assert "pg->wire_count == NUM" failed in vfs_biomem.c (3)


syzbot

Dec 29, 2023, 6:04:22 AM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 4600b3a1e352 Rework and fix pkey_hmac_keygen()
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=113148d9e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7058272de1526588
dashboard link: https://syzkaller.appspot.com/bug?extid=9b8f9974ccb14bdd31cb

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3583521c743d/disk-4600b3a1.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/c4ba8dda772f/bsd-4600b3a1.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4163cb324635/kernel-4600b3a1.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9b8f99...@syzkaller.appspotmail.com

panic: kernel diagnostic assertion "pg->wire_count == 1" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/vfs_biomem.c", line 310
Stopped at db_enter+0x1c: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
211636 99513 0 0 0 0 syz-executor.6
*202914 92886 0 0x2 0 1K syz-executor.0
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff827a37af) at panic+0x17b sys/kern/subr_prf.c:198
__assert(ffffffff82826740,ffffffff82814e0c,136,ffffffff827efb11) at __assert+0x29 sys/kern/subr_prf.c:157
buf_free_pages(fffffd80691d5b70) at buf_free_pages+0x1d2 sys/kern/vfs_biomem.c:299
buf_dealloc_mem(fffffd80691d5b70) at buf_dealloc_mem+0xe3 sys/kern/vfs_biomem.c:179
buf_put(fffffd80691d5b70) at buf_put+0x165 sys/kern/vfs_bio.c:130
brelse(fffffd80691d5b70) at brelse+0x5c3 sys/kern/vfs_bio.c:957
vinvalbuf(fffffd806b729cc8,2,fffffd807f7d66e8,ffff80002a1ce550,0,ffffffffffffffff) at vinvalbuf+0x391 sys/kern/vfs_subr.c:2021
ffs_truncate(fffffd806608b660,0,4,fffffd807f7d66e8) at ffs_truncate+0xf22 sys/ufs/ffs/ffs_inode.c:326
ufs_rmdir(ffff800033f85e88) at ufs_rmdir+0x3a9 sys/ufs/ufs/ufs_vnops.c:1342
VOP_RMDIR(fffffd807a16daf8,fffffd806b729cc8,ffff800033f85f68) at VOP_RMDIR+0x12a sys/kern/vfs_vops.c:407
dounlinkat(ffff80002a1ce550,ffffff9c,7002072b2360,8) at dounlinkat+0x20e sys/kern/vfs_syscalls.c:1880
syscall(ffff800033f860e0) at syscall+0x4e6 sys/arch/amd64/amd64/trap.c:606
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7002072b2350, count: 1
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu1: kernel diagnostic assertion "pg->wire_count == 1" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/vfs_biomem.c", line 310
ddb{1}> trace
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff827a37af) at panic+0x17b sys/kern/subr_prf.c:198
