panic: rw_enter: dklk locking against myself

2 views
Skip to first unread message

syzbot

unread,
Sep 8, 2021, 11:26:28 AMSep 8
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 413a7a136984 document that SFP modules work in SFP+ cards...
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=13013051300000
kernel config: https://syzkaller.appspot.com/x/.config?x=fe55924c11e64b0a
dashboard link: https://syzkaller.appspot.com/bug?extid=af49990b75015907fa0e

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+af4999...@syzkaller.appspotmail.com

panic: rw_enter: dklk locking against myself
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*496692 30620 0 0 0x4000000 0 syz-executor.1
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff82474a14) at panic+0x161 sys/kern/subr_prf.c:202
rw_enter(ffff8000006aa058,11) at rw_enter+0x36f sys/kern/kern_rwlock.c:174
vndopen(2902,3,2000,ffff800021674fc0) at vndopen+0x8d sys/dev/vnd.c:185
spec_open(ffff800024717668) at spec_open+0x3c8 sys/kern/spec_vnops.c:157
VOP_OPEN(fffffd8075e9c4c8,3,fffffd807f7d7720,ffff800021674fc0) at VOP_OPEN+0x73 sys/kern/vfs_vops.c:153
vn_open(ffff800024717900,3,0) at vn_open+0x467 sys/kern/vfs_vnops.c:183
vndioctl(2902,c0384600,ffff800024717c20,1,ffff800021674fc0) at vndioctl+0xa07 sys/dev/vnd.c:452
VOP_IOCTL(fffffd8075e9c4c8,c0384600,ffff800024717c20,1,fffffd807f7d7720,ffff800021674fc0) at VOP_IOCTL+0x91 sys/kern/vfs_vops.c:295
vn_ioctl(fffffd806af14540,c0384600,ffff800024717c20,ffff800021674fc0) at vn_ioctl+0xb5 sys/kern/vfs_vnops.c:531
sys_ioctl(ffff800021674fc0,ffff800024717d38,ffff800024717d90) at sys_ioctl+0x49e
syscall(ffff800024717e00) at syscall+0x571 sys/arch/amd64/amd64/trap.c:587
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x70fdd4bc920, count: 2
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
*cpu0: rw_enter: dklk locking against myself
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff82474a14) at panic+0x161 sys/kern/subr_prf.c:202
rw_enter(ffff8000006aa058,11) at rw_enter+0x36f sys/kern/kern_rwlock.c:174
vndopen(2902,3,2000,ffff800021674fc0) at vndopen+0x8d sys/dev/vnd.c:185
spec_open(ffff800024717668) at spec_open+0x3c8 sys/kern/spec_vnops.c:157
VOP_OPEN(fffffd8075e9c4c8,3,fffffd807f7d7720,ffff800021674fc0) at VOP_OPEN+0x73 sys/kern/vfs_vops.c:153
vn_open(ffff800024717900,3,0) at vn_open+0x467 sys/kern/vfs_vnops.c:183
vndioctl(2902,c0384600,ffff800024717c20,1,ffff800021674fc0) at vndioctl+0xa07 sys/dev/vnd.c:452
VOP_IOCTL(fffffd8075e9c4c8,c0384600,ffff800024717c20,1,fffffd807f7d7720,ffff800021674fc0) at VOP_IOCTL+0x91 sys/kern/vfs_vops.c:295
vn_ioctl(fffffd806af14540,c0384600,ffff800024717c20,ffff800021674fc0) at vn_ioctl+0xb5 sys/kern/vfs_vnops.c:531
sys_ioctl(ffff800021674fc0,ffff800024717d38,ffff800024717d90) at sys_ioctl+0x49e
syscall(ffff800024717e00) at syscall+0x571 sys/arch/amd64/amd64/trap.c:587
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x70fdd4bc920, count: -13
ddb> show registers
rdi 0
rsi 0x1
rbp 0xffff800024717430
rbx 0x4
rdx 0x8b
rcx 0x2
rax 0x2d
r8 0xffffffff81b21fc5 kprintf+0x145
r9 0x1
r10 0xe517ec2dc8bbda3b
r11 0xa42f4745caf1d4e
r12 0
r13 0xffff800021674fc4
r14 0
r15 0x1
rip 0xffffffff8102d098 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800024717420
ss 0
db_enter+0x18: addq $0x8,%rsp
ddb> show proc
PROC (syz-executor.1) pid=496692 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=32, usrpri=81, nice=20
forw=0xffffffffffffffff, list=0xffff800021674000,0xffffffff828ac128
process=0xffff8000216533b8 user=0xffff800024712000, vmspace=0xfffffd807f00a000
estcpu=31, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
30620 267524 22237 0 2 0 syz-executor.1
30620 349953 22237 0 2 0x4000000 syz-executor.1
*30620 496692 22237 0 7 0x4000000 syz-executor.1
13494 393419 21970 0 2 0x2 syz-executor.0
22237 67114 21970 0 3 0x82 nanoslp syz-executor.1
21970 398865 18807 0 3 0x82 kqread syz-fuzzer
21970 157150 18807 0 3 0x4000082 thrsleep syz-fuzzer
21970 421838 18807 0 3 0x4000082 thrsleep syz-fuzzer
21970 378457 18807 0 3 0x4000082 thrsleep syz-fuzzer
