kern.securelevel: 0 -> 1 creating runtime link editor directory cache. preserving editor files. starting network daemons: sshd. starting local daemons:. Wed Apr 10 09:57:44 PDT 2019 OpenBSD/amd64 (ci-openbsd-multicore-7.c.syzkaller.internal) (tty00) Warning: Permanently added '10.128.15.218' (ECDSA) to the list of known hosts. 2019/04/10 09:58:27 fuzzer started 2019/04/10 09:58:34 dialing manager at 10.128.15.235:43703 2019/04/10 09:58:34 syscalls: 311 2019/04/10 09:58:34 code coverage: enabled 2019/04/10 09:58:34 comparison tracing: enabled 2019/04/10 09:58:34 extra coverage: support is not implemented in syzkaller 2019/04/10 09:58:34 setuid sandbox: enabled 2019/04/10 09:58:34 namespace sandbox: support is not implemented in syzkaller 2019/04/10 09:58:34 Android sandbox: support is not implemented in syzkaller 2019/04/10 09:58:34 fault injection: support is not implemented in syzkaller 2019/04/10 09:58:34 leak checking: support is not implemented in syzkaller 2019/04/10 09:58:34 net packet injection: enabled 2019/04/10 09:58:34 net device setup: support is not implemented in syzkaller 09:58:40 executing program 0: r0 = dup2(0xffffffffffffffff, 0xffffffffffffff9c) ioctl$TIOCSETD(r0, 0x8004741b, &(0x7f0000000000)=0x5) ioctl$TIOCSETD(r0, 0x8004741b, &(0x7f0000000040)=0x1) ioctl$VT_WAITACTIVE(r0, 0x20007606, &(0x7f0000000080)=0x100) ioctl$TIOCSETD(r0, 0x8004741b, &(0x7f00000000c0)=0x1) ioctl$TIOCSWINSZ(r0, 0x80087467, &(0x7f0000000100)={0x81, 0x5, 0x101, 0xf13c}) ioctl$TIOCGTSTAMP(r0, 0x4010745b, &(0x7f0000000140)) getpgrp() ioctl$TIOCSFLAGS(r0, 0x8004745c, &(0x7f0000000180)=0x7) r1 = syz_open_pts() r2 = fcntl$getown(r1, 0x5) ioctl$BIOCGDLTLIST(r0, 0xc010427b, &(0x7f0000000200)={0x2, &(0x7f00000001c0)=[0x9, 0x212d5bbc]}) fcntl$lock(r0, 0xf, &(0x7f0000000240)={0x3, 0x2, 0x20000000000000, 0x1f, r2}) close(r1) ioctl$TIOCSETD(r1, 0x8004741b, &(0x7f0000000280)=0x7) ioctl$VT_WAITACTIVE(r0, 0x20007606, &(0x7f00000002c0)=0x8) ioctl$TIOCFLUSH(r1, 0x80047410, &(0x7f0000000300)=0xff) ioctl$WSMUXIO_INJECTEVENT(r0, 0x80185760, &(0x7f0000000340)={0x1, 0x4, {0x8000, 0x7}}) ioctl$TIOCSDTR(r1, 0x20007479) mmap(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2, 0x12, r1, 0x0, 0x0) ioctl$TIOCSETAF(r0, 0x802c7416, &(0x7f0000000380)={0x100000000, 0x40, 0x0, 0x4b0, "b12fa8d055c3ea0a871167a4eb512794eeef80ab", 0x8af, 0x3f}) ioctl$TIOCNXCL(r0, 0x2000740e) kevent(r0, &(0x7f00000003c0)=[{{r0}, 0xffffffffffffffff, 0x10, 0x2, 0xffffffff, 0x7ff}, {{r0}, 0xffffffffffffffff, 0x0, 0x11, 0x8a4b, 0x8}], 0x1f, &(0x7f0000000400)=[{{r0}, 0xfffffffffffffffb, 0x1, 0x1, 0xffffffff, 0x2}, {{r0}, 0xffffffffffffffff, 0x4, 0xfffff, 0xfffffffffffffff7}], 0x37, &(0x7f0000000440)={0x1, 0x9}) r3 = open(&(0x7f0000000480)='./file0\x00', 0x0, 0x20) ioctl$TIOCSPGRP(r0, 0x40047477, &(0x7f00000004c0)) r4 = open(&(0x7f0000000680)='./file0\x00', 0x80, 0x24) getsockopt$sock_cred(r3, 0xffff, 0x1022, &(0x7f00000006c0)={0x0, 0x0}, &(0x7f0000000700)=0xc) r6 = getgid() sendmsg$unix(r0, &(0x7f00000007c0)={&(0x7f0000000500)=@abs={0x1, 0x0, 0x2}, 0x8, &(0x7f0000000640)=[{&(0x7f0000000540)="6c2d4e8b10011d37caaf9f155eaca58f0a290ec0863c40d296f80b841a0de22ab9e96c662463df836f321b493a2918ff3c567838020c77e863c2de041e404653524c1f5934adbc27dd3009df18341d8be107274df019f1542194cde76b6d1810f27e1411a8c0f01655385af2a488f6182bf49c9bf89e50be7c876cb570d50093b078a3f231d3fbaca670bbe26e2a3ff06ba67bf9b691cc2c3bd9462fe5ed3eadd173f8b85961c86ab7de590f752a58bcd2d6e1104af8656615fbcf868f36f50b7f648fdff3fb49ce804cb25a103dbfb94cdeea993e8b5a32014cc94587f1d4137a45bc14ebdc4eff317992dda71edb", 0xef}], 0x1, &(0x7f0000000740)=[@rights={0x18, 0xffff, 0x1, [r0, r1]}, @rights={0x20, 0xffff, 0x1, [r0, r1, r1, r4]}, @cred={0x20, 0xffff, 0x0, r2, r5, r6}], 0x58, 0x400}, 0x8) setitimer(0x4bf43f7837c9289a, &(0x7f0000000800)={{0x1, 0x8}, {0x1, 0x6ca}}, &(0x7f0000000840)) 09:58:40 executing program 1: pipe2(&(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}, 0x10004) ioctl$WSDISPLAYIO_GVIDEO(r0, 0x40045744, &(0x7f0000000040)) fcntl$getown(r0, 0x5) pipe2(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}, 0x10000) r4 = fcntl$dupfd(r1, 0x0, r3) r5 = fcntl$getown(r0, 0x5) recvmsg(r1, &(0x7f0000001500)={&(0x7f00000000c0)=@in6, 0xc, &(0x7f0000001400)=[{&(0x7f0000000100)=""/4096, 0x1000}, {&(0x7f0000001100)=""/38, 0x26}, {&(0x7f0000001140)=""/52, 0x34}, {&(0x7f0000001180)=""/182, 0xb6}, {&(0x7f0000001240)=""/248, 0xf8}, {&(0x7f0000001340)=""/158, 0x9e}], 0x6, &(0x7f0000001480)=""/127, 0x7f}, 0x1) ioctl$VT_ACTIVATE(r3, 0x20007605, &(0x7f0000001540)=0x8) r6 = kqueue() pipe2(&(0x7f0000001580)={0xffffffffffffffff, 0xffffffffffffffff}, 0x10000) mmap(&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x2, 0x4010, r6, 0x0, 0x0) ioctl$PCIOCWRITE(r7, 0xc0107003, &(0x7f00000015c0)={{0x8, 0x8, 0x3}, 0x3, 0x800, 0x6}) ioctl$TIOCSTAT(r4, 0x20007465, &(0x7f0000001600)) ioctl$WSDISPLAYIO_GVIDEO(r4, 0x40045744, &(0x7f0000001640)) r8 = open(&(0x7f0000001680)='./file0\x00', 0x0, 0x22) ioctl$KDSETRAD(r8, 0x20004b43) ioctl$FIOSETOWN(r1, 0x8004667c, &(0x7f00000016c0)=0x1) writev(r8, &(0x7f00000019c0)=[{&(0x7f0000001700)="f8024d37b19bd311e89780f601a0861c245df79afd2b103f224fb92223f30ffb5576d8", 0x23}, {&(0x7f0000001740)="19", 0x1}, {&(0x7f0000001780)="c1e8bafbe50e8ad898d71a8143d5a37466a7959d7180a5b6afbed51a75a0deb9f48031e5f8361d76a430f1d51f439393932fe684361d20cab20bd73732bbae95d25b48a497f006e618cb7738cf35241ba88f90595d8fc6a6655188ce856acd6a7d08b319564326b4277ba92fd2492ac8432c0232b43c0154d3f2b0e5d8cf50f756c7e01035b74822cd43aac4a65ce08c8554a763f5d7f4e8d7a2a74deeac3f056d54dff382759d2aab08a4f54a00ee51823dc7ae50d222756df895ddab615b051f6c3dd5f09740687538a5a31cb75347412357c9e37abff4b4aad3bc", 0xdc}, {&(0x7f0000001880)="011117d326a2b87950868a39b6a21a8468192943b7590834843589cf316a087fbc8d7d8fcfc51f7d80c82570ba54a3427bfa210271c0ea0ab426", 0x3a}, {&(0x7f00000018c0)="a70d309877c4c348d4d6651bb04b405360f384502de207393cec8c950e08c375371c6396ab08e10122b7786178727c2d69cb814aaee654838c256156c49f15b8345469c95f312874ea251be867a7ec2ab10d618228811e199834e1a51ed2fc209520dd952bd18205afdae90e066ae33f4ff2afd992cc98b9ec64d2f5d0785d4cd0e29e9c72c8f862f677fe25760ce8a604847d37439cf2038c01699bd09c44b574aab26db25c1edad9763d202eaf8a276ef540ba846f4997e95338f1694d3231f402c1c49480139dd08a2a37472919fc5b5759af04c48745662cd15c", 0xdc}], 0x5) chroot(&(0x7f0000001a40)='./file0\x00') ioctl$TIOCGETD(r8, 0x4004741a, &(0x7f0000001a80)) pipe(&(0x7f0000001ac0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$BIOCSFILDROP(r9, 