panic: m_zero: M_READONLY


syzbot

Jan 2, 2019, 9:32:04 AM1/2/19
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 3756733c7afe static on global vars, const on handler table..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=161b429f400000
kernel config: https://syzkaller.appspot.com/x/.config?x=f2ee3db928411249
dashboard link: https://syzkaller.appspot.com/bug?extid=c578107d70008715d41f
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c57810...@syzkaller.appspotmail.com

panic: m_zero: M_READONLY
Stopped at db_enter+0xa: popq %rbp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*271432 38420 65534 0x10 0 0K syz-executor1
243159 34145 0 0x14000 0x200 1 reaper
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
m_free(ffffff007a550700) at m_free+0x17a sys/kern/uipc_mbuf.c:1267
m_freem(ffffffff) at m_freem+0x2d sys/kern/uipc_mbuf.c:525
vio_txeof(ffff800000173290) at vio_txeof+0x104 sys/dev/pv/if_vio.c:1140
vio_tx_intr(ffff800000173110) at vio_tx_intr+0x25 sys/dev/pv/if_vio.c:1116
intr_handler(a,ffff80000064d280) at intr_handler+0x6b
sys/arch/amd64/amd64/intr.c:529
Xintr_ioapic_edge20_untramp(0,ffffffff813e62f0,0,18041969,a,0) at
Xintr_ioapic_edge20_untramp+0x19f
Xspllower(7f7ffffcb000,ffffff007f1246c0,0,1,ffffffff812ed8db,7f7fffecb000)
at Xspllower+0xc
pmap_write_protect(ffffff007a6afa10,ffffff0069a0ebf0,7f7fffecb000,1) at
pmap_write_protect+0x311 sys/arch/amd64/amd64/pmap.c:1889
uvm_mapent_forkcopy(7f7fffecb000,7f7fffecb000,ffffff007a61d858,100000,ffffff007a6afa10)
at
uvm_mapent_forkcopy+0x19d pmap_protect
sys/arch/amd64/compile/SYZKALLER/obj/machine/pmap.h:470 [inline]
uvm_mapent_forkcopy(7f7fffecb000,7f7fffecb000,ffffff007a61d858,100000,ffffff007a6afa10)
at
uvm_mapent_forkcopy+0x19d sys/uvm/uvm_map.c:3809
uvmspace_fork(ffff8000210b6668) at uvmspace_fork+0x1c9
sys/uvm/uvm_map.c:3939
process_new(ffffffff81acd080,1,ffff8000210a2978) at process_new+0x1d9
sys/kern/kern_fork.c:272
fork1() at fork1+0x26d sys/kern/kern_fork.c:392
end trace frame: 0xffff8000211695d0, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> show panic
m_zero: M_READONLY
ddb{0}> trace
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
m_free(ffffff007a550700) at m_free+0x17a sys/kern/uipc_mbuf.c:1267
m_freem(ffffffff) at m_freem+0x2d sys/kern/uipc_mbuf.c:525
vio_txeof(ffff800000173290) at vio_txeof+0x104 sys/dev/pv/if_vio.c:1140
vio_tx_intr(ffff800000173110) at vio_tx_intr+0x25 sys/dev/pv/if_vio.c:1116
intr_handler(a,ffff80000064d280) at intr_handler+0x6b
sys/arch/amd64/amd64/intr.c:529
Xintr_ioapic_edge20_untramp(0,ffffffff813e62f0,0,18041969,a,0) at
Xintr_ioapic_edge20_untramp+0x19f
Xspllower(7f7ffffcb000,ffffff007f1246c0,0,1,ffffffff812ed8db,7f7fffecb000)
at Xspllower+0xc
pmap_write_protect(ffffff007a6afa10,ffffff0069a0ebf0,7f7fffecb000,1) at
pmap_write_protect+0x311 sys/arch/amd64/amd64/pmap.c:1889
uvm_mapent_forkcopy(7f7fffecb000,7f7fffecb000,ffffff007a61d858,100000,ffffff007a6afa10)
at
uvm_mapent_forkcopy+0x19d pmap_protect
sys/arch/amd64/compile/SYZKALLER/obj/machine/pmap.h:470 [inline]
uvm_mapent_forkcopy(7f7fffecb000,7f7fffecb000,ffffff007a61d858,100000,ffffff007a6afa10)
