panic: kernel diagnostic assertion "pg->wire_count != 0" failed: file "/syzkaller/managers/main/kernel/sys/uvm/uvm_page.c", line 1250 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83412687) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff83453dd9,ffffffff8343b102,4e2,ffffffff833a9e06) at __assert+0x29 sys/kern/subr_prf.c:-1 uvm_pageunwire(fffffd800793bc80) at uvm_pageunwire+0x17d sys/uvm/uvm_page.c:1249 uvm_fault_unwire_locked(fffffd806cd15740,299c6b51000,299c6b52000) at uvm_fault_unwire_locked+0x33a sys/uvm/uvm_fault.c:1790 uvm_unmap_kill_entry_withlock(fffffd806cd15740,fffffd806cd111a8,0) at uvm_unmap_kill_entry_withlock+0x81 sys/uvm/uvm_map.c:1866 uvm_map_teardown(fffffd806cd15740) at uvm_map_teardown+0x117 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:-1 [inline] uvm_map_teardown(fffffd806cd15740) at uvm_map_teardown+0x117 sys/uvm/uvm_map.c:2497 exit1(ffff800035ce7a10,0,0,1) at exit1+0x6e6 sys/kern/kern_exit.c:259 sys_exit(ffff800035ce7a10,ffff80003c9217a0,ffff80003c9216f0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c9217a0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c9217a0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x76284e752ed0, count: 4 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "pg->wire_count != 0" failed: file "/syzkaller/managers/main/kernel/sys/uvm/uvm_page.c", line 1250 ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83412687) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff83453dd9,ffffffff8343b102,4e2,ffffffff833a9e06) at __assert+0x29 sys/kern/subr_prf.c:-1 uvm_pageunwire(fffffd800793bc80) at uvm_pageunwire+0x17d sys/uvm/uvm_page.c:1249 uvm_fault_unwire_locked(fffffd806cd15740,299c6b51000,299c6b52000) at uvm_fault_unwire_locked+0x33a sys/uvm/uvm_fault.c:1790 uvm_unmap_kill_entry_withlock(fffffd806cd15740,fffffd806cd111a8,0) at uvm_unmap_kill_entry_withlock+0x81 sys/uvm/uvm_map.c:1866 uvm_map_teardown(fffffd806cd15740) at uvm_map_teardown+0x117 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:-1 [inline] uvm_map_teardown(fffffd806cd15740) at uvm_map_teardown+0x117 sys/uvm/uvm_map.c:2497 exit1(ffff800035ce7a10,0,0,1) at exit1+0x6e6 sys/kern/kern_exit.c:259 sys_exit(ffff800035ce7a10,ffff80003c9217a0,ffff80003c9216f0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c9217a0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c9217a0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x76284e752ed0, count: -11 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80003c9213e0 rbx 0xffff8000314c7618 rdx 0 rcx 0 rax 0xffff800035ce7a10 r8 0x101010101010101 r9 0x8080808080808080 r10 0xa91cef98f5230684 r11 0x68c6318be1ea5100 r12 0 r13 0xffffffff834fdac0 uvm_map_addr_RBT_INFO r14 0 r15 0x1 rip 0xffffffff826947d5 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80003c9213d0 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb> show proc PROC (syz-executor) tid=279958 pid=70571 tcnt=0 stat=onproc flags process=1018 proc=2000 