pool: double put: mcl64k


syzbot

Dec 1, 2018, 4:06:03 AM12/1/18
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: e9b93a3e5ebc Remove erroneous quote added in previous
git tree: https://github.com/openbsd/src.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=137b812b400000
dashboard link: https://syzkaller.appspot.com/bug?extid=383ee27894d032857c57
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+383ee2...@syzkaller.appspotmail.com

login: panic: pool_do_put: mcl64k: double pool_put: 0xffffff007082d000
Stopped at db_enter+0xa: popq %rbp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*478795 30599 0 0 0x4000000 0 syz-executor0
db_enter() at db_enter+0xa
panic() at panic+0x147
pool_do_put(ffffff007082d000,ffffffff81eb9968) at pool_do_put+0x2e2
pool_put(0,ffffff007163c700) at pool_put+0x37
m_extfree(88ee6d8204e1bf39) at m_extfree+0xb1
m_free(ffffff007163c700) at m_free+0xee
m_freem(16) at m_freem+0x2d
soreceive(0,ffffff0064499918,ffff80002118a330,1000,ffff80002118a3c0,ffff80002118a2d0) at soreceive+0x1131
recvit(ffff80002118a3f0,ffff80002118a4f8,ffff80002118a4e0,ffff8000ffffc968,0) at recvit+0x28c
sys_recvmsg(ffff80002118a580,ffff8000ffffc968,ffff80002105fca8) at sys_recvmsg+0x120
syscall(0) at syscall+0x3e4
Xsyscall(6,0,ffffffffffffffbf,0,3,15ba3060010) at Xsyscall+0x128
end of kernel
end trace frame: 0x15df7061db0, count: 3
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb> show panic
pool_do_put: mcl64k: double pool_put: 0xffffff007082d000
ddb> trace
db_enter() at db_enter+0xa
panic() at panic+0x147
pool_do_put(ffffff007082d000,ffffffff81eb9968) at pool_do_put+0x2e2
pool_put(0,ffffff007163c700) at pool_put+0x37
m_extfree(88ee6d8204e1bf39) at m_extfree+0xb1
m_free(ffffff007163c700) at m_free+0xee
m_freem(16) at m_freem+0x2d
soreceive(0,ffffff0064499918,ffff80002118a330,1000,ffff80002118a3c0,ffff80002118a2d0) at soreceive+0x1131
recvit(ffff80002118a3f0,ffff80002118a4f8,ffff80002118a4e0,ffff8000ffffc968,0) at recvit+0x28c
sys_recvmsg(ffff80002118a580,ffff8000ffffc968,ffff80002105fca8) at sys_recvmsg+0x120
syscall(0) at syscall+0x3e4
Xsyscall(6,0,ffffffffffffffbf,0,3,15ba3060010) at Xsyscall+0x128
end of kernel
end trace frame: 0x15df7061db0, count: -12
ddb> show registers
rdi 0xffffffff81e1c208 kprintf_mutex
rsi 0xffffffff81030129 db_enter+0x9
rbp 0xffff80002118a030
rbx 0xffff80002118a0d0
rdx 0xffff800000ace000
rcx 0x1b7a __ALIGN_SIZE+0xb7a
rax 0xffff800000ace000
r8 0xffff80002118a000
r9 0x8080808080808080
r10 0x88ee6d8204e1bf39
r11 0xffffffff81110b20 x86_bus_space_io_read_1
r12 0x3000000008
r13 0xffff80002118a040
r14 0x100
r15 0xffffffff81c39f85 cy_pio_rec+0x56d5
rip 0xffffffff8103012a db_enter+0xa
cs 0x8
rflags 0x202
rsp 0xffff80002118a030
ss 0x10
db_enter+0xa: popq %rbp
ddb> show proc
PROC (syz-executor0) pid=478795 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=58, usrpri=58, nice=20
forw=0xffffffffffffffff, list=0xffff8000ffffd2c8,0xffffffff81e98cf0
process=0xffff80002105fca8 user=0xffff800021185000, vmspace=0xffffff007f12b000
estcpu=36, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
30599 293643 91416 0 2 0 syz-executor0
*30599 478795 91416 0 7 0x4000000 syz-executor0
56412 35413 93377 0 2 0 syz-executor1
56412 141156 93377 0 3 0x4000080 netio syz-executor1
2031 19278 1 0 3 0x100083 ttyin getty
33565 300042 0 0 3 0x14200 bored sosplice
91416 116120 50627 0 3 0x82 nanosleep syz-executor0
93377 410358 50627 0 3 0x82 nanosleep syz-executor1
50627 473457 56383 0 3 0x82 thrsleep syz-fuzzer
50627 288879 56383 0 3 0x4000082 thrsleep syz-fuzzer
50627 130340 56383 0 3 0x4000082 thrsleep syz-fuzzer
50627 233446 56383 0 3 0x4000082 thrsleep syz-fuzzer
50627 93820 56383 0 3 0x4000082 kqread syz-fuzzer
50627 316446 56383 0 3 0x4000082 thrsleep syz-fuzzer
50627 132184 56383 0 3 0x4000082 thrsleep syz-fuzzer
56383 335117 78351 0 3 0x10008a pause ksh
78351 123696 68321 0 3 0x92 select sshd
68321 254116 1 0 3 0x80 select sshd
43616 14139 84592 73 3 0x100090 kqread syslogd
84592 170273 1 0 3 0x100082 netio syslogd
82364 156182 1 77 3 0x100090 poll dhclient
99255 445825 1 0 3 0x80 poll dhclient
39777 181340 0 0 2 0x14200 zerothread
25811 469387 0 0 3 0x14200 aiodoned aiodoned
35900 213564 0 0 3 0x14200 syncer update
49581 215029 0 0 3 0x14200 cleaner cleaner
41475 368105 0 0 3 0x14200 reaper reaper
54221 355084 0 0 3 0x14200 pgdaemon pagedaemon
30131 136807 0 0 3 0x14200 bored crynlk
70757 454169 0 0 3 0x14200 bored crypto
2767 346309 0 0 3 0x40014200 acpi0 acpi0
59158 359793 0 0 3 0x14200 bored softnet
43830 338839 0 0 3 0x14200 bored systqmp
96819 386430 0 0 3 0x14200 bored systq
43339 264482 0 0 3 0x40014200 bored softclock
67871 161666 0 0 3 0x40014200 idle0
1 456308 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
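The panic string in the report above ("pool_do_put: mcl64k: double pool_put: ...") is produced when the pool layer, returning a 64k mbuf cluster from m_extfree, finds that the item is already on the pool's free list. The following is an added illustration written for this page, not code from OpenBSD's subr_pool.c or from syzbot: a small fixed-size pool whose put routine performs that free-list walk, plus a reference-counted external buffer in the role m_extfree plays in the trace. The pool sizes, the `struct mext` type, the `demo_*` functions and the stale-owner scenario in `demo_double_put` are assumptions made for the example; the report itself does not identify the root cause of the double put.

```c
/* Added model of a pool with a "double pool_put" check (illustrative,
 * not OpenBSD's subr_pool.c). Names echo the trace above only. */
#include <stdio.h>
#include <string.h>

#define POOL_ITEMS     4
#define POOL_ITEM_SIZE 64          /* stand-in for the 64k mcl64k cluster */

struct pool_item {
    struct pool_item *next;        /* free-list link overlaid on the item */
};

struct pool {
    const char *wchan;             /* pool name, shown in the panic string */
    unsigned char storage[POOL_ITEMS][POOL_ITEM_SIZE];
    struct pool_item *freelist;
    int nout;                      /* items currently handed out */
};

enum put_result { PUT_OK = 0, PUT_DOUBLE = 1, PUT_FOREIGN = 2 };

static void pool_init(struct pool *pp, const char *wchan)
{
    memset(pp, 0, sizeof(*pp));
    pp->wchan = wchan;
    for (int i = POOL_ITEMS - 1; i >= 0; i--) {
        struct pool_item *pi = (struct pool_item *)pp->storage[i];
        pi->next = pp->freelist;
        pp->freelist = pi;
    }
}

static void *pool_get(struct pool *pp)
{
    struct pool_item *pi = pp->freelist;
    if (pi == NULL)
        return NULL;
    pp->freelist = pi->next;
    pp->nout++;
    return pi;
}

/* Return an item. The walk over the free list is what turns a double put
 * into a report instead of a silent free-list cycle, which would later
 * hand the same cluster out to two owners. */
static enum put_result pool_put(struct pool *pp, void *v)
{
    unsigned char *p = v, *lo = (unsigned char *)pp->storage;
    struct pool_item *pi = v;

    if (p < lo || p >= lo + sizeof(pp->storage))
        return PUT_FOREIGN;        /* not from this pool at all */
    for (struct pool_item *qi = pp->freelist; qi != NULL; qi = qi->next) {
        if (qi == pi) {
            fprintf(stderr, "pool_put: %s: double pool_put: %p\n",
                pp->wchan, v);
            return PUT_DOUBLE;     /* the kernel panics at this point */
        }
    }
    pi->next = pp->freelist;
    pp->freelist = pi;
    pp->nout--;
    return PUT_OK;
}

/* External buffer shared by several mbufs; returned to its pool when the
 * last reference drops (the job m_extfree does in the trace). */
struct mext {
    void *buf;
    int refcnt;
};

static enum put_result m_extfree(struct pool *pp, struct mext *ext)
{
    if (--ext->refcnt > 0)
        return PUT_OK;             /* another mbuf still references it */
    return pool_put(pp, ext->buf);
}

/* Two mbufs share one cluster and the count is right: only the second
 * release reaches pool_put, and it succeeds. */
static enum put_result demo_shared_cluster(void)
{
    struct pool mcl;
    pool_init(&mcl, "mcl64k");
    struct mext ext = { pool_get(&mcl), 2 };
    enum put_result r1 = m_extfree(&mcl, &ext);   /* refcnt 2 -> 1 */
    enum put_result r2 = m_extfree(&mcl, &ext);   /* refcnt 1 -> 0, put */
    return (r1 == PUT_OK && mcl.nout == 0) ? r2 : PUT_FOREIGN;
}

/* Hypothetical bug pattern: a second owner whose reference was never
 * counted releases the cluster after it is already back in the pool. */
static enum put_result demo_double_put(void)
{
    struct pool mcl;
    pool_init(&mcl, "mcl64k");
    struct mext ext = { pool_get(&mcl), 1 };
    m_extfree(&mcl, &ext);                        /* refcnt 1 -> 0, put */
    ext.refcnt = 1;                               /* stale owner's view */
    return m_extfree(&mcl, &ext);                 /* second put: caught */
}
```

`demo_shared_cluster()` returns `PUT_OK` and `demo_double_put()` returns `PUT_DOUBLE`. The check is linear in the free-list length, which is why OpenBSD keeps it behind a diagnostic switch; without it the second put would corrupt the free list and the failure would surface later and elsewhere, much harder to attribute than the panic in this report.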

syzbot

May 30, 2019, 5:06:03 AM5/30/19
to syzkaller-o...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.