login: panic: kernel diagnostic assertion "(pg->pgW_ARfNlaINgGs: &S P(L NPQ_OT LOWERED ON SYSCALL 91 -703008456 EXIT 0 a Stopped at savectx+0xae: movl $0,%gs:0x688 TID PID UID PRFLAGS PFLAGS CPU COMMAND 43370 7889 32767 0x10 0x4000000 0 syz-executor * 15280 7931 32767 0x10 0 1 syz-executor savectx() at savectx+0xae end of kernel end trace frame: 0x797dd618f120, count: 14 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic *cpu0: kernel diagnostic assertion "(pg->pg_flags & (PQ_INACTIVE|PQ_ACTIVE)) == 0" failed: file "/syzkaller/managers/setuid/kernel/sys/uvm/uvm_page.c", line 1309 ddb{1}> trace savectx() at savectx+0xae end of kernel end trace frame: 0x797dd618f120, count: -1 ddb{1}> show registers rdi 0 rsi 0 rbp 0xffff800035fddf10 rbx 0 rdx 0 rcx 0xffff8000fffee548 rax 0x3b r8 0xffff800035fdde40 r9 0x1 r10 0xe5f88f609d58c19e r11 0xea7c0d5b90bd70b3 r12 0 r13 0 r14 0xffff8000fffee548 r15 0 rip 0xffffffff812673ee savectx+0xae cs 0x8 rflags 0x46 rsp 0xffff800035fdde90 ss 0x10 savectx+0xae: movl $0,%gs:0x688 ddb{1}> show proc PROC (syz-executor) tid=15280 pid=7931 tcnt=1 stat=onproc flags process=10 proc=0 runpri=32, usrpri=50, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff8000fffee018,0xffff8000393f94f0 process=0xffff800032bbc4e8 user=0xffff800035fd8000, vmspace=0xfffffd806ce01208 estcpu=36, cpticks=8, pctcpu=0.1, user=0, sys=8, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 7889 169348 49570 32767 2 0x10 syz-executor 7889 43370 49570 32767 7 0x4000010 syz-executor 27646 280616 7931 32767 3 0x90 nanoslp syz-executor 27646 162315 7931 32767 3 0x4000090 msgwait syz-executor 31833 324315 85434 32767 2 0xc90 syz-executor 31833 247231 85434 32767 3 0x4000090 kqsel syz-executor 31833 233349 85434 32767 3 0x4000090 fsleep syz-executor 19255 63148 4768 0 3 0x82 sbwait sshd-session 79073 134555 94370 32767 2 0xc90 syz-executor 79073 336384 94370 32767 3 0x4000090 netacc syz-executor 79073 345 94370 32767 3 0x4000090 fsleep syz-executor 94370 257125 95516 32767 3 0x90 nanoslp syz-executor 49570 81151 54002 32767 2 0xc90 syz-executor 69392 189152 1217 32767 2 0xc90 syz-executor * 7931 15280 87267 32767 7 0x10 syz-executor 67288 227042 13587 32767 3 0x90 wait syz-executor 85434 392866 49921 32767 3 0x90 nanoslp syz-executor 33202 482365 70604 32767 3 0x90 nanoslp syz-executor 7571 368004 45371 32767 3 0x90 nanoslp syz-executor 45371 254766 6921 0 3 0x82 wait syz-executor 13587 458303 6921 0 3 0x82 wait syz-executor 49921 420204 6921 0 3 0x82 wait syz-executor 1217 29 6921 0 3 0x82 wait syz-executor 70604 478449 6921 0 3 0x82 wait syz-executor 54002 360890 6921 0 3 0x82 wait syz-executor 87267 42585 6921 0 3 0x82 wait syz-executor 95516 432222 6921 0 3 0x82 wait syz-executor 6921 297975 65863 0 3 0x82 kqread syz-executor 65863 33617 99506 0 3 0x10008a sigsusp ksh 99506 357696 81177 0 3 0x98 kqread sshd-session 81177 194842 4768 0 3 0x92 kqread sshd-session 49904 399897 1 0 3 0x100083 ttyin getty 4768 157017 1 0 3 0x88 kqread sshd 73013 304449 51116 73 3 0x1100090 kqread syslogd 51116 44095 1 0 3 0x100082 sbwait syslogd 16052 232093 1 0 3 0x100080 kqread resolvd 9966 2495 58002 77 3 0x100092 kqread dhcpleased 28363 461317 58002 77 3 0x100092 kqread dhcpleased 58002 5446 1 0 3 0x80 kqread dhcpleased 38218 201003 0 0 3 0x14200 bored smr 96823 120421 0 0 2 0x14200 zerothread 33795 304207 0 0 3 0x14200 aiodoned aiodoned 2189 258765 0 0 3 0x14200 syncer update 59683 55851 0 0 3 0x14200 cleaner cleaner 11934 364047 0 0 2 0x14200 reaper 23164 328139 0 0 3 0x14200 pgdaemon pagedaemon 41572 339796 0 0 3 0x14200 bored viomb 55958 103651 0 0 3 0x40014200 acpi0 acpi0 42793 358867 0 0 3 0x40014200 idle1 79863 424426 0 0 3 0x14200 bored softnet1 46556 504340 0 0 3 0x14200 bored softnet0 38686 412487 0 0 3 0x14200 bored systqmp 90749 410451 0 0 3 0x14200 bored systq 17502 2575 0 0 3 0x14200 tmoslp softclockmp 42963 211780 0 0 3 0x40014200 tmoslp softclock 51076 505826 0 0 3 0x40014200 idle0 1 391470 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks CPU 1: exclusive mutex &uvm.fpageqlock r = 0 (0xffffffff838d7ec8) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 mtx_enter_try+0x1ad sys/kern/kern_lock.c:311 #2 mtx_enter+0x62 sys/kern/kern_lock.c:261 #3 uvm_pmr_freepages+0x1a8 sys/uvm/uvm_pmemrange.c:-1 #4 uvm_anfree_list+0x1e5 sys/uvm/uvm_anon.c:129 #5 amap_wipeout+0x248 sys/uvm/uvm_amap.c:-1 #6 uvm_unmap_detach+0x8a sys/uvm/uvm_map.c:1353 #7 uvm_map_teardown+0x360 sys/uvm/uvm_map.c:2525 #8 exit1+0x6fc sys/kern/kern_exit.c:260 #9 sys_exit+0x1a sys/kern/kern_exit.c:-1 #10 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] #10 syscall+0xb17 sys/arch/amd64/amd64/trap.c:775 #11 Xsyscall+0x128 Process 7889 (syz-executor) thread 0xffff80003a8134e8 (43370) shared rwlock amaplk r = 0 (0xfffffd8079790700) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 rw_do_enter_read+0x3e8 sys/kern/kern_rwlock.c:413 #2 uvm_fault_check+0x8a9 sys/uvm/uvm_fault.c:834 #3 uvm_fault+0x106 sys/uvm/uvm_fault.c:627 #4 kpageflttrap+0x2f4 sys/arch/amd64/amd64/trap.c:283 #5 kerntrap+0x19c sys/arch/amd64/amd64/trap.c:520 #6 alltraps_kern_meltdown+0x7b #7 _copyin+0x5b #8 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] #8 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:775 #9 Xsyscall+0x128 shared rwlock vmmaplk r = 0 (0xfffffd806cc83e80) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 rw_do_enter_read+0x3e8 sys/kern/kern_rwlock.c:413 #2 uvmfault_lookup+0x122 sys/uvm/uvm_fault.c:1880 #3 uvm_fault_check+0x4f sys/uvm/uvm_fault.c:693 #4 uvm_fault+0x106 sys/uvm/uvm_fault.c:627 #5 kpageflttrap+0x2f4 sys/arch/amd64/amd64/trap.c:283 #6 kerntrap+0x19c sys/arch/amd64/amd64/trap.c:520 #7 alltraps_kern_meltdown+0x7b #8 _copyin+0x5b #9 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] #9 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:775 #10 Xsyscall+0x128 ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10216 10961K 10973K 166960K 11309 0 pcb 17 12K 12K 166960K 17 0 rtable 243 6K 7K 166960K 363 0 pf 31 16K 16K 166960K 31 0 ifaddr 42 7K 7K 166960K 44 0 ifgroup 50 2K 2K 166960K 50 0 sysctl 1 1K 9K 166960K 6 0 counters 70 37K 37K 166960K 70 0 ioctlops 0 0K 2K 166960K 67 0 iov 0 0K 16K 166960K 14 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1336 84K 84K 166960K 1462 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 5K 166960K 8 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 1K 166960K 23 0 dirhash 12 2K 2K 166960K 18 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 25 93K 125K 166960K 335 0 sigio 0 0K 0K 166960K 7 0 proc 58 99K 147K 166960K 497 0 subproc 72 4K 4K 166960K 72 