syzbot


panic: pr_find_pagehead: mbufpl: incorrect page
Status: fixed on 2019/01/06 10:35
Reported-by: syzbot+4e4d97eae870fe5993a5@syzkaller.appspotmail.com
Fix commit: 54e30ac1 Fix mbuf related crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now.
- Check M_PKTHDR with assertion before accessing m_pkthdr.
- Do not access oh_length without m_pullup().
- After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content.
- Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf.
Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
First crash: 285d, last: 269d

Sample crash report:

All crashes (3):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro
ci-openbsd-main 2018/12/23 23:36 openbsd 7d0170de e3bd7ab8 .config log report
ci-openbsd-main 2018/12/19 14:51 openbsd f26abd72 cda92f77 .config log report
ci-openbsd-main 2018/12/08 02:23 openbsd 53ac6a98 65ed2472 .config log report