Hello,
syzbot found the following crash on:
HEAD commit: 6f9e9be94f66 sort output suffixes
git tree: openbsd
console output:
https://syzkaller.appspot.com/x/log.txt?x=155214b8c00000
kernel config:
https://syzkaller.appspot.com/x/.config?x=3303344588104330
dashboard link:
https://syzkaller.appspot.com/bug?extid=0ab93519af8f3dbfb136
compiler:
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by:
syzbot+0ab935...@syzkaller.appspotmail.com
login: lock order reversal:
1st 0xfffffd807f00d9f0 vmmaplk (&map->lock) @
/syzkaller/managers/setuid/kernel/sys/uvm/uvm_fault.c:1442
2nd 0xfffffd8069dc9e68 inode (&ip->i_lock) @
/syzkaller/managers/setuid/kernel/sys/ufs/ufs/ufs_vnops.c:1547
lock order "&ip->i_lock"(rrwlock) -> "&map->lock"(rwlock) first seen at:
#0 witness_checkorder+0x6d8
#1 _rw_enter+0xbf
#2 vm_map_lock_ln+0x14e
#3 uvm_map+0x2e2
#4 km_alloc+0x19a
#5 pool_multi_alloc_ni+0xe4
#6 pool_p_alloc+0x70
#7 pool_do_get+0x127
#8 pool_get+0x104
#9 ufsdirhash_build+0x40b
#10 ufs_lookup+0x2a5
#11 VOP_LOOKUP+0x63
#12 vfs_lookup+0x552
#13 namei+0x4af
#14 start_init+0xd6
lock order "&map->lock"(rwlock) -> "&ip->i_lock"(rrwlock) first seen at:
#0 witness_checkorder+0x6d8
#1 _rw_enter+0xbf
#2 _rrw_enter+0x5c
#3 VOP_LOCK+0x55
#4 vn_lock+0x6e
#5 uvn_io+0x2ca
#6 uvn_get+0x206
#7 uvm_fault+0x12c1
#8 uvm_fault_wire+0x70
#9 uvm_map_pageable_wire+0x2fd
#10 sys_mlock+0x187
#11 syscall+0x5a0
#12 Xsyscall+0x128
Stopped at db_enter+0x18: addq $0x8,%rsp
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> show panic
the kernel did not panic
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
witness_checkorder(6dd17dc74a701eaa,81,fffffd8069dc9e58,fffffd8069dc9e58,0)
at witness_checkorder+0x12f9 witness_debugger sys/kern/subr_witness.c:2543
[inline]
witness_checkorder(6dd17dc74a701eaa,81,fffffd8069dc9e58,fffffd8069dc9e58,0)
at witness_checkorder+0x12f9 sys/kern/subr_witness.c:1089
_rw_enter(6fa38a843c292a30,60b,fffffd8069dc9e58,ffffffff81ee040a) at
_rw_enter+0xbf
_rrw_enter(c2256cfed570c526,fffffd807dff7ec8,ffffffff8125c1f0,0) at
_rrw_enter+0x5c sys/kern/kern_rwlock.c:410
VOP_LOCK(2b6d136fefb12e46,fffffd807dff7ec8) at VOP_LOCK+0x55
sys/kern/vfs_vops.c:598
vn_lock(802146b15fcc059a,1000) at vn_lock+0x6e sys/kern/vfs_vnops.c:549
uvn_io(cab2147d694bf04a,0,0,fffffd80682470a8,0) at uvn_io+0x2ca
sys/uvm/uvm_vnode.c:1188
uvn_get(45b577dbd4ace9cc,ffffffff81df4b90,fffffd80682470a8,fffffd806b584418,0,1)
at
uvn_get+0x206 sys/uvm/uvm_vnode.c:1048
uvm_fault(9a65425dcf3dc953,2000e000,0,1) at uvm_fault+0x12c1
sys/uvm/uvm_fault.c:1023
uvm_fault_wire(e78623c7a62600cc,1,2000e000,fffffd806b584418) at
uvm_fault_wire+0x70 sys/uvm/uvm_fault.c:1293
uvm_map_pageable_wire(74079f66c1c03b53,20801000,20001000,800000,fffffd807f00d9d8,800000)
at
uvm_map_pageable_wire+0x2fd sys/uvm/uvm_map.c:2258
sys_mlock(ffb3d8d67976bac5,10,ffff800020b924c8) at sys_mlock+0x187
sys/uvm/uvm_mmap.c:740
syscall(c2256cfed5f69df7) at syscall+0x5a0 mi_syscall
sys/sys/syscall_mi.h:99 [inline]
syscall(c2256cfed5f69df7) at syscall+0x5a0 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,ffffffffffffffa1,0,2,b07df1f5010) at Xsyscall+0x128
end of kernel
end trace frame: 0xb0accd81840, count: -14
ddb{1}> show registers
rdi 0x3
rsi 0x3ffff acpi_pdirpa+0x2be67
rbp 0xffff800020c5f1f0
rbx 0x3
rdx 0x40000 acpi_pdirpa+0x2be68
rcx 0xffff800001947000
rax 0xffff800001946440
r8 0xffffffff81c2c0ff witness_checkorder+0x12cf
r9 0x5
r10 0xfd836cc0497e8b36
r11 0x4c2729f8cc5035
r12 0xfffffd80025cec30
r13 0xffffffff81ebdb3f cmd0646_9_tim_udma+0xa8ca
r14 0xffffffff82290ee0 w_lodata+0x48b40
r15 0xffffffff8229e1f0 w_lodata+0x55e50
rip 0xffffffff817aed68 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020c5f1e0
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor0) pid=83026 stat=onproc
flags process=10<SUGID> proc=4000000<THREAD>
pri=86, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff800020b93c38,0xffffffff82307ab0
process=0xffff800020bcad38 user=0xffff800020c5a000,
vmspace=0xfffffd807f00d9d8
estcpu=36, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
16624 103159 66908 32767 7 0x10 syz-executor0
*16624 83026 66908 32767 7 0x4000010 syz-executor0
66908 197331 23116 32767 3 0x90 nanosleep syz-executor0
23116 136779 93973 0 3 0x82 wait syz-executor0
16429 136074 59005 32767 3 0x90 nanosleep syz-executor1
59005 21359 93973 0 3 0x82 wait syz-executor1
36430 520597 0 0 3 0x14200 bored sosplice
93973 202035 82989 0 3 0x82 thrsleep syz-fuzzer
93973 493225 82989 0 3 0x4000082 nanosleep syz-fuzzer
93973 75372 82989 0 3 0x4000082 thrsleep syz-fuzzer
93973 14892 82989 0 3 0x4000082 thrsleep syz-fuzzer
93973 201709 82989 0 3 0x4000082 thrsleep syz-fuzzer
93973 486231 82989 0 3 0x4000082 kqread syz-fuzzer
93973 489010 82989 0 3 0x4000082 thrsleep syz-fuzzer
93973 16519 82989 0 3 0x4000082 thrsleep syz-fuzzer
93973 226203 82989 0 3 0x4000082 thrsleep syz-fuzzer
93973 188076 82989 0 3 0x4000082 thrsleep syz-fuzzer
82989 216880 84954 0 3 0x10008a pause ksh
84954 81275 53543 0 3 0x92 select sshd
47808 473426 1 0 3 0x100083 ttyin getty
53543 332812 1 0 3 0x80 select sshd
45451 374218 45662 73 2 0x100090 syslogd
45662 491218 1 0 3 0x100082 netio syslogd
72189 279069 1 77 3 0x100090 poll dhclient
1212 278122 1 0 3 0x80 poll dhclient
9769 49931 0 0 2 0x14200 zerothread
85604 274939 0 0 3 0x14200 aiodoned aiodoned
92159 44259 0 0 3 0x14200 syncer update
74710 406891 0 0 3 0x14200 cleaner cleaner
87550 426171 0 0 3 0x14200 reaper reaper
36235 275247 0 0 3 0x14200 pgdaemon pagedaemon
26276 160937 0 0 3 0x14200 bored crynlk
90999 276468 0 0 3 0x14200 bored crypto
25858 363501 0 0 3 0x40014200 acpi0 acpi0
9413 377275 0 0 3 0x40014200 idle1
3246 452782 0 0 3 0x14200 bored softnet
42083 342771 0 0 3 0x14200 bored systqmp
84083 315508 0 0 3 0x14200 bored systq
16502 370165 0 0 3 0x40014200 bored softclock
70756 120747 0 0 3 0x40014200 idle0
1 253388 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
---
This bug is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.