panic: acquiring bl o c kpaablniec s:le e p l o c k wi t h s p i n l o c k o r c ri t i c a l s e c t i
0 views
Skip to first unread message
syzbot
Mar 21, 2022, 8:44:10 AM3/21/22
to syzkaller-o...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 4ff57d1d979c Adjust to renaming of F_CTL_ACTIVE/F_PREF_ACT..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=160141cb700000
kernel config: https://syzkaller.appspot.com/x/.config?x=bf87b6915a88cd0d
dashboard link: https://syzkaller.appspot.com/bug?extid=5b2679ee9be0895d26f9
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5b2679...@syzkaller.appspotmail.com
panic: acquiring bl o c kpaablniec s:le e p l o c k wi t h s p i n l o c k o r c ri t i c a l s e c t i o n h el d ( k e r n e l _ l o ck ) & k e rn el _ l o ck
kStopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
* 9067 82003 0 0 0x4000000 1 syz-executor.1
177172 26158 0 0x14000 0x200 0 reaper
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825a56b6) at panic+0x177 sys/kern/subr_prf.c:202
witness_checkorder(ffffffff82b47030,9,0) at witness_checkorder+0x116d sys/kern/subr_witness.c:833
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 read_rflags machine/cpufunc.h:195 [inline]
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 intr_disable machine/cpufunc.h:216 [inline]
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 sys/kern/kern_lock.c:142
selwakeup(fffffd806e4aba90) at selwakeup+0x16 klist_empty sys/sys/event.h:361 [inline]
selwakeup(fffffd806e4aba90) at selwakeup+0x16 sys/kern/sys_generic.c:885
sorwakeup(fffffd806e4ab978) at sorwakeup+0xc9 sys/kern/uipc_socket.c:1699
rip6_input(ffff80002af39b08,ffff80002af39b14,85,18) at rip6_input+0x692 sys/netinet6/raw_ip6.c:224
ip_deliver(ffff80002af39b08,ffff80002af39b14,85,18) at ip_deliver+0x322 sys/netinet/ip_input.c:657
ip6_input_if(ffff80002af39b08,ffff80002af39b14,29,0,ffff80000019f2a8) at ip6_input_if+0x920
ipv6_input(ffff80000019f2a8,fffffd806889c100) at ipv6_input+0x48 sys/netinet6/ip6_input.c:169
if_input_local(ffff80000019f2a8,fffffd806889c100,18) at if_input_local+0x136 sys/net/if.c:778
ip6_output(fffffd8067ff0a00,ffff800000c10700,fffffd805d7e42f0,0,0,fffffd805d7e4278) at ip6_output+0xf57
rip6_output(fffffd8067ff0a00,fffffd806c4e7980,ffff80002af39e70,0) at rip6_output+0x4ad sys/netinet6/raw_ip6.c:490
rip6_usrreq(fffffd806c4e7980,9,fffffd8067ff0a00,0,0,ffff8000ffff3ce8) at rip6_usrreq+0x5d3 sys/netinet6/raw_ip6.c:679
end trace frame: 0xffff80002af39ff0, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
cpu0: kernel diagnostic assertion "!_kernel_lock_held()" failed: file "/syzkaller/managers/multicore/kernel/sys/uvm/uvm_map.c", line 2734
*cpu1: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825a56b6) at panic+0x177 sys/kern/subr_prf.c:202
witness_checkorder(ffffffff82b47030,9,0) at witness_checkorder+0x116d sys/kern/subr_witness.c:833
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 read_rflags machine/cpufunc.h:195 [inline]
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 intr_disable machine/cpufunc.h:216 [inline]
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 sys/kern/kern_lock.c:142
selwakeup(fffffd806e4aba90) at selwakeup+0x16 klist_empty sys/sys/event.h:361 [inline]
selwakeup(fffffd806e4aba90) at selwakeup+0x16 sys/kern/sys_generic.c:885
sorwakeup(fffffd806e4ab978) at sorwakeup+0xc9 sys/kern/uipc_socket.c:1699
rip6_input(ffff80002af39b08,ffff80002af39b14,85,18) at rip6_input+0x692 sys/netinet6/raw_ip6.c:224
ip_deliver(ffff80002af39b08,ffff80002af39b14,85,18) at ip_deliver+0x322 sys/netinet/ip_input.c:657
ip6_input_if(ffff80002af39b08,ffff80002af39b14,29,0,ffff80000019f2a8) at ip6_input_if+0x920
ipv6_input(ffff80000019f2a8,fffffd806889c100) at ipv6_input+0x48 sys/netinet6/ip6_input.c:169
if_input_local(ffff80000019f2a8,fffffd806889c100,18) at if_input_local+0x136 sys/net/if.c:778
ip6_output(fffffd8067ff0a00,ffff800000c10700,fffffd805d7e42f0,0,0,fffffd805d7e4278) at ip6_output+0xf57
rip6_output(fffffd8067ff0a00,fffffd806c4e7980,ffff80002af39e70,0) at rip6_output+0x4ad sys/netinet6/raw_ip6.c:490
rip6_usrreq(fffffd806c4e7980,9,fffffd8067ff0a00,0,0,ffff8000ffff3ce8) at rip6_usrreq+0x5d3 sys/netinet6/raw_ip6.c:679
sosend(fffffd806c4e7980,0,ffff80002af3a0a8,0,0,0) at sosend+0x632 sys/kern/uipc_socket.c:582
dofilewritev(ffff8000ffff3ce8,5,ffff80002af3a0a8,0,ffff80002af3a1a0) at dofilewritev+0x19c sys/kern/sys_generic.c:381
sys_write(ffff8000ffff3ce8,ffff80002af3a148,ffff80002af3a1a0) at sys_write+0x83 sys/kern/sys_generic.c:301
syscall(ffff80002af3a210) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff80002af3a210) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x724547dbf70, count: -19
ddb{1}> show registers
rdi 0
rsi 0x1
rbp 0xffff80002af39620
rbx 0xffff800020ce9bff
rdx 0xffff800000bda900
rcx 0
rax 0xffff8000ffff3ce8
r8 0x101010101010101
r9 0x8080808080808080
r10 0xee870fa3d1e9bcda
r11 0x33dc5c9c8c6260b
