panic: kernel diagnostic assertion "ps->ps_uvncount == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_unveil.c", line 188
WARNING: SPL NOT LOWERED ON SYSCALL 49 0 EXIT 0 a
Stopped at savectx+0xae: movl $0,%gs:0x550
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*107209 73405 0 0 0x4000000 1 syz-executor.6
savectx() at savectx+0xae
end of kernel
end trace frame: 0xd2649e47e90, count: 14
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu0: kernel diagnostic assertion "ps->ps_uvncount == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_unveil.c", line 188
ddb{1}> trace
savectx() at savectx+0xae
end of kernel
end trace frame: 0xd2649e47e90, count: -1
ddb{1}> show registers
rdi 0
rsi 0
rbp 0xffff80002ae81560
rbx 0
rdx 0
rcx 0xffff80002120f070
rax 0x32
r8 0xffff80002ae81490
r9 0x80713 acpi_pdirpa+0x6c576
r10 0xf3219d67fd5e1a8b
r11 0x1bb9be7851f8a16b
r12 0
r13 0
r14 0xffff80002120f070
r15 0
rip 0xffffffff820613fe savectx+0xae
cs 0x8
rflags 0x46
rsp 0xffff80002ae814e0
ss 0
savectx+0xae: movl $0,%gs:0x550
ddb{1}> show proc
PROC (syz-executor.6) pid=107209 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=83, usrpri=83, nice=20
forw=0xffffffffffffffff, list=0xffff8000212146b0,0xffffffff82ce9f08
process=0xffff800026165948 user=0xffff80002ae7c000, vmspace=0xfffffd806d63fcc0
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
73405 128226 74991 0 2 0 syz-executor.6
*73405 107209 74991 0 7 0x4000000 syz-executor.6
15561 232269 49175 0 2 0 syz-executor.5
15561 361225 49175 0 3 0x4000080 fsleep syz-executor.5
15561 359529 49175 0 3 0x4000080 fsleep syz-executor.5
71196 413917 87842 0 2 0 syz-executor.4
71196 144578 87842 0 3 0x4000080 fsleep syz-executor.4
99077 136184 84607 0 2 0 syz-executor.3
99077 32739 84607 0 3 0x4000080 lockf syz-executor.3
99077 254677 84607 0 2 0x4000000 syz-executor.3
85198 365867 95527 0 2 0 syz-executor.1
85198 487541 95527 0 3 0x4000080 fsleep syz-executor.1
86693 508255 84499 0 2 0 syz-executor.0
86693 21283 84499 0 3 0x4000080 fsleep syz-executor.0
86693 81430 84499 0 3 0x4000080 fsleep syz-executor.0
31532 50104 86072 0 2 0 syz-executor.2
31532 191605 86072 0 3 0x4000080 fsleep syz-executor.2
11342 193461 53469 0 3 0x82 nanoslp syz-executor.7
49175 358751 53469 0 3 0x82 nanoslp syz-executor.5
86072 43403 53469 0 3 0x82 nanoslp syz-executor.2
3119 114427 1 0 3 0x100083 ttyin getty
53775 202691 0 0 3 0x14200 acct acct
95527 355609 53469 0 3 0x82 nanoslp syz-executor.1
84607 234266 53469 0 3 0x82 nanoslp syz-executor.3
84499 66215 53469 0 3 0x82 nanoslp syz-executor.0
87842 489841 53469 0 3 0x82 nanoslp syz-executor.4
74991 484696 53469 0 3 0x82 nanoslp syz-executor.6
74334 172511 0 0 3 0x14280 nfsidl nfsio
63163 454752 0 0 3 0x14280 nfsidl nfsio
28837 466372 0 0 3 0x14280 nfsidl nfsio
22660 72001 0 0 3 0x14280 nfsidl nfsio
49924 425144 0 0 3 0x14280 nfsidl nfsio
24671 120965 0 0 3 0x14280 nfsidl nfsio
60648 194807 0 0 3 0x14280 nfsidl nfsio
18148 270523 0 0 3 0x14280 nfsidl nfsio
78840 323896 0 0 3 0x14280 nfsidl nfsio
36474 328148 0 0 3 0x14280 nfsidl nfsio
33513 274068 0 0 3 0x14280 nfsidl nfsio
87575 488912 0 0 3 0x14280 nfsidl nfsio
25020 174150 0 0 3 0x14280 nfsidl nfsio
13066 52487 0 0 3 0x14280 nfsidl nfsio
59295 320917 0 0 3 0x14280 nfsidl nfsio
15393 221652 0 0 3 0x14280 nfsidl nfsio
24284 109288 0 0 3 0x14280 nfsidl nfsio
83275 219618 0 0 3 0x14280 nfsidl nfsio
19578 228845 0 0 3 0x14280 nfsidl nfsio
33954 298834 0 0 3 0x14280 nfsidl nfsio
69159 295706 0 0 3 0x14200 bored sosplice
53469 451994 29981 0 3 0x2000082 wait syz-fuzzer
53469 233761 29981 0 3 0x6000082 thrsleep syz-fuzzer
53469 66665 29981 0 3 0x6000082 wait syz-fuzzer
53469 95046 29981 0 3 0x6000082 thrsleep syz-fuzzer
53469 103540 29981 0 3 0x6000082 kqread syz-fuzzer
53469 432488 29981 0 3 0x6000082 thrsleep syz-fuzzer
53469 372654 29981 0 3 0x6000082 wait syz-fuzzer
53469 435251 29981 0 3 0x6000082 wait syz-fuzzer
53469 20951 29981 0 3 0x6000082 thrsleep syz-fuzzer
53469 170066 29981 0 3 0x6000082 thrsleep syz-fuzzer
53469 471765 29981 0 3 0x6000082 thrsleep syz-fuzzer
53469 383373 29981 0 3 0x6000082 wait syz-fuzzer
53469 266807 29981 0 3 0x6000082 wait syz-fuzzer
53469 445461 29981 0 3 0x6000082 thrsleep syz-fuzzer
53469 221510 29981 0 3 0x6000082 wait syz-fuzzer
53469 389092 29981 0 3 0x6000082 wait syz-fuzzer
29981 348156 75152 0 3 0x10008a sigsusp ksh
75152 421082 33872 0 3 0x9a kqread sshd
33872 507339 1 0 3 0x88 kqread sshd
32612 173552 4406 74 3 0x1100092 bpf pflogd
4406 375124 1 0 3 0x80 netio pflogd
34188 374389 91676 73 3 0x1100090 kqread syslogd
91676 150152 1 0 3 0x100082 netio syslogd
5244 78458 1 0 3 0x100080 kqread resolvd
63603 169422 53844 77 3 0x100092 kqread dhcpleased
72344 490373 53844 77 3 0x100092 kqread dhcpleased
53844 364516 1 0 3 0x80 kqread dhcpleased
60733 30715 0 0 3 0x14200 bored smr
98152 185240 0 0 2 0x14200 zerothread
92780 392867 0 0 3 0x14200 aiodoned aiodoned
41912 270772 0 0 3 0x14200 syncer update
92488 63193 0 0 3 0x14200 cleaner cleaner
20864 65266 0 0 2 0x14200 reaper
56305 474953 0 0 3 0x14200 pgdaemon pagedaemon
70078 3238 0 0 3 0x14200 bored viomb
8792 244512 0 0 3 0x40014200 acpi0 acpi0
11253 300379 0 0 3 0x40014200 idle1
88323 458888 0 0 3 0x14200 bored softnet3
21944 237309 0 0 3 0x14200 bored softnet2
74071 298944 0 0 3 0x14200 bored softnet1
50282 264430 0 0 3 0x14200 bored softnet0
70040 93908 0 0 3 0x14200 bored systqmp
88033 372014 0 0 3 0x14200 bored systq
51295 200768 0 0 3 0x40014200 bored softclock
24506 330181 0 0 3 0x40014200 idle0
1 227545 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
CPU 1:
