panic: apcaqniuci:r kinegr nbleol c kdaiblage snloesteipc laosscke r t io n " ! _ ke r n e l_ l o wcikt_hh s


syzbot

Mar 23, 2022, 2:56:25 AM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: bf088e2b2bca Extract the type from the ICMP6 header before..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=122ed425700000
kernel config: https://syzkaller.appspot.com/x/.config?x=bf87b6915a88cd0d
dashboard link: https://syzkaller.appspot.com/bug?extid=8781619db4af078f1995

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+878161...@syzkaller.appspotmail.com

panic: apcaqniuci:r kinegr nbleol c kdaiblage snloesteipc laosscke r t io n " ! _ ke r n e l_ l o wcikt_hh selp i nl doc()k" ofra cirlietd:ic faill es e"c/styizonk ahellled r(k/emranenla_gelorsc/km) u lt i c o r e/ &kkeernrnele/ls_ylsoc/kuv
m/Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
* 73188 81061 0 0 0x4000000 0 syz-executor.1
29954 39164 0 0x14000 0x200 1 reaper
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825a4184) at panic+0x177 sys/kern/subr_prf.c:202
witness_checkorder(ffffffff82a6f1a0,9,0) at witness_checkorder+0x116d sys/kern/subr_witness.c:833
__mp_lock(ffffffff82a6ef98) at __mp_lock+0xa1 read_rflags machine/cpufunc.h:195 [inline]
__mp_lock(ffffffff82a6ef98) at __mp_lock+0xa1 intr_disable machine/cpufunc.h:216 [inline]
__mp_lock(ffffffff82a6ef98) at __mp_lock+0xa1 sys/kern/kern_lock.c:142
selwakeup(fffffd807f547130) at selwakeup+0x16 klist_empty sys/sys/event.h:361 [inline]
selwakeup(fffffd807f547130) at selwakeup+0x16 sys/kern/sys_generic.c:885
sorwakeup(fffffd807f547018) at sorwakeup+0xc9 sys/kern/uipc_socket.c:1699
rip6_input(ffff800021205d08,ffff800021205d14,85,18) at rip6_input+0x6bc sys/netinet6/raw_ip6.c:224
ip_deliver(ffff800021205d08,ffff800021205d14,85,18) at ip_deliver+0x322 sys/netinet/ip_input.c:657
ip6_input_if(ffff800021205d08,ffff800021205d14,29,0,ffff80000019f2a8) at ip6_input_if+0x920
ipv6_input(ffff80000019f2a8,fffffd8079eea900) at ipv6_input+0x48 sys/netinet6/ip6_input.c:169
if_input_local(ffff80000019f2a8,fffffd8079eea900,18) at if_input_local+0x136 sys/net/if.c:778
ip6_output(fffffd8073c28e00,ffff8000006d5380,fffffd80654bcb80,0,0,fffffd80654bcb08) at ip6_output+0xf57
rip6_output(fffffd8073c28e00,fffffd80681deb78,ffff800021206070,0) at rip6_output+0x4ad sys/netinet6/raw_ip6.c:490
rip6_usrreq(fffffd80681deb78,9,fffffd8073c28e00,0,0,ffff800026cd8008) at rip6_usrreq+0x5d3 sys/netinet6/raw_ip6.c:679
end trace frame: 0xffff8000212061f0, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
*cpu0: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock
cpu1: kernel diagnostic assertion "!_kernel_lock_held()" failed: file "/syzkaller/managers/multicore/kernel/sys/uvm/uvm_map.c", line 2734
