uvm_fault: wsmux_do

uvm_fault: wsmux_do_ioctl

Status: fixed on 2018/12/18 19:33
Reported-by: syzbot+e07caaf3659f6caa6900@syzkaller.appspotmail.com
Fix commit: Utilize sigio with wscons. The old behavior of always making the process group of the process who opens the device the default recipient of sigio is removed as a side-effect of this change. Issuing ioctl(FIOSETOWN) is therefore mandatory in order to receive sigio, which is more consistent with other subsystems supporting sigio.
First crash: 2022d, last: 1983d

▶ ▼ Similar bugs (3)

Kernel	Title	Repro	Count	Last	Reported	Patched	Status
openbsd	uvm_fault: wsmux_do_ioctl (4)	C	3	1801d	1825d	3/3	fixed on 2019/05/22 04:45
openbsd	uvm_fault: wsmux_do_ioctl (3)	C	2	1892d	1900d	0/3	closed as dup on 2019/02/10 09:16
openbsd	uvm_fault: wsmux_do_ioctl (2)	C	17	1909d	1913d	3/3	fixed on 2019/02/01 17:26

Sample crash report:

login: uvm_fault(0xffffff001f717210, 0x28, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at      wsmux_do_ioctl+0x281:   cmpl    0x28(%rcx),%eax
ddb> set $lines = 0
ddb> show panic
kernel page fault
uvm_fault(0xffffff001f717210, 0x28, 0, 1) -> e
wsmux_do_ioctl(80047476,ffffff000303b5d8,2,ffffff001f7cbcc0,ffffffff81e038b0) at wsmux_do_ioctl+0x281
end trace frame: 0xffff80000e378f00, count: 0
ddb> trace
wsmux_do_ioctl(80047476,ffffff000303b5d8,2,ffffff001f7cbcc0,ffffffff81e038b0) at wsmux_do_ioctl+0x281
VOP_IOCTL(ffff80000e379030,ffff80000e2c6980,ffffff0015305ad8,ffffff000303b5d8,80047476,40c3bcaa1ba94cf9) at VOP_IOCTL+0x73
vn_ioctl(ffffff0015305ad8,ffff80000e3790d8,ffff80000e2c6980,ffffff001d729d90) at vn_ioctl+0xcd
sys_fcntl(ffff80000e379160,ffff80000e2c6980,ffff80000e27c330) at sys_fcntl+0x73f
syscall(0) at syscall+0x3e4
Xsyscall(6,0,ffffffffffffff4b,0,3,97ac25cf010) at Xsyscall+0x128
end of kernel
end trace frame: 0x97d6b91c560, count: -6
ddb> show registers
rdi               0xffff8000044e8e00
rsi               0xffffffff81784fd0    wsmux_do_ioctl+0x270
rbp               0xffff80000e378e80
rbx               0xffff8000044e8e50
rdx               0xffff8000004db000
rcx                                0
rax                                0
r8                0xffff80000e2c6980
r9                0xffff80000e2c6980
r10                                0
r11               0xffffffff817862c0    wsmuxioctl
r12                                0
r13                              0x2
r14               0xffff80000e379030
r15               0xffff8000044e8e00
rip               0xffffffff81784fe1    wsmux_do_ioctl+0x281
cs                               0x8
rflags                       0x10246    __ALIGN_SIZE+0xf246
rsp               0xffff80000e378e40
ss                              0x10
wsmux_do_ioctl+0x281:   cmpl    0x28(%rcx),%eax

Crashes (2):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2018/11/18 18:47	openbsd	df0bbf748a07	7aaa8122		console log	report					ci-openbsd-main
2018/10/10 22:40	openbsd	52b89152be51	5f818b4b		console log	report					ci-openbsd-main

* ~~Struck through~~ repros no longer work on HEAD.