panic: m_copydata: null mbpuafn


syzbot

Nov 7, 2019, 8:09:10 AM11/7/19
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: b50d7ae0 Remove half way implemented address and defau..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=11f47294e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=26ca0a9c07f16a3a
dashboard link: https://syzkaller.appspot.com/bug?extid=b7c953ceea026e17a6da

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b7c953...@syzkaller.appspotmail.com

panic: m_copydata: null mbuf
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
286114 5653 0 0 0x4000000 1 syz-executor.0
*439894 8057 0 0x14000 0x200 0 softnet
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
m_copydata(fffffd8061ea2900,6f8,8,fffffd80690a9220) at m_copydata+0x17e
m_getptr sys/kern/uipc_mbuf.c:1031 [inline]
m_copydata(fffffd8061ea2900,6f8,8,fffffd80690a9220) at m_copydata+0x17e
sys/kern/uipc_mbuf.c:722
ip6_pullexthdr(fffffd8061ea2900,6f8,0) at ip6_pullexthdr+0x16f
sys/netinet6/ip6_input.c:1149
ip6_savecontrol(fffffd806f6d1118,fffffd8061ea2900,ffff800020a36e40) at
ip6_savecontrol+0x373 sys/netinet6/ip6_input.c:1036
rip6_input(ffff800020a37098,ffff800020a370a4,0,18) at rip6_input+0x50b
sys/netinet6/raw_ip6.c:206
ip_deliver(ffff800020a37098,ffff800020a370a4,0,18) at ip_deliver+0x353
sys/netinet/ip_input.c:665
ip6_input_if(ffff800020a37098,ffff800020a370a4,29,0,ffff80000066d000) at
ip6_input_if+0x17cb ip6_ours sys/netinet6/ip6_input.c:518 [inline]
ip6_input_if(ffff800020a37098,ffff800020a370a4,29,0,ffff80000066d000) at
ip6_input_if+0x17cb sys/netinet6/ip6_input.c:340
ipv6_input(ffff80000066d000,fffffd8065fb1900) at ipv6_input+0x48
sys/netinet6/ip6_input.c:171
if_input_local(ffff80000066d000,fffffd8065fb1900,18) at
if_input_local+0x121 sys/net/if.c:783
loinput(ffff80000066d000,fffffd8065fb1900,0) at loinput+0x4f
sys/net/if_loop.c:235
if_input_process(ffff80000066d000,ffff800020a37208) at
if_input_process+0xfb if_ih_input sys/net/if.c:912 [inline]
if_input_process(ffff80000066d000,ffff800020a37208) at
if_input_process+0xfb sys/net/if.c:946
ifiq_process(ffff80000066d3f0) at ifiq_process+0x80 sys/net/ifq.c:607
taskq_thread(ffff800000023080) at taskq_thread+0x9c sys/kern/kern_task.c:368
end trace frame: 0x0, count: 1
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
m_copydata: null mbuf
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
m_copydata(fffffd8061ea2900,6f8,8,fffffd80690a9220) at m_copydata+0x17e
m_getptr sys/kern/uipc_mbuf.c:1031 [inline]
m_copydata(fffffd8061ea2900,6f8,8,fffffd80690a9220) at m_copydata+0x17e
sys/kern/uipc_mbuf.c:722
ip6_pullexthdr(fffffd8061ea2900,6f8,0) at ip6_pullexthdr+0x16f
sys/netinet6/ip6_input.c:1149
