

panic: uvmspace_fork: no space in map for entry in empty map

Status: fixed on 2019/12/04 16:31
Reported-by: syzbot+2c625ab1b8e964da644a@syzkaller.appspotmail.com
Fix commit: 0f83bb56e561 Fix a bad offset calculation in uvm_share.
First crash: 1155d, last: 1101d

Sample crash report:
login: panic: uvmspace_fork: no space in map for entry in empty map
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*366221  31743      0         0x2          0    0  syz-executor3278
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
uvm_mapent_clone(ffff8000006a2200,8000,1f0000,0,7,7) at uvm_mapent_clone+0x1de sys/uvm/uvm_map.c:3708
uvm_share(ffff8000006a2200,0,7,fffffd803f012220,20008000,200000) at uvm_share+0x4b4 uvm_mapent_share sys/uvm/uvm_map.c:3767 [inline]
uvm_share(ffff8000006a2200,0,7,fffffd803f012220,20008000,200000) at uvm_share+0x4b4 sys/uvm/uvm_map.c:3668
vm_impl_init_vmx(ffff800014889860,ffff8000ffff4500) at vm_impl_init_vmx+0xf1 sys/arch/amd64/amd64/vmm.c:1270
vm_create(ffff800000a66000,ffff8000ffff4500) at vm_create+0x193 vm_impl_init sys/arch/amd64/amd64/vmm.c:1385 [inline]
vm_create(ffff800000a66000,ffff8000ffff4500) at vm_create+0x193 sys/arch/amd64/amd64/vmm.c:1174
VOP_IOCTL(fffffd8037ddc410,c5005601,ffff800000a66000,1,fffffd803f7c6a20,ffff8000ffff4500) at VOP_IOCTL+0x88 sys/kern/vfs_vops.c:291
vn_ioctl(fffffd803620b620,c5005601,ffff800000a66000,ffff8000ffff4500) at vn_ioctl+0xb7 sys/kern/vfs_vnops.c:536
sys_ioctl(ffff8000ffff4500,ffff8000148da768,ffff8000148da7b0) at sys_ioctl+0x5b9
syscall(ffff8000148da830) at syscall+0x507 sys/arch/amd64/amd64/trap.c:555
Xsyscall(6,0,deab7582000,0,7f7ffffd7028,7f7ffffd7018) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffd6fb0, count: 4
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb> 
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
uvmspace_fork: no space in map for entry in empty map
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
uvm_mapent_clone(ffff8000006a2200,8000,1f0000,0,7,7) at uvm_mapent_clone+0x1de sys/uvm/uvm_map.c:3708
uvm_share(ffff8000006a2200,0,7,fffffd803f012220,20008000,200000) at uvm_share+0x4b4 uvm_mapent_share sys/uvm/uvm_map.c:3767 [inline]
uvm_share(ffff8000006a2200,0,7,fffffd803f012220,20008000,200000) at uvm_share+0x4b4 sys/uvm/uvm_map.c:3668
vm_impl_init_vmx(ffff800014889860,ffff8000ffff4500) at vm_impl_init_vmx+0xf1 sys/arch/amd64/amd64/vmm.c:1270
vm_create(ffff800000a66000,ffff8000ffff4500) at vm_create+0x193 vm_impl_init sys/arch/amd64/amd64/vmm.c:1385 [inline]
vm_create(ffff800000a66000,ffff8000ffff4500) at vm_create+0x193 sys/arch/amd64/amd64/vmm.c:1174
VOP_IOCTL(fffffd8037ddc410,c5005601,ffff800000a66000,1,fffffd803f7c6a20,ffff8000ffff4500) at VOP_IOCTL+0x88 sys/kern/vfs_vops.c:291
vn_ioctl(fffffd803620b620,c5005601,ffff800000a66000,ffff8000ffff4500) at vn_ioctl+0xb7 sys/kern/vfs_vnops.c:536
sys_ioctl(ffff8000ffff4500,ffff8000148da768,ffff8000148da7b0) at sys_ioctl+0x5b9
syscall(ffff8000148da830) at syscall+0x507 sys/arch/amd64/amd64/trap.c:555
Xsyscall(6,0,deab7582000,0,7f7ffffd7028,7f7ffffd7018) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffd6fb0, count: -11
ddb> show registers
rdi                                0
rsi                              0x1
rbp               0xffff8000148da190
rbx               0xffff8000148da240
rdx                              0x2
rcx                              0x1
rax                              0x1
r8                0xffff8000148da150
r9                               0x1
r10               0x58a71c39d496137f
r11               0x41e1031ba5bbe106
r12                     0x3000000008
r13               0xffff8000148da1a0
r14                            0x100
r15                              0x1
rip               0xffffffff81f649d8    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff8000148da180
