panic: ufsdirhash_lookup: bad offset in hash array
Stopped at db_enter+0x1c: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*168627 40437 0 0 0x4000000 0 syz-executor.6
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff82922754) at panic+0x165 sys/kern/subr_prf.c:198
ufsdirhash_lookup(fffffd8069aefa58,ffffffff828ffb4a,2,fffffd8069aefb04,ffff800031f5a9f8,0) at ufsdirhash_lookup+0x8b8 sys/ufs/ufs/ufs_dirhash.c:342
ufs_lookup() at ufs_lookup+0xbb6 sys/ufs/ufs/ufs_lookup.c:214
VOP_LOOKUP(fffffd805d574cf8,ffff800031f5ab98,ffff800031f5ab38) at VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85
unveil_find_cover(fffffd805d574cf8,ffff80002a6a3aa0) at unveil_find_cover+0x130 sys/kern/kern_unveil.c:277
unveil_start_relative(ffff80002a6a3aa0,ffff800031f5adb8,fffffd805d574cf8) at unveil_start_relative+0xf6 sys/kern/kern_unveil.c:606
namei(ffff800031f5adb8) at namei+0x453 sys/kern/vfs_lookup.c:237
dorenameat(ffff80002a6a3aa0,5,200004c0,ffffffff,0) at dorenameat+0x7f sys/kern/vfs_syscalls.c:2950
syscall(ffff800031f5afe0) at syscall+0x5ef sys/arch/amd64/amd64/trap.c:591
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xaffaabd5bf0, count: 4
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: ufsdirhash_lookup: bad offset in hash array ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82922754) at panic+0x165 sys/kern/subr_prf.c:198 ufsdirhash_lookup(fffffd8069aefa58,ffffffff828ffb4a,2,fffffd8069aefb04,ffff800031f5a9f8,0) at ufsdirhash_lookup+0x8b8 sys/ufs/ufs/ufs_dirhash.c:342 ufs_lookup() at ufs_lookup+0xbb6 sys/ufs/ufs/ufs_lookup.c:214 VOP_LOOKUP(fffffd805d574cf8,ffff800031f5ab98,ffff800031f5ab38) at VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85 unveil_find_cover(fffffd805d574cf8,ffff80002a6a3aa0) at unveil_find_cover+0x130 sys/kern/kern_unveil.c:277 unveil_start_relative(ffff80002a6a3aa0,ffff800031f5adb8,fffffd805d574cf8) at unveil_start_relative+0xf6 sys/kern/kern_unveil.c:606 namei(ffff800031f5adb8) at namei+0x453 sys/kern/vfs_lookup.c:237 dorenameat(ffff80002a6a3aa0,5,200004c0,ffffffff,0) at dorenameat+0x7f sys/kern/vfs_syscalls.c:2950 syscall(ffff800031f5afe0) at syscall+0x5ef sys/arch/amd64/amd64/trap.c:591 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xaffaabd5bf0, count: -11 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff800031f5a820 rbx 0 rdx 0 rcx 0 rax 0xffff80002a6a3aa0 r8 0 r9 0x8080808080808080 r10 0x2bc7ffb330187e09 r11 0xd07a7f594f3c2709 r12 0 r13 0xffff8000006c4fd0 r14 0 r15 0x1 rip 0xffffffff8101a3bc db_enter+0x1c cs 0x8 rflags 0x246 rsp 0xffff800031f5a810 ss 0x10 db_enter+0x1c: addq $0x8,%rsp ddb> show proc PROC (syz-executor.6) tid=168627 pid=40437 tcnt=2 stat=onproc flags process=0 proc=4000000 runpri=32, usrpri=78, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 forw=0xffffffffffffffff, list=0xffff80002a6a3550,0xffff80002a6d9000 process=0xffff8000ffff8438 user=0xffff800031f56000, vmspace=0xfffffd807e42e858 estcpu=36, cpticks=0, pctcpu=0.0, user=0, sys=0, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 74409 85041 52320 0 2 0x480 syz-executor.5 74409 184636 52320 0 3 0x4000080 fsleep syz-executor.5 74409 
117099 52320 0 3 0x4000080 fsleep syz-executor.5 40437 443816 24040 0 2 0 syz-executor.6 *40437 168627 24040 0 7 0x4000000 syz-executor.6 37712 414013 26847 0 3 0x80 nanoslp syz-executor.2 37712 179272 26847 0 3 0x4000080 netcon syz-executor.2 37712 488395 26847 0 3 0x4000080 fsleep syz-executor.2 51140 335610 0 0 3 0x14280 nfsidl nfsio 84149 54517 0 0 3 0x14280 nfsidl nfsio 80665 47173 0 0 3 0x14280 nfsidl nfsio 32505 72083 0 0 3 0x14280 nfsidl nfsio 49473 354316 0 0 3 0x14280 nfsidl nfsio 38414 130981 0 0 3 0x14280 nfsidl nfsio 89943 10301 0 0 3 0x14280 nfsidl nfsio 46220 199204 0 0 3 0x14280 nfsidl nfsio 83996 235318 0 0 3 0x14280 nfsidl nfsio 37113 131256 0 0 3 0x14280 nfsidl nfsio 41774 391114 0 0 3 0x14280 nfsidl nfsio 61844 177198 0 0 3 0x14280 nfsidl nfsio 51560 56054 0 0 3 0x14280 nfsidl nfsio 36571 6535 0 0 3 0x14280 nfsidl nfsio 89840 45875 0 0 3 0x14280 nfsidl nfsio 76727 59198 0 0 3 0x14280 nfsidl nfsio 46488 120073 0 0 3 0x14280 nfsidl nfsio 8237 460833 0 0 3 0x14280 nfsidl nfsio 46785 168294 0 0 3 0x14280 nfsidl nfsio 87289 125948 0 0 3 0x14280 nfsidl nfsio 18989 305751 0 0 3 0x14200 acct acct 29011 275105 6771 0 3 0x82 piperd syz-executor.0 26847 222907 6771 0 2 0x482 syz-executor.2 7825 76833 6771 0 3 0x82 piperd syz-executor.1 12614 401347 6771 0 3 0x82 nanoslp syz-executor.4 52320 24653 6771 0 3 0x82 nanoslp syz-executor.5 24040 36135 6771 0 3 0x82 nanoslp syz-executor.6 10365 163068 6771 0 3 0x82 piperd syz-executor.3 50371 319316 6771 0 3 0x82 piperd syz-executor.7 26661 201480 1 0 3 0x100083 ttyin getty 31884 72486 0 0 3 0x14200 bored sosplice 6771 239776 98181 0 3 0x2000082 thrsleep syz-fuzzer 6771 145308 98181 0 2 0x6000482 syz-fuzzer 6771 437200 98181 0 3 0x6000082 wait syz-fuzzer 6771 275955 98181 0 3 0x6000082 thrsleep syz-fuzzer 6771 29999 98181 0 3 0x6000082 wait syz-fuzzer 6771 214113 98181 0 3 0x6000082 kqread syz-fuzzer 6771 74736 98181 0 3 0x6000082 wait syz-fuzzer 6771 153217 98181 0 3 0x6000082 wait syz-fuzzer 6771 293255 98181 0 
3 0x6000082 thrsleep syz-fuzzer 6771 159815 98181 0 3 0x6000082 wait syz-fuzzer 6771 355103 98181 0 3 0x6000082 thrsleep syz-fuzzer 6771 186098 98181 0 3 0x6000082 wait syz-fuzzer 6771 364077 98181 0 3 0x6000082 wait syz-fuzzer 6771 361621 98181 0 3 0x6000082 wait syz-fuzzer 98181 177533 733 0 3 0x10008a sigsusp ksh 733 362623 92790 0 3 0x9a kqread sshd 92790 425509 1 0 3 0x88 kqread sshd 46549 147127 45577 73 3 0x1100090 kqread syslogd 45577 25606 1 0 3 0x100082 netio syslogd 33551 418732 1 0 3 0x100080 kqread resolvd 96065 498271 73809 77 3 0x100092 kqread dhcpleased 19975 328645 73809 77 3 0x100092 kqread dhcpleased 73809 110602 1 0 3 0x80 kqread dhcpleased 19136 113943 0 0 3 0x14200 bored smr 63200 280053 0 0 2 0x14200 zerothread 88990 93927 0 0 3 0x14200 aiodoned aiodoned 50973 55148 0 0 3 0x14200 syncer update 31072 219587 0 0 3 0x14200 cleaner cleaner 70100 220513 0 0 3 0x14200 reaper reaper 5062 409546 0 0 3 0x14200 pgdaemon pagedaemon 87609 400327 0 0 3 0x14200 bored viomb 78983 396753 0 0 3 0x40014200 acpi0 acpi0 75140 419148 0 0 3 0x14200 bored softnet3 38784 433067 0 0 3 0x14200 bored softnet2 78257 463120 0 0 3 0x14200 bored softnet1 44677 28021 0 0 3 0x14200 bored softnet0 33942 23112 0 0 3 0x14200 bored systqmp 23231 400262 0 0 3 0x14200 bored systq 3148 491848 0 0 2 0x40014200 softclock 236 95605 0 0 3 0x40014200 idle0 1 146701 0 0 3 0x80082 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10193 6691K 7703K 166960K 27048 0 pcb 15 20K 24K 166960K 614 0 rtable 187 14K 14K 166960K 1037 0 pf 29 8K 9K 166960K 190 0 ifaddr 35 10K 12K 166960K 158 0 ifgroup 50 2K 2K 166960K 311 0 sysctl 3 0K 0K 166960K 3 0 counters 30 17K 17K 166960K 93 0 ioctlops 0 0K 2K 166960K 192 0 iov 0 0K 16K 166960K 587 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1401 88K 88K 166960K 6391 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 
1K 166960K 2 0 VM map 2 1K 1K 166960K 2 0 sem 11 1K 1K 166960K 17 0 dirhash 81 14K 16K 166960K 5685 0 ACPI 1697 195K 286K 166960K 12548 0 file desc 14 49K 69K 166960K 10911 0 sigio 0 0K 0K 166960K 200 0 proc 63 67K 75K 166960K 1071 0 subproc 104 6K 6K 166960K 286 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 641 0 in_multi 72 5K 7K 166960K 385 0 ether_multi 2 0K 0K 166960K 18 0 mrt 6 0K 0K 166960K 35 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 73 334K 334K 166960K 73 0 exec 0 0K 1K 166960K 960 0 pfkey data 0 0K 0K 166960K 4 0 tdb 3 0K 0K 166960K 3 0 pagedep 1 8K 8K 166960K 1 0 inodedep 1 32K 32K 166960K 1 0 newblk 1 0K 0K 166960K 1 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 358 109K 111K 166960K 97208 0 UVM aobj 131 4K 4K 166960K 131 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 233 0 NDP 11 0K 2K 166960K 120 0 temp 74 6704K 6832K 166960K 61483 0 kqueue 12 18K 47K 166960K 2440 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 393 0 390 7 6 1 5 0 8 0 rtentry 112 290 0 208 6 3 3 4 0 8 0 unpcb 144 4625 0 4612 57 56 1 7 0 8 0 syncache 312 314 0 314 11 10 1 1 0 8 1 tcpqe 32 537 0 537 14 13 1 1 0 8 1 tcpcb 808 2725 0 2628 40 24 16 21 0 8 0 arp 88 49 0 37 1 0 1 1 0 8 0 ipq 40 3 0 3 3 3 0 1 0 8 0 ipqe 40 3 0 3 3 3 0 1 0 8 0 inpcb 336 5790 0 5689 55 41 14 18 0 8 0 nd6 104 71 0 54 1 0 1 1 0 8 0 pkpcb 40 45 0 45 5 5 0 1 0 8 0 kcovpl 48 22 0 14 1 0 1 1 0 8 0 ppxss 1072 13 0 13 5 5 0 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 1190 0 819 47 23 24 29 0 8 0 art_table 32 1191 0 819 6 2 4 4 0 8 0 art_node 16 284 0 209 1 0 1 1 0 8 0 sysvmsgpl 40 28 0 28 1 1 0 1 0 8 0 semupl 112 7 0 7 1 1 0 1 0 8 0 semapl 112 9 0 0 1 0 1 1 0 8 0 shmpl 112 128 0 0 4 0 4 4 0 8 0 dirhash 1024 1924 0 1884 7 1 6 6 0 8 0 dino2pl 256 15953 0 14486 92 0 92 92 0 8 0 ffsino 240 15953 0 
14486 87 0 87 87 0 8 0 nchpl 144 30993 0 29364 63 0 63 63 0 8 0 uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0 vnodes 216 5926 0 0 330 0 330 330 0 8 0 namei 1024 86995 0 86994 4 3 1 2 0 8 0 vcpupl 2048 12 0 0 2 0 2 2 0 8 0 vmpool 664 12 0 0 1 0 1 1 0 8 0 kstatmem 264 148 0 126 2 0 2 2 0 8 0 scxspl 216 87707 0 87707 17 16 1 8 1 8 1 plimitpl 152 314 0 299 1 0 1 1 0 8 0 sigapl 424 11443 0 11380 8 0 8 8 0 8 0 futexpl 64 80898 0 80895 1 0 1 1 0 8 0 knotepl 120 97737 0 97654 26 22 4 17 0 8 0 kqueuepl 184 3899 0 3891 45 44 1 4 0 8 0 pipepl 288 1242 0 1214 24 21 3 7 0 8 0 fdescpl 432 11164 0 11139 4 0 4 4 0 8 0 filepl 120 51816 0 51572 75 66 9 18 0 8 0 lockfpl 104 4820 0 4818 8 7 1 2 0 8 0 lockfspl 48 2003 0 2001 1 0 1 1 0 8 0 sessionpl 144 38 0 22 1 0 1 1 0 8 0 pgrppl 48 68 0 52 1 0 1 1 0 8 0 ucredpl 104 5046 0 5036 1 0 1 1 0 8 0 zombiepl 144 11381 0 11380 1 0 1 1 0 8 0 processpl 1072 11443 0 11380 5 0 5 5 0 8 0 procpl 680 25048 0 24967 14 6 8 9 0 8 0 sosppl 168 208 0 205 5 4 1 2 0 8 0 sockpl 456 10885 0 10767 204 183 21 42 0 8 0 mcl64k 65536 237 0 237 25 25 0 1 0 8 0 mcl16k 16384 180 0 180 20 20 0 1 0 8 0 mcl12k 12288 185 0 185 21 20 1 1 0 8 1 mcl9k 9216 119 0 119 18 18 0 1 0 8 0 mcl8k 8192 402 0 402 20 19 1 1 0 8 1 mcl4k 4096 825 0 825 16 15 1 4 0 8 1 mcl2k2 2112 31 0 31 15 14 1 1 0 8 1 mcl2k 2048 67542 0 67418 95 77 18 39 0 8 0 mtagpl 96 1797 0 1128 22 5 17 17 0 8 0 mbufpl 256 230614 0 229757 331 271 60 104 0 8 0 bufpl 288 19650 0 13252 458 0 458 458 0 8 0 anonpl 24 1035615 0 1023923 169 94 75 95 0 188 0 amapchunkpl 152 306786 0 306036 70 37 33 40 0 158 1 amappl16 200 22063 0 21724 98 79 19 30 0 8 0 amappl15 192 18 0 18 2 2 0 1 0 8 0 amappl14 184 195 0 182 2 1 1 2 0 8 0 amappl13 176 44 0 43 1 0 1 1 0 8 0 amappl12 168 11989 0 11961 2 0 2 2 0 8 0 amappl11 160 60 0 48 1 0 1 1 0 8 0 amappl10 152 49 0 39 1 0 1 1 0 8 0 amappl9 144 142 0 142 8 8 0 1 0 8 0 amappl8 136 383 0 286 4 0 4 4 0 8 0 amappl7 128 226 0 203 2 0 2 2 0 8 0 amappl6 120 488 0 472 1 0 1 1 0 8 0 amappl5 112 234 0 
224 1 0 1 1 0 8 0 amappl4 104 585 0 560 2 1 1 2 0 8 0 amappl3 96 61562 0 61484 3 0 3 3 0 8 0 amappl2 88 11812 0 11743 3 1 2 3 0 8 0 amappl1 80 46983 0 46482 23 12 11 22 0 8 0 amappl 88 96454 0 96252 6 0 6 6 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 130 0 0 3 0 3 3 0 8 0 uaddrrnd 24 11176 0 11139 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 11176 0 11139 1 0 1 1 0 8 0 vmmpekpl 168 69479 0 69409 4 0 4 4 0 8 0 vmmpepl 168 634127 0 632064 211 108 103 118 0 357 0 vmsppl 352 11175 0 11139 4 0 4 4 0 8 0 rwobjpl 24 148008 0 140589 48 1 47 47 0 8 0 pdppl 4096 22358 0 22290 470 394 76 78 0 8 8 pvpl 32 2989284 0 2972076 392 245 147 361 0 265 0 pmappl 216 11175 0 11139 3 0 3 3 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 1822 0 952 28 1 27 27 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82922754) at panic+0x165 sys/kern/subr_prf.c:198 ufsdirhash_lookup(fffffd8069aefa58,ffffffff828ffb4a,2,fffffd8069aefb04,ffff800031f5a9f8,0) at ufsdirhash_lookup+0x8b8 sys/ufs/ufs/ufs_dirhash.c:342 ufs_lookup() at ufs_lookup+0xbb6 sys/ufs/ufs/ufs_lookup.c:214 VOP_LOOKUP(fffffd805d574cf8,ffff800031f5ab98,ffff800031f5ab38) at VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85 unveil_find_cover(fffffd805d574cf8,ffff80002a6a3aa0) at unveil_find_cover+0x130 sys/kern/kern_unveil.c:277 unveil_start_relative(ffff80002a6a3aa0,ffff800031f5adb8,fffffd805d574cf8) at unveil_start_relative+0xf6 sys/kern/kern_unveil.c:606 namei(ffff800031f5adb8) at namei+0x453 sys/kern/vfs_lookup.c:237 dorenameat(ffff80002a6a3aa0,5,200004c0,ffffffff,0) at dorenameat+0x7f sys/kern/vfs_syscalls.c:2950 syscall(ffff800031f5afe0) at syscall+0x5ef sys/arch/amd64/amd64/trap.c:591 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 
0xaffaabd5bf0, count: -11
ddb> machine ddbcpu 1
No such command
ddb> trace
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff82922754) at panic+0x165 sys/kern/subr_prf.c:198
ufsdirhash_lookup(fffffd8069aefa58,ffffffff828ffb4a,2,fffffd8069aefb04,ffff800031f5a9f8,0) at ufsdirhash_lookup+0x8b8 sys/ufs/ufs/ufs_dirhash.c:342
ufs_lookup() at ufs_lookup+0xbb6 sys/ufs/ufs/ufs_lookup.c:214
VOP_LOOKUP(fffffd805d574cf8,ffff800031f5ab98,ffff800031f5ab38) at VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85
unveil_find_cover(fffffd805d574cf8,ffff80002a6a3aa0) at unveil_find_cover+0x130 sys/kern/kern_unveil.c:277
unveil_start_relative(ffff80002a6a3aa0,ffff800031f5adb8,fffffd805d574cf8) at unveil_start_relative+0xf6 sys/kern/kern_unveil.c:606
namei(ffff800031f5adb8) at namei+0x453 sys/kern/vfs_lookup.c:237
dorenameat(ffff80002a6a3aa0,5,200004c0,ffffffff,0) at dorenameat+0x7f sys/kern/vfs_syscalls.c:2950
syscall(ffff800031f5afe0) at syscall+0x5ef sys/arch/amd64/amd64/trap.c:591
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xaffaabd5bf0, count: -11