ip6_savecontrol(fffffd806f6d1118,fffffd8061ea2900,ffff800020a36e40) at
ip6_savecontrol+0x373 sys/netinet6/ip6_input.c:1036
rip6_input(ffff800020a37098,ffff800020a370a4,0,18) at rip6_input+0x50b
sys/netinet6/raw_ip6.c:206
ip_deliver(ffff800020a37098,ffff800020a370a4,0,18) at ip_deliver+0x353
sys/netinet/ip_input.c:665
ip6_input_if(ffff800020a37098,ffff800020a370a4,29,0,ffff80000066d000) at
ip6_input_if+0x17cb ip6_ours sys/netinet6/ip6_input.c:518 [inline]
ip6_input_if(ffff800020a37098,ffff800020a370a4,29,0,ffff80000066d000) at
ip6_input_if+0x17cb sys/netinet6/ip6_input.c:340
ipv6_input(ffff80000066d000,fffffd8065fb1900) at ipv6_input+0x48
sys/netinet6/ip6_input.c:171
if_input_local(ffff80000066d000,fffffd8065fb1900,18) at
if_input_local+0x121 sys/net/if.c:783
loinput(ffff80000066d000,fffffd8065fb1900,0) at loinput+0x4f
sys/net/if_loop.c:235
if_input_process(ffff80000066d000,ffff800020a37208) at
if_input_process+0xfb if_ih_input sys/net/if.c:912 [inline]
if_input_process(ffff80000066d000,ffff800020a37208) at
if_input_process+0xfb sys/net/if.c:946
ifiq_process(ffff80000066d3f0) at ifiq_process+0x80 sys/net/ifq.c:607
taskq_thread(ffff800000023080) at taskq_thread+0x9c sys/kern/kern_task.c:368
end trace frame: 0x0, count: -14
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff800020a36bb0
rbx 0xffff800020a36c60
rdx 0xffff800020a10278
rcx 0
rax 0
r8 0xffffffff81879bcf kprintf+0x16f
r9 0x1
r10 0x25
r11 0x40c2b7b835e1ac1
r12 0x3000000008
r13 0xffff800020a36bc0
r14 0x100
r15 0x1
rip 0xffffffff81db2358 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020a36ba0
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (softnet) pid=439894 stat=onproc
flags process=14000<NOZOMBIE,SYSTEM> proc=200<SYSTEM>
pri=32, usrpri=50, nice=20
forw=0xffffffffffffffff, list=0xffff800020a10000,0xffff800020a10ee0
process=0xffff800020a12000 user=0xffff800020a32000,
vmspace=0xffffffff82641920
estcpu=0, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
14965 396456 54695 0 2 0 syz-executor.1
14965 252127 54695 0 2 0x4000000 syz-executor.1
5653 206399 33596 0 2 0 syz-executor.0
5653 196478 33596 0 3 0x4000000 netlock syz-executor.0
5653 286114 33596 0 7 0x4000000 syz-executor.0
33596 92517 8029 0 3 0x82 nanosleep syz-executor.0
54695 43697 8029 0 3 0x82 nanosleep syz-executor.1
19299 48406 1 0 3 0x100083 ttyopn getty
28207 234465 0 0 3 0x14200 bored sosplice
8029 155744 29363 0 3 0x82 thrsleep syz-fuzzer
8029 281445 29363 0 3 0x4000082 thrsleep syz-fuzzer
8029 350795 29363 0 3 0x4000082 thrsleep syz-fuzzer
8029 496943 29363 0 3 0x4000082 thrsleep syz-fuzzer
8029 396539 29363 0 3 0x4000082 kqread syz-fuzzer
8029 310217 29363 0 3 0x4000082 thrsleep syz-fuzzer
8029 164246 29363 0 3 0x4000082 thrsleep syz-fuzzer
8029 346991 29363 0 3 0x4000082 thrsleep syz-fuzzer
8029 223677 29363 0 3 0x4000082 thrsleep syz-fuzzer
8029 199546 29363 0 3 0x4000082 thrsleep syz-fuzzer
29363 424449 68128 0 3 0x10008a pause ksh
68128 499690 86569 0 3 0x92 select sshd
86569 480905 1 0 3 0x80 select sshd
89016 520778 53292 74 3 0x100092 bpf pflogd
53292 82039 1 0 3 0x80 netio pflogd
41021 57293 63521 73 3 0x100090 kqread syslogd
63521 204867 1 0 3 0x100082 netio syslogd
11648 202060 1 77 3 0x100090 poll dhclient
53239 70734 1 0 3 0x80 poll dhclient
64677 135019 0 0 2 0x14200 zerothread
69605 26593 0 0 3 0x14200 aiodoned aiodoned
10247 237701 0 0 3 0x14200 syncer update
87747 341243 0 0 3 0x14200 cleaner cleaner
79695 329877 0 0 3 0x14200 reaper reaper
76350 3514 0 0 3 0x14200 pgdaemon pagedaemon
26011 414741 0 0 3 0x14200 bored crynlk
76294 453269 0 0 3 0x14200 bored crypto
81250 195215 0 0 3 0x40014200 acpi0 acpi0
58856 184483 0 0 3 0x40014200 idle1
* 8057 439894 0 0 7 0x14200 softnet
82950 343039 0 0 3 0x14200 bored systqmp
29054 108401 0 0 3 0x14200 bored systq
43839 58620 0 0 3 0x40014200 bored softclock
4492 517103 0 0 3 0x40014200 idle0
99327 445079 0 0 3 0x14200 bored smr
1 149554 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
Process 5653 (syz-executor.0) thread 0xffff800020ab1b40 (206399)
shared rwlock vmmaplk r = 0 (0xfffffd807f00a468)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1163
#1 uvmfault_lookup+0xd9 sys/uvm/uvm_fault.c:1448
#2 uvm_fault+0xd85 sys/uvm/uvm_fault.c:524
#3 pageflttrap+0x20b sys/arch/amd64/amd64/trap.c:199
#4 usertrap+0x21a sys/arch/amd64/amd64/trap.c:369
#5 recall_trap+0x8
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82645558)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1163
#1 pageflttrap+0x6f sys/arch/amd64/amd64/trap.c:162
#2 usertrap+0x21a sys/arch/amd64/amd64/trap.c:369
#3 recall_trap+0x8
Process 8057 (softnet) thread 0xffff800020a10278 (439894)
shared rwlock netlock r = 0 (0xffffffff824fd158)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1163
#1 if_input_process+0x84 sys/net/if.c:944
#2 ifiq_process+0x80 sys/net/ifq.c:607
#3 taskq_thread+0x9c sys/kern/kern_task.c:368
#4 proc_trampoline+0x1c
shared rwlock softnet r = 0 (0xffff8000000230e0)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1163
#1 taskq_thread+0x8f sys/kern/kern_task.c:367
#2 proc_trampoline+0x1c
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9619 7100K 8889K 78643K 53709 0 0
pcb 17 10K 12K 78643K 2125 0 0
rtable 185 17K 18K 78643K 9169 0 0
ifaddr 237 60K 61K 78643K 2334 0 0
counters 39 33K 33K 78643K 39 0 0
ioctlops 0 0K 4K 78643K 1937 0 0