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 35 0 in_multi 99 7K 7K 166960K 104 0 ether_multi 1 0K 0K 166960K 1 0 mrt 1 0K 0K 166960K 1 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 229 1023K 1023K 166960K 229 0 exec 0 0K 1K 166960K 365 0 fusefs mount 1 32K 32K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 269 169K 174K 166960K 4932 0 UVM aobj 13 6K 6K 166960K 13 0 pinsyscall 48 96K 116K 166960K 1381 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 2 0K 0K 166960K 16 0 NDP 11 0K 2K 166960K 27 0 temp 45 8672K 8737K 166960K 4561 0 kqueue 14 22K 25K 166960K 60 0 SYN cache 2 16K 16K 166960K 2 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 120 55 0 52 1 0 1 1 0 8 0 rtentry 176 114 0 1 6 0 6 6 0 8 0 unpcb 144 232 0 212 4 0 4 4 0 8 2 syncache 336 6 0 6 1 0 1 1 0 8 1 tcpcb 736 197 0 189 7 0 7 7 0 8 6 arp 136 18 0 0 1 0 1 1 0 8 0 ipq 40 2 0 1 1 0 1 1 0 8 0 ipqe 40 5 0 3 1 0 1 1 0 8 0 inpcb 328 507 0 494 7 0 7 7 0 8 5 ip6q 72 1 0 0 1 0 1 1 0 8 0 ip6af 40 1 0 0 1 0 1 1 0 8 0 nd6 152 27 0 0 2 0 2 2 0 8 0 kcovpl 48 8 0 0 1 0 1 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 486 0 0 31 0 31 31 0 8 0 art_table 40 487 0 0 5 0 5 5 0 8 0 art_node 32 114 0 11 1 0 1 1 0 8 0 sysvmsgpl 40 8 0 2 1 0 1 1 0 8 0 semapl 112 18 0 8 1 0 1 1 0 8 0 shmpl 112 10 0 0 1 0 1 1 0 8 0 dirhash 1024 21 0 4 3 0 3 3 0 8 0 dino2pl 256 1923 0 413 95 0 95 95 0 8 0 ffsino 296 1923 0 413 117 0 117 117 0 8 0 nchpl 144 2441 0 750 63 0 63 63 0 8 0 vnodes 216 2004 0 0 112 0 112 112 0 8 0 namei 1024 7764 0 7764 1 0 1 1 0 8 1 percpumem 16 50 0 0 1 0 1 1 0 8 0 kstatmem 264 24 0 0 2 0 2 2 0 8 0 scxspl 216 7631 0 7631 3 1 2 2 1 8 2 plimitpl 152 68 0 41 2 0 2 2 0 8 0 sigapl 424 617 0 562 7 0 7 7 0 8 0 knotepl 120 309 0 0 10 0 10 10 0 8 0 kqueuepl 224 63 0 52 1 0 1 1 0 8 0 pipepl 344 127 0 100 3 0 3 3 0 8 0 fdescpl 528 601 0 563 4 0 4 4 0 8 1 filepl 160 3272 0 3037 14 0 14 14 0 8 3 lockfpl 104 46 0 43 1 0 1 1 0 8 0 lockfspl 48 21 0 18 1 0 1 1 0 8 0 sessionpl 144 22 0 5 1 0 1 1 0 8 0 pgrppl 48 36 0 11 1 0 1 1 0 8 0 ucredpl 104 738 0 719 1 0 1 1 0 8 0 zombiepl 144 566 0 562 1 0 1 1 0 8 0 processpl 1232 617 0 562 5 0 5 5 0 8 0 procpl 664 982 0 921 7 0 7 7 0 8 0 sosppl 176 1 0 1 1 0 1 1 0 8 1 sockpl 752 800 0 763 12 0 12 12 0 8 7 mcl64k 65536 4 0 0 1 0 1 1 0 8 0 mcl16k 16384 3 0 0 1 0 1 1 0 8 0 mcl8k 8192 1 0 0 1 0 1 1 0 8 0 mcl4k 4096 117 0 0 15 0 15 15 0 8 0 mcl2k 2048 24 0 0 3 0 3 3 0 8 0 mtagpl 96 3 0 0 1 0 1 1 0 8 0 mbufpl 256 267 0 0 17 0 17 17 0 8 0 bufpl 280 2729 0 118 187 0 187 187 0 8 0 anonpl 32 10274 0 0 83 0 83 83 0 246 0 amapchunkpl 152 15615 0 14922 34 0 34 34 0 158 5 amappl16 200 2632 0 2607 14 3 11 14 0 8 8 amappl15 192 9 0 9 1 1 0 1 0 8 0 amappl14 184 6 0 6 1 1 0 1 0 8 0 amappl13 176 399 0 398 1 0 1 1 0 8 0 amappl12 168 935 0 887 3 0 3 3 0 8 0 amappl11 160 5 0 4 1 0 1 1 0 8 0 amappl10 152 76 0 66 1 0 1 1 0 8 0 amappl9 144 250 0 250 1 1 0 1 0 8 0 amappl8 136 21 0 20 1 0 1 1 0 8 0 amappl7 128 77 0 76 1 0 1 1 0 8 0 amappl6 120 279 0 267 1 0 1 1 0 8 0 amappl5 112 83 0 74 1 0 1 1 0 8 0 amappl4 104 368 0 343 1 0 1 1 0 8 0 amappl3 96 2607 0 2479 4 0 4 4 0 8 0 amappl2 88 491 0 432 2 0 2 2 0 8 0 amappl1 80 9643 0 8988 15 1 14 15 0 8 0 amappl 88 4214 0 4022 5 0 5 5 0 92 0 uvmvnodes 80 109 0 0 3 0 3 3 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 12 0 0 1 0 1 1 0 8 0 uaddrrnd 24 601 0 563 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 601 0 563 1 0 1 1 0 8 0 vmmpekpl 168 6607 0 6576 2 0 2 2 0 8 0 vmmpepl 168 45999 0 43798 103 0 103 103 0 357 4 vmsppl 488 600 0 562 7 1 6 6 0 8 1 rwobjpl 80 15952 0 14888 25 0 25 25 0 8 2 pdppl 4096 1210 0 1124 108 22 86 98 0 8 0 pvpl 32 19737 0 0 160 0 160 160 0 265 0 pmappl 256 600 0 562 4 1 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 292 0 25 8 0 8 8 0 8 0 ddb{1}> machine ddbcpu 0 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffffffff83895ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff838ce178) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:134 [inline] __mp_lock(ffffffff838ce178) at __mp_lock+0x192 sys/kern/kern_lock.c:165 softintr_dispatch(0) at softintr_dispatch+0x125 sys/kern/kern_softintr.c:83 dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862 Xsoftclock() at Xsoftclock+0x27 cnputc(5f) at cnputc+0x67 sys/dev/cons.c:218 db_putchar(5f) at db_putchar+0x36d sys/ddb/db_output.c:155 kprintf() at kprintf+0x29a5 sys/kern/subr_prf.c:-1 db_printf(ffffffff83386902) at db_printf+0x9b sys/kern/subr_prf.c:-1 panic(ffffffff833aedf0) at panic+0x103 sys/kern/subr_prf.c:217 __assert(ffffffff833ee9a7,ffffffff83341a38,51d,ffffffff8341e41d) at __assert+0x29 sys/kern/subr_prf.c:-1 uvm_pageactivate(fffffd8008689bb0) at uvm_pageactivate+0x1e3 sys/uvm/uvm_page.c:1306 end trace frame: 0xffff80003a804ac0, count: 0 ddb{0}> trace x86_ipi_db(ffffffff83895ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff838ce178) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:134 [inline] __mp_lock(ffffffff838ce178) at __mp_lock+0x192 sys/kern/kern_lock.c:165 softintr_dispatch(0) at softintr_dispatch+0x125 sys/kern/kern_softintr.c:83 dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862 Xsoftclock() at Xsoftclock+0x27 cnputc(5f) at cnputc+0x67 sys/dev/cons.c:218 db_putchar(5f) at db_putchar+0x36d sys/ddb/db_output.c:155 kprintf() at kprintf+0x29a5 sys/kern/subr_prf.c:-1 db_printf(ffffffff83386902) at db_printf+0x9b sys/kern/subr_prf.c:-1 panic(ffffffff833aedf0) at panic+0x103 sys/kern/subr_prf.c:217 __assert(ffffffff833ee9a7,ffffffff83341a38,51d,ffffffff8341e41d) at __assert+0x29 sys/kern/subr_prf.c:-1 uvm_pageactivate(fffffd8008689bb0) at uvm_pageactivate+0x1e3 sys/uvm/uvm_page.c:1306 uvm_fault_upper_lookup(ffff80003a804bd0,ffff80003a804c08,ffff80003a804ad0,ffff80003a804b50) at uvm_fault_upper_lookup+0x24d sys/uvm/uvm_fault.c:977 uvm_fault(fffffd806cc83d80,200000000000,0,1) at uvm_fault+0x159 sys/uvm/uvm_fault.c:632 kpageflttrap(ffff80003a804d80,200000000080) at kpageflttrap+0x2f4 sys/arch/amd64/amd64/trap.c:283 kerntrap(ffff80003a804d80) at kerntrap+0x19c sys/arch/amd64/amd64/trap.c:520 alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b _copyin() at _copyin+0x5b syscall(ffff80003a805030) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003a805030) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:775 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xe8d4c53ede0, count: -22 ddb{0}> machine ddbcpu 1 Stopped at savectx+0xae: movl $0,%gs:0x688 savectx() at savectx+0xae end of kernel end trace frame: 0x797dd618f120, count: 14 ddb{1}> trace savectx() at savectx+0xae end of kernel end trace frame: 0x797dd618f120, count: -1