panic: Data modified on freelist: word 5 of object ADDR size 0x100 previous type devbuf (0xd != ADDR)


syzbot

Sep 12, 2019, 12:09:08 PM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: caeae271 Prepare for the emac/gmac "phy" property being re..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=153f9fc1600000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0fe83f82fe104d4
dashboard link: https://syzkaller.appspot.com/bug?extid=addd846143d57e360675

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+addd84...@syzkaller.appspotmail.com

panic: Data modified on freelist: word 5 of object 0xffff800000a92b00 size
0x100 previous type devbuf (0xd != 0xdead4110)

Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*342917 65382 0 0 0x4000000 0 syz-executor.0
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
malloc(100,2,a) at malloc+0xa23 sys/kern/kern_malloc.c:331
bpfopen(31700,1,2000,ffff800016b43650) at bpfopen+0xb5 sys/net/bpf.c:362
spec_open_clone(ffff800016513e18) at spec_open_clone+0x241
sys/kern/spec_vnops.c:737
spec_open(ffff800016513e18) at spec_open+0x40e
VOP_OPEN(fffffd8036ce88f0,1,fffffd803f7c6b40,ffff800016b43650) at
VOP_OPEN+0x6a sys/kern/vfs_vops.c:154
vn_open(ffff800016514058,1,0) at vn_open+0x494 sys/kern/vfs_vnops.c:174
doopenat(ffff800016b43650,ffffff9c,20000040,0,0,ffff800016514250) at
doopenat+0x28e sys/kern/vfs_syscalls.c:1157
syscall(ffff8000165142d0) at syscall+0x507 sys/arch/amd64/amd64/trap.c:555
Xsyscall(6,0,ffffffffffffffa2,0,4,e9dc7a3d0e0) at Xsyscall+0x128
end of kernel
end trace frame: 0xe9ffc5494e0, count: 4
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Sep 12, 2019, 2:34:07 PM
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: caeae271 Prepare for the emac/gmac "phy" property being re..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=122e4c59600000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13920831600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+addd84...@syzkaller.appspotmail.com

panic: Data modified on freelist: word 5 of object 0xffff800000a72700 size
0x100 previous type devbuf (0xd != 0xdead4110)

Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*252196 60663 0 0 0x4000000 0 syz-executor.0
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
malloc(100,2,a) at malloc+0xa23 sys/kern/kern_malloc.c:331
bpfopen(21700,1,2000,ffff8000ffff8280) at bpfopen+0xb5 sys/net/bpf.c:362
spec_open_clone(ffff800014918808) at spec_open_clone+0x241
sys/kern/spec_vnops.c:737
spec_open(ffff800014918808) at spec_open+0x40e
VOP_OPEN(fffffd8036ce1750,1,fffffd803f7c6b40,ffff8000ffff8280) at
VOP_OPEN+0x6a sys/kern/vfs_vops.c:154
vn_open(ffff800014918a48,1,0) at vn_open+0x494 sys/kern/vfs_vnops.c:174
doopenat(ffff8000ffff8280,ffffff9c,20000040,0,0,ffff800014918c40) at
doopenat+0x28e sys/kern/vfs_syscalls.c:1157
syscall(ffff800014918cc0) at syscall+0x507 sys/arch/amd64/amd64/trap.c:555
Xsyscall(6,0,ffffffffffffffa2,0,4,24bb1b9a010) at Xsyscall+0x128
end of kernel
end trace frame: 0x24dcec5f290, count: 4
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
Data modified on freelist: word 5 of object 0xffff800000a72700 size 0x100
previous type devbuf (0xd != 0xdead4110)

ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
malloc(100,2,a) at malloc+0xa23 sys/kern/kern_malloc.c:331
bpfopen(21700,1,2000,ffff8000ffff8280) at bpfopen+0xb5 sys/net/bpf.c:362
spec_open_clone(ffff800014918808) at spec_open_clone+0x241
sys/kern/spec_vnops.c:737
spec_open(ffff800014918808) at spec_open+0x40e
VOP_OPEN(fffffd8036ce1750,1,fffffd803f7c6b40,ffff8000ffff8280) at
VOP_OPEN+0x6a sys/kern/vfs_vops.c:154
vn_open(ffff800014918a48,1,0) at vn_open+0x494 sys/kern/vfs_vnops.c:174
doopenat(ffff8000ffff8280,ffffff9c,20000040,0,0,ffff800014918c40) at
doopenat+0x28e sys/kern/vfs_syscalls.c:1157
syscall(ffff800014918cc0) at syscall+0x507 sys/arch/amd64/amd64/trap.c:555
Xsyscall(6,0,ffffffffffffffa2,0,4,24bb1b9a010) at Xsyscall+0x128
end of kernel
end trace frame: 0x24dcec5f290, count: -11
ddb> show registers
rdi 0
rsi 0x1
rbp 0xffff800014918510
rbx 0xffff8000149185c0
rdx 0x2
rcx 0x1
rax 0x1
r8 0xffff8000149184d0
r9 0x1
r10 0x1e2a43d0ef48f8b0
r11 0xb5a1fb27050c5138
r12 0x3000000008
r13 0xffff800014918520
r14 0x100
r15 0x1
rip 0xffffffff81defc18 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800014918500
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb>

Anton Lindqvist

Oct 13, 2019, 10:21:04 AM
to syzbot, syzkaller-o...@googlegroups.com
Will likely occur again, next time with a normalized title.

#syz invalid