panic: ufsdirhash_lookup: bad offset in hash array Stopped at db_enter+0x1c: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *374689 94785 0 0 0x4000000 0K syz-executor.0 db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82939e54) at panic+0x17b sys/kern/subr_prf.c:198 ufsdirhash_lookup(fffffd8076b8a230,ffffffff829118e1,2,fffffd8076b8a2fc,ffff800035d8fad8,0) at ufsdirhash_lookup+0x8b8 sys/ufs/ufs/ufs_dirhash.c:342 ufs_lookup() at ufs_lookup+0xbb6 sys/ufs/ufs/ufs_lookup.c:214 VOP_LOOKUP(fffffd807284e2d8,ffff800035d8fc78,ffff800035d8fc18) at VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85 unveil_find_cover(fffffd807284e2d8,ffff80002a182aa0) at unveil_find_cover+0x130 sys/kern/kern_unveil.c:277 unveil_start_relative(ffff80002a182aa0,ffff800035d8ffb8,fffffd807284e2d8) at unveil_start_relative+0xf6 sys/kern/kern_unveil.c:606 namei(ffff800035d8ffb8) at namei+0x453 sys/kern/vfs_lookup.c:237 vn_open(ffff800035d8ffb8,201,0) at vn_open+0x17b sys/kern/vfs_vnops.c:107 doopenat(ffff80002a182aa0,4,20000240,200,0,ffff800035d90160) at doopenat+0x26e sys/kern/vfs_syscalls.c:1126 syscall(ffff800035d90210) at syscall+0x533 mi_syscall sys/sys/syscall_mi.h:183 [inline] syscall(ffff800035d90210) at syscall+0x533 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x534cea496a0, count: 3 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: ufsdirhash_lookup: bad offset in hash array ddb{0}> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82939e54) at panic+0x17b sys/kern/subr_prf.c:198 ufsdirhash_lookup(fffffd8076b8a230,ffffffff829118e1,2,fffffd8076b8a2fc,ffff800035d8fad8,0) at ufsdirhash_lookup+0x8b8 sys/ufs/ufs/ufs_dirhash.c:342 ufs_lookup() at ufs_lookup+0xbb6 sys/ufs/ufs/ufs_lookup.c:214 VOP_LOOKUP(fffffd807284e2d8,ffff800035d8fc78,ffff800035d8fc18) at VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85 unveil_find_cover(fffffd807284e2d8,ffff80002a182aa0) at unveil_find_cover+0x130 sys/kern/kern_unveil.c:277 unveil_start_relative(ffff80002a182aa0,ffff800035d8ffb8,fffffd807284e2d8) at unveil_start_relative+0xf6 sys/kern/kern_unveil.c:606 namei(ffff800035d8ffb8) at namei+0x453 sys/kern/vfs_lookup.c:237 vn_open(ffff800035d8ffb8,201,0) at vn_open+0x17b sys/kern/vfs_vnops.c:107 doopenat(ffff80002a182aa0,4,20000240,200,0,ffff800035d90160) at doopenat+0x26e sys/kern/vfs_syscalls.c:1126 syscall(ffff800035d90210) at syscall+0x533 mi_syscall sys/sys/syscall_mi.h:183 [inline] syscall(ffff800035d90210) at syscall+0x533 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x534cea496a0, count: -12 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff800035d8f8f0 rbx 0xffffffff82d20ca7 cpu_info_full_primary+0x2ca7 rdx 0xffff800000f38ac0 rcx 0xffff80002a182aa0 rax 0xffffffff82d1fff0 cpu_info_full_primary+0x1ff0 r8 0 r9 0x8080808080808080 r10 0x7fa032d9cf7fe845 r11 0x8941c87f6d77eaeb r12 0xffffffff82d20aa8 cpu_info_full_primary+0x2aa8 r13 0 r14 0 r15 0x1 rip 0xffffffff826c231c db_enter+0x1c cs 0x8 rflags 0x246 rsp 0xffff800035d8f8e0 ss 0x10 db_enter+0x1c: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor.0) tid=374689 pid=94785 tcnt=2 stat=onproc flags process=0 proc=4000000 runpri=32, usrpri=84, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 forw=0xffffffffffffffff, list=0xffff80002a1812b8,0xffff80002a23d818 process=0xffff8000373c8498 user=0xffff800035d8b000, vmspace=0xfffffd807989c3c0 estcpu=34, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 13108 313383 87455 0 2 0x480 syz-executor.2 13108 34624 87455 0 3 0x4000080 ttyin syz-executor.2 13108 194368 87455 0 3 0x4000080 fsleep syz-executor.2 94785 135757 83377 0 2 0 syz-executor.0 *94785 374689 83377 0 7 0x4000000 syz-executor.0 97435 504795 474 0 2 0x482 syz-executor.5 9974 305384 474 0 2 0x482 syz-executor.1 50920 497724 474 0 2 0x2 syz-executor.6 80990 212442 1 0 3 0x100083 ttyin getty 83377 304038 474 0 2 0x482 syz-executor.0 87455 499955 474 0 2 0x482 syz-executor.2 83541 294531 0 0 3 0x14200 acct acct 87225 125325 474 0 2 0x2 syz-executor.7 29865 186551 474 0 2 0x482 syz-executor.4 55245 274533 474 0 2 0x482 syz-executor.3 2431 329104 0 0 3 0x14280 nfsidl nfsio 61849 461199 0 0 3 0x14280 nfsidl nfsio 13752 340862 0 0 3 0x14200 bored sosplice 474 272205 82989 0 3 0x2000082 wait syz-fuzzer 474 491112 82989 0 3 0x6000082 nanoslp syz-fuzzer 474 358180 82989 0 3 0x6000082 wait syz-fuzzer 474 244501 82989 0 3 0x6000082 thrsleep syz-fuzzer 474 10599 82989 0 3 0x6000082 thrsleep syz-fuzzer 474 271365 82989 0 3 0x6000082 thrsleep syz-fuzzer 474 363918 82989 0 3 0x6000082 thrsleep syz-fuzzer 474 73415 82989 0 3 0x6000082 thrsleep syz-fuzzer 474 354891 82989 0 3 0x6000082 wait syz-fuzzer 474 240961 82989 0 3 0x6000082 wait syz-fuzzer 474 54669 82989 0 3 0x6000082 thrsleep syz-fuzzer 474 283616 82989 0 3 0x6000082 wait syz-fuzzer 474 116777 82989 0 3 0x6000082 wait syz-fuzzer 474 497576 82989 0 3 0x6000082 thrsleep syz-fuzzer 474 467427 82989 0 3 0x6000082 wait syz-fuzzer 474 324154 82989 0 3 0x6000082 kqread syz-fuzzer 474 360692 82989 0 3 0x6000082 wait syz-fuzzer 82989 247661 97983 0 3 0x10008a sigsusp ksh 97983 428061 62773 0 3 0x9a kqread sshd 62773 423539 1 0 3 0x88 kqread sshd 19637 142611 89299 74 3 0x1100092 bpf pflogd 89299 207785 1 0 3 0x80 netio pflogd 71150 338907 23314 73 3 0x1100090 kqread syslogd 23314 66704 1 0 3 0x100082 netio syslogd 19989 423049 1 0 3 0x100080 kqread resolvd 12841 479005 16597 77 3 0x100092 kqread dhcpleased 804 261563 