0x80044279, &(0x7f0000001b00)=0xff) getsockopt(r3, 0x31b5000000000000, 0x7, &(0x7f0000001b40)=""/111, &(0x7f0000001bc0)=0x6f) r11 = openat(r10, &(0x7f0000001c00)='./file0\x00', 0x0, 0x10) fcntl$lock(r11, 0x9, &(0x7f0000001c40)={0x3, 0x0, 0xb977, 0x7fffffff, r5}) semget$private(0x0, 0x0, 0x200) pipe(&(0x7f0000001c80)) ioctl$TIOCMBIS(r4, 0x8004746c, &(0x7f0000001cc0)=0x4) ioctl$WSMUXIO_ADD_DEVICE(r2, 0x80085761, &(0x7f0000001d00)={0x3, 0xffffffffffff8001}) fcntl$setstatus(r4, 0x4, 0x80) 09:58:40 executing program 0: ioctl$BIOCSETWF(0xffffffffffffffff, 0x80104277, &(0x7f0000000100)={0x1, &(0x7f00000000c0)=[{0x0, 0x0, 0x0, 0x28}]}) r0 = syz_open_pts() fcntl$setstatus(r0, 0x4, 0x4) fcntl$lock(r0, 0x9, &(0x7f0000000100)={0x0, 0x3, 0x0, 0x100000000}) fcntl$lock(r0, 0x9, &(0x7f0000000180)={0x0, 0x0, 0x1, 0x2000100000003}) fcntl$lock(r0, 0x9, &(0x7f00000000c0)={0x0, 0x0, 0x6cf921cc, 0x200000005}) 09:58:40 executing program 1: mknod(&(0x7f0000000240)='./file0\x00', 0x100042000, 0x28ae) r0 = open$dir(&(0x7f0000000400)='./file0\x00', 0x0, 0x0) r1 = kqueue() mknod(&(0x7f0000000040)='./bus\x00', 0x80002002, 0x28a9) r2 = openat$null(0xffffffffffffff9c, &(0x7f0000000000)='/dev/null\x00', 0x80, 0x0) ioctl$BIOCGFILDROP(r2, 0x40044278, &(0x7f00000000c0)) openat(r0, &(0x7f0000000100)='./file0\x00', 0x8100, 0x89) open(&(0x7f0000000080)='./bus\x00', 0x0, 0x0) kevent(r1, &(0x7f0000000440)=[{{r0}, 0xfffffffffffffff8, 0x41}], 0xc98, 0x0, 0xb811, 0x0) 09:58:40 executing program 0: r0 = socket$inet(0x2, 0x2, 0x0) setsockopt$inet_opts(r0, 0x0, 0x100000000000000b, &(0x7f00000000c0)='\x00', 0x1) setsockopt(r0, 0x0, 0x800000000000c, &(0x7f0000000000)="eaffffffffff0195", 0x8) r1 = getpgid(0x0) getsockopt$sock_cred(r0, 0xffff, 0x1022, &(0x7f0000000380)={0x0, 0x0}, &(0x7f00000003c0)=0xc) socketpair(0x16, 0x4, 0x1f, &(0x7f00000004c0)={0xffffffffffffffff, 0xffffffffffffffff}) getsockopt$sock_cred(r3, 0xffff, 0x1022, &(0x7f0000000400)={0x0, 0x0, 0x0}, &(0x7f0000000440)=0xc) setsockopt$sock_cred(r0, 0xffff, 0x1022, &(0x7f0000000480)={r1, r2, r5}, 0xc) setsockopt(r0, 0x6, 0x40, &(0x7f0000000100)="8be8e4cac089754d6c8bb2caacf3e35e8f7a4197550fe252cf555160de23820723289588e6e9ea1649f5e9f58f22606b3ddcebdf81b475e569f89b08141397e2c476151aaa8b1af04b1604f4b4225f5a71d96836c7240e142b2b034a2e32871a3e774a5c74a815f5b4c3ae755229a01db762a0533af954452258ddb67ded44326ca1fbdd58d5e8e37e3645294490925ecb5e88b5169080f12fc9d4", 0x9b) r6 = getpid() r7 = dup2(r3, r4) ioctl$WSMUXIO_LIST_DEVICES(r7, 0xc1045763, &(0x7f0000000500)={0x9, [{0x3, 0x1}, {0x3, 0x1fffc00000}, {0x1, 0x10001}, {0x0, 0x80000001}, {0x3, 0x9}, {0x1, 0x3}, {0x3, 0x3}, {0x2, 0x9}, {0x3, 0x1}, {0x1, 0x1}, {0x3, 0x6}, {0x1, 0x2}, {0x3, 0x2}, {0x2}, {0x0, 0xd}, {0x2, 0x8fc}, {0x3, 0x7c7}, {0x3, 0x7f}, {0x3, 0x8000}, {0x3, 0x18e000000}, {0x1, 0x7fff}, {0x3, 0xf94a}, {0x2, 0x1}, {0x3, 0x6}, {0x3, 0x401}, {0x3, 0x1000}, {0x2, 0x8}, {0x0, 0x8}, {0x3, 0x1ff}, {0x3, 0x4}, {0x3, 0x7}, {0x3, 0x89a}]}) getsockopt$sock_cred(r0, 0xffff, 0x1022, &(0x7f0000000040)={0x0, 0x0, 0x0}, &(0x7f0000000080)=0xc) getgroups(0x6, &(0x7f00000002c0)=[0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0]) setsockopt$sock_cred(r0, 0xffff, 0x1022, &(0x7f0000000300)={r6, r8, r10}, 