panic: ufsdirhash_lookup: bad offset in hash array Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND 310988 84177 0 0 0 1 syz-executor * 85490 99458 0 0 0x4000000 0K syz-executor db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff833da98a) at panic+0x1e5 sys/kern/subr_prf.c:198 ufsdirhash_lookup(fffffd806e978510,ffff80002a263c02,5,fffffd806e9785f4,ffff80003c443430,0) at ufsdirhash_lookup+0xb9a sys/ufs/ufs/ufs_dirhash.c:342 ufs_lookup() at ufs_lookup+0xf76 sys/ufs/ufs/ufs_lookup.c:214 VOP_LOOKUP(fffffd807c8cba70,ffff80003c4436d8,ffff80003c443708) at VOP_LOOKUP+0x6e sys/kern/vfs_vops.c:85 vfs_lookup(ffff80003c4436a8) at vfs_lookup+0x93a sys/kern/vfs_lookup.c:566 namei(ffff80003c4436a8) at namei+0x7ca sys/kern/vfs_lookup.c:250 dorenameat(ffff8000fffe2028,4,200000000040,3,200000000280) at dorenameat+0x144 sys/kern/vfs_syscalls.c:3004 syscall(ffff80003c443950) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c443950) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:775 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x96e7ca121b0, count: 5 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: ufsdirhash_lookup: bad offset in hash array ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff833da98a) at panic+0x1e5 sys/kern/subr_prf.c:198 ufsdirhash_lookup(fffffd806e978510,ffff80002a263c02,5,fffffd806e9785f4,ffff80003c443430,0) at ufsdirhash_lookup+0xb9a sys/ufs/ufs/ufs_dirhash.c:342 ufs_lookup() at ufs_lookup+0xf76 sys/ufs/ufs/ufs_lookup.c:214 VOP_LOOKUP(fffffd807c8cba70,ffff80003c4436d8,ffff80003c443708) at VOP_LOOKUP+0x6e sys/kern/vfs_vops.c:85 vfs_lookup(ffff80003c4436a8) at vfs_lookup+0x93a sys/kern/vfs_lookup.c:566 namei(ffff80003c4436a8) at namei+0x7ca sys/kern/vfs_lookup.c:250 dorenameat(ffff8000fffe2028,4,200000000040,3,200000000280) at dorenameat+0x144 sys/kern/vfs_syscalls.c:3004 syscall(ffff80003c443950) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c443950) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:775 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x96e7ca121b0, count: -10 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff80003c443250 rbx 0xffffffff8385ce07 cpu_info_full_primary+0x2e07 rdx 0 rcx 0xffff8000fffe2028 rax 0xffffffff8385bff0 cpu_info_full_primary+0x1ff0 r8 0x101010101010101 r9 0x8080808080808080 r10 0x3510ef8a94935a22 r11 0x1b5aa5a4a4dbe94e r12 0xffffffff8385cc08 cpu_info_full_primary+0x2c08 r13 0 r14 0 r15 0x1 rip 0xffffffff81117245 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80003c443240 ss 0 db_enter+0x25: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor) tid=85490 pid=99458 tcnt=3 stat=onproc flags process=0 proc=4000000 runpri=32, usrpri=84, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff8000fffe3250,0xffff8000fffe87f8 process=0xffff80002f7d7518 user=0xffff80003c43e000, vmspace=0xfffffd806caf2200 estcpu=34, cpticks=0, pctcpu=0.0, user=0, sys=0, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 84177 310988 46632 0 7 0 syz-executor 84177 407513 46632 0 2 0x4000000 syz-executor 84763 86168 22096 0 2 0 syz-executor 84763 377388 22096 0 3 0x4000080 fsleep syz-executor 23525 253978 15192 