The C reproducer panics the machine like a charm. Requires root. https://syzkaller.appspot.com/x/repro.c?x=117e5733400000 (From the trace below: the fault is at ip_ctloutput+0x784 on `movq 0xd0(%r14),%rbx` with r14 = 0, i.e. a NULL pointer dereference reading offset 0xd0, reached from userland through sys_getsockopt.)
---------- Forwarded message --------- From: syzbot <syzbot+02168317bd0156c13...@syzkaller.appspotmail.com> Date: Fri, Nov 30, 2018 at 7:58 PM Subject: Re: uvm_fault: ip_ctloutput To: <syzkaller-openbsd-b...@googlegroups.com> syzbot has found a reproducer for the following crash on: HEAD commit: e9b93a3e5ebc Remove erroneous quote added in previous git tree: https://github.com/openbsd/src.git master console output: https://syzkaller.appspot.com/x/log.txt?x=11a23625400000 dashboard link: https://syzkaller.appspot.com/bug?extid=02168317bd0156c13b69 compiler: syz repro: https://syzkaller.appspot.com/x/repro.syz?x=111b11a3400000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=117e5733400000 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+02168317bd0156c13...@syzkaller.appspotmail.com login: uvm_fault(0xffffff007f12bb58, 0xd0, 0, 1) -> e kernel: page fault trap, code=0 Stopped at ip_ctloutput+0x784: movq 0xd0(%r14),%rbx ddb> ddb> set $lines = 0 ddb> show panic kernel page fault uvm_fault(0xffffff007f12bb58, 0xd0, 0, 1) -> e ip_ctloutput(ffffff006e48e170,ffff8000210c2e20,ffffff006e706788,ffff8000210fa988,ffffff007f146c00) at ip_ctloutput+0x784 end trace frame: 0xffff8000210fa930, count: 0 ddb> trace ip_ctloutput(ffffff006e48e170,ffff8000210c2e20,ffffff006e706788,ffff8000210fa988,ffffff007f146c00) at ip_ctloutput+0x784 sys_getsockopt(ffff8000210faa10,ffff8000210c2e20,ffff8000210a5338) at sys_getsockopt+0x13c syscall(0) at syscall+0x3e4 Xsyscall(6,0,0,0,1,7f7fffff3a18) at Xsyscall+0x128 end of kernel end trace frame: 0x7f7fffff39d0, count: -4 ddb> show registers rdi 0 rsi 0xffffff006e706788 rbp 0xffff8000210fa8d0 rbx 0 rdx 0 rcx 0x1 rax 0 r8 0xffffff007f146c00 r9 0 r10 0xa28679f43345c2df r11 0xffffffff8110e110 rip_ctloutput r12 0x1 r13 0 r14 0 r15 0xffffff007f146c00 rip 0xffffffff81a13b44 ip_ctloutput+0x784 cs 0x8 rflags 0x10246 __ALIGN_SIZE+0xf246 rsp 0xffff8000210fa8a0 ss 0x10 ip_ctloutput+0x784: movq 0xd0(%r14),%rbx 
ddb> show proc PROC (syz-executor1283) pid=307178 stat=onproc flags process=2<EXEC> proc=0 pri=51, usrpri=51, nice=20 forw=0xffffffffffffffff, list=0xffff8000210c3078,0xffffffff81e98cf0 process=0xffff8000210a5338 user=0xffff8000210f5000, vmspace=0xffffff007f12bb58 estcpu=1, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND *22391 307178 19661 0 7 0x2 syz-executor1283 19661 340086 17670 0 3 0x10008a pause ksh 17670 326992 29604 0 3 0x92 select sshd 41270 33654 1 0 3 0x100083 ttyin getty 29604 327245 1 0 3 0x80 select sshd 79075 90932 56293 73 2 0x100090 syslogd 56293 303628 1 0 3 0x100082 netio syslogd 68459 425749 1 77 3 0x100090 poll dhclient 36911 58752 1 0 3 0x80 poll dhclient 56206 238502 0 0 2 0x14200 zerothread 5835 239343 0 0 3 0x14200 aiodoned aiodoned 38692 124704 0 0 3 0x14200 syncer update 30045 377418 0 0 3 0x14200 cleaner cleaner 8830 232312 0 0 3 0x14200 reaper reaper 36321 273872 0 0 3 0x14200 pgdaemon pagedaemon 27140 184915 0 0 3 0x14200 bored crynlk 99803 446221 0 0 3 0x14200 bored crypto 11482 154614 0 0 3 0x40014200 acpi0 acpi0 50541 283257 0 0 3 0x14200 bored softnet 80198 487934 0 0 3 0x14200 bored systqmp 67536 180871 0 0 3 0x14200 bored systq 44741 199952 0 0 3 0x40014200 bored softclock 30804 187632 0 0 3 0x40014200 idle0 1 82730 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> -- nest.cx is Gmail hosted, use PGP for anything private. Key: http://goo.gl/6dMsr Fingerprint: 5E2B 2D0E 1E03 2046 BEC3 4D50 0B15 42BD 8DF5 A1B0