at
uvm_mapent_forkcopy+0x19d sys/uvm/uvm_map.c:3809
uvmspace_fork(ffff8000210b6668) at uvmspace_fork+0x1c9
sys/uvm/uvm_map.c:3939
process_new(ffffffff81acd080,1,ffff8000210a2978) at process_new+0x1d9
sys/kern/kern_fork.c:272
fork1() at fork1+0x26d sys/kern/kern_fork.c:392
syscall(0) at syscall+0x466 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x466 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,2,0,2,0,7f7ffffca290) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffca240, count: -16
ddb{0}> show registers
rdi 0xffffffff81e323f0 kprintf_mutex
rsi 0x5
rbp 0xffff800021169098
rbx 0xffff800021169138
rdx 0x3fd
rcx 0
rax 0xffffffff81e14ff0 cpu_info_full_primary+0x1ff0
r8 0xffff800021169068
r9 0
r10 0xffff8000211692e8
r11 0xffffff007a54f870
r12 0x3000000008
r13 0xffff8000211690a8
r14 0x100
r15 0xffffffff81bed177 apollo_pio_rec+0x6e0d
rip 0xffffffff811b599a db_enter+0xa
cs 0x8
rflags 0x202
rsp 0xffff800021169098
ss 0x10
db_enter+0xa: popq %rbp
ddb{0}> show proc
PROC (syz-executor1) pid=271432 stat=onproc
flags process=10<SUGID> proc=0
pri=51, usrpri=51, nice=20
forw=0xffffffffffffffff, list=0xffff8000210a3c38,0xffff8000210a2be0
process=0xffff8000210b6668 user=0xffff800021164000,
vmspace=0xffffff007a61d648
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=0, intr=1
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
81109 15067 73278 65534 3 0x90 nanosleep syz-executor0
73278 256925 71996 0 3 0x82 wait syz-executor0
*38420 271432 97081 65534 7 0x10 syz-executor1
97081 229749 71996 0 3 0x82 wait syz-executor1
89345 176319 0 0 3 0x14200 bored sosplice
71996 516837 18428 0 3 0x82 thrsleep syz-fuzzer
71996 355042 18428 0 3 0x4000082 nanosleep syz-fuzzer
71996 445212 18428 0 3 0x4000082 thrsleep syz-fuzzer
71996 190866 18428 0 2 0x4000082 syz-fuzzer
71996 52366 18428 0 3 0x4000082 thrsleep syz-fuzzer
71996 185877 18428 0 3 0x4000082 thrsleep syz-fuzzer
71996 323059 18428 0 3 0x4000082 nanosleep syz-fuzzer
71996 137239 18428 0 3 0x4000082 thrsleep syz-fuzzer
71996 271634 18428 0 3 0x4000082 thrsleep syz-fuzzer
71996 464063 18428 0 3 0x4000082 thrsleep syz-fuzzer
18428 177841 40744 0 3 0x10008a pause ksh
40744 302406 66287 0 3 0x92 select sshd
68098 311158 1 0 3 0x100083 ttyin getty
66287 429190 1 0 3 0x80 select sshd
87188 114645 87106 73 3 0x100090 kqread syslogd
87106 121873 1 0 3 0x100082 netio syslogd
32599 247974 1 77 3 0x100090 poll dhclient
10522 289304 1 0 3 0x80 poll dhclient
55251 387744 0 0 3 0x14200 pgzero zerothread
86336 473417 0 0 3 0x14200 aiodoned aiodoned
51998 192629 0 0 3 0x14200 syncer update
57640 411886 0 0 3 0x14200 cleaner cleaner
34145 243159 0 0 7 0x14200 reaper
35643 319513 0 0 3 0x14200 pgdaemon pagedaemon
22832 377428 0 0 3 0x14200 bored crynlk
91215 408185 0 0 3 0x14200 bored crypto
82510 429895 0 0 3 0x40014200 acpi0 acpi0
45021 419610 0 0 3 0x40014200 idle1
71982 81480 0 0 3 0x14200 bored softnet
69704 143110 0 0 3 0x14200 bored systqmp
5836 215615 0 0 3 0x14200 bored systq
12019 417903 0 0 3 0x40014200 bored softclock
46439 215715 0 0 3 0x40014200 idle0
1 462081 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper


---
This bug report was generated automatically by a bot and may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

syzbot

Jan 4, 2019, 6:49:14 AM1/4/19
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 3756733c7afe static on global vars, const on handler table..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=172e54d7400000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14cec480c00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=136e8ce3400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c57810...@syzkaller.appspotmail.com

login: panic: m_zero: M_READONLY
Stopped at db_enter+0xa: popq %rbp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
m_free(ffffff006d632b00) at m_free+0x17a sys/kern/uipc_mbuf.c:1267
m_freem(ffffffff) at m_freem+0x2d sys/kern/uipc_mbuf.c:525
vio_txeof(ffff800000173290) at vio_txeof+0x104 sys/dev/pv/if_vio.c:1140
vio_tx_intr(ffff800000173110) at vio_tx_intr+0x25 sys/dev/pv/if_vio.c:1116
intr_handler(0,ffff80000064d280) at intr_handler+0x6b
sys/arch/amd64/amd64/intr.c:529
Xintr_ioapic_edge20_untramp(0,0,1388,0,ffff800000022a00,ffff800000022a00)
at Xintr_ioapic_edge20_untramp+0x19f
acpicpu_idle() at acpicpu_idle+0x251 sys/dev/acpi/acpicpu.c:1187
sched_idle(0) at sched_idle+0x374 sys/kern/kern_sched.c:177
end trace frame: 0x0, count: 5
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> show panic
m_zero: M_READONLY
ddb{0}> trace
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
m_free(ffffff006d632b00) at m_free+0x17a sys/kern/uipc_mbuf.c:1267
m_freem(ffffffff) at m_freem+0x2d sys/kern/uipc_mbuf.c:525
vio_txeof(ffff800000173290) at vio_txeof+0x104 sys/dev/pv/if_vio.c:1140
vio_tx_intr(ffff800000173110) at vio_tx_intr+0x25 sys/dev/pv/if_vio.c:1116
intr_handler(0,ffff80000064d280) at intr_handler+0x6b
sys/arch/amd64/amd64/intr.c:529
Xintr_ioapic_edge20_untramp(0,0,1388,0,ffff800000022a00,ffff800000022a00)
at Xintr_ioapic_edge20_untramp+0x19f
acpicpu_idle() at acpicpu_idle+0x251 sys/dev/acpi/acpicpu.c:1187
sched_idle(0) at sched_idle+0x374 sys/kern/kern_sched.c:177
end trace frame: 0x0, count: -10
ddb{0}> show registers
rdi 0xffffffff81e323f0 kprintf_mutex
rsi 0x5
rbp 0xffff8000210391e0
rbx 0xffff800021039280
rdx 0x3fd
rcx 0
rax 0x1
r8 0xffff8000210391b0
r9 0
r10 0
r11 0xffffff006ee56c70
r12 0x3000000008
r13 0xffff8000210391f0
r14 0x100
r15 0xffffffff81bed177 apollo_pio_rec+0x6e0d
rip 0xffffffff811b599a db_enter+0xa
cs 0x8
rflags 0x202
rsp 0xffff8000210391e0
ss 0x10
db_enter+0xa: popq %rbp
ddb{0}> show proc
PROC (idle0) pid=363638 stat=onproc
flags process=14000<NOZOMBIE,SYSTEM> proc=40000200<SYSTEM,CPUPEG>
pri=0, usrpri=60, nice=20
forw=0x9647fc485d43f271, list=0xffff8000210319c8,0xffff8000210312d0
process=0xffff800021032fc8 user=0xffff800021034000,
vmspace=0xffffffff81ee0e58
estcpu=10, cpticks=42, pctcpu=15.84
user=0, sys=0, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
35409 225926 1297 0 3 0x82 nanosleep syz-executor3385
1297 216120 38812 0 3 0x10008a pause ksh
38812 113021 60312 0 3 0x92 select sshd
80119 439021 1 0 3 0x100083 ttyin getty
60312 78105 1 0 3 0x80 select sshd
93729 240715 80566 73 3 0x100090 kqread syslogd
80566 355707 1 0 3 0x100082 netio syslogd
56552 309071 1 77 3 0x100090 poll dhclient
21394 165464 1 0 3 0x80 poll dhclient
54833 506270 0 0 3 0x14200 pgzero zerothread
17091 299971 0 0 3 0x14200 aiodoned aiodoned
48397 461218 0 0 3 0x14200 syncer update
19301 82229 0 0 3 0x14200 cleaner cleaner
10792 188620 0 0 3 0x14200 reaper reaper
80033 162513 0 0 3 0x14200 pgdaemon pagedaemon
75501 468094 0 0 3 0x14200 bored crynlk
35533 423539 0 0 3 0x14200 bored crypto
75201 268160 0 0 3 0x40014200 acpi0 acpi0
67561 284554 0 0 7 0x40014200 idle1
47483 80162 0 0 3 0x14200 bored softnet
82786 148819 0 0 3 0x14200 bored systqmp
41914 105710 0 0 3 0x14200 bored systq
26025 275892 0 0 3 0x40014200 bored softclock
*83616 363638 0 0 7 0x40014200 idle0
1 202268 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}>
