

uvm_fault: arp_rtrequest (3)

Status: upstream: reported on 2025/02/05 13:53
Reported-by: syzbot+4d8933b9545402ed0c6b@syzkaller.appspotmail.com
First crash: 441d ago, last: 7h16m ago
Similar bugs (2)
Kernel Title Rank Repro Cause bisect Fix bisect Count Last Reported Patched Status
openbsd uvm_fault: arp_rtrequest (2) -1 18 563d 736d 0/3 auto-obsoleted due to no activity on 2025/01/04 11:42
openbsd uvm_fault: arp_rtrequest -1 C 79 2515d 2525d 3/3 fixed on 2019/06/14 04:59

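Sample crash report (kernel page fault in arp_rtrequest, reached through sys_sendto on a routing socket by syz-executor running as UID 0; the fault address equals rcx + rbx + 0xc from the register dump below):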
uvm_fault(0xffffffff839916c8, 0xffff8000015ff04a, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at      arp_rtrequest+0x6a4:    movzwl  0xc(%rcx,%rbx,1),%ecx
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
* 85066  42425      0           0  0x4000000    0  syz-executor
arp_rtrequest(ffff8000002a2058,1,fffffd80780ffa30) at arp_rtrequest+0x6a4 arprequest sys/netinet/if_ether.c:325 [inline]
arp_rtrequest(ffff8000002a2058,1,fffffd80780ffa30) at arp_rtrequest+0x6a4 sys/netinet/if_ether.c:226
rtrequest(1,ffff80002a79f470,0,ffff80002a79f3e0,16) at rtrequest+0xdc1 sys/net/route.c:1114
rtm_output(ffff8000015fd600,ffff80002a79f518,ffff80002a79f470,0,16) at rtm_output+0x91a sys/net/rtsock.c:956
route_output(fffffd806ce09300,ffff800010fdfc10) at route_output+0xa6a sys/net/rtsock.c:862
route_send(ffff800010fdfc10,fffffd806ce09300,0,0) at route_send+0xd7 sys/net/rtsock.c:322
sosend(ffff800010fdfc10,0,ffff80002a79f6c8,0,0,808) at sosend+0x804 sys/kern/uipc_socket.c:-1
sendit(ffff80003c8f9ca8,3,ffff80002a79f7c0,808,ffff80002a79f860) at sendit+0x5a5 sys/kern/uipc_syscalls.c:785
sys_sendto(ffff80003c8f9ca8,ffff80002a79f910,ffff80002a79f860) at sys_sendto+0x8d sys/kern/uipc_syscalls.c:563
syscall(ffff80002a79f910) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline]
syscall(ffff80002a79f910) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x9012551dd30, count: 5
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb> 
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
*cpu0: uvm_fault(0xffffffff839916c8, 0xffff8000015ff04a, 0, 1) -> e
ddb> trace
arp_rtrequest(ffff8000002a2058,1,fffffd80780ffa30) at arp_rtrequest+0x6a4 arprequest sys/netinet/if_ether.c:325 [inline]
arp_rtrequest(ffff8000002a2058,1,fffffd80780ffa30) at arp_rtrequest+0x6a4 sys/netinet/if_ether.c:226
rtrequest(1,ffff80002a79f470,0,ffff80002a79f3e0,16) at rtrequest+0xdc1 sys/net/route.c:1114
rtm_output(ffff8000015fd600,ffff80002a79f518,ffff80002a79f470,0,16) at rtm_output+0x91a sys/net/rtsock.c:956
route_output(fffffd806ce09300,ffff800010fdfc10) at route_output+0xa6a sys/net/rtsock.c:862
route_send(ffff800010fdfc10,fffffd806ce09300,0,0) at route_send+0xd7 sys/net/rtsock.c:322
sosend(ffff800010fdfc10,0,ffff80002a79f6c8,0,0,808) at sosend+0x804 sys/kern/uipc_socket.c:-1
sendit(ffff80003c8f9ca8,3,ffff80002a79f7c0,808,ffff80002a79f860) at sendit+0x5a5 sys/kern/uipc_syscalls.c:785
sys_sendto(ffff80003c8f9ca8,ffff80002a79f910,ffff80002a79f860) at sys_sendto+0x8d sys/kern/uipc_syscalls.c:563
syscall(ffff80002a79f910) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline]
syscall(ffff80002a79f910) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x9012551dd30, count: -10
ddb> show registers
rdi               0xffff8000380e6000
rsi                            0x95b
rbp               0xffff80002a79f2c0
rbx                             0xde
rdx               0xffff8000380e6000
rcx               0xffff8000015fef60
rax               0xfffffd806e95e0e0
r8                            0x1000    __ALIGN_SIZE
r9                                 0
r10               0x1b190dd2e379e7e7
r11                0xe3c201e9ab68b2c
r12                             0x1a
r13               0xfffffd806e95e000
r14               0xfffffd80780ffa30
r15               0xffff8000002a2058
rip               0xffffffff8256f014    arp_rtrequest+0x6a4
cs                               0x8
rflags                       0x10246    __ALIGN_SIZE+0xf246
rsp               0xffff80002a79f240
ss                              0x10
arp_rtrequest+0x6a4:    movzwl  0xc(%rcx,%rbx,1),%ecx
ddb> show proc
PROC (syz-executor) tid=85066 pid=42425 tcnt=2 stat=onproc
    flags process=0 proc=4000000<THREAD>
    runpri=32, usrpri=50, slppri=32, nice=20
    wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
    forw=0xffffffffffffffff, list=0xffff80003c8f8a80,0xffffffff8395bae0
    process=0xffff8000ffffb198 user=0xffff80002a79a000, vmspace=0xfffffd800e08eb98
    estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 99329  177965  55258      0  2           0                syz-executor
 42425  362624  66125      0  2           0                syz-executor
*42425   85066  66125      0  7   0x4000000                syz-executor
 40857  488670  35106      0  2           0                syz-executor
 40857  357238  35106      0  3   0x4000080  fsleep        syz-executor
 51758  351523  58683      0  2           0                syz-executor
 51758  242779  58683      0  3   0x4000080  fsleep        syz-executor
 89343  135223  46433      0  2           0                syz-executor
 89343  500323  46433      0  3   0x4000080  fsleep        syz-executor
 29380  105261  57965      0  3        0x80  nanoslp       syz-executor
 29380   79218  57965      0  3   0x4000080  bell          syz-executor
 87779  403898      1      0  3        0x82  nanoslp       getty
 57965  270448  25377      0  2       0xc82                syz-executor
 66125  257655  25377      0  2       0xc82                syz-executor
 55258  281995  25377      0  2       0xc82                syz-executor
 97210  326571  25377      0  2         0x2                syz-executor
 35106  121171  25377      0  2       0xc82                syz-executor
 46433    7959  25377      0  2       0xc82                syz-executor
 58683  223111  25377      0  2       0xc82                syz-executor
 47022  365271  25377      0  2         0x2                syz-executor
 25377  191953  48600      0  3        0x82  kqread        syz-executor
 48600  315183      1      0  3    0x100082  nanoslp       ksh
 92875   73974      1      0  3  0x1000008a  kqread        sshd
 33587  508393   6591     73  3   0x1100090  kqread        syslogd
  6591  116402      1      0  3    0x100082  sbwait        syslogd
 89834  206740      1      0  3    0x100080  kqread        resolvd
 61553  255844  58385     77  3    0x100092  kqread        dhcpleased
 30211  252553  58385     77  3    0x100092  kqread        dhcpleased
 58385  123926      1      0  3        0x80  kqread        dhcpleased
 93474  521523      0      0  3     0x14200  bored         smr
 15747  374199      0      0  2     0x14200                zerothread
 84654  244573      0      0  3     0x14200  aiodoned      aiodoned
 88917  474786      0      0  3     0x14200  syncer        update
 79404    8007      0      0  3     0x14200  cleaner       cleaner
 12206  441183      0      0  3     0x14200  reaper        reaper
 19943  245575      0      0  3     0x14200  pgdaemon      pagedaemon
 24654  416583      0      0  3     0x14200  bored         viomb
  5634  298881      0      0  3  0x40014200  acpi0         acpi0
 57715  333137      0      0  3     0x14200  bored         softnet0
 69993   26413      0      0  3     0x14200  bored         systqmp
 55146  150367      0      0  3     0x14200  bored         systq
   913  510493      0      0  3  0x40014200  tmoslp        softclock
 83665  141011      0      0  3  0x40014200                idle0
     1  260712      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb> show all locks
No such command
ddb> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 11032  12104K   12119K 166960K     12143        0
            pcb    17     12K      12K 166960K        40        0
         rtable   258      8K       8K 166960K       405        0
             pf    30     12K      15K 166960K        34        0
         ifaddr    42      7K       7K 166960K        45        0
        ifgroup    50      2K       2K 166960K        54        0
         sysctl     1      1K       9K 166960K         6        0
       counters    33     17K      17K 166960K        34        0
       ioctlops     0      0K       4K 166960K        44        0
          mount     1      1K       1K 166960K         1        0
            log     0      0K       0K 166960K         4        0
         vnodes  1291     81K      81K 166960K      1404        0
      UFS quota     1     32K      32K 166960K         1        0
      UFS mount     5     36K      36K 166960K         5        0
            shm     2      1K       1K 166960K         2        0
         VM map     2      1K       1K 166960K         2        0
            sem     5      0K       0K 166960K         6        0
        dirhash    12      2K       2K 166960K        12        0
           ACPI  1692    195K     286K 166960K     12470        0
      file desc    16     57K      85K 166960K       447        0
           proc    59     59K      91K 166960K       513        0
        subproc    72      4K       4K 166960K        72        0
    NFS srvsock     1      0K       0K 166960K         1        0
     NFS daemon     1     16K      16K 166960K         1        0
       in_multi    99      7K       7K 166960K        99        0
    ether_multi     1      0K       0K 166960K         1        0
            mrt     0      0K       0K 166960K         5        0
    ISOFS mount     1     32K      32K 166960K         1        0
  MSDOSFS mount     1     16K      16K 166960K         1        0
           ttys    31    148K     148K 166960K        31        0
           exec     0      0K       1K 166960K       367        0
   fusefs mount     1     32K      32K 166960K         1        0
            tdb     3      0K       0K 166960K         3        0
        VM swap     8     62K      64K 166960K        10        0
       UVM amap   185    141K     163K 166960K      5355        0
       UVM aobj     4      2K       2K 166960K         4        0
     pinsyscall    33     66K      90K 166960K      1548        0
        memdesc     1      4K       4K 166960K         1        0
    crypto data     1      1K       1K 166960K         1        0
    ip6_options     0      0K       0K 166960K         2        0
            NDP    11      0K       2K 166960K        28        0
           temp    38   9070K    9134K 166960K      5038        0
         kqueue    11     16K      22K 166960K        26        0
      SYN cache     2     16K      16K 166960K         2        0
ddb> 

Crashes (393 total; a subset is listed below):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2026/04/22 11:18 openbsd 3802f0c790f9 4595e353 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/04/16 17:37 openbsd 203548908adb 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/04/16 01:58 openbsd 8928aa246822 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/04/11 22:35 openbsd de62a587e27d 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/04/10 09:07 openbsd 7bdd0d20c161 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/04/09 09:46 openbsd b0cdb9e75fee 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/04/06 16:23 openbsd 8a4a3a78bbe7 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/04/06 13:46 openbsd 8a4a3a78bbe7 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/04/04 22:54 openbsd c9c58e023502 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/04/04 00:04 openbsd a0d451d3ebb4 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/04/03 20:00 openbsd a0d451d3ebb4 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/04/02 12:56 openbsd 8eafb9a57fa3 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/04/01 17:00 openbsd ffc378411de4 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/03/31 19:25 openbsd 077f28b4c6a4 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/03/31 03:14 openbsd 0a71aa187b1b 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/03/30 17:02 openbsd d3e6ebe0e992 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/03/29 16:09 openbsd 8c0bc7d7b019 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/03/29 07:38 openbsd 8c0bc7d7b019 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/03/24 11:02 openbsd 2084961b940b baf8bf12 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/03/21 21:43 openbsd 8aa14d77a9ab 5b92003d .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/03/20 08:39 openbsd f53d362946f9 2f245add .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/03/18 12:14 openbsd 561bf2d2294a 0199f9a1 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/03/16 13:32 openbsd 15ef65f2835f 64e21424 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/03/16 06:21 openbsd fd49698d88e5 351cb5cf .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/03/13 22:28 openbsd fd49698d88e5 351cb5cf .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/03/12 16:29 openbsd fd49698d88e5 4efadf07 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/03/12 10:33 openbsd fd49698d88e5 4efadf07 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/03/11 23:17 openbsd 73e77b6607d4 2d88ab01 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/02/12 01:13 openbsd fad87c8e2325 018ebef2 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/02/10 18:26 openbsd 21ab72ae2d9b 018ebef2 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/02/08 18:37 openbsd 3c0af00218ea 018ebef2 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/02/04 07:26 openbsd 75991a0e19ad 018ebef2 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/02/03 18:37 openbsd 72466e384590 018ebef2 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/02/03 09:37 openbsd 2933a3218787 018ebef2 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/01/31 03:50 openbsd ffeb3c477d3b c75a2f6e .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/01/29 14:03 openbsd efad3755d7df aeb6fdd5 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/01/29 12:42 openbsd efad3755d7df aeb6fdd5 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/01/29 09:50 openbsd 132d3f17556a b78a7341 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/01/28 08:18 openbsd 2cb4d48e2c81 3029c699 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/01/23 12:36 openbsd 2db1efefed82 7556b6ec .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/01/22 18:29 openbsd 9e4d3748fbc0 56f88057 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/01/20 12:42 openbsd 4dbb760ec6c4 56f88057 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/01/19 08:27 openbsd 085960a72a94 56f88057 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2026/01/19 02:49 openbsd 085960a72a94 56f88057 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: arp_rtrequest
2025/07/09 05:20 openbsd bc55f572b2c5 f4e5e155 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore uvm_fault: arp_rtrequest
2025/02/05 13:52 openbsd 9d84dc8a699e 5896748e .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore uvm_fault: arp_rtrequest
* Struck through repros no longer work on HEAD.