21970 405843 18807 0 3 0x4000082 thrsleep syz-fuzzer
21970 122317 18807 0 3 0x4000082 thrsleep syz-fuzzer
18807 415738 45193 0 3 0x10008a sigsusp ksh
45193 139547 76718 0 3 0x9a select sshd
72891 116013 1 0 3 0x100083 ttyin getty
76718 384458 1 0 3 0x88 select sshd
49333 448021 81092 73 3 0x100090 kqread syslogd
81092 69875 1 0 3 0x100082 netio syslogd
90581 494319 1 0 3 0x100080 kqread resolvd
68243 62328 52509 77 3 0x100092 kqread dhcpleased
7605 452638 52509 77 3 0x100092 kqread dhcpleased
52509 175039 1 0 3 0x80 kqread dhcpleased
12159 249068 0 0 3 0x14200 bored smr
3369 14558 0 0 2 0x14200 zerothread
62059 217251 0 0 3 0x14200 aiodoned aiodoned
24713 96122 0 0 3 0x14200 syncer update
27316 489013 0 0 3 0x14200 cleaner cleaner
64389 296596 0 0 3 0x14200 reaper reaper
79174 19933 0 0 3 0x14200 pgdaemon pagedaemon
99614 470303 0 0 3 0x14200 bored crynlk
84824 143445 0 0 3 0x14200 bored crypto
62722 458494 0 0 3 0x14200 bored viomb
30061 85269 0 0 3 0x40014200 acpi0 acpi0
15370 270229 0 0 3 0x14200 bored softnet
73653 322876 0 0 3 0x14200 bored systqmp
7744 352484 0 0 3 0x14200 bored systq
51069 454279 0 0 3 0x40014200 bored softclock
31451 409394 0 0 3 0x40014200 idle0
1 402033 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb> show all locks
No such command
ddb> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10103 6355K 6492K 78643K 13075 0
pcb 13 8K 8K 78643K 95 0
rtable 106 3K 3K 78643K 174 0
ifaddr 39 10K 10K 78643K 39 0
counters 21 16K 16K 78643K 21 0
ioctlops 0 0K 2K 78643K 2642 0
iov 0 0K 8K 78643K 1013 0
mount 1 1K 1K 78643K 1 0
log 0 0K 0K 78643K 5 0
vnodes 1219 77K 77K 78643K 1890 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 5K 78643K 63 0
VM map 2 0K 0K 78643K 2 0
sem 12 0K 0K 78643K 110 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12598 0
file desc 5 13K 25K 78643K 15295 0
sigio 0 0K 0K 78643K 139 0
proc 56 54K 71K 78643K 279 0
subproc 32 2K 2K 78643K 34 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
ip_moptions 0 0K 0K 78643K 26 0
in_multi 33 2K 2K 78643K 33 0
ether_multi 1 0K 0K 78643K 1 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 37 175K 175K 78643K 37 0
exec 0 0K 2K 78643K 378 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 7 26K 26K 78643K 7 0
UVM amap 190 24K 24K 78643K 179306 0
UVM aobj 131 4K 4K 78643K 223 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
NDP 5 0K 0K 78643K 9 0
temp 101 4205K 4269K 78643K 33403 0
kqueue 10 14K 14K 78643K 10 0
SYN cache 2 16K 16K 78643K 2 0
ddb> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
rtpcb 120 24 0 21 1 0 1 1 0 8 0
rtentry 112 45 0 1 2 0 2 2 0 8 0
unpcb 120 10583 0 10570 2 1 1 2 0 8 0
syncache 296 4 0 4 1 1 0 1 0 8 0
tcpcb 736 78 0 74 3 2 1 3 0 8 0
arp 88 6 0 0 1 0 1 1 0 8 0
inpcb 304 384 0 377 1 0 1 1 0 8 0
nd6 48 6 0 0 1 0 1 1 0 8 0
kcovpl 48 2 0 0 1 0 1 1 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 188 0 0 12 0 12 12 0 8 0
art_table 32 189 0 0 2 0 2 2 0 8 0
art_node 16 44 0 4 1 0 1 1 0 8 0
semapl 112 108 0 98 1 0 1 1 0 8 0
shmpl 112 220 0 92 4 0 4 4 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 16830 0 15426 88 0 88 88 0 8 0
ffsino 240 16830 0 15426 83 0 83 83 0 8 0
nchpl 144 35057 0 33443 60 0 60 60 0 8 0
uvmvnodes 72 5926 0 0 108 0 108 108 0 8 0
vnodes 224 5926 0 0 349 0 349 349 0 8 0
namei 1024 88628 0 88627 1 0 1 1 0 8 0
scxspl 216 97042 0 97042 14 13 1 8 0 8 1
plimitpl 152 16 0 8 1 0 1 1 0 8 0
sigapl 424 15525 0 15494 4 0 4 4 0 8 0
futexpl 56 83606 0 83606 2 1 1 1 0 8 1
knotepl 112 178 0 140 2 0 2 2 0 8 0
kqueuepl 184 428 0 422 1 0 1 1 0 8 0
pipepl 304 2095 0 2085 9 8 1 2 0 8 0
fdescpl 432 15510 0 15494 3 1 2 3 0 8 0
filepl 120 52776 0 52668 5 1 4 5 0 8 0
lockfpl 104 1847 0 1845 1 0 1 1 0 8 0
lockfspl 48 824 0 822 1 0 1 1 0 8 0
sessionpl 144 17 0 7 1 0 1 1 0 8 0
pgrppl 48 275 0 265 1 0 1 1 0 8 0
ucredpl 96 1398 0 1388 1 0 1 1 0 8 0
zombiepl 144 15494 0 15494 14 13 1 1 0 8 1
processpl 1008 15525 0 15494 11 6 5 5 0 8 0
procpl 672 31206 0 31168 4 0 4 4 0 8 0
sockpl 448 10991 0 10968 26 23 3 5 0 8 0
mcl64k 65536 280 0 280 13 12 1 1 0 8 1
