Hello,
syzbot found the following crash on:
HEAD commit: 0d1bbdcdb407 add mpip(4)
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=120998aac00000
kernel config: https://syzkaller.appspot.com/x/.config?x=ffa1da4399f74b2b
dashboard link: https://syzkaller.appspot.com/bug?extid=a33f137d7d3c0197fe86
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a33f13...@syzkaller.appspotmail.com
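kernel: protection fault trap, code=0
Stopped at mrouter6_rtwalk_delete+0x2b: movl 0x5c(%r15),%r12d
[Triage note: the faulting instruction loads from 0x5c(%r15). The register dump below shows r15 = rdi = 0x5153e11fff8a8470, which is also the first argument in the top trace frame. That value is not a canonical amd64 address, which is consistent with a protection fault rather than a page fault. It suggests the route-walk callback was handed a corrupted or stale pointer during socket teardown (ip6_mrouter_done via rip6_detach), but the report itself does not establish the root cause.]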
ddb>
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
the kernel did not panic
ddb> trace
mrouter6_rtwalk_delete(5153e11fff8a8470,0,0) at mrouter6_rtwalk_delete+0x2b
sys/netinet6/ip6_mroute.c:497
rtable_walk_helper(fffffd8036dddb20,ffff800014957c00) at
rtable_walk_helper+0x58 sys/net/rtable.c:682
art_table_walk(ffff800000074780,fffffd8036ddc220,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x226 art_walk_apply sys/net/art.c:707 [inline]
art_table_walk(ffff800000074780,fffffd8036ddc220,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x226 sys/net/art.c:679
art_table_walk(ffff800000074780,fffffd8036ddc1e0,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc180,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc140,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc120,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc100,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc0e0,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc080,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc060,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc020,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc000,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc040,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc0a0,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc0c0,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc160,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc1a0,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc1c0,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc200,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc240,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc260,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc280,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc2a0,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc2c0,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc2e0,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc300,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc320,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc380,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc3a0,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc3c0,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc440,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc4a0,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddcf20,ffffffff8178b4f0,ffff800014957c00)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_walk(ffff800000074780,ffffffff8178b4f0,ffff800014957c00) at
art_walk+0xcf sys/net/art.c:626
rtable_walk(0,18,ffffffff8122ec00,0) at rtable_walk+0xd7
sys/net/rtable.c:706
ip6_mrouter_done(fffffd803982c180) at ip6_mrouter_done+0xc4
sys/netinet6/ip6_mroute.c:526
rip6_detach(fffffd803982c180) at rip6_detach+0x56 sys/netinet6/raw_ip6.c:748
soclose(fffffd803982c180,0) at soclose+0xb2 sys/kern/uipc_socket.c:292
soo_close(fffffd8039c20b58,ffff8000149d4270) at soo_close+0x40
fdrop(fffffd8039c20b58,ffff8000149d4270) at fdrop+0xc9
sys/kern/kern_descrip.c:1260
closef(fffffd8039c20b58,ffff8000149d4270) at closef+0x124
sys/kern/kern_descrip.c:1244
fdfree(ffff8000149d4270) at fdfree+0xe7 sys/kern/kern_descrip.c:1176
exit1(ffff8000149d4270,0,1) at exit1+0x2f4 sys/kern/kern_exit.c:194
sys_exit(ffff8000149d4270,ffff8000149580e0,ffff8000149580d0) at
sys_exit+0x17 sys/kern/kern_exit.c:94
syscall(ffff800014958180) at syscall+0x541
Xsyscall(6,1,0,1,0,7f7ffffe13a4) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffe1370, count: -47
ddb> show registers
rdi 0x5153e11fff8a8470
rsi 0
rbp 0xffff800014956940
rbx 0xffff800000074788
rdx 0
rcx 0
rax 0x204
r8 0
r9 0x5
r10 0
r11 0x5fc5adf50e8daba6
r12 0
r13 0xfffffd8036ddc220
r14 0
r15 0x5153e11fff8a8470
rip 0xffffffff8122ec2b mrouter6_rtwalk_delete+0x2b
cs 0x8
rflags 0x10246 __ALIGN_SIZE+0xf246
rsp 0xffff800014956900
ss 0x10
mrouter6_rtwalk_delete+0x2b: movl 0x5c(%r15),%r12d
ddb> show proc
PROC (syz-executor.1) pid=484813 stat=onproc
flags process=1008<EXITING,SINGLEEXIT> proc=2000<WEXIT>
pri=50, usrpri=78, nice=20
forw=0xffffffffffffffff, list=0xffff8000149d4bd0,0xffffffff82264bc8
process=0xffff8000ffff69e8 user=0xffff800014953000,
vmspace=0xfffffd803f015d68
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
19959 483335 1 0 3 0x100083 ttyin getty
2989 517760 0 0 3 0x14200 bored sosplice
31500 429419 63020 0 3 0x2 biowait syz-executor.0
59158 112605 63020 0 3 0x82 nanosleep syz-executor.1
63020 6625 50092 0 3 0x82 thrsleep syz-fuzzer
63020 190560 50092 0 3 0x4000082 nanosleep syz-fuzzer
63020 43389 50092 0 3 0x4000082 thrsleep syz-fuzzer
63020 110269 50092 0 3 0x4000082 kqread syz-fuzzer
63020 441551 50092 0 3 0x4000082 thrsleep syz-fuzzer
63020 286069 50092 0 3 0x4000082 thrsleep syz-fuzzer
63020 439753 50092 0 3 0x4000082 thrsleep syz-fuzzer
50092 375479 15116 0 3 0x10008a pause ksh
15116 62073 95523 0 3 0x92 select sshd
95523 93770 1 0 3 0x80 select sshd
74798 16928 7021 73 3 0x100090 kqread syslogd
7021 477313 1 0 3 0x100082 netio syslogd
41605 131787 1 77 3 0x100090 poll dhclient
53474 59062 1 0 3 0x80 poll dhclient
81561 289761 0 0 2 0x14200 zerothread
1532 371719 0 0 3 0x14200 aiodoned aiodoned
46288 66984 0 0 3 0x14200 syncer update
65478 19388 0 0 3 0x14200 cleaner cleaner
26152 479804 0 0 3 0x14200 reaper reaper
93601 337232 0 0 3 0x14200 pgdaemon pagedaemon
23210 512129 0 0 3 0x14200 bored crynlk
58596 377782 0 0 3 0x14200 bored crypto
97237 32077 0 0 3 0x40014200 acpi0 acpi0
72696 407874 0 0 3 0x14200 bored softnet
64821 357827 0 0 2 0x14200 systqmp
58811 392995 0 0 3 0x14200 bored systq
26778 245622 0 0 3 0x40014200 bored softclock
91754 407002 0 0 3 0x40014200 idle0
43311 110841 0 0 3 0x14200 bored smr
1 131226 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb> show all locks
No such command
ddb> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9556 8412K 8433K 78643K 12392 0 0
pcb 25 9K 11K 78643K 2873 0 0
rtable 101 3K 3K 78643K 1112 0 0
ifaddr 67 17K 19K 78643K 637 0 0
counters 19 16K 16K 78643K 19 0 0
ioctlops 0 0K 2K 78643K 80 0 0
iov 0 0K 24K 78643K 727 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1201 75K 76K 78643K 4299 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 5K 78643K 78 0 0
VM map 2 0K 0K 78643K 2 0 0
sem 12 1K 1K 78643K 146 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1777 193K 286K 78643K 12501 0 0
file desc 5 13K 25K 78643K 5471 0 0
sigio 1 0K 0K 78643K 76 0 0
proc 42 30K 54K 78643K 912 0 0
subproc 64 65538K 69634K 78643K 106 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
ip_moptions 0 0K 0K 78643K 1917 0 0
in_multi 33 2K 2K 78643K 783 0 0
ether_multi 1 0K 0K 78643K 42 0 0
mrt 1 0K 0K 78643K 11 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 132 583K 583K 78643K 132 0 0
exec 0 0K 1K 78643K 729 0 0
pfkey data 0 0K 0K 78643K 2 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 106 22K 42K 78643K 14143 0 0
UVM aobj 130 5K 5K 78643K 155 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
ip6_options 0 0K 0K 78643K 185 0 0
NDP 15 0K 0K 78643K 168 0 0
temp 192 2360K 2487K 78643K 17493 0 0
kqueue 0 0K 0K 78643K 47 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg
Idle
arp 64 4 0 0 1 0 1 1 0
8 0
inpcbpl 280 3159 0 3150 1 0 1 1 0
8 0
plimitpl 152 76 0 69 1 0 1 1 0
8 0
rtentry 112 42 0 2 2 0 2 2 0
8 0
syncache 264 4 0 4 1 1 0 1 0
8 0
tcpqe 32 8 0 8 1 1 0 1 0
8 0
tcpcb 544 877 0 873 1 0 1 1 0
8 0
rttmr 72 1 0 1 1 0 1 1 0
8 1
nd6 48 4 0 0 1 0 1 1 0
8 0
ppxss 1128 129 0 129 31 30 1 1 0
8 1
art_heap8 4096 1 0 0 1 0 1 1 0
8 0
art_heap4 256 186 0 0 12 0 12 12 0
8 0
art_table 32 187 0 0 2 0 2 2 0
8 0
art_node 16 41 0 6 1 0 1 1 0
8 0
sysvmsgpl 40 105 0 96 1 0 1 1 0
8 0
semapl 112 144 0 134 1 0 1 1 0
8 0
shmpl 112 153 0 25 4 0 4 4 0
8 0
dirhash 1024 17 0 0 3 0 3 3 0
8 0
dino1pl 128 11776 0 10305 48 0 48 48 0
8 0
ffsino 240 11776 0 10305 88 1 87 87 0
8 0
nchpl 144 20867 0 19243 61 0 61 61 0
8 0
uvmvnodes 72 5926 0 0 108 0 108 108 0
8 0
vnodes 200 5926 0 0 312 0 312 312 0
8 0
namei 1024 63090 0 63089 2 1 1 1 0
8 0
scsiplug 64 7 0 7 6 6 0 1 0
8 0
scxspl 192 71925 0 71924 31 29 2 6 0
8 1
sigapl 432 5642 0 5629 2 0 2 2 0
8 0
futexpl 56 102472 0 102472 1 0 1 1 0
8 1
knotepl 112 1320 0 1293 2 0 2 2 0
8 0
kqueuepl 104 1649 0 1647 1 0 1 1 0
8 0
pipepl 112 5958 0 5939 19 17 2 2 0
8 1
fdescpl 424 5643 0 5629 2 0 2 2 0
8 0
filepl 120 39024 0 38928 14 9 5 5 0
8 1
lockfpl 104 1937 0 1937 8 7 1 1 0
8 1
lockfspl 32 2758 0 2758 8 7 1 1 0
8 1
sessionpl 112 20 0 10 1 0 1 1 0
8 0
pgrppl 48 92 0 82 1 0 1 1 0
8 0
ucredpl 96 11702 0 11695 1 0 1 1 0
8 0
zombiepl 144 5630 0 5629 3 2 1 1 0
8 0
processpl 840 5658 0 5629 4 0 4 4 0
8 0
procpl 600 13177 0 13142 4 0 4 4 0
8 0
sosppl 128 93 0 93 23 22 1 1 0
8 1
sockpl 384 5703 0 5684 16 12 4 4 0
8 2
mcl64k 65536 3001 0 3001 295 295 0 47 0
8 0
mcl16k 16384 17 0 17 14 14 0 1 0
8 0
mcl12k 12288 129 0 129 30 29 1 1 0
8 1
mcl9k 9216 93 0 93 38 38 0 1 0
8 0
mcl8k 8192 82 0 82 31 31 0 1 0
8 0
mcl4k 4096 265 0 265 24 23 1 1 0
8 1
mcl2k2 2112 38 0 38 22 22 0 1 0
8 0
mcl2k 2048 53799 0 53768 11 6 5 8 0
8 0
mtagpl 80 4 0 4 2 2 0 1 0
8 0
mbufpl 256 117934 0 117878 154 149 5 28 0
8 0
bufpl 256 20169 0 14686 344 0 344 344 0
8 0
anonpl 16 590894 0 582214 314 271 43 59 0
62 7
amapchunkpl 152 33145 0 33066 231 203 28 96 0 158
23
amappl16 192 35652 0 35187 311 286 25 40 0
8 1
amappl15 184 2 0 0 1 0 1 1 0
8 0
amappl14 176 2645 0 2644 2 1 1 1 0
8 0
amappl13 168 23 0 20 1 0 1 1 0
8 0
amappl12 160 26 0 22 1 0 1 1 0
8 0
amappl11 152 177 0 168 1 0 1 1 0
8 0
amappl10 144 60 0 58 2 1 1 1 0
8 0
amappl9 136 351 0 346 1 0 1 1 0
8 0
amappl8 128 2979 0 2940 2 0 2 2 0
8 0
amappl7 120 26 0 22 1 0 1 1 0
8 0
amappl6 112 2686 0 2679 1 0 1 1 0
8 0
amappl5 104 165 0 153 1 0 1 1 0
8 0
amappl4 96 306 0 282 2 1 1 2 0
8 0
amappl3 88 400 0 394 1 0 1 1 0
8 0
amappl2 80 58620 0 58566 2 0 2 2 0
8 0
amappl1 72 108706 0 108293 25 16 9 18 0
8 0
amappl 72 13504 0 13473 1 0 1 1 0
75 0
dma4096 4096 1 0 1 1 1 0 1 0
8 0
dma256 256 6 0 6 1 1 0 1 0
8 0
dma64 64 259 0 259 1 1 0 1 0
8 0
dma32 32 7 0 7 1 1 0 1 0
8 0
dma16 16 17 0 17 1 1 0 1 0
8 0
aobjpl 64 154 0 25 3 0 3 3 0
8 0
uaddrrnd 24 5643 0 5629 1 0 1 1 0
8 0
uaddrbest 32 2 0 0 1 0 1 1 0
8 0
uaddr 24 5643 0 5629 1 0 1 1 0
8 0
vmmpekpl 168 45321 0 45302 2 0 2 2 0
8 0
vmmpepl 168 593937 0 592522 245 177 68 80 0
357 1
vmsppl 264 5642 0 5629 2 1 1 2 0
8 0
pdppl 4096 11292 0 11258 6 1 5 6 0
8 0
pvpl 32 1801247 0 1789518 577 448 129 208 0 265
32
pmappl 192 5642 0 5629 1 0 1 1 0
8 0
extentpl 40 39 0 25 1 0 1 1 0
8 0
phpool 112 988 0 523 16 0 16 16 0
8 0
---
This bug report was generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.