uvm_fault: ufs_direnter (6)

uvm_fault: ufs_direnter (6)

Status: upstream: reported on 2026/04/01 04:53
Reported-by: syzbot+ea762fbfc40d721c3e07@syzkaller.appspotmail.com
First crash: 77d, last: 5d20h

▶ ▼ Similar bugs (5)

Kernel	Title	Rank 🛈	Count	Last	Reported	Patched	Status
openbsd	uvm_fault: ufs_direnter (2)	-1	1	817d	817d	0/3	auto-obsoleted due to no activity on 2024/06/20 10:15
openbsd	uvm_fault: ufs_direnter	-1	1	1357d	1357d	0/3	auto-obsoleted due to no activity on 2022/12/28 17:05
openbsd	uvm_fault: ufs_direnter (4)	-1	1	496d	496d	0/3	auto-obsoleted due to no activity on 2025/05/07 09:55
openbsd	uvm_fault: ufs_direnter (3)	-1	3	640d	642d	0/3	auto-obsoleted due to no activity on 2024/12/14 08:05
openbsd	uvm_fault: ufs_direnter (5)	-1	1	277d	277d	0/3	auto-obsoleted due to no activity on 2025/12/12 09:01

Sample crash report:

uvm_fault(0xffffffff83a41c50, 0xffff80002319200c, 0, 1) -> d
kernel: page fault trap, code=0
Stopped at      ufs_direnter+0x23b:     movl    0(%r14),%r15d
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*124140  13890      0         0x2          0    0  syz-executor
ufs_direnter(fffff0006c2772e8,fffff0000e95c7d8,ffff80003c8e1200,ffff80003c8e1530,fffff00073e9f010) at ufs_direnter+0x23b sys/ufs/ufs/ufs_lookup.c:764
ufs_mkdir(ffff80003c8e13a0) at ufs_mkdir+0x5d5 sys/ufs/ufs/ufs_vnops.c:1179
VOP_MKDIR(fffff0006c2772e8,ffff80003c8e1500,ffff80003c8e1530,ffff80003c8e1430) at VOP_MKDIR+0x101 sys/kern/vfs_vops.c:394
domkdirat(ffff80002a79c560,ffffff9c,70f43cdefd80,1ff) at domkdirat+0x179 sys/kern/vfs_syscalls.c:3062
syscall(ffff80003c8e16a0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline]
syscall(ffff80003c8e16a0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x70f43cdefe20, count: 9
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb> 
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
*cpu0: uvm_fault(0xffffffff83a41c50, 0xffff80002319200c, 0, 1) -> d
ddb> trace
ufs_direnter(fffff0006c2772e8,fffff0000e95c7d8,ffff80003c8e1200,ffff80003c8e1530,fffff00073e9f010) at ufs_direnter+0x23b sys/ufs/ufs/ufs_lookup.c:764
ufs_mkdir(ffff80003c8e13a0) at ufs_mkdir+0x5d5 sys/ufs/ufs/ufs_vnops.c:1179
VOP_MKDIR(fffff0006c2772e8,ffff80003c8e1500,ffff80003c8e1530,ffff80003c8e1430) at VOP_MKDIR+0x101 sys/kern/vfs_vops.c:394
domkdirat(ffff80002a79c560,ffffff9c,70f43cdefd80,1ff) at domkdirat+0x179 sys/kern/vfs_syscalls.c:3062
syscall(ffff80003c8e16a0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline]
syscall(ffff80003c8e16a0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x70f43cdefe20, count: -6
ddb> show registers
rdi                                0
rsi                                0
rbp               0xffff80003c8e11f0
rbx               0xfffff00007ffd068
rdx                                0
rcx               0xfffff0006978e8c8
rax               0xffff80002a79c560
r8                0xffffffffffffffff
r9                                 0
r10               0xc8e26869c20e43cc
r11               0xd197b485f446f387
r12               0xfffff000746b4b00
r13               0xfffff0006f2e5200
r14               0xffff80002319200c
r15                                0
rip               0xffffffff827bc8fb    ufs_direnter+0x23b
cs                               0x8
rflags                       0x10246    __ALIGN_SIZE+0xf246
rsp               0xffff80003c8e1150
ss                              0x10
ufs_direnter+0x23b:     movl    0(%r14),%r15d
ddb> show proc
PROC (syz-executor) tid=124140 pid=13890 tcnt=1 stat=onproc
    flags process=2<EXEC> proc=0
    runpri=17, usrpri=50, slppri=17, nice=20
    wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
    forw=0xffffffffffffffff, list=0xffff80002a79c7f8,0xffff80002a79da30
    process=0xffff800035d16420 user=0xffff80003c8dc000, vmspace=0xfffff0006d6905d8
    estcpu=36, cpticks=2, pctcpu=0.0, user=0, sys=2, intr=0
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 89373  427722  70565      0  2           0                syz-executor
 89373  349890  70565      0  2   0x4000000                syz-executor
 90811  169550  75571      0  3        0x80  nanoslp       syz-executor
 90811  446282  75571      0  3   0x4000080  kqpoll        syz-executor
 90811   71853  75571      0  3   0x4000080  fsleep        syz-executor
 27200  283887  76846      0  2       0xc80                syz-executor
 27200  475384  76846      0  3   0x4000080  pipewr        syz-executor
 27200  485580  76846      0  3   0x4000080  fsleep        syz-executor
 35790  207728  84641      0  3        0x80  nanoslp       syz-executor
 35790   70981  84641      0  3   0x4000080  kqpoll        syz-executor
 35790  386870  84641      0  3   0x4000080  fsleep        syz-executor
 21009  196598    583      0  3        0x91  nanoslp       syz-executor
 21009  238408    583      0  3   0x4000091  kqsel         syz-executor
 21009  211468    583      0  3   0x4000091  fsleep        syz-executor
