panic: broken type ref (2)


syzbot

May 15, 2020, 5:32:14 PM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 435df798 drm/amdgpu: Change VCE booting with firmware load..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1521e43c100000
kernel config: https://syzkaller.appspot.com/x/.config?x=bf87b6915a88cd0d
dashboard link: https://syzkaller.appspot.com/bug?extid=dca384550d60d2d43a22

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+dca384...@syzkaller.appspotmail.com

panic: broken type ref

goroutine 24 [running]:
github.com/google/syzkaller/prog.ArgCommon.Type(...)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/prog.go:39
github.com/google/syzkaller/prog.(*ConstArg).Size(0xc002a78150, 0xc002a78150)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/prog.go:59 +0xed
github.com/google/syzkaller/prog.foreachArgImpl(0x9b0760, 0xc0024dc160, 0xc0024a3d68, 0xd35020, 0x7, 0x7, 0xc002a714d0, 0x200, 0x0, 0xc001d9f2e8)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/analysis.go:140 +0x2bb
github.com/google/syzkaller/prog.foreachArgImpl(0x9b0760, 0xc0024dc060, 0xc0024a3d68, 0xd35020, 0x7, 0x7, 0xc002a714d0, 0x158, 0x0, 0xc001d9f2e8)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/analysis.go:139 +0x2a4
github.com/google/syzkaller/prog.foreachArgImpl(0x9b0760, 0xc0024a3d60, 0xc0024a3d28, 0xcc8a60, 0x4, 0x4, 0xc002a714d0, 0x10, 0x0, 0xc001d9f2e8)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/analysis.go:139 +0x2a4
github.com/google/syzkaller/prog.foreachArgImpl(0x9b0760, 0xc0024a3d20, 0xc002a77348, 0xcbf6a0, 0x3, 0x3, 0xc002a714d0, 0x0, 0x0, 0xc001d9f2e8)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/analysis.go:139 +0x2a4
github.com/google/syzkaller/prog.foreachArgImpl(0x9b07a0, 0xc002a714d0, 0xc002a77348, 0xcbf6a0, 0x3, 0x3, 0x0, 0x0, 0x0, 0xc001d9f2e8)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/analysis.go:154 +0x646
github.com/google/syzkaller/prog.ForeachArg(0xc002a77340, 0xc001d9f2e8)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/analysis.go:122 +0x112
github.com/google/syzkaller/prog.getCompatibleResources(0xc002a77300, 0x8fe62f, 0xb, 0xc00267fba0, 0x0, 0x0, 0x0)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:898 +0xb9
github.com/google/syzkaller/prog.(*randGen).resourceCentric(0xc00267fba0, 0xc0000899a0, 0xca88e0, 0x0, 0x897400, 0x1, 0xc001ef7720, 0xc001d9f4f0, 0x792919)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:846 +0xfe
github.com/google/syzkaller/prog.(*ResourceType).generate(0xca88e0, 0xc00267fba0, 0xc0000899a0, 0x0, 0x9b06e0, 0xc001ef7720, 0x0, 0x0, 0x0)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:675 +0x27c
github.com/google/syzkaller/prog.(*randGen).generateArgImpl(0xc00267fba0, 0xc0000899a0, 0x9b6a80, 0xca88e0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:664 +0x450
