Date:      Tue, 21 May 2019 22:15:09 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 238034] Use after free in constty_timeout
Message-ID:  <bug-238034-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238034

            Bug ID: 238034
           Summary: Use after free in constty_timeout
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: Andrew@FreeBSD.org

I received the following from syzkaller. I think it's related to posix_openpt,
but don't have a reproducer. I have the kernel and core dump.

Fatal trap 9: general protection fault while in kernel mode
cpuid = 0; apic id = 00
instruction pointer     = 0x20:0xffffffff81001008
stack pointer           = 0x28:0xfffffe000c95a870
frame pointer           = 0x28:0xfffffe000c95a8c0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi4: clock (0))
trap number             = 9
panic: general protection fault
cpuid = 0
time = 1558476172
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe000c95a540
vpanic() at vpanic+0x1e0/frame 0xfffffe000c95a5a0
panic() at panic+0x43/frame 0xfffffe000c95a600
trap_fatal() at trap_fatal+0x4c6/frame 0xfffffe000c95a680
trap() at trap+0xba/frame 0xfffffe000c95a7a0
calltrap() at calltrap+0x8/frame 0xfffffe000c95a7a0
--- trap 0x9, rip = 0xffffffff81001008, rsp = 0xfffffe000c95a870, rbp = 0xfffffe000c95a8c0 ---
__mtx_lock_flags() at __mtx_lock_flags+0x98/frame 0xfffffe000c95a8c0
constty_timeout() at constty_timeout+0x36/frame 0xfffffe000c95a8e0
softclock_call_cc() at softclock_call_cc+0x1dd/frame 0xfffffe000c95a9b0
softclock() at softclock+0xa3/frame 0xfffffe000c95a9f0
ithread_loop() at ithread_loop+0x2f2/frame 0xfffffe000c95aa60
fork_exit() at fork_exit+0xb0/frame 0xfffffe000c95aab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe000c95aab0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
Uptime: 1m0s
netdump: overwriting mbuf zone pointers
netdump in progress. searching for server...
netdumping to 169.254.0.1 (02:82:93:04:a7:00)
Dumping 101 out of 465 MB:..16%..32%..48%..64%..80%..95%

__curthread () at /usr/home/andrew/head-git/sys/amd64/include/pcpu.h:246
246             __asm("movq %%gs:%P1,%0" : "=r" (td) : "n"
(OFFSETOF_CURTHREAD));
(kgdb) bt
#0  __curthread () at /usr/home/andrew/head-git/sys/amd64/include/pcpu.h:246
#1  doadump (textdump=1) at
/usr/home/andrew/head-git/sys/kern/kern_shutdown.c:383
#2  0xffffffff81032217 in kern_reboot (howto=260) at
/usr/home/andrew/head-git/sys/kern/kern_shutdown.c:470
#3  0xffffffff81032825 in vpanic (fmt=<optimized out>, ap=<optimized out>) at
/usr/home/andrew/head-git/sys/kern/kern_shutdown.c:896
#4  0xffffffff81032473 in panic (fmt=<unavailable>) at
/usr/home/andrew/head-git/sys/kern/kern_shutdown.c:823
#5  0xffffffff816d13d6 in trap_fatal (frame=0xfffffe000c95a7b0, eva=0) at
/usr/home/andrew/head-git/sys/amd64/amd64/trap.c:946
#6  0xffffffff816d004a in trap (frame=<optimized out>) at
/usr/home/andrew/head-git/sys/amd64/amd64/trap.c:218
#7  <signal handler called>
#8  __mtx_lock_flags (c=<optimized out>, opts=0, file=0xffffffff81998af3
"/usr/home/andrew/head-git/sys/kern/kern_cons.c", line=608)
    at /usr/home/andrew/head-git/sys/kern/kern_mutex.c:244
#9  0xffffffff80fa3336 in constty_timeout (arg=<optimized out>) at
/usr/home/andrew/head-git/sys/kern/kern_cons.c:608
#10 0xffffffff81058ddd in softclock_call_cc (c=<optimized out>,
cc=0xffffffff8271dd00 <cc_cpu>, direct=0)
    at /usr/home/andrew/head-git/sys/kern/kern_timeout.c:731
#11 0xffffffff81059343 in softclock (arg=0xffffffff8271dd00 <cc_cpu>) at
/usr/home/andrew/head-git/sys/kern/kern_timeout.c:869
#12 0xffffffff80fd6f72 in intr_event_execute_handlers (p=<optimized out>,
ie=<optimized out>) at /usr/home/andrew/head-git/sys/kern/kern_intr.c:1148
#13 ithread_execute_handlers (p=<optimized out>, ie=<optimized out>) at
/usr/home/andrew/head-git/sys/kern/kern_intr.c:1161
#14 ithread_loop (arg=<optimized out>) at
/usr/home/andrew/head-git/sys/kern/kern_intr.c:1241
#15 0xffffffff80fd23d0 in fork_exit (callout=0xffffffff80fd6c80 <ithread_loop>,
arg=0xfffff800031b2000, frame=0xfffffe000c95aac0)
    at /usr/home/andrew/head-git/sys/kern/kern_fork.c:1056
#16 <signal handler called>
(kgdb) up 8
#8  __mtx_lock_flags (c=<optimized out>, opts=0, file=0xffffffff81998af3
"/usr/home/andrew/head-git/sys/kern/kern_cons.c", line=608)
    at /usr/home/andrew/head-git/sys/kern/kern_mutex.c:244
244             KASSERT(m->mtx_lock != MTX_DESTROYED,
(kgdb) p m
$2 = (struct mtx *) 0xdeadc0dedeadc0de

-- 
You are receiving this mail because:
You are the assignee for the bug.