

panic: pool_cache_item_magic_check: mcl64k cpu free list modified: item addr ADDR+24 ADDR!=ADDR

Status: fixed on 2019/01/06 10:35
Reported-by: syzbot+1a4eb3447ba2a862477c@syzkaller.appspotmail.com
Fix commit: 54e30ac1a804 Fix mbuf related crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
First crash: 1960d, last: 1960d

Sample crash report:
panic: pool_cache_item_magic_check: mcl64k cpu free list modified: item addr 0xffffff0006004000+24 0xf9e347e578321f8e!=0xf9e347e57e315f8e
Stopped at      db_enter+0xa:   popq    %rbp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
 204185  30672      0           0          0    1  syz-executor0
*251044  30672      0           0  0x4000000    0K syz-executor0
db_enter() at db_enter+0xa
panic() at panic+0x147
pool_cache_get(2) at pool_cache_get+0x2bf
pool_get(ffffff0065128900,2) at pool_get+0x60
m_clget(10000,ff95ff8a,ffffff007b6a1100) at m_clget+0x204
switchwrite(ffffff00656ba350,ffffff00656ba350,ffff8000211b57b8) at switchwrite+0x20c
spec_write(ffffffff81e45548) at spec_write+0xa8
VOP_WRITE(1,ffffff00656ba350,1,ffffff00604f4000) at VOP_WRITE+0x65
vn_write(ffffff00604f4000,ffff8000211b57b8,ffffff91) at vn_write+0x161
dofilewritev(ffff8000211b58e0,1,ffff8000211b58f8,ffff8000210a3530,0) at dofilewritev+0x13e
sys_pwritev(10c0,ffff8000210a3530,0) at sys_pwritev+0xbf
syscall(0) at syscall+0x489
Xsyscall(6,0,ffffffffffffffb8,0,4,df03e92b0d8) at Xsyscall+0x128
end of kernel
end trace frame: 0xdf287633550, count: 2
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{0}> 
ddb{0}> set $lines = 0
ddb{0}> show panic
pool_cache_item_magic_check: mcl64k cpu free list modified: item addr 0xffffff0006004000+24 0xf9e347e578321f8e!=0xf9e347e57e315f8e
ddb{0}> trace
db_enter() at db_enter+0xa
panic() at panic+0x147
pool_cache_get(2) at pool_cache_get+0x2bf
pool_get(ffffff0065128900,2) at pool_get+0x60
m_clget(10000,ff95ff8a,ffffff007b6a1100) at m_clget+0x204
switchwrite(ffffff00656ba350,ffffff00656ba350,ffff8000211b57b8) at switchwrite+0x20c
spec_write(ffffffff81e45548) at spec_write+0xa8
VOP_WRITE(1,ffffff00656ba350,1,ffffff00604f4000) at VOP_WRITE+0x65
vn_write(ffffff00604f4000,ffff8000211b57b8,ffffff91) at vn_write+0x161
dofilewritev(ffff8000211b58e0,1,ffff8000211b58f8,ffff8000210a3530,0) at dofilewritev+0x13e
sys_pwritev(10c0,ffff8000210a3530,0) at sys_pwritev+0xbf
syscall(0) at syscall+0x489
Xsyscall(6,0,ffffffffffffffb8,0,4,df03e92b0d8) at Xsyscall+0x128
end of kernel
end trace frame: 0xdf287633550, count: -13
ddb{0}> show registers
rdi               0xffffffff81e263d0    kprintf_mutex
rsi                              0x5
rbp               0xffff8000211b53f0
rbx               0xffff8000211b5490
rdx               0xffff800000cd6000
rcx                          0x3ffff    acpi_pdirpa+0x2be67
rax               0xffff800000ad2a00
r8                0xffff8000211b53c0
r9                0x8080808080808080
r10                                0
r11               0xffffffff81437f90    x86_bus_space_io_read_1
r12                     0x3000000008
r13               0xffff8000211b5400
r14                            0x100
r15               0xffffffff81bf1c1e    cmd0646_9_tim_udma+0x1bda7
rip               0xffffffff810b44fa    db_enter+0xa
cs                               0x8
rflags                         0x246
rsp               0xffff8000211b53f0
ss                              0x10
db_enter+0xa:   popq    %rbp
ddb{0}> show proc