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825a4184) at panic+0x177 sys/kern/subr_prf.c:202
witness_checkorder(ffffffff82a6f1a0,9,0) at witness_checkorder+0x116d sys/kern/subr_witness.c:833
__mp_lock(ffffffff82a6ef98) at __mp_lock+0xa1 read_rflags machine/cpufunc.h:195 [inline]
__mp_lock(ffffffff82a6ef98) at __mp_lock+0xa1 intr_disable machine/cpufunc.h:216 [inline]
__mp_lock(ffffffff82a6ef98) at __mp_lock+0xa1 sys/kern/kern_lock.c:142
selwakeup(fffffd807f547130) at selwakeup+0x16 klist_empty sys/sys/event.h:361 [inline]
selwakeup(fffffd807f547130) at selwakeup+0x16 sys/kern/sys_generic.c:885
sorwakeup(fffffd807f547018) at sorwakeup+0xc9 sys/kern/uipc_socket.c:1699
rip6_input(ffff800021205d08,ffff800021205d14,85,18) at rip6_input+0x6bc sys/netinet6/raw_ip6.c:224
ip_deliver(ffff800021205d08,ffff800021205d14,85,18) at ip_deliver+0x322 sys/netinet/ip_input.c:657
ip6_input_if(ffff800021205d08,ffff800021205d14,29,0,ffff80000019f2a8) at ip6_input_if+0x920
ipv6_input(ffff80000019f2a8,fffffd8079eea900) at ipv6_input+0x48 sys/netinet6/ip6_input.c:169
if_input_local(ffff80000019f2a8,fffffd8079eea900,18) at if_input_local+0x136 sys/net/if.c:778
ip6_output(fffffd8073c28e00,ffff8000006d5380,fffffd80654bcb80,0,0,fffffd80654bcb08) at ip6_output+0xf57
rip6_output(fffffd8073c28e00,fffffd80681deb78,ffff800021206070,0) at rip6_output+0x4ad sys/netinet6/raw_ip6.c:490
rip6_usrreq(fffffd80681deb78,9,fffffd8073c28e00,0,0,ffff800026cd8008) at rip6_usrreq+0x5d3 sys/netinet6/raw_ip6.c:679
sosend(fffffd80681deb78,0,ffff8000212062a8,0,0,0) at sosend+0x632 sys/kern/uipc_socket.c:582
dofilewritev(ffff800026cd8008,5,ffff8000212062a8,0,ffff8000212063a0) at dofilewritev+0x19c sys/kern/sys_generic.c:381
sys_write(ffff800026cd8008,ffff800021206348,ffff8000212063a0) at sys_write+0x83 sys/kern/sys_generic.c:301
syscall(ffff800021206410) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800021206410) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x9d094d1a6d0, count: -19
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff800021205820
rbx 0xffffffff82987bff cpu_info_full_primary+0x2bff
rdx 0
rcx 0
rax 0xffff800026cd8008
r8 0x101010101010101
r9 0x8080808080808080
r10 0x98cffb8ea03bc5f4
r11 0xc0b5ea7ddf5447c
r12 0xffffffff82987a00 cpu_info_full_primary+0x2a00
r13 0
r14 0
r15 0x1
rip 0xffffffff815a2d98 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800021205810
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor.1) pid=73188 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=32, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff800026cd82a8,0xffff80002e37ea90
process=0xffff8000ffffa570 user=0xffff800021201000, vmspace=0xfffffd8066524460
estcpu=36, cpticks=3, pctcpu=0.0
user=0, sys=2, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
81061 229543 98716 0 2 0 syz-executor.1
*81061 73188 98716 0 7 0x4000000 syz-executor.1
21018 62538 40898 0 2 0 syz-executor.5
21018 102356 40898 0 3 0x4000080 fsleep syz-executor.5
78020 415036 8988 0 3 0x80 nanoslp syz-executor.7
78020 121621 8988 0 3 0x4000080 fsleep syz-executor.7
78020 456883 8988 0 3 0x4000080 fsleep syz-executor.7
24561 322962 82145 0 2 0x4003000 syz-executor.2
82145 69402 26610 0 2 0x482 syz-executor.2
44781 104976 26610 0 3 0x82 nanoslp syz-executor.4
40738 175164 26610 0 3 0x82 nanoslp syz-executor.0
53974 160868 26610 0 3 0x82 nanoslp syz-executor.3
20471 202483 0 0 3 0x14200 acct acct
40898 436295 26610 0 2 0x482 syz-executor.5
8988 182209 26610 0 3 0x82 nanoslp syz-executor.7
50044 436926 26610 0 2 0x2 syz-executor.6
71456 252434 1 0 3 0x100083 ttyin getty
98716 350874 26610 0 3 0x82 nanoslp syz-executor.1
92381 479440 0 0 3 0x14280 nfsidl nfsio
73173 154906 0 0 3 0x14280 nfsidl nfsio
33750 407413 0 0 3 0x14280 nfsidl nfsio
98548 258613 0 0 3 0x14280 nfsidl nfsio
99691 493577 0 0 3 0x14280 nfsidl nfsio
82307 26922 0 0 3 0x14280 nfsidl nfsio
55905 293353 0 0 3 0x14280 nfsidl nfsio
63170 276834 0 0 3 0x14280 nfsidl nfsio
65712 441409 0 0 3 0x14280 nfsidl nfsio
35490 44214 0 0 3 0x14280 nfsidl nfsio
39602 114295 0 0 3 0x14280 nfsidl nfsio
21633 142858 0 0 3 0x14280 nfsidl nfsio
21248 131980 0 0 3 0x14280 nfsidl nfsio
96163 191510 0 0 3 0x14280 nfsidl nfsio
46704 143605 0 0 3 0x14280 nfsidl nfsio
7208 56689 0 0 3 0x14280 nfsidl nfsio
14017 189638 0 0 3 0x14280 nfsidl nfsio
57227 234755 0 0 3 0x14280 nfsidl nfsio
89302 161709 0 0 3 0x14280 nfsidl nfsio
89682 217834 0 0 3 0x14280 nfsidl nfsio
43559 40476 0 0 3 0x14200 bored sosplice
26610 416595 82567 0 2 0x482 syz-fuzzer
26610 467638 82567 0 3 0x4000082 nanoslp syz-fuzzer
26610 449433 82567 0 3 0x4000082 thrsleep syz-fuzzer
26610 449392 82567 0 3 0x4000082 thrsleep syz-fuzzer
26610 180237 82567 0 3 0x4000082 thrsleep syz-fuzzer
26610 319568 82567 0 3 0x4000082 thrsleep syz-fuzzer
26610 139299 82567 0 3 0x4000082 thrsleep syz-fuzzer
26610 385614 82567 0 3 0x4000082 kqread syz-fuzzer
26610 1509 82567 0 3 0x4000082 thrsleep syz-fuzzer
82567 57211 95924 0 3 0x10008a sigsusp ksh
95924 389973 61366 0 3 0x9a kqread sshd
61366 102488 1 0 3 0x88 kqread sshd
36965 363107 40721 74 3 0x1100092 bpf pflogd
40721 113626 1 0 3 0x80 netio pflogd
82895 170590 77985 73 2 0x1100090 syslogd
77985 463953 1 0 3 0x100082 netio syslogd
84964 669 1 0 3 0x100080 kqread resolvd
48467 246873 87041 77 3 0x100092 kqread dhcpleased
90591 30552 87041 77 3 0x100092 kqread dhcpleased
87041 181985 1 0 3 0x80 kqread dhcpleased
59123 161915 0 0 3 0x14200 bored smr
42045 201316 0 0 2 0x14200 zerothread
78591 182442 0 0 3 0x14200 aiodoned aiodoned
29335 395519 0 0 3 0x14200 syncer update
14108 427743 0 0 3 0x14200 cleaner cleaner
39164 29954 0 0 7 0x14200 reaper
60675 121349 0 0 3 0x14200 pgdaemon pagedaemon
18051 453502 0 0 3 0x14200 bored viomb
42873 541 0 0 3 0x40014200 acpi0 acpi0
56486 272017 0 0 3 0x40014200 idle1
17429 288978 0 0 3 0x14200 bored softnet
86213 280021 0 0 3 0x14200 bored systqmp
24772 435846 0 0 3 0x14200 bored systq
58674 58452 0 0 3 0x40014200 bored softclock
60544 62144 0 0 3 0x40014200 idle0
1 435802 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
CPU 0:
exclusive mutex &table->inpt_mtx r = 0 (0xffffffff82a21700)
#0 witness_lock+0x44d
#1 mtx_enter_try+0x100
#2 mtx_enter+0x4b sys/kern/kern_lock.c:266
#3 rip6_input+0x28f
#4 ip_deliver+0x322 sys/netinet/ip_input.c:657
#5 ip6_input_if+0x920
#6 ipv6_input+0x48 sys/netinet6/ip6_input.c:169
#7 if_input_local+0x136 sys/net/if.c:778
#8 ip6_output+0xf57
#9 rip6_output+0x4ad sys/netinet6/raw_ip6.c:490
#10 rip6_usrreq+0x5d3 sys/netinet6/raw_ip6.c:679
#11 sosend+0x632 sys/kern/uipc_socket.c:582
#12 dofilewritev+0x19c sys/kern/sys_generic.c:381
#13 sys_write+0x83 sys/kern/sys_generic.c:301
#14 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#14 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#15 Xsyscall+0x128
CPU 1:
exclusive mutex &uvm.fpageqlock r = 0 (0xffffffff82b87938)
#0 witness_lock+0x44d
#1 mtx_enter_try+0x100
#2 mtx_enter+0x4b sys/kern/kern_lock.c:266
#3 uvm_pmr_freepageq+0xcc sys/uvm/uvm_pmemrange.c:1333
#4 amap_wipeout+0x1ff sys/uvm/uvm_amap.c:523
#5 uvm_unmap_detach+0x7d sys/uvm/uvm_map.c:1599
#6 uvm_map_teardown+0x262 sys/uvm/uvm_map.c:2789
#7 uvmspace_free+0xa6 sys/uvm/uvm_map.c:3685
#8 reaper+0x18b sys/kern/kern_exit.c:457
#9 proc_trampoline+0x1c
Process 81061 (syz-executor.1) thread 0xffff800026cd8008 (73188)
exclusive rwlock netlock r = 0 (0xffffffff829bbd70)
#0 witness_lock+0x44d
#1 solock+0x86 sys/kern/uipc_socket2.c:295
#2 sosend+0x517 sys/kern/uipc_socket.c:570
#3 dofilewritev+0x19c sys/kern/sys_generic.c:381
#4 sys_write+0x83 sys/kern/sys_generic.c:301
#5 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#5 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#6 Xsyscall+0x128
exclusive mutex &table->inpt_mtx r = 0 (0xffffffff82a21700)
#0 witness_lock+0x44d
#1 mtx_enter_try+0x100
#2 mtx_enter+0x4b sys/kern/kern_lock.c:266
#3 rip6_input+0x28f
#4 ip_deliver+0x322 sys/netinet/ip_input.c:657
#5 ip6_input_if+0x920
#6 ipv6_input+0x48 sys/netinet6/ip6_input.c:169
#7 if_input_local+0x136 sys/net/if.c:778
#8 ip6_output+0xf57
#9 rip6_output+0x4ad sys/netinet6/raw_ip6.c:490
#10 rip6_usrreq+0x5d3 sys/netinet6/raw_ip6.c:679
#11 sosend+0x632 sys/kern/uipc_socket.c:582
#12 dofilewritev+0x19c sys/kern/sys_generic.c:381
#13 sys_write+0x83 sys/kern/sys_generic.c:301
#14 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#14 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#15 Xsyscall+0x128
Process 39164 (reaper) thread 0xffff8000210f9500 (29954)
exclusive rwlock amaplk r = 0 (0xfffffd80668a70f8)
#0 witness_lock+0x44d
#1 amap_unref+0x2b sys/uvm/uvm_amap.c:1365
#2 uvm_unmap_detach+0x7d sys/uvm/uvm_map.c:1599
#3 uvm_map_teardown+0x262 sys/uvm/uvm_map.c:2789
#4 uvmspace_free+0xa6 sys/uvm/uvm_map.c:3685
#5 reaper+0x18b sys/kern/kern_exit.c:457
#6 proc_trampoline+0x1c
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10223 6504K 6897K 78643K 24727 0
pcb 18 18K 23K 78643K 1400 0
rtable 268 22K 23K 78643K 4326 0
ifaddr 106 25K 25K 78643K 1549 0
sysctl 2 0K 0K 78643K 2 0
counters 58 35K 36K 78643K 360 0
ioctlops 0 0K 4K 78643K 4642 0
iov 0 0K 16K 78643K 941 0
mount 1 1K 1K 78643K 1 0
log 0 0K 0K 78643K 5 0
vnodes 1337 84K 84K 78643K 6451 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 9K 78643K 115 0
VM map 2 1K 1K 78643K 2 0
sem 22 10K 20K 78643K 654 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12548 0
file desc 14 49K 89K 78643K 12691 0
sigio 0 0K 0K 78643K 85 0
proc 72 87K 124K 78643K 2529 0
subproc 104 6K 6K 78643K 806 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
ip_moptions 1 0K 0K 78643K 361 0
in_multi 102 6K 7K 78643K 951 0
ether_multi 2 0K 0K 78643K 61 0
mrt 1 0K 0K 78643K 55 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 259 1155K 1155K 78643K 259 0
exec 0 0K 2K 78643K 2780 0
pfkey data 0 0K 0K 78643K 4 0
tdb 3 0K 0K 78643K 3 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 7 26K 26K 78643K 7 0
UVM amap 530 871K 872K 78643K 160916 0
UVM aobj 131 8K 8K 78643K 135 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
ip6_options 2 0K 0K 78643K 435 0
NDP 14 0K 2K 78643K 307 0
temp 172 4771K 4845K 78643K 147502 0
kqueue 13 20K 26K 78643K 636 0
SYN cache 2 16K 16K 78643K 2 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 22 0 0 1 0 1 1 0 8 0
rtpcb 120 681 0 678 7 6 1 3 0 8 0
rtentry 112 920 0 815 4 0 4 4 0 8 0
unpcb 136 10740 0 10725 97 93 4 9 0 8 3
syncache 296 67 0 67 17 17 0 1 0 8 0
tcpqe 32 6 0 6 2 2 0 1 0 8 0
tcpcb 736 5785 0 5780 180 173 7 20 0 8 6
arp 120 141 0 121 1 0 1 1 0 8 0
inpcb 312 12380 0 12367 160 151 9 11 0 8 7
rttmr 72 15 0 15 4 4 0 1 0 8 0
ip6q 72 6 0 6 2 2 0 1 0 8 0
ip6af 40 18 0 18 2 2 0 1 0 8 0
nd6 48 219 0 194 1 0 1 1 0 8 0
pkpcb 40 65 0 65 7 7 0 1 0 8 0
kcovpl 48 62 0 54 1 0 1 1 0 8 0
ppxss 1248 50 0 50 13 12 1 1 0 8 1
pfstscr 40 32 0 32 6 6 0 1 0 8 0
pffrag 232 121 0 119 5 4 1 1 0 482 0
pffrnode 88 121 0 119 5 4 1 1 0 8 0
pffrent 40 498 0 496 5 4 1 1 0 8 0
pfosfp 40 1432 0 1008 5 0 5 5 0 8 0
pfosfpen 112 1432 0 714 21 0 21 21 0 8 0
pfrke_plain 168 6 0 6 1 1 0 1 0 8 0
pfrktable 1344 743 0 730 13 11 2 2 0 8 0
pftag 88 23 0 15 1 0 1 1 0 8 0
pfqueue 264 3 0 3 1 1 0 1 0 8 0
pfstitem 24 40 0 38 1 0 1 1 0 8 0
pfstkey 112 92 0 90 1 0 1 1 0 8 0
pfstate 320 60 0 58 3 2 1 3 0 8 0
pfsrctr 152 18 0 18 1 1 0 1 0 8 0
pfrule 1360 1071 0 891 23 7 16 16 0 8 1
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 3906 0 3463 44 16 28 37 0 8 0
art_table 32 3907 0 3463 5 0 5 5 0 8 0
art_node 16 912 0 820 1 0 1 1 0 8 0
sysvmsgpl 40 33 0 26 2 1 1 1 0 8 0
semupl 112 5 0 5 1 1 0 1 0 8 0
semapl 112 295 0 275 1 0 1 1 0 8 0
shmpl 112 132 0 4 4 0 4 4 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 17091 0 15611 93 0 93 93 0 8 0
ffsino 272 17091 0 15611 100 0 100 100 0 8 0
nchpl 144 35936 0 34304 63 0 63 63 0 8 0
rtmask 32 12 0 12 1 1 0 1 0 8 0
uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0
vnodes 224 5926 0 0 349 0 349 349 0 8 0
namei 1024 127912 0 127912 7 6 1 2 0 8 1
percpumem 16 192 0 151 1 0 1 1 0 8 0
vcpupl 2048 54 0 0 7 0 7 7 0 8 0
vmpool 560 106 0 52 4 0 4 4 0 8 0
pfiaddrpl 120 237 0 212 4 3 1 1 0 8 0
scsiplug 72 6 0 6 2 2 0 1 0 8 0
scxspl 216 92676 0 92676 25 23 2 8 0 8 2
plimitpl 152 1281 0 1266 1 0 1 1 0 8 0
sigapl 424 12911 0 12845 9 1 8 8 0 8 0
futexpl 64 111928 0 111925 1 0 1 1 0 8 0
knotepl 120 758 0 0 11 2 9 11 0 8 0
kqueuepl 216 2061 0 2051 43 42 1 5 0 8 0
pipepl 336 1720 0 1692 33 30 3 8 0 8 0
fdescpl 496 12873 0 12846 7 3 4 5 0 8 0
filepl 152 87863 0 87613 154 138 16 21 0 8 6
lockfpl 104 4172 0 4170 10 8 2 2 0 8 1
lockfspl 48 1139 0 1137 1 0 1 1 0 8 0
sessionpl 144 79 0 62 1 0 1 1 0 8 0
pgrppl 48 260 0 243 1 0 1 1 0 8 0
ucredpl 96 11318 0 11305 1 0 1 1 0 8 0
zombiepl 144 12849 0 12845 1 0 1 1 0 8 0
processpl 1064 12911 0 12845 5 0 5 5 0 8 0
procpl 672 36888 0 36807 25 16 9 9 0 8 1
srpgc 96 84 0 84 9 8 1 1 0 8 1
sosppl 168 71 0 71 12 11 1 1 0 8 1
sockpl 480 23949 0 23914 471 458 13 34 0 8 8
mcl64k 65536 34 0 0 3 0 3 3 0 8 0
mcl16k 16384 33 0 0 5 2 3 3 0 8 0
mcl12k 12288 42 0 0 3 1 2 2 0 8 0
mcl9k 9216 17 0 0 2 0 2 2 0 8 0
mcl8k 8192 32 0 0 4 1 3 3 0 8 0
mcl4k 4096 25 0 0 3 0 3 3 0 8 0
mcl2k2 2112 8 0 0 1 0 1 1 0 8 0
mcl2k 2048 302 0 0 21 4 17 21 0 8 0
mtagpl 96 643 0 0 10 0 10 10 0 8 0
mbufpl 256 1242 0 0 47 0 47 47 0 8 0
bufpl 288 21264 0 14929 453 0 453 453 0 8 0
anonpl 24 3558294 0 3541378 225 97 128 154 0 186 0
amapchunkpl 152 398541 0 397672 103 64 39 49 0 158 1
amappl16 200 31125 0 30504 126 92 34 51 0 8 0
amappl15 192 4713 0 4705 1 0 1 1 0 8 0
amappl14 184 2578 0 2569 1 0 1 1 0 8 0
amappl13 176 772 0 768 1 0 1 1 0 8 0
amappl12 168 1010 0 1005 1 0 1 1 0 8 0
amappl11 160 804 0 787 1 0 1 1 0 8 0
amappl10 152 2442 0 2433 1 0 1 1 0 8 0
amappl9 144 516 0 514 1 0 1 1 0 8 0
amappl8 136 2777 0 2668 4 0 4 4 0 8 0
amappl7 128 1331 0 1317 1 0 1 1 0 8 0
amappl6 120 436 0 411 2 1 1 2 0 8 0
amappl5 112 13656 0 13636 1 0 1 1 0 8 0
amappl4 104 3684 0 3653 2 1 1 2 0 8 0
amappl3 96 2327 0 2312 1 0 1 1 0 8 0
amappl2 88 2261 0 2208 3 1 2 3 0 8 0
amappl1 80 235496 0 234904 19 5 14 19 0 8 0
amappl 88 159338 0 159018 9 1 8 9 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 134 0 4 3 0 3 3 0 8 0
uaddrrnd 24 12979 0 12897 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 12979 0 12897 1 0 1 1 0 8 0
vmmpekpl 168 98634 0 98555 6 2 4 4 0 8 0
vmmpepl 168 1177526 0 1174850 327 192 135 150 0 357 4
vmsppl 368 12978 0 12897 10 2 8 8 0 8 0
rwobjpl 56 286344 0 278543 123 10 113 115 0 8 0
pdppl 4096 25965 0 25848 719 596 123 123 0 8 6
pvpl 32 5980911 0 5959574 428 220 208 259 0 265 3
pmappl 248 12978 0 12897 7 1 6 6 0 8 0
extentpl 40 58 0 38 1 0 1 1 0 8 0
phpool 112 1919 0 990 27 0 27 27 0 8 0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825a4184) at panic+0x177 sys/kern/subr_prf.c:202
witness_checkorder(ffffffff82a6f1a0,9,0) at witness_checkorder+0x116d sys/kern/subr_witness.c:833
__mp_lock(ffffffff82a6ef98) at __mp_lock+0xa1 read_rflags machine/cpufunc.h:195 [inline]
__mp_lock(ffffffff82a6ef98) at __mp_lock+0xa1 intr_disable machine/cpufunc.h:216 [inline]
__mp_lock(ffffffff82a6ef98) at __mp_lock+0xa1 sys/kern/kern_lock.c:142
selwakeup(fffffd807f547130) at selwakeup+0x16 klist_empty sys/sys/event.h:361 [inline]
selwakeup(fffffd807f547130) at selwakeup+0x16 sys/kern/sys_generic.c:885
sorwakeup(fffffd807f547018) at sorwakeup+0xc9 sys/kern/uipc_socket.c:1699
rip6_input(ffff800021205d08,ffff800021205d14,85,18) at rip6_input+0x6bc sys/netinet6/raw_ip6.c:224
ip_deliver(ffff800021205d08,ffff800021205d14,85,18) at ip_deliver+0x322 sys/netinet/ip_input.c:657
ip6_input_if(ffff800021205d08,ffff800021205d14,29,0,ffff80000019f2a8) at ip6_input_if+0x920
ipv6_input(ffff80000019f2a8,fffffd8079eea900) at ipv6_input+0x48 sys/netinet6/ip6_input.c:169
if_input_local(ffff80000019f2a8,fffffd8079eea900,18) at if_input_local+0x136 sys/net/if.c:778
ip6_output(fffffd8073c28e00,ffff8000006d5380,fffffd80654bcb80,0,0,fffffd80654bcb08) at ip6_output+0xf57
rip6_output(fffffd8073c28e00,fffffd80681deb78,ffff800021206070,0) at rip6_output+0x4ad sys/netinet6/raw_ip6.c:490
rip6_usrreq(fffffd80681deb78,9,fffffd8073c28e00,0,0,ffff800026cd8008) at rip6_usrreq+0x5d3 sys/netinet6/raw_ip6.c:679
sosend(fffffd80681deb78,0,ffff8000212062a8,0,0,0) at sosend+0x632 sys/kern/uipc_socket.c:582
dofilewritev(ffff800026cd8008,5,ffff8000212062a8,0,ffff8000212063a0) at dofilewritev+0x19c sys/kern/sys_generic.c:381
sys_write(ffff800026cd8008,ffff800021206348,ffff8000212063a0) at sys_write+0x83 sys/kern/sys_generic.c:301
syscall(ffff800021206410) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800021206410) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x9d094d1a6d0, count: -19
ddb{0}> machine ddbcpu 1
Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp
x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
x86_bus_space_io_write_1(3f8,0,2f) at x86_bus_space_io_write_1+0x31 sys/arch/amd64/amd64/bus_space.c:759
comcnputc(800,2f) at comcnputc+0x128 bus_space_barrier machine/bus.h:481 [inline]
comcnputc(800,2f) at comcnputc+0x128 sys/dev/ic/com.c:1263
cnputc(2f) at cnputc+0x4b sys/dev/cons.c:239
db_putchar(2f) at db_putchar+0x3fc sys/ddb/db_output.c:155
kprintf() at kprintf+0x20ec sys/kern/subr_prf.c:1068
db_printf(ffffffff82605424) at db_printf+0x85 sys/kern/subr_prf.c:502
panic(ffffffff8258c085) at panic+0xd7 sys/kern/subr_prf.c:220
__assert(ffffffff8260257e,ffffffff8260f998,aae,ffffffff825bfe73) at __assert+0x25 sys/kern/subr_prf.c:161
uvm_map_teardown(fffffd80752e2008) at uvm_map_teardown+0x2e8 sys/uvm/uvm_map.c:2736
uvmspace_free(fffffd80752e2008) at uvmspace_free+0xa6 sys/uvm/uvm_map.c:3685
reaper(ffff8000210f9500) at reaper+0x18b sys/kern/kern_exit.c:457
end trace frame: 0x0, count: 1
ddb{1}> trace
x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
x86_bus_space_io_write_1(3f8,0,2f) at x86_bus_space_io_write_1+0x31 sys/arch/amd64/amd64/bus_space.c:759
comcnputc(800,2f) at comcnputc+0x128 bus_space_barrier machine/bus.h:481 [inline]
comcnputc(800,2f) at comcnputc+0x128 sys/dev/ic/com.c:1263
cnputc(2f) at cnputc+0x4b sys/dev/cons.c:239
db_putchar(2f) at db_putchar+0x3fc sys/ddb/db_output.c:155
kprintf() at kprintf+0x20ec sys/kern/subr_prf.c:1068
db_printf(ffffffff82605424) at db_printf+0x85 sys/kern/subr_prf.c:502
panic(ffffffff8258c085) at panic+0xd7 sys/kern/subr_prf.c:220
__assert(ffffffff8260257e,ffffffff8260f998,aae,ffffffff825bfe73) at __assert+0x25 sys/kern/subr_prf.c:161
uvm_map_teardown(fffffd80752e2008) at uvm_map_teardown+0x2e8 sys/uvm/uvm_map.c:2736
uvmspace_free(fffffd80752e2008) at uvmspace_free+0xa6 sys/uvm/uvm_map.c:3685
reaper(ffff8000210f9500) at reaper+0x18b sys/kern/kern_exit.c:457
end trace frame: 0x0, count: -14


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Mar 23, 2022, 6:51:37 AM
to Aleksandr Nogikh, nog...@google.com, syzkaller-o...@googlegroups.com
> #syz invalid

Your 'invalid' command is accepted, but please keep syzkaller-o...@googlegroups.com mailing list in CC next time. It serves as a history of what happened with each bug report. Thank you.