panic: thread NUM p_stat is -NUM


syzbot

4:15 AM (19 hours ago) 4:15 AM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 8a5afb5cdcf9 find: Fix mix of character block size check
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=12f1702e580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1bc15e68cd2a49e5
dashboard link: https://syzkaller.appspot.com/bug?extid=36b7634d3820434a47b7

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a190e0f9b680/disk-8a5afb5c.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/656cc364ac53/bsd-8a5afb5c.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8594a66e2ec2/kernel-8a5afb5c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+36b7634d3820434a47b7@syzkaller.appspotmail.com

panic: thread 0 p_stat is -1
Stopped at db_enter+0x25: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff83509fc9) at panic+0x1cf sys/kern/subr_prf.c:198
wakeup_n(fffffd8067dd2388,ffffffff) at wakeup_n+0x3af
sd_buf_done(fffffd8007ff46c0) at sd_buf_done+0x2de sys/scsi/sd.c:770
vioscsi_vq_done(ffff8000000a2618) at vioscsi_vq_done+0xe1 sys/dev/pv/vioscsi.c:-1
intr_handler(ffff80003c9cccf0,ffff80000029af80) at intr_handler+0xcb sys/arch/amd64/amd64/intr.c:-1
Xintr_ioapic_edge23_untramp() at Xintr_ioapic_edge23_untramp+0x18f
Xspllower() at Xspllower+0x1d
softintr_dispatch(0) at softintr_dispatch+0xe3 sys/kern/kern_softintr.c:-1
dosoftint(0) at dosoftint+0x48 sys/arch/amd64/amd64/intr.c:862
Xsoftclock() at Xsoftclock+0x27
buf_get(0,0,ffd000) at buf_get+0x5de sys/kern/vfs_bio.c:1170
geteblk(ffd000) at geteblk+0x3c sys/kern/vfs_bio.c:-1
writedisklabel(d02,ffffffff8277f790,ffff800000039000) at writedisklabel+0x4b sys/arch/amd64/amd64/disksubr.c:133
end trace frame: 0xffff80003c9cd1c0, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
*cpu0: thread 0 p_stat is -1
ddb> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff83509fc9) at panic+0x1cf sys/kern/subr_prf.c:198
wakeup_n(fffffd8067dd2388,ffffffff) at wakeup_n+0x3af
sd_buf_done(fffffd8007ff46c0) at sd_buf_done+0x2de sys/scsi/sd.c:770
vioscsi_vq_done(ffff8000000a2618) at vioscsi_vq_done+0xe1 sys/dev/pv/vioscsi.c:-1
intr_handler(ffff80003c9cccf0,ffff80000029af80) at intr_handler+0xcb sys/arch/amd64/amd64/intr.c:-1
Xintr_ioapic_edge23_untramp() at Xintr_ioapic_edge23_untramp+0x18f
Xspllower() at Xspllower+0x1d
softintr_dispatch(0) at softintr_dispatch+0xe3 sys/kern/kern_softintr.c:-1
dosoftint(0) at dosoftint+0x48 sys/arch/amd64/amd64/intr.c:862
Xsoftclock() at Xsoftclock+0x27
buf_get(0,0,ffd000) at buf_get+0x5de sys/kern/vfs_bio.c:1170
geteblk(ffd000) at geteblk+0x3c sys/kern/vfs_bio.c:-1
writedisklabel(d02,ffffffff8277f790,ffff800000039000) at writedisklabel+0x4b sys/arch/amd64/amd64/disksubr.c:133
sdioctl(d01,84946467,ffff80000160c000,3,ffff80002a76b770) at sdioctl+0x959 sys/scsi/sd.c:919
VOP_IOCTL(fffffd8068a25a50,84946467,ffff80000160c000,3,fffffd8007ffd000,ffff80002a76b770) at VOP_IOCTL+0xa3 sys/kern/vfs_vops.c:264
vn_ioctl(fffffd806caa7448,84946467,ffff80000160c000,ffff80002a76b770) at vn_ioctl+0xea sys/kern/vfs_vnops.c:537
sys_ioctl(ffff80002a76b770,ffff80003c9cd560,ffff80003c9cd4b0) at sys_ioctl+0x660 sys/kern/sys_generic.c:-1
syscall(ffff80003c9cd560) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline]
syscall(ffff80003c9cd560) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xd2e9a287a10, count: -20
ddb> show registers
rdi 0
rsi 0x1
rbp 0xffff80003c9ccb00
rbx 0xffff80002a778a70
rdx 0
rcx 0
rax 0xffff80002a76b770
r8 0x101010101010101
r9 0x8080808080808080
r10 0xe9cff523b9a6a236
r11 0x6df36c7d4c86f795
r12 0
r13 0xfc
r14 0
r15 0x1
rip 0xffffffff81ada545 db_enter+0x25
cs 0x8
rflags 0x246
rsp 0xffff80003c9ccaf0
ss 0x10
db_enter+0x25: addq $0x8,%rsp
ddb> show proc
kernel: page fault trap, code=0
Faulted in DDB; continuing...
