uvm_fault: m_free


syzbot

Dec 4, 2018, 7:30:02 AM
To: syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: f939acc2595a DT_MIPS_RLD_MAP is an offset, so relocate it ..
git tree: https://github.com/openbsd/src.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1490bbeb400000
dashboard link: https://syzkaller.appspot.com/bug?extid=fed3bb2b9049007f7f34
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fed3bb...@syzkaller.appspotmail.com

uvm_fault(0xffffff007f12b420, 0x600011c, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at m_free+0x2a: movswq 0x1c(%r14),%rdx
ddb>
ddb> set $lines = 0
ddb> show panic
kernel page fault
uvm_fault(0xffffff007f12b420, 0x600011c, 0, 1) -> e
m_free(6000100) at m_free+0x2a
end trace frame: 0xffff800021160690, count: 0
ddb> trace
m_free(6000100) at m_free+0x2a
mq_purge(ffff800001b04f00) at mq_purge+0x6d
switchclose(ffff8000ffffcbc0,ffff800021160708,ffffffff818e10a7,ffff8000211606b0) at switchclose+0x77
spec_close(ffffffff81dfb940) at spec_close+0x271
VOP_CLOSE(ffffff0075b57c68,ffff8000ffffcbc0,ffffff007f7c7b40,3) at VOP_CLOSE+0x5f
vn_closefile(ffff8000ffffcbc0,ffffff0068978b50) at vn_closefile+0xfc
fdrop(ffffff0068978b50,ffff8000ffffcbc0) at fdrop+0xa4
closef(ffff8000ffffcbc0,ffffff006e99e008) at closef+0xd5
fdfree(ffff80002105f330) at fdfree+0x98
exit1(ffff8000211609d0,ffff8000ffffcbc0,ffff80002105f330) at exit1+0x22f
sys_exit(ffffffff81ab3003,ffff8000211608f0,ffff8000211609d0) at sys_exit+0x13
syscall(0) at syscall+0x3e4
Xsyscall(6,1,0,1,0,7f7ffffc2ef0) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffc2ea0, count: -13
ddb> show registers
rdi 0x7
rsi 0xf0
rbp 0xffff800021160660
rbx 0xffffffff818e1030 switchclose
rdx 0xffff800021160570
rcx 0xffffffff81e8e3b0 mbstat_boot_boot_cpumem
rax 0
r8 0
r9 0
r10 0
r11 0xffffffff816a34a0 pool_lock_mtx_leave
r12 0xffffff0063eac100
r13 0x236161bd
r14 0x6000100 __kernel_end_phys+0x4000100
r15 0x6000100 __kernel_end_phys+0x4000100
rip 0xffffffff81adbd1a m_free+0x2a
cs 0x8
rflags 0x10286 __ALIGN_SIZE+0xf286
rsp 0xffff800021160640
ss 0x10
m_free+0x2a: movswq 0x1c(%r14),%rdx
ddb> show proc
PROC (syz-executor1) pid=43277 stat=onproc
flags process=1008<EXITING,SINGLEEXIT> proc=2000<WEXIT>
pri=50, usrpri=81, nice=20
forw=0xffffffffffffffff, list=0xffff8000ffffc008,0xffffffff81eafaa0
process=0xffff80002105f330 user=0xffff80002115b000,
vmspace=0xffffff007f12b420
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=0, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
69283 285090 0 0 3 0x14200 bored sosplice
40675 133050 8208 0 3 0x82 nanosleep syz-executor1
12431 299199 8208 0 3 0x2 biowait syz-executor0
8208 144878 187 0 3 0x82 thrsleep syz-fuzzer
8208 424370 187 0 3 0x4000082 thrsleep syz-fuzzer
8208 467693 187 0 3 0x4000082 thrsleep syz-fuzzer
8208 336013 187 0 3 0x4000082 thrsleep syz-fuzzer
8208 156490 187 0 3 0x4000082 thrsleep syz-fuzzer
8208 431951 187 0 3 0x4000082 thrsleep syz-fuzzer
8208 55761 187 0 3 0x4000082 kqread syz-fuzzer
187 80829 77337 0 3 0x10008a pause ksh
77337 156218 95879 0 3 0x92 select sshd
59503 344140 1 0 3 0x100083 ttyin getty
95879 348332 1 0 3 0x80 select sshd
65876 205744 96405 73 2 0x100090 syslogd
96405 127479 1 0 3 0x100082 netio syslogd
84389 403982 1 77 3 0x100090 poll dhclient
62268 353033 1 0 3 0x80 poll dhclient
75448 39788 0 0 2 0x14200 zerothread
8199 111984 0 0 3 0x14200 aiodoned aiodoned
45212 33680 0 0 3 0x14200 syncer update
49386 180950 0 0 3 0x14200 cleaner cleaner
48458 105990 0 0 3 0x14200 reaper reaper
29221 14615 0 0 3 0x14200 pgdaemon pagedaemon
97490 176819 0 0 3 0x14200 bored crynlk
57876 133425 0 0 3 0x14200 bored crypto
50188 12871 0 0 3 0x40014200 acpi0 acpi0
56166 74423 0 0 3 0x14200 bored softnet
35576 139235 0 0 3 0x14200 bored systqmp
68787 497851 0 0 3 0x14200 bored systq
95371 474703 0 0 3 0x40014200 bored softclock
40366 397606 0 0 3 0x40014200 idle0
1 904 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

Anton Lindqvist

Jan 6, 2019, 5:15:48 AM
To: syzbot, syzkaller-o...@googlegroups.com
#syz fix: Fix mbuf releated crashes in switch(4).

They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now.

- Check M_PKTHDR with assertion before accessing m_pkthdr.
- Do not access oh_length without m_pullup().
- After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content.
- Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf.

Reported-by: syzbot+6efc0a...@syzkaller.appspotmail.com
test akoshibe@; OK claudio@

Let's see if this fix is enough to close all switch related panics.