github.com/google/syzkaller/prog.(*randGen).generateArg(...)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:614
github.com/google/syzkaller/prog.(*randGen).generateArgs(0xc00267fba0, 0xc0000899a0, 0xd36f80, 0xc, 0xc, 0xaaaaaaaaaaaaaa00, 0x38, 0x8, 0x7, 0x8, ...)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:602 +0x116
github.com/google/syzkaller/prog.(*StructType).generate(0xcb1fa0, 0xc00267fba0, 0xc0000899a0, 0x0, 0xd6efe0, 0x40be26, 0xc001c8e600, 0x20, 0x20)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:786 +0x7c
github.com/google/syzkaller/prog.(*randGen).generateArgImpl(0xc00267fba0, 0xc0000899a0, 0x9b6b40, 0xcb1fa0, 0x760000, 0x0, 0x0, 0x0, 0x0, 0x0)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:664 +0x450
github.com/google/syzkaller/prog.(*randGen).generateArg(...)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:614
github.com/google/syzkaller/prog.(*randGen).generateArgs(0xc00267fba0, 0xc0000899a0, 0xcb2120, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:602 +0x116
github.com/google/syzkaller/prog.(*StructType).generate(0xcb20e0, 0xc00267fba0, 0xc0000899a0, 0x0, 0xd6efe0, 0x78b7c1, 0xc00267f8c0, 0x32, 0x2)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:786 +0x7c
github.com/google/syzkaller/prog.(*randGen).generateArgImpl(0xc00267fba0, 0xc0000899a0, 0x9b6b40, 0xcb20e0, 0xd60000, 0x0, 0x0, 0x0, 0x0, 0x0)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:664 +0x450
github.com/google/syzkaller/prog.(*randGen).generateArg(...)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:614
github.com/google/syzkaller/prog.(*UnionType).mutate(0xcab520, 0xc00267fba0, 0xc0000899a0, 0x9b0820, 0xc00267fa40, 0xc00267f908, 0xcb0f20, 0x2, 0x2, 0xc001820420, ...)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/mutation.go:474 +0x178
github.com/google/syzkaller/prog.(*Target).mutateArg(0xc0000e0000, 0xc00267fba0, 0xc0000899a0, 0x9b0820, 0xc00267fa40, 0xc00267f908, 0xcb0f20, 0x2, 0x2, 0xc001820420, ...)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/mutation.go:246 +0xe3
github.com/google/syzkaller/prog.(*mutator).mutateArg(0xc001d9fec0, 0xa)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/mutation.go:183 +0x322
github.com/google/syzkaller/prog.(*Prog).Mutate(0xc001c04d00, 0x9a9c20, 0xc001820f60, 0x14, 0xc0017e6f80, 0xc002276000, 0x2070, 0x2400)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/mutation.go:47 +0x32c
main.(*Proc).loop(0xc0017e6fc0)
/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/proc.go:95 +0x434
created by main.main
/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/fuzzer.go:258 +0x1155


OpenBSD/amd64 (ci-openbsd-multicore-1.c.syzkaller.internal) (tty00)

login: uvm_fault(0xfffffd807f000cf0, 0x20b, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at in_delmulti+0x8d: movl 0xc(%r14),%r15d
