syzbot


panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE

Status: fixed on 2021/09/08 10:31
Reported-by: syzbot+9fece8a63c0e27273821@syzkaller.appspotmail.com
Fix commit: bd4a39cc93d9 socket: Properly interlock when transitioning to a listening socket
First crash: 1423d, last: 538d
duplicates (24):
| Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/kern/uipc_sockbuf.c:LINE | syz | | | 670 | 516d | 1373d | 0/2 | closed as dup on 2021/09/07 21:51 |
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/sctp_output.c:NUM | syz | | | 10 | 579d | 1025d | 0/2 | closed as dup on 2021/09/11 17:07 |
| panic: _mtx_lock_sleep: recursed on non-recursive mutex sctp-tcb @ /syzkaller/managers/i386/kernel/sys/netinet/sctp_pcb. | syz | | | 3 | 632d | 836d | 0/2 | closed as dup on 2021/09/07 22:01 |
| panic: ASan: Invalid access, 1-byte write at ADDR, UMAUseAfterFree(fd) | syz | | | 222 | 521d | 578d | 0/2 | closed as dup on 2021/09/07 23:38 |
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/i386/kernel/sys/netinet/sctp_output.c:NUM | syz | | | 8 | 592d | 860d | 0/2 | closed as dup on 2021/09/11 17:06 |
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/i386/kernel/sys/modules/tcp/rack/../../../netinet/tcp_stack | | | | 190 | 518d | 761d | 0/2 | closed as dup on 2021/09/18 15:57 |
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/i386/kernel/sys/modules/tcp/bbr/../../../netinet/tcp_stacks | C | | | 412 | 517d | 969d | 0/2 | closed as dup on 2021/09/07 21:44 |
| Fatal trap 12: page fault in _sx_xlock_hard | C | | | 115 | 598d | 1376d | 0/2 | closed as dup on 2021/09/09 12:52 |
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/sctputil.c:LINE | C | | | 107 | 525d | 1417d | 0/2 | closed as dup on 2021/09/07 21:29 |
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/modules/tcp/rack/../../../netinet/tcp_stack (2) | C | | | 537 | 516d | 761d | 0/2 | closed as dup on 2021/09/07 22:03 |
| panic: sbflush_internal: residual data | C | | | 374 | 516d | 1089d | 0/2 | closed as dup on 2021/09/07 21:31 |
| panic: sx_try_xlock() of destroyed sx at sys/kern/uipc_sockbuf.c:LINE (2) | syz | | | 21 | 585d | 838d | 0/2 | closed as dup on 2021/09/07 21:57 |
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/sctp_pcb.c:LINE (2) | syz | | | 10 | 557d | 868d | 0/2 | closed as dup on 2021/09/08 20:33 |
| panic: sx lock still held | C | | | 133 | 739d | 1423d | 0/2 | closed as dup on 2021/09/07 22:12 |
| panic: sx_xlock() of destroyed sx at sys/kern/uipc_sockbuf.c:LINE | syz | | | 181 | 540d | 1423d | 0/2 | closed as dup on 2021/09/07 21:27 |
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/i386/kernel/sys/netinet/tcp_output.c:LINE | syz | | | 296 | 553d | 1347d | 0/2 | closed as dup on 2021/09/07 22:05 |
| Fatal trap NUM: page fault in kasan_atomic_load_int | syz | | | 3 | 516d | 519d | 0/2 | closed as dup on 2021/09/08 18:32 |
| panic: sx lock still held in solisten_proto | syz | | | 1693 | 518d | 1118d | 0/2 | closed as dup on 2021/09/07 21:30 |
| panic: Assertion mtx_unowned(m) failed at /syzkaller/managers/main/kernel/sys/kern/kern_mutex.c:LINE | C | | | 18 | 586d | 1343d | 0/2 | closed as dup on 2021/09/07 21:33 |
| panic: Assertion mtx_unowned(m) failed at /syzkaller/managers/i386/kernel/sys/kern/kern_mutex.c:LINE | syz | | | 19 | 615d | 1180d | 0/2 | closed as dup on 2021/09/07 21:35 |
| panic: Memory modified after free ADDR(736) val=ADDR @ ADDR | syz | | | 95 | 662d | 858d | 0/2 | closed as dup on 2021/09/08 20:34 |
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/i386/kernel/sys/kern/uipc_sockbuf.c:LINE | syz | | | 201 | 517d | 1228d | 0/2 | closed as dup on 2021/09/07 22:09 |
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/modules/tcp/bbr/../../../netinet/tcp_stacks | C | | | 926 | 516d | 1023d | 0/2 | closed as dup on 2021/09/07 22:11 |
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/kern/uipc_socket.c:LINE | | | | 1 | 556d | 556d | 0/2 | closed as dup on 2021/09/19 22:31 |

Sample crash report:
login: panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:352
cpuid = 1
time = 1601841451
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe0025e72660
vpanic() at vpanic+0x1c7/frame 0xfffffe0025e726c0
panic() at panic+0x43/frame 0xfffffe0025e72720
__mtx_lock_flags() at __mtx_lock_flags+0x202/frame 0xfffffe0025e72780
tcp_output() at tcp_output+0x717/frame 0xfffffe0025e72950
tcp_usr_connect() at tcp_usr_connect+0x258/frame 0xfffffe0025e729c0
soconnectat() at soconnectat+0x183/frame 0xfffffe0025e72a20
kern_connectat() at kern_connectat+0x1e1/frame 0xfffffe0025e72a80
sys_connect() at sys_connect+0xd9/frame 0xfffffe0025e72ac0
amd64_syscall() at amd64_syscall+0x25e/frame 0xfffffe0025e72bf0
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0025e72bf0
