From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 238034] Use after free in constty_timeout
Date: Tue, 21 May 2019 22:15:09 +0000
List-Id: Bug reports <freebsd-bugs@freebsd.org>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238034

            Bug ID: 238034
           Summary: Use after free in constty_timeout
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: Andrew@FreeBSD.org

I received the following from syzkaller. I think it's related to posix_openpt, but don't have a reproducer. I have the kernel and core dump.
Fatal trap 9: general protection fault while in kernel mode
cpuid = 0; apic id = 00
instruction pointer     = 0x20:0xffffffff81001008
stack pointer           = 0x28:0xfffffe000c95a870
frame pointer           = 0x28:0xfffffe000c95a8c0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi4: clock (0))
trap number             = 9
panic: general protection fault
cpuid = 0
time = 1558476172
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe000c95a540
vpanic() at vpanic+0x1e0/frame 0xfffffe000c95a5a0
panic() at panic+0x43/frame 0xfffffe000c95a600
trap_fatal() at trap_fatal+0x4c6/frame 0xfffffe000c95a680
trap() at trap+0xba/frame 0xfffffe000c95a7a0
calltrap() at calltrap+0x8/frame 0xfffffe000c95a7a0
--- trap 0x9, rip = 0xffffffff81001008, rsp = 0xfffffe000c95a870, rbp = 0xfffffe000c95a8c0 ---
__mtx_lock_flags() at __mtx_lock_flags+0x98/frame 0xfffffe000c95a8c0
constty_timeout() at constty_timeout+0x36/frame 0xfffffe000c95a8e0
softclock_call_cc() at softclock_call_cc+0x1dd/frame 0xfffffe000c95a9b0
softclock() at softclock+0xa3/frame 0xfffffe000c95a9f0
ithread_loop() at ithread_loop+0x2f2/frame 0xfffffe000c95aa60
fork_exit() at fork_exit+0xb0/frame 0xfffffe000c95aab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe000c95aab0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
Uptime: 1m0s
netdump: overwriting mbuf zone pointers
netdump in progress. searching for server...
netdumping to 169.254.0.1 (02:82:93:04:a7:00)
Dumping 101 out of 465 MB:..16%..32%..48%..64%..80%..95%

__curthread () at /usr/home/andrew/head-git/sys/amd64/include/pcpu.h:246
246             __asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (OFFSETOF_CURTHREAD));
(kgdb) bt
#0  __curthread () at /usr/home/andrew/head-git/sys/amd64/include/pcpu.h:246
#1  doadump (textdump=1) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:383
#2  0xffffffff81032217 in kern_reboot (howto=260) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:470
#3  0xffffffff81032825 in vpanic (fmt=, ap=) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:896
#4  0xffffffff81032473 in panic (fmt=) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:823
#5  0xffffffff816d13d6 in trap_fatal (frame=0xfffffe000c95a7b0, eva=0) at /usr/home/andrew/head-git/sys/amd64/amd64/trap.c:946
#6  0xffffffff816d004a in trap (frame=) at /usr/home/andrew/head-git/sys/amd64/amd64/trap.c:218
#7
#8  __mtx_lock_flags (c=, opts=0, file=0xffffffff81998af3 "/usr/home/andrew/head-git/sys/kern/kern_cons.c", line=608) at /usr/home/andrew/head-git/sys/kern/kern_mutex.c:244
#9  0xffffffff80fa3336 in constty_timeout (arg=) at /usr/home/andrew/head-git/sys/kern/kern_cons.c:608
#10 0xffffffff81058ddd in softclock_call_cc (c=, cc=0xffffffff8271dd00 , direct=0) at /usr/home/andrew/head-git/sys/kern/kern_timeout.c:731
#11 0xffffffff81059343 in softclock (arg=0xffffffff8271dd00 ) at /usr/home/andrew/head-git/sys/kern/kern_timeout.c:869
#12 0xffffffff80fd6f72 in intr_event_execute_handlers (p=, ie=) at /usr/home/andrew/head-git/sys/kern/kern_intr.c:1148
#13 ithread_execute_handlers (p=, ie=) at /usr/home/andrew/head-git/sys/kern/kern_intr.c:1161
#14 ithread_loop (arg=) at /usr/home/andrew/head-git/sys/kern/kern_intr.c:1241
#15 0xffffffff80fd23d0 in fork_exit (callout=0xffffffff80fd6c80 , arg=0xfffff800031b2000, frame=0xfffffe000c95aac0) at /usr/home/andrew/head-git/sys/kern/kern_fork.c:1056
#16
(kgdb) up 8
#8  __mtx_lock_flags (c=, opts=0, file=0xffffffff81998af3 "/usr/home/andrew/head-git/sys/kern/kern_cons.c", line=608) at /usr/home/andrew/head-git/sys/kern/kern_mutex.c:244
244             KASSERT(m->mtx_lock != MTX_DESTROYED,
(kgdb) p m
$2 = (struct mtx *) 0xdeadc0dedeadc0de
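The trap above is taken inside __mtx_lock_flags() while the softclock thread runs the constty_timeout() callout, and the mutex pointer kgdb prints is 0xdeadc0dedeadc0de. That value is the 32-bit pattern 0xdeadc0de repeated twice, which is what FreeBSD's UMA debugging code (trash_dtor, enabled on INVARIANTS kernels) writes over freed allocations, so the callout is reading a pointer out of memory that has already been freed: the use-after-free the summary names. The script below is an added triage aid, not part of the bug report or of FreeBSD. It parses the KDB backtrace format shown in the report (func() at func+0xNN/frame 0xADDR lines and --- trap N --- markers), isolates the frames that were executing when the non-zero trap fired, and checks a pointer value against the UMA trash pattern. The sample trace is the report's own backtrace transcribed by hand; the function and constant names (parse_kdb_trace, faulting_frames, is_uma_junk, triage, UMA_JUNK) are my own.

```python
import re

# Constructed sample: the KDB backtrace quoted in bug 238034, with the
# quoted-printable soft line breaks already joined.
KDB_TRACE = """\
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe000c95a540
vpanic() at vpanic+0x1e0/frame 0xfffffe000c95a5a0
panic() at panic+0x43/frame 0xfffffe000c95a600
trap_fatal() at trap_fatal+0x4c6/frame 0xfffffe000c95a680
trap() at trap+0xba/frame 0xfffffe000c95a7a0
calltrap() at calltrap+0x8/frame 0xfffffe000c95a7a0
--- trap 0x9, rip = 0xffffffff81001008, rsp = 0xfffffe000c95a870, rbp = 0xfffffe000c95a8c0 ---
__mtx_lock_flags() at __mtx_lock_flags+0x98/frame 0xfffffe000c95a8c0
constty_timeout() at constty_timeout+0x36/frame 0xfffffe000c95a8e0
softclock_call_cc() at softclock_call_cc+0x1dd/frame 0xfffffe000c95a9b0
softclock() at softclock+0xa3/frame 0xfffffe000c95a9f0
ithread_loop() at ithread_loop+0x2f2/frame 0xfffffe000c95aa60
fork_exit() at fork_exit+0xb0/frame 0xfffffe000c95aab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe000c95aab0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
"""

# One KDB frame line: "<func>() at <func>+0x<off>/frame 0x<addr>"
FRAME_RE = re.compile(r"^(\w+)\(\) at (\w+)\+0x([0-9a-f]+)/frame 0x([0-9a-f]+)$")
# One trap marker: "--- trap <n>, rip = <addr>, ... ---"
TRAP_RE = re.compile(r"^--- trap (0x[0-9a-f]+|\d+), rip = (0x[0-9a-f]+|\d+).*---$")

# 32-bit pattern UMA's trash_dtor writes into freed memory on INVARIANTS kernels
# (name UMA_JUNK is this script's own).
UMA_JUNK = 0xdeadc0de


def parse_kdb_trace(text):
    """Turn KDB backtrace text into an ordered list of frame and trap entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FRAME_RE.match(line)
        if m:
            entries.append({"kind": "frame", "func": m.group(1),
                            "offset": int(m.group(3), 16),
                            "frame": int(m.group(4), 16)})
            continue
        m = TRAP_RE.match(line)
        if m:
            entries.append({"kind": "trap", "number": int(m.group(1), 0),
                            "rip": int(m.group(2), 0)})
    return entries


def faulting_frames(entries):
    """Function chain that was executing when the first non-zero trap fired.

    KDB prints the panic machinery first, then a '--- trap N ---' marker, then
    the frames that were live at the fault. The final '--- trap 0 ---' marker
    closes the thread's initial frame and ends the chain."""
    chain, collecting = [], False
    for e in entries:
        if e["kind"] == "trap":
            if collecting:
                break
            collecting = e["number"] != 0
            continue
        if collecting:
            chain.append(e["func"])
    return chain


def is_uma_junk(value, width=8):
    """True if a pointer of `width` bytes consists solely of the UMA trash pattern."""
    pattern = 0
    for _ in range(width // 4):
        pattern = (pattern << 32) | UMA_JUNK
    return value == pattern


def triage(kdb_text, mutex_ptr):
    """Summarise where the fault happened and whether the pointer looks freed."""
    chain = faulting_frames(parse_kdb_trace(kdb_text))
    return {
        "fault_in": chain[0] if chain else None,
        "caller": chain[1] if len(chain) > 1 else None,
        "context": "softclock" if "softclock" in chain else "unknown",
        "freed_memory": is_uma_junk(mutex_ptr),
    }


if __name__ == "__main__":
    print(triage(KDB_TRACE, 0xdeadc0dedeadc0de))
```

Run on the report's trace with the pointer kgdb printed, the verdict names __mtx_lock_flags as the faulting function, constty_timeout as its caller, the softclock thread as the context, and flags the pointer as UMA trash. A pointer that is only partly poisoned, or one pointing into otherwise valid memory, would not match and needs the kernel and core dump the reporter kept to take the analysis further.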