panic: tcp_oputapnuitc : 
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*181125 26825 32767 0x10 0x4000000 0 syz-executor.3
104353 3246 0 0x14000 0x200 1 reaper
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8257befc) at panic+0x177 sys/kern/subr_prf.c:198
tcp_output(ffff800000c65c08) at tcp_output+0x2cd2 sys/netinet/tcp_output.c:727
tcp_send(fffffd8066c0cd90,fffffd806aa6e700,0,fffffd806aa6ce00) at tcp_send+0xc4 sys/netinet/tcp_usrreq.c:953
sosend(fffffd8066c0cd90,0,ffff800021f743c0,0,fffffd806aa6ce00,0) at sosend+0x62a pru_send sys/sys/protosw.h:331 [inline]
sosend(fffffd8066c0cd90,0,ffff800021f743c0,0,fffffd806aa6ce00,0) at sosend+0x62a sys/kern/uipc_socket.c:646
sendit(ffff800021282540,3,ffff800021f74540,0,ffff800021f74630) at sendit+0x65d sys/kern/uipc_syscalls.c:694
sys_sendmsg(ffff800021282540,ffff800021f745e8,ffff800021f74630) at sys_sendmsg+0x198 sys/kern/uipc_syscalls.c:601
syscall(ffff800021f746b0) at syscall+0x4c3 mi_syscall sys/sys/syscall_mi.h:101 [inline]
syscall(ffff800021f746b0) at syscall+0x4c3 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xd3ba69111f0, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: tcp_output cpu1: kernel diagnostic assertion "!_kernel_lock_held()" failed: file "/syzkaller/managers/setuid/kernel/sys/uvm/uvm_map.c", line 2486 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8257befc) at panic+0x177 sys/kern/subr_prf.c:198 tcp_output(ffff800000c65c08) at tcp_output+0x2cd2 sys/netinet/tcp_output.c:727 tcp_send(fffffd8066c0cd90,fffffd806aa6e700,0,fffffd806aa6ce00) at tcp_send+0xc4 sys/netinet/tcp_usrreq.c:953 sosend(fffffd8066c0cd90,0,ffff800021f743c0,0,fffffd806aa6ce00,0) at sosend+0x62a pru_send sys/sys/protosw.h:331 [inline] sosend(fffffd8066c0cd90,0,ffff800021f743c0,0,fffffd806aa6ce00,0) at sosend+0x62a sys/kern/uipc_socket.c:646 sendit(ffff800021282540,3,ffff800021f74540,0,ffff800021f74630) at sendit+0x65d sys/kern/uipc_syscalls.c:694 sys_sendmsg(ffff800021282540,ffff800021f745e8,ffff800021f74630) at sys_sendmsg+0x198 sys/kern/uipc_syscalls.c:601 syscall(ffff800021f746b0) at syscall+0x4c3 mi_syscall sys/sys/syscall_mi.h:101 [inline] syscall(ffff800021f746b0) at syscall+0x4c3 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xd3ba69111f0, count: -9 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff800021f74020 rbx 0xffffffff82934b8f cpu_info_full_primary+0x2b8f rdx 0 rcx 0 rax 0xffff800021282540 r8 0x101010101010101 r9 0x8080808080808080 r10 0xd530d36788137213 r11 0x78deae3ee4e79b0d r12 0xffffffff82934990 cpu_info_full_primary+0x2990 r13 0 r14 0 r15 0x1 rip 0xffffffff823fc058 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff800021f74010 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor.3) pid=181125 stat=onproc flags process=10 proc=4000000 pri=32, usrpri=81, nice=20 forw=0xffffffffffffffff, list=0xffff800021282fc0,0xffff80002b048550 process=0xffff800027e0fa48 user=0xffff800021f6f000, vmspace=0xfffffd807effc000 estcpu=36, cpticks=0, pctcpu=0.0 user=0, 
