Hello,
syzbot found the following issue on:
HEAD commit: 33e6d7cf8045 Add kernel support for the vector extension o..
git tree: openbsd
console output:
https://syzkaller.appspot.com/x/log.txt?x=115663ce580000
kernel config:
https://syzkaller.appspot.com/x/.config?x=7058272de1526588
dashboard link:
https://syzkaller.appspot.com/bug?extid=65be7385fa082665e7e8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image:
https://storage.googleapis.com/syzbot-assets/310cd46d6bad/disk-33e6d7cf.raw.xz
bsd.gdb:
https://storage.googleapis.com/syzbot-assets/63423a171225/bsd-33e6d7cf.gdb.xz
kernel image:
https://storage.googleapis.com/syzbot-assets/a1056361ccaf/kernel-33e6d7cf.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by:
syzbot+65be73...@syzkaller.appspotmail.com
witness: lock order reversal:
1st 0xffffffff83967608 pf_lock (pf_lock)
2nd 0xffffffff8389c890 netlock (netlock)
lock order [1] pf_lock (pf_lock) -> [2] netlock (netlock)
#0 rw_do_enter_write+0xba sys/kern/kern_rwlock.c:234
#1 uvn_io+0x54c sys/uvm/uvm_vnode.c:1243
#2 uvn_get+0x31d sys/uvm/uvm_vnode.c:1075
#3 uvm_fault_lower_io+0x2ce sys/uvm/uvm_fault.c:1612
#4 uvm_fault_lower+0x28d sys/uvm/uvm_fault.c:1381
#5 uvm_fault+0x274 sys/uvm/uvm_fault.c:-1
#6 kpageflttrap+0x2f4 sys/arch/amd64/amd64/trap.c:283
#7 kerntrap+0x19d sys/arch/amd64/amd64/trap.c:528
#8 alltraps_kern_meltdown+0x7b
#9 _copyin+0x5b
#10 pfioctl+0x13ff sys/net/pf_ioctl.c:3238
#11 VOP_IOCTL+0xac sys/kern/vfs_vops.c:264
#12 vn_ioctl+0xf8 sys/kern/vfs_vnops.c:537
#13 sys_ioctl+0x674 sys/kern/sys_generic.c:-1
#14 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#14 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783
#15 Xsyscall+0x128
lock order [2] netlock (netlock) -> [1] pf_lock (pf_lock)
#0 rw_do_enter_write+0xba sys/kern/kern_rwlock.c:234
#1 pfi_attach_ifgroup+0x2a sys/net/pf_if.c:357
#2 if_addgroup+0x2f8 if_creategroup sys/net/if.c:3057 [inline]
#2 if_addgroup+0x2f8 sys/net/if.c:3095
#3 if_attachsetup+0xcf sys/net/if.c:512
#4 if_attach+0x6d sys/net/if.c:604
#5 vio_attach+0x17f7 sys/dev/pv/if_vio.c:927
#6 config_attach+0x449 sys/kern/subr_autoconf.c:421
#7 virtio_pci_attach+0x52c sys/dev/pci/virtio_pci.c:675
#8 config_attach+0x449 sys/kern/subr_autoconf.c:421
#9 pci_probe_device+0x8e5 sys/dev/pci/pci.c:574
#10 pci_enumerate_bus+0x368 sys/dev/pci/pci.c:877
#11 config_attach+0x449 sys/kern/subr_autoconf.c:421
#12 acpipci_attach_bus+0x37a sys/arch/amd64/pci/acpipci.c:231
#13 acpipci_attach_busses+0x93 sys/arch/amd64/pci/acpipci.c:239
#14 mainbus_attach+0x304 sys/arch/amd64/amd64/mainbus.c:222
#15 config_attach+0x449 sys/kern/subr_autoconf.c:421
#16 cpu_configure+0x47 sys/arch/amd64/amd64/autoconf.c:124
#17 main+0x4c7 sys/kern/init_main.c:345
Stopped at db_enter+0x25: addq $0x8,%rsp
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
the kernel did not panic
ddb{0}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
witness_checkorder(ffffffff8389c890,9,0) at witness_checkorder+0x10d1 sys/kern/subr_witness.c:-1
rw_do_enter_write(ffffffff8389c878,0) at rw_do_enter_write+0xba sys/kern/kern_rwlock.c:234
uvn_io(fffffd806c6c8ce0,ffff80003c3efee8,1,202,0) at uvn_io+0x54c sys/uvm/uvm_vnode.c:1243
uvn_get(fffffd806c6c8ce0,0,ffff80003c3effb8,ffff80003c3eff9c,0,1,9a98315d9338660,1) at uvn_get+0x31d sys/uvm/uvm_vnode.c:1075
uvm_fault_lower_io(ffff80003c3f01d0,ffff80003c3f0208,ffff80003c3f0050,ffff80003c3f0038) at uvm_fault_lower_io+0x2ce sys/uvm/uvm_fault.c:1612
uvm_fault_lower(ffff80003c3f01d0,ffff80003c3f0208,ffff80003c3f0150) at uvm_fault_lower+0x28d sys/uvm/uvm_fault.c:1381
uvm_fault(fffffd806e878998,200000000000,0,1) at uvm_fault+0x274 sys/uvm/uvm_fault.c:-1
kpageflttrap(ffff80003c3f0380,200000000200) at kpageflttrap+0x2f4 sys/arch/amd64/amd64/trap.c:283
kerntrap(ffff80003c3f0380) at kerntrap+0x19d sys/arch/amd64/amd64/trap.c:528
alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b
_copyin() at _copyin+0x5b
pfioctl(14900,c4504441,ffff800001572000,1,ffff80002a243768) at pfioctl+0x13ff sys/net/pf_ioctl.c:3238
VOP_IOCTL(fffffd8061a572a8,c4504441,ffff800001572000,1,fffffd80097fd4e0,ffff80002a243768) at VOP_IOCTL+0xac sys/kern/vfs_vops.c:264
vn_ioctl(fffffd806c53a540,c4504441,ffff800001572000,ffff80002a243768) at vn_ioctl+0xf8 sys/kern/vfs_vnops.c:537
sys_ioctl(ffff80002a243768,ffff80003c3f0f30,ffff80003c3f0e80) at sys_ioctl+0x674 sys/kern/sys_generic.c:-1
syscall(ffff80003c3f0f30) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c3f0f30) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xc29b7105550, count: -18
ddb{0}> show registers
rdi 0
rsi 0x80000 acpi_pdirpa+0x6be71
rbp 0xffff80003c3efca0
rbx 0
rdx 0xffff8000015efa40
rcx 0xffff80002a243768
rax 0x7ffff acpi_pdirpa+0x6be70
r8 0xffff80003c3efb80
r9 0x8080808080808080
r10 0xfa6dc335fc59b73d
r11 0x1aed33dd75e018e9
r12 0xfffffd800403b2c0
r13 0xfffffd800482b010
r14 0x3
r15 0xffffffff834bc225 substchar+0xc1b7
rip 0xffffffff817fc5f5 db_enter+0x25
cs 0x8
rflags 0x246
rsp 0xffff80003c3efc90
ss 0x10
db_enter+0x25: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor) tid=432163 pid=79076 tcnt=2 stat=onproc
flags process=0 proc=4000000<THREAD>
runpri=50, usrpri=50, slppri=32, nice=20
wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
forw=0xffffffffffffffff, list=0xffff80002a242fa0,0xffff80002a242020
process=0xffff8000fffed358 user=0xffff80003c3eb000, vmspace=0xfffffd806e878998
estcpu=36, cpticks=0, pctcpu=0.0, user=0, sys=0, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
50310 477353 91091 0 2 0 syz-executor
50310 191442 91091 0 3 0x4000080 fsleep syz-executor
37785 386090 6312 0 2 0x1 syz-executor
37785 449815 6312 0 3 0x4000080 fsleep syz-executor
37785 424220 6312 0 3 0x4000080 fsleep syz-executor
32903 327215 12686 0 2 0 syz-executor
32903 332660 12686 0 3 0x4000080 ttyout syz-executor
32903 452503 12686 0 7 0x4000000 syz-executor
79076 232896 30047 0 2 0 syz-executor
*79076 432163 30047 0 7 0x4000000 syz-executor
3388 104549 1 0 3 0x82 nanoslp getty
31306 314836 0 0 3 0x14200 acct acct
6312 307221 5486 0 3 0x82 nanoslp syz-executor
59989 474406 5486 0 2 0x2 syz-executor
73207 385995 5486 0 2 0x2 syz-executor
81077 373614 5486 0 2 0x2 syz-executor
30047 121550 5486 0 3 0x82 nanoslp syz-executor
19788 118943 5486 0 2 0xc82 syz-executor
12686 134082 5486 0 2 0xc82 syz-executor
91091 36263 5486 0 2 0xc82 syz-executor
5486 471470 1 0 3 0x82 kqread syz-executor
80856 166132 0 0 3 0x14200 pause smr
12256 184599 0 0 3 0x14200 pgzero zerothread
80984 137379 0 0 3 0x14200 aiodoned aiodoned
81990 232894 0 0 3 0x14200 syncer update
11380 27663 0 0 3 0x14200 cleaner cleaner
62519 44797 0 0 3 0x14200 reaper reaper
38775 424570 0 0 3 0x14200 pgdaemon pagedaemon
79736 504830 0 0 3 0x14200 bored viomb
8133 393153 0 0 3 0x40014200 acpi0 acpi0
97749 104759 0 0 3 0x40014200 idle1
24388 130961 0 0 3 0x14200 bored softnet1
99702 506647 0 0 3 0x14200 bored softnet0
25731 277744 0 0 3 0x14200 smrbar systqmp
30615 145918 0 0 3 0x14200 bored systq
36622 145124 0 0 2 0x14200 softclockmp
32069 517211 0 0 3 0x40014200 tmoslp softclock
44080 59286 0 0 3 0x40014200 idle0
1 298897 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}>
---
This report is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup