panic: vrele: v_writecount != 0
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*133936 48555 0 0 0x4000000 0 syz-executor.0
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
vrele(fffffd802eb1f8b0) at vrele+0x188 sys/kern/vfs_subr.c:797
diskmapioctl(5a00,c0106477,ffff80001492cd30,1,ffff8000ffff2018) at diskmapioctl+0x2a8 sys/dev/diskmap.c:140
VOP_IOCTL(fffffd803741c198,c0106477,ffff80001492cd30,1,fffffd803f7c6c00,ffff8000ffff2018) at VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
vn_ioctl(fffffd803468ce98,c0106477,ffff80001492cd30,ffff8000ffff2018) at vn_ioctl+0xb6 sys/kern/vfs_vnops.c:519
sys_ioctl(ffff8000ffff2018,ffff80001492ce48,ffff80001492ceb0) at sys_ioctl+0x5b8
syscall(ffff80001492cf10) at syscall+0x508
Xsyscall(6,0,ffffffffffffff1f,0,3,c088f01b010) at Xsyscall+0x128
end of kernel
end trace frame: 0xc0b4581a4b0, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
vrele: v_writecount != 0
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
vrele(fffffd802eb1f8b0) at vrele+0x188 sys/kern/vfs_subr.c:797
diskmapioctl(5a00,c0106477,ffff80001492cd30,1,ffff8000ffff2018) at diskmapioctl+0x2a8 sys/dev/diskmap.c:140
VOP_IOCTL(fffffd803741c198,c0106477,ffff80001492cd30,1,fffffd803f7c6c00,ffff8000ffff2018) at VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
vn_ioctl(fffffd803468ce98,c0106477,ffff80001492cd30,ffff8000ffff2018) at vn_ioctl+0xb6 sys/kern/vfs_vnops.c:519
sys_ioctl(ffff8000ffff2018,ffff80001492ce48,ffff80001492ceb0) at sys_ioctl+0x5b8
syscall(ffff80001492cf10) at syscall+0x508
Xsyscall(6,0,ffffffffffffff1f,0,3,c088f01b010) at Xsyscall+0x128
end of kernel
end trace frame: 0xc0b4581a4b0, count: -9
ddb> show registers
rdi 0xffffffff81ac3167 db_enter+0x17
rsi 0x72da __ALIGN_SIZE+0x62da
rbp 0xffff80001492c8f0
rbx 0xffff80001492c9a0
rdx 0x72db __ALIGN_SIZE+0x62db
rcx 0xffff800016be5000
rax 0xffff800016be5000
r8 0xffff80001492c8b0
r9 0x1
r10 0xffff800000998e00
r11 0x90a4205b846d42c9
r12 0x3000000008
r13 0xffff80001492c900
r14 0x100
r15 0x1
rip 0xffffffff81ac3168 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff80001492c8e0
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb> show proc
PROC (syz-executor.0) pid=133936 stat=onproc
flags process=0 proc=4000000
pri=24, usrpri=77, nice=20
forw=0xffffffffffffffff, list=0xffff8000ffff3160,0xffff8000ffff2c80
process=0xffff8000ffff6010 user=0xffff800014927000, vmspace=0xfffffd803f013110
estcpu=36, cpticks=2, pctcpu=0.0
user=0, sys=2, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
56503 202535 53907 0 2 0 syz-executor.1
56503 286429 53907 0 3 0x4000080 fsleep syz-executor.1
48555 436904 53647 0 2 0 syz-executor.0
*48555 133936 53647 0 7 0x4000000 syz-executor.0
48555 369503 53647 0 2 0x4000000 syz-executor.0
85465 319007 0 0 3 0x14200 bored sosplice
32312 288189 1 0 3 0x100083 ttyin getty
53647 442230 78462 0 2 0x482 syz-executor.0
53907 205377 78462 0 2 0x482 syz-executor.1
