panic: kernel diagnostic assertion "pg->wire_count == 1" failed: file "/syzkaller/managers/main/kernel/sys/kern/vfs_biomem.c", line 310 Stopped at db_enter+0x1c: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND * 90582 72187 0 0x1a000002 0x4000000 0 syz-fuzzer db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82927243) at panic+0x165 sys/kern/subr_prf.c:198 __assert(ffffffff828e0a5b,ffffffff828ec3c5,136,ffffffff8286c307) at __assert+0x29 sys/kern/subr_prf.c:157 buf_free_pages(fffffd806f724388) at buf_free_pages+0x1d0 sys/kern/vfs_biomem.c:299 buf_dealloc_mem(fffffd806f724388) at buf_dealloc_mem+0xe2 sys/kern/vfs_biomem.c:179 buf_put(fffffd806f724388) at buf_put+0x15e sys/kern/vfs_bio.c:127 brelse(fffffd806f724388) at brelse+0x26b sys/kern/vfs_bio.c:944 vinvalbuf(fffffd8068a33c08,2,fffffd807f7d75b0,ffff80002a6b12b0,0,ffffffffffffffff) at vinvalbuf+0x3b8 sys/kern/vfs_subr.c:2025 ffs_truncate(fffffd8062e675a8,0,4,fffffd807f7d75b0) at ffs_truncate+0xb99 ufs_rmdir(ffff80002a6c71d8) at ufs_rmdir+0x295 sys/ufs/ufs/ufs_vnops.c:1280 VOP_RMDIR(fffffd806b1a2e78,fffffd8068a33c08,ffff80002a6c72b8) at VOP_RMDIR+0x12a sys/kern/vfs_vops.c:407 dounlinkat(ffff80002a6b12b0,11,c002122449,8) at dounlinkat+0x20e sys/kern/vfs_syscalls.c:1880 syscall(ffff80002a6c7420) at syscall+0x538 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x25e49b3b0, count: 1 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "pg->wire_count == 1" failed: file "/syzkaller/managers/main/kernel/sys/kern/vfs_biomem.c", line 310 ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82927243) at panic+0x165 sys/kern/subr_prf.c:198 __assert(ffffffff828e0a5b,ffffffff828ec3c5,136,ffffffff8286c307) at __assert+0x29 sys/kern/subr_prf.c:157 buf_free_pages(fffffd806f724388) at buf_free_pages+0x1d0 sys/kern/vfs_biomem.c:299 buf_dealloc_mem(fffffd806f724388) at buf_dealloc_mem+0xe2 sys/kern/vfs_biomem.c:179 buf_put(fffffd806f724388) at buf_put+0x15e sys/kern/vfs_bio.c:127 brelse(fffffd806f724388) at brelse+0x26b sys/kern/vfs_bio.c:944 vinvalbuf(fffffd8068a33c08,2,fffffd807f7d75b0,ffff80002a6b12b0,0,ffffffffffffffff) at vinvalbuf+0x3b8 sys/kern/vfs_subr.c:2025 ffs_truncate(fffffd8062e675a8,0,4,fffffd807f7d75b0) at ffs_truncate+0xb99 ufs_rmdir(ffff80002a6c71d8) at ufs_rmdir+0x295 sys/ufs/ufs/ufs_vnops.c:1280 VOP_RMDIR(fffffd806b1a2e78,fffffd8068a33c08,ffff80002a6c72b8) at VOP_RMDIR+0x12a sys/kern/vfs_vops.c:407 dounlinkat(ffff80002a6b12b0,11,c002122449,8) at dounlinkat+0x20e sys/kern/vfs_syscalls.c:1880 syscall(ffff80002a6c7420) at syscall+0x538 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x25e49b3b0, count: -14 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80002a6c6cd0 rbx 0 rdx 0 rcx 0 rax 0xffff80002a6b12b0 r8 0x101010101010101 r9 0x8080808080808080 r10 0xb3046406e5d07b28 r11 0xcfb8f8f18605f18f r12 0 r13 0xfffffd8005e49d80 r14 0 r15 0x1 rip 0xffffffff824be62c db_enter+0x1c cs 0x8 rflags 0x246 rsp 0xffff80002a6c6cc0 ss 0x10 db_enter+0x1c: addq $0x8,%rsp ddb> show proc PROC (syz-fuzzer) tid=90582 pid=72187 tcnt=14 stat=onproc flags process=1a000002 proc=4000000 runpri=17, usrpri=50, slppri=17, nice=20 wchan=0x0, wmesg=, ps_single=0x0 forw=0xffffffffffffffff, list=0xffff80002a6b1aa8,0xffff80002a6b0820 process=0xffff8000ffff7250 user=0xffff80002a6c2000, vmspace=0xfffffd80074a2420 estcpu=0, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 93690 183766 1 0 3 0x80 fsleep syz-executor.5 93690 314589 1 0 3 0x4000080 netcon syz-executor.5 72519 288995 0 0 3 0x14200 acct acct 51813 277711 1 0 3 0x18100083 ttyin getty 62070 175886 0 0 3 0x14200 bored sosplice 62761 275164 0 0 3 0x14280 nfsidl nfsio 70630 131457 0 0 3 0x14280 nfsidl nfsio 87236 165818 0 0 3 0x14280 nfsidl nfsio 18433 147454 0 0 3 0x14280 nfsidl nfsio 44881 105356 0 0 3 0x14280 nfsidl nfsio 31336 446267 0 0 3 0x14280 nfsidl nfsio 80971 247233 0 0 3 0x14280 nfsidl nfsio 5972 118908 0 0 3 0x14280 nfsidl nfsio 65377 405597 0 0 3 0x14280 nfsidl nfsio 94608 213404 0 0 3 0x14280 nfsidl nfsio 56998 339207 0 0 3 0x14280 nfsidl nfsio 62196 208455 0 0 3 0x14280 nfsidl nfsio 2212 250004 0 0 3 0x14280 nfsidl nfsio 85228 235 0 0 3 0x14280 nfsidl nfsio 54429 203097 0 0 3 0x14280 nfsidl nfsio 93251 262121 0 0 3 0x14280 nfsidl nfsio 84663 320599 0 0 3 0x14280 nfsidl nfsio 13747 89586 0 0 3 0x14280 nfsidl nfsio 88833 9594 0 0 3 0x14280 nfsidl nfsio 37573 177945 0 0 3 0x14280 nfsidl nfsio 72187 358038 92991 0 3 0x1a000082 thrsleep syz-fuzzer 72187 122241 92991 0 3 0x1e000082 nanoslp syz-fuzzer 72187 267713 92991 0 3 0x1e000082 thrsleep syz-fuzzer 72187 515578 92991 0 3 0x1e000082 thrsleep syz-fuzzer 72187 74064 92991 0 3 0x1e000082 kqread syz-fuzzer 72187 10438 92991 0 3 0x1e000082 thrsleep syz-fuzzer *72187 90582 92991 0 7 0x1e000002 syz-fuzzer 72187 43378 92991 0 3 0x1e000082 thrsleep syz-fuzzer 72187 191978 92991 0 3 0x1e000082 thrsleep syz-fuzzer 72187 442408 92991 0 3 0x1e000082 thrsleep syz-fuzzer 72187 459831 92991 0 3 0x1e000082 thrsleep syz-fuzzer 72187 121759 92991 0 3 0x1e000082 thrsleep syz-fuzzer 72187 204610 92991 0 3 0x1e000082 thrsleep syz-fuzzer 72187 319871 92991 0 3 0x1e000082 thrsleep syz-fuzzer 92991 39159 80924 0 3 0x810008a sigsusp ksh 80924 73265 36237 0 3 0x1800009a kqread sshd 36237 267140 1 0 3 0x18000088 kqread sshd 20990 111385 18952 73 3 0x19100010 biowait syslogd 18952 437112 1 0 3 0x18100082 netio syslogd 94187 442515 1 0 3 0x18100080 kqread resolvd 42059 404197 86550 77 3 0x18100092 kqread dhcpleased 92781 72093 86550 77 3 0x18100092 kqread dhcpleased 86550 458086 1 0 3 0x18000080 kqread dhcpleased 50376 22549 0 0 3 0x14200 bored smr 26148 112748 0 0 3 0x14200 pgzero zerothread 29937 153913 0 0 3 0x14200 aiodoned aiodoned 63106 303509 0 0 3 0x14200 syncer update 6778 24738 0 0 3 0x14200 cleaner cleaner 58480 231193 0 0 3 0x14200 reaper reaper 26280 41431 0 0 3 0x14200 pgdaemon pagedaemon 85535 85372 0 0 3 0x14200 bored viomb 19506 457079 0 0 3 0x40014200 acpi0 acpi0 57713 137147 0 0 3 0x14200 bored softnet3 47788 365274 0 0 3 0x14200 bored softnet2 9309 470925 0 0 3 0x14200 bored softnet1 2041 375136 0 0 3 0x14200 bored softnet0 1712 275260 0 0 3 0x14200 bored systqmp 18666 315059 0 0 3 0x14200 bored systq 76002 376390 0 0 3 0x40014200 tmoslp softclock 2620 437239 0 0 3 0x40014200 idle0 1 169776 0 0 3 0x8000082 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10151 6397K 6857K 166960K 16455 0 pcb 15 15K 17K 166960K 336 0 rtable 86 7K 11K 166960K 1170 0 pf 17 7K 10K 166960K 145 0 ifaddr 16 6K 12K 166960K 152 0 ifgroup 26 1K 2K 166960K 226 0 sysctl 3 0K 0K 166960K 3 0 counters 24 16K 17K 166960K 82 0 ioctlops 0 0K 2K 166960K 357 0 iov 0 0K 18K 166960K 295 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1424 90K 90K 166960K 3038 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 9K 166960K 46 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 1K 166960K 447 0 dirhash 12 2K 2K 166960K 36 0 ACPI 1697 195K 286K 166960K 12548 0 file desc 3 5K 77K 166960K 3631 0 sigio 0 0K 0K 166960K 203 0 proc 57 59K 83K 166960K 1053 0 subproc 13 0K 6K 166960K 325 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 252 0 in_multi 22 1K 7K 166960K 310 0 ether_multi 1 0K 0K 166960K 1 0 mrt 1 0K 0K 166960K 1 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 61 281K 281K 166960K 61 0 exec 0 0K 1K 166960K 1100 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 297 228K 294K 166960K 35204 0 UVM aobj 130 4K 4K 166960K 142 0 pinsyscall 22 44K 100K 166960K 1775 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 703 0 NDP 5 0K 2K 166960K 113 0 temp 46 6802K 6884K 166960K 21942 0 kqueue 12 18K 24K 166960K 224 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 242 0 239 2 0 2 2 0 8 1 rtentry 112 322 0 289 4 0 4 4 0 8 2 unpcb 144 2171 0 2158 7 0 7 7 0 8 6 syncache 336 38 0 38 1 0 1 1 0 8 1 tcpqe 32 169 0 169 1 0 1 1 0 8 1 tcpcb 808 1950 0 1943 12 3 9 11 0 8 8 arp 88 58 0 54 1 0 1 1 0 8 0 ipq 40 3 0 3 1 0 1 1 0 8 1 ipqe 40 81 0 81 1 0 1 1 0 8 1 inpcb 360 4403 0 4393 19 10 9 15 0 8 8 nd6 104 78 0 75 1 0 1 1 0 8 0 pkpcb 40 3 0 3 1 0 1 1 0 8 1 kcovpl 48 25 0 24 1 0 1 1 0 8 0 ppxss 1072 22 0 22 1 0 1 1 0 8 1 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 1248 0 1100 32 11 21 29 0 8 10 art_table 32 1249 0 1100 4 0 4 4 0 8 2 art_node 16 318 0 288 1 0 1 1 0 8 0 sysvmsgpl 40 75 0 75 1 0 1 1 0 8 1 semapl 112 445 0 435 1 0 1 1 0 8 0 shmpl 112 139 0 12 4 0 4 4 0 8 0 dirhash 1024 33 0 16 3 0 3 3 0 8 0 dino2pl 256 6391 0 4890 96 0 96 96 0 8 0 ffsino 240 6391 0 4890 90 0 90 90 0 8 0 nchpl 144 11375 0 9672 66 0 66 66 0 8 0 uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0 vnodes 216 5926 0 0 330 0 330 330 0 8 0 namei 1024 39307 0 39307 2 0 2 2 0 8 2 vcpupl 2048 91 0 0 12 0 12 12 0 8 0 vmpool 664 91 0 0 8 0 8 8 0 8 0 kstatmem 264 126 0 116 2 0 2 2 0 8 0 scxspl 216 55879 0 55878 8 0 8 8 1 8 7 plimitpl 152 398 0 390 1 0 1 1 0 8 0 sigapl 424 3916 0 3864 8 0 8 8 0 8 0 futexpl 64 40505 0 40504 1 0 1 1 0 8 0 knotepl 120 36343 0 36299 10 0 10 10 0 8 7 kqueuepl 184 760 0 752 4 0 4 4 0 8 3 pipepl 288 778 0 769 8 0 8 8 0 8 5 fdescpl 432 3878 0 3864 4 0 4 4 0 8 1 filepl 120 24387 0 24287 15 0 15 15 0 8 7 lockfpl 104 1000 0 998 4 0 4 4 0 8 3 lockfspl 48 224 0 222 1 0 1 1 0 8 0 sessionpl 144 42 0 33 1 0 1 1 0 8 0 pgrppl 48 62 0 53 1 0 1 1 0 8 0 ucredpl 104 2525 0 2515 1 0 1 1 0 8 0 zombiepl 144 3864 0 3864 1 0 1 1 0 8 1 processpl 1072 3916 0 3864 5 0 5 5 0 8 0 procpl 680 9137 0 9071 9 0 9 9 0 8 1 sosppl 168 50 0 50 1 0 1 1 0 8 1 sockpl 488 6828 0 6802 80 69 11 30 0 8 7 mcl64k 65536 141 0 141 1 0 1 1 0 8 1 mcl16k 16384 52 0 52 1 0 1 1 0 8 1 mcl12k 12288 120 0 120 1 0 1 1 0 8 1 mcl9k 9216 58 0 58 1 0 1 1 0 8 1 mcl8k 8192 339 0 339 1 0 1 1 0 8 1 mcl4k 4096 504 0 504 2 0 2 2 0 8 2 mcl2k2 2112 7 0 7 1 0 1 1 0 8 1 mcl2k 2048 77385 0 77343 28 14 14 28 0 8 7 mtagpl 96 366 0 366 4 0 4 4 0 8 4 mbufpl 256 151808 0 151743 27 8 19 22 0 8 8 bufpl 280 31406 0 25057 454 0 454 454 0 8 0 anonpl 24 587776 0 576963 160 0 160 160 0 188 67 amapchunkpl 152 132634 0 132006 79 0 79 79 0 158 40 amappl16 200 15615 0 15207 41 9 32 36 0 8 8 amappl15 192 43 0 42 1 0 1 1 0 8 0 amappl14 184 207 0 195 2 0 2 2 0 8 1 amappl13 176 29 0 27 1 0 1 1 0 8 0 amappl12 168 4764 0 4749 2 0 2 2 0 8 0 amappl11 160 55 0 45 1 0 1 1 0 8 0 amappl10 152 57 0 55 1 0 1 1 0 8 0 amappl9 144 173 0 171 1 0 1 1 0 8 0 amappl8 136 271 0 205 3 0 3 3 0 8 0 amappl7 128 60 0 48 1 0 1 1 0 8 0 amappl6 120 550 0 535 2 0 2 2 0 8 1 amappl5 112 297 0 285 1 0 1 1 0 8 0 amappl4 104 668 0 632 2 0 2 2 0 8 0 amappl3 96 22365 0 22327 3 0 3 3 0 8 0 amappl2 88 4604 0 4546 4 0 4 4 0 8 2 amappl1 80 23232 0 22788 22 2 20 22 0 8 8 amappl 88 34410 0 34252 7 0 7 7 0 92 0 dma4096 4096 1 0 1 1 0 1 1 0 8 1 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 0 1 1 0 8 1 dma128 128 253 0 253 1 0 1 1 0 8 1 dma64 64 6 0 6 1 0 1 1 0 8 1 dma32 32 7 0 7 1 0 1 1 0 8 1 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 141 0 12 3 0 3 3 0 8 0 uaddrrnd 24 3969 0 3864 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 3969 0 3864 1 0 1 1 0 8 0 vmmpekpl 168 31087 0 31034 4 0 4 4 0 8 0 vmmpepl 168 259145 0 257403 129 0 129 129 0 357 24 vmsppl 352 3968 0 3864 11 0 11 11 0 8 0 rwobjpl 24 75323 0 68010 47 0 47 47 0 8 0 pdppl 4096 7944 0 7819 292 141 151 158 0 8 26 pvpl 32 1450694 0 1435320 359 25 334 359 0 265 162 pmappl 216 3968 0 3864 7 0 7 7 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 621 0 177 13 0 13 13 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82927243) at panic+0x165 sys/kern/subr_prf.c:198 __assert(ffffffff828e0a5b,ffffffff828ec3c5,136,ffffffff8286c307) at __assert+0x29 sys/kern/subr_prf.c:157 buf_free_pages(fffffd806f724388) at buf_free_pages+0x1d0 sys/kern/vfs_biomem.c:299 buf_dealloc_mem(fffffd806f724388) at buf_dealloc_mem+0xe2 sys/kern/vfs_biomem.c:179 buf_put(fffffd806f724388) at buf_put+0x15e sys/kern/vfs_bio.c:127 brelse(fffffd806f724388) at brelse+0x26b sys/kern/vfs_bio.c:944 vinvalbuf(fffffd8068a33c08,2,fffffd807f7d75b0,ffff80002a6b12b0,0,ffffffffffffffff) at vinvalbuf+0x3b8 sys/kern/vfs_subr.c:2025 ffs_truncate(fffffd8062e675a8,0,4,fffffd807f7d75b0) at ffs_truncate+0xb99 ufs_rmdir(ffff80002a6c71d8) at ufs_rmdir+0x295 sys/ufs/ufs/ufs_vnops.c:1280 VOP_RMDIR(fffffd806b1a2e78,fffffd8068a33c08,ffff80002a6c72b8) at VOP_RMDIR+0x12a sys/kern/vfs_vops.c:407 dounlinkat(ffff80002a6b12b0,11,c002122449,8) at dounlinkat+0x20e sys/kern/vfs_syscalls.c:1880 syscall(ffff80002a6c7420) at syscall+0x538 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x25e49b3b0, count: -14 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82927243) at panic+0x165 sys/kern/subr_prf.c:198 __assert(ffffffff828e0a5b,ffffffff828ec3c5,136,ffffffff8286c307) at __assert+0x29 sys/kern/subr_prf.c:157 buf_free_pages(fffffd806f724388) at buf_free_pages+0x1d0 sys/kern/vfs_biomem.c:299 buf_dealloc_mem(fffffd806f724388) at buf_dealloc_mem+0xe2 sys/kern/vfs_biomem.c:179 buf_put(fffffd806f724388) at buf_put+0x15e sys/kern/vfs_bio.c:127 brelse(fffffd806f724388) at brelse+0x26b sys/kern/vfs_bio.c:944 vinvalbuf(fffffd8068a33c08,2,fffffd807f7d75b0,ffff80002a6b12b0,0,ffffffffffffffff) at vinvalbuf+0x3b8 sys/kern/vfs_subr.c:2025 ffs_truncate(fffffd8062e675a8,0,4,fffffd807f7d75b0) at ffs_truncate+0xb99 ufs_rmdir(ffff80002a6c71d8) at ufs_rmdir+0x295 sys/ufs/ufs/ufs_vnops.c:1280 VOP_RMDIR(fffffd806b1a2e78,fffffd8068a33c08,ffff80002a6c72b8) at VOP_RMDIR+0x12a sys/kern/vfs_vops.c:407 dounlinkat(ffff80002a6b12b0,11,c002122449,8) at dounlinkat+0x20e sys/kern/vfs_syscalls.c:1880 syscall(ffff80002a6c7420) at syscall+0x538 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x25e49b3b0, count: -14