assert "uvn->u_obj.uo_refs == NUM" failed in uvm_vnode.c


syzbot

Jun 29, 2022, 10:14:26 AM6/29/22
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: acb1415e3c0a Import ts(1) - a timestamp utility
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=174b21d4080000
kernel config: https://syzkaller.appspot.com/x/.config?x=7058272de1526588
dashboard link: https://syzkaller.appspot.com/bug?extid=dd2d2684ad2818c927da

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+dd2d26...@syzkaller.appspotmail.com

panic: kernel diagnostic assertion "uvn->u_obj.uo_refs == 0" failed: file "/syzkaller/managers/setuid/kernel/sys/uvm/uvm_vnode.c", line 234
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*139245 96814 32767 0x10 0x4000000 0K syz-executor.2
464124 76843 0 0x14000 0x200 1 reaper
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff825a1086) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff82613da6,ffffffff826356be,ea,ffffffff8262dfae) at __assert+0x25 sys/kern/subr_prf.c:161
uvn_attach(fffffd8074388e88,6) at uvn_attach+0x444 sys/uvm/uvm_vnode.c:234
uvm_mmapfile(fffffd806cefc5d8,ffff8000247ba3f8,10000,2,6,11,eb0e58e6c976dfb4,fffffd806cefc5d8,0,11) at uvm_mmapfile+0x194 sys/uvm/uvm_mmap.c:1029
sys_mmap(ffff800029a51a50,ffff8000247ba4a0,ffff8000247ba580) at sys_mmap+0xb4a sys/uvm/uvm_mmap.c:395
sys_pad_mmap(ffff800029a51a50,ffff8000247ba528,ffff8000247ba580) at sys_pad_mmap+0x68 sys/uvm/uvm_mmap.c:470
syscall(ffff8000247ba5f0) at syscall+0x484 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff8000247ba5f0) at syscall+0x484 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xd7f34119360, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
*cpu0: kernel diagnostic assertion "uvn->u_obj.uo_refs == 0" failed: file "/syzkaller/managers/setuid/kernel/sys/uvm/uvm_vnode.c", line 234
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff825a1086) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff82613da6,ffffffff826356be,ea,ffffffff8262dfae) at __assert+0x25 sys/kern/subr_prf.c:161
uvn_attach(fffffd8074388e88,6) at uvn_attach+0x444 sys/uvm/uvm_vnode.c:234
uvm_mmapfile(fffffd806cefc5d8,ffff8000247ba3f8,10000,2,6,11,eb0e58e6c976dfb4,fffffd806cefc5d8,0,11) at uvm_mmapfile+0x194 sys/uvm/uvm_mmap.c:1029
sys_mmap(ffff800029a51a50,ffff8000247ba4a0,ffff8000247ba580) at sys_mmap+0xb4a sys/uvm/uvm_mmap.c:395
sys_pad_mmap(ffff800029a51a50,ffff8000247ba528,ffff8000247ba580) at sys_pad_mmap+0x68 sys/uvm/uvm_mmap.c:470
syscall(ffff8000247ba5f0) at syscall+0x484 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff8000247ba5f0) at syscall+0x484 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xd7f34119360, count: -9
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff8000247ba090
rbx 0xffffffff82989bb7 cpu_info_full_primary+0x2bb7
rdx 0
rcx 0
rax 0xffff800029a51a50
r8 0x101010101010101
r9 0x8080808080808080
r10 0xd24146b1246febf5
r11 0xca51658726fff2f1
r12 0xffffffff829899b8 cpu_info_full_primary+0x29b8
r13 0
r14 0
r15 0x1
rip 0xffffffff813e2898 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff8000247ba080
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor.2) pid=139245 stat=onproc
flags process=10<SUGID> proc=4000000<THREAD>
pri=32, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff800029a647e0,0xffff800029a50aa0
process=0xffff8000fffe90b8 user=0xffff8000247b5000, vmspace=0xfffffd806cefc5d8
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
96081 502077 28657 32767 2 0x10 syz-executor.6
96814 206648 73483 32767 2 0x490 syz-executor.2
*96814 139245 73483 32767 7 0x4000010 syz-executor.2
96814 509360 73483 32767 3 0x4000090 fsleep syz-executor.2
91598 240121 0 0 3 0x14200 bored sosplice
6602 409733 47434 32767 2 0x490 syz-executor.5
28657 173369 16983 32767 3 0x90 nanoslp syz-executor.6
55224 422272 54898 32767 2 0x490 syz-executor.7
16983 414070 22980 0 3 0x82 wait syz-executor.6
54898 258304 22980 0 3 0x82 wait syz-executor.7
53541 135051 97989 32767 2 0x10 syz-executor.3
47434 481299 22980 0 3 0x82 wait syz-executor.5