__assert(ffffffff82826740,ffffffff82814e0c,136,ffffffff827efb11) at __assert+0x29 sys/kern/subr_prf.c:157
buf_free_pages(fffffd80691d5b70) at buf_free_pages+0x1d2 sys/kern/vfs_biomem.c:299
buf_dealloc_mem(fffffd80691d5b70) at buf_dealloc_mem+0xe3 sys/kern/vfs_biomem.c:179
buf_put(fffffd80691d5b70) at buf_put+0x165 sys/kern/vfs_bio.c:130
brelse(fffffd80691d5b70) at brelse+0x5c3 sys/kern/vfs_bio.c:957
vinvalbuf(fffffd806b729cc8,2,fffffd807f7d66e8,ffff80002a1ce550,0,ffffffffffffffff) at vinvalbuf+0x391 sys/kern/vfs_subr.c:2021
ffs_truncate(fffffd806608b660,0,4,fffffd807f7d66e8) at ffs_truncate+0xf22 sys/ufs/ffs/ffs_inode.c:326
ufs_rmdir(ffff800033f85e88) at ufs_rmdir+0x3a9 sys/ufs/ufs/ufs_vnops.c:1342
VOP_RMDIR(fffffd807a16daf8,fffffd806b729cc8,ffff800033f85f68) at VOP_RMDIR+0x12a sys/kern/vfs_vops.c:407
dounlinkat(ffff80002a1ce550,ffffff9c,7002072b2360,8) at dounlinkat+0x20e sys/kern/vfs_syscalls.c:1880
syscall(ffff800033f860e0) at syscall+0x4e6 sys/arch/amd64/amd64/trap.c:606
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7002072b2350, count: -14
ddb{1}> show registers
rdi 0
rsi 0x1
rbp 0xffff800033f85970
rbx 0xffff800029d2cba7
rdx 0
rcx 0xffff80002a1ce550
rax 0xffff800029d2bff0
r8 0x101010101010101
r9 0x8080808080808080
r10 0xa61255696b6eb2bf
r11 0xe3176f360c9f08ab
r12 0xffff800029d2c9a8
r13 0
r14 0
r15 0x1
rip 0xffffffff81f2cedc db_enter+0x1c
cs 0x8
rflags 0x246
rsp 0xffff800033f85960
ss 0x10
db_enter+0x1c: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor.0) tid=202914 pid=92886 tcnt=1 stat=onproc
flags process=2<EXEC> proc=0
runpri=17, usrpri=50, slppri=17, nice=20
wchan=0x0, wmesg=, ps_single=0x0
forw=0xffffffffffffffff, list=0xffff80002a26f7f8,0xffff80002a1cd2c8
process=0xffff8000ffff3258 user=0xffff800033f81000, vmspace=0xfffffd8069bbe928
estcpu=0, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
12635 322463 29894 0 2 0 syz-executor.3
12635 9122 29894 0 3 0x4000080 rest syz-executor.3
12635 488774 29894 0 3 0x4000080 bell syz-executor.3
99513 211636 47048 0 7 0 syz-executor.6
99094 354384 84523 0 2 0 syz-executor.5
29894 478973 85176 0 3 0x82 nanoslp syz-executor.3
91289 303393 0 0 3 0x14200 bored sosplice
93062 149665 0 0 3 0x14200 acct acct
*92886 202914 85176 0 7 0x2 syz-executor.0
47048 119436 85176 0 3 0x82 nanoslp syz-executor.6
88314 352039 18023 0 3 0x100082 netio arp
18023 222163 1 0 3 0x10008a sigsusp sh
83459 433102 85176 0 3 0x82 nanoslp syz-executor.7
84523 470219 85176 0 3 0x82 nanoslp syz-executor.5
27714 404827 85176 0 3 0x82 nanoslp syz-executor.4
33243 407165 85176 0 3 0x82 nanoslp syz-executor.2
4760 266645 85176 0 2 0x2 syz-executor.1
