syzbot


uvm_fault: m_free

Status: fixed on 2019/01/06 10:35
Reported-by: syzbot+fed3bb2b9049007f7f34@syzkaller.appspotmail.com
Fix commit: 54e30ac1a804 Fix mbuf related crashes in switch(4).
They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now.
- Check M_PKTHDR with assertion before accessing m_pkthdr.
- Do not access oh_length without m_pullup().
- After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content.
- Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf.
Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com
test akoshibe@; OK claudio@
First crash: 2179d, last: 2156d
Similar bugs (1):
Kernel: openbsd
Title: uvm_fault: m_free (2)
Count: 429
Last: 1580d
Reported: 1829d
Patched: 0/3
Status: auto-closed as invalid on 2020/09/23 13:01

Sample crash report:
uvm_fault(0xffffff003f12c840, 0x600011c, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at      m_free+0x2a:    movswq  0x1c(%r14),%rdx
ddb> 
ddb> set $lines = 0
ddb> show panic
kernel page fault
uvm_fault(0xffffff003f12c840, 0x600011c, 0, 1) -> e
m_free(6000100) at m_free+0x2a sys/kern/uipc_mbuf.c:423
end trace frame: 0xffff800014a28840, count: 0
ddb> trace
m_free(6000100) at m_free+0x2a sys/kern/uipc_mbuf.c:423
mq_purge(ffff800001af8000) at mq_purge+0x6d m_freem sys/kern/uipc_mbuf.c:525 [inline]
mq_purge(ffff800001af8000) at mq_purge+0x6d ml_purge sys/kern/uipc_mbuf.c:1591 [inline]
mq_purge(ffff800001af8000) at mq_purge+0x6d sys/kern/uipc_mbuf.c:1695
switchclose(ffff8000ffffc260,ffff800014a288b8,ffffffff81524907,ffff800014a28860) at switchclose+0x77 sys/net/switchctl.c:323
spec_close(ffffffff81e38cc0) at spec_close+0x271 sys/kern/spec_vnops.c:553
VOP_CLOSE(ffffff002c51ceb8,ffff8000ffffc260,ffffff003f7c7960,3) at VOP_CLOSE+0x5f sys/kern/vfs_vops.c:174
vn_closefile(ffff8000ffffc260,ffffff00376903c0) at vn_closefile+0xfc vn_close sys/kern/vfs_vnops.c:289 [inline]
vn_closefile(ffff8000ffffc260,ffffff00376903c0) at vn_closefile+0xfc sys/kern/vfs_vnops.c:575
fdrop(ffffff00376903c0,ffff8000ffffc260) at fdrop+0xa4 sys/kern/kern_descrip.c:1260
closef(ffff8000ffffc260,ffffff003f7c6350) at closef+0xd5 sys/kern/kern_descrip.c:1244
fdfree(ffff8000149cf008) at fdfree+0x98 sys/kern/kern_descrip.c:1176
exit1(ffff800014a28b80,ffff8000ffffc260,ffff8000149cf008) at exit1+0x22f sys/kern/kern_exit.c:194
sys_exit(ffffffff8137fb93,ffff800014a28aa0,ffff800014a28b80) at sys_exit+0x13 sys/kern/kern_exit.c:94
syscall(0) at syscall+0x3e4
Xsyscall(6,1,0,1,0,7f7ffffdfe30) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffdfde0, count: -13
ddb> show registers
rdi                              0x7
rsi                             0xf0
rbp               0xffff800014a28810
rbx               0xffffffff81524890    switchclose
rdx               0xffff800014a28720
rcx               0xffffffff81e62c80    mbstat_boot_boot_cpumem
rax                                0
r8                                 0
r9                                 0
r10                                0
r11               0xffffffff817102f0    pool_lock_mtx_leave
r12               0xffffff00354d8800
r13                       0x236161bc
r14                        0x6000100    __kernel_end_phys+0x4000100
r15                        0x6000100    __kernel_end_phys+0x4000100
rip               0xffffffff812802fa    m_free+0x2a
cs                               0x8
rflags                       0x10286    __ALIGN_SIZE+0xf286
rsp               0xffff800014a287f0
ss                              0x10
m_free+0x2a:    movswq  0x1c(%r14),%rdx
ddb> show proc
PROC (syz-executor0) pid=291387 stat=onproc
    flags process=1008<EXITING,SINGLEEXIT> proc=2000<WEXIT>
    pri=86, usrpri=86, nice=20
    forw=0xffffffffffffffff, list=0xffff8000ffffc4b8,0xffffffff81eaa310
    process=0xffff8000149cf008 user=0xffff800014a23000, vmspace=0xffffff003f12c840
    estcpu=36, cpticks=3, pctcpu=0.0
    user=0, sys=1, intr=0
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 99543   23299      1      0  3    0x100083  ttyin         getty
 80585   32806      0      0  3     0x14200  bored         sosplice
 57444  501905  87821      0  3        0x82  nanosleep     syz-executor0
 82250  312331  87821      0  3         0x2  biowait       syz-executor1
 87821  180984  96365      0  3        0x82  thrsleep      syz-fuzzer
 87821  176654  96365      0  3   0x4000082  nanosleep     syz-fuzzer
 87821  472331  96365      0  3   0x4000082  thrsleep      syz-fuzzer
 87821   68190  96365      0  3   0x4000082  thrsleep      syz-fuzzer
 87821  356916  96365      0  3   0x4000082  thrsleep      syz-fuzzer
 87821  295991  96365      0  3   0x4000082  thrsleep      syz-fuzzer
 87821  275227  96365      0  3   0x4000082  kqread        syz-fuzzer
 96365  469710  72843      0  3    0x10008a  pause         ksh
 72843   84642  63305      0  3        0x92  select        sshd
 63305  192385      1      0  3        0x80  select        sshd
  1126  502807  47791     73  2    0x100090                syslogd
 47791  338467      1      0  3    0x100082  netio         syslogd
 45021  404745      1     77  3    0x100090  poll          dhclient
 27178  311332      1      0  3        0x80  poll          dhclient
 79105  219805      0      0  2     0x14200                zerothread
 39981  360629      0      0  3     0x14200  aiodoned      aiodoned
 76996  378627      0      0  3     0x14200  syncer        update
 60458   41607      0      0  3     0x14200  cleaner       cleaner
 34321  408316      0      0  3     0x14200  reaper        reaper
 69281  233595      0      0  3     0x14200  pgdaemon      pagedaemon
 47806  347339      0      0  3     0x14200  bored         crynlk
 71049  503022      0      0  3     0x14200  bored         crypto
 59358  383180      0      0  3  0x40014200  acpi0         acpi0
 48947  238099      0      0  3     0x14200  bored         softnet
 81371   42480      0      0  3     0x14200  bored         systqmp
 92605  312111      0      0  3     0x14200  bored         systq
  5306  131941      0      0  3  0x40014200  bored         softclock
  7393  186193      0      0  3  0x40014200                idle0
     1  268145      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper

Crashes (12):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/12/27 06:25 openbsd 8ff5027431d5 82c9e677 .config console log report ci-openbsd-main
2018/12/17 16:24 openbsd 9257d67bbd0d 527230f1 .config console log report ci-openbsd-main
2018/12/16 21:09 openbsd 4e9c41985603 1749e412 .config console log report ci-openbsd-main
2018/12/16 05:26 openbsd 014e15819e15 def91db3 .config console log report ci-openbsd-main
2018/12/15 15:27 openbsd ff5089e6ea58 c9128939 .config console log report ci-openbsd-main
2018/12/12 10:47 openbsd feddb4c1c53c 7795ae03 .config console log report ci-openbsd-main
2018/12/08 09:41 openbsd 696945d58559 6ae0ca72 .config console log report ci-openbsd-main
2018/12/07 05:30 openbsd 76d787ec3667 b6709220 .config console log report ci-openbsd-main
2018/12/07 03:35 openbsd 76d787ec3667 b6709220 .config console log report ci-openbsd-main
2018/12/06 14:35 https://github.com/blackgnezdo/src.git multicore 46168e0d3b1d cc3a19d5 console log report ci-openbsd-multicore
2018/12/06 09:23 https://github.com/blackgnezdo/src.git multicore 46168e0d3b1d f162ad97 console log report ci-openbsd-multicore
2018/12/04 12:29 openbsd f939acc2595a 03f94a45 console log report ci-openbsd-main