On Sat, Dec 27, 2025 at 10:26:58AM +0100, Martin Pieuchot wrote:
> On 26/12/25(Fri) 13:36, Alexander Bluhm wrote:
> > On Fri, Dec 26, 2025 at 01:02:17PM +0100, Alexander Bluhm wrote:
> > > Anyway. Currently I cannot reproduce. I will keep an eye on it.
> > > I will use the diff below if it happens again.
> >
> > And just after writing this, I hit the crash.
>
> Thanks Alexander, so this confirms the race with uvm_pagefree().
>
> Here's the full diff. Would you please try to reproduce the panic with
> it and hopefully report the next bug?
Here we go
[-- MARK -- Sat Dec 27 17:30:00 2025]
panic: uvm_fault(0xd1062cb0, 0xfffff000, 0, 1) -> e
Stopped at db_enter+0x4: popl %ebp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
238764 12784 21 0x2 0 6 c++
372094 9406 21 0x2 0 8 c++
336133 51102 21 0x2 0 2 c++
12534 21098 21 0x2 0 11 c++
378160 24125 21 0x2 0 7 c++
260192 67324 21 0x2 0 3 c++
102433 66011 21 0x2 0 0 c++
503366 54483 21 0x2 0 10 c++
448239 3215 21 0x2 0 5 c++
252470 65378 21 0x2 0 4 c++
212092 95763 21 0x2 0 9 c++
*360711 17945 0 0x14000 0x200 1K pagedaemon
db_enter() at db_enter+0x4
panic(d0ccc359) at panic+0x7a
kpageflttrap(f68981ac,ffffffff) at kpageflttrap+0x133
trap(f68981ac) at trap+0x255
calltrap() at calltrap+0xc
uvmpd_scan_active(0,0,16c96) at uvmpd_scan_active+0x73
uvm_pageout(d6c54354) at uvm_pageout+0x381
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> x/s version
version: OpenBSD 7.8-current (GENERIC.MP) #0: Sat Dec 27 15:19:29 CET
2025\012
[email protected]:/usr/src/sys/arch/i386/compile/GENERIC.MP\012
ddb{1}> show panic
*cpu1: uvm_fault(0xd1062cb0, 0xfffff000, 0, 1) -> e
ddb{1}> trace
db_enter() at db_enter+0x4
panic(d0ccc359) at panic+0x7a
kpageflttrap(f68981ac,ffffffff) at kpageflttrap+0x133
trap(f68981ac) at trap+0x255
calltrap() at calltrap+0xc
uvmpd_scan_active(0,0,16c96) at uvmpd_scan_active+0x73
uvm_pageout(d6c54354) at uvm_pageout+0x381
ddb{1}> show register
ds 0x10
es 0x10
fs 0x20
gs 0
edi 0xd0ccc359 gen12_xcs_offsets+0x126ab
esi 0
ebp 0xf6898124
ebx 0xf6537618
edx 0x10
ecx 0xe3e0c8e5
eax 0x34
eip 0xd0b11724 db_enter+0x4
cs 0x8
eflags 0x202
esp 0xf6898124
ss 0x10
db_enter+0x4: popl %ebp
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
12784 238764 4051 21 7 0x2 c++
4051 213853 85486 21 3 0x10008a sigsusp sh
9406 372094 22410 21 7 0x2 c++
22410 107219 85486 21 3 0x10008a sigsusp sh
51102 336133 81592 21 7 0x2 c++
81592 37797 85486 21 3 0x10008a sigsusp sh
21098 12534 84211 21 7 0x2 c++
84211 299556 85486 21 3 0x10008a sigsusp sh
33749 488796 62197 21 2 0x2 c++
62197 364671 85486 21 3 0x10008a sigsusp sh
24125 378160 11120 21 7 0x2 c++
11120 325616 85486 21 3 0x10008a sigsusp sh
67324 260192 75115 21 7 0x2 c++
75115 448053 85486 21 3 0x10008a sigsusp sh
66011 102433 83873 21 7 0x2 c++
83873 468587 85486 21 3 0x10008a sigsusp sh
54483 503366 73861 21 7 0x2 c++
73861 310239 85486 21 3 0x10008a sigsusp sh