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb> show proc
PROC (syz-executor3278) pid=366221 stat=onproc
    flags process=2<EXEC> proc=0
    pri=52, usrpri=52, nice=20
    forw=0xffffffffffffffff, list=0xffff8000ffff49f0,0xffffffff82592f90
    process=0xffff8000148a2378 user=0xffff8000148d5000, vmspace=0xfffffd803f012220
    estcpu=2, cpticks=0, pctcpu=0.0
    user=0, sys=0, intr=0
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
*31743  366221  93580      0  7         0x2                syz-executor3278
 93580  128286  66098      0  3    0x10008a  pause         ksh
 66098  396201  70966      0  3        0x92  select        sshd
 25910  144265      1      0  3    0x100083  ttyin         getty
 70966  514555      1      0  3        0x80  select        sshd
 71981   44626  26709     73  3    0x100090  kqread        syslogd
 26709  478034      1      0  3    0x100082  netio         syslogd
  4259   47270      1     77  3    0x100090  poll          dhclient
 63090  426851      1      0  3        0x80  poll          dhclient
 48795  325899      0      0  2     0x14200                zerothread
 39158  470658      0      0  3     0x14200  aiodoned      aiodoned
 19622  423561      0      0  3     0x14200  syncer        update
 20631  389618      0      0  3     0x14200  cleaner       cleaner
 75307  387905      0      0  3     0x14200  reaper        reaper
 17248   56450      0      0  3     0x14200  pgdaemon      pagedaemon
 12805  202978      0      0  3     0x14200  bored         crynlk
 50579  428211      0      0  3     0x14200  bored         crypto
 66070  404589      0      0  3  0x40014200  acpi0         acpi0
 46572    9186      0      0  3     0x14200  bored         softnet
 11309  272481      0      0  3     0x14200  bored         systqmp
 49728  194027      0      0  3     0x14200  bored         systq
 49692  462607      0      0  3  0x40014200  bored         softclock
 56386    8528      0      0  3  0x40014200                idle0
 24297  508723      0      0  3     0x14200  bored         smr
     1   45544      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb> show all locks
No such command
ddb> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim Kern Lim
         devbuf  9441   6318K    6319K  78643K     10538        0        0
            pcb    13      8K       8K  78643K        13        0        0
         rtable    61      1K       2K  78643K       115        0        0
         ifaddr    21      7K       7K  78643K        21        0        0
       counters    19     16K      16K  78643K        19        0        0
       ioctlops     1      2K       2K  78643K        14        0        0
          mount     1      1K       1K  78643K         1        0        0
         vnodes  1180     74K      74K  78643K      1185        0        0
      UFS quota     1     32K      32K  78643K         1        0        0
      UFS mount     5     36K      36K  78643K         5        0        0
            shm     2      1K       1K  78643K         2        0        0
         VM map     3      0K       0K  78643K         3        0        0
            sem     2      0K       0K  78643K         2        0        0
        dirhash    12      2K       2K  78643K        12        0        0
           ACPI  1794    195K     288K  78643K     12646        0        0
      file desc     1      0K       0K  78643K         1        0        0
           proc    47     38K      46K  78643K       278        0        0
    NFS srvsock     1      0K       0K  78643K         1        0        0
     NFS daemon     1     16K      16K  78643K         1        0        0
       in_multi    11      0K       0K  78643K        11        0        0
    ether_multi     1      0K       0K  78643K         1        0        0
