panic: kernel diagnostic assertion "ps->ps_uvncount == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_unveil.c", line 188
Stopped at db_enter+0x1c: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff827a0e01) at panic+0x17b sys/kern/subr_prf.c:198
__assert(ffffffff8281f100,ffffffff82823261,bc,ffffffff827b914b) at __assert+0x29 sys/kern/subr_prf.c:157
unveil_destroy(ffff80002128fab8) at unveil_destroy+0x1a4 sys/kern/kern_unveil.c:188
exit1(ffff8000212a0b08,0,0,1) at exit1+0x3d5 sys/kern/kern_exit.c:220
sys_exit(ffff8000212a0b08,ffff80002e44daf0,ffff80002e44db40) at sys_exit+0x1a sys/kern/kern_exit.c:89
syscall(ffff80002e44dbc0) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff80002e44dbc0) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7dd773dd9f80, count: 7
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic *cpu1: kernel diagnostic assertion "ps->ps_uvncount == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_unveil.c", line 188 ddb{1}> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff827a0e01) at panic+0x17b sys/kern/subr_prf.c:198 __assert(ffffffff8281f100,ffffffff82823261,bc,ffffffff827b914b) at __assert+0x29 sys/kern/subr_prf.c:157 unveil_destroy(ffff80002128fab8) at unveil_destroy+0x1a4 sys/kern/kern_unveil.c:188 exit1(ffff8000212a0b08,0,0,1) at exit1+0x3d5 sys/kern/kern_exit.c:220 sys_exit(ffff8000212a0b08,ffff80002e44daf0,ffff80002e44db40) at sys_exit+0x1a sys/kern/kern_exit.c:89 syscall(ffff80002e44dbc0) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline] syscall(ffff80002e44dbc0) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7dd773dd9f80, count: -8 ddb{1}> show registers rdi 0 rsi 0x1 rbp 0xffff80002e44d900 rbx 0xffff800020d59b9f rdx 0 rcx 0xffff8000212a0b08 rax 0xffff800020d58ff0 r8 0x101010101010101 r9 0x8080808080808080 r10 0xa0aba430ab7c1c47 r11 0x1c04119f8a8a1334 r12 0xffff800020d599a0 r13 0 r14 0 r15 0x1 rip 0xffffffff8255bacc db_enter+0x1c cs 0x8 rflags 0x246 rsp 0xffff80002e44d8f0 ss 0 db_enter+0x1c: addq $0x8,%rsp ddb{1}> show proc PROC (syz-executor.1) pid=489306 stat=onproc flags process=1018 proc=2000 pri=32, usrpri=86, nice=20 forw=0xffffffffffffffff, list=0xffff8000211ad880,0xffff8000212a0dd0 process=0xffff80002128fab8 user=0xffff80002e448000, vmspace=0xfffffd806efbb3a8 estcpu=36, cpticks=5, pctcpu=0.0 user=0, sys=1, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 79708 439357 40669 0 2 0 syz-executor.5 62936 321712 11794 0 2 0 syz-executor.7 62936 69004 11794 0 2 0x4000000 syz-executor.7 89758 259199 8085 0 2 0 syz-executor.6 89758 24775 8085 0 2 0x4000000 syz-executor.6 52501 408459 59081 0 3 0x82 nanoslp syz-executor.4 11794 
28993 59081 0 3 0x82 nanoslp syz-executor.7 40420 328249 0 0 3 0x14200 bored sosplice 8085 387643 59081 0 3 0x82 nanoslp syz-executor.6 40669 116834 59081 0 3 0x82 nanoslp syz-executor.5 30289 468889 59081 0 3 0x2 biowait syz-executor.2 12149 363621 59081 0 3 0x82 nanoslp syz-executor.1 84284 116512 59081 0 3 0x2 biowait syz-executor.3 25850 144071 59081 0 3 0x2 biowait syz-executor.0 59081 360758 64478 0 3 0x2000082 wait syz-fuzzer 59081 282975 64478 0 3 0x6000082 nanoslp syz-fuzzer 59081 328711 64478 0 3 0x6000082 wait syz-fuzzer 59081 33279 64478 0 3 0x6000082 wait syz-fuzzer 59081 340158 64478 0 3 0x6000082 thrsleep syz-fuzzer 59081 258955 64478 0 3 0x6000082 wait syz-fuzzer 59081 51012 64478 0 3 0x6000082 wait syz-fuzzer 59081 237542 64478 0 3 0x6000082 wait syz-fuzzer 59081 107320 64478 0 3 0x6000082 thrsleep syz-fuzzer 59081 359915 64478 0 3 0x6000082 thrsleep syz-fuzzer 59081 449549 64478 0 3 0x6000082 thrsleep syz-fuzzer 59081 113114 64478 0 3 0x6000082 wait syz-fuzzer 59081 514676 64478 0 3 0x6000082 kqread syz-fuzzer 59081 268294 64478 0 3 0x6000082 wait syz-fuzzer 59081 304252 64478 0 3 0x6000082 thrsleep syz-fuzzer 64478 153105 99609 0 3 0x10008a sigsusp ksh 99609 181396 1724 0 3 0x9a kqread sshd 27657 227169 1 0 3 0x100083 ttyopn getty 1724 318906 1 0 3 0x88 kqread sshd 27502 136465 23670 74 3 0x1100092 bpf pflogd 23670 461014 1 0 3 0x80 netio pflogd 88121 150697 46734 73 3 0x1100090 kqread syslogd 46734 435523 1 0 3 0x100082 netio syslogd 75151 331909 1 0 3 0x100080 kqread resolvd 80145 173666 37036 77 3 0x100092 kqread dhcpleased 53814 357487 37036 77 3 0x100092 kqread dhcpleased 37036 173808 1 0 3 0x80 kqread dhcpleased 69250 26386 0 0 3 0x14200 bored smr 67738 424761 0 0 3 0x14200 pgzero zerothread 50573 390995 0 0 3 0x14200 aiodoned aiodoned 39592 466254 0 0 3 0x14200 syncer update 53019 151321 0 0 3 0x14200 cleaner cleaner 43631 412988 0 0 2 0x14200 reaper 52290 401050 0 0 3 0x14200 pgdaemon pagedaemon 40875 223955 0 0 3 0x14200 bored viomb 
18604 389097 0 0 3 0x40014200 acpi0 acpi0 31164 485336 0 0 3 0x40014200 idle1 48881 313785 0 0 3 0x14200 bored softnet3 82691 364861 0 0 3 0x14200 bored softnet2 55310 276540 0 0 3 0x14200 bored softnet1 45318 300142 0 0 3 0x14200 bored softnet0 33014 114045 0 0 3 0x14200 bored systqmp 84709 446013 0 0 3 0x14200 bored systq 76184 124917 0 0 3 0x40014200 bored softclock 23899 143518 0 0 3 0x40014200 idle0 1 64405 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks Process 89758 (syz-executor.6) thread 0xffff8000212a8848 (24775) Process 30289 (syz-executor.2) thread 0xffff8000212a9898 (468889) Process 84284 (syz-executor.3) thread 0xffff8000212a9070 (116512) Process 25850 (syz-executor.0) thread 0xffff8000211ad5c8 (144071) Process 43631 (reaper) thread 0xffff8000211ac578 (412988) ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10213 6479K 6804K 78643K 14113 0 pcb 13 10K 11K 78643K 73 0 rtable 241 7K 7K 78643K 2490 0 pf 32 9K 10K 78643K 89 0 ifaddr 45 15K 16K 78643K 77 0 ifgroup 55 2K 2K 78643K 123 0 sysctl 2 0K 0K 78643K 2 0 counters 60 35K 36K 78643K 100 0 ioctlops 0 0K 4K 78643K 1642 0 iov 0 0K 16K 78643K 188 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 4 0 vnodes 1408 88K 88K 78643K 2569 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 9K 78643K 33 0 VM map 2 1K 1K 78643K 2 0 sem 11 1K 1K 78643K 15 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 14 49K 97K 78643K 2554 0 sigio 0 0K 0K 78643K 79 0 proc 73 115K 140K 78643K 788 0 subproc 104 6K 6K 78643K 133 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 77 0 in_multi 99 7K 7K 78643K 148 0 ether_multi 1 0K 0K 78643K 10 0 mrt 1 0K 0K 78643K 1 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 169 758K 758K 78643K 169 0 exec 0 0K 1K 78643K 617 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 
