kern.securelevel: 0 -> 1 creating runtime link editor directory cache. preserving editor files. starting network daemons: sshd. starting local daemons:. Thu Feb 4 06:14:09 PST 2021 OpenBSD/amd64 (ci-openbsd-main-6.c.syzkaller.internal) (tty00) Warning: Permanently added '10.128.0.96' (ECDSA) to the list of known hosts. executing program login: vrele: bad writecount: 0xfffffd807aa48408, type VCHR, use 0, write 1, hold 0, tag VT_UFS, ino 2676, on dev 4, 0 flags 0x180, effnlink 1, nlink 1 mode 020620, owner 0, group 4, size 0 panic: vrele: v_writecount != 0 Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *251929 86380 0 0x2 0x4000000 0 syz-executor1255 db_enter() at db_enter+0x18 panic(ffffffff8243627a) at panic+0x15e vrele(fffffd807aa48408) at vrele+0x187 ptmioctl(5100,40287401,ffff8000216cbc00,3,ffff800021697270) at ptmioctl+0x5b9 VOP_IOCTL(fffffd806e6c6050,40287401,ffff8000216cbc00,3,fffffd807f7b7d80,ffff800021697270) at VOP_IOCTL+0x91 vn_ioctl(fffffd806e6b5170,40287401,ffff8000216cbc00,ffff800021697270) at vn_ioctl+0xb5 sys_ioctl(ffff800021697270,ffff8000216cbd10,ffff8000216cbd60) at sys_ioctl+0x4ac syscall(ffff8000216cbde0) at syscall+0x507 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xd8d74e49d10, count: 6 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic vrele: v_writecount != 0 ddb> trace db_enter() at db_enter+0x18 panic(ffffffff8243627a) at panic+0x15e vrele(fffffd807aa48408) at vrele+0x187 ptmioctl(5100,40287401,ffff8000216cbc00,3,ffff800021697270) at ptmioctl+0x5b9 VOP_IOCTL(fffffd806e6c6050,40287401,ffff8000216cbc00,3,fffffd807f7b7d80,ffff800021697270) at VOP_IOCTL+0x91 vn_ioctl(fffffd806e6b5170,40287401,ffff8000216cbc00,ffff800021697270) at vn_ioctl+0xb5 sys_ioctl(ffff800021697270,ffff8000216cbd10,ffff8000216cbd60) at sys_ioctl+0x4ac syscall(ffff8000216cbde0) at syscall+0x507 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xd8d74e49d10, count: -9 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff8000216cb640 rbx 0xffff8000216cb650 rdx 0x8b rcx 0x2 rax 0x1 r8 0xffffffff820e50f5 kprintf+0x155 r9 0x1 r10 0x72d6a74aa10202f7 r11 0x8e7180593447e8e r12 0x3000000008 r13 0xffff8000216cb6f0 r14 0x100 r15 0x1 rip 0xffffffff81ab85c8 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff8000216cb630 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb> show proc PROC (syz-executor1255) pid=251929 stat=onproc flags process=2 proc=4000000 pri=32, usrpri=50, nice=20 forw=0xffffffffffffffff, list=0xffff800021696a90,0xffffffff827ebf10 process=0xffff800021698808 user=0xffff8000216c6000, vmspace=0xfffffd807effc000 estcpu=0, cpticks=2, pctcpu=0.0 user=0, sys=2, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 86380 461900 23501 0 2 0x2 syz-executor1255 *86380 251929 23501 0 7 0x4000002 syz-executor1255 23501 388786 77213 0 3 0x10008a sigsusp ksh 77213 384441 23694 0 3 0x92 select sshd 24610 307496 1 0 3 0x100083 ttyin getty 23694 496809 1 0 3 0x80 select sshd 63799 215322 387 73 3 0x100090 kqread syslogd 387 484722 1 0 3 0x100082 netio syslogd 41355 196815 1 77 3 0x100090 poll dhclient 45921 328280 1 0 3 0x80 poll dhclient 55028 124421 0 0 3 0x14200 bored smr 79955 338904 0 0 2 0x14200 zerothread 52476 328560 0 0 3 0x14200 aiodoned aiodoned 16828 118230 0 0 3 0x14200 syncer update 89495 101359 0 0 3 0x14200 cleaner cleaner 49386 447446 0 0 3 0x14200 reaper reaper 65670 255095 0 0 3 0x14200 pgdaemon pagedaemon 37430 344970 0 0 3 0x14200 bored crynlk 86617 451998 0 0 3 0x14200 bored crypto 3713 365716 0 0 3 0x14200 bored viomb 78049 161911 0 0 3 0x40014200 acpi0 acpi0 25686 445512 0 0 3 0x14200 bored softnet 78058 10955 0 0 3 0x14200 bored systqmp 29497 141258 0 0 3 0x14200 bored systq 55395 65817 0 0 3 0x40014200 bored softclock 96366 438557 0 0 3 0x40014200 idle0 1 246423 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 9459 6338K 6338K 78643K 10549 0 pcb 13 8K 8K 78643K 13 0 rtable 61 2K 2K 78643K 117 0 ifaddr 24 7K 7K 78643K 24 0 counters 19 16K 16K 78643K 19 0 ioctlops 0 0K 2K 78643K 13 0 mount 1 1K 1K 78643K 1 0 vnodes 1182 74K 74K 78643K 1187 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 1K 78643K 2 0 VM map 2 0K 0K 78643K 2 0 sem 2 0K 0K 78643K 2 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12598 0 file desc 1 0K 0K 78643K 1 0 proc 47 38K 46K 78643K 284 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 in_multi 11 0K 0K 78643K 11 0 ether_multi 1 0K 0K 78643K 1 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 31 148K 148K 78643K 31 0 exec 0 0K 2K 78643K 261 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 33 1K 2K 78643K 512 0 UVM aobj 3 2K 2K 78643K 3 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 NDP 3 0K 0K 78643K 3 0 temp 18 3961K 4025K 78643K 1442 0 kqueue 2 2K 2K 78643K 2 0 SYN cache 2 16K 16K 78643K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 2 0 0 1 0 1 1 0 8 0 rtpcb 120 15 0 13 1 0 1 1 0 8 0 rtentry 112 23 0 1 1 0 1 1 0 8 0 unpcb 120 27 0 19 1 0 1 1 0 8 0 syncache 296 5 0 5 2 1 1 1 0 8 1 tcpcb 736 8 0 5 1 0 1 1 0 8 0 inpcb 304 22 0 16 1 0 1 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 96 0 0 6 0 6 6 0 8 0 art_table 32 97 0 0 1 0 1 1 0 8 0 art_node 16 22 0 2 1 0 1 1 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 1389 0 15 86 0 86 86 0 8 0 ffsino 240 1389 0 15 81 0 81 81 0 8 0 nchpl 144 1563 0 31 57 0 57 57 0 8 0 uvmvnodes 72 1398 0 0 26 0 26 26 0 8 0 vnodes 224 1398 0 0 83 0 83 83 0 8 0 namei 1024 3497 0 3497 2 1 1 1 0 8 1 scxspl 216 3434 0 3434 10 9 1 8 0 8 1 plimitpl 152 15 0 9 1 0 1 1 0 8 0 sigapl 424 192 0 166 4 0 4 4 0 8 0 futexpl 56 3 0 3 1 0 1 1 0 8 1 knotepl 112 5 0 0 1 0 1 1 0 8 0 kqueuepl 168 1 0 0 1 0 1 1 0 8 0 pipepl 304 57 0 53 2 1 1 1 0 8 0 fdescpl 432 177 0 166 2 0 2 2 0 8 0 filepl 120 827 0 781 2 0 2 2 0 8 0 lockfpl 104 5 0 4 1 0 1 1 0 8 0 lockfspl 48 3 0 2 1 0 1 1 0 8 0 sessionpl 144 17 0 9 1 0 1 1 0 8 0 pgrppl 48 17 0 9 1 0 1 1 0 8 0 ucredpl 96 63 0 56 1 0 1 1 0 8 0 zombiepl 144 166 0 166 2 1 1 1 0 8 1 processpl 1016 192 0 166 4 0 4 4 0 8 0 procpl 672 193 0 166 3 0 3 3 0 8 0 sockpl 432 64 0 48 2 0 2 2 0 8 0 mcl4k 4096 10 0 10 2 1 1 1 0 8 1 mcl2k 2048 6263 0 6223 10 3 7 9 0 8 1 mtagpl 96 2 0 2 1 1 0 1 0 8 0 mbufpl 256 7903 0 7850 7 2 5 6 0 8 1 bufpl 280 1914 0 101 130 0 130 130 0 8 0 anonpl 24 18263 0 17106 11 3 8 10 0 188 1 amapchunkpl 152 470 0 433 3 1 2 3 0 158 0 amappl16 200 67 0 62 1 0 1 1 0 8 0 amappl15 192 1 0 0 1 0 1 1 0 8 0 amappl14 184 22 0 19 1 0 1 1 0 8 0 amappl13 176 12 0 11 2 1 1 1 0 8 0 amappl12 168 8 0 8 2 1 1 1 0 8 1 amappl11 160 47 0 38 1 0 1 1 0 8 0 amappl10 152 13 0 11 1 0 1 1 0 8 0 amappl9 144 220 0 220 2 1 1 1 0 8 1 amappl8 136 59 0 57 1 0 1 1 0 8 0 amappl7 128 183 0 182 1 0 1 1 0 8 0 amappl6 120 50 0 44 1 0 1 1 0 8 0 amappl5 112 343 0 329 1 0 1 1 0 8 0 amappl4 104 241 0 219 1 0 1 1 0 8 0 amappl3 96 92 0 85 1 0 1 1 0 8 0 amappl2 88 759 0 706 2 0 2 2 0 8 0 amappl1 80 12672 0 12271 18 7 11 18 0 8 0 amappl 88 349 0 330 1 0 1 1 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 64 2 0 0 1 0 1 1 0 8 0 uaddrrnd 24 177 0 166 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 177 0 166 1 0 1 1 0 8 0 vmmpekpl 168 5290 0 5275 1 0 1 1 0 8 0 vmmpepl 168 26397 0 25610 53 17 36 48 0 357 1 vmsppl 272 176 0 166 1 0 1 1 0 8 0 rwobjpl 24 6985 0 6466 6 2 4 6 0 8 0 pdppl 4096 360 0 332 44 16 28 34 0 8 0 pvpl 32 72525 0 69716 33 6 27 27 0 265 2 pmappl 200 176 0 166 1 0 1 1 0 8 0 extentpl 40 58 0 40 1 0 1 1 0 8 0 phpool 112 251 0 25 7 0 7 7 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x18 panic(ffffffff8243627a) at panic+0x15e vrele(fffffd807aa48408) at vrele+0x187 ptmioctl(5100,40287401,ffff8000216cbc00,3,ffff800021697270) at ptmioctl+0x5b9 VOP_IOCTL(fffffd806e6c6050,40287401,ffff8000216cbc00,3,fffffd807f7b7d80,ffff800021697270) at VOP_IOCTL+0x91 vn_ioctl(fffffd806e6b5170,40287401,ffff8000216cbc00,ffff800021697270) at vn_ioctl+0xb5 sys_ioctl(ffff800021697270,ffff8000216cbd10,ffff8000216cbd60) at sys_ioctl+0x4ac syscall(ffff8000216cbde0) at syscall+0x507 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xd8d74e49d10, count: -9 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x18 panic(ffffffff8243627a) at panic+0x15e vrele(fffffd807aa48408) at vrele+0x187 ptmioctl(5100,40287401,ffff8000216cbc00,3,ffff800021697270) at ptmioctl+0x5b9 VOP_IOCTL(fffffd806e6c6050,40287401,ffff8000216cbc00,3,fffffd807f7b7d80,ffff800021697270) at VOP_IOCTL+0x91 vn_ioctl(fffffd806e6b5170,40287401,ffff8000216cbc00,ffff800021697270) at vn_ioctl+0xb5 sys_ioctl(ffff800021697270,ffff8000216cbd10,ffff8000216cbd60) at sys_ioctl+0x4ac syscall(ffff8000216cbde0) at syscall+0x507 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xd8d74e49d10, count: -9 ddb>