kern.securelevel: 0 -> 1 creating runtime link editor directory cache. preserving editor files. starting network daemons: sshd. starting local daemons:. Mon Mar 25 20:42:30 PDT 2019 OpenBSD/amd64 (ci-openbsd-multicore-8.c.syzkaller.internal) (tty00) Warning: Permanently added '10.128.0.190' (ECDSA) to the list of known hosts. executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program login: panic: kernel diagnostic assertion "tname->un_flags & UNVEIL_USERSET" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_unveil.c", line 879 Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND 264074 61226 0 0 0 0 syz-executor6448 * 89049 76853 0 0 0x4000000 1K syz-executor6448 db_enter() at db_enter+0x18 panic() at panic+0x174 __assert(ffffffff81f7cec5,ffffffff81f805b4,36f,ffffffff81f8b307) at __assert+0x2e unveil_check_final(ffff800020b044b8,ffff800020bc7b38) at unveil_check_final+0x81d namei(ffff800020bc7b38) at namei+0x88b domkdirat(ffff800020b044b8,ffffff9c,20000040,0) at domkdirat+0x81 syscall(ffff800020bc7df0) at syscall+0x5b8 Xsyscall(6,0,1df6d39b0c8,0,1df6d39b0a8,1df6d39b0a0) at Xsyscall+0x128 end of kernel end trace frame: 0x1e17c25df20, count: 7 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic kernel diagnostic assertion "tname->un_flags & UNVEIL_USERSET" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_unveil.c", line 879 ddb{1}> trace db_enter() at db_enter+0x18 panic() at panic+0x174 __assert(ffffffff81f7cec5,ffffffff81f805b4,36f,ffffffff81f8b307) at __assert+0x2e unveil_check_final(ffff800020b044b8,ffff800020bc7b38) at unveil_check_final+0x81d namei(ffff800020bc7b38) at namei+0x88b domkdirat(ffff800020b044b8,ffffff9c,20000040,0) at domkdirat+0x81 syscall(ffff800020bc7df0) at syscall+0x5b8 Xsyscall(6,0,1df6d39b0c8,0,1df6d39b0a8,1df6d39b0a0) at Xsyscall+0x128 end of kernel end trace frame: 0x1e17c25df20, count: -8 ddb{1}> show registers rdi 0 rsi 0x1 rbp 0xffff800020bc78e0 rbx 0xffff800020bc7990 rdx 0xffffffff81f8b3e6 apollo_pio_rec+0x9d5d rcx 0x201 rax 0x1 r8 0xffffffff81b94ad3 kprintf+0x183 r9 0x1 r10 0xf7154240dfad5b9f r11 0x87043a6d9ca046b5 r12 0x3000000008 r13 0xffff800020bc78f0 r14 0x100 r15 0x1 rip 0xffffffff81d528d8 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff800020bc78d0 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{1}> show proc PROC (syz-executor6448) pid=89049 stat=onproc flags process=0 proc=4000000 pri=86, usrpri=86, nice=20 forw=0xffffffffffffffff, list=0xffff800020b05c28,0xffff800020b04e28 process=0xffff800020b7cd38 user=0xffff800020bc2000, vmspace=0xfffffd807effeca8 estcpu=36, cpticks=2, pctcpu=0.0 user=0, sys=2, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 61226 264074 27059 0 7 0 syz-executor6448 61226 195377 27059 0 3 0x4000000 biowait syz-executor6448 61226 246688 27059 0 2 0x4000000 syz-executor6448 76853 213926 95487 0 3 0x80 nanosleep syz-executor6448 *76853 89049 95487 0 7 0x4000000 syz-executor6448 76853 366323 95487 0 3 0x4000080 fsleep syz-executor6448 27059 333869 21567 0 3 0x80 nanosleep syz-executor6448 95487 389067 21567 0 3 0x80 nanosleep syz-executor6448 21567 90280 23580 0 3 0x82 nanosleep syz-executor6448 23580 5914 19273 0 3 0x10008a pause ksh 19273 296 63850 0 3 0x92 select sshd 83030 158496 