syzbot


panic:p a anciqc:uikerrinngel dbialgocnkoastbliec a s s e r t i o n "! _k er neslle_lepo lcokc_khe l dw ( )i

Status: fixed on 2022/03/24 08:53
Reported-by: syzbot+8cf79c6dac8bdea4b3c3@syzkaller.appspotmail.com
Fix commit: d25fea59a0de For raw IP packets rip_input() traverses the loop of all PCBs. From there it calls sbappendaddr() while holding the raw table mutex. This ends in sorwakeup() where we finally grab the kernel lock while holding a mutex. Witness detects this misuse. Use the same solution as for PCB notify. Collect the affected PCBs in a temporary list. The list is protected by exclusive net lock. syzbot+ebe3f03a472fecf5e42e@syzkaller.appspotmail.com OK claudio@
First crash: 255d, last: 255d

Sample crash report:
panic:p a anciqc:uikerrinngel    dbialgocnkoastbliec  a s s  e r t i o n   "!  _k  er   neslle_lepo  lcokc_khe l dw ( )i"t  h  s p i n lo  ck   o  r   cr i t  ic a  l   s ec t i o  n  h e l  d  (  k er n  e l _l  o ck )   & k  er n e  l _ lo  ck 
  fStopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*479979  11324      0           0  0x4000000    1  syz-executor.2
 327639  52915      0     0x14000      0x200    0  reaper
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825a2db5) at panic+0x177 sys/kern/subr_prf.c:202
witness_checkorder(ffffffff829f3ad8,9,0) at witness_checkorder+0x116d sys/kern/subr_witness.c:833
__mp_lock(ffffffff829f38d0) at __mp_lock+0xa1 read_rflags machine/cpufunc.h:195 [inline]
__mp_lock(ffffffff829f38d0) at __mp_lock+0xa1 intr_disable machine/cpufunc.h:216 [inline]
__mp_lock(ffffffff829f38d0) at __mp_lock+0xa1 sys/kern/kern_lock.c:142
selwakeup(fffffd80688bfaa0) at selwakeup+0x16 klist_empty sys/sys/event.h:361 [inline]
selwakeup(fffffd80688bfaa0) at selwakeup+0x16 sys/kern/sys_generic.c:885
sorwakeup(fffffd80688bf988) at sorwakeup+0xc9 sys/kern/uipc_socket.c:1699
rip_input(ffff80002e348a48,ffff80002e348a54,0,2) at rip_input+0x3b0 sys/netinet/raw_ip.c:188
ip_deliver(ffff80002e348a48,ffff80002e348a54,0,2) at ip_deliver+0x322 sys/netinet/ip_input.c:657
ip_ours(ffff80002e348a48,ffff80002e348a54,0,0) at ip_ours+0x3ba sys/netinet/ip_input.c:616
ip_input_if(ffff80002e348a48,ffff80002e348a54,4,0,ffff800000689000) at ip_input_if+0x2a1
ipv4_input(ffff800000689000,fffffd80669ae400) at ipv4_input+0x48 sys/netinet/ip_input.c:242
if_input_local(ffff800000689000,fffffd80669ae400,2) at if_input_local+0x10e sys/net/if.c:774
ip_output(fffffd806c496000,0,fffffd80681e7098,20,0,fffffd80681e7020,aba0b48b42057bb5) at ip_output+0xb05 ip_mloopback sys/netinet/ip_output.c:1791 [inline]
ip_output(fffffd806c496000,0,fffffd80681e7098,20,0,fffffd80681e7020,aba0b48b42057bb5) at ip_output+0xb05 sys/netinet/ip_output.c:332
rip_output(fffffd806c496000,fffffd80688bfb68,ffff80002e348ca0,1) at rip_output+0x2cb sys/netinet/raw_ip.c:302
end trace frame: 0xffff80002e348d20, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{1}> 
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
 cpu0: kernel diagnostic assertion "!_kernel_lock_held()" failed: file "/syzkaller/managers/multicore/kernel/sys/uvm/uvm_map.c", line 2734
*cpu1: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825a2db5) at panic+0x177 sys/kern/subr_prf.c:202
witness_checkorder(ffffffff829f3ad8,9,0) at witness_checkorder+0x116d sys/kern/subr_witness.c:833
__mp_lock(ffffffff829f38d0) at __mp_lock+0xa1 read_rflags machine/cpufunc.h:195 [inline]
__mp_lock(ffffffff829f38d0) at __mp_lock+0xa1 intr_disable machine/cpufunc.h:216 [inline]
__mp_lock(ffffffff829f38d0) at __mp_lock+0xa1 sys/kern/kern_lock.c:142
selwakeup(fffffd80688bfaa0) at selwakeup+0x16 klist_empty sys/sys/event.h:361 [inline]
selwakeup(fffffd80688bfaa0) at selwakeup+0x16 sys/kern/sys_generic.c:885
sorwakeup(fffffd80688bf988) at sorwakeup+0xc9 sys/kern/uipc_socket.c:1699
rip_input(ffff80002e348a48,ffff80002e348a54,0,2) at rip_input+0x3b0 sys/netinet/raw_ip.c:188
