syzbot


panic: ufsdirhash_lookup: bad offset in hash array

Status: auto-closed as invalid on 2022/08/14 03:42
Reported-by: syzbot+23d9e4f8a92d9fc8c87b@syzkaller.appspotmail.com
First crash: 673d, last: 673d
Similar bugs (2)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
openbsd | panic: ufsdirhash_lookup: bad offset in hash array (2) | | | | 1 | 491d | 491d | 0/3 | auto-obsoleted due to no activity on 2023/02/12 08:25
openbsd | panic: ufsdirhash_lookup: bad offset in hash array (3) | C | | | 67 | 11d | 392d | 0/3 | upstream: reported C repro on 2023/02/20 12:28

Sample crash report:
panic: ufsdirhash_lookup: bad offset in hash array
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*255810  28133      0           0  0x4000000    0  syz-executor.4
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8262e73e) at panic+0x161 sys/kern/subr_prf.c:202
ufsdirhash_lookup(fffffd806e91f5a0,ffffffff8260c77c,2,fffffd806e91f64c,ffff80002e83b5b8,0) at ufsdirhash_lookup+0x8b8 sys/ufs/ufs/ufs_dirhash.c:343
ufs_lookup() at ufs_lookup+0xc15 sys/ufs/ufs/ufs_lookup.c:216
VOP_LOOKUP(fffffd8065a62d78,ffff80002e83b758,ffff80002e83b6f8) at VOP_LOOKUP+0x58 sys/kern/vfs_vops.c:85
unveil_find_cover(fffffd8065a62d78,ffff800025d0bcf0) at unveil_find_cover+0x130 sys/kern/kern_unveil.c:280
unveil_start_relative(ffff800025d0bcf0,ffff80002e83b978,fffffd8065a62d78) at unveil_start_relative+0xf6 sys/kern/kern_unveil.c:609
namei(ffff80002e83b978) at namei+0x7c9 sys/kern/vfs_lookup.c:232
dorenameat(ffff800025d0bcf0,4,200000c0,ffffff9c,20000140) at dorenameat+0x7b sys/kern/vfs_syscalls.c:2978
syscall(ffff80002e83bb70) at syscall+0x44e sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x1294443eb40, count: 4
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb> 
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
*cpu0: ufsdirhash_lookup: bad offset in hash array
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8262e73e) at panic+0x161 sys/kern/subr_prf.c:202
ufsdirhash_lookup(fffffd806e91f5a0,ffffffff8260c77c,2,fffffd806e91f64c,ffff80002e83b5b8,0) at ufsdirhash_lookup+0x8b8 sys/ufs/ufs/ufs_dirhash.c:343
ufs_lookup() at ufs_lookup+0xc15 sys/ufs/ufs/ufs_lookup.c:216
VOP_LOOKUP(fffffd8065a62d78,ffff80002e83b758,ffff80002e83b6f8) at VOP_LOOKUP+0x58 sys/kern/vfs_vops.c:85
unveil_find_cover(fffffd8065a62d78,ffff800025d0bcf0) at unveil_find_cover+0x130 sys/kern/kern_unveil.c:280
unveil_start_relative(ffff800025d0bcf0,ffff80002e83b978,fffffd8065a62d78) at unveil_start_relative+0xf6 sys/kern/kern_unveil.c:609
namei(ffff80002e83b978) at namei+0x7c9 sys/kern/vfs_lookup.c:232
dorenameat(ffff800025d0bcf0,4,200000c0,ffffff9c,20000140) at dorenameat+0x7b sys/kern/vfs_syscalls.c:2978
syscall(ffff80002e83bb70) at syscall+0x44e sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x1294443eb40, count: -11
ddb> show registers
rdi                                0
rsi                              0x1
rbp               0xffff80002e83b3e0
rbx                                0
rdx                                0
rcx                                0
rax               0xffff800025d0bcf0
r8                 0x101010101010101
r9                0x8080808080808080
r10               0xeac646875e8f1375
r11               0x98fd0bee09499c33
r12                                0
r13               0xffff800000cb3650
r14                                0
r15                              0x1
rip               0xffffffff81067a58    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff80002e83b3d0
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb> show proc
PROC (syz-executor.4) pid=255810 stat=onproc
    flags process=0 proc=4000000<THREAD>
    pri=32, usrpri=84, nice=20
    forw=0xffffffffffffffff, list=0xffff800025d0b270,0xffff800025d0a2c0
    process=0xffff8000215fcfc8 user=0xffff80002e836000, vmspace=0xfffffd80673ff010
    estcpu=36, cpticks=0, pctcpu=0.0
    user=0, sys=0, intr=0
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 27032  416514  50518      0  2           0                syz-executor.3
 27032  442409  50518      0  2   0x4000000                syz-executor.3
 28133  349971  10684      0  2           0                syz-executor.4
 28133  481175  10684      0  3   0x4000080  netio         syz-executor.4
*28133  255810  10684      0  7   0x4000000                syz-executor.4