85176 294456 95998 0 3 0x2000082 thrsleep syz-fuzzer
85176 489605 95998 0 3 0x6000082 nanoslp syz-fuzzer
85176 199477 95998 0 3 0x6000082 thrsleep syz-fuzzer
85176 204547 95998 0 3 0x6000082 wait syz-fuzzer
85176 369586 95998 0 3 0x6000082 wait syz-fuzzer
85176 385287 95998 0 3 0x6000082 wait syz-fuzzer
85176 163876 95998 0 3 0x6000082 wait syz-fuzzer
85176 207522 95998 0 3 0x6000082 wait syz-fuzzer
85176 382405 95998 0 3 0x6000082 wait syz-fuzzer
85176 393298 95998 0 3 0x6000082 thrsleep syz-fuzzer
85176 403964 95998 0 3 0x6000082 thrsleep syz-fuzzer
85176 516616 95998 0 3 0x6000082 wait syz-fuzzer
85176 214137 95998 0 3 0x6000082 kqread syz-fuzzer
85176 424599 95998 0 3 0x6000082 thrsleep syz-fuzzer
85176 185807 95998 0 3 0x6000082 wait syz-fuzzer
95998 112299 24952 0 3 0x10008a sigsusp ksh
24952 415402 58805 0 3 0x9a kqread sshd
45209 124058 1 0 3 0x100083 ttyin getty
58805 124027 1 0 3 0x88 kqread sshd
5255 474199 67809 74 3 0x1100092 bpf pflogd
67809 357019 1 0 3 0x80 netio pflogd
60195 185490 89077 73 2 0x1100010 syslogd
89077 516598 1 0 3 0x100082 netio syslogd
34009 92667 1 0 3 0x100080 kqread resolvd
37809 498008 41854 77 3 0x100092 kqread dhcpleased
17359 74441 41854 77 3 0x100092 kqread dhcpleased
41854 510477 1 0 3 0x80 kqread dhcpleased
90171 338289 0 0 3 0x14200 bored smr
48468 177798 0 0 2 0x14200 zerothread
30749 262203 0 0 3 0x14200 aiodoned aiodoned
86327 312145 0 0 3 0x14200 syncer update
98872 182762 0 0 3 0x14200 cleaner cleaner
20584 165066 0 0 3 0x14200 reaper reaper
83563 411172 0 0 3 0x14200 pgdaemon pagedaemon
10942 468136 0 0 3 0x14200 bored viomb
57294 480971 0 0 3 0x40014200 acpi0 acpi0
71900 406153 0 0 3 0x40014200 idle1
3141 83930 0 0 3 0x14200 bored softnet3
16856 236265 0 0 3 0x14200 bored softnet2
57251 61071 0 0 3 0x14200 bored softnet1
46125 60597 0 0 3 0x14200 bored softnet0
18886 153860 0 0 3 0x14200 bored systqmp
76384 104863 0 0 3 0x14200 bored systq
37528 375253 0 0 3 0x14200 tmoslp softclockmp
33058 368169 0 0 3 0x40014200 tmoslp softclock
50040 65588 0 0 3 0x40014200 idle0
1 506352 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
Process 99513 (syz-executor.6) thread 0xffff80002a1fbd58 (211636)
exclusive rwlock amaplk r = 0 (0xfffffd8069c0d520)
#0 witness_lock+0x447
#1 uvm_fault_check+0x41a sys/uvm/uvm_fault.c:782
#2 uvm_fault+0xf2 sys/uvm/uvm_fault.c:600
#3 upageflttrap+0x86 sys/arch/amd64/amd64/trap.c:188
#4 usertrap+0x226 sys/arch/amd64/amd64/trap.c:436
#5 recall_trap+0x8
shared rwlock vmmaplk r = 0 (0xfffffd8069bbe680)
#0 witness_lock+0x447
#1 uvmfault_lookup+0xd9 sys/uvm/uvm_fault.c:1785
