syzbot


panic: pr_find_pagehead: mbufpl: page header missing

Status: fixed on 2018/12/28 21:36
Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com
Fix commit: Fix mbuf related crashes in switch(4). They have been found by
First crash: 1463d, last: 1450d
similar bugs (2):
Kernel   Title                                                     Repro  Cause bisect  Fix bisect  Count  Last   Reported  Patched  Status
openbsd  panic: pr_find_pagehead: mbufpl: page header missing (3)  -      -             -           2      894d   927d      0/3      auto-closed as invalid on 2020/09/23 20:57
openbsd  panic: pr_find_pagehead: mbufpl: page header missing (2)  -      -             -           1      1089d  1089d     0/3      auto-closed as invalid on 2020/03/12 10:50

Sample crash report:
panic: pr_find_pagehead: mbufpl: page header missing
Stopped at      db_enter+0xa:   popq    %rbp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
db_enter() at db_enter+0xa
panic() at panic+0x147
pool_do_put(ffffff0006000100,ffffffff81ecbc58) at pool_do_put+0x339
pool_put(0,ffffff0006000100) at pool_put+0x37
m_free(ffffff0006000100) at m_free+0x12c
mq_purge(ffff800000aca600) at mq_purge+0x6d
switchclose(ffff8000210c3528,ffff80002110e698,ffffffff818e10a7,ffff80002110e640) at switchclose+0x77
spec_close(ffffffff81dfb940) at spec_close+0x271
VOP_CLOSE(ffffff006e1e9900,ffff8000210c3528,ffffff007f7c7ba0,3) at VOP_CLOSE+0x5f
vn_closefile(ffff8000210c3528,ffffff006e471170) at vn_closefile+0xfc
fdrop(ffffff006e471170,ffff8000210c3528) at fdrop+0xa4
closef(ffff8000210c3528,ffffff006e994d48) at closef+0xd5
fdfree(ffff80002105f330) at fdfree+0x98
exit1(ffff80002110e960,ffff8000210c3528,ffff80002105f330) at exit1+0x22f
end trace frame: 0xffff80002110e880, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb> 
ddb> set $lines = 0
ddb> show panic
pr_find_pagehead: mbufpl: page header missing
ddb> trace
db_enter() at db_enter+0xa
panic() at panic+0x147
pool_do_put(ffffff0006000100,ffffffff81ecbc58) at pool_do_put+0x339
pool_put(0,ffffff0006000100) at pool_put+0x37
m_free(ffffff0006000100) at m_free+0x12c
mq_purge(ffff800000aca600) at mq_purge+0x6d
switchclose(ffff8000210c3528,ffff80002110e698,ffffffff818e10a7,ffff80002110e640) at switchclose+0x77
spec_close(ffffffff81dfb940) at spec_close+0x271
VOP_CLOSE(ffffff006e1e9900,ffff8000210c3528,ffffff007f7c7ba0,3) at VOP_CLOSE+0x5f
vn_closefile(ffff8000210c3528,ffffff006e471170) at vn_closefile+0xfc
fdrop(ffffff006e471170,ffff8000210c3528) at fdrop+0xa4
closef(ffff8000210c3528,ffffff006e994d48) at closef+0xd5
fdfree(ffff80002105f330) at fdfree+0x98
exit1(ffff80002110e960,ffff8000210c3528,ffff80002105f330) at exit1+0x22f
sys_exit(ffffffff81ab3003,ffff80002110e880,ffff80002110e960) at sys_exit+0x13
syscall(0) at syscall+0x3e4
Xsyscall(6,1,0,1,7f7fffff1fd0,0) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7fffff1fc0, count: -17
ddb> show registers
rdi               0xffffffff81e10dd8    kprintf_mutex
rsi                              0x5
rbp               0xffff80002110e450
rbx               0xffff80002110e4f0
rdx                            0x3fd
rcx                                0
rax                                0
r8                0xffff80002110e420
r9                0x8080808080808080
r10                                0
r11               0xffffffff8174f9a0    x86_bus_space_io_read_1
r12                     0x3000000008
r13               0xffff80002110e460
r14                            0x100
r15               0xffffffff81c13cbf    apollo_udma100_tim+0x4253
rip               0xffffffff81679b8a    db_enter+0xa
cs                               0x8
rflags                         0x246
rsp               0xffff80002110e450
ss                              0x10
db_enter+0xa:   popq    %rbp
ddb> show proc
PROC (syz-executor1529) pid=256821 stat=onproc
    flags process=1008<EXITING,SINGLEEXIT> proc=2000<WEXIT>
    pri=50, usrpri=52, nice=20
    forw=0xffffffffffffffff, list=0xffff8000210c24c0,0xffff8000210c2980
    process=0xffff80002105f330 user=0xffff800021109000, vmspace=0xffffff007f12bc60
    estcpu=2, cpticks=3, pctcpu=0.0
    user=0, sys=0, intr=0
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 92269   24317  56229      0  2           0                syz-executor1529
 92269  296183  56229      0  3   0x4000080  fsleep        syz-executor1529
 56229  184095  58894      0  3        0x80  nanosleep     syz-executor1529
 79067  184662  58894      0  3        0x80  nanosleep     syz-executor1529
 58894  303198  95543      0  3        0x82  nanosleep     syz-executor1529
 95543  281058  10636      0  3    0x10008a  pause         ksh
 10636  168310  76093      0  3        0x92  select        sshd
 94196  121686      1      0  3    0x100083  ttyin         getty
 76093  324165      1      0  3        0x80  select        sshd
 79609  491412  86175     73  3    0x100090  kqread        syslogd
 86175  329814      1      0  3    0x100082  netio         syslogd
 17870  299425      1     77  3    0x100090  poll          dhclient
  6644    4573      1      0  3        0x80  poll          dhclient
 32923  101997      0      0  2     0x14200                zerothread
  9610  506004      0      0  3     0x14200  aiodoned      aiodoned
 41544  500091      0      0  3     0x14200  syncer        update
 77298  147067      0      0  3     0x14200  cleaner       cleaner
 32985    9534      0      0  3     0x14200  reaper        reaper
 38828  104275      0      0  3     0x14200  pgdaemon      pagedaemon
 26122  450894      0      0  3     0x14200  bored         crynlk
 44138  482470      0      0  3     0x14200  bored         crypto
 33502  211846      0      0  3  0x40014200  acpi0         acpi0
 45102  375338      0      0  3     0x14200  bored         softnet
 49751  428803      0      0  3     0x14200  bored         systqmp
 24903  429017      0      0  3     0x14200  bored         systq
   758  266970      0      0  3  0x40014200  bored         softclock
 95851   33566      0      0  3  0x40014200                idle0
     1  478748      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
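What the panic means: on OpenBSD, pool_put() (through pool_do_put) first locates the page header that owns the item being returned. If no page currently belonging to that pool contains the address, pr_find_pagehead panics with "page header missing" and names the pool, here mbufpl, the mbuf pool. The trace above shows the free coming from switchclose() purging the device's mbuf queue during process exit, so the mbuf handed to m_free() (0xffffff0006000100) was not, or no longer, backed by a page the mbuf pool owns, which is what a stale or corrupted mbuf pointer looks like and is consistent with the fix commit's description of mbuf-related crashes in switch(4).

The following user-space model is an added example, not OpenBSD source, written to show what that check catches. It keeps one header per pool page, resolves a returned address to its page header the way pr_find_pagehead does, and reports three outcomes: a correct put, the same item put twice (what a queue purged once more than it was filled would produce), and an address that never came from the pool. All names (toy_pool, toy_find_pagehead, run_scenario, ...) are hypothetical, and the model's double-put check is its own, not a claim about which diagnostics the kernel pool enables.

```c
/* Added example, not OpenBSD code: model of the pool(9) page-header check
 * behind "pr_find_pagehead: mbufpl: page header missing". Names are made up. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SZ 4096u
#define ITEM_SZ 256u                 /* one item per 256 bytes, like an mbuf */
#define NPAGES  2
#define NITEMS  (PAGE_SZ / ITEM_SZ)

/* One header per backing page: the page it covers and which items are free. */
struct toy_ph {
    uintptr_t base;            /* page start address */
    uint8_t   infree[NITEMS];  /* 1 = item is on the free list */
};

struct toy_pool {
    const char   *wchan;       /* pool name; "mbufpl" in the report */
    struct toy_ph ph[NPAGES];
    void         *raw;         /* malloc'd block that the pages are carved from */
};

enum put_result { PUT_OK = 0, PUT_NO_PAGEHEAD = 1, PUT_DOUBLE_FREE = 2 };

static int toy_pool_init(struct toy_pool *pp, const char *wchan)
{
    pp->wchan = wchan;
    pp->raw = malloc((NPAGES + 1) * PAGE_SZ);      /* slack for alignment */
    if (pp->raw == NULL)
        return -1;
    uintptr_t first = ((uintptr_t)pp->raw + PAGE_SZ - 1) & ~(uintptr_t)(PAGE_SZ - 1);
    for (int i = 0; i < NPAGES; i++) {
        pp->ph[i].base = first + (uintptr_t)i * PAGE_SZ;
        memset(pp->ph[i].infree, 1, sizeof pp->ph[i].infree);
    }
    return 0;
}

static void toy_pool_destroy(struct toy_pool *pp) { free(pp->raw); }

/* pr_find_pagehead analogue: the header of the page containing v, or NULL
 * when no page of this pool contains it. */
static struct toy_ph *toy_find_pagehead(struct toy_pool *pp, const void *v)
{
    uintptr_t page = (uintptr_t)v & ~(uintptr_t)(PAGE_SZ - 1);
    for (int i = 0; i < NPAGES; i++)
        if (pp->ph[i].base == page)
            return &pp->ph[i];
    return NULL;
}

static void *toy_pool_get(struct toy_pool *pp)
{
    for (int i = 0; i < NPAGES; i++)
        for (unsigned j = 0; j < NITEMS; j++)
            if (pp->ph[i].infree[j]) {
                pp->ph[i].infree[j] = 0;
                return (void *)(pp->ph[i].base + j * ITEM_SZ);
            }
    return NULL;
}

static enum put_result toy_pool_put(struct toy_pool *pp, void *v)
{
    struct toy_ph *ph = toy_find_pagehead(pp, v);
    if (ph == NULL) {   /* the condition behind the panic in the report */
        fprintf(stderr, "panic: pr_find_pagehead: %s: page header missing\n", pp->wchan);
        return PUT_NO_PAGEHEAD;
    }
    unsigned idx = (unsigned)(((uintptr_t)v - ph->base) / ITEM_SZ);
    if (ph->infree[idx]) {   /* model's own double-put detection */
        fprintf(stderr, "panic: %s: item %p put twice\n", pp->wchan, v);
        return PUT_DOUBLE_FREE;
    }
    ph->infree[idx] = 1;
    return PUT_OK;
}

/* 0: get then put; 1: put the same item twice; other: put a foreign address. */
static enum put_result run_scenario(int which)
{
    struct toy_pool pp;
    enum put_result r;
    unsigned char foreign[ITEM_SZ];   /* constructed: stack memory, never pool memory */

    if (toy_pool_init(&pp, "mbufpl") != 0)
        return PUT_NO_PAGEHEAD;
    void *m = toy_pool_get(&pp);
    switch (which) {
    case 0:  r = toy_pool_put(&pp, m); break;
    case 1:  toy_pool_put(&pp, m); r = toy_pool_put(&pp, m); break;
    default: r = toy_pool_put(&pp, foreign); break;
    }
    toy_pool_destroy(&pp);
    return r;
}

int main(void)
{
    for (int i = 0; i < 3; i++)
        printf("scenario %d -> %d\n", i, run_scenario(i));
    return 0;
}
```

The page-header lookup is what makes the kernel fail loudly instead of silently corrupting the free list: a pointer whose page is not in the pool cannot be trusted at all, so the right response is a panic, and the value of syzbot's trace is that it names the call path (switchclose -> mq_purge -> m_free) that produced the bad pointer.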

Crashes (10):
Manager               Time              Kernel                                            Commit        Syzkaller  Config   Log  Report  Syz repro  C repro  VM info  Title
ci-openbsd-main       2018/12/04 14:56  openbsd                                           f939acc2595a  03f94a45   -        log  report  syz        C        -        -
ci-openbsd-main       2018/12/08 05:09  openbsd                                           53ac6a98736c  65ed2472   .config  log  report  syz        -        -        -
ci-openbsd-multicore  2018/12/06 09:38  https://github.com/blackgnezdo/src.git multicore  46168e0d3b1d  f162ad97   -        log  report  syz        -        -        -
ci-openbsd-main       2018/12/17 17:13  openbsd                                           9257d67bbd0d  527230f1   .config  log  report  -          -        -        -
ci-openbsd-main       2018/12/16 04:58  openbsd                                           014e15819e15  def91db3   .config  log  report  -          -        -        -
ci-openbsd-main       2018/12/07 06:02  openbsd                                           76d787ec3667  b6709220   .config  log  report  -          -        -        -
ci-openbsd-main       2018/12/06 18:46  openbsd                                           7d03a16b0321  cc3a19d5   -        log  report  -          -        -        -
ci-openbsd-main       2018/12/06 09:50  openbsd                                           7d03a16b0321  f162ad97   -        log  report  -          -        -        -
ci-openbsd-main       2018/12/05 16:32  openbsd                                           522be8593c5d  f162ad97   -        log  report  -          -        -        -
ci-openbsd-main       2018/12/05 00:50  openbsd                                           f9485e1deed3  03f94a45   -        log  report  -          -        -        -
* Struck through repros no longer work on HEAD.