panic: vrele: v_writecount != 0
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*476255 31874 32767 0x10 0x4000000 0K syz-executor.0
34694 12034 73 0x100010 0x80 1 syslogd
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff82460f22) at panic+0x15e sys/kern/subr_prf.c:218
vrele(fffffd80665abe18) at vrele+0x197 sys/kern/vfs_subr.c:803
ptmioctl(5100,40287401,ffff8000234b0540,3,ffff8000ffff57a0) at ptmioctl+0x5b9 sys/kern/tty_pty.c:1225
VOP_IOCTL(fffffd806e89f2f0,40287401,ffff8000234b0540,3,fffffd807f7b79c0,ffff8000ffff57a0) at VOP_IOCTL+0x9a sys/kern/vfs_vops.c:297
vn_ioctl(fffffd8066befb48,40287401,ffff8000234b0540,ffff8000ffff57a0) at vn_ioctl+0xba sys/kern/vfs_vnops.c:531
sys_ioctl(ffff8000ffff57a0,ffff8000234b0650,ffff8000234b06a0) at sys_ioctl+0x4b0
syscall(ffff8000234b0720) at syscall+0x4a1 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff8000234b0720) at syscall+0x4a1 sys/arch/amd64/amd64/trap.c:590
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x1518191ef30, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
vrele: v_writecount != 0
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff82460f22) at panic+0x15e sys/kern/subr_prf.c:218
vrele(fffffd80665abe18) at vrele+0x197 sys/kern/vfs_subr.c:803
ptmioctl(5100,40287401,ffff8000234b0540,3,ffff8000ffff57a0) at ptmioctl+0x5b9 sys/kern/tty_pty.c:1225
VOP_IOCTL(fffffd806e89f2f0,40287401,ffff8000234b0540,3,fffffd807f7b79c0,ffff8000ffff57a0) at VOP_IOCTL+0x9a sys/kern/vfs_vops.c:297
vn_ioctl(fffffd8066befb48,40287401,ffff8000234b0540,ffff8000ffff57a0) at vn_ioctl+0xba sys/kern/vfs_vnops.c:531
sys_ioctl(ffff8000ffff57a0,ffff8000234b0650,ffff8000234b06a0) at sys_ioctl+0x4b0
syscall(ffff8000234b0720) at syscall+0x4a1 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff8000234b0720) at syscall+0x4a1 sys/arch/amd64/amd64/trap.c:590
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x1518191ef30, count: -9
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff8000234aff80
rbx 0xffff8000234aff90
rdx 0x8b
rcx 0x2
rax 0x1
r8 0xffffffff81ea78f5 kprintf+0x145
r9 0x1
r10 0x4e733c760fad166e
r11 0x8e747ca00b5c6eb4
r12 0x3000000008
r13 0xffff8000234b0030
r14 0x100
r15 0x1
rip 0xffffffff8184d248 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff8000234aff70
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor.0) pid=476255 stat=onproc
flags process=10<SUGID> proc=4000000<THREAD>
pri=66, usrpri=66, nice=20
forw=0xffffffffffffffff, list=0xffff8000ffff4fc0,0xffff8000ffff42b0
process=0xffff8000ffff3b30 user=0xffff8000234ab000, vmspace=0xfffffd807effaa10
estcpu=16, cpticks=2, pctcpu=0.0
user=0, sys=2, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
31874 497902 38994 32767 2 0x10 syz-executor.0
*31874 476255 38994 32767 7 0x4000010 syz-executor.0
31874 320403 38994 32767 2 0x4000010 syz-executor.0
31874 247549 38994 32767 3 0x4000090 poll syz-executor.0
49984 308582 49864 32767 3 0x90 piperd syz-executor.1
38994 84797 3011 32767 2 0x490 syz-executor.0
49864 159321 38172 0 3 0x82 wait syz-executor.1
3011 463136 38172 0 3 0x82 wait syz-executor.0
38172 193956 17140 0 3 0x82 thrsleep syz-fuzzer
38172 476362 17140 0 3 0x4000082 thrsleep syz-fuzzer
38172 301063 17140 0 3 0x4000082 kqread syz-fuzzer
38172 119080 17140 0 3 0x4000082 thrsleep syz-fuzzer
38172 22879 17140 0 3 0x4000082 thrsleep syz-fuzzer
38172 292929 17140 0 3 0x4000082 thrsleep syz-fuzzer
38172 227940 17140 0 3 0x4000082 thrsleep syz-fuzzer
38172 157400 17140 0 3 0x4000082 thrsleep syz-fuzzer
17140 249782 72039 0 3 0x10008a sigsusp ksh
72039 255202 73795 0 3 0x92 select sshd
23886 325305 1 0 3 0x100083 ttyin getty
73795 325170 1 0 3 0x80 select sshd
12034 34694 66466 73 7 0x100090 syslogd
66466 154607 1 0 3 0x100082 netio syslogd
2322 150609 1 77 3 0x100090 poll dhclient
85782 204200 1 0 3 0x80 poll dhclient
32939 187508 0 0 3 0x14200 bored smr
9828 381627 0 0 2 0x14200 zerothread
41643 509575 0 0 3 0x14200 aiodoned aiodoned
3919 496709 0 0 3 0x14200 syncer update
68768 324371 0 0 3 0x14200 cleaner cleaner
20418 467270 0 0 3 0x14200 reaper reaper
62658 127211 0 0 3 0x14200 pgdaemon pagedaemon
82261 358671 0 0 3 0x14200 bored crynlk
96848 496457 0 0 3 0x14200 bored crypto
33507 86192 0 0 3 0x14200 bored viomb
64299 406446 0 0 3 0x40014200 acpi0 acpi0
84302 385511 0 0 3 0x40014200 idle1
86229 49897 0 0 3 0x14200 bored softnet
2643 487702 0 0 3 0x14200 bored systqmp
31623 257048 0 0 3 0x14200 bored systq
5958 40111 0 0 3 0x40014200 bored softclock
7373 229782 0 0 3 0x40014200 idle0
1 103241 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
Process 31874 (syz-executor.0) thread 0xffff8000ffff57a0 (476255)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff828cdd98)
#0 witness_lock+0x4b0 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0 witness_lock+0x4b0 sys/kern/subr_witness.c:1182
#1 vn_ioctl+0x40 sys/kern/vfs_vnops.c:514
#2 sys_ioctl+0x4b0
#3 syscall+0x4a1 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#3 syscall+0x4a1 sys/arch/amd64/amd64/trap.c:590
#4 Xsyscall+0x128
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 9478 6349K 6349K 78643K 10568 0
pcb 13 8K 8K 78643K 13 0
rtable 105 3K 3K 78643K 189 0
ifaddr 39 10K 10K 78643K 39 0
counters 44 34K 34K 78643K 44 0
ioctlops 0 0K 2K 78643K 15 0
iov 0 0K 0K 78643K 2 0
mount 1 1K 1K 78643K 1 0
vnodes 1216 76K 76K 78643K 1233 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 1K 78643K 2 0
VM map 2 1K 1K 78643K 2 0
sem 10 1K 1K 78643K 12 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12598 0
file desc 7 21K 33K 78643K 189 0
proc 48 50K 70K 78643K 369 0
subproc 34 2K 2K 78643K 34 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
ip_moptions 0 0K 0K 78643K 7 0
in_multi 33 2K 2K 78643K 35 0
ether_multi 1 0K 0K 78643K 1 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 37 175K 175K 78643K 37 0
exec 0 0K 2K 78643K 319 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 7 26K 26K 78643K 7 0
UVM amap 157 27K 27K 78643K 1147 0
UVM aobj 3 2K 2K 78643K 3 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
NDP 5 0K 0K 78643K 9 0
temp 71 3974K 4038K 78643K 2130 0
kqueue 3 4K 4K 78643K 3 0
SYN cache 2 16K 16K 78643K 2 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp 64 6 0 0 1 0 1 1 0 8 0
plcache 128 20 0 0 1 0 1 1 0 8 0
rtpcb 120 19 0 17 1 0 1 1 0 8 0
rtentry 112 45 0 1 2 0 2 2 0 8 0
unpcb 120 78 0 70 1 0 1 1 0 8 0
syncache 296 4 0 4 1 1 0 1 0 8 0
tcpqe 32 680 0 680 3 2 1 2 0 8 1
tcpcb 736 30 0 26 2 0 2 2 0 8 1
inpcb 304 64 0 57 1 0 1 1 0 8 0
nd6 48 6 0 0 1 0 1 1 0 8 0
kcovpl 48 2 0 0 1 0 1 1 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 189 0 0 12 0 12 12 0 8 0
art_table 32 190 0 0 2 0 2 2 0 8 0
art_node 16 44 0 4 1 0 1 1 0 8 0
sysvmsgpl 40 10 0 4 1 0 1 1 0 8 0
semupl 112 2 0 2 1 1 0 1 0 8 0
semapl 112 8 0 0 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 1589 0 193 88 0 88 88 0 8 0
ffsino 272 1589 0 193 94 0 94 94 0 8 0
nchpl 144 1974 0 377 60 0 60 60 0 8 0
uvmvnodes 72 1632 0 0 30 0 30 30 0 8 0
vnodes 224 1632 0 0 96 0 96 96 0 8 0
namei 1024 4835 0 4835 2 1 1 1 0 8 1
percpumem 16 33 0 0 1 0 1 1 0 8 0
scxspl 216 6200 0 6200 9 8 1 8 0 8 1
plimitpl 152 23 0 13 1 0 1 1 0 8 0
sigapl 424 377 0 345 4 0 4 4 0 8 0
futexpl 56 1512 0 1512 1 0 1 1 0 8 1
knotepl 112 62 0 42 1 0 1 1 0 8 0
kqueuepl 168 174 0 172 1 0 1 1 0 8 0
pipepl 336 74 0 63 2 1 1 2 0 8 0
fdescpl 496 361 0 345 3 0 3 3 0 8 0
filepl 152 1556 0 1452 6 1 5 5 0 8 0
lockfpl 104 17 0 16 1 0 1 1 0 8 0
lockfspl 48 9 0 8 1 0 1 1 0 8 0
sessionpl 144 17 0 7 1 0 1 1 0 8 0
pgrppl 48 17 0 7 1 0 1 1 0 8 0
ucredpl 96 165 0 156 1 0 1 1 0 8 0
zombiepl 144 345 0 345 2 1 1 1 0 8 1
processpl 1080 377 0 345 5 2 3 3 0 8 0
procpl 672 594 0 552 4 0 4 4 0 8 0
sockpl 432 161 0 144 4 1 3 3 0 8 1
mcl64k 65536 4 0 0 1 0 1 1 0 8 0
mcl12k 12288 4 0 0 1 0 1 1 0 8 0
mcl8k 8192 2 0 0 1 0 1 1 0 8 0
mcl4k 4096 4 0 0 1 0 1 1 0 8 0
mcl2k 2048 267 0 0 33 0 33 33 0 8 0
mtagpl 96 1 0 0 1 0 1 1 0 8 0
mbufpl 256 281 0 0 18 0 18 18 0 8 0
bufpl 280 3674 0 173 251 0 251 251 0 8 0
anonpl 24 55473 0 30911 152 2 150 150 0 186 1
amapchunkpl 152 2056 0 1445 27 2 25 26 0 158 0
amappl16 200 1408 0 466 51 0 51 51 0 8 1
amappl15 192 2 0 1 1 0 1 1 0 8 0
amappl14 184 21 0 18 1 0 1 1 0 8 0
amappl13 176 29 0 26 1 0 1 1 0 8 0
amappl12 168 60 0 53 1 0 1 1 0 8 0
amappl11 160 47 0 36 1 0 1 1 0 8 0
amappl10 152 115 0 110 1 0 1 1 0 8 0
amappl9 144 17 0 15 1 0 1 1 0 8 0
amappl8 136 118 0 87 2 0 2 2 0 8 0
amappl7 128 215 0 208 1 0 1 1 0 8 0
amappl6 120 164 0 150 1 0 1 1 0 8 0
amappl5 112 1035 0 1017 1 0 1 1 0 8 0
amappl4 104 302 0 276 1 0 1 1 0 8 0
amappl3 96 129 0 121 1 0 1 1 0 8 0
amappl2 88 2111 0 2045 3 1 2 3 0 8 0
amappl1 80 18655 0 18162 25 14 11 20 0 8 0
amappl 88 889 0 775 3 0 3 3 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 64 2 0 0 1 0 1 1 0 8 0
uaddrrnd 24 361 0 345 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 361 0 345 1 0 1 1 0 8 0
vmmpekpl 168 6491 0 6464 2 0 2 2 0 8 0
vmmpepl 168 54835 0 52534 146 15 131 139 0 357 29
vmsppl 368 360 0 345 2 0 2 2 0 8 0
rwobjpl 56 14028 0 12359 30 6 24 25 0 8 0
pdppl 4096 729 0 690 60 19 41 45 0 8 2
pvpl 32 186799 0 159127 231 1 230 230 0 265 4
pmappl 232 360 0 345 2 1 1 2 0 8 0
extentpl 40 58 0 40 1 0 1 1 0 8 0
phpool 112 323 0 23 9 0 9 9 0 8 0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff82460f22) at panic+0x15e sys/kern/subr_prf.c:218
vrele(fffffd80665abe18) at vrele+0x197 sys/kern/vfs_subr.c:803
ptmioctl(5100,40287401,ffff8000234b0540,3,ffff8000ffff57a0) at ptmioctl+0x5b9 sys/kern/tty_pty.c:1225
VOP_IOCTL(fffffd806e89f2f0,40287401,ffff8000234b0540,3,fffffd807f7b79c0,ffff8000ffff57a0) at VOP_IOCTL+0x9a sys/kern/vfs_vops.c:297
vn_ioctl(fffffd8066befb48,40287401,ffff8000234b0540,ffff8000ffff57a0) at vn_ioctl+0xba sys/kern/vfs_vnops.c:531
sys_ioctl(ffff8000ffff57a0,ffff8000234b0650,ffff8000234b06a0) at sys_ioctl+0x4b0
syscall(ffff8000234b0720) at syscall+0x4a1 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff8000234b0720) at syscall+0x4a1 sys/arch/amd64/amd64/trap.c:590
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x1518191ef30, count: -9
ddb{0}> machine ddbcpu 1
Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp
x86_ipi_db(ffff800020d68ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:352
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0xb sys/dev/kcov.c:139
__mp_acquire_count(ffffffff828cdb90,2) at __mp_acquire_count+0x4c sys/kern/kern_lock.c:227
mi_switch() at mi_switch+0x390 sys/kern/sched_bsd.c:433
sleep_finish(ffff800021232448,1) at sleep_finish+0x111 sys/kern/kern_synch.c:427
sleep_finish_all(ffff800021232448,1) at sleep_finish_all+0x32 sleep_finish_timeout sys/kern/kern_synch.c:457 [inline]
sleep_finish_all(ffff800021232448,1) at sleep_finish_all+0x32 sys/kern/kern_synch.c:402
tsleep(fffffd806ea03d20,118,ffffffff8241d42f,bb9) at tsleep+0x1f2 sys/kern/kern_synch.c:163
kqueue_sleep(fffffd806ea03d20,ffff800021232800) at kqueue_sleep+0x101 sys/kern/kern_event.c:1009
kqueue_scan(ffff800021232710,8,ffff800021232610,ffff800021232800,ffff8000ffff62b0,ffff80002123285c) at kqueue_scan+0x198 sys/kern/kern_event.c:1059
sys_kevent(ffff8000ffff62b0,ffff8000212328c0,ffff800021232910) at sys_kevent+0x4d3 sys/kern/kern_event.c:756
syscall(ffff800021232990) at syscall+0x4a1 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800021232990) at syscall+0x4a1 sys/arch/amd64/amd64/trap.c:590
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7fffff1660, count: 1
ddb{1}> trace
x86_ipi_db(ffff800020d68ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:352
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0xb sys/dev/kcov.c:139
__mp_acquire_count(ffffffff828cdb90,2) at __mp_acquire_count+0x4c sys/kern/kern_lock.c:227
mi_switch() at mi_switch+0x390 sys/kern/sched_bsd.c:433
sleep_finish(ffff800021232448,1) at sleep_finish+0x111 sys/kern/kern_synch.c:427
sleep_finish_all(ffff800021232448,1) at sleep_finish_all+0x32 sleep_finish_timeout sys/kern/kern_synch.c:457 [inline]
sleep_finish_all(ffff800021232448,1) at sleep_finish_all+0x32 sys/kern/kern_synch.c:402
tsleep(fffffd806ea03d20,118,ffffffff8241d42f,bb9) at tsleep+0x1f2 sys/kern/kern_synch.c:163
kqueue_sleep(fffffd806ea03d20,ffff800021232800) at kqueue_sleep+0x101 sys/kern/kern_event.c:1009
kqueue_scan(ffff800021232710,8,ffff800021232610,ffff800021232800,ffff8000ffff62b0,ffff80002123285c) at kqueue_scan+0x198 sys/kern/kern_event.c:1059
sys_kevent(ffff8000ffff62b0,ffff8000212328c0,ffff800021232910) at sys_kevent+0x4d3 sys/kern/kern_event.c:756
syscall(ffff800021232990) at syscall+0x4a1 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800021232990) at syscall+0x4a1 sys/arch/amd64/amd64/trap.c:590
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7fffff1660, count: -14