panic: Memory modified after free ADDR(256) val=ADDR @ ADDR


syzbot

May 1, 2021, 10:49:18 AM
to syzkaller-f...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: a6ca7519 powerpc64: Optimize radix trap handling a little ..
git tree: https://github.com/freebsd/freebsd-src.git main
console output: https://syzkaller.appspot.com/x/log.txt?x=1523c079d00000
dashboard link: https://syzkaller.appspot.com/bug?extid=d627d01a95da99bb5db6
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d627d0...@syzkaller.appspotmail.com

panic: Memory modified after free 0xfffff80030124500(256) val=1005326 @ 0xfffff80030124580

cpuid = 1
time = 1619880516
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe0094972340
vpanic() at vpanic+0x1c7/frame 0xfffffe00949723a0
panic() at panic+0x43/frame 0xfffffe0094972400
trash_ctor() at trash_ctor+0xa8/frame 0xfffffe0094972440
item_ctor() at item_ctor+0x1c8/frame 0xfffffe00949724a0
tcp_m_copym() at tcp_m_copym+0x454/frame 0xfffffe0094972560
tcp_output() at tcp_output+0x23d0/frame 0xfffffe0094972760
tcp_usr_send() at tcp_usr_send+0xabc/frame 0xfffffe0094972840
sosend_generic() at sosend_generic+0x99d/frame 0xfffffe0094972930
sosend() at sosend+0xc6/frame 0xfffffe00949729a0
soo_write() at soo_write+0x62/frame 0xfffffe00949729e0
dofilewrite() at dofilewrite+0xb0/frame 0xfffffe0094972a30
sys_write() at sys_write+0x10c/frame 0xfffffe0094972ab0
amd64_syscall() at amd64_syscall+0x247/frame 0xfffffe0094972bf0
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0094972bf0
--- syscall (4, FreeBSD ELF64, sys_write), rip = 0x80090d1ea, rsp = 0x7fffffffa4b8, rbp = 0x7fffffffa4f0 ---
KDB: enter: panic
[ thread pid 776 tid 100110 ]
Stopped at kdb_enter+0x67: movq $0,0x163acbe(%rip)
db>
db> set $lines = 0
db> set $maxwidth = 0
db> show registers
cs 0x20
ds 0x3b
es 0x3b
fs 0x13
gs 0x1b
ss 0x28
rax 0x12
rcx 0xffffffff811374a0 vprintf+0x140
rdx 0x1
rbx 0
rsp 0xfffffe0094972320
rbp 0xfffffe0094972340
rsi 0
rdi 0xffffffff811374d6 vprintf+0x176
r8 0
r9 0x8080808080808080
r10 0xfffffe0094972210
r11 0x1ff6bfff59c
r12 0xffffffff82267ac0 ddb_dbbe
r13 0
r14 0xffffffff81a7194d
r15 0xffffffff81a7194d
rip 0xffffffff8112e4c7 kdb_enter+0x67
rflags 0x82
kdb_enter+0x67: movq $0,0x163acbe(%rip)
db> show proc
Process 776 (sshd) at 0xfffff8003144f000:
state: NORMAL
uid: 0 gids: 0
parent: pid 694 at 0xfffff8002706c538
ABI: FreeBSD ELF64
flag: 0x10004100 flag2: 0
arguments: sshd: root@notty
reaper: 0xfffff80004512538 reapsubtree: 1
sigparent: 20
vmspace: 0xfffffe0094c03000
(map 0xfffffe0094c03000)
(map.pmap 0xfffffe0094c030c0)
(pmap 0xfffffe0094c03120)
threads: 1
100110 Run CPU 1 sshd
db> ps
pid ppid pgrp uid state wmesg wchan cmd
8792 785 785 0 R syz-executor.0
8791 786 786 0 R syz-executor.1
8790 824 824 0 R (threaded) syz-executor.3
100162 RunQ syz-executor.3
108308 RunQ syz-executor.3
7193 7187 7193 0 Ss select 0xfffff80031c34340 dhclient
7190 1 7190 0 Ss select 0xfffff80031c343c0 dhclient
7187 7180 436 65 S select 0xfffff80031c34140 dhclient
7180 436 436 0 S wait 0xfffff800315c1000 sh
7171 1 7171 65 Ss select 0xfffff80004f362c0 dhclient
5143 1 5143 0 Ss select 0xfffff80031c342c0 dhclient
5140 1 5140 0 Ss select 0xfffff80031e044c0 dhclient
5121 1 5121 65 Ss select 0xfffff80031c34440 dhclient
1124 1 818 0 S uwait 0xfffff80031e04d80 syz-executor.2
1121 1 818 0 S uwait 0xfffff80031e04b00 syz-executor.2
827 1 827 0 Ss select 0xfffff80004f360c0 dhclient
824 780 824 0 Ss nanslp 0xffffffff8273c8e0 syz-executor.3
822 1 822 0 Ss select 0xfffff80004f36140 dhclient
818 780 818 0 Rs syz-executor.2
786 780 786 0 Rs syz-executor.1
785 780 785 0 Rs syz-executor.0
780 778 778 0 R (threaded) syz-fuzzer
100099 RunQ syz-fuzzer
100113 Run nanslp 0xffffffff8273c8e0 syz-fuzzer
100114 RunQ syz-fuzzer
100115 S uwait 0xfffff80027019200 syz-fuzzer
100116 S uwait 0xfffff80004f36580 syz-fuzzer
100117 S uwait 0xfffff80027019900 syz-fuzzer
100118 S uwait 0xfffff80004f36780 syz-fuzzer
100119 S uwait 0xfffff80004f36680 syz-fuzzer
100149 S uwait 0xfffff8003145a900 syz-fuzzer
100150 S uwait 0xfffff8003145a100 syz-fuzzer
778 776 778 0 Ss pause 0xfffff800315c1b20 csh
776 694 776 0 Rs CPU 1 sshd
760 1 760 0 Ss+ ttyin 0xfffff800049c1cb0 getty
759 1 759 0 Ss+ ttyin 0xfffff80004ce28b0 getty
758 1 758 0 Ss+ ttyin 0xfffff80004ce2cb0 getty
757 1 757 0 Ss+ ttyin 0xfffff80004cea0b0 getty
756 1 756 0 Ss+ ttyin 0xfffff80004cea4b0 getty
755 1 755 0 Ss+ ttyin 0xfffff80004cea8b0 getty
754 1 754 0 Ss+ ttyin 0xfffff80004ceacb0 getty
753 1 753 0 Ss+ ttyin 0xfffff80004c5a0b0 getty
752 1 752 0 Ss+ ttyin 0xfffff80004c5a4b0 getty
698 1 698 0 Ss nanslp 0xffffffff8273c8e1 cron
694 1 694 0 Ss select 0xfffff8003145a9c0 sshd
507 1 507 0 Ss select 0xfffff8003145aa40 syslogd
436 1 436 0 Ss wait 0xfffff8002709a000 devd
435 1 435 65 Ss select 0xfffff800049b94c0 dhclient
350 1 350 0 Ss select 0xfffff8003145ab40 dhclient
347 1 347 0 Ss select 0xfffff8003145adc0 dhclient
23 0 0 0 DL vlruwt 0xfffff80004cc7000 [vnlru]
22 0 0 0 DL syncer 0xffffffff8282bd50 [syncer]
21 0 0 0 DL (threaded) [bufdaemon]
100080 D qsleep 0xffffffff8282ae00 [bufdaemon]
100087 D - 0xffffffff8220ae00 [bufspacedaemon-0]
100094 D sdflush 0xfffff80004f41ce8 [/ worker]
20 0 0 0 DL psleep 0xffffffff82852c08 [vmdaemon]
19 0 0 0 DL (threaded) [pagedaemon]
100078 D psleep 0xffffffff82847078 [dom0]
100085 D launds 0xffffffff82847084 [laundry: dom0]
100086 D umarcl 0xffffffff815c7670 [uma]
18 0 0 0 DL - 0xffffffff82570c78 [rand_harvestq]
17 0 0 0 DL waiting 0xffffffff82e3f828 [sctp_iterator]
16 0 0 0 DL pftm 0xffffffff8308d3c0 [pf purge]
15 0 0 0 DL - 0xffffffff8282845c [soaiod4]
9 0 0 0 DL - 0xffffffff8282845c [soaiod3]
8 0 0 0 DL - 0xffffffff8282845c [soaiod2]
7 0 0 0 DL - 0xffffffff8282845c [soaiod1]
6 0 0 0 DL (threaded) [cam]
100043 D - 0xffffffff82448140 [doneq0]
100044 D - 0xffffffff824480c0 [async]
100077 D - 0xffffffff82447f90 [scanner]
14 0 0 0 DL seqstat 0xfffff800045a9888 [sequencer 00]
5 0 0 0 DL crypto_ 0xfffff80004619d80 [crypto returns 1]
4 0 0 0 DL crypto_ 0xfffff80004619d30 [crypto returns 0]
3 0 0 0 DL crypto_ 0xffffffff828445a0 [crypto]
13 0 0 0 DL (threaded) [geom]
100034 D - 0xffffffff8271c120 [g_event]
100035 D - 0xffffffff8271c128 [g_up]
100036 D - 0xffffffff8271c130 [g_down]
2 0 0 0 DL (threaded) [KTLS]
100027 D - 0xfffff8000455d700 [thr_0]
100028 D - 0xfffff8000455d780 [thr_1]
12 0 0 0 WL (threaded) [intr]
100012 I [swi6: task queue]
100016 I [swi6: Giant taskq]
100018 I [swi5: fast taskq]
100029 I [swi1: netisr 0]
100030 I [swi3: vm]
100031 I [swi4: clock (0)]
100032 I [swi4: clock (1)]
100045 I [irq24: virtio_pci0]
100046 I [irq25: virtio_pci0]
100047 I [irq26: virtio_pci0]
100048 I [irq27: virtio_pci0]
100049 I [irq28: virtio_pci1]
100050 I [irq29: virtio_pci1]
100051 I [irq30: virtio_pci1]
100052 I [irq31: virtio_pci1]
100053 I [irq32: virtio_pci1]
100058 I [irq10: virtio_pci2]
100060 I [irq1: atkbd0]
100061 I [irq12: psm0]
100062 I [swi0: uart uart++]
100070 I [swi1: pf send]
100083 I [swi1: hpts]
100084 I [swi1: hpts]
11 0 0 0 RL (threaded) [idle]
100003 CanRun [idle: cpu0]
100004 CanRun [idle: cpu1]
1 0 1 0 SLs wait 0xfffff80004512538 [init]
10 0 0 0 DL audit_w 0xffffffff82844ab0 [audit]
0 0 0 0 DLs (threaded) [kernel]
100000 D swapin 0xffffffff8271c6b0 [swapper]
100005 D - 0xfffff80004144800 [softirq_0]
100006 D - 0xfffff80004144700 [softirq_1]
100007 D - 0xfffff80004144600 [if_io_tqg_0]
100008 D - 0xfffff80004144500 [if_io_tqg_1]
100009 D - 0xfffff80004144400 [if_config_tqg_0]
100010 D - 0xfffff80004561600 [kqueue_ctx taskq]
100011 D - 0xfffff80004561500 [in6m_free taskq]
100013 D - 0xfffff80004561200 [linuxkpi_irq_wq]
100014 D - 0xfffff80004561100 [inm_free taskq]
100015 D - 0xfffff80004561000 [aiod_kick taskq]
100017 D - 0xfffff8000455dc00 [thread taskq]
100019 D - 0xfffff8000455d900 [linuxkpi_short_wq_0]
100020 D - 0xfffff8000455d900 [linuxkpi_short_wq_1]
100021 D - 0xfffff8000455d900 [linuxkpi_short_wq_2]
100022 D - 0xfffff8000455d900 [linuxkpi_short_wq_3]
100023 D - 0xfffff8000455d800 [linuxkpi_long_wq_0]
100024 D - 0xfffff8000455d800 [linuxkpi_long_wq_1]
100025 D - 0xfffff8000455d800 [linuxkpi_long_wq_2]
100026 D - 0xfffff8000455d800 [linuxkpi_long_wq_3]
100033 D - 0xfffff8000455d100 [firmware taskq]
100037 D - 0xfffff80004618e00 [crypto_0]
100038 D - 0xfffff80004618e00 [crypto_1]
100054 D - 0xfffff80004618800 [vtnet0 rxq 0]
100055 D - 0xfffff80004618700 [vtnet0 txq 0]
100056 D - 0xfffff80004618600 [vtnet0 rxq 1]
100057 D - 0xfffff80004618500 [vtnet0 txq 1]
100059 D vtbslp 0xfffff8000495c480 [virtio_balloon]
100063 D - 0xfffff8000495db00 [mca taskq]
100066 D - 0xffffffff81e1e100 [deadlkres]
100072 D - 0xfffff80004c22700 [acpi_task_0]
100073 D - 0xfffff80004c22700 [acpi_task_1]
100074 D - 0xfffff80004c22700 [acpi_task_2]
100076 D - 0xfffff80004618d00 [CAM taskq]
db> show all locks
Process 776 (sshd) thread 0xfffffe0094b86e00 (100110)
exclusive sleep mutex so_snd (so_snd) r = 0 (0xfffff80031526260) locked @ /syzkaller/managers/i386/kernel/sys/netinet/tcp_output.c:355
exclusive rw tcpinp (tcpinp) r = 0 (0xfffff800314b47c0) locked @ /syzkaller/managers/i386/kernel/sys/netinet/tcp_usrreq.c:982
exclusive sx so_snd_sx (so_snd_sx) r = 0 (0xfffff80031526280) locked @ /syzkaller/managers/i386/kernel/sys/kern/uipc_sockbuf.c:467
db> show malloc
Type InUse MemUse Requests
pf_hash 5 11524K 5
devbuf 4216 4340K 4244
tcp_hpts 5 3201K 5
vtbuf 24 1968K 46
sysctloid 31145 1826K 31212
pcb 734 1331K 23099
kobj 332 1328K 492
newblk 11 1027K 8588
vfscache 3 1025K 3
inodedep 836 826K 8086
ufs_quota 1 512K 1
vfs_hash 1 512K 1
callout 2 512K 2
intr 4 472K 4
sctp_stro 352 352K 3185
subproc 141 278K 8872
sctp_atcl 705 265K 14292
dirrem 825 207K 8014
acpica 1674 184K 55406
vnet_data 1 168K 1
filedesc 20 153K 15873
tidhash 3 141K 3
pagedep 10 131K 8022
tfo_ccache 1 128K 1
DEVFS1 106 106K 123
sem 4 106K 4
freefile 825 104K 8011
linker 287 101K 1050
bus 995 81K 3509
mtx_pool 2 72K 2
BPF 38 71K 38
syncache 1 68K 1
acpitask 1 64K 1
ddb_capture 1 64K 1
module 507 64K 507
sctp_atky 1057 45K 17752
umtx 342 43K 342
kdtrace 216 43K 17102
temp 35 33K 3398
hostcache 1 32K 1
shm 1 32K 1
DEVFS3 125 32K 135
msg 4 30K 4
sctp_timw 117 30K 117
vmem 3 26K 4
gtaskqueue 18 26K 18
kbdmux 6 22K 6
DEVFS_RULE 56 20K 56
ifaddr 69 20K 71
ufs_mount 5 17K 6
proc 3 17K 3
routetbl 128 16K 419
tty 16 16K 16
ithread 99 16K 99
bus-sc 33 14K 1719
KTRACE 100 13K 100
lltable 41 13K 48
ifnet 7 13K 7
ether_multi 152 13K 162
kenv 93 12K 93
eventhandler 133 12K 133
sctp_athm 705 12K 14308
sctp_map 704 11K 6370
rman 84 10K 425
GEOM 60 10K 489
in6_multi 65 9K 65
bmsafemap 2 9K 8060
UART 12 9K 12
devstat 4 9K 4
ksem 1 8K 1
rpc 2 8K 2
shmfd 1 8K 24
pfs_vncache 1 8K 1
pfs_nodes 20 8K 20
audit_evclass 236 8K 294
cred 25 7K 452
kqueue 64 7K 8797
sglist 5 7K 5
CAM DEV 3 6K 510
taskqueue 57 6K 57
plimit 23 6K 394
CAM queue 5 6K 1528
DEVFSP 76 5K 80
ufs_dirhash 24 5K 24
UMA 265 5K 265
pf_ifnet 10 5K 19
vt 11 5K 11
memdesc 1 4K 1
MCA 32 4K 32
evdev 4 4K 4
kcovinfo 64 4K 68
session 31 4K 42
pwddesc 62 4K 8793
acpisem 28 4K 28
hhook 13 4K 13
fpukern_ctx 3 3K 3
lockf 28 3K 47
terminal 11 3K 11
proc-args 50 3K 612
selfd 38 3K 133800
uidinfo 4 3K 9
local_apic 1 2K 1
io_apic 1 2K 1
ipsec-saq 2 2K 2
select 16 2K 43
ip6ndp 12 2K 13
sctp_ifa 13 2K 14
Unitno 27 2K 63
CAM XPT 22 2K 543
in_multi 6 2K 8
ipsecpolicy 2 2K 2
acpidev 20 2K 20
msi 9 2K 9
clone 9 2K 9
tun 7 2K 7
freework 5 2K 8013
softdep 1 1K 1
mkdir 8 1K 16012
freeblks 4 1K 8012
sahead 1 1K 1
secasvar 1 1K 1
nhops 6 1K 8
vnodemarker 2 1K 26
NFSD session 1 1K 1
CAM periph 4 1K 271
ipsec 3 1K 3
sctp_ifn 6 1K 14
mld 6 1K 6
igmp 6 1K 6
toponodes 6 1K 6
isadev 6 1K 6
mount 16 1K 89
pci_link 10 1K 10
diradd 5 1K 8051
crypto 4 1K 4
encap_export_host 12 1K 12
newdirblk 4 1K 8006
ip6opt 2 1K 87
pfil 4 1K 4
CAM SIM 2 1K 2
procdesc 4 1K 12
cdev 2 1K 2
inpcbpolicy 15 1K 1469
chacha20random 1 1K 1
osd 3 1K 10
NFSD lckfile 1 1K 1
NFSD V4client 1 1K 1
DEVFS 9 1K 10
vnodes 1 1K 1
ktls 1 1K 1
feeder 7 1K 7
tcpfunc 3 1K 3
loginclass 3 1K 6
prison 6 1K 6
linux 5 1K 6
aesni_data 2 1K 2
apmdev 1 1K 1
atkbddev 2 1K 2
CAM dev queue 2 1K 2
CAM I/O Scheduler 1 1K 1
CAM path 4 1K 1034
pmchooks 1 1K 1
nexusdev 7 1K 7
soname 4 1K 10377
sctp_vrf 1 1K 1
vnet 1 1K 1
entropy 2 1K 40
acpiintr 1 1K 1
pmc 1 1K 1
filecaps 4 1K 86
cpus 2 1K 2
vnet_data_free 1 1K 1
Per-cpu 1 1K 1
p1003.1b 1 1K 1
pf_table 0 0K 0
pf_rule 0 0K 0
pf_altq 0 0K 0
pf_osfp 0 0K 0
pf_temp 0 0K 0
mqdata 0 0K 0
sctp_mcore 0 0K 0
sctp_socko 0 0K 6835
sctp_iter 0 0K 10
sctp_mvrf 0 0K 0
sctp_cpal 0 0K 0
sctp_cmsg 0 0K 0
sctp_stre 0 0K 0
sctp_athi 0 0K 0
sctp_a_it 0 0K 10
sctp_aadr 0 0K 0
sctp_stri 0 0K 0
NFSD string 0 0K 0
NFSD V4lock 0 0K 0
madt_table 0 0K 2
smartpqi 0 0K 0
NFSD V4state 0 0K 0
NFSD srvcache 0 0K 0
msdosfs_fat 0 0K 0
msdosfs_mount 0 0K 0
msdosfs_node 0 0K 0
iavf 0 0K 0
ixl 0 0K 0
DEVFS4 0 0K 0
DEVFS2 0 0K 0
gntdev 0 0K 0
privcmd_dev 0 0K 0
ice-resmgr 0 0K 0
ice-osdep 0 0K 0
ice 0 0K 0
axgbe 0 0K 0
evtchn_dev 0 0K 0
xenstore 0 0K 0
ciss_data 0 0K 0
BACKLIGHT 0 0K 0
xnb 0 0K 0
xbbd 0 0K 0
xbd 0 0K 0
Balloon 0 0K 0
sysmouse 0 0K 0
vtfont 0 0K 0
xen_intr 0 0K 0
xen_hvm 0 0K 0
legacydrv 0 0K 0
qpidrv 0 0K 0
ath_hal 0 0K 0
athdev 0 0K 0
dmar_idpgtbl 0 0K 0
dmar_dom 0 0K 0
dmar_ctx 0 0K 0
ata_pci 0 0K 0
ata_dma 0 0K 0
ata_generic 0 0K 0
isci 0 0K 0
iommu_dmamap 0 0K 0
amr 0 0K 0
hyperv_socket 0 0K 0
bxe_ilt 0 0K 0
xenbus 0 0K 0
pvscsi 0 0K 0
scsi_da 0 0K 69
vm_fictitious 0 0K 0
ata_da 0 0K 0
scsi_ch 0 0K 0
scsi_cd 0 0K 0
AHCI driver 0 0K 0
USBdev 0 0K 0
USB 0 0K 0
agp 0 0K 0
nvme_da 0 0K 0
UMAHash 0 0K 0
acpipwr 0 0K 0
acpi_perf 0 0K 0
vm_pgdata 0 0K 0
jblocks 0 0K 0
savedino 0 0K 6732
sentinel 0 0K 0
jfsync 0 0K 0
jtrunc 0 0K 0
sbdep 0 0K 10
jsegdep 0 0K 0
jseg 0 0K 0
jfreefrag 0 0K 0
jfreeblk 0 0K 0
jnewblk 0 0K 0
jmvref 0 0K 0
jremref 0 0K 0
jaddref 0 0K 0
freedep 0 0K 0
freefrag 0 0K 6
allocindir 0 0K 0
indirdep 0 0K 10
allocdirect 0 0K 0
ufs_trim 0 0K 0
mactemp 0 0K 0
audit_trigger 0 0K 0
audit_pipe_presel 0 0K 0
audit_pipeent 0 0K 0
audit_pipe 0 0K 0
audit_evname 0 0K 0
audit_bsm 0 0K 0
audit_gidset 0 0K 0
audit_text 0 0K 0
audit_path 0 0K 0
audit_data 0 0K 0
audit_cred 0 0K 0
xform 0 0K 0
twsbuf 0 0K 0
MLX5EEPROM 0 0K 0
MLX5EEPROM 0 0K 0
MLX5EEPROM 0 0K 0
MLX5EEPROM 0 0K 0
MLX5E_TLS 0 0K 0
MLX5EEPROM 0 0K 0
MLX5EEPROM 0 0K 0
MLX5EEPROM 0 0K 0
MLX5EN 0 0K 0
MLX5EEPROM 0 0K 0
MLX5EEPROM 0 0K 0
MLX5EEPROM 0 0K 0
MLX5DUMP 0 0K 0
MLX5EEPROM 0 0K 0
MLX5EEPROM 0 0K 0
seq_file 0 0K 0
radix 0 0K 0
idr 0 0K 0
lkpifw 0 0K 0
NLM 0 0K 0
ipsec-spdcache 0 0K 0
ipsec-reg 0 0K 0
ipsec-misc 0 0K 0
ipsecrequest 0 0K 0
ip6_msource 0 0K 0
ip6_moptions 0 0K 0
in6_mfilter 0 0K 0
frag6 0 0K 0
tcplog 0 0K 0
tcp_hwpace 0 0K 0
twe_commands 0 0K 0
LRO 0 0K 0
newreno data 0 0K 0
ip_msource 0 0K 0
ip_moptions 0 0K 3
in_mfilter 0 0K 0
ipid 0 0K 0
80211scan 0 0K 0
80211ratectl 0 0K 0
80211power 0 0K 0
80211nodeie 0 0K 0
80211node 0 0K 0
80211mesh_gt 0 0K 0
80211mesh_rt 0 0K 0
80211perr 0 0K 0
80211prep 0 0K 0
80211preq 0 0K 0
80211dfs 0 0K 0
80211crypto 0 0K 0
80211vap 0 0K 0
iflib 0 0K 0
vlan 0 0K 0
gif 0 0K 0
ifdescr 0 0K 0
zlib 0 0K 0
fadvise 0 0K 0
VN POLL 0 0K 0
twa_commands 0 0K 0
statfs 0 0K 8185
namei_tracker 0 0K 0
export_host 0 0K 0
cl_savebuf 0 0K 4
tcp_log_dev 0 0K 0
midi buffers 0 0K 0
mixer 0 0K 0
ac97 0 0K 0
hdacc 0 0K 0
hdac 0 0K 0
hdaa 0 0K 0
acpicmbat 0 0K 0
SIIS driver 0 0K 0
CAM CCB 0 0K 2113
PUC 0 0K 0
ppbusdev 0 0K 0
agtiapi_MemAlloc malloc 0 0K 0
osti_cacheable 0 0K 0
tempbuff 0 0K 0
biobuf 0 0K 0
aios 0 0K 0
lio 0 0K 0
acl 0 0K 0
tempbuff 0 0K 0
mbuf_tag 0 0K 107
ag_tgt_map_t malloc 0 0K 0
ag_slr_map_t malloc 0 0K 0
lDevFlags * malloc 0 0K 0
tiDeviceHandle_t * malloc 0 0K 0
ag_portal_data_t malloc 0 0K 0
ag_device_t malloc 0 0K 0
STLock malloc 0 0K 0
CCB List 0 0K 0
sr_iov 0 0K 0
OCS 0 0K 0
OCS 0 0K 0
nvme 0 0K 0
nvd 0 0K 0
netmap 0 0K 0
mwldev 0 0K 0
MVS driver 0 0K 0
CAM ccb queue 0 0K 0
mrsasbuf 0 0K 0
mpt_user 0 0K 0
mps_user 0 0K 0
accf 0 0K 0
pts 0 0K 0
iov 0 0K 19099
ioctlops 0 0K 178
eventfd 0 0K 0
Witness 0 0K 0
stack 0 0K 0
MPSSAS 0 0K 0
mps 0 0K 0
mpr_user 0 0K 0
MPRSAS 0 0K 0
mpr 0 0K 0
mfibuf 0 0K 0
sbuf 0 0K 288
md_sectors 0 0K 0
firmware 0 0K 0
compressor 0 0K 0
md_disk 0 0K 0
SWAP 0 0K 0
malodev 0 0K 0
LED 0 0K 0
sysctltmp 0 0K 694
sysctl 0 0K 3
ekcd 0 0K 0
dumper 0 0K 0
sendfile 0 0K 0
rctl 0 0K 0
ix_sriov 0 0K 0
aacraidcam 0 0K 0
aacraid_buf 0 0K 0
ix 0 0K 0
ipsbuf 0 0K 0
cache 0 0K 0
iirbuf 0 0K 0
prison_racct 0 0K 0
Fail Points 0 0K 0
sigio 0 0K 1
filedesc_to_leader 0 0K 0
pwd 0 0K 0
tty console 0 0K 0
aaccam 0 0K 0
aacbuf 0 0K 0
zstd 0 0K 0
XZ_DEC 0 0K 0
nvlist 0 0K 0
SCSI ENC 0 0K 0
SCSI sa 0 0K 0
scsi_pass 0 0K 0
isofs_node 0 0K 0
isofs_mount 0 0K 0
tr_raid5_data 0 0K 0
tr_raid1e_data 0 0K 0
tr_raid1_data 0 0K 0
tr_raid0_data 0 0K 0
tr_concat_data 0 0K 0
md_sii_data 0 0K 0
md_promise_data 0 0K 0
md_nvidia_data 0 0K 0
md_jmicron_data 0 0K 0
md_intel_data 0 0K 0
md_ddf_data 0 0K 0
raid_data 0 0K 72
geom_flashmap 0 0K 0
tmpfs dir 0 0K 0
tmpfs name 0 0K 0
tmpfs mount 0 0K 0
NFS FHA 0 0K 0
newnfsmnt 0 0K 0
newnfsclient_req 0 0K 0
NFSCL layrecall 0 0K 0
NFSCL session 0 0K 0
NFSCL sockreq 0 0K 0
NFSCL devinfo 0 0K 0
NFSCL flayout 0 0K 0
NFSCL layout 0 0K 0
NFSD rollback 0 0K 0
NFSCL diroff 0 0K 0
NEWdirectio 0 0K 0
NEWNFSnode 0 0K 0
NFSCL lck 0 0K 0
NFSCL lckown 0 0K 0
NFSCL client 0 0K 0
NFSCL deleg 0 0K 0
NFSCL open 0 0K 0
NFSCL owner 0 0K 0
NFS fh 0 0K 0
NFS req 0 0K 0
NFSD usrgroup 0 0K 0
db> show uma
Zone Size Used Free Requests Sleeps Bucket Total Mem XFree
mbuf_jumbo_page 4096 8461 842 1534133 0 254 38105088 0
pbuf 2624 0 973 0 0 2 2553152 0
mbuf 256 8949 621 2342214 0 254 2449920 0
RADIX NODE 144 14177 212 257356 0 62 2072016 0
BUF TRIE 144 190 13278 704 0 62 1939392 0
malloc-384 384 4116 4 4116 0 30 1582080 0
malloc-4096 4096 332 2 523 0 2 1368064 0
malloc-128 128 10203 27 10224 0 126 1309440 0
mbuf_cluster 2048 600 0 600 0 254 1228800 0
