uvm_fault: memcpy (5)

uvm_fault: memcpy (5)

Status: upstream: reported C repro on 2022/10/08 21:10
Reported-by: syzbot+ebd31a2d814e8ac4260b@syzkaller.appspotmail.com
First crash: 563d, last: 36d

▶ ▼ Similar bugs (4)

Kernel	Title	Repro	Count	Last	Reported	Patched	Status
openbsd	uvm_fault: memcpy	C	460	1850d	1870d	3/3	fixed on 2019/03/31 22:33
openbsd	uvm_fault: memcpy (2)	syz	2168	1438d	1687d	0/3	closed as invalid on 2020/05/18 08:51
openbsd	uvm_fault: memcpy (4)		2	782d	851d	0/3	auto-closed as invalid on 2022/06/01 18:10
openbsd	uvm_fault: memcpy (3)		26	1374d	1432d	0/3	auto-closed as invalid on 2020/10/17 21:23

▶ ▼ Last patch testing requests (7)


Created	Duration	User	Repo	Result
2024/04/01 04:09	15m	retest repro	openbsd	report log
2024/04/01 04:09	0m	retest repro	openbsd	error OK
2024/01/08 23:17	6m	retest repro	openbsd	error OK
2023/10/30 23:05	9m	retest repro	openbsd	error OK
2023/08/21 22:50	8m	retest repro	openbsd	error OK
2023/05/12 11:18	8m	retest repro	openbsd	error OK
2023/01/16 21:32	9m	retest repro	openbsd	error OK

Sample crash report:

