*cpu0: uvm_fault(0xfffffd80664c63f8, 0x0, 0, 1) -> e ddb{1}> trace proc_trampoline() at proc_trampoline+0xc7 end of kernel end trace frame: 0x73819c4acd10, count: -1 ddb{1}> show registers rdi 0 rsi 0 rbp 0xffff80002a383830 rbx 0 rdx 0 rcx 0xffff80003c457cc0 rax 0x2a r8 0xffff80002a383760 r9 0 r10 0x3ae00e27d9125e3d r11 0xb51b0490d6df5866 r12 0 r13 0 r14 0 r15 0 rip 0xffffffff8189c4c7 proc_trampoline+0xc7 cs 0x8 rflags 0x246 rsp 0xffff80002a3837b0 ss 0 proc_trampoline+0xc7: movl $0,%gs:0x688 ddb{1}> show proc PROC (syz-executor) tid=415910 pid=5335 tcnt=1 stat=onproc flags process=0 proc=0 runpri=50, usrpri=50, slppri=17, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80002a324fe8,0xffffffff83893598 process=0xffff80002a2b6230 user=0xffff80002a37e000, vmspace=0xfffffd806817d020 estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND * 5335 415910 95627 0 7 0 syz-executor 53881 436630 4888 0 3 0x80 nanoslp syz-executor 53881 461598 4888 0 3 0x4000080 kqread syz-executor 53881 400869 4888 0 3 0x4000080 fsleep syz-executor 41768 15340 56284 0 3 0x80 nanoslp syz-executor 41768 147312 56284 0 3 0x4000080 kqread syz-executor 41768 364351 56284 0 3 0x4000080 fsleep syz-executor 41768 154756 56284 0 3 0x4000080 fsleep syz-executor 59297 381814 17929 0 3 0x80 nanoslp syz-executor 59297 436378 17929 0 3 0x4000080 kqpoll syz-executor 59297 129973 17929 0 3 0x4000080 fsleep syz-executor 63425 516962 0 0 3 0x14200 acct acct 95627 355459 70122 0 3 0x82 nanoslp syz-executor 4888 506831 70122 0 3 0x82 nanoslp syz-executor 11860 426818 70122 0 2 0x2 syz-executor 591 358315 70122 0 2 0x2 syz-executor 6265 6084 70122 0 3 0x82 wait syz-executor 56284 417066 70122 0 3 0x82 nanoslp syz-executor 6768 244573 1 0 3 0x100083 ttyin getty 26434 322587 70122 0 3 0x82 nanoslp syz-executor 17929 308202 70122 0 3 0x82 nanoslp syz-executor 91431 477954 0 0 3 0x14200 bored sosplice 70122 415038 82807 0 2 0x2 syz-executor 82807 2398 38237 0 3 0x10008a sigsusp ksh 38237 385625 4059 0 3 0x98 kqread sshd-session 4059 395566 97835 0 3 0x92 kqread sshd-session 97835 405990 1 0 3 0x88 kqread sshd 15308 497349 86791 74 3 0x1100092 bpf pflogd 86791 89539 1 0 3 0x80 sbwait pflogd 91658 319177 37397 73 3 0x1100090 kqread syslogd 37397 171801 1 0 3 0x100082 sbwait syslogd 94740 61152 1 0 3 0x100080 kqread resolvd 21637 155787 0 0 3 0x14200 bored smr 94658 505364 0 0 2 0x14200 zerothread 18889 308006 0 0 3 0x14200 aiodoned aiodoned 21710 99094 0 0 3 0x14200 syncer update 44142 242971 0 0 3 0x14200 cleaner cleaner 81912 134561 0 0 3 0x14200 reaper reaper 46010 97457 0 0 3 0x14200 pgdaemon pagedaemon 33528 231999 0 0 3 0x14200 bored viomb 28025 385689 0 0 3 0x40014200 acpi0 acpi0 66172 345103 0 0 3 0x40014200 idle1 9095 393559 0 0 3 0x14200 bored softnet7 29564 435622 0 0 3 0x14200 bored softnet6 89653 