runpri=32, usrpri=86, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0xffff800035ce7a10 scnt=-1 ecnt=1 forw=0xffffffffffffffff, list=0xffff800035ce67e8,0xffff800035ce6560 process=0xffff8000314c7618 user=0xffff80003c91c000, vmspace=0xfffffd806cd15740 estcpu=36, cpticks=6, pctcpu=0.0, user=0, sys=2, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 34686 221724 61141 0 2 0 syz-executor 34686 205135 61141 0 2 0x4000000 syz-executor 34686 191721 61141 0 3 0x4000000 inode syz-executor 23397 165715 56559 0 2 0 syz-executor 23397 261155 56559 0 3 0x4000080 ttyout syz-executor 23397 269686 56559 0 3 0x4000080 fsleep syz-executor 26128 333748 57514 0 2 0xc80 syz-executor 26128 278736 57514 0 3 0x4000080 fifor syz-executor 26128 82625 57514 0 3 0x4000080 fsleep syz-executor 25 455580 1 0 3 0x82 nanoslp getty 11242 465088 0 0 3 0x14200 acct acct 57514 278826 13686 0 2 0xc82 syz-executor 61141 267264 13686 0 2 0xc82 syz-executor 33053 408203 13686 0 2 0x2 syz-executor 32389 129235 13686 0 2 0xc82 syz-executor 78989 521605 13686 0 2 0x2 syz-executor 80674 249146 13686 0 2 0xc82 syz-executor 56559 317711 13686 0 2 0xc82 syz-executor 82609 122480 13686 0 2 0xc82 syz-executor 13686 207030 21353 0 3 0x82 kqread syz-executor 21353 469532 36884 0 3 0x10008a sigsusp ksh 36884 268288 74878 0 3 0x98 kqread sshd-session 74878 416314 64373 0 3 0x92 kqread sshd-session 64373 362005 1 0 3 0x88 kqread sshd 67944 368697 11083 73 3 0x1100090 kqread syslogd 11083 250348 1 0 3 0x100082 sbwait syslogd 2992 53246 1 0 3 0x100080 kqread resolvd 39666 76464 92151 77 3 0x100092 kqread dhcpleased 22715 438626 92151 77 3 0x100092 kqread dhcpleased 92151 262169 1 0 3 0x80 kqread dhcpleased 44684 494655 0 0 2 0x14200 smr 59568 321769 0 0 2 0x14200 zerothread 41287 476552 0 0 3 0x14200 aiodoned aiodoned 32755 201886 0 0 3 0x14200 syncer update 72962 213444 0 0 3 0x14200 cleaner cleaner 11588 312050 0 0 3 0x14200 reaper reaper 81505 219385 0 0 3 0x14200 pgdaemon pagedaemon 93043 395909 0 0 3 0x14200 bored viomb 50402 39279 0 0 3 0x40014200 acpi0 acpi0 97025 92804 0 0 2 0x14200 softnet0 39743 338607 0 0 3 0x14200 smrbar systqmp 56819 55030 0 0 3 0x14200 bored systq 69830 119754 0 0 3 0x40014200 tmoslp softclock 69461 363000 0 0 3 0x40014200 idle0 1 58059 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 11067 12355K 12361K 166960K 12368 0 pcb 20 14K 15K 166960K 62 0 rtable 190 7K 7K 166960K 392 0 pf 30 12K 14K 166960K 38 0 ifaddr 37 6K 7K 166960K 49 0 ifgroup 50 2K 2K 166960K 58 0 sysctl 1 1K 9K 166960K 5 0 counters 33 17K 18K 166960K 71 0 ioctlops 0 0K 2K 166960K 84 0 iov 0 0K 12K 166960K 6 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1299 82K 82K 166960K 1473 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 1K 166960K 2 0 VM map 2 1K 1K 166960K 2 0 sem 8 0K 0K 166960K 9 0 dirhash 12 2K 2K 166960K 15 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 15 53K 89K 166960K 247 0 sigio 0 0K 0K 166960K 1 0 proc 60 59K 100K 166960K 513 0 subproc 72 4K 4K 166960K 72 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 6 0 in_multi 80 5K 7K 166960K 111 0 ether_multi 1 0K 0K 166960K 3 0 mrt 0 0K 0K 166960K 5 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 61 281K 281K 166960K 61 0 exec 0 0K 1K 166960K 373 0 fusefs mount 1 32K 32K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 221 157K 165K 166960K 4007 0 UVM aobj 4 4K 6K 166960K 6 0 pinsyscall 36 72K 92K 166960K 1332 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 6 0 NDP 11 0K 2K 166960K 30 0 temp 40 9067K 9131K 166960K 5636 0 kqueue 13 20K 30K 166960K 50 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 74 0 71 2 0 2 2 0 8 1 rtentry 136 112 0 34 4 0 4 4 0 8 0 unpcb 144 109 0 89 2 0 2 2 0 8 1 syncache 336 3 0 3 1 0 1 1 0 8 1 tcpcb 736 46 0 41 1 0 1 1 0 8 0 arp 96 18 0 4 1 0 1 1 0 8 0 inpcb 328 213 0 201 7 0 7 7 0 8 5 nd6 112 24 0 6 1 0 1 1 0 8 0 kcovpl 48 8 0 0 1 0 1 1 0 8 0 mppekey 1024 1 0 1 1 0 1 1 0 8 1 ppxss 1072 37 0 37 1 0 1 1 0 8 1 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 483 0 85 31 0 31 31 0 8 3 art_table 40 484 0 85 5 0 5 5 0 8 0 art_node 32 112 0 32 1 0 1 1 0 8 0 sysvmsgpl 40 4 0 1 1 0 1 1 0 8 0 semapl 112 6 0 0 1 0 1 1 0 8 0 shmpl 112 3 0 2 1 0 1 1 0 8 0 dirhash 1024 19 0 2 3 0 3 3 0 8 0 dino2pl 256 1769 0 311 92 0 92 92 0 8 0 ffsino 256 1769 0 311 92 0 92 92 0 8 0 nchpl 144 2108 0 414 63 0 63 63 0 8 0 rtmask 32 2 0 2 1 0 1 1 0 8 1 vnodes 216 1918 0 0 107 0 107 107 0 8 0 namei 1024 6292 0 6291 2 0 2 2 0 8 1 kstatmem 264 28 0 6 2 0 2 2 0 8 0 scsiplug 72 1 0 1 1 0 1 1 0 8 1 scxspl 216 7152 0 7152 8 0 8 8 1 8 8 plimitpl 152 45 0 28 1 0 1 1 0 8 0 sigapl 424 539 0 497 6 0 6 6 0 8 1 knotepl 120 22323 0 22276 10 0 10 10 0 8 7 kqueuepl 184 56 0 45 1 0 1 1 0 8 0 pipepl 304 128 0 101 3 0 3 3 0 8 0 fdescpl 448 525 0 498 5 0 5 5 0 8 1 filepl 120 2125 0 1905 9 0 9 9 0 8 1 lockfpl 104 37 0 35 1 0 1 1 0 8 0 lockfspl 48 17 0 15 1 0 1 1 0 8 0 sessionpl 144 21 0 14 1 0 1 1 0 8 0 pgrppl 48 31 0 16 1 0 1 1 0 8 0 ucredpl 104 186 0 173 1 0 1 1 0 8 0 zombiepl 144 500 0 497 1 0 1 1 0 8 0 processpl 1152 539 0 497 4 0 4 4 0 8 0 procpl 664 715 0 667 6 0 6 6 0 8 1 sockpl 552 401 0 366 8 0 8 8 0 8 4 mcl64k 65536 5 0 5 1 0 1 1 0 8 1 mcl8k 8192 4 0 4 1 0 1 1 0 8 1 mcl4k 4096 2619 0 2564 15 0 15 15 0 8 7 mcl2k 2048 244 0 243 2 0 2 2 0 8 1 mtagpl 96 5 0 4 1 0 1 1 0 8 0 mbufpl 256 6148 0 5997 76 0 76 76 0 8 63 bufpl 280 4978 0 102 349 0 349 349 0 8 0 anonpl 24 82542 0 74420 50 0 50 50 0 187 0 amapchunkpl 152 11516 0 10790 30 0 30 30 0 158 0 amappl16 200 708 0 669 3 0 3 3 0 8 0 amappl15 192 4 0 4 1 0 1 1 0 8 1 amappl14 184 407 0 406 1 0 1 1 0 8 0 amappl13 176 114 0 104 1 0 1 1 0 8 0 amappl12 168 776 0 749 2 0 2 2 0 8 0 amappl11 160 7 0 7 1 0 1 1 0 8 1 amappl10 152 62 0 52 1 0 1 1 0 8 0 amappl9 144 269 0 268 1 0 1 1 0 8 0 amappl8 136 123 0 121 1 0 1 1 0 8 0 amappl7 128 237 0 226 1 0 1 1 0 8 0 amappl6 120 170 0 167 1 0 1 1 0 8 0 amappl5 112 86 0 78 1 0 1 1 0 8 0 amappl4 104 251 0 236 1 0 1 1 0 8 0 amappl3 96 2131 0 2023 4 0 4 4 0 8 1 amappl2 88 529 0 475 2 0 2 2 0 8 0 amappl1 80 9439 0 8890 13 0 13 13 0 8 1 amappl 88 3297 0 3140 5 0 5 5 0 92 1 uvmvnodes 80 95 0 0 2 0 2 2 0 8 0 dma4096 4096 1 0 1 1 0 1 1 0 8 1 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 7 0 7 1 0 1 1 0 8 1 dma128 128 253 0 253 1 0 1 1 0 8 1 dma64 64 6 0 6 1 0 1 1 0 8 1 dma32 32 7 0 7 1 0 1 1 0 8 1 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 5 0 2 1 0 1 1 0 8 0 uaddrrnd 24 525 0 497 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 525 0 497 1 0 1 1 0 8 0 vmmpekpl 168 5873 0 5838 2 0 2 2 0 8 0 vmmpepl 168 40096 0 38351 81 0 81 81 0 357 0 vmsppl 368 524 0 497 4 0 4 4 0 8 1 rwobjpl 40 13178 0 12222 11 0 11 11 0 8 0 pdppl 4096 1056 0 994 92 26 66 78 0 8 4 pvpl 32 245626 0 217615 233 0 233 233 0 265 0 pmappl 216 524 0 497 2 0 2 2 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 423 0 26 12 0 12 12 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83412687) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff83453dd9,ffffffff8343b102,4e2,ffffffff833a9e06) at __assert+0x29 sys/kern/subr_prf.c:-1 uvm_pageunwire(fffffd800793bc80) at uvm_pageunwire+0x17d sys/uvm/uvm_page.c:1249 uvm_fault_unwire_locked(fffffd806cd15740,299c6b51000,299c6b52000) at uvm_fault_unwire_locked+0x33a sys/uvm/uvm_fault.c:1790 uvm_unmap_kill_entry_withlock(fffffd806cd15740,fffffd806cd111a8,0) at uvm_unmap_kill_entry_withlock+0x81 sys/uvm/uvm_map.c:1866 uvm_map_teardown(fffffd806cd15740) at uvm_map_teardown+0x117 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:-1 [inline] uvm_map_teardown(fffffd806cd15740) at uvm_map_teardown+0x117 sys/uvm/uvm_map.c:2497 exit1(ffff800035ce7a10,0,0,1) at exit1+0x6e6 sys/kern/kern_exit.c:259 sys_exit(ffff800035ce7a10,ffff80003c9217a0,ffff80003c9216f0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c9217a0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c9217a0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x76284e752ed0, count: -11 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83412687) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff83453dd9,ffffffff8343b102,4e2,ffffffff833a9e06) at __assert+0x29 sys/kern/subr_prf.c:-1 uvm_pageunwire(fffffd800793bc80) at uvm_pageunwire+0x17d sys/uvm/uvm_page.c:1249 uvm_fault_unwire_locked(fffffd806cd15740,299c6b51000,299c6b52000) at uvm_fault_unwire_locked+0x33a sys/uvm/uvm_fault.c:1790 uvm_unmap_kill_entry_withlock(fffffd806cd15740,fffffd806cd111a8,0) at uvm_unmap_kill_entry_withlock+0x81 sys/uvm/uvm_map.c:1866 uvm_map_teardown(fffffd806cd15740) at uvm_map_teardown+0x117 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:-1 [inline] uvm_map_teardown(fffffd806cd15740) at uvm_map_teardown+0x117 sys/uvm/uvm_map.c:2497 exit1(ffff800035ce7a10,0,0,1) at exit1+0x6e6 sys/kern/kern_exit.c:259 sys_exit(ffff800035ce7a10,ffff80003c9217a0,ffff80003c9216f0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c9217a0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c9217a0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x76284e752ed0, count: -11