assert "m->m_pkthdr.pf.prio <= IFQ_MAXPRIO" failed in ifq.c


syzbot

Feb 10, 2022, 5:52:26 AM2/10/22
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 4e4477fd5c2f Don't unregister firmware if we can't fetch t..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1740451c700000
kernel config: https://syzkaller.appspot.com/x/.config?x=bf87b6915a88cd0d
dashboard link: https://syzkaller.appspot.com/bug?extid=a8f8e24a44b441e71d93

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a8f8e2...@syzkaller.appspotmail.com

panic: kernel diagnostic assertion "m->m_pkthdr.pf.prio <= IFQ_MAXPRIO" failed: file "/syzkaller/managers/multicore/kernel/sys/net/ifq.c", line 858
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*496459 43534 0 0 0x4000000 0 syz-executor.5
285252 79874 0 0x14000 0x200 1 reaper
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825739a5) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff825e91ae,ffffffff825cdabe,35a,ffffffff82591901) at __assert+0x25 sys/kern/subr_prf.c:161
priq_enq(ffff80000019f558,fffffd807e01aa00) at priq_enq+0x2ae sys/net/ifq.c:858
ifq_enqueue(ffff80000019f558,fffffd807e01aa00) at ifq_enqueue+0x48 sys/net/ifq.c:365
if_enqueue_ifq(ffff80000019f2a8,fffffd807e01aa00) at if_enqueue_ifq+0x7e sys/net/if.c:725
ether_output(ffff80000019f2a8,fffffd807e01aa00,ffff8000006c6650,fffffd806f6653f0) at ether_output+0xb7 sys/net/if_ethersubr.c:358
ip_output(fffffd807e01aa00,0,fffffd806f67f070,800,0,fffffd806f67f000,426cfd956ffd8cc9) at ip_output+0x106b sys/netinet/ip_output.c:468
tcp_output(ffff800000bc4e60) at tcp_output+0x247d sys/netinet/tcp_output.c:1046
tcp_usrreq(fffffd807ddbf230,4,0,fffffd805bca2300,0,ffff800022c4c000) at tcp_usrreq+0x43f
sys_connect(ffff800022c4c000,ffff80002e3a91a8,ffff80002e3a9200) at sys_connect+0x1da sys/kern/uipc_syscalls.c:378
syscall(ffff80002e3a9270) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff80002e3a9270) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xcd9e796f5c0, count: 2
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
*cpu0: kernel diagnostic assertion "m->m_pkthdr.pf.prio <= IFQ_MAXPRIO" failed: file "/syzkaller/managers/multicore/kernel/sys/net/ifq.c", line 858
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825739a5) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff825e91ae,ffffffff825cdabe,35a,ffffffff82591901) at __assert+0x25 sys/kern/subr_prf.c:161
priq_enq(ffff80000019f558,fffffd807e01aa00) at priq_enq+0x2ae sys/net/ifq.c:858
ifq_enqueue(ffff80000019f558,fffffd807e01aa00) at ifq_enqueue+0x48 sys/net/ifq.c:365
if_enqueue_ifq(ffff80000019f2a8,fffffd807e01aa00) at if_enqueue_ifq+0x7e sys/net/if.c:725
ether_output(ffff80000019f2a8,fffffd807e01aa00,ffff8000006c6650,fffffd806f6653f0) at ether_output+0xb7 sys/net/if_ethersubr.c:358
ip_output(fffffd807e01aa00,0,fffffd806f67f070,800,0,fffffd806f67f000,426cfd956ffd8cc9) at ip_output+0x106b sys/netinet/ip_output.c:468
tcp_output(ffff800000bc4e60) at tcp_output+0x247d sys/netinet/tcp_output.c:1046
tcp_usrreq(fffffd807ddbf230,4,0,fffffd805bca2300,0,ffff800022c4c000) at tcp_usrreq+0x43f
sys_connect(ffff800022c4c000,ffff80002e3a91a8,ffff80002e3a9200) at sys_connect+0x1da sys/kern/uipc_syscalls.c:378
syscall(ffff80002e3a9270) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff80002e3a9270) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xcd9e796f5c0, count: -13
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff80002e3a8b70
rbx 0xffffffff82920bff cpu_info_full_primary+0x2bff
rdx 0
rcx 0
rax 0xffff800022c4c000
r8 0x101010101010101
r9 0x8080808080808080
r10 0xb5711e47faa7b09
r11 0x68ea71df97b9bad8
r12 0xffffffff82920a00 cpu_info_full_primary+0x2a00
r13 0
r14 0
r15 0x1
rip 0xffffffff8147cfe8 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff80002e3a8b60
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor.5) pid=496459 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=32, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff800022c4d500,0xffff800022c4c7f0
process=0xffff80002e4d1d38 user=0xffff80002e3a4000, vmspace=0xfffffd806a8bc5d0
estcpu=36, cpticks=2, pctcpu=0.0
user=0, sys=2, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
3417 255808 65705 0 2 0 syz-executor.6
43534 434262 98806 0 2 0 syz-executor.5
*43534 496459 98806 0 7 0x4000000 syz-executor.5
22678 243873 42645 0 2 0 syz-executor.7
22678 410159 42645 0 3 0x4000080 fsleep syz-executor.7
33420 266517 24839 60928 2 0x10 syz-executor.1
33420 150314 24839 60928 3 0x4000090 fsleep syz-executor.1
33420 169731 24839 60928 3 0x4000090 fsleep syz-executor.1
10478 496615 48936 0 2 0 syz-executor.4
10478 282601 48936 0 2 0x4000000 syz-executor.4
22741 43343 19374 0 2 0 syz-executor.0
22741 371732 19374 0 3 0x4000080 fsleep syz-executor.0
22741 295155 19374 0 3 0x4000080 fsleep syz-executor.0
12181 514219 74674 0 3 0x82 nanoslp syz-executor.3
65705 157139 74674 0 3 0x82 nanoslp syz-executor.6
89951 168064 74674 0 3 0x82 piperd syz-executor.2
42645 101623 74674 0 3 0x82 nanoslp syz-executor.7
19374 438361 74674 0 3 0x82 nanoslp syz-executor.0
98806 9812 74674 0 3 0x82 nanoslp syz-executor.5
2946 365285 0 0 3 0x14200 bored sosplice
2550 338695 0 0 3 0x14280 nfsidl nfsio
4522 115201 0 0 3 0x14280 nfsidl nfsio
61330 4573 0 0 3 0x14280 nfsidl nfsio
57657 252220 0 0 3 0x14280 nfsidl nfsio
48023 200228 0 0 3 0x14280 nfsidl nfsio
65977 300141 0 0 3 0x14280 nfsidl nfsio
39416 244399 0 0 3 0x14280 nfsidl nfsio
8279 121428 0 0 3 0x14280 nfsidl nfsio
6316 450010 0 0 3 0x14280 nfsidl nfsio
94041 37948 0 0 3 0x14280 nfsidl nfsio
49757 444660 0 0 3 0x14280 nfsidl nfsio
87904 104484 0 0 3 0x14280 nfsidl nfsio
74990 54844 0 0 3 0x14280 nfsidl nfsio
15882 381602 0 0 3 0x14280 nfsidl nfsio
29989 306889 0 0 3 0x14280 nfsidl nfsio
40063 307019 0 0 3 0x14280 nfsidl nfsio
73052 337970 0 0 3 0x14280 nfsidl nfsio
15399 510621 0 0 3 0x14280 nfsidl nfsio
62118 84634 0 0 3 0x14280 nfsidl nfsio
50837 392126 0 0 3 0x14280 nfsidl nfsio
48936 490083 74674 0 3 0x82 nanoslp syz-executor.4
24839 513837 74674 0 3 0x82 nanoslp syz-executor.1
74674 489659 2858 0 3 0x82 thrsleep syz-fuzzer
74674 67139 2858 0 3 0x4000082 nanoslp syz-fuzzer
74674 106475 2858 0 3 0x4000082 thrsleep syz-fuzzer
74674 401511 2858 0 3 0x4000082 thrsleep syz-fuzzer
74674 53572 2858 0 2 0x4000002 syz-fuzzer
74674 353238 2858 0 3 0x4000082 thrsleep syz-fuzzer
74674 324955 2858 0 3 0x4000082 nanoslp syz-fuzzer
74674 386540 2858 0 3 0x4000082 thrsleep syz-fuzzer
74674 125216 2858 0 3 0x4000082 thrsleep syz-fuzzer
2858 291989 97182 0 3 0x10008a sigsusp ksh
97182 290844 47950 0 3 0x9a kqread sshd
93499 263598 1 0 3 0x100083 ttyin getty
47950 477013 1 0 3 0x88 kqread sshd
8369 410069 51949 74 3 0x100092 bpf pflogd
51949 156905 1 0 3 0x80 netio pflogd
75532 231170 3107 73 3 0x100090 kqread syslogd
3107 498558 1 0 3 0x100082 netio syslogd
81355 461185 1 0 3 0x100080 kqread resolvd
47333 482913 33011 77 3 0x100092 kqread dhcpleased
22391 497171 33011 77 3 0x100092 kqread dhcpleased
33011 258690 1 0 3 0x80 kqread dhcpleased
47751 29362 0 0 3 0x14200 bored smr
81617 395261 0 0 2 0x14200 zerothread
98100 415980 0 0 3 0x14200 aiodoned aiodoned
31754 304385 0 0 3 0x14200 syncer update
4373 147081 0 0 3 0x14200 cleaner cleaner
79874 285252 0 0 7 0x14200 reaper
93314 207052 0 0 3 0x14200 pgdaemon pagedaemon
69894 16008 0 0 3 0x14200 bored viomb
66470 142215 0 0 3 0x40014200 acpi0 acpi0
10195 368517 0 0 3 0x40014200 idle1
67343 289940 0 0 3 0x14200 bored softnet
35284 11096 0 0 3 0x14200 bored systqmp
9000 20254 0 0 3 0x14200 bored systq
71089 316193 0 0 3 0x40014200 bored softclock
7383 73906 0 0 3 0x40014200 idle0
1 464907 0 0 3 0x80082 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
CPU 0:
exclusive mutex &ifq->ifq_mtx r = 0 (0xffff80000019f580)
#0 witness_lock+0x44d
#1 mtx_enter_try+0x100
#2 mtx_enter+0x4b sys/kern/kern_lock.c:266
#3 ifq_enqueue+0x34 sys/net/ifq.c:365
#4 if_enqueue_ifq+0x7e sys/net/if.c:725
#5 ether_output+0xb7 sys/net/if_ethersubr.c:358
#6 ip_output+0x106b sys/netinet/ip_output.c:468
#7 tcp_output+0x247d sys/netinet/tcp_output.c:1046
#8 tcp_usrreq+0x43f
#9 sys_connect+0x1da sys/kern/uipc_syscalls.c:378
#10 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#10 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#11 Xsyscall+0x128
Process 43534 (syz-executor.5) thread 0xffff800022c4c000 (496459)
exclusive rwlock netlock r = 0 (0xffffffff828e4ab0)
#0 witness_lock+0x44d
#1 solock+0x86 sys/kern/uipc_socket2.c:295
#2 sys_connect+0x18d sys/kern/uipc_syscalls.c:368
#3 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#3 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#4 Xsyscall+0x128
exclusive mutex &ifq->ifq_mtx r = 0 (0xffff80000019f580)
#0 witness_lock+0x44d
#1 mtx_enter_try+0x100
#2 mtx_enter+0x4b sys/kern/kern_lock.c:266
#3 ifq_enqueue+0x34 sys/net/ifq.c:365
#4 if_enqueue_ifq+0x7e sys/net/if.c:725
#5 ether_output+0xb7 sys/net/if_ethersubr.c:358
#6 ip_output+0x106b sys/netinet/ip_output.c:468
#7 tcp_output+0x247d sys/netinet/tcp_output.c:1046
#8 tcp_usrreq+0x43f
#9 sys_connect+0x1da sys/kern/uipc_syscalls.c:378
#10 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#10 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#11 Xsyscall+0x128
Process 79874 (reaper) thread 0xffff8000210f9a40 (285252)
exclusive kernel: protection fault trap, code=0
Faulted in DDB; continuing...
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10220 6495K 6903K 78643K 20808 0
pcb 13 18K 20K 78643K 1151 0
rtable 238 16K 19K 78643K 6014 0
ifaddr 111 23K 24K 78643K 2257 0
sysctl 2 0K 0K 78643K 2 0
counters 58 35K 36K 78643K 128 0
ioctlops 0 0K 8K 78643K 14877 0
iov 0 0K 16K 78643K 718 0
mount 1 1K 1K 78643K 1 0
log 0 0K 0K 78643K 5 0
vnodes 1384 86K 87K 78643K 7240 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 5K 78643K 52 0
VM map 2 1K 1K 78643K 2 0
sem 12 1K 1K 78643K 20 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12548 0
file desc 16 57K 93K 78643K 11930 0
sigio 0 0K 0K 78643K 31 0
proc 70 87K 111K 78643K 1370 0
subproc 104 6K 6K 78643K 338 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
ip_moptions 0 0K 0K 78643K 1317 0
in_multi 86 5K 6K 78643K 4069 0
ether_multi 1 0K 0K 78643K 463 0
mrt 2 0K 0K 78643K 48 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 241 1076K 1076K 78643K 241 0
exec 0 0K 2K 78643K 3301 0
pfkey data 0 0K 0K 78643K 3 0
tdb 3 0K 0K 78643K 3 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 7 26K 26K 78643K 7 0
UVM amap 495 536K 536K 78643K 153261 0
UVM aobj 131 7K 7K 78643K 134 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
ip6_options 0 0K 0K 78643K 833 0
NDP 14 0K 2K 78643K 640 0
temp 174 4769K 4835K 78643K 57654 0
kqueue 12 18K 26K 78643K 420 0
SYN cache 2 16K 16K 78643K 2 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 22 0 0 1 0 1 1 0 8 0
rtpcb 120 450 0 447 6 5 1 3 0 8 0
rtentry 112 2522 0 2436 4 1 3 4 0 8 0
unpcb 136 3771 0 3751 30 29 1 6 0 8 0
syncache 296 23 0 23 8 8 0 1 0 8 0
tcpqe 32 8 0 8 4 4 0 1 0 8 0
tcpcb 736 5845 0 5839 125 117 8 13 0 8 7
arp 120 56 0 41 1 0 1 1 0 8 0
inpcb 304 14744 0 14732 144 135 9 12 0 8 8
rttmr 72 12 0 12 6 5 1 1 0 8 1
nd6 48 632 0 610 1 0 1 1 0 8 0
pkpcb 40 7 0 7 2 2 0 1 0 8 0
kcovpl 48 26 0 18 1 0 1 1 0 8 0
ppxss 1248 9 0 8 1 0 1 1 0 8 0
pfstscr 40 15 0 15 4 3 1 1 0 8 1
pffrag 232 61 0 60 4 3 1 1 0 482 0
pffrnode 88 60 0 59 4 3 1 1 0 8 0
pffrent 40 140 0 139 5 4 1 1 0 8 0
pfosfp 40 1432 0 1007 5 0 5 5 0 8 0
pfosfpen 112 1432 0 714 21 0 21 21 0 8 0
pfrke_plain 168 4 0 2 2 1 1 1 0 8 0
pfrktable 1344 195 0 177 7 4 3 3 0 8 1
pftag 88 27 0 18 3 2 1 1 0 8 0
pfstitem 24 24 0 22 1 0 1 1 0 8 0
pfstkey 112 54 0 52 1 0 1 1 0 8 0
pfstate 320 37 0 35 2 1 1 2 0 8 0
pfrule 1360 7674 0 5561 178 1 177 177 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 14643 0 14203 39 11 28 29 0 8 0
art_table 32 14644 0 14203 4 0 4 4 0 8 0
art_node 16 2508 0 2431 1 0 1 1 0 8 0
semupl 112 5 0 5 2 2 0 1 0 8 0
semapl 112 14 0 4 1 0 1 1 0 8 0
shmpl 112 131 0 3 4 0 4 4 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 18626 0 17172 92 0 92 92 0 8 0
ffsino 272 18626 0 17172 98 0 98 98 0 8 0
nchpl 144 33698 0 32073 63 0 63 63 0 8 0
rtmask 32 8 0 6 2 1 1 1 0 8 0
uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0
vnodes 224 5926 0 0 349 0 349 349 0 8 0
namei 1024 119867 0 119867 9 8 1 2 0 8 1
percpumem 16 76 0 35 1 0 1 1 0 8 0
vcpupl 2048 103 0 0 13 0 13 13 0 8 0
vmpool 560 122 0 19 10 2 8 8 0 8 0
pfiaddrpl 120 73 0 57 1 0 1 1 0 8 0
scsiplug 72 3 0 3 1 1 0 1 0 8 0
scxspl 216 96143 0 96143 21 20 1 6 0 8 1
plimitpl 152 703 0 688 1 0 1 1 0 8 0
sigapl 424 12217 0 12153 8 0 8 8 0 8 0
futexpl 64 124338 0 124333 6 5 1 1 0 8 0
knotepl 120 265 0 0 7 2 5 6 0 8 0
kqueuepl 216 3479 0 3471 50 42 8 8 0 8 7
pipepl 336 15113 0 15084 142 136 6 17 0 8 3
fdescpl 496 12182 0 12153 5 1 4 5 0 8 0
filepl 152 113735 0 113476 157 139 18 24 0 8 8
lockfpl 104 1805 0 1803 3 2 1 2 0 8 0
lockfspl 48 516 0 514 1 0 1 1 0 8 0
sessionpl 144 42 0 25 1 0 1 1 0 8 0
pgrppl 48 46 0 29 1 0 1 1 0 8 0
ucredpl 96 18775 0 18761 1 0 1 1 0 8 0
zombiepl 144 12153 0 12152 5 4 1 1 0 8 0
processpl 1064 12217 0 12152 5 0 5 5 0 8 0
procpl 672 34895 0 34815 20 12 8 9 0 8 0
srpgc 96 18 0 18 2 2 0 1 0 8 0
sosppl 168 58 0 58 9 8 1 1 0 8 1
sockpl 480 18986 0 18951 258 246 12 21 0 8 7
mcl64k 65536 26 0 0 3 0 3 3 0 8 0
mcl16k 16384 17 0 0 3 1 2 3 0 8 0
mcl12k 12288 33 0 0 2 0 2 2 0 8 0
mcl9k 9216 17 0 0 2 0 2 2 0 8 0
mcl8k 8192 33 0 0 5 2 3 3 0 8 0
mcl4k 4096 41 0 0 3 0 3 3 0 8 0
mcl2k2 2112 8 0 0 1 0 1 1 0 8 0
mcl2k 2048 208 0 0 18 0 18 18 0 8 0
mtagpl 96 593 0 0 11 0 11 11 0 8 0
mbufpl 256 1800 0 0 101 1 100 100 0 8 0
bufpl 288 19783 0 13448 453 0 453 453 0 8 0
anonpl 24 3360497 0 3337849 293 139 154 168 0 186 0
amapchunkpl 152 368582 0 367668 92 55 37 48 0 158 0
amappl16 200 29774 0 28946 122 73 49 54 0 8 0
amappl15 192 2939 0 2934 1 0 1 1 0 8 0
amappl14 184 3094 0 3086 1 0 1 1 0 8 0
amappl13 176 783 0 778 1 0 1 1 0 8 0
amappl12 168 925 0 923 2 1 1 1 0 8 0
amappl11 160 1342 0 1324 1 0 1 1 0 8 0
amappl10 152 2564 0 2555 1 0 1 1 0 8 0
amappl9 144 2196 0 2191 1 0 1 1 0 8 0
amappl8 136 1434 0 1303 5 0 5 5 0 8 0
amappl7 128 434 0 420 1 0 1 1 0 8 0
amappl6 120 1994 0 1968 2 1 1 2 0 8 0
amappl5 112 13083 0 13062 1 0 1 1 0 8 0
amappl4 104 4411 0 4374 4 2 2 2 0 8 0
amappl3 96 1694 0 1683 1 0 1 1 0 8 0
amappl2 88 2252 0 2193 3 1 2 3 0 8 0
amappl1 80 222140 0 221549 25 11 14 19 0 8 0
amappl 88 152262 0 151953 9 1 8 8 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 133 0 3 3 0 3 3 0 8 0
uaddrrnd 24 12304 0 12172 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 12304 0 12172 1 0 1 1 0 8 0
vmmpekpl 168 142317 0 142239 6 1 5 6 0 8 0
vmmpepl 168 1096183 0 1092910 304 145 159 166 0 357 8
vmsppl 368 12303 0 12172 14 1 13 13 0 8 0
rwobjpl 56 269591 0 261590 122 7 115 116 0 8 0
pdppl 4096 24615 0 24447 564 391 173 173 0 8 5
pvpl 32 5883059 0 5859256 478 270 208 263 0 265 0
pmappl 248 12303 0 12172 10 1 9 9 0 8 0
extentpl 40 58 0 38 1 0 1 1 0 8 0
phpool 112 1867 0 671 35 0 35 35 0 8 0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825739a5) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff825e91ae,ffffffff825cdabe,35a,ffffffff82591901) at __assert+0x25 sys/kern/subr_prf.c:161
priq_enq(ffff80000019f558,fffffd807e01aa00) at priq_enq+0x2ae sys/net/ifq.c:858
ifq_enqueue(ffff80000019f558,fffffd807e01aa00) at ifq_enqueue+0x48 sys/net/ifq.c:365
if_enqueue_ifq(ffff80000019f2a8,fffffd807e01aa00) at if_enqueue_ifq+0x7e sys/net/if.c:725
ether_output(ffff80000019f2a8,fffffd807e01aa00,ffff8000006c6650,fffffd806f6653f0) at ether_output+0xb7 sys/net/if_ethersubr.c:358
ip_output(fffffd807e01aa00,0,fffffd806f67f070,800,0,fffffd806f67f000,426cfd956ffd8cc9) at ip_output+0x106b sys/netinet/ip_output.c:468
tcp_output(ffff800000bc4e60) at tcp_output+0x247d sys/netinet/tcp_output.c:1046
tcp_usrreq(fffffd807ddbf230,4,0,fffffd805bca2300,0,ffff800022c4c000) at tcp_usrreq+0x43f
sys_connect(ffff800022c4c000,ffff80002e3a91a8,ffff80002e3a9200) at sys_connect+0x1da sys/kern/uipc_syscalls.c:378
syscall(ffff80002e3a9270) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff80002e3a9270) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xcd9e796f5c0, count: -13
ddb{0}> machine ddbcpu 1
Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp
x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__sanitizer_cov_trace_const_cmp4(0,0) at __sanitizer_cov_trace_const_cmp4+0x31 kd_curproc sys/dev/kcov.c:578 [inline]
__sanitizer_cov_trace_const_cmp4(0,0) at __sanitizer_cov_trace_const_cmp4+0x31 sys/dev/kcov.c:225
witness_checkorder(ffffffff829914e0,9,0) at witness_checkorder+0x65 sys/kern/subr_witness.c:765
mtx_enter(ffffffff829914d0) at mtx_enter+0x3a sys/kern/kern_lock.c:265
msleep(ffffffff82b4b778,ffffffff829914d0,4,ffffffff826246f7,0) at msleep+0x214
reaper(ffff8000210f9a40) at reaper+0xcb sys/kern/kern_exit.c:433
end trace frame: 0x0, count: 7
ddb{1}> trace
x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__sanitizer_cov_trace_const_cmp4(0,0) at __sanitizer_cov_trace_const_cmp4+0x31 kd_curproc sys/dev/kcov.c:578 [inline]
__sanitizer_cov_trace_const_cmp4(0,0) at __sanitizer_cov_trace_const_cmp4+0x31 sys/dev/kcov.c:225
witness_checkorder(ffffffff829914e0,9,0) at witness_checkorder+0x65 sys/kern/subr_witness.c:765
mtx_enter(ffffffff829914d0) at mtx_enter+0x3a sys/kern/kern_lock.c:265
msleep(ffffffff82b4b778,ffffffff829914d0,4,ffffffff826246f7,0) at msleep+0x214
reaper(ffff8000210f9a40) at reaper+0xcb sys/kern/kern_exit.c:433
end trace frame: 0x0, count: -8


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Feb 10, 2022, 6:08:18 AM2/10/22
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 4e4477fd5c2f Don't unregister firmware if we can't fetch t..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=14fd12f8700000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1431b4a4700000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a8f8e2...@syzkaller.appspotmail.com

login: panic: kernel diagnostic assertion "m->m_pkthdr.pf.prio <= IFQ_MAXPRIO" failed: file "/syzkaller/managers/multicore/kernel/sys/net/ifq.c", line 858
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*102370 17733 0 0x2 0 1K ifconfig
429331 43069 0 0x100002 0 0 sh
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825739a5) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff825e91ae,ffffffff825cdabe,35a,ffffffff82591901) at __assert+0x25 sys/kern/subr_prf.c:161
priq_enq(ffff800000bffab0,fffffd80761e0200) at priq_enq+0x2ae sys/net/ifq.c:858
ifq_enqueue(ffff800000bffab0,fffffd80761e0200) at ifq_enqueue+0x48 sys/net/ifq.c:365
tun_enqueue(ffff800000bff800,fffffd80761e0200) at tun_enqueue+0x3a sys/net/if_tun.c:615
ether_output(ffff800000bff800,fffffd80761e0200,ffff800021314588,0) at ether_output+0xb7 sys/net/if_ethersubr.c:358
ip6_output(fffffd80761e0200,0,0,1,ffff800021314728,0) at ip6_output+0x195c sys/netinet6/ip6_output.c:706
nd6_ns_output(ffff800000bff800,0,ffff800000bf2b48,0,1) at nd6_ns_output+0x579 icmp6stat_inc sys/netinet/icmp6.h:584 [inline]
nd6_ns_output(ffff800000bff800,0,ffff800000bf2b48,0,1) at nd6_ns_output+0x579 sys/netinet6/nd6_nbr.c:539
nd6_dad_start(ffff800000bf2b00) at nd6_dad_start+0x341 nd6_dad_ns_output sys/netinet6/nd6_nbr.c:1318 [inline]
nd6_dad_start(ffff800000bf2b00) at nd6_dad_start+0x341 sys/netinet6/nd6_nbr.c:1132
in6_ioctl_change_ifaddr(8080691a,ffff800021314a40,ffff800000bff800) at in6_ioctl_change_ifaddr+0x54f sys/netinet6/in6.c:339
ifioctl(fffffd806d5ff798,8080691a,ffff800021314a40,ffff8000212b6a90) at ifioctl+0xdf4 sys/net/if.c:2261
soo_ioctl(fffffd806a1b0b48,8080691a,ffff800021314a40,ffff8000212b6a90) at soo_ioctl+0x26c
sys_ioctl(ffff8000212b6a90,ffff800021314b50,ffff800021314bb0) at sys_ioctl+0x4a2
end trace frame: 0xffff800021314c10, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu1: kernel diagnostic assertion "m->m_pkthdr.pf.prio <= IFQ_MAXPRIO" failed: file "/syzkaller/managers/multicore/kernel/sys/net/ifq.c", line 858
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825739a5) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff825e91ae,ffffffff825cdabe,35a,ffffffff82591901) at __assert+0x25 sys/kern/subr_prf.c:161
priq_enq(ffff800000bffab0,fffffd80761e0200) at priq_enq+0x2ae sys/net/ifq.c:858
ifq_enqueue(ffff800000bffab0,fffffd80761e0200) at ifq_enqueue+0x48 sys/net/ifq.c:365
tun_enqueue(ffff800000bff800,fffffd80761e0200) at tun_enqueue+0x3a sys/net/if_tun.c:615
ether_output(ffff800000bff800,fffffd80761e0200,ffff800021314588,0) at ether_output+0xb7 sys/net/if_ethersubr.c:358
ip6_output(fffffd80761e0200,0,0,1,ffff800021314728,0) at ip6_output+0x195c sys/netinet6/ip6_output.c:706
nd6_ns_output(ffff800000bff800,0,ffff800000bf2b48,0,1) at nd6_ns_output+0x579 icmp6stat_inc sys/netinet/icmp6.h:584 [inline]
nd6_ns_output(ffff800000bff800,0,ffff800000bf2b48,0,1) at nd6_ns_output+0x579 sys/netinet6/nd6_nbr.c:539
nd6_dad_start(ffff800000bf2b00) at nd6_dad_start+0x341 nd6_dad_ns_output sys/netinet6/nd6_nbr.c:1318 [inline]
nd6_dad_start(ffff800000bf2b00) at nd6_dad_start+0x341 sys/netinet6/nd6_nbr.c:1132
in6_ioctl_change_ifaddr(8080691a,ffff800021314a40,ffff800000bff800) at in6_ioctl_change_ifaddr+0x54f sys/netinet6/in6.c:339
ifioctl(fffffd806d5ff798,8080691a,ffff800021314a40,ffff8000212b6a90) at ifioctl+0xdf4 sys/net/if.c:2261
soo_ioctl(fffffd806a1b0b48,8080691a,ffff800021314a40,ffff8000212b6a90) at soo_ioctl+0x26c
sys_ioctl(ffff8000212b6a90,ffff800021314b50,ffff800021314bb0) at sys_ioctl+0x4a2
syscall(ffff800021314c20) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800021314c20) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffc25c0, count: -16
ddb{1}> show registers
rdi 0
rsi 0x1
rbp 0xffff800021314330
rbx 0xffff800020ce9bff
rdx 0x3fd
rcx 0
rax 0x94
r8 0x101010101010101
r9 0x8080808080808080
r10 0xfb8d2089734fcaf
r11 0x6bc825f97bee6713
r12 0xffff800020ce9a00
r13 0
r14 0
r15 0x1
rip 0xffffffff8147cfe8 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800021314320
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{1}> show proc
PROC (ifconfig) pid=102370 stat=onproc
flags process=2<EXEC> proc=0
pri=50, usrpri=50, nice=20
forw=0xffffffffffffffff, list=0xffff8000212b6010,0xffff8000212b7a60
process=0xffff8000ffff3a48 user=0xffff80002130f000, vmspace=0xfffffd8069c60d08
estcpu=0, cpticks=2, pctcpu=0.0
user=0, sys=2, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
79409 481467 43069 0 2 0x100000 sh
85272 381225 268 0 2 0x100000 sh
*17733 102370 43207 0 7 0x2 ifconfig
43207 15466 79541 0 3 0x10008a sigsusp sh
43069 429331 32441 0 7 0x100002 sh
25019 169876 24156 0 2 0x100000 sh
81984 524226 91985 0 2 0x100000 sh
50502 355995 36157 0 2 0x2 ifconfig
36157 292808 63484 0 3 0x10008a sigsusp sh
24156 279690 71650 0 3 0x10008a sigsusp sh
91985 193410 8413 0 3 0x10008a sigsusp sh
32441 463089 1067 0 3 0x82 wait syz-executor.6
79541 165607 1067 0 3 0x82 wait syz-executor.3
63484 210605 1067 0 3 0x82 wait syz-executor.1
268 392158 771 0 3 0x10008a sigsusp sh
771 148795 1067 0 3 0x82 wait syz-executor.7
7267 250687 1067 0 3 0x2 biowait syz-executor.0
8413 252734 1067 0 3 0x82 wait syz-executor.2
71650 450961 1067 0 3 0x82 wait syz-executor.5
87293 220595 1067 0 3 0x2 biowait syz-executor.4
1067 457437 19864 0 3 0x82 kqread syz-execprog
1067 464723 19864 0 3 0x4000082 nanoslp syz-execprog
1067 148652 19864 0 2 0x4000002 syz-execprog
1067 494999 19864 0 3 0x4000082 thrsleep syz-execprog
1067 339793 19864 0 3 0x4000082 thrsleep syz-execprog
1067 435269 19864 0 3 0x4000082 thrsleep syz-execprog
1067 291835 19864 0 3 0x4000082 thrsleep syz-execprog
1067 198493 19864 0 3 0x4000082 thrsleep syz-execprog
1067 336649 19864 0 3 0x4000082 thrsleep syz-execprog
1067 174499 19864 0 3 0x4000082 thrsleep syz-execprog
19864 123535 98199 0 3 0x10008a sigsusp ksh
98199 30018 30015 0 3 0x9a kqread sshd
83202 117659 1 0 3 0x100083 ttyin getty
30015 59992 1 0 3 0x88 kqread sshd
98355 114048 28777 74 3 0x100092 bpf pflogd
28777 411607 1 0 3 0x80 netio pflogd
21095 208952 43554 73 3 0x100090 kqread syslogd
43554 425079 1 0 3 0x100082 netio syslogd
14294 55514 1 0 3 0x100080 kqread resolvd
81344 389447 93014 77 3 0x100092 kqread dhcpleased
65200 14980 93014 77 3 0x100092 kqread dhcpleased
93014 332466 1 0 3 0x80 kqread dhcpleased
20923 56435 0 0 3 0x14200 bored smr
66898 418965 0 0 2 0x14200 zerothread
36896 487104 0 0 3 0x14200 aiodoned aiodoned
31693 216463 0 0 3 0x14200 syncer update
37736 399475 0 0 3 0x14200 cleaner cleaner
92469 145268 0 0 3 0x14200 reaper reaper
22821 446567 0 0 3 0x14200 pgdaemon pagedaemon
23615 322525 0 0 3 0x14200 bored viomb
47384 384396 0 0 3 0x40014200 acpi0 acpi0
82652 339047 0 0 3 0x40014200 idle1
44765 142270 0 0 3 0x14200 bored softnet
56027 425563 0 0 3 0x14200 bored systqmp
61561 505779 0 0 3 0x14200 bored systq
45915 176002 0 0 3 0x40014200 bored softclock
85459 203260 0 0 3 0x40014200 idle0
1 54594 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
CPU 1:
exclusive mutex &ifq->ifq_mtx r = 0 (0xffff800000bffad8)
#0 witness_lock+0x44d
#1 mtx_enter_try+0x100
#2 mtx_enter+0x4b sys/kern/kern_lock.c:266
#3 ifq_enqueue+0x34 sys/net/ifq.c:365
#4 tun_enqueue+0x3a sys/net/if_tun.c:615
#5 ether_output+0xb7 sys/net/if_ethersubr.c:358
#6 ip6_output+0x195c sys/netinet6/ip6_output.c:706
#7 nd6_ns_output+0x579 icmp6stat_inc sys/netinet/icmp6.h:584 [inline]
#7 nd6_ns_output+0x579 sys/netinet6/nd6_nbr.c:539
#8 nd6_dad_start+0x341 nd6_dad_ns_output sys/netinet6/nd6_nbr.c:1318 [inline]
#8 nd6_dad_start+0x341 sys/netinet6/nd6_nbr.c:1132
#9 in6_ioctl_change_ifaddr+0x54f sys/netinet6/in6.c:339
#10 ifioctl+0xdf4 sys/net/if.c:2261
#11 soo_ioctl+0x26c
#12 sys_ioctl+0x4a2
#13 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#13 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#14 Xsyscall+0x128
Process 17733 (ifconfig) thread 0xffff8000212b6a90 (102370)
exclusive rwlock netlock r = 0 (0xffffffff828e4ab0)
#0 witness_lock+0x44d
#1 in6_ioctl_change_ifaddr+0xba
#2 ifioctl+0xdf4 sys/net/if.c:2261
#3 soo_ioctl+0x26c
#4 sys_ioctl+0x4a2
#5 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#5 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#6 Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82a3d4a8)
#0 witness_lock+0x44d
#1 soo_ioctl+0x25a sys/kern/sys_socket.c:136
#2 sys_ioctl+0x4a2
#3 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#3 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#4 Xsyscall+0x128
exclusive mutex &ifq->ifq_mtx r = 0 (0xffff800000bffad8)
#0 witness_lock+0x44d
#1 mtx_enter_try+0x100
#2 mtx_enter+0x4b sys/kern/kern_lock.c:266
#3 ifq_enqueue+0x34 sys/net/ifq.c:365
#4 tun_enqueue+0x3a sys/net/if_tun.c:615
#5 ether_output+0xb7 sys/net/if_ethersubr.c:358
#6 ip6_output+0x195c sys/netinet6/ip6_output.c:706
#7 nd6_ns_output+0x579 icmp6stat_inc sys/netinet/icmp6.h:584 [inline]
#7 nd6_ns_output+0x579 sys/netinet6/nd6_nbr.c:539
#8 nd6_dad_start+0x341 nd6_dad_ns_output sys/netinet6/nd6_nbr.c:1318 [inline]
#8 nd6_dad_start+0x341 sys/netinet6/nd6_nbr.c:1132
#9 in6_ioctl_change_ifaddr+0x54f sys/netinet6/in6.c:339
#10 ifioctl+0xdf4 sys/net/if.c:2261
#11 soo_ioctl+0x26c
#12 sys_ioctl+0x4a2
#13 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#13 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#14 Xsyscall+0x128
Process 7267 (syz-executor.0) thread 0xffff8000ffff5500 (250687)
exclusive rrwlock inode r = 0 (0xfffffd806c62a5f8)
#0 witness_lock+0x44d
#1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2 rrw_enter+0x8b sys/kern/kern_rwlock.c:461
#3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:534
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:579
#5 vget+0x1d3 sys/kern/vfs_subr.c:677
#6 ufs_ihashget+0x121 sys/ufs/ufs/ufs_ihash.c:119
#7 ffs_vget+0x7c sys/ufs/ffs/ffs_vfsops.c:1318
#8 ufs_lookup+0x13ba sys/ufs/ufs/ufs_lookup.c:487
#9 VOP_LOOKUP+0x58 sys/kern/vfs_vops.c:85
#10 vfs_lookup+0x6e5 sys/kern/vfs_lookup.c:561
#11 namei+0x36a sys/kern/vfs_lookup.c:245
#12 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1849
#13 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#13 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#14 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd806c384810)
#0 witness_lock+0x44d
#1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2 rrw_enter+0x8b sys/kern/kern_rwlock.c:461
#3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:534
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:579
#5 vfs_lookup+0xd1 sys/kern/vfs_lookup.c:413
#6 namei+0x36a sys/kern/vfs_lookup.c:245
#7 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1849
#8 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#8 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#9 Xsyscall+0x128
Process 87293 (syz-executor.4) thread 0xffff8000ffff4fc0 (220595)
exclusive rrwlock inode r = 0 (0xfffffd806c62a708)
#0 witness_lock+0x44d
#1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2 rrw_enter+0x8b sys/kern/kern_rwlock.c:461
#3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:534
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:579
#5 vget+0x1d3 sys/kern/vfs_subr.c:677
#6 ufs_ihashget+0x121 sys/ufs/ufs/ufs_ihash.c:119
#7 ffs_vget+0x7c sys/ufs/ffs/ffs_vfsops.c:1318
#8 ufs_lookup+0x13ba sys/ufs/ufs/ufs_lookup.c:487
#9 VOP_LOOKUP+0x58 sys/kern/vfs_vops.c:85
#10 vfs_lookup+0x6e5 sys/kern/vfs_lookup.c:561
#11 namei+0x36a sys/kern/vfs_lookup.c:245
#12 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1849
#13 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#13 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#14 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd806c384920)
#0 witness_lock+0x44d
#1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2 rrw_enter+0x8b sys/kern/kern_rwlock.c:461
#3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:534
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:579
#5 vfs_lookup+0xd1 sys/kern/vfs_lookup.c:413
#6 namei+0x36a sys/kern/vfs_lookup.c:245
#7 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1849
#8 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#8 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#9 Xsyscall+0x128
ddb{1}> show malloc
ddb{1}> show all pools
ddb{1}> machine ddbcpu 0
Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp
x86_ipi_db(ffffffff8291fff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__mp_lock(ffffffff82a3d2a0) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82a3d2a0) at __mp_lock+0x122 sys/kern/kern_lock.c:147
intr_handler(ffff8000212e4360,ffff80000004ad00) at intr_handler+0x5e sys/arch/amd64/amd64/intr.c:532
Xintr_ioapic_edge21_untramp() at Xintr_ioapic_edge21_untramp+0x18f
__mp_lock(ffffffff82a3d2a0) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82a3d2a0) at __mp_lock+0x122 sys/kern/kern_lock.c:147
syscall(ffff8000212e4530) at syscall+0x3ef mi_syscall sys/sys/syscall_mi.h:93 [inline]
syscall(ffff8000212e4530) at syscall+0x3ef sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffdc590, count: 6
ddb{0}> trace
x86_ipi_db(ffffffff8291fff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__mp_lock(ffffffff82a3d2a0) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82a3d2a0) at __mp_lock+0x122 sys/kern/kern_lock.c:147
intr_handler(ffff8000212e4360,ffff80000004ad00) at intr_handler+0x5e sys/arch/amd64/amd64/intr.c:532
Xintr_ioapic_edge21_untramp() at Xintr_ioapic_edge21_untramp+0x18f
__mp_lock(ffffffff82a3d2a0) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82a3d2a0) at __mp_lock+0x122 sys/kern/kern_lock.c:147
syscall(ffff8000212e4530) at syscall+0x3ef mi_syscall sys/sys/syscall_mi.h:93 [inline]
syscall(ffff8000212e4530) at syscall+0x3ef sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffdc590, count: -9
ddb{0}> machine ddbcpu 1
Stopped at db_enter+0x18: addq $0x8,%rsp
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825739a5) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff825e91ae,ffffffff825cdabe,35a,ffffffff82591901) at __assert+0x25 sys/kern/subr_prf.c:161
priq_enq(ffff800000bffab0,fffffd80761e0200) at priq_enq+0x2ae sys/net/ifq.c:858
ifq_enqueue(ffff800000bffab0,fffffd80761e0200) at ifq_enqueue+0x48 sys/net/ifq.c:365
tun_enqueue(ffff800000bff800,fffffd80761e0200) at tun_enqueue+0x3a sys/net/if_tun.c:615
ether_output(ffff800000bff800,fffffd80761e0200,ffff800021314588,0) at ether_output+0xb7 sys/net/if_ethersubr.c:358
ip6_output(fffffd80761e0200,0,0,1,ffff800021314728,0) at ip6_output+0x195c sys/netinet6/ip6_output.c:706
nd6_ns_output(ffff800000bff800,0,ffff800000bf2b48,0,1) at nd6_ns_output+0x579 icmp6stat_inc sys/netinet/icmp6.h:584 [inline]
nd6_ns_output(ffff800000bff800,0,ffff800000bf2b48,0,1) at nd6_ns_output+0x579 sys/netinet6/nd6_nbr.c:539
nd6_dad_start(ffff800000bf2b00) at nd6_dad_start+0x341 nd6_dad_ns_output sys/netinet6/nd6_nbr.c:1318 [inline]
nd6_dad_start(ffff800000bf2b00) at nd6_dad_start+0x341 sys/netinet6/nd6_nbr.c:1132
in6_ioctl_change_ifaddr(8080691a,ffff800021314a40,ffff800000bff800) at in6_ioctl_change_ifaddr+0x54f sys/netinet6/in6.c:339
ifioctl(fffffd806d5ff798,8080691a,ffff800021314a40,ffff8000212b6a90) at ifioctl+0xdf4 sys/net/if.c:2261
soo_ioctl(fffffd806a1b0b48,8080691a,ffff800021314a40,ffff8000212b6a90) at soo_ioctl+0x26c
sys_ioctl(ffff8000212b6a90,ffff800021314b50,ffff800021314bb0) at sys_ioctl+0x4a2
end trace frame: 0xffff800021314c10, count: 0
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825739a5) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff825e91ae,ffffffff825cdabe,35a,ffffffff82591901) at __assert+0x25 sys/kern/subr_prf.c:161
priq_enq(ffff800000bffab0,fffffd80761e0200) at priq_enq+0x2ae sys/net/ifq.c:858
ifq_enqueue(ffff800000bffab0,fffffd80761e0200) at ifq_enqueue+0x48 sys/net/ifq.c:365
tun_enqueue(ffff800000bff800,fffffd80761e0200) at tun_enqueue+0x3a sys/net/if_tun.c:615
ether_output(ffff800000bff800,fffffd80761e0200,ffff800021314588,0) at ether_output+0xb7 sys/net/if_ethersubr.c:358
ip6_output(fffffd80761e0200,0,0,1,ffff800021314728,0) at ip6_output+0x195c sys/netinet6/ip6_output.c:706
nd6_ns_output(ffff800000bff800,0,ffff800000bf2b48,0,1) at nd6_ns_output+0x579 icmp6stat_inc sys/netinet/icmp6.h:584 [inline]
nd6_ns_output(ffff800000bff800,0,ffff800000bf2b48,0,1) at nd6_ns_output+0x579 sys/netinet6/nd6_nbr.c:539
nd6_dad_start(ffff800000bf2b00) at nd6_dad_start+0x341 nd6_dad_ns_output sys/netinet6/nd6_nbr.c:1318 [inline]
nd6_dad_start(ffff800000bf2b00) at nd6_dad_start+0x341 sys/netinet6/nd6_nbr.c:1132
in6_ioctl_change_ifaddr(8080691a,ffff800021314a40,ffff800000bff800) at in6_ioctl_change_ifaddr+0x54f sys/netinet6/in6.c:339
ifioctl(fffffd806d5ff798,8080691a,ffff800021314a40,ffff8000212b6a90) at ifioctl+0xdf4 sys/net/if.c:2261
soo_ioctl(fffffd806a1b0b48,8080691a,ffff800021314a40,ffff8000212b6a90) at soo_ioctl+0x26c
sys_ioctl(ffff8000212b6a90,ffff800021314b50,ffff800021314bb0) at sys_ioctl+0x4a2
syscall(ffff800021314c20) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800021314c20) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffc25c0, count: -16
ddb{1}>

Greg Steuck

Feb 11, 2022, 11:04:20 PM2/11/22
to syzbot, d...@openbsd.org, 'Dmitry Vyukov' via syzkaller-openbsd-bugs
I reproduced this locally. A manually converted reproducer (attached) when running in a loop eventually crashes the kernel.

David, since you added the assert, maybe you'll know what's going on?



--
nest.cx is Gmail hosted, use PGP: https://pgp.key-server.io/0x0B1542BD8DF5A1B0
Fingerprint: 5E2B 2D0E 1E03 2046 BEC3  4D50 0B15 42BD 8DF5 A1B0
a8f8e24a44b441e71d93.c

d...@openbsd.org

Feb 11, 2022, 11:54:48 PM2/11/22
to Greg Steuck, syzbot, 'Dmitry Vyukov' via syzkaller-openbsd-bugs


> On 12 Feb 2022, at 2:04 pm, Greg Steuck <gr...@nest.cx> wrote:
>
> I reproduced this locally. A manually converted reproducer (attached) when running in a loop eventually crashes the kernel.
>
> David, since you added the assert, maybe you'll know what's going on?

I know as much as you about the actual problem at the moment, but I can give some context on what the KASSERT is about: packets have a priority value associated with them as they move through the kernel. That prio value is from 0 to 7 inclusive, where 0 means low priority and 7 is high priority.

This is especially important in the priq (priority queue) code that sits between the network stack and the transmit code in network interface drivers (eg, tun/tap). The priq code has 8 lists (buckets?) for mbufs, one for each priority level. The KASSERT makes sure the mbuf prio value is within the valid range before using it to pick a list to put the mbuf on.

For short packets the metadata (ie, struct pkthdr, which includes the prio) and data are contained in a single mbuf. My guess is some data is being added to a packet badly and manages to overwrite the prio field. That's just a guess though.
> <a8f8e24a44b441e71d93.c>
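The mechanism dlg@ describes, as an added example that is not OpenBSD's code: a packet's prio picks one of IFQ_MAXPRIO + 1 lists, so the only thing between an out-of-range value and an out-of-bounds index is a check before the value is used. rule_copyin and apply_and_enqueue are hypothetical helpers and the PFSTATE_SETPRIO value is constructed; the check in rule_copyin mirrors the one the pf_ioctl.c diff later in this thread moves into pf_rule_copyin.

```c
#include <errno.h>
#include <stdint.h>

#define IFQ_MAXPRIO	7
#define IFQ_NQUEUES	(IFQ_MAXPRIO + 1)
#define PFSTATE_SETPRIO	0x01	/* constructed flag value, not OpenBSD's */

/* Models m->m_pkthdr.pf.prio: a small field inside the packet header. */
struct mbuf { struct { struct { uint8_t prio; } pf; } m_pkthdr; };
/* priq: one list per priority level, picked by indexing with prio. */
struct priq { int count[IFQ_NQUEUES]; };
/* The parts of struct pf_rule the check cares about. */
struct rule { unsigned scrub_flags; uint8_t set_prio[2]; };

/* Stand-in for priq_enq: the KASSERT becomes an error return, so an
 * out-of-range prio never indexes past count[]. Returns the list used. */
int
priq_enq(struct priq *pq, struct mbuf *m)
{
	unsigned prio = m->m_pkthdr.pf.prio;
	if (prio > IFQ_MAXPRIO)
		return -1;	/* the kernel panics here instead */
	pq->count[prio]++;
	return (int)prio;
}

/* Hypothetical copyin: reject a bad set_prio at the userland boundary,
 * mirroring the check the pf_ioctl.c diff adds to pf_rule_copyin. */
int
rule_copyin(const struct rule *from, struct rule *to)
{
	if ((from->scrub_flags & PFSTATE_SETPRIO) &&
	    (from->set_prio[0] > IFQ_MAXPRIO ||
	     from->set_prio[1] > IFQ_MAXPRIO))
		return EINVAL;
	*to = *from;
	return 0;
}

/* Apply an accepted rule's prio to a packet and enqueue it. */
int
apply_and_enqueue(const struct rule *r, struct priq *pq, struct mbuf *m)
{
	if (r->scrub_flags & PFSTATE_SETPRIO)
		m->m_pkthdr.pf.prio = r->set_prio[0];
	return priq_enq(pq, m);
}
```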

David Gwynne

Feb 13, 2022, 10:27:09 PM2/13/22
to d...@openbsd.org, Greg Steuck, syzbot, 'Dmitry Vyukov' via syzkaller-openbsd-bugs
I think this fixes the fire that was making the smoke.

Index: pf_ioctl.c
===================================================================
RCS file: /cvs/src/sys/net/pf_ioctl.c,v
retrieving revision 1.372
diff -u -p -r1.372 pf_ioctl.c
--- pf_ioctl.c 9 Feb 2022 11:42:58 -0000 1.372
+++ pf_ioctl.c 14 Feb 2022 03:22:44 -0000
@@ -1370,15 +1370,6 @@ pfioctl(dev_t dev, u_long cmd, caddr_t a
break;
}

- if (rule->scrub_flags & PFSTATE_SETPRIO &&
- (rule->set_prio[0] > IFQ_MAXPRIO ||
- rule->set_prio[1] > IFQ_MAXPRIO)) {
- error = EINVAL;
- pf_rule_free(rule);
- rule = NULL;
- break;
- }
-
NET_LOCK();
PF_LOCK();
pr->anchor[sizeof(pr->anchor) - 1] = '\0';
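Review bot: dropping this check from the DIOCADDRULE path is only safe if `rule` at this point has always been filled in through pf_rule_copyin; the hunk does not show where `rule` comes from, so the commit message should state that no other path populates it, otherwise an out-of-range set_prio is now accepted here. The removed block also did `pf_rule_free(rule); rule = NULL;` on EINVAL, so the caller of pf_rule_copyin needs the same cleanup on its new error return.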
@@ -3070,6 +3061,11 @@ int
pf_rule_copyin(struct pf_rule *from, struct pf_rule *to)
{
int i;
+
+ if (from->scrub_flags & PFSTATE_SETPRIO &&
+ (from->set_prio[0] > IFQ_MAXPRIO ||
+ from->set_prio[1] > IFQ_MAXPRIO))
+ return (EINVAL);

to->src = from->src;
to->src.addr.p.tbl = NULL;
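Review bot: the check runs before any field is copied, so `to` is left untouched on EINVAL, which is the right order; the remaining risk is a caller of pf_rule_copyin that ignores the return value and keeps using an unvalidated rule, so every caller should be checked for propagating the new EINVAL. A short comment above the check noting that priq_enq indexes its per-priority lists by this value (hence the IFQ_MAXPRIO bound) would make the intent clear, and `(from->scrub_flags & PFSTATE_SETPRIO) &&` with explicit parentheses reads more clearly than relying on `&` binding tighter than `&&`.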