#2 uvm_fault_check+0x3e sys/uvm/uvm_fault.c:672
#3 uvm_fault+0xf2 sys/uvm/uvm_fault.c:600
#4 upageflttrap+0x86 sys/arch/amd64/amd64/trap.c:188
#5 usertrap+0x226 sys/arch/amd64/amd64/trap.c:436
#6 recall_trap+0x8
Process 92886 (syz-executor.0) thread 0xffff80002a1ce550 (202914)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82cb60c0)
#0 witness_lock+0x447
#1 __mp_acquire_count+0x48 sys/kern/kern_lock.c:227
#2 mi_switch+0x46d sys/kern/sched_bsd.c:470
#3 sleep_finish+0x19b sys/kern/kern_synch.c:414
#4 biowait+0x91 sys/kern/vfs_bio.c:1278
#5 bwrite+0x21c sys/kern/vfs_bio.c:769
#6 ffs_update+0x281 sys/ufs/ffs/ffs_inode.c:113
#7 ffs_truncate+0xce7
#8 ufs_rmdir+0x3a9 sys/ufs/ufs/ufs_vnops.c:1342
#9 VOP_RMDIR+0x12a sys/kern/vfs_vops.c:407
#10 dounlinkat+0x20e sys/kern/vfs_syscalls.c:1880
#11 syscall+0x4e6 sys/arch/amd64/amd64/trap.c:606
#12 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd806608b6f8)
#0 witness_lock+0x447
#1 rw_enter+0x3c8 sys/kern/kern_rwlock.c:309
#2 rrw_enter+0x8c sys/kern/kern_rwlock.c:464
#3 VOP_LOCK+0x8b sys/kern/vfs_vops.c:518
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:564
#5 vget+0x200 sys/kern/vfs_subr.c:676
#6 ufs_ihashget+0x121 sys/ufs/ufs/ufs_ihash.c:119
#7 ffs_vget+0x7c sys/ufs/ffs/ffs_vfsops.c:1314
#8 ufs_lookup+0x13ba sys/ufs/ufs/ufs_lookup.c:487
#9 VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85
#10 vfs_lookup+0x6e2 sys/kern/vfs_lookup.c:566
#11 namei+0x55a sys/kern/vfs_lookup.c:250
#12 dounlinkat+0x9d sys/kern/vfs_syscalls.c:1847
#13 syscall+0x4e6 sys/arch/amd64/amd64/trap.c:606
#14 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd806608b5e8)
#0 witness_lock+0x447
#1 rw_enter+0x3c8 sys/kern/kern_rwlock.c:309
#2 rrw_enter+0x8c sys/kern/kern_rwlock.c:464
#3 VOP_LOCK+0x8b sys/kern/vfs_vops.c:518
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:564
#5 vfs_lookup+0xd5 sys/kern/vfs_lookup.c:418
#6 namei+0x55a sys/kern/vfs_lookup.c:250
#7 dounlinkat+0x9d sys/kern/vfs_syscalls.c:1847
#8 syscall+0x4e6 sys/arch/amd64/amd64/trap.c:606
#9 Xsyscall+0x128
Process 4760 (syz-executor.1) thread 0xffff80002a20c560 (266645)
exclusive rrwlock inode r = 0 (0xfffffd806bb89e78)
#0 witness_lock+0x447
#1 rw_enter+0x3c8 sys/kern/kern_rwlock.c:309
#2 rrw_enter+0x8c sys/kern/kern_rwlock.c:464
#3 VOP_LOCK+0x8b sys/kern/vfs_vops.c:518
#4 ufs_ihashins+0x46 sys/ufs/ufs/ufs_ihash.c:140
#5 ffs_vget+0x141 sys/ufs/ffs/ffs_vfsops.c:1343
#6 ffs_inode_alloc+0x1c2 sys/ufs/ffs/ffs_alloc.c:394
#7 ufs_mkdir+0xf8 sys/ufs/ufs/ufs_vnops.c:1149
#8 VOP_MKDIR+0xc3 sys/kern/vfs_vops.c:388
