panic: kernel diagnostic assertion "uvn->u_obj.uo_refs == 0" failed: file "/syzkaller/managers/setuid/kernel/sys/uvm/uvm_vnode.c", line 234 Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *521735 71290 32767 0x10 0x4000000 1K syz-executor.4 149993 93405 0 0x14000 0x200 0 reaper db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8259a517) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff8261308a,ffffffff8263280d,ea,ffffffff8262b018) at __assert+0x25 sys/kern/subr_prf.c:161 uvn_attach(fffffd806a680a70,6) at uvn_attach+0x444 sys/uvm/uvm_vnode.c:234 uvm_mmapfile(fffffd807effd2e0,ffff8000212fa078,10000,2,6,11,8ba82b493f1cd1e3,fffffd807effd2e0,0,11) at uvm_mmapfile+0x194 sys/uvm/uvm_mmap.c:1029 sys_mmap(ffff800027ba7500,ffff8000212fa120,ffff8000212fa1f0) at sys_mmap+0xb4a sys/uvm/uvm_mmap.c:395 sys_pad_mmap(ffff800027ba7500,ffff8000212fa1a8,ffff8000212fa1f0) at sys_pad_mmap+0x68 sys/uvm/uvm_mmap.c:470 syscall(ffff8000212fa270) at syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline] syscall(ffff8000212fa270) at syscall+0x435 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x2296431bc80, count: 6 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic *cpu1: kernel diagnostic assertion "uvn->u_obj.uo_refs == 0" failed: file "/syzkaller/managers/setuid/kernel/sys/uvm/uvm_vnode.c", line 234 ddb{1}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8259a517) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff8261308a,ffffffff8263280d,ea,ffffffff8262b018) at __assert+0x25 sys/kern/subr_prf.c:161 uvn_attach(fffffd806a680a70,6) at uvn_attach+0x444 sys/uvm/uvm_vnode.c:234 uvm_mmapfile(fffffd807effd2e0,ffff8000212fa078,10000,2,6,11,8ba82b493f1cd1e3,fffffd807effd2e0,0,11) at uvm_mmapfile+0x194 sys/uvm/uvm_mmap.c:1029 sys_mmap(ffff800027ba7500,ffff8000212fa120,ffff8000212fa1f0) at sys_mmap+0xb4a sys/uvm/uvm_mmap.c:395 sys_pad_mmap(ffff800027ba7500,ffff8000212fa1a8,ffff8000212fa1f0) at sys_pad_mmap+0x68 sys/uvm/uvm_mmap.c:470 syscall(ffff8000212fa270) at syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline] syscall(ffff8000212fa270) at syscall+0x435 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x2296431bc80, count: -9 ddb{1}> show registers rdi 0 rsi 0x1 rbp 0xffff8000212f9d10 rbx 0xffff800020dd9bb7 rdx 0 rcx 0 rax 0xffff800027ba7500 r8 0x101010101010101 r9 0x8080808080808080 r10 0x37ab5931339e143b r11 0x4beff33976f131d9 r12 0xffff800020dd99b8 r13 0 r14 0 r15 0x1 rip 0xffffffff8210ce38 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff8000212f9d00 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{1}> show proc PROC (syz-executor.4) pid=521735 stat=onproc flags process=10 proc=4000000 pri=32, usrpri=80, nice=20 forw=0xffffffffffffffff, list=0xffff800027ba7ce0,0xffff800027ba7a50 process=0xffff8000ffff3a40 user=0xffff8000212f5000, vmspace=0xfffffd807effd2e0 