uvm_fault: pckbc_start (2)


syzbot

May 22, 2019, 2:35:08 PM5/22/19
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: f537473e Allow loading of bigger ucode. This implementati..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=11b40ae4a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=7f659e47e42d9641
dashboard link: https://syzkaller.appspot.com/bug?extid=fe74fc50c630bfa26302

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fe74fc...@syzkaller.appspotmail.com

uvm_fault(0xfffffd807f00c168, 0x1c, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at pckbc_start+0x170: movsxdq 0x1c(%r14),%rax
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
kernel page fault
uvm_fault(0xfffffd807f00c168, 0x1c, 0, 1) -> e
pckbc_start(ffff800000026e00,1) at pckbc_start+0x170 sys/dev/ic/pckbc.c:809
end trace frame: 0xffff80002282b150, count: 0
ddb{0}> trace
pckbc_start(ffff800000026e00,1) at pckbc_start+0x170 sys/dev/ic/pckbc.c:809
pckbc_enqueue_cmd(ffff800000026e00,1,ffff80002282b16e,2,0,1) at
pckbc_enqueue_cmd+0x25a sys/dev/ic/pckbc.c:918
pms_ioctl_mouse(ffff80000066c200,80045721,ffff80002282b510,42,ffff800020b38bd0)
at
pms_ioctl_mouse+0x137
wsmouse_do_ioctl(ffff80000064dc00,80045721,ffff80002282b510,42,ffff800020b38bd0)
at
wsmouse_do_ioctl+0x2e3 sys/dev/wscons/wsmouse.c:530
wsmousedoioctl(ffff80000064dc00,80045721,ffff80002282b510,42,ffff800020b38bd0)
at
wsmousedoioctl+0x51 sys/dev/wscons/wsmouse.c:432
wsmux_do_ioctl(ffff800000026d00,80045721,ffff80002282b510,42,ffff800020b38bd0)
at
wsmux_do_ioctl+0x5b3 sys/dev/wscons/wsmux.c:544
VOP_IOCTL(fffffd80684452d0,80045721,ffff80002282b510,42,fffffd807f7c69c0,ffff800020b38bd0)
at
VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
vn_ioctl(fffffd806cb1c8f8,80045721,ffff80002282b510,ffff800020b38bd0) at
vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
sys_ioctl(ffff800020b38bd0,ffff80002282b638,ffff80002282b6a0) at
sys_ioctl+0x5b8
syscall(ffff80002282b710) at syscall+0x552 mi_syscall
sys/sys/syscall_mi.h:99 [inline]
syscall(ffff80002282b710) at syscall+0x552 sys/arch/amd64/amd64/trap.c:574
Xsyscall(6,0,ffffffffffffff39,0,3,8ebb2389010) at Xsyscall+0x128
end of kernel
end trace frame: 0x8ee583c4280, count: -11
ddb{0}> show registers
rdi 0
rsi 0
rbp 0xffff80002282b0b0
rbx 0
rdx 0x156
rcx 0xffff800000977e00
rax 0xffffffff817c28f4 pckbc_start+0x44
r8 0
r9 0x1
r10 0xca0a7bf12613a668
r11 0x6bc4adbd05e9e681
r12 0xffff800000026e00
r13 0xffff80000066c400
r14 0
r15 0x1
rip 0xffffffff817c2a20 pckbc_start+0x170
cs 0x8
rflags 0x10246 __ALIGN_SIZE+0xf246
rsp 0xffff80002282b050
ss 0x10
pckbc_start+0x170: movsxdq 0x1c(%r14),%rax
ddb{0}> show proc
PROC (syz-executor.1) pid=132220 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=60, usrpri=60, nice=20
forw=0xffffffffffffffff, list=0xffff800020b39530,0xffffffff8237f6f8
process=0xffff800020b8c6a8 user=0xffff800022826000,
vmspace=0xfffffd807f00c168
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
88503 347086 33711 0 2 0 syz-executor.1
*88503 132220 33711 0 7 0x4000000 syz-executor.1
82707 262460 1 0 3 0x100083 ttyin getty
66220 299399 0 0 3 0x14200 bored sosplice
33711 127559 91706 0 3 0x82 nanosleep syz-executor.1
66722 230146 91706 0 3 0x82 nanosleep syz-executor.0
91706 331090 86565 0 3 0x82 kqread syz-fuzzer
91706 46970 86565 0 3 0x4000082 thrsleep syz-fuzzer
91706 25419 86565 0 3 0x4000082 thrsleep syz-fuzzer
91706 434799 86565 0 3 0x4000082 thrsleep syz-fuzzer
91706 253919 86565 0 3 0x4000082 thrsleep syz-fuzzer
91706 460102 86565 0 3 0x4000082 thrsleep syz-fuzzer
91706 465589 86565 0 3 0x4000082 thrsleep syz-fuzzer
91706 396345 86565 0 3 0x4000082 thrsleep syz-fuzzer
91706 499263 86565 0 3 0x4000082 thrsleep syz-fuzzer
91706 427221 86565 0 3 0x4000082 thrsleep syz-fuzzer
86565 378389 25320 0 3 0x10008a pause ksh
25320 188994 41576 0 3 0x92 select sshd
41576 359811 1 0 3 0x80 select sshd
38686 90443 147 74 3 0x100092 bpf pflogd
147 438535 1 0 3 0x80 netio pflogd
22570 352998 27357 73 2 0x100090 syslogd
27357 202433 1 0 3 0x100082 netio syslogd
95146 198319 1 77 3 0x100090 poll dhclient
98644 389160 1 0 3 0x80 poll dhclient
1364 392249 0 0 3 0x14200 pgzero zerothread
21432 472706 0 0 3 0x14200 aiodoned aiodoned
59308 185824 0 0 3 0x14200 syncer update
11076 37643 0 0 3 0x14200 cleaner cleaner
91529 173998 0 0 7 0x14200 reaper
83030 389618 0 0 3 0x14200 pgdaemon pagedaemon
80354 403401 0 0 3 0x14200 bored crynlk
84687 95294 0 0 3 0x14200 bored crypto
93695 97743 0 0 3 0x40014200 acpi0 acpi0
54343 351450 0 0 3 0x40014200 idle1
77836 297046 0 0 3 0x14200 bored softnet
5438 264956 0 0 3 0x14200 bored systqmp
46342 100235 0 0 3 0x14200 bored systq
83035 410266 0 0 3 0x40014200 bored softclock
19922 269589 0 0 3 0x40014200 idle0
99033 313115 0 0 3 0x14200 bored smr
1 465559 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
Process 88503 (syz-executor.1) thread 0xffff800020b38bd0 (132220)
shared rwlock wsmuxlk r = 0 (0xffff800000026dd0)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 wsmux_do_ioctl+0x521
#2 VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
#3 vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
#4 sys_ioctl+0x5b8
#5 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#5 syscall+0x552 sys/arch/amd64/amd64/trap.c:574
#6 Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 1 (0xffffffff82396f70)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 syscall+0x43a mi_syscall sys/sys/syscall_mi.h:91 [inline]
#1 syscall+0x43a sys/arch/amd64/amd64/trap.c:574
#2 Xsyscall+0x128
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9489 6418K 6798K 78643K 10799 0 0
pcb 25 9K 10K 78643K 181 0 0
rtable 108 4K 4K 78643K 275 0 0
ifaddr 47 12K 12K 78643K 93 0 0
counters 39 33K 33K 78643K 39 0 0
ioctlops 0 0K 4K 78643K 1486 0 0
iov 0 0K 16K 78643K 38 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1212 76K 76K 78643K 2355 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 9K 78643K 6 0 0
VM map 2 1K 1K 78643K 2 0 0
sem 12 0K 0K 78643K 16 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1808 196K 290K 78643K 12628 0 0
file desc 5 13K 25K 78643K 1021 0 0
sigio 0 0K 0K 78643K 5 0 0
proc 54 51K 83K 78643K 400 0 0
subproc 32 2K 2K 78643K 38 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
ip_moptions 0 0K 0K 78643K 22 0 0
in_multi 33 2K 2K 78643K 40 0 0
ether_multi 1 0K 0K 78643K 1 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 54 238K 238K 78643K 54 0 0
exec 0 0K 1K 78643K 220 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 91 20K 29K 78643K 3786 0 0
UVM aobj 32 4K 4K 78643K 34 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
ip6_options 0 0K 0K 78643K 24 0 0
NDP 8 0K 0K 78643K 23 0 0
temp 116 2720K 2785K 78643K 5522 0 0
kqueue 0 0K 0K 78643K 4 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg
Idle
arp 64 6 0 0 1 0 1 1 0
8 0
inpcbpl 280 155 0 148 1 0 1 1 0
8 0
plimitpl 152 18 0 10 1 0 1 1 0
8 0
plcache 128 20 0 0 1 0 1 1 0
8 0
rtentry 112 45 0 1 2 0 2 2 0
8 0
syncache 264 4 0 4 1 1 0 1 0
8 0
tcpcb 544 54 0 50 1 0 1 1 0
8 0
nd6 48 6 0 0 1 0 1 1 0
8 0
ppxss 1128 11 0 11 1 1 0 1 0
8 0
pfosfp 40 846 0 423 5 0 5 5 0
8 0
pfosfpen 112 1428 0 714 21 0 21 21 0
8 0
pfstitem 24 12 0 5 1 0 1 1 0
8 0
pfstkey 112 12 0 5 1 0 1 1 0
8 0
pfstate 328 12 0 5 1 0 1 1 0
8 0
pfrule 1360 21 0 16 2 1 1 2 0
8 0
art_heap8 4096 1 0 0 1 0 1 1 0
8 0
art_heap4 256 188 0 0 12 0 12 12 0
8 0
art_table 32 189 0 0 2 0 2 2 0
8 0
art_node 16 44 0 4 1 0 1 1 0
8 0
sysvmsgpl 40 2 0 2 1 1 0 1 0
8 0
semapl 112 14 0 4 1 0 1 1 0
8 0
shmpl 112 32 0 2 1 0 1 1 0
8 0
dirhash 1024 17 0 0 3 0 3 3 0
8 0
dino1pl 128 4281 0 2859 47 0 47 47 0
8 0
ffsino 272 4281 0 2859 96 0 96 96 0
8 0
nchpl 144 5709 0 4067 61 0 61 61 0
8 0
uvmvnodes 72 4401 0 0 81 0 81 81 0
8 0
vnodes 200 4401 0 0 232 0 232 232 0
8 0
namei 1024 13796 0 13796 2 1 1 1 0
8 1
percpumem 16 30 0 0 1 0 1 1 0
8 0
scxspl 192 13191 0 13191 7 6 1 5 0
8 1
sigapl 432 1222 0 1207 3 1 2 3 0
8 0
futexpl 56 6944 0 6944 1 0 1 1 0
8 1
knotepl 112 84 0 65 1 0 1 1 0
8 0
kqueuepl 104 61 0 59 1 0 1 1 0
8 0
pipepl 112 286 0 267 2 1 1 1 0
8 0
fdescpl 488 1223 0 1207 3 0 3 3 0
8 0
filepl 152 4663 0 4562 6 1 5 5 0
8 1
lockfpl 104 2438 0 2436 2 1 1 1 0
8 0
lockfspl 48 664 0 663 2 1 1 1 0
8 0
sessionpl 112 19 0 8 1 0 1 1 0
8 0
pgrppl 48 33 0 22 1 0 1 1 0
8 0
ucredpl 96 441 0 432 1 0 1 1 0
8 0
zombiepl 144 1207 0 1206 2 1 1 1 0
8 0
processpl 840 1239 0 1206 4 0 4 4 0
8 0
procpl 600 3027 0 2983 4 0 4 4 0
8 0
sosppl 128 7 0 7 2 2 0 1 0
8 0
sockpl 384 315 0 296 4 1 3 3 0
8 1
mcl64k 65536 5 0 0 1 0 1 1 0
8 0
mcl16k 16384 1 0 0 1 0 1 1 0
8 0
mcl12k 12288 6 0 0 1 0 1 1 0
8 0
mcl9k 9216 3 0 0 1 0 1 1 0
8 0
mcl8k 8192 4 0 0 1 0 1 1 0
8 0
mcl4k 4096 4 0 0 1 0 1 1 0
8 0
mcl2k2 2112 1 0 0 1 0 1 1 0
8 0
mcl2k 2048 121 0 0 15 1 14 15 0
8 0
mtagpl 80 1 0 0 1 0 1 1 0
8 0
mbufpl 256 161 0 0 9 0 9 9 0
8 0
bufpl 256 7036 0 1188 366 0 366 366 0
8 0
anonpl 16 94249 0 86196 43 10 33 41 0
125 0
amapchunkpl 152 5701 0 5602 10 6 4 9 0
158 0
amappl16 192 4699 0 4286 22 1 21 22 0
8 0
amappl15 184 502 0 499 1 0 1 1 0
8 0
amappl14 176 37 0 34 2 1 1 1 0
8 0
amappl12 160 13 0 12 1 0 1 1 0
8 0
amappl11 152 60 0 42 1 0 1 1 0
8 0
amappl10 144 576 0 572 1 0 1 1 0
8 0
amappl9 136 591 0 588 1 0 1 1 0
8 0
amappl8 128 147 0 132 1 0 1 1 0
8 0
amappl7 120 542 0 533 1 0 1 1 0
8 0
amappl6 112 57 0 51 1 0 1 1 0
8 0
amappl5 104 125 0 111 1 0 1 1 0
8 0
amappl4 96 1397 0 1367 2 1 1 2 0
8 0
amappl3 88 196 0 186 1 0 1 1 0
8 0
amappl2 80 9435 0 9355 3 1 2 3 0
8 0
amappl1 72 33305 0 32850 24 14 10 19 0
8 0
amappl 80 3277 0 3237 1 0 1 1 0
84 0
dma4096 4096 1 0 1 1 1 0 1 0
8 0
dma256 256 6 0 6 1 1 0 1 0
8 0
dma64 64 259 0 259 1 1 0 1 0
8 0
dma32 32 7 0 7 1 1 0 1 0
8 0
dma16 16 17 0 17 1 1 0 1 0
8 0
aobjpl 64 33 0 2 1 0 1 1 0
8 0
uaddrrnd 24 1223 0 1207 1 0 1 1 0
8 0
uaddrbest 32 2 0 0 1 0 1 1 0
8 0
uaddr 24 1223 0 1207 1 0 1 1 0
8 0
vmmpekpl 168 10279 0 10244 2 0 2 2 0
8 0
vmmpepl 168 131639 0 130117 88 19 69 77 0
357 1
vmsppl 360 1222 0 1206 2 0 2 2 0
8 0
pdppl 4096 2453 0 2412 6 0 6 6 0
8 0
pvpl 32 302843 0 291671 123 28 95 112 0
265 3
pmappl 232 1222 0 1206 2 1 1 2 0
8 0
extentpl 40 41 0 26 1 0 1 1 0
8 0
phpool 112 519 0 5 15 0 15 15 0
8 0


