panic: kernel diagnostic assertion "ps->ps_uvncount == 0" failed: file "/syzkaller/managers/setuid/kernel/sys/kern/kern_


syzbot

Dec 15, 2018, 7:31:03 AM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: ff5089e6ea58 Revisit the optimization for unbuffered I/O. ..
git tree: https://github.com/openbsd/src.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=11d3bb6d400000
kernel config: https://syzkaller.appspot.com/x/.config?x=f2ee3db928411249
dashboard link: https://syzkaller.appspot.com/bug?extid=09848fd94b475dfb2e90
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+09848f...@syzkaller.appspotmail.com

panic: kernel diagnostic assertion "ps->ps_uvncount == 0" failed:
file "/syzkaller/managers/setuid/kernel/sys/kern/kern_unveil.c", line 195
Stopped at db_enter+0xa: popq %rbp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
__assert(ffffffff8104ab04,ffff80002119bc50,ffff800004ae8000,60) at
__assert+0x24 sys/kern/subr_prf.c:155
unveil_destroy(ffff8000210b7630) at unveil_destroy+0x158
sys/kern/kern_unveil.c:195
exit1(10,ffff8000210a3080,0) at exit1+0x280 sys/kern/kern_exit.c:215
sys_exit(ffffffff810c0ae3,ffff80002119bd00,10) at sys_exit+0x13
sys/kern/kern_exit.c:94
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,1,0,1,0,7f7ffffdf720) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffdf6d0, count: 7
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> show panic
kernel diagnostic assertion "ps->ps_uvncount == 0" failed:
file "/syzkaller/managers/setuid/kernel/sys/kern/kern_unveil.c", line 195
ddb{1}> trace
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
__assert(ffffffff8104ab04,ffff80002119bc50,ffff800004ae8000,60) at
__assert+0x24 sys/kern/subr_prf.c:155
unveil_destroy(ffff8000210b7630) at unveil_destroy+0x158
sys/kern/kern_unveil.c:195
exit1(10,ffff8000210a3080,0) at exit1+0x280 sys/kern/kern_exit.c:215
sys_exit(ffffffff810c0ae3,ffff80002119bd00,10) at sys_exit+0x13
sys/kern/kern_exit.c:94
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,1,0,1,0,7f7ffffdf720) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffdf6d0, count: -8
ddb{1}> show registers
rdi 0xffffffff81e172e8 kprintf_mutex
rsi 0x5
rbp 0xffff80002119bbb0
rbx 0xffff80002119bc50
rdx 0x3fd
rcx 0
rax 0
r8 0xffff80002119bb80
r9 0x8080808080808080
r10 0
r11 0xffffffff813f0580 x86_bus_space_io_read_1
r12 0x3000000008
r13 0xffff80002119bbc0
r14 0x100
r15 0xffffffff81bf1914 cmd0646_9_tim_udma+0x1eccb
rip 0xffffffff81837e9a db_enter+0xa
cs 0x8
rflags 0x246
rsp 0xffff80002119bbb0
ss 0x10
db_enter+0xa: popq %rbp
ddb{1}> show proc
PROC (syz-executor1) pid=238839 stat=onproc
flags process=1018<EXITING,SUGID,SINGLEEXIT> proc=2000<WEXIT>
pri=50, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff8000210a3788,0xffff8000210a2280
process=0xffff8000210b7630 user=0xffff800021196000,
vmspace=0xffffff0065823c68
estcpu=36, cpticks=6, pctcpu=0.0
user=0, sys=1, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
31929 116507 62519 0 3 0x2 biowait syz-executor0
84739 14168 95474 65534 3 0x90 nanosleep syz-executor1
95474 344105 62519 0 3 0x82 wait syz-executor1
66849 179484 0 0 3 0x14200 bored sosplice
62519 118950 91777 0 3 0x82 thrsleep syz-fuzzer
62519 316117 91777 0 3 0x4000082 nanosleep syz-fuzzer
62519 405589 91777 0 3 0x4000082 thrsleep syz-fuzzer
62519 522214 91777 0 3 0x4000082 kqread syz-fuzzer
62519 510364 91777 0 3 0x4000082 thrsleep syz-fuzzer
62519 179436 91777 0 3 0x4000082 thrsleep syz-fuzzer
62519 172136 91777 0 3 0x4000082 nanosleep syz-fuzzer
62519 314705 91777 0 3 0x4000082 thrsleep syz-fuzzer
62519 154482 91777 0 3 0x4000082 thrsleep syz-fuzzer
62519 486952 91777 0 3 0x4000082 thrsleep syz-fuzzer
91777 4182 7452 0 3 0x10008a pause ksh
7452 347835 64799 0 3 0x92 select sshd
34906 417495 1 0 3 0x100083 ttyin getty
64799 325993 1 0 3 0x80 select sshd
15754 523911 89260 73 3 0x100090 kqread syslogd
89260 36675 1 0 3 0x100082 netio syslogd
41563 12219 1 77 3 0x100090 poll dhclient
2130 370214 1 0 3 0x80 poll dhclient
16270 303262 0 0 3 0x14200 pgzero zerothread
95041 181528 0 0 3 0x14200 aiodoned aiodoned
34494 344881 0 0 3 0x14200 syncer update
97960 317925 0 0 3 0x14200 cleaner cleaner
20097 431698 0 0 3 0x14200 reaper reaper
77175 39781 0 0 3 0x14200 pgdaemon pagedaemon
52519 393392 0 0 3 0x14200 bored crynlk
50688 311137 0 0 3 0x14200 bored crypto
6019 472667 0 0 3 0x40014200 acpi0 acpi0
30116 358176 0 0 3 0x40014200 idle1
70920 382792 0 0 3 0x14200 bored softnet
38810 20841 0 0 3 0x14200 bored systqmp
76574 288057 0 0 3 0x14200 bored systq
18256 350034 0 0 3 0x40014200 bored softclock
38264 39962 0 0 7 0x40014200 idle0
1 320911 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

Greg Steuck

Dec 17, 2018, 11:05:51 PM
to syzbot, be...@openbsd.org, syzkaller-o...@googlegroups.com
Bob, just in case you are curious, this kernel diagnostic assertion "ps->ps_uvncount == 0" failed:



--
nest.cx is Gmail hosted, use PGP for anything private. Key: http://goo.gl/6dMsr
Fingerprint: 5E2B 2D0E 1E03 2046 BEC3  4D50 0B15 42BD 8DF5 A1B0

Anton Lindqvist

Dec 31, 2018, 11:38:50 AM
to syzbot, syzkaller-o...@googlegroups.com
#syz dup: assert "ps->ps_uvncount == 0" failed in kern_unveil.c