    ISOFS mount     1     32K      32K  78643K         1        0        0
  MSDOSFS mount     1     16K      16K  78643K         1        0        0
           ttys    18     79K      79K  78643K        18        0        0
           exec     0      0K       1K  78643K       151        0        0
        pagedep     1      8K       8K  78643K         1        0        0
       inodedep     1     32K      32K  78643K         1        0        0
         newblk     1      0K       0K  78643K         1        0        0
        VM swap     7     26K      26K  78643K         7        0        0
       UVM amap    51      3K       3K  78643K       685        0        0
       UVM aobj     2      2K       2K  78643K         2        0        0
        memdesc     1      4K       4K  78643K         1        0        0
    crypto data     1      1K       1K  78643K         1        0        0
            NDP     3      0K       0K  78643K         3        0        0
           temp    30   3523K    3587K  78643K      1695        0        0
      SYN cache     2     16K      16K  78643K         2        0        0
ddb> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp         64        2    0        0     1     0     1     1     0     8    0
rtpcb       80       15    0       13     1     0     1     1     0     8    0
rtentry    112       23    0        1     1     0     1     1     0     8    0
unpcb      120       27    0       19     1     0     1     1     0     8    0
syncache   264        5    0        5     1     0     1     1     0     8    1
tcpcb      544        8    0        5     1     0     1     1     0     8    0
inpcb      280       22    0       16     1     0     1     1     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256       97    0        0     7     0     7     7     0     8    0
art_table   32       98    0        0     1     0     1     1     0     8    0
art_node    16       22    0        2     1     0     1     1     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino1pl    128     1389    0       15    45     0    45    45     0     8    0
ffsino     240     1389    0       15    81     0    81    81     0     8    0
nchpl      144     1576    0       44    57     0    57    57     0     8    0
uvmvnodes   72     1398    0        0    26     0    26    26     0     8    0
vnodes     208     1398    0        0    74     0    74    74     0     8    0
namei      1024    3453    0     3453     1     0     1     1     0     8    1
vmpool     520        1    0        0     1     0     1     1     0     8    0
scxspl     192     2400    0     2400     2     0     2     2     0     8    2
plimitpl   152       13    0        8     1     0     1     1     0     8    0
sigapl     432      175    0      165     2     0     2     2     0     8    0
knotepl    112        5    0        0     1     0     1     1     0     8    0
kqueuepl   104        1    0        0     1     0     1     1     0     8    0
pipepl     112      114    0      107     1     0     1     1     0     8    0
fdescpl    424      176    0      165     2     0     2     2     0     8    0
filepl     120      834    0      790     2     0     2     2     0     8    0
lockfpl    104        5    0        4     1     0     1     1     0     8    0
lockfspl    48        3    0        2     1     0     1     1     0     8    0
sessionpl  112       17    0        9     1     0     1     1     0     8    0
pgrppl      48       17    0        9     1     0     1     1     0     8    0
ucredpl     96       47    0       40     1     0     1     1     0     8    0
zombiepl   144      165    0      165     1     0     1     1     0     8    1
processpl  864      190    0      165     4     0     4     4     0     8    0