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

May 22, 2019, 4:23:06 PM5/22/19
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: f537473e Allow loading of bigger ucode. This implementati..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=117e9d6ca00000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10b80c18a00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fe74fc...@syzkaller.appspotmail.com

uvm_fault(0xfffffd807f00c870, 0x1c, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at pckbc_start+0x170: movsxdq 0x1c(%r14),%rax
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
kernel page fault
uvm_fault(0xfffffd807f00c870, 0x1c, 0, 1) -> e
pckbc_start(ffff800000026e00,1) at pckbc_start+0x170 sys/dev/ic/pckbc.c:809
end trace frame: 0xffff800020c36ae0, count: 0
ddb{0}> trace
pckbc_start(ffff800000026e00,1) at pckbc_start+0x170 sys/dev/ic/pckbc.c:809
pckbc_enqueue_cmd(ffff800000026e00,1,ffff800020c36afe,2,0,1) at
pckbc_enqueue_cmd+0x25a sys/dev/ic/pckbc.c:918
pms_ioctl_mouse(ffff80000066c200,80045721,ffff800020c36ea0,42,ffff800020b384c8)
at
pms_ioctl_mouse+0x137
wsmouse_do_ioctl(ffff80000064dc00,80045721,ffff800020c36ea0,42,ffff800020b384c8)
at
wsmouse_do_ioctl+0x2e3 sys/dev/wscons/wsmouse.c:530
wsmousedoioctl(ffff80000064dc00,80045721,ffff800020c36ea0,42,ffff800020b384c8)
at
wsmousedoioctl+0x51 sys/dev/wscons/wsmouse.c:432
wsmux_do_ioctl(ffff800000026d00,80045721,ffff800020c36ea0,42,ffff800020b384c8)
at
wsmux_do_ioctl+0x5b3 sys/dev/wscons/wsmux.c:544
VOP_IOCTL(fffffd807078c6f8,80045721,ffff800020c36ea0,42,fffffd807f7c6b40,ffff800020b384c8)
at
VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
vn_ioctl(fffffd806d04dac0,80045721,ffff800020c36ea0,ffff800020b384c8) at
vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
sys_ioctl(ffff800020b384c8,ffff800020c36fc8,ffff800020c37030) at
sys_ioctl+0x5b8
syscall(ffff800020c370a0) at syscall+0x552 mi_syscall
sys/sys/syscall_mi.h:99 [inline]
syscall(ffff800020c370a0) at syscall+0x552 sys/arch/amd64/amd64/trap.c:574
Xsyscall(6,0,ffffffffffffff39,0,3,e7d5117c010) at Xsyscall+0x128
end of kernel
end trace frame: 0xe7f9f2c8080, count: -11
ddb{0}> show registers
rdi 0
rsi 0
rbp 0xffff800020c36a40
rbx 0
rdx 0x2
rcx 0
rax 0x1
r8 0
r9 0x1
r10 0x7fc9d5263e6512bb
r11 0x3acb7f87347620a3
r12 0xffff800000026e00
r13 0xffff80000066c400
r14 0
r15 0x1
rip 0xffffffff817c2a20 pckbc_start+0x170
cs 0x8
rflags 0x10246 __ALIGN_SIZE+0xf246
rsp 0xffff800020c369e0
ss 0x10
pckbc_start+0x170: movsxdq 0x1c(%r14),%rax
ddb{0}> show proc
PROC (syz-executor.0) pid=8027 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=52, usrpri=52, nice=20
forw=0xffffffffffffffff, list=0xffff800020b38e28,0xffffffff8237f6f8
process=0xffff800020b8c9f0 user=0xffff800020c32000,
vmspace=0xfffffd807f00c870
estcpu=8, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
68979 223726 30061 0 2 0 syz-executor.0
*68979 8027 30061 0 7 0x4000000 syz-executor.0
51083 91150 87283 0 3 0x82 nanosleep syz-executor.1
30061 406734 87283 0 3 0x82 nanosleep syz-executor.0
87283 11925 11838 0 3 0x82 thrsleep syz-execprog
87283 298187 11838 0 3 0x4000082 nanosleep syz-execprog
87283 387730 11838 0 3 0x4000082 thrsleep syz-execprog
87283 223584 11838 0 3 0x4000082 thrsleep syz-execprog
87283 101209 11838 0 3 0x4000082 thrsleep syz-execprog
87283 409225 11838 0 3 0x4000082 thrsleep syz-execprog
87283 324024 11838 0 3 0x4000082 thrsleep syz-execprog
87283 283126 11838 0 3 0x4000082 thrsleep syz-execprog
87283 105447 11838 0 3 0x4000082 kqread syz-execprog
11838 512979 98557 0 3 0x10008a pause ksh
98557 348053 38114 0 3 0x92 select sshd
27594 219225 1 0 3 0x100083 ttyin getty
38114 115717 1 0 3 0x80 select sshd
62237 352477 37177 74 3 0x100092 bpf pflogd
37177 170818 1 0 3 0x80 netio pflogd
36146 373113 11712 73 2 0x100090 syslogd
11712 13278 1 0 3 0x100082 netio syslogd
1110 179094 1 77 3 0x100090 poll dhclient
32167 147612 1 0 3 0x80 poll dhclient
79811 373370 0 0 2 0x14200 zerothread
14002 122343 0 0 3 0x14200 aiodoned aiodoned
47952 475147 0 0 3 0x14200 syncer update
57307 60310 0 0 3 0x14200 cleaner cleaner
83433 225231 0 0 7 0x14200 reaper
55766 252947 0 0 3 0x14200 pgdaemon pagedaemon
19853 263592 0 0 3 0x14200 bored crynlk
91976 267339 0 0 3 0x14200 bored crypto
16238 304075 0 0 3 0x40014200 acpi0 acpi0
50733 40334 0 0 3 0x40014200 idle1
47547 264176 0 0 3 0x14200 bored softnet
77315 34027 0 0 3 0x14200 bored systqmp
763 127276 0 0 3 0x14200 bored systq
87299 492243 0 0 3 0x40014200 bored softclock
40028 492858 0 0 3 0x40014200 idle0
10833 454173 0 0 3 0x14200 bored smr
1 477969 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
Process 68979 (syz-executor.0) thread 0xffff800020b384c8 (8027)
shared rwlock wsmuxlk r = 0 (0xffff800000026dd0)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 wsmux_do_ioctl+0x521
#2 VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
#3 vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
#4 sys_ioctl+0x5b8
#5 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#5 syscall+0x552 sys/arch/amd64/amd64/trap.c:574
#6 Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 1 (0xffffffff82396f70)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 syscall+0x43a mi_syscall sys/sys/syscall_mi.h:91 [inline]
#1 syscall+0x43a sys/arch/amd64/amd64/trap.c:574
#2 Xsyscall+0x128
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9461 6395K 6395K 78643K 10548 0 0
pcb 25 9K 9K 78643K 61 0 0
rtable 105 3K 3K 78643K 201 0 0
ifaddr 38 10K 10K 78643K 39 0 0
counters 39 33K 33K 78643K 39 0 0
ioctlops 0 0K 4K 78643K 1469 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1176 74K 74K 78643K 1746 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 1K 78643K 2 0 0
VM map 2 1K 1K 78643K 2 0 0
sem 2 0K 0K 78643K 2 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1808 196K 290K 78643K 12628 0 0
file desc 4 12K 24K 78643K 389 0 0
proc 52 50K 83K 78643K 359 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
in_multi 33 2K 2K 78643K 33 0 0
ether_multi 1 0K 0K 78643K 1 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 18 79K 79K 78643K 18 0 0
exec 0 0K 1K 78643K 212 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 84 20K 20K 78643K 2054 0 0
UVM aobj 2 2K 2K 78643K 2 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
NDP 6 0K 0K 78643K 10 0 0
temp 55 2714K 2778K 78643K 3981 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg
Idle
arp 64 6 0 0 1 0 1 1 0
8 0
inpcbpl 280 37 0 31 1 0 1 1 0
8 0
plimitpl 152 16 0 8 1 0 1 1 0
8 0
plcache 128 20 0 0 1 0 1 1 0
8 0
rtentry 112 45 0 1 2 0 2 2 0
8 0
syncache 264 5 0 5 1 1 0 1 0
8 0
tcpcb 544 8 0 5 1 0 1 1 0
8 0
nd6 48 6 0 0 1 0 1 1 0
8 0
pfosfp 40 846 0 423 5 0 5 5 0
8 0
pfosfpen 112 1428 0 714 21 0 21 21 0
8 0
pfstitem 24 11 0 2 1 0 1 1 0
8 0
pfstkey 112 11 0 2 1 0 1 1 0
8 0
pfstate 328 11 0 2 1 0 1 1 0
8 0
pfrule 1360 21 0 16 2 1 1 2 0
8 0
art_heap8 4096 1 0 0 1 0 1 1 0
8 0
art_heap4 256 187 0 0 12 0 12 12 0
8 0
art_table 32 188 0 0 2 0 2 2 0
8 0
art_node 16 44 0 4 1 0 1 1 0
8 0
dirhash 1024 17 0 0 3 0 3 3 0
8 0
dino1pl 128 2722 0 1296 47 0 47 47 0
8 0
ffsino 272 2722 0 1296 96 0 96 96 0
8 0
nchpl 144 3304 0 1660 61 0 61 61 0
8 0
uvmvnodes 72 2732 0 0 50 0 50 50 0
8 0
vnodes 200 2732 0 0 144 0 144 144 0
8 0
namei 1024 8265 0 8265 2 1 1 1 0
8 1
percpumem 16 30 0 0 1 0 1 1 0
8 0
scxspl 192 7045 0 7045 8 7 1 6 0
8 1
sigapl 432 594 0 579 3 0 3 3 0
8 1
futexpl 56 1726 0 1726 1 0 1 1 0
8 1
knotepl 112 51 0 34 1 0 1 1 0
8 0
kqueuepl 104 2 0 0 1 0 1 1 0
8 0
pipepl 112 162 0 143 2 1 1 1 0
8 0
fdescpl 488 595 0 579 3 0 3 3 0
8 0
filepl 152 2584 0 2516 3 0 3 3 0
8 0
lockfpl 104 1422 0 1420 2 1 1 1 0
8 0
lockfspl 48 359 0 358 2 1 1 1 0
8 0
sessionpl 112 20 0 9 1 0 1 1 0
8 0
pgrppl 48 20 0 9 1 0 1 1 0
8 0
ucredpl 96 52 0 43 1 0 1 1 0
8 0
zombiepl 144 579 0 578 2 1 1 1 0
8 0
processpl 840 610 0 578 4 0 4 4 0
8 0
procpl 600 1300 0 1259 4 0 4 4 0
8 0
sockpl 384 85 0 67 3 0 3 3 0
8 1
mcl4k 4096 2 0 0 1 0 1 1 0
8 0
mcl2k 2048 80 0 0 10 0 10 10 0
8 0
mtagpl 80 1 0 0 1 0 1 1 0
8 0
mbufpl 256 143 0 0 8 0 8 8 0
8 0
bufpl 256 5754 0 1188 286 0 286 286 0
8 0
anonpl 16 43131 0 41064 15 5 10 13 0
125 1
amapchunkpl 152 2680 0 2590 6 0 6 6 0
158 2
amappl16 192 1664 0 1600 4 0 4 4 0
8 0
amappl15 184 1 0 0 1 0 1 1 0
8 0
amappl14 176 52 0 46 2 1 1 1 0
8 0
amappl13 168 177 0 175 1 0 1 1 0
8 0
amappl12 160 5 0 5 1 1 0 1 0
8 0
amappl11 152 241 0 221 1 0 1 1 0
8 0
amappl10 144 79 0 74 1 0 1 1 0
8 0
amappl9 136 444 0 441 1 0 1 1 0
8 0
amappl8 128 135 0 124 1 0 1 1 0
8 0
amappl7 120 34 0 30 1 0 1 1 0
8 0
amappl6 112 242 0 233 1 0 1 1 0
8 0
amappl5 104 119 0 106 1 0 1 1 0
8 0
amappl4 96 771 0 749 1 0 1 1 0
8 0
amappl3 88 190 0 179 1 0 1 1 0
8 0
amappl2 80 4032 0 3949 3 1 2 3 0
8 0
amappl1 72 22180 0 21715 25 10 15 20 0
8 5
amappl 80 1545 0 1507 1 0 1 1 0
84 0
dma4096 4096 1 0 1 1 1 0 1 0
8 0
dma256 256 6 0 6 1 1 0 1 0
8 0
dma64 64 259 0 259 1 1 0 1 0
8 0
dma32 32 7 0 7 1 1 0 1 0
8 0
dma16 16 17 0 17 1 1 0 1 0
8 0
aobjpl 64 1 0 0 1 0 1 1 0
8 0
uaddrrnd 24 595 0 579 1 0 1 1 0
8 0
uaddrbest 32 2 0 0 1 0 1 1 0
8 0
uaddr 24 595 0 579 1 0 1 1 0
8 0
vmmpekpl 168 8632 0 8609 2 0 2 2 0
8 0
vmmpepl 168 61600 0 60499 89 14 75 78 0 357
25
vmsppl 360 594 0 578 2 0 2 2 0
8 0
pdppl 4096 1197 0 1156 6 0 6 6 0
8 0
pvpl 32 167724 0 163195 105 6 99 102 0 265
61
pmappl 232 594 0 578 2 0 2 2 0
8 1
extentpl 40 41 0 26 1 0 1 1 0
8 0
phpool 112 430 0 4 13 0 13 13 0
8 0

Anton Lindqvist

May 25, 2019, 7:25:53 AM5/25/19
to syzbot, syzkaller-o...@googlegroups.com
#syz test: https://github.com/mptre/openbsd-src.git bcbc3a82a68f0522eac31ab9060119194f065d13

syzbot

May 25, 2019, 7:41:01 AM5/25/19
to an...@basename.se, syzkaller-o...@googlegroups.com
Hello,

syzbot has tested the proposed patch, but the reproducer still triggered a
crash:
uvm_fault: pckbc_start