 81447  513129  86360      0  2         0x2                syz-executor.5
 47188  221245  86360      0  2         0x2                syz-executor.0
 50518  272602  86360      0  3        0x82  nanoslp       syz-executor.3
 73605  315808  86360      0  3        0x82  piperd        syz-executor.7
 62473  309137  86360      0  3        0x82  nanoslp       syz-executor.6
 10684  176777  86360      0  3        0x82  nanoslp       syz-executor.4
 11528  486763      0      0  3     0x14200  acct          acct
 77453  260614      0      0  3     0x14280  nfsidl        nfsio
 82967  392622      0      0  3     0x14280  nfsidl        nfsio
  4760  275189      0      0  3     0x14280  nfsidl        nfsio
 54225  282773      0      0  3     0x14280  nfsidl        nfsio
 46941  124165      0      0  3     0x14280  nfsidl        nfsio
 59388  434957      0      0  3     0x14280  nfsidl        nfsio
 38592  498654      0      0  3     0x14200  bored         sosplice
 87258  114947  86360      0  3        0x82  nanoslp       syz-executor.1
 84675  114501  86360      0  3        0x82  nanoslp       syz-executor.2
 86360  168590  41027      0  3        0x82  thrsleep      syz-fuzzer
 86360   99861  41027      0  3   0x4000082  nanoslp       syz-fuzzer
 86360  474936  41027      0  3   0x4000082  thrsleep      syz-fuzzer
 86360   25531  41027      0  3   0x4000082  thrsleep      syz-fuzzer
 86360  211919  41027      0  3   0x4000082  thrsleep      syz-fuzzer
 86360   23592  41027      0  3   0x4000082  kqread        syz-fuzzer
 86360  231442  41027      0  3   0x4000082  thrsleep      syz-fuzzer
 86360   46575  41027      0  3   0x4000082  thrsleep      syz-fuzzer
 86360  136932  41027      0  3   0x4000082  thrsleep      syz-fuzzer
 41027  519717  26005      0  3    0x10008a  sigsusp       ksh
 26005  246398  71375      0  3        0x9a  kqread        sshd
 55919   24904      1      0  3    0x100083  ttyin         getty
 71375  370763      1      0  3        0x88  kqread        sshd
 32033  511853  85825     73  3   0x1100090  kqread        syslogd
 85825  162328      1      0  3    0x100082  netio         syslogd
 28143   50159      1      0  3    0x100080  kqread        resolvd
 16400  421396  64094     77  3    0x100092  kqread        dhcpleased
 81240  120901  64094     77  3    0x100092  kqread        dhcpleased
 64094  332829      1      0  3        0x80  kqread        dhcpleased
 15648   37185      0      0  3     0x14200  bored         smr
 15282  450977      0      0  2     0x14200                zerothread
 38011  219806      0      0  3     0x14200  aiodoned      aiodoned
 66804  457938      0      0  3     0x14200  syncer        update
 81925  455841      0      0  3     0x14200  cleaner       cleaner
 81665  185621      0      0  3     0x14200  reaper        reaper
  8927  371010      0      0  3     0x14200  pgdaemon      pagedaemon
 64669  217278      0      0  3     0x14200  bored         viomb
 21238  122867      0      0  3  0x40014200  acpi0         acpi0
  4619  319120      0      0  3     0x14200  bored         softnet
 60988  422922      0      0  3     0x14200  bored         softnet
 30173  160134      0      0  3     0x14200  bored         softnet
 41930  261640      0      0  3     0x14200  bored         softnet
 53712  522938      0      0  3     0x14200  bored         systqmp
 49181   48952      0      0  3     0x14200  bored         systq
  4610  429733      0      0  3  0x40014200  bored         softclock
  7892  250058      0      0  3  0x40014200                idle0
     1  419200      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb> show all locks
No such command
ddb> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 10190   6422K    7193K  78643K     27606        0
            pcb    13     14K      19K  78643K      4120        0
         rtable   223     24K      24K  78643K      2693        0
         ifaddr   103     25K      26K  78643K      2203        0
         sysctl     2      0K       0K  78643K         2        0
       counters    26     17K      17K  78643K       153        0
       ioctlops     0      0K       4K  78643K      6458        0
            iov     0      0K      24K  78643K       773        0
          mount     1      1K       1K  78643K         1        0
            log     0      0K       0K  78643K         4        0
         vnodes  1784    111K     112K  78643K     10065        0
      UFS quota     1     32K      32K  78643K         1        0
      UFS mount     5     36K      36K  78643K         5        0
            shm     2      1K       9K  78643K        79        0
         VM map     2      0K       0K  78643K         2        0
            sem    19      2K       2K  78643K       109        0
        dirhash    99     17K      19K  78643K     13317        0
           ACPI  1697    195K     286K  78643K     12548        0
      file desc    12     41K      70K  78643K     13419        0
          sigio     0      0K       0K  78643K        44        0
           proc    60     67K      83K  78643K      2870        0
        subproc   104      6K       6K  78643K       455        0
    NFS srvsock     1      0K       0K  78643K         1        0
     NFS daemon     1     16K      16K  78643K         1        0
    ip_moptions     0      0K       0K  78643K       420        0
       in_multi    68      4K       6K  78643K       474        0
    ether_multi     1      0K       0K  78643K        16        0
            mrt     1      0K       0K  78643K        16        0
    ISOFS mount     1     32K      32K  78643K         1        0
  MSDOSFS mount     1     16K      16K  78643K         1        0
           ttys   175    784K     784K  78643K       175        0
           exec     0      0K       2K  78643K      3340        0
     pfkey data     0      0K       0K  78643K         4        0
            tdb     3      0K       0K  78643K         3        0
        pagedep     1      8K       8K  78643K         1        0
       inodedep     1     32K      32K  78643K         1        0
         newblk     1      0K       0K  78643K         1        0
        VM swap     7     26K      26K  78643K         7        0
       UVM amap   326    508K     653K  78643K     75583        0
       UVM aobj   131      8K       8K  78643K       133        0
        memdesc     1      4K       4K  78643K         1        0
    crypto data     1      1K       1K  78643K         1        0
    ip6_options     0      0K       0K  78643K       989        0
            NDP    12      0K       1K  78643K       211        0
           temp   151   4772K   21114K  78643K     64234        0
         kqueue    12     18K      26K  78643K       461        0
      SYN cache     2     16K      16K  78643K         2        0
ddb> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
rtpcb      120    11563    0    11558    49    46     3     6     0     8    2
rtentry    112      467    0      389     4     0     4     4     0     8    0
unpcb      136     5872    0     5859    47    45     2     5     0     8    1
syncache   296       20    0       20     6     6     0     1     0     8    0
tcpqe       32      350    0      350     5     5     0     1     0     8    0
tcpcb      736     1590    0     1586    53    52     1     8     0     8    0
arp         88       79    0       65     1     0     1     1     0     8    0
ipq         40        3    0        3     1     1     0     1     0     8    0
ipqe        40        9    0        9     1     1     0     1     0     8    0
inpcb      312     8618    0     8611    76    75     1    11     0     8    0
nd6         48      115    0       96     1     0     1     1     0     8    0
pkpcb       40       16    0       16     3     3     0     1     0     8    0
kcovpl      48       35    0       27     1     0     1     1     0     8    0
ppxss      1152      38    0       38     8     8     0     1     0     8    0
pfstscr     40       73    0       66     1     0     1     1     0     8    0
pfrktable  1344      56    0       37     3     1     2     2     0     8    0
pftag       88       10    0        1     1     0     1     1     0     8    0
pfstitem    24       46    0       32     1     0     1     1     0     8    0
pfstkey    112      136    0      134     1     0     1     1     0     8    0
pfstate    336       68    0       61     1     0     1     1     0     8    0
pfrule     1360    2554    0     1786    64     0    64    64     0     8    0
rttmr       64        6    0        6     1     1     0     1     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256     1992    0     1677    40    19    21    30     0     8    0
