>Synopsis: uvm_fault: dovutimens >Category: system kernel amd64 >Environment: System : OpenBSD 7.9 Details : OpenBSD 7.9-beta (CLOUD) #0: Fri Mar 13 16:18:43 CST 2026 [email protected]:/root/openbsd/mainline/sys/arch/amd64/compile/CLOUD
Architecture: OpenBSD.amd64 Machine : amd64 >Description: An issue is discovered while fuzzing OpenBSD kernel using syzkaller with our generated syscall specifications. This issue is reproducible in a recent version of OpenBSD (commit: 7ed008f9564d36435bd789cd2da574d6a032ea7a). >How-To-Repeat: The issue can be reproduced via execute syz/C reproducer with specified kernel config (as shown below). The kernel console output and symbolized issue report are available at: https://drive.google.com/drive/folders/1SK3eEL7HWMKRf2KjelmTt5qkPb1FnZYK?usp=sharing kernel config: ``` include "arch/amd64/conf/GENERIC.MP" pseudo-device kcov 1 option KQUEUE_DEBUG option SPLASSERT_WATCH option VFSLCKDEBUG option WITNESS option WITNESS_LOCKTRACE option WITNESS_WATCH ``` syz reproducer: ``` r0 = openat$bpf(0xffffffffffffff9c, &(0x7f0000000100), 0x6729c1cd237c8919, 0x0) futimes$nfs_spec_nfs_specvops(r0, &(0x7f00000005c0)=[{0xffffffff, 0x8}, {0x9, 0x3}]) ``` C reproducer: ``` // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include <dirent.h> #include <endian.h> #include <fcntl.h> #include <poll.h> #include <pwd.h> #include <stdarg.h> #include <stdbool.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/event.h> #include <sys/ioctl.h> #include <sys/ktrace.h> #include <sys/mman.h> #include <sys/msg.h> #include <sys/sem.h> #include <sys/shm.h> #include <sys/socket.h> #include <sys/stat.h> #include <sys/syscall.h> #include <sys/sysctl.h> #include <sys/syslog.h> #include <unistd.h> #define CAST uint64_t r[1] = {0xffffffffffffffff}; int main(void) { ((intptr_t (*)(intptr_t, intptr_t, intptr_t, intptr_t, intptr_t, intptr_t, intptr_t))CAST(mmap))( /*addr=*/0x200000000000, /*len=*/0x1000000, /*prot=PROT_WRITE|PROT_READ*/ 3, /*flags=MAP_ANONYMOUS|MAP_FIXED|MAP_PRIVATE*/ 0x1012, /*fd=*/-1, /*offset=*/0, 0); const char* reason; (void)reason; intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing 
program\n") - 1)) { } // openat$bpf arguments: [ // fd: const = 0xffffffffffffff9c (8 bytes) // file: ptr[in, buffer] { // buffer: {2f 64 65 76 2f 62 70 66 00} (length 0x9) // } // flags: open_flags = 0x6729c1cd237c8919 (8 bytes) // mode: const = 0x0 (8 bytes) // ] // returns fd_bpf memcpy((void*)0x200000000100, "/dev/bpf\000", 9); res = -1; res = ((intptr_t (*)(intptr_t, intptr_t, intptr_t, intptr_t))CAST(openat))( /*fd=*/0xffffffffffffff9c, /*file=*/0x200000000100, /*flags=O_NOCTTY|O_NOFOLLOW|O_SHLOCK|O_EXCL|O_APPEND|0x6729c1cd237c0001*/ 0x6729c1cd237c8919, /*mode=*/0); if (res != -1) r[0] = res; // futimes$nfs_spec_nfs_specvops arguments: [ // fd: fd (resource) // times: ptr[in, array[timeval]] { // array[timeval] { // timeval { // sec: intptr = 0xffffffff (8 bytes) // usec: intptr = 0x8 (8 bytes) // } // timeval { // sec: intptr = 0x9 (8 bytes) // usec: intptr = 0x3 (8 bytes) // } // } // } // ] *(uint64_t*)0x2000000005c0 = 0xffffffff; *(uint64_t*)0x2000000005c8 = 8; *(uint64_t*)0x2000000005d0 = 9; *(uint64_t*)0x2000000005d8 = 3; ((intptr_t (*)(intptr_t, intptr_t))CAST(futimes))(/*fd=*/r[0], /*times=*/0x2000000005c0); return 0; } ``` >Fix: We are trying to analyze the root cause. 
The symbolized issue report (symbolized by syz-symbolize) is also attached below to assist analysis. Note that the faulting address reported by uvm_fault (0x98) equals the displacement in the trapping instruction `movl 0x98(%rax),%r12d`, which suggests %rax held a NULL pointer at vfs_syscalls.c:2771: ``` TITLE: uvm_fault: dovutimens CORRUPTED: false () SUPPRESSED: false MAINTAINERS (TO): [] MAINTAINERS (CC): [] login: uvm_fault(0xfffffd802f87e030, 0x98, 0, 1) -> e kernel: page fault trap, code=0 Stopped at dovutimens+0x368: movl 0x98(%rax),%r12d TID PID UID PRFLAGS PFLAGS CPU COMMAND *234193 89524 0 0 0x4000000 1K syz-executor 204353 21715 0 0 0 0 syz-executor dovutimens(ffff80002a471cb8,fffffd800c4911e8,ffff80002c9df560) at dovutimens+0x368 root/openbsd/mainline/sys/kern/vfs_syscalls.c:2771 sys_futimes(ffff80002a471cb8,ffff80002c9df6b0,ffff80002c9df600) at sys_futimes+0x208 root/openbsd/mainline/sys/kern/vfs_syscalls.c:2813 syscall(ffff80002c9df6b0) at syscall+0xb17 mi_syscall root/openbsd/mainline/sys/sys/syscall_mi.h:176 [inline] syscall(ffff80002c9df6b0) at syscall+0xb17 root/openbsd/mainline/sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xb06b58b77d0, count: 11 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. 
ddb{1}> TITLE: kernel: page fault trap, code=NUM CORRUPTED: false () SUPPRESSED: false MAINTAINERS (TO): [] MAINTAINERS (CC): [] kernel: page fault trap, code=0 Stopped at dovutimens+0x368: movl 0x98(%rax),%r12d TID PID UID PRFLAGS PFLAGS CPU COMMAND *234193 89524 0 0 0x4000000 1K syz-executor 204353 21715 0 0 0 0 syz-executor dovutimens(ffff80002a471cb8,fffffd800c4911e8,ffff80002c9df560) at dovutimens+0x368 root/openbsd/mainline/sys/kern/vfs_syscalls.c:2771 sys_futimes(ffff80002a471cb8,ffff80002c9df6b0,ffff80002c9df600) at sys_futimes+0x208 root/openbsd/mainline/sys/kern/vfs_syscalls.c:2813 syscall(ffff80002c9df6b0) at syscall+0xb17 mi_syscall root/openbsd/mainline/sys/sys/syscall_mi.h:176 [inline] syscall(ffff80002c9df6b0) at syscall+0xb17 root/openbsd/mainline/sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xb06b58b77d0, count: 11 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ```