UMA Slabs 0 112 10758 3 10758 0 126 1205232 0
malloc-384 384 871 2119 8145 0 30 1148160 0
sctp_asoc 2288 352 23 3185 0 254 858000 0
malloc-256 256 920 2140 25226 0 62 783360 0
malloc-2048 2048 356 18 11110 0 8 765952 0
malloc-256 256 33 2907 7166 0 62 752640 0
FFS inode 1160 513 103 8525 0 8 714560 0
malloc-128 128 2147 2162 61418 0 126 551552 0
sctp_ep 1280 353 43 11107 0 254 506880 0
VM OBJECT 264 1440 75 125251 0 30 399960 0
malloc-1024 1024 357 23 3206 0 16 389120 0
lkpimm 160 1 2324 1 0 62 372000 0
lkpicurr 160 2 2323 2 0 62 372000 0
malloc-384 384 798 52 14385 0 30 326400 0
VNODE 448 549 162 8563 0 30 318528 0
malloc-4096 4096 72 5 8803 0 2 315392 0
THREAD 1792 153 18 8308 0 8 306432 0
malloc-16384 16384 13 5 8114 0 1 294912 0
256 Bucket 2048 126 18 17664 0 8 294912 0
sctp_raddr 736 352 22 3185 0 254 275264 0
malloc-65536 65536 4 0 4 0 1 262144 0
malloc-64 64 3827 142 15647 0 254 254016 0
malloc-16 16 13619 381 27320 0 254 224000 0
DEVCTL 1024 4 212 131 0 0 221184 0
malloc-65536 65536 1 2 257 0 1 196608 0
MAP ENTRY 96 1643 331 473311 0 126 189504 0
malloc-32 32 5610 186 20925 0 254 185472 0
UMA Zones 768 237 2 237 0 16 183552 0
tcp_bbr_map 128 0 1271 11012 0 126 162688 0
FFS2 dinode 256 513 102 8524 0 62 157440 0
mbuf_packet 256 100 500 10287 0 254 153600 0
S VFS Cache 104 1023 342 9176 0 126 141960 0
malloc-128 128 1043 11 2376 0 126 134912 0
socket 944 36 104 13738 0 254 132160 0
malloc-65536 65536 2 0 2 0 1 131072 0
vmem btag 56 2225 67 2225 0 254 128352 0
VMSPACE 2544 39 9 8776 0 4 122112 0
ksiginfo 112 63 981 1271 0 126 116928 0
malloc-1024 1024 107 5 150 0 16 114688 0
malloc-256 256 374 61 20017 0 62 111360 0
128 Bucket 1024 72 35 1516 0 16 109568 0
malloc-8192 8192 9 4 138 0 1 106496 0
PROC 1336 61 17 8792 0 8 104208 0
64 Bucket 512 145 47 8442 0 30 98304 0
malloc-2048 2048 2 42 2115 0 8 90112 0
filedesc0 1072 62 22 8793 0 8 90048 0
UMA Kegs 384 222 1 222 0 30 85632 0
clpbuf 2624 0 32 20 0 16 83968 0
tcp_inpcb 488 30 138 956 0 254 81984 0
malloc-256 256 237 78 9133 0 62 80640 0
malloc-4096 4096 19 0 551 0 2 77824 0
malloc-4096 4096 15 3 122 0 2 73728 0
g_bio 408 0 170 5917 0 30 69360 0
malloc-65536 65536 1 0 1 0 1 65536 0
malloc-65536 65536 0 1 8 0 1 65536 0
malloc-65536 65536 1 0 1 0 1 65536 0
malloc-32768 32768 0 2 130 0 1 65536 0
malloc-32768 32768 2 0 2 0 1 65536 0
malloc-8192 8192 5 3 13 0 1 65536 0
32 Bucket 256 123 102 8404 0 62 57600 0
malloc-16384 16384 3 0 3 0 1 49152 0
malloc-128 128 117 255 470 0 126 47616 0
malloc-2048 2048 4 18 511 0 8 45056 0
malloc-64 64 570 123 16827 0 254 44352 0
malloc-128 128 299 42 457 0 126 43648 0
malloc-256 256 152 13 177 0 62 42240 0
malloc-256 256 137 28 873 0 62 42240 0
pcpu-8 8 4613 507 4769 0 254 40960 0
DIRHASH 1024 34 2 34 0 16 36864 0
NAMEI 1024 0 36 47042 0 16 36864 0
malloc-512 512 4 68 512 0 30 36864 0
tcpcb 1048 4 29 956 0 254 34584 0
malloc-256 256 104 31 8204 0 62 34560 0
pipe 744 22 23 806 0 16 33480 0
malloc-32768 32768 1 0 1 0 1 32768 0
malloc-8192 8192 3 1 5 0 1 32768 0
malloc-8192 8192 2 2 17 0 1 32768 0
malloc-4096 4096 4 4 8192 0 2 32768 0
pcpu-64 64 478 34 478 0 254 32768 0
sctp_stream_msg_out 112 257 31 315 0 254 32256 0
malloc-64 64 216 288 134010 0 254 32256 0
malloc-64 64 483 21 695 0 254 32256 0
malloc-2048 2048 11 3 117 0 8 28672 0
KNOTE 160 27 148 213930 0 62 28000 0
Files 80 217 133 29921 0 126 28000 0
TURNSTILE 136 172 17 172 0 62 25704 0
malloc-1024 1024 10 14 1309 0 16 24576 0
malloc-1024 1024 18 6 22 0 16 24576 0
PWD 32 20 736 8012 0 254 24192 0
ttyinq 160 135 15 300 0 62 24000 0
8 Bucket 80 56 244 2730 0 126 24000 0
ttyoutq 256 72 18 160 0 62 23040 0
malloc-384 384 52 8 52 0 30 23040 0
malloc-64 64 148 167 17974 0 254 20160 0
malloc-16 16 1018 232 6993 0 254 20000 0
SLEEPQUEUE 88 172 52 172 0 126 19712 0
Mountpoints 2752 2 5 2 0 4 19264 0
malloc-16384 16384 1 0 1 0 1 16384 0
malloc-2048 2048 2 6 283 0 8 16384 0
malloc-2048 2048 6 2 6 0 8 16384 0
malloc-1024 1024 12 4 12 0 16 16384 0
malloc-1024 1024 11 5 11 0 16 16384 0
malloc-64 64 136 116 195 0 254 16128 0
malloc-32 32 411 93 613 0 254 16128 0
malloc-32 32 112 392 11202 0 254 16128 0
vtnet_tx_hdr 24 0 668 771363 0 254 16032 0
sctp_chunk 152 95 9 95 0 254 15808 0
udp_inpcb 488 6 26 222 0 254 15616 0
tcp_rack_pcb 704 0 22 498 0 16 15488 0
malloc-384 384 19 21 378 0 30 15360 0
tcp_bbr_pcb 832 0 18 233 0 16 14976 0
malloc-2048 2048 5 1 196 0 8 12288 0
malloc-1024 1024 8 4 9 0 16 12288 0
malloc-512 512 3 21 194 0 30 12288 0
malloc-32 32 112 266 8616 0 254 12096 0
malloc-128 128 50 43 8064 0 126 11904 0
udplite_inpcb 488 0 24 240 0 254 11712 0
kenv 258 15 30 1058 0 30 11610 0
routing nhops 256 27 18 34 0 62 11520 0
unpcb 256 17 28 1130 0 254 11520 0
malloc-256 256 20 25 8166 0 62 11520 0
malloc-8192 8192 1 0 1 0 1 8192 0
malloc-8192 8192 1 0 1 0 1 8192 0
malloc-8192 8192 1 0 1 0 1 8192 0
malloc-4096 4096 0 2 3 0 2 8192 0
malloc-2048 2048 1 3 42 0 8 8192 0
malloc-1024 1024 0 8 7 0 16 8192 0
malloc-512 512 12 4 36 0 30 8192 0
malloc-512 512 8 8 8 0 30 8192 0
rtentry 176 30 16 34 0 62 8096 0
PGRP 88 31 61 42 0 126 8096 0
rl_entry 40 40 162 40 0 254 8080 0
sctp_laddr 48 0 168 115 0 254 8064 0
udpcb 32 6 246 462 0 254 8064 0
malloc-64 64 8 118 9 0 254 8064 0
malloc-64 64 34 92 1191 0 254 8064 0
malloc-32 32 6 246 13 0 254 8064 0
malloc-32 32 37 215 742 0 254 8064 0
malloc-32 32 34 218 1355 0 254 8064 0
16 Bucket 144 50 6 348 0 62 8064 0
4 Bucket 48 5 163 230 0 254 8064 0
2 Bucket 32 47 205 1285 0 254 8064 0
malloc-16 16 1 499 13 0 254 8000 0
malloc-16 16 20 480 59 0 254 8000 0
malloc-16 16 27 473 28 0 254 8000 0
malloc-16 16 188 312 1431 0 254 8000 0
malloc-16 16 33 467 29955 0 254 8000 0
malloc-16 16 14 486 5031 0 254 8000 0
malloc-128 128 10 52 16 0 126 7936 0
malloc-128 128 8 54 144 0 126 7936 0
tcp_rack_map 120 0 66 832 0 126 7920 0
ripcb 488 4 12 51 0 254 7808 0
malloc-384 384 0 20 32 0 30 7680 0
malloc-384 384 20 0 20 0 30 7680 0
FPU_save_area 832 1 8 1 0 16 7488 0
cpuset 104 7 55 39 0 126 6448 0
domainset 40 0 126 24 0 254 5040 0
epoch_record pcpu 256 4 12 4 0 62 4096 0
malloc-512 512 0 8 2 0 30 4096 0
pcpu-16 16 7 249 7 0 254 4096 0
hostcache 64 1 62 1 0 254 4032 0
syncache 168 0 24 4 0 254 4032 0
malloc-32 32 0 126 2 0 254 4032 0
UMA Slabs 1 176 9 13 9 0 62 3872 0
malloc-384 384 1 9 2 0 30 3840 0
mqnode 416 3 6 3 0 30 3744 0
KMAP ENTRY 96 12 27 12 0 0 3744 0
vmem 1856 1 1 1 0 8 3712 0
SMR CPU 32 3 60 3 0 254 2016 0
SMR SHARED 24 3 60 3 0 254 1512 0
FFS1 dinode 128 0 0 0 0 126 0 0
swblk 136 0 0 0 0 62 0 0
swpctrie 144 0 0 0 0 62 0 0
sctp_asconf_ack 48 0 0 0 0 254 0 0
sctp_asconf 40 0 0 0 0 254 0 0
sctp_readq 152 0 0 0 0 254 0 0
pf state scrubs 40 0 0 0 0 254 0 0
pf frag entries 40 0 0 0 0 254 0 0
pf frags 248 0 0 0 0 62 0 0
pf table entries 160 0 0 0 0 62 0 0
pf table entry counters 64 0 0 0 0 254 0 0
pf source nodes 136 0 0 0 0 254 0 0
pf state keys 88 0 0 0 0 126 0 0
pf states 296 0 0 0 0 254 0 0
pf tags 104 0 0 0 0 126 0 0
pf mtags 48 0 0 0 0 254 0 0
IPsec SA lft_c 16 0 0 0 0 254 0 0
tcp_log_node 120 0 0 0 0 126 0 0
tcp_log_bucket 176 0 0 0 0 62 0 0
tcp_log 416 0 0 0 0 254 0 0
tcpreass 48 0 0 0 0 254 0 0
tfo_ccache_entries 80 0 0 0 0 126 0 0
tfo 4 0 0 0 0 254 0 0
sackhole 32 0 0 0 0 254 0 0
tcptw 88 0 0 0 0 254 0 0
ipq 56 0 0 0 0 254 0 0
itimer 352 0 0 0 0 30 0 0
AIOLIO 272 0 0 0 0 30 0 0
AIOCB 552 0 0 0 0 16 0 0
AIOP 32 0 0 0 0 254 0 0
AIO 208 0 0 0 0 62 0 0
NCLNODE 584 0 0 0 0 16 0 0
mqnotifier 216 0 0 0 0 62 0 0
mvdata 64 0 0 0 0 254 0 0
mqueue 248 0 0 0 0 62 0 0
TMPFS node 224 0 0 0 0 62 0 0
LTS VFS Cache 360 0 0 0 0 30 0 0
L VFS Cache 320 0 0 0 0 30 0 0
STS VFS Cache 144 0 0 0 0 62 0 0
cryptop 280 0 0 0 0 30 0 0
linux_dma_object 24 0 0 0 0 254 0 0
linux_dma_pctrie 144 0 0 0 0 62 0 0
IOMMU_MAP_ENTRY 120 0 0 0 0 126 0 0
ktls_session 192 0 0 0 0 62 0 0
mbuf_jumbo_16k 16384 0 0 0 0 254 0 0
mbuf_jumbo_9k 9216 0 0 0 0 254 0 0
audit_record 1280 0 0 0 0 8 0 0
MAC labels 40 0 0 0 0 254 0 0
vnpbuf 2624 0 0 0 0 64 0 0
mdpbuf 2624 0 0 0 0 3 0 0
nfspbuf 2624 0 0 0 0 16 0 0
swwbuf 2624 0 0 0 0 8 0 0
swrbuf 2624 0 0 0 0 16 0 0
umtx_shm 88 0 0 0 0 126 0 0
umtx pi 96 0 0 0 0 126 0 0
rangeset pctrie nodes 144 0 0 0 0 62 0 0
malloc-65536 65536 0 0 0 0 1 0 0
malloc-65536 65536 0 0 0 0 1 0 0
malloc-32768 32768 0 0 0 0 1 0 0
malloc-32768 32768 0 0 0 0 1 0 0
malloc-32768 32768 0 0 0 0 1 0 0
malloc-32768 32768 0 0 0 0 1 0 0
malloc-32768 32768 0 0 0 0 1 0 0
malloc-16384 16384 0 0 0 0 1 0 0
malloc-16384 16384 0 0 0 0 1 0 0
malloc-16384 16384 0 0 0 0 1 0 0
malloc-16384 16384 0 0 0 0 1 0 0
malloc-16384 16384 0 0 0 0 1 0 0
malloc-8192 8192 0 0 0 0 1 0 0
malloc-4096 4096 0 0 0 0 2 0 0
malloc-4096 4096 0 0 0 0 2 0 0
malloc-512 512 0 0 0 0 30 0 0
malloc-512 512 0 0 0 0 30 0 0
malloc-512 512 0 0 0 0 30 0 0
pcpu-32 32 0 0 0 0 254 0 0
pcpu-4 4 0 0 0 0 254 0 0
fakepg 104 0 0 0 0 126 0 0
UMA Hash 256 0 0 0 0 62 0

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

May 16, 2021, 3:05:32 PM
