As if to reiterate Dmitry's point regarding manual reporting, here's
another bug found by syzkaller. I'll stop sending them manually now.
https://syzkaller.appspot.com/text?tag=CrashLog&x=16cea37e400000
The disassembly looks like this:
/syzkaller/managers/main/kernel/sys/dev/wscons/wsmux.c:485
41b: 49 8b 9f 80 00 00 00 mov 0x80(%r15),%rbx
/syzkaller/managers/main/kernel/sys/dev/wscons/wsmux.c:486
422: 48 85 db test %rbx,%rbx
425: 0f 84 bd 01 00 00 je 5e8 <wsmux_do_ioctl+0x428>
/syzkaller/managers/main/kernel/sys/dev/wscons/wsmux.c:488
42b: e8 00 00 00 00 callq 430 <wsmux_do_ioctl+0x270>
42c: R_X86_64_PC32
__sanitizer_cov_trace_pc+0xfffffffffffffffc
430: 41 8b 06 mov (%r14),%eax
433: 48 8b 4b 18 mov 0x18(%rbx),%rcx
437: 48 8b 89 48 02 00 00 mov 0x248(%rcx),%rcx
43e: 45 31 e4 xor %r12d,%r12d
441: 3b 41 20 cmp 0x20(%rcx),%eax
444: 41 0f 95 c4 setne %r12b
448: e9 c5 02 00 00 jmpq 712 <wsmux_do_ioctl+0x552>
And this seems to correspond to `evar->io == NULL` (note, though, that the trap is at the `cmpl 0x20(%rcx),%eax` at +0x281 with `rcx == 0`, so the preceding `mov 0x248(%rcx),%rcx` load through the pointer fetched from `evar` completed and yielded NULL — the NULL may be one dereference deeper than `evar->io`; worth checking against the struct layout):
evar = sc->sc_base.me_evp;
if (evar == NULL)
return (EINVAL);
488: if (*(int *)data != evar->io->ps_pgid)
<https://github.com/openbsd/src/blob/b66614995ab119f75167daaa7755b34001836821/sys/dev/wscons/wsmux.c#L488>
return (EPERM);
return (0);
16:03:56 executing program 0:
mknod(&(0x7f00000000c0)='./file0\x00', 0x2000, 0x4502)
r0 = open$dir(&(0x7f0000000180)='./file0\x00', 0x1, 0x5)
r1 = fcntl$getown(0xffffffffffffffff, 0x5)
fcntl$setown(r0, 0x6, r1)
readlink(&(0x7f0000000080)='./file0\x00', &(0x7f0000000100), 0x0)
r2 = dup(r0)
getsockname$unix(r2, &(0x7f0000000040)=@abs, &(0x7f0000000100)=0x8)
getsockopt$SO_PEERCRED(0xffffffffffffff9c, 0xffff, 0x1022,
&(0x7f0000000000)={<r3=>0x0}, 0xc)
r4 = getpgid(r3)
fcntl$setown(r0, 0x6, r4)
16:03:58 executing program 1:
mknod(&(0x7f00000000c0)='./file0\x00', 0x2000, 0x4502)
r0 = open$dir(&(0x7f0000000040)='./file0\x00', 0x10, 0x108)
r1 = getpgid(0x0)
fcntl$setown(r0, 0x6, r1)
getsockopt$sock_cred(0xffffffffffffff9c, 0xffff, 0x1022,
&(0x7f0000000080)={0x0, <r2=>0x0, <r3=>0x0}, &(0x7f0000000100)=0xc)
getsockopt$sock_cred(0xffffffffffffffff, 0xffff, 0x1022, &(0x7f0000000140),
&(0x7f0000000180)=0xc)
lchown(&(0x7f0000000000)='./file0/file0\x00', r2, r3)
kernel: page fault trap, code=0
Stopped at wsmux_do_ioctl+0x281: cmpl 0x20(%rcx),%eax
ddb> trace
wsmux_do_ioctl(80047476,ffffff0016925038,2,ffffff001f7cbc00,ffffffff81e025c8)
at wsmux_do_ioctl+0x281
VOP_IOCTL(ffff80000e3910c0,ffff80000e2a6988,ffffff0015a1fe20,ffffff0016925038,80047476,5e7efaff42607ee8)
at VOP_IOCTL+0x73
vn_ioctl(ffffff0015a1fe20,ffffff001d6fb050,ffff80000e2a6988,ffffff001d6fb050)
at vn_ioctl+0xcd
sys_fcntl(ffff80000e3911f0,ffff80000e2a6988,ffff80000e2a9910) at
sys_fcntl+0x74e
syscall(0) at syscall+0x3e4
Xsyscall(6,0,23,0,3,11ff055a0010) at Xsyscall+0x128
end of kernel
end trace frame: 0x120164d2a670, count: -6
ddb> show registers
rdi 0xffff8000044f9d00
rsi 0xffffffff816dfde0 wsmux_do_ioctl+0x270
rbp 0xffff80000e390f20
rbx 0xffff8000044f9d50
rdx 0xffff8000004d9000
rcx 0
rax 0
r8 0xffff80000e2a6988
r9 0xffff80000e2a6988
r10 0
r11 0xffffffff816e10d0 wsmuxioctl
r12 0
r13 0x2
r14 0xffff80000e3910c0
r15 0xffff8000044f9d00
rip 0xffffffff816dfdf1 wsmux_do_ioctl+0x281
cs 0x8
rflags 0x10246 __ALIGN_SIZE+0xf246
rsp 0xffff80000e390ee0
ss 0x10
wsmux_do_ioctl+0x281: cmpl 0x20(%rcx),%eax
--
nest.cx is Gmail hosted, use PGP for anything private. Key:
http://goo.gl/6dMsr
Fingerprint: 5E2B 2D0E 1E03 2046 BEC3 4D50 0B15 42BD 8DF5 A1B0