art_table   32     1993    0     1677     4     1     3     4     0     8    0
art_node    16      462    0      395     1     0     1     1     0     8    0
sysvmsgpl   40        6    0        0     1     0     1     1     0     8    0
semupl     112        5    0        5     3     3     0     1     0     8    0
semapl     112      105    0       88     1     0     1     1     0     8    0
shmpl      112      130    0        2     4     0     4     4     0     8    0
dirhash    1024    4452    0     4406     8     1     7     7     0     8    1
dino2pl    256    28280    0    26766    95     0    95    95     0     8    0
ffsino     240    28281    0    26766    90     0    90    90     0     8    0
nchpl      144    48651    0    47015    63     0    63    63     0     8    0
uvmvnodes   80     5926    0        0   121     0   121   121     0     8    0
vnodes     224     5926    0        0   349     0   349   349     0     8    0
namei      1024  196167    0   196165    15    13     2     2     0     8    1
vcpupl     1984      29    0        0     4     0     4     4     0     8    0
vmpool     528       34    0        5     2     0     2     2     0     8    0
pfiaddrpl  120       52    0        6     2     0     2     2     0     8    0
kstatmem   264      278    0      254     2     0     2     2     0     8    0
scsiplug    72        6    0        6     2     2     0     1     0     8    0
scxspl     216   137862    0   137862    15    14     1     8     0     8    1
plimitpl   152      832    0      818     1     0     1     1     0     8    0
sigapl     424    13677    0    13627     8     1     7     8     0     8    0
futexpl     64   136024    0   136024     1     0     1     1     0     8    1
knotepl    120   136314    0   136234    34    30     4    17     0     8    0
kqueuepl   184     2408    0     2400    28    27     1     6     0     8    0
pipepl     304     2425    0     2397    58    53     5     8     0     8    2
fdescpl    432    13637    0    13614     5     1     4     4     0     8    0
filepl     120   107317    0   107078    94    83    11    16     0     8    3
lockfpl    104     2297    0     2295     4     3     1     2     0     8    0
lockfspl    48      588    0      586     1     0     1     1     0     8    0
sessionpl  144       50    0       34     1     0     1     1     0     8    0
pgrppl      48       83    0       67     1     0     1     1     0     8    0
ucredpl     96    25098    0    25083     1     0     1     1     0     8    0
zombiepl   144    13630    0    13627     1     0     1     1     0     8    0
processpl  1000   13677    0    13627    10     2     8     9     0     8    0
procpl     672    35086    0    35025    12     5     7     8     0     8    0
sosppl     168       55    0       55     8     8     0     1     0     8    0
sockpl     448    26077    0    26052   328   318    10    26     0     8    7
mcl64k     65536    262    0      262    21    20     1     1     0     8    1
mcl16k     16384    111    0      111    24    24     0     1     0     8    0
mcl12k     12288    259    0      259    22    21     1     1     0     8    1
mcl9k      9216     108    0      108    23    23     0     1     0     8    0
mcl8k      8192     633    0      633    14    13     1     1     0     8    1
mcl4k      4096    1326    0     1325     6     5     1     1     0     8    0
mcl2k2     2112     110    0      110    20    19     1     1     0     8    1
mcl2k      2048   88218    0    88149    28    17    11    16     0     8    1
mtagpl      96     2484    0     1758    22     4    18    18     0     8    0
mbufpl     256   245782    0   244846   377   316    61   201     0     8    0
bufpl      288    26781    0    20374   458     0   458   458     0     8    0
anonpl      24  2440577    0  2424673   149    40   109   125     0   188    0
amapchunkpl 152  253174    0   252635   405   380    25   339     0   158    0
amappl16   200    33569    0    32972    65    32    33    45     0     8    0
amappl15   192     1000    0      999     4     3     1     1     0     8    0
amappl14   184     1052    0     1048     1     0     1     1     0     8    0
amappl13   176      914    0      912     1     0     1     1     0     8    0
amappl12   168     1397    0     1389     1     0     1     1     0     8    0
amappl11   160     3818    0     3801     2     1     1     2     0     8    0
amappl10   152      854    0      849     1     0     1     1     0     8    0
amappl9    144     2959    0     2950     1     0     1     1     0     8    0
amappl8    136     4106    0     4012     5     1     4     4     0     8    0
amappl7    128     3183    0     3171     1     0     1     1     0     8    0
amappl6    120     2878    0     2856     2     1     1     2     0     8    0
amappl5    112    10586    0    10575     1     0     1     1     0     8    0
amappl4    104     6865    0     6831     4     3     1     2     0     8    0
amappl3     96    40263    0    40227     2     0     2     2     0     8    0
amappl2     88    16379    0    16317     3     1     2     3     0     8    0
amappl1     80   319963    0   319426    25    10    15    19     0     8    0
amappl      88    73288    0    73131     5     0     5     5     0    92    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma1024    1024       1    0        0     1     0     1     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      72      132    0        2     3     0     3     3     0     8    0
uaddrrnd    24    13671    0    13619     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24    13671    0    13619     1     0     1     1     0     8    0
vmmpekpl   168    95071    0    95010     3     0     3     3     0     8    0
vmmpepl    168  1307620    0  1305349   220    97   123   143     0   357    0
vmsppl     272    13670    0    13619     7     3     4     4     0     8    0
rwobjpl     24   313546    0   305933    49     1    48    48     0     8    0
pdppl      4096   27348    0    27267   577   484    93    93     0     8   12
pvpl        32  4800824    0  4780908   333   156   177   254     0   265    0
pmappl     216    13670    0    13619     4     0     4     4     0     8    0
extentpl    40       58    0       38     1     0     1     1     0     8    0
phpool     112     2286    0     1362    30     3    27    29     0     8    0
ddb> machine ddbcpu 0
No such command
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8262e73e) at panic+0x161 sys/kern/subr_prf.c:202
ufsdirhash_lookup(fffffd806e91f5a0,ffffffff8260c77c,2,fffffd806e91f64c,ffff80002e83b5b8,0) at ufsdirhash_lookup+0x8b8 sys/ufs/ufs/ufs_dirhash.c:343
ufs_lookup() at ufs_lookup+0xc15 sys/ufs/ufs/ufs_lookup.c:216
VOP_LOOKUP(fffffd8065a62d78,ffff80002e83b758,ffff80002e83b6f8) at VOP_LOOKUP+0x58 sys/kern/vfs_vops.c:85
unveil_find_cover(fffffd8065a62d78,ffff800025d0bcf0) at unveil_find_cover+0x130 sys/kern/kern_unveil.c:280
unveil_start_relative(ffff800025d0bcf0,ffff80002e83b978,fffffd8065a62d78) at unveil_start_relative+0xf6 sys/kern/kern_unveil.c:609
namei(ffff80002e83b978) at namei+0x7c9 sys/kern/vfs_lookup.c:232
dorenameat(ffff800025d0bcf0,4,200000c0,ffffff9c,20000140) at dorenameat+0x7b sys/kern/vfs_syscalls.c:2978
syscall(ffff80002e83bb70) at syscall+0x44e sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x1294443eb40, count: -11
ddb> machine ddbcpu 1
No such command
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8262e73e) at panic+0x161 sys/kern/subr_prf.c:202
ufsdirhash_lookup(fffffd806e91f5a0,ffffffff8260c77c,2,fffffd806e91f64c,ffff80002e83b5b8,0) at ufsdirhash_lookup+0x8b8 sys/ufs/ufs/ufs_dirhash.c:343
ufs_lookup() at ufs_lookup+0xc15 sys/ufs/ufs/ufs_lookup.c:216
VOP_LOOKUP(fffffd8065a62d78,ffff80002e83b758,ffff80002e83b6f8) at VOP_LOOKUP+0x58 sys/kern/vfs_vops.c:85
unveil_find_cover(fffffd8065a62d78,ffff800025d0bcf0) at unveil_find_cover+0x130 sys/kern/kern_unveil.c:280
unveil_start_relative(ffff800025d0bcf0,ffff80002e83b978,fffffd8065a62d78) at unveil_start_relative+0xf6 sys/kern/kern_unveil.c:609
namei(ffff80002e83b978) at namei+0x7c9 sys/kern/vfs_lookup.c:232
dorenameat(ffff800025d0bcf0,4,200000c0,ffffff9c,20000140) at dorenameat+0x7b sys/kern/vfs_syscalls.c:2978
syscall(ffff80002e83bb70) at syscall+0x44e sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x1294443eb40, count: -11

Crashes (1):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2022/05/16 03:41 | openbsd | 9d7872c9260d | 744a39e2 | .config | console log | report | | | | | ci-openbsd-main | panic: ufsdirhash_lookup: bad offset in hash array
* Struck through repros no longer work on HEAD.