pool: free list modified: mcl2k


syzbot

Oct 26, 2018, 3:35:02 PM10/26/18
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 63a6c5601c3d remove a misleading comment; ok ratchov@
git tree: https://github.com/openbsd/src.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=158b8999400000
dashboard link: https://syzkaller.appspot.com/bug?extid=c2543ae6b6692a5843e3
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c2543a...@syzkaller.appspotmail.com

login: panic: pool_do_get: mcl2k free list modified: page
0xffffff001a066000; item addr 0xffffff001a068800; offset
0x0=0x6440d50447c18eeb != 0x6440d5048562fa9b
Stopped at db_enter+0xa: popq %rbp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
* 40756 32885 0 0x14000 0x200 0 softnet
db_enter() at db_enter+0xa
panic() at panic+0x147
pool_do_get(2,ffffffff81eaaf50,ffffffff81eaaf50) at pool_do_get+0x3ae
pool_get(ffffff001bdf4600,2) at pool_get+0x77
m_clget(4e,ffff800000029000,1) at m_clget+0x1e0
vio_populate_rx_mbufs(ffff800000029050) at vio_populate_rx_mbufs+0xd4
vio_rx_intr(ffffffff) at vio_rx_intr+0x4d
virtio_check_vqs(0) at virtio_check_vqs+0x166
virtio_pci_legacy_intr(ffff80000001cc00) at virtio_pci_legacy_intr+0x74
intr_handler(4,ffff800000039100) at intr_handler+0x3f
Xintr_legacy6_untramp(4,ffffffff81a48c20,4,18041969,4,d) at
Xintr_legacy6_untramp+0x1b3
Xspllower(0,ffffffff81eac6e8,ffffffff81eac6d0,ffffffff81e0fff0,ffffffff81636401,ffff800000021280)
at
Xspllower+0xc
softintr_dispatch(0) at softintr_dispatch+0xca
Xsoftclock(ffff800000029560,ffff8000000294e8,ffffffff812aec70,38c33adba839fd,ffffffff81636401,ffff800000029588)
at
Xsoftclock+0x1f
end trace frame: 0xffff80000e25d7d0, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb> trace
db_enter() at db_enter+0xa
panic() at panic+0x147
pool_do_get(2,ffffffff81eaaf50,ffffffff81eaaf50) at pool_do_get+0x3ae
pool_get(ffffff001bdf4600,2) at pool_get+0x77
m_clget(4e,ffff800000029000,1) at m_clget+0x1e0
vio_populate_rx_mbufs(ffff800000029050) at vio_populate_rx_mbufs+0xd4
vio_rx_intr(ffffffff) at vio_rx_intr+0x4d
virtio_check_vqs(0) at virtio_check_vqs+0x166
virtio_pci_legacy_intr(ffff80000001cc00) at virtio_pci_legacy_intr+0x74
intr_handler(4,ffff800000039100) at intr_handler+0x3f
Xintr_legacy6_untramp(4,ffffffff81a48c20,4,18041969,4,d) at
Xintr_legacy6_untramp+0x1b3
Xspllower(0,ffffffff81eac6e8,ffffffff81eac6d0,ffffffff81e0fff0,ffffffff81636401,ffff800000021280)
at
Xspllower+0xc
softintr_dispatch(0) at softintr_dispatch+0xca
Xsoftclock(ffff800000029560,ffff8000000294e8,ffffffff812aec70,38c33adba839fd,ffffffff81636401,ffff800000029588)
at
Xsoftclock+0x1f
ifq_serialize(ffff8000000294e8,0) at ifq_serialize+0x123
if_enqueue(ffff800000029290,ffffff001bdf4a00) at if_enqueue+0xc6
ether_output(ffffff001bdf4a00,ffffff001bdc52a0,ffffff001bdf4ab0,ffff800000029290)
at
ether_output+0x25c
ip_output(43e0,0,ffff8000004d2ee0,ffffff001bdf4a00,ffff8000004d2ee0,38c33adba839fd)
at ip_output+0xcdc
tcp_output(0) at tcp_output+0x1d5f
tcp_input(ffff80000e25dc88,ffff80000e25dc88,2,6) at tcp_input+0x1946
ip_deliver(ffff80000e25dc84,ffff80000e25dc88,ffff800000021040,ffffff001bdf4600)
at ip_deliver+0x23b
ipintr() at ipintr+0x71
if_netisr(ffffffff8129a8d0) at if_netisr+0x9e
taskq_thread(0) at taskq_thread+0x72
end trace frame: 0x0, count: -24
ddb> registers
No such command