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
kernel page fault
uvm_fault(0xfffffd807f000cf0, 0x20b, 0, 1) -> e
in_delmulti(1ff) at in_delmulti+0x8d sys/netinet/in.c:914
end trace frame: 0xffff800020f6abf0, count: 0
ddb{0}> trace
in_delmulti(1ff) at in_delmulti+0x8d sys/netinet/in.c:914
in_purgeaddr(ffff800000a43300) at in_purgeaddr+0x156 sys/netinet/in.c:760
in_ifdetach(ffff8000009d6000) at in_ifdetach+0x74 sys/netinet/in.c:971
if_detach(ffff8000009d6000) at if_detach+0x140 sys/net/if.c:1149
tun_clone_destroy(ffff8000009d6000) at tun_clone_destroy+0x1f2 sys/net/if_tun.c:329
tun_dev_close(5d00,7) at tun_dev_close+0x160 sys/net/if_tun.c:480
spec_close(ffff800020f6add0) at spec_close+0x311 sys/kern/spec_vnops.c:555
VOP_CLOSE(fffffd806e36f4e8,7,fffffd807f7bf780,ffff800020e6dd48) at VOP_CLOSE+0xc0 sys/kern/vfs_vops.c:174
vn_closefile(fffffd80670a9570,ffff800020e6dd48) at vn_closefile+0xd7 vn_close sys/kern/vfs_vnops.c:298 [inline]
vn_closefile(fffffd80670a9570,ffff800020e6dd48) at vn_closefile+0xd7 sys/kern/vfs_vnops.c:614
fdrop(fffffd80670a9570,ffff800020e6dd48) at fdrop+0xc2 sys/kern/kern_descrip.c:1276
closef(fffffd80670a9570,ffff800020e6dd48) at closef+0x11c sys/kern/kern_descrip.c:1260
fdfree(ffff800020e6dd48) at fdfree+0x101 sys/kern/kern_descrip.c:1192
exit1(ffff800020e6dd48,0,d,1) at exit1+0x32c sys/kern/kern_exit.c:197
postsig(ffff800020e6dd48,d) at postsig+0x4ed sigexit sys/kern/kern_sig.c:1483 [inline]
postsig(ffff800020e6dd48,d) at postsig+0x4ed sys/kern/kern_sig.c:1415
userret(ffff800020e6dd48) at userret+0x199 sys/kern/kern_sig.c:1867
syscall(ffff800020f6b250) at syscall+0x55f mi_syscall_return sys/sys/syscall_mi.h:129 [inline]
syscall(ffff800020f6b250) at syscall+0x55f sys/arch/amd64/amd64/trap.c:592
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7fffff77b0, count: -17
ddb{0}> show registers
rdi 0x2
rsi 0
rbp 0xffff800020f6aba0
rbx 0
rdx 0xffff800020e6dd48
rcx 0
rax 0
r8 0xffffffff8189d363 rt_ifa_purge+0x153
r9 0x5
r10 0x2f
r11 0x6934d6d1a2809417
r12 0
r13 0x3
r14 0x1ff
r15 0x1
rip 0xffffffff81806b4d in_delmulti+0x8d
cs 0x8
rflags 0x10246 __ALIGN_SIZE+0xf246
rsp 0xffff800020f6ab40
ss 0x10
in_delmulti+0x8d: movl 0xc(%r14),%r15d
ddb{0}> show proc
PROC (syz-executor.0) pid=61864 stat=onproc
flags process=a<EXEC,EXITING,8ORPHAN> proc=2000<WEXIT>
pri=32, usrpri=77, nice=20
forw=0xffffffffffffffff, list=0xffff800020ed0c40,0xffff800020ec6778
process=0xffff800020e803e8 user=0xffff800020f66000, vmspace=0xfffffd807f000cf0
estcpu=36, cpticks=2, pctcpu=0.14
user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
17799 318900 0 0 3 0x14200 bored sosplice
86195 442598 51971 0 3 0x10008a pause ksh
51971 138374 53393 0 3 0x92 select sshd
49760 264584 1 0 3 0x100083 ttyin getty
53393 93157 1 0 3 0x80 select sshd
68335 440673 5567 74 3 0x100092 bpf pflogd
