panic: kernel diagnostic assertion "pr->ps_threadcnt == 0" failed: file "/syzkaller/managers/setuid/kernel/sys/kern/kern_exit.c", line 848
Stopped at db_enter+0x25: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
297857 96539 32767 0x10 0 1 syz-executor
*472518 28470 0 0x14000 0x200 0K reaper
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff830e9d1a) at panic+0x1e5 sys/kern/subr_prf.c:198
__assert(ffffffff8309bc1f,ffffffff830aaf6b,350,ffffffff82ff2316) at __assert+0x29
process_zap(ffff8000ffff0928) at process_zap+0x32d sys/kern/kern_exit.c:849
reaper(ffff800029fd8a28) at reaper+0x2f6 sys/kern/kern_exit.c:497
end trace frame: 0x0, count: 10
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
*cpu0: kernel diagnostic assertion "pr->ps_threadcnt == 0" failed: file "/syzkaller/managers/setuid/kernel/sys/kern/kern_exit.c", line 848
ddb{0}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff830e9d1a) at panic+0x1e5 sys/kern/subr_prf.c:198
__assert(ffffffff8309bc1f,ffffffff830aaf6b,350,ffffffff82ff2316) at __assert+0x29
process_zap(ffff8000ffff0928) at process_zap+0x32d sys/kern/kern_exit.c:849
reaper(ffff800029fd8a28) at reaper+0x2f6 sys/kern/kern_exit.c:497
end trace frame: 0x0, count: -5
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff800029fe52f0
rbx 0xffffffff834dfdcf cpu_info_full_primary+0x2dcf
rdx 0
rcx 0xffff800029fd8a28
rax 0xffffffff834deff0 cpu_info_full_primary+0x1ff0
r8 0x101010101010101
r9 0x8080808080808080
r10 0x4882b516f80a70b1
r11 0x52a882c9cfc6b11
r12 0xffffffff834dfbd0 cpu_info_full_primary+0x2bd0
r13 0
r14 0
r15 0x1
rip 0xffffffff828dd045 db_enter+0x25
cs 0x8
rflags 0x246
rsp 0xffff800029fe52e0
ss 0x10
db_enter+0x25: addq $0x8,%rsp
ddb{0}> show proc
PROC (reaper) tid=472518 pid=28470 tcnt=1 stat=onproc
flags process=14000<NOZOMBIE,SYSTEM> proc=200<SYSTEM>
runpri=32, usrpri=73, slppri=32, nice=20
wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
forw=0xffffffffffffffff, list=0xffff800029fd91c0,0xffff800029fd87b0
process=0xffff800029febaf0 user=0xffff800029fe0000, vmspace=0xffffffff835c7b20
estcpu=23, cpticks=2, pctcpu=3.90, user=0, sys=89058, intr=6567
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
82016 454561 14743 0 2 0x2 ifconfig
14743 436061 68178 0 3 0x10008a sigsusp sh
30288 175958 43023 32767 2 0x10 syz-executor
30288 495290 43023 32767 2 0x4000090 syz-executor
25671 406749 57921 0 2 0x2 syz-executor
68178 160764 51959 0 3 0x80 wait syz-executor
38037 119245 63087 32767 2 0x10 syz-executor
38037 171938 63087 32767 3 0x4000090 pipewr syz-executor
38037 17910 63087 32767 3 0x4000090 pipewr syz-executor
38037 16097 63087 32767 2 0x4000010 syz-executor
38037 78820 63087 32767 3 0x4000090 fsleep syz-executor
51959 116520 57921 0 3 0x82 wait syz-executor
65602 467452 46619 32767 2 0x490 syz-executor
65602 399330 46619 32767 3 0x4000090 fsleep syz-executor
65602 363560 46619 32767 3 0x4000090 ttyout syz-executor
65602 426962 46619 32767 3 0x4000090 fsleep syz-executor
96539 297857 72251 32767 7 0x10 syz-executor
