panic: kernel diagnostic assertion "ps->ps_uvncount == 0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_unveil.c", line 188 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff83401a9c) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833b289a,ffffffff8337e115,bc,ffffffff83327483) at __assert+0x29 unveil_destroy(ffff800035d26f88) at unveil_destroy+0x1dd sys/kern/kern_unveil.c:188 exit1(ffff80002a7c6538,0,0,1) at exit1+0x60f sys/kern/kern_exit.c:233 sys_exit(ffff80002a7c6538,ffff80002a8a92b0,ffff80002a8a9200) at sys_exit+0x1a syscall(ffff80002a8a92b0) at syscall+0x97e sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7ca51d0901b0, count: 7 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "ps->ps_uvncount == 0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_unveil.c", line 188 ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff83401a9c) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833b289a,ffffffff8337e115,bc,ffffffff83327483) at __assert+0x29 unveil_destroy(ffff800035d26f88) at unveil_destroy+0x1dd sys/kern/kern_unveil.c:188 exit1(ffff80002a7c6538,0,0,1) at exit1+0x60f sys/kern/kern_exit.c:233 sys_exit(ffff80002a7c6538,ffff80002a8a92b0,ffff80002a8a9200) at sys_exit+0x1a syscall(ffff80002a8a92b0) at syscall+0x97e sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7ca51d0901b0, count: -8 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80002a8a9000 rbx 0xffff800035d26f88 rdx 0 rcx 0 rax 0xffff80002a7c6538 r8 0x101010101010101 r9 0x8080808080808080 r10 0x6f340f1ccc6e940d r11 0x4f19d238c05f8b17 r12 0 r13 0x2 r14 0 r15 0x1 rip 0xffffffff827a7515 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80002a8a8ff0 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb> show proc PROC (syz-executor) tid=156489 pid=23984 tcnt=0 stat=onproc flags process=1008 proc=2000 runpri=84, usrpri=85, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0xffff80002a7c6538 scnt=-1 ecnt=1 forw=0xffffffffffffffff, list=0xffff80003c94d218,0xffff80003c94c7e8 process=0xffff800035d26f88 user=0xffff80002a8a4000, vmspace=0xfffffd806c0ab718 estcpu=35, cpticks=3, pctcpu=0.90, user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 23377 152865 44558 0 2 0 syz-executor 23377 268435 44558 0 2 0x4000000 syz-executor 23377 284062 44558 0 3 0x4000080 fsleep syz-executor 79518 378200 0 0 3 0x14200 acct acct 31327 274477 0 0 3 0x14200 bored sosplice 81990 414250 59726 0 3 0x82 nanoslp syz-executor 33348 315767 59726 0 2 0x2 syz-executor 9147 100101 59726 0 2 0x2 syz-executor 15655 107775 59726 0 2 0x2 syz-executor 37288 42710 59726 0 2 0x2 syz-executor 58626 116204 59726 0 2 0x2 syz-executor 44558 461267 59726 0 3 0x82 nanoslp syz-executor 59726 24059 46494 0 3 0x82 nanoslp syz-executor 46494 71290 52861 0 3 0x10008a sigsusp ksh 52861 169745 29292 0 3 0x98 kqread sshd-session 29292 344844 58661 0 3 0x92 kqread sshd-session 5423 49464 1 0 3 0x100083 ttyin getty 58661 505785 1 0 3 0x88 kqread sshd 85279 469610 52939 73 3 0x1100090 kqread syslogd 52939 132548 1 0 3 0x100082 sbwait syslogd 37793 245783 1 0 3 0x100080 kqread resolvd 73713 118033 86234 77 3 0x100092 kqread dhcpleased 33047 15203 86234 77 3 0x100092 kqread dhcpleased 86234 130403 1 0 3 0x80 kqread dhcpleased 91831 5590 0 0 3 0x14200 bored smr 90192 74746 0 0 2 0x14200 zerothread 708 124529 0 0 3 0x14200 aiodoned aiodoned 78721 184354 0 0 3 0x14200 syncer update 34290 294133 0 0 3 0x14200 cleaner