panic: kernel diagnostic assertion "map->limit == rtmap_limit" failed: file "/syzkaller/managers/main/kernel/sys/net/rtable.c", line 131 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *227587 85896 0 0 0x4000000 0 syz-executor db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff834335d1) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833df140,ffffffff833a8d73,83,ffffffff83427d59) at __assert+0x29 sys/kern/subr_prf.c:-1 rtmap_grow(6,21) at rtmap_grow+0x1f3 sys/net/rtable.c:131 rtable_add(5) at rtable_add+0x279 sys/net/rtable.c:-1 route_output(fffffd8079461000,ffff800010fdbae0) at route_output+0x525 sys/net/rtsock.c:786 route_send(ffff800010fdbae0,fffffd8079461000,0,0) at route_send+0xd7 sys/net/rtsock.c:342 sosend(ffff800010fdbae0,0,ffff80003c956e38,0,0,0) at sosend+0x824 sys/kern/uipc_socket.c:-1 sendit(ffff80003390dc58,3,ffff80003c956f30,0,ffff80003c956fe0) at sendit+0x721 sys/kern/uipc_syscalls.c:779 sys_sendto(ffff80003390dc58,ffff80003c957090,ffff80003c956fe0) at sys_sendto+0x8d sys/kern/uipc_syscalls.c:557 syscall(ffff80003c957090) at syscall+0x97e mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c957090) at syscall+0x97e sys/arch/amd64/amd64/trap.c:579 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x633970b4b00, count: 3 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "map->limit == rtmap_limit" failed: file "/syzkaller/managers/main/kernel/sys/net/rtable.c", line 131 ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff834335d1) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833df140,ffffffff833a8d73,83,ffffffff83427d59) at __assert+0x29 sys/kern/subr_prf.c:-1 rtmap_grow(6,21) at rtmap_grow+0x1f3 sys/net/rtable.c:131 rtable_add(5) at rtable_add+0x279 sys/net/rtable.c:-1 route_output(fffffd8079461000,ffff800010fdbae0) at route_output+0x525 sys/net/rtsock.c:786 route_send(ffff800010fdbae0,fffffd8079461000,0,0) at route_send+0xd7 sys/net/rtsock.c:342 sosend(ffff800010fdbae0,0,ffff80003c956e38,0,0,0) at sosend+0x824 sys/kern/uipc_socket.c:-1 sendit(ffff80003390dc58,3,ffff80003c956f30,0,ffff80003c956fe0) at sendit+0x721 sys/kern/uipc_syscalls.c:779 sys_sendto(ffff80003390dc58,ffff80003c957090,ffff80003c956fe0) at sys_sendto+0x8d sys/kern/uipc_syscalls.c:557 syscall(ffff80003c957090) at syscall+0x97e mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c957090) at syscall+0x97e sys/arch/amd64/amd64/trap.c:579 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x633970b4b00, count: -12 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80003c956a50 rbx 0x21 rdx 0xffff800001469840 rcx 0 rax 0xffff80003390dc58 r8 0 r9 0x8080808080808080 r10 0xb353358fd5f3eb95 r11 0x23196b0bdf0f54da r12 0 r13 0x1 r14 0 r15 0x1 rip 0xffffffff81d02215 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80003c956a40 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb> show proc PROC (syz-executor) tid=227587 pid=85896 tcnt=2 stat=onproc flags process=0 proc=4000000 runpri=80, usrpri=80, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80003390cf88,0xffff80003390c7e8 process=0xffff800035d14018 user=0xffff80003c952000, vmspace=0xfffffd806c294b50 estcpu=30, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 73759 281775 46356 0 2 0 syz-executor 73759 455440 46356 0 3 0x4000080 fsleep syz-executor 85896 338184 52314 0 3 0x80 nanoslp syz-executor *85896 227587 52314 0 7 0x4000000 syz-executor 11009 309299 45233 60929 2 0x10 syz-executor 11009 484288 45233 60929 3 0x4000090 fsleep syz-executor 11582 27784 7315 0 2 0x400000 syz-executor 11582 327757 7315 0 2 0x4400000 syz-executor 18849 495797 71935 0 2 0 syz-executor 18849 495806 71935 0 3 0x4000080 fsleep syz-executor 96886 150790 28465 0 2 0 syz-executor 96886 179218 28465 0 3 0x4000080 kqsel syz-executor 96886 325101 28465 0 2 0x4000000 syz-executor 96886 209119 28465 0 3 0x4000080 fsleep syz-executor 96886 500306 28465 0 3 0x4000080 fsleep syz-executor 72404 190351 0 0 3 0x14280 nfsidl nfsio 59719 232679 0 0 3 0x14280 nfsidl nfsio 18639 262160 0 0 3 0x14280 nfsidl nfsio 73986 208274 0 0 3 0x14280 nfsidl nfsio 39376 72257 0 0 3 0x14280 nfsidl nfsio 91688 515113 0 0 3 0x14280 nfsidl nfsio 46004 204849 0 0 3 0x14280 nfsidl nfsio 86784 90261 0 0 3 0x14280 nfsidl nfsio 63177 12066 0 0 3 0x14280 nfsidl nfsio 29843 148206 0 0 3 0x14280 nfsidl nfsio 44553 145434 0 0 3 0x14280 nfsidl nfsio 83375 263413 0 0 3 0x14280 nfsidl nfsio 38695 427189 0 0 3 0x14280 nfsidl nfsio 80965 522520 0 0 3 0x14280 nfsidl nfsio 9145 352349 0 0 3 0x14280 nfsidl nfsio 34319 364485 0 0 3 0x14280 nfsidl nfsio 40774 485690 0 0 3 0x14280 nfsidl nfsio 60739 276994 0 0 3 0x14280 nfsidl nfsio 43419 108911 0 0 3 0x14280 nfsidl nfsio 43765 201686 0 0 3 0x14280 nfsidl nfsio 46356 266353 45919 0 3 0x82 nanoslp syz-executor 46404 11062 0 0 3 0x14200 bored sosplice 56273 472397 45919 0 3 0x82 nanoslp syz-executor 28465 513436 45919 0 2 0xc82 syz-executor 52314 348743 45919 0 3 0x82 nanoslp syz-executor 71935 466416 45919 0 3 0x82 nanoslp syz-executor 45233 322724 45919 0 2 0xc82 syz-executor 87726 481575 45919 0 3 0x82 nanoslp syz-executor 7315 157321 45919 0 2 0xc82 syz-executor 45919 77626 37245 0 3 0x82 kqread syz-executor 37245 226809 71940 0 3 0x10008a sigsusp ksh 71940 405764 96643 0 3 0x98 kqread sshd-session 96643 312994 76789 0 3 0x92 kqread sshd-session 31071 277100 1 0 3 0x100083 ttyin getty 76789 181618 1 0 3 0x88 kqread sshd 91553 26430 76935 73 3 0x1100090 kqread syslogd 76935 69068 1 0 3 0x100082 sbwait syslogd 49902 162017 1 0 3 0x100080 kqread resolvd 53788 166459 65192 77 3 0x100092 kqread dhcpleased 48643 520618 65192 77 3 0x100092 kqread dhcpleased 65192 364437 1 0 3 0x80 kqread dhcpleased 5034 179661 0 0 3 0x14200 bored smr 49195 421435 0 0 2 0x14200 zerothread 80185 360924 0 0 3 0x14200 aiodoned aiodoned 51589 472988 0 0 3 0x14200 syncer update 78898 509812 0 0 3 0x14200 cleaner cleaner 987 58230 0 0 3 0x14200 reaper reaper 60911 472628 0 0 3 0x14200 pgdaemon pagedaemon 40696 205525 0 0 3 0x14200 bored viomb 3141 369628 0 0 3 0x40014200 acpi0 acpi0 40404 278817 0 0 3 0x14200 bored softnet3 30458 336473 0 0 3 0x14200 bored softnet2 90696 435514 0 0 3 0x14200 bored softnet1 78628 347270 0 0 3 0x14200 bored softnet0 81129 143027 0 0 3 0x14200 bored systqmp 52820 390106 0 0 3 0x14200 bored systq 51741 93514 0 0 2 0x40014200 softclock 5621 514042 0 0 3 0x40014200 idle0 1 324153 0 0 3 0x82 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10208 11044K 11770K 166960K 12120 0 pcb 18 14K 16K 166960K 99 0 rtable 196 7K 7K 166960K 461 0 pf 33 13K 14K 166960K 83 0 ifaddr 37 6K 7K 166960K 71 0 ifgroup 49 2K 2K 166960K 101 0 sysctl 4 1K 9K 166960K 11 0 counters 32 17K 18K 166960K 55 0 ioctlops 0 0K 4K 166960K 102 0 iov 0 0K 20K 166960K 22 