assert "(pg->pg_flags & (PQ_INACTIVE|PQ_ACTIVE)) == NUM" failed in syzkallerWARNING: SPL NOT LOWERED ON SYSCALL NUM NUM


syzbot

Dec 13, 2025, 6:43:26 PM (10 hours ago) Dec 13
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 6c2671e4e6d0 speed: make hmac(sha256) the default hmac
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=159371b4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7058272de1526588
dashboard link: https://syzkaller.appspot.com/bug?extid=6fb44082201cc0d1b158

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/26e900f0cd3e/disk-6c2671e4.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/75abd6cb3359/bsd-6c2671e4.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0586cfb59d74/kernel-6c2671e4.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6fb440...@syzkaller.appspotmail.com

panic: kernel diagnostic assertion "(pg->pg_flags & (PQ_INACTIVE|PQ_ACTIVE)) == 0" failed: file "/syzkallerWARNING: SPL NOT LOWERED ON SYSCALL 110 50 EXIT 0 9
[Reader note: the file path in the line above is truncated because a separate DIAGNOSTIC console message ("WARNING: SPL NOT LOWERED ON SYSCALL ...", apparently from a concurrent syscall-exit path) was interleaved into the panic output. The complete assertion location is given by `show panic` below: sys/uvm/uvm_page.c, line 1267 (the __assert() frame carries 0x4f3 = 1267 as its line argument; the trace frames report line 1264). The panicking CPU is cpu0; the `trace` on cpu1 shows only savectx() and is not informative, so the relevant call chain is the one under `machine ddbcpu 0`: sys_exit -> exit1 -> uvm_map_teardown -> uvm_unmap_detach -> uvn_detach -> uvn_flush -> uvm_pagedeactivate. The SPL warning is a second, independent diagnostic (SPL not restored at syscall return) that is worth tracking separately from the UVM page-queue assertion.]
Stopped at savectx+0xae: movl $0,%gs:0x688
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*470465 47367 0 0x2 0 1 syz-executor
savectx() at savectx+0xae
end of kernel
end trace frame: 0x794d5b885f40, count: 14
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu0: kernel diagnostic assertion "(pg->pg_flags & (PQ_INACTIVE|PQ_ACTIVE)) == 0" failed: file "/syzkaller/managers/setuid/kernel/sys/uvm/uvm_page.c", line 1267
ddb{1}> trace
savectx() at savectx+0xae
end of kernel
end trace frame: 0x794d5b885f40, count: -1
ddb{1}> show registers
rdi 0
rsi 0
rbp 0xffff80002a2c8a70
rbx 0
rdx 0
rcx 0xffff8000ffffd4c8
rax 0x34
r8 0xffff80002a2c89a0
r9 0x1
r10 0xc1812c80657ca432
r11 0xc5974db1baa142f2
r12 0
r13 0
r14 0xffff8000ffffd4c8
r15 0
rip 0xffffffff8293f3ee savectx+0xae
cs 0x8
rflags 0x46
rsp 0xffff80002a2c89f0
ss 0x10
savectx+0xae: movl $0,%gs:0x688
ddb{1}> show proc
PROC (syz-executor) tid=470465 pid=47367 tcnt=1 stat=onproc
flags process=2<EXEC> proc=0