#9 domkdirat+0x125 sys/kern/vfs_syscalls.c:3073
#10 syscall+0x4e6 sys/arch/amd64/amd64/trap.c:606
#11 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd8069c02c50)
#0 witness_lock+0x447
#1 rw_enter+0x3c8 sys/kern/kern_rwlock.c:309
#2 rrw_enter+0x8c sys/kern/kern_rwlock.c:464
#3 VOP_LOCK+0x8b sys/kern/vfs_vops.c:518
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:564
#5 vfs_lookup+0xd5 sys/kern/vfs_lookup.c:418
#6 namei+0x55a sys/kern/vfs_lookup.c:250
#7 domkdirat+0x79 sys/kern/vfs_syscalls.c:3058
#8 syscall+0x4e6 sys/arch/amd64/amd64/trap.c:606
#9 Xsyscall+0x128
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10203 6549K 6606K 166960K 11389 0
pcb 13 8K 8K 166960K 26 0
rtable 234 6K 6K 166960K 398 0
pf 32 9K 10K 166960K 47 0
ifaddr 45 15K 15K 166960K 53 0
ifgroup 55 2K 2K 166960K 63 0
sysctl 1 0K 0K 166960K 1 0
counters 62 36K 36K 166960K 66 0
ioctlops 0 0K 4K 166960K 1490 0
iov 0 0K 18K 166960K 18 0
mount 1 1K 1K 166960K 1 0
log 0 0K 0K 166960K 4 0
vnodes 1296 81K 81K 166960K 1452 0
UFS quota 1 32K 32K 166960K 1 0
UFS mount 5 36K 36K 166960K 5 0
shm 2 1K 5K 166960K 5 0
VM map 2 1K 1K 166960K 2 0
sem 12 0K 0K 166960K 73 0
dirhash 12 2K 2K 166960K 12 0
ACPI 1697 195K 286K 166960K 12548 0
file desc 17 61K 81K 166960K 337 0
proc 68 91K 115K 166960K 591 0
subproc 117 7K 7K 166960K 130 0
NFS srvsock 1 0K 0K 166960K 1 0
NFS daemon 1 16K 16K 166960K 1 0
ip_moptions 0 0K 0K 166960K 10 0
in_multi 99 7K 7K 166960K 111 0
ether_multi 1 0K 0K 166960K 1 0
ISOFS mount 1 32K 32K 166960K 1 0
MSDOSFS mount 1 16K 16K 166960K 1 0
ttys 61 281K 281K 166960K 61 0
exec 0 0K 1K 166960K 415 0
tdb 3 0K 0K 166960K 3 0
pagedep 1 8K 8K 166960K 1 0
inodedep 1 32K 32K 166960K 1 0
newblk 1 0K 0K 166960K 1 0
VM swap 8 62K 64K 166960K 10 0
UVM amap 343 82K 86K 166960K 5768 0
UVM aobj 11 2K 4K 166960K 17 0
memdesc 1 4K 4K 166960K 1 0
crypto data 1 1K 1K 166960K 1 0
NDP 12 0K 0K 166960K 32 0
temp 52 5918K 5998K 166960K 9958 0
kqueue 12 18K 24K 166960K 37 0
SYN cache 2 16K 16K 166960K 2 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 22 0 0 1 0 1 1 0 8 0
rtpcb 120 45 0 41 1 0 1 1 0 8 0
rtentry 112 125 0 15 4 0 4 4 0 8 0
unpcb 144 171 0 154 4 3 1 4 0 8 0
syncache 312 4 0 4 1 1 0 1 0 8 0
tcpqe 32 90 0 90 1 1 0 1 0 8 0
tcpcb 808 54 0 50 4 3 1 4 0 8 0
arp 120 21 0 3 1 0 1 1 0 8 0
inpcb 368 347 0 340 12 8 4 7 0 8 3
nd6 136 27 0 3 1 0 1 1 0 8 0
kcovpl 48 10 0 1 1 0 1 1 0 8 0
pfosfp 40 1428 0 1005 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfstitem 24 32 0 28 1 0 1 1 0 8 0
pfstkey 128 32 0 28 1 0 1 1 0 8 0
pfstate 376 32 0 28 3 2 1 3 0 8 0