0xc) r14 = semget$private(0x0, 0x4, 0x7e) setgroups(0x5, &(0x7f0000000340)=[r13, r9, r10, r12, r11]) semctl$GETNCNT(r14, 0x0, 0x3, &(0x7f00000001c0)=""/245) 09:58:40 executing program 0: r0 = open$dir(&(0x7f0000000140)='./file0\x00', 0x400000002c5, 0x40000) dup2(r0, r0) r1 = getppid() fcntl$lock(r0, 0xa, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x1000100000001, r1}) r2 = shmget$private(0x0, 0x4000, 0x50, &(0x7f0000ffb000/0x4000)=nil) shmat(r2, &(0x7f0000ffe000/0x2000)=nil, 0xffe) ftruncate(r0, 0x1f) 09:58:40 executing program 1: r0 = socket$inet(0x2, 0x3, 0x0) setsockopt$inet_opts(r0, 0x0, 0x14, &(0x7f0000000080), 0x159) 09:58:40 executing program 0: mknod(&(0x7f0000000100)='./bus\x00', 0x80002008, 0x0) open$dir(&(0x7f0000000000)='./bus\x00', 0x0, 0x1000000000000148) 09:58:40 executing program 1: r0 = semget$private(0x0, 0x4, 0x301) semctl$SETVAL(r0, 0x3, 0x8, &(0x7f0000000000)) shmget$private(0x0, 0x0, 0x0, &(0x7f0000b39000/0x3000)=nil) 09:58:40 executing program 0: sendto$inet6(0xffffffffffffffff, &(0x7f0000000140)="04926c31db06594cd58f312d4405b6e179b63350cb45353de423c5ab5baf64794418d809d7b32b902256caa48028f2606adb9aabc12665ffdc567ca2497bd9a596925d81f9003193d19fe232bb597ff5cb06d3662d5e862c2a6774ebdbbb567cfd064351ad7f1caa59bbfa69b4f018b98a9127360978762ea58f883b17635bd8da", 0x81, 0x0, 0x0, 0x0) clock_getres(0x2, &(0x7f0000000540)) pipe(&(0x7f0000000300)={0xffffffffffffffff, 0xffffffffffffffff}) bind(r1, &(0x7f0000000340)=@un=@abs={0x1, 0x0, 0x2}, 0x8) getgroups(0x7, &(0x7f0000000200)=[0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0]) setegid(r2) chdir(0x0) open$dir(&(0x7f0000000100)='./file0\x00', 0x400000002c5, 0xfffffffffffffffc) unlink(&(0x7f00000000c0)='./file0\x00') r3 = socket(0x2, 0x400000000002, 0x0) r4 = getpgid(0x0) getpgid(r4) sendmsg(r3, &(0x7f0000000480)={&(0x7f0000000040)=@in, 0xc, 0x0, 0x0, &(0x7f00000001c0), 0x10}, 0x0) r5 = getpgid(0xffffffffffffffff) wait4(r5, &(0x7f0000000200), 0x8, &(0x7f0000000240)) sendto$inet6(r0, &(0x7f00000004c0)="020b6cd14dd884b086f9943dbc3b2f1937185ceebbe4c224f1dd21c02fe6666c268fb70d03d33987949f6474e5e6fdd209d355ea66f06988faf64ad6cb7ff02f8afcbb428049620c09555dfdd688b0ed9ffb3ddd5ffdeefac426c70ecadc424178ef8528fd79206e3f0116", 0x6b, 0x1, &(0x7f0000000440)={0x18, 0x1, 0x7fffffff, 0x8}, 0xc) getsockname(r3, &(0x7f0000000000)=@in6, &(0x7f0000000080)=0xc) r6 = dup2(r3, r3) close(r3) getsockopt$sock_linger(r6, 0xffff, 0x80, &(0x7f0000000380), &(0x7f00000003c0)=0x8) ioctl$WSMUXIO_REMOVE_DEVICE(r6, 0x80085762, &(0x7f0000000100)={0x3, 0xf3c}) wait4(r5, &(0x7f0000000400), 0x1, 0x0) 09:58:40 executing program 1: r0 = accept$unix(0xffffffffffffffff, 0x0, &(0x7f0000000100)) recvmsg(r0, &(0x7f00000005c0)={&(0x7f0000000140)=@in, 0xc, &(0x7f0000000480)=[{&(0x7f0000000180)=""/228, 0xe4}, {&(0x7f0000000280)=""/193, 0xc1}, {&(0x7f0000000380)=""/230, 0xe6}], 0x3, &(0x7f00000004c0)=""/212, 0xd4}, 0x2) r1 = socket(0x2, 0x8001, 0x0) getsockopt$sock_int(r1, 0xffff, 0x200, &(0x7f0000000040), &(0x7f0000000080)=0x4) r2 = openat$null(0xffffffffffffff9c, &(0x7f0000000000)='/dev/null\x00', 0x12, 0x0) connect(r2, &(0x7f00000000c0)=@in={0x2, 0x2}, 0xc) r3 = shmget$private(0x0, 0x4000, 0x203, &(0x7f0000ffa000/0x4000)=nil) r4 = geteuid() getsockopt$SO_PEERCRED(0xffffffffffffffff, 0xffff, 0x1022, &(0x7f00000004c0)={0x0, 0x0, 0x0}, 0xc) getsockopt$SO_PEERCRED(0xffffffffffffffff, 0xffff, 0x1022, &(0x7f0000000680)={0x0, 0x0}, 0xc) r9 = getegid() getpgid(r5) r10 = fcntl$getown(0xffffffffffffff9c, 0x5) pipe(&(0x7f0000001280)={0xffffffffffffffff, 0xffffffffffffffff}) open(&(0x7f0000000040)='./file0\x00', 0x200, 0x0) r13 = open(&(0x7f0000000180)='./file0\x00', 0x0, 0x0) preadv(0xffffffffffffffff, &(0x7f00000004c0)=[{&(0x7f0000001640)=""/247, 0xffffffcc}], 0x1, 0x0) r14 = open(&(0x7f0000000040)='./file0\x00', 0x611, 0x0) fcntl$setstatus(r14, 0x4, 0x80) r15 = getppid() fcntl$setown(r11, 0x6, r15) pwritev(r14, &(0x7f00000003c0), 0x1000000000000297, 0x0) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x5, 0x10, r13, 0x0, 0x0) write(r12, &(0x7f00000000c0)="1d", 0x1) close(r11) shmctl$IPC_SET(r3, 0x1, &(0x7f0000000780)={{0x5, r4, r6, r8, r9, 0x1, 0x8740}, 0xa9, 0x5, r7, r10, 0x80000001, 0x5, 0xd6a}) shmctl$IPC_STAT(r3, 0x2, &(0x7f0000000000)=""/249) shmctl$IPC_RMID(r3, 0x0) r16 = semget$private(0x0, 0x10000000008, 0x800000000280) semop(r16, &(0x7f0000000100)=[{0x2, 0xfffffffffffffbff, 0x1000}, {0x0, 0x1, 0x1800}, {0x7, 0x1, 0x17fd}], 0x3) 09:58:40 executing program 0: write(0xffffffffffffffff, &(0x7f0000000180)="582720efabd16ebae63225259560f8e581", 0x11) r0 = socket(0x18, 0x1, 0x0) setsockopt(r0, 0x29, 0x9, &(0x7f0000000000)="03000000", 0x4) getgroups(0x1, &(0x7f0000000180)=[0xffffffffffffffff]) r1 = open$dir(&(0x7f0000000140)='./file0\x00', 0x0, 0x40) faccessat(r1, &(0x7f00000001c0)='./file0\x00', 0x100, 0x3) setsockopt(r0, 0x29, 0x80000000000000c, &(0x7f0000000180), 0x14) r2 = socket(0x11, 0x3, 0x0) pipe(&(0x7f0000000040)={0xffffffffffffffff}) pipe2(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}, 0x10000) r5 = kqueue() kevent(r5, &(0x7f00000000c0)=[{{r2}, 0xfffffffffffffffe, 0x31}], 0x20, 0x0, 0x0, 0x0) open(&(0x7f0000000000)='./file0\x00', 0x8, 0x52) ioctl$TIOCSETA(r3, 0x802c7414, &(0x7f0000000100)={0x100000d764, 0x7fffffff, 0xcdc4, 0x3, "1ce073420eeb0f58df84e8e558112cf6bf946b04", 0x2, 0x110000000}) kevent(r4, &(0x7f0000000000), 0x10000, 0x0, 0x1000, 0x0) 09:58:40 executing program 0: r0 = socket(0x2, 0x1, 0x0) setsockopt(r0, 0x0, 0x20, &(0x7f0000000180), 0x0) socket(0x6, 0x8007, 0x0) 09:58:41 executing program 0: mkdir(&(0x7f0000000000)='./file0\x00', 0x0) r0 = shmget(0x2, 0x4000, 0x40, &(0x7f0000ffb000/0x4000)=nil) getsockopt$sock_cred(0xffffffffffffff9c, 0xffff, 0x1022, &(0x7f0000000040)={0x0, 0x0}, &(0x7f0000000100)=0xc) getsockopt$SO_PEERCRED(0xffffffffffffff9c, 0xffff, 0x1022, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0xc) r3 = getuid() getsockopt$sock_cred(0xffffffffffffff9c, 0xffff, 0x1022, &(0x7f00000001c0)={0x0, 0x0, 0x0}, &(0x7f0000000240)=0xc) getsockopt$SO_PEERCRED(0xffffffffffffff9c, 0xffff, 0x1022, &(0x7f0000000280)={0x0}, 0xc) r6 = fcntl$getown(0xffffffffffffff9c, 0x5) shmctl$IPC_SET(r0, 0x1, &(0x7f00000002c0)={{0x0, r1, r2, r3, r4, 0x90, 0x5}, 0x85, 0x200, r5, r6, 0x401, 0x7fff, 0x7}) chmod(&(0x7f0000000180)='./file0\x00', 0x23f) setuid(0xee01) r7 = openat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0, 0x0) mkdirat(r7, &(0x7f0000000080)='./file1\x00', 