panic: attempt to execute user address 0x20ffa000 in supervisor mode
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
97828 15833 0 0 0 0 syz-executor.1
* 42024 15833 0 0 0x4000000 1K syz-executor.1
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
pageflttrap() at pageflttrap+0x40b
kerntrap(ffff800024bad110) at kerntrap+0xec sys/arch/amd64/amd64/trap.c:287
alltraps_kern_meltdown(6,ffff800020b4e000,fffffd807adde388,10,ffff80000005b6b0,ffff800024bad378) at alltraps_kern_meltdown+0x7b
__kernel_end_phys(b,ffff800024bad2d8,83,ffff800024bad378,0,b) at 0x20ffa000
rt_clone(ffff800024bad3e8,fffffd806f6ccc88,0) at rt_clone+0x78 sys/net/route.c:266
rtalloc_mpath(fffffd806f6ccc88,0,0) at rtalloc_mpath+0xba rt_match sys/net/route.c:244 [inline]
rtalloc_mpath(fffffd806f6ccc88,0,0) at rtalloc_mpath+0xba sys/net/route.c:359
in_pcbselsrc(ffff800024bad4c0,fffffd80641d9420,fffffd806f6ccc08) at in_pcbselsrc+0x219 sys/netinet/in_pcb.c:934
in_pcbconnect(fffffd806f6ccc08,fffffd80641d9400) at in_pcbconnect+0x107 sys/netinet/in_pcb.c:492
tcp_usrreq(fffffd8068762988,4,0,fffffd80641d9400,0,ffff800020ace038) at tcp_usrreq+0xacb sys/netinet/tcp_usrreq.c:228
sys_connect(ffff800020ace038,ffff800024bad668,ffff800024bad6b0) at sys_connect+0x3df sys/kern/uipc_syscalls.c:388
syscall(ffff800024bad730) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline]
syscall(ffff800024bad730) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555
Xsyscall(6,0,fffffffffffffecf,0,3,d097d2c5010) at Xsyscall+0x128
end of kernel
end trace frame: 0xd0c06c030d0, count: 1
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
attempt to execute user address 0x20ffa000 in supervisor mode
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
pageflttrap() at pageflttrap+0x40b
kerntrap(ffff800024bad110) at kerntrap+0xec sys/arch/amd64/amd64/trap.c:287
alltraps_kern_meltdown(6,ffff800020b4e000,fffffd807adde388,10,ffff80000005b6b0,ffff800024bad378) at alltraps_kern_meltdown+0x7b
__kernel_end_phys(b,ffff800024bad2d8,83,ffff800024bad378,0,b) at 0x20ffa000
rt_clone(ffff800024bad3e8,fffffd806f6ccc88,0) at rt_clone+0x78 sys/net/route.c:266
rtalloc_mpath(fffffd806f6ccc88,0,0) at rtalloc_mpath+0xba rt_match sys/net/route.c:244 [inline]
rtalloc_mpath(fffffd806f6ccc88,0,0) at rtalloc_mpath+0xba sys/net/route.c:359
in_pcbselsrc(ffff800024bad4c0,fffffd80641d9420,fffffd806f6ccc08) at in_pcbselsrc+0x219 sys/netinet/in_pcb.c:934
in_pcbconnect(fffffd806f6ccc08,fffffd80641d9400) at in_pcbconnect+0x107 sys/netinet/in_pcb.c:492
tcp_usrreq(fffffd8068762988,4,0,fffffd80641d9400,0,ffff800020ace038) at tcp_usrreq+0xacb sys/netinet/tcp_usrreq.c:228
sys_connect(ffff800020ace038,ffff800024bad668,ffff800024bad6b0) at sys_connect+0x3df sys/kern/uipc_syscalls.c:388
syscall(ffff800024bad730) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline]
syscall(ffff800024bad730) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555
Xsyscall(6,0,fffffffffffffecf,0,3,d097d2c5010) at Xsyscall+0x128
end of kernel
end trace frame: 0xd0c06c030d0, count: -14
ddb{1}> show registers
rdi 0xffffffff81ceddf7 db_enter+0x17
rsi 0x2209 __ALIGN_SIZE+0x1209
rbp 0xffff800024bacf80
rbx 0xffff800024bad030
rdx 0x220a __ALIGN_SIZE+0x120a
rcx 0xffff800020b4e000
rax 0xffff800020b4e000
r8 0xffffffff81931c2f kprintf+0x16f
r9 0x1
r10 0x25
r11 0x99e73ec2df49a019
r12 0x3000000008
r13 0xffff800024bacf90
r14 0x100
r15 0x1
rip 0xffffffff81ceddf8 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800024bacf70
ss 0x10
db_enter+0x18: addq $0x8,%rsp ddb{1}> show proc PROC (syz-executor.1) pid=42024 stat=onproc flags process=0 proc=4000000 pri=86, usrpri=86, nice=20 forw=0xffffffffffffffff, list=0xffff800020ace7a0,0xffffffff8265fe30 process=0xffff800020adc380 user=0xffff800024ba8000, vmspace=0xfffffd807f00b5c0 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 15833 97828 99291 0 7 0 syz-executor.1 *15833 42024 99291 0 7 0x4000000 syz-executor.1 27656 350684 21926 0 3 0x80 nanosleep syz-executor.0 27656 296460 21926 0 3 0x4000080 ttyout syz-executor.0 27656 149420 21926 0 3 0x4000080 ttyout syz-executor.0 27656 240458 21926 0 3 0x4000080 fsleep syz-executor.0 99291 277002 20372 0 3 0x82 nanosleep syz-executor.1 21926 462409 20372 0 3 0x82 nanosleep syz-executor.0 95388 24651 1 0 3 0x100083 ttyin getty 26470 199056 0 0 3 0x14200 bored sosplice 20372 55637 75330 0 3 0x82 thrsleep syz-fuzzer 20372 387477 75330 0 3 0x4000082 nanosleep syz-fuzzer 20372 121327 75330 0 3 0x4000082 thrsleep syz-fuzzer 20372 502752 75330 0 3 0x4000082 thrsleep syz-fuzzer 20372 232687 75330 0 3 0x4000082 thrsleep syz-fuzzer 20372 264039 75330 0 3 0x4000082 thrsleep syz-fuzzer 20372 499476 75330 0 3 0x4000082 thrsleep syz-fuzzer 20372 479366 75330 0 3 0x4000082 nanosleep syz-fuzzer 20372 351381 75330 0 3 0x4000082 kqread syz-fuzzer 20372 122938 75330 0 3 0x4000082 thrsleep syz-fuzzer 75330 100470 75105 0 3 0x10008a pause ksh 75105 487524 88394 0 3 0x92 select sshd 88394 249143 1 0 3 0x80 select sshd 55715 71098 85806 74 3 0x100092 bpf pflogd 85806 345468 1 0 3 0x80 netio pflogd 86877 522864 66405 73 3 0x100090 kqread syslogd 66405 319072 1 0 3 0x100082 netio syslogd 95034 43073 1 77 3 0x100090 poll dhclient 34924 16181 1 0 3 0x80 poll dhclient 8100 9295 0 0 3 0x14200 pgzero zerothread 9287 373257 0 0 3 0x14200 aiodoned aiodoned 65172 271272 0 0 3 0x14200 syncer update 950 132749 0 0 3 0x14200 cleaner cleaner 6144 206617 0 0 3 0x14200 reaper reaper 84849 
133829 0 0 3 0x14200 pgdaemon pagedaemon 45105 493993 0 0 3 0x14200 bored crynlk 27511 29634 0 0 3 0x14200 bored crypto 87334 355531 0 0 3 0x40014200 acpi0 acpi0 93473 209822 0 0 3 0x40014200 idle1 19495 303375 0 0 3 0x14200 bored softnet 10633 422898 0 0 3 0x14200 bored systqmp 33677 219793 0 0 3 0x14200 bored systq 33952 245623 0 0 3 0x40014200 bored softclock 65621 20198 0 0 3 0x40014200 idle0 41402 347052 0 0 3 0x14200 bored smr 1 359531 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks Process 15833 (syz-executor.1) thread 0xffff800020ace038 (42024) exclusive rwlock netlock r = 0 (0xffffffff824e54e8) #0 witness_lock+0x52e sys/kern/subr_witness.c:1163 #1 solock+0x5a sys/kern/uipc_socket2.c:282 #2 sys_connect+0x6b sys/kern/uipc_syscalls.c:362 #3 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline] #3 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555 #4 Xsyscall+0x128 exclusive kernel_lock &kernel_lock r = 2 (0xffffffff8265c4c8) #0 witness_lock+0x52e sys/kern/subr_witness.c:1163 #1 syscall+0x400 mi_syscall sys/sys/syscall_mi.h:83 [inline] #1 syscall+0x400 sys/arch/amd64/amd64/trap.c:555 #2 Xsyscall+0x128 ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim devbuf 9604 6825K 7602K 78643K 15794 0 0 pcb 13 8K 9K 78643K 459 0 0 rtable 118 13K 13K 78643K 1593 0 0 ifaddr 88 18K 19K 78643K 466 0 0 counters 39 33K 33K 78643K 39 0 0 ioctlops 0 0K 4K 78643K 1582 0 0 iov 0 0K 28K 78643K 440 0 0 mount 1 1K 1K 78643K 1 0 0 vnodes 1218 77K 77K 78643K 3163 0 0 UFS quota 1 32K 32K 78643K 1 0 0 UFS mount 5 36K 36K 78643K 5 0 0 shm 2 1K 5K 78643K 45 0 0 VM map 2 1K 1K 78643K 17 0 0 sem 12 0K 0K 78643K 745 0 0 dirhash 12 2K 2K 78643K 12 0 0 ACPI 1808 196K 290K 78643K 12765 0 0 file desc 6 17K 25K 78643K 2536 0 0 sigio 1 0K 0K 78643K 39 0 0 proc 62 63K 95K 78643K 1228 0 0 subproc 32 2K 2K 78643K 255 0 0 NFS srvsock 1 0K 0K 78643K 1 0 0 NFS daemon 1 16K 16K 78643K 1 0 0 ip_moptions 0 0K 0K 78643K 129 0 0 in_multi 31 2K 2K 
78643K 246 0 0 ether_multi 1 0K 0K 78643K 7 0 0 mrt 0 0K 0K 78643K 7 0 0 ISOFS mount 1 32K 32K 78643K 1 0 0 MSDOSFS mount 1 16K 16K 78643K 1 0 0 ttys 72 318K 318K 78643K 72 0 0 exec 0 0K 1K 78643K 566 0 0 pagedep 1 8K 8K 78643K 1 0 0 inodedep 1 32K 32K 78643K 1 0 0 newblk 1 0K 0K 78643K 1 0 0 VM swap 7 26K 26K 78643K 7 0 0 UVM amap 121 22K 31K 78643K 9496 0 0 UVM aobj 130 5K 5K 78643K 138 0 0 memdesc 1 4K 4K 78643K 1 0 0 crypto data 1 1K 1K 78643K 1 0 0 ip6_options 0 0K 1K 78643K 525 0 0 NDP 22 0K 0K 78643K 147 0 0 temp 231 3557K 3626K 78643K 70037 0 0 kqueue 0 0K 0K 78643K 30 0 0 SYN cache 2 16K 16K 78643K 2 0 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 60 0 53 1 0 1 1 0 8 0 plcache 128 20 0 0 1 0 1 1 0 8 0 rtpcb 80 164 0 162 1 0 1 1 0 8 0 rtentry 112 264 0 221 2 0 2 2 0 8 0 unpcb 120 870 0 859 2 1 1 2 0 8 0 syncache 264 8 0 8 3 2 1 1 0 8 1 sackhl 24 1 0 1 1 1 0 1 0 8 0 tcpqe 32 5781 0 5781 1 1 0 1 0 8 0 tcpcb 544 3332 0 3326 10 7 3 3 0 8 2 inpcb 280 5416 0 5407 13 10 3 3 0 8 2 rttmr 72 2 0 2 1 1 0 1 0 8 0 nd6 48 35 0 32 1 0 1 1 0 8 0 pkpcb 40 4 0 4 2 2 0 1 0 8 0 ppxss 1128 59 0 59 10 9 1 1 0 8 1 pffrag 232 53 0 53 8 8 0 1 0 482 0 pffrnode 88 53 0 53 8 8 0 1 0 8 0 pffrent 40 117 0 117 8 8 0 1 0 8 0 pfosfp 40 846 0 423 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfstitem 24 195 0 131 1 0 1 1 0 8 0 pfstkey 112 195 0 131 2 0 2 2 0 8 0 pfstate 328 195 0 131 6 0 6 6 0 8 0 pfrule 1360 21 0 16 2 1 1 2 0 8 0 art_heap8 4096 5 0 4 5 4 1 3 0 8 0 art_heap4 256 1082 0 868 22 7 15 15 0 8 0 art_table 32 1087 0 872 2 0 2 2 0 8 0 art_node 16 263 0 223 1 0 1 1 0 8 0 sysvmsgpl 40 196 0 190 2 1 1 1 0 8 0 semapl 112 739 0 729 1 0 1 1 0 8 0 shmpl 112 136 0 8 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino1pl 128 5134 0 3724 46 0 46 46 0 8 0 ffsino 272 5134 0 3724 95 0 95 95 0 8 0 nchpl 144 8826 0 8365 61 41 20 61 0 8 0 uvmvnodes 72 6151 0 0 112 0 112 112 0 8 0 vnodes 208 6151 0 0 324 0 324 324 0 8 0 namei 
1024 29995 0 29995 5 4 1 1 0 8 1 percpumem 16 30 0 0 1 0 1 1 0 8 0 vmpool 552 15 0 15 6 5 1 1 0 8 1 scsiplug 64 5 0 5 3 3 0 1 0 8 0 scxspl 192 27743 0 27743 31 28 3 7 0 8 3 plimitpl 152 185 0 177 1 0 1 1 0 8 0 sigapl 432 2699 0 2683 3 1 2 3 0 8 0 futexpl 56 49088 0 49087 2 1 1 1 0 8 0 knotepl 112 604 0 585 1 0 1 1 0 8 0 kqueuepl 104 718 0 715 1 0 1 1 0 8 0 pipepl 112 1200 0 1181 4 3 1 2 0 8 0 fdescpl 488 2700 0 2683 3 0 3 3 0 8 0 filepl 152 20822 0 20713 17 11 6 7 0 8 1 lockfpl 104 792 0 790 1 0 1 1 0 8 0 lockfspl 48 283 0 281 1 0 1 1 0 8 0 sessionpl 112 33 0 22 1 0 1 1 0 8 0 pgrppl 48 65 0 54 1 0 1 1 0 8 0 ucredpl 96 2770 0 2761 1 0 1 1 0 8 0 zombiepl 144 2687 0 2687 5 4 1 1 0 8 1 processpl 896 2720 0 2687 4 0 4 4 0 8 0 procpl 632 8048 0 8002 8 3 5 5 0 8 0 srpgc 64 17 0 17 8 7 1 1 0 8 1 sosppl 128 61 0 61 9 8 1 1 0 8 1 sockpl 384 6495 0 6473 21 15 6 7 0 8 3 mcl64k 65536 346 0 0 41 7 34 34 0 8 1 mcl16k 16384 6 0 0 1 0 1 1 0 8 0 mcl12k 12288 14 0 0 2 0 2 2 0 8 0 mcl9k 9216 9 0 0 1 0 1 1 0 8 0 mcl8k 8192 13 0 0 2 0 2 2 0 8 0 mcl4k 4096 12 0 0 2 0 2 2 0 8 0 mcl2k2 2112 5 0 0 1 0 1 1 0 8 0 mcl2k 2048 196 0 0 20 2 18 20 0 8 0 mtagpl 80 42 0 0 1 0 1 1 0 8 0 mbufpl 256 512 0 0 21 0 21 21 0 8 0 bufpl 256 18424 0 11376 441 0 441 441 0 8 0 anonpl 16 314125 0 299273 153 75 78 82 0 124 10 amapchunkpl 152 18126 0 18003 35 29 6 12 0 158 0 amappl16 192 13970 0 13069 127 77 50 58 0 8 4 amappl15 184 286 0 286 2 1 1 1 0 8 1 amappl14 176 662 0 661 2 1 1 1 0 8 0 amappl13 168 12 0 12 3 3 0 1 0 8 0 amappl12 160 335 0 334 1 0 1 1 0 8 0 amappl11 152 990 0 969 1 0 1 1 0 8 0 amappl10 144 21 0 13 1 0 1 1 0 8 0 amappl9 136 1179 0 1173 1 0 1 1 0 8 0 amappl8 128 756 0 720 3 1 2 2 0 8 0 amappl7 120 110 0 99 1 0 1 1 0 8 0 amappl6 112 961 0 946 1 0 1 1 0 8 0 amappl5 104 575 0 561 1 0 1 1 0 8 0 amappl4 96 2646 0 2612 1 0 1 1 0 8 0 amappl3 88 963 0 958 1 0 1 1 0 8 0 amappl2 80 19937 0 19857 4 2 2 3 0 8 0 amappl1 72 70156 0 69687 25 15 10 20 0 8 0 amappl 80 8540 0 8495 2 0 2 2 0 84 0 dma4096 4096 1 0 
1 1 1 0 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 17 0 17 1 1 0 1 0 8 0 aobjpl 64 137 0 8 3 0 3 3 0 8 0 uaddrrnd 24 2715 0 2683 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 2715 0 2683 1 0 1 1 0 8 0 vmmpekpl 168 22490 0 22451 2 0 2 2 0 8 0 vmmpepl 168 342694 0 340517 261 137 124 128 0 357 28 vmsppl 368 2699 0 2683 2 0 2 2 0 8 0 pdppl 4096 5437 0 5396 7 1 6 6 0 8 0 pvpl 32 812587 0 794400 329 138 191 197 0 265 29 pmappl 232 2714 0 2698 8 7 1 2 0 8 0 extentpl 40 41 0 26 1 0 1 1 0 8 0 phpool 112 681 0 35 19 0 19 19 0 8 0