kern.securelevel: 0 -> 1 creating runtime link editor directory cache. preserving editor files. starting network daemons: sshd. starting local daemons:. Wed Dec 15 23:30:40 PST 2021 OpenBSD/amd64 (ci-openbsd-setuid-2.c.syzkaller.internal) (tty00) Warning: Permanently added '10.128.0.188' (ED25519) to the list of known hosts. executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program login: uvm_fault(0xfffffd8008586cf0, 0x0, 0, 1) -> e kernel: page fault trap, code=0 Stopped at uvm_fault_lower+0xbb1: movq 0(%rbx),%rdi TID PID UID PRFLAGS PFLAGS CPU COMMAND *106416 42737 0 0 0x4000000 1K syz-executor1794 220797 42737 0 0 0x4000000 0 syz-executor1794 uvm_fault_lower(ffff800021226a80,ffff800021226ab8,ffff800021226a00,0) at uvm_fault_lower+0xbb1 uvm_fault(fffffd8008586cf0,20000000,0,2) at uvm_fault+0x24f upageflttrap(ffff800021226bf0,20000000) at upageflttrap+0x82 usertrap(ffff800021226bf0) at usertrap+0x214 recall_trap() at recall_trap+0x8 end of kernel end trace frame: 0xcf2c95d32f0, count: 10 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic *cpu1: uvm_fault(0xfffffd8008586cf0, 0x0, 0, 1) -> e ddb{1}> trace uvm_fault_lower(ffff800021226a80,ffff800021226ab8,ffff800021226a00,0) at uvm_fault_lower+0xbb1 uvm_fault(fffffd8008586cf0,20000000,0,2) at uvm_fault+0x24f upageflttrap(ffff800021226bf0,20000000) at upageflttrap+0x82 usertrap(ffff800021226bf0) at usertrap+0x214 recall_trap() at recall_trap+0x8 end of kernel end trace frame: 0xcf2c95d32f0, count: -5 ddb{1}> show registers rdi 0 rsi 0 rbp 0xffff800021226970 rbx 0 rdx 0x8b rcx 0x8 rax 0x1 r8 0xffffffff821e656e witness_assert+0x1fe r9 0x5 r10 0 r11 0x2a91698ae871a98c r12 0xffff800021226a80 r13 0xfffffd806ce2ee28 r14 0 r15 0xffffffff81d65300 uvn_flush+0x990 rip 0xffffffff81a60511 uvm_fault_lower+0xbb1 cs 0x8 rflags 0x10246 __ALIGN_SIZE+0xf246 rsp 0xffff8000212268e0 ss 0 uvm_fault_lower+0xbb1: movq 0(%rbx),%rdi ddb{1}> show proc PROC (syz-executor1794) pid=106416 stat=onproc flags process=0 proc=4000000 pri=36, usrpri=60, nice=20 forw=0xffffffffffffffff, list=0xffff800021193268,0xffff800021192018 process=0xffff8000ffff14d8 user=0xffff800021221000, vmspace=0xfffffd8008586cf0 estcpu=36, cpticks=0, pctcpu=0.0 user=0, sys=0, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 42737 470227 10376 0 2 0 syz-executor1794 *42737 106416 10376 0 7 0x4000000 syz-executor1794 42737 220797 10376 0 7 0x4000000 syz-executor1794 10376 487437 22010 0 3 0x80 nanoslp syz-executor1794 4299 179263 22010 0 3 0 biowait syz-executor1794 22010 454061 7364 0 3 0x82 nanoslp syz-executor1794 7364 118175 12124 0 3 0x10008a sigsusp ksh 12124 180097 71517 0 3 0x9a kqread sshd 25827 162815 1 0 3 0x100083 ttyin getty 71517 120902 1 0 3 0x88 kqread sshd 81290 442237 89405 73 3 0x100090 kqread syslogd 89405 452524 1 0 3 0x100082 netio syslogd 84552 420772 1 0 3 0x100080 kqread resolvd 51577 181722 94030 77 3 0x100092 kqread dhcpleased 42850 505917 94030 77 3 0x100092 kqread dhcpleased 94030 223341 1 0 3 0x80 kqread dhcpleased 53352 508219 0 0 3 0x14200 bored smr 39814 161099 0 0 3 0x14200 pgzero zerothread 80651 408767 0 0 3 0x14200 aiodoned aiodoned 70713 418418 0 0 3 0x14200 syncer update 77735 478406 0 0 3 0x14200 cleaner cleaner 42854 347986 0 0 3 0x14200 reaper reaper 33906 138368 0 0 3 0x14200 pgdaemon pagedaemon 35717 19040 0 0 3 0x14200 bored viomb 44437 18484 0 0 3 0x40014200 acpi0 acpi0 56691 227144 0 0 3 0x40014200 idle1 72879 315427 0 0 3 0x14200 bored softnet 71717 411143 0 0 3 0x14200 bored systqmp 30984 523136 0 0 3 0x14200 bored systq 42838 96102 0 0 3 0x40014200 bored softclock 2289 283963 0 0 3 0x40014200 idle0 1 67459 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks Process 42737 (syz-executor1794) thread 0xffff8000211922a8 (106416) exclusive kernel_lock &kernel_lock r = 1 (0xffffffff8286b6c8) #0 witness_lock+0x4b0 #1 __mp_acquire_count+0x4c #2 mi_switch+0x3d3 #3 sleep_finish+0x1b2 #4 rw_enter+0x35b #5 uvmfault_relock+0x6f #6 uvm_fault_lower+0x931 #7 uvm_fault+0x24f #8 upageflttrap+0x82 #9 usertrap+0x214 #10 recall_trap+0x8 Process 42737 (syz-executor1794) thread 0xffff800021192008 (220797) exclusive rwlock amaplk r = 0 (0xfffffd806cf430c0) #0 witness_lock+0x4b0 #1 uvm_fault_check+0x3d2 #2 uvm_fault+0x102 #3 upageflttrap+0x82 #4 usertrap+0x214 #5 recall_trap+0x8 shared rwlock vmmaplk r = 0 (0xfffffd8008586d08) #0 witness_lock+0x4b0 #1 uvmfault_lookup+0xe9 #2 uvm_fault_check+0x3a #3 uvm_fault+0x102 #4 upageflttrap+0x82 #5 usertrap+0x214 #6 recall_trap+0x8 Process 4299 (syz-executor1794) thread 0xffff8000ffff6d30 (179263) exclusive rrwlock inode r = 0 (0xfffffd806d769b48) #0 witness_lock+0x4b0 #1 rw_enter+0x3e2 #2 rrw_enter+0x8b #3 VOP_LOCK+0x87 #4 ufs_ihashins+0x42 #5 ffs_vget+0x141 #6 ffs_inode_alloc+0x1c3 #7 ufs_mkdir+0xf4 #8 VOP_MKDIR+0xbf #9 domkdirat+0x121 #10 syscall+0x489 #11 Xsyscall+0x128 exclusive rrwlock inode r = 0 (0xfffffd806d769d68) #0 witness_lock+0x4b0 #1 rw_enter+0x3e2 #2 rrw_enter+0x8b #3 VOP_LOCK+0x87 #4 vn_lock+0x84 #5 vfs_lookup+0xdd #6 namei+0x55a #7 domkdirat+0x75 #8 syscall+0x489 #9 Xsyscall+0x128 ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10105 6348K 6379K 78643K 11195 0 pcb 13 8K 8K 78643K 13 0 rtable 62 2K 2K 78643K 108 0 ifaddr 24 7K 7K 78643K 24 0 counters 40 33K 33K 78643K 40 0 ioctlops 0 0K 2K 78643K 25 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 5 0 vnodes 1182 74K 74K 78643K 1187 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 1K 78643K 2 0 VM map 2 1K 1K 78643K 2 0 sem 2 0K 0K 78643K 2 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12598 0 file desc 1 0K 5K 78643K 526 0 proc 55 74K 75K 78643K 222 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 in_multi 11 0K 0K 78643K 11 0 ether_multi 1 0K 0K 78643K 1 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 31 148K 148K 78643K 31 0 exec 0 0K 2K 78643K 312 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 96 4K 5K 78643K 3933 0 UVM aobj 3 2K 2K 78643K 3 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 NDP 3 0K 0K 78643K 3 0 temp 18 4181K 4245K 78643K 2072 0 kqueue 11 16K 16K 78643K 20 0 SYN cache 2 16K 16K 78643K 2 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 22 0 0 1 0 1 1 0 8 0 rtpcb 120 17 0 14 1 0 1 1 0 8 0 rtentry 112 23 0 1 1 0 1 1 0 8 0 unpcb 128 33 0 20 1 0 1 1 0 8 0 syncache 296 5 0 5 2 1 1 1 0 8 1 tcpcb 736 8 0 5 1 0 1 1 0 8 0 arp 120 2 0 0 1 0 1 1 0 8 0 inpcb 304 25 0 19 1 0 1 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 96 0 0 6 0 6 6 0 8 0 art_table 32 97 0 0 1 0 1 1 0 8 0 art_node 16 22 0 2 1 0 1 1 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 1759 0 372 87 0 87 87 0 8 0 ffsino 272 1759 0 372 93 0 93 93 0 8 0 nchpl 144 2284 0 740 59 1 58 58 0 8 0 uvmvnodes 80 1768 0 0 37 0 37 37 0 8 0 vnodes 224 1768 0 0 104 0 104 104 0 8 0 namei 1024 5793 0 5792 2 1 1 1 0 8 0 percpumem 16 32 0 0 1 0 1 1 0 8 0 scxspl 216 5250 0 5249 11 10 1 8 0 8 0 plimitpl 152 15 0 9 1 0 1 1 0 8 0 sigapl 424 404 0 374 4 0 4 4 0 8 0 futexpl 64 550 0 550 1 0 1 1 0 8 1 knotepl 112 36 0 0 2 0 2 2 0 8 0 kqueuepl 216 16 0 9 1 0 1 1 0 8 0 pipepl 336 62 0 59 2 1 1 1 0 8 0 fdescpl 496 390 0 374 3 0 3 3 0 8 0 filepl 152 1823 0 1769 3 0 3 3 0 8 0 lockfpl 104 6 0 4 1 0 1 1 0 8 0 lockfspl 48 4 0 2 1 0 1 1 0 8 0 sessionpl 144 17 0 9 1 0 1 1 0 8 0 pgrppl 48 17 0 9 1 0 1 1 0 8 0 ucredpl 96 589 0 579 1 0 1 1 0 8 0 zombiepl 144 374 0 374 2 1 1 1 0 8 1 processpl 1064 404 0 374 3 0 3 3 0 8 0 procpl 672 749 0 717 3 0 3 3 0 8 0 sockpl 480 75 0 53 3 0 3 3 0 8 0 mcl8k 8192 5 0 0 1 0 1 1 0 8 0 mcl4k 4096 2 0 0 1 0 1 1 0 8 0 mcl2k 2048 89 0 0 10 0 10 10 0 8 0 mtagpl 96 1 0 0 1 0 1 1 0 8 0 mbufpl 256 148 0 0 8 0 8 8 0 8 0 bufpl 288 2111 0 87 145 0 145 145 0 8 0 anonpl 24 62216 0 59835 19 3 16 16 0 186 1 amapchunkpl 152 7666 0 7495 9 1 8 8 0 158 1 amappl16 200 203 0 201 2 1 1 1 0 8 0 amappl15 192 58 0 54 1 0 1 1 0 8 0 amappl13 176 16 0 15 2 1 1 1 0 8 0 amappl12 168 11 0 11 2 2 0 1 0 8 0 amappl11 160 63 0 51 1 0 1 1 0 8 0 amappl10 152 7 0 7 1 1 0 1 0 8 0 amappl9 144 225 0 223 1 0 1 1 0 8 0 amappl8 136 252 0 247 1 0 1 1 0 8 0 amappl7 128 29 0 28 1 0 1 1 0 8 0 amappl6 120 35 0 31 1 0 1 1 0 8 0 amappl5 112 209 0 195 1 0 1 1 0 8 0 amappl4 104 649 0 627 1 0 1 1 0 8 0 amappl3 96 319 0 305 1 0 1 1 0 8 0 amappl2 88 271 0 238 1 0 1 1 0 8 0 amappl1 80 9462 0 9091 12 3 9 9 0 8 0 amappl 88 3536 0 3459 3 0 3 3 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 2 0 0 1 0 1 1 0 8 0 uaddrrnd 24 390 0 374 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 390 0 374 1 0 1 1 0 8 0 vmmpekpl 168 6778 0 6763 1 0 1 1 0 8 0 vmmpepl 168 32711 0 31823 46 4 42 42 0 357 3 vmsppl 368 389 0 374 2 0 2 2 0 8 0 rwobjpl 56 11381 0 9084 34 1 33 33 0 8 0 pdppl 4096 788 0 748 66 24 42 46 0 8 2 pvpl 32 150680 0 146397 43 5 38 38 0 265 3 pmappl 248 389 0 374 2 0 2 2 0 8 0 extentpl 40 58 0 40 1 0 1 1 0 8 0 phpool 112 431 0 28 12 0 12 12 0 8 0 ddb{1}> machine ddbcpu 0 Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp x86_ipi_db(ffffffff82783ff0) at x86_ipi_db+0x1a x86_ipi_handler() at x86_ipi_handler+0xb7 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 __mp_lock(ffffffff8286b4c0) at __mp_lock+0x122 intr_handler(ffff80002122bd10,ffff80000006a400) at intr_handler+0x5e Xintr_ioapic_edge17_untramp() at Xintr_ioapic_edge17_untramp+0x18f __mp_lock(ffffffff8286b4c0) at __mp_lock+0x122 uvm_fault(fffffd8008586cf0,cf2b0c90000,0,2) at uvm_fault+0x233 upageflttrap(ffff80002122c080,cf2b0c900f8) at upageflttrap+0x82 usertrap(ffff80002122c080) at usertrap+0x214 recall_trap() at recall_trap+0x8 end trace frame: 0x0, count: 4 ddb{0}> trace x86_ipi_db(ffffffff82783ff0) at x86_ipi_db+0x1a x86_ipi_handler() at x86_ipi_handler+0xb7 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 __mp_lock(ffffffff8286b4c0) at __mp_lock+0x122 intr_handler(ffff80002122bd10,ffff80000006a400) at intr_handler+0x5e Xintr_ioapic_edge17_untramp() at Xintr_ioapic_edge17_untramp+0x18f __mp_lock(ffffffff8286b4c0) at __mp_lock+0x122 uvm_fault(fffffd8008586cf0,cf2b0c90000,0,2) at uvm_fault+0x233 upageflttrap(ffff80002122c080,cf2b0c900f8) at upageflttrap+0x82 usertrap(ffff80002122c080) at usertrap+0x214 recall_trap() at recall_trap+0x8 end trace frame: 0x0, count: -11 ddb{0}> machine ddbcpu 1 Stopped at uvm_fault_lower+0xbb1: movq 0(%rbx),%rdi uvm_fault_lower(ffff800021226a80,ffff800021226ab8,ffff800021226a00,0) at uvm_fault_lower+0xbb1 uvm_fault(fffffd8008586cf0,20000000,0,2) at uvm_fault+0x24f upageflttrap(ffff800021226bf0,20000000) at upageflttrap+0x82 usertrap(ffff800021226bf0) at usertrap+0x214 recall_trap() at recall_trap+0x8 end of kernel end trace frame: 0xcf2c95d32f0, count: 10 ddb{1}> trace uvm_fault_lower(ffff800021226a80,ffff800021226ab8,ffff800021226a00,0) at uvm_fault_lower+0xbb1 uvm_fault(fffffd8008586cf0,20000000,0,2) at uvm_fault+0x24f upageflttrap(ffff800021226bf0,20000000) at upageflttrap+0x82 usertrap(ffff800021226bf0) at usertrap+0x214 recall_trap() at recall_trap+0x8 end of kernel end trace frame: 0xcf2c95d32f0, count: -5 ddb{1}>