kern.securelevel: 0 -> 1
creating runtime link editor directory cache.
preserving editor files.
starting network daemons: sshd.
starting local daemons:.
Wed Apr 10 09:57:44 PDT 2019
OpenBSD/amd64 (ci-openbsd-multicore-7.c.syzkaller.internal) (tty00)
Warning: Permanently added '10.128.15.218' (ECDSA) to the list of known hosts.
2019/04/10 09:58:27 fuzzer started
2019/04/10 09:58:34 dialing manager at 10.128.15.235:43703
2019/04/10 09:58:34 syscalls: 311
2019/04/10 09:58:34 code coverage: enabled
2019/04/10 09:58:34 comparison tracing: enabled
2019/04/10 09:58:34 extra coverage: support is not implemented in syzkaller
2019/04/10 09:58:34 setuid sandbox: enabled
2019/04/10 09:58:34 namespace sandbox: support is not implemented in syzkaller
2019/04/10 09:58:34 Android sandbox: support is not implemented in syzkaller
2019/04/10 09:58:34 fault injection: support is not implemented in syzkaller
2019/04/10 09:58:34 leak checking: support is not implemented in syzkaller
2019/04/10 09:58:34 net packet injection: enabled
2019/04/10 09:58:34 net device setup: support is not implemented in syzkaller
09:58:40 executing program 0:
r0 = dup2(0xffffffffffffffff, 0xffffffffffffff9c)
ioctl$TIOCSETD(r0, 0x8004741b, &(0x7f0000000000)=0x5)
ioctl$TIOCSETD(r0, 0x8004741b, &(0x7f0000000040)=0x1)
ioctl$VT_WAITACTIVE(r0, 0x20007606, &(0x7f0000000080)=0x100)
ioctl$TIOCSETD(r0, 0x8004741b, &(0x7f00000000c0)=0x1)
ioctl$TIOCSWINSZ(r0, 0x80087467, &(0x7f0000000100)={0x81, 0x5, 0x101, 0xf13c})
ioctl$TIOCGTSTAMP(r0, 0x4010745b, &(0x7f0000000140))
getpgrp()
ioctl$TIOCSFLAGS(r0, 0x8004745c, &(0x7f0000000180)=0x7)
r1 = syz_open_pts()
r2 = fcntl$getown(r1, 0x5)
ioctl$BIOCGDLTLIST(r0, 0xc010427b, &(0x7f0000000200)={0x2, &(0x7f00000001c0)=[0x9, 0x212d5bbc]})
fcntl$lock(r0, 0xf, &(0x7f0000000240)={0x3, 0x2, 0x20000000000000, 0x1f, r2})
close(r1)
ioctl$TIOCSETD(r1, 0x8004741b, &(0x7f0000000280)=0x7)
ioctl$VT_WAITACTIVE(r0, 0x20007606, &(0x7f00000002c0)=0x8)
ioctl$TIOCFLUSH(r1, 0x80047410, &(0x7f0000000300)=0xff)
ioctl$WSMUXIO_INJECTEVENT(r0, 0x80185760, &(0x7f0000000340)={0x1, 0x4, {0x8000, 0x7}})
ioctl$TIOCSDTR(r1, 0x20007479)
mmap(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2, 0x12, r1, 0x0, 0x0)
ioctl$TIOCSETAF(r0, 0x802c7416, &(0x7f0000000380)={0x100000000, 0x40, 0x0, 0x4b0, "b12fa8d055c3ea0a871167a4eb512794eeef80ab", 0x8af, 0x3f})
ioctl$TIOCNXCL(r0, 0x2000740e)
kevent(r0, &(0x7f00000003c0)=[{{r0}, 0xffffffffffffffff, 0x10, 0x2, 0xffffffff, 0x7ff}, {{r0}, 0xffffffffffffffff, 0x0, 0x11, 0x8a4b, 0x8}], 0x1f, &(0x7f0000000400)=[{{r0}, 0xfffffffffffffffb, 0x1, 0x1, 0xffffffff, 0x2}, {{r0}, 0xffffffffffffffff, 0x4, 0xfffff, 0xfffffffffffffff7}], 0x37, &(0x7f0000000440)={0x1, 0x9})
r3 = open(&(0x7f0000000480)='./file0\x00', 0x0, 0x20)
ioctl$TIOCSPGRP(r0, 0x40047477, &(0x7f00000004c0))
r4 = open(&(0x7f0000000680)='./file0\x00', 0x80, 0x24)
getsockopt$sock_cred(r3, 0xffff, 0x1022, &(0x7f00000006c0)={0x0, <r5=>0x0}, &(0x7f0000000700)=0xc)
r6 = getgid()
