panic: kernel diagnostic assertion "pg->wire_count != 0" failed: file "/syzkaller/managers/main/kernel/sys/uvm/uvm_page.c", line 1250 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8348162d) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff834c3767,ffffffff834a9ce6,4e2,ffffffff83417ef0) at __assert+0x29 sys/kern/subr_prf.c:-1 uvm_pageunwire(fffffa800756f980) at uvm_pageunwire+0x17d sys/uvm/uvm_page.c:1249 uvm_fault_unwire_locked(fffffa806cac3d08,5f81d6dd000,5f81dadc000) at uvm_fault_unwire_locked+0x33a sys/uvm/uvm_fault.c:1790 uvm_unmap_kill_entry_withlock(fffffa806cac3d08,fffffa8073f697a0,0) at uvm_unmap_kill_entry_withlock+0x81 sys/uvm/uvm_map.c:1866 uvm_map_teardown(fffffa806cac3d08) at uvm_map_teardown+0x117 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:-1 [inline] uvm_map_teardown(fffffa806cac3d08) at uvm_map_teardown+0x117 sys/uvm/uvm_map.c:2497 exit1(ffff8000390e2550,0,0,1) at exit1+0x6e6 sys/kern/kern_exit.c:259 sys_exit(ffff8000390e2550,ffff80002f8af280,ffff80002f8af1d0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80002f8af280) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80002f8af280) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7c7dbbb181b0, count: 4 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "pg->wire_count != 0" failed: file "/syzkaller/managers/main/kernel/sys/uvm/uvm_page.c", line 1250 ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8348162d) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff834c3767,ffffffff834a9ce6,4e2,ffffffff83417ef0) at __assert+0x29 sys/kern/subr_prf.c:-1 uvm_pageunwire(fffffa800756f980) at uvm_pageunwire+0x17d sys/uvm/uvm_page.c:1249 uvm_fault_unwire_locked(fffffa806cac3d08,5f81d6dd000,5f81dadc000) at uvm_fault_unwire_locked+0x33a sys/uvm/uvm_fault.c:1790 uvm_unmap_kill_entry_withlock(fffffa806cac3d08,fffffa8073f697a0,0) at uvm_unmap_kill_entry_withlock+0x81 sys/uvm/uvm_map.c:1866 uvm_map_teardown(fffffa806cac3d08) at uvm_map_teardown+0x117 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:-1 [inline] uvm_map_teardown(fffffa806cac3d08) at uvm_map_teardown+0x117 sys/uvm/uvm_map.c:2497 exit1(ffff8000390e2550,0,0,1) at exit1+0x6e6 sys/kern/kern_exit.c:259 sys_exit(ffff8000390e2550,ffff80002f8af280,ffff80002f8af1d0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80002f8af280) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80002f8af280) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7c7dbbb181b0, count: -11 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80002f8aeec0 rbx 0xffff8000ffffa418 rdx 0 rcx 0 rax 0xffff8000390e2550 r8 0x101010101010101 r9 0x8080808080808080 r10 0xf591eaa4a939413e r11 0xc9aa5a7653c9f1ab r12 0 r13 0xffffffff836ecf70 uvm_map_addr_RBT_INFO r14 0 r15 0x1 rip 0xffffffff81765605 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80002f8aeeb0 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb> show proc PROC (syz-executor) tid=334506 pid=12799 tcnt=0 stat=onproc flags process=1008 proc=2000 runpri=32, usrpri=52, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0xffff8000390e2550 scnt=-1 ecnt=1 forw=0xffffffffffffffff, list=0xffff8000390e34e0,0xffff80002f8b14e8 process=0xffff8000ffffa418 user=0xffff80002f8aa000, vmspace=0xfffffa806cac3d08 estcpu=2, cpticks=6, pctcpu=0.0, user=0, sys=2, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 19096 332287 35865 0 2 0 syz-executor 19096 503022 35865 0 3 0x4000080 kqsel syz-executor 89366 262163 28255 0 2 0x40 syz-executor 80216 452214 3128 0 2 0 syz-executor 80216 184112 3128 0 3 0x4000080 fsleep syz-executor 65478 261459 43961 0 2 0 syz-executor 65478 316467 43961 0 3 0x4000080 fsleep syz-executor 28255 219722 73602 0 3 0x82 ppwait syz-executor 32841 444316 63080 0 2 0xc80 syz-executor 32841 101991 63080 0 3 0x4000080 sbwait syz-executor 63063 420850 1 0 3 0x82 nanoslp getty 3128 246510 73602 0 2 0xc82 syz-executor 99891 263099 73602 0 3 0x82 piperd syz-executor 63080 384272 73602 0 2 0xc82 syz-executor 23935 78300 73602 0 3 0x82 piperd syz-executor 92597 139199 73602 0 2 0xc82 syz-executor 43961 28163 73602 0 2 0xc82 syz-executor 35865 472759 73602 0 2 0xc82 syz-executor 73602 323496 11235 0 2 0x2 syz-executor 11235 266441 70453 0 3 0x10008a sigsusp ksh 70453 18046 98066 0 3 0x98 kqread sshd-session 98066 81098 88506 0 3 0x92 kqread sshd-session 88506 496397 1 0 3 0x88 kqread sshd 50761 387591 96561 73 3 0x1100090 kqread syslogd 96561 93157 1 0 3 0x100082 sbwait syslogd 90507 346662 1 0 3 0x100080 kqread resolvd 43406 158338 34480 77 3 0x100092 kqread dhcpleased 24676 205760 34480 77 3 0x100092 kqread dhcpleased 34480 329793 1 0 3 0x80 kqread dhcpleased 99037 353327 0 0 3 0x14200 bored smr 83145 120256 0 0 2 0x14200 zerothread 52435 230366 0 0 3 0x14200 aiodoned aiodoned 98452 32831 0 0 3 0x14200 syncer update 66609 184149 0 0 3 0x14200 cleaner cleaner 68747 513562 0 0 3 0x14200 reaper reaper 61115 523688 0 0 3 0x14200 pgdaemon pagedaemon 86174 227927 0 0 3 0x14200 bored viomb 20883 6102 0 0 3 0x40014200 acpi0 acpi0 15052 458977 0 0 3 0x14200 bored softnet0 828 186253 0 0 3 0x14200 bored systqmp 95095 302306 0 0 3 0x14200 bored systq 13192 383588 0 0 3 0x40014200 tmoslp softclock 7412 270121 0 0 3 0x40014200 idle0 1 166049 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 11040 12199K 12232K 166960K 12169 0 pcb 17 12K 12K 166960K 29 0 rtable 217 6K 6K 166960K 356 0 pf 31 13K 16K 166960K 35 0 ifaddr 39 6K 7K 166960K 45 0 ifgroup 50 2K 2K 166960K 54 0 sysctl 1 1K 9K 166960K 5 0 counters 33 17K 17K 166960K 34 0 ioctlops 0 0K 4K 166960K 39 0 iov 0 0K 8K 166960K 3 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1291 81K 81K 166960K 1408 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 5K 166960K 3 0 VM map 2 1K 1K 166960K 2 0 sem 6 0K 0K 166960K 10 0 dirhash 12 2K 2K 166960K 15 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 15 53K 236K 166960K 206 0 sigio 0 0K 0K 166960K 1 0 proc 59 59K 83K 166960K 525 0 subproc 72 4K 4K 166960K 81 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 3 0 in_multi 88 6K 7K 166960K 99 0 ether_multi 1 0K 0K 166960K 1 0 mrt 0 0K 0K 166960K 2 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 37 175K 175K 166960K 37 0 exec 0 0K 1K 166960K 383 0 fusefs mount 1 32K 32K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 206 168K 169K 166960K 3279 0 UVM aobj 8 2K 2K 166960K 8 0 pinsyscall 36 72K 88K 166960K 1305 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 2 0 NDP 11 0K 2K 166960K 28 0 temp 40 9106K 9166K 166960K 6841 0 kqueue 13 20K 22K 166960K 31 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 39 0 36 1 0 1 1 0 8 0 rtentry 136 112 0 12 4 0 4 4 0 8 0 unpcb 144 67 0 52 1 0 1 1 0 8 0 syncache 336 4 0 4 1 1 0 1 0 8 0 tcpcb 736 22 0 18 1 0 1 1 0 8 0 arp 96 18 0 2 1 0 1 1 0 8 0 inpcb 328 106 0 97 3 1 2 2 0 8 1 nd6 112 25 0 3 1 0 1 1 0 8 0 kcovpl 48 9 0 1 1 0 1 1 0 8 0 pfstscr 40 2 0 0 1 0 1 1 0 8 0 pfstitem 24 2 0 0 1 0 1 1 0 8 0 pfstkey 128 2 0 0 1 0 1 1 0 8 0 pfstate 384 1 0 0 1 0 1 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 455 0 44 29 0 29 29 0 8 1 art_table 40 456 0 44 5 0 5 5 0 8 0 art_node 32 112 0 21 1 0 1 1 0 8 0 semapl 72 8 0 4 1 0 1 1 0 8 0 shmpl 112 5 0 0 1 0 1 1 0 8 0 dirhash 1024 19 0 2 3 0 3 3 0 8 0 dino2pl 256 1652 0 193 92 0 92 92 0 8 0 ffsino 256 1652 0 193 92 0 92 92 0 8 0 nchpl 144 1920 0 225 63 0 63 63 0 8 0 vnodes 216 1766 0 0 99 0 99 99 0 8 0 namei 1024 5820 0 5820 2 1 1 2 0 8 1 kstatmem 264 25 0 2 2 0 2 2 0 8 0 scsiplug 72 1 0 1 1 0 1 1 0 8 1 scxspl 216 6387 0 6387 4 3 1 4 1 8 1 plimitpl 152 37 0 20 1 0 1 1 0 8 0 sigapl 424 487 0 446 6 0 6 6 0 8 1 knotepl 120 4199 0 4152 4 0 4 4 0 8 2 kqueuepl 184 31 0 21 1 0 1 1 0 8 0 pipepl 304 127 0 100 3 0 3 3 0 8 0 fdescpl 448 474 0 447 4 0 4 4 0 8 0 filepl 120 1772 0 1565 9 0 9 9 0 8 1 lockfpl 104 22 0 20 1 0 1 1 0 8 0 lockfspl 48 12 0 10 1 0 1 1 0 8 0 sessionpl 144 26 0 19 1 0 1 1 0 8 0 pgrppl 48 35 0 20 1 0 1 1 0 8 0 ucredpl 104 114 0 103 1 0 1 1 0 8 0 zombiepl 144 447 0 446 2 1 1 1 0 8 0 processpl 1152 487 0 446 4 0 4 4 0 8 0 procpl 664 560 0 515 5 0 5 5 0 8 0 sockpl 552 213 0 186 4 1 3 3 0 8 0 mcl64k 65536 5 0 5 2 1 1 1 0 8 1 mcl9k128 9344 1 0 0 1 0 1 1 0 8 0 mcl8k 8192 5 0 5 2 1 1 1 0 8 1 mcl4k 4096 2546 0 2496 13 5 8 13 0 8 1 mcl2k 2048 172 0 172 3 0 3 3 0 8 3 mtagpl 96 4 0 4 1 1 0 1 0 8 0 mbufpl 256 4633 0 4496 12 0 12 12 0 8 1 bufpl 280 4857 0 103 340 0 340 340 0 8 0 anonpl 24 88955 0 81189 50 1 49 49 0 186 1 amapchunkpl 152 9260 0 8585 31 2 29 29 0 158 1 amappl16 200 1207 0 1187 14 3 11 11 0 8 9 amappl15 192 5 0 5 1 1 0 1 0 8 0 amappl14 184 452 0 451 1 0 1 1 0 8 0 amappl13 176 118 0 108 1 0 1 1 0 8 0 amappl12 168 713 0 687 2 0 2 2 0 8 0 amappl11 160 93 0 93 1 1 0 1 0 8 0 amappl10 152 70 0 60 1 0 1 1 0 8 0 amappl9 144 271 0 271 1 1 0 1 0 8 0 amappl8 136 96 0 95 1 0 1 1 0 8 0 amappl7 128 143 0 131 1 0 1 1 0 8 0 amappl6 120 151 0 149 1 0 1 1 0 8 0 amappl5 112 88 0 81 1 0 