Hello,
syzbot found the following crash on:
HEAD commit: 19120e8f Fix db_stack_dump() w/ custom addr & implement db..
git tree: openbsd
console output:
https://syzkaller.appspot.com/x/log.txt?x=13d7276f600000
kernel config:
https://syzkaller.appspot.com/x/.config?x=d0fe83f82fe104d4
dashboard link:
https://syzkaller.appspot.com/bug?extid=17937fddcfc9aedfe5b0
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by:
syzbot+17937f...@syzkaller.appspotmail.com
panic: Data modified on freelist: word 5 of object 0xffff800000b9da00 size
0xc0 previous type devbuf (0xd != 0xdeafbead)
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*321221 26071 0 0 0x4000000 0 syz-executor.1
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
malloc(c0,2,1) at malloc+0xa23 sys/kern/kern_malloc.c:331
ifq_init(ffff800000b3c260,ffff800000b3c000,0) at ifq_init+0x6f priq_alloc
sys/net/ifq.c:671 [inline]
ifq_init(ffff800000b3c260,ffff800000b3c000,0) at ifq_init+0x6f
sys/net/ifq.c:202
if_attach_common(ffff800000b3c000) at if_attach_common+0xaf sys/net/if.c:617
if_attach(ffff800000b3c000) at if_attach+0x19 sys/net/if.c:540
tun_create(ffffffff824f9dd0,d9,800) at tun_create+0x1d3 sys/net/if_tun.c:241
if_clone_create(ffff800017b5cb00,0) at if_clone_create+0xa0
sys/net/if.c:1221
tapopen(5dd9,1,2000,ffff8000ffff29f8) at tapopen+0xd1 sys/net/if_tun.c:342
spec_open(ffff800017b5cbe8) at spec_open+0x3ea sys/kern/spec_vnops.c:158
VOP_OPEN(fffffd802f4aeaa8,1,fffffd803f7c6780,ffff8000ffff29f8) at
VOP_OPEN+0x6a sys/kern/vfs_vops.c:154
vn_open(ffff800017b5ce38,201,80) at vn_open+0x4eb sys/kern/vfs_vnops.c:186
doopenat(ffff8000ffff29f8,ffffff9c,200001c0,200,80,ffff800017b5d030) at
doopenat+0x28b sys/kern/vfs_syscalls.c:1157
syscall(ffff800017b5d0b0) at syscall+0x507 sys/arch/amd64/amd64/trap.c:555
end trace frame: 0xffff800017b5d130, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
Data modified on freelist: word 5 of object 0xffff800000b9da00 size 0xc0
previous type devbuf (0xd != 0xdeafbead)
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
malloc(c0,2,1) at malloc+0xa23 sys/kern/kern_malloc.c:331
ifq_init(ffff800000b3c260,ffff800000b3c000,0) at ifq_init+0x6f priq_alloc
sys/net/ifq.c:671 [inline]
ifq_init(ffff800000b3c260,ffff800000b3c000,0) at ifq_init+0x6f
sys/net/ifq.c:202
if_attach_common(ffff800000b3c000) at if_attach_common+0xaf sys/net/if.c:617
if_attach(ffff800000b3c000) at if_attach+0x19 sys/net/if.c:540
tun_create(ffffffff824f9dd0,d9,800) at tun_create+0x1d3 sys/net/if_tun.c:241
if_clone_create(ffff800017b5cb00,0) at if_clone_create+0xa0
sys/net/if.c:1221
tapopen(5dd9,1,2000,ffff8000ffff29f8) at tapopen+0xd1 sys/net/if_tun.c:342
spec_open(ffff800017b5cbe8) at spec_open+0x3ea sys/kern/spec_vnops.c:158
