*cpu1: uvm_fault(0xfffffd806b9d1200, 0x48, 0, 1) -> e ddb{0}> trace proc_trampoline() at proc_trampoline+0xc7 end of kernel end trace frame: 0x77fc1fcc28a0, count: -1 ddb{0}> show registers rdi 0 rsi 0 rbp 0xffff80002a3c94f0 rbx 0 rdx 0 rcx 0xffff80002a2d6548 rax 0x2a r8 0xffff80002a3c9420 r9 0 r10 0x6cd17054dc936c54 r11 0x2885635a641ffc0d r12 0 r13 0 r14 0 r15 0 rip 0xffffffff81e1e4c7 proc_trampoline+0xc7 cs 0x8 rflags 0x246 rsp 0xffff80002a3c9470 ss 0 proc_trampoline+0xc7: movl $0,%gs:0x688 ddb{0}> show proc PROC (syz-executor) tid=254321 pid=52541 tcnt=1 stat=onproc flags process=0 proc=0 runpri=82, usrpri=82, slppri=17, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80002a2dc810,0xffffffff839abd00 process=0xffff80003300cec0 user=0xffff80002a3c4000, vmspace=0xfffffd806b9d13e8 estcpu=32, cpticks=0, pctcpu=0.0, user=0, sys=0, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND *52541 254321 29983 0 7 0 syz-executor 62162 455895 98748 0 2 0 syz-executor 14934 398558 15720 0 2 0 syz-executor 14934 62576 15720 0 2 0x4000000 syz-executor 78519 335262 69027 0 2 0 syz-executor 78519 147433 69027 0 3 0x4000080 fsleep syz-executor 51880 417198 1884 0 2 0 syz-executor 51880 447514 1884 0 2 0x4000000 syz-executor 51880 183860 1884 0 3 0x4000080 fsleep syz-executor 51880 454793 1884 0 3 0x4000080 fsleep syz-executor 95750 320760 97978 0 3 0x80 nanoslp syz-executor 95750 122555 97978 0 3 0x4000080 lockf syz-executor 95750 303807 97978 0 3 0x4000080 lockf syz-executor 95750 420232 97978 0 3 0x4000080 fsleep syz-executor 94022 355702 83843 0 3 0x80 nanoslp syz-executor 94022 500591 83843 0 3 0x4000080 kqsel syz-executor 94022 58075 83843 0 3 0x4000080 fsleep syz-executor 69027 216755 60960 0 3 0x82 nanoslp syz-executor 98748 442868 60960 0 3 0x82 nanoslp syz-executor 42468 367752 1 0 3 0x100083 ttyopn getty 15720 313025 60960 0 2 0x2 syz-executor 54218 454265 0 0 3 0x14200 bored sosplice 1884 504009 60960 0 3 0x82 nanoslp syz-executor 68762 411066 60960 0 3 0x82 nanoslp syz-executor 83843 342479 60960 0 3 0x82 nanoslp syz-executor 97978 144060 60960 0 3 0x82 nanoslp syz-executor 29983 186262 60960 0 3 0x82 nanoslp syz-executor 60960 457858 24771 0 3 0x82 kqread syz-executor 24771 261428 56502 0 3 0x10008a sigsusp ksh 56502 113245 24013 0 3 0x98 kqread sshd-session 24013 171767 51210 0 3 0x92 kqread sshd-session 51210 387801 1 0 3 0x88 kqread sshd 19454 74483 41855 74 3 0x1100092 bpf pflogd 41855 524231 1 0 3 0x80 sbwait pflogd 58771 96862 17458 73 3 0x1100090 kqread syslogd 17458 54791 1 0 3 0x100082 sbwait syslogd 63135 299863 1 0 3 0x100080 kqread resolvd 82179 488957 24362 77 3 0x100092 kqread dhcpleased 47308 293613 24362 77 3 0x100092 kqread dhcpleased 24362 347546 1 0 3 0x80 kqread dhcpleased 59595 35723 0 0 3 0x14200 bored smr 27637 407980 0 0 2 0x14200 zerothread 30813 370328 0 0 3 0x14200 aiodoned aiodoned 92254 37702 0 0 3 0x14200 syncer update 88637 171386 0 0 3 0x14200 cleaner cleaner 47500 33701 0 0 2 0x14200 reaper 28768 472411 0 0 3 0x14200 pgdaemon pagedaemon 49482 86264 0 0 3 0x14200 bored viomb 9811 470263 0 0 3 0x40014200 acpi0 acpi0 54913 502517 0 0 3 0x40014200 idle1 69493 14593 0 0 3 0x14200 bored softnet7 56818 81690 0 0 3 0x14200 bored softnet6 48912 406017 0 0 3 0x14200 bored softnet5 99384 385875 0 0 3 0x14200 bored softnet4 65821 222699 0 0 3 0x14200 bored softnet3 19394 457744 0 0 3 0x14200 bored softnet2 29703 173502 0 0 3 0x14200 bored softnet1 34947 124972 0 0 3 0x14200 bored softnet0 80059 28555 0 0 3 0x14200 bored systqmp 26309 131285 0 0 3 0x14200 bored systq 58702 228838 0 0 3 0x14200 tmoslp softclockmp 73887 407597 0 0 3 0x40014200 tmoslp softclock 60221 246781 0 0 3 0x40014200 idle0 1 91858 0 0 3 0x82 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb{0}> show all locks CPU 0: exclusive mutex /syzkaller/managers/multicore/kernel/sys/kern/kern_malloc.c:96 r = 0 (0xffffffff8379a0e8) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 mtx_enter_try+0x1ad sys/kern/kern_lock.c:311 #2 mtx_enter+0x62 sys/kern/kern_lock.c:261 #3 free+0x9f sys/kern/kern_malloc.c:389 #4 ip_setmoptions+0xb0c sys/netinet/ip_output.c:1676 #5 sosetopt+0x118 sys/kern/uipc_socket.c:-1 #6 sys_setsockopt+0x2ba sys/kern/uipc_syscalls.c:1221 #7 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] #7 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:748 #8 Xsyscall+0x128 Process 14934 (syz-executor) thread 0xffff80002a2dd270 (62576) exclusive rwlock netlock r = 0 (0xffffffff8378a4b0) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320 #2 sosetopt+0xf2 sys/kern/uipc_socket.c:1902 #3 sys_setsockopt+0x2ba sys/kern/uipc_syscalls.c:1221 #4 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] #4 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:748 #5 Xsyscall+0x128 Process 73887 (softclock) thread 0xffff8000ffffecf8 (407597) shared rwlock timeout r = 0 (0xffffffff837f1048) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 timeout_run+0x115 sys/kern/kern_timeout.c:694 #2 softclock_thread_run+0xe7 sys/kern/kern_timeout.c:842 #3 softclock_thread+0x10a sys/kern/kern_timeout.c:858 #4 proc_trampoline+0x10 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10256 11166K 12365K 166960K 16187 0 pcb 17 22K 36K 166960K 1484 0 rtable 208 13K 13K 166960K 874 0 pf 35 17K 82K 166960K 400 0 ifaddr 37 7K 9K 166960K 245 0 ifgroup 55 2K 2K 166960K 467 0 sysctl 4 1K 9K 166960K 42 0 counters 68 36K 38K 166960K 518 0 ioctlops 0 0K 4K 166960K 2817 0 iov 0 0K 34K 166960K 434 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1470 93K 93K 166960K 5118 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 9K 166960K 39 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 1K 166960K 310 0 dirhash 12 2K 3K 166960K 96 