panic: kernel diagnostic assertion "va >= entry->start" failed: file "/WARNING: SPL NOT LOWERED ON SYSCALL 83 147833536 EXIT 0 9
Stopped at savectx+0xae: movl $0,%gs:0x680
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*219891 56946 0 0 0 1 syz-executor
131577 56946 0 0 0x4000000 0 syz-executor
savectx() at savectx+0xae
end of kernel
end trace frame: 0x7995c8dcff10, count: 14
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu0: kernel diagnostic assertion "va >= entry->start" failed: file "/syzkaller/managers/multicore/kernel/sys/uvm/uvm_fault.c", line 1739
ddb{1}> trace
savectx() at savectx+0xae
end of kernel
end trace frame: 0x7995c8dcff10, count: -1
ddb{1}> show registers
rdi 0
rsi 0
rbp 0xffff800038cc6370
rbx 0
rdx 0
rcx 0xffff80003c502f98
rax 0x3a
r8 0xffff800038cc62a0
r9 0x1
r10 0xcdf509ea1da9057c
r11 0x40db4fecc839c4e5
r12 0
r13 0
r14 0xffff80003c502f98
r15 0
rip 0xffffffff82deb3ee savectx+0xae
cs 0x8
rflags 0x46
rsp 0xffff800038cc62f0
ss 0
savectx+0xae: movl $0,%gs:0x680
ddb{1}> show proc
PROC (syz-executor) tid=219891 pid=56946 tcnt=4 stat=onproc
flags process=0 proc=0
runpri=50, usrpri=50, slppri=36, nice=20
wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
forw=0xffffffffffffffff, list=0xffff80003c5039d8,0xffff80003c502d18
process=0xffff80003c4e0028 user=0xffff800038cc1000, vmspace=0xfffffd806bcd5740
estcpu=36, cpticks=0, pctcpu=0.0, user=0, sys=0, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
17667 521596 42849 0 2 0 syz-executor
*56946 219891 89371 0 7 0 syz-executor
56946 131577 89371 0 7 0x4000000 syz-executor
56946 93076 89371 0 3 0x4000080 fsleep syz-executor
56946 35689 89371 0 2 0x4000000 syz-executor
64881 90407 86124 0 3 0x80 fsleep syz-executor
64881 324646 86124 0 3 0x4000080 kqsel syz-executor
86523 418284 59921 0 3 0x80 fsleep syz-executor
86523 515304 59921 0 3 0x4000080 tunread syz-executor
18592 385978 93076 0 3 0x80 fsleep syz-executor
18592 330477 93076 0 3 0x4000080 kqsel syz-executor
20096 267521 87828 0 3 0x90 fsleep syz-executor
20096 236481 87828 0 3 0x4000090 kqread syz-executor
20096 449365 87828 0 3 0x4000090 fsleep syz-executor
20096 502687 87828 0 3 0x4000090 fsleep syz-executor
43675 345517 79914 0 3 0x80 fsleep syz-executor
43675 83289 79914 0 3 0x4000080 nanoslp syz-executor
16629 462643 72080 0 3 0x80 fsleep syz-executor
16629 205789 72080 0 3 0x4000080 kqread syz-executor
87828 385909 86840 0 3 0x82 nanoslp syz-executor
72080 246747 86840 0 3 0x82 nanoslp syz-executor
79914 105321 86840 0 3 0x82 nanoslp syz-executor
59921 204929 86840 0 3 0x82 nanoslp syz-executor
86124 240084 86840 0 3 0x82 nanoslp syz-executor
32032 193547 16438 0 3 0x82 sbwait sshd-session
92840 432896 0 0 3 0x14200 bored sosplice
35155 172576 0 0 3 0x14280 nfsidl nfsio
92497 141154 0 0 3 0x14280 nfsidl nfsio
7609 293062 0 0 3 0x14280 nfsidl nfsio
71382 399227 0 0 3 0x14280 nfsidl nfsio
16135 166223 0 0 3 0x14280 nfsidl nfsio
33477 410228 0 0 3 0x14280 nfsidl nfsio
25802 311054 0 0 3 0x14280 nfsidl nfsio
70153 166156 0 0 3 0x14280 nfsidl nfsio
1936 125835 0 0 3 0x14280 nfsidl nfsio
40750 431780 0 0 3 0x14280 nfsidl nfsio
49246 421232 0 0 3 0x14280 nfsidl nfsio
252 265393 0 0 3 0x14280 nfsidl nfsio
70034 407427 0 0 3 0x14280 nfsidl nfsio
28691 76553 0 0 3 0x14280 nfsidl nfsio
4075 453719 0 0 3 0x14280 nfsidl nfsio
7354 48012 0 0 3 0x14280 nfsidl nfsio
8175 87696 0 0 3 0x14280 nfsidl nfsio
74880 60940 0 0 3 0x14280 nfsidl nfsio
8580 489723 0 0 3 0x14280 nfsidl nfsio
79190 103642 0 0 3 0x14280 nfsidl nfsio
89371 434074 86840 0 3 0x82 nanoslp syz-executor
93076 367272 86840 0 3 0x82 nanoslp syz-executor
42849 76676 86840 0 3 0x82 nanoslp syz-executor
86840 90176 72245 0 3 0x2 tmobar syz-executor
72245 76593 21575 0 3 0x10008a sigsusp ksh
21575 299303 25346 0 3 0x98 kqread sshd-session
25346 111341 16438 0 3 0x92 kqread sshd-session
10771 515962 1 0 3 0x100083 ttyin getty
16438 123518 1 0 3 0x88 kqread sshd
15144 125642 86231 74 3 0x1100092 bpf pflogd
86231 398912 1 0 3 0x80 sbwait pflogd
52756 326294 80866 73 3 0x1100090 kqread syslogd
80866 144579 1 0 3 0x100082 sbwait syslogd
20171 175899 1 0 3 0x100080 kqread resolvd
57542 125284 36556 77 3 0x100092 kqread dhcpleased
71859 370108 36556 77 3 0x100092 kqread dhcpleased
36556 324863 1 0 3 0x80 kqread dhcpleased
56667 314327 0 0 3 0x14200 bored smr
25690 508044 0 0 3 0x14200 pgzero zerothread
73541 222911 0 0 3 0x14200 aiodoned aiodoned
70997 84433 0 0 3 0x14200 syncer update
27080 205865 0 0 3 0x14200 cleaner cleaner
23796 77018 0 0 3 0x14200 reaper reaper
71149 173777 0 0 3 0x14200 pgdaemon pagedaemon
1773 424046 0 0 3 0x14200 bored viomb
65859 316272 0 0 3 0x40014200 acpi0 acpi0
26036 168200 0 0 3 0x40014200 idle1
5061 190577 0 0 3 0x14200 bored softnet3
78203 494994 0 0 3 0x14200 bored softnet2
63625 388288 0 0 3 0x14200 bored softnet1
60927 190922 0 0 2 0x14200 softnet0
30384 489183 0 0 3 0x14200 bored systqmp
90521 301268 0 0 3 0x14200 bored systq
16165 327514 0 0 3 0x14200 tmoslp softclockmp
90758 258317 0 0 3 0x40014200 tmoslp softclock
8836 438478 0 0 3 0x40014200 idle0
1 233693 0 0 3 0x82 wait init
0 0 -1 0 3 0x10010200 scheduler swapper
ddb{1}> show all locks
CPU 1:
exclusive mutex softnet0 r = 0 (0xffff80000002c028)
#0 witness_lock+0x5bb stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5bb sys/kern/subr_witness.c:1155
#1 mtx_enter_try+0x178
#2 mtx_enter+0x60 sys/kern/kern_lock.c:239
#3 msleep+0x183 sys/kern/kern_synch.c:252
#4 taskq_next_work+0x8e sys/kern/kern_task.c:399
#5 taskq_thread+0x1d5 sys/kern/kern_task.c:439
#6 proc_trampoline+0x10
Process 56946 (syz-executor) thread 0xffff80003c502d08 (131577)
Process 86523 (syz-executor) thread 0xffff80003c55f9d0 (515304)
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10248 11049K 11611K 166960K 15037 0
pcb 17 15K 16K 166960K 446 0
rtable 279 14K 14K 166960K 859 0
pf 49 21K 28K 166960K 276 0
ifaddr 44 8K 9K 166960K 155 0
ifgroup 60 2K 2K 166960K 259 0
sysctl 4 1K 2K 166960K 10 0
counters 66 36K 37K 166960K 248 0
ioctlops 0 0K 8K 166960K 1720 0
iov 0 0K 32K 166960K 134 0
mount 1 1K 1K 166960K 1 0
log 0 0K 0K 166960K 4 0
vnodes 1456 92K 92K 166960K 3674 0
UFS quota 1 32K 32K 166960K 1 0
UFS mount 5 36K 36K 166960K 5 0
shm 3 5K 5K 166960K 36 0
VM map 2 1K 1K 166960K 2 0
sem 18 16K 16K 166960K 169 0
dirhash 12 2K 3K 166960K 57 0
ACPI 1692 195K 286K 166960K 12470 0
file desc 18 65K 93K 166960K 2301 0
sigio 0 0K 0K 166960K 71 0
proc 73 91K 140K 166960K 936 0
subproc 72 4K 4K 166960K 135 0
NFS srvsock 1 0K 0K 166960K 1 0
NFS daemon 1 16K 16K 166960K 1 0
ip_moptions 0 0K 0K 166960K 245 0
in_multi 92 6K 7K 166960K 252 0
ether_multi 1 0K 0K 166960K 17 0
mrt 2 0K 0K 166960K 9 0
ISOFS mount 1 32K 32K 166960K 1 0
MSDOSFS mount 1 16K 16K 166960K 1 0
ttys 301 1341K 1341K 166960K 301 0
exec 0 0K 1K 166960K 795 0
fusefs mount 1 32K 32K 166960K 1 0
pfkey data 0 0K 0K 166960K 3 0
tdb 3 0K 0K 166960K 3 0
VM swap 8 62K 64K 166960K 10 0
UVM amap 248 75K 89K 166960K 22883 0
UVM aobj 73 3K 3K 166960K 80 0
pinsyscall 45 90K 104K 166960K 3614 0
memdesc 1 4K 4K 166960K 1 0
crypto data 1 1K 1K 166960K 1 0
ip6_options 0 0K 0K 166960K 139 0
NDP 13 0K 2K 166960K 106 0
temp 80 8648K 8897K 166960K 104773 0
kqueue 15 24K 32K 166960K 389 0
SYN cache 2 16K 16K 166960K 2 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 24 0 0 1 0 1 1 0 8 0
rtpcb 120 178 0 175 1 0 1 1 0 8 0
rtentry 112 260 0 143 4 0 4 4 0 8 0
unpcb 144 1568 0 1551 13 11 2 6 0 8 1
syncache 336 14 0 14 4 4 0 1 0 8 0
tcpqe 32 3 0 3 2 2 0 1 0 8 0
tcpcb 808 821 0 813 22 20 2 8 0 8 1
arp 120 55 0 22 2 0 2 2 0 8 0
inpcb 376 2563 0 2546 34 28 6 11 0 8 3
nd6 136 57 0 30 2 0 2 2 0 8 0
pkpcb 40 18 0 18 5 5 0 1 0 8 0
kcovpl 48 15 0 7 1 0 1 1 0 8 0
ppxss 1168 61 0 61 3 2 1 1 0 8 1
pppxif 1472 14 0 14 5 5 0 1 0 8 0
pfstscr 40 4 0 3 2 1 1 1 0 8 0
pffrag 232 8 0 5 1 0 1 1 0 482 0
pffrnode 88 7 0 4 1 0 1 1 0 8 0
pffrent 40 10 0 7 1 0 1 1 0 8 0
pfosfp 40 1428 0 1428 5 5 0 5 0 8 0
pfosfpen 112 1428 0 1428 21 21 0 21 0 8 0
pfrktable 1344 11 0 7 1 0 1 1 0 8 0
pfanchor 1288 3 0 2 2 1 1 1 0 8 0
pftag 88 4 0 0 1 0 1 1 0 8 0
pfstitem 24 165 0 91 1 0 1 1 0 8 0
pfstkey 128 171 0 97 3 0 3 3 0 8 0
pfstate 376 167 0 95 9 0 9 9 0 8 0
pfrule 1344 43 0 30 3 1 2 2 0 8 0
art_heap8 4096 3 0 0 3 0 3 3 0 8 0
art_heap4 256 1053 0 536 46 13 33 36 0 8 0
art_table 32 1056 0 536 5 0 5 5 0 8 0
art_node 16 253 0 152 1 0 1 1 0 8 0
sysvmsgpl 40 27 0 20 1 0 1 1 0 8 0
semupl 112 4 0 4 3 3 0 1 0 8 0
semapl 112 161 0 145 1 0 1 1 0 8 0
shmpl 112 77 0 7 2 0 2 2 0 8 0
dirhash 1024 48 0 31 3 0 3 3 0 8 0
dino2pl 256 5690 0 4187 95 0 95 95 0 8 0
ffsino 280 5690 0 4187 109 0 109 109 0 8 0
nchpl 144 8887 0 7177 64 0 64 64 0 8 0
rtmask 32 10 0 10 3 3 0 1 0 8 0
uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0
vnodes 216 5926 0 0 330 0 330 330 0 8 0
namei 1024 32499 0 32499 2 1 1 1 0 8 1
percpumem 16 138 0 91 1 0 1 1 0 8 0
pfiaddrpl 120 3 0 2 2 1 1 1 0 8 0
kstatmem 264 146 0 120 3 1 2 3 0 8 0
scsiplug 72 5 0 5 4 4 0 1 0 8 0
scxspl 216 25481 0 25481 14 11 3 8 1 8 3
plimitpl 152 574 0 555 1 0 1 1 0 8 0
sigapl 424 2621 0 2549 9 0 9 9 0 8 0
futexpl 64 39650 0 39641 1 0 1 1 0 8 0
knotepl 120 583 0 0 18 0 18 18 0 8 0
kqueuepl 216 851 0 838 10 9 1 5 0 8 0
pipepl 328 488 0 459 8 5 3 8 0 8 0
fdescpl 504 2578 0 2545 5 0 5 5 0 8 0
filepl 152 18401 0 18175 27 9 18 18 0 8 6
lockfpl 104 834 0 830 2 1 1 2 0 8 0
lockfspl 48 263 0 259 1 0 1 1 0 8 0
sessionpl 144 39 0 29 1 0 1 1 0 8 0
pgrppl 48 111 0 93 1 0 1 1 0 8 0
ucredpl 104 3557 0 3542 1 0 1 1 0 8 0
zombiepl 144 2549 0 2549 1 0 1 1 0 8 1
processpl 1176 2621 0 2549 6 0 6 6 0 8 0
procpl 656 6069 0 5986 8 0 8 8 0 8 0
srpgc 96 17 0 17 6 6 0 1 0 8 0
sosppl 168 16 0 16 6 6 0 1 0 8 0
sockpl 688 4391 0 4359 36 30 6 17 0 8 2
mcl64k 65536 7 0 0 1 0 1 1 0 8 0
mcl16k 16384 1 0 0 1 0 1 1 0 8 0
mcl9k 9216 1 0 0 1 0 1 1 0 8 0
mcl8k 8192 6 0 0 1 0 1 1 0 8 0
mcl4k 4096 114 0 0 15 0 15 15 0 8 0
mcl2k 2048 43 0 0 5 0 5 5 0 8 0
mtagpl 96 223 0 0 6 0 6 6 0 8 0
mbufpl 256 534 0 0 31 0 31 31 0 8 0
bufpl 280 8005 0 1851 440 0 440 440 0 8 0
anonpl 24 324593 0 313175 119 37 82 82 0 184 0
amapchunkpl 152 74986 0 74245 46 14 32 32 0 158 3
amappl16 200 6885 0 6596 66 39 27 28 0 8 0
amappl15 192 3 0 3 2 2 0 1 0 8 0
amappl14 184 146 0 133 1 0 1 1 0 8 0
amappl13 176 9 0 9 2 2 0 1 0 8 0
amappl12 168 3343 0 3311 4 2 2 3 0 8 0
amappl11 160 52 0 38 1 0 1 1 0 8 0
amappl10 152 5 0 5 1 1 0 1 0 8 0
amappl9 144 254 0 254 1 1 0 1 0 8 0
amappl8 136 71 0 68 1 0 1 1 0 8 0
amappl7 128 218 0 204 1 0 1 1 0 8 0
amappl6 120 258 0 254 1 0 1 1 0 8 0
amappl5 112 156 0 146 1 0 1 1 0 8 0
amappl4 104 376 0 357 1 0 1 1 0 8 0
amappl3 96 15519 0 15400 4 0 4 4 0 8 0
amappl2 88 876 0 807 2 0 2 2 0 8 0
amappl1 80 17147 0 16491 16 0 16 16 0 8 0
amappl 88 22263 0 22078 5 0 5 5 0 92 0
dma65536 65536 1 0 1 1 1 0 1 0 8 0
dma4096 4096 2 0 2 2 2 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 8 0 8 3 3 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 7 0 7 2 2 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 20 0 19 1 0 1 1 0 8 0
aobjpl 72 79 0 7 2 0 2 2 0 8 0
uaddrrnd 24 2578 0 2545 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 2578 0 2545 1 0 1 1 0 8 0
vmmpekpl 168 20428 0 20365 4 0 4 4 0 8 0
vmmpepl 168 161214 0 158893 128 17 111 111 0 357 0
vmsppl 456 2577 0 2545 5 0 5 5 0 8 0
rwobjpl 64 48175 0 40872 125 3 122 122 0 8 0
pdppl 4096 5163 0 5090 137 64 73 87 0 8 0
pvpl 32 21997 0 0 177 0 177 177 0 265 0
pmappl 248 2577 0 2545 3 0 3 3 0 8 0
extentpl 40 55 0 38 1 0 1 1 0 8 0
phpool 112 381 0 110 9 0 9 9 0 8 0
ddb{1}> machine ddbcpu 0
Stopped at x86_ipi_db+0x27: addq $0x8,%rsp
x86_ipi_db(ffffffff8383aff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x2c kd_curproc sys/dev/kcov.c:584 [inline]
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x2c sys/dev/kcov.c:153
__mp_lock(ffffffff839068f0) at __mp_lock+0x1a3 __mp_lock_spin sys/kern/kern_lock.c:113 [inline]
__mp_lock(ffffffff839068f0) at __mp_lock+0x1a3 sys/kern/kern_lock.c:144
softintr_dispatch(0) at softintr_dispatch+0x5b sys/arch/amd64/amd64/softintr.c:88
Xsoftclock() at Xsoftclock+0x27
cnputc(2f) at cnputc+0x61 sys/dev/cons.c:218
db_putchar(2f) at db_putchar+0x65c sys/ddb/db_output.c:155
kprintf() at kprintf+0x2aba sys/kern/subr_prf.c:1065
db_printf(ffffffff833cf760) at db_printf+0x9b
panic(ffffffff8343c78e) at panic+0x103 sys/kern/subr_prf.c:216
__assert(ffffffff833e97ac,ffffffff83381fbf,6cb,ffffffff8333c25b) at __assert+0x29
uvm_fault_unwire_locked(fffffd806bcd5740,400000000000,400000011000) at uvm_fault_unwire_locked+0x4c1
end trace frame: 0xffff80003b0d3d30, count: 0
ddb{0}> trace
x86_ipi_db(ffffffff8383aff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x2c kd_curproc sys/dev/kcov.c:584 [inline]
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x2c sys/dev/kcov.c:153
__mp_lock(ffffffff839068f0) at __mp_lock+0x1a3 __mp_lock_spin sys/kern/kern_lock.c:113 [inline]
__mp_lock(ffffffff839068f0) at __mp_lock+0x1a3 sys/kern/kern_lock.c:144
softintr_dispatch(0) at softintr_dispatch+0x5b sys/arch/amd64/amd64/softintr.c:88
Xsoftclock() at Xsoftclock+0x27
cnputc(2f) at cnputc+0x61 sys/dev/cons.c:218
db_putchar(2f) at db_putchar+0x65c sys/ddb/db_output.c:155
kprintf() at kprintf+0x2aba sys/kern/subr_prf.c:1065
db_printf(ffffffff833cf760) at db_printf+0x9b
panic(ffffffff8343c78e) at panic+0x103 sys/kern/subr_prf.c:216
__assert(ffffffff833e97ac,ffffffff83381fbf,6cb,ffffffff8333c25b) at __assert+0x29
uvm_fault_unwire_locked(fffffd806bcd5740,400000000000,400000011000) at uvm_fault_unwire_locked+0x4c1
uvm_fault_unwire(fffffd806bcd5740,400000000000,400000011000) at uvm_fault_unwire+0x55 sys/uvm/uvm_fault.c:1702
sysctl_vsunlock(400000000240,fe1e) at sysctl_vsunlock+0x7b sys/kern/kern_sysctl.c:215
kern_sysctl(ffff80003b0d3f44,1,400000000240,ffff80003b0d3f78,0,0,6adfcf6e12e4a27f) at kern_sysctl+0xa8d sys/kern/kern_sysctl.c:635
sys_sysctl(ffff80003c502d08,ffff80003b0d40b0,ffff80003b0d4000) at sys_sysctl+0x425
syscall(ffff80003b0d40b0) at syscall+0xbc6 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003b0d40b0) at syscall+0xbc6 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xe8e7eac9130, count: -20
ddb{0}> machine ddbcpu 1
Stopped at savectx+0xae: movl $0,%gs:0x680
savectx() at savectx+0xae
end of kernel
end trace frame: 0x7995c8dcff10, count: 14
ddb{1}> trace
savectx() at savectx+0xae
end of kernel
end trace frame: 0x7995c8dcff10, count: -1