uvm_fault(0xffffffff82e28bd0, 0xffff80001ce63e00, 0, 2) -> d
kernel: page fault trap, code=2
Stopped at      memcpy+0x19:    repe movsq      (%rsi),%es:(%rdi)
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
memcpy() at memcpy+0x19
ufs_inactive(ffff80002a690d18) at ufs_inactive+0x229 sys/ufs/ufs/ufs_inode.c:95
VOP_INACTIVE(fffffd8068b196f8,ffff80002a62f008) at VOP_INACTIVE+0xbf sys/kern/vfs_vops.c:489
vrele(fffffd8068b196f8) at vrele+0xcd sys/kern/vfs_subr.c:827
fdfree(ffff80002a62f008) at fdfree+0x1f4 sys/kern/kern_descrip.c:1210
exit1(ffff80002a62f008,0,0,1) at exit1+0x367 sys/kern/kern_exit.c:199
sys_exit(ffff80002a62f008,ffff80002a690fb0,ffff80002a690f00) at sys_exit+0x1a sys/kern/kern_exit.c:89
syscall(ffff80002a690fb0) at syscall+0x751 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f49b1104d80, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb> 
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
*cpu0: uvm_fault(0xffffffff82e28bd0, 0xffff80001ce63e00, 0, 2) -> d
ddb> trace
memcpy() at memcpy+0x19
ufs_inactive(ffff80002a690d18) at ufs_inactive+0x229 sys/ufs/ufs/ufs_inode.c:95
VOP_INACTIVE(fffffd8068b196f8,ffff80002a62f008) at VOP_INACTIVE+0xbf sys/kern/vfs_vops.c:489
vrele(fffffd8068b196f8) at vrele+0xcd sys/kern/vfs_subr.c:827
fdfree(ffff80002a62f008) at fdfree+0x1f4 sys/kern/kern_descrip.c:1210
exit1(ffff80002a62f008,0,0,1) at exit1+0x367 sys/kern/kern_exit.c:199
sys_exit(ffff80002a62f008,ffff80002a690fb0,ffff80002a690f00) at sys_exit+0x1a sys/kern/kern_exit.c:89
syscall(ffff80002a690fb0) at syscall+0x751 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f49b1104d80, count: -9
ddb> show registers
rdi               0xffff80001ce63e00
rsi               0xfffffd8068a99300
rbp               0xffff80002a690ca0
rbx                              0x2
rdx                            0x100
rcx                             0x20
rax                            0x35b
r8                0xffffffffffffffff
r9                               0x2
r10               0xd3b14781006563ba
r11               0xffff80001ce63e00
r12               0xfffffd8068b015a8
r13               0xfffffd806c799270
r14                                0
r15               0xffff8000006ab800
rip               0xffffffff8250f969    memcpy+0x19
cs                               0x8
rflags                       0x10202    __ALIGN_SIZE+0xf202
rsp               0xffff80002a690c38
ss                              0x10
memcpy+0x19:    repe movsq      (%rsi),%es:(%rdi)
ddb> show proc
PROC (syz-executor4051834110) tid=153670 pid=92164 tcnt=1 stat=onproc
    flags process=8<EXITING> proc=2000<WEXIT>
    runpri=17, usrpri=86, slppri=17, nice=20
    wchan=0x0, wmesg=, ps_single=0x0
    forw=0xffffffffffffffff, list=0xffff80002a62e2c0,0xffff80002a62e820
    process=0xffff8000ffffa188 user=0xffff80002a68c000, vmspace=0xfffffd806c2d6170
    estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 31578  306638  85222      0  2           0                syz-executor4051834110
 14456  287386  96596      0  2           0                syz-executor4051834110
 89631   87844  36327      0  2           0                syz-executor4051834110
 85222  435585  14134      0  3        0x80  nanoslp       syz-executor4051834110
 36327  278314  14134      0  2       0x480                syz-executor4051834110
 15301  265878  14134      0  2       0x480                syz-executor4051834110
 52147  154101  14134      0  2       0x480                syz-executor4051834110
 51780  105348  14134      0  2       0x480                syz-executor4051834110
 25818  205935  14134      0  2           0                syz-executor4051834110
 30021  490049  14134      0  2       0x480                syz-executor4051834110
 96596  126570  14134      0  2       0x480                syz-executor4051834110
 14134  434983   6337      0  3        0x82  nanoslp       syz-executor4051834110
  6337  171446  29594      0  3    0x10008a  sigsusp       ksh
 29594   26632  42805      0  3        0x9a  kqread        sshd
 36199  216677      1      0  3    0x100083  ttyin         getty
 42805  282991      1      0  3        0x88  kqread        sshd
 23125  254627  79699     73  3   0x1100090  kqread        syslogd
 79699  428858      1      0  3    0x100082  netio         syslogd
   680  520398      1      0  3    0x100080  kqread        resolvd
 53921   17600  78311     77  3    0x100092  kqread        dhcpleased
 89096  257871  78311     77  3    0x100092  kqread        dhcpleased
 78311  347970      1      0  3        0x80  kqread        dhcpleased
 49524  270572      0      0  3     0x14200  bored         smr
 92440  165649      0      0  3     0x14200  pgzero        zerothread
 34617  448343      0      0  3     0x14200  aiodoned      aiodoned
 78855  290627      0      0  3     0x14200  syncer        update
 23003  214005      0      0  3     0x14200  cleaner       cleaner
 38663   93304      0      0  3     0x14200  reaper        reaper
 73685  271769      0      0  3     0x14200  pgdaemon      pagedaemon
 72055  255687      0      0  3     0x14200  bored         viomb
 16122  209071      0      0  3  0x40014200  acpi0         acpi0
 46882  242477      0      0  3     0x14200  bored         softnet3
 24485  269841      0      0  3     0x14200  bored         softnet2
 52385  412612      0      0  3     0x14200  bored         softnet1
 18791  425362      0      0  3     0x14200  bored         softnet0
 49993  205776      0      0  3     0x14200  bored         systqmp
 18321  169154      0      0  3     0x14200  bored         systq
 58123  448768      0      0  3  0x40014200  tmoslp        softclock
 62434  511529      0      0  3  0x40014200                idle0