16597 77 3 0x100092 kqread dhcpleased 16597 180492 1 0 3 0x80 kqread dhcpleased 71873 62031 0 0 3 0x14200 bored smr 72761 476722 0 0 2 0x14200 zerothread 33381 491750 0 0 3 0x14200 aiodoned aiodoned 79942 300203 0 0 3 0x14200 syncer update 65325 456697 0 0 3 0x14200 cleaner cleaner 68464 293814 0 0 3 0x14200 reaper reaper 16751 416343 0 0 3 0x14200 pgdaemon pagedaemon 6158 131444 0 0 3 0x14200 bored viomb 56751 472352 0 0 3 0x40014200 acpi0 acpi0 7962 91562 0 0 7 0x40014200 idle1 72742 239902 0 0 3 0x14200 bored softnet3 28364 276463 0 0 3 0x14200 bored softnet2 38171 110826 0 0 3 0x14200 bored softnet1 48320 390481 0 0 3 0x14200 bored softnet0 15802 448730 0 0 3 0x14200 bored systqmp 17169 354918 0 0 3 0x14200 bored systq 45307 226851 0 0 2 0x14200 softclockmp 5113 470316 0 0 2 0x40014200 softclock 35409 435362 0 0 3 0x40014200 idle0 1 207263 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 94785 (syz-executor.0) thread 0xffff80002a182aa0 (374689) Process 50920 (syz-executor.6) thread 0xffff80002a1827f8 (497724) Process 87225 (syz-executor.7) thread 0xffff80002a23eaa0 (125325) ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10220 6497K 6987K 166960K 17283 0 pcb 15 20K 22K 166960K 1157 0 rtable 196 6K 8K 166960K 2030 0 pf 33 9K 10K 166960K 224 0 ifaddr 39 14K 16K 166960K 245 0 ifgroup 56 2K 2K 166960K 386 0 sysctl 4 1K 3K 166960K 13 0 counters 64 36K 37K 166960K 232 0 ioctlops 0 0K 4K 166960K 3150 0 iov 0 0K 24K 166960K 1308 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1417 89K 89K 166960K 7736 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 9K 166960K 166 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 2632 0 dirhash 93 16K 19K 166960K 13482 0 ACPI 1697 195K 286K 166960K 12548 0 file desc 12 41K 81K 166960K 27846 0 sigio 0 0K 0K 166960K 832 0 proc 71 103K 151K 166960K 2254 0 subproc 104 6K 8K 166960K 649 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 1K 166960K 1684 0 in_multi 77 5K 7K 166960K 705 0 ether_multi 1 0K 0K 166960K 19 0 mrt 1 0K 0K 166960K 17 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 247 1102K 1102K 166960K 247 0 exec 0 0K 1K 166960K 2617 0 pfkey data 0 0K 4K 166960K 588 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 523 101K 103K 166960K 252550 0 UVM aobj 131 4K 4K 166960K 134 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 618 0 NDP 14 0K 1K 166960K 184 0 temp 74 6708K 137784K 166960K 140396 0 kqueue 12 18K 28K 166960K 2143 0 SYN cache 2 16K 16K 166960K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 24 0 0 1 0 1 1 0 8 0 rtpcb 120 788 0 785 10 9 1 5 0 8 0 rtentry 112 598 0 510 7 3 4 4 0 8 0 unpcb 144 20379 0 20364 241 237 4 19 0 8 3 syncache 320 193 0 193 31 31 0 1 0 8 0 sackhl 24 4 0 4 1 1 0 1 0 8 0 tcpqe 32 840 0 840 21 21 0 1 0 8 0 tcpcb 808 4171 0 4157 164 158 6 12 0 8 3 arp 120 103 0 89 1 0 1 1 0 8 0 ipq 40 35 0 35 1 1 0 1 0 8 0 ipqe 40 105 0 105 1 1 0 1 0 8 0 inpcb 376 14806 0 14790 383 374 9 18 0 8 5 nd6 136 139 0 121 1 0 1 1 0 8 0 pkpcb 40 1885 0 1885 20 20 0 1 0 8 0 kcovpl 48 44 0 36 1 0 1 1 0 8 0 ppxss 1168 9 0 9 4 4 0 1 0 8 0 pffrag 232 73 0 72 7 6 1 1 0 482 0 pffrnode 88 71 0 70 7 6 1 1 0 8 0 pffrent 40 444 0 443 9 8 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfstitem 24 574 0 562 1 0 1 1 0 8 0 pfstkey 128 574 0 562 4 2 2 3 0 8 0 pfstate 376 574 0 562 17 15 2 8 0 8 0 pfrule 1344 21 0 16 2 1 1 2 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 2131 0 1755 65 41 24 29 0 8 0 art_table 32 2132 0 1755 6 2 4 4 0 8 0 art_node 16 540 0 460 1 0 1 1 0 8 0 sysvmsgpl 40 20 0 20 1 1 0 1 0 8 0 semapl 112 2630 0 2620 1 0 1 1 0 8 0 shmpl 112 131 0 3 4 0 4 4 0 8 0 dirhash 1024 4936 0 4892 8 1 7 7 0 8 0 dino2pl 256 41471 0 39954 95 0 95 95 0 8 0 ffsino 272 41471 0 39954 102 0 102 102 0 8 0 nchpl 144 77611 0 75966 63 0 63 63 0 8 0 uvmvnodes 80 6027 0 0 123 0 123 123 0 8 0 vnodes 216 6027 0 0 335 0 335 335 0 8 0 namei 1024 258440 0 258438 14 12 2 2 0 8 1 percpumem 16 130 0 84 1 0 1 1 0 8 0 vcpupl 2048 78 0 1 10 0 10 10 0 8 0 vmpool 696 89 0 12 7 0 7 7 0 8 0 kstatmem 264 192 0 168 3 1 2 3 0 8 0 scxspl 216 238749 0 238749 26 25 1 8 1 8 1 plimitpl 152 915 0 899 1 0 1 1 0 8 0 sigapl 424 28136 0 28085 13 5 8 9 0 8 0 futexpl 64 225589 0 225588 5 4 1 1 0 8 0 knotepl 120 1124 0 0 26 15 11 26 0 8 0 kqueuepl 216 6479 0 6471 93 88 5 7 0 8 4 pipepl 320 4358 0 4329 140 137 3 14 0 8 0 fdescpl 496 28077 0 28052 5 0 5 5 0 8 0 filepl 152 145773 0 145525 419 402 17 28 0 8 4 lockfpl 104 7773 0 7770 4 3 1 2 0 8 0 lockfspl 48 1786 0 1783 1 0 1 1 0 8 0 sessionpl 144 66 0 49 1 0 1 1 0 8 0 pgrppl 48 197 0 180 1 0 1 1 0 8 0 ucredpl 104 14104 0 14090 1 0 1 1 0 8 0 zombiepl 144 28089 0 28085 2 1 1 1 0 8 0 processpl 1136 28136 0 28085 6 0 6 6 0 8 0 procpl 680 66610 0 66540 24 15 9 10 0 8 0 srpgc 96 72 0 72 25 25 0 1 0 8 0 sosppl 168 178 0 178 21 21 0 1 0 8 0 sockpl 584 37867 0 37830 525 517 8 36 0 8 2 mcl64k 65536 12 0 0 2 0 2 2 0 8 0 mcl16k 16384 6 0 0 1 0 1 1 0 8 0 mcl12k 12288 6 0 0 1 0 1 1 0 8 0 mcl9k 9216 6 0 0 1 0 1 1 0 8 0 mcl8k 8192 14 0 0 2 0 2 2 0 8 0 mcl4k 4096 17 0 0 3 0 3 3 0 8 0 mcl2k2 2112 2 0 0 1 0 1 1 0 8 0 mcl2k 2048 1315 0 0 42 18 24 42 0 8 0 mtagpl 96 87 0 0 3 0 3 3 0 8 0 mbufpl 256 2830 0 0 93 35 58 79 0 8 0 bufpl 280 42670 0 36352 452 0 452 452 0 8 0 anonpl 24 2412625 0 2399853 317 208 109 133 0 186 0 amapchunkpl 152 796011 0 795237 119 80 39 46 0 158 0 amappl16 200 49282 0 48735 280 242 38 45 0 8 7 amappl15 192 14 0 14 4 4 0 1 0 8 0 amappl14 184 327 0 308 2 1 1 2 0 8 0 amappl13 176 78 0 74 1 0 1 1 0 8 0 amappl12 168 29304 0 29267 4 1 3 3 0 8 1 amappl11 160 61 0 47 1 0 1 1 0 8 0 amappl10 152 72 0 54 1 0 1 1 0 8 0 amappl9 144 287 0 287 35 35 0 1 0 8 0 amappl8 136 1182 0 950 9 0 9 9 0 8 0 amappl7 128 347 0 318 2 0 2 2 0 8 0 amappl6 120 943 0 925 1 0 1 1 0 8 0 amappl5 112 518 0 507 1 0 1 1 0 8 0 amappl4 104 948 0 904 3 1 2 2 0 8 0 amappl3 96 158367 0 158292 4 1 3 3 0 8 0 amappl2 88 30155 0 30073 3 1 2 3 0 8 0 amappl1 80 109234 0 108692 23 10 13 23 0 8 0 amappl 88 251217 0 250987 8 1 7 7 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 133 0 3 3 0 3 3 0 8 0 uaddrrnd 24 28167 0 28065 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 28167 0 28065 1 0 1 1 0 8 0 vmmpekpl 168 179009 0 178916 5 0 5 5 0 8 0 vmmpepl 168 1591501 0 1588949 583 427 156 163 0 357 23 vmsppl 448 28166 0 28065 19 6 13 13 0 8 1 rwobjpl 56 357674 0 349697 135 19 116 117 0 8 0 pdppl 4096 56341 0 56207 2066 1918 148 148 0 8 14 pvpl 32 42635 0 0 345 1 344 344 0 265 0 pmappl 248 28166 0 28065 7 0 7 7 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 3243 0 2727 15 0 15 15 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82939e54) at panic+0x17b sys/kern/subr_prf.c:198 ufsdirhash_lookup(fffffd8076b8a230,ffffffff829118e1,2,fffffd8076b8a2fc,ffff800035d8fad8,0) at ufsdirhash_lookup+0x8b8 sys/ufs/ufs/ufs_dirhash.c:342 ufs_lookup() at ufs_lookup+0xbb6 sys/ufs/ufs/ufs_lookup.c:214 VOP_LOOKUP(fffffd807284e2d8,ffff800035d8fc78,ffff800035d8fc18) at VOP_LOOKUP+0x5c sys/kern/vfs_vops.c:85 unveil_find_cover(fffffd807284e2d8,ffff80002a182aa0) at unveil_find_cover+0x130 sys/kern/kern_unveil.c:277 unveil_start_relative(ffff80002a182aa0,ffff800035d8ffb8,fffffd807284e2d8) at unveil_start_relative+0xf6 sys/kern/kern_unveil.c:606 namei(ffff800035d8ffb8) at namei+0x453 sys/kern/vfs_lookup.c:237 vn_open(ffff800035d8ffb8,201,0) at vn_open+0x17b sys/kern/vfs_vnops.c:107 doopenat(ffff80002a182aa0,4,20000240,200,0,ffff800035d90160) at doopenat+0x26e sys/kern/vfs_syscalls.c:1126 syscall(ffff800035d90210) at syscall+0x533 mi_syscall sys/sys/syscall_mi.h:183 [inline] syscall(ffff800035d90210) at syscall+0x533 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x534cea496a0, count: -12 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x1e: addq $0x8,%rsp x86_ipi_db(ffff800029cfbff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206 sched_idle(ffff800029cfbff0) at sched_idle+0x41e sys/kern/kern_sched.c:183 end trace frame: 0x0, count: 10 ddb{1}> trace x86_ipi_db(ffff800029cfbff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206 sched_idle(ffff800029cfbff0) at sched_idle+0x41e sys/kern/kern_sched.c:183 end trace frame: 0x0, count: -5