estcpu=36, cpticks=2, pctcpu=0.0 user=0, sys=1, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 71290 1110 62830 32767 3 0x90 nanoslp syz-executor.4 *71290 521735 62830 32767 7 0x4000010 syz-executor.4 71290 428334 62830 32767 3 0x4000090 fsleep syz-executor.4 71290 206558 62830 32767 3 0x4000090 fsleep syz-executor.4 14531 78975 10284 32767 3 0x90 piperd syz-executor.0 10284 331273 91623 0 3 0x82 wait syz-executor.0 7920 78802 69859 32767 3 0x90 piperd syz-executor.1 69859 392676 91623 0 3 0x82 wait syz-executor.1 56054 250393 85760 32767 3 0x90 piperd syz-executor.6 85760 75261 91623 0 3 0x82 wait syz-executor.6 37861 449680 49736 32767 3 0x90 nanoslp syz-executor.3 49736 349100 91623 0 3 0x82 wait syz-executor.3 11853 494795 74931 32767 3 0x90 piperd syz-executor.7 74931 225248 91623 0 3 0x82 wait syz-executor.7 62830 7605 28008 32767 3 0x90 nanoslp syz-executor.4 28008 265432 91623 0 3 0x82 wait syz-executor.4 49302 37419 0 0 3 0x14200 bored sosplice 65530 45847 67872 32767 3 0x90 nanoslp syz-executor.5 67872 124191 91623 0 3 0x82 wait syz-executor.5 39184 90373 79310 32767 3 0x90 piperd syz-executor.2 79310 53166 91623 0 3 0x82 wait syz-executor.2 91623 451822 91383 0 3 0x82 kqread syz-fuzzer 91623 447374 91383 0 3 0x4000082 nanoslp syz-fuzzer 91623 158245 91383 0 3 0x4000082 thrsleep syz-fuzzer 91623 145127 91383 0 3 0x4000082 thrsleep syz-fuzzer 91623 56654 91383 0 3 0x4000082 thrsleep syz-fuzzer 91623 85318 91383 0 3 0x4000082 thrsleep syz-fuzzer 91623 341798 91383 0 3 0x4000082 thrsleep syz-fuzzer 91623 189940 91383 0 3 0x4000082 thrsleep syz-fuzzer 91383 244843 70335 0 3 0x10008a sigsusp ksh 70335 189466 20145 0 3 0x9a kqread sshd 27209 152105 1 0 3 0x100083 ttyin getty 20145 480286 1 0 3 0x88 kqread sshd 5020 47020 234 73 3 0x1100090 kqread syslogd 234 434770 1 0 3 0x100082 netio syslogd 59997 380838 1 0 3 0x100080 kqread resolvd 16627 118403 4310 77 3 0x100092 kqread dhcpleased 2523 502341 4310 77 3 0x100092 kqread dhcpleased 4310 476452 1 0 3 0x80 kqread dhcpleased 24177 493208 0 0 3 0x14200 bored smr 94354 311282 0 0 2 0x14200 zerothread 94998 514143 0 0 3 0x14200 aiodoned aiodoned 68561 468848 0 0 3 0x14200 syncer update 38087 319929 0 0 3 0x14200 cleaner cleaner 93405 149993 0 0 7 0x14200 reaper 23809 221092 0 0 3 0x14200 pgdaemon pagedaemon 80754 163353 0 0 3 0x14200 bored viomb 11123 495133 0 0 3 0x40014200 acpi0 acpi0 67106 7287 0 0 3 0x40014200 idle1 87045 46276 0 0 3 0x14200 bored softnet 4895 21735 0 0 3 0x14200 bored softnet 41517 79731 0 0 3 0x14200 bored softnet 28818 348753 0 0 3 0x14200 bored softnet 56967 235307 0 0 3 0x14200 bored systqmp 34960 80450 0 0 3 0x14200 bored systq 60744 523673 0 0 3 0x40014200 bored softclock 26026 368037 0 0 3 0x40014200 idle0 1 166069 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks CPU 0: exclusive mutex &pmap->pm_mtx r = 0 (0xfffffd806c6c18d8) #0 witness_lock+0x44d #1 mtx_enter_try+0x100 #2 mtx_enter+0x4b sys/kern/kern_lock.c:266 #3 pmap_do_remove+0x8b rcr3 machine/cpufunc.h:141 [inline] #3 pmap_do_remove+0x8b pmap_map_ptes sys/arch/amd64/amd64/pmap.c:414 [inline] #3 pmap_do_remove+0x8b sys/arch/amd64/amd64/pmap.c:1768 #4 uvm_unmap_kill_entry_withlock+0x1af sys/uvm/uvm_map.c:2139 #5 uvm_map_teardown+0x197 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:176 [inline] #5 uvm_map_teardown+0x197 sys/uvm/uvm_map.c:2771 #6 uvmspace_free+0xa6 sys/uvm/uvm_map.c:3684 #7 reaper+0x19a sys/kern/kern_exit.c:454 #8 proc_trampoline+0x1c Process 71290 (syz-executor.4) thread 0xffff800027ba7500 (521735) exclusive kernel_lock &kernel_lock r = 1 (0xffffffff82b63040) #0 witness_lock+0x44d #1 syscall+0x41d mi_syscall sys/sys/syscall_mi.h:100 [inline] #1 syscall+0x41d sys/arch/amd64/amd64/trap.c:585 #2 Xsyscall+0x128 ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10209 6412K 6419K 78643K 11346 0 pcb 13 8K 8K 78643K 13 0 rtable 234 6K 7K 78643K 1672 0 ifaddr 81 17K 17K 78643K 188 0 sysctl 3 1K 3K 78643K 6 0 counters 56 35K 35K 78643K 86 0 ioctlops 0 0K 2K 78643K 441 0 iov 0 0K 32K 78643K 1927 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 5 0 vnodes 1271 79K 79K 78643K 3752 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 5K 78643K 108 0 VM map 2 1K 1K 78643K 2 0 sem 12 0K 0K 78643K 3119 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 19 69K 113K 78643K 11655 0 sigio 0 0K 0K 78643K 2210 0 proc 56 78K 115K 78643K 1606 0 subproc 104 6K 6K 78643K 299 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 1095 0 in_multi 99 6K 7K 78643K 402 0 ether_multi 1 0K 0K 78643K 34 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 253 1129K 1129K 78643K 253 0 exec 0 0K 2K 78643K 2781 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 294 102K 107K 78643K 72513 0 UVM aobj 131 8K 8K 78643K 131 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 271 0 NDP 11 0K 2K 78643K 72 0 temp 124 4722K 4786K 78643K 30975 0 kqueue 12 18K 26K 78643K 1346 0 SYN cache 2 16K 16K 78643K 2 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 22 0 0 1 0 1 1 0 8 0 rtpcb 120 11196 0 11192 53 52 1 5 0 8 0 rtentry 112 290 0 180 4 0 4 4 0 8 0 unpcb 144 11266 0 11253 127 124 3 11 0 8 2 syncache 296 161 0 161 19 18 1 1 0 8 1 tcpqe 32 814 0 814 12 12 0 1 0 8 0 tcpcb 736 4287 0 4280 115 112 3 10 0 8 1 arp 120 51 0 33 1 0 1 1 0 8 0 ipq 40 5 0 5 2 2 0 1 0 8 0 ipqe 40 12 0 12 2 2 0 1 0 8 0 inpcb 320 8762 0 8752 120 116 4 13 0 8 3 nd6 48 80 0 56 1 0 1 1 0 8 0 kcovpl 48 23 0 15 1 0 1 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 1176 0 720 32 3 29 30 0 8 0 art_table 32 1177 0 720 4 0 4 4 0 8 0 art_node 16 289 0 189 1 0 1 1 0 8 0 sysvmsgpl 40 6 0 0 1 0 1 1 0 8 0 semapl 112 3117 0 3107 1 0 1 1 0 8 0 shmpl 112 128 0 0 