     1  364270      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb> show all locks
No such command
ddb> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 10138   6382K    6413K 166960K     11216        0
            pcb    15     10K      10K 166960K        15        0
         rtable    58      1K       2K 166960K       110        0
             pf    12      6K       6K 166960K        12        0
         ifaddr    11      5K       5K 166960K        11        0
        ifgroup    17      1K       1K 166960K        17        0
       counters    22     16K      16K 166960K        22        0
       ioctlops     0      0K       2K 166960K        21        0
          mount     1      1K       1K 166960K         1        0
            log     0      0K       0K 166960K         4        0
         vnodes  1174     73K      74K 166960K      1188        0
      UFS quota     1     32K      32K 166960K         1        0
      UFS mount     5     36K      36K 166960K         5        0
            shm     2      1K       1K 166960K         2        0
         VM map     2      1K       1K 166960K         2        0
            sem     2      0K       0K 166960K         2        0
        dirhash    12      2K       2K 166960K        12        0
           ACPI  1697    195K     286K 166960K     12548        0
      file desc     1      0K       0K 166960K         1        0
           proc    55     58K      59K 166960K       246        0
    NFS srvsock     1      0K       0K 166960K         1        0
     NFS daemon     1     16K      16K 166960K         1        0
       in_multi    11      0K       0K 166960K        11        0
    ether_multi     1      0K       0K 166960K         1        0
    ISOFS mount     1     32K      32K 166960K         1        0
  MSDOSFS mount     1     16K      16K 166960K         1        0
           ttys    25    122K     122K 166960K        25        0
           exec     0      0K       1K 166960K       243        0
            tdb     3      0K       0K 166960K         3        0
        VM swap     8     62K      64K 166960K        10        0
       UVM amap   114      6K       6K 166960K     11187        0
       UVM aobj     3      2K       2K 166960K         3        0
        memdesc     1      4K       4K 166960K         1        0
    crypto data     1      1K       1K 166960K         1        0
            NDP     3      0K       0K 166960K         3        0
           temp     1   6748K    6812K 166960K    361143        0
         kqueue    11     16K      18K 166960K        24        0
      SYN cache     2     16K      16K 166960K         2        0
ddb> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
rtpcb      120       20    0       17     1     0     1     1     0     8    0
rtentry    112       23    0        1     1     0     1     1     0     8    0
unpcb      144       33    0       20     1     0     1     1     0     8    0
syncache   336        5    0        5     1     0     1     1     0     8    1
tcpqe       32       59    0       59     1     0     1     1     0     8    1
tcpcb      808        8    0        5     1     0     1     1     0     8    0
arp         88        2    0        0     1     0     1     1     0     8    0
inpcb      360       26    0       20     1     0     1     1     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256       97    0        0     7     0     7     7     0     8    0
art_table   32       98    0        0     1     0     1     1     0     8    0
art_node    16       22    0        2     1     0     1     1     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino2pl    256    19338    0    14621   295     0   295   295     0     8    0
ffsino     240    19338    0    14621   278     0   278   278     0     8    0
nchpl      144    37427    0    35843    60     0    60    60     0     8    1
uvmvnodes   80     6228    0        0   128     0   128   128     0     8    0
vnodes     216     6228    0        0   346     0   346   346     0     8    0
namei      1024   84834    0    84832     2     0     2     2     0     8    1
kstatmem   264        6    0        0     1     0     1     1     0     8    0
scxspl     216    92546    0    92546     8     0     8     8     1     8    8
plimitpl   152       16    0       10     1     0     1     1     0     8    0
sigapl     424     9270    0     9226     6     0     6     6     0     8    1
knotepl    120    75288    0    75259     2     0     2     2     0     8    1
kqueuepl   184       20    0       13     1     0     1     1     0     8    0
pipepl     288       87    0       84     1     0     1     1     0     8    0
fdescpl    432     9254    0     9229     4     0     4     4     0     8    1
filepl     120    27977    0    27922     3     0     3     3     0     8    1
lockfpl    104    17908    0    17906     1     0     1     1     0     8    0
lockfspl    48     8453    0     8451     1     0     1     1     0     8    0
sessionpl  144       17    0        9     1     0     1     1     0     8    0
pgrppl      48       17    0        9     1     0     1     1     0     8    0
ucredpl    104       67    0       56     1     0     1     1     0     8    0
zombiepl   144     9230    0     9226     1     0     1     1     0     8    0
processpl  1072    9270    0     9226     4     0     4     4     0     8    1
procpl     680     9270    0     9226     4     0     4     4     0     8    0
sockpl     488       79    0       57     3     0     3     3     0     8    0
mcl8k      8192       4    0        4     1     0     1     1     0     8    1
mcl4k      4096      10    0       10     1     0     1     1     0     8    1
