syzbot


witness: reversal: sbufrcv inode (4)

Status: upstream: reported on 2026/06/30 11:48
Reported-by: syzbot+21683eaa3d0ab21fe622@syzkaller.appspotmail.com
First crash: 3d16h, last: 3d16h
Similar bugs (3)
| Kernel | Title | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| openbsd | witness: reversal: sbufrcv inode | -1 | | | | 2 | 694d | 695d | 0/4 | auto-obsoleted due to no activity on 2024/11/06 12:44 |
| openbsd | witness: reversal: sbufrcv inode (2) | -1 | | | | 13 | 271d | 509d | 0/4 | auto-obsoleted due to no activity on 2026/01/04 00:01 |
| openbsd | witness: reversal: sbufrcv inode (3) | -1 | | | | 13 | 145d | 163d | 0/4 | auto-obsoleted due to no activity on 2026/03/30 20:30 |

Sample crash report:
pf: key search, in on vio0: witness: TCPlock order reversal:
 wire: (0)  1st 0xffff8000015aafb0 sbufrcv (&so->so_rcv.sb_lock)
10.128.15.235 2nd 0xfffff6006a229d80 inode (&ip->i_lock)
:30002lock order [1] sbufrcv (&so->so_rcv.sb_lock) -> [2] inode (&ip->i_lock)
 lock order data 0xffffffff8343de93 -> 0xffffffff834927a5 is missing
10.128.0.91lock order [2] inode (&ip->i_lock) -> [1] sbufrcv (&so->so_rcv.sb_lock)
:21930#0  
pf: key search, in on vio0: TCP wire: (0) rw_do_enter_write10.128.15.235+0xba:30002
 #1  10.128.0.91:21930
pf: key search, in on vio0: sblockTCP+0xb6 wire: (0) 
10.128.15.235#2  :30002 10.128.0.91:21930
soreceivepf: key search, out on vio0: +0x27dTCP
 wire: (0) #3  10.128.15.235:30002 10.128.0.91fifo_read:21930+0x117

#4  VOP_READ+0x101 sys/kern/vfs_vops.c:227
#5  vn_rdwr+0x15b sys/kern/vfs_vnops.c:-1
#6  vndsetcred+0xa1 sys/dev/vnd.c:685
#7  vndioctl+0xdfc sys/dev/vnd.c:486
#8  VOP_IOCTL+0xac sys/kern/vfs_vops.c:264
#9  vn_ioctl+0xf8 sys/kern/vfs_vnops.c:537
#10 sys_ioctl+0x674 sys/kern/sys_generic.c:-1
#11 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#11 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783
#12 Xsyscall+0x128
Stopped at      db_enter+0x25:  addq    $0x8,%rsp
ddb{0}> 
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
the kernel did not panic
ddb{0}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
witness_checkorder(fffff6006a229d80,9,0) at witness_checkorder+0x10d1 sys/kern/subr_witness.c:-1
rw_do_enter_write(fffff6006a229d68,1) at rw_do_enter_write+0xba sys/kern/kern_rwlock.c:234
rrw_enter(fffff6006a229d68,1) at rrw_enter+0xc6 sys/kern/kern_rwlock.c:621
VOP_LOCK(fffff600609e56f0,2001) at VOP_LOCK+0xbd sys/kern/vfs_vops.c:527
vn_lock(fffff600609e56f0,2001) at vn_lock+0xa4 sys/kern/vfs_vnops.c:576
vfs_getcwd_common(fffff600609e56f0,fffff6005f88de90,0,0,200,0,d69ccbf3908f7554) at vfs_getcwd_common+0xd1 sys/kern/vfs_getcwd.c:287
vn_isunder(fffff600609e56f0,fffff6005f88de90,ffff800045fee548) at vn_isunder+0x56 sys/kern/vfs_vnops.c:700
unp_externalize(fffff6006d915400,33,0) at unp_externalize+0x26f sys/kern/uipc_usrreq.c:1090
soreceive(ffff8000015aaec0,ffff80003abc5428,ffff80003abc53d8,0,ffff80003abc5410,ffff80003abc559c,146c914bf6bbd154) at soreceive+0xc24 sys/kern/uipc_socket.c:1029
recvit(ffff800045fee548,1,ffff80003abc5570,0,ffff80003abc5620) at recvit+0x40b sys/kern/uipc_syscalls.c:1078
sys_recvmsg(ffff800045fee548,ffff80003abc56d0,ffff80003abc5620) at sys_recvmsg+0x1bf sys/kern/uipc_syscalls.c:878
syscall(ffff80003abc56d0) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003abc56d0) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x98be43c3fb0, count: -14
ddb{0}> show registers
rdi                                0
rsi                          0x80000    acpi_pdirpa+0x6be71
rbp               0xffff80003abc4eb0
rbx                                0
rdx               0xffff8000015fc4c0
rcx               0xffff800045fee548
rax                          0x7ffff    acpi_pdirpa+0x6be70
r8                0xffff80003abc4d90
r9                0x8080808080808080
r10               0x3c445f6aaa732515
r11                0x503e456304b34b2
r12               0xfffff600040be880
r13               0xfffff600048a69b0
r14                              0x3
r15               0xffffffff83521880    substchar+0x3a69
rip               0xffffffff81740505    db_enter+0x25
cs                               0x8
rflags                         0x246
rsp               0xffff80003abc4ea0
ss                              0x10
db_enter+0x25:  addq    $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor) tid=269706 pid=14682 tcnt=2 stat=onproc
    flags process=1000000<CHROOT> proc=4000000<THREAD>
    runpri=32, usrpri=50, slppri=32, nice=20
    wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
    forw=0xffffffffffffffff, list=0xffff800045fef240,0xffff800045feefb8
    process=0xffff80003638d368 user=0xffff80003abc0000, vmspace=0xfffff6006cd535d0
    estcpu=36, cpticks=0, pctcpu=0.0, user=0, sys=0, intr=0
ddb{0}> 

Crashes (1):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2026/06/30 11:47 | openbsd | 08f6b236ad6b | e5173a01 | .config | console log | report | | | | [disk image] [bsd.gdb] [kernel image] | ci-openbsd-multicore | witness: reversal: sbufrcv inode |
* Struck through repros no longer work on HEAD.