assert "pg->wire_count == 1" failed in vfs_biomem.c


syzbot

Dec 26, 2018, 9:03:03 PM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 8ff5027431d5 simplify code
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=17d0c153400000
kernel config: https://syzkaller.appspot.com/x/.config?x=f2ee3db928411249
dashboard link: https://syzkaller.appspot.com/bug?extid=8f5c11b768b0bef5f299
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8f5c11...@syzkaller.appspotmail.com

panic: kernel diagnostic assertion "pg->wire_count == 1" failed:
file "/syzkaller/managers/setuid/kernel/sys/kern/vfs_biomem.c", line 329
Stopped at db_enter+0xa: popq %rbp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*510546 66097 65534 0x10 0 1K syz-executor0
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
__assert(ffffffff81791f54,ffff8000211692a0,ffffffff81ecbca0,ffffff00798e0700)
at
__assert+0x24 sys/kern/subr_prf.c:155
buf_free_pages(ffff800020c17000) at buf_free_pages+0x167
sys/kern/vfs_biomem.c:318
buf_dealloc_mem(ffffff00798e0200) at buf_dealloc_mem+0xb6
sys/kern/vfs_biomem.c:194
buf_put(ffffff00798e0700) at buf_put+0x11f sys/kern/vfs_bio.c:130
brelse(2) at brelse+0x19f sys/kern/vfs_bio.c:921
vinvalbuf(0,ffffff0069c196a0,ffffff0069c196b8,0,ffff80000066f800,11) at
vinvalbuf+0x2e2 sys/kern/vfs_subr.c:1934
ffs_truncate(ffffff0065fc3098,ffffff0075825ae0,ffffff006f56b780,ffffff0069c196a0)
at
ffs_truncate+0xc93 sys/ufs/ffs/ffs_inode.c:325
ufs_rmdir(ffffff0065fc3098) at ufs_rmdir+0x277 sys/ufs/ufs/ufs_vnops.c:1357
VOP_RMDIR(0,ffffff0075825ae0,8) at VOP_RMDIR+0x6a sys/kern/vfs_vops.c:469
dounlinkat(890,ffff8000210a2978,0,ffff800021169810) at dounlinkat+0xf5
sys/kern/vfs_syscalls.c:1694
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,89,7f7ffffdf200,89,259d1a66240,7f7ffffdf650) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffdf640, count: 1
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> show panic
kernel diagnostic assertion "pg->wire_count == 1" failed:
file "/syzkaller/managers/setuid/kernel/sys/kern/vfs_biomem.c", line 329
ddb{1}> trace
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
__assert(ffffffff81791f54,ffff8000211692a0,ffffffff81ecbca0,ffffff00798e0700)
at
__assert+0x24 sys/kern/subr_prf.c:155
buf_free_pages(ffff800020c17000) at buf_free_pages+0x167
sys/kern/vfs_biomem.c:318
buf_dealloc_mem(ffffff00798e0200) at buf_dealloc_mem+0xb6
sys/kern/vfs_biomem.c:194
buf_put(ffffff00798e0700) at buf_put+0x11f sys/kern/vfs_bio.c:130
brelse(2) at brelse+0x19f sys/kern/vfs_bio.c:921
vinvalbuf(0,ffffff0069c196a0,ffffff0069c196b8,0,ffff80000066f800,11) at
vinvalbuf+0x2e2 sys/kern/vfs_subr.c:1934
ffs_truncate(ffffff0065fc3098,ffffff0075825ae0,ffffff006f56b780,ffffff0069c196a0)
at
ffs_truncate+0xc93 sys/ufs/ffs/ffs_inode.c:325
ufs_rmdir(ffffff0065fc3098) at ufs_rmdir+0x277 sys/ufs/ufs/ufs_vnops.c:1357
VOP_RMDIR(0,ffffff0075825ae0,8) at VOP_RMDIR+0x6a sys/kern/vfs_vops.c:469
dounlinkat(890,ffff8000210a2978,0,ffff800021169810) at dounlinkat+0xf5
sys/kern/vfs_syscalls.c:1694
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,89,7f7ffffdf200,89,259d1a66240,7f7ffffdf650) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffdf640, count: -14
ddb{1}> show registers
rdi 0xffffffff81e3c100 kprintf_mutex
rsi 0x5
rbp 0xffff800021169200
rbx 0xffff8000211692a0
rdx 0x3fd
rcx 0
rax 0
r8 0xffff8000211691d0
r9 0x8080808080808080
r10 0xc457f0b0759f65a6
r11 0xffffffff810f4fa0 x86_bus_space_io_read_1
r12 0x3000000008
r13 0xffff800021169210
r14 0x100
r15 0xffffffff81bf7167 cmd0646_9_tim_udma+0x1fe4a
rip 0xffffffff81511eaa db_enter+0xa
cs 0x8
rflags 0x246
rsp 0xffff800021169200
ss 0x10
db_enter+0xa: popq %rbp
ddb{1}> show proc
PROC (syz-executor0) pid=510546 stat=onproc
flags process=10<SUGID> proc=0
pri=17, usrpri=50, nice=20
forw=0xffffffffffffffff, list=0xffff8000210a2018,0xffffffff81eb2248
process=0xffff800021070fd0 user=0xffff800021164000,
vmspace=0xffffff00657ca110
estcpu=30, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
*66097 510546 1 65534 7 0x10 syz-executor0
72223 497781 1 65534 3 0x10 biowait syz-executor1
85233 305003 0 0 3 0x14200 bored sosplice
59 134677 37545 0 3 0x82 thrsleep syz-fuzzer
59 308673 37545 0 3 0x4000082 thrsleep syz-fuzzer
59 423152 37545 0 3 0x4000082 thrsleep syz-fuzzer
59 92097 37545 0 3 0x4000082 thrsleep syz-fuzzer
59 446041 37545 0 3 0x4000082 thrsleep syz-fuzzer
59 198366 37545 0 3 0x4000082 thrsleep syz-fuzzer
59 18442 37545 0 3 0x4000082 thrsleep syz-fuzzer
59 300913 37545 0 3 0x4000082 thrsleep syz-fuzzer
59 461082 37545 0 3 0x4000082 thrsleep syz-fuzzer
59 212055 37545 0 3 0x4000082 kqread syz-fuzzer
37545 23025 11165 0 3 0x10008a pause ksh
11165 61233 57508 0 3 0x92 select sshd
67723 405039 1 0 3 0x100083 ttyin getty
57508 254284 1 0 3 0x80 select sshd
9312 511077 21537 73 3 0x100010 ffs_fsync syslogd
21537 409310 1 0 3 0x100082 netio syslogd
78499 315962 1 77 3 0x100090 poll dhclient
19058 381155 1 0 3 0x80 poll dhclient
5830 35817 0 0 3 0x14200 pgzero zerothread
42443 109806 0 0 3 0x14200 aiodoned aiodoned
45384 515116 0 0 3 0x14200 syncer update
50855 362326 0 0 3 0x14200 cleaner cleaner
74129 495561 0 0 3 0x14200 reaper reaper
93268 42054 0 0 3 0x14200 pgdaemon pagedaemon
59516 273676 0 0 3 0x14200 bored crynlk
9919 12584 0 0 3 0x14200 bored crypto
21560 225375 0 0 3 0x40014200 acpi0 acpi0
81279 306352 0 0 3 0x40014200 idle1
36072 384156 0 0 3 0x14200 bored softnet
60760 154284 0 0 3 0x14200 bored systqmp
57229 393513 0 0 3 0x14200 bored systq
48128 36326 0 0 3 0x40014200 bored softclock
58400 474042 0 0 7 0x40014200 idle0
1 178984 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

syzbot

Feb 14, 2020, 10:28:06 PM
to syzkaller-o...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.