panic: handle_workitem_remove: file ino 73 negative i_nlink -1 cpuid = 0 time = 3 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe0056c447d0 kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe0056c44930 vpanic() at vpanic+0x257/frame 0xfffffe0056c44af0 panic() at panic+0xb5/frame 0xfffffe0056c44bb0 handle_workitem_remove() at handle_workitem_remove+0xd45/frame 0xfffffe0056c44cf0 process_worklist_item() at process_worklist_item+0x525/frame 0xfffffe0056c44e40 softdep_process_worklist() at softdep_process_worklist+0xfd/frame 0xfffffe0056c44e90 softdep_flush() at softdep_flush+0x1a4/frame 0xfffffe0056c44ef0 fork_exit() at fork_exit+0xcc/frame 0xfffffe0056c44f30 fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0056c44f30 --- trap 0, rip = 0, rsp = 0, rbp = 0 --- KDB: enter: panic [ thread pid 14 tid 100093 ] Stopped at kdb_enter+0x6e: movq $0,0x25c45c7(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xfffffe0002bf1850 rdx 0 rbx 0xffffffff827cb4c0 .str.27 rsp 0xfffffe0056c44910 rbp 0xfffffe0056c44930 rsi 0 rdi 0xffffffff81614a99 printf+0x149 r8 0 r9 0xffffffff r10 0x5000000000fe5 r11 0x17 r12 0xfffffe00540b2000 r13 0xfffffffffffffffe r14 0xffffffff827cb4c0 .str.27 r15 0 rip 0xffffffff815fe5ce kdb_enter+0x6e rflags 0x46 kdb_enter+0x6e: movq $0,0x25c45c7(%rip) db> show proc Process 14 (bufdaemon) at 0xfffffe00540055c0: state: NORMAL uid: 0 gids: 0 parent: pid 0 at 0xffffffff83b4d060 ABI: null flag: 0x10000284 flag2: 0 reaper: 0xffffffff83b4d060 reapsubtree: 14 sigparent: 20 vmspace: 0xffffffff83b4e040 (map 0xffffffff83b4e040) (map.pmap 0xffffffff83b4e0e0) (pmap 0xffffffff83b4e150) threads: 3 100079 D psleep 0xffffffff83cbfd60 [bufdaemon] 100082 D - 0xffffffff83001ec0 [bufspacedaemon-0] 100093 Run CPU 0 [/ worker] db> ps pid ppid pgrp uid state wmesg wchan cmd 942 763 763 0 R (threaded) syz-executor 100119 RunQ syz-executor 100311 RunQ syz-executor 941 764 764 0 R (threaded) syz-executor 100105 RunQ syz-executor 100308 S select 0xfffffe00593ebd40 syz-executor 100310 S uwait 0xfffffe0059682700 syz-executor 940 1 764 0 S umtxn 0xfffffe0058259900 syz-executor 937 766 766 0 S (threaded) syz-executor 100242 S nanslp 0xffffffff83ba3c41 syz-executor 100297 S aiowc 0xfffffe00541083e8 syz-executor 100300 S uwait 0xfffffe00584ed080 syz-executor 936 1 766 0 T syz-executor 935 765 765 0 R (threaded) syz-executor 100289 RunQ syz-executor 100296 S select 0xfffffe006e4cc940 syz-executor 100309 RunQ syz-executor 100312 S uwait 0xfffffe00584ec000 syz-executor 927 1 763 0 S uwait 0xfffffe0059683180 syz-executor 920 1 764 0 S uwait 0xfffffe0058259a00 syz-executor 914 1 765 0 S uwait 0xfffffe0059682600 syz-executor 912 1 765 0 S uwait 0xfffffe00584ec100 syz-executor 909 1 766 0 S uwait 0xfffffe00584ec800 syz-executor 907 1 766 0 S uwait 0xfffffe00584ec700 syz-executor 895 1 765 0 S uwait 0xfffffe0058259000 syz-executor 890 1 763 0 S uwait 0xfffffe0059683780 syz-executor 888 1 766 0 S uwait 0xfffffe00584ebd80 syz-executor 880 1 874 0 S uwait 0xfffffe00584eba80 syz-executor 879 1 874 0 S uwait 0xfffffe00584ec200 syz-executor 870 1 423 0 S kqread 0xfffffe00584f0a00 rtsol 818 0 0 0 DL aiordy 0xfffffe00540eb580 [aiod4] 817 0 0 0 DL aiordy 0xfffffe00540ebae0 [aiod3] 816 0 0 0 DL aiordy 0xfffffe00540ec040 [aiod2] 815 0 0 0 DL aiordy 0xfffffe00540ecb00 [aiod1] 813 0 0 0 DL (threaded) [KTLS] 100102 D - 0xfffffe0058568400 [thr_0] 100128 D - 0xfffffe0058568480 [thr_1] 100129 D - 0xffffffff83cb5628 [reclaim_0] 766 762 766 0 S nanslp 0xffffffff83ba3c40 syz-executor 765 762 765 0 S nanslp 0xffffffff83ba3c40 syz-executor 764 762 764 0 S nanslp 0xffffffff83ba3c40 syz-executor 763 762 763 0 S nanslp 0xffffffff83ba3c40 syz-executor 762 760 760 0 S select 0xfffffe0053ffb8c0 syz-executor 760 1 760 0 Ss sigsusp 0xfffffe00540c9b70 csh 16 0 0 0 DL syncer 0xffffffff83cc1820 [syncer] 15 0 0 0 DL vlruwt 0xfffffe0054005060 [vnlru] 14 0 0 0 RL (threaded) [bufdaemon] 100079 D psleep 0xffffffff83cbfd60 [bufdaemon] 100082 D - 0xffffffff83001ec0 [bufspacedaemon-0] 100093 Run CPU 0 [/ worker] 9 0 0 0 DL psleep 0xffffffff83d0acc0 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100077 D psleep 0xffffffff83cf0d88 [dom0] 100080 D launds 0xffffffff83cf0d94 [laundry: dom0] 100081 D umarcl 0xffffffff81de0e10 [uma] 7 0 0 0 DL - 0xffffffff8391c5d8 [rand_harvestq] 6 0 0 0 DL pftm 0xffffffff846579e0 [pf purge] 5 0 0 0 DL waiting 0xffffffff84526700 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100045 D - 0xffffffff838e6340 [doneq0] 100046 D - 0xffffffff838e62c0 [async] 100075 D - 0xffffffff838e6140 [scanner] 3 0 0 0 DL (threaded) [crypto] 100042 D crypto_ 0xffffffff83cec640 [crypto] 100043 D crypto_ 0xfffffe0057d43030 [crypto returns 0] 100044 D crypto_ 0xfffffe0057d43080 [crypto returns 1] 13 0 0 0 DL (threaded) [geom] 100037 D - 0xffffffff83b4c620 [g_event] 100038 D - 0xffffffff83b4c640 [g_up] 100039 D - 0xffffffff83b4c660 [g_down] 2 0 0 0 RL (threaded) [clock] 100031 I [clock (0)] 100032 Run CPU 1 [clock (1)] 12 0 0 0 WL (threaded) [intr] 100013 I [swi6: task queue] 100014 I [swi6: Giant taskq] 100016 I [swi5: fast taskq] 100033 I [swi1: netisr 0] 100034 I [swi1: hpts] 100035 I [swi1: hpts] 100047 I [irq24: virtio_pci0] 100048 I [irq25: virtio_pci0] 100049 I [irq26: virtio_pci0] 100050 I [irq27: virtio_pci0] 100051 I [irq28: virtio_pci1] 100052 I [irq29: virtio_pci1] 100053 I [irq30: virtio_pci1] 100054 I [irq31: virtio_pci1] 100055 I [irq32: virtio_pci1] 100060 I [irq10: virtio_pci2] 100062 I [irq1: atkbd0] 100063 I [irq12: psm0] 100064 I [swi0: uart uart++] 100068 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffffe0007809040 [init] 10 0 0 0 DL audit_w 0xffffffff83ced0e0 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D parked 0xffffffff84c3dff0 [swapper] 100005 D - 0xfffffe000776dd00 [softirq_0] 100006 D - 0xfffffe000776db00 [softirq_1] 100007 D - 0xfffffe000776d900 [if_io_tqg_0] 100008 D - 0xfffffe000776d700 [if_io_tqg_1] 100009 D - 0xfffffe000776d500 [if_config_tqg_0] 100010 D - 0xfffffe00083db100 [kqueue_ctx taskq] 100011 D - 0xfffffe00083db000 [jail_remove taskq] 100012 D - 0xfffffe00083dae00 [bus taskq] 100015 D - 0xfffffe00083da900 [thread taskq] 100017 D - 0xfffffe00083da600 [aiod_kick taskq] 100018 D - 0xfffffe00083da500 [deferred_unmount ta] 100019 D - 0xfffffe00083da400 [inm_free taskq] 100020 D - 0xfffffe00083da300 [in6m_free taskq] 100021 D - 0xfffffe00083da200 [linuxkpi_irq_wq] 100022 D - 0xfffffe00083da100 [linuxkpi_short_wq_0] 100023 D - 0xfffffe00083da100 [linuxkpi_short_wq_1] 100024 D - 0xfffffe00083da100 [linuxkpi_short_wq_2] 100025 D - 0xfffffe00083da100 [linuxkpi_short_wq_3] 100026 D - 0xfffffe00083da000 [linuxkpi_long_wq_0] 100027 D - 0xfffffe00083da000 [linuxkpi_long_wq_1] 100028 D - 0xfffffe00083da000 [linuxkpi_long_wq_2] 100029 D - 0xfffffe00083da000 [linuxkpi_long_wq_3] 100036 D - 0xfffffe00083d9900 [firmware taskq] 100040 D - 0xfffffe0057d47300 [crypto_0] 100041 D - 0xfffffe0057d47300 [crypto_1] 100056 D - 0xfffffe00083dd200 [vtnet0 rxq 0] 100057 D - 0xfffffe0058145500 [vtnet0 txq 0] 100058 D - 0xfffffe0058145400 [vtnet0 rxq 1] 100059 D - 0xfffffe0058145300 [vtnet0 txq 1] 100061 D vtbslp 0xfffffe0057d67400 [virtio_balloon] 100065 D - 0xffffffff827cfba0 [deadlkres] 100069 D - 0xfffffe0057d46e00 [acpi_task_0] 100070 D - 0xfffffe0057d46e00 [acpi_task_1] 100071 D - 0xfffffe0057d46e00 [acpi_task_2] 100073 D - 0xfffffe00083dca00 [mca taskq] 100074 D - 0xfffffe0057d46b00 [CAM taskq] 100076 D - 0xfffffe0058142300 [ipsec_offload] db> show all locks Process 942 (syz-executor) thread 0xfffffe005413c780 (100311) exclusive sx filedesc structure (filedesc structure) r = 0 (0xfffffe00598dfcb0) locked @ /syzkaller/managers/main/kernel/sys/kern/kern_descrip.c:2290 Process 935 (syz-executor) thread 0xfffffe0054134000 (100309) exclusive lockmgr ufs (ufs) r = 0 (0xfffffe007785b3e0) locked @ /syzkaller/managers/main/kernel/sys/kern/vfs_vnops.c:3771 Process 14 (bufdaemon) thread 0xfffffe00540b2000 (100093) exclusive rw SUrw (SUrw) r = 0 (0xfffffe005828dc00) locked @ /syzkaller/managers/main/kernel/sys/ufs/ffs/ffs_softdep.c:10022 exclusive lockmgr ufs (ufs) r = 0 (0xfffffe0059891070) locked @ /syzkaller/managers/main/kernel/sys/kern/vfs_subr.c:3384 db> show malloc Type InUse MemUse Requests pf_hash 6 12804K 6 linker 376 5079K 510 tcp_hpts 7 4801K 7 devbuf 4187 4323K 4212 sysctloid 35104 2068K 35179 vtbuf 24 1968K 46 kobj 330 1320K 494 newblk 36 1033K 1206 vfscache 3 1025K 3 pcb 41 682K 254 inodedep 18 519K 250 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 472K 4 filedesc 43 341K 221 vnet_data 2 224K 2 acpitask 1 224K 1 subproc 137 218K 1035 KTRACE 100 200K 100 acpica 1674 184K 54426 vmem 5 144K 7 tidhash 3 141K 3 pagedep 13 131K 117 tfo_ccache 1 128K 1 IP reass 1 128K 1 sem 4 106K 4 DEVFS1 106 106K 123 gtaskqueue 18 98K 18 bus 997 82K 5063 mtx_pool 3 74K 3 syncache 1 68K 1 NFSD srvcache 3 68K 3 module 521 66K 521 ddb_capture 1 64K 1 temp 32 53K 2247 umtx 336 42K 336 kdtrace 198 41K 1257 shm 2 34K 9 hostcache 1 32K 1 DEVFS3 125 32K 135 msg 4 30K 4 kbdmux 6 28K 6 DEVFS_RULE 56 20K 56 ifaddr 66 19K 68 ufs_mount 4 17K 5 proc 3 17K 3 LRO 16 17K 16 tty 16 16K 16 routetbl 129 16K 409 ithread 90 15K 90 bus-sc 34 15K 1647 eventhandler 163 14K 163 lltable 43 14K 44 ether_multi 157 13K 174 ifnet 7 13K 7 kenv 95 12K 95 kqueue 63 11K 1053 GEOM 49 11K 431 CAM queue 5 11K 1528 rman 82 10K 437 shmfd 4 10K 6 rpc 8 9K 8 in6_multi 66 9K 66 bmsafemap 2 9K 211 devstat 4 9K 4 UART 12 9K 12 ksem 1 8K 1 filemon 1 8K 2 pfs_vncache 1 8K 1 audit_evclass 240 8K 303 taskqueue 69 8K 78 sglist 6 7K 6 CAM DEV 3 6K 510 pfs_nodes 22 6K 22 ufs_dirhash 24 5K 27 UMA 268 5K 268 pf_ifnet 10 5K 19 vt 11 5K 11 memdesc 1 4K 1 MCA 32 4K 32 evdev 4 4K 4 acpisem 28 4K 28 plimit 9 4K 324 sctp_atcl 8 3K 96 cred 12 3K 197 pwddesc 46 3K 949 terminal 11 3K 11 DEVFSP 44 3K 67 acpidev 20 3K 20 hhook 8 3K 10 clone 9 3K 9 uidinfo 3 3K 8 kcovinfo 36 3K 36 local_apic 1 2K 1 io_apic 1 2K 1 ipsec-saq 2 2K 2 ip6ndp 12 2K 14 Unitno 28 2K 52 sctp_ifa 13 2K 14 CAM XPT 22 2K 543 in_multi 6 2K 10 tun 4 2K 4 toponodes 6 2K 6 ipsecpolicy 2 2K 2 proc-args 49 2K 1979 selfd 19 2K 14301 msi 9 2K 9 diradd 9 2K 195 netlink 2 2K 76 sctp_stro 1 1K 3 softdep 1 1K 1 newdirblk 8 1K 99 dirrem 4 1K 176 sahead 1 1K 1 secasvar 1 1K 1 nhops 6 1K 8 vnodemarker 2 1K 22 NFSD session 1 1K 1 CAM periph 4 1K 271 lockf 7 1K 60 CC Mem 7 1K 99 sctp_ifn 6 1K 14 ipsec 3 1K 3 mld 6 1K 6 igmp 6 1K 6 pfil 6 1K 6 BPF 6 1K 18 select 6 1K 45 isadev 6 1K 6 inpcbpolicy 23 1K 437 mount 16 1K 302 pci_link 10 1K 10 osd 12 1K 114 mkdir 5 1K 198 crypto 4 1K 12 frag6 7 1K 10 encap_export_host 12 1K 12 sctp_timw 2 1K 2 sctp_stri 1 1K 2 indirdep 2 1K 174 session 4 1K 36 cdev 2 1K 2 lkpikmalloc 8