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1394 88K 88K 166960K 1810 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 9K 166960K 12 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 17 0 dirhash 12 2K 2K 166960K 15 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 18 65K 97K 166960K 598 0 sigio 0 0K 0K 166960K 10 0 proc 61 67K 124K 166960K 534 0 subproc 72 4K 4K 166960K 81 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 49 0 in_multi 77 5K 7K 166960K 137 0 ether_multi 1 0K 0K 166960K 10 0 mrt 0 0K 0K 166960K 4 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 259 1155K 1155K 166960K 259 0 exec 0 0K 1K 166960K 397 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 229 151K 167K 166960K 6861 0 UVM aobj 20 6K 6K 166960K 22 0 pinsyscall 39 78K 96K 166960K 1656 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 14 0 NDP 11 0K 2K 166960K 46 0 temp 50 8681K 8803K 166960K 22845 0 kqueue 14 22K 32K 166960K 114 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 76 0 71 1 0 1 1 0 8 0 rtentry 136 147 0 61 4 0 4 4 0 8 0 unpcb 144 513 0 498 7 5 2 6 0 8 1 syncache 336 5 0 5 2 1 1 1 0 8 1 tcpcb 736 112 0 107 1 0 1 1 0 8 0 arp 88 24 0 8 1 0 1 1 0 8 0 ipq 40 2 0 1 1 0 1 1 0 8 0 ipqe 40 5 0 4 1 0 1 1 0 8 0 inpcb 328 590 0 577 12 10 2 12 0 8 0 nd6 104 31 0 10 1 0 1 1 0 8 0 pkpcb 40 2 0 2 2 1 1 1 0 8 1 kcovpl 48 9 0 1 1 0 1 1 0 8 0 mppekey 1024 1 0 1 1 0 1 1 0 8 1 ppxss 1072 17 0 16 2 1 1 1 0 8 0 pppxif 1384 2 0 2 1 1 0 1 0 8 0 pfstscr 40 1 0 1 1 1 0 1 0 8 0 pftag 88 2 0 0 1 0 1 1 0 8 0 pfstitem 24 2 0 0 1 0 1 1 0 8 0 pfstkey 128 3 0 1 1 0 1 1 0 8 0 pfstate 384 2 0 1 1 0 1 1 0 8 0 pfrule 1344 3 0 3 2 1 1 1 0 8 1 rttmr 136 1 0 1 1 1 0 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 640 0 264 31 6 25 29 0 8 1 art_table 32 641 0 264 4 0 4 4 0 8 0 art_node 16 144 0 68 1 0 1 1 0 8 0 sysvmsgpl 40 3 0 2 1 0 1 1 0 8 0 semupl 112 1 0 1 1 0 1 1 0 8 1 semapl 112 14 0 4 1 0 1 1 0 8 0 shmpl 112 19 0 2 1 0 1 1 0 8 0 dirhash 1024 19 0 2 3 0 3 3 0 8 0 dino2pl 256 2451 0 961 95 0 95 95 0 8 0 ffsino 248 2451 0 961 95 0 95 95 0 8 0 nchpl 144 3253 0 1566 63 0 63 63 0 8 0 rtmask 32 2 0 2 1 1 0 1 0 8 0 uvmvnodes 80 2813 0 0 58 0 58 58 0 8 0 vnodes 216 2813 0 0 157 0 157 157 0 8 0 namei 1024 10570 0 10569 4 2 2 2 0 8 1 kstatmem 264 56 0 34 2 0 2 2 0 8 0 acpiwqpl 32 1 0 1 1 0 1 1 1 8 1 scsiplug 72 4 0 4 1 1 0 1 0 8 0 scxspl 216 10200 0 10200 8 7 1 8 1 8 1 plimitpl 152 151 0 134 1 0 1 1 0 8 0 sigapl 424 897 0 830 9 1 8 8 0 8 0 knotepl 120 20401 0 20348 24 13 11 16 0 8 8 kqueuepl 184 177 0 165 1 0 1 1 0 8 0 pipepl 296 138 0 111 3 0 3 3 0 8 0 fdescpl 440 859 0 829 5 1 4 5 0 8 0 filepl 120 4346 0 4116 12 4 8 12 0 8 0 lockfpl 104 170 0 167 1 0 1 1 0 8 0 lockfspl 48 76 0 73 1 0 1 1 0 8 0 sessionpl 144 24 0 16 1 0 1 1 0 8 0 pgrppl 48 37 0 21 1 0 1 1 0 8 0 ucredpl 104 551 0 537 1 0 1 1 0 8 0 zombiepl 144 942 0 939 1 0 1 1 0 8 0 processpl 1160 897 0 830 5 0 5 5 0 8 0 procpl 656 1663 0 1583 9 0 9 9 0 8 2 sosppl 168 5 0 5 2 1 1 1 0 8 1 sockpl 528 1194 0 1161 14 11 3 12 0 8 0 mcl64k 65536 19 0 19 2 1 1 1 0 8 1 mcl16k 16384 3 0 3 2 1 1 1 0 8 1 mcl9k 9216 1 0 1 1 1 0 1 0 8 0 mcl8k 8192 6 0 6 2 1 1 1 0 8 1 mcl4k 4096 3031 0 2981 16 8 8 15 0 8 0 mcl2k 2048 606 0 606 4 3 1 3 0 8 1 mtagpl 96 77 0 38 1 0 1 1 0 8 0 mbufpl 256 8877 0 8680 17 1 16 17 0 8 0 bufpl 280 3186 0 122 219 0 219 219 0 8 0 anonpl 24 137148 