*cpu1: uvm_fault(0xfffffd800b063988, 0x0, 0, 1) -> e ddb{0}> trace proc_trampoline() at proc_trampoline+0xc7 end of kernel end trace frame: 0x37f57b2d5e0, count: -1 ddb{0}> show registers rdi 0 rsi 0 rbp 0xffff80002a353140 rbx 0 rdx 0 rcx 0xffff80003c49fa48 rax 0x2a r8 0xffff80002a353070 r9 0x1 r10 0x1bc0076356abf5c6 r11 0xe809d56676bf0bd4 r12 0 r13 0 r14 0 r15 0 rip 0xffffffff81de74c7 proc_trampoline+0xc7 cs 0x8 rflags 0x246 rsp 0xffff80002a3530c0 ss 0 proc_trampoline+0xc7: movl $0,%gs:0x688 ddb{0}> show proc PROC (syz-executor) tid=302356 pid=87687 tcnt=2 stat=onproc flags process=0 proc=4000000 runpri=50, usrpri=50, slppri=17, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80003c49e058,0xffff8000ffffca78 process=0xffff80003c45f9f0 user=0xffff80002a34e000, vmspace=0xfffffd8066845218 estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 2509 114554 84928 0 2 0 syz-executor 15728 61779 75944 0 2 0 syz-executor 87687 147200 98497 0 2 0 syz-executor *87687 302356 98497 0 7 0x4000000 syz-executor 97135 15066 57667 0 2 0 syz-executor 97135 124525 57667 0 3 0x4000080 fsleep syz-executor 16982 332739 11943 -1 2 0x10 syz-executor 16982 276519 11943 -1 3 0x4000090 fsleep syz-executor 16982 232627 11943 -1 3 0x4000090 fsleep syz-executor 16982 112054 11943 -1 3 0x4000090 fsleep syz-executor 92579 458592 13463 0 2 0 syz-executor 92579 227881 13463 0 3 0x4000080 sbwait syz-executor 92579 410475 13463 0 2 0x4000000 syz-executor 27980 204162 36632 0 2 0 syz-executor 27980 470645 36632 0 3 0x4000080 sbwait syz-executor 27980 3474 36632 0 3 0x4000080 fsleep syz-executor 73476 107482 0 0 3 0x14200 acct acct 98497 477807 61553 0 3 0x82 nanoslp syz-executor 13463 179263 61553 0 2 0x2 syz-executor 36632 132825 61553 0 3 0x82 nanoslp syz-executor 41641 495452 1 0 3 0x100083 ttyopn getty 84928 436898 61553 0 3 0x82 nanoslp syz-executor 92894 477415 0 0 3 0x14280 nfsidl nfsio 92403 21054 0 0 3 0x14280 nfsidl nfsio 95410 496063 0 0 3 0x14280 nfsidl nfsio 42747 200762 0 0 3 0x14280 nfsidl nfsio 1233 496586 0 0 3 0x14280 nfsidl nfsio 99982 158819 0 0 3 0x14280 nfsidl nfsio 53652 350732 0 0 3 0x14280 nfsidl nfsio 93329 144434 0 0 3 0x14280 nfsidl nfsio 12339 489469 0 0 3 0x14280 nfsidl nfsio 85890 182307 0 0 3 0x14280 nfsidl nfsio 91184 397188 0 0 3 0x14280 nfsidl nfsio 43640 64520 0 0 3 0x14280 nfsidl nfsio 54016 207205 0 0 3 0x14280 nfsidl nfsio 78862 438411 0 0 3 0x14280 nfsidl nfsio 9035 206663 0 0 3 0x14280 nfsidl nfsio 49239 379984 0 0 3 0x14280 nfsidl nfsio 58834 306884 0 0 3 0x14280 nfsidl nfsio 42427 31844 0 0 3 0x14280 nfsidl nfsio 23198 146279 0 0 3 0x14280 nfsidl nfsio 10681 318260 0 0 3 0x14280 nfsidl nfsio 57667 205885 61553 0 3 0x82 nanoslp syz-executor 75944 301147 61553 0 3 0x82 nanoslp syz-executor 74191 243329 61553 0 3 0x82 nanoslp syz-executor 11943 483150 61553 0 3 0x82 nanoslp syz-executor 61553 499609 70402 0 3 0x82 kqread syz-executor 70402 399555 77934 0 3 0x10008a sigsusp ksh 77934 206318 14432 0 3 0x98 kqread sshd-session 14432 115381 80481 0 3 0x92 kqread sshd-session 80481 178740 1 0 3 0x88 kqread sshd 76255 15834 13785 74 3 0x1100092 bpf pflogd 13785 228017 1 0 3 0x80 sbwait pflogd 21506 426236 49717 73 3 0x1100090 kqread syslogd 49717 318207 1 0 3 0x100082 sbwait syslogd 93908 332275 1 0 3 0x100080 kqread resolvd 37601 112120 0 0 3 0x14200 bored smr 93877 8391 0 0 2 0x14200 zerothread 46201 277731 0 0 3 0x14200 aiodoned aiodoned 2937 83267 0 0 3 0x14200 syncer update 39181 242385 0 0 3 0x14200 cleaner cleaner 559 227416 0 0 3 0x14200 reaper reaper 36075 390450 0 0 3 0x14200 pgdaemon pagedaemon 7069 19445 0 0 3 0x14200 bored viomb 92233 114494 0 0 3 0x40014200 acpi0 acpi0 5875 3808 0 0 3 0x40014200 idle1 47465 237935 0 0 3 0x14200 bored softnet1 16080 294194 0 0 3 0x14200 bored softnet0 36586 445298 0 0 3 0x14200 bored systqmp 29890 243504 0 0 3 0x14200 bored systq 72126 336345 0 0 3 0x14200 tmoslp softclockmp 11804 454028 0 0 3 0x40014200 tmoslp softclock 97476 181940 0 0 3 0x40014200 idle0 1 266989 0 0 3 0x80082 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb{0}> show all locks CPU 0: exclusive mutex &pmap->pm_mtx r = 0 (0xfffffd8063467f10) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 mtx_enter+0x4b4 sys/kern/kern_lock.c:487 #2 pmap_enter+0x24b rcr3 sys/arch/amd64/compile/SYZKALLER/obj/machine/cpufunc.h:139 [inline] #2 pmap_enter+0x24b pmap_map_ptes sys/arch/amd64/amd64/pmap.c:437 [inline] #2 pmap_enter+0x24b sys/arch/amd64/amd64/pmap.c:2767 #3 uvm_fault_lower_lookup+0x369 sys/uvm/uvm_fault.c:-1 #4 uvm_fault_lower+0x89 sys/uvm/uvm_fault.c:1334 #5 uvm_fault+0x274 sys/uvm/uvm_fault.c:-1 #6 upageflttrap+0xa9 sys/arch/amd64/amd64/trap.c:192 #7 usertrap+0x42f sys/arch/amd64/amd64/trap.c:632 #8 recall_trap+0x8 Process 87687 (syz-executor) thread 0xffff80003c49fa48 (302356) ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 11148 12283K 14157K 166960K 22955 0 pcb 17 24K 40K 166960K 4124 0 rtable 299 22K 23K 166960K 3247 0 pf 42 18K 20K 166960K 1249 0 ifaddr 47 15K 19K 166960K 868 0 ifgroup 71 2K 3K 166960K 1613 0 sysctl 4 1K 9K 166960K 80 0 counters 78 38K 40K 166960K 2236 0 ioctlops 0 0K 4K 166960K 5290 0 iov 1 4K 24K 166960K 1288 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1509 95K 95K 166960K 10278 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 2K 5K 166960K 34 0 VM map 2 1K 1K 166960K 2 0 sem 15 1K 1K 166960K 616 0 dirhash 12 2K 3K 166960K 279 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 18 65K 240K 166960K 12500 0 sigio 0 0K 0K 166960K 443 0 proc 67 83K 164K 166960K 2946 0 subproc 72 4K 4K 166960K 420 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 