panic: kernel diagnostic assertion "map->limit == rtmap_limit" failed: file "/syzkaller/managers/multicore/kernel/sys/net/rtable.c", line 131 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *134590 44364 0 0 0x4000000 0K syz-executor 183681 44364 0 0 0x4000000 1 syz-executor db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff830e2bfc) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff8309b3c7,ffffffff82fdcad1,83,ffffffff830dc8ea) at __assert+0x29 rtable_init() at rtable_init rtable_add(16) at rtable_add+0x2d9 rtable_alloc sys/net/rtable.c:373 [inline] rtable_add(16) at rtable_add+0x2d9 sys/net/rtable.c:222 if_createrdomain(16,ffff800001589800) at if_createrdomain+0x40 sys/net/if.c:1947 ifioctl(ffff80000160ed38,8020699f,ffff800036b98600,ffff80002a03f968) at ifioctl+0x1a1e sys/net/if.c:2296 sys_ioctl(ffff80002a03f968,ffff800036b987e0,ffff800036b98730) at sys_ioctl+0x67c syscall(ffff800036b987e0) at syscall+0xbb6 mi_syscall sys/sys/syscall_mi.h:179 [inline] syscall(ffff800036b987e0) at syscall+0xbb6 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x9998055f7e0, count: 5 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: kernel diagnostic assertion "map->limit == rtmap_limit" failed: file "/syzkaller/managers/multicore/kernel/sys/net/rtable.c", line 131 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff830e2bfc) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff8309b3c7,ffffffff82fdcad1,83,ffffffff830dc8ea) at __assert+0x29 rtable_init() at rtable_init rtable_add(16) at rtable_add+0x2d9 rtable_alloc sys/net/rtable.c:373 [inline] rtable_add(16) at rtable_add+0x2d9 sys/net/rtable.c:222 if_createrdomain(16,ffff800001589800) at if_createrdomain+0x40 sys/net/if.c:1947 ifioctl(ffff80000160ed38,8020699f,ffff800036b98600,ffff80002a03f968) at ifioctl+0x1a1e sys/net/if.c:2296 sys_ioctl(ffff80002a03f968,ffff800036b987e0,ffff800036b98730) at sys_ioctl+0x67c syscall(ffff800036b987e0) at syscall+0xbb6 mi_syscall sys/sys/syscall_mi.h:179 [inline] syscall(ffff800036b987e0) at syscall+0xbb6 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x9998055f7e0, count: -10 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff800036b98320 rbx 0xffffffff834cddcf cpu_info_full_primary+0x2dcf rdx 0 rcx 0xffff80002a03f968 rax 0xffffffff834ccff0 cpu_info_full_primary+0x1ff0 r8 0 r9 0x8080808080808080 r10 0x2f255caae9a2f013 r11 0x9c12b610ce678c13 r12 0xffffffff834cdbd0 cpu_info_full_primary+0x2bd0 r13 0 r14 0 r15 0x1 rip 0xffffffff82827105 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff800036b98310 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor) tid=134590 pid=44364 tcnt=3 stat=onproc flags process=0 proc=4000000 runpri=50, usrpri=50, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80002a03ecc0,0xffff80002a03ea48 process=0xffff800029fe8008 user=0xffff800036b93000, vmspace=0xfffffd806bca06e0 estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 44364 442886 3966 0 3 0x80 fsleep syz-executor *44364 134590 3966 0 7 0x4000000 syz-executor 44364 183681 3966 0 7 0x4000000 syz-executor 46322 9095 86392 0 3 0x80 fsleep syz-executor 46322 283938 86392 0 3 0x4000080 netacc syz-executor 13400 137854 19993 0 3 0x80 fsleep syz-executor 13400 218165 19993 0 3 0x4000080 kqsel syz-executor 48618 519643 97605 0 3 0x80 fsleep syz-executor 48618 366935 97605 0 3 0x4000080 kqread syz-executor 48618 124795 97605 0 3 0x4000080 fsleep syz-executor 32389 155424 19742 0 3 0x80 fsleep syz-executor 32389 415630 19742 0 3 0x4000080 piperd syz-executor 86059 477854 26478 0 3 0x80 fsleep syz-executor 86059 260819 26478 0 3 0x4000080 msgwait syz-executor 19993 19981 53867 0 3 0x82 nanoslp syz-executor 26478 160828 53867 0 2 0x482 syz-executor 61668 205117 53867 0 3 0x82 wait syz-executor 19742 10962 53867 0 2 0x482 syz-executor 97605 37293 53867 0 3 0x82 nanoslp syz-executor 86392 263932 53867 0 2 0x482 syz-executor 3966 13959 53867 0 2 0x482 syz-executor 78464 376839 53867 0 3 0x82 wait syz-executor 36076 162397 0 0 3 0x14200 acct acct 12795 455697 0 0 3 0x14200 bored sosplice 53867 236785 77148 0 3 0x82 kqread syz-executor 77148 481251 9059 0 3 0x10008a sigsusp ksh 9059 190090 31918 0 3 0x98 kqread sshd-session 31918 244575 95505 0 3 0x92 kqread sshd-session 51017 329828 1 0 3 0x100083 ttyin getty 95505 202167 1 0 3 0x88 kqread sshd 66184 280922 25651 74 3 0x1100092 bpf pflogd 25651 407775 1 0 3 0x80 sbwait pflogd 24003 499776 36780 73 3 0x1100090 kqread syslogd 36780 219522 1 0 3 0x100082 sbwait syslogd 45257 151376 1 0 3 0x100080 kqread resolvd 79166 470011 29979 77 3 0x100092 kqread dhcpleased 59679 462305 29979 77 3 0x100092 kqread dhcpleased 29979 395534 1 0 3 0x80 kqread dhcpleased 55155 461561 0 0 3 0x14200 bored smr 50759 506700 0 0 3 0x14200 pgzero zerothread 11696 121142 0 0 3 0x14200 aiodoned aiodoned 36931 396609 0 0 3 0x14200 syncer update 2732 196041 0 0 3 0x14200 cleaner cleaner 91791 403191 0 0 3 0x14200 reaper reaper 92638 230552 0 0 3 0x14200 pgdaemon pagedaemon 41949 242476 0 0 3 0x14200 bored viomb 34990 362127 0 0 3 0x40014200 acpi0 acpi0 42260 316122 0 0 3 0x40014200 idle1 67047 292795 0 0 3 0x14200 bored softnet3 57553 235308 0 0 3 0x14200 bored softnet2 56415 356340 0 0 3 0x14200 bored softnet1 59172 77281 0 0 3 0x14200 bored softnet0 47690 78921 0 0 3 0x14200 bored systqmp 52157 173336 0 0 3 0x14200 bored systq 94644 350136 0 0 3 0x14200 tmoslp softclockmp 99333 220302 0 0 2 0x40014200 softclock 53636 456622 0 0 3 0x40014200 idle0 1 220250 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 44364 (syz-executor) thread 0xffff80002a03f968 (134590) exclusive kernel_lock &kernel_lock r = 1 (0xffffffff835e44b0) #0 witness_lock+0x5bb stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5bb sys/kern/subr_witness.c:1155 #1 __mp_acquire_count+0x58 #2 mi_switch+0x658 sys/kern/sched_bsd.c:460 #3 yield+0x6a sys/kern/sched_bsd.c:320 #4 malloc+0xe5 sys/kern/kern_malloc.c:170 #5 rtmap_grow+0xb2 sys/net/rtable.c:126 #6 rtable_add+0x2d9 rtable_alloc sys/net/rtable.c:373 [inline] #6 rtable_add+0x2d9 sys/net/rtable.c:222 #7 if_createrdomain+0x40 sys/net/if.c:1947 #8 ifioctl+0x1a1e sys/net/if.c:2296 #9 sys_ioctl+0x67c #10 syscall+0xbb6 mi_syscall sys/sys/syscall_mi.h:179 [inline] #10 syscall+0xbb6 sys/arch/amd64/amd64/trap.c:577 #11 Xsyscall+0x128 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10216 14384K 14486K 166960K 11925 0 pcb 17 12K 12K 166960K 81 0 rtable 242 7K 7K 166960K 708 0 pf 36 18K 18K 166960K 77 0 ifaddr 43 7K 7K 166960K 88 0 ifgroup 55 2K 2K 166960K 104 0 sysctl 3 0K 0K 166960K 3 0 counters 64 36K 36K 166960K 90 0 ioctlops 0 0K 4K 166960K 1585 0 iov 1 16K 16K 166960K 17 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1430 90K 91K 166960K 1881 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 3 5K 13K 166960K 12 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 14 0 dirhash 12 2K 2K 166960K 18 0 ACPI 1690 195K 286K 166960K 12418 0 file desc 18 65K 97K 166960K 568 0 sigio 0 0K 0K 166960K 7 0 proc 72 91K 128K 166960K 817 0 subproc 104 6K 6K 166960K 221 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 48 0 in_multi 99 7K 7K 166960K 210 0 ether_multi 1 0K 0K 166960K 2 0 mrt 0 0K 0K 166960K 1 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 79 360K 360K 166960K 79 0 exec 0 0K 1K 166960K 524 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 242 73K 95K 166960K 6364 0 UVM aobj 18 2K 2K 166960K 18 0 pinsyscall 43 86K 104K 166960K 1886 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 28 0 NDP 12 0K 2K 166960K 60 0 temp 46 6832K 6896K 166960K 18288 0 kqueue 14 22K 30K 166960K 82 0 SYN cache 2 16K 16K 166960K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 24 0 0 1 0 1 1 0 8 0 rtpcb 120 76 0 73 1 0 1 1 0 8 0 rtentry 112 224 0 113 4 0 4 4 0 8 0 unpcb 144 236 0 213 2 1 1 2 0 8 0 syncache 336 6 0 6 3 2 1 1 0 8 1 tcpcb 808 144 0 140 5 4 1 4 0 8 0 arp 120 38 0 20 1 0 1 1 0 8 0 inpcb 336 518 0 508 6 4 2 5 0 8 1 nd6 136 56 0 31 1 0 1 1 0 8 0 pkpcb 40 1 0 1 1 1 0 1 0 8 0 kcovpl 48 17 0 9 1 0 1 1 0 8 0 ppxss 1168 2 0 2 2 1 1 1 0 8 1 pffrag 232 1 0 0 1 0 1 1 0 482 0 pffrnode 88 1 0 0 1 0 1 1 0 8 0 pffrent 40 2 0 1 1 0 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfstitem 24 58 0 21 1 0 1 1 0 8 0 pfstkey 128 58 0 21 2 0 2 2 0 8 0 pfstate 376 58 0 21 5 0 5 5 0 8 0 pfrule 1344 24 0 17 2 0 2 2 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 900 0 443 30 1 29 30 0 8 0 art_table 32 901 0 443 4 0 4 4 0 8 0 art_node 16 222 0 121 1 0 1 1 0 8 0 sysvmsgpl 40 5 0 4 2 1 1 1 0 8 0 semapl 112 12 0 2 1 0 1 1 0 8 0 shmpl 112 15 0 0 1 0 1 1 0 8 0 dirhash 1024 21 0 4 3 0 3 3 0 8 0 dino2pl 256 2216 0 689 96 0 96 96 0 8 0 ffsino 272 2216 0 689 104 1 103 103 0 8 0 nchpl 144 2870 0 1163 64 0 64 64 0 8 0 uvmvnodes 80 2645 0 0 54 0 54 54 0 8 0 vnodes 216 2645 0 0 147 0 147 147 0 8 0 namei 1024 10119 0 10119 4 3 1 2 0 8 1 percpumem 16 59 0 13 1 0 1 1 0 8 0 kstatmem 264 50 0 26 2 0 2 2 0 8 0 acpiwqpl 32 1 0 1 1 0 1 1 1 8 1 scxspl 216 12350 0 12350 11 3 8 8 1 8 8 plimitpl 152 120 0 101 1 0 1 1 0 8 0 sigapl 424 873 0 821 9 2 7 9 0 8 0 futexpl 64 5209 0 5202 2 1 1 1 0 8 0 knotepl 120 487 0 0 15 0 15 15 0 8 0 kqueuepl 216 202 0 190 5 4 1 5 0 8 0 pipepl 320 164 0 134 3 0 3 3 0 8 0 fdescpl 496 833 0 801 7 2 5 6 0 8 0 filepl 152 4278 0 4011 19 7 12 18 0 8 0 lockfpl 104 573 0 571 2 1 1 2 0 8 0 lockfspl 48 109 0 107 1 0 1 1 0 8 0 sessionpl 144 34 0 25 1 0 1 1 0 8 0 pgrppl 48 51 0 34 1 0 1 1 0 8 0 ucredpl 104 666 0 652 1 0 1 1 0 8 0 zombiepl 144 835 0 833 2 1 1 1 0 8 0 processpl 1160 873 0 821 6 2 4 6 0 8 0 procpl 648 1384 0 1324 8 2 6 8 0 8 0 srpgc 96 2 0 2 1 1 0 1 0 8 0 sosppl 168 1 0 1 1 1 0 1 0 8 0 sockpl 664 836 0 800 9 5 4 7 0 8 0 mcl64k 65536 2 0 0 1 0 1 1 0 8 0 mcl9k 9216 1 0 0 1 0 1 1 0 8 0 mcl8k 8192 5 0 0 1 0 1 1 0 8 0 mcl4k 4096 2 0 0 1 0 1 1 0 8 0 mcl2k 2048 233 0 0 30 0 30 30 0 8 0 mtagpl 96 9 0 0 1 0 1 1 0 8 0 mbufpl 256 1203 0 0 75 0 75 75 0 8 0 bufpl 280 5212 0 98 366 0 366 366 0 8 0 anonpl 24 176706 0 173095 60 35 25 58 0 185 0 amapchunkpl 152 20702 0 20189 32 11 21 30 0 158 1 amappl16 200 3949 0 3928 13 11 2 11 0 8 0 amappl15 192 7 0 7 1 1 0 1 0 8 0 amappl14 184 144 0 132 1 0 1 1 0 8 0 amappl13 176 11 0 11 1 1 0 1 0 8 0 amappl12 168 1615 0 1583 4 2 2 3 0 8 0 amappl11 160 52 0 37 1 0 1 1 0 8 0 amappl10 152 12 0 12 1 1 0 1 0 8 0 amappl9 144 136 0 136 1 1 0 1 0 8 0 amappl8 136 25 0 22 1 0 1 1 0 8 0 amappl7 128 129 0 117 1 0 1 1 0 8 0 amappl6 120 253 0 252 1 0 1 1 0 8 0 amappl5 112 169 0 157 1 0 1 1 0 8 0 amappl4 104 346 0 326 1 0 1 1 0 8 0 amappl3 96 4071 0 3954 4 1 3 4 0 8 0 amappl2 88 835 0 766 2 0 2 2 0 8 0 amappl1 80 10056 0 9488 15 1 14 14 0 8 0 amappl 88 5892 0 5713 5 0 5 5 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 7 0 7 2 2 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 17 0 0 1 0 1 1 0 8 0 uaddrrnd 24 833 0 801 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 833 0 801 1 0 1 1 0 8 0 vmmpekpl 168 8191 0 8143 3 0 3 3 0 8 0 vmmpepl 168 59235 0 57339 101 12 89 92 0 357 3 vmsppl 440 832 0 801 6 2 4 5 0 8 0 rwobjpl 56 22848 0 19261 53 1 52 52 0 8 0 pdppl 4096 1673 0 1602 119 46 73 87 0 8 2 pvpl 32 25763 0 0 208 0 208 208 0 265 0 pmappl 248 832 0 801 4 1 3 3 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 484 0 64 13 0 13 13 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff830e2bfc) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff8309b3c7,ffffffff82fdcad1,83,ffffffff830dc8ea) at __assert+0x29 rtable_init() at rtable_init rtable_add(16) at rtable_add+0x2d9 rtable_alloc sys/net/rtable.c:373 [inline] rtable_add(16) at rtable_add+0x2d9 sys/net/rtable.c:222 if_createrdomain(16,ffff800001589800) at if_createrdomain+0x40 sys/net/if.c:1947 ifioctl(ffff80000160ed38,8020699f,ffff800036b98600,ffff80002a03f968) at ifioctl+0x1a1e sys/net/if.c:2296 sys_ioctl(ffff80002a03f968,ffff800036b987e0,ffff800036b98730) at sys_ioctl+0x67c syscall(ffff800036b987e0) at syscall+0xbb6 mi_syscall sys/sys/syscall_mi.h:179 [inline] syscall(ffff800036b987e0) at syscall+0xbb6 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x9998055f7e0, count: -10 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffff800029b7bff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0xb sys/dev/kcov.c:154 __mp_acquire_count(ffffffff835e42a8,2) at __mp_acquire_count+0x58 mi_switch() at mi_switch+0x658 sys/kern/sched_bsd.c:460 yield() at yield+0x6a sys/kern/sched_bsd.c:320 malloc(10,5,1) at malloc+0xe5 sys/kern/kern_malloc.c:170 rtmap_grow(17,18) at rtmap_grow+0x8c sys/net/rtable.c:124 rtable_add(16) at rtable_add+0x2d9 rtable_alloc sys/net/rtable.c:373 [inline] rtable_add(16) at rtable_add+0x2d9 sys/net/rtable.c:222 if_createrdomain(16,ffff800001589800) at if_createrdomain+0x40 sys/net/if.c:1947 ifioctl(ffff80000160ed38,8020699f,ffff8000371c3d80,ffff80002a03ea38) at ifioctl+0x1a1e sys/net/if.c:2296 sys_ioctl(ffff80002a03ea38,ffff8000371c3f60,ffff8000371c3eb0) at sys_ioctl+0x67c syscall(ffff8000371c3f60) at syscall+0xbb6 mi_syscall sys/sys/syscall_mi.h:179 [inline] syscall(ffff8000371c3f60) at syscall+0xbb6 sys/arch/amd64/amd64/trap.c:577 end trace frame: 0xffff8000371c3fe0, count: 0 ddb{1}> trace x86_ipi_db(ffff800029b7bff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0xb sys/dev/kcov.c:154 __mp_acquire_count(ffffffff835e42a8,2) at __mp_acquire_count+0x58 mi_switch() at mi_switch+0x658 sys/kern/sched_bsd.c:460 yield() at yield+0x6a sys/kern/sched_bsd.c:320 malloc(10,5,1) at malloc+0xe5 sys/kern/kern_malloc.c:170 rtmap_grow(17,18) at rtmap_grow+0x8c sys/net/rtable.c:124 rtable_add(16) at rtable_add+0x2d9 rtable_alloc sys/net/rtable.c:373 [inline] rtable_add(16) at rtable_add+0x2d9 sys/net/rtable.c:222 if_createrdomain(16,ffff800001589800) at if_createrdomain+0x40 sys/net/if.c:1947 ifioctl(ffff80000160ed38,8020699f,ffff8000371c3d80,ffff80002a03ea38) at ifioctl+0x1a1e sys/net/if.c:2296 sys_ioctl(ffff80002a03ea38,ffff8000371c3f60,ffff8000371c3eb0) at sys_ioctl+0x67c syscall(ffff8000371c3f60) at syscall+0xbb6 mi_syscall sys/sys/syscall_mi.h:179 [inline] syscall(ffff8000371c3f60) at syscall+0xbb6 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x99a371026b0, count: -15