0xfffffffffffffffc) faccessat(r7, &(0x7f0000000200)='./file1\x00', 0x5, 0x0) login: panic: pool_do_get: shmpl free list modified: page 0xfffffd807e1c6000; item addr 0xfffffd807e1c6d20; offset 0x10=0xdead4000 Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND 112543 11030 0 0 0 0 syz-executor.1 *144861 11030 0 0 0x4000000 1K syz-executor.1 db_enter() at db_enter+0x18 panic() at panic+0x174 pool_do_get(ffffffff822f54f8,1,ffff800020c61918) at pool_do_get+0x4a3 pool_get() at pool_get+0xf7 shmget_allocate_segment(ffff800020b70720,ffff800020c61ab8,3,ffff800020c61b20) at shmget_allocate_segment+0x15e sys_shmget(ffff800020b70720,ffff800020c61ab8,ffff800020c61b20) at sys_shmget+0x13f syscall(ffff800020c61b90) at syscall+0x576 Xsyscall(6,0,fffffffffffffff4,0,4,ca77b2e40d8) at Xsyscall+0x128 end of kernel end trace frame: 0x357, count: 7 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic pool_do_get: shmpl free list modified: page 0xfffffd807e1c6000; item addr 0xfffffd807e1c6d20; offset 0x10=0xdead4000 ddb{1}> trace db_enter() at db_enter+0x18 panic() at panic+0x174 pool_do_get(ffffffff822f54f8,1,ffff800020c61918) at pool_do_get+0x4a3 pool_get() at pool_get+0xf7 shmget_allocate_segment(ffff800020b70720,ffff800020c61ab8,3,ffff800020c61b20) at shmget_allocate_segment+0x15e sys_shmget(ffff800020b70720,ffff800020c61ab8,ffff800020c61b20) at sys_shmget+0x13f syscall(ffff800020c61b90) at syscall+0x576 Xsyscall(6,0,fffffffffffffff4,0,4,ca77b2e40d8) at Xsyscall+0x128 end of kernel end trace frame: 0x357, count: -8 ddb{1}> show registers rdi 0xffffffff81b163d7 db_enter+0x17 rsi 0x2efd __ALIGN_SIZE+0x1efd rbp 0xffff800020c61760 rbx 0xffff800020c61810 rdx 0x2efe __ALIGN_SIZE+0x1efe rcx 0xffff800002d66000 rax 0xffff800002d66000 r8 0xffffffff815cd003 kprintf+0x173 r9 0x1 r10 0x25 r11 0xe8030ee55f4e2815 r12 0x3000000008 r13 0xffff800020c61770 r14 0x100 r15 0x1 rip 0xffffffff81b163d8 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff800020c61750 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{1}> show proc PROC (syz-executor.1) pid=144861 stat=onproc flags process=0 proc=4000000 pri=59, usrpri=59, nice=20 forw=0xffffffffffffffff, list=0xffff800020b70018,0xffff800020b70280 process=0xffff800020b9c360 user=0xffff800020c5c000, vmspace=0xfffffd807f00b438 estcpu=9, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 11030 112543 13120 0 7 0 syz-executor.1 11030 176020 13120 0 3 0x4000080 fsleep syz-executor.1 *11030 144861 13120 0 7 0x4000000 syz-executor.1 11030 23236 13120 0 3 0x4000080 fsleep syz-executor.1 11030 79602 13120 0 3 0x4000080 fsleep syz-executor.1 11030 475325 13120 0 3 0x4000080 fsleep syz-executor.1 13120 512529 78602 0 3 0x82 nanosleep syz-executor.1 31157 214478 78602 0 3 0x82 piperd syz-executor.0 78602 362079 1934 0 3 0x82 kqread syz-fuzzer 78602 106757 1934 0 3 0x4000082 thrsleep syz-fuzzer 78602 410201 1934 0 3 0x4000082 thrsleep syz-fuzzer 78602 129615 1934 0 3 0x4000082 thrsleep syz-fuzzer 78602 268072 1934 0 3 0x4000082 thrsleep syz-fuzzer 78602 16909 1934 0 3 0x4000082 thrsleep syz-fuzzer 78602 447621 1934 0 3 0x4000082 thrsleep syz-fuzzer 78602 191516 1934 0 3 0x4000082 thrsleep syz-fuzzer 78602 135230 1934 0 3 0x4000082 thrsleep syz-fuzzer 78602 511543 