panic: kernel diagnostic assertion "ps->ps_uvncount == 0" failed: file "/syzkaller/managers/multicore/kernWARNING: SPL NOT LOWERED ON SYSCALL 49 0 EXIT 0 a Stopped at savectx+0xae: movl $0,%gs:0x550 TID PID UID PRFLAGS PFLAGS CPU COMMAND *107209 73405 0 0 0x4000000 1 syz-executor.6 savectx() at savectx+0xae end of kernel end trace frame: 0xd2649e47e90, count: 14 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic *cpu0: kernel diagnostic assertion "ps->ps_uvncount == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_unveil.c", line 188 ddb{1}> trace savectx() at savectx+0xae end of kernel end trace frame: 0xd2649e47e90, count: -1 ddb{1}> show registers rdi 0 rsi 0 rbp 0xffff80002ae81560 rbx 0 rdx 0 rcx 0xffff80002120f070 rax 0x32 r8 0xffff80002ae81490 r9 0x80713 acpi_pdirpa+0x6c576 r10 0xf3219d67fd5e1a8b r11 0x1bb9be7851f8a16b r12 0 r13 0 r14 0xffff80002120f070 r15 0 rip 0xffffffff820613fe savectx+0xae cs 0x8 rflags 0x46 rsp 0xffff80002ae814e0 ss 0 savectx+0xae: movl $0,%gs:0x550 ddb{1}> show proc PROC (syz-executor.6) pid=107209 stat=onproc flags process=0 proc=4000000 pri=83, usrpri=83, nice=20 forw=0xffffffffffffffff, list=0xffff8000212146b0,0xffffffff82ce9f08 process=0xffff800026165948 user=0xffff80002ae7c000, vmspace=0xfffffd806d63fcc0 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 73405 128226 74991 0 2 0 syz-executor.6 *73405 107209 74991 0 7 0x4000000 syz-executor.6 15561 232269 49175 0 2 0 syz-executor.5 15561 361225 49175 0 3 0x4000080 fsleep syz-executor.5 15561 359529 49175 0 3 0x4000080 fsleep syz-executor.5 71196 413917 87842 0 2 0 syz-executor.4 71196 144578 87842 0 3 0x4000080 fsleep syz-executor.4 99077 136184 84607 0 2 0 syz-executor.3 99077 32739 84607 0 3 0x4000080 lockf syz-executor.3 99077 254677 84607 0 2 0x4000000 syz-executor.3 85198 365867 95527 0 2 0 syz-executor.1 85198 487541 95527 0 3 0x4000080 fsleep syz-executor.1 86693 508255 84499 0 2 0 syz-executor.0 86693 21283 84499 0 3 0x4000080 fsleep syz-executor.0 86693 81430 84499 0 3 0x4000080 fsleep syz-executor.0 31532 50104 86072 0 2 0 syz-executor.2 31532 191605 86072 0 3 0x4000080 fsleep syz-executor.2 11342 193461 53469 0 3 0x82 nanoslp syz-executor.7 49175 358751 53469 0 3 0x82 nanoslp syz-executor.5 86072 43403 53469 0 3 0x82 nanoslp syz-executor.2 3119 114427 1 0 3 0x100083 ttyin getty 53775 202691 0 0 3 0x14200 acct acct 95527 355609 53469 0 3 0x82 nanoslp syz-executor.1 84607 234266 53469 0 3 0x82 nanoslp syz-executor.3 84499 66215 53469 0 3 0x82 nanoslp syz-executor.0 87842 489841 53469 0 3 0x82 nanoslp syz-executor.4 74991 484696 53469 0 3 0x82 nanoslp syz-executor.6 74334 172511 0 0 3 0x14280 nfsidl nfsio 63163 454752 0 0 3 0x14280 nfsidl nfsio 28837 466372 0 0 3 0x14280 nfsidl nfsio 22660 72001 0 0 3 0x14280 nfsidl nfsio 49924 425144 0 0 3 0x14280 nfsidl nfsio 24671 120965 0 0 3 0x14280 nfsidl nfsio 60648 194807 0 0 3 0x14280 nfsidl nfsio 18148 270523 0 0 3 0x14280 nfsidl nfsio 78840 323896 0 0 3 0x14280 nfsidl nfsio 36474 328148 0 0 3 0x14280 nfsidl nfsio 33513 274068 0 0 3 0x14280 nfsidl nfsio 87575 488912 0 0 3 0x14280 nfsidl nfsio 25020 174150 0 0 3 0x14280 nfsidl nfsio 13066 52487 0 0 3 0x14280 nfsidl nfsio 59295 320917 0 0 3 0x14280 nfsidl nfsio 15393 221652 0 0 3 0x14280 nfsidl nfsio 24284 109288 0 0 3 0x14280 nfsidl nfsio 83275 219618 0 0 3 0x14280 nfsidl nfsio 19578 228845 0 0 3 0x14280 nfsidl nfsio 33954 298834 0 0 3 0x14280 nfsidl nfsio 69159 295706 0 0 3 0x14200 bored sosplice 53469 451994 29981 0 3 0x2000082 wait syz-fuzzer 53469 233761 29981 0 3 0x6000082 thrsleep syz-fuzzer 53469 66665 29981 0 3 0x6000082 wait syz-fuzzer 53469 95046 29981 0 3 0x6000082 thrsleep syz-fuzzer 53469 103540 29981 0 3 0x6000082 kqread syz-fuzzer 53469 432488 29981 0 3 0x6000082 thrsleep syz-fuzzer 53469 372654 29981 0 3 0x6000082 wait syz-fuzzer 53469 435251 29981 0 3 0x6000082 wait syz-fuzzer 53469 20951 29981 0 3 0x6000082 thrsleep syz-fuzzer 53469 170066 29981 0 3 0x6000082 thrsleep syz-fuzzer 53469 471765 29981 0 3 0x6000082 thrsleep syz-fuzzer 53469 383373 29981 0 3 0x6000082 wait syz-fuzzer 53469 266807 29981 0 3 0x6000082 wait syz-fuzzer 53469 445461 29981 0 3 0x6000082 thrsleep syz-fuzzer 53469 221510 29981 0 3 0x6000082 wait syz-fuzzer 53469 389092 29981 0 3 0x6000082 wait syz-fuzzer 29981 348156 75152 0 3 0x10008a sigsusp ksh 75152 421082 33872 0 3 0x9a kqread sshd 33872 507339 1 0 3 0x88 kqread sshd 32612 173552 4406 74 3 0x1100092 bpf pflogd 4406 375124 1 0 3 0x80 netio pflogd 34188 374389 91676 73 3 0x1100090 kqread syslogd 91676 150152 1 0 3 0x100082 netio syslogd 5244 78458 1 0 3 0x100080 kqread resolvd 63603 169422 53844 77 3 0x100092 kqread dhcpleased 72344 490373 53844 77 3 0x100092 kqread dhcpleased 53844 364516 1 0 3 0x80 kqread dhcpleased 60733 30715 0 0 3 0x14200 bored smr 98152 185240 0 0 2 0x14200 zerothread 92780 392867 0 0 3 0x14200 aiodoned aiodoned 41912 270772 0 0 3 0x14200 syncer update 92488 63193 0 0 3 0x14200 cleaner cleaner 20864 65266 0 0 2 0x14200 reaper 56305 474953 0 0 3 0x14200 pgdaemon pagedaemon 70078 3238 0 0 3 0x14200 bored viomb 8792 244512 0 0 3 0x40014200 acpi0 acpi0 11253 300379 0 0 3 0x40014200 idle1 88323 458888 0 0 3 0x14200 bored softnet3 21944 237309 0 0 3 0x14200 bored softnet2 74071 298944 0 0 3 0x14200 bored softnet1 50282 264430 0 0 3 0x14200 bored softnet0 70040 93908 0 0 3 0x14200 bored systqmp 88033 372014 0 0 3 0x14200 bored systq 51295 200768 0 0 3 0x40014200 bored softclock 24506 330181 0 0 3 0x40014200 idle0 1 227545 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks CPU 1: exclusive mutex &pmap->pm_mtx r = 0 (0xfffffd807eff88c8) #0 witness_lock+0x447 #1 mtx_enter_try+0x104 #2 mtx_enter+0x4f sys/kern/kern_lock.c:266 #3 pmap_enter+0x1c3 pmap_map_ptes sys/arch/amd64/amd64/pmap.c:423 [inline] #3 pmap_enter+0x1c3 sys/arch/amd64/amd64/pmap.c:2710 #4 uvm_fault_lower+0x768 sys/uvm/uvm_fault.c:1506 #5 uvm_fault+0x238 #6 upageflttrap+0x86 sys/arch/amd64/amd64/trap.c:188 #7 usertrap+0x226 sys/arch/amd64/amd64/trap.c:436 #8 recall_trap+0x8 Process 73405 (syz-executor.6) thread 0xffff80002120f070 (107209) ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10238 6517K 14939K 78643K 164058 0 pcb 13 18K 23K 78643K 4435 0 rtable 243 7K 7K 78643K 5250 0 pf 35 10K 10K 78643K 1064 0 ifaddr 46 19K 21K 78643K 838 0 ifgroup 60 2K 2K 78643K 1696 0 sysctl 3 1K 4K 78643K 26 0 counters 62 36K 36K 78643K 992 0 ioctlops 0 0K 4K 78643K 2516 0 iov 0 0K 28K 78643K 4125 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 4 0 vnodes 1797 112K 113K 78643K 45241 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 9K 78643K 481 0 VM map 2 1K 1K 78643K 2 0 sem 11 1K 1K 78643K 14 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 17 61K 89K 78643K 51564 0 sigio 0 0K 0K 78643K 2510 0 proc 74 115K 127K 78643K 6374 0 subproc 104 6K 8K 78643K 1644 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 9082 0 in_multi 99 7K 7K 78643K 1602 0 ether_multi 1 0K 0K 78643K 37 0 mrt 4 0K 0K 78643K 33 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 271 1208K 1208K 78643K 271 0 exec 0 0K 1K 78643K 8522 0 pfkey data 0 0K 0K 78643K 30 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 8 62K 64K 78643K 10 0 UVM amap 597 103K 115K 78643K 501019 0 UVM aobj 131 6K 6K 78643K 141 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 1K 78643K 1437 0 NDP 13 0K 1K 78643K 704 0 temp 74 5920K 6052K 78643K 318657 0 kqueue 12 18K 26K 78643K 2692 0 SYN cache 2 16K 24K 78643K 3 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 22 0 0 1 0 1 1 0 8 0 rtpcb 120 1810 0 1807 20 19 1 3 0 8 0 rtentry 112 1629 0 1516 4 0 4 4 0 8 0 unpcb 144 23993 0 23976 298 297 1 10 0 8 0 syncache 296 267 0 267 62 61 1 1 0 8 1 tcpqe 32 425 819 425 32 31 1 2 0 8 1 tcpcb 808 11019 0 11009 388 380 8 14 0 8 6 arp 120 236 0 217 1 0 1 1 0 8 0 inpcb 368 36568 0 36552 604 593 11 20 0 8 8 nd6 136 371 0 345 1 0 1 1 0 8 0 pkpcb 40 253 0 253 23 23 0 1 0 8 0 kcovpl 48 118 0 110 1 0 1 1 0 8 0 ppxss 1256 156 0 156 42 42 0 1 0 8 0 pffrag 232 519 0 514 11 10 1 1 0 482 0 pffrnode 88 513 0 508 11 10 1 1 0 8 0 pffrent 40 1977 0 1972 10 9 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfstitem 24 1254 0 1241 1 0 1 1 0 8 0 pfstkey 128 1254 0 1241 5 3 2 2 0 8 0 pfstate 376 1254 0 1241 25 23 2 6 0 8 0 pfrule 1344 21 0 16 2 1 1 2 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 5277 0 4804 36 6 30 31 0 8 0 art_table 32 5278 0 4804 4 0 4 4 0 8 0 art_node 16 1305 0 1202 1 0 1 1 0 8 0 sysvmsgpl 40 42 0 29 2 1 1 1 0 8 0 semupl 112 3 0 3 1 1 0 1 0 8 0 semapl 112 9 0 0 1 0 1 1 0 8 0 shmpl 112 138 0 10 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 69755 0 67966 113 0 113 113 0 8 0 ffsino 272 69755 0 67966 121 1 120 120 0 8 0 nchpl 144 137403 0 136887 63 40 23 63 0 8 0 uvmvnodes 80 12655 0 0 259 0 259 259 0 8 0 vnodes 216 12655 0 0 704 0 704 704 0 8 0 namei 1024 480239 0 480239 21 20 1 3 0 8 1 percpumem 16 509 0 465 1 0 1 1 0 8 0 kstatmem 264 956 0 930 3 1 2 3 0 8 0 scxspl 216 401640 0 401640 84 83 1 8 1 8 1 plimitpl 152 5463 0 5447 1 0 1 1 0 8 0 sigapl 424 51751 0 51681 11 3 8 8 0 8 0 futexpl 64 459302 0 459295 9 8 1 1 0 8 0 knotepl 120 2212 0 0 11 1 10 11 0 8 0 kqueuepl 216 7389 0 7381 124 123 1 8 0 8 0 pipepl 320 16758 0 16730 347 342 5 13 0 8 2 fdescpl 496 51661 0 51631 7 3 4 5 0 8 0 filepl 152 322644 0 322400 494 478 16 23 0 8 5 lockfpl 104 62407 0 62367 111 109 2 4 0 8 0 lockfspl 48 26950 0 26913 15 14 1 2 0 8 0 sessionpl 144 152 0 135 1 0 1 1 0 8 0 pgrppl 48 2324 0 2307 1 0 1 1 0 8 0 ucredpl 104 41029 0 41010 2 1 1 2 0 8 0 zombiepl 144 55858 0 55857 5 4 1 1 0 8 0 processpl 1072 51751 0 51681 6 1 5 5 0 8 0 procpl 696 141670 0 141574 64 54 10 11 0 8 0 srpgc 96 6 0 6 3 3 0 1 0 8 0 sosppl 168 492 0 492 29 29 0 1 0 8 0 sockpl 488 62775 0 62740 1334 1320 14 37 0 8 8 mcl64k 65536 51 0 0 3 0 3 3 0 8 1 mcl16k 16384 25 0 0 4 1 3 3 0 8 0 mcl12k 12288 33 0 0 2 0 2 2 0 8 0 mcl9k 9216 21 0 0 2 0 2 2 0 8 0 mcl8k 8192 35 0 0 4 1 3 3 0 8 0 mcl4k 4096 57 0 0 5 2 3 3 0 8 0 mcl2k2 2112 13 0 0 1 0 1 1 0 8 0 mcl2k 2048 974 0 0 51 30 21 38 0 8 0 mtagpl 96 1679 0 0 30 19 11 30 0 8 0 mbufpl 256 3089 0 0 149 0 149 149 0 8 0 bufpl 288 88902 0 76246 906 1 905 905 0 8 0 anonpl 24 4751708 0 4737421 254 138 116 134 0 186 0 amapchunkpl 152 1552440 0 1551448 178 137 41 48 0 158 2 amappl16 200 93120 0 92575 509 479 30 54 0 8 0 amappl15 192 13 0 13 3 3 0 1 0 8 0 amappl14 184 617 0 596 7 5 2 2 0 8 0 amappl13 176 53 0 52 1 0 1 1 0 8 0 amappl12 168 54065 0 54027 4 2 2 3 0 8 0 amappl11 160 60 0 46 1 0 1 1 0 8 0 amappl10 152 174 0 159 2 1 1 1 0 8 0 amappl9 144 511 0 509 1 0 1 1 0 8 0 amappl8 136 2669 0 2308 13 0 13 13 0 8 0 amappl7 128 380 0 366 2 0 2 2 0 8 0 amappl6 120 1541 0 1505 11 9 2 2 0 8 0 amappl5 112 3468 0 3444 1 0 1 1 0 8 0 amappl4 104 2331 0 2270 3 1 2 3 0 8 0 amappl3 96 294490 0 294417 7 4 3 4 0 8 0 amappl2 88 68349 0 68251 5 2 3 3 0 8 0 amappl1 80 198086 0 197517 23 10 13 23 0 8 0 amappl 88 498240 0 497947 10 2 8 8 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 140 0 10 3 0 3 3 0 8 0 uaddrrnd 24 51661 0 51630 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 51661 0 51630 1 0 1 1 0 8 0 vmmpekpl 168 412435 0 412364 4 0 4 4 0 8 0 vmmpepl 168 3055495 0 3052503 803 647 156 173 0 357 0 vmsppl 464 51660 0 51630 5 1 4 5 0 8 0 rwobjpl 56 716609 0 701816 276 67 209 210 0 8 0 pdppl 4096 103330 0 103260 1432 1362 70 82 0 8 0 pvpl 32 13992978 0 13971904 794 590 204 369 0 265 0 pmappl 248 51660 0 51630 3 1 2 3 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 3886 0 2441 42 0 42 42 0 8 0 ddb{1}> machine ddbcpu 0 Stopped at x86_ipi_db+0x1e: addq $0x8,%rsp x86_ipi_db(ffffffff82bd4ff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff82cf3cd0) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline] __mp_lock(ffffffff82cf3cd0) at __mp_lock+0x122 sys/kern/kern_lock.c:147 softintr_dispatch(0) at softintr_dispatch+0x52 sys/arch/amd64/amd64/softintr.c:88 Xsoftclock() at Xsoftclock+0x27 cnputc(6e) at cnputc+0x4f sys/dev/cons.c:218 db_putchar(6e) at db_putchar+0x3fc sys/ddb/db_output.c:155 kprintf() at kprintf+0x20fc sys/kern/subr_prf.c:1064 db_printf(ffffffff8281f698) at db_printf+0x89 sys/kern/subr_prf.c:498 panic(ffffffff8279c7bf) at panic+0xdb sys/kern/subr_prf.c:216 __assert(ffffffff8281f037,ffffffff8282537a,bc,ffffffff827bb2af) at __assert+0x29 sys/kern/subr_prf.c:157 unveil_destroy(ffff8000212710d8) at unveil_destroy+0x1a4 sys/kern/kern_unveil.c:188 exit1(ffff800022d0b090,0,0,1) at exit1+0x3d5 sys/kern/kern_exit.c:220 end trace frame: 0xffff800029021770, count: 0 ddb{0}> trace x86_ipi_db(ffffffff82bd4ff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff82cf3cd0) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline] __mp_lock(ffffffff82cf3cd0) at __mp_lock+0x122 sys/kern/kern_lock.c:147 softintr_dispatch(0) at softintr_dispatch+0x52 sys/arch/amd64/amd64/softintr.c:88 Xsoftclock() at Xsoftclock+0x27 cnputc(6e) at cnputc+0x4f sys/dev/cons.c:218 db_putchar(6e) at db_putchar+0x3fc sys/ddb/db_output.c:155 kprintf() at kprintf+0x20fc sys/kern/subr_prf.c:1064 db_printf(ffffffff8281f698) at db_printf+0x89 sys/kern/subr_prf.c:498 panic(ffffffff8279c7bf) at panic+0xdb sys/kern/subr_prf.c:216 __assert(ffffffff8281f037,ffffffff8282537a,bc,ffffffff827bb2af) at __assert+0x29 sys/kern/subr_prf.c:157 unveil_destroy(ffff8000212710d8) at unveil_destroy+0x1a4 sys/kern/kern_unveil.c:188 exit1(ffff800022d0b090,0,0,1) at exit1+0x3d5 sys/kern/kern_exit.c:220 sys_exit(ffff800022d0b090,ffff800029021780,ffff8000290217d0) at sys_exit+0x1a sys/kern/kern_exit.c:89 syscall(ffff800029021850) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline] syscall(ffff800029021850) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x70b05941f7d0, count: -17 ddb{0}> machine ddbcpu 1 Stopped at savectx+0xae: movl $0,%gs:0x550 savectx() at savectx+0xae end of kernel end trace frame: 0xd2649e47e90, count: 14 ddb{1}> trace savectx() at savectx+0xae end of kernel end trace frame: 0xd2649e47e90, count: -1