uvm_fault: ufs_lookup


syzbot

Jan 14, 2022, 3:52:18 AM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: a0e2ca3ce324 sshsk_sign: trim call to sshkey_fingerprint()
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=147c3a88700000
kernel config: https://syzkaller.appspot.com/x/.config?x=bf87b6915a88cd0d
dashboard link: https://syzkaller.appspot.com/bug?extid=d0ae3406b0874e045aa1

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d0ae34...@syzkaller.appspotmail.com

uvm_fault(0xffffffff829c20d0, 0xffff80001926f004, 0, 1) -> d
kernel: page fault trap, code=0
Stopped at ufs_lookup+0x4ce: movzwl 0x4(%r15,%r13,1),%ebx
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*329948 12068 0 0 0x4000000 0K syz-executor.2
ufs_lookup() at ufs_lookup+0x4ce sys/ufs/ufs/ufs_lookup.c:281
VOP_LOOKUP(fffffd80688eb0a8,ffff800027b71448,ffff800027b71478) at VOP_LOOKUP+0x58 sys/kern/vfs_vops.c:85
vfs_lookup(ffff800027b71418) at vfs_lookup+0x6e5 sys/kern/vfs_lookup.c:561
namei(ffff800027b71418) at namei+0x36a sys/kern/vfs_lookup.c:245
vn_open(ffff800027b71418,1,0) at vn_open+0x105 sys/kern/vfs_vnops.c:146
doopenat(ffff800021192008,ffffff9c,20000100,0,0,ffff800027b71600) at doopenat+0x26a sys/kern/vfs_syscalls.c:1128
syscall(ffff800027b71670) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800027b71670) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x8a9310c6920, count: 7
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
*cpu0: uvm_fault(0xffffffff829c20d0, 0xffff80001926f004, 0, 1) -> d
ddb{0}> trace
ufs_lookup() at ufs_lookup+0x4ce sys/ufs/ufs/ufs_lookup.c:281
VOP_LOOKUP(fffffd80688eb0a8,ffff800027b71448,ffff800027b71478) at VOP_LOOKUP+0x58 sys/kern/vfs_vops.c:85
vfs_lookup(ffff800027b71418) at vfs_lookup+0x6e5 sys/kern/vfs_lookup.c:561
namei(ffff800027b71418) at namei+0x36a sys/kern/vfs_lookup.c:245
vn_open(ffff800027b71418,1,0) at vn_open+0x105 sys/kern/vfs_vnops.c:146
doopenat(ffff800021192008,ffffff9c,20000100,0,0,ffff800027b71600) at doopenat+0x26a sys/kern/vfs_syscalls.c:1128
syscall(ffff800027b71670) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800027b71670) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x8a9310c6920, count: -8
ddb{0}> show registers
rdi 0
rsi 0
rbp 0xffff800027b71080
rbx 0
rdx 0
rcx 0xffffffff
rax 0xfffffd8061533120
r8 0xffffffffffffffff
r9 0xfffffd807f7d7720
r10 0xeb2b147d6f0bf70e
r11 0xd962c6bc8993a042
r12 0
r13 0
r14 0
r15 0xffff80001926f000
rip 0xffffffff81748c7e ufs_lookup+0x4ce
cs 0x8
rflags 0x10202 __ALIGN_SIZE+0xf202
rsp 0xffff800027b70f80
ss 0x10
ufs_lookup+0x4ce: movzwl 0x4(%r15,%r13,1),%ebx
ddb{0}> show proc
PROC (syz-executor.2) pid=329948 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=32, usrpri=82, nice=20
forw=0xffffffffffffffff, list=0xffff800021264a88,0xffffffff829f6170
process=0xffff800027b5dd30 user=0xffff800027b6c000, vmspace=0xfffffd8067040310
estcpu=32, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
12068 378493 24794 0 2 0 syz-executor.2
12068 316630 24794 0 2 0x4000000 syz-executor.2
*12068 329948 24794 0 7 0x4000000 syz-executor.2
23992 206774 7423 0 2 0x482 syz-executor.1
24794 331302 7423 0 2 0x482 syz-executor.2
32192 235378 7423 0 2 0x2 syz-executor.3
63269 478390 7423 0 2 0x482 syz-executor.0
63691 4168 1 0 3 0x100083 ttyin getty
8597 57247 0 0 3 0x14200 bored sosplice
7423 490004 2509 0 3 0x82 thrsleep syz-fuzzer
7423 100784 2509 0 3 0x4000082 thrsleep syz-fuzzer
7423 153242 2509 0 3 0x4000082 kqread syz-fuzzer
7423 491485 2509 0 3 0x4000082 thrsleep syz-fuzzer
7423 307820 2509 0 3 0x4000082 thrsleep syz-fuzzer
7423 282263 2509 0 3 0x4000082 thrsleep syz-fuzzer
7423 441538 2509 0 3 0x4000082 thrsleep syz-fuzzer
7423 104925 2509 0 3 0x4000082 thrsleep syz-fuzzer
2509 399390 92311 0 3 0x10008a sigsusp ksh
92311 36590 67181 0 3 0x9a poll sshd
67181 495261 1 0 3 0x88 poll sshd
60989 391411 44274 74 3 0x100092 bpf pflogd
44274 256463 1 0 3 0x80 netio pflogd
8023 20205 23936 73 3 0x100090 kqread syslogd
23936 46949 1 0 3 0x100082 netio syslogd
95417 433442 1 0 3 0x100080 kqread resolvd
43392 143003 19471 77 3 0x100092 kqread dhcpleased
14570 14692 19471 77 3 0x100092 kqread dhcpleased
19471 14776 1 0 3 0x80 kqread dhcpleased
8186 54959 0 0 3 0x14200 bored smr
43205 493277 0 0 2 0x14200 zerothread
86155 423212 0 0 3 0x14200 aiodoned aiodoned
39177 425597 0 0 3 0x14200 syncer update
2347 204498 0 0 3 0x14200 cleaner cleaner
96201 153003 0 0 3 0x14200 reaper reaper
59696 414733 0 0 3 0x14200 pgdaemon pagedaemon
37265 197104 0 0 3 0x14200 bored viomb
64578 283870 0 0 3 0x40014200 acpi0 acpi0
87243 345543 0 0 7 0x40014200 idle1
64720 319905 0 0 3 0x14200 bored softnet
16602 12595 0 0 3 0x14200 bored systqmp
57954 443218 0 0 3 0x14200 bored systq
27104 351550 0 0 2 0x40014200 softclock
87177 454043 0 0 3 0x40014200 idle0
1 296372 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
Process 12068 (syz-executor.2) thread 0xffff800021192008 (329948)
exclusive rrwlock inode r = 0 (0xfffffd806e23f1b0)
#0 witness_lock+0x44d
#1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2 rrw_enter+0x8b sys/kern/kern_rwlock.c:461
#3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:534
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:579
#5 vfs_lookup+0xd1 sys/kern/vfs_lookup.c:413
#6 namei+0x36a sys/kern/vfs_lookup.c:245
#7 vn_open+0x105 sys/kern/vfs_vnops.c:146
#8 doopenat+0x26a sys/kern/vfs_syscalls.c:1128
#9 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#9 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#10 Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 1 (0xffffffff8287ee48)
#0 witness_lock+0x44d
#1 syscall+0x3ef mi_syscall sys/sys/syscall_mi.h:93 [inline]
