kern.securelevel: 0 -> 1
creating runtime link editor directory cache.
preserving editor files.
starting network daemons: sshd.
starting local daemons:.
Tue Mar 26 20:40:01 PDT 2019

OpenBSD/amd64 (ci-openbsd-multicore-4.c.syzkaller.internal) (tty00)

Warning: Permanently added '10.128.0.94' (ECDSA) to the list of known hosts.
executing program
login: panic: kernel diagnostic assertion "tname->un_flags & UNVEIL_USERSET" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_unveil.c", line 879
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID     PID  UID  PRFLAGS     PFLAGS  CPU  COMMAND
  25943    4149    0        0          0    0  syz-executor0650
*324807   79845    0        0  0x4000000   1K  syz-executor0650
db_enter() at db_enter+0x18
panic() at panic+0x174
__assert(ffffffff81f7eb2c,ffffffff81f800b9,36f,ffffffff81f8afb5) at __assert+0x2e
unveil_check_final(ffff800020b152c8,ffff800020bd75d8) at unveil_check_final+0x81d
namei(ffff800020bd75d8) at namei+0x88b
domknodat(ffff800020b152c8,ffffff9c,20000000,80002002,a22) at domknodat+0xa1
syscall(ffff800020bd78a0) at syscall+0x5b8
Xsyscall(6,0,428adecb0c8,0,428adecb0a8,428adecb0a0) at Xsyscall+0x128
end of kernel
end trace frame: 0x42ba95bc640, count: 7
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
kernel diagnostic assertion "tname->un_flags & UNVEIL_USERSET" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_unveil.c", line 879
ddb{1}> trace
db_enter() at db_enter+0x18
panic() at panic+0x174
__assert(ffffffff81f7eb2c,ffffffff81f800b9,36f,ffffffff81f8afb5) at __assert+0x2e
unveil_check_final(ffff800020b152c8,ffff800020bd75d8) at unveil_check_final+0x81d
namei(ffff800020bd75d8) at namei+0x88b
domknodat(ffff800020b152c8,ffffff9c,20000000,80002002,a22) at domknodat+0xa1
syscall(ffff800020bd78a0) at syscall+0x5b8
Xsyscall(6,0,428adecb0c8,0,428adecb0a8,428adecb0a0) at Xsyscall+0x128
end of kernel
end trace frame: 0x42ba95bc640, count: -8
ddb{1}> show registers
rdi                              0
rsi                            0x1
rbp             0xffff800020bd7370
rbx             0xffff800020bd7420
rdx             0xffffffff81f89e77    apollo_pio_rec+0x9e22
rcx                          0x201
rax                            0x1
r8              0xffffffff811c43a3    kprintf+0x183
r9                             0x1
r10             0xf3848e40e9679e8f
r11             0xda2f1d558d5d0bd5
r12                   0x3000000008
r13             0xffff800020bd7380
r14                          0x100
r15                            0x1
rip             0xffffffff81e2e758    db_enter+0x18
cs                             0x8
rflags                       0x246
rsp             0xffff800020bd7360
ss                            0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor0650) pid=324807 stat=onproc
    flags process=0 proc=4000000
    pri=86, usrpri=86, nice=20
    forw=0xffffffffffffffff, list=0xffff800020b15520,0xffff800020b14018
    process=0xffff800020b8d080 user=0xffff800020bd2000, vmspace=0xfffffd807effe5a0
    estcpu=36, cpticks=1, pctcpu=0.0
    user=0, sys=1, intr=0
ddb{1}> ps
    PID     TID   PPID  UID  S       FLAGS  WAIT        COMMAND
   4149   25943  85778    0  7           0              syz-executor0650
   4149  263349  85778    0  2   0x4000000              syz-executor0650
   4149    6572  85778    0  2   0x4000000              syz-executor0650
  79845  141307  50214    0  3        0x80  nanosleep   syz-executor0650
 *79845  324807  50214    0  7   0x4000000              syz-executor0650
  79845  482868  50214    0  3   0x4000080  fsleep      syz-executor0650
  50214  295924   3789    0  3        0x80  nanosleep   syz-executor0650
  85778  419920   3789    0  3        0x80  nanosleep   syz-executor0650
   3789  188537  29749    0  3        0x82  nanosleep   syz-executor0650
  29749   43000  17399    0  3    0x10008a  pause       ksh
  17399   77986  82377    0  3        0x92  select      sshd
   6510  280092      1    0  3    0x100083  ttyin       getty
  82377  337231      1    0  3        0x80  select      sshd
  34532  390030  35905   74  3    0x100092  bpf         pflogd
  35905   38787      1    0  3        0x80  netio       pflogd
  95147  348970  45848   73  3    0x100090  kqread      syslogd
  45848  177996      1    0  3    0x100082  netio       syslogd
  31633  300380      1   77  3    0x100090  poll        dhclient
  76077  233000      1    0  3        0x80  poll        dhclient
  94472   62035      0    0  2     0x14200              zerothread
  90754  345818      0    0  3     0x14200  aiodoned    aiodoned
  58226   55420      0    0  3     0x14200  syncer      update
  70784   76096      0    0  3     0x14200  cleaner     cleaner
  37858  517239      0    0  3     0x14200  reaper      reaper
  39001  493090      0    0  3     0x14200  pgdaemon    pagedaemon
  98129   57410      0    0  3     0x14200  bored       crynlk
  16613   70490      0    0  3     0x14200  bored       crypto
  67361  273705      0    0  3  0x40014200  acpi0       acpi0
   3440  409070      0    0  3  0x40014200              idle1
  79240  468950      0    0  3     0x14200  bored       softnet
  27249  488546      0    0  3     0x14200  bored       systqmp
  57279  219171      0    0  3     0x14200  bored       systq
  25686  280913      0    0  3  0x40014200  bored       softclock
  60010  108922      0    0  3  0x40014200              idle0
  75023  198022      0    0  3     0x14200  bored       smr
      1  152482      0    0  3        0x82  wait        init
      0       0     -1    0  3     0x10200  scheduler   swapper
ddb{1}> show all locks
Process 79845 (syz-executor0650) thread 0xffff800020b152c8 (324807)
exclusive rrwlock inode r = 0 (0xfffffd806d9f1d60) locked @ /syzkaller/managers/multicore/kernel/sys/ufs/ufs/ufs_vnops.c:1547
#0  witness_lock+0x594
#1  _rw_enter+0x45d
#2  _rrw_enter+0x60
#3  VOP_LOCK+0x57
#4  vn_lock+0x6e
#5  vfs_lookup+0xf5
#6  namei+0x4b2
#7  domknodat+0xa1
#8  syscall+0x5b8
#9  Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff8234a3d0) locked @ /syzkaller/managers/multicore/kernel/sys/sys/syscall_mi.h:90
#0  witness_lock+0x594
#1  syscall+0x48b
#2  Xsyscall+0x128
ddb{1}> show malloc
Type           InUse MemUse HighUse  Limit Requests Type Lim Kern Lim
devbuf          9450  6382K   6383K 78643K    10537        0        0
pcb               25     9K      9K 78643K       57        0        0
rtable            61     2K      2K 78643K      125        0        0
ifaddr            25     7K      7K 78643K       26        0        0
counters          39    33K     33K 78643K       39        0        0
ioctlops           0     0K      4K 78643K     1467        0        0
mount              1     1K      1K 78643K        1        0        0
vnodes          1167    73K     73K 78643K     1552        0        0
UFS quota          1    32K     32K 78643K        1        0        0
UFS mount          5    36K     36K 78643K        5        0        0
shm                2     1K      1K 78643K        2        0        0
VM map             2     1K      1K 78643K        2        0        0
sem                2     0K      0K 78643K        2        0        0
dirhash           12     2K      2K 78643K       12        0        0
ACPI            1808   196K    290K 78643K    12628        0        0
file desc          1     0K      0K 78643K        1        0        0
proc              55    62K     70K 78643K     1179        0        0
NFS srvsock        1     0K      0K 78643K        1        0        0
NFS daemon         1    16K     16K 78643K        1        0        0
in_multi          11     0K      0K 78643K       11        0        0
ether_multi        1     0K      0K 78643K        1        0        0
ISOFS mount        1    32K     32K 78643K        1        0        0
MSDOSFS mount      1    16K     16K 78643K        1        0        0
ttys              18    79K     79K 78643K       18        0        0
exec               0     0K      1K 78643K      179        0        0
pagedep            1     8K      8K 78643K        1        0        0
inodedep           1    32K     32K 78643K        1        0        0
newblk             1     0K      0K 78643K        1        0        0
VM swap            7    26K     26K 78643K        7        0        0
UVM amap          62     3K      3K 78643K     1222        0        0
UVM aobj           2     2K      2K 78643K        2        0        0
memdesc            1     4K      4K 78643K        1        0        0
crypto data        1     1K      1K 78643K        1        0        0
NDP                4     0K      0K 78643K        4        0        0
temp              39  2360K   2424K 78643K     2447        0        0
SYN cache          2    16K     16K 78643K        2        0        0
ddb{1}> show all pools
Name          Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp             64        2    0        0     1     0     1     1     0     8    0
inpcbpl        280       29    0       23     1     0     1     1     0     8    0
plimitpl       152       14    0        8     1     0     1     1     0     8    0
plcache        128       20    0        0     1     0     1     1     0     8    0
rtentry        112       23    0        1     1     0     1     1     0     8    0
syncache       264        5    0        5     1     0     1     1     0     8    1
tcpcb          544        8    0        5     1     0     1     1     0     8    0
pfosfp          40      846    0      423     5     0     5     5     0     8    0
pfosfpen       112     1428    0      714    21     0    21    21     0     8    0
pfstitem        24        8    0        0     1     0     1     1     0     8    0
pfstkey        112        8    0        0     1     0     1     1     0     8    0
pfstate        328        8    0        0     1     0     1     1     0     8    0
pfrule        1360       21    0       16     2     1     1     2     0     8    0
art_heap8     4096        1    0        0     1     0     1     1     0     8    0
art_heap4      256       96    0        0     6     0     6     6     0     8    0
art_table       32       97    0        0     1     0     1     1     0     8    0
art_node        16       22    0        2     1     0     1     1     0     8    0
dirhash       1024       17    0        0     3     0     3     3     0     8    0
dino1pl        128     2222    0      845    45     0    45    45     0     8    0
ffsino         272     2222    0      845    92     0    92    92     0     8    0
nchpl          144     2583    0     1046    58     0    58    58     0     8    0
uvmvnodes       72     2232    0        0    41     0    41    41     0     8    0
vnodes         200     2232    0        0   118     0   118   118     0     8    0
namei         1024     5363    0     5362     2     1     1     1     0     8    0
percpumem       16       30    0        0     1     0     1     1     0     8    0
scxspl         192     4477    0     4477     8     2     6     6     0     8    6
sigapl         432      433    0      417     2     0     2     2     0     8    0
futexpl         56      297    0      296     1     0     1     1     0     8    0
knotepl        112        5    0        0     1     0     1     1     0     8    0
kqueuepl       104        1    0        0     1     0     1     1     0     8    0
pipepl         112      134    0      127     2     1     1     1     0     8    0
fdescpl        488      434    0      417     3     0     3     3     0     8    0
filepl         152     1184    0     1137     2     0     2     2     0     8    0
lockfpl        104        6    0        6     1     1     0     1     0     8    0
lockfspl        32        3    0        3     1     1     0     1     0     8    0
sessionpl      112       18    0        9     1     0     1     1     0     8    0
pgrppl          48       18    0        9     1     0     1     1     0     8    0
ucredpl         96       52    0       43     1     0     1     1     0     8    0
zombiepl       144      417    0      417     2     1     1     1     0     8    1
processpl      840      449    0      417     4     0     4     4     0     8    0
procpl         600      677    0      641     3     0     3     3     0     8    0
sockpl         384       73    0       55     2     0     2     2     0     8    0
mcl4k         4096        2    0        0     1     0     1     1     0     8    0
mcl2k         2048       70    0        0     9     0     9     9     0     8    0
mtagpl          80        1    0        0     1     0     1     1     0     8    0
mbufpl         256       86    0        0     5     0     5     5     0     8    0
bufpl          256     2393    0      275   133     0   133   133     0     8    0
anonpl          16    28709    0    27375     8     2     6     7     0   125    0
amapchunkpl    152     1232    0     1187     2     0     2     2     0   158    0
amappl16       192      512    0      503     1     0     1     1     0     8    0
amappl15       184       53    0       49     1     0     1     1     0     8    0
amappl14       176       16    0       15     2     1     1     1     0     8    0
amappl13       168       22    0       19     1     0     1     1     0     8    0
amappl12       160       10    0       10     1     1     0     1     0     8    0
amappl11       152       23    0        8     1     0     1     1     0     8    0
amappl10       144       55    0       53     1     0     1     1     0     8    0
amappl9        136      427    0      425     1     0     1     1     0     8    0
amappl8        128      105    0       98     1     0     1     1     0     8    0
amappl7        120       18    0       16     1     0     1     1     0     8    0
amappl6        112       43    0       39     1     0     1     1     0     8    0
amappl5        104      116    0      103     1     0     1     1     0     8    0
amappl4         96      654    0      628     1     0     1     1     0     8    0
amappl3         88      328    0      319     1     0     1     1     0     8    0
amappl2         80     2675    0     2617     2     0     2     2     0     8    0
amappl1         72    16558    0    16095    15     5    10    15     0     8    0
amappl          72      880    0      853     1     0     1     1     0    75    0
dma4096       4096        1    0        1     1     1     0     1     0     8    0
dma256         256        6    0        6     1     1     0     1     0     8    0
dma64           64      259    0      259     1     1     0     1     0     8    0
dma32           32        7    0        7     1     1     0     1     0     8    0
dma16           16       17    0       17     1     1     0     1     0     8    0
aobjpl          64        1    0        0     1     0     1     1     0     8    0
uaddrrnd        24      434    0      417     1     0     1     1     0     8    0
uaddrbest       32        2    0        0     1     0     1     1     0     8    0
uaddr           24      434    0      417     1     0     1     1     0     8    0
vmmpekpl       168     6508    0     6488     2     0     2     2     0     8    1
vmmpepl        168    41411    0    40460    55    13    42    46     0   357    0
vmsppl         360      433    0      417     2     0     2     2     0     8    0
pdppl         4096      876    0      834     6     0     6     6     0     8    0
pvpl            32   104679    0   101332    33     4    29    29     0   265    2
pmappl         224      433    0      417     1     0     1     1     0     8    0
extentpl        40       39    0       25     1     0     1     1     0     8    0
phpool         112      263    0        4     8     0     8     8     0     8    0
ddb{1}>