panic: kernel diagnostic assertion "ps->ps_uvncount == 0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_unveil.c", line 188 Stopped at db_enter+0x1c: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82927b8e) at panic+0x165 sys/kern/subr_prf.c:198 __assert(ffffffff828e10c6,ffffffff828b33eb,bc,ffffffff82866e64) at __assert+0x29 sys/kern/subr_prf.c:157 unveil_destroy(ffff8000ffffa5b8) at unveil_destroy+0x174 sys/kern/kern_unveil.c:188 exit1(ffff80002c111550,0,0,3) at exit1+0x3d6 sys/kern/kern_exit.c:218 single_thread_check_locked(ffff80002c111550,0,0) at single_thread_check_locked+0x1f6 sys/kern/kern_sig.c:2039 userret(ffff80002c111550) at userret+0x6f single_thread_check sys/kern/kern_sig.c:2058 [inline] userret(ffff80002c111550) at userret+0x6f sys/kern/kern_sig.c:1974 Xsyscall() at Xsyscall+0x156 end of kernel end trace frame: 0x7c4e91ac47b0, count: 7 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "ps->ps_uvncount == 0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_unveil.c", line 188 ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82927b8e) at panic+0x165 sys/kern/subr_prf.c:198 __assert(ffffffff828e10c6,ffffffff828b33eb,bc,ffffffff82866e64) at __assert+0x29 sys/kern/subr_prf.c:157 unveil_destroy(ffff8000ffffa5b8) at unveil_destroy+0x174 sys/kern/kern_unveil.c:188 exit1(ffff80002c111550,0,0,3) at exit1+0x3d6 sys/kern/kern_exit.c:218 single_thread_check_locked(ffff80002c111550,0,0) at single_thread_check_locked+0x1f6 sys/kern/kern_sig.c:2039 userret(ffff80002c111550) at userret+0x6f single_thread_check sys/kern/kern_sig.c:2058 [inline] userret(ffff80002c111550) at userret+0x6f sys/kern/kern_sig.c:1974 Xsyscall() at Xsyscall+0x156 end of kernel end trace frame: 0x7c4e91ac47b0, count: -8 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff800037825750 rbx 0xffff8000ffffa5b8 rdx 0 rcx 0 rax 0xffff80002c111550 r8 0 r9 0x8080808080808080 r10 0xd7859540fb2be979 r11 0x8f5df33f989aaa6f r12 0 r13 0x2 r14 0 r15 0x1 rip 0xffffffff811a086c db_enter+0x1c cs 0x8 rflags 0x246 rsp 0xffff800037825740 ss 0x10 db_enter+0x1c: addq $0x8,%rsp ddb> show proc PROC (syz-executor.3) tid=35832 pid=95871 tcnt=1 stat=onproc flags process=1008 proc=82000 runpri=32, usrpri=82, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0xffff800030f2d008 forw=0xffffffffffffffff, list=0xffff80002c1102b8,0xffffffff82e14630 process=0xffff8000ffffa5b8 user=0xffff800037820000, vmspace=0xfffffd8067953018 estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 1570 434699 55414 0 2 0 syz-executor.2 71365 405064 3426 0 2 0 syz-executor.6 71365 56748 3426 0 2 0x4000000 syz-executor.6 15059 153657 54322 0 2 0 syz-executor.0 15059 337798 54322 0 2 0x4000000 syz-executor.0 15059 193570 54322 0 3 0x4000000 vmmaplk syz-executor.0 55414 306204 89065 0 2 0x482 syz-executor.2 41996 352447 89065 0 2 0x482 syz-executor.3 8423 473378 89065 0 2 0x2 syz-executor.4 73170 161625 89065 0 2 0x2 syz-executor.7 3426 221760 89065 0 2 0x482 syz-executor.6 54322 41022 89065 0 2 0x482 syz-executor.0 13266 485850 89065 0 2 0x482 syz-executor.5 38554 133243 89065 0 2 0x482 syz-executor.1 48215 74128 0 0 3 0x14280 nfsidl nfsio 83236 301268 0 0 3 0x14280 nfsidl nfsio 94089 471365 0 0 3 0x14280 nfsidl nfsio 39754 97889 0 0 3 0x14280 nfsidl nfsio 755 469871 0 0 3 0x14280 nfsidl nfsio 34293 8074 0 0 3 0x14280 nfsidl nfsio 90898 484216 0 0 3 0x14280 nfsidl nfsio 98490 213402 0 0 3 0x14280 nfsidl nfsio 5780 324598 0 0 3 0x14280 nfsidl nfsio 59252 249323 0 0 3 0x14280 nfsidl nfsio 13328 495166 0 0 3 0x14280 nfsidl nfsio 92881 116510 0 0 3 0x14280 nfsidl nfsio 52586 312937 0 0 3 0x14280 nfsidl nfsio 84938 167802 0 0 3 0x14280 nfsidl nfsio 80190 162256 0 0 3 0x14280 nfsidl nfsio 12347 31113 0 0 3 0x14280 nfsidl nfsio 23097 175404 0 0 3 0x14280 nfsidl nfsio 58341 411599 0 0 3 0x14280 nfsidl nfsio 5036 321549 0 0 3 0x14280 nfsidl nfsio 2836 115809 0 0 3 0x14280 nfsidl nfsio 25577 133196 0 0 3 0x14200 bored sosplice 89065 20962 82824 0 3 0x1a000082 wait syz-fuzzer 89065 72177 82824 0 3 0x1e000082 thrsleep syz-fuzzer 89065 62657 82824 0 3 0x1e000082 thrsleep syz-fuzzer 89065 55171 82824 0 3 0x1e000082 wait syz-fuzzer 89065 434030 82824 0 3 0x1e000082 wait syz-fuzzer 89065 23250 82824 0 3 0x1e000082 thrsleep syz-fuzzer 89065 16023 82824 0 3 0x1e000082 wait syz-fuzzer 89065 39377 82824 0 3 0x1e000082 wait syz-fuzzer 89065 470900 82824 0 3 0x1e000082 wait syz-fuzzer 89065 472020 82824 0 3 0x1e000082 thrsleep syz-fuzzer 89065 435305 82824 0 3 0x1e000082 thrsleep syz-fuzzer 89065 259138 82824 0 3 0x1e000082 wait syz-fuzzer 89065 155588 82824 0 3 0x1e000082 wait syz-fuzzer 89065 512481 82824 0 3 0x1e000082 kqread syz-fuzzer 89065 309110 82824 0 3 0x1e000082 thrsleep syz-fuzzer 82824 72901 55989 0 3 0x810008a sigsusp ksh 55989 185133 70991 0 3 0x1800009a kqread sshd 21084 173603 1 0 3 0x18100083 ttyin getty 70991 21261 1 0 3 0x18000088 kqread sshd 1645 488476 96860 73 3 0x19100090 kqread syslogd 96860 517914 1 0 3 0x18100082 netio syslogd 30809 228988 1 0 3 0x18100080 kqread resolvd 39037 514645 78865 77 3 0x18100092 kqread dhcpleased 23715 488366 78865 77 3 0x18100092 kqread dhcpleased 78865 94327 1 0 3 0x18000080 kqread dhcpleased 53304 317207 0 0 3 0x14200 bored smr 32729 479439 0 0 2 0x14200 zerothread 83116 274720 0 0 3 0x14200 aiodoned aiodoned 74719 24274 0 0 3 0x14200 syncer update 26116 317708 0 0 3 0x14200 cleaner cleaner 32189 441606 0 0 2 0x14200 reaper 52938 236143 0 0 3 0x14200 pgdaemon pagedaemon 82544 332427 0 0 3 0x14200 bored viomb 522 377326 0 0 3 0x40014200 acpi0 acpi0 94357 453626 0 0 3 0x14200 bored softnet3 3035 170277 0 0 3 0x14200 bored softnet2 86907 513780 0 0 3 0x14200 bored softnet1 65309 422271 0 0 3 0x14200 bored softnet0 66554 100846 0 0 3 0x14200 bored systqmp 4541 335245 0 0 3 0x14200 bored systq 9700 318888 0 0 2 0x40014200 softclock 35554 162617 0 0 3 0x40014200 idle0 1 234184 0 0 3 0x8000082 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10200 6413K 7012K 166960K 22273 0 pcb 15 15K 17K 166960K 685 0 rtable 242 7K 7K 166960K 1469 0 pf 31 9K 9K 166960K 159 0 ifaddr 44 12K 12K 166960K 179 0 ifgroup 54 2K 2K 166960K 246 0 sysctl 3 0K 0K 166960K 3 0 counters 31 17K 17K 166960K 90 0 ioctlops 0 0K 2K 166960K 395 0 iov 0 0K 24K 166960K 779 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1494 94K 94K 166960K 5306 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 9K 166960K 48 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 1081 0 dirhash 12 2K 2K 166960K 24 0 ACPI 1697 195K 286K 166960K 12548 0 file desc 16 57K 69K 166960K 5852 0 sigio 0 0K 0K 166960K 146 0 proc 62 75K 75K 166960K 1322 0 subproc 104 6K 6K 166960K 392 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 532 0 in_multi 99 7K 7K 166960K 393 0 ether_multi 1 0K 0K 166960K 4 0 mrt 1 0K 0K 166960K 3 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 223 996K 996K 166960K 223 0 exec 0 0K 1K 166960K 994 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 386 167K 176K 166960K 56474 0 UVM aobj 131 4K 4K 166960K 134 0 pinsyscall 22 44K 100K 166960K 1937 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 152 0 NDP 12 0K 1K 166960K 133 0 temp 74 6804K 7440K 166960K 56308 0 kqueue 13 18K 26K 166960K 445 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 440 0 437 4 2 2 3 0 8 1 rtentry 112 457 0 346 5 1 4 4 0 8 0 unpcb 144 4288 0 4265 11 5 6 6 0 8 5 syncache 336 40 0 40 1 1 0 1 0 8 0 tcpqe 32 77 0 77 1 1 0 1 0 8 0 tcpcb 808 1932 0 1919 16 13 3 13 0 8 0 arp 88 82 0 64 1 0 1 1 0 8 0 ipq 40 3 0 3 2 1 1 1 0 8 1 ipqe 40 43 0 43 2 1 1 1 0 8 1 inpcb 360 4660 0 4643 23 15 8 14 0 8 5 nd6 104 93 0 68 1 0 1 1 0 8 0 pkpcb 40 11 0 11 1 1 0 1 0 8 0 kcovpl 48 30 0 22 1 0 1 1 0 8 0 ppxss 1072 27 0 27 1 1 0 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 1527 0 1060 37 7 30 30 0 8 0 art_table 32 1528 0 1060 5 1 4 4 0 8 0 art_node 16 413 0 314 1 0 1 1 0 8 0 sysvmsgpl 40 27 0 19 1 0 1 1 0 8 0 semapl 112 1076 0 1066 1 0 1 1 0 8 0 shmpl 112 131 0 3 4 0 4 4 0 8 0 dirhash 1024 25 0 8 3 0 3 3 0 8 0 dino2pl 256 9112 0 7597 96 0 96 96 0 8 0 ffsino 240 9112 0 7597 90 0 90 90 0 8 0 nchpl 144 17269 0 15544 66 0 66 66 0 8 0 uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0 vnodes 216 5926 0 0 330 0 330 330 0 8 0 namei 1024 57718 0 57718 4 2 2 3 0 8 2 vcpupl 2048 15 0 0 2 0 2 2 0 8 0 vmpool 664 24 0 9 2 0 2 2 0 8 0 kstatmem 264 142 0 118 2 0 2 2 0 8 0 scxspl 216 52270 0 52270 8 7 1 8 1 8 1 plimitpl 152 491 0 476 1 0 1 1 0 8 0 sigapl 424 6130 0 6064 8 0 8 8 0 8 0 futexpl 64 52533 0 52533 1 0 1 1 0 8 1 knotepl 120 52884 0 52800 11 7 4 11 0 8 0 kqueuepl 184 1355 0 1345 7 3 4 4 0 8 3 pipepl 288 1107 0 1077 9 4 5 7 0 8 2 fdescpl 432 6091 0 6064 4 0 4 4 0 8 0 filepl 120 35924 0 35669 16 4 12 15 0 8 2 lockfpl 104 2456 0 2454 3 1 2 2 0 8 1 lockfspl 48 815 0 813 1 0 1 1 0 8 0 sessionpl 144 45 0 29 1 0 1 1 0 8 0 pgrppl 48 119 0 103 1 0 1 1 0 8 0 ucredpl 104 4785 0 4775 1 0 1 1 0 8 0 zombiepl 144 7182 0 7177 2 1 1 1 0 8 0 processpl 1072 6130 0 6064 5 0 5 5 0 8 0 procpl 680 15230 0 15142 9 0 9 9 0 8 0 sosppl 168 42 0 39 1 0 1 1 0 8 0 sockpl 488 9403 0 9360 173 159 14 29 0 8 8 mcl64k 65536 229 0 229 2 1 1 1 0 8 1 mcl16k 16384 124 0 124 2 1 1 1 0 8 1 mcl12k 12288 263 