#1 syscall+0x3ef sys/arch/amd64/amd64/trap.c:585
#2 Xsyscall+0x128
Process 32192 (syz-executor.3) thread 0xffff800021265508 (235378)
exclusive rrwlock inode r = 0 (0xfffffd806578d3d0)
#0 witness_lock+0x44d
#1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2 rrw_enter+0x8b sys/kern/kern_rwlock.c:461
#3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:534
#4 ufs_ihashins+0x42 sys/ufs/ufs/ufs_ihash.c:140
#5 ffs_vget+0x141 sys/ufs/ffs/ffs_vfsops.c:1347
#6 ffs_inode_alloc+0x1be sys/ufs/ffs/ffs_alloc.c:394
#7 ufs_mkdir+0xf4 sys/ufs/ufs/ufs_vnops.c:1162
#8 VOP_MKDIR+0xbf sys/kern/vfs_vops.c:404
#9 domkdirat+0x121 sys/kern/vfs_syscalls.c:3100
#10 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#10 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#11 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd806578db40)
#0 witness_lock+0x44d
#1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2 rrw_enter+0x8b sys/kern/kern_rwlock.c:461
#3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:534
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:579
#5 vfs_lookup+0xd1 sys/kern/vfs_lookup.c:413
#6 namei+0x36a sys/kern/vfs_lookup.c:245
#7 domkdirat+0x75 sys/kern/vfs_syscalls.c:3085
#8 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#8 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#9 Xsyscall+0x128
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10206 6508K 8086K 78643K 46599 0
pcb 13 24K 27K 78643K 4235 0
rtable 149 19K 21K 78643K 4626 0
ifaddr 66 22K 26K 78643K 1876 0
sysctl 2 0K 0K 78643K 2 0
counters 48 34K 35K 78643K 674 0
ioctlops 0 0K 4K 78643K 7601 0
iov 0 0K 20K 78643K 2908 0
mount 1 1K 1K 78643K 1 0
log 0 0K 0K 78643K 5 0
vnodes 1747 110K 110K 78643K 15374 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 9K 78643K 215 0
VM map 2 1K 1K 78643K 2 0
sem 12 0K 0K 78643K 1994 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12598 0
file desc 7 21K 49K 78643K 21815 0
sigio 0 0K 0K 78643K 1503 0
proc 75 87K 124K 78643K 3200 0
subproc 52 6K 23K 78643K 1188 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
ip_moptions 0 0K 0K 78643K 1944 0
in_multi 41 2K 4K 78643K 3285 0
ether_multi 1 0K 0K 78643K 463 0
mrt 1 0K 0K 78643K 101 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 259 1155K 1155K 78643K 259 0
exec 0 0K 2K 78643K 4350 0
pfkey data 0 0K 0K 78643K 5 0
tdb 3 0K 0K 78643K 3 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 7 26K 26K 78643K 7 0
UVM amap 624 1525K 1525K 78643K 266266 0
UVM aobj 133 8K 8K 78643K 134 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
ip6_options 0 0K 1K 78643K 4055 0
NDP 9 0K 1K 78643K 688 0
temp 104 4204K 8300K 78643K 209520 0
kqueue 10 14K 22K 78643K 909 0
SYN cache 2 16K 16K 78643K 2 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 22 0 0 1 0 1 1 0 8 0
rtpcb 120 2600 0 2597 27 26 1 3 0 8 0
rtentry 112 1422 0 1376 3 1 2 2 0 8 0
unpcb 136 12048 0 12033 130 129 1 9 0 8 0
syncache 296 112 0 112 29 29 0 1 0 8 0
tcpqe 32 63 50 63 3 3 0 1 0 8 0
tcpcb 736 9316 0 9310 302 300 2 21 0 8 1
arp 120 169 0 161 1 0 1 1 0 8 0
inpcb 304 27319 0 27310 298 289 9 16 0 8 8
rttmr 72 23 0 23 8 8 0 1 0 8 0
ip6q 72 4 0 4 1 1 0 1 0 8 0
ip6af 40 12 0 12 1 1 0 1 0 8 0
nd6 48 485 0 475 1 0 1 1 0 8 0
pkpcb 40 47 0 47 10 10 0 1 0 8 0
kcovpl 48 73 0 69 1 0 1 1 0 8 0
ppxss 1248 99 0 99 19 19 0 1 0 8 0
pfstscr 40 766 0 766 2 2 0 1 0 8 0
pffrag 232 97 0 96 7 6 1 1 0 482 0
pffrnode 88 96 0 95 7 6 1 1 0 8 0
pffrent 40 1028 0 1027 9 8 1 1 0 8 0
pfosfp 40 1428 0 1005 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfrke_plain 168 8 0 8 2 2 0 1 0 8 0
pfrktable 1344 165 0 152 4 2 2 2 0 8 0
pftag 88 3 0 0 1 0 1 1 0 8 0
pfstitem 24 526 0 524 1 0 1 1 0 8 0
pfstkey 112 1538 0 1536 1 0 1 1 0 8 0
pfstate 320 777 0 775 1 0 1 1 0 8 0
pfrule 1360 177 0 146 5 1 4 4 0 8 0
art_heap8 4096 2 0 1 2 1 1 2 0 8 0
art_heap4 256 5573 0 5369 47 33 14 22 0 8 0
art_table 32 5575 0 5370 4 1 3 3 0 8 0
art_node 16 1406 0 1368 1 0 1 1 0 8 0
sysvmsgpl 40 45 0 5 1 0 1 1 0 8 0
semapl 112 1992 0 1982 1 0 1 1 0 8 0
shmpl 112 131 0 3 4 0 4 4 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 31662 0 30207 92 0 92 92 0 8 0
ffsino 272 31662 0 30207 98 0 98 98 0 8 0
nchpl 144 67985 0 66392 61 0 61 61 0 8 0
rtmask 32 12 0 12 2 2 0 1 0 8 0
uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0
vnodes 224 5926 0 0 349 0 349 349 0 8 0
namei 1024 239426 0 239424 3 2 1 1 0 8 0
percpumem 16 349 0 313 1 0 1 1 0 8 0
vcpupl 2048 420 0 0 53 0 53 53 0 8 0
vmpool 560 512 0 92 32 2 30 30 0 8 0
pfiaddrpl 120 114 0 95 1 0 1 1 0 8 0
scsiplug 72 13 0 13 4 4 0 1 0 8 0
scxspl 216 194507 0 194507 30 28 2 8 0 8 2
plimitpl 152 3788 0 3777 1 0 1 1 0 8 0
sigapl 424 21885 0 21849 8 2 6 7 0 8 0
futexpl 64 225952 0 225952 4 3 1 1 0 8 1
knotepl 112 210 0 0 4 0 4 4 0 8 0
kqueuepl 216 5195 0 5189 99 98 1 8 0 8 0
pipepl 336 6222 0 6206 168 163 5 12 0 8 3
fdescpl 496 21838 0 21817 7 4 3 4 0 8 0
filepl 152 183119 0 182966 268 256 12 19 0 8 5
lockfpl 104 8148 0 8146 19 18 1 2 0 8 0
lockfspl 48 2075 0 2073 1 0 1 1 0 8 0
sessionpl 144 95 0 82 1 0 1 1 0 8 0
pgrppl 48 134 0 121 1 0 1 1 0 8 0
ucredpl 96 29601 0 29586 1 0 1 1 0 8 0
zombiepl 144 21850 0 21848 1 0 1 1 0 8 0
processpl 1064 21885 0 21848 5 1 4 5 0 8 0
procpl 672 54494 0 54448 29 24 5 8 0 8 0
srpgc 96 90 0 90 20 20 0 1 0 8 0
sosppl 168 167 0 167 33 32 1 1 0 8 1
sockpl 480 42056 0 42029 779 767 12 42 0 8 8
mcl64k 65536 15 0 0 2 0 2 2 0 8 0
mcl16k 16384 8 0 0 1 0 1 1 0 8 0
mcl12k 12288 10 0 0 1 0 1 1 0 8 0
mcl9k 9216 4 0 0 1 0 1 1 0 8 0
mcl8k 8192 14 0 0 2 0 2 2 0 8 0
mcl4k 4096 14 0 0 2 0 2 2 0 8 0
mcl2k2 2112 2 0 0 1 0 1 1 0 8 0
mcl2k 2048 355 0 0 28 6 22 28 0 8 0
