On Fri, Feb 25, 2022 at 01:36:01AM -0700, Philip Guenther wrote: > CVSROOT: /cvs > Module name: src > Changes by: guent...@cvs.openbsd.org 2022/02/25 01:36:01 > > Modified files: > sys/kern : sys_socket.c uipc_proto.c uipc_socket.c > uipc_socket2.c uipc_usrreq.c > sys/net : if.c pfkeyv2.c rtsock.c > sys/netinet : in_proto.c ip_divert.c ip_divert.h ip_gre.c > ip_gre.h ip_var.h raw_ip.c tcp_usrreq.c > tcp_var.h udp_usrreq.c udp_var.h > sys/netinet6 : in6_proto.c ip6_divert.c ip6_divert.h ip6_var.h > raw_ip6.c > sys/sys : protosw.h unpcb.h > > Log message: > Move pr_attach and pr_detach to a new structure pr_usrreqs that can > then be shared among protosw structures, following the same basic > direction as NetBSD and FreeBSD for this. > > Split PRU_CONTROL out of pr_usrreq into pru_control, giving it the > proper prototype to eliminate the previously necessary casts. > > ok mvs@ bluhm@
Looks like syzkaller found a NULL pointer dereference. syzbot has found a reproducer for the following issue on: HEAD commit: 307d7537791b For add-path send the Adj-RIB-Out needs to ha.. git tree: openbsd console output: https://syzkaller.appspot.com/x/log.txt?x=1430cac1700000 kernel config: https://syzkaller.appspot.com/x/.config?x=bf87b6915a88cd0d dashboard link: https://syzkaller.appspot.com/bug?extid=1b5b209ce506db4d411d syz repro: https://syzkaller.appspot.com/x/repro.syz?x=132bcada700000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12a7ce8e700000 IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+1b5b209ce506db4d4...@syzkaller.appspotmail.com login: uvm_fault(0xfffffd806ef62cf8, 0x0, 0, 1) -> e kernel: page fault trap, code=0 Stopped at socreate+0x84: cmpq $0,0(%rax) TID PID UID PRFLAGS PFLAGS CPU COMMAND *374824 49792 0 0x2 0 0 syz-executor1478983127 300360 36893 0 0x12 0x8 1K sshd socreate(18,ffff8000211c2c78,0,29) at socreate+0x84 sys/kern/uipc_socket.c:172 sys_socket(ffff8000ffff62b0,ffff8000211c2d08,ffff8000211c2d60) at sys_socket+0xd8 sys/kern/uipc_syscalls.c:96 syscall(ffff8000211c2dd0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff8000211c2dd0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7fffff9b40, count: 11 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. 
ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: uvm_fault(0xfffffd806ef62cf8, 0x0, 0, 1) -> e ddb{0}> trace socreate(18,ffff8000211c2c78,0,29) at socreate+0x84 sys/kern/uipc_socket.c:172 sys_socket(ffff8000ffff62b0,ffff8000211c2d08,ffff8000211c2d60) at sys_socket+0xd8 sys/kern/uipc_syscalls.c:96 syscall(ffff8000211c2dd0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff8000211c2dd0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7fffff9b40, count: -4 ddb{0}> show registers rdi 0 rsi 0 rbp 0xffff8000211c2c60 rbx 0x18 rdx 0 rcx 0x29 rax 0 r8 0xffffffff81e690f0 uvm_map_inentry_pc r9 0xa r10 0 r11 0xff4ca2198e98d0e6 r12 0xffff8000211c2c78 r13 0xffffffff8288cca0 inet6sw r14 0 r15 0x29 rip 0xffffffff81e82144 socreate+0x84 cs 0x8 rflags 0x10286 __ALIGN_SIZE+0xf286 rsp 0xffff8000211c2c00 ss 0x10 socreate+0x84: cmpq $0,0(%rax) ddb{0}> show proc PROC (syz-executor1478983127) pid=374824 stat=onproc flags process=2<EXEC> proc=0 pri=50, usrpri=50, nice=20 forw=0xffffffffffffffff, list=0xffff8000ffff6d30,0xffffffff82a987b8 process=0xffff80002116e150 user=0xffff8000211bd000, vmspace=0xfffffd806ef62cf8 estcpu=0, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND *49792 374824 62493 0 7 0x2 syz-executor1478983127 62493 206950 36893 0 3 0x10008a sigsusp ksh 36893 300360 1719 0 7 0x1a sshd 18267 183592 1 0 3 0x100083 ttyin getty 1719 28545 1 0 3 0x88 kqread sshd 31656 15563 85615 73 3 0x1100090 kqread syslogd 85615 109054 1 0 3 0x100082 netio syslogd 33819 416901 1 0 3 0x100080 kqread resolvd 16368 472675 3428 77 3 0x100092 kqread dhcpleased 67183 51725 3428 77 3 0x100092 kqread dhcpleased 3428 313927 1 0 3 0x80 kqread dhcpleased 99050 12226 0 0 3 0x14200 bored smr 80536 131786 0 0 3 0x14200 pgzero zerothread 88852 165019 0 0 3 0x14200 aiodoned aiodoned 44153 3190 0 0 3 0x14200 syncer update 30241 461732 0 0 3 0x14200 
cleaner cleaner 98907 442510 0 0 3 0x14200 reaper reaper 69633 386976 0 0 3 0x14200 pgdaemon pagedaemon 7063 335446 0 0 3 0x14200 bored viomb 20444 13325 0 0 3 0x40014200 acpi0 acpi0 31865 351874 0 0 3 0x40014200 idle1 48745 505016 0 0 2 0x14200 softnet 23809 192922 0 0 3 0x14200 bored systqmp 67036 318524 0 0 3 0x14200 bored systq 55442 191440 0 0 3 0x40014200 bored softclock 63046 353256 0 0 3 0x40014200 idle0 1 433807 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 49792 (syz-executor1478983127) thread 0xffff8000ffff62b0 (374824) exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82abcc60) #0 witness_lock+0x44d #1 kpageflttrap+0x23d sys/arch/amd64/amd64/trap.c:274 #2 kerntrap+0xef sys/arch/amd64/amd64/trap.c:318 #3 alltraps_kern_meltdown+0x7b #4 socreate+0x84 sys/kern/uipc_socket.c:172 #5 sys_socket+0xd8 sys/kern/uipc_syscalls.c:96 #6 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #6 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #7 Xsyscall+0x128 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10143 6388K 6419K 78643K 11233 0 pcb 13 8K 8K 78643K 13 0 rtable 62 2K 2K 78643K 108 0 ifaddr 24 7K 7K 78643K 24 0 counters 40 33K 33K 78643K 40 0 ioctlops 0 0K 2K 78643K 25 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 5 0 vnodes 1166 73K 73K 78643K 1179 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 1K 78643K 2 0 VM map 2 1K 1K 78643K 2 0 sem 2 0K 0K 78643K 2 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 1 0K 0K 78643K 1 0 proc 55 74K 75K 78643K 226 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 in_multi 11 0K 0K 78643K 11 0 ether_multi 1 0K 0K 78643K 1 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 25 122K 122K 78643K 25 0 exec 0 0K 2K 78643K 391 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM 
