syzbot

 sign-in | mailing list | source | docs
🐞 Open [144]
🐞 Fixed [274]
🐞 Invalid [739]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

panic: pool_p_free: semupl free list modified: page ADDR; item addr ADDR; offset 0x0=ADDR

Status: fixed on 2019/02/08 08:15
Reported-by: syzbot+dbe8f002f8051f26f6fe@syzkaller.appspotmail.com
Fix commit: When freeing the sem_undo structure in semundo_adjust(), update the
First crash: 2234d, last: 2113d

Sample crash report:
login: panic: pool_p_free: semupl free list modified: page 0xffffff006d4e6000; item addr 0xffffff006d4e6ee0; offset 0x0=0xdead4111
Stopped at      db_enter+0xa:   popq    %rbp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
 362715  55485      0         0x2      0x480    0  syz-executor5779
* 73677  94006      0     0x14000      0x200    1  systqmp
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
pool_p_free(ffffffff81ed80f8,0) at pool_p_free+0x18e sys/kern/subr_pool.c:1004
pool_gc_pages(ffffffff815c7770) at pool_gc_pages+0x1f5 sys/kern/subr_pool.c:1586
taskq_thread(0) at taskq_thread+0xa2 sys/kern/kern_task.c:309
end trace frame: 0x0, count: 10
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{1}> 
ddb{1}> set $lines = 0
ddb{1}> show panic
pool_p_free: semupl free list modified: page 0xffffff006d4e6000; item addr 0xffffff006d4e6ee0; offset 0x0=0xdead4111
ddb{1}> trace
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
pool_p_free(ffffffff81ed80f8,0) at pool_p_free+0x18e sys/kern/subr_pool.c:1004
pool_gc_pages(ffffffff815c7770) at pool_gc_pages+0x1f5 sys/kern/subr_pool.c:1586
taskq_thread(0) at taskq_thread+0xa2 sys/kern/kern_task.c:309
end trace frame: 0x0, count: -5
ddb{1}> show registers
rdi               0xffffffff81e208b8    kprintf_mutex
rsi                              0x5
rbp               0xffff80002104bbb0
rbx               0xffff80002104bc50
rdx                            0x3fd
rcx                                0
rax                              0x1
r8                0xffff80002104bb80
r9                0x8080808080808080
r10                                0
r11               0xffffffff816da490    x86_bus_space_io_read_1
r12                     0x3000000008
r13               0xffff80002104bbc0
r14                            0x100
r15               0xffffffff81c3b433    apollo_udma100_tim+0xe293
rip               0xffffffff8125fcba    db_enter+0xa
cs                               0x8
rflags                         0x202
rsp               0xffff80002104bbb0
ss                              0x10
db_enter+0xa:   popq    %rbp
ddb{1}> show proc
PROC (systqmp) pid=73677 stat=onproc
    flags process=14000<NOZOMBIE,SYSTEM> proc=200<SYSTEM>
    pri=32, usrpri=51, nice=20
    forw=0xffffffffffffffff, list=0xffff800021030bb8,0xffff800021030010
    process=0xffff800021032978 user=0xffff800021046000, vmspace=0xffffffff81efbef0
    estcpu=1, cpticks=1, pctcpu=0.0
    user=0, sys=1, intr=0
ddb{1}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 55485  362715  53640      0  7       0x482                syz-executor5779
 53640    3444  65332      0  3    0x10008a  pause         ksh
 65332  518487  56204      0  3        0x92  select        sshd
 87935  104325      1      0  3    0x100083  ttyin         getty
 56204  406125      1      0  3        0x80  select        sshd
 91478  135306  25187     73  3    0x100090  kqread        syslogd
 25187  477137      1      0  3    0x100082  netio         syslogd
 78702  457850      1     77  3    0x100090  poll          dhclient
 67694  402241      1      0  3        0x80  poll          dhclient
 56049  126278      0      0  3     0x14200  pgzero        zerothread
 67622  327451      0      0  3     0x14200  aiodoned      aiodoned
 58186  172580      0      0  3     0x14200  syncer        update
 93712  246055      0      0  3     0x14200  cleaner       cleaner
 63610   66195      0      0  3     0x14200  reaper        reaper
 86908  489372      0      0  3     0x14200  pgdaemon      pagedaemon
 49789  263503      0      0  3     0x14200  bored         crynlk
 19364  132853      0      0  3     0x14200  bored         crypto
 56354  232881      0      0  3  0x40014200  acpi0         acpi0
 92359  143245      0      0  3  0x40014200                idle1
 32475   53911      0      0  3     0x14200  bored         softnet
*94006   73677      0      0  7     0x14200                systqmp
  2203  378251      0      0  3     0x14200  bored         systq
 71596  437611      0      0  3  0x40014200  bored         softclock
 99976  350407      0      0  3  0x40014200                idle0
     1  196263      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{1}>

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/12/30 10:22 openbsd 1a6243b7c046 35e3f847 .config console log report syz C ci-openbsd-multicore
2019/02/08 03:01 openbsd 6e31582a5a78 aa4feb03 .config console log report ci-openbsd-multicore
2018/11/29 09:38 openbsd 53d61c88d76d 4b6d14f2 console log report ci-openbsd-main
2018/10/29 03:02 openbsd eb7587a2dab5 9ca2afa1 console log report ci-openbsd-main
2018/10/10 14:10 openbsd 33815e14fd11 5b11ac2c console log report ci-openbsd-main
* Struck through repros no longer work on HEAD.