panic: vm_object_terminate_single_page: page 0xfffffe00023f3278 does not belong to a queue cpuid = 1 time = 1754858587 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe0056d404f0 kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe0056d40650 vpanic() at vpanic+0x257/frame 0xfffffe0056d40810 panic() at panic+0xb5/frame 0xfffffe0056d408d0 vm_object_terminate_single_page() at vm_object_terminate_single_page+0x210/frame 0xfffffe0056d40910 pctrie_reclaim_resume_cb() at pctrie_reclaim_resume_cb+0xf5/frame 0xfffffe0056d40970 vm_object_terminate() at vm_object_terminate+0x232/frame 0xfffffe0056d40a30 vm_object_deallocate() at vm_object_deallocate+0x617/frame 0xfffffe0056d40b10 vm_map_process_deferred() at vm_map_process_deferred+0x1a0/frame 0xfffffe0056d40b50 vmspace_dofree() at vmspace_dofree+0xfd/frame 0xfffffe0056d40b90 vmspace_exit() at vmspace_exit+0x278/frame 0xfffffe0056d40c50 exit1() at exit1+0x99b/frame 0xfffffe0056d40cf0 sys__exit() at sys__exit+0x28/frame 0xfffffe0056d40d10 amd64_syscall() at amd64_syscall+0x4e2/frame 0xfffffe0056d40f30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0056d40f30 --- syscall (1, FreeBSD ELF64, _exit), rip = 0x3a1f5a, rsp = 0x82070d0b8, rbp = 0x82070d0c0 --- KDB: enter: panic [ thread pid 935 tid 100123 ] Stopped at kdb_enter+0x6e: movq $0,0x25c3f57(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xfffffe0002bf1850 rdx 0 rbx 0xffffffff827cd960 .str.27 rsp 0xfffffe0056d40630 rbp 0xfffffe0056d40650 rsi 0 rdi 0xffffffff81615109 printf+0x149 r8 0 r9 0xffffffff r10 0x1 r11 0x3f r12 0xfffffe0054110780 r13 0xfffffffffffffffd r14 0xffffffff827cd960 .str.27 r15 0 rip 0xffffffff815fec3e kdb_enter+0x6e rflags 0x46 kdb_enter+0x6e: movq $0,0x25c3f57(%rip) db> show proc Process 935 (syz-executor) at 0xfffffe00540f8010: state: NORMAL uid: 0 gids: 0, 5 parent: pid 763 at 0xfffffe00540f9018 ABI: FreeBSD ELF64 flag: 0x10002100 flag2: 0x40000 arguments: ./syz-executor exec reaper: 0xfffffe0007809010 reapsubtree: 1 sigparent: 20 vmspace: 0xffffffff83b4e020 (map 0xffffffff83b4e020) (map.pmap 0xffffffff83b4e0c0) (pmap 0xffffffff83b4e130) threads: 1 100123 Run CPU 1 syz-executor db> ps pid ppid pgrp uid state wmesg wchan cmd 944 765 765 60928 R (threaded) syz-executor 100234 RunQ syz-executor 100241 S uwait 0xfffffe0058504d80 syz-executor 100242 S uwait 0xfffffe00077ef100 syz-executor 100243 S uwait 0xfffffe006e54f100 syz-executor 940 764 764 0 T (threaded) syz-executor 100100 s syz-executor 100227 RunQ syz-executor 100230 D rangelk 0xfffffe006de5d350 syz-executor 939 0 0 0 DL - 0xffffffff83cb3e00 [soaiod4] 938 0 0 0 DL - 0xffffffff83cb3e00 [soaiod3] 937 0 0 0 DL - 0xffffffff83cb3e00 [soaiod2] 936 0 0 0 DL - 0xffffffff83cb3e00 [soaiod1] 935 763 763 0 RE CPU 1 syz-executor 933 0 0 0 DL (threaded) [so_splice] 100114 D - 0xfffffe0058504380 [thr_0] 100218 D - 0xfffffe00585043c0 [thr_1] 925 1 763 0 S uwait 0xfffffe0058287c00 syz-executor 923 1 763 0 S uwait 0xfffffe0058288d00 syz-executor 