runpri=24, usrpri=50, slppri=24, nice=20
wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
forw=0xffffffffffffffff, list=0xffff8000ffffd760,0xffff8000ffffda08
process=0xffff8000ffff61b8 user=0xffff80002a2c3000, vmspace=0xfffffd800b0633d0
estcpu=0, cpticks=10, pctcpu=0.8, user=0, sys=10, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
1793 375806 97398 32767 2 0x10 syz-executor
1793 481524 97398 32767 3 0x4000090 fsleep syz-executor
38558 256810 52337 32767 2 0x10 syz-executor
38558 518408 52337 32767 2 0x4000010 syz-executor
62932 175597 16087 32767 2 0x10 syz-executor
62932 38860 16087 32767 3 0x4000090 ttyin syz-executor
62932 479560 16087 32767 2 0x4000010 syz-executor
62932 282116 16087 32767 3 0x4000090 fsleep syz-executor
74459 412296 47046 0 3 0x82 sbwait sshd-session
48045 457010 94501 32767 3 0x400090 nanoslp syz-executor
48045 305529 94501 32767 3 0x4400090 fsleep syz-executor
48045 391965 94501 32767 3 0x4400090 fsleep syz-executor
48045 264710 94501 32767 3 0x4400090 sbwait syz-executor
97398 381011 5259 32767 2 0xc90 syz-executor
96762 34019 97128 32767 3 0x90 nanoslp syz-executor
52337 167742 97981 32767 2 0xc90 syz-executor
85180 224869 16145 32767 2 0x10 syz-executor
16087 499784 80254 32767 3 0x90 nanoslp syz-executor
10746 8677 7700 32767 2 0x90 syz-executor
94501 459694 82524 32767 2 0xc90 syz-executor
95306 236837 59069 32767 2 0x90 syz-executor
97981 446967 47367 0 3 0x82 wait syz-executor
16145 55515 47367 0 3 0x82 wait syz-executor
97128 126232 47367 0 3 0x82 wait syz-executor
59069 167034 47367 0 3 0x82 wait syz-executor
7700 17357 47367 0 3 0x82 wait syz-executor
82524 245553 47367 0 3 0x82 wait syz-executor
80254 382810 47367 0 3 0x82 wait syz-executor
5259 239239 47367 0 3 0x82 wait syz-executor
*47367 470465 40748 0 7 0x2 syz-executor
40748 1015 48983 0 3 0x10008a sigsusp ksh
48983 158232 55217 0 3 0x98 kqread sshd-session
55217 210660 47046 0 3 0x92 kqread sshd-session
20574 157332 1 0 3 0x100083 ttyin getty
47046 237385 1 0 3 0x88 kqread sshd
58735 202445 63614 73 3 0x1100090 kqread syslogd
63614 330763 1 0 3 0x100082 sbwait syslogd
67057 17189 1 0 3 0x100080 kqread resolvd
9269 500872 30772 77 3 0x100092 kqread dhcpleased
53778 434028 30772 77 3 0x100092 kqread dhcpleased
30772 183860 1 0 3 0x80 kqread dhcpleased
51474 504583 0 0 3 0x14200 bored smr
11425 126889 0 0 2 0x14200 zerothread
44612 346905 0 0 3 0x14200 aiodoned aiodoned
69605 59533 0 0 3 0x14200 syncer update
19852 37077 0 0 3 0x14200 cleaner cleaner
10262 114879 0 0 3 0x14200 reaper reaper
77704 305253 0 0 3 0x14200 pgdaemon pagedaemon
53841 98242 0 0 3 0x14200 bored viomb
58463 6439 0 0 3 0x40014200 acpi0 acpi0
87745 409079 0 0 3 0x40014200 idle1
4103 316502 0 0 3 0x14200 bored softnet1
12424 30932 0 0 2 0x14200 softnet0
26002 19037 0 0 3 0x14200 bored systqmp