 21009  477276    583      0  3   0x4000091  kqsel         syz-executor
*13890  124140  15070      0  7         0x2                syz-executor
 70565  431502  15070      0  2       0xc82                syz-executor
 75571   46446  15070      0  3        0x82  nanoslp       syz-executor
 11151  446738      1      0  3        0x80  nanoslp       init
 84641  232156  15070      0  2       0xc82                syz-executor
 51101  223162  15070      0  2         0x2                syz-executor
 76846  469223  15070      0  3        0x82  nanoslp       syz-executor
   583  419993  15070      0  3        0x82  nanoslp       syz-executor
 15070   50271      1      0  2        0x82                syz-executor
 71449  297668      1     73  3   0x1100090  kqread        syslogd
 60946  102013      0      0  3     0x14200  bored         smr
 74727  244833      0      0  2     0x14200                zerothread
 82124  219733      0      0  3     0x14200  aiodoned      aiodoned
 27501  276204      0      0  3     0x14200  syncer        update
 33711   93510      0      0  3     0x14200  cleaner       cleaner
 79243  502925      0      0  3     0x14200  reaper        reaper
 44368   69144      0      0  3     0x14200  pgdaemon      pagedaemon
  2262  253776      0      0  3     0x14200  bored         viomb
 47190  144202      0      0  3  0x40014200  acpi0         acpi0
 60198  125755      0      0  2     0x14200                softnet0
 84024  434580      0      0  3     0x14200  bored         systqmp
 97499  288885      0      0  3     0x14200  bored         systq
 88332  211067      0      0  3  0x40014200  tmoslp        softclock
 80297  249895      0      0  3  0x40014200                idle0
     1  212481      0      0  3        0x82  wait          init
     0       0     -1      0  3  0x10010200  scheduler     swapper
ddb> show all locks
No such command
ddb> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 11037  12176K   12647K 166960K     12888        0
            pcb    18     13K      13K 166960K       129        0
         rtable   228     10K      11K 166960K       604        0
             pf    38     14K      18K 166960K       122        0
         ifaddr    36      5K       7K 166960K        76        0
        ifgroup    55      2K       2K 166960K       107        0
         sysctl     4      1K       9K 166960K        16        0
       counters    34     17K      18K 166960K        56        0
       ioctlops     0      0K       4K 166960K       310        0
            iov     0      0K      16K 166960K        34        0
          mount     1      1K       1K 166960K         1        0
            log     0      0K       0K 166960K         4        0
         vnodes  1416     89K      90K 166960K      2006        0
      UFS quota     1     32K      32K 166960K         1        0
      UFS mount     5     36K      36K 166960K         5        0
            shm     2      1K       9K 166960K        19        0
         VM map     2      1K       1K 166960K         2        0
            sem    12      0K       1K 166960K        36        0
        dirhash    12      2K       2K 166960K        21        0
           ACPI  1692    195K     286K 166960K     12470        0
      file desc    15     53K     224K 166960K       794        0
          sigio     0      0K       0K 166960K         6        0
           proc    14     25K      83K 166960K       663        0
        subproc    72      4K       4K 166960K        99        0
    NFS srvsock     1      0K       0K 166960K         1        0
     NFS daemon     1     16K      16K 166960K         1        0
    ip_moptions     0      0K       0K 166960K       206        0
       in_multi    76      5K       7K 166960K       153        0
    ether_multi     1      0K       0K 166960K         4        0
            mrt     1      0K       0K 166960K        21        0
    ISOFS mount     1     32K      32K 166960K         1        0
  MSDOSFS mount     1     16K      16K 166960K         1        0
           ttys    73    334K     334K 166960K        73        0
           exec     0      0K       1K 166960K       459        0
   fusefs mount     1     32K      32K 166960K         1        0
            tdb     3      0K       0K 166960K         3        0
        VM swap     8     62K      64K 166960K        10        0
       UVM amap   137    100K     167K 166960K      8554        0
       UVM aobj    28      2K       2K 166960K        30        0
     pinsyscall    18     36K      92K 166960K      1973        0
        memdesc     1      4K       4K 166960K         1        0
    crypto data     1      1K       1K 166960K         1        0
    ip6_options     0      0K       0K 166960K        20        0
            NDP    12      0K       2K 166960K        54        0
           temp    58   9111K    9175K 166960K     33663        0
         kqueue     4      6K      28K 166960K       112        0
