syzbot

 sign-in | mailing list | source | docs
🐞 Open [133] 🐞 Fixed [269] 🐞 Invalid [575] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

panic: kernel diagnostic assertion "M_DATABUF(m) + M_SIZE(m) >= (m->m_data + m->m_len)" failed: file "/syzkaller/manager

Status: fixed on 2018/12/19 08:48
Reported-by: syzbot+6cf507dd6e63d45e55a3@syzkaller.appspotmail.com
Fix commit: 49729d6ed45f In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees the inpcb apart from the disconnect. Just call soisdisconnected() and clear the inp->inp_faddr since the socket is still valid after a disconnect. Problem found by syzkaller via Greg Steuck OK visa@ Fixes: Reported-by: syzbot+2cd350dfe5c96f6469f2@syzkaller.appspotmail.com Reported-by: syzbot+139ac2d7d3d60162334b@syzkaller.appspotmail.com Reported-by: syzbot+02168317bd0156c13b69@syzkaller.appspotmail.com Reported-by: syzbot+de8d2459ecf4cdc576a1@syzkaller.appspotmail.com
First crash: 1969d, last: 1963d

Sample crash report:
panic: kernel diagnostic assertion "M_DATABUF(m) + M_SIZE(m) >= (m->m_data + m->m_len)" failed: file "/syzkaller/managers/main/kernel/sys/kern/uipc_mbuf.c", line 1335
Stopped at      db_enter+0xa:   popq    %rbp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*493644  38952      0           0  0x4000000    0  syz-executor9632
db_enter() at db_enter+0xa
panic() at panic+0x147
__assert(ffffffff813a1834,ffff800021103cf0,ffffff006d8d0d04,c) at __assert+0x24
m_copyback(ffffff006d8d0cf8,ffffff006d8d0c00,8,600,100) at m_copyback+0x4a4
swofp_send_error(ffff800000aa4800,ffffff006d8d0c00,ffff8000006b3d00,ffffff006d8d0cf8) at swofp_send_error+0xac
swofp_recv_set_config(ffffff006d8d0c00,ffff800000aa4800) at swofp_recv_set_config+0x46
swofp_input(ffff800000aa4800,ffff800021103e98) at swofp_input+0xfe
switchwrite(ffffff0072a92af0,ffffff0072a92af0,ffff800021104078) at switchwrite+0x30e
spec_write(ffffffff81dfb940) at spec_write+0xa0
VOP_WRITE(1,ffffff0072a92af0,1,ffffff006e905260) at VOP_WRITE+0x65
vn_write(ffffff006e905260,ffff800021104078,a) at vn_write+0x161
dofilewritev(ffff8000211041a0,1,ffff8000211041b8,ffff8000210c2010,0) at dofilewritev+0x13e
sys_pwritev(ffff800021104240,ffff8000210c2010,ffff8000210a5010) at sys_pwritev+0xbf
--db_more--           syscall(0) at syscall+0x3e4
--db_more--           end trace frame: 0xffff8000211042c0, count: 0
--db_more--           https://www.openbsd.org/ddb.html describes the minimum info required in bug
--db_more--           reports.  Insufficient info makes it difficult to find and fix bugs.
ddb>  $lines = 0
?
ddb> show panic
kernel diagnostic assertion "M_DATABUF(m) + M_SIZE(m) >= (m->m_data + m->m_len)" failed: file "/syzkaller/managers/main/kernel/sys/kern/uipc_mbuf.c", line 1335
ddb> trace
db_enter() at db_enter+0xa
panic() at panic+0x147
__assert(ffffffff813a1834,ffff800021103cf0,ffffff006d8d0d04,c) at __assert+0x24
m_copyback(ffffff006d8d0cf8,ffffff006d8d0c00,8,600,100) at m_copyback+0x4a4
swofp_send_error(ffff800000aa4800,ffffff006d8d0c00,ffff8000006b3d00,ffffff006d8d0cf8) at swofp_send_error+0xac
swofp_recv_set_config(ffffff006d8d0c00,ffff800000aa4800) at swofp_recv_set_config+0x46
swofp_input(ffff800000aa4800,ffff800021103e98) at swofp_input+0xfe
switchwrite(ffffff0072a92af0,ffffff0072a92af0,ffff800021104078) at switchwrite+0x30e
spec_write(ffffffff81dfb940) at spec_write+0xa0
VOP_WRITE(1,ffffff0072a92af0,1,ffffff006e905260) at VOP_WRITE+0x65
vn_write(ffffff006e905260,ffff800021104078,a) at vn_write+0x161
dofilewritev(ffff8000211041a0,1,ffff8000211041b8,ffff8000210c2010,0) at dofilewritev+0x13e
sys_pwritev(ffff800021104240,ffff8000210c2010,ffff8000210a5010) at sys_pwritev+0xbf
syscall(0) at syscall+0x3e4
Xsyscall(6,0,78d667e22a0,0,78b26cb6098,78b26cb6090) at Xsyscall+0x128
end of kernel
--db_more--           end trace frame: 0x78dfb060b40, count: -15
ddb> how registers
No such command
ddb> show proc
PROC (syz-executor9632) pid=493644 stat=onproc
    flags process=0 proc=4000000<THREAD>
    pri=50, usrpri=50, nice=20
    forw=0xffffffffffffffff, list=0xffff8000210c2268,0xffffffff81eafaa0
    process=0xffff8000210a5010 user=0xffff8000210ff000, vmspace=0xffffff007f12b420
    estcpu=0, cpticks=1, pctcpu=0.0
    user=0, sys=1, intr=0
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 38952  144305  90902      0  2           0                syz-executor9632
*38952  493644  90902      0  7   0x4000000                syz-executor9632
 90902  194569  71558      0  3        0x82  nanosleep     syz-executor9632
 71558  309209  16830      0  3    0x10008a  pause         ksh
 16830   48163  46985      0  3        0x92  select        sshd
  3199  169615      1      0  3    0x100083  ttyin         getty
 46985  225443      1      0  3        0x80  select        sshd
 47338  300199   4465     73  3    0x100090  kqread        syslogd
  4465  267722      1      0  3    0x100082  netio         syslogd
 97035  507533      1     77  3    0x100090  poll          dhclient
 10698  201555      1      0  3        0x80  poll          dhclient
 93153  509914      0      0  2     0x14200                zerothread
 34540   92097      0      0  3     0x14200  aiodoned      aiodoned
  2809  416480      0      0  3     0x14200  syncer        update
 41150  407119      0      0  3     0x14200  cleaner       cleaner
 11152  503560      0      0  3     0x14200  reaper        reaper
 25842  252600      0      0  3     0x14200  pgdaemon      pagedaemon
 79196  486929      0      0  3     0x14200  bored         crynlk
 79215  483737      0      0  3     0x14200  bored         crypto
 70525   49945      0      0  3  0x40014200  acpi0         acpi0
 90632  215559      0      0  3     0x14200  bored         softnet
--db_more--

Crashes (7):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/12/03 18:21 openbsd f939acc2595a 21927904 console log report syz C ci-openbsd-main
2018/12/09 14:23 https://github.com/blackgnezdo/src.git anton-kcov-dec8 737f2a163501 e699a2b9 .config console log report ci-openbsd-multicore
2018/12/07 23:51 https://github.com/blackgnezdo/src.git multicore 013d15613728 65ed2472 .config console log report ci-openbsd-multicore
2018/12/07 23:28 https://github.com/blackgnezdo/src.git multicore 013d15613728 65ed2472 .config console log report ci-openbsd-multicore
2018/12/07 23:23 https://github.com/blackgnezdo/src.git multicore 013d15613728 65ed2472 .config console log report ci-openbsd-multicore
2018/12/05 21:02 openbsd 7d03a16b0321 f162ad97 console log report ci-openbsd-main
2018/12/03 18:02 openbsd f939acc2595a 21927904 console log report ci-openbsd-main
* Struck through repros no longer work on HEAD.