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
86562 340122 0 0 3 0x80 nanoslp syz-executor
86562 9292 0 0 3 0x4000080 fsleep syz-executor
82209 213496 0 0 3 0x80 nanoslp syz-executor
82209 179440 0 0 3 0x4000080 fsleep syz-executor
82209 392306 0 0 3 0x4000080 msgwait syz-executor
60338 457631 0 0 3 0x14280 nfsidl nfsio
48610 158069 0 0 3 0x14280 nfsidl nfsio
7260 3047 0 0 3 0x14280 nfsidl nfsio
70034 2436 0 0 3 0x14280 nfsidl nfsio
6742 281903 0 0 3 0x14280 nfsidl nfsio
64590 498377 0 0 3 0x14280 nfsidl nfsio
ddb> show all locks
No such command
ddb> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 11052 12190K 12430K 166960K 12610 0
pcb 18 14K 15K 166960K 115 0
rtable 208 6K 9K 166960K 444 0
pf 31 13K 20K 166960K 359 0
ifaddr 36 6K 7K 166960K 60 0
ifgroup 46 2K 2K 166960K 80 0
sysctl 4 1K 9K 166960K 11 0
counters 32 17K 18K 166960K 51 0
ioctlops 1 2K 4K 166960K 339 0
iov 0 0K 8K 166960K 12 0
mount 1 1K 1K 166960K 1 0
log 0 0K 0K 166960K 4 0
vnodes 1390 87K 88K 166960K 1924 0
UFS quota 1 32K 32K 166960K 1 0
UFS mount 5 36K 36K 166960K 5 0
shm 2 1K 13K 166960K 16 0
VM map 2 1K 1K 166960K 2 0
sem 12 0K 0K 166960K 84 0
dirhash 12 2K 2K 166960K 15 0
ACPI 1692 195K 286K 166960K 12470 0
file desc 17 61K 89K 166960K 604 0
sigio 0 0K 0K 166960K 4 0
proc 63 67K 108K 166960K 574 0
subproc 72 4K 4K 166960K 72 0
NFS srvsock 1 0K 0K 166960K 1 0
NFS daemon 1 16K 16K 166960K 1 0
ip_moptions 0 0K 0K 166960K 193 0
in_multi 83 6K 7K 166960K 116 0
ether_multi 1 0K 0K 166960K 4 0
mrt 0 0K 0K 166960K 16 0
ISOFS mount 1 32K 32K 166960K 1 0
MSDOSFS mount 1 16K 16K 166960K 1 0
ttys 115 519K 519K 166960K 115 0
exec 0 0K 1K 166960K 486 0
fusefs mount 1 32K 32K 166960K 1 0
tdb 3 0K 0K 166960K 3 0
VM swap 8 62K 64K 166960K 10 0
UVM amap 223 142K 161K 166960K 6907 0
UVM aobj 50 2K 2K 166960K 52 0
pinsyscall 38 76K 94K 166960K 1685 0
memdesc 1 4K 4K 166960K 1 0
crypto data 1 1K 1K 166960K 1 0
ip6_options 0 0K 0K 166960K 22 0
NDP 10 0K 2K 166960K 40 0
temp 53 9110K 9174K 166960K 28378 0
kqueue 13 20K 28K 166960K 103 0
SYN cache 2 16K 16K 166960K 2 0
ddb> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
rtpcb 120 64 0 60 1 0 1 1 0 8 0
rtentry 136 124 0 31 4 0 4 4 0 8 0
unpcb 144 441 0 426 5 1 4 4 0 8 3
syncache 336 3 0 3 1 1 0 1 0 8 0
tcpcb 736 137 0 133 2 1 1 2 0 8 0
arp 96 19 0 5 1 0 1 1 0 8 0
ipq 40 4 0 2 1 0 1 1 0 8 0
ipqe 40 9 0 7 1 0 1 1 0 8 0
inpcb 328 670 0 660 13 6 7 7 0 8 6
ip6q 72 5 0 2 1 0 1 1 0 8 0
ip6af 40 11 0 8 1 0 1 1 0 8 0
nd6 112 28 0 8 1 0 1 1 0 8 0
pkpcb 40 4 0 4 2 1 1 1 0 8 1
kcovpl 48 8 0 0 1 0 1 1 0 8 0
ppxss 1072 16 0 16 2 1 1 1 0 8 1