3215 448239 79094 21 7 0x2 c++
79094 219200 85486 21 3 0x10008a sigsusp sh
3543 508184 53789 21 2 0x2 c++
53789 424449 85486 21 3 0x10008a sigsusp sh
65378 252470 86113 21 7 0x2 c++
86113 398428 85486 21 3 0x10008a sigsusp sh
95763 212092 34350 21 7 0x2 c++
34350 103305 85486 21 3 0x10008a sigsusp sh
85486 110176 30854 21 3 0x10008a sigsusp make
30854 119143 73547 21 3 0x10008a sigsusp sh
73547 89054 93784 21 3 0x10008a sigsusp make
93784 435435 83110 21 3 0x10008a sigsusp sh
83110 265241 16382 21 3 0x10008a sigsusp make
16382 180370 81296 21 3 0x10008a sigsusp sh
81296 435718 97144 21 3 0x10008a sigsusp make
97144 355538 11288 21 3 0x10008a sigsusp sh
11288 355670 27429 21 3 0x10008a sigsusp make
27429 201215 93112 0 3 0x10008a sigsusp sh
93112 331941 35323 0 3 0x10008a sigsusp make
35323 416785 80900 0 3 0x10008a sigsusp make
80900 187117 5980 0 3 0x10008a sigsusp ksh
5980 167754 43828 0 3 0x98 kqread sshd-session
43828 291370 50168 0 3 0x92 kqread sshd-session
89616 161876 1 0 3 0x100083 ttyin getty
72202 418999 1 0 3 0x100083 ttyin getty
65297 163030 1 0 3 0x100083 ttyin getty
81677 312671 1 0 3 0x100083 ttyin getty
45562 244775 1 0 3 0x100083 ttyin getty
25349 74048 1 0 3 0x100083 ttyin getty
46945 456895 1 0 3 0x100098 kqread cron
56940 252653 1 99 3 0x1100090 kqread sndiod
26844 489638 1 110 3 0x100090 kqread sndiod
42269 302664 1 0 3 0x100090 kqread inetd
5838 28358 25939 95 3 0x1100092 kqread smtpd
30624 500215 25939 103 3 0x1100092 kqread smtpd
26555 86424 25939 95 3 0x1100092 kqread smtpd
65778 102047 25939 95 3 0x100092 kqread smtpd
92218 312921 25939 95 3 0x1100092 kqread smtpd
82791 512923 25939 95 3 0x1100092 kqread smtpd
25939 388888 1 0 3 0x100080 kqread smtpd
62734 41546 47766 91 3 0x92 kqread snmpd_metrics
77825 423892 47766 91 3 0x1100092 kqread snmpd
47766 453332 1 0 3 0x100080 kqread snmpd
50168 169122 1 0 3 0x88 kqread sshd
25952 110899 0 0 3 0x14280 nfsidl nfsio
56170 36448 0 0 3 0x14280 nfsidl nfsio
8945 294726 0 0 3 0x14280 nfsidl nfsio
80024 393674 0 0 3 0x14280 nfsidl nfsio
91415 318889 1 0 3 0x100080 kqread ntpd
54732 235575 73799 83 3 0x100092 kqread ntpd
73799 24049 1 83 3 0x1100092 kqread ntpd
66385 72109 7458 73 3 0x1100090 kqread syslogd
7458 65342 1 0 3 0x100082 sbwait syslogd
72862 110841 43575 77 3 0x100092 kqread dhcpleased
14385 488034 43575 77 3 0x100092 kqread dhcpleased
43575 397003 1 0 3 0x80 kqread dhcpleased
93099 511005 51357 115 3 0x100092 kqread slaacd
75452 456931 51357 115 3 0x100092 kqread slaacd
51357 342819 1 0 3 0x100080 kqread slaacd
9464 225208 0 0 3 0x14200 bored smr
86578 63328 0 0 3 0x14200 pgzero zerothread
66697 457782 0 0 3 0x14200 aiodoned aiodoned
44393 486560 0 0 3 0x14200 syncer update
98036 383847 0 0 3 0x14200 cleaner cleaner
71708 462528 0 0 3 0x14200 reaper reaper
*17945 360711 0 0 7 0x14200 pagedaemon
4301 303900 0 0 3 0x14200 bored wsdisplay0
796 405448 0 0 3 0x14200 usbtsk usbtask
44518 38373 0 0 3 0x14200 usbatsk usbatsk
15283 479938 0 0 3 0x14200 bored sensors
63177 488100 0 0 3 0x40014200 acpi0 acpi0
20968 160366 0 0 3 0x40014200 idle11
19728 215232 0 0 3 0x40014200 idle10
71014 15196 0 0 3 0x40014200 idle9
97392 464361 0 0 3 0x40014200 idle8
19767 363415 0 0 3 0x40014200 idle7
62621 385821 0 0 3 0x40014200 idle6
3113 452665 0 0 3 0x40014200 idle5
58169 521026 0 0 3 0x40014200 idle4
33472 395004 0 0 3 0x40014200 idle3
12536 28550 0 0 3 0x40014200 idle2
54821 503470 0 0 3 0x40014200 idle1
53735 449146 0 0 3 0x14200 bored softnet7
7849 378194 0 0 3 0x14200 bored softnet6
62796 205930 0 0 3 0x14200 bored softnet5
56329 445222 0 0 3 0x14200 bored softnet4
6686 311403 0 0 3 0x14200 bored softnet3
67645 116100 0 0 3 0x14200 bored softnet2
35367 331756 0 0 3 0x14200 bored softnet1
54136 439842 0 0 2 0x14200 softnet0
15611 30884 0 0 3 0x14200 bored systqmp
57318 205513 0 0 3 0x14200 bored systq
66284 76449 0 0 3 0x14200 tmoslp softclockmp
8377 50174 0 0 3 0x40014200 tmoslp softclock
32442 151525 0 0 3 0x40014200 idle0
59669 237502 0 0 3 0x14200 kmalloc kmthread
1 390799 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show uvm
Current UVM status:
pagesize=4096 (0x1000), pagemask=0xfff, pageshift=12
765674 VM pages: 497737 active, 153841 inactive, 1 wired, 37586 free (23552
zero)
freemin=25522, free-target=34029, inactive-target=217895, wired-max=255224
faults=161033203, traps=163065595, intrs=2949958, ctxswitch=42707746
fpuswitch=371666
softint=2958690, syscalls=180863877, kmapent=12
fault counts:
noram=473123, noanon=0, noamap=0, pgwait=1, pgrele=0
relocks=2528054(5458), upgrades=0(0) anget(retries)=85534611(2069135),
amapcopy=8118949
neighbor anon/obj pg=7517858/112345273, gets(lock/unlock)=39409237/466506
cases: anon=83928397, anoncow=1606158, obj=38593561, prcopy=808089,
przero=36098046
daemon and swap counts:
woke=171426, revs=171302, scans=57590039, obscans=141940, anscans=30837600
busy=0, freed=2018143, reactivate=26610450, deactivate=31879489
pageouts=51586729, pending=699290, nswget=1772171
nswapdev=1
swpages=849685, swpginuse=44327, swpgonly=43251 paging=0
kernel pointers:
objs(kern)=0xd0fc3e3c
ddb{0}> trace
db_enter() at db_enter+0x4
i386_ipi_handler() at i386_ipi_handler+0x3f
Xipi_untramp() at Xipi_untramp+0xc2
_kernel_lock() at _kernel_lock+0x80
softintr_dispatch(0) at softintr_dispatch+0xb7
Xsoftclock() at Xsoftclock+0x12
end of kernel
*66011 102433 83873 21 7 0x2 c++
ddb{2}> trace
db_enter() at db_enter+0x4
i386_ipi_handler() at i386_ipi_handler+0x3f
Xipi_untramp() at Xipi_untramp+0xc2
_kernel_lock() at _kernel_lock+0x90
doopenat(fb7ffb88,ffffff9c,cf7d7e5c,10000,0,f6d66c38) at doopenat+0x175
sys_open(fb7ffb88,f6d66c40,f6d66c38) at sys_open+0x1b
syscall(f6d66c80) at syscall+0x57b
Xsyscall_untramp() at Xsyscall_untramp+0xa9
end of kernel
*51102 336133 81592 21 7 0x2 c++
ddb{3}> trace
db_enter() at db_enter+0x4