39276 94848 0 0 3 0x14200 bored systq
72563 224471 0 0 3 0x14200 tmoslp softclockmp
61270 389123 0 0 3 0x40014200 tmoslp softclock
45109 286866 0 0 3 0x40014200 idle0
1 268065 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
CPU 1:
exclusive mutex sbrcv r = 0 (0xffff8000014272e0)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 mtx_enter+0x4b4 sys/kern/kern_lock.c:487
#2 somove+0x161e sys/kern/uipc_socket.c:1788
#3 sosplice+0x7fe sys/kern/uipc_socket.c:1396
#4 sys_setsockopt+0x2ba sys/kern/uipc_syscalls.c:1227
#5 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#5 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:775
#6 Xsyscall+0x128
Process 38558 (syz-executor) thread 0xffff80003c43ba18 (518408)
exclusive rwlock sbufrcv r = 0 (0xffff8000014272a0)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2 sblock+0xb6 sys/kern/uipc_socket2.c:536
#3 sosplice+0x28f sys/kern/uipc_socket.c:1333
#4 sys_setsockopt+0x2ba sys/kern/uipc_syscalls.c:1227
#5 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#5 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:775
#6 Xsyscall+0x128
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10187 10957K 10973K 166960K 11278 0
pcb 17 12K 12K 166960K 17 0
rtable 237 6K 7K 166960K 353 0
pf 31 16K 16K 166960K 31 0
ifaddr 42 7K 7K 166960K 44 0
ifgroup 50 2K 2K 166960K 50 0
sysctl 1 1K 9K 166960K 6 0
counters 70 37K 37K 166960K 70 0
ioctlops 0 0K 2K 166960K 62 0
iov 1 12K 12K 166960K 4 0
mount 1 1K 1K 166960K 1 0
log 0 0K 0K 166960K 4 0
vnodes 1335 84K 84K 166960K 1359 0
UFS quota 1 32K 32K 166960K 1 0
UFS mount 5 36K 36K 166960K 5 0
shm 2 1K 1K 166960K 2 0
VM map 2 1K 1K 166960K 2 0
sem 3 0K 0K 166960K 3 0
dirhash 12 2K 2K 166960K 12 0
ACPI 1692 195K 286K 166960K 12470 0
file desc 22 81K 125K 166960K 181 0
proc 63 115K 147K 166960K 479 0
subproc 72 4K 4K 166960K 72 0
NFS srvsock 1 0K 0K 166960K 1 0
NFS daemon 1 16K 16K 166960K 1 0
ip_moptions 1 0K 0K 166960K 142 0
in_multi 99 7K 7K 166960K 99 0
ether_multi 1 0K 0K 166960K 1 0
ISOFS mount 1 32K 32K 166960K 1 0
MSDOSFS mount 1 16K 16K 166960K 1 0
ttys 55 254K 254K 166960K 55 0
exec 0 0K 1K 166960K 359 0
fusefs mount 1 32K 32K 166960K 1 0
tdb 3 0K 0K 166960K 3 0
VM swap 8 62K 64K 166960K 10 0
UVM amap 246 180K 195K 166960K 3291 0
UVM aobj 6 3K 3K 166960K 6 0
pinsyscall 45 90K 114K 166960K 1249 0
memdesc 1 4K 4K 166960K 1 0
crypto data 1 1K 1K 166960K 1 0
ip6_options 0 0K 0K 166960K 2 0
NDP 13 0K 2K 166960K 27 0
temp 36 8670K 8734K 166960K 4047 0
kqueue 13 20K 23K 166960K 33 0
SYN cache 2 16K 16K 166960K 2 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 26 0 0 1 0 1 1 0 8 0
rtpcb 120 40 0 37 1 0 1 1 0 8 0
rtentry 176 111 0 1 5 0 5 5 0 8 0
unpcb 144 69 0 52 1 0 1 1 0 8 0
syncache 336 5 0 5 1 0 1 1 0 8 1
tcpcb 736 95 0 86 7 0 7 7 0 8 6
arp 136 18 0 0 1 0 1 1 0 8 0
