panic: ufs_rename: lost dir entry

panic: ufs_rename: lost dir entry
Status: upstream: reported syz repro on 2020/02/14 02:31
Reported-by: syzbot+f94777020f021fc5d7b3@syzkaller.appspotmail.com
First crash: 434d, last: 288d

Sample crash report:
panic: ufs_rename: lost dir entry
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
 519032  35073      0           0          0    1  syz-executor.0
*   315  35073      0           0  0x4000000    0K syz-executor.0
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff821db594) at panic+0x15c sys/kern/subr_prf.c:207
ufs_mkdir(ffff800020b87a88) at ufs_mkdir
VOP_RENAME(fffffd806c1d1b80,fffffd807c132c30,ffff800020b87c98,fffffd807c132b60,0,ffff800020b87bc8) at VOP_RENAME+0x106 sys/kern/vfs_vops.c:426
dorenameat(ffff800020aa9608,e,20000140,c,20000180) at dorenameat+0x2a3 sys/kern/vfs_syscalls.c:2979
syscall(ffff800020b87e30) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800020b87e30) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xcb945f9a260, count: 8
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{0}> 
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
ufs_rename: lost dir entry
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff821db594) at panic+0x15c sys/kern/subr_prf.c:207
ufs_mkdir(ffff800020b87a88) at ufs_mkdir
VOP_RENAME(fffffd806c1d1b80,fffffd807c132c30,ffff800020b87c98,fffffd807c132b60,0,ffff800020b87bc8) at VOP_RENAME+0x106 sys/kern/vfs_vops.c:426
dorenameat(ffff800020aa9608,e,20000140,c,20000180) at dorenameat+0x2a3 sys/kern/vfs_syscalls.c:2979
syscall(ffff800020b87e30) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800020b87e30) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xcb945f9a260, count: -7
ddb{0}> show registers
rdi                                0
rsi                              0x1
rbp               0xffff800020b87800
rbx               0xffff800020b878b0
rdx                             0x8b
rcx                              0x2
rax                              0x1
r8                0xffffffff81102b0f    kprintf+0x16f
r9                               0x1
r10               0xf636ee0151d2d0e5
r11               0x158b7a16bc0e05b0
r12                     0x3000000008
r13               0xffff800020b87810
r14                            0x100
r15                              0x1
rip               0xffffffff816f8f38    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff800020b877f0
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor.0) pid=315 stat=onproc
    flags process=0 proc=4000000<THREAD>
    pri=17, usrpri=53, nice=20
    forw=0xffffffffffffffff, list=0xffff800020aa9ae8,0xffffffff82618be0
    process=0xffff800020a91690 user=0xffff800020b82000, vmspace=0xfffffd806ea25738
    estcpu=3, cpticks=0, pctcpu=0.0
    user=0, sys=0, intr=0
ddb{0}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 35073  519032    542      0  7           0                syz-executor.0
 35073   36181    542      0  3   0x4000080  select        syz-executor.0
 35073  349764    542      0  3   0x4000080  select        syz-executor.0
 35073   29245    542      0  3   0x4000080  fsleep        syz-executor.0
 35073    7966    542      0  3   0x4000080  fsleep        syz-executor.0
 35073  336907    542      0  3   0x4000080  fsleep        syz-executor.0
*35073     315    542      0  7   0x4000000                syz-executor.0
   542  469040  42518      0  3        0x82  nanosleep     syz-executor.0
 42518  110130  44986      0  3        0x82  kqread        syz-execprog
 42518  304702  44986      0  3   0x4000082  thrsleep      syz-execprog
 42518  472090  44986      0  3   0x4000082  thrsleep      syz-execprog
 42518  434029  44986      0  3   0x4000082  thrsleep      syz-execprog
 42518  112714  44986      0  3   0x4000082  thrsleep      syz-execprog
 42518  326278  44986      0  3   0x4000082  thrsleep      syz-execprog
 42518   18759  44986      0  3   0x4000082  thrsleep      syz-execprog
 42518  511506  44986      0  3   0x4000082  thrsleep      syz-execprog
 42518  496918  44986      0  3   0x4000082  thrsleep      syz-execprog
 44986  469022  41436      0  3    0x10008a  pause         ksh
 41436  216691   3791      0  3        0x92  select        sshd
 69173  402438      1      0  3    0x100083  ttyin         getty
  3791  478667      1      0  3        0x80  select        sshd
  4655  515593  39716     73  3    0x100090  kqread        syslogd
 39716  214089      1      0  3    0x100082  netio         syslogd
 69645  108617      1     77  3    0x100090  poll          dhclient
 44180  493840      1      0  3        0x80  poll          dhclient
 18739  230471      0      0  3     0x14200  pgzero        zerothread
 71321    9796      0      0  3     0x14200  aiodoned      aiodoned
 31068  260237      0      0  3     0x14200  syncer        update
 17507  244391      0      0  3     0x14200  cleaner       cleaner
 50908  266509      0      0  3     0x14200  reaper        reaper
 70320   52549      0      0  3     0x14200  pgdaemon      pagedaemon
 18004  143881      0      0  3     0x14200  bored         crynlk
 87328  111725      0      0  3     0x14200  bored         crypto
 87203  263508      0      0  3  0x40014200  acpi0         acpi0
 82590  187672      0      0  3  0x40014200                idle1
 13134  501438      0      0  3     0x14200  bored         softnet
  4601   15482      0      0  3     0x14200  bored         systqmp
  8493  413165      0      0  3     0x14200  bored         systq
 74655  206485      0      0  3  0x40014200  bored         softclock
 48125  393002      0      0  3  0x40014200                idle0
 61351  322772      0      0  3     0x14200  bored         smr
     1  240500      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{0}> show all locks
Process 35073 (syz-executor.0) thread 0xffff800020aa9608 (315)
exclusive rrwlock inode r = 0 (0xfffffd806d1492b8)
#0  witness_lock+0x52e sys/kern/subr_witness.c:1164
#1  rw_enter+0x453 sys/kern/kern_rwlock.c:309
#2  rrw_enter+0x88 sys/kern/kern_rwlock.c:453
#3  VOP_LOCK+0x4b sys/kern/vfs_vops.c:602
#4  vn_lock+0x81 sys/kern/vfs_vnops.c:571
#5  vget+0x1c8 sys/kern/vfs_subr.c:671
#6  ufs_ihashget+0x141 sys/ufs/ufs/ufs_ihash.c:119
#7  ffs_vget+0x74 sys/ufs/ffs/ffs_vfsops.c:1323
#8  ufs_lookup+0x14b7 sys/ufs/ufs/ufs_lookup.c:487
#9  VOP_LOOKUP+0x5b sys/kern/vfs_vops.c:90
#10 vfs_relookup+0xb0 sys/kern/vfs_lookup.c:789
#11 ufs_rename+0x1463 sys/ufs/ufs/ufs_vnops.c:1057
#12 VOP_RENAME+0x106 sys/kern/vfs_vops.c:426
#13 dorenameat+0x2a3 sys/kern/vfs_syscalls.c:2979
#14 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#14 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#15 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd806d149e68)
#0  witness_lock+0x52e sys/kern/subr_witness.c:1164
#1  rw_enter+0x453 sys/kern/kern_rwlock.c:309
#2  rrw_enter+0x88 sys/kern/kern_rwlock.c:453
#3  VOP_LOCK+0x4b sys/kern/vfs_vops.c:602
#4  vn_lock+0x81 sys/kern/vfs_vnops.c:571
#5  vfs_relookup+0x53 sys/kern/vfs_lookup.c:780
#6  ufs_rename+0x1463 sys/ufs/ufs/ufs_vnops.c:1057
#7  VOP_RENAME+0x106 sys/kern/vfs_vops.c:426
#8  dorenameat+0x2a3 sys/kern/vfs_syscalls.c:2979
#9  syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#9  syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#10 Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82633b18)
#0  witness_lock+0x52e sys/kern/subr_witness.c:1164
#1  __mp_acquire_count+0x51 sys/kern/kern_lock.c:227
#2  mi_switch+0x392 sys/kern/sched_bsd.c:435
#3  sleep_finish+0x113 sys/kern/kern_synch.c:415
#4  sleep_finish_all+0x32 sleep_finish_timeout sys/kern/kern_synch.c:444 [inline]
#4  sleep_finish_all+0x32 sys/kern/kern_synch.c:206
#5  tsleep+0x1cc sys/kern/kern_synch.c:155
#6  biowait+0xa6 sys/kern/vfs_bio.c:1255
#7  bwrite+0x1e4 sys/kern/vfs_bio.c:765
#8  VOP_BWRITE+0x4a sys/kern/vfs_vops.c:727
#9  ufs_direnter+0x8e3 sys/ufs/ufs/ufs_lookup.c:909
#10 ufs_rename+0xbfe sys/ufs/ufs/ufs_vnops.c:951
#11 VOP_RENAME+0x106 sys/kern/vfs_vops.c:426
#12 dorenameat+0x2a3 sys/kern/vfs_syscalls.c:2979
#13 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#13 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#14 Xsyscall+0x128
ddb{0}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf  9458   6329K    6329K  78643K     10549        0
            pcb    13      8K       8K  78643K        13        0
         rtable    83      2K       2K  78643K       153        0
         ifaddr    32      8K       8K  78643K        32        0
       counters    41     33K      33K  78643K        41        0
       ioctlops     0      0K       2K  78643K        14        0
          mount     1      1K       1K  78643K         1        0
         vnodes  1180     74K      74K  78643K      1185        0
      UFS quota     1     32K      32K  78643K         1        0
      UFS mount     5     36K      36K  78643K         5        0
            shm     2      1K       1K  78643K         2        0
         VM map     2      1K       1K  78643K         2        0
            sem     2      0K       0K  78643K         2        0
        dirhash    12      2K       2K  78643K        12        0
           ACPI  1809    196K     290K  78643K     12766        0
      file desc     3      8K      12K  78643K        18        0
           proc    47     50K      70K  78643K       318        0
    NFS srvsock     1      0K       0K  78643K         1        0
     NFS daemon     1     16K      16K  78643K         1        0
       in_multi    22      1K       1K  78643K        22        0
    ether_multi     1      0K       0K  78643K         1        0
    ISOFS mount     1     32K      32K  78643K         1        0
  MSDOSFS mount     1     16K      16K  78643K         1        0
           ttys    19     95K      95K  78643K        19        0
           exec     0      0K       1K  78643K       171        0
        pagedep     1      8K       8K  78643K         1        0
       inodedep     1     32K      32K  78643K         1        0
         newblk     1      0K       0K  78643K         1        0
        VM swap     7     26K      26K  78643K         7        0
       UVM amap    80     11K      12K  78643K       869        0
       UVM aobj     2      2K       2K  78643K         2        0
        memdesc     1      4K       4K  78643K         1        0
    crypto data     1      1K       1K  78643K         1        0
            NDP     6      0K       0K  78643K         6        0
           temp    23   3005K    3069K  78643K      1690        0
         kqueue     3      4K       4K  78643K         3        0
      SYN cache     2     16K      16K  78643K         2        0
ddb{0}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp         64        4    0        0     1     0     1     1     0     8    0
plcache    128       20    0        0     1     0     1     1     0     8    0
rtpcb       80       17    0       15     1     0     1     1     0     8    0
rtentry    112       34    0        1     1     0     1     1     0     8    0
unpcb      120       27    0       19     1     0     1     1     0     8    0
syncache   264        5    0        5     1     1     0     1     0     8    0
tcpcb      544        8    0        5     1     0     1     1     0     8    0
inpcb      280       28    0       20     1     0     1     1     0     8    0
nd6         48        2    0        0     1     0     1     1     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      168    0        0    11     0    11    11     0     8    0
art_table   32      169    0        0     2     0     2     2     0     8    0
art_node    16       33    0        3     1     0     1     1     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino1pl    128     1419    0       19    46     0    46    46     0     8    0
ffsino     272     1419    0       19    94     0    94    94     0     8    0
nchpl      144     1648    0       44    60     0    60    60     0     8    0
uvmvnodes   72     1428    0        0    26     0    26    26     0     8    0
vnodes     208     1428    0        0    76     0    76    76     0     8    0
namei      1024    3950    0     3948     1     0     1     1     0     8    0
percpumem   16       31    0        0     1     0     1     1     0     8    0
scxspl     192     4457    0     4457     2     1     1     2     0     8    1
plimitpl   152       14    0        8     1     0     1     1     0     8    0
sigapl     432      197    0      185     2     0     2     2     0     8    0
futexpl     56       35    0       32     1     0     1     1     0     8    0
knotepl    112       39    0       28     1     0     1     1     0     8    0
kqueuepl   104        2    0        0     1     0     1     1     0     8    0
pipelkpl    48       67    0       60     1     0     1     1     0     8    0
pipepl     120      134    0      121     1     0     1     1     0     8    0
fdescpl    496      198    0      185     2     0     2     2     0     8    0
filepl     152     1036    0      971     3     0     3     3     0     8    0
lockfpl    104        5    0        4     1     0     1     1     0     8    0
lockfspl    48        3    0        2     1     0     1     1     0     8    0
sessionpl  112       18    0        9     1     0     1     1     0     8    0
pgrppl      48       18    0        9     1     0     1     1     0     8    0
ucredpl     96       47    0       40     1     0     1     1     0     8    0
zombiepl   144      185    0      185     1     0     1     1     0     8    1
processpl  960      213    0      185     4     0     4     4     0     8    0
procpl     624      227    0      185     4     0     4     4     0     8    0
sockpl     400       72    0       54     2     0     2     2     0     8    0
mcl4k      4096       3    0        0     1     0     1     1     0     8    0
mcl2k      2048      56    0        0     7     0     7     7     0     8    0
mtagpl      80        1    0        0     1     0     1     1     0     8    0
mbufpl     256       91    0        0     5     0     5     5     0     8    0
bufpl      280     3728    0      183   254     0   254   254     0     8    0
anonpl      16    20801    0    18988    16     2    14    14     0   125    6
amapchunkpl 152     779    0      701     5     0     5     5     0   158    1
amappl16   192       94    0       49     3     0     3     3     0     8    0
amappl15   184       50    0       46     1     0     1     1     0     8    0
amappl14   176       22    0       20     1     0     1     1     0     8    0
amappl13   168        3    0        1     1     0     1     1     0     8    0
amappl12   160        8    0        6     2     1     1     1     0     8    0
amappl11   152       52    0       40     1     0     1     1     0     8    0
amappl10   144       10    0       10     2     1     1     1     0     8    1
amappl9    136      413    0      409     1     0     1     1     0     8    0
amappl8    128       95    0       82     1     0     1     1     0     8    0
amappl7    120       86    0       76     1     0     1     1     0     8    0
amappl6    112       55    0       50     1     0     1     1     0     8    0
amappl5    104      113    0      104     1     0     1     1     0     8    0
amappl4     96      427    0      403     1     0     1     1     0     8    0
amappl3     88      125    0      117     1     0     1     1     0     8    0
amappl2     80      864    0      798     3     0     3     3     0     8    1
amappl1     72    13519    0    13098    24     6    18    20     0     8    8
amappl      80      426    0      393     1     0     1     1     0    84    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      64        1    0        0     1     0     1     1     0     8    0
uaddrrnd    24      198    0      185     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      198    0      185     1     0     1     1     0     8    0
vmmpekpl   168     5964    0     5943     2     0     2     2     0     8    0
vmmpepl    168    29755    0    28780    87     8    79    79     0   357   36
vmsppl     368      197    0      185     2     0     2     2     0     8    0
pdppl      4096     403    0      370     5     0     5     5     0     8    0
pvpl        32   104076    0    99911   116     0   116   116     0   265   82
pmappl     232      197    0      185     1     0     1     1     0     8    0
extentpl    40       46    0       29     1     0     1     1     0     8    0
phpool     112      139    0        2     4     0     4     4     0     8    0
ddb{0}>
Crashes (3):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro
ci-openbsd-setuid	2020/02/14 04:07	openbsd	c9200921	5d7b90f1	.config	log	report	syz
ci-openbsd-setuid	2020/07/08 20:28	openbsd	638aa2bc	bae5742c	.config	log	report
ci-openbsd-setuid	2020/02/14 02:30	openbsd	c9200921	5d7b90f1	.config	log	report