kern.securelevel: 0 -> 1 creating runtime link editor directory cache. preserving editor files. starting network daemons: sshd. starting local daemons:. Tue Mar 26 06:35:33 PDT 2019 OpenBSD/amd64 (ci-openbsd-multicore-3.c.syzkaller.internal) (tty00) Warning: Permanently added '10.128.15.196' (ECDSA) to the list of known hosts. executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program login: panic: kernel diagnostic assertion "tname->un_flags & UNVEIL_USERSET" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_unveil.c", line 879 Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *286891 22920 0 0 0x4000000 1K syz-executor0455 435237 15206 0 0 0 0 syz-executor0455 db_enter() at db_enter+0x18 panic() at panic+0x174 __assert(ffffffff81f7e6d6,ffffffff81f80d6e,36f,ffffffff81f8ba8b) at __assert+0x2e unveil_check_final(ffff800020b15778,ffff800020bdf7d8) at unveil_check_final+0x81d namei(ffff800020bdf7d8) at namei+0x88b domknodat(ffff800020b15778,ffffff9c,20000440,2000,0) at domknodat+0xa1 syscall(ffff800020bdfaa0) at syscall+0x5b8 Xsyscall(6,0,4613d5540c8,0,4613d5540a8,4613d5540a0) at Xsyscall+0x128 end of kernel end trace frame: 0x46397be6e50, count: 7 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. 
Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
kernel diagnostic assertion "tname->un_flags & UNVEIL_USERSET" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_unveil.c", line 879
ddb{1}> trace
db_enter() at db_enter+0x18
panic() at panic+0x174
__assert(ffffffff81f7e6d6,ffffffff81f80d6e,36f,ffffffff81f8ba8b) at __assert+0x2e
unveil_check_final(ffff800020b15778,ffff800020bdf7d8) at unveil_check_final+0x81d
namei(ffff800020bdf7d8) at namei+0x88b
domknodat(ffff800020b15778,ffffff9c,20000440,2000,0) at domknodat+0xa1
syscall(ffff800020bdfaa0) at syscall+0x5b8
Xsyscall(6,0,4613d5540c8,0,4613d5540a8,4613d5540a0) at Xsyscall+0x128
end of kernel
end trace frame: 0x46397be6e50, count: -8
ddb{1}> show registers
rdi 0
rsi 0x1
rbp 0xffff800020bdf570
rbx 0xffff800020bdf620
rdx 0xffffffff81f8c339 apollo_pio_rec+0x95b5
rcx 0x201
rax 0x1
r8 0xffffffff818d1a13 kprintf+0x183
r9 0x1
r10 0x76b7c3bba2fcddb6
r11 0xce5a27f179015edb
r12 0x3000000008
r13 0xffff800020bdf580
r14 0x100
r15 0x1
rip 0xffffffff814367b8 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020bdf560
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor0455) pid=286891 stat=onproc
flags process=0 proc=4000000
pri=86, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff800020b14260,0xffff800020b14978
process=0xffff800020b8c6a8 user=0xffff800020bda000, vmspace=0xfffffd807effdca8
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
22920 125214 50168 0 3 0x80 nanosleep syz-executor0455
*22920 286891 50168 0 7 0x4000000 syz-executor0455
22920 306005 50168 0 3 0x4000080 fsleep syz-executor0455
15206 435237 48468 0 7 0 syz-executor0455
15206 512918 48468 0 3 0x4000080 fsleep syz-executor0455
15206 217870 48468 0 2 0x4000000 syz-executor0455
48468 333648 82235 0 3 0x80 nanosleep syz-executor0455
50168 522583 82235 0 3 0x80 nanosleep syz-executor0455
82235 98587 96112 0 3 0x82 nanosleep syz-executor0455
96112 25897 12377 0 3 0x10008a pause ksh
12377 53925 7027 0 3 0x92 select sshd
31875 452484 1 0 3 0x100083 ttyin getty
7027 328838 1 0 3 0x80 select sshd
49774 78545 9707 74 3 0x100092 bpf pflogd
9707 378450 1 0 3 0x80 netio pflogd
22106 171029 41583 73 3 0x100090 kqread syslogd
41583 501552 1 0 3 0x100082 netio syslogd
98970 177843 1 77 3 0x100090 poll dhclient
68180 84988 1 0 3 0x80 poll dhclient
3718 489057 0 0 2 0x14200 zerothread
44040 419005 0 0 3 0x14200 aiodoned aiodoned
17998 176321 0 0 3 0x14200 syncer update
4129 232602 0 0 3 0x14200 cleaner cleaner
31385 144188 0 0 3 0x14200 reaper reaper
28955 308343 0 0 3 0x14200 pgdaemon pagedaemon
64987 279768 0 0 3 0x14200 bored crynlk
41898 108967 0 0 3 0x14200 bored crypto
99404 70560 0 0 3 0x40014200 acpi0 acpi0
80075 124303 0 0 3 0x40014200 idle1
48337 327301 0 0 3 0x14200 bored softnet
89103 514988 0 0 3 0x14200 bored systqmp
60283 74115 0 0 3 0x14200 bored systq
14274 443245 0 0 3 0x40014200 bored softclock
43762 486496 0 0 3 0x40014200 idle0
26112 53738 0 0 3 0x14200 bored smr
1 141820 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
Process 22920 (syz-executor0455) thread 0xffff800020b15778 (286891)
exclusive rrwlock inode r = 0 (0xfffffd806ed10f88) locked @ /syzkaller/managers/multicore/kernel/sys/ufs/ufs/ufs_vnops.c:1547
#0 witness_lock+0x594
#1 _rw_enter+0x45d
#2 _rrw_enter+0x60
#3 VOP_LOCK+0x57
#4 vn_lock+0x6e
#5 vfs_lookup+0xf5
#6 namei+0x4b2
#7 domknodat+0xa1
#8 syscall+0x5b8
#9 Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82349ce8) locked @ /syzkaller/managers/multicore/kernel/sys/sys/syscall_mi.h:90
#0 witness_lock+0x594
#1 syscall+0x48b
#2 Xsyscall+0x128
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9450 6382K 6383K 78643K 10537 0 0
pcb 25 9K 9K 78643K 57 0 0
rtable 61 2K 2K 78643K 125 0 0
ifaddr 25 7K 7K 78643K 26 0 0
counters 39 33K 33K 78643K 39 0 0
ioctlops 0 0K 4K 78643K 1467 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1168 73K 73K 78643K 1173 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 1K 78643K 2 0 0
VM map 2 1K 1K 78643K 2 0 0
sem 2 0K 0K 78643K 2 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1808 196K 290K 78643K 12628 0 0
file desc 1 0K 0K 78643K 1 0 0
proc 55 62K 83K 78643K 435 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
in_multi 11 0K 0K 78643K 11 0 0
ether_multi 1 0K 0K 78643K 1 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 18 79K 79K 78643K 18 0 0
exec 0 0K 1K 78643K 179 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 62 3K 3K 78643K 886 0 0
UVM aobj 2 2K 2K 78643K 2 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
NDP 4 0K 0K 78643K 4 0 0
temp 39 2360K 2424K 78643K 1999 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp 64 2 0 0 1 0 1 1 0 8 0
inpcbpl 280 29 0 23 1 0 1 1 0 8 0
plimitpl 152 14 0 8 1 0 1 1 0 8 0
plcache 128 20 0 0 1 0 1 1 0 8 0
rtentry 112 23 0 1 1 0 1 1 0 8 0
syncache 264 5 0 5 2 1 1 1 0 8 1
tcpcb 544 8 0 5 1 0 1 1 0 8 0
pfosfp 40 846 0 423 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfstitem 24 8 0 2 1 0 1 1 0 8 0
pfstkey 112 8 0 2 1 0 1 1 0 8 0
pfstate 328 8 0 2 1 0 1 1 0 8 0
pfrule 1360 21 0 16 2 1 1 2 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 97 0 0 7 0 7 7 0 8 0
art_table 32 98 0 0 1 0 1 1 0 8 0
art_node 16 22 0 2 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino1pl 128 1392 0 18 45 0 45 45 0 8 0
ffsino 272 1392 0 18 92 0 92 92 0 8 0
nchpl 144 1565 0 32 57 0 57 57 0 8 0
uvmvnodes 72 1402 0 0 26 0 26 26 0 8 0
vnodes 200 1402 0 0 74 0 74 74 0 8 0
namei 1024 3638 0 3637 3 2 1 1 0 8 0
percpumem 16 30 0 0 1 0 1 1 0 8 0
scxspl 192 2455 0 2455 8 7 1 6 0 8 1
sigapl 432 247 0 231 2 0 2 2 0 8 0
futexpl 56 67 0 65 1 0 1 1 0 8 0
knotepl 112 5 0 0 1 0 1 1 0 8 0
kqueuepl 104 1 0 0 1 0 1 1 0 8 0
pipepl 112 134 0 127 3 2 1 1 0 8 0
fdescpl 488 248 0 231 3 0 3 3 0 8 0
filepl 152 960 0 913 2 0 2 2 0 8 0
lockfpl 104 6 0 6 1 1 0 1 0 8 0
lockfspl 32 3 0 3 1 1 0 1 0 8 0
sessionpl 112 18 0 9 1 0 1 1 0 8 0
pgrppl 48 18 0 9 1 0 1 1 0 8 0
ucredpl 96 52 0 43 1 0 1 1 0 8 0
zombiepl 144 231 0 231 3 2 1 1 0 8 1
processpl 840 263 0 231 4 0 4 4 0 8 0
procpl 600 305 0 269 3 0 3 3 0 8 0
sockpl 384 73 0 55 2 0 2 2 0 8 0
mcl4k 4096 4 0 0 1 0 1 1 0 8 0
mcl2k 2048 74 0 0 9 0 9 9 0 8 0
mtagpl 80 1 0 0 1 0 1 1 0 8 0
mbufpl 256 101 0 0 6 0 6 6 0 8 0
bufpl 256 2165 0 275 119 0 119 119 0 8 0
anonpl 16 20949 0 19625 9 3 6 7 0 125 0
amapchunkpl 152 676 0 629 2 0 2 2 0 158 0
amappl16 192 69 0 66 1 0 1 1 0 8 0
amappl15 184 53 0 49 1 0 1 1 0 8 0
amappl14 176 16 0 15 3 2 1 1 0 8 0
amappl13 168 22 0 19 1 0 1 1 0 8 0
amappl12 160 8 0 8 1 1 0 1 0 8 0
amappl11 152 27 0 12 1 0 1 1 0 8 0
amappl10 144 57 0 55 1 0 1 1 0 8 0
amappl9 136 419 0 418 1 0 1 1 0 8 0
amappl8 128 143 0 133 1 0 1 1 0 8 0
amappl7 120 18 0 17 1 0 1 1 0 8 0
amappl6 112 44 0 40 1 0 1 1 0 8 0
amappl5 104 131 0 118 1 0 1 1 0 8 0
amappl4 96 437 0 414 1 0 1 1 0 8 0
amappl3 88 104 0 98 1 0 1 1 0 8 0
amappl2 80 999 0 942 2 0 2 2 0 8 0
amappl1 72 14283 0 13812 16 6 10 16 0 8 0
amappl 72 509 0 481 1 0 1 1 0 75 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma64 64 259 0 259 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 17 0 17 1 1 0 1 0 8 0
aobjpl 64 1 0 0 1 0 1 1 0 8 0
uaddrrnd 24 248 0 231 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 248 0 231 1 0 1 1 0 8 0
vmmpekpl 168 5767 0 5746 2 0 2 2 0 8 0
vmmpepl 168 29898 0 28963 57 16 41 50 0 357 0
vmsppl 360 247 0 231 2 0 2 2 0 8 0
pdppl 4096 504 0 462 6 0 6 6 0 8 0
pvpl 32 85418 0 82143 38 9 29 29 0 265 1
pmappl 224 247 0 231 1 0 1 1 0 8 0
extentpl 40 39 0 25 1 0 1 1 0 8 0
phpool 112 252 0 5 8 0 8 8 0 8 0
ddb{1}>