r12 0xffff800020ce9a00
r13 0
r14 0
r15 0x1
rip 0xffffffff81f18858 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff80002af39610
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor.1) pid=9067 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=32, usrpri=82, nice=20
forw=0xffffffffffffffff, list=0xffff8000ffff2008,0xffff800027adcfe0
process=0xffff80002af3fa48 user=0xffff80002af35000, vmspace=0xfffffd80675b9188
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
88109 131777 63159 0 2 0 syz-executor.6
88109 266698 63159 0 2 0x4000000 syz-executor.6
7207 193153 86575 0 2 0 syz-executor.7
7207 57857 86575 0 2 0x4000000 syz-executor.7
64405 315890 46818 0 2 0 syz-executor.2
64405 42052 46818 0 3 0x4000080 ttyout syz-executor.2
64405 204433 46818 0 2 0x4000000 syz-executor.2
5035 390833 68424 0 2 0 syz-executor.0
5035 83394 68424 0 3 0x4000080 fsleep syz-executor.0
82003 124192 39644 0 2 0 syz-executor.1
*82003 9067 39644 0 7 0x4000000 syz-executor.1
65881 483507 0 0 3 0x14200 bored sosplice
86575 25687 80237 0 3 0x82 nanoslp syz-executor.7
63159 124190 80237 0 3 0x82 nanoslp syz-executor.6
72985 135666 80237 0 3 0x82 nanoslp syz-executor.5
74409 143466 80237 0 3 0x82 nanoslp syz-executor.3
27793 405472 80237 0 3 0x82 nanoslp syz-executor.4
46818 328277 80237 0 3 0x82 nanoslp syz-executor.2
39644 207566 80237 0 3 0x82 nanoslp syz-executor.1
68424 393903 80237 0 3 0x82 nanoslp syz-executor.0
80237 174279 50276 0 3 0x82 kqread syz-fuzzer
80237 132622 50276 0 3 0x4000082 thrsleep syz-fuzzer
80237 3771 50276 0 3 0x4000082 thrsleep syz-fuzzer
80237 436210 50276 0 3 0x4000082 thrsleep syz-fuzzer
80237 477366 50276 0 3 0x4000082 thrsleep syz-fuzzer
80237 7623 50276 0 3 0x4000082 thrsleep syz-fuzzer
80237 123055 50276 0 3 0x4000082 thrsleep syz-fuzzer
80237 495366 50276 0 3 0x4000082 thrsleep syz-fuzzer
80237 82189 50276 0 3 0x4000082 thrsleep syz-fuzzer
50276 507682 29752 0 3 0x10008a sigsusp ksh
29752 93630 20416 0 3 0x9a kqread sshd
50531 442097 1 0 3 0x100083 ttyin getty
20416 290544 1 0 3 0x88 kqread sshd
73243 113468 81255 74 3 0x1100092 bpf pflogd
81255 492386 1 0 3 0x80 netio pflogd
4377 43136 8815 73 3 0x1100090 kqread syslogd
8815 290830 1 0 3 0x100082 netio syslogd
84727 449895 1 0 3 0x100080 kqread resolvd
3586 452115 66496 77 3 0x100092 kqread dhcpleased
53580 325732 66496 77 3 0x100092 kqread dhcpleased
66496 90968 1 0 3 0x80 kqread dhcpleased
76329 166980 0 0 3 0x14200 bored smr
18065 506840 0 0 2 0x14200 zerothread
95610 382238 0 0 3 0x14200 aiodoned aiodoned
13388 77628 0 0 3 0x14200 syncer update
56575 190931 0 0 3 0x14200 cleaner cleaner
26158 177172 0 0 7 0x14200 reaper
78782 265265 0 0 3 0x14200 pgdaemon pagedaemon
20819 89157 0 0 3 0x14200 bored viomb
64238 38484 0 0 3 0x40014200 acpi0 acpi0
13380 297443 0 0 3 0x40014200 idle1
51348 359445 0 0 3 0x14200 bored softnet
97989 117652 0 0 3 0x14200 bored systqmp
25061 492710 0 0 3 0x14200 bored systq
50197 352845 0 0 3 0x40014200 bored softclock
26349 264610 0 0 3 0x40014200 idle0
1 200354 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
CPU 0:
exclusive mutex &(curpg)->mdpage.pv_mtx r = 0 (0xfffffd80080fa778)
#0 witness_lock+0x44d
#1 mtx_enter_try+0x100
#2 mtx_enter+0x4b sys/kern/kern_lock.c:266
#3 pmap_remove_ptes+0x208 pmap_remove_pv sys/arch/amd64/amd64/pmap.c:1059 [inline]
#3 pmap_remove_ptes+0x208 sys/arch/amd64/amd64/pmap.c:1657
#4 pmap_do_remove+0x416 sys/arch/amd64/amd64/pmap.c:1865
#5 uvm_unmap_kill_entry_withlock+0x1af sys/uvm/uvm_map.c:2139
#6 uvm_map_teardown+0x197 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:176 [inline]
#6 uvm_map_teardown+0x197 sys/uvm/uvm_map.c:2771
#7 uvmspace_free+0xa6 sys/uvm/uvm_map.c:3685
#8 reaper+0x18b sys/kern/kern_exit.c:457
#9 proc_trampoline+0x1c
exclusive kernel: protection fault trap, code=0
Faulted in DDB; continuing...
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10185 6485K 7064K 78643K 12973 0
pcb 16 8K 8K 78643K 75 0
rtable 243 8K 10K 78643K 432 0
ifaddr 93 18K 19K 78643K 156 0
counters 58 35K 35K 78643K 68 0
ioctlops 0 0K 4K 78643K 1564 0
iov 0 0K 16K 78643K 50 0
mount 1 1K 1K 78643K 1 0
log 0 0K 0K 78643K 5 0
vnodes 1277 80K 80K 78643K 1753 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 9K 78643K 19 0
VM map 2 1K 1K 78643K 2 0
sem 12 0K 0K 78643K 32 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12548 0
file desc 16 57K 93K 78643K 1456 0
sigio 0 0K 0K 78643K 26 0
proc 70 87K 124K 78643K 555 0
subproc 104 6K 6K 78643K 104 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
ip_moptions 2 0K 0K 78643K 119 0
in_multi 102 6K 7K 78643K 228 0
ether_multi 2 0K 0K 78643K 39 0
mrt 1 0K 0K 78643K 1 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 61 281K 281K 78643K 61 0
exec 0 0K 2K 78643K 673 0
pfkey data 0 0K 0K 78643K 4 0
tdb 3 0K 0K 78643K 3 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 7 26K 26K 78643K 7 0
UVM amap 338 147K 147K 78643K 18877 0