mcl16k 16384 114 0 114 9 8 1 1 0 8 1
mcl12k 12288 299 0 299 25 25 0 1 0 8 0
mcl9k 9216 194 0 194 23 23 0 1 0 8 0
mcl8k 8192 769 0 769 13 12 1 1 0 8 1
mcl4k 4096 957 0 957 35 35 0 1 0 8 0
mcl2k2 2112 105 0 105 7 7 0 1 0 8 0
mcl2k 2048 29471 0 29439 18 12 6 6 0 8 1
mtagpl 96 3 0 3 1 1 0 1 0 8 0
mbufpl 256 126141 0 126028 21 11 10 11 0 8 1
bufpl 280 18757 0 12351 458 0 458 458 0 8 0
anonpl 24 3801092 0 3795138 50 11 39 40 0 188 1
amapchunkpl 152 422966 0 422635 37 23 14 15 0 158 0
amappl16 200 29116 0 28959 9 0 9 9 0 8 0
amappl15 192 1 0 0 1 0 1 1 0 8 0
amappl13 176 28 0 26 1 0 1 1 0 8 0
amappl12 168 7648 0 7644 1 0 1 1 0 8 0
amappl11 160 7679 0 7668 1 0 1 1 0 8 0
amappl10 152 30 0 25 1 0 1 1 0 8 0
amappl9 144 227 0 224 1 0 1 1 0 8 0
amappl8 136 485 0 427 3 0 3 3 0 8 0
amappl7 128 64 0 53 1 0 1 1 0 8 0
amappl6 120 112 0 102 1 0 1 1 0 8 0
amappl5 112 8102 0 8087 1 0 1 1 0 8 0
amappl4 104 15927 0 15903 1 0 1 1 0 8 0
amappl3 96 8220 0 8217 1 0 1 1 0 8 0
amappl2 88 976 0 924 2 0 2 2 0 8 0
amappl1 80 256536 0 256124 12 3 9 12 0 8 0
amappl 88 178975 0 178864 3 0 3 3 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 64 222 0 92 3 0 3 3 0 8 0
uaddrrnd 24 15510 0 15494 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 15510 0 15494 1 0 1 1 0 8 0
vmmpekpl 168 76116 0 76095 2 0 2 2 0 8 0
vmmpepl 168 1686370 0 1684994 100 35 65 65 0 357 3
vmsppl 272 15509 0 15494 3 1 2 2 0 8 1
rwobjpl 24 278241 0 277397 10 4 6 6 0 8 0
pdppl 4096 31027 0 30988 75 34 41 45 0 8 2
pvpl 32 6161737 0 6152475 231 152 79 132 0 265 2
pmappl 192 15509 0 15494 1 0 1 1 0 8 0
extentpl 40 58 0 40 1 0 1 1 0 8 0
phpool 112 407 0 152 8 0 8 8 0 8 0
ddb> machine ddbcpu 0
No such command
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff82474a14) at panic+0x161 sys/kern/subr_prf.c:202
rw_enter(ffff8000006aa058,11) at rw_enter+0x36f sys/kern/kern_rwlock.c:174
vndopen(2902,3,2000,ffff800021674fc0) at vndopen+0x8d sys/dev/vnd.c:185
spec_open(ffff800024717668) at spec_open+0x3c8 sys/kern/spec_vnops.c:157
VOP_OPEN(fffffd8075e9c4c8,3,fffffd807f7d7720,ffff800021674fc0) at VOP_OPEN+0x73 sys/kern/vfs_vops.c:153
vn_open(ffff800024717900,3,0) at vn_open+0x467 sys/kern/vfs_vnops.c:183
vndioctl(2902,c0384600,ffff800024717c20,1,ffff800021674fc0) at vndioctl+0xa07 sys/dev/vnd.c:452
VOP_IOCTL(fffffd8075e9c4c8,c0384600,ffff800024717c20,1,fffffd807f7d7720,ffff800021674fc0) at VOP_IOCTL+0x91 sys/kern/vfs_vops.c:295
vn_ioctl(fffffd806af14540,c0384600,ffff800024717c20,ffff800021674fc0) at vn_ioctl+0xb5 sys/kern/vfs_vnops.c:531
sys_ioctl(ffff800021674fc0,ffff800024717d38,ffff800024717d90) at sys_ioctl+0x49e
syscall(ffff800024717e00) at syscall+0x571 sys/arch/amd64/amd64/trap.c:587
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x70fdd4bc920, count: -13
ddb> machine ddbcpu 1
No such command
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff82474a14) at panic+0x161 sys/kern/subr_prf.c:202
rw_enter(ffff8000006aa058,11) at rw_enter+0x36f sys/kern/kern_rwlock.c:174
vndopen(2902,3,2000,ffff800021674fc0) at vndopen+0x8d sys/dev/vnd.c:185
spec_open(ffff800024717668) at spec_open+0x3c8 sys/kern/spec_vnops.c:157
VOP_OPEN(fffffd8075e9c4c8,3,fffffd807f7d7720,ffff800021674fc0) at VOP_OPEN+0x73 sys/kern/vfs_vops.c:153
vn_open(ffff800024717900,3,0) at vn_open+0x467 sys/kern/vfs_vnops.c:183
vndioctl(2902,c0384600,ffff800024717c20,1,ffff800021674fc0) at vndioctl+0xa07 sys/dev/vnd.c:452
VOP_IOCTL(fffffd8075e9c4c8,c0384600,ffff800024717c20,1,fffffd807f7d7720,ffff800021674fc0) at VOP_IOCTL+0x91 sys/kern/vfs_vops.c:295
vn_ioctl(fffffd806af14540,c0384600,ffff800024717c20,ffff800021674fc0) at vn_ioctl+0xb5 sys/kern/vfs_vnops.c:531
sys_ioctl(ffff800021674fc0,ffff800024717d38,ffff800024717d90) at sys_ioctl+0x49e
syscall(ffff800024717e00) at syscall+0x571 sys/arch/amd64/amd64/trap.c:587
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x70fdd4bc920, count: -13


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

unread,
Sep 8, 2021, 12:07:24 PMSep 8
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 413a7a136984 document that SFP modules work in SFP+ cards...
