*cpu1: uvm_fault(0xfffffd80689d4dc8, 0x2b0, 0, 1) -> e ddb{0}> trace proc_trampoline() at proc_trampoline+0xc7 end of kernel end trace frame: 0x7be27f08ca90, count: -1 ddb{0}> show registers rdi 0 rsi 0 rbp 0xffff80002a0d4af0 rbx 0 rdx 0 rcx 0xffff8000ffff2a40 rax 0x2a r8 0xffff80002a0d4a20 r9 0 r10 0x52ba0c71f1c83403 r11 0xec5ed2d35a3cd206 r12 0 r13 0xffffffff82952f38 Xdoreti+0x18 r14 0 r15 0 rip 0xffffffff81c9d4c7 proc_trampoline+0xc7 cs 0x8 rflags 0x246 rsp 0xffff80002a0d4a70 ss 0x10 proc_trampoline+0xc7: movl $0,%gs:0x680 ddb{0}> show proc PROC (syz-executor) tid=278580 pid=23586 tcnt=2 stat=onproc flags process=0 proc=0 runpri=50, usrpri=50, slppri=17, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff8000ffff36e8,0xffff800033fa6a68 process=0xffff8000fffe56a8 user=0xffff80002a0cf000, vmspace=0xfffffd80689d41c0 estcpu=36, cpticks=0, pctcpu=0.0, user=0, sys=0, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND *23586 278580 35922 0 7 0 syz-executor 23586 102357 35922 0 3 0x4000080 lockf syz-executor 95299 210148 65153 0 2 0 syz-executor 92977 316398 71538 0 2 0 syz-executor 92977 144495 71538 0 3 0x4000000 vm_terminate syz-executor 92977 207970 71538 0 7 0x4000000 syz-executor 43842 485071 9351 0 2 0x10 syz-executor 43842 246582 9351 0 3 0x4000090 piperd syz-executor 43842 351000 9351 0 2 0x4000010 syz-executor 71901 68166 34791 60929 2 0x10 syz-executor 71901 131601 34791 60929 3 0x4000090 kqsel syz-executor 21840 429478 0 0 3 0x14200 acct acct 79478 479131 93597 0 3 0x80 nanoslp syz-executor 79478 39064 93597 0 3 0x4000080 fsleep syz-executor 79478 205923 93597 0 3 0x4000080 fifor syz-executor 79478 310782 93597 0 3 0x4000080 fsleep syz-executor 35963 430940 18467 0 3 0x80 nanoslp syz-executor 35963 349622 18467 0 3 0x4000080 kqread syz-executor 35963 39001 18467 0 3 0x4000080 fsleep syz-executor 34791 459760 37783 0 3 0x82 nanoslp syz-executor 36577 161732 37783 0 2 0x2 syz-executor 93597 235513 37783 0 3 0x82 nanoslp syz-executor 9351 384577 37783 0 3 0x82 nanoslp syz-executor 18467 126240 37783 0 3 0x82 nanoslp syz-executor 35922 363476 37783 0 3 0x82 nanoslp syz-executor 65153 146066 37783 0 3 0x82 nanoslp syz-executor 71538 148334 37783 0 3 0x82 nanoslp syz-executor 55123 316310 1 0 3 0x100083 ttyin getty 46416 88320 0 0 3 0x14200 bored sosplice 64713 217748 0 0 3 0x14280 nfsidl nfsio 268 405847 0 0 3 0x14280 nfsidl nfsio 73934 310053 0 0 3 0x14280 nfsidl nfsio 15902 309396 0 0 3 0x14280 nfsidl nfsio 31730 307504 0 0 3 0x14280 nfsidl nfsio 55030 289160 0 0 3 0x14280 nfsidl nfsio 23486 374856 0 0 3 0x14280 nfsidl nfsio 9374 57316 0 0 3 0x14280 nfsidl nfsio 79852 10447 0 0 3 0x14280 nfsidl nfsio 89367 348736 0 0 3 0x14280 nfsidl nfsio 76536 267749 0 0 3 0x14280 nfsidl nfsio 86523 410228 0 0 3 0x14280 nfsidl nfsio 44916 33521 0 0 3 0x14280 nfsidl nfsio 65862 263568 0 0 3 0x14280 nfsidl nfsio 81710 202516 0 0 3 0x14280 nfsidl nfsio 53351 302524 0 0 3 0x14280 nfsidl nfsio 54992 98888 0 0 3 0x14280 nfsidl nfsio 37801 220061 0 0 3 0x14280 nfsidl nfsio 78122 316947 0 0 3 0x14280 nfsidl nfsio 85019 379212 0 0 3 0x14280 nfsidl nfsio 37783 291608 64343 0 2 0x2 syz-executor 64343 380578 64334 0 3 0x10008a sigsusp ksh 64334 47130 7608 0 3 0x98 kqread sshd-session 7608 18248 87503 0 3 0x92 kqread sshd-session 87503 162405 1 0 3 0x88 kqread sshd 40362 228621 92540 74 3 0x1100092 bpf pflogd 92540 142270 1 0 3 0x80 sbwait pflogd 36743 182558 48933 73 3 0x1100010 biowait syslogd 48933 489872 1 0 3 0x100082 sbwait syslogd 17687 379013 1 0 3 0x100080 kqread resolvd 15633 241081 48160 77 3 0x100092 kqread dhcpleased 8535 163287 48160 77 3 0x100092 kqread dhcpleased 48160 394522 1 0 3 0x80 kqread dhcpleased 66500 263355 0 0 3 0x14200 bored smr 95797 212364 0 0 2 0x14200 zerothread 44267 413915 0 0 3 0x14200 aiodoned aiodoned 77162 442935 0 0 3 0x14200 syncer update 34035 4123 0 0 3 0x14200 cleaner cleaner 86120 276297 0 0 3 0x14200 reaper reaper 11361 318664 0 0 3 0x14200 pgdaemon pagedaemon 92624 312370 0 0 3 0x14200 bored viomb 7881 435608 0 0 3 0x40014200 acpi0 acpi0 99290 9865 0 0 3 0x40014200 idle1 90904 284348 0 0 3 0x14200 bored softnet3 87900 203357 0 0 3 0x14200 bored softnet2 79465 309854 0 0 3 0x14200 bored softnet1 89783 256494 0 0 3 0x14200 bored softnet0 14597 247917 0 0 3 0x14200 bored systqmp 47300 360704 0 0 3 0x14200 bored systq 67505 383941 0 0 3 0x14200 tmoslp softclockmp 7582 483744 0 0 3 0x40014200 tmoslp softclock 63324 256745 0 0 3 0x40014200 idle0 1 469996 0 0 3 0x80082 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks CPU 0: exclusive mutex &sched_lock r = 0 (0xffffffff83580eb0) #0 witness_lock+0x5b8 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5b8 sys/kern/subr_witness.c:1151 #1 mtx_enter_try+0x178 #2 mtx_enter+0x60 sys/kern/kern_lock.c:239 #3 sleep_finish+0x1a9 sys/kern/kern_synch.c:400 #4 refcnt_finalize+0xd6 sys/kern/kern_synch.c:848 #5 vm_terminate+0x16d #6 vmmioctl+0x3c5 sys/dev/vmm/vmm.c:248 #7 VOP_IOCTL+0xac sys/kern/vfs_vops.c:264 #8 vn_ioctl+0xf6 sys/kern/vfs_vnops.c:525 #9 sys_ioctl+0x67c #10 syscall+0xbb6 mi_syscall sys/sys/syscall_mi.h:179 [inline] #10 syscall+0xbb6 sys/arch/amd64/amd64/trap.c:577 #11 Xsyscall+0x128 Process 92977 (syz-executor) thread 0xffff8000ffff36e8 (207970) Process 36743 (syslogd) thread 0xffff8000ffffc520 (182558) ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10245 10320K 14393K 166960K 16077 0 pcb 18 18K 20K 166960K 1104 0 rtable 239 17K 17K 166960K 5084 0 pf 42 19K 81K 166960K 520 0 ifaddr 45 9K 10K 166960K 684 0 ifgroup 63 2K 2K 166960K 788 0 sysctl 4 1K 4K 166960K 9 0 counters 68 36K 37K 166960K 454 0 ioctlops 0 0K 4K 166960K 2011 0 iov 1 0K 24K 166960K 280 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1541 97K 97K 166960K 6332 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 9K 166960K 58 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 326 0 dirhash 15 2K 3K 166960K 54 0 ACPI 1697 195K 286K 166960K 12548 0 file desc 17 61K 97K 166960K 5093 0 sigio 1 0K 0K 166960K 80 0 proc 71 91K 140K 166960K 4749 0 subproc 104 6K 6K 166960K 1937 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 677 0 in_multi 99 7K 7K 166960K 1723 0 ether_multi 1 0K 0K 166960K 9 0 mrt 1 0K 0K 166960K 9 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 289 1288K 1288K 166960K 289 0 exec 0 0K 1K 166960K 3099 0 pfkey data 0 0K 0K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 265 135K 155K 166960K 41795 0 UVM aobj 131 4K 4K 166960K 138 0 pinsyscall 42 84K 106K 166960K 9866 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 188 0 NDP 20 0K 2K 166960K 506 0 temp 76 6824K 6904K 166960K 191792 0 kqueue 15 24K 32K 166960K 509 0 SYN cache 2 8K 16K 166960K 3 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 24 0 0 1 0 1 1 0 8 0 rtpcb 120 702 0 699 5 4 1 3 0 8 0 rtentry 112 1766 0 1662 7 3 4 4 0 8 0 unpcb 144 3388 0 3366 42 38 4 9 0 8 3 syncache 336 14 0 14 8 8 0 1 0 8 0 tcpqe 32 4 0 4 2 2 0 1 0 8 0 tcpcb 808 1443 0 1437 50 47 3 8 0 8 2 arp 120 318 0 300 1 0 1 1 0 8 0 ipq 40 1 0 1 1 1 0 1 0 8 0 ipqe 40 3 0 3 1 1 0 1 0 8 0 inpcb 336 5681 0 5669 91 89 2 13 0 8 0 nd6 136 476 0 452 1 0 1 1 0 8 0 pkpcb 40 9 0 9 4 3 1 1 0 8 1 kcovpl 48 149 0 141 1 0 1 1 0 8 0 ppxss 1168 34 0 34 13 13 0 1 0 8 0 pfstscr 40 3 0 3 3 3 0 1 0 8 0 pffrag 232 26 0 24 1 0 1 1 0 482 0 pffrnode 88 26 0 24 1 0 1 1 0 8 0 pffrent 40 132 0 130 1 0 1 1 0 8 0 pfosfp 40 1431 0 1006 5 0 5 5 0 8 0 pfosfpen 112 1431 0 715 21 0 21 21 0 8 0 pfrktable 1344 17 0 14 1 0 1 1 0 8 0 pfanchor 1288 6 0 0 1 0 1 1 0 8 0 pftag 88 4 0 4 2 2 0 1 0 8 0 pfqueue 264 1 0 1 1 1 0 1 0 8 0 pfstitem 24 353 0 303 1 0 1 1 0 8 0 pfstkey 128 363 0 313 3 0 3 3 0 8 0 pfstate 376 355 0 308 9 2 7 8 0 8 0 pfrule 1344 35 0 26 2 1 1 2 0 8 0 art_heap8 4096 3 0 0 3 0 3 3 0 8 0 art_heap4 256 6980 0 6529 47 18 29 29 0 8 0 art_table 32 6983 0 6529 4 0 4 4 0 8 0 art_node 16 1760 0 1668 1 0 1 1 0 8 0 sysvmsgpl 40 17 0 9 2 1 1 1 0 8 0 semupl 112 1 0 1 1 1 0 1 0 8 0 semapl 112 324 0 314 1 0 1 1 0 8 0 shmpl 112 135 0 7 4 0 4 4 0 8 0 dirhash 1024 46 0 26 3 0 3 3 0 8 0 dino2pl 256 7393 0 5610 112 0 112 112 0 8 0 ffsino 272 7393 0 5610 120 0 120 120 0 8 0 nchpl 144 12027 0 10156 71 1 70 70 0 8 0 uvmvnodes 80 7880 0 0 161 0 161 161 0 8 0 vnodes 216 7880 0 0 438 0 438 438 0 8 0 namei 1024 59143 0 59143 10 9 1 1 0 8 1 percpumem 16 241 0 193 1 0 1 1 0 8 0 vcpupl 3904 26 0 2 3 0 3 3 0 8 0 vmpool 696 40 0 16 3 0 3 3 0 8 0 pfiaddrpl 120 3 0 2 1 0 1 1 0 8 0 kstatmem 264 414 0 386 10 8 2 3 0 8 0 scsiplug 72 6 0 6 3 3 0 1 0 8 0 scxspl 216 101664 0 101663 29 28 1 8 1 8 0 plimitpl 152 1316 0 1299 1 0 1 1 0 8 0 sigapl 424 5142 0 5071 9 0 9 9 0 8 0 futexpl 64 50929 0 50926 13 12 1 1 0 8 0 knotepl 120 781 0 0 18 0 18 18 0 8 0 kqueuepl 216 1171 0 1158 23 22 1 5 0 8 0 pipepl 320 907 0 878 5 2 3 5 0 8 0 fdescpl 496 5102 0 5071 11 6 5 6 0 8 0 filepl 152 33524 0 33262 86 71 15 21 0 8 4 lockfpl 104 1443 0 1437 4 3 1 2 0 8 0 lockfspl 48 564 0 560 1 0 1 1 0 8 0 sessionpl 144 165 0 156 1 0 1 1 0 8 0 pgrppl 48 390 0 373 1 0 1 1 0 8 0 ucredpl 104 5890 0 5874 1 0 1 1 0 8 0 zombiepl 144 5071 0 5071 4 3 1 1 0 8 1 processpl 1160 5142 0 5071 6 0 6 6 0 8 0 procpl 648 10367 0 10285 9 1 8 9 0 8 0 srpgc 96 30 0 30 8 8 0 1 0 8 0 sosppl 168 19 0 19 10 10 0 1 0 8 0 sockpl 664 9826 0 9789 130 122 8 21 0 8 4 mcl64k 65536 6 0 0 1 0 1 1 0 8 0 mcl16k 16384 5 0 0 1 0 1 1 0 8 0 mcl12k 12288 2 0 0 1 0 1 1 0 8 0 mcl9k 9216 1 0 0 1 0 1 1 0 8 0 mcl8k 8192 8 0 0 1 0 1 1 0 8 0 mcl4k 4096 3 0 0 1 0 1 1 0 8 0 mcl2k2 2112 1 0 0 1 0 1 1 0 8 0 mcl2k 2048 343 0 0 29 3 26 29 0 8 0 mtagpl 96 16 0 0 1 0 1 1 0 8 0 mbufpl 256 4447 0 0 277 0 277 277 0 8 0 bufpl 280 16444 0 8563 563 0 563 563 0 8 0 anonpl 24 708391 0 702548 304 224 80 99 0 185 25 amapchunkpl 152 134522 0 133931 150 112 38 47 0 158 14 amappl16 200 12147 0 12054 110 100 10 28 0 8 1 amappl15 192 17 0 17 1 1 0 1 0 8 0 amappl14 184 405 0 393 1 0 1 1 0 8 0 amappl13 176 9 0 9 3 3 0 1 0 8 0 amappl12 168 8010 0 7979 4 2 2 3 0 8 0 amappl11 160 58 0 44 1 0 1 1 0 8 0 amappl10 152 12 0 12 1 1 0 1 0 8 0 amappl9 144 141 0 141 1 1 0 1 0 8 0 amappl8 136 19 0 16 1 0 1 1 0 8 0 amappl7 128 400 0 386 1 0 1 1 0 8 0 amappl6 120 1590 0 1588 1 0 1 1 0 8 0 amappl5 112 713 0 701 1 0 1 1 0 8 0 amappl4 104 755 0 735 1 0 1 1 0 8 0 amappl3 96 26302 0 26178 4 0 4 4 0 8 0 amappl2 88 2623 0 2556 2 0 2 2 0 8 0 amappl1 80 31320 0 30735 20 6 14 14 0 8 0 amappl 88 40180 0 39989 5 0 5 5 0 92 0 dma16384 16384 1 0 1 1 1 0 1 0 8 0 dma8192 8192 2 0 2 2 2 0 1 0 8 0 dma4096 4096 2 0 2 2 2 0 1 0 8 0 dma1024 1024 2 0 1 1 0 1 1 0 8 0 dma512 512 1 0 1 1 1 0 1 0 8 0 dma256 256 9 0 9 3 3 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 21 0 20 1 0 1 1 0 8 0 aobjpl 72 137 0 7 3 0 3 3 0 8 0 uaddrrnd 24 5142 0 5087 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 5142 0 5087 1 0 1 1 0 8 0 vmmpekpl 168 43191 0 43140 3 0 3 3 0 8 0 vmmpepl 168 321402 0 319408 182 90 92 108 0 357 2 vmsppl 440 5141 0 5087 10 3 7 7 0 8 0 rwobjpl 56 91787 0 82735 144 16 128 130 0 8 0 pdppl 4096 10291 0 10198 301 202 99 99 0 8 6 pvpl 32 44054 0 0 356 1 355 355 0 265 0 pmappl 248 5141 0 5087 4 0 4 4 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 1078 0 398 21 1 20 20 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace proc_trampoline() at proc_trampoline+0xc7 end of kernel end trace frame: 0x7be27f08ca90, count: -1 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffff800029b7bff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 x86_bus_space_io_write_1(3f8,0,65) at x86_bus_space_io_write_1+0x40 sys/arch/amd64/amd64/bus_space.c:774 comcnputc(800,65) at comcnputc+0x1ab bus_space_barrier machine/bus.h:481 [inline] comcnputc(800,65) at comcnputc+0x1ab sys/dev/ic/com.c:1263 cnputc(65) at cnputc+0x61 sys/dev/cons.c:218 db_putchar(65) at db_putchar+0x65c sys/ddb/db_output.c:155 kprintf() at kprintf+0x2aba sys/kern/subr_prf.c:1065 db_printf(ffffffff8308d869) at db_printf+0x9b fault(ffffffff8303b640) at fault+0xa7 sys/arch/amd64/amd64/trap.c:157 kpageflttrap(ffff80002a12f790,2b0) at kpageflttrap+0x385 sys/arch/amd64/amd64/trap.c:290 kerntrap(ffff80002a12f790) at kerntrap+0x14a sys/arch/amd64/amd64/trap.c:332 alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b vm_terminate(ffff80002a12fae0) at vm_terminate+0xb0 sys/dev/vmm/vmm.c:674 end trace frame: 0xffff80002a12f910, count: 0 ddb{1}> trace x86_ipi_db(ffff800029b7bff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 x86_bus_space_io_write_1(3f8,0,65) at x86_bus_space_io_write_1+0x40 sys/arch/amd64/amd64/bus_space.c:774 comcnputc(800,65) at comcnputc+0x1ab bus_space_barrier machine/bus.h:481 [inline] comcnputc(800,65) at comcnputc+0x1ab sys/dev/ic/com.c:1263 cnputc(65) at cnputc+0x61 sys/dev/cons.c:218 db_putchar(65) at db_putchar+0x65c sys/ddb/db_output.c:155 kprintf() at kprintf+0x2aba sys/kern/subr_prf.c:1065 db_printf(ffffffff8308d869) at db_printf+0x9b fault(ffffffff8303b640) at fault+0xa7 sys/arch/amd64/amd64/trap.c:157 kpageflttrap(ffff80002a12f790,2b0) at kpageflttrap+0x385 sys/arch/amd64/amd64/trap.c:290 kerntrap(ffff80002a12f790) at kerntrap+0x14a sys/arch/amd64/amd64/trap.c:332 alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b vm_terminate(ffff80002a12fae0) at vm_terminate+0xb0 sys/dev/vmm/vmm.c:674 vmmioctl(a00,80045604,ffff80002a12fae0,81,ffff8000ffff36e8) at vmmioctl+0x3c5 sys/dev/vmm/vmm.c:248 VOP_IOCTL(fffffd806dca61b8,80045604,ffff80002a12fae0,81,fffffd807f7d34e0,ffff8000ffff36e8) at VOP_IOCTL+0xac sys/kern/vfs_vops.c:264 vn_ioctl(fffffd807b604260,80045604,ffff80002a12fae0,ffff8000ffff36e8) at vn_ioctl+0xf6 sys/kern/vfs_vnops.c:525 sys_ioctl(ffff8000ffff36e8,ffff80002a12fcc0,ffff80002a12fc10) at sys_ioctl+0x67c syscall(ffff80002a12fcc0) at syscall+0xbb6 mi_syscall sys/sys/syscall_mi.h:179 [inline] syscall(ffff80002a12fcc0) at syscall+0xbb6 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x974836277b0, count: -20