iov 0 0K 24K 78643K 1630 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1240 78K 78K 78643K 14426 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 9K 78643K 249 0 0
VM map 51 25K 25K 78643K 70 0 0
sem 12 0K 1K 78643K 1988 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1808 196K 290K 78643K 12765 0 0
file desc 6 17K 25K 78643K 11420 0 0
sigio 0 0K 0K 78643K 1449 0 0
proc 62 63K 95K 78643K 2782 0 0
subproc 32 2K 2K 78643K 731 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
ip_moptions 0 0K 1K 78643K 1390 0 0
in_multi 48 3K 3K 78643K 3552 0 0
ether_multi 1 0K 0K 78643K 63 0 0
mrt 0 0K 0K 78643K 31 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 102 450K 450K 78643K 102 0 0
exec 0 0K 1K 78643K 1389 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 229 442K 442K 78643K 37369 0 0
UVM aobj 130 5K 5K 78643K 138 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
ip6_options 2 0K 2K 78643K 1945 0 0
NDP 24 0K 1K 78643K 984 0 0
temp 209 3565K 4205K 78643K 216824 0 0
kqueue 0 0K 0K 78643K 47 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg
Idle
arp 64 120 0 114 1 0 1 1 0
8 0
plcache 128 20 0 0 1 0 1 1 0
8 0
rtpcb 80 1279 0 1277 1 0 1 1 0
8 0
rtentry 112 2539 0 2465 5 2 3 3 0
8 0
unpcb 120 13542 0 13523 15 14 1 2 0
8 0
syncache 264 30 0 30 15 15 0 1 0
8 0
tcpqe 32 81 0 81 6 6 0 1 0
8 0
tcpcb 544 3676 0 3667 32 31 1 11 0
8 0
inpcb 280 29985 0 29971 59 56 3 9 0
8 2
rttmr 72 8 0 8 6 6 0 1 0
8 0
ip6q 72 12 0 12 6 6 0 1 0
8 0
ip6af 40 22 0 22 5 5 0 1 0
8 0
nd6 48 562 0 558 3 2 1 1 0
8 0
pkpcb 40 31 0 31 13 13 0 1 0
8 0
swfcl 56 5 0 0 1 0 1 1 0
8 0
ppxss 1128 179 0 179 30 29 1 1 0
8 1
pffrag 232 654 0 654 40 40 0 16 0
482 0
pffrnode 88 307 0 307 25 25 0 1 0
8 0
pffrent 40 11810 0 11810 28 28 0 4 0
8 0
pfosfp 40 846 0 846 5 5 0 5 0
8 0
pfosfpen 112 1428 0 1428 21 21 0 21 0
8 0
pfstitem 24 1798 0 1756 3 1 2 2 0
8 0
pfstkey 112 1801 0 1759 16 12 4 10 0
8 0
pfstate 328 1801 0 1756 52 46 6 27 0
8 0
pfrule 1360 21 0 16 2 1 1 2 0
8 0
art_heap8 4096 12 0 8 10 6 4 6 0
8 0
art_heap4 256 14288 0 14009 42 24 18 20 0
8 0
art_table 32 14300 0 14017 3 0 3 3 0
8 0
art_node 16 2534 0 2482 1 0 1 1 0
8 0
sysvmsgpl 40 19 0 9 1 0 1 1 0
8 0
semupl 112 2 0 2 1 1 0 1 0
8 0
semapl 112 1986 0 1976 1 0 1 1 0
8 0
shmpl 112 136 0 8 4 0 4 4 0
8 0
dirhash 1024 17 0 0 3 0 3 3 0
8 0
dino1pl 128 18307 0 16873 47 0 47 47 0
8 0
ffsino 272 18307 0 16873 96 0 96 96 0
8 0
nchpl 144 36301 0 35842 61 41 20 61 0
8 0
uvmvnodes 72 6779 0 0 124 0 124 124 0
8 0
vnodes 208 6779 0 0 357 0 357 357 0
8 0
namei 1024 117374 0 117374 5 4 1 1 0
8 1
percpumem 16 30 0 0 1 0 1 1 0
8 0
vcpupl 1984 49 0 0 7 0 7 7 0
8 0
vmpool 552 68 0 19 4 0 4 4 0
8 0
scsiplug 64 8 0 8 4 4 0 1 0
8 0
scxspl 192 105455 0 105455 54 53 1 7 0
8 1
plimitpl 152 468 0 460 1 0 1 1 0
8 0
