panic: kernel diagnostic assertion "map->limit == rtmap_limit" failed: file "/syzkaller/managers/multicore/kernel/sys/net/rtable.c", line 132 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND 103377 97614 0 0 0 1 syz-executor * 80542 97614 0 0 0x4000000 0K syz-executor db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff833949ac) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff833d4263,ffffffff833d00b7,84,ffffffff8342a65c) at __assert+0x29 sys/kern/subr_prf.c:-1 rtmap_grow(17,21) at rtmap_grow+0x24f rtable_add(16) at rtable_add+0x2d9 rtable_alloc sys/net/rtable.c:370 [inline] rtable_add(16) at rtable_add+0x2d9 sys/net/rtable.c:223 if_createrdomain(16,ffff800000afd800) at if_createrdomain+0x40 sys/net/if.c:1974 ifioctl(ffff800001505228,8020699f,ffff80002a344630,ffff80003ac07a20) at ifioctl+0x1b40 sys/net/if.c:2323 sys_ioctl(ffff80003ac07a20,ffff80002a344810,ffff80002a344760) at sys_ioctl+0x674 sys/kern/sys_generic.c:-1 syscall(ffff80002a344810) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80002a344810) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:765 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xc52b12b4d90, count: 5 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: kernel diagnostic assertion "map->limit == rtmap_limit" failed: file "/syzkaller/managers/multicore/kernel/sys/net/rtable.c", line 132 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff833949ac) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff833d4263,ffffffff833d00b7,84,ffffffff8342a65c) at __assert+0x29 sys/kern/subr_prf.c:-1 rtmap_grow(17,21) at rtmap_grow+0x24f rtable_add(16) at rtable_add+0x2d9 rtable_alloc sys/net/rtable.c:370 [inline] rtable_add(16) at rtable_add+0x2d9 sys/net/rtable.c:223 if_createrdomain(16,ffff800000afd800) at if_createrdomain+0x40 sys/net/if.c:1974 ifioctl(ffff800001505228,8020699f,ffff80002a344630,ffff80003ac07a20) at ifioctl+0x1b40 sys/net/if.c:2323 sys_ioctl(ffff80003ac07a20,ffff80002a344810,ffff80002a344760) at sys_ioctl+0x674 sys/kern/sys_generic.c:-1 syscall(ffff80002a344810) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80002a344810) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:765 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xc52b12b4d90, count: -10 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff80002a344340 rbx 0xffffffff8384ce07 cpu_info_full_primary+0x2e07 rdx 0 rcx 0xffff80003ac07a20 rax 0xffffffff8384bff0 cpu_info_full_primary+0x1ff0 r8 0x101010101010101 r9 0x8080808080808080 r10 0x923b52df0cae5f3b r11 0xb3bf8d1f8da507ba r12 0xffffffff8384cc08 cpu_info_full_primary+0x2c08 r13 0 r14 0 r15 0x1 rip 0xffffffff82d87095 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80002a344330 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor) tid=80542 pid=97614 tcnt=3 stat=onproc flags process=0 proc=4000000 runpri=50, usrpri=50, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80003ac062c8,0xffff80003ac07798 process=0xffff80003c4e39e8 user=0xffff80002a33f000, vmspace=0xfffffd806eee2b78 estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 97614 103377 3553 0 7 0 syz-executor 97614 217587 3553 0 2 0x4000000 syz-executor *97614 80542 3553 0 7 0x4000000 syz-executor 43661 101565 4630 0 2 0 syz-executor 43661 412669 4630 0 3 0x4000080 fsleep syz-executor 43661 428844 4630 0 2 0x4000000 syz-executor 29455 512963 86606 0 2 0 syz-executor 29455 222881 86606 0 3 0x4000080 kqsel syz-executor 29455 