syzbot


protection_fault: witness_checkorder (5)

Status: upstream: reported on 2025/02/06 12:35
Reported-by: syzbot+a61fbe87bc805c481c49@syzkaller.appspotmail.com
First crash: 289d, last: 2d23h
Similar bugs (4)
Kernel Title Rank Repro Cause bisect Fix bisect Count Last Reported Patched Status
openbsd protection_fault: witness_checkorder (2) -1 C 311 746d 861d 0/3 auto-obsoleted due to no activity on 2023/12/28 01:55
openbsd protection_fault: witness_checkorder -1 1 1181d 1181d 0/3 auto-obsoleted due to no activity on 2022/11/27 19:38
openbsd protection_fault: witness_checkorder (4) -1 1 439d 439d 0/3 auto-obsoleted due to no activity on 2024/12/08 12:11
openbsd protection_fault: witness_checkorder (3) -1 1 628d 628d 0/3 auto-obsoleted due to no activity on 2024/06/02 14:39

Sample crash report:
kernel: protection fault trap, code=0
Stopped at      witness_checkorder+0xb5:        movl    0x20(%r14),%r15d
ddb{1}> 
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
the kernel did not panic
ddb{1}> trace
witness_checkorder(dead4110dead4228,9,0) at witness_checkorder+0xb5 sys/kern/subr_witness.c:779
mtx_enter(dead4110dead4218) at mtx_enter+0x4a sys/kern/kern_lock.c:260
prsignal(dead4110dead4110,14) at prsignal+0x36 sys/kern/kern_sig.c:904
reaper(ffff8000ffffd9f8) at reaper+0x2cc sys/kern/kern_exit.c:516
end trace frame: 0x0, count: -4
ddb{1}> show registers
rdi                                0
rsi                                0
rbp               0xffff80002a2448c0
rbx                                0
rdx                                0
rcx               0xffff8000ffffd9f8
rax               0xffff8000299edffe
r8                0xffffffffffffffff
r9                               0x1
r10               0x1941c026f0f4bb17
r11                0xe4c2a45bb829118
r12               0xdead4110dead41fe
r13                              0x9
r14               0xdead4110dead4228
r15                                0
rip               0xffffffff823a77d5    witness_checkorder+0xb5
cs                               0x8
rflags                       0x10246    __ALIGN_SIZE+0xf246
rsp               0xffff80002a244820
ss                              0x10
witness_checkorder+0xb5:        movl    0x20(%r14),%r15d
ddb{1}> show proc
PROC (reaper) tid=298387 pid=39273 tcnt=1 stat=onproc
    flags process=14000<NOZOMBIE,SYSTEM> proc=200<SYSTEM>
    runpri=32, usrpri=50, slppri=32, nice=20
    wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
    forw=0xffffffffffffffff, list=0xffff8000fffff9f0,0xffff8000ffffd240
    process=0xffff8000ffffb020 user=0xffff80002a23f000, vmspace=0xffffffff83980cd0
    estcpu=0, cpticks=16, pctcpu=0.0, user=0, sys=0, intr=0
ddb{1}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 86617  289470  44808  32767  2        0x10                syz-executor
 86617  242959  44808  32767  3   0x4000090  kqread        syz-executor
 86617  148419  44808  32767  3   0x4000090  kqread        syz-executor
 80114  353458   7224  32767  2        0x10                syz-executor
 80114  402802   7224  32767  3   0x4000090  fsleep        syz-executor
 80114   12543   7224  32767  3   0x4000090  fsleep        syz-executor
  9350  379831  15244  32767  3        0x90  piperd        syz-executor
 79072  153068  97589  32767  7        0x10                syz-executor
 33422   79237   9774  32767  3        0x90  piperd        syz-executor
  6392   44508  29662  32767  3        0x90  piperd        syz-executor
 44808  407230  62439  32767  3        0x90  nanoslp       syz-executor
  7224  260648  17027  32767  3        0x90  nanoslp       syz-executor
 66679  419242  78089  32767  3        0x90  piperd        syz-executor
 15244  365947  34906      0  3        0x82  wait          syz-executor
 97589  293330  34906      0  3        0x82  wait          syz-executor
 29662  470073  34906      0  3        0x82  wait          syz-executor
  9774   91764  34906      0  3        0x82  wait          syz-executor
 62439  171282  34906      0  3        0x82  wait          syz-executor
 17027  136362  34906      0  3        0x82  wait          syz-executor
 78089   68938  34906      0  3        0x82  wait          syz-executor
 34906   50352  45628      0  3        0x82  nanoslp       syz-executor
 45628  502408  64499      0  3    0x10008a  sigsusp       ksh
 64499   18921   9933      0  3        0x98  kqread        sshd-session
  9933  418625   3672      0  3        0x92  kqread        sshd-session
 53608  172403      1      0  3    0x100083  ttyin         getty
  3672  196617      1      0  3        0x88  kqread        sshd
 22084  279719  83754     73  3   0x1100090  kqread        syslogd
 83754  505260      1      0  3    0x100082  sbwait        syslogd
 55437  128346      1      0  3    0x100080  kqread        resolvd
 46961  422927  73027     77  3    0x100092  kqread        dhcpleased
 22695  372297  73027     77  3    0x100092  kqread        dhcpleased
 73027   66152      1      0  3        0x80  kqread        dhcpleased
