syzbot


panic:WA RpNoIoNlG_:ca ScPheL_ NitOTe m_LOmWaEgRiEcD_ cOhNe cSkY:S mCAbuLfL pl2 -c1pu8 43f9r5ee68 5l2i sEtX ImTo d0i fa

Status: closed as dup on 2020/05/30 07:37
Reported-by: syzbot+cf47bb7212c30662cb2b@syzkaller.appspotmail.com
First crash: 1637d, last: 1637d
Duplicate of
Title Repro Cause bisect Fix bisect Count Last Reported
pool: cpu free list modified: mbufpl syz 15863 1570d 1856d

Sample crash report:
panic:WA RpNoIoNlG_:ca ScPheL_ NitOTe m_LOmWaEgRiEcD_ cOhNe cSkY:S mCAbuLfL pl2  -c1pu8 43f9r5ee68 5l2i sEtX ImTo d0i fai
e
d:Stopped at      savectx+0xb1:   movl    $0,%gs:0x530
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*115844  47006      0         0x2          0    0  syz-executor.0
 342029  14255      0     0x14000      0x200    1  softnet
savectx() at savectx+0xb1
end of kernel
end trace frame: 0x7f7ffffc1890, count: 14
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{0}> 
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd806d808400+16 0x0!=0xd4ee3057f6d04cad
ddb{0}> trace
savectx() at savectx+0xb1
end of kernel
end trace frame: 0x7f7ffffc1890, count: -1
ddb{0}> show registers
rdi                                0
rsi                                0
rbp               0xffff800020f57120
rbx                                0
rdx                             0x8b
rcx                              0x2
rax                             0x3b
r8                0xffffffff818e80df    kprintf+0x16f
r9                               0x1
r10                              0x2
r11               0xae02a5c2c5db4ea2
r12                                0
r13                                0
r14               0xffff800020ec7d58
r15                                0
rip               0xffffffff81a603f1    savectx+0xb1
cs                               0x8
rflags                          0x46
rsp               0xffff800020f570a0
ss                              0x10
savectx+0xb1:   movl    $0,%gs:0x530
ddb{0}> show proc
PROC (syz-executor.0) pid=115844 stat=onproc
    flags process=2<EXEC,8ORPHAN> proc=0
    pri=16, usrpri=60, nice=20
    forw=0xffffffffffffffff, list=0xffff800020ec6c48,0xffff800020ec6508
    process=0xffff800020e803e8 user=0xffff800020f52000, vmspace=0xfffffd807f0008a0
    estcpu=36, cpticks=1, pctcpu=0.1
    user=0, sys=1, intr=0
ddb{0}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 48517  295268  47006      0  2           0                syz-executor.0
 40087  370601  51015      0  2           0                syz-executor.1
*47006  115844  60651      0  7         0x2                syz-executor.0
 53428  418312      0      0  3     0x14200  bored         sosplice
 51015  453290  60651      0  3        0x82  nanosleep     syz-executor.1
 60651   44461  55717      0  3        0x82  thrsleep      syz-fuzzer
 60651   72712  55717      0  2   0x4000002                syz-fuzzer
 60651  186759  55717      0  3   0x4000082  thrsleep      syz-fuzzer
 60651   93199  55717      0  2   0x4000002                syz-fuzzer
 60651  210182  55717      0  3   0x4000082  thrsleep      syz-fuzzer
 60651  481338  55717      0  3   0x4000082  thrsleep      syz-fuzzer
 60651  200640  55717      0  2   0x4000002                syz-fuzzer
 60651  243711  55717      0  3   0x4000082  thrsleep      syz-fuzzer
 60651  394884  55717      0  3   0x4000082  thrsleep      syz-fuzzer
 60651  482480  55717      0  3   0x4000082  thrsleep      syz-fuzzer
 55717  315529  58654      0  3    0x10008a  pause         ksh
 58654   81308  45461      0  2        0x12                sshd
 36598  171863      1      0  3    0x100083  ttyin         getty
 45461  266332      1      0  3        0x80  select        sshd
 64432  302821    867     74  3    0x100092  bpf           pflogd
   867  512881      1      0  3        0x80  netio         pflogd
 33277    9004   2059     73  3    0x100090  kqread        syslogd
  2059  444293      1      0  3    0x100082  netio         syslogd
 39594  187132      1     77  3    0x100090  poll          dhclient
 13078  524003      1      0  3        0x80  poll          dhclient
 35595  342043      0      0  3     0x14200  bored         smr
 27880  480835      0      0  2     0x14200                zerothread
 64018   42412      0      0  3     0x14200  aiodoned      aiodoned
 33201  355625      0      0  3     0x14200  syncer        update
