kernel: protection fault trap, code=0 (4)


syzbot

Feb 28, 2019, 5:14:05 PM2/28/19
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 0d1bbdcdb407 add mpip(4)
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=120998aac00000
kernel config: https://syzkaller.appspot.com/x/.config?x=ffa1da4399f74b2b
dashboard link: https://syzkaller.appspot.com/bug?extid=a33f137d7d3c0197fe86

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a33f13...@syzkaller.appspotmail.com

kernel: protection fault trap, code=0
Stopped at mrouter6_rtwalk_delete+0x2b: movl 0x5c(%r15),%r12d
ddb>
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
the kernel did not panic
ddb> trace
mrouter6_rtwalk_delete(5153e11fff8a8470,0,0) at mrouter6_rtwalk_delete+0x2b sys/netinet6/ip6_mroute.c:497
rtable_walk_helper(fffffd8036dddb20,ffff800014957c00) at rtable_walk_helper+0x58 sys/net/rtable.c:682
art_table_walk(ffff800000074780,fffffd8036ddc220,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x226 art_walk_apply sys/net/art.c:707 [inline]
art_table_walk(ffff800000074780,fffffd8036ddc220,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x226 sys/net/art.c:679
art_table_walk(ffff800000074780,fffffd8036ddc1e0,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc180,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc140,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc120,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc100,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc0e0,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc080,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc060,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc020,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc000,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc040,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc0a0,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc0c0,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc160,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc1a0,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc1c0,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc200,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc240,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc260,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc280,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc2a0,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc2c0,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc2e0,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc300,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc320,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc380,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc3a0,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc3c0,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc440,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddc4a0,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036ddcf20,ffffffff8178b4f0,ffff800014957c00) at art_table_walk+0x2a6 sys/net/art.c:688
art_walk(ffff800000074780,ffffffff8178b4f0,ffff800014957c00) at art_walk+0xcf sys/net/art.c:626
rtable_walk(0,18,ffffffff8122ec00,0) at rtable_walk+0xd7 sys/net/rtable.c:706
ip6_mrouter_done(fffffd803982c180) at ip6_mrouter_done+0xc4 sys/netinet6/ip6_mroute.c:526
rip6_detach(fffffd803982c180) at rip6_detach+0x56 sys/netinet6/raw_ip6.c:748
soclose(fffffd803982c180,0) at soclose+0xb2 sys/kern/uipc_socket.c:292
soo_close(fffffd8039c20b58,ffff8000149d4270) at soo_close+0x40
fdrop(fffffd8039c20b58,ffff8000149d4270) at fdrop+0xc9 sys/kern/kern_descrip.c:1260
closef(fffffd8039c20b58,ffff8000149d4270) at closef+0x124 sys/kern/kern_descrip.c:1244
fdfree(ffff8000149d4270) at fdfree+0xe7 sys/kern/kern_descrip.c:1176
exit1(ffff8000149d4270,0,1) at exit1+0x2f4 sys/kern/kern_exit.c:194
sys_exit(ffff8000149d4270,ffff8000149580e0,ffff8000149580d0) at sys_exit+0x17 sys/kern/kern_exit.c:94
syscall(ffff800014958180) at syscall+0x541
Xsyscall(6,1,0,1,0,7f7ffffe13a4) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffe1370, count: -47
ddb> show registers
rdi 0x5153e11fff8a8470
rsi 0
rbp 0xffff800014956940
rbx 0xffff800000074788
rdx 0
rcx 0
rax 0x204
r8 0
r9 0x5
r10 0
r11 0x5fc5adf50e8daba6
r12 0
r13 0xfffffd8036ddc220
r14 0
r15 0x5153e11fff8a8470
rip 0xffffffff8122ec2b mrouter6_rtwalk_delete+0x2b
cs 0x8
rflags 0x10246 __ALIGN_SIZE+0xf246
rsp 0xffff800014956900
ss 0x10
mrouter6_rtwalk_delete+0x2b: movl 0x5c(%r15),%r12d
ddb> show proc
PROC (syz-executor.1) pid=484813 stat=onproc
flags process=1008<EXITING,SINGLEEXIT> proc=2000<WEXIT>
pri=50, usrpri=78, nice=20
forw=0xffffffffffffffff, list=0xffff8000149d4bd0,0xffffffff82264bc8
process=0xffff8000ffff69e8 user=0xffff800014953000,
vmspace=0xfffffd803f015d68
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
19959 483335 1 0 3 0x100083 ttyin getty
2989 517760 0 0 3 0x14200 bored sosplice
31500 429419 63020 0 3 0x2 biowait syz-executor.0
59158 112605 63020 0 3 0x82 nanosleep syz-executor.1
63020 6625 50092 0 3 0x82 thrsleep syz-fuzzer
63020 190560 50092 0 3 0x4000082 nanosleep syz-fuzzer
63020 43389 50092 0 3 0x4000082 thrsleep syz-fuzzer
63020 110269 50092 0 3 0x4000082 kqread syz-fuzzer
63020 441551 50092 0 3 0x4000082 thrsleep syz-fuzzer
63020 286069 50092 0 3 0x4000082 thrsleep syz-fuzzer
63020 439753 50092 0 3 0x4000082 thrsleep syz-fuzzer
50092 375479 15116 0 3 0x10008a pause ksh
15116 62073 95523 0 3 0x92 select sshd
95523 93770 1 0 3 0x80 select sshd
74798 16928 7021 73 3 0x100090 kqread syslogd
7021 477313 1 0 3 0x100082 netio syslogd
41605 131787 1 77 3 0x100090 poll dhclient
53474 59062 1 0 3 0x80 poll dhclient
81561 289761 0 0 2 0x14200 zerothread
1532 371719 0 0 3 0x14200 aiodoned aiodoned
46288 66984 0 0 3 0x14200 syncer update
65478 19388 0 0 3 0x14200 cleaner cleaner
26152 479804 0 0 3 0x14200 reaper reaper
93601 337232 0 0 3 0x14200 pgdaemon pagedaemon
23210 512129 0 0 3 0x14200 bored crynlk
58596 377782 0 0 3 0x14200 bored crypto
97237 32077 0 0 3 0x40014200 acpi0 acpi0
72696 407874 0 0 3 0x14200 bored softnet
64821 357827 0 0 2 0x14200 systqmp
58811 392995 0 0 3 0x14200 bored systq
26778 245622 0 0 3 0x40014200 bored softclock
91754 407002 0 0 3 0x40014200 idle0
43311 110841 0 0 3 0x14200 bored smr
1 131226 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb> show all locks
No such command
ddb> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9556 8412K 8433K 78643K 12392 0 0
pcb 25 9K 11K 78643K 2873 0 0
rtable 101 3K 3K 78643K 1112 0 0
ifaddr 67 17K 19K 78643K 637 0 0
counters 19 16K 16K 78643K 19 0 0
ioctlops 0 0K 2K 78643K 80 0 0
iov 0 0K 24K 78643K 727 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1201 75K 76K 78643K 4299 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 5K 78643K 78 0 0
VM map 2 0K 0K 78643K 2 0 0
sem 12 1K 1K 78643K 146 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1777 193K 286K 78643K 12501 0 0
file desc 5 13K 25K 78643K 5471 0 0
sigio 1 0K 0K 78643K 76 0 0
proc 42 30K 54K 78643K 912 0 0
subproc 64 65538K 69634K 78643K 106 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
ip_moptions 0 0K 0K 78643K 1917 0 0
in_multi 33 2K 2K 78643K 783 0 0
ether_multi 1 0K 0K 78643K 42 0 0
mrt 1 0K 0K 78643K 11 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 132 583K 583K 78643K 132 0 0
exec 0 0K 1K 78643K 729 0 0
pfkey data 0 0K 0K 78643K 2 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 106 22K 42K 78643K 14143 0 0
UVM aobj 130 5K 5K 78643K 155 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
ip6_options 0 0K 0K 78643K 185 0 0
NDP 15 0K 0K 78643K 168 0 0
temp 192 2360K 2487K 78643K 17493 0 0
kqueue 0 0K 0K 78643K 47 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp 64 4 0 0 1 0 1 1 0 8 0
inpcbpl 280 3159 0 3150 1 0 1 1 0 8 0
plimitpl 152 76 0 69 1 0 1 1 0 8 0
rtentry 112 42 0 2 2 0 2 2 0 8 0
syncache 264 4 0 4 1 1 0 1 0 8 0
tcpqe 32 8 0 8 1 1 0 1 0 8 0
tcpcb 544 877 0 873 1 0 1 1 0 8 0
rttmr 72 1 0 1 1 0 1 1 0 8 1
nd6 48 4 0 0 1 0 1 1 0 8 0
ppxss 1128 129 0 129 31 30 1 1 0 8 1
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 186 0 0 12 0 12 12 0 8 0
art_table 32 187 0 0 2 0 2 2 0 8 0
art_node 16 41 0 6 1 0 1 1 0 8 0
sysvmsgpl 40 105 0 96 1 0 1 1 0 8 0
semapl 112 144 0 134 1 0 1 1 0 8 0
shmpl 112 153 0 25 4 0 4 4 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino1pl 128 11776 0 10305 48 0 48 48 0 8 0
ffsino 240 11776 0 10305 88 1 87 87 0 8 0
nchpl 144 20867 0 19243 61 0 61 61 0 8 0
uvmvnodes 72 5926 0 0 108 0 108 108 0 8 0
vnodes 200 5926 0 0 312 0 312 312 0 8 0
namei 1024 63090 0 63089 2 1 1 1 0 8 0
scsiplug 64 7 0 7 6 6 0 1 0 8 0
scxspl 192 71925 0 71924 31 29 2 6 0 8 1
sigapl 432 5642 0 5629 2 0 2 2 0 8 0
futexpl 56 102472 0 102472 1 0 1 1 0 8 1
knotepl 112 1320 0 1293 2 0 2 2 0 8 0
kqueuepl 104 1649 0 1647 1 0 1 1 0 8 0
pipepl 112 5958 0 5939 19 17 2 2 0 8 1
fdescpl 424 5643 0 5629 2 0 2 2 0 8 0
filepl 120 39024 0 38928 14 9 5 5 0 8 1
lockfpl 104 1937 0 1937 8 7 1 1 0 8 1
lockfspl 32 2758 0 2758 8 7 1 1 0 8 1
sessionpl 112 20 0 10 1 0 1 1 0 8 0
pgrppl 48 92 0 82 1 0 1 1 0 8 0
ucredpl 96 11702 0 11695 1 0 1 1 0 8 0
zombiepl 144 5630 0 5629 3 2 1 1 0 8 0
processpl 840 5658 0 5629 4 0 4 4 0 8 0
procpl 600 13177 0 13142 4 0 4 4 0 8 0
sosppl 128 93 0 93 23 22 1 1 0 8 1
sockpl 384 5703 0 5684 16 12 4 4 0 8 2
mcl64k 65536 3001 0 3001 295 295 0 47 0 8 0
mcl16k 16384 17 0 17 14 14 0 1 0 8 0
mcl12k 12288 129 0 129 30 29 1 1 0 8 1
mcl9k 9216 93 0 93 38 38 0 1 0 8 0
mcl8k 8192 82 0 82 31 31 0 1 0 8 0
mcl4k 4096 265 0 265 24 23 1 1 0 8 1
mcl2k2 2112 38 0 38 22 22 0 1 0 8 0
mcl2k 2048 53799 0 53768 11 6 5 8 0 8 0
mtagpl 80 4 0 4 2 2 0 1 0 8 0
mbufpl 256 117934 0 117878 154 149 5 28 0 8 0
bufpl 256 20169 0 14686 344 0 344 344 0 8 0
anonpl 16 590894 0 582214 314 271 43 59 0 62 7
amapchunkpl 152 33145 0 33066 231 203 28 96 0 158 23
amappl16 192 35652 0 35187 311 286 25 40 0 8 1
amappl15 184 2 0 0 1 0 1 1 0 8 0
amappl14 176 2645 0 2644 2 1 1 1 0 8 0
amappl13 168 23 0 20 1 0 1 1 0 8 0
amappl12 160 26 0 22 1 0 1 1 0 8 0
amappl11 152 177 0 168 1 0 1 1 0 8 0
amappl10 144 60 0 58 2 1 1 1 0 8 0
amappl9 136 351 0 346 1 0 1 1 0 8 0
amappl8 128 2979 0 2940 2 0 2 2 0 8 0
amappl7 120 26 0 22 1 0 1 1 0 8 0
amappl6 112 2686 0 2679 1 0 1 1 0 8 0
amappl5 104 165 0 153 1 0 1 1 0 8 0
amappl4 96 306 0 282 2 1 1 2 0 8 0
amappl3 88 400 0 394 1 0 1 1 0 8 0
amappl2 80 58620 0 58566 2 0 2 2 0 8 0
amappl1 72 108706 0 108293 25 16 9 18 0 8 0
amappl 72 13504 0 13473 1 0 1 1 0 75 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma64 64 259 0 259 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 17 0 17 1 1 0 1 0 8 0
aobjpl 64 154 0 25 3 0 3 3 0 8 0
uaddrrnd 24 5643 0 5629 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 5643 0 5629 1 0 1 1 0 8 0
vmmpekpl 168 45321 0 45302 2 0 2 2 0 8 0
vmmpepl 168 593937 0 592522 245 177 68 80 0 357 1
vmsppl 264 5642 0 5629 2 1 1 2 0 8 0
pdppl 4096 11292 0 11258 6 1 5 6 0 8 0
pvpl 32 1801247 0 1789518 577 448 129 208 0 265 32
pmappl 192 5642 0 5629 1 0 1 1 0 8 0
extentpl 40 39 0 25 1 0 1 1 0 8 0
phpool 112 988 0 523 16 0 16 16 0 8 0


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

syzbot

Feb 28, 2019, 5:35:05 PM2/28/19
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 0d1bbdcdb407 add mpip(4)
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=15f7de42c00000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=143661f4c00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1403cd5cc00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a33f13...@syzkaller.appspotmail.com

login: kernel: protection fault trap, code=0
Stopped at mrouter6_rtwalk_delete+0x2b: movl 0x5c(%r15),%r12d
ddb>
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
the kernel did not panic
ddb> trace
mrouter6_rtwalk_delete(d0328f8e50a22aee,0,0) at mrouter6_rtwalk_delete+0x2b sys/netinet6/ip6_mroute.c:497
rtable_walk_helper(fffffd8036de1ce0,ffff80001499a4a0) at rtable_walk_helper+0x58 sys/net/rtable.c:682
art_table_walk(ffff800000074780,fffffd8036de0300,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x226 art_walk_apply sys/net/art.c:707 [inline]
art_table_walk(ffff800000074780,fffffd8036de0300,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x226 sys/net/art.c:679
art_table_walk(ffff800000074780,fffffd8036de02e0,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de02a0,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0260,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0240,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de01c0,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de01a0,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0140,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0100,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de00c0,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de00a0,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0020,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0000,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0040,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0060,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0080,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de00e0,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0120,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0160,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0180,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de01e0,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0200,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0220,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0280,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de02c0,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0320,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0360,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0380,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de03e0,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0400,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0440,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000074780,fffffd8036de0f00,ffffffff8178b4f0,ffff80001499a4a0) at art_table_walk+0x2a6 sys/net/art.c:688
art_walk(ffff800000074780,ffffffff8178b4f0,ffff80001499a4a0) at art_walk+0xcf sys/net/art.c:626
rtable_walk(0,18,ffffffff8122ec00,0) at rtable_walk+0xd7 sys/net/rtable.c:706
ip6_mrouter_done(fffffd803642cc08) at ip6_mrouter_done+0xc4 sys/netinet6/ip6_mroute.c:526
rip6_detach(fffffd803642cc08) at rip6_detach+0x56 sys/netinet6/raw_ip6.c:748
soclose(fffffd803642cc08,0) at soclose+0xb2 sys/kern/uipc_socket.c:292
soo_close(fffffd80361a31e8,ffff8000ffff5078) at soo_close+0x40
fdrop(fffffd80361a31e8,ffff8000ffff5078) at fdrop+0xc9 sys/kern/kern_descrip.c:1260
closef(fffffd80361a31e8,ffff8000ffff5078) at closef+0x124 sys/kern/kern_descrip.c:1244
fdfree(ffff8000ffff5078) at fdfree+0xe7 sys/kern/kern_descrip.c:1176
exit1(ffff8000ffff5078,0,1) at exit1+0x2f4 sys/kern/kern_exit.c:194
sys_exit(ffff8000ffff5078,ffff80001499a980,ffff80001499a970) at sys_exit+0x17 sys/kern/kern_exit.c:94
syscall(ffff80001499aa20) at syscall+0x541
Xsyscall(6,1,7f7ffffeb0c8,1,1,0) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffeb060, count: -47
ddb> show registers
rdi 0xd0328f8e50a22aee
rsi 0
rbp 0xffff8000149991e0
rbx 0xffff800000074788
rdx 0
rcx 0x1
rax 0x204
r8 0
r9 0x5
r10 0x926743701ac0bfbc
r11 0x9b6947429d56b64f
r12 0
r13 0xfffffd8036de0300
r14 0
r15 0xd0328f8e50a22aee
rip 0xffffffff8122ec2b mrouter6_rtwalk_delete+0x2b
cs 0x8
rflags 0x10246 __ALIGN_SIZE+0xf246
rsp 0xffff8000149991a0
ss 0x10
mrouter6_rtwalk_delete+0x2b: movl 0x5c(%r15),%r12d
ddb> show proc
PROC (syz-executor1114) pid=469249 stat=onproc
flags process=a<EXEC,EXITING> proc=2000<WEXIT>
pri=50, usrpri=50, nice=20
forw=0xffffffffffffffff, list=0xffff8000ffff4268,0xffffffff82264bc8
process=0xffff800014962360 user=0xffff800014995000,
vmspace=0xfffffd803f015630
estcpu=0, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
35536 479663 19506 0 3 0x10008a pause ksh
19506 453665 47492 0 3 0x92 select sshd
78334 361723 1 0 3 0x100083 ttyin getty
47492 6396 1 0 3 0x80 select sshd
8340 209018 29085 73 3 0x100090 kqread syslogd
29085 109966 1 0 3 0x100082 netio syslogd
68066 120240 1 77 3 0x100090 poll dhclient
98656 383651 1 0 3 0x80 poll dhclient
27534 500438 0 0 2 0x14200 zerothread
57774 218987 0 0 3 0x14200 aiodoned aiodoned
57026 516288 0 0 3 0x14200 syncer update
48000 39695 0 0 3 0x14200 cleaner cleaner
95582 24901 0 0 3 0x14200 reaper reaper
77133 163567 0 0 3 0x14200 pgdaemon pagedaemon
65199 35976 0 0 3 0x14200 bored crynlk
78238 229182 0 0 3 0x14200 bored crypto
6231 289892 0 0 3 0x40014200 acpi0 acpi0
83245 326892 0 0 3 0x14200 bored softnet
68512 199941 0 0 2 0x14200 systqmp
7016 63645 0 0 3 0x14200 bored systq
69237 26016 0 0 3 0x40014200 bored softclock
21844 76390 0 0 3 0x40014200 idle0
98655 460125 0 0 3 0x14200 bored smr
1 99271 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb> show all locks
No such command
ddb> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9426 6306K 6307K 78643K 10519 0 0
pcb 24 9K 9K 78643K 56 0 0
rtable 62 1K 2K 78643K 119 0 0
ifaddr 21 7K 7K 78643K 21 0 0
counters 19 16K 16K 78643K 19 0 0
ioctlops 0 0K 2K 78643K 13 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1166 73K 73K 78643K 1171 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 1K 78643K 2 0 0
VM map 2 0K 0K 78643K 2 0 0
sem 2 0K 0K 78643K 2 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1777 193K 286K 78643K 12501 0 0
file desc 1 0K 0K 78643K 1 0 0
proc 40 30K 38K 78643K 207 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
in_multi 11 0K 0K 78643K 11 0 0
ether_multi 1 0K 0K 78643K 1 0 0
mrt 1 0K 0K 78643K 2 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 18 79K 79K 78643K 18 0 0
exec 0 0K 1K 78643K 150 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 46 2K 3K 78643K 660 0 0
UVM aobj 2 2K 2K 78643K 2 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
NDP 3 0K 0K 78643K 3 0 0
temp 30 2339K 2403K 78643K 1681 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp 64 2 0 0 1 0 1 1 0 8 0
inpcbpl 280 23 0 16 1 0 1 1 0 8 0
plimitpl 152 13 0 8 1 0 1 1 0 8 0
rtentry 112 24 0 2 1 0 1 1 0 8 0
syncache 264 5 0 5 1 0 1 1 0 8 1
tcpcb 544 8 0 5 1 0 1 1 0 8 0
rttmr 72 1 0 1 1 0 1 1 0 8 1
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 97 0 0 7 0 7 7 0 8 0
art_table 32 98 0 0 1 0 1 1 0 8 0
art_node 16 23 0 2 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino1pl 128 1381 0 16 45 0 45 45 0 8 0
ffsino 240 1381 0 16 81 0 81 81 0 8 0
nchpl 144 1554 0 30 57 0 57 57 0 8 0
uvmvnodes 72 1390 0 0 26 0 26 26 0 8 0
vnodes 200 1390 0 0 74 0 74 74 0 8 0
namei 1024 3260 0 3260 2 1 1 1 0 8 1
scxspl 192 2347 0 2347 8 2 6 6 0 8 6
sigapl 432 174 0 164 2 0 2 2 0 8 0
knotepl 112 5 0 0 1 0 1 1 0 8 0
kqueuepl 104 1 0 0 1 0 1 1 0 8 0
pipepl 112 114 0 107 2 1 1 1 0 8 0
fdescpl 424 175 0 164 2 0 2 2 0 8 0
filepl 120 808 0 765 2 0 2 2 0 8 0
lockfpl 104 6 0 6 1 1 0 1 0 8 0
lockfspl 32 3 0 3 1 1 0 1 0 8 0
sessionpl 112 17 0 9 1 0 1 1 0 8 0
pgrppl 48 17 0 9 1 0 1 1 0 8 0
ucredpl 96 47 0 40 1 0 1 1 0 8 0
zombiepl 144 165 0 164 2 1 1 1 0 8 0
processpl 840 189 0 164 4 0 4 4 0 8 0
procpl 600 189 0 164 3 0 3 3 0 8 0
sockpl 384 65 0 48 2 0 2 2 0 8 0
mcl4k 4096 10 0 10 1 0 1 1 0 8 1
mcl2k 2048 5640 0 5612 6 0 6 6 0 8 1
mtagpl 80 2 0 2 1 1 0 1 0 8 0
mbufpl 256 9698 0 9655 6 2 4 4 0 8 0
bufpl 256 2011 0 230 112 0 112 112 0 8 0
anonpl 16 17025 0 15939 7 1 6 6 0 62 1
amapchunkpl 152 513 0 478 2 0 2 2 0 158 0
amappl16 192 70 0 65 1 0 1 1 0 8 0
amappl15 184 1 0 0 1 0 1 1 0 8 0
amappl14 176 2 0 2 1 1 0 1 0 8 0
amappl13 168 14 0 11 1 0 1 1 0 8 0
amappl12 160 28 0 25 1 0 1 1 0 8 0
amappl11 152 172 0 163 1 0 1 1 0 8 0
amappl10 144 46 0 46 2 1 1 1 0 8 1
amappl9 136 200 0 199 1 0 1 1 0 8 0
amappl8 128 81 0 77 1 0 1 1 0 8 0
amappl7 120 11 0 10 1 0 1 1 0 8 0
amappl6 112 43 0 38 1 0 1 1 0 8 0
amappl5 104 156 0 145 1 0 1 1 0 8 0
amappl4 96 258 0 238 1 0 1 1 0 8 0
amappl3 88 121 0 115 1 0 1 1 0 8 0
amappl2 80 555 0 521 1 0 1 1 0 8 0
amappl1 72 11579 0 11195 14 4 10 14 0 8 0
amappl 72 376 0 357 1 0 1 1 0 75 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma64 64 259 0 259 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 17 0 17 1 1 0 1 0 8 0
aobjpl 64 1 0 0 1 0 1 1 0 8 0
uaddrrnd 24 175 0 164 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 175 0 164 1 0 1 1 0 8 0
vmmpekpl 168 5196 0 5181 1 0 1 1 0 8 0
vmmpepl 168 23570 0 22886 48 14 34 42 0 357 3
vmsppl 264 174 0 164 1 0 1 1 0 8 0
pdppl 4096 356 0 328 5 0 5 5 0 8 0
pvpl 32 70712 0 67976 30 4 26 26 0 265 3
pmappl 192 174 0 164 1 0 1 1 0 8 0
extentpl 40 39 0 25 1 0 1 1 0 8 0
phpool 112 227 0 5 7 0 7 7 0 8 0
ddb>
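Both dumps above stop at the same instruction, `movl 0x5c(%r15),%r12d` at mrouter6_rtwalk_delete+0x2b, and in both the dereferenced register holds the callback's first argument (still in %rdi, and shown as the first value in the trace line), yet that value differs between runs: 0x5153e11fff8a8470 the first time, 0xd0328f8e50a22aee the second, and 0x18e03c1eb6c0d3c8 in the patch-test run further down. None of them lies in any amd64 kernel mapping, which is why the CPU raises a general protection fault rather than a page fault, and a pointer that changes on every run is the usual signature of reading freed or uninitialised memory rather than of a NULL dereference. The script below is an added triage helper, not part of the syzbot report or of OpenBSD: it parses the `Stopped at` line and the `show registers` block, works out which register the faulting instruction dereferences, and classifies every register value against the kernel address layout. The address ranges are an assumption taken from OpenBSD's amd64 vmparam.h/pmap.h of that era and are only required to agree with the stack, pool and text pointers visible in the dumps; the two embedded dumps are trimmed copies of the first two reports in this thread.

```python
"""Triage helper for the ddb 'protection fault trap' dumps in this thread.
Added example, not from the report: it parses the 'Stopped at' line and
the 'show registers' block, finds the register the faulting instruction
dereferences, and classifies pointer values by kernel address region."""
import re

# Assumed OpenBSD/amd64 layout (vmparam.h/pmap.h of the 2019 tree); the
# ranges agree with the stack, pool and text pointers in the dumps.
REGIONS = (
    ("kernel vm (stacks, malloc)", 0xffff800000000000, 0xffff800100000000),
    ("direct map (pool pages)", 0xfffffd8000000000, 0xffffff0000000000),
    ("kernel text/data", 0xffffffff80000000, 1 << 64),
)
USER_MAX = 0x00007fffffffffff  # top of the canonical user half
PAGE_SIZE = 4096
MASK64 = (1 << 64) - 1

STOPPED_RE = re.compile(r"Stopped at\s+(\S+):\s+(\S+)\s+(\S+)")
MEMOP_RE = re.compile(r"(-?0x[0-9a-f]+|-?\d+)?\((%[a-z0-9]+)")  # AT&T disp(%base)
REG_RE = re.compile(r"^\s*([a-z][a-z0-9]*)\s+(0x[0-9a-f]+|\d+)\b", re.M)


def classify(addr):
    """Name the address region *addr* falls in."""
    if addr < PAGE_SIZE:
        return "null page"
    if addr <= USER_MAX:
        return "userland"
    for name, lo, hi in REGIONS:
        if lo <= addr < hi:
            return name
    # Non-canonical/unmapped: amd64 raises #GP, shown by ddb as 'protection fault trap'.
    return "wild (no kernel mapping)"


def registers(dump):
    """Parse the 'show registers' block of *dump* into {name: value}."""
    block = dump[max(dump.find("show registers"), 0):]
    end = block.find("ddb>")
    if end > 0:
        block = block[:end]
    return {n: int(v, 0) for n, v in REG_RE.findall(block)}


def parse_fault(dump):
    """Describe the memory access that faulted, from one ddb dump."""
    m = STOPPED_RE.search(dump)
    if not m:
        raise ValueError("no 'Stopped at' line")
    where, mnemonic, operands = m.groups()
    op = MEMOP_RE.search(operands)
    if not op:
        raise ValueError("no memory operand in " + operands)
    disp = int(op.group(1), 0) if op.group(1) else 0
    base = op.group(2)[1:]
    regs = registers(dump)
    if base not in regs:
        raise ValueError("%s missing from 'show registers'" % base)
    ea = (regs[base] + disp) & MASK64
    return {"where": where, "insn": mnemonic + " " + operands, "base": base,
            "base_value": regs[base], "offset": disp, "effective_address": ea,
            "base_class": classify(regs[base]), "pc": regs.get("rip"),
            "register_map": {n: classify(v) for n, v in regs.items()}}


def compare(dumps):
    """Cross-check several dumps of one crash signature."""
    faults = [parse_fault(d) for d in dumps]
    return {"same_pc": len({f["pc"] for f in faults}) == 1,
            "same_base_register": len({f["base"] for f in faults}) == 1,
            "distinct_pointer_values": len({f["base_value"] for f in faults}),
            "all_wild": all(f["base_class"].startswith("wild") for f in faults)}


# Lines copied from the first two dumps in this thread (registers trimmed).
DUMP1 = """\
Stopped at mrouter6_rtwalk_delete+0x2b: movl 0x5c(%r15),%r12d
ddb> show registers
rdi 0x5153e11fff8a8470
rbp 0xffff800014956940
r13 0xfffffd8036ddc220
r15 0x5153e11fff8a8470
rip 0xffffffff8122ec2b mrouter6_rtwalk_delete+0x2b
rsp 0xffff800014956900
ddb> show proc
"""
DUMP2 = """\
Stopped at mrouter6_rtwalk_delete+0x2b: movl 0x5c(%r15),%r12d
ddb> show registers
rdi 0xd0328f8e50a22aee
r13 0xfffffd8036de0300
r15 0xd0328f8e50a22aee
rip 0xffffffff8122ec2b mrouter6_rtwalk_delete+0x2b
rsp 0xffff8000149991a0
ddb> show proc
"""

if __name__ == "__main__":
    for d in (DUMP1, DUMP2):
        f = parse_fault(d)
        print("%s: %%%s=%#x is %s, access at %#x" % (
            f["where"], f["base"], f["base_value"], f["base_class"], f["effective_address"]))
    print(compare([DUMP1, DUMP2]))
```

Run against the two dumps it reports %r15 as wild in both while %r13 (the art node being walked) sits in the direct map and %rsp in kernel VM, and `compare` returns the same PC with two distinct pointer values, which is the shape you want to confirm before spending time on a NULL-check theory.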

Dmitry Vyukov

May 13, 2019, 1:38:18 AM5/13/19
to syzbot, syzkaller-o...@googlegroups.com
#syz test: https://github.com/openbsd/src.git 0d1bbdcdb407

syzbot

May 13, 2019, 1:40:01 AM5/13/19
to syzkaller-o...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

failed to checkout kernel repo https://github.com/openbsd/src.git on commit
0d1bbdcdb407: failed to run ["git" "checkout" "0d1bbdcdb407"]: exit status 1
error: pathspec '0d1bbdcdb407' did not match any file(s) known to git



Tested on:

commit: [unknown
git tree: https://github.com/openbsd/src.git 0d1bbdcdb407
compiler:

Dmitry Vyukov

May 13, 2019, 3:01:47 AM5/13/19
to syzbot, Greg Steuck, Anton Lindqvist, syzkaller-o...@googlegroups.com
From: syzbot <syzbot+a33f13...@syzkaller.appspotmail.com>
Date: Mon, May 13, 2019 at 7:40 AM
To: <syzkaller-o...@googlegroups.com>

> Hello,
>
> syzbot tried to test the proposed patch but build/boot failed:
>
> failed to checkout kernel repo https://github.com/openbsd/src.git on commit
> 0d1bbdcdb407: failed to run ["git" "checkout" "0d1bbdcdb407"]: exit status 1
> error: pathspec '0d1bbdcdb407' did not match any file(s) known to git

Hmmm. Was the openbsd tree rebased and force pushed?
0d1bbdcdb407 is a real commit, but it's not reachable from HEAD
anymore and I can't fetch it (tried --tags too):
https://github.com/openbsd/src/commit/0d1bbdcdb407c29969f4b024f75ba782fa351e8c
instead it's now called fa3987868eb897079d198943d8984a9c66c50838:
https://github.com/openbsd/src/commit/fa3987868eb897079d198943d8984a9c66c50838

#syz test: https://github.com/openbsd/src.git fa3987868eb897079d198


> Tested on:
>
> commit: [unknown
> git tree: https://github.com/openbsd/src.git 0d1bbdcdb407
> compiler:
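The checkout failure above is how a hash-pinned automated test loses its pin without anyone noticing. A commit can still exist as an object in the repository that produced it while no branch or tag reaches it any more (after a rebase, a force push, or a regenerated conversion of the upstream tree), and a fresh clone or fetch then never receives that object, which is exactly the "pathspec did not match" error syzbot printed. The script below is an added example, not part of this thread or of syzkaller: it builds a throwaway repository with git, rewrites its history with `git commit --amend`, and runs the two checks a bot should make before trusting a hash (object present vs. reachable from a ref), both in the original repository and in a fresh clone. It assumes a git binary on PATH; the file name and commit messages are made up.

```python
"""Why '#syz test ... 0d1bbdcdb407' could not check the commit out.
Added example, not part of this thread or of syzkaller: a throwaway
repository whose history is rewritten, then two checks a bot should run
before trusting a hash: does the object exist, and does any ref reach it."""
import os
import subprocess
import tempfile

# Identity for the throwaway commits (assumed; avoids needing a gitconfig).
GIT_ENV = dict(os.environ, GIT_AUTHOR_NAME="ex", GIT_AUTHOR_EMAIL="ex@example.invalid",
               GIT_COMMITTER_NAME="ex", GIT_COMMITTER_EMAIL="ex@example.invalid")


def git(repo, *args, check=True):
    """Run a git subcommand inside *repo* and return the CompletedProcess."""
    r = subprocess.run(["git", "-c", "commit.gpgsign=false", *args], cwd=repo,
                       env=GIT_ENV, capture_output=True, text=True)
    if check and r.returncode != 0:
        raise RuntimeError("git %s failed: %s" % (" ".join(args), r.stderr.strip()))
    return r


def object_present(repo, sha):
    """True if the commit object exists locally, whether reachable or dangling."""
    return git(repo, "cat-file", "-e", sha + "^{commit}", check=False).returncode == 0


def reachable(repo, sha):
    """True if some branch or tag reaches *sha*, i.e. a clone/fetch would get it.
    *sha* may be an abbreviated prefix, as in the '#syz test' line above."""
    return any(c.startswith(sha) for c in git(repo, "rev-list", "--all").stdout.split())


def demo():
    """Build a mirror, rewrite its history, clone it, and report what each check says."""
    with tempfile.TemporaryDirectory() as tmp:
        mirror = os.path.join(tmp, "mirror")
        os.mkdir(mirror)
        git(mirror, "init", "-q")
        with open(os.path.join(mirror, "ip6_mroute.c"), "w") as f:
            f.write("/* placeholder file, not the real source */\n")
        git(mirror, "add", ".")
        git(mirror, "commit", "-q", "-m", "add mpip(4)")
        old = git(mirror, "rev-parse", "HEAD").stdout.strip()
        # Rewrite history: same tree, new commit object, as a rebase,
        # force push or regenerated CVS-to-git conversion would produce.
        git(mirror, "commit", "-q", "--amend", "-m", "add mpip(4) [reconverted]")
        new = git(mirror, "rev-parse", "HEAD").stdout.strip()
        # --no-local forces the fetch protocol, so only reachable objects
        # travel, exactly like a bot fetching the mirror over the network.
        clone = os.path.join(tmp, "clone")
        git(tmp, "clone", "-q", "--no-local", mirror, clone)
        return {"old": old, "new": new,
                "old_present_in_mirror": object_present(mirror, old),
                "old_reachable_in_mirror": reachable(mirror, old[:12]),
                "old_present_in_clone": object_present(clone, old),
                "old_reachable_in_clone": reachable(clone, old[:12]),
                "new_reachable_in_clone": reachable(clone, new)}


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-25s %s" % (k, v))
```

The mirror still has the old object (so a web UI can render it, as the GitHub link above does) but no ref reaches it, and the clone has neither; `reachable()` is the check to run on the hash before handing it to "#syz test", and the durable fix is to pin a tag or a signed ref rather than a bare hash from a mirror whose history may be regenerated.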

syzbot

May 13, 2019, 3:11:01 AM5/13/19
to an...@basename.se, dvy...@google.com, gne...@google.com, syzkaller-o...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
kernel: protection fault trap, code=0

login: kernel: protection fault trap, code=0
Stopped at mrouter6_rtwalk_delete+0x2b: movl 0x5c(%r15),%r12d
ddb>
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
the kernel did not panic
ddb> trace
mrouter6_rtwalk_delete(18e03c1eb6c0d3c8,0,0) at mrouter6_rtwalk_delete+0x2b
sys/netinet6/ip6_mroute.c:497
rtable_walk_helper(fffffd8036e07b30,ffff800014a144d8) at
rtable_walk_helper+0x58 sys/net/rtable.c:682
art_table_walk(ffff800000075780,fffffd8036e062c0,ffffffff81a5d3c0,ffff800014a144d8)
at
art_table_walk+0x226 art_walk_apply sys/net/art.c:707 [inline]
art_table_walk(ffff800000075780,fffffd8036e062c0,ffffffff81a5d3c0,ffff800014a144d8)
at
art_table_walk+0x226 sys/net/art.c:679
art_table_walk(ffff800000075780,fffffd8036e062a0,ffffffff81a5d3c0,ffff800014a144d8)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06280,ffffffff81a5d3c0,ffff800014a144d8)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06240,ffffffff81a5d3c0,ffff800014a144d8)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06200,ffffffff81a5d3c0,ffff800014a144d8)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e061e0,ffffffff81a5d3c0,ffff800014a144d8)
at
art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06120,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06100,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e060e0,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e060c0,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e060a0,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06040,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06020,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06000,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06060,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06080,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06140,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06160,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06180,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e061a0,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e061c0,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06220,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06260,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e062e0,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06300,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06320,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06360,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e063a0,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06400,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06460,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e064a0,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_table_walk(ffff800000075780,fffffd8036e06f60,ffffffff81a5d3c0,ffff800014a144d8) at art_table_walk+0x2a6 sys/net/art.c:688
art_walk(ffff800000075780,ffffffff81a5d3c0,ffff800014a144d8) at art_walk+0xcf sys/net/art.c:626
rtable_walk(0,18,ffffffff81d27280,0) at rtable_walk+0xc7 sys/net/rtable.c:706
ip6_mrouter_done(fffffd8036454d88) at ip6_mrouter_done+0xb8 sys/netinet6/ip6_mroute.c:526
rip6_detach(fffffd8036454d88) at rip6_detach+0x56 sys/netinet6/raw_ip6.c:748
soclose(fffffd8036454d88,0) at soclose+0xb2 sys/kern/uipc_socket.c:292
soo_close(fffffd80361bde90,ffff8000ffff5528) at soo_close+0x40
fdrop(fffffd80361bde90,ffff8000ffff5528) at fdrop+0xc9 sys/kern/kern_descrip.c:1260
closef(fffffd80361bde90,ffff8000ffff5528) at closef+0x118 sys/kern/kern_descrip.c:1244
fdfree(ffff8000ffff5528) at fdfree+0xf7 sys/kern/kern_descrip.c:1176
exit1(ffff8000ffff5528,0,1) at exit1+0x2f4 sys/kern/kern_exit.c:194
sys_exit(ffff8000ffff5528,ffff800014a14960,ffff800014a149d0) at sys_exit+0x17 sys/kern/kern_exit.c:94
syscall(ffff800014a14a40) at syscall+0x511
Xsyscall(6,1,0,1,0,7f7ffffc84a4) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffc8470, count: -47
ddb> show registers
rdi 0x18e03c1eb6c0d3c8
rsi 0
rbp 0xffff800014a13210
rbx 0xffff800000075788
rdx 0
rcx 0
rax 0x204
r8 0
r9 0x5
r10 0
r11 0x8205856c0e720e4d
r12 0
r13 0xfffffd8036e062c0
r14 0
r15 0x18e03c1eb6c0d3c8
rip 0xffffffff81d272ab mrouter6_rtwalk_delete+0x2b
cs 0x8
rflags 0x10246 __ALIGN_SIZE+0xf246
rsp 0xffff800014a131d0
ss 0x10
mrouter6_rtwalk_delete+0x2b: movl 0x5c(%r15),%r12d
ddb> show proc
PROC (syz-executor.0) pid=321489 stat=onproc
flags process=1008<EXITING,SINGLEEXIT> proc=2000<WEXIT>
pri=50, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff8000ffff4e20,0xffffffff821ed260
process=0xffff8000149726a8 user=0xffff800014a0f000,
vmspace=0xfffffd803f014d68
estcpu=36, cpticks=3, pctcpu=0.0
user=0, sys=1, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
85963 382508 51722 0 2 0x2 syz-executor.1
31852 125872 51722 0 3 0x82 nanosleep syz-executor.0
51722 146094 49971 0 3 0x82 thrsleep syz-execprog
51722 21142 49971 0 3 0x4000082 nanosleep syz-execprog
51722 186902 49971 0 3 0x4000082 thrsleep syz-execprog
51722 330848 49971 0 3 0x4000082 thrsleep syz-execprog
51722 240188 49971 0 3 0x4000082 kqread syz-execprog
51722 211397 49971 0 3 0x4000082 thrsleep syz-execprog
51722 377792 49971 0 3 0x4000082 thrsleep syz-execprog
49971 378248 63923 0 3 0x10008a pause ksh
63923 302641 59460 0 3 0x92 select sshd
20265 4157 1 0 3 0x100083 ttyin getty
59460 317807 1 0 3 0x80 select sshd
50818 147295 60760 73 3 0x100090 kqread syslogd
60760 479171 1 0 3 0x100082 netio syslogd
19272 352060 1 77 3 0x100090 poll dhclient
38168 93561 1 0 3 0x80 poll dhclient
2354 291903 0 0 2 0x14200 zerothread
42047 267285 0 0 3 0x14200 aiodoned aiodoned
50857 488345 0 0 3 0x14200 syncer update
49207 105730 0 0 3 0x14200 cleaner cleaner
19208 276591 0 0 3 0x14200 reaper reaper
31031 429027 0 0 3 0x14200 pgdaemon pagedaemon
92996 70358 0 0 3 0x14200 bored crynlk
80311 206612 0 0 3 0x14200 bored crypto
58763 223759 0 0 3 0x40014200 acpi0 acpi0
23645 225932 0 0 3 0x14200 bored softnet
69944 37050 0 0 2 0x14200 systqmp
61427 387724 0 0 3 0x14200 bored systq
97353 166796 0 0 2 0x40014200 softclock
76398 92564 0 0 3 0x40014200 idle0
98746 353429 0 0 3 0x14200 bored smr
1 370627 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb> show all locks
No such command
ddb> show malloc
ddb> show all pools


Tested on:

commit: fa398786 add mpip(4)
git tree: https://github.com/openbsd/src.git
console output: https://syzkaller.appspot.com/x/log.txt?x=104a4e74a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=ffa1da4399f74b2b
compiler:

Dmitry Vyukov

May 13, 2019, 3:19:45 AM
to syzbot, Anton Lindqvist, Greg Steuck, syzkaller-o...@googlegroups.com
From: syzbot <syzbot+a33f13...@syzkaller.appspotmail.com>
Date: Mon, May 13, 2019 at 9:11 AM
To: <an...@basename.se>, <dvy...@google.com>, <gne...@google.com>,
<syzkaller-o...@googlegroups.com>

> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> kernel: protection fault trap, code=0

Patch testing works now.

Anton Lindqvist

May 13, 2019, 12:21:42 PM
to Dmitry Vyukov, syzbot, Greg Steuck, syzkaller-o...@googlegroups.com
On Mon, May 13, 2019 at 09:01:34AM +0200, Dmitry Vyukov wrote:
> From: syzbot <syzbot+a33f13...@syzkaller.appspotmail.com>
> Date: Mon, May 13, 2019 at 7:40 AM
> To: <syzkaller-o...@googlegroups.com>
>
> > Hello,
> >
> > syzbot tried to test the proposed patch but build/boot failed:
> >
> > failed to checkout kernel repo https://github.com/openbsd/src.git on commit
> > 0d1bbdcdb407: failed to run ["git" "checkout" "0d1bbdcdb407"]: exit status 1
> > error: pathspec '0d1bbdcdb407' did not match any file(s) known to git
>
> Hmmm. Was the openbsd tree rebased and force pushed?

That can happen. If I recall correctly, we discussed this when settling
on using marc.info URLs instead of GitHub ones in found_bugs.md.

Anton Lindqvist

Jun 22, 2019, 6:27:44 AM
to syzbot, syzkaller-o...@googlegroups.com
#syz fix: Prevent recursions by not deleting entries inside rtable_walk(9).