uvm_fault(0xfffffd806e7e55a8, 0x1c, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at pckbc_start+0x170: movsxdq 0x1c(%r14),%rax
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
kernel page fault
uvm_fault(0xfffffd806e7e55a8, 0x1c, 0, 1) -> e
pckbc_start(ffff800000026e00,1) at pckbc_start+0x170 sys/dev/ic/pckbc.c:812
end trace frame: 0xffff800020c35540, count: 0
ddb{0}> trace
pckbc_start(ffff800000026e00,1) at pckbc_start+0x170 sys/dev/ic/pckbc.c:812
pckbc_enqueue_cmd(ffff800000026e00,1,ffff800020c3555e,2,0,1) at
pckbc_enqueue_cmd+0x25f sys/dev/ic/pckbc.c:925
pms_ioctl_mouse(ffff80000066c200,80045721,ffff800020c35900,42,ffff800020b38278)
at
pms_ioctl_mouse+0x137
wsmouse_do_ioctl(ffff80000064dc00,80045721,ffff800020c35900,42,ffff800020b38278)
at
wsmouse_do_ioctl+0x2e3 sys/dev/wscons/wsmouse.c:527
wsmousedoioctl(ffff80000064dc00,80045721,ffff800020c35900,42,ffff800020b38278)
at
wsmousedoioctl+0x51 sys/dev/wscons/wsmouse.c:429
wsmux_do_ioctl(ffff800000026d00,80045721,ffff800020c35900,42,ffff800020b38278)
at
wsmux_do_ioctl+0x5b3 sys/dev/wscons/wsmux.c:546
VOP_IOCTL(fffffd806815eb28,80045721,ffff800020c35900,42,fffffd807f7c6720,ffff800020b38278)
at
VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
vn_ioctl(fffffd807c399278,80045721,ffff800020c35900,ffff800020b38278) at
vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
sys_ioctl(ffff800020b38278,ffff800020c35a28,ffff800020c35a90) at
sys_ioctl+0x5b8
syscall(ffff800020c35b00) at syscall+0x552 mi_syscall
sys/sys/syscall_mi.h:99 [inline]
syscall(ffff800020c35b00) at syscall+0x552 sys/arch/amd64/amd64/trap.c:574
Xsyscall(6,0,ffffffffffffff39,0,3,33d293db0d8) at Xsyscall+0x128
end of kernel
end trace frame: 0x33f49785e70, count: -11
ddb{0}> show registers
rdi 0
rsi 0
rbp 0xffff800020c354a0
rbx 0
rdx 0x2
rcx 0
rax 0xffffffff8161c094 pckbc_start+0x44
r8 0
r9 0x1
r10 0xd2179b58632126cf
r11 0x1984771193a45571
r12 0xffff800000026e00
r13 0xffff80000066c400
r14 0
r15 0x1
rip 0xffffffff8161c1c0 pckbc_start+0x170
cs 0x8
rflags 0x10246 __ALIGN_SIZE+0xf246
rsp 0xffff800020c35440
ss 0x10
pckbc_start+0x170: movsxdq 0x1c(%r14),%rax
ddb{0}> show proc
PROC (syz-executor.0) pid=97286 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=55, usrpri=55, nice=20
forw=0xffffffffffffffff, list=0xffff800020b399e8,0xffffffff82387648
process=0xffff800020b8c6a8 user=0xffff800020c30000,
vmspace=0xfffffd806e7e55a8
estcpu=5, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
86755 146706 40396 0 2 0 syz-executor.0
86755 80313 40396 0 3 0x4000080 fsleep syz-executor.0
*86755 97286 40396 0 7 0x4000000 syz-executor.0
2859 474281 27137 0 3 0x82 nanosleep syz-executor.1
40396 307110 27137 0 3 0x82 nanosleep syz-executor.0
27137 317527 61499 0 3 0x82 thrsleep syz-execprog
27137 498834 61499 0 3 0x4000082 nanosleep syz-execprog
27137 168452 61499 0 3 0x4000082 thrsleep syz-execprog
27137 397892 61499 0 3 0x4000082 thrsleep syz-execprog
27137 199143 61499 0 3 0x4000082 thrsleep syz-execprog
27137 73418 61499 0 3 0x4000082 thrsleep syz-execprog
27137 9106 61499 0 3 0x4000082 thrsleep syz-execprog
27137 510607 61499 0 3 0x4000082 thrsleep syz-execprog
27137 182591 61499 0 3 0x4000082 kqread syz-execprog
61499 260201 33989 0 3 0x10008a pause ksh
33989 249522 63596 0 3 0x92 select sshd
91827 208572 1 0 3 0x100083 ttyin getty
63596 260130 1 0 3 0x80 select sshd
73825 245470 91156 74 3 0x100092 bpf pflogd
91156 231251 1 0 3 0x80 netio pflogd
97321 135785 15534 73 7 0x100090 syslogd
15534 96673 1 0 3 0x100082 netio syslogd
54812 433760 1 77 3 0x100090 poll dhclient
39038 417187 1 0 3 0x80 poll dhclient
62952 271775 0 0 3 0x14200 pgzero zerothread
94761 180571 0 0 3 0x14200 aiodoned aiodoned
90925 420788 0 0 3 0x14200 syncer update
3063 367555 0 0 3 0x14200 cleaner cleaner
64339 178109 0 0 3 0x14200 reaper reaper
17130 428756 0 0 3 0x14200 pgdaemon pagedaemon
97282 353286 0 0 3 0x14200 bored crynlk
8708 109121 0 0 3 0x14200 bored crypto
39 290117 0 0 3 0x40014200 acpi0 acpi0
15012 324039 0 0 3 0x40014200 idle1
91365 351954 0 0 3 0x14200 bored softnet
18811 463768 0 0 3 0x14200 bored systqmp
38449 187901 0 0 3 0x14200 bored systq
70025 374769 0 0 3 0x40014200 bored softclock
31368 88073 0 0 3 0x40014200 idle0
83953 253519 0 0 3 0x14200 bored smr
1 370994 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
Process 86755 (syz-executor.0) thread 0xffff800020b38278 (97286)
shared rwlock wsmuxlk r = 0 (0xffff800000026dd0)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 wsmux_do_ioctl+0x521
#2 VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
#3 vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
#4 sys_ioctl+0x5b8
#5 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#5 syscall+0x552 sys/arch/amd64/amd64/trap.c:574
#6 Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 1 (0xffffffff8235bed8)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 syscall+0x43a mi_syscall sys/sys/syscall_mi.h:91 [inline]
#1 syscall+0x43a sys/arch/amd64/amd64/trap.c:574
#2 Xsyscall+0x128
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9461 6395K 6395K 78643K 10548 0 0
pcb 25 9K 9K 78643K 73 0 0
rtable 105 3K 3K 78643K 201 0 0
ifaddr 38 10K 10K 78643K 39 0 0
counters 39 33K 33K 78643K 39 0 0
ioctlops 0 0K 4K 78643K 1469 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1193 75K 75K 78643K 1206 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 1K 78643K 2 0 0
VM map 2 1K 1K 78643K 2 0 0
sem 2 0K 0K 78643K 2 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1808 196K 290K 78643K 12628 0 0
file desc 5 13K 25K 78643K 46 0 0
proc 52 50K 71K 78643K 359 0 0
subproc 0 0K 1K 78643K 17 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
in_multi 33 2K 2K 78643K 33 0 0
ether_multi 1 0K 0K 78643K 1 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 18 79K 79K 78643K 18 0 0
exec 0 0K 1K 78643K 230 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 78 20K 20K 78643K 1228 0 0
UVM aobj 2 2K 2K 78643K 2 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
NDP 6 0K 0K 78643K 10 0 0
temp 55 2714K 2778K 78643K 3480 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg
Idle
arp 64 6 0 0 1 0 1 1 0
8 0
inpcbpl 280 43 0 37 1 0 1 1 0
8 0
plimitpl 152 20 0 12 1 0 1 1 0
8 0
plcache 128 20 0 0 1 0 1 1 0
8 0
rtentry 112 45 0 1 2 0 2 2 0
8 0
syncache 264 8 0 8 1 0 1 1 0
8 1
tcpcb 544 14 0 11 1 0 1 1 0
8 0
nd6 48 6 0 0 1 0 1 1 0
8 0
pfosfp 40 846 0 423 5 0 5 5 0
8 0
pfosfpen 112 1428 0 714 21 0 21 21 0
8 0
pfstitem 24 15 0 2 1 0 1 1 0
8 0
pfstkey 112 15 0 2 1 0 1 1 0
8 0
pfstate 328 15 0 2 2 0 2 2 0
8 0
pfrule 1360 21 0 16 2 1 1 2 0
8 0
art_heap8 4096 1 0 0 1 0 1 1 0
8 0
art_heap4 256 188 0 0 12 0 12 12 0
8 0
art_table 32 189 0 0 2 0 2 2 0
8 0
art_node 16 44 0 4 1 0 1 1 0
8 0
dirhash 1024 17 0 0 3 0 3 3 0
8 0
dino1pl 128 1477 0 50 47 0 47 47 0
8 0
ffsino 272 1477 0 50 96 0 96 96 0
8 0
nchpl 144 1728 0 85 62 1 61 61 0
8 0
uvmvnodes 72 1504 0 0 28 0 28 28 0
8 0
vnodes 200 1504 0 0 80 0 80 80 0
8 0
namei 1024 5187 0 5187 1 0 1 1 0
8 1
percpumem 16 30 0 0 1 0 1 1 0
8 0
scxspl 192 4716 0 4716 7 4 3 6 0
8 3
sigapl 432 267 0 252 3 0 3 3 0
8 1
futexpl 56 33 0 32 2 1 1 1 0
8 0
knotepl 112 107 0 90 1 0 1 1 0
8 0
kqueuepl 104 3 0 1 1 0 1 1 0
8 0
pipepl 112 226 0 207 2 1 1 1 0
8 0
fdescpl 488 268 0 252 3 0 3 3 0
8 0
filepl 152 1412 0 1344 4 1 3 3 0
8 0
lockfpl 104 32 0 30 2 1 1 1 0
8 0
lockfspl 48 10 0 9 2 1 1 1 0
8 0
sessionpl 112 27 0 16 1 0 1 1 0
8 0
pgrppl 48 27 0 16 1 0 1 1 0
8 0
ucredpl 96 73 0 64 1 0 1 1 0
8 0
zombiepl 144 252 0 251 2 1 1 1 0
8 0
processpl 840 283 0 251 4 0 4 4 0
8 0
procpl 600 315 0 273 5 1 4 4 0
8 0
sockpl 384 103 0 85 3 1 2 3 0
8 0
mcl4k 4096 3 0 0 1 0 1 1 0
8 0
mcl2k 2048 88 0 0 11 0 11 11 0
8 0
mtagpl 80 1 0 0 1 0 1 1 0
8 0
mbufpl 256 147 0 0 9 0 9 9 0
8 0
bufpl 256 6006 0 1188 302 0 302 302 0
8 0
anonpl 16 31931 0 30310 19 6 13 13 0
125 5
amapchunkpl 152 1202 0 1131 8 2 6 6 0
158 2
amappl16 192 243 0 207 3 1 2 2 0
8 0
amappl15 184 7 0 5 2 1 1 1 0
8 0
amappl14 176 63 0 57 2 1 1 1 0
8 0
amappl13 168 4 0 4 2 2 0 1 0
8 0
amappl12 160 18 0 16 1 0 1 1 0
8 0
amappl11 152 78 0 60 1 0 1 1 0
8 0
amappl10 144 92 0 89 1 0 1 1 0
8 0
amappl9 136 802 0 798 1 0 1 1 0
8 0
amappl8 128 167 0 156 1 0 1 1 0
8 0
amappl7 120 53 0 48 1 0 1 1 0
8 0
amappl6 112 85 0 79 1 0 1 1 0
8 0
amappl5 104 203 0 188 1 0 1 1 0
8 0
amappl4 96 501 0 479 1 0 1 1 0
8 0
amappl3 88 256 0 243 1 0 1 1 0
8 0
amappl2 80 1220 0 1150 4 1 3 3 0
8 1
amappl1 72 17602 0 17163 30 12 18 19 0
8 8
amappl 80 624 0 591 1 0 1 1 0
84 0
dma4096 4096 1 0 1 1 1 0 1 0
8 0
dma256 256 6 0 6 1 1 0 1 0
8 0
dma64 64 259 0 259 1 1 0 1 0
8 0
dma32 32 7 0 7 1 1 0 1 0
8 0
dma16 16 17 0 17 1 1 0 1 0
8 0
aobjpl 64 1 0 0 1 0 1 1 0
8 0
uaddrrnd 24 268 0 252 1 0 1 1 0
8 0
uaddrbest 32 2 0 0 1 0 1 1 0
8 0
uaddr 24 268 0 252 1 0 1 1 0
8 0
vmmpekpl 168 9048 0 9026 2 0 2 2 0
8 0
vmmpepl 168 39840 0 38819 92 16 76 77 0 357
27
vmsppl 360 267 0 252 2 0 2 2 0
8 0
pdppl 4096 544 0 504 6 0 6 6 0
8 0
pvpl 32 154465 0 150314 115 7 108 108 0 265
71
pmappl 232 267 0 252 2 0 2 2 0
8 1
extentpl 40 41 0 26 1 0 1 1 0
8 0
phpool 112 447 0 3 13 0 13 13 0
8 0


Tested on:

commit: bcbc3a82 pckbc: protect critical section using smr
git tree: https://github.com/mptre/openbsd-src.git
console output: https://syzkaller.appspot.com/x/log.txt?x=13863f3aa00000
kernel config: https://syzkaller.appspot.com/x/.config?x=7f659e47e42d9641
compiler:

Anton Lindqvist

May 27, 2019, 1:32:52 PM5/27/19
to syzbot, syzkaller-o...@googlegroups.com
#syz test: https://github.com/mptre/openbsd-src 50ca04f8b6d

syzbot

May 27, 2019, 1:45:02 PM5/27/19
to an...@basename.se, syzkaller-o...@googlegroups.com
Hello,

syzbot has tested the proposed patch, but the reproducer still triggered a
crash:
assert "cmd != NULL" failed in pckbc.c

