>Synopsis: uvm_fault: lptpushbytes
>Category: system kernel amd64
>Environment:
System : OpenBSD 7.9
Details : OpenBSD 7.9-beta (CLOUD) #0: Fri Mar 13 16:18:43 CST 2026
[email protected]:/root/openbsd/mainline/sys/arch/amd64/compile/CLOUD
Architecture: OpenBSD.amd64
Machine : amd64

>Description:
An issue was discovered while fuzzing the OpenBSD kernel using syzkaller with our generated syscall specifications. This issue is reproducible in a recent version of OpenBSD (commit: 7ed008f9564d36435bd789cd2da574d6a032ea7a).

>How-To-Repeat:
The issue can be reproduced by executing the syz reproducer with the specified kernel config (as shown below). The kernel console output and symbolized issue report are available at:
https://drive.google.com/drive/folders/1ZEN30FJfq3zK254F56C3qhXShNFdrdU_?usp=sharing

kernel config:
```
include "arch/amd64/conf/GENERIC.MP"
pseudo-device kcov 1
option KQUEUE_DEBUG
option SPLASSERT_WATCH
option VFSLCKDEBUG
option WITNESS
option WITNESS_LOCKTRACE
option WITNESS_WATCH
```

syz reproducer:
```
r0 = socket$inet_gre_gre_usrreqs(0x2, 0x3, 0x2f)
setsockopt$sock_cred(r0, 0xffff, 0x1021, 0x0, 0x0) (async)
setsockopt$sock_cred(r0, 0xffff, 0x1021, 0x0, 0x0)
r1 = syz_open_pts()
writev(r1, &(0x7f0000000180)=[{&(0x7f0000000240)="9e612b19ce", 0xfffffebc}], 0x100000000000011d)
openat$null(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0) (async)
r2 = openat$null(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0)
fpathconf$nfs_spec_nfs_specvops(r2, 0x3)
read$kqueue_kqueueops(0xffffffffffffffff, &(0x7f0000000140)=[{{<r3=>0xffffffffffffffff}}], 0x1)
ioctl$WSMOUSEIO_SRES(r3, 0x80045721, &(0x7f00000001c0)=0x2) (async)
ioctl$WSMOUSEIO_SRES(r3, 0x80045721, &(0x7f00000001c0)=0x2)
mknod(&(0x7f0000000040)='./file0\x00', 0x2000, 0x1080)
ktrace(&(0x7f0000000ac0)='./file0\x00', 0x2, 0x4, 0x0)
close$ffs_fifo_ffs_fifovops(r1)
unveil(0x0, &(0x7f0000000000)='W\x00')
shmget(0x0, 0x3000, 0x601, &(0x7f0000ffd000/0x3000)=nil)
r4 = open$dir(&(0x7f0000000200)='./file0\x00', 0x9caa0f50c548e3fe, 0x2)
writev(r4, &(0x7f0000000100)=[{&(0x7f0000000040)="f5a64599a8b3c7a8f7108d5d", 0xc}, {&(0x7f0000000080)="3be2263ac1404ec330a20539a4ef504683802f0b48df9d6aac835f38dedd18a562c5cac148cc215fea6a", 0x2a}], 0x2) (async)
writev(r4, &(0x7f0000000100)=[{&(0x7f0000000040)="f5a64599a8b3c7a8f7108d5d", 0xc}, {&(0x7f0000000080)="3be2263ac1404ec330a20539a4ef504683802f0b48df9d6aac835f38dedd18a562c5cac148cc215fea6a", 0x2a}], 0x2)
syz_open_pts() (async)
```

>Fix:
We are trying to analyze the root cause. The symbolized issue report (symbolized by syz-symbolize) is also attached below to assist analysis:

```
TITLE: uvm_fault: lptpushbytes
CORRUPTED: false ()
SUPPRESSED: false
MAINTAINERS (TO): []
MAINTAINERS (CC): []

uvm_fault(0xffffffff83982700, 0xffff800000e32000, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at lptpushbytes+0x4f2: movzbl 0(%rax),%edx
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*242561  14489      0           0  0x4000000   0K  syz-executor
 163074  26464      0         0x2          0    1  syz-executor
lptpushbytes(ffff8000000dbd00) at lptpushbytes+0x4f2 root/openbsd/mainline/sys/dev/ic/lpt.c:316
lptwrite(1080,ffff80002a54bbb0,15) at lptwrite+0xc8 root/openbsd/mainline/sys/dev/ic/lpt.c:-1
spec_write(ffff80002a54b980) at spec_write+0x11f root/openbsd/mainline/sys/kern/spec_vnops.c:302
VOP_WRITE(fffffd805e9b4360,ffff80002a54bbb0,15,fffffd80097fdd00) at VOP_WRITE+0x101 root/openbsd/mainline/sys/kern/vfs_vops.c:245
vn_write(fffffd800b5bdcc0,ffff80002a54bbb0,0) at vn_write+0x1d3 root/openbsd/mainline/sys/kern/vfs_vnops.c:408
dofilewritev(ffff80002a3787d8,6,ffff80002a54bbb0,0,ffff80002a54bc70) at dofilewritev+0x2bd root/openbsd/mainline/sys/kern/sys_generic.c:384
sys_writev(ffff80002a3787d8,ffff80002a54bd20,ffff80002a54bc70) at sys_writev+0xd8 root/openbsd/mainline/sys/kern/sys_generic.c:327
syscall(ffff80002a54bd20) at syscall+0xbd4 mi_syscall root/openbsd/mainline/sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80002a54bd20) at syscall+0xbd4 root/openbsd/mainline/sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xd81c4233280, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>

TITLE: kernel: page fault trap, code=NUM
CORRUPTED: false ()
SUPPRESSED: false
MAINTAINERS (TO): []
MAINTAINERS (CC): []

kernel: page fault trap, code=0
Stopped at lptpushbytes+0x4f2: movzbl 0(%rax),%edx
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*242561  14489      0           0  0x4000000   0K  syz-executor
 163074  26464      0         0x2          0    1  syz-executor
lptpushbytes(ffff8000000dbd00) at lptpushbytes+0x4f2 root/openbsd/mainline/sys/dev/ic/lpt.c:316
lptwrite(1080,ffff80002a54bbb0,15) at lptwrite+0xc8 root/openbsd/mainline/sys/dev/ic/lpt.c:-1
spec_write(ffff80002a54b980) at spec_write+0x11f root/openbsd/mainline/sys/kern/spec_vnops.c:302
VOP_WRITE(fffffd805e9b4360,ffff80002a54bbb0,15,fffffd80097fdd00) at VOP_WRITE+0x101 root/openbsd/mainline/sys/kern/vfs_vops.c:245
vn_write(fffffd800b5bdcc0,ffff80002a54bbb0,0) at vn_write+0x1d3 root/openbsd/mainline/sys/kern/vfs_vnops.c:408
dofilewritev(ffff80002a3787d8,6,ffff80002a54bbb0,0,ffff80002a54bc70) at dofilewritev+0x2bd root/openbsd/mainline/sys/kern/sys_generic.c:384
sys_writev(ffff80002a3787d8,ffff80002a54bd20,ffff80002a54bc70) at sys_writev+0xd8 root/openbsd/mainline/sys/kern/sys_generic.c:327
syscall(ffff80002a54bd20) at syscall+0xbd4 mi_syscall root/openbsd/mainline/sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80002a54bd20) at syscall+0xbd4 root/openbsd/mainline/sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xd81c4233280, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
```

Feel free to contact me if any further information is needed. Many thanks!

Best Regards,
Jiaming Zhang
