panic: ufsdirhash_lookup: bad offset in hash array
Stopped at db_enter+0x1c: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*247017 31652 0 0 0x4000000 0K syz-executor.3
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8286ceae) at panic+0x17b sys/kern/subr_prf.c:198
ufsdirhash_lookup(fffffd8071883990,ffffffff8284e982,2,fffffd8071883a5c,ffff80002e441548,0) at ufsdirhash_lookup+0x8b8 sys/ufs/ufs/ufs_dirhash.c:343
ufs_lookup() at ufs_lookup+0xc15 sys/ufs/ufs/ufs_lookup.c:216
VOP_LOOKUP(fffffd806467a8a0,ffff80002e4416e8,ffff80002e441688) at VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85
unveil_find_cover(fffffd806467a8a0,ffff8000212342d8) at unveil_find_cover+0x130 sys/kern/kern_unveil.c:277
unveil_start_relative(ffff8000212342d8,ffff80002e441a28,fffffd806467a8a0) at unveil_start_relative+0xf6 sys/kern/kern_unveil.c:606
namei(ffff80002e441a28) at namei+0x453 sys/kern/vfs_lookup.c:237
vn_open(ffff80002e441a28,201,0) at vn_open+0x17b sys/kern/vfs_vnops.c:107
doopenat(ffff8000212342d8,4,20000240,200,0,ffff80002e441c00) at doopenat+0x26e sys/kern/vfs_syscalls.c:1126
syscall(ffff80002e441c80) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff80002e441c80) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xf84da8c2a40, count: 3
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: ufsdirhash_lookup: bad offset in hash array ddb{0}> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8286ceae) at panic+0x17b sys/kern/subr_prf.c:198 ufsdirhash_lookup(fffffd8071883990,ffffffff8284e982,2,fffffd8071883a5c,ffff80002e441548,0) at ufsdirhash_lookup+0x8b8 sys/ufs/ufs/ufs_dirhash.c:343 ufs_lookup() at ufs_lookup+0xc15 sys/ufs/ufs/ufs_lookup.c:216 VOP_LOOKUP(fffffd806467a8a0,ffff80002e4416e8,ffff80002e441688) at VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85 unveil_find_cover(fffffd806467a8a0,ffff8000212342d8) at unveil_find_cover+0x130 sys/kern/kern_unveil.c:277 unveil_start_relative(ffff8000212342d8,ffff80002e441a28,fffffd806467a8a0) at unveil_start_relative+0xf6 sys/kern/kern_unveil.c:606 namei(ffff80002e441a28) at namei+0x453 sys/kern/vfs_lookup.c:237 vn_open(ffff80002e441a28,201,0) at vn_open+0x17b sys/kern/vfs_vnops.c:107 doopenat(ffff8000212342d8,4,20000240,200,0,ffff80002e441c00) at doopenat+0x26e sys/kern/vfs_syscalls.c:1126 syscall(ffff80002e441c80) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline] syscall(ffff80002e441c80) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xf84da8c2a40, count: -12 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff80002e441360 rbx 0xffffffff82b6eb9f cpu_info_full_primary+0x2b9f rdx 0xffff800000e51300 rcx 0xffff8000212342d8 rax 0xffffffff82b6dff0 cpu_info_full_primary+0x1ff0 r8 0x101010101010101 r9 0x8080808080808080 r10 0x56f2f9379ff8cc26 r11 0x40b7d0e1bd95183f r12 0xffffffff82b6e9a0 cpu_info_full_primary+0x29a0 r13 0 r14 0 r15 0x1 rip 0xffffffff81d4418c db_enter+0x1c cs 0x8 rflags 0x246 rsp 0xffff80002e441350 ss 0x10 db_enter+0x1c: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor.3) pid=247017 stat=onproc flags process=0 proc=4000000 pri=32, usrpri=82, nice=20 forw=0xffffffffffffffff, list=0xffff800021235070,0xffffffff82d7d138 