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 18 65K 240K 166960K 4576 0 sigio 0 0K 0K 166960K 68 0 proc 75 131K 164K 166960K 1180 0 subproc 72 4K 4K 166960K 108 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 921 0 in_multi 57 4K 7K 166960K 308 0 ether_multi 1 0K 0K 166960K 32 0 mrt 1 0K 0K 166960K 25 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 253 1129K 1129K 166960K 253 0 exec 0 0K 1K 166960K 986 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 10 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 248 152K 170K 166960K 43403 0 UVM aobj 54 2K 4K 166960K 58 0 pinsyscall 43 86K 102K 166960K 5841 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 1K 166960K 286 0 NDP 12 0K 2K 166960K 186 0 temp 80 8652K 8908K 166960K 187589 0 kqueue 14 22K 36K 166960K 904 0 SYN cache 2 16K 16K 166960K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 120 458 0 455 3 2 1 3 0 8 0 rtentry 176 246 0 172 5 0 5 5 0 8 1 unpcb 144 3847 0 3824 21 19 2 6 0 8 1 syncache 336 24 0 24 4 4 0 1 0 8 0 tcpqe 32 6 0 6 4 4 0 1 0 8 0 tcpcb 736 1639 0 1634 26 24 2 10 0 8 0 arp 128 34 0 20 1 0 1 1 0 8 0 inpcb 328 5817 0 5807 62 53 9 18 0 8 7 nd6 144 44 0 32 1 0 1 1 0 8 0 pkpcb 40 74 0 74 6 5 1 1 0 8 1 kcovpl 48 12 0 4 1 0 1 1 0 8 0 mppekey 1024 2 0 2 2 2 0 1 0 8 0 ppxss 1192 183 0 183 3 2 1 1 0 8 1 pppxif 1504 17 0 17 6 6 0 1 0 8 0 pfstscr 40 1 0 1 1 1 0 1 0 8 0 pffrag 232 34 0 22 2 1 1 2 0 482 0 pffrnode 88 32 0 20 1 0 1 1 0 8 0 pffrent 40 59 0 46 1 0 1 1 0 8 0 pfosfp 40 1429 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1429 0 714 21 0 21 21 0 8 0 pfrktable 1344 5 0 5 4 4 0 1 0 8 0 pfstitem 24 272 0 131 1 0 1 1 0 8 0 pfstkey 128 274 0 133 5 0 5 5 0 8 0 pfstate 384 273 0 132 15 0 15 15 0 8 0 pfrule 1344 29 0 20 2 1 1 2 0 8 0 rttmr 136 3 0 3 3 3 0 1 0 8 0 art_heap8 4096 5 0 0 5 0 5 5 0 8 0 art_heap4 256 914 0 612 38 14 24 28 0 8 2 art_table 40 919 0 612 5 0 5 5 0 8 0 art_node 32 246 0 187 1 0 1 1 0 8 0 sysvmsgpl 40 40 0 0 1 0 1 1 0 8 0 semupl 112 2 0 2 2 2 0 1 0 8 0 semapl 112 305 0 295 1 0 1 1 0 8 0 shmpl 112 55 0 4 2 0 2 2 0 8 0 dirhash 1024 74 0 57 3 0 3 3 0 8 0 dino2pl 256 10359 0 8842 96 0 96 96 0 8 0 ffsino 296 10359 0 8842 118 0 118 118 0 8 0 nchpl 144 16674 0 14984 64 0 64 64 0 8 0 rtmask 32 31 0 31 5 4 1 1 0 8 1 uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0 vnodes 216 5926 0 0 330 0 330 330 0 8 0 namei 1024 60099 0 60099 5 4 1 2 0 8 1 percpumem 16 274 0 225 1 0 1 1 0 8 0 kstatmem 264 326 0 298 3 0 3 3 0 8 0 acpiwqpl 32 4 0 4 1 0 1 1 1 8 1 scsiplug 72 23 0 23 6 5 1 1 0 8 1 scxspl 216 122312 0 122312 16 14 2 8 1 8 2 plimitpl 152 1283 0 1266 1 0 1 1 0 8 0 sigapl 424 4867 0 4812 9 2 7 9 0 8 0 knotepl 120 765 0 0 24 1 23 23 0 8 0 kqueuepl 224 2000 0 1989 20 15 5 5 0 8 4 pipepl 344 697 0 670 15 12 3 9 0 8 0 fdescpl 528 4815 0 4783 3 0 3 3 0 8 0 filepl 160 36271 0 36045 40 24 16 19 0 8 4 lockfpl 104 1712 0 1704 2 1 1 2 0 8 0 lockfspl 48 623 0 618 1 0 1 1 0 8 0 sessionpl 144 50 0 41 1 0 1 1 0 8 0 pgrppl 48 188 0 171 1 0 1 1 0 8 0 ucredpl 104 6567 0 6554 1 0 1 1 0 8 0 zombiepl 144 5080 0 5079 1 0 1 1 0 8 0 processpl 1248 4867 0 4812 6 1 5 6 0 8 0 procpl 664 12517 0 12451 10 3 7 8 0 8 0 sosppl 168 33 0 33 7 6 1 1 0 8 1 sockpl 752 10535 0 10498 102 91 11 24 0 8 7 mcl64k 65536 8 0 0 1 0 1 1 0 8 0 mcl16k 16384 3 0 0 1 0 1 1 0 8 0 mcl12k 12288 2 0 0 1 0 1 1 0 8 0 mcl9k 9216 2 0 0 1 0 1 1 0 8 0 mcl8k 8192 5 0 0 1 0 1 1 0 8 0 mcl4k 4096 126 0 0 16 0 16 16 0 8 0 mcl2k2 2112 2 0 0 1 0 1 1 0 8 0 mcl2k 2048 105 0 0 7 0 7 7 0 8 0 mtagpl 96 13 0 0 1 0 1 1 0 8 0 mbufpl 256 1252 0 0 76 0 76 76 0 8 0 bufpl 280 50496 0 44353 441 1 440 440 0 8 0 anonpl 32 14561 0 0 118 1 117 118 0 246 0 amapchunkpl 152 151545 0 151021 74 39 35 39 0 158 12 amappl16 200 17969 0 17931 118 102 16 32 0 8 5 amappl15 192 8 0 8 2 2 0 1 0 8 0 amappl14 184 199 0 187 1 0 1 1 0 8 0 amappl13 176 5 0 5 1 1 0 1 0 8 0 amappl12 168 5565 0 5534 3 1 2 2 0 8 0 amappl11 160 55 0 39 1 0 1 1 0 8 0 amappl10 152 8 0 8 2 2 0 1 0 8 0 amappl9 144 245 0 245 1 1 0 1 0 8 0 amappl8 136 24 0 21 1 0 1 1 0 8 0 amappl7 128 141 0 128 1 0 1 1 0 8 0 amappl6 120 255 0 251 1 0 1 1 0 8 0 amappl5 112 163 0 153 1 0 1 1 0 8 0 amappl4 104 405 0 383 1 0 1 1 0 8 0 amappl3 96 31245 0 31124 5 1 4 4 0 8 0 amappl2 88 897 0 833 2 0 2 2 0 8 0 amappl1 80 31693 0 31097 17 3 14 15 0 8 0 amappl 88 41703 0 41527 5 0 5 5 0 92 0 dma16384 16384 1 0 1 1 0 1 1 0 8 1 dma8192 8192 2 0 2 2 2 0 1 0 8 0 dma4096 4096 3 0 3 3 3 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma512 512 1 0 1 1 1 0 1 0 8 0 dma256 256 10 0 10 2 2 0 1 0 8 0 dma128 128 263 0 263 7 7 0 1 0 8 0 dma64 64 8 0 8 3 3 0 1 0 8 0 dma32 32 8 0 8 2 2 0 1 0 8 0 dma16 16 20 0 19 1 0 1 1 0 8 0 aobjpl 72 57 0 4 1 0 1 1 0 8 0 uaddrrnd 24 4815 0 4783 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 4815 0 4783 1 0 1 1 0 8 0 vmmpekpl 168 40784 0 40742 3 0 3 3 0 8 0 vmmpepl 168 311574 0 309504 142 39 103 117 0 357 0 vmsppl 488 4814 0 4783 5 0 5 5 0 8 0 rwobjpl 80 85732 0 78792 157 7 150 154 0 8 0 pdppl 4096 9638 0 9566 132 60 72 84 0 8 0 pvpl 32 22711 0 0 184 1 183 183 0 265 0 pmappl 256 4814 0 4783 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 426 0 116 10 0 10 10 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace proc_trampoline() at proc_trampoline+0xc7 end of kernel end trace frame: 0x77fc1fcc28a0, count: -1 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffff8000299edff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 x86_bus_space_io_read_1(3f8,5) at x86_bus_space_io_read_1+0x37 sys/arch/amd64/amd64/bus_space.c:654 comcnputc(800,34) at comcnputc+0x250 comcn_read_reg sys/dev/ic/com.c:1655 [inline] comcnputc(800,34) at comcnputc+0x250 sys/dev/ic/com.c:1269 cnputc(34) at cnputc+0x67 sys/dev/cons.c:218 db_putchar(34) at db_putchar+0x36d sys/ddb/db_output.c:155 kprintf() at kprintf+0x29a5 sys/kern/subr_prf.c:-1 db_printf(ffffffff8331406f) at db_printf+0x9b sys/kern/subr_prf.c:-1 fault(ffffffff833d76dd) at fault+0xa7 sys/arch/amd64/amd64/trap.c:161 kpageflttrap(ffff80003c439050,48) at kpageflttrap+0x37d sys/arch/amd64/amd64/trap.c:296 kerntrap(ffff80003c439050) at kerntrap+0x198 sys/arch/amd64/amd64/trap.c:491 alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b witness_checkorder(28,9,0) at witness_checkorder+0xb5 sys/kern/subr_witness.c:779 end trace frame: 0xffff80003c4391f0, count: 0 ddb{1}> trace x86_ipi_db(ffff8000299edff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 x86_bus_space_io_read_1(3f8,5) at x86_bus_space_io_read_1+0x37 sys/arch/amd64/amd64/bus_space.c:654 comcnputc(800,34) at comcnputc+0x250 comcn_read_reg sys/dev/ic/com.c:1655 [inline] comcnputc(800,34) at comcnputc+0x250 sys/dev/ic/com.c:1269 cnputc(34) at cnputc+0x67 sys/dev/cons.c:218 db_putchar(34) at db_putchar+0x36d sys/ddb/db_output.c:155 kprintf() at kprintf+0x29a5 sys/kern/subr_prf.c:-1 db_printf(ffffffff8331406f) at db_printf+0x9b sys/kern/subr_prf.c:-1 fault(ffffffff833d76dd) at fault+0xa7 sys/arch/amd64/amd64/trap.c:161 kpageflttrap(ffff80003c439050,48) at kpageflttrap+0x37d sys/arch/amd64/amd64/trap.c:296 kerntrap(ffff80003c439050) at kerntrap+0x198 sys/arch/amd64/amd64/trap.c:491 alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b witness_checkorder(28,9,0) at witness_checkorder+0xb5 sys/kern/subr_witness.c:779 mtx_enter(18) at mtx_enter+0x4a sys/kern/kern_lock.c:260 clockintr_unbind(ffff8000015d9530,1) at clockintr_unbind+0x56 sys/kern/kern_clockintr.c:375 dt_ioctl_record_stop(ffff8000016c5000) at dt_ioctl_record_stop+0xbc sys/dev/dt/dt_dev.c:582 dtclose(11e5f,81,2000,ffff80003582aa88) at dtclose+0x109 dt_pcb_purge sys/dev/dt/dt_dev.c:-1 [inline] dtclose(11e5f,81,2000,ffff80003582aa88) at dtclose+0x109 sys/dev/dt/dt_dev.c:232 spec_close(ffff80003c439340) at spec_close+0x466 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd805a2c52d0,81,fffffd80097fb478,ffff80003582aa88) at VOP_CLOSE+0x132 sys/kern/vfs_vops.c:156 vn_closefile(fffffd80691a6680,ffff80003582aa88) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd80691a6680,ffff80003582aa88) at vn_closefile+0x12b sys/kern/vfs_vnops.c:615 fdrop(fffffd80691a6680,ffff80003582aa88) at fdrop+0x121 sys/kern/kern_descrip.c:1267 closef(fffffd80691a6680,ffff80003582aa88) at closef+0x192 sys/kern/kern_descrip.c:1251 fdfree(ffff80003582aa88) at fdfree+0x116 sys/kern/kern_descrip.c:1182 exit1(ffff80003582aa88,b,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80003582aa88,ffff80003c4396b0,ffff80003c439600) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c4396b0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c4396b0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7b9cbf88eb10, count: -28