panic: kernel diagnostic assertion "ps->ps_uvncount == 0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_unveil.c", line 188 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff833ff54a) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833b1752,ffffffff8337adec,bc,ffffffff83323f6a) at __assert+0x29 unveil_destroy(ffff80003c9baf90) at unveil_destroy+0x1dd sys/kern/kern_unveil.c:188 exit1(ffff80002a8007d0,0,0,1) at exit1+0x60f sys/kern/kern_exit.c:233 sys_exit(ffff80002a8007d0,ffff80002a7c9070,ffff80002a7c8fc0) at sys_exit+0x1a syscall(ffff80002a7c9070) at syscall+0x97e sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x70185c169280, count: 7 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "ps->ps_uvncount == 0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_unveil.c", line 188 ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff833ff54a) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833b1752,ffffffff8337adec,bc,ffffffff83323f6a) at __assert+0x29 unveil_destroy(ffff80003c9baf90) at unveil_destroy+0x1dd sys/kern/kern_unveil.c:188 exit1(ffff80002a8007d0,0,0,1) at exit1+0x60f sys/kern/kern_exit.c:233 sys_exit(ffff80002a8007d0,ffff80002a7c9070,ffff80002a7c8fc0) at sys_exit+0x1a syscall(ffff80002a7c9070) at syscall+0x97e sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x70185c169280, count: -8 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80002a7c8dc0 rbx 0xffff80003c9baf90 rdx 0 rcx 0 rax 0xffff80002a8007d0 r8 0 r9 0x8080808080808080 r10 0x2c854f13d69d50d1 r11 0xc8734136a80cb2ff r12 0 r13 0x2 r14 0 r15 0x1 rip 0xffffffff81725795 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80002a7c8db0 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb> show proc PROC (syz-executor) tid=250134 pid=76047 tcnt=0 stat=onproc flags process=1008 proc=2000 runpri=82, usrpri=82, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0xffff80002a8007d0 scnt=-1 ecnt=1 forw=0xffffffffffffffff, list=0xffff80003a540a70,0xffff80002a7f2cf8 process=0xffff80003c9baf90 user=0xffff80002a7c4000, vmspace=0xfffffd806c0b6880 estcpu=32, cpticks=12, pctcpu=0.7, user=0, sys=2, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 94895 338607 77956 0 2 0 syz-executor 8489 209680 99992 0 2 0 syz-executor 8489 69923 99992 0 3 0x4000080 fsleep syz-executor 10401 77942 65141 0 2 0 syz-executor 10401 513834 65141 0 3 0x4000080 fsleep syz-executor 13416 109750 35798 0 2 0 syz-executor 13416 200573 35798 0 3 0x4000080 fsleep syz-executor 13416 445345 35798 0 3 0x4000080 fsleep syz-executor 58540 401508 85274 0 2 0 syz-executor 58540 333150 85274 0 3 0x4000080 fsleep syz-executor 32228 154283 72722 0 2 0 syz-executor 32228 218096 72722 0 3 0x4000080 fsleep syz-executor 32228 155302 72722 0 3 0x4000080 fsleep syz-executor 77956 399012 61661 0 3 0x82 nanoslp syz-executor 46735 334014 0 0 3 0x14200 acct acct 99992 317460 61661 0 2 0x482 syz-executor 34994 252729 1 0 3 0x100083 ttyin getty 45817 328168 0 0 3 0x14200 bored sosplice 55324 63642 0 0 3 0x14280 nfsidl nfsio 86753 89786 0 0 3 0x14280 nfsidl nfsio 84484 193676 0 0 3 0x14280 nfsidl nfsio 36645 408024 0 0 3 0x14280 nfsidl nfsio 668 59706 0 0 3 0x14280 nfsidl nfsio 50603 307154 0 0 3 0x14280 nfsidl nfsio 12894 60699 0 0 3 0x14280 nfsidl nfsio 96638 132181 0 0 3 0x14280 nfsidl nfsio 80223 157884 0 0 3 0x14280 nfsidl nfsio 78681 15049 0 0 3 0x14280 nfsidl nfsio 85127 271891 0 0 3 0x14280 nfsidl nfsio 27500 393930 0 0 3 0x14280 nfsidl nfsio 74833 123741 0 0 3 0x14280 nfsidl nfsio 81671 167816 0 0 3 0x14280 nfsidl nfsio 14376 183735 0 0 3 0x14280 nfsidl nfsio 73766 28983 0 0 3 0x14280 nfsidl nfsio 88737 266498 0 0 3 0x14280 nfsidl nfsio 16408 63404 0 0 3 0x14280 nfsidl nfsio 30857 157702 0 0 3 0x14280 nfsidl nfsio 5298 354041 0 0 3 0x14280 nfsidl nfsio 87496 136844 61661 0 3 0x82 nanoslp syz-executor 85274 39178 61661 0 3 0x82 nanoslp syz-executor 35798 500074 61661 0 3 0x82 nanoslp syz-executor 65141 447763 61661 0 3 0x82 nanoslp syz-executor 72722 102817 61661 0 3 0x82 nanoslp syz-executor 93510 95620 61661 0 2 0x2 syz-executor 61661 103060 19372 0 3 0x82 kqread syz-executor 19372 204807 38475 0 3 0x10008a sigsusp ksh 38475 202014 82774 0 3 0x98 kqread sshd-session 82774 228991 49819 0 3 0x92 kqread sshd-session 49819 101707 1 0 3 0x88 kqread sshd 34170 330845 58582 73 3 0x1100090 kqread syslogd 58582 395465 1 0 3 0x100082 sbwait syslogd 19544 158675 1 0 3 0x100080 kqread resolvd 55666 276178 44717 77 3 0x100092 kqread dhcpleased 33016 484006 44717 77 3 0x100092 kqread dhcpleased 44717 76776 1 0 3 0x80 kqread dhcpleased 4102 138609 0 0 3 0x14200 bored smr 61411 333048 0 0 2 0x14200 zerothread 36708 155780 0 0 3 0x14200 aiodoned aiodoned 20727 101254 0 0 3 0x14200 syncer update 9172 222813 0 0 3 0x14200 cleaner cleaner 73928 280069 0 0 3 0x14200 reaper reaper 76328 159349 0 0 3 0x14200 pgdaemon pagedaemon 5198 51077 0 0 3 0x14200 bored viomb 99937 162733 0 0 3 0x40014200 acpi0 acpi0 64060 211413 0 0 3 0x14200 bored softnet3 38789 221820 0 0 3 0x14200 bored softnet2 11356 382240 0 0 3 0x14200 bored softnet1 88750 91074 0 0 3 0x14200 bored softnet0 9376 150193 0 0 3 0x14200 bored systqmp 64423 199502 0 0 3 0x14200 bored systq 70388 453346 0 0 2 0x40014200 softclock 89217 42533 0 0 3 0x40014200 idle0 1 98399 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10181 11038K 11335K 166960K 13026 0 pcb 17 16K 18K 166960K 313 0 rtable 206 8K 9K 166960K 770 0 pf 31 13K 269K 166960K 132 0 ifaddr 36 6K 7K 166960K 86 0 ifgroup 46 2K 2K 166960K 138 0 sysctl 4 1K 2K 166960K 9 0 counters 29 17K 17K 166960K 61 0 ioctlops 0 0K 4K 166960K 129 0 iov 0 0K 16K 166960K 271 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1423 89K 90K 166960K 2417 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 9K 166960K 26 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 105 0 dirhash 12 2K 3K 166960K 54 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 16 57K 97K 166960K 1322 0 sigio 1 0K 0K 166960K 102 0 proc 64 75K 116K 166960K 709 0 subproc 72 4K 4K 166960K 100 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 166 0 in_multi 83 6K 7K 166960K 169 0 ether_multi 1 0K 0K 166960K 3 0 mrt 1 0K 0K 166960K 4 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 121 546K 546K 166960K 121 0 exec 0 0K 1K 166960K 791 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 215 72K 88K 166960K 13282 0 UVM aobj 110 3K 4K 166960K 115 0 pinsyscall 38 76K 96K 166960K 2426 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 76 0 NDP 10 0K 2K 166960K 57 0 temp 81 8636K 8764K 166960K 41890 0 kqueue 14 22K 32K 166960K 223 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 202 0 198 3 2 1 3 0 8 0 rtentry 112 214 0 124 4 0 4 4 0 8 0 unpcb 144 1333 0 1317 8 5 3 6 0 8 2 syncache 336 3 0 3 1 1 0 1 0 8 0 tcpcb 808 293 0 288 7 3 4 4 0 8 3 arp 88 27 0 12 1 0 1 1 0 8 0 ipq 40 1 0 1 1 1 0 1 0 8 0 ipqe 40 3 0 3 1 1 0 1 0 8 0 inpcb 344 1628 0 1620 25 16 9 13 0 8 7 nd6 104 45 0 22 1 0 1 1 0 8 0 pkpcb 40 5 0 5 1 1 0 1 0 8 0 kcovpl 48 11 0 3 1 0 1 1 0 8 0 ppxss 1072 18 0 18 2 1 1 1 0 8 1 pppxif 1376 4 0 4 2 1 1 1 0 8 1 pffrag 232 1 0 0 1 0 1 1 0 482 0 pffrnode 88 1 0 0 1 0 1 1 0 8 0 pffrent 40 1 0 0 1 0 1 1 0 8 0 pfrktable 1344 4 0 4 1 1 0 1 0 8 0 pfanchor 1288 3 0 1 1 0 1 1 0 8 0 pftag 88 4 0 3 1 0 1 1 0 8 0 pfstitem 24 1 0 0 1 0 1 1 0 8 0 pfstkey 128 2 0 1 2 1 1 1 0 8 0 pfstate 344 2 0 1 2 1 1 1 0 8 0 pfrule 1344 15 0 14 1 0 1 1 0 8 0 art_heap8 4096 4 0 0 4 0 4 4 0 8 0 art_heap4 256 735 0 336 31 4 27 31 0 8 1 art_table 32 739 0 336 4 0 4 4 0 8 0 art_node 16 173 0 95 1 0 1 1 0 8 0 sysvmsgpl 40 3 0 3 1 1 0 1 0 8 0 semapl 112 101 0 91 1 0 1 1 0 8 0 shmpl 112 112 0 5 4 0 4 4 0 8 0 dirhash 1024 45 0 28 3 0 3 3 0 8 0 dino2pl 256 3781 0 2283 95 0 95 95 0 8 0 ffsino 248 3781 0 2283 95 0 95 95 0 8 0 nchpl 144 5683 0 5150 63 33 30 63 0 8 8 rtmask 32 2 0 2 1 1 0 1 0 8 0 uvmvnodes 80 4529 0 0 93 0 93 93 0 8 0 vnodes 216 4529 0 0 252 0 252 252 0 8 0 namei 1024 20251 0 20250 3 2 1 2 0 8 0 pfiaddrpl 120 1 0 1 1 1 0 1 0 8 0 kstatmem 264 68 0 48 2 0 2 2 0 8 0 scsiplug 72 4 0 4 1 1 0 1 0 8 0 scxspl 216 19724 0 19724 11 7 4 8 1 8 4 plimitpl 152 412 0 396 1 0 1 1 0 8 0 sigapl 424 1618 0 1551 8 0 8 8 0 8 0 futexpl 64 19181 0 19174 1 0 1 1 0 8 0 knotepl 120 44573 0 44526 24 13 11 17 0 8 8 kqueuepl 184 381 0 370 3 2 1 3 0 8 0 pipepl 296 213 0 186 3 0 3 3 0 8 0 fdescpl 440 1578 0 1550 5 1 4 5 0 8 0 filepl 120 11088 0 10876 16 4 12 13 0 8 4 lockfpl 104 376 0 373 1 0 1 1 0 8 0 lockfspl 48 170 0 167 1 0 1 1 0 8 0 sessionpl 144 25 0 17 1 0 1 1 0 8 0 pgrppl 48 48 0 32 1 0 1 1 0 8 0 ucredpl 104 1754 0 1742 1 0 1 1 0 8 0 zombiepl 144 1719 0 1718 1 0 1 1 0 8 0 processpl 1104 1618 0 1551 5 0 5 5 0 8 0 procpl 656 3353 0 3279 10 1 9 9 0 8 2 sosppl 168 6 0 6 1 1 0 1 0 8 0 sockpl 528 3186 0 3158 23 13 10 13 0 8 7 mcl64k 65536 38 0 38 2 1 1 1 0 8 1 mcl16k 16384 6 0 6 2 1 1 1 0 8 1 mcl12k 12288 1 0 1 1 1 0 1 0 8 0 mcl9k 9216 2 0 2 2 1 1 1 0 8 1 mcl8k 8192 27 0 27 2 1 1 1 0 8 1 mcl4k 4096 4009 0 3959 15 7 8 14 0 8 1 mcl2k2 2112 1 0 1 1 1 0 1 0 8 0 mcl2k 2048 1292 0 1289 3 2 1 3 0 8 0 mtagpl 96 44 0 24 1 0 1 1 0 8 0 mbufpl 256 18973 0 18825 23 6 17 23 0 8 1 bufpl 280 4989 0 174 344 0 344 344 0 8 0 anonpl 24 211810 0 208622 73 22 51 51 0 187 24 amapchunkpl 152 44898 0 44408 47 13 34 35 0 158 14 amappl16 200 3639 0 3602 27 16 11 15 0 8 8 amappl15 192 3 0 3 1 1 0 1 0 8 0 amappl14 184 116 0 106 1 0 1 1 0 8 0 amappl13 176 6 0 6 2 1 1 1 0 8 1 amappl12 168 2244 0 2215 3 1 2 3 0 8 0 amappl11 160 44 0 33 1 0 1 1 0 8 0 amappl10 152 6 0 6 1 1 0 1 0 8 0 amappl9 144 255 0 255 1 1 0 1 0 8 0 amappl8 136 28 0 27 1 0 1 1 0 8 0 amappl7 128 105 0 94 1 0 1 1 0 8 0 amappl6 120 200 0 197 1 0 1 1 0 8 0 amappl5 112 148 0 141 1 0 1 1 0 8 0 amappl4 104 312 0 296 1 0 1 1 0 8 0 amappl3 96 8826 0 8712 4 0 4 4 0 8 0 amappl2 88 671 0 615 2 0 2 2 0 8 0 amappl1 80 11245 0 10732 13 1 12 13 0 8 0 amappl 88 12807 0 12639 5 0 5 5 0 92 0 dma65536 65536 1 0 1 1 0 1 1 0 8 1 dma32768 32768 1 0 1 1 1 0 1 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma2048 2048 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 254 0 254 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 20 0 19 1 0 1 1 0 8 0 aobjpl 72 114 0 5 2 0 2 2 0 8 0 uaddrrnd 24 1578 0 1549 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 1578 0 1549 1 0 1 1 0 8 0 vmmpekpl 168 12871 0 12827 3 0 3 3 0 8 0 vmmpepl 168 98234 0 96481 100 10 90 90 0 357 11 vmsppl 360 1577 0 1549 4 1 3 4 0 8 0 rwobjpl 32 30209 0 24711 45 0 45 45 0 8 0 pdppl 4096 3163 0 3098 107 40 67 83 0 8 2 pvpl 32 647899 0 638697 155 25 130 130 0 265 47 pmappl 216 1577 0 1549 3 0 3 3 0 8 0 extentpl 40 55 0 38 1 0 1 1 0 8 0 phpool 112 304 0 72 8 0 8 8 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff833ff54a) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833b1752,ffffffff8337adec,bc,ffffffff83323f6a) at __assert+0x29 unveil_destroy(ffff80003c9baf90) at unveil_destroy+0x1dd sys/kern/kern_unveil.c:188 exit1(ffff80002a8007d0,0,0,1) at exit1+0x60f sys/kern/kern_exit.c:233 sys_exit(ffff80002a8007d0,ffff80002a7c9070,ffff80002a7c8fc0) at sys_exit+0x1a syscall(ffff80002a7c9070) at syscall+0x97e sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x70185c169280, count: -8 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff833ff54a) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833b1752,ffffffff8337adec,bc,ffffffff83323f6a) at __assert+0x29 unveil_destroy(ffff80003c9baf90) at unveil_destroy+0x1dd sys/kern/kern_unveil.c:188 exit1(ffff80002a8007d0,0,0,1) at exit1+0x60f sys/kern/kern_exit.c:233 sys_exit(ffff80002a8007d0,ffff80002a7c9070,ffff80002a7c8fc0) at sys_exit+0x1a syscall(ffff80002a7c9070) at syscall+0x97e sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x70185c169280, count: -8