syzbot


pool: free list modified: mbufpl

Status: fixed on 2019/01/06 10:35
Reported-by: syzbot+0a7c326f85a03ab26744@syzkaller.appspotmail.com
Fix commit: 54e30ac1a804 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
First crash: 1454d, last: 1440d
duplicates (2):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
panic: pool_p_free: mbufpl free list modified: page ADDR; item addr ADDR; offset 0x0=ADDR 1 1088d 1088d 0/3 closed as dup on 2019/12/09 09:34
panic: pool_p_free: mbufpl free list modified: page ADDR; item addr ADDR; offset 0x0=0x0 1 1084d 1084d 0/3 closed as dup on 2019/12/09 09:34
similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
openbsd pool: free list modified: mbufpl (2) syz 1781 845d 1173d 0/3 closed as dup on 2020/05/08 06:40

Sample crash report:
panic: pool_do_get: mbufpl free list modified: page 0xffffff0035326000; item addr 0xffffff0035326300; offset 0x0=0x3e25322106000100 != 0x3e2532217855ddee
Stopped at      db_enter+0xa:   popq    %rbp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*  5026  71013      0           0  0x4000000    0  syz-executor1
db_enter() at db_enter+0xa
panic() at panic+0x147
pool_do_get(2,ffffffff81ea46b8,ffffff0034f58c00) at pool_do_get+0x3ae
pool_get(c,0) at pool_get+0x77
m_copyback(ffffff003a34102e,ffffff0034f58c00,40,100,100) at m_copyback+0x344
swofp_send_error(ffffff0034f58c00,ffff800000ad9000,ffff800000ad3900,0) at swofp_send_error+0xac
swofp_input(ffff800000ad9000,ffff800014adc3c8) at swofp_input+0x126
switchwrite(ffffff003a4142a8,ffffff003a4142a8,ffff800014adc5a8) at switchwrite+0x30e
spec_write(ffffffff81e1e918) at spec_write+0xa0
VOP_WRITE(1,ffffff003a4142a8,1,ffffff0037690438) at VOP_WRITE+0x65
vn_write(ffffff0037690438,ffff800014adc5a8,ffd4) at vn_write+0x161
dofilewritev(ffff800014adc6d0,1,ffff800014adc6e8,ffff8000ffffd070,0) at dofilewritev+0x13e
sys_pwritev(ffff800014adc770,ffff8000ffffd070,ffff8000149cf008) at sys_pwritev+0xbf
syscall(0) at syscall+0x3e4
end trace frame: 0xffff800014adc7f0, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb> 
ddb> set $lines = 0
ddb> show panic
pool_do_get: mbufpl free list modified: page 0xffffff0035326000; item addr 0xffffff0035326300; offset 0x0=0x3e25322106000100 != 0x3e2532217855ddee
ddb> trace
db_enter() at db_enter+0xa
panic() at panic+0x147
pool_do_get(2,ffffffff81ea46b8,ffffff0034f58c00) at pool_do_get+0x3ae
pool_get(c,0) at pool_get+0x77
m_copyback(ffffff003a34102e,ffffff0034f58c00,40,100,100) at m_copyback+0x344
swofp_send_error(ffffff0034f58c00,ffff800000ad9000,ffff800000ad3900,0) at swofp_send_error+0xac
swofp_input(ffff800000ad9000,ffff800014adc3c8) at swofp_input+0x126
switchwrite(ffffff003a4142a8,ffffff003a4142a8,ffff800014adc5a8) at switchwrite+0x30e
spec_write(ffffffff81e1e918) at spec_write+0xa0
VOP_WRITE(1,ffffff003a4142a8,1,ffffff0037690438) at VOP_WRITE+0x65
vn_write(ffffff0037690438,ffff800014adc5a8,ffd4) at vn_write+0x161
dofilewritev(ffff800014adc6d0,1,ffff800014adc6e8,ffff8000ffffd070,0) at dofilewritev+0x13e
sys_pwritev(ffff800014adc770,ffff8000ffffd070,ffff8000149cf008) at sys_pwritev+0xbf
syscall(0) at syscall+0x3e4
Xsyscall(6,0,ffffffffffffffb8,0,4,2602601e010) at Xsyscall+0x128
end of kernel
end trace frame: 0x262de7f8d40, count: -15
ddb> 

Crashes (13):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-openbsd-main 2018/12/08 10:01 openbsd 696945d58559 6ae0ca72 .config log report syz
ci-openbsd-main 2018/12/07 06:43 openbsd 76d787ec3667 b6709220 .config log report syz
ci-openbsd-main 2018/12/18 06:21 openbsd 9257d67bbd0d 527230f1 .config log report
ci-openbsd-main 2018/12/17 19:34 openbsd 9257d67bbd0d 527230f1 .config log report
ci-openbsd-main 2018/12/17 13:20 openbsd 9257d67bbd0d 527230f1 .config log report
ci-openbsd-main 2018/12/16 20:01 openbsd 4e9c41985603 1749e412 .config log report
ci-openbsd-main 2018/12/16 09:38 openbsd fc1a50024d2f def91db3 .config log report
ci-openbsd-main 2018/12/09 07:16 openbsd 3173a78d3f87 e699a2b9 .config log report
ci-openbsd-main 2018/12/08 23:56 openbsd 5ed42fc8f61a c8b26e15 .config log report
ci-openbsd-main 2018/12/08 18:05 openbsd 696945d58559 6ae0ca72 .config log report
ci-openbsd-main 2018/12/08 10:02 openbsd 696945d58559 6ae0ca72 .config log report
ci-openbsd-main 2018/12/08 01:59 openbsd 53ac6a98736c 65ed2472 .config log report
ci-openbsd-main 2018/12/04 10:37 openbsd f939acc2595a 03f94a45 log report
* Struck through repros no longer work on HEAD.