0 133851 70 39 31 64 0 187 6 amapchunkpl 152 22629 0 22120 38 16 22 38 0 158 1 amappl16 200 1901 0 1867 6 3 3 6 0 8 0 amappl15 192 6 0 6 1 1 0 1 0 8 0 amappl14 184 108 0 98 1 0 1 1 0 8 0 amappl13 176 4 0 4 1 1 0 1 0 8 0 amappl12 168 1499 0 1469 3 1 2 3 0 8 0 amappl11 160 43 0 33 1 0 1 1 0 8 0 amappl10 152 5 0 5 1 1 0 1 0 8 0 amappl9 144 256 0 256 1 1 0 1 0 8 0 amappl8 136 22 0 19 1 0 1 1 0 8 0 amappl7 128 100 0 90 1 0 1 1 0 8 0 amappl6 120 189 0 186 1 0 1 1 0 8 0 amappl5 112 117 0 111 1 0 1 1 0 8 0 amappl4 104 288 0 272 1 0 1 1 0 8 0 amappl3 96 4231 0 4111 4 0 4 4 0 8 1 amappl2 88 634 0 578 2 0 2 2 0 8 0 amappl1 80 10236 0 9682 14 0 14 14 0 8 0 amappl 88 6113 0 5946 5 0 5 5 0 92 1 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 257 0 257 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 21 0 2 1 0 1 1 0 8 0 uaddrrnd 24 859 0 829 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 859 0 829 1 0 1 1 0 8 0 vmmpekpl 168 8409 0 8370 3 0 3 3 0 8 0 vmmpepl 168 58772 0 56854 94 4 90 90 0 357 5 vmsppl 360 858 0 829 4 1 3 4 0 8 0 rwobjpl 32 19897 0 16205 31 0 31 31 0 8 1 pdppl 4096 1725 0 1658 105 36 69 83 0 8 2 pvpl 32 380180 0 370277 135 47 88 132 0 265 4 pmappl 216 858 0 829 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 289 0 62 7 0 7 7 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff834335d1) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833df140,ffffffff833a8d73,83,ffffffff83427d59) at __assert+0x29 sys/kern/subr_prf.c:-1 rtmap_grow(6,21) at rtmap_grow+0x1f3 sys/net/rtable.c:131 rtable_add(5) at rtable_add+0x279 sys/net/rtable.c:-1 route_output(fffffd8079461000,ffff800010fdbae0) at route_output+0x525 sys/net/rtsock.c:786 route_send(ffff800010fdbae0,fffffd8079461000,0,0) at route_send+0xd7 sys/net/rtsock.c:342 sosend(ffff800010fdbae0,0,ffff80003c956e38,0,0,0) at sosend+0x824 sys/kern/uipc_socket.c:-1 sendit(ffff80003390dc58,3,ffff80003c956f30,0,ffff80003c956fe0) at sendit+0x721 sys/kern/uipc_syscalls.c:779 sys_sendto(ffff80003390dc58,ffff80003c957090,ffff80003c956fe0) at sys_sendto+0x8d sys/kern/uipc_syscalls.c:557 syscall(ffff80003c957090) at syscall+0x97e mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c957090) at syscall+0x97e sys/arch/amd64/amd64/trap.c:579 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x633970b4b00, count: -12 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff834335d1) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833df140,ffffffff833a8d73,83,ffffffff83427d59) at __assert+0x29 sys/kern/subr_prf.c:-1 rtmap_grow(6,21) at rtmap_grow+0x1f3 sys/net/rtable.c:131 rtable_add(5) at rtable_add+0x279 sys/net/rtable.c:-1 route_output(fffffd8079461000,ffff800010fdbae0) at route_output+0x525 sys/net/rtsock.c:786 route_send(ffff800010fdbae0,fffffd8079461000,0,0) at route_send+0xd7 sys/net/rtsock.c:342 sosend(ffff800010fdbae0,0,ffff80003c956e38,0,0,0) at sosend+0x824 sys/kern/uipc_socket.c:-1 sendit(ffff80003390dc58,3,ffff80003c956f30,0,ffff80003c956fe0) at sendit+0x721 sys/kern/uipc_syscalls.c:779 sys_sendto(ffff80003390dc58,ffff80003c957090,ffff80003c956fe0) at sys_sendto+0x8d sys/kern/uipc_syscalls.c:557 syscall(ffff80003c957090) at syscall+0x97e mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c957090) at syscall+0x97e sys/arch/amd64/amd64/trap.c:579 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x633970b4b00, count: -12