kern.securelevel: 0 -> 1
creating runtime link editor directory cache.
preserving editor files.
starting network daemons: sshd.
starting local daemons:.
Mon Oct 26 19:13:19 PDT 2020

OpenBSD/amd64 (ci-openbsd-multicore-3.c.syzkaller.internal) (tty00)

Warning: Permanently added '10.128.0.63' (ECDSA) to the list of known hosts.
executing program
login: witness: lock order reversal:
 1st 0xfffffd806d959c58 inode (&ip->i_lock)
 2nd 0xffffffff8277e670 netlock (netlock)
lock order "netlock"(rwlock) -> "&ip->i_lock"(rrwlock) first seen at:
#0  witness_checkorder+0x65e
#1  rw_enter+0xd4
#2  rrw_enter+0x88
#3  VOP_LOCK+0x4b
#4  vn_lock+0x6c
#5  vget+0x1c6
#6  ktrwriteraw+0x138
#7  ktrstruct+0x169
#8  sys_connect+0x246
#9  syscall+0x4a1
#10 Xsyscall+0x128
lock order "&ip->i_lock"(rrwlock) -> "netlock"(rwlock) first seen at:
#0  witness_checkorder+0x65e
#1  rw_enter_write+0x5b
#2  uvn_get+0xeb
#3  uvm_fault+0xa41
#4  kpageflttrap+0x202
#5  kerntrap+0xef
#6  alltraps_kern_meltdown+0x7b
#7  copyin+0x53
#8  sys_connect+0x9b
#9  syscall+0x4a1
#10 Xsyscall+0x128
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
the kernel did not panic
ddb{1}> trace
db_enter() at db_enter+0x18
witness_checkorder(ffffffff8277e670,9,0) at witness_checkorder+0xf5a
rw_enter_write(ffffffff8277e660) at rw_enter_write+0x5b
uvn_get(fffffd806dd01098,0,ffff8000212818e8,ffff800021281884,0,1) at uvn_get+0xeb
uvm_fault(fffffd807eff92e0,20000000,0,1) at uvm_fault+0xa41
kpageflttrap(ffff800021281a10,20000000) at kpageflttrap+0x202
kerntrap(ffff800021281a10) at kerntrap+0xef
alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b
copyin() at copyin+0x53
sys_connect(ffff8000211c2f68,ffff800021281bd8,ffff800021281c20) at sys_connect+0x9b
syscall(ffff800021281ca0) at syscall+0x4a1
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xa1ce7c9b900, count: -12
ddb{1}> show registers
rdi                              0x3
rsi               0xffffffff82748230    __sancov_gen_cov_switch_values.129
rbp               0xffff800021281550
rbx                              0x3
rdx                             0x8b
rcx                              0x3
rax                              0x1
r8                0xffffffff81e34c43    witness_checkorder+0xf33
r9                               0x5
r10               0x93c8d092c0afb425
r11               0xe78518eee4cf2a24
r12               0xffffffff8284bd70    w_lodata+0x4f1b0
r13                                0
r14               0xffffffff8284ada0    w_lodata+0x4e1e0
r15               0xfffffd8002c975c0
rip               0xffffffff82243a18    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff800021281540
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor1110) pid=370833 stat=onproc
    flags process=0 proc=4000000
    pri=32, usrpri=50, nice=20
    forw=0xffffffffffffffff, list=0xffff8000211c2cd8,0xffff80002123ccf8
    process=0xffff800021236110 user=0xffff80002127c000, vmspace=0xfffffd807eff92e0
    estcpu=36, cpticks=0, pctcpu=0.0
    user=0, sys=0, intr=0
ddb{1}> ps
    PID     TID   PPID  UID  S       FLAGS  WAIT        COMMAND
   2332  231743  38822    0  2           0              syz-executor1110
   2332  382824  38822    0  3   0x4000080  fsleep      syz-executor1110
  89897  137440  23066    0  7         0x1              syz-executor1110
  89897  376959  23066    0  2   0x4000000              syz-executor1110
 *89897  370833  23066    0  7   0x4000000              syz-executor1110
  89897  236868  23066    0  3   0x4000080  fsleep      syz-executor1110
  23066  105723  32501    0  3        0x80  nanosleep   syz-executor1110
  38822   45265  32501    0  3        0x80  nanosleep   syz-executor1110
  32501   92898  44376    0  3        0x82  nanosleep   syz-executor1110
  44376  157798  89348    0  3    0x10008a  pause       ksh
  89348  239575  43051    0  3        0x92  select      sshd
  15362  206872      1    0  3    0x100083  ttyin       getty
  43051  496708      1    0  3        0x80  select      sshd
   8200  383691   9562   74  3    0x100092  bpf         pflogd
   9562   82947      1    0  3        0x80  netio       pflogd
  20935  124804   1289   73  3    0x100090  kqread      syslogd
   1289  400314      1    0  3    0x100082  netio       syslogd
  13326  312889      1   77  3    0x100090  poll        dhclient
  47676  106257      1    0  3        0x80  poll        dhclient
  32424  107186      0    0  3     0x14200  bored       smr
  49553  410255      0    0  3     0x14200  pgzero      zerothread
  74612  391175      0    0  3     0x14200  aiodoned    aiodoned
  51704  299291      0    0  3     0x14200  syncer      update
  67424  202381      0    0  3     0x14200  cleaner     cleaner
   9856  222382      0    0  3     0x14200  reaper      reaper
  46383  365998      0    0  3     0x14200  pgdaemon    pagedaemon
  19252   30359      0    0  3     0x14200  bored       crynlk
  33678  462230      0    0  3     0x14200  bored       crypto
  99312  228822      0    0  3     0x14200  bored       viomb
  37336  394094      0    0  3  0x40014200  acpi0       acpi0
  52084  441998      0    0  3  0x40014200              idle1
  44993  134340      0    0  3     0x14200  bored       softnet
  92885  459870      0    0  3     0x14200  bored       systqmp
  96000   41783      0    0  3     0x14200  bored       systq
  63555  439254      0    0  3  0x40014200  bored       softclock
  31016  151544      0    0  3  0x40014200              idle0
      1   56614      0    0  3        0x82  wait        init
      0       0     -1    0  3     0x10200  scheduler   swapper
ddb{1}> show all locks
Process 89897 (syz-executor1110) thread 0xffff8000211c2f68 (370833)
exclusive rrwlock inode r = 0 (0xfffffd806d959c58)
#0  witness_lock+0x4b0
#1  rw_enter+0x446
#2  rrw_enter+0x88
#3  VOP_LOCK+0x4b
#4  vn_lock+0x6c
#5  uvn_get+0xd7
#6  uvm_fault+0xa41
#7  kpageflttrap+0x202
#8  kerntrap+0xef
#9  alltraps_kern_meltdown+0x7b
#10 copyin+0x53
#11 sys_connect+0x9b
#12 syscall+0x4a1
#13 Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 1 (0xffffffff828cea78)
#0  witness_lock+0x4b0
#1  syscall+0x3fd
#2  Xsyscall+0x128
ddb{1}> show malloc
Type           InUse  MemUse HighUse   Limit Requests Type Lim
devbuf          9474   6410K   6411K  78643K    10565        0
pcb               13      8K      8K  78643K       13        0
rtable            61      2K      2K  78643K      127        0
ifaddr            29      8K      8K  78643K       30        0
counters          39     33K     33K  78643K       39        0
ioctlops           0      0K      4K  78643K     1467        0
mount              1      1K      1K  78643K        1        0
vnodes          1183     74K     75K  78643K     1188        0
UFS quota          1     32K     32K  78643K        1        0
UFS mount          5     36K     36K  78643K        5        0
shm                2      1K      1K  78643K        2        0
VM map             2      1K      1K  78643K        2        0
sem                2      0K      0K  78643K        2        0
dirhash           12      2K      2K  78643K       12        0
ACPI            1825    197K    290K  78643K    13109        0
file desc          1      0K      0K  78643K        1        0
proc              59     63K     71K  78643K      367        0
NFS srvsock        1      0K      0K  78643K        1        0
NFS daemon         1     16K     16K  78643K        1        0
in_multi          11      0K      0K  78643K       11        0
ether_multi        1      0K      0K  78643K        1        0
ISOFS mount        1     32K     32K  78643K        1        0
MSDOSFS mount      1     16K     16K  78643K        1        0
ttys              19     95K     95K  78643K       19        0
exec               0      0K      2K  78643K      302        0
pagedep            1      8K      8K  78643K        1        0
inodedep           1     32K     32K  78643K        1        0
newblk             1      0K      0K  78643K        1        0
VM swap            7     26K     26K  78643K        7        0
UVM amap          48     18K     18K  78643K     1613        0
UVM aobj           3      2K      2K  78643K        3        0
memdesc            1      4K      4K  78643K        1        0
crypto data        1      1K      1K  78643K        1        0
NDP                4      0K      0K  78643K        4        0
temp              23   3949K   4013K  78643K    52107        0
kqueue             2      2K      2K  78643K        2        0
SYN cache          2     16K     16K  78643K        2        0
ddb{1}> show all pools
Name         Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp            64        2    0        0     1     0     1     1     0     8    0