sys=0, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 7436 433798 59895 32767 3 0x90 nanoslp syz-executor.2 7436 95119 59895 32767 3 0x4000090 fsleep syz-executor.2 7436 13342 59895 32767 3 0x4000090 fsleep syz-executor.2 7436 35202 59895 32767 3 0x4000090 fsleep syz-executor.2 20199 210174 86284 32767 2 0x10 syz-executor.1 36818 52777 36315 32767 2 0x10 syz-executor.0 36818 355740 36315 32767 3 0x4000090 fsleep syz-executor.0 81994 291455 18467 32767 2 0x10 syz-executor.5 81994 193484 18467 32767 3 0x4000090 fsleep syz-executor.5 26825 262825 98208 32767 2 0x10 syz-executor.3 *26825 181125 98208 32767 7 0x4000010 syz-executor.3 26825 78355 98208 32767 3 0x4000090 fsleep syz-executor.3 461 26217 20948 32767 2 0x10 syz-executor.4 461 206534 20948 32767 3 0x4000090 fsleep syz-executor.4 18467 55803 48171 32767 3 0x90 nanoslp syz-executor.5 48171 211065 2499 0 3 0x82 wait syz-executor.5 98208 171811 63083 32767 3 0x90 nanoslp syz-executor.3 63083 201003 2499 0 3 0x82 wait syz-executor.3 36315 271000 60945 32767 3 0x90 nanoslp syz-executor.0 60945 290401 2499 0 3 0x82 wait syz-executor.0 17747 118283 17018 32767 3 0x90 nanoslp syz-executor.6 17018 512604 2499 0 3 0x82 wait syz-executor.6 67355 369575 28893 32767 3 0x90 nanoslp syz-executor.7 28893 287929 2499 0 3 0x82 wait syz-executor.7 86284 262066 40958 32767 3 0x90 nanoslp syz-executor.1 40958 284186 2499 0 3 0x82 wait syz-executor.1 59895 14544 12815 32767 3 0x90 nanoslp syz-executor.2 12815 142770 2499 0 3 0x82 wait syz-executor.2 76683 116353 0 0 3 0x14200 bored sosplice 20948 439588 82839 32767 3 0x90 nanoslp syz-executor.4 82839 238897 2499 0 3 0x82 wait syz-executor.4 2499 442232 89062 0 3 0x82 wait syz-fuzzer 2499 48589 89062 0 3 0x4000082 thrsleep syz-fuzzer 2499 271161 89062 0 3 0x4000082 wait syz-fuzzer 2499 146158 89062 0 3 0x4000082 thrsleep syz-fuzzer 2499 431991 89062 0 3 0x4000082 thrsleep syz-fuzzer 2499 270902 89062 0 3 0x4000082 wait syz-fuzzer 2499 366775 89062 0 3 0x4000082 thrsleep 
syz-fuzzer 2499 173035 89062 0 3 0x4000082 thrsleep syz-fuzzer 2499 185342 89062 0 3 0x4000082 wait syz-fuzzer 2499 24098 89062 0 3 0x4000082 wait syz-fuzzer 2499 238540 89062 0 3 0x4000082 wait syz-fuzzer 2499 263550 89062 0 3 0x4000082 thrsleep syz-fuzzer 2499 87663 89062 0 3 0x4000082 wait syz-fuzzer 2499 427731 89062 0 3 0x4000082 wait syz-fuzzer 2499 186915 89062 0 3 0x4000082 kqread syz-fuzzer 2499 121239 89062 0 3 0x4000082 thrsleep syz-fuzzer 89062 424717 86260 0 3 0x10008a sigsusp ksh 86260 127141 38778 0 3 0x9a kqread sshd 12047 312570 1 0 3 0x100083 ttyin getty 38778 330471 1 0 3 0x88 kqread sshd 91463 95817 31481 73 3 0x1100090 kqread syslogd 31481 285555 1 0 3 0x100082 netio syslogd 49380 362295 1 0 3 0x100080 kqread resolvd 14107 396325 50304 77 3 0x100092 kqread dhcpleased 92062 365569 50304 77 3 0x100092 kqread dhcpleased 50304 84369 1 0 3 0x80 kqread dhcpleased 31956 38134 0 0 3 0x14200 bored smr 33701 10065 0 0 2 0x14200 zerothread 13953 460406 0 0 3 0x14200 aiodoned aiodoned 43387 321560 0 0 3 0x14200 syncer update 32085 104171 0 0 3 0x14200 cleaner cleaner 3246 104353 0 0 7 0x14200 reaper 51793 452726 0 0 3 0x14200 pgdaemon pagedaemon 43218 400157 0 0 3 0x14200 bored viomb 63888 48382 0 0 3 0x40014200 acpi0 acpi0 37969 431370 0 0 3 0x40014200 idle1 57643 213807 0 0 3 0x14200 bored softnet 30033 456963 0 0 3 0x14200 bored softnet 28370 401447 0 0 3 0x14200 bored softnet 94467 213083 0 0 3 0x14200 bored softnet 21379 262062 0 0 3 0x14200 bored systqmp 56505 470757 0 0 3 0x14200 bored systq 81068 314044 0 0 3 0x40014200 bored softclock 41538 47204 0 0 3 0x40014200 idle0 1 466272 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks CPU 1: exclusive kernel: protection fault trap, code=0 Faulted in DDB; continuing... 
ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10213 6412K 6419K 78643K 11353 0 pcb 13 16K 20K 78643K 19 0 rtable 254 7K 7K 78643K 2189 0 ifaddr 82 17K 17K 78643K 198 0 sysctl 3 1K 4K 78643K 9 0 counters 56 35K 35K 78643K 88 0 ioctlops 0 0K 2K 78643K 221 0 iov 0 0K 32K 78643K 4207 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 4 0 vnodes 1271 79K 79K 78643K 6227 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 9K 78643K 288 0 VM map 2 1K 1K 78643K 2 0 sem 12 0K 0K 78643K 5415 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 24 89K 117K 78643K 19547 0 sigio 0 0K 0K 78643K 305 0 proc 56 78K 103K 78643K 2501 0 subproc 104 6K 6K 78643K 312 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 5254 0 in_multi 99 6K 7K 78643K 497 0 ether_multi 1 0K 0K 78643K 69 0 mrt 1 0K 0K 78643K 1 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 259 1155K 1155K 78643K 259 0 exec 0 0K 2K 78643K 5008 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 8 62K 62K 78643K 8 0 UVM amap 414 99K 115K 78643K 118863 0 UVM aobj 131 8K 8K 78643K 132 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 470 0 NDP 11 0K 2K 78643K 75 0 temp 124 4726K 4854K 78643K 49987 0 kqueue 14 22K 28K 78643K 1900 0 SYN cache 2 16K 16K 78643K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 22 0 0 1 0 1 1 0 8 0 rtpcb 120 2065 0 2062 29 27 2 5 0 8 1 rtentry 112 320 0 200 4 0 4 4 0 8 0 unpcb 144 20036 0 20021 170 162 8 10 0 8 7 syncache 296 172 0 172 32 32 0 1 0 8 0 tcpqe 32 69 0 69 19 19 0 1 0 8 0 tcpcb 768 16607 0 16588 406 400 6 25 0 8 3 arp 120 61 0 40 1 0 1 1 0 8 0 ipq 40 26 0 23 5 4 1 1 0 8 0 ipqe 40 192 0 189 5 4 1 1 0 8 0 inpcb 368 25147 0 25117 289 283 6 22 0 8 3 nd6 48 94 0 63 1 0 1 1 0 8 0 kcovpl 48 24 0 
16 1 0 1 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 1224 0 753 33 3 30 31 0 8 0 art_table 32 1225 0 753 4 0 4 4 0 8 0 art_node 16 319 0 209 1 0 1 1 0 8 0 sysvmsgpl 40 92 0 82 2 1 1 1 0 8 0 semupl 112 1 0 1 1 1 0 1 0 8 0 semapl 112 5412 0 5402 1 0 1 1 0 8 0 shmpl 112 129 0 1 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 29074 0 27601 93 0 93 93 0 8 0 ffsino 272 29074 0 27601 99 0 99 99 0 8 0 nchpl 144 55455 0 53810 63 0 63 63 0 8 0 uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0 vnodes 216 5926 0 0 330 0 330 330 0 8 0 namei 1024 195822 0 195822 4 3 1 2 0 8 1 percpumem 16 56 0 16 1 0 1 1 0 8 0 kstatmem 264 54 0 32 2 0 2 2 0 8 0 scxspl 216 159047 0 159047 53 52 1 8 0 8 1 plimitpl 152 4526 0 4503 16 15 1 2 0 8 0 sigapl 424 19790 0 19735 7 0 7 7 0 8 0 futexpl 64 178658 0 178651 4 3 1 1 0 8 0 knotepl 120 1237 0 0 18 1 17 17 0 8 0 kqueuepl 216 7222 0 7212 139 138 1 12 0 8 0 pipepl 320 5694 0 5666 150 144 6 18 0 8 3 fdescpl 496 19772 0 19737 7 2 5 6 0 8 0 filepl 152 154648 0 154402 226 209 17 31 0 8 5 lockfpl 104 3918 0 3916 4 3 1 2 0 8 0 lockfspl 48 789 0 787 1 0 1 1 0 8 0 sessionpl 144 39 0 23 1 0 1 1 0 8 0 pgrppl 48 1653 0 1636 1 0 1 1 0 8 0 ucredpl 104 28270 0 28252 1 0 1 1 0 8 0 zombiepl 144 19737 0 19735 1 0 1 1 0 8 0 processpl 1064 19790 0 19735 4 0 4 4 0 8 0 procpl 672 58109 0 58029 38 30 8 9 0 8 0 srpgc 96 1 0 1 1 1 0 1 0 8 0 sosppl 168 294 0 293 31 30 1 1 0 8 0 sockpl 488 48190 0 48155 900 887 13 34 0 8 7 mcl64k 65536 51 0 0 3 0 3 3 0 8 0 mcl16k 16384 41 0 0 4 1 3 3 0 8 0 mcl12k 12288 57 0 0 3 0 3 3 0 8 0 mcl9k 9216 57 0 0 3 1 2 2 0 8 0 mcl8k 8192 79 0 0 3 0 3 3 0 8 0 mcl4k 4096 49 0 0 5 1 4 5 0 8 0 mcl2k2 2112 15 0 0 1 0 1 1 0 8 0 mcl2k 2048 541 0 0 37 14 23 37 0 8 0 mtagpl 96 5 0 0 1 0 1 1 0 8 0 mbufpl 256 1416 0 0 40 2 38 40 0 8 0 bufpl 288 34128 0 27801 453 0 453 453 0 8 0 anonpl 24 4037317 0 4023455 220 113 107 135 0 186 0 amapchunkpl 152 347692 0 346982 141 103 38 41 0 158 7 amappl16 200 61294 0 60889 168 141 27 47 0 8 0 amappl15 192 
5770 0 5759 1 0 1 1 0 8 0 amappl14 184 2137 0 2127 1 0 1 1 0 8 0 amappl13 176 672 0 669 1 0 1 1 0 8 0 amappl12 168 12 0 6 1 0 1 1 0 8 0 amappl11 160 4142 0 4123 1 0 1 1 0 8 0 amappl10 152 2214 0 2210 1 0 1 1 0 8 0 amappl9 144 4722 0 4715 1 0 1 1 0 8 0 amappl8 136 3861 0 3675 8 1 7 7 0 8 0 amappl7 128 2636 0 2614 1 0 1 1 0 8 0 amappl6 120 4496 0 4472 2 1 1 2 0 8 0 amappl5 112 20905 0 20883 1 0 1 1 0 8 0 amappl4 104 7085 0 7049 9 7 2 2 0 8 1 amappl3 96 61444 0 61377 2 0 2 2 0 8 0 amappl2 88 1911 0 1872 2 1 1 2 0 8 0 amappl1 80 490512 0 489734 21 4 17 19 0 8 0 amappl 88 117143 0 116934 8 2 6 6 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 131 0 1 3 0 3 3 0 8 0 uaddrrnd 24 19772 0 19736 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 19772 0 19736 1 0 1 1 0 8 0 vmmpekpl 168 163086 0 163030 5 1 4 4 0 8 0 vmmpepl 168 1956479 0 1953469 367 229 138 162 0 357 1 vmsppl 368 19771 0 19736 4 0 4 4 0 8 0 rwobjpl 56 488923 0 481288 125 14 111 114 0 8 0 pdppl 4096 39551 0 39472 465 384 81 91 0 8 2 pvpl 32 7552427 0 7532557 583 401 182 252 0 265 0 pmappl 248 19771 0 19736 4 1 3 3 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 1539 0 693 25 0 25 25 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8257befc) at panic+0x177 sys/kern/subr_prf.c:198 tcp_output(ffff800000c65c08) at tcp_output+0x2cd2 sys/netinet/tcp_output.c:727 tcp_send(fffffd8066c0cd90,fffffd806aa6e700,0,fffffd806aa6ce00) at tcp_send+0xc4 sys/netinet/tcp_usrreq.c:953 sosend(fffffd8066c0cd90,0,ffff800021f743c0,0,fffffd806aa6ce00,0) at sosend+0x62a pru_send sys/sys/protosw.h:331 [inline] sosend(fffffd8066c0cd90,0,ffff800021f743c0,0,fffffd806aa6ce00,0) at sosend+0x62a sys/kern/uipc_socket.c:646 