5567 239893 1 0 3 0x80 netio pflogd
68000 169206 78261 73 3 0x100090 kqread syslogd
78261 85728 1 0 3 0x100082 netio syslogd
52826 511488 1 77 2 0x100090 dhclient
45295 434679 1 0 3 0x80 poll dhclient
19650 49631 0 0 3 0x14200 bored smr
70157 448869 0 0 2 0x14200 zerothread
35588 438014 0 0 3 0x14200 aiodoned aiodoned
65007 377486 0 0 3 0x14200 syncer update
65522 498621 0 0 3 0x14200 cleaner cleaner
81993 168474 0 0 7 0x14200 reaper
89632 305932 0 0 3 0x14200 pgdaemon pagedaemon
85407 20899 0 0 3 0x14200 bored crynlk
84012 213567 0 0 3 0x14200 bored crypto
59046 19260 0 0 3 0x40014200 acpi0 acpi0
21858 45048 0 0 3 0x40014200 idle1
20417 231858 0 0 3 0x14200 bored softnet
63469 329929 0 0 2 0x14200 systqmp
45131 89504 0 0 3 0x14200 bored systq
90308 11833 0 0 3 0x40014200 bored softclock
14766 252816 0 0 3 0x40014200 idle0
1 394291 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 9505 6418K 6932K 78643K 11382 0
pcb 13 8K 8K 78643K 102 0
rtable 90 3K 4K 78643K 290 0
ifaddr 79 17K 17K 78643K 117 0
counters 43 33K 34K 78643K 51 0
ioctlops 0 0K 4K 78643K 1496 0
iov 0 0K 32K 78643K 57 0
mount 1 1K 1K 78643K 1 0
vnodes 1226 77K 77K 78643K 1498 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 5K 78643K 7 0
VM map 2 1K 1K 78643K 2 0
sem 12 0K 0K 78643K 71 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1824 197K 290K 78643K 13058 0
file desc 3 8K 25K 78643K 444 0
sigio 0 0K 0K 78643K 17 0
proc 61 63K 95K 78643K 483 0
subproc 14 0K 2K 78643K 34 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
ip_moptions 0 0K 0K 78643K 35 0
in_multi 86 3K 3K 78643K 148 0
ether_multi 1 0K 0K 78643K 17 0
mrt 0 0K 0K 78643K 10 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 61 281K 281K 78643K 61 0
exec 0 0K 1K 78643K 264 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 7 26K 26K 78643K 7 0
UVM amap 71 36K 48K 78643K 2450 0
UVM aobj 9 2K 2K 78643K 10 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
ip6_options 0 0K 0K 78643K 64 0
NDP 10 0K 0K 78643K 22 0
temp 108 3042K 3106K 78643K 4492 0
kqueue 2 2K 8K 78643K 13 0
SYN cache 2 16K 16K 78643K 2 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp 64 7 0 2 1 0 1 1 0 8 0
plcache 128 20 0 0 1 0 1 1 0 8 0
rtpcb 80 40 0 38 1 0 1 1 0 8 0
rtentry 112 67 0 32 2 0 2 2 0 8 0
unpcb 120 170 0 160 1 0 1 1 0 8 0
syncache 264 11 0 11 4 3 1 1 0 8 1
tcpqe 32 3 0 3 2 1 1 1 0 8 1
tcpcb 544 367 0 362 1 0 1 1 0 8 0
inpcb 280 741 0 733 3 1 2 2 0 8 1
rttmr 72 4 0 4 2 1 1 1 0 8 1
ip6q 72 1 0 1 1 1 0 1 0 8 0
ip6af 40 3 0 3 1 1 0 1 0 8 0
nd6 48 11 0 9 1 0 1 1 0 8 0
pkpcb 40 1 0 1 1 1 0 1 0 8 0
ppxss 1128 1 0 1 1 1 0 1 0 8 0
pffrag 232 2 0 2 1 1 0 1 0 482 0
pffrnode 88 2 0 2 1 1 0 1 0 8 0
pffrent 40 50 0 50 2 1 1 1 0 8 1
pfosfp 40 846 0 423 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfstitem 24 47 0 12 1 0 1 1 0 8 0
