witness: userret: returning with the following locks held:


syzbot

Jan 28, 2019, 4:55:05 PM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: fabafa7b0c06 Allow fstat to filter multiple pids and multi..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=14278b17400000
kernel config: https://syzkaller.appspot.com/x/.config?x=3303344588104330
dashboard link: https://syzkaller.appspot.com/bug?extid=374d0e7e2400004957f7
compiler:
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=167c5717400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+374d0e...@syzkaller.appspotmail.com

witness: userret: returning with the following locks held:
exclusive rrwlock inode r = 0 (0xfffffd806c231928) locked @
/syzkaller/managers/setuid/kernel/sys/ufs/ufs/ufs_vnops.c:1547
panic: witness_warn
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*391618 735 0 0x1000 0x4080000 1 syz-executor0
176822 52552 73 0x100010 0 0 syslogd
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x16c sys/kern/subr_prf.c:208
witness_warn(fdd8fe9062a00d21,0,ffff800020b74bc0) at witness_warn+0x700
witness_debugger sys/kern/subr_witness.c:2549 [inline]
witness_warn(fdd8fe9062a00d21,0,ffff800020b74bc0) at witness_warn+0x700
sys/kern/subr_witness.c:1465
userret(6dbdec8ee0d2d576) at userret+0x361 sys/kern/kern_sig.c:1899
syscall(63bf95ec7ea5ff49) at syscall+0x680 mi_syscall_return
sys/sys/syscall_mi.h:122 [inline]
syscall(63bf95ec7ea5ff49) at syscall+0x680 sys/arch/amd64/amd64/trap.c:605
Xsyscall(6,5,c,0,3,ddf6060c0d8) at Xsyscall+0x128
end of kernel
end trace frame: 0xde1bc905050, count: 9
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> show panic
witness_warn
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x16c sys/kern/subr_prf.c:208
witness_warn(fdd8fe9062a00d21,0,ffff800020b74bc0) at witness_warn+0x700
witness_debugger sys/kern/subr_witness.c:2549 [inline]
witness_warn(fdd8fe9062a00d21,0,ffff800020b74bc0) at witness_warn+0x700
sys/kern/subr_witness.c:1465
userret(6dbdec8ee0d2d576) at userret+0x361 sys/kern/kern_sig.c:1899
syscall(63bf95ec7ea5ff49) at syscall+0x680 mi_syscall_return
sys/sys/syscall_mi.h:122 [inline]
syscall(63bf95ec7ea5ff49) at syscall+0x680 sys/arch/amd64/amd64/trap.c:605
Xsyscall(6,5,c,0,3,ddf6060c0d8) at Xsyscall+0x128
end of kernel
end trace frame: 0xde1bc905050, count: -6
ddb{1}> show registers
rdi 0
rsi 0x1
rbp 0xffff800020c5cfe0
rbx 0xffff800020c5d080
rdx 0xffffffff81ec9049 cmd0646_9_tim_udma+0x1780c
rcx 0x201
rax 0x1
r8 0xffffffff816aa1c4 kprintf+0x174
r9 0x1
r10 0x6dd5c757c8972325
r11 0xec8bbe39a90d2692
r12 0x3000000008
r13 0xffff800020c5cff0
r14 0x100
r15 0x1
rip 0xffffffff8156b348 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020c5cfd0
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor0) pid=391618 stat=onproc
flags process=1000<SINGLEEXIT> proc=4080000<SUSPSINGLE,THREAD>
pri=32, usrpri=54, nice=20
forw=0xffffffffffffffff, list=0xffff800020be52d0,0xffffffff823154f8
process=0xffff800020bca360 user=0xffff800020c58000,
vmspace=0xfffffd806e928440
estcpu=4, cpticks=3, pctcpu=0.0
user=0, sys=3, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
735 20873 34089 0 3 0x3000 suspend syz-executor0
* 735 391618 34089 0 7 0x4081000 syz-executor0
34089 487275 8546 0 3 0x82 nanosleep syz-executor0
8546 352266 67522 0 3 0x82 thrsleep syz-execprog
8546 96048 67522 0 3 0x4000082 thrsleep syz-execprog
8546 229339 67522 0 3 0x4000082 thrsleep syz-execprog
8546 103762 67522 0 3 0x4000082 thrsleep syz-execprog
8546 267221 67522 0 3 0x4000082 thrsleep syz-execprog
8546 204948 67522 0 3 0x4000082 thrsleep syz-execprog
8546 22150 67522 0 3 0x4000082 thrsleep syz-execprog
8546 61565 67522 0 3 0x4000082 thrsleep syz-execprog
8546 503996 67522 0 3 0x4000082 kqread syz-execprog
67522 482096 86744 0 3 0x10008a pause ksh
86744 155661 27416 0 3 0x92 select sshd
60003 386042 1 0 3 0x100083 ttyin getty
27416 146236 1 0 3 0x80 select sshd
52552 176822 73657 73 7 0x100010 syslogd
73657 330764 1 0 3 0x100082 netio syslogd
45416 123551 1 77 3 0x100090 poll dhclient
42003 519974 1 0 3 0x80 poll dhclient
88767 346327 0 0 3 0x14200 pgzero zerothread
18408 412126 0 0 3 0x14200 aiodoned aiodoned
9892 423931 0 0 3 0x14200 syncer update
90716 117483 0 0 3 0x14200 cleaner cleaner
66960 207161 0 0 3 0x14200 reaper reaper
98853 131814 0 0 3 0x14200 pgdaemon pagedaemon
64960 288132 0 0 3 0x14200 bored crynlk
27024 137522 0 0 3 0x14200 bored crypto
59832 311388 0 0 3 0x40014200 acpi0 acpi0
83819 382285 0 0 3 0x40014200 idle1
43437 425512 0 0 3 0x14200 bored softnet
235 251675 0 0 3 0x14200 bored systqmp
26193 131739 0 0 3 0x14200 bored systq
52756 367982 0 0 3 0x40014200 bored softclock
72820 414692 0 0 3 0x40014200 idle0
1 119322 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
Process 735 (syz-executor0) thread 0xffff800020b74bc0 (391618)
exclusive rrwlock inode r = 0 (0xfffffd806c231928) locked @
/syzkaller/managers/setuid/kernel/sys/ufs/ufs/ufs_vnops.c:1547
Process 52552 (syslogd) thread 0xffff800020be5c30 (176822)
exclusive rrwlock inode r = 0 (0xfffffd806eba9098) locked @
/syzkaller/managers/setuid/kernel/sys/ufs/ufs/ufs_vnops.c:1547
ddb{1}>


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Jan 28, 2019, 5:33:03 PM
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: fabafa7b0c06 Allow fstat to filter multiple pids and multi..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1223a1c0c00000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1726956b400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=123c2287400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+374d0e...@syzkaller.appspotmail.com

login: witness: userret: returning with the following locks held:
exclusive rrwlock inode r = 0 (0xfffffd8076c5d5f0) locked @
/syzkaller/managers/multicore/kernel/sys/ufs/ufs/ufs_vnops.c:1547
panic: witness_warn
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
270698 73942 0 0 0x480 1 syz-executor6228
*453653 73942 0 0 0x4000000 0 syz-executor6228
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x16c sys/kern/subr_prf.c:208
witness_warn(507bcae4261ef179,0,ffff800020be4970) at witness_warn+0x700
witness_debugger sys/kern/subr_witness.c:2549 [inline]
witness_warn(507bcae4261ef179,0,ffff800020be4970) at witness_warn+0x700
sys/kern/subr_witness.c:1465
userret(d178c027f79620c5) at userret+0x361 sys/kern/kern_sig.c:1899
syscall(c556373217555fb7) at syscall+0x680 mi_syscall_return
sys/sys/syscall_mi.h:122 [inline]
syscall(c556373217555fb7) at syscall+0x680 sys/arch/amd64/amd64/trap.c:605
Xsyscall(6,5,ed5f89010b8,0,ed5f8901098,ed5f8901090) at Xsyscall+0x128
end of kernel
end trace frame: 0xed8e6972ad0, count: 9
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> show panic
witness_warn
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x16c sys/kern/subr_prf.c:208
witness_warn(507bcae4261ef179,0,ffff800020be4970) at witness_warn+0x700
witness_debugger sys/kern/subr_witness.c:2549 [inline]
witness_warn(507bcae4261ef179,0,ffff800020be4970) at witness_warn+0x700
sys/kern/subr_witness.c:1465
userret(d178c027f79620c5) at userret+0x361 sys/kern/kern_sig.c:1899
syscall(c556373217555fb7) at syscall+0x680 mi_syscall_return
sys/sys/syscall_mi.h:122 [inline]
syscall(c556373217555fb7) at syscall+0x680 sys/arch/amd64/amd64/trap.c:605
Xsyscall(6,5,ed5f89010b8,0,ed5f8901098,ed5f8901090) at Xsyscall+0x128
end of kernel
end trace frame: 0xed8e6972ad0, count: -6
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff800020c0af40
rbx 0xffff800020c0afe0
rdx 0xffffffff81f33250 cy_pio_rec+0x41b4
rcx 0x201
rax 0x1
r8 0xffffffff81df7814 kprintf+0x174
r9 0x1
r10 0x7cf76f81e813f7f6
r11 0x795e7570cf214d5b
r12 0x3000000008
r13 0xffff800020c0af50
r14 0x100
r15 0x1
rip 0xffffffff8100c2e8 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020c0af30
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor6228) pid=453653 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=32, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff800020be4010,0xffff800020be44d0
process=0xffff800020bca360 user=0xffff800020c06000,
vmspace=0xfffffd806e925710
estcpu=36, cpticks=2, pctcpu=0.0
user=0, sys=2, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
73942 270698 59418 0 7 0x480 syz-executor6228
*73942 453653 59418 0 7 0x4000000 syz-executor6228
73942 230439 59418 0 3 0x4000080 fsleep syz-executor6228
73942 179925 59418 0 3 0x4000080 fsleep syz-executor6228
73942 478723 59418 0 3 0x4000080 fsleep syz-executor6228
59418 268678 44260 0 2 0x482 syz-executor6228
44260 436522 24337 0 3 0x10008a pause ksh
24337 114902 93407 0 3 0x92 select sshd
96871 135617 1 0 3 0x100083 ttyin getty
93407 256335 1 0 3 0x80 select sshd
73530 194253 21231 73 2 0x100010 syslogd
21231 372363 1 0 3 0x100082 netio syslogd
88110 507126 1 77 3 0x100090 poll dhclient
57580 250122 1 0 3 0x80 poll dhclient
86817 507807 0 0 3 0x14200 pgzero zerothread
93105 400105 0 0 3 0x14200 aiodoned aiodoned
35533 261527 0 0 3 0x14200 syncer update
48959 6084 0 0 3 0x14200 cleaner cleaner
68307 205827 0 0 3 0x14200 reaper reaper
19355 374577 0 0 3 0x14200 pgdaemon pagedaemon
5889 28487 0 0 3 0x14200 bored crynlk
97009 36008 0 0 3 0x14200 bored crypto
8639 319581 0 0 3 0x40014200 acpi0 acpi0
46574 116492 0 0 3 0x40014200 idle1
52318 511356 0 0 3 0x14200 bored softnet
86374 441737 0 0 3 0x14200 bored systqmp
28510 186753 0 0 3 0x14200 bored systq
47051 510633 0 0 3 0x40014200 bored softclock
83513 233275 0 0 3 0x40014200 idle0
1 523314 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
CPU 1:
exclusive sched_lock &sched_lock r = 0 (0xffffffff822f2bb0) locked @
/syzkaller/managers/multicore/kernel/sys/kern/kern_sched.c:162
Process 73942 (syz-executor6228) thread 0xffff800020be4970 (453653)
exclusive rrwlock inode r = 0 (0xfffffd8076c5d5f0) locked @
/syzkaller/managers/multicore/kernel/sys/ufs/ufs/ufs_vnops.c:1547
Process 73530 (syslogd) thread 0xffff800020be5c30 (194253)
exclusive rrwlock inode r = 0 (0xfffffd806ebab6f8) locked @
/syzkaller/managers/multicore/kernel/sys/ufs/ufs/ufs_vnops.c:1547
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9445 6315K 6316K 78643K 10532 0 0
pcb 23 9K 9K 78643K 55 0 0
rtable 61 2K 2K 78643K 115 0 0
ifaddr 21 7K 7K 78643K 21 0 0
counters 39 33K 33K 78643K 39 0 0
ioctlops 0 0K 2K 78643K 13 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1166 73K 73K 78643K 1261 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 1K 78643K 2 0 0
VM map 2 1K 1K 78643K 2 0 0
sem 2 0K 0K 78643K 2 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1792 194K 288K 78643K 12592 0 0
file desc 2 2K 3K 78643K 91 0 0
proc 40 38K 46K 78643K 201 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
in_multi 11 0K 0K 78643K 11 0 0
ether_multi 1 0K 0K 78643K 1 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 36 159K 159K 78643K 36 0 0
exec 0 0K 1K 78643K 149 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 52 2K 3K 78643K 792 0 0
UVM aobj 2 2K 2K 78643K 2 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
NDP 3 0K 0K 78643K 3 0 0
temp 30 2343K 2407K 78643K 1747 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg
Idle
arp 64 2 0 0 1 0 1 1 0
8 0
inpcbpl 280 22 0 16 1 0 1 1 0
8 0
plimitpl 152 13 0 8 1 0 1 1 0
8 0
plcache 128 20 0 0 1 0 1 1 0
8 0
rtentry 112 23 0 1 1 0 1 1 0
8 0
syncache 264 5 0 5 1 0 1 1 0
8 1
tcpcb 544 8 0 5 1 0 1 1 0
8 0
art_heap8 4096 1 0 0 1 0 1 1 0
8 0
art_heap4 256 97 0 0 7 0 7 7 0
8 0
art_table 32 98 0 0 1 0 1 1 0
8 0
art_node 16 22 0 2 1 0 1 1 0
8 0
dirhash 1024 17 0 0 3 0 3 3 0
8 0
dino1pl 128 1502 0 135 45 0 45 45 0
8 0
ffsino 272 1502 0 135 92 0 92 92 0
8 0
nchpl 144 1704 0 179 57 0 57 57 0
8 0
uvmvnodes 72 1511 0 0 28 0 28 28 0
8 0
vnodes 200 1511 0 0 80 0 80 80 0
8 0
namei 1024 4096 0 4096 2 1 1 1 0
8 1
percpumem 16 30 0 0 1 0 1 1 0
8 0
scxspl 192 2662 0 2662 8 2 6 6 0
8 6
sigapl 432 203 0 192 2 0 2 2 0
8 0
futexpl 56 188 0 185 1 0 1 1 0
8 0
knotepl 112 5 0 0 1 0 1 1 0
8 0
kqueuepl 104 1 0 0 1 0 1 1 0
8 0
pipepl 112 114 0 107 2 1 1 1 0
8 0
fdescpl 488 204 0 192 2 0 2 2 0
8 0
filepl 152 1376 0 1325 3 0 3 3 0
8 1
lockfpl 96 6 0 6 1 1 0 1 0
8 0
lockfspl 24 3 0 3 1 1 0 1 0
8 0
sessionpl 112 17 0 9 1 0 1 1 0
8 0
pgrppl 48 17 0 9 1 0 1 1 0
8 0
ucredpl 96 587 0 580 1 0 1 1 0
8 0
zombiepl 144 192 0 192 2 1 1 1 0
8 1
processpl 840 218 0 192 4 0 4 4 0
8 0
procpl 600 328 0 298 3 0 3 3 0
8 0
sockpl 384 64 0 48 2 0 2 2 0
8 0
mcl4k 4096 2 0 0 1 0 1 1 0
8 0
mcl2k 2048 67 0 0 9 0 9 9 0
8 0
mtagpl 80 1 0 0 1 0 1 1 0
8 0
mbufpl 256 85 0 0 6 0 6 6 0
8 0
bufpl 256 2046 0 261 112 0 112 112 0
8 0
anonpl 16 18529 0 17364 6 1 5 6 0
125 0
amapchunkpl 152 743 0 699 2 0 2 2 0
158 0
amappl16 192 134 0 125 1 0 1 1 0
8 0
amappl15 184 1 0 1 1 1 0 1 0
8 0
amappl14 176 1 0 1 1 1 0 1 0
8 0
amappl13 168 16 0 13 1 0 1 1 0
8 0
amappl12 160 4 0 4 1 1 0 1 0
8 0
amappl11 152 177 0 168 1 0 1 1 0
8 0
amappl10 144 43 0 43 2 1 1 1 0
8 1
amappl9 136 203 0 202 1 0 1 1 0
8 0
amappl8 128 106 0 99 1 0 1 1 0
8 0
amappl7 120 30 0 26 1 0 1 1 0
8 0
amappl6 112 42 0 38 1 0 1 1 0
8 0
amappl5 104 176 0 164 1 0 1 1 0
8 0
amappl4 96 257 0 238 1 0 1 1 0
8 0
amappl3 88 112 0 106 1 0 1 1 0
8 0
amappl2 80 814 0 768 1 0 1 1 0
8 0
amappl1 72 12427 0 12012 15 5 10 15 0
8 0
amappl 72 507 0 483 1 0 1 1 0
75 0
dma4096 4096 1 0 1 1 1 0 1 0
8 0
dma256 256 6 0 6 1 1 0 1 0
8 0
dma64 64 259 0 259 1 1 0 1 0
8 0
dma32 32 7 0 7 1 1 0 1 0
8 0
dma16 16 17 0 17 1 1 0 1 0
8 0
aobjpl 64 1 0 0 1 0 1 1 0
8 0
uaddrrnd 24 204 0 192 1 0 1 1 0
8 0
uaddrbest 32 2 0 0 1 0 1 1 0
8 0
uaddr 24 204 0 192 1 0 1 1 0
8 0
vmmpekpl 168 5377 0 5357 1 0 1 1 0
8 0
vmmpepl 168 25699 0 24920 49 15 34 43 0
357 0
vmsppl 360 203 0 192 2 0 2 2 0
8 0
pdppl 4096 415 0 384 5 0 5 5 0
8 0
pvpl 32 73927 0 71052 30 4 26 26 0
265 2
pmappl 224 203 0 192 1 0 1 1 0
8 0
extentpl 40 39 0 25 1 0 1 1 0
8 0
phpool 112 241 0 3 7 0 7 7 0
8 0
ddb{0}>

Anton Lindqvist

Aug 17, 2019, 10:17:41 AM
to syzbot, syzkaller-o...@googlegroups.com
#syz test: https://github.com/mptre/openbsd-src vn-lock-race

syzbot

Aug 17, 2019, 10:49:01 AM
to an...@basename.se, syzkaller-o...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
witness: userret: returning with the following locks held:

login: witness: userret: returning with the following locks held:
exclusive rrwlock inode r = 0 (0xfffffd807e99bb48)
panic: witness_warn
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*500034 88839 0 0x1000 0x4080000 0 syz-executor1
335334 51436 73 0x100010 0x80 1 syslogd
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
witness_warn(2,0,ffffffff822074f4) at witness_warn+0x69e witness_debugger
sys/kern/subr_witness.c:2509 [inline]
witness_warn(2,0,ffffffff822074f4) at witness_warn+0x69e
sys/kern/subr_witness.c:1454
userret(ffff800020ae0290) at userret+0x36a sys/kern/kern_sig.c:1916
syscall(ffff800020beb270) at syscall+0x44a mi_syscall_return
sys/sys/syscall_mi.h:115 [inline]
syscall(ffff800020beb270) at syscall+0x44a sys/arch/amd64/amd64/trap.c:577
Xsyscall(6,5,c,0,3,1a9480780d8) at Xsyscall+0x128
end of kernel
end trace frame: 0x1ac438011b0, count: 9
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
witness_warn
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
witness_warn(2,0,ffffffff822074f4) at witness_warn+0x69e witness_debugger
sys/kern/subr_witness.c:2509 [inline]
witness_warn(2,0,ffffffff822074f4) at witness_warn+0x69e
sys/kern/subr_witness.c:1454
userret(ffff800020ae0290) at userret+0x36a sys/kern/kern_sig.c:1916
syscall(ffff800020beb270) at syscall+0x44a mi_syscall_return
sys/sys/syscall_mi.h:115 [inline]
syscall(ffff800020beb270) at syscall+0x44a sys/arch/amd64/amd64/trap.c:577
Xsyscall(6,5,c,0,3,1a9480780d8) at Xsyscall+0x128
end of kernel
end trace frame: 0x1ac438011b0, count: -6
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff800020beafb0
rbx 0xffff800020beb060
rdx 0xffff800020ae0290
rcx 0
rax 0
r8 0xffffffff81faa3c3 kprintf+0x173
r9 0x1
r10 0x25
r11 0x222819c4edc903b1
r12 0x3000000008
r13 0xffff800020beafc0
r14 0x100
r15 0x1
rip 0xffffffff81b0d898 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020beafa0
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor1) pid=500034 stat=onproc
flags process=1000<SINGLEEXIT> proc=4080000<SUSPSINGLE,THREAD>
pri=32, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff800020ae0018,0xffff800020ae0ef8
process=0xffff800020b2dc00 user=0xffff800020be6000,
vmspace=0xfffffd806e7652e8
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
36383 239295 60172 0 2 0 syz-executor0
36383 167076 60172 0 2 0x4000080 syz-executor0
36383 28513 60172 0 2 0x4000000 syz-executor0
88839 482830 22059 0 3 0x3000 suspend syz-executor1
*88839 500034 22059 0 7 0x4081000 syz-executor1
60172 98115 78502 0 2 0x2 syz-executor0
22059 271064 78502 0 3 0x82 nanosleep syz-executor1
78502 459302 15906 0 3 0x82 thrsleep syz-execprog
78502 166326 15906 0 3 0x4000082 thrsleep syz-execprog
78502 351806 15906 0 3 0x4000082 thrsleep syz-execprog
78502 131250 15906 0 3 0x4000082 kqread syz-execprog
78502 283707 15906 0 3 0x4000082 thrsleep syz-execprog
78502 119973 15906 0 3 0x4000082 thrsleep syz-execprog
78502 408856 15906 0 3 0x4000082 thrsleep syz-execprog
78502 37676 15906 0 3 0x4000082 thrsleep syz-execprog
78502 404297 15906 0 3 0x4000082 thrsleep syz-execprog
78502 128894 15906 0 3 0x4000082 thrsleep syz-execprog
15906 496390 40034 0 3 0x10008a pause ksh
40034 324871 66218 0 3 0x92 select sshd
92451 459144 1 0 3 0x100083 ttyin getty
66218 162563 1 0 3 0x80 select sshd
41650 45208 41636 74 3 0x100092 bpf pflogd
41636 278670 1 0 3 0x80 netio pflogd
51436 335334 54850 73 7 0x100090 syslogd
54850 53921 1 0 3 0x100082 netio syslogd
93851 519068 1 77 3 0x100090 poll dhclient
73735 21956 1 0 3 0x80 poll dhclient
72468 203821 0 0 2 0x14200 zerothread
44810 48919 0 0 3 0x14200 aiodoned aiodoned
31520 153929 0 0 3 0x14200 syncer update
92518 58208 0 0 3 0x14200 cleaner cleaner
4698 320838 0 0 3 0x14200 reaper reaper
49400 441691 0 0 3 0x14200 pgdaemon pagedaemon
78245 63231 0 0 3 0x14200 bored crynlk
87515 318950 0 0 3 0x14200 bored crypto
48038 521208 0 0 3 0x40014200 acpi0 acpi0
4319 480147 0 0 3 0x40014200 idle1
18557 83512 0 0 3 0x14200 bored softnet
75834 374062 0 0 3 0x14200 bored systqmp
7087 73206 0 0 3 0x14200 bored systq
30731 508547 0 0 2 0x40014200 softclock
75791 25634 0 0 3 0x40014200 idle0
62385 329459 0 0 3 0x14200 bored smr
1 423421 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
Process 88839 (syz-executor1) thread 0xffff800020ae0290 (500034)
exclusive rrwlock inode r = 0 (0xfffffd807e99bb48)
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9468 6388K 6388K 78643K 10555 0 0
pcb 13 8K 8K 78643K 13 0 0
rtable 97 3K 3K 78643K 177 0 0
ifaddr 38 10K 10K 78643K 39 0 0
counters 39 33K 33K 78643K 39 0 0
ioctlops 0 0K 4K 78643K 1469 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1198 75K 75K 78643K 20092 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 1K 78643K 2 0 0
VM map 2 1K 1K 78643K 2 0 0
sem 2 0K 0K 78643K 2 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1808 196K 290K 78643K 12765 0 0
file desc 6 17K 21K 78643K 8203 0 0
proc 52 50K 71K 78643K 374 0 0
subproc 0 0K 1K 78643K 17 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
in_multi 33 2K 2K 78643K 33 0 0
ether_multi 1 0K 0K 78643K 1 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 54 238K 238K 78643K 54 0 0
exec 0 0K 1K 78643K 212 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 90 20K 20K 78643K 24872 0 0
UVM aobj 2 2K 2K 78643K 2 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
NDP 6 0K 0K 78643K 10 0 0
temp 55 3526K 3590K 78643K 19682 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg
Idle
arp 64 4 0 0 1 0 1 1 0
8 0
plcache 128 20 0 0 1 0 1 1 0
8 0
rtpcb 80 15 0 13 1 0 1 1 0
8 0
rtentry 112 41 0 1 2 0 2 2 0
8 0
unpcb 120 41 0 31 1 0 1 1 0
8 0
syncache 264 8 0 8 1 1 0 1 0
8 0
tcpqe 32 11 0 11 1 1 0 1 0
8 0
tcpcb 544 14 0 11 1 0 1 1 0
8 0
inpcb 280 39 0 33 1 0 1 1 0
8 0
nd6 48 4 0 0 1 0 1 1 0
8 0
pfosfp 40 846 0 423 5 0 5 5 0
8 0
pfosfpen 112 1428 0 714 21 0 21 21 0
8 0
pfstitem 24 16 0 15 1 0 1 1 0
8 0
pfstkey 112 16 0 15 1 0 1 1 0
8 0
pfstate 328 16 0 15 2 1 1 2 0
8 0
pfrule 1360 21 0 16 2 1 1 2 0
8 0
art_heap8 4096 1 0 0 1 0 1 1 0
8 0
art_heap4 256 185 0 0 12 0 12 12 0
8 0
art_table 32 186 0 0 2 0 2 2 0
8 0
art_node 16 40 0 6 1 0 1 1 0
8 0
dirhash 1024 17 0 0 3 0 3 3 0
8 0
dino1pl 128 28526 0 27097 47 0 47 47 0
8 0
ffsino 272 28526 0 27097 96 0 96 96 0
8 0
nchpl 144 36969 0 35330 61 0 61 61 0
8 0
uvmvnodes 72 5926 0 0 108 0 108 108 0
8 0
vnodes 200 5926 0 0 312 0 312 312 0
8 0
namei 1024 213752 0 213752 1 0 1 1 0
8 1
percpumem 16 30 0 0 1 0 1 1 0
8 0
scxspl 192 69450 0 69450 8 7 1 7 0
8 1
plimitpl 152 20 0 12 1 0 1 1 0
8 0
sigapl 432 8422 0 8406 2 0 2 2 0
8 0
futexpl 56 83299 0 83299 2 1 1 1 0
8 1
knotepl 112 95 0 78 1 0 1 1 0
8 0
kqueuepl 104 3 0 1 1 0 1 1 0
8 0
pipepl 112 218 0 199 1 0 1 1 0
8 0
fdescpl 488 8423 0 8406 3 0 3 3 0
8 0
filepl 152 141668 0 141591 5 1 4 4 0
8 1
lockfpl 104 6 0 6 1 1 0 1 0
8 0
lockfspl 48 3 0 3 1 1 0 1 0
8 0
sessionpl 112 27 0 16 1 0 1 1 0
8 0
pgrppl 48 27 0 16 1 0 1 1 0
8 0
ucredpl 96 131113 0 131104 1 0 1 1 0
8 0
zombiepl 144 8407 0 8406 1 0 1 1 0
8 0
processpl 896 8438 0 8406 4 0 4 4 0
8 0
procpl 632 24029 0 23985 4 0 4 4 0
8 0
sockpl 384 95 0 77 3 1 2 3 0
8 0
mcl4k 4096 4 0 0 1 0 1 1 0
8 0
mcl2k 2048 89 0 0 11 0 11 11 0
8 0
mtagpl 80 1 0 0 1 0 1 1 0
8 0
mbufpl 256 113 0 0 7 0 7 7 0
8 0
bufpl 256 14193 0 7168 440 0 440 440 0
8 0
anonpl 16 466466 0 463763 18 7 11 13 0
125 0
amapchunkpl 152 40246 0 40151 7 3 4 5 0
158 0
amappl16 192 34699 0 34595 7 1 6 6 0
8 0
amappl15 184 5 0 4 2 1 1 1 0
8 0
amappl14 176 85 0 76 1 0 1 1 0
8 0
amappl13 168 15 0 15 2 2 0 1 0
8 0
amappl12 160 12 0 10 2 1 1 1 0
8 0
amappl11 152 58 0 43 1 0 1 1 0
8 0
amappl10 144 89 0 86 1 0 1 1 0
8 0
amappl9 136 8969 0 8962 1 0 1 1 0
8 0
amappl8 128 8339 0 8324 1 0 1 1 0
8 0
amappl7 120 37 0 34 1 0 1 1 0
8 0
amappl6 112 87 0 81 1 0 1 1 0
8 0
amappl5 104 200 0 185 1 0 1 1 0
8 0
amappl4 96 8778 0 8747 3 2 1 2 0
8 0
amappl3 88 230 0 220 1 0 1 1 0
8 0
amappl2 80 66556 0 66479 4 2 2 3 0
8 0
amappl1 72 196795 0 196323 29 19 10 20 0
8 0
amappl 80 24294 0 24255 1 0 1 1 0
84 0
dma4096 4096 1 0 1 1 1 0 1 0
8 0
dma256 256 6 0 6 1 1 0 1 0
8 0
dma64 64 259 0 259 1 1 0 1 0
8 0
dma32 32 7 0 7 1 1 0 1 0
8 0
dma16 16 17 0 17 1 1 0 1 0
8 0
aobjpl 64 1 0 0 1 0 1 1 0
8 0
uaddrrnd 24 8423 0 8406 1 0 1 1 0
8 0
uaddrbest 32 2 0 0 1 0 1 1 0
8 0
uaddr 24 8423 0 8406 1 0 1 1 0
8 0
vmmpekpl 168 56841 0 56814 2 0 2 2 0
8 0
vmmpepl 168 726774 0 725565 84 31 53 78 0
357 0
vmsppl 368 8422 0 8406 2 0 2 2 0
8 0
pdppl 4096 16853 0 16812 7 1 6 6 0
8 0
pvpl 32 1325602 0 1320214 111 67 44 108 0
265 0
pmappl 232 8422 0 8406 2 1 1 2 0
8 0
extentpl 40 41 0 26 1 0 1 1 0
8 0
phpool 112 586 0 4 17 0 17 17 0
8 0


Tested on:

commit: 3b047971 potential vn_lock() race fix
git tree: https://github.com/mptre/openbsd-src vn-lock-race
console output: https://syzkaller.appspot.com/x/log.txt?x=1062e0f2600000
kernel config: https://syzkaller.appspot.com/x/.config?x=3303344588104330
compiler:

syzbot

Aug 18, 2019, 6:16:01 AM
to an...@basename.se, syzkaller-o...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
witness: userret: returning with the following locks held:

login: witness: userret: returning with the following locks held:
exclusive rrwlock inode r = 0 (0xfffffd806944f708)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1163
#1 rw_enter+0x46d sys/kern/kern_rwlock.c:306
#2 rrw_enter+0x4f sys/kern/kern_rwlock.c:435
#3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:602
#4 vn_write+0x179 vn_lock sys/kern/vfs_vnops.c:561 [inline]
#4 vn_write+0x179 sys/kern/vfs_vnops.c:401
#5 dofilewritev+0x1ac sys/kern/sys_generic.c:364
#6 sys_write+0x83 sys/kern/sys_generic.c:284
#7 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:92 [inline]
#7 syscall+0x552 sys/arch/amd64/amd64/trap.c:555
#8 Xsyscall+0x128
panic: witness_warn
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
* 80115 18947 0 0 0x4000000 1 syz-executor0
299896 62775 73 0x100010 0 0K syslogd
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
witness_warn(2,0,ffffffff82208600) at witness_warn+0x69e witness_debugger
sys/kern/subr_witness.c:2509 [inline]
witness_warn(2,0,ffffffff82208600) at witness_warn+0x69e
sys/kern/subr_witness.c:1454
userret(ffff800020ab0c78) at userret+0x36a sys/kern/kern_sig.c:1916
syscall(ffff800020b9dab0) at syscall+0x44a mi_syscall_return
sys/sys/syscall_mi.h:115 [inline]
syscall(ffff800020b9dab0) at syscall+0x44a sys/arch/amd64/amd64/trap.c:577
Xsyscall(6,5,c,0,3,7bcb641f0d8) at Xsyscall+0x128
end of kernel
end trace frame: 0x7bf83ff0720, count: 9
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
witness_warn
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
witness_warn(2,0,ffffffff82208600) at witness_warn+0x69e witness_debugger
sys/kern/subr_witness.c:2509 [inline]
witness_warn(2,0,ffffffff82208600) at witness_warn+0x69e
sys/kern/subr_witness.c:1454
userret(ffff800020ab0c78) at userret+0x36a sys/kern/kern_sig.c:1916
syscall(ffff800020b9dab0) at syscall+0x44a mi_syscall_return
sys/sys/syscall_mi.h:115 [inline]
syscall(ffff800020b9dab0) at syscall+0x44a sys/arch/amd64/amd64/trap.c:577
Xsyscall(6,5,c,0,3,7bcb641f0d8) at Xsyscall+0x128
end of kernel
end trace frame: 0x7bf83ff0720, count: -6
ddb{1}> show registers
rdi 0
rsi 0x1
rbp 0xffff800020b9d7f0
rbx 0xffff800020b9d8a0
rdx 0xffff800020ab0c78
rcx 0
rax 0
r8 0xffffffff81419ea3 kprintf+0x173
r9 0x1
r10 0x25
r11 0xde79626c8c0721ef
r12 0x3000000008
r13 0xffff800020b9d800
r14 0x100
r15 0x1
rip 0xffffffff8131c258 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020b9d7e0
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor0) pid=80115 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=32, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff800020ab1658,0xffff800020ab13f0
process=0xffff800020add500 user=0xffff800020b98000,
vmspace=0xfffffd806e792008
estcpu=36, cpticks=4, pctcpu=0.0
user=0, sys=4, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
2013 379530 60502 0 2 0 syz-executor1
2013 428993 60502 0 3 0x4000000 inode syz-executor1
2013 491568 60502 0 3 0x4000000 fdlock syz-executor1
18947 285148 63561 0 2 0 syz-executor0
18947 167120 63561 0 3 0x4000080 fsleep syz-executor0
*18947 80115 63561 0 7 0x4000000 syz-executor0
18947 22450 63561 0 2 0x4000000 syz-executor0
60502 276705 30528 0 2 0x482 syz-executor1
63561 214348 30528 0 2 0x482 syz-executor0
30528 207844 10752 0 3 0x82 thrsleep syz-execprog
30528 522672 10752 0 3 0x4000082 thrsleep syz-execprog
30528 44794 10752 0 3 0x4000082 thrsleep syz-execprog
30528 75166 10752 0 3 0x4000082 thrsleep syz-execprog
30528 212739 10752 0 3 0x4000082 thrsleep syz-execprog
30528 519189 10752 0 3 0x4000082 thrsleep syz-execprog
30528 330248 10752 0 3 0x4000082 thrsleep syz-execprog
30528 125884 10752 0 3 0x4000082 thrsleep syz-execprog
30528 101037 10752 0 3 0x4000082 kqread syz-execprog
30528 42905 10752 0 3 0x4000082 thrsleep syz-execprog
10752 82775 3903 0 3 0x10008a pause ksh
3903 34556 86945 0 3 0x92 select sshd
61788 199541 1 0 3 0x100083 ttyin getty
86945 195944 1 0 3 0x80 select sshd
43925 522324 49301 74 3 0x100092 bpf pflogd
49301 141094 1 0 3 0x80 netio pflogd
62775 299896 71049 73 7 0x100010 syslogd
71049 161457 1 0 3 0x100082 netio syslogd
60772 244397 1 77 3 0x100090 poll dhclient
75688 75097 1 0 3 0x80 poll dhclient
45998 76790 0 0 3 0x14200 pgzero zerothread
67986 339506 0 0 3 0x14200 aiodoned aiodoned
87731 468024 0 0 3 0x14200 syncer update
22190 7179 0 0 3 0x14200 cleaner cleaner
56326 485463 0 0 3 0x14200 reaper reaper
37333 92293 0 0 3 0x14200 pgdaemon pagedaemon
43142 159405 0 0 3 0x14200 bored crynlk
5671 370911 0 0 3 0x14200 bored crypto
26260 119428 0 0 3 0x40014200 acpi0 acpi0
94438 239520 0 0 3 0x40014200 idle1
68651 26846 0 0 3 0x14200 bored softnet
73455 294796 0 0 3 0x14200 bored systqmp
95702 363389 0 0 3 0x14200 bored systq
75275 99696 0 0 3 0x40014200 bored softclock
95968 112087 0 0 3 0x40014200 idle0
46729 72175 0 0 3 0x14200 bored smr
1 150433 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
Process 2013 (syz-executor1) thread 0xffff800020ab1658 (428993)
exclusive rrwlock inode r = 0 (0xfffffd807ec56d58)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1163
#1 rw_enter+0x46d sys/kern/kern_rwlock.c:306
#2 rrw_enter+0x4f sys/kern/kern_rwlock.c:435
#3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:602
#4 vn_lock+0x6c sys/kern/vfs_vnops.c:561
#5 vget+0x1c3 sys/kern/vfs_subr.c:672
#6 cache_lookup+0x2cf sys/kern/vfs_cache.c:224
#7 ufs_lookup+0x1ad sys/ufs/ufs/ufs_lookup.c:162
#8 VOP_LOOKUP+0x5b sys/kern/vfs_vops.c:90
#9 vfs_lookup+0x7a5 sys/kern/vfs_lookup.c:567
#10 namei+0x61c sys/kern/vfs_lookup.c:248
#11 ptmioctl+0x3af sys/kern/tty_pty.c:1121
#12 VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
#13 vn_ioctl+0xb7 sys/kern/vfs_vnops.c:524
#14 sys_ioctl+0x5b8
#15 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:92 [inline]
#15 syscall+0x552 sys/arch/amd64/amd64/trap.c:555
#16 Xsyscall+0x128
exclusive rwlock fdlock r = 0 (0xfffffd807df6c068)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1163
#1 ptmioctl+0xe7 sys/kern/tty_pty.c:1071
#2 VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
#3 vn_ioctl+0xb7 sys/kern/vfs_vnops.c:524
#4 sys_ioctl+0x5b8
#5 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:92 [inline]
#5 syscall+0x552 sys/arch/amd64/amd64/trap.c:555
#6 Xsyscall+0x128
Process 18947 (syz-executor0) thread 0xffff800020ab0c78 (80115)
exclusive rrwlock inode r = 0 (0xfffffd806944f708)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1163
#1 rw_enter+0x46d sys/kern/kern_rwlock.c:306
#2 rrw_enter+0x4f sys/kern/kern_rwlock.c:435
#3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:602
#4 vn_write+0x179 vn_lock sys/kern/vfs_vnops.c:561 [inline]
#4 vn_write+0x179 sys/kern/vfs_vnops.c:401
#5 dofilewritev+0x1ac sys/kern/sys_generic.c:364
#6 sys_write+0x83 sys/kern/sys_generic.c:284
#7 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:92 [inline]
#7 syscall+0x552 sys/arch/amd64/amd64/trap.c:555
#8 Xsyscall+0x128
Process 62775 (syslogd) thread 0xffff800020ac1158 (299896)
exclusive rrwlock inode r = 0 (0xfffffd807e2dac48)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1163
#1 rw_enter+0x46d sys/kern/kern_rwlock.c:306
#2 rrw_enter+0x4f sys/kern/kern_rwlock.c:435
#3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:602
#4 vn_lock+0x6c sys/kern/vfs_vnops.c:561
#5 sys_fsync+0x114 sys/kern/vfs_syscalls.c:2806
#6 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:92 [inline]
#6 syscall+0x552 sys/arch/amd64/amd64/trap.c:555
#7 Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82618c78)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1163
#1 syscall+0x412 mi_syscall sys/sys/syscall_mi.h:83 [inline]
#1 syscall+0x412 sys/arch/amd64/amd64/trap.c:555
#2 Xsyscall+0x128
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9469 6388K 6388K 78643K 10556 0 0
pcb 13 8K 8K 78643K 13 0 0
rtable 97 3K 3K 78643K 177 0 0
ifaddr 38 10K 10K 78643K 39 0 0
counters 39 33K 33K 78643K 39 0 0
ioctlops 0 0K 4K 78643K 1469 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1198 75K 75K 78643K 39808 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 1K 78643K 2 0 0
VM map 2 1K 1K 78643K 2 0 0
sem 2 0K 0K 78643K 2 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1808 196K 290K 78643K 12765 0 0
file desc 5 16K 20K 78643K 17603 0 0
proc 52 50K 71K 78643K 374 0 0
subproc 0 0K 1K 78643K 17 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
in_multi 33 2K 2K 78643K 33 0 0
ether_multi 1 0K 0K 78643K 1 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 60 265K 265K 78643K 60 0 0
exec 0 0K 1K 78643K 212 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 87 20K 20K 78643K 53771 0 0
UVM aobj 2 2K 2K 78643K 2 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
NDP 6 0K 0K 78643K 10 0 0
temp 55 3526K 3590K 78643K 38485 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg
Idle
arp 64 4 0 0 1 0 1 1 0
8 0
plcache 128 20 0 0 1 0 1 1 0
8 0
rtpcb 80 15 0 13 1 0 1 1 0
8 0
rtentry 112 41 0 1 2 0 2 2 0
8 0
unpcb 120 41 0 31 1 0 1 1 0
8 0
syncache 264 8 0 8 1 1 0 1 0
8 0
dino1pl 128 57643 0 56214 47 0 47 47 0
8 0
ffsino 272 57643 0 56214 96 0 96 96 0
8 0
nchpl 144 75487 0 73848 61 0 61 61 0
8 0
uvmvnodes 72 5926 0 0 108 0 108 108 0
8 0
vnodes 200 5926 0 0 312 0 312 312 0
8 0
namei 1024 446686 0 446685 1 0 1 1 0
8 0
percpumem 16 30 0 0 1 0 1 1 0
8 0
scxspl 192 144620 0 144619 8 7 1 7 0
8 0
plimitpl 152 20 0 12 1 0 1 1 0
8 0
sigapl 432 17823 0 17807 2 0 2 2 0
8 0
futexpl 56 156212 0 156211 2 1 1 1 0
8 0
knotepl 112 95 0 78 1 0 1 1 0
8 0
kqueuepl 104 3 0 1 1 0 1 1 0
8 0
pipepl 112 218 0 199 1 0 1 1 0
8 0
fdescpl 488 17824 0 17807 3 0 3 3 0
8 0
filepl 152 298445 0 298363 5 1 4 4 0
8 0
lockfpl 104 6 0 6 1 1 0 1 0
8 0
lockfspl 48 3 0 3 1 1 0 1 0
8 0
sessionpl 112 27 0 16 1 0 1 1 0
8 0
pgrppl 48 27 0 16 1 0 1 1 0
8 0
ucredpl 96 274976 0 274967 1 0 1 1 0
8 0
zombiepl 144 17807 0 17807 1 0 1 1 0
8 1
processpl 896 17839 0 17807 4 0 4 4 0
8 0
procpl 632 52968 0 52922 5 1 4 4 0
8 0
sockpl 384 95 0 77 3 1 2 3 0
8 0
mcl4k 4096 3 0 0 1 0 1 1 0
8 0
mcl2k 2048 89 0 0 11 0 11 11 0
8 0
mtagpl 80 1 0 0 1 0 1 1 0
8 0
mbufpl 256 113 0 0 7 0 7 7 0
8 0
bufpl 256 23594 0 16574 439 0 439 439 0
8 0
anonpl 16 973703 0 970998 17 6 11 13 0
124 0
amapchunkpl 152 88654 0 88556 7 3 4 5 0
158 0
amappl16 192 73778 0 73676 7 1 6 6 0
8 0
amappl15 184 2 0 1 2 1 1 1 0
8 0
amappl14 176 8827 0 8816 1 0 1 1 0
8 0
amappl13 168 12 0 12 2 2 0 1 0
8 0
amappl12 160 10 0 9 2 1 1 1 0
8 0
amappl11 152 59 0 44 1 0 1 1 0
8 0
amappl10 144 93 0 91 1 0 1 1 0
8 0
amappl9 136 9633 0 9628 1 0 1 1 0
8 0
amappl8 128 8993 0 8979 1 0 1 1 0
8 0
amappl7 120 41 0 38 1 0 1 1 0
8 0
amappl6 112 82 0 75 1 0 1 1 0
8 0
amappl5 104 180 0 166 1 0 1 1 0
8 0
amappl4 96 18180 0 18151 3 2 1 2 0
8 0
amappl3 88 233 0 222 1 0 1 1 0
8 0
amappl2 80 141759 0 141680 4 2 2 3 0
8 0
amappl1 72 416823 0 416351 30 20 10 20 0
8 0
amappl 80 53194 0 53155 1 0 1 1 0
84 0
dma4096 4096 1 0 1 1 1 0 1 0
8 0
dma256 256 6 0 6 1 1 0 1 0
8 0
dma64 64 259 0 259 1 1 0 1 0
8 0
dma32 32 7 0 7 1 1 0 1 0
8 0
dma16 16 17 0 17 1 1 0 1 0
8 0
aobjpl 64 1 0 0 1 0 1 1 0
8 0
uaddrrnd 24 17824 0 17807 1 0 1 1 0
8 0
uaddrbest 32 2 0 0 1 0 1 1 0
8 0
uaddr 24 17824 0 17807 1 0 1 1 0
8 0
vmmpekpl 168 130135 0 130110 2 0 2 2 0
8 0
vmmpepl 168 1499646 0 1498450 98 46 52 78 0
357 0
vmsppl 368 17823 0 17807 2 0 2 2 0
8 0
pdppl 4096 35655 0 35614 7 1 6 6 0
8 0
pvpl 32 2705102 0 2699710 110 66 44 107 0
265 0
pmappl 232 17823 0 17807 2 1 1 2 0
8 0
extentpl 40 41 0 26 1 0 1 1 0
8 0
phpool 112 585 0 4 17 0 17 17 0
8 0


Tested on:

commit: 92c86d03 enable witness lock trace
git tree: https://github.com/mptre/openbsd-src vn-lock-race
console output: https://syzkaller.appspot.com/x/log.txt?x=16dd1f72600000

syzbot
Aug 20, 2019, 3:58:01 AM
to an...@basename.se, syzkaller-o...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered a
crash:
witness: userret: returning with the following locks held:

witness: userret: returning with the following locks held:
exclusive rrwlock inode r = 0 (0xfffffd806987e3d8)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1163
#1 rw_enter+0x46d sys/kern/kern_rwlock.c:306
#2 rrw_enter+0x4f sys/kern/kern_rwlock.c:435
#3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:602
#4 vn_write+0x169 vn_lock sys/kern/vfs_vnops.c:579 [inline]
#4 vn_write+0x169 sys/kern/vfs_vnops.c:402
#5 dofilewritev+0x1ac sys/kern/sys_generic.c:364
#6 sys_write+0x83 sys/kern/sys_generic.c:284
#7 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:92 [inline]
#7 syscall+0x552 sys/arch/amd64/amd64/trap.c:555
#8 Xsyscall+0x128
panic: witness_warn
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
141144 69832 0 0 0 0 syz-executor1
*111339 68947 0 0 0x4000000 1 syz-executor0
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
witness_warn(2,0,ffffffff82209915) at witness_warn+0x69e witness_debugger
sys/kern/subr_witness.c:2509 [inline]
witness_warn(2,0,ffffffff82209915) at witness_warn+0x69e
sys/kern/subr_witness.c:1454
userret(ffff800020ab0020) at userret+0x36a sys/kern/kern_sig.c:1916
syscall(ffff800020b958a0) at syscall+0x44a mi_syscall_return
sys/sys/syscall_mi.h:115 [inline]
syscall(ffff800020b958a0) at syscall+0x44a sys/arch/amd64/amd64/trap.c:577
Xsyscall(6,5,c,0,3,9d90b92a0d8) at Xsyscall+0x128
end of kernel
end trace frame: 0x9db2bf433b0, count: 9
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
witness_warn
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
witness_warn(2,0,ffffffff82209915) at witness_warn+0x69e witness_debugger
sys/kern/subr_witness.c:2509 [inline]
witness_warn(2,0,ffffffff82209915) at witness_warn+0x69e
sys/kern/subr_witness.c:1454
userret(ffff800020ab0020) at userret+0x36a sys/kern/kern_sig.c:1916
syscall(ffff800020b958a0) at syscall+0x44a mi_syscall_return
sys/sys/syscall_mi.h:115 [inline]
syscall(ffff800020b958a0) at syscall+0x44a sys/arch/amd64/amd64/trap.c:577
Xsyscall(6,5,c,0,3,9d90b92a0d8) at Xsyscall+0x128
end of kernel
end trace frame: 0x9db2bf433b0, count: -6
ddb{1}> show registers
rdi 0
rsi 0x1
rbp 0xffff800020b955e0
rbx 0xffff800020b95690
rdx 0xffff800020ab0020
rcx 0
rax 0
r8 0xffffffff81c59ef3 kprintf+0x173
r9 0x1
r10 0x25
r11 0x48b75532a577ffa5
r12 0x3000000008
r13 0xffff800020b955f0
r14 0x100
r15 0x1
rip 0xffffffff81fd43e8 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020b955d0
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor0) pid=111339 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=32, usrpri=77, nice=20
forw=0xffffffffffffffff, list=0xffff800020ab0788,0xffff800020ab0c88
process=0xffff800020adce00 user=0xffff800020b90000,
vmspace=0xfffffd806e7a52e8
estcpu=27, cpticks=6, pctcpu=0.0
user=0, sys=6, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
69832 141144 1430 0 7 0 syz-executor1
69832 291764 1430 0 3 0x4000000 inode syz-executor1
69832 82936 1430 0 2 0x4000000 syz-executor1
68947 314802 63541 0 2 0 syz-executor0
68947 66837 63541 0 3 0x4000080 fsleep syz-executor0
*68947 111339 63541 0 7 0x4000000 syz-executor0
68947 265494 63541 0 3 0x4000080 fsleep syz-executor0
1430 351475 47482 0 2 0x482 syz-executor1
63541 480213 47482 0 3 0x82 nanosleep syz-executor0
47482 265870 81370 0 3 0x82 thrsleep syz-execprog
47482 147042 81370 0 3 0x4000082 thrsleep syz-execprog
47482 478118 81370 0 3 0x4000082 thrsleep syz-execprog
47482 489038 81370 0 3 0x4000082 thrsleep syz-execprog
47482 115939 81370 0 3 0x4000082 thrsleep syz-execprog
47482 357933 81370 0 3 0x4000082 thrsleep syz-execprog
47482 305081 81370 0 3 0x4000082 thrsleep syz-execprog
47482 139586 81370 0 3 0x4000082 thrsleep syz-execprog
47482 241386 81370 0 3 0x4000082 kqread syz-execprog
47482 402110 81370 0 3 0x4000082 thrsleep syz-execprog
81370 289729 97624 0 3 0x10008a pause ksh
97624 344730 69502 0 3 0x92 select sshd
49825 279468 1 0 3 0x100083 ttyin getty
69502 154648 1 0 3 0x80 select sshd
98721 451358 79366 74 3 0x100092 bpf pflogd
79366 173659 1 0 3 0x80 netio pflogd
46157 9771 24433 73 2 0x100090 syslogd
24433 513111 1 0 3 0x100082 netio syslogd
79669 441014 1 77 3 0x100090 poll dhclient
46776 134180 1 0 3 0x80 poll dhclient
85900 194336 0 0 2 0x14200 zerothread
13535 143625 0 0 3 0x14200 aiodoned aiodoned
79427 313135 0 0 3 0x14200 syncer update
34749 65359 0 0 3 0x14200 cleaner cleaner
81560 293512 0 0 3 0x14200 reaper reaper
34971 402618 0 0 3 0x14200 pgdaemon pagedaemon
35624 345777 0 0 3 0x14200 bored crynlk
7008 220583 0 0 3 0x14200 bored crypto
46794 389183 0 0 3 0x40014200 acpi0 acpi0
82677 277007 0 0 3 0x40014200 idle1
13886 360361 0 0 3 0x14200 bored softnet
38534 250690 0 0 3 0x14200 bored systqmp
47793 487170 0 0 3 0x14200 bored systq
52706 250665 0 0 3 0x40014200 bored softclock
75141 421983 0 0 3 0x40014200 idle0
13731 20162 0 0 3 0x14200 bored smr
1 82505 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
Process 68947 (syz-executor0) thread 0xffff800020ab0020 (111339)
exclusive rrwlock inode r = 0 (0xfffffd806987e3d8)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1163
#1 rw_enter+0x46d sys/kern/kern_rwlock.c:306
#2 rrw_enter+0x4f sys/kern/kern_rwlock.c:435
#3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:602
#4 vn_write+0x169 vn_lock sys/kern/vfs_vnops.c:579 [inline]
#4 vn_write+0x169 sys/kern/vfs_vnops.c:402
#5 dofilewritev+0x1ac sys/kern/sys_generic.c:364
#6 sys_write+0x83 sys/kern/sys_generic.c:284
#7 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:92 [inline]
#7 syscall+0x552 sys/arch/amd64/amd64/trap.c:555
#8 Xsyscall+0x128
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9468 6388K 6388K 78643K 10555 0 0
pcb 13 8K 8K 78643K 13 0 0
rtable 97 3K 3K 78643K 177 0 0
ifaddr 38 10K 10K 78643K 39 0 0
counters 39 33K 33K 78643K 39 0 0
ioctlops 0 0K 4K 78643K 1469 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1198 75K 75K 78643K 38972 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 1K 78643K 2 0 0
VM map 2 1K 1K 78643K 2 0 0
sem 2 0K 0K 78643K 2 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1808 196K 290K 78643K 12765 0 0
file desc 5 16K 20K 78643K 17210 0 0
proc 52 50K 71K 78643K 374 0 0
subproc 0 0K 1K 78643K 17 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
in_multi 33 2K 2K 78643K 33 0 0
ether_multi 1 0K 0K 78643K 1 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 54 238K 238K 78643K 54 0 0
exec 0 0K 1K 78643K 212 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 89 20K 20K 78643K 52611 0 0
UVM aobj 2 2K 2K 78643K 2 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
NDP 6 0K 0K 78643K 10 0 0
temp 55 3538K 3602K 78643K 37699 0 0
dino1pl 128 56414 0 54985 47 0 47 47 0
8 0
ffsino 272 56414 0 54985 96 0 96 96 0
8 0
nchpl 144 73865 0 72226 61 0 61 61 0
8 0
uvmvnodes 72 5926 0 0 108 0 108 108 0
8 0
vnodes 200 5926 0 0 312 0 312 312 0
8 0
namei 1024 436000 0 436000 1 0 1 1 0
8 1
percpumem 16 30 0 0 1 0 1 1 0
8 0
scxspl 192 141822 0 141822 8 7 1 7 0
8 1
plimitpl 152 20 0 12 1 0 1 1 0
8 0
sigapl 432 17430 0 17414 2 0 2 2 0
8 0
futexpl 56 138150 0 138148 2 1 1 1 0
8 0
knotepl 112 95 0 78 1 0 1 1 0
8 0
kqueuepl 104 3 0 1 1 0 1 1 0
8 0
pipepl 112 218 0 199 1 0 1 1 0
8 0
fdescpl 488 17431 0 17414 3 0 3 3 0
8 0
filepl 152 291157 0 291082 5 1 4 4 0
8 1
lockfpl 104 6 0 6 1 1 0 1 0
8 0
lockfspl 48 3 0 3 1 1 0 1 0
8 0
sessionpl 112 27 0 16 1 0 1 1 0
8 0
pgrppl 48 27 0 16 1 0 1 1 0
8 0
ucredpl 96 268318 0 268309 1 0 1 1 0
8 0
zombiepl 144 17414 0 17414 1 0 1 1 0
8 1
processpl 896 17446 0 17414 4 0 4 4 0
8 0
procpl 632 51780 0 51734 5 1 4 4 0
8 0
sockpl 384 95 0 77 3 1 2 3 0
8 0
mcl4k 4096 2 0 0 1 0 1 1 0
8 0
mcl2k 2048 105 0 0 13 0 13 13 0
8 0
mtagpl 80 1 0 0 1 0 1 1 0
8 0
mbufpl 256 138 0 0 8 0 8 8 0
8 0
bufpl 256 23202 0 16182 439 0 439 439 0
8 0
anonpl 16 961768 0 959050 18 7 11 13 0
124 0
amapchunkpl 152 86752 0 86658 7 3 4 5 0
158 0
amappl16 192 71466 0 71362 8 2 6 6 0
8 0
amappl14 176 8665 0 8657 1 0 1 1 0
8 0
amappl13 168 13 0 13 2 2 0 1 0
8 0
amappl12 160 16 0 14 2 1 1 1 0
8 0
amappl11 152 8656 0 8639 1 0 1 1 0
8 0
amappl10 144 94 0 91 1 0 1 1 0
8 0
amappl9 136 796 0 792 1 0 1 1 0
8 0
amappl8 128 158 0 145 1 0 1 1 0
8 0
amappl7 120 39 0 36 1 0 1 1 0
8 0
amappl6 112 8684 0 8677 1 0 1 1 0
8 0
amappl5 104 189 0 176 1 0 1 1 0
8 0
amappl4 96 9205 0 9175 3 2 1 2 0
8 0
amappl3 88 17417 0 17403 1 0 1 1 0
8 0
amappl2 80 138621 0 138542 4 2 2 3 0
8 0
amappl1 72 398247 0 397770 32 22 10 20 0
8 0
amappl 80 52038 0 51999 1 0 1 1 0
84 0
dma4096 4096 1 0 1 1 1 0 1 0
8 0
dma256 256 6 0 6 1 1 0 1 0
8 0
dma64 64 259 0 259 1 1 0 1 0
8 0
dma32 32 7 0 7 1 1 0 1 0
8 0
dma16 16 17 0 17 1 1 0 1 0
8 0
aobjpl 64 1 0 0 1 0 1 1 0
8 0
uaddrrnd 24 17431 0 17414 1 0 1 1 0
8 0
uaddrbest 32 2 0 0 1 0 1 1 0
8 0
uaddr 24 17431 0 17414 1 0 1 1 0
8 0
vmmpekpl 168 112872 0 112848 2 0 2 2 0
8 0
vmmpepl 168 1465883 0 1464670 87 34 53 78 0
357 0
vmsppl 368 17430 0 17414 2 0 2 2 0
8 0
pdppl 4096 34869 0 34828 7 1 6 6 0
8 0
pvpl 32 2644058 0 2638657 111 67 44 107 0
265 0
pmappl 232 17430 0 17414 2 1 1 2 0
8 0
extentpl 40 41 0 26 1 0 1 1 0
8 0
phpool 112 588 0 4 17 0 17 17 0
8 0


Tested on:

commit: 3e54a91e XXX tmp
git tree: https://github.com/mptre/openbsd-src vn-lock-race
console output: https://syzkaller.appspot.com/x/log.txt?x=12f26986600000

syzbot
Aug 20, 2019, 4:47:02 AM
to an...@basename.se, syzkaller-o...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered a
crash:
panic: vn_write: v_davtna _wcrhiatne: ge0dx!ff

panic: vn_write: v_davtna _wcrhiatne: ge0dx!ff
ffStopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*204287 15810 0 0 0x4000000 0 syz-executor0
283288 34991 73 0x100010 0 1K syslogd
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
vn_write(fffffd8068b5e4d8,ffff800020b97248,0) at vn_write+0x394
sys/kern/vfs_vnops.c:435
dofilewritev(ffff800020a89b48,9,ffff800020b97248,0,ffff800020b97350) at
dofilewritev+0x1ac sys/kern/sys_generic.c:364
sys_write(ffff800020a89b48,ffff800020b972e8,ffff800020b97350) at
sys_write+0x83 sys/kern/sys_generic.c:284
syscall(ffff800020b973c0) at syscall+0x552 mi_syscall
sys/sys/syscall_mi.h:92 [inline]
syscall(ffff800020b973c0) at syscall+0x552 sys/arch/amd64/amd64/trap.c:555
Xsyscall(6,0,c,0,3,351448e30d8) at Xsyscall+0x128
end of kernel
end trace frame: 0x353c0f72ae0, count: 8
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
vn_write: v_data changed!
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
vn_write(fffffd8068b5e4d8,ffff800020b97248,0) at vn_write+0x394
sys/kern/vfs_vnops.c:435
dofilewritev(ffff800020a89b48,9,ffff800020b97248,0,ffff800020b97350) at
dofilewritev+0x1ac sys/kern/sys_generic.c:364
sys_write(ffff800020a89b48,ffff800020b972e8,ffff800020b97350) at
sys_write+0x83 sys/kern/sys_generic.c:284
syscall(ffff800020b973c0) at syscall+0x552 mi_syscall
sys/sys/syscall_mi.h:92 [inline]
syscall(ffff800020b973c0) at syscall+0x552 sys/arch/amd64/amd64/trap.c:555
Xsyscall(6,0,c,0,3,351448e30d8) at Xsyscall+0x128
end of kernel
end trace frame: 0x353c0f72ae0, count: -7
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff800020b97060
rbx 0xffff800020b97110
rdx 0xffff800020a89b48
rcx 0
rax 0
r8 0xffffffff816816b3 kprintf+0x173
r9 0x1
r10 0x25
r11 0xd99baf9f9c640734
r12 0x3000000008
r13 0xffff800020b97070
r14 0x100
r15 0x1
rip 0xffffffff82160de8 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020b97050
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor0) pid=204287 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=32, usrpri=77, nice=20
forw=0xffffffffffffffff, list=0xffff800020a88a00,0xffff800020a88c88
process=0xffff800020adc380 user=0xffff800020b92000,
vmspace=0xfffffd806e7ad738
estcpu=27, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
78109 227219 39454 0 2 0 syz-executor1
78109 379448 39454 0 3 0x4000080 fsleep syz-executor1
78109 159081 39454 0 2 0x4000000 syz-executor1
15810 457164 38660 0 2 0 syz-executor0
15810 182773 38660 0 3 0x4000080 fsleep syz-executor0
*15810 204287 38660 0 7 0x4000000 syz-executor0
15810 178362 38660 0 2 0x4000000 syz-executor0
39454 222162 48406 0 3 0x82 nanosleep syz-executor1
38660 434506 48406 0 3 0x82 nanosleep syz-executor0
48406 359134 50409 0 3 0x82 thrsleep syz-execprog
48406 178400 50409 0 3 0x4000082 thrsleep syz-execprog
48406 468569 50409 0 3 0x4000082 thrsleep syz-execprog
48406 157351 50409 0 3 0x4000082 thrsleep syz-execprog
48406 32238 50409 0 3 0x4000082 thrsleep syz-execprog
48406 257146 50409 0 3 0x4000082 thrsleep syz-execprog
48406 111383 50409 0 3 0x4000082 thrsleep syz-execprog
48406 215343 50409 0 3 0x4000082 thrsleep syz-execprog
48406 196297 50409 0 3 0x4000082 kqread syz-execprog
48406 493538 50409 0 3 0x4000082 thrsleep syz-execprog
50409 495674 12228 0 3 0x10008a pause ksh
12228 175204 87935 0 3 0x92 select sshd
19433 44517 1 0 3 0x100083 ttyin getty
87935 519668 1 0 3 0x80 select sshd
79565 336462 16418 74 3 0x100092 bpf pflogd
16418 102330 1 0 3 0x80 netio pflogd
34991 283288 22364 73 7 0x100010 syslogd
22364 319060 1 0 3 0x100082 netio syslogd
11086 188474 1 77 3 0x100090 poll dhclient
74228 435567 1 0 3 0x80 poll dhclient
90222 347576 0 0 2 0x14200 zerothread
29902 131704 0 0 3 0x14200 aiodoned aiodoned
19849 207893 0 0 3 0x14200 syncer update
25786 170208 0 0 3 0x14200 cleaner cleaner
487 77500 0 0 3 0x14200 reaper reaper
52199 425340 0 0 3 0x14200 pgdaemon pagedaemon
96735 335275 0 0 3 0x14200 bored crynlk
78608 212358 0 0 3 0x14200 bored crypto
34567 132891 0 0 3 0x40014200 acpi0 acpi0
51581 78173 0 0 3 0x40014200 idle1
32728 207327 0 0 3 0x14200 bored softnet
30688 18991 0 0 3 0x14200 bored systqmp
33488 38492 0 0 3 0x14200 bored systq
64273 261849 0 0 2 0x40014200 softclock
91486 447907 0 0 3 0x40014200 idle0
26680 285370 0 0 3 0x14200 bored smr
1 230829 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
Process 15810 (syz-executor0) thread 0xffff800020a89b48 (204287)
exclusive rrwlock inode r = 0 (0xfffffd80697d20a8)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1163
#1 rw_enter+0x46d sys/kern/kern_rwlock.c:306
#2 rrw_enter+0x4f sys/kern/kern_rwlock.c:435
#3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:602
#4 vn_write+0x179 vn_lock sys/kern/vfs_vnops.c:586 [inline]
#4 vn_write+0x179 sys/kern/vfs_vnops.c:404
#5 dofilewritev+0x1ac sys/kern/sys_generic.c:364
#6 sys_write+0x83 sys/kern/sys_generic.c:284
#7 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:92 [inline]
#7 syscall+0x552 sys/arch/amd64/amd64/trap.c:555
#8 Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82627bd0)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1163
#1 __mp_acquire_count+0x51 sys/kern/kern_lock.c:227
#2 mi_switch+0x38f sys/kern/sched_bsd.c:441
#3 sleep_finish+0x113 sys/kern/kern_synch.c:373
#4 rw_enter+0x366 sys/kern/kern_rwlock.c:282
#5 rrw_enter+0x4f sys/kern/kern_rwlock.c:435
#6 VOP_LOCK+0x4b sys/kern/vfs_vops.c:602
#7 vn_write+0x179 vn_lock sys/kern/vfs_vnops.c:586 [inline]
#7 vn_write+0x179 sys/kern/vfs_vnops.c:404
#8 dofilewritev+0x1ac sys/kern/sys_generic.c:364
#9 sys_write+0x83 sys/kern/sys_generic.c:284
#10 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:92 [inline]
#10 syscall+0x552 sys/arch/amd64/amd64/trap.c:555
#11 Xsyscall+0x128
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9469 6388K 6388K 78643K 10556 0 0
pcb 13 8K 8K 78643K 13 0 0
rtable 97 3K 3K 78643K 177 0 0
ifaddr 38 10K 10K 78643K 39 0 0
counters 39 33K 33K 78643K 39 0 0
ioctlops 0 0K 4K 78643K 1469 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1198 75K 75K 78643K 16561 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 1K 78643K 2 0 0
VM map 2 1K 1K 78643K 2 0 0
sem 2 0K 0K 78643K 2 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1808 196K 290K 78643K 12765 0 0
file desc 5 16K 20K 78643K 6989 0 0
proc 52 50K 71K 78643K 374 0 0
subproc 0 0K 1K 78643K 17 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
in_multi 33 2K 2K 78643K 33 0 0
ether_multi 1 0K 0K 78643K 1 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 60 265K 265K 78643K 60 0 0
exec 0 0K 1K 78643K 212 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 86 20K 20K 78643K 21897 0 0
UVM aobj 2 2K 2K 78643K 2 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
NDP 6 0K 0K 78643K 10 0 0
temp 55 3538K 3602K 78643K 17257 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb{0}> show all pools
dino1pl 128 23782 0 22353 47 0 47 47 0
8 0
ffsino 272 23782 0 22353 96 0 96 96 0
8 0
nchpl 144 31012 0 29373 61 0 61 61 0
8 0
uvmvnodes 72 5926 0 0 108 0 108 108 0
8 0
vnodes 200 5926 0 0 312 0 312 312 0
8 0
namei 1024 180399 0 180399 1 0 1 1 0
8 1
percpumem 16 30 0 0 1 0 1 1 0
8 0
scxspl 192 60299 0 60299 8 7 1 7 0
8 1
plimitpl 152 20 0 12 1 0 1 1 0
8 0
sigapl 432 7209 0 7193 2 0 2 2 0
8 0
futexpl 56 56087 0 56085 2 1 1 1 0
8 0
knotepl 112 95 0 78 1 0 1 1 0
8 0
kqueuepl 104 3 0 1 1 0 1 1 0
8 0
pipepl 112 218 0 199 1 0 1 1 0
8 0
fdescpl 488 7210 0 7193 3 0 3 3 0
8 0
filepl 152 119284 0 119209 5 1 4 4 0
8 1
lockfpl 104 6 0 6 1 1 0 1 0
8 0
lockfspl 48 3 0 3 1 1 0 1 0
8 0
sessionpl 112 27 0 16 1 0 1 1 0
8 0
pgrppl 48 27 0 16 1 0 1 1 0
8 0
ucredpl 96 109123 0 109114 1 0 1 1 0
8 0
zombiepl 144 7193 0 7193 1 0 1 1 0
8 1
processpl 896 7225 0 7193 4 0 4 4 0
8 0
procpl 632 21048 0 21002 5 1 4 4 0
8 0
sockpl 384 95 0 77 3 1 2 3 0
8 0
mcl4k 4096 3 0 0 1 0 1 1 0
8 0
mcl2k 2048 89 0 0 11 0 11 11 0
8 0
mtagpl 80 1 0 0 1 0 1 1 0
8 0
mbufpl 256 109 0 0 7 0 7 7 0
8 0
bufpl 256 12980 0 5960 439 0 439 439 0
8 0
anonpl 16 412001 0 409320 18 7 11 13 0
124 0
amapchunkpl 152 35568 0 35474 8 4 4 5 0
158 0
amappl16 192 29051 0 28948 7 1 6 6 0
8 0
amappl14 176 78 0 69 1 0 1 1 0
8 0
amappl13 168 3489 0 3486 2 1 1 1 0
8 0
amappl12 160 18 0 17 2 1 1 1 0
8 0
amappl11 152 59 0 44 1 0 1 1 0
8 0
amappl10 144 3586 0 3582 1 0 1 1 0
8 0
amappl9 136 807 0 803 1 0 1 1 0
8 0
amappl8 128 150 0 139 1 0 1 1 0
8 0
amappl7 120 3531 0 3528 1 0 1 1 0
8 0
amappl6 112 84 0 78 1 0 1 1 0
8 0
amappl5 104 169 0 156 1 0 1 1 0
8 0
amappl4 96 11041 0 11010 3 2 1 2 0
8 0
amappl3 88 231 0 221 1 0 1 1 0
8 0
amappl2 80 56843 0 56766 4 2 2 3 0
8 0
amappl1 72 172088 0 171615 31 21 10 20 0
8 0
amappl 80 21320 0 21282 1 0 1 1 0
84 0
dma4096 4096 1 0 1 1 1 0 1 0
8 0
dma256 256 6 0 6 1 1 0 1 0
8 0
dma64 64 259 0 259 1 1 0 1 0
8 0
dma32 32 7 0 7 1 1 0 1 0
8 0
dma16 16 17 0 17 1 1 0 1 0
8 0
aobjpl 64 1 0 0 1 0 1 1 0
8 0
uaddrrnd 24 7210 0 7193 1 0 1 1 0
8 0
uaddrbest 32 2 0 0 1 0 1 1 0
8 0
uaddr 24 7210 0 7193 1 0 1 1 0
8 0
vmmpekpl 168 51682 0 51657 2 0 2 2 0
8 0
vmmpepl 168 620875 0 619666 88 35 53 79 0
357 0
vmsppl 368 7209 0 7193 2 0 2 2 0
8 0
pdppl 4096 14427 0 14386 7 1 6 6 0
8 0
pvpl 32 1167133 0 1161761 112 68 44 107 0
265 0
pmappl 232 7209 0 7193 2 1 1 2 0
8 0
extentpl 40 41 0 26 1 0 1 1 0
8 0
phpool 112 585 0 4 17 0 17 17 0
8 0


Tested on:

commit: 0d47d92c XXX tmp
git tree: https://github.com/mptre/openbsd-src vn-lock-race
console output: https://syzkaller.appspot.com/x/log.txt?x=15c52482600000

syzbot
Aug 20, 2019, 6:19:01 AM
to an...@basename.se, syzkaller-o...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered a
crash:
witness: userret: returning with the following locks held:

login: witness: userret: returning with the following locks held:
exclusive rrwlock inode r = 0 (0xfffffd8068e442c8)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1163
#1 rw_enter+0x46d sys/kern/kern_rwlock.c:306
#2 rrw_enter+0x4f sys/kern/kern_rwlock.c:435
#3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:602
#4 vn_write+0x179 vn_lock sys/kern/vfs_vnops.c:561 [inline]
#4 vn_write+0x179 sys/kern/vfs_vnops.c:401
#5 dofilewritev+0x1ac sys/kern/sys_generic.c:364
#6 sys_write+0x83 sys/kern/sys_generic.c:284
#7 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:92 [inline]
#7 syscall+0x552 sys/arch/amd64/amd64/trap.c:555
#8 Xsyscall+0x128
panic: witness_warn
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*361881 95730 0 0 0x4000000 0 syz-executor1630
64617 99884 73 0x100010 0 1 syslogd
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
witness_warn(2,0,ffffffff82208f75) at witness_warn+0x69e witness_debugger
sys/kern/subr_witness.c:2509 [inline]
witness_warn(2,0,ffffffff82208f75) at witness_warn+0x69e
sys/kern/subr_witness.c:1454
userret(ffff800020ac0ee0) at userret+0x36a sys/kern/kern_sig.c:1916
syscall(ffff800020b0fea0) at syscall+0x44a mi_syscall_return
sys/sys/syscall_mi.h:115 [inline]
syscall(ffff800020b0fea0) at syscall+0x44a sys/arch/amd64/amd64/trap.c:577
Xsyscall(6,5,7385d7400c8,0,7385d7400a8,7385d7400a0) at Xsyscall+0x128
end of kernel
end trace frame: 0x73b1916d7e0, count: 9
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
witness_warn
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
witness_warn(2,0,ffffffff82208f75) at witness_warn+0x69e witness_debugger
sys/kern/subr_witness.c:2509 [inline]
witness_warn(2,0,ffffffff82208f75) at witness_warn+0x69e
sys/kern/subr_witness.c:1454
userret(ffff800020ac0ee0) at userret+0x36a sys/kern/kern_sig.c:1916
syscall(ffff800020b0fea0) at syscall+0x44a mi_syscall_return
sys/sys/syscall_mi.h:115 [inline]
syscall(ffff800020b0fea0) at syscall+0x44a sys/arch/amd64/amd64/trap.c:577
Xsyscall(6,5,7385d7400c8,0,7385d7400a8,7385d7400a0) at Xsyscall+0x128
end of kernel
end trace frame: 0x73b1916d7e0, count: -6
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff800020b0fbe0
rbx 0xffff800020b0fc90
rdx 0xffff800020ac0ee0
rcx 0
rax 0
r8 0xffffffff81caa3a3 kprintf+0x173
r9 0x1
r10 0x25
r11 0xaa9b922bbb3c0a35
r12 0x3000000008
r13 0xffff800020b0fbf0
r14 0x100
r15 0x1
rip 0xffffffff81107d08 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020b0fbd0
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor1630) pid=361881 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=32, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff800020ac0500,0xffff800020ac18d0
process=0xffff800020addc00 user=0xffff800020b0a000,
vmspace=0xfffffd807f00c730
estcpu=36, cpticks=4, pctcpu=0.0
user=0, sys=4, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
95730 104777 52204 0 3 0x80 nanosleep syz-executor1630
*95730 361881 52204 0 7 0x4000000 syz-executor1630
95730 23037 52204 0 3 0x4000080 fsleep syz-executor1630
95730 328866 52204 0 3 0x4000080 fsleep syz-executor1630
95730 412724 52204 0 3 0x4000080 fsleep syz-executor1630
52204 244989 98263 0 3 0x82 nanosleep syz-executor1630
98263 510871 68997 0 3 0x10008a pause ksh
68997 189461 46979 0 3 0x92 select sshd
34810 402014 1 0 3 0x100083 ttyin getty
46979 410814 1 0 3 0x80 select sshd
14972 446330 65582 74 3 0x100092 bpf pflogd
65582 330995 1 0 3 0x80 netio pflogd
99884 64617 13860 73 7 0x100010 syslogd
13860 143168 1 0 3 0x100082 netio syslogd
85490 294853 1 77 3 0x100090 poll dhclient
5446 514954 1 0 3 0x80 poll dhclient
24924 162349 0 0 3 0x14200 pgzero zerothread
23824 429691 0 0 3 0x14200 aiodoned aiodoned
10399 171745 0 0 3 0x14200 syncer update
68893 53229 0 0 3 0x14200 cleaner cleaner
12233 396633 0 0 3 0x14200 reaper reaper
78238 384022 0 0 3 0x14200 pgdaemon pagedaemon
93060 258741 0 0 3 0x14200 bored crynlk
10011 225937 0 0 3 0x14200 bored crypto
61322 163074 0 0 3 0x40014200 acpi0 acpi0
5974 9420 0 0 3 0x40014200 idle1
71287 93890 0 0 3 0x14200 bored softnet
4402 73184 0 0 3 0x14200 bored systqmp
52161 1598 0 0 3 0x14200 bored systq
87420 346474 0 0 3 0x40014200 bored softclock
89918 397350 0 0 3 0x40014200 idle0
46598 38743 0 0 3 0x14200 bored smr
1 481108 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
Process 95730 (syz-executor1630) thread 0xffff800020ac0ee0 (361881)
exclusive rrwlock inode r = 0 (0xfffffd8068e442c8)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1163
#1 rw_enter+0x46d sys/kern/kern_rwlock.c:306
#2 rrw_enter+0x4f sys/kern/kern_rwlock.c:435
#3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:602
#4 vn_write+0x179 vn_lock sys/kern/vfs_vnops.c:561 [inline]
#4 vn_write+0x179 sys/kern/vfs_vnops.c:401
#5 dofilewritev+0x1ac sys/kern/sys_generic.c:364
#6 sys_write+0x83 sys/kern/sys_generic.c:284
#7 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:92 [inline]
#7 syscall+0x552 sys/arch/amd64/amd64/trap.c:555
#8 Xsyscall+0x128
Process 99884 (syslogd) thread 0xffff800020ac09f0 (64617)
exclusive rrwlock inode r = 0 (0xfffffd806eca5c48)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1163
#1 rw_enter+0x46d sys/kern/kern_rwlock.c:306
#2 rrw_enter+0x4f sys/kern/kern_rwlock.c:435
#3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:602
#4 vn_lock+0x6c sys/kern/vfs_vnops.c:561
#5 sys_fsync+0x114 sys/kern/vfs_syscalls.c:2806
#6 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:92 [inline]
#6 syscall+0x552 sys/arch/amd64/amd64/trap.c:555
#7 Xsyscall+0x128
ddb{0}> show malloc
ddb{0}> show all pools


Tested on:

commit: 19a40f8b XXX tmp
git tree: https://github.com/mptre/openbsd-src vn-lock-race
console output: https://syzkaller.appspot.com/x/log.txt?x=17802cac600000

syzbot

Aug 20, 2019, 10:46:02 AM8/20/19
to an...@basename.se, syzkaller-o...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger a
crash:

Reported-and-tested-by:
syzbot+374d0e...@syzkaller.appspotmail.com

Tested on:

commit: 3340db53 XXX tmp
git tree: https://github.com/mptre/openbsd-src vn-lock-race
Note: testing is done by a robot and is best-effort only.