ip_deliver(ffff80002e348a48,ffff80002e348a54,0,2) at ip_deliver+0x322 sys/netinet/ip_input.c:657
ip_ours(ffff80002e348a48,ffff80002e348a54,0,0) at ip_ours+0x3ba sys/netinet/ip_input.c:616
ip_input_if(ffff80002e348a48,ffff80002e348a54,4,0,ffff800000689000) at ip_input_if+0x2a1
ipv4_input(ffff800000689000,fffffd80669ae400) at ipv4_input+0x48 sys/netinet/ip_input.c:242
if_input_local(ffff800000689000,fffffd80669ae400,2) at if_input_local+0x10e sys/net/if.c:774
ip_output(fffffd806c496000,0,fffffd80681e7098,20,0,fffffd80681e7020,aba0b48b42057bb5) at ip_output+0xb05 ip_mloopback sys/netinet/ip_output.c:1791 [inline]
ip_output(fffffd806c496000,0,fffffd80681e7098,20,0,fffffd80681e7020,aba0b48b42057bb5) at ip_output+0xb05 sys/netinet/ip_output.c:332
rip_output(fffffd806c496000,fffffd80688bfb68,ffff80002e348ca0,1) at rip_output+0x2cb sys/netinet/raw_ip.c:302
rip_usrreq(fffffd80688bfb68,9,fffffd806c496000,0,0,ffff8000ffff42a0) at rip_usrreq+0x49c sys/netinet/raw_ip.c:554
sosend(fffffd80688bfb68,0,ffff80002e348f30,0,0,0) at sosend+0x632 sys/kern/uipc_socket.c:582
dofilewritev(ffff8000ffff42a0,85,ffff80002e348f30,0,ffff80002e349030) at dofilewritev+0x19c sys/kern/sys_generic.c:381
sys_writev(ffff8000ffff42a0,ffff80002e348fd8,ffff80002e349030) at sys_writev+0xa7 sys/kern/sys_generic.c:328
syscall(ffff80002e3490a0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff80002e3490a0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x2f5a8dfe040, count: -20
ddb{1}> show registers
rdi                                0
rsi                              0x1
rbp               0xffff80002e3485d0
rbx               0xffff800020ce9bff
rdx                                0
rcx                                0
rax               0xffff8000ffff42a0
r8                 0x101010101010101
r9                0x8080808080808080
r10               0xb51095ac86cf98e3
r11               0x34d6089192ea19b3
r12               0xffff800020ce9a00
r13                                0
r14                                0
r15                              0x1
rip               0xffffffff811e4c58    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff80002e3485c0
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor.2) pid=479979 stat=onproc
    flags process=0 proc=4000000<THREAD>
    pri=86, usrpri=86, nice=20
    forw=0xffffffffffffffff, list=0xffff8000ffff4000,0xffff800021142a98
    process=0xffff8000ffff14e0 user=0xffff80002e344000, vmspace=0xfffffd8066f60d10
    estcpu=36, cpticks=2, pctcpu=0.0
    user=0, sys=2, intr=0
ddb{1}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 48566  381212  57114      0  2           0                syz-executor.5
 48566  183989  57114      0  2   0x4000000                syz-executor.5
 18618  284978   1642      0  2           0                syz-executor.0
 18618  436162   1642      0  3   0x4000080  fsleep        syz-executor.0
 18618  410801   1642      0  3   0x4000080  fsleep        syz-executor.0
 11324  480892  24952      0  2           0                syz-executor.2
*11324  479979  24952      0  7   0x4000000                syz-executor.2
 57114  523309  94937      0  3        0x82  nanoslp       syz-executor.5
 63923  371181      0      0  3     0x14200  bored         sosplice
 67459   74572  94937      0  2         0x2                syz-executor.7
  8516   30484  94937      0  3        0x82  nanoslp       syz-executor.6
 68651  424775  94937      0  2         0x2                syz-executor.4
 24952  187726  94937      0  3        0x82  nanoslp       syz-executor.2
 60008  446408  94937      0  2         0x2                syz-executor.3
 99369  433863  94937      0  3        0x82  nanoslp       syz-executor.1
  1642  116174  94937      0  3        0x82  nanoslp       syz-executor.0
 94937  267888   3356      0  3        0x82  thrsleep      syz-fuzzer
