panic: vrele: v_writecount != 0 Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *476255 31874 32767 0x10 0x4000000 0K syz-executor.0 34694 12034 73 0x100010 0x80 1 syslogd db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff82460f22) at panic+0x15e sys/kern/subr_prf.c:218 vrele(fffffd80665abe18) at vrele+0x197 sys/kern/vfs_subr.c:803 ptmioctl(5100,40287401,ffff8000234b0540,3,ffff8000ffff57a0) at ptmioctl+0x5b9 sys/kern/tty_pty.c:1225 VOP_IOCTL(fffffd806e89f2f0,40287401,ffff8000234b0540,3,fffffd807f7b79c0,ffff8000ffff57a0) at VOP_IOCTL+0x9a sys/kern/vfs_vops.c:297 vn_ioctl(fffffd8066befb48,40287401,ffff8000234b0540,ffff8000ffff57a0) at vn_ioctl+0xba sys/kern/vfs_vnops.c:531 sys_ioctl(ffff8000ffff57a0,ffff8000234b0650,ffff8000234b06a0) at sys_ioctl+0x4b0 syscall(ffff8000234b0720) at syscall+0x4a1 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff8000234b0720) at syscall+0x4a1 sys/arch/amd64/amd64/trap.c:590 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x1518191ef30, count: 6 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic vrele: v_writecount != 0 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff82460f22) at panic+0x15e sys/kern/subr_prf.c:218 vrele(fffffd80665abe18) at vrele+0x197 sys/kern/vfs_subr.c:803 ptmioctl(5100,40287401,ffff8000234b0540,3,ffff8000ffff57a0) at ptmioctl+0x5b9 sys/kern/tty_pty.c:1225 VOP_IOCTL(fffffd806e89f2f0,40287401,ffff8000234b0540,3,fffffd807f7b79c0,ffff8000ffff57a0) at VOP_IOCTL+0x9a sys/kern/vfs_vops.c:297 vn_ioctl(fffffd8066befb48,40287401,ffff8000234b0540,ffff8000ffff57a0) at vn_ioctl+0xba sys/kern/vfs_vnops.c:531 sys_ioctl(ffff8000ffff57a0,ffff8000234b0650,ffff8000234b06a0) at sys_ioctl+0x4b0 syscall(ffff8000234b0720) at syscall+0x4a1 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff8000234b0720) at syscall+0x4a1 sys/arch/amd64/amd64/trap.c:590 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x1518191ef30, count: -9 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff8000234aff80 rbx 0xffff8000234aff90 rdx 0x8b rcx 0x2 rax 0x1 r8 0xffffffff81ea78f5 kprintf+0x145 r9 0x1 r10 0x4e733c760fad166e r11 0x8e747ca00b5c6eb4 r12 0x3000000008 r13 0xffff8000234b0030 r14 0x100 r15 0x1 rip 0xffffffff8184d248 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff8000234aff70 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor.0) pid=476255 stat=onproc flags process=10 proc=4000000 pri=66, usrpri=66, nice=20 forw=0xffffffffffffffff, list=0xffff8000ffff4fc0,0xffff8000ffff42b0 process=0xffff8000ffff3b30 user=0xffff8000234ab000, vmspace=0xfffffd807effaa10 estcpu=16, cpticks=2, pctcpu=0.0 user=0, sys=2, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 31874 497902 38994 32767 2 0x10 syz-executor.0 *31874 476255 38994 32767 7 0x4000010 syz-executor.0 31874 320403 38994 32767 2 0x4000010 syz-executor.0 31874 247549 38994 32767 3 0x4000090 poll syz-executor.0 49984 308582 49864 32767 3 0x90 piperd syz-executor.1 38994 84797 3011 32767 2 0x490 syz-executor.0 49864 159321 38172 0 3 0x82 wait syz-executor.1 3011 463136 38172 0 3 0x82 wait syz-executor.0 38172 193956 17140 0 3 0x82 thrsleep syz-fuzzer 38172 476362 17140 0 3 0x4000082 thrsleep syz-fuzzer 38172 301063 17140 0 3 0x4000082 kqread syz-fuzzer 38172 119080 17140 0 3 0x4000082 thrsleep syz-fuzzer 38172 22879 17140 0 3 0x4000082 thrsleep syz-fuzzer 38172 292929 17140 0 3 0x4000082 thrsleep syz-fuzzer 38172 227940 17140 0 3 0x4000082 thrsleep syz-fuzzer 38172 157400 17140 0 3 0x4000082 thrsleep syz-fuzzer 17140 249782 72039 0 3 0x10008a sigsusp ksh 72039 255202 73795 0 3 0x92 select sshd 23886 325305 1 0 3 0x100083 ttyin getty 73795 325170 1 0 3 0x80 select sshd 12034 34694 66466 73 7 0x100090 syslogd 66466 154607 1 0 3 0x100082 netio syslogd 2322 150609 1 77 3 0x100090 poll dhclient 85782 204200 1 0 3 0x80 poll dhclient 32939 187508 0 0 3 0x14200 bored smr 9828 381627 0 0 2 0x14200 zerothread 41643 509575 0 0 3 0x14200 aiodoned aiodoned 3919 496709 0 0 3 0x14200 syncer update 68768 324371 0 0 3 0x14200 cleaner cleaner 20418 467270 0 0 3 0x14200 reaper reaper 62658 127211 0 0 3 0x14200 pgdaemon pagedaemon 82261 358671 0 0 3 0x14200 bored crynlk 96848 496457 0 0 3 0x14200 bored crypto 33507 86192 0 0 3 0x14200 bored viomb 64299 406446 0 0 3 0x40014200 acpi0 acpi0 84302 385511 0 0 3 0x40014200 idle1 86229 49897 0 0 3 0x14200 bored softnet 2643 487702 0 0 3 0x14200 bored systqmp 31623 257048 0 0 3 0x14200 bored systq 5958 40111 0 0 3 0x40014200 bored softclock 7373 229782 0 0 3 0x40014200 idle0 1 103241 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 31874 (syz-executor.0) thread 0xffff8000ffff57a0 (476255) exclusive kernel_lock &kernel_lock r = 0 (0xffffffff828cdd98) #0 witness_lock+0x4b0 stacktrace_save sys/sys/stacktrace.h:36 [inline] #0 witness_lock+0x4b0 sys/kern/subr_witness.c:1182 #1 vn_ioctl+0x40 sys/kern/vfs_vnops.c:514 #2 sys_ioctl+0x4b0 #3 syscall+0x4a1 mi_syscall sys/sys/syscall_mi.h:102 [inline] #3 syscall+0x4a1 sys/arch/amd64/amd64/trap.c:590 #4 Xsyscall+0x128 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 9478 6349K 6349K 78643K 10568 0 pcb 13 8K 8K 78643K 13 0 rtable 105 3K 3K 78643K 189 0 ifaddr 39 10K 10K 78643K 39 0 counters 44 34K 34K 78643K 44 0 ioctlops 0 0K 2K 78643K 15 0 iov 0 0K 0K 78643K 2 0 mount 1 1K 1K 78643K 1 0 vnodes 1216 76K 76K 78643K 1233 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 1K 78643K 2 0 VM map 2 1K 1K 78643K 2 0 sem 10 1K 1K 78643K 12 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12598 0 file desc 7 21K 33K 78643K 189 0 proc 48 50K 70K 78643K 369 0 subproc 34 2K 2K 78643K 34 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 7 0 in_multi 33 2K 2K 78643K 35 0 ether_multi 1 0K 0K 78643K 1 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 37 175K 175K 78643K 37 0 exec 0 0K 2K 78643K 319 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 157 27K 27K 78643K 1147 0 UVM aobj 3 2K 2K 78643K 3 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 NDP 5 0K 0K 78643K 9 0 temp 71 3974K 4038K 78643K 2130 0 kqueue 3 4K 4K 78643K 3 0 SYN cache 2 16K 16K 78643K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 6 0 0 1 0 1 1 0 8 0 plcache 128 20 0 0 1 0 1 1 0 8 0 rtpcb 120 19 0 17 1 0 1 1 0 8 0 rtentry 112 45 0 1 2 0 2 2 0 8 0 unpcb 120 78 0 70 1 0 1 1 0 8 0 syncache 296 4 0 4 1 1 0 1 0 8 0 tcpqe 32 680 0 680 3 2 1 2 0 8 1 tcpcb 736 30 0 26 2 0 2 2 0 8 1 inpcb 304 64 0 57 1 0 1 1 0 8 0 nd6 48 6 0 0 1 0 1 1 0 8 0 kcovpl 48 2 0 0 1 0 1 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 189 0 0 12 0 12 12 0 8 0 art_table 32 190 0 0 2 0 2 2 0 8 0 art_node 16 44 0 4 1 0 1 1 0 8 0 sysvmsgpl 40 10 0 4 1 0 1 1 0 8 0 semupl 112 2 0 2 1 1 0 1 0 8 0 semapl 112 8 0 0 1 0 1 1 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 1589 0 193 88 0 88 88 0 8 0 ffsino 272 1589 0 193 94 0 94 94 0 8 0 nchpl 144 1974 0 377 60 0 60 60 0 8 0 uvmvnodes 72 1632 0 0 30 0 30 30 0 8 0 vnodes 224 1632 0 0 96 0 96 96 0 8 0 namei 1024 4835 0 4835 2 1 1 1 0 8 1 percpumem 16 33 0 0 1 0 1 1 0 8 0 scxspl 216 6200 0 6200 9 8 1 8 0 8 1 plimitpl 152 23 0 13 1 0 1 1 0 8 0 sigapl 424 377 0 345 4 0 4 4 0 8 0 futexpl 56 1512 0 1512 1 0 1 1 0 8 1 knotepl 112 62 0 42 1 0 1 1 0 8 0 kqueuepl 168 174 0 172 1 0 1 1 0 8 0 pipepl 336 74 0 63 2 1 1 2 0 8 0 fdescpl 496 361 0 345 3 0 3 3 0 8 0 filepl 152 1556 0 1452 6 1 5 5 0 8 0 lockfpl 104 17 0 16 1 0 1 1 0 8 0 lockfspl 48 9 0 8 1 0 1 1 0 8 0 sessionpl 144 17 0 7 1 0 1 1 0 8 0 pgrppl 48 17 0 7 1 0 1 1 0 8 0 ucredpl 96 165 0 156 1 0 1 1 0 8 0 zombiepl 144 345 0 345 2 1 1 1 0 8 1 processpl 1080 377 0 345 5 2 3 3 0 8 0 procpl 672 594 0 552 4 0 4 4 0 8 0 sockpl 432 161 0 144 4 1 3 3 0 8 1 mcl64k 65536 4 0 0 1 0 1 1 0 8 0 mcl12k 12288 4 0 0 1 0 1 1 0 8 0 mcl8k 8192 2 0 0 1 0 1 1 0 8 0 mcl4k 4096 4 0 0 1 0 1 1 0 8 0 mcl2k 2048 267 0 0 33 0 33 33 0 8 0 mtagpl 96 1 0 0 1 0 1 1 0 8 0 mbufpl 256 281 0 0 18 0 18 18 0 8 0 bufpl 280 3674 0 173 251 0 251 251 0 8 0 anonpl 24 55473 0 30911 152 2 150 150 0 186 1 amapchunkpl 152 2056 0 1445 27 2 25 26 0 158 0 amappl16 200 1408 0 466 51 0 51 51 0 8 1 amappl15 192 2 0 1 1 0 1 1 0 8 0 amappl14 184 21 0 18 1 0 1 1 0 8 0 amappl13 176 29 0 26 1 0 1 1 0 8 0 amappl12 168 60 0 53 1 0 1 1 0 8 0 amappl11 160 47 0 36 1 0 1 1 0 8 0 amappl10 152 115 0 110 1 0 1 1 0 8 0 amappl9 144 17 0 15 1 0 1 1 0 8 0 amappl8 136 118 0 87 2 0 2 2 0 8 0 amappl7 128 215 0 208 1 0 1 1 0 8 0 amappl6 120 164 0 150 1 0 1 1 0 8 0 amappl5 112 1035 0 1017 1 0 1 1 0 8 0 amappl4 104 302 0 276 1 0 1 1 0 8 0 amappl3 96 129 0 121 1 0 1 1 0 8 0 amappl2 88 2111 0 2045 3 1 2 3 0 8 0 amappl1 80 18655 0 18162 25 14 11 20 0 8 0 amappl 88 889 0 775 3 0 3 3 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 64 2 0 0 1 0 1 1 0 8 0 uaddrrnd 24 361 0 345 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 361 0 345 1 0 1 1 0 8 0 vmmpekpl 168 6491 0 6464 2 0 2 2 0 8 0 vmmpepl 168 54835 0 52534 146 15 131 139 0 357 29 vmsppl 368 360 0 345 2 0 2 2 0 8 0 rwobjpl 56 14028 0 12359 30 6 24 25 0 8 0 pdppl 4096 729 0 690 60 19 41 45 0 8 2 pvpl 32 186799 0 159127 231 1 230 230 0 265 4 pmappl 232 360 0 345 2 1 1 2 0 8 0 extentpl 40 58 0 40 1 0 1 1 0 8 0 phpool 112 323 0 23 9 0 9 9 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff82460f22) at panic+0x15e sys/kern/subr_prf.c:218 vrele(fffffd80665abe18) at vrele+0x197 sys/kern/vfs_subr.c:803 ptmioctl(5100,40287401,ffff8000234b0540,3,ffff8000ffff57a0) at ptmioctl+0x5b9 sys/kern/tty_pty.c:1225 VOP_IOCTL(fffffd806e89f2f0,40287401,ffff8000234b0540,3,fffffd807f7b79c0,ffff8000ffff57a0) at VOP_IOCTL+0x9a sys/kern/vfs_vops.c:297 vn_ioctl(fffffd8066befb48,40287401,ffff8000234b0540,ffff8000ffff57a0) at vn_ioctl+0xba sys/kern/vfs_vnops.c:531 sys_ioctl(ffff8000ffff57a0,ffff8000234b0650,ffff8000234b06a0) at sys_ioctl+0x4b0 syscall(ffff8000234b0720) at syscall+0x4a1 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff8000234b0720) at syscall+0x4a1 sys/arch/amd64/amd64/trap.c:590 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x1518191ef30, count: -9 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp x86_ipi_db(ffff800020d68ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:352 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 __sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0xb sys/dev/kcov.c:139 __mp_acquire_count(ffffffff828cdb90,2) at __mp_acquire_count+0x4c sys/kern/kern_lock.c:227 mi_switch() at mi_switch+0x390 sys/kern/sched_bsd.c:433 sleep_finish(ffff800021232448,1) at sleep_finish+0x111 sys/kern/kern_synch.c:427 sleep_finish_all(ffff800021232448,1) at sleep_finish_all+0x32 sleep_finish_timeout sys/kern/kern_synch.c:457 [inline] sleep_finish_all(ffff800021232448,1) at sleep_finish_all+0x32 sys/kern/kern_synch.c:402 tsleep(fffffd806ea03d20,118,ffffffff8241d42f,bb9) at tsleep+0x1f2 sys/kern/kern_synch.c:163 kqueue_sleep(fffffd806ea03d20,ffff800021232800) at kqueue_sleep+0x101 sys/kern/kern_event.c:1009 kqueue_scan(ffff800021232710,8,ffff800021232610,ffff800021232800,ffff8000ffff62b0,ffff80002123285c) at kqueue_scan+0x198 sys/kern/kern_event.c:1059 sys_kevent(ffff8000ffff62b0,ffff8000212328c0,ffff800021232910) at sys_kevent+0x4d3 sys/kern/kern_event.c:756 syscall(ffff800021232990) at syscall+0x4a1 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff800021232990) at syscall+0x4a1 sys/arch/amd64/amd64/trap.c:590 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7fffff1660, count: 1 ddb{1}> trace x86_ipi_db(ffff800020d68ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:352 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 __sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0xb sys/dev/kcov.c:139 __mp_acquire_count(ffffffff828cdb90,2) at __mp_acquire_count+0x4c sys/kern/kern_lock.c:227 mi_switch() at mi_switch+0x390 sys/kern/sched_bsd.c:433 sleep_finish(ffff800021232448,1) at sleep_finish+0x111 sys/kern/kern_synch.c:427 sleep_finish_all(ffff800021232448,1) at sleep_finish_all+0x32 sleep_finish_timeout sys/kern/kern_synch.c:457 [inline] sleep_finish_all(ffff800021232448,1) at sleep_finish_all+0x32 sys/kern/kern_synch.c:402 tsleep(fffffd806ea03d20,118,ffffffff8241d42f,bb9) at tsleep+0x1f2 sys/kern/kern_synch.c:163 kqueue_sleep(fffffd806ea03d20,ffff800021232800) at kqueue_sleep+0x101 sys/kern/kern_event.c:1009 kqueue_scan(ffff800021232710,8,ffff800021232610,ffff800021232800,ffff8000ffff62b0,ffff80002123285c) at kqueue_scan+0x198 sys/kern/kern_event.c:1059 sys_kevent(ffff8000ffff62b0,ffff8000212328c0,ffff800021232910) at sys_kevent+0x4d3 sys/kern/kern_event.c:756 syscall(ffff800021232990) at syscall+0x4a1 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff800021232990) at syscall+0x4a1 sys/arch/amd64/amd64/trap.c:590 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7fffff1660, count: -14