process=0xffff8000212dc878 user=0xffff80002e43c000, vmspace=0xfffffd8008a0a910 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 73297 477935 93016 0 2 0 syz-executor.1 73297 68146 93016 0 2 0x4000000 syz-executor.1 31652 427980 15812 0 2 0 syz-executor.3 *31652 247017 15812 0 7 0x4000000 syz-executor.3 93016 207893 87674 0 3 0x82 nanoslp syz-executor.1 70323 204960 87674 0 3 0x82 piperd syz-executor.5 20670 385978 1 0 3 0x100083 ttyin getty 92741 71533 0 0 3 0x14200 acct acct 82639 90785 87674 0 3 0x82 piperd syz-executor.6 15812 512383 87674 0 3 0x82 nanoslp syz-executor.3 24066 57642 87674 0 3 0x82 nanoslp syz-executor.7 35690 317359 87674 0 3 0x82 piperd syz-executor.2 99540 237579 87674 0 3 0x82 piperd syz-executor.0 26575 477448 87674 0 3 0x82 piperd syz-executor.4 20717 301104 1458 0 3 0x100082 netio arp 1458 203078 1 0 3 0x10008a sigsusp sh 30013 24954 0 0 3 0x14200 bored sosplice 87674 26069 33837 0 3 0x2000082 wait syz-fuzzer 87674 349306 33837 0 3 0x6000082 thrsleep syz-fuzzer 87674 186508 33837 0 3 0x6000082 wait syz-fuzzer 87674 266119 33837 0 3 0x6000082 wait syz-fuzzer 87674 30050 33837 0 3 0x6000082 thrsleep syz-fuzzer 87674 159810 33837 0 3 0x6000082 wait syz-fuzzer 87674 132443 33837 0 3 0x6000082 thrsleep syz-fuzzer 87674 132630 33837 0 3 0x6000082 thrsleep syz-fuzzer 87674 453555 33837 0 3 0x6000082 thrsleep syz-fuzzer 87674 113575 33837 0 3 0x6000082 wait syz-fuzzer 87674 75144 33837 0 3 0x6000082 thrsleep syz-fuzzer 87674 18643 33837 0 3 0x6000082 thrsleep syz-fuzzer 87674 417100 33837 0 3 0x6000082 kqread syz-fuzzer 87674 203247 33837 0 3 0x6000082 wait syz-fuzzer 87674 183444 33837 0 3 0x6000082 wait syz-fuzzer 87674 200707 33837 0 3 0x6000082 wait syz-fuzzer 33837 134190 5491 0 3 0x10008a sigsusp ksh 5491 82631 72141 0 3 0x9a kqread sshd 72141 100215 1 0 3 0x88 kqread sshd 54047 323400 72033 74 3 0x1100092 bpf pflogd 72033 39105 1 0 3 0x80 netio pflogd 61225 308642 14966 73 3 0x1100090 
kqread syslogd 14966 224997 1 0 3 0x100082 netio syslogd 68486 285503 1 0 3 0x100080 kqread resolvd 77494 189049 53351 77 3 0x100092 kqread dhcpleased 12042 298298 53351 77 3 0x100092 kqread dhcpleased 53351 147199 1 0 3 0x80 kqread dhcpleased 73134 260432 0 0 3 0x14200 bored smr 23584 496829 0 0 2 0x14200 zerothread 95436 289990 0 0 3 0x14200 aiodoned aiodoned 43635 489939 0 0 3 0x14200 syncer update 63647 359691 0 0 3 0x14200 cleaner cleaner 35022 387161 0 0 3 0x14200 reaper reaper 28578 451531 0 0 3 0x14200 pgdaemon pagedaemon 82693 388370 