98196 63635 56706 32767 2 0x490 syz-executor.1
68495 286996 25591 32767 3 0x90 nanoslp syz-executor.4
97989 343591 22980 0 3 0x82 wait syz-executor.3
73483 36446 10586 32767 2 0x490 syz-executor.2
56706 134976 22980 0 3 0x82 wait syz-executor.1
25591 285392 22980 0 3 0x82 wait syz-executor.4
6512 451306 81362 32767 2 0x490 syz-executor.0
10586 57587 22980 0 3 0x82 wait syz-executor.2
81362 144064 22980 0 3 0x82 wait syz-executor.0
22980 455939 47909 0 3 0x82 kqread syz-fuzzer
22980 208610 47909 0 2 0x4000482 syz-fuzzer
22980 477791 47909 0 3 0x4000082 thrsleep syz-fuzzer
22980 504147 47909 0 3 0x4000082 thrsleep syz-fuzzer
22980 170130 47909 0 3 0x4000082 thrsleep syz-fuzzer
22980 258781 47909 0 3 0x4000082 thrsleep syz-fuzzer
22980 432537 47909 0 3 0x4000082 thrsleep syz-fuzzer
22980 146123 47909 0 3 0x4000082 thrsleep syz-fuzzer
22980 521289 47909 0 3 0x4000082 thrsleep syz-fuzzer
47909 512554 98008 0 3 0x10008a sigsusp ksh
98008 13327 91890 0 3 0x9a kqread sshd
20898 339016 1 0 3 0x100083 ttyin getty
91890 313981 1 0 3 0x88 kqread sshd
55563 260232 59547 73 3 0x1100090 kqread syslogd
59547 153986 1 0 3 0x100082 netio syslogd
35423 467125 1 0 3 0x100080 kqread resolvd
48998 390527 29916 77 3 0x100092 kqread dhcpleased
90220 510099 29916 77 3 0x100092 kqread dhcpleased
29916 241380 1 0 3 0x80 kqread dhcpleased
21937 131306 0 0 3 0x14200 bored smr
53474 48946 0 0 2 0x14200 zerothread
86333 492403 0 0 3 0x14200 aiodoned aiodoned
82869 442701 0 0 3 0x14200 syncer update
63463 160108 0 0 3 0x14200 cleaner cleaner
76843 464124 0 0 7 0x14200 reaper
36359 11253 0 0 3 0x14200 pgdaemon pagedaemon
30350 177748 0 0 3 0x14200 bored viomb
68487 327076 0 0 3 0x40014200 acpi0 acpi0
51945 508059 0 0 3 0x40014200 idle1
47642 521260 0 0 3 0x14200 bored softnet
91254 131333 0 0 3 0x14200 bored softnet
75493 302443 0 0 3 0x14200 bored softnet
90954 92808 0 0 2 0x14200 softnet
77952 391893 0 0 3 0x14200 bored systqmp
19035 401046 0 0 3 0x14200 bored systq
2806 419101 0 0 2 0x40014200 softclock
428 392332 0 0 3 0x40014200 idle0
1 97831 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
CPU 1:
exclusive sched_lock &sched_lock r = 0 (0xffffffff82a153e0)
#0 witness_lock+0x44d
#1 wakeup_n+0x37
#2 uvm_pmr_freepageq+0x2ca sys/uvm/uvm_pmemrange.c:1353
#3 amap_wipeout+0x1ff sys/uvm/uvm_amap.c:523
#4 uvm_unmap_detach+0x7d sys/uvm/uvm_map.c:1599
#5 uvm_map_teardown+0x262 sys/uvm/uvm_map.c:2789
#6 uvmspace_free+0xa6 sys/uvm/uvm_map.c:3684
#7 reaper+0x19a sys/kern/kern_exit.c:454
#8 proc_trampoline+0x1c
exclusive mutex &uvm.fpageqlock r = 0 (0xffffffff82ba3868)
#0 witness_lock+0x44d
#1 mtx_enter_try+0x100
#2 mtx_enter+0x4b sys/kern/kern_lock.c:266
#3 uvm_pmr_freepageq+0xcc sys/uvm/uvm_pmemrange.c:1333
#4 amap_wipeout+0x1ff sys/uvm/uvm_amap.c:523
#5 uvm_unmap_detach+0x7d sys/uvm/uvm_map.c:1599
#6 uvm_map_teardown+0x262 sys/uvm/uvm_map.c:2789
#7 uvmspace_free+0xa6 sys/uvm/uvm_map.c:3684
#8 reaper+0x19a sys/kern/kern_exit.c:454
#9 proc_trampoline+0x1c
Process 96814 (syz-executor.2) thread 0xffff800029a51a50 (139245)
exclusive kernel_lock &kernel_lock r = 1 (0xffffffff82ad3210)
#0 witness_lock+0x44d
#1 syscall+0x3e8 mi_syscall sys/sys/syscall_mi.h:93 [inline]
#1 syscall+0x3e8 sys/arch/amd64/amd64/trap.c:585
#2 Xsyscall+0x128
Process 53541 (syz-executor.3) thread 0xffff8000fffeca88 (135051)
exclusive rrwlock inode r = 0 (0xfffffd80740e8b38)
#0 witness_lock+0x44d
#1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2 rrw_enter+0x8b sys/kern/kern_rwlock.c:465
#3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:518
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:567
#5 vget+0x1d3 sys/kern/vfs_subr.c:678
#6 ufs_ihashget+0x121 sys/ufs/ufs/ufs_ihash.c:119
#7 ffs_vget+0x7c sys/ufs/ffs/ffs_vfsops.c:1318
#8 ufs_lookup+0x13ba sys/ufs/ufs/ufs_lookup.c:487
#9 VOP_LOOKUP+0x58 sys/kern/vfs_vops.c:85
#10 vfs_lookup+0x6e5 sys/kern/vfs_lookup.c:561
#11 namei+0x36a sys/kern/vfs_lookup.c:245
#12 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1852