--- syscall (198, FreeBSD ELF64, nosys), rip = 0x2838ca, rsp = 0x7fffdfffdf08, rbp = 0x7fffdfffdf70 ---
KDB: enter: panic
[ thread pid 7250 tid 100181 ]
Stopped at      kdb_enter+0x67: movq    $0,0x1480d96(%rip)
db> 
db> set $lines = 0
db> set $maxwidth = 0
db> show registers
cs                        0x20
ds                        0x3b  ll+0x1a
es                        0x3b  ll+0x1a
fs                        0x13
gs                        0x1b
ss                        0x28  ll+0x7
rax                       0x12
rcx                       0x80  ll+0x5f
rdx         0xffffffff818928e9
rbx                          0
rsp         0xfffffe0025e72640
rbp         0xfffffe0025e72660
rsi                        0x1
rdi                          0
r8                           0
r9                  0xffffffff
r10                 0x489c6dfe
r11                 0xf4f789de
r12         0xffffffff82066ae0  ddb_dbbe
r13                          0
r14         0xffffffff819377eb
r15         0xffffffff819377eb
rip         0xffffffff810d12e7  kdb_enter+0x67
rflags                    0x86  ll+0x65
kdb_enter+0x67: movq    $0,0x1480d96(%rip)
db> show proc
Process 7250 (syz-executor.1) at 0xfffff80019aed520:
 state: NORMAL
 uid: 0  gids: 0, 0, 5
 parent: pid 774 at 0xfffff800198f1000
 ABI: FreeBSD ELF64
 arguments: /root/syz-executor.1
 reaper: 0xfffff80004312000 reapsubtree: 1
 sigparent: 20
 vmspace: 0xfffffe00258213d0
   (map 0xfffffe00258213d0)
   (map.pmap 0xfffffe0025821490)
   (pmap 0xfffffe00258214f0)
 threads: 3
100165                   RunQ                                syz-executor.1
100181                   Run     CPU 1                       syz-executor.1
100183                   S       umtxn   0xfffff80019b3f980  syz-executor.1
db> 

Crashes (707):
| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ci-freebsd-main | 2020/10/04 20:01 | freebsd | cd0149b3b0ea | 5ef9c291 | | console log | report | syz | | | | |
| ci-freebsd-main | 2020/06/12 00:15 | freebsd | 41056ba93b7f | 1beaee21 | | console log | report | syz | | | | |
| ci-freebsd-main | 2019/08/07 06:54 | freebsd | 6ba91e269d4a | cdde7486 | | console log | report | syz | | | | |
| ci-freebsd-main | 2019/07/20 03:06 | freebsd | f4934e65688a | 1656845f | | console log | report | syz | | | | |
| ci-freebsd-main | 2019/06/10 08:54 | freebsd | c93a14fd8c6e | 0159583c | | console log | report | syz | | | | |
| ci-freebsd-main | 2019/06/05 23:38 | freebsd | ae1a873a0d0b | bfb4a51e | | console log | report | syz | | | | |
| ci-freebsd-main | 2019/06/05 02:05 | freebsd | 54eb1c14c26e | bfb4a51e | | console log | report | syz | | | | |
| ci-freebsd-main | 2019/05/31 23:50 | freebsd | 11c242c7312a | a8482b78 | | console log | report | syz | | | | |
| ci-freebsd-main | 2019/05/31 23:21 | freebsd | 11c242c7312a | a8482b78 | | console log | report | syz | | | | |
| ci-freebsd-main | 2019/03/18 19:14 | freebsd | b24a98cb7ea8 | 4656beca | | console log | report | syz | | | | |
| ci-freebsd-main | 2019/03/18 06:38 | freebsd | 8b17fbc25c73 | f8757044 | | console log | report | syz | | | | |
| ci-freebsd-main | 2019/03/18 04:53 | freebsd | 8b17fbc25c73 | f8757044 | | console log | report | syz | | | | |
| ci-freebsd-main | 2019/03/17 09:03 | freebsd | 310a121be6b8 | bab43553 | | console log | report | syz | | | | |
| ci-freebsd-main | 2019/03/17 06:29 | freebsd | 310a121be6b8 | bab43553 | | console log | report | syz | | | | |
| ci-freebsd-main | 2019/03/16 22:29 | freebsd | 4ccae8165c74 | bab43553 | | console log | report | syz | | | | |
| ci-freebsd-main | 2019/03/16 20:15 | freebsd | 4ccae8165c74 | bab43553 | | console log | report | syz | | | | |
| ci-freebsd-main | 2019/03/16 19:37 | freebsd | 4ccae8165c74 | bab43553 | | console log | report | syz | | | | |
| ci-freebsd-main | 2019/03/16 08:03 | freebsd | 4d504c5762fd | bab43553 | | console log | report | syz | | | | |
| ci-freebsd-main | 2019/03/15 16:37 | freebsd | 84b9791bcc2c | bab43553 | | console log | report | syz | | | | |
| ci-freebsd-main | 2021/08/16 19:16 | freebsd-src | cc1345056b11 | 6652437d | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/08/08 11:30 | freebsd-src | 9748eb742791 | 6972b106 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/07/31 09:51 | freebsd-src | f7f76c200a8c | 6c236867 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/07/21 17:48 | freebsd-src | 8bc3dc01005e | 29c3f20f | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/07/01 01:05 | freebsd-src | 28dd6730a5d6 | 38a885d1 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/06/29 20:57 | freebsd-src | f77697dd9f31 | a4fccb01 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/06/28 12:06 | freebsd-src | 91064841d72b | 9d2ab5df | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/06/28 05:25 | freebsd-src | 91064841d72b | 9d2ab5df | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/06/28 00:35 | freebsd-src | 91064841d72b | 9d2ab5df | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/06/27 11:05 | freebsd-src | 19c288b3a664 | 9d2ab5df | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/06/27 02:35 | freebsd-src | 9a8e4527f07d | 9d2ab5df | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/06/26 16:02 | freebsd-src | 18b19f8c6e04 | 9d2ab5df | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/06/23 17:08 | freebsd-src | ddfc9c4c59e2 | aba2b2fb | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/06/21 16:04 | freebsd-src | 7544c1d20d8b | aba2b2fb | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/06/20 18:54 | freebsd-src | 5403f2c163f7 | aba2b2fb | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/06/19 06:38 | freebsd-src | 5f88df77a6a0 | aba2b2fb | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/06/18 09:35 | freebsd-src | 6a836ea741c7 | aba2b2fb | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/06/11 16:41 | freebsd-src | 07d72396f8fb | 1ba81399 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/06/09 12:18 | freebsd-src | dc318a4ffabc | 5c2fe346 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/06/07 01:01 | freebsd-src | 9c1045ff0093 | 500c2339 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/05/31 23:29 | freebsd-src | d40cd26a86a7 | 032639db | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/05/28 14:14 | freebsd-src | f81b451dcccd | 858ea628 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/05/27 19:07 | freebsd-src | 16fa3dcba027 | 858ea628 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/05/25 07:03 | freebsd-src | fbf75b113edc | 3c7fef33 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/05/25 02:25 | freebsd-src | fbf75b113edc | 3c7fef33 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/05/19 22:54 | freebsd-src | f4b38c360e63 | a343ba6b | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/05/19 17:06 | freebsd-src | f4b38c360e63 | a343ba6b | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/05/19 09:59 | freebsd-src | fc0dc94029df | a343ba6b | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/05/19 05:47 | freebsd-src | fc0dc94029df | a343ba6b | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/05/18 20:37 | freebsd-src | 9e14ac116e70 | a343ba6b | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/05/18 04:00 | freebsd-src | 4224dbf4c7c4 | a343ba6b | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/05/17 11:02 | freebsd-src | a44489fb5132 | a2eb125d | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/05/09 11:33 | freebsd-src | 6cb13813caa0 | bc5434be | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/05/08 17:23 | freebsd-src | 2018d4886281 | bc5434be | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/05/07 15:16 | freebsd-src | fb53b42e36a9 | f6da8120 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/05/02 14:02 | freebsd-src | be48fe60009e | 77e2b668 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/04/30 12:06 | freebsd-src | 420d30f5bdbf | 77e2b668 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/04/22 23:56 | freebsd-src | 2183bfcce46b | 590921a5 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/04/20 02:43 | freebsd-src | d3f0c032fb8b | 4285c989 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/04/19 18:48 | freebsd-src | 61c83c4e8b6f | 50f523d7 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/04/14 08:08 | freebsd-src | e49d3eb40324 | a184b83e | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/04/12 06:15 | freebsd-src | d647d0d4f78f | bfeda1b1 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/04/11 06:34 | freebsd-src | 7f5f3fcc32bf | bfeda1b1 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/04/10 15:09 | freebsd-src | 041c50494242 | bfeda1b1 | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/04/08 11:19 | freebsd-src | 15dc713ceb57 | 6a81331a | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/04/08 09:34 | freebsd-src | 15dc713ceb57 | 6a81331a | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/04/08 09:23 | freebsd-src | 15dc713ceb57 | 6a81331a | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2021/04/08 07:49 | freebsd-src | 15dc713ceb57 | 6a81331a | | console log | report | | | | | panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
| ci-freebsd-main | 2019/03/15 16:20 | freebsd | 84b9791bcc2c | bab43553 | | console log | report | | | | | |
| ci-freebsd-main | 2021/01/15 20:32 | freebsd-src | 8a7a4683b083 | 65a7a854 | | console log | report | | | | | |
* Struck through repros no longer work on HEAD.