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=17797c63300000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10907a7d300000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+af4999...@syzkaller.appspotmail.com

login: panic: rw_enter: dklk locking against myself
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*493243 21835 0 0 0x4000000 0 syz-executor.0
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff82474a14) at panic+0x161 sys/kern/subr_prf.c:202
rw_enter(ffff8000006aa058,11) at rw_enter+0x36f sys/kern/kern_rwlock.c:174
vndopen(2902,3,2000,ffff800021668000) at vndopen+0x8d sys/dev/vnd.c:185
spec_open(ffff8000217188a8) at spec_open+0x3c8 sys/kern/spec_vnops.c:157
VOP_OPEN(fffffd806f5ef228,3,fffffd807f7d7960,ffff800021668000) at VOP_OPEN+0x73 sys/kern/vfs_vops.c:153
vn_open(ffff800021718b40,3,0) at vn_open+0x467 sys/kern/vfs_vnops.c:183
vndioctl(2902,c0384600,ffff800021718e60,1,ffff800021668000) at vndioctl+0xa07 sys/dev/vnd.c:452
VOP_IOCTL(fffffd806f5ef228,c0384600,ffff800021718e60,1,fffffd807f7d7960,ffff800021668000) at VOP_IOCTL+0x91 sys/kern/vfs_vops.c:295
vn_ioctl(fffffd806e2b0808,c0384600,ffff800021718e60,ffff800021668000) at vn_ioctl+0xb5 sys/kern/vfs_vnops.c:531
sys_ioctl(ffff800021668000,ffff800021718f78,ffff800021718fd0) at sys_ioctl+0x49e
syscall(ffff800021719040) at syscall+0x571 sys/arch/amd64/amd64/trap.c:587
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x780628e87f0, count: 2
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
*cpu0: rw_enter: dklk locking against myself
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff82474a14) at panic+0x161 sys/kern/subr_prf.c:202
rw_enter(ffff8000006aa058,11) at rw_enter+0x36f sys/kern/kern_rwlock.c:174
vndopen(2902,3,2000,ffff800021668000) at vndopen+0x8d sys/dev/vnd.c:185
spec_open(ffff8000217188a8) at spec_open+0x3c8 sys/kern/spec_vnops.c:157
VOP_OPEN(fffffd806f5ef228,3,fffffd807f7d7960,ffff800021668000) at VOP_OPEN+0x73 sys/kern/vfs_vops.c:153
vn_open(ffff800021718b40,3,0) at vn_open+0x467 sys/kern/vfs_vnops.c:183
vndioctl(2902,c0384600,ffff800021718e60,1,ffff800021668000) at vndioctl+0xa07 sys/dev/vnd.c:452
VOP_IOCTL(fffffd806f5ef228,c0384600,ffff800021718e60,1,fffffd807f7d7960,ffff800021668000) at VOP_IOCTL+0x91 sys/kern/vfs_vops.c:295
vn_ioctl(fffffd806e2b0808,c0384600,ffff800021718e60,ffff800021668000) at vn_ioctl+0xb5 sys/kern/vfs_vnops.c:531
sys_ioctl(ffff800021668000,ffff800021718f78,ffff800021718fd0) at sys_ioctl+0x49e
syscall(ffff800021719040) at syscall+0x571 sys/arch/amd64/amd64/trap.c:587
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x780628e87f0, count: -13
ddb> show registers
rdi 0
rsi 0x1
rbp 0xffff800021718670
rbx 0x4
rdx 0x8b
rcx 0x2
rax 0x2d
r8 0xffffffff81b21fc5 kprintf+0x145
r9 0x1
r10 0x7535f75b593825a4
r11 0xfbe983d51c94759a
r12 0
r13 0xffff800021668004
r14 0
r15 0x1
rip 0xffffffff8102d098 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800021718660
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb> show proc
PROC (syz-executor.0) pid=493243 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=32, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff8000216687e0,0xffffffff828ac128
process=0xffff80002165d3b0 user=0xffff800021714000, vmspace=0xfffffd806b0faab0
estcpu=36, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
21835 366765 21949 0 2 0 syz-executor.0
21835 477806 21949 0 2 0x4000000 syz-executor.0
*21835 493243 21949 0 7 0x4000000 syz-executor.0
77058 143084 65410 0 3 0x82 nanoslp syz-executor.1
21949 121588 65410 0 3 0x82 nanoslp syz-executor.0
65410 283097 2648 0 3 0x82 thrsleep syz-execprog
65410 177458 2648 0 3 0x4000082 thrsleep syz-execprog
65410 111553 2648 0 3 0x4000082 thrsleep syz-execprog
65410 171388 2648 0 3 0x4000082 thrsleep syz-execprog
65410 495283 2648 0 3 0x4000082 thrsleep syz-execprog
65410 265028 2648 0 3 0x4000082 kqread syz-execprog
65410 53445 2648 0 3 0x4000082 thrsleep syz-execprog
2648 129169 28542 0 3 0x10008a sigsusp ksh
28542 257715 26452 0 3 0x9a select sshd
8231 372206 1 0 3 0x100083 ttyin getty
26452 305118 1 0 3 0x88 select sshd
59420 326925 85507 73 3 0x100090 kqread syslogd
85507 255835 1 0 3 0x100082 netio syslogd
86815 479159 1 0 3 0x100080 kqread resolvd
55825 95268 81496 77 3 0x100092 kqread dhcpleased
88654 505855 81496 77 3 0x100092 kqread dhcpleased
81496 218704 1 0 3 0x80 kqread dhcpleased
84481 173603 0 0 3 0x14200 bored smr
61832 26644 0 0 2 0x14200 zerothread
38888 14544 0 0 3 0x14200 aiodoned aiodoned
10717 11585 0 0 3 0x14200 syncer update
42548 228683 0 0 3 0x14200 cleaner cleaner
74682 193812 0 0 3 0x14200 reaper reaper
19082 242325 0 0 3 0x14200 pgdaemon pagedaemon
20349 231244 0 0 3 0x14200 bored crynlk
6676 403161 0 0 3 0x14200 bored crypto
13762 236779 0 0 3 0x14200 bored viomb
95484 97 0 0 3 0x40014200 acpi0 acpi0
71246 479618 0 0 3 0x14200 bored softnet
62112 166436 0 0 3 0x14200 bored systqmp
89021 37812 0 0 3 0x14200 bored systq
38804 341636 0 0 3 0x40014200 bored softclock
40406 104354 0 0 3 0x40014200 idle0
1 52443 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb> show all locks
No such command
ddb> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10099 6346K 6373K 78643K 11189 0
pcb 13 8K 8K 78643K 13 0
rtable 106 3K 3K 78643K 174 0
ifaddr 39 10K 10K 78643K 39 0
counters 21 16K 16K 78643K 21 0
ioctlops 0 0K 2K 78643K 27 0
mount 1 1K 1K 78643K 1 0
log 0 0K 0K 78643K 5 0
vnodes 1182 74K 74K 78643K 1187 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 1K 78643K 2 0
VM map 2 0K 0K 78643K 2 0
sem 2 0K 0K 78643K 2 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12598 0
file desc 5 13K 25K 78643K 7425 0
proc 55 54K 71K 78643K 278 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
in_multi 33 2K 2K 78643K 33 0
ether_multi 1 0K 0K 78643K 1 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 19 95K 95K 78643K 19 0
exec 0 0K 2K 78643K 383 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 7 26K 26K 78643K 7 0
UVM amap 144 21K 22K 78643K 87426 0
UVM aobj 3 2K 2K 78643K 3 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
NDP 5 0K 0K 78643K 9 0
temp 27 4189K 4253K 78643K 16912 0
kqueue 10 14K 14K 78643K 10 0
SYN cache 2 16K 16K 78643K 2 0
ddb> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
rtpcb 120 24 0 21 1 0 1 1 0 8 0
rtentry 112 45 0 1 2 0 2 2 0 8 0
unpcb 120 33 0 20 1 0 1 1 0 8 0
syncache 296 5 0 5 2 2 0 1 0 8 0
tcpcb 736 8 0 5 1 0 1 1 0 8 0
arp 88 6 0 0 1 0 1 1 0 8 0
inpcb 304 33 0 27 1 0 1 1 0 8 0
nd6 48 6 0 0 1 0 1 1 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 188 0 0 12 0 12 12 0 8 0
art_table 32 189 0 0 2 0 2 2 0 8 0
art_node 16 44 0 4 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 16212 0 14806 88 0 88 88 0 8 0
ffsino 240 16212 0 14806 83 0 83 83 0 8 0
nchpl 144 31219 0 29602 60 0 60 60 0 8 0
uvmvnodes 72 5926 0 0 108 0 108 108 0 8 0
vnodes 224 5926 0 0 349 0 349 349 0 8 0
namei 1024 78355 0 78355 2 1 1 1 0 8 1
scxspl 216 78702 0 78702 22 21 1 8 0 8 1
plimitpl 152 17 0 9 1 0 1 1 0 8 0
sigapl 424 7659 0 7628 4 0 4 4 0 8 0
futexpl 56 26703 0 26703 1 0 1 1 0 8 1
knotepl 112 176 0 140 2 0 2 2 0 8 0
kqueuepl 184 6 0 0 1 0 1 1 0 8 0
pipepl 304 83 0 73 2 1 1 1 0 8 0
fdescpl 432 7644 0 7628 3 1 2 3 0 8 0
filepl 120 15897 0 15822 3 0 3 3 0 8 0
lockfpl 104 6 0 4 1 0 1 1 0 8 0
lockfspl 48 4 0 2 1 0 1 1 0 8 0
sessionpl 144 19 0 9 1 0 1 1 0 8 0
pgrppl 48 19 0 9 1 0 1 1 0 8 0
ucredpl 96 64 0 54 1 0 1 1 0 8 0
zombiepl 144 7628 0 7627 2 1 1 1 0 8 0
processpl 1008 7659 0 7627 5 0 5 5 0 8 1
procpl 672 15064 0 15024 4 0 4 4 0 8 0
sockpl 448 90 0 68 3 0 3 3 0 8 0
mcl8k 8192 9 0 9 2 2 0 1 0 8 0
mcl4k 4096 5 0 5 2 2 0 1 0 8 0
mcl2k 2048 5583 0 5545 8 3 5 8 0 8 0
mtagpl 96 3 0 3 1 1 0 1 0 8 0
mbufpl 256 9824 0 9676 11 1 10 10 0 8 0
bufpl 280 10706 0 4300 458 0 458 458 0 8 0
anonpl 24 1774282 0 1769893 35 6 29 29 0 188 1
amapchunkpl 152 205834 0 205519 15 1 14 14 0 158 0
amappl16 200 14990 0 14894 6 0 6 6 0 8 0
amappl14 184 3689 0 3687 1 0 1 1 0 8 0
amappl13 176 3734 0 3732 2 1 1 1 0 8 0
amappl12 168 13 0 11 2 1 1 1 0 8 0
amappl11 160 42 0 32 1 0 1 1 0 8 0
amappl10 152 34 0 30 1 0 1 1 0 8 0
amappl9 144 223 0 219 1 0 1 1 0 8 0
amappl8 136 313 0 293 1 0 1 1 0 8 0
amappl7 128 66 0 55 1 0 1 1 0 8 0
amappl6 120 108 0 100 1 0 1 1 0 8 0
amappl5 112 7570 0 7556 1 0 1 1 0 8 0
amappl4 104 547 0 524 1 0 1 1 0 8 0
amappl3 96 37 0 35 1 0 1 1 0 8 0
amappl2 88 4191 0 4137 3 1 2 2 0 8 0
amappl1 80 124714 0 124298 15 6 9 12 0 8 0
amappl 88 87144 0 87037 3 0 3 3 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 64 2 0 0 1 0 1 1 0 8 0
uaddrrnd 24 7644 0 7628 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 7644 0 7628 1 0 1 1 0 8 0
vmmpekpl 168 42821 0 42806 1 0 1 1 0 8 0
vmmpepl 168 569807 0 568637 65 10 55 60 0 357 0
vmsppl 272 7643 0 7628 3 1 2 2 0 8 0
rwobjpl 24 131501 0 130760 7 2 5 6 0 8 0
pdppl 4096 15295 0 15256 69 28 41 45 0 8 2
pvpl 32 2867468 0 2860036 140 76 64 132 0 265 1
pmappl 192 7643 0 7628 1 0 1 1 0 8 0
extentpl 40 58 0 40 1 0 1 1 0 8 0