exclusive mutex &pmap->pm_mtx r = 0 (0xfffffd807eff88c8)
#0 witness_lock+0x447
#1 mtx_enter_try+0x104
#2 mtx_enter+0x4f sys/kern/kern_lock.c:266
#3 pmap_enter+0x1c3 pmap_map_ptes sys/arch/amd64/amd64/pmap.c:423 [inline]
#3 pmap_enter+0x1c3 sys/arch/amd64/amd64/pmap.c:2710
#4 uvm_fault_lower+0x768 sys/uvm/uvm_fault.c:1506
#5 uvm_fault+0x238
#6 upageflttrap+0x86 sys/arch/amd64/amd64/trap.c:188
#7 usertrap+0x226 sys/arch/amd64/amd64/trap.c:436
#8 recall_trap+0x8
Process 73405 (syz-executor.6) thread 0xffff80002120f070 (107209)
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10238 6517K 14939K 78643K 164058 0
pcb 13 18K 23K 78643K 4435 0
rtable 243 7K 7K 78643K 5250 0
pf 35 10K 10K 78643K 1064 0
ifaddr 46 19K 21K 78643K 838 0
ifgroup 60 2K 2K 78643K 1696 0
sysctl 3 1K 4K 78643K 26 0
counters 62 36K 36K 78643K 992 0
ioctlops 0 0K 4K 78643K 2516 0
iov 0 0K 28K 78643K 4125 0
mount 1 1K 1K 78643K 1 0
log 0 0K 0K 78643K 4 0
vnodes 1797 112K 113K 78643K 45241 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 9K 78643K 481 0
VM map 2 1K 1K 78643K 2 0
sem 11 1K 1K 78643K 14 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1697 195K 286K 78643K 12548 0
file desc 17 61K 89K 78643K 51564 0
sigio 0 0K 0K 78643K 2510 0
proc 74 115K 127K 78643K 6374 0
subproc 104 6K 8K 78643K 1644 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
ip_moptions 0 0K 0K 78643K 9082 0
in_multi 99 7K 7K 78643K 1602 0
ether_multi 1 0K 0K 78643K 37 0
mrt 4 0K 0K 78643K 33 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 271 1208K 1208K 78643K 271 0
exec 0 0K 1K 78643K 8522 0
pfkey data 0 0K 0K 78643K 30 0
tdb 3 0K 0K 78643K 3 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 8 62K 64K 78643K 10 0
UVM amap 597 103K 115K 78643K 501019 0
UVM aobj 131 6K 6K 78643K 141 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
ip6_options 0 0K 1K 78643K 1437 0
NDP 13 0K 1K 78643K 704 0
temp 74 5920K 6052K 78643K 318657 0
kqueue 12 18K 26K 78643K 2692 0
SYN cache 2 16K 24K 78643K 3 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 22 0 0 1 0 1 1 0 8 0
rtpcb 120 1810 0 1807 20 19 1 3 0 8 0
rtentry 112 1629 0 1516 4 0 4 4 0 8 0
unpcb 144 23993 0 23976 298 297 1 10 0 8 0
syncache 296 267 0 267 62 61 1 1 0 8 1
tcpqe 32 425 819 425 32 31 1 2 0 8 1
tcpcb 808 11019 0 11009 388 380 8 14 0 8 6
arp 120 236 0 217 1 0 1 1 0 8 0
inpcb 368 36568 0 36552 604 593 11 20 0 8 8
nd6 136 371 0 345 1 0 1 1 0 8 0
pkpcb 40 253 0 253 23 23 0 1 0 8 0
kcovpl 48 118 0 110 1 0 1 1 0 8 0
ppxss 1256 156 0 156 42 42 0 1 0 8 0
pffrag 232 519 0 514 11 10 1 1 0 482 0
pffrnode 88 513 0 508 11 10 1 1 0 8 0
pffrent 40 1977 0 1972 10 9 1 1 0 8 0
pfosfp 40 1428 0 1005 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfstitem 24 1254 0 1241 1 0 1 1 0 8 0
pfstkey 128 1254 0 1241 5 3 2 2 0 8 0
pfstate 376 1254 0 1241 25 23 2 6 0 8 0
pfrule 1344 21 0 16 2 1 1 2 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 5277 0 4804 36 6 30 31 0 8 0
art_table 32 5278 0 4804 4 0 4 4 0 8 0
art_node 16 1305 0 1202 1 0 1 1 0 8 0
sysvmsgpl 40 42 0 29 2 1 1 1 0 8 0
semupl 112 3 0 3 1 1 0 1 0 8 0
semapl 112 9 0 0 1 0 1 1 0 8 0
shmpl 112 138 0 10 4 0 4 4 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 69755 0 67966 113 0 113 113 0 8 0
ffsino 272 69755 0 67966 121 1 120 120 0 8 0
nchpl 144 137403 0 136887 63 40 23 63 0 8 0
uvmvnodes 80 12655 0 0 259 0 259 259 0 8 0
vnodes 216 12655 0 0 704 0 704 704 0 8 0
namei 1024 480239 0 480239 21 20 1 3 0 8 1
percpumem 16 509 0 465 1 0 1 1 0 8 0
kstatmem 264 956 0 930 3 1 2 3 0 8 0
scxspl 216 401640 0 401640 84 83 1 8 1 8 1
plimitpl 152 5463 0 5447 1 0 1 1 0 8 0
sigapl 424 51751 0 51681 11 3 8 8 0 8 0
futexpl 64 459302 0 459295 9 8 1 1 0 8 0
knotepl 120 2212 0 0 11 1 10 11 0 8 0
kqueuepl 216 7389 0 7381 124 123 1 8 0 8 0
pipepl 320 16758 0 16730 347 342 5 13 0 8 2
fdescpl 496 51661 0 51631 7 3 4 5 0 8 0
filepl 152 322644 0 322400 494 478 16 23 0 8 5
lockfpl 104 62407 0 62367 111 109 2 4 0 8 0
lockfspl 48 26950 0 26913 15 14 1 2 0 8 0
sessionpl 144 152 0 135 1 0 1 1 0 8 0
pgrppl 48 2324 0 2307 1 0 1 1 0 8 0
ucredpl 104 41029 0 41010 2 1 1 2 0 8 0
zombiepl 144 55858 0 55857 5 4 1 1 0 8 0
processpl 1072 51751 0 51681 6 1 5 5 0 8 0
procpl 696 141670 0 141574 64 54 10 11 0 8 0
srpgc 96 6 0 6 3 3 0 1 0 8 0
sosppl 168 492 0 492 29 29 0 1 0 8 0
sockpl 488 62775 0 62740 1334 1320 14 37 0 8 8
mcl64k 65536 51 0 0 3 0 3 3 0 8 1
mcl16k 16384 25 0 0 4 1 3 3 0 8 0
mcl12k 12288 33 0 0 2 0 2 2 0 8 0
mcl9k 9216 21 0 0 2 0 2 2 0 8 0
mcl8k 8192 35 0 0 4 1 3 3 0 8 0
mcl4k 4096 57 0 0 5 2 3 3 0 8 0
mcl2k2 2112 13 0 0 1 0 1 1 0 8 0
mcl2k 2048 974 0 0 51 30 21 38 0 8 0
mtagpl 96 1679 0 0 30 19 11 30 0 8 0
mbufpl 256 3089 0 0 149 0 149 149 0 8 0
bufpl 288 88902 0 76246 906 1 905 905 0 8 0
anonpl 24 4751708 0 4737421 254 138 116 134 0 186 0
amapchunkpl 152 1552440 0 1551448 178 137 41 48 0 158 2
amappl16 200 93120 0 92575 509 479 30 54 0 8 0
amappl15 192 13 0 13 3 3 0 1 0 8 0
amappl14 184 617 0 596 7 5 2 2 0 8 0
amappl13 176 53 0 52 1 0 1 1 0 8 0
amappl12 168 54065 0 54027 4 2 2 3 0 8 0
amappl11 160 60 0 46 1 0 1 1 0 8 0
amappl10 152 174 0 159 2 1 1 1 0 8 0
amappl9 144 511 0 509 1 0 1 1 0 8 0
amappl8 136 2669 0 2308 13 0 13 13 0 8 0
amappl7 128 380 0 366 2 0 2 2 0 8 0
amappl6 120 1541 0 1505 11 9 2 2 0 8 0
amappl5 112 3468 0 3444 1 0 1 1 0 8 0
amappl4 104 2331 0 2270 3 1 2 3 0 8 0
amappl3 96 294490 0 294417 7 4 3 4 0 8 0
amappl2 88 68349 0 68251 5 2 3 3 0 8 0
amappl1 80 198086 0 197517 23 10 13 23 0 8 0
amappl 88 498240 0 497947 10 2 8 8 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 140 0 10 3 0 3 3 0 8 0
uaddrrnd 24 51661 0 51630 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 51661 0 51630 1 0 1 1 0 8 0
vmmpekpl 168 412435 0 412364 4 0 4 4 0 8 0
vmmpepl 168 3055495 0 3052503 803 647 156 173 0 357 0
vmsppl 464 51660 0 51630 5 1 4 5 0 8 0
rwobjpl 56 716609 0 701816 276 67 209 210 0 8 0
pdppl 4096 103330 0 103260 1432 1362 70 82 0 8 0
pvpl 32 13992978 0 13971904 794 590 204 369 0 265 0
pmappl 248 51660 0 51630 3 1 2 3 0 8 0
extentpl 40 56 0 38 1 0 1 1 0 8 0
phpool 112 3886 0 2441 42 0 42 42 0 8 0
ddb{1}> machine ddbcpu 0
Stopped at x86_ipi_db+0x1e: addq $0x8,%rsp
x86_ipi_db(ffffffff82bd4ff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff82cf3cd0) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82cf3cd0) at __mp_lock+0x122 sys/kern/kern_lock.c:147
softintr_dispatch(0) at softintr_dispatch+0x52 sys/arch/amd64/amd64/softintr.c:88
Xsoftclock() at Xsoftclock+0x27
cnputc(6e) at cnputc+0x4f sys/dev/cons.c:218
db_putchar(6e) at db_putchar+0x3fc sys/ddb/db_output.c:155
kprintf() at kprintf+0x20fc sys/kern/subr_prf.c:1064
db_printf(ffffffff8281f698) at db_printf+0x89 sys/kern/subr_prf.c:498
panic(ffffffff8279c7bf) at panic+0xdb sys/kern/subr_prf.c:216
__assert(ffffffff8281f037,ffffffff8282537a,bc,ffffffff827bb2af) at __assert+0x29 sys/kern/subr_prf.c:157
unveil_destroy(ffff8000212710d8) at unveil_destroy+0x1a4 sys/kern/kern_unveil.c:188
exit1(ffff800022d0b090,0,0,1) at exit1+0x3d5 sys/kern/kern_exit.c:220
end trace frame: 0xffff800029021770, count: 0
ddb{0}> trace
x86_ipi_db(ffffffff82bd4ff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff82cf3cd0) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82cf3cd0) at __mp_lock+0x122 sys/kern/kern_lock.c:147
softintr_dispatch(0) at softintr_dispatch+0x52 sys/arch/amd64/amd64/softintr.c:88
Xsoftclock() at Xsoftclock+0x27
cnputc(6e) at cnputc+0x4f sys/dev/cons.c:218
db_putchar(6e) at db_putchar+0x3fc sys/ddb/db_output.c:155
kprintf() at kprintf+0x20fc sys/kern/subr_prf.c:1064
db_printf(ffffffff8281f698) at db_printf+0x89 sys/kern/subr_prf.c:498
panic(ffffffff8279c7bf) at panic+0xdb sys/kern/subr_prf.c:216
__assert(ffffffff8281f037,ffffffff8282537a,bc,ffffffff827bb2af) at __assert+0x29 sys/kern/subr_prf.c:157
unveil_destroy(ffff8000212710d8) at unveil_destroy+0x1a4 sys/kern/kern_unveil.c:188
exit1(ffff800022d0b090,0,0,1) at exit1+0x3d5 sys/kern/kern_exit.c:220
sys_exit(ffff800022d0b090,ffff800029021780,ffff8000290217d0) at sys_exit+0x1a sys/kern/kern_exit.c:89
syscall(ffff800029021850) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff800029021850) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x70b05941f7d0, count: -17
ddb{0}> machine ddbcpu 1
Stopped at savectx+0xae: movl $0,%gs:0x550
savectx() at savectx+0xae
end of kernel
end trace frame: 0xd2649e47e90, count: 14
ddb{1}> trace
savectx() at savectx+0xae
end of kernel
end trace frame: 0xd2649e47e90, count: -1