kern.securelevel: 0 -> 1
creating runtime link editor directory cache.
preserving editor files.
starting network daemons: sshd.
starting local daemons:.
Tue Mar 26 19:40:19 PDT 2019
OpenBSD/amd64 (ci-openbsd-setuid-9.c.syzkaller.internal) (tty00)
Warning: Permanently added '10.128.15.197' (ECDSA) to the list of known hosts.
executing program
executing program
login: panic: kernel diagnostic assertion "tname->un_flags & UNVEIL_USERSET" failed: file "/syzkaller/managers/setuid/kernel/sys/kern/kern_unveil.c", line 879
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
 152900  88482      0           0          0    1  syz-executor7631
*201929  43954      0           0  0x4000000    0K syz-executor7631
db_enter() at db_enter+0x18
panic() at panic+0x174
__assert(ffffffff81f7c61c,ffffffff81f2d7dd,36f,ffffffff81f8730a) at __assert+0x2e
unveil_check_final(ffff800020b14710,ffff800020bc5930) at unveil_check_final+0x81d
namei(ffff800020bc5930) at namei+0x88b
vn_open(ffff800020bc5930,212,0) at vn_open+0x157
doopenat(ffff800020b14710,ffffff9c,20000000,611,0,ffff800020bc5b70) at doopenat+0x2ca
syscall(ffff800020bc5c20) at syscall+0x5b8
Xsyscall(6,0,c23b4f350c8,0,c23b4f350a8,c23b4f350a0) at Xsyscall+0x128
end of kernel
end trace frame: 0xc2602cf33a0, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
kernel diagnostic assertion "tname->un_flags & UNVEIL_USERSET" failed: file "/syzkaller/managers/setuid/kernel/sys/kern/kern_unveil.c", line 879
ddb{0}> trace
db_enter() at db_enter+0x18
panic() at panic+0x174
__assert(ffffffff81f7c61c,ffffffff81f2d7dd,36f,ffffffff81f8730a) at __assert+0x2e
unveil_check_final(ffff800020b14710,ffff800020bc5930) at unveil_check_final+0x81d
namei(ffff800020bc5930) at namei+0x88b
vn_open(ffff800020bc5930,212,0) at vn_open+0x157
doopenat(ffff800020b14710,ffffff9c,20000000,611,0,ffff800020bc5b70) at doopenat+0x2ca
syscall(ffff800020bc5c20) at syscall+0x5b8
Xsyscall(6,0,c23b4f350c8,0,c23b4f350a8,c23b4f350a0) at Xsyscall+0x128
end of kernel
end trace frame: 0xc2602cf33a0, count: -9
ddb{0}> show registers
rdi         0
rsi         0x1
rbp         0xffff800020bc5570
rbx         0xffff800020bc5620
rdx         0xffffffff81f1e360  cmd0646_9_tim_udma+0x129e0
rcx         0x201
rax         0x1
r8          0xffffffff813481d3  kprintf+0x183
r9          0x1
r10         0x1c4d0ddc370497cc
r11         0x2f7ef1034f66fa98
r12         0x3000000008
r13         0xffff800020bc5580
r14         0x100
r15         0x1
rip         0xffffffff81266358  db_enter+0x18
cs          0x8
rflags      0x246
rsp         0xffff800020bc5560
ss          0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor7631) pid=201929 stat=onproc
    flags process=0 proc=4000000
    pri=66, usrpri=66, nice=20
    forw=0xffffffffffffffff, list=0xffff800020b15520,0xffff800020b14bd0
    process=0xffff800020b3a358 user=0xffff800020bc0000, vmspace=0xfffffd806e926b48
    estcpu=36, cpticks=1, pctcpu=0.0
    user=0, sys=1, intr=0
ddb{0}> ps
   PID     TID   PPID  UID  S       FLAGS  WAIT       COMMAND
 88482  152900  54740    0  7           0             syz-executor7631
 88482  514709  54740    0  2   0x4000000             syz-executor7631
 88482  357068  54740    0  2   0x4000000             syz-executor7631
 43954  407203  44113    0  3        0x80  nanosleep  syz-executor7631
*43954  201929  44113    0  7   0x4000000             syz-executor7631
 43954   50772  44113    0  3   0x4000080  fsleep     syz-executor7631
 54740  381142  63189    0  3        0x80  nanosleep  syz-executor7631
 44113  384815  63189    0  3        0x80  nanosleep  syz-executor7631
 63189  515357  26489    0  3        0x82  nanosleep  syz-executor7631
 26489   42264  86796    0  3    0x10008a  pause      ksh
 86796  184689  93217    0  3        0x92  select     sshd
 83005  186881      1    0  3    0x100083  ttyin      getty
 93217  329001      1    0  3        0x80  select     sshd
 17882  463197   2492   73  3    0x100090  kqread     syslogd
  2492   93388      1    0  3    0x100082  netio      syslogd
 21845  316095      1   77  3    0x100090  poll       dhclient
 15722   71616      1    0  3        0x80  poll       dhclient
 17708  159004      0    0  2     0x14200             zerothread
 27693  189949      0    0  3     0x14200  aiodoned   aiodoned
 51608   61558      0    0  3     0x14200  syncer     update
   758  426718      0    0  3     0x14200  cleaner    cleaner
 70808  382555      0    0  3     0x14200  reaper     reaper
 41140  175598      0    0  3     0x14200  pgdaemon   pagedaemon
 43279  173203      0    0  3     0x14200  bored      crynlk
 54515  450218      0    0  3     0x14200  bored      crypto
 61623  198302      0    0  3  0x40014200  acpi0      acpi0
 86810  444973      0    0  3  0x40014200             idle1
 36439    9786      0    0  3     0x14200  bored      softnet
 53971  421171      0    0  3     0x14200  bored      systqmp
 93126  159034      0    0  3     0x14200  bored      systq
 61886  513204      0    0  2  0x40014200             softclock
 92339  147684      0    0  3  0x40014200             idle0
  7787  201342      0    0  3     0x14200  bored      smr
     1  137160      0    0  3        0x82  wait       init
     0       0     -1    0  3     0x10200  scheduler  swapper
ddb{0}> show all locks
Process 43954 (syz-executor7631) thread 0xffff800020b14710 (201929)
exclusive rrwlock inode r = 0 (0xfffffd806dbb7e70) locked @ /syzkaller/managers/setuid/kernel/sys/ufs/ufs/ufs_vnops.c:1547
#0  witness_lock+0x594
#1  _rw_enter+0x45d
#2  _rrw_enter+0x60
#3  VOP_LOCK+0x57
#4  vn_lock+0x6e
#5  vget+0x1c3
#6  cache_lookup+0x300
#7  ufs_lookup+0x1d7
#8  VOP_LOOKUP+0x67
#9  vfs_lookup+0x556
#10 namei+0x4b2
#11 vn_open+0x157
#12 doopenat+0x2ca
#13 syscall+0x5b8
#14 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd806ee07708) locked @ /syzkaller/managers/setuid/kernel/sys/ufs/ufs/ufs_vnops.c:1547
#0  witness_lock+0x594
#1  _rw_enter+0x45d
#2  _rrw_enter+0x60
#3  VOP_LOCK+0x57
#4  vn_lock+0x6e
#5  vfs_lookup+0xf5
#6  namei+0x4b2
#7  vn_open+0x157
#8  doopenat+0x2ca
#9  syscall+0x5b8
#10 Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82397440) locked @ /syzkaller/managers/setuid/kernel/sys/sys/syscall_mi.h:90
#0  witness_lock+0x594
#1  syscall+0x48b
#2  Xsyscall+0x128
ddb{0}>