 77619  380613      0      0  3     0x14200  cleaner       cleaner
 12581  111379      0      0  3     0x14200  reaper        reaper
 92466  222225      0      0  3     0x14200  pgdaemon      pagedaemon
  3116   96963      0      0  3     0x14200  bored         crynlk
 60458  282001      0      0  3     0x14200  bored         crypto
 85966  305481      0      0  3  0x40014200  acpi0         acpi0
 39261  169623      0      0  3  0x40014200                idle1
 14255  342029      0      0  7     0x14200                softnet
 77975  198125      0      0  3     0x14200  bored         systqmp
 41733  331117      0      0  3     0x14200  bored         systq
 69621   59415      0      0  3  0x40014200  bored         softclock
 91087  343397      0      0  3  0x40014200                idle0
     1  351799      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{0}> show all locks
CPU 0:
exclusive mutex &map->flags_lock r = 0 (0xffffffff82544700)
#0  witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0  witness_lock+0x4c7 sys/kern/subr_witness.c:1164
#1  mtx_enter_try+0x102
#2  mtx_enter+0x4b sys/kern/kern_lock.c:266
#3  vm_map_lock_ln+0x7d sys/uvm/uvm_map.c:5437
#4  uvm_map+0x2d0 sys/uvm/uvm_map.c:1236
#5  uvm_km_kmemalloc_pla+0x11d sys/uvm/uvm_km.c:335
#6  uvm_uarea_alloc+0x51 sys/uvm/uvm_glue.c:274
#7  fork1+0x271 sys/kern/kern_fork.c:365
#8  syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#8  syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#9  Xsyscall+0x128
Process 47006 (syz-executor.0) thread 0xffff800020ec7d58 (115844)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82644b58)
#0  witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0  witness_lock+0x4c7 sys/kern/subr_witness.c:1164
#1  syscall+0x400 mi_syscall sys/sys/syscall_mi.h:93 [inline]
#1  syscall+0x400 sys/arch/amd64/amd64/trap.c:570
#2  Xsyscall+0x128
exclusive mutex &map->flags_lock r = 0 (0xffffffff82544700)
#0  witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0  witness_lock+0x4c7 sys/kern/subr_witness.c:1164
#1  mtx_enter_try+0x102
#2  mtx_enter+0x4b sys/kern/kern_lock.c:266
#3  vm_map_lock_ln+0x7d sys/uvm/uvm_map.c:5437
#4  uvm_map+0x2d0 sys/uvm/uvm_map.c:1236
#5  uvm_km_kmemalloc_pla+0x11d sys/uvm/uvm_km.c:335
#6  uvm_uarea_alloc+0x51 sys/uvm/uvm_glue.c:274
#7  fork1+0x271 sys/kern/kern_fork.c:365
#8  syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#8  syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#9  Xsyscall+0x128
Process 14255 (softnet) thread 0xffff800020e18750 (342029)
exclusive rwlock netlock r = 0 (0xffffffff824b2b58)
#0  witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0  witness_lock+0x4c7 sys/kern/subr_witness.c:1164
#1  if_input_process+0x85 sys/net/if.c:941
#2  ifiq_process+0x80 sys/net/ifq.c:646
#3  taskq_thread+0x9c sys/kern/kern_task.c:369
#4  proc_trampoline+0x1c
shared rwlock softnet r = 0 (0xffff80000002b0e0)
#0  witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0  witness_lock+0x4c7 sys/kern/subr_witness.c:1164
#1  taskq_thread+0x8f sys/kern/kern_task.c:368
#2  proc_trampoline+0x1c
ddb{0}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf  9529   6427K    6681K  78643K     11058        0
            pcb    13      8K       8K  78643K        71        0
         rtable    79      3K       4K  78643K       342        0
         ifaddr    74     14K      14K  78643K       130        0
       counters    43     33K      34K  78643K        63        0
       ioctlops     0      0K       4K  78643K      1496        0
            iov     0      0K      16K  78643K        48        0
          mount     1      1K       1K  78643K         1        0
         vnodes  1224     77K      77K  78643K      1405        0
      UFS quota     1     32K      32K  78643K         1        0
      UFS mount     5     36K      36K  78643K         5        0
            shm     2      1K       5K  78643K         8        0
         VM map     2      1K       1K  78643K         2        0
            sem    12      1K       1K  78643K        29        0
        dirhash    12      2K       2K  78643K        12        0
           ACPI  1824    197K     290K  78643K     13058        0
      file desc     6     17K      25K  78643K       468        0
          sigio     0      0K       0K  78643K         2        0
           proc    61     63K      83K  78643K       516        0
        subproc    32      2K       2K  78643K        51        0
    NFS srvsock     1      0K       0K  78643K         1        0
     NFS daemon     1     16K      16K  78643K         1        0
    ip_moptions     0      0K       0K  78643K        31        0
       in_multi    29      1K       2K  78643K        71        0
    ether_multi     1      0K       0K  78643K         8        0
    ISOFS mount     1     32K      32K  78643K         1        0
  MSDOSFS mount     1     16K      16K  78643K         1        0
           ttys    49    228K     228K  78643K        49        0
           exec     0      0K       1K  78643K       237        0
        pagedep     1      8K       8K  78643K         1        0
       inodedep     1     32K      32K  78643K         1        0
         newblk     1      0K       0K  78643K         1        0
        VM swap     7     26K      26K  78643K         7        0
       UVM amap   116     38K      38K  78643K      2278        0
       UVM aobj    16      2K       2K  78643K        18        0
        memdesc     1      4K       4K  78643K         1        0
    crypto data     1      1K       1K  78643K         1        0
    ip6_options     0      0K       0K  78643K        42        0
            NDP    13      0K       0K  78643K        29        0
           temp   108   3035K    3099K  78643K      6011        0
         kqueue     3      4K      12K  78643K        19        0
      SYN cache     2     16K      16K  78643K         2        0
ddb{0}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp         64        8    0        2     1     0     1     1     0     8    0
plcache    128       20    0        0     1     0     1     1     0     8    0
rtpcb       80       46    0       44     1     0     1     1     0     8    0
rtentry    112       61    0       33     2     0     2     2     0     8    0
unpcb      120      173    0      163     1     0     1     1     0     8    0
syncache   264        4    0        4     1     1     0     1     0     8    0
tcpqe       32      985    0      985     1     1     0     1     0     8    0
tcpcb      544      100    0       96     1     0     1     1     0     8    0
inpcb      280     1057    0     1050     2     1     1     2     0     8    0
nd6         48        9    0        6     1     0     1     1     0     8    0
pkpcb       40        1    0        1     1     1     0     1     0     8    0
ppxss      1128       2    0        2     2     1     1     1     0     8    1
pffrag     232        3    0        3     1     1     0     1     0   482    0
pffrnode    88        3    0        3     1     1     0     1     0     8    0
pffrent     40       93    0       93     1     1     0     1     0     8    0
pfosfp      40      846    0      423     5     0     5     5     0     8    0
pfosfpen   112     1428    0      714    21     0    21    21     0     8    0
pfstitem    24       34    0        9     1     0     1     1     0     8    0
pfstkey    112       34    0        9     1     0     1     1     0     8    0
pfstate    328       34    0        9     3     0     3     3     0     8    0
pfrule     1360      21    0       16     2     1     1     2     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      247    0      137    14     4    10    13     0     8    0
art_table   32      248    0      137     2     0     2     2     0     8    0
art_node    16       59    0       36     1     0     1     1     0     8    0
sysvmsgpl   40        6    0        2     1     0     1     1     0     8    0
semupl     112        2    0        2     1     1     0     1     0     8    0
semapl     112       20    0       10     1     0     1     1     0     8    0
shmpl      112       16    0        2     1     0     1     1     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino2pl    256     2004    0      599    89     0    89    89     0     8    0
ffsino     272     2004    0      599    95     0    95    95     0     8    0
nchpl      144     2804    0     1211    60     0    60    60     0     8    0
uvmvnodes   72     2179    0        0    40     0    40    40     0     8    0
vnodes     208     2179    0        0   115     0   115   115     0     8    0
namei      1024    7470    0     7470     2     1     1     1     0     8    1
percpumem   16       42    0       10     1     0     1     1     0     8    0
vcpupl     1984       2    0        0     1     0     1     1     0     8    0
vmpool     560        4    0        2     1     0     1     1     0     8    0
scxspl     192     8890    0     8890     8     7     1     7     0     8    1
plimitpl   152       48    0       40     1     0     1     1     0     8    0
sigapl     424      681    0      648     4     0     4     4     0     8    0
futexpl     56     5237    0     5237     2     1     1     1     0     8    1
knotepl    112       91    0       72     1     0     1     1     0     8    0
kqueuepl   144       37    0       35     1     0     1     1     0     8    0
pipelkpl    48      119    0      109     1     0     1     1     0     8    0
pipepl     120      238    0      219     1     0     1     1     0     8    0
fdescpl    496      665    0      648     3     0     3     3     0     8    0
filepl     152     3636    0     3536     5     0     5     5     0     8    1
lockfpl    104       84    0       83     1     0     1     1     0     8    0
lockfspl    48       23    0       22     1     0     1     1     0     8    0
sessionpl  112       19    0        8     1     0     1     1     0     8    0
pgrppl      48       19    0        8     1     0     1     1     0     8    0
ucredpl     96      235    0      226     1     0     1     1     0     8    0
zombiepl   144      648    0      648     1     0     1     1     0     8    1
processpl  984      681    0      648     5     0     5     5     0     8    0
procpl     624     1467    0     1425     4     0     4     4     0     8    0
srpgc       64        2    0        2     1     1     0     1     0     8    0
sosppl     128        4    0        4     1     1     0     1     0     8    0
sockpl     400     1281    0     1262     4     1     3     4     0     8    1
mcl64k     65536     14    0        0     2     0     2     2     0     8    0
mcl12k     12288      5    0        0     1     0     1     1     0     8    0
mcl9k      9216       2    0        0     1     0     1     1     0     8    0
mcl8k      8192       6    0        0     1     0     1     1     0     8    0
mcl4k      4096       5    0        0     1     0     1     1     0     8    0
mcl2k2     2112       1    0        0     1     0     1     1     0     8    0
mcl2k      2048     202    0        0    25     0    25    25     0     8    0
mtagpl      80       21    0        0     1     0     1     1     0     8    0
mbufpl     256      468    0        0    29     0    29    29     0     8    0
bufpl      280     4852    0      141   337     0   337   337     0     8    0
anonpl      16    80644    0    66144    70     9    61    69     0   124    0
amapchunkpl 152    3051    0     2922     9     3     6     8     0   158    0
amappl16   192     3372    0     2563    53    11    42    53     0     8    0
amappl15   184        2    0        1     2     1     1     1     0     8    0
amappl14   176       23    0       18     1     0     1     1     0     8    0
amappl13   168       44    0       40     1     0     1     1     0     8    0
amappl12   160      374    0      371     1     0     1     1     0     8    0
amappl11   152       78    0       62     1     0     1     1     0     8    0
amappl10   144       71    0       65     1     0     1     1     0     8    0
amappl9    136      391    0      389     1     0     1     1     0     8    0
amappl8    128      357    0      328     2     0     2     2     0     8    0
amappl7    120      174    0      162     1     0     1     1     0     8    0
amappl6    112       25    0       20     1     0     1     1     0     8    0
amappl5    104      784    0      769     1     0     1     1     0     8    0
amappl4     96      503    0      474     1     0     1     1     0     8    0
amappl3     88      120    0      114     1     0     1     1     0     8    0
amappl2     80     3740    0     3675     2     0     2     2     0     8    0
amappl1     72    22728    0    22300    23    13    10    18     0     8    0
amappl      80     1732    0     1689     2     0     2     2     0    84    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      64       17    0        2     1     0     1     1     0     8    0
uaddrrnd    24      669    0      650     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      669    0      650     1     0     1     1     0     8    0
vmmpekpl   168     8236    0     8196     2     0     2     2     0     8    0
vmmpepl    168    87006    0    85003   127    20   107   117     0   357   16
vmsppl     368      668    0      650     2     0     2     2     0     8    0
pdppl      4096    1346    0     1302     6     0     6     6     0     8    0
pvpl        32   261772    0   244193   171     8   163   171     0   265   16
pmappl     232      668    0      650     3     1     2     2     0     8    0
extentpl    40       53    0       36     1     0     1     1     0     8    0
phpool     112      283    0        9     8     0     8     8     0     8    0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
savectx() at savectx+0xb1
end of kernel
end trace frame: 0x7f7ffffc1890, count: -1
ddb{0}> machine ddbcpu 1
Stopped at      x86_ipi_db+0x1a:        addq    $0x8,%rsp
x86_ipi_db(ffff800020e00ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:352
x86_ipi_handler() at x86_ipi_handler+0xc6 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
x86_bus_space_io_write_1(3f8,0,3a) at x86_bus_space_io_write_1+0x45 sys/arch/amd64/amd64/bus_space.c:759
comcnputc(800,3a) at comcnputc+0x131 bus_space_barrier machine/bus.h:481 [inline]
comcnputc(800,3a) at comcnputc+0x131 sys/dev/ic/com.c:1254
cnputc(3a) at cnputc+0x4c sys/dev/cons.c:239
kputchar(3a,5,0) at kputchar+0x219 sys/kern/subr_prf.c:343
kprintf() at kprintf+0x15c sys/kern/subr_prf.c:700
panic(ffffffff821fac58) at panic+0xf3 vprintf sys/kern/subr_prf.c:528 [inline]
panic(ffffffff821fac58) at panic+0xf3 sys/kern/subr_prf.c:197
pool_cache_get(ffffffff826919c8) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1781 [inline]
pool_cache_get(ffffffff826919c8) at pool_cache_get+0x323 sys/kern/subr_pool.c:1884
pool_get(ffffffff826919c8,2) at pool_get+0x91 sys/kern/subr_pool.c:572
m_gethdr(2,2) at m_gethdr+0x4c sys/kern/uipc_mbuf.c:283
tcp_output(ffff800000a0aee0) at tcp_output+0x14e6
tcp_input(ffff800020e398e8,ffff800020e398f4,6,2) at tcp_input+0x2356
end trace frame: 0xffff800020e397a0, count: 0
ddb{1}> trace
x86_ipi_db(ffff800020e00ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:352
x86_ipi_handler() at x86_ipi_handler+0xc6 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
x86_bus_space_io_write_1(3f8,0,3a) at x86_bus_space_io_write_1+0x45 sys/arch/amd64/amd64/bus_space.c:759
comcnputc(800,3a) at comcnputc+0x131 bus_space_barrier machine/bus.h:481 [inline]
comcnputc(800,3a) at comcnputc+0x131 sys/dev/ic/com.c:1254
cnputc(3a) at cnputc+0x4c sys/dev/cons.c:239
kputchar(3a,5,0) at kputchar+0x219 sys/kern/subr_prf.c:343
kprintf() at kprintf+0x15c sys/kern/subr_prf.c:700
panic(ffffffff821fac58) at panic+0xf3 vprintf sys/kern/subr_prf.c:528 [inline]
panic(ffffffff821fac58) at panic+0xf3 sys/kern/subr_prf.c:197
pool_cache_get(ffffffff826919c8) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1781 [inline]
pool_cache_get(ffffffff826919c8) at pool_cache_get+0x323 sys/kern/subr_pool.c:1884
pool_get(ffffffff826919c8,2) at pool_get+0x91 sys/kern/subr_pool.c:572
m_gethdr(2,2) at m_gethdr+0x4c sys/kern/uipc_mbuf.c:283
tcp_output(ffff800000a0aee0) at tcp_output+0x14e6
tcp_input(ffff800020e398e8,ffff800020e398f4,6,2) at tcp_input+0x2356
ip_deliver(ffff800020e398e8,ffff800020e398f4,6,2) at ip_deliver+0x353 sys/netinet/ip_input.c:668
ip_ours(ffff800020e398e8,ffff800020e398f4,ffff800020e18750,0) at ip_ours+0x412
ip_input_if(ffff800020e398e8,ffff800020e398f4,4,0,ffff80000017b2a8) at ip_input_if+0x6ce
ipv4_input(ffff80000017b2a8,fffffd8064c1f400) at ipv4_input+0x48 sys/netinet/ip_input.c:215
ether_input(ffff80000017b2a8,fffffd8064c1f400,0) at ether_input+0x345 sys/net/if_ethersubr.c:461
if_input_process(ffff80000017b2a8,ffff800020e39a18) at if_input_process+0x10b if_ih_input sys/net/if.c:908 [inline]
if_input_process(ffff80000017b2a8,ffff800020e39a18) at if_input_process+0x10b sys/net/if.c:942
ifiq_process(ffff80000017b6a0) at ifiq_process+0x80 sys/net/ifq.c:646
taskq_thread(ffff80000002b080) at taskq_thread+0x9c sys/kern/kern_task.c:369
end trace frame: 0x0, count: -22

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/05/30 04:56 openbsd d0e5c0ea53c9 954bd312 .config console log report ci-openbsd-multicore
* Struck through repros no longer work on HEAD.