syzbot


assert failed: vp->v_specnode == sn

Status: upstream: reported on 2024/06/03 00:26
Reported-by: syzbot+98d20781b70db15a0e2e@syzkaller.appspotmail.com
First crash: 15d, last: 11d

Sample crash report:
[  89.3972083] panic: kernel diagnostic assertion "vp->v_specnode == sn" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/miscfs/specfs/spec_vnops.c", line 327 
[  89.4125654] cpu0: Begin traceback...
[  89.4471899] vpanic() at netbsd:vpanic+0x2f0 sys/kern/subr_prf.c:288
[  89.5871917] kern_assert() at netbsd:kern_assert+0x65 sys/arch/amd64/amd64/db_disasm.c:1074
[  89.7071902] spec_io_exit() at netbsd:spec_io_exit+0x254 sys/miscfs/specfs/spec_vnops.c:327
[  89.8071903] spec_read() at netbsd:spec_read+0x6c6 sys/miscfs/specfs/spec_vnops.c:1111
[  89.9071913] layer_bypass() at netbsd:layer_bypass+0x63e sys/miscfs/genfs/layer_vnops.c:294
[  90.0071926] VOP_READ() at netbsd:VOP_READ+0x138 sys/kern/vnode_if.c:785
[  90.1071931] vn_read() at netbsd:vn_read+0x5f6 sys/kern/vfs_vnops.c:677
[  90.2071897] dofileread() at netbsd:dofileread+0x133 sys/kern/sys_generic.c:156
[  90.2971930] sys_read() at netbsd:sys_read+0xd3 sys/kern/sys_generic.c:121
[  90.3971927] sys___syscall() at netbsd:sys___syscall+0x1e4 sy_call sys/sys/syscallvar.h:65 [inline]
[  90.3971927] sys___syscall() at netbsd:sys___syscall+0x1e4 sys/kern/sys_syscall.c:90
[  90.4871977] syscall() at netbsd:syscall+0x28b sy_call sys/sys/syscallvar.h:65 [inline]
[  90.4871977] syscall() at netbsd:syscall+0x28b sy_invoke sys/sys/syscallvar.h:94 [inline]
[  90.4871977] syscall() at netbsd:syscall+0x28b sys/arch/x86/x86/syscall.c:137
[  90.5179679] --- syscall (number 3 via SYS_syscall) ---
[  90.5471942] netbsd:syscall+0x28b:
[  90.5471942] cpu0: End traceback...
[  90.5471942] fatal breakpoint trap in supervisor mode
[  90.5590533] trap type 1 code 0 rip 0xffffffff80235475 cs 0x8 rflags 0x246 cr2 0xc000258408 ilevel 0 rsp 0xffffa682484aea20
[  90.5718362] curlwp 0xffffa112cf252040 pid 2363.1345 lowest kstack 0xffffa682484aa2c0
Stopped in pid 2363.1345 (syz-executor.4) at    netbsd:breakpoint+0x5:  leave
?
breakpoint() at netbsd:breakpoint+0x5
db_panic() at netbsd:db_panic+0xec sys/ddb/db_panic.c:71
vpanic() at netbsd:vpanic+0x2f0 sys/kern/subr_prf.c:288
kern_assert() at netbsd:kern_assert+0x65 sys/arch/amd64/amd64/db_disasm.c:1074
spec_io_exit() at netbsd:spec_io_exit+0x254 sys/miscfs/specfs/spec_vnops.c:327
spec_read() at netbsd:spec_read+0x6c6 sys/miscfs/specfs/spec_vnops.c:1111
layer_bypass() at netbsd:layer_bypass+0x63e sys/miscfs/genfs/layer_vnops.c:294
VOP_READ() at netbsd:VOP_READ+0x138 sys/kern/vnode_if.c:785
vn_read() at netbsd:vn_read+0x5f6 sys/kern/vfs_vnops.c:677
dofileread() at netbsd:dofileread+0x133 sys/kern/sys_generic.c:156
sys_read() at netbsd:sys_read+0xd3 sys/kern/sys_generic.c:121
sys___syscall() at netbsd:sys___syscall+0x1e4 sy_call sys/sys/syscallvar.h:65 [inline]
sys___syscall() at netbsd:sys___syscall+0x1e4 sys/kern/sys_syscall.c:90
syscall() at netbsd:syscall+0x28b sy_call sys/sys/syscallvar.h:65 [inline]
syscall() at netbsd:syscall+0x28b sy_invoke sys/sys/syscallvar.h:94 [inline]
syscall() at netbsd:syscall+0x28b sys/arch/x86/x86/syscall.c:137
--- syscall (number 3 via SYS_syscall) ---
netbsd:syscall+0x28b:
Panic string: kernel diagnostic assertion "vp->v_specnode == sn" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/miscfs/specfs/spec_vnops.c", line 327
PID     LID S CPU     FLAGS       STRUCT LWP *               NAME WAIT
1750   1750 2   1         0   ffffa112c241c1c0     syz-executor.3