sendmsg$unix(r0, &(0x7f00000007c0)={&(0x7f0000000500)=@abs={0x1, 0x0, 0x2}, 0x8, &(0x7f0000000640)=[{&(0x7f0000000540)="6c2d4e8b10011d37caaf9f155eaca58f0a290ec0863c40d296f80b841a0de22ab9e96c662463df836f321b493a2918ff3c567838020c77e863c2de041e404653524c1f5934adbc27dd3009df18341d8be107274df019f1542194cde76b6d1810f27e1411a8c0f01655385af2a488f6182bf49c9bf89e50be7c876cb570d50093b078a3f231d3fbaca670bbe26e2a3ff06ba67bf9b691cc2c3bd9462fe5ed3eadd173f8b85961c86ab7de590f752a58bcd2d6e1104af8656615fbcf868f36f50b7f648fdff3fb49ce804cb25a103dbfb94cdeea993e8b5a32014cc94587f1d4137a45bc14ebdc4eff317992dda71edb", 0xef}], 0x1, &(0x7f0000000740)=[@rights={0x18, 0xffff, 0x1, [r0, r1]}, @rights={0x20, 0xffff, 0x1, [r0, r1, r1, r4]}, @cred={0x20, 0xffff, 0x0, r2, r5, r6}], 0x58, 0x400}, 0x8)
setitimer(0x4bf43f7837c9289a, &(0x7f0000000800)={{0x1, 0x8}, {0x1, 0x6ca}}, &(0x7f0000000840))
09:58:40 executing program 1:
pipe2(&(0x7f0000000000)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x10004)
ioctl$WSDISPLAYIO_GVIDEO(r0, 0x40045744, &(0x7f0000000040))
fcntl$getown(r0, 0x5)
pipe2(&(0x7f0000000080)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff}, 0x10000)
r4 = fcntl$dupfd(r1, 0x0, r3)
r5 = fcntl$getown(r0, 0x5)
recvmsg(r1, &(0x7f0000001500)={&(0x7f00000000c0)=@in6, 0xc, &(0x7f0000001400)=[{&(0x7f0000000100)=""/4096, 0x1000}, {&(0x7f0000001100)=""/38, 0x26}, {&(0x7f0000001140)=""/52, 0x34}, {&(0x7f0000001180)=""/182, 0xb6}, {&(0x7f0000001240)=""/248, 0xf8}, {&(0x7f0000001340)=""/158, 0x9e}], 0x6, &(0x7f0000001480)=""/127, 0x7f}, 0x1)
ioctl$VT_ACTIVATE(r3, 0x20007605, &(0x7f0000001540)=0x8)
r6 = kqueue()
pipe2(&(0x7f0000001580)={0xffffffffffffffff, <r7=>0xffffffffffffffff}, 0x10000)
mmap(&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x2, 0x4010, r6, 0x0, 0x0)
ioctl$PCIOCWRITE(r7, 0xc0107003, &(0x7f00000015c0)={{0x8, 0x8, 0x3}, 0x3, 0x800, 0x6})
ioctl$TIOCSTAT(r4, 0x20007465, &(0x7f0000001600))
ioctl$WSDISPLAYIO_GVIDEO(r4, 0x40045744, &(0x7f0000001640))
r8 = open(&(0x7f0000001680)='./file0\x00', 0x0, 0x22)
ioctl$KDSETRAD(r8, 0x20004b43)
ioctl$FIOSETOWN(r1, 0x8004667c, &(0x7f00000016c0)=0x1)
writev(r8, &(0x7f00000019c0)=[{&(0x7f0000001700)="f8024d37b19bd311e89780f601a0861c245df79afd2b103f224fb92223f30ffb5576d8", 0x23}, {&(0x7f0000001740)="19", 0x1}, {&(0x7f0000001780)="c1e8bafbe50e8ad898d71a8143d5a37466a7959d7180a5b6afbed51a75a0deb9f48031e5f8361d76a430f1d51f439393932fe684361d20cab20bd73732bbae95d25b48a497f006e618cb7738cf35241ba88f90595d8fc6a6655188ce856acd6a7d08b319564326b4277ba92fd2492ac8432c0232b43c0154d3f2b0e5d8cf50f756c7e01035b74822cd43aac4a65ce08c8554a763f5d7f4e8d7a2a74deeac3f056d54dff382759d2aab08a4f54a00ee51823dc7ae50d222756df895ddab615b051f6c3dd5f09740687538a5a31cb75347412357c9e37abff4b4aad3bc", 0xdc}, {&(0x7f0000001880)="011117d326a2b87950868a39b6a21a8468192943b7590834843589cf316a087fbc8d7d8fcfc51f7d80c82570ba54a3427bfa210271c0ea0ab426", 0x3a}, {&(0x7f00000018c0)="a70d309877c4c348d4d6651bb04b405360f384502de207393cec8c950e08c375371c6396ab08e10122b7786178727c2d69cb814aaee654838c256156c49f15b8345469c95f312874ea251be867a7ec2ab10d618228811e199834e1a51ed2fc209520dd952bd18205afdae90e066ae33f4ff2afd992cc98b9ec64d2f5d0785d4cd0e29e9c72c8f862f677fe25760ce8a604847d37439cf2038c01699bd09c44b574aab26db25c1edad9763d202eaf8a276ef540ba846f4997e95338f1694d3231f402c1c49480139dd08a2a37472919fc5b5759af04c48745662cd15c", 0xdc}], 0x5)
chroot(&(0x7f0000001a40)='./file0\x00')
ioctl$TIOCGETD(r8, 0x4004741a, &(0x7f0000001a80))
