panic: kernel diagnostic assertion "atomic_load_int(&fdp->fd_nuserevents) == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_descrip.c", line 1219 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND 175167 96209 0 0 0x4000000 1 syz-executor db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83452d82) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff8348dfe0,ffffffff833e372e,4c3,ffffffff8341efc2) at __assert+0x29 sys/kern/subr_prf.c:-1 fdfree(ffff8000fffe8d18) at fdfree+0x349 exit1(ffff8000fffe8d18,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff8000fffe8d18,ffff800038fae4d0,ffff800038fae420) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff800038fae4d0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff800038fae4d0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7dab6b692ee0, count: 7 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: kernel diagnostic assertion "atomic_load_int(&fdp->fd_nuserevents) == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_descrip.c", line 1219 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83452d82) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff8348dfe0,ffffffff833e372e,4c3,ffffffff8341efc2) at __assert+0x29 sys/kern/subr_prf.c:-1 fdfree(ffff8000fffe8d18) at fdfree+0x349 exit1(ffff8000fffe8d18,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff8000fffe8d18,ffff800038fae4d0,ffff800038fae420) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff800038fae4d0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff800038fae4d0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7dab6b692ee0, count: -8 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff800038fae210 rbx 0xffffffff838c8e07 cpu_info_full_primary+0x2e07 rdx 0 rcx 0xffff8000fffe8d18 rax 0xffffffff838c7ff0 cpu_info_full_primary+0x1ff0 r8 0x101010101010101 r9 0x8080808080808080 r10 0x36d1c84a6964833b r11 0xf0d4288cdc925b4a r12 0xffffffff838c8c08 cpu_info_full_primary+0x2c08 r13 0 r14 0 r15 0x1 rip 0xffffffff81db9fa5 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff800038fae200 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor) tid=452988 pid=89335 tcnt=0 stat=onproc flags process=1008 proc=2000 runpri=32, usrpri=86, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0xffff8000fffe8d18 scnt=-1 ecnt=1 forw=0xffffffffffffffff, list=0xffff8000fffe82b8,0xffff8000fffe87f8 process=0xffff8000fffe49c0 user=0xffff800038fa9000, vmspace=0xfffffd806c7069a0 estcpu=36, cpticks=6, pctcpu=0.0, user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 8345 204247 84405 60928 2 0x10 syz-executor 8345 250784 84405 60928 3 0x4000090 fsleep syz-executor 8345 275146 84405 60928 3 0x4000090 fsleep syz-executor 96209 65813 3698 0 2 0 syz-executor 96209 175167 3698 0 7 0x4000000 syz-executor 96209 125296 3698 0 3 0x4000080 fsleep syz-executor 90454 223156 2722 0 2 0xc80 syz-executor 90454 90598 2722 0 3 0x4000080 kqsel syz-executor 90454 52964 2722 0 3 0x4000080 fsleep syz-executor 66865 112588 81042 0 2 0xc80 syz-executor 66865 84036 81042 0 3 0x4000080 fsleep syz-executor 66865 474126 81042 0 3 0x4000080 lockf syz-executor 66865 191767 81042 0 3 0x4000080 fsleep syz-executor 16214 467310 8170 0 2 0xc80 syz-executor 16214 129080 8170 0 3 0x4000080 kqsel syz-executor 16214 216347 8170 0 3 0x4000080 fsleep syz-executor 25480 107282 0 0 3 0x14200 acct acct 84405 500427 97141 0 2 0xc82 syz-executor 8170 275574 97141 0 2 0xc82 syz-executor 2722 358975 97141 0 2 0xc82 syz-executor 49063 408406 97141 0 2 0x2 syz-executor 63284 185690 97141 0 2 0xc82 syz-executor 3698 13557 97141 0 2 0xc82 syz-executor 65083 498400 97141 0 2 0x10000c82 syz-executor 81042 469143 97141 0 2 0xc82 syz-executor 97141 372042 81412 0 3 0x82 kqread syz-executor 81412 304031 46750 0 3 0x10008a sigsusp ksh 46750 319968 70499 0 3 0x98 kqread sshd-session 70499 203382 65002 0 3 0x92 kqread sshd-session 59813 421870 1 0 3 0x100083 ttyin getty 65002 503278 1 0 3 0x88 kqread sshd 76454 361509 70287 74 3 0x1100092 bpf pflogd 70287 253037 1 0 3 0x80 sbwait pflogd 72807 357138 77407 73 3 0x1100090 kqread syslogd 77407 259915 1 0 3 0x100082 sbwait syslogd 81274 157780 1 0 3 0x100080 kqread resolvd 54362 243671 88966 77 3 0x100092 kqread dhcpleased 30239 394960 88966 77 3 0x100092 kqread dhcpleased 88966 492839 1 0 3 0x80 kqread dhcpleased 67553 371735 0 0 3 0x14200 bored smr 71965 370697 0 0 3 0x14200 pgzero zerothread 44178 401778 0 0 3 0x14200 aiodoned aiodoned 84387 324725 0 0 3 0x14200 syncer update 51578 89762 0 0 3 0x14200 cleaner cleaner 81916 279388 0 0 2 0x14200 reaper 16583 470069 0 0 3 0x14200 pgdaemon pagedaemon 16187 488316 0 0 3 0x14200 bored viomb 27085 271470 0 0 3 0x40014200 acpi0 acpi0 60727 227042 0 0 3 0x40014200 idle1 36670 30007 0 0 3 0x14200 bored softnet1 91513 311609 0 0 3 0x14200 bored softnet0 93872 187248 0 0 3 0x14200 bored systqmp 41003 403030 0 0 3 0x14200 bored systq 23104 9886 0 0 3 0x14200 tmoslp softclockmp 99672 178288 0 0 3 0x40014200 tmoslp softclock 30988 433237 0 0 3 0x40014200 idle0 1 165992 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 49063 (syz-executor) thread 0xffff80002a231770 (408406) exclusive rrwlock inode r = 0 (0xfffffd806c5ea560) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320 #2 rrw_enter+0xc6 sys/kern/kern_rwlock.c:621 #3 VOP_LOCK+0xbd sys/kern/vfs_vops.c:527 #4 vn_lock+0xa4 sys/kern/vfs_vnops.c:576 #5 vget+0x2a2 sys/kern/vfs_subr.c:686 #6 ufs_ihashget+0x185 sys/ufs/ufs/ufs_ihash.c:98 #7 ffs_vget+0x8c sys/ufs/ffs/ffs_vfsops.c:1203 #8 ufs_lookup+0x1a36 sys/ufs/ufs/ufs_lookup.c:478 #9 VOP_LOOKUP+0x6e sys/kern/vfs_vops.c:85 #10 vfs_lookup+0x98a sys/kern/vfs_lookup.c:567 #11 namei+0x7ca sys/kern/vfs_lookup.c:250 #12 dounlinkat+0xc1 sys/kern/vfs_syscalls.c:1887 #13 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] #13 syscall+0xb17 sys/arch/amd64/amd64/trap.c:783 #14 Xsyscall+0x128 exclusive rrwlock inode r = 0 (0xfffffd806c327b30) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320 #2 rrw_enter+0xc6 sys/kern/kern_rwlock.c:621 #3 VOP_LOCK+0xbd sys/kern/vfs_vops.c:527 #4 vn_lock+0xa4 sys/kern/vfs_vnops.c:576 #5 vget+0x2a2 sys/kern/vfs_subr.c:686 #6 cache_lookup+0x351 sys/kern/vfs_cache.c:222 #7 ufs_lookup+0x1e3 sys/ufs/ufs/ufs_lookup.c:160 #8 VOP_LOOKUP+0x6e sys/kern/vfs_vops.c:85 #9 vfs_lookup+0x98a sys/kern/vfs_lookup.c:567 #10 namei+0x7ca sys/kern/vfs_lookup.c:250 #11 dounlinkat+0xc1 sys/kern/vfs_syscalls.c:1887 #12 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] #12 syscall+0xb17 sys/arch/amd64/amd64/trap.c:783 #13 Xsyscall+0x128 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 11060 12093K 12172K 166960K 12217 0 pcb 18 12K 12K 166960K 26 0 rtable 243 7K 7K 166960K 378 0 pf 35 17K 24K 166960K 62 0 ifaddr 43 7K 7K 166960K 48 0 ifgroup 55 2K 2K 166960K 62 0 sysctl 2 1K 9K 166960K 6 0 counters 70 37K 37K 166960K 74 0 ioctlops 0 0K 4K 166960K 1501 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1297 82K 82K 166960K 1411 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 5K 166960K 4 0 VM map 2 1K 1K 166960K 2 0 sem 5 0K 0K 166960K 5 0 dirhash 15 2K 2K 166960K 15 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 15 53K 93K 166960K 198 0 sigio 0 0K 0K 166960K 2 0 proc 72 115K 164K 166960K 566 0 subproc 72 4K 4K 166960K 72 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 3 0 in_multi 99 7K 7K 166960K 100 0 ether_multi 1 0K 0K 166960K 1 0 mrt 0 0K 0K 166960K 5 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 61 281K 281K 166960K 61 0 exec 0 0K 1K 166960K 381 0 fusefs mount 1 32K 32K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 238 167K 176K 166960K 3750 0 UVM aobj 6 2K 2K 166960K 6 0 pinsyscall 41 82K 104K 166960K 1335 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 NDP 12 0K 2K 166960K 30 0 temp 38 9075K 9138K 166960K 4337 0 kqueue 16 22K 24K 166960K 41 0 SYN cache 2 16K 16K 166960K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 120 42 0 38 1 0 1 1 0 8 0 rtentry 176 115 0 5 5 0 5 5 0 8 0 unpcb 144 48 0 29 1 0 1 1 0 8 0 syncache 336 3 0 3 1 0 1 1 0 8 1 tcpcb 736 24 0 20 1 0 1 1 0 8 0 arp 136 19 0 2 1 0 1 1 0 8 0 inpcb 328 105 0 97 2 0 2 2 0 8 1 nd6 152 24 0 0 1 0 1 1 0 8 0 kcovpl 48 8 0 0 1 0 1 1 0 8 0 ppxss 1192 1 0 1 1 0 1 1 0 8 1 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfanchor 1288 2 0 0 1 0 1 1 0 8 0 pfstitem 24 22 0 0 1 0 1 1 0 8 0 pfstkey 128 22 0 0 1 0 1 1 0 8 0 pfstate 448 21 0 0 3 0 3 3 0 8 0 pfrule 1360 21 0 16 2 1 1 2 0 8 0 art_heap8 4096 2 0 0 2 0 2 2 0 8 0 art_heap4 256 464 0 4 29 0 29 29 0 8 0 art_table 40 466 0 4 5 0 5 5 0 8 0 art_node 32 115 0 15 1 0 1 1 0 8 0 semupl 112 1 0 0 1 0 1 1 0 8 0 semapl 112 3 0 0 1 0 1 1 0 8 0 shmpl 112 3 0 0 1 0 1 1 0 8 0 dirhash 1024 19 0 0 3 0 3 3 0 8 0 dino2pl 256 1687 0 208 93 0 93 93 0 8 0 ffsino 296 1687 0 208 114 0 114 114 0 8 0 nchpl 144 1967 0 260 64 0 64 64 0 8 0 vnodes 216 1805 0 0 101 0 101 101 0 8 0 namei 1024 5951 0 5951 1 0 1 1 0 8 1 percpumem 16 52 0 2 1 0 1 1 0 8 0 kstatmem 264 30 0 4 2 0 2 2 0 8 0 scxspl 216 7053 0 7053 4 1 3 3 1 8 3 plimitpl 152 36 0 19 1 0 1 1 0 8 0 sigapl 424 511 0 463 7 0 7 7 0 8 1 knotepl 120 308 0 0 10 0 10 10 0 8 0 kqueuepl 224 36 0 24 1 0 1 1 0 8 0 pipepl 344 128 0 101 3 0 3 3 0 8 0 fdescpl 528 494 0 464 3 0 3 3 0 8 0 filepl 160 1850 0 1624 10 0 10 10 0 8 0 lockfpl 104 33 0 26 1 0 1 1 0 8 0 lockfspl 48 17 0 11 1 0 1 1 0 8 0 sessionpl 144 24 0 15 1 0 1 1 0 8 0 pgrppl 48 32 0 15 1 0 1 1 0 8 0 ucredpl 104 142 0 128 1 0 1 1 0 8 0 zombiepl 144 465 0 463 1 0 1 1 0 8 0 processpl 1232 511 0 463 5 0 5 5 0 8 0 procpl 664 620 0 559 6 0 6 6 0 8 0 sockpl 752 197 0 166 4 0 4 4 0 8 0 mcl64k 65536 3 0 0 1 0 1 1 0 8 0 mcl16k 16384 7 0 0 1 0 1 1 0 8 0 mcl12k 12288 1 0 0 1 0 1 1 0 8 0 mcl9k 9216 1 0 0 1 0 1 1 0 8 0 mcl8k 8192 2 0 0 1 0 1 1 0 8 0 mcl4k 4096 117 0 0 15 0 15 15 0 8 0 mcl2k 2048 18 0 0 3 0 3 3 0 8 0 mtagpl 96 1 0 0 1 0 1 1 0 8 0 mbufpl 256 135 0 0 9 0 9 9 0 8 0 bufpl 280 2663 0 105 183 0 183 183 0 8 0 anonpl 32 4066 0 0 34 1 33 34 0 246 0 amapchunkpl 152 10440 0 9951 22 0 22 22 0 158 1 amappl16 200 2069 0 2046 5 1 4 5 0 8 1 amappl15 192 29 0 29 1 1 0 1 0 8 0 amappl14 184 430 0 429 1 0 1 1 0 8 0 amappl13 176 119 0 106 1 0 1 1 0 8 0 amappl12 168 746 0 717 2 0 2 2 0 8 0 amappl11 160 6 0 6 1 1 0 1 0 8 0 amappl10 152 111 0 97 1 0 1 1 0 8 0 amappl9 144 269 0 269 1 1 0 1 0 8 0 amappl8 136 105 0 103 1 0 1 1 0 8 0 amappl7 128 142 0 129 1 0 1 1 0 8 0 amappl6 120 169 0 168 1 0 1 1 0 8 0 amappl5 112 92 0 81 1 0 1 1 0 8 0 amappl4 104 287 0 267 1 0 1 1 0 8 0 amappl3 96 1868 0 1753 4 0 4 4 0 8 0 amappl2 88 532 0 469 2 0 2 2 0 8 0 amappl1 80 9492 0 8899 14 0 14 14 0 8 1 amappl 88 3014 0 2849 5 0 5 5 0 92 1 uvmvnodes 80 101 0 0 3 0 3 3 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma2048 2048 1 0 1 1 0 1 1 0 8 1 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 5 0 0 1 0 1 1 0 8 0 uaddrrnd 24 494 0 464 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 494 0 464 1 0 1 1 0 8 0 vmmpekpl 168 5759 0 5727 2 0 2 2 0 8 0 vmmpepl 168 39702 0 37833 88 0 88 88 0 357 1 vmsppl 488 493 0 464 5 0 5 5 0 8 1 rwobjpl 80 14481 0 13446 23 0 23 23 0 8 0 pdppl 4096 995 0 928 97 24 73 85 0 8 6 pvpl 32 11131 0 0 91 1 90 90 0 265 0 pmappl 256 493 0 464 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 269 0 27 8 0 8 8 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83452d82) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff8348dfe0,ffffffff833e372e,4c3,ffffffff8341efc2) at __assert+0x29 sys/kern/subr_prf.c:-1 fdfree(ffff8000fffe8d18) at fdfree+0x349 exit1(ffff8000fffe8d18,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff8000fffe8d18,ffff800038fae4d0,ffff800038fae420) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff800038fae4d0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff800038fae4d0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7dab6b692ee0, count: -8 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffff8000299adff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff83a93ac0) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline] __mp_lock(ffffffff83a93ac0) at __mp_lock+0x192 sys/kern/kern_lock.c:173 sysctl_file(ffff80003c407e58,4,200000000100,ffff80003c407e88,ffff8000fffe82b8) at sysctl_file+0x2d20 sys/kern/kern_sysctl.c:1796 kern_sysctl(ffff80003c407e54,5,200000000100,ffff80003c407e88,0,37,f09925064c98a914) at kern_sysctl+0x139 sys/kern/kern_sysctl.c:736 sys_sysctl(ffff8000fffe82b8,ffff80003c407fc0,ffff80003c407f10) at sys_sysctl+0x3e5 sys/kern/kern_sysctl.c:-1 syscall(ffff80003c407fc0) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c407fc0) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xafbb3f0ce40, count: 6 ddb{1}> trace x86_ipi_db(ffff8000299adff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff83a93ac0) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline] __mp_lock(ffffffff83a93ac0) at __mp_lock+0x192 sys/kern/kern_lock.c:173 sysctl_file(ffff80003c407e58,4,200000000100,ffff80003c407e88,ffff8000fffe82b8) at sysctl_file+0x2d20 sys/kern/kern_sysctl.c:1796 kern_sysctl(ffff80003c407e54,5,200000000100,ffff80003c407e88,0,37,f09925064c98a914) at kern_sysctl+0x139 sys/kern/kern_sysctl.c:736 sys_sysctl(ffff8000fffe82b8,ffff80003c407fc0,ffff80003c407f10) at sys_sysctl+0x3e5 sys/kern/kern_sysctl.c:-1 syscall(ffff80003c407fc0) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c407fc0) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xafbb3f0ce40, count: -9