plcache       128       20    0        0     1     0     1     1     0     8    0
rtpcb         120       15    0       13     1     0     1     1     0     8    0
rtentry       112       23    0        1     1     0     1     1     0     8    0
unpcb         120       29    0       19     1     0     1     1     0     8    0
syncache      296        5    0        5     2     1     1     1     0     8    1
tcpcb         736      427    0      379     6     0     6     6     0     8    1
inpcb         296     1285    0     1273     2     0     2     2     0     8    1
pfosfp         40     1428    0     1005     5     0     5     5     0     8    0
pfosfpen      112     1428    0      714    21     0    21    21     0     8    0
pfstitem       24        8    0        2     1     0     1     1     0     8    0
pfstkey       112        8    0        2     1     0     1     1     0     8    0
pfstate       328        8    0        2     1     0     1     1     0     8    0
pfrule       1360       21    0       16     2     1     1     2     0     8    0
art_heap8    4096        1    0        0     1     0     1     1     0     8    0
art_heap4     256       96    0        0     6     0     6     6     0     8    0
art_table      32       97    0        0     1     0     1     1     0     8    0
art_node       16       22    0        2     1     0     1     1     0     8    0
dirhash      1024       17    0        0     3     0     3     3     0     8    0
dino2pl       256     1404    0       16    87     0    87    87     0     8    0
ffsino        272     1404    0       16    93     0    93    93     0     8    0
nchpl         144     1585    0       33    59     1    58    58     0     8    0
uvmvnodes      72     1414    0        0    26     0    26    26     0     8    0
vnodes        208     1414    0        0    75     0    75    75     0     8    0
namei        1024     5037    0     5037     2     1     1     1     0     8    1
percpumem      16       30    0        0     1     0     1     1     0     8    0
scxspl        216     4104    0     4104    10     7     3     8     0     8    3
plimitpl      152       16    0        8     1     0     1     1     0     8    0
sigapl        424      433    0      400     4     0     4     4     0     8    0
futexpl        56     3390    0     3388     1     0     1     1     0     8    0
knotepl       112        5    0        0     1     0     1     1     0     8    0
kqueuepl      152        1    0        0     1     0     1     1     0     8    0
pipepl        304       64    0       60     2     1     1     1     0     8    0
fdescpl       496      417    0      400     3     0     3     3     0     8    0
filepl        152     3051    0     2991     3     0     3     3     0     8    0
lockfpl       104        5    0        4     1     0     1     1     0     8    0
lockfspl       48        3    0        2     1     0     1     1     0     8    0
sessionpl     144       20    0        9     1     0     1     1     0     8    0
pgrppl         48       20    0        9     1     0     1     1     0     8    0
ucredpl        96       62    0       53     1     0     1     1     0     8    0
zombiepl      144      400    0      400     2     1     1     1     0     8    1
processpl    1056      433    0      400     3     0     3     3     0     8    0
procpl        656     1027    0      990     4     0     4     4     0     8    0
sockpl        400     1329    0     1305     3     0     3     3     0     8    0
mcl4k        4096        2    0        0     1     0     1     1     0     8    0
mcl2k        2048       81    0        0    10     0    10    10     0     8    0
mtagpl         96        1    0        0     1     0     1     1     0     8    0
mbufpl        256      100    0        0     6     0     6     6     0     8    0
bufpl         280     2517    0      112   172     0   172   172     0     8    0
anonpl         16    32388    0    31048     8     2     6     7     0   124    0
amapchunkpl   152     1929    0     1880     4     1     3     3     0   158    0
amappl16      192      294    0      289     1     0     1     1     0     8    0
amappl15      184        1    0        1     1     1     0     1     0     8    0
amappl14      176       22    0       19     1     0     1     1     0     8    0
amappl13      168       15    0       14     2     1     1     1     0     8    0
amappl12      160        3    0        3     1     1     0     1     0     8    0
amappl11      152       50    0       35     1     0     1     1     0     8    0
amappl10      144        9    0        7     1     0     1     1     0     8    0
amappl9       136      202    0      202     2     2     0     1     0     8    0
amappl8       128      274    0      268     1     0     1     1     0     8    0
amappl7       120      210    0      209     1     0     1     1     0     8    0
amappl6       112       55    0       48     1     0     1     1     0     8    0
amappl5       104      353    0      337     1     0     1     1     0     8    0
amappl4        96      278    0      257     1     0     1     1     0     8    0
amappl3        88      104    0       97     1     0     1     1     0     8    0
amappl2        80     2537    0     2468     3     1     2     2     0     8    0
amappl1        72    21909    0    21425    15     5    10    15     0     8    0
amappl         80     1211    0     1181     1     0     1     1     0    84    0
dma4096      4096        1    0        1     1     1     0     1     0     8    0
dma1024      1024        1    0        0     1     0     1     1     0     8    0
dma256        256        6    0        6     1     1     0     1     0     8    0
dma128        128      253    0      253     1     1     0     1     0     8    0
dma64          64        6    0        6     1     1     0     1     0     8    0
dma32          32        7    0        7     1     1     0     1     0     8    0
dma16          16       18    0       17     1     0     1     1     0     8    0
aobjpl         64        2    0        0     1     0     1     1     0     8    0
uaddrrnd       24      417    0      400     1     0     1     1     0     8    0
uaddrbest      32        2    0        0     1     0     1     1     0     8    0
uaddr          24      417    0      400     1     0     1     1     0     8    0
vmmpekpl      168     7298    0     7279     2     0     2     2     0     8    1
vmmpepl       168    48836    0    47820    57    11    46    48     0   357    1
vmsppl        368      416    0      400     2     0     2     2     0     8    0
pdppl        4096      841    0      800    59    18    41    41     0     8    0
pvpl           32   106841    0   103598    33     5    28    28     0   265    1
pmappl        232      416    0      400     1     0     1     1     0     8    0
extentpl       40       57    0       39     1     0     1     1     0     8    0
phpool        112      284    0       22     8     0     8     8     0     8    0
ddb{1}> machine ddbcpu 0
Stopped at      x86_ipi_db+0x1a:        addq    $0x8,%rsp
ddb{0}> trace
x86_ipi_db(ffffffff8272eff0) at x86_ipi_db+0x1a
x86_ipi_handler() at x86_ipi_handler+0xb7
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__mp_lock(ffffffff828ce870) at __mp_lock+0x129
intr_handler(ffff800021269340,ffff80000065a300) at intr_handler+0x5e
Xintr_ioapic_edge4_untramp() at Xintr_ioapic_edge4_untramp+0x19f
__mp_lock(ffffffff828ce870) at __mp_lock+0x129
softintr_dispatch(0) at softintr_dispatch+0x4e
Xsoftclock() at Xsoftclock+0x1f
__mp_lock(ffffffff828ce870) at __mp_lock+0x122
ktrstruct(ffff8000ffff7720,ffffffff823b8f04,ffff800021269678,10) at ktrstruct+0xee
sys_clock_gettime(ffff8000ffff7720,ffff8000212696e0,ffff800021269730) at sys_clock_gettime+0xfb
syscall(ffff8000212697b0) at syscall+0x4a1
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffe1a70, count: -14
ddb{0}> machine ddbcpu 1
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
ddb{1}> trace
db_enter() at db_enter+0x18
witness_checkorder(ffffffff8277e670,9,0) at witness_checkorder+0xf5a
rw_enter_write(ffffffff8277e660) at rw_enter_write+0x5b
uvn_get(fffffd806dd01098,0,ffff8000212818e8,ffff800021281884,0,1) at uvn_get+0xeb
uvm_fault(fffffd807eff92e0,20000000,0,1) at uvm_fault+0xa41
kpageflttrap(ffff800021281a10,20000000) at kpageflttrap+0x202
kerntrap(ffff800021281a10) at kerntrap+0xef
alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b
copyin() at copyin+0x53
sys_connect(ffff8000211c2f68,ffff800021281bd8,ffff800021281c20) at sys_connect+0x9b
syscall(ffff800021281ca0) at syscall+0x4a1
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xa1ce7c9b900, count: -12
ddb{1}>