1 1 0 8 0 amappl4 104 259 0 242 1 0 1 1 0 8 0 amappl3 96 1739 0 1643 3 0 3 3 0 8 0 amappl2 88 545 0 488 2 0 2 2 0 8 0 amappl1 80 10381 0 9843 12 0 12 12 0 8 0 amappl 88 2574 0 2432 4 0 4 4 0 92 0 uvmvnodes 80 97 0 0 2 0 2 2 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 19 0 18 1 0 1 1 0 8 0 aobjpl 72 7 0 0 1 0 1 1 0 8 0 uaddrrnd 24 474 0 446 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 474 0 446 1 0 1 1 0 8 0 vmmpekpl 168 5794 0 5749 3 0 3 3 0 8 0 vmmpepl 168 39181 0 37498 85 1 84 84 0 357 6 vmsppl 368 473 0 446 4 1 3 4 0 8 0 rwobjpl 40 14158 0 13239 11 0 11 11 0 8 1 pdppl 4096 954 0 892 96 28 68 76 0 8 6 pvpl 32 238140 0 210738 228 2 226 226 0 265 1 pmappl 216 473 0 446 2 0 2 2 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 360 0 40 10 0 10 10 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8348162d) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff834c3767,ffffffff834a9ce6,4e2,ffffffff83417ef0) at __assert+0x29 sys/kern/subr_prf.c:-1 uvm_pageunwire(fffffa800756f980) at uvm_pageunwire+0x17d sys/uvm/uvm_page.c:1249 uvm_fault_unwire_locked(fffffa806cac3d08,5f81d6dd000,5f81dadc000) at uvm_fault_unwire_locked+0x33a sys/uvm/uvm_fault.c:1790 uvm_unmap_kill_entry_withlock(fffffa806cac3d08,fffffa8073f697a0,0) at uvm_unmap_kill_entry_withlock+0x81 sys/uvm/uvm_map.c:1866 uvm_map_teardown(fffffa806cac3d08) at uvm_map_teardown+0x117 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:-1 [inline] uvm_map_teardown(fffffa806cac3d08) at uvm_map_teardown+0x117 sys/uvm/uvm_map.c:2497 exit1(ffff8000390e2550,0,0,1) at exit1+0x6e6 sys/kern/kern_exit.c:259 sys_exit(ffff8000390e2550,ffff80002f8af280,ffff80002f8af1d0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80002f8af280) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80002f8af280) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7c7dbbb181b0, count: -11 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8348162d) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff834c3767,ffffffff834a9ce6,4e2,ffffffff83417ef0) at __assert+0x29 sys/kern/subr_prf.c:-1 uvm_pageunwire(fffffa800756f980) at uvm_pageunwire+0x17d sys/uvm/uvm_page.c:1249 uvm_fault_unwire_locked(fffffa806cac3d08,5f81d6dd000,5f81dadc000) at uvm_fault_unwire_locked+0x33a sys/uvm/uvm_fault.c:1790 uvm_unmap_kill_entry_withlock(fffffa806cac3d08,fffffa8073f697a0,0) at uvm_unmap_kill_entry_withlock+0x81 sys/uvm/uvm_map.c:1866 uvm_map_teardown(fffffa806cac3d08) at uvm_map_teardown+0x117 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:-1 [inline] uvm_map_teardown(fffffa806cac3d08) at uvm_map_teardown+0x117 sys/uvm/uvm_map.c:2497 exit1(ffff8000390e2550,0,0,1) at exit1+0x6e6 sys/kern/kern_exit.c:259 sys_exit(ffff8000390e2550,ffff80002f8af280,ffff80002f8af1d0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80002f8af280) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80002f8af280) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7c7dbbb181b0, count: -11