to syzkaller-f...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 91f251b2 fstyp(8): define HAVE_ZFS macro when built with zfs
console output: https://syzkaller.appspot.com/x/log.txt?x=13ca3fb3d00000
dashboard link: https://syzkaller.appspot.com/bug?extid=d627d01a95da99bb5db6
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=168a6265d00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d627d0...@syzkaller.appspotmail.com

login: panic: Memory modified after free 0xfffff8004c7a2c00(256) val=9005326 @ 0xfffff8004c7a2cb0

cpuid = 0
time = 1621191730
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe0094dc7310
vpanic() at vpanic+0x1c7/frame 0xfffffe0094dc7370
panic() at panic+0x43/frame 0xfffffe0094dc73d0
trash_ctor() at trash_ctor+0xa8/frame 0xfffffe0094dc7410
item_ctor() at item_ctor+0x1c8/frame 0xfffffe0094dc7470
ip6_splithdr() at ip6_splithdr+0x5b/frame 0xfffffe0094dc74c0
ip6_output() at ip6_output+0x677/frame 0xfffffe0094dc7720
tcp_output() at tcp_output+0x3972/frame 0xfffffe0094dc7910
tcp6_usr_connect() at tcp6_usr_connect+0x436/frame 0xfffffe0094dc79b0
soconnectat() at soconnectat+0x183/frame 0xfffffe0094dc7a10
kern_connectat() at kern_connectat+0x1e5/frame 0xfffffe0094dc7a70
sys_connect() at sys_connect+0xd9/frame 0xfffffe0094dc7ab0
amd64_syscall() at amd64_syscall+0x247/frame 0xfffffe0094dc7bf0
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0094dc7bf0
--- syscall (198, FreeBSD ELF64, nosys), rip = 0x285e1a, rsp = 0x7fffffffe2f8, rbp = 0x7fffffffe360 ---
KDB: enter: panic
[ thread pid 803 tid 100122 ]
Stopped at kdb_enter+0x67: movq $0,0x163a0ee(%rip)
db>
db> set $lines = 0
db> set $maxwidth = 0
db> show registers
cs 0x20
ds 0x3b
es 0x3b
fs 0x13
gs 0x1b
ss 0x28
rax 0x12
rcx 0x80
rdx 0xffffffff819c48e5
rbx 0
rsp 0xfffffe0094dc72f0
rbp 0xfffffe0094dc7310
rsi 0x1
rdi 0
r8 0
r9 0x8080808080808080
r10 0xfffffe0094dc71e0
r11 0x1ff6bfff59c
r12 0xffffffff82267ac0 ddb_dbbe
r13 0
r14 0xffffffff81a75f09
r15 0xffffffff81a75f09
rip 0xffffffff8112f097 kdb_enter+0x67
rflags 0x86
kdb_enter+0x67: movq $0,0x163a0ee(%rip)
db> show proc
Process 803 (syz-executor.0) at 0xfffff8004e593538:
state: NORMAL
uid: 0 gids: 0, 0, 5
parent: pid 787 at 0xfffff80015e11538
ABI: FreeBSD ELF64
flag: 0x10000000 flag2: 0
arguments: /root/syz-executor.0
reaper: 0xfffff80004bc9538 reapsubtree: 1
sigparent: 20
vmspace: 0xfffffe0094fec3e0
(map 0xfffffe0094fec3e0)
(map.pmap 0xfffffe0094fec4a0)
(pmap 0xfffffe0094fec500)
threads: 1
100122 Run CPU 0 syz-executor.0
db> ps
pid ppid pgrp uid state wmesg wchan cmd
803 787 787 0 R CPU 0 syz-executor.0
802 436 436 0 R CPU 1 sh
787 785 787 0 Rs syz-executor.0
785 783 783 0 R (threaded) syz-execprog
100113 S uwait 0xfffff80015da6300 syz-execprog
100115 RunQ syz-execprog
100116 S uwait 0xfffff80015d66d00 syz-execprog
100117 S uwait 0xfffff80015d66f00 syz-execprog
100118 S kqread 0xfffff80015d9c500 syz-execprog
100119 S uwait 0xfffff8004e891900 syz-execprog
100120 S uwait 0xfffff80015a96300 syz-execprog
100121 RunQ syz-execprog
783 781 783 0 Ss pause 0xfffff80015daf0b0 csh
781 694 781 0 Ss select 0xfffff8004e4752c0 sshd
760 1 760 0 Ss+ ttyin 0xfffff80015465cb0 getty
759 1 759 0 Ss+ ttyin 0xfffff80015b004b0 getty
758 1 758 0 Ss+ ttyin 0xfffff80015b00cb0 getty
757 1 757 0 Ss+ ttyin 0xfffff80015a884b0 getty
756 1 756 0 Ss+ ttyin 0xfffff80015a88cb0 getty
755 1 755 0 Ss+ ttyin 0xfffff80015a8b4b0 getty
754 1 754 0 Ss+ ttyin 0xfffff80015a8bcb0 getty
753 1 753 0 Ss+ ttyin 0xfffff80015a904b0 getty
752 1 752 0 Ss+ ttyin 0xfffff80015a90cb0 getty
750 1 24 0 S+ piperd 0xfffff80015db08b8 logger
749 748 24 0 S+ nanslp 0xffffffff8273c8e0 sleep
748 1 24 0 S+ wait 0xfffff80015daf538 sh
698 1 698 0 Ss nanslp 0xffffffff8273c8e0 cron
694 1 694 0 Ss select 0xfffff8004e2f6440 sshd
507 1 507 0 Ds biowr 0xfffffe0003835410 syslogd
436 1 436 0 Ss wait 0xfffff80015e42a70 devd
435 1 435 65 Ss select 0xfffff80015ea9440 dhclient
350 1 350 0 Ss select 0xfffff80015ea92c0 dhclient
347 1 347 0 Ss select 0xfffff80015e5f2c0 dhclient
23 0 0 0 DL vlruwt 0xfffff80015ca5538 [vnlru]
22 0 0 0 DL syncer 0xffffffff8282bd50 [syncer]
21 0 0 0 DL (threaded) [bufdaemon]
100081 D qsleep 0xffffffff8282ae00 [bufdaemon]
100088 D - 0xffffffff8220ae80 [bufspacedaemon-0]
100099 D sdflush 0xfffff80004dfd4e8 [/ worker]
20 0 0 0 DL psleep 0xffffffff82852c48 [vmdaemon]
19 0 0 0 DL (threaded) [pagedaemon]
100079 D psleep 0xffffffff828470b8 [dom0]
100086 D launds 0xffffffff828470c4 [laundry: dom0]
100087 D umarcl 0xffffffff815caad0 [uma]
18 0 0 0 DL - 0xffffffff82570c78 [rand_harvestq]
17 0 0 0 DL waiting 0xffffffff830d9828 [sctp_iterator]
16 0 0 0 DL pftm 0xffffffff82e7d3c0 [pf purge]
15 0 0 0 DL - 0xffffffff8282845c [soaiod4]
9 0 0 0 DL - 0xffffffff8282845c [soaiod3]
8 0 0 0 DL - 0xffffffff8282845c [soaiod2]
7 0 0 0 DL - 0xffffffff8282845c [soaiod1]
6 0 0 0 DL (threaded) [cam]
100044 D - 0xffffffff82448140 [doneq0]
100045 D - 0xffffffff824480c0 [async]
100078 D - 0xffffffff82447f90 [scanner]
14 0 0 0 DL seqstat 0xfffff80004dccc88 [sequencer 00]
5 0 0 0 DL crypto_ 0xfffff80004d9bd80 [crypto returns 1]
4 0 0 0 DL crypto_ 0xfffff80004d9bd30 [crypto returns 0]
3 0 0 0 DL crypto_ 0xffffffff828445a0 [crypto]
13 0 0 0 DL (threaded) [geom]
100035 D - 0xffffffff8271c120 [g_event]
100036 D - 0xffffffff8271c128 [g_up]
100037 D - 0xffffffff8271c130 [g_down]
2 0 0 0 DL (threaded) [KTLS]
100028 D - 0xfffff80004c3ad00 [thr_0]
100029 D - 0xfffff80004c3ad80 [thr_1]
12 0 0 0 WL (threaded) [intr]
100011 I [swi5: fast taskq]
100014 I [swi6: task queue]
100016 I [swi6: Giant taskq]
100030 I [swi1: netisr 0]
100031 I [swi3: vm]
100032 I [swi4: clock (0)]
100033 I [swi4: clock (1)]
100046 I [irq24: virtio_pci0]
100047 I [irq25: virtio_pci0]
100048 I [irq26: virtio_pci0]
100049 I [irq27: virtio_pci0]
100050 I [irq28: virtio_pci1]
100051 I [irq29: virtio_pci1]
100052 I [irq30: virtio_pci1]
100053 I [irq31: virtio_pci1]
100054 I [irq32: virtio_pci1]
100059 I [irq10: virtio_pci2]
100061 I [irq1: atkbd0]
100062 I [irq12: psm0]
100063 I [swi0: uart uart++]
100071 I [swi1: pf send]
100084 I [swi1: hpts]
100085 I [swi1: hpts]
11 0 0 0 RL (threaded) [idle]
100003 CanRun [idle: cpu0]
100004 CanRun [idle: cpu1]
1 0 1 0 SLs wait 0xfffff80004bc9538 [init]
10 0 0 0 DL audit_w 0xffffffff82844ab0 [audit]
0 0 0 0 DLs (threaded) [kernel]
100000 D swapin 0xffffffff8271c6b0 [swapper]
100005 D - 0xfffff80004c65d00 [softirq_0]
100006 D - 0xfffff80004c65900 [softirq_1]
100007 D - 0xfffff80004c65500 [if_io_tqg_0]
100008 D - 0xfffff80004c65100 [if_io_tqg_1]
100009 D - 0xfffff80004c62d00 [if_config_tqg_0]
100010 D - 0xfffff80004c61d00 [aiod_kick taskq]
100012 D - 0xfffff80004c61500 [kqueue_ctx taskq]
100013 D - 0xfffff80004c61100 [pci_hp taskq]
100015 D - 0xfffff80004c5a900 [inm_free taskq]
100017 D - 0xfffff80004c5a100 [linuxkpi_irq_wq]
100018 D - 0xfffff80004c55d00 [thread taskq]
100019 D - 0xfffff80004c55900 [in6m_free taskq]
100020 D - 0xfffff80004c55500 [linuxkpi_short_wq_0]
100021 D - 0xfffff80004c55500 [linuxkpi_short_wq_1]
100022 D - 0xfffff80004c55500 [linuxkpi_short_wq_2]
100023 D - 0xfffff80004c55500 [linuxkpi_short_wq_3]
100024 D - 0xfffff80004c55100 [linuxkpi_long_wq_0]
100025 D - 0xfffff80004c55100 [linuxkpi_long_wq_1]
100026 D - 0xfffff80004c55100 [linuxkpi_long_wq_2]
100027 D - 0xfffff80004c55100 [linuxkpi_long_wq_3]
100034 D - 0xfffff80004c3a900 [firmware taskq]
100038 D - 0xfffff80004c3a500 [crypto_0]
100039 D - 0xfffff80004c3a500 [crypto_1]
100055 D - 0xfffff800153dd900 [vtnet0 rxq 0]
100056 D - 0xfffff800153dd500 [vtnet0 txq 0]
100057 D - 0xfffff800153dd100 [vtnet0 rxq 1]
100058 D - 0xfffff800153c9d00 [vtnet0 txq 1]
100060 D vtbslp 0xfffff8001542b500 [virtio_balloon]
100064 D - 0xfffff800153c9900 [mca taskq]
100066 D - 0xffffffff81e22871 [deadlkres]
100074 D - 0xfffff80015a1b900 [acpi_task_0]
100075 D - 0xfffff80015a1b900 [acpi_task_1]
100076 D - 0xfffff80015a1b900 [acpi_task_2]
100077 D - 0xfffff80004c3a100 [CAM taskq]
db> show all locks
Process 803 (syz-executor.0) thread 0xfffffe0094fdcac0 (100122)
exclusive rw tcpinp (tcpinp) r = 0 (0xfffff8004e467b90) locked @ /syzkaller/managers/main/kernel/sys/netinet/tcp_usrreq.c:627
Process 507 (syslogd) thread 0xfffffe0055943020 (100102)
exclusive lockmgr bufwait (bufwait) r = 0 (0xfffffe0003835490) locked @ /syzkaller/managers/main/kernel/sys/kern/vfs_bio.c:3928
exclusive lockmgr ufs (ufs) r = 0 (0xfffff8004e4735b0) locked @ /syzkaller/managers/main/kernel/sys/kern/vfs_syscalls.c:3516
db> show malloc
Type InUse MemUse Requests
sysctloid 34060 12773K 34127
pf_hash 5 11560K 5
devbuf 4216 6982K 4241
tcp_hpts 5 3219K 5
kobj 332 2656K 491
vtbuf 24 2064K 46
newblk 439 1251K 479
vfscache 3 1035K 3
acpica 1674 649K 55203
pcb 24 613K 80
inodedep 56 575K 77
callout 2 528K 2
ufs_quota 1 520K 1
vfs_hash 1 520K 1
intr 4 480K 4
subproc 101 444K 856
bus 995 380K 3503
linker 350 271K 402
DEVFS1 104 208K 115
module 516 194K 516
vnet_data 1 176K 1
tidhash 3 164K 3
pagedep 17 144K 21
kdtrace 173 143K 928
tfo_ccache 1 136K 1
sem 4 120K 4
umtx 264 116K 264
UMA 268 101K 268
audit_evclass 236 89K 294
mtx_pool 2 80K 2
syncache 1 76K 1
filedesc 5 73K 17
temp 23 73K 1712
BPF 11 68K 11
msg 4 68K 4
acpitask 1 64K 1
ddb_capture 1 64K 1
DEVFS3 123 62K 133
gtaskqueue 18 57K 18
vmem 3 56K 4
DEVFS_RULE 56 54K 56
kenv 94 51K 94
eventhandler 133 50K 133
ifaddr 39 45K 41
ithread 99 43K 99
rman 84 42K 425
KTRACE 100 38K 100
routetbl 57 36K 205
taskqueue 60 36K 60
proc 3 34K 3
ufs_mount 5 34K 6
bus-sc 33 34K 1713
devstat 4 33K 4
hostcache 1 32K 1
tty 16 32K 16
shm 1 32K 1
GEOM 60 29K 487
kbdmux 6 28K 6
kqueue 51 27K 808
ether_multi 68 26K 78
cred 23 23K 234
CAM queue 5 21K 1528
pfs_nodes 20 20K 20
pwddesc 49 19K 804
plimit 18 18K 329
UART 12 18K 12
bmsafemap 3 17K 46
ksem 1 16K 1
rpc 2 16K 2
lltable 19 16K 19
shmfd 1 16K 1
pfs_vncache 1 16K 1
proc-args 41 16K 515
in6_multi 35 15K 35
ufs_dirhash 24 14K 24
sglist 5 13K 5
ifnet 4 13K 4
MCA 32 12K 32
CAM DEV 3 12K 510
diradd 31 12K 42
vt 11 11K 11
acpisem 28 11K 28
session 21 11K 32
CAM XPT 22 11K 543
Unitno 27 11K 41
uidinfo 3 9K 8
dirrem 17 9K 28
memdesc 1 8K 1
ipsec-saq 2 8K 2
evdev 4 8K 4
acpidev 20 8K 20
hhook 15 8K 17
selfd 19 8K 8606
pf_ifnet 7 7K 10
mount 16 7K 90
fpukern_ctx 3 6K 3
lockf 15 6K 22
terminal 11 6K 11
ipsecpolicy 2 5K 2
encap_export_host 12 5K 12
clone 9 5K 9
inpcbpolicy 11 5K 149
local_apic 1 4K 1
io_apic 1 4K 1
sahead 1 4K 1
secasvar 1 4K 1
CAM CCB 1 4K 1728
pci_link 10 4K 10
mkdir 10 4K 22
msi 9 4K 9
DEVFS 9 4K 10
osd 8 4K 20
ipsec 3 3K 3
nhops 6 3K 6
sctp_ifa 7 3K 8
nexusdev 7 3K 7
newdirblk 7 3K 11
ip6ndp 6 3K 7
feeder 7 3K 7
select 7 3K 29
toponodes 6 3K 6
prison 6 3K 6
isadev 6 3K 6
softdep 1 2K 1
indirdep 4 2K 4
vnodemarker 2 2K 8
NFSD session 1 2K 1
DEVFSP 5 2K 10
linux 5 2K 6
CAM periph 4 2K 271
soname 5 2K 3241
crypto 4 2K 4
tun 4 2K 4
ip6opt 2 2K 5
in_multi 3 2K 5
pfil 4 2K 4
CAM path 4 2K 1034
filecaps 4 2K 66
sctp_ifn 3 2K 8
mld 3 2K 3
tcpfunc 3 2K 3
igmp 3 2K 3
loginclass 3 2K 7
chacha20random 1 1K 1
vnodes 1 1K 1
CAM SIM 2 1K 2
ktls 1 1K 1
cdev 2 1K 2
aesni_data 2 1K 2
cpus 2 1K 2
atkbddev 2 1K 2
CAM dev queue 2 1K 2
xform 2 1K 49
entropy 2 1K 38
NFSD lckfile 1 1K 1
NFSD V4client 1 1K 1
procdesc 1 1K 6
pmchooks 1 1K 1
sctp_vrf 1 1K 1
apmdev 1 1K 1
CAM I/O Scheduler 1 1K 1
freework 1 1K 26
vnet_data_free 1 1K 1
vnet 1 1K 1
Per-cpu 1 1K 1
p1003.1b 1 1K 1
acpiintr 1 1K 1
pmc 1 1K 1
htcp data 0 0K 0
sctp_mcore 0 0K 0
sctp_socko 0 0K 0
sctp_iter 0 0K 5
sctp_mvrf 0 0K 0
sctp_timw 0 0K 0
sctp_cpal 0 0K 0
sctp_cmsg 0 0K 0
sctp_stre 0 0K 0
sctp_athi 0 0K 0
sctp_athm 0 0K 0
sctp_atky 0 0K 0
sctp_atcl 0 0K 0
sctp_a_it 0 0K 5
sctp_aadr 0 0K 0
sctp_stro 0 0K 0
sctp_stri 0 0K 0
sctp_map 0 0K 0
tcp_do 0 0K 0
tcp_fsb 0 0K 0
cubic data 0 0K 0
mqdata 0 0K 0
pf_table 0 0K 0
pf_rule 0 0K 0
pf_altq 0 0K 0
pf_osfp 0 0K 0
pf_temp 0 0K 0
chd data 0 0K 0
vegas data 0 0K 0
dctcp data 0 0K 0
cdg data 0 0K 0
savedino 0 0K 15
sentinel 0 0K 0
jfsync 0 0K 0
jtrunc 0 0K 0
sbdep 0 0K 2
jsegdep 0 0K 0
jseg 0 0K 0
jfreefrag 0 0K 0
jfreeblk 0 0K 0
jnewblk 0 0K 0
jmvref 0 0K 0
jremref 0 0K 0
jaddref 0 0K 0
freedep 0 0K 0
freefile 0 0K 9
freeblks 0 0K 25
freefrag 0 0K 5
allocindir 0 0K 0
allocdirect 0 0K 0
ufs_trim 0 0K 0
mactemp 0 0K 0
audit_trigger 0 0K 0
audit_pipe_presel 0 0K 0
audit_pipeent 0 0K 0
audit_pipe 0 0K 0
audit_evname 0 0K 0
audit_bsm 0 0K 0
audit_gidset 0 0K 0
audit_text 0 0K 0
audit_path 0 0K 0
audit_data 0 0K 0
audit_cred 0 0K 0
ip_moptions 0 0K 0
in_mfilter 0 0K 0
ipid 0 0K 0
80211scan 0 0K 0
80211ratectl 0 0K 0
80211power 0 0K 0
80211nodeie 0 0K 0
80211node 0 0K 0
80211mesh_gt 0 0K 0
80211mesh_rt 0 0K 0
80211perr 0 0K 0
80211prep 0 0K 0
80211preq 0 0K 0
80211dfs 0 0K 0
80211crypto 0 0K 0
80211vap 0 0K 0
iflib 0 0K 0
vlan 0 0K 0
gif 0 0K 0
ifdescr 0 0K 0
zlib 0 0K 0
fadvise 0 0K 0
VN POLL 0 0K 0
twa_commands 0 0K 0
statfs 0 0K 196
namei_tracker 0 0K 0
export_host 0 0K 0
cl_savebuf 0 0K 4
tcp_log_dev 0 0K 0
midi buffers 0 0K 0
mixer 0 0K 0
ac97 0 0K 0
hdacc 0 0K 0
hdac 0 0K 0
hdaa 0 0K 0
acpicmbat 0 0K 0
SIIS driver 0 0K 0
PUC 0 0K 0
ppbusdev 0 0K 0
agtiapi_MemAlloc malloc 0 0K 0
osti_cacheable 0 0K 0
tempbuff 0 0K 0
biobuf 0 0K 0
aios 0 0K 0
lio 0 0K 0
acl 0 0K 0
tempbuff 0 0K 0
mbuf_tag 0 0K 44
ag_tgt_map_t malloc 0 0K 0
ag_slr_map_t malloc 0 0K 0
lDevFlags * malloc 0 0K 0
tiDeviceHandle_t * malloc 0 0K 0
ag_portal_data_t malloc 0 0K 0
ag_device_t malloc 0 0K 0
STLock malloc 0 0K 0
CCB List 0 0K 0
sr_iov 0 0K 0
OCS 0 0K 0
OCS 0 0K 0
nvme 0 0K 0
nvd 0 0K 0
netmap 0 0K 0
mwldev 0 0K 0
MVS driver 0 0K 0
CAM ccb queue 0 0K 0
mrsasbuf 0 0K 0
mpt_user 0 0K 0
mps_user 0 0K 0
accf 0 0K 0
pts 0 0K 0
iov 0 0K 13616
ioctlops 0 0K 90
eventfd 0 0K 0
Witness 0 0K 0
stack 0 0K 0
MPSSAS 0 0K 0
mps 0 0K 0
mpr_user 0 0K 0
MPRSAS 0 0K 0
mpr 0 0K 0
mfibuf 0 0K 0
sbuf 0 0K 288
md_sectors 0 0K 0
firmware 0 0K 0
compressor 0 0K 0
md_disk 0 0K 0
SWAP 0 0K 0
malodev 0 0K 0
LED 0 0K 0
sysctltmp 0 0K 638
sysctl 0 0K 3
ekcd 0 0K 0
dumper 0 0K 0
sendfile 0 0K 0
rctl 0 0K 0
ix_sriov 0 0K 0
aacraidcam 0 0K 0
aacraid_buf 0 0K 0
ix 0 0K 0
ipsbuf 0 0K 0
cache 0 0K 0
iirbuf 0 0K 0
kcovinfo 0 0K 0
mbuf_jumbo_page 4096 8320 618 12168 0 254 36610048 0
malloc-384 384 34430 60 36347 0 30 13244160 0
malloc-1024 1024 4143 13 4360 0 16 4255744 0
malloc-8192 8192 333 1 492 0 1 2736128 0
pbuf 2624 0 973 0 0 2 2553152 0
mbuf 256 8595 600 13776 0 254 2353920 0
BUF TRIE 144 166 13302 363 0 62 1939392 0
UMA Slabs 0 112 11114 7 11114 0 126 1245552 0
malloc-384 384 1954 16 72311 0 30 756480 0
FFS inode 1160 505 13 514 0 8 600880 0
malloc-384 384 1278 32 3701 0 30 503040 0
malloc-8192 8192 58 2 813 0 1 491520 0
malloc-384 384 1002 8 3337 0 30 387840 0
lkpimm 160 1 2324 1 0 62 372000 0
lkpicurr 160 2 2323 2 0 62 372000 0
RADIX NODE 144 2216 161 21030 0 62 342288 0
malloc-512 512 514 38 683 0 30 282624 0
malloc-65536 65536 4 0 4 0 1 262144 0
VM OBJECT 264 938 52 13093 0 30 261360 0
VNODE 448 537 12 548 0 30 245952 0
THREAD 1808 123 9 123 0 8 238656 0
malloc-384 384 599 11 769 0 30 234240 0
malloc-16384 16384 11 3 273 0 1 229376 0
malloc-2048 2048 104 6 115 0 8 225280 0
DEVCTL 1024 0 216 120 0 0 221184 0
malloc-65536 65536 1 2 178 0 1 196608 0
UMA Zones 768 240 4 240 0 16 187392 0
malloc-16384 16384 10 1 14 0 1 180224 0
malloc-1024 1024 164 0 890 0 16 167936 0
malloc-32768 32768 5 0 156 0 1 163840 0
malloc-4096 4096 3 36 1731 0 2 159744 0
256 Bucket 2048 58 14 9747 0 8 147456 0
malloc-8192 8192 15 2 139 0 1 139264 0
malloc-512 512 252 20 965 0 30 139264 0
vmem btag 56 2341 95 2341 0 254 136416 0
FFS2 dinode 256 505 20 514 0 62 134400 0
malloc-65536 65536 2 0 2 0 1 131072 0
malloc-1024 1024 105 11 162 0 16 118784 0
ksiginfo 112 35 1009 52 0 126 116928 0
MAP ENTRY 96 907 311 39370 0 126 116928 0
S VFS Cache 104 982 110 1021 0 126 113568 0
malloc-1024 1024 93 7 704 0 16 102400 0
malloc-16384 16384 6 0 6 0 1 98304 0
mbuf_cluster 2048 45 1 45 0 254 94208 0
malloc-512 512 174 10 201 0 30 94208 0
UMA Kegs 384 225 8 225 0 30 89472 0
clpbuf 2624 0 32 14 0 16 83968 0
VMSPACE 2544 26 7 782 0 4 83952 0
g_bio 408 4 166 4427 0 30 69360 0
PROC 1336 48 3 803 0 8 68136 0
filedesc0 1072 49 14 804 0 8 67536 0
malloc-65536 65536 1 0 1 0 1 65536 0
malloc-65536 65536 1 0 1 0 1 65536 0
malloc-32768 32768 2 0 2 0 1 65536 0
malloc-32768 32768 2 0 2 0 1 65536 0
malloc-512 512 78 50 406 0 30 65536 0
malloc-384 384 91 69 8753 0 30 61440 0
malloc-1024 1024 53 3 57 0 16 57344 0
32 Bucket 256 65 130 12917 0 62 49920 0
malloc-16384 16384 3 0 3 0 1 49152 0
malloc-8192 8192 4 2 534 0 1 49152 0
malloc-4096 4096 5 7 515 0 2 49152 0
malloc-2048 2048 18 6 22 0 8 49152 0
malloc-2048 2048 8 16 516 0 8 49152 0
malloc-384 384 72 48 592 0 30 46080 0
malloc-4096 4096 7 4 79 0 2 45056 0
malloc-2048 2048 9 13 1234 0 8 45056 0
DIRHASH 1024 34 6 34 0 16 40960 0
128 Bucket 1024 22 17 146 0 16 39936 0
NAMEI 1024 0 36 12352 0 16 36864 0
malloc-1024 1024 30 6 31 0 16 36864 0
pcpu-8 8 4316 292 4376 0 254 36864 0
malloc-16384 16384 1 1 4 0 1 32768 0
malloc-16384 16384 2 0 2 0 1 32768 0
malloc-4096 4096 6 2 22 0 2 32768 0
malloc-4096 4096 8 0 199 0 2 32768 0
pcpu-64 64 486 26 486 0 254 32768 0
malloc-4096 4096 7 0 7 0 2 28672 0
socket 944 20 8 1274 0 254 26432 0
malloc-8192 8192 1 2 198 0 1 24576 0
malloc-8192 8192 3 0 3 0 1 24576 0
malloc-512 512 17 31 1232 0 30 24576 0
64 Bucket 512 42 6 1359 0 30 24576 0
ttyinq 160 135 15 300 0 62 24000 0
ttyoutq 256 72 18 160 0 62 23040 0
malloc-4096 4096 2 3 271 0 2 20480 0
malloc-2048 2048 9 1 9 0 8 20480 0
malloc-2048 2048 9 1 9 0 8 20480 0
malloc-1024 1024 2 18 20 0 16 20480 0
malloc-512 512 16 24 106 0 30 20480 0
malloc-512 512 31 9 311 0 30 20480 0
2 Bucket 32 78 552 1251 0 254 20160 0
TURNSTILE 136 133 14 133 0 62 19992 0
Mountpoints 2752 2 5 2 0 4 19264 0
pipe 744 11 14 294 0 16 18600 0
SLEEPQUEUE 88 133 59 133 0 126 16896 0
malloc-16384 16384 1 0 1 0 1 16384 0
malloc-16384 16384 1 0 1 0 1 16384 0
tcpcb 1064 4 10 8 0 254 14896 0
malloc-512 512 13 11 20 0 30 12288 0
Files 80 87 63 6718 0 126 12000 0
8 Bucket 80 33 117 379 0 126 12000 0
udp_inpcb 488 6 18 137 0 254 11712 0
kenv 258 15 30 1044 0 30 11610 0
mbuf_packet 256 13 32 118 0 254 11520 0
malloc-384 384 27 3 48 0 30 11520 0
malloc-2048 2048 0 4 5 0 8 8192 0
malloc-2048 2048 4 0 4 0 8 8192 0
malloc-1024 1024 1 7 22 0 16 8192 0
rtentry 176 17 29 21 0 62 8096 0
PGRP 88 21 71 32 0 126 8096 0
ertt_txseginfo 40 0 202 174 0 254 8080 0
rl_entry 40 29 173 29 0 254 8080 0
udpcb 32 6 246 137 0 254 8064 0
ertt 72 4 108 8 0 126 8064 0
PWD 32 12 240 103 0 254 8064 0
16 Bucket 144 36 20 1303 0 62 8064 0
4 Bucket 48 6 162 56 0 254 8064 0
vtnet_tx_hdr 24 0 334 735 0 254 8016 0
KNOTE 160 8 42 51 0 62 8000 0
tcp_inpcb 488 4 12 8 0 254 7808 0
routing nhops 256 14 16 21 0 62 7680 0
unpcb 256 8 22 1106 0 254 7680 0
FPU_save_area 832 1 8 1 0 16 7488 0
cpuset 104 7 55 7 0 126 6448 0
epoch_record pcpu 256 4 12 4 0 62 4096 0
pcpu-16 16 7 249 7 0 254 4096 0
sctp_laddr 48 0 84 6 0 254 4032 0
hostcache 64 1 62 1 0 254 4032 0
syncache 168 0 24 5 0 254 4032 0
ripcb 488 1 7 4 0 254 3904 0
UMA Slabs 1 176 8 14 8 0 62 3872 0
mqnode 416 3 6 3 0 30 3744 0
KMAP ENTRY 96 12 27 12 0 0 3744 0
vmem 1856 1 1 1 0 8 3712 0
SMR CPU 32 3 60 3 0 254 2016 0
SMR SHARED 24 3 60 3 0 254 1512 0
FFS1 dinode 128 0 0 0 0 126 0 0
swblk 136 0 0 0 0 62 0 0
swpctrie 144 0 0 0 0 62 0 0
sctp_asconf_ack 48 0 0 0 0 254 0 0
sctp_asconf 40 0 0 0 0 254 0 0
sctp_stream_msg_out 112 0 0 0 0 254 0 0
sctp_readq 152 0 0 0 0 254 0 0
sctp_chunk 152 0 0 0 0 254 0 0
sctp_raddr 736 0 0 0 0 254 0 0
sctp_asoc 2288 0 0 0 0 254 0 0
sctp_ep 1280 0 0 0 0 254 0 0
cdg_qdiffsample 16 0 0 0 0 254 0 0
pf state scrubs 40 0 0 0 0 254 0 0
pf frag entries 40 0 0 0 0 254 0 0
pf frags 248 0 0 0 0 62 0 0
pf table entries 160 0 0 0 0 62 0 0
pf table entry counters 64 0 0 0 0 254 0 0
pf source nodes 136 0 0 0 0 254 0 0
pf state keys 88 0 0 0 0 126 0 0
pf states 296 0 0 0 0 254 0 0
pf tags 104 0 0 0 0 126 0 0
pf mtags 48 0 0 0 0 254 0 0
tcp_bbr_pcb 832 0 0 0 0 16 0 0
tcp_bbr_map 128 0 0 0 0 126 0 0
tcp_rack_pcb 832 0 0 0 0 16 0 0
tcp_rack_map 112 0 0 0 0 126 0 0
IPsec SA lft_c 16 0 0 0 0 254 0 0
udplite_inpcb 488 0 0 0 0 254 0 0
tcp_log_node 120 0 0 0 0 126 0 0
tcp_log_bucket 176 0 0 0 0 62 0 0
tcp_log 416 0 0 0 0 254 0 0
tcpreass 48 0 0 0 0 254 0 0
tfo_ccache_entries 80 0 0 0 0 126 0 0
tfo 4 0 0 0 0 254 0 0
sackhole 32 0 0 0 0 254 0 0
tcptw 88 0 0 0 0 254 0 0
ipq 56 0 0 0 0 254 0 0
itimer 352 0 0 0 0 30 0 0
AIOLIO 272 0 0 0 0 30 0 0
AIOCB 552 0 0 0 0 16 0 0
AIOP 32 0 0 0 0 254 0 0
AIO 208 0 0 0 0 62 0 0
mqnotifier 216 0 0 0 0 62 0 0
mvdata 64 0 0 0 0 254 0 0
mqueue 248 0 0 0 0 62 0 0
NCLNODE 584 0 0 0 0 16 0 0
TMPFS node 224 0 0 0 0 62 0 0
LTS VFS Cache 360 0 0 0 0 30 0 0
L VFS Cache 320 0 0 0 0 30 0 0
STS VFS Cache 144 0 0 0 0 62 0 0
cryptop 280 0 0 0 0 30 0 0
linux_dma_object 24 0 0 0 0 254 0 0
linux_dma_pctrie 144 0 0 0 0 62 0 0
IOMMU_MAP_ENTRY 120 0 0 0 0 126 0 0
ktls_session 192 0 0 0 0 62 0 0
mbuf_jumbo_16k 16384 0 0 0 0 254 0 0
mbuf_jumbo_9k 9216 0 0 0 0 254 0 0
audit_record 1280 0 0 0 0 8 0 0
domainset 40 0 0 0 0 254 0 0
MAC labels 40 0 0 0 0 254 0 0
vnpbuf 2624 0 0 0 0 64 0 0
mdpbuf 2624 0 0 0 0 3 0 0
nfspbuf 2624 0 0 0 0 16 0 0
swwbuf 2624 0 0 0 0 8 0 0
swrbuf 2624 0 0 0 0 16 0 0
umtx_shm 88 0 0 0 0 126 0 0
umtx pi 96 0 0 0 0 126 0 0
rangeset pctrie nodes 144 0 0 0 0 62 0 0
malloc-65536 65536 0 0 0 0 1 0 0
malloc-65536 65536 0 0 0 0 1 0 0
malloc-65536 65536 0 0 0 0 1 0 0
malloc-32768 32768 0 0 0 0 1 0 0
malloc-32768 32768 0 0 0 0 1 0 0
malloc-32768 32768 0 0 0 0 1 0 0
malloc-32768 32768 0 0 0 0 1 0 0
malloc-32768 32768 0 0 0 0 1 0 0
malloc-8192 8192 0 0 0 0 1 0 0
malloc-8192 8192 0 0 0 0 1 0 0
malloc-4096 4096 0 0 0 0 2 0 0
malloc-256 256 0 0 0 0 62 0 0
malloc-256 256 0 0 0 0 62 0 0
malloc-256 256 0 0 0 0 62 0 0
malloc-256 256 0 0 0 0 62 0 0
malloc-256 256 0 0 0 0 62 0 0
malloc-256 256 0 0 0 0 62 0 0
malloc-256 256 0 0 0 0 62 0 0
malloc-256 256 0 0 0 0 62 0 0
malloc-128 128 0 0 0 0 126 0 0
malloc-128 128 0 0 0 0 126 0 0
malloc-128 128 0 0 0 0 126 0 0
malloc-128 128 0 0 0 0 126 0 0
malloc-128 128 0 0 0 0 126 0 0
malloc-128 128 0 0 0 0 126 0 0
malloc-128 128 0 0 0 0 126 0 0
malloc-128 128 0 0 0 0 126 0 0
malloc-64 64 0 0 0 0 254 0 0
malloc-64 64 0 0 0 0 254 0 0
malloc-64 64 0 0 0 0 254 0 0
malloc-64 64 0 0 0 0 254 0 0
malloc-64 64 0 0 0 0 254 0 0
malloc-64 64 0 0 0 0 254 0 0
malloc-64 64 0 0 0 0 254 0 0
malloc-64 64 0 0 0 0 254 0 0
malloc-32 32 0 0 0 0 254 0 0
malloc-32 32 0 0 0 0 254 0 0
malloc-32 32 0 0 0 0 254 0 0
malloc-32 32 0 0 0 0 254 0 0
malloc-32 32 0 0 0 0 254 0 0
malloc-32 32 0 0 0 0 254 0 0
malloc-32 32 0 0 0 0 254 0 0
malloc-32 32 0 0 0 0 254 0 0
malloc-16 16 0 0 0 0 254 0 0
malloc-16 16 0 0 0 0 254 0 0
malloc-16 16 0 0 0 0 254 0 0
malloc-16 16 0 0 0 0 254 0 0
malloc-16 16 0 0 0 0 254 0 0
malloc-16 16 0 0 0 0 254 0 0
malloc-16 16 0 0 0 0 254 0 0
malloc-16 16 0 0 0 0 254 0 0
pcpu-32 32 0 0 0 0 254 0 0
pcpu-4 4 0 0 0 0 254 0 0
fakepg 104 0 0 0 0 126 0 0
UMA Hash 256 0 0 0 0 62 0 0

syzbot

May 17, 2021, 9:29:28 PM5/17/21
to syzkaller-f...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 4224dbf4 xen: Remove leftover bits missed in commit ac3ede..
console output: https://syzkaller.appspot.com/x/log.txt?x=17368f2dd00000
dashboard link: https://syzkaller.appspot.com/bug?extid=d627d01a95da99bb5db6
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15aef70dd00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15dbb51dd00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d627d0...@syzkaller.appspotmail.com

panic: Memory modified after free 0xfffff80024b71600(256) val=214e7e44 @ 0xfffff80024b71600

cpuid = 0
time = 1621301200
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe008878a420
vpanic() at vpanic+0x1c7/frame 0xfffffe008878a480
panic() at panic+0x43/frame 0xfffffe008878a4e0
trash_ctor() at trash_ctor+0xa8/frame 0xfffffe008878a520
item_ctor() at item_ctor+0x1c8/frame 0xfffffe008878a580
tcp_output() at tcp_output+0x22ab/frame 0xfffffe008878a760
tcp_usr_send() at tcp_usr_send+0x762/frame 0xfffffe008878a840
sosend_generic() at sosend_generic+0x99d/frame 0xfffffe008878a930
sosend() at sosend+0xc6/frame 0xfffffe008878a9a0
soo_write() at soo_write+0x62/frame 0xfffffe008878a9e0
dofilewrite() at dofilewrite+0xb0/frame 0xfffffe008878aa30
sys_write() at sys_write+0x10c/frame 0xfffffe008878aab0
amd64_syscall() at amd64_syscall+0x247/frame 0xfffffe008878abf0
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe008878abf0
--- syscall (4, FreeBSD ELF64, sys_write), rip = 0x80090d1ea, rsp = 0x7fffffffa4b8, rbp = 0x7fffffffa4f0 ---
KDB: enter: panic
[ thread pid 781 tid 100117 ]
Stopped at kdb_enter+0x67: movq $0,0x163930e(%rip)
db>
db> set $lines = 0
db> set $maxwidth = 0
db> show registers
cs 0x20
ds 0x3b
es 0x3b
fs 0x13
gs 0x1b
ss 0x28
rax 0x12
rcx 0x80
rdx 0xffffffff819c26b1
rbx 0
rsp 0xfffffe008878a400
rbp 0xfffffe008878a420
rsi 0x1
rdi 0
r8 0
r9 0x8080808080808080
r10 0xfffffe008878a2f0
r11 0x1ff77fff59c
r12 0xffffffff82267b80 ddb_dbbe
r13 0
r14 0xffffffff81a73b35
r15 0xffffffff81a73b35
rip 0xffffffff8112faf7 kdb_enter+0x67
rflags 0x86
kdb_enter+0x67: movq $0,0x163930e(%rip)
db> show proc
Process 781 (sshd) at 0xfffff800268b2a70:
state: NORMAL
uid: 0 gids: 0
parent: pid 694 at 0xfffff800262d7000
ABI: FreeBSD ELF64
flag: 0x10004100 flag2: 0
arguments: sshd: root@notty
reaper: 0xfffff80004bc7538 reapsubtree: 1
sigparent: 20
vmspace: 0xfffffe00042273e0
(map 0xfffffe00042273e0)
(map.pmap 0xfffffe00042274a0)
(pmap 0xfffffe0004227500)
threads: 1
100117 Run CPU 0 sshd
db> ps
pid ppid pgrp uid state wmesg wchan cmd
842 785 783 0 R CPU 1 syz-executor8578089
785 783 783 0 S nanslp 0xffffffff8273c560 syz-executor8578089
783 781 783 0 Ss pause 0xfffff800268b25e8 csh
781 694 781 0 Rs CPU 0 sshd
760 1 760 0 Ss+ ttyin 0xfffff80015465cb0 getty
759 1 759 0 Ss+ ttyin 0xfffff80015afe4b0 getty
758 1 758 0 Ss+ ttyin 0xfffff80015afecb0 getty
757 1 757 0 Ss+ ttyin 0xfffff80015a864b0 getty
756 1 756 0 Ss+ ttyin 0xfffff80015a86cb0 getty
755 1 755 0 Ss+ ttyin 0xfffff80015a8a4b0 getty
754 1 754 0 Ss+ ttyin 0xfffff80015a8acb0 getty
753 1 753 0 Ss+ ttyin 0xfffff80015a8d4b0 getty
752 1 752 0 Ss+ ttyin 0xfffff80015a8dcb0 getty
750 1 24 0 S+ piperd 0xfffff800264515d0 logger
749 748 24 0 S+ nanslp 0xffffffff8273c561 sleep
748 1 24 0 S+ wait 0xfffff80015ca3000 sh
698 1 698 0 Ss nanslp 0xffffffff8273c561 cron
694 1 694 0 Ss select 0xfffff80015ec5140 sshd
507 1 507 0 Ss select 0xfffff8002635ebc0 syslogd
436 1 436 0 Ss select 0xfffff80015eada40 devd
435 1 435 65 Ss select 0xfffff80015eadec0 dhclient
350 1 350 0 Ss select 0xfffff80015db7740 dhclient
347 1 347 0 Ss select 0xfffff80015ec52c0 dhclient
23 0 0 0 DL vlruwt 0xfffff80015ca3538 [vnlru]
22 0 0 0 DL syncer 0xffffffff8282b9d0 [syncer]
21 0 0 0 DL (threaded) [bufdaemon]
100081 D qsleep 0xffffffff8282aa80 [bufdaemon]
100086 D - 0xffffffff8220ae80 [bufspacedaemon-0]
100098 D sdflush 0xfffff80004dfc4e8 [/ worker]
20 0 0 0 DL psleep 0xffffffff828528c8 [vmdaemon]
19 0 0 0 DL (threaded) [pagedaemon]
100079 D psleep 0xffffffff82846d38 [dom0]
100087 D launds 0xffffffff82846d44 [laundry: dom0]
100088 D umarcl 0xffffffff815cb470 [uma]
18 0 0 0 DL - 0xffffffff82570908 [rand_harvestq]
17 0 0 0 DL waiting 0xffffffff8302c828 [sctp_iterator]
16 0 0 0 DL pftm 0xffffffff82d783c0 [pf purge]
15 0 0 0 DL - 0xffffffff828280dc [soaiod4]
9 0 0 0 DL - 0xffffffff828280dc [soaiod3]
8 0 0 0 DL - 0xffffffff828280dc [soaiod2]
7 0 0 0 DL - 0xffffffff828280dc [soaiod1]
6 0 0 0 DL (threaded) [cam]
100044 D - 0xffffffff82447dc0 [doneq0]
100045 D - 0xffffffff82447d40 [async]
100078 D - 0xffffffff82447c10 [scanner]
14 0 0 0 DL seqstat 0xfffff80004dcbc88 [sequencer 00]
5 0 0 0 DL crypto_ 0xfffff80004d99d80 [crypto returns 1]
4 0 0 0 DL crypto_ 0xfffff80004d99d30 [crypto returns 0]
3 0 0 0 DL crypto_ 0xffffffff82844220 [crypto]
13 0 0 0 DL (threaded) [geom]
100035 D - 0xffffffff8271bda0 [g_event]
100036 D - 0xffffffff8271bda8 [g_up]
100037 D - 0xffffffff8271bdb0 [g_down]
2 0 0 0 DL (threaded) [KTLS]
100028 D - 0xfffff80004c39d00 [thr_0]
100029 D - 0xfffff80004c39d80 [thr_1]
12 0 0 0 WL (threaded) [intr]
100012 I [swi5: fast taskq]
100015 I [swi6: task queue]
100017 I [swi6: Giant taskq]
100030 I [swi4: clock (0)]
100031 I [swi4: clock (1)]
100032 I [swi1: netisr 0]
100033 I [swi3: vm]
100046 I [irq24: virtio_pci0]
100047 I [irq25: virtio_pci0]
100048 I [irq26: virtio_pci0]
100049 I [irq27: virtio_pci0]
100050 I [irq28: virtio_pci1]
100051 I [irq29: virtio_pci1]
100052 I [irq30: virtio_pci1]
100053 I [irq31: virtio_pci1]
100054 I [irq32: virtio_pci1]
100059 I [irq10: virtio_pci2]
100061 I [irq1: atkbd0]
100062 I [irq12: psm0]
100063 I [swi0: uart uart++]
100071 I [swi1: pf send]
100084 I [swi1: hpts]
100085 I [swi1: hpts]
11 0 0 0 RL (threaded) [idle]
100003 CanRun [idle: cpu0]
100004 CanRun [idle: cpu1]
1 0 1 0 SLs wait 0xfffff80004bc7538 [init]
10 0 0 0 DL audit_w 0xffffffff82844730 [audit]
0 0 0 0 DLs (threaded) [kernel]
100000 D swapin 0xffffffff8271c330 [swapper]
100005 D - 0xfffff80004c63d00 [if_config_tqg_0]
100006 D - 0xfffff80004c63900 [softirq_0]
100007 D - 0xfffff80004c63500 [softirq_1]
100008 D - 0xfffff80004c63100 [if_io_tqg_0]
100009 D - 0xfffff80004c61d00 [if_io_tqg_1]
100010 D - 0xfffff80004c5fd00 [in6m_free taskq]
100011 D - 0xfffff80004c5f900 [aiod_kick taskq]
100013 D - 0xfffff80004c5f100 [kqueue_ctx taskq]
100014 D - 0xfffff80004c58d00 [pci_hp taskq]
100016 D - 0xfffff80004c58500 [inm_free taskq]
100018 D - 0xfffff80004c53d00 [linuxkpi_irq_wq]
100019 D - 0xfffff80004c53900 [thread taskq]
100020 D - 0xfffff80004c53500 [linuxkpi_short_wq_0]
100021 D - 0xfffff80004c53500 [linuxkpi_short_wq_1]
100022 D - 0xfffff80004c53500 [linuxkpi_short_wq_2]
100023 D - 0xfffff80004c53500 [linuxkpi_short_wq_3]
100024 D - 0xfffff80004c53100 [linuxkpi_long_wq_0]
100025 D - 0xfffff80004c53100 [linuxkpi_long_wq_1]
100026 D - 0xfffff80004c53100 [linuxkpi_long_wq_2]
100027 D - 0xfffff80004c53100 [linuxkpi_long_wq_3]
100034 D - 0xfffff80004c39900 [firmware taskq]
100038 D - 0xfffff80004c39500 [crypto_0]
100039 D - 0xfffff80004c39500 [crypto_1]
100055 D - 0xfffff800153dc900 [vtnet0 rxq 0]
100056 D - 0xfffff800153dc500 [vtnet0 txq 0]
100057 D - 0xfffff800153dc100 [vtnet0 rxq 1]
100058 D - 0xfffff800153c6d00 [vtnet0 txq 1]
100060 D vtbslp 0xfffff80015429500 [virtio_balloon]
100064 D - 0xfffff800153c6900 [mca taskq]
100066 D - 0xffffffff81e20400 [deadlkres]
100074 D - 0xfffff80015a19900 [acpi_task_0]
100075 D - 0xfffff80015a19900 [acpi_task_1]
100076 D - 0xfffff80015a19900 [acpi_task_2]
100077 D - 0xfffff80004c39100 [CAM taskq]
db> show all locks
Process 781 (sshd) thread 0xfffffe0094f8cc80 (100117)
exclusive sleep mutex so_snd (so_snd) r = 0 (0xfffff8002624c260) locked @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:355
exclusive rw tcpinp (tcpinp) r = 0 (0xfffff80026217d78) locked @ /syzkaller/managers/main/kernel/sys/netinet/tcp_usrreq.c:989
exclusive sx so_snd_sx (so_snd_sx) r = 0 (0xfffff8002624c280) locked @ /syzkaller/managers/main/kernel/sys/kern/uipc_sockbuf.c:467
db> show malloc
Type InUse MemUse Requests
sysctloid 34288 12858K 34355
pf_hash 5 11560K 5
devbuf 4216 6982K 4241
tcp_hpts 5 3219K 5
kobj 328 2624K 488
vtbuf 24 2064K 46
newblk 545 1304K 602
vfscache 3 1035K 3
acpica 1674 649K 55230
pcb 26 613K 134
inodedep 44 563K 71
callout 2 528K 2
ufs_quota 1 520K 1
vfs_hash 1 520K 1
intr 4 480K 4
subproc 102 431K 898
bus 990 378K 3499
linker 348 270K 397
DEVFS1 103 206K 112
module 512 192K 512
vnet_data 1 176K 1
tidhash 3 164K 3
pagedep 14 143K 18
kdtrace 167 138K 963
tfo_ccache 1 136K 1
sem 4 120K 4
umtx 242 106K 242
UMA 270 102K 270
audit_evclass 236 89K 294
mtx_pool 2 80K 2
syncache 1 76K 1
temp 18 71K 1613
msg 4 68K 4
BPF 10 68K 10
acpitask 1 64K 1
ddb_capture 1 64K 1
DEVFS3 122 61K 132
gtaskqueue 18 57K 18
vmem 3 56K 4
DEVFS_RULE 56 54K 56
kenv 95 52K 95
eventhandler 133 50K 133
ithread 99 43K 99
rman 84 42K 425
ifaddr 30 40K 32
KTRACE 100 38K 100
taskqueue 60 36K 60
proc 3 34K 3
ufs_mount 5 34K 6
bus-sc 33 34K 1710
routetbl 50 34K 176
devstat 4 33K 4
hostcache 1 32K 1
tty 16 32K 16
shm 1 32K 1
GEOM 60 29K 489
kbdmux 6 28K 6
cred 23 23K 234
CAM queue 5 21K 1528
pfs_nodes 20 20K 20
kqueue 47 18K 845
pwddesc 47 18K 843
UART 12 18K 12
plimit 17 17K 322
ksem 1 16K 1
rpc 2 16K 2
bmsafemap 1 16K 41
shmfd 1 16K 1
pfs_vncache 1 16K 1
ether_multi 40 15K 50
proc-args 39 15K 488
ufs_dirhash 24 14K 24
sglist 5 13K 5
MCA 32 12K 32
CAM DEV 3 12K 510
vt 11 11K 11
in6_multi 25 11K 25
acpisem 28 11K 28
CAM XPT 22 11K 543
Unitno 27 11K 39
session 20 10K 31
diradd 25 10K 36
lltable 11 9K 11
uidinfo 3 9K 8
dirrem 17 9K 28
ifnet 3 9K 3
memdesc 1 8K 1
ipsec-saq 2 8K 2
evdev 4 8K 4
filedesc 1 8K 1
acpidev 20 8K 20
selfd 20 8K 12720
hhook 15 8K 17
mount 16 7K 90
pf_ifnet 5 6K 6
fpukern_ctx 3 6K 3
lockf 15 6K 22
terminal 11 6K 11
inpcbpolicy 13 5K 194
ipsecpolicy 2 5K 2
encap_export_host 12 5K 12
clone 9 5K 9
local_apic 1 4K 1
io_apic 1 4K 1
sahead 1 4K 1
secasvar 1 4K 1
pci_link 10 4K 10
msi 9 4K 9
DEVFS 9 4K 10
osd 8 4K 76
ipsec 3 3K 3
nhops 6 3K 6
nexusdev 7 3K 7
ip6opt 6 3K 117
feeder 7 3K 7
select 7 3K 29
toponodes 6 3K 6
prison 6 3K 6
isadev 6 3K 6
softdep 1 2K 1
vnodemarker 2 2K 10
NFSD session 1 2K 1
sctp_ifa 5 2K 6
linux 5 2K 6
CAM periph 4 2K 271
soname 5 2K 3288
crypto 4 2K 4
ip6ndp 4 2K 5
DEVFSP 4 2K 9
newdirblk 4 2K 8
mkdir 4 2K 16
indirdep 3 2K 3
pfil 4 2K 4
CAM path 4 2K 1034
filecaps 4 2K 66
tcpfunc 3 2K 3
tun 3 2K 3
loginclass 3 2K 7
in_multi 2 1K 4
chacha20random 1 1K 1
vnodes 1 1K 1
CAM SIM 2 1K 2
ktls 1 1K 1
cdev 2 1K 2
aesni_data 2 1K 2
sctp_ifn 2 1K 6
cpus 2 1K 2
atkbddev 2 1K 2
CAM dev queue 2 1K 2
xform 2 1K 49
mld 2 1K 2
igmp 2 1K 2
entropy 2 1K 35
NFSD lckfile 1 1K 1
NFSD V4client 1 1K 1
procdesc 1 1K 6
pmchooks 1 1K 1
sctp_vrf 1 1K 1
apmdev 1 1K 1
CAM I/O Scheduler 1 1K 1
freework 1 1K 26
vnet_data_free 1 1K 1
vnet 1 1K 1
Per-cpu 1 1K 1
p1003.1b 1 1K 1
acpiintr 1 1K 1
pmc 1 1K 1
chd data 0 0K 0
vegas data 0 0K 0
mqdata 0 0K 0
sctp_mcore 0 0K 0
sctp_socko 0 0K 0
sctp_iter 0 0K 3
sctp_mvrf 0 0K 0
sctp_timw 0 0K 0
sctp_cpal 0 0K 0
sctp_cmsg 0 0K 0
sctp_stre 0 0K 0
sctp_athi 0 0K 0
sctp_athm 0 0K 0
sctp_atky 0 0K 0
sctp_atcl 0 0K 0
sctp_a_it 0 0K 3
sctp_aadr 0 0K 0
sctp_stro 0 0K 0
sctp_stri 0 0K 0
sctp_map 0 0K 0
cubic data 0 0K 0
htcp data 0 0K 0
dctcp data 0 0K 0
cdg data 0 0K 0
tcp_do 0 0K 0
tcp_fsb 0 0K 0
pf_table 0 0K 0
pf_rule 0 0K 0
pf_altq 0 0K 0
pf_osfp 0 0K 0
pf_temp 0 0K 0
savedino 0 0K 16
sentinel 0 0K 0
jfsync 0 0K 0
jtrunc 0 0K 0
sbdep 0 0K 3
jsegdep 0 0K 0
jseg 0 0K 0
jfreefrag 0 0K 0
jfreeblk 0 0K 0
jnewblk 0 0K 0
jmvref 0 0K 0
jremref 0 0K 0
jaddref 0 0K 0
freedep 0 0K 0
freefile 0 0K 9
freeblks 0 0K 25
freefrag 0 0K 7
allocindir 0 0K 0
allocdirect 0 0K 0
ufs_trim 0 0K 0
mactemp 0 0K 0
audit_trigger 0 0K 0
audit_pipe_presel 0 0K 0
audit_pipeent 0 0K 0
audit_pipe 0 0K 0
audit_evname 0 0K 0
audit_bsm 0 0K 0
audit_gidset 0 0K 0
audit_text 0 0K 0
audit_path 0 0K 0
audit_data 0 0K 0
audit_cred 0 0K 0
ip_moptions 0 0K 0
in_mfilter 0 0K 0
ipid 0 0K 0
80211scan 0 0K 0
80211ratectl 0 0K 0
80211power 0 0K 0
80211nodeie 0 0K 0
80211node 0 0K 0
80211mesh_gt 0 0K 0
80211mesh_rt 0 0K 0
80211perr 0 0K 0
80211prep 0 0K 0
80211preq 0 0K 0
80211dfs 0 0K 0
80211crypto 0 0K 0
80211vap 0 0K 0
iflib 0 0K 0
vlan 0 0K 0
gif 0 0K 0
ifdescr 0 0K 0
zlib 0 0K 0
fadvise 0 0K 0
VN POLL 0 0K 0
twa_commands 0 0K 0
statfs 0 0K 195
namei_tracker 0 0K 0
export_host 0 0K 0
cl_savebuf 0 0K 6
tcp_log_dev 0 0K 0
midi buffers 0 0K 0
mixer 0 0K 0
ac97 0 0K 0
hdacc 0 0K 0
hdac 0 0K 0
hdaa 0 0K 0
acpicmbat 0 0K 0
SIIS driver 0 0K 0
CAM CCB 0 0K 1786
PUC 0 0K 0
ppbusdev 0 0K 0
agtiapi_MemAlloc malloc 0 0K 0
osti_cacheable 0 0K 0
tempbuff 0 0K 0
biobuf 0 0K 0
aios 0 0K 0
lio 0 0K 0
acl 0 0K 0
tempbuff 0 0K 0
mbuf_tag 0 0K 27
ag_tgt_map_t malloc 0 0K 0
ag_slr_map_t malloc 0 0K 0
lDevFlags * malloc 0 0K 0
tiDeviceHandle_t * malloc 0 0K 0
ag_portal_data_t malloc 0 0K 0