mtagpl 96 1116 0 0 16 1 15 16 0 8 0
mbufpl 256 9060 0 0 561 0 561 561 0 8 0
bufpl 288 55055 0 48711 454 0 454 454 0 8 0
anonpl 24 6235247 0 6210434 548 374 174 186 0 186 0
amapchunkpl 152 812039 0 811129 222 184 38 53 0 158 0
amappl16 200 70588 0 69527 345 281 64 69 0 8 7
amappl15 192 4361 0 4360 1 0 1 1 0 8 0
amappl14 184 1719 0 1715 1 0 1 1 0 8 0
amappl13 176 2617 0 2611 1 0 1 1 0 8 0
amappl12 168 4253 0 4248 1 0 1 1 0 8 0
amappl11 160 2905 0 2891 1 0 1 1 0 8 0
amappl10 152 1630 0 1619 1 0 1 1 0 8 0
amappl9 144 3290 0 3285 1 0 1 1 0 8 0
amappl8 136 4420 0 4295 5 0 5 5 0 8 0
amappl7 128 2902 0 2891 1 0 1 1 0 8 0
amappl6 120 3376 0 3353 1 0 1 1 0 8 0
amappl5 112 16530 0 16505 1 0 1 1 0 8 0
amappl4 104 8256 0 8228 1 0 1 1 0 8 0
amappl3 96 7036 0 7012 1 0 1 1 0 8 0
amappl2 88 6229 0 6179 2 0 2 2 0 8 0
amappl1 80 382964 0 382474 15 4 11 13 0 8 0
amappl 88 264016 0 263698 9 1 8 8 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 133 0 1 3 0 3 3 0 8 0
uaddrrnd 24 22350 0 21909 3 0 3 3 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 22350 0 21909 3 0 3 3 0 8 0
vmmpekpl 168 138900 0 138838 5 1 4 4 0 8 0
vmmpepl 168 1993067 0 1989600 670 480 190 200 0 357 32
vmsppl 368 22349 0 21909 42 1 41 41 0 8 0
rwobjpl 56 472474 0 464305 171 53 118 119 0 8 2
pdppl 4096 44708 0 44238 574 100 474 476 0 8 4
pvpl 32 10474061 0 10452182 771 556 215 263 0 265 0
pmappl 248 22349 0 21909 29 1 28 28 0 8 0
extentpl 40 57 0 38 1 0 1 1 0 8 0
phpool 112 2442 0 609 54 1 53 53 0 8 0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
ufs_lookup() at ufs_lookup+0x4ce sys/ufs/ufs/ufs_lookup.c:281
VOP_LOOKUP(fffffd80688eb0a8,ffff800027b71448,ffff800027b71478) at VOP_LOOKUP+0x58 sys/kern/vfs_vops.c:85
vfs_lookup(ffff800027b71418) at vfs_lookup+0x6e5 sys/kern/vfs_lookup.c:561
namei(ffff800027b71418) at namei+0x36a sys/kern/vfs_lookup.c:245
vn_open(ffff800027b71418,1,0) at vn_open+0x105 sys/kern/vfs_vnops.c:146
doopenat(ffff800021192008,ffffff9c,20000100,0,0,ffff800027b71600) at doopenat+0x26a sys/kern/vfs_syscalls.c:1128
syscall(ffff800027b71670) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800027b71670) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x8a9310c6920, count: -8
ddb{0}> machine ddbcpu 1
Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp
x86_ipi_db(ffff800020d38ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206
sched_idle(ffff800020d38ff0) at sched_idle+0x417 sys/kern/kern_sched.c:178
end trace frame: 0x0, count: 10
ddb{1}> trace
x86_ipi_db(ffff800020d38ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206
sched_idle(ffff800020d38ff0) at sched_idle+0x417 sys/kern/kern_sched.c:178
end trace frame: 0x0, count: -5


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Feb 26, 2023, 5:50:46 PM
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 1e5b016c5082 sync for __syscall removal
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=10d1a1a8c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7058272de1526588
dashboard link: https://syzkaller.appspot.com/bug?extid=d0ae3406b0874e045aa1
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14d68960c80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cb9a404e2563/disk-1e5b016c.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/27dc2036237a/bsd-1e5b016c.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ea0ea667b9fa/kernel-1e5b016c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d0ae34...@syzkaller.appspotmail.com

uvm_fault(0xffffffff82d6bcf0, 0xffff80001765f004, 0, 1) -> d
kernel: page fault trap, code=0
Stopped at ufs_lookup+0x4ce: movzwl 0x4(%r15,%r13,1),%ebx
TID PID UID PRFLAGS PFLAGS CPU COMMAND
185719 72845 0 0 0 1 syz-executor.0
*226751 28615 0 0 0x4000000 0K syz-executor.7
ufs_lookup() at ufs_lookup+0x4ce sys/ufs/ufs/ufs_lookup.c:281
VOP_LOOKUP(fffffd806b862cf8,ffff800021409688,ffff8000214096b8) at VOP_LOOKUP+0x58 sys/kern/vfs_vops.c:85
vfs_lookup(ffff800021409658) at vfs_lookup+0x6e5 sys/kern/vfs_lookup.c:566
namei(ffff800021409658) at namei+0x55a sys/kern/vfs_lookup.c:250
vn_open(ffff800021409658,201,0) at vn_open+0x188 sys/kern/vfs_vnops.c:107
doopenat(ffff8000212ec850,ffffff9c,20000180,200,0,ffff800021409830) at doopenat+0x26a sys/kern/vfs_syscalls.c:1127
syscall(ffff8000214098b0) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff8000214098b0) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:625
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x9f2b11ddd0, count: 7
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
*cpu0: uvm_fault(0xffffffff82d6bcf0, 0xffff80001765f004, 0, 1) -> d
ddb{0}> trace
ufs_lookup() at ufs_lookup+0x4ce sys/ufs/ufs/ufs_lookup.c:281
VOP_LOOKUP(fffffd806b862cf8,ffff800021409688,ffff8000214096b8) at VOP_LOOKUP+0x58 sys/kern/vfs_vops.c:85
vfs_lookup(ffff800021409658) at vfs_lookup+0x6e5 sys/kern/vfs_lookup.c:566
namei(ffff800021409658) at namei+0x55a sys/kern/vfs_lookup.c:250
vn_open(ffff800021409658,201,0) at vn_open+0x188 sys/kern/vfs_vnops.c:107
doopenat(ffff8000212ec850,ffffff9c,20000180,200,0,ffff800021409830) at doopenat+0x26a sys/kern/vfs_syscalls.c:1127
syscall(ffff8000214098b0) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff8000214098b0) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:625
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x9f2b11ddd0, count: -8
ddb{0}> show registers
rdi 0
rsi 0
rbp 0xffff8000214092c0
rbx 0
rdx 0xfffffd80693e1ca0
rcx 0xffffffff
rax 0xfffffd8076200ea0
r8 0xffffffffffffffff
r9 0xfffffd807f7d76e8
r10 0xa74fda976244850a
r11 0x72062e65ae6fd718
r12 0
r13 0
r14 0
r15 0xffff80001765f000
rip 0xffffffff81e0d07e ufs_lookup+0x4ce
cs 0x8
rflags 0x10202 __ALIGN_SIZE+0xf202
