panic: vref used where vget required
Stopped at db_enter+0x25: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*236156 66647 0 0 0x4000000 0K syz-executor
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff834b7b00) at panic+0x1e5 sys/kern/subr_prf.c:198
vref(fffffd806adef980) at vref+0x109 sys/kern/vfs_subr.c:708
namei(ffff80003c3e6558) at namei+0x555 sys/kern/vfs_lookup.c:221
dounlinkat(ffff8000fffe82c0,ffffff9c,200000001dc0,8) at dounlinkat+0xc1 sys/kern/vfs_syscalls.c:1887
syscall(ffff80003c3e6730) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c3e6730) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x215aa5bc9c0, count: 8
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
*cpu0: vref used where vget required
ddb{0}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff834b7b00) at panic+0x1e5 sys/kern/subr_prf.c:198
vref(fffffd806adef980) at vref+0x109 sys/kern/vfs_subr.c:708
namei(ffff80003c3e6558) at namei+0x555 sys/kern/vfs_lookup.c:221
dounlinkat(ffff8000fffe82c0,ffffff9c,200000001dc0,8) at dounlinkat+0xc1 sys/kern/vfs_syscalls.c:1887
syscall(ffff80003c3e6730) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c3e6730) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x215aa5bc9c0, count: -7
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff80003c3e63b0
rbx 0xffffffff8393de07 cpu_info_full_primary+0x2e07
rdx 0xffff8000015f5700
rcx 0xffff8000fffe82c0
rax 0xffffffff8393cff0 cpu_info_full_primary+0x1ff0
r8 0x101010101010101
r9 0x8080808080808080
r10 0x2f84db9e71e81501
r11 0x3ff5dc2545823298
r12 0xffffffff8393dc08 cpu_info_full_primary+0x2c08
r13 0
r14 0
r15 0x1
rip 0xffffffff8282b645 db_enter+0x25
cs 0x8
rflags 0x246
rsp 0xffff80003c3e63a0
ss 0x10
db_enter+0x25: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor) tid=236156 pid=66647 tcnt=3 stat=onproc
flags process=0 proc=4000000<THREAD>
runpri=79, usrpri=79, slppri=32, nice=20
wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
forw=0xffffffffffffffff, list=0xffff8000fffe94e8,0xffff8000fffe8d30
process=0xffff8000fffef508 user=0xffff80003c3e1000, vmspace=0xfffffd806acb4410
estcpu=36, cpticks=0, pctcpu=0.0, user=0, sys=0, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
7229 518393 97784 0 2 0 syz-executor
7229 357446 97784 0 3 0x4000080 fsleep syz-executor
4829 477959 48815 0 2 0 syz-executor
4829 38531 48815 0 3 0x4000080 fsleep syz-executor
33507 419558 53984 0 2 0 syz-executor
33507 138641 53984 0 3 0x4000080 fsleep syz-executor
35205 398544 80506 0 2 0 syz-executor
35205 299449 80506 0 3 0x4000080 fsleep syz-executor
35205 477445 80506 0 3 0x4000080 fsleep syz-executor
53268 71390 90323 0 3 0x80 nanoslp syz-executor
53268 219130 90323 0 3 0x4000000 smrbar syz-executor
53268 417088 90323 0 3 0x4000080 fsleep syz-executor
53268 357649 90323 0 3 0x4000080 fsleep syz-executor
75482 373445 3788 0 2 0 syz-executor
75482 458146 3788 0 3 0x4000080 fsleep syz-executor
66647 497958 24460 0 2 0 syz-executor
*66647 236156 24460 0 7 0x4000000 syz-executor
66647 186490 24460 0 3 0x4000080 fsleep syz-executor