mcl2k      2048   16567    0    16528    30    17    13    30     0     8    7
mtagpl      96        4    0        4     1     0     1     1     0     8    1
mbufpl     256    50726    0    50683    16     5    11    16     0     8    7
bufpl      280    20954    0    14695   448     0   448   448     0     8    0
anonpl      24   256935    0   254845    24     0    24    24     0   188   11
amapchunkpl 152   17813    0    17605     9     0     9     9     0   158    0
amappl16   200    14553    0    14542     5     0     5     5     0     8    4
amappl15   192        8    0        8     1     0     1     1     0     8    1
amappl14   184      115    0      106     1     0     1     1     0     8    0
amappl13   176       10    0       10     1     0     1     1     0     8    1
amappl12   168      800    0      780     1     0     1     1     0     8    0
amappl11   160       64    0       54     1     0     1     1     0     8    0
amappl10   152       30    0       30     1     0     1     1     0     8    1
amappl9    144      142    0      142     1     0     1     1     0     8    1
amappl8    136       39    0       37     1     0     1     1     0     8    0
amappl7    128       93    0       83     1     0     1     1     0     8    0
amappl6    120      114    0      109     1     0     1     1     0     8    0
amappl5    112       99    0       91     1     0     1     1     0     8    0
amappl4    104     9276    0     9250     1     0     1     1     0     8    0
amappl3     96     2321    0     2274     2     0     2     2     0     8    0
amappl2     88     9551    0     9501     2     0     2     2     0     8    0
amappl1     80    35725    0    35266    11     0    11    11     0     8    0
amappl      88    10916    0    10840     2     0     2     2     0    92    0
dma4096    4096       1    0        1     1     0     1     1     0     8    1
dma1024    1024       1    0        0     1     0     1     1     0     8    0
dma256     256        6    0        6     1     0     1     1     0     8    1
dma128     128      253    0      253     1     0     1     1     0     8    1
dma64       64        6    0        6     1     0     1     1     0     8    1
dma32       32        7    0        7     1     0     1     1     0     8    1
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      72        2    0        0     1     0     1     1     0     8    0
uaddrrnd    24     9254    0     9229     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24     9254    0     9229     1     0     1     1     0     8    0
vmmpekpl   168    26126    0    26107     1     0     1     1     0     8    0
vmmpepl    168   258385    0   257188    57     0    57    57     0   357    4
vmsppl     352     9253    0     9229     3     0     3     3     0     8    0
rwobjpl     24    32831    0    25926    42     0    42    42     0     8    0
pdppl      4096   18514    0    18458   118    58    60    64     0     8    4
pvpl        32   791454    0   786624    52     0    52    52     0   265   12
pmappl     216     9253    0     9229     2     0     2     2     0     8    0
extentpl    40       56    0       38     1     0     1     1     0     8    0
phpool     112      762    0       80    20     0    20    20     0     8    0
ddb> machine ddbcpu 0
No such command
ddb> trace
memcpy() at memcpy+0x19
ufs_inactive(ffff80002a690d18) at ufs_inactive+0x229 sys/ufs/ufs/ufs_inode.c:95
VOP_INACTIVE(fffffd8068b196f8,ffff80002a62f008) at VOP_INACTIVE+0xbf sys/kern/vfs_vops.c:489
vrele(fffffd8068b196f8) at vrele+0xcd sys/kern/vfs_subr.c:827
fdfree(ffff80002a62f008) at fdfree+0x1f4 sys/kern/kern_descrip.c:1210
exit1(ffff80002a62f008,0,0,1) at exit1+0x367 sys/kern/kern_exit.c:199
sys_exit(ffff80002a62f008,ffff80002a690fb0,ffff80002a690f00) at sys_exit+0x1a sys/kern/kern_exit.c:89
syscall(ffff80002a690fb0) at syscall+0x751 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f49b1104d80, count: -9
ddb> machine ddbcpu 1
No such command
ddb> trace
memcpy() at memcpy+0x19
ufs_inactive(ffff80002a690d18) at ufs_inactive+0x229 sys/ufs/ufs/ufs_inode.c:95
VOP_INACTIVE(fffffd8068b196f8,ffff80002a62f008) at VOP_INACTIVE+0xbf sys/kern/vfs_vops.c:489
vrele(fffffd8068b196f8) at vrele+0xcd sys/kern/vfs_subr.c:827
fdfree(ffff80002a62f008) at fdfree+0x1f4 sys/kern/kern_descrip.c:1210
exit1(ffff80002a62f008,0,0,1) at exit1+0x367 sys/kern/kern_exit.c:199
sys_exit(ffff80002a62f008,ffff80002a690fb0,ffff80002a690f00) at sys_exit+0x1a sys/kern/kern_exit.c:89
syscall(ffff80002a690fb0) at syscall+0x751 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f49b1104d80, count: -9

Crashes (6):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Assets (help?)	Manager	Title
2024/03/18 04:09	openbsd	1eb3d403c0b9	6ee49f2e	.config	console log	report	syz	C	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-main	uvm_fault: memcpy
2022/10/08 21:10	openbsd	5cb1d9dce18f	aea5da89	.config	console log	report	syz	C	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-main	uvm_fault: memcpy
2023/11/14 17:25	openbsd	c101cdd2dbb5	cb976f63	.config	console log	report			[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	uvm_fault: memcpy
2023/06/30 11:50	openbsd	5f0c994b3e51	01298212	.config	console log	report			[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	uvm_fault: memcpy
2023/02/20 16:00	openbsd	1e5b016c5082	4f5f5209	.config	console log	report			[disk image] [bsd.gdb] [kernel image]	ci-openbsd-main	uvm_fault: memcpy
2023/01/29 13:16	openbsd	7173161c5823	b68fb8d6	.config	console log	report			[disk image] [bsd.gdb] [kernel image]	ci-openbsd-main	uvm_fault: memcpy

* ~~Struck through~~ repros no longer work on HEAD.