0 2 0 syz-executor 23525 417912 15192 0 2 0x4000000 syz-executor 99458 243243 6462 0 2 0 syz-executor 99458 378181 6462 0 2 0x4000000 syz-executor *99458 85490 6462 0 7 0x4000000 syz-executor 66259 34872 77790 0 2 0 syz-executor 66259 418044 77790 0 2 0x4000000 syz-executor 79690 149872 58467 0 2 0 syz-executor 79690 6280 58467 0 3 0x4000080 fsleep syz-executor 79690 324845 58467 0 3 0x4000080 fsleep syz-executor 31491 93310 17360 0 3 0x3000 suspend syz-executor 31491 389812 17360 0 2 0x4081000 syz-executor 31491 33131 17360 0 3 0x4081000 inode syz-executor 3349 471642 0 0 3 0x14200 acct acct 46632 137527 88785 0 3 0x82 nanoslp syz-executor 15192 309811 88785 0 3 0x82 nanoslp syz-executor 22096 236211 88785 0 3 0x82 nanoslp syz-executor 40016 37953 1 0 3 0x100083 ttyopn getty 58467 272833 88785 0 3 0x82 nanoslp syz-executor 17888 154772 88785 0 3 0x82 wait syz-executor 17360 200926 88785 0 3 0x82 nanoslp syz-executor 86046 438637 53150 0 3 0x100082 sbwait arp 53150 285203 1 0 3 0x10008a sigsusp sh 77790 89661 88785 0 3 0x82 nanoslp syz-executor 6462 396187 88785 0 3 0x82 nanoslp syz-executor 88785 430146 66462 0 3 0x82 kqread syz-executor 66462 88889 17131 0 3 0x10008a sigsusp ksh 17131 30662 34467 0 3 0x98 kqread sshd-session 34467 120672 3329 0 3 0x92 kqread sshd-session 3329 519095 1 0 3 0x88 kqread sshd 20007 3751 95832 74 3 0x1100092 bpf pflogd 95832 488578 1 0 3 0x80 sbwait pflogd 43583 281688 21060 73 3 0x1100090 kqread syslogd 21060 40989 1 0 3 0x100082 sbwait syslogd 79171 222161 1 0 3 0x100080 kqread resolvd 88070 265905 67237 77 3 0x100092 kqread dhcpleased 61968 338494 67237 77 3 0x100092 kqread dhcpleased 67237 484326 1 0 3 0x80 kqread dhcpleased 60581 229460 0 0 3 0x14200 bored smr 1333 392462 0 0 2 0x14200 zerothread 27767 301135 0 0 3 0x14200 aiodoned aiodoned 60263 317994 0 0 3 0x14200 syncer update 17424 496552 0 0 3 0x14200 cleaner cleaner 79492 78859 0 0 3 0x14200 reaper reaper 74796 305625 0 0 3 0x14200 pgdaemon pagedaemon 41731 24180 0 0 3 0x14200 bored viomb 98305 72124 0 0 3 0x40014200 acpi0 acpi0 91013 334216 0 0 3 0x40014200 idle1 25561 81464 0 0 3 0x14200 bored softnet1 64167 33253 0 0 3 0x14200 bored softnet0 26838 53183 0 0 3 0x14200 bored systqmp 92655 206769 0 0 3 0x14200 bored systq 52291 135222 0 0 3 0x14200 tmoslp softclockmp 44447 311072 0 0 3 0x40014200 tmoslp softclock 98560 23941 0 0 3 0x40014200 idle0 1 89979 0 0 3 0x82 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb{0}> show all locks Process 99458 (syz-executor) thread 0xffff8000fffe2028 (85490) Process 31491 (syz-executor) thread 0xffff80002a2714d8 (389812) ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10235 11050K 12347K 166960K 13530 0 pcb 17 22K 24K 166960K 539 0 rtable 214 13K 13K 166960K 968 0 pf 32 17K 82K 166960K 342 0 ifaddr 33 6K 7K 166960K 182 0 ifgroup 51 2K 2K 166960K 334 0 sysctl 4 1K 9K 166960K 20 0 counters 68 36K 38K 166960K 358 0 ioctlops 0 0K 4K 166960K 2146 0 iov 0 0K 24K 166960K 218 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1523 96K 96K 166960K 3383 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 2K 6K 166960K 36 0 VM map 2 1K 1K 166960K 2 