Re: panic: kmem_free(ADDR, NUM) != allocated size NUM; overwrote?

To: syzkaller-netbsd-bugs%googlegroups.com@localhost
Subject: Re: panic: kmem_free(ADDR, NUM) != allocated size NUM; overwrote?
From: syzbot <syzbot+619594123012278666e0%syzkaller.appspotmail.com@localhost>
Date: Tue, 02 Aug 2022 03:01:38 -0700

syzbot has found a reproducer for the following issue on:

HEAD commit:    ac44c67317ab Provide _GNU_SOURCE for t_clone now that is r..
git tree:       netbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=12d423b1080000
kernel config:  https://syzkaller.appspot.com/x/.config?x=739e57438eb9ed9e
dashboard link: https://syzkaller.appspot.com/bug?extid=619594123012278666e0
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1104b91e080000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13aea1a6080000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+619594123012278666e0%syzkaller.appspotmail.com@localhost

[  41.8847116] panic: kmem_free(0xffffe4801328db40, 16) != allocated size 2; overwrote?
[  41.8847116] cpu1: Begin traceback...
[  41.9047074] vpanic() at netbsd:vpanic+0xc9d
[  41.9447062] panic() at netbsd:panic+0x1b3 sys/kern/subr_prf.c:210
[  41.9947390] kmem_intr_free() at netbsd:kmem_intr_free+0x82f sys/kern/subr_kmem.c:365
[  42.0447762] compat_30_sys_getdents() at netbsd:compat_30_sys_getdents+0x1372
[  42.0947810] sys_syscall() at netbsd:sys_syscall+0x2c5 sys/kern/sys_syscall.c:90
[  42.1547856] syscall() at netbsd:syscall+0x60c sy_invoke sys/sys/syscallvar.h:94 [inline]
[  42.1547856] syscall() at netbsd:syscall+0x60c sys/arch/x86/x86/syscall.c:138
[  42.1647756] --- syscall (number 272 via SYS_syscall) ---
[  42.1847773] netbsd:syscall+0x60c:
[  42.1847773] cpu1: End traceback...
[  42.1847773] fatal breakpoint trap in supervisor mode
[  42.1947747] trap type 1 code 0 rip 0xffffffff802228ad cs 0x8 rflags 0x286 cr2 0 ilevel 0 rsp 0xffffe480878cb820
[  42.2047977] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
[  42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[  42.2148011] fatal page fault in supervisor mode
[  42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878cb210
[  42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[  42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[  42.2148011] fatal page fault in supervisor mode
[  42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878cac00
[  42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[  42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[  42.2148011] fatal page fault in supervisor mode
[  42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878ca5f0
[  42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[  42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[  42.2148011] fatal page fault in supervisor mode
[  42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878c9fe0
[  42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[  42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[  42.2148011] fatal page fault in supervisor mode
[  42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878c99d0
[  42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[  42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[  42.2148011] fatal page fault in supervisor mode
[  42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878c93c0
[  42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[  42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[  42.2148011] fatal page fault in supervisor mode
[  42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878c8db0
[  42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[  42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[  42.2148011] fatal page fault in supervisor mode
[  42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878c87a0
[  42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[  42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[  42.2148011] fatal page fault in supervisor mode
[  42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878c8190
[  42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[  42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[  42.2148011] fatal page fault in supervisor mode
[  42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878c7b80
[  42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[  42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[  42.2148011] fatal page fault in supervisor mode
[  42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878c7570
[  42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0
[  42.2148011] uvm_fault(0xffffe480124ebc58, 0x0, 1) -> e
[  42.2148011] fatal page fault in supervisor mode
[  42.2148011] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffe480878c6f60
[  42.2148011] curlwp 0xffffe48012b9c080 pid 1223.1223 lowest kstack 0xffffe480878c42c0
kernel: page fault trap, code=0

-- 
You received this message because you are subscribed to the Google Groups "syzkaller-netbsd-bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-netbsd-bugs+unsubscribe%googlegroups.com@localhost.
To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-netbsd-bugs/000000000000cca81b05e53f330f%40google.com.

References:
- panic: kmem_free(ADDR, NUM) != allocated size NUM; overwrote?
  - From: syzbot

Prev by Date: panic: kmem_free(ADDR, NUM) != allocated size NUM; overwrote?
Next by Date: panic: ASan: Unauthorized Access In ADDR: Addr ADDR [NUM bytes, write, MallocRedZone]
Previous by Thread: panic: kmem_free(ADDR, NUM) != allocated size NUM; overwrote?
Next by Thread: panic: kmem_free(ADDR, NUM) != allocated size NUM; overwrote?
Indexes:

Home | Main Index | Thread Index | Old Index