72251 439290 57921 0 3 0x82 wait syz-executor
63087 114071 18419 32767 2 0x490 syz-executor
18419 382350 57921 0 3 0x82 wait syz-executor
46619 384535 93378 32767 2 0x490 syz-executor
93378 69428 57921 0 3 0x82 wait syz-executor
46293 16324 64446 32767 2 0x490 syz-executor
64446 83584 57921 0 3 0x82 wait syz-executor
43023 367448 16356 32767 2 0x490 syz-executor
16356 68258 57921 0 3 0x82 wait syz-executor
85969 347996 33145 32767 2 0x490 syz-executor
33145 95910 57921 0 3 0x82 wait syz-executor
64015 67256 16566 0 3 0x100082 sbwait arp
16566 454456 66630 0 3 0x10008a sigsusp sh
66630 16365 1 0 3 0x80 wait syz-executor
75580 478603 0 0 3 0x14200 bored sosplice
57921 148189 16962 0 3 0x82 kqread syz-executor
16962 95637 53784 0 3 0x10008a sigsusp ksh
53784 123278 69856 0 3 0x98 kqread sshd-session
69856 126737 30456 0 3 0x92 kqread sshd-session
2934 162555 1 0 3 0x100083 ttyin getty
30456 44267 1 0 3 0x88 kqread sshd
71280 147488 48924 73 3 0x1100090 kqread syslogd
48924 14081 1 0 3 0x100082 sbwait syslogd
20766 461570 1 0 3 0x100080 kqread resolvd
97006 380208 97182 77 3 0x100092 kqread dhcpleased
80084 407881 97182 77 3 0x100092 kqread dhcpleased
97182 445700 1 0 3 0x80 kqread dhcpleased
46732 87087 0 0 3 0x14200 bored smr
64751 14941 0 0 2 0x14200 zerothread
26563 40877 0 0 3 0x14200 aiodoned aiodoned
24483 461306 0 0 3 0x14200 syncer update
65864 247819 0 0 3 0x14200 cleaner cleaner
*28470 472518 0 0 7 0x14200 reaper
30383 24261 0 0 3 0x14200 pgdaemon pagedaemon
74390 234471 0 0 3 0x14200 bored viomb
58765 276952 0 0 3 0x40014200 acpi0 acpi0
37861 452742 0 0 3 0x40014200 idle1
44494 364797 0 0 3 0x14200 bored softnet3
13427 492183 0 0 3 0x14200 bored softnet2
52601 243462 0 0 3 0x14200 bored softnet1
99583 68002 0 0 3 0x14200 bored softnet0
95657 474757 0 0 3 0x14200 bored systqmp
2900 228155 0 0 3 0x14200 bored systq
43067 445410 0 0 3 0x14200 tmoslp softclockmp
16724 235673 0 0 2 0x40014200 softclock
19301 78743 0 0 3 0x40014200 idle0
1 61091 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
Process 28470 (reaper) thread 0xffff800029fd8a28 (472518)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff83599f78)
#0 witness_lock+0x5bb stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5bb sys/kern/subr_witness.c:1155
#1 __mp_acquire_count+0x58
#2 mi_switch+0x658 sys/kern/sched_bsd.c:460
#3 sleep_finish+0x219 sys/kern/kern_synch.c:416
#4 rw_enter+0x348 sys/kern/kern_rwlock.c:285
#5 knote_processexit+0x2b sys/kern/kern_event.c:2063
#6 reaper+0x2ad sys/kern/kern_exit.c:489
#7 proc_trampoline+0x10
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10220 14122K 14131K 166960K 13019 0
pcb 17 24K 26K 166960K 27 0
rtable 194 5K 7K 166960K 20174 0
pf 29 16K 16K 166960K 1199 0
ifaddr 35 14K 17K 166960K 2330 0
ifgroup 46 2K 2K 166960K 2362 0
sysctl 4 1K 5K 166960K 15 0
counters 62 36K 36K 166960K 1208 0
ioctlops 0 0K 2K 166960K 1127 0
iov 0 0K 32K 166960K 2103 0
mount 1 1K 1K 166960K 1 0
log 0 0K 0K 166960K 4 0
vnodes 1482 93K 93K 166960K 13848 0
UFS quota 1 32K 32K 166960K 1 0
UFS mount 5 36K 36K 166960K 5 0
shm 2 1K 13K 166960K 482 0
VM map 2 1K 1K 166960K 2 0
sem 12 0K 0K 166960K 1025 0
dirhash 21 4K 4K 166960K 621 0
ACPI 1690 195K 286K 166960K 12418 0
file desc 27 101K 169K 166960K 30138 0
sigio 0 0K 0K 166960K 1103 0
proc 58 79K 176K 166960K 18726 0
subproc 112 7K 13K 166960K 8809 0
NFS srvsock 1 0K 0K 166960K 1 0
NFS daemon 1 16K 16K 166960K 1 0
ip_moptions 0 0K 0K 166960K 5624 0
in_multi 77 5K 7K 166960K 7415 0
ether_multi 1 0K 0K 166960K 184 0
mrt 1 0K 0K 166960K 4 0
ISOFS mount 1 32K 32K 166960K 1 0
MSDOSFS mount 1 16K 16K 166960K 1 0
ttys 277 1235K 1235K 166960K 277 0
exec 0 0K 1K 166960K 12635 0
tdb 3 0K 0K 166960K 3 0
VM swap 8 62K 64K 166960K 10 0
UVM amap 268 75K 140K 166960K 250907 0
UVM aobj 131 4K 8K 166960K 149 0
pinsyscall 49 98K 138K 166960K 47319 0
memdesc 1 4K 4K 166960K 1 0
crypto data 1 1K 1K 166960K 1 0
ip6_options 0 0K 1K 166960K 1929 0
NDP 10 0K 2K 166960K 1731 0
temp 79 6824K 6952K 166960K 201464 0
kqueue 15 22K 35K 166960K 4333 0
SYN cache 2 16K 16K 166960K 2 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 24 0 0 1 0 1 1 0 8 0
rtpcb 120 4853 0 4849 36 35 1 3 0 8 0
rtentry 112 6625 0 6535 16 12 4 4 0 8 0
unpcb 144 27142 0 27118 149 146 3 11 0 8 2
syncache 336 550 0 550 56 55 1 1 0 8 1
tcpqe 32 228 0 228 49 48 1 1 0 8 1
tcpcb 808 17261 0 17211 223 211 12 24 0 8 3
arp 120 1167 0 1153 1 0 1 1 0 8 0
ipq 40 156 0 153 5 4 1 1 0 8 0
ipqe 40 1737 0 1734 5 4 1 1 0 8 0
inpcb 336 39822 0 39767 270 259 11 26 0 8 0
ip6q 72 8 0 8 6 5 1 1 0 8 1
ip6af 40 16 0 16 6 5 1 1 0 8 1
nd6 136 1985 0 1965 8 6 2 2 0 8 0
kcovpl 48 677 0 669 1 0 1 1 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 26994 0 26617 248 216 32 33 0 8 3
art_table 32 26995 0 26617 10 5 5 5 0 8 0
art_node 16 6624 0 6542 1 0 1 1 0 8 0
sysvmsgpl 40 49 0 41 1 0 1 1 0 8 0
semapl 112 1023 0 1013 1 0 1 1 0 8 0
shmpl 112 146 0 18 4 0 4 4 0 8 0
dirhash 1024 438 0 407 13 8 5 5 0 8 1
dino2pl 256 35678 0 32452 205 3 202 202 0 8 0
ffsino 272 35678 0 32452 217 1 216 216 0 8 0
nchpl 144 65666 0 62727 111 1 110 110 0 8 1
uvmvnodes 80 10256 0 0 210 0 210 210 0 8 0
vnodes 216 10256 0 0 570 0 570 570 0 8 0
namei 1024 299003 0 299003 70 69 1 2 0 8 1
percpumem 16 618 0 573 1 0 1 1 0 8 0
kstatmem 264 1166 0 1146 2 0 2 2 0 8 0
scxspl 216 353890 0 353890 90 87 3 8 1 8 3
plimitpl 152 9791 0 9767 2 0 2 2 0 8 0
sigapl 424 29358 0 29300 27 19 8 9 0 8 0
futexpl 64 320772 0 320769 40 39 1 1 0 8 0
knotepl 120 1963 0 0 26 1 25 25 0 8 0
kqueuepl 216 8816 0 8803 76 74 2 6 0 8 1
pipepl 320 6068 0 6037 52 47 5 9 0 8 0
fdescpl 496 29339 0 29300 34 27 7 8 0 8 0
filepl 152 198652 0 198379 166 150 16 25 0 8 3
lockfpl 104 7843 0 7841 3 2 1 2 0 8 0
lockfspl 48 2189 0 2187 1 0 1 1 0 8 0
sessionpl 144 869 0 853 1 0 1 1 0 8 0
pgrppl 48 2259 0 2235 1 0 1 1 0 8 0
ucredpl 104 37173 0 37156 1 0 1 1 0 8 0
zombiepl 144 29302 0 29300 1 0 1 1 0 8 0
processpl 1160 29358 0 29300 7 1 6 6 0 8 0
procpl 648 65327 0 65261 11 4 7 8 0 8 0
srpgc 96 40 0 40 17 17 0 1 0 8 0
sosppl 168 333 0 330 28 27 1 1 0 8 0
sockpl 664 72526 0 72437 437 422 15 33 0 8 3