panic: kernel diagnostic assertion "cmd != NULL" failed:
file "/syzkaller/jobs/openbsd/kernel/sys/dev/ic/pckbc.c", line 790
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
229026 48338 0 0 0 1 syz-executor.0
*373008 48338 0 0 0x4000000 0K syz-executor.0
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:212
__assert(ffffffff81f9f588,ffffffff81f5c29c,316,ffffffff81f7a536) at
__assert+0x2e sys/kern/subr_prf.c:159
pckbc_start(ffff800000026e00,1) at pckbc_start+0x2e3 sys/dev/ic/pckbc.c:790
pckbc_enqueue_cmd(ffff800000026e00,1,ffff800020c42c2e,2,0,1) at
pckbc_enqueue_cmd+0x25a sys/dev/ic/pckbc.c:920
pms_ioctl_mouse(ffff80000066c200,80045721,ffff800020c42fd0,42,ffff800020b38270)
at
pms_ioctl_mouse+0x137
wsmouse_do_ioctl(ffff80000064dc00,80045721,ffff800020c42fd0,42,ffff800020b38270)
at
wsmouse_do_ioctl+0x2e3 sys/dev/wscons/wsmouse.c:527
wsmousedoioctl(ffff80000064dc00,80045721,ffff800020c42fd0,42,ffff800020b38270)
at
wsmousedoioctl+0x51 sys/dev/wscons/wsmouse.c:429
wsmux_do_ioctl(ffff800000026d00,80045721,ffff800020c42fd0,42,ffff800020b38270)
at
wsmux_do_ioctl+0x5b3 sys/dev/wscons/wsmux.c:546
VOP_IOCTL(fffffd8069345770,80045721,ffff800020c42fd0,42,fffffd807f7c69c0,ffff800020b38270)
at
VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
vn_ioctl(fffffd8068f4e7d0,80045721,ffff800020c42fd0,ffff800020b38270) at
vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
sys_ioctl(ffff800020b38270,ffff800020c430f8,ffff800020c43160) at
sys_ioctl+0x5b8
syscall(ffff800020c431d0) at syscall+0x552 mi_syscall
sys/sys/syscall_mi.h:99 [inline]
syscall(ffff800020c431d0) at syscall+0x552 sys/arch/amd64/amd64/trap.c:574
Xsyscall(6,0,ffffffffffffff39,0,3,7fcb8d90d8) at Xsyscall+0x128
end of kernel
end trace frame: 0x82908cefc0, count: 1
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
kernel diagnostic assertion "cmd != NULL" failed:
file "/syzkaller/jobs/openbsd/kernel/sys/dev/ic/pckbc.c", line 790
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:212
__assert(ffffffff81f9f588,ffffffff81f5c29c,316,ffffffff81f7a536) at
__assert+0x2e sys/kern/subr_prf.c:159
pckbc_start(ffff800000026e00,1) at pckbc_start+0x2e3 sys/dev/ic/pckbc.c:790
pckbc_enqueue_cmd(ffff800000026e00,1,ffff800020c42c2e,2,0,1) at
pckbc_enqueue_cmd+0x25a sys/dev/ic/pckbc.c:920
pms_ioctl_mouse(ffff80000066c200,80045721,ffff800020c42fd0,42,ffff800020b38270)
at
pms_ioctl_mouse+0x137
wsmouse_do_ioctl(ffff80000064dc00,80045721,ffff800020c42fd0,42,ffff800020b38270)
at
wsmouse_do_ioctl+0x2e3 sys/dev/wscons/wsmouse.c:527
wsmousedoioctl(ffff80000064dc00,80045721,ffff800020c42fd0,42,ffff800020b38270)
at
wsmousedoioctl+0x51 sys/dev/wscons/wsmouse.c:429
wsmux_do_ioctl(ffff800000026d00,80045721,ffff800020c42fd0,42,ffff800020b38270)
at
wsmux_do_ioctl+0x5b3 sys/dev/wscons/wsmux.c:546
VOP_IOCTL(fffffd8069345770,80045721,ffff800020c42fd0,42,fffffd807f7c69c0,ffff800020b38270)
at
VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
vn_ioctl(fffffd8068f4e7d0,80045721,ffff800020c42fd0,ffff800020b38270) at
vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
sys_ioctl(ffff800020b38270,ffff800020c430f8,ffff800020c43160) at
sys_ioctl+0x5b8
syscall(ffff800020c431d0) at syscall+0x552 mi_syscall
sys/sys/syscall_mi.h:99 [inline]
syscall(ffff800020c431d0) at syscall+0x552 sys/arch/amd64/amd64/trap.c:574
Xsyscall(6,0,ffffffffffffff39,0,3,7fcb8d90d8) at Xsyscall+0x128
end of kernel
end trace frame: 0x82908cefc0, count: -14
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff800020c42a30
rbx 0xffff800020c42ae0
rdx 0xffff800020b38270
rcx 0
rax 0
r8 0xffffffff8114f173 kprintf+0x173
r9 0x1
r10 0x25
r11 0x9bbc2d7a1bcfca43
r12 0x3000000008
r13 0xffff800020c42a40
r14 0x100
r15 0x1
rip 0xffffffff819db7c8 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020c42a20
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor.0) pid=373008 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=51, usrpri=51, nice=20
forw=0xffffffffffffffff, list=0xffff800020b38018,0xffffffff8238a678
process=0xffff800020b8c018 user=0xffff800020c3e000,
vmspace=0xfffffd806e7e2440
estcpu=1, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
48338 229026 42146 0 7 0 syz-executor.0
48338 36281 42146 0 3 0x4000080 fsleep syz-executor.0
*48338 373008 42146 0 7 0x4000000 syz-executor.0
29438 442166 89523 0 3 0x82 nanosleep syz-executor.1
42146 181938 89523 0 3 0x82 nanosleep syz-executor.0
89523 12984 7641 0 3 0x82 thrsleep syz-execprog
89523 427735 7641 0 3 0x4000082 thrsleep syz-execprog
89523 483812 7641 0 3 0x4000082 thrsleep syz-execprog
89523 315113 7641 0 3 0x4000082 thrsleep syz-execprog
89523 473437 7641 0 3 0x4000082 thrsleep syz-execprog
89523 17176 7641 0 3 0x4000082 thrsleep syz-execprog
89523 455033 7641 0 3 0x4000082 thrsleep syz-execprog
89523 340498 7641 0 3 0x4000082 thrsleep syz-execprog
89523 154335 7641 0 3 0x4000082 kqread syz-execprog
7641 453599 40514 0 3 0x10008a pause ksh
40514 228479 4009 0 3 0x92 select sshd
38586 335452 1 0 3 0x100083 ttyin getty
4009 68036 1 0 3 0x80 select sshd
24725 40700 31916 74 3 0x100092 bpf pflogd
31916 70617 1 0 3 0x80 netio pflogd
97948 250626 22270 73 3 0x100090 kqread syslogd
22270 48630 1 0 3 0x100082 netio syslogd
54264 200322 1 77 3 0x100090 poll dhclient
97183 207439 1 0 3 0x80 poll dhclient
15282 97497 0 0 2 0x14200 zerothread
48979 190405 0 0 3 0x14200 aiodoned aiodoned
18656 280245 0 0 3 0x14200 syncer update
13773 338294 0 0 3 0x14200 cleaner cleaner
79689 512581 0 0 3 0x14200 reaper reaper
31327 137724 0 0 3 0x14200 pgdaemon pagedaemon
71712 200341 0 0 3 0x14200 bored crynlk
21340 348574 0 0 3 0x14200 bored crypto
73353 365911 0 0 3 0x40014200 acpi0 acpi0
75375 406758 0 0 3 0x40014200 idle1
76203 479889 0 0 3 0x14200 bored softnet
71389 498542 0 0 3 0x14200 bored systqmp
78180 387374 0 0 3 0x14200 bored systq
24254 305252 0 0 3 0x40014200 bored softclock
98842 428796 0 0 3 0x40014200 idle0
18400 313325 0 0 3 0x14200 bored smr
1 428965 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
Process 48338 (syz-executor.0) thread 0xffff800020b38270 (373008)
shared rwlock wsmuxlk r = 0 (0xffff800000026dd0)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 wsmux_do_ioctl+0x521
#2 VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
#3 vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
#4 sys_ioctl+0x5b8
#5 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#5 syscall+0x552 sys/arch/amd64/amd64/trap.c:574
#6 Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff823802e0)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 syscall+0x43a mi_syscall sys/sys/syscall_mi.h:91 [inline]
#1 syscall+0x43a sys/arch/amd64/amd64/trap.c:574
#2 Xsyscall+0x128
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9461 6395K 6395K 78643K 10548 0 0
pcb 25 9K 9K 78643K 73 0 0
rtable 105 3K 3K 78643K 201 0 0
ifaddr 38 10K 10K 78643K 39 0 0
counters 39 33K 33K 78643K 39 0 0
ioctlops 0 0K 4K 78643K 1469 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1193 75K 75K 78643K 1259 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 1K 78643K 2 0 0
VM map 2 1K 1K 78643K 2 0 0
sem 2 0K 0K 78643K 2 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1808 196K 290K 78643K 12628 0 0
file desc 4 12K 24K 78643K 76 0 0
proc 52 50K 83K 78643K 359 0 0
subproc 0 0K 1K 78643K 17 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
in_multi 33 2K 2K 78643K 33 0 0
ether_multi 1 0K 0K 78643K 1 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 18 79K 79K 78643K 18 0 0
exec 0 0K 1K 78643K 230 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 82 20K 20K 78643K 1317 0 0
UVM aobj 2 2K 2K 78643K 2 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
NDP 6 0K 0K 78643K 10 0 0
temp 55 2714K 2778K 78643K 3542 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg
Idle
arp 64 6 0 0 1 0 1 1 0
8 0
inpcbpl 280 43 0 37 1 0 1 1 0
8 0
plimitpl 152 20 0 12 1 0 1 1 0
8 0
plcache 128 20 0 0 1 0 1 1 0
8 0
rtentry 112 45 0 1 2 0 2 2 0
8 0
syncache 264 8 0 8 2 1 1 1 0
dino1pl 128 1592 0 165 47 0 47 47 0
8 0
ffsino 272 1592 0 165 96 0 96 96 0
8 0
nchpl 144 1874 0 231 62 1 61 61 0
8 0
uvmvnodes 72 1619 0 0 30 0 30 30 0
8 0
vnodes 200 1619 0 0 86 0 86 86 0
8 0
namei 1024 5543 0 5543 2 1 1 1 0
8 1
percpumem 16 30 0 0 1 0 1 1 0
8 0
scxspl 192 5012 0 5012 7 6 1 6 0
8 1
sigapl 432 298 0 283 3 0 3 3 0
8 1
futexpl 56 219 0 218 2 1 1 1 0
8 0
knotepl 112 107 0 90 1 0 1 1 0
8 0
kqueuepl 104 3 0 1 1 0 1 1 0
8 0
pipepl 112 226 0 207 2 1 1 1 0
8 0
fdescpl 488 299 0 283 5 2 3 3 0
8 0
filepl 152 1551 0 1483 4 1 3 3 0
8 0
lockfpl 104 156 0 154 2 1 1 1 0
8 0
lockfspl 48 41 0 40 2 1 1 1 0
8 0
sessionpl 112 27 0 16 1 0 1 1 0
8 0
pgrppl 48 27 0 16 1 0 1 1 0
8 0
ucredpl 96 73 0 64 1 0 1 1 0
8 0
zombiepl 144 283 0 282 2 1 1 1 0
8 0
processpl 840 314 0 282 4 0 4 4 0
8 0
procpl 600 400 0 358 4 0 4 4 0
8 0
sockpl 384 103 0 85 4 1 3 3 0
8 1
mcl4k 4096 8 0 0 1 0 1 1 0
8 0
mcl2k 2048 88 0 0 10 0 10 10 0
8 0
mtagpl 80 1 0 0 1 0 1 1 0
8 0
mbufpl 256 154 0 0 9 0 9 9 0
8 0
bufpl 256 6036 0 1188 303 0 303 303 0
8 0
anonpl 16 33767 0 32102 19 6 13 13 0
125 5
amapchunkpl 152 1315 0 1242 7 2 5 5 0
158 1
amappl16 192 364 0 323 4 1 3 3 0
8 0
amappl15 184 9 0 8 2 1 1 1 0
8 0
amappl14 176 55 0 52 2 1 1 1 0
8 0
amappl13 168 8 0 7 1 0 1 1 0
8 0
amappl12 160 29 0 28 1 0 1 1 0
8 0
amappl11 152 84 0 66 1 0 1 1 0
8 0
amappl10 144 112 0 107 1 0 1 1 0
8 0
amappl9 136 842 0 838 1 0 1 1 0
8 0
amappl8 128 190 0 178 1 0 1 1 0
8 0
amappl7 120 64 0 58 1 0 1 1 0
8 0
amappl6 112 80 0 74 1 0 1 1 0
8 0
amappl5 104 162 0 149 1 0 1 1 0
8 0
amappl4 96 545 0 521 2 1 1 2 0
8 0
amappl3 88 247 0 236 1 0 1 1 0
8 0
amappl2 80 1463 0 1390 4 1 3 3 0
8 1
amappl1 72 18122 0 17682 30 12 18 20 0
8 8
amappl 80 706 0 672 1 0 1 1 0
84 0
dma4096 4096 1 0 1 1 1 0 1 0
8 0
dma256 256 6 0 6 1 1 0 1 0
8 0
dma64 64 259 0 259 1 1 0 1 0
8 0
dma32 32 7 0 7 1 1 0 1 0
8 0
dma16 16 17 0 17 1 1 0 1 0
8 0
aobjpl 64 1 0 0 1 0 1 1 0
8 0
uaddrrnd 24 299 0 283 1 0 1 1 0
8 0
uaddrbest 32 2 0 0 1 0 1 1 0
8 0
uaddr 24 299 0 283 1 0 1 1 0
8 0
vmmpekpl 168 9261 0 9237 2 0 2 2 0
8 0
vmmpepl 168 42182 0 41160 90 13 77 78 0 357
30
vmsppl 360 298 0 283 2 0 2 2 0
8 0
pdppl 4096 606 0 566 8 2 6 6 0
8 0
pvpl 32 159222 0 155017 114 6 108 108 0 265
71
pmappl 232 298 0 283 2 0 2 2 0
8 1
extentpl 40 41 0 26 1 0 1 1 0
8 0
phpool 112 450 0 6 13 0 13 13 0
8 0


Tested on:

commit: 50ca04f8 tmp debug
git tree: https://github.com/mptre/openbsd-src
console output: https://syzkaller.appspot.com/x/log.txt?x=142f53d8a00000

syzbot

May 27, 2019, 2:17:01 PM5/27/19
to an...@basename.se, syzkaller-o...@googlegroups.com
Hello,

syzbot has tested the proposed patch, but the reproducer still triggered a
crash:
assert "cmd != NULL" failed in pckbc.c

