syzbot


panic: pool_p_free: rttmr free list modified: page ADDR; item addr ADDR; offset 0x10=ADDR

Status: upstream: reported on 2025/08/08 06:04
Reported-by: syzbot+8f3c9b0e07d02ecd65ac@syzkaller.appspotmail.com
First crash: 24d, last: 24d

Sample crash report:
panic: pooWlAR_NpI_fNrGe:e :S PL rNOtTt mLr OWEfrReEDe  liOsN tS YmoSdiCfAiLedL:  8pa3 g-2e096 20xf5f803ff2f dEX8IT0 05 eaff
600Stopped at   savectx+0xae:   movl    $0,%gs:0x688
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
 312160  61853      0           0  0x4000000    1  syz-executor
*293351  46508      0           0          0    0  syz-executor
savectx() at savectx+0xae
end of kernel
end trace frame: 0x7638ce0ced40, count: 14
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{0}> 
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
*cpu1: pool_p_free: rttmr free list modified: page 0xfffffd805eff6000; item addr 0xfffffd805eff6ee8; offset 0x10=0x838b61d0
ddb{0}> trace
savectx() at savectx+0xae
end of kernel
end trace frame: 0x7638ce0ced40, count: -1
ddb{0}> show registers
rdi                                0
rsi                                0
rbp               0xffff80002a3ad810
rbx                                0
rdx                                0
rcx               0xffff80003c4554e8
rax                             0x3c
r8                0xffff80002a3ad740
r9                                 0
r10               0xa92d8e19789e53c7
r11                0x58601a94a52865b
r12                                0
r13                                0
r14               0xffff80003c4554e8
r15                                0
rip               0xffffffff819763ee    savectx+0xae
cs                               0x8
rflags                          0x46
rsp               0xffff80002a3ad790
ss                              0x10
savectx+0xae:   movl    $0,%gs:0x688
ddb{0}> show proc
PROC (syz-executor) tid=293351 pid=46508 tcnt=3 stat=onproc
    flags process=0 proc=0
    runpri=84, usrpri=84, slppri=16, nice=20
    wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
    forw=0xffffffffffffffff, list=0xffff800037810d38,0xffff80003c454fc8
    process=0xffff80003c026720 user=0xffff80002a3a8000, vmspace=0xfffffd800ef9f9a8
    estcpu=34, cpticks=3, pctcpu=0.2, user=1, sys=2, intr=0
ddb{0}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 71070  156201  58746      0  2           0                syz-executor
 71070   21030  58746      0  3   0x4000080  fsleep        syz-executor
 38165  112944  89147      0  2           0                syz-executor
 38165  204741  89147      0  3   0x4000080  fsleep        syz-executor
 61853  214342  74611      0  2           0                syz-executor
 61853  127633  74611      0  3   0x4000080  fsleep        syz-executor
 61853  312160  74611      0  7   0x4000000                syz-executor
*46508  293351  58118      0  7           0                syz-executor
 46508  310399  58118      0  3   0x4000080  kqsel         syz-executor
 46508  450021  58118      0  3   0x4000080  fsleep        syz-executor
 95640  257815  12222      0  2           0                syz-executor
 95640  334314  12222      0  3   0x4000080  fsleep        syz-executor
 95640   68110  12222      0  3   0x4000080  fsleep        syz-executor
 58746  210919  69834      0  3        0x82  nanoslp       syz-executor
 26760  326336      0      0  3     0x14280  nfsidl        nfsio
 62194   10732      0      0  3     0x14280  nfsidl        nfsio
 55498  283789  69834      0  3        0x82  nanoslp       syz-executor
 74611  139935  69834      0  3        0x82  nanoslp       syz-executor
 71224  343414      1      0  3    0x100083  ttyopn        getty
 58118  312590  69834      0  3        0x82  nanoslp       syz-executor
  3445  217027      0      0  3     0x14200  bored         sosplice
 10530   61396  69834      0  3        0x82  nanoslp       syz-executor
 89147   94183  69834      0  3        0x82  nanoslp       syz-executor
 43245   66385  69834      0  2         0x2                syz-executor
 12222  362445  69834      0  3        0x82  nanoslp       syz-executor
 69834  484330  27338      0  3        0x82  kqread        syz-executor
 27338  241984  98831      0  3    0x10008a  sigsusp       ksh
 98831  417700  40819      0  3        0x98  kqread        sshd-session
 40819  303065    130      0  3        0x92  kqread        sshd-session
   130   18172      1      0  3        0x88  kqread        sshd
 56933  462680  29681     74  3   0x1100092  bpf           pflogd
 29681   11702      1      0  3        0x80  sbwait        pflogd
 38367  149599  60551     73  3   0x1100090  kqread        syslogd
 60551  263404      1      0  3    0x100082  sbwait        syslogd
 94024  266688      1      0  3    0x100080  kqread        resolvd
 36045  415687  67183     77  3    0x100092  kqread        dhcpleased
 91166  319692  67183     77  3    0x100092  kqread        dhcpleased
 67183  246680      1      0  3        0x80  kqread        dhcpleased
 77687   48205      0      0  3     0x14200  bored         smr
   814  278291      0      0  2     0x14200                zerothread
 99506  473557      0      0  3     0x14200  aiodoned      aiodoned
 94899  486591      0      0  3     0x14200  syncer        update
  1821  378886      0      0  3     0x14200  cleaner       cleaner
 53651  197763      0      0  2     0x14200                reaper
  3058  131629      0      0  3     0x14200  pgdaemon      pagedaemon
 86548   55153      0      0  3     0x14200  bored         viomb
  5565  132016      0      0  3  0x40014200  acpi0         acpi0
 24208  502008      0      0  3  0x40014200                idle1
 98098  369663      0      0  3     0x14200  bored         softnet7
 16588  258881      0      0  3     0x14200  bored         softnet6
 61329  511558      0      0  3     0x14200  bored         softnet5
 61668   17585      0      0  3     0x14200  bored         softnet4
 13769  512312      0      0  3     0x14200  bored         softnet3
 94197  370886      0      0  3     0x14200  bored         softnet2
 98631  366941      0      0  3     0x14200  bored         softnet1
   571  209835      0      0  3     0x14200  bored         softnet0
 45563  150304      0      0  3     0x14200  bored         systqmp
 46060  425545      0      0  3     0x14200  bored         systq
  8499  115290      0      0  3     0x14200  tmoslp        softclockmp
 81510  249252      0      0  3  0x40014200  tmoslp        softclock
 59931  301232      0      0  3  0x40014200                idle0
     1  326378      0      0  3        0x82  wait          init
     0       0     -1      0  3  0x10010200  scheduler     swapper
ddb{0}> show all locks
CPU 0:
exclusive mutex &pmap->pm_mtx r = 0 (0xfffffd806b7b7310)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  mtx_enter_try+0x1ad sys/kern/kern_lock.c:311
#2  mtx_enter+0x62 sys/kern/kern_lock.c:261
#3  pmap_do_remove+0xa9 rcr3 sys/arch/amd64/compile/SYZKALLER/obj/machine/cpufunc.h:139 [inline]
#3  pmap_do_remove+0xa9 pmap_map_ptes sys/arch/amd64/amd64/pmap.c:437 [inline]
#3  pmap_do_remove+0xa9 sys/arch/amd64/amd64/pmap.c:1824
#4  uvm_unmap_kill_entry_withlock+0x269 sys/uvm/uvm_map.c:1863
#5  uvm_map_teardown+0x117 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:-1 [inline]
#5  uvm_map_teardown+0x117 sys/uvm/uvm_map.c:2486
#6  exit1+0x6fc sys/kern/kern_exit.c:260
#7  proc_suspend_check_locked+0x2fd sys/kern/kern_sig.c:2235
#8  userret+0x8c proc_suspend_check sys/kern/kern_sig.c:-1 [inline]
#8  userret+0x8c sys/kern/kern_sig.c:2194
#9  intr_user_exit+0x3c
Process 61853 (syz-executor) thread 0xffff800037810aa0 (312160)
Process 43245 (syz-executor) thread 0xffff8000ffff2fa0 (66385)
ddb{0}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 10246  11054K   12654K 166960K     15204        0
            pcb    17     16K      18K 166960K       996        0
         rtable   212     12K      13K 166960K       705        0
             pf    42     19K   67486K 166960K       378        0
         ifaddr    43      9K      10K 166960K       240        0
        ifgroup    63      2K       3K 166960K       459        0
         sysctl     4      1K       9K 166960K        63        0
       counters    70     37K      38K 166960K       432        0
       ioctlops     0      0K       4K 166960K      1974        0
            iov     0      0K      18K 166960K       223        0
          mount     1      1K       1K 166960K         1        0
            log     0      0K       0K 166960K         4        0
         vnodes  1491     94K      95K 166960K      4084        0
      UFS quota     1     32K      32K 166960K         1        0
      UFS mount     5     36K      36K 166960K         5        0
            shm     2      1K       9K 166960K        38        0
         VM map     2      1K       1K 166960K         2        0
            sem    12      0K       0K 166960K       183        0
        dirhash    12      2K       2K 166960K        75        0
           ACPI  1692    195K     286K 166960K     12470        0
      file desc    16     57K     240K 166960K      2966        0
          sigio     0      0K       0K 166960K        88        0