370441 86606 0 3 0x4000080 fsleep syz-executor 82696 211085 47229 0 2 0 syz-executor 82696 130230 47229 0 3 0x4000080 fsleep syz-executor 62184 206313 87592 0 2 0 syz-executor 62184 509620 87592 0 3 0x4000080 piperd syz-executor 62184 6271 87592 0 3 0x4000080 fsleep syz-executor 86036 385627 0 0 3 0x14200 acct acct 54579 240443 1 0 3 0x100083 ttyopn getty 2797 492590 27588 0 3 0x82 wait syz-executor 47229 417714 27588 0 2 0xc82 syz-executor 3553 482570 27588 0 2 0xc82 syz-executor 24719 428584 27588 0 3 0x82 piperd syz-executor 87592 344195 27588 0 3 0x82 nanoslp syz-executor 88538 434219 27588 0 2 0x2 syz-executor 86606 445122 27588 0 2 0xc82 syz-executor 4630 219060 27588 0 3 0x82 nanoslp syz-executor 27588 287539 78897 0 2 0x2 syz-executor 78897 373735 11921 0 3 0x10008a sigsusp ksh 11921 268341 51232 0 3 0x98 kqread sshd-session 51232 39449 32524 0 3 0x92 kqread sshd-session 32524 68065 1 0 3 0x88 kqread sshd 97384 229944 8190 74 3 0x1100092 bpf pflogd 8190 398981 1 0 3 0x80 sbwait pflogd 92903 450069 18656 73 3 0x1100090 kqread syslogd 18656 394427 1 0 3 0x100082 sbwait syslogd 7416 121261 1 0 3 0x100080 kqread resolvd 92932 158676 48289 77 3 0x100092 kqread dhcpleased 81055 89286 48289 77 3 0x100092 kqread dhcpleased 48289 210211 1 0 3 0x80 kqread dhcpleased 26648 237210 0 0 3 0x14200 bored smr 26697 407158 0 0 2 0x14200 zerothread 96197 519240 0 0 3 0x14200 aiodoned aiodoned 4131 4603 0 0 3 0x14200 syncer update 90337 119630 0 0 3 0x14200 cleaner cleaner 77052 90724 0 0 3 0x14200 reaper reaper 15762 458232 0 0 3 0x14200 pgdaemon pagedaemon 89688 47803 0 0 3 0x14200 bored viomb 86405 361306 0 0 3 0x40014200 acpi0 acpi0 31139 124498 0 0 3 0x40014200 idle1 46750 408042 0 0 3 0x14200 bored softnet1 92916 354136 0 0 3 0x14200 bored softnet0 3619 136358 0 0 3 0x14200 bored systqmp 94631 32407 0 0 3 0x14200 bored systq 8361 58544 0 0 3 0x14200 tmoslp softclockmp 72247 115424 0 0 3 0x40014200 tmoslp softclock 43875 282686 0 0 3 0x40014200 idle0 1 448738 0 0 3 0x82 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb{0}> show all locks Process 97614 (syz-executor) thread 0xffff80003ac07a20 (80542) exclusive kernel_lock &kernel_lock r = 1 (0xffffffff83901248) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 __mp_acquire_count+0x58 sys/kern/kern_lock.c:-1 #2 malloc+0xe3 sys/kern/kern_malloc.c:174 #3 rtmap_grow+0xb2 sys/net/rtable.c:127 #4 rtable_add+0x2d9 rtable_alloc sys/net/rtable.c:370 [inline] #4 rtable_add+0x2d9 sys/net/rtable.c:223 #5 if_createrdomain+0x40 sys/net/if.c:1974 #6 ifioctl+0x1b40 sys/net/if.c:2323 #7 sys_ioctl+0x674 sys/kern/sys_generic.c:-1 #8 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] #8 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:765 #9 Xsyscall+0x128 Process 88538 (syz-executor) thread 0xffff8000fffefa08 (434219) exclusive rwlock vmmaplk r = 0 (0xfffffd800b0276b8) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320 #2 vm_map_lock_ln+0x12e sys/uvm/uvm_map.c:5171 #3 uvmspace_fork+0x12b sys/uvm/uvm_map.c:3741 #4 process_new+0x577 sys/kern/kern_fork.c:281 #5 fork1+0x3f6 sys/kern/kern_fork.c:-1 #6 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] #6 syscall+0xb17 sys/arch/amd64/amd64/trap.c:765 #7 Xsyscall+0x128 exclusive rwlock vmmaplk r = 0 (0xfffffd800b0278a0) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320 #2 vm_map_lock_ln+0x12e sys/uvm/uvm_map.c:5171 #3 uvmspace_fork+0x44 sys/uvm/uvm_map.c:3732 #4 process_new+0x577 