panic: kernel diagnostic assertion "cmd != NULL" failed:
file "/syzkaller/jobs/openbsd/kernel/sys/dev/ic/pckbc.c", line 793
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*267967 96840 0 0 0x4000000 0K syz-executor.0
485362 87546 0 0x14000 0x200 1 reaper
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:212
__assert(ffffffff81f9ccfd,ffffffff81f5bdb2,319,ffffffff81f79c01) at
__assert+0x2e sys/kern/subr_prf.c:159
pckbc_start(ffff800000026e00,1) at pckbc_start+0x2e3 sys/dev/ic/pckbc.c:793
pckbc_enqueue_cmd(ffff800000026e00,1,ffff800020c3afce,2,0,1) at
pckbc_enqueue_cmd+0x25a sys/dev/ic/pckbc.c:923
pms_ioctl_mouse(ffff80000066c200,80045721,ffff800020c3b370,42,ffff800020b38980)
at
pms_ioctl_mouse+0x137
wsmouse_do_ioctl(ffff80000064dc00,80045721,ffff800020c3b370,42,ffff800020b38980)
at
wsmouse_do_ioctl+0x2e3 sys/dev/wscons/wsmouse.c:527
wsmousedoioctl(ffff80000064dc00,80045721,ffff800020c3b370,42,ffff800020b38980)
at
wsmousedoioctl+0x51 sys/dev/wscons/wsmouse.c:429
wsmux_do_ioctl(ffff800000026d00,80045721,ffff800020c3b370,42,ffff800020b38980)
at
wsmux_do_ioctl+0x5b3 sys/dev/wscons/wsmux.c:546
VOP_IOCTL(fffffd8069040a60,80045721,ffff800020c3b370,42,fffffd807f7c6900,ffff800020b38980)
at
VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
vn_ioctl(fffffd8073949900,80045721,ffff800020c3b370,ffff800020b38980) at
vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
sys_ioctl(ffff800020b38980,ffff800020c3b498,ffff800020c3b500) at
sys_ioctl+0x5b8
syscall(ffff800020c3b570) at syscall+0x552 mi_syscall
sys/sys/syscall_mi.h:99 [inline]
syscall(ffff800020c3b570) at syscall+0x552 sys/arch/amd64/amd64/trap.c:574
Xsyscall(6,0,ffffffffffffff39,0,3,96b4ff24010) at Xsyscall+0x128
end of kernel
end trace frame: 0x96e3493f560, count: 1
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
kernel diagnostic assertion "cmd != NULL" failed:
file "/syzkaller/jobs/openbsd/kernel/sys/dev/ic/pckbc.c", line 793
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:212
__assert(ffffffff81f9ccfd,ffffffff81f5bdb2,319,ffffffff81f79c01) at
__assert+0x2e sys/kern/subr_prf.c:159
pckbc_start(ffff800000026e00,1) at pckbc_start+0x2e3 sys/dev/ic/pckbc.c:793
pckbc_enqueue_cmd(ffff800000026e00,1,ffff800020c3afce,2,0,1) at
pckbc_enqueue_cmd+0x25a sys/dev/ic/pckbc.c:923
pms_ioctl_mouse(ffff80000066c200,80045721,ffff800020c3b370,42,ffff800020b38980)
at
pms_ioctl_mouse+0x137
wsmouse_do_ioctl(ffff80000064dc00,80045721,ffff800020c3b370,42,ffff800020b38980)
at
wsmouse_do_ioctl+0x2e3 sys/dev/wscons/wsmouse.c:527
wsmousedoioctl(ffff80000064dc00,80045721,ffff800020c3b370,42,ffff800020b38980)
at
wsmousedoioctl+0x51 sys/dev/wscons/wsmouse.c:429
wsmux_do_ioctl(ffff800000026d00,80045721,ffff800020c3b370,42,ffff800020b38980)
at
wsmux_do_ioctl+0x5b3 sys/dev/wscons/wsmux.c:546
VOP_IOCTL(fffffd8069040a60,80045721,ffff800020c3b370,42,fffffd807f7c6900,ffff800020b38980)
at
VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
vn_ioctl(fffffd8073949900,80045721,ffff800020c3b370,ffff800020b38980) at
vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
sys_ioctl(ffff800020b38980,ffff800020c3b498,ffff800020c3b500) at
sys_ioctl+0x5b8
syscall(ffff800020c3b570) at syscall+0x552 mi_syscall
sys/sys/syscall_mi.h:99 [inline]
syscall(ffff800020c3b570) at syscall+0x552 sys/arch/amd64/amd64/trap.c:574
Xsyscall(6,0,ffffffffffffff39,0,3,96b4ff24010) at Xsyscall+0x128
end of kernel
end trace frame: 0x96e3493f560, count: -14
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff800020c3add0
rbx 0xffff800020c3ae80
rdx 0xffff800020b38980
rcx 0
rax 0
r8 0xffffffff81749a43 kprintf+0x173
r9 0x1
r10 0x25
r11 0x1d7488c7b85750bb
r12 0x3000000008
r13 0xffff800020c3ade0
r14 0x100
r15 0x1
rip 0xffffffff819cfb88 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020c3adc0
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor.0) pid=267967 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=65, usrpri=65, nice=20
forw=0xffffffffffffffff, list=0xffff800020b39790,0xffffffff8237e8f8
process=0xffff800020b8cd38 user=0xffff800020c36000,
vmspace=0xfffffd806e7e3710
estcpu=15, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
96840 480277 11819 0 2 0 syz-executor.0
*96840 267967 11819 0 7 0x4000000 syz-executor.0
97119 282975 61939 0 3 0x82 nanosleep syz-executor.1
11819 29973 61939 0 3 0x82 nanosleep syz-executor.0
61939 74852 3375 0 3 0x82 kqread syz-execprog
61939 185632 3375 0 3 0x4000082 nanosleep syz-execprog
61939 193769 3375 0 3 0x4000082 thrsleep syz-execprog
61939 27622 3375 0 3 0x4000082 thrsleep syz-execprog
61939 5699 3375 0 3 0x4000082 thrsleep syz-execprog
61939 273081 3375 0 3 0x4000082 thrsleep syz-execprog
61939 409223 3375 0 3 0x4000082 thrsleep syz-execprog
61939 320573 3375 0 3 0x4000082 thrsleep syz-execprog
61939 116697 3375 0 3 0x4000082 thrsleep syz-execprog
3375 99602 9298 0 3 0x10008a pause ksh
9298 358394 4203 0 3 0x92 select sshd
42589 58459 1 0 3 0x100083 ttyin getty
4203 35406 1 0 3 0x80 select sshd
27155 459921 69593 74 3 0x100092 bpf pflogd
69593 23145 1 0 3 0x80 netio pflogd
27175 252926 74933 73 3 0x100010 biowait syslogd
74933 391966 1 0 3 0x100082 netio syslogd
20905 36700 1 77 3 0x100090 poll dhclient
15965 159371 1 0 3 0x80 poll dhclient
19275 164034 0 0 2 0x14200 zerothread
32239 293791 0 0 3 0x14200 aiodoned aiodoned
99020 374153 0 0 3 0x14200 syncer update
66530 425822 0 0 3 0x14200 cleaner cleaner
87546 485362 0 0 7 0x14200 reaper
63500 9999 0 0 3 0x14200 pgdaemon pagedaemon
23659 240860 0 0 3 0x14200 bored crynlk
55257 321619 0 0 3 0x14200 bored crypto
67055 120672 0 0 3 0x40014200 acpi0 acpi0
55119 148343 0 0 3 0x40014200 idle1
95211 220052 0 0 3 0x14200 bored softnet
80690 167216 0 0 3 0x14200 bored systqmp
22512 426169 0 0 3 0x14200 bored systq
51405 331215 0 0 3 0x40014200 bored softclock
38186 20086 0 0 3 0x40014200 idle0
35573 369154 0 0 3 0x14200 bored smr
1 415048 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
CPU 1:
exclusive mutex &(curpg)->mdpage.pv_mtx r = 0 (0xfffffd8006b196d8)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 mtx_enter_try+0x102
#2 mtx_enter+0x4b sys/kern/kern_lock.c:266
#3 pmap_remove_ptes+0x22b pmap_remove_pv sys/arch/amd64/amd64/pmap.c:984
[inline]
#3 pmap_remove_ptes+0x22b sys/arch/amd64/amd64/pmap.c:1577
#4 pmap_do_remove+0x400 sys/arch/amd64/amd64/pmap.c:1785
#5 uvm_map_teardown+0x195 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:206
[inline]
#5 uvm_map_teardown+0x195 sys/uvm/uvm_map.c:2650
#6 uvmspace_free+0x86 sys/uvm/uvm_map.c:3519
#7 uvm_exit+0x29 sys/uvm/uvm_glue.c:297
#8 reaper+0x170 sys/kern/kern_exit.c:433
#9 proc_trampoline+0x1c
exclusive mutex &pmap->pm_mtx r = 0 (0xfffffd807f00abd8)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 mtx_enter_try+0x102
#2 mtx_enter+0x4b sys/kern/kern_lock.c:266
#3 pmap_do_remove+0x88 rcr3
sys/arch/amd64/compile/SYZKALLER/obj/machine/cpufunc.h:141 [inline]
#3 pmap_do_remove+0x88 pmap_map_ptes sys/arch/amd64/amd64/pmap.c:418
[inline]
#3 pmap_do_remove+0x88 sys/arch/amd64/amd64/pmap.c:1689
#4 uvm_map_teardown+0x195 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:206
[inline]
#4 uvm_map_teardown+0x195 sys/uvm/uvm_map.c:2650
#5 uvmspace_free+0x86 sys/uvm/uvm_map.c:3519
#6 uvm_exit+0x29 sys/uvm/uvm_glue.c:297
#7 reaper+0x170 sys/kern/kern_exit.c:433
#8 proc_trampoline+0x1c
Process 96840 (syz-executor.0) thread 0xffff800020b38980 (267967)
shared rwlock wsmuxlk r = 0 (0xffff800000026dd0)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 wsmux_do_ioctl+0x521
#2 VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
#3 vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
#4 sys_ioctl+0x5b8
#5 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#5 syscall+0x552 sys/arch/amd64/amd64/trap.c:574
#6 Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff8234f1e0)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 syscall+0x43a mi_syscall sys/sys/syscall_mi.h:91 [inline]
#1 syscall+0x43a sys/arch/amd64/amd64/trap.c:574
#2 Xsyscall+0x128
Process 27175 (syslogd) thread 0xffff800020b85780 (252926)
exclusive rrwlock inode r = 0 (0xfffffd806eafdd58)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 rw_enter+0x46d sys/kern/kern_rwlock.c:306
#2 rrw_enter+0x4f sys/kern/kern_rwlock.c:435
#3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:602
#4 vn_lock+0x6e sys/kern/vfs_vnops.c:549
#5 sys_fsync+0x114 sys/kern/vfs_syscalls.c:2793
#6 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#6 syscall+0x552 sys/arch/amd64/amd64/trap.c:574
#7 Xsyscall+0x128
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9461 6395K 6395K 78643K 10548 0 0
pcb 25 9K 9K 78643K 73 0 0
rtable 105 3K 3K 78643K 201 0 0
ifaddr 38 10K 10K 78643K 39 0 0
counters 39 33K 33K 78643K 39 0 0
ioctlops 0 0K 4K 78643K 1469 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1193 75K 75K 78643K 1212 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 1K 78643K 2 0 0
VM map 2 1K 1K 78643K 2 0 0
sem 2 0K 0K 78643K 2 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1808 196K 290K 78643K 12628 0 0
file desc 5 13K 25K 78643K 50 0 0
proc 52 50K 83K 78643K 359 0 0
subproc 0 0K 1K 78643K 17 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
in_multi 33 2K 2K 78643K 33 0 0
ether_multi 1 0K 0K 78643K 1 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 18 79K 79K 78643K 18 0 0
exec 0 0K 1K 78643K 230 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 80 20K 20K 78643K 1240 0 0
UVM aobj 2 2K 2K 78643K 2 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
NDP 6 0K 0K 78643K 10 0 0
temp 55 2714K 2778K 78643K 3487 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg
Idle
arp 64 6 0 0 1 0 1 1 0
8 0
inpcbpl 280 43 0 37 1 0 1 1 0
8 0
plimitpl 152 20 0 12 1 0 1 1 0
8 0
plcache 128 20 0 0 1 0 1 1 0
8 0
rtentry 112 45 0 1 2 0 2 2 0
8 0
syncache 264 8 0 8 1 0 1 1 0
dino1pl 128 1491 0 64 47 0 47 47 0
8 0
ffsino 272 1491 0 64 96 0 96 96 0
8 0
nchpl 144 1746 0 103 62 1 61 61 0
8 0
uvmvnodes 72 1518 0 0 28 0 28 28 0
8 0
vnodes 200 1518 0 0 80 0 80 80 0
8 0
namei 1024 5235 0 5235 2 1 1 1 0
8 1
percpumem 16 30 0 0 1 0 1 1 0
8 0
scxspl 192 4789 0 4788 8 7 1 7 0
8 0
sigapl 432 271 0 256 3 0 3 3 0
8 1
futexpl 56 68 0 68 2 1 1 1 0
8 1
knotepl 112 107 0 90 1 0 1 1 0
8 0
kqueuepl 104 3 0 1 1 0 1 1 0
8 0
pipepl 112 226 0 207 2 1 1 1 0
8 0
fdescpl 488 272 0 256 5 2 3 3 0
8 0
filepl 152 1432 0 1364 4 1 3 3 0
8 0
lockfpl 104 48 0 46 2 1 1 1 0
8 0
lockfspl 48 14 0 13 2 1 1 1 0
8 0
sessionpl 112 27 0 16 1 0 1 1 0
8 0
pgrppl 48 27 0 16 1 0 1 1 0
8 0
ucredpl 96 73 0 64 1 0 1 1 0
8 0
zombiepl 144 256 0 255 2 1 1 1 0
8 0
processpl 840 287 0 255 4 0 4 4 0
8 0
procpl 600 323 0 282 5 1 4 4 0
8 0
sockpl 384 103 0 85 4 1 3 3 0
8 1
mcl4k 4096 3 0 0 1 0 1 1 0
8 0
mcl2k 2048 95 0 0 12 0 12 12 0
8 0
mtagpl 80 1 0 0 1 0 1 1 0
8 0
mbufpl 256 151 0 0 8 0 8 8 0
8 0
bufpl 256 6009 0 1188 302 0 302 302 0
8 0
anonpl 16 32421 0 30748 19 6 13 13 0
125 5
amapchunkpl 152 1204 0 1128 8 2 6 6 0
158 2
amappl16 192 256 0 217 3 1 2 2 0
8 0
amappl15 184 1 0 1 1 0 1 1 0
8 1
amappl14 176 63 0 58 2 1 1 1 0
8 0
amappl13 168 4 0 4 2 2 0 1 0
8 0
amappl12 160 28 0 25 1 0 1 1 0
8 0
amappl11 152 91 0 71 1 0 1 1 0
8 0
amappl10 144 108 0 103 1 0 1 1 0
8 0
amappl9 136 817 0 814 1 0 1 1 0
8 0
amappl8 128 170 0 160 1 0 1 1 0
8 0
amappl7 120 47 0 42 1 0 1 1 0
8 0
amappl6 112 94 0 86 1 0 1 1 0
8 0
amappl5 104 182 0 167 1 0 1 1 0
8 0
amappl4 96 503 0 481 1 0 1 1 0
8 0
amappl3 88 249 0 239 1 0 1 1 0
8 0
amappl2 80 1270 0 1192 4 1 3 3 0
8 1
amappl1 72 17422 0 16969 32 14 18 20 0
8 8
amappl 80 629 0 593 1 0 1 1 0
84 0
dma4096 4096 1 0 1 1 1 0 1 0
8 0
dma256 256 6 0 6 1 1 0 1 0
8 0
dma64 64 259 0 259 1 1 0 1 0
8 0
dma32 32 7 0 7 1 1 0 1 0
8 0
dma16 16 17 0 17 1 1 0 1 0
8 0
aobjpl 64 1 0 0 1 0 1 1 0
8 0
uaddrrnd 24 272 0 256 1 0 1 1 0
8 0
uaddrbest 32 2 0 0 1 0 1 1 0
8 0
uaddr 24 272 0 256 1 0 1 1 0
8 0
vmmpekpl 168 9021 0 8996 2 0 2 2 0
8 0
vmmpepl 168 40075 0 39019 93 16 77 78 0 357
29
vmsppl 360 271 0 255 2 0 2 2 0
8 0
pdppl 4096 551 0 510 7 1 6 6 0
8 0
pvpl 32 155188 0 151044 116 8 108 108 0 265
69
pmappl 232 271 0 255 2 0 2 2 0
8 1
extentpl 40 41 0 26 1 0 1 1 0
8 0
phpool 112 449 0 5 13 0 13 13 0
8 0


Tested on:

commit: c77fcae4 tmp debug
git tree: https://github.com/mptre/openbsd-src
console output: https://syzkaller.appspot.com/x/log.txt?x=129107bca00000

syzbot

May 27, 2019, 2:35:01 PM5/27/19
to an...@basename.se, syzkaller-o...@googlegroups.com
Hello,

syzbot has tested the proposed patch, but the reproducer still triggered a
crash:
assert "cmd != NULL" failed in pckbc.c

