syzbot


panic: vrele: v_writecount != 0

Status: fixed on 2019/08/05 23:05
Reported-by: syzbot+4724df09d9ab0fdca28a@syzkaller.appspotmail.com
Fix commit: 3e253b4759f0 Favor vn_close() in the error path of diskmapioctl() since side-effects caused by calling vn_open() with write permissions must be reverted. Otherwise, the vfs subsystem could panic while releasing the last vnode reference if the writecount is still positive.
First crash: 1219d, last: 1214d
similar bugs (1):
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
openbsd | panic: vrele: v_writecount != 0 (2) | C | | | 1955 | 665d | 665d | 3/3 | fixed on 2021/02/04 23:26
Patch testing requests:
Created Duration User Patch Repo Result
2019/08/02 16:00 14m anton@basename.se https://github.com/mptre/openbsd-src diskmap OK

Sample crash report:
panic: vrele: v_writecount != 0
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*429714  44852      0         0x2  0x4000000    0  syz-executor0213
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
vrele(fffffd803b532710) at vrele+0x188 sys/kern/vfs_subr.c:797
diskmapioctl(5a00,c0106477,ffff80001497fea0,1,ffff8000ffff5648) at diskmapioctl+0x2a8 sys/dev/diskmap.c:140
VOP_IOCTL(fffffd80374158a0,c0106477,ffff80001497fea0,1,fffffd803f7c6ae0,ffff8000ffff5648) at VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
vn_ioctl(fffffd8036535080,c0106477,ffff80001497fea0,ffff8000ffff5648) at vn_ioctl+0xb6 sys/kern/vfs_vnops.c:519
sys_ioctl(ffff8000ffff5648,ffff80001497ffb8,ffff800014980020) at sys_ioctl+0x5b8
syscall(ffff800014980080) at syscall+0x508
Xsyscall(6,0,509131d80c8,0,509131d80a8,509131d80a0) at Xsyscall+0x128
end of kernel
end trace frame: 0x50bab258d20, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb> 
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
vrele: v_writecount != 0
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
vrele(fffffd803b532710) at vrele+0x188 sys/kern/vfs_subr.c:797
diskmapioctl(5a00,c0106477,ffff80001497fea0,1,ffff8000ffff5648) at diskmapioctl+0x2a8 sys/dev/diskmap.c:140
VOP_IOCTL(fffffd80374158a0,c0106477,ffff80001497fea0,1,fffffd803f7c6ae0,ffff8000ffff5648) at VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
vn_ioctl(fffffd8036535080,c0106477,ffff80001497fea0,ffff8000ffff5648) at vn_ioctl+0xb6 sys/kern/vfs_vnops.c:519
sys_ioctl(ffff8000ffff5648,ffff80001497ffb8,ffff800014980020) at sys_ioctl+0x5b8
syscall(ffff800014980080) at syscall+0x508
Xsyscall(6,0,509131d80c8,0,509131d80a8,509131d80a0) at Xsyscall+0x128
end of kernel
end trace frame: 0x50bab258d20, count: -9
ddb> show registers
rdi                                0
rsi                              0x1
rbp               0xffff80001497fa60
rbx               0xffff80001497fb10
rdx                              0x2
rcx                              0x1
rax                              0x1
r8                0xffff80001497fa20
r9                               0x1
r10               0x5582f37ff1e16aa8
r11               0xba385b527345ccae
r12                     0x3000000008
r13               0xffff80001497fa70
r14                            0x100
r15                              0x1
rip               0xffffffff8141a408    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff80001497fa50
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb> show proc
PROC (syz-executor0213) pid=429714 stat=onproc
    flags process=2<EXEC> proc=4000000<THREAD>
    pri=24, usrpri=50, nice=20
    forw=0xffffffffffffffff, list=0xffff8000ffff5b38,0xffff8000ffff4020
    process=0xffff800014942018 user=0xffff80001497b000, vmspace=0xfffffd803f00c220
    estcpu=0, cpticks=2, pctcpu=0.0
    user=0, sys=2, intr=0
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 44852   35757   1804      0  2         0x2                syz-executor0213
*44852  429714   1804      0  7   0x4000002                syz-executor0213
 44852  101060   1804      0  2   0x4000002                syz-executor0213
  1804  210316  54369      0  3    0x10008a  pause         ksh
 54369  107265  59454      0  3        0x92  select        sshd
 20252  105870      1      0  3    0x100083  ttyin         getty
 59454  328956      1      0  3        0x80  select        sshd
 29507  288062  52125     73  2    0x100090                syslogd
 52125  459546      1      0  3    0x100082  netio         syslogd
 20059  343245      1     77  3    0x100090  poll          dhclient
 32781  124896      1      0  3        0x80  poll          dhclient
 77079  320766      0      0  2     0x14200                zerothread
 52403  171623      0      0  3     0x14200  aiodoned      aiodoned
 16238  196056      0      0  3     0x14200  syncer        update
 37961  393319      0      0  3     0x14200  cleaner       cleaner
 89618  240927      0      0  3     0x14200  reaper        reaper
 68647     214      0      0  3     0x14200  pgdaemon      pagedaemon
 52448  173219      0      0  3     0x14200  bored         crynlk
 12848  441366      0      0  3     0x14200  bored         crypto
 85245  302917      0      0  3  0x40014200  acpi0         acpi0
 15503  468649      0      0  3     0x14200  bored         softnet
 45423  405801      0      0  3     0x14200  bored         systqmp
 34818  509738      0      0  3     0x14200  bored         systq
 10821  221791      0      0  3  0x40014200  bored         softclock
 39128   99366      0      0  3  0x40014200                idle0
 90799   31366      0      0  3     0x14200  bored         smr
     1  507578      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb> show all locks
No such command

Crashes (51):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-openbsd-main 2019/07/31 04:09 openbsd 75866a61bd74 7c7ded69 .config log report syz C
ci-openbsd-multicore 2019/08/05 18:06 openbsd d8d31ef08b65 6affd8e8 .config log report
ci-openbsd-multicore 2019/08/05 16:44 openbsd d8d31ef08b65 6affd8e8 .config log report
ci-openbsd-multicore 2019/08/05 08:28 openbsd 864b814f529e 6affd8e8 .config log report
ci-openbsd-main 2019/08/05 05:09 openbsd 864b814f529e 6affd8e8 .config log report
ci-openbsd-main 2019/08/05 02:15 openbsd 864b814f529e 6affd8e8 .config log report
ci-openbsd-main 2019/08/04 23:41 openbsd 864b814f529e 6affd8e8 .config log report
ci-openbsd-multicore 2019/08/04 21:45 openbsd 864b814f529e 6affd8e8 .config log report
ci-openbsd-main 2019/08/04 19:38 openbsd e4f599ca6879 6affd8e8 .config log report
ci-openbsd-main 2019/08/04 16:29 openbsd e4f599ca6879 6affd8e8 .config log report
ci-openbsd-multicore 2019/08/04 15:41 openbsd e4f599ca6879 6affd8e8 .config log report
ci-openbsd-multicore 2019/08/04 14:24 openbsd e4f599ca6879 6affd8e8 .config log report
ci-openbsd-multicore 2019/08/04 13:01 openbsd e4f599ca6879 6affd8e8 .config log report
ci-openbsd-multicore 2019/08/04 11:21 openbsd e4f599ca6879 6affd8e8 .config log report
ci-openbsd-main 2019/08/04 10:22 openbsd e4f599ca6879 6affd8e8 .config log report
ci-openbsd-main 2019/08/04 08:57 openbsd e4f599ca6879 6affd8e8 .config log report
ci-openbsd-main 2019/08/04 06:19 openbsd d72f70aa5ac4 6affd8e8 .config log report
ci-openbsd-main 2019/08/04 05:37 openbsd d72f70aa5ac4 6affd8e8 .config log report
ci-openbsd-main 2019/08/04 01:51 openbsd d72f70aa5ac4 6affd8e8 .config log report
ci-openbsd-multicore 2019/08/03 20:49 openbsd d72f70aa5ac4 6affd8e8 .config log report
ci-openbsd-multicore 2019/08/03 11:15 openbsd c935b51f457f 6affd8e8 .config log report
ci-openbsd-main 2019/08/03 08:05 openbsd c935b51f457f 6affd8e8 .config log report
ci-openbsd-main 2019/08/03 03:57 openbsd f7c95aac3abf 3faab807 .config log report
ci-openbsd-main 2019/08/03 02:19 openbsd f7c95aac3abf 3faab807 .config log report
ci-openbsd-main 2019/08/02 23:58 openbsd f7c95aac3abf 3faab807 .config log report
ci-openbsd-main 2019/08/02 19:29 openbsd f7c95aac3abf 3faab807 .config log report
ci-openbsd-main 2019/08/02 15:21 openbsd f7c95aac3abf 835dffe7 .config log report
ci-openbsd-multicore 2019/08/02 09:21 openbsd c529027a472a 835dffe7 .config log report
ci-openbsd-main 2019/08/02 06:24 openbsd c529027a472a 835dffe7 .config log report
ci-openbsd-main 2019/08/02 04:08 openbsd c529027a472a 835dffe7 .config log report
ci-openbsd-multicore 2019/08/02 03:27 openbsd c529027a472a 835dffe7 .config log report
ci-openbsd-multicore 2019/08/02 01:10 openbsd 6521c58462c4 835dffe7 .config log report
ci-openbsd-multicore 2019/08/02 00:00 openbsd 6521c58462c4 835dffe7 .config log report
ci-openbsd-main 2019/08/01 22:13 openbsd 6521c58462c4 835dffe7 .config log report
ci-openbsd-main 2019/08/01 22:02 openbsd 6521c58462c4 835dffe7 .config log report
ci-openbsd-main 2019/08/01 21:55 openbsd 6521c58462c4 835dffe7 .config log report
ci-openbsd-main 2019/08/01 20:46 openbsd 6521c58462c4 835dffe7 .config log report
ci-openbsd-multicore 2019/08/01 19:14 openbsd 6521c58462c4 835dffe7 .config log report
ci-openbsd-multicore 2019/08/01 17:49 openbsd 6521c58462c4 835dffe7 .config log report
ci-openbsd-main 2019/08/01 11:09 openbsd e9c83ba3b557 c692b5bd .config log report
ci-openbsd-multicore 2019/08/01 04:49 openbsd e9c83ba3b557 c692b5bd .config log report
ci-openbsd-main 2019/08/01 03:32 openbsd e9c83ba3b557 c692b5bd .config log report
ci-openbsd-main 2019/08/01 02:45 openbsd e9c83ba3b557 c692b5bd .config log report
ci-openbsd-multicore 2019/08/01 02:44 openbsd e9c83ba3b557 c692b5bd .config log report
ci-openbsd-multicore 2019/08/01 02:04 openbsd e9c83ba3b557 c692b5bd .config log report
ci-openbsd-multicore 2019/07/31 20:58 openbsd ddc1a6c2c175 995b2a26 .config log report
ci-openbsd-main 2019/07/31 20:14 openbsd ddc1a6c2c175 995b2a26 .config log report
ci-openbsd-main 2019/07/31 03:37 openbsd 75866a61bd74 7c7ded69 .config log report
ci-openbsd-main 2019/07/31 03:34 openbsd 75866a61bd74 7c7ded69 .config log report
* Struck through repros no longer work on HEAD.