syzbot

uvm_fault: ip_ctloutput

Status: fixed on 2018/12/04 18:27
Reported-by: syzbot+02168317bd0156c13b69@syzkaller.appspotmail.com
Fix commit: In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
First crash: 1458d, last: 1454d

Sample crash report:
login: uvm_fault(0xffffff007f12bb58, 0xd0, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at      ip_ctloutput+0x784:     movq    0xd0(%r14),%rbx
ddb> 
ddb> set $lines = 0
ddb> show panic
kernel page fault
uvm_fault(0xffffff007f12bb58, 0xd0, 0, 1) -> e
ip_ctloutput(ffffff006e48e170,ffff8000210c2e20,ffffff006e706788,ffff8000210fa988,ffffff007f146c00) at ip_ctloutput+0x784
end trace frame: 0xffff8000210fa930, count: 0
ddb> trace
ip_ctloutput(ffffff006e48e170,ffff8000210c2e20,ffffff006e706788,ffff8000210fa988,ffffff007f146c00) at ip_ctloutput+0x784
sys_getsockopt(ffff8000210faa10,ffff8000210c2e20,ffff8000210a5338) at sys_getsockopt+0x13c
syscall(0) at syscall+0x3e4
Xsyscall(6,0,0,0,1,7f7fffff3a18) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7fffff39d0, count: -4
ddb> show registers
rdi                                0
rsi               0xffffff006e706788
rbp               0xffff8000210fa8d0
rbx                                0
rdx                                0
rcx                              0x1
rax                                0
r8                0xffffff007f146c00
r9                                 0
r10               0xa28679f43345c2df
r11               0xffffffff8110e110    rip_ctloutput
r12                              0x1
r13                                0
r14                                0
r15               0xffffff007f146c00
rip               0xffffffff81a13b44    ip_ctloutput+0x784
cs                               0x8
rflags                       0x10246    __ALIGN_SIZE+0xf246
rsp               0xffff8000210fa8a0
ss                              0x10
ip_ctloutput+0x784:     movq    0xd0(%r14),%rbx
ddb> show proc
PROC (syz-executor1283) pid=307178 stat=onproc
    flags process=2<EXEC> proc=0
    pri=51, usrpri=51, nice=20
    forw=0xffffffffffffffff, list=0xffff8000210c3078,0xffffffff81e98cf0
    process=0xffff8000210a5338 user=0xffff8000210f5000, vmspace=0xffffff007f12bb58
    estcpu=1, cpticks=1, pctcpu=0.0
    user=0, sys=1, intr=0
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
*22391  307178  19661      0  7         0x2                syz-executor1283
 19661  340086  17670      0  3    0x10008a  pause         ksh
 17670  326992  29604      0  3        0x92  select        sshd
 41270   33654      1      0  3    0x100083  ttyin         getty
 29604  327245      1      0  3        0x80  select        sshd
 79075   90932  56293     73  2    0x100090                syslogd
 56293  303628      1      0  3    0x100082  netio         syslogd
 68459  425749      1     77  3    0x100090  poll          dhclient
 36911   58752      1      0  3        0x80  poll          dhclient
 56206  238502      0      0  2     0x14200                zerothread
  5835  239343      0      0  3     0x14200  aiodoned      aiodoned
 38692  124704      0      0  3     0x14200  syncer        update
 30045  377418      0      0  3     0x14200  cleaner       cleaner
  8830  232312      0      0  3     0x14200  reaper        reaper
 36321  273872      0      0  3     0x14200  pgdaemon      pagedaemon
 27140  184915      0      0  3     0x14200  bored         crynlk
 99803  446221      0      0  3     0x14200  bored         crypto
 11482  154614      0      0  3  0x40014200  acpi0         acpi0
 50541  283257      0      0  3     0x14200  bored         softnet
 80198  487934      0      0  3     0x14200  bored         systqmp
 67536  180871      0      0  3     0x14200  bored         systq
 44741  199952      0      0  3  0x40014200  bored         softclock
 30804  187632      0      0  3  0x40014200                idle0
     1   82730      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb> 

Crashes (11):

Manager          Time              Kernel   Commit        Syzkaller  Config  Log  Report  Syz repro  C repro  VM info  Title
ci-openbsd-main  2018/12/01 03:57  openbsd  e9b93a3e5ebc  28e157f1           log  report  syz        C
ci-openbsd-main  2018/12/04 13:16  openbsd  f939acc2595a  03f94a45           log  report
ci-openbsd-main  2018/12/04 00:05  openbsd  f939acc2595a  03f94a45           log  report
ci-openbsd-main  2018/12/03 16:35  openbsd  f939acc2595a  21927904           log  report
ci-openbsd-main  2018/12/03 04:41  openbsd  87d30890b5c0  7dcaeaf3           log  report
ci-openbsd-main  2018/12/02 08:45  openbsd  cedc02c7d74b  28e157f1           log  report
ci-openbsd-main  2018/12/01 13:19  openbsd  e9b93a3e5ebc  28e157f1           log  report
ci-openbsd-main  2018/12/01 11:14  openbsd  e9b93a3e5ebc  28e157f1           log  report
ci-openbsd-main  2018/12/01 03:41  openbsd  e9b93a3e5ebc  28e157f1           log  report
ci-openbsd-main  2018/11/30 17:05  openbsd  d93678d71f23  ade12e91           log  report
ci-openbsd-main  2018/11/30 14:51  openbsd  d93678d71f23  ade12e91           log  report