1 0 3 0x100083 ttyin getty 63850 97625 1 0 3 0x80 select sshd 29481 108737 76413 74 3 0x100092 bpf pflogd 76413 79638 1 0 3 0x80 netio pflogd 75950 363631 79227 73 3 0x100090 kqread syslogd 79227 496909 1 0 3 0x100082 netio syslogd 34735 317365 1 77 3 0x100090 poll dhclient 13460 454764 1 0 3 0x80 poll dhclient 41740 453792 0 0 3 0x14200 pgzero zerothread 80095 458746 0 0 3 0x14200 aiodoned aiodoned 75995 493183 0 0 3 0x14200 syncer update 9375 142587 0 0 3 0x14200 cleaner cleaner 42724 115927 0 0 3 0x14200 reaper reaper 67509 503315 0 0 3 0x14200 pgdaemon pagedaemon 51773 270265 0 0 3 0x14200 bored crynlk 37253 233301 0 0 3 0x14200 bored crypto 38737 28207 0 0 3 0x40014200 acpi0 acpi0 9381 396108 0 0 3 0x40014200 idle1 16580 475178 0 0 3 0x14200 bored softnet 78671 452431 0 0 3 0x14200 bored systqmp 32269 206490 0 0 3 0x14200 bored systq 93206 115000 0 0 3 0x40014200 bored softclock 39872 28468 0 0 3 0x40014200 idle0 8413 263798 0 0 3 0x14200 bored smr 1 34312 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks Process 61226 (syz-executor6448) thread 0xffff800020b04e18 (195377) exclusive rrwlock inode r = 0 (0xfffffd807bcb6d60) locked @ /syzkaller/managers/multicore/kernel/sys/ufs/ufs/ufs_ihash.c:140 #0 witness_lock+0x594 #1 _rw_enter+0x45d #2 _rrw_enter+0x60 #3 ufs_ihashins+0x6d #4 ffs_vget+0x143 #5 ffs_inode_alloc+0x1cf #6 ufs_mkdir+0x10f #7 VOP_MKDIR+0x76 #8 domkdirat+0x12d #9 syscall+0x5b8 #10 Xsyscall+0x128 exclusive rrwlock inode r = 0 (0xfffffd807bcb6c50) locked @ /syzkaller/managers/multicore/kernel/sys/ufs/ufs/ufs_vnops.c:1547 #0 witness_lock+0x594 #1 _rw_enter+0x45d #2 _rrw_enter+0x60 #3 VOP_LOCK+0x57 #4 vn_lock+0x6e #5 vfs_lookup+0xf5 #6 namei+0x4b2 #7 domkdirat+0x81 #8 syscall+0x5b8 #9 Xsyscall+0x128 Process 76853 (syz-executor6448) thread 0xffff800020b044b8 (89049) exclusive rrwlock inode r = 0 (0xfffffd807bcb6e70) locked @ /syzkaller/managers/multicore/kernel/sys/ufs/ufs/ufs_vnops.c:1547 #0 witness_lock+0x594 #1 _rw_enter+0x45d #2 _rrw_enter+0x60 #3 VOP_LOCK+0x57 #4 vn_lock+0x6e #5 vfs_lookup+0xf5 #6 namei+0x4b2 #7 domkdirat+0x81 #8 syscall+0x5b8 #9 Xsyscall+0x128 exclusive kernel_lock &kernel_lock r = 0 (0xffffffff823e9b78) locked @ /syzkaller/managers/multicore/kernel/sys/sys/syscall_mi.h:90 #0 witness_lock+0x594 #1 syscall+0x48b #2 Xsyscall+0x128 ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim devbuf 9450 6382K 6383K 78643K 10537 0 0 pcb 25 9K 9K 78643K 57 0 0 rtable 61 2K 2K 78643K 125 0 0 ifaddr 25 7K 7K 78643K 26 0 0 counters 39 33K 33K 78643K 39 0 0 ioctlops 0 0K 4K 78643K 1467 0 0 mount 1 1K 1K 78643K 1 0 0 vnodes 1167 73K 73K 78643K 1172 0 0 UFS quota 1 32K 32K 78643K 1 0 0 UFS mount 5 36K 36K 78643K 5 0 0 shm 2 1K 1K 78643K 2 0 0 VM map 2 1K 1K 78643K 2 0 0 sem 2 0K 0K 78643K 2 0 0 dirhash 12 2K 2K 78643K 12 0 0 ACPI 1808 196K 290K 78643K 12628 0 0 file desc 1 0K 0K 78643K 1 0 0 proc 55 62K 82K 78643K 525 0 0 NFS srvsock 1 0K 0K 78643K 1 0 0 NFS daemon 1 16K 16K 78643K 1 0 0 in_multi 11 0K 0K 78643K 11 0 0 ether_multi 1 0K 0K 78643K 1 0 0 ISOFS mount 1 32K 32K 78643K 1 0 0 MSDOSFS mount 1 16K 16K 78643K 1 0 0 ttys 18 79K 79K 78643K 18 0 0 exec 0 0K 1K 78643K 179 0 0 pagedep 1 8K 8K 78643K 1 0 0 inodedep 1 32K 32K 78643K 1 0 0 newblk 1 0K 0K 