2489   2489 2   1       140   ffffa112cefc74c0     syz-executor.0
2127   2761 3   1       180   ffffa112c0ebd8c0     syz-executor.2 parked
2127   2127 2   1  10000000   ffffa112ce49e300     syz-executor.2
2363   1356 2   1    100100   ffffa112c0ebd480     syz-executor.4
2363   1090 2   1    100100   ffffa112c66be100     syz-executor.4
2363   1444 2   1    100100   ffffa112cfcc0a00     syz-executor.4
2363 > 1345 7   0    100100   ffffa112cf252040     syz-executor.4
2363   2363 2   0  10040140   ffffa112cf252480     syz-executor.4
1156   1156 3   1        40   ffffa112ce49eb80     syz-executor.2 mutex
1062   1062 3   1       180   ffffa112ceffa340     syz-executor.5 parked
1174   1174 3   1        40   ffffa112c2597200     syz-executor.4 mutex
2028   2028 2   0         0   ffffa112cefbea80     syz-executor.1
2375   2375 2   0       140   ffffa112c1ad1580     syz-executor.5
916     916 3   0       180   ffffa112c1b714c0     syz-executor.4 parked
899     899 3   0       180   ffffa112d3d8f280     syz-executor.4 parked
1129   1129 3   1       180   ffffa112c18eb940     syz-executor.1 parked
2247   2247 3   0       180   ffffa112c1b71900     syz-executor.0 parked
1600   1084 2   0   1140000   ffffa112ceffa780     syz-executor.3
1600   1600 2   1  11000040   ffffa112c66be540     syz-executor.3
482     482 3   1       180   ffffa112c66be980     syz-executor.5 parked
1323   1323 3   0       180   ffffa112c17df100     syz-executor.1 parked
1237   1332 3   1       180   ffffa112c2a092c0         syz-fuzzer wait
1237   1132 3   1       180   ffffa112c18eb500         syz-fuzzer wait
1237   1236 3   1       180   ffffa112c18eb0c0         syz-fuzzer wait
1237   1199 3   1       180   ffffa112c17df540         syz-fuzzer wait
1237    990 2   0         0   ffffa112c1de2180         syz-fuzzer
1237    813 3   1       180   ffffa112c0b2b2c0         syz-fuzzer wait
1237   1241 3   1       180   ffffa112c2584b00         syz-fuzzer parked
1237   1224 3   0       180   ffffa112c2597a80         syz-fuzzer parked
1237    989 3   1         0   ffffa112c1ef7240         syz-fuzzer mutex
1237   1226 3   0       180   ffffa112c1ef7ac0         syz-fuzzer parked
1237   1231 3   1       180   ffffa112c0b2b700         syz-fuzzer parked
1237   1229 2   1       140   ffffa112c09ce280         syz-fuzzer
1237   1237 3   1       180   ffffa112c241c600         syz-fuzzer wait
1235   1235 3   0       180   ffffa112c09ceb00               sshd select
1082   1082 2   0       140   ffffa112c1ef7680              getty
1216   1216 2   1       140   ffffa112c09ce6c0              getty
1195   1195 2   1       140   ffffa112c069cac0              getty
1196   1196 3   1       180   ffffa112c06b7200              getty ttyraw
952     952 3   0       180   ffffa112c25846c0               sshd select
1056   1056 3   0       180   ffffa112c2584280             powerd kqueue
700     700 3   1       180   ffffa112c17df980            syslogd kqueue
747     747 3   0       180   ffffa112c0b2bb40             dhcpcd poll
742     742 3   0       180   ffffa112c0d6fbc0             dhcpcd poll
-2087909354address 0x7 is invalid
address 0x8 is invalid
address 0x9 is invalid
address 0xa is invalid
address 0xb is invalid
address 0xc is invalid
address 0xd is invalid
[  90.5795070] Skipping crash dump on recursive panic
[  90.5795070] panic: UBSan: Undefined Behavior in /syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/ddb/db_proc.c:202:10, member access within misaligned address 0xffffa68251465320 for type 'struct cpu_info' which requires 64 byte alignment