sigapl 432 11501 0 11485 3 1 2 3 0
8 0
futexpl 56 245634 0 245634 2 1 1 1 0
8 1
knotepl 112 1640 0 1621 6 5 1 3 0
8 0
kqueuepl 104 2430 0 2428 4 3 1 4 0
8 0
pipepl 112 8078 0 8059 18 17 1 2 0
8 0
fdescpl 488 11502 0 11485 3 0 3 3 0
8 0
filepl 152 107015 0 106910 69 64 5 14 0
8 0
lockfpl 104 2852 0 2851 1 0 1 1 0
8 0
lockfspl 48 916 0 915 1 0 1 1 0
8 0
sessionpl 112 65 0 54 1 0 1 1 0
8 0
pgrppl 48 181 0 170 1 0 1 1 0
8 0
ucredpl 96 9821 0 9810 1 0 1 1 0
8 0
zombiepl 144 11490 0 11490 3 2 1 1 0
8 1
processpl 896 11523 0 11490 4 0 4 4 0
8 0
procpl 632 34387 0 34342 20 15 5 5 0
8 0
srpgc 64 76 0 76 23 23 0 1 0
8 0
sosppl 128 228 0 228 23 23 0 1 0
8 0
sockpl 384 46171 0 46133 109 103 6 15 0
8 1
mcl64k 65536 495 0 0 41 9 32 35 0
8 0
mcl16k 16384 41 0 0 5 3 2 3 0
8 0
mcl12k 12288 49 0 0 2 0 2 2 0
8 0
mcl9k 9216 32 0 0 2 0 2 2 0
8 0
mcl8k 8192 19 0 0 3 0 3 3 0
8 0
mcl4k 4096 33 0 0 3 0 3 3 0
8 0
mcl2k2 2112 12 0 0 1 0 1 1 0
8 0
mcl2k 2048 396 0 0 24 13 11 20 0
8 0
mtagpl 80 69 0 0 1 0 1 1 0
8 0
mbufpl 256 1668 0 0 63 1 62 62 0
8 0
bufpl 256 38285 0 31227 442 0 442 442 0
8 0
anonpl 16 1093282 0 1070177 251 145 106 118 0
124 0
amapchunkpl 152 72145 0 71731 130 113 17 24 0
158 0
amappl16 192 55526 0 54267 235 171 64 74 0
8 0
amappl15 184 527 0 527 5 5 0 1 0
8 0
amappl14 176 2123 0 2116 1 0 1 1 0
8 0
amappl13 168 3441 0 3441 6 6 0 1 0
8 0
amappl12 160 174 0 172 1 0 1 1 0
8 0
amappl11 152 1114 0 1098 1 0 1 1 0
8 0
amappl10 144 648 0 643 1 0 1 1 0
8 0
amappl9 136 3702 0 3698 1 0 1 1 0
8 0
amappl8 128 3360 0 3282 3 0 3 3 0
8 0
amappl7 120 853 0 843 1 0 1 1 0
8 0
amappl6 112 1020 0 1003 1 0 1 1 0
8 0
amappl5 104 710 0 695 1 0 1 1 0
8 0
amappl4 96 12007 0 11974 1 0 1 1 0
8 0
amappl3 88 2730 0 2719 1 0 1 1 0
8 0
amappl2 80 90320 0 90229 3 1 2 3 0
8 0
amappl1 72 249204 0 248743 25 15 10 20 0
8 0
amappl 80 35422 0 35343 2 0 2 2 0
84 0
dma4096 4096 1 0 1 1 1 0 1 0
8 0
dma256 256 6 0 6 1 1 0 1 0
8 0
dma128 128 253 0 253 1 1 0 1 0
8 0
dma64 64 6 0 6 1 1 0 1 0
8 0
dma32 32 7 0 7 1 1 0 1 0
8 0
dma16 16 17 0 17 1 1 0 1 0
8 0
aobjpl 64 137 0 8 3 0 3 3 0
8 0
uaddrrnd 24 11570 0 11485 1 0 1 1 0
8 0
uaddrbest 32 2 0 0 1 0 1 1 0
8 0
uaddr 24 11570 0 11485 1 0 1 1 0
8 0
vmmpekpl 168 87439 0 87393 5 2 3 3 0
8 0
vmmpepl 168 1410162 0 1407441 655 495 160 160 0 357
36
vmsppl 368 11501 0 11485 2 0 2 2 0
8 0
pdppl 4096 23147 0 23057 16 4 12 12 0
8 0
pvpl 32 3174801 0 3154447 554 358 196 227 0
265 0
pmappl 232 11569 0 11504 6 2 4 4 0
8 0
extentpl 40 41 0 26 1 0 1 1 0
8 0
phpool 112 791 0 98 21 1 20 21 0
8 0


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Anton Lindqvist

Nov 7, 2019, 9:24:15 AM11/7/19
to syzbot, syzkaller-o...@googlegroups.com
#syz dup: panic: m_copydata: null mbuf