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

syzbot

Dec 19, 2018, 5:10:03 PM12/19/18
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 838c75a0c5d5 get rid of a prototype for if_enqueue_try()
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1123955d400000
kernel config: https://syzkaller.appspot.com/x/.config?x=906264fb5874384d
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=121ec8ed400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14aa3a8b400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c2543a...@syzkaller.appspotmail.com

login: panic: pool_do_get: mcl2k free list modified: page
0xffffff00040b6000; item addr 0xffffff00040b6800; offset
0x0=0x999da37b978b69ca != 0x999da37bf87ddaef
Stopped at db_enter+0xa: popq %rbp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*341156 33589 0 0 0 0 syz-executor3031
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
pool_do_get(2,ffffffff81eb5100,ffffffff81eb5100) at pool_do_get+0x3ae
sys/kern/subr_pool.c:752
pool_get(ffffff0036f5d100,2) at pool_get+0x77 sys/kern/subr_pool.c:587
m_clget(ffffff00360b5350,ffff800014a32268,ffffff0036f5d100) at
m_clget+0x1e0 sys/kern/uipc_mbuf.c:394
sys_setsockopt(ffff800014a70e00,ffff800014a32268,ffff800014a15338) at
sys_setsockopt+0x105 sys/kern/uipc_syscalls.c:957
syscall(0) at syscall+0x3e4
Xsyscall(6,0,0,0,0,7f7ffffde844) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffde830, count: 7
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb> show panic
pool_do_get: mcl2k free list modified: page 0xffffff00040b6000; item addr
0xffffff00040b6800; offset 0x0=0x999da37b978b69ca != 0x999da37bf87ddaef
ddb> trace
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
pool_do_get(2,ffffffff81eb5100,ffffffff81eb5100) at pool_do_get+0x3ae
sys/kern/subr_pool.c:752
pool_get(ffffff0036f5d100,2) at pool_get+0x77 sys/kern/subr_pool.c:587
m_clget(ffffff00360b5350,ffff800014a32268,ffffff0036f5d100) at
m_clget+0x1e0 sys/kern/uipc_mbuf.c:394
sys_setsockopt(ffff800014a70e00,ffff800014a32268,ffff800014a15338) at
sys_setsockopt+0x105 sys/kern/uipc_syscalls.c:957
syscall(0) at syscall+0x3e4
Xsyscall(6,0,0,0,0,7f7ffffde844) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffde830, count: -8
ddb> show registers
rdi 0xffffffff81e38b38 kprintf_mutex
rsi 0x5
rbp 0xffff800014a70b20
rbx 0xffff800014a70bc0
rdx 0x3fd
rcx 0
rax 0x1
r8 0xffff800014a70af0
r9 0x8080808080808080
r10 0x999da37b978b69ca
r11 0xffffffff81687d20 x86_bus_space_io_read_1
r12 0x3000000008
r13 0xffff800014a70b30
r14 0x100
r15 0xffffffff81c47d22 cy_pio_rec+0xf15f
rip 0xffffffff814c7f1a db_enter+0xa
cs 0x8
rflags 0x202
rsp 0xffff800014a70b20
ss 0x10
db_enter+0xa: popq %rbp
ddb> show proc
PROC (syz-executor3031) pid=341156 stat=onproc
flags process=0 proc=0
pri=50, usrpri=50, nice=20
forw=0xffffffffffffffff, list=0xffff800014a324c0,0xffffffff81e92b98
process=0xffff800014a15338 user=0xffff800014a6b000,
vmspace=0xffffff003f12b108
estcpu=0, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
*33589 341156 61777 0 7 0 syz-executor3031
61777 292124 89307 0 3 0x82 nanosleep syz-executor3031
89307 95530 8664 0 3 0x10008a pause ksh
8664 409694 89304 0 3 0x92 select sshd
84182 90455 1 0 3 0x100083 ttyin getty
89304 210066 1 0 3 0x80 select sshd
61081 495008 23702 73 3 0x100090 kqread syslogd
23702 175307 1 0 3 0x100082 netio syslogd
4684 231992 1 77 3 0x100090 poll dhclient
36182 341702 1 0 3 0x80 poll dhclient
10934 41642 0 0 2 0x14200 zerothread
11148 4773 0 0 3 0x14200 aiodoned aiodoned
29028 63812 0 0 3 0x14200 syncer update
67240 188355 0 0 3 0x14200 cleaner cleaner
92205 219826 0 0 3 0x14200 reaper reaper
40842 349776 0 0 3 0x14200 pgdaemon pagedaemon
84649 476393 0 0 3 0x14200 bored crynlk
15197 279130 0 0 3 0x14200 bored crypto
85725 27827 0 0 3 0x40014200 acpi0 acpi0
78372 404472 0 0 3 0x14200 bored softnet
63471 171491 0 0 3 0x14200 bored systqmp
72978 482 0 0 3 0x14200 bored systq
62287 309622 0 0 3 0x40014200 bored softclock
39694 256938 0 0 3 0x40014200 idle0
1 223189 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