PROC (syz-executor0) pid=251044 stat=onproc
    flags process=0 proc=4000000<THREAD>
    pri=70, usrpri=70, nice=20
    forw=0xffffffffffffffff, list=0xffff8000210a3788,0xffffffff81ed2ad0
    process=0xffff8000210cb630 user=0xffff8000211b0000, vmspace=0xffffff007f125528
    estcpu=20, cpticks=2, pctcpu=0.0
    user=0, sys=2, intr=0
ddb{0}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 83998  232458  51074      0  2           0                syz-executor1
 83998  494598  51074      0  2   0x4000080                syz-executor1
 30672  204185  36635      0  7           0                syz-executor0
 30672  118847  36635      0  3   0x4000080  switchread    syz-executor0
*30672  251044  36635      0  7   0x4000000                syz-executor0
 67766  319073      1      0  3    0x100083  ttyin         getty
   126  230541      0      0  3     0x14200  bored         sosplice
 51074  256186  26080      0  3        0x82  nanosleep     syz-executor1
 36635   40965  26080      0  3        0x82  nanosleep     syz-executor0
 26080  140887  30412      0  3        0x82  thrsleep      syz-fuzzer
 26080   77644  30412      0  3   0x4000082  thrsleep      syz-fuzzer
 26080  384172  30412      0  3   0x4000082  thrsleep      syz-fuzzer
 26080  273494  30412      0  3   0x4000082  thrsleep      syz-fuzzer
 26080  219023  30412      0  3   0x4000082  thrsleep      syz-fuzzer
 26080   62259  30412      0  3   0x4000082  thrsleep      syz-fuzzer
 26080   79611  30412      0  3   0x4000082  thrsleep      syz-fuzzer
 26080  142192  30412      0  3   0x4000082  thrsleep      syz-fuzzer
 26080  313823  30412      0  3   0x4000082  kqread        syz-fuzzer
 26080  231545  30412      0  3   0x4000082  thrsleep      syz-fuzzer
 30412  451826  38472      0  3    0x10008a  pause         ksh
 38472  343364   9090      0  3        0x92  select        sshd
  9090  172605      1      0  3        0x80  select        sshd
 34739  453867  55217     73  3    0x100090  kqread        syslogd
 55217  188921      1      0  3    0x100082  netio         syslogd
 88923  147142      1     77  3    0x100090  poll          dhclient
 27770   54302      1      0  3        0x80  poll          dhclient
 51982  519644      0      0  2     0x14200                zerothread
 86591   26538      0      0  3     0x14200  aiodoned      aiodoned
  1637  303418      0      0  3     0x14200  syncer        update
 24762   84146      0      0  3     0x14200  cleaner       cleaner
 97467  449575      0      0  3     0x14200  reaper        reaper
 53166  113583      0      0  3     0x14200  pgdaemon      pagedaemon
 83846  421802      0      0  3     0x14200  bored         crynlk
 66958   33457      0      0  3     0x14200  bored         crypto
 18071   31693      0      0  3  0x40014200  acpi0         acpi0
 99178  512824      0      0  3  0x40014200                idle1
 74303  138041      0      0  3     0x14200  bored         softnet
   812  140822      0      0  3     0x14200  bored         systqmp
 65873  228007      0      0  3     0x14200  bored         systq
 20862  477627      0      0  3  0x40014200  bored         softclock
 11010   62754      0      0  3  0x40014200                idle0
     1  394416      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/12/06 20:22 https://github.com/blackgnezdo/src.git multicore 46168e0d3b1d b6709220 .config console log report ci-openbsd-multicore