78643K 1 0 VM swap 8 62K 64K 78643K 10 0 UVM amap 356 92K 99K 78643K 27637 0 UVM aobj 131 7K 7K 78643K 131 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 76 0 NDP 12 0K 0K 78643K 52 0 temp 75 5920K 5988K 78643K 12327 0 kqueue 12 18K 26K 78643K 281 0 SYN cache 2 16K 16K 78643K 2 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 22 0 0 1 0 1 1 0 8 0 rtpcb 120 2303 0 2300 16 14 2 5 0 8 1 rtentry 112 141 0 29 4 0 4 4 0 8 0 unpcb 144 2972 0 2957 28 24 4 8 0 8 3 syncache 296 10 0 10 4 4 0 1 0 8 0 tcpqe 32 203 0 203 4 4 0 1 0 8 0 tcpcb 808 382 0 375 18 16 2 8 0 8 0 arp 120 23 0 4 1 0 1 1 0 8 0 inpcb 368 1148 0 1138 30 27 3 8 0 8 0 nd6 136 31 0 6 1 0 1 1 0 8 0 pkpcb 40 7 0 7 1 1 0 1 0 8 0 kcovpl 48 10 0 2 1 0 1 1 0 8 0 ppxss 1256 9 0 9 3 3 0 1 0 8 0 pffrag 232 10 0 7 1 0 1 1 0 482 0 pffrnode 88 10 0 7 1 0 1 1 0 8 0 pffrent 40 34 0 31 1 0 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfstitem 24 84 0 56 1 0 1 1 0 8 0 pfstkey 128 84 0 56 2 0 2 2 0 8 0 pfstate 376 84 0 56 5 1 4 4 0 8 0 pfrule 1344 21 0 16 2 1 1 2 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 545 0 88 29 0 29 29 0 8 0 art_table 32 546 0 88 4 0 4 4 0 8 0 art_node 16 134 0 32 1 0 1 1 0 8 0 sysvmsgpl 40 2 0 1 1 0 1 1 0 8 0 semapl 112 13 0 4 1 0 1 1 0 8 0 shmpl 112 128 0 0 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 4764 0 3313 92 0 92 92 0 8 0 ffsino 272 4764 0 3313 98 0 98 98 0 8 0 nchpl 144 8476 0 6826 63 0 63 63 0 8 0 uvmvnodes 80 5775 0 0 118 0 118 118 0 8 0 vnodes 216 5775 0 0 321 0 321 321 0 8 0 namei 1024 27913 0 27911 5 4 1 3 0 8 0 percpumem 16 63 0 20 1 0 1 1 0 8 0 kstatmem 264 64 0 40 2 0 2 2 0 8 0 scxspl 216 24612 0 24609 18 17 1 8 1 8 0 plimitpl 152 145 0 129 1 0 1 1 0 8 0 sigapl 424 2869 0 2823 8 2 6 7 0 8 0 futexpl 64 20140 0 20139 1 0 1 1 0 8 0 knotepl 120 394 0 0 11 0 11 11 0 8 0 kqueuepl 216 452 0 444 5 4 1 5 0 8 0 pipepl 320 562 0 
534 18 12 6 8 0 8 3 fdescpl 496 2851 0 2824 5 1 4 5 0 8 0 filepl 152 19183 0 18943 42 29 13 20 0 8 3 lockfpl 104 865 0 863 2 1 1 2 0 8 0 lockfspl 48 298 0 296 1 0 1 1 0 8 0 sessionpl 144 26 0 9 1 0 1 1 0 8 0 pgrppl 48 103 0 86 1 0 1 1 0 8 0 ucredpl 104 2281 0 2268 1 0 1 1 0 8 0 zombiepl 144 3291 0 3289 2 1 1 1 0 8 0 processpl 1072 2869 0 2823 4 0 4 4 0 8 0 procpl 696 7302 0 7237 14 6 8 8 0 8 1 sosppl 168 27 0 26 1 0 1 1 0 8 0 sockpl 488 6433 0 6405 179 166 13 38 0 8 6 mcl64k 65536 16 0 0 2 0 2 2 0 8 0 mcl16k 16384 9 0 0 2 0 2 2 0 8 0 mcl12k 12288 16 0 0 2 0 2 2 0 8 0 mcl9k 9216 12 0 0 1 0 1 1 0 8 0 mcl8k 8192 15 0 0 2 0 2 2 0 8 0 mcl4k 4096 26 0 0 4 0 4 4 0 8 0 mcl2k2 2112 5 0 0 1 0 1 1 0 8 0 mcl2k 2048 253 0 0 32 0 32 32 0 8 1 mtagpl 96 150 0 0 4 0 4 4 0 8 0 mbufpl 256 1039 0 0 60 0 60 60 0 8 0 bufpl 288 8067 0 1743 452 0 452 452 0 8 0 anonpl 24 397787 0 384645 117 29 88 104 0 186 0 amapchunkpl 152 91471 0 90553 52 10 42 43 0 158 3 amappl16 200 8870 0 8532 38 19 19 30 0 8 1 amappl15 192 11 0 11 1 1 0 1 0 8 0 amappl14 184 178 0 163 2 1 1 2 0 8 0 amappl13 176 39 0 38 1 0 1 1 0 8 0 amappl12 168 3561 0 3529 4 2 2 3 0 8 0 amappl11 160 114 0 100 1 0 1 1 0 8 0 amappl10 152 31 0 19 1 0 1 1 0 8 0 amappl9 144 200 0 199 1 0 1 1 0 8 0 amappl8 136 275 0 198 3 0 3 3 0 8 0 amappl7 128 92 0 80 2 1 1 2 0 8 0 amappl6 120 325 0 299 3 2 1 3 0 8 0 amappl5 112 1196 0 1177 1 0 1 1 0 8 0 amappl4 104 669 0 623 4 2 2 3 0 8 0 amappl3 96 16678 0 16606 4 1 3 3 0 8 0 amappl2 88 3191 0 3122 3 1 2 3 0 8 0 amappl1 80 18743 0 18190 24 10 14 23 0 8 0 amappl 88 27026 0 26797 7 0 7 7 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 130 0 0 3 0 3 3 0 8 0 uaddrrnd 24 2851 0 2823 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 2851 0 2823 1 0 1 1 0 8 0 vmmpekpl 168 26159 0 26100 3 0 3 3 0 8 0 vmmpepl 168 
186245 0 184014 145 39 106 115 0 357 1
vmsppl 464 2850 0 2823 5 1 4 5 0 8 0
rwobjpl 56 57745 0 50396 107 3 104 104 0 8 0
pdppl 4096 5710 0 5646 196 126 70 86 0 8 6
pvpl 32 977305 0 958305 343 183 160 340 0 265 0
pmappl 248 2850 0 2823 3 1 2 3 0 8 0
extentpl 40 56 0 38 1 0 1 1 0 8 0
phpool 112 1032 0 178 25 0 25 25 0 8 0
ddb{1}> machine ddbcpu 0
Stopped at x86_ipi_db+0x1e: addq $0x8,%rsp
x86_ipi_db(ffffffff82b97ff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0xf sys/dev/kcov.c:154
__mp_acquire_count(ffffffff82c77498,1) at __mp_acquire_count+0x48 sys/kern/kern_lock.c:227
mi_switch() at mi_switch+0x4c6 sys/kern/sched_bsd.c:470
sleep_finish(0,1) at sleep_finish+0x19b sys/kern/kern_synch.c:414
exit1(ffff800022d185a0,0,0,1) at exit1+0x231 sys/kern/kern_exit.c:165
sys_exit(ffff800022d185a0,ffff80002afadc80,ffff80002afadcd0) at sys_exit+0x1a sys/kern/kern_exit.c:89
syscall(ffff80002afadd50) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff80002afadd50) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x71d91f019640, count: 4
ddb{0}> trace
x86_ipi_db(ffffffff82b97ff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0xf sys/dev/kcov.c:154
__mp_acquire_count(ffffffff82c77498,1) at __mp_acquire_count+0x48 sys/kern/kern_lock.c:227
mi_switch() at mi_switch+0x4c6 sys/kern/sched_bsd.c:470
sleep_finish(0,1) at sleep_finish+0x19b sys/kern/kern_synch.c:414
exit1(ffff800022d185a0,0,0,1) at exit1+0x231 sys/kern/kern_exit.c:165
sys_exit(ffff800022d185a0,ffff80002afadc80,ffff80002afadcd0) at sys_exit+0x1a sys/kern/kern_exit.c:89
syscall(ffff80002afadd50) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff80002afadd50) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x71d91f019640, count: -11
ddb{0}> machine ddbcpu 1
Stopped at db_enter+0x1c: addq $0x8,%rsp
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff827a0e01) at panic+0x17b sys/kern/subr_prf.c:198
__assert(ffffffff8281f100,ffffffff82823261,bc,ffffffff827b914b) at __assert+0x29 sys/kern/subr_prf.c:157
unveil_destroy(ffff80002128fab8) at unveil_destroy+0x1a4 sys/kern/kern_unveil.c:188
exit1(ffff8000212a0b08,0,0,1) at exit1+0x3d5 sys/kern/kern_exit.c:220
sys_exit(ffff8000212a0b08,ffff80002e44daf0,ffff80002e44db40) at sys_exit+0x1a sys/kern/kern_exit.c:89
syscall(ffff80002e44dbc0) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff80002e44dbc0) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7dd773dd9f80, count: 7
ddb{1}> trace
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff827a0e01) at panic+0x17b sys/kern/subr_prf.c:198
__assert(ffffffff8281f100,ffffffff82823261,bc,ffffffff827b914b) at __assert+0x29 sys/kern/subr_prf.c:157
unveil_destroy(ffff80002128fab8) at unveil_destroy+0x1a4 sys/kern/kern_unveil.c:188
exit1(ffff8000212a0b08,0,0,1) at exit1+0x3d5 sys/kern/kern_exit.c:220
sys_exit(ffff8000212a0b08,ffff80002e44daf0,ffff80002e44db40) at sys_exit+0x1a sys/kern/kern_exit.c:89
syscall(ffff80002e44dbc0) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff80002e44dbc0) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7dd773dd9f80, count: -8