#13 syscall+0x484 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#13 syscall+0x484 sys/arch/amd64/amd64/trap.c:585
#14 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd8064fcbc50)
#0 witness_lock+0x44d
#1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2 rrw_enter+0x8b sys/kern/kern_rwlock.c:465
#3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:518
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:567
#5 vfs_lookup+0xd1 sys/kern/vfs_lookup.c:413
#6 namei+0x36a sys/kern/vfs_lookup.c:245
#7 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1852
#8 syscall+0x484 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#8 syscall+0x484 sys/arch/amd64/amd64/trap.c:585
#9 Xsyscall+0x128
Process 76843 (reaper) thread 0xffff8000212437a8 (464124)
uvm_fault(0xfffffd806cefc5d8, 0x0, 0, 1) -> e
kernel: page fault trap, code=0
Faulted in DDB; continuing...
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10223 6414K 6420K 78643K 11315 0
pcb 13 12K 14K 78643K 17 0
rtable 240 6K 7K 78643K 669 0
ifaddr 81 16K 16K 78643K 82 0
sysctl 2 0K 0K 78643K 2 0
counters 56 35K 35K 78643K 56 0
ioctlops 0 0K 2K 78643K 808 0
iov 0 0K 32K 78643K 1428 0
mount 1 1K 1K 78643K 1 0
log 0 0K 0K 78643K 5 0
vnodes 1270 79K 79K 78643K 1578 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 5K 78643K 27 0
VM map 2 1K 1K 78643K 2 0
sem 12 0K 0K 78643K 467 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12548 0
file desc 20 73K 121K 78643K 3063 0
sigio 0 0K 0K 78643K 141 0
proc 56 78K 115K 78643K 798 0
subproc 104 6K 6K 78643K 104 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
ip_moptions 0 0K 0K 78643K 314 0
in_multi 99 6K 6K 78643K 153 0
ether_multi 1 0K 0K 78643K 24 0
mrt 1 0K 0K 78643K 1 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 337 1500K 1500K 78643K 337 0
exec 0 0K 2K 78643K 1041 0
tdb 3 0K 0K 78643K 3 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 7 26K 26K 78643K 7 0
UVM amap 262 102K 105K 78643K 20211 0
UVM aobj 131 4K 4K 78643K 134 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
ip6_options 0 0K 0K 78643K 89 0
NDP 11 0K 2K 78643K 27 0
temp 124 4722K 4842K 78643K 10196 0
kqueue 12 18K 24K 78643K 349 0
SYN cache 2 16K 16K 78643K 2 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 22 0 0 1 0 1 1 0 8 0
rtpcb 120 663 0 660 9 7 2 3 0 8 1
rtentry 112 115 0 2 4 0 4 4 0 8 0
unpcb 136 2188 0 2175 15 13 2 6 0 8 1
syncache 296 51 0 51 6 5 1 1 0 8 1
tcpqe 32 25 0 25 6 6 0 1 0 8 0
tcpcb 736 2927 0 2898 46 40 6 20 0 8 2
arp 120 19 0 0 1 0 1 1 0 8 0
ipq 40 1 0 1 1 1 0 1 0 8 0
ipqe 40 67 0 67 1 1 0 1 0 8 0
inpcb 320 6032 0 6014 51 44 7 13 0 8 5
nd6 48 27 0 1 1 0 1 1 0 8 0
kcovpl 48 8 0 0 1 0 1 1 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 469 0 2 30 0 30 30 0 8 0
art_table 32 470 0 2 4 0 4 4 0 8 0
art_node 16 114 0 11 1 0 1 1 0 8 0
sysvmsgpl 40 10 0 7 2 1 1 1 0 8 0
semupl 112 3 0 3 1 1 0 1 0 8 0
semapl 112 465 0 455 1 0 1 1 0 8 0
shmpl 112 131 0 3 4 0 4 4 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 5280 0 3838 91 0 91 91 0 8 0
ffsino 272 5280 0 3838 97 0 97 97 0 8 0
nchpl 144 9580 0 7903 63 0 63 63 0 8 0
uvmvnodes 80 5393 0 0 111 0 111 111 0 8 0
vnodes 224 5393 0 0 318 0 318 318 0 8 0
namei 1024 37676 0 37676 2 1 1 2 0 8 1
percpumem 16 40 0 0 1 0 1 1 0 8 0
kstatmem 264 22 0 0 2 0 2 2 0 8 0
scxspl 216 29449 0 29449 16 12 4 8 0 8 4
plimitpl 152 503 0 480 4 3 1 2 0 8 0
sigapl 424 3342 0 3288 7 0 7 7 0 8 0
futexpl 64 29474 0 29473 1 0 1 1 0 8 0
knotepl 120 439 0 0 13 0 13 13 0 8 0
kqueuepl 224 711 0 703 11 6 5 5 0 8 4
pipepl 336 919 0 891 29 23 6 13 0 8 3
fdescpl 496 3324 0 3293 7 2 5 6 0 8 0
filepl 152 25382 0 25146 44 30 14 20 0 8 4
lockfpl 104 436 0 433 1 0 1 1 0 8 0
lockfspl 48 177 0 174 1 0 1 1 0 8 0
sessionpl 144 23 0 7 1 0 1 1 0 8 0
pgrppl 48 42 0 26 1 0 1 1 0 8 0
ucredpl 104 2971 0 2953 1 0 1 1 0 8 0
zombiepl 144 3293 0 3288 1 0 1 1 0 8 0
processpl 1064 3342 0 3288 5 1 4 5 0 8 0
procpl 672 9398 0 9330 9 2 7 8 0 8 0
sosppl 168 41 0 41 4 3 1 1 0 8 1
sockpl 480 8979 0 8948 149 137 12 35 0 8 7
mcl64k 65536 17 0 0 3 0 3 3 0 8 0
mcl16k 16384 17 0 0 3 0 3 3 0 8 0
mcl12k 12288 17 0 0 2 0 2 2 0 8 0
mcl9k 9216 15 0 0 2 0 2 2 0 8 0
mcl8k 8192 16 0 0 2 0 2 2 0 8 0
mcl4k 4096 17 0 0 3 0 3 3 0 8 0
mcl2k2 2112 3 0 0 1 0 1 1 0 8 0
mcl2k 2048 175 0 0 17 0 17 17 0 8 0
mtagpl 96 2 0 0 1 0 1 1 0 8 0
mbufpl 256 6889 0 0 430 0 430 430 0 8 0
bufpl 288 9106 0 2775 453 0 453 453 0 8 0
anonpl 24 719948 0 707730 167 63 104 124 0 186 2
amapchunkpl 152 63390 0 62627 87 48 39 40 0 158 6
amappl16 200 13555 0 13193 89 56 33 41 0 8 9
amappl15 192 1457 0 1452 1 0 1 1 0 8 0
amappl14 184 1138 0 1128 1 0 1 1 0 8 0
amappl13 176 437 0 435 1 0 1 1 0 8 0
amappl12 168 7 0 4 1 0 1 1 0 8 0
amappl11 160 91 0 74 1 0 1 1 0 8 0
amappl10 152 38 0 35 1 0 1 1 0 8 0
amappl9 144 908 0 902 1 0 1 1 0 8 0
amappl8 136 1029 0 949 3 0 3 3 0 8 0
amappl7 128 471 0 458 1 0 1 1 0 8 0
amappl6 120 643 0 625 2 1 1 2 0 8 0
amappl5 112 2355 0 2337 1 0 1 1 0 8 0
amappl4 104 1546 0 1516 2 0 2 2 0 8 0
amappl3 96 9694 0 9648 2 0 2 2 0 8 0
amappl2 88 4060 0 3996 3 1 2 3 0 8 0
amappl1 80 82215 0 81557 20 3 17 19 0 8 1
amappl 88 19629 0 19469 6 1 5 5 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 133 0 3 3 0 3 3 0 8 0
uaddrrnd 24 3324 0 3291 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 3324 0 3291 1 0 1 1 0 8 0
vmmpekpl 168 29242 0 29184 3 0 3 3 0 8 0
vmmpepl 168 329628 0 327102 182 43 139 139 0 357 8
vmsppl 368 3323 0 3290 4 0 4 4 0 8 0
rwobjpl 56 92614 0 85766 104 2 102 102 0 8 0
pdppl 4096 6655 0 6580 175 94 81 93 0 8 6
pvpl 32 1383633 0 1366515 289 102 187 250 0 265 6
pmappl 248 3323 0 3290 4 1 3 3 0 8 0
extentpl 40 58 0 38 1 0 1 1 0 8 0
phpool 112 1392 0 160 36 0 36 36 0 8 0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff825a1086) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff82613da6,ffffffff826356be,ea,ffffffff8262dfae) at __assert+0x25 sys/kern/subr_prf.c:161
uvn_attach(fffffd8074388e88,6) at uvn_attach+0x444 sys/uvm/uvm_vnode.c:234
uvm_mmapfile(fffffd806cefc5d8,ffff8000247ba3f8,10000,2,6,11,eb0e58e6c976dfb4,fffffd806cefc5d8,0,11) at uvm_mmapfile+0x194 sys/uvm/uvm_mmap.c:1029
sys_mmap(ffff800029a51a50,ffff8000247ba4a0,ffff8000247ba580) at sys_mmap+0xb4a sys/uvm/uvm_mmap.c:395
sys_pad_mmap(ffff800029a51a50,ffff8000247ba528,ffff8000247ba580) at sys_pad_mmap+0x68 sys/uvm/uvm_mmap.c:470
syscall(ffff8000247ba5f0) at syscall+0x484 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff8000247ba5f0) at syscall+0x484 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xd7f34119360, count: -9
ddb{0}> machine ddbcpu 1
Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp
x86_ipi_db(ffff800020de8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x2f kd_curproc sys/dev/kcov.c:578 [inline]
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x2f sys/dev/kcov.c:148
__mp_lock(ffffffff82ad3008) at __mp_lock+0x133 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82ad3008) at __mp_lock+0x133 sys/kern/kern_lock.c:147
uvm_unmap_detach(ffff800021249280,1) at uvm_unmap_detach+0x113 sys/uvm/uvm_map.c:1615
uvm_map_teardown(fffffd806cefc2f8) at uvm_map_teardown+0x262 sys/uvm/uvm_map.c:2789
uvmspace_free(fffffd806cefc2f8) at uvmspace_free+0xa6 sys/uvm/uvm_map.c:3684
reaper(ffff8000212437a8) at reaper+0x19a sys/kern/kern_exit.c:454
end trace frame: 0x0, count: 6
ddb{1}> trace
x86_ipi_db(ffff800020de8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x2f kd_curproc sys/dev/kcov.c:578 [inline]
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x2f sys/dev/kcov.c:148
__mp_lock(ffffffff82ad3008) at __mp_lock+0x133 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82ad3008) at __mp_lock+0x133 sys/kern/kern_lock.c:147
uvm_unmap_detach(ffff800021249280,1) at uvm_unmap_detach+0x113 sys/uvm/uvm_map.c:1615
uvm_map_teardown(fffffd806cefc2f8) at uvm_map_teardown+0x262 sys/uvm/uvm_map.c:2789
uvmspace_free(fffffd806cefc2f8) at uvmspace_free+0xa6 sys/uvm/uvm_map.c:3684
reaper(ffff8000212437a8) at reaper+0x19a sys/kern/kern_exit.c:454
end trace frame: 0x0, count: -9


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Aug 14, 2022, 5:06:25 AM8/14/22
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 7365c3921944 Remove needless include pledge.h accidently a..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=149a8b6b080000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=153d292d080000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+dd2d26...@syzkaller.appspotmail.com

panic: kernel diagnostic assertion "uvn->u_obj.uo_refs == 0" failed: file "/syzkaller/managers/setuid/kernel/sys/uvm/uvm_vnode.c", line 234
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
102091 92343 0 0 0 0 syz-executor.0
*317800 92343 0 0 0x4000000 1K syz-executor.0
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff825a566a) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff8261a2b2,ffffffff8263e388,ea,ffffffff82636a65) at __assert+0x25 sys/kern/subr_prf.c:161
uvn_attach(fffffd806b1fe3b8,6) at uvn_attach+0x444 sys/uvm/uvm_vnode.c:234
uvm_mmapfile(fffffd80760d7b88,ffff800021436088,10000,2,6,11,1747145d45271d72,fffffd80760d7b88,0,11) at uvm_mmapfile+0x194 sys/uvm/uvm_mmap.c:1029
sys_mmap(ffff8000ffff3268,ffff800021436130,ffff800021436200) at sys_mmap+0xb4a sys/uvm/uvm_mmap.c:395
sys_pad_mmap(ffff8000ffff3268,ffff8000214361b8,ffff800021436200) at sys_pad_mmap+0x68 sys/uvm/uvm_mmap.c:470
syscall(ffff800021436280) at syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline]
syscall(ffff800021436280) at syscall+0x435 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x2949f151350, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu1: kernel diagnostic assertion "uvn->u_obj.uo_refs == 0" failed: file "/syzkaller/managers/setuid/kernel/sys/uvm/uvm_vnode.c", line 234
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff825a566a) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff8261a2b2,ffffffff8263e388,ea,ffffffff82636a65) at __assert+0x25 sys/kern/subr_prf.c:161
uvn_attach(fffffd806b1fe3b8,6) at uvn_attach+0x444 sys/uvm/uvm_vnode.c:234
uvm_mmapfile(fffffd80760d7b88,ffff800021436088,10000,2,6,11,1747145d45271d72,fffffd80760d7b88,0,11) at uvm_mmapfile+0x194 sys/uvm/uvm_mmap.c:1029
sys_mmap(ffff8000ffff3268,ffff800021436130,ffff800021436200) at sys_mmap+0xb4a sys/uvm/uvm_mmap.c:395
sys_pad_mmap(ffff8000ffff3268,ffff8000214361b8,ffff800021436200) at sys_pad_mmap+0x68 sys/uvm/uvm_mmap.c:470
syscall(ffff800021436280) at syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline]
syscall(ffff800021436280) at syscall+0x435 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x2949f151350, count: -9
ddb{1}> show registers
rdi 0
rsi 0x1
rbp 0xffff800021435d20
rbx 0xffff800020dd9b8f
rdx 0x3fd
rcx 0
rax 0x8c
r8 0x101010101010101
r9 0x8080808080808080
r10 0x294f6a39af4b3d0f
r11 0xff2306e4bc7d1a6c
r12 0xffff800020dd9990
r13 0
r14 0
r15 0x1
rip 0xffffffff82293d58 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800021435d10
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor.0) pid=317800 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=32, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff8000ffff2008,0xffff8000ffff0800
process=0xffff8000fffedd30 user=0xffff800021431000, vmspace=0xfffffd80760d7b88
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
80794 173116 25721 0 2 0 syz-executor.2
80794 411306 25721 0 2 0x4000000 syz-executor.2
34995 421791 22566 0 2 0 syz-executor.4
34995 144879 22566 0 2 0x4000000 syz-executor.4
5782 509753 74410 0 2 0 syz-executor.5
5782 110081 74410 0 3 0x4000080 fsleep syz-executor.5
58782 475320 35404 0 2 0 syz-executor.1
58782 321580 35404 0 2 0x4000000 syz-executor.1
58782 376140 35404 0 3 0x4000080 fsleep syz-executor.1
92343 102091 38232 0 7 0 syz-executor.0
*92343 317800 38232 0 7 0x4000000 syz-executor.0
92343 34771 38232 0 2 0x4000000 syz-executor.0
32381 411386 8679 0 2 0 syz-executor.7
32381 351897 8679 0 3 0x4000080 fsleep syz-executor.7
6173 511876 60979 0 2 0 syz-executor.6
6173 252311 60979 0 3 0x4000080 fsleep syz-executor.6
6173 93348 60979 0 3 0x4000080 fsleep syz-executor.6
35404 31442 85496 0 3 0x82 nanoslp syz-executor.1
95078 41911 85496 0 3 0x2 biowait syz-executor.3
8679 244515 85496 0 3 0x82 nanoslp syz-executor.7
74410 312580 85496 0 3 0x82 nanoslp syz-executor.5
25721 379419 85496 0 3 0x82 nanoslp syz-executor.2
60979 417231 85496 0 3 0x82 nanoslp syz-executor.6
22566 35306 85496 0 3 0x82 nanoslp syz-executor.4
38232 325545 85496 0 3 0x82 nanoslp syz-executor.0
85496 438248 13892 0 3 0x82 wait syz-execprog
85496 57174 13892 0 3 0x4000082 nanoslp syz-execprog
85496 25183 13892 0 3 0x4000082 wait syz-execprog
85496 314836 13892 0 3 0x4000082 thrsleep syz-execprog
85496 406960 13892 0 3 0x4000082 thrsleep syz-execprog
85496 290797 13892 0 3 0x4000082 wait syz-execprog
85496 422721 13892 0 3 0x4000082 wait syz-execprog
85496 415722 13892 0 3 0x4000082 thrsleep syz-execprog
85496 25046 13892 0 3 0x4000082 wait syz-execprog
85496 457006 13892 0 3 0x4000082 wait syz-execprog
85496 16488 13892 0 3 0x4000082 wait syz-execprog
85496 354932 13892 0 3 0x4000082 thrsleep syz-execprog
85496 473374 13892 0 3 0x4000082 wait syz-execprog
85496 91546 13892 0 3 0x4000082 kqread syz-execprog
85496 73716 13892 0 3 0x4000082 nanoslp syz-execprog
85496 85313 13892 0 3 0x4000082 thrsleep syz-execprog
13892 414829 13976 0 3 0x10008a sigsusp ksh
13976 502708 87551 0 3 0x9a kqread sshd
46946 152889 1 0 3 0x100083 ttyin getty
87551 80582 1 0 3 0x88 kqread sshd
41628 452225 54823 73 3 0x1100090 kqread syslogd
54823 441652 1 0 3 0x100082 netio syslogd
98197 520579 1 0 3 0x100080 kqread resolvd
63563 220747 816 77 3 0x100092 kqread dhcpleased
57393 345772 816 77 3 0x100092 kqread dhcpleased
816 350283 1 0 3 0x80 kqread dhcpleased
88382 327888 0 0 3 0x14200 bored smr
93696 433190 0 0 2 0x14200 zerothread
65345 120332 0 0 3 0x14200 aiodoned aiodoned
65575 43082 0 0 3 0x14200 syncer update
10860 299764 0 0 3 0x14200 cleaner cleaner
76747 395644 0 0 3 0x14200 reaper reaper
15019 46055 0 0 3 0x14200 pgdaemon pagedaemon
51759 131205 0 0 3 0x14200 bored viomb
40636 441108 0 0 3 0x40014200 acpi0 acpi0
83944 275234 0 0 3 0x40014200 idle1
68415 184668 0 0 3 0x14200 bored softnet
84272 160839 0 0 3 0x14200 bored softnet
18 26734 0 0 3 0x14200 bored softnet
34377 325113 0 0 3 0x14200 bored softnet
70509 60175 0 0 3 0x14200 bored systqmp
54461 131076 0 0 3 0x14200 bored systq
63431 183766 0 0 3 0x40014200 bored softclock
74148 97892 0 0 3 0x40014200 idle0
1 13908 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
Process 92343 (syz-executor.0) thread 0xffff8000ffff3268 (317800)
exclusive kernel_lock &kernel_lock r = 1 (0xffffffff82ac95a0)
#0 witness_lock+0x44d
#1 syscall+0x41d mi_syscall sys/sys/syscall_mi.h:100 [inline]
#1 syscall+0x41d sys/arch/amd64/amd64/trap.c:585
#2 Xsyscall+0x128
Process 95078 (syz-executor.3) thread 0xffff8000ffff4a80 (41911)
exclusive rrwlock inode r = 0 (0xfffffd806a28bc58)
#0 witness_lock+0x44d
#1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2 rrw_enter+0x8b sys/kern/kern_rwlock.c:465
#3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:518
#4 ufs_ihashins+0x42 sys/ufs/ufs/ufs_ihash.c:140
#5 ffs_vget+0x141 sys/ufs/ffs/ffs_vfsops.c:1353
#6 ffs_inode_alloc+0x1be sys/ufs/ffs/ffs_alloc.c:394
#7 ufs_mkdir+0xf4 sys/ufs/ufs/ufs_vnops.c:1150
#8 VOP_MKDIR+0xbf sys/kern/vfs_vops.c:388
#9 domkdirat+0x121 sys/kern/vfs_syscalls.c:3116
#10 syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline]
#10 syscall+0x435 sys/arch/amd64/amd64/trap.c:585
#11 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd8075d240a0)
#0 witness_lock+0x44d
#1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2 rrw_enter+0x8b sys/kern/kern_rwlock.c:465
#3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:518
#4 vn_lock+0x84 sys/kern/vfs_vnops.c:567
#5 vfs_lookup+0xd1 sys/kern/vfs_lookup.c:413
#6 namei+0x36a sys/kern/vfs_lookup.c:245
#7 domkdirat+0x75 sys/kern/vfs_syscalls.c:3101
#8 syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline]
#8 syscall+0x435 sys/arch/amd64/amd64/trap.c:585
#9 Xsyscall+0x128
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10173 6407K 6419K 78643K 11263 0
pcb 13 8K 8K 78643K 13 0
rtable 234 6K 6K 78643K 349 0
ifaddr 82 16K 16K 78643K 84 0
counters 56 35K 35K 78643K 56 0
ioctlops 0 0K 2K 78643K 33 0
mount 1 1K 1K 78643K 1 0
log 0 0K 0K 78643K 4 0
vnodes 1166 73K 73K 78643K 1179 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 1K 78643K 2 0
VM map 2 1K 1K 78643K 2 0
sem 2 0K 0K 78643K 2 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12548 0
file desc 17 61K 97K 78643K 197 0
proc 55 78K 127K 78643K 450 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
in_multi 99 6K 6K 78643K 99 0
ether_multi 1 0K 0K 78643K 1 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 25 122K 122K 78643K 25 0
exec 0 0K 2K 78643K 622 0
tdb 3 0K 0K 78643K 3 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 8 62K 62K 78643K 8 0
UVM amap 184 87K 102K 78643K 2599 0
UVM aobj 3 2K 2K 78643K 3 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
NDP 17 1K 2K 78643K 27 0
temp 51 4710K 4774K 78643K 3455 0
kqueue 12 18K 18K 78643K 25 0
SYN cache 2 16K 16K 78643K 2 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 22 0 0 1 0 1 1 0 8 0
rtpcb 120 36 0 33 1 0 1 1 0 8 0
rtentry 112 111 0 1 4 0 4 4 0 8 0
unpcb 144 33 0 20 1 0 1 1 0 8 0
syncache 296 5 0 5 2 1 1 1 0 8 1
tcpcb 768 8 0 5 1 0 1 1 0 8 0
arp 120 18 0 0 1 0 1 1 0 8 0
inpcb 320 57 0 51 1 0 1 1 0 8 0
nd6 48 24 0 0 1 0 1 1 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 451 0 0 29 0 29 29 0 8 0
art_table 32 452 0 0 4 0 4 4 0 8 0
art_node 16 110 0 10 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 1599 0 166 90 0 90 90 0 8 0
ffsino 272 1599 0 166 96 0 96 96 0 8 0
nchpl 144 1975 0 300 63 0 63 63 0 8 0
uvmvnodes 80 1608 0 0 33 0 33 33 0 8 0
vnodes 216 1608 0 0 90 0 90 90 0 8 0
namei 1024 6187 0 6186 3 1 2 2 0 8 1
percpumem 16 40 0 0 1 0 1 1 0 8 0
kstatmem 264 22 0 0 2 0 2 2 0 8 0
scxspl 216 6023 0 6022 10 7 3 8 0 8 2
plimitpl 152 23 0 9 1 0 1 1 0 8 0
sigapl 424 486 0 441 7 0 7 7 0 8 1
futexpl 64 387 0 382 1 0 1 1 0 8 0
knotepl 120 102 0 0 4 0 4 4 0 8 0
kqueuepl 216 21 0 13 1 0 1 1 0 8 0
pipepl 320 130 0 102 4 1 3 3 0 8 0
fdescpl 496 469 0 441 6 1 5 5 0 8 0
filepl 152 1631 0 1499 6 0 6 6 0 8 0
lockfpl 104 128 0 122 1 0 1 1 0 8 0
lockfspl 48 67 0 61 1 0 1 1 0 8 0
sessionpl 144 25 0 9 1 0 1 1 0 8 0
pgrppl 48 25 0 9 1 0 1 1 0 8 0
ucredpl 104 64 0 54 1 0 1 1 0 8 0
zombiepl 144 441 0 441 2 1 1 1 0 8 1
processpl 1064 486 0 441 4 0 4 4 0 8 0
procpl 672 617 0 547 6 0 6 6 0 8 0
sockpl 488 126 0 104 4 0 4 4 0 8 1
mcl8k 8192 5 0 0 1 0 1 1 0 8 0
mcl4k 4096 4 0 0 1 0 1 1 0 8 0
mcl2k 2048 78 0 0 9 0 9 9 0 8 0
mtagpl 96 4 0 0 1 0 1 1 0 8 0
mbufpl 256 278 0 0 17 0 17 17 0 8 0
bufpl 288 3565 0 128 246 0 246 246 0 8 0
anonpl 24 62011 0 56913 43 3 40 40 0 186 8
amapchunkpl 152 16298 0 15677 45 1 44 44 0 158 19