pfstkey 112 47 0 12 2 0 2 2 0 8 0
pfstate 328 47 0 12 3 0 3 3 0 8 0
pfrule 1360 21 0 16 2 1 1 2 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 305 0 143 13 2 11 13 0 8 0
art_table 32 306 0 143 2 0 2 2 0 8 0
art_node 16 66 0 29 1 0 1 1 0 8 0
sysvmsgpl 40 7 0 0 1 0 1 1 0 8 0
semapl 112 65 0 55 1 0 1 1 0 8 0
shmpl 112 8 0 1 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 2056 0 656 89 0 89 89 0 8 0
ffsino 272 2056 0 656 94 0 94 94 0 8 0
nchpl 144 2849 0 1253 60 0 60 60 0 8 0
uvmvnodes 72 2286 0 0 42 0 42 42 0 8 0
vnodes 208 2286 0 0 121 0 121 121 0 8 0
namei 1024 7919 0 7919 1 0 1 1 0 8 1
percpumem 16 36 0 4 1 0 1 1 0 8 0
vcpupl 1984 2 0 0 1 0 1 1 0 8 0
vmpool 560 5 0 3 2 1 1 1 0 8 0
scxspl 192 8800 0 8800 10 7 3 7 0 8 3
plimitpl 152 40 0 32 1 0 1 1 0 8 0
sigapl 424 660 0 630 4 0 4 4 0 8 0
futexpl 56 7802 0 7802 1 0 1 1 0 8 1
knotepl 112 74 0 69 1 0 1 1 0 8 0
kqueuepl 144 100 0 99 1 0 1 1 0 8 0
pipelkpl 48 152 0 144 1 0 1 1 0 8 0
pipepl 120 304 0 293 1 0 1 1 0 8 0
fdescpl 496 644 0 630 3 0 3 3 0 8 0
filepl 152 3989 0 3921 5 0 5 5 0 8 1
lockfpl 104 106 0 105 1 0 1 1 0 8 0
lockfspl 48 40 0 39 1 0 1 1 0 8 0
sessionpl 112 18 0 7 1 0 1 1 0 8 0
pgrppl 48 28 0 17 1 0 1 1 0 8 0
ucredpl 96 438 0 429 1 0 1 1 0 8 0
zombiepl 144 632 0 629 1 0 1 1 0 8 0
processpl 984 660 0 629 5 0 5 5 0 8 0
procpl 624 1654 0 1623 4 0 4 4 0 8 0
sosppl 128 11 0 11 2 1 1 1 0 8 1
sockpl 400 952 0 932 6 2 4 4 0 8 1
mcl64k 65536 7 0 0 1 0 1 1 0 8 0
mcl16k 16384 2 0 0 1 0 1 1 0 8 0
mcl12k 12288 4 0 0 1 0 1 1 0 8 0
mcl9k 9216 1 0 0 1 0 1 1 0 8 0
mcl8k 8192 3 0 0 1 0 1 1 0 8 0
mcl4k 4096 10 0 0 2 0 2 2 0 8 0
mcl2k2 2112 1 0 0 1 0 1 1 0 8 0
mcl2k 2048 161 0 0 20 0 20 20 0 8 1
mtagpl 80 42 0 0 1 0 1 1 0 8 0
mbufpl 256 277 0 0 15 0 15 15 0 8 0
bufpl 280 4339 0 139 300 0 300 300 0 8 0
anonpl 16 74737 0 73430 81 7 74 74 0 124 55
amapchunkpl 152 4395 0 4356 22 2 20 20 0 158 17
amappl16 192 3232 0 3214 60 21 39 50 0 8 31
amappl15 184 2 0 1 1 0 1 1 0 8 0
amappl14 176 32 0 28 1 0 1 1 0 8 0
amappl13 168 36 0 34 1 0 1 1 0 8 0
amappl12 160 8 0 6 2 1 1 1 0 8 0
amappl11 152 56 0 41 1 0 1 1 0 8 0
amappl10 144 216 0 212 1 0 1 1 0 8 0
amappl9 136 597 0 595 1 0 1 1 0 8 0
amappl8 128 562 0 561 2 0 2 2 0 8 1
amappl7 120 313 0 305 1 0 1 1 0 8 0
amappl6 112 23 0 23 1 0 1 1 0 8 1
amappl5 104 549 0 532 1 0 1 1 0 8 0
amappl4 96 491 0 468 1 0 1 1 0 8 0
amappl3 88 110 0 105 1 0 1 1 0 8 0
amappl2 80 4226 0 4168 2 0 2 2 0 8 0
amappl1 72 23817 0 23390 23 13 10 18 0 8 0
amappl 80 1913 0 1888 2 0 2 2 0 84 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 64 9 0 1 1 0 1 1 0 8 0
uaddrrnd 24 649 0 633 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 649 0 633 1 0 1 1 0 8 0
vmmpekpl 168 8889 0 8857 2 0 2 2 0 8 0
vmmpepl 168 86023 0 85066 119 19 100 105 0 357 44
vmsppl 368 648 0 632 2 0 2 2 0 8 0
pdppl 4096 1306 0 1266 6 0 6 6 0 8 0