pipe(&(0x7f0000001ac0)={<r9=>0xffffffffffffffff, <r10=>0xffffffffffffffff})
ioctl$BIOCSFILDROP(r9, 0x80044279, &(0x7f0000001b00)=0xff)
getsockopt(r3, 0x31b5000000000000, 0x7, &(0x7f0000001b40)=""/111, &(0x7f0000001bc0)=0x6f)
r11 = openat(r10, &(0x7f0000001c00)='./file0\x00', 0x0, 0x10)
fcntl$lock(r11, 0x9, &(0x7f0000001c40)={0x3, 0x0, 0xb977, 0x7fffffff, r5})
semget$private(0x0, 0x0, 0x200)
pipe(&(0x7f0000001c80))
ioctl$TIOCMBIS(r4, 0x8004746c, &(0x7f0000001cc0)=0x4)
ioctl$WSMUXIO_ADD_DEVICE(r2, 0x80085761, &(0x7f0000001d00)={0x3, 0xffffffffffff8001})
fcntl$setstatus(r4, 0x4, 0x80)
09:58:40 executing program 0:
ioctl$BIOCSETWF(0xffffffffffffffff, 0x80104277, &(0x7f0000000100)={0x1, &(0x7f00000000c0)=[{0x0, 0x0, 0x0, 0x28}]})
r0 = syz_open_pts()
fcntl$setstatus(r0, 0x4, 0x4)
fcntl$lock(r0, 0x9, &(0x7f0000000100)={0x0, 0x3, 0x0, 0x100000000})
fcntl$lock(r0, 0x9, &(0x7f0000000180)={0x0, 0x0, 0x1, 0x2000100000003})
fcntl$lock(r0, 0x9, &(0x7f00000000c0)={0x0, 0x0, 0x6cf921cc, 0x200000005})
09:58:40 executing program 1:
mknod(&(0x7f0000000240)='./file0\x00', 0x100042000, 0x28ae)
r0 = open$dir(&(0x7f0000000400)='./file0\x00', 0x0, 0x0)
r1 = kqueue()
mknod(&(0x7f0000000040)='./bus\x00', 0x80002002, 0x28a9)
r2 = openat$null(0xffffffffffffff9c, &(0x7f0000000000)='/dev/null\x00', 0x80, 0x0)
ioctl$BIOCGFILDROP(r2, 0x40044278, &(0x7f00000000c0))
openat(r0, &(0x7f0000000100)='./file0\x00', 0x8100, 0x89)
open(&(0x7f0000000080)='./bus\x00', 0x0, 0x0)
kevent(r1, &(0x7f0000000440)=[{{r0}, 0xfffffffffffffff8, 0x41}], 0xc98, 0x0, 0xb811, 0x0)
09:58:40 executing program 0:
r0 = socket$inet(0x2, 0x2, 0x0)
setsockopt$inet_opts(r0, 0x0, 0x100000000000000b, &(0x7f00000000c0)='\x00', 0x1)
setsockopt(r0, 0x0, 0x800000000000c, &(0x7f0000000000)="eaffffffffff0195", 0x8)
r1 = getpgid(0x0)
getsockopt$sock_cred(r0, 0xffff, 0x1022, &(0x7f0000000380)={0x0, <r2=>0x0}, &(0x7f00000003c0)=0xc)
socketpair(0x16, 0x4, 0x1f, &(0x7f00000004c0)={<r3=>0xffffffffffffffff, <r4=>0xffffffffffffffff})
getsockopt$sock_cred(r3, 0xffff, 0x1022, &(0x7f0000000400)={0x0, 0x0, <r5=>0x0}, &(0x7f0000000440)=0xc)
setsockopt$sock_cred(r0, 0xffff, 0x1022, &(0x7f0000000480)={r1, r2, r5}, 0xc)
setsockopt(r0, 0x6, 0x40, &(0x7f0000000100)="8be8e4cac089754d6c8bb2caacf3e35e8f7a4197550fe252cf555160de23820723289588e6e9ea1649f5e9f58f22606b3ddcebdf81b475e569f89b08141397e2c476151aaa8b1af04b1604f4b4225f5a71d96836c7240e142b2b034a2e32871a3e774a5c74a815f5b4c3ae755229a01db762a0533af954452258ddb67ded44326ca1fbdd58d5e8e37e3645294490925ecb5e88b5169080f12fc9d4", 0x9b)
r6 = getpid()
r7 = dup2(r3, r4)
ioctl$WSMUXIO_LIST_DEVICES(r7, 0xc1045763, &(0x7f0000000500)={0x9, [{0x3, 0x1}, {0x3, 0x1fffc00000}, {0x1, 0x10001}, {0x0, 0x80000001}, {0x3, 0x9}, {0x1, 0x3}, {0x3, 0x3}, {0x2, 0x9}, {0x3, 0x1}, {0x1, 0x1}, {0x3, 0x6}, {0x1, 0x2}, {0x3, 0x2}, {0x2}, {0x0, 0xd}, {0x2, 0x8fc}, {0x3, 0x7c7}, {0x3, 0x7f}, {0x3, 0x8000}, {0x3, 0x18e000000}, {0x1, 0x7fff}, {0x3, 0xf94a}, {0x2, 0x1}, {0x3, 0x6}, {0x3, 0x401}, {0x3, 0x1000}, {0x2, 0x8}, {0x0, 0x8}, {0x3, 0x1ff}, {0x3, 0x4}, {0x3, 0x7}, {0x3, 0x89a}]})
getsockopt$sock_cred(r0, 0xffff, 0x1022, &(0x7f0000000040)={0x0, <r8=>0x0, <r9=>0x0}, &(0x7f0000000080)=0xc)
getgroups(0x6, &(0x7f00000002c0)=[<r10=>0xffffffffffffffff, 0x0, <r11=>0xffffffffffffffff, <r12=>0xffffffffffffffff, 0xffffffffffffffff, <r13=>0x0])
setsockopt$sock_cred(r0, 0xffff, 0x1022, &(0x7f0000000300)={r6, r8, r10}, 0xc)
r14 = semget$private(0x0, 0x4, 0x7e)
setgroups(0x5, &(0x7f0000000340)=[r13, r9, r10, r12, r11])
semctl$GETNCNT(r14, 0x0, 0x3, &(0x7f00000001c0)=""/245)
09:58:40 executing program 0:
r0 = open$dir(&(0x7f0000000140)='./file0\x00', 0x400000002c5, 0x40000)
dup2(r0, r0)
r1 = getppid()
fcntl$lock(r0, 0xa, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x1000100000001, r1})
r2 = shmget$private(0x0, 0x4000, 0x50, &(0x7f0000ffb000/0x4000)=nil)
shmat(r2, &(0x7f0000ffe000/0x2000)=nil, 0xffe)
ftruncate(r0, 0x1f)
09:58:40 executing program 1:
r0 = socket$inet(0x2, 0x3, 0x0)
setsockopt$inet_opts(r0, 0x0, 0x14, &(0x7f0000000080), 0x159)
09:58:40 executing program 0:
mknod(&(0x7f0000000100)='./bus\x00', 0x80002008, 0x0)
open$dir(&(0x7f0000000000)='./bus\x00', 0x0, 0x1000000000000148)
09:58:40 executing program 1:
r0 = semget$private(0x0, 0x4, 0x301)
semctl$SETVAL(r0, 0x3, 0x8, &(0x7f0000000000))
shmget$private(0x0, 0x0, 0x0, &(0x7f0000b39000/0x3000)=nil)
09:58:40 executing program 0:
sendto$inet6(0xffffffffffffffff, &(0x7f0000000140)="04926c31db06594cd58f312d4405b6e179b63350cb45353de423c5ab5baf64794418d809d7b32b902256caa48028f2606adb9aabc12665ffdc567ca2497bd9a596925d81f9003193d19fe232bb597ff5cb06d3662d5e862c2a6774ebdbbb567cfd064351ad7f1caa59bbfa69b4f018b98a9127360978762ea58f883b17635bd8da", 0x81, 0x0, 0x0, 0x0)
clock_getres(0x2, &(0x7f0000000540))
pipe(&(0x7f0000000300)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
bind(r1, &(0x7f0000000340)=@un=@abs={0x1, 0x0, 0x2}, 0x8)
getgroups(0x7, &(0x7f0000000200)=[0x0, 0x0, <r2=>0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0])
setegid(r2)
chdir(0x0)
open$dir(&(0x7f0000000100)='./file0\x00', 0x400000002c5, 0xfffffffffffffffc)
unlink(&(0x7f00000000c0)='./file0\x00')
r3 = socket(0x2, 0x400000000002, 0x0)
r4 = getpgid(0x0)
getpgid(r4)
sendmsg(r3, &(0x7f0000000480)={&(0x7f0000000040)=@in, 0xc, 0x0, 0x0, &(0x7f00000001c0), 0x10}, 0x0)
r5 = getpgid(0xffffffffffffffff)
wait4(r5, &(0x7f0000000200), 0x8, &(0x7f0000000240))
sendto$inet6(r0, &(0x7f00000004c0)="020b6cd14dd884b086f9943dbc3b2f1937185ceebbe4c224f1dd21c02fe6666c268fb70d03d33987949f6474e5e6fdd209d355ea66f06988faf64ad6cb7ff02f8afcbb428049620c09555dfdd688b0ed9ffb3ddd5ffdeefac426c70ecadc424178ef8528fd79206e3f0116", 0x6b, 0x1, &(0x7f0000000440)={0x18, 0x1, 0x7fffffff, 0x8}, 0xc)
getsockname(r3, &(0x7f0000000000)=@in6, &(0x7f0000000080)=0xc)
r6 = dup2(r3, r3)
close(r3)
getsockopt$sock_linger(r6, 0xffff, 0x80, &(0x7f0000000380), &(0x7f00000003c0)=0x8)
ioctl$WSMUXIO_REMOVE_DEVICE(r6, 0x80085762, &(0x7f0000000100)={0x3, 0xf3c})
wait4(r5, &(0x7f0000000400), 0x1, 0x0)
09:58:40 executing program 1:
r0 = accept$unix(0xffffffffffffffff, 0x0, &(0x7f0000000100))
recvmsg(r0, &(0x7f00000005c0)={&(0x7f0000000140)=@in, 0xc, &(0x7f0000000480)=[{&(0x7f0000000180)=""/228, 0xe4}, {&(0x7f0000000280)=""/193, 0xc1}, {&(0x7f0000000380)=""/230, 0xe6}], 0x3, &(0x7f00000004c0)=""/212, 0xd4}, 0x2)
r1 = socket(0x2, 0x8001, 0x0)
getsockopt$sock_int(r1, 0xffff, 0x200, &(0x7f0000000040), &(0x7f0000000080)=0x4)
r2 = openat$null(0xffffffffffffff9c, &(0x7f0000000000)='/dev/null\x00', 0x12, 0x0)
connect(r2, &(0x7f00000000c0)=@in={0x2, 0x2}, 0xc)
r3 = shmget$private(0x0, 0x4000, 0x203, &(0x7f0000ffa000/0x4000)=nil)
r4 = geteuid()
getsockopt$SO_PEERCRED(0xffffffffffffffff, 0xffff, 0x1022, &(0x7f00000004c0)={<r5=>0x0, 0x0, <r6=>0x0}, 0xc)
getsockopt$SO_PEERCRED(0xffffffffffffffff, 0xffff, 0x1022, &(0x7f0000000680)={<r7=>0x0, <r8=>0x0}, 0xc)
r9 = getegid()
getpgid(r5)
r10 = fcntl$getown(0xffffffffffffff9c, 0x5)
pipe(&(0x7f0000001280)={<r11=>0xffffffffffffffff, <r12=>0xffffffffffffffff})
open(&(0x7f0000000040)='./file0\x00', 0x200, 0x0)
r13 = open(&(0x7f0000000180)='./file0\x00', 0x0, 0x0)
preadv(0xffffffffffffffff, &(0x7f00000004c0)=[{&(0x7f0000001640)=""/247, 0xffffffcc}], 0x1, 0x0)
r14 = open(&(0x7f0000000040)='./file0\x00', 0x611, 0x0)
fcntl$setstatus(r14, 0x4, 0x80)
r15 = getppid()
fcntl$setown(r11, 0x6, r15)
pwritev(r14, &(0x7f00000003c0), 0x1000000000000297, 0x0)
mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x5, 0x10, r13, 0x0, 0x0)
write(r12, &(0x7f00000000c0)="1d", 0x1)
close(r11)
shmctl$IPC_SET(r3, 0x1, &(0x7f0000000780)={{0x5, r4, r6, r8, r9, 0x1, 0x8740}, 0xa9, 0x5, r7, r10, 0x80000001, 0x5, 0xd6a})
shmctl$IPC_STAT(r3, 0x2, &(0x7f0000000000)=""/249)
shmctl$IPC_RMID(r3, 0x0)
r16 = semget$private(0x0, 0x10000000008, 0x800000000280)
semop(r16, &(0x7f0000000100)=[{0x2, 0xfffffffffffffbff, 0x1000}, {0x0, 0x1, 0x1800}, {0x7, 0x1, 0x17fd}], 0x3)
09:58:40 executing program 0:
write(0xffffffffffffffff, &(0x7f0000000180)="582720efabd16ebae63225259560f8e581", 0x11)
r0 = socket(0x18, 0x1, 0x0)
setsockopt(r0, 0x29, 0x9, &(0x7f0000000000)="03000000", 0x4)
getgroups(0x1, &(0x7f0000000180)=[0xffffffffffffffff])
r1 = open$dir(&(0x7f0000000140)='./file0\x00', 0x0, 0x40)
faccessat(r1, &(0x7f00000001c0)='./file0\x00', 0x100, 0x3)
setsockopt(r0, 0x29, 0x80000000000000c, &(0x7f0000000180), 0x14)
r2 = socket(0x11, 0x3, 0x0)
pipe(&(0x7f0000000040)={<r3=>0xffffffffffffffff})
pipe2(&(0x7f0000000080)={0xffffffffffffffff, <r4=>0xffffffffffffffff}, 0x10000)
r5 = kqueue()
kevent(r5, &(0x7f00000000c0)=[{{r2}, 0xfffffffffffffffe, 0x31}], 0x20, 0x0, 0x0, 0x0)
open(&(0x7f0000000000)='./file0\x00', 0x8, 0x52)
ioctl$TIOCSETA(r3, 0x802c7414, &(0x7f0000000100)={0x100000d764, 0x7fffffff, 0xcdc4, 0x3, "1ce073420eeb0f58df84e8e558112cf6bf946b04", 0x2, 0x110000000})
kevent(r4, &(0x7f0000000000), 0x10000, 0x0, 0x1000, 0x0)
09:58:40 executing program 0:
r0 = socket(0x2, 0x1, 0x0)
setsockopt(r0, 0x0, 0x20, &(0x7f0000000180), 0x0)
socket(0x6, 0x8007, 0x0)
09:58:41 executing program 0:
mkdir(&(0x7f0000000000)='./file0\x00', 0x0)
r0 = shmget(0x2, 0x4000, 0x40, &(0x7f0000ffb000/0x4000)=nil)
getsockopt$sock_cred(0xffffffffffffff9c, 0xffff, 0x1022, &(0x7f0000000040)={0x0, <r1=>0x0}, &(0x7f0000000100)=0xc)
getsockopt$SO_PEERCRED(0xffffffffffffff9c, 0xffff, 0x1022, &(0x7f0000000140)={0x0, 0x0, <r2=>0x0}, 0xc)
r3 = getuid()
getsockopt$sock_cred(0xffffffffffffff9c, 0xffff, 0x1022, &(0x7f00000001c0)={0x0, 0x0, <r4=>0x0}, &(0x7f0000000240)=0xc)
getsockopt$SO_PEERCRED(0xffffffffffffff9c, 0xffff, 0x1022, &(0x7f0000000280)={<r5=>0x0}, 0xc)
r6 = fcntl$getown(0xffffffffffffff9c, 0x5)
shmctl$IPC_SET(r0, 0x1, &(0x7f00000002c0)={{0x0, r1, r2, r3, r4, 0x90, 0x5}, 0x85, 0x200, r5, r6, 0x401, 0x7fff, 0x7})
chmod(&(0x7f0000000180)='./file0\x00', 0x23f)
setuid(0xee01)
r7 = openat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0, 0x0)
mkdirat(r7, &(0x7f0000000080)='./file1\x00', 0xfffffffffffffffc)
faccessat(r7, &(0x7f0000000200)='./file1\x00', 0x5, 0x0)
login: panic: pool_do_get: shmpl free list modified: page 0xfffffd807e1c6000; item addr 0xfffffd807e1c6d20; offset 0x10=0xdead4000
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
112543 11030 0 0 0 0 syz-executor.1
*144861 11030 0 0 0x4000000 1K syz-executor.1
db_enter() at db_enter+0x18
panic() at panic+0x174
pool_do_get(ffffffff822f54f8,1,ffff800020c61918) at pool_do_get+0x4a3
pool_get() at pool_get+0xf7
shmget_allocate_segment(ffff800020b70720,ffff800020c61ab8,3,ffff800020c61b20) at shmget_allocate_segment+0x15e
sys_shmget(ffff800020b70720,ffff800020c61ab8,ffff800020c61b20) at sys_shmget+0x13f
syscall(ffff800020c61b90) at syscall+0x576
Xsyscall(6,0,fffffffffffffff4,0,4,ca77b2e40d8) at Xsyscall+0x128
end of kernel
end trace frame: 0x357, count: 7
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
pool_do_get: shmpl free list modified: page 0xfffffd807e1c6000; item addr 0xfffffd807e1c6d20; offset 0x10=0xdead4000
ddb{1}> trace
db_enter() at db_enter+0x18
panic() at panic+0x174
pool_do_get(ffffffff822f54f8,1,ffff800020c61918) at pool_do_get+0x4a3
pool_get() at pool_get+0xf7
shmget_allocate_segment(ffff800020b70720,ffff800020c61ab8,3,ffff800020c61b20) at shmget_allocate_segment+0x15e
sys_shmget(ffff800020b70720,ffff800020c61ab8,ffff800020c61b20) at sys_shmget+0x13f
syscall(ffff800020c61b90) at syscall+0x576
Xsyscall(6,0,fffffffffffffff4,0,4,ca77b2e40d8) at Xsyscall+0x128
end of kernel
end trace frame: 0x357, count: -8
ddb{1}> show registers
rdi 0xffffffff81b163d7 db_enter+0x17
rsi 0x2efd __ALIGN_SIZE+0x1efd
rbp 0xffff800020c61760
rbx 0xffff800020c61810
rdx 0x2efe __ALIGN_SIZE+0x1efe
rcx 0xffff800002d66000
rax 0xffff800002d66000
r8 0xffffffff815cd003 kprintf+0x173
r9 0x1
r10 0x25
r11 0xe8030ee55f4e2815
r12 0x3000000008
r13 0xffff800020c61770
r14 0x100
r15 0x1
rip 0xffffffff81b163d8 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020c61750
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor.1) pid=144861 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=59, usrpri=59, nice=20
forw=0xffffffffffffffff, list=0xffff800020b70018,0xffff800020b70280
process=0xffff800020b9c360 user=0xffff800020c5c000, vmspace=0xfffffd807f00b438
estcpu=9, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
11030 112543 13120 0 7 0 syz-executor.1
11030 176020 13120 0 3 0x4000080 fsleep syz-executor.1
*11030 144861 13120 0 7 0x4000000 syz-executor.1
11030 23236 13120 0 3 0x4000080 fsleep syz-executor.1
11030 79602 13120 0 3 0x4000080 fsleep syz-executor.1
11030 475325 13120 0 3 0x4000080 fsleep syz-executor.1
13120 512529 78602 0 3 0x82 nanosleep syz-executor.1
31157 214478 78602 0 3 0x82 piperd syz-executor.0
78602 362079 1934 0 3 0x82 kqread syz-fuzzer
78602 106757 1934 0 3 0x4000082 thrsleep syz-fuzzer
78602 410201 1934 0 3 0x4000082 thrsleep syz-fuzzer
78602 129615 1934 0 3 0x4000082 thrsleep syz-fuzzer
78602 268072 1934 0 3 0x4000082 thrsleep syz-fuzzer
78602 16909 1934 0 3 0x4000082 thrsleep syz-fuzzer