pfrule 1344 21 0 16 2 1 1 2 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 500 0 47 30 1 29 29 0 8 0
art_table 32 501 0 47 4 0 4 4 0 8 0
art_node 16 124 0 24 1 0 1 1 0 8 0
semapl 112 71 0 61 1 0 1 1 0 8 0
shmpl 112 14 0 6 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 1809 0 359 91 0 91 91 0 8 0
ffsino 272 1810 0 359 97 0 97 97 0 8 0
nchpl 144 2357 0 708 63 0 63 63 0 8 0
uvmvnodes 80 1983 0 0 41 0 41 41 0 8 0
vnodes 216 1983 0 0 111 0 111 111 0 8 0
namei 1024 8441 0 8440 4 3 1 2 0 8 0
percpumem 16 46 0 2 1 0 1 1 0 8 0
kstatmem 264 28 0 4 2 0 2 2 0 8 0
scxspl 216 12405 0 12405 10 9 1 8 1 8 1
plimitpl 152 42 0 25 1 0 1 1 0 8 0
sigapl 424 659 0 608 7 1 6 7 0 8 0
futexpl 64 1767 0 1767 5 4 1 1 0 8 1
knotepl 120 107 0 0 4 0 4 4 0 8 0
kqueuepl 216 47 0 37 1 0 1 1 0 8 0
pipepl 320 172 0 141 3 0 3 3 0 8 0
fdescpl 496 639 0 609 5 0 5 5 0 8 0
filepl 152 3159 0 2895 18 7 11 14 0 8 0
lockfpl 104 44 0 42 1 0 1 1 0 8 0
lockfspl 48 23 0 21 1 0 1 1 0 8 0
sessionpl 144 26 0 8 1 0 1 1 0 8 0
pgrppl 48 26 0 8 1 0 1 1 0 8 0
ucredpl 104 562 0 549 1 0 1 1 0 8 0
zombiepl 144 611 0 608 2 1 1 1 0 8 0
processpl 1072 659 0 608 4 0 4 4 0 8 0
procpl 680 1089 0 1022 9 2 7 8 0 8 0
sosppl 168 15 0 15 3 3 0 1 0 8 0
sockpl 488 563 0 535 24 15 9 13 0 8 5
mcl64k 65536 5 0 0 1 0 1 1 0 8 0
mcl16k 16384 3 0 0 1 0 1 1 0 8 0
mcl12k 12288 3 0 0 1 0 1 1 0 8 0
mcl9k 9216 3 0 0 1 0 1 1 0 8 0
mcl8k 8192 4 0 0 1 0 1 1 0 8 0
mcl4k 4096 8 0 0 1 0 1 1 0 8 0
mcl2k 2048 261 0 0 33 3 30 33 0 8 1
mtagpl 96 12 0 0 1 0 1 1 0 8 0
mbufpl 256 325 0 0 18 0 18 18 0 8 0
bufpl 288 4900 0 142 340 0 340 340 0 8 0
anonpl 24 238292 0 225476 111 0 111 111 0 186 24
amapchunkpl 152 19300 0 18452 53 6 47 50 0 158 9
amappl16 200 6315 0 5938 21 0 21 21 0 8 0
amappl15 192 16 0 16 1 1 0 1 0 8 0
amappl14 184 172 0 158 2 1 1 2 0 8 0
amappl13 176 4 0 3 1 0 1 1 0 8 0
amappl12 168 1337 0 1306 3 1 2 2 0 8 0
amappl11 160 56 0 41 1 0 1 1 0 8 0
amappl10 152 34 0 24 1 0 1 1 0 8 0
amappl9 144 188 0 186 1 0 1 1 0 8 0
amappl8 136 240 0 182 3 0 3 3 0 8 0
amappl7 128 182 0 156 2 0 2 2 0 8 0
amappl6 120 305 0 295 1 0 1 1 0 8 0
amappl5 112 136 0 124 1 0 1 1 0 8 0
amappl4 104 463 0 432 2 1 1 2 0 8 0
amappl3 96 3653 0 3565 6 3 3 4 0 8 0
amappl2 88 1063 0 987 3 1 2 3 0 8 0
amappl1 80 10833 0 10257 23 10 13 23 0 8 0
amappl 88 5209 0 4988 7 0 7 7 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 16 0 6 1 0 1 1 0 8 0
uaddrrnd 24 640 0 610 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 640 0 610 1 0 1 1 0 8 0
vmmpekpl 168 11287 0 11219 4 0 4 4 0 8 0
vmmpepl 168 63314 0 61016 159 34 125 125 0 357 18
