uvm_fault: switchread

Status: fixed on 2019/01/06 10:35
Fix commit: 54e30ac1a804 Fix mbuf related crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: test akoshibe@; OK claudio@
First crash: 1754d, last: 1754d

Sample crash report:
uvm_fault(0xffffff003f12b000, 0x6000118, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at      switchread+0x95:        movl    0x18(%r13),%r12d

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/12/09 12:43 openbsd 3173a78d3f87 e699a2b9 .config console log report ci-openbsd-main