VOP_OPEN(fffffd802f4aeaa8,1,fffffd803f7c6780,ffff8000ffff29f8) at
VOP_OPEN+0x6a sys/kern/vfs_vops.c:154
vn_open(ffff800017b5ce38,201,80) at vn_open+0x4eb sys/kern/vfs_vnops.c:186
doopenat(ffff8000ffff29f8,ffffff9c,200001c0,200,80,ffff800017b5d030) at
doopenat+0x28b sys/kern/vfs_syscalls.c:1157
syscall(ffff800017b5d0b0) at syscall+0x507 sys/arch/amd64/amd64/trap.c:555
Xsyscall(0,0,ffffffffffffffa0,0,3,ac1f3c39010) at Xsyscall+0x128
end of kernel
end trace frame: 0xac408ce53d0, count: -15
ddb> show registers
rdi 0xffffffff81e06467 db_enter+0x17
rsi 0x43e6 __ALIGN_SIZE+0x33e6
rbp 0xffff800017b5c7f0
rbx 0xffff800017b5c8a0
rdx 0x43e7 __ALIGN_SIZE+0x33e7
rcx 0xffff800014919000
rax 0xffff800014919000
r8 0xffff800017b5c7b0
r9 0x1
r10 0xffff800000a56b00
r11 0x205e44f73dfc1e16
r12 0x3000000008
r13 0xffff800017b5c800
r14 0x100
r15 0x1
rip 0xffffffff81e06468 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800017b5c7e0
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb> show proc
PROC (syz-executor.1) pid=321221 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=80, usrpri=80, nice=20
forw=0xffffffffffffffff, list=0xffff8000ffff2780,0xffffffff825a3380
process=0xffff8000148a2d98 user=0xffff800017b58000,
vmspace=0xfffffd803f013440
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
26071 348508 8367 0 2 0 syz-executor.1
*26071 321221 8367 0 7 0x4000000 syz-executor.1
33077 439238 16371 0 3 0x2 biowait syz-executor.0
8367 156333 16371 0 3 0x82 nanosleep syz-executor.1
35062 11272 0 0 3 0x14200 acct acct
21605 66056 0 0 3 0x14200 bored sosplice
16371 493359 85085 0 3 0x82 thrsleep syz-fuzzer
16371 341247 85085 0 3 0x4000082 nanosleep syz-fuzzer
16371 63339 85085 0 3 0x4000082 thrsleep syz-fuzzer
16371 84711 85085 0 3 0x4000082 thrsleep syz-fuzzer
16371 427920 85085 0 3 0x4000082 kqread syz-fuzzer
16371 359071 85085 0 3 0x4000082 thrsleep syz-fuzzer
16371 23035 85085 0 3 0x4000082 thrsleep syz-fuzzer
85085 475267 57101 0 3 0x10008a pause ksh
57101 46057 28699 0 3 0x92 select sshd
56042 331427 1 0 3 0x100083 ttyin getty
28699 238667 1 0 3 0x80 select sshd
59948 337748 87455 73 3 0x100090 kqread syslogd
87455 199676 1 0 3 0x100082 netio syslogd
43088 454142 1 77 3 0x100090 poll dhclient
2372 260173 1 0 3 0x80 poll dhclient
78186 102103 0 0 2 0x14200 zerothread
43391 387436 0 0 3 0x14200 aiodoned aiodoned
31202 347966 0 0 3 0x14200 syncer update
31562 251260 0 0 3 0x14200 cleaner cleaner
15369 278326 0 0 3 0x14200 reaper reaper
47622 363459 0 0 3 0x14200 pgdaemon pagedaemon
97473 486353 0 0 3 0x14200 bored crynlk
29891 207209 0 0 3 0x14200 bored crypto
1210 108459 0 0 3 0x40014200 acpi0 acpi0
26478 504876 0 0 3 0x14200 bored softnet
