NetBSD-Syzbot archive

panic: kmem_free(ADDR, NUM) != allocated size NUM; overwrote?
Hello,

syzbot found the following issue on:

HEAD commit:    ac44c67317ab Provide _GNU_SOURCE for t_clone now that is r..
git tree:       netbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1309f83e080000
kernel config:  https://syzkaller.appspot.com/x/.config?x=739e57438eb9ed9e
dashboard link: https://syzkaller.appspot.com/bug?extid=619594123012278666e0
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+619594123012278666e0@syzkaller.appspotmail.com

[ 168.7528436] panic: kmem_free(0xffffca8013aa96a0, 16) != allocated size 2; overwrote?
[ 168.7642248] cpu0: Begin traceback...
[ 168.7828192] vpanic() at netbsd:vpanic+0xc9d
[ 168.8328207] panic() at netbsd:panic+0x1b3 sys/kern/subr_prf.c:210
[ 168.8828178] kmem_intr_free() at netbsd:kmem_intr_free+0x82f sys/kern/subr_kmem.c:365
[ 168.9428232] compat_30_sys_getdents() at netbsd:compat_30_sys_getdents+0x1372
[ 168.9928231] sys___syscall() at netbsd:sys___syscall+0x2c6 sys/kern/sys_syscall.c:90
[ 169.0528205] syscall() at netbsd:syscall+0x60c sy_invoke sys/sys/syscallvar.h:94 [inline]
[ 169.0528205] syscall() at netbsd:syscall+0x60c sys/arch/x86/x86/syscall.c:138
[ 169.0729818] --- syscall (number 272 via SYS_syscall) ---
[ 169.0828173] netbsd:syscall+0x60c:
[ 169.0943198] cpu0: End traceback...
[ 169.0943198] fatal breakpoint trap in supervisor mode
[ 169.1034131] trap type 1 code 0 rip 0xffffffff802228ad cs 0x8 rflags 0x286 cr2 0 ilevel 0 rsp 0xffffca8090dc0820
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dc0210
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbfc00
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbf5f0
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbefe0
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbe9d0
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbe3c0
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbddb0
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbd7a0
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbd190
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbcb80
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbc570
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0
[ 169.1134747] uvm_fault(0xffffca8012502c58, 0x0, 1) -> e
[ 169.1134747] fatal page fault in supervisor mode
[ 169.1134747] trap type 6 code 0 rip 0xffffffff848af867 cs 0x8 rflags 0x10246 cr2 0x1e8 ilevel 0x8 rsp 0xffffca8090dbbf60
[ 169.1134747] curlwp 0xffffca801389c340 pid 2776.9681 lowest kstack 0xffffca8090db92c0
kernel: page fault trap, code=0


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

-- 
You received this message because you are subscribed to the Google Groups "syzkaller-netbsd-bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-netbsd-bugs+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-netbsd-bugs/000000000000d53c2c05e53ef25d%40google.com.
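The panic at the top of the trace is kmem(9)'s size check: when the kernel is built with the KMEM_SIZE diagnostic, kmem_alloc() records the requested size alongside each object and kmem_intr_free() (sys/kern/subr_kmem.c:365 in this build) panics if the size handed to kmem_free() differs from it. Here compat_30_sys_getdents() freed 16 bytes where 2 had been allocated. The check cannot tell a caller whose size bookkeeping is wrong from a neighbouring overflow that clobbered the stored size, which is why the message ends in "overwrote?". Without the diagnostic, the size argument is what selects the pool the object goes back to, so a mismatched free silently returns the object to the wrong size class, the kind of allocator confusion that makes a bug like this worth more than a crash. The C below is an added user-space model written for this archive page, not NetBSD or syzbot code; its arena, header layout and result codes are assumptions, and it reproduces only the shape of the check, not the kernel's implementation.

```c
/*
 * Added user-space model (not NetBSD code) of the size check that fired in
 * the trace above.  The model keeps the requested size in a header directly
 * in front of each object and bump-allocates from a static arena so that
 * neighbouring objects are adjacent, which makes the overflow case below
 * deterministic.  Arena layout, header format and the result codes are
 * assumptions of this model, not NetBSD's.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct hdr {
    uint64_t size;          /* size the caller requested */
};

enum free_result {
    FREE_OK,                /* sizes agree */
    FREE_SIZE_MISMATCH      /* what the kernel reports as "!= allocated size" */
};

static unsigned char arena[4096];
static size_t arena_off;

static void model_reset(void)
{
    memset(arena, 0, sizeof(arena));
    arena_off = 0;
}

/* Carve header + payload out of the arena; payload rounded up to 8 bytes. */
static void *model_alloc(size_t size)
{
    size_t need = sizeof(struct hdr) + ((size + 7) & ~(size_t)7);
    struct hdr *h;

    if (arena_off + need > sizeof(arena))
        return NULL;
    h = (struct hdr *)(arena + arena_off);
    arena_off += need;
    h->size = size;
    return h + 1;
}

/*
 * The check itself.  It cannot tell whether the caller's size bookkeeping
 * is wrong or whether something overwrote the header, hence "overwrote?".
 */
static enum free_result model_free(void *p, size_t size)
{
    struct hdr *h = (struct hdr *)p - 1;

    if (h->size != size)
        return FREE_SIZE_MISMATCH;
    h->size = 0;            /* mark released */
    return FREE_OK;
}

/* Case 1: allocation and free agree. */
enum free_result case_correct(void)
{
    model_reset();
    void *p = model_alloc(2);
    return model_free(p, 2);
}

/* Case 2: the caller frees with a different size than it allocated
 * (2 allocated, 16 freed), the shape of the panic in the report. */
enum free_result case_mismatch(void)
{
    model_reset();
    void *p = model_alloc(2);
    return model_free(p, 16);
}

/* Case 3: a one-byte overflow from the preceding object lands in the next
 * object's size header; freeing that object fails the very same check. */
enum free_result case_overflow(void)
{
    model_reset();
    unsigned char *a = model_alloc(8);
    unsigned char *b = model_alloc(16);
    memset(a, 0xff, 9);     /* 9 bytes into an 8-byte object */
    return model_free(b, 16);
}

int main(void)
{
    printf("correct : %d\n", case_correct());   /* 0 */
    printf("mismatch: %d\n", case_mismatch());  /* 1 */
    printf("overflow: %d\n", case_overflow());  /* 1 */
    return 0;
}
```

Cases 2 and 3 return the same result, which is the practical point for whoever picks this report up: the trace alone does not say whether compat_30_sys_getdents() passed the wrong length or whether something earlier wrote past the end of the preceding object, and the next step is to compare the size used at the kmem_alloc() and kmem_free() sites in that function before looking for a neighbour overflow.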