amappl16 200 342 0 252 6 1 5 5 0 8 0
amappl15 192 138 0 130 1 0 1 1 0 8 0
amappl14 184 39 0 30 1 0 1 1 0 8 0
amappl13 176 92 0 91 2 1 1 1 0 8 0
amappl12 168 25 0 21 2 1 1 1 0 8 0
amappl11 160 110 0 92 1 0 1 1 0 8 0
amappl10 152 14 0 13 1 0 1 1 0 8 0
amappl9 144 446 0 444 1 0 1 1 0 8 0
amappl8 136 542 0 503 3 1 2 2 0 8 0
amappl7 128 134 0 118 1 0 1 1 0 8 0
amappl6 120 178 0 167 2 0 2 2 0 8 1
amappl5 112 135 0 122 1 0 1 1 0 8 0
amappl4 104 878 0 843 2 0 2 2 0 8 0
amappl3 96 799 0 744 2 0 2 2 0 8 0
amappl2 88 443 0 410 2 0 2 2 0 8 0
amappl1 80 13540 0 12860 19 0 19 19 0 8 4
amappl 88 2168 0 2040 3 0 3 3 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 2 0 0 1 0 1 1 0 8 0
uaddrrnd 24 469 0 441 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 469 0 441 1 0 1 1 0 8 0
vmmpekpl 168 8787 0 8761 2 0 2 2 0 8 0
vmmpepl 168 48478 0 46519 90 1 89 89 0 357 0
vmsppl 368 468 0 441 4 0 4 4 0 8 1
rwobjpl 56 14213 0 11597 40 0 40 40 0 8 2
pdppl 4096 945 0 882 107 36 71 81 0 8 8
pvpl 32 242670 0 233589 258 4 254 254 0 265 179
pmappl 248 468 0 441 4 1 3 3 0 8 0
extentpl 40 56 0 38 1 0 1 1 0 8 0
phpool 112 610 0 39 17 0 17 17 0 8 0
ddb{1}> machine ddbcpu 0
Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp
x86_ipi_db(ffffffff82931ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__mp_lock(ffffffff82ac9398) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82ac9398) at __mp_lock+0x122 sys/kern/kern_lock.c:147
__mp_acquire_count(ffffffff82ac9398,1) at __mp_acquire_count+0x48 sys/kern/kern_lock.c:227
mi_switch() at mi_switch+0x3bb sys/kern/sched_bsd.c:416
sleep_finish(ffff800021398698,1) at sleep_finish+0x180 sys/kern/kern_synch.c:420
rw_enter(fffffd80760d7b90,21) at rw_enter+0x35a sys/kern/kern_rwlock.c:286
vm_map_lock_ln(fffffd80760d7b88,294c1187000,294c1187000) at vm_map_lock_ln+0xda sys/uvm/uvm_map.c:5448
uvm_map_protect(fffffd80760d7b88,294c1186000,294c1187000,0,0) at uvm_map_protect+0xc1 uvm_map_addr_RBT_ROOT sys/uvm/uvm_map.h:176 [inline]
uvm_map_protect(fffffd80760d7b88,294c1186000,294c1187000,0,0) at uvm_map_protect+0xc1 uvm_map_entrybyaddr sys/uvm/uvm_map.c:559 [inline]
uvm_map_protect(fffffd80760d7b88,294c1186000,294c1187000,0,0) at uvm_map_protect+0xc1 sys/uvm/uvm_map.c:3328
syscall(ffff800021398960) at syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline]
syscall(ffff800021398960) at syscall+0x435 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffd5410, count: 3
ddb{0}> trace
x86_ipi_db(ffffffff82931ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__mp_lock(ffffffff82ac9398) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82ac9398) at __mp_lock+0x122 sys/kern/kern_lock.c:147
__mp_acquire_count(ffffffff82ac9398,1) at __mp_acquire_count+0x48 sys/kern/kern_lock.c:227
mi_switch() at mi_switch+0x3bb sys/kern/sched_bsd.c:416
sleep_finish(ffff800021398698,1) at sleep_finish+0x180 sys/kern/kern_synch.c:420
rw_enter(fffffd80760d7b90,21) at rw_enter+0x35a sys/kern/kern_rwlock.c:286
vm_map_lock_ln(fffffd80760d7b88,294c1187000,294c1187000) at vm_map_lock_ln+0xda sys/uvm/uvm_map.c:5448
uvm_map_protect(fffffd80760d7b88,294c1186000,294c1187000,0,0) at uvm_map_protect+0xc1 uvm_map_addr_RBT_ROOT sys/uvm/uvm_map.h:176 [inline]
uvm_map_protect(fffffd80760d7b88,294c1186000,294c1187000,0,0) at uvm_map_protect+0xc1 uvm_map_entrybyaddr sys/uvm/uvm_map.c:559 [inline]
uvm_map_protect(fffffd80760d7b88,294c1186000,294c1187000,0,0) at uvm_map_protect+0xc1 sys/uvm/uvm_map.c:3328
syscall(ffff800021398960) at syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline]
syscall(ffff800021398960) at syscall+0x435 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffd5410, count: -12
ddb{0}> machine ddbcpu 1
Stopped at db_enter+0x18: addq $0x8,%rsp
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff825a566a) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff8261a2b2,ffffffff8263e388,ea,ffffffff82636a65) at __assert+0x25 sys/kern/subr_prf.c:161
uvn_attach(fffffd806b1fe3b8,6) at uvn_attach+0x444 sys/uvm/uvm_vnode.c:234
uvm_mmapfile(fffffd80760d7b88,ffff800021436088,10000,2,6,11,1747145d45271d72,fffffd80760d7b88,0,11) at uvm_mmapfile+0x194 sys/uvm/uvm_mmap.c:1029
sys_mmap(ffff8000ffff3268,ffff800021436130,ffff800021436200) at sys_mmap+0xb4a sys/uvm/uvm_mmap.c:395
sys_pad_mmap(ffff8000ffff3268,ffff8000214361b8,ffff800021436200) at sys_pad_mmap+0x68 sys/uvm/uvm_mmap.c:470
syscall(ffff800021436280) at syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline]
syscall(ffff800021436280) at syscall+0x435 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x2949f151350, count: 6
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff825a566a) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff8261a2b2,ffffffff8263e388,ea,ffffffff82636a65) at __assert+0x25 sys/kern/subr_prf.c:161
uvn_attach(fffffd806b1fe3b8,6) at uvn_attach+0x444 sys/uvm/uvm_vnode.c:234
uvm_mmapfile(fffffd80760d7b88,ffff800021436088,10000,2,6,11,1747145d45271d72,fffffd80760d7b88,0,11) at uvm_mmapfile+0x194 sys/uvm/uvm_mmap.c:1029
sys_mmap(ffff8000ffff3268,ffff800021436130,ffff800021436200) at sys_mmap+0xb4a sys/uvm/uvm_mmap.c:395
sys_pad_mmap(ffff8000ffff3268,ffff8000214361b8,ffff800021436200) at sys_pad_mmap+0x68 sys/uvm/uvm_mmap.c:470
syscall(ffff800021436280) at syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline]
syscall(ffff800021436280) at syscall+0x435 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x2949f151350, count: -9
ddb{1}>

Greg Steuck

Aug 30, 2022, 7:05:32 AM8/30/22
to syzbot, Martin Pieuchot, syzkaller-o...@googlegroups.com
After much manual bisecting, I found that this commit introduced the failure:

commit 09d7b7f43bc80ca1c0b996f24405859d47161c80
Author: mpi <m...@openbsd.org>
Date:   Thu Apr 28 18:12:33 2022 +0000

    Always acquire the `vmobjlock' before incrementing an object's reference.

 sys/uvm/uvm_vnode.c | 14 ++++++++++++--

I proposed a revert.



--
nest.cx is Gmail hosted, use PGP: https://pgp.key-server.io/0x0B1542BD8DF5A1B0
Fingerprint: 5E2B 2D0E 1E03 2046 BEC3  4D50 0B15 42BD 8DF5 A1B0

Greg Steuck

Aug 30, 2022, 7:19:43 AM8/30/22
to syzbot, syzkaller-o...@googlegroups.com

syzbot

Aug 30, 2022, 7:43:15 AM8/30/22
to gr...@nest.cx, syzkaller-o...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+dd2d26...@syzkaller.appspotmail.com

Tested on:

commit: 3871b827 Revert "Always acquire the `vmobjlock' before..
git tree: https://github.com/blackgnezdo/openbsd-src.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1146fd95080000
compiler:

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.