 24782   50631      0      0  3     0x14200  bored         smr
 21355  309878      0      0  2     0x14200                zerothread
   421  497604      0      0  3     0x14200  aiodoned      aiodoned
 17559  255010      0      0  3     0x14200  syncer        update
 19014  287383      0      0  3     0x14200  cleaner       cleaner
*39273  298387      0      0  7     0x14200                reaper
 50249  329704      0      0  3     0x14200  pgdaemon      pagedaemon
 34855   99995      0      0  3     0x14200  bored         viomb
 17662  499973      0      0  3  0x40014200  acpi0         acpi0
 87733  228728      0      0  3  0x40014200                idle1
 90115   23190      0      0  3     0x14200  bored         softnet1
 77791   82950      0      0  3     0x14200  bored         softnet0
 28982  401151      0      0  3     0x14200  bored         systqmp
  6407   20438      0      0  3     0x14200  bored         systq
 88787   30749      0      0  3     0x14200  tmoslp        softclockmp
 41312  133030      0      0  3  0x40014200  tmoslp        softclock
 53499  374371      0      0  3  0x40014200                idle0
     1  447592      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{1}> show all locks
Process 39273 (reaper) thread 0xffff8000ffffd9f8 (298387)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff8398ad48)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  __mp_acquire_count+0x58 sys/kern/kern_lock.c:-1
#2  sleep_finish+0x2d8 sys/kern/kern_synch.c:367
#3  rw_do_enter_write+0x1dc sys/kern/kern_rwlock.c:298
#4  knote_processexit+0x2b sys/kern/kern_event.c:2217
#5  reaper+0x24d sys/kern/kern_exit.c:513
#6  proc_trampoline+0x10
ddb{1}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 10211  10958K   10973K 166960K     11306        0
            pcb    17     12K      12K 166960K        17        0
         rtable   223      6K       7K 166960K       398        0
             pf    29     16K      16K 166960K        31        0
         ifaddr    38      6K       7K 166960K        44        0
        ifgroup    46      2K       2K 166960K        50        0
         sysctl     4      1K       9K 166960K         9        0
       counters    66     36K      36K 166960K        68        0
       ioctlops     0      0K       2K 166960K        48        0
            iov     0      0K      16K 166960K        81        0
          mount     1      1K       1K 166960K         1        0
            log     0      0K       0K 166960K         4        0
         vnodes  1336     84K      84K 166960K      1661        0
      UFS quota     1     32K      32K 166960K         1        0
      UFS mount     5     36K      36K 166960K         5        0
            shm     2      1K       9K 166960K        13        0
         VM map     2      1K       1K 166960K         2        0
            sem    12      0K       0K 166960K        59        0
        dirhash    12      2K       3K 166960K        39        0
           ACPI  1692    195K     286K 166960K     12470        0
      file desc    18     65K     125K 166960K       821        0
          sigio     0      0K       0K 166960K        82        0
           proc    58     99K     147K 166960K       570        0
        subproc    63      3K       4K 166960K       234        0
    NFS srvsock     1      0K       0K 166960K         1        0
     NFS daemon     1     16K      16K 166960K         1        0
    ip_moptions     0      0K       0K 166960K       159        0
       in_multi    88      6K       7K 166960K       140        0
    ether_multi     1      0K       0K 166960K         7        0
            mrt     2      0K       0K 166960K         2        0
    ISOFS mount     1     32K      32K 166960K         1        0
  MSDOSFS mount     1     16K      16K 166960K         1        0
           ttys   217    970K     970K 166960K       217        0
           exec     0      0K       1K 166960K       442        0
   fusefs mount     1     32K      32K 166960K         1        0
            tdb     3      0K       0K 166960K         3        0
        VM swap     8     62K      64K 166960K        10        0
       UVM amap   211    135K     179K 166960K      9016        0
       UVM aobj    23      4K       5K 166960K        25        0
     pinsyscall    39     78K     113K 166960K      1899        0
        memdesc     1      4K       4K 166960K         1        0
    crypto data     1      1K       1K 166960K         1        0
    ip6_options     0      0K       0K 166960K        39        0
            NDP    10      0K       2K 166960K        27        0
           temp    54   8668K    8732K 166960K      9522        0
         kqueue    15     22K      35K 166960K       187        0
      SYN cache     2     16K      16K 166960K         2        0
ddb{1}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache    128       26    0        0     1     0     1     1     0     8    0
rtpcb      120      213    0      210     3     2     1     3     0     8    0
rtentry    176      118    0       15     6     0     6     6     0     8    0
unpcb      144      719    0      704     7     5     2     6     0     8    1
syncache   336       14    0       14     2     1     1     1     0     8    1
tcpqe       32        4    0        4     1     1     0     1     0     8    0
tcpcb      736      392    0      384     7     5     2     7     0     8    0
arp        136       18    0        2     1     0     1     1     0     8    0
ipq         40        5    0        0     1     0     1     1     0     8    0
ipqe        40        6    0        0     1     0     1     1     0     8    0
inpcb      328      921    0      910    17    10     7    13     0     8    5
ip6q        72        3    0        0     1     0     1     1     0     8    0
ip6af       40        4    0        0     1     0     1     1     0     8    0
nd6        152       31    0        6     2     0     2     2     0     8    0
kcovpl      48       26    0       19     1     0     1     1     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      491    0       70    30     1    29    30     0     8    0
art_table   40      492    0       70     5     0     5     5     0     8    0
art_node    32      118    0       24     1     0     1     1     0     8    0
sysvmsgpl   40       11    0        7     1     0     1     1     0     8    0
semupl     112        3    0        3     1     1     0     1     0     8    0
semapl     112       55    0       45     1     0     1     1     0     8    0
shmpl      112       22    0        2     1     0     1     1     0     8    0
dirhash    1024      35    0       18     3     0     3     3     0     8    0
dino2pl    256     2600    0     1068    97     0    97    97     0     8    0
ffsino     296     2600    0     1068   119     0   119   119     0     8    0
nchpl      144     3680    0     1977    64     0    64    64     0     8    0
vnodes     216     2843    0        0   158     0   158   158     0     8    0
namei      1024   12914    0    12914     2     1     1     2     0     8    1
percpumem   16       49    0        1     1     0     1     1     0     8    0
kstatmem   264       24    0        2     2     0     2     2     0     8    0
scxspl     216    11830    0    11830    11     9     2     8     1     8    2
plimitpl   152      310    0      288     2     1     1     2     0     8    0
sigapl     424     1073    0     1027     7     0     7     7     0     8    0
knotepl    120      540    0        0    17     0    17    17     0     8    0
kqueuepl   224      352    0      342     5     4     1     5     0     8    0
pipepl     344      238    0      211     3     0     3     3     0     8    0
fdescpl    528     1057    0     1027     4     1     3     4     0     8    0
filepl     160     6854    0     6660    16     4    12    16     0     8    3
lockfpl    104      161    0      159     1     0     1     1     0     8    0
lockfspl    48       53    0       51     1     0     1     1     0     8    0
sessionpl  144       47    0       32     1     0     1     1     0     8    0
pgrppl      48      151    0      129     1     0     1     1     0     8    0
ucredpl    104     1362    0     1344     1     0     1     1     0     8    0
zombiepl   144     1027    0     1027     1     0     1     1     0     8    1
processpl  1232    1073    0     1027     5     0     5     5     0     8    0
procpl     664     2076    0     2026     7     1     6     7     0     8    0
sosppl     176        7    0        7     2     2     0     1     0     8    0
sockpl     752     1867    0     1838    25    14    11    17     0     8    6
mcl64k     65536      6    0        0     1     0     1     1     0     8    0
mcl16k     16384      3    0        0     1     0     1     1     0     8    0
mcl8k      8192       2    0        0     1     0     1     1     0     8    0
mcl4k      4096     111    0        0    14     0    14    14     0     8    0
mcl2k2     2112       2    0        0     1     0     1     1     0     8    0
mcl2k      2048      22    0        0     3     0     3     3     0     8    0
mtagpl      96        3    0        0     1     0     1     1     0     8    0
mbufpl     256      638    0        0    40     0    40    40     0     8    0
bufpl      280     3510    0      115   243     0   243   243     0     8    0
anonpl      32     7206    0        0    59     0    59    59     0   246    0
amapchunkpl 152   30254    0    29779    37     9    28    34     0   158    3
amappl16   200     2777    0     2709     6     0     6     6     0     8    0
amappl15   192       11    0       11     1     1     0     1     0     8    0
amappl14   184        5    0        5     1     1     0     1     0     8    0
amappl13   176      399    0      398     1     0     1     1     0     8    0
amappl12   168     1407    0     1368     3     0     3     3     0     8    0
