login: panic: pipe_destroy_write_buffer: pipe map for 0xfffff80003c1d8e8 contains residual data cpuid = 1 time = 1572261104 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe0024321820 vpanic() at vpanic+0x1c7/frame 0xfffffe0024321890 panic() at panic+0x43/frame 0xfffffe00243218f0 pipe_write() at pipe_write+0x1fd1/frame 0xfffffe00243219c0 dofilewrite() at dofilewrite+0xb0/frame 0xfffffe0024321a10 kern_writev() at kern_writev+0x63/frame 0xfffffe0024321a50 sys_write() at sys_write+0xd1/frame 0xfffffe0024321ac0 amd64_syscall() at amd64_syscall+0x473/frame 0xfffffe0024321bf0 fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe0024321bf0 --- syscall (198, FreeBSD ELF64, nosys), rip = 0x4132ba, rsp = 0x7fffdfffdf38, rbp = 0x3 --- KDB: enter: panic [ thread pid 1074 tid 100666 ] Stopped at kdb_enter+0x67: movq $0,0x1467206(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b ll+0x1a es 0x3b ll+0x1a fs 0x13 gs 0x1b ss 0x28 ll+0x7 rax 0x12 rcx 0x80 ll+0x5f rdx 0xffffffff818746f6 rbx 0 rsp 0xfffffe0024321800 rbp 0xfffffe0024321820 rsi 0 rdi 0 r8 0 r9 0xffffffff r10 0x6066 ll+0x6045 r11 0xfffff800368e2bd0 r12 0xffffffff82068cf0 ddb_dbbe r13 0 r14 0xffffffff81911cfe r15 0xffffffff81911cfe rip 0xffffffff810a96e7 kdb_enter+0x67 rflags 0x86 ll+0x65 kdb_enter+0x67: movq $0,0x1467206(%rip) db> show proc Process 1074 (syz-executor.0) at 0xfffff80036949a60: state: NORMAL uid: 0 gids: 0, 0, 5 parent: pid 773 at 0xfffff80003c18530 ABI: FreeBSD ELF64 arguments: /root/syz-executor.0 reaper: 0xfffff800031ed530 reapsubtree: 1 sigparent: 20 vmspace: 0xfffff80036923000 (map 0xfffff80036923000) (map.pmap 0xfffff800369230d0) (pmap 0xfffff80036923130) threads: 3 100509 s syz-executor.0 100666 Run CPU 1 syz-executor.0 100667 D pipecl 0xfffff80003c1d8e8 syz-executor.0 db> ps pid ppid pgrp uid state wmesg wchan cmd 1074 773 773 0 T (threaded) syz-executor.0 100509 s syz-executor.0 100666 Run CPU 1 syz-executor.0 100667 D pipecl 0xfffff80003c1d8e8 syz-executor.0 803 796 803 0 Ss select 0xfffff800034b05c0 dhclient 800 1 800 0 Ss select 0xfffff8000348ddc0 dhclient 796 788 422 65 S select 0xfffff800031e7dc0 dhclient 788 422 422 0 S wait 0xfffff80003c18000 sh 773 771 773 0 Ss nanslp 0xffffffff824f94e1 syz-executor.0 771 769 769 0 S (threaded) syz-execprog 100082 S uwait 0xfffff800030bf280 syz-execprog 100103 S uwait 0xfffff80003c9e080 syz-execprog 100104 S uwait 0xfffff80003c9e180 syz-execprog 100105 S uwait 0xfffff80003c9e280 syz-execprog 100106 S uwait 0xfffff80003c73800 syz-execprog 100107 S uwait 0xfffff8000373a100 syz-execprog 100108 S uwait 0xfffff8000373a200 syz-execprog 100109 S kqread 0xfffff800031c9900 syz-execprog 100110 S uwait 0xfffff8000373a580 syz-execprog 769 767 769 0 Ss pause 0xfffff800039f9b08 csh 767 680 767 0 Ss select 0xfffff800031e7f40 sshd 746 1 746 0 Ss+ ttyin 0xfffff80003316cb0 getty 745 1 745 0 Ss+ ttyin 0xfffff800033144b0 getty 744 1 744 0 Ss+ ttyin 0xfffff800033148b0 getty 743 1 743 0 Ss+ ttyin 0xfffff80003314cb0 getty 742 1 742 0 Ss+ ttyin 0xfffff800033150b0 getty 741 1 741 0 Ss+ ttyin 0xfffff800033154b0 getty 740 1 740 0 Ss+ ttyin 0xfffff800033158b0 getty 739 1 739 0 Ss+ ttyin 0xfffff80003315cb0 getty 738 1 738 0 Ss+ ttyin 0xfffff800039d04b0 getty 736 1 22 0 S+ piperd 0xfffff80003c298e8 logger 735 734 22 0 S+ nanslp 0xffffffff824f94e0 sleep 734 1 22 0 S+ wait 0xfffff800364c6a60 sh 684 1 684 0 Ss nanslp 0xffffffff824f94e1 cron 680 1 680 0 Ss select 0xfffff800031e8640 sshd 493 1 493 0 Ss select 0xfffff800031e86c0 syslogd 422 1 422 0 Ss wait 0xfffff800039fa000 devd 421 1 421 65 Ss select 0xfffff800034924c0 dhclient 336 1 336 0 Ss select 0xfffff800031e8840 dhclient 333 1 333 0 Ss select 0xfffff800034923c0 dhclient 21 0 0 0 DL vlruwt 0xfffff800039faa60 [vnlru] 20 0 0 0 DL syncer 0xffffffff825cf9b0 [syncer] 19 0 0 0 DL (threaded) [bufdaemon] 100063 D qsleep 0xffffffff825cee58 [bufdaemon] 100068 D - 0xffffffff8200a900 [bufspacedaemon-0] 100079 D sdflush 0xfffff800030864e8 [/ worker] 18 0 0 0 DL psleep 0xffffffff825ea308 [vmdaemon] 17 0 0 0 DL (threaded) [pagedaemon] 100061 D psleep 0xffffffff82616098 [dom0] 100066 D launds 0xffffffff826160a4 [laundry: dom0] 100067 D umarcl 0xffffffff8152b080 [uma] 16 0 0 0 DL - 0xffffffff82355120 [rand_harvestq] 15 0 0 0 DL waiting 0xffffffff8265b670 [sctp_iterator] 9 0 0 0 DL - 0xffffffff825ce85c [soaiod4] 8 0 0 0 DL - 0xffffffff825ce85c [soaiod3] 7 0 0 0 DL - 0xffffffff825ce85c [soaiod2] 6 0 0 0 DL - 0xffffffff825ce85c [soaiod1] 5 0 0 0 DL (threaded) [cam] 100031 D - 0xffffffff822304c0 [doneq0] 100060 D - 0xffffffff82230388 [scanner] 4 0 0 0 DL crypto_ 0xfffff80003320090 [crypto returns 1] 3 0 0 0 DL crypto_ 0xfffff80003320030 [crypto returns 0] 2 0 0 0 DL crypto_ 0xffffffff825e4948 [crypto] 14 0 0 0 DL seqstat 0xfffff80003286c88 [sequencer 00] 13 0 0 0 DL (threaded) [geom] 100022 D - 0xffffffff82614690 [g_event] 100023 D - 0xffffffff826146a0 [g_up] 100024 D - 0xffffffff82614698 [g_down] 12 0 0 0 WL (threaded) [intr] 100005 I [swi6: Giant taskq] 100007 I [swi5: fast taskq] 100011 I [swi6: task queue] 100017 I [swi4: clock (0)] 100018 I [swi4: clock (1)] 100019 I [swi3: vm] 100020 I [swi1: netisr 0] 100032 I [irq24: virtio_pci0] 100033 I [irq25: virtio_pci0] 100034 I [irq26: virtio_pci0] 100035 I [irq27: virtio_pci0] 100036 I [irq28: virtio_pci1] 100037 I [irq29: virtio_pci1] 100038 I [irq30: virtio_pci1] 100039 I [irq31: virtio_pci1] 100040 I [irq32: virtio_pci1] 100045 I [irq1: atkbd0] 100046 I [irq12: psm0] 100047 I [swi0: uart uart++] 11 0 0 0 RL (threaded) [idle] 100003 Run CPU 0 [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffff800031ed530 [init] 10 0 0 0 DL audit_w 0xffffffff8265c300 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D swapin 0xffffffff82603e58 [swapper] 100006 D - 0xfffff800031d7400 [thread taskq] 100008 D - 0xfffff800031e2600 [config_0] 100009 D - 0xfffff800031d7100 [kqueue_ctx taskq] 100010 D - 0xfffff800031d7000 [aiod_kick taskq] 100012 D - 0xfffff800031e2100 [if_config_tqg_0] 100013 D - 0xfffff800031e1e00 [softirq_0] 100014 D - 0xfffff800031e1c00 [softirq_1] 100015 D - 0xfffff800031e1a00 [if_io_tqg_0] 100016 D - 0xfffff800031e1800 [if_io_tqg_1] 100021 D - 0xfffff80003247c00 [firmware taskq] 100026 D - 0xfffff80003247b00 [crypto_0] 100027 D - 0xfffff80003247b00 [crypto_1] 100041 D - 0xfffff80003247500 [vtnet0 rxq 0] 100042 D - 0xfffff80003247400 [vtnet0 txq 0] 100043 D - 0xfffff80003247300 [vtnet0 rxq 1] 100044 D - 0xfffff80003247200 [vtnet0 txq 1] 100048 D - 0xfffff80003246a00 [mca taskq] 100049 D - 0xffffffff824f8260 [deadlkres] 100056 D - 0xfffff80003246900 [acpi_task_0] 100057 D - 0xfffff80003246900 [acpi_task_1] 100058 D - 0xfffff80003246900 [acpi_task_2] 100059 D - 0xfffff80003247a00 [CAM taskq] db> show all locks Process 1074 (syz-executor.0) thread 0xfffff800368e26e0 (100666) exclusive sleep mutex pipe mutex (pipe mutex) r = 0 (0xfffff80003c1dbb8) locked @ /syzkaller/managers/main/kernel/sys/kern/sys_pipe.c:836 db> show malloc Type InUse MemUse Requests devbuf 4206 4793K 4230 vtbuf 24 1968K 46 callout 3 1672K 3 kobj 332 1328K 489 newblk 368 1116K 694 vfscache 4 1025K 4 inodedep 94 559K 351 pcb 22 537K 78 ufs_quota 1 512K 1 vfs_hash 1 512K 1 intr 4 388K 4 subproc 123 237K 1148 acpica 1674 185K 50082 vnet_data 1 168K 1 pagedep 17 132K 294 tfo_ccache 1 128K 1 sysctloid 2096 110K 2158 sem 4 106K 4 DEVFS1 102 102K 113 linker 220 89K 242 bus 957 77K 3149 mtx_pool 2 72K 2 syncache 1 68K 1 UMAHash 3 67K 3 acpitask 1 64K 1 ddb_capture 1 64K 1 module 493 62K 494 filedesc 5 37K 561 BPF 19 36K 19 umtx 272 34K 272 gtaskqueue 22 34K 22 hostcache 1 32K 1 shm 1 32K 1 DEVFS3 121 31K 131 kdtrace 158 31K 2752 msg 4 30K 4 DEVFS_RULE 56 27K 56 kbdmux 6 22K 6 vmem 3 19K 4 temp 22 17K 1662 ufs_mount 3 17K 4 proc 3 17K 3 ifaddr 43 17K 43 tty 16 16K 16 tidhash 1 16K 1 ithread 87 15K 87 bus-sc 28 13K 1286 KTRACE 100 13K 100 kenv 95 12K 99 eventhandler 122 11K 122 pfs_nodes 20 10K 20 GEOM 60 10K 489 rman 80 10K 421 bmsafemap 3 9K 321 devstat 4 9K 4 UART 12 9K 12 rpc 2 8K 2 shmfd 1 8K 1 pfs_vncache 1 8K 1 dirrem 61 8K 300 audit_evclass 230 8K 288 lltable 20 7K 20 cred 28 7K 240 ifnet 4 7K 4 CAM DEV 3 6K 508 ether_multi 73 6K 78 freefile 44 6K 281 vt 11 6K 11 kqueue 52 6K 1079 sglist 5 6K 5 CAM queue 5 6K 1522 in6_multi 41 5K 41 routetbl 37 5K 41 plimit 19 5K 344 ufs_dirhash 24 5K 24 taskqueue 42 5K 42 memdesc 1 4K 1 MCA 32 4K 32 diradd 32 4K 316 evdev 4 4K 4 hhook 13 4K 13 session 23 3K 34 pgrp 23 3K 34 terminal 11 3K 11 acpisem 21 3K 21 select 21 3K 21 uidinfo 4 3K 4 proc-args 44 3K 509 local_apic 1 2K 1 io_apic 1 2K 1 ipsec-saq 2 2K 2 lockf 19 2K 29 CAM XPT 22 2K 542 Unitno 25 2K 39 acpidev 20 2K 20 crypto 2 2K 2 msi 9 2K 9 mkdir 8 1K 566 indirdep 4 1K 4 ipsecpolicy 1 1K 1 sahead 1 1K 1 secasvar 1 1K 1 sctp_ifa 8 1K 8 clone 8 1K 8 cdev 4 1K 4 NFSD session 1 1K 1 ip6ndp 6 1K 9 CAM periph 4 1K 270 in_multi 3 1K 4 toponodes 6 1K 6 isadev 6 1K 6 mount 16 1K 86 pci_link 10 1K 10 CAM SIM 2 1K 2 softdep 1 1K 1 chacha20random 1 1K 1 epoch 4 1K 4 newdirblk 7 1K 283 encap_export_host 8 1K 8 mld 3 1K 3 sctp_ifn 3 1K 3 igmp 3 1K 3 pfil 3 1K 3 tun 4 1K 4 osd 3 1K 9 DEVFSP 5 1K 5 freework 2 1K 298 freeblks 1 1K 297 vnodes 1 1K 1 NFSD lckfile 1 1K 1 NFSD V4client 1 1K 1 DEVFS 9 1K 10 inpcbpolicy 7 1K 145 feeder 7 1K 7 loginclass 3 1K 3 atkbddev 2 1K 2 apmdev 1 1K 1 pmchooks 1 1K 1 prison 4 1K 4 filecaps 5 1K 72 CAM dev queue 2 1K 2 CAM I/O Scheduler 1 1K 1 CAM path 4 1K 1030 soname 4 1K 5670 nexusdev 5 1K 5 tcpfunc 1 1K 1 sctp_vrf 1 1K 1 vnet 1 1K 1 acpiintr 1 1K 1 pmc 1 1K 1 entropy 2 1K 38 cpus 2 1K 2 vnet_data_free 1 1K 1 Per-cpu 1 1K 1 p1003.1b 1 1K 1 ppbusdev 0 0K 0 agtiapi_MemAlloc malloc 0 0K 0 osti_cacheable 0 0K 0 madt_table 0 0K 2 tempbuff 0 0K 0 tempbuff 0 0K 0 smartpqi 0 0K 0 ag_tgt_map_t malloc 0 0K 0 ag_slr_map_t malloc 0 0K 0 lDevFlags * malloc 0 0K 0 tiDeviceHandle_t * malloc 0 0K 0 ag_portal_data_t malloc 0 0K 0 ag_device_t malloc 0 0K 0 STLock malloc 0 0K 0 CCB List 0 0K 0 iavf 0 0K 0 ixl 0 0K 0 sr_iov 0 0K 0 OCS 0 0K 0 OCS 0 0K 0 nvme 0 0K 0 nvd 0 0K 0 netmap 0 0K 0 mwldev 0 0K 0 MVS driver 0 0K 0 fpukern_ctx 0 0K 0 xen_intr 0 0K 0 CAM ccb queue 0 0K 0 xen_hvm 0 0K 0 legacydrv 0 0K 0 qpidrv 0 0K 0 mrsasbuf 0 0K 0 mpt_user 0 0K 0 dmar_idpgtbl 0 0K 0 dmar_dom 0 0K 0 dmar_ctx 0 0K 0 dmar_dmamap 0 0K 0 mps_user 0 0K 0 MPSSAS 0 0K 0 isci 0 0K 0 bxe_ilt 0 0K 0 xenbus 0 0K 0 vm_fictitious 0 0K 0 mps 0 0K 0 mpr_user 0 0K 0 MPRSAS 0 0K 0 vm_pgdata 0 0K 0 jblocks 0 0K 0 savedino 0 0K 238 sentinel 0 0K 0 jfsync 0 0K 0 jtrunc 0 0K 0 sbdep 0 0K 3 jsegdep 0 0K 0 jseg 0 0K 0 jfreefrag 0 0K 0 jfreeblk 0 0K 0 jnewblk 0 0K 0 jmvref 0 0K 0 jremref 0 0K 0 jaddref 0 0K 0 freedep 0 0K 0 freefrag 0 0K 5 allocindir 0 0K 0 allocdirect 0 0K 0 ufs_trim 0 0K 0 mactemp 0 0K 0 audit_trigger 0 0K 0 audit_pipe_presel 0 0K 0 audit_pipeent 0 0K 0 audit_pipe 0 0K 0 audit_evname 0 0K 0 audit_bsm 0 0K 0 audit_gidset 0 0K 0 audit_text 0 0K 0 audit_path 0 0K 0 audit_data 0 0K 0 audit_cred 0 0K 0 xform 0 0K 0 NLM 0 0K 0 nfsclient_nlminfo 0 0K 0 nfsclient_lock 0 0K 0 NFS FHA 0 0K 0 ipsec-spdcache 0 0K 0 ipsec-reg 0 0K 0 ipsec-misc 0 0K 0 ipsecrequest 0 0K 0 ip6opt 0 0K 3 ip6_msource 0 0K 0 ip6_moptions 0 0K 0 in6_mfilter 0 0K 0 frag6 0 0K 0 tcplog 0 0K 0