

uvm_fault.c:LINE

Status: closed as dup on 2019/01/25 07:22
Reported-by: syzbot+47eacc8e12a6fd4ef75e@syzkaller.appspotmail.com
First crash: 1926d, last: 1925d
Duplicate of
Title Repro Cause bisect Fix bisect Count Last Reported
witness: reversal: vmmaplk inode C 103124 1598d 1925d

Sample crash report (the witness lock checker saw "&ip->i_lock" and "&map->lock" acquired in both orders — a potential deadlock — and stopped in ddb; the two stack traces below show where each order was first seen):
 1st 0xfffffd806e92f458 vmmaplk (&map->lock) @ /syzkaller/managers/setuid/kernel/sys/uvm/uvm_fault.c:1442
 2nd 0xfffffd806deadf80 inode (&ip->i_lock) @ /syzkaller/managers/setuid/kernel/sys/ufs/ufs/ufs_vnops.c:1547
lock order "&ip->i_lock"(rrwlock) -> "&map->lock"(rwlock) first seen at:
#0  witness_checkorder+0x6d8
#1  _rw_enter+0xbf
#2  vm_map_lock_ln+0x14e
#3  uvm_map+0x2e2
#4  km_alloc+0x19a
#5  pool_multi_alloc_ni+0xe4
#6  pool_p_alloc+0x70
#7  pool_do_get+0x127
#8  pool_get+0x104
#9  ufsdirhash_build+0x40b
#10 ufs_lookup+0x2a5
#11 VOP_LOOKUP+0x63
#12 vfs_lookup+0x552
#13 namei+0x4af
#14 start_init+0xd6
lock order "&map->lock"(rwlock) -> "&ip->i_lock"(rrwlock) first seen at:
#0  witness_checkorder+0x6d8
#1  _rw_enter+0xbf
#2  _rrw_enter+0x5c
#3  VOP_LOCK+0x55
#4  vn_lock+0x6e
#5  uvn_io+0x2ca
#6  uvn_get+0x206
#7  uvm_fault+0x12c1
#8  uvm_fault_wire+0x70
#9  uvm_map_pageable_wire+0x2fd
#10 sys_mlockall+0x69
#11 syscall+0x5a0
#12 Xsyscall+0x128
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
ddb{1}> 
ddb{1}> set $lines = 0
ddb{1}> show panic
the kernel did not panic
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
witness_checkorder(ae0828b4533a740f,81,fffffd806deadf70,fffffd806deadf70,0) at witness_checkorder+0x12f9 witness_debugger sys/kern/subr_witness.c:2543 [inline]
witness_checkorder(ae0828b4533a740f,81,fffffd806deadf70,fffffd806deadf70,0) at witness_checkorder+0x12f9 sys/kern/subr_witness.c:1089
_rw_enter(aa5934606d8498f5,60b,fffffd806deadf70,ffffffff81edebdf) at _rw_enter+0xbf
_rrw_enter(31f4c7a672a0571,fffffd806dceeaf8,ffffffff8139fd50,2) at _rrw_enter+0x5c sys/kern/kern_rwlock.c:410
VOP_LOCK(298cc098f1ddfcab,fffffd806dceeaf8) at VOP_LOCK+0x55 sys/kern/vfs_vops.c:598
vn_lock(e0904ac18d36d5c7,2000) at vn_lock+0x6e sys/kern/vfs_vnops.c:549
uvn_io(f88ad38f7f7b4aff,0,0,fffffd806e00f638,1000) at uvn_io+0x2ca sys/uvm/uvm_vnode.c:1188
uvn_get(a63dbfec490f829,ffffffff8146c190,fffffd806e00f638,fffffd8077d96650,1000,1) at uvn_get+0x206 sys/uvm/uvm_vnode.c:1048
uvm_fault(f88ad38f7f8fbea9,7b290c96000,fffffffffffff000,1) at uvm_fault+0x12c1 sys/uvm/uvm_fault.c:1023
uvm_fault_wire(a390d2050a23402c,1,7b290c96000,fffffd8077d96650) at uvm_fault_wire+0x70 sys/uvm/uvm_fault.c:1293
uvm_map_pageable_wire(298cc098f1f4393c,3,ffff800020be5780,7f7ffffef318,2,10f0) at uvm_map_pageable_wire+0x2fd sys/uvm/uvm_map.c:2258
sys_mlockall(3c4bbc7629bf4fae,2,ffff800020be5780) at sys_mlockall+0x69 sys/uvm/uvm_mmap.c:801
syscall(9f716b3e573ab6f0) at syscall+0x5a0 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(9f716b3e573ab6f0) at syscall+0x5a0 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,7f7ffffef398,0,1,7f7ffffef3a8) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffef330, count: -14
ddb{1}> show registers
rdi                              0x3
rsi               0xffffffff821837a8    __sancov_gen_cov_switch_values.125+0x28
rbp               0xffff800020bfe7d0
rbx                              0x3
rdx                             0x8b
rcx                              0x3
rax                                0
r8                0xffffffff817c727f    witness_checkorder+0x12cf
r9                               0x5
r10               0x608e94c1d6d0c7c4
r11               0xd307d401d5fbbf1a
r12               0xfffffd80025cdc30
r13               0xffffffff81ebbd52    cmd0646_9_tim_udma+0xc96d
r14               0xffffffff8227c3a0    w_lodata+0x51db0
r15               0xffffffff82280390    w_lodata+0x55da0
rip               0xffffffff81107618    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff800020bfe7c0
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor0465) pid=240284 stat=onproc
    flags process=2<EXEC> proc=0
    pri=52, usrpri=52, nice=20
    forw=0xffffffffffffffff, list=0xffff800020be4970,0xffffffff82300be0
    process=0xffff800020bca360 user=0xffff800020bfa000, vmspace=0xfffffd806e92f440
    estcpu=2, cpticks=4, pctcpu=0.0
    user=0, sys=4, intr=0
ddb{1}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
*42372  240284  79999      0  7         0x2                syz-executor0465
 79999   27993  12004      0  3    0x10008a  pause         ksh
 12004  315339  91063      0  3        0x92  select        sshd
 14081  187999      1      0  3    0x100083  ttyin         getty
 91063  445362      1      0  3        0x80  select        sshd
 87241  189365    685     73  2    0x100090                syslogd
   685  503330      1      0  3    0x100082  netio         syslogd
 34706  160454      1     77  3    0x100090  poll          dhclient
 60080  421791      1      0  3        0x80  poll          dhclient
 88170  510733      0      0  2     0x14200                zerothread
 40689  436538      0      0  3     0x14200  aiodoned      aiodoned
 41481  474909      0      0  3     0x14200  syncer        update
 79300  340081      0      0  3     0x14200  cleaner       cleaner
 50111  434270      0      0  3     0x14200  reaper        reaper
 63383  192767      0      0  3     0x14200  pgdaemon      pagedaemon
  7293  318875      0      0  3     0x14200  bored         crynlk
 95872  452665      0      0  3     0x14200  bored         crypto
 69734  200187      0      0  3  0x40014200  acpi0         acpi0
 62736  256422      0      0  3  0x40014200                idle1
 98732  322640      0      0  3     0x14200  bored         softnet
 62632   28613      0      0  3     0x14200  bored         systqmp
 34362  316597      0      0  3     0x14200  bored         systq
 35525  436202      0      0  3  0x40014200  bored         softclock
 81892  295088      0      0  7  0x40014200                idle0
     1  508284      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{1}> 