i386_ipi_handler() at i386_ipi_handler+0x3f
Xipi_untramp() at Xipi_untramp+0xc2
end of kernel
*67324 260192 75115 21 7 0x2 c++
ddb{4}> trace
db_enter() at db_enter+0x4
i386_ipi_handler() at i386_ipi_handler+0x3f
Xipi_untramp() at Xipi_untramp+0xc2
end of kernel
*65378 252470 86113 21 7 0x2 c++
ddb{5}> trace
db_enter() at db_enter+0x4
i386_ipi_handler() at i386_ipi_handler+0x3f
Xipi_untramp() at Xipi_untramp+0xc2
end of kernel
* 3215 448239 79094 21 7 0x2 c++
ddb{6}> trace
db_enter() at db_enter+0x4
i386_ipi_handler() at i386_ipi_handler+0x3f
Xipi_untramp() at Xipi_untramp+0xc2
_kernel_lock() at _kernel_lock+0x90
doopenat(f77624f4,ffffff9c,cf7ecd6c,10000,0,def98a08) at doopenat+0x175
sys_open(f77624f4,def98a10,def98a08) at sys_open+0x1b
syscall(def98a50) at syscall+0x57b
Xsyscall_untramp() at Xsyscall_untramp+0xa9
end of kernel
*12784 238764 4051 21 7 0x2 c++
ddb{7}> trace
db_enter() at db_enter+0x4
i386_ipi_handler() at i386_ipi_handler+0x3f
Xipi_untramp() at Xipi_untramp+0xc2
_kernel_lock() at _kernel_lock+0x90
doopenat(f7a3dad8,ffffff9c,cf7cd8dc,10000,0,def28848) at doopenat+0x175
sys_open(f7a3dad8,def28850,def28848) at sys_open+0x1b
syscall(def28890) at syscall+0x57b
Xsyscall_untramp() at Xsyscall_untramp+0xa9
end of kernel
*24125 378160 11120 21 7 0x2 c++
ddb{8}> trace
db_enter() at db_enter+0x4
i386_ipi_handler() at i386_ipi_handler+0x3f
Xipi_untramp() at Xipi_untramp+0xc2
_kernel_lock() at _kernel_lock+0x86
dofstatat(d683e024,ffffff9c,cf7c85e4,cf7c856c,0) at dofstatat+0x73
sys_stat(d683e024,def58340,def58338) at sys_stat+0x17
syscall(def58380) at syscall+0x57b
Xsyscall_untramp() at Xsyscall_untramp+0xa9
end of kernel
* 9406 372094 22410 21 7 0x2 c++
ddb{9}> trace
db_enter() at db_enter+0x4
i386_ipi_handler() at i386_ipi_handler+0x3f
Xipi_untramp() at Xipi_untramp+0xc2
end of kernel
*95763 212092 34350 21 7 0x2 c++
ddb{10}> trace
db_enter() at db_enter+0x4
i386_ipi_handler() at i386_ipi_handler+0x3f
Xipi_untramp() at Xipi_untramp+0xc2
_kernel_lock() at _kernel_lock+0x90
uvn_io(d6c49784,f6b59e48,1,202,0) at uvn_io+0x1a3
uvn_get(d6c49784,53aa000,0,f6b59ea0,f6b59e9c,0,4,0) at uvn_get+0x16d
uvm_fault_lower_io(f6b59f40,f6b59f14,f6b59ee4,f6b59ee0) at
uvm_fault_lower_io+0x221
uvm_fault_lower(f6b59f40,f6b59f14,f6b59f5c) at uvm_fault_lower+0x26c
uvm_fault(f702484c,57ab000,0,4) at uvm_fault+0x1a1
upageflttrap(f6b5a050,57ab9c0) at upageflttrap+0x55
trap(f6b5a050) at trap+0x1e9
calltrap() at calltrap+0xc
end of kernel
*54483 503366 73861 21 7 0x2 c++
ddb{11}> trace
db_enter() at db_enter+0x4
i386_ipi_handler() at i386_ipi_handler+0x3f
Xipi_untramp() at Xipi_untramp+0xc2
_kernel_lock() at _kernel_lock+0x90
doopenat(fb7ff1b0,ffffff9c,cf7c7adc,10000,0,f6aff828) at doopenat+0x175
sys_open(fb7ff1b0,f6aff830,f6aff828) at sys_open+0x1b
syscall(f6aff870) at syscall+0x57b
Xsyscall_untramp() at Xsyscall_untramp+0xa9
end of kernel
*21098 12534 84211 21 7 0x2 c++