0 sem 27 136K 136K 166960K 171 0 dirhash 63 11K 14K 166960K 933 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 20 73K 240K 166960K 2344 0 sigio 0 0K 0K 166960K 48 0 proc 74 115K 164K 166960K 959 0 subproc 81 5K 5K 166960K 137 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 332 0 in_multi 66 4K 6K 166960K 266 0 ether_multi 1 0K 0K 166960K 40 0 mrt 2 0K 0K 166960K 19 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 259 1155K 1155K 166960K 259 0 exec 0 0K 1K 166960K 850 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 7 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 269 162K 180K 166960K 22757 0 UVM aobj 62 22K 22K 166960K 67 0 pinsyscall 46 92K 106K 166960K 3641 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 1K 166960K 243 0 NDP 11 0K 1K 166960K 134 0 temp 80 8680K 8776K 166960K 103133 0 kqueue 13 20K 32K 166960K 429 0 SYN cache 2 16K 16K 166960K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 120 231 0 226 2 1 1 2 0 8 0 rtentry 176 255 0 180 5 0 5 5 0 8 0 unpcb 144 1642 0 1625 15 14 1 8 0 8 0 syncache 336 5 0 5 2 2 0 1 0 8 0 tcpcb 736 1143 0 1137 30 25 5 13 0 8 4 arp 136 35 0 22 1 0 1 1 0 8 0 inpcb 328 3628 0 3617 29 24 5 12 0 8 4 nd6 152 47 0 27 1 0 1 1 0 8 0 pkpcb 40 81 0 81 5 4 1 1 0 8 1 kcovpl 48 15 0 6 1 0 1 1 0 8 0 mppekey 1024 1 0 1 1 1 0 1 0 8 0 ppxss 1192 112 0 112 3 2 1 1 0 8 1 pppxif 1504 13 0 13 4 4 0 1 0 8 0 pffrag 232 17 0 8 1 0 1 1 0 482 0 pffrnode 88 15 0 8 1 0 1 1 0 8 0 pffrent 40 41 0 32 1 0 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfrktable 1344 2 0 2 2 2 0 1 0 8 0 pfanchor 1288 1 0 0 1 0 1 1 0 8 0 pfstitem 24 166 0 80 1 0 1 1 0 8 0 pfstkey 128 166 0 80 4 0 4 4 0 8 0 pfstate 448 166 0 80 12 0 12 12 0 8 0 pfrule 1344 25 0 19 2 1 1 2 0 8 0 rttmr 136 2 0 2 2 2 0 1 0 8 0 art_heap8 4096 5 0 0 5 0 5 5 0 8 0 art_heap4 256 959 0 613 35 11 24 27 0 8 0 art_table 40 964 0 613 5 0 5 5 0 8 0 art_node 32 252 0 184 1 0 1 1 0 8 0 sysvmsgpl 40 8 0 2 1 0 1 1 0 8 0 semupl 112 4 0 4 3 3 0 1 0 8 0 semapl 112 164 0 139 1 0 1 1 0 8 0 shmpl 112 53 0 2 2 0 2 2 0 8 0 dirhash 1024 327 0 293 5 0 5 5 0 8 0 dino2pl 256 5991 0 4479 95 0 95 95 0 8 0 ffsino 296 5991 0 4479 117 0 117 117 0 8 0 nchpl 144 9293 0 8761 65 41 24 64 0 8 0 rtmask 32 26 0 26 3 3 0 1 0 8 0 vnodes 216 4192 0 0 233 0 233 233 0 8 0 namei 1024 35001 0 34999 2 1 1 1 0 8 0 percpumem 16 194 0 145 1 0 1 1 0 8 0 vcpupl 3968 9 0 1 2 0 2 2 0 8 0 vmpool 840 11 0 3 1 0 1 1 0 8 0 kstatmem 264 216 0 190 3 0 3 3 0 8 0 scsiplug 72 4 0 4 3 2 1 1 0 8 1 scxspl 216 60290 0 60290 14 12 2 8 1 8 2 plimitpl 152 667 0 648 1 0 1 1 0 8 0 sigapl 424 2660 0 2609 8 1 7 8 0 8 0 knotepl 120 766 0 0 23 0 23 23 0 8 0 kqueuepl 224 1208 0 1199 9 8 1 5 0 8 0 pipepl 344 521 0 491 19 15 4 9 0 8 1 fdescpl 528 2612 0 2578 3 0 3 3 0 8 0 filepl 160 20991 0 20757 36 22 14 22 0 8 1 lockfpl 104 1020 0 1018 2 1 1 2 0 8 0 lockfspl 48 326 0 324 1 0 1 1 0 8 0 sessionpl 144 32 0 23 1 0 1 1 0 8 0 pgrppl 48 74 0 56 1 0 1 1 0 8 0 ucredpl 104 3616 0 3602 1 0 1 1 0 8 0 zombiepl 144 2611 0 2609 1 0 1 1 0 8 0 processpl 1232 2660 0 2609 6 0 6 6 0 8 0 procpl 664 6119 0 6058 8 1 7 8 0 8 0 sosppl 176 15 0 15 3 3 0 1 0 8 0 sockpl 752 5703 0 5670 61 52 9 29 0 8 5 mcl64k 65536 18 0 0 3 0 3 3 0 8 0 mcl16k 16384 1 0 0 1 0 1 1 0 8 0 mcl9k 9216 1 0 0 1 0 1 1 0 8 0 mcl8k 8192 3 0 0 1 0 1 1 0 8 0 mcl4k 4096 125 0 0 16 0 16 16 0 8 0 mcl2k2 2112 2 0 0 1 0 1 1 0 8 0 mcl2k 2048 50 0 0 5 0 5 5 0 8 0 mtagpl 96 11 0 0 1 0 1 1 0 8 0 mbufpl 256 1849 0 0 115 0 115 115 0 8 0 bufpl 280 23898 0 17761 439 0 439 439 0 8 0 anonpl 32 13443 0 0 108 0 108 108 0 246 0 amapchunkpl 152 78283 0 77705 51 19 32 36 0 158 8 amappl16 200 8040 0 7969 78 62 16 27 0 8 6 amappl15 192 107 0 107 1 1 0 1 0 8 0 amappl14 184 9 0 9 1 1 0 1 0 8 0 amappl13 176 506 0 504 1 0 1 1 0 8 0 amappl12 168 3015 0 2968 3 0 3 3 0 8 0 amappl11 160 9 0 9 2 2 0 1 0 8 0 amappl10 152 49 0 35 1 0 1 1 0 8 0 amappl9 144 255 0 255 1 1 0 1 0 8 0 amappl8 136 64 0 61 1 0 1 1 0 8 0 amappl7 128 105 0 104 1 0 1 1 0 8 0 amappl6 120 362 0 346 1 0 1 1 0 8 0 amappl5 112 77 0 65 1 0 1 1 0 8 0 amappl4 104 460 0 427 1 0 1 1 0 8 0 amappl3 96 15831 0 15709 5 1 4 4 0 8 0 amappl2 88 611 0 547 2 0 2 2 0 8 0 amappl1 80 18628 0 18004 15 0 15 15 0 8 0 amappl 88 21514 0 21327 5 0 5 5 0 92 0 uvmvnodes 80 170 0 0 4 0 4 4 0 8 0 dma65536 65536 1 0 1 1 1 0 1 0 8 0 dma32768 32768 1 0 1 1 0 1 1 0 8 1 dma16384 16384 1 0 1 1 1 0 1 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 3 0 2 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 8 0 8 3 2 1 1 0 8 1 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 19 0 18 1 0 1 1 0 8 0 aobjpl 72 66 0 5 2 0 2 2 0 8 0 uaddrrnd 24 2612 0 2578 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 2612 0 2578 1 0 1 1 0 8 0 vmmpekpl 168 21184 0 21127 3 0 3 3 0 8 0 vmmpepl 168 165904 0 163795 135 26 109 111 0 357 9 vmsppl 488 2611 0 2578 5 0 5 5 0 8 0 rwobjpl 80 42876 0 41606 38 4 34 35 0 8 0 pdppl 4096 5254 0 5170 128 44 84 86 0 8 0 pvpl 32 21508 0 0 174 1 173 174 0 265 0 pmappl 256 2622 0 2581 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 465 0 88 11 0 11 11 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff833da98a) at panic+0x1e5 sys/kern/subr_prf.c:198 ufsdirhash_lookup(fffffd806e978510,ffff80002a263c02,5,fffffd806e9785f4,ffff80003c443430,0) at ufsdirhash_lookup+0xb9a sys/ufs/ufs/ufs_dirhash.c:342 ufs_lookup() at ufs_lookup+0xf76 sys/ufs/ufs/ufs_lookup.c:214 VOP_LOOKUP(fffffd807c8cba70,ffff80003c4436d8,ffff80003c443708) at VOP_LOOKUP+0x6e sys/kern/vfs_vops.c:85 vfs_lookup(ffff80003c4436a8) at vfs_lookup+0x93a sys/kern/vfs_lookup.c:566 namei(ffff80003c4436a8) at namei+0x7ca sys/kern/vfs_lookup.c:250 dorenameat(ffff8000fffe2028,4,200000000040,3,200000000280) at dorenameat+0x144 sys/kern/vfs_syscalls.c:3004 syscall(ffff80003c443950) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c443950) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:775 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x96e7ca121b0, count: -10 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffff8000299edff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 end of kernel end trace frame: 0x72c9089fe1e0, count: 12 ddb{1}> trace x86_ipi_db(ffff8000299edff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 end of kernel end trace frame: 0x72c9089fe1e0, count: -3