syzbot


assert "(rt->rt_flags & RTF_MPATH) || mrt->rt_priority != prio" failed in rtable.c

Status: fixed on 2019/06/14 04:59
Reported-by: syzbot+10fe9cd8d0211c562ead@syzkaller.appspotmail.com
Fix commit: ff10691ed095 Copy the user-provided sockaddr into a normalized sockaddr in rtrequest() before adding it to the routing table. The rtable code does memcmp() on those rt_dest sockaddrs, so it is important that they are stored in a canonical form. To do this, struct domain is extended to include the sockaddr size for this address family. OK bluhm@ anton@
First crash: 1287d, last: 1274d
Patch testing requests:
Created Duration User Patch Repo Result
2019/06/09 09:14 15m anton@basename.se https://github.com/mptre/openbsd-src rtable OK

Sample crash report:
login: panic: kernel diagnostic assertion "(rt->rt_flags & RTF_MPATH) || mrt->rt_priority != prio" failed: file "/syzkaller/managers/main/kernel/sys/net/rtable.c", line 569
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*125965  40975      0           0          0    0  syz-executor9836
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:212
__assert(ffffffff81f7d03e,ffffffff81f3c041,239,ffffffff81f187eb) at __assert+0x2e sys/kern/subr_prf.c:159
rtable_insert(0,ffff80000098fb00,0,ffff8000006a1d90,38,fffffd8036db14d0) at rtable_insert+0x66b sys/net/rtable.c:569
rtrequest(1,ffff800014990200,38,ffff800014990178,0) at rtrequest+0x875 sys/net/route.c:928
rtm_output(ffff8000006a1d00,ffff8000149902a8,ffff800014990200,38,0) at rtm_output+0x6e5 sys/net/rtsock.c:896
route_output(fffffd8035256200,fffffd8037035180,0,0) at route_output+0x7d7 sys/net/rtsock.c:814
route_usrreq(fffffd8037035180,9,fffffd8035256200,0,0,ffff8000ffff5528) at route_usrreq+0x363 sys/net/rtsock.c:271
sosend(fffffd8037035180,0,ffff8000149904a0,0,0,80) at sosend+0x660 sys/kern/uipc_socket.c:513
sendit(ffff8000ffff5528,4,ffff800014990580,0,ffff800014990690) at sendit+0x53c sys/kern/uipc_syscalls.c:662
sys_sendto(ffff8000ffff5528,ffff800014990628,ffff800014990690) at sys_sendto+0x80 sys/kern/uipc_syscalls.c:527
syscall(ffff800014990700) at syscall+0x511
Xsyscall(6,0,3dc,0,53,4) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffef9b0, count: 2
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb> 
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
kernel diagnostic assertion "(rt->rt_flags & RTF_MPATH) || mrt->rt_priority != prio" failed: file "/syzkaller/managers/main/kernel/sys/net/rtable.c", line 569
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:212
__assert(ffffffff81f7d03e,ffffffff81f3c041,239,ffffffff81f187eb) at __assert+0x2e sys/kern/subr_prf.c:159
rtable_insert(0,ffff80000098fb00,0,ffff8000006a1d90,38,fffffd8036db14d0) at rtable_insert+0x66b sys/net/rtable.c:569
rtrequest(1,ffff800014990200,38,ffff800014990178,0) at rtrequest+0x875 sys/net/route.c:928
rtm_output(ffff8000006a1d00,ffff8000149902a8,ffff800014990200,38,0) at rtm_output+0x6e5 sys/net/rtsock.c:896
route_output(fffffd8035256200,fffffd8037035180,0,0) at route_output+0x7d7 sys/net/rtsock.c:814
route_usrreq(fffffd8037035180,9,fffffd8035256200,0,0,ffff8000ffff5528) at route_usrreq+0x363 sys/net/rtsock.c:271
sosend(fffffd8037035180,0,ffff8000149904a0,0,0,80) at sosend+0x660 sys/kern/uipc_socket.c:513
sendit(ffff8000ffff5528,4,ffff800014990580,0,ffff800014990690) at sendit+0x53c sys/kern/uipc_syscalls.c:662
sys_sendto(ffff8000ffff5528,ffff800014990628,ffff800014990690) at sys_sendto+0x80 sys/kern/uipc_syscalls.c:527
syscall(ffff800014990700) at syscall+0x511
Xsyscall(6,0,3dc,0,53,4) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffef9b0, count: -13
ddb> show registers
rdi                                0
rsi                              0x1
rbp               0xffff80001498fec0
rbx               0xffff80001498ff70
rdx                              0x2
rcx                              0x1
rax                              0x1
r8                0xffff80001498fe80
r9                               0x1
r10               0xde8a19c112159fe5
r11               0x52e632fbf53063b0
r12                     0x3000000008
r13               0xffff80001498fed0
r14                            0x100
r15                              0x1
rip               0xffffffff819b5b38    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff80001498feb0
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb> show proc
PROC (syz-executor9836) pid=125965 stat=onproc
    flags process=0 proc=0
    pri=50, usrpri=50, nice=20
    forw=0xffffffffffffffff, list=0xffff8000ffff52d0,0xffffffff82296ba0
    process=0xffff800014952d38 user=0xffff80001498b000, vmspace=0xfffffd803f013528
    estcpu=0, cpticks=1, pctcpu=0.0
    user=0, sys=1, intr=0
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
*40975  125965  61710      0  7           0                syz-executor9836
 61710  284724  77891      0  3        0x82  nanosleep     syz-executor9836
 77891  467861  20372      0  3    0x10008a  pause         ksh
 20372   10925   9322      0  2        0x12                sshd
 27561  348260      1      0  3    0x100083  ttyin         getty
  9322  296720      1      0  3        0x80  select        sshd
 52025  351491  29266     73  3    0x100090  kqread        syslogd
 29266  388221      1      0  3    0x100082  netio         syslogd
 86137  505722      1     77  3    0x100090  poll          dhclient
 93171    7000      1      0  3        0x80  poll          dhclient
 91927  245323      0      0  2     0x14200                zerothread
 93729  506710      0      0  3     0x14200  aiodoned      aiodoned
 81688  260023      0      0  3     0x14200  syncer        update
 14011  357988      0      0  3     0x14200  cleaner       cleaner
 34272  509137      0      0  3     0x14200  reaper        reaper
  7068   46623      0      0  3     0x14200  pgdaemon      pagedaemon
 74924  486205      0      0  3     0x14200  bored         crynlk
 49961  480835      0      0  3     0x14200  bored         crypto
 56148  126101      0      0  3  0x40014200  acpi0         acpi0
 94321  477450      0      0  2     0x14200                softnet
 40802  203481      0      0  2     0x14200                systqmp
  1410  349971      0      0  3     0x14200  bored         systq
 66995  129904      0      0  3  0x40014200  bored         softclock
 64628   89099      0      0  3  0x40014200                idle0
 75682  467225      0      0  3     0x14200  bored         smr
     1  434234      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb> show all locks
No such command
ddb> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim Kern Lim
         devbuf  9426   6306K    6307K  78643K     10519        0        0
            pcb    25      9K       9K  78643K        60        0        0
         rtable    67      2K       2K  78643K       131        0        0
         ifaddr    21      7K       7K  78643K        21        0        0
       counters    19     16K      16K  78643K        19        0        0
       ioctlops     0      0K       2K  78643K        13        0        0
          mount     1      1K       1K  78643K         1        0        0
         vnodes  1174     74K      74K  78643K      1179        0        0
      UFS quota     1     32K      32K  78643K         1        0        0
      UFS mount     5     36K      36K  78643K         5        0        0
            shm     2      1K       1K  78643K         2        0        0
         VM map     2      0K       0K  78643K         2        0        0
            sem     2      0K       0K  78643K         2        0        0
        dirhash    12      2K       2K  78643K        12        0        0
           ACPI  1793    195K     288K  78643K     12537        0        0
      file desc     1      0K       0K  78643K         1        0        0
           proc    40     30K      38K  78643K       207        0        0
    NFS srvsock     1      0K       0K  78643K         1        0        0
     NFS daemon     1     16K      16K  78643K         1        0        0
       in_multi    11      0K       0K  78643K        11        0        0
    ether_multi     1      0K       0K  78643K         1        0        0
    ISOFS mount     1     32K      32K  78643K         1        0        0
  MSDOSFS mount     1     16K      16K  78643K         1        0        0
           ttys    18     79K      79K  78643K        18        0        0
           exec     0      0K       1K  78643K       152        0        0
        pagedep     1      8K       8K  78643K         1        0        0
       inodedep     1     32K      32K  78643K         1        0        0
         newblk     1      0K       0K  78643K         1        0        0
        VM swap     7     26K      26K  78643K         7        0        0
       UVM amap    52      2K       3K  78643K       720        0        0
       UVM aobj     2      2K       2K  78643K         2        0        0
        memdesc     1      4K       4K  78643K         1        0        0
    crypto data     1      1K       1K  78643K         1        0        0