      SYN cache     2     16K      16K 166960K         2        0
ddb> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
rtpcb      120       80    0       80     1     0     1     1     0     8    1
rtentry    136      162    0       75     4     0     4     4     0     8    0
unpcb      144      733    0      728     6     5     1     6     0     8    0
syncache   336        7    0        7     2     1     1     1     0     8    1
tcpcb      736      167    0      166     1     0     1     1     0     8    0
arp         96       25    0       13     1     0     1     1     0     8    0
ipq         40        4    0        1     1     0     1     1     0     8    0
ipqe        40        6    0        2     1     0     1     1     0     8    0
inpcb      328      589    0      586     8     2     6     6     0     8    5
ip6q        72        4    0        1     2     1     1     1     0     8    0
ip6af       40        5    0        2     2     1     1     1     0     8    0
nd6        112       37    0       17     1     0     1     1     0     8    0
pkpcb       40       10    0       10     2     1     1     1     0     8    1
kcovpl      48       11    0        3     1     0     1     1     0     8    0
ppxss      1072      15    0       15     2     1     1     1     0     8    1
pfstscr     40        4    0        0     1     0     1     1     0     8    0
pfrktable  1344       9    0        7     1     0     1     1     0     8    0
pfsrclim   320        1    0        1     1     0     1     1     0     8    1
pfanchor   1288       3    0        1     1     0     1     1     0     8    0
pftag       88        4    0        2     1     0     1     1     0     8    0
pfstitem    24        6    0        0     1     0     1     1     0     8    0
pfstkey    128        8    0        2     1     0     1     1     0     8    0
pfstate    384        5    0        2     1     0     1     1     0     8    0
pfrule     1360      13    0       11     1     0     1     1     0     8    0
rttmr      136        3    0        3     1     1     0     1     0     8    0
art_heap8  4096       2    0        0     2     0     2     2     0     8    0
art_heap4  256      669    0      296    33     7    26    30     0     8    0
art_table   40      671    0      296     5     0     5     5     0     8    0
art_node    32      158    0       79     1     0     1     1     0     8    0
sysvmsgpl   40        5    0        3     1     0     1     1     0     8    0
semupl     112        2    0        2     1     1     0     1     0     8    0
semapl      72       34    0       24     1     0     1     1     0     8    0
shmpl      112       27    0        2     1     0     1     1     0     8    0
dirhash    1024      23    0        6     3     0     3     3     0     8    0
dino2pl    256     2694    0     1229    92     0    92    92     0     8    0
ffsino     256     2694    0     1229    92     0    92    92     0     8    0
nchpl      144     3756    0     2051    64     0    64    64     0     8    0
rtmask      32        1    0        1     1     1     0     1     0     8    0
vnodes     216     3201    0        0   178     0   178   178     0     8    0
namei      1024   12104    0    12103     3     1     2     2     0     8    1
pfiaddrpl  120        2    0        1     1     0     1     1     0     8    0
kstatmem   264       63    0       38     3     1     2     3     0     8    0
scsiplug    72        4    0        4     1     1     0     1     0     8    0
scxspl     216    16298    0    16298    11     3     8     8     1     8    8
plimitpl   152       97    0       86     1     0     1     1     0     8    0
sigapl     424     1094    0     1063     7     0     7     7     0     8    1
knotepl    120    25069    0    25045    10     0    10    10     0     8    7
kqueuepl   184      225    0      218     2     1     1     2     0     8    0
pipepl     304      229    0      201     8     5     3     8     0     8    0
fdescpl    448     1060    0     1042     5     1     4     5     0     8    0
filepl     120     5638    0     5461    14     6     8    13     0     8    1
lockfpl    104      213    0      212     1     0     1     1     0     8    0
lockfspl    48       93    0       92     1     0     1     1     0     8    0
sessionpl  144       51    0       46     1     0     1     1     0     8    0
pgrppl      48       67    0       54     1     0     1     1     0     8    0
ucredpl    104      704    0      698     1     0     1     1     0     8    0
zombiepl   144     1064    0     1063     1     0     1     1     0     8    0
processpl  1152    1094    0     1063     5     0     5     5     0     8    0
procpl     664     2023    0     1982     7     0     7     7     0     8    1
sosppl     176        1    0        1     1     1     0     1     0     8    0