procpl     632      190    0      165     3     0     3     3     0     8    0
sockpl     384       64    0       48     2     0     2     2     0     8    0
mcl4k      4096      10    0       10     1     0     1     1     0     8    1
mcl2k      2048    5768    0     5733     8     0     8     8     0     8    3
mtagpl      80        2    0        2     1     1     0     1     0     8    0
mbufpl     256     9845    0     9795     6     0     6     6     0     8    1
bufpl      256     2045    0      239   113     0   113   113     0     8    0
anonpl      16    16897    0    15784     6     1     5     6     0    62    0
amapchunkpl 152     462    0      427     2     0     2     2     0   158    0
amappl16   192       70    0       65     1     0     1     1     0     8    0
amappl14   176       35    0       31     1     0     1     1     0     8    0
amappl12   160        3    0        3     1     0     1     1     0     8    1
amappl11   152       39    0       28     1     0     1     1     0     8    0
amappl10   144        2    0        2     1     0     1     1     0     8    1
amappl9    136      372    0      371     1     0     1     1     0     8    0
amappl8    128       82    0       78     1     0     1     1     0     8    0
amappl7    120       15    0       13     1     0     1     1     0     8    0
amappl6    112       45    0       41     1     0     1     1     0     8    0
amappl5    104      144    0      134     1     0     1     1     0     8    0
amappl4     96      393    0      370     1     0     1     1     0     8    0
amappl3     88      103    0       97     1     0     1     1     0     8    0
amappl2     80      705    0      656     2     0     2     2     0     8    0
amappl1     72    11876    0    11499    14     5     9    14     0     8    0
amappl      80      353    0      333     1     0     1     1     0    84    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      64        1    0        0     1     0     1     1     0     8    0
uaddrrnd    24      177    0      165     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      177    0      165     1     0     1     1     0     8    0
vmmpekpl   168     5293    0     5277     1     0     1     1     0     8    0
vmmpepl    168    25221    0    24485    44     4    40    44     0   357    7
vmsppl     272      175    0      165     1     0     1     1     0     8    0
pdppl      4096     360    0      330     5     0     5     5     0     8    0
pvpl        32    70145    0    67396    26     0    26    26     0   265    3
pmappl     200      176    0      165     1     0     1     1     0     8    0
extentpl    40       46    0       29     1     0     1     1     0     8    0
phpool     112      230    0        2     7     0     7     7     0     8    0

Crashes (450):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-openbsd-main 2019/11/05 09:03 openbsd 67035d4b95d6 76630fc9 .config log report syz C
ci-openbsd-multicore 2019/11/01 17:05 openbsd c2600de8aa52 a41ca8fa .config log report syz C
ci-openbsd-main 2019/10/15 06:01 openbsd 670fdd297620 05ad7292 .config log report syz C
ci-openbsd-multicore 2019/10/03 04:56 openbsd c722278fddec 2e29b534 .config log report syz C
ci-openbsd-multicore 2019/11/26 16:29 openbsd 30289eba60fe 2649e7cc .config log report
ci-openbsd-main 2019/11/26 08:09 openbsd 943f8c8c295c f746151a .config log report
ci-openbsd-main 2019/11/26 01:22 openbsd 943f8c8c295c f746151a .config log report
ci-openbsd-main 2019/11/25 22:25 openbsd 943f8c8c295c f746151a .config log report
ci-openbsd-main 2019/11/25 19:31 openbsd d70f219138ae 371caf77 .config log report
ci-openbsd-main 2019/11/25 06:51 openbsd fcf6720f14d1 598ca6c8 .config log report
ci-openbsd-multicore 2019/11/25 05:48 openbsd fcf6720f14d1 598ca6c8 .config log report