78462 367349 63185 0 3 0x82 thrsleep syz-fuzzer
78462 162070 63185 0 3 0x4000082 thrsleep syz-fuzzer
78462 358521 63185 0 3 0x4000082 thrsleep syz-fuzzer
78462 383035 63185 0 3 0x4000082 thrsleep syz-fuzzer
78462 246884 63185 0 3 0x4000082 kqread syz-fuzzer
78462 218811 63185 0 3 0x4000082 thrsleep syz-fuzzer
78462 293142 63185 0 3 0x4000082 thrsleep syz-fuzzer
63185 7334 90673 0 3 0x10008a pause ksh
90673 332580 88951 0 3 0x92 select sshd
88951 3070 1 0 3 0x80 select sshd
3174 475306 83518 73 2 0x100090 syslogd
83518 336927 1 0 3 0x100082 netio syslogd
32759 42683 1 77 3 0x100090 poll dhclient
75296 262430 1 0 3 0x80 poll dhclient
73402 146851 0 0 2 0x14200 zerothread
73944 358800 0 0 3 0x14200 aiodoned aiodoned
92291 22499 0 0 3 0x14200 syncer update
69862 124198 0 0 3 0x14200 cleaner cleaner
60560 107765 0 0 3 0x14200 reaper reaper
90111 388039 0 0 3 0x14200 pgdaemon pagedaemon
98057 304330 0 0 3 0x14200 bored crynlk
56410 157392 0 0 3 0x14200 bored crypto
33570 222948 0 0 3 0x40014200 acpi0 acpi0
16538 152746 0 0 3 0x14200 bored softnet
26034 434950 0 0 3 0x14200 bored systqmp
10643 84756 0 0 3 0x14200 bored systq
16241 477291 0 0 3 0x40014200 bored softclock
74683 335883 0 0 3 0x40014200 idle0
30455 156101 0 0 2 0x14200 smr
1 105126 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb> show all locks
No such command
ddb> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9489 6340K 6854K 78643K 12133 0 0
pcb 13 8K 8K 78643K 67 0 0
rtable 111 4K 4K 78643K 374 0 0
ifaddr 52 12K 13K 78643K 144 0 0
counters 19 16K 16K 78643K 19 0 0
ioctlops 0 0K 2K 78643K 55 0 0
iov 0 0K 20K 78643K 58 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1213 76K 77K 78643K 1747 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 5K 78643K 6 0 0
VM map 2 0K 0K 78643K 2 0 0
sem 12 0K 0K 78643K 62 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1793 195K 288K 78643K 12645 0 0
file desc 6 17K 25K 78643K 649 0 0
sigio 0 0K 0K 78643K 6 0 0
proc 41 30K 54K 78643K 422 0 0
subproc 32 2K 2K 78643K 34 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
ip_moptions 0 0K 0K 78643K 58 0 0
in_multi 33 2K 2K 78643K 64 0 0
ether_multi 1 0K 0K 78643K 7 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 48 212K 212K 78643K 48 0 0
exec 0 0K 1K 78643K 234 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 89 20K 25K 78643K 2318 0 0
UVM aobj 18 2K 2K 78643K 20 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
ip6_options 0 0K 0K 78643K 23 0 0
NDP 10 0K 0K 78643K 38 0 0
temp 137 2722K 2788K 78643K 5019 0 0
kqueue 0 0K 0K 78643K 8 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp 64 6 0 0 1 0 1 1 0 8 0
rtpcb 80 45 0 43 1 0 1 1 0 8 0
rtentry 112 45 0 1 2 0 2 2 0 8 0
unpcb 120 199 0 189 1 0 1 1 0 8 0
syncache 264 4 0 4 1 1 0 1 0 8 0
tcpqe 32 1359 0 1359 1 1 0 1 0 8 0
tcpcb 544 100 0 96 1 0 1 1 0 8 0
inpcb 280 266 0 259 1 0 1 1 0 8 0
nd6 48 6 0 0 1 0 1 1 0 8 0
pkpcb 40 10 0 10 3 2 1 1 0 8 1
ppxss 1128 20 0 20 1 0 1 1 0 8 1
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 188 0 0 12 0 12 12 0 8 0
art_table 32 189 0 0 2 0 2 2 0 8 0
art_node 16 44 0 4 1 0 1 1 0 8 0
sysvmsgpl 40 8 0 6 2 1 1 1 0 8 0
semapl 112 60 0 50 1 0 1 1 0 8 0
shmpl 112 18 0 2 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino1pl 128 2428 0 1009 46 0 46 46 0 8 0
ffsino 240 2428 0 1009 84 0 84 84 0 8 0
nchpl 144 3546 0 1914 62 1 61 62 0 8 0
uvmvnodes 72 2812 0 0 52 0 52 52 0 8 0
vnodes 200 2812 0 0 148 0 148 148 0 8 0
namei 1024 10206 0 10206 1 0 1 1 0 8 1
scsiplug 64 1 0 1 1 1 0 1 0 8 0
scxspl 192 10233 0 10233 11 7 4 6 0 8 4
plimitpl 152 84 0 77 1 0 1 1 0 8 0
sigapl 432 821 0 807 2 0 2 2 0 8 0
futexpl 56 10048 0 10047 1 0 1 1 0 8 0
knotepl 112 169 0 150 1 0 1 1 0 8 0
kqueuepl 104 152 0 150 1 0 1 1 0 8 0
pipepl 112 462 0 443 2 0 2 2 0 8 1
fdescpl 424 822 0 807 2 0 2 2 0 8 0
filepl 120 4733 0 4637 4 0 4 4 0 8 1
lockfpl 104 194 0 194 2 1 1 1 0 8 1
lockfspl 48 71 0 71 2 1 1 1 0 8 1
sessionpl 112 18 0 8 1 0 1 1 0 8 0
pgrppl 48 20 0 10 1 0 1 1 0 8 0
ucredpl 96 948 0 941 1 0 1 1 0 8 0
zombiepl 144 807 0 807 1 0 1 1 0 8 1
processpl 864 837 0 807 4 0 4 4 0 8 0
procpl 632 1621 0 1582 4 0 4 4 0 8 0
sosppl 128 3 0 3 1 0 1 1 0 8 1
sockpl 384 528 0 509 3 0 3 3 0 8 1
mcl64k 65536 22 0 22 2 1 1 1 0 8 1
mcl16k 16384 2 0 2 2 1 1 1 0 8 1
mcl12k 12288 12 0 12 1 0 1 1 0 8 1
mcl9k 9216 13 0 13 1 0 1 1 0 8 1
mcl8k 8192 8 0 8 3 2 1 1 0 8 1
mcl4k 4096 39 0 39 2 1 1 1 0 8 1
mcl2k2 2112 2 0 2 1 1 0 1 0 8 0
mcl2k 2048 54989 0 54946 14 7 7 11 0 8 1
mtagpl 80 19 0 11 2 1 1 1 0 8 0
mbufpl 256 90261 0 90186 12 5 7 10 0 8 0
bufpl 256 7251 0 2684 286 0 286 286 0 8 0
anonpl 16 92236 0 80619 70 6 64 64 0 62 15
amapchunkpl 152 3531 0 3425 11 5 6 8 0 158 1
amappl16 192 4354 0 3711 53 12 41 45 0 8 8
amappl15 184 310 0 308 1 0 1 1 0 8 0
amappl14 176 52 0 46 1 0 1 1 0 8 0
amappl13 168 8 0 8 1 1 0 1 0 8 0
amappl12 160 319 0 316 1 0 1 1 0 8 0
amappl11 152 59 0 46 1 0 1 1 0 8 0
amappl10 144 60 0 60 2 2 0 1 0 8 0
amappl9 136 544 0 541 1 0 1 1 0 8 0
amappl8 128 128 0 113 1 0 1 1 0 8 0
amappl7 120 38 0 34 1 0 1 1 0 8 0
amappl6 112 54 0 45 1 0 1 1 0 8 0
amappl5 104 475 0 463 1 0 1 1 0 8 0
amappl4 96 729 0 703 1 0 1 1 0 8 0
amappl3 88 505 0 493 1 0 1 1 0 8 0
amappl2 80 5969 0 5894 3 1 2 3 0 8 0
amappl1 72 23475 0 23043 25 15 10 19 0 8 0
amappl 80 1856 0 1819 1 0 1 1 0 84 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma64 64 259 0 259 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 17 0 17 1 1 0 1 0 8 0
aobjpl 64 19 0 2 1 0 1 1 0 8 0
uaddrrnd 24 822 0 807 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 822 0 807 1 0 1 1 0 8 0
vmmpekpl 168 8731 0 8707 2 0 2 2 0 8 0
vmmpepl 168 101869 0 100075 107 18 89 90 0 357 11
vmsppl 272 821 0 807 2 1 1 2 0 8 0
pdppl 4096 1650 0 1614 6 1 5 6 0 8 0
pvpl 32 256026 0 241339 167 7 160 160 0 265 38
pmappl 200 821 0 807 1 0 1 1 0 8 0
extentpl 40 41 0 26 1 0 1 1 0 8 0
phpool 112 433 0 21 12 0 12 12 0 8 0