58131 377736 87888 0 2 0 syz-executor
58131 194027 87888 0 3 0x4000080 fsleep syz-executor
58131 94587 87888 0 3 0x4000080 fsleep syz-executor
58131 174625 87888 0 3 0x4000080 fsleep syz-executor
62380 523391 0 0 3 0x14200 acct acct
87888 29490 12328 0 3 0x82 nanoslp syz-executor
90323 522739 12328 0 3 0x82 nanoslp syz-executor
24460 462491 12328 0 3 0x82 nanoslp syz-executor
48815 325697 12328 0 3 0x82 nanoslp syz-executor
80506 289344 12328 0 3 0x82 nanoslp syz-executor
3788 330874 12328 0 3 0x82 nanoslp syz-executor
53984 375704 12328 0 3 0x82 nanoslp syz-executor
97784 312298 12328 0 3 0x82 nanoslp syz-executor
12328 409343 26573 0 3 0x82 kqread syz-executor
26573 35439 79106 0 3 0x10008a sigsusp ksh
79106 173165 26659 0 3 0x98 kqread sshd-session
26659 233041 4555 0 3 0x92 kqread sshd-session
32632 381608 1 0 3 0x100083 ttyopn getty
4555 521141 1 0 3 0x88 kqread sshd
57752 52629 89711 74 3 0x1100092 bpf pflogd
89711 70449 1 0 3 0x80 sbwait pflogd
29046 442660 79730 73 3 0x1100090 kqread syslogd
79730 385797 1 0 3 0x100082 sbwait syslogd
15973 234002 1 0 3 0x100080 kqread resolvd
78960 265588 76647 77 3 0x100092 kqread dhcpleased
55395 73572 76647 77 3 0x100092 kqread dhcpleased
76647 150138 1 0 3 0x80 kqread dhcpleased
95184 76105 0 0 3 0x14200 bored smr
79590 438432 0 0 2 0x14200 zerothread
77756 410444 0 0 3 0x14200 aiodoned aiodoned
5140 150601 0 0 3 0x14200 syncer update
12539 271694 0 0 3 0x14200 cleaner cleaner
36201 501209 0 0 3 0x14200 reaper reaper
68393 184497 0 0 3 0x14200 pgdaemon pagedaemon
82351 80775 0 0 3 0x14200 bored viomb
43664 449001 0 0 3 0x40014200 acpi0 acpi0
70499 141306 0 0 7 0x40014200 idle1
2347 401751 0 0 3 0x14200 bored softnet1
81542 95963 0 0 3 0x14200 bored softnet0
36107 395332 0 0 3 0x14200 smrbar systqmp
91973 391716 0 0 3 0x14200 bored systq
18354 60544 0 0 3 0x14200 tmoslp softclockmp
94913 492050 0 0 3 0x40014200 tmoslp softclock
94629 365371 0 0 3 0x40014200 idle0
1 8687 0 0 3 0x82 wait init
0 0 -1 0 3 0x10010200 scheduler swapper
ddb{0}> show all locks
Process 66647 (syz-executor) thread 0xffff8000fffe82c0 (236156)
Process 36107 (systqmp) thread 0xffff8000ffffe298 (395332)
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 11080 12109K 12392K 166960K 13354 0
pcb 20 16K 17K 166960K 268 0
rtable 246 10K 10K 166960K 519 0
pf 36 17K 81K 166960K 156 0
ifaddr 44 8K 8K 166960K 96 0
ifgroup 57 2K 2K 166960K 149 0
sysctl 4 1K 9K 166960K 13 0
counters 76 37K 37K 166960K 180 0
ioctlops 0 0K 8K 166960K 1747 0
iov 0 0K 16K 166960K 82 0
mount 1 1K 1K 166960K 1 0
log 0 0K 0K 166960K 4 0
vnodes 1511 95K 96K 166960K 2394 0
UFS quota 1 32K 32K 166960K 1 0
UFS mount 5 36K 36K 166960K 5 0
shm 2 1K 5K 166960K 14 0
VM map 2 1K 1K 166960K 2 0
sem 12 0K 0K 166960K 36 0
dirhash 12 2K 2K 166960K 39 0
ACPI 1692 195K 286K 166960K 12470 0
file desc 18 65K 93K 166960K 1070 0
sigio 0 0K 0K 166960K 6 0
proc 78 131K 164K 166960K 694 0
subproc 72 4K 4K 166960K 90 0
NFS srvsock 1 0K 0K 166960K 1 0
NFS daemon 1 16K 16K 166960K 1 0