vmsppl 464 639 0 610 5 0 5 5 0 8 0
rwobjpl 56 25127 0 21626 51 1 50 50 0 8 0
pdppl 4096 1288 0 1220 154 80 74 80 0 8 6
pvpl 32 500425 0 481276 363 122 241 361 0 265 75
pmappl 248 639 0 610 3 0 3 3 0 8 0
extentpl 40 56 0 38 1 0 1 1 0 8 0
phpool 112 804 0 103 21 0 21 21 0 8 0
ddb{1}> machine ddbcpu 0
Stopped at x86_ipi_db+0x1e: addq $0x8,%rsp
x86_ipi_db(ffffffff82b72ff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff82cb5eb8) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82cb5eb8) at __mp_lock+0x122 sys/kern/kern_lock.c:147
intr_handler(ffff80002f1007f0,ffff800000685b80) at intr_handler+0x62 sys/arch/amd64/amd64/intr.c:532
Xintr_ioapic_edge1_untramp() at Xintr_ioapic_edge1_untramp+0x18f
Xspllower() at Xspllower+0x1d
pmap_enter(fffffd8067baf4e8,7c0a849c9000,666d2000,1,20) at pmap_enter+0x9b7 pmap_unmap_ptes sys/arch/amd64/amd64/pmap.c:444 [inline]
pmap_enter(fffffd8067baf4e8,7c0a849c9000,666d2000,1,20) at pmap_enter+0x9b7 sys/arch/amd64/amd64/pmap.c:2892
uvm_fault_upper_lookup(ffff80002f100bc0,ffff80002f100bf8,ffff80002f100ac0,ffff80002f100b40) at uvm_fault_upper_lookup+0x2c0 sys/uvm/uvm_fault.c:895
uvm_fault(fffffd8069bbe588,7c0a849c8000,0,1) at uvm_fault+0x129 sys/uvm/uvm_fault.c:605
upageflttrap(ffff80002f100d40,7c0a849c8df0) at upageflttrap+0x86 sys/arch/amd64/amd64/trap.c:188
usertrap(ffff80002f100d40) at usertrap+0x226 sys/arch/amd64/amd64/trap.c:436
recall_trap() at recall_trap+0x8
end of kernel
end trace frame: 0x7c0a849c8e20, count: 2
ddb{0}> trace
x86_ipi_db(ffffffff82b72ff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff82cb5eb8) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82cb5eb8) at __mp_lock+0x122 sys/kern/kern_lock.c:147
intr_handler(ffff80002f1007f0,ffff800000685b80) at intr_handler+0x62 sys/arch/amd64/amd64/intr.c:532
Xintr_ioapic_edge1_untramp() at Xintr_ioapic_edge1_untramp+0x18f
Xspllower() at Xspllower+0x1d
pmap_enter(fffffd8067baf4e8,7c0a849c9000,666d2000,1,20) at pmap_enter+0x9b7 pmap_unmap_ptes sys/arch/amd64/amd64/pmap.c:444 [inline]
pmap_enter(fffffd8067baf4e8,7c0a849c9000,666d2000,1,20) at pmap_enter+0x9b7 sys/arch/amd64/amd64/pmap.c:2892
uvm_fault_upper_lookup(ffff80002f100bc0,ffff80002f100bf8,ffff80002f100ac0,ffff80002f100b40) at uvm_fault_upper_lookup+0x2c0 sys/uvm/uvm_fault.c:895
uvm_fault(fffffd8069bbe588,7c0a849c8000,0,1) at uvm_fault+0x129 sys/uvm/uvm_fault.c:605
upageflttrap(ffff80002f100d40,7c0a849c8df0) at upageflttrap+0x86 sys/arch/amd64/amd64/trap.c:188
usertrap(ffff80002f100d40) at usertrap+0x226 sys/arch/amd64/amd64/trap.c:436