 94937  122368   3356      0  3   0x4000082  nanoslp       syz-fuzzer
 94937  462139   3356      0  3   0x4000082  thrsleep      syz-fuzzer
 94937  168484   3356      0  3   0x4000082  thrsleep      syz-fuzzer
 94937  203593   3356      0  3   0x4000082  thrsleep      syz-fuzzer
 94937   17513   3356      0  3   0x4000082  thrsleep      syz-fuzzer
 94937  345731   3356      0  3   0x4000082  kqread        syz-fuzzer
 94937  470476   3356      0  3   0x4000082  thrsleep      syz-fuzzer
  3356  358902  60977      0  3    0x10008a  sigsusp       ksh
 60977  207412  72072      0  3        0x9a  kqread        sshd
 94739  275052      1      0  3    0x100083  ttyin         getty
 72072  487461      1      0  3        0x88  kqread        sshd
 79085  295427  96530     74  3   0x1100092  bpf           pflogd
 96530   45620      1      0  3        0x80  netio         pflogd
 83482  166601  60811     73  3   0x1100090  kqread        syslogd
 60811    1320      1      0  3    0x100082  netio         syslogd
 30587  420435      1      0  3    0x100080  kqread        resolvd
 74804  509582  11019     77  3    0x100092  kqread        dhcpleased
 31476  112855  11019     77  3    0x100092  kqread        dhcpleased
 11019  238809      1      0  3        0x80  kqread        dhcpleased
 34049  331480      0      0  3     0x14200  bored         smr
 51462  366675      0      0  2     0x14200                zerothread
 16796  186855      0      0  3     0x14200  aiodoned      aiodoned
  8636  519153      0      0  3     0x14200  syncer        update
 76440    9773      0      0  3     0x14200  cleaner       cleaner
 52915  327639      0      0  7     0x14200                reaper
 38972  369191      0      0  3     0x14200  pgdaemon      pagedaemon
  7211   77816      0      0  3     0x14200  bored         viomb
 74891  321496      0      0  3  0x40014200  acpi0         acpi0
 31947  301083      0      0  3  0x40014200                idle1
 16088  462938      0      0  2     0x14200                softnet
 42000  333243      0      0  3     0x14200  bored         systqmp
 79061  139833      0      0  3     0x14200  bored         systq
 91246  414812      0      0  3  0x40014200  bored         softclock
 55773  379200      0      0  3  0x40014200                idle0
     1   43302      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{1}> show all locks
CPU 0:
exclusive mutex &(curpg)->mdpage.pv_mtx r = 0 (0xfffffd8006f208b8)
#0  witness_lock+0x44d
#1  mtx_enter_try+0x100
#2  mtx_enter+0x4b sys/kern/kern_lock.c:266
#3  pmap_page_remove+0x44 sys/arch/amd64/amd64/pmap.c:1912
#4  uvm_anfree_list+0x98
#5  amap_wipeout+0x1b1 sys/uvm/uvm_amap.c:504
#6  uvm_unmap_detach+0x7d sys/uvm/uvm_map.c:1599
#7  uvm_map_teardown+0x262 sys/uvm/uvm_map.c:2789
#8  uvmspace_free+0xa6 sys/uvm/uvm_map.c:3685
#9  reaper+0x18b sys/kern/kern_exit.c:457
#10 proc_trampoline+0x1c
CPU 1:
exclusive mutex &table->inpt_mtx r = 0 (0xffffffff82b03010)
#0  witness_lock+0x44d
#1  mtx_enter_try+0x100
#2  mtx_enter+0x4b sys/kern/kern_lock.c:266
#3  rip_input+0x135
#4  ip_deliver+0x322 sys/netinet/ip_input.c:657
#5  ip_ours+0x3ba sys/netinet/ip_input.c:616
#6  ip_input_if+0x2a1
#7  ipv4_input+0x48 sys/netinet/ip_input.c:242
#8  if_input_local+0x10e sys/net/if.c:774
#9  ip_output+0xb05 ip_mloopback sys/netinet/ip_output.c:1791 [inline]
#9  ip_output+0xb05 sys/netinet/ip_output.c:332
#10 rip_output+0x2cb sys/netinet/raw_ip.c:302
#11 rip_usrreq+0x49c sys/netinet/raw_ip.c:554
#12 sosend+0x632 sys/kern/uipc_socket.c:582
#13 dofilewritev+0x19c sys/kern/sys_generic.c:381
#14 sys_writev+0xa7 sys/kern/sys_generic.c:328
#15 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#15 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#16 Xsyscall+0x128
Process 11324 (syz-executor.2) thread 0xffff8000ffff42a0 (479979)
exclusive rwlock netlock r = 0 (0xffffffff82904160)
