panic: vrele: v_writecount != 0
Stopped at db_enter+0x25: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*189639 31217 0 0x1004 0 0K syz-executor
377106 59262 0 0x2 0x1 1 syz-executor
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff8343b3c3) at panic+0x1e5 sys/kern/subr_prf.c:198
vrele(fffffd80799151e8) at vrele+0x274 sys/kern/vfs_subr.c:832
uvn_detach(fffffd806dddb250) at uvn_detach+0x1b7 sys/uvm/uvm_vnode.c:391
uvm_unmap_detach(ffff80003c491338,0) at uvm_unmap_detach+0x15e sys/uvm/uvm_map.c:1364
uvmspace_exec(ffff80002a2c8cf8,1000,7f7fffffc000) at uvmspace_exec+0x44d sys/uvm/uvm_map.c:3386
sys_execve(ffff80002a2c8cf8,ffff80003c4919d0,ffff80003c491920) at sys_execve+0xacb sys/kern/kern_exec.c:448
syscall(ffff80003c4919d0) at syscall+0xb08 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c4919d0) at syscall+0xb08 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x704bede65f10, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
*cpu0: vrele: v_writecount != 0
ddb{0}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff8343b3c3) at panic+0x1e5 sys/kern/subr_prf.c:198
vrele(fffffd80799151e8) at vrele+0x274 sys/kern/vfs_subr.c:832
uvn_detach(fffffd806dddb250) at uvn_detach+0x1b7 sys/uvm/uvm_vnode.c:391
uvm_unmap_detach(ffff80003c491338,0) at uvm_unmap_detach+0x15e sys/uvm/uvm_map.c:1364
uvmspace_exec(ffff80002a2c8cf8,1000,7f7fffffc000) at uvmspace_exec+0x44d sys/uvm/uvm_map.c:3386
sys_execve(ffff80002a2c8cf8,ffff80003c4919d0,ffff80003c491920) at sys_execve+0xacb sys/kern/kern_exec.c:448
syscall(ffff80003c4919d0) at syscall+0xb08 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c4919d0) at syscall+0xb08 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x704bede65f10, count: -9
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff80003c491180
rbx 0xffffffff83807dcf cpu_info_full_primary+0x2dcf
rdx 0
rcx 0xffff80002a2c8cf8
rax 0xffffffff83806ff0 cpu_info_full_primary+0x1ff0
r8 0x101010101010101
r9 0x8080808080808080
r10 0x6a7662f8e9380e87
r11 0xf4235045a1d5cc15
r12 0xffffffff83807bd0 cpu_info_full_primary+0x2bd0
r13 0
r14 0
r15 0x1
rip 0xffffffff8163c505 db_enter+0x25
cs 0x8
rflags 0x246
rsp 0xffff80003c491170
ss 0x10
db_enter+0x25: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor) tid=189639 pid=31217 tcnt=1 stat=onproc
flags process=1004<INEXEC,SINGLEEXIT> proc=0
runpri=50, usrpri=50, slppri=24, nice=20
wchan=0x0, wmesg=, ps_single=0xffff80002a2c8cf8 scnt=0 ecnt=0
forw=0xffffffffffffffff, list=0xffff80002a2c8f88,0xffffffff838f0860
process=0xffff80003c428020 user=0xffff80003c48c000, vmspace=0xfffffd80799d05c0
estcpu=36, cpticks=2, pctcpu=0.0, user=0, sys=2, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
*31217 189639 10908 0 7 0x1004 syz-executor
5602 422299 8493 0 2 0 syz-executor
5602 455084 8493 0 3 0x4000080 fsleep syz-executor
4550 282514 77953 0 2 0 syz-executor
4550 520126 77953 0 2 0x4000480 syz-executor
86888 442846 59262 0 2 0 syz-executor
86888 450678 59262 0 3 0x4000080 fsleep syz-executor
72964 425281 3175 0 2 0x480 syz-executor
72964 144232 3175 0 3 0x4000080 piperd syz-executor
72964 314596 3175 0 3 0x4000080 kqsel syz-executor
72964 160552 3175 0 3 0x4000080 fsleep syz-executor
57013 283489 81250 0 2 0x480 syz-executor
57013 11296 81250 0 3 0x4000080 netcon syz-executor
57013 515332 81250 0 3 0x4000080 fsleep syz-executor
51818 321392 0 0 3 0x14200 acct acct
99389 488770 0 0 3 0x14200 bored sosplice
65575 429330 10908 0 3 0x82 wait syz-executor
59262 377106 10908 0 7 0x3 syz-executor
77953 418790 10908 0 2 0x482 syz-executor
3175 423753 10908 0 2 0x482 syz-executor
85451 435546 10908 0 2 0x482 syz-executor
8493 134806 10908 0 2 0x482 syz-executor
81250 14532 10908 0 2 0x482 syz-executor
10908 385059 20515 0 3 0x82 kqread syz-executor
20515 307149 94253 0 3 0x10008a sigsusp ksh
94253 177759 67390 0 3 0x98 kqread sshd-session
67390 174659 97477 0 3 0x92 kqread sshd-session
84436 47968 1 0 3 0x100083 ttyin getty
97477 459420 1 0 3 0x88 kqread sshd
14821 368992 97331 74 3 0x1100092 bpf pflogd
97331 462033 1 0 3 0x80 sbwait pflogd
89693 305328 1732 73 3 0x1100090 kqread syslogd
1732 11500 1 0 3 0x100082 sbwait syslogd
38334 357841 1 0 3 0x100080 kqread resolvd
10143 450068 6465 77 3 0x100092 kqread dhcpleased
91456 32570 6465 77 3 0x100092 kqread dhcpleased
6465 204022 1 0 3 0x80 kqread dhcpleased
12299 266542 0 0 3 0x14200 bored smr
14960 411508 0 0 2 0x14200 zerothread
35527 196749 0 0 3 0x14200 aiodoned aiodoned
80250 286522 0 0 3 0x14200 syncer update
36814 1252 0 0 3 0x14200 cleaner cleaner
83048 260492 0 0 3 0x14200 reaper reaper
24368 222306 0 0 3 0x14200 pgdaemon pagedaemon
82684 387796 0 0 3 0x14200 bored viomb
12845 454003 0 0 3 0x40014200 acpi0 acpi0
49591 144536 0 0 3 0x40014200 idle1
71299 495028 0 0 3 0x14200 bored softnet3
20874 233622 0 0 3 0x14200 bored softnet2
81848 418892 0 0 3 0x14200 bored softnet1
44132 359454 0 0 3 0x14200 bored softnet0
53803 132828 0 0 3 0x14200 bored systqmp
52241 520321 0 0 3 0x14200 bored systq
69467 491188 0 0 3 0x14200 tmoslp softclockmp
70899 289776 0 0 3 0x40014200 tmoslp softclock
56958 131695 0 0 3 0x40014200 idle0
