kern.securelevel: 0 -> 1 creating runtime link editor directory cache. preserving editor files. starting network daemons: sshd. starting local daemons:. Sat May 16 21:26:03 PDT 2020 OpenBSD/amd64 (ci-openbsd-multicore-1.c.syzkaller.internal) (tty00) Warning: Permanently added '10.128.0.64' (ECDSA) to the list of known hosts. 2020/05/16 21:26:14 parsed 1 programs 2020/05/16 21:26:18 executed programs: 0 login: uvm_fault(0xfffffd807f000450, 0x13, 0, 1) -> e kernel: page fault trap, code=0 Stopped at in_delmulti+0x8d: movl 0xc(%r14),%r15d ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic kernel page fault uvm_fault(0xfffffd807f000450, 0x13, 0, 1) -> e in_delmulti(7) at in_delmulti+0x8d end trace frame: 0xffff800020f59400, count: 0 ddb{1}> trace in_delmulti(7) at in_delmulti+0x8d in_purgeaddr(ffff800000a0d300) at in_purgeaddr+0x156 in_ifdetach(ffff8000009d6000) at in_ifdetach+0x74 if_detach(ffff8000009d6000) at if_detach+0x140 tun_clone_destroy(ffff8000009d6000) at tun_clone_destroy+0x1f2 ifioctl(fffffd806f6db7d0,80206979,ffff800020f59640,ffff800020e6c758) at ifioctl+0x3ea soo_ioctl(fffffd806d0b6568,80206979,ffff800020f59640,ffff800020e6c758) at soo_ioctl+0x27c sys_ioctl(ffff800020e6c758,ffff800020f59758,ffff800020f597a0) at sys_ioctl+0x4a5 syscall(ffff800020f59820) at syscall+0x4a4 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7ffffc52e0, count: -10 ddb{1}> show registers rdi 0x2 rsi 0 rbp 0xffff800020f593b0 rbx 0 rdx 0x8b rcx 0x1 rax 0x1 r8 0xffffffff81945803 rt_ifa_purge+0x153 r9 0x5 r10 0x3 r11 0x21ff2373e11d34ef r12 0 r13 0x3 r14 0x7 r15 0x1 rip 0xffffffff81edc7dd in_delmulti+0x8d cs 0x8 rflags 0x10246 __ALIGN_SIZE+0xf246 rsp 0xffff800020f59350 ss 0x10 in_delmulti+0x8d: movl 0xc(%r14),%r15d ddb{1}> show proc PROC (syz-executor.0) pid=63520 stat=onproc flags process=0 proc=0 pri=32, usrpri=50, nice=20 forw=0xffffffffffffffff, list=0xffff800020e6c4e8,0xffffffff8267b4d8 process=0xffff800020e81720 user=0xffff800020f54000, vmspace=0xfffffd807f000450 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND *30632 63520 4011 0 7 0 syz-executor.0 4011 23952 67243 0 3 0x82 nanosleep syz-executor.0 67243 58340 76523 0 3 0x82 thrsleep syz-execprog 67243 22312 76523 0 3 0x4000082 thrsleep syz-execprog 67243 214214 76523 0 3 0x4000082 thrsleep syz-execprog 67243 172713 76523 0 3 0x4000082 thrsleep syz-execprog 67243 302914 76523 0 3 0x4000082 thrsleep syz-execprog 67243 81470 76523 0 3 0x4000082 kqread syz-execprog 67243 277106 76523 0 3 0x4000082 thrsleep syz-execprog 67243 365795 76523 0 3 0x4000082 thrsleep syz-execprog 76523 406557 37717 0 3 0x10008a pause ksh 37717 124088 13530 0 3 0x92 select sshd 24331 496519 1 0 3 0x100083 ttyin getty 13530 342290 1 0 3 0x80 select sshd 60473 197388 38998 74 3 0x100092 bpf pflogd 38998 29055 1 0 3 0x80 netio pflogd 77476 359962 29982 73 3 0x100090 kqread syslogd 29982 198520 1 0 3 0x100082 netio syslogd 65061 298750 1 77 7 0x100090 dhclient 82162 292457 1 0 3 0x80 poll dhclient 93582 260737 0 0 3 0x14200 bored smr 96968 301048 0 0 3 0x14200 pgzero zerothread 25569 353113 0 0 3 0x14200 aiodoned aiodoned 87394 26612 0 0 3 0x14200 syncer update 34201 220574 0 0 3 0x14200 cleaner cleaner 85069 489161 0 0 3 0x14200 reaper reaper 50626 450303 0 0 3 0x14200 pgdaemon pagedaemon 16100 70396 0 0 3 0x14200 bored crynlk 68029 144653 0 0 3 0x14200 bored crypto 76905 380572 0 0 3 0x40014200 acpi0 acpi0 15577 296062 0 0 3 0x40014200 idle1 69551 172886 0 0 3 0x14200 bored softnet 98624 361334 0 0 2 0x14200 systqmp 25295 227054 0 0 3 0x14200 bored systq 96495 160706 0 0 3 0x40014200 bored softclock 65209 479819 0 0 3 0x40014200 idle0 1 455276 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks Process 30632 (syz-executor.0) thread 0xffff800020e6c758 (63520) exclusive rwlock netlock r = 0 (0xffffffff824a2978) #0 witness_lock+0x4c7 #1 if_detach+0x70 #2 tun_clone_destroy+0x1f2 #3 ifioctl+0x3ea #4 soo_ioctl+0x27c #5 sys_ioctl+0x4a5 #6 syscall+0x4a4 #7 Xsyscall+0x128 exclusive kernel_lock &kernel_lock r = 1 (0xffffffff82695610) #0 witness_lock+0x4c7 #1 __mp_acquire_count+0x51 #2 mi_switch+0x392 #3 sleep_finish+0x113 #4 cond_wait+0x76 #5 smr_barrier_impl+0xf9 #6 tun_clone_destroy+0x136 #7 ifioctl+0x3ea #8 soo_ioctl+0x27c #9 sys_ioctl+0x4a5 #10 syscall+0x4a4 #11 Xsyscall+0x128 ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 9465 6396K 6396K 78643K 10560 0 pcb 14 8K 8K 78643K 14 0 rtable 75 2K 2K 78643K 165 0 ifaddr 37 9K 9K 78643K 39 0 counters 41 33K 33K 78643K 41 0 ioctlops 0 0K 4K 78643K 1468 0 mount 1 1K 1K 78643K 1 0 vnodes 1182 74K 75K 78643K 1188 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 1K 78643K 2 0 VM map 2 1K 1K 78643K 2 0 sem 2 0K 0K 78643K 2 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1824 197K 290K 78643K 13058 0 file desc 3 8K 12K 78643K 18 0 proc 59 63K 83K 78643K 398 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 in_multi 25 1K 1K 78643K 26 0 ether_multi 1 0K 0K 78643K 1 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 19 95K 95K 78643K 19 0 exec 0 0K 1K 78643K 197 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 74 12K 12K 78643K 944 0 UVM aobj 2 2K 2K 78643K 2 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 NDP 7 0K 0K 78643K 7 0 temp 29 3033K 3097K 78643K 1867 0 kqueue 3 4K 4K 78643K 3 0 SYN cache 2 16K 16K 78643K 2 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 4 0 2 1 0 1 1 0 8 0 plcache 128 20 0 0 1 0 1 1 0 8 0 rtpcb 80 17 0 15 1 0 1 1 0 8 0 rtentry 112 34 0 5 1 0 1 1 0 8 0 unpcb 120 29 0 19 1 0 1 1 0 8 0 syncache 264 5 0 5 1 0 1 1 0 8 1 tcpcb 544 8 0 5 1 0 1 1 0 8 0 inpcb 280 35 0 27 1 0 1 1 0 8 0 nd6 48 3 0 0 1 0 1 1 0 8 0 pfosfp 40 846 0 423 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfstitem 24 11 0 0 1 0 1 1 0 8 0 pfstkey 112 11 0 0 1 0 1 1 0 8 0 pfstate 328 11 0 0 1 0 1 1 0 8 0 pfrule 1360 21 0 16 2 1 1 2 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 144 0 2 9 0 9 9 0 8 0 art_table 32 145 0 2 2 0 2 2 0 8 0 art_node 16 33 0 6 1 0 1 1 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 1424 0 23 88 0 88 88 0 8 0 ffsino 272 1424 0 23 94 0 94 94 0 8 0 nchpl 144 1640 0 38 60 0 60 60 0 8 0 uvmvnodes 72 1434 0 0 27 0 27 27 0 8 0 vnodes 208 1434 0 0 76 0 76 76 0 8 0 namei 1024 4204 0 4204 1 0 1 1 0 8 1 percpumem 16 31 0 0 1 0 1 1 0 8 0 scxspl 192 3850 0 3850 2 1 1 2 0 8 1 plimitpl 152 15 0 8 1 0 1 1 0 8 0 sigapl 424 241 0 211 4 0 4 4 0 8 0 knotepl 112 47 0 36 1 0 1 1 0 8 0 kqueuepl 144 2 0 0 1 0 1 1 0 8 0 pipelkpl 48 77 0 70 1 0 1 1 0 8 0 pipepl 120 154 0 141 1 0 1 1 0 8 0 fdescpl 496 226 0 211 3 0 3 3 0 8 0 filepl 152 1110 0 1050 3 0 3 3 0 8 0 lockfpl 104 5 0 4 1 0 1 1 0 8 0 lockfspl 48 3 0 2 1 0 1 1 0 8 0 sessionpl 112 19 0 9 1 0 1 1 0 8 0 pgrppl 48 19 0 9 1 0 1 1 0 8 0 ucredpl 96 62 0 53 1 0 1 1 0 8 0 zombiepl 144 211 0 211 1 0 1 1 0 8 1 processpl 984 241 0 211 5 0 5 5 0 8 1 procpl 624 248 0 211 3 0 3 3 0 8 0 srpgc 64 2 0 2 1 0 1 1 0 8 1 sockpl 400 81 0 61 2 0 2 2 0 8 0 mcl4k 4096 3 0 0 1 0 1 1 0 8 0 mcl2k 2048 80 0 0 10 0 10 10 0 8 0 mtagpl 80 1 0 0 1 0 1 1 0 8 0 mbufpl 256 98 0 0 7 0 7 7 0 8 0 bufpl 280 2980 0 133 204 0 204 204 0 8 0 anonpl 16 22287 0 20633 13 1 12 12 0 124 2 amapchunkpl 152 841 0 775 4 0 4 4 0 158 0 amappl16 192 152 0 118 2 0 2 2 0 8 0 amappl15 184 2 0 0 1 0 1 1 0 8 0 amappl14 176 34 0 27 1 0 1 1 0 8 0 amappl13 168 21 0 20 1 0 1 1 0 8 0 amappl12 160 8 0 7 2 1 1 1 0 8 0 amappl11 152 56 0 40 1 0 1 1 0 8 0 amappl10 144 18 0 15 1 0 1 1 0 8 0 amappl9 136 230 0 229 1 0 1 1 0 8 0 amappl8 128 271 0 264 1 0 1 1 0 8 0 amappl7 120 115 0 103 1 0 1 1 0 8 0 amappl6 112 23 0 21 1 0 1 1 0 8 0 amappl5 104 131 0 117 1 0 1 1 0 8 0 amappl4 96 494 0 466 1 0 1 1 0 8 0 amappl3 88 106 0 99 1 0 1 1 0 8 0 amappl2 80 904 0 848 2 0 2 2 0 8 0 amappl1 72 15374 0 14938 23 5 18 18 0 8 8 amappl 80 474 0 445 1 0 1 1 0 84 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 64 1 0 0 1 0 1 1 0 8 0 uaddrrnd 24 226 0 211 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 226 0 211 1 0 1 1 0 8 0 vmmpekpl 168 6369 0 6346 2 0 2 2 0 8 0 vmmpepl 168 32618 0 31665 76 4 72 72 0 357 29 vmsppl 368 225 0 211 2 0 2 2 0 8 0 pdppl 4096 460 0 422 6 0 6 6 0 8 0 pvpl 32 113506 0 109453 104 0 104 104 0 265 70 pmappl 232 225 0 211 1 0 1 1 0 8 0 extentpl 40 53 0 36 1 0 1 1 0 8 0 phpool 112 232 0 3 7 0 7 7 0 8 0 ddb{1}> machine ddbcpu 0 Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp ddb{0}> trace x86_ipi_db(ffffffff824abff0) at x86_ipi_db+0x1a x86_ipi_handler() at x86_ipi_handler+0xc6 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 __mp_lock(ffffffff82695408) at __mp_lock+0x127 __mp_acquire_count(ffffffff82695408,2) at __mp_acquire_count+0x51 mi_switch() at mi_switch+0x392 sleep_finish(ffff800020ea75d0,1) at sleep_finish+0x113 sleep_finish_all(ffff800020ea75d0,1) at sleep_finish_all+0x32 tsleep(ffffffff82663c34,118,ffffffff8224a1a6,41e331) at tsleep+0x1cc doppoll(ffff800020e6c278,7f7fffff5b20,3,ffff800020ea7768,0,ffff800020ea7820) at doppoll+0x57e sys_poll(ffff800020e6c278,ffff800020ea77d0,ffff800020ea7820) at sys_poll+0xa6 syscall(ffff800020ea78a0) at syscall+0x4a4 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7fffff5b00, count: -13 ddb{0}> machine ddbcpu 1 Stopped at in_delmulti+0x8d: movl 0xc(%r14),%r15d ddb{1}> trace in_delmulti(7) at in_delmulti+0x8d in_purgeaddr(ffff800000a0d300) at in_purgeaddr+0x156 in_ifdetach(ffff8000009d6000) at in_ifdetach+0x74 if_detach(ffff8000009d6000) at if_detach+0x140 tun_clone_destroy(ffff8000009d6000) at tun_clone_destroy+0x1f2 ifioctl(fffffd806f6db7d0,80206979,ffff800020f59640,ffff800020e6c758) at ifioctl+0x3ea soo_ioctl(fffffd806d0b6568,80206979,ffff800020f59640,ffff800020e6c758) at soo_ioctl+0x27c sys_ioctl(ffff800020e6c758,ffff800020f59758,ffff800020f597a0) at sys_ioctl+0x4a5 syscall(ffff800020f59820) at syscall+0x4a4 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7ffffc52e0, count: -10 ddb{1}>