panic: kernel diagnostic assertion "pr->ps_threadcnt == 0" failed: file "/syzkaller/managers/setuid/kernel/sys/kern/kern_exit.c", line 848 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND 297857 96539 32767 0x10 0 1 syz-executor *472518 28470 0 0x14000 0x200 0K reaper db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff830e9d1a) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff8309bc1f,ffffffff830aaf6b,350,ffffffff82ff2316) at __assert+0x29 process_zap(ffff8000ffff0928) at process_zap+0x32d sys/kern/kern_exit.c:849 reaper(ffff800029fd8a28) at reaper+0x2f6 sys/kern/kern_exit.c:497 end trace frame: 0x0, count: 10 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: kernel diagnostic assertion "pr->ps_threadcnt == 0" failed: file "/syzkaller/managers/setuid/kernel/sys/kern/kern_exit.c", line 848 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff830e9d1a) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff8309bc1f,ffffffff830aaf6b,350,ffffffff82ff2316) at __assert+0x29 process_zap(ffff8000ffff0928) at process_zap+0x32d sys/kern/kern_exit.c:849 reaper(ffff800029fd8a28) at reaper+0x2f6 sys/kern/kern_exit.c:497 end trace frame: 0x0, count: -5 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff800029fe52f0 rbx 0xffffffff834dfdcf cpu_info_full_primary+0x2dcf rdx 0 rcx 0xffff800029fd8a28 rax 0xffffffff834deff0 cpu_info_full_primary+0x1ff0 r8 0x101010101010101 r9 0x8080808080808080 r10 0x4882b516f80a70b1 r11 0x52a882c9cfc6b11 r12 0xffffffff834dfbd0 cpu_info_full_primary+0x2bd0 r13 0 r14 0 r15 0x1 rip 0xffffffff828dd045 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff800029fe52e0 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb{0}> show proc PROC (reaper) tid=472518 pid=28470 tcnt=1 stat=onproc flags process=14000 proc=200 runpri=32, usrpri=73, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff800029fd91c0,0xffff800029fd87b0 process=0xffff800029febaf0 user=0xffff800029fe0000, vmspace=0xffffffff835c7b20 estcpu=23, cpticks=2, pctcpu=3.90, user=0, sys=89058, intr=6567 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 82016 454561 14743 0 2 0x2 ifconfig 14743 436061 68178 0 3 0x10008a sigsusp sh 30288 175958 43023 32767 2 0x10 syz-executor 30288 495290 43023 32767 2 0x4000090 syz-executor 25671 406749 57921 0 2 0x2 syz-executor 68178 160764 51959 0 3 0x80 wait syz-executor 38037 119245 63087 32767 2 0x10 syz-executor 38037 171938 63087 32767 3 0x4000090 pipewr syz-executor 38037 17910 63087 32767 3 0x4000090 pipewr syz-executor 38037 16097 63087 32767 2 0x4000010 syz-executor 38037 78820 63087 32767 3 0x4000090 fsleep syz-executor 51959 116520 57921 0 3 0x82 wait syz-executor 65602 467452 46619 32767 2 0x490 syz-executor 65602 399330 46619 32767 3 0x4000090 fsleep syz-executor 65602 363560 46619 32767 3 0x4000090 ttyout syz-executor 65602 426962 46619 32767 3 0x4000090 fsleep syz-executor 96539 297857 72251 32767 7 0x10 syz-executor 72251 439290 57921 0 3 0x82 wait syz-executor 