            NDP     3      0K       0K  78643K         3        0        0
           temp    30   2695K    2759K  78643K      1720        0        0
      SYN cache     2     16K      16K  78643K         2        0        0
ddb> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp         64        2    0        0     1     0     1     1     0     8    0
inpcbpl    280       22    0       16     1     0     1     1     0     8    0
plimitpl   152       13    0        8     1     0     1     1     0     8    0
rtentry    112       26    0        2     1     0     1     1     0     8    0
syncache   264        5    0        5     1     0     1     1     0     8    1
tcpcb      544        8    0        5     1     0     1     1     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      102    0        0     7     0     7     7     0     8    0
art_table   32      103    0        0     1     0     1     1     0     8    0
art_node    16       25    0        3     1     0     1     1     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino1pl    128     1385    0       16    45     0    45    45     0     8    0
ffsino     240     1385    0       16    81     0    81    81     0     8    0
nchpl      144     1558    0       30    57     0    57    57     0     8    0
uvmvnodes   72     1394    0        0    26     0    26    26     0     8    0
vnodes     200     1394    0        0    74     0    74    74     0     8    0
namei      1024    3280    0     3280     2     1     1     1     0     8    1
scxspl     192     2385    0     2385    11     9     2     7     0     8    2
sigapl     432      178    0      167     2     0     2     2     0     8    0
knotepl    112        5    0        0     1     0     1     1     0     8    0
kqueuepl   104        1    0        0     1     0     1     1     0     8    0
pipepl     112      118    0      111     2     1     1     1     0     8    0
fdescpl    424      179    0      167     2     0     2     2     0     8    0
filepl     120      821    0      777     2     0     2     2     0     8    0
lockfpl    104        6    0        6     1     1     0     1     0     8    0
lockfspl    48        3    0        3     1     1     0     1     0     8    0
sessionpl  112       17    0        9     1     0     1     1     0     8    0
pgrppl      48       17    0        9     1     0     1     1     0     8    0
ucredpl     96       47    0       40     1     0     1     1     0     8    0
zombiepl   144      167    0      167     2     1     1     1     0     8    1
processpl  840      193    0      167     4     0     4     4     0     8    0
procpl     600      193    0      167     3     0     3     3     0     8    0
sockpl     384       69    0       51     2     0     2     2     0     8    0
mcl4k      4096      10    0       10     1     0     1     1     0     8    1
mcl2k      2048    5836    0     5797     8     0     8     8     0     8    2
mtagpl      80        2    0        2     1     1     0     1     0     8    0
mbufpl     256     9984    0     9916     7     1     6     6     0     8    1
bufpl      256     2053    0      258   113     0   113   113     0     8    0
anonpl      16    18152    0    17030     7     1     6     6     0    62    1
amapchunkpl 152     550    0      514     2     0     2     2     0   158    0
amappl16   192       73    0       67     1     0     1     1     0     8    0
amappl14   176       14    0       13     2     1     1     1     0     8    0
amappl12   160        6    0        6     1     0     1     1     0     8    1
amappl11   152       44    0       30     1     0     1     1     0     8    0
amappl10   144       46    0       46     2     1     1     1     0     8    1
amappl9    136      372    0      371     1     0     1     1     0     8    0
amappl8    128       82    0       78     1     0     1     1     0     8    0
amappl7    120       15    0       14     1     0     1     1     0     8    0
amappl6    112       43    0       38     1     0     1     1     0     8    0
amappl5    104      139    0      129     1     0     1     1     0     8    0
amappl4     96      310    0      291     1     0     1     1     0     8    0
amappl3     88      153    0      143     1     0     1     1     0     8    0
amappl2     80      727    0      677     3     1     2     2     0     8    0
amappl1     72    11619    0    11239    14     5     9    14     0     8    0
