We got "lucky" in a different way after enabling VMM_DEBUG. I captured some details of a crash. The fault address seems to be vm_map(=0xffff800000b44200) + 0x100.
The kernel is built with this config:

ci-openbsd$ cat /syzkaller/src/sys/arch/amd64/conf/VMM_DEBUG
include "arch/amd64/conf/GENERIC.MP"
option VMM_DEBUG

Still this commit:

commit 44df374beffdeeab308e9c219092e1c860fc97a9 (HEAD)
Author: kevlo <[email protected]>
Date:   Tue Oct 2 02:05:34 2018 +0000

    Add support for RT3290 chipset by James Hastings.
    Tested by me and James Hastings.

Logs:

SeaBIOS (version 1.8.2-20171012_061934-google)
Total RAM Size = 0x0000000400000000 = 16384 MiB
CPUs found: 8     Max CPUs supported: 8
found virtio-scsi at 0:3
virtio-scsi vendor='Google' product='PersistentDisk' rev='1' type=0 removable=0
virtio-scsi blksize=512 sectors=20971520 = 10240 MiB
virtio-scsi vendor='Google' product='PersistentDisk' rev='1' type=0 removable=0
virtio-scsi blksize=512 sectors=2097152000 = 1024000 MiB
drive 0x000f2bc0: PCHS=0/0/0 translation=lba LCHS=1024/255/63 s=20971520
drive 0x000f2b80: PCHS=0/0/0 translation=lba LCHS=1024/255/63 s=2097152000
Booting from Hard Disk 0...
>> OpenBSD/amd64 BOOT 3.41
boot>
[ using 2143328 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2018 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 6.4 (VMM_DEBUG) #0: Tue Oct 2 10:37:13 PDT 2018
    [email protected]:/syzkaller/src/sys/arch/amd64/compile/VMM_DEBUG
real mem = 17163079680 (16367MB)
avail mem = 16633610240 (15863MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xbffffcf0 (20 entries)
bios0: vendor Google version "Google" date 01/01/2011
bios0: Google Google Compute Engine
acpi0 at bios0: rev 0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC WAET SRAT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU @ 2.30GHz, 2300.55 MHz, 06-3f-00
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 990MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU @ 2.30GHz, 2276.88 MHz, 06-3f-00
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU @ 2.30GHz, 2276.87 MHz, 06-3f-00
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU @ 2.30GHz, 2276.89 MHz, 06-3f-00
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
cpu4 at mainbus0: apid 1 (application processor)
cpu4: Intel(R) Xeon(R) CPU @ 2.30GHz, 2276.88 MHz, 06-3f-00
cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
cpu4: 256KB 64b/line 8-way L2 cache
cpu4: smt 1, core 0, package 0
cpu5 at mainbus0: apid 3 (application processor)
cpu5: Intel(R) Xeon(R) CPU @ 2.30GHz, 2276.88 MHz, 06-3f-00
cpu5: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
cpu5: 256KB 64b/line 8-way L2 cache
cpu5: smt 1, core 1, package 0
cpu6 at mainbus0: apid 5 (application processor)
cpu6: Intel(R) Xeon(R) CPU @ 2.30GHz, 2276.94 MHz, 06-3f-00
cpu6: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
cpu6: 256KB 64b/line 8-way L2 cache
cpu6: smt 1, core 2, package 0
cpu7 at mainbus0: apid 7 (application processor)
cpu7: Intel(R) Xeon(R) CPU @ 2.30GHz, 2276.91 MHz, 06-3f-00
cpu7: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
cpu7: 256KB 64b/line 8-way L2 cache
cpu7: smt 1, core 3, package 0
ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
acpicpu2 at acpi0: C1(@1 halt!)
acpicpu3 at acpi0: C1(@1 halt!)
acpicpu4 at acpi0: C1(@1 halt!)
acpicpu5 at acpi0: C1(@1 halt!)
acpicpu6 at acpi0: C1(@1 halt!)
acpicpu7 at acpi0: C1(@1 halt!)
"ACPI0006" at acpi0 not configured
acpicmos0 at acpi0
"QEMU0001" at acpi0 not configured
"ACPI0007" at acpi0 not configured
"ACPI0007" at acpi0 not configured
"ACPI0007" at acpi0 not configured
"ACPI0007" at acpi0 not configured
"ACPI0007" at acpi0 not configured
"ACPI0007" at acpi0 not configured
"ACPI0007" at acpi0 not configured
"ACPI0007" at acpi0 not configured
pvbus0 at mainbus0: KVM
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371AB PIIX4 ISA" rev 0x03
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: SMBus disabled
virtio0 at pci0 dev 3 function 0 "Qumranet Virtio SCSI" rev 0x00
vioscsi0 at virtio0: qsize 8192
scsibus1 at vioscsi0: 253 targets
sd0 at scsibus1 targ 1 lun 0: <Google, PersistentDisk, 1> SCSI4 0/direct fixed serial.Google_PersistentDisk_
sd0: 10240MB, 512 bytes/sector, 20971520 sectors, thin
sd1 at scsibus1 targ 2 lun 0: <Google, PersistentDisk, 1> SCSI4 0/direct fixed serial.Google_PersistentDisk_
sd1: 1024000MB, 512 bytes/sector, 2097152000 sectors, thin
virtio0: msix shared
virtio1 at pci0 dev 4 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio1: address 42:01:0a:80:00:3f
virtio1: msix per-VQ
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
com2 at isa0 port 0x3e8/8 irq 5: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0 mux 1
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vmm0 at mainbus0: VMX/EPT (using slow L1TF mitigation)
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (dd61083aafe9fd0b.a) swap on sd0b dump on sd0b
Automatic boot in progress: starting file system checks.
/dev/sd0a (dd61083aafe9fd0b.a): file system is clean; not checking
setting tty flags
pf enabled
kern.nosuidcoredump: 1 -> 3
starting network
vio0: bound to 10.128.0.63 from 169.254.169.254 (42:01:0a:80:00:01)
reordering libraries: done.
starting early daemons: syslogd pflogd ntpd.
starting RPC daemons:.
savecore: no core dump
checking quotas: done.
clearing /tmp
kern.securelevel: 0 -> 1
creating runtime link editor directory cache.
preserving editor files.
starting network daemons: sshd vmd.
+ echo starting syz-ci
starting syz-ci
+ fsck -y /dev/sd1a
** /dev/rsd1a
** File system is clean; not checking
+ mount /syzkaller
+ mkdir -p /syzkaller/ramdisk
+ mount -t mfs -o-s=10G /dev/sd0b /syzkaller/ramdisk
+ chown syzkaller:syzkaller /syzkaller/ramdisk
+ su -l syzkaller
+ << EOF2
+ test -x syz-ci
+ ./syz-ci -config ./config-openbsd.ci
+ 2>&1
+ tee syz-ci.log
starting local daemons: cron.
Tue Oct 2 10:56:09 PDT 2018

OpenBSD/amd64 (ci-openbsd.syzkaller) (tty00)

login: vm_impl_init_vmx: created vm_map @ 0xffff800000b27700
vm_impl_init_vmx: created vm_map @ 0xffff800000b27200
vm_impl_init_vmx: created vm_map @ 0xffff800000b27800
vm_resetcpu: resetting vm 2 vcpu 0 to power on defaults
Guest EPTP = 0x11f07101e
vm_resetcpu: resetting vm 1 vcpu 0 to power on defaults
Guest EPTP = 0x11f05b01e
vm_resetcpu: resetting vm 3 vcpu 0 to power on defaults
Guest EPTP = 0x3b688401e
vmm_handle_cpuid: function 0x07 (SEFF) unsupported subleaf 0x6c65746e not supported
vmm_handle_cpuid: function 0x07 (SEFF) unsupported subleaf 0x6c65746e not supported
vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
vmm_handle_cpuid: function 0x07 (SEFF) unsupported subleaf 0x6c65746e not supported
vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
vmx_handle_cr: mov to cr0 @ 100060a, data=0xe0010031
vmx_handle_cr: mov to cr0 @ 100060a, data=0xe0010031
vmx_handle_cr: mov to cr0 @ 100060a, data=0xe0010031
vmm_handle_cpuid: unsupported rax=0x40000100
vmm_handle_cpuid: unsupported rax=0x40000100
vmm_handle_cpuid: unsupported rax=0x40000100
vmm_handle_cpuid: function 0x06 (thermal/power mgt) not supported
vmm_handle_cpuid: function 0x06 (thermal/power mgt) not supported
vmm_handle_cpuid: invalid cpuid input leaf 0x15, guest rip=0xffffffff8138f075 - resetting to 0xd
vmx_handle_wrmsr: wrmsr exit, msr=0x277, discarding data written from guest=0x70106:0x70106
vmm_handle_cpuid: invalid cpuid input leaf 0x15, guest rip=0xffffffff8138f075 - resetting to 0xd
vmx_handle_wrmsr: wrmsr exit, msr=0x277, discarding data written from guest=0x70106:0x70106
vmm_handle_cpuid: function 0x06 (thermal/power mgt) not supported
vmm_handle_cpuid: invalid cpuid input leaf 0x15, guest rip=0xffffffff8138f075 - resetting to 0xd
vmx_handle_wrmsr: wrmsr exit, msr=0x277, discarding data written from guest=0x70106:0x70106
vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
vm_impl_init_vmx: created vm_map @ 0xffff800000b44200
vm_resetcpu: resetting vm 4 vcpu 0 to power on defaults
Guest EPTP = 0x3befc301e
vmm_handle_cpuid: function 0x07 (SEFF) unsupported subleaf 0x6c65746e not supported
vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
vmx_handle_cr: mov to cr0 @ 100060a, data=0xe0010031
vmm_handle_cpuid: unsupported rax=0x40000100
vmm_handle_cpuid: function 0x06 (thermal/power mgt) not supported
vmm_handle_cpuid: invalid cpuid input leaf 0x15, guest rip=0xffffffff8138f075 - resetting to 0xd
vmx_handle_wrmsr: wrmsr exit, msr=0x277, discarding data written from guest=0x70106:0x70106
vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
vm_impl_init_vmx: created vm_map @ 0xffff800000b44700
vm_resetcpu: resetting vm 5 vcpu 0 to power on defaults
Guest EPTP = 0x3c27f401e
vmm_handle_cpuid: function 0x07 (SEFF) unsupported subleaf 0x6c65746e not supported
vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
vmx_handle_cr: mov to cr0 @ 100060a, data=0xe0010031
vmm_handle_cpuid: unsupported rax=0x40000100
vmm_handle_cpuid: function 0x06 (thermal/power mgt) not supported
vmm_handle_cpuid: invalid cpuid input leaf 0x15, guest rip=0xffffffff8138f075 - resetting to 0xd
vmx_handle_wrmsr: wrmsr exit, msr=0x277, discarding data written from guest=0x70106:0x70106
vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
vm_impl_init_vmx: created vm_map @ 0xffff800000b27100
vm_resetcpu: resetting vm 6 vcpu 0 to power on defaults
Guest EPTP = 0x3befc401e
vmm_handle_cpuid: function 0x07 (SEFF) unsupported subleaf 0x6c65746e not supported
vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
vmx_handle_cr: mov to cr0 @ 100060a, data=0xe0010031
vmm_handle_cpuid: unsupported rax=0x40000100
vmm_handle_cpuid: function 0x06 (thermal/power mgt) not supported
vmm_handle_cpuid: invalid cpuid input leaf 0x15, guest rip=0xffffffff8138f075 - resetting to 0xd
vmx_handle_wrmsr: wrmsr exit, msr=0x277, discarding data written from guest=0x70106:0x70106
vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
vm_impl_init_vmx: created vm_map @ 0xffff800000b44f00
vm_resetcpu: resetting vm 7 vcpu 0 to power on defaults
Guest EPTP = 0x3c27fa01e
vmm_handle_cpuid: function 0x07 (SEFF) unsupported subleaf 0x6c65746e not supported
vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
vmx_handle_cr: mov to cr0 @ 100060a, data=0xe0010031
vmm_handle_cpuid: unsupported rax=0x40000100
vmm_handle_cpuid: function 0x06 (thermal/power mgt) not supported
vmm_handle_cpuid: invalid cpuid input leaf 0x15, guest rip=0xffffffff8138f075 - resetting to 0xd
vmx_handle_wrmsr: wrmsr exit, msr=0x277, discarding data written from guest=0x70106:0x70106
vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
uvm_fault(0xffffffff81ced808, 0xffff800000b45000, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at      uvm_unmap_remove+0x212: movq    0x100(%r13),%r8
ddb{3}> show registers
rdi               0x2a549b            acpi_pdirpa+0x291303
rsi                      0
rbp     0xffff8000221a5bc0
rbx     0xffff8000221a5b80
rdx               0x11f010            acpi_pdirpa+0x10ae78
rcx                      0
rax     0xffffff01152bad80
r8                     0x3
r9                 0xa0000            acpi_pdirpa+0x8be68
r10     0xd0bcf2dd46b2b746
r11     0xdb541ee3f9c6bb0f
r12     0xffffff03ae5b9798
r13     0xffff800000b44f00
r14     0xffffff03ae5b98e8
r15             0x20000000
rip     0xffffffff813aac22            uvm_unmap_remove+0x212
cs                     0x8
rflags             0x10246            __ALIGN_SIZE+0xf246
rsp     0xffff8000221a5b70
ss                    0x10
uvm_unmap_remove+0x212: movq    0x100(%r13),%r8
ddb{3}> show uvm
Current UVM status:
  pagesize=4096 (0x1000), pagemask=0xfff, pageshift=12
  4063012 VM pages: 248880 active, 22841 inactive, 0 wired, 3618910 free (452363 zero)
  min  10% (25) anon, 10% (25) vnode, 5% (12) vtext
  freemin=135433, free-target=180577, inactive-target=0, wired-max=1354337
  faults=1834393, traps=1968492, intrs=259893, ctxswitch=2128046 fpuswitch=0
  softint=711009, syscalls=54992133, kmapent=28
 fault counts:
  noram=0, noanon=0, noamap=0, pgwait=0, pgrele=0
  ok relocks(total)=44885(44947), anget(retries)=186943(0), amapcopy=138714
  neighbor anon/obj pg=176803/119887, gets(lock/unlock)=85155/44947
  cases: anon=174733, anoncow=12210, obj=76574, prcopy=8519, przero=1562349
 daemon and swap counts:
  woke=0, revs=0, scans=0, obscans=0, anscans=0
  busy=0, freed=0, reactivate=0, deactivate=0
  pageouts=0, pending=0, nswget=0
  nswapdev=1
  swpages=262143, swpginuse=0, swpgonly=0 paging=0
 kernel pointers:
  objs(kern)=0xffffffff81d0dfa8
ddb{3}> show bcstats
Current Buffer Cache status:
numbufs 13807 busymapped 0, delwri 14
kvaslots 6553 avail kva slots 6553
bufpages 157098, dmapages 156346, dirtypages 224
pendingreads 0, pendingwrites 0
highflips 188, highflops 0, dmaflips 0
ddb{3}> trace
uvm_unmap_remove(44d1cccf70f0c14e,ffffff03af20df28,ffff800000b44f00,ffffff03af20df18,ffff8000fffeab80,0) at uvm_unmap_remove+0x212
uvm_map_deallocate(afb692e07744b9d) at uvm_map_deallocate+0x5e
vm_teardown(ffffff03af20df28) at vm_teardown+0xf0
vm_terminate(4d5b55e959cb995b) at vm_terminate+0x192
VOP_IOCTL(57a3eaddf57314b9,ffffff03c0cd75f0,aa07f3f3f1aae2e8,ffff8000220e7528,ffffff043f7ca3c0,ffff800000000003) at VOP_IOCTL+0x5a
vn_ioctl(7a3832e847fe16c7,ffffff03bef01088,ffff8000220e7528,4) at vn_ioctl+0x6b
sys_ioctl(4c28df5ce452af20,360,ffff8000220e7528) at sys_ioctl+0x3ec
syscall(2f430d22c712d672) at syscall+0x32a
Xsyscall(6,36,1,36,7f7ffffc8f38,154b669bd800) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffc8f20, count: -9
ddb{3}> show panic
kernel page fault
uvm_fault(0xffffffff81ced808, 0xffff800000b45000, 0, 1) -> e
uvm_unmap_remove(44d1cccf70f0c14e,ffffff03af20df28,ffff800000b44f00,ffffff03af20df18,ffff8000fffeab80,0) at uvm_unmap_remove+0x212
end trace frame: 0xffff8000221a5c00, count: 0
ddb{3}> trace
uvm_unmap_remove(44d1cccf70f0c14e,ffffff03af20df28,ffff800000b44f00,ffffff03af20df18,ffff8000fffeab80,0) at uvm_unmap_remove+0x212
uvm_map_deallocate(afb692e07744b9d) at uvm_map_deallocate+0x5e
vm_teardown(ffffff03af20df28) at vm_teardown+0xf0
vm_terminate(4d5b55e959cb995b) at vm_terminate+0x192
VOP_IOCTL(57a3eaddf57314b9,ffffff03c0cd75f0,aa07f3f3f1aae2e8,ffff8000220e7528,ffffff043f7ca3c0,ffff800000000003) at VOP_IOCTL+0x5a
vn_ioctl(7a3832e847fe16c7,ffffff03bef01088,ffff8000220e7528,4) at vn_ioctl+0x6b
sys_ioctl(4c28df5ce452af20,360,ffff8000220e7528) at sys_ioctl+0x3ec
syscall(2f430d22c712d672) at syscall+0x32a
Xsyscall(6,36,1,36,7f7ffffc8f38,154b669bd800) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffc8f20, count: -9
ddb{3}> machine ddbcpu 0
Stopped at      x86_ipi_db+0x12:        popq    %r11
ddb{0}> trace
x86_ipi_db(9f7125898da98c60) at x86_ipi_db+0x12
x86_ipi_handler() at x86_ipi_handler+0x80
Xresume_lapic_ipi(4,ffffffff81cb4ff0,0,0,0,0) at Xresume_lapic_ipi+0x23
_kernel_lock(2f430d22c72c0929,0) at _kernel_lock+0xa0
Xsoftclock(0,ffffffff81cb4ff0,154b45ccbe98,0,360,ffff800022168980) at Xsoftclock+0x1f
_kernel_lock(2f430d22c712d672,0) at _kernel_lock+0xa2
Xsyscall(6,36,ffff,36,1549443b2ee0,154944332e20) at Xsyscall+0x128
end of kernel
end trace frame: 0x154b45ccbf00, count: -7
ddb{0}> machine ddbcpu 1
Stopped at      x86_ipi_db+0x12:        popq    %r11
ddb{1}> trace
x86_ipi_db(9f7125898da98c60) at x86_ipi_db+0x12
x86_ipi_handler() at x86_ipi_handler+0x80
Xresume_lapic_ipi(c,ffff800022008ff0,ffffff03c91e5c78,0,0,ffff8000220e6e20) at Xresume_lapic_ipi+0x23
___mp_acquire_count(5fc7dbe4cddc104b,202) at ___mp_acquire_count+0x82
mi_switch() at mi_switch+0x284
sleep_finish(4f65d4dca25e8b44,ffff80002213e8b0) at sleep_finish+0x7f
sleep_finish_all(bb564a080f93a3cd,ffff80002213e8b0) at sleep_finish_all+0x1f
tsleep(ec8de469adcead5c,ffffff03c24e9ea8,ffff80002213e9e0,40) at tsleep+0xcd
kqueue_scan(c3f2a33c1aebefd9,ffffff03c24e9ea0,0,ffff80002213ed10,ffff80002213ed00,ffff8000220e6e20) at kqueue_scan+0x50c
sys_kevent(498f516e1701a4e8,480,ffff8000220e6e20) at sys_kevent+0x2e4
syscall(2f430d22c712d672) at syscall+0x32a
Xsyscall(6,48,7f7ffffe6bc0,48,0,1aaa39bbd800) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffe6b80, count: -12
ddb{1}> machine ddbcpu 2
Stopped at      x86_ipi_db+0x12:        popq    %r11
ddb{2}> trace
x86_ipi_db(9f7125898da98c60) at x86_ipi_db+0x12
x86_ipi_handler() at x86_ipi_handler+0x80
Xresume_lapic_ipi(0,ffff800022019ff0,3,0,ffff,ffff8000fffe95c0) at Xresume_lapic_ipi+0x23
_kernel_lock(b4b9e7642801437d,ffffff03af20d988) at _kernel_lock+0xa2
vm_run(4968c378ff2b0243) at vm_run+0x1d2
VOP_IOCTL(57a3eaddf57314b9,ffffff03c0cd75f0,aa07f3f3f1aae2e8,ffff8000221699e8,ffffff043f7ca3c0,ffff800000000003) at VOP_IOCTL+0x5a
vn_ioctl(7a3832e847fe16c7,ffffff03bef01088,ffff8000221699e8,20) at vn_ioctl+0x6b
sys_ioctl(4c28df5ce452af20,360,ffff8000221699e8) at sys_ioctl+0x3ec
syscall(2f430d22c712d672) at syscall+0x32a
Xsyscall(0,36,0,36,1549443b2ee0,154944332e20) at Xsyscall+0x128
end of kernel
end trace frame: 0x154c07f45dc0, count: -10
ddb{2}> machine ddbcpu 3
Stopped at      uvm_unmap_remove+0x212: movq    0x100(%r13),%r8
ddb{3}> trace
uvm_unmap_remove(44d1cccf70f0c14e,ffffff03af20df28,ffff800000b44f00,ffffff03af20df18,ffff8000fffeab80,0) at uvm_unmap_remove+0x212
uvm_map_deallocate(afb692e07744b9d) at uvm_map_deallocate+0x5e
vm_teardown(ffffff03af20df28) at vm_teardown+0xf0
vm_terminate(4d5b55e959cb995b) at vm_terminate+0x192
VOP_IOCTL(57a3eaddf57314b9,ffffff03c0cd75f0,aa07f3f3f1aae2e8,ffff8000220e7528,ffffff043f7ca3c0,ffff800000000003) at VOP_IOCTL+0x5a
vn_ioctl(7a3832e847fe16c7,ffffff03bef01088,ffff8000220e7528,4) at vn_ioctl+0x6b
sys_ioctl(4c28df5ce452af20,360,ffff8000220e7528) at sys_ioctl+0x3ec
syscall(2f430d22c712d672) at syscall+0x32a
Xsyscall(6,36,1,36,7f7ffffc8f38,154b669bd800) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffc8f20, count: -9
ddb{3}> machine ddbcpu 4
Stopped at      x86_ipi_db+0x12:        popq    %r11
ddb{4}> trace
x86_ipi_db(9f7125898da98c60) at x86_ipi_db+0x12
x86_ipi_handler() at x86_ipi_handler+0x80
Xresume_lapic_ipi(0,0,1388,0,ffff800000022a00,ffff80002202c6b0) at Xresume_lapic_ipi+0x23
acpicpu_idle() at acpicpu_idle+0x281
sched_idle(0) at sched_idle+0x245
end trace frame: 0x0, count: -5
ddb{4}> machine ddbcpu 5
Stopped at      x86_ipi_db+0x12:        popq    %r11
ddb{5}> trace
x86_ipi_db(9f7125898da98c60) at x86_ipi_db+0x12
x86_ipi_handler() at x86_ipi_handler+0x80
Xresume_lapic_ipi(0,0,1388,0,ffff800000022a60,ffff8000220356b0) at Xresume_lapic_ipi+0x23
acpicpu_idle() at acpicpu_idle+0x281
sched_idle(0) at sched_idle+0x245
end trace frame: 0x0, count: -5
ddb{5}> machine ddbcpu 6
Stopped at      x86_ipi_db+0x12:        popq    %r11
ddb{6}> trace
x86_ipi_db(9f7125898da98c60) at x86_ipi_db+0x12
x86_ipi_handler() at x86_ipi_handler+0x80
Xresume_lapic_ipi(0,0,1388,0,ffff800000022aa0,ffff80002203e6b0) at Xresume_lapic_ipi+0x23
acpicpu_idle() at acpicpu_idle+0x281
sched_idle(0) at sched_idle+0x245
end trace frame: 0x0, count: -5
ddb{6}> machine ddbcpu 7
Stopped at
x86_ipi_db+0x12:        popq    %r11
ddb{7}> trace
x86_ipi_db(9f7125898da98c60) at x86_ipi_db+0x12
x86_ipi_handler() at x86_ipi_handler+0x80
Xresume_lapic_ipi(0,0,1388,0,ffff800000022ae0,ffff8000220476b0) at Xresume_lapic_ipi+0x23
acpicpu_idle() at acpicpu_idle+0x281
sched_idle(0) at sched_idle+0x245
end trace frame: 0x0, count: -5
ddb{7}>
   PID    TID   PPID  UID S      FLAGS WAIT       COMMAND
 75909  98659  98458  107 3  0x4100090 fsleep     vmd
 75909 520548  98458  107 3  0x4100090 kqread     vmd
 72563 152888  36719 1000 3   0x100082 kqread     cu
 31544  86900   6660 1000 3   0x100083 ttyin      sh
  6660 393208  69188 1000 3   0x10008b pause      ksh
 69188 422355  70910 1000 3       0x90 select     sshd
 70910 469490  42311    0 3       0x92 poll       sshd
 77741 311020  36719 1000 3   0x100082 select     ssh
 98046  73968  36719 1000 3   0x100082 select     ssh
 65876 294564  98458  107 3   0x100090 fsleep     vmd
 65876 355927  98458  107 7  0x4100010            vmd
 65876 290815  98458  107 3  0x4100090 kqread     vmd
 76344 172390  98458  107 3   0x100090 fsleep     vmd
 76344 313650  98458  107 7  0x4100010            vmd
 76344 313492  98458  107 3  0x4100090 kqread     vmd
 43125  25647  36719 1000 3   0x100082 kqread     cu
 10661 491560  36719 1000 3   0x100082 kqread     cu
 36719 369167  78910 1000 3       0x82 wait       syz-manager
 36719 344670  78910 1000 3  0x4000082 nanosleep  syz-manager
 36719 342133  78910 1000 3  0x4000082 thrsleep   syz-manager
 36719 437023  78910 1000 3  0x4000082 kqread     syz-manager
 36719 246037  78910 1000 3  0x4000082 thrsleep   syz-manager
 36719 448056  78910 1000 3  0x4000082 thrsleep   syz-manager
 36719  55877  78910 1000 3  0x4000082 thrsleep   syz-manager
 36719  63574  78910 1000 3  0x4000082 thrsleep   syz-manager
 36719   9314  78910 1000 3  0x4000082 thrsleep   syz-manager
 36719 374331  78910 1000 3  0x4000082 nanosleep  syz-manager
 36719 312249  78910 1000 3  0x4000082 thrsleep   syz-manager
 36719 177228  78910 1000 3  0x4000082 thrsleep   syz-manager
 36719 193073  78910 1000 3  0x4000082 thrsleep   syz-manager
 36719 172834  78910 1000 3  0x4000082 thrsleep   syz-manager
 36719 276406  78910 1000 3  0x4000082 thrsleep   syz-manager
 36719 116842  78910 1000 3  0x4000082 thrsleep   syz-manager
 36719 400281  78910 1000 3  0x4000082 thrsleep   syz-manager
 36719 517174  78910 1000 3  0x4000082 thrsleep   syz-manager
 36719  33034  78910 1000 3  0x4000082 thrsleep   syz-manager
 36719  51166  78910 1000 3  0x4000082 thrsleep   syz-manager
 56831 285988      1    0 3   0x100083 ttyin      getty
 46580 302811      1    0 3   0x100098 poll       cron
 41577 146375      1 1000 3   0x100083 piperd     tee
 78910 158261      1 1000 3       0x83 thrsleep   syz-ci
 78910 492581      1 1000 3  0x4000083 thrsleep   syz-ci
 78910 187554      1 1000 3  0x4000083 thrsleep   syz-ci
 78910 302523      1 1000 3  0x4000083 kqread     syz-ci
 78910  42140      1 1000 3  0x4000083 thrsleep   syz-ci
 78910  98351      1 1000 3  0x4000083 thrsleep   syz-ci
 78910 293366      1 1000 3  0x4000083 thrsleep   syz-ci
 78910 274983      1 1000 3  0x4000083 thrsleep   syz-ci
 78910 220652      1 1000 3  0x4000083 thrsleep   syz-ci
 78910  81881      1 1000 3  0x4000083 thrsleep   syz-ci
 78910 351811      1 1000 3  0x4000083 thrsleep   syz-ci
 78910    849      1 1000 3  0x4000083 thrsleep   syz-ci
 78910  22847      1 1000 3  0x4000083 wait       syz-ci
 78910 134511      1 1000 3  0x4000083 thrsleep   syz-ci
 78910 266881      1 1000 3  0x4000083 thrsleep   syz-ci
 78910 332277      1 1000 3  0x4000083 thrsleep   syz-ci
 78910  86226      1 1000 3  0x4000083 thrsleep   syz-ci
 70312 392767      1    0 3       0x80 mfsidl     mount_mfs
 51730  34439      1    0 3   0x100080 kqread     vmd
*98458  83239      1  107 7   0x100012            vmd
 29269 182472      1  107 3   0x100092 kqread     vmd
  2965 312618      1    0 3       0x92 kqread     vmd
 42311 326700      1    0 3       0x80 select     sshd
 69323 248571  37758   83 3   0x100092 poll       ntpd
 37758 332004  64168   83 3   0x100092 poll       ntpd
 64168 228197      1    0 3   0x100080 poll       ntpd
 51883   6706  27507   74 3   0x100092 bpf        pflogd
 27507 202290      1    0 3       0x80 netio      pflogd
 10928  97553  86776   73 7   0x100090            syslogd
 86776 160925      1    0 3   0x100082 netio      syslogd
 45980  55090      1   77 3   0x100090 poll       dhclient
 87711 334773      1    0 3       0x80 poll       dhclient
 60259 386314      0    0 3    0x14200 pgzero     zerothread
 17324  31150      0    0 3    0x14200 aiodoned   aiodoned
 90110 311109      0    0 3    0x14200 syncer     update
 13835  86777      0    0 3    0x14200 cleaner    cleaner
 50914  55800      0    0 3    0x14200 reaper     reaper
 95240 140341      0    0 3    0x14200 pgdaemon   pagedaemon
  7054 382711      0    0 3    0x14200 bored      crynlk
 86581 108259      0    0 3    0x14200 bored      crypto
 12742 161682      0    0 3 0x40014200 acpi0      acpi0
 13196 391981      0    0 7 0x40014200            idle7
 95224  83812      0    0 7 0x40014200            idle6
 13741  57385      0    0 7 0x40014200            idle5
 80243  30890      0    0 7 0x40014200            idle4
 45207 455294      0    0 3 0x40014200            idle3
 55689  61935      0    0 3 0x40014200            idle2
 26997 523249      0    0 3 0x40014200            idle1
 91848  76499      0    0 3    0x14200 bored      softnet
 97774 352546      0    0 3    0x14200 bored      systqmp
 63560 114974      0    0 3    0x14200 bored      systq
 89082 449782      0    0 3 0x40014200 bored      softclock
 98578 254644      0    0 3 0x40014200            idle0
     1  62172      0    0 3       0x82 wait       init
     0      0     -1    0 3    0x10200 scheduler  swapper

The relevant disassembly looks like this:

000000000001c10 <uvm_unmap_remove>:
uvm_unmap_remove():
...
/syzkaller/src/sys/uvm/uvm_map.c:2125
    1de0:       4c 89 ef                mov    %r13,%rdi
    1de3:       4c 89 e6                mov    %r12,%rsi
    1de6:       e8 c5 1e 00 00          callq  3cb0 <uvm_unmap_kill_entry>
/syzkaller/src/sys/uvm/uvm_map.c:2128
    1deb:       41 f6 45 44 40          testb  $0x40,0x44(%r13)
    1df0:       0f 84 ba 00 00 00       je     1eb0 <uvm_unmap_remove+0x2a0>
/syzkaller/src/sys/uvm/uvm_map.c:2129
    1df6:       49 83 7c 24 60 00       cmpq   $0x0,0x60(%r12)
    1dfc:       0f 85 ae 00 00 00       jne    1eb0 <uvm_unmap_remove+0x2a0>
/syzkaller/src/sys/uvm/uvm_map.c:2128
    1e02:       41 f6 84 24 80 00 00    testb  $0x10,0x80(%r12)
    1e09:       00 10
    1e0b:       0f 85 9f 00 00 00       jne    1eb0 <uvm_unmap_remove+0x2a0>
/syzkaller/src/sys/uvm/uvm_map.c:2132
    1e11:       49 8b 4c 24 40          mov    0x40(%r12),%rcx
    1e16:       4d 8b 4c 24 48          mov    0x48(%r12),%r9
uvmspace_dused():
/syzkaller/src/sys/uvm/uvm_map.c:494
    1e1b:       49 8b b5 f8 00 00 00    mov    0xf8(%r13),%rsi
    1e22:       4d 8b 85 00 01 00 00    mov    0x100(%r13),%r8
    1e29:       4c 39 c6                cmp    %r8,%rsi
    1e2c:       4c 89 c2                mov    %r8,%rdx
    1e2f:       48 0f 42 d6             cmovb  %rsi,%rdx
/syzkaller/src/sys/uvm/uvm_map.c:495
    1e33:       4c 0f 47 c6             cmova  %rsi,%r8
/syzkaller/src/sys/uvm/uvm_map.c:498
    1e37:       4c 39 c9                cmp    %r9,%rcx
    1e3a:       75 04                   jne    1e40 <uvm_unmap_remove+0x230>
    1e3c:       31 f6                   xor    %esi,%esi
    1e3e:       eb 5a                   jmp    1e9a <uvm_unmap_remove+0x28a>
    1e40:       49 89 da                mov    %rbx,%r10
    1e43:       31 f6                   xor    %esi,%esi
    1e45:       eb 09                   jmp    1e50 <uvm_unmap_remove+0x240>

-- 
nest.cx is Gmail hosted, use PGP for anything private.
Key: http://goo.gl/6dMsr
Fingerprint: 5E2B 2D0E 1E03 2046 BEC3 4D50 0B15 42BD 8DF5 A1B0
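An added triage helper for the kind of VMM_DEBUG crash reported above (example code, not from the report or from the OpenBSD tree): it parses the "created vm_map @" lines, the uvm_fault() line, the instruction ddb shows at "Stopped at" and the base register from "show registers", recomputes base + displacement, finds the vm_map that pointer belongs to, and flags whether the field being read lies on the page after the one the object starts on. The log excerpt is a constructed trim of the report's own lines; the vm-to-map pairing assumes each creation line is directly followed by its vm_resetcpu line.

```python
import re

PAGE_MASK = ~0xfff  # 4 KiB pages, as 'show uvm' reports

# Constructed excerpt of the console log and ddb session quoted in the
# report above, trimmed to the lines this script needs.
CONSOLE_LOG = """\
vm_impl_init_vmx: created vm_map @ 0xffff800000b44200
vm_resetcpu: resetting vm 4 vcpu 0 to power on defaults
vm_impl_init_vmx: created vm_map @ 0xffff800000b44700
vm_resetcpu: resetting vm 5 vcpu 0 to power on defaults
vm_impl_init_vmx: created vm_map @ 0xffff800000b27100
vm_resetcpu: resetting vm 6 vcpu 0 to power on defaults
vm_impl_init_vmx: created vm_map @ 0xffff800000b44f00
vm_resetcpu: resetting vm 7 vcpu 0 to power on defaults
uvm_fault(0xffffffff81ced808, 0xffff800000b45000, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at      uvm_unmap_remove+0x212: movq    0x100(%r13),%r8
"""
REGISTERS = """\
r13     0xffff800000b44f00
"""

def parse_vm_maps(log):
    """vm id -> vm_map address. Assumes each 'created vm_map' line is
    directly followed by its vm_resetcpu line, as for vm 4..7 above."""
    maps, pending = {}, None
    for line in log.splitlines():
        m = re.search(r"created vm_map @ (0x[0-9a-f]+)", line)
        if m:
            pending = int(m.group(1), 16)
            continue
        m = re.search(r"resetting vm (\d+) vcpu", line)
        if m and pending is not None:
            maps[int(m.group(1))] = pending
            pending = None
    return maps

def parse_fault(log):
    """(fault address, access) from uvm_fault(map, va, fault_type, access);
    access is PROT_READ (1) or PROT_WRITE (2)."""
    m = re.search(r"uvm_fault\(0x[0-9a-f]+, (0x[0-9a-f]+), \d+, (\d+)\)", log)
    if m is None:
        raise ValueError("no uvm_fault() line in log")
    return int(m.group(1), 16), int(m.group(2))

def parse_faulting_operand(log):
    """(displacement, base register) of the memory operand on ddb's 'Stopped
    at' line, e.g. 'movq 0x100(%r13),%r8' -> (0x100, 'r13')."""
    m = re.search(r"Stopped at\s+\S+:\s+mov\w*\s+(-?0x[0-9a-f]+)\(%(\w+)\)", log)
    if m is None:
        raise ValueError("no base+displacement operand on 'Stopped at' line")
    return int(m.group(1), 16), m.group(2)

def parse_register(regs, name):
    """One register value from a ddb 'show registers' dump."""
    m = re.search(r"^%s\s+(0x[0-9a-f]+|\d+)" % re.escape(name), regs, re.M)
    if m is None:
        raise ValueError("register %s not in dump" % name)
    return int(m.group(1), 0)

def triage(log, regs):
    """Tie the fault address back to the vm_map the base pointer lies in."""
    fault_addr, access = parse_fault(log)
    disp, base = parse_faulting_operand(log)
    base_val = parse_register(regs, base)
    # Closest vm_map that starts at or below the base pointer.
    vm, map_addr = max(((v, a) for v, a in parse_vm_maps(log).items()
                        if a <= base_val), key=lambda t: t[1])
    return {
        "fault_addr": fault_addr,
        "access": "write" if access & 2 else "read",
        "operand": "%#x(%%%s)" % (disp, base),
        "consistent": base_val + disp == fault_addr,
        "vm": vm,
        "vm_map": map_addr,
        "offset_in_map": fault_addr - map_addr,
        # A legitimate field offset that lands on the page after the one the
        # object starts on faults as soon as that next page is unmapped.
        "crosses_page": (map_addr & PAGE_MASK) != (fault_addr & PAGE_MASK),
    }

if __name__ == "__main__":
    print(triage(CONSOLE_LOG, REGISTERS))
```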
