Hello,
syzbot found the following issue on:
HEAD commit: 80bc9799356e Protect IGMP and MLD6 fast timer with rwlock.
git tree: openbsd
console output:
https://syzkaller.appspot.com/x/log.txt?x=1495ffb4580000
kernel config:
https://syzkaller.appspot.com/x/.config?x=7058272de1526588
dashboard link:
https://syzkaller.appspot.com/bug?extid=610755708e0266e487b2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image:
https://storage.googleapis.com/syzbot-assets/91089fc9acd2/disk-80bc9799.raw.xz
bsd.gdb:
https://storage.googleapis.com/syzbot-assets/d43f4be640bc/bsd-80bc9799.gdb.xz
kernel image:
https://storage.googleapis.com/syzbot-assets/d583b541db80/kernel-80bc9799.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+610755...@syzkaller.appspotmail.com
witness: shared lock of (rwlock) maddr while exclusively locked
panic: excl->share
Stopped at db_enter+0x25: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
288305 73040 0 0x2 0 0 syz-executor
*349296 96838 0 0x14000 0x200 1 softnet0
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff833b5a1c) at panic+0x1e5 sys/kern/subr_prf.c:198
witness_checkorder(ffff800000c31078,1,0) at witness_checkorder+0x122c sys/kern/subr_witness.c:854
rw_do_enter_read(ffff800000c31060,0) at rw_do_enter_read+0x99 sys/kern/kern_rwlock.c:355
in6_hasmulti(fffffd8064e01af0,ffff800000c31000) at in6_hasmulti+0x41 in6_lookupmulti sys/netinet6/in6.c:-1 [inline]
in6_hasmulti(fffffd8064e01af0,ffff800000c31000) at in6_hasmulti+0x41 sys/netinet6/in6.c:1150
ip6_output(fffffd8064e01a00,ffffffff83987338,0,0,ffff80002a210480,0) at ip6_output+0x13bd sys/netinet6/ip6_output.c:507
mld6_sendpkt(ffff80000154e700,84,ffff80002a210518) at mld6_sendpkt+0x385 sys/netinet6/mld6.c:499
mld6_stop_listening(ffff80000154e700,ffff800000c31000) at mld6_stop_listening+0x125 sys/netinet6/mld6.c:168
in6_delmulti(ffff80000154e700) at in6_delmulti+0xb1 sys/netinet6/in6.c:1118
in6_purgeaddr(ffff800001614c00) at in6_purgeaddr+0x1d5 in6_leavegroup sys/netinet6/in6.c:1181 [inline]
in6_purgeaddr(ffff800001614c00) at in6_purgeaddr+0x1d5 sys/netinet6/in6.c:916
nd6_expire(0) at nd6_expire+0x111 sys/netinet6/nd6.c:-1
taskq_thread(ffff80000002c000) at taskq_thread+0x157 sys/kern/kern_task.c:446
end trace frame: 0x0, count: 3
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu1: excl->share
ddb{1}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff833b5a1c) at panic+0x1e5 sys/kern/subr_prf.c:198
witness_checkorder(ffff800000c31078,1,0) at witness_checkorder+0x122c sys/kern/subr_witness.c:854
rw_do_enter_read(ffff800000c31060,0) at rw_do_enter_read+0x99 sys/kern/kern_rwlock.c:355
in6_hasmulti(fffffd8064e01af0,ffff800000c31000) at in6_hasmulti+0x41 in6_lookupmulti sys/netinet6/in6.c:-1 [inline]
in6_hasmulti(fffffd8064e01af0,ffff800000c31000) at in6_hasmulti+0x41 sys/netinet6/in6.c:1150
ip6_output(fffffd8064e01a00,ffffffff83987338,0,0,ffff80002a210480,0) at ip6_output+0x13bd sys/netinet6/ip6_output.c:507
mld6_sendpkt(ffff80000154e700,84,ffff80002a210518) at mld6_sendpkt+0x385 sys/netinet6/mld6.c:499
mld6_stop_listening(ffff80000154e700,ffff800000c31000) at mld6_stop_listening+0x125 sys/netinet6/mld6.c:168
in6_delmulti(ffff80000154e700) at in6_delmulti+0xb1 sys/netinet6/in6.c:1118
in6_purgeaddr(ffff800001614c00) at in6_purgeaddr+0x1d5 in6_leavegroup sys/netinet6/in6.c:1181 [inline]
in6_purgeaddr(ffff800001614c00) at in6_purgeaddr+0x1d5 sys/netinet6/in6.c:916
nd6_expire(0) at nd6_expire+0x111 sys/netinet6/nd6.c:-1
taskq_thread(ffff80000002c000) at taskq_thread+0x157 sys/kern/kern_task.c:446
end trace frame: 0x0, count: -12
ddb{1}> show registers
rdi 0
rsi 0x1
rbp 0xffff80002a2100d0
rbx 0xffff8000299dee07
rdx 0
rcx 0xffff8000ffffe298
rax 0xffff8000299ddff0
r8 0x101010101010101
r9 0x8080808080808080
r10 0x3164f5fb8233b428
r11 0x62e399ec95bd36bd
r12 0xffff8000299dec08
r13 0
r14 0
r15 0x1
rip 0xffffffff817c1d35 db_enter+0x25
cs 0x8
rflags 0x246
rsp 0xffff80002a2100c0
ss 0x10
db_enter+0x25: addq $0x8,%rsp
ddb{1}> show proc
PROC (softnet0) tid=349296 pid=96838 tcnt=1 stat=onproc
flags process=14000<NOZOMBIE,SYSTEM> proc=200<SYSTEM>
runpri=32, usrpri=50, slppri=32, nice=20
wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
forw=0xffffffffffffffff, list=0xffff8000ffffe530,0xffff8000ffffe010
process=0xffff8000ffff8000 user=0xffff80002a20b000, vmspace=0xffffffff838bee00
estcpu=0, cpticks=14, pctcpu=0.1, user=0, sys=0, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
97502 370282 52484 0 2 0 syz-executor
97502 330749 52484 0 2 0x4000000 syz-executor
98966 132725 88774 0 2 0 syz-executor
98966 347775 88774 0 3 0x4000080 fsleep syz-executor
11064 66418 13356 0 2 0 syz-executor
11064 148167 13356 0 3 0x4000080 fsleep syz-executor
98203 312873 46190 0 2 0 syz-executor
98203 134274 46190 0 3 0x4000080 fsleep syz-executor
98203 426634 46190 0 2 0x4000000 syz-executor
28829 199161 9023 0 2 0 syz-executor
28829 105221 9023 0 3 0x4000080 fsleep syz-executor
33888 162273 17076 0 2 0 syz-executor
33888 396099 17076 0 2 0x4000000 syz-executor
69539 353873 58503 0 3 0x3000 suspend syz-executor
69539 356269 58503 0 2 0x4081000 syz-executor
69539 317991 58503 0 3 0x4081000 inode syz-executor
69539 379110 58503 0 3 0x4081000 inode syz-executor
52484 255404 92881 0 2 0xc82 syz-executor
2045 14661 0 0 3 0x14200 acct acct
90255 230138 0 0 3 0x14280 nfsidl nfsio
49549 119018 0 0 3 0x14280 nfsidl nfsio
40092 254536 0 0 3 0x14280 nfsidl nfsio
55083 428941 0 0 3 0x14280 nfsidl nfsio
75604 127508 0 0 3 0x14280 nfsidl nfsio
88232 43767 0 0 3 0x14280 nfsidl nfsio
19713 123936 0 0 3 0x14280 nfsidl nfsio
20335 94694 0 0 3 0x14280 nfsidl nfsio
9627 240984 0 0 3 0x14280 nfsidl nfsio
34727 476340 0 0 3 0x14280 nfsidl nfsio
45833 160482 0 0 3 0x14280 nfsidl nfsio
66537 140883 0 0 3 0x14280 nfsidl nfsio
90730 5723 0 0 3 0x14280 nfsidl nfsio
1778 241688 0 0 3 0x14280 nfsidl nfsio
58604 104856 0 0 3 0x14280 nfsidl nfsio
58365 158385 0 0 3 0x14280 nfsidl nfsio
70727 159903 0 0 3 0x14280 nfsidl nfsio
75252 83450 0 0 3 0x14280 nfsidl nfsio
39268 215502 0 0 3 0x14280 nfsidl nfsio
39922 175264 0 0 3 0x14280 nfsidl nfsio
13356 101328 92881 0 2 0xc82 syz-executor
9023 11106 92881 0 2 0xc82 syz-executor
88774 184617 92881 0 2 0xc82 syz-executor
17076 328689 92881 0 2 0xc82 syz-executor
73040 288305 92881 0 7 0x2 syz-executor
46190 501937 92881 0 2 0xc82 syz-executor
58503 4195 92881 0 2 0x2 syz-executor
92881 218250 46883 0 2 0x2 syz-executor
46883 171983 6161 0 3 0x10008a sigsusp ksh
6161 240842 93387 0 3 0x98 kqread sshd-session
93387 428035 75112 0 3 0x92 kqread sshd-session
24028 90134 1 0 3 0x100083 ttyopn getty
75112 126355 1 0 3 0x88 kqread sshd
70609 127837 99424 74 3 0x1100092 bpf pflogd
99424 307506 1 0 3 0x80 sbwait pflogd
9925 246459 22192 73 3 0x1100090 kqread syslogd
22192 431049 1 0 3 0x100082 sbwait syslogd
37469 153095 1 0 3 0x100080 kqread resolvd
6961 158867 90982 77 3 0x100092 kqread dhcpleased
97554 309750 90982 77 3 0x100092 kqread dhcpleased
90982 111683 1 0 3 0x80 kqread dhcpleased
11989 456837 0 0 3 0x14200 bored smr
45121 422307 0 0 2 0x14200 zerothread
26572 96118 0 0 3 0x14200 aiodoned aiodoned
90128 1801 0 0 2 0x14e00 update
11425 40690 0 0 3 0x14200 cleaner cleaner
30935 466208 0 0 3 0x14200 reaper reaper
42638 49824 0 0 3 0x14200 pgdaemon pagedaemon
78495 55358 0 0 3 0x14200 bored viomb
45508 294912 0 0 3 0x40014200 acpi0 acpi0
87212 82260 0 0 3 0x40014200 idle1
66370 342418 0 0 3 0x14200 bored softnet1
*96838 349296 0 0 7 0x14200 softnet0
94911 178857 0 0 3 0x14200 smrbar systqmp
7469 330958 0 0 3 0x14200 bored systq
37308 247007 0 0 3 0x14200 tmoslp softclockmp
86495 13074 0 0 3 0x40014200 tmoslp softclock
19450 160408 0 0 3 0x40014200 idle0
1 241704 0 0 3 0x80082 wait init
0 0 -1 0 3 0x10010200 scheduler swapper
ddb{1}> show all locks
Process 98203 (syz-executor) thread 0xffff80003c4defc8 (312873)
exclusive rwlock vmmaplk r = 0 (0xfffffd80649e34f8)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2 vm_map_lock_ln+0x12e sys/uvm/uvm_map.c:5165
#3 uvm_map_protect+0xe0 sys/uvm/uvm_map.c:3069
#4 sys_mprotect+0x351 sys/uvm/uvm_mmap.c:590
#5 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#5 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:775
#6 Xsyscall+0x128
Process 69539 (syz-executor) thread 0xffff80003c4de038 (356269)
exclusive rrwlock inode r = 0 (0xfffffd806ef0eb70)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2 rrw_enter+0xc6 sys/kern/kern_rwlock.c:621
#3 VOP_LOCK+0xbd sys/kern/vfs_vops.c:527
#4 vn_lock+0xa4 sys/kern/vfs_vnops.c:570
#5 vn_write+0x18f sys/kern/vfs_vnops.c:405
#6 dofilewritev+0x242 sys/kern/sys_generic.c:380
#7 sys_write+0xa2 sys/kern/sys_generic.c:300
#8 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#8 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:775
#9 Xsyscall+0x128
Process 69539 (syz-executor) thread 0xffff80003c4de2d0 (317991)
exclusive rrwlock inode r = 0 (0xfffffd806bdf78f8)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2 rrw_enter+0xc6 sys/kern/kern_rwlock.c:621
#3 VOP_LOCK+0xbd sys/kern/vfs_vops.c:527
#4 vn_lock+0xa4 sys/kern/vfs_vnops.c:570
#5 vfs_lookup+0x11c sys/kern/vfs_lookup.c:-1
#6 namei+0x7ca sys/kern/vfs_lookup.c:250
#7 domknodat+0xb4 sys/kern/vfs_syscalls.c:1592
#8 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#8 syscall+0xb17 sys/arch/amd64/amd64/trap.c:775
#9 Xsyscall+0x128
Process 73040 (syz-executor) thread 0xffff8000ffffc538 (288305)
exclusive rwlock amaplk r = 0 (0xfffffd806c432d00)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2 uvm_fault_check+0x8a9 sys/uvm/uvm_fault.c:834
#3 uvm_fault+0x106 sys/uvm/uvm_fault.c:627
#4 kpageflttrap+0x2f4 sys/arch/amd64/amd64/trap.c:283
#5 kerntrap+0x19c sys/arch/amd64/amd64/trap.c:520
#6 alltraps_kern_meltdown+0x7b
#7 copyout+0x64
#8 ufs_readdir+0x427 sys/ufs/ufs/ufs_vnops.c:-1
#9 VOP_READDIR+0x125 sys/kern/vfs_vops.c:453
#10 sys_getdents+0x2df sys/kern/vfs_syscalls.c:3183
#11 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#11 syscall+0xb17 sys/arch/amd64/amd64/trap.c:775
#12 Xsyscall+0x128
shared rwlock vmmaplk r = 0 (0xfffffd800b063100)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 rw_do_enter_read+0x3e8 sys/kern/kern_rwlock.c:413
#2 uvmfault_lookup+0x122 sys/uvm/uvm_fault.c:1880
#3 uvm_fault_check+0x4f sys/uvm/uvm_fault.c:693
#4 uvm_fault+0x106 sys/uvm/uvm_fault.c:627
#5 kpageflttrap+0x2f4 sys/arch/amd64/amd64/trap.c:283
#6 kerntrap+0x19c sys/arch/amd64/amd64/trap.c:520
#7 alltraps_kern_meltdown+0x7b
#8 copyout+0x64
#9 ufs_readdir+0x427 sys/ufs/ufs/ufs_vnops.c:-1
#10 VOP_READDIR+0x125 sys/kern/vfs_vops.c:453
#11 sys_getdents+0x2df sys/kern/vfs_syscalls.c:3183
#12 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#12 syscall+0xb17 sys/arch/amd64/amd64/trap.c:775
#13 Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff83970b08)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 __mp_acquire_count+0x58 sys/kern/kern_lock.c:-1
#2 malloc+0xe3 sys/kern/kern_malloc.c:175
#3 ufs_readdir+0x13f sys/ufs/ufs/ufs_vnops.c:1364
#4 VOP_READDIR+0x125 sys/kern/vfs_vops.c:453
#5 sys_getdents+0x2df sys/kern/vfs_syscalls.c:3183
#6 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#6 syscall+0xb17 sys/arch/amd64/amd64/trap.c:775
#7 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd80606d6460)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2 rrw_enter+0xc6 sys/kern/kern_rwlock.c:621
#3 VOP_LOCK+0xbd sys/kern/vfs_vops.c:527
#4 vn_lock+0xa4 sys/kern/vfs_vnops.c:570
#5 sys_getdents+0x254 sys/kern/vfs_syscalls.c:3168
#6 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#6 syscall+0xb17 sys/arch/amd64/amd64/trap.c:775
#7 Xsyscall+0x128
Process 96838 (softnet0) thread 0xffff8000ffffe298 (349296)
exclusive rwlock maddr r = 0 (0xffff800000c31078)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2 in6_delmulti+0x9d sys/netinet6/in6.c:1116
#3 in6_purgeaddr+0x1d5 in6_leavegroup sys/netinet6/in6.c:1181 [inline]
#3 in6_purgeaddr+0x1d5 sys/netinet6/in6.c:916
#4 nd6_expire+0x111 sys/netinet6/nd6.c:-1
#5 taskq_thread+0x157 sys/kern/kern_task.c:446
#6 proc_trampoline+0x10
exclusive rwlock netlock r = 0 (0xffffffff83832e50)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2 nd6_expire+0x2e sys/netinet6/nd6.c:467
#3 taskq_thread+0x157 sys/kern/kern_task.c:446
#4 proc_trampoline+0x10
shared rwlock softnet0 r = 0 (0xffff80000002c078)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 taskq_thread+0x12a sys/kern/kern_task.c:442
#2 proc_trampoline+0x10
Process 94911 (systqmp) thread 0xffff8000ffffe530 (178857)
shared rwlock systqmp r = 0 (0xffffffff837bcb68)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 taskq_thread+0x12a sys/kern/kern_task.c:442
#2 proc_trampoline+0x10
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 11079 12101K 12416K 166960K 13189 0
pcb 18 12K 12K 166960K 123 0
rtable 233 10K 10K 166960K 462 0
pf 39 18K 19K 166960K 99 0
ifaddr 43 7K 7K 166960K 80 0
ifgroup 61 2K 2K 166960K 107 0
sysctl 3 1K 9K 166960K 12 0
counters 76 37K 38K 166960K 148 0
ioctlops 0 0K 4K 166960K 1586 0
iov 0 0K 26K 166960K 77 0
mount 1 1K 1K 166960K 1 0
log 0 0K 0K 166960K 4 0
vnodes 1404 88K 89K 166960K 1983 0
UFS quota 1 32K 32K 166960K 1 0
UFS mount 5 36K 36K 166960K 5 0
shm 2 1K 9K 166960K 8 0
VM map 2 1K 1K 166960K 2 0
sem 12 0K 0K 166960K 31 0
dirhash 12 2K 3K 166960K 33 0
ACPI 1692 195K 286K 166960K 12470 0
file desc 17 61K 93K 166960K 697 0
sigio 0 0K 0K 166960K 13 0
proc 72 115K 180K 166960K 621 0
subproc 72 4K 4K 166960K 81 0
NFS srvsock 1 0K 0K 166960K 1 0
NFS daemon 1 16K 16K 166960K 1 0
ip_moptions 0 0K 0K 166960K 69 0
in_multi 90 6K 7K 166960K 137 0
ether_multi 1 0K 0K 166960K 2 0
mrt 2 0K 0K 166960K 6 0
ISOFS mount 1 32K 32K 166960K 1 0
MSDOSFS mount 1 16K 16K 166960K 1 0
ttys 103 466K 466K 166960K 103 0
exec 0 0K 1K 166960K 468 0
fusefs mount 1 32K 32K 166960K 1 0
pfkey data 0 0K 0K 166960K 2 0
tdb 3 0K 0K 166960K 3 0
VM swap 8 62K 64K 166960K 10 0
UVM amap 233 159K 173K 166960K 8186 0
UVM aobj 10 2K 2K 166960K 10 0
pinsyscall 42 84K 104K 166960K 1852 0
memdesc 1 4K 4K 166960K 1 0
crypto data 1 1K 1K 166960K 1 0
ip6_options 0 0K 0K 166960K 42 0
NDP 14 0K 1K 166960K 54 0
temp 54 8674K 8746K 166960K 35810 0
kqueue 14 22K 28K 166960K 149 0
SYN cache 2 16K 16K 166960K 2 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 26 0 0 1 0 1 1 0 8 0
rtpcb 120 104 0 101 2 1 1 2 0 8 0
rtentry 176 136 0 43 6 0 6 6 0 8 0
unpcb 144 285 0 267 2 1 1 2 0 8 0
syncache 336 4 0 4 2 2 0 1 0 8 0
tcpcb 736 185 0 181 2 1 1 2 0 8 0
arp 136 20 0 6 1 0 1 1 0 8 0
inpcb 328 767 0 759 14 7 7 7 0 8 6
nd6 152 29 0 6 1 0 1 1 0 8 0
pkpcb 40 40 0 40 3 2 1 1 0 8 1
kcovpl 48 9 0 1 1 0 1 1 0 8 0
mppekey 1024 1 0 1 1 1 0 1 0 8 0
ppxss 1192 36 0 34 2 1 1 1 0 8 0
pfstscr 40 1 0 1 1 1 0 1 0 8 0
pffrag 232 5 0 1 1 0 1 1 0 482 0
pffrnode 88 5 0 1 1 0 1 1 0 8 0
pffrent 40 8 0 4 1 0 1 1 0 8 0
pfosfp 40 1428 0 1005 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfstitem 24 54 0 4 1 0 1 1 0 8 0
pfstkey 128 55 0 5 2 0 2 2 0 8 0
pfstate 448 55 0 5 6 0 6 6 0 8 0
pfrule 1344 25 0 20 2 1 1 2 0 8 0
rttmr 136 2 0 1 2 1 1 1 0 8 0
art_heap8 4096 3 0 0 3 0 3 3 0 8 0
art_heap4 256 671 0 208 31 2 29 29 0 8 0
art_table 40 674 0 208 5 0 5 5 0 8 0
art_node 32 135 0 51 1 0 1 1 0 8 0
sysvmsgpl 40 5 0 2 1 0 1 1 0 8 0
semupl 112 4 0 4 1 1 0 1 0 8 0
semapl 112 28 0 18 1 0 1 1 0 8 0
shmpl 112 7 0 0 1 0 1 1 0 8 0
dirhash 1024 31 0 14 3 0 3 3 0 8 0
dino2pl 256 2687 0 1178 96 0 96 96 0 8 0
ffsino 296 2687 0 1178 118 0 118 118 0 8 0
nchpl 144 3626 0 1929 64 0 64 64 0 8 0
rtmask 32 11 0 11 2 2 0 1 0 8 0
vnodes 216 3151 0 0 176 0 176 176 0 8 0
namei 1024 11979 0 11977 3 2 1 2 0 8 0
percpumem 16 89 0 36 1 0 1 1 0 8 0
kstatmem 264 74 0 42 4 1 3 3 0 8 0
scsiplug 72 2 0 2 2 1 1 1 0 8 1
scxspl 216 16647 0 16646 10 9 1 8 1 8 0
plimitpl 152 248 0 230 1 0 1 1 0 8 0
sigapl 424 1026 0 958 8 0 8 8 0 8 0
knotepl 120 625 0 0 19 0 19 19 0 8 0
kqueuepl 224 244 0 234 2 1 1 2 0 8 0
pipepl 344 159 0 132 3 0 3 3 0 8 0
fdescpl 528 988 0 957 3 0 3 3 0 8 0
filepl 160 5625 0 5410 23 10 13 19 0 8 3
lockfpl 104 221 0 219 1 0 1 1 0 8 0
lockfspl 48 93 0 91 1 0 1 1 0 8 0
sessionpl 144 24 0 15 1 0 1 1 0 8 0
pgrppl 48 40 0 23 1 0 1 1 0 8 0
ucredpl 104 812 0 798 1 0 1 1 0 8 0
zombiepl 144 993 0 992 1 0 1 1 0 8 0
processpl 1232 1026 0 958 6 0 6 6 0 8 0
procpl 664 1991 0 1913 8 0 8 8 0 8 0
sosppl 176 5 0 5 3 2 1 1 0 8 1
sockpl 752 1209 0 1180 21 10 11 11 0 8 7
mcl64k 65536 3 0 0 1 0 1 1 0 8 0
mcl16k 16384 2 0 0 1 0 1 1 0 8 0
mcl12k 12288 1 0 0 1 0 1 1 0 8 0
mcl8k 8192 4 0 0 1 0 1 1 0 8 0
mcl4k 4096 126 0 0 16 0 16 16 0 8 0
mcl2k2 2112 1 0 0 1 0 1 1 0 8 0
mcl2k 2048 40 0 0 5 0 5 5 0 8 0
mtagpl 96 16 0 0 1 0 1 1 0 8 0
mbufpl 256 251 0 0 16 0 16 16 0 8 0
bufpl 280 6176 0 131 432 0 432 432 0 8 0
anonpl 32 11584 0 0 94 0 94 94 0 246 0
amapchunkpl 152 26741 0 26275 41 15 26 30 0 158 5
amappl16 200 3640 0 3573 35 23 12 28 0 8 5
amappl15 192 8 0 8 1 1 0 1 0 8 0
amappl14 184 5 0 5 1 1 0 1 0 8 0
amappl13 176 436 0 434 1 0 1 1 0 8 0
amappl12 168 1359 0 1317 3 0 3 3 0 8 0
amappl11 160 32 0 31 1 0 1 1 0 8 0
amappl10 152 49 0 34 1 0 1 1 0 8 0
amappl9 144 244 0 244 1 1 0 1 0 8 0
amappl8 136 26 0 24 1 0 1 1 0 8 0
amappl7 128 87 0 85 1 0 1 1 0 8 0
amappl6 120 308 0 295 1 0 1 1 0 8 0
amappl5 112 81 0 71 1 0 1 1 0 8 0
amappl4 104 419 0 390 1 0 1 1 0 8 0
amappl3 96 4494 0 4405 4 1 3 3 0 8 0
amappl2 88 1104 0 1027 2 0 2 2 0 8 0
amappl1 80 11726 0 11121 17 2 15 15 0 8 0
amappl 88 7342 0 7185 5 0 5 5 0 92 0
uvmvnodes 80 126 0 0 3 0 3 3 0 8 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 7 0 7 2 2 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 7 0 7 2 2 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 19 0 18 1 0 1 1 0 8 0
aobjpl 72 9 0 0 1 0 1 1 0 8 0
uaddrrnd 24 988 0 957 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 988 0 957 1 0 1 1 0 8 0
vmmpekpl 168 9661 0 9619 3 0 3 3 0 8 0
vmmpepl 168 69471 0 67513 109 13 96 108 0 357 1
vmsppl 488 987 0 957 6 1 5 5 0 8 0
rwobjpl 80 21308 0 20210 33 4 29 32 0 8 0
pdppl 4096 1983 0 1914 105 34 71 85 0 8 2
pvpl 32 18807 0 0 152 0 152 152 0 265 0
pmappl 256 987 0 957 3 0 3 3 0 8 0
extentpl 40 45 0 27 1 0 1 1 0 8 0
phpool 112 299 0 45 8 0 8 8 0 8 0
ddb{1}> machine ddbcpu 0
Stopped at x86_ipi_db+0x27: addq $0x8,%rsp
x86_ipi_db(ffffffff83878ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x33 kd_curproc sys/dev/kcov.c:585 [inline]
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x33 sys/dev/kcov.c:153
witness_checkorder(ffffffff83970b08,9,0) at witness_checkorder+0xa7 sys/kern/subr_witness.c:830
__mp_lock(ffffffff83970900) at __mp_lock+0xe1 read_rflags sys/arch/amd64/compile/SYZKALLER/obj/machine/cpufunc.h:212 [inline]
__mp_lock(ffffffff83970900) at __mp_lock+0xe1 intr_disable sys/arch/amd64/compile/SYZKALLER/obj/machine/cpufunc.h:233 [inline]
__mp_lock(ffffffff83970900) at __mp_lock+0xe1 sys/kern/kern_lock.c:168
__mp_acquire_count(ffffffff83970900,1) at __mp_acquire_count+0x58 sys/kern/kern_lock.c:-1
tsleep_nsec(fffffd806f5b7e58,11,ffffffff83461be4,ffffffffffffffff) at tsleep_nsec+0x23d sys/kern/kern_synch.c:-1
biowait(fffffd806f5b7e58) at biowait+0xc6 sys/kern/vfs_bio.c:1242
bwrite(fffffd806f5b7e58) at bwrite+0x2e7 sys/kern/vfs_bio.c:754
ffs_update(fffffd80606d63c0,1) at ffs_update+0x2fe sys/ufs/ffs/ffs_inode.c:111
ffs_truncate(fffffd80606d63c0,0,4,fffffd80097fd340) at ffs_truncate+0xc9b sys/ufs/ffs/ffs_inode.c:-1
ufs_rmdir(ffff80002a344980) at ufs_rmdir+0x2f1 sys/ufs/ufs/ufs_vnops.c:1265
VOP_RMDIR(fffffd806d03eb38,fffffd8064be3530,ffff80002a344a58) at VOP_RMDIR+0x192 sys/kern/vfs_vops.c:413
end trace frame: 0xffff80002a344af0, count: 0
ddb{0}> trace
x86_ipi_db(ffffffff83878ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x33 kd_curproc sys/dev/kcov.c:585 [inline]
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x33 sys/dev/kcov.c:153
witness_checkorder(ffffffff83970b08,9,0) at witness_checkorder+0xa7 sys/kern/subr_witness.c:830
__mp_lock(ffffffff83970900) at __mp_lock+0xe1 read_rflags sys/arch/amd64/compile/SYZKALLER/obj/machine/cpufunc.h:212 [inline]
__mp_lock(ffffffff83970900) at __mp_lock+0xe1 intr_disable sys/arch/amd64/compile/SYZKALLER/obj/machine/cpufunc.h:233 [inline]
__mp_lock(ffffffff83970900) at __mp_lock+0xe1 sys/kern/kern_lock.c:168
__mp_acquire_count(ffffffff83970900,1) at __mp_acquire_count+0x58 sys/kern/kern_lock.c:-1
tsleep_nsec(fffffd806f5b7e58,11,ffffffff83461be4,ffffffffffffffff) at tsleep_nsec+0x23d sys/kern/kern_synch.c:-1
biowait(fffffd806f5b7e58) at biowait+0xc6 sys/kern/vfs_bio.c:1242
bwrite(fffffd806f5b7e58) at bwrite+0x2e7 sys/kern/vfs_bio.c:754
ffs_update(fffffd80606d63c0,1) at ffs_update+0x2fe sys/ufs/ffs/ffs_inode.c:111
ffs_truncate(fffffd80606d63c0,0,4,fffffd80097fd340) at ffs_truncate+0xc9b sys/ufs/ffs/ffs_inode.c:-1
ufs_rmdir(ffff80002a344980) at ufs_rmdir+0x2f1 sys/ufs/ufs/ufs_vnops.c:1265
VOP_RMDIR(fffffd806d03eb38,fffffd8064be3530,ffff80002a344a58) at VOP_RMDIR+0x192 sys/kern/vfs_vops.c:413
dounlinkat(ffff8000ffffc538,ffffff9c,7ab05b95cbf0,8) at dounlinkat+0x2e0 sys/kern/vfs_syscalls.c:1901
syscall(ffff80002a344bd0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80002a344bd0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:775
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7ab05b95cbe0, count: -17
ddb{0}> machine ddbcpu 1
Stopped at db_enter+0x25: addq $0x8,%rsp
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff833b5a1c) at panic+0x1e5 sys/kern/subr_prf.c:198
witness_checkorder(ffff800000c31078,1,0) at witness_checkorder+0x122c sys/kern/subr_witness.c:854
rw_do_enter_read(ffff800000c31060,0) at rw_do_enter_read+0x99 sys/kern/kern_rwlock.c:355
in6_hasmulti(fffffd8064e01af0,ffff800000c31000) at in6_hasmulti+0x41 in6_lookupmulti sys/netinet6/in6.c:-1 [inline]
in6_hasmulti(fffffd8064e01af0,ffff800000c31000) at in6_hasmulti+0x41 sys/netinet6/in6.c:1150
ip6_output(fffffd8064e01a00,ffffffff83987338,0,0,ffff80002a210480,0) at ip6_output+0x13bd sys/netinet6/ip6_output.c:507
mld6_sendpkt(ffff80000154e700,84,ffff80002a210518) at mld6_sendpkt+0x385 sys/netinet6/mld6.c:499
mld6_stop_listening(ffff80000154e700,ffff800000c31000) at mld6_stop_listening+0x125 sys/netinet6/mld6.c:168
in6_delmulti(ffff80000154e700) at in6_delmulti+0xb1 sys/netinet6/in6.c:1118
in6_purgeaddr(ffff800001614c00) at in6_purgeaddr+0x1d5 in6_leavegroup sys/netinet6/in6.c:1181 [inline]
in6_purgeaddr(ffff800001614c00) at in6_purgeaddr+0x1d5 sys/netinet6/in6.c:916
nd6_expire(0) at nd6_expire+0x111 sys/netinet6/nd6.c:-1
taskq_thread(ffff80000002c000) at taskq_thread+0x157 sys/kern/kern_task.c:446
end trace frame: 0x0, count: 3
ddb{1}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff833b5a1c) at panic+0x1e5 sys/kern/subr_prf.c:198
witness_checkorder(ffff800000c31078,1,0) at witness_checkorder+0x122c sys/kern/subr_witness.c:854
rw_do_enter_read(ffff800000c31060,0) at rw_do_enter_read+0x99 sys/kern/kern_rwlock.c:355
in6_hasmulti(fffffd8064e01af0,ffff800000c31000) at in6_hasmulti+0x41 in6_lookupmulti sys/netinet6/in6.c:-1 [inline]
in6_hasmulti(fffffd8064e01af0,ffff800000c31000) at in6_hasmulti+0x41 sys/netinet6/in6.c:1150
ip6_output(fffffd8064e01a00,ffffffff83987338,0,0,ffff80002a210480,0) at ip6_output+0x13bd sys/netinet6/ip6_output.c:507
mld6_sendpkt(ffff80000154e700,84,ffff80002a210518) at mld6_sendpkt+0x385 sys/netinet6/mld6.c:499
mld6_stop_listening(ffff80000154e700,ffff800000c31000) at mld6_stop_listening+0x125 sys/netinet6/mld6.c:168
in6_delmulti(ffff80000154e700) at in6_delmulti+0xb1 sys/netinet6/in6.c:1118
in6_purgeaddr(ffff800001614c00) at in6_purgeaddr+0x1d5 in6_leavegroup sys/netinet6/in6.c:1181 [inline]
in6_purgeaddr(ffff800001614c00) at in6_purgeaddr+0x1d5 sys/netinet6/in6.c:916
nd6_expire(0) at nd6_expire+0x111 sys/netinet6/nd6.c:-1
taskq_thread(ffff80000002c000) at taskq_thread+0x157 sys/kern/kern_task.c:446
end trace frame: 0x0, count: -12
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup