panic: kernel diagnostic assertion "(pg->pg_flags & (PQ_INACTIVE|PQ_ACTIVE)) == 0" failed: file "/syzkallerWARNING: SPL NOT LOWERED ON SYSCALL 110 50 EXIT 0 9 Stopped at savectx+0xae: movl $0,%gs:0x688 TID PID UID PRFLAGS PFLAGS CPU COMMAND *470465 47367 0 0x2 0 1 syz-executor savectx() at savectx+0xae end of kernel end trace frame: 0x794d5b885f40, count: 14 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic *cpu0: kernel diagnostic assertion "(pg->pg_flags & (PQ_INACTIVE|PQ_ACTIVE)) == 0" failed: file "/syzkaller/managers/setuid/kernel/sys/uvm/uvm_page.c", line 1267 ddb{1}> trace savectx() at savectx+0xae end of kernel end trace frame: 0x794d5b885f40, count: -1 ddb{1}> show registers rdi 0 rsi 0 rbp 0xffff80002a2c8a70 rbx 0 rdx 0 rcx 0xffff8000ffffd4c8 rax 0x34 r8 0xffff80002a2c89a0 r9 0x1 r10 0xc1812c80657ca432 r11 0xc5974db1baa142f2 r12 0 r13 0 r14 0xffff8000ffffd4c8 r15 0 rip 0xffffffff8293f3ee savectx+0xae cs 0x8 rflags 0x46 rsp 0xffff80002a2c89f0 ss 0x10 savectx+0xae: movl $0,%gs:0x688 ddb{1}> show proc PROC (syz-executor) tid=470465 pid=47367 tcnt=1 stat=onproc flags process=2 proc=0 runpri=24, usrpri=50, slppri=24, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff8000ffffd760,0xffff8000ffffda08 process=0xffff8000ffff61b8 user=0xffff80002a2c3000, vmspace=0xfffffd800b0633d0 estcpu=0, cpticks=10, pctcpu=0.8, user=0, sys=10, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 1793 375806 97398 32767 2 0x10 syz-executor 1793 481524 97398 32767 3 0x4000090 fsleep syz-executor 38558 256810 52337 32767 2 0x10 syz-executor 38558 518408 52337 32767 2 0x4000010 syz-executor 62932 175597 16087 32767 2 0x10 syz-executor 62932 38860 16087 32767 3 0x4000090 ttyin syz-executor 62932 479560 16087 32767 2 0x4000010 syz-executor 62932 282116 16087 32767 3 0x4000090 fsleep syz-executor 74459 412296 47046 0 3 0x82 sbwait sshd-session 48045 457010 94501 32767 3 0x400090 nanoslp syz-executor 48045 305529 94501 32767 3 0x4400090 fsleep syz-executor 48045 391965 94501 32767 3 0x4400090 fsleep syz-executor 48045 264710 94501 32767 3 0x4400090 sbwait syz-executor 97398 381011 5259 32767 2 0xc90 syz-executor 96762 34019 97128 32767 3 0x90 nanoslp syz-executor 52337 167742 97981 32767 2 0xc90 syz-executor 85180 224869 16145 32767 2 0x10 syz-executor 16087 499784 80254 32767 3 0x90 nanoslp syz-executor 10746 8677 7700 32767 2 0x90 syz-executor 94501 459694 82524 32767 2 0xc90 syz-executor 95306 236837 59069 32767 2 0x90 syz-executor 97981 446967 47367 0 3 0x82 wait syz-executor 16145 55515 47367 0 3 0x82 wait syz-executor 97128 126232 47367 0 3 0x82 wait syz-executor 59069 167034 47367 0 3 0x82 wait syz-executor 7700 17357 47367 0 3 0x82 wait syz-executor 82524 245553 47367 0 3 0x82 wait syz-executor 80254 382810 47367 0 3 0x82 wait syz-executor 5259 239239 47367 0 3 0x82 wait syz-executor *47367 470465 40748 0 7 0x2 syz-executor 40748 1015 48983 0 3 0x10008a sigsusp ksh 48983 158232 55217 0 3 0x98 kqread sshd-session 55217 210660 47046 0 3 0x92 kqread sshd-session 20574 157332 1 0 3 0x100083 ttyin getty 47046 237385 1 0 3 0x88 kqread sshd 58735 202445 63614 73 3 0x1100090 kqread syslogd 63614 330763 1 0 3 0x100082 sbwait syslogd 67057 17189 1 0 3 0x100080 kqread resolvd 9269 500872 30772 77 3 0x100092 kqread dhcpleased 53778 434028 30772 77 3 0x100092 kqread dhcpleased 30772 183860 1 0 3 0x80 kqread dhcpleased 51474 504583 0 0 3 0x14200 bored smr 11425 126889 0 0 2 0x14200 zerothread 44612 346905 0 0 3 0x14200 aiodoned aiodoned 69605 59533 0 0 3 0x14200 syncer update 19852 37077 0 0 3 0x14200 cleaner cleaner 10262 114879 0 0 3 0x14200 reaper reaper 77704 305253 0 0 3 0x14200 pgdaemon pagedaemon 53841 98242 0 0 3 0x14200 bored viomb 58463 6439 0 0 3 0x40014200 acpi0 acpi0 87745 409079 0 0 3 0x40014200 idle1 4103 316502 0 0 3 0x14200 bored softnet1 12424 30932 0 0 2 0x14200 softnet0 26002 19037 0 0 3 0x14200 bored systqmp 39276 94848 0 0 3 0x14200 bored systq 72563 224471 0 0 3 0x14200 tmoslp softclockmp 61270 389123 0 0 3 0x40014200 tmoslp softclock 45109 286866 0 0 3 0x40014200 idle0 1 268065 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks CPU 1: exclusive mutex sbrcv r = 0 (0xffff8000014272e0) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 mtx_enter+0x4b4 sys/kern/kern_lock.c:487 #2 somove+0x161e sys/kern/uipc_socket.c:1788 #3 sosplice+0x7fe sys/kern/uipc_socket.c:1396 #4 sys_setsockopt+0x2ba sys/kern/uipc_syscalls.c:1227 #5 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] #5 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:775 #6 Xsyscall+0x128 Process 38558 (syz-executor) thread 0xffff80003c43ba18 (518408) exclusive rwlock sbufrcv r = 0 (0xffff8000014272a0) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320 #2 sblock+0xb6 sys/kern/uipc_socket2.c:536 #3 sosplice+0x28f sys/kern/uipc_socket.c:1333 #4 sys_setsockopt+0x2ba sys/kern/uipc_syscalls.c:1227 #5 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] #5 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:775 #6 Xsyscall+0x128 ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10187 10957K 10973K 166960K 11278 0 pcb 17 12K 12K 166960K 17 0 rtable 237 6K 7K 166960K 353 0 pf 31 16K 16K 166960K 31 0 ifaddr 42 7K 7K 166960K 44 0 ifgroup 50 2K 2K 166960K 50 0 sysctl 1 1K 9K 166960K 6 0 counters 70 37K 37K 166960K 70 0 ioctlops 0 0K 2K 166960K 62 0 iov 1 12K 12K 166960K 4 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1335 84K 84K 166960K 1359 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 1K 166960K 2 0 VM map 2 1K 1K 166960K 2 0 sem 3 0K 0K 166960K 3 0 dirhash 12 2K 2K 166960K 12 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 22 81K 125K 166960K 181 0 proc 63 115K 147K 166960K 479 0 subproc 72 4K 4K 166960K 72 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 1 0K 0K 166960K 142 0 in_multi 99 7K 7K 166960K 99 0 ether_multi 1 0K 0K 166960K 1 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 55 254K 254K 166960K 55 0 exec 0 0K 1K 166960K 359 0 fusefs mount 1 32K 32K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 246 180K 195K 166960K 3291 0 UVM aobj 6 3K 3K 166960K 6 0 pinsyscall 45 90K 114K 166960K 1249 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 2 0 NDP 13 0K 2K 166960K 27 0 temp 36 8670K 8734K 166960K 4047 0 kqueue 13 20K 23K 166960K 33 0 SYN cache 2 16K 16K 166960K 2 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 120 40 0 37 1 0 1 1 0 8 0 rtentry 176 111 0 1 5 0 5 5 0 8 0 unpcb 144 69 0 52 1 0 1 1 0 8 0 syncache 336 5 0 5 1 0 1 1 0 8 1 tcpcb 736 95 0 86 7 0 7 7 0 8 6 arp 136 18 0 0 1 0 1 1 0 8 0 inpcb 328 266 0 252 7 0 7 7 0 8 4 nd6 152 24 0 0 1 0 1 1 0 8 0 kcovpl 48 8 0 0 1 0 1 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 452 0 0 29 0 29 29 0 8 0 art_table 40 453 0 0 5 0 5 5 0 8 0 art_node 32 111 0 11 1 0 1 1 0 8 0 sysvmsgpl 40 4 0 2 1 0 1 1 0 8 0 semapl 112 1 0 0 1 0 1 1 0 8 0 shmpl 112 3 0 0 1 0 1 1 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 1613 0 106 95 0 95 95 0 8 0 ffsino 296 1613 0 106 117 0 117 117 0 8 0 nchpl 144 1861 0 174 63 0 63 63 0 8 0 vnodes 216 1694 0 0 95 0 95 95 0 8 0 namei 1024 5690 0 5690 2 0 2 2 0 8 2 percpumem 16 50 0 0 1 0 1 1 0 8 0 kstatmem 264 24 0 0 2 0 2 2 0 8 0 scxspl 216 6187 0 6187 3 1 2 2 1 8 2 plimitpl 152 40 0 16 2 0 2 2 0 8 1 sigapl 424 469 0 417 7 0 7 7 0 8 0 knotepl 120 300 0 0 10 0 10 10 0 8 0 kqueuepl 224 32 0 22 1 0 1 1 0 8 0 pipepl 344 113 0 86 3 0 3 3 0 8 0 fdescpl 528 453 0 418 4 0 4 4 0 8 0 filepl 160 1840 0 1618 13 0 13 13 0 8 1 lockfpl 104 10 0 8 1 0 1 1 0 8 0 lockfspl 48 6 0 4 1 0 1 1 0 8 0 sessionpl 144 23 0 6 1 0 1 1 0 8 0 pgrppl 48 31 0 6 1 0 1 1 0 8 0 ucredpl 104 147 0 128 1 0 1 1 0 8 0 zombiepl 144 418 0 417 1 0 1 1 0 8 0 processpl 1232 469 0 417 5 0 5 5 0 8 0 procpl 664 533 0 473 6 0 6 6 0 8 0 sosppl 176 1 0 0 1 0 1 1 0 8 0 sockpl 752 376 0 342 11 0 11 11 0 8 6 mcl64k 65536 2 0 0 1 0 1 1 0 8 0 mcl8k 8192 2 0 0 1 0 1 1 0 8 0 mcl4k 4096 117 0 0 15 0 15 15 0 8 0 mcl2k 2048 30 0 0 4 0 4 4 0 8 0 mtagpl 96 2 0 0 1 0 1 1 0 8 0 mbufpl 256 1846 0 0 116 0 116 116 0 8 0 bufpl 280 2399 0 118 163 0 163 163 0 8 0 anonpl 32 8021 0 0 66 0 66 66 0 246 1 amapchunkpl 152 9929 0 9444 32 0 32 32 0 158 4 amappl16 200 2264 0 2244 14 0 14 14 0 8 11 amappl15 192 5 0 5 1 0 1 1 0 8 1 amappl14 184 8 0 7 1 0 1 1 0 8 0 amappl13 176 399 0 398 1 0 1 1 0 8 0 amappl12 168 794 0 749 3 0 3 3 0 8 0 amappl11 160 11 0 10 1 0 1 1 0 8 0 amappl10 152 47 0 36 1 0 1 1 0 8 0 amappl9 144 250 0 250 1 0 1 1 0 8 1 amappl8 136 23 0 21 1 0 1 1 0 8 0 amappl7 128 74 0 73 1 0 1 1 0 8 0 amappl6 120 264 0 252 1 0 1 1 0 8 0 amappl5 112 105 0 97 1 0 1 1 0 8 0 amappl4 104 387 0 362 1 0 1 1 0 8 0 amappl3 96 1491 0 1381 4 0 4 4 0 8 0 amappl2 88 520 0 459 2 0 2 2 0 8 0 amappl1 80 9416 0 8773 16 0 16 16 0 8 1 amappl 88 2583 0 2415 5 0 5 5 0 92 0 uvmvnodes 80 100 0 0 3 0 3 3 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 5 0 0 1 0 1 1 0 8 0 uaddrrnd 24 453 0 418 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 453 0 418 1 0 1 1 0 8 0 vmmpekpl 168 5451 0 5417 2 0 2 2 0 8 0 vmmpepl 168 37850 0 35800 115 0 115 115 0 357 8 vmsppl 488 452 0 417 7 1 6 6 0 8 0 rwobjpl 80 14140 0 13114 29 0 29 29 0 8 2 pdppl 4096 913 0 834 111 18 93 97 0 8 14 pvpl 32 16864 0 0 136 0 136 136 0 265 0 pmappl 256 452 0 417 4 1 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 393 0 21 11 0 11 11 0 8 0 ddb{1}> machine ddbcpu 0 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffffffff83866ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff8397aac0) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline] __mp_lock(ffffffff8397aac0) at __mp_lock+0x192 sys/kern/kern_lock.c:173 softintr_dispatch(0) at softintr_dispatch+0x125 sys/kern/kern_softintr.c:83 dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862 Xsoftclock() at Xsoftclock+0x27 cnputc(72) at cnputc+0x67 sys/dev/cons.c:218 db_putchar(72) at db_putchar+0x36d sys/ddb/db_output.c:155 kprintf() at kprintf+0x29c5 sys/kern/subr_prf.c:-1 db_printf(ffffffff8338bb0d) at db_printf+0x9b sys/kern/subr_prf.c:-1 panic(ffffffff833b41d6) at panic+0x103 sys/kern/subr_prf.c:217 __assert(ffffffff833f0de3,ffffffff83345b7a,4f3,ffffffff8342241f) at __assert+0x29 sys/kern/subr_prf.c:-1 uvm_pagedeactivate(fffffd8008760e90) at uvm_pagedeactivate+0x34a sys/uvm/uvm_page.c:1264 end trace frame: 0xffff8000397e0330, count: 0 ddb{0}> trace x86_ipi_db(ffffffff83866ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff8397aac0) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline] __mp_lock(ffffffff8397aac0) at __mp_lock+0x192 sys/kern/kern_lock.c:173 softintr_dispatch(0) at softintr_dispatch+0x125 sys/kern/kern_softintr.c:83 dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862 Xsoftclock() at Xsoftclock+0x27 cnputc(72) at cnputc+0x67 sys/dev/cons.c:218 db_putchar(72) at db_putchar+0x36d sys/ddb/db_output.c:155 kprintf() at kprintf+0x29c5 sys/kern/subr_prf.c:-1 db_printf(ffffffff8338bb0d) at db_printf+0x9b sys/kern/subr_prf.c:-1 panic(ffffffff833b41d6) at panic+0x103 sys/kern/subr_prf.c:217 __assert(ffffffff833f0de3,ffffffff83345b7a,4f3,ffffffff8342241f) at __assert+0x29 sys/kern/subr_prf.c:-1 uvm_pagedeactivate(fffffd8008760e90) at uvm_pagedeactivate+0x34a sys/uvm/uvm_page.c:1264 uvn_flush(fffffd8068f6dc40,0,0,14) at uvn_flush+0x43b sys/uvm/uvm_vnode.c:668 uvn_detach(fffffd8068f6dc40) at uvn_detach+0x19e sys/uvm/uvm_vnode.c:371 uvm_unmap_detach(ffff8000397e03e0,0) at uvm_unmap_detach+0x15e sys/uvm/uvm_map.c:1364 uvm_map_teardown(fffffd800f797d88) at uvm_map_teardown+0x360 sys/uvm/uvm_map.c:2525 exit1(ffff80003c43a028,0,0,1) at exit1+0x6fc sys/kern/kern_exit.c:260 sys_exit(ffff80003c43a028,ffff8000397e05b0,ffff8000397e0500) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff8000397e05b0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff8000397e05b0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:775 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x768a7dcd85c0, count: -22 ddb{0}> machine ddbcpu 1 Stopped at savectx+0xae: movl $0,%gs:0x688 savectx() at savectx+0xae end of kernel end trace frame: 0x794d5b885f40, count: 14 ddb{1}> trace savectx() at savectx+0xae end of kernel end trace frame: 0x794d5b885f40, count: -1