On Tue, Oct 30, 2018 at 09:17:19PM -0700, Greg Steuck wrote:
> My syzkaller machine running a recent snapshot just crashed. The value
> 0x415efd243b54d319 passed into uvm_map_deallocate looks quite fishy to me.
>
Known issue. And the parameters in the list aren't right (there needs to be
something added to clang/llvm to support reading the params properly).
-ml
> Some hopefully useful info below.
>
> ddb{4}> trace
> uvm_unmap_remove(c05f7f8cd1633180,ffffff036f57f5a8,ffff800000b85f00,ffffff036f57f598,ffff8000222b8040,0)
> at uvm_unmap_remove+0x212
> uvm_map_deallocate(415efd243b54d319) at uvm_map_deallocate+0x5e
> vm_teardown(ffffff036f57f3d8) at vm_teardown+0xf0
> vm_run(a186e3e68e0c8d2d) at vm_run+0x226
> VOP_IOCTL(d3bfd0b457c4b224,ffffff03c9c6f5f0,32269d81b8d394bf,ffff8000222b4968,ffffff043f7ca420,3)
> at VOP_IOCTL+0x5a
> vn_ioctl(d3bfd0b4579725f3,ffffff03ca9e15b0,ffff8000222b4968,20) at
> vn_ioctl+0x6b
> sys_ioctl(7867d986861f8ba2,360,ffff8000222b4968) at sys_ioctl+0x3ec
> syscall(3871e5d148df7b3d) at syscall+0x32a
> Xsyscall(0,36,0,36,1fc2fafb52d0,1fc2faf35000) at Xsyscall+0x128
> end of kernel
> end trace frame: 0x1fc5a67a25b0, count: -9
> ddb{4}> show proc
> PROC (vmd) pid=51765 stat=onproc
> flags process=100010<SUGID,PLEDGE> proc=4000000<THREAD>
> pri=86, usrpri=86, nice=20
> forw=0xffffffffffffffff, list=0xffff8000222b5520,0xffff8000222b4270
> process=0xffff8000fffecfc8 user=0xffff80002237d000,
> vmspace=0xffffff03c12e9
> c70
> estcpu=36, cpticks=110340, pctcpu=13.31
> user=0, sys=110290, intr=0
> ddb{4}> show registers
> rdi 0x313679 acpi_pdirpa+0x2ff4e1
> rsi 0x20656874203a7374
> rbp 0xffff800022382510
> rbx 0xffff8000223824d0
> rdx 0x11f010 acpi_pdirpa+0x10ae78
> rcx 0
> rax 0xffffff01189c9c80
> r8 0x3
> r9 0xa0000 acpi_pdirpa+0x8be68
> r10 0x843d1fe10f0343b5
> r11 0x871ebb2341e37234
> r12 0xffffff036df6f800
> r13 0xffff800000b85f00
> r14 0xffffff036df6f560
> r15 0x20000000
> rip 0xffffffff81253ea2 uvm_unmap_remove+0x212
> cs 0x8
> rflags 0x10246 __ALIGN_SIZE+0xf246
> rsp 0xffff8000223824c0
> ss 0x10
> uvm_unmap_remove+0x212: movq 0x100(%r13),%r8
> ddb{4}> ps
> PID TID PPID UID S FLAGS WAIT COMMAND
> 17768 177047 33715 1000 3 0x100082 netio vmctl
> 29298 159270 33715 1000 3 0x100082 select ssh
> 64908 229787 65965 107 3 0x100090 fsleep vmd
> *64908 51765 65965 107 7 0x4100010 vmd
> 64908 303902 65965 107 3 0x4100090 kqread vmd
> 13897 386612 33715 1000 3 0x100082 kqread cu
> 73064 419314 33715 1000 3 0x100082 select ssh
> 4542 45446 33715 1000 3 0x100082 select ssh
> 68055 103187 65965 107 3 0x100090 fsleep vmd
> 68055 234837 65965 107 7 0x4100010 vmd
> 68055 264629 65965 107 3 0x4100090 kqread vmd
> 52273 63673 33715 1000 3 0x100082 kqread cu
> 66423 519194 65965 107 3 0x100090 fsleep vmd
> 66423 290968 65965 107 7 0x4100010 vmd
> 66423 87324 65965 107 3 0x4100090 kqread vmd
> 99721 216090 33715 1000 3 0x100082 kqread cu
> 94925 180901 59444 1000 3 0x100083 ttyin ksh
> 59444 245156 97608 1000 3 0x90 select sshd
> 97608 190596 7060 0 3 0x92 poll sshd
> 33715 486116 47331 1000 3 0x82 thrsleep syz-manager
> 33715 476656 47331 1000 3 0x4000082 nanosleep syz-manager
> 33715 250648 47331 1000 3 0x4000082 thrsleep syz-manager
> 33715 416559 47331 1000 3 0x4000082 thrsleep syz-manager
> 33715 446496 47331 1000 3 0x4000082 thrsleep syz-manager
> 33715 28430 47331 1000 3 0x4000082 wait syz-manager
> 33715 416959 47331 1000 3 0x4000082 thrsleep syz-manager
> 33715 35863 47331 1000 3 0x4000082 thrsleep syz-manager
> 33715 12026 47331 1000 3 0x4000082 thrsleep syz-manager
> 33715 50683 47331 1000 3 0x4000082 thrsleep syz-manager
> 33715 263314 47331 1000 3 0x4000082 thrsleep syz-manager
> 33715 270714 47331 1000 3 0x4000082 thrsleep syz-manager
> 33715 504545 47331 1000 3 0x4000082 thrsleep syz-manager
> 33715 37212 47331 1000 3 0x4000082 thrsleep syz-manager
> 33715 487285 47331 1000 3 0x4000082 kqread syz-manager
> 33715 367916 47331 1000 3 0x4000082 thrsleep syz-manager
> 33715 365101 47331 1000 3 0x4000082 thrsleep syz-manager
> 33715 175614 47331 1000 3 0x4000082 thrsleep syz-manager
> 33715 86128 47331 1000 3 0x4000082 thrsleep syz-manager
> 33715 243048 47331 1000 3 0x4000082 thrsleep syz-manager
> 33715 65128 47331 1000 3 0x4000082 thrsleep syz-manager
> 7782 391573 1 0 3 0x100083 ttyin getty
> 61355 476277 1 0 3 0x100098 poll cron
> 62279 9994 1 1000 3 0x100083 piperd tee
> 47331 338961 1 1000 3 0x4000083 thrsleep syz-ci
> 47331 88809 1 1000 3 0x4000083 thrsleep syz-ci
> 47331 357835 1 1000 3 0x4000083 thrsleep syz-ci
> 47331 86428 1 1000 3 0x4000083 thrsleep syz-ci
> 47331 516817 1 1000 3 0x4000083 thrsleep syz-ci
> 47331 307439 1 1000 3 0x4000083 kqread syz-ci
> 47331 280879 1 1000 3 0x4000083 thrsleep syz-ci
> 47331 425939 1 1000 3 0x4000083 thrsleep syz-ci
> 47331 40398 1 1000 3 0x4000083 thrsleep syz-ci
> 47331 148862 1 1000 3 0x4000083 thrsleep syz-ci
> 47331 58299 1 1000 3 0x4000083 thrsleep syz-ci
>
> ddb{4}> machine ddbcpu 0
> Stopped at x86_ipi_db+0x12: popq %r11
> ddb{0}> bt
> x86_ipi_db(9888e7051bef5684) at x86_ipi_db+0x12
> x86_ipi_handler() at x86_ipi_handler+0x80
> Xresume_lapic_ipi(4,ffffffff81caaff0,0,0,0,0) at Xresume_lapic_ipi+0x23
> _kernel_lock(bb9edee8e5f890c3,0) at _kernel_lock+0xa2
> Xsoftclock(0,0,1388,0,ffff8000000229e0,ffffffff81cab6b0) at Xsoftclock+0x1f
> acpicpu_idle() at acpicpu_idle+0x281
> sched_idle(0) at sched_idle+0x245
> end trace frame: 0x0, count: -7
> ddb{0}> machine ddbcpu 1
> Stopped at x86_ipi_db+0x12: popq %r11
> ddb{1}> bt
> x86_ipi_db(9888e7051bef5684) at x86_ipi_db+0x12
> x86_ipi_handler() at x86_ipi_handler+0x80
> Xresume_lapic_ipi(0,0,1388,0,ffff800000022a40,ffff8000220116b0) at
> Xresume_lapi
> c_ipi+0x23
> acpicpu_idle() at acpicpu_idle+0x281
> sched_idle(0) at sched_idle+0x245
> end trace frame: 0x0, count: -5
> ddb{1}> machine ddbcpu 2
> Stopped at x86_ipi_db+0x12: popq %r11
> ddb{2}> bt
> x86_ipi_db(9888e7051bef5684) at x86_ipi_db+0x12
> x86_ipi_handler() at x86_ipi_handler+0x80
> Xresume_lapic_ipi(0,ffff800022019ff0,1fc5e1c31188,0,360,ffff8000222b52c8)
> at Xr
> esume_lapic_ipi+0x23
> _kernel_lock(3871e5d148df7b3d,0) at _kernel_lock+0xa2
> Xsyscall(0,36,ffff,36,1fc2fafb52d0,1fc2faf35000) at Xsyscall+0x128
> end of kernel
> end trace frame: 0x1fc5e1c311f0, count: -5
> ddb{2}> machine ddbcpu 3
> Stopped at x86_ipi_db+0x12: popq %r11
> ddb{3}> bt
> x86_ipi_db(9888e7051bef5684) at x86_ipi_db+0x12
> x86_ipi_handler() at x86_ipi_handler+0x80
> Xresume_lapic_ipi(0,0,1388,0,ffff800000022ac0,ffff8000220236b0) at
> Xresume_lapic_ipi+0x23
> acpicpu_idle() at acpicpu_idle+0x281
> sched_idle(0) at sched_idle+0x245
> end trace frame: 0x0, count: -5
> ddb{3}> machine ddbcpu 4
> Stopped at uvm_unmap_remove+0x212: movq 0x100(%r13),%r8
> ddb{4}> bt
> uvm_unmap_remove(c05f7f8cd1633180,ffffff036f57f5a8,ffff800000b85f00,ffffff036f57f598,ffff8000222b8040,0)
> at uvm_unmap_remove+0x212
> uvm_map_deallocate(415efd243b54d319) at uvm_map_deallocate+0x5e
> vm_teardown(ffffff036f57f3d8) at vm_teardown+0xf0
> vm_run(a186e3e68e0c8d2d) at vm_run+0x226
> VOP_IOCTL(d3bfd0b457c4b224,ffffff03c9c6f5f0,32269d81b8d394bf,ffff8000222b4968,f
> fffff043f7ca420,3) at VOP_IOCTL+0x5a
> vn_ioctl(d3bfd0b4579725f3,ffffff03ca9e15b0,ffff8000222b4968,20) at
> vn_ioctl+0x6b
> sys_ioctl(7867d986861f8ba2,360,ffff8000222b4968) at sys_ioctl+0x3ec
> syscall(3871e5d148df7b3d) at syscall+0x32a
> Xsyscall(0,36,0,36,1fc2fafb52d0,1fc2faf35000) at Xsyscall+0x128
> end of kernel
> end trace frame: 0x1fc5a67a25b0, count: -9
> ddb{4}> machine ddbcpu 5
> Stopped at x86_ipi_db+0x12: popq %r11
> ddb{5}> bt
> x86_ipi_db(9888e7051bef5684) at x86_ipi_db+0x12
> x86_ipi_handler() at x86_ipi_handler+0x80
> Xresume_lapic_ipi(0,ffff800022034ff0,3,0,ffff8000222bb300,ffff) at
> Xresume_lapi
> c_ipi+0x23
> _kernel_lock(c63b1b9f2bc06c11,ffffff036f57fd60) at _kernel_lock+0xa2
> vm_run(a186e3e68e0c8d2d) at vm_run+0x1d2
> VOP_IOCTL(d3bfd0b457c4b224,ffffff03c9c6f5f0,32269d81b8d394bf,ffff8000222b5c28,f
> fffff043f7ca420,ffff800000000003) at VOP_IOCTL+0x5a
> vn_ioctl(d3bfd0b4579725f3,ffffff03ca9e15b0,ffff8000222b5c28,20) at
> vn_ioctl+0x6
> b
> sys_ioctl(7867d986861f8ba2,360,ffff8000222b5c28) at sys_ioctl+0x3ec
> syscall(3871e5d148df7b3d) at syscall+0x32a
> Xsyscall(0,36,0,36,1fc2fafb52d0,1fc2faf35000) at Xsyscall+0x128
> end of kernel
> end trace frame: 0x1fc551bac200, count: -10
> ddb{5}> machine ddbcpu 6
> Stopped at x86_ipi_db+0x12: popq %r11
> ddb{6}> bt
> x86_ipi_db(9888e7051bef5684) at x86_ipi_db+0x12
> x86_ipi_handler() at x86_ipi_handler+0x80
> Xresume_lapic_ipi(0,ffff80002203dff0,7f7ffffc9bf8,0,480,ffff8000ffff52d0)
> at Xr
> esume_lapic_ipi+0x23
> _kernel_lock(3871e5d148df7b3d,0) at _kernel_lock+0xa2
> Xsyscall(6,48,0,48,0,1fc566b13000) at Xsyscall+0x128
> end of kernel
> end trace frame: 0x7f7ffffc9c50, count: -5
> ddb{6}> machine ddbcpu 7
> Stopped at x86_ipi_db+0x12: popq %r11
> ddb{7}> bt
> x86_ipi_db(9888e7051bef5684) at x86_ipi_db+0x12
> x86_ipi_handler() at x86_ipi_handler+0x80
> Xresume_lapic_ipi(c,ffff800022046ff0,ffffff03cafd5d10,0,0,ffff8000ffff4970)
> at X
> resume_lapic_ipi+0x23
> ___mp_acquire_count(aab85f2c4e340760,202) at ___mp_acquire_count+0x82
> mi_switch() at mi_switch+0x284
> sleep_finish(b8227d1459d2e769,ffff800022137ef0) at sleep_finish+0x7f
> sleep_finish_all(f363755936598ca5,ffff800022137ef0) at sleep_finish_all+0x1f
> tsleep(56cd3baa1ab2dd67,ffffff03c068af10,ffff800022138020,40) at tsleep+0xcd
> kqueue_scan(a4ff20195ce2b8b4,ffffff03c068af08,0,ffff800022138350,ffff8000221383
> 40,ffff8000ffff4970) at kqueue_scan+0x50c
> sys_kevent(92645263b4dc28f5,480,ffff8000ffff4970) at sys_kevent+0x2e4
> syscall(3871e5d148df7b3d) at syscall+0x32a
> Xsyscall(6,48,7f7ffffbc0b0,48,0,1ff891659800) at Xsyscall+0x128
> end of kernel
> end trace frame: 0x7f7ffffbc070, count: -12
>
>
> db{7}> show uvm
> Current UVM status:
> pagesize=4096 (0x1000), pagemask=0xfff, pageshift=12
> 4063023 VM pages: 265502 active, 139594 inactive, 0 wired, 3327460 free
> (415936 zero)
> min 10% (25) anon, 10% (25) vnode, 5% (12) vtext
> freemin=135434, free-target=180578, inactive-target=0, wired-max=1354341
> faults=17279190, traps=14877979, intrs=318590, ctxswitch=21541542
> fpuswitch=0
> softint=3656393, syscalls=717172451, kmapent=11
> fault counts:
> noram=0, noanon=0, noamap=0, pgwait=0, pgrele=0
> ok relocks(total)=270683(270972), anget(retries)=1142214(0),
> amapcopy=1090269
> neighbor anon/obj pg=1081273/943385, gets(lock/unlock)=580101/270972
> cases: anon=1061886, anoncow=80328, obj=535237, prcopy=44575,
> przero=15557157
> daemon and swap counts:
> woke=0, revs=0, scans=0, obscans=0, anscans=0
> busy=0, freed=0, reactivate=0, deactivate=0
> pageouts=0, pending=0, nswget=0
> nswapdev=1
> swpages=262143, swpginuse=0, swpgonly=0 paging=0
> kernel pointers:
> objs(kern)=0xffffffff81d02098
>
>
> SeaBIOS (version 1.8.2-20171012_061934-google)
> Total RAM Size = 0x0000000400000000 = 16384 MiB
> CPUs found: 8 Max CPUs supported: 8
> found virtio-scsi at 0:3
> virtio-scsi vendor='Google' product='PersistentDisk' rev='1' type=0
> removable=0
> virtio-scsi blksize=512 sectors=20971520 = 10240 MiB
> virtio-scsi vendor='Google' product='PersistentDisk' rev='1' type=0
> removable=0
> virtio-scsi blksize=512 sectors=2097152000 = 1024000 MiB
> drive 0x000f2be0: PCHS=0/0/0 translation=lba LCHS=1024/255/63 s=20971520
> drive 0x000f2ba0: PCHS=0/0/0 translation=lba LCHS=1024/255/63 s=2097152000
> Booting from Hard Disk 0...
> >> OpenBSD/amd64 BOOT 3.41
>
> boot>
> [ using 2123928 bytes of bsd ELF symbol table ]
> Copyright (c) 1982, 1986, 1989, 1991, 1993
> The Regents of the University of California. All rights reserved.
> Copyright (c) 1995-2018 OpenBSD. All rights reserved.
> https://www.OpenBSD.org
> OpenBSD 6.4-current (GENERIC.MP) #410: Mon Oct 29 12:13:42 MDT 2018
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 17163079680 (16367MB)
> avail mem = 16633655296 (15863MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xbffffcf0 (20 entries)
> bios0: vendor Google version "Google" date 01/01/2011
> bios0: Google Google Compute Engine
> acpi0 at bios0: rev 0
> acpi0: sleep states S3 S4 S5
> acpi0: tables DSDT FACP SSDT APIC WAET SRAT
> acpi0: wakeup devices
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Xeon(R) CPU @ 2.30GHz, 2300.67 MHz, 06-3f-00
> cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 999MHz
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Xeon(R) CPU @ 2.30GHz, 2299.87 MHz, 06-3f-00
> cpu1:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
> cpu1: 256KB 64b/line 8-way L2 cache
> cpu1: smt 0, core 1, package 0
> cpu2 at mainbus0: apid 4 (application processor)
> cpu2: Intel(R) Xeon(R) CPU @ 2.30GHz, 2299.87 MHz, 06-3f-00
> cpu2:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
> cpu2: 256KB 64b/line 8-way L2 cache
> cpu2: smt 0, core 2, package 0
> cpu3 at mainbus0: apid 6 (application processor)
> cpu3: Intel(R) Xeon(R) CPU @ 2.30GHz, 2299.84 MHz, 06-3f-00
> cpu3:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
> cpu3: 256KB 64b/line 8-way L2 cache
> cpu3: smt 0, core 3, package 0
> cpu4 at mainbus0: apid 1 (application processor)
> cpu4: Intel(R) Xeon(R) CPU @ 2.30GHz, 2299.86 MHz, 06-3f-00
> cpu4:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
> cpu4: 256KB 64b/line 8-way L2 cache
> cpu4: smt 1, core 0, package 0
> cpu5 at mainbus0: apid 3 (application processor)
> cpu5: Intel(R) Xeon(R) CPU @ 2.30GHz, 2299.90 MHz, 06-3f-00
> cpu5:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
> cpu5: 256KB 64b/line 8-way L2 cache
> cpu5: smt 1, core 1, package 0
> cpu6 at mainbus0: apid 5 (application processor)
> cpu6: Intel(R) Xeon(R) CPU @ 2.30GHz, 2299.87 MHz, 06-3f-00
> cpu6:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
> cpu6: 256KB 64b/line 8-way L2 cache
> cpu6: smt 1, core 2, package 0
> cpu7 at mainbus0: apid 7 (application processor)
> cpu7: Intel(R) Xeon(R) CPU @ 2.30GHz, 2299.89 MHz, 06-3f-00
> cpu7:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
> cpu7: 256KB 64b/line 8-way L2 cache
> cpu7: smt 1, core 3, package 0
> ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 11, 24 pins
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpicpu0 at acpi0: C1(@1 halt!)
> acpicpu1 at acpi0: C1(@1 halt!)
> acpicpu2 at acpi0: C1(@1 halt!)
> acpicpu3 at acpi0: C1(@1 halt!)
> acpicpu4 at acpi0: C1(@1 halt!)
> acpicpu5 at acpi0: C1(@1 halt!)
> acpicpu6 at acpi0: C1(@1 halt!)
> acpicpu7 at acpi0: C1(@1 halt!)
> "ACPI0006" at acpi0 not configured
> acpipci0 at acpi0 PCI0: _OSC failed
> acpicmos0 at acpi0
> "QEMU0001" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> pvbus0 at mainbus0: KVM
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
> pcib0 at pci0 dev 1 function 0 "Intel 82371AB PIIX4 ISA" rev 0x03
> piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: SMBus
> disabled
> virtio0 at pci0 dev 3 function 0 "Qumranet Virtio SCSI" rev 0x00
> vioscsi0 at virtio0: qsize 8192
> scsibus1 at vioscsi0: 253 targets
> sd0 at scsibus1 targ 1 lun 0: <Google, PersistentDisk, 1> SCSI4 0/direct
> fixed serial.Google_PersistentDisk_
> sd0: 10240MB, 512 bytes/sector, 20971520 sectors, thin
> sd1 at scsibus1 targ 2 lun 0: <Google, PersistentDisk, 1> SCSI4 0/direct
> fixed serial.Google_PersistentDisk_
> sd1: 1024000MB, 512 bytes/sector, 2097152000 sectors, thin
> virtio0: msix shared
> virtio1 at pci0 dev 4 function 0 "Qumranet Virtio Network" rev 0x00
> vio0 at virtio1: address 42:01:0a:80:00:4a
> virtio1: msix per-VQ
> isa0 at pcib0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com0: console
> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> com2 at isa0 port 0x3e8/8 irq 5: ns16550a, 16 byte fifo
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> pckbd0 at pckbc0 (kbd slot)
> wskbd0 at pckbd0 mux 1
> pms0 at pckbc0 (aux slot)
> wsmouse0 at pms0 mux 0
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> vmm0 at mainbus0: VMX/EPT (using slow L1TF mitigation)
> vscsi0 at root
> scsibus2 at vscsi0: 256 targets
> softraid0 at root
> scsibus3 at softraid0: 256 targets
> root on sd0a (321880e53594cb63.a) swap on sd0b dump on sd0b
> Automatic boot in progress: starting file system checks.
> /dev/sd0a (321880e53594cb63.a): file system is clean; not checking
> setting tty flags
> pf enabled
> hw.smt: 0 -> 1
> starting network
> vio0: bound to 10.128.0.74 from 169.254.169.254 (42:01:0a:80:00:01)
> reordering libraries: done.
> starting early daemons: syslogd pflogd ntpd.
> starting RPC daemons:.
> savecore: no core dump
> checking quotas: done.
> clearing /tmp
> kern.securelevel: 0 -> 1
> creating runtime link editor directory cache.
> preserving editor files.
> starting network daemons: sshd vmd.
> + echo starting syz-ci
> starting syz-ci
> + fsck -y /dev/sd1a
> ** /dev/rsd1a
> ** File system is clean; not checking
> + mount /syzkaller
> + mkdir -p /syzkaller/ramdisk
> + mount -t mfs -o-s=10G /dev/sd0b /syzkaller/ramdisk
> + chown syzkaller:syzkaller /syzkaller/ramdisk
> + su -l syzkaller
> + << EOF2
> + test -x syz-ci
> + ./syz-ci -config ./config-openbsd.ci
> + tee syz-ci.log
> + 2>&1
> starting local daemons: cron.
> Tue Oct 30 10:31:16 PDT 2018
>
> OpenBSD/amd64 (ci-openbsd.syzkaller) (tty00)
>
> login: uvm_fault(0xffffffff81d01538, 0xffff800000b86000, 0, 1) -> e
> kernel: page fault trap, code=0
> Stopped at uvm_unmap_remove+0x212: movq 0x100(%r13),%r8