918 1 918 0 Ss+ ttyin 0xfffffe005829f8b0 getty 917 1 917 0 Ss+ ttyin 0xfffffe00594bf4b0 getty 916 1 916 0 Ss+ ttyin 0xfffffe00594eb4b0 getty 915 1 915 0 Ss+ ttyin 0xfffffe00594ebcb0 getty 913 1 913 0 Ss+ ttyin 0xfffffe0053f720b0 getty 912 1 912 0 Ss+ ttyin 0xfffffe00582ad4b0 getty 911 1 911 0 Ss+ ttyin 0xfffffe0053f728b0 getty 910 1 910 0 Ss+ ttyin 0xfffffe0053f730b0 getty 909 1 909 0 Ss+ ttyin 0xfffffe0053f738b0 getty 881 1 766 0 S uwait 0xfffffe0058287a00 syz-executor 870 778 423 0 S kqread 0xfffffe0053ebe700 rtsol 869 1 763 0 S uwait 0xfffffe00077ef500 syz-executor 857 1 763 0 S uwait 0xfffffe0058288000 syz-executor 826 0 0 0 DL aiordy 0xfffffe0054102558 [aiod4] 825 0 0 0 DL aiordy 0xfffffe0054102ab0 [aiod3] 824 0 0 0 DL aiordy 0xfffffe0054103008 [aiod2] 823 0 0 0 DL aiordy 0xfffffe0054103560 [aiod1] 819 0 0 0 DL (threaded) [KTLS] 100137 D - 0xfffffe006e436300 [thr_0] 100138 D - 0xfffffe006e436380 [thr_1] 100139 D - 0xffffffff83cb5628 [reclaim_0] 814 1 765 0 SV uwait 0xfffffe00077efe80 syz-executor 809 1 766 0 S uwait 0xfffffe00077efd80 syz-executor 778 1 423 0 S wait 0xfffffe00540d6ab0 sh 766 762 766 0 R syz-executor 765 762 765 0 S nanslp 0xffffffff83ba3c01 syz-executor 764 762 764 0 S nanslp 0xffffffff83ba3c00 syz-executor 763 762 763 0 S nanslp 0xffffffff83ba3c01 syz-executor 762 760 760 0 R CPU 0 syz-executor 760 1 760 0 Ss sigsusp 0xfffffe0054005620 csh 16 0 0 0 DL syncer 0xffffffff83cc1820 [syncer] 15 0 0 0 DL vlruwt 0xfffffe000780a018 [vnlru] 14 0 0 0 DL (threaded) [bufdaemon] 100079 D psleep 0xffffffff83cbfd60 [bufdaemon] 100082 D - 0xffffffff83001ec0 [bufspacedaemon-0] 100093 D sdflush 0xfffffe00598f8ce8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83d0ac80 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100077 D psleep 0xffffffff83cf0d48 [dom0] 100080 D launds 0xffffffff83cf0d54 [laundry: dom0] 100081 D umarcl 0xffffffff81de2bf0 [uma] 7 0 0 0 DL - 0xffffffff8391c5d8 [rand_harvestq] 6 0 0 0 DL pftm 0xffffffff843b2bd0 [pf purge] 5 0 0 0 DL waiting 0xffffffff84674700 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100045 D - 0xffffffff838e6340 [doneq0] 100046 D - 0xffffffff838e62c0 [async] 100075 D - 0xffffffff838e6140 [scanner] 3 0 0 0 DL (threaded) [crypto] 100042 D crypto_ 0xffffffff83cec640 [crypto] 100043 D crypto_ 0xfffffe0053efed30 [crypto returns 0] 100044 D crypto_ 0xfffffe0053efed80 [crypto returns 1] 13 0 0 0 DL (threaded) [geom] 100037 D - 0xffffffff83b4c600 [g_event] 100038 D - 0xffffffff83b4c620 [g_up] 100039 D - 0xffffffff83b4c640 [g_down] 2 0 0 0 WL (threaded) [clock] 100031 I [clock (0)] 100032 I [clock (1)] 12 0 0 0 WL (threaded) [intr] 100013 I [swi6: task queue] 100014 I [swi6: Giant taskq] 100016 I [swi5: fast taskq] 100033 I [swi1: netisr 0] 100034 I [swi1: hpts] 100035 I [swi1: hpts] 100047 I [irq24: virtio_pci0] 100048 I [irq25: virtio_pci0] 100049 I [irq26: virtio_pci0] 100050 I [irq27: virtio_pci0] 100051 I [irq28: virtio_pci1] 100052 I [irq29: virtio_pci1] 100053 I [irq30: virtio_pci1] 100054 I [irq31: virtio_pci1] 100055 I [irq32: virtio_pci1] 100060 I [irq10: virtio_pci2] 100062 I [irq1: atkbd0] 100063 I [irq12: psm0] 100064 I [swi0: uart uart++] 100068 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 RLs [init] 10 0 0 0 DL audit_w 0xffffffff83ced0e0 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D parked 0xffffffff84c40ff0 [swapper] 100005 D - 0xfffffe0053ec1100 [softirq_0] 100006 D - 0xfffffe0053ec1000 [softirq_1] 100007 D - 0xfffffe0053ec0e00 [if_io_tqg_0] 100008 D - 0xfffffe0053ec0d00 [if_io_tqg_1] 100009 D - 0xfffffe0053ec0c00 [if_config_tqg_0] 100010 D - 0xfffffe00077d4000 [kqueue_ctx taskq] 100011 D - 0xfffffe00077d3e00 [jail_remove taskq] 100012 D - 0xfffffe00077d3d00 [bus taskq] 100015 D - 0xfffffe00077d3a00 [thread taskq] 100017 D - 0xfffffe00077d3800 [aiod_kick taskq] 100018 D - 0xfffffe00077d3700 [deferred_unmount ta] 100019 D - 0xfffffe00077d3600 [inm_free taskq] 100020 D - 0xfffffe00077d3500 [in6m_free taskq] 100021 D - 0xfffffe00077d3400 [linuxkpi_irq_wq] 100022 D - 0xfffffe00077d3300 [linuxkpi_short_wq_0] 100023 D - 0xfffffe00077d3300 [linuxkpi_short_wq_1] 100024 D - 0xfffffe00077d3300 [linuxkpi_short_wq_2] 100025 D - 0xfffffe00077d3300 [linuxkpi_short_wq_3] 100026 D - 0xfffffe00077d3200 [linuxkpi_long_wq_0] 100027 D - 0xfffffe00077d3200 [linuxkpi_long_wq_1] 100028 D - 0xfffffe00077d3200 [linuxkpi_long_wq_2] 100029 D - 0xfffffe00077d3200 [linuxkpi_long_wq_3] 100036 D - 0xfffffe00077d3000 [firmware taskq] 100040 D - 0xfffffe00077d2e00 [crypto_0] 100041 D - 0xfffffe00077d2e00 [crypto_1] 100056 D - 0xfffffe0057e4be00 [vtnet0 rxq 0] 100057 D - 0xfffffe0057e4bd00 [vtnet0 txq 0] 100058 D - 0xfffffe0057e4bc00 [vtnet0 rxq 1] 100059 D - 0xfffffe0057e4bb00 [vtnet0 txq 1] 100061 D vtbslp 0xfffffe005818a100 [virtio_balloon] 100065 D - 0xffffffff827d2040 [deadlkres] 100069 D - 0xfffffe0059403200 [acpi_task_0] 100070 D - 0xfffffe0059403200 [acpi_task_1] 100071 D - 0xfffffe0059403200 [acpi_task_2] 100073 D - 0xfffffe00077d4100 [mca taskq] 100074 D - 0xfffffe00077d2c00 [CAM taskq] 100076 D - 0xfffffe0059403000 [ipsec_offload] 931 1 766 0 Z syz-executor db> show all locks Process 940 (syz-executor) thread 0xfffffe005409f000 (100227) exclusive lockmgr ufs (ufs) r = 0 (0xfffffe006de5d228) locked @ /syzkaller/managers/main/kernel/sys/kern/vfs_vnops.c:3843 Process 935 (syz-executor) thread 0xfffffe0054110780 (100123) exclusive rw vmobject (vmobject) r = 0 (0xfffffe00540bc7c0) locked @ /syzkaller/managers/main/kernel/sys/vm/vm_object.c:647 Process 762 (syz-executor) thread 0xfffffe00540ca780 (100103) exclusive sleep mutex select mtxpool (select mtxpool) r = 0 (0xfffffe005966bf40) locked @ /syzkaller/managers/main/kernel/sys/kern/sys_generic.c:1897 db> show malloc Type InUse MemUse Requests pf_hash 6 12804K 6 linker 376 5079K 551 tcp_hpts 7 4801K 7 devbuf 4187 4323K 4212 sysctloid 35455 2089K 35530 vtbuf 24 1968K 46 kobj 330 1320K 496 newblk 78 1044K 926 vfscache