Syzkaller hit 'panic: sbready: sb ADDR NULL fnrdy' bug.

login: panic: sbready: sb 0xfffffe0069ba4200 NULL fnrdy
cpuid = 0
time = 1744527114
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe00573b4210
kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe00573b4370
vpanic() at vpanic+0x257/frame 0xfffffe00573b4530
panic() at panic+0xb5/frame 0xfffffe00573b4600
sbready() at sbready+0x37f/frame 0xfffffe00573b4670
uipc_ready() at uipc_ready+0xf0/frame 0xfffffe00573b46d0
sendfile_iodone() at sendfile_iodone+0x631/frame 0xfffffe00573b47b0
vnode_pager_generic_getpages_done_async() at vnode_pager_generic_getpages_done_async+0xa8/frame 0xfffffe00573b4800
bufdone() at bufdone+0xfb/frame 0xfffffe00573b48b0
g_io_deliver() at g_io_deliver+0x5f6/frame 0xfffffe00573b49b0
g_io_deliver() at g_io_deliver+0x5f6/frame 0xfffffe00573b4ab0
g_io_deliver() at g_io_deliver+0x5f6/frame 0xfffffe00573b4bb0
g_disk_done() at g_disk_done+0x26d/frame 0xfffffe00573b4c80
vtblk_done_completed() at vtblk_done_completed+0x170/frame 0xfffffe00573b4cd0
vtblk_vq_intr() at vtblk_vq_intr+0x1a4/frame 0xfffffe00573b4d90
ithread_loop() at ithread_loop+0x4ec/frame 0xfffffe00573b4ef0
fork_exit() at fork_exit+0xcc/frame 0xfffffe00573b4f30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00573b4f30
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
[ thread pid 12 tid 100052 ]
Stopped at      kdb_enter+0x6e: movq    $0,0x23dd937(%rip)
db> 
db> set $lines = 0
db> set $maxwidth = 0
db> show registers
cs                        0x20
ds                        0x3b
es                        0x3b
fs                        0x13
gs                        0x1b
ss                        0x28
rax                       0x12
rcx         0xfffffe00033ef038
rdx         0xdffff7c000000000
rbx         0xffffffff82727b20  .str.27
rsp         0xfffffe00573b4350
rbp         0xfffffe00573b4370
rsi                          0
rdi         0xffffffff82e004c0  panicstr
r8                           0
r9                  0xffffffff
r10            0x1000000000187
r11                       0x1f
r12         0xfffffe000802a740
r13         0xfffffffffffffffe
r14         0xffffffff82727b20  .str.27
r15                          0
rip         0xffffffff815bd6de  kdb_enter+0x6e
rflags                    0x46
kdb_enter+0x6e: movq    $0,0x23dd937(%rip)
db> show proc
Process 12 (intr) at 0xfffffe0008006580:
 state: NORMAL
 uid: 0  gids: 0
 parent: pid 0 at 0xffffffff839257c0
 ABI: null
 flag: 0x10000284  flag2: 0
 reaper: 0xffffffff839257c0 reapsubtree: 12
 sigparent: 20
 vmspace: 0xffffffff83926760
   (map 0xffffffff83926760)
   (map.pmap 0xffffffff83926800)
   (pmap 0xffffffff83926870)
 threads: 12
100013                   I                                   [swi6: task queue]
100014                   I                                   [swi6: Giant taskq]
100016                   I                                   [swi5: fast taskq]
100033                   I                                   [swi1: netisr 0]
100046                   I                                   [irq40: virtio_pci0]
100047                   I                                   [irq41: virtio_pci0]
100048                   I                                   [irq42: virtio_pci0]
100051                   I                                   [irq43: virtio_pci1]
100052                   Run     CPU 0                       [irq44: virtio_pci1]
100053                   I                                   [irq1: atkbd0]
100054                   I                                   [irq12: psm0]
100055                   I                                   [swi0: uart uart++]
db> ps
  pid  ppid  pgrp   uid  state   wmesg   wchan               cmd
  934   933   934     0  REs     CPU 1                       syz-executor3489835
  933   931   931     0  S       select  0xfffffe0007e54bc0  sshd-session
  931   895   931     0  Ss      select  0xfffffe0007e54c40  sshd-session
  914     1   914     0  Ss+     ttyin   0xfffffe00581240b0  getty
  911     1   911     0  Ss      select  0xfffffe00582cb040  logger
  904     1    16     0  S+      piperd  0xfffffe006c5efb80  logger
  903   902    16     0  S+      nanslp  0xffffffff8397c400  sleep
  902     1    16     0  S+      wait    0xfffffe00548035c0  sh
  899     1   899     0  Ss      nanslp  0xffffffff8397c400  cron
  895     1   895     0  Ss      select  0xfffffe00582ca7c0  sshd
  776     1   776     0  Ss      select  0xfffffe00582ca840  syslogd
  775     1   772     0  S       select  0xfffffe00582ca8c0  syslogd
  772     1   772     0  Ss      kqread  0xfffffe005830eb00  syslogd
  563     1   563     0  Ss      select  0xfffffe00582cb1c0  devd
  349     1   349    65  Ss      select  0xfffffe00582cb140  dhclient
  325     1   325     0  Ss      select  0xfffffe00582cb0c0  dhclient
  322     1   322     0  Ss      select  0xfffffe0007e54ec0  dhclient
   15     0     0     0  DL      syncer  0xffffffff83a99be0  [syncer]
    9     0     0     0  DL      vlruwt  0xfffffe0008026b00  [vnlru]
    8     0     0     0  DL      (threaded)                  [bufdaemon]
100065                   D       psleep  0xffffffff83a981c0  [bufdaemon]
100068                   D       -       0xffffffff82e02140  [bufspacedaemon-0]
100084                   D       sdflush 0xfffffe005874fce8  [/ worker]
    7     0     0     0  DL      psleep  0xffffffff83ad8c80  [vmdaemon]
    6     0     0     0  DL      (threaded)                  [pagedaemon]
100063                   D       psleep  0xffffffff83abebf8  [dom0]
100069                   D       launds  0xffffffff83abec04  [laundry: dom0]
100070                   D       umarcl  0xffffffff81d64e50  [uma]
    5     0     0     0  DL      -       0xffffffff836f9bd0  [rand_harvestq]
    4     0     0     0  DL      (threaded)                  [cam]
100044                   D       -       0xffffffff836c4340  [doneq0]
100045                   D       -       0xffffffff836c42c0  [async]
100062                   D       -       0xffffffff836c4140  [scanner]
    3     0     0     0  DL      (threaded)                  [crypto]
100041                   D       crypto_ 0xffffffff83aba460  [crypto]
100042                   D       crypto_ 0xfffffe005447db30  [crypto returns 0]
100043                   D       crypto_ 0xfffffe005447db80  [crypto returns 1]
   14     0     0     0  DL      seqstat 0xfffffe00547e7088  [sequencer 00]
   13     0     0     0  DL      (threaded)                  [geom]
100035                   D       -       0xffffffff83924de0  [g_event]
100036                   D       -       0xffffffff83924e00  [g_up]
100037                   D       -       0xffffffff83924e20  [g_down]
    2     0     0     0  WL      (threaded)                  [clock]
100031                   I                                   [clock (0)]
100032                   I                                   [clock (1)]
   12     0     0     0  RL      (threaded)                  [intr]
100013                   I                                   [swi6: task queue]
100014                   I                                   [swi6: Giant taskq]
100016                   I                                   [swi5: fast taskq]
100033                   I                                   [swi1: netisr 0]
100046                   I                                   [irq40: virtio_pci0]
100047                   I                                   [irq41: virtio_pci0]
100048                   I                                   [irq42: virtio_pci0]
100051                   I                                   [irq43: virtio_pci1]
100052                   Run     CPU 0                       [irq44: virtio_pci1]
100053                   I                                   [irq1: atkbd0]
100054                   I                                   [irq12: psm0]
100055                   I                                   [swi0: uart uart++]
   11     0     0     0  RL      (threaded)                  [idle]
100003                   CanRun                              [idle: cpu0]
100004                   CanRun                              [idle: cpu1]
    1     0     1     0  SLs     wait    0xfffffe0008007040  [init]
   10     0     0     0  DL      audit_w 0xffffffff83abaee0  [audit]
    0     0     0     0  DLs     (threaded)                  [kernel]
100000                   D       parked  0xffffffff843e2ff0  [swapper]
100005                   D       -       0xfffffe00089faa00  [softirq_0]
100006                   D       -       0xfffffe00089fa800  [softirq_1]
100007                   D       -       0xfffffe00089fa600  [if_io_tqg_0]
100008                   D       -       0xfffffe00089fa400  [if_io_tqg_1]
100009                   D       -       0xfffffe00089fa200  [if_config_tqg_0]
100010                   D       -       0xfffffe00089fa000  [kqueue_ctx taskq]
100011                   D       -       0xfffffe00089f9d00  [jail_remove taskq]
100012                   D       -       0xfffffe00089f9b00  [bus taskq]
100015                   D       -       0xfffffe00089f9500  [thread taskq]
100017                   D       -       0xfffffe00089f9100  [aiod_kick taskq]
100018                   D       -       0xfffffe00089f8e00  [deferred_unmount ta]
100019                   D       -       0xfffffe00089f8c00  [inm_free taskq]
100020                   D       -       0xfffffe00089f8a00  [in6m_free taskq]
100021                   D       -       0xfffffe00089f8800  [linuxkpi_irq_wq]
100022                   D       -       0xfffffe00089f8600  [linuxkpi_short_wq_0]
100023                   D       -       0xfffffe00089f8600  [linuxkpi_short_wq_1]
100024                   D       -       0xfffffe00089f8600  [linuxkpi_short_wq_2]
100025                   D       -       0xfffffe00089f8600  [linuxkpi_short_wq_3]
100026                   D       -       0xfffffe00089f8100  [linuxkpi_long_wq_0]
100027                   D       -       0xfffffe00089f8100  [linuxkpi_long_wq_1]
100028                   D       -       0xfffffe00089f8100  [linuxkpi_long_wq_2]
100029                   D       -       0xfffffe00089f8100  [linuxkpi_long_wq_3]
100034                   D       -       0xfffffe00089f7700  [firmware taskq]
100039                   D       -       0xfffffe00089f7100  [crypto_0]
100040                   D       -       0xfffffe00089f7100  [crypto_1]
100049                   D       -       0xfffffe00580a0b00  [vtnet0 rxq 0]
100050                   D       -       0xfffffe00580a0a00  [vtnet0 txq 0]
100056                   D       -       0xffffffff8272cce1  [deadlkres]
100057                   D       -       0xfffffe0058587800  [acpi_task_0]
100058                   D       -       0xfffffe0058587800  [acpi_task_1]
100059                   D       -       0xfffffe0058587800  [acpi_task_2]
100061                   D       -       0xfffffe00580a0e00  [CAM taskq]
db> show all locks
Process 934 (syz-executor3489835) thread 0xfffffe00548f6740 (100131)
exclusive sx vm map (user) (vm map (user)) r = 0 (0xffffffff83abe180) locked @ /home/markj/sb/main/src/sys/vm/vm_map.c:4096
Process 12 (intr) thread 0xfffffe000802a740 (100052)
exclusive sleep mutex so_rcv (so_rcv) r = 0 (0xfffffe0069ba41e0) locked @ /home/markj/sb/main/src/sys/kern/uipc_usrreq.c:1654
exclusive sleep mutex unp (unp) r = 0 (0xfffffe0069bcfdc0) locked @ /home/markj/sb/main/src/sys/kern/uipc_usrreq.c:391
db> show malloc
              Type        InUse        MemUse     Requests
            linker          233         3900K          258
         sysctloid        30950         1821K        30994
            newblk         1901         1499K         1981
              kobj          328         1312K          549
            devbuf         1333         1138K         1363
          vfscache            3         1025K            3
          inodedep           52          532K           64
               pcb           17          525K           44
         ufs_quota            1          512K            1
          vfs_hash            1          512K            1
           callout            2          512K            2
              intr            4          472K            4
         vnet_data            2          224K            2
          acpitask            1          224K            1
            KTRACE          100          200K          100
           subproc           89          153K          991
            bus-sc           31          148K         1014
           tidhash            3          141K            3
              SWAP            1          132K            1
           pagedep           14          132K           21
        tfo_ccache            1          128K            1
          IP reass            1          128K            1
               sem            4          106K            4
        gtaskqueue           18           98K           18
            DEVFS1           94           94K          103
              vmem            5           78K            5
               bus          970           78K         3390
          mtx_pool            3           74K            3
          syncache            1           68K            1
     NFSD srvcache            3           68K            3
       ddb_capture            1           64K            1
            module          504           63K          504
            acpica          420           39K        59430
              temp           19           37K         1574
               LRO            2           33K            2
         hostcache            1           32K            1
               shm            1           32K            1
               msg            4           30K            4
            DEVFS3          117           30K          124
           kdtrace          137           29K         1067
              umtx          224           28K          224
            kbdmux            5           28K            5
        DEVFS_RULE           61           22K           61
               BPF           10           18K           10
           ithread           92           17K           92
              GEOM          106           17K          690
         ufs_mount            4           17K            5
              proc            3           17K            3
           devstat            6           13K            6
      eventhandler          138           12K          138
              rman           99           12K          529
              kenv           92           12K           92
            ifaddr           29           11K           29
          routetbl           42           10K          125
               rpc            8            9K            8
         bmsafemap            2            9K           59
              UART           12            9K           12
             shmfd            1            8K            1
       pfs_vncache            1            8K            1
     audit_evclass          239            8K          301
         taskqueue           59            7K          140
         pfs_nodes           22            6K           22
       ufs_dirhash           27            6K           27
            sglist            3            6K            3
            kqueue           36            5K          938
              cred           17            5K          360
             ifnet            3            5K            3
               UMA          247            5K          247
           io_apic            1            4K            1
               tty            4            4K            4
          filedesc            1            4K            1
             evdev            4            4K            4
            diradd           30            4K           69
            plimit           10            4K          286
           lltable           10            3K           10
           acpidev           22            3K           22
           acpisem           21            3K           21
             hhook            8            3K           10
           uidinfo            3            3K            8
        local_apic            1            2K            1
         ipsec-saq            2            2K            2
             clone            8            2K            8
           pwddesc           32            2K          935
           CAM DEV            1            2K            2
             selfd           30            2K        12294
         proc-args           52            2K         1899
         toponodes            7            2K            7
           session           14            2K           29
               msi           13            2K           13
         in6_multi           15            2K           15
             lockf           15            2K           18
          pci_link           16            2K           16
            select           12            2K           68
            Unitno           25            2K           37
             mount           31            2K          156
       ether_multi           17            2K           17
         CAM queue            2            2K            5
           softdep            1            1K            1
             mkdir            8            1K           12
       ipsecpolicy            1            1K            1
            sahead            1            1K            1
          secasvar            1            1K            1
       vnodemarker            2            1K            8
      NFSD session            1            1K            1
            dirrem            3            1K           20
          indirdep            3            1K            4
             nhops            6            1K            6
              pfil            6            1K            6
            crypto            4            1K            4
            dumper            2            1K            2
               osd            8            1K           46
           CAM XPT           11            1K           12
         newdirblk            4            1K            6
          in_multi            2            1K            2
          procdesc            4            1K           23
              cdev            2            1K            2
       lkpikmalloc            8            1K            9
 encap_export_host            8            1K            8
            ip6ndp            3            1K            3
            CC Mem            3            1K            7
    chacha20random            1            1K            1
            biobuf            1            1K            1
        CAM periph            2            1K           14
            prison           10            1K           10
             DEVFS           10            1K           11
               MCA            2            1K            2
          freefile            2            1K            4
               mld            2            1K            2
              igmp            2            1K            2
            vnodes            1            1K            1
            isadev            2            1K            3
      NFSD lckfile            1            1K            1
     NFSD V4client            1            1K            1
            feeder            7            1K            7
       inpcbpolicy            6            1K           94
        loginclass            3            1K            7
            apmdev            1            1K            1
          atkbddev            2            1K            2
         vm_pgdata            1            1K            1
           netlink            1            1K          110
          pmchooks            1            1K            1
            DEVFSP            2            1K            2
           CAM SIM            1            1K            1
            soname            4            1K          990
          filecaps            4            1K          157
          nexusdev            6            1K            6
           tcpfunc            1            1K            1
              vnet            1            1K            1
          sendfile            1            1K            1
               pmc            1            1K            1
          acpiintr            1            1K            1
     CAM dev queue            1            1K            1
              cpus            2            1K            2
    vnet_data_free            1            1K            1
           Per-cpu            1            1K            1
             cache            1            1K            1
           entropy            1            1K           85
          CAM path            1            1K           12
       fdesc_mount            1            1K            1
          freework            1            1K            7
          p1003.1b            1            1K            1
    p9fs_mount_tag            0            0K            0
               uio            0            0K            0
        p9fs_mount            0            0K            0
         p9_client            0            0K            0
        madt_table            0            0K            2
          smartpqi            0            0K            0
               ixl            0            0K            0
        ice-resmgr            0            0K            0
         ice-osdep            0            0K            0
               ice            0            0K            0
              iavf            0            0K            0
             axgbe            0            0K            0
           memdesc            0            0K            0
       fpukern_ctx            0            0K            0
          xen_intr            0            0K            0
           xen_hvm            0            0K            0
         legacydrv            0            0K            0
      NMI handlers            0            0K            0
            bounce            0            0K            0
            busdma            0            0K            0
            qpidrv            0            0K            0
      dmar_idpgtbl            0            0K            0
          dmar_dom            0            0K            0
          dmar_ctx            0            0K            0
      amdiommu_dom            0            0K            0
      amdiommu_ctx            0            0K            0
              isci            0            0K            0
      iommu_dmamap            0            0K            0
     hyperv_socket            0            0K            0
           bxe_ilt            0            0K            0
        aesni_data            0            0K            0
            xenbus            0            0K            0
     vm_fictitious            0            0K            0
           UMAHash            0            0K            0
           jblocks            0            0K            0
          savedino            0            0K            0
          sentinel            0            0K            0
            jfsync            0            0K            0
            jtrunc            0            0K            0
             sbdep            0            0K            2
           jsegdep            0            0K            0
              jseg            0            0K            0
         jfreefrag            0            0K            0
          jfreeblk            0            0K            0
           jnewblk            0            0K            0
            jmvref            0            0K            0
           jremref            0            0K            0
           jaddref            0            0K            0
           freedep            0            0K            0
          freeblks            0            0K            6
          freefrag            0            0K            1
        allocindir            0            0K            0
       allocdirect            0            0K            0
          ufs_trim            0            0K            0
           mactemp            0            0K            0
     audit_trigger            0            0K            0
 audit_pipe_presel            0            0K            0
     audit_pipeent            0            0K            0
        audit_pipe            0            0K            0
      audit_evname            0            0K            0
         audit_bsm            0            0K            0
      audit_gidset            0            0K            0
        audit_text            0            0K            0
        audit_path            0            0K            0
        audit_data            0            0K            0
        audit_cred            0            0K            0
          ktls_ocf            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
      MLX5E_TLS_RX            0            0K            0
        MLX5EEPROM            0            0K            0
         MLX5E_TLS            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
            MLX5EN            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
          MLX5DUMP            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
       simple_attr            0            0K            0
          seq_file            0            0K            0
           lkpiskb            0            0K            0
             radix            0            0K            0
               idr            0            0K            0
          lkpindev            0            0K            0
           lkpimhi            0            0K            0
            lkpifw            0            0K            0
         lkpi80211            0            0K            0
               NLM            0            0K            0
    ipsec-spdcache            0            0K            0
         ipsec-reg            0            0K            0
        ipsec-misc            0            0K            0
      ipsecrequest            0            0K            0
            ip6opt            0            0K            0
       ip6_msource            0            0K            0
      ip6_moptions            0            0K            0
       in6_mfilter            0            0K            0
             frag6            0            0K            0
            tcplog            0            0K            0
        ip_msource            0            0K            0
       ip_moptions            0            0K            0
        in_mfilter            0            0K            0
              ipid            0            0K            0
         80211scan            0            0K            0
      80211ratectl            0            0K            0
        80211power            0            0K            0
       80211nodeie            0            0K            0
         80211node            0            0K            0
      80211mesh_gt            0            0K            0
      80211mesh_rt            0            0K            0
         80211perr            0            0K            0
         80211prep            0            0K            0
         80211preq            0            0K            0
          80211dfs            0            0K            0
       80211crypto            0            0K            0
          80211vap            0            0K            0
             iflib            0            0K            0
              vlan            0            0K            0
               tun            0            0K            0
               gif            0            0K            0
           ifdescr            0            0K            0
              zlib            0            0K            4
           fadvise            0            0K            0
           VN POLL            0            0K            0
            statfs            0            0K           17
     namei_tracker            0            0K            0
       export_host            0            0K            0
        cl_savebuf            0            0K            4
               aio            0            0K            0
               lio            0            0K            0
               acl            0            0K            0
          mbuf_tag            0            0K            0
              ktls            0            0K            0
              accf            0            0K            0
               pts            0            0K            0
           timerfd            0            0K            0
               iov            0            0K         6505
          ioctlops            0            0K           70
           eventfd            0            0K            0
           Witness            0            0K            0
          terminal            0            0K            0
             stack            0            0K            0
              sbuf            0            0K          481
          firmware            0            0K            0
        compressor            0            0K            0
         sysctltmp            0            0K          528
            sysctl            0            0K           37
              ekcd            0            0K            0
              rctl            0            0K            0
          kcovinfo            0            0K            0
      prison_racct            0            0K            0
       Fail Points            0            0K            0
             sigio            0            0K            1
filedesc_to_leader            0            0K            0
               pwd            0            0K            0
       tty console            0            0K            0
         boottrace            0            0K            0
        isofs_node            0            0K            0
       isofs_mount            0            0K            0
     tr_raid5_data            0            0K            0
    tr_raid1e_data            0            0K            0
     tr_raid1_data            0            0K            0
     tr_raid0_data            0            0K            0
    tr_concat_data            0            0K            0
       md_sii_data            0            0K            0
   md_promise_data            0            0K            0
    md_nvidia_data            0            0K            0
   md_jmicron_data            0            0K            0
     md_intel_data            0            0K            0
       md_ddf_data            0            0K            0
         raid_data            0            0K          108
     geom_flashmap            0            0K            0
         tmpfs dir            0            0K            0
        tmpfs name            0            0K            0
       tmpfs mount            0            0K            0
     tmpfs extattr            0            0K            0
           NFS FHA            0            0K            0
         newnfsmnt            0            0K            0
  newnfsclient_req            0            0K            0
   NFSCL layrecall            0            0K            0
     NFSCL session            0            0K            0
     NFSCL sockreq            0            0K            0
     NFSCL devinfo            0            0K            0
     NFSCL flayout            0            0K            0
      NFSCL layout            0            0K            0
     NFSD rollback            0            0K            0
      NFSCL diroff            0            0K            0
        NEWNFSnode            0            0K            0
         NFSCL lck            0            0K            0
      NFSCL lckown            0            0K            0
      NFSCL client            0            0K            0
       NFSCL deleg            0            0K            0
        NFSCL open            0            0K            0
       NFSCL owner            0            0K            0
            NFS fh            0            0K            0
           NFS req            0            0K            0
     NFSD usrgroup            0            0K            0
       NFSD string            0            0K            0
       NFSD V4lock            0            0K            0
      NFSD V4state            0            0K            0
       msdosfs_fat            0            0K            0
     msdosfs_mount            0            0K            0
      msdosfs_node            0            0K            0
            DEVFS4            0            0K            0
            DEVFS2            0            0K            0
            gntdev            0            0K            0
       privcmd_dev            0            0K            0
        evtchn_dev            0            0K            0
          xenstore            0            0K            0
               xnb            0            0K            0
          xen_acpi            0            0K            0
              xbbd            0            0K            0
               xbd            0            0K            0
           Balloon            0            0K            0
          sysmouse            0            0K            0
            vtfont            0            0K            0
                vt            0            0K            0
             vtbuf            0            0K            0
            pvscsi            0            0K            0
            USBdev            0            0K            0
               USB            0            0K            0
            twsbuf            0            0K            0
       tcp_log_dev            0            0K            0
      midi buffers            0            0K            0
             mixer            0            0K            0
              ac97            0            0K            0
             hdacc            0            0K            0
              hdac            0            0K            0
              hdaa            0            0K            0
       SIIS driver            0            0K            0
               PUC            0            0K            0
          ppbusdev            0            0K            0
            sr_iov            0            0K            0
               OCS            0            0K            0
               OCS            0            0K            0
              nvme            0            0K            0
               nvd            0            0K            0
            netmap            0            0K            0
            mwldev            0            0K            0
        MVS driver            0            0K            0
          mrsasbuf            0            0K            0
          mpt_user            0            0K            0
          mps_user            0            0K            0
            MPSSAS            0            0K            0
               mps            0            0K            0
          mpr_user            0            0K            0
            MPRSAS            0            0K            0
               mpr            0            0K            0
            mfibuf            0            0K            0
        md_sectors            0            0K            0
           md_disk            0            0K            0
           malodev            0            0K            0
               LED            0            0K            0
          ix_sriov            0            0K            0
                ix            0            0K            0
            ipsbuf            0            0K            0
         ciss_data            0            0K            0
         BACKLIGHT            0            0K            0
           ath_hal            0            0K            0
            athdev            0            0K            0
           ata_pci            0            0K            0
           ata_dma            0            0K            0
       ata_generic            0            0K            0
       AHCI driver            0            0K            0
               agp            0            0K            0
           acpipwr            0            0K            0
         acpi_perf            0            0K            0
         acpicmbat            0            0K            0
        aacraidcam            0            0K            0
       aacraid_buf            0            0K            0
            aaccam            0            0K            0
            aacbuf            0            0K            0
              zstd            0            0K            0
            XZ_DEC            0            0K            0
            nvlist            0            0K            0
          SCSI ENC            0            0K            0
           SCSI sa            0            0K            0
         scsi_pass            0            0K            0
           scsi_da            0            0K            0
            ata_da            0            0K            0
           scsi_ch            0            0K            0
           scsi_cd            0            0K            0
           nvme_da            0            0K            0
           CAM CCB            0            0K            0
     CAM ccb queue            0            0K            0
 CAM I/O Scheduler            0            0K            0
db> show uma
              Zone   Size    Used    Free    Requests  Sleeps  Bucket  Total Mem    XFree
   mbuf_jumbo_page   4096    1088     944       44462       0     254    8323072        0
          BUF TRIE    152     271   11585        1026       0      62    1802112        0
       malloc-4096   4096     366       4        1539       0       2    1515520        0
        malloc-128    128   10192     162       10271       0     126    1325312        0
              mbuf    256    1348    1203       68166       0     254     653056        0
              pbuf   2624       0     216           0       0       2     566784        0
        RADIX NODE    152    3023     664       40028       0      62     560424        0
        malloc-512    512    1025      55        1031       0      30     552960        0
        malloc-256    256    1903     152        1983       0      62     526080        0
            socket   1024      24     484        1130       0     254     520192        0
      mbuf_cluster   2048     254       0         254       0     254     520192        0
          lkpicurr    168       2    3094           2       0      62     520128        0
      malloc-65536  65536       5       2          16       0       1     458752        0
       UMA Slabs 0    112    3364      14        3364       0     126     378336        0
         vmem btag     56    6654      81        6654       0     254     377160        0
       malloc-2048   2048     132      12         139       0       8     294912        0
         VM OBJECT    264     889      71       14203       0      30     253440        0
       malloc-2048   2048     103      17         140       0       8     245760        0
        256 Bucket   2048      99      21         775       0       8     245760        0
             VNODE    440     513      27         519       0      30     237600        0
         malloc-64     64    3392     199        3445       0     254     229824        0
         malloc-16     16   13046     454       13267       0     254     216000        0
            THREAD   1824     103       9         131       0       8     204288        0
            DEVCTL   1024       0     192          91       0       0     196608        0
            lkpimm     56       1    3095           1       0     254     173376        0
         UMA Zones    768     219       0         219       0      16     168192        0
             unpcb    320      17     499        1008       0     254     165120        0
         malloc-32     32    4680     234        4771       0     254     157248        0
       FFS2 dinode    256     488      82         492       0      62     145920        0
      malloc-65536  65536       2       0           2       0       1     131072        0
      malloc-32768  32768       4       0           4       0       1     131072        0
       malloc-1024   1024     107      21        1038       0      16     131072        0
       S VFS Cache    104     924     246         963       0     126     121680        0
         MAP ENTRY     96     924     336       49552       0     126     120960        0
          ksiginfo    112      39    1005          69       0     126     116928        0
        malloc-128    128     828      71         859       0     126     115072        0
         FFS inode    200     488      72         492       0      62     112000        0
      malloc-32768  32768       3       0           3       0       1      98304        0
      malloc-32768  32768       2       1           8       0       1      98304        0
     FPU_save_area    832     105      12         141       0      16      97344        0
        128 Bucket   1024      43      40         248       0      16      84992        0
        malloc-128    128     386     265         944       0     126      83328        0
          UMA Kegs    384     204       9         204       0      30      81792        0
        malloc-256    256     217      98         843       0      62      80640        0
              PROC   1376      32      23         934       0       8      75680        0
      malloc-65536  65536       0       1           2       0       1      65536        0
      malloc-65536  65536       1       0           1       0       1      65536        0
      malloc-65536  65536       1       0           1       0       1      65536        0
      malloc-65536  65536       0       1          44       0       1      65536        0
      malloc-65536  65536       1       0           1       0       1      65536        0
        malloc-256    256     144     111         278       0      62      65280        0
       mbuf_packet    256       0     254          61       0     254      65024        0
         filedesc0   1072      33      16         935       0       8      52528        0
         malloc-64     64     351     468         383       0     254      52416        0
         malloc-64     64     468     351        1010       0     254      52416        0
        malloc-128    128     235     168       27044       0     126      51584        0
         32 Bucket    256      54     141        5251       0      62      49920        0
           DIRHASH   1024      39       9          39       0      16      49152        0
             NAMEI   1024       0      48       11647       0      16      49152        0
      malloc-16384  16384       0       3           6       0       1      49152        0
      malloc-16384  16384       1       2           3       0       1      49152        0
           pcpu-64     64     459     309         459       0     254      49152        0
          syncache    168       0     264           5       0     254      44352        0
            vnpbuf   2624       1      15           1       0      16      41984        0
       malloc-8192   8192       5       0           5       0       1      40960        0
       malloc-4096   4096       8       2           8       0       2      40960        0
              pipe    736       5      50         420       0      16      40480        0
         64 Bucket    512      70       2        1457       0      30      36864        0
         udp_inpcb    408       2      88          86       0      30      36720        0
         malloc-64     64       2     565           2       0     254      36288        0
         malloc-64     64     184     383       13369       0     254      36288        0
         malloc-64     64      86     481        1986       0     254      36288        0
         malloc-64     64     176     391        7761       0     254      36288        0
         malloc-64     64      12     555          12       0     254      36288        0
        malloc-128    128      39     240          57       0     126      35712        0
        malloc-128    128      81     198         677       0     126      35712        0
        malloc-128    128      25     254        1206       0     126      35712        0
        malloc-128    128      13     266          13       0     126      35712        0
     routing nhops    256       7     128          12       0      62      34560        0
             g_bio    384       1      89        4976       0      30      34560        0
           ttyoutq    256      93      42         279       0      62      34560        0
        malloc-384    384      54      36          67       0      30      34560        0
        malloc-384    384      57      33          57       0      30      34560        0
        malloc-384    384      59      31         240       0      30      34560        0
        malloc-256    256      40      95         163       0      62      34560        0
        malloc-256    256      23     112         415       0      62      34560        0
        malloc-256    256      56      79         143       0      62      34560        0
        malloc-256    256       9     126         398       0      62      34560        0
        malloc-256    256      13     122          47       0      62      34560        0
      malloc-32768  32768       0       1           1       0       1      32768        0
      malloc-32768  32768       0       1          48       0       1      32768        0
      malloc-16384  16384       2       0           3       0       1      32768        0
       malloc-8192   8192       3       1           4       0       1      32768        0
       malloc-8192   8192       4       0           4       0       1      32768        0
       malloc-4096   4096       6       2         136       0       2      32768        0
       malloc-2048   2048       1      15          20       0       8      32768        0
       malloc-2048   2048       3      13           4       0       8      32768        0
       malloc-2048   2048       2      14           5       0       8      32768        0
       malloc-2048   2048       2      14         215       0       8      32768        0
       malloc-1024   1024       2      30          72       0      16      32768        0
       malloc-1024   1024       7      25           7       0      16      32768        0
       malloc-1024   1024      12      20          16       0      16      32768        0
       malloc-1024   1024       6      26           8       0      16      32768        0
       malloc-1024   1024      10      22          10       0      16      32768        0
        malloc-512    512       0      64         157       0      30      32768        0
        malloc-512    512       2      62          10       0      30      32768        0
        malloc-512    512       6      58          40       0      30      32768        0
        malloc-512    512      10      54          10       0      30      32768        0
            ttyinq    160     180      20         540       0      62      32000        0
              PGRP    120      14     250          29       0     126      31680        0
            pcpu-8      8    3258     326        3260       0     254      28672        0
           VMSPACE    584      18      31         922       0      16      28616        0
          4 Bucket     48       5     583           6       0     254      28224        0
         TURNSTILE    136     113      76         113       0      62      25704        0
            cpuset    200       7     121           7       0      62      25600        0
    ertt_txseginfo     40       1     605         592       0     254      24240        0
               PWD     40       8     598          64       0     254      24240        0
           rtentry    168      10     134          12       0      62      24192        0
             Files     80      79     221        7330       0     126      24000        0
          8 Bucket     80      37     263         231       0     126      24000        0
        malloc-384    384       1      59           5       0      30      23040        0
        malloc-384    384      14      46          20       0      30      23040        0
        malloc-384    384       6      54           9       0      30      23040        0
        malloc-384    384      16      44         292       0      30      23040        0
       Mountpoints   2816       3       5           3       0       4      22528        0
        SLEEPQUEUE     88     113     143         113       0     126      22528        0
            clpbuf   2624       0       8          64       0       4      20992        0
         hostcache     64       1     314           1       0     254      20160        0
         malloc-32     32      58     572          97       0     254      20160        0
         malloc-32     32      49     581          97       0     254      20160        0
         malloc-32     32      73     557         239       0     254      20160        0
         malloc-32     32      68     562         762       0     254      20160        0
         malloc-32     32      31     599        4911       0     254      20160        0
         malloc-32     32      21     609          32       0     254      20160        0
         16 Bucket    144      42      98         261       0      62      20160        0
          2 Bucket     32      47     583         288       0     254      20160        0
             KNOTE    160      11     114          31       0      62      20000        0
              vmem   1856       2       7           2       0       8      16704        0
 epoch_record pcpu    256       4      60           4       0      62      16384        0
      malloc-16384  16384       1       0           1       0       1      16384        0
      malloc-16384  16384       0       1          72       0       1      16384        0
      malloc-16384  16384       1       0           1       0       1      16384        0
       malloc-8192   8192       2       0           2       0       1      16384        0
       malloc-8192   8192       1       1          38       0       1      16384        0
       malloc-4096   4096       1       3           4       0       2      16384        0
       malloc-2048   2048       0       8          20       0       8      16384        0
       malloc-2048   2048       3       5           3       0       8      16384        0
       malloc-1024   1024       0      16         117       0      16      16384        0
       malloc-1024   1024       1      15           1       0      16      16384        0
        malloc-512    512       1      31           1       0      30      16384        0
        malloc-512    512       1      31           1       0      30      16384        0
           SMR CPU     32       8     503           8       0     254      16352        0
              kenv    258       2      58         697       0      30      15480        0
        SMR SHARED     24       8     503           8       0     254      12264        0
              ertt     72       3     165           7       0     126      12096        0
         malloc-32     32       7     371           7       0     254      12096        0
         malloc-16     16     269     481         299       0     254      12000        0
         malloc-16     16      24     726          55       0     254      12000        0
         malloc-16     16      24     726         290       0     254      12000        0
         malloc-16     16     193     557        3289       0     254      12000        0
         malloc-16     16      27     723       25944       0     254      12000        0
         malloc-16     16       9     741          11       0     254      12000        0
         tcp_inpcb   1304       3       6           7       0       8      11736        0
       L VFS Cache    320       0      36           1       0      30      11520        0
             ripcb    376       1      29           1       0      30      11280        0
       malloc-8192   8192       0       1          34       0       1       8192        0
       malloc-8192   8192       1       0           1       0       1       8192        0
       malloc-4096   4096       0       2           7       0       2       8192        0
       malloc-4096   4096       1       1           1       0       2       8192        0
       malloc-4096   4096       1       1           2       0       2       8192        0
           pcpu-16     16       8     504           8       0     254       8192        0
      vtnet_tx_hdr     24       1     166       22065       0     254       4008        0
       UMA Slabs 1    176       6      16           6       0      62       3872        0
        KMAP ENTRY     96       6      33           7       0       0       3744        0
             swblk    136       0       0           0       0      62          0        0
          swpctrie    152       0       0           0       0      62          0        0
       FFS1 dinode    128       0       0           0       0     126          0        0
            da_ccb    544       0       0           0       0      16          0        0
           ada_ccb    272       0       0           0       0      30          0        0
tfo_ccache_entries     80       0       0           0       0     126          0        0
               tfo      4       0       0           0       0     254          0        0
          sackhole     32       0       0           0       0     254          0        0
               ipq     56       0       0           0       0     254          0        0
   tcp_log_id_node    120       0       0           0       0     126          0        0
 tcp_log_id_bucket    176       0       0           0       0      62          0        0
           tcp_log    416       0       0           0       0     254          0        0
          tcpreass     48       0       0           0       0     254          0        0
     udplite_inpcb    408       0       0           0       0      30          0        0
    IPsec SA lft_c     16       0       0           0       0     254          0        0
            itimer    352       0       0           0       0      30          0        0
            AIOLIO    272       0       0           0       0      30          0        0
             AIOCB    552       0       0           0       0      16          0        0
               AIO    208       0       0           0       0      62          0        0
p9fs io_buffer zone   8192       0       0           0       0       1          0        0
 p9fs setattr zone     56       0       0           0       0     254          0        0
 p9fs getattr zone    160       0       0           0       0      62          0        0
    p9fs node zone    312       0       0           0       0      30          0        0
        TMPFS node    240       0       0           0       0      62          0        0
           NCLNODE    608       0       0           0       0      16          0        0
     LTS VFS Cache    360       0       0           0       0      30          0        0
     STS VFS Cache    144       0       0           0       0      62          0        0
     p9fs buf zone   8224       0       0           0       0       1          0        0
     p9fs req zone     16       0       0           0       0     254          0        0
     p9fs fid zone     56       0       0           0       0     254          0        0
     p9fs buf zone   8224       0       0           0       0       1          0        0
     p9fs req zone     16       0       0           0       0     254          0        0
     p9fs fid zone     56       0       0           0       0     254          0        0
           cryptop    280       0       0           0       0      30          0        0
  linux_dma_object     32       0       0           0       0     254          0        0
  linux_dma_pctrie    152       0       0           0       0      62          0        0
   IOMMU_MAP_ENTRY    112       0       0           0       0     126          0        0
    mbuf_jumbo_16k  16384       0       0           0       0     254          0        0
     mbuf_jumbo_9k   9216       0       0           0       0     254          0        0
      audit_record   1280       0       0           0       0       8          0        0
         domainset     40       0       0           0       0     254          0        0
        MAC labels     40       0       0           0       0     254          0        0
           nfspbuf   2624       0       0           0       0       4          0        0
    p9fs pbuf zone   2624       0       0           0       0       4          0        0
            swwbuf   2624       0       0           0       0       2          0        0
            swrbuf   2624       0       0           0       0       4          0        0
          umtx_shm     88       0       0           0       0     126          0        0
           umtx pi     96       0       0           0       0     126          0        0
rangeset pctrie nodes    152       0       0           0       0      62          0        0
          rl_entry     48       0       0           0       0     254          0        0
      malloc-65536  65536       0       0           0       0       1          0        0
      malloc-32768  32768       0       0           0       0       1          0        0
      malloc-32768  32768       0       0           0       0       1          0        0
      malloc-32768  32768       0       0           0       0       1          0        0
      malloc-16384  16384       0       0           0       0       1          0        0
      malloc-16384  16384       0       0           0       0       1          0        0
       malloc-8192   8192       0       0           0       0       1          0        0
       malloc-4096   4096       0       0           0       0       2          0        0
        malloc-512    512       0       0           0       0      30          0        0
        malloc-384    384       0       0           0       0      30          0        0
         malloc-16     16       0       0           0       0     254          0        0
           pcpu-32     32       0       0           0       0     254          0        0
            pcpu-4      4       0       0           0       0     254          0        0
            fakepg    104       0       0           0       0     126          0        0
          UMA Hash    256       0       0           0       0      62          0        0


Syzkaller reproducer:
# {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
# Create/open ./file0 read-write (0x206 = O_NONBLOCK|O_CREAT|O_RDWR per the C reproducer below); r0 is only used for the write.
r0 = open$dir(&(0x7f0000000b40)='./file0\x00', 0x206, 0x1e)
# One iovec of length 0x100000 (1 MiB); only the first two bytes (9a 95) are specified, the rest is whatever the data area holds.
writev(r0, &(0x7f00000003c0)=[{&(0x7f0000000000)="9a95", 0x100000}], 0x1)
# Second descriptor on the same file; this one is the sendfile source.
r1 = open$dir(&(0x7f0000000b40)='./file0\x00', 0x206, 0x1e)
# msdosfs mount request targeting ./file0; its result is not used by any later call.
# NOTE(review): ./file0 is a regular file at this point, so this presumably fails - confirm whether the call is needed to reproduce.
mount(&(0x7f0000000000)='msdosfs\x00', &(0x7f0000000080)='./file0\x00', 0x10000110, &(0x7f0000000040))
# AF_UNIX (0x1) / SOCK_STREAM (0x1) pair with protocol 0x67; r2 is the sendfile destination, r3 its peer.
socketpair(0x1, 0x1, 0x67, &(0x7f0000000040)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
# File-to-socket transfer starting at offset 0xffffe (two bytes below 0x100000), up to 0x2000 bytes, flags 0x11 = SF_NOCACHE|SF_NODISKIO.
sendfile(r1, r2, 0xffffe, 0x2000, 0x0, 0x0, 0x11)
# how=0 on the peer socket. The backtrace at the top of the report shows the panic on the I/O completion path
# (sendfile_iodone -> uipc_ready -> sbready), so this presumably runs before that completion - TODO confirm.
shutdown(r3, 0x0)


C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <unistd.h>

/*
 * Result slots for the descriptors produced in main(): r[0] and r[1] receive
 * the two open() results, r[2] and r[3] the socketpair() ends. Every slot
 * starts as all-ones, so a call whose producer failed is handed an invalid
 * descriptor value instead of a stale one.
 */
uint64_t r[4] = {
    [0] = UINT64_MAX,
    [1] = UINT64_MAX,
    [2] = UINT64_MAX,
    [3] = UINT64_MAX,
};

/*
 * Replays the syzkaller program above as raw syscalls, in the same order:
 * open, writev, open, mount, socketpair, sendfile, shutdown.
 *
 * All syscall arguments that are passed by pointer live at fixed addresses
 * inside one anonymous mapping created first. Return values are only
 * inspected to record descriptors in r[]; no call's failure stops the run.
 *
 * For triage: the backtrace at the top of the report places the panic in
 * sbready(), reached from sendfile_iodone() via uipc_ready() on the disk
 * I/O completion path, i.e. not in the thread executing this function.
 * A kernel carrying a fix is expected to let this program run to
 * "return 0" without panicking.
 */
int main(void)
{
  /* Fixed-address 16 MiB scratch region (MAP_FIXED) that backs every
   * hard-coded pointer used below. The mmap result is not checked. */
  syscall(SYS_mmap, /*addr=*/0x400000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul, /*fd=*/-1,
          /*offset=*/0ul);
  /* Generator scaffolding: 'reason' is never assigned or read. */
  const char* reason;
  (void)reason;
  intptr_t res = 0;
  /* Progress marker on stdout; the empty body only consumes write()'s
   * return value. */
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  /* Step 1: create/open ./file0 read-write; the descriptor goes to r[0]. */
  memcpy((void*)0x400000000b40, "./file0\000", 8);
  res = syscall(SYS_open, /*file=*/0x400000000b40ul,
                /*flags=O_NONBLOCK|O_CREAT|O_RDWR*/ 0x206ul,
                /*mode=S_IWOTH|S_IROTH|S_IXGRP|S_IWGRP*/ 0x1eul);
  if (res != -1)
    r[0] = res;
  /* Step 2: hand-built iovec at 0x4000000003c0: base pointer first, length
   * (0x100000 = 1 MiB) eight bytes later. Only two payload bytes are set
   * explicitly; the rest of the range is whatever the mapping holds at
   * this point, which includes the iovec and the path written above. */
  *(uint64_t*)0x4000000003c0 = 0x400000000000;
  memcpy((void*)0x400000000000, "\x9a\x95", 2);
  *(uint64_t*)0x4000000003c8 = 0x100000;
  syscall(SYS_writev, /*fd=*/r[0], /*vec=*/0x4000000003c0ul, /*vlen=*/1ul);
  /* Step 3: second descriptor on the same path, stored in r[1]; this is
   * the file side of the sendfile call below. */
  memcpy((void*)0x400000000b40, "./file0\000", 8);
  res = syscall(SYS_open, /*file=*/0x400000000b40ul,
                /*flags=O_NONBLOCK|O_CREAT|O_RDWR*/ 0x206ul,
                /*mode=S_IWOTH|S_IROTH|S_IXGRP|S_IWGRP*/ 0x1eul);
  if (res != -1)
    r[1] = res;
  /* Step 4: msdosfs mount request on ./file0. The type string overwrites
   * the start of the scratch region, and the result is ignored.
   * NOTE(review): ./file0 is the regular file created above, so this
   * presumably fails - confirm whether the call matters for the panic. */
  memcpy((void*)0x400000000000, "msdosfs\000", 8);
  memcpy((void*)0x400000000080, "./file0\000", 8);
  syscall(SYS_mount, /*type=*/0x400000000000ul, /*path=*/0x400000000080ul,
          /*flags=MNT_EXPORTED|MNT_NFS4ACLS|MNT_NOATIME*/ 0x10000110ul,
          /*data=*/0x400000000040ul);
  /* Step 5: AF_UNIX stream socket pair. The two descriptors are read back
   * as 32-bit values from 0x400000000040 and 0x400000000044. */
  res =
      syscall(SYS_socketpair, /*domain=AF_UNIX*/ 1ul, /*type=SOCK_STREAM*/ 1ul,
              /*proto=*/0x67, /*fds=*/0x400000000040ul);
  if (res != -1) {
    r[2] = *(uint32_t*)0x400000000040;
    r[3] = *(uint32_t*)0x400000000044;
  }
  /* Step 6: file-to-socket transfer from r[1] into socket r[2]. The offset
   * 0xffffe is two bytes below the 0x100000 length requested from writev,
   * and nbytes is 0x2000. No header/trailer and no sbytes out-pointer. */
  syscall(SYS_sendfile, /*fd=*/r[1], /*s=*/r[2], /*offset=*/0xffffeul,
          /*nbytes=*/0x2000ul, /*hdtr=*/0ul, /*sbytes=*/0ul,
          /*flags=SF_NOCACHE|SF_NODISKIO*/ 0x11ul);
  /* Step 7: shutdown with how=0 on the peer end r[3], issued right after
   * sendfile returns. Presumably this lands before the sendfile I/O
   * completion seen in the backtrace - TODO confirm ordering. */
  syscall(SYS_shutdown, /*fd=*/r[3], /*how=*/0ul);
  return 0;
}