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 17209 0 15734 93 0 93 93 0 8 0 ffsino 272 17209 0 15734 100 0 100 100 0 8 0 nchpl 144 32899 0 31265 63 0 63 63 0 8 0 uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0 vnodes 216 5926 0 0 330 0 330 330 0 8 0 namei 1024 114501 0 114501 4 3 1 2 0 8 1 percpumem 16 55 0 15 1 0 1 1 0 8 0 kstatmem 264 52 0 30 2 0 2 2 0 8 0 scxspl 216 96035 0 96035 47 46 1 8 0 8 1 plimitpl 152 2725 0 2702 9 8 1 2 0 8 0 sigapl 424 11907 0 11857 7 0 7 7 0 8 0 futexpl 64 108641 0 108639 4 3 1 1 0 8 0 knotepl 120 942 0 0 17 0 17 17 0 8 0 kqueuepl 216 5037 0 5029 63 55 8 8 0 8 7 pipepl 320 6852 0 6824 134 124 10 13 0 8 7 fdescpl 496 11889 0 11859 7 2 5 6 0 8 0 filepl 152 97863 0 97615 171 154 17 26 0 8 7 lockfpl 104 1673 0 1670 1 0 1 1 0 8 0 lockfspl 48 487 0 484 1 0 1 1 0 8 0 sessionpl 144 38 0 22 1 0 1 1 0 8 0 pgrppl 48 123 0 107 1 0 1 1 0 8 0 ucredpl 104 14863 0 14845 1 0 1 1 0 8 0 zombiepl 144 11859 0 11857 1 0 1 1 0 8 0 processpl 1064 11907 0 11857 4 0 4 4 0 8 0 procpl 672 35439 0 35379 21 14 7 8 0 8 0 sosppl 168 178 0 178 19 19 0 1 0 8 0 sockpl 488 31589 0 31562 610 598 12 46 0 8 8 mcl64k 65536 34 0 0 3 0 3 3 0 8 0 mcl16k 16384 25 0 0 4 1 3 3 0 8 0 mcl12k 12288 26 0 0 2 0 2 2 0 8 0 mcl9k 9216 24 0 0 2 0 2 2 0 8 0 mcl8k 8192 17 0 0 3 0 3 3 0 8 0 mcl4k 4096 33 0 0 3 0 3 3 0 8 0 mcl2k2 2112 14 0 0 1 0 1 1 0 8 0 mcl2k 2048 308 0 0 22 1 21 22 0 8 0 mtagpl 96 2 0 0 1 0 1 1 0 8 0 mbufpl 256 1552 0 0 90 0 90 90 0 8 0 bufpl 288 22190 0 15857 453 0 453 453 0 8 0 anonpl 24 2481120 0 2468904 188 82 106 123 0 186 3 amapchunkpl 152 216460 0 215760 149 118 31 37 0 158 3 amappl16 200 39988 0 39595 250 219 31 42 0 8 8 amappl15 192 199 0 196 2 1 1 1 0 8 0 amappl14 184 1550 0 1545 1 0 1 1 0 8 0 amappl13 176 510 0 506 1 0 1 1 0 8 0 amappl12 168 3033 0 3027 1 0 1 1 0 8 0 amappl11 160 810 0 793 1 0 1 1 0 8 0 amappl10 152 805 0 798 1 0 1 1 0 8 0 amappl9 144 3055 0 3052 1 0 1 1 0 8 0 amappl8 136 3631 0 3516 7 2 5 5 0 8 0 amappl7 128 2774 0 2762 1 0 1 1 0 8 0 amappl6 120 2926 0 2905 2 1 1 2 0 8 0 amappl5 112 10220 0 10203 1 0 1 1 0 8 0 amappl4 104 2883 0 2853 2 0 2 2 0 8 0 amappl3 96 39470 0 39425 2 0 2 2 0 8 0 amappl2 88 14396 0 14329 3 1 2 3 0 8 0 amappl1 80 287081 0 286480 21 5 16 19 0 8 0 amappl 88 71221 0 71063 6 1 5 5 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 130 0 0 3 0 3 3 0 8 0 uaddrrnd 24 11889 0 11859 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 11889 0 11859 1 0 1 1 0 8 0 vmmpekpl 168 115016 0 114961 5 1 4 5 0 8 0 vmmpepl 168 1181258 0 1178900 296 159 137 143 0 357 10 vmsppl 368 11888 0 11858 4 0 4 4 0 8 0 rwobjpl 56 302662 0 295265 127 18 109 110 0 8 1 pdppl 4096 23785 0 23716 351 270 81 89 0 8 12 pvpl 32 4690238 0 4673129 503 315 188 254 0 265 16 pmappl 248 11888 0 11858 4 1 3 3 0 8 0 extentpl 40 58 0 38 1 0 1 1 0 8 0 phpool 112 1284 0 392 26 0 26 26 0 8 0 ddb{1}> machine ddbcpu 0 Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp x86_ipi_db(ffffffff82995ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 __sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc uvm_unmap_detach(ffff800021239e20,1) at uvm_unmap_detach+0x113 sys/uvm/uvm_map.c:1615 uvm_map_teardown(fffffd8079235460) at uvm_map_teardown+0x262 sys/uvm/uvm_map.c:2789 uvmspace_free(fffffd8079235460) at uvmspace_free+0xa6 sys/uvm/uvm_map.c:3684 reaper(ffff8000212337a8) at reaper+0x19a sys/kern/kern_exit.c:454 end trace frame: 0x0, count: 7 ddb{0}> trace x86_ipi_db(ffffffff82995ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 __sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc uvm_unmap_detach(ffff800021239e20,1) at uvm_unmap_detach+0x113 sys/uvm/uvm_map.c:1615 uvm_map_teardown(fffffd8079235460) at uvm_map_teardown+0x262 sys/uvm/uvm_map.c:2789 uvmspace_free(fffffd8079235460) at uvmspace_free+0xa6 sys/uvm/uvm_map.c:3684 reaper(ffff8000212337a8) at reaper+0x19a sys/kern/kern_exit.c:454 end trace frame: 0x0, count: -8 ddb{0}> machine ddbcpu 1 Stopped at db_enter+0x18: addq $0x8,%rsp db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8259a517) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff8261308a,ffffffff8263280d,ea,ffffffff8262b018) at __assert+0x25 sys/kern/subr_prf.c:161 uvn_attach(fffffd806a680a70,6) at uvn_attach+0x444 sys/uvm/uvm_vnode.c:234 uvm_mmapfile(fffffd807effd2e0,ffff8000212fa078,10000,2,6,11,8ba82b493f1cd1e3,fffffd807effd2e0,0,11) at uvm_mmapfile+0x194 sys/uvm/uvm_mmap.c:1029 sys_mmap(ffff800027ba7500,ffff8000212fa120,ffff8000212fa1f0) at sys_mmap+0xb4a sys/uvm/uvm_mmap.c:395 sys_pad_mmap(ffff800027ba7500,ffff8000212fa1a8,ffff8000212fa1f0) at sys_pad_mmap+0x68 sys/uvm/uvm_mmap.c:470 syscall(ffff8000212fa270) at syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline] syscall(ffff8000212fa270) at syscall+0x435 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x2296431bc80, count: 6 ddb{1}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8259a517) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff8261308a,ffffffff8263280d,ea,ffffffff8262b018) at __assert+0x25 sys/kern/subr_prf.c:161 uvn_attach(fffffd806a680a70,6) at uvn_attach+0x444 sys/uvm/uvm_vnode.c:234 uvm_mmapfile(fffffd807effd2e0,ffff8000212fa078,10000,2,6,11,8ba82b493f1cd1e3,fffffd807effd2e0,0,11) at uvm_mmapfile+0x194 sys/uvm/uvm_mmap.c:1029 sys_mmap(ffff800027ba7500,ffff8000212fa120,ffff8000212fa1f0) at sys_mmap+0xb4a sys/uvm/uvm_mmap.c:395 sys_pad_mmap(ffff800027ba7500,ffff8000212fa1a8,ffff8000212fa1f0) at sys_pad_mmap+0x68 sys/uvm/uvm_mmap.c:470 syscall(ffff8000212fa270) at syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline] syscall(ffff8000212fa270) at syscall+0x435 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x2296431bc80, count: -9