78643K 1 0 0 VM swap 7 26K 26K 78643K 7 0 0 UVM amap 64 3K 3K 78643K 1021 0 0 UVM aobj 2 2K 2K 78643K 2 0 0 memdesc 1 4K 4K 78643K 1 0 0 crypto data 1 1K 1K 78643K 1 0 0 NDP 4 0K 0K 78643K 4 0 0 temp 39 2360K 2424K 78643K 2484 0 0 SYN cache 2 16K 16K 78643K 2 0 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 2 0 0 1 0 1 1 0 8 0 inpcbpl 280 29 0 23 1 0 1 1 0 8 0 plimitpl 152 14 0 8 1 0 1 1 0 8 0 plcache 128 20 0 0 1 0 1 1 0 8 0 rtentry 112 23 0 1 1 0 1 1 0 8 0 syncache 264 5 0 5 1 0 1 1 0 8 1 tcpqe 32 24 0 24 1 1 0 1 0 8 0 tcpcb 544 8 0 5 1 0 1 1 0 8 0 pfosfp 40 846 0 423 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfstitem 24 8 0 0 1 0 1 1 0 8 0 pfstkey 112 8 0 0 1 0 1 1 0 8 0 pfstate 328 8 0 0 1 0 1 1 0 8 0 pfrule 1360 21 0 16 2 1 1 2 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 96 0 0 6 0 6 6 0 8 0 art_table 32 97 0 0 1 0 1 1 0 8 0 art_node 16 22 0 2 1 0 1 1 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino1pl 128 1637 0 259 45 0 45 45 0 8 0 ffsino 272 1637 0 259 92 0 92 92 0 8 0 nchpl 144 2056 0 518 58 0 58 58 0 8 0 uvmvnodes 72 1647 0 0 30 0 30 30 0 8 0 vnodes 200 1647 0 0 87 0 87 87 0 8 0 namei 1024 4661 0 4659 2 1 1 1 0 8 0 percpumem 16 30 0 0 1 0 1 1 0 8 0 scxspl 192 3910 0 3909 7 1 6 6 0 8 5 sigapl 432 330 0 314 2 0 2 2 0 8 0 futexpl 56 146 0 145 1 0 1 1 0 8 0 knotepl 112 5 0 0 1 0 1 1 0 8 0 kqueuepl 104 1 0 0 1 0 1 1 0 8 0 pipepl 112 134 0 127 2 1 1 1 0 8 0 fdescpl 488 331 0 314 3 0 3 3 0 8 0 filepl 152 1202 0 1155 2 0 2 2 0 8 0 lockfpl 104 6 0 6 1 1 0 1 0 8 0 lockfspl 32 3 0 3 1 1 0 1 0 8 0 sessionpl 112 18 0 9 1 0 1 1 0 8 0 pgrppl 48 18 0 9 1 0 1 1 0 8 0 ucredpl 96 52 0 43 1 0 1 1 0 8 0 zombiepl 144 314 0 314 2 1 1 1 0 8 1 processpl 840 346 0 314 4 0 4 4 0 8 0 procpl 600 474 0 438 3 0 3 3 0 8 0 sockpl 384 73 0 55 2 0 2 2 0 8 0 mcl4k 4096 3 0 0 1 0 1 1 0 8 0 mcl2k 2048 74 0 0 10 0 10 10 0 8 0 mtagpl 80 1 0 0 1 0 1 1 0 8 0 mbufpl 256 94 0 0 6 0 6 6 0 8 0 bufpl 256 2416 0 275 134 0 134 134 0 8 0 anonpl 16 24187 0 22846 8 2 6 7 0 125 0 amapchunkpl 152 931 0 884 2 0 2 2 0 158 0 amappl16 192 303 0 291 1 0 1 1 0 8 0 amappl15 184 53 0 49 1 0 1 1 0 8 0 amappl14 176 16 0 15 2 1 1 1 0 8 0 amappl13 168 22 0 19 1 0 1 1 0 8 0 amappl12 160 12 0 12 1 1 0 1 0 8 0 amappl11 152 25 0 10 1 0 1 1 0 8 0 amappl10 144 56 0 54 1 0 1 1 0 8 0 amappl9 136 424 0 423 1 0 1 1 0 8 0 amappl8 128 105 0 97 1 0 1 1 0 8 0 amappl7 120 18 0 17 1 0 1 1 0 8 0 amappl6 112 44 0 39 1 0 1 1 0 8 0 amappl5 104 121 0 108 1 0 1 1 0 8 0 amappl4 96 553 0 524 1 0 1 1 0 8 0 amappl3 88 226 0 217 1 0 1 1 0 8 0 amappl2 80 1749 0 1690 2 0 2 2 0 8 0 amappl1 72 15426 0 14958 16 6 10 16 0 8 0 amappl 72 678 0 650 1 0 1 1 0 75 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma64 64 259 0 259 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 17 0 17 1 1 0 1 0 8 0 aobjpl 64 1 0 0 1 0 1 1 0 8 0 uaddrrnd 24 331 0 314 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 331 0 314 1 0 1 1 0 8 0 vmmpekpl 168 6100 0 6081 2 0 2 2 0 8 1 vmmpepl 168 35022 0 34059 55 13 42 50 0 357 0 vmsppl 360 330 0 314 2 0 2 2 0 8 0 pdppl 4096 670 0 628 6 0 6 6 0 8 0 pvpl 32 94429 0 91086 32 3 29 29 0 265 2 pmappl 224 330 0 314 1 0 1 1 0 8 0 extentpl 40 39 0 25 1 0 1 1 0 8 0 phpool 112 266 0 4 8 0 8 8 0 8 0 ddb{1}>