pvpl 32 243419 0 240280 184 6 178 178 0 265 119
pmappl 232 648 0 632 3 1 2 2 0 8 1
extentpl 40 53 0 36 1 0 1 1 0 8 0
phpool 112 264 0 7 8 0 8 8 0 8 0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
in_delmulti(1ff) at in_delmulti+0x8d sys/netinet/in.c:914
in_purgeaddr(ffff800000a43300) at in_purgeaddr+0x156 sys/netinet/in.c:760
in_ifdetach(ffff8000009d6000) at in_ifdetach+0x74 sys/netinet/in.c:971
if_detach(ffff8000009d6000) at if_detach+0x140 sys/net/if.c:1149
tun_clone_destroy(ffff8000009d6000) at tun_clone_destroy+0x1f2 sys/net/if_tun.c:329
tun_dev_close(5d00,7) at tun_dev_close+0x160 sys/net/if_tun.c:480
spec_close(ffff800020f6add0) at spec_close+0x311 sys/kern/spec_vnops.c:555
VOP_CLOSE(fffffd806e36f4e8,7,fffffd807f7bf780,ffff800020e6dd48) at VOP_CLOSE+0xc0 sys/kern/vfs_vops.c:174
vn_closefile(fffffd80670a9570,ffff800020e6dd48) at vn_closefile+0xd7 vn_close sys/kern/vfs_vnops.c:298 [inline]
vn_closefile(fffffd80670a9570,ffff800020e6dd48) at vn_closefile+0xd7 sys/kern/vfs_vnops.c:614
fdrop(fffffd80670a9570,ffff800020e6dd48) at fdrop+0xc2 sys/kern/kern_descrip.c:1276
closef(fffffd80670a9570,ffff800020e6dd48) at closef+0x11c sys/kern/kern_descrip.c:1260
fdfree(ffff800020e6dd48) at fdfree+0x101 sys/kern/kern_descrip.c:1192
exit1(ffff800020e6dd48,0,d,1) at exit1+0x32c sys/kern/kern_exit.c:197
postsig(ffff800020e6dd48,d) at postsig+0x4ed sigexit sys/kern/kern_sig.c:1483 [inline]
postsig(ffff800020e6dd48,d) at postsig+0x4ed sys/kern/kern_sig.c:1415
userret(ffff800020e6dd48) at userret+0x199 sys/kern/kern_sig.c:1867
syscall(ffff800020f6b250) at syscall+0x55f mi_syscall_return sys/sys/syscall_mi.h:129 [inline]
syscall(ffff800020f6b250) at syscall+0x55f sys/arch/amd64/amd64/trap.c:592
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7fffff77b0, count: -17
ddb{0}> machine ddbcpu 1
Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp
ddb{1}> trace
x86_ipi_db(ffff800020e00ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:352
x86_ipi_handler() at x86_ipi_handler+0xc6 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__sanitizer_cov_trace_cmp4(ffffffff82667c28,ffffffff82667c28) at __sanitizer_cov_trace_cmp4+0xb sys/dev/kcov.c:169
uvm_map_teardown(fffffd806e94a738) at uvm_map_teardown+0x261 sys/uvm/uvm_map.c:2759
uvmspace_free(fffffd806e94a738) at uvmspace_free+0x86 sys/uvm/uvm_map.c:3646
uvm_exit(ffff800020ec9728) at uvm_exit+0x29 sys/uvm/uvm_glue.c:297
reaper(ffff800020e19380) at reaper+0x189 sys/kern/kern_exit.c:456
end trace frame: 0x0, count: -8


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Greg Steuck

May 15, 2020, 5:37:05 PM
to syzbot, syzkaller-o...@googlegroups.com
#syz dup: uvm_fault: in_delmulti



--
nest.cx is Gmail hosted, use PGP: https://pgp.key-server.io/0x0B1542BD8DF5A1B0
Fingerprint: 5E2B 2D0E 1E03 2046 BEC3 4D50 0B15 42BD 8DF5 A1B0