sys/kern/kern_fork.c:281 #5 fork1+0x3f6 sys/kern/kern_fork.c:-1 #6 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] #6 syscall+0xb17 sys/arch/amd64/amd64/trap.c:765 #7 Xsyscall+0x128 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10206 11043K 11511K 166960K 12695 0 pcb 22 12K 12K 166960K 224 0 rtable 177 10K 10K 166960K 691 0 pf 38 18K 67485K 166960K 524 0 ifaddr 32 5K 8K 166960K 117 0 ifgroup 51 2K 2K 166960K 186 0 sysctl 4 1K 9K 166960K 12 0 counters 66 36K 37K 166960K 268 0 ioctlops 0 0K 4K 166960K 1894 0 iov 0 0K 24K 166960K 78 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1460 92K 92K 166960K 2665 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 5K 166960K 25 0 VM map 2 1K 1K 166960K 2 0 sem 12 1K 1K 166960K 40 0 dirhash 12 2K 3K 166960K 66 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 17 61K 106K 166960K 1355 0 sigio 0 0K 0K 166960K 26 0 proc 75 131K 164K 166960K 749 0 subproc 72 4K 4K 166960K 99 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 1 0K 0K 166960K 137 0 in_multi 57 4K 7K 166960K 185 0 ether_multi 1 0K 0K 166960K 12 0 mrt 1 0K 0K 166960K 8 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 97 440K 440K 166960K 97 0 exec 0 0K 1K 166960K 664 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 237 159K 175K 166960K 14422 0 UVM aobj 52 11K 11K 166960K 57 0 pinsyscall 42 84K 100K 166960K 2564 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 2 0K 1K 166960K 97 0 NDP 11 0K 2K 166960K 78 0 temp 78 8664K 8744K 166960K 42008 0 kqueue 14 22K 31K 166960K 309 0 SYN cache 2 16K 16K 166960K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 120 119 0 116 1 0 1 1 0 8 0 rtentry 176 186 0 123 6 0 6 6 0 8 0 unpcb 144 990 0 971 6 5 1 6 0 8 0 syncache 336 7 0 7 3 3 0 1 0 8 0 tcpcb 736 436 0 431 13 12 1 7 0 8 0 arp 136 27 0 16 1 0 1 1 0 8 0 inpcb 328 1260 0 1246 12 10 2 7 0 8 0 nd6 152 40 0 26 1 0 1 1 0 8 0 pkpcb 40 75 0 75 2 2 0 1 0 8 0 kcovpl 48 11 0 3 1 0 1 1 0 8 0 ppxss 1192 84 0 84 1 0 1 1 0 8 1 pppxif 1504 6 0 6 1 1 0 1 0 8 0 pffrag 232 13 0 3 1 0 1 1 0 482 0 pffrnode 88 12 0 3 1 0 1 1 0 8 0 pffrent 40 23 0 13 1 0 1 1 0 8 0 pfosfp 40 1429 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1429 0 714 21 0 21 21 0 8 0 pfrktable 1344 9 0 7 3 2 1 1 0 8 0 pfanchor 1288 4 0 0 1 0 1 1 0 8 0 pftag 88 4 0 2 1 0 1 1 0 8 0 pfstitem 24 98 0 32 1 0 1 1 0 8 0 pfstkey 128 98 0 32 3 0 3 3 0 8 0 pfstate 384 97 0 32 7 0 7 7 0 8 0 pfrule 1344 78 0 71 2 1 1 2 0 8 0 rttmr 136 2 0 2 1 1 0 1 0 8 0 art_heap8 4096 4 0 0 4 0 4 4 0 8 0 art_heap4 256 854 0 567 32 8 24 32 0 8 1 art_table 40 858 0 567 6 0 6 6 0 8 0 art_node 32 185 0 128 1 0 1 1 0 8 0 sysvmsgpl 40 90 0 80 1 0 1 1 0 8 0 semupl 112 4 0 4 3 2 1 1 0 8 1 semapl 112 34 0 24 1 0 1 1 0 8 0 shmpl 112 51 0 5 2 0 2 2 0 8 0 dirhash 1024 54 0 37 3 0 3 3 0 8 0 dino2pl 256 3942 0 2431 96 0 96 96 0 8 0 ffsino 296 3942 0 2431 118 1 117 118 0 8 0 nchpl 144 5721 0 4015 64 0 64 64 0 8 0 rtmask 32 7 0 7 2 1 1 1 0 8 1 vnodes 216 4810 0 0 268 0 268 268 0 8 0 namei 1024 19947 0 19947 2 1 1 2 0 8 1 percpumem 16 149 0 101 1 0 1 1 0 8 0 vcpupl 3968 3 0 0 1 0 1 1 0 8 0 vmpool 840 3 0 0 1 0 1 1 0 8 0 pfiaddrpl 120 1 0 0 1 0 1 1 0 8 0 kstatmem 264 114 0 88 3 0 3 3 0 8 1 scsiplug 72 8 0 8 2 2 0 1 0 8 0 scxspl 216 26649 0 26649 11 10 1 8 1 8 1 plimitpl 152 281 0 261 1 0 1 1 0 8 0 sigapl 424 1680 0 1632 8 1 7 8 0 8 1 knotepl 120 561 0 0 18 1 17 17 0 8 0 kqueuepl 224 752 0 739 7 5 2 5 0 8 1 pipepl 344 227 0 199 3 0 3 3 