#0  witness_lock+0x44d
#1  solock+0x86 sys/kern/uipc_socket2.c:295
#2  sosend+0x517 sys/kern/uipc_socket.c:570
#3  dofilewritev+0x19c sys/kern/sys_generic.c:381
#4  sys_writev+0xa7 sys/kern/sys_generic.c:328
#5  syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#5  syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#6  Xsyscall+0x128
exclusive mutex &table->inpt_mtx r = 0 (0xffffffff82b03010)
#0  witness_lock+0x44d
#1  mtx_enter_try+0x100
#2  mtx_enter+0x4b sys/kern/kern_lock.c:266
#3  rip_input+0x135
#4  ip_deliver+0x322 sys/netinet/ip_input.c:657
#5  ip_ours+0x3ba sys/netinet/ip_input.c:616
#6  ip_input_if+0x2a1
#7  ipv4_input+0x48 sys/netinet/ip_input.c:242
#8  if_input_local+0x10e sys/net/if.c:774
#9  ip_output+0xb05 ip_mloopback sys/netinet/ip_output.c:1791 [inline]
#9  ip_output+0xb05 sys/netinet/ip_output.c:332
#10 rip_output+0x2cb sys/netinet/raw_ip.c:302
#11 rip_usrreq+0x49c sys/netinet/raw_ip.c:554
#12 sosend+0x632 sys/kern/uipc_socket.c:582
#13 dofilewritev+0x19c sys/kern/sys_generic.c:381
#14 sys_writev+0xa7 sys/kern/sys_generic.c:328
#15 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#15 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#16 Xsyscall+0x128
Process 52915 (reaper) thread 0xffff8000210f9500 (327639)
exclusive rwlock amaplk r = 0 (0xfffffd8075889588)
#0  witness_lock+0x44d
#1  amap_unref+0x2b sys/uvm/uvm_amap.c:1365
#2  uvm_unmap_detach+0x7d sys/uvm/uvm_map.c:1599
#3  uvm_map_teardown+0x262 sys/uvm/uvm_map.c:2789
#4  uvmspace_free+0xa6 sys/uvm/uvm_map.c:3685
#5  reaper+0x18b sys/kern/kern_exit.c:457
#6  proc_trampoline+0x1c
ddb{1}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 10192   6619K    7400K  78643K     15974        0
            pcb    13     16K      18K  78643K       166        0
         rtable   235      7K       8K  78643K       910        0
         ifaddr    82     17K      18K  78643K       208        0
         sysctl     2      0K       0K  78643K         4        0
       counters    54     35K      35K  78643K        90        0
       ioctlops     0      0K       4K  78643K      1744        0
            iov     0      0K      16K  78643K       204        0
          mount     1      1K       1K  78643K         1        0
            log     0      0K       0K  78643K         5        0
         vnodes  1407     88K      88K  78643K      2792        0
      UFS quota     1     32K      32K  78643K         1        0
      UFS mount     5     36K      36K  78643K         5        0
            shm     2      1K       5K  78643K        20        0
         VM map     2      1K       1K  78643K         2        0
            sem    12      0K       1K  78643K        61        0
        dirhash    12      2K       2K  78643K        12        0
           ACPI  1697    195K     286K  78643K     12548        0
      file desc    13     45K      89K  78643K      1489        0
          sigio     0      0K       0K  78643K        88        0
           proc    71     87K     111K  78643K       873        0
        subproc   104      6K       6K  78643K       247        0
    NFS srvsock     1      0K       0K  78643K         1        0
     NFS daemon     1     16K      16K  78643K         1        0
    ip_moptions     0      0K       0K  78643K        39        0
       in_multi    88      5K       6K  78643K       251        0
    ether_multi     1      0K       0K  78643K        10        0
            mrt     1      0K       0K  78643K         1        0
    ISOFS mount     1     32K      32K  78643K         1        0
  MSDOSFS mount     1     16K      16K  78643K         1        0
           ttys    61    281K     281K  78643K        61        0
           exec     0      0K       2K  78643K      1041        0
            tdb     3      0K       0K  78643K         3        0
        pagedep     1      8K       8K  78643K         1        0
       inodedep     1     32K      32K  78643K         1        0
         newblk     1      0K       0K  78643K         1        0
        VM swap     7     26K      26K  78643K         7        0
       UVM amap   330    134K     136K  78643K     19840        0
       UVM aobj   131      4K       4K  78643K       134        0
        memdesc     1      4K       4K  78643K         1        0
    crypto data     1      1K       1K  78643K         1        0
    ip6_options     0      0K       0K  78643K        29        0
            NDP    11      0K       2K  78643K        68        0
           temp   113   4711K    4787K  78643K     18959        0
         kqueue    12     18K      24K  78643K       115        0
      SYN cache     2     16K      16K  78643K         2        0
ddb{1}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache    128       22    0        0     1     0     1     1     0     8    0
rtpcb      120      126    0      123     2     1     1     2     0     8    0
rtentry    112      256    0      150     4     0     4     4     0     8    0
unpcb      136      507    0      490     6     2     4     4     0     8    3
syncache   296        9    0        9     3     2     1     1     0     8    1
tcpqe       32      214    0      214     2     1     1     1     0     8    1
tcpcb      736      398    0      392    18    16     2    10     0     8    1
arp        120       43    0       25     1     0     1     1     0     8    0
inpcb      312     1262    0     1123    23    12    11    11     0     8    0
nd6         48       61    0       39     1     0     1     1     0     8    0
pkpcb       40        4    0        4     1     1     0     1     0     8    0
kcovpl      48       19    0       11     1     0     1     1     0     8    0
pffrag     232        4    0        2     1     0     1     1     0   482    0
pffrnode    88        4    0        2     1     0     1     1     0     8    0
pffrent     40        9    0        7     1     0     1     1     0     8    0
pfosfp      40     1428    0     1005     5     0     5     5     0     8    0
pfosfpen   112     1428    0      714    21     0    21    21     0     8    0
pfrktable  1344      14    0       12     1     0     1     1     0     8    0
pfstitem    24       43    0       20     1     0     1     1     0     8    0
pfstkey    112       43    0       20     1     0     1     1     0     8    0
pfstate    320       43    0       20     2     0     2     2     0     8    0
pfrule     1360      78    0       65     3     1     2     2     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      990    0      566    30     3    27    30     0     8    0
art_table   32      991    0      566     4     0     4     4     0     8    0
art_node    16      254    0      159     1     0     1     1     0     8    0
sysvmsgpl   40       14    0        9     1     0     1     1     0     8    0
semupl     112        3    0        3     1     1     0     1     0     8    0
semapl     112       56    0       46     1     0     1     1     0     8    0
shmpl      112      131    0        3     4     0     4     4     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino2pl    256     3092    0     1654    91     0    91    91     0     8    0
ffsino     272     3092    0     1654    97     0    97    97     0     8    0
nchpl      144     5241    0     3613    63     0    63    63     0     8    0
uvmvnodes   80     4521    0        0    93     0    93    93     0     8    0
vnodes     224     4521    0        0   266     0   266   266     0     8    0
namei      1024   19570    0    19570     3     2     1     2     0     8    1
percpumem   16       57    0       18     1     0     1     1     0     8    0
vcpupl     2048       3    0        0     1     0     1     1     0     8    0
vmpool     560        6    0        3     1     0     1     1     0     8    0
pfiaddrpl  120        4    0        0     1     0     1     1     0     8    0
scxspl     216    14372    0    14372    10     9     1     8     0     8    1
plimitpl   152      266    0      251     1     0     1     1     0     8    0
sigapl     424     1768    0     1725     6     0     6     6     0     8    0
futexpl     64    11070    0    11068     1     0     1     1     0     8    0
knotepl    120      104    0        0     4     0     4     4     0     8    0
kqueuepl   216      370    0      362    10     5     5     5     0     8    4
pipepl     336      398    0      370    13    10     3     8     0     8    0
fdescpl    496     1753    0     1727     5     1     4     5     0     8    0
filepl     152    10538    0    10165    25    10    15    15     0     8    0
lockfpl    104      312    0      310     1     0     1     1     0     8    0
lockfspl    48      141    0      139     1     0     1     1     0     8    0
sessionpl  144       35    0       18     1     0     1     1     0     8    0
pgrppl      48       35    0       18     1     0     1     1     0     8    0
ucredpl     96      890    0      876     1     0     1     1     0     8    0
zombiepl   144     1727    0     1725     1     0     1     1     0     8    0
processpl  1064    1768    0     1725     4     0     4     4     0     8    0
procpl     672     4319    0     4264     9     3     6     7     0     8    0
srpgc       96       24    0       24     1     1     0     1     0     8    0
sosppl     168        4    0        4     1     1     0     1     0     8    0
sockpl     480     1967    0     1808    44    24    20    20     0     8    0
mcl64k     65536     16    0        0     2     0     2     2     0     8    0
mcl16k     16384      5    0        0     1     0     1     1     0     8    0
mcl12k     12288     17    0        0     2     0     2     2     0     8    0
mcl9k      9216       5    0        0     1     0     1     1     0     8    0
mcl8k      8192      17    0        0     3     0     3     3     0     8    0
mcl4k      4096      15    0        0     2     0     2     2     0     8    0
mcl2k2     2112       2    0        0     1     0     1     1     0     8    0
mcl2k      2048     228    0        0    28     0    28    28     0     8    0
mtagpl      96      291    0        0     8     0     8     8     0     8    0
mbufpl     256      517    0        0    32     1    31    31     0     8    0
bufpl      288     5430    0      148   378     0   378   378     0     8    0
anonpl      24   440476    0   422394   142    24   118   130     0   186    0
amapchunkpl 152   46662    0    45830    41     4    37    39     0   158    0
amappl16   200     3951    0     3422    39    10    29    36     0     8    0
amappl15   192      648    0      641     1     0     1     1     0     8    0
amappl14   184      338    0      331     1     0     1     1     0     8    0
amappl13   176      210    0      208     1     0     1     1     0     8    0
amappl12   168       22    0       19     1     0     1     1     0     8    0
amappl11   160       71    0       57     1     0     1     1     0     8    0
amappl10   152       50    0       44     1     0     1     1     0     8    0
amappl9    144      838    0      831     1     0     1     1     0     8    0
amappl8    136      928    0      864     4     1     3     3     0     8    0
amappl7    128      313    0      301     1     0     1     1     0     8    0
amappl6    120      611    0      585     2     1     1     2     0     8    0
amappl5    112     1351    0     1334     1     0     1     1     0     8    0
amappl4    104     1315    0     1286     2     1     1     2     0     8    0
amappl3     96      297    0      282     1     0     1     1     0     8    0
amappl2     88      794    0      750     3     1     2     3     0     8    0
amappl1     80    35096    0    34545    20     7    13    19     0     8    0
amappl      88    19197    0    18957     7     0     7     7     0    92    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma1024    1024       1    0        0     1     0     1     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      72      133    0        3     3     0     3     3     0     8    0
uaddrrnd    24     1759    0     1729     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24     1759    0     1729     1     0     1     1     0     8    0
vmmpekpl   168    18077    0    18027     3     0     3     3     0     8    0
vmmpepl    168   166915    0   164582   146    29   117   128     0   357    4
vmsppl     368     1758    0     1729     5     1     4     4     0     8    0
rwobjpl     56    45188    0    39035    88     0    88    88     0     8    0
pdppl      4096    3525    0     3461   157    85    72    81     0     8    8
pvpl        32   879573    0   857615   265    72   193   263     0   265    2
pmappl     248     1758    0     1729     3     0     3     3     0     8    0
extentpl    40       58    0       38     1     0     1     1     0     8    0
phpool     112      894    0      133    22     0    22    22     0     8    0
ddb{1}> machine ddbcpu 0
Stopped at      x86_ipi_db+0x1a:        addq    $0x8,%rsp
x86_ipi_db(ffffffff8298cff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
x86_bus_space_io_write_1(3f8,0,66) at x86_bus_space_io_write_1+0x31 sys/arch/amd64/amd64/bus_space.c:759
comcnputc(800,66) at comcnputc+0x128 bus_space_barrier machine/bus.h:481 [inline]
comcnputc(800,66) at comcnputc+0x128 sys/dev/ic/com.c:1263
cnputc(66) at cnputc+0x4b sys/dev/cons.c:239
db_putchar(66) at db_putchar+0x3fc sys/ddb/db_output.c:155
kprintf() at kprintf+0x20ec sys/kern/subr_prf.c:1068
db_printf(ffffffff82608c08) at db_printf+0x85 sys/kern/subr_prf.c:502
panic(ffffffff8258fc0f) at panic+0xd7 sys/kern/subr_prf.c:220
__assert(ffffffff826026c6,ffffffff82609d0d,aae,ffffffff825be35d) at __assert+0x25 sys/kern/subr_prf.c:161
uvm_map_teardown(fffffd8066f60020) at uvm_map_teardown+0x2e8 sys/uvm/uvm_map.c:2736
uvmspace_free(fffffd8066f60020) at uvmspace_free+0xa6 sys/uvm/uvm_map.c:3685
reaper(ffff8000210f9500) at reaper+0x18b sys/kern/kern_exit.c:457
end trace frame: 0x0, count: 1
ddb{0}> trace
x86_ipi_db(ffffffff8298cff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
x86_bus_space_io_write_1(3f8,0,66) at x86_bus_space_io_write_1+0x31 sys/arch/amd64/amd64/bus_space.c:759
comcnputc(800,66) at comcnputc+0x128 bus_space_barrier machine/bus.h:481 [inline]
comcnputc(800,66) at comcnputc+0x128 sys/dev/ic/com.c:1263
cnputc(66) at cnputc+0x4b sys/dev/cons.c:239
db_putchar(66) at db_putchar+0x3fc sys/ddb/db_output.c:155
kprintf() at kprintf+0x20ec sys/kern/subr_prf.c:1068
db_printf(ffffffff82608c08) at db_printf+0x85 sys/kern/subr_prf.c:502
panic(ffffffff8258fc0f) at panic+0xd7 sys/kern/subr_prf.c:220
__assert(ffffffff826026c6,ffffffff82609d0d,aae,ffffffff825be35d) at __assert+0x25 sys/kern/subr_prf.c:161
uvm_map_teardown(fffffd8066f60020) at uvm_map_teardown+0x2e8 sys/uvm/uvm_map.c:2736
uvmspace_free(fffffd8066f60020) at uvmspace_free+0xa6 sys/uvm/uvm_map.c:3685
reaper(ffff8000210f9500) at reaper+0x18b sys/kern/kern_exit.c:457
end trace frame: 0x0, count: -14
ddb{0}> machine ddbcpu 1
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825a2db5) at panic+0x177 sys/kern/subr_prf.c:202
witness_checkorder(ffffffff829f3ad8,9,0) at witness_checkorder+0x116d sys/kern/subr_witness.c:833
__mp_lock(ffffffff829f38d0) at __mp_lock+0xa1 read_rflags machine/cpufunc.h:195 [inline]
__mp_lock(ffffffff829f38d0) at __mp_lock+0xa1 intr_disable machine/cpufunc.h:216 [inline]
__mp_lock(ffffffff829f38d0) at __mp_lock+0xa1 sys/kern/kern_lock.c:142
selwakeup(fffffd80688bfaa0) at selwakeup+0x16 klist_empty sys/sys/event.h:361 [inline]
selwakeup(fffffd80688bfaa0) at selwakeup+0x16 sys/kern/sys_generic.c:885
sorwakeup(fffffd80688bf988) at sorwakeup+0xc9 sys/kern/uipc_socket.c:1699
rip_input(ffff80002e348a48,ffff80002e348a54,0,2) at rip_input+0x3b0 sys/netinet/raw_ip.c:188
ip_deliver(ffff80002e348a48,ffff80002e348a54,0,2) at ip_deliver+0x322 sys/netinet/ip_input.c:657
ip_ours(ffff80002e348a48,ffff80002e348a54,0,0) at ip_ours+0x3ba sys/netinet/ip_input.c:616
ip_input_if(ffff80002e348a48,ffff80002e348a54,4,0,ffff800000689000) at ip_input_if+0x2a1
ipv4_input(ffff800000689000,fffffd80669ae400) at ipv4_input+0x48 sys/netinet/ip_input.c:242
if_input_local(ffff800000689000,fffffd80669ae400,2) at if_input_local+0x10e sys/net/if.c:774
ip_output(fffffd806c496000,0,fffffd80681e7098,20,0,fffffd80681e7020,aba0b48b42057bb5) at ip_output+0xb05 ip_mloopback sys/netinet/ip_output.c:1791 [inline]
ip_output(fffffd806c496000,0,fffffd80681e7098,20,0,fffffd80681e7020,aba0b48b42057bb5) at ip_output+0xb05 sys/netinet/ip_output.c:332
rip_output(fffffd806c496000,fffffd80688bfb68,ffff80002e348ca0,1) at rip_output+0x2cb sys/netinet/raw_ip.c:302
end trace frame: 0xffff80002e348d20, count: 0
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825a2db5) at panic+0x177 sys/kern/subr_prf.c:202
witness_checkorder(ffffffff829f3ad8,9,0) at witness_checkorder+0x116d sys/kern/subr_witness.c:833
__mp_lock(ffffffff829f38d0) at __mp_lock+0xa1 read_rflags machine/cpufunc.h:195 [inline]
__mp_lock(ffffffff829f38d0) at __mp_lock+0xa1 intr_disable machine/cpufunc.h:216 [inline]
__mp_lock(ffffffff829f38d0) at __mp_lock+0xa1 sys/kern/kern_lock.c:142
selwakeup(fffffd80688bfaa0) at selwakeup+0x16 klist_empty sys/sys/event.h:361 [inline]
selwakeup(fffffd80688bfaa0) at selwakeup+0x16 sys/kern/sys_generic.c:885
sorwakeup(fffffd80688bf988) at sorwakeup+0xc9 sys/kern/uipc_socket.c:1699
rip_input(ffff80002e348a48,ffff80002e348a54,0,2) at rip_input+0x3b0 sys/netinet/raw_ip.c:188
ip_deliver(ffff80002e348a48,ffff80002e348a54,0,2) at ip_deliver+0x322 sys/netinet/ip_input.c:657
ip_ours(ffff80002e348a48,ffff80002e348a54,0,0) at ip_ours+0x3ba sys/netinet/ip_input.c:616
ip_input_if(ffff80002e348a48,ffff80002e348a54,4,0,ffff800000689000) at ip_input_if+0x2a1
ipv4_input(ffff800000689000,fffffd80669ae400) at ipv4_input+0x48 sys/netinet/ip_input.c:242
if_input_local(ffff800000689000,fffffd80669ae400,2) at if_input_local+0x10e sys/net/if.c:774
ip_output(fffffd806c496000,0,fffffd80681e7098,20,0,fffffd80681e7020,aba0b48b42057bb5) at ip_output+0xb05 ip_mloopback sys/netinet/ip_output.c:1791 [inline]
ip_output(fffffd806c496000,0,fffffd80681e7098,20,0,fffffd80681e7020,aba0b48b42057bb5) at ip_output+0xb05 sys/netinet/ip_output.c:332
rip_output(fffffd806c496000,fffffd80688bfb68,ffff80002e348ca0,1) at rip_output+0x2cb sys/netinet/raw_ip.c:302
rip_usrreq(fffffd80688bfb68,9,fffffd806c496000,0,0,ffff8000ffff42a0) at rip_usrreq+0x49c sys/netinet/raw_ip.c:554
sosend(fffffd80688bfb68,0,ffff80002e348f30,0,0,0) at sosend+0x632 sys/kern/uipc_socket.c:582
dofilewritev(ffff8000ffff42a0,85,ffff80002e348f30,0,ffff80002e349030) at dofilewritev+0x19c sys/kern/sys_generic.c:381
sys_writev(ffff8000ffff42a0,ffff80002e348fd8,ffff80002e349030) at sys_writev+0xa7 sys/kern/sys_generic.c:328
syscall(ffff80002e3490a0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff80002e3490a0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x2f5a8dfe040, count: -20

Crashes (1):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-openbsd-multicore 2022/03/22 15:27 openbsd 63abc0ec39b5 d88ef0c5 .config log report panic:p a anciqc:uikerrinngel dbialgocnkoastbliec a s s e r t i o n "! _k er neslle_lepo lcokc_khe l dw ( )i
* Struck through repros no longer work on HEAD.