1 229462 0 0 3 0x82 wait init
0 0 -1 0 3 0x10010200 scheduler swapper
ddb{0}> show all locks
Process 31217 (syz-executor) thread 0xffff80002a2c8cf8 (189639)
exclusive kernel_lock &kernel_lock r = 1 (0xffffffff839924b8)
#0 witness_lock+0x5bb stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5bb sys/kern/subr_witness.c:1160
#1 syscall+0xae6 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#1 syscall+0xae6 sys/arch/amd64/amd64/trap.c:577
#2 Xsyscall+0x128
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10202 11115K 11648K 166960K 11950 0
pcb 20 12K 12K 166960K 68 0
rtable 197 7K 8K 166960K 405 0
pf 32 17K 25K 166960K 79 0
ifaddr 36 6K 7K 166960K 65 0
ifgroup 49 2K 2K 166960K 93 0
sysctl 3 1K 1K 166960K 3 0
counters 62 36K 36K 166960K 106 0
ioctlops 0 0K 4K 166960K 1533 0
iov 0 0K 28K 166960K 17 0
mount 1 1K 1K 166960K 1 0
log 0 0K 0K 166960K 4 0
vnodes 1430 90K 91K 166960K 1816 0
UFS quota 1 32K 32K 166960K 1 0
UFS mount 5 36K 36K 166960K 5 0
shm 2 1K 5K 166960K 6 0
VM map 2 1K 1K 166960K 2 0
sem 11 0K 0K 166960K 15 0
dirhash 12 2K 2K 166960K 21 0
ACPI 1692 195K 286K 166960K 12470 0
file desc 17 58K 93K 166960K 469 0
sigio 0 0K 0K 166960K 4 0
proc 72 91K 140K 166960K 568 0
subproc 63 3K 4K 166960K 72 0
NFS srvsock 1 0K 0K 166960K 1 0
NFS daemon 1 16K 16K 166960K 1 0
ip_moptions 1 0K 0K 166960K 34 0
in_multi 78 5K 7K 166960K 116 0
ether_multi 2 0K 0K 166960K 4 0
mrt 0 0K 0K 166960K 1 0
ISOFS mount 1 32K 32K 166960K 1 0
MSDOSFS mount 1 16K 16K 166960K 1 0
ttys 109 493K 493K 166960K 109 0
exec 1 0K 1K 166960K 395 0
fusefs mount 1 32K 32K 166960K 1 0
tdb 3 0K 0K 166960K 3 0
VM swap 8 62K 64K 166960K 10 0
UVM amap 237 151K 173K 166960K 5940 0
UVM aobj 11 4K 4K 166960K 12 0
pinsyscall 43 86K 104K 166960K 1592 0
memdesc 1 4K 4K 166960K 1 0
crypto data 1 1K 1K 166960K 1 0
ip6_options 2 0K 0K 166960K 11 0
NDP 11 0K 2K 166960K 41 0
temp 41 8683K 8756K 166960K 12041 0
kqueue 14 22K 30K 166960K 100 0
SYN cache 2 16K 16K 166960K 2 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 26 0 0 1 0 1 1 0 8 0
rtpcb 120 56 0 53 1 0 1 1 0 8 0
rtentry 176 122 0 36 6 0 6 6 0 8 0
unpcb 144 225 0 207 2 0 2 2 0 8 1
syncache 336 3 0 3 1 1 0 1 0 8 0
tcpcb 808 153 0 146 7 0 7 7 0 8 6
arp 128 21 0 7 1 0 1 1 0 8 0
inpcb 384 472 0 457 8 0 8 8 0 8 6
nd6 144 24 0 6 1 0 1 1 0 8 0
pkpcb 40 4 0 4 1 0 1 1 0 8 1
kcovpl 48 8 0 1 1 0 1 1 0 8 0
mppekey 1024 1 0 1 1 0 1 1 0 8 1
ppxss 1192 17 0 16 1 0 1 1 0 8 0
pppxif 1504 2 0 2 1 0 1 1 0 8 1
pffrag 232 3 0 1 1 0 1 1 0 482 0
pffrnode 88 3 0 1 1 0 1 1 0 8 0
pffrent 40 4 0 2 1 0 1 1 0 8 0
pfosfp 40 1428 0 1005 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfstitem 24 31 0 0 1 0 1 1 0 8 0
pfstkey 128 31 0 0 1 0 1 1 0 8 0
pfstate 384 31 0 0 4 0 4 4 0 8 0
pfrule 1344 24 0 18 2 1 1 2 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 483 0 119 29 0 29 29 0 8 2
art_table 32 484 0 119 4 0 4 4 0 8 0
art_node 16 121 0 44 1 0 1 1 0 8 0
semapl 112 12 0 3 1 0 1 1 0 8 0
shmpl 112 9 0 1 1 0 1 1 0 8 0
dirhash 1024 23 0 6 3 0 3 3 0 8 0
dino2pl 256 2199 0 695 95 0 95 95 0 8 0
ffsino 288 2199 0 695 109 0 109 109 0 8 0
nchpl 144 2832 0 1143 64 0 64 64 0 8 0
rtmask 32 6 0 6 1 0 1 1 0 8 1
uvmvnodes 80 2619 0 0 54 0 54 54 0 8 0
vnodes 216 2619 0 0 146 0 146 146 0 8 0
namei 1024 9112 0 9111 2 1 1 2 0 8 0
percpumem 16 68 0 22 1 0 1 1 0 8 0
kstatmem 264 50 0 28 2 0 2 2 0 8 0
scsiplug 72 1 0 1 1 0 1 1 0 8 1
scxspl 216 9125 0 9125 10 2 8 8 1 8 8
plimitpl 152 110 0 94 1 0 1 1 0 8 0
sigapl 424 783 0 732 8 2 6 7 0 8 0
futexpl 64 4876 0 4872 1 0 1 1 0 8 0
knotepl 120 547 0 0 17 0 17 17 0 8 0
kqueuepl 224 149 0 138 1 0 1 1 0 8 0
pipepl 336 134 0 105 3 0 3 3 0 8 0
fdescpl 520 762 0 731 3 0 3 3 0 8 0
filepl 160 3929 0 3715 14 0 14 14 0 8 4
lockfpl 104 105 0 103 1 0 1 1 0 8 0
lockfspl 48 48 0 46 1 0 1 1 0 8 0
sessionpl 144 22 0 13 1 0 1 1 0 8 0
pgrppl 48 35 0 18 1 0 1 1 0 8 0
ucredpl 104 365 0 351 1 0 1 1 0 8 0
zombiepl 144 734 0 732 1 0 1 1 0 8 0
processpl 1192 783 0 732 5 0 5 5 0 8 0
procpl 656 1354 0 1295 7 1 6 6 0 8 0
srpgc 96 5 0 5 1 0 1 1 0 8 1
sosppl 168 1 0 1 1 1 0 1 0 8 0
sockpl 728 763 0 728 10 0 10 10 0 8 5
mcl64k 65536 2 0 0 1 0 1 1 0 8 0
mcl9k 9216 3 0 0 1 0 1 1 0 8 0
mcl8k 8192 3 0 0 1 0 1 1 0 8 0
mcl4k 4096 112 0 0 14 0 14 14 0 8 0
mcl2k 2048 19 0 0 3 0 3 3 0 8 0
mtagpl 96 46 0 0 2 0 2 2 0 8 0
mbufpl 256 215 0 0 14 0 14 14 0 8 0
bufpl 280 4005 0 126 278 0 278 278 0 8 0
anonpl 32 11594 0 0 94 0 94 94 0 246 0
amapchunkpl 152 19095 0 18596 30 0 30 30 0 158 8
amappl16 200 3071 0 3043 30 19 11 27 0 8 7
amappl15 192 10 0 10 2 1 1 1 0 8 1
amappl14 184 115 0 103 1 0 1 1 0 8 0
amappl13 176 10 0 10 1 1 0 1 0 8 0
amappl12 168 1418 0 1388 4 1 3 3 0 8 0
amappl11 160 53 0 38 1 0 1 1 0 8 0
amappl10 152 3 0 3 1 1 0 1 0 8 0
amappl9 144 254 0 253 1 0 1 1 0 8 0
amappl8 136 29 0 26 1 0 1 1 0 8 0
amappl7 128 112 0 99 1 0 1 1 0 8 0
amappl6 120 180 0 177 1 0 1 1 0 8 0
amappl5 112 128 0 118 1 0 1 1 0 8 0
amappl4 104 335 0 313 1 0 1 1 0 8 0
amappl3 96 3526 0 3410 5 1 4 4 0 8 0
amappl2 88 656 0 592 2 0 2 2 0 8 0
amappl1 80 9665 0 9063 15 1 14 15 0 8 0
amappl 88 5169 0 5004 5 0 5 5 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 11 0 1 1 0 1 1 0 8 0