63087 114071 18419 32767 2 0x490 syz-executor 18419 382350 57921 0 3 0x82 wait syz-executor 46619 384535 93378 32767 2 0x490 syz-executor 93378 69428 57921 0 3 0x82 wait syz-executor 46293 16324 64446 32767 2 0x490 syz-executor 64446 83584 57921 0 3 0x82 wait syz-executor 43023 367448 16356 32767 2 0x490 syz-executor 16356 68258 57921 0 3 0x82 wait syz-executor 85969 347996 33145 32767 2 0x490 syz-executor 33145 95910 57921 0 3 0x82 wait syz-executor 64015 67256 16566 0 3 0x100082 sbwait arp 16566 454456 66630 0 3 0x10008a sigsusp sh 66630 16365 1 0 3 0x80 wait syz-executor 75580 478603 0 0 3 0x14200 bored sosplice 57921 148189 16962 0 3 0x82 kqread syz-executor 16962 95637 53784 0 3 0x10008a sigsusp ksh 53784 123278 69856 0 3 0x98 kqread sshd-session 69856 126737 30456 0 3 0x92 kqread sshd-session 2934 162555 1 0 3 0x100083 ttyin getty 30456 44267 1 0 3 0x88 kqread sshd 71280 147488 48924 73 3 0x1100090 kqread syslogd 48924 14081 1 0 3 0x100082 sbwait syslogd 20766 461570 1 0 3 0x100080 kqread resolvd 97006 380208 97182 77 3 0x100092 kqread dhcpleased 80084 407881 97182 77 3 0x100092 kqread dhcpleased 97182 445700 1 0 3 0x80 kqread dhcpleased 46732 87087 0 0 3 0x14200 bored smr 64751 14941 0 0 2 0x14200 zerothread 26563 40877 0 0 3 0x14200 aiodoned aiodoned 24483 461306 0 0 3 0x14200 syncer update 65864 247819 0 0 3 0x14200 cleaner cleaner *28470 472518 0 0 7 0x14200 reaper 30383 24261 0 0 3 0x14200 pgdaemon pagedaemon 74390 234471 0 0 3 0x14200 bored viomb 58765 276952 0 0 3 0x40014200 acpi0 acpi0 37861 452742 0 0 3 0x40014200 idle1 44494 364797 0 0 3 0x14200 bored softnet3 13427 492183 0 0 3 0x14200 bored softnet2 52601 243462 0 0 3 0x14200 bored softnet1 99583 68002 0 0 3 0x14200 bored softnet0 95657 474757 0 0 3 0x14200 bored systqmp 2900 228155 0 0 3 0x14200 bored systq 43067 445410 0 0 3 0x14200 tmoslp softclockmp 16724 235673 0 0 2 0x40014200 softclock 19301 78743 0 0 3 0x40014200 idle0 1 61091 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 28470 (reaper) thread 0xffff800029fd8a28 (472518) exclusive kernel_lock &kernel_lock r = 0 (0xffffffff83599f78) #0 witness_lock+0x5bb stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5bb sys/kern/subr_witness.c:1155 #1 __mp_acquire_count+0x58 #2 mi_switch+0x658 sys/kern/sched_bsd.c:460 #3 sleep_finish+0x219 sys/kern/kern_synch.c:416 #4 rw_enter+0x348 sys/kern/kern_rwlock.c:285 #5 knote_processexit+0x2b sys/kern/kern_event.c:2063 #6 reaper+0x2ad sys/kern/kern_exit.c:489 #7 proc_trampoline+0x10 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10220 14122K 14131K 166960K 13019 0 pcb 17 24K 26K 166960K 27 0 rtable 194 5K 7K 166960K 20174 0 pf 29 16K 16K 166960K 1199 0 ifaddr 35 14K 17K 166960K 2330 0 ifgroup 46 2K 2K 166960K 2362 0 sysctl 4 1K 5K 166960K 15 0 counters 62 36K 36K 166960K 1208 0 ioctlops 0 0K 2K 166960K 1127 0 iov 0 0K 32K 166960K 2103 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1482 93K 93K 166960K 13848 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 13K 166960K 482 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 1025 0 dirhash 21 4K 4K 166960K 621 0 ACPI 1690 195K 286K 166960K 12418 0 file desc 27 101K 169K 166960K 30138 0 sigio 0 0K 0K 166960K 1103 0 proc 58 79K 176K 166960K 18726 0 subproc 112 7K 13K 166960K 8809 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 5624 0 in_multi 77 5K 7K 166960K 7415 0 ether_multi 1 0K 0K 166960K 184 0 mrt 1 0K 0K 166960K 4 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 277 1235K 1235K 166960K 277 0 exec 0 0K 1K 166960K 12635 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 268 75K 140K 166960K 250907 0 UVM aobj 131 4K 8K 166960K 149 0 pinsyscall 49 98K 138K 166960K 47319 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 1K 166960K 1929 0 NDP 10 0K 2K 166960K 1731 0 temp 79 6824K 6952K 166960K 201464 0 kqueue 15 22K 35K 166960K 4333 0 SYN cache 2 16K 16K 166960K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 24 0 0 1 0 1 1 0 8 0 rtpcb 120 4853 0 4849 36 35 1 3 0 8 0 rtentry 112 6625 0 6535 16 12 4 4 0 8 0 unpcb 144 27142 0 27118 149 146 3 11 0 8 2 syncache 336 550 0 550 56 55 1 1 0 8 1 tcpqe 32 228 0 228 49 48 1 1 0 8 1 tcpcb 808 17261 0 17211 223 211 12 24 0 8 3 arp 120 1167 0 1153 1 0 1 1 0 8 0 ipq 40 156 0 153 5 4 1 1 0 8 0 ipqe 40 1737 0 1734 5 4 1 1 0 8 0 inpcb 336 39822 0 39767 270 259 11 26 0 8 0 ip6q 72 8 0 8 6 5 1 1 0 8 1 ip6af 40 16 0 16 6 5 1 1 0 8 1 nd6 136 1985 0 1965 8 6 2 2 0 8 0 kcovpl 48 677 0 669 1 0 1 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 26994 0 26617 248 216 32 33 0 8 3 art_table 32 26995 0 26617 10 5 5 5 0 8 0 art_node 16 6624 0 6542 1 0 1 1 0 8 0 sysvmsgpl 40 49 0 41 1 0 1 1 0 8 0 semapl 112 1023 0 1013 1 0 1 1 0 8 0 shmpl 112 146 0 18 4 0 4 4 0 8 0 dirhash 1024 438 0 407 13 8 5 5 0 8 1 dino2pl 256 35678 0 32452 205 3 202 202 0 8 0 ffsino 272 35678 0 32452 217 1 216 216 0 8 0 nchpl 144 65666 0 62727 111 1 110 110 0 8 1 uvmvnodes 80 10256 0 0 210 0 210 210 0 8 0 vnodes 216 10256 0 0 570 0 570 570 0 8 0 namei 1024 299003 0 299003 70 69 1 2 0 8 1 percpumem 16 618 0 573 1 0 1 1 0 8 0 kstatmem 264 1166 0 1146 2 0 2 2 0 8 0 scxspl 216 353890 0 353890 90 87 3 8 1 8 3 plimitpl 152 9791 0 9767 2 0 2 2 0 8 0 sigapl 424 29358 0 29300 27 19 8 9 0 8 0 futexpl 64 320772 0 320769 40 39 1 1 0 8 0 knotepl 120 1963 0 0 26 1 25 25 0 8 0 kqueuepl 216 8816 0 8803 76 74 2 6 0 8 1 pipepl 320 6068 0 6037 52 47 5 9 0 8 0 fdescpl 496 29339 0 29300 34 27 7 8 0 8 0 filepl 152 198652 0 198379 166 150 16 25 0 8 3 lockfpl 104 7843 0 7841 3 2 1 2 0 8 0 lockfspl 48 2189 0 2187 1 0 1 1 0 8 0 sessionpl 144 869 0 853 1 0 1 1 0 8 0 pgrppl 48 2259 0 2235 1 0 1 1 0 8 0 ucredpl 104 37173 0 37156 1 0 1 1 0 8 0 zombiepl 144 29302 0 29300 1 0 1 1 0 8 0 processpl 1160 29358 0 29300 7 1 6 6 0 8 0 procpl 648 65327 0 65261 11 4 7 8 0 8 0 srpgc 96 40 0 40 17 17 0 1 0 8 0 sosppl 168 333 0 330 28 27 1 1 0 8 0 sockpl 664 72526 0 72437 437 422 15 33 0 8 3 mcl64k 65536 52 0 0 5 2 