panic: kernel diagnostic assertion "pg->wire_count != 0" failed: file "/syzkaller/managers/main/kernel/sys/uvm/uvm_page.c", line 1250 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8348c159) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff834c5bd6,ffffffff834a9eca,4e2,ffffffff834184f1) at __assert+0x29 sys/kern/subr_prf.c:-1 uvm_pageunwire(fffff100075ac400) at uvm_pageunwire+0x17d sys/uvm/uvm_page.c:1249 uvm_fault_unwire_locked(fffff1007ec5ca10,56a447b3000,56a44bb2000) at uvm_fault_unwire_locked+0x33a sys/uvm/uvm_fault.c:1790 uvm_unmap_kill_entry_withlock(fffff1007ec5ca10,fffff1006d1eb4c0,0) at uvm_unmap_kill_entry_withlock+0x81 sys/uvm/uvm_map.c:1866 uvm_map_teardown(fffff1007ec5ca10) at uvm_map_teardown+0x117 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:-1 [inline] uvm_map_teardown(fffff1007ec5ca10) at uvm_map_teardown+0x117 sys/uvm/uvm_map.c:2497 exit1(ffff80002f0b02b0,0,4,1) at exit1+0x6e6 sys/kern/kern_exit.c:259 sigexit(ffff80002f0b02b0,4) at sigexit+0x115 trapsignal(ffff80002f0b02b0,b,6,2,7ecd722df4b0) at trapsignal+0x85b sys/kern/kern_sig.c:873 upageflttrap(ffff80002a783ac0,7ecd722df4b0) at upageflttrap+0x25d sys/arch/amd64/amd64/trap.c:218 usertrap(ffff80002a783ac0) at usertrap+0x413 sys/arch/amd64/amd64/trap.c:640 recall_trap() at recall_trap+0x8 end of kernel end trace frame: 0x7ecd722df4e0, count: 2 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "pg->wire_count != 0" failed: file "/syzkaller/managers/main/kernel/sys/uvm/uvm_page.c", line 1250 ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8348c159) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff834c5bd6,ffffffff834a9eca,4e2,ffffffff834184f1) at __assert+0x29 sys/kern/subr_prf.c:-1 uvm_pageunwire(fffff100075ac400) at uvm_pageunwire+0x17d sys/uvm/uvm_page.c:1249 uvm_fault_unwire_locked(fffff1007ec5ca10,56a447b3000,56a44bb2000) at uvm_fault_unwire_locked+0x33a sys/uvm/uvm_fault.c:1790 uvm_unmap_kill_entry_withlock(fffff1007ec5ca10,fffff1006d1eb4c0,0) at uvm_unmap_kill_entry_withlock+0x81 sys/uvm/uvm_map.c:1866 uvm_map_teardown(fffff1007ec5ca10) at uvm_map_teardown+0x117 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:-1 [inline] uvm_map_teardown(fffff1007ec5ca10) at uvm_map_teardown+0x117 sys/uvm/uvm_map.c:2497 exit1(ffff80002f0b02b0,0,4,1) at exit1+0x6e6 sys/kern/kern_exit.c:259 sigexit(ffff80002f0b02b0,4) at sigexit+0x115 trapsignal(ffff80002f0b02b0,b,6,2,7ecd722df4b0) at trapsignal+0x85b sys/kern/kern_sig.c:873 upageflttrap(ffff80002a783ac0,7ecd722df4b0) at upageflttrap+0x25d sys/arch/amd64/amd64/trap.c:218 usertrap(ffff80002a783ac0) at usertrap+0x413 sys/arch/amd64/amd64/trap.c:640 recall_trap() at recall_trap+0x8 end of kernel end trace frame: 0x7ecd722df4e0, count: -13 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80002a7835a0 rbx 0xffff8000ffff9218 rdx 0 rcx 0 rax 0xffff80002f0b02b0 r8 0x101010101010101 r9 0x8080808080808080 r10 0x948d3321a8586019 r11 0xfc3d43fed7bf7d9e r12 0 r13 0xffffffff83784c30 uvm_map_addr_RBT_INFO r14 0 r15 0x1 rip 0xffffffff82c04965 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80002a783590 ss 0 db_enter+0x25: addq $0x8,%rsp ddb> show proc PROC (syz-executor) tid=491586 pid=9463 tcnt=0 stat=onproc flags process=1808 proc=2000 runpri=32, usrpri=86, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0xffff80002f0b02b0 scnt=-1 ecnt=1 forw=0xffffffffffffffff, list=0xffff80002a7762a8,0xffff80002f0b1cb0 process=0xffff8000ffff9218 user=0xffff80002a77e000, vmspace=0xfffff1007ec5ca10 estcpu=36, cpticks=6, pctcpu=0.0, user=0, sys=2, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 99436 283670 99995 0 2 0x1000000 syz-executor 99436 252496 99995 0 3 0x5000080 msgwait syz-executor 99436 168628 99995 0 3 0x5000080 fsleep syz-executor 92277 59026 10942 0 2 0xc80 syz-executor 92277 371704 10942 0 3 0x4000080 rest syz-executor 92277 496122 10942 0 3 0x4000080 fsleep syz-executor 3129 367655 92524 0 2 0xc80 syz-executor 3129 310494 92524 0 3 0x4000080 fsleep syz-executor 54472 375795 39609 0 2 0 syz-executor 54472 298397 39609 0 2 0x4000c80 syz-executor 39609 13378 19202 0 2 0xc82 syz-executor 8405 454446 1 0 3 0x82 nanoslp getty 90305 321726 0 0 3 0x14200 acct acct 81813 134249 48877 0 3 0x3000 suspend syz-executor 81813 331590 48877 0 2 0x4081000 syz-executor 81813 332411 48877 0 3 0x4081000 inode syz-executor 92524 286540 19202 0 2 0xc82 syz-executor 91364 114008 19202 0 2 0xc82 syz-executor 48877 445735 19202 0 3 0x82 wait syz-executor 64995 90980 19202 0 2 0xc82 syz-executor 99995 76944 19202 0 2 0xc82 syz-executor 10942 416110 19202 0 2 0xc82 syz-executor 23783 318315 19202 0 2 0x2 syz-executor 19202 517413 1 0 3 0x82 kqread syz-executor 69444 495411 1 73 2 0x1100090 syslogd 8277 81183 0 0 3 0x14200 bored smr 93128 319046 0 0 2 0x14200 zerothread 10731 280722 0 0 3 0x14200 aiodoned aiodoned 52563 87183 0 0 3 0x14200 syncer update 29275 24618 0 0 3 0x14200 cleaner cleaner 81318 43260 0 0 3 0x14200 reaper reaper 75546 339285 0 0 3 0x14200 pgdaemon pagedaemon 89361 119730 0 0 3 0x14200 bored viomb 45960 182108 0 0 3 0x40014200 acpi0 acpi0 53534 371576 0 0 3 0x14200 bored softnet0 38537 177184 0 0 3 0x14200 bored systqmp 55005 9581 0 0 3 0x14200 bored systq 61899 110620 0 0 3 0x40014200 tmoslp softclock 10612 28659 0 0 3 0x40014200 idle0 1 262858 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 11023 12102K 12301K 166960K 12378 0 pcb 19 12K 12K 166960K 59 0 rtable 199 6K 7K 166960K 391 0 pf 28 12K 16K 166960K 58 0 ifaddr 38 6K 7K 166960K 58 0 ifgroup 46 2K 2K 166960K 79 0 sysctl 3 1K 9K 166960K 7 0 counters 32 17K 17K 166960K 44 0 ioctlops 0 0K 4K 166960K 54 0 iov 0 0K 12K 166960K 73 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1324 83K 84K 166960K 1515 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 5K 166960K 3 0 VM map 2 1K 1K 166960K 2 0 sem 11 0K 0K 166960K 112 0 dirhash 12 2K 2K 166960K 12 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 16 57K 89K 166960K 306 0 sigio 0 0K 0K 166960K 1 0 proc 20 25K 91K 166960K 559 0 subproc 72 4K 4K 166960K 81 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 16 0 in_multi 85 6K 7K 166960K 117 0 ether_multi 1 0K 0K 166960K 3 0 mrt 1 0K 0K 166960K 8 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 61 281K 281K 166960K 61 0 exec 0 0K 1K 166960K 432 0 fusefs mount 1 32K 32K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 153 109K 167K 166960K 4378 0 UVM aobj 4 2K 2K 166960K 4 0 pinsyscall 20 40K 92K 166960K 1439 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 4 0 NDP 10 0K 1K 166960K 38 0 temp 75 9116K 13211K 166960K 15722 0 kqueue 7 9K 28K 166960K 60 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 81 0 81 2 0 2 2 0 8 2 rtentry 136 123 0 34 4 0 4 4 0 8 0 unpcb 144 238 0 233 6 0 6 6 0 8 5 syncache 336 4 0 4 1 0 1 1 0 8 1 tcpcb 736 267 0 264 7 0 7 7 0 8 6 arp 96 20 0 4 1 0 1 1 0 8 0 ipq 40 1 0 1 1 0 1 1 0 8 1 ipqe 40 2 0 2 1 0 1 1 0 8 1 inpcb 328 435 0 427 7 0 7 7 0 8 5 ip6q 72 1 0 0 1 0 1 1 0 8 0 ip6af 40 2 0 0 1 0 1 1 0 8 0 nd6 112 27 0 6 1 0 1 1 0 8 0 pkpcb 40 1 0 1 1 0 1 1 0 8 1 kcovpl 48 9 0 1 1 0 1 1 0 8 0 ppxss 1072 7 0 7 1 0 1 1 0 8 1 pfrule 1360 1 0 1 1 0 1 1 0 8 1 rttmr 136 1 0 1 1 0 1 1 0 8 1 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 531 0 160 29 0 29 29 0 8 4 art_table 40 532 0 160 5 0 5 5 0 8 0 art_node 32 123 0 44 1 0 1 1 0 8 0 sysvmsgpl 40 3 0 3 1 0 1 1 0 8 1 semupl 112 1 0 1 1 0 1 1 0 8 1 semapl 72 109 0 100 1 0 1 1 0 8 0 shmpl 112 1 0 0 1 0 1 1 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 1840 0 377 92 0 92 92 0 8 0 ffsino 256 1840 0 377 92 0 92 92 0 8 0 nchpl 144 2265 0 560 64 0 64 64 0 8 0 rtmask 32 2 0 2 1 0 1 1 0 8 1 vnodes 216 2032 0 0 113 0 113 113 0 8 0 namei 1024 7338 0 7337 1 0 1 1 0 8 0 kstatmem 264 41 0 20 2 0 2 2 0 8 0 scsiplug 72 2 0 2 1 0 1 1 0 8 1 scxspl 216 9250 0 9250 3 0 3 3 1 8 3 plimitpl 152 54 0 40 1 0 1 1 0 8 0 sigapl 424 602 0 568 6 0 6 6 0 8 1 knotepl 120 8300 0 8270 10 0 10 10 0 8 8 kqueuepl 184 68 0 64 1 0 1 1 0 8 0 pipepl 304 140 0 113 3 0 3 3 0 8 0 fdescpl 448 588 0 569 5 0 5 5 0 8 1 filepl 120 3115 0 2926 14 0 14 14 0 8 7 lockfpl 104 80 0 79 1 0 1 1 0 8 0 lockfspl 48 38 0 37 1 0 1 1 0 8 0 sessionpl 144 29 0 26 1 0 1 1 0 8 0 pgrppl 48 39 0 28 1 0 1 1 0 8 0 ucredpl 104 274 0 268 1 0 1 1 0 8 0 zombiepl 144 571 0 568 1 0 1 1 0 8 0 processpl 1152 602 0 568 4 0 4 4 0 8 0 procpl 664 837 0 795 5 0 5 5 0 8 0 sosppl 176 1 0 1 1 0 1 1 0 8 1 sockpl 552 796 0 783 17 7 10 17 0 8 8 mcl64k 65536 42 0 42 1 0 1 1 0 8 1 mcl8k 8192 5 0 5 1 0 1 1 0 8 1 mcl4k 4096 2686 0 2630 14 0 14 14 0 8 7 mcl2k 2048 257 0 256 4 0 4 4 0 8 3 mtagpl 96 4 0 4 1 0 1 1 0 8 1 mbufpl 256 6214 0 6065 16 0 16 16 0 8 4 bufpl 280 6033 0 102 424 0 424 424 0 8 0 anonpl 24 122517 0 112285 72 0 72 72 0 186 9 amapchunkpl 152 13254 0 12590 31 0 31 31 0 158 3 amappl16 200 2255 0 2030 12 0 12 12 0 8 0 amappl15 192 4 0 4 1 0 1 1 0 8 1 amappl14 184 450 0 449 1 0 1 1 0 8 0 amappl13 176 121 0 119 1 0 1 1 0 8 0 amappl12 168 852 0 833 2 0 2 2 0 8 0 amappl11 160 4 0 4 1 0 1 1 0 8 1 amappl10 152 62 0 60 1 0 1 1 0 8 0 amappl9 144 269 0 269 1 0 1 1 0 8 1 amappl8 136 108 0 107 1 0 1 1 0 8 0 amappl7 128 149 0 145 1 0 1 1 0 8 0 amappl6 120 163 0 162 1 0 1 1 0 8 0 amappl5 112 97 0 95 1 0 1 1 0 8 0 amappl4 104 277 0 267 1 0 1 1 0 8 0 amappl3 96 2438 0 2352 4 0 4 4 0 8 1 amappl2 88 532 0 517 2 0 2 2 0 8 0 amappl1 80 10880 0 10721 13 0 13 13 0 8 5 amappl 88 3635 0 3503 5 0 5 5 0 92 1 uvmvnodes 80 101 0 0 3 0 3 3 0 8 0 dma4096 4096 1 0 1 1 0 1 1 0 8 1 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 0 1 1 0 8 1 dma128 128 253 0 253 1 0 1 1 0 8 1 dma64 64 6 0 6 1 0 1 1 0 8 1 dma32 32 7 0 7 1 0 1 1 0 8 1 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 3 0 0 1 0 1 1 0 8 0 uaddrrnd 24 588 0 568 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 588 0 568 1 0 1 1 0 8 0 vmmpekpl 168 6610 0 6571 2 0 2 2 0 8 0 vmmpepl 168 46342 0 45195 83 0 83 83 0 357 25 vmsppl 368 587 0 568 4 0 4 4 0 8 1 rwobjpl 40 16376 0 15689 11 0 11 11 0 8 0 pdppl 4096 1182 0 1136 96 46 50 78 0 8 4 pvpl 32 305810 0 277016 255 0 255 255 0 265 15 pmappl 216 587 0 568 2 0 2 2 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 371 0 46 10 0 10 10 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8348c159) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff834c5bd6,ffffffff834a9eca,4e2,ffffffff834184f1) at __assert+0x29 sys/kern/subr_prf.c:-1 uvm_pageunwire(fffff100075ac400) at uvm_pageunwire+0x17d sys/uvm/uvm_page.c:1249 uvm_fault_unwire_locked(fffff1007ec5ca10,56a447b3000,56a44bb2000) at uvm_fault_unwire_locked+0x33a sys/uvm/uvm_fault.c:1790 uvm_unmap_kill_entry_withlock(fffff1007ec5ca10,fffff1006d1eb4c0,0) at uvm_unmap_kill_entry_withlock+0x81 sys/uvm/uvm_map.c:1866 uvm_map_teardown(fffff1007ec5ca10) at uvm_map_teardown+0x117 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:-1 [inline] uvm_map_teardown(fffff1007ec5ca10) at uvm_map_teardown+0x117 sys/uvm/uvm_map.c:2497 exit1(ffff80002f0b02b0,0,4,1) at exit1+0x6e6 sys/kern/kern_exit.c:259 sigexit(ffff80002f0b02b0,4) at sigexit+0x115 trapsignal(ffff80002f0b02b0,b,6,2,7ecd722df4b0) at trapsignal+0x85b sys/kern/kern_sig.c:873 upageflttrap(ffff80002a783ac0,7ecd722df4b0) at upageflttrap+0x25d sys/arch/amd64/amd64/trap.c:218 usertrap(ffff80002a783ac0) at usertrap+0x413 sys/arch/amd64/amd64/trap.c:640 recall_trap() at recall_trap+0x8 end of kernel end trace frame: 0x7ecd722df4e0, count: -13 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8348c159) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff834c5bd6,ffffffff834a9eca,4e2,ffffffff834184f1) at __assert+0x29 sys/kern/subr_prf.c:-1 uvm_pageunwire(fffff100075ac400) at uvm_pageunwire+0x17d sys/uvm/uvm_page.c:1249 uvm_fault_unwire_locked(fffff1007ec5ca10,56a447b3000,56a44bb2000) at uvm_fault_unwire_locked+0x33a sys/uvm/uvm_fault.c:1790 uvm_unmap_kill_entry_withlock(fffff1007ec5ca10,fffff1006d1eb4c0,0) at uvm_unmap_kill_entry_withlock+0x81 sys/uvm/uvm_map.c:1866 uvm_map_teardown(fffff1007ec5ca10) at uvm_map_teardown+0x117 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:-1 [inline] uvm_map_teardown(fffff1007ec5ca10) at uvm_map_teardown+0x117 sys/uvm/uvm_map.c:2497 exit1(ffff80002f0b02b0,0,4,1) at exit1+0x6e6 sys/kern/kern_exit.c:259 sigexit(ffff80002f0b02b0,4) at sigexit+0x115 trapsignal(ffff80002f0b02b0,b,6,2,7ecd722df4b0) at trapsignal+0x85b sys/kern/kern_sig.c:873 upageflttrap(ffff80002a783ac0,7ecd722df4b0) at upageflttrap+0x25d sys/arch/amd64/amd64/trap.c:218 usertrap(ffff80002a783ac0) at usertrap+0x413 sys/arch/amd64/amd64/trap.c:640 recall_trap() at recall_trap+0x8 end of kernel end trace frame: 0x7ecd722df4e0, count: -13 ddb>