panic: kernel diagnostic assertion "cmd != NULL" failed:
file "/syzkaller/jobs/openbsd/kernel/sys/dev/ic/pckbc.c", line 794
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
522266 77852 0 0 0 1 syz-executor.1
*242183 77852 0 0 0x4000000 0K syz-executor.1
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:212
__assert(ffffffff81f9dc0b,ffffffff81f5c19b,31a,ffffffff81f7a0da) at
__assert+0x2e sys/kern/subr_prf.c:159
pckbc_start(ffff800000026e00,1) at pckbc_start+0x2e8 sys/dev/ic/pckbc.c:794
pckbc_enqueue_cmd(ffff800000026e00,1,ffff800020c4136e,2,0,1) at
pckbc_enqueue_cmd+0x25a sys/dev/ic/pckbc.c:925
pms_ioctl_mouse(ffff80000066c200,80045721,ffff800020c41710,42,ffff800020b38e28)
at
pms_ioctl_mouse+0x137
wsmouse_do_ioctl(ffff80000064dc00,80045721,ffff800020c41710,42,ffff800020b38e28)
at
wsmouse_do_ioctl+0x2e3 sys/dev/wscons/wsmouse.c:527
wsmousedoioctl(ffff80000064dc00,80045721,ffff800020c41710,42,ffff800020b38e28)
at
wsmousedoioctl+0x51 sys/dev/wscons/wsmouse.c:429
wsmux_do_ioctl(ffff800000026d00,80045721,ffff800020c41710,42,ffff800020b38e28)
at
wsmux_do_ioctl+0x5b3 sys/dev/wscons/wsmux.c:546
VOP_IOCTL(fffffd806852f170,80045721,ffff800020c41710,42,fffffd807f7c68a0,ffff800020b38e28)
at
VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
vn_ioctl(fffffd806fdb5440,80045721,ffff800020c41710,ffff800020b38e28) at
vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
sys_ioctl(ffff800020b38e28,ffff800020c41838,ffff800020c418a0) at
sys_ioctl+0x5b8
syscall(ffff800020c41910) at syscall+0x552 mi_syscall
sys/sys/syscall_mi.h:99 [inline]
syscall(ffff800020c41910) at syscall+0x552 sys/arch/amd64/amd64/trap.c:574
Xsyscall(6,0,ffffffffffffff39,0,3,c6798f9c0d8) at Xsyscall+0x128
end of kernel
end trace frame: 0xc6a2552d590, count: 1
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
kernel diagnostic assertion "cmd != NULL" failed:
file "/syzkaller/jobs/openbsd/kernel/sys/dev/ic/pckbc.c", line 794
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:212
__assert(ffffffff81f9dc0b,ffffffff81f5c19b,31a,ffffffff81f7a0da) at
__assert+0x2e sys/kern/subr_prf.c:159
pckbc_start(ffff800000026e00,1) at pckbc_start+0x2e8 sys/dev/ic/pckbc.c:794
pckbc_enqueue_cmd(ffff800000026e00,1,ffff800020c4136e,2,0,1) at
pckbc_enqueue_cmd+0x25a sys/dev/ic/pckbc.c:925
pms_ioctl_mouse(ffff80000066c200,80045721,ffff800020c41710,42,ffff800020b38e28)
at
pms_ioctl_mouse+0x137
wsmouse_do_ioctl(ffff80000064dc00,80045721,ffff800020c41710,42,ffff800020b38e28)
at
wsmouse_do_ioctl+0x2e3 sys/dev/wscons/wsmouse.c:527
wsmousedoioctl(ffff80000064dc00,80045721,ffff800020c41710,42,ffff800020b38e28)
at
wsmousedoioctl+0x51 sys/dev/wscons/wsmouse.c:429
wsmux_do_ioctl(ffff800000026d00,80045721,ffff800020c41710,42,ffff800020b38e28)
at
wsmux_do_ioctl+0x5b3 sys/dev/wscons/wsmux.c:546
VOP_IOCTL(fffffd806852f170,80045721,ffff800020c41710,42,fffffd807f7c68a0,ffff800020b38e28)
at
VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
vn_ioctl(fffffd806fdb5440,80045721,ffff800020c41710,ffff800020b38e28) at
vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
sys_ioctl(ffff800020b38e28,ffff800020c41838,ffff800020c418a0) at
sys_ioctl+0x5b8
syscall(ffff800020c41910) at syscall+0x552 mi_syscall
sys/sys/syscall_mi.h:99 [inline]
syscall(ffff800020c41910) at syscall+0x552 sys/arch/amd64/amd64/trap.c:574
Xsyscall(6,0,ffffffffffffff39,0,3,c6798f9c0d8) at Xsyscall+0x128
end of kernel
end trace frame: 0xc6a2552d590, count: -14
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff800020c41170
rbx 0xffff800020c41220
rdx 0xffff800020b38e28
rcx 0
rax 0
r8 0xffffffff817645e3 kprintf+0x173
r9 0x1
r10 0x25
r11 0x775288b39ed5715
r12 0x3000000008
r13 0xffff800020c41180
r14 0x100
r15 0x1
rip 0xffffffff81138968 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020c41160
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor.1) pid=242183 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=86, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff800020b39530,0xffffffff82355700
process=0xffff800020b8c018 user=0xffff800020c3c000,
vmspace=0xfffffd806e7d7e18
estcpu=36, cpticks=15, pctcpu=0.0
user=0, sys=15, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
77852 522266 96671 0 7 0 syz-executor.1
77852 436406 96671 0 2 0x4000080 syz-executor.1
*77852 242183 96671 0 7 0x4000000 syz-executor.1
96671 397795 18444 0 3 0x82 nanosleep syz-executor.1
66629 270766 18444 0 3 0x82 nanosleep syz-executor.0
18444 15747 23385 0 3 0x82 thrsleep syz-execprog
18444 231441 23385 0 3 0x4000082 thrsleep syz-execprog
18444 408244 23385 0 3 0x4000082 thrsleep syz-execprog
18444 240014 23385 0 3 0x4000082 kqread syz-execprog
18444 407454 23385 0 3 0x4000082 thrsleep syz-execprog
18444 379241 23385 0 3 0x4000082 thrsleep syz-execprog
18444 334496 23385 0 3 0x4000082 thrsleep syz-execprog
18444 328220 23385 0 3 0x4000082 thrsleep syz-execprog
18444 438902 23385 0 3 0x4000082 thrsleep syz-execprog
18444 196899 23385 0 3 0x4000082 thrsleep syz-execprog
23385 96749 44664 0 3 0x10008a pause ksh
44664 58157 25142 0 3 0x92 select sshd
78405 407017 1 0 3 0x100083 ttyin getty
25142 441026 1 0 3 0x80 select sshd
199 158009 34222 74 3 0x100092 bpf pflogd
34222 4472 1 0 3 0x80 netio pflogd
8098 470343 64502 73 2 0x100090 syslogd
64502 42712 1 0 3 0x100082 netio syslogd
78643 437138 1 77 3 0x100090 poll dhclient
42432 245065 1 0 3 0x80 poll dhclient
86090 295179 0 0 3 0x14200 pgzero zerothread
47818 406645 0 0 3 0x14200 aiodoned aiodoned
47104 24198 0 0 3 0x14200 syncer update
19181 327883 0 0 3 0x14200 cleaner cleaner
88811 66106 0 0 3 0x14200 reaper reaper
31635 150283 0 0 3 0x14200 pgdaemon pagedaemon
12201 143702 0 0 3 0x14200 bored crynlk
22305 66411 0 0 3 0x14200 bored crypto
5944 387425 0 0 3 0x40014200 acpi0 acpi0
52652 357581 0 0 3 0x40014200 idle1
11350 521639 0 0 3 0x14200 bored softnet
73894 446821 0 0 3 0x14200 bored systqmp
40894 334529 0 0 3 0x14200 bored systq
97544 409964 0 0 3 0x40014200 bored softclock
70286 49166 0 0 3 0x40014200 idle0
71491 253151 0 0 3 0x14200 bored smr
1 302998 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
Process 77852 (syz-executor.1) thread 0xffff800020b38e28 (242183)
shared rwlock wsmuxlk r = 0 (0xffff800000026dd0)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 wsmux_do_ioctl+0x521
#2 VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
#3 vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
#4 sys_ioctl+0x5b8
#5 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#5 syscall+0x552 sys/arch/amd64/amd64/trap.c:574
#6 Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff8237b060)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 syscall+0x43a mi_syscall sys/sys/syscall_mi.h:91 [inline]
#1 syscall+0x43a sys/arch/amd64/amd64/trap.c:574
#2 Xsyscall+0x128
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9461 6395K 6395K 78643K 10548 0 0
pcb 25 9K 9K 78643K 73 0 0
rtable 105 3K 3K 78643K 201 0 0
ifaddr 38 10K 10K 78643K 39 0 0
counters 39 33K 33K 78643K 39 0 0
ioctlops 0 0K 4K 78643K 1469 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1193 75K 75K 78643K 2688 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 1K 78643K 2 0 0
VM map 2 1K 1K 78643K 2 0 0
sem 2 0K 0K 78643K 2 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1808 196K 290K 78643K 12628 0 0
file desc 5 13K 25K 78643K 1037 0 0
proc 52 50K 83K 78643K 359 0 0
subproc 0 0K 1K 78643K 17 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
in_multi 33 2K 2K 78643K 33 0 0
ether_multi 1 0K 0K 78643K 1 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 18 79K 79K 78643K 18 0 0
exec 0 0K 1K 78643K 230 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 79 20K 20K 78643K 4073 0 0
UVM aobj 2 2K 2K 78643K 2 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
NDP 6 0K 0K 78643K 10 0 0
temp 55 2714K 2778K 78643K 5462 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg
Idle
arp 64 6 0 0 1 0 1 1 0
8 0
inpcbpl 280 43 0 36 1 0 1 1 0
8 0
plimitpl 152 20 0 12 1 0 1 1 0
8 0
plcache 128 20 0 0 1 0 1 1 0
8 0
rtentry 112 45 0 1 2 0 2 2 0
8 0
syncache 264 8 0 8 1 1 0 1 0
8 0
tcpqe 32 1 0 1 1 1 0 1 0
8 0
tcpcb 544 14 0 10 1 0 1 1 0
8 0
nd6 48 6 0 0 1 0 1 1 0
8 0
pfosfp 40 846 0 423 5 0 5 5 0
8 0
pfosfpen 112 1428 0 714 21 0 21 21 0
8 0
pfstitem 24 15 0 5 1 0 1 1 0
8 0
pfstkey 112 15 0 5 1 0 1 1 0
8 0
pfstate 328 15 0 5 2 0 2 2 0
8 1
pfrule 1360 21 0 16 2 1 1 2 0
8 0
art_heap8 4096 1 0 0 1 0 1 1 0
8 0
art_heap4 256 188 0 0 12 0 12 12 0
8 0
art_table 32 189 0 0 2 0 2 2 0
8 0
art_node 16 44 0 4 1 0 1 1 0
8 0
dirhash 1024 17 0 0 3 0 3 3 0
8 0
dino1pl 128 4941 0 3514 47 0 47 47 0
8 0
ffsino 272 4941 0 3514 96 0 96 96 0
8 0
nchpl 144 6163 0 4520 62 1 61 61 0
8 0
uvmvnodes 72 4968 0 0 91 0 91 91 0
8 0
vnodes 200 4968 0 0 262 0 262 262 0
8 0
namei 1024 16280 0 16280 2 1 1 1 0
8 1
percpumem 16 30 0 0 1 0 1 1 0
8 0
scxspl 192 13678 0 13678 8 7 1 6 0
8 1
sigapl 432 1258 0 1243 3 1 2 3 0
8 0
futexpl 56 4873 0 4873 2 1 1 1 0
8 1
knotepl 112 107 0 90 1 0 1 1 0
8 0
kqueuepl 104 3 0 1 1 0 1 1 0
8 0
pipepl 112 226 0 207 2 1 1 1 0
8 0
fdescpl 488 1259 0 1243 3 0 3 3 0
8 0
filepl 152 5568 0 5500 4 1 3 3 0
8 0
lockfpl 104 3978 0 3976 2 1 1 1 0
8 0
lockfspl 48 1001 0 1000 2 1 1 1 0
8 0
sessionpl 112 27 0 16 1 0 1 1 0
8 0
pgrppl 48 27 0 16 1 0 1 1 0
8 0
ucredpl 96 73 0 64 1 0 1 1 0
8 0
zombiepl 144 1243 0 1242 2 1 1 1 0
8 0
processpl 840 1274 0 1242 4 0 4 4 0
8 0
procpl 600 3193 0 3150 4 0 4 4 0
8 0
sockpl 384 103 0 84 3 0 3 3 0
8 0
mcl4k 4096 4 0 0 1 0 1 1 0
8 0
mcl2k 2048 97 0 0 13 0 13 13 0
8 0
mtagpl 80 1 0 0 1 0 1 1 0
8 0
mbufpl 256 152 0 0 9 0 9 9 0
8 0
bufpl 256 6997 0 1188 364 0 364 364 0
8 0
anonpl 16 86844 0 84379 20 9 11 13 0
125 0
amapchunkpl 152 6032 0 5952 9 5 4 6 0
158 0
amappl16 192 4493 0 4405 6 1 5 5 0
8 0
amappl15 184 2 0 2 1 1 0 1 0
8 0
amappl14 176 60 0 55 2 1 1 1 0
8 0
amappl13 168 1002 0 999 2 1 1 1 0
8 0
amappl12 160 19 0 19 1 1 0 1 0
8 0
amappl11 152 97 0 79 1 0 1 1 0
8 0
amappl10 144 98 0 96 1 0 1 1 0
8 0
amappl9 136 819 0 813 1 0 1 1 0
8 0
amappl8 128 176 0 163 1 0 1 1 0
8 0
amappl7 120 47 0 45 1 0 1 1 0
8 0
amappl6 112 85 0 79 1 0 1 1 0
8 0
amappl5 104 186 0 173 1 0 1 1 0
8 0
amappl4 96 2002 0 1980 1 0 1 1 0
8 0
amappl3 88 247 0 237 1 0 1 1 0
8 0
amappl2 80 9641 0 9567 4 2 2 3 0
8 0
amappl1 72 36173 0 35728 30 20 10 20 0
8 0
amappl 80 3467 0 3433 1 0 1 1 0
84 0
dma4096 4096 1 0 1 1 1 0 1 0
8 0
dma256 256 6 0 6 1 1 0 1 0
8 0
dma64 64 259 0 259 1 1 0 1 0
8 0
dma32 32 7 0 7 1 1 0 1 0
8 0
dma16 16 17 0 17 1 1 0 1 0
8 0
aobjpl 64 1 0 0 1 0 1 1 0
8 0
uaddrrnd 24 1259 0 1243 1 0 1 1 0
8 0
uaddrbest 32 2 0 0 1 0 1 1 0
8 0
uaddr 24 1259 0 1243 1 0 1 1 0
8 0
vmmpekpl 168 14969 0 14947 2 0 2 2 0
8 0
vmmpepl 168 119206 0 118126 94 35 59 77 0
357 9
vmsppl 360 1258 0 1243 2 0 2 2 0
8 0
pdppl 4096 2526 0 2486 6 0 6 6 0
8 0
pvpl 32 304937 0 299794 112 22 90 108 0 265
47
pmappl 232 1258 0 1243 2 1 1 2 0
8 0
extentpl 40 41 0 26 1 0 1 1 0
8 0
phpool 112 512 0 4 15 0 15 15 0
8 0


Tested on:

commit: b50fe85d tmp debug
git tree: https://github.com/mptre/openbsd-src
console output: https://syzkaller.appspot.com/x/log.txt?x=1336f480a00000

syzbot

May 27, 2019, 4:12:02 PM5/27/19
to an...@basename.se, syzkaller-o...@googlegroups.com
Hello,

syzbot has tested the proposed patch, but the reproducer still triggered a
crash:
assert "in_enqueue == 0" failed in pckbc.c

