*cpu1: uvm_fault(0xfffffd806899c3e8, 0x0, 0, 1) -> e ddb{0}> trace alltraps_kern_meltdown() at alltraps_kern_meltdown+0xb8 copyout() at copyout+0x57 postsig(ffff80002a291020,14,ffff80003c47f0d8) at postsig+0x4e5 sys/kern/kern_sig.c:1801 userret(ffff80002a291020) at userret+0x24e sys/kern/kern_sig.c:2207 syscall(ffff80003c47f210) at syscall+0x9c0 mi_syscall_return sys/sys/syscall_mi.h:203 [inline] syscall(ffff80003c47f210) at syscall+0x9c0 sys/arch/amd64/amd64/trap.c:598 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x760a8a02f420, count: -6 ddb{0}> show registers rdi 0 rsi 0 rbp 0xffff80003c47ede0 rbx 0 rdx 0 rcx 0xffff80002a291020 rax 0x2a r8 0xffff80003c47ed10 r9 0x760a8a02e001 r10 0x3f47da31495910cf r11 0xc92ce594cd193290 r12 0xffff80002a291020 r13 0xffff80003c47f210 r14 0 r15 0x760a8a02ef50 rip 0xffffffff8332820b alltraps_kern_meltdown+0xb8 cs 0x8 rflags 0x246 rsp 0xffff80003c47ed60 ss 0x10 alltraps_kern_meltdown+0xb8: movl %ebx,%gs:0x680 ddb{0}> show proc PROC (syz-executor) tid=73085 pid=22443 tcnt=1 stat=onproc flags process=10000002 proc=0 runpri=32, usrpri=50, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80003c44aff8,0xffff80003c44aab8 process=0xffff8000ffff4998 user=0xffff80003c47a000, vmspace=0xfffffd806ebe0968 estcpu=36, cpticks=0, pctcpu=0.18, user=1, sys=23, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 14696 69908 5753 0 2 0 syz-executor 14696 389108 5753 0 3 0x4000080 sbwait syz-executor 14696 329141 5753 0 3 0x4000080 fsleep syz-executor 76377 245342 9485 0 3 0x80 nanoslp syz-executor 76377 505218 9485 0 3 0x4000080 kqsel syz-executor 76377 371793 9485 0 3 0x4000080 fsleep syz-executor 89398 445912 82873 0 3 0x1000080 nanoslp syz-executor 89398 518353 82873 0 3 0x5000080 kqsel syz-executor 89398 406639 82873 0 3 0x5000080 fsleep syz-executor 23177 141818 80431 0 3 0x80 nanoslp syz-executor 23177 363585 80431 0 3 0x4000080 pipewr syz-executor 23177 48891 80431 0 3 0x4000080 pipewr syz-executor 23177 382060 80431 0 3 0x4000080 fsleep syz-executor 5753 232380 10973 0 3 0x82 nanoslp syz-executor *22443 73085 10973 0 7 0x10000002 syz-executor 41043 147642 10973 0 3 0x82 wait syz-executor 14620 225354 10973 0 3 0x82 nanoslp syz-executor 82873 257704 10973 0 3 0x82 nanoslp syz-executor 65733 197058 10973 0 3 0x82 nanoslp syz-executor 80431 177606 10973 0 3 0x82 nanoslp syz-executor 45526 451659 1 0 3 0x100083 ttyin getty 69607 180613 0 0 3 0x14200 bored sosplice 9485 332426 10973 0 3 0x82 nanoslp syz-executor 10973 134520 61532 0 3 0x82 kqread syz-executor 61532 389371 69226 0 3 0x10008a sigsusp ksh 69226 505068 75309 0 3 0x98 kqread sshd-session 75309 298728 91846 0 3 0x92 kqread sshd-session 91846 6455 1 0 3 0x88 kqread sshd 29111 292946 59058 74 3 0x1100092 bpf pflogd 59058 427988 1 0 3 0x80 sbwait pflogd 54866 374515 27437 73 3 0x1100090 kqread syslogd 27437 383060 1 0 3 0x100082 sbwait syslogd 65219 449274 1 0 3 0x100080 kqread resolvd 81391 99076 18842 77 3 0x100092 kqread dhcpleased 38941 131412 18842 77 3 0x100092 kqread dhcpleased 18842 484640 1 0 3 0x80 kqread dhcpleased 67940 342764 0 0 3 0x14200 bored smr 56983 380327 0 0 3 0x14200 pgzero zerothread 83917 481087 0 0 3 0x14200 aiodoned aiodoned 427 192776 0 0 3 0x14200 syncer update 56226 516130 0 0 3 0x14200 cleaner cleaner 68675 49324 0 0 2 0x14200 reaper 51014 238394 0 0 3 0x14200 pgdaemon pagedaemon 46803 162192 0 0 3 0x14200 bored viomb 88451 367023 0 0 3 0x40014200 acpi0 acpi0 59834 357886 0 0 3 0x40014200 idle1 53960 310545 0 0 3 0x14200 bored softnet3 45492 353117 0 0 3 0x14200 bored softnet2 52550 93642 0 0 3 0x14200 bored softnet1 24097 133985 0 0 3 0x14200 bored softnet0 56220 337252 0 0 3 0x14200 bored systqmp 6048 21077 0 0 3 0x14200 bored systq 42047 439656 0 0 3 0x14200 tmoslp softclockmp 37915 252306 0 0 3 0x40014200 tmoslp softclock 72769 482223 0 0 3 0x40014200 idle0 1 342902 0 0 3 0x82 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb{0}> show all locks CPU 0: exclusive mutex &pmap->pm_mtx r = 0 (0xfffffd806bcdac10) #0 witness_lock+0x5bb stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5bb sys/kern/subr_witness.c:1160 #1 mtx_enter_try+0x178 sys/kern/kern_lock.c:-1 #2 mtx_enter+0x60 sys/kern/kern_lock.c:239 #3 pmap_enter+0x246 rcr3 machine/cpufunc.h:139 [inline] #3 pmap_enter+0x246 pmap_map_ptes sys/arch/amd64/amd64/pmap.c:437 [inline] #3 pmap_enter+0x246 sys/arch/amd64/amd64/pmap.c:2770 #4 uvm_fault_upper+0x353 sys/uvm/uvm_fault.c:1161 #5 uvm_fault+0x19c sys/uvm/uvm_fault.c:685 #6 kpageflttrap+0x2d0 sys/arch/amd64/amd64/trap.c:279 #7 kerntrap+0x14a sys/arch/amd64/amd64/trap.c:332 #8 alltraps_kern_meltdown+0x7b #9 copyout+0x57 #10 postsig+0x4e5 sys/kern/kern_sig.c:1801 #11 userret+0x24e sys/kern/kern_sig.c:2207 #12 syscall+0x9c0 mi_syscall_return sys/sys/syscall_mi.h:203 [inline] #12 syscall+0x9c0 sys/arch/amd64/amd64/trap.c:598 #13 Xsyscall+0x128 Process 22443 (syz-executor) thread 0xffff80002a291020 (73085) Process 68675 (reaper) thread 0xffff80002a238548 (49324) ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10247 11108K 12377K 166960K 16272 0 pcb 17 17K 19K 166960K 672 0 rtable 211 16K 18K 166960K 1250 0 pf 44 19K 83K 166960K 416 0 ifaddr 34 7K 9K 166960K 277 0 ifgroup 63 2K 3K 166960K 497 0 sysctl 4 1K 1K 166960K 12 0 counters 66 36K 37K 166960K 516 0 ioctlops 0 0K 8K 166960K 2174 0 iov 1 12K 28K 166960K 347 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1453 91K 92K 166960K 4773 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 13K 166960K 88 0 VM map 2 1K 1K 166960K 2 0 sem 27 11K 21K 166960K 104 0 dirhash 12 2K 2K 166960K 96 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 17 61K 240K 166960K 4477 0 sigio 0 0K 0K 166960K 76 0 proc 75 103K 140K 166960K 1571 0 subproc 72 4K 4K 166960K 218 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 837 0 in_multi 64 4K 7K 166960K 440 0 ether_multi 1 0K 0K 166960K 62 0 mrt 1 0K 0K 166960K 15 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 265 1182K 1182K 166960K 265 0 exec 0 0K 1K 166960K 1088 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 6 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 264 182K 192K 166960K 41825 0 UVM aobj 57 4K 4K 166960K 62 0 pinsyscall 42 84K 103K 166960K 5942 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 1K 166960K 318 0 NDP 13 0K 2K 166960K 203 0 temp 86 8692K 8948K 166960K 224127 0 kqueue 14 22K 32K 166960K 753 0 SYN cache 2 16K 16K 166960K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 120 609 0 606 6 5 1 3 0 8 0 rtentry 176 384 0 311 8 2 6 6 0 8 0 unpcb 144 3902 0 3880 24 22 2 6 0 8 1 syncache 336 3 0 3 1 1 0 1 0 8 0 tcpcb 808 1454 0 1448 40 31 9 14 0 8 8 arp 128 64 0 46 1 0 1 1 0 8 0 inpcb 384 4517 0 4508 61 52 9 15 0 8 7 nd6 144 83 0 68 2 0 2 2 0 8 1 pkpcb 40 131 0 131 7 6 1 1 0 8 1 kcovpl 48 24 0 16 1 0 1 1 0 8 0 mppekey 1024 2 0 2 2 2 0 1 0 8 0 ppxss 1192 163 0 163 4 3 1 1 0 8 1 pppxif 1504 28 0 28 8 7 1 1 0 8 1 pfstscr 40 3 0 3 2 2 0 1 0 8 0 pffrag 232 17 0 8 1 0 1 1 0 482 0 pffrnode 88 13 0 5 1 0 1 1 0 8 0 pffrent 40 30 0 21 1 0 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfrktable 1344 9 0 4 1 0 1 1 0 8 0 pfanchor 1288 4 0 0 1 0 1 1 0 8 0 pftag 88 1 0 0 1 0 1 1 0 8 0 pfstitem 24 252 0 128 1 0 1 1 0 8 0 pfstkey 128 258 0 134 5 0 5 5 0 8 0 pfstate 384 255 0 131 13 0 13 13 0 8 0 pfrule 1344 34 0 22 4 3 1 2 0 8 0 rttmr 136 3 0 3 3 3 0 1 0 8 0 art_heap8 4096 4 0 0 4 0 4 4 0 8 0 art_heap4 256 1553 0 1240 39 15 24 30 0 8 2 art_table 32 1557 0 1240 4 0 4 4 0 8 0 art_node 16 366 0 305 1 0 1 1 0 8 0 sysvmsgpl 40 5 0 5 3 3 0 1 0 8 0 semupl 112 1 0 1 1 1 0 1 0 8 0 semapl 112 98 0 73 1 0 1 1 0 8 0 shmpl 112 59 0 5 2 0 2 2 0 8 0 dirhash 1024 74 0 57 3 0 3 3 0 8 0 dino2pl 256 9665 0 8122 97 0 97 97 0 8 0 ffsino 288 9665 0 8122 111 0 111 111 0 8 0 nchpl 144 15943 0 15303 64 39 25 64 0 8 0 rtmask 32 37 0 37 7 6 1 1 0 8 1 uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0 vnodes 216 5926 0 0 330 0 330 330 0 8 0 namei 1024 56492 0 56492 5 4 1 3 0 8 1 percpumem 16 273 0 225 1 0 1 1 0 8 0 pfiaddrpl 120 3 0 1 1 0 1 1 0 8 0 kstatmem 264 306 0 280 5 2 3 3 0 8 0 acpiwqpl 32 4 0 4 1 0 1 1 1 8 1 scsiplug 72 16 0 16 5 4 1 1 0 8 1 scxspl 216 49648 0 49648 15 14 1 8 1 8 1 plimitpl 152 1035 0 1017 1 0 1 1 0 8 0 sigapl 424 4715 0 4664 11 4 7 9 0 8 0 futexpl 64 70942 0 70938 1 0 1 1 0 8 0 knotepl 120 790 0 0 22 0 22 22 0 8 0 kqueuepl 224 1673 0 1660 14 9 5 5 0 8 4 pipepl 336 735 0 707 18 12 6 8 0 8 3 fdescpl 520 4669 0 4638 3 0 3 3 0 8 0 filepl 160 33211 0 32978 39 22 17 20 0 8 3 lockfpl 104 1440 0 1437 2 1 1 2 0 8 0 lockfspl 48 471 0 468 1 0 1 1 0 8 0 sessionpl 144 40 0 31 1 0 1 1 0 8 0 pgrppl 48 291 0 274 1 0 1 1 0 8 0 ucredpl 104 5398 0 5383 1 0 1 1 0 8 0 zombiepl 144 5016 0 5012 1 0 1 1 0 8 0 processpl 1216 4715 0 4664 6 0 6 6 0 8 0 procpl 680 11529 0 11467 9 2 7 8 0 8 0 srpgc 96 39 0 39 5 4 1 1 0 8 1 sosppl 168 25 0 25 4 3 1 1 0 8 1 sockpl 728 9245 0 9211 72 61 11 16 0 8 7 mcl64k 65536 8 14 0 1 0 1 1 0 8 0 mcl12k 12288 3 0 0 1 0 1 1 0 8 0 mcl9k 9216 2 0 0 1 0 1 1 0 8 0 mcl8k 8192 8 3 0 1 0 1 1 0 8 0 mcl4k 4096 126 0 0 16 0 16 16 0 8 0 mcl2k2 2112 2 0 0 1 0 1 1 0 8 0 mcl2k 2048 38 0 0 4 0 4 4 0 8 0 mtagpl 96 103 0 0 3 0 3 3 0 8 0 mbufpl 256 1531 0 0 95 0 95 95 0 8 0 bufpl 280 14270 0 8128 440 0 440 440 0 8 0 anonpl 32 21336 0 0 172 0 172 172 0 246 0 amapchunkpl 152 151798 0 151011 67 30 37 40 0 158 5 amappl16 200 9696 0 9188 94 47 47 52 0 8 8 amappl15 192 4 0 3 1 0 1 1 0 8 0 amappl14 184 144 0 132 1 0 1 1 0 8 0 amappl13 176 10 0 10 3 3 0 1 0 8 0 amappl12 168 5594 0 5563 3 1 2 2 0 8 0 amappl11 160 48 0 34 1 0 1 1 0 8 0 amappl10 152 2 0 2 2 2 0 1 0 8 0 amappl9 144 261 0 260 1 0 1 1 0 8 0 amappl8 136 19 0 16 1 0 1 1 0 8 0 amappl7 128 144 0 131 1 0 1 1 0 8 0 amappl6 120 333 0 329 1 0 1 1 0 8 0 amappl5 112 191 0 181 1 0 1 1 0 8 0 amappl4 104 393 0 374 1 0 1 1 0 8 0 amappl3 96 29365 0 29247 5 1 4 4 0 8 0 amappl2 88 874 0 807 2 0 2 2 0 8 0 amappl1 80 26696 0 26082 19 5 14 15 0 8 0 amappl 88 40017 0 39828 5 0 5 5 0 92 0 dma65536 65536 1 0 1 1 1 0 1 0 8 0 dma32768 32768 1 0 1 1 1 0 1 0 8 0 dma16384 16384 3 0 3 2 2 0 1 0 8 0 dma8192 8192 1 0 1 1 1 0 1 0 8 0 dma4096 4096 2 0 2 2 2 0 1 0 8 0 dma2048 2048 33 0 33 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma512 512 1 0 1 1 1 0 1 0 8 0 dma256 256 11 0 11 4 4 0 1 0 8 0 dma128 128 259 0 259 6 5 1 1 0 8 1 dma64 64 7 0 7 2 2 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 61 0 5 2 0 2 2 0 8 0 uaddrrnd 24 4669 0 4638 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 4669 0 4638 1 0 1 1 0 8 0 vmmpekpl 168 31873 0 31809 4 0 4 4 0 8 0 vmmpepl 168 291543 0 289016 154 20 134 134 0 357 3 vmsppl 480 4668 0 4638 7 2 5 5 0 8 0 rwobjpl 72 71495 0 64061 153 9 144 144 0 8 4 pdppl 4096 9345 0 9276 122 51 71 85 0 8 2 pvpl 32 29013 0 0 235 2 233 233 0 265 0 pmappl 256 4668 0 4638 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 585 0 131 14 0 14 14 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace alltraps_kern_meltdown() at alltraps_kern_meltdown+0xb8 copyout() at copyout+0x57 postsig(ffff80002a291020,14,ffff80003c47f0d8) at postsig+0x4e5 sys/kern/kern_sig.c:1801 userret(ffff80002a291020) at userret+0x24e sys/kern/kern_sig.c:2207 syscall(ffff80003c47f210) at syscall+0x9c0 mi_syscall_return sys/sys/syscall_mi.h:203 [inline] syscall(ffff80003c47f210) at syscall+0x9c0 sys/arch/amd64/amd64/trap.c:598 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x760a8a02f420, count: -6 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffff8000299ddff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 x86_bus_space_io_read_1(3f8,5) at x86_bus_space_io_read_1+0x37 sys/arch/amd64/amd64/bus_space.c:654 comcnputc(800,a) at comcnputc+0x250 comcn_read_reg sys/dev/ic/com.c:1655 [inline] comcnputc(800,a) at comcnputc+0x250 sys/dev/ic/com.c:1269 cnputc(a) at cnputc+0x61 sys/dev/cons.c:218 db_putchar(a) at db_putchar+0x774 sys/ddb/db_output.c:168 kprintf() at kprintf+0x843 sys/kern/subr_prf.c:-1 db_printf(ffffffff833ff6c5) at db_printf+0x9b sys/kern/subr_prf.c:-1 fault(ffffffff8339e75a) at fault+0xa7 sys/arch/amd64/amd64/trap.c:157 kpageflttrap(ffff80002a3029e0,0) at kpageflttrap+0x385 sys/arch/amd64/amd64/trap.c:290 kerntrap(ffff80002a3029e0) at kerntrap+0x14a sys/arch/amd64/amd64/trap.c:332 alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b dt_ioctl_record_stop(ffff800001600000) at dt_ioctl_record_stop+0xf0 sys/dev/dt/dt_dev.c:579 end trace frame: 0xffff80002a302b10, count: 0 ddb{1}> trace x86_ipi_db(ffff8000299ddff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 x86_bus_space_io_read_1(3f8,5) at x86_bus_space_io_read_1+0x37 sys/arch/amd64/amd64/bus_space.c:654 comcnputc(800,a) at comcnputc+0x250 comcn_read_reg sys/dev/ic/com.c:1655 [inline] comcnputc(800,a) at comcnputc+0x250 sys/dev/ic/com.c:1269 cnputc(a) at cnputc+0x61 sys/dev/cons.c:218 db_putchar(a) at db_putchar+0x774 sys/ddb/db_output.c:168 kprintf() at kprintf+0x843 sys/kern/subr_prf.c:-1 db_printf(ffffffff833ff6c5) at db_printf+0x9b sys/kern/subr_prf.c:-1 fault(ffffffff8339e75a) at fault+0xa7 sys/arch/amd64/amd64/trap.c:157 kpageflttrap(ffff80002a3029e0,0) at kpageflttrap+0x385 sys/arch/amd64/amd64/trap.c:290 kerntrap(ffff80002a3029e0) at kerntrap+0x14a sys/arch/amd64/amd64/trap.c:332 alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b dt_ioctl_record_stop(ffff800001600000) at dt_ioctl_record_stop+0xf0 sys/dev/dt/dt_dev.c:579 dtclose(11e5f,81,2000,ffff80002a292ab0) at dtclose+0x105 dt_pcb_purge sys/dev/dt/dt_dev.c:-1 [inline] dtclose(11e5f,81,2000,ffff80002a292ab0) at dtclose+0x105 sys/dev/dt/dt_dev.c:232 spec_close(ffff80002a302b90) at spec_close+0x45f sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd80632a10f0,81,fffffd807f7d3680,ffff80002a292ab0) at VOP_CLOSE+0x133 sys/kern/vfs_vops.c:156 vn_closefile(fffffd805c52f5d8,ffff80002a292ab0) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd805c52f5d8,ffff80002a292ab0) at vn_closefile+0x12b sys/kern/vfs_vnops.c:615 fdrop(fffffd805c52f5d8,ffff80002a292ab0) at fdrop+0x126 sys/kern/kern_descrip.c:1265 closef(fffffd805c52f5d8,ffff80002a292ab0) at closef+0x192 sys/kern/kern_descrip.c:1249 fdfree(ffff80002a292ab0) at fdfree+0x116 sys/kern/kern_descrip.c:1181 exit1(ffff80002a292ab0,0,0,1) at exit1+0x58f sys/kern/kern_exit.c:214 sys_exit(ffff80002a292ab0,ffff80002a302f00,ffff80002a302e50) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80002a302f00) at syscall+0xb08 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80002a302f00) at syscall+0xb08 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x74c773772220, count: -25