uvm_fault(0xfffffd806caa5018, 0x7f864ce51370, 0, 2) -> e
kernel: page fault trap, code=2
Stopped at pmap_page_remove+0x45d: xchgq %rax,0(%r14,%rcx,1)
TID PID UID PRFLAGS PFLAGS CPU COMMAND
427116 22772 0 0 0 0 syz-executor
pmap_page_remove(fffffd80085618a8) at pmap_page_remove+0x45d _atomic_swap_64 sys/arch/amd64/compile/SYZKALLER/obj/machine/atomic.h:117 [inline]
pmap_page_remove(fffffd80085618a8) at pmap_page_remove+0x45d sys/arch/amd64/amd64/pmap.c:2014
uvm_anfree_list(fffffd80680f1e28,0) at uvm_anfree_list+0xd6 sys/uvm/uvm_anon.c:112
amap_wipeout(fffffd806cc440c0) at amap_wipeout+0x248 sys/uvm/uvm_amap.c:-1
uvm_unmap_detach(ffff80002a370410,0) at uvm_unmap_detach+0x8a sys/uvm/uvm_map.c:1353
uvm_map_teardown(fffffd806caa5018) at uvm_map_teardown+0x360 sys/uvm/uvm_map.c:2525
exit1(ffff8000313d9ca8,0,0,1) at exit1+0x6fc sys/kern/kern_exit.c:260
sys_exit(ffff8000313d9ca8,ffff80002a3705e0,ffff80002a370530) at sys_exit+0x1a sys/kern/kern_exit.c:-1
syscall(ffff80002a3705e0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80002a3705e0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:765
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7166d260d4b0, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu1: uvm_fault(0xfffffd806caa5018, 0x7f864ce51370, 0, 2) -> e
ddb{1}> trace
pmap_page_remove(fffffd80085618a8) at pmap_page_remove+0x45d _atomic_swap_64 sys/arch/amd64/compile/SYZKALLER/obj/machine/atomic.h:117 [inline]
pmap_page_remove(fffffd80085618a8) at pmap_page_remove+0x45d sys/arch/amd64/amd64/pmap.c:2014
uvm_anfree_list(fffffd80680f1e28,0) at uvm_anfree_list+0xd6 sys/uvm/uvm_anon.c:112
amap_wipeout(fffffd806cc440c0) at amap_wipeout+0x248 sys/uvm/uvm_amap.c:-1
uvm_unmap_detach(ffff80002a370410,0) at uvm_unmap_detach+0x8a sys/uvm/uvm_map.c:1353
uvm_map_teardown(fffffd806caa5018) at uvm_map_teardown+0x360 sys/uvm/uvm_map.c:2525
exit1(ffff8000313d9ca8,0,0,1) at exit1+0x6fc sys/kern/kern_exit.c:260
sys_exit(ffff8000313d9ca8,ffff80002a3705e0,ffff80002a370530) at sys_exit+0x1a sys/kern/kern_exit.c:-1
syscall(ffff80002a3705e0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80002a3705e0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:765
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7166d260d4b0, count: -9
ddb{1}> show registers
rdi 0
rsi 0
rbp 0xffff80002a370310
rbx 0xfffffd8069b9e970
rdx 0
rcx 0x7f8000000000
rax 0
r8 0
r9 0xffff80002a370300
r10 0x764fbb51120517e
r11 0xf828528c71a33f3a
r12 0
r13 0
r14 0x64ce51370
r15 0xfffffd8008561910
rip 0xffffffff82977a1d pmap_page_remove+0x45d
cs 0x8
rflags 0x10246 __ALIGN_SIZE+0xf246
rsp 0xffff80002a370290
ss 0
pmap_page_remove+0x45d: xchgq %rax,0(%r14,%rcx,1)
ddb{1}> show proc
PROC (syz-executor) tid=439179 pid=59402 tcnt=0 stat=onproc
flags process=1008<EXITING,SINGLEEXIT> proc=2000<WEXIT>
runpri=26, usrpri=79, slppri=26, nice=20
wchan=0x0, wmesg=, ps_single=0xffff8000313d9ca8 scnt=-1 ecnt=1
forw=0xffffffffffffffff, list=0xffff8000313da558,0xffff8000fffef4e8
process=0xffff80003c418020 user=0xffff80002a36b000, vmspace=0xfffffd806caa5018
estcpu=29, cpticks=2, pctcpu=0.0, user=0, sys=1, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
22772 427116 66832 0 7 0 syz-executor
22772 299358 66832 0 2 0x4000000 syz-executor
40735 343113 82988 0 2 0 syz-executor
40735 69202 82988 0 2 0x4000000 syz-executor
73125 178829 43553 0 2 0 syz-executor
73125 458306 43553 0 3 0x4000080 ttyin syz-executor
73125 173119 43553 0 2 0x4000000 syz-executor
21996 435118 68676 0 2 0 syz-executor
21996 329495 68676 0 3 0x4000080 kqsel syz-executor
21996 386324 68676 0 3 0x4000080 fsleep syz-executor
31178 382440 35252 0 3 0x80 nanoslp syz-executor
31178 277980 35252 0 3 0x4000080 ttyin syz-executor
85817 509712 61449 0 2 0 syz-executor
85817 243976 61449 0 3 0x4000080 ttyin syz-executor
85817 75206 61449 0 3 0x4000080 fsleep syz-executor
61449 488597 74194 0 3 0x82 nanoslp syz-executor
66369 260652 74194 0 3 0x82 nanoslp syz-executor
87698 261788 74194 0 3 0x82 wait syz-executor
82988 308531 74194 0 2 0xc82 syz-executor
66832 400835 74194 0 3 0x82 nanoslp syz-executor
68676 352659 74194 0 3 0x82 nanoslp syz-executor
35252 386949 74194 0 3 0x82 nanoslp syz-executor
43553 73345 74194 0 3 0x82 nanoslp syz-executor
74194 72639 22874 0 3 0x82 kqread syz-executor
22874 199488 7157 0 3 0x10008a sigsusp ksh
7157 516473 5934 0 3 0x98 kqread sshd-session
5934 442877 36693 0 3 0x92 kqread sshd-session
94577 10377 1 0 3 0x100083 ttyopn getty
36693 214151 1 0 3 0x88 kqread sshd
16707 176574 97737 74 3 0x1100092 bpf pflogd
97737 177229 1 0 3 0x80 sbwait pflogd
38623 273265 65262 73 3 0x1100090 kqread syslogd
65262 346637 1 0 3 0x100082 sbwait syslogd
40101 233736 1 0 3 0x100080 kqread resolvd
22799 104935 66574 77 3 0x100092 kqread dhcpleased
37418 173161 66574 77 3 0x100092 kqread dhcpleased
66574 429682 1 0 3 0x80 kqread dhcpleased
78391 233181 0 0 2 0x40014200 smr
22614 221995 0 0 2 0x14200 zerothread
74024 68936 0 0 3 0x14200 aiodoned aiodoned
7121 315919 0 0 3 0x14200 syncer update
7554 100354 0 0 3 0x14200 cleaner cleaner
10407 132018 0 0 3 0x14200 reaper reaper
67192 411961 0 0 3 0x14200 pgdaemon pagedaemon
65352 387707 0 0 3 0x14200 bored viomb
11425 373402 0 0 3 0x40014200 acpi0 acpi0
60197 310025 0 0 3 0x40014200 idle1
72330 315069 0 0 3 0x14200 bored softnet1
50571 504124 0 0 3 0x14200 bored softnet0
91913 62377 0 0 3 0x14200 bored systqmp
95233 156177 0 0 3 0x14200 bored systq
63434 369570 0 0 3 0x14200 tmoslp softclockmp
23991 298011 0 0 3 0x40014200 tmoslp softclock
16851 60888 0 0 3 0x40014200 idle0
1 52490 0 0 3 0x82 wait init
0 0 -1 0 3 0x10010200 scheduler swapper
ddb{1}> show all locks
CPU 1:
exclusive mutex &pmap->pm_mtx r = 0 (0xfffffd806c93a010)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 mtx_enter_try+0x1ad sys/kern/kern_lock.c:311
#2 mtx_enter+0x62 sys/kern/kern_lock.c:261
#3 pmap_page_remove+0xca rcr3 sys/arch/amd64/compile/SYZKALLER/obj/machine/cpufunc.h:139 [inline]
#3 pmap_page_remove+0xca pmap_map_ptes sys/arch/amd64/amd64/pmap.c:437 [inline]
#3 pmap_page_remove+0xca sys/arch/amd64/amd64/pmap.c:1974
#4 uvm_anfree_list+0xd6 sys/uvm/uvm_anon.c:112
#5 amap_wipeout+0x248 sys/uvm/uvm_amap.c:-1
#6 uvm_unmap_detach+0x8a sys/uvm/uvm_map.c:1353
#7 uvm_map_teardown+0x360 sys/uvm/uvm_map.c:2525
#8 exit1+0x6fc sys/kern/kern_exit.c:260
#9 sys_exit+0x1a sys/kern/kern_exit.c:-1
#10 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#10 syscall+0xb17 sys/arch/amd64/amd64/trap.c:765
#11 Xsyscall+0x128
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10213 11096K 12509K 166960K 13527 0
pcb 18 18K 34K 166960K 583 0
rtable 213 10K 11K 166960K 651 0
pf 35 17K 81K 166960K 140 0
ifaddr 37 6K 8K 166960K 104 0
ifgroup 51 2K 2K 166960K 151 0
sysctl 4 1K 9K 166960K 20 0
counters 66 36K 37K 166960K 164 0
ioctlops 0 0K 4K 166960K 1801 0
iov 0 0K 16K 166960K 75 0
mount 1 1K 1K 166960K 1 0
log 0 0K 0K 166960K 4 0
vnodes 1525 96K 96K 166960K 2944 0
UFS quota 1 32K 32K 166960K 1 0
UFS mount 5 36K 36K 166960K 5 0
shm 2 1K 9K 166960K 19 0
VM map 2 1K 1K 166960K 2 0
sem 12 0K 1K 166960K 58 0
dirhash 12 2K 2K 166960K 21 0
ACPI 1692 195K 286K 166960K 12470 0
file desc 17 61K 240K 166960K 1308 0
sigio 0 0K 0K 166960K 27 0
proc 74 115K 147K 166960K 742 0
subproc 72 4K 4K 166960K 118 0
NFS srvsock 1 0K 0K 166960K 1 0
NFS daemon 1 16K 16K 166960K 1 0
ip_moptions 0 0K 0K 166960K 337 0
in_multi 74 5K 7K 166960K 213 0
ether_multi 1 0K 0K 166960K 15 0
mrt 1 0K 0K 166960K 9 0
ISOFS mount 1 32K 32K 166960K 1 0
MSDOSFS mount 1 16K 16K 166960K 1 0
ttys 109 493K 493K 166960K 109 0
exec 0 0K 1K 166960K 786 0
fusefs mount 1 32K 32K 166960K 1 0
pfkey data 0 0K 0K 166960K 1 0
tdb 3 0K 0K 166960K 3 0
VM swap 8 62K 64K 166960K 10 0
UVM amap 253 177K 196K 166960K 13673 0
UVM aobj 130 9K 10K 166960K 135 0
pinsyscall 42 84K 104K 166960K 2582 0
memdesc 1 4K 4K 166960K 1 0
crypto data 1 1K 1K 166960K 1 0
ip6_options 2 0K 1K 166960K 99 0
NDP 11 0K 2K 166960K 73 0
temp 79 8676K 8836K 166960K 45521 0
kqueue 15 20K 30K 166960K 232 0
SYN cache 2 16K 16K 166960K 2 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 26 0 0 1 0 1 1 0 8 0
rtpcb 120 253 0 250 5 2 3 3 0 8 2
rtentry 176 193 0 111 6 0 6 6 0 8 0
unpcb 144 900 0 881 9 5 4 7 0 8 3
syncache 336 9 0 9 3 2 1 1 0 8 1
tcpqe 32 4 0 4 2 2 0 1 0 8 0
tcpcb 736 468 0 459 13 6 7 7 0 8 5
arp 136 30 0 14 1 0 1 1 0 8 0
inpcb 328 1519 0 1504 19 9 10 12 0 8 8
nd6 152 45 0 28 2 0 2 2 0 8 0
pkpcb 40 9 0 9 2 2 0 1 0 8 0
kcovpl 48 13 0 5 1 0 1 1 0 8 0
ppxss 1192 36 0 36 2 1 1 1 0 8 1
pfstscr 40 15 0 15 3 3 0 1 0 8 0
pffrag 232 7 0 2 1 0 1 1 0 482 0
pffrnode 88 7 0 2 1 0 1 1 0 8 0
pffrent 40 10 0 5 1 0 1 1 0 8 0
pfosfp 40 1428 0 1005 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfrktable 1344 1 0 1 1 1 0 1 0 8 0
pfanchor 1288 1 0 1 1 1 0 1 0 8 0
pftag 88 1 0 1 1 1 0 1 0 8 0
pfstitem 24 92 0 29 1 0 1 1 0 8 0
pfstkey 128 110 0 48 2 0 2 2 0 8 0
pfstate 448 104 0 42 7 0 7 7 0 8 0
pfrule 1344 25 0 20 2 1 1 2 0 8 0
rttmr 136 1 0 1 1 1 0 1 0 8 0
art_heap8 4096 4 0 1 3 0 3 3 0 8 0
art_heap4 256 818 0 495 31 7 24 29 0 8 2
art_table 40 822 0 496 5 0 5 5 0 8 0
art_node 32 191 0 120 1 0 1 1 0 8 0
sysvmsgpl 40 10 0 6 1 0 1 1 0 8 0
semupl 112 2 0 2 2 1 1 1 0 8 1
semapl 112 52 0 42 1 0 1 1 0 8 0
shmpl 112 128 0 4 4 0 4 4 0 8 0
dirhash 1024 23 0 6 3 0 3 3 0 8 0
dino2pl 256 3782 0 2266 96 0 96 96 0 8 0
ffsino 296 3782 0 2266 118 0 118 118 0 8 0
nchpl 144 5532 0 3830 64 0 64 64 0 8 0
rtmask 32 13 0 13 2 2 0 1 0 8 0
vnodes 216 4914 0 0 273 0 273 273 0 8 0
namei 1024 19949 0 19949 2 1 1 2 0 8 1
percpumem 16 97 0 49 1 0 1 1 0 8 0
vcpupl 3968 4 0 1 1 0 1 1 0 8 0
vmpool 840 4 0 1 1 0 1 1 0 8 0
kstatmem 264 96 0 70 3 0 3 3 0 8 1
scsiplug 72 5 0 5 3 2 1 1 0 8 1
scxspl 216 23865 0 23865 14 11 3 8 1 8 3
plimitpl 152 467 0 446 1 0 1 1 0 8 0
sigapl 424 1602 0 1554 7 1 6 7 0 8 0
knotepl 120 562 0 0 17 0 17 17 0 8 0
kqueuepl 224 481 0 468 8 5 3 5 0 8 2
pipepl 344 389 0 361 12 5 7 9 0 8 4
fdescpl 528 1585 0 1554 3 0 3 3 0 8 0
filepl 160 11075 0 10840 28 7 21 21 0 8 7
lockfpl 104 677 0 668 3 2 1 2 0 8 0
lockfspl 48 294 0 286 1 0 1 1 0 8 0
sessionpl 144 31 0 22 1 0 1 1 0 8 0
pgrppl 48 64 0 47 1 0 1 1 0 8 0
ucredpl 104 1667 0 1654 1 0 1 1 0 8 0
zombiepl 144 1556 0 1554 1 0 1 1 0 8 0
processpl 1232 1602 0 1554 5 0 5 5 0 8 0
procpl 664 3553 0 3496 6 0 6 6 0 8 0
sosppl 176 10 0 10 3 2 1 1 0 8 1
sockpl 752 2817 0 2780 39 25 14 18 0 8 8
mcl64k 65536 18 0 0 3 0 3 3 0 8 0
mcl16k 16384 3 0 0 1 0 1 1 0 8 0
mcl12k 12288 3 0 0 1 0 1 1 0 8 0
mcl8k 8192 3 0 0 1 0 1 1 0 8 0
mcl4k 4096 121 0 0 16 0 16 16 0 8 0
mcl2k2 2112 3 0 0 1 0 1 1 0 8 0
mcl2k 2048 43 0 0 5 0 5 5 0 8 0
mtagpl 96 41 0 0 1 0 1 1 0 8 0
mbufpl 256 252 0 0 16 0 16 16 0 8 0
bufpl 280 8372 0 2236 439 0 439 439 0 8 0
anonpl 32 8251 0 0 67 0 67 67 0 246 0
amapchunkpl 152 45829 0 45325 34 6 28 32 0 158 4
amappl16 200 4404 0 4368 26 14 12 16 0 8 5
amappl15 192 12 0 12 1 1 0 1 0 8 0
amappl14 184 3 0 3 1 1 0 1 0 8 0
amappl13 176 540 0 538 1 0 1 1 0 8 0
amappl12 168 1989 0 1946 3 0 3 3 0 8 0
amappl11 160 19 0 19 1 1 0 1 0 8 0
amappl10 152 53 0 39 1 0 1 1 0 8 0
amappl9 144 256 0 256 1 1 0 1 0 8 0
amappl8 136 125 0 123 1 0 1 1 0 8 0
amappl7 128 126 0 124 1 0 1 1 0 8 0
amappl6 120 336 0 323 1 0 1 1 0 8 0
amappl5 112 103 0 92 1 0 1 1 0 8 0
amappl4 104 469 0 436 1 0 1 1 0 8 0
amappl3 96 7944 0 7848 4 1 3 3 0 8 0
amappl2 88 1714 0 1635 2 0 2 2 0 8 0
amappl1 80 15364 0 14768 18 3 15 15 0 8 0
amappl 88 12639 0 12468 5 0 5 5 0 92 0
uvmvnodes 80 131 0 0 3 0 3 3 0 8 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 7 0 7 2 2 0 1 0 8 0
dma128 128 255 0 255 3 3 0 1 0 8 0
dma64 64 8 0 8 3 3 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 134 0 5 3 0 3 3 0 8 0
uaddrrnd 24 1585 0 1554 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 1585 0 1554 1 0 1 1 0 8 0
vmmpekpl 168 14622 0 14581 3 0 3 3 0 8 0
vmmpepl 168 106840 0 104847 105 9 96 99 0 357 3
vmsppl 488 1584 0 1553 6 1 5 5 0 8 0
rwobjpl 80 29748 0 28549 29 0 29 29 0 8 0
pdppl 4096 3185 0 3111 118 42 76 85 0 8 2
pvpl 32 17298 0 0 139 0 139 139 0 265 0
pmappl 256 1588 0 1554 3 0 3 3 0 8 0
extentpl 40 45 0 27 1 0 1 1 0 8 0
phpool 112 325 0 61 8 0 8 8 0 8 0
ddb{1}> machine ddbcpu 0
Stopped at x86_ipi_db+0x27: addq $0x8,%rsp
x86_ipi_db(ffffffff83867ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
end of kernel
end trace frame: 0x7c55129623c0, count: 12
ddb{0}> trace
x86_ipi_db(ffffffff83867ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
end of kernel
end trace frame: 0x7c55129623c0, count: -3
ddb{0}> machine ddbcpu 1
Stopped at pmap_page_remove+0x45d: xchgq %rax,0(%r14,%rcx,1)
pmap_page_remove(fffffd80085618a8) at pmap_page_remove+0x45d _atomic_swap_64 sys/arch/amd64/compile/SYZKALLER/obj/machine/atomic.h:117 [inline]
pmap_page_remove(fffffd80085618a8) at pmap_page_remove+0x45d sys/arch/amd64/amd64/pmap.c:2014
uvm_anfree_list(fffffd80680f1e28,0) at uvm_anfree_list+0xd6 sys/uvm/uvm_anon.c:112
amap_wipeout(fffffd806cc440c0) at amap_wipeout+0x248 sys/uvm/uvm_amap.c:-1
uvm_unmap_detach(ffff80002a370410,0) at uvm_unmap_detach+0x8a sys/uvm/uvm_map.c:1353
uvm_map_teardown(fffffd806caa5018) at uvm_map_teardown+0x360 sys/uvm/uvm_map.c:2525
exit1(ffff8000313d9ca8,0,0,1) at exit1+0x6fc sys/kern/kern_exit.c:260
sys_exit(ffff8000313d9ca8,ffff80002a3705e0,ffff80002a370530) at sys_exit+0x1a sys/kern/kern_exit.c:-1
syscall(ffff80002a3705e0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80002a3705e0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:765
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7166d260d4b0, count: 6
ddb{1}> trace
pmap_page_remove(fffffd80085618a8) at pmap_page_remove+0x45d _atomic_swap_64 sys/arch/amd64/compile/SYZKALLER/obj/machine/atomic.h:117 [inline]
pmap_page_remove(fffffd80085618a8) at pmap_page_remove+0x45d sys/arch/amd64/amd64/pmap.c:2014
uvm_anfree_list(fffffd80680f1e28,0) at uvm_anfree_list+0xd6 sys/uvm/uvm_anon.c:112
amap_wipeout(fffffd806cc440c0) at amap_wipeout+0x248 sys/uvm/uvm_amap.c:-1
uvm_unmap_detach(ffff80002a370410,0) at uvm_unmap_detach+0x8a sys/uvm/uvm_map.c:1353
uvm_map_teardown(fffffd806caa5018) at uvm_map_teardown+0x360 sys/uvm/uvm_map.c:2525
exit1(ffff8000313d9ca8,0,0,1) at exit1+0x6fc sys/kern/kern_exit.c:260
sys_exit(ffff8000313d9ca8,ffff80002a3705e0,ffff80002a370530) at sys_exit+0x1a sys/kern/kern_exit.c:-1
syscall(ffff80002a3705e0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80002a3705e0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:765
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7166d260d4b0, count: -9