3 3 0 8 0 mcl16k 16384 8 0 0 1 0 1 1 0 8 0 mcl12k 12288 4 0 0 1 0 1 1 0 8 0 mcl9k 9216 4 0 0 1 0 1 1 0 8 0 mcl8k 8192 25 0 0 4 1 3 3 0 8 0 mcl4k 4096 3 0 0 1 0 1 1 0 8 0 mcl2k2 2112 7 0 0 1 0 1 1 0 8 0 mcl2k 2048 860 0 0 29 9 20 28 0 8 0 mtagpl 96 15 0 0 1 0 1 1 0 8 0 mbufpl 256 7549 0 0 422 0 422 422 0 8 0 bufpl 280 49557 0 39300 733 0 733 733 0 8 0 anonpl 24 3626895 0 3617320 510 421 89 119 0 185 0 amapchunkpl 152 807230 0 806490 276 227 49 51 0 158 13 amappl16 200 75944 0 75727 549 525 24 39 0 8 4 amappl15 192 11 0 11 3 3 0 1 0 8 0 amappl14 184 1816 0 1805 1 0 1 1 0 8 0 amappl13 176 27 0 27 16 16 0 1 0 8 0 amappl12 168 39359 0 39319 6 3 3 3 0 8 0 amappl11 160 59 0 49 1 0 1 1 0 8 0 amappl10 152 11 0 11 1 1 0 1 0 8 0 amappl9 144 142 0 141 2 1 1 1 0 8 0 amappl8 136 18 0 16 1 0 1 1 0 8 0 amappl7 128 1539 0 1527 1 0 1 1 0 8 0 amappl6 120 5841 0 5837 1 0 1 1 0 8 0 amappl5 112 2685 0 2672 1 0 1 1 0 8 0 amappl4 104 3155 0 3139 1 0 1 1 0 8 0 amappl3 96 165528 0 165401 10 5 5 5 0 8 0 amappl2 88 11887 0 11819 13 11 2 3 0 8 0 amappl1 80 201608 0 201033 34 18 16 19 0 8 1 amappl 88 242920 0 242708 8 2 6 6 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 148 0 18 3 0 3 3 0 8 0 uaddrrnd 24 29339 0 29300 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 29339 0 29300 1 0 1 1 0 8 0 vmmpekpl 168 270561 0 270514 5 1 4 5 0 8 0 vmmpepl 168 1869653 0 1867407 468 352 116 136 0 357 3 vmsppl 440 29338 0 29300 30 23 7 7 0 8 1 rwobjpl 56 499803 0 488274 201 33 168 170 0 8 0 pdppl 4096 58685 0 58600 1882 1793 89 121 0 8 4 pvpl 32 49070 0 0 388 3 385 385 0 265 0 pmappl 248 29338 0 29300 8 4 4 4 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 3650 0 2629 32 2 30 30 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff830e9d1a) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff8309bc1f,ffffffff830aaf6b,350,ffffffff82ff2316) at __assert+0x29 process_zap(ffff8000ffff0928) at process_zap+0x32d sys/kern/kern_exit.c:849 reaper(ffff800029fd8a28) at reaper+0x2f6 sys/kern/kern_exit.c:497 end trace frame: 0x0, count: -5 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffff800029b7bff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff83599d70) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:113 [inline] __mp_lock(ffffffff83599d70) at __mp_lock+0x192 sys/kern/kern_lock.c:144 syscall(ffff8000371b8150) at syscall+0xad6 mi_syscall sys/sys/syscall_mi.h:179 [inline] syscall(ffff8000371b8150) at syscall+0xad6 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7e48691a9a10, count: 9 ddb{1}> trace x86_ipi_db(ffff800029b7bff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff83599d70) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:113 [inline] __mp_lock(ffffffff83599d70) at __mp_lock+0x192 sys/kern/kern_lock.c:144 syscall(ffff8000371b8150) at syscall+0xad6 mi_syscall sys/sys/syscall_mi.h:179 [inline] syscall(ffff8000371b8150) at syscall+0xad6 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7e48691a9a10, count: -6