518345 0 0 3 0x14200 bored softnet5 16523 406784 0 0 3 0x14200 bored softnet4 56269 364639 0 0 3 0x14200 bored softnet3 13897 190153 0 0 3 0x14200 bored softnet2 30788 396767 0 0 3 0x14200 bored softnet1 50443 233064 0 0 3 0x14200 bored softnet0 72074 10756 0 0 3 0x14200 bored systqmp 64846 507248 0 0 3 0x14200 bored systq 49024 372802 0 0 3 0x14200 tmoslp softclockmp 17991 157040 0 0 3 0x40014200 tmoslp softclock 62396 93156 0 0 3 0x40014200 idle0 1 338092 0 0 3 0x82 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb{1}> show all locks CPU 1: exclusive mutex &(curpg)->mdpage.pv_mtx r = 0 (0xfffffd8008072530) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 mtx_enter_try+0x1ad sys/kern/kern_lock.c:311 #2 mtx_enter+0x62 sys/kern/kern_lock.c:261 #3 pmap_enter+0x86c pmap_enter_pv sys/arch/amd64/amd64/pmap.c:1094 [inline] #3 pmap_enter+0x86c sys/arch/amd64/amd64/pmap.c:2881 #4 uvm_fault_upper_lookup+0x337 sys/uvm/uvm_fault.c:-1 #5 uvm_fault+0x159 sys/uvm/uvm_fault.c:682 #6 upageflttrap+0xa9 sys/arch/amd64/amd64/trap.c:192 #7 usertrap+0x3c6 sys/arch/amd64/amd64/trap.c:605 #8 recall_trap+0x8 exclusive mutex &pmap->pm_mtx r = 0 (0xfffffd8068995610) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 mtx_enter_try+0x1ad sys/kern/kern_lock.c:311 #2 mtx_enter+0x62 sys/kern/kern_lock.c:261 #3 pmap_enter+0x24b rcr3 sys/arch/amd64/compile/SYZKALLER/obj/machine/cpufunc.h:139 [inline] #3 pmap_enter+0x24b pmap_map_ptes sys/arch/amd64/amd64/pmap.c:437 [inline] #3 pmap_enter+0x24b sys/arch/amd64/amd64/pmap.c:2770 #4 uvm_fault_upper_lookup+0x337 sys/uvm/uvm_fault.c:-1 #5 uvm_fault+0x159 sys/uvm/uvm_fault.c:682 #6 upageflttrap+0xa9 sys/arch/amd64/amd64/trap.c:192 #7 usertrap+0x3c6 sys/arch/amd64/amd64/trap.c:605 #8 recall_trap+0x8 Process 5335 (syz-executor) thread 0xffff80003c457cc0 (415910) Process 11860 (syz-executor) thread 0xffff80002a325518 (426818) ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10259 11197K 12116K 166960K 18789 0 pcb 17 22K 26K 166960K 2144 0 rtable 178 13K 15K 166960K 1360 0 pf 33 17K 21K 166960K 633 0 ifaddr 30 8K 11K 166960K 406 0 ifgroup 54 2K 3K 166960K 826 0 sysctl 4 1K 9K 166960K 73 0 counters 66 36K 39K 166960K 828 0 ioctlops 0 0K 4K 166960K 2944 0 iov 0 0K 32K 166960K 524 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1466 92K 93K 166960K 6438 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 96K 104K 166960K 45 0 VM map 2 1K 1K 166960K 2 0 sem 27 52K 84K 166960K 153 0 dirhash 12 2K 2K 166960K 129 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 16 57K 240K 166960K 7142 0 sigio 1 0K 0K 166960K 213 0 proc 67 83K 164K 166960K 1574 0 subproc 72 4K 4K 166960K 207 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 972 0 in_multi 43 3K 7K 166960K 455 0 ether_multi 1 0K 0K 166960K 75 0 mrt 1 0K 0K 166960K 30 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 265 1182K 1182K 166960K 265 0 exec 0 0K 1K 166960K 1960 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 47 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 223 140K 180K 166960K 63899 0 UVM aobj 104 8K 8K 166960K 120 0 pinsyscall 35 70K 104K 166960K 8526 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 2 0K 0K 166960K 632 0 NDP 11 0K 2K 166960K 316 0 temp 86 8652K 8908K 166960K 361006 0 kqueue 9 16K 33K 166960K 1356 0 SYN cache 2 8K 16K 166960K 3 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 120 743 0 738 6 5 1 3 0 8 0 rtentry 176 401 0 347 6 1 5 5 0 8 0 unpcb 144 5881 0 5869 32 29 3 6 0 8 2 syncache 336 9 0 9 6 5 1 1 0 8 1 tcpqe 32 5 0 5 4 3 1 1 0 8 1 tcpcb 736 2779 0 2772 52 45 7 13 0 8 6 arp 128 57 0 47 1 0 1 1 0 8 0 ipq 40 1 0 1 1 1 0 1 0 8 0 ipqe 40 2 0 2 1 1 0 1 0 8 0 inpcb 328 9199 0 9192 90 81 9 15 0 8 8 nd6 144 67 0 60 1 0 1 1 0 8 0 pkpcb 40 156 0 156 9 8 1 1 0 8 1 kcovpl 48 22 0 14 1 0 1 1 0 8 0 mppekey 1024 3 0 3 2 2 0 1 0 8 0 ppxss 1192 285 0 285 7 6 1 1 0 8 1 pppxif 1504 33 0 33 9 8 1 1 0 8 1 pffrag 232 45 0 27 2 0 2 2 0 482 0 pffrnode 88 38 0 23 1 0 1 1 0 8 0 pffrent 40 137 0 118 1 0 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfstitem 24 405 0 250 2 0 2 2 0 8 0 pfstkey 128 405 0 250 6 0 6 6 0 8 0 pfstate 384 405 0 250 17 0 17 17 0 8 0 pfrule 1344 23 0 18 2 1 1 2 0 8 0 rttmr 136 4 0 4 4 4 0 1 0 8 0 art_heap8 4096 7 0 2 7 1 6 7 0 8 1 art_heap4 256 1543 0 1326 38 14 24 28 0 8 2 art_table 40 1550 0 1328 5 1 4 5 0 8 0 art_node 32 391 0 349 1 0 1 1 0 8 0 sysvmsgpl 40 40 0 36 1 0 1 1 0 8 0 semupl 112 18 0 18 1 1 0 1 0 8 0 semapl 112 138 0 113 1 0 1 1 0 8 0 shmpl 112 117 0 16 3 0 3 3 0 8 0 dirhash 1024 96 0 79 3 0 3 3 0 8 0 dino2pl 256 15138 0 13594 97 0 97 97 0 8 0 ffsino 296 15138 0 13594 120 0 120 120 0 8 0 nchpl 144 24914 0 24346 65 38 27 65 0 8 0 rtmask 32 57 0 57 9 8 1 1 0 8 1 uvmvnodes 80 5387 0 0 110 0 110 110 0 8 0 vnodes 216 5387 0 0 300 0 300 300 0 8 0 namei 1024 96485 0 96485 6 5 1 2 0 8 1 percpumem 16 429 0 381 1 0 1 1 0 8 0 kstatmem 264 548 0 520 5 2 3 4 0 8 0 acpiwqpl 32 2 0 2 1 0 1 1 1 8 1 scsiplug 72 30 0 30 10 9 1 1 0 8 1 scxspl 216 177156 0 177156 23 21 2 8 1 8 2 plimitpl 152 1910 0 1894 1 0 1 1 0 8 0 sigapl 424 7399 0 7348 10 1 9 9 0 8 1 knotepl 120 828 0 0 22 0 22 22 0 8 0 kqueuepl 224 3190 0 3177 33 28 5 5 0 8 4 pipepl 344 1071 0 1044 24 21 3 12 0 8 0 fdescpl 528 7306 0 7279 3 0 3 3 0 8 0 filepl 160 59131 0 58909 72 56 16 20 0 8 4 lockfpl 104 3889 0 3887 5 3 2 2 0 8 1 lockfspl 48 1250 0 1248 1 0 1 1 0 8 0 sessionpl 144 39 0 31 1 0 1 1 0 8 0 pgrppl 48 179 0 163 1 0 1 1 0 8 0 ucredpl 104 11355 0 11344 1 0 1 1 0 8 0 zombiepl 144 8505 0 8503 1 0 1 1 0 8 0 processpl 1248 7399 0 7348 7 2 5 6 0 8 0 procpl 664 18909 0 18851 12 4 8 8 0 8 0 sosppl 168 35 0 35 12 11 1 1 0 8 1 sockpl 752 16338 0 16314 155 145 10 21 0 8 7 mcl64k 65536 19 0 0 3 0 3 3 0 8 0 mcl16k 16384 6 0 0 1 0 1 1 0 8 0 mcl12k 12288 2 0 0 1 0 1 1 0 8 0 mcl9k 9216 1 0 0 1 0 1 1 0 8 0 mcl8k 8192 53 0 0 7 5 2 7 0 8 0 mcl4k 4096 121 0 0 15 0 15 15 0 8 0 mcl2k2 2112 1 0 0 1 0 1 1 0 8 0 mcl2k 2048 157 0 0 11 3 8 8 0 8 0 mtagpl 96 97 0 0 3 0 3 3 0 8 0 mbufpl 256 1384 0 0 81 0 81 81 0 8 0 bufpl 280 76735 0 70591 440 0 440 440 0 8 0 anonpl 32 18189 0 0 146 0 146 146 0 246 0 amapchunkpl 152 227686 0 227074 94 62 32 44 0 158 2 amappl16 200 26534 0 26352 121 98 23 41 0 8 4 amappl15 192 14 0 14 4 4 0 1 0 8 0 amappl14 184 156 0 146 1 0 1 1 0 8 0 amappl13 176 7 0 7 3 3 0 1 0 8 0 amappl12 168 8189 0 8163 3 1 2 2 0 8 0 amappl11 160 51 0 42 1 0 1 1 0 8 0 amappl10 152 6 0 6 1 1 0 1 0 8 0 amappl9 144 250 0 250 1 1 0 1 0 8 0 amappl8 136 26 0 23 1 0 1 1 0 8 0 amappl7 128 139 0 130 1 0 1 1 0 8 0 amappl6 120 344 0 340 1 0 1 1 0 8 0 amappl5 112 198 0 191 1 0 1 1 0 8 0 amappl4 104 350 0 328 1 0 1 1 0 8 0 amappl3 96 47731 0 47630 5 1 4 4 0 8 0 amappl2 88 987 0 939 2 0 2 2 0 8 0 amappl1 80 37490 0 36984 16 1 15 15 0 8 0 amappl 88 61688 0 61522 5 0 5 5 0 92 0 dma65536 65536 1 0 1 1 1 0 1 0 8 0 dma32768 32768 1 0 1 1 1 0 1 0 8 0 dma16384 16384 1 0 1 1 1 0 1 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma2048 2048 1 0 1 1 1 0 1 0 8 0 dma1024 1024 2 0 1 1 0 1 1 0 8 0 dma512 512 3 0 3 3 3 0 1 0 8 0 dma256 256 8 0 8 3 3 0 1 0 8 0 dma128 128 265 0 265 8 7 1 1 0 8 1 dma64 64 10 0 10 5 5 0 1 0 8 0 dma32 32 9 0 9 3 3 0 1 0 8 0 dma16 16 19 0 18 1 0 1 1 0 8 0 aobjpl 72 119 0 16 2 0 2 2 0 8 0 uaddrrnd 24 7306 0 7279 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 7306 0 7279 1 0 1 1 0 8 0 vmmpekpl 168 49925 0 49854 4 0 4 4 0 8 0 vmmpepl 168 455388 0 453557 166 66 100 127 0 357 0 vmsppl 488 7305 0 7279 6 1 5 5 0 8 0 rwobjpl 80 116411 0 109947 158 18 140 147 0 8 0 pdppl 4096 14620 0 14558 132 66 66 84 0 8 4 pvpl 32 25926 0 0 208 0 208 208 0 265 0 pmappl 256 7305 0 7279 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 476 0 157 10 0 10 10 0 8 0 ddb{1}> machine ddbcpu 0 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffffffff83785ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 x86_bus_space_io_read_1(3f8,5) at x86_bus_space_io_read_1+0x37 sys/arch/amd64/amd64/bus_space.c:654 comcnputc(800,20) at comcnputc+0x250 comcn_read_reg sys/dev/ic/com.c:1655 [inline] comcnputc(800,20) at comcnputc+0x250 sys/dev/ic/com.c:1269 cnputc(20) at cnputc+0x67 sys/dev/cons.c:218 db_putchar(65) at db_putchar+0x126 db_force_whitespace sys/ddb/db_output.c:102 [inline] db_putchar(65) at db_putchar+0x126 sys/ddb/db_output.c:153 kprintf() at kprintf+0x29a5 sys/kern/subr_prf.c:-1 db_printf(ffffffff83313232) at db_printf+0x9b sys/kern/subr_prf.c:-1 fault(ffffffff833d3d7f) at fault+0xa7 sys/arch/amd64/amd64/trap.c:161 kpageflttrap(ffff80002a342c10,0) at kpageflttrap+0x37d sys/arch/amd64/amd64/trap.c:296 kerntrap(ffff80002a342c10) at kerntrap+0x198 sys/arch/amd64/amd64/trap.c:491 alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b dt_ioctl_record_stop(ffff8000016c3000) at dt_ioctl_record_stop+0x108 sys/dev/dt/dt_dev.c:586 end trace frame: 0xffff80002a342d40, count: 0 ddb{0}> trace x86_ipi_db(ffffffff83785ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 x86_bus_space_io_read_1(3f8,5) at x86_bus_space_io_read_1+0x37 sys/arch/amd64/amd64/bus_space.c:654 comcnputc(800,20) at comcnputc+0x250 comcn_read_reg sys/dev/ic/com.c:1655 [inline] comcnputc(800,20) at comcnputc+0x250 sys/dev/ic/com.c:1269 cnputc(20) at cnputc+0x67 sys/dev/cons.c:218 db_putchar(65) at db_putchar+0x126 db_force_whitespace sys/ddb/db_output.c:102 [inline] db_putchar(65) at db_putchar+0x126 sys/ddb/db_output.c:153 kprintf() at kprintf+0x29a5 sys/kern/subr_prf.c:-1 db_printf(ffffffff83313232) at db_printf+0x9b sys/kern/subr_prf.c:-1 fault(ffffffff833d3d7f) at fault+0xa7 sys/arch/amd64/amd64/trap.c:161 kpageflttrap(ffff80002a342c10,0) at kpageflttrap+0x37d sys/arch/amd64/amd64/trap.c:296 kerntrap(ffff80002a342c10) at kerntrap+0x198 sys/arch/amd64/amd64/trap.c:491 alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b dt_ioctl_record_stop(ffff8000016c3000) at dt_ioctl_record_stop+0x108 sys/dev/dt/dt_dev.c:586 dtclose(11e5f,1,2000,ffff80002a324fe8) at dtclose+0x109 dt_pcb_purge sys/dev/dt/dt_dev.c:-1 [inline] dtclose(11e5f,1,2000,ffff80002a324fe8) at dtclose+0x109 sys/dev/dt/dt_dev.c:232 spec_close(ffff80002a342dc0) at spec_close+0x466 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd8067b9f700,1,fffffd80097fb478,ffff80002a324fe8) at VOP_CLOSE+0x132 sys/kern/vfs_vops.c:156 vn_closefile(fffffd806fe71980,ffff80002a324fe8) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd806fe71980,ffff80002a324fe8) at vn_closefile+0x12b sys/kern/vfs_vnops.c:615 fdrop(fffffd806fe71980,ffff80002a324fe8) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd806fe71980,ffff80002a324fe8) at closef+0x192 sys/kern/kern_descrip.c:1264 fdfree(ffff80002a324fe8) at fdfree+0x116 sys/kern/kern_descrip.c:1195 exit1(ffff80002a324fe8,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80002a324fe8,ffff80002a343130,ffff80002a343080) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80002a343130) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80002a343130) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x782c4cfb7d10, count: -25 ddb{0}> machine ddbcpu 1 Stopped at proc_trampoline+0xc7: movl $0,%gs:0x688 proc_trampoline() at proc_trampoline+0xc7 end of kernel end trace frame: 0x73819c4acd10, count: 14 ddb{1}> trace proc_trampoline() at proc_trampoline+0xc7 end of kernel end trace frame: 0x73819c4acd10, count: -1