login: panic: kWeArRNneINlG :d iSaPgLn oNOsTti cLO aWEsRsEeDr tiONo nS Y"(SpCAg-LL> pg91_ fl19ag91s 06& 08(P08Q_ IENXAICTT I0 a Stopped at savectx+0xae: movl $0,%gs:0x688 TID PID UID PRFLAGS PFLAGS CPU COMMAND 185460 94903 32767 0x10 0 0 syz-executor *314647 35087 32767 0x10 0 1 syz-executor savectx() at savectx+0xae end of kernel end trace frame: 0x7b9476ad2d30, count: 14 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic *cpu0: kernel diagnostic assertion "(pg->pg_flags & (PQ_INACTIVE|PQ_ACTIVE)) == 0" failed: file "/syzkaller/managers/setuid/kernel/sys/uvm/uvm_page.c", line 1309 ddb{1}> trace savectx() at savectx+0xae end of kernel end trace frame: 0x7b9476ad2d30, count: -1 ddb{1}> show registers rdi 0 rsi 0 rbp 0xffff80003a804d70 rbx 0 rdx 0 rcx 0xffff8000fffe6d18 rax 0x3b r8 0xffff80003a804ca0 r9 0x1 r10 0xe29038fb73b42ce2 r11 0x378b6fdc78d67a06 r12 0 r13 0 r14 0xffff8000fffe6d18 r15 0 rip 0xffffffff8234e3ee savectx+0xae cs 0x8 rflags 0x46 rsp 0xffff80003a804cf0 ss 0x10 savectx+0xae: movl $0,%gs:0x688 ddb{1}> show proc PROC (syz-executor) tid=314647 pid=35087 tcnt=1 stat=onproc flags process=10 proc=0 runpri=32, usrpri=50, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff8000fffef4d8,0xffff8000fffe7788 process=0xffff8000fffeb038 user=0xffff80003a7ff000, vmspace=0xfffffd806cca3020 estcpu=36, cpticks=15, pctcpu=0.10, user=1, sys=14, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 94903 185460 35087 32767 7 0x10 syz-executor 94903 516242 35087 32767 3 0x4000090 fsleep syz-executor 35391 196814 56717 32767 2 0x10 syz-executor 35391 195282 56717 32767 2 0x4000010 syz-executor 52845 191813 57551 32767 3 0x90 nanoslp syz-executor 52845 228219 57551 32767 3 0x4000090 kqread syz-executor 52845 189341 57551 32767 3 0x4000090 kqread syz-executor 52845 68804 57551 32767 3 0x4000090 fsleep syz-executor 52845 408746 57551 32767 3 0x4000090 fsleep syz-executor 52845 116405 57551 32767 3 0x4000090 fsleep syz-executor 52845 114105 57551 32767 3 0x4000090 fsleep syz-executor *35087 314647 95885 32767 7 0x10 syz-executor 57551 50860 70246 32767 3 0x90 nanoslp syz-executor 56717 256362 51728 32767 2 0xc90 syz-executor 99082 494063 25096 32767 3 0x90 piperd syz-executor 4914 151287 20779 32767 3 0x90 piperd syz-executor 52624 507726 32762 32767 3 0x90 piperd syz-executor 25096 295013 11245 0 3 0x82 wait syz-executor 51728 336061 11245 0 3 0x82 wait syz-executor 70246 403033 11245 0 3 0x82 wait syz-executor 20779 266813 11245 0 3 0x82 wait syz-executor 32762 215853 11245 0 3 0x82 wait syz-executor 95885 347162 11245 0 3 0x82 wait syz-executor 11245 460497 89313 0 3 0x82 nanoslp syz-executor 89313 286000 64687 0 3 0x10008a sigsusp ksh 64687 489662 2142 0 3 0x98 kqread sshd-session 2142 237746 29872 0 3 0x92 kqread sshd-session 50166 447776 1 0 3 0x100083 ttyin getty 29872 478101 1 0 3 0x88 kqread sshd 33351 317036 15955 73 3 0x1100090 kqread syslogd 15955 29024 1 0 3 0x100082 sbwait syslogd 33995 427340 1 0 3 0x100080 kqread resolvd 61989 9803 25919 77 3 0x100092 kqread dhcpleased 10031 381560 25919 77 3 0x100092 kqread dhcpleased 25919 499020 1 0 3 0x80 kqread dhcpleased 89270 42574 0 0 3 0x14200 bored smr 78267 442176 0 0 2 0x14200 zerothread 35023 112924 0 0 3 0x14200 aiodoned aiodoned 21328 321806 0 0 3 0x14200 syncer update 25283 234294 0 0 3 0x14200 cleaner cleaner 34164 35779 0 0 2 0x14200 reaper 49522 233466 0 0 3 0x14200 pgdaemon pagedaemon 64720 137727 0 0 3 0x14200 bored viomb 32981 267030 0 0 3 0x40014200 acpi0 acpi0 27098 222514 0 0 3 0x40014200 idle1 59073 22141 0 0 3 0x14200 bored softnet1 72734 13672 0 0 3 0x14200 bored softnet0 28494 457409 0 0 3 0x14200 smrbar systqmp 81555 475762 0 0 3 0x14200 bored systq 48580 30424 0 0 3 0x14200 tmoslp softclockmp 68889 113606 0 0 3 0x40014200 tmoslp softclock 14034 105748 0 0 3 0x40014200 idle0 1 156439 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks CPU 1: exclusive mutex &pmap->pm_mtx r = 0 (0xfffffd806cca2c10) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 mtx_enter+0x4b4 sys/kern/kern_lock.c:487 #2 pmap_do_remove+0xa9 rcr3 sys/arch/amd64/compile/SYZKALLER/obj/machine/cpufunc.h:139 [inline] #2 pmap_do_remove+0xa9 pmap_map_ptes sys/arch/amd64/amd64/pmap.c:437 [inline] #2 pmap_do_remove+0xa9 sys/arch/amd64/amd64/pmap.c:1824 #3 uvm_unmap_kill_entry_withlock+0x269 sys/uvm/uvm_map.c:1863 #4 uvm_map_teardown+0x117 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:-1 [inline] #4 uvm_map_teardown+0x117 sys/uvm/uvm_map.c:2486 #5 exit1+0x6fc sys/kern/kern_exit.c:260 #6 sys_exit+0x1a sys/kern/kern_exit.c:-1 #7 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] #7 syscall+0xb17 sys/arch/amd64/amd64/trap.c:775 #8 Xsyscall+0x128 Process 94903 (syz-executor) thread 0xffff8000fffe6a80 (185460) exclusive rwlock uobjlk r = 0 (0xfffffd806cba3ec8) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320 #2 uvm_fault_lower_lookup+0x53 sys/uvm/uvm_fault.c:1204 #3 uvm_fault_lower+0x89 sys/uvm/uvm_fault.c:1334 #4 uvm_fault+0x274 sys/uvm/uvm_fault.c:-1 #5 upageflttrap+0xa9 sys/arch/amd64/amd64/trap.c:192 #6 usertrap+0x42f sys/arch/amd64/amd64/trap.c:632 #7 recall_trap+0x8 shared rwlock vmmaplk r = 0 (0xfffffd806cc0d4f8) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 rw_do_enter_read+0x3e8 sys/kern/kern_rwlock.c:413 #2 uvmfault_lookup+0x122 sys/uvm/uvm_fault.c:1880 #3 uvm_fault_check+0x4f sys/uvm/uvm_fault.c:693 #4 uvm_fault+0x106 sys/uvm/uvm_fault.c:627 #5 upageflttrap+0xa9 sys/arch/amd64/amd64/trap.c:192 #6 usertrap+0x42f sys/arch/amd64/amd64/trap.c:632 #7 recall_trap+0x8 Process 28494 (systqmp) thread 0xffff8000ffffea60 (457409) shared rwlock systqmp r = 0 (0xffffffff83866388) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 taskq_thread+0x12a sys/kern/kern_task.c:442 #2 proc_trampoline+0x10 ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10186 10953K 10973K 166960K 11283 0 pcb 17 12K 12K 166960K 17 0 rtable 195 5K 7K 166960K 369 0 pf 27 16K 16K 166960K 31 0 ifaddr 34 6K 7K 166960K 44 0 ifgroup 42 1K 2K 166960K 50 0 sysctl 3 1K 9K 166960K 8 0 counters 66 36K 37K 166960K 70 0 ioctlops 0 0K 2K 166960K 30 0 iov 0 0K 12K 166960K 13 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1335 84K 84K 166960K 1576 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 5K 166960K 3 0 VM map 2 1K 1K 166960K 2 0 sem 5 0K 0K 166960K 5 0 dirhash 12 2K 2K 166960K 18 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 17 61K 125K 166960K 348 0 sigio 1 0K 0K 166960K 4 0 proc 58 99K 163K 166960K 499 0 subproc 54 3K 4K 166960K 252 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 20 0 in_multi 77 5K 7K 166960K 99 0 ether_multi 1 0K 0K 166960K 1 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 85 387K 387K 166960K 85 0 exec 0 0K 1K 166960K 405 0 fusefs mount 1 32K 32K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 216 161K 186K 166960K 4430 0 UVM aobj 6 2K 2K 166960K 6 0 pinsyscall 38 76K 112K 166960K 1436 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 5 0 NDP 9 0K 2K 166960K 27 0 temp 41 8672K 8736K 166960K 4792 0 kqueue 15 24K 27K 166960K 51 0 SYN cache 2 16K 16K 166960K 2 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 120 47 0 44 1 0 1 1 0 8 0 rtentry 176 115 0 26 6 0 6 6 0 8 1 unpcb 144 109 0 90 2 0 2 2 0 8 0 syncache 336 6 0 6 1 0 1 1 0 8 1 tcpqe 32 2 0 2 1 0 1 1 0 8 1 tcpcb 736 49 0 43 2 0 2 2 0 8 1 arp 136 18 0 4 1 0 1 1 0 8 0 inpcb 328 255 0 244 9 0 9 9 0 8 7 nd6 152 28 0 9 1 0 1 1 0 8 0 kcovpl 48 28 0 22 1 0 1 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 459 0 90 29 0 29 29 0 8 2 art_table 40 460 0 90 5 0 5 5 0 8 0 art_node 32 115 0 32 1 0 1 1 0 8 0 sysvmsgpl 40 4 0 2 1 0 1 1 0 8 0 semapl 112 3 0 0 1 0 1 1 0 8 0 shmpl 112 3 0 0 1 0 1 1 0 8 0 dirhash 1024 21 0 4 3 0 3 3 0 8 0 dino2pl 256 1797 0 263 96 0 96 96 0 8 0 ffsino 296 1797 0 263 118 0 118 118 0 8 0 nchpl 144 2179 0 468 64 0 64 64 0 8 0 vnodes 216 2058 0 0 115 0 115 115 0 8 0 namei 1024 7092 0 7092 1 0 1 1 0 8 1 percpumem 16 50 0 2 1 0 1 1 0 8 0 kstatmem 264 24 0 4 2 0 2 2 0 8 0 scxspl 216 6958 0 6958 5 2 3 3 1 8 3 plimitpl 152 90 0 69 2 0 2 2 0 8 1 sigapl 424 602 0 556 7 0 7 7 0 8 1 knotepl 120 306 0 0 10 0 10 10 0 8 0 kqueuepl 224 48 0 37 1 0 1 1 0 8 0 pipepl 344 191 0 164 3 0 3 3 0 8 0 fdescpl 528 586 0 557 4 0 4 4 0 8 0 filepl 160 2652 0 2461 15 0 15 15 0 8 6 lockfpl 104 38 0 34 1 0 1 1 0 8 0 lockfspl 48 16 0 13 1 0 1 1 0 8 0 sessionpl 144 43 0 29 1 0 1 1 0 8 0 pgrppl 48 71 0 50 1 0 1 1 0 8 0 ucredpl 104 375 0 358 1 0 1 1 0 8 0 zombiepl 144 557 0 556 1 0 1 1 0 8 0 processpl 1232 602 0 556 5 0 5 5 0 8 0 procpl 664 823 0 769 6 0 6 6 0 8 1 sosppl 176 2 0 2 1 0 1 1 0 8 1 sockpl 752 414 0 381 13 1 12 13 0 8 7 mcl12k 12288 2 0 0 1 0 1 1 0 8 0 mcl8k 8192 2 0 0 1 0 1 1 0 8 0 mcl4k 4096 138 0 0 18 0 18 18 0 8 0 mcl2k 2048 29 0 0 4 0 4 4 0 8 0 mtagpl 96 2 0 0 1 0 1 1 0 8 0 mbufpl 256 218 0 0 15 1 14 15 0 8 0 bufpl 280 2585 0 118 177 0 177 177 0 8 0 anonpl 32 7374 0 0 61 1 60 60 0 246 0 amapchunkpl 152 13356 0 12800 33 0 33 33 0 158 10 amappl16 200 1261 0 1244 17 6 11 14 0 8 8 amappl15 192 2 0 2 1 1 0 1 0 8 0 amappl14 184 6 0 6 1 0 1 1 0 8 1 amappl13 176 403 0 402 1 0 1 1 0 8 0 amappl12 168 957 0 919 3 0 3 3 0 8 0 amappl11 160 1 0 1 1 1 0 1 0 8 0 amappl10 152 70 0 60 1 0 1 1 0 8 0 amappl9 144 258 0 258 1 1 0 1 0 8 0 amappl8 136 20 0 19 1 0 1 1 0 8 0 amappl7 128 90 0 89 1 0 1 1 0 8 0 amappl6 120 257 0 246 1 0 1 1 0 8 0 amappl5 112 69 0 62 1 0 1 1 0 8 0 amappl4 104 378 0 356 1 0 1 1 0 8 0 amappl3 96 2237 0 2148 4 0 4 4 0 8 0 amappl2 88 527 0 474 2 0 2 2 0 8 0 amappl1 80 10064 0 9532 14 0 14 14 0 8 1 amappl 88 3673 0 3528 5 0 5 5 0 92 0 uvmvnodes 80 103 0 0 3 0 3 3 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 5 0 0 1 0 1 1 0 8 0 uaddrrnd 24 586 0 557 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 586 0 557 1 0 1 1 0 8 0 vmmpekpl 168 6827 0 6790 3 0 3 3 0 8 0 vmmpepl 168 44384 0 42687 100 0 100 100 0 357 15 vmsppl 488 585 0 556 6 0 6 6 0 8 0 rwobjpl 80 14538 0 13670 25 0 25 25 0 8 2 pdppl 4096 1179 0 1112 111 34 77 97 0 8 10 pvpl 32 16032 0 0 130 0 130 130 0 265 0 pmappl 256 585 0 556 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 288 0 37 8 0 8 8 0 8 0 ddb{1}> machine ddbcpu 0 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffffffff8385dff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff839befc0) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline] __mp_lock(ffffffff839befc0) at __mp_lock+0x192 sys/kern/kern_lock.c:173 softintr_dispatch(0) at softintr_dispatch+0x125 sys/kern/kern_softintr.c:83 dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862 Xsoftclock() at Xsoftclock+0x27 cnputc(49) at cnputc+0x67 sys/dev/cons.c:218 db_putchar(49) at db_putchar+0x36d sys/ddb/db_output.c:155 kprintf() at kprintf+0x29c5 sys/kern/subr_prf.c:-1 db_printf(ffffffff83384599) at db_printf+0x9b sys/kern/subr_prf.c:-1 panic(ffffffff833ad118) at panic+0x103 sys/kern/subr_prf.c:217 __assert(ffffffff833f05b9,ffffffff83346d16,51d,ffffffff834234ff) at __assert+0x29 sys/kern/subr_prf.c:-1 uvm_pageactivate(fffffd8008860970) at uvm_pageactivate+0x1e3 sys/uvm/uvm_page.c:1306 end trace frame: 0xffff80002a3c1f50, count: 0 ddb{0}> trace x86_ipi_db(ffffffff8385dff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff839befc0) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline] __mp_lock(ffffffff839befc0) at __mp_lock+0x192 sys/kern/kern_lock.c:173 softintr_dispatch(0) at softintr_dispatch+0x125 sys/kern/kern_softintr.c:83 dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862 Xsoftclock() at Xsoftclock+0x27 cnputc(49) at cnputc+0x67 sys/dev/cons.c:218 db_putchar(49) at db_putchar+0x36d sys/ddb/db_output.c:155 kprintf() at kprintf+0x29c5 sys/kern/subr_prf.c:-1 db_printf(ffffffff83384599) at db_printf+0x9b sys/kern/subr_prf.c:-1 panic(ffffffff833ad118) at panic+0x103 sys/kern/subr_prf.c:217 __assert(ffffffff833f05b9,ffffffff83346d16,51d,ffffffff834234ff) at __assert+0x29 sys/kern/subr_prf.c:-1 uvm_pageactivate(fffffd8008860970) at uvm_pageactivate+0x1e3 sys/uvm/uvm_page.c:1306 uvm_fault_lower_lookup(ffff80002a3c2110,ffff80002a3c2148,ffff80002a3c2090) at uvm_fault_lower_lookup+0x2a4 sys/uvm/uvm_fault.c:1248 uvm_fault_lower(ffff80002a3c2110,ffff80002a3c2148,ffff80002a3c2090) at uvm_fault_lower+0x89 sys/uvm/uvm_fault.c:1334 uvm_fault(fffffd806cc0d3f8,200000000000,0,2) at uvm_fault+0x274 sys/uvm/uvm_fault.c:-1 upageflttrap(ffff80002a3c22b0,200000000180) at upageflttrap+0xa9 sys/arch/amd64/amd64/trap.c:192 usertrap(ffff80002a3c22b0) at usertrap+0x42f sys/arch/amd64/amd64/trap.c:632 recall_trap() at recall_trap+0x8 end of kernel end trace frame: 0x7b9476ad2be0, count: -20 ddb{0}> machine ddbcpu 1 Stopped at savectx+0xae: movl $0,%gs:0x688 savectx() at savectx+0xae end of kernel end trace frame: 0x7b9476ad2d30, count: 14 ddb{1}> trace savectx() at savectx+0xae end of kernel end trace frame: 0x7b9476ad2d30, count: -1