panic: kernel diagnostic assertion "ps->ps_uvncount == 0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_unveil.c", line 188 Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff825784bd) at panic+0x161 sys/kern/subr_prf.c:198 __assert(ffffffff825ee4e5,ffffffff8256f6b7,bc,ffffffff8258e1e0) at __assert+0x25 sys/kern/subr_prf.c:157 unveil_destroy(ffff80002663f3c8) at unveil_destroy+0x1a4 sys/kern/kern_unveil.c:188 exit1(ffff8000217a7270,0,0,1) at exit1+0x3b5 sys/kern/kern_exit.c:219 sys_exit(ffff8000217a7270,ffff8000266019d0,ffff800026601a30) at sys_exit+0x16 sys/kern/kern_exit.c:89 syscall(ffff800026601aa0) at syscall+0x447 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7fffffb7c0, count: 7 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "ps->ps_uvncount == 0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_unveil.c", line 188 ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff825784bd) at panic+0x161 sys/kern/subr_prf.c:198 __assert(ffffffff825ee4e5,ffffffff8256f6b7,bc,ffffffff8258e1e0) at __assert+0x25 sys/kern/subr_prf.c:157 unveil_destroy(ffff80002663f3c8) at unveil_destroy+0x1a4 sys/kern/kern_unveil.c:188 exit1(ffff8000217a7270,0,0,1) at exit1+0x3b5 sys/kern/kern_exit.c:219 sys_exit(ffff8000217a7270,ffff8000266019d0,ffff800026601a30) at sys_exit+0x16 sys/kern/kern_exit.c:89 syscall(ffff800026601aa0) at syscall+0x447 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7fffffb7c0, count: -8 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff8000266017f0 rbx 0x4 rdx 0 rcx 0 rax 0xffff8000217a7270 r8 0 r9 0x8080808080808080 r10 0xfd46d505ae7f22b0 r11 0x10a4e3db99efe842 r12 0 r13 0xffff80002663f3c8 r14 0 r15 0x1 rip 0xffffffff8155c7b8 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff8000266017e0 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb> show proc PROC (syz-executor.6) pid=337911 stat=onproc flags process=1008 proc=2000 pri=32, usrpri=84, nice=20 forw=0xffffffffffffffff, list=0xffff8000217a6010,0xffffffff829b7c58 process=0xffff80002663f3c8 user=0xffff8000265fc000, vmspace=0xfffffd806b723230 estcpu=34, cpticks=4, pctcpu=0.11 user=0, sys=3, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 26612 115222 4652 0 3 0x82 piperd syz-executor.3 64511 243722 4652 0 3 0x82 piperd syz-executor.0 61649 409080 4652 0 3 0x82 piperd syz-executor.2 40888 16047 4652 0 2 0x482 syz-executor.6 60547 389987 4652 0 3 0x82 piperd syz-executor.1 4747 144691 4652 0 3 0x82 piperd syz-executor.4 77351 287639 4652 0 3 0x82 piperd syz-executor.5 55361 155335 1 0 3 0x100083 ttyin getty 85582 82048 4652 0 3 0x82 piperd syz-executor.7 66244 43850 0 0 3 0x14280 nfsidl nfsio 65506 163887 0 0 3 0x14280 nfsidl nfsio 17674 311311 0 0 3 0x14280 nfsidl nfsio 66957 329587 0 0 3 0x14280 nfsidl nfsio 47415 171995 0 0 3 0x14280 nfsidl nfsio 16432 484648 0 0 3 0x14280 nfsidl nfsio 18605 390520 0 0 3 0x14280 nfsidl nfsio 48553 264914 0 0 3 0x14280 nfsidl nfsio 41394 130409 0 0 3 0x14280 nfsidl nfsio 76111 345721 0 0 3 0x14280 nfsidl nfsio 35633 399238 0 0 3 0x14280 nfsidl nfsio 11836 388286 0 0 3 0x14280 nfsidl nfsio 63683 258822 0 0 3 0x14280 nfsidl nfsio 40793 67184 0 0 3 0x14280 nfsidl nfsio 58059 328077 0 0 3 0x14280 nfsidl nfsio 77319 58570 0 0 3 0x14280 nfsidl nfsio 81120 130801 0 0 3 0x14280 nfsidl nfsio 99121 463767 0 0 3 0x14280 nfsidl nfsio 98175 437134 0 0 3 0x14280 nfsidl nfsio 63193 194793 0 0 3 0x14280 nfsidl nfsio 31849 70086 0 0 3 0x14200 bored sosplice 4652 273286 36142 0 3 0x82 kqread syz-fuzzer 4652 457429 36142 0 2 0x4000482 syz-fuzzer 4652 138195 36142 0 3 0x4000082 wait syz-fuzzer 4652 240691 36142 0 3 0x4000082 thrsleep syz-fuzzer 4652 316507 36142 0 3 0x4000082 wait syz-fuzzer 4652 346619 36142 0 3 0x4000082 thrsleep syz-fuzzer 4652 312071 36142 0 3 0x4000082 thrsleep syz-fuzzer 4652 201975 36142 0 3 0x4000082 thrsleep syz-fuzzer 4652 374451 36142 0 3 0x4000082 wait syz-fuzzer 4652 237639 36142 0 3 0x4000082 wait syz-fuzzer 4652 426366 36142 0 3 0x4000082 wait syz-fuzzer 4652 76758 36142 0 3 0x4000082 wait syz-fuzzer 4652 517665 36142 0 3 0x4000082 wait syz-fuzzer 4652 306867 36142 0 3 0x4000082 wait syz-fuzzer 4652 211295 36142 0 3 0x4000082 thrsleep syz-fuzzer 36142 183717 27238 0 3 0x10008a sigsusp ksh 27238 396008 59563 0 3 0x9a kqread sshd 59563 221957 1 0 3 0x88 kqread sshd 88450 104409 7565 73 3 0x1100090 kqread syslogd 7565 496765 1 0 3 0x100082 netio syslogd 92059 205978 1 0 3 0x100080 kqread resolvd 16414 103122 0 0 3 0x14200 bored smr 43820 245605 0 0 2 0x14200 zerothread 74074 414285 0 0 3 0x14200 aiodoned aiodoned 60808 318044 0 0 3 0x14200 syncer update 23839 358127 0 0 3 0x14200 cleaner cleaner 84016 490670 0 0 3 0x14200 reaper reaper 59825 151553 0 0 3 0x14200 pgdaemon pagedaemon 55219 504175 0 0 3 0x14200 bored viomb 79471 431453 0 0 3 0x40014200 acpi0 acpi0 6065 165150 0 0 3 0x14200 bored softnet 73165 72836 0 0 3 0x14200 bored softnet 55117 490726 0 0 3 0x14200 bored softnet 59022 165366 0 0 3 0x14200 bored softnet 92788 14700 0 0 3 0x14200 bored systqmp 39593 367471 0 0 3 0x14200 bored systq 46451 63199 0 0 2 0x40014200 softclock 99312 96137 0 0 3 0x40014200 idle0 1 301022 0 0 3 0x80082 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10207 6442K 7677K 78643K 64025 0 pcb 13 18K 21K 78643K 7729 0 rtable 263 15K 16K 78643K 12947 0 ifaddr 393 104K 105K 78643K 4599 0 sysctl 3 1K 3K 78643K 12 0 counters 28 17K 17K 78643K 1165 0 ioctlops 0 0K 4K 78643K 9103 0 iov 0 0K 36K 78643K 7016 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 4 0 vnodes 1534 96K 96K 78643K 21919 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 9K 78643K 334 0 VM map 2 0K 0K 78643K 2 0 sem 52 32K 48K 78643K 1562 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 10 33K 81K 78643K 39496 0 sigio 0 0K 0K 78643K 479 0 proc 66 59K 83K 78643K 7600 0 subproc 104 6K 7K 78643K 2723 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 1675 0 in_multi 99 6K 7K 78643K 3512 0 ether_multi 1 0K 0K 78643K 229 0 mrt 1 0K 0K 78643K 225 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 181 811K 811K 78643K 181 0 exec 0 0K 2K 78643K 11838 0 pfkey data 0 0K 0K 78643K 25 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 8 62K 64K 78643K 10 0 UVM amap 352 197K 212K 78643K 215346 0 UVM aobj 131 8K 8K 78643K 142 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 1352 0 NDP 14 0K 1K 78643K 1212 0 temp 137 4726K 66430K 78643K 457496 0 kqueue 6 10K 32K 78643K 4291 0 SYN cache 2 4688K 4696K 78643K 4 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 4205 0 4204 45 44 1 3 0 8 0 rtentry 112 3173 0 3067 7 3 4 4 0 8 0 unpcb 144 26395 0 26389 316 315 1 10 0 8 0 syncache 296 175 0 175 50 50 0 1 0 8 0 sackhl 24 2 0 2 2 2 0 1 0 8 0 tcpqe 32 47 418 47 8 8 0 1 0 8 0 tcpcb 768 12939 0 12931 464 463 1 16 0 8 0 arp 88 561 0 542 1 0 1 1 0 8 0 ipq 40 50 0 49 18 17 1 1 0 8 0 ipqe 40 258 0 257 18 17 1 1 0 8 0 inpcb 336 35827 0 35819 548 546 2 18 0 8 1 ip6q 72 2 0 2 1 1 0 1 0 8 0 ip6af 40 3 0 3 1 1 0 1 0 8 0 nd6 48 724 0 699 1 0 1 1 0 8 0 pkpcb 40 263 0 263 24 24 0 1 0 8 0 kcovpl 48 209 0 201 1 0 1 1 0 8 0 ppxss 1160 669 0 669 64 64 0 1 0 8 0 pppxif 1608 287 0 287 39 39 0 1 0 8 0 pfstscr 40 16 0 15 1 0 1 1 0 8 0 pfosfp 40 7 0 5 1 0 1 1 0 8 0 pfosfpen 112 7 0 3 1 0 1 1 0 8 0 pfrktable 1344 609 0 603 8 7 1 2 0 8 0 pfanchor 1280 227 0 44 17 1 16 16 0 8 0 pftag 88 13 0 6 2 1 1 1 0 8 0 pfstitem 24 8 0 6 1 0 1 1 0 8 0 pfstkey 120 20 0 18 1 0 1 1 0 8 0 pfstate 336 12 0 11 1 0 1 1 0 8 0 pfrule 1360 327 0 305 3 1 2 2 0 8 0 rttmr 136 53 0 53 17 17 0 1 0 8 0 art_heap8 4096 21 0 20 20 19 1 3 0 8 0 art_heap4 256 14223 0 13758 153 123 30 31 0 8 0 art_table 32 14244 0 13778 6 2 4 4 0 8 0 art_node 16 3106 0 3014 1 0 1 1 0 8 0 semapl 112 1554 0 1504 2 0 2 2 0 8 0 shmpl 112 139 0 11 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 54424 0 52826 100 0 100 100 0 8 0 ffsino 240 54424 0 52826 95 0 95 95 0 8 0 nchpl 144 113355 0 112892 63 42 21 63 0 8 0 rtmask 32 21 0 21 7 7 0 1 0 8 0 uvmvnodes 80 8744 0 0 179 0 179 179 0 8 0 vnodes 216 8744 0 0 486 0 486 486 0 8 0 namei 1024 434303 0 434303 21 20 1 2 0 8 1 vcpupl 2048 11 0 0 2 0 2 2 0 8 0 vmpool 536 11 0 0 1 0 1 1 0 8 0 pfiaddrpl 120 188 0 177 6 5 1 1 0 8 0 kstatmem 264 1434 0 1406 6 4 2 3 0 8 0 scsiplug 72 29 0 29 12 12 0 1 0 8 0 scxspl 216 310715 0 310715 60 58 2 8 0 8 2 plimitpl 152 5701 0 5687 1 0 1 1 0 8 0 sigapl 424 39418 0 39362 8 0 8 8 0 8 0 futexpl 64 423940 0 423940 14 13 1 1 0 8 1 knotepl 120 587507 0 587443 240 236 4 16 0 8 1 kqueuepl 184 12988 0 12983 100 99 1 7 0 8 0 pipepl 288 8521 0 8493 191 188 3 11 0 8 0 fdescpl 432 39353 0 39335 5 2 3 4 0 8 0 filepl 120 300244 0 300029 395 387 8 19 0 8 1 lockfpl 104 12232 0 12231 23 22 1 2 0 8 0 lockfspl 48 3051 0 3050 1 0 1 1 0 8 0 sessionpl 144 227 0 212 1 0 1 1 0 8 0 pgrppl 48 876 0 861 1 0 1 1 0 8 0 ucredpl 104 35908 0 35889 1 0 1 1 0 8 0 zombiepl 144 39594 0 39593 8 7 1 1 0 8 0 processpl 1000 39418 0 39362 11 2 9 9 0 8 0 procpl 672 101489 0 101419 93 85 8 10 0 8 0 sosppl 168 446 0 446 28 27 1 1 0 8 1 sockpl 456 66724 0 66709 1405 1402 3 36 0 8 0 mcl64k 65536 1516 0 1516 80 80 0 1 0 8 0 mcl16k 16384 557 0 557 93 93 0 1 0 8 0 mcl12k 12288 1334 0 1334 78 77 1 1 0 8 1 mcl9k 9216 679 0 679 98 98 0 1 0 8 0 mcl8k 8192 2900 0 2900 69 68 1 1 0 8 1 mcl4k 4096 4865 0 4865 52 51 1 3 0 8 1 mcl2k2 2112 283 0 283 91 91 0 1 0 8 0 mcl2k 2048 163055 0 163013 131 125 6 33 0 8 0 mtagpl 96 9237 0 9237 65 65 0 28 0 8 0 mbufpl 256 743964 0 743884 3081 3073 8 538 0 8 0 bufpl 288 66158 0 57414 625 0 625 625 0 8 0 anonpl 24 7337304 0 7321303 514 392 122 183 0 188 0 amapchunkpl 152 643002 0 642378 349 320 29 58 0 158 0 amappl16 200 100121 0 99490 274 238 36 48 0 8 0 amappl15 192 7424 0 7417 1 0 1 1 0 8 0 amappl14 184 5369 0 5367 1 0 1 1 0 8 0 amappl13 176 6124 0 6119 1 0 1 1 0 8 0 amappl12 168 4380 0 4377 1 0 1 1 0 8 0 amappl11 160 5706 0 5697 1 0 1 1 0 8 0 amappl10 152 5269 0 5263 1 0 1 1 0 8 0 amappl9 144 4249 0 4241 1 0 1 1 0 8 0 amappl8 136 8628 0 8491 6 1 5 5 0 8 0 amappl7 128 5123 0 5102 1 0 1 1 0 8 0 amappl6 120 4793 0 4764 3 2 1 2 0 8 0 amappl5 112 33313 0 33307 1 0 1 1 0 8 0 amappl4 104 16128 0 16101 2 0 2 2 0 8 0 amappl3 96 118338 0 118306 2 0 2 2 0 8 0 amappl2 88 46376 0 46329 3 1 2 3 0 8 0 amappl1 80 925661 0 925167 23 9 14 21 0 8 0 amappl 88 210911 0 210756 6 1 5 5 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 141 0 11 3 0 3 3 0 8 0 uaddrrnd 24 39364 0 39334 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 39364 0 39334 1 0 1 1 0 8 0 vmmpekpl 168 281817 0 281769 5 1 4 4 0 8 0 vmmpepl 168 3880247 0 3878044 663 529 134 164 0 357 0 vmsppl 272 39363 0 39334 5 2 3 3 0 8 0 rwobjpl 24 908202 0 897769 76 11 65 66 0 8 0 pdppl 4096 78734 0 78679 2261 2192 69 77 0 8 14 pvpl 32 14592193 0 14571668 1014 814 200 321 0 265 0 pmappl 216 39363 0 39334 3 0 3 3 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 7537 0 6583 52 22 30 40 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff825784bd) at panic+0x161 sys/kern/subr_prf.c:198 __assert(ffffffff825ee4e5,ffffffff8256f6b7,bc,ffffffff8258e1e0) at __assert+0x25 sys/kern/subr_prf.c:157 unveil_destroy(ffff80002663f3c8) at unveil_destroy+0x1a4 sys/kern/kern_unveil.c:188 exit1(ffff8000217a7270,0,0,1) at exit1+0x3b5 sys/kern/kern_exit.c:219 sys_exit(ffff8000217a7270,ffff8000266019d0,ffff800026601a30) at sys_exit+0x16 sys/kern/kern_exit.c:89 syscall(ffff800026601aa0) at syscall+0x447 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7fffffb7c0, count: -8 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff825784bd) at panic+0x161 sys/kern/subr_prf.c:198 __assert(ffffffff825ee4e5,ffffffff8256f6b7,bc,ffffffff8258e1e0) at __assert+0x25 sys/kern/subr_prf.c:157 unveil_destroy(ffff80002663f3c8) at unveil_destroy+0x1a4 sys/kern/kern_unveil.c:188 exit1(ffff8000217a7270,0,0,1) at exit1+0x3b5 sys/kern/kern_exit.c:219 sys_exit(ffff8000217a7270,ffff8000266019d0,ffff800026601a30) at sys_exit+0x16 sys/kern/kern_exit.c:89 syscall(ffff800026601aa0) at syscall+0x447 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7fffffb7c0, count: -8