0 0 3 0x14200 bored viomb 83841 427957 0 0 3 0x40014200 acpi0 acpi0 14642 362961 0 0 7 0x40014200 idle1 58140 504434 0 0 3 0x14200 bored softnet3 11551 348292 0 0 3 0x14200 bored softnet2 20392 90211 0 0 3 0x14200 bored softnet1 47890 231612 0 0 3 0x14200 bored softnet0 47215 72002 0 0 3 0x14200 bored systqmp 69446 275506 0 0 3 0x14200 bored systq 34422 385239 0 0 3 0x40014200 bored softclock 76516 100231 0 0 3 0x40014200 idle0 1 376251 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 31652 (syz-executor.3) thread 0xffff8000212342d8 (247017) exclusive rrwlock inode r = 0 (0xfffffd8071883a28) #0 witness_lock+0x447 #1 rw_enter+0x3c8 sys/kern/kern_rwlock.c:309 #2 rrw_enter+0x8c sys/kern/kern_rwlock.c:464 #3 VOP_LOCK+0x8b sys/kern/vfs_vops.c:518 #4 vn_lock+0x84 sys/kern/vfs_vnops.c:564 #5 vget+0x200 sys/kern/vfs_subr.c:676 #6 unveil_find_cover+0x10a sys/kern/kern_unveil.c:273 #7 unveil_start_relative+0xf6 sys/kern/kern_unveil.c:606 #8 namei+0x453 sys/kern/vfs_lookup.c:237 #9 vn_open+0x17b sys/kern/vfs_vnops.c:107 #10 doopenat+0x26e sys/kern/vfs_syscalls.c:1126 #11 syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline] #11 syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623 #12 Xsyscall+0x128 exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82c95078) #0 witness_lock+0x447 #1 syscall+0x5cd mi_syscall sys/sys/syscall_mi.h:110 [inline] #1 syscall+0x5cd sys/arch/amd64/amd64/trap.c:623 #2 
Xsyscall+0x128 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10237 6516K 8093K 78643K 45194 0 pcb 13 18K 23K 78643K 1934 0 rtable 241 7K 7K 78643K 5547 0 pf 35 10K 10K 78643K 843 0 ifaddr 46 19K 21K 78643K 895 0 ifgroup 60 2K 2K 78643K 1437 0 sysctl 3 1K 5K 78643K 95 0 counters 62 36K 36K 78643K 834 0 ioctlops 0 0K 4K 78643K 2877 0 iov 0 0K 32K 78643K 3594 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 4 0 vnodes 1641 103K 103K 78643K 15718 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 9K 78643K 408 0 VM map 2 1K 1K 78643K 2 0 sem 12 0K 0K 78643K 4210 0 dirhash 90 16K 18K 78643K 28503 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 14 49K 89K 78643K 41064 0 sigio 0 0K 0K 78643K 475 0 proc 71 103K 177K 78643K 6968 0 subproc 117 7K 7K 78643K 2175 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 10735 0 in_multi 99 7K 7K 78643K 3673 0 ether_multi 1 0K 0K 78643K 23 0 mrt 1 0K 0K 78643K 24 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 283 1261K 1261K 78643K 283 0 exec 0 0K 1K 78643K 7535 0 pfkey data 0 0K 0K 78643K 5 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 8 62K 64K 78643K 10 0 UVM amap 503 94K 990K 78643K 388415 0 UVM aobj 131 4K 6K 78643K 137 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 792 0 NDP 13 0K 2K 78643K 715 0 temp 74 5876K 6008K 78643K 329388 0 kqueue 12 18K 26K 78643K 2520 0 SYN cache 2 16K 24K 78643K 4 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 22 0 0 1 0 1 1 0 8 0 rtpcb 120 1226 0 1222 9 8 1 3 0 8 0 rtentry 112 1854 0 1742 4 0 4 4 0 8 0 unpcb 144 24914 0 24899 290 289 1 10 0 8 0 syncache 296 311 0 311 68 68 0 1 0 8 0 tcpqe 32 863 488 863 37 37 0 1 0 8 0 tcpcb 808 11998 0 11974 431 428 3 15 0 8 0 arp 120 319 0 301 1 0 1 1 0 8 0 inpcb 368 30445 0 
30418 561 557 4 19 0 8 0 nd6 136 504 0 478 1 0 1 1 0 8 0 pkpcb 40 68 0 68 15 15 0 1 0 8 0 kcovpl 48 166 0 157 1 0 1 1 0 8 0 ppxss 1256 96 0 96 31 31 0 1 0 8 0 pffrag 232 396 0 394 16 15 1 1 0 482 0 pffrnode 88 394 0 392 16 15 1 1 0 8 0 pffrent 40 1212 0 1210 17 16 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfstitem 24 1064 0 1050 1 0 1 1 0 8 0 pfstkey 128 1064 0 1050 5 3 2 2 0 8 0 pfstate 376 1064 0 1050 25 22 3 5 0 8 0 pfrule 1344 21 0 16 2 1 1 2 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 7239 0 6768 52 22 30 30 0 8 0 art_table 32 7240 0 6768 4 0 4 4 0 8 0 art_node 16 1793 0 1691 1 0 1 1 0 8 0 sysvmsgpl 40 29 0 16 1 0 1 1 0 8 0 semupl 112 1 0 1 1 1 0 1 0 8 0 semapl 112 4208 0 4198 1 0 1 1 0 8 0 shmpl 112 134 0 6 4 0 4 4 0 8 0 dirhash 1024 9514 0 9471 10 4 6 7 0 8 0 dino2pl 256 54467 0 52735 109 0 109 109 0 8 0 ffsino 272 54467 0 52735 116 0 116 116 0 8 0 nchpl 144 116262 0 115753 64 41 23 63 0 8 0 uvmvnodes 80 12516 0 0 256 0 256 256 0 8 0 vnodes 216 12516 0 0 696 0 696 696 0 8 0 namei 1024 443607 0 443606 10 9 1 2 0 8 0 percpumem 16 430 0 386 1 0 1 1 0 8 0 kstatmem 264 798 0 772 5 3 2 3 0 8 0 scxspl 216 336600 0 336600 83 81 2 8 1 8 2 plimitpl 152 5508 0 5491 1 0 1 1 0 8 0 sigapl 424 41099 0 41052 16 10 6 9 0 8 0 futexpl 64 340440 0 340440 9 8 1 1 0 8 1 knotepl 120 2370 0 0 21 4 17 18 0 8 0 kqueuepl 216 6423 0 6415 117 116 1 8 0 8 0 pipepl 320 15121 0 15090 359 356 3 14 0 8 0 fdescpl 496 41036 0 41009 8 3 5 5 0 8 0 filepl 152 308361 0 308102 599 587 12 25 0 8 0 lockfpl 104 8419 0 8417 15 14 1 3 0 8 0 lockfspl 48 2436 0 2434 2 1 1 2 0 8 0 sessionpl 144 189 0 171 1 0 1 1 0 8 0 pgrppl 48 3623 0 3605 1 0 1 1 0 8 0 ucredpl 104 35826 0 35814 1 0 1 1 0 8 0 zombiepl 144 41053 0 41052 5 4 1 1 0 8 0 processpl 1072 41099 0 41052 6 1 5 6 0 8 0 procpl 696 106823 0 106759 73 64 9 10 0 8 0 srpgc 96 2 0 2 1 1 0 1 0 8 0 sosppl 168 387 0 387 54 53 1 1 0 8 1 sockpl 488 56776 0 56730 1292 1284 8 35 0 8 0 mcl64k 65536 33 0 0 3 0 
3 3 0 8 0 mcl16k 16384 18 0 0 3 0 3 3 0 8 0 mcl12k 12288 25 0 0 2 0 2 2 0 8 0 mcl9k 9216 20 0 0 2 0 2 2 0 8 0 mcl8k 8192 41 0 0 3 0 3 3 0 8 0 mcl4k 4096 84 0 0 5 2 3 5 0 8 0 mcl2k2 2112 15 0 0 1 0 1 1 0 8 0 mcl2k 2048 655 0 0 45 29 16 45 0 8 0 mtagpl 96 168 0 0 4 1 3 4 0 8 0 mbufpl 256 3255 0 0 74 3 71 74 0 8 0 bufpl 288 75905 0 63388 895 0 895 895 0 8 0 anonpl 24 3993238 0 3979396 236 120 116 133 0 186 0 amapchunkpl 152 2282920 0 2282125 13227 13189 38 4424 0 158 0 amappl16 200 85384 0 84901 356 317 39 53 0 8 4 amappl15 192 71 0 70 2 1 1 1 0 8 0 amappl14 184 681 0 659 5 3 2 2 0 8 0 amappl13 176 31 0 31 7 7 0 1 0 8 0 amappl12 168 44029 0 43990 5 2 3 3 0 8 0 amappl11 160 102 0 86 1 0 1 1 0 8 0 amappl10 152 228 0 211 1 0 1 1 0 8 0 amappl9 144 605 0 605 80 79 1 1 0 8 1 amappl8 136 2462 0 2134 12 0 12 12 0 8 0 amappl7 128 232 0 216 2 0 2 2 0 8 0 amappl6 120 1902 0 1859 8 6 2 2 0 8 0 amappl5 112 1500 0 1488 1 0 1 1 0 8 0 amappl4 104 2166 0 2094 6 4 2 3 0 8 0 amappl3 96 240278 0 240202 5 2 3 4 0 8 0 amappl2 88 42323 0 42231 4 1 3 3 0 8 0 amappl1 80 164991 0 164408 24 10 14 23 0 8 0 amappl 88 385574 0 385346 7 0 7 7 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 136 0 6 3 0 3 3 0 8 0 uaddrrnd 24 41036 0 41009 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 41036 0 41009 1 0 1 1 0 8 0 vmmpekpl 168 328383 0 328323 4 0 4 4 0 8 0 vmmpepl 168 2503708 0 2501035 753 592 161 200 0 357 0 vmsppl 464 41035 0 41009 9 4 5 5 0 8 0 rwobjpl 56 577697 0 563103 292 82 210 210 0 8 0 pdppl 4096 82080 0 82018 1984 1910 74 82 0 8 12 pvpl 32 11505106 0 11484477 758 553 205 369 0 265 3 pmappl 248 41035 0 41009 3 0 3 3 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 4336 0 2997 39 0 39 39 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x1c 
sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8286ceae) at panic+0x17b sys/kern/subr_prf.c:198 ufsdirhash_lookup(fffffd8071883990,ffffffff8284e982,2,fffffd8071883a5c,ffff80002e441548,0) at ufsdirhash_lookup+0x8b8 sys/ufs/ufs/ufs_dirhash.c:343 ufs_lookup() at ufs_lookup+0xc15 sys/ufs/ufs/ufs_lookup.c:216 VOP_LOOKUP(fffffd806467a8a0,ffff80002e4416e8,ffff80002e441688) at VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85 unveil_find_cover(fffffd806467a8a0,ffff8000212342d8) at unveil_find_cover+0x130 sys/kern/kern_unveil.c:277 unveil_start_relative(ffff8000212342d8,ffff80002e441a28,fffffd806467a8a0) at unveil_start_relative+0xf6 sys/kern/kern_unveil.c:606 namei(ffff80002e441a28) at namei+0x453 sys/kern/vfs_lookup.c:237 vn_open(ffff80002e441a28,201,0) at vn_open+0x17b sys/kern/vfs_vnops.c:107 doopenat(ffff8000212342d8,4,20000240,200,0,ffff80002e441c00) at doopenat+0x26e sys/kern/vfs_syscalls.c:1126 syscall(ffff80002e441c80) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline] syscall(ffff80002e441c80) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xf84da8c2a40, count: -12 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x1e: addq $0x8,%rsp x86_ipi_db(ffff800020d58ff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206 sched_idle(ffff800020d58ff0) at sched_idle+0x41e sys/kern/kern_sched.c:199 end trace frame: 0x0, count: 10 ddb{1}> trace x86_ipi_db(ffff800020d58ff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206 sched_idle(ffff800020d58ff0) at sched_idle+0x41e sys/kern/kern_sched.c:199 end trace frame: 0x0, count: -5