mcl64k 65536 52 0 0 5 2 3 3 0 8 0
mcl16k 16384 8 0 0 1 0 1 1 0 8 0
mcl12k 12288 4 0 0 1 0 1 1 0 8 0
mcl9k 9216 4 0 0 1 0 1 1 0 8 0
mcl8k 8192 25 0 0 4 1 3 3 0 8 0
mcl4k 4096 3 0 0 1 0 1 1 0 8 0
mcl2k2 2112 7 0 0 1 0 1 1 0 8 0
mcl2k 2048 860 0 0 29 9 20 28 0 8 0
mtagpl 96 15 0 0 1 0 1 1 0 8 0
mbufpl 256 7549 0 0 422 0 422 422 0 8 0
bufpl 280 49557 0 39300 733 0 733 733 0 8 0
anonpl 24 3626895 0 3617320 510 421 89 119 0 185 0
amapchunkpl 152 807230 0 806490 276 227 49 51 0 158 13
amappl16 200 75944 0 75727 549 525 24 39 0 8 4
amappl15 192 11 0 11 3 3 0 1 0 8 0
amappl14 184 1816 0 1805 1 0 1 1 0 8 0
amappl13 176 27 0 27 16 16 0 1 0 8 0
amappl12 168 39359 0 39319 6 3 3 3 0 8 0
amappl11 160 59 0 49 1 0 1 1 0 8 0
amappl10 152 11 0 11 1 1 0 1 0 8 0
amappl9 144 142 0 141 2 1 1 1 0 8 0
amappl8 136 18 0 16 1 0 1 1 0 8 0
amappl7 128 1539 0 1527 1 0 1 1 0 8 0
amappl6 120 5841 0 5837 1 0 1 1 0 8 0
amappl5 112 2685 0 2672 1 0 1 1 0 8 0
amappl4 104 3155 0 3139 1 0 1 1 0 8 0
amappl3 96 165528 0 165401 10 5 5 5 0 8 0
amappl2 88 11887 0 11819 13 11 2 3 0 8 0
amappl1 80 201608 0 201033 34 18 16 19 0 8 1
amappl 88 242920 0 242708 8 2 6 6 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 148 0 18 3 0 3 3 0 8 0
uaddrrnd 24 29339 0 29300 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 29339 0 29300 1 0 1 1 0 8 0
vmmpekpl 168 270561 0 270514 5 1 4 5 0 8 0
vmmpepl 168 1869653 0 1867407 468 352 116 136 0 357 3
vmsppl 440 29338 0 29300 30 23 7 7 0 8 1
rwobjpl 56 499803 0 488274 201 33 168 170 0 8 0
pdppl 4096 58685 0 58600 1882 1793 89 121 0 8 4
pvpl 32 49070 0 0 388 3 385 385 0 265 0
pmappl 248 29338 0 29300 8 4 4 4 0 8 0
extentpl 40 56 0 38 1 0 1 1 0 8 0
phpool 112 3650 0 2629 32 2 30 30 0 8 0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff830e9d1a) at panic+0x1e5 sys/kern/subr_prf.c:198
__assert(ffffffff8309bc1f,ffffffff830aaf6b,350,ffffffff82ff2316) at __assert+0x29
process_zap(ffff8000ffff0928) at process_zap+0x32d sys/kern/kern_exit.c:849
reaper(ffff800029fd8a28) at reaper+0x2f6 sys/kern/kern_exit.c:497
end trace frame: 0x0, count: -5
ddb{0}> machine ddbcpu 1
Stopped at x86_ipi_db+0x27: addq $0x8,%rsp
x86_ipi_db(ffff800029b7bff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff83599d70) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:113 [inline]
__mp_lock(ffffffff83599d70) at __mp_lock+0x192 sys/kern/kern_lock.c:144
syscall(ffff8000371b8150) at syscall+0xad6 mi_syscall sys/sys/syscall_mi.h:179 [inline]
syscall(ffff8000371b8150) at syscall+0xad6 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7e48691a9a10, count: 9
ddb{1}> trace
x86_ipi_db(ffff800029b7bff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff83599d70) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:113 [inline]
__mp_lock(ffffffff83599d70) at __mp_lock+0x192 sys/kern/kern_lock.c:144
syscall(ffff8000371b8150) at syscall+0xad6 mi_syscall sys/sys/syscall_mi.h:179 [inline]
syscall(ffff8000371b8150) at syscall+0xad6 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7e48691a9a10, count: -6