rsp 0xffff8000214091c0
ss 0x10
ufs_lookup+0x4ce: movzwl 0x4(%r15,%r13,1),%ebx
ddb{0}> show proc
PROC (syz-executor.7) pid=226751 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=32, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff8000212ecdc0,0xffffffff82ca0df8
process=0xffff80002128fab8 user=0xffff800021404000, vmspace=0xfffffd80699311b8
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=0, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
72845 185719 50563 0 7 0 syz-executor.0
28615 442890 79279 0 2 0 syz-executor.7
*28615 226751 79279 0 7 0x4000000 syz-executor.7
63728 408923 70710 0 2 0 syz-executor.5
63728 86463 70710 0 3 0x4000080 fsleep syz-executor.5
83654 315824 173 0 2 0 syz-executor.4
83654 498073 173 0 3 0x4000080 fsleep syz-executor.4
97766 472442 51288 0 2 0 syz-executor.1
97766 388668 51288 0 2 0x4000000 syz-executor.1
173 85880 20712 0 2 0x2 syz-executor.4
34544 276522 3517 0 3 0x100082 netio arp
3517 80054 1 0 3 0x10008a sigsusp sh
80993 33740 20712 0 2 0x482 syz-executor.2
51288 508635 20712 0 2 0x482 syz-executor.1
50563 91193 20712 0 2 0x482 syz-executor.0
79279 158629 20712 0 3 0x82 nanoslp syz-executor.7
70710 327980 20712 0 3 0x82 nanoslp syz-executor.5
74663 482390 20712 0 2 0x2 syz-executor.3
20712 192277 86957 0 3 0x82 thrsleep syz-execprog
20712 331057 86957 0 3 0x4000082 nanoslp syz-execprog
20712 81988 86957 0 3 0x4000082 wait syz-execprog
20712 467073 86957 0 3 0x4000082 wait syz-execprog
20712 57360 86957 0 3 0x4000082 thrsleep syz-execprog
20712 257520 86957 0 3 0x4000082 wait syz-execprog
20712 297431 86957 0 3 0x4000082 wait syz-execprog
20712 105983 86957 0 3 0x4000082 wait syz-execprog
20712 170954 86957 0 3 0x4000082 wait syz-execprog
20712 71930 86957 0 3 0x4000082 wait syz-execprog
20712 138831 86957 0 3 0x4000082 thrsleep syz-execprog
20712 105580 86957 0 3 0x4000082 wait syz-execprog
20712 271401 86957 0 3 0x4000082 thrsleep syz-execprog
20712 36712 86957 0 3 0x4000082 thrsleep syz-execprog
20712 521717 86957 0 3 0x4000082 thrsleep syz-execprog
20712 68325 86957 0 3 0x4000082 kqread syz-execprog
86957 72332 50724 0 3 0x10008a sigsusp ksh
50724 201949 97503 0 3 0x9a kqread sshd
44552 225932 1 0 3 0x100083 ttyin getty
97503 91956 1 0 3 0x88 kqread sshd
66189 48527 28168 74 3 0x1100092 bpf pflogd
28168 501789 1 0 3 0x80 netio pflogd
26781 177309 12417 73 3 0x1100090 kqread syslogd
12417 250851 1 0 3 0x100082 netio syslogd
4820 277574 1 0 3 0x100080 kqread resolvd
14629 517973 94773 77 3 0x100092 kqread dhcpleased
58446 292679 94773 77 3 0x100092 kqread dhcpleased
94773 45626 1 0 3 0x80 kqread dhcpleased
53060 413054 0 0 3 0x14200 bored smr
84606 85954 0 0 2 0x14200 zerothread
4660 111759 0 0 3 0x14200 aiodoned aiodoned
18710 51494 0 0 3 0x14200 syncer update
90816 291438 0 0 3 0x14200 cleaner cleaner
97774 334538 0 0 3 0x14200 reaper reaper
12318 382696 0 0 3 0x14200 pgdaemon pagedaemon
81273 264490 0 0 3 0x14200 bored viomb
51794 177399 0 0 3 0x40014200 acpi0 acpi0
50126 109263 0 0 3 0x40014200 idle1
56787 521027 0 0 3 0x14200 bored softnet
64185 25580 0 0 3 0x14200 bored softnet
62260 448723 0 0 3 0x14200 bored softnet
10626 359374 0 0 3 0x14200 bored softnet
77195 368000 0 0 3 0x14200 bored systqmp
10935 104361 0 0 3 0x14200 bored systq
79995 9308 0 0 3 0x40014200 bored softclock
9146 389340 0 0 3 0x40014200 idle0
1 15650 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
Process 72845 (syz-executor.0) thread 0xffff8000212ecb08 (185719)
shared rwlock vmmaplk r = 0 (0xfffffd80699310f0)
#0 witness_lock+0x44d
#1 uvmfault_lookup+0xc9 sys/uvm/uvm_fault.c:1773
#2 uvm_fault_check+0x3a sys/uvm/uvm_fault.c:673
#3 uvm_fault+0xf2 sys/uvm/uvm_fault.c:601
#4 upageflttrap+0x85 sys/arch/amd64/amd64/trap.c:186
#5 usertrap+0x204 sys/arch/amd64/amd64/trap.c:438
#6 recall_trap+0x8
Process 28615 (syz-executor.7) thread 0xffff8000212ec850 (226751)
exclusive rrwlock inode r = 0 (0xfffffd8071951f80)
#0 witness_lock+0x44d
#1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2 rrw_enter+0x8b sys/kern/kern_rwlock.c:465
#3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:518
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:564
#5 vfs_lookup+0xd1 sys/kern/vfs_lookup.c:418
#6 namei+0x55a sys/kern/vfs_lookup.c:250
#7 vn_open+0x188 sys/kern/vfs_vnops.c:107
#8 doopenat+0x26a sys/kern/vfs_syscalls.c:1127
#9 syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
#9 syscall+0x5e2 sys/arch/amd64/amd64/trap.c:625
#10 Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 1 (0xffffffff82db6228)
#0 witness_lock+0x44d
#1 syscall+0x5cd mi_syscall sys/sys/syscall_mi.h:110 [inline]
#1 syscall+0x5cd sys/arch/amd64/amd64/trap.c:625
#2 Xsyscall+0x128
Process 74663 (syz-executor.3) thread 0xffff800021202838 (482390)
exclusive rrwlock inode r = 0 (0xfffffd80758c40a8)
#0 witness_lock+0x44d
#1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2 rrw_enter+0x8b sys/kern/kern_rwlock.c:465
#3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:518
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:564
#5 vget+0x1fc sys/kern/vfs_subr.c:676
#6 ufs_ihashget+0x121 sys/ufs/ufs/ufs_ihash.c:119
#7 ffs_vget+0x7c sys/ufs/ffs/ffs_vfsops.c:1324
#8 ufs_lookup+0x13ba sys/ufs/ufs/ufs_lookup.c:487
#9 VOP_LOOKUP+0x58 sys/kern/vfs_vops.c:85
#10 vfs_lookup+0x6e5 sys/kern/vfs_lookup.c:566
#11 namei+0x55a sys/kern/vfs_lookup.c:250
#12 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1848
#13 syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
#13 syscall+0x5e2 sys/arch/amd64/amd64/trap.c:625
#14 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd806b35b3d0)
#0 witness_lock+0x44d
#1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2 rrw_enter+0x8b sys/kern/kern_rwlock.c:465
#3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:518
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:564
#5 vfs_lookup+0xd1 sys/kern/vfs_lookup.c:418
#6 namei+0x55a sys/kern/vfs_lookup.c:250
#7 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1848
#8 syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
#8 syscall+0x5e2 sys/arch/amd64/amd64/trap.c:625
#9 Xsyscall+0x128
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10197 6475K 6476K 78643K 11292 0
pcb 13 8K 8K 78643K 13 0
rtable 234 6K 6K 78643K 355 0
ifaddr 77 25K 25K 78643K 86 0
counters 60 35K 35K 78643K 62 0
ioctlops 0 0K 4K 78643K 1481 0
mount 1 1K 1K 78643K 1 0
log 0 0K 0K 78643K 4 0
vnodes 1169 73K 73K 78643K 1187 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 1K 78643K 2 0
VM map 2 1K 1K 78643K 2 0
sem 2 0K 0K 78643K 2 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12548 0
file desc 17 61K 89K 78643K 6334 0
proc 67 91K 115K 78643K 540 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
in_multi 99 6K 6K 78643K 100 0
ether_multi 1 0K 0K 78643K 1 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 25 122K 122K 78643K 25 0
exec 0 0K 1K 78643K 389 0
tdb 3 0K 0K 78643K 3 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 8 62K 64K 78643K 10 0
UVM amap 256 75K 76K 78643K 37700 0
UVM aobj 3 2K 2K 78643K 3 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
NDP 12 0K 1K 78643K 29 0
temp 56 5762K 5826K 78643K 22720 0
kqueue 12 18K 18K 78643K 25 0
SYN cache 2 16K 16K 78643K 2 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 22 0 0 1 0 1 1 0 8 0
rtpcb 120 34 0 30 1 0 1 1 0 8 0
rtentry 112 114 0 4 4 0 4 4 0 8 0
unpcb 144 35 0 20 1 0 1 1 0 8 0
syncache 296 5 0 5 2 2 0 1 0 8 0
tcpqe 32 77 0 77 1 1 0 1 0 8 0
tcpcb 776 8 0 5 1 0 1 1 0 8 0
arp 120 19 0 1 1 0 1 1 0 8 0
inpcb 368 67 0 61 1 0 1 1 0 8 0
nd6 48 24 0 0 1 0 1 1 0 8 0
pfosfp 40 1428 0 1005 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfstitem 24 10 0 9 2 1 1 1 0 8 0
pfstkey 128 10 0 9 2 1 1 1 0 8 0
pfstate 384 10 0 9 2 1 1 1 0 8 0
pfrule 1344 21 0 16 2 1 1 2 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 455 0 3 29 0 29 29 0 8 0
art_table 32 456 0 3 4 0 4 4 0 8 0
art_node 16 113 0 13 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 13869 0 10047 239 0 239 239 0 8 0
ffsino 272 13869 0 10047 255 0 255 255 0 8 0
nchpl 144 26581 0 24935 63 0 63 63 0 8 0
uvmvnodes 80 6289 0 0 129 0 129 129 0 8 0
vnodes 216 6289 0 0 350 0 350 350 0 8 0
namei 1024 74415 0 74414 4 3 1 2 0 8 0
percpumem 16 44 0 1 1 0 1 1 0 8 0
kstatmem 264 26 0 2 2 0 2 2 0 8 0
scxspl 216 67249 0 67249 30 27 3 8 0 8 3
plimitpl 152 27 0 10 1 0 1 1 0 8 0
sigapl 424 6649 0 6601 8 2 6 7 0 8 0
futexpl 64 39674 0 39672 2 1 1 1 0 8 0
knotepl 120 110 0 0 4 0 4 4 0 8 0
kqueuepl 216 21 0 13 1 0 1 1 0 8 0
pipepl 320 143 0 113 4 1 3 3 0 8 0
fdescpl 496 6632 0 6602 6 1 5 5 0 8 1
filepl 152 20275 0 20135 6 0 6 6 0 8 0
lockfpl 104 6 0 4 1 0 1 1 0 8 0
lockfspl 48 4 0 2 1 0 1 1 0 8 0
sessionpl 144 27 0 9 1 0 1 1 0 8 0
pgrppl 48 27 0 9 1 0 1 1 0 8 0
ucredpl 104 6218 0 6206 1 0 1 1 0 8 0
zombiepl 144 6603 0 6601 3 2 1 1 0 8 0
processpl 1072 6649 0 6601 4 0 4 4 0 8 0
procpl 696 13090 0 13023 7 0 7 7 0 8 0
sockpl 488 136 0 111 5 1 4 4 0 8 0
mcl8k 8192 5 0 0 1 0 1 1 0 8 0
mcl4k 4096 5 0 0 1 0 1 1 0 8 0
mcl2k 2048 284 0 0 32 4 28 32 0 8 0
mtagpl 96 2 0 0 1 0 1 1 0 8 0
mbufpl 256 490 0 0 19 0 19 19 0 8 0
bufpl 288 16393 0 10071 452 0 452 452 0 8 0
anonpl 24 1017610 0 1010879 75 29 46 55 0 186 2
amapchunkpl 152 103200 0 102684 29 6 23 23 0 158 1
amappl16 200 8499 0 8407 10 4 6 6 0 8 1
amappl15 192 5 0 5 1 1 0 1 0 8 0
amappl14 184 178 0 162 2 1 1 2 0 8 0
amappl13 176 7 0 7 1 1 0 1 0 8 0
amappl12 168 425 0 423 2 1 1 1 0 8 0
amappl11 160 54 0 39 1 0 1 1 0 8 0
amappl10 152 73 0 61 2 1 1 1 0 8 0
amappl9 144 949 0 948 1 0 1 1 0 8 0
amappl8 136 130 0 96 3 1 2 2 0 8 0
amappl7 128 166 0 141 2 0 2 2 0 8 0
amappl6 120 175 0 166 2 1 1 2 0 8 0
amappl5 112 130 0 120 1 0 1 1 0 8 0
amappl4 104 519 0 487 2 0 2 2 0 8 0
amappl3 96 16871 0 16816 2 0 2 2 0 8 0
amappl2 88 6982 0 6905 3 1 2 3 0 8 0
amappl1 80 139276 0 138460 34 15 19 28 0 8 1
amappl 88 37174 0 37023 5 1 4 4 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 2 0 0 1 0 1 1 0 8 0
uaddrrnd 24 6632 0 6602 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 6632 0 6602 1 0 1 1 0 8 0
vmmpekpl 168 38845 0 38806 2 0 2 2 0 8 0
vmmpepl 168 501709 0 499473 155 47 108 133 0 357 9
vmsppl 440 6631 0 6602 6 2 4 5 0 8 0
rwobjpl 56 136528 0 128986 119 11 108 108 0 8 0
pdppl 4096 13271 0 13204 135 62 73 83 0 8 6
pvpl 32 2047893 0 2035673 361 136 225 343 0 265 122
pmappl 248 6631 0 6602 3 0 3 3 0 8 0
extentpl 40 56 0 38 1 0 1 1 0 8 0
phpool 112 1175 0 71 32 0 32 32 0 8 0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
ufs_lookup() at ufs_lookup+0x4ce sys/ufs/ufs/ufs_lookup.c:281
VOP_LOOKUP(fffffd806b862cf8,ffff800021409688,ffff8000214096b8) at VOP_LOOKUP+0x58 sys/kern/vfs_vops.c:85
vfs_lookup(ffff800021409658) at vfs_lookup+0x6e5 sys/kern/vfs_lookup.c:566
namei(ffff800021409658) at namei+0x55a sys/kern/vfs_lookup.c:250
vn_open(ffff800021409658,201,0) at vn_open+0x188 sys/kern/vfs_vnops.c:107
doopenat(ffff8000212ec850,ffffff9c,20000180,200,0,ffff800021409830) at doopenat+0x26a sys/kern/vfs_syscalls.c:1127
syscall(ffff8000214098b0) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff8000214098b0) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:625
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x9f2b11ddd0, count: -8
ddb{0}> machine ddbcpu 1
Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp
x86_ipi_db(ffff800020d68ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__mp_lock(ffffffff82db6020) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82db6020) at __mp_lock+0x122 sys/kern/kern_lock.c:147
syscall(ffff800021421ab0) at syscall+0x5cd mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff800021421ab0) at syscall+0x5cd sys/arch/amd64/amd64/trap.c:625
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7fffff5960, count: 9
ddb{1}> trace
x86_ipi_db(ffff800020d68ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__mp_lock(ffffffff82db6020) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82db6020) at __mp_lock+0x122 sys/kern/kern_lock.c:147
syscall(ffff800021421ab0) at syscall+0x5cd mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff800021421ab0) at syscall+0x5cd sys/arch/amd64/amd64/trap.c:625
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7fffff5960, count: -6
ddb{1}>

syzbot

Oct 24, 2023, 1:20:42 AM
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: e0c1f4798a44 Use xoff instead of *olen in the shift_right(..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=12efcff5680000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=177f7305680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12927bcb680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ac66645f0d97/disk-e0c1f479.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/8610cce9f100/bsd-e0c1f479.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/033c51df4b71/kernel-e0c1f479.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d0ae34...@syzkaller.appspotmail.com

uvm_fault(0xffffffff82d8afc8, 0xffff8000124ef004, 0, 1) -> d
kernel: page fault trap, code=0
Stopped at ufs_lookup+0x4ce: movzwl 0x4(%r15,%r13,1),%ebx
TID PID UID PRFLAGS PFLAGS CPU COMMAND
439309 81776 0 0 0 0 syz-executor714944071
*367405 64437 0 0 0 1K syz-executor714944071
ufs_lookup() at ufs_lookup+0x4ce sys/ufs/ufs/ufs_lookup.c:281
VOP_LOOKUP(fffffd8068cef600,ffff8000212631a8,ffff8000212631d8) at VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85
vfs_lookup(ffff800021263178) at vfs_lookup+0x6e2 sys/kern/vfs_lookup.c:566
namei(ffff800021263178) at namei+0x55a sys/kern/vfs_lookup.c:250
dounlinkat(ffff8000211db808,ffffff9c,77499618a190,0) at dounlinkat+0x9d sys/kern/vfs_syscalls.c:1847
syscall(ffff800021263350) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff800021263350) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x77499618a640, count: 8
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu1: uvm_fault(0xffffffff82d8afc8, 0xffff8000124ef004, 0, 1) -> d
ddb{1}> trace
ufs_lookup() at ufs_lookup+0x4ce sys/ufs/ufs/ufs_lookup.c:281
VOP_LOOKUP(fffffd8068cef600,ffff8000212631a8,ffff8000212631d8) at VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85
vfs_lookup(ffff800021263178) at vfs_lookup+0x6e2 sys/kern/vfs_lookup.c:566
namei(ffff800021263178) at namei+0x55a sys/kern/vfs_lookup.c:250
dounlinkat(ffff8000211db808,ffffff9c,77499618a190,0) at dounlinkat+0x9d sys/kern/vfs_syscalls.c:1847
syscall(ffff800021263350) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff800021263350) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x77499618a640, count: -7
ddb{1}> show registers
rdi 0
rsi 0
rbp 0xffff800021262fb0
rbx 0
rdx 0xfffffd806ca52040
rcx 0xffffffff
rax 0xfffffd806ce56a50
r8 0xffffffffffffffff
r9 0xfffffd807f7d7888
r10 0xf4a9a6f4f29946d1
r11 0xc64e7f0bbc658523
r12 0
r13 0
r14 0
r15 0xffff8000124ef000
rip 0xffffffff8270491e ufs_lookup+0x4ce
cs 0x8
rflags 0x10202 __ALIGN_SIZE+0xf202
rsp 0xffff800021262eb0
ss 0x10
ufs_lookup+0x4ce: movzwl 0x4(%r15,%r13,1),%ebx
ddb{1}> show proc
PROC (syz-executor714944071) tid=367405 pid=64437 tcnt=1 stat=onproc
flags process=0 proc=0
runpri=76, usrpri=76, slppri=32, nice=20
wchan=0x0, wmesg=, ps_single=0x0
forw=0xffffffffffffffff, list=0xffff8000211eb550,0xffff8000211dad78
process=0xffff800021222190 user=0xffff80002125e000, vmspace=0xfffffd807eff81d0
estcpu=36, cpticks=3, pctcpu=1.6, user=0, sys=1, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
60322 172325 23132 0 2 0 syz-executor714944071
79757 455089 93338 0 2 0 syz-executor714944071
28323 89367 12357 0 2 0 syz-executor714944071
12357 177072 1901 0 3 0x80 nanoslp syz-executor714944071
93338 322735 1901 0 2 0 syz-executor714944071
36232 142274 1901 0 2 0 syz-executor714944071
81776 439309 1901 0 7 0 syz-executor714944071
*64437 367405 1901 0 7 0 syz-executor714944071
18396 180090 1901 0 2 0 syz-executor714944071
23132 64642 1901 0 2 0 syz-executor714944071
76499 149857 1901 0 3 0x80 nanoslp syz-executor714944071
1901 371025 9335 0 3 0x82 nanoslp syz-executor714944071
9335 167302 80506 0 3 0x10008a sigsusp ksh
80506 477544 2579 0 3 0x9a kqread sshd
27296 185970 1 0 3 0x100083 ttyin getty
2579 228357 1 0 3 0x88 kqread sshd
98995 64434 204 74 3 0x1100092 bpf pflogd
204 228554 1 0 3 0x80 netio pflogd
39139 39713 47215 73 3 0x1100090 kqread syslogd
47215 441410 1 0 3 0x100082 netio syslogd
93419 380938 1 0 3 0x100080 kqread resolvd
12250 63890 40780 77 3 0x100092 kqread dhcpleased
44426 496968 40780 77 3 0x100092 kqread dhcpleased
40780 513708 1 0 3 0x80 kqread dhcpleased
55409 292663 0 0 3 0x14200 bored smr
34022 25268 0 0 2 0x14200 zerothread
91351 63771 0 0 3 0x14200 aiodoned aiodoned
370 227839 0 0 3 0x14200 syncer update
37470 155649 0 0 3 0x14200 cleaner cleaner
90686 233182 0 0 3 0x14200 reaper reaper
27778 156143 0 0 3 0x14200 pgdaemon pagedaemon
93832 303299 0 0 3 0x14200 bored viomb
92366 322842 0 0 3 0x40014200 acpi0 acpi0
33761 448401 0 0 3 0x40014200 idle1
72074 78315 0 0 3 0x14200 bored softnet3
98142 518561 0 0 3 0x14200 bored softnet2
943 126037 0 0 3 0x14200 bored softnet1