pppxif 1416 1 0 1 1 1 0 1 0 8 0
pfstscr 40 3 0 2 1 0 1 1 0 8 0
pfrktable 1344 21 0 21 1 1 0 1 0 8 0
pfanchor 1288 12 0 10 2 1 1 1 0 8 0
pfstitem 24 4 0 0 1 0 1 1 0 8 0
pfstkey 128 8 0 4 1 0 1 1 0 8 0
pfstate 384 4 0 2 1 0 1 1 0 8 0
pfrule 1360 87 0 87 2 1 1 1 0 8 1
rttmr 136 2 0 2 1 1 0 1 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 497 0 106 31 1 30 31 0 8 2
art_table 40 498 0 106 5 0 5 5 0 8 0
art_node 32 124 0 39 1 0 1 1 0 8 0
sysvmsgpl 40 7 0 4 1 0 1 1 0 8 0
semapl 64 79 0 69 1 0 1 1 0 8 0
shmpl 112 49 0 2 2 0 2 2 0 8 0
dirhash 1024 19 0 2 3 0 3 3 0 8 0
dirhash: pool(0xffffffff839c6e20:dirhash): free list modified: page 0xffff80002a77a000; item ordinal 0; addr 0xffff80002a77ac00 (p 0xfffffd806e9b4000); offset 0x0=0x0
pool(dirhash): free list modified: page 0xffff80002a77a000; item ordinal 0; addr 0xffff80002a77ac00 (p 0xfffffd806e9b4000); offset 0x0=0x0
dirhash: pool(0xffffffff839c6e20:dirhash): page inconsistency: page 0xffff80002a77a000; item ordinal 1; addr 0x578293f53fa7b614
dino2pl 256 2537 0 1078 92 0 92 92 0 8 0
ffsino 256 2537 0 1078 92 0 92 92 0 8 0
nchpl 144 3391 0 1696 64 0 64 64 0 8 0
rtmask 32 2 0 2 1 1 0 1 0 8 0
vnodes 216 2919 0 0 163 0 163 163 0 8 0
namei 1024 10864 0 10864 3 2 1 2 0 8 1
namei: pool(0xffffffff83999b48:namei): free list modified: page 0xffff80002a748000; item ordinal 0; addr 0xffff80002a748000 (p 0xfffffd806cac0000); offset 0x0=0x0
namei: pool(0xffffffff83999b48:namei): page inconsistency: page 0xffff80002a748000; item ordinal 1; addr 0x43aa8881bc3d11ca
pfiaddrpl 120 7 0 7 1 1 0 1 0 8 0
kstatmem 264 47 0 26 2 0 2 2 0 8 0
scsiplug 72 3 0 3 2 1 1 1 0 8 1
scxspl 216 15210 0 15209 8 7 1 8 1 8 0
plimitpl 152 85 0 67 1 0 1 1 0 8 0
sigapl 424 915 0 852 8 0 8 8 0 8 0
knotepl 120 26495 0 26448 17 8 9 10 0 8 7
kqueuepl 184 168 0 158 1 0 1 1 0 8 0
pipepl 304 246 0 217 6 3 3 6 0 8 0
fdescpl 448 881 0 852 5 1 4 5 0 8 0
filepl 120 5174 0 4955 17 7 10 15 0 8 3
lockfpl 104 217 0 215 1 0 1 1 0 8 0
lockfspl 48 94 0 92 1 0 1 1 0 8 0
sessionpl 144 39 0 31 1 0 1 1 0 8 0
pgrppl 48 51 0 35 1 0 1 1 0 8 0
ucredpl 104 1016 0 1005 1 0 1 1 0 8 0
zombiepl 144 855 0 852 1 0 1 1 0 8 0
processpl 1152 915 0 852 5 0 5 5 0 8 0
processpl: pool(0xffffffff839d5fe8:processpl): page inconsistency: page 0x0; at page head addr 0xffff80002a79ff90 (p 0xffff80002a79c000)
procpl 664 1610 0 1539 7 0 7 7 0 8 0
procpl: pool(0xffffffff839d5e30:procpl): page inconsistency: page 0x0; at page head addr 0xffff80002a6edf90 (p 0xffff80002a6ec000)
procpl: pool(0xffffffff839d5e30:procpl): page inconsistency: page 0xffffffff8246375a; at page head addr 0xffff80002a77df90 (p 0xffff80002a77c000)
sosppl 176 1 0 1 1 0 1 1 0 8 1
sockpl 552 1203 0 1174 12 4 8 8 0 8 5
mcl64k 65536 66 0 66 2 1 1 1 0 8 1
mcl16k 16384 3 0 3 1 1 0 1 0 8 0
mcl12k 12288 2 0 2 1 1 0 1 0 8 0
mcl9k128 9344 1 0 1 1 1 0 1 0 8 0
mcl8k 8192 26 0 26 2 1 1 1 0 8 1
mcl4k 4096 3205 0 3152 15 8 7 15 0 8 0
mcl2k 2048 712 0 710 1 0 1 1 0 8 0
mtagpl 96 6 0 4 1 0 1 1 0 8 0
mbufpl 256 9484 0 9311 15 3 12 15 0 8 0
bufpl 280 6567 0 354 444 0 444 444 0 8 0
anonpl 24 137684 0 134174 68 30 38 68 0 186 4
amapchunkpl 152 23292 0 22810 38 10 28 31 0 158 7
amappl16 200 2515 0 2463 27 21 6 27 0 8 0
amappl15 192 8 0 8 1 1 0 1 0 8 0
amappl14 184 425 0 423 1 0 1 1 0 8 0
amappl13 176 109 0 99 1 0 1 1 0 8 0
amappl12 168 1119 0 1090 2 0 2 2 0 8 0
amappl11 160 4 0 3 1 0 1 1 0 8 0
amappl10 152 57 0 47 1 0 1 1 0 8 0
amappl9 144 271 0 271 1 1 0 1 0 8 0
amappl8 136 122 0 119 1 0 1 1 0 8 0
amappl7 128 167 0 155 1 0 1 1 0 8 0
amappl6 120 147 0 146 1 0 1 1 0 8 0
amappl5 112 160 0 152 1 0 1 1 0 8 0
amappl4 104 258 0 242 1 0 1 1 0 8 0
amappl3 96 4470 0 4358 4 0 4 4 0 8 0
amappl2 88 518 0 464 2 0 2 2 0 8 0
amappl1 80 10935 0 10390 13 1 12 13 0 8 0
amappl 88 6139 0 5978 5 0 5 5 0 92 0
uvmvnodes 80 117 0 0 3 0 3 3 0 8 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma2048 2048 1 0 1 1 0 1 1 0 8 1
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 254 0 254 1 1 0 1 0 8 0
dma64 64 7 0 7 2 1 1 1 0 8 1
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 51 0 2 1 0 1 1 0 8 0
uaddrrnd 24 881 0 852 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 881 0 852 1 0 1 1 0 8 0
vmmpekpl 168 8601 0 8565 2 0 2 2 0 8 0
vmmpepl 168 61362 0 59551 103 19 84 100 0 357 0
vmsppl 368 880 0 852 4 1 3 4 0 8 0
rwobjpl 40 18407 0 17368 15 2 13 15 0 8 0
pdppl 4096 1768 0 1704 94 28 66 78 0 8 2
pvpl 32 380945 0 371893 147 43 104 145 0 265 8
pmappl 216 880 0 852 2 0 2 2 0 8 0
extentpl 40 45 0 27 1 0 1 1 0 8 0
phpool 112 370 0 52 10 0 10 10 0 8 0
ddb> machine ddbcpu 0
No such command
ddb> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff83509fc9) at panic+0x1cf sys/kern/subr_prf.c:198
wakeup_n(fffffd8067dd2388,ffffffff) at wakeup_n+0x3af
sd_buf_done(fffffd8007ff46c0) at sd_buf_done+0x2de sys/scsi/sd.c:770
vioscsi_vq_done(ffff8000000a2618) at vioscsi_vq_done+0xe1 sys/dev/pv/vioscsi.c:-1
intr_handler(ffff80003c9cccf0,ffff80000029af80) at intr_handler+0xcb sys/arch/amd64/amd64/intr.c:-1
Xintr_ioapic_edge23_untramp() at Xintr_ioapic_edge23_untramp+0x18f
Xspllower() at Xspllower+0x1d
softintr_dispatch(0) at softintr_dispatch+0xe3 sys/kern/kern_softintr.c:-1