ip_moptions 0 0K 0K 166960K 112 0
in_multi 99 7K 7K 166960K 148 0
ether_multi 1 0K 0K 166960K 9 0
mrt 1 0K 0K 166960K 28 0
ISOFS mount 1 32K 32K 166960K 1 0
MSDOSFS mount 1 16K 16K 166960K 1 0
ttys 127 572K 572K 166960K 127 0
exec 0 0K 1K 166960K 566 0
fusefs mount 1 32K 32K 166960K 1 0
pfkey data 0 0K 0K 166960K 1 0
tdb 3 0K 0K 166960K 3 0
VM swap 8 62K 64K 166960K 10 0
UVM amap 248 159K 180K 166960K 11821 0
UVM aobj 27 14K 14K 166960K 28 0
pinsyscall 43 86K 104K 166960K 2349 0
memdesc 1 4K 4K 166960K 1 0
crypto data 1 1K 1K 166960K 1 0
ip6_options 0 0K 1K 166960K 86 0
NDP 13 0K 1K 166960K 71 0
temp 77 9088K 9331K 166960K 54647 0
kqueue 15 24K 34K 166960K 211 0
SYN cache 2 16K 16K 166960K 2 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 26 0 0 1 0 1 1 0 8 0
rtpcb 120 128 0 125 2 1 1 2 0 8 0
rtentry 176 153 0 50 6 0 6 6 0 8 0
unpcb 144 835 0 817 12 9 3 4 0 8 2
syncache 336 12 0 12 5 4 1 1 0 8 1
tcpqe 32 3 0 3 2 1 1 1 0 8 1
tcpcb 736 280 0 274 4 3 1 4 0 8 0
arp 136 26 0 7 1 0 1 1 0 8 0
inpcb 328 1303 0 1289 30 23 7 9 0 8 5
nd6 152 34 0 6 2 0 2 2 0 8 0
pkpcb 40 11 0 11 4 3 1 1 0 8 1
kcovpl 48 10 0 2 1 0 1 1 0 8 0
ppxss 1192 48 0 45 3 2 1 1 0 8 0
pffrag 232 11 0 5 1 0 1 1 0 482 0
pffrnode 88 9 0 3 1 0 1 1 0 8 0
pffrent 40 17 0 11 1 0 1 1 0 8 0
pfosfp 40 1428 0 1005 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfrktable 1344 7 0 7 1 1 0 1 0 8 0
pfanchor 1288 1 0 1 1 1 0 1 0 8 0
pftag 88 1 0 1 1 1 0 1 0 8 0
pfstitem 24 63 0 25 1 0 1 1 0 8 0
pfstkey 128 63 0 25 2 0 2 2 0 8 0
pfstate 448 63 0 25 5 0 5 5 0 8 0
pfrule 1360 25 0 20 2 1 1 2 0 8 0
rttmr 136 2 0 2 2 2 0 1 0 8 0
art_heap8 4096 2 0 0 2 0 2 2 0 8 0
art_heap4 256 648 0 219 35 8 27 29 0 8 0
art_table 40 650 0 219 5 0 5 5 0 8 0
art_node 32 152 0 59 1 0 1 1 0 8 0
sysvmsgpl 40 3 0 1 1 0 1 1 0 8 0
semapl 112 33 0 23 1 0 1 1 0 8 0
shmpl 112 18 0 0 1 0 1 1 0 8 0
dirhash 1024 36 0 19 3 0 3 3 0 8 0
dino2pl 256 3395 0 1932 93 0 93 93 0 8 0
ffsino 296 3395 0 1932 114 0 114 114 0 8 0
nchpl 144 4912 0 3202 64 0 64 64 0 8 0
rtmask 32 10 0 10 3 3 0 1 0 8 0
vnodes 216 4130 0 0 230 0 230 230 0 8 0
vnodes: pool(0xffffffff83a6e570:vnodes): page inconsistency: page 0x0; at page head addr 0xfffffd806adeff90 (p 0xfffffd806adef000)
namei 1024 16309 0 16308 2 1 1 2 0 8 0
percpumem 16 105 0 52 1 0 1 1 0 8 0
vcpupl 3968 7 0 1 1 0 1 1 0 8 0
vmpool 848 7 0 1 1 0 1 1 0 8 0
pfiaddrpl 120 2 0 2 1 1 0 1 0 8 0
kstatmem 264 102 0 74 5 3 2 3 0 8 0
acpiwqpl 32 1 0 1 1 0 1 1 1 8 1
scsiplug 72 8 0 8 3 2 1 1 0 8 1
scxspl 216 19761 0 19761 13 11 2 8 1 8 2
plimitpl 152 247 0 227 1 0 1 1 0 8 0
sigapl 424 1419 0 1370 8 2 6 8 0 8 0
knotepl 120 494 0 0 15 0 15 15 0 8 0
kqueuepl 224 387 0 374 4 1 3 3 0 8 2
pipepl 344 217 0 190 3 0 3 3 0 8 0
fdescpl 528 1380 0 1348 3 0 3 3 0 8 0
filepl 160 8672 0 8449 28 13 15 18 0 8 4
lockfpl 104 618 0 616 3 2 1 3 0 8 0
lockfspl 48 282 0 280 2 1 1 2 0 8 0
sessionpl 144 33 0 24 1 0 1 1 0 8 0
pgrppl 48 52 0 35 1 0 1 1 0 8 0
ucredpl 104 1252 0 1239 1 0 1 1 0 8 0
zombiepl 144 1779 0 1779 1 0 1 1 0 8 1
processpl 1232 1419 0 1370 6 2 4 6 0 8 0
procpl 664 2989 0 2926 7 1 6 7 0 8 0
sosppl 176 9 0 9 3 3 0 1 0 8 0
sockpl 752 2311 0 2276 34 23 11 13 0 8 6
mcl64k 65536 6 0 0 1 0 1 1 0 8 0
mcl16k 16384 1 0 0 1 0 1 1 0 8 0
mcl12k 12288 1 0 0 1 0 1 1 0 8 0
mcl9k 9216 1 0 0 1 0 1 1 0 8 0
mcl8k 8192 2 0 0 1 0 1 1 0 8 0
mcl4k 4096 130 0 0 16 0 16 16 0 8 0
mcl2k 2048 42 0 0 5 0 5 5 0 8 0
mtagpl 96 12 0 0 1 0 1 1 0 8 0
mbufpl 256 208 0 0 13 0 13 13 0 8 0
bufpl 280 6615 0 485 439 0 439 439 0 8 0
anonpl 32 10384 0 0 84 0 84 84 0 246 0
amapchunkpl 152 39644 0 39117 59 25 34 34 0 158 11
amappl16 200 4138 0 4100 35 30 5 18 0 8 1
amappl15 192 6 0 6 1 1 0 1 0 8 0
amappl14 184 453 0 452 1 0 1 1 0 8 0
amappl13 176 152 0 140 1 0 1 1 0 8 0
amappl12 168 1650 0 1619 2 0 2 2 0 8 0
amappl11 160 5 0 5 1 1 0 1 0 8 0
amappl10 152 66 0 52 1 0 1 1 0 8 0
amappl9 144 310 0 310 1 1 0 1 0 8 0
amappl8 136 114 0 112 1 0 1 1 0 8 0
amappl7 128 169 0 156 1 0 1 1 0 8 0
amappl6 120 176 0 171 1 0 1 1 0 8 0
amappl5 112 117 0 106 1 0 1 1 0 8 0
amappl4 104 337 0 316 1 0 1 1 0 8 0
amappl3 96 6901 0 6795 3 0 3 3 0 8 0
amappl2 88 1612 0 1532 3 0 3 3 0 8 0
amappl1 80 17589 0 16980 26 9 17 17 0 8 3
amappl 88 10817 0 10641 6 1 5 5 0 92 0
uvmvnodes 80 140 0 0 3 0 3 3 0 8 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 7 0 7 2 2 0 1 0 8 0
dma128 128 255 0 255 3 2 1 1 0 8 1
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 8 0 8 2 1 1 1 0 8 1
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 27 0 1 1 0 1 1 0 8 0
uaddrrnd 24 1380 0 1348 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 1380 0 1348 1 0 1 1 0 8 0
vmmpekpl 168 13887 0 13840 3 0 3 3 0 8 0
vmmpepl 168 100015 0 98016 133 33 100 108 0 357 3
vmsppl 488 1379 0 1348 9 4 5 5 0 8 0
rwobjpl 80 30290 0 29162 35 7 28 31 0 8 0
pdppl 4096 2781 0 2704 145 65 80 85 0 8 3
pvpl 32 18632 0 0 150 0 150 150 0 265 0
pmappl 256 1386 0 1349 3 0 3 3 0 8 0
extentpl 40 45 0 27 1 0 1 1 0 8 0
phpool 112 340 0 85 8 0 8 8 0 8 0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff834b7b00) at panic+0x1e5 sys/kern/subr_prf.c:198
vref(fffffd806adef980) at vref+0x109 sys/kern/vfs_subr.c:708
namei(ffff80003c3e6558) at namei+0x555 sys/kern/vfs_lookup.c:221
dounlinkat(ffff8000fffe82c0,ffffff9c,200000001dc0,8) at dounlinkat+0xc1 sys/kern/vfs_syscalls.c:1887
syscall(ffff80003c3e6730) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c3e6730) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x215aa5bc9c0, count: -7
ddb{0}> machine ddbcpu 1
Stopped at x86_ipi_db+0x27: addq $0x8,%rsp
x86_ipi_db(ffff8000299bdff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
acpicpu_idle() at acpicpu_idle+0x457 sys/dev/acpi/acpicpu_x86.c:1224
sched_idle(ffff8000299bdff0) at sched_idle+0x391 sys/kern/kern_sched.c:191
end trace frame: 0x0, count: 10
ddb{1}> trace
x86_ipi_db(ffff8000299bdff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
acpicpu_idle() at acpicpu_idle+0x457 sys/dev/acpi/acpicpu_x86.c:1224
sched_idle(ffff8000299bdff0) at sched_idle+0x391 sys/kern/kern_sched.c:191
end trace frame: 0x0, count: -5