panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr ADDR+24 ADDR!=ADDR

syzbot

Dec 8, 2018, 5:02:03 AM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 013d15613728 Merge branch 'master' of https://github.com/o..
git tree: https://github.com/blackgnezdo/src.git multicore
console output: https://syzkaller.appspot.com/x/log.txt?x=14bdd7eb400000
kernel config: https://syzkaller.appspot.com/x/.config?x=f2ee3db928411249
dashboard link: https://syzkaller.appspot.com/bug?extid=caa28d9603f1c0a3a8bf
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+caa28d...@syzkaller.appspotmail.com

panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item
addr 0xffffff007e25c900+24 0xd86d7e451e21edf6!=0xd86d7e457d26fdf6
Stopped at db_enter+0xa: popq %rbp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
232343 5785 0 0 0 1 syz-executor0
*441246 5785 0 0 0x4000000 0K syz-executor0
db_enter() at db_enter+0xa
panic() at panic+0x147
pool_cache_get(2) at pool_cache_get+0x2bf
pool_get(1,2) at pool_get+0x60
m_get(10000,ff6eff92) at m_get+0x2f
switchwrite(ffffff0072bd3658,ffffff0072bd3658,ffff8000211793e8) at
switchwrite+0x1d3
spec_write(ffffffff81e4c3d0) at spec_write+0xa8
VOP_WRITE(1,ffffff0072bd3658,1,ffffff0067f75d30) at VOP_WRITE+0x65
vn_write(ffffff0067f75d30,ffff8000211793e8,ffffff91) at vn_write+0x161
dofilewritev(ffff800021179510,1,ffff800021179528,ffff8000210a2720,0) at
dofilewritev+0x13e
sys_pwritev(10c0,ffff8000210a2720,0) at sys_pwritev+0xbf
syscall(0) at syscall+0x489
Xsyscall(6,0,ffffffffffffffb8,0,4,c95880e80d8) at Xsyscall+0x128
end of kernel
end trace frame: 0xc97caf55440, count: 2
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> show panic
pool_cache_item_magic_check: mbufpl cpu free list modified: item addr
0xffffff007e25c900+24 0xd86d7e451e21edf6!=0xd86d7e457d26fdf6
ddb{0}> trace
db_enter() at db_enter+0xa
panic() at panic+0x147
pool_cache_get(2) at pool_cache_get+0x2bf
pool_get(1,2) at pool_get+0x60
m_get(10000,ff6eff92) at m_get+0x2f
switchwrite(ffffff0072bd3658,ffffff0072bd3658,ffff8000211793e8) at
switchwrite+0x1d3
spec_write(ffffffff81e4c3d0) at spec_write+0xa8
VOP_WRITE(1,ffffff0072bd3658,1,ffffff0067f75d30) at VOP_WRITE+0x65
vn_write(ffffff0067f75d30,ffff8000211793e8,ffffff91) at vn_write+0x161
dofilewritev(ffff800021179510,1,ffff800021179528,ffff8000210a2720,0) at
dofilewritev+0x13e
sys_pwritev(10c0,ffff8000210a2720,0) at sys_pwritev+0xbf
syscall(0) at syscall+0x489
Xsyscall(6,0,ffffffffffffffb8,0,4,c95880e80d8) at Xsyscall+0x128
end of kernel
end trace frame: 0xc97caf55440, count: -13
ddb{0}> show registers
rdi 0xffffffff81e2ec58 kprintf_mutex
rsi 0xffffffff81b67d99 db_enter+0x9
rbp 0xffff800021179040
rbx 0xffff8000211790e0
rdx 0xffff800000cd6000
rcx 0x6946 __ALIGN_SIZE+0x5946
rax 0xffff800000cd6000
r8 0xffff800021179010
r9 0x8080808080808080
r10 0
r11 0xffffffff819e6130 x86_bus_space_io_read_1
r12 0x3000000008
r13 0xffff800021179050
r14 0x100
r15 0xffffffff81bf5517 cmd0646_9_tim_udma+0x220e6
rip 0xffffffff81b67d9a db_enter+0xa
cs 0x8
rflags 0x202
rsp 0xffff800021179040
ss 0x10
db_enter+0xa: popq %rbp
ddb{0}> show proc
PROC (syz-executor0) pid=441246 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=81, usrpri=81, nice=20
forw=0xffffffffffffffff, list=0xffff8000210a3c38,0xffffffff81eac508
process=0xffff8000210b7630 user=0xffff800021174000,
vmspace=0xffffff007f124948
estcpu=31, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
5785 232343 3705 0 7 0 syz-executor0
5785 459701 3705 0 2 0x4000000 syz-executor0
* 5785 441246 3705 0 7 0x4000000 syz-executor0
77447 31610 1 0 3 0x100083 ttyin getty
90798 419219 0 0 3 0x14200 bored sosplice
71706 130022 47224 0 2 0x2 syz-executor1
3705 55903 47224 0 3 0x82 nanosleep syz-executor0
47224 265923 35423 0 3 0x82 thrsleep syz-fuzzer
47224 371565 35423 0 3 0x4000082 nanosleep syz-fuzzer
47224 424314 35423 0 3 0x4000082 thrsleep syz-fuzzer
47224 134701 35423 0 3 0x4000082 thrsleep syz-fuzzer
47224 406224 35423 0 3 0x4000082 thrsleep syz-fuzzer
47224 61387 35423 0 3 0x4000082 thrsleep syz-fuzzer
47224 322378 35423 0 3 0x4000082 thrsleep syz-fuzzer
47224 203310 35423 0 3 0x4000082 thrsleep syz-fuzzer
47224 332071 35423 0 3 0x4000082 kqread syz-fuzzer
47224 22535 35423 0 3 0x4000082 thrsleep syz-fuzzer
35423 50945 5197 0 3 0x10008a pause ksh
5197 371683 70359 0 3 0x92 select sshd
70359 209008 1 0 3 0x80 select sshd
87356 261614 91516 73 3 0x100090 kqread syslogd
91516 475210 1 0 3 0x100082 netio syslogd
53049 99505 1 77 3 0x100090 poll dhclient
33011 280405 1 0 3 0x80 poll dhclient
59377 412355 0 0 3 0x14200 pgzero zerothread
91894 181692 0 0 3 0x14200 aiodoned aiodoned
12289 73505 0 0 3 0x14200 syncer update
44981 329915 0 0 3 0x14200 cleaner cleaner
48093 264055 0 0 3 0x14200 reaper reaper
59967 309912 0 0 3 0x14200 pgdaemon pagedaemon
39172 94286 0 0 3 0x14200 bored crynlk
12196 513369 0 0 3 0x14200 bored crypto
56615 162629 0 0 3 0x40014200 acpi0 acpi0
48453 93394 0 0 3 0x40014200 idle1
58924 354782 0 0 3 0x14200 bored softnet
71488 363243 0 0 3 0x14200 bored systqmp
32655 372307 0 0 3 0x14200 bored systq
38060 321260 0 0 3 0x40014200 bored softclock
85677 131408 0 0 3 0x40014200 idle0
1 155733 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

Anton Lindqvist

Jan 2, 2019, 4:02:47 PM
to syzbot, syzkaller-o...@googlegroups.com
#syz dup: panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr ADDR+16 0x0!=ADDR