dosoftint(0) at dosoftint+0x48 sys/arch/amd64/amd64/intr.c:862
Xsoftclock() at Xsoftclock+0x27
buf_get(0,0,ffd000) at buf_get+0x5de sys/kern/vfs_bio.c:1170
geteblk(ffd000) at geteblk+0x3c sys/kern/vfs_bio.c:-1
writedisklabel(d02,ffffffff8277f790,ffff800000039000) at writedisklabel+0x4b sys/arch/amd64/amd64/disksubr.c:133
sdioctl(d01,84946467,ffff80000160c000,3,ffff80002a76b770) at sdioctl+0x959 sys/scsi/sd.c:919
VOP_IOCTL(fffffd8068a25a50,84946467,ffff80000160c000,3,fffffd8007ffd000,ffff80002a76b770) at VOP_IOCTL+0xa3 sys/kern/vfs_vops.c:264
vn_ioctl(fffffd806caa7448,84946467,ffff80000160c000,ffff80002a76b770) at vn_ioctl+0xea sys/kern/vfs_vnops.c:537
sys_ioctl(ffff80002a76b770,ffff80003c9cd560,ffff80003c9cd4b0) at sys_ioctl+0x660 sys/kern/sys_generic.c:-1
syscall(ffff80003c9cd560) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline]
syscall(ffff80003c9cd560) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xd2e9a287a10, count: -20
ddb> machine ddbcpu 1
No such command
ddb> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff83509fc9) at panic+0x1cf sys/kern/subr_prf.c:198
wakeup_n(fffffd8067dd2388,ffffffff) at wakeup_n+0x3af
sd_buf_done(fffffd8007ff46c0) at sd_buf_done+0x2de sys/scsi/sd.c:770
vioscsi_vq_done(ffff8000000a2618) at vioscsi_vq_done+0xe1 sys/dev/pv/vioscsi.c:-1
intr_handler(ffff80003c9cccf0,ffff80000029af80) at intr_handler+0xcb sys/arch/amd64/amd64/intr.c:-1
Xintr_ioapic_edge23_untramp() at Xintr_ioapic_edge23_untramp+0x18f
Xspllower() at Xspllower+0x1d
softintr_dispatch(0) at softintr_dispatch+0xe3 sys/kern/kern_softintr.c:-1
dosoftint(0) at dosoftint+0x48 sys/arch/amd64/amd64/intr.c:862
Xsoftclock() at Xsoftclock+0x27
buf_get(0,0,ffd000) at buf_get+0x5de sys/kern/vfs_bio.c:1170
geteblk(ffd000) at geteblk+0x3c sys/kern/vfs_bio.c:-1
writedisklabel(d02,ffffffff8277f790,ffff800000039000) at writedisklabel+0x4b sys/arch/amd64/amd64/disksubr.c:133
sdioctl(d01,84946467,ffff80000160c000,3,ffff80002a76b770) at sdioctl+0x959 sys/scsi/sd.c:919
VOP_IOCTL(fffffd8068a25a50,84946467,ffff80000160c000,3,fffffd8007ffd000,ffff80002a76b770) at VOP_IOCTL+0xa3 sys/kern/vfs_vops.c:264
vn_ioctl(fffffd806caa7448,84946467,ffff80000160c000,ffff80002a76b770) at vn_ioctl+0xea sys/kern/vfs_vnops.c:537
sys_ioctl(ffff80002a76b770,ffff80003c9cd560,ffff80003c9cd4b0) at sys_ioctl+0x660 sys/kern/sys_generic.c:-1
syscall(ffff80003c9cd560) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline]
syscall(ffff80003c9cd560) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xd2e9a287a10, count: -20


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup