

panic:W ApoRNoIlN_Gc:ac hSPeL_ iNtOeTm _LmOaWgERiEcD_ cOheNc Sk:YS CmAbLuLfp 2l -c5p0u7 6fr57e3e3 1l iEsXItT m0od ia

Status: closed as dup on 2020/06/14 07:27
Reported-by: syzbot+02498c03bfcdc029b330@syzkaller.appspotmail.com
First crash: 1622d, last: 1622d
Duplicate of
Title Repro Cause bisect Fix bisect Count Last Reported
pool: cpu free list modified: mbufpl syz 15863 1570d 1856d

Sample crash report:
panic:W ApoRNoIlN_Gc:ac hSPeL_ iNtOeTm _LmOaWgERiEcD_ cOheNc Sk:YS CmAbLuLfp 2l  -c5p0u7 6fr57e3e3 1l iEsXItT  m0od ia
f
ieStopped at      savectx+0xb1:   movl    $0,%gs:0x530
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*394738  91951      0         0x2          0    1  syz-executor.0
 396219    692      0        0x12          0    0  sshd
savectx() at savectx+0xb1
end of kernel
end trace frame: 0x7f7ffffeaa60, count: 14
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{1}> 
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd806a618800+24 0x5a53175d924a398!=0x5a531f5b33b0c98
ddb{1}> trace
savectx() at savectx+0xb1
end of kernel
end trace frame: 0x7f7ffffeaa60, count: -1
ddb{1}> show registers
rdi                                0
rsi                                0
rbp               0xffff800020ee9880
rbx                                0
rdx                             0x8b
rcx                              0x2
rax                             0x3a
r8                0xffffffff81e379ff    kprintf+0x16f
r9                               0x1
r10                              0x2
r11               0xd706d097c2d4fb4c
r12                                0
r13                                0
r14               0xffff800020dec4e8
r15                                0
rip               0xffffffff81a2f3f1    savectx+0xb1
cs                               0x8
rflags                          0x46
rsp               0xffff800020ee9800
ss                              0x10
savectx+0xb1:   movl    $0,%gs:0x530
ddb{1}> show proc
PROC (syz-executor.0) pid=394738 stat=onproc
    flags process=2<EXEC,8ORPHAN> proc=0
    pri=17, usrpri=52, nice=20
    forw=0xffffffffffffffff, list=0xffff800020dec758,0xffff800020ee3888
    process=0xffff800020e003e8 user=0xffff800020ee4000, vmspace=0xfffffd807f000cf0
    estcpu=2, cpticks=1, pctcpu=0.5
    user=0, sys=1, intr=0
ddb{1}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 68722  341358  91951      0  2           0                syz-executor.0
 15046  517608   1563      0  2         0x2                syz-executor.1
*91951  394738   1563      0  7         0x2                syz-executor.0
  1563  109044  13133      0  3        0x82  thrsleep      syz-fuzzer
  1563  108191  13133      0  3   0x4000082  nanosleep     syz-fuzzer
  1563  146694  13133      0  3   0x4000082  thrsleep      syz-fuzzer
  1563  328585  13133      0  2   0x4000002                syz-fuzzer
  1563   83246  13133      0  3   0x4000082  thrsleep      syz-fuzzer
  1563   57125  13133      0  2   0x4000002                syz-fuzzer
  1563  233483  13133      0  3   0x4000082  thrsleep      syz-fuzzer
  1563    1002  13133      0  3   0x4000082  thrsleep      syz-fuzzer
  1563  305714  13133      0  3   0x4000082  thrsleep      syz-fuzzer
  1563  236181  13133      0  3   0x4000082  thrsleep      syz-fuzzer
 13133  347515    692      0  3    0x10008a  pause         ksh
   692  396219  25003      0  7        0x12                sshd
 56443  319744      1      0  3    0x100083  ttyin         getty
 25003   77526      1      0  3        0x80  select        sshd
 29203  407144  86951     74  3    0x100092  bpf           pflogd
 86951   30791      1      0  3        0x80  netio         pflogd
 70536  177695  19017     73  3    0x100090  kqread        syslogd
 19017  465942      1      0  3    0x100082  netio         syslogd
 33389  236826      1     77  3    0x100090  poll          dhclient
 93221  329581      1      0  3        0x80  poll          dhclient
 44503  120282      0      0  3     0x14200  bored         smr
 89672  231260      0      0  2     0x14200                zerothread
 68760   64560      0      0  3     0x14200  aiodoned      aiodoned
 13675  473758      0      0  3     0x14200  syncer        update
 14843  259900      0      0  3     0x14200  cleaner       cleaner
  6399  353660      0      0  3     0x14200  reaper        reaper
 59400   90935      0      0  3     0x14200  pgdaemon      pagedaemon
 11261  485883      0      0  3     0x14200  bored         crynlk
 38344  508523      0      0  3     0x14200  bored         crypto
 43355  199549      0      0  3  0x40014200  acpi0         acpi0
 65468  522294      0      0  3  0x40014200                idle1
 64816  212627      0      0  2     0x14200                softnet
 26269  387494      0      0  3     0x14200  bored         systqmp
 77137  468021      0      0  3     0x14200  bored         systq
 57814  467965      0      0  3  0x40014200  bored         softclock
 57529  269536      0      0  3  0x40014200                idle0
     1  249775      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{1}> show all locks
CPU 1:
exclusive mutex &uvm.fpageqlock r = 0 (0xffffffff828a3dd0)
#0  witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0  witness_lock+0x4c7 sys/kern/subr_witness.c:1164
#1  mtx_enter_try+0x102
#2  mtx_enter+0x4b sys/kern/kern_lock.c:266
#3  uvm_pmr_getpages+0x34e sys/uvm/uvm_pmemrange.c:941
#4  uvm_pglistalloc+0x362 sys/uvm/uvm_page.c:790
#5  uvm_km_kmemalloc_pla+0x238 sys/uvm/uvm_km.c:367
#6  uvm_uarea_alloc+0x51 sys/uvm/uvm_glue.c:274
#7  fork1+0x271 sys/kern/kern_fork.c:365
#8  syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#8  syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#9  Xsyscall+0x128
Process 91951 (syz-executor.0) thread 0xffff800020dec4e8 (394738)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff828b3f90)
#0  witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0  witness_lock+0x4c7 sys/kern/subr_witness.c:1164
#1  syscall+0x400 mi_syscall sys/sys/syscall_mi.h:93 [inline]
#1  syscall+0x400 sys/arch/amd64/amd64/trap.c:570
#2  Xsyscall+0x128
exclusive mutex &uvm.fpageqlock r = 0 (0xffffffff828a3dd0)
#0  witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0  witness_lock+0x4c7 sys/kern/subr_witness.c:1164
#1  mtx_enter_try+0x102
#2  mtx_enter+0x4b sys/kern/kern_lock.c:266
#3  uvm_pmr_getpages+0x34e sys/uvm/uvm_pmemrange.c:941
#4  uvm_pglistalloc+0x362 sys/uvm/uvm_page.c:790
#5  uvm_km_kmemalloc_pla+0x238 sys/uvm/uvm_km.c:367
#6  uvm_uarea_alloc+0x51 sys/uvm/uvm_glue.c:274
#7  fork1+0x271 sys/kern/kern_fork.c:365
#8  syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#8  syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#9  Xsyscall+0x128
Process 692 (sshd) thread 0xffff800020e5f600 (396219)
exclusive rwlock netlock r = 0 (0xffffffff826eda78)
#0  witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0  witness_lock+0x4c7 sys/kern/subr_witness.c:1164
#1  solock+0x5a sys/kern/uipc_socket2.c:282
#2  sosend+0x559 sys/kern/uipc_socket.c:537
#3  dofilewritev+0x1b6 sys/kern/sys_generic.c:365
#4  sys_write+0x83 sys/kern/sys_generic.c:285
#5  syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#5  syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#6  Xsyscall+0x128
ddb{1}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf  9471   6398K    6786K  78643K     10665        0
            pcb    13      8K       8K  78643K        31        0
         rtable    97      3K       3K  78643K       201        0
         ifaddr    44     10K      11K  78643K        49        0
         sysctl     2      0K       0K  78643K         2        0
       counters    43     33K      33K  78643K        43        0
       ioctlops     0      0K       4K  78643K      1473        0
            iov     0      0K      12K  78643K         4        0
          mount     1      1K       1K  78643K         1        0
         vnodes  1222     77K      77K  78643K      1254        0
      UFS quota     1     32K      32K  78643K         1        0
      UFS mount     5     36K      36K  78643K         5        0
            shm     2      1K       1K  78643K         2        0
         VM map     2      1K       1K  78643K         2        0
            sem     8      0K       0K  78643K        14        0
        dirhash    12      2K       2K  78643K        12        0
           ACPI  1824    197K     290K  78643K     13058        0
      file desc     5     13K      25K  78643K        74        0
           proc    60     63K      83K  78643K       444        0
        subproc    32      2K       2K  78643K        34        0
    NFS srvsock     1      0K       0K  78643K         1        0
     NFS daemon     1     16K      16K  78643K         1        0
    ip_moptions     0      0K       0K  78643K         1        0
       in_multi    39      2K       2K  78643K        42        0
    ether_multi     1      0K       0K  78643K         2        0
    ISOFS mount     1     32K      32K  78643K         1        0
  MSDOSFS mount     1     16K      16K  78643K         1        0
           ttys    19     95K      95K  78643K        19        0
           exec     0      0K       1K  78643K       211        0
        pagedep     1      8K       8K  78643K         1        0
       inodedep     1     32K      32K  78643K         1        0
         newblk     1      0K       0K  78643K         1        0
        VM swap     7     26K      26K  78643K         7        0
       UVM amap   115     22K      25K  78643K      1163        0
       UVM aobj     2      2K       2K  78643K         2        0
        memdesc     1      4K       4K  78643K         1        0
    crypto data     1      1K       1K  78643K         1        0
    ip6_options     0      0K       0K  78643K         8        0
            NDP     6      0K       0K  78643K        10        0
           temp    68   3844K    3908K  78643K      2131        0
         kqueue     3      4K       6K  78643K         6        0
      SYN cache     2     16K      16K  78643K         2        0
ddb{1}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp         64        6    0        2     1     0     1     1     0     8    0
plcache    128       20    0        0     1     0     1     1     0     8    0
rtpcb       80       25    0       23     1     0     1     1     0     8    0
rtentry    112       45    0        5     2     0     2     2     0     8    0
unpcb      120       33    0       23     1     0     1     1     0     8    0
syncache   264        4    0        4     1     1     0     1     0     8    0
tcpqe       32       47    0       47     1     1     0     1     0     8    0
tcpcb      544       16    0       12     1     0     1     1     0     8    0
inpcb      280       70    0       63     2     0     2     2     0     8    1
nd6         48        6    0        0     1     0     1     1     0     8    0
pfosfp      40      846    0      423     5     0     5     5     0     8    0
pfosfpen   112     1428    0      714    21     0    21    21     0     8    0
pfstitem    24       15    0        0     1     0     1     1     0     8    0
pfstkey    112       15    0        0     1     0     1     1     0     8    0
pfstate    328       15    0        0     2     0     2     2     0     8    0
pfrule     1360      21    0       16     2     1     1     2     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      188    0        4    12     0    12    12     0     8    0
art_table   32      189    0        4     2     0     2     2     0     8    0
art_node    16       44    0        8     1     0     1     1     0     8    0
sysvmsgpl   40        6    0        2     1     0     1     1     0     8    0
semupl     112        4    0        4     1     0     1     1     0     8    1
semapl     112        6    0        0     1     0     1     1     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino2pl    256     1482    0       75    89     0    89    89     0     8    0
ffsino     272     1482    0       75    95     0    95    95     0     8    0
nchpl      144     1763    0      153    60     0    60    60     0     8    0
uvmvnodes   72     1558    0        0    29     0    29    29     0     8    0
vnodes     208     1558    0        0    82     0    82    82     0     8    0
namei      1024    4620    0     4620     1     0     1     1     0     8    1
percpumem   16       32    0        0     1     0     1     1     0     8    0
scxspl     192     5239    0     5239     8     1     7     7     0     8    7
plimitpl   152       15    0        7     1     0     1     1     0     8    0
sigapl     424      289    0      258     4     0     4     4     0     8    0
futexpl     56      587    0      587     1     0     1     1     0     8    1
knotepl    112       65    0       46     1     0     1     1     0     8    0
kqueuepl   144       14    0       12     1     0     1     1     0     8    0
pipelkpl    48       83    0       73     1     0     1     1     0     8    0
pipepl     120      166    0      147     1     0     1     1     0     8    0
fdescpl    496      274    0      258     3     0     3     3     0     8    0
filepl     152     1377    0     1276     6     0     6     6     0     8    2
lockfpl    104       17    0       16     1     0     1     1     0     8    0
lockfspl    48        7    0        6     1     0     1     1     0     8    0
sessionpl  112       18    0        7     1     0     1     1     0     8    0
pgrppl      48       18    0        7     1     0     1     1     0     8    0
ucredpl     96       58    0       49     1     0     1     1     0     8    0
zombiepl   144      258    0      258     1     0     1     1     0     8    1
processpl  984      289    0      258     5     0     5     5     0     8    1
procpl     624      398    0      358     4     0     4     4     0     8    0
sockpl     400      128    0      109     3     0     3     3     0     8    1
mcl12k     12288      2    0        0     1     0     1     1     0     8    0
mcl9k      9216       1    0        0     1     0     1     1     0     8    0
mcl8k      8192       1    0        0     1     0     1     1     0     8    0
mcl4k      4096       3    0        0     1     0     1     1     0     8    0
mcl2k      2048     202    0        0    25     0    25    25     0     8    0
mtagpl      80        6    0        0     1     0     1     1     0     8    0
mbufpl     256      232    0        0    14     0    14    14     0     8    0
bufpl      280     3421    0      133   235     0   235   235     0     8    0
anonpl      16    44071    0    29278    77     1    76    76     0   124   15
amapchunkpl 152    1298    0     1164     8     0     8     8     0   158    1
amappl16   192     1280    0      478    52     0    52    52     0     8   11
amappl15   184        1    0        1     1     1     0     1     0     8    0
amappl14   176       45    0       39     1     0     1     1     0     8    0
amappl13   168       72    0       67     1     0     1     1     0     8    0
amappl12   160       29    0       24     1     0     1     1     0     8    0
amappl11   152       53    0       38     1     0     1     1     0     8    0
amappl10   144       18    0       12     1     0     1     1     0     8    0
amappl9    136      383    0      382     1     0     1     1     0     8    0
amappl8    128      342    0      313     2     0     2     2     0     8    0
amappl7    120      120    0      107     1     0     1     1     0     8    0
amappl6    112       23    0       20     1     0     1     1     0     8    0
amappl5    104      157    0      142     1     0     1     1     0     8    0
amappl4     96      509    0      480     1     0     1     1     0     8    0
amappl3     88      131    0      121     1     0     1     1     0     8    0
amappl2     80     1254    0     1191     2     0     2     2     0     8    0
amappl1     72    16007    0    15579    23     6    17    18     0     8    7
amappl      80      648    0      607     2     0     2     2     0    84    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      64        1    0        0     1     0     1     1     0     8    0
uaddrrnd    24      274    0      258     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      274    0      258     1     0     1     1     0     8    0
vmmpekpl   168     6218    0     6188     2     0     2     2     0     8    0
vmmpepl    168    40404    0    38487   115     2   113   113     0   357   28
vmsppl     368      273    0      258     2     0     2     2     0     8    0
pdppl      4096     555    0      516     6     0     6     6     0     8    0
pvpl        32   145778    0   127936   180     0   180   180     0   265   31
pmappl     232      273    0      258     2     0     2     2     0     8    1
extentpl    40       53    0       36     1     0     1     1     0     8    0
phpool     112      262    0        3     8     0     8     8     0     8    0
ddb{1}> machine ddbcpu 0
Stopped at      x86_ipi_db+0x1a:        addq    $0x8,%rsp
x86_ipi_db(ffffffff82700ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:352
x86_ipi_handler() at x86_ipi_handler+0xc6 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
x86_bus_space_io_write_1(3f8,0,65) at x86_bus_space_io_write_1+0x45 sys/arch/amd64/amd64/bus_space.c:759
comcnputc(800,65) at comcnputc+0x131 bus_space_barrier machine/bus.h:481 [inline]
comcnputc(800,65) at comcnputc+0x131 sys/dev/ic/com.c:1254
cnputc(65) at cnputc+0x4c sys/dev/cons.c:239
kputchar(65,5,0) at kputchar+0x219 sys/kern/subr_prf.c:343
kprintf() at kprintf+0x15c sys/kern/subr_prf.c:700
panic(ffffffff823e71fa) at panic+0xf3 vprintf sys/kern/subr_prf.c:528 [inline]
panic(ffffffff823e71fa) at panic+0xf3 sys/kern/subr_prf.c:197
pool_cache_get(ffffffff8290ecd8) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1781 [inline]
pool_cache_get(ffffffff8290ecd8) at pool_cache_get+0x323 sys/kern/subr_pool.c:1884
pool_get(ffffffff8290ecd8,2) at pool_get+0x91 sys/kern/subr_pool.c:572
m_gethdr(2,2) at m_gethdr+0x4c sys/kern/uipc_mbuf.c:283
tcp_output(ffff800000ad7760) at tcp_output+0x14e6
tcp_usrreq(fffffd806f680640,9,fffffd806a1fdd00,0,0,ffff800020e5f600) at tcp_usrreq+0xa55
end trace frame: 0xffff800020e47270, count: 0
ddb{0}> trace
x86_ipi_db(ffffffff82700ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:352
x86_ipi_handler() at x86_ipi_handler+0xc6 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
x86_bus_space_io_write_1(3f8,0,65) at x86_bus_space_io_write_1+0x45 sys/arch/amd64/amd64/bus_space.c:759
comcnputc(800,65) at comcnputc+0x131 bus_space_barrier machine/bus.h:481 [inline]
comcnputc(800,65) at comcnputc+0x131 sys/dev/ic/com.c:1254
cnputc(65) at cnputc+0x4c sys/dev/cons.c:239
kputchar(65,5,0) at kputchar+0x219 sys/kern/subr_prf.c:343
kprintf() at kprintf+0x15c sys/kern/subr_prf.c:700
panic(ffffffff823e71fa) at panic+0xf3 vprintf sys/kern/subr_prf.c:528 [inline]
panic(ffffffff823e71fa) at panic+0xf3 sys/kern/subr_prf.c:197
pool_cache_get(ffffffff8290ecd8) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1781 [inline]
pool_cache_get(ffffffff8290ecd8) at pool_cache_get+0x323 sys/kern/subr_pool.c:1884
pool_get(ffffffff8290ecd8,2) at pool_get+0x91 sys/kern/subr_pool.c:572
m_gethdr(2,2) at m_gethdr+0x4c sys/kern/uipc_mbuf.c:283
tcp_output(ffff800000ad7760) at tcp_output+0x14e6
tcp_usrreq(fffffd806f680640,9,fffffd806a1fdd00,0,0,ffff800020e5f600) at tcp_usrreq+0xa55
sosend(fffffd806f680640,0,ffff800020e47338,0,0,80) at sosend+0x671 sys/kern/uipc_socket.c:549
dofilewritev(ffff800020e5f600,4,ffff800020e47338,0,ffff800020e47420) at dofilewritev+0x1b6 sys/kern/sys_generic.c:365
sys_write(ffff800020e5f600,ffff800020e473d0,ffff800020e47420) at sys_write+0x83 sys/kern/sys_generic.c:285
syscall(ffff800020e474a0) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800020e474a0) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffe23a0, count: -19
ddb{0}> machine ddbcpu 1
Stopped at      savectx+0xb1:   movl    $0,%gs:0x530
savectx() at savectx+0xb1
end of kernel
end trace frame: 0x7f7ffffeaa60, count: 14
ddb{1}> trace
savectx() at savectx+0xb1
end of kernel
end trace frame: 0x7f7ffffeaa60, count: -1

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/06/13 19:49 openbsd 2ed200e57779 dbce178a .config console log report ci-openbsd-multicore