1851 0 in_multi 84 6K 7K 166960K 1127 0 ether_multi 1 0K 0K 166960K 157 0 mrt 1 0K 0K 166960K 102 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 289 1288K 1288K 166960K 289 0 exec 0 0K 1K 166960K 3984 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 16 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 218 142K 194K 166960K 108096 0 UVM aobj 170 111K 111K 166960K 199 0 pinsyscall 37 74K 100K 166960K 14430 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 1K 166960K 1274 0 NDP 16 0K 1K 166960K 657 0 temp 106 8688K 8944K 166960K 675012 0 kqueue 9 13K 30K 166960K 2602 0 SYN cache 2 8K 16K 166960K 3 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 120 1487 0 1486 11 9 2 3 0 8 1 rtentry 176 937 0 834 8 2 6 6 0 8 0 unpcb 144 11342 0 11328 101 100 1 10 0 8 0 syncache 336 8 0 8 5 5 0 1 0 8 0 tcpqe 32 4 0 4 2 2 0 1 0 8 0 tcpcb 736 4551 0 4545 102 98 4 8 0 8 3 arp 136 139 0 121 1 0 1 1 0 8 0 ipq 40 1 0 1 1 1 0 1 0 8 0 ipqe 40 11 0 11 1 1 0 1 0 8 0 inpcb 328 17938 0 17932 160 156 4 17 0 8 2 nd6 152 185 0 159 2 0 2 2 0 8 0 pkpcb 40 347 0 347 31 31 0 1 0 8 0 kcovpl 48 45 0 37 1 0 1 1 0 8 0 mppekey 1024 6 0 6 4 4 0 1 0 8 0 ppxss 1192 890 0 890 13 12 1 1 0 8 1 pppxif 1504 155 0 155 30 30 0 1 0 8 0 pffrag 232 114 0 105 2 1 1 2 0 482 0 pffrnode 88 89 0 80 1 0 1 1 0 8 0 pffrent 40 345 0 336 1 0 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfrktable 1344 4 0 4 3 3 0 1 0 8 0 pftag 88 2 0 0 1 0 1 1 0 8 0 pfrule 1360 73 0 73 3 3 0 1 0 8 0 rttmr 136 24 0 24 17 16 1 1 0 8 1 art_heap8 4096 5 0 0 5 0 5 5 0 8 0 art_heap4 256 4370 0 3950 82 51 31 39 0 8 3 art_table 40 4375 0 3950 7 0 7 7 0 8 0 art_node 32 926 0 839 1 0 1 1 0 8 0 sysvmsgpl 40 50 0 12 1 0 1 1 0 8 0 semupl 112 5 0 5 5 5 0 1 0 8 0 semapl 112 610 0 597 1 0 1 1 0 8 0 shmpl 112 129 0 14 4 0 4 4 0 8 0 dirhash 1024 200 0 183 3 0 3 3 0 8 0 dino2pl 256 26402 0 24788 103 1 102 102 0 8 0 ffsino 296 26402 0 24788 127 2 125 125 0 8 0 nchpl 144 43399 0 42693 68 41 27 64 0 8 0 rtmask 32 112 0 112 31 30 1 1 0 8 1 vnodes 216 5926 0 0 330 0 330 330 0 8 0 namei 1024 164838 0 164838 15 14 1 4 0 8 1 percpumem 16 1133 0 1079 1 0 1 1 0 8 0 vcpupl 3968 56 0 4 7 0 7 7 0 8 0 vmpool 848 65 0 13 6 0 6 6 0 8 0 kstatmem 264 1112 0 1072 9 6 3 4 0 8 0 acpiwqpl 32 4 0 4 1 0 1 1 1 8 1 scsiplug 72 57 0 57 26 26 0 1 0 8 0 scxspl 216 358319 0 358319 39 37 2 8 1 8 2 plimitpl 152 4409 0 4392 2 1 1 2 0 8 0 sigapl 424 12664 0 12598 12 4 8 8 0 8 0 knotepl 120 1295 0 0 24 0 24 24 0 8 0 kqueuepl 224 5849 0 5841 71 70 1 13 0 8 0 pipepl 344 1994 0 1965 47 43 4 9 0 8 0 fdescpl 528 12537 0 12508 3 0 3 3 0 8 0 filepl 160 103437 0 103163 150 137 13 25 0 8 1 lockfpl 104 5311 0 5310 10 9 1 2 0 8 0 lockfspl 48 1641 0 1640 1 0 1 1 0 8 0 sessionpl 144 67 0 59 1 0 1 1 0 8 0 pgrppl 48 483 0 467 1 0 1 1 0 8 0 ucredpl 104 