cleaner 78985 3625 0 0 3 0x14200 reaper reaper 55210 171702 0 0 3 0x14200 pgdaemon pagedaemon 58295 130082 0 0 3 0x14200 bored viomb 47829 484354 0 0 3 0x40014200 acpi0 acpi0 4903 490797 0 0 3 0x14200 bored softnet3 34097 374551 0 0 3 0x14200 bored softnet2 79467 474207 0 0 3 0x14200 bored softnet1 96479 384442 0 0 3 0x14200 bored softnet0 51202 171734 0 0 3 0x14200 bored systqmp 73814 97739 0 0 3 0x14200 bored systq 38934 140202 0 0 2 0x40014200 softclock 91044 136107 0 0 3 0x40014200 idle0 1 22641 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10180 11054K 11499K 166960K 12785 0 pcb 17 19K 20K 166960K 369 0 rtable 200 8K 9K 166960K 542 0 pf 31 13K 18K 166960K 122 0 ifaddr 38 7K 7K 166960K 100 0 ifgroup 49 2K 2K 166960K 163 0 sysctl 4 1K 2K 166960K 5 0 counters 29 17K 18K 166960K 71 0 ioctlops 0 0K 4K 166960K 229 0 iov 0 0K 20K 166960K 258 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1416 89K 89K 166960K 2503 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 2K 10K 166960K 38 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 43 0 dirhash 12 2K 3K 166960K 27 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 15 53K 97K 166960K 1444 0 sigio 1 0K 0K 166960K 24 0 proc 64 75K 108K 166960K 635 0 subproc 63 3K 5K 166960K 183 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 299 0 in_multi 84 6K 7K 166960K 154 0 ether_multi 1 0K 0K 166960K 6 0 mrt 1 0K 0K 166960K 5 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 97 440K 440K 166960K 97 0 exec 0 0K 1K 166960K 525 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 2 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 157 62K 87K 166960K 14644 0 UVM aobj 64 5K 6K 166960K 68 0 pinsyscall 37 74K 96K 166960K 2557 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 79 0 NDP 10 0K 2K 166960K 69 0 temp 72 8639K 8718K 166960K 27762 0 kqueue 13 20K 32K 166960K 284 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 193 0 190 3 2 1 3 0 8 0 rtentry 112 154 0 67 4 0 4 4 0 8 0 unpcb 144 959 0 943 5 3 2 4 0 8 1 syncache 336 14 0 14 3 2 1 1 0 8 1 tcpqe 32 8 0 8 2 1 1 1 0 8 1 tcpcb 808 527 0 517 15 6 9 11 0 8 7 arp 88 22 0 5 1 0 1 1 0 8 0 ipq 40 6 0 5 1 0 1 1 0 8 0 ipqe 40 96 0 95 1 0 1 1 0 8 0 inpcb 344 1638 0 1625 18 8 10 11 0 8 7 nd6 104 36 0 14 1 0 1 1 0 8 0 pkpcb 40 11 0 11 2 1 1 1 0 8 1 kcovpl 48 20 0 13 1 0 1 1 0 8 0 ppxss 1072 27 0 27 3 2 1 1 0 8 1 pppxif 1376 5 0 5 1 0 1 1 0 8 1 pfstscr 40 4 0 3 2 1 1 1 0 8 0 pfrktable 1344 1 0 0 1 0 1 1 0 8 0 pftag 88 2 0 0 1 0 1 1 0 8 0 pfstitem 24 2 0 0 1 0 1 1 0 8 0 pfstkey 128 7 0 5 2 1 1 1 0 8 0 pfstate 344 4 0 3 2 1 1 1 0 8 0 pfrule 1344 12 0 11 2 1 1 1 0 8 0 art_heap8 4096 2 0 0 2 0 2 2 0 8 0 art_heap4 256 687 0 300 31 4 27 29 0 8 2 art_table 32 689 0 300 4 0 4 4 0 8 0 art_node 16 147 0 71 1 0 1 1 0 8 0 sysvmsgpl 40 87 0 79 2 1 1 1 0 8 0 semupl 112 1 0 1 1 0 1 1 0 8 1 semapl 112 41 0 31 1 0 1 1 0 8 0 shmpl 112 65 0 4 2 0 2 2 0 8 0 dirhash 1024 28 0 11 3 0 3 3 0 8 0 dino2pl 256 3865 0 2358 95 0 95 95 0 8 0 ffsino 248 3865 0 2358 95 0 95 95 0 8 0 nchpl 144 5888 0 5354 63 42 21 63 0 8 0 rtmask 32 1 0 1 1 1 0 1 0 8 0 uvmvnodes 80 4640 0 0 95 0 95 95 0 8 0 vnodes 216 4640 0 0 258 0 258 258 0 8 0 namei 1024 19350 0 19350 2 1 1 2 0 8 1 kstatmem 264 92 0 72 2 0 2 2 0 8 0 scsiplug 72 4 0 4 2 1 1 1 0 8 1 scxspl 216 17531 0 17531 12 9 3 8 1 8 3 plimitpl 152 263 0 248 1 0 1 1 0 8 0 sigapl 424 1713 0 1667 7 1 6 7 0 8 0 futexpl 64 18361 0 18360 1 0 1 1 0 8 0 knotepl 120 64981 0 64934 22 12 10 13 0 8 7 kqueuepl 184 617 0 606 7 3 4 4 0 8 3 pipepl 296 233 0 206 3 0 3 3 0 8 0 fdescpl 440 1695 0 1668 5 1 4 5 0 8 0 filepl 120 10572 0 10381 16 5 11 11 0 8 3 lockfpl 104 464 0 462 2 0 2 2 0 8 1 lockfspl 48 131 0 129 1 0 1 1 0 8 0 sessionpl 144 39 0 31 1 0 1 1 0 8 0 pgrppl 48 70 0 55 1 0 1 1 0 8 0 ucredpl 104 1656 0 1645 1 0 1 1 0 8 0 zombiepl 144 2144 0 2143 2 1 1 1 0 8 0 processpl 1104 1713 0 1667 4 0 4 4 0 8 0 procpl 656 3655 0 3607 9 1 8 8 0 8 3 sosppl 168 19 0 18 2 1 1 1 0 8 0 sockpl 528 2928 0 2896 19 9 10 12 0 8 6 mcl64k 65536 81 0 81 3 2 1 1 0 8 1 mcl16k 16384 43 0 43 2 1 1 1 0 8 1 mcl12k 12288 8 0 8 3 2 1 1 0 8 1 mcl9k 9216 9 0 9 2 1 1 1 0 8 1 mcl8k 8192 64 0 64 3 2 1 1 0 8 1 mcl4k 4096 4521 0 4466 15 7 8 13 0 8 0 mcl2k2 2112 11 0 11 2 1 1 1 0 8 1 mcl2k 2048 1499 0 1495 4 2 2 3 0 8 1 mtagpl 96 79 0 42 3 1 2 2 0 8 0 mbufpl 256 22861 0 22670 93 67 26 80 0 8 8 bufpl 280 5020 0 136 349 0 349 349 0 8 0 anonpl 24 234764 0 232022 82 28 54 54 0 187 19 amapchunkpl 152 48167 0 47868 41 14 27 31 0 158 10 amappl16 200 4809 0 4779 43 31 12 20 0 8 7 amappl15 192 4 0 4 1 1 0 1 0 8 0 amappl14 184 126 0 116 1 0 1 1 0 8 0 amappl13 176 8 0 7 1 0 1 1 0 8 0 amappl12 168 2336 0 2313 2 0 2 2 0 8 0 amappl11 160 46 0 36 1 0 1 1 0 8 0 amappl10 152 3 0 3 2 1 1 1 0 8 1 amappl9 144 258 0 258 1 1 0 1 0 8 0 amappl8 136 79 0 78 1 0 1 1 0 8 0 amappl7 128 106 0 96 1 0 1 1 0 8 0 amappl6 120 187 0 183 1 0 1 1 0 8 0 amappl5 112 125 0 118 1 0 1 1 0 8 0 amappl4 104 327 0 311 1 0 1 1 0 8 0 amappl3 96 9788 0 9720 4 0 4 4 0 8 1 amappl2 88 739 0 683 2 0 2 2 0 8 0 amappl1 80 13934 0 13429 15 0 15 15 0 8 2 amappl 88 14164 0 14054 6 1 5 5 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 9 0 9 3 2 1 1 0 8 1 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 8 0 8 2 1 1 1 0 8 1 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 67 0 4 2 0 2 2 0 8 0 uaddrrnd 24 1695 0 1667 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 1695 0 1667 1 0 1 1 0 8 0 vmmpekpl 168 14880 0 14841 3 0 3 3 0 8 0 vmmpepl 168 109593 0 108123 109 16 93 95 0 357 14 vmsppl 360 1694 0 1667 4 1 3 4 0 8 0 rwobjpl 32 35194 0 29711 46 0 46 46 0 8 0 pdppl 4096 3397 0 3334 129 66 63 83 0 8 0 pvpl 32 741525 0 734198 180 50 130 130 0 265 41 pmappl 216 1694 0 1667 3 0 3 3 0 8 1 extentpl 40 55 0 38 1 0 1 1 0 8 0 phpool 112 405 0 163 9 0 9 9 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff83401a9c) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833b289a,ffffffff8337e115,bc,ffffffff83327483) at __assert+0x29 unveil_destroy(ffff800035d26f88) at unveil_destroy+0x1dd sys/kern/kern_unveil.c:188 exit1(ffff80002a7c6538,0,0,1) at exit1+0x60f sys/kern/kern_exit.c:233 sys_exit(ffff80002a7c6538,ffff80002a8a92b0,ffff80002a8a9200) at sys_exit+0x1a syscall(ffff80002a8a92b0) at syscall+0x97e sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7ca51d0901b0, count: -8 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff83401a9c) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833b289a,ffffffff8337e115,bc,ffffffff83327483) at __assert+0x29 unveil_destroy(ffff800035d26f88) at unveil_destroy+0x1dd sys/kern/kern_unveil.c:188 exit1(ffff80002a7c6538,0,0,1) at exit1+0x60f sys/kern/kern_exit.c:233 sys_exit(ffff80002a7c6538,ffff80002a8a92b0,ffff80002a8a9200) at sys_exit+0x1a syscall(ffff80002a8a92b0) at syscall+0x97e sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7ca51d0901b0, count: -8