inpcb 328 266 0 252 7 0 7 7 0 8 4
nd6 152 24 0 0 1 0 1 1 0 8 0
kcovpl 48 8 0 0 1 0 1 1 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 452 0 0 29 0 29 29 0 8 0
art_table 40 453 0 0 5 0 5 5 0 8 0
art_node 32 111 0 11 1 0 1 1 0 8 0
sysvmsgpl 40 4 0 2 1 0 1 1 0 8 0
semapl 112 1 0 0 1 0 1 1 0 8 0
shmpl 112 3 0 0 1 0 1 1 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 1613 0 106 95 0 95 95 0 8 0
ffsino 296 1613 0 106 117 0 117 117 0 8 0
nchpl 144 1861 0 174 63 0 63 63 0 8 0
vnodes 216 1694 0 0 95 0 95 95 0 8 0
namei 1024 5690 0 5690 2 0 2 2 0 8 2
percpumem 16 50 0 0 1 0 1 1 0 8 0
kstatmem 264 24 0 0 2 0 2 2 0 8 0
scxspl 216 6187 0 6187 3 1 2 2 1 8 2
plimitpl 152 40 0 16 2 0 2 2 0 8 1
sigapl 424 469 0 417 7 0 7 7 0 8 0
knotepl 120 300 0 0 10 0 10 10 0 8 0
kqueuepl 224 32 0 22 1 0 1 1 0 8 0
pipepl 344 113 0 86 3 0 3 3 0 8 0
fdescpl 528 453 0 418 4 0 4 4 0 8 0
filepl 160 1840 0 1618 13 0 13 13 0 8 1
lockfpl 104 10 0 8 1 0 1 1 0 8 0
lockfspl 48 6 0 4 1 0 1 1 0 8 0
sessionpl 144 23 0 6 1 0 1 1 0 8 0
pgrppl 48 31 0 6 1 0 1 1 0 8 0
ucredpl 104 147 0 128 1 0 1 1 0 8 0
zombiepl 144 418 0 417 1 0 1 1 0 8 0
processpl 1232 469 0 417 5 0 5 5 0 8 0
procpl 664 533 0 473 6 0 6 6 0 8 0
sosppl 176 1 0 0 1 0 1 1 0 8 0
sockpl 752 376 0 342 11 0 11 11 0 8 6
mcl64k 65536 2 0 0 1 0 1 1 0 8 0
mcl8k 8192 2 0 0 1 0 1 1 0 8 0
mcl4k 4096 117 0 0 15 0 15 15 0 8 0
mcl2k 2048 30 0 0 4 0 4 4 0 8 0
mtagpl 96 2 0 0 1 0 1 1 0 8 0
mbufpl 256 1846 0 0 116 0 116 116 0 8 0
bufpl 280 2399 0 118 163 0 163 163 0 8 0
anonpl 32 8021 0 0 66 0 66 66 0 246 1
amapchunkpl 152 9929 0 9444 32 0 32 32 0 158 4
amappl16 200 2264 0 2244 14 0 14 14 0 8 11
amappl15 192 5 0 5 1 0 1 1 0 8 1
amappl14 184 8 0 7 1 0 1 1 0 8 0
amappl13 176 399 0 398 1 0 1 1 0 8 0
amappl12 168 794 0 749 3 0 3 3 0 8 0
amappl11 160 11 0 10 1 0 1 1 0 8 0
amappl10 152 47 0 36 1 0 1 1 0 8 0
amappl9 144 250 0 250 1 0 1 1 0 8 1
amappl8 136 23 0 21 1 0 1 1 0 8 0
amappl7 128 74 0 73 1 0 1 1 0 8 0
amappl6 120 264 0 252 1 0 1 1 0 8 0
amappl5 112 105 0 97 1 0 1 1 0 8 0
amappl4 104 387 0 362 1 0 1 1 0 8 0
amappl3 96 1491 0 1381 4 0 4 4 0 8 0
amappl2 88 520 0 459 2 0 2 2 0 8 0
amappl1 80 9416 0 8773 16 0 16 16 0 8 1
amappl 88 2583 0 2415 5 0 5 5 0 92 0
uvmvnodes 80 100 0 0 3 0 3 3 0 8 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 5 0 0 1 0 1 1 0 8 0
uaddrrnd 24 453 0 418 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 453 0 418 1 0 1 1 0 8 0
vmmpekpl 168 5451 0 5417 2 0 2 2 0 8 0
vmmpepl 168 37850 0 35800 115 0 115 115 0 357 8
vmsppl 488 452 0 417 7 1 6 6 0 8 0
rwobjpl 80 14140 0 13114 29 0 29 29 0 8 2
pdppl 4096 913 0 834 111 18 93 97 0 8 14
pvpl 32 16864 0 0 136 0 136 136 0 265 0
pmappl 256 452 0 417 4 1 3 3 0 8 0
extentpl 40 45 0 27 1 0 1 1 0 8 0
phpool 112 393 0 21 11 0 11 11 0 8 0
ddb{1}> machine ddbcpu 0
Stopped at x86_ipi_db+0x27: addq $0x8,%rsp
