kernel:

syzbot

Apr 29, 2026, 10:10:26 PM (4 hours ago) Apr 29
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 04e2410ca848 Backport fixes from libexpat version 2.8.0.
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=10dccece580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7058272de1526588
dashboard link: https://syzkaller.appspot.com/bug?extid=3373216e81ad55e497a5

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3a3beb6b5658/disk-04e2410c.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/edb7235cfe64/bsd-04e2410c.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/62dfe2c9e4d3/kernel-04e2410c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+337321...@syzkaller.appspotmail.com

EXIkernel:
Stopped at savectx+0xae: movl $0,%gs:0x688
TID PID UID PRFLAGS PFLAGS CPU COMMAND
349972 33723 0 0 0x4000000 0K syz-executor
*267002 3070 0 0x2 0 1 syz-executor
savectx() at savectx+0xae
end of kernel
end trace frame: 0x701b13dbf560, count: 14
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu0: uvm_fault(0xfffffd806c5b35d8, 0x98, 0, 1) -> e
ddb{1}> trace
savectx() at savectx+0xae
end of kernel
end trace frame: 0x701b13dbf560, count: -1
ddb{1}> show registers
rdi 0
rsi 0
rbp 0xffff80002a2a41e0
rbx 0
rdx 0
rcx 0xffff80002a232010
rax 0x34
r8 0xffff80002a2a4110
r9 0xffff80002a2a3f7c
r10 0xa5c05b3c90aa857f
r11 0x288c7b22379a4e25
r12 0
r13 0
r14 0xffff80002a232010
r15 0
rip 0xffffffff81d973ee savectx+0xae
cs 0x8
rflags 0x46
rsp 0xffff80002a2a4160
ss 0x10
savectx+0xae: movl $0,%gs:0x688
ddb{1}> show proc
PROC (syz-executor) tid=267002 pid=3070 tcnt=1 stat=onproc
flags process=2<EXEC> proc=0
runpri=16, usrpri=59, slppri=16, nice=20
wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
forw=0xffffffffffffffff, list=0xffff80002a233a00,0xffff8000ffffc7e0
process=0xffff8000ffff1820 user=0xffff80002a29f000, vmspace=0xfffffd806e830b80
estcpu=9, cpticks=60, pctcpu=0.40, user=1, sys=57, intr=2
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
33723 391237 15051 0 2 0 syz-executor
33723 349972 15051 0 7 0x4000000 syz-executor
95042 234563 94944 0 2 0 syz-executor
95042 220997 94944 0 3 0x4000080 fsleep syz-executor
95042 211491 94944 0 3 0x4000080 kqread syz-executor
80823 137456 50142 0 3 0x80 nanoslp syz-executor
80823 513284 50142 0 3 0x4000080 ttyin syz-executor
80823 365922 50142 0 3 0x4000080 fsleep syz-executor
12456 142861 51050 60929 3 0x90 nanoslp syz-executor
12456 277033 51050 60929 3 0x4000090 lockf syz-executor
12456 229305 51050 60929 3 0x4000090 lockf syz-executor
12456 460703 51050 60929 3 0x4000090 fsleep syz-executor
92668 406096 72295 0 3 0x80 nanoslp syz-executor
92668 123114 72295 0 3 0x4000080 kqsel syz-executor
92668 502602 72295 0 3 0x4000080 fsleep syz-executor
58910 62083 93887 0 3 0x80 nanoslp syz-executor
58910 335303 93887 0 3 0x4000080 bell syz-executor
58910 54148 93887 0 3 0x4000080 fsleep syz-executor
58910 489727 93887 0 3 0x4000080 fsleep syz-executor
71343 421437 58880 0 2 0 syz-executor
71343 74332 58880 0 3 0x4000080 pipewr syz-executor
71343 18923 58880 0 3 0x4000080 fsleep syz-executor
71343 301469 58880 0 3 0x4000080 fsleep syz-executor
65808 360408 1 0 3 0x82 nanoslp getty
66263 147875 69831 0 3 0x100082 sbwait arp
69831 314198 43059 0 3 0x10008a sigsusp sh
50142 181945 3070 0 3 0x82 nanoslp syz-executor
15051 83015 3070 0 3 0x82 nanoslp syz-executor
43059 253419 3070 0 3 0x82 wait syz-executor
72295 345959 3070 0 3 0x82 nanoslp syz-executor
93887 184784 3070 0 3 0x82 nanoslp syz-executor
94944 431640 3070 0 3 0x82 nanoslp syz-executor
51050 422409 3070 0 3 0x82 nanoslp syz-executor
58880 443041 3070 0 3 0x82 nanoslp syz-executor
* 3070 267002 1 0 7 0x2 syz-executor
6778 125315 1 0 3 0x1000008a kqread sshd
2085 495265 67116 74 3 0x1100092 bpf pflogd
67116 186629 1 0 3 0x80 sbwait pflogd
15968 236959 8025 73 3 0x1100090 kqread syslogd
8025 138837 1 0 3 0x100082 sbwait syslogd
90498 428246 1 0 3 0x100080 kqread resolvd
66617 168565 26619 77 3 0x100092 kqread dhcpleased
11379 324614 26619 77 3 0x100092 kqread dhcpleased
26619 417900 1 0 3 0x80 kqread dhcpleased
17750 176648 0 0 3 0x14200 bored smr
91522 131492 0 0 2 0x14200 zerothread
95320 346990 0 0 3 0x14200 aiodoned aiodoned
34179 337416 0 0 3 0x14200 syncer update
29080 252692 0 0 3 0x14200 cleaner cleaner
79531 4673 0 0 3 0x14200 reaper reaper
78008 76137 0 0 3 0x14200 pgdaemon pagedaemon
61455 331517 0 0 3 0x14200 bored viomb
93368 379368 0 0 3 0x40014200 acpi0 acpi0
70342 351364 0 0 3 0x40014200 idle1
96980 465166 0 0 3 0x14200 bored softnet1
92576 81008 0 0 3 0x14200 bored softnet0
29673 89051 0 0 3 0x14200 bored systqmp
78044 251998 0 0 3 0x14200 bored systq
14272 199544 0 0 3 0x14200 tmoslp softclockmp
73560 122145 0 0 3 0x40014200 tmoslp softclock
19442 388892 0 0 3 0x40014200 idle0
1 172997 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
CPU 1:
exclusive mutex &kq->kq_lock r = 0 (0xfffffd8078342010)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 mtx_enter+0x4b4 sys/kern/kern_lock.c:487
#2 kqueue_register+0x1000 sys/kern/kern_event.c:1545
#3 pselregister+0x135 sys/kern/sys_generic.c:764
#4 dopselect+0x456 sys/kern/sys_generic.c:657
#5 sys_pselect+0x25a sys/kern/sys_generic.c:593
#6 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#6 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783
#7 Xsyscall+0x128
Process 33723 (syz-executor) thread 0xffff800035bb2020 (349972)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff83a6a700)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 syscall+0xaf4 mi_syscall sys/sys/syscall_mi.h:175 [inline]
#1 syscall+0xaf4 sys/arch/amd64/amd64/trap.c:783
#2 Xsyscall+0x128
ddb{1}>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup