

assert "next != NULL && next->start <= entry->end" failed in uvm_fault.c

Status: fixed on 2019/01/11 00:09
Reported-by: syzbot+b8e7faf688f8c9d341b1@syzkaller.appspotmail.com
Fix commit: Hold a read lock on the map while doing the actual device I/O during in
First crash: 1436d, last: 1436d
duplicates (1):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
uvm_fault.c", line 1354 1 1464d 1464d 0/3 closed as dup on 2018/12/27 12:08
similar bugs (3):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
openbsd assert "next != NULL && next->start <= entry->end" failed in uvm_fault.c (4) C 9 242d 256d 3/3 fixed on 2022/04/05 02:42
openbsd assert "next != NULL && next->start <= entry->end" failed in uvm_fault.c (2) syz 2 353d 353d 0/3 closed as invalid on 2022/02/22 18:45
openbsd assert "next != NULL && next->start <= entry->end" failed in uvm_fault.c (3) syz 11 266d 281d 3/3 fixed on 2022/03/12 12:41

Sample crash report:
panic: kernel diagnostic assertion "next != NULL && next->start <= entry->end" failed: file "/syzkaller/managers/multicore/kernel/sys/uvm/uvm_fault.c", line 1354
Stopped at      db_enter+0xa:   popq    %rbp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
* 10269  83986      0           0  0x4000000    1K syz-executor8120
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
__assert(ffffffff8132b5f4,ffff80002111b350,20008000,20011000) at __assert+0x24 sys/kern/subr_prf.c:155
uvm_fault_unwire_locked(20000000,20011000,0) at uvm_fault_unwire_locked+0x1f9 sys/uvm/uvm_fault.c:1351
uvm_fault_unwire(10000,ffffff006d2bf800,10000) at uvm_fault_unwire+0x3b sys/uvm/uvm_fault.c:1314
physio(ffff80002111b648,ffffff006d8ca968,ffffff006d8ca968,ffff80002111b648,ffff80002111b518) at physio+0x2ba sys/kern/kern_physio.c:183
spec_read(0) at spec_read+0xa5 sys/kern/spec_vnops.c:223
VOP_READ(ffff80002111b648,ffffff006d8ca968,ffffff006e4a42d8,0) at VOP_READ+0x5e sys/kern/vfs_vops.c:247
vn_read(ffffff006e4a42d8,ffff8000210f4010,fffffe73) at vn_read+0x130 sys/kern/vfs_vnops.c:365
dofilereadv(ffff8000210f4010,ffff80002111b6f0,fffffe73,ffff80002111b708,b53815ff038) at dofilereadv+0x14f sys/kern/sys_generic.c:235
sys_read(30,ffff8000210f4010,0) at sys_read+0x6e sys/kern/sys_generic.c:155
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,b53975ed0a0,0,b50d7474098,b50d7474090) at Xsyscall+0x128
end of kernel
end trace frame: 0xb53815ff060, count: 2
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{1}> 
ddb{1}> set $lines = 0
ddb{1}> show panic
kernel diagnostic assertion "next != NULL && next->start <= entry->end" failed: file "/syzkaller/managers/multicore/kernel/sys/uvm/uvm_fault.c", line 1354
ddb{1}> trace
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
__assert(ffffffff8132b5f4,ffff80002111b350,20008000,20011000) at __assert+0x24 sys/kern/subr_prf.c:155
uvm_fault_unwire_locked(20000000,20011000,0) at uvm_fault_unwire_locked+0x1f9 sys/uvm/uvm_fault.c:1351
uvm_fault_unwire(10000,ffffff006d2bf800,10000) at uvm_fault_unwire+0x3b sys/uvm/uvm_fault.c:1314
physio(ffff80002111b648,ffffff006d8ca968,ffffff006d8ca968,ffff80002111b648,ffff80002111b518) at physio+0x2ba sys/kern/kern_physio.c:183
spec_read(0) at spec_read+0xa5 sys/kern/spec_vnops.c:223
VOP_READ(ffff80002111b648,ffffff006d8ca968,ffffff006e4a42d8,0) at VOP_READ+0x5e sys/kern/vfs_vops.c:247
vn_read(ffffff006e4a42d8,ffff8000210f4010,fffffe73) at vn_read+0x130
dofilereadv(ffff8000210f4010,ffff80002111b6f0,fffffe73,ffff80002111b708,b53815ff038) at dofilereadv+0x14f sys/kern/sys_generic.c:235
sys_read(30,ffff8000210f4010,0) at sys_read+0x6e sys/kern/sys_generic.c:155
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,b53975ed0a0,0,b50d7474098,b50d7474090) at Xsyscall+0x128
end of kernel
end trace frame: 0xb53815ff060, count: -13
ddb{1}> show registers
rdi               0xffffffff81e27170    kprintf_mutex
rsi                              0x5
rbp               0xffff80002111b2b0
rbx               0xffff80002111b350
rdx                            0x3fd
rcx                                0
rax                              0x1
r8                0xffff80002111b280
r9                0x8080808080808080
r10                                0
r11               0xffffffff812f8ba0    x86_bus_space_io_read_1
r12                     0x3000000008
r13               0xffff80002111b2c0
r14                            0x100
r15               0xffffffff81bf514e    cmd0646_9_tim_udma+0x1eab3
rip               0xffffffff818e4fea    db_enter+0xa
cs                               0x8
rflags                         0x202
rsp               0xffff80002111b2b0
ss                              0x10
db_enter+0xa:   popq    %rbp
ddb{1}> show proc
PROC (syz-executor8120) pid=10269 stat=onproc
    flags process=0 proc=4000000<THREAD>
    pri=17, usrpri=86, nice=20
    forw=0xffffffffffffffff, list=0xffff8000210f4bc8,0xffff8000210f44d0
    process=0xffff800021070fd0 user=0xffff800021116000, vmspace=0xffffff007f125c60
    estcpu=36, cpticks=2, pctcpu=0.0
    user=0, sys=2, intr=0
ddb{1}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 83986   12042   6606      0  3        0x80  nanosleep     syz-executor8120
*83986   10269   6606      0  7   0x4000000                syz-executor8120
 83986  110087   6606      0  3   0x4000080  fsleep        syz-executor8120
  6606    9747  92253      0  3        0x82  nanosleep     syz-executor8120
 92253  305578  74197      0  3    0x10008a  pause         ksh
 74197  266486  46347      0  3        0x92  select        sshd
 19217  329309      1      0  3    0x100083  ttyin         getty
 46347  395782      1      0  3        0x80  select        sshd
 36461  389446  40994     73  3    0x100090  kqread        syslogd
 40994  370430      1      0  3    0x100082  netio         syslogd
   891   46690      1     77  3    0x100090  poll          dhclient
 26508   42021      1      0  3        0x80  poll          dhclient
 77262   10265      0      0  3     0x14200  pgzero        zerothread
 95597   17271      0      0  3     0x14200  aiodoned      aiodoned
 77622  160427      0      0  3     0x14200  syncer        update
   376  159265      0      0  3     0x14200  cleaner       cleaner
 55143  500485      0      0  3     0x14200  reaper        reaper
 26165   61597      0      0  3     0x14200  pgdaemon      pagedaemon
 95905  217790      0      0  3     0x14200  bored         crynlk
 49743  436122      0      0  3     0x14200  bored         crypto
  1655  477308      0      0  3  0x40014200  acpi0         acpi0
 79504  274047      0      0  3  0x40014200                idle1
 19847   84012      0      0  3     0x14200  bored         softnet
 38359  168216      0      0  3     0x14200  bored         systqmp
 21912  331360      0      0  3     0x14200  bored         systq
 25658  142620      0      0  3  0x40014200  bored         softclock
 23784  325256      0      0  7  0x40014200                idle0
     1  341806      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper

Crashes (2):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-openbsd-multicore 2018/12/27 13:29 openbsd 01cfcf25097a e747ec98 .config log report syz C
ci-openbsd-multicore 2018/12/27 11:44 openbsd 01cfcf25097a e747ec98 .config log report