*cpu1: uvm_fault(0xfffffd80605975e0, 0x0, 0, 1) -> e ddb{0}> trace proc_trampoline() at proc_trampoline+0xc7 end of kernel end trace frame: 0x71a56c522d10, count: -1 ddb{0}> show registers rdi 0 rsi 0 rbp 0xffff80002a37be00 rbx 0 rdx 0 rcx 0xffff80003c49f4f0 rax 0x2a r8 0xffff80002a37bd30 r9 0x4 r10 0xc319bbcbffd6ef28 r11 0xc91259ca791a8831 r12 0 r13 0 r14 0 r15 0 rip 0xffffffff8323d4c7 proc_trampoline+0xc7 cs 0x8 rflags 0x246 rsp 0xffff80002a37bd80 ss 0 proc_trampoline+0xc7: movl $0,%gs:0x688 ddb{0}> show proc PROC (syz-executor) tid=273053 pid=78231 tcnt=1 stat=onproc flags process=0 proc=0 runpri=50, usrpri=50, slppri=17, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80003c49fa20,0xffffffff8390d950 process=0xffff80003a836720 user=0xffff80002a376000, vmspace=0xfffffd8060597b98 estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND *78231 273053 74200 0 7 0 syz-executor 24023 123668 26437 0 3 0x80 nanoslp syz-executor 24023 510769 26437 0 3 0x4000080 kqread syz-executor 24023 33392 26437 0 3 0x4000080 fsleep syz-executor 40802 67465 57364 0 3 0x80 nanoslp syz-executor 40802 499120 57364 0 3 0x4000080 kqread syz-executor 40802 452387 57364 0 3 0x4000080 fsleep syz-executor 74200 501530 42106 0 3 0x82 nanoslp syz-executor 62288 485980 42106 0 3 0x82 nanoslp syz-executor 26495 382500 42106 0 3 0x82 nanoslp syz-executor 74507 497834 42106 0 3 0x82 wait syz-executor 57364 249567 42106 0 3 0x82 nanoslp syz-executor 82850 289146 83460 0 3 0x82 sbwait sshd-session 63770 104191 42106 0 3 0x82 nanoslp syz-executor 87505 19071 0 0 3 0x14200 bored sosplice 26437 349850 42106 0 3 0x82 nanoslp syz-executor 78909 175055 42106 0 3 0x82 nanoslp syz-executor 42106 509248 57847 0 3 0x82 kqread syz-executor 57847 342390 64451 0 3 0x10008a sigsusp ksh 64451 57082 50075 0 3 0x98 kqread sshd-session 50075 472180 83460 0 3 0x92 kqread sshd-session 4222 229715 1 0 3 0x100083 ttyopn getty 83460 322301 1 0 3 0x88 kqread sshd 43309 164711 72787 74 3 0x1100092 bpf pflogd 72787 47194 1 0 3 0x80 sbwait pflogd 83955 313682 73442 73 3 0x1100090 kqread syslogd 73442 309123 1 0 3 0x100082 sbwait syslogd 45134 448517 1 0 3 0x100080 kqread resolvd 34350 328321 18723 77 3 0x100092 kqread dhcpleased 73572 433401 18723 77 3 0x100092 kqread dhcpleased 18723 120528 1 0 3 0x80 kqread dhcpleased 5608 500227 0 0 3 0x14200 bored smr 76063 381018 0 0 3 0x14200 pgzero zerothread 58552 128350 0 0 3 0x14200 aiodoned aiodoned 30465 333446 0 0 3 0x14200 syncer update 29623 461673 0 0 3 0x14200 cleaner cleaner 22496 249318 0 0 3 0x14200 reaper reaper 24842 168129 0 0 3 0x14200 pgdaemon pagedaemon 64266 167856 0 0 3 0x14200 bored viomb 10684 103565 0 0 3 0x40014200 acpi0 acpi0 86726 413752 0 0 3 0x40014200 idle1 28715 349427 0 0 3 0x14200 bored softnet7 64876 414242 0 0 3 0x14200 bored softnet6 36046 419496 0 0 3 0x14200 bored softnet5 88459 495695 0 0 3 0x14200 bored softnet4 54368 57402 0 0 3 0x14200 bored softnet3 81492 345112 0 0 3 0x14200 bored softnet2 67021 8746 0 0 3 0x14200 bored softnet1 6439 338719 0 0 3 0x14200 bored softnet0 87869 81813 0 0 3 0x14200 bored systqmp 48666 206443 0 0 3 0x14200 bored systq 99063 63474 0 0 3 0x14200 tmoslp softclockmp 1107 222982 0 0 3 0x40014200 tmoslp softclock 30842 70681 0 0 3 0x40014200 idle0 1 423491 0 0 3 0x82 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb{0}> show all locks CPU 0: exclusive mutex &pmap->pm_mtx r = 0 (0xfffffd806af67210) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 mtx_enter_try+0x1ad sys/kern/kern_lock.c:311 #2 mtx_enter+0x62 sys/kern/kern_lock.c:261 #3 pmap_extract+0xb1 sys/arch/amd64/amd64/pmap.c:1572 #4 uvm_fault_lower_lookup+0x268 sys/uvm/uvm_fault.c:1271 #5 uvm_fault_lower+0x89 sys/uvm/uvm_fault.c:1370 #6 uvm_fault+0x274 sys/uvm/uvm_fault.c:-1 #7 upageflttrap+0xa9 sys/arch/amd64/amd64/trap.c:192 #8 usertrap+0x3c6 sys/arch/amd64/amd64/trap.c:605 #9 recall_trap+0x8 Process 78231 (syz-executor) thread 0xffff80003c49f4f0 (273053) ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10248 11081K 13143K 166960K 16478 0 pcb 17 14K 30K 166960K 943 0 rtable 157 12K 13K 166960K 792 0 pf 36 18K 83K 166960K 436 0 ifaddr 27 5K 9K 166960K 252 0 ifgroup 47 2K 3K 166960K 470 0 sysctl 4 1K 9K 166960K 102 0 counters 64 36K 38K 166960K 522 0 ioctlops 0 0K 4K 166960K 2312 0 iov 0 0K 28K 166960K 258 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1612 101K 102K 166960K 5096 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 10K 14K 166960K 51 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 351 0 dirhash 12 2K 3K 166960K 99 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 18 65K 240K 166960K 3523 0 sigio 0 0K 0K 166960K 132 0 proc 72 115K 164K 166960K 1192 0 subproc 72 4K 4K 166960K 157 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 810 0 in_multi 44 3K 7K 166960K 328 0 ether_multi 1 0K 0K 166960K 38 0 mrt 1 0K 0K 166960K 25 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 229 1023K 1023K 166960K 229 0 exec 0 0K 1K 166960K 1038 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 5 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 264 174K 187K 166960K 33085 0 UVM aobj 81 3K 3K 166960K 87 0 pinsyscall 45 90K 103K 166960K 4862 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 1K 166960K 236 0 NDP 10 0K 2K 166960K 184 0 temp 79 8652K 8908K 166960K 178481 0 kqueue 15 24K 34K 166960K 704 0 SYN cache 2 16K 16K 166960K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 120 357 0 354 3 2 1 2 0 8 0 rtentry 176 273 0 228 5 0 5 5 0 8 0 unpcb 144 2681 0 2662 17 14 3 6 0 8 2 syncache 336 12 0 12 4 4 0 1 0 8 0 tcpqe 32 2 0 2 2 2 0 1 0 8 0 tcpcb 736 1115 0 1108 18 15 3 7 0 8 1 arp 128 30 0 24 1 0 1 1 0 8 0 inpcb 328 3871 0 3860 25 21 4 8 0 8 2 nd6 144 47 0 40 1 0 1 1 0 8 0 pkpcb 40 35 0 35 3 2 1 1 0 8 1 kcovpl 48 17 0 9 1 0 1 1 0 8 0 mppekey 1024 1 0 1 1 1 0 1 0 8 0 ppxss 1192 176 0 176 3 2 1 1 0 8 1 pppxif 1504 21 0 21 4 3 1 1 0 8 1 pfstscr 40 5 0 5 2 2 0 1 0 8 0 pffrag 232 22 0 11 1 0 1 1 0 482 0 pffrnode 88 12 0 2 1 0 1 1 0 8 0 pffrent 40 39 0 27 1 0 1 1 0 8 0 pfosfp 40 1428 0 1428 5 5 0 5 0 8 0 pfosfpen 112 1428 0 1428 21 21 0 21 0 8 0 pfrktable 1344 1 0 1 1 1 0 1 0 8 0 pfanchor 1288 1 0 0 1 0 1 1 0 8 0 pftag 88 1 0 0 1 0 1 1 0 8 0 pfstitem 24 223 0 95 1 0 1 1 0 8 0 pfstkey 128 231 0 103 5 0 5 5 0 8 0 pfstate 384 224 0 99 13 0 13 13 0 8 0 pfrule 1344 34 0 29 2 1 1 2 0 8 0 rttmr 136 4 0 4 2 2 0 1 0 8 0 art_heap8 4096 5 0 1 4 0 4 4 0 8 0 art_heap4 256 1337 0 1110 34 14 20 30 0 8 3 art_table 40 1342 0 1111 5 0 5 5 0 8 0 art_node 32 272 0 234 1 0 1 1 0 8 0 sysvmsgpl 40 4 0 1 1 0 1 1 0 8 0 semupl 112 3 0 3 3 2 1 1 0 8 1 semapl 112 345 0 335 1 0 1 1 0 8 0 shmpl 112 84 0 6 3 0 3 3 0 8 0 dirhash 1024 77 0 60 3 0 3 3 0 8 0 dino2pl 256 8196 0 6676 98 2 96 96 0 8 0 ffsino 296 8196 0 6676 119 1 118 118 0 8 0 nchpl 144 13071 0 11363 64 0 64 64 0 8 0 rtmask 32 37 0 37 3 3 0 1 0 8 0 uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0 vnodes 216 5926 0 0 330 0 330 330 0 8 0 namei 1024 48019 0 48019 3 2 1 2 0 8 1 percpumem 16 276 0 229 1 0 1 1 0 8 0 kstatmem 264 306 0 280 4 1 3 3 0 8 0 scsiplug 72 9 0 9 5 5 0 1 0 8 0 scxspl 216 92552 0 92552 14 11 3 8 1 8 3 plimitpl 152 1048 0 1030 2 1 1 2 0 8 0 sigapl 424 3822 0 3766 9 1 8 9 0 8 0 knotepl 120 763 0 0 23 0 23 23 0 8 0 kqueuepl 224 1820 0 1809 19 16 3 9 0 8 2 pipepl 344 737 0 710 24 20 4 9 0 8 1 fdescpl 528 3771 0 3738 3 0 3 3 0 8 0 filepl 160 28490 0 28261 36 18 18 21 0 8 6 lockfpl 104 2147 0 2144 4 3 1 2 0 8 0 lockfspl 48 747 0 744 1 0 1 1 0 8 0 sessionpl 144 39 0 29 1 0 1 1 0 8 0 pgrppl 48 102 0 84 1 0 1 1 0 8 0 ucredpl 104 4807 0 4793 1 0 1 1 0 8 0 zombiepl 144 4060 0 4055 1 0 1 1 0 8 0 processpl 1248 3822 0 3766 6 0 6 6 0 8 0 procpl 664 9540 0 9480 10 2 8 9 0 8 0 sosppl 168 38 0 38 3 2 1 1 0 8 1 sockpl 752 7165 0 7132 51 43 8 17 0 8 3 mcl64k 65536 7 0 0 1 0 1 1 0 8 0 mcl16k 16384 4 0 0 1 0 1 1 0 8 0 mcl12k 12288 2 0 0 1 0 1 1 0 8 0 mcl9k 9216 1 0 0 1 0 1 1 0 8 0 mcl8k 8192 5 0 0 1 0 1 1 0 8 0 mcl4k 4096 118 0 0 15 0 15 15 0 8 0 mcl2k2 2112 1 0 0 1 0 1 1 0 8 0 mcl2k 2048 44 0 0 6 0 6 6 0 8 0 mtagpl 96 47 0 0 2 0 2 2 0 8 0 mbufpl 256 1207 0 0 73 0 73 73 0 8 0 bufpl 280 38233 0 32089 440 0 440 440 0 8 0 anonpl 32 15651 0 0 128 1 127 127 0 246 0 amapchunkpl 152 114362 0 113823 52 22 30 31 0 158 7 amappl16 200 13860 0 13824 84 66 18 40 0 8 5 amappl15 192 15 0 15 1 1 0 1 0 8 0 amappl14 184 151 0 138 1 0 1 1 0 8 0 amappl13 176 8 0 8 1 1 0 1 0 8 0 amappl12 168 4575 0 4542 4 2 2 3 0 8 0 amappl11 160 55 0 41 1 0 1 1 0 8 0 amappl10 152 4 0 4 2 2 0 1 0 8 0 amappl9 144 268 0 267 2 1 1 1 0 8 0 amappl8 136 29 0 26 1 0 1 1 0 8 0 amappl7 128 135 0 120 1 0 1 1 0 8 0 amappl6 120 278 0 273 1 0 1 1 0 8 0 amappl5 112 174 0 164 1 0 1 1 0 8 0 amappl4 104 357 0 335 1 0 1 1 0 8 0 amappl3 96 23919 0 23796 5 1 4 4 0 8 0 amappl2 88 869 0 796 2 0 2 2 0 8 0 amappl1 80 24124 0 23443 17 1 16 16 0 8 0 amappl 88 31672 0 31489 5 0 5 5 0 92 0 dma32768 32768 1 0 1 1 1 0 1 0 8 0 dma16384 16384 2 0 2 2 2 0 1 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma2048 2048 2 0 2 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 257 0 257 5 5 0 1 0 8 0 dma64 64 9 0 9 3 3 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 19 0 18 1 0 1 1 0 8 0 aobjpl 72 86 0 6 2 0 2 2 0 8 0 uaddrrnd 24 3771 0 3738 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 3771 0 3738 1 0 1 1 0 8 0 vmmpekpl 168 29172 0 29110 4 0 4 4 0 8 0 vmmpepl 168 240778 0 238552 144 31 113 127 0 357 1 vmsppl 488 3770 0 3738 6 1 5 5 0 8 0 rwobjpl 80 68193 0 61122 157 5 152 154 0 8 0 pdppl 4096 7550 0 7476 128 52 76 86 0 8 2 pvpl 32 24028 0 0 194 0 194 194 0 265 0 pmappl 256 3770 0 3738 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 400 0 96 9 0 9 9 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace proc_trampoline() at proc_trampoline+0xc7 end of kernel end trace frame: 0x71a56c522d10, count: -1 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffff8000299fdff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 x86_bus_space_io_write_1(3f8,0,66) at x86_bus_space_io_write_1+0x40 sys/arch/amd64/amd64/bus_space.c:774 comcnputc(800,66) at comcnputc+0x1ab bus_space_barrier sys/dev/ic/com.c:-1 [inline] comcnputc(800,66) at comcnputc+0x1ab sys/dev/ic/com.c:1263 cnputc(66) at cnputc+0x67 sys/dev/cons.c:218 kputchar(66,5,0) at kputchar+0x2ed sys/kern/subr_prf.c:367 kprintf() at kprintf+0x203 sys/kern/subr_prf.c:723 printf(ffffffff8341525e) at printf+0x8b sys/kern/subr_prf.c:529 trap_print(ffff80002a39f470,6) at trap_print+0x70 sys/arch/amd64/amd64/trap.c:626 kerntrap(ffff80002a39f470) at kerntrap+0x2e6 sys/arch/amd64/amd64/trap.c:487 alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b dt_ioctl_record_stop(ffff800001688000) at dt_ioctl_record_stop+0x108 sys/dev/dt/dt_dev.c:586 dtclose(11e5f,81,2000,ffff80003c49fa20) at dtclose+0x109 dt_pcb_purge sys/dev/dt/dt_dev.c:-1 [inline] dtclose(11e5f,81,2000,ffff80003c49fa20) at dtclose+0x109 sys/dev/dt/dt_dev.c:232 end trace frame: 0xffff80002a39f610, count: 0 ddb{1}> trace x86_ipi_db(ffff8000299fdff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 x86_bus_space_io_write_1(3f8,0,66) at x86_bus_space_io_write_1+0x40 sys/arch/amd64/amd64/bus_space.c:774 comcnputc(800,66) at comcnputc+0x1ab bus_space_barrier sys/dev/ic/com.c:-1 [inline] comcnputc(800,66) at comcnputc+0x1ab sys/dev/ic/com.c:1263 cnputc(66) at cnputc+0x67 sys/dev/cons.c:218 kputchar(66,5,0) at kputchar+0x2ed sys/kern/subr_prf.c:367 kprintf() at kprintf+0x203 sys/kern/subr_prf.c:723 printf(ffffffff8341525e) at printf+0x8b sys/kern/subr_prf.c:529 trap_print(ffff80002a39f470,6) at trap_print+0x70 sys/arch/amd64/amd64/trap.c:626 kerntrap(ffff80002a39f470) at kerntrap+0x2e6 sys/arch/amd64/amd64/trap.c:487 alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b dt_ioctl_record_stop(ffff800001688000) at dt_ioctl_record_stop+0x108 sys/dev/dt/dt_dev.c:586 dtclose(11e5f,81,2000,ffff80003c49fa20) at dtclose+0x109 dt_pcb_purge sys/dev/dt/dt_dev.c:-1 [inline] dtclose(11e5f,81,2000,ffff80003c49fa20) at dtclose+0x109 sys/dev/dt/dt_dev.c:232 spec_close(ffff80002a39f620) at spec_close+0x466 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd806808e630,81,fffffd80097fb6e8,ffff80003c49fa20) at VOP_CLOSE+0x132 sys/kern/vfs_vops.c:156 vn_closefile(fffffd806bea5d48,ffff80003c49fa20) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd806bea5d48,ffff80003c49fa20) at vn_closefile+0x12b sys/kern/vfs_vnops.c:615 fdrop(fffffd806bea5d48,ffff80003c49fa20) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd806bea5d48,ffff80003c49fa20) at closef+0x192 sys/kern/kern_descrip.c:1264 fdfree(ffff80003c49fa20) at fdfree+0x116 sys/kern/kern_descrip.c:1195 exit1(ffff80003c49fa20,b,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80003c49fa20,ffff80002a39f990,ffff80002a39f8e0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80002a39f990) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80002a39f990) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7d0a13eed660, count: -24