syzbot


panic: free: non-malloced addr ADDR type in_multi

Status: auto-closed as invalid on 2020/01/31 05:32
Reported-by: syzbot+937a3495cdf23901478f@syzkaller.appspotmail.com
First crash: 1631d, last: 1609d

Sample crash report:
panic: free: non-malloced addr 0xffff800020ab0c70 type in_multi
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*399355  42953      0           0  0x4000000    1K syz-executor.0
 363788  30803      0     0x14000      0x200    0  reaper
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
free(ffff800020ab0c70,36,18) at free+0x50c
in6_purgeaddr(ffff800000a93f00) at in6_purgeaddr+0x1b7 sys/netinet6/in6.c:912
in6_ifdetach(ffff800000a68000) at in6_ifdetach+0x74 sys/netinet6/in6_ifattach.c:422
if_setrdomain(ffff800000a68000,18) at if_setrdomain+0x1a2 sys/net/if.c:1829
ifioctl(fffffd806f6d5600,8020699f,ffff800023b8f350,ffff800020ab1160) at ifioctl+0x1303 sys/net/if.c:2087
sys_ioctl(ffff800020ab1160,ffff800023b8f468,ffff800023b8f4b0) at sys_ioctl+0x5b9
syscall(ffff800023b8f530) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline]
syscall(ffff800023b8f530) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555
Xsyscall(6,0,ffffffffffffff36,0,3,751a3982010) at Xsyscall+0x128
end of kernel
end trace frame: 0x753ff8858c0, count: 5
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{1}> 
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
free: non-malloced addr 0xffff800020ab0c70 type in_multi
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
free(ffff800020ab0c70,36,18) at free+0x50c
in6_purgeaddr(ffff800000a93f00) at in6_purgeaddr+0x1b7 sys/netinet6/in6.c:912
in6_ifdetach(ffff800000a68000) at in6_ifdetach+0x74 sys/netinet6/in6_ifattach.c:422
if_setrdomain(ffff800000a68000,18) at if_setrdomain+0x1a2 sys/net/if.c:1829
ifioctl(fffffd806f6d5600,8020699f,ffff800023b8f350,ffff800020ab1160) at ifioctl+0x1303 sys/net/if.c:2087
sys_ioctl(ffff800020ab1160,ffff800023b8f468,ffff800023b8f4b0) at sys_ioctl+0x5b9
syscall(ffff800023b8f530) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline]
syscall(ffff800023b8f530) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555
Xsyscall(6,0,ffffffffffffff36,0,3,751a3982010) at Xsyscall+0x128
end of kernel
end trace frame: 0x753ff8858c0, count: -10
ddb{1}> show registers
rdi               0xffffffff81194cb7    db_enter+0x17
rsi                          0x3f456    acpi_pdirpa+0x2b2be
rbp               0xffff800023b8efd0
rbx               0xffff800023b8f080
rdx                          0x3f457    acpi_pdirpa+0x2b2bf
rcx               0xffff800023db0000
rax               0xffff800023db0000
r8                0xffffffff81f734ef    kprintf+0x16f
r9                               0x1
r10                             0x25
r11               0x837f1aa167bfc0e3
r12                     0x3000000008
r13               0xffff800023b8efe0
r14                            0x100
r15                              0x1
rip               0xffffffff81194cb8    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff800023b8efc0
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor.0) pid=399355 stat=onproc
    flags process=0 proc=4000000<THREAD>
    pri=78, usrpri=78, nice=20
    forw=0xffffffffffffffff, list=0xffff800020ab0c70,0xffffffff82645b50
    process=0xffff800020add500 user=0xffff800023b8a000, vmspace=0xfffffd807f00a8a0
    estcpu=36, cpticks=2, pctcpu=0.0
    user=0, sys=1, intr=0
ddb{1}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 42953  515750  65197      0  2           0                syz-executor.0
*42953  399355  65197      0  7   0x4000000                syz-executor.0
 65197  388153  30134      0  3        0x82  nanosleep     syz-executor.0
  7778   53244  30134      0  3        0x82  nanosleep     syz-executor.1
 45944  434043      0      0  3     0x14200  bored         sosplice
 30134  377367  96416      0  3        0x82  thrsleep      syz-fuzzer
 30134  294965  96416      0  3   0x4000082  nanosleep     syz-fuzzer
 30134  467171  96416      0  3   0x4000082  thrsleep      syz-fuzzer
 30134  359958  96416      0  3   0x4000082  thrsleep      syz-fuzzer
 30134   53654  96416      0  3   0x4000082  thrsleep      syz-fuzzer
 30134  167673  96416      0  3   0x4000082  thrsleep      syz-fuzzer
 30134   25897  96416      0  3   0x4000082  thrsleep      syz-fuzzer
 30134  441718  96416      0  3   0x4000082  thrsleep      syz-fuzzer
 30134  398068  96416      0  3   0x4000082  thrsleep      syz-fuzzer
 30134  187498  96416      0  3   0x4000082  kqread        syz-fuzzer
 30134  161562  96416      0  3   0x4000082  thrsleep      syz-fuzzer
 96416  293924  12696      0  3    0x10008a  pause         ksh
 12696  473638   8692      0  3        0x92  select        sshd
 80496  149093      1      0  3    0x100083  ttyin         getty