ag_device_t malloc 0 0K 0
STLock malloc 0 0K 0
CCB List 0 0K 0
sr_iov 0 0K 0
OCS 0 0K 0
OCS 0 0K 0
nvme 0 0K 0
nvd 0 0K 0
netmap 0 0K 0
mwldev 0 0K 0
MVS driver 0 0K 0
CAM ccb queue 0 0K 0
mrsasbuf 0 0K 0
mpt_user 0 0K 0
mps_user 0 0K 0
accf 0 0K 0
pts 0 0K 0
iov 0 0K 13508
ioctlops 0 0K 86
eventfd 0 0K 0
Witness 0 0K 0
stack 0 0K 0
MPSSAS 0 0K 0
mps 0 0K 0
mpr_user 0 0K 0
MPRSAS 0 0K 0
mpr 0 0K 0
mfibuf 0 0K 0
sbuf 0 0K 288
md_sectors 0 0K 0
firmware 0 0K 0
compressor 0 0K 0
md_disk 0 0K 0
SWAP 0 0K 0
malodev 0 0K 0
LED 0 0K 0
sysctltmp 0 0K 618
sysctl 0 0K 3
ekcd 0 0K 0
dumper 0 0K 0
sendfile 0 0K 0
rctl 0 0K 0
ix_sriov 0 0K 0
aacraidcam 0 0K 0
aacraid_buf 0 0K 0
ix 0 0K 0
ipsbuf 0 0K 0
cache 0 0K 0
iirbuf 0 0K 0
kcovinfo 0 0K 0
NFSD string 0 0K 0
db> show uma
Zone Size Used Free Requests Sleeps Bucket Total Mem XFree
mbuf_jumbo_page 4096 8320 562 13285 0 254 36380672 0
malloc-384 384 34654 66 36608 0 30 13332480 0
malloc-1024 1024 4143 13 4362 0 16 4255744 0
malloc-8192 8192 329 2 489 0 1 2711552 0
pbuf 2624 0 989 0 0 2 2595136 0
mbuf 256 8579 571 15204 0 254 2342400 0
BUF TRIE 144 170 13298 447 0 62 1939392 0
UMA Slabs 0 112 11057 28 11057 0 126 1241520 0
malloc-384 384 1908 42 72277 0 30 748800 0
FFS inode 1160 499 19 509 0 8 600880 0
malloc-384 384 1254 26 3723 0 30 491520 0
malloc-8192 8192 56 3 852 0 1 483328 0
malloc-384 384 996 14 3334 0 30 387840 0
lkpimm 160 1 2324 1 0 62 372000 0
lkpicurr 160 2 2323 2 0 62 372000 0
malloc-512 512 618 46 801 0 30 339968 0
RADIX NODE 144 2132 189 21017 0 62 334224 0
malloc-65536 65536 4 0 4 0 1 262144 0
VM OBJECT 264 898 62 13165 0 30 253440 0
VNODE 448 529 20 541 0 30 245952 0
malloc-384 384 589 21 733 0 30 234240 0
malloc-16384 16384 11 3 273 0 1 229376 0
DEVCTL 1024 0 216 116 0 0 221184 0
malloc-2048 2048 103 5 112 0 8 221184 0
THREAD 1808 119 2 119 0 8 218768 0
malloc-65536 65536 1 2 178 0 1 196608 0
malloc-16384 16384 10 2 14 0 1 196608 0
UMA Zones 768 242 2 242 0 16 187392 0
malloc-32768 32768 3 2 148 0 1 163840 0
malloc-4096 4096 2 37 1789 0 2 159744 0
malloc-1024 1024 153 3 874 0 16 159744 0
256 Bucket 2048 56 16 9682 0 8 147456 0
vmem btag 56 2333 103 2333 0 254 136416 0
malloc-512 512 238 26 949 0 30 135168 0
malloc-65536 65536 2 0 2 0 1 131072 0
malloc-8192 8192 14 2 134 0 1 131072 0
FFS2 dinode 256 499 11 508 0 62 130560 0
ksiginfo 112 38 1006 54 0 126 116928 0
MAP ENTRY 96 847 371 38671 0 126 116928 0
malloc-1024 1024 90 18 149 0 16 110592 0
malloc-1024 1024 96 8 687 0 16 106496 0
S VFS Cache 104 966 48 1005 0 126 105456 0
malloc-16384 16384 6 0 6 0 1 98304 0
malloc-512 512 169 7 194 0 30 90112 0
UMA Kegs 384 227 6 227 0 30 89472 0
VMSPACE 2544 24 9 821 0 4 83952 0
g_bio 408 0 180 4600 0 30 73440 0
PROC 1336 46 8 842 0 8 72144 0
filedesc0 1072 47 16 843 0 8 67536 0
mbuf_cluster 2048 30 2 30 0 254 65536 0
malloc-65536 65536 1 0 1 0 1 65536 0
malloc-65536 65536 1 0 1 0 1 65536 0
malloc-32768 32768 2 0 2 0 1 65536 0
malloc-32768 32768 2 0 2 0 1 65536 0
malloc-512 512 72 56 392 0 30 65536 0
malloc-384 384 87 73 12862 0 30 61440 0
malloc-1024 1024 53 3 57 0 16 57344 0
malloc-4096 4096 5 8 515 0 2 53248 0
32 Bucket 256 66 129 10064 0 62 49920 0
malloc-16384 16384 3 0 3 0 1 49152 0
malloc-16384 16384 1 2 4 0 1 49152 0
malloc-8192 8192 4 2 534 0 1 49152 0
malloc-2048 2048 18 6 22 0 8 49152 0
malloc-2048 2048 8 16 516 0 8 49152 0
malloc-384 384 74 46 626 0 30 46080 0
malloc-4096 4096 6 5 74 0 2 45056 0
malloc-2048 2048 9 13 1185 0 8 45056 0
clpbuf 2624 0 16 20 0 16 41984 0
DIRHASH 1024 34 2 34 0 16 36864 0
NAMEI 1024 0 36 11991 0 16 36864 0
pcpu-8 8 4210 398 4238 0 254 36864 0
128 Bucket 1024 22 13 145 0 16 35840 0
malloc-16384 16384 2 0 2 0 1 32768 0
malloc-4096 4096 6 2 22 0 2 32768 0
malloc-4096 4096 8 0 199 0 2 32768 0
malloc-1024 1024 30 2 31 0 16 32768 0
pcpu-64 64 486 26 486 0 254 32768 0
malloc-4096 4096 7 0 7 0 2 28672 0
64 Bucket 512 41 15 1358 0 30 28672 0
socket 944 19 9 1310 0 254 26432 0
pipe 744 7 28 284 0 16 26040 0
malloc-8192 8192 1 2 197 0 1 24576 0
malloc-8192 8192 3 0 3 0 1 24576 0
malloc-4096 4096 2 4 268 0 2 24576 0
malloc-512 512 18 30 161 0 30 24576 0
ttyinq 160 135 15 300 0 62 24000 0
ttyoutq 256 72 18 160 0 62 23040 0
malloc-2048 2048 9 1 9 0 8 20480 0
malloc-2048 2048 9 1 9 0 8 20480 0
malloc-1024 1024 2 18 21 0 16 20480 0
malloc-512 512 12 28 1220 0 30 20480 0
malloc-512 512 26 14 301 0 30 20480 0
2 Bucket 32 79 551 1262 0 254 20160 0
TURNSTILE 136 122 25 122 0 62 19992 0
Mountpoints 2752 2 5 2 0 4 19264 0
malloc-384 384 29 21 160 0 30 19200 0
malloc-16384 16384 1 0 1 0 1 16384 0
malloc-16384 16384 1 0 1 0 1 16384 0
tcpcb 1064 4 10 64 0 254 14896 0
SLEEPQUEUE 88 122 38 122 0 126 14080 0
malloc-512 512 13 11 19 0 30 12288 0
ertt_txseginfo 40 0 303 260 0 254 12120 0
Files 80 72 78 6557 0 126 12000 0
8 Bucket 80 35 115 379 0 126 12000 0
tcp_inpcb 488 6 18 64 0 254 11712 0
udp_inpcb 488 6 18 126 0 254 11712 0
kenv 258 15 30 1044 0 30 11610 0
malloc-2048 2048 0 4 4 0 8 8192 0
malloc-2048 2048 4 0 4 0 8 8192 0
malloc-1024 1024 0 8 19 0 16 8192 0
rtentry 176 13 33 17 0 62 8096 0
PGRP 88 20 72 31 0 126 8096 0
rl_entry 40 31 171 31 0 254 8080 0
udpcb 32 6 246 126 0 254 8064 0
ertt 72 4 108 64 0 126 8064 0
PWD 32 10 242 100 0 254 8064 0
16 Bucket 144 34 22 1303 0 62 8064 0
4 Bucket 48 5 163 64 0 254 8064 0
vtnet_tx_hdr 24 0 334 977 0 254 8016 0
ripcb 488 1 15 4 0 254 7808 0
routing nhops 256 10 20 17 0 62 7680 0
unpcb 256 7 23 1099 0 254 7680 0
mbuf_packet 256 0 30 93 0 254 7680 0
FPU_save_area 832 1 8 1 0 16 7488 0
cpuset 104 7 55 7 0 126 6448 0
epoch_record pcpu 256 4 12 4 0 62 4096 0
pcpu-16 16 7 249 7 0 254 4096 0
sctp_laddr 48 0 84 4 0 254 4032 0
hostcache 64 1 62 1 0 254 4032 0
syncache 168 0 24 5 0 254 4032 0
KNOTE 160 0 25 8 0 62 4000 0
UMA Slabs 1 176 8 14 8 0 62 3872 0
mqnode 416 3 6 3 0 30 3744 0
KMAP ENTRY 96 12 27 12 0 0 3744 0
vmem 1856 1 1 1 0 8 3712 0
SMR CPU 32 3 60 3 0 254 2016 0
SMR SHARED 24 3 60 3 0 254 1512 0
FFS1 dinode 128 0 0 0 0 126 0 0
da_ccb 544 0 0 0 0 16 0 0
ada_ccb 272 0 0 0 0 30 0 0
swblk 136 0 0 0 0 62 0 0
swpctrie 144 0 0 0 0 62 0 0
cdg_qdiffsample 16 0 0 0 0 254 0 0
sctp_asconf_ack 48 0 0 0 0 254 0 0
sctp_asconf 40 0 0 0 0 254 0 0
sctp_stream_msg_out 112 0 0 0 0 254 0 0
sctp_readq 152 0 0 0 0 254 0 0
sctp_chunk 152 0 0 0 0 254 0 0
sctp_raddr 736 0 0 0 0 254 0 0
sctp_asoc 2288 0 0 0 0 254 0 0
sctp_ep 1280 0 0 0 0 254 0 0
pf state scrubs 40 0 0 0 0 254 0 0
pf frag entries 40 0 0 0 0 254 0 0
pf frags 248 0 0 0 0 62 0 0
pf table entries 160 0 0 0 0 62 0 0
pf table entry counters 64 0 0 0 0 254 0 0
pf source nodes 136 0 0 0 0 254 0 0
pf state keys 88 0 0 0 0 126 0 0
pf states 296 0 0 0 0 254 0 0
pf tags 104 0 0 0 0 126 0 0
pf mtags 48 0 0 0 0 254 0 0
tcp_rack_pcb 832 0 0 0 0 16 0 0
tcp_rack_map 112 0 0 0 0 126 0 0
tcp_bbr_pcb 832 0 0 0 0 16 0 0
tcp_bbr_map 128 0 0 0 0 126 0 0
udplite_inpcb 488 0 0 0 0 254 0 0
domainset 40 0 0 0 0 254 0 0
MAC labels 40 0 0 0 0 254 0 0
vnpbuf 2624 0 0 0 0 64 0 0
mdpbuf 2624 0 0 0 0 3 0 0
nfspbuf 2624 0 0 0 0 16 0 0
swwbuf 2624 0 0 0 0 8 0 0
swrbuf 2624 0 0 0 0 16 0 0
umtx_shm 88 0 0 0 0 126 0 0
umtx pi 96 0 0 0 0 126 0 0
rangeset pctrie nodes 144 0 0 0 0 62 0 0
malloc-65536 65536 0 0 0 0 1 0 0
malloc-65536 65536 0 0 0 0 1 0 0
malloc-65536 65536 0 0 0 0 1 0 0
malloc-32768 32768 0 0 0 0 1 0 0
malloc-32768 32768 0 0 0 0 1 0 0
malloc-32768 32768 0 0 0 0 1 0 0
malloc-32768 32768 0 0 0 0 1 0 0
malloc-32768 32768 0 0 0 0 1 0 0
malloc-8192 8192 0 0 0 0 1 0 0
malloc-8192 8192 0 0 0 0 1 0 0
malloc-4096 4096 0 0 0 0 2 0 0
malloc-256 256 0 0 0 0 62 0 0
malloc-256 256 0 0 0 0 62 0 0
malloc-256 256 0 0 0 0 62 0 0
malloc-256 256 0 0 0 0 62 0 0
malloc-256 256 0 0 0 0 62 0 0
malloc-256 256 0 0 0 0 62 0 0
malloc-256 256 0 0 0 0 62 0 0
malloc-256 256 0 0 0 0 62 0 0
malloc-128 128 0 0 0 0 126 0 0
malloc-128 128 0 0 0 0 126 0 0
malloc-128 128 0 0 0 0 126 0 0
malloc-128 128 0 0 0 0 126 0 0
malloc-128 128 0 0 0 0 126 0 0
malloc-128 128 0 0 0 0 126 0 0
malloc-128 128 0 0 0 0 126 0 0
malloc-128 128 0 0 0 0 126 0 0
malloc-64 64 0 0 0 0 254 0 0
malloc-64 64 0 0 0 0 254 0 0
malloc-64 64 0 0 0 0 254 0 0
malloc-64 64 0 0 0 0 254 0 0
malloc-64 64 0 0 0 0 254 0 0
malloc-64 64 0 0 0 0 254 0 0
malloc-64 64 0 0 0 0 254 0 0
malloc-64 64 0 0 0 0 254 0 0
malloc-32 32 0 0 0 0 254 0 0
malloc-32 32 0 0 0 0 254 0 0
malloc-32 32 0 0 0 0 254 0 0
malloc-32 32 0 0 0 0 254 0 0
malloc-32 32 0 0 0 0 254 0 0
malloc-32 32 0 0 0 0 254 0 0
malloc-32 32 0 0 0 0 254 0 0
malloc-32 32 0 0 0 0 254 0 0
malloc-16 16 0 0 0 0 254 0 0
malloc-16 16 0 0 0 0 254 0 0
malloc-16 16 0 0 0 0 254 0 0
malloc-16 16 0 0 0 0 254 0 0
malloc-16 16 0 0 0 0 254 0 0
malloc-16 16 0 0 0 0 254 0 0
malloc-16 16 0 0 0 0 254 0 0
malloc-16 16 0 0 0 0 254 0 0
pcpu-32 32 0 0 0 0 254 0 0
pcpu-4 4 0 0 0 0 254 0 0
fakepg 104 0 0 0 0 126 0 0
UMA Hash 256 0 0 0 0 62 0 0

Mark Johnston

May 21, 2021, 9:26:13 AM5/21/21
to syzbot, syzkaller-f...@googlegroups.com
#syz dup: panic: Memory modified after free ADDR(4096) val=ADDR @ ADDR