Crashes (260):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/01/24 07:43 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report syz C ci-openbsd-setuid
2019/01/24 07:42 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report syz C ci-openbsd-multicore
2019/01/25 05:52 openbsd 6be7898a800b fea4b504 .config console log report ci-openbsd-setuid
2019/01/25 04:44 openbsd 6be7898a800b fea4b504 .config console log report ci-openbsd-setuid
2019/01/25 03:38 openbsd 6be7898a800b fea4b504 .config console log report ci-openbsd-multicore
2019/01/25 02:47 openbsd 6be7898a800b fea4b504 .config console log report ci-openbsd-multicore
2019/01/25 01:47 openbsd 6be7898a800b fea4b504 .config console log report ci-openbsd-setuid
2019/01/25 00:49 openbsd 6be7898a800b fea4b504 .config console log report ci-openbsd-setuid
2019/01/24 23:45 openbsd 6be7898a800b fea4b504 .config console log report ci-openbsd-multicore
2019/01/24 23:01 openbsd 6be7898a800b fea4b504 .config console log report ci-openbsd-setuid
2019/01/24 21:59 openbsd 6be7898a800b fea4b504 .config console log report ci-openbsd-multicore
2019/01/24 20:58 openbsd 6be7898a800b fea4b504 .config console log report ci-openbsd-setuid
2019/01/24 20:43 openbsd 6be7898a800b fea4b504 .config console log report ci-openbsd-multicore
2019/01/24 19:32 openbsd 6be7898a800b fea4b504 .config console log report ci-openbsd-setuid
2019/01/24 18:28 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 18:19 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 17:16 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 16:02 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 15:51 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 14:49 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-multicore
2019/01/24 13:45 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 12:30 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 11:28 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 11:11 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 10:11 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 09:11 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 08:08 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-multicore
2019/01/24 07:20 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-multicore
2019/01/24 07:14 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 07:10 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-multicore
2019/01/24 07:10 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 07:09 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-multicore
2019/01/24 07:09 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-multicore
2019/01/24 07:08 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 07:08 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 07:08 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 07:08 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 07:08 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-multicore
2019/01/24 07:08 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 07:08 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 07:07 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 07:07 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-multicore
2019/01/24 07:07 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid
2019/01/24 07:06 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-multicore
2019/01/24 07:06 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-multicore
2019/01/24 06:59 openbsd f1baa6d0b1f2 ce1ccf97 .config console log report ci-openbsd-setuid