panic: ufsdirhash_lookup: bad offset in hash array
Stopped at db_enter+0x1c: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*115502 20397 0 0 0x4000000 0 syz-executor.7
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff828e4a03) at panic+0x165 sys/kern/subr_prf.c:198
ufsdirhash_lookup(fffffd806bd655a8,ffff80002f51cc00,1,fffffd806bd65654,ffff800035dd8ab0,0) at ufsdirhash_lookup+0x8a8 sys/ufs/ufs/ufs_dirhash.c:342
ufs_lookup() at ufs_lookup+0xba0 sys/ufs/ufs/ufs_lookup.c:214
VOP_LOOKUP(fffffd805c899610,ffff800035dd8d58,ffff800035dd8d88) at VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85
vfs_lookup(ffff800035dd8d28) at vfs_lookup+0x6df sys/kern/vfs_lookup.c:566
namei(ffff800035dd8d28) at namei+0x56a sys/kern/vfs_lookup.c:250
dorenameat(ffff80002a677560,ffffff9c,20000840,5,200008c0) at dorenameat+0x106 sys/kern/vfs_syscalls.c:2960
syscall(ffff800035dd8fc0) at syscall+0x538 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xea4e8cb5d90, count: 5
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: ufsdirhash_lookup: bad offset in hash array ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff828e4a03) at panic+0x165 sys/kern/subr_prf.c:198 ufsdirhash_lookup(fffffd806bd655a8,ffff80002f51cc00,1,fffffd806bd65654,ffff800035dd8ab0,0) at ufsdirhash_lookup+0x8a8 sys/ufs/ufs/ufs_dirhash.c:342 ufs_lookup() at ufs_lookup+0xba0 sys/ufs/ufs/ufs_lookup.c:214 VOP_LOOKUP(fffffd805c899610,ffff800035dd8d58,ffff800035dd8d88) at VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85 vfs_lookup(ffff800035dd8d28) at vfs_lookup+0x6df sys/kern/vfs_lookup.c:566 namei(ffff800035dd8d28) at namei+0x56a sys/kern/vfs_lookup.c:250 dorenameat(ffff80002a677560,ffffff9c,20000840,5,200008c0) at dorenameat+0x106 sys/kern/vfs_syscalls.c:2960 syscall(ffff800035dd8fc0) at syscall+0x538 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xea4e8cb5d90, count: -10 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff800035dd88d0 rbx 0xffff800000e71d30 rdx 0xffff800000e70bc0 rcx 0 rax 0xffff80002a677560 r8 0 r9 0x8080808080808080 r10 0xf6edd2b77dc6dc90 r11 0x95325a901c7fc8ac r12 0 r13 0xffff800000e3b400 r14 0 r15 0x1 rip 0xffffffff821623bc db_enter+0x1c cs 0x8 rflags 0x246 rsp 0xffff800035dd88c0 ss 0x10 db_enter+0x1c: addq $0x8,%rsp ddb> show proc PROC (syz-executor.7) tid=115502 pid=20397 tcnt=2 stat=onproc flags process=0 proc=4000000 runpri=32, usrpri=84, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 forw=0xffffffffffffffff, list=0xffff80002a676020,0xffffffff82dea270 process=0xffff80003781ccb0 user=0xffff800035dd4000, vmspace=0xfffffd8073c57168 estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 20397 322129 25210 0 2 0 syz-executor.7 *20397 115502 25210 0 7 0x4000000 syz-executor.7 94320 55687 45218 60928 3 0x90 nanoslp syz-executor.6 94320 145883 45218 60928 3 0x4000090 fsleep syz-executor.6 12483 239091 96076 0 3 
0x80 nanoslp syz-executor.5 12483 451192 96076 0 3 0x4000080 fsleep syz-executor.5 12483 252857 96076 0 2 0x4000480 syz-executor.5 9119 478871 0 0 3 0x14280 nfsidl nfsio 42388 521414 0 0 3 0x14280 nfsidl nfsio 36721 292381 0 0 3 0x14280 nfsidl nfsio 34625 125141 0 0 3 0x14280 nfsidl nfsio 37875 472305 0 0 3 0x14280 nfsidl nfsio 7398 141745 0 0 3 0x14280 nfsidl nfsio 34568 207780 0 0 3 0x14280 nfsidl nfsio 71287 410094 0 0 3 0x14280 nfsidl nfsio 30379 245184 0 0 3 0x14280 nfsidl nfsio 43049 308850 0 0 3 0x14280 nfsidl nfsio 15859 149229 0 0 3 0x14280 nfsidl nfsio 24765 170261 0 0 3 0x14280 nfsidl nfsio 63974 292308 0 0 3 0x14280 nfsidl nfsio 74132 66478 0 0 3 0x14280 nfsidl nfsio 12789 63675 0 0 3 0x14280 nfsidl nfsio 86417 55340 0 0 3 0x14280 nfsidl nfsio 42493 351633 0 0 3 0x14280 nfsidl nfsio 18855 246826 0 0 3 0x14280 nfsidl nfsio 68615 3697 0 0 3 0x14280 nfsidl nfsio 11158 456416 0 0 3 0x14280 nfsidl nfsio 49918 478512 251 0 3 0x82 piperd syz-executor.2 89207 155459 251 0 2 0x482 syz-executor.1 25210 415173 251 0 3 0x82 nanoslp syz-executor.7 48858 29298 251 0 3 0x82 piperd syz-executor.0 96076 211526 251 0 3 0x82 nanoslp syz-executor.5 21659 98270 251 0 3 0x82 piperd syz-executor.3 45218 186819 251 0 2 0x482 syz-executor.6 42918 324148 251 0 2 0x2 syz-executor.4 86024 184178 0 0 3 0x14200 acct acct 69590 504997 1 0 3 0x18100083 ttyin getty 78790 222545 0 0 3 0x14200 bored sosplice 251 234024 29296 0 3 0x1a000082 wait syz-fuzzer 251 467340 29296 0 3 0x1e000082 nanoslp syz-fuzzer 251 51999 29296 0 3 0x1e000082 wait syz-fuzzer 251 378128 29296 0 3 0x1e000082 thrsleep syz-fuzzer 251 439576 29296 0 3 0x1e000082 thrsleep syz-fuzzer 251 478144 29296 0 3 0x1e000082 thrsleep syz-fuzzer 251 490957 29296 0 3 0x1e000082 wait syz-fuzzer 251 14905 29296 0 3 0x1e000082 wait syz-fuzzer 251 500571 29296 0 3 0x1e000082 thrsleep syz-fuzzer 251 27969 29296 0 3 0x1e000082 wait syz-fuzzer 251 410445 29296 0 3 0x1e000082 thrsleep syz-fuzzer 251 424937 29296 0 3 0x1e000082 wait 
syz-fuzzer 251 442377 29296 0 3 0x1e000082 wait syz-fuzzer 251 137368 29296 0 3 0x1e000082 kqread syz-fuzzer 251 518432 29296 0 3 0x1e000082 wait syz-fuzzer 29296 115210 5191 0 3 0x810008a sigsusp ksh 5191 304548 86063 0 3 0x1800009a kqread sshd 86063 139784 1 0 3 0x18000088 kqread sshd 57693 350630 5208 73 3 0x19100090 kqread syslogd 5208 207666 1 0 3 0x18100082 netio syslogd 7783 179266 1 0 3 0x18100080 kqread resolvd 36072 396573 2040 77 3 0x18100092 kqread dhcpleased 18108 222521 2040 77 3 0x18100092 kqread dhcpleased 2040 264358 1 0 3 0x18000080 kqread dhcpleased 53903 210038 0 0 3 0x14200 bored smr 42741 396046 0 0 2 0x14200 zerothread 40919 412648 0 0 3 0x14200 aiodoned aiodoned 85658 236166 0 0 3 0x14200 syncer update 3501 267752 0 0 3 0x14200 cleaner cleaner 46042 397124 0 0 3 0x14200 reaper reaper 85580 201880 0 0 3 0x14200 pgdaemon pagedaemon 9570 262192 0 0 3 0x14200 bored viomb 73796 17459 0 0 3 0x40014200 acpi0 acpi0 38402 243126 0 0 3 0x14200 bored softnet3 87504 454746 0 0 3 0x14200 bored softnet2 37454 407056 0 0 3 0x14200 bored softnet1 88772 184781 0 0 3 0x14200 bored softnet0 11893 83910 0 0 3 0x14200 bored systqmp 3307 245525 0 0 3 0x14200 bored systq 41315 318384 0 0 2 0x40014200 softclock 49004 405527 0 0 3 0x40014200 idle0 1 394455 0 0 3 0x8080082 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10215 6503K 14918K 166960K 62546 0 pcb 15 24K 26K 166960K 3833 0 rtable 226 11K 12K 166960K 6152 0 pf 31 9K 10K 166960K 744 0 ifaddr 41 14K 15K 166960K 849 0 ifgroup 54 2K 2K 166960K 1225 0 sysctl 3 0K 0K 166960K 13 0 counters 31 17K 18K 166960K 334 0 ioctlops 0 0K 2K 166960K 6423 0 iov 1 2K 32K 166960K 2997 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1836 115K 116K 166960K 20232 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 13K 166960K 1175 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 4239 0 
dirhash 81 14K 18K 166960K 9813 0 ACPI 1697 195K 286K 166960K 12548 0 file desc 13 45K 81K 166960K 30962 0 sigio 0 0K 0K 166960K 1024 0 proc 58 59K 92K 166960K 6734 0 subproc 104 6K 6K 166960K 1711 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 1499 0 in_multi 88 6K 7K 166960K 2057 0 ether_multi 1 0K 0K 166960K 26 0 mrt 1 0K 0K 166960K 17 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 229 1023K 1023K 166960K 229 0 exec 0 0K 1K 166960K 5843 0 pfkey data 0 0K 0K 166960K 17 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 556 923K 925K 166960K 279534 0 UVM aobj 131 8K 8K 166960K 149 0 pinsyscall 22 44K 100K 166960K 5124 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 1K 166960K 1575 0 NDP 12 0K 2K 166960K 621 0 temp 74 6804K 7440K 166960K 254955 0 kqueue 12 18K 29K 166960K 1618 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 1226 0 1223 4 1 3 3 0 8 2 rtentry 112 2123 0 2023 4 0 4 4 0 8 1 unpcb 144 25447 0 25432 27 19 8 10 0 8 7 syncache 336 223 0 223 4 3 1 1 0 8 1 sackhl 24 3 93 3 3 2 1 1 0 8 1 tcpqe 32 228 914 228 3 2 1 1 0 8 1 tcpcb 808 14843 0 14822 71 59 12 17 0 8 6 arp 88 319 0 303 1 0 1 1 0 8 0 ipq 40 49 0 49 2 1 1 1 0 8 1 ipqe 40 1297 0 1297 4 1 3 3 0 8 3 inpcb 360 29475 0 29449 131 119 12 22 0 8 6 nd6 104 521 0 498 1 0 1 1 0 8 0 pkpcb 40 444 0 444 3 2 1 1 0 8 1 kcovpl 48 126 0 118 1 0 1 1 0 8 0 ppxss 1072 74 0 74 3 2 1 1 0 8 1 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 9016 0 8596 65 38 27 32 0 8 0 art_table 32 9017 0 8596 5 1 4 5 0 8 0 art_node 16 2026 0 1935 1 0 1 1 0 8 0 sysvmsgpl 40 18 0 3 1 0 1 1 0 8 0 semapl 112 4237 0 4227 1 0 1 1 0 8 0 shmpl 112 146 0 18 4 0 4 4 0 8 0 dirhash 1024 3301 0 3261 6 0 6 6 0 8 0 dino2pl 256 41324 0 39679 104 0 104 104 0 8 0 ffsino 240 41324 0 39679 98 0 98 98 0 8 0 nchpl 144 83279 0 81559 66 0 66 66 0 8 0 
uvmvnodes 80 7628 0 0 156 0 156 156 0 8 0 vnodes 216 7628 0 0 424 0 424 424 0 8 0 namei 1024 300601 0 300598 6 4 2 2 0 8 1 vcpupl 2048 145 0 1 18 0 18 18 0 8 0 vmpool 664 269 0 125 13 0 13 13 0 8 1 kstatmem 264 630 0 606 3 0 3 3 0 8 1 scxspl 216 251248 0 251248 16 13 3 8 1 8 3 plimitpl 152 2847 0 2831 1 0 1 1 0 8 0 sigapl 424 31751 0 31688 8 0 8 8 0 8 0 futexpl 64 287484 0 287482 1 0 1 1 0 8 0 knotepl 120 267583 0 267501 30 19 11 17 0 8 7 kqueuepl 184 4777 0 4769 10 6 4 4 0 8 3 pipepl 288 4356 0 4328 17 8 9 9 0 8 6 fdescpl 432 31011 0 30987 4 0 4 4 0 8 0 filepl 120 194218 0 193976 39 24 15 18 0 8 7 lockfpl 104 10454 0 10450 4 2 2 2 0 8 1 lockfspl 48 4355 0 4351 1 0 1 1 0 8 0 sessionpl 144 141 0 125 1 0 1 1 0 8 0 pgrppl 48 1086 0 1070 1 0 1 1 0 8 0 ucredpl 104 21723 0 21712 1 0 1 1 0 8 0 zombiepl 144 31689 0 31688 2 1 1 1 0 8 0 processpl 1072 31751 0 31688 5 0 5 5 0 8 0 procpl 680 75597 0 75516 12 3 9 9 0 8 1 sosppl 168 308 0 302 4 3 1 1 0 8 0 sockpl 488 56655 0 56611 887 871 16 45 0 8 8 mcl64k 65536 1237 0 1237 4 3 1 1 0 8 1 mcl16k 16384 602 0 602 4 3 1 1 0 8 1 mcl12k 12288 1133 0 1133 4 3 1 1 0 8 1 mcl9k 9216 591 0 591 4 3 1 1 0 8 1 mcl8k 8192 2085 0 2084 4 3 1 1 0 8 0 mcl4k 4096 3971 0 3971 12 9 3 4 0 8 3 mcl2k2 2112 334 0 334 4 3 1 1 0 8 1 mcl2k 2048 137030 0 136967 56 42 14 31 0 8 5 mtagpl 96 5182 0 5116 24 16 8 20 0 8 6 mbufpl 256 496063 0 495801 546 514 32 90 0 8 8 bufpl 280 54501 0 46872 546 0 546 546 0 8 0 anonpl 24 2685108 0 2670703 143 28 115 115 0 188 7 amapchunkpl 152 879220 0 878429 56 10 46 46 0 158 8 amappl16 200 51958 0 51413 122 84 38 41 0 8 8 amappl15 192 185 0 183 1 0 1 1 0 8 0 amappl14 184 534 0 518 2 1 1 2 0 8 0 amappl13 176 35 0 35 3 2 1 1 0 8 1 amappl12 168 33391 0 33362 2 0 2 2 0 8 0 amappl11 160 61 0 51 1 0 1 1 0 8 0 amappl10 152 170 0 156 1 0 1 1 0 8 0 amappl9 144 417 0 417 1 0 1 1 0 8 1 amappl8 136 1111 0 992 5 0 5 5 0 8 0 amappl7 128 193 0 176 1 0 1 1 0 8 0 amappl6 120 1983 0 1963 2 1 1 2 0 8 0 amappl5 112 1189 0 1177 1 0 1 1 0 8 0 
amappl4 104 1839 0 1795 3 1 2 2 0 8 0 amappl3 96 173911 0 173841 3 0 3 3 0 8 0 amappl2 88 32921 0 32852 4 1 3 4 0 8 1 amappl1 80 127190 0 126707 22 10 12 21 0 8 0 amappl 88 277477 0 277198 8 0 8 8 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 148 0 18 3 0 3 3 0 8 0 uaddrrnd 24 31280 0 31112 2 0 2 2 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 31280 0 31112 2 0 2 2 0 8 0 vmmpekpl 168 202612 0 202532 5 0 5 5 0 8 0 vmmpepl 168 1839026 0 1836600 203 52 151 151 0 357 19 vmsppl 352 31279 0 31112 17 1 16 16 0 8 0 rwobjpl 24 406495 0 397074 60 1 59 59 0 8 1 pdppl 4096 62566 0 62368 1543 1335 208 208 0 8 10 pvpl 32 7923448 0 7903509 460 223 237 359 0 265 48 pmappl 216 31279 0 31112 10 0 10 10 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 2574 0 2026 17 0 17 17 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff828e4a03) at panic+0x165 sys/kern/subr_prf.c:198 ufsdirhash_lookup(fffffd806bd655a8,ffff80002f51cc00,1,fffffd806bd65654,ffff800035dd8ab0,0) at ufsdirhash_lookup+0x8a8 sys/ufs/ufs/ufs_dirhash.c:342 ufs_lookup() at ufs_lookup+0xba0 sys/ufs/ufs/ufs_lookup.c:214 VOP_LOOKUP(fffffd805c899610,ffff800035dd8d58,ffff800035dd8d88) at VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85 vfs_lookup(ffff800035dd8d28) at vfs_lookup+0x6df sys/kern/vfs_lookup.c:566 namei(ffff800035dd8d28) at namei+0x56a sys/kern/vfs_lookup.c:250 dorenameat(ffff80002a677560,ffffff9c,20000840,5,200008c0) at dorenameat+0x106 sys/kern/vfs_syscalls.c:2960 syscall(ffff800035dd8fc0) at syscall+0x538 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xea4e8cb5d90, count: -10 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 
panic(ffffffff828e4a03) at panic+0x165 sys/kern/subr_prf.c:198 ufsdirhash_lookup(fffffd806bd655a8,ffff80002f51cc00,1,fffffd806bd65654,ffff800035dd8ab0,0) at ufsdirhash_lookup+0x8a8 sys/ufs/ufs/ufs_dirhash.c:342 ufs_lookup() at ufs_lookup+0xba0 sys/ufs/ufs/ufs_lookup.c:214 VOP_LOOKUP(fffffd805c899610,ffff800035dd8d58,ffff800035dd8d88) at VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85 vfs_lookup(ffff800035dd8d28) at vfs_lookup+0x6df sys/kern/vfs_lookup.c:566 namei(ffff800035dd8d28) at namei+0x56a sys/kern/vfs_lookup.c:250 dorenameat(ffff80002a677560,ffffff9c,20000840,5,200008c0) at dorenameat+0x106 sys/kern/vfs_syscalls.c:2960 syscall(ffff800035dd8fc0) at syscall+0x538 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xea4e8cb5d90, count: -10