phpool 112 291 0 40 8 0 8 8 0 8 0
ddb> machine ddbcpu 0
No such command
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff82474a14) at panic+0x161 sys/kern/subr_prf.c:202
rw_enter(ffff8000006aa058,11) at rw_enter+0x36f sys/kern/kern_rwlock.c:174
vndopen(2902,3,2000,ffff800021668000) at vndopen+0x8d sys/dev/vnd.c:185
spec_open(ffff8000217188a8) at spec_open+0x3c8 sys/kern/spec_vnops.c:157
VOP_OPEN(fffffd806f5ef228,3,fffffd807f7d7960,ffff800021668000) at VOP_OPEN+0x73 sys/kern/vfs_vops.c:153
vn_open(ffff800021718b40,3,0) at vn_open+0x467 sys/kern/vfs_vnops.c:183
vndioctl(2902,c0384600,ffff800021718e60,1,ffff800021668000) at vndioctl+0xa07 sys/dev/vnd.c:452
VOP_IOCTL(fffffd806f5ef228,c0384600,ffff800021718e60,1,fffffd807f7d7960,ffff800021668000) at VOP_IOCTL+0x91 sys/kern/vfs_vops.c:295
vn_ioctl(fffffd806e2b0808,c0384600,ffff800021718e60,ffff800021668000) at vn_ioctl+0xb5 sys/kern/vfs_vnops.c:531
sys_ioctl(ffff800021668000,ffff800021718f78,ffff800021718fd0) at sys_ioctl+0x49e
syscall(ffff800021719040) at syscall+0x571 sys/arch/amd64/amd64/trap.c:587
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x780628e87f0, count: -13
ddb> machine ddbcpu 1
No such command
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff82474a14) at panic+0x161 sys/kern/subr_prf.c:202
rw_enter(ffff8000006aa058,11) at rw_enter+0x36f sys/kern/kern_rwlock.c:174
vndopen(2902,3,2000,ffff800021668000) at vndopen+0x8d sys/dev/vnd.c:185
spec_open(ffff8000217188a8) at spec_open+0x3c8 sys/kern/spec_vnops.c:157
VOP_OPEN(fffffd806f5ef228,3,fffffd807f7d7960,ffff800021668000) at VOP_OPEN+0x73 sys/kern/vfs_vops.c:153
vn_open(ffff800021718b40,3,0) at vn_open+0x467 sys/kern/vfs_vnops.c:183
vndioctl(2902,c0384600,ffff800021718e60,1,ffff800021668000) at vndioctl+0xa07 sys/dev/vnd.c:452
VOP_IOCTL(fffffd806f5ef228,c0384600,ffff800021718e60,1,fffffd807f7d7960,ffff800021668000) at VOP_IOCTL+0x91 sys/kern/vfs_vops.c:295
vn_ioctl(fffffd806e2b0808,c0384600,ffff800021718e60,ffff800021668000) at vn_ioctl+0xb5 sys/kern/vfs_vnops.c:531
sys_ioctl(ffff800021668000,ffff800021718f78,ffff800021718fd0) at sys_ioctl+0x49e
syscall(ffff800021719040) at syscall+0x571 sys/arch/amd64/amd64/trap.c:587
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x780628e87f0, count: -13

syzbot

unread,
Oct 6, 2021, 2:07:28 PMOct 6
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 7699728a8abe sync
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=12093698b00000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=167d2c14b00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17b96567300000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+af4999...@syzkaller.appspotmail.com

login: panic: rw_enter: dklk locking against myself
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*407192 66264 0 0x2 0x4000000 0 syz-executor1941
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff8247f6c9) at panic+0x161 sys/kern/subr_prf.c:202
rw_enter(ffff8000006aa058,11) at rw_enter+0x36f sys/kern/kern_rwlock.c:174
vndopen(2902,3,2000,ffff8000ffff87e8) at vndopen+0x8d sys/dev/vnd.c:185
spec_open(ffff80002169a888) at spec_open+0x3c8 sys/kern/spec_vnops.c:157
VOP_OPEN(fffffd806e3ff848,3,fffffd807f7d8ba0,ffff8000ffff87e8) at VOP_OPEN+0x6c sys/kern/vfs_vops.c:138
vn_open(ffff80002169ab20,3,0) at vn_open+0x467 sys/kern/vfs_vnops.c:183
vndioctl(2902,c0384600,ffff80002169ae40,81,ffff8000ffff87e8) at vndioctl+0xa07 sys/dev/vnd.c:452
VOP_IOCTL(fffffd806e3ff848,c0384600,ffff80002169ae40,81,fffffd807f7d8ba0,ffff8000ffff87e8) at VOP_IOCTL+0x8d sys/kern/vfs_vops.c:264
vn_ioctl(fffffd807320eb48,c0384600,ffff80002169ae40,ffff8000ffff87e8) at vn_ioctl+0xb5 sys/kern/vfs_vnops.c:531
sys_ioctl(ffff8000ffff87e8,ffff80002169af58,ffff80002169afb0) at sys_ioctl+0x49e
syscall(ffff80002169b020) at syscall+0x571 sys/arch/amd64/amd64/trap.c:587
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xd579302b000, count: 2
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
*cpu0: rw_enter: dklk locking against myself
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff8247f6c9) at panic+0x161 sys/kern/subr_prf.c:202
rw_enter(ffff8000006aa058,11) at rw_enter+0x36f sys/kern/kern_rwlock.c:174
vndopen(2902,3,2000,ffff8000ffff87e8) at vndopen+0x8d sys/dev/vnd.c:185
spec_open(ffff80002169a888) at spec_open+0x3c8 sys/kern/spec_vnops.c:157
VOP_OPEN(fffffd806e3ff848,3,fffffd807f7d8ba0,ffff8000ffff87e8) at VOP_OPEN+0x6c sys/kern/vfs_vops.c:138
vn_open(ffff80002169ab20,3,0) at vn_open+0x467 sys/kern/vfs_vnops.c:183
