syzbot


pool: free list modified: art_heap4 (2)

Status: fixed on 2020/08/05 06:16
Reported-by: syzbot+3c87ca9873bfd0492f5c@syzkaller.appspotmail.com
Fix commit: efa3c3dd644f Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
First crash: 1404d, last: 1374d
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
openbsd pool: free list modified: art_heap4 2 1560d 1584d 0/3 auto-closed as invalid on 2020/03/19 11:43
openbsd pool: free list modified: art_heap4 (3) 1 654d 654d 0/3 auto-obsoleted due to no activity on 2022/09/11 15:13

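Sample crash report (the panic is raised by the pool allocator's free-list check inside pool_do_get, so the trace shows where the corruption of a free art_heap4 item was detected, not necessarily the code path that wrote to it):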
login: panic: pool_do_get: art_heap4 free list modified: page 0xfffffd8079b5c000; item addr 0xfffffd8079b5c000; offset 0x0=0xb600000000000000 != 0xb6bb2dbc0595536b
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
 510175  14205      0           0          0    0  syz-executor.0
*133667  14205      0           0  0x4000000    1K syz-executor.0
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff8247aa02) at panic+0x15c sys/kern/subr_prf.c:207
pool_do_get(ffffffff828ecd60,a,ffff800023f207f8) at pool_do_get+0x439 sys/kern/subr_pool.c:738
pool_get(ffffffff828ecd60,a) at pool_get+0xeb sys/kern/subr_pool.c:581
art_table_get(ffff800000676500,fffffd80684d87e8,10) at art_table_get+0x12e sys/net/art.c:722
art_insert(ffff800000676500,fffffd806f765a00,ffff800000b52788,80) at art_insert+0x155 sys/net/art.c:387
rtable_insert(0,ffff800000b52780,0,ffff800000ac2f80,1,fffffd8067b2c0e8) at rtable_insert+0x2f6
rtrequest(1,ffff800023f20b18,1,ffff800023f20be0,0) at rtrequest+0x8bf sys/net/route.c:941
rt_ifa_add(ffff800000b4a100,240404,ffff800000b4a140,0) at rt_ifa_add+0x25c sys/net/route.c:1131
rt_ifa_addlocal(ffff800000b4a100) at rt_ifa_addlocal+0x16d sys/net/route.c:1238
in6_update_ifa(ffff800000ac3000,ffff800023f20ea0,0) at in6_update_ifa+0x13bb sys/netinet6/in6.c:723
in6_ifattach_linklocal(ffff800000ac3000,0) at in6_ifattach_linklocal+0x2a2 sys/netinet6/in6_ifattach.c:281
in6_ifattach(ffff800000ac3000) at in6_ifattach+0x1b8 sys/netinet6/in6_ifattach.c:401
ifnewlladdr(ffff800000ac3000) at ifnewlladdr+0x119 sys/net/if.c:3120
end trace frame: 0xffff800023f210e0, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{1}> 
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
pool_do_get: art_heap4 free list modified: page 0xfffffd8079b5c000; item addr 0xfffffd8079b5c000; offset 0x0=0xb600000000000000 != 0xb6bb2dbc0595536b
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff8247aa02) at panic+0x15c sys/kern/subr_prf.c:207
pool_do_get(ffffffff828ecd60,a,ffff800023f207f8) at pool_do_get+0x439 sys/kern/subr_pool.c:738
pool_get(ffffffff828ecd60,a) at pool_get+0xeb sys/kern/subr_pool.c:581
art_table_get(ffff800000676500,fffffd80684d87e8,10) at art_table_get+0x12e sys/net/art.c:722
art_insert(ffff800000676500,fffffd806f765a00,ffff800000b52788,80) at art_insert+0x155 sys/net/art.c:387
rtable_insert(0,ffff800000b52780,0,ffff800000ac2f80,1,fffffd8067b2c0e8) at rtable_insert+0x2f6
rtrequest(1,ffff800023f20b18,1,ffff800023f20be0,0) at rtrequest+0x8bf sys/net/route.c:941
rt_ifa_add(ffff800000b4a100,240404,ffff800000b4a140,0) at rt_ifa_add+0x25c sys/net/route.c:1131
rt_ifa_addlocal(ffff800000b4a100) at rt_ifa_addlocal+0x16d sys/net/route.c:1238
in6_update_ifa(ffff800000ac3000,ffff800023f20ea0,0) at in6_update_ifa+0x13bb sys/netinet6/in6.c:723
in6_ifattach_linklocal(ffff800000ac3000,0) at in6_ifattach_linklocal+0x2a2 sys/netinet6/in6_ifattach.c:281
in6_ifattach(ffff800000ac3000) at in6_ifattach+0x1b8 sys/netinet6/in6_ifattach.c:401
ifnewlladdr(ffff800000ac3000) at ifnewlladdr+0x119 sys/net/if.c:3120
ifioctl(fffffd80651ed1b8,8020691f,ffff800023f21160,ffff800020e22c48) at ifioctl+0x1b3e sys/net/if.c:2196
soo_ioctl(fffffd807c44c130,8020691f,ffff800023f21160,ffff800020e22c48) at soo_ioctl+0x27c sys/kern/sys_socket.c:138
sys_ioctl(ffff800020e22c48,ffff800023f21278,ffff800023f212c0) at sys_ioctl+0x4a5
syscall(ffff800023f21340) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800023f21340) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xfb1d8a48d80, count: -19
ddb{1}> show registers
rdi                                0
rsi                              0x1
rbp               0xffff800023f20640
rbx               0xffff800023f206f0
rdx                             0x8b
rcx                              0x2
rax                              0x1
r8                0xffffffff819672cf    kprintf+0x16f
r9                               0x1
r10                              0x2
r11               0xa8ff3e44c0ac8693
r12                     0x3000000008
r13               0xffff800023f20650
r14                            0x100
r15                              0x1
rip               0xffffffff8143b848    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff800023f20630
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor.0) pid=133667 stat=onproc
    flags process=0 proc=4000000<THREAD>
    pri=32, usrpri=86, nice=20
    forw=0xffffffffffffffff, list=0xffff800020e22018,0xffffffff828a02e8
    process=0xffff800020e08f80 user=0xffff800023f1c000, vmspace=0xfffffd806514c010
    estcpu=36, cpticks=2, pctcpu=0.0
    user=0, sys=2, intr=0
ddb{1}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 14205  510175  90147      0  7           0                syz-executor.0
*14205  133667  90147      0  7   0x4000000                syz-executor.0
 94149  273797      1      0  3    0x100083  ttyin         getty
 18833  449541      0      0  3     0x14200  bored         sosplice
 92357   43678  98793      0  3        0x82  nanosleep     syz-executor.1
 90147  470154  98793      0  3        0x82  nanosleep     syz-executor.0
 98793  471218  60122      0  3        0x82  thrsleep      syz-fuzzer
 98793  464716  60122      0  3   0x4000082  nanosleep     syz-fuzzer
 98793  499892  60122      0  3   0x4000082  thrsleep      syz-fuzzer
 98793  233882  60122      0  3   0x4000082  thrsleep      syz-fuzzer
 98793   33294  60122      0  3   0x4000082  thrsleep      syz-fuzzer
 98793  262097  60122      0  3   0x4000082  thrsleep      syz-fuzzer
 98793  412625  60122      0  3   0x4000082  thrsleep      syz-fuzzer
 98793   47466  60122      0  3   0x4000082  thrsleep      syz-fuzzer
 98793   57462  60122      0  3   0x4000082  thrsleep      syz-fuzzer
 98793   26651  60122      0  3   0x4000082  thrsleep      syz-fuzzer
 98793  244055  60122      0  3   0x4000082  kqread        syz-fuzzer
 60122   56720   4224      0  3    0x10008a  pause         ksh
  4224  286386  19079      0  3        0x92  select        sshd
 19079  310600      1      0  3        0x80  select        sshd
 76371  358589  16934     74  3    0x100092  bpf           pflogd
 16934  372819      1      0  3        0x80  netio         pflogd
 55950  125377  21160     73  3    0x100090  kqread        syslogd
 21160  366427      1      0  3    0x100082  netio         syslogd
 77151  340134      1     77  3    0x100090  poll          dhclient
 20314  118800      1      0  3        0x80  poll          dhclient
 45816  106506      0      0  3     0x14200  bored         smr
  1846  444678      0      0  3     0x14200  pgzero        zerothread
 95042  146461      0      0  3     0x14200  aiodoned      aiodoned
 93609  311434      0      0  3     0x14200  syncer        update
 52066  486179      0      0  3     0x14200  cleaner       cleaner
 65759  130233      0      0  3     0x14200  reaper        reaper
  1759  377621      0      0  3     0x14200  pgdaemon      pagedaemon
 70609   61734      0      0  3     0x14200  bored         crynlk
 84007    9468      0      0  3     0x14200  bored         crypto
  3126  289460      0      0  3  0x40014200  acpi0         acpi0
 34861  121079      0      0  3  0x40014200                idle1
 38361    8424      0      0  3     0x14200  bored         softnet
  3714  111858      0      0  2     0x14200                systqmp
 45795  464885      0      0  3     0x14200  bored         systq
  1791  441293      0      0  3  0x40014200  bored         softclock
 81441  397845      0      0  3  0x40014200                idle0
     1  328591      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{1}> show all locks
CPU 1:
exclusive mutex art_heap4 r = 0 (0xffffffff828ecd70)
#0  witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0  witness_lock+0x4c7 sys/kern/subr_witness.c:1164
#1  mtx_enter_try+0x102
#2  mtx_enter+0x4b sys/kern/kern_lock.c:266
#3  pool_get+0xbf sys/kern/subr_pool.c:578
#4  art_table_get+0x12e sys/net/art.c:722
#5  art_insert+0x155 sys/net/art.c:387
#6  rtable_insert+0x2f6
#7  rtrequest+0x8bf sys/net/route.c:941
#8  rt_ifa_add+0x25c sys/net/route.c:1131
#9  rt_ifa_addlocal+0x16d sys/net/route.c:1238
#10 in6_update_ifa+0x13bb sys/netinet6/in6.c:723
#11 in6_ifattach_linklocal+0x2a2 sys/netinet6/in6_ifattach.c:281
#12 in6_ifattach+0x1b8 sys/netinet6/in6_ifattach.c:401
#13 ifnewlladdr+0x119 sys/net/if.c:3120
#14 ifioctl+0x1b3e sys/net/if.c:2196
#15 soo_ioctl+0x27c sys/kern/sys_socket.c:138
#16 sys_ioctl+0x4a5
#17 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#17 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#18 Xsyscall+0x128
Process 14205 (syz-executor.0) thread 0xffff800020e22c48 (133667)
exclusive rwlock art r = 0 (0xffff800000676518)
#0  witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0  witness_lock+0x4c7 sys/kern/subr_witness.c:1164
#1  rtable_insert+0x142 sys/net/rtable.c:517
#2  rtrequest+0x8bf sys/net/route.c:941
#3  rt_ifa_add+0x25c sys/net/route.c:1131
#4  rt_ifa_addlocal+0x16d sys/net/route.c:1238
#5  in6_update_ifa+0x13bb sys/netinet6/in6.c:723
#6  in6_ifattach_linklocal+0x2a2 sys/netinet6/in6_ifattach.c:281
#7  in6_ifattach+0x1b8 sys/netinet6/in6_ifattach.c:401
#8  ifnewlladdr+0x119 sys/net/if.c:3120
#9  ifioctl+0x1b3e sys/net/if.c:2196
#10 soo_ioctl+0x27c sys/kern/sys_socket.c:138
#11 sys_ioctl+0x4a5
#12 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#12 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#13 Xsyscall+0x128
exclusive rwlock netlock r = 0 (0xffffffff826e83a8)
#0  witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0  witness_lock+0x4c7 sys/kern/subr_witness.c:1164
#1  ifioctl+0x117b sys/net/if.c:2179
#2  soo_ioctl+0x27c sys/kern/sys_socket.c:138
#3  sys_ioctl+0x4a5
#4  syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#4  syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#5  Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff828a6230)
#0  witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0  witness_lock+0x4c7 sys/kern/subr_witness.c:1164
#1  soo_ioctl+0x26a sys/kern/sys_socket.c:138
#2  sys_ioctl+0x4a5
#3  syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#3  syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#4  Xsyscall+0x128
exclusive mutex art_heap4 r = 0 (0xffffffff828ecd70)
#0  witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0  witness_lock+0x4c7 sys/kern/subr_witness.c:1164
#1  mtx_enter_try+0x102
#2  mtx_enter+0x4b sys/kern/kern_lock.c:266
#3  pool_get+0xbf sys/kern/subr_pool.c:578
#4  art_table_get+0x12e sys/net/art.c:722
#5  art_insert+0x155 sys/net/art.c:387
#6  rtable_insert+0x2f6
#7  rtrequest+0x8bf sys/net/route.c:941
#8  rt_ifa_add+0x25c sys/net/route.c:1131
#9  rt_ifa_addlocal+0x16d sys/net/route.c:1238
#10 in6_update_ifa+0x13bb sys/netinet6/in6.c:723
#11 in6_ifattach_linklocal+0x2a2 sys/netinet6/in6_ifattach.c:281
#12 in6_ifattach+0x1b8 sys/netinet6/in6_ifattach.c:401
#13 ifnewlladdr+0x119 sys/net/if.c:3120
#14 ifioctl+0x1b3e sys/net/if.c:2196
#15 soo_ioctl+0x27c sys/kern/sys_socket.c:138
#16 sys_ioctl+0x4a5
#17 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#17 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#18 Xsyscall+0x128
ddb{1}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf  9552   6624K    7116K  78643K     12732        0
            pcb    13      8K       8K  78643K       121        0
         rtable   118      7K       8K  78643K       440        0
         ifaddr    91     17K      18K  78643K       174        0
       counters    43     33K      34K  78643K        63        0
       ioctlops     0      0K       4K  78643K      1549        0
            iov     0      0K      16K  78643K       388        0
          mount     1      1K       1K  78643K         1        0
         vnodes  1221     77K      77K  78643K      1782        0
      UFS quota     1     32K      32K  78643K         1        0
      UFS mount     5     36K      36K  78643K         5        0
            shm     2      1K       5K  78643K         5        0
         VM map     2      1K       1K  78643K         2        0
            sem    12      0K       0K  78643K        85        0
        dirhash    12      2K       2K  78643K        12        0
           ACPI  1824    197K     290K  78643K     13058        0
      file desc     5     13K      25K  78643K       517        0
          sigio     0      0K       0K  78643K         9        0
           proc    62     63K      83K  78643K       506        0
        subproc    32      2K       2K  78643K        34        0
    NFS srvsock     1      0K       0K  78643K         1        0
     NFS daemon     1     16K      16K  78643K         1        0
    ip_moptions     0      0K       0K  78643K        39        0
       in_multi    67      3K       3K  78643K       136        0
    ether_multi     1      0K       0K  78643K        10        0
            mrt     0      0K       0K  78643K        10        0
    ISOFS mount     1     32K      32K  78643K         1        0
  MSDOSFS mount     1     16K      16K  78643K         1        0
           ttys    43    201K     201K  78643K        43        0
           exec     0      0K       1K  78643K       244        0
        pagedep     1      8K       8K  78643K         1        0
       inodedep     1     32K      32K  78643K         1        0
         newblk     1      0K       0K  78643K         1        0
        VM swap     7     26K      26K  78643K         7        0
       UVM amap   150    121K     137K  78643K      2684        0
       UVM aobj    16      4K       4K  78643K        21        0
        memdesc     1      4K       4K  78643K         1        0
    crypto data     1      1K       1K  78643K         1        0
    ip6_options     0      0K       0K  78643K        88        0
            NDP    14      0K       0K  78643K        33        0
           temp   123   3856K    3924K  78643K      9147        0
         kqueue     3      4K      12K  78643K        47        0
      SYN cache     2     16K      16K  78643K         2        0
ddb{1}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp         64        6    0        0     1     0     1     1     0     8    0
plcache    128       20    0        0     1     0     1     1     0     8    0
rtpcb       80       51    0       48     1     0     1     1     0     8    0
rtentry    112       67    0       25     2     0     2     2     0     8    0
unpcb      120      337    0      327     2     1     1     2     0     8    0
syncache   264        8    0        8     2     2     0     1     0     8    0
tcpcb      544      156    0      151     1     0     1     1     0     8    0
inpcb      296      570    0      561     3     1     2     2     0     8    1
rttmr       72        3    0        3     1     1     0     1     0     8    0
nd6         48       15    0        9     1     0     1     1     0     8    0
pkpcb       40        6    0        6     2     1     1     1     0     8    1
ppxss      1128       1    0        1     1     1     0     1     0     8    0
pffrag     232        1    0        1     1     1     0     1     0   482    0
pffrnode    88        1    0        1     1     1     0     1     0     8    0
pffrent     40        2    0        2     1     1     0     1     0     8    0
pfosfp      40      846    0      423     5     0     5     5     0     8    0
pfosfpen   112     1428    0      714    21     0    21    21     0     8    0
pfrktable  1344      42    0       37     2     1     1     1     0     8    0
pfstitem    24       23    0        8     1     0     1     1     0     8    0
pfstkey    112       23    0        8     1     0     1     1     0     8    0
pfstate    328       23    0        8     2     0     2     2     0     8    0
pfrule     1360      39    0       24     3     1     2     2     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      261    0       64    14     1    13    13     0     8    0
art_heap4: pool(0xffffffff828ecd60:art_heap4): free list modified: page 0xfffffd8079b5c000; item ordinal 0; addr 0xfffffd8079b5c000 (p 0xfffffd80662be000); offset 0x0=0xb600000000000000
art_table   32      263    0       64     2     0     2     2     0     8    0
art_node    16       64    0       22     1     0     1     1     0     8    0
sysvmsgpl   40       34    0       11     1     0     1     1     0     8    0
semupl     112        2    0        2     1     1     0     1     0     8    0
semapl     112       81    0       71     1     0     1     1     0     8    0
shmpl      112       19    0        5     1     0     1     1     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino2pl    256     2133    0      731    89     0    89    89     0     8    0
ffsino     272     2133    0      731    95     1    94    95     0     8    0
nchpl      144     3221    0     1611    60     0    60    60     0     8    0
uvmvnodes   72     2657    0        0    49     0    49    49     0     8    0
vnodes     208     2657    0        0   140     0   140   140     0     8    0
namei      1024    9189    0     9189     2     1     1     1     0     8    1
percpumem   16       42    0       10     1     0     1     1     0     8    0
vcpupl     1984       9    0        0     2     0     2     2     0     8    0
vmpool     560        9    0        0     1     0     1     1     0     8    0
pfiaddrpl  120       12    0        8     1     0     1     1     0     8    0
scxspl     192     9014    0     9014    13    10     3     7     0     8    3
plimitpl   152       44    0       36     1     0     1     1     0     8    0
sigapl     424      734    0      702     4     0     4     4     0     8    0
futexpl     56     8447    0     8447     1     0     1     1     0     8    1
knotepl    112      108    0       89     1     0     1     1     0     8    0
kqueuepl   144      115    0      111     1     0     1     1     0     8    0
pipelkpl    48      164    0      154     1     0     1     1     0     8    0
pipepl     120      328    0      309     3     2     1     2     0     8    0
fdescpl    496      718    0      702     3     0     3     3     0     8    0
filepl     152     4701    0     4597     7     2     5     6     0     8    0
lockfpl    104      134    0      133     1     0     1     1     0     8    0
lockfspl    48       47    0       46     1     0     1     1     0     8    0
sessionpl  112       19    0        8     1     0     1     1     0     8    0
pgrppl      48       19    0        8     1     0     1     1     0     8    0
ucredpl     96      472    0      463     1     0     1     1     0     8    0
zombiepl   144      702    0      701     2     1     1     1     0     8    0
processpl  984      734    0      701     5     0     5     5     0     8    0
procpl     624     1858    0     1814     4     0     4     4     0     8    0
srpgc       64        2    0        2     1     1     0     1     0     8    0
sosppl     128        8    0        8     2     2     0     1     0     8    0
sockpl     400      964    0      942     7     4     3     5     0     8    0
mcl64k     65536      8    0        0     1     0     1     1     0     8    0
mcl16k     16384      2    0        0     1     0     1     1     0     8    0
mcl12k     12288      6    0        0     1     0     1     1     0     8    0
mcl9k      9216       2    0        0     1     0     1     1     0     8    0
mcl8k      8192       6    0        0     1     0     1     1     0     8    0
mcl4k      4096       9    0        0     2     0     2     2     0     8    0
mcl2k2     2112       3    0        0     1     0     1     1     0     8    0
mcl2k      2048     170    0        0    21     0    21    21     0     8    0
mtagpl      96      223    0        0     6     0     6     6     0     8    0
mbufpl     256      719    0        0    43     0    43    43     0     8    0
bufpl      280     4479    0      133   311     0   311   311     0     8    0
anonpl      16    80346    0    63665    84    15    69    80     0   124    0
amapchunkpl 152    5582    0     5414    40    19    21    21     0   158   14
amappl16   192     3490    0     2607    59    13    46    54     0     8    1
amappl15   184        1    0        1     1     1     0     1     0     8    0
amappl14   176       25    0       19     1     0     1     1     0     8    0
amappl13   168      269    0      264     1     0     1     1     0     8    0
amappl12   160        1    0        1     1     1     0     1     0     8    0
amappl11   152       61    0       46     1     0     1     1     0     8    0
amappl10   144      276    0      267     1     0     1     1     0     8    0
amappl9    136      389    0      387     1     0     1     1     0     8    0
amappl8    128      369    0      333     2     0     2     2     0     8    0
amappl7    120      120    0      108     1     0     1     1     0     8    0
amappl6    112       27    0       21     2     1     1     1     0     8    0
amappl5    104      610    0      593     1     0     1     1     0     8    0
amappl4     96      743    0      710     1     0     1     1     0     8    0
amappl3     88      120    0      115     1     0     1     1     0     8    0
amappl2     80     4792    0     4722     2     0     2     2     0     8    0
amappl1     72    25528    0    25082    23    13    10    18     0     8    0
amappl      80     2132    0     2076     2     0     2     2     0    84    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      64       20    0        5     1     0     1     1     0     8    0
uaddrrnd    24      727    0      702     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      727    0      702     1     0     1     1     0     8    0
vmmpekpl   168     9388    0     9353     2     0     2     2     0     8    0
vmmpepl    168    93744    0    91676   128    32    96   114     0   357    1
vmsppl     368      726    0      702     3     0     3     3     0     8    0
pdppl      4096    1461    0     1413     7     0     7     7     0     8    0
pvpl        32   245750    0   225917   200    32   168   189     0   265    5
pmappl     232      726    0      702     2     0     2     2     0     8    0
extentpl    40       53    0       36     1     0     1     1     0     8    0
phpool     112      300    0       10     9     0     9     9     0     8    0
ddb{1}> machine ddbcpu 0
Stopped at      x86_ipi_db+0x1a:        addq    $0x8,%rsp
x86_ipi_db(ffffffff8274fff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:352
x86_ipi_handler() at x86_ipi_handler+0xc6 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__mp_lock(ffffffff828a6028) at __mp_lock+0x127 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff828a6028) at __mp_lock+0x127 sys/kern/kern_lock.c:147
softintr_dispatch(0) at softintr_dispatch+0x4e sys/arch/amd64/amd64/softintr.c:89
Xsoftclock() at Xsoftclock+0x1f
__sanitizer_cov_trace_switch(0,ffffffff8270bd20) at __sanitizer_cov_trace_switch+0x14f sys/dev/kcov.c:202
syscall(ffff800020e01ee0) at syscall+0x4ea sys/arch/amd64/amd64/trap.c:572
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7fffff77b0, count: 6
ddb{0}> trace
x86_ipi_db(ffffffff8274fff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:352
x86_ipi_handler() at x86_ipi_handler+0xc6 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__mp_lock(ffffffff828a6028) at __mp_lock+0x127 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff828a6028) at __mp_lock+0x127 sys/kern/kern_lock.c:147
softintr_dispatch(0) at softintr_dispatch+0x4e sys/arch/amd64/amd64/softintr.c:89
Xsoftclock() at Xsoftclock+0x1f
__sanitizer_cov_trace_switch(0,ffffffff8270bd20) at __sanitizer_cov_trace_switch+0x14f sys/dev/kcov.c:202
syscall(ffff800020e01ee0) at syscall+0x4ea sys/arch/amd64/amd64/trap.c:572
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7fffff77b0, count: -9
ddb{0}> machine ddbcpu 1
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff8247aa02) at panic+0x15c sys/kern/subr_prf.c:207
pool_do_get(ffffffff828ecd60,a,ffff800023f207f8) at pool_do_get+0x439 sys/kern/subr_pool.c:738
pool_get(ffffffff828ecd60,a) at pool_get+0xeb sys/kern/subr_pool.c:581
art_table_get(ffff800000676500,fffffd80684d87e8,10) at art_table_get+0x12e sys/net/art.c:722
art_insert(ffff800000676500,fffffd806f765a00,ffff800000b52788,80) at art_insert+0x155 sys/net/art.c:387
rtable_insert(0,ffff800000b52780,0,ffff800000ac2f80,1,fffffd8067b2c0e8) at rtable_insert+0x2f6
rtrequest(1,ffff800023f20b18,1,ffff800023f20be0,0) at rtrequest+0x8bf sys/net/route.c:941
rt_ifa_add(ffff800000b4a100,240404,ffff800000b4a140,0) at rt_ifa_add+0x25c sys/net/route.c:1131
rt_ifa_addlocal(ffff800000b4a100) at rt_ifa_addlocal+0x16d sys/net/route.c:1238
in6_update_ifa(ffff800000ac3000,ffff800023f20ea0,0) at in6_update_ifa+0x13bb sys/netinet6/in6.c:723
in6_ifattach_linklocal(ffff800000ac3000,0) at in6_ifattach_linklocal+0x2a2 sys/netinet6/in6_ifattach.c:281
in6_ifattach(ffff800000ac3000) at in6_ifattach+0x1b8 sys/netinet6/in6_ifattach.c:401
ifnewlladdr(ffff800000ac3000) at ifnewlladdr+0x119 sys/net/if.c:3120
end trace frame: 0xffff800023f210e0, count: 0
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff8247aa02) at panic+0x15c sys/kern/subr_prf.c:207
pool_do_get(ffffffff828ecd60,a,ffff800023f207f8) at pool_do_get+0x439 sys/kern/subr_pool.c:738
pool_get(ffffffff828ecd60,a) at pool_get+0xeb sys/kern/subr_pool.c:581
art_table_get(ffff800000676500,fffffd80684d87e8,10) at art_table_get+0x12e sys/net/art.c:722
art_insert(ffff800000676500,fffffd806f765a00,ffff800000b52788,80) at art_insert+0x155 sys/net/art.c:387
rtable_insert(0,ffff800000b52780,0,ffff800000ac2f80,1,fffffd8067b2c0e8) at rtable_insert+0x2f6
rtrequest(1,ffff800023f20b18,1,ffff800023f20be0,0) at rtrequest+0x8bf sys/net/route.c:941
rt_ifa_add(ffff800000b4a100,240404,ffff800000b4a140,0) at rt_ifa_add+0x25c sys/net/route.c:1131
rt_ifa_addlocal(ffff800000b4a100) at rt_ifa_addlocal+0x16d sys/net/route.c:1238
in6_update_ifa(ffff800000ac3000,ffff800023f20ea0,0) at in6_update_ifa+0x13bb sys/netinet6/in6.c:723
in6_ifattach_linklocal(ffff800000ac3000,0) at in6_ifattach_linklocal+0x2a2 sys/netinet6/in6_ifattach.c:281
in6_ifattach(ffff800000ac3000) at in6_ifattach+0x1b8 sys/netinet6/in6_ifattach.c:401
ifnewlladdr(ffff800000ac3000) at ifnewlladdr+0x119 sys/net/if.c:3120
ifioctl(fffffd80651ed1b8,8020691f,ffff800023f21160,ffff800020e22c48) at ifioctl+0x1b3e sys/net/if.c:2196
soo_ioctl(fffffd807c44c130,8020691f,ffff800023f21160,ffff800020e22c48) at soo_ioctl+0x27c sys/kern/sys_socket.c:138
sys_ioctl(ffff800020e22c48,ffff800023f21278,ffff800023f212c0) at sys_ioctl+0x4a5
syscall(ffff800023f21340) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800023f21340) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xfb1d8a48d80, count: -19

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/06/23 19:41 openbsd 8569c6f62927 54566aff .config console log report ci-openbsd-multicore
2020/06/20 18:26 openbsd c4b445c6ea7c c655ec77 .config console log report ci-openbsd-main
2020/06/07 02:03 openbsd d3d7dc897d09 e6b89e4e .config console log report ci-openbsd-multicore
2020/05/24 05:41 openbsd 0e6fb2a1b110 96c92ad3 .config console log report ci-openbsd-main