Hello,
syzbot found the following issue on:
HEAD commit: 369ac04692fe In merge_peers() also set local_bgpid for clo..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=16a9c7ce580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7058272de1526588
dashboard link: https://syzkaller.appspot.com/bug?extid=a6db90562083d1335c82
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e9073b7eb940/disk-369ac046.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/669e75f9146c/bsd-369ac046.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/993037e57b18/kernel-369ac046.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a6db90...@syzkaller.appspotmail.com
uvm_fault(0xfffffd806c6df7b8, 0x98, 0, 1) -> e
kernel: page fault trap, codeuvm_fault(0xffffffff83a3b708, 0xffffffffffffffff, 0, 2) -> e
kernel: page fault trap, code=2
Stopped at remrunqueue+0x116: movq %rcx,0(%r12)
TID PID UID PRFLAGS PFLAGS CPU COMMAND
47055 95820 0 0 0 1 syz-executor
* 67015 95820 0 0 0x4000000 0 syz-executor
remrunqueue(ffff80003a3cd778) at remrunqueue+0x116 sys/kern/kern_sched.c:313
schedcpu(0) at schedcpu+0x306 sys/kern/sched_bsd.c:280
timeout_run(ffffffff8394c478,ffffffff838c4230) at timeout_run+0x159 sys/kern/kern_timeout.c:698
softclock_process_tick_timeout(ffffffff838c4230,0) at softclock_process_tick_timeout+0x232 sys/kern/kern_timeout.c:756
softclock(0) at softclock+0x152 sys/kern/kern_timeout.c:788
softintr_dispatch(0) at softintr_dispatch+0x13b sys/kern/kern_softintr.c:84
dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862
Xsoftclock() at Xsoftclock+0x27
cnputc(65) at cnputc+0x67 sys/dev/cons.c:218
db_putchar(65) at db_putchar+0x36d sys/ddb/db_output.c:155
kprintf() at kprintf+0x223 sys/kern/subr_prf.c:723
db_printf(ffffffff834159ef) at db_printf+0x9b sys/kern/subr_prf.c:-1
db_ktrap(6,0,ffff80003c3d9060) at db_ktrap+0x1c7 sys/arch/amd64/amd64/db_interface.c:129
kerntrap(ffff80003c3d9060) at kerntrap+0x243 sys/arch/amd64/amd64/trap.c:519
end trace frame: 0xffff80003c3d90e0, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
*cpu0: uvm_fault(0xffffffff83a3b708, 0xffffffffffffffff, 0, 2) -> e
ddb{0}> trace
remrunqueue(ffff80003a3cd778) at remrunqueue+0x116 sys/kern/kern_sched.c:313
schedcpu(0) at schedcpu+0x306 sys/kern/sched_bsd.c:280
timeout_run(ffffffff8394c478,ffffffff838c4230) at timeout_run+0x159 sys/kern/kern_timeout.c:698
softclock_process_tick_timeout(ffffffff838c4230,0) at softclock_process_tick_timeout+0x232 sys/kern/kern_timeout.c:756
softclock(0) at softclock+0x152 sys/kern/kern_timeout.c:788
softintr_dispatch(0) at softintr_dispatch+0x13b sys/kern/kern_softintr.c:84
dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862
Xsoftclock() at Xsoftclock+0x27
cnputc(65) at cnputc+0x67 sys/dev/cons.c:218
db_putchar(65) at db_putchar+0x36d sys/ddb/db_output.c:155
kprintf() at kprintf+0x223 sys/kern/subr_prf.c:723
db_printf(ffffffff834159ef) at db_printf+0x9b sys/kern/subr_prf.c:-1
db_ktrap(6,0,ffff80003c3d9060) at db_ktrap+0x1c7 sys/arch/amd64/amd64/db_interface.c:129
kerntrap(ffff80003c3d9060) at kerntrap+0x243 sys/arch/amd64/amd64/trap.c:519
alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b
dovutimens(ffff80003a3cdca8,fffffd806c4261b8,ffff80003c3d9240) at dovutimens+0x368 sys/kern/vfs_syscalls.c:2771
sys_futimes(ffff80003a3cdca8,ffff80003c3d9390,ffff80003c3d92e0) at sys_futimes+0x208 sys/kern/vfs_syscalls.c:2813
syscall(ffff80003c3d9390) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c3d9390) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x79243f55310, count: -19
ddb{0}> show registers
rdi 0
rsi 0
rbp 0xffff80003c3d8b00
rbx 0
rdx 0xffff8000015c7d80
rcx 0
rax 0xc
r8 0xffff80003c3d8f60
r9 0x8080808080808080
r10 0x8cded1974f249ab3
r11 0x9e2d4336f8aec137
r12 0xffffffffffffffff
r13 0xffff8000299adff0
r14 0xffff80003a3cd778
r15 0xc
rip 0xffffffff815e2176 remrunqueue+0x116
cs 0x8
rflags 0x10206 __ALIGN_SIZE+0xf206
rsp 0xffff80003c3d8ac0
ss 0x10
remrunqueue+0x116: movq %rcx,0(%r12)
ddb{0}> show proc
PROC (syz-executor) tid=67015 pid=95820 tcnt=2 stat=onproc
flags process=0 proc=4000000<THREAD>
runpri=32, usrpri=55, slppri=32, nice=20
wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
forw=0xffffffffffffffff, list=0xffff80003a3cd778,0xffff80003a3cc7f8
process=0xffff80002a393038 user=0xffff80003c3d4000, vmspace=0xfffffd806c6df7b8
estcpu=5, cpticks=1, pctcpu=0.0, user=0, sys=0, intr=1
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
52406 155027 75761 0 2 0 syz-executor
95820 47055 54446 0 7 0 syz-executor
*95820 67015 54446 0 7 0x4000000 syz-executor
98261 143060 65781 0 2 0x100000 sh
65781 29312 12635 0 3 0x10008a sigsusp sh
88119 159784 12067 0 2 0x100002 sh
38077 345318 20530 0 2 0 syz-executor
5285 249720 8727 0 2 0x1000000 syz-executor
5285 187300 8727 0 3 0x5000080 fsleep syz-executor
51068 513319 34766 0 2 0 syz-executor
51068 57093 34766 0 3 0x4000080 fsleep syz-executor
51068 419429 34766 0 3 0x4000080 fsleep syz-executor
41374 518575 44177 0 2 0 syz-executor
41374 293026 44177 0 3 0x4000080 fsleep syz-executor
34766 131391 34527 0 3 0x82 nanoslp syz-executor
44177 96824 34527 0 3 0x82 nanoslp syz-executor
20530 317780 34527 0 3 0x82 nanoslp syz-executor
8727 194338 34527 0 3 0x82 nanoslp syz-executor
54446 295306 34527 0 3 0x82 nanoslp syz-executor
75761 323242 34527 0 3 0x82 nanoslp syz-executor
12067 450419 34527 0 3 0x82 wait syz-executor
12635 216212 34527 0 3 0x82 wait syz-executor
34527 446976 34398 0 3 0x82 kqread syz-executor
34398 408857 89932 0 3 0x10008a sigsusp ksh
89932 498334 18563 0 3 0x98 kqread sshd-session
18563 305144 64700 0 3 0x92 kqread sshd-session
95069 276641 1 0 3 0x100083 ttyin getty
64700 16788 1 0 3 0x88 kqread sshd
8124 165205 62566 74 3 0x1100092 bpf pflogd
62566 220351 1 0 3 0x80 sbwait pflogd
1521 478330 72901 73 3 0x1100090 kqread syslogd
72901 261184 1 0 3 0x100082 sbwait syslogd
76733 168807 1 0 3 0x100080 kqread resolvd
14456 292978 65215 77 3 0x100092 kqread dhcpleased
38621 255434 65215 77 3 0x100092 kqread dhcpleased
65215 432284 1 0 3 0x80 kqread dhcpleased
38629 80075 0 0 3 0x14200 pause smr
32083 316717 0 0 2 0x14200 zerothread
82999 478769 0 0 3 0x14200 aiodoned aiodoned
70954 386916 0 0 3 0x14200 syncer update
52110 114465 0 0 3 0x14200 cleaner cleaner
68982 240431 0 0 3 0x14200 reaper reaper
12246 144490 0 0 3 0x14200 pgdaemon pagedaemon
13655 218442 0 0 3 0x14200 bored viomb
9012 452451 0 0 3 0x40014200 acpi0 acpi0
90933 138463 0 0 3 0x40014200 idle1
43298 228738 0 0 3 0x14200 bored softnet1
76897 68974 0 0 3 0x14200 bored softnet0
2512 220083 0 0 3 0x14200 smrbar systqmp
44743 437366 0 0 3 0x14200 bored systq
83984 409690 0 0 3 0x14200 tmoslp softclockmp
49399 331795 0 0 3 0x40014200 tmoslp softclock
55364 367460 0 0 3 0x40014200 idle0
1 139305 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
Process 95820 (syz-executor) thread 0xffff80003a3cdca8 (67015)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff839cb0c0)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 syscall+0xaf4 mi_syscall sys/sys/syscall_mi.h:175 [inline]
#1 syscall+0xaf4 sys/arch/amd64/amd64/trap.c:783
#2 Xsyscall+0x128
Process 2512 (systqmp) thread 0xffff8000ffffe000 (220083)
shared rwlock systqmp r = 0 (0xffffffff838e67e8)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 taskq_thread+0x12a sys/kern/kern_task.c:442
#2 proc_trampoline+0x10
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 11059 12149K 12295K 166960K 12167 0
pcb 17 12K 12K 166960K 21 0
rtable 207 5K 6K 166960K 315 0
pf 34 17K 18K 166960K 45 0
ifaddr 39 6K 6K 166960K 41 0
ifgroup 55 2K 2K 166960K 55 0
sysctl 1 1K 9K 166960K 5 0
counters 70 37K 37K 166960K 70 0
ioctlops 0 0K 4K 166960K 1485 0
iov 0 0K 2K 166960K 1 0
mount 1 1K 1K 166960K 1 0
log 0 0K 0K 166960K 4 0
vnodes 1290 81K 81K 166960K 1368 0
UFS quota 1 32K 32K 166960K 1 0
UFS mount 5 36K 36K 166960K 5 0
shm 2 1K 1K 166960K 2 0
VM map 2 1K 1K 166960K 2 0
sem 2 0K 0K 166960K 2 0
dirhash 12 2K 2K 166960K 12 0
ACPI 1692 195K 286K 166960K 12470 0
file desc 19 69K 89K 166960K 137 0
proc 70 115K 164K 166960K 538 0
subproc 72 4K 4K 166960K 72 0
NFS srvsock 1 0K 0K 166960K 1 0
NFS daemon 1 16K 16K 166960K 1 0
ip_moptions 0 0K 0K 166960K 2 0
in_multi 79 5K 5K 166960K 79 0
ether_multi 1 0K 0K 166960K 1 0
mrt 0 0K 0K 166960K 2 0
ISOFS mount 1 32K 32K 166960K 1 0
MSDOSFS mount 1 16K 16K 166960K 1 0
ttys 43 201K 201K 166960K 43 0
exec 0 0K 1K 166960K 370 0
fusefs mount 1 32K 32K 166960K 1 0
tdb 3 0K 0K 166960K 3 0
VM swap 8 62K 64K 166960K 10 0
UVM amap 217 161K 167K 166960K 3111 0
UVM aobj 3 2K 2K 166960K 3 0
pinsyscall 44 88K 100K 166960K 1255 0
memdesc 1 4K 4K 166960K 1 0
crypto data 1 1K 1K 166960K 1 0
NDP 24 1K 1K 166960K 24 0
temp 36 9074K 9138K 166960K 4007 0
kqueue 14 22K 24K 166960K 25 0
SYN cache 2 16K 16K 166960K 2 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 26 0 0 1 0 1 1 0 8 0
rtpcb 120 30 0 27 1 0 1 1 0 8 0
rtentry 176 99 0 4 5 0 5 5 0 8 0
unpcb 144 39 0 20 1 0 1 1 0 8 0
syncache 336 3 0 3 1 0 1 1 0 8 1
tcpcb 736 13 0 9 1 0 1 1 0 8 0
arp 136 18 0 1 1 0 1 1 0 8 0
inpcb 328 72 0 65 2 0 2 2 0 8 1
nd6 152 18 0 0 1 0 1 1 0 8 0
kcovpl 48 8 0 0 1 0 1 1 0 8 0
pfosfp 40 1428 0 1005 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfstitem 24 16 0 0 1 0 1 1 0 8 0
pfstkey 128 16 0 0 1 0 1 1 0 8 0
pfstate 448 16 0 0 2 0 2 2 0 8 0
pfrule 1360 21 0 16 2 1 1 2 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 378 0 2 24 0 24 24 0 8 0
art_table 40 379 0 2 4 0 4 4 0 8 0
art_node 32 99 0 11 1 0 1 1 0 8 0
sysvmsgpl 40 1 0 1 1 0 1 1 0 8 1
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 1576 0 111 92 0 92 92 0 8 0
ffsino 296 1576 0 111 114 0 114 114 0 8 1
nchpl 144 1783 0 85 63 0 63 63 0 8 0
vnodes 216 1668 0 0 93 0 93 93 0 8 0
namei 1024 5349 0 5349 1 0 1 1 0 8 1
percpumem 16 50 0 0 1 0 1 1 0 8 0
kstatmem 264 27 0 0 2 0 2 2 0 8 0
scxspl 216 6231 0 6231 4 1 3 3 1 8 3
plimitpl 152 27 0 10 1 0 1 1 0 8 0
sigapl 424 449 0 400 7 0 7 7 0 8 1
knotepl 120 56 0 0 2 0 2 2 0 8 0
kqueuepl 224 22 0 12 1 0 1 1 0 8 0
pipepl 344 122 0 95 3 0 3 3 0 8 0
fdescpl 528 433 0 400 3 0 3 3 0 8 0
filepl 160 1552 0 1339 10 0 10 10 0 8 0
lockfpl 104 11 0 8 1 0 1 1 0 8 0
lockfspl 48 7 0 4 1 0 1 1 0 8 0
sessionpl 144 22 0 13 1 0 1 1 0 8 0
pgrppl 48 30 0 13 1 0 1 1 0 8 0
ucredpl 104 90 0 77 1 0 1 1 0 8 0
zombiepl 144 400 0 400 1 0 1 1 0 8 1
processpl 1232 449 0 400 5 0 5 5 0 8 1
procpl 664 464 0 410 5 0 5 5 0 8 0
sockpl 752 141 0 112 4 0 4 4 0 8 0
mcl8k 8192 3 0 0 1 0 1 1 0 8 0
mcl4k 4096 116 0 0 15 0 15 15 0 8 0
mcl2k 2048 14 0 0 2 0 2 2 0 8 0
mtagpl 96 4 0 0 1 0 1 1 0 8 0
mbufpl 256 116 0 0 8 0 8 8 0 8 0
bufpl 280 2342 0 105 160 0 160 160 0 8 0
anonpl 32 7676 0 0 62 0 62 62 0 246 0
amapchunkpl 152 8534 0 8098 19 0 19 19 0 158 1
amappl16 200 2221 0 1964 15 0 15 15 0 8 0
amappl15 192 18 0 18 1 0 1 1 0 8 1
amappl14 184 425 0 421 1 0 1 1 0 8 0
amappl13 176 154 0 142 1 0 1 1 0 8 0
amappl12 168 696 0 666 2 0 2 2 0 8 0
amappl11 160 4 0 3 1 0 1 1 0 8 0
amappl10 152 90 0 76 1 0 1 1 0 8 0
amappl9 144 271 0 270 1 0 1 1 0 8 0
amappl8 136 98 0 96 1 0 1 1 0 8 0
amappl7 128 139 0 126 1 0 1 1 0 8 0
amappl6 120 159 0 156 1 0 1 1 0 8 0
amappl5 112 95 0 85 1 0 1 1 0 8 0
amappl4 104 275 0 258 1 0 1 1 0 8 0
amappl3 96 1433 0 1331 3 0 3 3 0 8 0
amappl2 88 504 0 443 2 0 2 2 0 8 0
amappl1 80 9106 0 8489 14 0 14 14 0 8 0
amappl 88 2416 0 2272 4 0 4 4 0 92 0
uvmvnodes 80 100 0 0 3 0 3 3 0 8 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma2048 2048 1 0 1 1 0 1 1 0 8 1
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 2 0 0 1 0 1 1 0 8 0
uaddrrnd 24 433 0 400 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 433 0 400 1 0 1 1 0 8 0
vmmpekpl 168 5234 0 5203 2 0 2 2 0 8 0
vmmpepl 168 36119 0 33995 96 0 96 96 0 357 2
vmsppl 488 432 0 400 5 0 5 5 0 8 0
rwobjpl 80 13800 0 12539 28 0 28 28 0 8 0
pdppl 4096 873 0 800 95 12 83 83 0 8 10
pvpl 32 14821 0 0 120 0 120 120 0 265 0
pmappl 256 432 0 400 3 0 3 3 0 8 0
extentpl 40 45 0 27 1 0 1 1 0 8 0
phpool 112 255 0 15 7 0 7 7 0 8 0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
remrunqueue(ffff80003a3cd778) at remrunqueue+0x116 sys/kern/kern_sched.c:313
schedcpu(0) at schedcpu+0x306 sys/kern/sched_bsd.c:280
timeout_run(ffffffff8394c478,ffffffff838c4230) at timeout_run+0x159 sys/kern/kern_timeout.c:698
softclock_process_tick_timeout(ffffffff838c4230,0) at softclock_process_tick_timeout+0x232 sys/kern/kern_timeout.c:756
softclock(0) at softclock+0x152 sys/kern/kern_timeout.c:788
softintr_dispatch(0) at softintr_dispatch+0x13b sys/kern/kern_softintr.c:84
dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862
Xsoftclock() at Xsoftclock+0x27
cnputc(65) at cnputc+0x67 sys/dev/cons.c:218
db_putchar(65) at db_putchar+0x36d sys/ddb/db_output.c:155
kprintf() at kprintf+0x223 sys/kern/subr_prf.c:723
db_printf(ffffffff834159ef) at db_printf+0x9b sys/kern/subr_prf.c:-1
db_ktrap(6,0,ffff80003c3d9060) at db_ktrap+0x1c7 sys/arch/amd64/amd64/db_interface.c:129
kerntrap(ffff80003c3d9060) at kerntrap+0x243 sys/arch/amd64/amd64/trap.c:519
alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b
dovutimens(ffff80003a3cdca8,fffffd806c4261b8,ffff80003c3d9240) at dovutimens+0x368 sys/kern/vfs_syscalls.c:2771
sys_futimes(ffff80003a3cdca8,ffff80003c3d9390,ffff80003c3d92e0) at sys_futimes+0x208 sys/kern/vfs_syscalls.c:2813
syscall(ffff80003c3d9390) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c3d9390) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x79243f55310, count: -19
ddb{0}> machine ddbcpu 1
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup