syzbot


panic: kernel diagnostic assertion "ps->ps_uvncount == NUM" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/

Status: upstream: reported on 2025/02/09 09:53
Reported-by: syzbot+7bea42106c3dbc1d3fb4@syzkaller.appspotmail.com
First crash: 13d, last: 13d

Sample crash report:
Wpanic:IkNeGr:n SPel Ld iNaOTn oLOstERiEc aDs sOeNr tSiYoSnCA"p 8s-3p-10vnco4nt7=  XI"T fa iled:Stopped at      savectx+0xae:   movl    $0,%gs:0x680
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*305739  95577      0           0  0x4000000    0  syz-executor
savectx() at savectx+0xae
end of kernel
end trace frame: 0xd4081a0d690, count: 14
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{0}> 
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
*cpu1: kernel diagnostic assertion "ps->ps_uvncount == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_unveil.c", line 188
ddb{0}> trace
savectx() at savectx+0xae
end of kernel
end trace frame: 0xd4081a0d690, count: -1
ddb{0}> show registers
rdi                                0
rsi                                0
rbp               0xffff80003c5d9c80
rbx                                0
rdx               0xffff800001461c80
rcx               0xffff8000ffff6cd0
rax                             0x3c
r8                0xffff80003c5d9bb0
r9                                 0
r10               0xbba0f174a97fd919
r11               0xdf2451ee762b321a
r12                                0
r13                                0
r14               0xffff8000ffff6cd0
r15                                0
rip               0xffffffff832643ee    savectx+0xae
cs                               0x8
rflags                          0x46
rsp               0xffff80003c5d9c00
ss                              0x10
savectx+0xae:   movl    $0,%gs:0x680
ddb{0}> show proc
PROC (syz-executor) tid=305739 pid=95577 tcnt=3 stat=onproc
    flags process=0 proc=4000000<THREAD>
    runpri=32, usrpri=50, slppri=32, nice=20
    wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
    forw=0xffffffffffffffff, list=0xffff8000ffff7c00,0xffff8000338ac550
    process=0xffff80003c541498 user=0xffff80003c5d4000, vmspace=0xfffffd8078f4fca8
    estcpu=36, cpticks=0, pctcpu=0.0, user=0, sys=0, intr=0
ddb{0}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 50944  134914   2660      0  2           0                syz-executor
 50944  220752   2660      0  3   0x4000080  fsleep        syz-executor
 50944  430366   2660      0  3   0x4000080  fsleep        syz-executor
 95577  128460  98964      0  2           0                syz-executor
*95577  305739  98964      0  7   0x4000000                syz-executor
 95577  507676  98964      0  3   0x4000080  fsleep        syz-executor
 21871  231965  91287      0  2         0x2                syz-executor
 42734  338902      1      0  3        0x80  nanoslp       init
 37498  281667  91287      0  3         0x2  biowait       syz-executor
 31527  411210  91287      0  3        0x82  nanoslp       syz-executor
 75430   70633  91287      0  2         0x2                syz-executor
 98964  352134  91287      0  3        0x82  nanoslp       syz-executor
 54288  100954      0      0  3     0x14280  nfsidl        nfsio
 44425  434554      0      0  3     0x14280  nfsidl        nfsio
 45986  441192      0      0  3     0x14280  nfsidl        nfsio
 20719  353304      0      0  3     0x14280  nfsidl        nfsio
  6182  357403      0      0  3     0x14280  nfsidl        nfsio
 15520  140312      0      0  3     0x14280  nfsidl        nfsio
 75297   18294      0      0  3     0x14280  nfsidl        nfsio
 99085  446760      0      0  3     0x14280  nfsidl        nfsio
 59440  283582      0      0  3     0x14280  nfsidl        nfsio
 88211  378773      0      0  3     0x14280  nfsidl        nfsio
 78453  342850      0      0  3     0x14280  nfsidl        nfsio
 59888   70238      0      0  3     0x14280  nfsidl        nfsio
 12571  474711      0      0  3     0x14280  nfsidl        nfsio
 48075  143135      0      0  3     0x14280  nfsidl        nfsio
 93975  171597      0      0  3     0x14280  nfsidl        nfsio
 52827  420245      0      0  3     0x14280  nfsidl        nfsio
 40998   55502      0      0  3     0x14280  nfsidl        nfsio
 69017  144513      0      0  3     0x14280  nfsidl        nfsio
 49111  428791      0      0  3     0x14280  nfsidl        nfsio
 80240  466907      0      0  3     0x14280  nfsidl        nfsio
  8719  140237      0      0  3     0x14200  bored         sosplice
  2660  249157  91287      0  3        0x82  nanoslp       syz-executor
 55468  335941  91287      0  3        0x82  wait          syz-executor
 59624  122727  91287      0  3         0x2  biowait       syz-executor
 91287  252654  74434      0  3        0x82  kqread        syz-executor
 74434  442493  79143      0  3    0x10008a  sigsusp       ksh
 79143   30346  29123      0  3        0x98  kqread        sshd-session
 29123  158024  85759      0  3        0x92  kqread        sshd-session
 85759  358909      1      0  3        0x88  kqread        sshd
 50884  183908    521     74  3   0x1100092  bpf           pflogd
   521  191661      1      0  3        0x80  sbwait        pflogd
 83668  282430   2453     73  3   0x1100090  kqread        syslogd
  2453  136928      1      0  3    0x100082  sbwait        syslogd
  7736  426208      1      0  3    0x100080  kqread        resolvd
   279  514042  34699     77  3    0x100092  kqread        dhcpleased
 51827  388638  34699     77  3    0x100092  kqread        dhcpleased
 34699  116673      1      0  3        0x80  kqread        dhcpleased
 29274  513967      0      0  3     0x14200  bored         smr
 32507  421439      0      0  3     0x14200  pgzero        zerothread
 97809  154657      0      0  3     0x14200  aiodoned      aiodoned
  8235  251890      0      0  3     0x14200  syncer        update
   344  407637      0      0  3     0x14200  cleaner       cleaner
 37020  192195      0      0  3     0x14200  reaper        reaper
 41362  410178      0      0  3     0x14200  pgdaemon      pagedaemon
 84614   67301      0      0  3     0x14200  bored         viomb
 35631  157343      0      0  3  0x40014200  acpi0         acpi0
 94278  520468      0      0  3  0x40014200                idle1
 47727  272557      0      0  3     0x14200  bored         softnet3
 51215  199831      0      0  3     0x14200  bored         softnet2
 30642  151767      0      0  3     0x14200  bored         softnet1
 59014  102702      0      0  3     0x14200  bored         softnet0
 35672  478030      0      0  3     0x14200  bored         systqmp
 21247  365178      0      0  3     0x14200  bored         systq
 40136  308210      0      0  3     0x14200  tmoslp        softclockmp
 35112  118540      0      0  3  0x40014200  tmoslp        softclock
 54735     169      0      0  3  0x40014200                idle0
     1    4011      0      0  3     0x80082  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{0}> show all locks
CPU 0:
exclusive mutex &sched_lock r = 0 (0xffffffff8397e690)
#0  witness_lock+0x5bb stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5bb sys/kern/subr_witness.c:1155
#1  mtx_enter_try+0x178
#2  mtx_enter+0x60 sys/kern/kern_lock.c:239
#3  sleep_finish+0x24f sys/kern/kern_synch.c:414
#4  rwsleep+0xf2 sys/kern/kern_synch.c:300
#5  futex_wait+0x372 sys/kern/sys_futex.c:250
#6  sys_futex+0x149 sys/kern/sys_futex.c:101
#7  syscall+0xbc6 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#7  syscall+0xbc6 sys/arch/amd64/amd64/trap.c:577
#8  Xsyscall+0x128
Process 37498 (syz-executor) thread 0xffff80003c5cfc18 (281667)
Process 59624 (syz-executor) thread 0xffff8000ffffaf40 (122727)
ddb{0}> show malloc
ddb{0}> show all pools
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
savectx() at savectx+0xae
end of kernel
end trace frame: 0xd4081a0d690, count: -1
ddb{0}> machine ddbcpu 1
Stopped at      x86_ipi_db+0x27:        addq    $0x8,%rsp
x86_ipi_db(ffff800029aabff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
x86_bus_space_io_read_1(3f8,5) at x86_bus_space_io_read_1+0x37 sys/arch/amd64/amd64/bus_space.c:654
comcnputc(800,3a) at comcnputc+0x250 comcn_read_reg sys/dev/ic/com.c:1655 [inline]
comcnputc(800,3a) at comcnputc+0x250 sys/dev/ic/com.c:1269
cnputc(3a) at cnputc+0x61 sys/dev/cons.c:218
db_putchar(3a) at db_putchar+0x65c sys/ddb/db_output.c:155
kprintf() at kprintf+0x2aba sys/kern/subr_prf.c:1065
db_printf(ffffffff833cf72b) at db_printf+0x9b
panic(ffffffff8343b582) at panic+0x103 sys/kern/subr_prf.c:216
__assert(ffffffff833e7d34,ffffffff8339e492,bc,ffffffff833580a4) at __assert+0x29
unveil_destroy(ffff80003c544238) at unveil_destroy+0x1dd sys/kern/kern_unveil.c:188
exit1(ffff8000ffff76f0,0,0,1) at exit1+0x60f sys/kern/kern_exit.c:233
sys_exit(ffff8000ffff76f0,ffff80003c50aa30,ffff80003c50a980) at sys_exit+0x1a
end trace frame: 0xffff80003c50aa20, count: 0
ddb{1}> trace
x86_ipi_db(ffff800029aabff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
x86_bus_space_io_read_1(3f8,5) at x86_bus_space_io_read_1+0x37 sys/arch/amd64/amd64/bus_space.c:654
comcnputc(800,3a) at comcnputc+0x250 comcn_read_reg sys/dev/ic/com.c:1655 [inline]
comcnputc(800,3a) at comcnputc+0x250 sys/dev/ic/com.c:1269
cnputc(3a) at cnputc+0x61 sys/dev/cons.c:218
db_putchar(3a) at db_putchar+0x65c sys/ddb/db_output.c:155
kprintf() at kprintf+0x2aba sys/kern/subr_prf.c:1065
db_printf(ffffffff833cf72b) at db_printf+0x9b
panic(ffffffff8343b582) at panic+0x103 sys/kern/subr_prf.c:216
__assert(ffffffff833e7d34,ffffffff8339e492,bc,ffffffff833580a4) at __assert+0x29
unveil_destroy(ffff80003c544238) at unveil_destroy+0x1dd sys/kern/kern_unveil.c:188
exit1(ffff8000ffff76f0,0,0,1) at exit1+0x60f sys/kern/kern_exit.c:233
sys_exit(ffff8000ffff76f0,ffff80003c50aa30,ffff80003c50a980) at sys_exit+0x1a
syscall(ffff80003c50aa30) at syscall+0xb08 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c50aa30) at syscall+0xb08 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7e883b045d10, count: -16

Crashes (1):
Time: 2025/02/09 09:53
Kernel: openbsd
Commit: 2347e6edcd5e
Syzkaller: ef44b750
Config: .config
Log: console log
Report: report
Syz repro: -
C repro: -
VM info: -
Assets: [disk image] [bsd.gdb] [kernel image]
Manager: ci-openbsd-multicore
Title: panic: kernel diagnostic assertion "ps->ps_uvncount == NUM" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/