syzbot


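panic: apcaquniirci: ng bkloerckneabll de i a g n o st ic a s s er ti o n " ! _ ke r n e l_ l oc k _ h sel
(This title is console output from two panics interleaved character by character. The `show panic` output in the sample report lists them separately: cpu0 failed the kernel diagnostic assertion "!_kernel_lock_held()" in uvm_map.c, and cpu1 reported "acquiring blockable sleep lock with spinlock or critical section held (kernel_lock)". The cpu1 trace, rip6_input() -> sorwakeup() -> selwakeup() -> __mp_lock() with &table->inpt_mtx held, is the path the fix commit describes.)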

Status: fixed on 2022/03/24 08:53
Reported-by: syzbot+0af0c842c817ae90d782@syzkaller.appspotmail.com
Fix commit: 2be5be2c1f9e
For raw IPv6 packets, rip6_input() loops over all PCBs. Inside that loop it calls sbappendaddr() while holding the raw6 table mutex. This ends in sorwakeup(), where the kernel lock is finally grabbed while the mutex is still held. Witness detects this misuse. Use the same solution as for PCB notify: collect the affected PCBs in a temporary list. The list is protected by the exclusive net lock.
Reported-by: syzbot+5b2679ee9be0895d26f9@syzkaller.appspotmail.com
OK claudio@
First crash: 249d, last: 249d

Sample crash report:
panic: apcaquniirci: ng    bkloerckneabll de i a g n o st  ic   a s s er  ti o  n  " !  _ ke r  n e l_  l oc k  _  h selleedp( )"    f a i l ed  :  f i l  e  "  / s y z k a llolcekr / wmaitnha g e r s / m u l t ic o  r e/ k e r n e l  / s y s  /supvmin/ulvocm_k  mora p. c c"r,i t liicnael 2 7 3 s4e
ctStopped at     db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
 226463  10548      0           0  0x4000000    1  syz-executor.3
*173119  55646      0     0x14000      0x200    0  reaper
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff8258c085) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff8260257e,ffffffff8260f998,aae,ffffffff825bfe73) at __assert+0x25 sys/kern/subr_prf.c:161
uvm_map_teardown(fffffd8074d19180) at uvm_map_teardown+0x2e8 sys/uvm/uvm_map.c:2736
uvmspace_free(fffffd8074d19180) at uvmspace_free+0xa6 sys/uvm/uvm_map.c:3685
reaper(ffff8000210f9a40) at reaper+0x18b sys/kern/kern_exit.c:457
end trace frame: 0x0, count: 9
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{0}> 
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
 cpu0: kernel diagnostic assertion "!_kernel_lock_held()" failed: file "/syzkaller/managers/multicore/kernel/sys/uvm/uvm_map.c", line 2734
*cpu1: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff8258c085) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff8260257e,ffffffff8260f998,aae,ffffffff825bfe73) at __assert+0x25 sys/kern/subr_prf.c:161
uvm_map_teardown(fffffd8074d19180) at uvm_map_teardown+0x2e8 sys/uvm/uvm_map.c:2736
uvmspace_free(fffffd8074d19180) at uvmspace_free+0xa6 sys/uvm/uvm_map.c:3685
reaper(ffff8000210f9a40) at reaper+0x18b sys/kern/kern_exit.c:457
end trace frame: 0x0, count: -6
ddb{0}> show registers
rdi                                0
rsi                              0x1
rbp               0xffff800021135a90
rbx               0xffffffff82987bff    cpu_info_full_primary+0x2bff
rdx                                0
rcx                                0
rax               0xffff8000210f9a40
r8                 0x101010101010101
r9                0x8080808080808080
r10               0x50489d8f0dadfbfe
r11               0xddaa8058119fae66
r12               0xffffffff82987a00    cpu_info_full_primary+0x2a00
r13                                0
r14               0xffff800020ce9a00
r15                              0x1
rip               0xffffffff815a2d98    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff800021135a80
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb{0}> show proc
PROC (reaper) pid=173119 stat=onproc
    flags process=14000<NOZOMBIE,SYSTEM> proc=200<SYSTEM>
    pri=4, usrpri=52, nice=20
    forw=0xffffffffffffffff, list=0xffff8000210f97a0,0xffff8000210f9cf0
    process=0xffff8000ffffe990 user=0xffff800021130000, vmspace=0xffffffff82b84d18
    estcpu=2, cpticks=8, pctcpu=1.4
    user=0, sys=2, intr=0
ddb{0}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 10548  360236  53290      0  2           0                syz-executor.3
 10548  226463  53290      0  7   0x4000000                syz-executor.3
 10548  192647  53290      0  3   0x4000080  fsleep        syz-executor.3
 10548  158292  53290      0  3   0x4000080  fsleep        syz-executor.3
 62193  334328  79494      0  2           0                syz-executor.6
 62193  187119  79494      0  3   0x4000080  fifor         syz-executor.6
 62193  330293  79494      0  2   0x4000000                syz-executor.6
 95895  399648  39558      0  2           0                syz-executor.5
 95895  238432  39558      0  2   0x4000000                syz-executor.5
 56712   49633   8536      0  3         0x2  biowait       syz-executor.0
 23730  510316      0      0  3     0x14280  nfsidl        nfsio
 80397  492585      0      0  3     0x14280  nfsidl        nfsio
 86741  518958      0      0  3     0x14280  nfsidl        nfsio
 59535   43383      0      0  3     0x14280  nfsidl        nfsio
 34480  521584      0      0  3     0x14280  nfsidl        nfsio
 66298  212493      0      0  3     0x14280  nfsidl        nfsio
 48408  419189      0      0  3     0x14280  nfsidl        nfsio
 88876  188785      0      0  3     0x14280  nfsidl        nfsio
 48248  184093      0      0  3     0x14280  nfsidl        nfsio
 37626   35516      0      0  3     0x14280  nfsidl        nfsio
 85622  171836      0      0  3     0x14280  nfsidl        nfsio
 90391  380100      0      0  3     0x14280  nfsidl        nfsio
 24965  457189      0      0  3     0x14280  nfsidl        nfsio
 54499  127302      0      0  3     0x14280  nfsidl        nfsio
 44428  464954      0      0  3     0x14280  nfsidl        nfsio
 99375  366040      0      0  3     0x14280  nfsidl        nfsio
 56619   92809      0      0  3     0x14280  nfsidl        nfsio
 16485   12409      0      0  3     0x14280  nfsidl        nfsio
 39409   62565      0      0  3     0x14280  nfsidl        nfsio
 77750  257881      0      0  3     0x14280  nfsidl        nfsio
 37306  458273      0      0  3     0x14200  bored         sosplice
 40856  148381   8536      0  3        0x82  nanoslp       syz-executor.4
 40078  433500   8536      0  3        0x82  nanoslp       syz-executor.7
 79494  503248   8536      0  3        0x82  nanoslp       syz-executor.6
 39558  356931   8536      0  3        0x82  nanoslp       syz-executor.5
 53290  479903   8536      0  3        0x82  nanoslp       syz-executor.3
 21721  395678   8536      0  2         0x2                syz-executor.2
 60006  237829   8536      0  3         0x2  biowait       syz-executor.1
  8536  385010  11535      0  3        0x82  kqread        syz-fuzzer
  8536   42018  11535      0  3   0x4000082  nanoslp       syz-fuzzer
  8536  179699  11535      0  3   0x4000082  thrsleep      syz-fuzzer
  8536  202005  11535      0  3   0x4000082  nanoslp       syz-fuzzer
  8536  232611  11535      0  3   0x4000082  thrsleep      syz-fuzzer
  8536   27327  11535      0  3   0x4000082  thrsleep      syz-fuzzer
  8536  269504  11535      0  3   0x4000082  thrsleep      syz-fuzzer
  8536  453735  11535      0  3   0x4000082  thrsleep      syz-fuzzer
 11535  129647  41149      0  3    0x10008a  sigsusp       ksh
 41149  375089  85383      0  3        0x9a  kqread        sshd
 94951   54517      1      0  3    0x100083  ttyin         getty
 85383  388313      1      0  3        0x88  kqread        sshd
 97654  389897  46044     74  3   0x1100092  bpf           pflogd
 46044  283592      1      0  3        0x80  netio         pflogd
 10641  371060  84729     73  3   0x1100090  kqread        syslogd
 84729  436642      1      0  3    0x100082  netio         syslogd
 47658  160742      1      0  3    0x100080  kqread        resolvd
 20447  363968  61636     77  3    0x100092  kqread        dhcpleased
 74071  387193  61636     77  3    0x100092  kqread        dhcpleased
 61636  396776      1      0  3        0x80  kqread        dhcpleased
 64536  269590      0      0  3     0x14200  bored         smr
 82297   67166      0      0  2     0x14200                zerothread
 46379  466242      0      0  3     0x14200  aiodoned      aiodoned
 87629  505425      0      0  3     0x14200  syncer        update
 78281  148023      0      0  3     0x14200  cleaner       cleaner
*55646  173119      0      0  7     0x14200                reaper
 28338  329234      0      0  3     0x14200  pgdaemon      pagedaemon
 71306  504678      0      0  3     0x14200  bored         viomb
 44226   14532      0      0  3  0x40014200  acpi0         acpi0
 16731  222632      0      0  3  0x40014200                idle1
 23323  113970      0      0  3     0x14200  bored         softnet
  3298  165129      0      0  3     0x14200  bored         systqmp
 19661  373833      0      0  3     0x14200  bored         systq
 90228   36921      0      0  3  0x40014200  bored         softclock
 77541   51662      0      0  3  0x40014200                idle0
     1  118321      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{0}> show all locks
CPU 0:
exclusive mutex &uvm.fpageqlock r = 0 (0xffffffff82b87938)
#0  witness_lock+0x44d
#1  mtx_enter_try+0x100
#2  mtx_enter+0x4b sys/kern/kern_lock.c:266
#3  uvm_pmr_freepageq+0xcc sys/uvm/uvm_pmemrange.c:1333
#4  amap_wipeout+0x1ff sys/uvm/uvm_amap.c:523
#5  uvm_unmap_detach+0x7d sys/uvm/uvm_map.c:1599
#6  uvm_map_teardown+0x262 sys/uvm/uvm_map.c:2789
#7  uvmspace_free+0xa6 sys/uvm/uvm_map.c:3685
#8  reaper+0x18b sys/kern/kern_exit.c:457
#9  proc_trampoline+0x1c
CPU 1:
exclusive mutex &table->inpt_mtx r = 0 (0xffffffff82a21700)
#0  witness_lock+0x44d
#1  mtx_enter_try+0x100
#2  mtx_enter+0x4b sys/kern/kern_lock.c:266
#3  rip6_input+0x28f
#4  icmp6_input+0x8e8 sys/netinet6/icmp6.c:762
#5  ip_deliver+0x322 sys/netinet/ip_input.c:657
#6  ip6_input_if+0x920
#7  ipv6_input+0x48 sys/netinet6/ip6_input.c:169
#8  if_input_local+0x136 sys/net/if.c:778
#9  ip6_output+0xf57
#10 rip6_output+0x4ad sys/netinet6/raw_ip6.c:490
#11 rip6_usrreq+0x5d3 sys/netinet6/raw_ip6.c:679
#12 sosend+0x632 sys/kern/uipc_socket.c:582
#13 dofilewritev+0x19c sys/kern/sys_generic.c:381
#14 sys_write+0x83 sys/kern/sys_generic.c:301
#15 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#15 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#16 Xsyscall+0x128
Process 10548 (syz-executor.3) thread 0xffff8000ffff5260 (226463)
exclusive rwlock netlock r = 0 (0xffffffff829bbd70)
#0  witness_lock+0x44d
#1  solock+0x86 sys/kern/uipc_socket2.c:295
#2  sosend+0x517 sys/kern/uipc_socket.c:570
#3  dofilewritev+0x19c sys/kern/sys_generic.c:381
#4  sys_write+0x83 sys/kern/sys_generic.c:301
#5  syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#5  syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#6  Xsyscall+0x128
Process 56712 (syz-executor.0) thread 0xffff8000246b5cf0 (49633)
exclusive rrwlock inode r = 0 (0xfffffd806654c1b8)
#0  witness_lock+0x44d
#1  rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2  rrw_enter+0x8b sys/kern/kern_rwlock.c:461
#3  VOP_LOCK+0x87 sys/kern/vfs_vops.c:534
#4  ufs_ihashins+0x42 sys/ufs/ufs/ufs_ihash.c:140
#5  ffs_vget+0x141 sys/ufs/ffs/ffs_vfsops.c:1347
#6  ffs_inode_alloc+0x1be sys/ufs/ffs/ffs_alloc.c:394
#7  ufs_mkdir+0xf4 sys/ufs/ufs/ufs_vnops.c:1162
#8  VOP_MKDIR+0xbf sys/kern/vfs_vops.c:404
#9  domkdirat+0x121 sys/kern/vfs_syscalls.c:3101
#10 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#10 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#11 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd8067c513c8)
#0  witness_lock+0x44d
#1  rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2  rrw_enter+0x8b sys/kern/kern_rwlock.c:461
#3  VOP_LOCK+0x87 sys/kern/vfs_vops.c:534
#4  vn_lock+0x84 sys/kern/vfs_vnops.c:579
#5  vfs_lookup+0xd1 sys/kern/vfs_lookup.c:413
#6  namei+0x36a sys/kern/vfs_lookup.c:245
#7  domkdirat+0x75 sys/kern/vfs_syscalls.c:3086
#8  syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#8  syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#9  Xsyscall+0x128
Process 60006 (syz-executor.1) thread 0xffff8000ffff4fc0 (237829)
exclusive rrwlock inode r = 0 (0xfffffd806654ca38)
#0  witness_lock+0x44d
#1  rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2  rrw_enter+0x8b sys/kern/kern_rwlock.c:461
#3  VOP_LOCK+0x87 sys/kern/vfs_vops.c:534
#4  vn_lock+0x84 sys/kern/vfs_vnops.c:579
#5  vget+0x1d3 sys/kern/vfs_subr.c:677
#6  ufs_ihashget+0x121 sys/ufs/ufs/ufs_ihash.c:119
#7  ffs_vget+0x7c sys/ufs/ffs/ffs_vfsops.c:1318
#8  ufs_lookup+0x13ba sys/ufs/ufs/ufs_lookup.c:487
#9  VOP_LOOKUP+0x58 sys/kern/vfs_vops.c:85
#10 vfs_lookup+0x6e5 sys/kern/vfs_lookup.c:561
#11 namei+0x36a sys/kern/vfs_lookup.c:245
#12 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1850
#13 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#13 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#14 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd806d452a38)
#0  witness_lock+0x44d
#1  rw_enter+0x3e1 sys/kern/kern_rwlock.c:310
#2  rrw_enter+0x8b sys/kern/kern_rwlock.c:461
#3  VOP_LOCK+0x87 sys/kern/vfs_vops.c:534
#4  vn_lock+0x84 sys/kern/vfs_vnops.c:579
#5  vfs_lookup+0xd1 sys/kern/vfs_lookup.c:413
#6  namei+0x36a sys/kern/vfs_lookup.c:245
#7  dounlinkat+0x99 sys/kern/vfs_syscalls.c:1850
#8  syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#8  syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#9  Xsyscall+0x128
Process 55646 (reaper) thread 0xffff8000210f9a40 (173119)
uvm_fault(0xffffffff82b84d18, 0x1, 0, 1) -> e
kernel: page fault trap, code=0
Faulted in DDB; continuing...
ddb{0}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 10183   6482K    6677K  78643K     11576        0
            pcb    79     12K      12K  78643K       206        0
         rtable   245      8K       8K  78643K       429        0
         ifaddr    87     18K      18K  78643K       124        0
       counters    56     35K      35K  78643K        68        0
       ioctlops     0      0K       4K  78643K      1501        0
            iov     0      0K       0K  78643K         4        0
          mount     1      1K       1K  78643K         1        0
            log     0      0K       0K  78643K         5        0
         vnodes  1337     83K      84K  78643K      1489        0
      UFS quota     1     32K      32K  78643K         1        0
      UFS mount     5     36K      36K  78643K         5        0
            shm     2      1K       5K  78643K         7        0
         VM map     2      1K       1K  78643K         2        0
            sem    12      0K       0K  78643K        27        0
        dirhash    12      2K       2K  78643K        12        0
           ACPI  1697    195K     286K  78643K     12548        0
      file desc    13     45K      82K  78643K       451        0
          sigio     0      0K       0K  78643K         4        0
           proc    69     87K     124K  78643K       538        0
        subproc   104      6K       6K  78643K       117        0
    NFS srvsock     1      0K       0K  78643K         1        0
     NFS daemon     1     16K      16K  78643K         1        0
    ip_moptions     1      0K       0K  78643K        36        0
       in_multi   101      6K       7K  78643K       132        0
    ether_multi     2      0K       0K  78643K        12        0
            mrt     1      0K       0K  78643K         1        0
    ISOFS mount     1     32K      32K  78643K         1        0
  MSDOSFS mount     1     16K      16K  78643K         1        0
           ttys    79    360K     360K  78643K        79        0
           exec     0      0K       2K  78643K       676        0
            tdb     3      0K       0K  78643K         3        0
        pagedep     1      8K       8K  78643K         1        0
       inodedep     1     32K      32K  78643K         1        0
         newblk     1      0K       0K  78643K         1        0
        VM swap     7     26K      26K  78643K         7        0
       UVM amap   297     82K      87K  78643K      7322        0
       UVM aobj    12      2K       2K  78643K        16        0
        memdesc     1      4K       4K  78643K         1        0
    crypto data     1      1K       1K  78643K         1        0
    ip6_options     2      0K       0K  78643K        15        0
            NDP    12      0K       2K  78643K        36        0
           temp   131   4713K    4777K  78643K      7197        0
         kqueue    12     18K      22K  78643K        44        0
      SYN cache     2     16K      16K  78643K         2        0
ddb{0}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache    128       22    0        0     1     0     1     1     0     8    0
rtpcb      120       36    0       33     1     0     1     1     0     8    0
rtentry    112      140    0       29     4     0     4     4     0     8    0
unpcb      136      304    0      287     7     6     1     6     0     8    0
syncache   296        8    0        8     2     2     0     1     0     8    0
tcpqe       32      183    0      183     1     1     0     1     0     8    0
tcpcb      736      201    0      121    12     4     8     8     0     8    0
arp        120       25    0        7     1     0     1     1     0     8    0
inpcb      312      613    0      473    16     5    11    11     0     8    0
nd6         48       28    0        3     1     0     1     1     0     8    0
kcovpl      48        9    0        1     1     0     1     1     0     8    0
pffrag     232        1    0        0     1     0     1     1     0   482    0
pffrnode    88        1    0        0     1     0     1     1     0     8    0
pffrent     40        3    0        2     1     0     1     1     0     8    0
pfosfp      40     1428    0     1005     5     0     5     5     0     8    0
pfosfpen   112     1428    0      714    21     0    21    21     0     8    0
pfrktable  1344       4    0        2     1     0     1     1     0     8    0
pftag       88        1    0        0     1     0     1     1     0     8    0
pfqueue    264        2    0        2     1     1     0     1     0     8    0
pfstitem    24       27    0       11     1     0     1     1     0     8    0
pfstkey    112       27    0       11     1     0     1     1     0     8    0
pfstate    320       27    0       11     2     0     2     2     0     8    0
pfrule     1360      24    0       16     2     1     1     2     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      518    0       57    29     0    29    29     0     8    0
art_table   32      519    0       57     4     0     4     4     0     8    0
art_node    16      139    0       38     1     0     1     1     0     8    0
semapl     112       25    0       15     1     0     1     1     0     8    0
shmpl      112       13    0        4     1     0     1     1     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino2pl    256     1914    0      473    91     0    91    91     0     8    0
ffsino     272     1914    0      473    97     0    97    97     0     8    0
nchpl      144     2597    0      967    63     0    63    63     0     8    0
uvmvnodes   80     2173    0        0    45     0    45    45     0     8    0
vnodes     224     2173    0        0   128     0   128   128     0     8    0
namei      1024    9150    0     9149     3     2     1     2     0     8    0
percpumem   16       46    0        6     1     0     1     1     0     8    0
pfiaddrpl  120        3    0        0     1     0     1     1     0     8    0
scxspl     216     7861    0     7859     9     8     1     8     0     8    0
plimitpl   152       41    0       26     1     0     1     1     0     8    0
sigapl     424      773    0      710     8     0     8     8     0     8    0
futexpl     64     2602    0     2600     1     0     1     1     0     8    0
knotepl    120      230    0        0     7     0     7     7     0     8    0
kqueuepl   216      146    0      138     7     2     5     5     0     8    4
pipepl     336      145    0      117     3     0     3     3     0     8    0
fdescpl    496      738    0      712     5     1     4     5     0     8    0
filepl     152     3866    0     3496    20     3    17    17     0     8    2
lockfpl    104        8    0        6     1     0     1     1     0     8    0
lockfspl    48        5    0        3     1     0     1     1     0     8    0
sessionpl  144       25    0        8     1     0     1     1     0     8    0
pgrppl      48       25    0        8     1     0     1     1     0     8    0
ucredpl     96      455    0      440     1     0     1     1     0     8    0
zombiepl   144      712    0      710     1     0     1     1     0     8    0
processpl  1064     773    0      710     5     0     5     5     0     8    0
procpl     672     1432    0     1355     9     1     8     8     0     8    0
sosppl     168        6    0        6     1     1     0     1     0     8    0
sockpl     480      953    0      796    31    11    20    21     0     8    0
mcl64k     65536      7    0        0     1     0     1     1     0     8    0
mcl16k     16384      4    0        0     1     0     1     1     0     8    0
mcl12k     12288      4    0        0     1     0     1     1     0     8    0
mcl9k      9216       3    0        0     1     0     1     1     0     8    0
mcl8k      8192       8    0        0     1     0     1     1     0     8    0
mcl4k      4096       9    0        0     2     0     2     2     0     8    0
mcl2k2     2112       2    0        0     1     0     1     1     0     8    0
mcl2k      2048     191    0        0    23     0    23    23     0     8    0
mtagpl      96       10    0        0     1     0     1     1     0     8    0
mbufpl     256      242    0        0    15     0    15    15     0     8    0
bufpl      288     4087    0      145   282     0   282   282     0     8    0
anonpl      24   159714    0   143269   119     7   112   113     0   186    0
amapchunkpl 152   16896    0    16094    41     5    36    37     0   158    1
amappl16   200     1413    0      877    30     1    29    29     0     8    0
amappl15   192      101    0       93     1     0     1     1     0     8    0
amappl14   184       27    0       22     1     0     1     1     0     8    0
amappl13   176      161    0      156     1     0     1     1     0     8    0
amappl12   168       56    0       55     1     0     1     1     0     8    0
amappl11   160      112    0       95     1     0     1     1     0     8    0
amappl10   152       41    0       36     1     0     1     1     0     8    0
amappl9    144      569    0      564     1     0     1     1     0     8    0
amappl8    136      670    0      623     2     0     2     2     0     8    0
amappl7    128      200    0      187     1     0     1     1     0     8    0
amappl6    120      296    0      271     2     1     1     2     0     8    0
amappl5    112      381    0      366     1     0     1     1     0     8    0
amappl4    104      982    0      952     2     1     1     2     0     8    0
amappl3     96      289    0      272     1     0     1     1     0     8    0
amappl2     88      667    0      621     3     1     2     3     0     8    0
amappl1     80    16538    0    15980    19     6    13    19     0     8    0
amappl      88     6864    0     6628     7     0     7     7     0    92    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma1024    1024       1    0        0     1     0     1     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      72       15    0        4     1     0     1     1     0     8    0
uaddrrnd    24      738    0      711     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      738    0      711     1     0     1     1     0     8    0
vmmpekpl   168    10519    0    10463     3     0     3     3     0     8    0
vmmpepl    168    71643    0    69313   177    24   153   177     0   357   40
vmsppl     368      737    0      711     4     1     3     4     0     8    0
rwobjpl     56    20274    0    16594    53     0    53    53     0     8    0
pdppl      4096    1483    0     1422   114    47    67    79     0     8    6
pvpl        32   403515    0   383040   251    32   219   250     0   265   38
pmappl     248      737    0      711     3     1     2     3     0     8    0
extentpl    40       58    0       38     1     0     1     1     0     8    0
phpool     112      703    0       62    19     0    19    19     0     8    0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff8258c085) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff8260257e,ffffffff8260f998,aae,ffffffff825bfe73) at __assert+0x25 sys/kern/subr_prf.c:161
uvm_map_teardown(fffffd8074d19180) at uvm_map_teardown+0x2e8 sys/uvm/uvm_map.c:2736
uvmspace_free(fffffd8074d19180) at uvmspace_free+0xa6 sys/uvm/uvm_map.c:3685
reaper(ffff8000210f9a40) at reaper+0x18b sys/kern/kern_exit.c:457
end trace frame: 0x0, count: -6
ddb{0}> machine ddbcpu 1
Stopped at      x86_ipi_db+0x1a:        addq    $0x8,%rsp
x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
x86_bus_space_io_write_1(3f8,0,74) at x86_bus_space_io_write_1+0x31 sys/arch/amd64/amd64/bus_space.c:759
comcnputc(800,74) at comcnputc+0x128 bus_space_barrier machine/bus.h:481 [inline]
comcnputc(800,74) at comcnputc+0x128 sys/dev/ic/com.c:1263
cnputc(74) at cnputc+0x4b sys/dev/cons.c:239
db_putchar(74) at db_putchar+0x3fc sys/ddb/db_output.c:155
kprintf() at kprintf+0x20ec sys/kern/subr_prf.c:1068
db_printf(ffffffff82605424) at db_printf+0x85 sys/kern/subr_prf.c:502
panic(ffffffff825a4184) at panic+0xd7 sys/kern/subr_prf.c:220
witness_checkorder(ffffffff82a6f1a0,9,0) at witness_checkorder+0x116d sys/kern/subr_witness.c:833
__mp_lock(ffffffff82a6ef98) at __mp_lock+0xa1 read_rflags machine/cpufunc.h:195 [inline]
__mp_lock(ffffffff82a6ef98) at __mp_lock+0xa1 intr_disable machine/cpufunc.h:216 [inline]
__mp_lock(ffffffff82a6ef98) at __mp_lock+0xa1 sys/kern/kern_lock.c:142
selwakeup(fffffd80697c44f0) at selwakeup+0x16 klist_empty sys/sys/event.h:361 [inline]
selwakeup(fffffd80697c44f0) at selwakeup+0x16 sys/kern/sys_generic.c:885
sorwakeup(fffffd80697c43d8) at sorwakeup+0xc9 sys/kern/uipc_socket.c:1699
end trace frame: 0xffff80002e4067a0, count: 0
ddb{1}> trace
x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
x86_bus_space_io_write_1(3f8,0,74) at x86_bus_space_io_write_1+0x31 sys/arch/amd64/amd64/bus_space.c:759
comcnputc(800,74) at comcnputc+0x128 bus_space_barrier machine/bus.h:481 [inline]
comcnputc(800,74) at comcnputc+0x128 sys/dev/ic/com.c:1263
cnputc(74) at cnputc+0x4b sys/dev/cons.c:239
db_putchar(74) at db_putchar+0x3fc sys/ddb/db_output.c:155
kprintf() at kprintf+0x20ec sys/kern/subr_prf.c:1068
db_printf(ffffffff82605424) at db_printf+0x85 sys/kern/subr_prf.c:502
panic(ffffffff825a4184) at panic+0xd7 sys/kern/subr_prf.c:220
witness_checkorder(ffffffff82a6f1a0,9,0) at witness_checkorder+0x116d sys/kern/subr_witness.c:833
__mp_lock(ffffffff82a6ef98) at __mp_lock+0xa1 read_rflags machine/cpufunc.h:195 [inline]
__mp_lock(ffffffff82a6ef98) at __mp_lock+0xa1 intr_disable machine/cpufunc.h:216 [inline]
__mp_lock(ffffffff82a6ef98) at __mp_lock+0xa1 sys/kern/kern_lock.c:142
selwakeup(fffffd80697c44f0) at selwakeup+0x16 klist_empty sys/sys/event.h:361 [inline]
selwakeup(fffffd80697c44f0) at selwakeup+0x16 sys/kern/sys_generic.c:885
sorwakeup(fffffd80697c43d8) at sorwakeup+0xc9 sys/kern/uipc_socket.c:1699
rip6_input(ffff80002e406aa8,ffff80002e406ab4,3a,18) at rip6_input+0x6bc sys/netinet6/raw_ip6.c:224
icmp6_input(ffff80002e406aa8,ffff80002e406ab4,3a,18) at icmp6_input+0x8e8 sys/netinet6/icmp6.c:762
ip_deliver(ffff80002e406aa8,ffff80002e406ab4,3a,18) at ip_deliver+0x322 sys/netinet/ip_input.c:657
ip6_input_if(ffff80002e406aa8,ffff80002e406ab4,29,0,ffff80000019f2a8) at ip6_input_if+0x920
ipv6_input(ffff80000019f2a8,fffffd806c14cc00) at ipv6_input+0x48 sys/netinet6/ip6_input.c:169
if_input_local(ffff80000019f2a8,fffffd806c14cc00,18) at if_input_local+0x136 sys/net/if.c:778
ip6_output(fffffd806c442600,ffff800000c0f400,fffffd8068db3900,0,0,fffffd8068db3888) at ip6_output+0xf57
rip6_output(fffffd8074b97800,fffffd8066bb6d40,ffff80002e406e10,0) at rip6_output+0x4ad sys/netinet6/raw_ip6.c:490
rip6_usrreq(fffffd8066bb6d40,9,fffffd8074b97800,0,0,ffff8000ffff5260) at rip6_usrreq+0x5d3 sys/netinet6/raw_ip6.c:679
sosend(fffffd8066bb6d40,0,ffff80002e407048,0,0,0) at sosend+0x632 sys/kern/uipc_socket.c:582
dofilewritev(ffff8000ffff5260,4,ffff80002e407048,0,ffff80002e407140) at dofilewritev+0x19c sys/kern/sys_generic.c:381
sys_write(ffff8000ffff5260,ffff80002e4070e8,ffff80002e407140) at sys_write+0x83 sys/kern/sys_generic.c:301
syscall(ffff80002e4071b0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff80002e4071b0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7105f59f460, count: -28

Crashes (1):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-openbsd-multicore 2022/03/23 07:20 openbsd bf088e2b2bca 5ff41e94 .config log report panic: apcaquniirci: ng bkloerckneabll de i a g n o st ic a s s er ti o n " ! _ ke r n e l_ l oc k _ h sel
* Struck through repros no longer work on HEAD.