I received the following from syzkaller. I think it's related to posix_openpt, but don't have a reproducer. I have the kernel and core dump.

Fatal trap 9: general protection fault while in kernel mode
cpuid = 0; apic id = 00
instruction pointer     = 0x20:0xffffffff81001008
stack pointer           = 0x28:0xfffffe000c95a870
frame pointer           = 0x28:0xfffffe000c95a8c0
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi4: clock (0))
trap number             = 9
panic: general protection fault
cpuid = 0
time = 1558476172
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe000c95a540
vpanic() at vpanic+0x1e0/frame 0xfffffe000c95a5a0
panic() at panic+0x43/frame 0xfffffe000c95a600
trap_fatal() at trap_fatal+0x4c6/frame 0xfffffe000c95a680
trap() at trap+0xba/frame 0xfffffe000c95a7a0
calltrap() at calltrap+0x8/frame 0xfffffe000c95a7a0
--- trap 0x9, rip = 0xffffffff81001008, rsp = 0xfffffe000c95a870, rbp = 0xfffffe000c95a8c0 ---
__mtx_lock_flags() at __mtx_lock_flags+0x98/frame 0xfffffe000c95a8c0
constty_timeout() at constty_timeout+0x36/frame 0xfffffe000c95a8e0
softclock_call_cc() at softclock_call_cc+0x1dd/frame 0xfffffe000c95a9b0
softclock() at softclock+0xa3/frame 0xfffffe000c95a9f0
ithread_loop() at ithread_loop+0x2f2/frame 0xfffffe000c95aa60
fork_exit() at fork_exit+0xb0/frame 0xfffffe000c95aab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe000c95aab0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
Uptime: 1m0s
netdump: overwriting mbuf zone pointers
netdump in progress. searching for server...
netdumping to 169.254.0.1 (02:82:93:04:a7:00)
Dumping 101 out of 465 MB:..16%..32%..48%..64%..80%..95%

__curthread () at /usr/home/andrew/head-git/sys/amd64/include/pcpu.h:246
246             __asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (OFFSETOF_CURTHREAD));
(kgdb) bt
#0  __curthread () at /usr/home/andrew/head-git/sys/amd64/include/pcpu.h:246
#1  doadump (textdump=1) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:383
#2  0xffffffff81032217 in kern_reboot (howto=260) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:470
#3  0xffffffff81032825 in vpanic (fmt=<optimized out>, ap=<optimized out>) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:896
#4  0xffffffff81032473 in panic (fmt=<unavailable>) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:823
#5  0xffffffff816d13d6 in trap_fatal (frame=0xfffffe000c95a7b0, eva=0) at /usr/home/andrew/head-git/sys/amd64/amd64/trap.c:946
#6  0xffffffff816d004a in trap (frame=<optimized out>) at /usr/home/andrew/head-git/sys/amd64/amd64/trap.c:218
#7  <signal handler called>
#8  __mtx_lock_flags (c=<optimized out>, opts=0, file=0xffffffff81998af3 "/usr/home/andrew/head-git/sys/kern/kern_cons.c", line=608) at /usr/home/andrew/head-git/sys/kern/kern_mutex.c:244
#9  0xffffffff80fa3336 in constty_timeout (arg=<optimized out>) at /usr/home/andrew/head-git/sys/kern/kern_cons.c:608
#10 0xffffffff81058ddd in softclock_call_cc (c=<optimized out>, cc=0xffffffff8271dd00 <cc_cpu>, direct=0) at /usr/home/andrew/head-git/sys/kern/kern_timeout.c:731
#11 0xffffffff81059343 in softclock (arg=0xffffffff8271dd00 <cc_cpu>) at /usr/home/andrew/head-git/sys/kern/kern_timeout.c:869
#12 0xffffffff80fd6f72 in intr_event_execute_handlers (p=<optimized out>, ie=<optimized out>) at /usr/home/andrew/head-git/sys/kern/kern_intr.c:1148
#13 ithread_execute_handlers (p=<optimized out>, ie=<optimized out>) at /usr/home/andrew/head-git/sys/kern/kern_intr.c:1161
#14 ithread_loop (arg=<optimized out>) at /usr/home/andrew/head-git/sys/kern/kern_intr.c:1241
#15 0xffffffff80fd23d0 in fork_exit (callout=0xffffffff80fd6c80 <ithread_loop>, arg=0xfffff800031b2000, frame=0xfffffe000c95aac0) at /usr/home/andrew/head-git/sys/kern/kern_fork.c:1056
#16 <signal handler called>
(kgdb) up 8
#8  __mtx_lock_flags (c=<optimized out>, opts=0, file=0xffffffff81998af3 "/usr/home/andrew/head-git/sys/kern/kern_cons.c", line=608) at /usr/home/andrew/head-git/sys/kern/kern_mutex.c:244
244             KASSERT(m->mtx_lock != MTX_DESTROYED,
(kgdb) p m
$2 = (struct mtx *) 0xdeadc0dedeadc0de
This was fixed by r349733.