19461 23463 0 0 3 0x14200 bored softnet0
24047 257041 0 0 3 0x14200 bored systqmp
69877 429324 0 0 3 0x14200 bored systq
79719 300144 0 0 3 0x14200 tmoslp softclockmp
84937 275865 0 0 3 0x40014200 tmoslp softclock
52547 141682 0 0 3 0x40014200 idle0
1 481727 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
Process 36232 (syz-executor714944071) thread 0xffff8000211daac0 (142274)
exclusive rrwlock inode r = 0 (0xfffffd8068cfae70)
#0 witness_lock+0x447
#1 rw_enter+0x3c8 sys/kern/kern_rwlock.c:309
#2 rrw_enter+0x8c sys/kern/kern_rwlock.c:464
#3 VOP_LOCK+0x8b sys/kern/vfs_vops.c:518
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:564
#5 vget+0x200 sys/kern/vfs_subr.c:676
#6 ufs_ihashget+0x121 sys/ufs/ufs/ufs_ihash.c:119
#7 ffs_vget+0x7c sys/ufs/ffs/ffs_vfsops.c:1314
#8 ufs_lookup+0x13ba sys/ufs/ufs/ufs_lookup.c:487
#9 VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85
#10 vfs_lookup+0x6e2 sys/kern/vfs_lookup.c:566
#11 namei+0x55a sys/kern/vfs_lookup.c:250
#12 dounlinkat+0x9d sys/kern/vfs_syscalls.c:1847
#13 syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
#13 syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623
#14 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd8068ce9c50)
#0 witness_lock+0x447
#1 rw_enter+0x3c8 sys/kern/kern_rwlock.c:309
#2 rrw_enter+0x8c sys/kern/kern_rwlock.c:464
#3 VOP_LOCK+0x8b sys/kern/vfs_vops.c:518
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:564
#5 vget+0x200 sys/kern/vfs_subr.c:676
#6 cache_lookup+0x2b4 sys/kern/vfs_cache.c:222
#7 ufs_lookup+0x1ac sys/ufs/ufs/ufs_lookup.c:162
#8 VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85
#9 vfs_lookup+0x6e2 sys/kern/vfs_lookup.c:566
#10 namei+0x55a sys/kern/vfs_lookup.c:250
#11 dounlinkat+0x9d sys/kern/vfs_syscalls.c:1847
#12 syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
#12 syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623
#13 Xsyscall+0x128
Process 64437 (syz-executor714944071) thread 0xffff8000211db808 (367405)
exclusive rrwlock inode r = 0 (0xfffffd8068d115f8)
#0 witness_lock+0x447
#1 rw_enter+0x3c8 sys/kern/kern_rwlock.c:309
#2 rrw_enter+0x8c sys/kern/kern_rwlock.c:464
#3 VOP_LOCK+0x8b sys/kern/vfs_vops.c:518
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:564
#5 vget+0x200 sys/kern/vfs_subr.c:676
#6 cache_lookup+0x2b4 sys/kern/vfs_cache.c:222
#7 ufs_lookup+0x1ac sys/ufs/ufs/ufs_lookup.c:162
#8 VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85
#9 vfs_lookup+0x6e2 sys/kern/vfs_lookup.c:566
#10 namei+0x55a sys/kern/vfs_lookup.c:250
#11 dounlinkat+0x9d sys/kern/vfs_syscalls.c:1847
#12 syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
#12 syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623
#13 Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82d15a68)
#0 witness_lock+0x447
#1 syscall+0x5cd mi_syscall sys/sys/syscall_mi.h:110 [inline]
#1 syscall+0x5cd sys/arch/amd64/amd64/trap.c:623
#2 Xsyscall+0x128
Process 18396 (syz-executor714944071) thread 0xffff8000211eb550 (180090)
exclusive rrwlock inode r = 0 (0xfffffd8068d20708)
#0 witness_lock+0x447
#1 rw_enter+0x3c8 sys/kern/kern_rwlock.c:309
#2 rrw_enter+0x8c sys/kern/kern_rwlock.c:464
#3 VOP_LOCK+0x8b sys/kern/vfs_vops.c:518
#4 ufs_ihashins+0x46 sys/ufs/ufs/ufs_ihash.c:140
#5 ffs_vget+0x141 sys/ufs/ffs/ffs_vfsops.c:1343
#6 ffs_inode_alloc+0x1c2 sys/ufs/ffs/ffs_alloc.c:394
#7 ufs_mkdir+0xf8 sys/ufs/ufs/ufs_vnops.c:1149
#8 VOP_MKDIR+0xc3 sys/kern/vfs_vops.c:388
#9 domkdirat+0x125 sys/kern/vfs_syscalls.c:3073
#10 syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
#10 syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623
#11 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd806d5885e8)
#0 witness_lock+0x447
#1 rw_enter+0x3c8 sys/kern/kern_rwlock.c:309
#2 rrw_enter+0x8c sys/kern/kern_rwlock.c:464
#3 VOP_LOCK+0x8b sys/kern/vfs_vops.c:518
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:564
#5 vfs_lookup+0xd5 sys/kern/vfs_lookup.c:418
#6 namei+0x55a sys/kern/vfs_lookup.c:250
#7 domkdirat+0x79 sys/kern/vfs_syscalls.c:3058
#8 syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
#8 syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623
#9 Xsyscall+0x128
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10163 6456K 6457K 78643K 11241 0
pcb 13 8K 8K 78643K 13 0
rtable 58 1K 2K 78643K 108 0
pf 15 6K 10K 78643K 26 0
ifaddr 13 9K 9K 78643K 13 0
ifgroup 22 1K 1K 78643K 22 0
counters 44 33K 33K 78643K 44 0
ioctlops 0 0K 4K 78643K 1475 0
mount 1 1K 1K 78643K 1 0
log 0 0K 0K 78643K 4 0
vnodes 1176 74K 74K 78643K 1193 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 1K 78643K 2 0
VM map 2 1K 1K 78643K 2 0
sem 2 0K 0K 78643K 2 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12548 0
file desc 1 0K 0K 78643K 1 0
proc 67 91K 91K 78643K 302 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
in_multi 11 0K 0K 78643K 11 0
ether_multi 1 0K 0K 78643K 1 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 25 122K 122K 78643K 25 0
exec 0 0K 1K 78643K 260 0
tdb 3 0K 0K 78643K 3 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 8 62K 64K 78643K 10 0
UVM amap 125 6K 7K 78643K 12558 0
UVM aobj 3 2K 2K 78643K 3 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
NDP 4 0K 0K 78643K 4 0
temp 1 5904K 5968K 78643K 66430 0
kqueue 11 16K 18K 78643K 24 0
SYN cache 2 16K 16K 78643K 2 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 22 0 0 1 0 1 1 0 8 0
rtpcb 120 17 0 14 1 0 1 1 0 8 0
rtentry 112 23 0 1 1 0 1 1 0 8 0
unpcb 144 35 0 20 1 0 1 1 0 8 0
syncache 304 5 0 5 2 2 0 1 0 8 0
tcpqe 32 118 0 118 1 1 0 1 0 8 0
tcpcb 808 8 0 5 1 0 1 1 0 8 0
arp 120 2 0 0 1 0 1 1 0 8 0
inpcb 368 33 0 27 1 0 1 1 0 8 0
