On Thu, Apr 18, 2024 at 11:42:09AM +0200, Martin Pieuchot wrote:
> On 17/04/24(Wed) 18:33, Vitaliy Makkoveev wrote:
> > On Tue, Apr 16, 2024 at 04:30:08PM +0200, Claudio Jeker wrote:
> > > On Tue, Apr 16, 2024 at 04:15:05PM +0300, Vitaliy Makkoveev wrote:
> > > > I suspect syzkaller reported panics [1] and [2] happened because sockets
> > > > were closed due vnode(9) lock release.
> 
> How did you come to this conclusion?
> 
> The bug is a NULL dereference:
> 
> uvm_fault(0xfffffd806d2c9780, 0x8, 0, 1) -> e
> kernel: page fault trap, code=0
> Stopped at      fifo_write+0x4e:        movq    0x8(%rax),%r12
> 
> I don't have the same assembly here, but the offset 0x8 seems to correspond
> the `a_uio' field.   So the argument passed to fifo_write() is NULL.
> 
> How can it be NULL?
> 

I thought this was `fi_writesock' because concurrent fifo_reclaim()
closed both sockets and set `v_fifoinfo' to NULL. This was wrong.