17299 0 17287 1 0 1 1 0 8 0 zombiepl 144 14307 0 14306 3 2 1 1 0 8 0 processpl 1232 12664 0 12598 7 1 6 6 0 8 0 procpl 664 31780 0 31705 13 5 8 8 0 8 0 sosppl 176 132 0 132 28 27 1 1 0 8 1 sockpl 752 31961 0 31940 368 362 6 28 0 8 1 mcl64k 65536 10 0 0 2 0 2 2 0 8 0 mcl16k 16384 5 0 0 1 0 1 1 0 8 0 mcl12k 12288 3 0 0 1 0 1 1 0 8 0 mcl9k 9216 3 0 0 1 0 1 1 0 8 0 mcl8k 8192 5 0 0 1 0 1 1 0 8 0 mcl4k 4096 127 0 0 16 0 16 16 0 8 0 mcl2k2 2112 1 0 0 1 0 1 1 0 8 0 mcl2k 2048 81 0 0 7 2 5 5 0 8 0 mtagpl 96 6 0 0 1 0 1 1 0 8 0 mbufpl 256 2068 0 0 112 0 112 112 0 8 0 bufpl 280 149747 0 143611 439 0 439 439 0 8 0 anonpl 32 18522 0 0 146 0 146 146 0 246 0 amapchunkpl 152 396279 0 395735 183 147 36 36 0 158 9 amappl16 200 48360 0 48155 392 370 22 41 0 8 3 amappl15 192 9 0 8 3 2 1 1 0 8 0 amappl14 184 9 0 9 4 4 0 1 0 8 0 amappl13 176 867 0 866 1 0 1 1 0 8 0 amappl12 168 13164 0 13128 3 0 3 3 0 8 0 amappl11 160 16 0 16 7 7 0 1 0 8 0 amappl10 152 51 0 42 1 0 1 1 0 8 0 amappl9 144 262 0 261 2 1 1 1 0 8 0 amappl8 136 30 0 26 1 0 1 1 0 8 0 amappl7 128 237 0 235 1 0 1 1 0 8 0 amappl6 120 744 0 733 1 0 1 1 0 8 0 amappl5 112 77 0 68 1 0 1 1 0 8 0 amappl4 104 666 0 638 1 0 1 1 0 8 0 amappl3 96 70614 0 70535 4 1 3 3 0 8 0 amappl2 88 12579 0 12519 2 0 2 2 0 8 0 amappl1 80 61042 0 60543 15 0 15 15 0 8 0 amappl 88 104707 0 104546 5 0 5 5 0 92 0 uvmvnodes 80 364 0 0 8 0 8 8 0 8 0 dma65536 65536 67 0 67 3 3 0 1 0 8 0 dma16384 16384 1 0 1 1 1 0 1 0 8 0 dma4096 4096 4 0 4 4 3 1 1 0 8 1 dma2048 2048 4 0 4 4 4 0 1 0 8 0 dma1024 1024 2 0 1 1 0 1 1 0 8 0 dma512 512 2 0 2 2 2 0 1 0 8 0 dma256 256 15 0 15 9 9 0 1 0 8 0 dma128 128 268 0 268 13 13 0 1 0 8 0 dma64 64 12 0 12 7 6 1 1 0 8 1 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 20 0 19 1 0 1 1 0 8 0 aobjpl 72 198 0 29 4 0 4 4 0 8 0 uaddrrnd 24 12537 0 12508 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 12537 0 12508 1 0 1 1 0 8 0 vmmpekpl 168 82924 0 82855 5 1 4 5 0 8 0 vmmpepl 168 782376 0 780478 299 203 96 120 0 357 2 vmsppl 488 12536 0 12508 7 3 4 5 0 8 0 rwobjpl 80 189641 0 188141 63 22 41 41 0 8 0 pdppl 4096 25211 0 25094 271 154 117 117 0 8 0 pvpl 32 27178 0 0 219 0 219 219 0 265 0 pmappl 256 12601 0 12521 6 0 6 6 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 762 0 354 12 0 12 12 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace proc_trampoline() at proc_trampoline+0xc7 end of kernel end trace frame: 0x37f57b2d5e0, count: -1 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffff8000299ddff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 x86_bus_space_io_write_1(3f8,0,73) at x86_bus_space_io_write_1+0x40 sys/arch/amd64/amd64/bus_space.c:790 comcnputc(800,73) at comcnputc+0x1ab bus_space_barrier sys/dev/ic/com.c:-1 [inline] comcnputc(800,73) at comcnputc+0x1ab sys/dev/ic/com.c:1263 cnputc(73) at cnputc+0x67 sys/dev/cons.c:218 kputchar(73,5,0) at kputchar+0x2ed sys/kern/subr_prf.c:367 kprintf() at kprintf+0x29c5 sys/kern/subr_prf.c:-1 printf(ffffffff83375717) at printf+0x8b sys/kern/subr_prf.c:529 trap_print(ffff80002a349730,6) at trap_print+0xd8 sys/arch/amd64/amd64/trap.c:660 kerntrap(ffff80002a349730) at kerntrap+0x2e6 sys/arch/amd64/amd64/trap.c:516 alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b dt_ioctl_record_stop(ffff8000017a2000) at dt_ioctl_record_stop+0x108 sys/dev/dt/dt_dev.c:593 dtclose(11e5f,81,2000,ffff80003c49f280) at dtclose+0x109 dt_pcb_purge sys/dev/dt/dt_dev.c:-1 [inline] dtclose(11e5f,81,2000,ffff80003c49f280) at dtclose+0x109 sys/dev/dt/dt_dev.c:239 end trace frame: 0xffff80002a3498d0, count: 0 ddb{1}> trace x86_ipi_db(ffff8000299ddff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 x86_bus_space_io_write_1(3f8,0,73) at x86_bus_space_io_write_1+0x40 sys/arch/amd64/amd64/bus_space.c:790 comcnputc(800,73) at comcnputc+0x1ab bus_space_barrier sys/dev/ic/com.c:-1 [inline] comcnputc(800,73) at comcnputc+0x1ab sys/dev/ic/com.c:1263 cnputc(73) at cnputc+0x67 sys/dev/cons.c:218 kputchar(73,5,0) at kputchar+0x2ed sys/kern/subr_prf.c:367 kprintf() at kprintf+0x29c5 sys/kern/subr_prf.c:-1 printf(ffffffff83375717) at printf+0x8b sys/kern/subr_prf.c:529 trap_print(ffff80002a349730,6) at trap_print+0xd8 sys/arch/amd64/amd64/trap.c:660 kerntrap(ffff80002a349730) at kerntrap+0x2e6 sys/arch/amd64/amd64/trap.c:516 alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b dt_ioctl_record_stop(ffff8000017a2000) at dt_ioctl_record_stop+0x108 sys/dev/dt/dt_dev.c:593 dtclose(11e5f,81,2000,ffff80003c49f280) at dtclose+0x109 dt_pcb_purge sys/dev/dt/dt_dev.c:-1 [inline] dtclose(11e5f,81,2000,ffff80003c49f280) at dtclose+0x109 sys/dev/dt/dt_dev.c:239 spec_close(ffff80002a3498e0) at spec_close+0x466 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd80630cd050,81,fffffd80097fd068,ffff80003c49f280) at VOP_CLOSE+0x132 sys/kern/vfs_vops.c:156 vn_closefile(fffffd806c97adf8,ffff80003c49f280) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd806c97adf8,ffff80003c49f280) at vn_closefile+0x12b sys/kern/vfs_vnops.c:615 fdrop(fffffd806c97adf8,ffff80003c49f280) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd806c97adf8,ffff80003c49f280) at closef+0x192 sys/kern/kern_descrip.c:1264 fdfree(ffff80003c49f280) at fdfree+0x116 sys/kern/kern_descrip.c:1195 exit1(ffff80003c49f280,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80003c49f280,ffff80002a349c50,ffff80002a349ba0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80002a349c50) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80002a349c50) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:775 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x79ecc864ed10, count: -24