Hello,
syzbot found the following crash on:
HEAD commit: 463b33d1 Sort TOK_USELEASE case into proper alphabetic loc..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=121c4968600000
kernel config: https://syzkaller.appspot.com/x/.config?x=60e2b7157576c8d7
dashboard link: https://syzkaller.appspot.com/bug?extid=2a29c4391377f57ac593
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2a29c4...@syzkaller.appspotmail.com
panic: vput: v_writecount != 0
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:212
vput(fffffd8035d7f2e0) at vput+0x187 sys/kern/vfs_subr.c:759
vn_closefile(fffffd802af10f00,ffff800014fdf160) at vn_closefile+0x15b sys/kern/vfs_vnops.c:589
fdrop(fffffd802af10f00,ffff800014fdf160) at fdrop+0xc9 sys/kern/kern_descrip.c:1269
closef(fffffd802af10f00,ffff800014fdf160) at closef+0x118 sys/kern/kern_descrip.c:1253
fdfree(ffff800014fdf160) at fdfree+0xf7 sys/kern/kern_descrip.c:1185
exit1(ffff800014fdf160,0,1) at exit1+0x32f sys/kern/kern_exit.c:196
sys_exit(ffff800014fdf160,ffff800015a06490,ffff800015a06500) at sys_exit+0x17 sys/kern/kern_exit.c:94
syscall(ffff800015a06560) at syscall+0x508
Xsyscall(0,1,0,1,0,7f7ffffcc384) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffcc350, count: 4
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
vput: v_writecount != 0
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:212
vput(fffffd8035d7f2e0) at vput+0x187 sys/kern/vfs_subr.c:759
vn_closefile(fffffd802af10f00,ffff800014fdf160) at vn_closefile+0x15b sys/kern/vfs_vnops.c:589
fdrop(fffffd802af10f00,ffff800014fdf160) at fdrop+0xc9 sys/kern/kern_descrip.c:1269
closef(fffffd802af10f00,ffff800014fdf160) at closef+0x118 sys/kern/kern_descrip.c:1253
fdfree(ffff800014fdf160) at fdfree+0xf7 sys/kern/kern_descrip.c:1185
exit1(ffff800014fdf160,0,1) at exit1+0x32f sys/kern/kern_exit.c:196
sys_exit(ffff800014fdf160,ffff800015a06490,ffff800015a06500) at sys_exit+0x17 sys/kern/kern_exit.c:94
syscall(ffff800015a06560) at syscall+0x508
Xsyscall(0,1,0,1,0,7f7ffffcc384) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffcc350, count: -11
ddb> show registers
rdi 0
rsi 0x1
rbp 0xffff800015a06180
rbx 0xffff800015a06230
rdx 0x2
rcx 0
rax 0
r8 0xffff800015a06140
r9 0x1
r10 0
r11 0x9434756d3625d550
r12 0x3000000008
r13 0xffff800015a06190
r14 0x100
r15 0x1
rip 0xffffffff8125b5f8 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800015a06170
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb> show proc
PROC (syz-executor.0) pid=326610 stat=onproc
flags process=1008<EXITING,SINGLEEXIT> proc=2000<WEXIT>
pri=32, usrpri=71, nice=20
forw=0xffffffffffffffff, list=0xffff800014fde018,0xffffffff822c3340
process=0xffff8000ffff6a30 user=0xffff800015a01000,
vmspace=0xfffffd803f014cc0
estcpu=21, cpticks=2, pctcpu=0.10
user=0, sys=2, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
90070 406631 1 0 3 0x100083 ttyin getty
66235 272344 0 0 3 0x14200 bored sosplice
18893 387885 44669 0 3 0x82 wait syz-executor.0
50824 263280 44669 0 3 0x82 piperd syz-executor.1
44669 92246 15551 0 3 0x82 kqread syz-fuzzer
44669 348364 15551 0 3 0x4000082 thrsleep syz-fuzzer
44669 64781 15551 0 3 0x4000082 thrsleep syz-fuzzer
44669 469277 15551 0 3 0x4000082 thrsleep syz-fuzzer
44669 236731 15551 0 3 0x4000082 thrsleep syz-fuzzer
44669 297065 15551 0 3 0x4000082 thrsleep syz-fuzzer
44669 512336 15551 0 3 0x4000082 thrsleep syz-fuzzer
15551 54636 79452 0 3 0x10008a pause ksh
79452 481500 9249 0 3 0x92 select sshd
9249 290630 1 0 3 0x80 select sshd
1056 345654 8182 73 2 0x100090 syslogd
8182 47832 1 0 3 0x100082 netio syslogd
93748 147913 1 77 3 0x100090 poll dhclient
44234 466627 1 0 3 0x80 poll dhclient
17617 1158 0 0 2 0x14200 zerothread
97654 91882 0 0 3 0x14200 aiodoned aiodoned
33597 437371 0 0 3 0x14200 syncer update
77223 42740 0 0 3 0x14200 cleaner cleaner
66288 221913 0 0 3 0x14200 reaper reaper
58260 161045 0 0 3 0x14200 pgdaemon pagedaemon
73536 159209 0 0 3 0x14200 bored crynlk
82429 69347 0 0 3 0x14200 bored crypto
68113 30928 0 0 3 0x40014200 acpi0 acpi0
31104 256916 0 0 3 0x14200 bored softnet
25544 86460 0 0 3 0x14200 bored systqmp
12487 196497 0 0 3 0x14200 bored systq
5967 377896 0 0 3 0x40014200 bored softclock
52750 375414 0 0 3 0x40014200 idle0
66373 161625 0 0 3 0x14200 bored smr
1 508272 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb> show all locks
No such command
ddb> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9521 6369K 10781K 78643K 18579 0 0
pcb 13 8K 8K 78643K 244 0 0
rtable 116 4K 4K 78643K 675 0 0
ifaddr 60 14K 15K 78643K 301 0 0
counters 19 16K 16K 78643K 19 0 0
ioctlops 0 0K 2K 78643K 162 0 0
iov 0 0K 28K 78643K 384 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1208 76K 77K 78643K 4035 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 5K 78643K 44 0 0
VM map 2 0K 0K 78643K 2 0 0
sem 12 0K 0K 78643K 271 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1793 195K 288K 78643K 12645 0 0
file desc 5 13K 25K 78643K 3080 0 0
sigio 1 0K 0K 78643K 47 0 0
proc 42 30K 54K 78643K 638 0 0
subproc 32 2K 2K 78643K 36 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
ip_moptions 0 0K 0K 78643K 279 0 0
in_multi 33 2K 2K 78643K 122 0 0
ether_multi 1 0K 0K 78643K 13 0 0
mrt 0 0K 0K 78643K 7 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 84 371K 371K 78643K 84 0 0
exec 0 0K 1K 78643K 432 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 91 20K 36K 78643K 8162 0 0
UVM aobj 130 4K 4K 78643K 145 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
ip6_options 0 0K 1K 78643K 125 0 0
NDP 13 0K 0K 78643K 81 0 0
temp 178 2727K 2855K 78643K 12607 0 0
kqueue 0 0K 0K 78643K 25 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg
Idle
arp 64 6 0 0 1 0 1 1 0
8 0
rtpcb 80 134 0 132 1 0 1 1 0
8 0
rtentry 112 49 0 5 2 0 2 2 0
8 0
unpcb 120 1149 0 1141 1 0 1 1 0
8 0
syncache 264 4 0 4 1 1 0 1 0
8 0
tcpqe 32 386 0 386 1 1 0 1 0
8 0
tcpcb 544 479 0 475 1 0 1 1 0
8 0
inpcb 280 1288 0 1281 2 1 1 2 0
8 0
nd6 48 6 0 0 1 0 1 1 0
8 0
pkpcb 40 12 0 12 5 5 0 1 0
8 0
ppxss 1128 49 0 49 13 13 0 1 0
8 0
art_heap8 4096 1 0 0 1 0 1 1 0
8 0
art_heap4 256 188 0 0 12 0 12 12 0
8 0
art_table 32 189 0 0 2 0 2 2 0
8 0
art_node 16 44 0 4 1 0 1 1 0
8 0
sysvmsgpl 40 19 0 8 1 0 1 1 0
8 0
semapl 112 269 0 259 1 0 1 1 0
8 0
shmpl 112 143 0 15 4 0 4 4 0
8 0
dirhash 1024 17 0 0 3 0 3 3 0
8 0
dino1pl 128 6476 0 5069 46 0 46 46 0
8 0
ffsino 240 6476 0 5069 84 0 84 84 0
8 0
nchpl 144 11014 0 9379 61 0 61 61 0
8 0
uvmvnodes 72 5934 0 0 108 0 108 108 0
8 0
vnodes 200 5934 0 0 313 0 313 313 0
8 0
namei 1024 34557 0 34557 1 0 1 1 0
8 1
scsiplug 64 6 0 6 6 5 1 1 0
8 1
scxspl 192 51958 0 51958 10 9 1 5 0
8 1
plimitpl 152 261 0 254 1 0 1 1 0
8 0
sigapl 432 3256 0 3243 2 0 2 2 0
8 0
futexpl 56 51065 0 51065 1 0 1 1 0
8 1
knotepl 112 684 0 665 1 0 1 1 0
8 0
kqueuepl 104 824 0 822 1 0 1 1 0
8 0
pipepl 112 1868 0 1849 6 5 1 2 0
8 0
fdescpl 424 3257 0 3243 2 0 2 2 0
8 0
filepl 120 19758 0 19662 5 1 4 5 0
8 0
lockfpl 104 1045 0 1045 4 3 1 1 0
8 1
lockfspl 48 355 0 355 4 3 1 1 0
8 1
sessionpl 112 22 0 12 1 0 1 1 0
8 0
pgrppl 48 52 0 42 1 0 1 1 0
8 0
ucredpl 96 4190 0 4183 1 0 1 1 0
8 0
zombiepl 144 3244 0 3243 2 1 1 1 0
8 0
processpl 864 3272 0 3243 4 0 4 4 0
8 0
procpl 632 7320 0 7285 4 0 4 4 0
8 0
sosppl 128 37 0 37 11 11 0 1 0
8 0
sockpl 384 2617 0 2600 4 1 3 3 0
8 1
mcl64k 65536 621 0 621 73 73 0 65 0
8 0
mcl16k 16384 14 0 14 10 10 0 1 0
8 0
mcl12k 12288 53 0 53 10 9 1 1 0
8 1
mcl9k 9216 38 0 38 12 12 0 1 0
8 0
mcl8k 8192 40 0 40 11 10 1 1 0
8 1
mcl4k 4096 149 0 149 4 3 1 1 0
8 1
mcl2k2 2112 18 0 18 7 6 1 1 0
8 1
mcl2k 2048 57690 0 57653 14 8 6 12 0
8 0
mtagpl 80 14 0 5 2 1 1 1 0
8 0
mbufpl 256 105891 0 105807 40 32 8 37 0
8 0
bufpl 256 23321 0 14625 862 0 862 862 0 8
315
anonpl 16 311053 0 295627 162 100 62 64 0
62 0
amapchunkpl 152 14295 0 14166 48 40 8 18 0
158 3
amappl16 192 18187 0 17326 148 104 44 44 0
8 0
amappl15 184 1525 0 1523 1 0 1 1 0
8 0
amappl14 176 53 0 48 1 0 1 1 0
8 0
amappl13 168 9 0 8 1 0 1 1 0
8 0
amappl12 160 13 0 11 1 0 1 1 0
8 0
amappl11 152 1581 0 1569 1 0 1 1 0
8 0
amappl10 144 66 0 66 5 5 0 1 0
8 0
amappl9 136 559 0 556 1 0 1 1 0
8 0
amappl8 128 133 0 115 1 0 1 1 0
8 0
amappl7 120 38 0 34 1 0 1 1 0
8 0
amappl6 112 1576 0 1569 1 0 1 1 0
8 0
amappl5 104 158 0 148 1 0 1 1 0
8 0
amappl4 96 3521 0 3495 1 0 1 1 0
8 0
amappl3 88 256 0 246 1 0 1 1 0
8 0
amappl2 80 26824 0 26759 4 2 2 3 0
8 0
amappl1 72 64563 0 64130 26 17 9 19 0
8 0
amappl 80 7585 0 7544 1 0 1 1 0
84 0
dma4096 4096 1 0 1 1 1 0 1 0
8 0
dma256 256 6 0 6 1 1 0 1 0
8 0
dma64 64 259 0 259 1 1 0 1 0
8 0
dma32 32 7 0 7 1 1 0 1 0
8 0
dma16 16 17 0 17 1 1 0 1 0
8 0
aobjpl 64 144 0 15 3 0 3 3 0
8 0
uaddrrnd 24 3257 0 3243 1 0 1 1 0
8 0
uaddrbest 32 2 0 0 1 0 1 1 0
8 0
uaddr 24 3257 0 3243 1 0 1 1 0
8 0
vmmpekpl 168 21421 0 21397 2 0 2 2 0
8 0
vmmpepl 168 385246 0 383319 180 96 84 91 0
357 0
vmsppl 272 3256 0 3243 2 1 1 2 0
8 0
pdppl 4096 6520 0 6486 6 1 5 6 0
8 0
pvpl 32 856481 0 837493 323 159 164 222 0 265
10
pmappl 200 3256 0 3243 1 0 1 1 0
8 0
extentpl 40 41 0 26 1 0 1 1 0
8 0
phpool 112 1126 0 140 31 2 29 29 0
8 0
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See https://goo.gl/tpsmEJ#status for how to communicate with syzbot.