[  90.5795070] cpu0: Begin traceback...
[  90.5795070] vpanic() at netbsd:vpanic+0x2f0 sys/kern/subr_prf.c:288
[  90.5795070] Report() at netbsd:Report+0x3b sys/../common/lib/libc/misc/ubsan.c:1352
[  90.5795070] HandleTypeMismatch() at netbsd:HandleTypeMismatch+0xfc sys/../common/lib/libc/misc/ubsan.c:432
[  90.5795070] db_show_all_procs() at netbsd:db_show_all_procs+0xe82 sys/ddb/db_proc.c:202
[  90.5795070] db_command() at netbsd:db_command+0x240 sys/ddb/db_command.c:972
[  90.5795070] db_command_loop() at netbsd:db_command_loop+0x221 db_execute_commandlist sys/ddb/db_command.c:468 [inline]
[  90.5795070] db_command_loop() at netbsd:db_command_loop+0x221 sys/ddb/db_command.c:618
[  90.5795070] db_trap() at netbsd:db_trap+0x261 sys/ddb/db_trap.c:94
[  90.5795070] kdb_trap() at netbsd:kdb_trap+0x1aa sys/arch/amd64/amd64/db_interface.c:252
[  90.5795070] trap() at netbsd:trap+0x569 sys/arch/amd64/amd64/trap.c:314
[  90.5795070] --- trap (number 1) ---
[  90.5795070] breakpoint() at netbsd:breakpoint+0x5
[  90.5795070] db_panic() at netbsd:db_panic+0xec sys/ddb/db_panic.c:71
[  90.5795070] vpanic() at netbsd:vpanic+0x2f0 sys/kern/subr_prf.c:288
[  90.5795070] kern_assert() at netbsd:kern_assert+0x65 sys/arch/amd64/amd64/db_disasm.c:1074
[  90.5795070] spec_io_exit() at netbsd:spec_io_exit+0x254 sys/miscfs/specfs/spec_vnops.c:327
[  90.5795070] spec_read() at netbsd:spec_read+0x6c6 sys/miscfs/specfs/spec_vnops.c:1111
[  90.5795070] layer_bypass() at netbsd:layer_bypass+0x63e sys/miscfs/genfs/layer_vnops.c:294
[  90.5795070] VOP_READ() at netbsd:VOP_READ+0x138 sys/kern/vnode_if.c:785
[  90.5795070] vn_read() at netbsd:vn_read+0x5f6 sys/kern/vfs_vnops.c:677
[  90.5795070] dofileread() at netbsd:dofileread+0x133 sys/kern/sys_generic.c:156
[  90.5795070] sys_read() at netbsd:sys_read+0xd3 sys/kern/sys_generic.c:121
[  90.5795070] sys___syscall() at netbsd:sys___syscall+0x1e4 sy_call sys/sys/syscallvar.h:65 [inline]
[  90.5795070] sys___syscall() at netbsd:sys___syscall+0x1e4 sys/kern/sys_syscall.c:90
[  90.5795070] syscall() at netbsd:syscall+0x28b sy_call sys/sys/syscallvar.h:65 [inline]
[  90.5795070] syscall() at netbsd:syscall+0x28b sy_invoke sys/sys/syscallvar.h:94 [inline]
[  90.5795070] syscall() at netbsd:syscall+0x28b sys/arch/x86/x86/syscall.c:137
[  90.5795070] --- syscall (number 3 via SYS_syscall) ---
[  90.5795070] netbsd:syscall+0x28b:
[  90.5795070] cpu0: End traceback...
[  90.5795070] fatal breakpoint trap in supervisor mode
[  90.5795070] trap type 1 code 0 rip 0xffffffff80235475 cs 0x8 rflags 0x246 cr2 0xc000258408 ilevel 0x8 rsp 0xffffa682484adf00
[  90.5795070] curlwp 0xffffa112cf252040 pid 2363.1345 lowest kstack 0xffffa682484aa2c0
Stopped in pid 2363.1345 (syz-executor.4) at    netbsd:breakpoint+0x5:  leave

Crashes (4):
Time              Kernel  Commit        Syzkaller  Config   Log          Report  Syz repro  C repro  VM info  Assets                     Manager            Title
2024/06/06 15:14  netbsd  e7626d1f1ae1  121701b6   .config  console log  report                                [disk image] [netbsd.gdb]  ci2-netbsd-kubsan  assert failed: vp->v_specnode == sn
2024/06/06 06:29  netbsd  e7626d1f1ae1  121701b6   .config  console log  report                                [disk image] [netbsd.gdb]  ci2-netbsd-kubsan  assert failed: vp->v_specnode == sn
2024/06/03 01:24  netbsd  791da06dc8a6  3113787f   .config  console log  report                                [disk image] [netbsd.gdb]  ci2-netbsd-kubsan  assert failed: vp->v_specnode == sn
2024/06/03 00:25  netbsd  791da06dc8a6  3113787f   .config  console log  report                                [disk image] [netbsd.gdb]  ci2-netbsd-kubsan  assert failed: vp->v_specnode == sn
* Struck through repros no longer work on HEAD.