kern.securelevel: 0 -> 1 creating runtime link editor directory cache. preserving editor files. starting network daemons: sshd. starting local daemons:. Tue Mar 17 15:26:41 PDT 2020 OpenBSD/amd64 (ci-openbsd-main-0.c.syzkaller.internal) (tty00) Warning: Permanently added '10.128.0.138' (ECDSA) to the list of known hosts. 2020/03/17 15:26:53 fuzzer started 2020/03/17 15:26:58 dialing manager at 10.128.15.235:22090 2020/03/17 15:26:58 syscalls: 338 2020/03/17 15:26:58 code coverage: enabled 2020/03/17 15:26:58 comparison tracing: enabled 2020/03/17 15:26:58 extra coverage: support is not implemented in syzkaller 2020/03/17 15:26:58 setuid sandbox: enabled 2020/03/17 15:26:58 namespace sandbox: support is not implemented in syzkaller 2020/03/17 15:26:58 Android sandbox: support is not implemented in syzkaller 2020/03/17 15:26:58 fault injection: support is not implemented in syzkaller 2020/03/17 15:26:58 leak checking: support is not implemented in syzkaller 2020/03/17 15:26:58 net packet injection: enabled 2020/03/17 15:26:58 net device setup: support is not implemented in syzkaller 2020/03/17 15:26:58 concurrency sanitizer: support is not implemented in syzkaller 2020/03/17 15:26:58 devlink PCI setup: support is not implemented in syzkaller 15:27:02 executing program 0: pipe2(&(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}, 0x10000) ioctl$SPKRTONE(r0, 0x80085301, &(0x7f0000000040)={0xfffffffb, 0x9a6c}) r2 = socket$inet6(0x18, 0x5, 0x6) dup2(r2, r1) syz_emit_ethernet(0x4e, &(0x7f0000000080)="3bd04d8b840c00bf3b04bd5abfb0ab893f1c683a5ac92a6ec04bcab0d8d13c0682d9aaf1872662b02266e62aab948c4e68240fc1b7afce0c4dfe453a18eedbdd0afa5405918382a60d43cef6a922") pledge(&(0x7f0000000100)='!/\'(\x00', &(0x7f0000000140)='$\x00') ioctl$TIOCSBRK(r1, 0x2000747b) readlink(&(0x7f0000000180)='./file0\x00', &(0x7f00000001c0)=""/199, 0xc7) r3 = socket(0x6, 0x5, 0x9) getsockopt$SO_PEERCRED(r3, 0xffff, 0x1022, &(0x7f00000002c0), 0xc) pipe2(&(0x7f0000000300), 0x10000) r4 = shmget$private(0x0, 0x1000, 0x511, &(0x7f0000fff000/0x1000)=nil) shmctl$IPC_STAT(r4, 0x2, &(0x7f0000000340)=""/105) pipe(&(0x7f00000003c0)) r5 = accept$inet(0xffffffffffffffff, &(0x7f0000000400), &(0x7f0000000440)=0xc) accept$inet(r5, 0x0, &(0x7f0000000480)) r6 = openat$zero(0xffffffffffffff9c, &(0x7f00000004c0)='/dev/zero\x00', 0x20000, 0x0) ioctl$TIOCOUTQ(r6, 0x40047473, &(0x7f0000000500)=0x4f) r7 = shmget(0x3, 0x3000, 0x75c, &(0x7f0000ffd000/0x3000)=nil) shmat(r7, &(0x7f0000ffc000/0x4000)=nil, 0x3000) 15:27:02 executing program 1: r0 = socket$inet(0x2, 0x3, 0x6) sendto(r0, &(0x7f0000000000)="b0c50e72f8489f3fc3ede9d62e08f7314b694625d741c87ba185d35432119da48117356ce574310d2b0d0ff0aeaea99dc7e198f6ce971afc227d66100b5731318795d2181619feeff7f7d4e06780c9111e37953bb45d6697a1e8bdf74b7ba6ad20dc3976638f075a10596a6a20c5afbbe9405b3331aec1b6da24bf67", 0x7c, 0x402, &(0x7f0000000080)=@in={0x2, 0x1}, 0xc) ioctl$WSKBDIO_GETMODE(0xffffffffffffff9c, 0x40045714, &(0x7f00000000c0)) writev(0xffffffffffffffff, &(0x7f0000000200)=[{&(0x7f0000000100)="92b0dab358cf8fcc86ec077c1330381e5a470baf862192278cda1757004cd354f1eea8432bf91f8406bb21f763884d0e2830887585180727fb28ea4499d08c4327f7fc7782919c09822c6f82fd551d1e0271e535801eaa7835ed534509102011385e16a93bfa9a7c423e263cba03fac77b7a592415c2bcc96ff3236332d6daca90db1d1dc3b25ce33c46931388a0a202e070463bb06707155525beb66272d40852cbbe6d24c67ba6daf1b6f22dd7927b1325b1347abe508905d767eacb7abd4bcab95637cfed8a4b03ec60fcf3fb2c61b385c4a42ed4ad4f51c5a4faeed20c68cfa58357720bc2bf45006bab5b1349859af51ffdf8", 0xf5}], 0x1) pipe2(&(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}, 0x4) ioctl$WSKBDIO_SETMODE(r2, 0x80045713, &(0x7f0000000280)=0x4639a512b68ee648) poll(&(0x7f00000002c0), 0x0, 0x1) r3 = openat(0xffffffffffffff9c, &(0x7f0000000300)='./file0\x00', 0xa1, 0x0) getsockopt$inet_opts(r3, 0x0, 0x1, &(0x7f0000000340)=""/6, &(0x7f0000000380)=0x6) r4 = fcntl$dupfd(0xffffffffffffff9c, 0xa, r2) setsockopt$sock_timeval(r4, 0xffff, 0x1005, &(0x7f00000003c0)={0x400, 0x8001}, 0x10) lseek(r4, 0x0, 0x5, 0x2) r5 = socket(0x18, 0x4000, 0x82) bind$inet(r5, &(0x7f0000000400)={0x2, 0x3}, 0xc) getsockname$unix(r3, &(0x7f0000000440)=@file={0x0, ""/108}, &(0x7f00000004c0)=0x6e) ioctl$BIOCSETIF(r1, 0x8020426c, &(0x7f0000000500)={'tap', 0x0}) r6 = openat$bpf(0xffffffffffffff9c, &(0x7f0000000540)='/dev/bpf\x00', 0x400, 0x0) ioctl$BIOCSETIF(r6, 0x8020426c, &(0x7f0000000580)={'tap', 0x0}) clock_gettime(0x1, &(0x7f00000005c0)) fcntl$getflags(0xffffffffffffffff, 0x1) 15:27:03 executing program 0: munlock(&(0x7f0000ffc000/0x4000)=nil, 0x4000) r0 = openat$bpf(0xffffffffffffff9c, &(0x7f0000000200)='/dev/bpf\x00', 0x4000000001, 0x0) ioctl$BIOCSETIF(r0, 0x8020426c, &(0x7f0000000080)={'tap', 0x0}) ioctl$BIOCSETWF(r0, 0x80104277, &(0x7f00000000c0)={0x3, &(0x7f0000000000)=[{0x64}, {0x28}, {0x6, 0x0, 0x0, 0xfb}]}) readlink(&(0x7f0000000040)='./file0\x00', &(0x7f0000000100)=""/2, 0x2) pwrite(r0, &(0x7f0000000240)="fbaf8a8d1a029be96914f6357e3a", 0xe, 0x0, 0x0) 15:27:03 executing program 0: clock_settime(0x2, &(0x7f0000000040)={0xfffffffffffffeff, 0x7ff}) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) sendto$unix(r0, 0x0, 0x0, 0x0, &(0x7f00000001c0)=@file={0x0, './file0\x00'}, 0xa) 15:27:03 executing program 1: ioctl$VMM_IOC_WRITEREGS(0xffffffffffffff9c, 0x82485608, &(0x7f0000000240)={0x0, 0x0, 0x0, {[], [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffa], [0x0, 0x0, 0x0, 0x9, 0xffffffffffffffff, 0xbfffbfffbffbffff], [0x0, 0x0, 0x401]}}) ioctl$BIOCSETIF(0xffffffffffffffff, 0x8020426c, &(0x7f0000000300)={'tap', 0x0}) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x5) r0 = socket(0x18, 0x2, 0x0) r1 = fcntl$dupfd(r0, 0x0, r0) ioctl$TIOCFLUSH(r1, 0x8080691a, &(0x7f0000000300)) 15:27:03 executing program 0: ioctl$VMM_IOC_WRITEREGS(0xffffffffffffffff, 0x82485608, &(0x7f0000000240)={0x0, 0x0, 0x0, {[], [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x276], [0x0, 0x0, 0x0, 0x9, 0xfffffffeeff7ffff], [0x0, 0x0, 0x401]}}) ioctl$BIOCSETIF(0xffffffffffffffff, 0x8020426c, &(0x7f0000000300)={'tap', 0x0}) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x5) r0 = socket(0x18, 0x2, 0x0) r1 = fcntl$dupfd(r0, 0x0, r0) ioctl$TIOCFLUSH(r1, 0x8080691a, &(0x7f0000000300)) r2 = shmget$private(0x0, 0xa000, 0x189, &(0x7f0000ff6000/0xa000)=nil) shmctl$IPC_RMID(r2, 0x0) shmctl$SHM_UNLOCK(r2, 0x4) login: uvm_fault(0xfffffd806bc0a990, 0x0, 0, 2) -> e kernel: page fault trap, code=0 Stopped at memcpy+0x15: repe movsq (%rsi),%es:(%rdi) ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic kernel page fault uvm_fault(0xfffffd806bc0a990, 0x0, 0, 2) -> e memcpy() at memcpy+0x15 end trace frame: 0xffff80001d359fc0, count: 0 ddb> trace memcpy() at memcpy+0x15 sbappendstream(fffffd805db03648,fffffd805db03740,fffffd805c8ef100) at sbappendstream+0x105 tcp_usrreq(fffffd805db03648,9,fffffd805c8ef100,0,0,ffff80001d3a79d0) at tcp_usrreq+0x225 sosend(fffffd805db03648,0,ffff80001d35a218,0,0,80) at sosend+0x669 dofilewritev(ffff80001d3a79d0,4,ffff80001d35a218,0,ffff80001d35a300) at dofilewritev+0x1ab sys_write(ffff80001d3a79d0,ffff80001d35a2b0,ffff80001d35a300) at sys_write+0x83 syscall(ffff80001d35a380) at syscall+0x507 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7ffffea230, count: -8 ddb> show registers rdi 0 rsi 0xfffffd805c8ef170 rbp 0xffff80001d359f60 rbx 0x1 rdx 0x90 rcx 0x12 rax 0 r8 0 r9 0x5 r10 0xa3001d2023edd50c r11 0 r12 0xfffffd805c8ef100 r13 0xfffffd805c8ef200 r14 0x1 r15 0xfffffd805db03740 rip 0xffffffff81cbc6a5 memcpy+0x15 cs 0x8 rflags 0x10206 __ALIGN_SIZE+0xf206 rsp 0xffff80001d359ee8 ss 0x10 memcpy+0x15: repe movsq (%rsi),%es:(%rdi) ddb> show proc PROC (sshd) pid=30971 stat=onproc flags process=12 proc=0 pri=24, usrpri=50, nice=20 forw=0xffffffffffffffff, list=0xffff80001d3a8390,0xffff80001d3a7020 process=0xffff8000ffff83b0 user=0xffff80001d355000, vmspace=0xfffffd806bc0a990 estcpu=0, cpticks=0, pctcpu=0.0 user=0, sys=0, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 561 373350 5364 0 2 0 syz-executor.0 561 186682 5364 0 2 0x4000000 syz-executor.0 11524 433583 57179 0 2 0x2 syz-executor.1 5364 510107 57179 0 3 0x82 nanosleep syz-executor.0 57179 420308 66854 0 3 0x82 thrsleep syz-fuzzer 57179 21849 66854 0 3 0x4000082 nanosleep syz-fuzzer 57179 294039 66854 0 2 0x4000002 syz-fuzzer 57179 274386 66854 0 3 0x4000082 thrsleep syz-fuzzer 57179 444318 66854 0 3 0x4000082 thrsleep syz-fuzzer 57179 63538 66854 0 3 0x4000082 thrsleep syz-fuzzer 57179 432934 66854 0 3 0x4000082 thrsleep syz-fuzzer 57179 55763 66854 0 3 0x4000082 thrsleep syz-fuzzer 66854 345106 51185 0 3 0x10008a pause ksh *51185 30971 73786 0 7 0x12 sshd 87163 25022 1 0 3 0x100083 ttyin getty 73786 257836 1 0 3 0x80 select sshd 66129 397339 88676 73 3 0x100090 kqread syslogd 88676 141817 1 0 3 0x100082 netio syslogd 99445 401482 1 77 3 0x100090 poll dhclient 25484 411691 1 0 3 0x80 poll dhclient 77630 353094 0 0 3 0x14200 bored smr 12057 108990 0 0 2 0x14200 zerothread 8725 146181 0 0 3 0x14200 aiodoned aiodoned 81286 22833 0 0 3 0x14200 syncer update 95068 129638 0 0 3 0x14200 cleaner cleaner 33335 330876 0 0 3 0x14200 reaper reaper 77159 13871 0 0 3 0x14200 pgdaemon pagedaemon 3804 474216 0 0 3 0x14200 bored crynlk 40625 280250 0 0 3 0x14200 bored crypto 58030 32239 0 0 3 0x40014200 acpi0 acpi0 39319 496776 0 0 3 0x14200 bored softnet 70205 521310 0 0 3 0x14200 bored systqmp 56163 516991 0 0 3 0x14200 bored systq 64824 361003 0 0 3 0x40014200 bored softclock 15767 171295 0 0 3 0x40014200 idle0 1 177917 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 9455 6388K 6388K 78643K 10552 0 pcb 13 8K 8K 78643K 17 0 rtable 105 3K 3K 78643K 189 0 ifaddr 39 10K 10K 78643K 41 0 counters 21 16K 16K 78643K 21 0 ioctlops 0 0K 2K 78643K 15 0 mount 1 1K 1K 78643K 1 0 vnodes 1217 77K 77K 78643K 1223 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 5K 78643K 3 0 VM map 2 0K 0K 78643K 2 0 sem 2 0K 0K 78643K 2 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1794 195K 288K 78643K 12646 0 file desc 5 13K 25K 78643K 40 0 proc 47 38K 54K 78643K 358 0 subproc 32 2K 2K 78643K 34 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 in_multi 33 2K 2K 78643K 33 0 ether_multi 1 0K 0K 78643K 1 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 19 95K 95K 78643K 19 0 exec 0 0K 1K 78643K 181 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 84 20K 21K 78643K 898 0 UVM aobj 5 2K 2K 78643K 5 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 NDP 9 0K 0K 78643K 9 0 temp 60 3027K 3091K 78643K 1815 0 kqueue 3 4K 4K 78643K 3 0 SYN cache 2 16K 16K 78643K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 6 0 0 1 0 1 1 0 8 0 rtpcb 80 19 0 17 1 0 1 1 0 8 0 rtentry 112 45 0 1 2 0 2 2 0 8 0 unpcb 120 27 0 19 1 0 1 1 0 8 0 syncache 264 4 0 4 1 1 0 1 0 8 0 tcpqe 32 30 0 30 1 0 1 1 0 8 1 tcpcb 544 10 0 6 1 0 1 1 0 8 0 inpcb 280 36 0 29 1 0 1 1 0 8 0 nd6 48 6 0 0 1 0 1 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 188 0 0 12 0 12 12 0 8 0 art_table 32 189 0 0 2 0 2 2 0 8 0 art_node 16 44 0 4 1 0 1 1 0 8 0 shmpl 112 3 0 0 1 0 1 1 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino1pl 128 1422 0 23 46 0 46 46 0 8 0 ffsino 240 1422 0 23 83 0 83 83 0 8 0 nchpl 144 1659 0 50 60 0 60 60 0 8 0 uvmvnodes 72 1467 0 0 27 0 27 27 0 8 0 vnodes 208 1467 0 0 78 0 78 78 0 8 0 namei 1024 3929 0 3929 1 0 1 1 0 8 1 scxspl 192 4705 0 4705 1 0 1 1 0 8 1 plimitpl 152 14 0 7 1 0 1 1 0 8 0 sigapl 424 226 0 198 4 0 4 4 0 8 0 futexpl 56 113 0 113 1 0 1 1 0 8 1 knotepl 112 53 0 34 1 0 1 1 0 8 0 kqueuepl 144 2 0 0 1 0 1 1 0 8 0 pipelkpl 16 73 0 63 1 0 1 1 0 8 0 pipepl 120 146 0 127 1 0 1 1 0 8 0 fdescpl 432 212 0 198 2 0 2 2 0 8 0 filepl 120 1016 0 921 4 0 4 4 0 8 1 lockfpl 104 5 0 4 1 0 1 1 0 8 0 lockfspl 48 3 0 2 1 0 1 1 0 8 0 sessionpl 112 17 0 7 1 0 1 1 0 8 0 pgrppl 48 17 0 7 1 0 1 1 0 8 0 ucredpl 96 40 0 33 1 0 1 1 0 8 0 zombiepl 144 198 0 198 1 0 1 1 0 8 1 processpl 920 226 0 198 4 0 4 4 0 8 0 procpl 624 239 0 203 3 0 3 3 0 8 0 sockpl 400 82 0 65 3 0 3 3 0 8 1 mcl4k 4096 8 0 8 1 1 0 1 0 8 0 mcl2k 2048 59982 0 59939 15 2 13 13 0 8 7 mtagpl 80 3 0 2 2 1 1 1 0 8 0 mbufpl 256 94601 0 94496 10 2 8 8 0 8 1 bufpl 280 3969 0 161 272 0 272 272 0 8 0 anonpl 16 32228 0 20526 50 2 48 48 0 107 1 amapchunkpl 152 962 0 836 8 0 8 8 0 158 2 amappl16 192 746 0 128 31 0 31 31 0 8 0 amappl15 184 1 0 0 1 0 1 1 0 8 0 amappl14 176 3 0 2 2 1 1 1 0 8 0 amappl13 168 30 0 26 1 0 1 1 0 8 0 amappl12 160 4 0 4 1 1 0 1 0 8 0 amappl11 152 57 0 45 1 0 1 1 0 8 0 amappl10 144 23 0 16 1 0 1 1 0 8 0 amappl9 136 340 0 337 1 0 1 1 0 8 0 amappl8 128 256 0 244 1 0 1 1 0 8 0 amappl7 120 108 0 97 1 0 1 1 0 8 0 amappl6 112 20 0 17 1 0 1 1 0 8 0 amappl5 104 217 0 208 1 0 1 1 0 8 0 amappl4 96 441 0 411 1 0 1 1 0 8 0 amappl3 88 109 0 102 1 0 1 1 0 8 0 amappl2 80 887 0 823 3 0 3 3 0 8 1 amappl1 72 13316 0 12906 27 10 17 20 0 8 8 amappl 80 457 0 418 1 0 1 1 0 84 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 64 4 0 0 1 0 1 1 0 8 0 uaddrrnd 24 212 0 198 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 212 0 198 1 0 1 1 0 8 0 vmmpekpl 168 5607 0 5582 2 0 2 2 0 8 0 vmmpepl 168 32549 0 30889 97 6 91 91 0 357 18 vmsppl 272 211 0 198 2 0 2 2 0 8 1 pdppl 4096 430 0 396 6 0 6 6 0 8 1 pvpl 32 116887 0 102265 123 0 123 123 0 265 3 pmappl 200 211 0 198 1 0 1 1 0 8 0 extentpl 40 46 0 29 1 0 1 1 0 8 0 phpool 112 143 0 7 4 0 4 4 0 8 0