recall_trap() at recall_trap+0x8
end of kernel
end trace frame: 0x7c0a849c8e20, count: -13
ddb{0}> machine ddbcpu 1
Stopped at db_enter+0x1c: addq $0x8,%rsp
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff827a37af) at panic+0x17b sys/kern/subr_prf.c:198
__assert(ffffffff82826740,ffffffff82814e0c,136,ffffffff827efb11) at __assert+0x29 sys/kern/subr_prf.c:157
buf_free_pages(fffffd80691d5b70) at buf_free_pages+0x1d2 sys/kern/vfs_biomem.c:299
buf_dealloc_mem(fffffd80691d5b70) at buf_dealloc_mem+0xe3 sys/kern/vfs_biomem.c:179
buf_put(fffffd80691d5b70) at buf_put+0x165 sys/kern/vfs_bio.c:130
brelse(fffffd80691d5b70) at brelse+0x5c3 sys/kern/vfs_bio.c:957
vinvalbuf(fffffd806b729cc8,2,fffffd807f7d66e8,ffff80002a1ce550,0,ffffffffffffffff) at vinvalbuf+0x391 sys/kern/vfs_subr.c:2021
ffs_truncate(fffffd806608b660,0,4,fffffd807f7d66e8) at ffs_truncate+0xf22 sys/ufs/ffs/ffs_inode.c:326
ufs_rmdir(ffff800033f85e88) at ufs_rmdir+0x3a9 sys/ufs/ufs/ufs_vnops.c:1342
VOP_RMDIR(fffffd807a16daf8,fffffd806b729cc8,ffff800033f85f68) at VOP_RMDIR+0x12a sys/kern/vfs_vops.c:407
dounlinkat(ffff80002a1ce550,ffffff9c,7002072b2360,8) at dounlinkat+0x20e sys/kern/vfs_syscalls.c:1880
syscall(ffff800033f860e0) at syscall+0x4e6 sys/arch/amd64/amd64/trap.c:606
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7002072b2350, count: 1
ddb{1}> trace
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff827a37af) at panic+0x17b sys/kern/subr_prf.c:198
__assert(ffffffff82826740,ffffffff82814e0c,136,ffffffff827efb11) at __assert+0x29 sys/kern/subr_prf.c:157
buf_free_pages(fffffd80691d5b70) at buf_free_pages+0x1d2 sys/kern/vfs_biomem.c:299
buf_dealloc_mem(fffffd80691d5b70) at buf_dealloc_mem+0xe3 sys/kern/vfs_biomem.c:179
buf_put(fffffd80691d5b70) at buf_put+0x165 sys/kern/vfs_bio.c:130
brelse(fffffd80691d5b70) at brelse+0x5c3 sys/kern/vfs_bio.c:957
vinvalbuf(fffffd806b729cc8,2,fffffd807f7d66e8,ffff80002a1ce550,0,ffffffffffffffff) at vinvalbuf+0x391 sys/kern/vfs_subr.c:2021
ffs_truncate(fffffd806608b660,0,4,fffffd807f7d66e8) at ffs_truncate+0xf22 sys/ufs/ffs/ffs_inode.c:326
ufs_rmdir(ffff800033f85e88) at ufs_rmdir+0x3a9 sys/ufs/ufs/ufs_vnops.c:1342
VOP_RMDIR(fffffd807a16daf8,fffffd806b729cc8,ffff800033f85f68) at VOP_RMDIR+0x12a sys/kern/vfs_vops.c:407
dounlinkat(ffff80002a1ce550,ffffff9c,7002072b2360,8) at dounlinkat+0x20e sys/kern/vfs_syscalls.c:1880
syscall(ffff800033f860e0) at syscall+0x4e6 sys/arch/amd64/amd64/trap.c:606
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7002072b2350, count: -14


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup