Fapanic: uma_zalloc: Bucket pointer mangled. cpuid = 0 time = 1579525197 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe00245691d0 vpanic() at vpanic+0x1ce/frame 0xfffffe0024569240 panic() at panic+0x43/frame 0xfffffe00245692a0 uma_zalloc_arg() at uma_zalloc_arg+0x30c/frame 0xfffffe0024569300 vm_page_alloc_domain_after() at vm_page_alloc_domain_after+0x20d/frame 0xfffffe00245693a0 vm_page_alloc() at vm_page_alloc+0x74/frame 0xfffffe0024569400 get_pv_entry() at get_pv_entry+0xb3/frame 0xfffffe0024569450 pmap_enter() at pmap_enter+0xefd/frame 0xfffffe0024569530 vm_fault() at vm_fault+0x20a8/frame 0xfffffe00245696d0 vm_fault_trap() at vm_fault_trap+0xa2/frame 0xfffffe0024569720 trap_pfault() at trap_pfault+0x3f7/frame 0xfffffe00245697c0 trap() at trap+0x441/frame 0xfffffe0024569900 calltrap() at calltrap+0x8/frame 0xfffffe0024569900 --- trap 0xc, rip = 0xffffffff8175fa26, rsp = 0xfffffe00245699d0, rbp = 0xfffffe00245699d0 --- copyin_nosmap_erms() at copyin_nosmap_erms+0x156/frame 0xfffffe00245699d0 freebsd32_sendmsg() at freebsd32_sendmsg+0x48e/frame 0xfffffe0024569ab0 ia32_syscall() at ia32_syscall+0x48c/frame 0xfffffe0024569bf0 int0x80_syscall_common() at int0x80_syscall_common+0x9c/frame 0x8143001 KDB: enter: panic [ thread pid 6605 tid 100891 ] Stopped at kdb_enter+0x67: movq $0,0x1466d86(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b ll+0x1a es 0x3b ll+0x1a fs 0x13 gs 0x1b ss 0 rax 0x12 rcx 0xfffffe0025e00000 rdx 0x3ffff rbx 0 rsp 0xfffffe00245691b0 rbp 0xfffffe00245691d0 rsi 0x40001 rdi 0xffffffff810ba256 vprintf+0x176 r8 0 r9 0xffffffff r10 0xfffffe002456961c r11 0xfffff8003af554f0 r12 0xffffffff82068d90 ddb_dbbe r13 0 r14 0xffffffff8193636f r15 0xffffffff8193636f rip 0xffffffff810af317 kdb_enter+0x67 rflags 0x200082 kernphys+0x82 kdb_enter+0x67: movq $0,0x1466d86(%rip) db> show proc Process 6605 (syz-executor.1) at 0xfffff8003ac09a60: state: NORMAL uid: 0 gids: 0, 0, 5 parent: pid 769 at 0xfffff8003a6f6a60 ABI: FreeBSD ELF32 arguments: /root/syz-executor.1 reaper: 0xfffff800032fa530 reapsubtree: 1 sigparent: 20 vmspace: 0xfffff8003aed9000 (map 0xfffff8003aed9000) (map.pmap 0xfffff8003aed90c0) (pmap 0xfffff8003aed9120) threads: 2 101079 s syz-executor.1 100891 Run CPU 0 syz-executor.1 db> ps pid ppid pgrp uid state wmesg wchan cmd 6605 769 769 0 T (threaded) syz-executor.1 101079 s syz-executor.1 100891 Run CPU 0 syz-executor.1 6604 791 791 0 R (threaded) syz-executor.3 101148 RunQ syz-executor.3 100883 RunQ syz-executor.3 100884 S uwait 0xfffff800210d0a80 syz-executor.3 6603 771 771 0 R (threaded) syz-executor.2 100074 RunQ syz-executor.2 100887 Run CPU 1 syz-executor.2 100889 S uwait 0xfffff80003d97600 syz-executor.2 6602 768 768 0 R (threaded) syz-executor.0 100124 RunQ syz-executor.0 100874 RunQ syz-executor.0 100888 S accept 0xfffff80003e80878 syz-executor.0 100881 S uwait 0xfffff80003300100 syz-executor.0 5554 1 5554 65 Ss select 0xfffff80003f60240 dhclient 4350 1 4350 0 Ss select 0xfffff8003af440c0 dhclient 4347 1 4347 0 Ss select 0xfffff8003ac43f40 dhclient 4326 1 4326 65 Ss select 0xfffff80003f60340 dhclient 3101 1 3101 0 Ss select 0xfffff8003af442c0 dhclient 3098 1 3098 0 Ss select 0xfffff80003f604c0 dhclient 3076 1 3076 65 Ss select 0xfffff8003af441c0 dhclient 1776 1 1776 0 Ss select 0xfffff80003f603c0 dhclient 1773 1 1773 0 Ss select 0xfffff80003f60440 dhclient 1753 1 1753 65 Ss select 0xfffff8003af44240 dhclient 1032 1 1032 0 Ss select 0xfffff80003f605c0 dhclient 1029 1 1029 0 Ss select 0xfffff8003af444c0 dhclient 791 766 791 0 Rs syz-executor.3 771 766 771 0 Rs syz-executor.2 769 766 769 0 Rs syz-executor.1 768 766 768 0 Rs syz-executor.0 766 764 764 0 S (threaded) syz-fuzzer 100100 S uwait 0xfffff80003a48180 syz-fuzzer 100101 S uwait 0xfffff80003df6b80 syz-fuzzer 100102 S uwait 0xfffff80003e02080 syz-fuzzer 100103 S uwait 0xfffff80003d97d80 syz-fuzzer 100104 S uwait 0xfffff80003d97e80 syz-fuzzer 100105 S uwait 0xfffff80003a48280 syz-fuzzer 100106 S uwait 0xfffff80003a48380 syz-fuzzer 100107 S uwait 0xfffff80003df6000 syz-fuzzer 100108 S kqread 0xfffff8000333b900 syz-fuzzer 100110 S uwait 0xfffff80003a47c00 syz-fuzzer 100112 S uwait 0xfffff80003a47d00 syz-fuzzer 764 762 764 0 Ss pause 0xfffff8003a704b08 csh 762 0 762 0 Ss select 0xfffff80003f608c0 sshd 746 1 746 0 Ss+ ttyin 0xfffff800033f7cb0 getty 745 1 745 0 Ss+ ttyin 0xfffff800033f8cb0 getty 744 1 744 0 Ss+ ttyin 0xfffff80003aba0b0 getty 743 1 743 0 Ss+ ttyin 0xfffff80003aba4b0 getty 742 1 742 0 Ss+ ttyin 0xfffff80003aba8b0 getty 741 1 741 0 Ss+ ttyin 0xfffff80003abacb0 getty 740 1 740 0 Ss+ ttyin 0xfffff80003abb0b0 getty 739 1 739 0 Ss+ ttyin 0xfffff80003abb4b0 getty 738 1 738 0 Ss+ ttyin 0xfffff80003abb8b0 getty 684 1 684 0 Ss nanslp 0xffffffff824feca0 cron 0 0 0 0 NW db> show all locks Process 6605 (syz-executor.1) thread 0xfffff8003af55000 (100891) exclusive sleep mutex pmap (pmap) r = 0 (0xfffff8003aed9120) locked @ /syzkaller/managers/i386/kernel/sys/amd64/amd64/pmap.c:6027 shared sx vm map (user) (vm map (user)) r = 0 (0xfffff8003aed9060) locked @ /syzkaller/managers/i386/kernel/sys/vm/vm_map.c:4776 Process 6604 (syz-executor.3) thread 0xfffff8003a5e9000 (100883) exclusive lockmgr bufwait (bufwait) r = 0 (0xfffffe0003f3ebc0) locked @ /syzkaller/managers/i386/kernel/sys/kern/vfs_bio.c:1665 exclusive lockmgr ufs (ufs) r = 0 (0xfffff8003a5dc438) locked @ /syzkaller/managers/i386/kernel/sys/kern/vfs_vnops.c:877 Process 6603 (syz-executor.2) thread 0xfffff8002161a000 (100887) exclusive lockmgr bufwait (bufwait) r = 0 (0xfffffe0003f37380) locked @ /syzkaller/managers/i386/kernel/sys/kern/vfs_bio.c:1665 exclusive lockmgr ufs (ufs) r = 0 (0xfffff8003a5fb068) locked @ /syzkaller/managers/i386/kernel/sys/kern/vfs_vnops.c:877 Process 6602 (syz-executor.0) thread 0xfffff8002124f000 (100874) exclusive lockmgr bufwait (bufwait) r = 0 (0xfffffe0003f47440) locked @ /syzkaller/managers/i386/kernel/sys/kern/vfs_bio.c:1665 exclusive lockmgr ufs (ufs) r = 0 (0xfffff8003a5dc068) locked @ /syzkaller/managers/i386/kernel/sys/kern/vfs_vnops.c:877 db> show malloc Type InUse MemUse Requests devbuf 4213 4851K 4241 vtbuf 24 1968K 46 sysctloid 26527 1553K 26591 kobj 331 1324K 487 newblk 62 1040K 83796 vfscache 4 1025K 4 pcb 39 551K 2225 inodedep 13 518K 10528 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 388K 4 subproc 143 285K 6688 acpica 1674 185K 49750 vnet_data 1 168K 1 filedesc 21 149K 11293 pagedep 9 130K 5654 tfo_ccache 1 128K 1 sem 4 106K 4 DEVFS1 105 105K 122 linker 221 89K 252 BPF 46 88K 46 bus 962 78K 3330 mtx_pool 2 72K 2 syncache 1 68K 1 acpitask 1 64K 1 ddb_capture 1 64K 1 module 493 62K 493 umtx 340 43K 340 kdtrace 191 37K 22289 shm 2 34K 4 gtaskqueue 22 34K 22 hostcache 1 32K 1 DEVFS3 124 31K 134 msg 4 30K 4 DEVFS_RULE 56 27K 56 ifaddr 74 25K 76 kbdmux 6 22K 6 vmem 3 20K 5 temp 34 17K 2310 ufs_mount 3 17K 4 proc 3 17K 3 lltable 44 16K 101 tty 16 16K 16 tidhash 1 16K 1 ithread 89 15K 89 ether_multi 172 14K 177 bus-sc 30 14K 1394 KTRACE 100 13K 100 ifnet 7 13K 7 kenv 95 12K 99 eventhandler 123 11K 123 in6_multi 89 11K 89 pfs_nodes 20 10K 20 GEOM 60 10K 487 rman 82 10K 423 bmsafemap 2 9K 10526 devstat 4 9K 4 UART 12 9K 12 rpc 2 8K 2 shmfd 1 8K 1 cred 32 8K 253 pfs_vncache 1 8K 1 sctp_timw 31 8K 31 audit_evclass 231 8K 289 routetbl 58 7K 62 kqueue 63 7K 6612 CAM DEV 3 6K 508 plimit 24 6K 426 vt 11 6K 11 sglist 5 6K 5 CAM queue 5 6K 1522 sctp_atcl 10 5K 332 select 40 5K 40 DEVFSP 78 5K 82 ufs_dirhash 24 5K 24 taskqueue 42 5K 42 session 35 5K 50 pgrp 35 5K 52 memdesc 1 4K 1 MCA 32 4K 32 sctp_stro 4 4K 109 evdev 4 4K 4 kcovinfo 64 4K 68 freework 16 4K 37541 UMA 234 4K 234 lockf 32 4K 54 hhook 13 4K 13 proc-args 52 3K 661 acpisem 22 3K 22 terminal 11 3K 11 uidinfo 5 3K 8 sctp_ifa 17 3K 17 local_apic 1 2K 1 io_apic 1 2K 1 ipsec-saq 2 2K 2 ip6ndp 12 2K 21 Unitno 30 2K 16015 CAM XPT 22 2K 541 in_multi 6 2K 7 acpidev 20 2K 20 crypto 2 2K 2 msi 9 2K 9 tun 7 2K 7 ipsecpolicy 1 1K 1 sahead 1 1K 1 secasvar 1 1K 1 clone 8 1K 8 vnodemarker 2 1K 47 NFSD session 1 1K 1 diradd 7 1K 8856 CAM periph 4 1K 270 freeblks 3 1K 10204 indirdep 3 1K 47911 mld 6 1K 6 sctp_ifn 6 1K 6 igmp 6 1K 6 toponodes 6 1K 6 isadev 6 1K 6 mount 16 1K 86 pci_link 10 1K 10 sctp_atky 14 1K 441 iov 7 1K 23085 CAM SIM 2 1K 2 softdep 1 1K 1 mkdir 4 1K 11264 pfil 4 1K 4 chacha20random 1 1K 1 epoch 4 1K 4 cdev 2 1K 2 inpcbpolicy 14 1K 2291 encap_export_host 8 1K 8 freefile 3 1K 8811 osd 3 1K 9 newdirblk 4 1K 5632 dirrem 2 1K 8813 vnodes 1 1K 1 NFSD lckfile 1 1K 1 NFSD V4client 1 1K 1 DEVFS 9 1K 10 feeder 7 1K 7 loginclass 3 1K 3 sctp_athm 10 1K 334 CAM path 4 1K 1030 apmdev 1 1K 1 atkbddev 2 1K 2 sctp_map 8 1K 218 soname 5 1K 7846 pmchooks 1 1K 1 prison 4 1K 4 CAM dev queue 2 1K 2 CAM I/O Scheduler 1 1K 1 nexusdev 5 1K 5 filecaps 5 1K 116 entropy 2 1K 42 tcpfunc 1 1K 1 sctp_vrf 1 1K 1 vnet 1 1K 1 acpiintr 1 1K 1 pmc 1 1K 1 cpus 2 1K 2 vnet_data_free 1 1K 1 Per-cpu 1 1K 1 p1003.1b 1 1K 1 CAM CCB 0 0K 167375 madt_table 0 0K 2 PUC 0 0K 0 ppbusdev 0 0K 0 agtiapi_MemAlloc malloc 0 0K 0 osti_cacheable 0 0K 0 tempbuff 0 0K 0 tempbuff 0 0K 0 pvscsi 0 0K 0 smartpqi 0 0K 0 ag_tgt_map_t malloc 0 0K 0 ag_slr_map_t malloc 0 0K 0 lDevFlags * malloc 0 0K 0 tiDeviceHandle_t * malloc 0 0K 0 ag_portal_data_t malloc 0 0K 0 ag_device_t malloc 0 0K 0 STLock malloc 0 0K 0 CCB List 0 0K 0 iavf 0 0K 0 ixl 0 0K 0 sr_iov 0 0K 0 OCS 0 0K 0 OCS 0 0K 0 nvme 0 0K 0 nvd 0 0K 0 netmap 0 0K 0 mwldev 0 0K 0 MVS driver 0 0K 0 fpukern_ctx 0 0K 0 xen_intr 0 0K 0 CAM ccb queue 0 0K 0 xen_hvm 0 0K 0 legacydrv 0 0K 0 qpidrv 0 0K 0 mrsasbuf 0 0K 0 mpt_user 0 0K 0 dmar_idpgtbl 0 0K 0 dmar_dom 0 0K 0 dmar_ctx 0 0K 0 dmar_dmamap 0 0K 0 mps_user 0 0K 0 MPSSAS 0 0K 0 isci 0 0K 0 bxe_ilt 0 0K 0 xenbus 0 0K 0 vm_fictitious 0 0K 0 mps 0 0K 0 mpr_user 0 0K 0 MPRSAS 0 0K 0 UMAHash 0 0K 0 vm_pgdata 0 0K 0 jblocks 0 0K 0 savedino 0 0K 21706 sentinel 0 0K 0 jfsync 0 0K 0 jtrunc 0 0K 0 sbdep 0 0K 19 jsegdep 0 0K 0 jseg 0 0K 0 jfreefrag 0 0K 0 jfreeblk 0 0K 0 jnewblk 0 0K 0 jmvref 0 0K 0 jremref 0 0K 0 jaddref 0 0K 0 freedep 0 0K 0 freefrag 0 0K 5 allocindir 0 0K 0 allocdirect 0 0K 0 ufs_trim 0 0K 0 mactemp 0 0K 0 audit_trigger 0 0K 0 audit_pipe_presel 0 0K 0 audit_pipeent 0 0K 0 audit_pipe 0 0K 0 audit_evname 0 0K 0 audit_bsm 0 0K 0 audit_gidset 0 0K 0 audit_text 0 0K 0 audit_path 0 0K 0 audit_data 0 0K 0 audit_cred 0 0K 0 xform 0 0K 0 NLM 0 0K 0 nfsclient_nlminfo 0 0K 0 nfsclient_lock 0 0K 0 NFS FHA 0 0K 0 ipsec-spdcache 0 0K 0 ipsec-reg 0 0K 0 ipsec-misc 0 0K 0 ipsecrequest 0 0K 0 ip6opt 0 0K 16 ip6_msource 0 0K 0 ip6_moptions 0 0K 0 in6_mfilter 0 0K 0 frag6 0 0K 0 tcplog 0 0K 0 LRO 0 0K 0 sctp_mcore 0 0K 0 sctp_socko 0 0K 331 sctp_iter 0 0K 9 sctp_mvrf 0 0K 0 sctp_cpal 0 0K 0 sctp_cmsg 0 0K 0 sctp_stre 0 0K 0 sctp_athi 0 0K 0 sctp_a_it 0 0K 9 sctp_aadr 0 0K 0 sctp_stri 0 0K 0 newreno data 0 0K 0 ip_msource 0 0K 0 ip_moptions 0 0K 4 in_mfilter 0 0K 0 ipid 0 0K 0 80211scan 0 0K 0 80211ratectl 0 0K 0 80211power 0 0K 0 80211nodeie 0 0K 0 80211node 0 0K 0 80211mesh_gt 0 0K 0 80211mesh_rt 0 0K 0 80211perr 0 0K 0 80211prep 0 0K 0 80211preq 0 0K 0 80211dfs 0 0K 0 80211crypto 0 0K 0 80211vap 0 0K 0 iflib 0 0K 0 vlan 0 0K 0 gif 0 0K 0 ifdescr 0 0K 0 zlib 0 0K 0 fadvise 0 0K 0 mpr 0 0K 0 statfs 0 0K 5815 export_host 0 0K 0 cl_savebuf 0 0K 2 biobuf 0 0K 0 aios 0 0K 0 lio 0 0K 0 acl 0 0K 0 mfibuf 0 0K 0 mbuf_tag 0 0K 178 accf 0 0K 0 pts 0 0K 0 ioctlops 0 0K 145 Witness 0 0K 0 stack 0 0K 0 md_sectors 0 0K 0 sbuf 0 0K 288 md_disk 0 0K 0 compressor 0 0K 0 malodev 0 0K 0 SWAP 0 0K 0 LED 0 0K 0 sysctltmp 0 0K 682 sysctl 0 0K 1 ekcd 0 0K 0 dumper 0 0K 0 rctl 0 0K 0 ix_sriov 0 0K 0 aacraidcam 0 0K 0 ix 0 0K 0 ipsbuf 0 0K 0 iirbuf 0 0K 0 cache 0 0K 0 aacraid_buf 0 0K 0 prison_racct 0 0K 0 Fail Points 0 0K 0 sigio 0 0K 53 filedesc_to_leader 0 0K 0 tty console 0 0K 0 aaccam 0 0K 0 aacbuf 0 0K 0 zstd 0 0K 0 nvlist 0 0K 0 SCSI ENC 0 0K 0 SCSI sa 0 0K 0 isofs_node 0 0K 0 isofs_mount 0 0K 0 tr_raid5_data 0 0K 0 tr_raid1e_data 0 0K 0 tr_raid1_data 0 0K 0 tr_raid0_data 0 0K 0 tr_concat_data 0 0K 0 md_sii_data 0 0K 0 md_promise_data 0 0K 0 md_nvidia_data 0 0K 0 md_jmicron_data 0 0K 0 md_intel_data 0 0K 0 md_ddf_data 0 0K 0 raid_data 0 0K 72 geom_flashmap 0 0K 0 newnfsmnt 0 0K 0 newnfsclient_req 0 0K 0 NFSCL layrecall 0 0K 0 NFSCL session 0 0K 0 NFSCL sockreq 0 0K 0 NFSCL devinfo 0 0K 0 NFSCL flayout 0 0K 0 NFSCL layout 0 0K 0 NFSD rollback 0 0K 0 NFSCL diroffdiroff 0 0K 0 NEWdirectio 0 0K 0 NEWNFSnode 0 0K 0 NFSCL lck 0 0K 0 NFSCL lckown 0 0K 0 NFSCL client 0 0K 0 NFSCL deleg 0 0K 0 NFSCL open 0 0K 0 NFSCL owner 0 0K 0 NFS fh 0 0K 0 NFS req 0 0K 0 NFSD usrgroup 0 0K 0 NFSD string 0 0K 0 NFSD V4lock 0 0K 0 NFSD V4state 0 0K 0 NFSD srvcache 0 0K 0 msdosfs_fat 0 0K 0 msdosfs_mount 0 0K 0 msdosfs_node 0 0K 0 DEVFS4 0 0K 0 DEVFS2 0 0K 0 gntdev 0 0K 0 privcmd_dev 0 0K 0 evtchn_dev 0 0K 0 xenstore 0 0K 0 scsi_pass 0 0K 0 ciss_data 0 0K 0 xnb 0 0K 0 xbbd 0 0K 0 xbd 0 0K 0 Balloon 0 0K 0 sysmouse 0 0K 0 vtfont 0 0K 0 ath_hal 0 0K 0 athdev 0 0K 0 ata_pci 0 0K 0 ata_dma 0 0K 0 ata_generic 0 0K 0 amr 0 0K 0 scsi_da 0 0K 69 ata_da 0 0K 0 scsi_ch 0 0K 0 scsi_cd 0 0K 0 USBdev 0 0K 0 USB 0 0K 0 AHCI driver 0 0K 0 agp 0 0K 0 nvme_da 0 0K 0 acpipwr 0 0K 0 twsbuf 0 0K 0 twe_commands 0 0K 0 twa_commands 0 0K 0 tcp_log_dev 0 0K 0 midi buffers 0 0K 0 mixer 0 0K 0 ac97 0 0K 0 hdacc 0 0K 0 hdac 0 0K 0 hdaa 0 0K 0 acpi_perf 0 0K 0 acpicmbat 0 0K 0 SIIS driver 0 0K 0 db> show ktr No such command; use "help" to list available commands