pfosfp 40 1428 0 1005 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfstitem 24 9 0 7 2 1 1 1 0 8 0
pfstkey 128 9 0 7 2 1 1 1 0 8 0
pfstate 376 9 0 7 2 1 1 1 0 8 0
pfrule 1344 21 0 16 2 1 1 2 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 97 0 0 7 0 7 7 0 8 0
art_table 32 98 0 0 1 0 1 1 0 8 0
art_node 16 22 0 2 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 21253 0 16174 318 0 318 318 0 8 0
ffsino 272 21253 0 16174 339 0 339 339 0 8 0
nchpl 144 41249 0 39660 60 0 60 60 0 8 0
uvmvnodes 80 6153 0 0 126 0 126 126 0 8 0
vnodes 216 6153 0 0 342 0 342 342 0 8 0
namei 1024 93684 0 93682 3 1 2 2 0 8 1
percpumem 16 35 0 0 1 0 1 1 0 8 0
kstatmem 264 8 0 0 1 0 1 1 0 8 0
scxspl 216 102371 0 102371 16 10 6 8 1 8 6
plimitpl 152 17 0 10 1 0 1 1 0 8 0
sigapl 424 10244 0 10199 7 1 6 6 0 8 0
knotepl 120 47 0 0 2 0 2 2 0 8 0
kqueuepl 216 20 0 13 1 0 1 1 0 8 0
pipepl 320 91 0 88 2 1 1 1 0 8 0
fdescpl 496 10226 0 10199 4 0 4 4 0 8 0
filepl 152 30970 0 30905 3 0 3 3 0 8 0
lockfpl 104 6 0 4 1 0 1 1 0 8 0
lockfspl 48 4 0 2 1 0 1 1 0 8 0
sessionpl 144 18 0 9 1 0 1 1 0 8 0
pgrppl 48 18 0 9 1 0 1 1 0 8 0
ucredpl 104 81 0 68 1 0 1 1 0 8 0
zombiepl 144 10200 0 10199 2 1 1 1 0 8 0
processpl 1072 10244 0 10199 4 0 4 4 0 8 0
procpl 680 10244 0 10199 6 1 5 5 0 8 1
sockpl 488 85 0 61 5 1 4 4 0 8 0
mcl8k 8192 5 0 0 1 0 1 1 0 8 0
mcl4k 4096 4 0 0 1 0 1 1 0 8 0
mcl2k 2048 295 0 0 34 5 29 34 0 8 0
mtagpl 96 2 0 0 1 0 1 1 0 8 0
mbufpl 256 331 0 0 18 1 17 18 0 8 0
bufpl 288 22411 0 16219 443 0 443 443 0 8 0
anonpl 24 268264 0 265991 27 13 14 25 0 186 0
amapchunkpl 152 18736 0 18514 10 1 9 9 0 158 0
amappl16 200 15471 0 15461 6 5 1 5 0 8 0
amappl15 192 8 0 8 1 1 0 1 0 8 0
amappl14 184 111 0 99 1 0 1 1 0 8 0
amappl13 176 18 0 18 1 1 0 1 0 8 0
amappl12 168 863 0 841 2 1 1 2 0 8 0
amappl11 160 63 0 49 1 0 1 1 0 8 0
amappl10 152 18 0 17 1 0 1 1 0 8 0
amappl9 144 212 0 212 1 1 0 1 0 8 0
amappl8 136 36 0 34 1 0 1 1 0 8 0
amappl7 128 22 0 21 1 0 1 1 0 8 0
amappl6 120 148 0 133 1 0 1 1 0 8 0
amappl5 112 118 0 107 1 0 1 1 0 8 0
amappl4 104 10373 0 10329 2 0 2 2 0 8 0
amappl3 96 2173 0 2126 3 1 2 2 0 8 0
amappl2 88 10396 0 10345 2 0 2 2 0 8 0
amappl1 80 39142 0 38641 16 4 12 12 0 8 0
amappl 88 12266 0 12187 2 0 2 2 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 2 0 0 1 0 1 1 0 8 0
uaddrrnd 24 10226 0 10199 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 10226 0 10199 1 0 1 1 0 8 0
vmmpekpl 168 29050 0 29027 2 0 2 2 0 8 0
vmmpepl 168 283284 0 281953 70 9 61 63 0 357 3
vmsppl 464 10225 0 10199 4 0 4 4 0 8 0
rwobjpl 56 34122 0 27212 100 2 98 98 0 8 0
pdppl 4096 20460 0 20398 138 72 66 70 0 8 4
pvpl 32 808980 0 803624 65 20 45 57 0 265 0
pmappl 248 10225 0 10199 2 0 2 2 0 8 0
extentpl 40 56 0 38 1 0 1 1 0 8 0
phpool 112 1317 0 82 36 0 36 36 0 8 0
ddb{1}> machine ddbcpu 0
Stopped at x86_ipi_db+0x1e: addq $0x8,%rsp
x86_ipi_db(ffffffff82c0cff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff82d15860) at __mp_lock+0x129 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82d15860) at __mp_lock+0x129 sys/kern/kern_lock.c:147
softintr_dispatch(0) at softintr_dispatch+0x52 sys/arch/amd64/amd64/softintr.c:88
Xsoftclock() at Xsoftclock+0x27
__mp_lock(ffffffff82d15860) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82d15860) at __mp_lock+0x122 sys/kern/kern_lock.c:147
syscall(ffff800021269160) at syscall+0x52b mi_syscall_return sys/sys/syscall_mi.h:138 [inline]
syscall(ffff800021269160) at syscall+0x52b sys/arch/amd64/amd64/trap.c:644
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x77499618a640, count: 6
ddb{0}> trace
x86_ipi_db(ffffffff82c0cff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff82d15860) at __mp_lock+0x129 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82d15860) at __mp_lock+0x129 sys/kern/kern_lock.c:147
softintr_dispatch(0) at softintr_dispatch+0x52 sys/arch/amd64/amd64/softintr.c:88
Xsoftclock() at Xsoftclock+0x27
__mp_lock(ffffffff82d15860) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82d15860) at __mp_lock+0x122 sys/kern/kern_lock.c:147
syscall(ffff800021269160) at syscall+0x52b mi_syscall_return sys/sys/syscall_mi.h:138 [inline]
syscall(ffff800021269160) at syscall+0x52b sys/arch/amd64/amd64/trap.c:644
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x77499618a640, count: -9
ddb{0}> machine ddbcpu 1
Stopped at ufs_lookup+0x4ce: movzwl 0x4(%r15,%r13,1),%ebx
ufs_lookup() at ufs_lookup+0x4ce sys/ufs/ufs/ufs_lookup.c:281
VOP_LOOKUP(fffffd8068cef600,ffff8000212631a8,ffff8000212631d8) at VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85
vfs_lookup(ffff800021263178) at vfs_lookup+0x6e2 sys/kern/vfs_lookup.c:566
namei(ffff800021263178) at namei+0x55a sys/kern/vfs_lookup.c:250
dounlinkat(ffff8000211db808,ffffff9c,77499618a190,0) at dounlinkat+0x9d sys/kern/vfs_syscalls.c:1847
syscall(ffff800021263350) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff800021263350) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x77499618a640, count: 8
ddb{1}> trace
ufs_lookup() at ufs_lookup+0x4ce sys/ufs/ufs/ufs_lookup.c:281
VOP_LOOKUP(fffffd8068cef600,ffff8000212631a8,ffff8000212631d8) at VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85
vfs_lookup(ffff800021263178) at vfs_lookup+0x6e2 sys/kern/vfs_lookup.c:566
namei(ffff800021263178) at namei+0x55a sys/kern/vfs_lookup.c:250
dounlinkat(ffff8000211db808,ffffff9c,77499618a190,0) at dounlinkat+0x9d sys/kern/vfs_syscalls.c:1847
syscall(ffff800021263350) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff800021263350) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x77499618a640, count: -7


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.