uvm_fault: ufs_dirremove

0 views
Skip to first unread message

syzbot

unread,
May 27, 2026, 1:47:29 PM (4 days ago) May 27
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: ed6146792872 Improve handling of unknown extended communit..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1224d67e580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1bc15e68cd2a49e5
dashboard link: https://syzkaller.appspot.com/bug?extid=69625fd39bb41b94a0d2

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b4072b36278d/disk-ed614679.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/7312fbfa6211/bsd-ed614679.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/561db691a71e/kernel-ed614679.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+69625f...@syzkaller.appspotmail.com

uvm_fault(0xffffffff83a5ce70, 0xffff800027ef2010, 0, 2) -> d
kernel: page fault trap, code=2
Stopped at ufs_dirremove+0x14a: addw %ax,0x4(%rcx)
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*500896 12760 0 0 0x4000000 0 syz-executor
ufs_dirremove(fffffd806c4eaeb0,fffffd8071cc2000,940c,0) at ufs_dirremove+0x14a sys/ufs/ufs/ufs_lookup.c:902
ufs_rename(ffff80002a814c68) at ufs_rename+0x15e5 sys/ufs/ufs/ufs_vnops.c:1049
VOP_RENAME(fffffd806c4eaeb0,fffffd806f0fad08,ffff80002a814e38,fffffd806d9858c0,fffffd806c4ea490,ffff80002a814d88) at VOP_RENAME+0x137 sys/kern/vfs_vops.c:376
dorenameat(ffff80002a767a00,ffffff9c,200000000100,ffffff9c,200000000140) at dorenameat+0x3f7 sys/kern/vfs_syscalls.c:3070
syscall(ffff80002a814fc0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline]
syscall(ffff80002a814fc0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xc2d4fcb5a20, count: 9
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Reply all
Reply to author
Forward
0 new messages