uaddrrnd 24 762 0 731 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 762 0 731 1 0 1 1 0 8 0
vmmpekpl 168 7655 0 7602 3 0 3 3 0 8 0
vmmpepl 168 53971 0 51983 109 0 109 109 0 357 18
vmsppl 480 761 0 731 5 1 4 5 0 8 0
rwobjpl 72 19718 0 16159 68 0 68 68 0 8 1
pdppl 4096 1531 0 1462 101 30 71 85 0 8 2
pvpl 32 18021 0 0 146 0 146 146 0 265 0
pmappl 256 761 0 731 3 0 3 3 0 8 0
extentpl 40 45 0 27 1 0 1 1 0 8 0
phpool 112 391 0 34 11 0 11 11 0 8 0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff8343b3c3) at panic+0x1e5 sys/kern/subr_prf.c:198
vrele(fffffd80799151e8) at vrele+0x274 sys/kern/vfs_subr.c:832
uvn_detach(fffffd806dddb250) at uvn_detach+0x1b7 sys/uvm/uvm_vnode.c:391
uvm_unmap_detach(ffff80003c491338,0) at uvm_unmap_detach+0x15e sys/uvm/uvm_map.c:1364
uvmspace_exec(ffff80002a2c8cf8,1000,7f7fffffc000) at uvmspace_exec+0x44d sys/uvm/uvm_map.c:3386
sys_execve(ffff80002a2c8cf8,ffff80003c4919d0,ffff80003c491920) at sys_execve+0xacb sys/kern/kern_exec.c:448
syscall(ffff80003c4919d0) at syscall+0xb08 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c4919d0) at syscall+0xb08 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x704bede65f10, count: -9
ddb{0}> machine ddbcpu 1
Stopped at x86_ipi_db+0x27: addq $0x8,%rsp
x86_ipi_db(ffff8000299edff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff839922b0) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:113 [inline]
__mp_lock(ffffffff839922b0) at __mp_lock+0x192 sys/kern/kern_lock.c:144
ktrsyscall(ffff80002a282cf0,b,20,ffff80002a3c59d0) at ktrsyscall+0x2b3 ktrwrite sys/kern/kern_ktrace.c:-1 [inline]
ktrsyscall(ffff80002a282cf0,b,20,ffff80002a3c59d0) at ktrsyscall+0x2b3 sys/kern/kern_ktrace.c:183
syscall(ffff80002a3c59d0) at syscall+0x2e6 mi_syscall sys/sys/syscall_mi.h:154 [inline]
syscall(ffff80002a3c59d0) at syscall+0x2e6 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7c4516276f50, count: 8
ddb{1}> trace
x86_ipi_db(ffff8000299edff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff839922b0) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:113 [inline]
__mp_lock(ffffffff839922b0) at __mp_lock+0x192 sys/kern/kern_lock.c:144
ktrsyscall(ffff80002a282cf0,b,20,ffff80002a3c59d0) at ktrsyscall+0x2b3 ktrwrite sys/kern/kern_ktrace.c:-1 [inline]
ktrsyscall(ffff80002a282cf0,b,20,ffff80002a3c59d0) at ktrsyscall+0x2b3 sys/kern/kern_ktrace.c:183
syscall(ffff80002a3c59d0) at syscall+0x2e6 mi_syscall sys/sys/syscall_mi.h:154 [inline]
syscall(ffff80002a3c59d0) at syscall+0x2e6 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7c4516276f50, count: -7