panic: kernel diagnostic assertion "in_enqueue == 0" failed:
file "/syzkaller/jobs/openbsd/kernel/sys/dev/ic/pckbc.c", line 737
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*353186 95233 0 0x1000 0x4080000 1 syz-executor.0
450832 86297 73 0x100010 0 0K syslogd
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:212
__assert(ffffffff81f9ebf0,ffffffff81f5be29,2e1,ffffffff81fb5f91) at
__assert+0x2e sys/kern/subr_prf.c:159
pckbc_cleanup(ffff800000026e00) at pckbc_cleanup+0x228
sys/dev/ic/pckbc.c:737
pckbc_enqueue_cmd(ffff800000026e00,1,ffff800020c44bfe,2,0,1) at
pckbc_enqueue_cmd+0x334 sys/dev/ic/pckbc.c:944
pms_ioctl_mouse(ffff80000066c200,80045721,ffff800020c44fa0,42,ffff800020b9abd0)
at
pms_ioctl_mouse+0x137
wsmouse_do_ioctl(ffff80000064dc00,80045721,ffff800020c44fa0,42,ffff800020b9abd0)
at
wsmouse_do_ioctl+0x2e3 sys/dev/wscons/wsmouse.c:527
wsmousedoioctl(ffff80000064dc00,80045721,ffff800020c44fa0,42,ffff800020b9abd0)
at
wsmousedoioctl+0x51 sys/dev/wscons/wsmouse.c:429
wsmux_do_ioctl(ffff800000026d00,80045721,ffff800020c44fa0,42,ffff800020b9abd0)
at
wsmux_do_ioctl+0x5b3 sys/dev/wscons/wsmux.c:546
VOP_IOCTL(fffffd806fefb310,80045721,ffff800020c44fa0,42,fffffd807f7c6a80,ffff800020b9abd0)
at
VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
vn_ioctl(fffffd807a34c018,80045721,ffff800020c44fa0,ffff800020b9abd0) at
vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
sys_ioctl(ffff800020b9abd0,ffff800020c450c8,ffff800020c45130) at
sys_ioctl+0x5b8
syscall(ffff800020c451a0) at syscall+0x552 mi_syscall
sys/sys/syscall_mi.h:99 [inline]
syscall(ffff800020c451a0) at syscall+0x552 sys/arch/amd64/amd64/trap.c:574
Xsyscall(6,0,ffffffffffffff39,0,3,482e6aaa0d8) at Xsyscall+0x128
end of kernel
end trace frame: 0x484f98c32e0, count: 1
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
kernel diagnostic assertion "in_enqueue == 0" failed:
file "/syzkaller/jobs/openbsd/kernel/sys/dev/ic/pckbc.c", line 737
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:212
__assert(ffffffff81f9ebf0,ffffffff81f5be29,2e1,ffffffff81fb5f91) at
__assert+0x2e sys/kern/subr_prf.c:159
pckbc_cleanup(ffff800000026e00) at pckbc_cleanup+0x228
sys/dev/ic/pckbc.c:737
pckbc_enqueue_cmd(ffff800000026e00,1,ffff800020c44bfe,2,0,1) at
pckbc_enqueue_cmd+0x334 sys/dev/ic/pckbc.c:944
pms_ioctl_mouse(ffff80000066c200,80045721,ffff800020c44fa0,42,ffff800020b9abd0)
at
pms_ioctl_mouse+0x137
wsmouse_do_ioctl(ffff80000064dc00,80045721,ffff800020c44fa0,42,ffff800020b9abd0)
at
wsmouse_do_ioctl+0x2e3 sys/dev/wscons/wsmouse.c:527
wsmousedoioctl(ffff80000064dc00,80045721,ffff800020c44fa0,42,ffff800020b9abd0)
at
wsmousedoioctl+0x51 sys/dev/wscons/wsmouse.c:429
wsmux_do_ioctl(ffff800000026d00,80045721,ffff800020c44fa0,42,ffff800020b9abd0)
at
wsmux_do_ioctl+0x5b3 sys/dev/wscons/wsmux.c:546
VOP_IOCTL(fffffd806fefb310,80045721,ffff800020c44fa0,42,fffffd807f7c6a80,ffff800020b9abd0)
at
VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
vn_ioctl(fffffd807a34c018,80045721,ffff800020c44fa0,ffff800020b9abd0) at
vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
sys_ioctl(ffff800020b9abd0,ffff800020c450c8,ffff800020c45130) at
sys_ioctl+0x5b8
syscall(ffff800020c451a0) at syscall+0x552 mi_syscall
sys/sys/syscall_mi.h:99 [inline]
syscall(ffff800020c451a0) at syscall+0x552 sys/arch/amd64/amd64/trap.c:574
Xsyscall(6,0,ffffffffffffff39,0,3,482e6aaa0d8) at Xsyscall+0x128
end of kernel
end trace frame: 0x484f98c32e0, count: -14
ddb{1}> show registers
rdi 0
rsi 0x1
rbp 0xffff800020c44a20
rbx 0xffff800020c44ad0
rdx 0xffff800020b9abd0
rcx 0
rax 0
r8 0xffffffff81bb7c93 kprintf+0x173
r9 0x1
r10 0x25
r11 0x50769e6c9d4947e5
r12 0x3000000008
r13 0xffff800020c44a30
r14 0x100
r15 0x1
rip 0xffffffff8163e5c8 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020c44a10
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor.0) pid=353186 stat=onproc
flags process=1000<SINGLEEXIT> proc=4080000<SUSPSINGLE,THREAD>
pri=0, usrpri=69, nice=20
forw=0xffffffffffffffff, list=0xffff800020b9ae28,0xffff800020b9a028
process=0xffff800020b8c6a8 user=0xffff800020c40000,
vmspace=0xfffffd806e7dc440
estcpu=19, cpticks=2, pctcpu=0.0
user=0, sys=2, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
29202 188590 9630 0 3 0x3000 suspend syz-executor.1
29202 55140 9630 0 3 0x4081000 kbccmd syz-executor.1
29202 209516 9630 0 3 0x4081000 kbccmd syz-executor.1
95233 508074 41791 0 3 0x3000 suspend syz-executor.0
*95233 353186 41791 0 7 0x4081000 syz-executor.0
9630 449269 45912 0 2 0x482 syz-executor.1
41791 311423 45912 0 2 0x482 syz-executor.0
45912 494503 12948 0 3 0x82 thrsleep syz-execprog
45912 315317 12948 0 3 0x4000082 thrsleep syz-execprog
45912 497233 12948 0 3 0x4000082 thrsleep syz-execprog
45912 47544 12948 0 3 0x4000082 thrsleep syz-execprog
45912 396499 12948 0 3 0x4000082 thrsleep syz-execprog
45912 151641 12948 0 3 0x4000082 thrsleep syz-execprog
45912 236110 12948 0 3 0x4000082 thrsleep syz-execprog
45912 152893 12948 0 3 0x4000082 thrsleep syz-execprog
45912 299765 12948 0 3 0x4000082 kqread syz-execprog
45912 58235 12948 0 3 0x4000082 thrsleep syz-execprog
12948 24329 78185 0 3 0x10008a pause ksh
78185 191268 10029 0 3 0x92 select sshd
70761 522943 1 0 3 0x100083 ttyin getty
10029 496494 1 0 3 0x80 select sshd
77489 421136 7745 74 3 0x100092 bpf pflogd
7745 344370 1 0 3 0x80 netio pflogd
86297 450832 51724 73 7 0x100010 syslogd
51724 298617 1 0 3 0x100082 netio syslogd
2290 471648 1 77 3 0x100090 poll dhclient
88130 186859 1 0 3 0x80 poll dhclient
46709 114340 0 0 3 0x14200 pgzero zerothread
28349 232147 0 0 3 0x14200 aiodoned aiodoned
13869 130924 0 0 3 0x14200 syncer update
72853 145552 0 0 3 0x14200 cleaner cleaner
15294 25893 0 0 3 0x14200 reaper reaper
50549 79825 0 0 3 0x14200 pgdaemon pagedaemon
2574 165296 0 0 3 0x14200 bored crynlk
25942 405093 0 0 3 0x14200 bored crypto
22171 465691 0 0 3 0x40014200 acpi0 acpi0
56110 388691 0 0 3 0x40014200 idle1
54620 430053 0 0 3 0x14200 bored softnet
41455 228889 0 0 3 0x14200 bored systqmp
87893 506589 0 0 3 0x14200 bored systq
41503 320470 0 0 3 0x40014200 bored softclock
78411 429461 0 0 3 0x40014200 idle0
71234 446541 0 0 3 0x14200 bored smr
1 7187 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
Process 29202 (syz-executor.1) thread 0xffff800020b9a978 (55140)
shared rwlock wsmuxlk r = 0 (0xffff800000026dd0)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 wsmux_do_ioctl+0x521
#2 VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
#3 vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
#4 sys_ioctl+0x5b8
#5 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#5 syscall+0x552 sys/arch/amd64/amd64/trap.c:574
#6 Xsyscall+0x128
Process 29202 (syz-executor.1) thread 0xffff800020b9a720 (209516)
shared rwlock wsmuxlk r = 0 (0xffff800000026dd0)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 wsmux_do_ioctl+0x521
#2 VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
#3 vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
#4 sys_ioctl+0x5b8
#5 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#5 syscall+0x552 sys/arch/amd64/amd64/trap.c:574
#6 Xsyscall+0x128
Process 95233 (syz-executor.0) thread 0xffff800020b9abd0 (353186)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82389ed8)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 __mp_acquire_count+0x51 sys/kern/kern_lock.c:227
#2 mi_switch+0x38c sys/kern/sched_bsd.c:439
#3 sleep_finish+0x110 sys/kern/kern_synch.c:303
#4 tsleep+0x198 sleep_finish_timeout sys/kern/kern_synch.c:327 [inline]
#4 tsleep+0x198 sleep_finish_all sys/kern/kern_synch.c:157 [inline]
#4 tsleep+0x198 sys/kern/kern_synch.c:148
#5 pckbc_enqueue_cmd+0x2db sys/dev/ic/pckbc.c:941
#6 pms_ioctl_mouse+0x137
#7 wsmouse_do_ioctl+0x2e3 sys/dev/wscons/wsmouse.c:527
#8 wsmousedoioctl+0x51 sys/dev/wscons/wsmouse.c:429
#9 wsmux_do_ioctl+0x5b3 sys/dev/wscons/wsmux.c:546
#10 VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
#11 vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
#12 sys_ioctl+0x5b8
#13 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#13 syscall+0x552 sys/arch/amd64/amd64/trap.c:574
#14 Xsyscall+0x128
shared rwlock wsmuxlk r = 0 (0xffff800000026dd0)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 wsmux_do_ioctl+0x521
#2 VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
#3 vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
#4 sys_ioctl+0x5b8
#5 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#5 syscall+0x552 sys/arch/amd64/amd64/trap.c:574
#6 Xsyscall+0x128
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9461 6395K 6395K 78643K 10548 0 0
pcb 25 9K 9K 78643K 73 0 0
rtable 105 3K 3K 78643K 201 0 0
ifaddr 38 10K 10K 78643K 39 0 0
counters 39 33K 33K 78643K 39 0 0
ioctlops 0 0K 4K 78643K 1469 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1193 75K 75K 78643K 3536 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 1K 78643K 2 0 0
VM map 2 1K 1K 78643K 2 0 0
sem 2 0K 0K 78643K 2 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1808 196K 290K 78643K 12628 0 0
file desc 5 16K 24K 78643K 1542 0 0
proc 52 50K 71K 78643K 359 0 0
subproc 0 0K 1K 78643K 17 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
in_multi 33 2K 2K 78643K 33 0 0
ether_multi 1 0K 0K 78643K 1 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 18 79K 79K 78643K 18 0 0
exec 0 0K 1K 78643K 230 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 84 20K 20K 78643K 5537 0 0
UVM aobj 2 2K 2K 78643K 2 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
NDP 6 0K 0K 78643K 10 0 0
temp 55 2718K 2782K 78643K 6474 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg
Idle
arp 64 6 0 0 1 0 1 1 0
8 0
inpcbpl 280 43 0 37 1 0 1 1 0
8 0
plimitpl 152 20 0 12 1 0 1 1 0
8 0
plcache 128 20 0 0 1 0 1 1 0
8 0
rtentry 112 45 0 1 2 0 2 2 0
8 0
syncache 264 8 0 8 1 1 0 1 0
8 0
tcpcb 544 14 0 11 1 0 1 1 0
dino1pl 128 6801 0 5374 47 0 47 47 0
8 0
ffsino 272 6801 0 5374 96 0 96 96 0
8 0
nchpl 144 8534 0 6891 62 1 61 61 0
8 0
uvmvnodes 72 5926 0 0 108 0 108 108 0
8 0
vnodes 200 5926 0 0 312 0 312 312 0
8 0
namei 1024 21936 0 21936 2 1 1 1 0
8 1
percpumem 16 30 0 0 1 0 1 1 0
8 0
scxspl 192 18213 0 18212 7 6 1 6 0
8 0
sigapl 432 1764 0 1748 3 1 2 3 0
8 0
futexpl 56 7117 0 7117 2 1 1 1 0
8 1
knotepl 112 107 0 90 1 0 1 1 0
8 0
kqueuepl 104 3 0 1 1 0 1 1 0
8 0
pipepl 112 226 0 207 2 1 1 1 0
8 0
fdescpl 488 1765 0 1748 3 0 3 3 0
8 0
filepl 152 7682 0 7612 4 1 3 3 0
8 0
lockfpl 104 6006 0 6002 2 1 1 1 0
8 0
lockfspl 48 1507 0 1505 2 1 1 1 0
8 0
sessionpl 112 27 0 16 1 0 1 1 0
8 0
pgrppl 48 27 0 16 1 0 1 1 0
8 0
ucredpl 96 73 0 64 1 0 1 1 0
8 0
zombiepl 144 1750 0 1748 2 1 1 1 0
8 0
processpl 840 1780 0 1748 4 0 4 4 0
8 0
procpl 600 4651 0 4607 4 0 4 4 0
8 0
sockpl 384 103 0 85 3 1 2 3 0
8 0
mcl4k 4096 4 0 0 1 0 1 1 0
8 0
mcl2k 2048 95 0 0 12 0 12 12 0
8 0
mtagpl 80 1 0 0 1 0 1 1 0
8 0
mbufpl 256 153 0 0 9 0 9 9 0
8 0
bufpl 256 7502 0 1188 395 0 395 395 0
8 0
anonpl 16 114185 0 111652 19 8 11 13 0
125 0
amapchunkpl 152 8322 0 8226 7 3 4 5 0
158 0
amappl16 192 5883 0 5787 6 1 5 5 0
8 0
amappl15 184 752 0 750 1 0 1 1 0
8 0
amappl14 176 812 0 805 2 1 1 1 0
8 0
amappl12 160 23 0 22 1 0 1 1 0
8 0
amappl11 152 840 0 820 1 0 1 1 0
8 0
amappl10 144 95 0 93 1 0 1 1 0
8 0
amappl9 136 803 0 799 1 0 1 1 0
8 0
amappl8 128 175 0 165 1 0 1 1 0
8 0
amappl7 120 47 0 45 1 0 1 1 0
8 0
amappl6 112 833 0 825 1 0 1 1 0
8 0
amappl5 104 194 0 181 1 0 1 1 0
8 0
amappl4 96 2002 0 1975 2 1 1 2 0
8 0
amappl3 88 246 0 235 1 0 1 1 0
8 0
amappl2 80 13943 0 13864 5 3 2 3 0
8 0
amappl1 72 45802 0 45326 30 20 10 20 0
8 0
amappl 80 4930 0 4891 1 0 1 1 0
84 0
dma4096 4096 1 0 1 1 1 0 1 0
8 0
dma256 256 6 0 6 1 1 0 1 0
8 0
dma64 64 259 0 259 1 1 0 1 0
8 0
dma32 32 7 0 7 1 1 0 1 0
8 0
dma16 16 17 0 17 1 1 0 1 0
8 0
aobjpl 64 1 0 0 1 0 1 1 0
8 0
uaddrrnd 24 1765 0 1748 1 0 1 1 0
8 0
uaddrbest 32 2 0 0 1 0 1 1 0
8 0
uaddr 24 1765 0 1748 1 0 1 1 0
8 0
vmmpekpl 168 18492 0 18467 2 0 2 2 0
8 0
vmmpepl 168 158246 0 157071 92 35 57 78 0
357 5
vmsppl 360 1764 0 1748 2 0 2 2 0
8 0
pdppl 4096 3538 0 3496 6 0 6 6 0
8 0
pvpl 32 381210 0 375945 113 24 89 108 0 265
46
pmappl 232 1764 0 1748 2 1 1 2 0
8 0
extentpl 40 41 0 26 1 0 1 1 0
8 0
phpool 112 542 0 4 16 0 16 16 0
8 0


Tested on:

commit: cd6858be tmp debug
git tree: https://github.com/mptre/openbsd-src
console output: https://syzkaller.appspot.com/x/log.txt?x=11c9b982a00000

syzbot

May 28, 2019, 11:41:01 AM5/28/19
to an...@basename.se, syzkaller-o...@googlegroups.com
Hello,

syzbot has tested the proposed patch, and the reproducer did not trigger a
crash:

Reported-and-tested-by:
syzbot+fe74fc...@syzkaller.appspotmail.com

Tested on:

commit: 95976790 prevent list corruption
git tree: https://github.com/mptre/openbsd-src pckbc
Note: testing is done by a robot and is best-effort only.

