syzbot
panic: uvm_mapent_clone: no space in map for entry in empty map

Status: fixed on 2019/12/04 16:31
Reported-by: syzbot+3e700c5698177f91cce1@syzkaller.appspotmail.com
Fix commit: 0f83bb56e561 Fix a bad offset calculation in uvm_share.
First crash: 1095d, last: 1089d

Sample crash report:
login: panic: uvm_mapent_clone: no space in map for entry in empty map
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*411888  59840      0         0x2          0    0  syz-executor4532
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
uvm_mapent_clone(ffff8000006a2200,6e9000,4000,0,7,7) at uvm_mapent_clone+0x1de sys/uvm/uvm_map.c:3708
uvm_share(ffff8000006a2200,10000,7,fffffd803f012aa0,20040000,80000000) at uvm_share+0x4b4 uvm_mapent_share sys/uvm/uvm_map.c:3766 [inline]
uvm_share(ffff8000006a2200,10000,7,fffffd803f012aa0,20040000,80000000) at uvm_share+0x4b4 sys/uvm/uvm_map.c:3668
vm_impl_init_vmx(ffff80001488da68,ffff8000ffff47a8) at vm_impl_init_vmx+0xf1 sys/arch/amd64/amd64/vmm.c:1269
vm_create(ffff800000a69000,ffff8000ffff47a8) at vm_create+0x193 vm_impl_init sys/arch/amd64/amd64/vmm.c:1384 [inline]
vm_create(ffff800000a69000,ffff8000ffff47a8) at vm_create+0x193 sys/arch/amd64/amd64/vmm.c:1173
VOP_IOCTL(fffffd80366b5750,c5005601,ffff800000a69000,1,fffffd803f7c6c60,ffff8000ffff47a8) at VOP_IOCTL+0x88 sys/kern/vfs_vops.c:291
vn_ioctl(fffffd8036211698,c5005601,ffff800000a69000,ffff8000ffff47a8) at vn_ioctl+0xb7 sys/kern/vfs_vnops.c:533
sys_ioctl(ffff8000ffff47a8,ffff8000148da358,ffff8000148da3a0) at sys_ioctl+0x5b9
syscall(ffff8000148da420) at syscall+0x507 sys/arch/amd64/amd64/trap.c:555
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffc3930, count: 4
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb> 
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
uvm_mapent_clone: no space in map for entry in empty map
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
uvm_mapent_clone(ffff8000006a2200,6e9000,4000,0,7,7) at uvm_mapent_clone+0x1de sys/uvm/uvm_map.c:3708
uvm_share(ffff8000006a2200,10000,7,fffffd803f012aa0,20040000,80000000) at uvm_share+0x4b4 uvm_mapent_share sys/uvm/uvm_map.c:3766 [inline]
uvm_share(ffff8000006a2200,10000,7,fffffd803f012aa0,20040000,80000000) at uvm_share+0x4b4 sys/uvm/uvm_map.c:3668
vm_impl_init_vmx(ffff80001488da68,ffff8000ffff47a8) at vm_impl_init_vmx+0xf1 sys/arch/amd64/amd64/vmm.c:1269
vm_create(ffff800000a69000,ffff8000ffff47a8) at vm_create+0x193 vm_impl_init sys/arch/amd64/amd64/vmm.c:1384 [inline]
vm_create(ffff800000a69000,ffff8000ffff47a8) at vm_create+0x193 sys/arch/amd64/amd64/vmm.c:1173
VOP_IOCTL(fffffd80366b5750,c5005601,ffff800000a69000,1,fffffd803f7c6c60,ffff8000ffff47a8) at VOP_IOCTL+0x88 sys/kern/vfs_vops.c:291
vn_ioctl(fffffd8036211698,c5005601,ffff800000a69000,ffff8000ffff47a8) at vn_ioctl+0xb7 sys/kern/vfs_vnops.c:533
sys_ioctl(ffff8000ffff47a8,ffff8000148da358,ffff8000148da3a0) at sys_ioctl+0x5b9
syscall(ffff8000148da420) at syscall+0x507 sys/arch/amd64/amd64/trap.c:555
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffc3930, count: -11
ddb> show registers
rdi                                0
rsi                              0x1
rbp               0xffff8000148d9d80
rbx               0xffff8000148d9e30
rdx                              0x2
rcx                              0x1
rax                              0x1
r8                0xffff8000148d9d40
r9                               0x1
r10               0x69b3c07f03dc44fd
r11               0x20f10b71a5c2912e
r12                     0x3000000008
r13               0xffff8000148d9d90
r14                            0x100
r15                              0x1
rip               0xffffffff8115b788    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff8000148d9d70
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb> show proc
PROC (syz-executor4532) pid=411888 stat=onproc
    flags process=2<EXEC> proc=0
    pri=50, usrpri=50, nice=20
    forw=0xffffffffffffffff, list=0xffff8000ffff4298,0xffffffff82580b38
    process=0xffff8000148a2000 user=0xffff8000148d5000, vmspace=0xfffffd803f012aa0
    estcpu=0, cpticks=0, pctcpu=0.0
    user=0, sys=0, intr=0
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
*59840  411888  10447      0  7         0x2                syz-executor4532
 10447  323497  89961      0  3    0x10008a  pause         ksh
 89961    4455  92224      0  2        0x12                sshd
 18886   94387      1      0  3    0x100083  ttyin         getty
 92224  309344      1      0  3        0x80  select        sshd
 82368  165357  33115     73  3    0x100090  kqread        syslogd
 33115  195801      1      0  3    0x100082  netio         syslogd
 60685  406701      1     77  3    0x100090  poll          dhclient
 20929  315437      1      0  3        0x80  poll          dhclient
 78006  396907      0      0  2     0x14200                zerothread
 52822  470921      0      0  3     0x14200  aiodoned      aiodoned
 22419  262092      0      0  3     0x14200  syncer        update
 81467  160721      0      0  3     0x14200  cleaner       cleaner
 81081  372788      0      0  3     0x14200  reaper        reaper
 74286  201702      0      0  3     0x14200  pgdaemon      pagedaemon
 87987   27645      0      0  3     0x14200  bored         crynlk
 75965  473571      0      0  3     0x14200  bored         crypto
 74415  299902      0      0  3  0x40014200  acpi0         acpi0
 85266  472280      0      0  3     0x14200  bored         softnet
 35717  219567      0      0  3     0x14200  bored         systqmp
 43025  490235      0      0  3     0x14200  bored         systq
 52315   78643      0      0  3  0x40014200  bored         softclock
 19637  204899      0      0  3  0x40014200                idle0
 28425  341112      0      0  3     0x14200  bored         smr
     1  311984      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb> show all locks
No such command
ddb> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim Kern Lim
         devbuf  9438   6318K    6319K  78643K     10535        0        0
            pcb    13      8K       8K  78643K        13        0        0
         rtable    61      1K       2K  78643K       115        0        0
         ifaddr    24      7K       7K  78643K        24        0        0
       counters    19     16K      16K  78643K        19        0        0
       ioctlops     1      2K       2K  78643K        14        0        0
          mount     1      1K       1K  78643K         1        0        0
         vnodes  1180     74K      74K  78643K      1185        0        0
      UFS quota     1     32K      32K  78643K         1        0        0
      UFS mount     5     36K      36K  78643K         5        0        0
            shm     2      1K       1K  78643K         2        0        0
         VM map     3      0K       0K  78643K         3        0        0
            sem     2      0K       0K  78643K         2        0        0
        dirhash    12      2K       2K  78643K        12        0        0
           ACPI  1794    195K     288K  78643K     12646        0        0
      file desc     1      0K       0K  78643K         1        0        0
           proc    47     38K      46K  78643K       278        0        0
    NFS srvsock     1      0K       0K  78643K         1        0        0
     NFS daemon     1     16K      16K  78643K         1        0        0
       in_multi    11      0K       0K  78643K        11        0        0
    ether_multi     1      0K       0K  78643K         1        0        0
    ISOFS mount     1     32K      32K  78643K         1        0        0
  MSDOSFS mount     1     16K      16K  78643K         1        0        0
           ttys    18     79K      79K  78643K        18        0        0
           exec     0      0K       1K  78643K       151        0        0
        pagedep     1      8K       8K  78643K         1        0        0
       inodedep     1     32K      32K  78643K         1        0        0
         newblk     1      0K       0K  78643K         1        0        0
        VM swap     7     26K      26K  78643K         7        0        0
       UVM amap    52      2K       3K  78643K       685        0        0
       UVM aobj     2      2K       2K  78643K         2        0        0
        memdesc     1      4K       4K  78643K         1        0        0
    crypto data     1      1K       1K  78643K         1        0        0
            NDP     3      0K       0K  78643K         3        0        0
           temp    21   3543K    3607K  78643K      1686        0        0
      SYN cache     2     16K      16K  78643K         2        0        0
ddb> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp         64        2    0        0     1     0     1     1     0     8    0
rtpcb       96       15    0       13     1     0     1     1     0     8    0
rtentry    112       23    0        1     1     0     1     1     0     8    0
unpcb      120       27    0       19     1     0     1     1     0     8    0
syncache   280        5    0        5     1     0     1     1     0     8    1
tcpcb      640        8    0        5     1     0     1     1     0     8    0
inpcb      280       22    0       16     1     0     1     1     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256       96    0        0     6     0     6     6     0     8    0
art_table   32       97    0        0     1     0     1     1     0     8    0
art_node    16       22    0        2     1     0     1     1     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino1pl    128     1389    0       15    45     0    45    45     0     8    0
ffsino     240     1389    0       15    81     0    81    81     0     8    0
nchpl      144     1564    0       31    57     0    57    57     0     8    0
uvmvnodes   72     1398    0        0    26     0    26    26     0     8    0
vnodes     208     1398    0        0    74     0    74    74     0     8    0
namei      1024    3453    0     3453     1     0     1     1     0     8    1
vmpool     520        1    0        0     1     0     1     1     0     8    0
scxspl     208     2385    0     2385     2     0     2     2     0     8    2
plimitpl   152       13    0        8     1     0     1     1     0     8    0
sigapl     432      175    0      165     2     0     2     2     0     8    0
knotepl    112        5    0        0     1     0     1     1     0     8    0
kqueuepl   104        1    0        0     1     0     1     1     0     8    0
pipepl     128      114    0      107     1     0     1     1     0     8    0
fdescpl    424      176    0      165     2     0     2     2     0     8    0
filepl     120      834    0      790     2     0     2     2     0     8    0
lockfpl    104        5    0        4     1     0     1     1     0     8    0
lockfspl    48        3    0        2     1     0     1     1     0     8    0
sessionpl  128       17    0        9     1     0     1     1     0     8    0
pgrppl      48       17    0        9     1     0     1     1     0     8    0
ucredpl     96       47    0       40     1     0     1     1     0     8    0
zombiepl   144      165    0      165     1     0     1     1     0     8    1
processpl  896      190    0      165     4     0     4     4     0     8    0
procpl     648      190    0      165     3     0     3     3     0     8    0
sockpl     384       64    0       48     2     0     2     2     0     8    0
mcl4k      4096      10    0       10     1     0     1     1     0     8    1
mcl2k      2048    5764    0     5737     6     0     6     6     0     8    2
mtagpl      80        2    0        2     1     1     0     1     0     8    0
mbufpl     256     9855    0     9813     4     0     4     4     0     8    0
bufpl      280     2046    0      240   129     0   129   129     0     8    0
anonpl      16    16860    0    15750     7     2     5     7     0    62    0
amapchunkpl 152     462    0      427     2     0     2     2     0   158    0
amappl16   192       75    0       69     1     0     1     1     0     8    0
amappl14   176       35    0       31     1     0     1     1     0     8    0
amappl12   160        4    0        4     1     0     1     1     0     8    1
amappl11   152       41    0       30     1     0     1     1     0     8    0
amappl10   144        1    0        1     1     0     1     1     0     8    1
amappl9    136      366    0      365     1     0     1     1     0     8    0
amappl8    128       81    0       77     1     0     1     1     0     8    0
amappl7    120       16    0       15     1     0     1     1     0     8    0
amappl6    112       43    0       39     1     0     1     1     0     8    0
amappl5    104      157    0      146     1     0     1     1     0     8    0
amappl4     96      394    0      370     1     0     1     1     0     8    0
amappl3     88      102    0       97     1     0     1     1     0     8    0
amappl2     80      708    0      658     2     0     2     2     0     8    0
amappl1     72    12049    0    11673    16     6    10    16     0     8    1
amappl      80      353    0      333     1     0     1     1     0    84    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      64        1    0        0     1     0     1     1     0     8    0
uaddrrnd    24      177    0      165     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      177    0      165     1     0     1     1     0     8    0
vmmpekpl   168     5282    0     5267     1     0     1     1     0     8    0
vmmpepl    168    25131    0    24389    48     6    42    48     0   357    9
vmsppl     272      175    0      165     1     0     1     1     0     8    0
pdppl      4096     360    0      330     5     0     5     5     0     8    0
pvpl        32    70274    0    67526    26     0    26    26     0   265    3
pmappl     200      176    0      165     1     0     1     1     0     8    0
extentpl    40       46    0       29     1     0     1     1     0     8    0
phpool     112      111    0        2     4     0     4     4     0     8    0

Crashes (12):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-openbsd-main 2019/11/28 16:57 openbsd 258e938fc1ef 861a5980 .config log report syz C
ci-openbsd-main 2019/12/04 14:04 openbsd 502b49aa2bd0 0ecb9746 .config log report
ci-openbsd-main 2019/12/03 22:49 openbsd afd2bec52a56 4b0a22b9 .config log report
ci-openbsd-main 2019/12/03 21:07 openbsd afd2bec52a56 4b0a22b9 .config log report
ci-openbsd-main 2019/12/03 02:23 openbsd 9f5f6f881ebc ab342da3 .config log report
ci-openbsd-main 2019/12/02 01:35 openbsd e41f21f1a78d f879db37 .config log report
ci-openbsd-multicore 2019/12/02 00:05 openbsd e41f21f1a78d f879db37 .config log report
ci-openbsd-main 2019/12/01 08:05 openbsd de4d173916c8 a76bf83f .config log report
ci-openbsd-main 2019/11/30 23:47 openbsd f4ae6ec74ba8 a76bf83f .config log report
ci-openbsd-multicore 2019/11/30 09:42 openbsd f4ae6ec74ba8 3a75be00 .config log report
ci-openbsd-main 2019/11/29 05:02 openbsd 21d4c0f4eaae 76357d6f .config log report
ci-openbsd-main 2019/11/28 16:41 openbsd 258e938fc1ef 861a5980 .config log report