amap 71 3K 5K 78643K 1965 0 UVM aobj 3 2K 2K 78643K 3 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 NDP 3 0K 0K 78643K 3 0 temp 19 4686K 4749K 78643K 3021 0 kqueue 11 16K 18K 78643K 24 0 SYN cache 2 16K 16K 78643K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 22 0 0 1 0 1 1 0 8 0 rtpcb 120 17 0 14 1 0 1 1 0 8 0 rtentry 112 23 0 1 1 0 1 1 0 8 0 unpcb 136 33 0 20 1 0 1 1 0 8 0 syncache 296 5 0 5 2 1 1 1 0 8 1 tcpcb 736 8 0 5 1 0 1 1 0 8 0 arp 120 2 0 0 1 0 1 1 0 8 0 inpcb 304 25 0 19 1 0 1 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 97 0 0 7 0 7 7 0 8 0 art_table 32 98 0 0 1 0 1 1 0 8 0 art_node 16 22 0 2 1 0 1 1 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 1415 0 38 87 0 87 87 0 8 0 ffsino 272 1415 0 38 92 0 92 92 0 8 0 nchpl 144 1590 0 47 58 0 58 58 0 8 0 uvmvnodes 80 1424 0 0 30 0 30 30 0 8 0 vnodes 224 1424 0 0 84 0 84 84 0 8 0 namei 1024 4131 0 4131 2 1 1 1 0 8 1 percpumem 16 32 0 0 1 0 1 1 0 8 0 scxspl 216 3732 0 3732 3 2 1 2 0 8 1 plimitpl 152 15 0 9 1 0 1 1 0 8 0 sigapl 424 292 0 265 4 0 4 4 0 8 0 knotepl 120 48 0 0 2 0 2 2 0 8 0 kqueuepl 216 20 0 13 1 0 1 1 0 8 0 pipepl 336 79 0 76 2 1 1 1 0 8 0 fdescpl 496 278 0 265 3 0 3 3 0 8 0 filepl 152 1010 0 957 3 0 3 3 0 8 0 lockfpl 104 6 0 4 1 0 1 1 0 8 0 lockfspl 48 4 0 2 1 0 1 1 0 8 0 sessionpl 144 17 0 9 1 0 1 1 0 8 0 pgrppl 48 17 0 9 1 0 1 1 0 8 0 ucredpl 96 64 0 54 1 0 1 1 0 8 0 zombiepl 144 265 0 265 2 1 1 1 0 8 1 processpl 1064 292 0 265 3 0 3 3 0 8 0 procpl 672 292 0 265 3 0 3 3 0 8 0 sockpl 480 75 0 53 4 1 3 4 0 8 0 mcl8k 8192 2 0 0 1 0 1 1 0 8 0 mcl4k 4096 3 0 0 1 0 1 1 0 8 0 mcl2k 2048 63 0 0 8 0 8 8 0 8 0 mtagpl 96 2 0 0 1 0 1 1 0 8 0 mbufpl 256 115 0 0 7 0 7 7 0 8 0 bufpl 288 1938 0 88 133 0 133 133 0 8 0 anonpl 24 38297 0 36253 15 1 14 15 0 186 0 amapchunkpl 152 3610 0 3485 7 1 6 7 0 158 0 amappl16 200 25 0 25 1 1 0 1 0 8 0 amappl15 192 59 0 56 1 0 1 1 0 8 0 amappl13 176 32 0 31 2 1 1 1 0 8 0 amappl12 
168 23 0 22 1 0 1 1 0 8 0 amappl11 160 54 0 44 1 0 1 1 0 8 0 amappl10 152 13 0 13 1 1 0 1 0 8 0 amappl9 144 450 0 448 1 0 1 1 0 8 0 amappl8 136 341 0 338 1 0 1 1 0 8 0 amappl7 128 61 0 58 1 0 1 1 0 8 0 amappl6 120 108 0 95 1 0 1 1 0 8 0 amappl5 112 164 0 155 1 0 1 1 0 8 0 amappl4 104 578 0 558 1 0 1 1 0 8 0 amappl3 96 112 0 103 1 0 1 1 0 8 0 amappl2 88 338 0 300 1 0 1 1 0 8 0 amappl1 80 8150 0 7795 10 1 9 9 0 8 0 amappl 88 1713 0 1657 2 0 2 2 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 2 0 0 1 0 1 1 0 8 0 uaddrrnd 24 278 0 265 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 278 0 265 1 0 1 1 0 8 0 vmmpekpl 168 5878 0 5863 1 0 1 1 0 8 0 vmmpepl 168 24556 0 23790 46 8 38 43 0 357 1 vmsppl 368 277 0 265 2 0 2 2 0 8 0 rwobjpl 56 8974 0 7038 30 1 29 29 0 8 1 pdppl 4096 563 0 530 51 18 33 41 0 8 0 pvpl 32 123639 0 119843 40 6 34 40 0 265 0 pmappl 248 277 0 265 2 1 1 2 0 8 0 extentpl 40 58 0 38 1 0 1 1 0 8 0 phpool 112 401 0 22 11 0 11 11 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace socreate(18,ffff8000211c2c78,0,29) at socreate+0x84 sys/kern/uipc_socket.c:172 sys_socket(ffff8000ffff62b0,ffff8000211c2d08,ffff8000211c2d60) at sys_socket+0xd8 sys/kern/uipc_syscalls.c:96 syscall(ffff8000211c2dd0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff8000211c2dd0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7fffff9b40, count: -4 ddb{0}> machine ddbcpu 1