syzbot

May 30, 2019, 6:33:01 AM5/30/19
to an...@basename.se, syzkaller-o...@googlegroups.com
Hello,

syzbot has tested the proposed patch, but the reproducer still triggered a
crash:
uvm_fault: pckbc_enqueue_cmd

uvm_fault(0xfffffd807f00b708, 0x7, 0, 2) -> e
kernel: page fault trap, code=0
Stopped at pckbc_enqueue_cmd+0x3ab: movq %rcx,0(%rax)
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
kernel page fault
uvm_fault(0xfffffd807f00b708, 0x7, 0, 2) -> e
pckbc_enqueue_cmd(ffff800000026e00,1,ffff800020c44ede,2,0,1) at
pckbc_enqueue_cmd+0x3ab sys/dev/ic/pckbc.c:935
end trace frame: 0xffff800020c44f30, count: 0
ddb{0}> trace
pckbc_enqueue_cmd(ffff800000026e00,1,ffff800020c44ede,2,0,1) at
pckbc_enqueue_cmd+0x3ab sys/dev/ic/pckbc.c:935
pms_ioctl_mouse(ffff80000066c200,80045721,ffff800020c45280,42,ffff800020b60270)
at
pms_ioctl_mouse+0x137
wsmouse_do_ioctl(ffff80000064dc00,80045721,ffff800020c45280,42,ffff800020b60270)
at
wsmouse_do_ioctl+0x2e3 sys/dev/wscons/wsmouse.c:527
wsmousedoioctl(ffff80000064dc00,80045721,ffff800020c45280,42,ffff800020b60270)
at
wsmousedoioctl+0x51 sys/dev/wscons/wsmouse.c:429
wsmux_do_ioctl(ffff800000026d00,80045721,ffff800020c45280,42,ffff800020b60270)
at
wsmux_do_ioctl+0x5b3 sys/dev/wscons/wsmux.c:546
VOP_IOCTL(fffffd8068778888,80045721,ffff800020c45280,42,fffffd807f7c6540,ffff800020b60270)
at
VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
vn_ioctl(fffffd8068f4a570,80045721,ffff800020c45280,ffff800020b60270) at
vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
sys_ioctl(ffff800020b60270,ffff800020c453a8,ffff800020c45410) at
sys_ioctl+0x5b8
syscall(ffff800020c45480) at syscall+0x552 mi_syscall
sys/sys/syscall_mi.h:99 [inline]
syscall(ffff800020c45480) at syscall+0x552 sys/arch/amd64/amd64/trap.c:574
Xsyscall(6,0,ffffffffffffff39,0,3,8b18160d010) at Xsyscall+0x128
end of kernel
end trace frame: 0x8b45b782ea0, count: -10
ddb{0}> show registers
rdi 0
rsi 0
rbp 0xffff800020c44ec0
rbx 0xffff80000066c410
rdx 0
rcx 0xffffffffffffffff
rax 0x7
r8 0
r9 0
r10 0xffff800020acef00
r11 0x6a2c78bc88bb6266
r12 0xffff800000026e00
r13 0x1
r14 0xffff80000066c400
r15 0xffff80000066c498
rip 0xffffffff811ba06b pckbc_enqueue_cmd+0x3ab
cs 0x8
rflags 0x10286 __ALIGN_SIZE+0xf286
rsp 0xffff800020c44e40
ss 0x10
pckbc_enqueue_cmd+0x3ab: movq %rcx,0(%rax)
ddb{0}> show proc
PROC (syz-executor.0) pid=154461 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=0, usrpri=77, nice=20
forw=0xffffffffffffffff, list=0xffff800020b619e0,0xffffffff8238e968
process=0xffff800020b8c360 user=0xffff800020c40000,
vmspace=0xfffffd807f00b708
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
64880 229903 61377 0 2 0 syz-executor.0
*64880 154461 61377 0 7 0x4000000 syz-executor.0
22759 83648 65673 0 3 0x3000 suspend syz-executor.1
22759 354709 65673 0 7 0x4081000 syz-executor.1
22759 94728 65673 0 3 0x4081000 kbccmd syz-executor.1
65673 114081 28802 0 3 0x82 nanosleep syz-executor.1
61377 102385 28802 0 3 0x82 nanosleep syz-executor.0
28802 197121 70344 0 3 0x82 thrsleep syz-execprog
28802 64122 70344 0 2 0x4000482 syz-execprog
28802 216249 70344 0 3 0x4000082 thrsleep syz-execprog
28802 39863 70344 0 3 0x4000082 thrsleep syz-execprog
28802 451334 70344 0 3 0x4000082 kqread syz-execprog
28802 515971 70344 0 3 0x4000082 thrsleep syz-execprog
28802 447504 70344 0 3 0x4000082 thrsleep syz-execprog
28802 377674 70344 0 3 0x4000082 thrsleep syz-execprog
28802 11714 70344 0 3 0x4000082 thrsleep syz-execprog
28802 39522 70344 0 3 0x4000082 thrsleep syz-execprog
70344 51694 99798 0 3 0x10008a pause ksh
99798 7648 29257 0 3 0x92 select sshd
19335 207439 1 0 3 0x100083 ttyin getty
29257 488032 1 0 3 0x80 select sshd
17483 354415 4582 74 3 0x100092 bpf pflogd
4582 183353 1 0 3 0x80 netio pflogd
69355 424666 95191 73 3 0x100010 ffs_fsync syslogd
95191 310867 1 0 3 0x100082 netio syslogd
86236 471404 1 77 3 0x100090 poll dhclient
17993 485445 1 0 3 0x80 poll dhclient
58105 505871 0 0 3 0x14200 pgzero zerothread
51140 250035 0 0 3 0x14200 aiodoned aiodoned
14201 314176 0 0 3 0x14200 syncer update
20374 147446 0 0 3 0x14200 cleaner cleaner
34598 342406 0 0 3 0x14200 reaper reaper
40898 390435 0 0 3 0x14200 pgdaemon pagedaemon
6468 523150 0 0 3 0x14200 bored crynlk
43392 37311 0 0 3 0x14200 bored crypto
69744 70990 0 0 3 0x40014200 acpi0 acpi0
57227 481354 0 0 3 0x40014200 idle1
38586 186316 0 0 3 0x14200 bored softnet
8102 217727 0 0 3 0x14200 bored systqmp
40567 392176 0 0 3 0x14200 bored systq
45899 386259 0 0 3 0x40014200 bored softclock
54084 121595 0 0 3 0x40014200 idle0
33599 153782 0 0 3 0x14200 bored smr
1 338640 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
Process 64880 (syz-executor.0) thread 0xffff800020b60270 (154461)
exclusive kernel_lock &kernel_lock r = 1 (0xffffffff82393de8)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 __mp_acquire_count+0x51 sys/kern/kern_lock.c:227
#2 mi_switch+0x38c sys/kern/sched_bsd.c:439
#3 sleep_finish+0x110 sys/kern/kern_synch.c:303
#4 tsleep+0x198 sleep_finish_timeout sys/kern/kern_synch.c:327 [inline]
#4 tsleep+0x198 sleep_finish_all sys/kern/kern_synch.c:157 [inline]
#4 tsleep+0x198 sys/kern/kern_synch.c:148
#5 pckbc_enqueue_cmd+0x2cf sys/dev/ic/pckbc.c:931
#6 pms_ioctl_mouse+0x137
#7 wsmouse_do_ioctl+0x2e3 sys/dev/wscons/wsmouse.c:527
#8 wsmousedoioctl+0x51 sys/dev/wscons/wsmouse.c:429
#9 wsmux_do_ioctl+0x5b3 sys/dev/wscons/wsmux.c:546
#10 VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
#11 vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
#12 sys_ioctl+0x5b8
#13 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#13 syscall+0x552 sys/arch/amd64/amd64/trap.c:574
#14 Xsyscall+0x128
shared rwlock wsmuxlk r = 0 (0xffff800000026dd0)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 wsmux_do_ioctl+0x521
#2 VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
#3 vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
#4 sys_ioctl+0x5b8
#5 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#5 syscall+0x552 sys/arch/amd64/amd64/trap.c:574
#6 Xsyscall+0x128
Process 22759 (syz-executor.1) thread 0xffff800020b60018 (94728)
shared rwlock wsmuxlk r = 0 (0xffff800000026dd0)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 wsmux_do_ioctl+0x521
#2 VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
#3 vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
#4 sys_ioctl+0x5b8
#5 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#5 syscall+0x552 sys/arch/amd64/amd64/trap.c:574
#6 Xsyscall+0x128
Process 69355 (syslogd) thread 0xffff800020b85780 (424666)
exclusive rrwlock inode r = 0 (0xfffffd806ec1de68)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 rw_enter+0x46d sys/kern/kern_rwlock.c:306
#2 rrw_enter+0x4f sys/kern/kern_rwlock.c:435
#3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:602
#4 vn_lock+0x6e sys/kern/vfs_vnops.c:549
#5 sys_fsync+0x114 sys/kern/vfs_syscalls.c:2793
#6 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#6 syscall+0x552 sys/arch/amd64/amd64/trap.c:574
#7 Xsyscall+0x128
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9461 6395K 6395K 78643K 10548 0 0
pcb 25 9K 9K 78643K 73 0 0
rtable 105 3K 3K 78643K 201 0 0
ifaddr 38 10K 10K 78643K 39 0 0
counters 39 33K 33K 78643K 39 0 0
ioctlops 0 0K 4K 78643K 1469 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1193 75K 75K 78643K 8984 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 1K 78643K 2 0 0
VM map 2 1K 1K 78643K 2 0 0
sem 2 0K 0K 78643K 2 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1808 196K 290K 78643K 12628 0 0
file desc 5 16K 24K 78643K 4968 0 0
proc 52 50K 83K 78643K 359 0 0
subproc 0 0K 1K 78643K 17 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
in_multi 33 2K 2K 78643K 33 0 0
ether_multi 1 0K 0K 78643K 1 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 18 79K 79K 78643K 18 0 0
exec 0 0K 1K 78643K 230 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 88 20K 20K 78643K 15235 0 0
UVM aobj 2 2K 2K 78643K 2 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
NDP 6 0K 0K 78643K 10 0 0
temp 55 2714K 2778K 78643K 13326 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg
Idle
arp 64 6 0 0 1 0 1 1 0
8 0
inpcbpl 280 43 0 37 1 0 1 1 0
8 0
plimitpl 152 20 0 12 1 0 1 1 0
8 0
plcache 128 20 0 0 1 0 1 1 0
8 0
rtentry 112 45 0 1 2 0 2 2 0
8 0
syncache 264 8 0 8 1 1 0 1 0
8 0
tcpqe 32 2 0 2 1 1 0 1 0
8 0
tcpcb 544 14 0 11 1 0 1 1 0
8 0
nd6 48 6 0 0 1 0 1 1 0
8 0
pfosfp 40 846 0 423 5 0 5 5 0
8 0
pfosfpen 112 1428 0 714 21 0 21 21 0
8 0
pfstitem 24 15 0 14 1 0 1 1 0
8 0
pfstkey 112 15 0 14 1 0 1 1 0
8 0
pfstate 328 15 0 14 2 1 1 2 0
8 0
pfrule 1360 21 0 16 2 1 1 2 0
8 0
art_heap8 4096 1 0 0 1 0 1 1 0
8 0
art_heap4 256 188 0 0 12 0 12 12 0
8 0
art_table 32 189 0 0 2 0 2 2 0
8 0
art_node 16 44 0 4 1 0 1 1 0
8 0
dirhash 1024 17 0 0 3 0 3 3 0
8 0
dino1pl 128 19101 0 17674 47 0 47 47 0
8 0
ffsino 272 19101 0 17674 96 0 96 96 0
8 0
nchpl 144 24156 0 22513 62 1 61 61 0
8 0
uvmvnodes 72 5926 0 0 108 0 108 108 0
8 0
vnodes 200 5926 0 0 312 0 312 312 0
8 0
namei 1024 60409 0 60409 2 1 1 1 0
8 1
percpumem 16 30 0 0 1 0 1 1 0
8 0
scxspl 192 49158 0 49157 8 7 1 6 0
8 0
sigapl 432 5190 0 5174 3 1 2 3 0
8 0
futexpl 56 24320 0 24320 2 1 1 1 0
8 1
knotepl 112 107 0 90 1 0 1 1 0
8 0
kqueuepl 104 3 0 1 1 0 1 1 0
8 0
pipepl 112 226 0 207 2 1 1 1 0
8 0
fdescpl 488 5191 0 5174 3 0 3 3 0
8 0
filepl 152 22174 0 22105 4 1 3 3 0
8 0
lockfpl 104 19599 0 19596 2 1 1 1 0
8 0
lockfspl 48 4933 0 4931 2 1 1 1 0
8 0
sessionpl 112 27 0 16 1 0 1 1 0
8 0
pgrppl 48 27 0 16 1 0 1 1 0
8 0
ucredpl 96 73 0 64 1 0 1 1 0
8 0
zombiepl 144 5175 0 5174 2 1 1 1 0
8 0
processpl 840 5206 0 5174 4 0 4 4 0
8 0
procpl 600 14470 0 14426 4 0 4 4 0
8 0
sockpl 384 103 0 85 3 0 3 3 0
8 0
mcl4k 4096 4 0 0 1 0 1 1 0
8 0
mcl2k 2048 98 0 0 12 0 12 12 0
8 0
mtagpl 80 1 0 0 1 0 1 1 0
8 0
mbufpl 256 182 0 0 10 1 9 9 0
8 0
bufpl 256 10928 0 3920 439 0 439 439 0
8 0
anonpl 16 299596 0 296920 23 12 11 13 0
125 0
amapchunkpl 152 24264 0 24165 8 4 4 6 0
158 0
amappl16 192 18625 0 18524 7 1 6 6 0
8 0
amappl15 184 4938 0 4935 2 1 1 1 0
8 0
amappl14 176 2528 0 2520 2 1 1 1 0
8 0
amappl13 168 3 0 2 2 1 1 1 0
8 0
amappl12 160 22 0 22 1 1 0 1 0
8 0
amappl11 152 86 0 68 1 0 1 1 0
8 0
amappl10 144 99 0 96 1 0 1 1 0
8 0
amappl9 136 755 0 752 1 0 1 1 0
8 0
amappl8 128 163 0 152 1 0 1 1 0
8 0
amappl7 120 48 0 43 1 0 1 1 0
8 0
amappl6 112 85 0 79 1 0 1 1 0
8 0
amappl5 104 291 0 278 1 0 1 1 0
8 0
amappl4 96 2978 0 2952 2 1 1 2 0
8 0
amappl3 88 5179 0 5164 1 0 1 1 0
8 0
amappl2 80 43065 0 42986 5 3 2 3 0
8 0
amappl1 72 109851 0 109398 31 21 10 19 0
8 0
amappl 80 14626 0 14587 1 0 1 1 0
84 0
dma4096 4096 1 0 1 1 1 0 1 0
8 0
dma256 256 6 0 6 1 1 0 1 0
8 0
dma64 64 259 0 259 1 1 0 1 0
8 0
dma32 32 7 0 7 1 1 0 1 0
8 0
dma16 16 17 0 17 1 1 0 1 0
8 0
aobjpl 64 1 0 0 1 0 1 1 0
8 0
uaddrrnd 24 5191 0 5174 1 0 1 1 0
8 0
uaddrbest 32 2 0 0 1 0 1 1 0
8 0
uaddr 24 5191 0 5174 1 0 1 1 0
8 0
vmmpekpl 168 38166 0 38141 2 0 2 2 0
8 0
vmmpepl 168 438376 0 437203 96 44 52 77 0
357 0
vmsppl 360 5190 0 5174 2 0 2 2 0
8 0
pdppl 4096 10389 0 10348 7 1 6 6 0
8 0
pvpl 32 887577 0 882170 117 73 44 108 0
265 0
pmappl 232 5190 0 5174 2 1 1 2 0
8 0
extentpl 40 41 0 26 1 0 1 1 0
8 0
phpool 112 588 0 6 17 0 17 17 0
8 0


Tested on:

commit: 297b7aa8 prevent list corruption
console output: https://syzkaller.appspot.com/x/log.txt?x=148e954ca00000

syzbot

May 30, 2019, 5:23:01 PM5/30/19
to an...@basename.se, syzkaller-o...@googlegroups.com
Hello,

syzbot has tested the proposed patch, and the reproducer did not trigger a
crash:

Reported-and-tested-by:
syzbot+fe74fc...@syzkaller.appspotmail.com

Tested on:

commit: f6a80786 prevent list corruption

syzbot

Jun 2, 2019, 12:41:00 PM6/2/19
to an...@basename.se, syzkaller-o...@googlegroups.com
Hello,

syzbot has tested the proposed patch, and the reproducer did not trigger a
crash:

Reported-and-tested-by:
syzbot+fe74fc...@syzkaller.appspotmail.com

Tested on:

commit: 2d8944f1 prevent list corruption