19781 37517 0 0 3 0x14200 bored systqmp
81335 129483 0 0 3 0x14200 bored systq
27691 147583 0 0 3 0x40014200 bored softclock
55053 22369 0 0 3 0x40014200 idle0
68927 390354 0 0 3 0x14200 bored smr
1 417915 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb> show all locks
No such command
ddb> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9571 6390K 7663K 78643K 22669 0 0
pcb 13 10K 12K 78643K 589 0 0
rtable 85 7K 9K 78643K 2090 0 0
ifaddr 76 15K 18K 78643K 481 0 0
counters 19 16K 16K 78643K 19 0 0
ioctlops 0 0K 2K 78643K 202 0 0
iov 0 0K 32K 78643K 817 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1217 76K 77K 78643K 6173 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 5K 78643K 55 0 0
VM map 17 4K 4K 78643K 28 0 0
sem 12 0K 1K 78643K 589 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1793 195K 288K 78643K 12645 0 0
file desc 5 13K 25K 78643K 3071 0 0
sigio 0 0K 0K 78643K 43 0 0
proc 49 38K 55K 78643K 1624 0 0
subproc 32 2K 2K 78643K 442 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
ip_moptions 0 0K 0K 78643K 235 0 0
in_multi 11 0K 2K 78643K 428 0 0
ether_multi 1 0K 0K 78643K 34 0 0
mrt 0 0K 0K 78643K 33 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 96 424K 424K 78643K 96 0 0
exec 0 0K 1K 78643K 851 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 142 153K 153K 78643K 10048 0 0
UVM aobj 130 4K 4K 78643K 147 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
ip6_options 0 0K 0K 78643K 565 0 0
NDP 20 0K 1K 78643K 163 0 0
temp 226 3544K 4193K 78643K 81211 0 0
kqueue 0 0K 0K 78643K 38 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg
Idle
arp 64 81 0 77 1 0 1 1 0
8 0
rtpcb 80 336 0 333 1 0 1 1 0
8 0
rtentry 112 416 0 390 2 0 2 2 0
8 0
unpcb 120 1668 0 1659 2 1 1 2 0
8 0
syncache 264 14 0 14 6 6 0 1 0
8 0
tcpqe 32 87 0 87 2 2 0 1 0
8 0
tcpcb 544 1119 0 1115 8 7 1 2 0
8 0
ipq 40 27 0 27 12 11 1 1 0
8 1
ipqe 40 414 0 414 12 11 1 1 0
8 1
inpcb 280 4857 0 4850 40 38 2 13 0
8 1
rttmr 72 9 0 9 6 6 0 1 0
8 0
ip6q 72 1 0 1 1 1 0 1 0
8 0
nd6 48 57 0 57 4 3 1 1 0
8 1
pkpcb 40 4 0 4 1 1 0 1 0
8 0
swfcl 56 2 0 0 1 0 1 1 0
8 0
ppxss 1128 42 0 42 18 17 1 1 0
8 1
art_heap8 4096 37 0 36 19 18 1 3 0
8 0
art_heap4 256 2015 0 1885 44 31 13 17 0
8 3
art_table 32 2052 0 1921 5 2 3 3 0
8 1
art_node 16 415 0 391 1 0 1 1 0
8 0
sysvmsgpl 40 44 0 29 1 0 1 1 0
8 0
semupl 112 1 0 1 1 1 0 1 0
8 0
semapl 112 585 0 575 1 0 1 1 0
8 0
shmpl 112 145 0 17 4 0 4 4 0
8 0
dirhash 1024 17 0 0 3 0 3 3 0
8 0
dino1pl 128 6098 0 4705 46 0 46 46 0
8 0
ffsino 240 6098 0 4705 83 0 83 83 0
8 0
nchpl 144 11535 0 11103 60 41 19 60 0
8 0
uvmvnodes 72 7397 0 0 135 0 135 135 0
8 0
vnodes 208 7397 0 0 390 0 390 390 0
8 0
namei 1024 42606 0 42605 4 3 1 1 0
8 0
vcpupl 1984 16 0 1 2 0 2 2 0
8 0
vmpool 520 26 0 11 1 0 1 1 0
8 0
scsiplug 64 5 0 5 3 3 0 1 0
8 0
scxspl 192 44179 0 44177 29 28 1 7 0
8 0
plimitpl 152 281 0 274 1 0 1 1 0
8 0
sigapl 432 3170 0 3157 2 0 2 2 0
8 0
futexpl 56 87751 0 87751 4 3 1 1 0
8 1
knotepl 112 2688 0 2669 5 4 1 2 0
8 0
kqueuepl 104 3586 0 3584 1 0 1 1 0
8 0
pipepl 112 3000 0 2981 11 10 1 2 0
8 0
fdescpl 424 3171 0 3157 2 0 2 2 0
8 0
filepl 120 34351 0 34253 31 27 4 11 0
8 1
lockfpl 104 1101 0 1099 1 0 1 1 0
8 0
lockfspl 48 381 0 379 1 0 1 1 0
8 0
sessionpl 112 41 0 31 1 0 1 1 0
8 0
pgrppl 48 87 0 77 1 0 1 1 0
8 0
ucredpl 96 5886 0 5878 1 0 1 1 0
8 0
zombiepl 144 3157 0 3157 1 0 1 1 0
8 1
processpl 864 3187 0 3157 4 0 4 4 0
8 0
procpl 632 8153 0 8116 19 15 4 5 0
8 0
sosppl 128 27 0 27 9 9 0 1 0
8 0
sockpl 384 7049 0 7030 59 55 4 21 0
8 1
mcl64k 65536 1622 0 1622 148 123 25 33 0 8
25
mcl16k 16384 50 0 50 22 21 1 1 0
8 1
mcl12k 12288 103 0 103 18 18 0 1 0
8 0
mcl9k 9216 45 0 45 22 22 0 1 0
8 0
mcl8k 8192 179 0 179 14 13 1 1 0
8 1
mcl4k 4096 404 0 404 8 7 1 1 0
8 1
mcl2k2 2112 35 0 35 15 15 0 1 0
8 0
mcl2k 2048 72451 0 72402 19 12 7 15 0
8 0
mtagpl 80 150 0 148 8 7 1 1 0
8 0
mbufpl 256 143425 0 143357 124 106 18 26 0
8 8
bufpl 256 19732 0 12336 467 4 463 463 0
8 0
anonpl 16 449514 0 432845 262 175 87 98 0
62 7
amapchunkpl 152 21840 0 21706 87 80 7 17 0
158 0
amappl16 192 19231 0 18209 220 162 58 64 0
8 5
amappl15 184 405 0 403 3 2 1 1 0
8 0
amappl14 176 978 0 974 1 0 1 1 0
8 0
amappl13 168 58 0 58 6 6 0 1 0
8 0
amappl12 160 307 0 304 1 0 1 1 0
8 0
amappl11 152 395 0 384 1 0 1 1 0
8 0
amappl10 144 419 0 416 2 1 1 1 0
8 0
amappl9 136 1402 0 1395 1 0 1 1 0
8 0
amappl8 128 922 0 882 2 0 2 2 0
8 0
amappl7 120 536 0 527 1 0 1 1 0
8 0
amappl6 112 359 0 348 1 0 1 1 0
8 0
amappl5 104 631 0 620 1 0 1 1 0
8 0
amappl4 96 3032 0 3002 1 0 1 1 0
8 0
amappl3 88 1026 0 1018 1 0 1 1 0
8 0
amappl2 80 23340 0 23272 3 1 2 3 0
8 0
amappl1 72 72409 0 72003 26 17 9 20 0
8 0
amappl 80 8778 0 8726 2 0 2 2 0
84 0
dma4096 4096 1 0 1 1 1 0 1 0
8 0
dma256 256 6 0 6 1 1 0 1 0
8 0
dma128 128 253 0 253 1 1 0 1 0
8 0
dma64 64 6 0 6 1 1 0 1 0
8 0
dma32 32 7 0 7 1 1 0 1 0
8 0
dma16 16 17 0 17 1 1 0 1 0
8 0
aobjpl 64 146 0 17 3 0 3 3 0
8 0
uaddrrnd 24 3197 0 3157 1 0 1 1 0
8 0
uaddrbest 32 2 0 0 1 0 1 1 0
8 0
uaddr 24 3197 0 3157 1 0 1 1 0
8 0
vmmpekpl 168 28210 0 28180 2 0 2 2 0
8 0
vmmpepl 168 403544 0 401422 431 298 133 138 0 357
32
vmsppl 272 3170 0 3157 8 7 1 2 0
8 0
pdppl 4096 6400 0 6351 9 2 7 7 0
8 0
pvpl 32 1187064 0 1167268 549 346 203 334 0 265
26
pmappl 200 3196 0 3168 2 0 2 2 0
8 0
extentpl 40 41 0 26 1 0 1 1 0
8 0
phpool 112 982 0 356 19 0 19 19 0
8 0
---
This bug is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.