amappl11   160       14    0       14     1     1     0     1     0     8    0
amappl10   152       78    0       68     1     0     1     1     0     8    0
amappl9    144      250    0      250     1     1     0     1     0     8    0
amappl8    136       53    0       51     1     0     1     1     0     8    0
amappl7    128       77    0       75     1     0     1     1     0     8    0
amappl6    120      270    0      259     1     0     1     1     0     8    0
amappl5    112       83    0       75     1     0     1     1     0     8    0
amappl4    104      403    0      379     1     0     1     1     0     8    0
amappl3     96     4767    0     4690     4     0     4     4     0     8    0
amappl2     88     1231    0     1159     3     1     2     3     0     8    0
amappl1     80    13444    0    12901    16     2    14    16     0     8    0
amappl      88     8153    0     8008     6     1     5     6     0    92    0
uvmvnodes   80      126    0        0     3     0     3     3     0     8    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma1024    1024       1    0        0     1     0     1     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      72       24    0        2     1     0     1     1     0     8    0
uaddrrnd    24     1057    0     1027     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24     1057    0     1027     1     0     1     1     0     8    0
vmmpekpl   168    10951    0    10908     3     0     3     3     0     8    0
vmmpepl    168    75451    0    73674   103     5    98   103     0   357    0
vmsppl     488     1056    0     1027     7     2     5     6     0     8    0
rwobjpl     80    22299    0    21307    26     2    24    25     0     8    0
pdppl      4096    2122    0     2054   120    38    82    98     0     8   14
pvpl        32    15806    0        0   128     0   128   128     0   265    0
pmappl     256     1056    0     1027     4     1     3     3     0     8    0
extentpl    40       45    0       27     1     0     1     1     0     8    0
phpool     112      329    0       49     9     0     9     9     0     8    0
ddb{1}> machine ddbcpu 0
Stopped at      x86_ipi_db+0x27:        addq    $0x8,%rsp
ddb{0}> trace
x86_ipi_db(ffffffff837cdff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff8398ab40) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:134 [inline]
__mp_lock(ffffffff8398ab40) at __mp_lock+0x192 sys/kern/kern_lock.c:165
doopenat(ffff8000313ec020,ffffff9c,6fd567a557c0,30000,0,ffff80003a019f90) at doopenat+0x345 sys/kern/vfs_syscalls.c:1138
syscall(ffff80003a01a040) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003a01a040) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:765
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x6fd567a552c0, count: -7
ddb{0}> machine ddbcpu 1
Stopped at      witness_checkorder+0xb5:        movl    0x20(%r14),%r15d
ddb{1}> trace
witness_checkorder(dead4110dead4228,9,0) at witness_checkorder+0xb5 sys/kern/subr_witness.c:779
mtx_enter(dead4110dead4218) at mtx_enter+0x4a sys/kern/kern_lock.c:260
prsignal(dead4110dead4110,14) at prsignal+0x36 sys/kern/kern_sig.c:904
reaper(ffff8000ffffd9f8) at reaper+0x2cc sys/kern/kern_exit.c:516
end trace frame: 0x0, count: -4

Crashes (12):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/11/20 04:55 openbsd 9c1a3717ded9 26ee5237 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid protection_fault: witness_checkorder
2025/11/10 19:53 openbsd d046e1d8fd3f 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid protection_fault: witness_checkorder
2025/11/07 12:00 openbsd e6704d8803de 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid protection_fault: witness_checkorder
2025/11/05 13:07 openbsd 69af9e93ff65 a6c9c731 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid protection_fault: witness_checkorder
2025/11/02 14:16 openbsd 6e779084bd79 2c50b6a9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid protection_fault: witness_checkorder
2025/08/14 02:11 openbsd f6ad99933bf1 22ec1469 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid protection_fault: witness_checkorder
2025/08/01 13:31 openbsd 8693ef6a6ffe 3cda49cf .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid protection_fault: witness_checkorder
2025/05/22 04:12 openbsd c902741cb17b 0919b50b .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid protection_fault: witness_checkorder
2025/03/03 02:30 openbsd 2ca76a892c5e c3901742 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid protection_fault: witness_checkorder
2025/02/11 06:35 openbsd c7df606a226b 43f51a00 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore protection_fault: witness_checkorder
2025/02/07 14:11 openbsd 307723971475 a4f327c2 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore protection_fault: witness_checkorder
2025/02/06 12:35 openbsd 4a7e1005694f 1e1faf27 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid protection_fault: witness_checkorder
* Struck through repros no longer work on HEAD.