vndioctl(2902,c0384600,ffff80002169ae40,81,ffff8000ffff87e8) at vndioctl+0xa07 sys/dev/vnd.c:452
VOP_IOCTL(fffffd806e3ff848,c0384600,ffff80002169ae40,81,fffffd807f7d8ba0,ffff8000ffff87e8) at VOP_IOCTL+0x8d sys/kern/vfs_vops.c:264
vn_ioctl(fffffd807320eb48,c0384600,ffff80002169ae40,ffff8000ffff87e8) at vn_ioctl+0xb5 sys/kern/vfs_vnops.c:531
sys_ioctl(ffff8000ffff87e8,ffff80002169af58,ffff80002169afb0) at sys_ioctl+0x49e
syscall(ffff80002169b020) at syscall+0x571 sys/arch/amd64/amd64/trap.c:587
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xd579302b000, count: -13
ddb> show registers
rdi 0
rsi 0x1
rbp 0xffff80002169a650
rbx 0x4
rdx 0x8b
rcx 0x2
rax 0x2d
r8 0xffffffff816b3695 kprintf+0x145
r9 0x1
r10 0xfe16f6493c46bd6e
r11 0xc4be0aa87f9f6cd8
r12 0
r13 0xffff8000ffff87ec
r14 0
r15 0x1
rip 0xffffffff81036b58 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff80002169a640
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb> show proc
PROC (syz-executor1941) pid=407192 stat=onproc
flags process=2<EXEC> proc=4000000<THREAD>
pri=32, usrpri=53, nice=20
forw=0xffffffffffffffff, list=0xffff8000ffff8a88,0xffffffff829337f0
process=0xffff8000ffff73c0 user=0xffff800021696000, vmspace=0xfffffd807f00b550
estcpu=3, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
66264 318256 33013 0 2 0x2 syz-executor1941
*66264 407192 33013 0 7 0x4000002 syz-executor1941
33013 518112 67422 0 3 0x10008a sigsusp ksh
67422 396821 27718 0 3 0x9a select sshd
57434 439925 1 0 3 0x100083 ttyin getty
27718 100963 1 0 3 0x88 select sshd
15252 220668 96216 73 3 0x100090 kqread syslogd
96216 75708 1 0 3 0x100082 netio syslogd
93030 97484 1 0 3 0x100080 kqread resolvd
77844 23199 53652 77 3 0x100092 kqread dhcpleased
41901 367874 53652 77 3 0x100092 kqread dhcpleased
53652 368385 1 0 3 0x80 kqread dhcpleased
70662 351610 0 0 3 0x14200 bored smr
18873 340960 0 0 2 0x14200 zerothread
57925 492904 0 0 3 0x14200 aiodoned aiodoned
93501 391128 0 0 3 0x14200 syncer update
7236 440225 0 0 3 0x14200 cleaner cleaner
37910 43541 0 0 3 0x14200 reaper reaper
86593 417391 0 0 3 0x14200 pgdaemon pagedaemon
43909 376950 0 0 3 0x14200 bored crynlk
34151 242648 0 0 3 0x14200 bored crypto
97091 478150 0 0 3 0x14200 bored viomb
93393 418114 0 0 3 0x40014200 acpi0 acpi0
63556 495266 0 0 3 0x14200 bored softnet
23082 73247 0 0 3 0x14200 bored systqmp
30919 153874 0 0 3 0x14200 bored systq
20378 165207 0 0 3 0x40014200 bored softclock
22239 330260 0 0 3 0x40014200 idle0
1 397759 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb> show all locks
No such command
ddb> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10093 6342K 6373K 78643K 11183 0
pcb 13 8K 8K 78643K 13 0
rtable 62 2K 2K 78643K 114 0
ifaddr 24 7K 7K 78643K 24 0
counters 19 16K 16K 78643K 19 0
ioctlops 0 0K 2K 78643K 25 0
mount 1 1K 1K 78643K 1 0
log 0 0K 0K 78643K 4 0
vnodes 1182 74K 74K 78643K 1187 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 1K 78643K 2 0
VM map 2 0K 0K 78643K 2 0
sem 2 0K 0K 78643K 2 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12598 0
file desc 1 0K 0K 78643K 1 0
proc 55 54K 55K 78643K 222 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
in_multi 11 0K 0K 78643K 11 0
ether_multi 1 0K 0K 78643K 1 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 19 95K 95K 78643K 19 0
exec 0 0K 2K 78643K 325 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 7 26K 26K 78643K 7 0
UVM amap 83 3K 5K 78643K 1519 0
UVM aobj 3 2K 2K 78643K 3 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
NDP 3 0K 0K 78643K 3 0
temp 18 4189K 4253K 78643K 1787 0
kqueue 9 12K 12K 78643K 9 0
SYN cache 2 16K 16K 78643K 2 0
ddb> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
rtpcb 120 20 0 17 1 0 1 1 0 8 0
rtentry 112 23 0 1 1 0 1 1 0 8 0
unpcb 120 33 0 20 1 0 1 1 0 8 0
syncache 296 5 0 5 2 1 1 1 0 8 1
tcpcb 736 8 0 5 1 0 1 1 0 8 0
arp 88 2 0 0 1 0 1 1 0 8 0
inpcb 304 25 0 19 1 0 1 1 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 96 0 0 6 0 6 6 0 8 0
art_table 32 97 0 0 1 0 1 1 0 8 0
art_node 16 22 0 2 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 1405 0 22 87 0 87 87 0 8 0
ffsino 240 1405 0 22 82 0 82 82 0 8 0
nchpl 144 1581 0 39 58 0 58 58 0 8 0
uvmvnodes 72 1414 0 0 26 0 26 26 0 8 0
vnodes 224 1414 0 0 84 0 84 84 0 8 0
namei 1024 3913 0 3913 2 1 1 1 0 8 1
scxspl 216 3715 0 3715 10 9 1 8 0 8 1
plimitpl 152 15 0 9 1 0 1 1 0 8 0
sigapl 424 235 0 207 4 0 4 4 0 8 0
futexpl 56 5 0 5 1 0 1 1 0 8 1