sendit(ffff800021282540,3,ffff800021f74540,0,ffff800021f74630) at sendit+0x65d sys/kern/uipc_syscalls.c:694
sys_sendmsg(ffff800021282540,ffff800021f745e8,ffff800021f74630) at sys_sendmsg+0x198 sys/kern/uipc_syscalls.c:601
syscall(ffff800021f746b0) at syscall+0x4c3 mi_syscall sys/sys/syscall_mi.h:101 [inline]
syscall(ffff800021f746b0) at syscall+0x4c3 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xd3ba69111f0, count: -9
ddb{0}> machine ddbcpu 1
Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp
x86_ipi_db(ffff800020dd8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
x86_bus_space_io_read_1(3f8,5) at x86_bus_space_io_read_1+0x28 sys/arch/amd64/amd64/bus_space.c:651
comcnputc(800,6b) at comcnputc+0x97 sys/dev/ic/com.c:1259
cnputc(6b) at cnputc+0x4b sys/dev/cons.c:218
db_putchar(6b) at db_putchar+0x3fc sys/ddb/db_output.c:155
kprintf() at kprintf+0x20ec sys/kern/subr_prf.c:1064
db_printf(ffffffff8261ba78) at db_printf+0x85 sys/kern/subr_prf.c:498
panic(ffffffff825a1bd6) at panic+0xd7 sys/kern/subr_prf.c:216
__assert(ffffffff82619795,ffffffff826448c7,9b6,ffffffff825d77c8) at __assert+0x25 sys/kern/subr_prf.c:157
uvm_map_teardown(fffffd806c48e460) at uvm_map_teardown+0x2e8 sys/uvm/uvm_map.c:2488
uvmspace_free(fffffd806c48e460) at uvmspace_free+0xa6 sys/uvm/uvm_map.c:3436
reaper(ffff800021233508) at reaper+0x19a sys/kern/kern_exit.c:448
end trace frame: 0x0, count: 1
ddb{1}> trace
x86_ipi_db(ffff800020dd8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
x86_bus_space_io_read_1(3f8,5) at x86_bus_space_io_read_1+0x28 sys/arch/amd64/amd64/bus_space.c:651
comcnputc(800,6b) at comcnputc+0x97 sys/dev/ic/com.c:1259
cnputc(6b) at cnputc+0x4b sys/dev/cons.c:218
db_putchar(6b) at db_putchar+0x3fc sys/ddb/db_output.c:155
kprintf() at kprintf+0x20ec sys/kern/subr_prf.c:1064
db_printf(ffffffff8261ba78) at db_printf+0x85 sys/kern/subr_prf.c:498
panic(ffffffff825a1bd6) at panic+0xd7 sys/kern/subr_prf.c:216
__assert(ffffffff82619795,ffffffff826448c7,9b6,ffffffff825d77c8) at __assert+0x25 sys/kern/subr_prf.c:157
uvm_map_teardown(fffffd806c48e460) at uvm_map_teardown+0x2e8 sys/uvm/uvm_map.c:2488
uvmspace_free(fffffd806c48e460) at uvmspace_free+0xa6 sys/uvm/uvm_map.c:3436
reaper(ffff800021233508) at reaper+0x19a sys/kern/kern_exit.c:448
end trace frame: 0x0, count: -14