amappl      80      387    0      367     1     0     1     1     0    84    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma64       64      259    0      259     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       17    0       17     1     1     0     1     0     8    0
aobjpl      64        1    0        0     1     0     1     1     0     8    0
uaddrrnd    24      179    0      167     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      179    0      167     1     0     1     1     0     8    0
vmmpekpl   168     5297    0     5283     1     0     1     1     0     8    0
vmmpepl    168    25155    0    24421    49    14    35    44     0   357    1
vmsppl     264      178    0      167     1     0     1     1     0     8    0
pdppl      4096     364    0      334     5     0     5     5     0     8    0
pvpl        32    72144    0    69381    31     5    26    26     0   265    3
pmappl     200      178    0      167     1     0     1     1     0     8    0
extentpl    40       41    0       26     1     0     1     1     0     8    0
phpool     112      231    0        4     7     0     7     7     0     8    0

Crashes (143):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-openbsd-main 2019/05/23 21:59 openbsd df989dde9731 0dadcd9d .config log report syz C
ci-openbsd-main 2019/05/21 18:30 openbsd 8ee14a61788d 13427bd9 .config log report syz C
ci-openbsd-main 2019/06/03 00:06 openbsd 5d24dd80fef3 53c81ea5 .config log report
ci-openbsd-multicore 2019/06/02 22:31 openbsd 5d24dd80fef3 53c81ea5 .config log report
ci-openbsd-multicore 2019/06/01 21:46 openbsd 5d3046682a6c 53c81ea5 .config log report
ci-openbsd-main 2019/05/31 05:52 openbsd 1f4d754ac3a0 d9aaf3c2 .config log report
ci-openbsd-main 2019/05/28 04:44 openbsd 3ca64fa9ea2e 6bd61501 .config log report
ci-openbsd-main 2019/05/28 03:38 openbsd 3ca64fa9ea2e 6bd61501 .config log report
ci-openbsd-main 2019/05/28 01:57 openbsd 3ca64fa9ea2e 6bd61501 .config log report
ci-openbsd-main 2019/05/28 00:37 openbsd 3ca64fa9ea2e 6bd61501 .config log report
ci-openbsd-main 2019/05/27 23:32 openbsd 3ca64fa9ea2e 6bd61501 .config log report
ci-openbsd-main 2019/05/27 08:14 openbsd 95c8efefea12 85c57315 .config log report
ci-openbsd-main 2019/05/27 07:17 openbsd 95c8efefea12 85c57315 .config log report
ci-openbsd-main 2019/05/27 05:34 openbsd 95c8efefea12 85c57315 .config log report
ci-openbsd-main 2019/05/27 04:27 openbsd 95c8efefea12 85c57315 .config log report
ci-openbsd-main 2019/05/27 03:26 openbsd 95c8efefea12 85c57315 .config log report
ci-openbsd-main 2019/05/27 02:25 openbsd 95c8efefea12 85c57315 .config log report
ci-openbsd-main 2019/05/26 12:03 openbsd ffa74332a4c4 85c57315 .config log report
ci-openbsd-main 2019/05/26 09:20 openbsd ffa74332a4c4 85c57315 .config log report
ci-openbsd-main 2019/05/26 08:51 openbsd ffa74332a4c4 85c57315 .config log report
ci-openbsd-main 2019/05/26 07:41 openbsd ffa74332a4c4 85c57315 .config log report
ci-openbsd-main 2019/05/26 06:29 openbsd ffa74332a4c4 85c57315 .config log report
ci-openbsd-main 2019/05/26 02:30 openbsd ffa74332a4c4 85c57315 .config log report
ci-openbsd-main 2019/05/26 00:19 openbsd ffa74332a4c4 85c57315 .config log report
ci-openbsd-main 2019/05/25 22:06 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 20:58 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 20:53 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 19:41 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 18:19 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 17:18 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 17:11 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 16:07 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 14:49 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 14:48 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 14:48 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 14:34 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 14:02 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 13:58 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 13:27 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 13:15 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 13:08 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 13:01 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 12:55 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 12:35 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/25 12:28 openbsd a6afde387ed7 85c57315 .config log report
ci-openbsd-main 2019/05/20 10:49 openbsd 01b2b04ad452 5a4461b0 .config log report
* Struck through repros no longer work on HEAD.