syzbot


Fatal trap NUM: page fault in inp_next

Status: fixed on 2022/01/01 22:26
Reported-by: syzbot+403406a9cbf082b36ea4@syzkaller.appspotmail.com
Fix commit: 430df2abee90 in_pcb: improve inp_next()
First crash: 410d, last: 405d

Sample crash report:
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address	= 0x1b0
fault code		= supervisor read data, page not present
instruction pointer	= 0x20:0xffffffff81aa4de1
stack pointer	        = 0x28:0xfffffe00540303f0
frame pointer	        = 0x28:0xfffffe0054030450
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 12 (swi1: netisr 0)
trap number		= 12
panic: page fault
cpuid = 0
time = 1640258925
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0xc7/frame 0xfffffe005402fbf0
kdb_backtrace() at kdb_backtrace+0xd3/frame 0xfffffe005402fd50
vpanic() at vpanic+0x2b8/frame 0xfffffe005402fe30
panic() at panic+0xb5/frame 0xfffffe005402fef0
trap_fatal() at trap_fatal+0x6a4/frame 0xfffffe005402fff0
trap_pfault() at trap_pfault+0x186/frame 0xfffffe0054030130
trap() at trap+0x5e4/frame 0xfffffe0054030320
calltrap() at calltrap+0x8/frame 0xfffffe0054030320
--- trap 0xc, rip = 0xffffffff81aa4de1, rsp = 0xfffffe00540303f0, rbp = 0xfffffe0054030450 ---
inp_next() at inp_next+0x4f1/frame 0xfffffe0054030450
in6_pcbnotify() at in6_pcbnotify+0x3a6/frame 0xfffffe0054030600
udp6_common_ctlinput() at udp6_common_ctlinput+0x13f/frame 0xfffffe00540306f0
icmp6_input() at icmp6_input+0x3773/frame 0xfffffe0054030a90
ip6_input() at ip6_input+0x1f40/frame 0xfffffe0054030cf0
swi_net() at swi_net+0x2e5/frame 0xfffffe0054030d90
ithread_loop() at ithread_loop+0x4f1/frame 0xfffffe0054030ef0
fork_exit() at fork_exit+0xd0/frame 0xfffffe0054030f30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0054030f30
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
[ thread pid 12 tid 100032 ]
Stopped at      kdb_enter+0x6b: movq    $0,0x250ddca(%rip)
db> 
db> 

Crashes (3):
Manager          Time              Kernel       Commit        Syzkaller  Log          Report  Syz repro  Title
ci-freebsd-main  2021/12/23 11:48  freebsd-src  acdc1de369a5  6caa12e4   console log  report  syz        Fatal trap NUM: page fault in inp_next
ci-freebsd-main  2021/12/23 11:26  freebsd-src  acdc1de369a5  6caa12e4   console log  report  -          Fatal trap NUM: page fault in inp_next
ci-freebsd-i386  2021/12/29 03:04  freebsd-src  f7926a6d0c10  76c8cf06   console log  report  -          Fatal trap NUM: page fault in inp_next