Re: option kcov + GENERIC.MP -> silent crash

2018-11-25 Thread Anton Lindqvist
Hi Greg,

On Sun, Nov 25, 2018 at 10:13:52AM -0800, Greg Steuck wrote:
> Hi Anton,
> 
> I tried to boot a kernel with kcov based on GENERIC.MP and the machine
> reboots without a peep immediately after
> 
> vmm0 at mainbus0: VMX (using slow L1TF mitigation)
> 
> Switching off either of kcov or MP results in normally working kernels. I'm
> attaching two concatenated dmesgs. The effect is reproducible on real HW
> and on GCE VM. Broken config is just:
> $ cat /sys/arch/amd64/conf/SYZKALLER
> include "arch/amd64/conf/GENERIC.MP"
> pseudo-device kcov 1
> 
> Disabling either vmm or kcov in broken kernel UKC doesn't prevent crashes.

Known limitation, I haven't spent much time on making kcov MP-safe.
Especially since it's primarily used inside a VM through vmm which
currently is limited to a single CPU.

However, I did some investigation before and concluded that the problem
resides in the trace routine which is called from
cpu_boot_secondary_processors() before the secondary CPU is accessible
through curcpu(). I came up with a hackish solution to this problem (see
diff below) that got rejected; kettenis@ mentioned that we instead
should set MSR_GSBASE earlier in cpu_hatch() but I never managed to get
the right people involved with knowledge in this area. I might take a
look myself.

In the meantime, you could give the diff a try. It might be the case
that more functions are not eligible for tracing. OpenBSD has no method
of turning off tracing for a given source file like Linux does. This
might become necessary since I fear many more functions will not cope
with tracing.

Index: dev/kcov.c
===
RCS file: /cvs/src/sys/dev/kcov.c,v
retrieving revision 1.4
diff -u -p -r1.4 kcov.c
--- dev/kcov.c  27 Aug 2018 15:57:39 -  1.4
+++ dev/kcov.c  8 Sep 2018 21:51:20 -
@@ -49,6 +49,7 @@ struct kcov_dev {
 };
 
 void kcovattach(int);
+void kcov_attachhook(struct device *);
 
 int kd_alloc(struct kcov_dev *, unsigned long);
 void kd_free(struct kcov_dev *);
@@ -57,6 +58,7 @@ struct kcov_dev *kd_lookup(int);
 static inline int inintr(void);
 
 TAILQ_HEAD(, kcov_dev) kd_list = TAILQ_HEAD_INITIALIZER(kd_list);
+int kcov_attached = 0;
 
 #ifdef KCOV_DEBUG
 int kcov_debug = 1;
@@ -76,12 +78,11 @@ int kcov_debug = 1;
 void
 __sanitizer_cov_trace_pc(void)
 {
-   extern int cold;
struct kcov_dev *kd;
uint64_t idx;
 
-   /* Do not trace during boot. */
-   if (cold)
+   /* Do not trace before the root file system is mounted. */
+   if (!kcov_attached)
return;
 
/* Do not trace in interrupts to prevent noisy coverage. */
@@ -102,6 +103,13 @@ __sanitizer_cov_trace_pc(void)
 void
 kcovattach(int count)
 {
+   config_mountroot(NULL, kcov_attachhook);
+}
+
+void
+kcov_attachhook(struct device *dev)
+{
+   kcov_attached = 1;
 }
 
 int



refactor malloc a bit

2018-11-25 Thread Otto Moerbeek
Hi,

this refactors the code that finds an existing allocation into a
separate function. The code is currently repeated in three spots.

Preparatory work to get a somewhat more efficient version of the
"not-my-pool" case.

Please review and test,

-Otto

Index: malloc.c
===
RCS file: /cvs/src/lib/libc/stdlib/malloc.c,v
retrieving revision 1.254
diff -u -p -r1.254 malloc.c
--- malloc.c21 Nov 2018 06:57:04 -  1.254
+++ malloc.c25 Nov 2018 18:44:50 -
@@ -1273,19 +1273,18 @@ validate_junk(struct dir_info *pool, voi
}
 }
 
-static void
-ofree(struct dir_info *argpool, void *p, int clear, int check, size_t argsz)
+
+static struct region_info *
+findpool(void *p, struct dir_info *argpool, struct dir_info **foundpool,
+char **saved_function)
 {
-   struct dir_info *pool;
-   struct region_info *r;
-   char *saved_function;
-   size_t sz;
-   int i;
+   struct dir_info *pool = argpool;
+   struct region_info *r = find(pool, p);
 
-   pool = argpool;
-   r = find(pool, p);
if (r == NULL) {
if (mopts.malloc_mt)  {
+   int i;
+
for (i = 0; i < _MALLOC_MUTEXES; i++) {
if (i == argpool->mutex)
continue;
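Review bot: `findpool` puts `p` before `argpool`, whereas every sibling in this file that the hunk shows (`find(pool, p)`, `ofree(argpool, p, ...)`, `orealloc(argpool, p, ...)`) takes the pool first; `findpool(struct dir_info *argpool, void *p, struct dir_info **foundpool, char **saved_function)` would match the local convention. The new function also needs a short contract comment, because `*foundpool` is always written but `*saved_function` is only assigned in the branch where the region is found in a foreign pool (see the next hunk), so callers may read it only after checking `pool != argpool`. Something like `/* Locate the region for p. Always sets *foundpool (the pool now locked); sets *saved_function only when the region lives in a pool other than argpool. */` above the definition would capture that. findpool's body continues past the end of this hunk.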
@@ -1296,7 +1295,7 @@ ofree(struct dir_info *argpool, void *p,
pool->active++;
r = find(pool, p);
if (r != NULL) {
-   saved_function = pool->func;
+   *saved_function = pool->func;
pool->func = argpool->func;
break;
}
@@ -1305,6 +1304,19 @@ ofree(struct dir_info *argpool, void *p,
if (r == NULL)
wrterror(argpool, "bogus pointer (double free?) %p", p);
}
+   *foundpool = pool;
+   return r;
+}
+
+static void
+ofree(struct dir_info *argpool, void *p, int clear, int check, size_t argsz)
+{
+   struct region_info *r;
+   struct dir_info *pool;
+   char *saved_function;
+   size_t sz;
+
+   r = findpool(p, argpool, , _function);
 
REALSIZE(sz, r);
if (check) {
@@ -1469,48 +1481,24 @@ DEF_WEAK(freezero);
 static void *
 orealloc(struct dir_info *argpool, void *p, size_t newsz, void *f)
 {
-   struct dir_info *pool;
struct region_info *r;
+   struct dir_info *pool;
+   char *saved_function;
struct chunk_info *info;
size_t oldsz, goldsz, gnewsz;
void *q, *ret;
-   char *saved_function;
-   int i;
uint32_t chunknum;
 
-   pool = argpool;
-
if (p == NULL)
-   return omalloc(pool, newsz, 0, f);
+   return omalloc(argpool, newsz, 0, f);
 
-   r = find(pool, p);
-   if (r == NULL) {
-   if (mopts.malloc_mt) {
-   for (i = 0; i < _MALLOC_MUTEXES; i++) {
-   if (i == argpool->mutex)
-   continue;
-   pool->active--;
-   _MALLOC_UNLOCK(pool->mutex);
-   pool = mopts.malloc_pool[i];
-   _MALLOC_LOCK(pool->mutex);
-   pool->active++;
-   r = find(pool, p);
-   if (r != NULL) {
-   saved_function = pool->func;
-   pool->func = argpool->func;
-   break;
-   }
-   }
-   }
-   if (r == NULL)
-   wrterror(argpool, "bogus pointer (double free?) %p", p);
-   }
if (newsz >= SIZE_MAX - mopts.malloc_guard - MALLOC_PAGESIZE) {
errno = ENOMEM;
-   ret = NULL;
-   goto done;
+   return  NULL;
}
 
+   r = findpool(p, argpool, , _function);
+
REALSIZE(oldsz, r);
if (mopts.chunk_canaries && oldsz <= MALLOC_MAXCHUNK) {
info = (struct chunk_info *)r->size;
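Review bot: Moving the `newsz >= SIZE_MAX - ...` check ahead of the `findpool` call changes error precedence: a bogus `p` combined with an oversized `newsz` now returns NULL with ENOMEM, whereas the removed code ran `find` first and would have aborted via `wrterror(argpool, "bogus pointer (double free?) %p", p)`. That ordering is probably what you want, since the early return no longer has to undo a pool switch, but it is a behaviour change worth a line in the commit message. Minor style nit on the same path: `return  NULL;` has a double space. The `, _function` in the findpool call appears to be archive mangling of `&pool, &saved_function` rather than the actual patch text; orealloc's body continues outside this hunk.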
@@ -1745,39 +1733,19 @@ static void *
 orecallocarray(struct dir_info *argpool, void *p, size_t oldsize,
 size_t newsize, void *f)
 {
-   struct dir_info *pool;
struct region_info *r;
+   struct dir_info *pool;
+   char * saved_function;
void *newptr;
size_t sz;
-   int i;
-
-   pool = argpool;
 
if (p == NULL)
-   return omalloc(pool, newsize, 1, f);
+   return omalloc(argpool, newsize, 1, f);
 
if (oldsize == newsize)
return p;
 
-   r = find(pool, p);
-   if (r 

Re: relayd and TLS client cert verification

2018-11-25 Thread Ashe Connor
On Mon, Nov 26, 2018 at 04:29:40PM +1100, Ashe Connor wrote:
> Wonderful.  Here's a first pass at such a patch.

I should add, in addition to the regression test passing, I'm currently
test-running this patch on a live server where client certificates are
mandatory, and it's working well so far.



Re: relayd and TLS client cert verification

2018-11-25 Thread Ashe Connor
On Fri, Nov 23, 2018 at 04:41:21PM +0100, Sebastian Benoit wrote:
> > It appears that relayd doesn't support TLS client certificate validation
> > (in the manner that httpd does with "tls client ca [cafile]").  Would
> > there be interest in a patch that added such support?
> 
> yes, a patch to support client certificates would be welcome.
> 
> /Benno

Wonderful.  Here's a first pass at such a patch.

Ashe

--

Index: usr.sbin/relayd/config.c
===
RCS file: /home/kivikakk/cvsync/root/src/usr.sbin/relayd/config.c,v
retrieving revision 1.36
retrieving revision 1.36.6.1
diff -u -p -r1.36 -r1.36.6.1
--- usr.sbin/relayd/config.c29 Nov 2017 15:24:50 -  1.36
+++ usr.sbin/relayd/config.c24 Nov 2018 16:15:37 -  1.36.6.1
@@ -900,6 +900,15 @@ config_setrelay(struct relayd *env, stru
rlay->rl_conf.name);
return (-1);
}
+   if (rlay->rl_tls_client_ca_fd != -1 &&
+   config_setrelayfd(ps, id, n,
+   rlay->rl_conf.id, RELAY_FD_CLIENTCACERT,
+   rlay->rl_tls_client_ca_fd) == -1) {
+   log_warn("%s: fd passing failed for "
+   "`%s'", __func__,
+   rlay->rl_conf.name);
+   return (-1);
+   }
/* Prevent fd exhaustion in the parent. */
if (proc_flush_imsg(ps, id, n) == -1) {
log_warn("%s: failed to flush "
@@ -945,6 +954,10 @@ config_setrelay(struct relayd *env, stru
close(rlay->rl_tls_ca_fd);
rlay->rl_tls_ca_fd = -1;
}
+   if (rlay->rl_tls_client_ca_fd != -1) {
+   close(rlay->rl_tls_client_ca_fd);
+   rlay->rl_tls_client_ca_fd = -1;
+   }
 
return (0);
 }
@@ -968,6 +981,7 @@ config_getrelay(struct relayd *env, stru
rlay->rl_tls_cert_fd = -1;
rlay->rl_tls_ca_fd = -1;
rlay->rl_tls_cacert_fd = -1;
+   rlay->rl_tls_client_ca_fd = -1;
 
if (ps->ps_what[privsep_process] & CONFIG_PROTOS) {
if (rlay->rl_conf.proto == EMPTY_ID)
@@ -1084,6 +1098,9 @@ config_getrelayfd(struct relayd *env, st
break;
case RELAY_FD_CAFILE:
rlay->rl_tls_cacert_fd = imsg->fd;
+   break;
+   case RELAY_FD_CLIENTCACERT:
+   rlay->rl_tls_client_ca_fd = imsg->fd;
break;
}
 
Index: usr.sbin/relayd/parse.y
===
RCS file: /home/kivikakk/cvsync/root/src/usr.sbin/relayd/parse.y,v
retrieving revision 1.230
retrieving revision 1.230.2.2
diff -u -p -r1.230 -r1.230.2.2
--- usr.sbin/relayd/parse.y 1 Nov 2018 00:18:44 -   1.230
+++ usr.sbin/relayd/parse.y 24 Nov 2018 16:15:37 -  1.230.2.2
@@ -175,7 +175,7 @@ typedef struct {
 %token SNMP SOCKET SPLICE SSL STICKYADDR STYLE TABLE TAG TAGGED TCP TIMEOUT TLS
 %token TO ROUTER RTLABEL TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL RTABLE
 %token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDHE
-%token EDH TICKETS CONNECTION CONNECTIONS ERRORS STATE CHANGES CHECKS
+%token EDH TICKETS CONNECTION CONNECTIONS ERRORS STATE CHANGES CHECKS CLIENT
 %token   STRING
 %token   NUMBER
 %typehostname interface table value optstring
@@ -1246,6 +1246,16 @@ tlsflags : SESSION TICKETS { proto->tick
}
free($3);
}
+   | CLIENT CA STRING  {
+   if (strlcpy(proto->tlsclientca, $3,
+   sizeof(proto->tlsclientca)) >=
+   sizeof(proto->tlsclientca)) {
+   yyerror("tlsclientca truncated");
+   free($3);
+   YYERROR;
+   }
+   free($3);
+   }
| NO flag   { proto->tlsflags &= ~($2); }
| flag  { proto->tlsflags |= $1; }
;
@@ -1687,6 +1697,7 @@ relay : RELAY STRING  {
r->rl_tls_cert_fd = -1;
r->rl_tls_ca_fd = -1;
r->rl_tls_cacert_fd = -1;
+   r->rl_tls_client_ca_fd = -1;
TAILQ_INIT(>rl_tables);
if (last_relay_id == INT_MAX) {
yyerror("too many relays defined");
@@ -2241,6 +2252,7 @@ lookup(char *s)
{ "check",  CHECK },
 

Re: Add Colemak keyboard encoding

2018-11-25 Thread Aaron Bieber
On Tue, 20 Nov 2018 at 19:36:55 -0700, Aaron Bieber wrote:
> On Fri, 16 Nov 2018 at 07:02:42 -0700, Aaron Bieber wrote:
> > On Fri, 16 Nov 2018 at 06:55:09 -0700, Aaron Bieber wrote:
> > > Hi,
> > >
> > > This diff is based off a diff Geert Hendrickx sent to bugs@ back in 2009. 
> > > I
> > > have updated it to add the 'swapctrlcaps' bit and removed the xenocara 
> > > diff.
> > >
> > > https://marc.info/?l=openbsd-bugs=124284599329729
> > >
> > > Not sure if this didn't land because it was sent to bugs@ or if there are 
> > > other
> > > reasons. Please cluestick me if you know!
> > >
> > > OK?
> > >
> >
>
> Here is a much cleaner version of the diff which adds proper man
> entries and only modifies the keys that are different from KB_US.
>
> OK?

Ok, here is the latest version, it:

 - Fixes ukbdmap issue I had in the previous diff (spotted by
   thfr). Also ukbdmap's diff is generated via the make target.
 - Includes a diff for xenocara to add a colemak variant.

To test:

 - Apply, Build kernel / reboot
 - # cd /usr/src && make includes
 - # cd /usr/src/sbin/wsconsctl && make obj && make && make install
 - # wsconsctl keyboard.encoding=us.colemak

To test with xenocara:

  - Do above steps
  - Apply xenocara diff
  - Build xenocara as per README
  - Restart X

diff --git a/share/man/man4/pckbd.4 b/share/man/man4/pckbd.4
index 45ad55d8765..0135c715bc0 100644
--- a/share/man/man4/pckbd.4
+++ b/share/man/man4/pckbd.4
@@ -162,6 +162,11 @@ British.
 .It KB_US
 .Pq us
 English/US keyboard mapping (default).
+.It KB_US | KB_COLEMAK
+.Pq us.colemak
+English/US keyboard with
+.Dq Colemak
+layout.
 .It KB_US | KB_DECLK
 .Pq us.declk
 English/US mapping for
@@ -180,7 +185,8 @@ variant.
 This switches off the
 .Dq dead accents .
 .Pp
-The KB_BE, KB_FR, KB_FR | KB_DVORAK, KB_JP, KB_UK, KB_US and KB_US | KB_DVORAK
+The KB_BE, KB_FR, KB_FR | KB_DVORAK, KB_JP, KB_UK, KB_US,
+KB_US | KB_DVORAK and KB_US | KB_COLEMAK
 mappings can be modified
 to swap the left Control and the Caps Lock keys by the
 KB_SWAPCTRLCAPS variant bit or the
diff --git a/share/man/man4/ukbd.4 b/share/man/man4/ukbd.4
index af218fa0910..211516596dd 100644
--- a/share/man/man4/ukbd.4
+++ b/share/man/man4/ukbd.4
@@ -198,6 +198,11 @@ British.
 .It KB_US
 .Pq us
 English/US keyboard mapping (default).
+.It KB_US | KB_COLEMAK
+.Pq us.colemak
+English/US keyboard with
+.Dq Colemak
+layout.
 .It KB_US | KB_DVORAK
 .Pq us.dvorak
 English/US keyboard with
@@ -212,8 +217,8 @@ variant.
 This switches off the
 .Dq dead accents .
 .Pp
-The KB_BE, KB_FR, KB_FR | KB_APPLE, KB_FR | KB_DVORAK, KB_JP, KB_UK, KB_US and
-KB_US | KB_DVORAK
+The KB_BE, KB_FR, KB_FR | KB_APPLE, KB_FR | KB_DVORAK, KB_JP, KB_UK, KB_US,
+KB_US | KB_DVORAK and KB_US | KB_COLEMAK
 mappings can be modified
 to swap the left Control and the Caps Lock keys by the
 KB_SWAPCTRLCAPS variant bit or the
diff --git a/sys/dev/pckbc/wskbdmap_mfii.c b/sys/dev/pckbc/wskbdmap_mfii.c
index d10a909eece..8708ef96e11 100644
--- a/sys/dev/pckbc/wskbdmap_mfii.c
+++ b/sys/dev/pckbc/wskbdmap_mfii.c
@@ -597,6 +597,27 @@ static const keysym_t pckbd_keydesc_us_dvorak[] = {
 KC(53),KS_z,
 };

+static const keysym_t pckbd_keydesc_us_colemak[] = {
+/*  pos  command   normal  shifted */
+KC(18),KS_f,
+KC(19),KS_p,
+KC(20),KS_g,
+KC(21),KS_j,
+KC(22),KS_l,
+KC(23),KS_u,
+KC(24),KS_y,
+KC(25),KS_semicolon,   KS_colon,
+KC(31),KS_r,
+KC(32),KS_s,
+KC(33),KS_t,
+KC(34),KS_d,
+KC(36),KS_n,
+KC(37),KS_e,
+KC(38),KS_i,   KS_I,
+KC(39),KS_o,
+KC(49),KS_k,
+};
+
 static const keysym_t pckbd_keydesc_swapctrlcaps[] = {
 /*  pos  command   normal  shifted */
 KC(29),KS_Caps_Lock,
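Review bot: `KC(38), KS_i, KS_I,` is the only letter entry in the new `pckbd_keydesc_us_colemak` table that spells out its shifted keysym; the other sixteen letter entries, like the `pckbd_keydesc_us_dvorak` table above it, leave the shifted column empty and rely on the default upper-casing. For consistency either drop the explicit `KS_I` or give every letter its shifted form, so a reader does not wonder whether position 38 is special. The explicit `KS_semicolon, KS_colon` pair is fine since a non-letter needs it.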
@@ -1129,6 +1150,7 @@ const struct wscons_keydesc pckbd_keydesctab[] = {
KBD_MAP(KB_NO | KB_NODEAD,  KB_NO,  pckbd_keydesc_no_nodead),
KBD_MAP(KB_US | KB_DECLK,   KB_US,  pckbd_keydesc_us_declk),
KBD_MAP(KB_US | KB_DVORAK,  KB_US,  pckbd_keydesc_us_dvorak),
+   KBD_MAP(KB_US | KB_COLEMAK, KB_US,  pckbd_keydesc_us_colemak),
KBD_MAP(KB_US | KB_SWAPCTRLCAPS, KB_US, pckbd_keydesc_swapctrlcaps),
KBD_MAP(KB_US | KB_IOPENER, KB_US,  pckbd_keydesc_iopener),
KBD_MAP(KB_UK | KB_SWAPCTRLCAPS, KB_UK, pckbd_keydesc_swapctrlcaps),
@@ -1139,6 +1161,8 @@ const struct wscons_keydesc pckbd_keydesctab[] = {
KBD_MAP(KB_BE | KB_SWAPCTRLCAPS, KB_BE, pckbd_keydesc_swapctrlcaps),
KBD_MAP(KB_US | KB_DVORAK | KB_SWAPCTRLCAPS,KB_US | KB_DVORAK,
pckbd_keydesc_swapctrlcaps),
+   

decode snmpv3 in tcpdump

2018-11-25 Thread Jonathan Matthew
I'm implementing snmpv3 in our erlang snmp client at the moment, so I thought
it'd be nice if tcpdump was able to understand it too.  I've roughly copied the
output formatting from tcpdump.org tcpdump, but the code is all my own work.
Unlike the other tcpdump, this just says '[PDU encrypted]' for encrypted
packets rather than complaining it got the wrong object type for the PDU.

ok?


Index: print-snmp.c
===
RCS file: /cvs/src/usr.sbin/tcpdump/print-snmp.c,v
retrieving revision 1.23
diff -u -p -r1.23 print-snmp.c
--- print-snmp.c20 Sep 2018 12:23:13 -  1.23
+++ print-snmp.c26 Nov 2018 01:36:38 -
@@ -321,7 +321,17 @@ struct be {
  * Defaults for SNMP PDU components
  */
 #define DEF_COMMUNITY "public"
-#define DEF_VERSION 1
+#define SNMPV1_VERSION 0
+#define SNMPV2_VERSION 1
+#define SNMPV3_VERSION 3
+
+/*
+ * SNMPv3 message flags
+ */
+#define SNMPV3_FLAG_AUTH 1
+#define SNMPV3_FLAG_PRIV 2
+
+#define SNMPV3_SEC_USM 3
 
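Review bot: The new `SNMPV3_FLAG_AUTH`/`SNMPV3_FLAG_PRIV` and `SNMPV3_SEC_USM` constants are bare numbers without saying where they come from; a comment such as `/* msgFlags bits (RFC 3412 6.2): authFlag, privFlag; securityModel 3 is USM */` next to them would help the next reader. `SNMPV2_VERSION 1` is the version field of SNMPv2c specifically, so naming it `SNMPV2C_VERSION` would be more precise. `DEF_VERSION` is removed here, so any remaining reference elsewhere in the file would fail to compile; the rest of this diff is cut off in this view, so I could not confirm every user was updated.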
 /*
  * constants for ASN.1 decoding
@@ -762,6 +772,32 @@ asn1_decode(u_char *p, u_int length)
  * community OCTET STRING,
  * data ANY-- PDUs
  * }
+ *
+ * SNMPv3 header
+ * SEQUENCE {
+ * version INTEGER {version-3(3)},
+ * header SEQUENCE {
+ * msgID INTEGER,
+ * msgMaxSize INTEGER,
+ * msgFlags OCTET STRING,
+ * msgSecurityModel INTEGER {sec-usm(3)}
+ * },
+ * msgSecurityParameters OCTET STRING,
+ * scopedPDU SEQUENCE {
+ * contextEngineID OCTET STRING,
+ * contextName OCTET STRING,
+ * data ANY-- PDUs
+ * }
+ * }
+ * SNMPv3 USM parameters (msgSecurityParameters)
+ * SEQUENCE {
+ * engineID OCTET STRING,
+ * engineBoots INTEGER,
+ * engineTime INTEGER,
+ * username OCTET STRING,
+ * auth OCTET STRING,
+ * privacy OCTET STRING
+ * }
  * PDUs for all but Trap: (see rfc1157 from page 15 on)
  * SEQUENCE {
  * request-id INTEGER,
@@ -1032,6 +1068,254 @@ trap_print(const u_char *np, u_int lengt
return;
 }
 
+static int
+snmpv3_print_usm(const u_char *np, u_int length)
+{
+   struct be elem;
+   int count;
+
+   /* usm Sequence */
+   if ((count = asn1_parse(np, length, )) < 0)
+   return (1);
+   if (elem.type != BE_SEQ) {
+   fputs("[!usm SEQ]", stdout);
+   asn1_print();
+   return (1);
+   }
+
+   /* descend */
+   length = elem.asnlen;
+   np = (u_char *)elem.data.raw;
+
+   /* engineID */
+   if ((count = asn1_parse(np, length, )) < 0)
+   return (1);
+   if (elem.type != BE_STR) {
+   fputs("[!engineID STR]", stdout);
+   asn1_print();
+   return (1);
+   }
+   np += count;
+   length -= count;
+
+   /* engineBoots */
+   if ((count = asn1_parse(np, length, )) < 0)
+   return (1);
+   if (elem.type != BE_INT) {
+   fputs("[!engineBoots INT]", stdout);
+   asn1_print();
+   return (1);
+   }
+   np += count;
+   length -= count;
+
+   /* engineTime */
+   if ((count = asn1_parse(np, length, )) < 0)
+   return (1);
+   if (elem.type != BE_INT) {
+   fputs("[!engineTime INT]", stdout);
+   asn1_print();
+   return (1);
+   }
+   np += count;
+   length -= count;
+
+   /* username */
+   if ((count = asn1_parse(np, length, )) < 0)
+   return (1);
+   if (elem.type != BE_STR) {
+   fputs("[!username STR]", stdout);
+   asn1_print();
+   return (1);
+   }
+   printf("U=%.*s ", (int)elem.asnlen, elem.data.str);
+   np += count;
+   length -= count;
+
+   /* auth and privacy follow, but we don't need to look */
+   return (0);
+}
+
+static int
+snmpv3_print_header(const u_char *np, u_int length, int *encrypted)
+{
+   struct be elem;
+   int count;
+
+   /* msgID */
+   if ((count = asn1_parse(np, length, )) < 0)
+   return (1);
+   if (elem.type != BE_INT) {
+   fputs("[!msgID INT]", stdout);
+   asn1_print();
+   return (1);
+   }
+   np += count;
+   length -= count;
+
+   /* msgMaxSize */
+   if ((count = asn1_parse(np, length, )) < 0)
+   return (1);
+   if (elem.type != BE_INT) {
+   fputs("[!msgMaxSize INT]", stdout);
+   asn1_print();
+   return (1);
+   }
+   np += count;
+   length -= count;
+
+   /* msgFlags */
+   if ((count = asn1_parse(np, length, )) < 0)
+   return (1);
+   if 

option kcov + GENERIC.MP -> silent crash

2018-11-25 Thread Greg Steuck
Hi Anton,

I tried to boot a kernel with kcov based on GENERIC.MP and the machine
reboots without a peep immediately after

vmm0 at mainbus0: VMX (using slow L1TF mitigation)

Switching off either of kcov or MP results in normally working kernels. I'm
attaching two concatenated dmesgs. The effect is reproducible on real HW
and on GCE VM. Broken config is just:
$ cat /sys/arch/amd64/conf/SYZKALLER
include "arch/amd64/conf/GENERIC.MP"
pseudo-device kcov 1

Disabling either vmm or kcov in broken kernel UKC doesn't prevent crashes.

Thanks
Greg

-- 
nest.cx is Gmail hosted, use PGP for anything private. Key:
http://goo.gl/6dMsr
Fingerprint: 5E2B 2D0E 1E03 2046 BEC3  4D50 0B15 42BD 8DF5 A1B0
OpenBSD 6.4-current (SYZKALLER) #0: Sun Nov 25 09:45:27 PST 2018
syzkaller@ci-openbsd.syzkaller:/usr/src/sys/arch/amd64/compile/SYZKALLER
real mem = 4277010432 (4078MB)
avail mem = 4136632320 (3945MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf0100 (38 entries)
bios0: vendor Award Software International, Inc. version "F10" date 11/07/2008
bios0: Gigabyte Technology Co., Ltd. EP45-DS3L
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP EUDS HPET MCFG APIC SSDT SSDT SSDT SSDT SSDT
acpi0: wakeup devices PEX0(S5) PEX1(S5) PEX2(S5) PEX3(S5) PEX4(S5) PEX5(S5) 
HUB0(S5) UAR1(S1) IGBE(S4) USB0(S1) USB1(S1) USB2(S1) USB3(S1) US31(S1) 
USB4(S1) USB5(S1) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-63
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz, 3000.09 MHz, 06-17-06
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN
cpu0: 6MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 333MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
 16-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins, remapped
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (PEX0)
acpiprt2 at acpi0: bus -1 (PEX1)
acpiprt3 at acpi0: bus -1 (PEX2)
acpiprt4 at acpi0: bus 3 (PEX3)
acpiprt5 at acpi0: bus 5 (PEX4)
acpiprt6 at acpi0: bus 6 (PEX5)
acpiprt7 at acpi0: bus 7 (HUB0)
acpicpu0 at acpi0: !C3(100@150 io@0x416), !C2(500@1 io@0x414), C1(1000@1 halt), 
FVS, 3000, 2000 MHz
acpicpu1 at acpi0: !C3(100@150 io@0x416), !C2(500@1 io@0x414), C1(1000@1 halt), 
FVS, 3000, 2000 MHz
acpibtn0 at acpi0: PWRB
acpipci0 at acpi0 PCI0: _OSC failed
acpicmos0 at acpi0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel G45 Host" rev 0x02
ppb0 at pci0 dev 1 function 0 "Intel G45 PCIE" rev 0x02: msi
pci1 at ppb0 bus 1
radeondrm0 at pci1 dev 0 function 0 "ATI Radeon Mobility HD 5470" rev 0x00
drm0 at radeondrm0
radeondrm0: msi
azalia0 at pci1 dev 0 function 1 "ATI Radeon HD 5470 Audio" rev 0x00: msi
azalia0: no supported codecs
uhci0 at pci0 dev 26 function 0 "Intel 82801JI USB" rev 0x00: apic 2 int 16
uhci1 at pci0 dev 26 function 1 "Intel 82801JI USB" rev 0x00: apic 2 int 21
uhci2 at pci0 dev 26 function 2 "Intel 82801JI USB" rev 0x00: apic 2 int 18
ehci0 at pci0 dev 26 function 7 "Intel 82801JI USB" rev 0x00: apic 2 int 18
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
azalia1 at pci0 dev 27 function 0 "Intel 82801JI HD Audio" rev 0x00: msi
azalia1: codecs: Realtek ALC888
audio0 at azalia1
ppb1 at pci0 dev 28 function 0 "Intel 82801JI PCIE" rev 0x00: msi
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 3 "Intel 82801JI PCIE" rev 0x00: msi
pci3 at ppb2 bus 3
ppb3 at pci3 dev 0 function 0 "PLX PEX 8111" rev 0x21
pci4 at ppb3 bus 4
puc0 at pci4 dev 0 function 0 "NetMos Nm9835" rev 0x01: ports: 15 com, 1 lpt
com4 at puc0 port 0 apic 2 int 19: ns16550a, 16 byte fifo
com5 at puc0 port 1 apic 2 int 19: ns16550a, 16 byte fifo
lpt1 at puc0 port 2 apic 2 int 19
ppb4 at pci0 dev 28 function 4 "Intel 82801JI PCIE" rev 0x00: msi
pci5 at ppb4 bus 5
jmb0 at pci5 dev 0 function 0 "JMicron JMB368 IDE" rev 0x00
pciide0 at jmb0: DMA, channel 0 wired to native-PCI, channel 1 wired to 
native-PCI
pciide0: using apic 2 int 16 for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 381554MB, 781422768 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 disabled (no drives)
ppb5 at pci0 dev 28 function 5 "Intel 82801JI PCIE" rev 0x00: msi
pci6 at ppb5 bus 6
re0 at pci6 dev 0 function 0 "Realtek 8168" rev 0x02: RTL8168C/8111C (0x3c00), 
msi, address 00:1f:d0:xx:xx:xx
rgephy0 at re0 phy 7: RTL8169S/8110S/8211 PHY, rev. 2

Re: pvclock(4)

2018-11-25 Thread Reyk Floeter


> Am 25.11.2018 um 05:02 schrieb Greg Steuck :
> 
> I realize this report is practically useless, but better out than in 
> (according to Shrek).
> I found this in the logs of my GCE VM running syzkaller bot. No further 
> details were preserved...
> 
> 2018/11/24 09:53:48 ci-openbsd-main: poll: 
> 94bf4886dbb69e9fbf0f92f975fc23f16fc5c80f
> 2018/11/24 09:53:48 ci-openbsd-main: building kernel...
> 2018/11/24 09:54:03 ci-openbsd-main: testing image...
> 2018/11/24 10:04:07 ci-openbsd-main: VM boot failed with: panic: pvclock0: 
> unstable result on stable clock
> 
> The host is running
> OpenBSD 6.4-current (GENERIC.MP) #456: Tue Nov 20 08:46:59 MST 2018
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> 
> The VM kernel at the time was built at "zap 10 tab leading whitespace before 
> 'struct evp_pkey_ctx_st {'", so maybe "only attach pvclock(4) inside a KVM 
> guest" would've fixed it?

Yes, correct. Sorry for that glitch.

Reyk