panic: free: size too small NUM <= NUM / NUM (ADDR) type devbuf


syzbot

Dec 27, 2021, 11:04:33 AM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: e82b5ebce50c Rework garbage collector for unix(4) sockets.
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=10c9f747b00000
kernel config: https://syzkaller.appspot.com/x/.config?x=bf87b6915a88cd0d
dashboard link: https://syzkaller.appspot.com/bug?extid=7f8224e9f1a3487caf25

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7f8224...@syzkaller.appspotmail.com

panic: free: size too small 20 <= 64 / 2 (0xffff800000cca1c0) type devbuf
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
425575 44389 0 0 0 0 syz-executor.0
*432109 44389 0 0 0x4000000 1K syz-executor.0
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff8249233f) at panic+0x177 sys/kern/subr_prf.c:202
free(ffff800000cca1c0,2,14) at free+0x58c sys/kern/kern_malloc.c:433
wskbd_init_keymap(4,ffff800000680958,ffff800000680954) at wskbd_init_keymap+0x75 sys/dev/wscons/wskbdutil.c:385
wskbd_displayioctl_sc(ffff800000680800,8010570e,ffff800027a2da80,2,ffff800022298000,0) at wskbd_displayioctl_sc+0xb78 sys/dev/wscons/wskbd.c:1136
wskbd_do_ioctl_sc(ffff800000680800,8010570e,ffff800027a2da80,2,ffff800022298000,0) at wskbd_do_ioctl_sc+0x18f sys/dev/wscons/wskbd.c:995
wskbdioctl(4300,8010570e,ffff800027a2da80,2,ffff800022298000) at wskbdioctl+0x7e sys/dev/wscons/wskbd.c:934
VOP_IOCTL(fffffd80726c93f0,8010570e,ffff800027a2da80,2,fffffd807f7d8300,ffff800022298000) at VOP_IOCTL+0x96 sys/kern/vfs_vops.c:264
vn_ioctl(fffffd807460d390,8010570e,ffff800027a2da80,ffff800022298000) at vn_ioctl+0xbc sys/kern/vfs_vnops.c:531
sys_ioctl(ffff800022298000,ffff800027a2db98,ffff800027a2dbf0) at sys_ioctl+0x4a2
syscall(ffff800027a2dc60) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800027a2dc60) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xbb00e122ca0, count: 3
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
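The panic above comes from OpenBSD's sized free(): the caller passes the size it believes it allocated, and the allocator compares that against the power-of-two bucket the address actually lives in. In this trace the block came from a 64-byte bucket but wskbd_init_keymap asked to free 20 bytes, and 20 <= 64 / 2 trips the DIAGNOSTIC check. The following is an added user-space model of that contract and of the bug class it catches (a length tracked in a separate variable drifting out of sync with the allocation it describes); it is not OpenBSD code and not syzbot's. MINALLOCSIZE, struct entry, struct table and the stale-length scenario in demo() are all constructed for illustration and make no claim about the actual root cause in wskbd.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model constant: the smallest bucket, below which the "too small" check is
 * skipped.  Assumed for this example, not taken from the OpenBSD sources. */
#define MINALLOCSIZE 16U

enum free_result { FREE_OK = 0, FREE_TOO_LARGE = 1, FREE_TOO_SMALL = 2 };

/* Hidden header recording which power-of-two bucket a block came from. */
struct hdr { size_t bucket; };

/* Round a request up to its power-of-two bucket (16, 32, 64, ...). */
static size_t bucket_for(size_t size)
{
	size_t b = MINALLOCSIZE;
	while (b < size)
		b <<= 1;
	return b;
}

/* Model of kernel malloc(size, type, flags); type and flags are omitted. */
void *k_malloc(size_t size)
{
	size_t bucket = bucket_for(size);
	struct hdr *h = malloc(sizeof(*h) + bucket);
	if (h == NULL)
		return NULL;
	h->bucket = bucket;
	return h + 1;
}

/*
 * Model of sized free(addr, type, size).  The kernel panics on a mismatch;
 * the model reports the mismatch with the same wording and still releases
 * the block so the caller can continue.
 */
enum free_result k_free(void *addr, size_t size)
{
	struct hdr *h = (struct hdr *)addr - 1;
	size_t alloc = h->bucket;
	enum free_result r = FREE_OK;

	if (size > alloc) {
		fprintf(stderr, "panic: free: size too large %zu > %zu (%p)\n",
		    size, alloc, addr);
		r = FREE_TOO_LARGE;
	} else if (alloc > MINALLOCSIZE && size <= alloc / 2) {
		fprintf(stderr, "panic: free: size too small %zu <= %zu / 2 (%p)\n",
		    size, alloc, addr);
		r = FREE_TOO_SMALL;
	}
	free(h);
	return r;
}

/* Constructed 20-byte element (five 32-bit values). */
struct entry { uint32_t v[5]; };

/* Table whose element count is tracked separately from its allocation. */
struct table { struct entry *map; int len; };

/* Replace the table's storage with newlen entries, freeing by tracked len. */
enum free_result table_resize(struct table *t, int newlen)
{
	enum free_result r = FREE_OK;

	if (t->len > 0)
		r = k_free(t->map, (size_t)t->len * sizeof(struct entry));
	t->len = newlen;
	t->map = k_malloc((size_t)newlen * sizeof(struct entry));
	return r;
}

/*
 * Constructed scenario reproducing the numbers in the report: 3 entries
 * (60 bytes) land in the 64-byte bucket.  If another path overwrites len
 * with 1 without touching the allocation, the next resize frees with size
 * 20, and 20 <= 64 / 2 fires.  desync != 0 selects that buggy path.
 */
enum free_result demo(int desync)
{
	struct table t = { NULL, 0 };
	enum free_result r;

	table_resize(&t, 3);		/* 60 bytes -> 64-byte bucket */
	if (desync)
		t.len = 1;		/* stale length, allocation unchanged */
	r = table_resize(&t, 4);	/* frees with len * sizeof(struct entry) */
	k_free(t.map, 4 * sizeof(struct entry));
	return r;
}

int main(void)
{
	printf("consistent length: %d\n", demo(0));
	printf("stale length:      %d\n", demo(1));
	return 0;
}
```

The point of the model is the invariant the kernel enforces: whatever expression produced the size at allocation time must produce the same size at free time, so a length stored separately from the pointer is a latent size mismatch whenever a second code path can update one without the other. The check only fires when the two disagree by more than a factor of two, so a mismatch that stays within the same bucket passes silently; the panic is a diagnostic, not a guarantee that every mismatch is caught.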