0 263 2 1 1 1 0 8 1 mcl9k 9216 103 0 103 2 1 1 1 0 8 1 mcl8k 8192 395 0 395 2 1 1 1 0 8 1 mcl4k 4096 616 0 616 2 1 1 1 0 8 1 mcl2k2 2112 34 0 34 2 1 1 1 0 8 1 mcl2k 2048 84926 0 84869 35 26 9 27 0 8 0 mtagpl 96 1215 0 1029 13 7 6 12 0 8 0 mbufpl 256 320959 0 320651 568 542 26 415 0 8 3 bufpl 280 12683 0 6344 454 0 454 454 0 8 1 anonpl 24 701301 0 686437 178 67 111 164 0 188 9 amapchunkpl 152 181856 0 180977 71 29 42 66 0 158 4 amappl16 200 14081 0 13613 57 23 34 37 0 8 8 amappl15 192 54 0 51 1 0 1 1 0 8 0 amappl14 184 226 0 214 2 1 1 2 0 8 0 amappl13 176 24 0 24 1 1 0 1 0 8 0 amappl12 168 7044 0 7017 2 0 2 2 0 8 0 amappl11 160 93 0 82 1 0 1 1 0 8 0 amappl10 152 62 0 54 1 0 1 1 0 8 0 amappl9 144 193 0 192 1 0 1 1 0 8 0 amappl8 136 321 0 246 3 0 3 3 0 8 0 amappl7 128 91 0 76 1 0 1 1 0 8 0 amappl6 120 636 0 616 2 1 1 2 0 8 0 amappl5 112 347 0 335 1 0 1 1 0 8 0 amappl4 104 767 0 731 2 0 2 2 0 8 0 amappl3 96 35431 0 35355 3 0 3 3 0 8 0 amappl2 88 6824 0 6751 4 2 2 4 0 8 0 amappl1 80 31063 0 30577 21 10 11 21 0 8 0 amappl 88 55577 0 55338 7 0 7 7 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 133 0 3 3 0 3 3 0 8 0 uaddrrnd 24 6115 0 6072 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 6115 0 6072 1 0 1 1 0 8 0 vmmpekpl 168 47245 0 47177 4 0 4 4 0 8 0 vmmpepl 168 381910 0 379610 150 21 129 129 0 357 21 vmsppl 352 6114 0 6072 4 0 4 4 0 8 0 rwobjpl 24 98748 0 91209 47 0 47 47 0 8 0 pdppl 4096 12236 0 12159 464 385 79 79 0 8 2 pvpl 32 1887031 0 1866352 406 215 191 388 0 265 10 pmappl 216 6114 0 6072 3 0 3 3 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 1346 0 986 22 9 13 22 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82927b8e) at panic+0x165 sys/kern/subr_prf.c:198 __assert(ffffffff828e10c6,ffffffff828b33eb,bc,ffffffff82866e64) at __assert+0x29 sys/kern/subr_prf.c:157 unveil_destroy(ffff8000ffffa5b8) at unveil_destroy+0x174 sys/kern/kern_unveil.c:188 exit1(ffff80002c111550,0,0,3) at exit1+0x3d6 sys/kern/kern_exit.c:218 single_thread_check_locked(ffff80002c111550,0,0) at single_thread_check_locked+0x1f6 sys/kern/kern_sig.c:2039 userret(ffff80002c111550) at userret+0x6f single_thread_check sys/kern/kern_sig.c:2058 [inline] userret(ffff80002c111550) at userret+0x6f sys/kern/kern_sig.c:1974 Xsyscall() at Xsyscall+0x156 end of kernel end trace frame: 0x7c4e91ac47b0, count: -8 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82927b8e) at panic+0x165 sys/kern/subr_prf.c:198 __assert(ffffffff828e10c6,ffffffff828b33eb,bc,ffffffff82866e64) at __assert+0x29 sys/kern/subr_prf.c:157 unveil_destroy(ffff8000ffffa5b8) at unveil_destroy+0x174 sys/kern/kern_unveil.c:188 exit1(ffff80002c111550,0,0,3) at exit1+0x3d6 sys/kern/kern_exit.c:218 single_thread_check_locked(ffff80002c111550,0,0) at single_thread_check_locked+0x1f6 sys/kern/kern_sig.c:2039 userret(ffff80002c111550) at userret+0x6f single_thread_check sys/kern/kern_sig.c:2058 [inline] userret(ffff80002c111550) at userret+0x6f sys/kern/kern_sig.c:1974 Xsyscall() at Xsyscall+0x156 end of kernel end trace frame: 0x7c4e91ac47b0, count: -8