1934 0 3 0x4000082 thrsleep syz-fuzzer 1934 440099 49112 0 3 0x10008a pause ksh 49112 257970 82933 0 3 0x92 select sshd 83727 364565 1 0 3 0x100083 ttyin getty 82933 158482 1 0 3 0x80 select sshd 68394 462765 24260 74 3 0x100092 bpf pflogd 24260 280947 1 0 3 0x80 netio pflogd 53988 77576 76298 73 3 0x100090 kqread syslogd 76298 63664 1 0 3 0x100082 netio syslogd 796 203433 1 77 3 0x100090 poll dhclient 77748 139239 1 0 3 0x80 poll dhclient 82994 3267 0 0 3 0x14200 pgzero zerothread 42779 443304 0 0 3 0x14200 aiodoned aiodoned 60151 91394 0 0 3 0x14200 syncer update 26079 432486 0 0 3 0x14200 cleaner cleaner 34579 81068 0 0 3 0x14200 reaper reaper 91866 237293 0 0 3 0x14200 pgdaemon pagedaemon 34614 18453 0 0 3 0x14200 bored crynlk 31832 511055 0 0 3 0x14200 bored crypto 88650 343275 0 0 3 0x40014200 acpi0 acpi0 68728 279491 0 0 3 0x40014200 idle1 2741 507294 0 0 3 0x14200 bored softnet 91484 42034 0 0 3 0x14200 bored systqmp 88756 93522 0 0 3 0x14200 bored systq 95593 503193 0 0 3 0x40014200 bored softclock 50356 281493 0 0 3 0x40014200 idle0 92369 220852 0 0 3 0x14200 bored smr 1 430671 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks CPU 1: exclusive mutex shmpl r = 0 (0xffffffff822f5508) locked @ /syzkaller/managers/multicore/kernel/sys/kern/subr_pool.c:583 #0 witness_lock+0x5a4 #1 pool_get+0xcb #2 shmget_allocate_segment+0x15e #3 sys_shmget+0x13f #4 syscall+0x576 #5 Xsyscall+0x128 Process 11030 (syz-executor.1) thread 0xffff800020b70720 (144861) exclusive kernel_lock &kernel_lock r = 0 (0xffffffff8230a380) locked @ /syzkaller/managers/multicore/kernel/sys/sys/syscall_mi.h:90 #0 witness_lock+0x5a4 #1 syscall+0x45e #2 Xsyscall+0x128 exclusive mutex shmpl r = 0 (0xffffffff822f5508) locked @ /syzkaller/managers/multicore/kernel/sys/kern/subr_pool.c:583 #0 witness_lock+0x5a4 #1 pool_get+0xcb #2 shmget_allocate_segment+0x15e #3 sys_shmget+0x13f #4 syscall+0x576 #5 Xsyscall+0x128 ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim devbuf 9462 6387K 6392K 78643K 10557 0 0 pcb 25 9K 9K 78643K 59 0 0 rtable 100 3K 4K 78643K 192 0 0 ifaddr 39 10K 11K 78643K 48 0 0 counters 39 33K 33K 78643K 39 0 0 ioctlops 0 0K 4K 78643K 1469 0 0 iov 0 0K 12K 78643K 1 0 0 mount 1 1K 1K 78643K 1 0 0 vnodes 1201 75K 75K 78643K 1210 0 0 UFS quota 1 32K 32K 78643K 1 0 0 UFS mount 5 36K 36K 78643K 5 0 0 shm 2 1K 5K 78643K 3 0 0 VM map 2 1K 1K 78643K 2 0 0 sem 7 0K 0K 78643K 7 0 0 dirhash 12 2K 2K 78643K 12 0 0 ACPI 1808 196K 290K 78643K 12628 0 0 file desc 5 13K 21K 78643K 32 0 0 sigio 0 0K 0K 78643K 3 0 0 proc 53 50K 71K 78643K 320 0 0 subproc 64 65538K 67586K 78643K 68 0 0 NFS srvsock 1 0K 0K 78643K 1 0 0 NFS daemon 1 16K 16K 78643K 1 0 0 ip_moptions 0 0K 0K 78643K 6 0 0 in_multi 33 2K 2K 78643K 33 0 0 ether_multi 1 0K 0K 78643K 1 0 0 ISOFS mount 1 32K 32K 78643K 1 0 0 MSDOSFS mount 1 16K 16K 78643K 1 0 0 ttys 30 132K 132K 78643K 30 0 0 exec 0 0K 1K 78643K 192 0 0 pagedep 1 8K 8K 78643K 1 0 0 inodedep 1 32K 32K 78643K 1 0 0 newblk 1 0K 0K 78643K 1 0 0 VM swap 7 26K 26K 78643K 7 0 0 UVM amap 93 21K 21K 78643K 933 0 0 UVM aobj 4 2K 2K 78643K 5 0 0 memdesc 1 4K 4K 78643K 1 0 0 crypto data 1 1K 1K 78643K 1 0 0 NDP 10 0K 0K 78643K 12 0 0 temp 88 2364K 2433K 78643K 3213 0 0 SYN cache 2 16K 16K 78643K 2 0 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 4 0 0 1 0 1 1 0 8 0 inpcbpl 280 47 0 38 1 0 1 1 0 8 0 plimitpl 152 15 0 7 1 0 1 1 0 8 0 plcache 128 20 0 0 1 0 1 1 0 8 0 rtentry 112 41 0 1 2 0 2 2 0 8 0 syncache 264 4 0 4 1 1 0 1 0 8 0 tcpqe 32 6 0 6 1 0 1 1 0 8 1 tcpcb 544 16 0 10 1 0 1 1 0 8 0 nd6 48 4 0 0 1 0 1 1 0 8 0 ppxss 1128 2 0 2 1 0 1 1 0 8 1 pfosfp 40 846 0 423 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfstitem 24 12 0 2 1 0 1 1 0 8 0 pfstkey 112 12 0 2 1 0 1 1 0 8 0 pfstate 328 12 0 2 1 0 1 1 0 8 0 pfrule 1360 21 0 16 2 1 1 2 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 186 0 0 12 0 12 12 0 8 0 art_table 32 187 0 0 2 0 2 2 0 8 0 art_node 16 40 0 6 1 0 1 1 0 8 0 semapl 112 5 0 0 1 0 1 1 0 8 0 shmpl 112 3 0 1 1 0 1 1 0 8 0 shmpl: pool(0xffffffff822f54f8:shmpl): page inconsistency: page 0xfffffd807e1c6000; item ordinal 0; addr 0x91306705767d39a1 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino1pl 128 1463 0 45 46 0 46 46 0 8 0 ffsino 272 1463 0 45 95 0 95 95 0 8 0 nchpl 144 1711 0 81 61 0 61 61 0 8 0 uvmvnodes 72 1508 0 0 28 0 28 28 0 8 0 vnodes 200 1508 0 0 80 0 80 80 0 8 0 namei 1024 4306 0 4306 2 1 1 1 0 8 1 percpumem 16 30 0 0 1 0 1 1 0 8 0 scxspl 192 4348 0 4348 8 7 1 6 0 8 1 sigapl 432 231 0 216 2 0 2 2 0 8 0 futexpl 56 316 0 312 1 0 1 1 0 8 0 knotepl 112 51 0 32 1 0 1 1 0 8 0 kqueuepl 104 8 0 6 1 0 1 1 0 8 0 pipepl 112 180 0 160 3 1 2 2 0 8 1 fdescpl 488 232 0 216 3 0 3 3 0 8 0 filepl 152 1182 0 1075 5 0 5 5 0 8 0 lockfpl 104 17 0 14 2 1 1 1 0 8 0 lockfspl 32 28 0 26 2 1 1 1 0 8 0 sessionpl 112 18 0 7 1 0 1 1 0 8 0 pgrppl 48 18 0 7 1 0 1 1 0 8 0 ucredpl 96 61 0 52 1 0 1 1 0 8 0 zombiepl 144 216 0 216 2 1 1 1 0 8 1 processpl 840 247 0 216 4 0 4 4 0 8 0 procpl 600 282 0 237 4 0 4 4 0 8 0 sockpl 384 89 0 68 3 0 3 3 0 8 0 mcl4k 4096 2 0 0 1 0 1 1 0 8 0 mcl2k 2048 118 0 0 14 0 14 14 0 8 0 mtagpl 80 1 0 0 1 0 1 1 0 8 0 mbufpl 256 137 0 0 8 0 8 8 0 8 0 bufpl 256 5740 0 1165 286 0 286 286 0 8 0 anonpl 16 30912 0 21890 39 2 37 37 0 125 0 amapchunkpl 152 870 0 775 5 0 5 5 0 158 0 amappl16 192 640 0 161 24 0 24 24 0 8 0 amappl14 176 26 0 22 2 1 1 1 0 8 0 amappl13 168 6 0 6 1 1 0 1 0 8 0 amappl12 160 27 0 23 1 0 1 1 0 8 0 amappl11 152 42 0 24 1 0 1 1 0 8 0 amappl10 144 69 0 66 1 0 1 1 0 8 0 amappl9 136 571 0 568 1 0 1 1 0 8 0 amappl8 128 135 0 116 1 0 1 1 0 8 0 amappl7 120 27 0 25 1 0 1 1 0 8 0 amappl6 112 58 0 49 1 0 1 1 0 8 0 amappl5 104 140 0 125 1 0 1 1 0 8 0 amappl4 96 466 0 435 2 1 1 2 0 8 0 amappl3 88 127 0 119 1 0 1 1 0 8 0 amappl2 80 854 0 799 2 0 2 2 0 8 0 amappl1 72 14287 0 13834 26 9 17 20 0 8 7 amappl 72 516 0 477 1 0 1 1 0 75 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma64 64 259 0 259 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 17 0 17 1 1 0 1 0 8 0 aobjpl 64 4 0 1 1 0 1 1 0 8 0 uaddrrnd 24 232 0 216 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 232 0 216 1 0 1 1 0 8 0 vmmpekpl 168 5999 0 5971 2 0 2 2 0 8 0 vmmpepl 168 32417 0 30911 100 17 83 83 0 357 13 vmsppl 360 231 0 216 2 0 2 2 0 8 0 pdppl 4096 471 0 432 6 0 6 6 0 8 0 pvpl 32 119119 0 106455 108 5 103 103 0 265 0 pmappl 232 231 0 216 2 0 2 2 0 8 1 extentpl 40 39 0 25 1 0 1 1 0 8 0 phpool 112 433 0 4 13 0 13 13 0 8 0