ci-openbsd-multicore 2019/11/24 23:14 openbsd 978220ac0b15 598ca6c8 .config log report
ci-openbsd-multicore 2019/11/24 18:10 openbsd 978220ac0b15 598ca6c8 .config log report
ci-openbsd-main 2019/11/24 17:20 openbsd 978220ac0b15 598ca6c8 .config log report
ci-openbsd-multicore 2019/11/24 03:34 openbsd 254679ff52b1 598ca6c8 .config log report
ci-openbsd-multicore 2019/11/23 18:39 openbsd ee79b9a7c44b 598ca6c8 .config log report
ci-openbsd-main 2019/11/22 16:05 openbsd 2919d9e0cbdc e89749ef .config log report
ci-openbsd-main 2019/11/21 21:24 openbsd 135e95f28b53 8098ea0f .config log report
ci-openbsd-main 2019/11/21 16:19 openbsd 135e95f28b53 8098ea0f .config log report
ci-openbsd-multicore 2019/11/21 11:39 openbsd 135e95f28b53 8098ea0f .config log report
ci-openbsd-multicore 2019/11/20 22:19 openbsd ddfcd1cc9cf3 8098ea0f .config log report
ci-openbsd-multicore 2019/11/20 14:20 openbsd 039d6aae052b 12be8ffc .config log report
ci-openbsd-multicore 2019/11/20 01:38 openbsd 593a100ba7e7 b7a277d2 .config log report
ci-openbsd-multicore 2019/11/19 22:26 openbsd 593a100ba7e7 b7a277d2 .config log report
ci-openbsd-main 2019/11/19 14:36 openbsd 30d546f475f9 432c7650 .config log report
ci-openbsd-main 2019/11/19 11:25 openbsd 30d546f475f9 432c7650 .config log report
ci-openbsd-multicore 2019/11/18 06:43 openbsd 4022b8731182 d5696d51 .config log report
ci-openbsd-main 2019/11/18 04:11 openbsd 4022b8731182 d5696d51 .config log report
ci-openbsd-main 2019/11/18 00:30 openbsd eb818a3e8307 d5696d51 .config log report
ci-openbsd-main 2019/11/18 00:22 openbsd eb818a3e8307 d5696d51 .config log report
ci-openbsd-multicore 2019/11/17 17:41 openbsd eb818a3e8307 d5696d51 .config log report
ci-openbsd-main 2019/11/17 15:32 openbsd eb818a3e8307 d5696d51 .config log report
ci-openbsd-main 2019/11/17 12:36 openbsd eb818a3e8307 d5696d51 .config log report
ci-openbsd-multicore 2019/11/17 08:45 openbsd d8449269f3d4 d5696d51 .config log report
ci-openbsd-multicore 2019/11/16 19:57 openbsd b78dbe0757a3 d5696d51 .config log report
ci-openbsd-main 2019/11/16 16:13 openbsd b78dbe0757a3 d5696d51 .config log report
ci-openbsd-multicore 2019/11/16 10:31 openbsd b78dbe0757a3 d5696d51 .config log report
ci-openbsd-main 2019/11/16 06:27 openbsd c982058ecee1 cdac920b .config log report
ci-openbsd-multicore 2019/11/16 03:44 openbsd c982058ecee1 cdac920b .config log report
ci-openbsd-main 2019/11/16 01:00 openbsd c982058ecee1 cdac920b .config log report
ci-openbsd-main 2019/11/15 23:25 openbsd c982058ecee1 cdac920b .config log report
ci-openbsd-main 2019/11/15 22:02 openbsd c982058ecee1 cdac920b .config log report
ci-openbsd-multicore 2019/11/15 04:41 openbsd 3d133dcfcb5d a24fe792 .config log report
ci-openbsd-main 2019/11/15 04:30 openbsd 3d133dcfcb5d a24fe792 .config log report
ci-openbsd-main 2019/11/15 03:21 openbsd 3d133dcfcb5d a24fe792 .config log report
ci-openbsd-main 2019/11/14 23:28 openbsd 3d133dcfcb5d a24fe792 .config log report
ci-openbsd-multicore 2019/11/14 20:53 openbsd 3d133dcfcb5d a24fe792 .config log report
ci-openbsd-main 2019/11/14 19:44 openbsd 9d8a210628dc 5d15a967 .config log report
ci-openbsd-multicore 2019/11/14 15:14 openbsd 9d8a210628dc 5d15a967 .config log report
ci-openbsd-multicore 2019/11/14 12:46 openbsd 9d8a210628dc 5d15a967 .config log report
ci-openbsd-main 2019/11/14 11:29 openbsd 9d8a210628dc 5d15a967 .config log report
ci-openbsd-multicore 2019/11/14 09:52 openbsd 9d8a210628dc 5d15a967 .config log report
ci-openbsd-main 2019/11/14 06:08 openbsd 39b7db2742d3 048f2d49 .config log report
ci-openbsd-main 2019/11/14 03:00 openbsd 39b7db2742d3 048f2d49 .config log report
ci-openbsd-multicore 2019/10/03 04:39 openbsd c722278fddec 2e29b534 .config log report
* Struck through repros no longer work on HEAD.