  8692  127887      1      0  3        0x80  select        sshd
 62679  103264   7940     74  3    0x100092  bpf           pflogd
  7940  257590      1      0  3        0x80  netio         pflogd
  8769  431536  31574     73  3    0x100090  kqread        syslogd
 31574  494525      1      0  3    0x100082  netio         syslogd
 97723  241007      1     77  2    0x100090                dhclient
 91805   75816      1      0  3        0x80  poll          dhclient
 19773  218356      0      0  2     0x14200                zerothread
 95068   18674      0      0  3     0x14200  aiodoned      aiodoned
  1324  435435      0      0  3     0x14200  syncer        update
 72727   31253      0      0  3     0x14200  cleaner       cleaner
 30803  363788      0      0  7     0x14200                reaper
 25044  236991      0      0  3     0x14200  pgdaemon      pagedaemon
  7761  488506      0      0  3     0x14200  bored         crynlk
 23597  466258      0      0  3     0x14200  bored         crypto
 17413  348201      0      0  3  0x40014200  acpi0         acpi0
 62113  117604      0      0  3  0x40014200                idle1
 69891  156133      0      0  3     0x14200  bored         softnet
 18748  295386      0      0  2     0x14200                systqmp
 55709  124396      0      0  3     0x14200  bored         systq
  2883  501948      0      0  3  0x40014200  bored         softclock
 65881  194712      0      0  3  0x40014200                idle0
 84137  404979      0      0  3     0x14200  bored         smr
     1  404486      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{1}> show all locks
Process 42953 (syz-executor.0) thread 0xffff800020ab1160 (399355)
exclusive rwlock netlock r = 0 (0xffffffff824f3758)
#0  witness_lock+0x52e sys/kern/subr_witness.c:1163
#1  ifioctl+0x12f6 sys/net/if.c:2087
#2  sys_ioctl+0x5b9
#3  syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline]
#3  syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555
#4  Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff8262a6d0)
#0  witness_lock+0x52e sys/kern/subr_witness.c:1163
#1  syscall+0x400 mi_syscall sys/sys/syscall_mi.h:83 [inline]
#1  syscall+0x400 sys/arch/amd64/amd64/trap.c:555
#2  Xsyscall+0x128
ddb{1}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim Kern Lim
         devbuf  9605   6578K    7053K  78643K     12882        0        0
            pcb    13      8K       8K  78643K       216        0        0
         rtable   101      6K       6K  78643K       784        0        0
         ifaddr    86     16K      17K  78643K       228        0        0
       counters    39     33K      33K  78643K        39        0        0
       ioctlops     0      0K       4K  78643K      1505        0        0
            iov     0      0K      16K  78643K       203        0        0
          mount     1      1K       1K  78643K         1        0        0
         vnodes  1215     76K      77K  78643K      2237        0        0
      UFS quota     1     32K      32K  78643K         1        0        0
      UFS mount     5     36K      36K  78643K         5        0        0
            shm     2      1K       5K  78643K         8        0        0
         VM map    13      6K       6K  78643K        13        0        0
            sem    12      0K       0K  78643K       197        0        0
        dirhash    12      2K       2K  78643K        12        0        0
           ACPI  1808    196K     290K  78643K     12765        0        0
      file desc     5     13K      25K  78643K       907        0        0
          sigio     0      0K       0K  78643K         7        0        0
           proc    60     63K      83K  78643K       812        0        0
        subproc    32      2K       2K  78643K       153        0        0
    NFS srvsock     1      0K       0K  78643K         1        0        0
     NFS daemon     1     16K      16K  78643K         1        0        0
    ip_moptions     0      0K       0K  78643K        95        0        0
       in_multi    25      1K       2K  78643K       134        0        0
    ether_multi     1      0K       0K  78643K        15        0        0
            mrt     0      0K       0K  78643K         9        0        0
    ISOFS mount     1     32K      32K  78643K         1        0        0
  MSDOSFS mount     1     16K      16K  78643K         1        0        0
           ttys    54    238K     238K  78643K        54        0        0
           exec     0      0K       1K  78643K       377        0        0
        pagedep     1      8K       8K  78643K         1        0        0
       inodedep     1     32K      32K  78643K         1        0        0
         newblk     1      0K       0K  78643K         1        0        0
        VM swap     7     26K      26K  78643K         7        0        0
       UVM amap   146    118K     118K  78643K      4093        0        0
       UVM aobj    71      3K       3K  78643K        78        0        0
        memdesc     1      4K       4K  78643K         1        0        0
    crypto data     1      1K       1K  78643K         1        0        0
    ip6_options     0      0K       1K  78643K       205        0        0
            NDP    21      0K       0K  78643K        66        0        0
           temp   238   3565K    3633K  78643K     23233        0        0
         kqueue     0      0K       0K  78643K       219        0        0
      SYN cache     2     16K      16K  78643K         2        0        0
ddb{1}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp         64       31    0       26     1     0     1     1     0     8    0
plcache    128       20    0        0     1     0     1     1     0     8    0
rtpcb       80      119    0      117     1     0     1     1     0     8    0
rtentry    112      148    0      112     2     0     2     2     0     8    0
unpcb      120      449    0      439     1     0     1     1     0     8    0
syncache   264       11    0       11     4     4     0     1     0     8    0
tcpqe       32      141    0      141     2     2     0     1     0     8    0
tcpcb      544      367    0      363     2     1     1     2     0     8    0
inpcb      280     1084    0     1075     5     3     2     2     0     8    1
rttmr       72        5    0        5     2     1     1     1     0     8    1
ip6q        72        2    0        2     1     1     0     1     0     8    0
ip6af       40        6    0        6     1     1     0     1     0     8    0
nd6         48       30    0       27     1     0     1     1     0     8    0
pkpcb       40        4    0        4     2     2     0     1     0     8    0
ppxss      1128      19    0       19     2     1     1     1     0     8    1
pffrag     232       29    0       29     2     1     1     1     0   482    1
pffrnode    88       29    0       29     2     1     1     1     0     8    1
pffrent     40     1042    0     1042     2     1     1     1     0     8    1
pfosfp      40      846    0      423     5     0     5     5     0     8    0
pfosfpen   112     1428    0      714    21     0    21    21     0     8    0
pfstitem    24       74    0       21     1     0     1     1     0     8    0
pfstkey    112       74    0       21     2     0     2     2     0     8    0
pfstate    328       74    0       21     5     0     5     5     0     8    0
pfrule     1360      21    0       16     2     1     1     2     0     8    0
art_heap8  4096      10    0        8     3     1     2     3     0     8    0
art_heap4  256      942    0      617    26     5    21    24     0     8    0
art_table   32      952    0      625     4     0     4     4     0     8    0
art_node    16      147    0      106     1     0     1     1     0     8    0
sysvmsgpl   40       56    0       34     1     0     1     1     0     8    0
semupl     112        1    0        1     1     1     0     1     0     8    0
semapl     112      195    0      185     1     0     1     1     0     8    0
shmpl      112       76    0        7     2     0     2     2     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino1pl    128     2702    0     1286    46     0    46    46     0     8    0
ffsino     272     2702    0     1286    95     0    95    95     0     8    0
nchpl      144     4587    0     2982    61     0    61    61     0     8    0
uvmvnodes   72     3572    0        0    65     0    65    65     0     8    0
vnodes     208     3572    0        0   188     0   188   188     0     8    0
namei      1024   14694    0    14694     1     0     1     1     0     8    1
percpumem   16       30    0        0     1     0     1     1     0     8    0
vcpupl     1984      11    0        0     2     0     2     2     0     8    0
vmpool     552       11    0        0     1     0     1     1     0     8    0
scxspl     192    12331    0    12331    13    12     1     7     0     8    1
plimitpl   152       84    0       76     1     0     1     1     0     8    0
sigapl     432     1084    0     1069     3     1     2     3     0     8    0
futexpl     56    19220    0    19220     1     0     1     1     0     8    1
knotepl    112      709    0      690     2     1     1     2     0     8    0
kqueuepl   104      587    0      585     1     0     1     1     0     8    0
pipepl     112      650    0      631     3     2     1     2     0     8    0
fdescpl    488     1085    0     1069     3     0     3     3     0     8    0
filepl     152     9186    0     9084     9     4     5     6     0     8    1
lockfpl    104      307    0      306     1     0     1     1     0     8    0
lockfspl    48      108    0      107     1     0     1     1     0     8    0
sessionpl  112       25    0       14     1     0     1     1     0     8    0
pgrppl      48       41    0       30     1     0     1     1     0     8    0
ucredpl     96      906    0      897     1     0     1     1     0     8    0
zombiepl   144     1069    0     1068     1     0     1     1     0     8    0
processpl  896     1101    0     1068     4     0     4     4     0     8    0
procpl     632     2952    0     2908     5     0     5     5     0     8    1
srpgc       64       16    0       16     4     4     0     1     0     8    0
sosppl     128       14    0       14     3     2     1     1     0     8    1
sockpl     384     1661    0     1640     6     3     3     4     0     8    0
mcl64k     65536     17    0        0     3     0     3     3     0     8    0
mcl16k     16384      6    0        0     1     0     1     1     0     8    0
mcl12k     12288     11    0        0     2     0     2     2     0     8    0
mcl9k      9216       6    0        0     1     0     1     1     0     8    0
mcl8k      8192      17    0        0     3     0     3     3     0     8    0
mcl4k      4096      17    0        0     3     0     3     3     0     8    0
mcl2k2     2112       3    0        0     1     0     1     1     0     8    0
mcl2k      2048     175    0        0    21     0    21    21     0     8    0
mtagpl      80       17    0        0     1     0     1     1     0     8    0
mbufpl     256      329    0        0    19     0    19    19     0     8    0
bufpl      256     8500    0     1442   442     0   442   442     0     8    0
anonpl      16   148747    0   128505   125    27    98    98     0   124   15
amapchunkpl 152    7162    0     7007    18     8    10    11     0   158    3
amappl16   192     5518    0     4352    96    30    66    70     0     8    7
amappl15   184      133    0      133     1     1     0     1     0     8    0
amappl14   176      277    0      270     1     0     1     1     0     8    0
amappl13   168      321    0      318     1     0     1     1     0     8    0
amappl12   160       77    0       75     1     0     1     1     0     8    0
amappl11   152      151    0      136     1     0     1     1     0     8    0
amappl10   144       82    0       78     1     0     1     1     0     8    0
amappl9    136      695    0      691     1     0     1     1     0     8    0
amappl8    128      276    0      235     3     1     2     2     0     8    0
amappl7    120      128    0      121     1     0     1     1     0     8    0
amappl6    112      142    0      130     1     0     1     1     0     8    0
amappl5    104      256    0      242     1     0     1     1     0     8    0
amappl4     96     1330    0     1293     1     0     1     1     0     8    0
amappl3     88      370    0      362     1     0     1     1     0     8    0
amappl2     80     7775    0     7693     3     1     2     3     0     8    0
amappl1     72    34057    0    33601    27    17    10    21     0     8    0
amappl      80     3339    0     3284     2     0     2     2     0    84    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       17    0       17     1     1     0     1     0     8    0
aobjpl      64       77    0        7     2     0     2     2     0     8    0
uaddrrnd    24     1096    0     1069     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24     1096    0     1069     1     0     1     1     0     8    0
vmmpekpl   168    12669    0    12630     2     0     2     2     0     8    0
vmmpepl    168   145625    0   143194   174    30   144   148     0   357   37
vmsppl     368     1084    0     1068     2     0     2     2     0     8    0
pdppl      4096    2199    0     2147     7     0     7     7     0     8    0
pvpl        32   401024    0   377900   268    44   224   226     0   265   33
pmappl     232     1095    0     1068     3     1     2     2     0     8    0
extentpl    40       41    0       26     1     0     1     1     0     8    0
phpool     112      635    0       10    18     0    18    18     0     8    0

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/11/02 05:31 openbsd c2600de8aa52 997ccc67 .config console log report ci-openbsd-multicore
2019/10/18 12:26 openbsd 1463ff3c9b45 8c88c9c1 .config console log report ci-openbsd-multicore
2019/10/12 05:29 openbsd b8fc78b9a375 426631dd .config console log report ci-openbsd-multicore
2019/10/11 03:46 openbsd 9db0ea45749c 1a3bad90 .config console log report ci-openbsd-multicore