UVM aobj 25 7K 7K 78643K 45 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
ip6_options 2 0K 0K 78643K 36 0
NDP 13 0K 2K 78643K 38 0
temp 103 4704K 4772K 78643K 11748 0
kqueue 12 18K 24K 78643K 109 0
SYN cache 2 16K 16K 78643K 2 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 22 0 0 1 0 1 1 0 8 0
rtpcb 120 73 0 70 1 0 1 1 0 8 0
rtentry 112 115 0 5 4 0 4 4 0 8 0
unpcb 136 239 0 224 1 0 1 1 0 8 0
syncache 296 14 0 14 3 2 1 1 0 8 1
tcpqe 32 262 0 262 2 2 0 1 0 8 0
tcpcb 736 205 0 192 4 1 3 3 0 8 1
arp 120 18 0 0 1 0 1 1 0 8 0
inpcb 312 552 0 535 2 0 2 2 0 8 0
nd6 48 28 0 4 1 0 1 1 0 8 0
pkpcb 40 4 0 4 1 1 0 1 0 8 0
kcovpl 48 8 0 0 1 0 1 1 0 8 0
ppxss 1248 4 0 4 1 1 0 1 0 8 0
pffrag 232 4 0 2 1 0 1 1 0 482 0
pffrnode 88 4 0 2 1 0 1 1 0 8 0
pffrent 40 14 0 12 1 0 1 1 0 8 0
pfosfp 40 1435 0 1011 5 0 5 5 0 8 0
pfosfpen 112 1435 0 714 21 0 21 21 0 8 0
pfrke_plain 168 8 0 8 1 1 0 1 0 8 0
pfrktable 1344 19 0 17 1 0 1 1 0 8 0
pftag 88 8 0 8 1 1 0 1 0 8 0
pfstitem 24 50 0 12 1 0 1 1 0 8 0
pfstkey 112 50 0 12 2 0 2 2 0 8 0
pfstate 320 50 0 12 4 0 4 4 0 8 0
pfrule 1360 42 0 28 2 0 2 2 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 453 0 0 29 0 29 29 0 8 0
art_table 32 454 0 0 4 0 4 4 0 8 0
art_node 16 114 0 14 1 0 1 1 0 8 0
semupl 112 7 0 7 1 1 0 1 0 8 0
semapl 112 30 0 20 1 0 1 1 0 8 0
shmpl 112 42 0 20 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 3174 0 1731 91 0 91 91 0 8 0
ffsino 272 3174 0 1731 97 0 97 97 0 8 0
nchpl 144 4980 0 3309 63 0 63 63 0 8 0
rtmask 32 16 0 16 1 1 0 1 0 8 0
uvmvnodes 80 3665 0 0 75 0 75 75 0 8 0
vnodes 224 3665 0 0 216 0 216 216 0 8 0
namei 1024 13598 0 13598 2 1 1 2 0 8 1
percpumem 16 46 0 5 1 0 1 1 0 8 0
vcpupl 2048 4 0 0 1 0 1 1 0 8 0
vmpool 560 4 0 0 1 0 1 1 0 8 0
pfiaddrpl 120 8 0 4 1 0 1 1 0 8 0
scxspl 216 14955 0 14955 9 8 1 8 0 8 1
plimitpl 152 45 0 30 1 0 1 1 0 8 0
sigapl 424 1758 0 1712 6 0 6 6 0 8 0
futexpl 64 7494 0 7493 1 0 1 1 0 8 0
knotepl 120 116 0 0 4 0 4 4 0 8 0
kqueuepl 216 128 0 120 1 0 1 1 0 8 0
pipepl 336 177 0 149 3 0 3 3 0 8 0
fdescpl 496 1743 0 1714 5 1 4 5 0 8 0
filepl 152 4942 0 4692 10 0 10 10 0 8 0
lockfpl 104 178 0 176 1 0 1 1 0 8 0
lockfspl 48 89 0 87 1 0 1 1 0 8 0
sessionpl 144 24 0 7 1 0 1 1 0 8 0
pgrppl 48 28 0 11 1 0 1 1 0 8 0
ucredpl 96 429 0 416 1 0 1 1 0 8 0
zombiepl 144 1715 0 1712 1 0 1 1 0 8 0
processpl 1064 1758 0 1712 4 0 4 4 0 8 0
procpl 672 3236 0 3175 6 0 6 6 0 8 0
sosppl 168 12 0 11 1 0 1 1 0 8 0
sockpl 480 872 0 837 6 1 5 6 0 8 0
mcl64k 65536 5 0 0 1 0 1 1 0 8 0
mcl16k 16384 1 0 0 1 0 1 1 0 8 0
mcl12k 12288 2 0 0 1 0 1 1 0 8 0
mcl9k 9216 2 0 0 1 0 1 1 0 8 0
mcl8k 8192 4 0 0 1 0 1 1 0 8 0
mcl4k 4096 12 0 0 2 0 2 2 0 8 0
mcl2k2 2112 1 0 0 1 0 1 1 0 8 0
mcl2k 2048 170 0 0 21 0 21 21 0 8 0
mtagpl 96 230 0 0 6 0 6 6 0 8 0
mbufpl 256 686 0 0 43 0 43 43 0 8 0
bufpl 288 5274 0 147 367 0 367 367 0 8 0
anonpl 24 431306 0 416459 118 20 98 115 0 186 6
amapchunkpl 152 45428 0 44603 43 9 34 38 0 158 1
amappl16 200 4666 0 4282 31 9 22 26 0 8 1
amappl15 192 448 0 441 1 0 1 1 0 8 0
amappl14 184 168 0 164 1 0 1 1 0 8 0
amappl13 176 274 0 271 1 0 1 1 0 8 0
amappl12 168 192 0 186 1 0 1 1 0 8 0
amappl11 160 365 0 347 1 0 1 1 0 8 0
amappl10 152 218 0 211 1 0 1 1 0 8 0
amappl9 144 474 0 471 1 0 1 1 0 8 0
amappl8 136 590 0 540 2 0 2 2 0 8 0
amappl7 128 123 0 110 1 0 1 1 0 8 0
amappl6 120 213 0 191 2 1 1 2 0 8 0
amappl5 112 1544 0 1523 1 0 1 1 0 8 0
amappl4 104 1315 0 1284 2 0 2 2 0 8 0
amappl3 96 365 0 353 1 0 1 1 0 8 0
amappl2 88 757 0 708 3 1 2 3 0 8 0
amappl1 80 32225 0 31625 19 5 14 19 0 8 0
amappl 88 18365 0 18102 7 0 7 7 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 44 0 20 1 0 1 1 0 8 0
uaddrrnd 24 1747 0 1713 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 1747 0 1713 1 0 1 1 0 8 0
vmmpekpl 168 13662 0 13608 3 0 3 3 0 8 0
vmmpepl 168 154402 0 151978 127 17 110 127 0 357 1
vmsppl 368 1746 0 1713 4 0 4 4 0 8 0
rwobjpl 56 39988 0 34913 73 1 72 72 0 8 0
pdppl 4096 3501 0 3430 107 34 73 83 0 8 2
pvpl 32 892324 0 872990 247 30 217 247 0 265 57
pmappl 248 1746 0 1713 3 0 3 3 0 8 0
extentpl 40 58 0 38 1 0 1 1 0 8 0
phpool 112 785 0 38 22 0 22 22 0 8 0
ddb{1}> machine ddbcpu 0
Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp
x86_ipi_db(ffffffff8294dff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
x86_bus_space_io_write_1(3f8,0,6b) at x86_bus_space_io_write_1+0x31 sys/arch/amd64/amd64/bus_space.c:759
comcnputc(800,6b) at comcnputc+0x128 bus_space_barrier machine/bus.h:481 [inline]
comcnputc(800,6b) at comcnputc+0x128 sys/dev/ic/com.c:1263
cnputc(6b) at cnputc+0x4b sys/dev/cons.c:239
db_putchar(6b) at db_putchar+0x3fc sys/ddb/db_output.c:155
kprintf() at kprintf+0x20ec sys/kern/subr_prf.c:1068
db_printf(ffffffff82608896) at db_printf+0x85 sys/kern/subr_prf.c:502
panic(ffffffff8258f849) at panic+0xd7 sys/kern/subr_prf.c:220
__assert(ffffffff826021d1,ffffffff826102ef,aae,ffffffff825c283e) at __assert+0x25 sys/kern/subr_prf.c:161
uvm_map_teardown(fffffd80675b9b98) at uvm_map_teardown+0x2e8 sys/uvm/uvm_map.c:2736
uvmspace_free(fffffd80675b9b98) at uvmspace_free+0xa6 sys/uvm/uvm_map.c:3685
reaper(ffff8000210f9260) at reaper+0x18b sys/kern/kern_exit.c:457
end trace frame: 0x0, count: 1
ddb{0}> trace
x86_ipi_db(ffffffff8294dff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
x86_bus_space_io_write_1(3f8,0,6b) at x86_bus_space_io_write_1+0x31 sys/arch/amd64/amd64/bus_space.c:759
comcnputc(800,6b) at comcnputc+0x128 bus_space_barrier machine/bus.h:481 [inline]
comcnputc(800,6b) at comcnputc+0x128 sys/dev/ic/com.c:1263
cnputc(6b) at cnputc+0x4b sys/dev/cons.c:239
db_putchar(6b) at db_putchar+0x3fc sys/ddb/db_output.c:155
kprintf() at kprintf+0x20ec sys/kern/subr_prf.c:1068
db_printf(ffffffff82608896) at db_printf+0x85 sys/kern/subr_prf.c:502
panic(ffffffff8258f849) at panic+0xd7 sys/kern/subr_prf.c:220
__assert(ffffffff826021d1,ffffffff826102ef,aae,ffffffff825c283e) at __assert+0x25 sys/kern/subr_prf.c:161
uvm_map_teardown(fffffd80675b9b98) at uvm_map_teardown+0x2e8 sys/uvm/uvm_map.c:2736
uvmspace_free(fffffd80675b9b98) at uvmspace_free+0xa6 sys/uvm/uvm_map.c:3685
reaper(ffff8000210f9260) at reaper+0x18b sys/kern/kern_exit.c:457
end trace frame: 0x0, count: -14
ddb{0}> machine ddbcpu 1
Stopped at db_enter+0x18: addq $0x8,%rsp
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825a56b6) at panic+0x177 sys/kern/subr_prf.c:202
witness_checkorder(ffffffff82b47030,9,0) at witness_checkorder+0x116d sys/kern/subr_witness.c:833
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 read_rflags machine/cpufunc.h:195 [inline]
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 intr_disable machine/cpufunc.h:216 [inline]
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 sys/kern/kern_lock.c:142
selwakeup(fffffd806e4aba90) at selwakeup+0x16 klist_empty sys/sys/event.h:361 [inline]
selwakeup(fffffd806e4aba90) at selwakeup+0x16 sys/kern/sys_generic.c:885
sorwakeup(fffffd806e4ab978) at sorwakeup+0xc9 sys/kern/uipc_socket.c:1699
rip6_input(ffff80002af39b08,ffff80002af39b14,85,18) at rip6_input+0x692 sys/netinet6/raw_ip6.c:224
ip_deliver(ffff80002af39b08,ffff80002af39b14,85,18) at ip_deliver+0x322 sys/netinet/ip_input.c:657
ip6_input_if(ffff80002af39b08,ffff80002af39b14,29,0,ffff80000019f2a8) at ip6_input_if+0x920
ipv6_input(ffff80000019f2a8,fffffd806889c100) at ipv6_input+0x48 sys/netinet6/ip6_input.c:169
if_input_local(ffff80000019f2a8,fffffd806889c100,18) at if_input_local+0x136 sys/net/if.c:778
ip6_output(fffffd8067ff0a00,ffff800000c10700,fffffd805d7e42f0,0,0,fffffd805d7e4278) at ip6_output+0xf57
rip6_output(fffffd8067ff0a00,fffffd806c4e7980,ffff80002af39e70,0) at rip6_output+0x4ad sys/netinet6/raw_ip6.c:490
rip6_usrreq(fffffd806c4e7980,9,fffffd8067ff0a00,0,0,ffff8000ffff3ce8) at rip6_usrreq+0x5d3 sys/netinet6/raw_ip6.c:679
end trace frame: 0xffff80002af39ff0, count: 0
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825a56b6) at panic+0x177 sys/kern/subr_prf.c:202
witness_checkorder(ffffffff82b47030,9,0) at witness_checkorder+0x116d sys/kern/subr_witness.c:833
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 read_rflags machine/cpufunc.h:195 [inline]
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 intr_disable machine/cpufunc.h:216 [inline]
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 sys/kern/kern_lock.c:142
selwakeup(fffffd806e4aba90) at selwakeup+0x16 klist_empty sys/sys/event.h:361 [inline]
selwakeup(fffffd806e4aba90) at selwakeup+0x16 sys/kern/sys_generic.c:885
sorwakeup(fffffd806e4ab978) at sorwakeup+0xc9 sys/kern/uipc_socket.c:1699
rip6_input(ffff80002af39b08,ffff80002af39b14,85,18) at rip6_input+0x692 sys/netinet6/raw_ip6.c:224
ip_deliver(ffff80002af39b08,ffff80002af39b14,85,18) at ip_deliver+0x322 sys/netinet/ip_input.c:657
ip6_input_if(ffff80002af39b08,ffff80002af39b14,29,0,ffff80000019f2a8) at ip6_input_if+0x920
ipv6_input(ffff80000019f2a8,fffffd806889c100) at ipv6_input+0x48 sys/netinet6/ip6_input.c:169
if_input_local(ffff80000019f2a8,fffffd806889c100,18) at if_input_local+0x136 sys/net/if.c:778
ip6_output(fffffd8067ff0a00,ffff800000c10700,fffffd805d7e42f0,0,0,fffffd805d7e4278) at ip6_output+0xf57
rip6_output(fffffd8067ff0a00,fffffd806c4e7980,ffff80002af39e70,0) at rip6_output+0x4ad sys/netinet6/raw_ip6.c:490
rip6_usrreq(fffffd806c4e7980,9,fffffd8067ff0a00,0,0,ffff8000ffff3ce8) at rip6_usrreq+0x5d3 sys/netinet6/raw_ip6.c:679
sosend(fffffd806c4e7980,0,ffff80002af3a0a8,0,0,0) at sosend+0x632 sys/kern/uipc_socket.c:582
dofilewritev(ffff8000ffff3ce8,5,ffff80002af3a0a8,0,ffff80002af3a1a0) at dofilewritev+0x19c sys/kern/sys_generic.c:381
sys_write(ffff8000ffff3ce8,ffff80002af3a148,ffff80002af3a1a0) at sys_write+0x83 sys/kern/sys_generic.c:301
syscall(ffff80002af3a210) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff80002af3a210) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x724547dbf70, count: -19
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 4ff57d1d979c Adjust to renaming of F_CTL_ACTIVE/F_PREF_ACT..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=160141cb700000
kernel config: https://syzkaller.appspot.com/x/.config?x=bf87b6915a88cd0d
dashboard link: https://syzkaller.appspot.com/bug?extid=5b2679ee9be0895d26f9
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5b2679...@syzkaller.appspotmail.com
panic: acquiring bl o c kpaablniec s:le e p l o c k wi t h s p i n l o c k o r c ri t i c a l s e c t i o n h el d ( k e r n e l _ l o ck ) & k e rn el _ l o ck
kStopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
* 9067 82003 0 0 0x4000000 1 syz-executor.1
177172 26158 0 0x14000 0x200 0 reaper
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825a56b6) at panic+0x177 sys/kern/subr_prf.c:202
witness_checkorder(ffffffff82b47030,9,0) at witness_checkorder+0x116d sys/kern/subr_witness.c:833
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 read_rflags machine/cpufunc.h:195 [inline]
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 intr_disable machine/cpufunc.h:216 [inline]
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 sys/kern/kern_lock.c:142
selwakeup(fffffd806e4aba90) at selwakeup+0x16 klist_empty sys/sys/event.h:361 [inline]
selwakeup(fffffd806e4aba90) at selwakeup+0x16 sys/kern/sys_generic.c:885
sorwakeup(fffffd806e4ab978) at sorwakeup+0xc9 sys/kern/uipc_socket.c:1699
rip6_input(ffff80002af39b08,ffff80002af39b14,85,18) at rip6_input+0x692 sys/netinet6/raw_ip6.c:224
ip_deliver(ffff80002af39b08,ffff80002af39b14,85,18) at ip_deliver+0x322 sys/netinet/ip_input.c:657
ip6_input_if(ffff80002af39b08,ffff80002af39b14,29,0,ffff80000019f2a8) at ip6_input_if+0x920
ipv6_input(ffff80000019f2a8,fffffd806889c100) at ipv6_input+0x48 sys/netinet6/ip6_input.c:169
if_input_local(ffff80000019f2a8,fffffd806889c100,18) at if_input_local+0x136 sys/net/if.c:778
ip6_output(fffffd8067ff0a00,ffff800000c10700,fffffd805d7e42f0,0,0,fffffd805d7e4278) at ip6_output+0xf57
rip6_output(fffffd8067ff0a00,fffffd806c4e7980,ffff80002af39e70,0) at rip6_output+0x4ad sys/netinet6/raw_ip6.c:490
rip6_usrreq(fffffd806c4e7980,9,fffffd8067ff0a00,0,0,ffff8000ffff3ce8) at rip6_usrreq+0x5d3 sys/netinet6/raw_ip6.c:679
end trace frame: 0xffff80002af39ff0, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
cpu0: kernel diagnostic assertion "!_kernel_lock_held()" failed: file "/syzkaller/managers/multicore/kernel/sys/uvm/uvm_map.c", line 2734
*cpu1: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825a56b6) at panic+0x177 sys/kern/subr_prf.c:202
witness_checkorder(ffffffff82b47030,9,0) at witness_checkorder+0x116d sys/kern/subr_witness.c:833
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 read_rflags machine/cpufunc.h:195 [inline]
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 intr_disable machine/cpufunc.h:216 [inline]
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 sys/kern/kern_lock.c:142
selwakeup(fffffd806e4aba90) at selwakeup+0x16 klist_empty sys/sys/event.h:361 [inline]
selwakeup(fffffd806e4aba90) at selwakeup+0x16 sys/kern/sys_generic.c:885
sorwakeup(fffffd806e4ab978) at sorwakeup+0xc9 sys/kern/uipc_socket.c:1699
rip6_input(ffff80002af39b08,ffff80002af39b14,85,18) at rip6_input+0x692 sys/netinet6/raw_ip6.c:224
ip_deliver(ffff80002af39b08,ffff80002af39b14,85,18) at ip_deliver+0x322 sys/netinet/ip_input.c:657
ip6_input_if(ffff80002af39b08,ffff80002af39b14,29,0,ffff80000019f2a8) at ip6_input_if+0x920
ipv6_input(ffff80000019f2a8,fffffd806889c100) at ipv6_input+0x48 sys/netinet6/ip6_input.c:169
if_input_local(ffff80000019f2a8,fffffd806889c100,18) at if_input_local+0x136 sys/net/if.c:778
ip6_output(fffffd8067ff0a00,ffff800000c10700,fffffd805d7e42f0,0,0,fffffd805d7e4278) at ip6_output+0xf57
rip6_output(fffffd8067ff0a00,fffffd806c4e7980,ffff80002af39e70,0) at rip6_output+0x4ad sys/netinet6/raw_ip6.c:490
rip6_usrreq(fffffd806c4e7980,9,fffffd8067ff0a00,0,0,ffff8000ffff3ce8) at rip6_usrreq+0x5d3 sys/netinet6/raw_ip6.c:679
sosend(fffffd806c4e7980,0,ffff80002af3a0a8,0,0,0) at sosend+0x632 sys/kern/uipc_socket.c:582
dofilewritev(ffff8000ffff3ce8,5,ffff80002af3a0a8,0,ffff80002af3a1a0) at dofilewritev+0x19c sys/kern/sys_generic.c:381
sys_write(ffff8000ffff3ce8,ffff80002af3a148,ffff80002af3a1a0) at sys_write+0x83 sys/kern/sys_generic.c:301
syscall(ffff80002af3a210) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff80002af3a210) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x724547dbf70, count: -19
ddb{1}> show registers
rdi 0
rsi 0x1
rbp 0xffff80002af39620
rbx 0xffff800020ce9bff
rdx 0xffff800000bda900
rcx 0
rax 0xffff8000ffff3ce8
r8 0x101010101010101
r9 0x8080808080808080
r10 0xee870fa3d1e9bcda
r11 0x33dc5c9c8c6260b
r12 0xffff800020ce9a00
r13 0
r14 0
r15 0x1
rip 0xffffffff81f18858 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff80002af39610
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor.1) pid=9067 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=32, usrpri=82, nice=20
forw=0xffffffffffffffff, list=0xffff8000ffff2008,0xffff800027adcfe0
process=0xffff80002af3fa48 user=0xffff80002af35000, vmspace=0xfffffd80675b9188
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
88109 131777 63159 0 2 0 syz-executor.6
88109 266698 63159 0 2 0x4000000 syz-executor.6
7207 193153 86575 0 2 0 syz-executor.7
7207 57857 86575 0 2 0x4000000 syz-executor.7
64405 315890 46818 0 2 0 syz-executor.2
64405 42052 46818 0 3 0x4000080 ttyout syz-executor.2
64405 204433 46818 0 2 0x4000000 syz-executor.2
5035 390833 68424 0 2 0 syz-executor.0
5035 83394 68424 0 3 0x4000080 fsleep syz-executor.0
82003 124192 39644 0 2 0 syz-executor.1
*82003 9067 39644 0 7 0x4000000 syz-executor.1
65881 483507 0 0 3 0x14200 bored sosplice
86575 25687 80237 0 3 0x82 nanoslp syz-executor.7
63159 124190 80237 0 3 0x82 nanoslp syz-executor.6
72985 135666 80237 0 3 0x82 nanoslp syz-executor.5
74409 143466 80237 0 3 0x82 nanoslp syz-executor.3
27793 405472 80237 0 3 0x82 nanoslp syz-executor.4
46818 328277 80237 0 3 0x82 nanoslp syz-executor.2
39644 207566 80237 0 3 0x82 nanoslp syz-executor.1
68424 393903 80237 0 3 0x82 nanoslp syz-executor.0
80237 174279 50276 0 3 0x82 kqread syz-fuzzer
80237 132622 50276 0 3 0x4000082 thrsleep syz-fuzzer
80237 3771 50276 0 3 0x4000082 thrsleep syz-fuzzer
80237 436210 50276 0 3 0x4000082 thrsleep syz-fuzzer
80237 477366 50276 0 3 0x4000082 thrsleep syz-fuzzer
80237 7623 50276 0 3 0x4000082 thrsleep syz-fuzzer
80237 123055 50276 0 3 0x4000082 thrsleep syz-fuzzer
80237 495366 50276 0 3 0x4000082 thrsleep syz-fuzzer
80237 82189 50276 0 3 0x4000082 thrsleep syz-fuzzer
50276 507682 29752 0 3 0x10008a sigsusp ksh
29752 93630 20416 0 3 0x9a kqread sshd
50531 442097 1 0 3 0x100083 ttyin getty
20416 290544 1 0 3 0x88 kqread sshd
73243 113468 81255 74 3 0x1100092 bpf pflogd
81255 492386 1 0 3 0x80 netio pflogd
4377 43136 8815 73 3 0x1100090 kqread syslogd
8815 290830 1 0 3 0x100082 netio syslogd
84727 449895 1 0 3 0x100080 kqread resolvd
3586 452115 66496 77 3 0x100092 kqread dhcpleased
53580 325732 66496 77 3 0x100092 kqread dhcpleased
66496 90968 1 0 3 0x80 kqread dhcpleased
76329 166980 0 0 3 0x14200 bored smr
18065 506840 0 0 2 0x14200 zerothread
95610 382238 0 0 3 0x14200 aiodoned aiodoned
13388 77628 0 0 3 0x14200 syncer update
56575 190931 0 0 3 0x14200 cleaner cleaner
26158 177172 0 0 7 0x14200 reaper
78782 265265 0 0 3 0x14200 pgdaemon pagedaemon
20819 89157 0 0 3 0x14200 bored viomb
64238 38484 0 0 3 0x40014200 acpi0 acpi0
13380 297443 0 0 3 0x40014200 idle1
51348 359445 0 0 3 0x14200 bored softnet
97989 117652 0 0 3 0x14200 bored systqmp
25061 492710 0 0 3 0x14200 bored systq
50197 352845 0 0 3 0x40014200 bored softclock
26349 264610 0 0 3 0x40014200 idle0
1 200354 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
CPU 0:
exclusive mutex &(curpg)->mdpage.pv_mtx r = 0 (0xfffffd80080fa778)
#0 witness_lock+0x44d
#1 mtx_enter_try+0x100
#2 mtx_enter+0x4b sys/kern/kern_lock.c:266
#3 pmap_remove_ptes+0x208 pmap_remove_pv sys/arch/amd64/amd64/pmap.c:1059 [inline]
#3 pmap_remove_ptes+0x208 sys/arch/amd64/amd64/pmap.c:1657
#4 pmap_do_remove+0x416 sys/arch/amd64/amd64/pmap.c:1865
#5 uvm_unmap_kill_entry_withlock+0x1af sys/uvm/uvm_map.c:2139
#6 uvm_map_teardown+0x197 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:176 [inline]
#6 uvm_map_teardown+0x197 sys/uvm/uvm_map.c:2771
#7 uvmspace_free+0xa6 sys/uvm/uvm_map.c:3685
#8 reaper+0x18b sys/kern/kern_exit.c:457
#9 proc_trampoline+0x1c
exclusive kernel: protection fault trap, code=0
Faulted in DDB; continuing...
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10185 6485K 7064K 78643K 12973 0
pcb 16 8K 8K 78643K 75 0
rtable 243 8K 10K 78643K 432 0
ifaddr 93 18K 19K 78643K 156 0
counters 58 35K 35K 78643K 68 0
ioctlops 0 0K 4K 78643K 1564 0
iov 0 0K 16K 78643K 50 0
mount 1 1K 1K 78643K 1 0
log 0 0K 0K 78643K 5 0
vnodes 1277 80K 80K 78643K 1753 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 9K 78643K 19 0
VM map 2 1K 1K 78643K 2 0
sem 12 0K 0K 78643K 32 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12548 0
file desc 16 57K 93K 78643K 1456 0
sigio 0 0K 0K 78643K 26 0
proc 70 87K 124K 78643K 555 0
subproc 104 6K 6K 78643K 104 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
ip_moptions 2 0K 0K 78643K 119 0
in_multi 102 6K 7K 78643K 228 0
ether_multi 2 0K 0K 78643K 39 0
mrt 1 0K 0K 78643K 1 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 61 281K 281K 78643K 61 0
exec 0 0K 2K 78643K 673 0
pfkey data 0 0K 0K 78643K 4 0
tdb 3 0K 0K 78643K 3 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 7 26K 26K 78643K 7 0
UVM amap 338 147K 147K 78643K 18877 0
UVM aobj 25 7K 7K 78643K 45 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
ip6_options 2 0K 0K 78643K 36 0
NDP 13 0K 2K 78643K 38 0
temp 103 4704K 4772K 78643K 11748 0
kqueue 12 18K 24K 78643K 109 0
SYN cache 2 16K 16K 78643K 2 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 22 0 0 1 0 1 1 0 8 0
rtpcb 120 73 0 70 1 0 1 1 0 8 0
rtentry 112 115 0 5 4 0 4 4 0 8 0
unpcb 136 239 0 224 1 0 1 1 0 8 0
syncache 296 14 0 14 3 2 1 1 0 8 1
tcpqe 32 262 0 262 2 2 0 1 0 8 0
tcpcb 736 205 0 192 4 1 3 3 0 8 1
arp 120 18 0 0 1 0 1 1 0 8 0
inpcb 312 552 0 535 2 0 2 2 0 8 0
nd6 48 28 0 4 1 0 1 1 0 8 0
pkpcb 40 4 0 4 1 1 0 1 0 8 0
kcovpl 48 8 0 0 1 0 1 1 0 8 0
ppxss 1248 4 0 4 1 1 0 1 0 8 0
pffrag 232 4 0 2 1 0 1 1 0 482 0
pffrnode 88 4 0 2 1 0 1 1 0 8 0
pffrent 40 14 0 12 1 0 1 1 0 8 0
pfosfp 40 1435 0 1011 5 0 5 5 0 8 0
pfosfpen 112 1435 0 714 21 0 21 21 0 8 0
pfrke_plain 168 8 0 8 1 1 0 1 0 8 0
pfrktable 1344 19 0 17 1 0 1 1 0 8 0
pftag 88 8 0 8 1 1 0 1 0 8 0
pfstitem 24 50 0 12 1 0 1 1 0 8 0
pfstkey 112 50 0 12 2 0 2 2 0 8 0
pfstate 320 50 0 12 4 0 4 4 0 8 0
pfrule 1360 42 0 28 2 0 2 2 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 453 0 0 29 0 29 29 0 8 0
art_table 32 454 0 0 4 0 4 4 0 8 0
art_node 16 114 0 14 1 0 1 1 0 8 0
semupl 112 7 0 7 1 1 0 1 0 8 0
semapl 112 30 0 20 1 0 1 1 0 8 0
shmpl 112 42 0 20 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 3174 0 1731 91 0 91 91 0 8 0
ffsino 272 3174 0 1731 97 0 97 97 0 8 0
nchpl 144 4980 0 3309 63 0 63 63 0 8 0
rtmask 32 16 0 16 1 1 0 1 0 8 0
uvmvnodes 80 3665 0 0 75 0 75 75 0 8 0
vnodes 224 3665 0 0 216 0 216 216 0 8 0
namei 1024 13598 0 13598 2 1 1 2 0 8 1
percpumem 16 46 0 5 1 0 1 1 0 8 0
vcpupl 2048 4 0 0 1 0 1 1 0 8 0
vmpool 560 4 0 0 1 0 1 1 0 8 0
pfiaddrpl 120 8 0 4 1 0 1 1 0 8 0
scxspl 216 14955 0 14955 9 8 1 8 0 8 1
plimitpl 152 45 0 30 1 0 1 1 0 8 0
sigapl 424 1758 0 1712 6 0 6 6 0 8 0
futexpl 64 7494 0 7493 1 0 1 1 0 8 0
knotepl 120 116 0 0 4 0 4 4 0 8 0
kqueuepl 216 128 0 120 1 0 1 1 0 8 0
pipepl 336 177 0 149 3 0 3 3 0 8 0
fdescpl 496 1743 0 1714 5 1 4 5 0 8 0
filepl 152 4942 0 4692 10 0 10 10 0 8 0
lockfpl 104 178 0 176 1 0 1 1 0 8 0
lockfspl 48 89 0 87 1 0 1 1 0 8 0
sessionpl 144 24 0 7 1 0 1 1 0 8 0
pgrppl 48 28 0 11 1 0 1 1 0 8 0
ucredpl 96 429 0 416 1 0 1 1 0 8 0
zombiepl 144 1715 0 1712 1 0 1 1 0 8 0
processpl 1064 1758 0 1712 4 0 4 4 0 8 0
procpl 672 3236 0 3175 6 0 6 6 0 8 0
sosppl 168 12 0 11 1 0 1 1 0 8 0
sockpl 480 872 0 837 6 1 5 6 0 8 0
mcl64k 65536 5 0 0 1 0 1 1 0 8 0
mcl16k 16384 1 0 0 1 0 1 1 0 8 0
mcl12k 12288 2 0 0 1 0 1 1 0 8 0
mcl9k 9216 2 0 0 1 0 1 1 0 8 0
mcl8k 8192 4 0 0 1 0 1 1 0 8 0
mcl4k 4096 12 0 0 2 0 2 2 0 8 0
mcl2k2 2112 1 0 0 1 0 1 1 0 8 0
mcl2k 2048 170 0 0 21 0 21 21 0 8 0
mtagpl 96 230 0 0 6 0 6 6 0 8 0
mbufpl 256 686 0 0 43 0 43 43 0 8 0
bufpl 288 5274 0 147 367 0 367 367 0 8 0
anonpl 24 431306 0 416459 118 20 98 115 0 186 6
amapchunkpl 152 45428 0 44603 43 9 34 38 0 158 1
amappl16 200 4666 0 4282 31 9 22 26 0 8 1
amappl15 192 448 0 441 1 0 1 1 0 8 0
amappl14 184 168 0 164 1 0 1 1 0 8 0
amappl13 176 274 0 271 1 0 1 1 0 8 0
amappl12 168 192 0 186 1 0 1 1 0 8 0
amappl11 160 365 0 347 1 0 1 1 0 8 0
amappl10 152 218 0 211 1 0 1 1 0 8 0
amappl9 144 474 0 471 1 0 1 1 0 8 0
amappl8 136 590 0 540 2 0 2 2 0 8 0
amappl7 128 123 0 110 1 0 1 1 0 8 0
amappl6 120 213 0 191 2 1 1 2 0 8 0
amappl5 112 1544 0 1523 1 0 1 1 0 8 0
amappl4 104 1315 0 1284 2 0 2 2 0 8 0
amappl3 96 365 0 353 1 0 1 1 0 8 0
amappl2 88 757 0 708 3 1 2 3 0 8 0
amappl1 80 32225 0 31625 19 5 14 19 0 8 0
amappl 88 18365 0 18102 7 0 7 7 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 44 0 20 1 0 1 1 0 8 0
uaddrrnd 24 1747 0 1713 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 1747 0 1713 1 0 1 1 0 8 0
vmmpekpl 168 13662 0 13608 3 0 3 3 0 8 0
vmmpepl 168 154402 0 151978 127 17 110 127 0 357 1
vmsppl 368 1746 0 1713 4 0 4 4 0 8 0
rwobjpl 56 39988 0 34913 73 1 72 72 0 8 0
pdppl 4096 3501 0 3430 107 34 73 83 0 8 2
pvpl 32 892324 0 872990 247 30 217 247 0 265 57
pmappl 248 1746 0 1713 3 0 3 3 0 8 0
extentpl 40 58 0 38 1 0 1 1 0 8 0
phpool 112 785 0 38 22 0 22 22 0 8 0
ddb{1}> machine ddbcpu 0
Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp
x86_ipi_db(ffffffff8294dff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
x86_bus_space_io_write_1(3f8,0,6b) at x86_bus_space_io_write_1+0x31 sys/arch/amd64/amd64/bus_space.c:759
comcnputc(800,6b) at comcnputc+0x128 bus_space_barrier machine/bus.h:481 [inline]
comcnputc(800,6b) at comcnputc+0x128 sys/dev/ic/com.c:1263
cnputc(6b) at cnputc+0x4b sys/dev/cons.c:239
db_putchar(6b) at db_putchar+0x3fc sys/ddb/db_output.c:155
kprintf() at kprintf+0x20ec sys/kern/subr_prf.c:1068
db_printf(ffffffff82608896) at db_printf+0x85 sys/kern/subr_prf.c:502
panic(ffffffff8258f849) at panic+0xd7 sys/kern/subr_prf.c:220
__assert(ffffffff826021d1,ffffffff826102ef,aae,ffffffff825c283e) at __assert+0x25 sys/kern/subr_prf.c:161
uvm_map_teardown(fffffd80675b9b98) at uvm_map_teardown+0x2e8 sys/uvm/uvm_map.c:2736
uvmspace_free(fffffd80675b9b98) at uvmspace_free+0xa6 sys/uvm/uvm_map.c:3685
reaper(ffff8000210f9260) at reaper+0x18b sys/kern/kern_exit.c:457
end trace frame: 0x0, count: 1
ddb{0}> trace
x86_ipi_db(ffffffff8294dff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
x86_bus_space_io_write_1(3f8,0,6b) at x86_bus_space_io_write_1+0x31 sys/arch/amd64/amd64/bus_space.c:759
comcnputc(800,6b) at comcnputc+0x128 bus_space_barrier machine/bus.h:481 [inline]
comcnputc(800,6b) at comcnputc+0x128 sys/dev/ic/com.c:1263
cnputc(6b) at cnputc+0x4b sys/dev/cons.c:239
db_putchar(6b) at db_putchar+0x3fc sys/ddb/db_output.c:155
kprintf() at kprintf+0x20ec sys/kern/subr_prf.c:1068
db_printf(ffffffff82608896) at db_printf+0x85 sys/kern/subr_prf.c:502
panic(ffffffff8258f849) at panic+0xd7 sys/kern/subr_prf.c:220
__assert(ffffffff826021d1,ffffffff826102ef,aae,ffffffff825c283e) at __assert+0x25 sys/kern/subr_prf.c:161
uvm_map_teardown(fffffd80675b9b98) at uvm_map_teardown+0x2e8 sys/uvm/uvm_map.c:2736
uvmspace_free(fffffd80675b9b98) at uvmspace_free+0xa6 sys/uvm/uvm_map.c:3685
reaper(ffff8000210f9260) at reaper+0x18b sys/kern/kern_exit.c:457
end trace frame: 0x0, count: -14
ddb{0}> machine ddbcpu 1
Stopped at db_enter+0x18: addq $0x8,%rsp
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825a56b6) at panic+0x177 sys/kern/subr_prf.c:202
witness_checkorder(ffffffff82b47030,9,0) at witness_checkorder+0x116d sys/kern/subr_witness.c:833
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 read_rflags machine/cpufunc.h:195 [inline]
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 intr_disable machine/cpufunc.h:216 [inline]
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 sys/kern/kern_lock.c:142
selwakeup(fffffd806e4aba90) at selwakeup+0x16 klist_empty sys/sys/event.h:361 [inline]
selwakeup(fffffd806e4aba90) at selwakeup+0x16 sys/kern/sys_generic.c:885
sorwakeup(fffffd806e4ab978) at sorwakeup+0xc9 sys/kern/uipc_socket.c:1699
rip6_input(ffff80002af39b08,ffff80002af39b14,85,18) at rip6_input+0x692 sys/netinet6/raw_ip6.c:224
ip_deliver(ffff80002af39b08,ffff80002af39b14,85,18) at ip_deliver+0x322 sys/netinet/ip_input.c:657
ip6_input_if(ffff80002af39b08,ffff80002af39b14,29,0,ffff80000019f2a8) at ip6_input_if+0x920
ipv6_input(ffff80000019f2a8,fffffd806889c100) at ipv6_input+0x48 sys/netinet6/ip6_input.c:169
if_input_local(ffff80000019f2a8,fffffd806889c100,18) at if_input_local+0x136 sys/net/if.c:778
ip6_output(fffffd8067ff0a00,ffff800000c10700,fffffd805d7e42f0,0,0,fffffd805d7e4278) at ip6_output+0xf57
rip6_output(fffffd8067ff0a00,fffffd806c4e7980,ffff80002af39e70,0) at rip6_output+0x4ad sys/netinet6/raw_ip6.c:490
rip6_usrreq(fffffd806c4e7980,9,fffffd8067ff0a00,0,0,ffff8000ffff3ce8) at rip6_usrreq+0x5d3 sys/netinet6/raw_ip6.c:679
end trace frame: 0xffff80002af39ff0, count: 0
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825a56b6) at panic+0x177 sys/kern/subr_prf.c:202
witness_checkorder(ffffffff82b47030,9,0) at witness_checkorder+0x116d sys/kern/subr_witness.c:833
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 read_rflags machine/cpufunc.h:195 [inline]
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 intr_disable machine/cpufunc.h:216 [inline]
__mp_lock(ffffffff82b46e28) at __mp_lock+0xa1 sys/kern/kern_lock.c:142
selwakeup(fffffd806e4aba90) at selwakeup+0x16 klist_empty sys/sys/event.h:361 [inline]
selwakeup(fffffd806e4aba90) at selwakeup+0x16 sys/kern/sys_generic.c:885
sorwakeup(fffffd806e4ab978) at sorwakeup+0xc9 sys/kern/uipc_socket.c:1699
rip6_input(ffff80002af39b08,ffff80002af39b14,85,18) at rip6_input+0x692 sys/netinet6/raw_ip6.c:224
ip_deliver(ffff80002af39b08,ffff80002af39b14,85,18) at ip_deliver+0x322 sys/netinet/ip_input.c:657
ip6_input_if(ffff80002af39b08,ffff80002af39b14,29,0,ffff80000019f2a8) at ip6_input_if+0x920
ipv6_input(ffff80000019f2a8,fffffd806889c100) at ipv6_input+0x48 sys/netinet6/ip6_input.c:169
if_input_local(ffff80000019f2a8,fffffd806889c100,18) at if_input_local+0x136 sys/net/if.c:778
ip6_output(fffffd8067ff0a00,ffff800000c10700,fffffd805d7e42f0,0,0,fffffd805d7e4278) at ip6_output+0xf57
rip6_output(fffffd8067ff0a00,fffffd806c4e7980,ffff80002af39e70,0) at rip6_output+0x4ad sys/netinet6/raw_ip6.c:490
rip6_usrreq(fffffd806c4e7980,9,fffffd8067ff0a00,0,0,ffff8000ffff3ce8) at rip6_usrreq+0x5d3 sys/netinet6/raw_ip6.c:679
sosend(fffffd806c4e7980,0,ffff80002af3a0a8,0,0,0) at sosend+0x632 sys/kern/uipc_socket.c:582
dofilewritev(ffff8000ffff3ce8,5,ffff80002af3a0a8,0,ffff80002af3a1a0) at dofilewritev+0x19c sys/kern/sys_generic.c:381
sys_write(ffff8000ffff3ce8,ffff80002af3a148,ffff80002af3a1a0) at sys_write+0x83 sys/kern/sys_generic.c:301
syscall(ffff80002af3a210) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff80002af3a210) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x724547dbf70, count: -19
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Anton Lindqvist
Mar 22, 2022, 7:45:49 AM3/22/22
to syzbot, syzkaller-o...@googlegroups.com
#syz invalid
Reply all
Reply to author
Forward
0 new messages