sockpl     552     1434    0     1426    15     9     6    12     0     8    4
mcl64k     65536     49    0       48     1     0     1     1     0     8    0
mcl16k     16384      3    0        3     1     1     0     1     0     8    0
mcl9k128   9344       1    0        1     1     0     1     1     0     8    1
mcl8k      8192      12    0       11     2     1     1     1     0     8    0
mcl4k      4096    3384    0     3328    15     5    10    13     0     8    2
mcl2k      2048     725    0      724     5     3     2     3     0     8    1
mtagpl      96       13    0       12     1     0     1     1     0     8    0
mbufpl     256    12239    0    12123    22     9    13    22     0     8    2
bufpl      272     6617    0      401   415     0   415   415     0     8    0
anonpl      24   176825    0   175105    55    14    41    53     0   186   10
amapchunkpl 152   29567    0    29042    46    15    31    33     0   158    7
amappl16   200     3403    0     3383    25    21     4    21     0     8    0
amappl15   192        7    0        5     1     0     1     1     0     8    0
amappl14   184      445    0      445     2     1     1     1     0     8    1
amappl13   176      125    0      124     1     0     1     1     0     8    0
amappl12   168     1322    0     1306     2     0     2     2     0     8    0
amappl11   160        4    0        4     1     1     0     1     0     8    0
amappl10   152       56    0       54     1     0     1     1     0     8    0
amappl9    144      272    0      272     1     1     0     1     0     8    0
amappl8    136      104    0      104     1     0     1     1     0     8    1
amappl7    128      157    0      152     1     0     1     1     0     8    0
amappl6    120      185    0      184     1     0     1     1     0     8    0
amappl5    112       92    0       89     1     0     1     1     0     8    0
amappl4    104      310    0      303     1     0     1     1     0     8    0
amappl3     96     5541    0     5471     4     1     3     4     0     8    0
amappl2     88      577    0      563     2     0     2     2     0     8    0
amappl1     80    13600    0    13477    13     3    10    13     0     8    1
amappl      88     7658    0     7540     5     0     5     5     0    92    0
uvmvnodes   80      119    0        0     3     0     3     3     0     8    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma1024    1024       1    0        0     1     0     1     1     0     8    0
dma256     256        7    0        7     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       21    0       20     1     0     1     1     0     8    0
aobjpl      72       29    0        2     1     0     1     1     0     8    0
uaddrrnd    24     1060    0     1042     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24     1060    0     1042     1     0     1     1     0     8    0
vmmpekpl   168     9986    0     9935     3     0     3     3     0     8    0
vmmpepl    168    75562    0    74749    93    17    76    93     0   357   23
vmsppl     368     1059    0     1042     4     1     3     4     0     8    0
rwobjpl     40    23118    0    22648    13     0    13    13     0     8    0
pdppl      4096    2126    0     2084    98    50    48    78     0     8    6
pvpl        32   476991    0   472900   133    30   103   133     0   265   25
pmappl     216     1059    0     1042     2     0     2     2     0     8    0
extentpl    40       45    0       27     1     0     1     1     0     8    0
phpool     112      800    0       82    21     0    21    21     0     8    0
ddb> machine ddbcpu 0
No such command
ddb>

Crashes (9):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Assets (help?)	Manager	Title
2026/06/11 20:19	openbsd	28cce1e713d0	d93a6ab6	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-main	uvm_fault: ufs_direnter
2026/05/24 01:16	openbsd	19a448b47c50	c69befb3	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	uvm_fault: ufs_direnter
2026/05/01 16:54	openbsd	bedf3632bee6	340bcdf0	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-main	uvm_fault: ufs_direnter
2026/05/01 04:03	openbsd	d15801fa3705	340bcdf0	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-main	uvm_fault: ufs_direnter
2026/04/27 16:30	openbsd	80ba1745ccfd	0f700595	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	uvm_fault: ufs_direnter
2026/04/23 12:50	openbsd	7a2e62a4900c	4c3406dc	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-main	uvm_fault: ufs_direnter
2026/04/22 23:22	openbsd	18dcbfb1f230	b10da5ec	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	uvm_fault: ufs_direnter
2026/04/08 09:55	openbsd	7ed665c6a362	4b3d9a38	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-main	uvm_fault: ufs_direnter
2026/04/01 04:53	openbsd	9f2496a89535	4b3d9a38	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	uvm_fault: ufs_direnter

* ~~Struck through~~ repros no longer work on HEAD.