syzbot


uvm_fault: uvm_unmap_remove

Status: fixed on 2019/09/12 08:35
Reported-by: syzbot+39ff060789d93be0084f@syzkaller.appspotmail.com
Fix commit: 00ba8250173b vm_teardown() must be serialized since it modifies the global vmm_softc structure. Therefore grab the appropriate lock before calling the same function. This issue has been known for a while and reported before, but lacking a way to easily reproduce it, until syzkaller came up with a reproducer.
First crash: 1199d, last: 1180d
similar bugs (1):
Kernel   Title                            Repro  Cause bisect  Fix bisect  Count  Last   Reported  Patched  Status
openbsd  uvm_fault: uvm_unmap_remove (2)  C                                7836   1097d  1180d     3/3      fixed on 2019/12/04 16:31
Patch testing requests:
Created           Duration  User               Patch  Repo                                      Result
2019/09/10 19:49  17m       anton@basename.se         https://github.com/mptre/openbsd-src vmm  OK

Sample crash report:
uvm_fault(0xffffffff824f9f80, 0xffff800000a62000, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at      uvm_unmap_remove+0x3ef: movq    0x100(%rax),%r12
ddb> 
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
kernel page fault
uvm_fault(0xffffffff824f9f80, 0xffff800000a62000, 0, 1) -> e
uvm_unmap_remove(ffff800000a61f00,0,80000000,ffff8000148dfaa8,1,0) at uvm_unmap_remove+0x3ef uvmspace_dused sys/uvm/uvm_map.c:496 [inline]
uvm_unmap_remove(ffff800000a61f00,0,80000000,ffff8000148dfaa8,1,0) at uvm_unmap_remove+0x3ef sys/uvm/uvm_map.c:2215
end trace frame: 0xffff8000148dfae0, count: 0
ddb> trace
uvm_unmap_remove(ffff800000a61f00,0,80000000,ffff8000148dfaa8,1,0) at uvm_unmap_remove+0x3ef uvmspace_dused sys/uvm/uvm_map.c:496 [inline]
uvm_unmap_remove(ffff800000a61f00,0,80000000,ffff8000148dfaa8,1,0) at uvm_unmap_remove+0x3ef sys/uvm/uvm_map.c:2215
uvm_map_deallocate(ffff800000a61f00) at uvm_map_deallocate+0x6e sys/uvm/uvm_map.c:4231
vm_impl_init_vmx(ffff80001488f658,ffff8000ffff4500) at vm_impl_init_vmx+0x1e0
vm_create(ffff800000a38800,ffff8000ffff4500) at vm_create+0x182 vm_impl_init sys/arch/amd64/amd64/vmm.c:1376 [inline]
vm_create(ffff800000a38800,ffff8000ffff4500) at vm_create+0x182 sys/arch/amd64/amd64/vmm.c:1164
VOP_IOCTL(fffffd803d5ef1a0,c5005601,ffff800000a38800,1,fffffd803f7c6900,ffff8000ffff4500) at VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
vn_ioctl(fffffd803610a4b8,c5005601,ffff800000a38800,ffff8000ffff4500) at vn_ioctl+0xb7 sys/kern/vfs_vnops.c:524
sys_ioctl(ffff8000ffff4500,ffff8000148dfe88,ffff8000148dfef0) at sys_ioctl+0x5b8
syscall(ffff8000148dff50) at syscall+0x508
Xsyscall(6,0,2e3,0,2f,0) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffd4830, count: -9
ddb> show registers
rdi                                0
rsi                                0
rbp               0xffff8000148dfa90
rbx                                0
rdx                                0
rcx                                0
rax               0xffff800000a61f00
r8                               0x1
r9                                 0
r10               0x21339893c0af04a4
r11               0xd10a6daeea793966
r12               0xfffffd8035cb3e80
r13                       0x80000000    __kernel_virt_to_phys
r14                                0
r15                                0
rip               0xffffffff81f92e3f    uvm_unmap_remove+0x3ef
cs                               0x8
rflags                       0x10246    __ALIGN_SIZE+0xf246
rsp               0xffff8000148df9e0
ss                              0x10
uvm_unmap_remove+0x3ef: movq    0x100(%rax),%r12
ddb> show proc
PROC (syz-executor2181) pid=261152 stat=onproc
    flags process=0 proc=0
    pri=50, usrpri=50, nice=20
    forw=0xffffffffffffffff, list=0xffff8000ffff53d0,0xffffffff82583dc8
    process=0xffff8000148a2378 user=0xffff8000148db000, vmspace=0xfffffd803f013aa0
    estcpu=36, cpticks=1, pctcpu=0.0
    user=0, sys=1, intr=0
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
*42558  261152  86080      0  7           0                syz-executor2181
 86080   87691  60663      0  3        0x82  nanosleep     syz-executor2181
 60663  422924  41390      0  3    0x10008a  pause         ksh
 41390  451777   8262      0  2        0x12                sshd
 77892  400786      1      0  3    0x100083  ttyin         getty
  8262  417502      1      0  3        0x80  select        sshd
 48534  237851  98936     73  2    0x100090                syslogd
 98936  204123      1      0  3    0x100082  netio         syslogd
 89666   16148      1     77  3    0x100090  poll          dhclient
 15961  286044      1      0  3        0x80  poll          dhclient
 36552  281338      0      0  2     0x14200                zerothread
 77672  249414      0      0  3     0x14200  aiodoned      aiodoned
 49611  162849      0      0  3     0x14200  syncer        update
 84309  125875      0      0  3     0x14200  cleaner       cleaner
 10405  432666      0      0  3     0x14200  reaper        reaper
 12605  174526      0      0  3     0x14200  pgdaemon      pagedaemon
 72046  510273      0      0  3     0x14200  bored         crynlk
 75395  174347      0      0  3     0x14200  bored         crypto
 94721  137129      0      0  3  0x40014200  acpi0         acpi0
 14037  290951      0      0  3     0x14200  bored         softnet
 55364  366986      0      0  3     0x14200  bored         systqmp
 15307    8119      0      0  3     0x14200  bored         systq
 38895  349467      0      0  3  0x40014200  bored         softclock
  2664  373010      0      0  3  0x40014200                idle0
   719  354046      0      0  3     0x14200  bored         smr
     1  366328      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb> show all locks
No such command
ddb> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim Kern Lim
         devbuf  9428   6307K    6308K  78643K     10521        0        0
            pcb    13      8K       8K  78643K        13        0        0
         rtable    61      1K       2K  78643K       115        0        0
         ifaddr    21      7K       7K  78643K        21        0        0
       counters    19     16K      16K  78643K        19        0        0
       ioctlops     1      2K       2K  78643K        66        0        0
          mount     1      1K       1K  78643K         1        0        0
         vnodes  1180     74K      74K  78643K      1185        0        0
      UFS quota     1     32K      32K  78643K         1        0        0
      UFS mount     5     36K      36K  78643K         5        0        0
            shm     2      1K       1K  78643K         2        0        0
         VM map     3      0K       0K  78643K        55        0        0
            sem     2      0K       0K  78643K         2        0        0
        dirhash    12      2K       2K  78643K        12        0        0
           ACPI  1793    195K     288K  78643K     12645        0        0
      file desc     1      0K       0K  78643K         1        0        0
           proc    40     30K      38K  78643K       257        0        0
    NFS srvsock     1      0K       0K  78643K         1        0        0
     NFS daemon     1     16K      16K  78643K         1        0        0
       in_multi    11      0K       0K  78643K        11        0        0
    ether_multi     1      0K       0K  78643K         1        0        0
    ISOFS mount     1     32K      32K  78643K         1        0        0
  MSDOSFS mount     1     16K      16K  78643K         1        0        0
           ttys    18     79K      79K  78643K        18        0        0
           exec     0      0K       1K  78643K       152        0        0
        pagedep     1      8K       8K  78643K         1        0        0
       inodedep     1     32K      32K  78643K         1        0        0
         newblk     1      0K       0K  78643K         1        0        0
        VM swap     7     26K      26K  78643K         7        0        0
       UVM amap    53      3K       3K  78643K       773        0        0
       UVM aobj     2      2K       2K  78643K         2        0        0
        memdesc     1      4K       4K  78643K         1        0        0
    crypto data     1      1K       1K  78643K         1        0        0
            NDP     3      0K       0K  78643K         3        0        0
           temp    70   3525K    3579K  78643K      1759        0        0
      SYN cache     2     16K      16K  78643K         2        0        0
ddb> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp         64        2    0        0     1     0     1     1     0     8    0
rtpcb       80       15    0       13     1     0     1     1     0     8    0
rtentry    112       23    0        1     1     0     1     1     0     8    0
unpcb      120       27    0       19     1     0     1     1     0     8    0
syncache   264        5    0        5     2     1     1     1     0     8    1
tcpcb      544        8    0        5     1     0     1     1     0     8    0
inpcb      280       22    0       16     1     0     1     1     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256       97    0        0     7     0     7     7     0     8    0
art_table   32       98    0        0     1     0     1     1     0     8    0
art_node    16       22    0        2     1     0     1     1     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino1pl    128     1391    0       16    45     0    45    45     0     8    0
ffsino     240     1391    0       16    81     0    81    81     0     8    0
nchpl      144     1578    0       43    57     0    57    57     0     8    0
uvmvnodes   72     1400    0        0    26     0    26    26     0     8    0
vnodes     200     1400    0        0    74     0    74    74     0     8    0
namei      1024    3508    0     3508     2     1     1     1     0     8    1
vmpool     520       53    0       52     1     0     1     1     0     8    0
scxspl     192     2769    0     2769     9     7     2     7     0     8    2
plimitpl   152       13    0        8     1     0     1     1     0     8    0
sigapl     432      229    0      218     2     0     2     2     0     8    0
knotepl    112        5    0        0     1     0     1     1     0     8    0
kqueuepl   104        1    0        0     1     0     1     1     0     8    0
pipepl     112      118    0      111     2     1     1     1     0     8    0
fdescpl    424      230    0      218     2     0     2     2     0     8    0
filepl     120      891    0      848     2     0     2     2     0     8    0
lockfpl    104      111    0      110     2     1     1     1     0     8    0
lockfspl    48       56    0       55     2     1     1     1     0     8    0
sessionpl  112       17    0        9     1     0     1     1     0     8    0
pgrppl      48       17    0        9     1     0     1     1     0     8    0
ucredpl     96       47    0       40     1     0     1     1     0     8    0
zombiepl   144      218    0      218     2     1     1     1     0     8    1
processpl  864      244    0      218     4     0     4     4     0     8    0
procpl     632      244    0      218     3     0     3     3     0     8    0
sockpl     384       64    0       48     2     0     2     2     0     8    0
mcl4k      4096      10    0       10     2     1     1     1     0     8    1
mcl2k      2048    5976    0     5948     7     1     6     6     0     8    2
mtagpl      80        2    0        2     1     1     0     1     0     8    0
mbufpl     256    10359    0    10319     5     1     4     4     0     8    1
bufpl      256     2093    0      262   115     0   115   115     0     8    0
anonpl      16    19642    0    18499     7     2     5     7     0    62    0
amapchunkpl 152     627    0      591     2     0     2     2     0   158    0
amappl16   192      125    0      118     1     0     1     1     0     8    0
amappl14   176       36    0       32     1     0     1     1     0     8    0
amappl12   160        3    0        3     1     1     0     1     0     8    0
amappl11   152       41    0       30     1     0     1     1     0     8    0
amappl10   144       44    0       44     2     1     1     1     0     8    1
amappl9    136      378    0      377     1     0     1     1     0     8    0
amappl8    128       82    0       78     1     0     1     1     0     8    0
amappl7    120       17    0       16     1     0     1     1     0     8    0
amappl6    112       41    0       37     1     0     1     1     0     8    0
amappl5    104      197    0      186     1     0     1     1     0     8    0
amappl4     96      397    0      376     1     0     1     1     0     8    0
amappl3     88      147    0      136     1     0     1     1     0     8    0
amappl2     80      672    0      625     3     1     2     2     0     8    0
amappl1     72    12239    0    11855    16     6    10    16     0     8    0
amappl      80      438    0      418     1     0     1     1     0    84    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma64       64      259    0      259     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       17    0       17     1     1     0     1     0     8    0
aobjpl      64        1    0        0     1     0     1     1     0     8    0
uaddrrnd    24      283    0      218     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      283    0      218     1     0     1     1     0     8    0
vmmpekpl   168     5425    0     5409     1     0     1     1     0     8    0
vmmpepl    168    26522    0    25768    53    17    36    48     0   357    2
vmsppl     272      229    0      218     1     0     1     1     0     8    0
pdppl      4096     572    0      540     5     0     5     5     0     8    0
pvpl        32    73940    0    71187    34     8    26    27     0   265    3
pmappl     200      282    0      270     1     0     1     1     0     8    0
extentpl    40       41    0       26     1     0     1     1     0     8    0
phpool     112      232    0        6     7     0     7     7     0     8    0
ddb> 
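The fix commit attributes this crash to vm_teardown() modifying the global vmm_softc structure without holding the lock, and the trace above shows the fault in uvm_unmap_remove() reached from vm_create() through vm_impl_init_vmx() and uvm_map_deallocate(). The user-space C model below is an added example, not OpenBSD or syzkaller code: two contexts tear down the same VM one step at a time, first with no lock and then with a lock held across lookup, unlink and free, so the reader can see what an unserialized teardown of a shared table does to it. The softc layout (a fixed vm_list array, a vm_ct counter, one lock), the three-step teardown and the round-robin interleaving are simplifications assumed for the example and are not the kernel's actual data structures or locking primitive.

```c
/* Added example (not OpenBSD code): a deterministic model of why teardown
 * of a global VM table must be serialized. The field names vm_list and
 * vm_ct mirror vmm_softc's role in the fix commit; the layout is assumed. */
#include <stddef.h>
#include <stdio.h>

#define MAX_VMS 4

struct vm { int id; int alive; };   /* alive drops to 0 when "freed" */

struct softc {
    struct vm *vm_list[MAX_VMS];    /* global VM table (assumed layout) */
    int vm_ct;                      /* number of live VMs */
    int lock_owner;                 /* 0 = free, else id of holding context */
};

/* One teardown is three steps so two contexts can interleave: LOOKUP finds
 * the entry, UNLINK removes it and decrements vm_ct, FREE releases it. */
enum step { S_LOOKUP, S_UNLINK, S_FREE, S_DONE };

struct ctx {
    int id, target;                 /* context id and VM id to tear down */
    struct vm *found;
    enum step step;
    int double_free;                /* FREE hit an already-freed VM */
    int not_found;                  /* lookup under the lock found nothing */
};

struct outcome { int vm_ct; int double_frees; int not_found; };

static struct vm *lookup(struct softc *sc, int id) {
    for (int i = 0; i < MAX_VMS; i++)
        if (sc->vm_list[i] && sc->vm_list[i]->id == id)
            return sc->vm_list[i];
    return NULL;
}

static void unlink_vm(struct softc *sc, struct vm *vm) {
    for (int i = 0; i < MAX_VMS; i++)
        if (sc->vm_list[i] == vm)
            sc->vm_list[i] = NULL;
    sc->vm_ct--;                    /* decremented even if already unlinked */
}

/* Advance one context by one step; returns 0 when it is blocked or done.
 * With use_lock, the lock is taken before LOOKUP and dropped after FREE, so
 * the check "is this VM still here?" and the modification are one unit. */
static int tick(struct softc *sc, struct ctx *c, int use_lock) {
    switch (c->step) {
    case S_LOOKUP:
        if (use_lock) {
            if (sc->lock_owner && sc->lock_owner != c->id)
                return 0;           /* the kernel lock would sleep here */
            sc->lock_owner = c->id;
        }
        c->found = lookup(sc, c->target);
        if (c->found == NULL) {     /* already torn down by the other side */
            c->not_found = 1;
            c->step = S_DONE;
            if (use_lock) sc->lock_owner = 0;
            return 1;
        }
        c->step = S_UNLINK;
        return 1;
    case S_UNLINK:
        unlink_vm(sc, c->found);
        c->step = S_FREE;
        return 1;
    case S_FREE:
        if (!c->found->alive) c->double_free = 1;
        c->found->alive = 0;
        c->step = S_DONE;
        if (use_lock) sc->lock_owner = 0;
        return 1;
    default:
        return 0;
    }
}

/* Two contexts tear down VM 7 in strict round-robin, the worst interleaving. */
struct outcome run_teardown_race(int use_lock) {
    struct vm v = { .id = 7, .alive = 1 };      /* constructed sample VM */
    struct softc sc = { .vm_list = { &v }, .vm_ct = 1, .lock_owner = 0 };
    struct ctx c[2] = { { .id = 1, .target = 7 }, { .id = 2, .target = 7 } };
    while (c[0].step != S_DONE || c[1].step != S_DONE) {
        tick(&sc, &c[0], use_lock);
        tick(&sc, &c[1], use_lock);
    }
    struct outcome o = { sc.vm_ct, c[0].double_free + c[1].double_free,
                         c[0].not_found + c[1].not_found };
    return o;
}

int main(void) {
    struct outcome a = run_teardown_race(0), b = run_teardown_race(1);
    printf("unlocked: vm_ct=%d double_frees=%d\n", a.vm_ct, a.double_frees);
    printf("locked:   vm_ct=%d double_frees=%d not_found=%d\n",
           b.vm_ct, b.double_frees, b.not_found);
    return 0;
}
```

The unlocked run ends with vm_ct at -1 and a second free of the same entry, which is the shape of bug that surfaces later as a fault in unrelated teardown code such as the uvm_unmap_remove() frame above. The locked run ends with vm_ct at 0 and the second context finding nothing to tear down, which is the point of the fix: the lock has to cover the lookup as well as the modification, and the caller must accept "already gone" as a normal result rather than proceeding on a stale pointer.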

Crashes (780):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-openbsd-main 2019/08/24 12:59 openbsd 9be55947e891 78ded196 .config log report syz C
ci-openbsd-main 2019/09/12 08:25 openbsd caeae271c597 0b7672ee .config log report
ci-openbsd-main 2019/09/12 05:35 openbsd 98dbb244f271 f4e53c10 .config log report
ci-openbsd-main 2019/09/12 04:28 openbsd 98dbb244f271 f4e53c10 .config log report
ci-openbsd-main 2019/09/12 02:09 openbsd 98dbb244f271 f4e53c10 .config log report
ci-openbsd-main 2019/09/11 18:57 openbsd 067ee7eb2bf9 a60cb4cd .config log report
ci-openbsd-main 2019/09/11 17:52 openbsd 067ee7eb2bf9 a60cb4cd .config log report
ci-openbsd-main 2019/09/11 16:41 openbsd 067ee7eb2bf9 a60cb4cd .config log report
ci-openbsd-main 2019/09/11 15:12 openbsd 067ee7eb2bf9 a60cb4cd .config log report
ci-openbsd-main 2019/09/11 14:09 openbsd 067ee7eb2bf9 a60cb4cd .config log report
ci-openbsd-main 2019/09/11 13:38 openbsd 067ee7eb2bf9 a60cb4cd .config log report
ci-openbsd-main 2019/09/11 12:25 openbsd 067ee7eb2bf9 a60cb4cd .config log report
ci-openbsd-main 2019/09/11 11:13 openbsd ce97d859af21 a60cb4cd .config log report
ci-openbsd-main 2019/09/11 09:47 openbsd ce97d859af21 a60cb4cd .config log report
ci-openbsd-main 2019/09/11 08:31 openbsd ce97d859af21 a60cb4cd .config log report
ci-openbsd-main 2019/09/11 06:22 openbsd ce97d859af21 a60cb4cd .config log report
ci-openbsd-main 2019/09/11 05:00 openbsd ce97d859af21 a60cb4cd .config log report
ci-openbsd-main 2019/09/11 03:45 openbsd ce97d859af21 a60cb4cd .config log report
ci-openbsd-main 2019/09/11 00:22 openbsd ce97d859af21 a60cb4cd .config log report
ci-openbsd-main 2019/09/10 23:10 openbsd 4f5a6e711025 a60cb4cd .config log report
ci-openbsd-main 2019/09/10 22:02 openbsd 4f5a6e711025 a60cb4cd .config log report
ci-openbsd-main 2019/09/10 20:12 openbsd 4f5a6e711025 a60cb4cd .config log report
ci-openbsd-main 2019/09/10 17:42 openbsd 4f5a6e711025 a60cb4cd .config log report
ci-openbsd-main 2019/09/10 16:43 openbsd 4f5a6e711025 a60cb4cd .config log report
ci-openbsd-main 2019/09/10 14:36 openbsd 4f5a6e711025 a60cb4cd .config log report
ci-openbsd-main 2019/09/10 12:53 openbsd 4f5a6e711025 a60cb4cd .config log report
ci-openbsd-main 2019/09/10 11:30 openbsd 4f5a6e711025 a60cb4cd .config log report
ci-openbsd-main 2019/09/10 10:07 openbsd 4f5a6e711025 a60cb4cd .config log report
ci-openbsd-main 2019/09/10 09:06 openbsd 62d8f86c43d3 a60cb4cd .config log report
ci-openbsd-main 2019/09/10 07:26 openbsd 62d8f86c43d3 a60cb4cd .config log report
ci-openbsd-main 2019/09/10 05:34 openbsd 62d8f86c43d3 a60cb4cd .config log report
ci-openbsd-main 2019/09/10 03:57 openbsd 62d8f86c43d3 a60cb4cd .config log report
ci-openbsd-main 2019/09/10 02:30 openbsd 62d8f86c43d3 a60cb4cd .config log report
ci-openbsd-main 2019/09/10 01:16 openbsd 62d8f86c43d3 a60cb4cd .config log report
ci-openbsd-main 2019/09/09 22:27 openbsd 62d8f86c43d3 a60cb4cd .config log report
ci-openbsd-main 2019/09/09 22:19 openbsd 62d8f86c43d3 a60cb4cd .config log report
ci-openbsd-main 2019/09/09 20:44 openbsd 1af766eb9cce a60cb4cd .config log report
ci-openbsd-main 2019/09/09 19:25 openbsd 1af766eb9cce a60cb4cd .config log report
ci-openbsd-main 2019/09/09 18:17 openbsd 1af766eb9cce a60cb4cd .config log report
ci-openbsd-main 2019/09/09 16:24 openbsd 1af766eb9cce a60cb4cd .config log report
ci-openbsd-main 2019/09/09 15:10 openbsd 1af766eb9cce a60cb4cd .config log report
ci-openbsd-main 2019/09/09 13:21 openbsd 1af766eb9cce a60cb4cd .config log report
ci-openbsd-main 2019/09/09 12:16 openbsd 1af766eb9cce a60cb4cd .config log report
ci-openbsd-main 2019/09/09 10:26 openbsd 1af766eb9cce a60cb4cd .config log report
ci-openbsd-main 2019/09/09 08:59 openbsd 1af766eb9cce a60cb4cd .config log report
ci-openbsd-main 2019/09/09 07:37 openbsd 8b22851bda0c a60cb4cd .config log report
ci-openbsd-main 2019/09/09 06:03 openbsd 8b22851bda0c a60cb4cd .config log report
ci-openbsd-main 2019/09/09 02:41 openbsd 8b22851bda0c a60cb4cd .config log report
ci-openbsd-main 2019/09/09 01:10 openbsd 8b22851bda0c a60cb4cd .config log report
ci-openbsd-main 2019/09/08 23:08 openbsd 8b22851bda0c a60cb4cd .config log report
ci-openbsd-main 2019/08/24 09:04 openbsd 9be55947e891 78ded196 .config log report
* Struck through repros no longer work on HEAD.