uvm_fault(0xfffffd800b0275b8, 0x0, 0, 1) -> e fatal page fault in supervisor mode trap type 6 code 0 rip ffffffff82a8eed8 cs 8 rflags 10207 cr2 0 cpl 0 rsp ffff80003c421f40 gsbase 0xffff8000299edff0 kgsbase 0x0 panic: trap type 6, code=0, pc=ffffffff82a8eed8 Starting stack trace... panic(ffffffff833a159c) at panic+0x1d0 sys/kern/subr_prf.c:229 kerntrap(ffff80003c421e90) at kerntrap+0x30b alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b dt_ioctl_record_stop(ffff800001609000) at dt_ioctl_record_stop+0x108 sys/dev/dt/dt_dev.c:586 dtclose(21e5f,81,2000,ffff800038bfca88) at dtclose+0x109 dt_pcb_purge sys/dev/dt/dt_dev.c:-1 [inline] dtclose(21e5f,81,2000,ffff800038bfca88) at dtclose+0x109 sys/dev/dt/dt_dev.c:232 spec_close(ffff80003c422040) at spec_close+0x466 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd806bfcec18,81,fffffd80097fb5b0,ffff800038bfca88) at VOP_CLOSE+0x132 sys/kern/vfs_vops.c:156 vn_closefile(fffffd806b977678,ffff800038bfca88) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd806b977678,ffff800038bfca88) at vn_closefile+0x12b sys/kern/vfs_vnops.c:615 fdrop(fffffd806b977678,ffff800038bfca88) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd806b977678,ffff800038bfca88) at closef+0x192 sys/kern/kern_descrip.c:1264 fdfree(ffff800038bfca88) at fdfree+0x116 sys/kern/kern_descrip.c:1195 exit1(ffff800038bfca88,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff800038bfca88,ffff80003c4223b0,ffff80003c422300) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c4223b0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c4223b0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:746 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7d4180300fa0, count: 242 End of stack trace. WARNING: SPL NOT LOWERED ON SYSCALL 4 248 EXIT 0 4 Stopped at savectx+0xae: movl $0,%gs:0x688 TID PID UID PRFLAGS PFLAGS CPU COMMAND *229159 11459 0 0x2 0 1 syz-executor 55265 4677 0 0x14000 0x200 0 reaper savectx() at savectx+0xae end of kernel end trace frame: 0x73512c0e18d0, count: 14 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic *cpu1: uvm_fault(0xfffffd800b0275b8, 0x0, 0, 1) -> e ddb{1}> trace savectx() at savectx+0xae end of kernel end trace frame: 0x73512c0e18d0, count: -1 ddb{1}> show registers rdi 0 rsi 0 rbp 0xffff800039c180c0 rbx 0 rdx 0 rcx 0xffff8000fffe8d18 rax 0x33 r8 0xffff800039c17ff0 r9 0x1 r10 0xb575767cd996839b r11 0xb1569e7417f4b839 r12 0 r13 0 r14 0xffff8000fffe8d18 r15 0 rip 0xffffffff81be33ee savectx+0xae cs 0x8 rflags 0x46 rsp 0xffff800039c18040 ss 0x10 savectx+0xae: movl $0,%gs:0x688 ddb{1}> show proc PROC (syz-executor) tid=229159 pid=11459 tcnt=1 stat=onproc flags process=2 proc=0 runpri=50, usrpri=50, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff8000fffe8020,0xffff80002a2714e8 process=0xffff8000ffff3030 user=0xffff800039c13000, vmspace=0xfffffd806ef4a008 estcpu=36, cpticks=29, pctcpu=0.14, user=0, sys=19, intr=10 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 60400 195650 84459 0 2 0xc80 syz-executor 60400 294447 84459 0 3 0x4000080 sbwait syz-executor 80483 238603 86570 0 2 0x81000 syz-executor 80483 259934 86570 0 2 0x4081000 syz-executor 80483 343487 86570 0 2 0x4081000 syz-executor 80483 98499 86570 0 2 0x4081000 syz-executor 80483 493834 86570 0 3 0x4003000 suspend syz-executor 84459 35472 68742 0 2 0xc82 syz-executor *11459 229159 68742 0 7 0x2 syz-executor 97211 188935 23901 0 3 0x82 sbwait sshd-session 42684 216002 68742 0 2 0x2 syz-executor 59814 146977 68742 0 3 0x82 wait syz-executor 66008 360089 0 0 3 0x14200 bored sosplice 11463 273024 0 0 3 0x14200 acct acct 86570 475632 68742 0 3 0x82 wait syz-executor 11006 178884 68742 0 3 0x82 nanoslp syz-executor 40838 212499 68742 0 2 0xc82 syz-executor 72994 182765 68742 0 3 0x82 nanoslp syz-executor 68742 407140 21469 0 2 0x2 syz-executor 21469 468905 17821 0 3 0x10008a sigsusp ksh 17821 124532 68195 0 3 0x98 kqread sshd-session 68195 323974 23901 0 3 0x92 kqread sshd-session 93143 262080 1 0 3 0x100083 ttyopn getty 23901 415191 1 0 3 0x88 kqread sshd 99313 475393 9193 74 3 0x1100092 bpf pflogd 9193 480142 1 0 3 0x80 sbwait pflogd 4033 322383 38054 73 3 0x1100090 kqread syslogd 38054 189462 1 0 3 0x100082 sbwait syslogd 23703 236300 1 0 3 0x100080 kqread resolvd 93028 238146 80542 77 3 0x100092 kqread dhcpleased 82467 1293 80542 77 3 0x100092 kqread dhcpleased 80542 369423 1 0 3 0x80 kqread dhcpleased 22264 163050 0 0 2 0x40014200 smr 79441 27345 0 0 2 0x14200 zerothread 24417 176481 0 0 3 0x14200 aiodoned aiodoned 50360 328641 0 0 3 0x14200 syncer update 46632 391942 0 0 3 0x14200 cleaner cleaner 4677 55265 0 0 7 0x14200 reaper 60221 477633 0 0 3 0x14200 pgdaemon pagedaemon 45335 462644 0 0 3 0x14200 bored viomb 17807 412834 0 0 3 0x40014200 acpi0 acpi0 32054 53052 0 0 3 0x40014200 idle1 88668 234302 0 0 3 0x14200 bored softnet1 58971 373791 0 0 3 0x14200 bored softnet0 33952 74420 0 0 2 0x40014200 systqmp 62401 72912 0 0 3 0x14200 bored systq 69064 188839 0 0 3 0x14200 tmoslp softclockmp 51084 290124 0 0 3 0x40014200 tmoslp softclock 80665 235824 0 0 3 0x40014200 idle0 1 222382 0 0 3 0x82 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb{1}> show all locks CPU 0: exclusive mutex &(curpg)->mdpage.pv_mtx r = 0 (0xfffffd80048c8100) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 mtx_enter_try+0x1ad sys/kern/kern_lock.c:311 #2 mtx_enter+0x62 sys/kern/kern_lock.c:261 #3 pmap_remove_ptes+0x29f pmap_remove_pv sys/arch/amd64/amd64/pmap.c:-1 [inline] #3 pmap_remove_ptes+0x29f sys/arch/amd64/amd64/pmap.c:1711 #4 pmap_do_remove+0x589 sys/arch/amd64/amd64/pmap.c:1920 #5 uvm_unmap_kill_entry_withlock+0x269 sys/uvm/uvm_map.c:1863 #6 uvm_map_teardown+0x117 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:-1 [inline] #6 uvm_map_teardown+0x117 sys/uvm/uvm_map.c:2486 #7 exit1+0x6fc sys/kern/kern_exit.c:260 #8 sys_exit+0x1a sys/kern/kern_exit.c:-1 #9 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] #9 syscall+0xb17 sys/arch/amd64/amd64/trap.c:746 #10 Xsyscall+0x128 exclusive mutex &pmap->pm_mtx r = 0 (0xfffffd806b312a10) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 mtx_enter_try+0x1ad sys/kern/kern_lock.c:311 #2 mtx_enter+0x62 sys/kern/kern_lock.c:261 #3 pmap_do_remove+0xa9 rcr3 sys/arch/amd64/compile/SYZKALLER/obj/machine/cpufunc.h:139 [inline] #3 pmap_do_remove+0xa9 pmap_map_ptes sys/arch/amd64/amd64/pmap.c:437 [inline] #3 pmap_do_remove+0xa9 sys/arch/amd64/amd64/pmap.c:1824 #4 uvm_unmap_kill_entry_withlock+0x269 sys/uvm/uvm_map.c:1863 #5 uvm_map_teardown+0x117 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:-1 [inline] #5 uvm_map_teardown+0x117 sys/uvm/uvm_map.c:2486 #6 exit1+0x6fc sys/kern/kern_exit.c:260 #7 sys_exit+0x1a sys/kern/kern_exit.c:-1 #8 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] #8 syscall+0xb17 sys/arch/amd64/amd64/trap.c:746 #9 Xsyscall+0x128 Process 42684 (syz-executor) thread 0xffff800038bfd250 (216002) ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10254 11167K 12429K 166960K 13324 0 pcb 19 14K 14K 166960K 231 0 rtable 170 8K 8K 166960K 499 0 pf 39 18K 67487K 166960K 223 0 ifaddr 34 6K 7K 166960K 128 0 ifgroup 56 2K 2K 166960K 222 0 sysctl 4 1K 9K 166960K 21 0 counters 68 36K 38K 166960K 280 0 ioctlops 0 0K 4K 166960K 1786 0 iov 0 0K 16K 166960K 61 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1567 99K 99K 166960K 3059 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 5K 166960K 18 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 45 0 dirhash 12 2K 2K 166960K 15 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 15 53K 240K 166960K 1345 0 sigio 0 0K 0K 166960K 23 0 proc 72 115K 180K 166960K 802 0 subproc 72 4K 4K 166960K 109 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 206 0 in_multi 62 4K 7K 166960K 194 0 ether_multi 1 0K 0K 166960K 16 0 mrt 2 0K 0K 166960K 12 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 223 996K 996K 166960K 223 0 exec 0 0K 1K 166960K 654 0 fusefs mount 1 32K 32K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 238 164K 175K 166960K 13672 0 UVM aobj 90 3K 3K 166960K 92 0 pinsyscall 42 84K 102K 166960K 2566 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 56 0 NDP 12 0K 2K 166960K 91 0 temp 71 8653K 8728K 166960K 52400 0 kqueue 13 20K 31K 166960K 279 0 SYN cache 2 8K 16K 166960K 3 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 120 105 0 101 1 0 1 1 0 8 0 rtentry 176 173 0 107 5 0 5 5 0 8 0 unpcb 144 807 0 788 7 5 2 6 0 8 1 syncache 336 9 0 9 3 3 0 1 0 8 0 tcpqe 32 4 0 4 1 1 0 1 0 8 0 tcpcb 736 361 0 352 9 7 2 7 0 8 0 arp 136 21 0 13 1 0 1 1 0 8 0 inpcb 328 1295 0 1280 13 6 7 7 0 8 5 nd6 152 28 0 19 1 0 1 1 0 8 0 pkpcb 40 4 0 4 1 1 0 1 0 8 0 kcovpl 48 12 0 4 1 0 1 1 0 8 0 ppxss 1192 82 0 82 1 0 1 1 0 8 1 pppxif 1504 8 0 8 4 3 1 1 0 8 1 pfstscr 40 2 0 2 1 1 0 1 0 8 0 pffrag 232 8 0 1 1 0 1 1 0 482 0 pffrnode 88 6 0 0 1 0 1 1 0 8 0 pffrent 40 15 0 8 1 0 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfrktable 1344 4 0 4 1 1 0 1 0 8 0 pfanchor 1288 3 0 1 2 1 1 1 0 8 0 pftag 88 1 0 0 1 0 1 1 0 8 0 pfqueue 320 1 0 1 1 0 1 1 0 8 1 pfstitem 24 102 0 33 1 0 1 1 0 8 0 pfstkey 128 106 0 38 3 0 3 3 0 8 0 pfstate 384 105 0 36 8 0 8 8 0 8 0 pfrule 1344 34 0 28 2 1 1 2 0 8 0 rttmr 136 2 0 2 2 2 0 1 0 8 0 art_heap8 4096 2 0 0 2 0 2 2 0 8 0 art_heap4 256 740 0 434 30 10 20 28 0 8 0 art_table 40 742 0 434 5 0 5 5 0 8 0 art_node 32 172 0 116 1 0 1 1 0 8 0 sysvmsgpl 40 44 0 39 1 0 1 1 0 8 0 semupl 112 2 0 2 2 2 0 1 0 8 0 semapl 112 40 0 30 1 0 1 1 0 8 0 shmpl 112 89 0 2 3 0 3 3 0 8 0 dirhash 1024 19 0 2 3 0 3 3 0 8 0 dino2pl 256 3944 0 2435 95 0 95 95 0 8 0 ffsino 296 3944 0 2435 117 0 117 117 0 8 0 nchpl 144 5767 0 4064 64 0 64 64 0 8 0 rtmask 32 6 0 6 2 1 1 1 0 8 1 uvmvnodes 80 5083 0 0 104 0 104 104 0 8 0 vnodes 216 5083 0 0 283 0 283 283 0 8 0 namei 1024 20408 0 20407 3 2 1 2 0 8 0 percpumem 16 155 0 106 1 0 1 1 0 8 0 pfiaddrpl 120 1 0 1 1 1 0 1 0 8 0 kstatmem 264 134 0 106 3 0 3 3 0 8 0 scsiplug 72 4 0 4 2 2 0 1 0 8 0 scxspl 216 40226 0 40226 8 5 3 4 1 8 3 plimitpl 152 439 0 420 1 0 1 1 0 8 0 sigapl 424 1633 0 1584 8 2 6 7 0 8 0 knotepl 120 547 0 0 17 0 17 17 0 8 0 kqueuepl 224 676 0 667 8 7 1 5 0 8 0 pipepl 344 305 0 276 6 3 3 6 0 8 0 fdescpl 528 1608 0 1578 3 0 3 3 0 8 0 filepl 160 10971 0 10736 26 12 14 20 0 8 3 lockfpl 104 799 0 797 4 3 1 4 0 8 0 lockfspl 48 350 0 348 2 1 1 2 0 8 0 sessionpl 144 31 0 21 1 0 1 1 0 8 0 pgrppl 48 92 0 74 1 0 1 1 0 8 0 ucredpl 104 2088 0 2075 1 0 1 1 0 8 0 zombiepl 144 1588 0 1584 1 0 1 1 0 8 0 processpl 1232 1633 0 1584 6 1 5 5 0 8 0 procpl 664 3628 0 3573 6 0 6 6 0 8 0 sosppl 168 1 0 1 1 0 1 1 0 8 1 sockpl 752 2235 0 2197 21 10 11 15 0 8 6 mcl64k 65536 17 0 0 3 0 3 3 0 8 0 mcl9k 9216 1 0 0 1 0 1 1 0 8 0 mcl8k 8192 3 0 0 1 0 1 1 0 8 0 mcl4k 4096 115 0 0 15 0 15 15 0 8 0 mcl2k 2048 28 0 0 4 0 4 4 0 8 0 mtagpl 96 3 0 0 1 0 1 1 0 8 0 mbufpl 256 1139 0 0 72 0 72 72 0 8 0 bufpl 280 16316 0 10173 439 0 439 439 0 8 0 anonpl 32 10909 0 0 88 0 88 88 0 246 0 amapchunkpl 152 45876 0 45400 45 16 29 32 0 158 5 amappl16 200 5919 0 5648 43 23 20 24 0 8 0 amappl15 192 4 0 4 1 1 0 1 0 8 0 amappl14 184 136 0 122 1 0 1 1 0 8 0 amappl13 176 12 0 12 2 2 0 1 0 8 0 amappl12 168 2339 0 2309 4 1 3 3 0 8 0 amappl11 160 54 0 40 1 0 1 1 0 8 0 amappl10 152 7 0 6 1 0 1 1 0 8 0 amappl9 144 249 0 249 1 1 0 1 0 8 0 amappl8 136 23 0 21 1 0 1 1 0 8 0 amappl7 128 125 0 111 1 0 1 1 0 8 0 amappl6 120 241 0 237 1 0 1 1 0 8 0 amappl5 112 138 0 128 1 0 1 1 0 8 0 amappl4 104 330 0 311 1 0 1 1 0 8 0 amappl3 96 8025 0 7930 4 1 3 3 0 8 0 amappl2 88 1888 0 1806 2 0 2 2 0 8 0 amappl1 80 14689 0 14001 18 2 16 16 0 8 0 amappl 88 12697 0 12539 5 0 5 5 0 92 0 dma32768 32768 1 0 1 1 1 0 1 0 8 0 dma16384 16384 1 0 1 1 1 0 1 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma2048 2048 65 0 65 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 254 0 254 2 2 0 1 0 8 0 dma64 64 8 0 8 2 2 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 19 0 18 1 0 1 1 0 8 0 aobjpl 72 91 0 2 2 0 2 2 0 8 0 uaddrrnd 24 1608 0 1578 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 1608 0 1578 1 0 1 1 0 8 0 vmmpekpl 168 13955 0 13892 4 0 4 4 0 8 0 vmmpepl 168 107718 0 105432 120 8 112 112 0 357 1 vmsppl 488 1607 0 1577 6 1 5 5 0 8 0 rwobjpl 80 35512 0 29062 133 0 133 133 0 8 0 pdppl 4096 3224 0 3154 114 40 74 86 0 8 4 pvpl 32 20555 0 0 167 2 165 165 0 265 0 pmappl 256 1607 0 1577 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 363 0 67 9 0 9 9 0 8 0 ddb{1}> machine ddbcpu 0 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffffffff83856ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 uvm_unmap_remove(ffffffff83991b48,ffff80003c447000,ffff80003c44d000,ffffffff83991b48,98eb472b186b909e,ffff80003c447000,ffff80003c44d000) at uvm_unmap_remove+0xb sys/uvm/uvm_map.c:1938 km_free(ffff80003c447000,6000,ffffffff835acef0,ffffffff83704130) at km_free+0x87 sys/uvm/uvm_km.c:831 uvm_uarea_free(ffff800038bfcd20) at uvm_uarea_free+0x4f sys/uvm/uvm_glue.c:304 reaper(ffff8000ffffd9f8) at reaper+0x1aa sys/kern/kern_exit.c:493 end trace frame: 0x0, count: 8 ddb{0}> trace x86_ipi_db(ffffffff83856ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 uvm_unmap_remove(ffffffff83991b48,ffff80003c447000,ffff80003c44d000,ffffffff83991b48,98eb472b186b909e,ffff80003c447000,ffff80003c44d000) at uvm_unmap_remove+0xb sys/uvm/uvm_map.c:1938 km_free(ffff80003c447000,6000,ffffffff835acef0,ffffffff83704130) at km_free+0x87 sys/uvm/uvm_km.c:831 uvm_uarea_free(ffff800038bfcd20) at uvm_uarea_free+0x4f sys/uvm/uvm_glue.c:304 reaper(ffff8000ffffd9f8) at reaper+0x1aa sys/kern/kern_exit.c:493 end trace frame: 0x0, count: -7 ddb{0}> machine ddbcpu 1 Stopped at savectx+0xae: movl $0,%gs:0x688 savectx() at savectx+0xae end of kernel end trace frame: 0x73512c0e18d0, count: 14 ddb{1}> trace savectx() at savectx+0xae end of kernel end trace frame: 0x73512c0e18d0, count: -1