0 8 0 fdescpl 528 1637 0 1606 3 0 3 3 0 8 0 filepl 160 10379 0 10150 17 5 12 16 0 8 0 lockfpl 104 594 0 590 2 1 1 2 0 8 0 lockfspl 48 245 0 242 1 0 1 1 0 8 0 sessionpl 144 28 0 19 1 0 1 1 0 8 0 pgrppl 48 56 0 39 1 0 1 1 0 8 0 ucredpl 104 1540 0 1526 1 0 1 1 0 8 0 zombiepl 144 1688 0 1687 1 0 1 1 0 8 0 processpl 1232 1680 0 1632 6 1 5 6 0 8 0 procpl 664 3754 0 3697 8 1 7 8 0 8 0 sosppl 176 6 0 6 2 2 0 1 0 8 0 sockpl 752 2470 0 2432 20 16 4 18 0 8 0 mcl64k 65536 5 0 0 1 0 1 1 0 8 0 mcl16k 16384 3 0 0 1 0 1 1 0 8 0 mcl9k 9216 2 0 0 1 0 1 1 0 8 0 mcl8k 8192 5 0 0 1 0 1 1 0 8 0 mcl4k 4096 132 0 0 17 0 17 17 0 8 0 mcl2k 2048 32 0 0 4 0 4 4 0 8 0 mtagpl 96 6 0 0 1 0 1 1 0 8 0 mbufpl 256 1170 0 0 73 0 73 73 0 8 0 bufpl 280 9222 0 3085 439 0 439 439 0 8 0 anonpl 32 11668 0 0 95 0 95 95 0 246 0 amapchunkpl 152 49982 0 49518 43 14 29 35 0 158 7 amappl16 200 4605 0 4574 29 23 6 16 0 8 0 amappl15 192 6 0 6 1 1 0 1 0 8 0 amappl14 184 4 0 4 1 1 0 1 0 8 0 amappl13 176 466 0 465 1 0 1 1 0 8 0 amappl12 168 2018 0 1977 3 1 2 3 0 8 0 amappl11 160 6 0 6 1 1 0 1 0 8 0 amappl10 152 123 0 109 1 0 1 1 0 8 0 amappl9 144 249 0 248 2 1 1 1 0 8 0 amappl8 136 29 0 27 1 0 1 1 0 8 0 amappl7 128 93 0 90 1 0 1 1 0 8 0 amappl6 120 317 0 304 1 0 1 1 0 8 0 amappl5 112 98 0 87 1 0 1 1 0 8 0 amappl4 104 443 0 414 1 0 1 1 0 8 0 amappl3 96 8373 0 8287 4 1 3 3 0 8 0 amappl2 88 1760 0 1683 2 0 2 2 0 8 0 amappl1 80 14779 0 14183 16 2 14 15 0 8 0 amappl 88 13439 0 13279 5 0 5 5 0 92 0 uvmvnodes 80 161 0 0 4 0 4 4 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma2048 2048 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 8 0 8 3 2 1 1 0 8 1 dma128 128 254 0 254 2 2 0 1 0 8 0 dma64 64 7 0 7 2 2 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 56 0 5 1 0 1 1 0 8 0 uaddrrnd 24 1637 0 1606 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 1637 0 1606 1 0 1 1 0 8 0 vmmpekpl 168 14984 0 14945 3 0 3 3 0 8 0 vmmpepl 168 108192 0 106309 103 13 90 100 0 357 0 vmsppl 488 1636 0 1606 6 1 5 5 0 8 0 rwobjpl 80 29784 0 28651 32 3 29 29 0 8 0 pdppl 4096 3287 0 3215 113 39 74 85 0 8 2 pvpl 32 19395 0 0 158 1 157 157 0 265 0 pmappl 256 1639 0 1606 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 372 0 67 9 0 9 9 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff833949ac) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff833d4263,ffffffff833d00b7,84,ffffffff8342a65c) at __assert+0x29 sys/kern/subr_prf.c:-1 rtmap_grow(17,21) at rtmap_grow+0x24f rtable_add(16) at rtable_add+0x2d9 rtable_alloc sys/net/rtable.c:370 [inline] rtable_add(16) at rtable_add+0x2d9 sys/net/rtable.c:223 if_createrdomain(16,ffff800000afd800) at if_createrdomain+0x40 sys/net/if.c:1974 ifioctl(ffff800001505228,8020699f,ffff80002a344630,ffff80003ac07a20) at ifioctl+0x1b40 sys/net/if.c:2323 sys_ioctl(ffff80003ac07a20,ffff80002a344810,ffff80002a344760) at sys_ioctl+0x674 sys/kern/sys_generic.c:-1 syscall(ffff80002a344810) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80002a344810) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:765 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xc52b12b4d90, count: -10 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffff8000299edff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 end of kernel end trace frame: 0x728b83976070, count: 12 ddb{1}> trace x86_ipi_db(ffff8000299edff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 end of kernel end trace frame: 0x728b83976070, count: -3