78602 447621 1934 0 3 0x4000082 thrsleep syz-fuzzer
78602 191516 1934 0 3 0x4000082 thrsleep syz-fuzzer
78602 135230 1934 0 3 0x4000082 thrsleep syz-fuzzer
78602 511543 1934 0 3 0x4000082 thrsleep syz-fuzzer
1934 440099 49112 0 3 0x10008a pause ksh
49112 257970 82933 0 3 0x92 select sshd
83727 364565 1 0 3 0x100083 ttyin getty
82933 158482 1 0 3 0x80 select sshd
68394 462765 24260 74 3 0x100092 bpf pflogd
24260 280947 1 0 3 0x80 netio pflogd
53988 77576 76298 73 3 0x100090 kqread syslogd
76298 63664 1 0 3 0x100082 netio syslogd
796 203433 1 77 3 0x100090 poll dhclient
77748 139239 1 0 3 0x80 poll dhclient
82994 3267 0 0 3 0x14200 pgzero zerothread
42779 443304 0 0 3 0x14200 aiodoned aiodoned
60151 91394 0 0 3 0x14200 syncer update
26079 432486 0 0 3 0x14200 cleaner cleaner
34579 81068 0 0 3 0x14200 reaper reaper
91866 237293 0 0 3 0x14200 pgdaemon pagedaemon
34614 18453 0 0 3 0x14200 bored crynlk
31832 511055 0 0 3 0x14200 bored crypto
88650 343275 0 0 3 0x40014200 acpi0 acpi0
68728 279491 0 0 3 0x40014200 idle1
2741 507294 0 0 3 0x14200 bored softnet
91484 42034 0 0 3 0x14200 bored systqmp
88756 93522 0 0 3 0x14200 bored systq
95593 503193 0 0 3 0x40014200 bored softclock
50356 281493 0 0 3 0x40014200 idle0
92369 220852 0 0 3 0x14200 bored smr
1 430671 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
CPU 1:
exclusive mutex shmpl r = 0 (0xffffffff822f5508) locked @ /syzkaller/managers/multicore/kernel/sys/kern/subr_pool.c:583
#0 witness_lock+0x5a4
#1 pool_get+0xcb
#2 shmget_allocate_segment+0x15e
#3 sys_shmget+0x13f
#4 syscall+0x576
#5 Xsyscall+0x128
Process 11030 (syz-executor.1) thread 0xffff800020b70720 (144861)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff8230a380) locked @ /syzkaller/managers/multicore/kernel/sys/sys/syscall_mi.h:90
#0 witness_lock+0x5a4
#1 syscall+0x45e
#2 Xsyscall+0x128
exclusive mutex shmpl r = 0 (0xffffffff822f5508) locked @ /syzkaller/managers/multicore/kernel/sys/kern/subr_pool.c:583
#0 witness_lock+0x5a4
#1 pool_get+0xcb
#2 shmget_allocate_segment+0x15e
#3 sys_shmget+0x13f
#4 syscall+0x576
#5 Xsyscall+0x128
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9462 6387K 6392K 78643K 10557 0 0
pcb 25 9K 9K 78643K 59 0 0
rtable 100 3K 4K 78643K 192 0 0
ifaddr 39 10K 11K 78643K 48 0 0
counters 39 33K 33K 78643K 39 0 0
ioctlops 0 0K 4K 78643K 1469 0 0
iov 0 0K 12K 78643K 1 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1201 75K 75K 78643K 1210 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 5K 78643K 3 0 0
VM map 2 1K 1K 78643K 2 0 0
sem 7 0K 0K 78643K 7 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1808 196K 290K 78643K 12628 0 0
file desc 5 13K 21K 78643K 32 0 0
sigio 0 0K 0K 78643K 3 0 0
proc 53 50K 71K 78643K 320 0 0
subproc 64 65538K 67586K 78643K 68 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
ip_moptions 0 0K 0K 78643K 6 0 0
in_multi 33 2K 2K 78643K 33 0 0
ether_multi 1 0K 0K 78643K 1 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 30 132K 132K 78643K 30 0 0
exec 0 0K 1K 78643K 192 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 93 21K 21K 78643K 933 0 0
UVM aobj 4 2K 2K 78643K 5 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
NDP 10 0K 0K 78643K 12 0 0
temp 88 2364K 2433K 78643K 3213 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp 64 4 0 0 1 0 1 1 0 8 0
inpcbpl 280 47 0 38 1 0 1 1 0 8 0
plimitpl 152 15 0 7 1 0 1 1 0 8 0
plcache 128 20 0 0 1 0 1 1 0 8 0
rtentry 112 41 0 1 2 0 2 2 0 8 0
syncache 264 4 0 4 1 1 0 1 0 8 0
tcpqe 32 6 0 6 1 0 1 1 0 8 1
tcpcb 544 16 0 10 1 0 1 1 0 8 0
nd6 48 4 0 0 1 0 1 1 0 8 0
ppxss 1128 2 0 2 1 0 1 1 0 8 1
pfosfp 40 846 0 423 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfstitem 24 12 0 2 1 0 1 1 0 8 0
pfstkey 112 12 0 2 1 0 1 1 0 8 0
pfstate 328 12 0 2 1 0 1 1 0 8 0
pfrule 1360 21 0 16 2 1 1 2 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 186 0 0 12 0 12 12 0 8 0
art_table 32 187 0 0 2 0 2 2 0 8 0
art_node 16 40 0 6 1 0 1 1 0 8 0
semapl 112 5 0 0 1 0 1 1 0 8 0
shmpl 112 3 0 1 1 0 1 1 0 8 0
shmpl: pool(0xffffffff822f54f8:shmpl): page inconsistency: page 0xfffffd807e1c6000; item ordinal 0; addr 0x91306705767d39a1
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino1pl 128 1463 0 45 46 0 46 46 0 8 0
ffsino 272 1463 0 45 95 0 95 95 0 8 0
nchpl 144 1711 0 81 61 0 61 61 0 8 0
uvmvnodes 72 1508 0 0 28 0 28 28 0 8 0
vnodes 200 1508 0 0 80 0 80 80 0 8 0
namei 1024 4306 0 4306 2 1 1 1 0 8 1
percpumem 16 30 0 0 1 0 1 1 0 8 0
scxspl 192 4348 0 4348 8 7 1 6 0 8 1
sigapl 432 231 0 216 2 0 2 2 0 8 0
futexpl 56 316 0 312 1 0 1 1 0 8 0
knotepl 112 51 0 32 1 0 1 1 0 8 0
kqueuepl 104 8 0 6 1 0 1 1 0 8 0
pipepl 112 180 0 160 3 1 2 2 0 8 1
fdescpl 488 232 0 216 3 0 3 3 0 8 0
filepl 152 1182 0 1075 5 0 5 5 0 8 0
lockfpl 104 17 0 14 2 1 1 1 0 8 0
lockfspl 32 28 0 26 2 1 1 1 0 8 0
sessionpl 112 18 0 7 1 0 1 1 0 8 0
pgrppl 48 18 0 7 1 0 1 1 0 8 0
ucredpl 96 61 0 52 1 0 1 1 0 8 0
zombiepl 144 216 0 216 2 1 1 1 0 8 1
processpl 840 247 0 216 4 0 4 4 0 8 0
procpl 600 282 0 237 4 0 4 4 0 8 0
sockpl 384 89 0 68 3 0 3 3 0 8 0
mcl4k 4096 2 0 0 1 0 1 1 0 8 0
mcl2k 2048 118 0 0 14 0 14 14 0 8 0
mtagpl 80 1 0 0 1 0 1 1 0 8 0
mbufpl 256 137 0 0 8 0 8 8 0 8 0
bufpl 256 5740 0 1165 286 0 286 286 0 8 0
anonpl 16 30912 0 21890 39 2 37 37 0 125 0
amapchunkpl 152 870 0 775 5 0 5 5 0 158 0
amappl16 192 640 0 161 24 0 24 24 0 8 0
amappl14 176 26 0 22 2 1 1 1 0 8 0
amappl13 168 6 0 6 1 1 0 1 0 8 0
amappl12 160 27 0 23 1 0 1 1 0 8 0
amappl11 152 42 0 24 1 0 1 1 0 8 0
amappl10 144 69 0 66 1 0 1 1 0 8 0
amappl9 136 571 0 568 1 0 1 1 0 8 0
amappl8 128 135 0 116 1 0 1 1 0 8 0
amappl7 120 27 0 25 1 0 1 1 0 8 0
amappl6 112 58 0 49 1 0 1 1 0 8 0
amappl5 104 140 0 125 1 0 1 1 0 8 0
amappl4 96 466 0 435 2 1 1 2 0 8 0
amappl3 88 127 0 119 1 0 1 1 0 8 0
amappl2 80 854 0 799 2 0 2 2 0 8 0
amappl1 72 14287 0 13834 26 9 17 20 0 8 7
amappl 72 516 0 477 1 0 1 1 0 75 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma64 64 259 0 259 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 17 0 17 1 1 0 1 0 8 0
aobjpl 64 4 0 1 1 0 1 1 0 8 0
uaddrrnd 24 232 0 216 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 232 0 216 1 0 1 1 0 8 0
vmmpekpl 168 5999 0 5971 2 0 2 2 0 8 0
vmmpepl 168 32417 0 30911 100 17 83 83 0 357 13
vmsppl 360 231 0 216 2 0 2 2 0 8 0
pdppl 4096 471 0 432 6 0 6 6 0 8 0
pvpl 32 119119 0 106455 108 5 103 103 0 265 0
pmappl 232 231 0 216 2 0 2 2 0 8 1
extentpl 40 39 0 25 1 0 1 1 0 8 0
phpool 112 433 0 4 13 0 13 13 0 8 0