nanosleep syz-executor0
82154 395140 25320 0 3 0x82 thrsleep syz-execprog
82154 70944 25320 0 3 0x4000082 thrsleep syz-execprog
82154 459870 25320 0 3 0x4000082 thrsleep syz-execprog
82154 462347 25320 0 3 0x4000082 thrsleep syz-execprog
82154 156408 25320 0 3 0x4000082 kqread syz-execprog
82154 346662 25320 0 3 0x4000082 thrsleep syz-execprog
82154 336836 25320 0 3 0x4000082 thrsleep syz-execprog
25320 78013 57357 0 3 0x10008a pause ksh
57357 137376 32404 0 3 0x92 select sshd
46769 251103 1 0 3 0x100083 ttyin getty
32404 292256 1 0 3 0x80 select sshd
90920 470109 21791 73 3 0x100090 kqread syslogd
21791 457595 1 0 3 0x100082 netio syslogd
36408 263705 1 77 3 0x100090 poll dhclient
67487 153267 1 0 3 0x80 poll dhclient
37210 291091 0 0 2 0x14200 zerothread
30344 451247 0 0 3 0x14200 aiodoned aiodoned
67467 432326 0 0 3 0x14200 syncer update
33898 68195 0 0 3 0x14200 cleaner cleaner
31763 279885 0 0 3 0x14200 reaper reaper
80912 73183 0 0 3 0x14200 pgdaemon pagedaemon
26400 203534 0 0 3 0x14200 bored crynlk
96518 375969 0 0 3 0x14200 bored crypto
7481 433926 0 0 3 0x40014200 acpi0 acpi0
30862 166764 0 0 3 0x14200 bored softnet
82005 238529 0 0 3 0x14200 bored systqmp
93816 143418 0 0 3 0x14200 bored systq
15199 264900 0 0 3 0x40014200 bored softclock
52029 182646 0 0 3 0x40014200 idle0
1 95489 0 0 3 0x82 wait init

syzbot

Dec 13, 2018, 6:59:04 PM
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: c8b13bcdae05 Use a faster, more reliable way to figure out..
console output: https://syzkaller.appspot.com/x/log.txt?x=1309381b400000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1268895d400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10a5c28b400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+613db1...@syzkaller.appspotmail.com

login: panic: receive 3: so 0xffffff006e712a88, so_type 1, m
0xffffff006d9d2400, m_type 6
Stopped at db_enter+0xa: popq %rbp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
73615 44778 0 0x2 0 0 syz-executor7360
*222691 44778 0 0x2 0x4000000 1K syz-executor7360
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
soreceive(0,ffffff006e712a88,0,9,ffff800021115ac8,ffffff006e712a88) at
soreceive+0x12d8 sys/kern/uipc_socket.c:933
recvit(ffff8000210f44c0,ffff800021115b60,0,ffff800021115b78,ae7c960f268) at
recvit+0x28d sys/kern/uipc_syscalls.c:822
sys_recvfrom(1d0,ffff8000210f44c0,1) at sys_recvfrom+0xbc
sys/kern/uipc_syscalls.c:722
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,ae7dc87d0a0,0,ae4dd3a1098,ae4dd3a1090) at Xsyscall+0x128
end of kernel
end trace frame: 0xae7c960f280, count: 8
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> show panic
receive 3: so 0xffffff006e712a88, so_type 1, m 0xffffff006d9d2400, m_type 6
ddb{1}> trace
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
soreceive(0,ffffff006e712a88,0,9,ffff800021115ac8,ffffff006e712a88) at
soreceive+0x12d8 sys/kern/uipc_socket.c:933
recvit(ffff8000210f44c0,ffff800021115b60,0,ffff800021115b78,ae7c960f268) at
recvit+0x28d sys/kern/uipc_syscalls.c:822
sys_recvfrom(1d0,ffff8000210f44c0,1) at sys_recvfrom+0xbc
sys/kern/uipc_syscalls.c:722
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,ae7dc87d0a0,0,ae4dd3a1098,ae4dd3a1090) at Xsyscall+0x128
end of kernel
end trace frame: 0xae7c960f280, count: -7
ddb{1}> show registers
rdi 0xffffffff81e24a88 kprintf_mutex
rsi 0x5
rbp 0xffff800021115880
rbx 0xffff800021115920
rdx 0x3fd
rcx 0
rax 0x1
r8 0xffff800021115850
r9 0x1
r10 0
r11 0xffffffff8181ffb0 x86_bus_space_io_read_1
r12 0x3000000008
r13 0xffff800021115890
r14 0x100
r15 0xffffffff81bdb731 cmd0646_9_tim_udma+0x5099
rip 0xffffffff81572dea db_enter+0xa
cs 0x8
rflags 0x202
rsp 0xffff800021115880
ss 0x10
db_enter+0xa: popq %rbp
ddb{1}> show proc
PROC (syz-executor7360) pid=222691 stat=onproc
flags process=2<EXEC> proc=4000000<THREAD>
pri=24, usrpri=50, nice=20
forw=0xffffffffffffffff, list=0xffff8000210f5078,0xffff8000210f4980
process=0xffff8000210be660 user=0xffff800021110000,
vmspace=0xffffff007f125528
estcpu=0, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
44778 73615 32262 0 7 0x2 syz-executor7360
*44778 222691 32262 0 7 0x4000002 syz-executor7360
44778 482528 32262 0 3 0x4000082 fsleep syz-executor7360
44778 61637 32262 0 2 0x4000002 syz-executor7360
32262 280502 47567 0 3 0x10008a pause ksh
47567 255622 26380 0 3 0x92 select sshd
64220 288868 1 0 3 0x100083 ttyin getty
26380 290595 1 0 3 0x80 select sshd
2320 257292 99985 73 3 0x100090 kqread syslogd
99985 402626 1 0 3 0x100082 netio syslogd
85652 158266 1 77 3 0x100090 poll dhclient
45156 360504 1 0 3 0x80 poll dhclient
59167 43889 0 0 3 0x14200 pgzero zerothread
67162 292654 0 0 3 0x14200 aiodoned aiodoned
79224 491365 0 0 3 0x14200 syncer update
22387 437433 0 0 3 0x14200 cleaner cleaner
54262 288353 0 0 3 0x14200 reaper reaper
56367 487157 0 0 3 0x14200 pgdaemon pagedaemon
42123 457304 0 0 3 0x14200 bored crynlk
61013 487984 0 0 3 0x14200 bored crypto
12148 288726 0 0 3 0x40014200 acpi0 acpi0
11228 25460 0 0 3 0x40014200 idle1
2114 128692 0 0 3 0x14200 bored softnet
4125 307921 0 0 3 0x14200 bored systqmp
52595 108251 0 0 3 0x14200 bored systq
50144 473570 0 0 3 0x40014200 bored softclock
26918 149941 0 0 3 0x40014200 idle0
1 455980 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}>

Anton Lindqvist

Dec 18, 2018, 1:51:48 PM
to syzbot, syzkaller-o...@googlegroups.com
#syz fix: When using MSG_WAITALL, soreceive() can sleep while processing the