x86_ipi_db(ffffffff83866ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff8397aac0) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline]
__mp_lock(ffffffff8397aac0) at __mp_lock+0x192 sys/kern/kern_lock.c:173
softintr_dispatch(0) at softintr_dispatch+0x125 sys/kern/kern_softintr.c:83
dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862
Xsoftclock() at Xsoftclock+0x27
cnputc(72) at cnputc+0x67 sys/dev/cons.c:218
db_putchar(72) at db_putchar+0x36d sys/ddb/db_output.c:155
kprintf() at kprintf+0x29c5 sys/kern/subr_prf.c:-1
db_printf(ffffffff8338bb0d) at db_printf+0x9b sys/kern/subr_prf.c:-1
panic(ffffffff833b41d6) at panic+0x103 sys/kern/subr_prf.c:217
__assert(ffffffff833f0de3,ffffffff83345b7a,4f3,ffffffff8342241f) at __assert+0x29 sys/kern/subr_prf.c:-1
uvm_pagedeactivate(fffffd8008760e90) at uvm_pagedeactivate+0x34a sys/uvm/uvm_page.c:1264
end trace frame: 0xffff8000397e0330, count: 0
ddb{0}> trace
x86_ipi_db(ffffffff83866ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff8397aac0) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline]
__mp_lock(ffffffff8397aac0) at __mp_lock+0x192 sys/kern/kern_lock.c:173
softintr_dispatch(0) at softintr_dispatch+0x125 sys/kern/kern_softintr.c:83
dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862
Xsoftclock() at Xsoftclock+0x27
cnputc(72) at cnputc+0x67 sys/dev/cons.c:218
db_putchar(72) at db_putchar+0x36d sys/ddb/db_output.c:155
kprintf() at kprintf+0x29c5 sys/kern/subr_prf.c:-1
db_printf(ffffffff8338bb0d) at db_printf+0x9b sys/kern/subr_prf.c:-1
panic(ffffffff833b41d6) at panic+0x103 sys/kern/subr_prf.c:217
__assert(ffffffff833f0de3,ffffffff83345b7a,4f3,ffffffff8342241f) at __assert+0x29 sys/kern/subr_prf.c:-1
uvm_pagedeactivate(fffffd8008760e90) at uvm_pagedeactivate+0x34a sys/uvm/uvm_page.c:1264
uvn_flush(fffffd8068f6dc40,0,0,14) at uvn_flush+0x43b sys/uvm/uvm_vnode.c:668
uvn_detach(fffffd8068f6dc40) at uvn_detach+0x19e sys/uvm/uvm_vnode.c:371
uvm_unmap_detach(ffff8000397e03e0,0) at uvm_unmap_detach+0x15e sys/uvm/uvm_map.c:1364
uvm_map_teardown(fffffd800f797d88) at uvm_map_teardown+0x360 sys/uvm/uvm_map.c:2525
exit1(ffff80003c43a028,0,0,1) at exit1+0x6fc sys/kern/kern_exit.c:260
sys_exit(ffff80003c43a028,ffff8000397e05b0,ffff8000397e0500) at sys_exit+0x1a sys/kern/kern_exit.c:-1
syscall(ffff8000397e05b0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff8000397e05b0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:775
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x768a7dcd85c0, count: -22
ddb{0}> machine ddbcpu 1
Stopped at savectx+0xae: movl $0,%gs:0x688
savectx() at savectx+0xae
end of kernel
end trace frame: 0x794d5b885f40, count: 14
ddb{1}> trace
savectx() at savectx+0xae
end of kernel
end trace frame: 0x794d5b885f40, count: -1


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup