syzbot


panic: pool_cache_item_magic_check: mbufpWlA RcNpIuN Gf:r eSeP Ll iNstO Tm oLdifOiWEeRdED: OiNt eSmYS CaAdLdLr 1306x -

Status: closed as dup on 2020/04/18 07:58
Reported-by: syzbot+b57dab58c5ff5979dcd0@syzkaller.appspotmail.com
First crash: 1679d, last: 1679d
Duplicate of
Title Repro Cause bisect Fix bisect Count Last Reported
pool: cpu free list modified: mbufpl syz 15863 1570d 1856d

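Sample crash report (the first line is garbled because two console messages were printed interleaved character by character: the mbufpl pool panic and a "WARNING: SPL NOT LOWERED ON SYSCALL" message. The intact panic string appears under `show panic` below; its magic-check mismatch reports that an mbufpl item was modified while it sat on the per-CPU free list):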
panic: pool_cache_item_magic_check: mbufpWlA RcNpIuN Gf:r eSeP Ll iNstO Tm oLdifOiWEeRdED:  OiNt eSmYS CaAdLdLr  1306x -f2ff39f7f1d28 0E7XfI0T1 e60 090
+
16Stopped at      savectx+0xb1:   movl    $0,%gs:0x530
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
* 61888  65740      0         0x2          0    0  syz-executor.0
 150230  53860      0     0x14000      0x200    1  softnet
savectx() at savectx+0xb1
end of kernel
end trace frame: 0x7f7ffffc5810, count: 14
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{0}> 
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd807f01e600+16 0x0!=0x7e98d6dc37f89af4
ddb{0}> trace
savectx() at savectx+0xb1
end of kernel
end trace frame: 0x7f7ffffc5810, count: -1
ddb{0}> show registers
rdi                                0
rsi                                0
rbp               0xffff800020f8b580
rbx                                0
rdx               0xffff800020e6d388
rcx                                0
rax                             0x39
r8                0xffffffff81ce227f    kprintf+0x16f
r9                               0x1
r10                             0x25
r11               0x1c6cc8b14a823a10
r12                                0
r13                                0
r14               0xffff800020e6d388
r15                                0
rip               0xffffffff815413f1    savectx+0xb1
cs                               0x8
rflags                          0x46
rsp               0xffff800020f8b500
ss                              0x10
savectx+0xb1:   movl    $0,%gs:0x530
ddb{0}> show proc
PROC (syz-executor.0) pid=61888 stat=onproc
    flags process=2<EXEC,8ORPHAN> proc=0
    pri=17, usrpri=86, nice=20
    forw=0xffffffffffffffff, list=0xffff800020e6c9c8,0xffff800020ec6ec8
    process=0xffff800020e80b98 user=0xffff800020f86000, vmspace=0xfffffd807efff170
    estcpu=36, cpticks=1, pctcpu=0.10
    user=0, sys=1, intr=0
ddb{0}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 31466  225082     68      0  2           0                syz-executor.1
 31466  223072     68      0  3   0x4000080  netcon        syz-executor.1
 79520  169170      0      0  3     0x14200  bored         sosplice
*65740   61888   9402      0  7         0x2                syz-executor.0
    68  458702   9402      0  3        0x82  nanosleep     syz-executor.1
  9402  357401  53620      0  3        0x82  thrsleep      syz-fuzzer
  9402  462710  53620      0  3   0x4000082  nanosleep     syz-fuzzer
  9402  274159  53620      0  3   0x4000082  thrsleep      syz-fuzzer
  9402  148022  53620      0  3   0x4000082  thrsleep      syz-fuzzer
  9402  213038  53620      0  3   0x4000082  thrsleep      syz-fuzzer
  9402  126134  53620      0  3   0x4000082  thrsleep      syz-fuzzer
  9402  311353  53620      0  3   0x4000082  thrsleep      syz-fuzzer
  9402  273473  53620      0  3   0x4000082  thrsleep      syz-fuzzer
  9402     252  53620      0  3   0x4000082  kqread        syz-fuzzer
  9402  414488  53620      0  3   0x4000082  thrsleep      syz-fuzzer
 53620   35769  63121      0  3    0x10008a  pause         ksh
 63121  273575  36805      0  3        0x92  select        sshd
 56666  389505      1      0  3    0x100083  ttyin         getty
 36805  278705      1      0  3        0x80  select        sshd
 47857   71148  15856     74  3    0x100092  bpf           pflogd
 15856   91491      1      0  3        0x80  netio         pflogd
 45642  493433  56791     73  3    0x100090  kqread        syslogd
 56791  326380      1      0  3    0x100082  netio         syslogd
 74571  181055      1     77  3    0x100090  poll          dhclient
  7671  169553      1      0  3        0x80  poll          dhclient
 15547  130897      0      0  3     0x14200  bored         smr
 27073  315539      0      0  3     0x14200  pgzero        zerothread
 79571  156872      0      0  3     0x14200  aiodoned      aiodoned
 74888  220703      0      0  3     0x14200  syncer        update
  1090  431237      0      0  3     0x14200  cleaner       cleaner
  1635  423720      0      0  3     0x14200  reaper        reaper
 51031  129589      0      0  3     0x14200  pgdaemon      pagedaemon
  6926   54092      0      0  3     0x14200  bored         crynlk
 32191  132667      0      0  3     0x14200  bored         crypto
 40092   89395      0      0  3  0x40014200  acpi0         acpi0
 71179   25625      0      0  3  0x40014200                idle1
 53860  150230      0      0  7     0x14200                softnet
  1885  405497      0      0  3     0x14200  bored         systqmp
 51234   41995      0      0  3     0x14200  bored         systq
   409  435325      0      0  3  0x40014200  bored         softclock
 71898  438189      0      0  3  0x40014200                idle0
     1  483852      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{0}> show all locks
CPU 0:
exclusive mutex scxspl r = 0 (0xffffffff8263d4c8)
#0  witness_lock+0x4c5 sys/kern/subr_witness.c:1164
#1  mtx_enter_try+0x102
#2  mtx_enter+0x4b sys/kern/kern_lock.c:266
#3  pool_get+0xbf sys/kern/subr_pool.c:578
#4  scsi_xs_io+0x4d sys/scsi/scsi_base.c:760
#5  scsi_xsh_ioh+0x35 sys/scsi/scsi_base.c:607
#6  scsi_iopool_run+0x129 scsi_ioh_pending sys/scsi/scsi_base.c:404 [inline]
#6  scsi_iopool_run+0x129 sys/scsi/scsi_base.c:420
#7  scsi_xsh_runqueue+0x210 sys/scsi/scsi_base.c:596
#8  scsi_xsh_add+0xc9 sys/scsi/scsi_base.c:535
#9  sdstrategy+0x187 sys/scsi/sd.c:585
#10 spec_strategy+0x74 sys/kern/spec_vnops.c:468
#11 ufs_strategy+0x17c
#12 VOP_STRATEGY+0x99 sys/kern/vfs_vops.c:712
#13 bwrite+0x1b9 sys/kern/vfs_bio.c:756
#14 VOP_BWRITE+0x4a sys/kern/vfs_vops.c:724
#15 ufs_mkdir+0x6b7 sys/ufs/ufs/ufs_vnops.c:1248
#16 VOP_MKDIR+0xc6 sys/kern/vfs_vops.c:450
#17 domkdirat+0x121 sys/kern/vfs_syscalls.c:3051
#18 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#18 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
Process 65740 (syz-executor.0) thread 0xffff800020e6d388 (61888)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff8268ff78)
#0  witness_lock+0x4c5 sys/kern/subr_witness.c:1164
#1  __mp_acquire_count+0x51 sys/kern/kern_lock.c:227
#2  mi_switch+0x392 sys/kern/sched_bsd.c:435
#3  sleep_finish+0x113 sys/kern/kern_synch.c:418
#4  sleep_finish_all+0x32 sleep_finish_timeout sys/kern/kern_synch.c:447 [inline]
#4  sleep_finish_all+0x32 sys/kern/kern_synch.c:393
#5  tsleep+0x1cc sys/kern/kern_synch.c:155
#6  biowait+0xa6 sys/kern/vfs_bio.c:1255
#7  bwrite+0x1e4 sys/kern/vfs_bio.c:765
#8  ffs_update+0x2c2 sys/ufs/ffs/ffs_inode.c:113
#9  ufs_mkdir+0x665 sys/ufs/ufs/ufs_vnops.c:1232
#10 VOP_MKDIR+0xc6 sys/kern/vfs_vops.c:450
#11 domkdirat+0x121 sys/kern/vfs_syscalls.c:3051
#12 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#12 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#13 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd806ed4e3c8)
#0  witness_lock+0x4c5 sys/kern/subr_witness.c:1164
#1  rw_enter+0x453 sys/kern/kern_rwlock.c:311
#2  rrw_enter+0x88 sys/kern/kern_rwlock.c:462
#3  ufs_ihashins+0x45 sys/ufs/ufs/ufs_ihash.c:140
#4  ffs_vget+0x13e sys/ufs/ffs/ffs_vfsops.c:1358
#5  ffs_inode_alloc+0x1cf sys/ufs/ffs/ffs_alloc.c:392
#6  ufs_mkdir+0xf4 sys/ufs/ufs/ufs_vnops.c:1162
#7  VOP_MKDIR+0xc6 sys/kern/vfs_vops.c:450
#8  domkdirat+0x121 sys/kern/vfs_syscalls.c:3051
#9  syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#9  syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#10 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd806b3866f8)
#0  witness_lock+0x4c5 sys/kern/subr_witness.c:1164
#1  rw_enter+0x453 sys/kern/kern_rwlock.c:311
#2  rrw_enter+0x88 sys/kern/kern_rwlock.c:462
#3  VOP_LOCK+0x4b sys/kern/vfs_vops.c:603
#4  vn_lock+0x81 sys/kern/vfs_vnops.c:575
#5  vfs_lookup+0xe6 sys/kern/vfs_lookup.c:419
#6  namei+0x63c sys/kern/vfs_lookup.c:249
#7  domkdirat+0x75 sys/kern/vfs_syscalls.c:3036
#8  syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#8  syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#9  Xsyscall+0x128
exclusive mutex scxspl r = 0 (0xffffffff8263d4c8)
#0  witness_lock+0x4c5 sys/kern/subr_witness.c:1164
#1  mtx_enter_try+0x102
#2  mtx_enter+0x4b sys/kern/kern_lock.c:266
#3  pool_get+0xbf sys/kern/subr_pool.c:578
#4  scsi_xs_io+0x4d sys/scsi/scsi_base.c:760
#5  scsi_xsh_ioh+0x35 sys/scsi/scsi_base.c:607
#6  scsi_iopool_run+0x129 scsi_ioh_pending sys/scsi/scsi_base.c:404 [inline]
#6  scsi_iopool_run+0x129 sys/scsi/scsi_base.c:420
#7  scsi_xsh_runqueue+0x210 sys/scsi/scsi_base.c:596
#8  scsi_xsh_add+0xc9 sys/scsi/scsi_base.c:535
#9  sdstrategy+0x187 sys/scsi/sd.c:585
#10 spec_strategy+0x74 sys/kern/spec_vnops.c:468
#11 ufs_strategy+0x17c
#12 VOP_STRATEGY+0x99 sys/kern/vfs_vops.c:712
#13 bwrite+0x1b9 sys/kern/vfs_bio.c:756
#14 VOP_BWRITE+0x4a sys/kern/vfs_vops.c:724
#15 ufs_mkdir+0x6b7 sys/ufs/ufs/ufs_vnops.c:1248
#16 VOP_MKDIR+0xc6 sys/kern/vfs_vops.c:450
#17 domkdirat+0x121 sys/kern/vfs_syscalls.c:3051
#18 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#18 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
Process 53860 (softnet) thread 0xffff800020e18270 (150230)
exclusive rwlock netlock r = 0 (0xffffffff82494738)
#0  witness_lock+0x4c5 sys/kern/subr_witness.c:1164
#1  if_input_process+0x84 sys/net/if.c:941
#2  ifiq_process+0x80 sys/net/ifq.c:646
#3  taskq_thread+0x9c sys/kern/kern_task.c:369
#4  proc_trampoline+0x1c
shared rwlock softnet r = 0 (0xffff80000002b0e0)
#0  witness_lock+0x4c5 sys/kern/subr_witness.c:1164
#1  taskq_thread+0x8f sys/kern/kern_task.c:368
#2  proc_trampoline+0x1c
ddb{0}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf  9484   6402K    6660K  78643K     10725        0
            pcb    13      8K       8K  78643K        31        0
         rtable   109      3K       3K  78643K       253        0
         ifaddr    57     13K      14K  78643K        84        0
       counters    43     33K      34K  78643K        53        0
       ioctlops     0      0K       4K  78643K      1482        0
            iov     0      0K       8K  78643K         5        0
          mount     1      1K       1K  78643K         1        0
         vnodes  1217     77K      77K  78643K      1262        0
      UFS quota     1     32K      32K  78643K         1        0
      UFS mount     5     36K      36K  78643K         5        0
            shm     2      1K       5K  78643K         4        0
         VM map     2      1K       1K  78643K         2        0
            sem     9      0K       1K  78643K        12        0
        dirhash    12      2K       2K  78643K        12        0
           ACPI  1809    196K     290K  78643K     12766        0
      file desc     5     13K      25K  78643K       128        0
          sigio     0      0K       0K  78643K         2        0
           proc    61     63K      95K  78643K       459        0
        subproc    32      2K       2K  78643K        34        0
    NFS srvsock     1      0K       0K  78643K         1        0
     NFS daemon     1     16K      16K  78643K         1        0
    ip_moptions     0      0K       0K  78643K       119        0
       in_multi    59      3K       3K  78643K        73        0
    ether_multi     1      0K       0K  78643K         4        0
            mrt     0      0K       0K  78643K         2        0
    ISOFS mount     1     32K      32K  78643K         1        0
  MSDOSFS mount     1     16K      16K  78643K         1        0
           ttys    49    228K     228K  78643K        49        0
           exec     0      0K       1K  78643K       222        0
        pagedep     1      8K       8K  78643K         1        0
       inodedep     1     32K      32K  78643K         1        0
         newblk     1      0K       0K  78643K         1        0
        VM swap     7     26K      26K  78643K         7        0
       UVM amap   103     53K      62K  78643K      1320        0
       UVM aobj    11      2K       2K  78643K        12        0
        memdesc     1      4K       4K  78643K         1        0
    crypto data     1      1K       1K  78643K         1        0
    ip6_options     0      0K       0K  78643K        20        0
            NDP     7      0K       0K  78643K        16        0
           temp    74   3036K    3100K  78643K      3901        0
         kqueue     3      4K       8K  78643K        17        0
      SYN cache     2     16K      16K  78643K         2        0
ddb{0}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp         64        8    0        1     1     0     1     1     0     8    0
plcache    128       20    0        0     1     0     1     1     0     8    0
rtpcb       80       25    0       23     1     0     1     1     0     8    0
rtentry    112       51    0        5     2     0     2     2     0     8    0
unpcb      120       75    0       65     1     0     1     1     0     8    0
syncache   264        4    0        4     1     1     0     1     0     8    0
tcpqe       32       61    0       61     1     1     0     1     0     8    0
tcpcb      544      106    0      101     1     0     1     1     0     8    0
inpcb      280      201    0      193     2     0     2     2     0     8    1
rttmr       72        1    0        1     1     0     1     1     0     8    1
nd6         48        6    0        0     1     0     1     1     0     8    0
pfosfp      40      846    0      423     5     0     5     5     0     8    0
pfosfpen   112     1428    0      714    21     0    21    21     0     8    0
pfstitem    24       20    0        1     1     0     1     1     0     8    0
pfstkey    112       20    0        1     1     0     1     1     0     8    0
pfstate    328       20    0        1     2     0     2     2     0     8    0
pfrule     1360      21    0       16     2     1     1     2     0     8    0
art_heap8  4096       2    0        0     2     0     2     2     0     8    0
art_heap4  256      204    0        2    13     0    13    13     0     8    0
art_table   32      206    0        2     2     0     2     2     0     8    0
art_node    16       50    0        8     1     0     1     1     0     8    0
sysvmsgpl   40        4    0        4     1     0     1     1     0     8    1
semapl     112        8    0        1     1     0     1     1     0     8    0
shmpl      112       10    0        1     1     0     1     1     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino2pl    256     1557    0      152    89     0    89    89     0     8    0
ffsino     272     1557    0      152    94     0    94    94     0     8    0
nchpl      144     1961    0      346    61     0    61    61     0     8    0
uvmvnodes   72     1631    0        0    30     0    30    30     0     8    0
vnodes     208     1631    0        0    86     0    86    86     0     8    0
namei      1024    5175    0     5175     1     0     1     1     0     8    1
percpumem   16       37    0        5     1     0     1     1     0     8    0
vcpupl     1984       3    0        0     1     0     1     1     0     8    0
vmpool     560        9    0        6     1     0     1     1     0     8    0
scxspl     192     5713    0     5713     8     1     7     7     0     8    7
plimitpl   152       23    0       15     1     0     1     1     0     8    0
sigapl     424      344    0      312     4     0     4     4     0     8    0
futexpl     56     1670    0     1670     1     0     1     1     0     8    1
knotepl    112       63    0       44     1     0     1     1     0     8    0
kqueuepl   144       21    0       18     1     0     1     1     0     8    0
pipelkpl    48       98    0       88     1     0     1     1     0     8    0
pipepl     120      196    0      177     1     0     1     1     0     8    0
fdescpl    496      328    0      312     3     0     3     3     0     8    0
filepl     152     1811    0     1707     5     0     5     5     0     8    0
lockfpl    104       40    0       39     1     0     1     1     0     8    0
lockfspl    48       12    0       11     1     0     1     1     0     8    0
sessionpl  112       18    0        7     1     0     1     1     0     8    0
pgrppl      48       20    0        9     1     0     1     1     0     8    0
ucredpl     96      119    0      110     1     0     1     1     0     8    0
zombiepl   144      312    0      312     1     0     1     1     0     8    1
processpl  984      344    0      312     5     0     5     5     0     8    0
procpl     624      564    0      522     4     0     4     4     0     8    0
sosppl     128        4    0        4     1     0     1     1     0     8    1
sockpl     400      301    0      280     4     0     4     4     0     8    1
mcl64k     65536      3    0        0     1     0     1     1     0     8    0
mcl16k     16384      1    0        0     1     0     1     1     0     8    0
mcl12k     12288      2    0        0     1     0     1     1     0     8    0
mcl9k      9216       3    0        0     1     0     1     1     0     8    0
mcl8k      8192       1    0        0     1     0     1     1     0     8    0
mcl4k      4096       3    0        0     1     0     1     1     0     8    0
mcl2k      2048     188    0        0    23     0    23    23     0     8    0
mtagpl      80       11    0        0     1     0     1     1     0     8    0
mbufpl     256      197    0        0    12     0    12    12     0     8    0
bufpl      280     4249    0      190   290     0   290   290     0     8    0
anonpl      16    48712    0    34372    74     1    73    73     0   124   14
amapchunkpl 152    1764    0     1620    11     0    11    11     0   158    4
amappl16   192     1524    0      755    50     0    50    50     0     8   11
amappl15   184        2    0        1     2     1     1     1     0     8    0
amappl14   176       22    0       18     1     0     1     1     0     8    0
amappl13   168       26    0       25     1     0     1     1     0     8    0
amappl12   160       15    0       14     2     1     1     1     0     8    0
amappl11   152      150    0      131     1     0     1     1     0     8    0
amappl10   144       18    0       14     1     0     1     1     0     8    0
amappl9    136      397    0      393     1     0     1     1     0     8    0
amappl8    128      290    0      277     1     0     1     1     0     8    0
amappl7    120      118    0      107     1     0     1     1     0     8    0
amappl6    112      121    0      113     1     0     1     1     0     8    0
amappl5    104      182    0      168     1     0     1     1     0     8    0
amappl4     96      530    0      499     1     0     1     1     0     8    0
amappl3     88      112    0      107     1     0     1     1     0     8    0
amappl2     80     1699    0     1628     3     1     2     3     0     8    0
amappl1     72    17285    0    16845    25    14    11    20     0     8    1
amappl      80      820    0      771     2     0     2     2     0    84    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      64       11    0        1     1     0     1     1     0     8    0
uaddrrnd    24      337    0      318     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      337    0      318     1     0     1     1     0     8    0
vmmpekpl   168     6552    0     6521     2     0     2     2     0     8    0
vmmpepl    168    46985    0    45078   105     6    99    99     0   357   12
vmsppl     368      336    0      318     2     0     2     2     0     8    0
pdppl      4096     682    0      639     6     0     6     6     0     8    0
pvpl        32   157490    0   140004   176     0   176   176     0   265   34
pmappl     232      336    0      318     2     0     2     2     0     8    0
extentpl    40       46    0       29     1     0     1     1     0     8    0
phpool     112      262    0        3     8     0     8     8     0     8    0

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/04/18 02:40 openbsd 6a1018b17955 435c6d53 .config console log report ci-openbsd-multicore
* Struck through repros no longer work on HEAD.