           proc    72    115K     164K 166960K      1112        0
        subproc    72      4K       4K 166960K       136        0
    NFS srvsock     1      0K       0K 166960K         1        0
     NFS daemon     1     16K      16K 166960K         1        0
    ip_moptions     0      0K       0K 166960K       502        0
       in_multi    84      6K       7K 166960K       338        0
    ether_multi     1      0K       0K 166960K        41        0
            mrt     2      0K       0K 166960K        18        0
    ISOFS mount     1     32K      32K 166960K         1        0
  MSDOSFS mount     1     16K      16K 166960K         1        0
           ttys   253   1129K    1129K 166960K       253        0
           exec     0      0K       1K 166960K      1079        0
   fusefs mount     1     32K      32K 166960K         1        0
     pfkey data     0      0K       0K 166960K         3        0
            tdb     3      0K       0K 166960K         3        0
        VM swap     8     62K      64K 166960K        10        0
       UVM amap   232    161K     180K 166960K     27959        0
       UVM aobj    57      2K       2K 166960K        61        0
     pinsyscall    41     82K     106K 166960K      4251        0
        memdesc     1      4K       4K 166960K         1        0
    crypto data     1      1K       1K 166960K         1        0
    ip6_options     0      0K       0K 166960K       145        0
            NDP    13      0K       2K 166960K       165        0
           temp    83   8652K   29644K 166960K    123677        0
         kqueue    13     20K      31K 166960K       591        0
      SYN cache     2     16K      16K 166960K         2        0
ddb{0}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache    128       26    0        0     1     0     1     1     0     8    0
rtpcb      120      248    0      245     1     0     1     1     0     8    0
rtentry    176      237    0      160     5     0     5     5     0     8    0
unpcb      144     2395    0     2374    23    22     1     6     0     8    0
syncache   336        7    0        7     2     2     0     1     0     8    0
tcpqe       32        3    0        3     2     2     0     1     0     8    0
tcpcb      736     1271    0     1260    26    24     2     8     0     8    0
arp        128       22    0       13     1     0     1     1     0     8    0
inpcb      328     3860    0     3846    33    31     2     8     0     8    0
nd6        144       37    0       21     1     0     1     1     0     8    0
pkpcb       40       85    0       85     6     6     0     1     0     8    0
kcovpl      48       15    0        7     1     0     1     1     0     8    0
ppxss      1192     126    0      126     3     3     0     1     0     8    0
pppxif     1504      26    0       26     6     6     0     1     0     8    0
pfstscr     40        2    0        2     1     1     0     1     0     8    0
pffrag     232       58    0       50     1     0     1     1     0   482    0
pffrnode    88       57    0       49     1     0     1     1     0     8    0
pffrent     40      105    0       97     1     0     1     1     0     8    0
pfosfp      40     1430    0     1005     5     0     5     5     0     8    0
pfosfpen   112     1430    0      714    21     0    21    21     0     8    0
pfanchor   1288       1    0        0     1     0     1     1     0     8    0
pftag       88        1    0        0     1     0     1     1     0     8    0
pfstitem    24      193    0       93     1     0     1     1     0     8    0
pfstkey    128      198    0       99     4     0     4     4     0     8    0
pfstate    384      195    0       96    11     0    11    11     0     8    0
pfrule     1344      35    0       29     2     1     1     2     0     8    0
rttmr      136        6    0        6     2     2     0     1     0     8    0
art_heap8  4096       6    0        1     6     1     5     5     0     8    0
art_heap4  256     1206    0      836    35    10    25    30     0     8    1
art_table   40     1212    0      837     5     0     5     5     0     8    0
art_node    32      233    0      167     1     0     1     1     0     8    0
sysvmsgpl   40       21    0       13     1     0     1     1     0     8    0
semupl     112        1    0        1     1     1     0     1     0     8    0
semapl     112      177    0      167     1     0     1     1     0     8    0
shmpl      112       58    0        4     2     0     2     2     0     8    0
dirhash    1024      60    0       43     3     0     3     3     0     8    0
dino2pl    256     7006    0     5481    96     0    96    96     0     8    0
ffsino     296     7006    0     5481   119     1   118   118     0     8    0
nchpl      144    11053    0     9340    65     0    65    65     0     8    0
rtmask      32       25    0       25     7     6     1     1     0     8    1
uvmvnodes   80     5926    0        0   121     0   121   121     0     8    0
vnodes     216     5926    0        0   330     0   330   330     0     8    0
namei      1024   41275    0    41275     6     5     1     2     0     8    1
percpumem   16      231    0      181     1     0     1     1     0     8    0
kstatmem   264      274    0      244     4     1     3     3     0     8    0
acpiwqpl    32        2    0        2     1     0     1     1     1     8    1
scsiplug    72       18    0       18     5     4     1     1     0     8    1
scxspl     216    79284    0    79284    15    13     2     8     1     8    2
plimitpl   152      917    0      900     1     0     1     1     0     8    0
sigapl     424     3274    0     3218     9     1     8     9     0     8    0
knotepl    120      790    0        0    24     0    24    24     0     8    0
kqueuepl   224     1333    0     1323    18    17     1     5     0     8    0
pipepl     344      685    0      658    19    10     9     9     0     8    6
fdescpl    528     3215    0     3185     3     0     3     3     0     8    0
filepl     160    24401    0    24178    31    13    18    19     0     8    6
lockfpl    104     1504    0     1502     4     2     2     2     0     8    1
lockfspl    48      502    0      500     1     0     1     1     0     8    0
sessionpl  144       33    0       24     1     0     1     1     0     8    0
pgrppl      48      175    0      158     1     0     1     1     0     8    0
ucredpl    104     3939    0     3926     1     0     1     1     0     8    0
zombiepl   144     3466    0     3464     2     1     1     1     0     8    0
processpl  1248    3274    0     3218     6     1     5     6     0     8    0
procpl     664     8073    0     8009     9     2     7     9     0     8    0
sosppl     168       31    0       31     6     5     1     1     0     8    1
sockpl     752     6739    0     6701    73    61    12    24     0     8    7
mcl64k     65536     15    0        0     2     0     2     2     0     8    0
mcl16k     16384      7    0        0     1     0     1     1     0     8    0
mcl12k     12288      2    0        0     1     0     1     1     0     8    0
mcl9k      9216       2    0        0     1     0     1     1     0     8    0
mcl8k      8192       3    0        0     1     0     1     1     0     8    0
mcl4k      4096     123    0        0    15     0    15    15     0     8    0
mcl2k2     2112       1    0        0     1     0     1     1     0     8    0
mcl2k      2048      99    0        0     9     0     9     9     0     8    0
mtagpl      96       98    0        0     3     0     3     3     0     8    0
mbufpl     256      301    0        0    16     0    16    16     0     8    0
bufpl      280    31864    0    25721   440     1   439   440     0     8    0
anonpl      32    14929    0        0   120     0   120   120     0   246    0
amapchunkpl 152   97354    0    96896    52    22    30    33     0   158    6
amappl16   200    11203    0    11164    94    78    16    35     0     8    5
amappl15   192        5    0        5     1     1     0     1     0     8    0
amappl14   184      181    0      168     1     0     1     1     0     8    0
amappl13   176       19    0       19     1     1     0     1     0     8    0
amappl12   168     3993    0     3962     3     1     2     2     0     8    0
amappl11   160       79    0       65     1     0     1     1     0     8    0
amappl10   152       18    0       18     3     3     0     1     0     8    0
amappl9    144      255    0      254     2     1     1     1     0     8    0
amappl8    136       19    0       16     1     0     1     1     0     8    0
amappl7    128      136    0      122     1     0     1     1     0     8    0
amappl6    120      256    0      252     1     0     1     1     0     8    0
amappl5    112      152    0      142     1     0     1     1     0     8    0
amappl4    104      318    0      297     1     0     1     1     0     8    0
amappl3     96    20294    0    20188     5     1     4     4     0     8    0
amappl2     88      859    0      795     2     0     2     2     0     8    0
amappl1     80    20907    0    20309    16     2    14    16     0     8    0
amappl      88    26625    0    26468     5     0     5     5     0    92    0
dma16384   16384      1    0        1     1     0     1     1     0     8    1
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma1024    1024       1    0        0     1     0     1     1     0     8    0
dma512     512        1    0        1     1     1     0     1     0     8    0
dma256     256        7    0        7     2     2     0     1     0     8    0
dma128     128      261    0      261     3     2     1     1     0     8    1
dma64       64        8    0        8     3     3     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       23    0       22     1     0     1     1     0     8    0
aobjpl      72       60    0        4     2     0     2     2     0     8    0
uaddrrnd    24     3215    0     3185     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24     3215    0     3185     1     0     1     1     0     8    0
vmmpekpl   168    25722    0    25664     4     0     4     4     0     8    0
vmmpepl    168   205659    0   203683   139    34   105   119     0   357    0
vmsppl     488     3214    0     3184     5     0     5     5     0     8    0
rwobjpl     80    58538    0    51614   153     2   151   152     0     8    0
pdppl      4096    6438    0     6368   126    54    72    86     0     8    2
pvpl        32    24716    0        0   199     0   199   199     0   265    0
pmappl     256     3214    0     3184     3     0     3     3     0     8    0
extentpl    40       45    0       27     1     0     1     1     0     8    0
phpool     112      353    0      100     8     0     8     8     0     8    0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
savectx() at savectx+0xae
end of kernel
end trace frame: 0x7638ce0ced40, count: -1
ddb{0}> machine ddbcpu 1
Stopped at      x86_ipi_db+0x27:        addq    $0x8,%rsp
x86_ipi_db(ffff8000299edff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
x86_bus_space_io_read_4(b008,0) at x86_bus_space_io_read_4+0x37 sys/arch/amd64/amd64/bus_space.c:666
acpitimer_delay(1) at acpitimer_delay+0x76 acpitimer_read sys/dev/acpi/acpitimer.c:142 [inline]
acpitimer_delay(1) at acpitimer_delay+0x76 sys/dev/acpi/acpitimer.c:120
comcnputc(800,30) at comcnputc+0x29b sys/dev/ic/com.c:1269
cnputc(30) at cnputc+0x67 sys/dev/cons.c:218
db_putchar(30) at db_putchar+0x36d sys/ddb/db_output.c:155
kprintf() at kprintf+0x29a5 sys/kern/subr_prf.c:-1
db_printf(ffffffff83347140) at db_printf+0x9b sys/kern/subr_prf.c:-1
panic(ffffffff83363e2c) at panic+0x103 sys/kern/subr_prf.c:217
pool_p_free(ffffffff839bb320,fffffd805eff6f90) at pool_p_free+0x2d1 sys/kern/subr_pool.c:986
pool_reclaim(ffffffff839bb320) at pool_reclaim+0x2c2 sys/kern/subr_pool.c:1152
pool_reclaim_all() at pool_reclaim_all+0x48 sys/kern/subr_pool.c:-1
end trace frame: 0xffff80003c4b3550, count: 0
ddb{1}> trace
x86_ipi_db(ffff8000299edff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
x86_bus_space_io_read_4(b008,0) at x86_bus_space_io_read_4+0x37 sys/arch/amd64/amd64/bus_space.c:666
acpitimer_delay(1) at acpitimer_delay+0x76 acpitimer_read sys/dev/acpi/acpitimer.c:142 [inline]
acpitimer_delay(1) at acpitimer_delay+0x76 sys/dev/acpi/acpitimer.c:120
comcnputc(800,30) at comcnputc+0x29b sys/dev/ic/com.c:1269
cnputc(30) at cnputc+0x67 sys/dev/cons.c:218
db_putchar(30) at db_putchar+0x36d sys/ddb/db_output.c:155
kprintf() at kprintf+0x29a5 sys/kern/subr_prf.c:-1
db_printf(ffffffff83347140) at db_printf+0x9b sys/kern/subr_prf.c:-1
panic(ffffffff83363e2c) at panic+0x103 sys/kern/subr_prf.c:217
pool_p_free(ffffffff839bb320,fffffd805eff6f90) at pool_p_free+0x2d1 sys/kern/subr_pool.c:986
pool_reclaim(ffffffff839bb320) at pool_reclaim+0x2c2 sys/kern/subr_pool.c:1152
pool_reclaim_all() at pool_reclaim_all+0x48 sys/kern/subr_pool.c:-1
kern_sysctl(ffff80003c4b3574,1,200000000180,ffff80003c4b35a8,200000001180,4,d99cfffc49365172) at kern_sysctl+0x1095 sys/kern/kern_sysctl.c:686
sys_sysctl(ffff800037810aa0,ffff80003c4b36e0,ffff80003c4b3630) at sys_sysctl+0x3e5 sys/kern/kern_sysctl.c:-1
syscall(ffff80003c4b36e0) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c4b36e0) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:748
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x1200d9feb00, count: -18

Crashes (1):
Time: 2025/08/08 06:03
Kernel: openbsd
Commit: ca647cfa4ec3
Syzkaller: 6a893178
Config: .config
Log: console log
Report: report
Syz repro: -
C repro: -
VM info: -
Assets: [disk image] [bsd.gdb] [kernel image]
Manager: ci-openbsd-multicore
Title: panic: pool_p_free: rttmr free list modified: page ADDR; item addr ADDR; offset 0x10=ADDR
* Struck through repros no longer work on HEAD.