panic: mallocarray: overflow 18446744071562067968 * 8
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*476061   5185      0           0  0x4000000    0  syz-executor.0
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:208
drm_prime_remove_buf_handle_locked(ffffffff80000000,8) at drm_prime_remove_buf_handle_locked
wsmux_getmux(7fffffff) at wsmux_getmux+0x71 sys/dev/wscons/wsmux.c:152
wsmux_add_mux(7fffffff,ffff800001943000) at wsmux_add_mux+0x2f sys/dev/wscons/wsmux.c:594
VOP_IOCTL(fffffd8029f7f1c0,80085761,ffff800014a02920,2,fffffd803f7c69c0,ffff8000ffff9520) at VOP_IOCTL+0x9a sys/kern/vfs_vops.c:290
vn_ioctl(fffffd80304bc970,80085761,ffff800014a02920,ffff8000ffff9520) at vn_ioctl+0xc9 sys/kern/vfs_vnops.c:512
sys_ioctl(ffff8000ffff9520,ffff800014a02a68,ffff800014a02a50) at sys_ioctl+0x638
syscall(ffff800014a02b00) at syscall+0x541
Xsyscall(6,0,ffffffffffffff86,0,3,fcf7a6d9010) at Xsyscall+0x128
end of kernel
end trace frame: 0xfd1e0ce5100, count: 5
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports.
Insufficient info makes it difficult to find and fix bugs.
ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic mallocarray: overflow 18446744071562067968 * 8 ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic() at panic+0x15c sys/kern/subr_prf.c:208 drm_prime_remove_buf_handle_locked(ffffffff80000000,8) at drm_prime_remove_buf_handle_locked wsmux_getmux(7fffffff) at wsmux_getmux+0x71 sys/dev/wscons/wsmux.c:152 wsmux_add_mux(7fffffff,ffff800001943000) at wsmux_add_mux+0x2f sys/dev/wscons/wsmux.c:594 VOP_IOCTL(fffffd8029f7f1c0,80085761,ffff800014a02920,2,fffffd803f7c69c0,ffff8000ffff9520) at VOP_IOCTL+0x9a sys/kern/vfs_vops.c:290 vn_ioctl(fffffd80304bc970,80085761,ffff800014a02920,ffff8000ffff9520) at vn_ioctl+0xc9 sys/kern/vfs_vnops.c:512 sys_ioctl(ffff8000ffff9520,ffff800014a02a68,ffff800014a02a50) at sys_ioctl+0x638 syscall(ffff800014a02b00) at syscall+0x541 Xsyscall(6,0,ffffffffffffff86,0,3,fcf7a6d9010) at Xsyscall+0x128 end of kernel end trace frame: 0xfd1e0ce5100, count: -10 ddb> show registers rdi 0xffffffff819129c7 db_enter+0x17 rsi 0x1935 __ALIGN_SIZE+0x935 rbp 0xffff800014a02560 rbx 0xffff800014a02610 rdx 0x1936 __ALIGN_SIZE+0x936 rcx 0xffff80000133c000 rax 0xffff80000133c000 r8 0xffff800014a02520 r9 0x1 r10 0xffff800001b3c780 r11 0xcaa461c4dffd74fb r12 0x3000000008 r13 0xffff800014a02570 r14 0x100 r15 0x1 rip 0xffffffff819129c8 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff800014a02550 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb> show proc PROC (syz-executor.0) pid=476061 stat=onproc flags process=0 proc=4000000 pri=51, usrpri=51, nice=20 forw=0xffffffffffffffff, list=0xffff8000ffff92c8,0xffffffff822dfc38 process=0xffff8000ffff73c0 user=0xffff8000149fd000, vmspace=0xfffffd803f013c60 estcpu=9, cpticks=0, pctcpu=0.0 user=0, sys=0, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 5185 458941 70454 0 2 0 syz-executor.0 * 5185 476061 70454 0 7 0x4000000 syz-executor.0 70454 288940 93519 0 3 0x82 nanosleep syz-executor.0 51317 438367 93519 0 3 0x82 piperd syz-executor.1 
74716 365151 0 0 3 0x14200 bored sosplice 93519 50779 61442 0 3 0x82 thrsleep syz-fuzzer 93519 308188 61442 0 3 0x4000082 thrsleep syz-fuzzer 93519 130101 61442 0 3 0x4000082 thrsleep syz-fuzzer 93519 317010 61442 0 3 0x4000082 thrsleep syz-fuzzer 93519 41027 61442 0 3 0x4000082 thrsleep syz-fuzzer 93519 204323 61442 0 3 0x4000082 kqread syz-fuzzer 93519 53081 61442 0 3 0x4000082 thrsleep syz-fuzzer 93519 45120 61442 0 3 0x4000082 thrsleep syz-fuzzer 61442 90887 97821 0 3 0x10008a pause ksh 97821 296085 88514 0 3 0x92 select sshd 94035 474574 1 0 3 0x100083 ttyin getty 88514 479812 1 0 3 0x80 select sshd 85485 215325 82006 73 3 0x100090 kqread syslogd 82006 190635 1 0 3 0x100082 netio syslogd 98671 86877 1 77 3 0x100090 poll dhclient 5647 303722 1 0 3 0x80 poll dhclient 74685 245423 0 0 3 0x14200 pgzero zerothread 44730 23764 0 0 3 0x14200 aiodoned aiodoned 69945 44886 0 0 3 0x14200 syncer update 77716 498327 0 0 3 0x14200 cleaner cleaner 52866 82627 0 0 3 0x14200 reaper reaper 6204 228711 0 0 3 0x14200 pgdaemon pagedaemon 95964 132190 0 0 3 0x14200 bored crynlk 98008 86231 0 0 3 0x14200 bored crypto 23796 450479 0 0 3 0x40014200 acpi0 acpi0 39881 93441 0 0 3 0x14200 bored softnet 37498 185015 0 0 3 0x14200 bored systqmp 83677 415428 0 0 3 0x14200 bored systq 93031 130458 0 0 3 0x40014200 bored softclock 32441 133419 0 0 3 0x40014200 idle0 61448 457214 0 0 3 0x14200 bored smr 1 410420 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim devbuf 9492 6341K 6350K 78643K 11012 0 0 pcb 23 9K 11K 78643K 854 0 0 rtable 100 3K 3K 78643K 867 0 0 ifaddr 56 13K 14K 78643K 273 0 0 counters 19 16K 16K 78643K 19 0 0 ioctlops 0 0K 2K 78643K 58 0 0 iov 0 0K 28K 78643K 339 0 0 mount 1 1K 1K 78643K 1 0 0 vnodes 1196 75K 76K 78643K 1830 0 0 UFS quota 1 32K 32K 78643K 1 0 0 UFS mount 5 36K 36K 78643K 5 0 0 shm 2 1K 5K 78643K 13 0 0 VM map 2 0K 0K 78643K 2 0 0 sem 12 0K 
1K 78643K 166 0 0 dirhash 12 2K 2K 78643K 12 0 0 ACPI 1793 195K 288K 78643K 12537 0 0 file desc 5 13K 25K 78643K 1186 0 0 sigio 0 0K 0K 78643K 30 0 0 proc 42 30K 54K 78643K 670 0 0 subproc 64 65538K 67586K 78643K 578 0 0 NFS srvsock 1 0K 0K 78643K 1 0 0 NFS daemon 1 16K 16K 78643K 1 0 0 ip_moptions 0 0K 0K 78643K 103 0 0 in_multi 33 2K 2K 78643K 230 0 0 ether_multi 1 0K 0K 78643K 4 0 0 mrt 0 0K 0K 78643K 1 0 0 ISOFS mount 1 32K 32K 78643K 1 0 0 MSDOSFS mount 1 16K 16K 78643K 1 0 0 ttys 36 159K 159K 78643K 36 0 0 exec 0 0K 1K 78643K 380 0 0 pagedep 1 8K 8K 78643K 1 0 0 inodedep 1 32K 32K 78643K 1 0 0 newblk 1 0K 0K 78643K 1 0 0 VM swap 7 26K 26K 78643K 7 0 0 UVM amap 73 20K 22K 78643K 3809 0 0 UVM aobj 49 4K 4K 78643K 59 0 0 memdesc 1 4K 4K 78643K 1 0 0 crypto data 1 1K 1K 78643K 1 0 0 ip6_options 0 0K 0K 78643K 42 0 0 NDP 13 0K 0K 78643K 93 0 0 temp 162 2355K 2423K 78643K 7000 0 0 kqueue 0 0K 0K 78643K 4 0 0 SYN cache 2 16K 16K 78643K 2 0 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 19 0 15 1 0 1 1 0 8 0 inpcbpl 280 636 0 629 1 0 1 1 0 8 0 plimitpl 152 68 0 61 1 0 1 1 0 8 0 rtentry 112 176 0 136 2 0 2 2 0 8 0 syncache 264 4 0 4 1 1 0 1 0 8 0 tcpcb 544 293 0 289 1 0 1 1 0 8 0 nd6 48 34 0 30 1 0 1 1 0 8 0 ppxss 1128 30 0 30 5 5 0 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 834 0 644 12 0 12 12 0 8 0 art_table 32 835 0 644 2 0 2 2 0 8 0 art_node 16 175 0 141 1 0 1 1 0 8 0 sysvmsgpl 40 28 0 15 1 0 1 1 0 8 0 semapl 112 164 0 154 1 0 1 1 0 8 0 shmpl 112 57 0 10 2 0 2 2 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino1pl 128 3393 0 1950 47 0 47 47 0 8 0 ffsino 240 3393 0 1950 85 0 85 85 0 8 0 nchpl 144 5394 0 3745 62 0 62 62 0 8 0 uvmvnodes 72 3772 0 0 69 0 69 69 0 8 0 vnodes 200 3772 0 0 199 0 199 199 0 8 0 namei 1024 16864 0 16864 2 1 1 1 0 8 1 scxspl 192 28362 0 28362 8 7 1 6 0 8 1 sigapl 432 1311 0 1298 2 0 2 2 0 8 0 futexpl 56 19186 0 19186 1 0 1 1 0 8 1 knotepl 112 568 0 549 1 0 1 1 0 8 0 kqueuepl 
104 318 0 316 1 0 1 1 0 8 0 pipepl 112 850 0 831 3 2 1 2 0 8 0 fdescpl 424 1312 0 1298 2 0 2 2 0 8 0 filepl 120 9249 0 9154 5 1 4 5 0 8 1 lockfpl 104 591 0 590 2 1 1 1 0 8 0 lockfspl 32 228 0 227 2 1 1 1 0 8 0 sessionpl 112 32 0 22 1 0 1 1 0 8 0 pgrppl 48 44 0 34 1 0 1 1 0 8 0 ucredpl 96 1739 0 1732 1 0 1 1 0 8 0 zombiepl 144 1298 0 1298 2 1 1 1 0 8 1 processpl 840 1327 0 1298 4 0 4 4 0 8 0 procpl 600 2792 0 2755 4 0 4 4 0 8 1 sosppl 128 18 0 18 4 3 1 1 0 8 1 sockpl 384 1379 0 1362 4 1 3 4 0 8 1 mcl64k 65536 6183 0 6183 64 57 7 33 0 8 7 mcl16k 16384 2 0 2 2 2 0 1 0 8 0 mcl12k 12288 18 0 18 4 3 1 1 0 8 1 mcl9k 9216 16 0 16 4 4 0 1 0 8 0 mcl8k 8192 13 0 13 4 3 1 1 0 8 1 mcl4k 4096 79 0 79 3 2 1 1 0 8 1 mcl2k2 2112 6 0 6 3 2 1 1 0 8 1 mcl2k 2048 49034 0 49002 13 8 5 11 0 8 0 mtagpl 80 2 0 2 1 1 0 1 0 8 0 mbufpl 256 98306 0 98215 62 50 12 43 0 8 0 bufpl 256 15523 0 9811 358 0 358 358 0 8 0 anonpl 16 262911 0 255691 69 25 44 52 0 62 1 amapchunkpl 152 6561 0 6481 17 12 5 13 0 158 1 amappl16 192 13623 0 13154 61 35 26 37 0 8 1 amappl15 184 521 0 514 1 0 1 1 0 8 0 amappl14 176 74 0 73 2 1 1 1 0 8 0 amappl13 168 403 0 399 1 0 1 1 0 8 0 amappl12 160 24 0 22 1 0 1 1 0 8 0 amappl11 152 241 0 230 1 0 1 1 0 8 0 amappl10 144 283 0 281 2 1 1 1 0 8 0 amappl9 136 711 0 707 1 0 1 1 0 8 0 amappl8 128 286 0 270 1 0 1 1 0 8 0 amappl7 120 243 0 234 1 0 1 1 0 8 0 amappl6 112 277 0 271 1 0 1 1 0 8 0 amappl5 104 197 0 188 1 0 1 1 0 8 0 amappl4 96 1586 0 1558 2 1 1 2 0 8 0 amappl3 88 167 0 160 1 0 1 1 0 8 0 amappl2 80 10686 0 10637 2 0 2 2 0 8 0 amappl1 72 33347 0 32935 26 17 9 19 0 8 0 amappl 72 3127 0 3095 1 0 1 1 0 75 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma64 64 259 0 259 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 17 0 17 1 1 0 1 0 8 0 aobjpl 64 58 0 10 1 0 1 1 0 8 0 uaddrrnd 24 1312 0 1298 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 1312 0 1298 1 0 1 1 0 8 0 vmmpekpl 168 12977 0 12957 2 0 2 2 0 8 0 vmmpepl 168 155009 0 153621 120 42 78 
93 0 357 15 vmsppl 264 1311 0 1298 3 2 1 2 0 8 0 pdppl 4096 2630 0 2596 6 1 5 6 0 8 0 pvpl 32 632518 0 622104 224 79 145 206 0 265 42 pmappl 192 1311 0 1298 1 0 1 1 0 8 0 extentpl 40 39 0 25 1 0 1 1 0 8 0 phpool 112 618 0 126 16 0 16 16 0 8 0