knotepl 112 121 0 98 1 0 1 1 0 8 0
kqueuepl 184 5 0 0 1 0 1 1 0 8 0
pipepl 304 65 0 62 2 1 1 1 0 8 0
fdescpl 432 220 0 207 2 0 2 2 0 8 0
filepl 120 969 0 913 2 0 2 2 0 8 0
lockfpl 104 6 0 4 1 0 1 1 0 8 0
lockfspl 48 4 0 2 1 0 1 1 0 8 0
sessionpl 144 17 0 9 1 0 1 1 0 8 0
pgrppl 48 17 0 9 1 0 1 1 0 8 0
ucredpl 96 64 0 54 1 0 1 1 0 8 0
zombiepl 144 207 0 207 2 1 1 1 0 8 1
processpl 1008 235 0 207 4 0 4 4 0 8 0
procpl 672 236 0 207 3 0 3 3 0 8 0
sockpl 448 78 0 56 3 0 3 3 0 8 0
mcl8k 8192 9 0 9 2 1 1 1 0 8 1
mcl4k 4096 5 0 5 2 1 1 1 0 8 1
mcl2k 2048 7966 0 7928 9 2 7 8 0 8 1
mtagpl 96 3 0 3 1 1 0 1 0 8 0
mbufpl 256 13399 0 13322 9 2 7 8 0 8 0
bufpl 280 2117 0 87 145 0 145 145 0 8 0
anonpl 24 32556 0 30241 18 3 15 15 0 188 1
amapchunkpl 152 2894 0 2743 6 0 6 6 0 158 0
amappl16 200 28 0 26 2 1 1 1 0 8 0
amappl15 192 61 0 58 1 0 1 1 0 8 0
amappl13 176 16 0 15 2 1 1 1 0 8 0
amappl12 168 4 0 4 2 1 1 1 0 8 1
amappl11 160 54 0 40 1 0 1 1 0 8 0
amappl9 144 298 0 296 1 0 1 1 0 8 0
amappl8 136 260 0 257 1 0 1 1 0 8 0
amappl7 128 29 0 28 1 0 1 1 0 8 0
amappl6 120 31 0 27 1 0 1 1 0 8 0
amappl5 112 246 0 232 1 0 1 1 0 8 0
amappl4 104 484 0 463 1 0 1 1 0 8 0
amappl3 96 151 0 137 1 0 1 1 0 8 0
amappl2 88 278 0 246 1 0 1 1 0 8 0
amappl1 80 7079 0 6721 12 3 9 9 0 8 1
amappl 88 1290 0 1223 2 0 2 2 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 64 2 0 0 1 0 1 1 0 8 0
uaddrrnd 24 220 0 207 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 220 0 207 1 0 1 1 0 8 0
vmmpekpl 168 5762 0 5750 1 0 1 1 0 8 0
vmmpepl 168 21461 0 20654 42 4 38 38 0 357 2
vmsppl 272 219 0 207 2 1 1 2 0 8 0
rwobjpl 24 6687 0 6163 5 1 4 4 0 8 0
pdppl 4096 446 0 414 52 20 32 38 0 8 0
pvpl 32 105456 0 101402 41 6 35 35 0 265 2
pmappl 192 219 0 207 1 0 1 1 0 8 0
extentpl 40 58 0 40 1 0 1 1 0 8 0
phpool 112 264 0 30 7 0 7 7 0 8 0
ddb> machine ddbcpu 0
No such command
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff8247f6c9) at panic+0x161 sys/kern/subr_prf.c:202
rw_enter(ffff8000006aa058,11) at rw_enter+0x36f sys/kern/kern_rwlock.c:174
vndopen(2902,3,2000,ffff8000ffff87e8) at vndopen+0x8d sys/dev/vnd.c:185
spec_open(ffff80002169a888) at spec_open+0x3c8 sys/kern/spec_vnops.c:157
VOP_OPEN(fffffd806e3ff848,3,fffffd807f7d8ba0,ffff8000ffff87e8) at VOP_OPEN+0x6c sys/kern/vfs_vops.c:138
vn_open(ffff80002169ab20,3,0) at vn_open+0x467 sys/kern/vfs_vnops.c:183
vndioctl(2902,c0384600,ffff80002169ae40,81,ffff8000ffff87e8) at vndioctl+0xa07 sys/dev/vnd.c:452
VOP_IOCTL(fffffd806e3ff848,c0384600,ffff80002169ae40,81,fffffd807f7d8ba0,ffff8000ffff87e8) at VOP_IOCTL+0x8d sys/kern/vfs_vops.c:264
vn_ioctl(fffffd807320eb48,c0384600,ffff80002169ae40,ffff8000ffff87e8) at vn_ioctl+0xb5 sys/kern/vfs_vnops.c:531
sys_ioctl(ffff8000ffff87e8,ffff80002169af58,ffff80002169afb0) at sys_ioctl+0x49e
syscall(ffff80002169b020) at syscall+0x571 sys/arch/amd64/amd64/trap.c:587
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xd579302b000, count: -13
ddb> machine ddbcpu 1
No such command
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff8247f6c9) at panic+0x161 sys/kern/subr_prf.c:202
rw_enter(ffff8000006aa058,11) at rw_enter+0x36f sys/kern/kern_rwlock.c:174
vndopen(2902,3,2000,ffff8000ffff87e8) at vndopen+0x8d sys/dev/vnd.c:185
spec_open(ffff80002169a888) at spec_open+0x3c8 sys/kern/spec_vnops.c:157
VOP_OPEN(fffffd806e3ff848,3,fffffd807f7d8ba0,ffff8000ffff87e8) at VOP_OPEN+0x6c sys/kern/vfs_vops.c:138
vn_open(ffff80002169ab20,3,0) at vn_open+0x467 sys/kern/vfs_vnops.c:183
vndioctl(2902,c0384600,ffff80002169ae40,81,ffff8000ffff87e8) at vndioctl+0xa07 sys/dev/vnd.c:452
VOP_IOCTL(fffffd806e3ff848,c0384600,ffff80002169ae40,81,fffffd807f7d8ba0,ffff8000ffff87e8) at VOP_IOCTL+0x8d sys/kern/vfs_vops.c:264
vn_ioctl(fffffd807320eb48,c0384600,ffff80002169ae40,ffff8000ffff87e8) at vn_ioctl+0xb5 sys/kern/vfs_vnops.c:531
sys_ioctl(ffff8000ffff87e8,ffff80002169af58,ffff80002169afb0) at sys_ioctl+0x49e
syscall(ffff80002169b020) at syscall+0x571 sys/arch/amd64/amd64/trap.c:587
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xd579302b000, count: -13
ddb>

Anton Lindqvist

unread,
Oct 10, 2021, 3:58:56 AMOct 10
to syzbot, syzkaller-o...@googlegroups.com
#syz fix: placing the same vnd underneath a vnd (with VNDIOCSET) is a lock violation, but other circumstances are also bad, so let's block all vnd on top of vnd. While here, fix some toctou multiple-copyin of the path, and restructure the ioctl defer all softc updates to the end. ok mpi
Reply all
Reply to author
Forward
0 new messages