panic: kernel diagnostic assertion "pg->wire_count == NUM" failed: file "/syzkaller/managers/setuid/kernel/sys/uvm/uvm_p


syzbot

6:49 AM (3 hours ago) 6:49 AM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: d11ef3f2eb06 replace SRPs with SMRs for carp iface list ha..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=115ab31a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7058272de1526588
dashboard link: https://syzkaller.appspot.com/bug?extid=b7b01d64bc59e1fea8b1

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/363ed98c2d45/disk-d11ef3f2.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/40685b3aba08/bsd-d11ef3f2.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e48474de7585/kernel-d11ef3f2.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b7b01d...@syzkaller.appspotmail.com

login: panic: keWArnRNelI NdGi:a gSnPoLs tNiOcT aLsOseWErRtEioD n ON"p Sg-YS>wCAirLLe_ 3co 3un EtX I=T= 00 "a f
aiStopped at savectx+0xae: movl $0,%gs:0x688
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*491587 12478 0 0x2 0 0 syz-executor
savectx() at savectx+0xae
end of kernel
end trace frame: 0x7e9274015470, count: 14
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
*cpu1: kernel diagnostic assertion "pg->wire_count == 0" failed: file "/syzkaller/managers/setuid/kernel/sys/uvm/uvm_page.c", line 1326
ddb{0}> trace
savectx() at savectx+0xae
end of kernel
end trace frame: 0x7e9274015470, count: -1
ddb{0}> show registers
rdi 0
rsi 0
rbp 0xffff80002a2c6150
rbx 0
rdx 0
rcx 0xffff8000ffffca68
rax 0x31
r8 0xffff80002a2c6080
r9 0
r10 0xa761c5b4a816ca1b
r11 0x239cf3f99a68c9c4
r12 0
r13 0
r14 0xffff8000ffffca68
r15 0
rip 0xffffffff82ea63ee savectx+0xae
cs 0x8
rflags 0x46
rsp 0xffff80002a2c60d0
ss 0x10
savectx+0xae: movl $0,%gs:0x688
ddb{0}> show proc
PROC (syz-executor) tid=491587 pid=12478 tcnt=1 stat=onproc
flags process=2<EXEC> proc=0
runpri=70, usrpri=70, slppri=24, nice=20
wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
forw=0xffffffffffffffff, list=0xffff8000ffffcd00,0xffff8000ffffcfa8
process=0xffff8000ffff4008 user=0xffff80002a2c1000, vmspace=0xfffffd8070586b80
estcpu=20, cpticks=28, pctcpu=0.17, user=0, sys=21, intr=7
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
65607 108510 5819 32767 2 0x10 syz-executor
19316 72288 70738 32767 2 0x10 syz-executor
19316 473029 70738 32767 2 0x4000010 syz-executor
69584 60532 94650 32767 2 0x10 syz-executor
69584 207296 94650 32767 3 0x4000090 sbwait syz-executor
30308 73873 85518 32767 2 0x10 syz-executor
30308 116151 85518 32767 3 0x4000090 fsleep syz-executor
79980 68424 12478 0 2 0x2 syz-executor
70738 63577 84462 32767 2 0x10 syz-executor
18429 384839 75674 32767 3 0x90 wait syz-executor
5819 516319 26479 32767 3 0x90 nanoslp syz-executor
66131 649 95959 32767 3 0x90 nanoslp syz-executor
94650 420260 22154 32767 2 0x10 syz-executor
65532 89504 94221 32767 3 0x90 nanoslp syz-executor
85518 352376 26703 32767 3 0x90 nanoslp syz-executor
26479 252947 12478 0 3 0x82 wait syz-executor
84462 77973 12478 0 3 0x82 wait syz-executor
75674 103588 12478 0 3 0x82 wait syz-executor
22154 10528 12478 0 3 0x82 wait syz-executor
94221 399694 12478 0 3 0x82 wait syz-executor
26703 42505 12478 0 3 0x82 wait syz-executor
95959 435921 12478 0 3 0x82 wait syz-executor
*12478 491587 13510 0 7 0x2 syz-executor
13510 243991 29399 0 3 0x10008a sigsusp ksh
29399 369261 61233 0 3 0x98 kqread sshd-session
61233 479332 37139 0 3 0x92 kqread sshd-session
35257 10277 1 0 3 0x100083 ttyin getty
37139 244122 1 0 3 0x88 kqread sshd
7925 421659 47505 73 3 0x1100090 kqread syslogd
47505 509484 1 0 3 0x100082 sbwait syslogd
16430 411446 1 0 3 0x100080 kqread resolvd
31244 286787 69349 77 3 0x100092 kqread dhcpleased
71573 460803 69349 77 3 0x100092 kqread dhcpleased
69349 499169 1 0 3 0x80 kqread dhcpleased
32369 132952 0 0 3 0x14200 bored smr
10207 506954 0 0 2 0x14200 zerothread
35839 372337 0 0 3 0x14200 aiodoned aiodoned
64132 294344 0 0 3 0x14200 syncer update
80916 270989 0 0 3 0x14200 cleaner cleaner
76900 361839 0 0 2 0x14200 reaper
99154 484678 0 0 3 0x14200 pgdaemon pagedaemon
60489 409399 0 0 3 0x14200 bored viomb
50469 410632 0 0 3 0x40014200 acpi0 acpi0
98590 71892 0 0 3 0x40014200 idle1
45538 281440 0 0 3 0x14200 bored softnet1
59975 47020 0 0 3 0x14200 bored softnet0
32916 99594 0 0 3 0x14200 bored systqmp
2240 376306 0 0 3 0x14200 bored systq
36584 44735 0 0 3 0x14200 tmoslp softclockmp
79197 167477 0 0 3 0x40014200 tmoslp softclock
27036 14852 0 0 3 0x40014200 idle0
1 195686 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
CPU 0:
exclusive mutex &pmap->pm_mtx r = 0 (0xfffffd806cd1a810)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 mtx_enter+0x4b4 sys/kern/kern_lock.c:487
#2 pmap_do_remove+0xa9 rcr3 sys/arch/amd64/compile/SYZKALLER/obj/machine/cpufunc.h:139 [inline]
#2 pmap_do_remove+0xa9 pmap_map_ptes sys/arch/amd64/amd64/pmap.c:437 [inline]
#2 pmap_do_remove+0xa9 sys/arch/amd64/amd64/pmap.c:1824
#3 uvm_unmap_kill_entry_withlock+0x269 sys/uvm/uvm_map.c:1863
#4 uvm_map_teardown+0x117 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:-1 [inline]
#4 uvm_map_teardown+0x117 sys/uvm/uvm_map.c:2486
#5 exit1+0x6fc sys/kern/kern_exit.c:260
#6 sys_exit+0x1a sys/kern/kern_exit.c:-1
#7 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#7 syscall+0xb17 sys/arch/amd64/amd64/trap.c:775
#8 Xsyscall+0x128
CPU 1:
exclusive mutex &uvm.pageqlock r = 0 (0xffffffff839b7b50)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 mtx_enter+0x4b4 sys/kern/kern_lock.c:487
#2 uvm_pageclean+0x29c sys/uvm/uvm_page.c:980
#3 uvm_pagefree+0x26 sys/uvm/uvm_page.c:1020
#4 uvm_anfree+0xe9 sys/uvm/uvm_anon.c:112
#5 amap_wipeout+0x246 sys/uvm/uvm_amap.c:-1
#6 uvm_unmap_detach+0x8a sys/uvm/uvm_map.c:1353
#7 uvm_map_teardown+0x360 sys/uvm/uvm_map.c:2525
#8 exit1+0x6fc sys/kern/kern_exit.c:260
#9 sys_exit+0x1a sys/kern/kern_exit.c:-1
#10 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#10 syscall+0xb17 sys/arch/amd64/amd64/trap.c:775
#11 Xsyscall+0x128
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10188 10955K 10973K 166960K 11282 0
pcb 17 12K 12K 166960K 17 0
rtable 217 6K 7K 166960K 372 0
pf 29 16K 16K 166960K 31 0
ifaddr 38 6K 7K 166960K 44 0
ifgroup 46 2K 2K 166960K 50 0
sysctl 1 1K 9K 166960K 6 0
counters 68 36K 37K 166960K 70 0
ioctlops 0 0K 2K 166960K 96 0
iov 0 0K 16K 166960K 16 0
mount 1 1K 1K 166960K 1 0
log 0 0K 0K 166960K 4 0
vnodes 1336 84K 84K 166960K 1475 0
UFS quota 1 32K 32K 166960K 1 0
UFS mount 5 36K 36K 166960K 5 0
shm 2 1K 5K 166960K 5 0
VM map 2 1K 1K 166960K 2 0
sem 12 0K 0K 166960K 26 0
dirhash 12 2K 2K 166960K 21 0
ACPI 1692 195K 286K 166960K 12470 0
file desc 22 81K 125K 166960K 400 0
proc 58 99K 147K 166960K 509 0
subproc 72 4K 4K 166960K 171 0
NFS srvsock 1 0K 0K 166960K 1 0
NFS daemon 1 16K 16K 166960K 1 0
ip_moptions 0 0K 0K 166960K 28 0
in_multi 88 6K 7K 166960K 104 0
ether_multi 1 0K 0K 166960K 1 0
mrt 1 0K 0K 166960K 1 0
ISOFS mount 1 32K 32K 166960K 1 0
MSDOSFS mount 1 16K 16K 166960K 1 0
ttys 79 360K 360K 166960K 79 0
exec 0 0K 1K 166960K 395 0
fusefs mount 1 32K 32K 166960K 1 0
tdb 3 0K 0K 166960K 3 0
VM swap 8 62K 64K 166960K 10 0
UVM amap 230 175K 191K 166960K 5114 0
UVM aobj 9 2K 2K 166960K 9 0
pinsyscall 43 86K 110K 166960K 1481 0
memdesc 1 4K 4K 166960K 1 0
crypto data 1 1K 1K 166960K 1 0
ip6_options 0 0K 0K 166960K 18 0
NDP 10 0K 2K 166960K 27 0
temp 40 8667K 8732K 166960K 5002 0
kqueue 13 20K 26K 166960K 83 0
SYN cache 2 16K 16K 166960K 2 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 26 0 0 1 0 1 1 0 8 0
rtpcb 120 59 0 56 1 0 1 1 0 8 0
rtentry 176 115 0 15 6 0 6 6 0 8 1
unpcb 144 194 0 177 1 0 1 1 0 8 0
syncache 336 4 0 4 1 0 1 1 0 8 1
tcpqe 32 1 0 1 1 0 1 1 0 8 1
tcpcb 736 144 0 138 4 0 4 4 0 8 3
arp 136 18 0 2 1 0 1 1 0 8 0
ipq 40 5 0 0 1 0 1 1 0 8 0
ipqe 40 5 0 0 1 0 1 1 0 8 0
inpcb 328 377 0 368 7 0 7 7 0 8 5
nd6 152 28 0 6 2 0 2 2 0 8 1
kcovpl 48 18 0 11 1 0 1 1 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 458 0 49 29 0 29 29 0 8 2
art_table 40 459 0 49 5 0 5 5 0 8 0
art_node 32 115 0 24 1 0 1 1 0 8 0
sysvmsgpl 40 7 0 2 1 0 1 1 0 8 0
semupl 112 3 0 3 1 0 1 1 0 8 1
semapl 112 24 0 14 1 0 1 1 0 8 0
shmpl 112 6 0 0 1 0 1 1 0 8 0
dirhash 1024 23 0 6 3 0 3 3 0 8 0
dino2pl 256 1903 0 380 96 0 96 96 0 8 0
ffsino 296 1903 0 380 118 0 118 118 0 8 0
nchpl 144 2406 0 707 64 0 64 64 0 8 0
vnodes 216 2083 0 0 116 0 116 116 0 8 0
namei 1024 7386 0 7386 1 0 1 1 0 8 1
percpumem 16 50 0 1 1 0 1 1 0 8 0
kstatmem 264 24 0 2 2 0 2 2 0 8 0
scxspl 216 7946 0 7946 7 2 5 5 1 8 5
plimitpl 152 89 0 66 2 0 2 2 0 8 1
sigapl 424 671 0 619 7 0 7 7 0 8 0
knotepl 120 299 0 0 10 0 10 10 0 8 0
kqueuepl 224 157 0 148 5 1 4 5 0 8 3
pipepl 344 161 0 134 3 0 3 3 0 8 0
fdescpl 528 655 0 621 4 0 4 4 0 8 0
filepl 160 3011 0 2804 13 0 13 13 0 8 2
lockfpl 104 94 0 92 1 0 1 1 0 8 0
lockfspl 48 27 0 25 1 0 1 1 0 8 0
sessionpl 144 31 0 16 1 0 1 1 0 8 0
pgrppl 48 52 0 29 1 0 1 1 0 8 0
ucredpl 104 378 0 360 1 0 1 1 0 8 0
zombiepl 144 622 0 619 1 0 1 1 0 8 0
processpl 1232 671 0 619 5 0 5 5 0 8 0
procpl 664 1030 0 973 6 0 6 6 0 8 0
sosppl 176 8 0 8 1 0 1 1 0 8 1
sockpl 752 634 0 605 11 0 11 11 0 8 7
mcl64k 65536 5 0 0 1 0 1 1 0 8 0
mcl16k 16384 5 0 0 1 0 1 1 0 8 0
mcl12k 12288 1 0 0 1 0 1 1 0 8 0
mcl9k 9216 1 0 0 1 0 1 1 0 8 0
mcl8k 8192 3 0 0 1 0 1 1 0 8 0
mcl4k 4096 120 0 0 15 0 15 15 0 8 0
mcl2k2 2112 1 0 0 1 0 1 1 0 8 0
mcl2k 2048 23 0 0 3 0 3 3 0 8 0
mtagpl 96 3 0 0 1 0 1 1 0 8 0
mbufpl 256 1161 0 0 73 0 73 73 0 8 0
bufpl 280 2617 0 114 179 0 179 179 0 8 0
anonpl 32 5625 0 0 46 0 46 46 0 246 0
amapchunkpl 152 15661 0 15173 33 0 33 33 0 158 12
amappl16 200 2196 0 2178 5 3 2 5 0 8 0
amappl15 192 5 0 5 1 1 0 1 0 8 0
amappl14 184 11 0 10 1 0 1 1 0 8 0
amappl13 176 410 0 409 1 0 1 1 0 8 0
amappl12 168 995 0 953 3 0 3 3 0 8 0
amappl11 160 2 0 2 1 1 0 1 0 8 0
amappl10 152 103 0 93 1 0 1 1 0 8 0
amappl9 144 251 0 251 1 1 0 1 0 8 0
amappl8 136 28 0 25 1 0 1 1 0 8 0
amappl7 128 118 0 117 1 0 1 1 0 8 0
amappl6 120 304 0 292 1 0 1 1 0 8 0
amappl5 112 75 0 68 1 0 1 1 0 8 0
amappl4 104 383 0 360 1 0 1 1 0 8 0
amappl3 96 2793 0 2689 4 0 4 4 0 8 0
amappl2 88 510 0 457 2 0 2 2 0 8 0
amappl1 80 9714 0 9166 13 0 13 13 0 8 0
amappl 88 4367 0 4207 5 0 5 5 0 92 0
uvmvnodes 80 108 0 0 3 0 3 3 0 8 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 8 0 0 1 0 1 1 0 8 0
uaddrrnd 24 655 0 621 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 655 0 621 1 0 1 1 0 8 0
vmmpekpl 168 7000 0 6957 3 0 3 3 0 8 0
vmmpepl 168 48425 0 46540 94 0 94 94 0 357 7
vmsppl 488 654 0 619 6 0 6 6 0 8 0
rwobjpl 80 15708 0 14795 22 1 21 21 0 8 0
pdppl 4096 1317 0 1238 119 38 81 99 0 8 2
pvpl 32 13513 0 0 109 0 109 109 0 265 0
pmappl 256 654 0 619 3 0 3 3 0 8 0
extentpl 40 45 0 27 1 0 1 1 0 8 0
phpool 112 354 0 40 10 0 10 10 0 8 0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
savectx() at savectx+0xae
end of kernel
end trace frame: 0x7e9274015470, count: -1
ddb{0}> machine ddbcpu 1
Stopped at x86_ipi_db+0x27: addq $0x8,%rsp
x86_ipi_db(ffff8000299ddff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
x86_bus_space_io_write_1(3f8,0,69) at x86_bus_space_io_write_1+0x40 sys/arch/amd64/amd64/bus_space.c:790
comcnputc(800,69) at comcnputc+0x1ab bus_space_barrier sys/dev/ic/com.c:-1 [inline]
comcnputc(800,69) at comcnputc+0x1ab sys/dev/ic/com.c:1263
cnputc(69) at cnputc+0x67 sys/dev/cons.c:218
db_putchar(69) at db_putchar+0x36d sys/ddb/db_output.c:155
kprintf() at kprintf+0x29c5 sys/kern/subr_prf.c:-1
db_printf(ffffffff83381e2e) at db_printf+0x9b sys/kern/subr_prf.c:-1
panic(ffffffff833aa9aa) at panic+0x103 sys/kern/subr_prf.c:217
__assert(ffffffff833ee6a5,ffffffff833439b2,52e,ffffffff8340aa84) at __assert+0x29 sys/kern/subr_prf.c:-1
uvm_pagedequeue(fffffd80087e1d38) at uvm_pagedequeue+0x2dd sys/uvm/uvm_page.c:1324
uvm_pageclean(fffffd80087e1d38) at uvm_pageclean+0x2ad sys/uvm/uvm_page.c:981
uvm_pagefree(fffffd80087e1d38) at uvm_pagefree+0x26 sys/uvm/uvm_page.c:1020
end trace frame: 0xffff80003c4412a0, count: 0
ddb{1}> trace
x86_ipi_db(ffff8000299ddff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
x86_bus_space_io_write_1(3f8,0,69) at x86_bus_space_io_write_1+0x40 sys/arch/amd64/amd64/bus_space.c:790
comcnputc(800,69) at comcnputc+0x1ab bus_space_barrier sys/dev/ic/com.c:-1 [inline]
comcnputc(800,69) at comcnputc+0x1ab sys/dev/ic/com.c:1263
cnputc(69) at cnputc+0x67 sys/dev/cons.c:218
db_putchar(69) at db_putchar+0x36d sys/ddb/db_output.c:155
kprintf() at kprintf+0x29c5 sys/kern/subr_prf.c:-1
db_printf(ffffffff83381e2e) at db_printf+0x9b sys/kern/subr_prf.c:-1
panic(ffffffff833aa9aa) at panic+0x103 sys/kern/subr_prf.c:217
__assert(ffffffff833ee6a5,ffffffff833439b2,52e,ffffffff8340aa84) at __assert+0x29 sys/kern/subr_prf.c:-1
uvm_pagedequeue(fffffd80087e1d38) at uvm_pagedequeue+0x2dd sys/uvm/uvm_page.c:1324
uvm_pageclean(fffffd80087e1d38) at uvm_pageclean+0x2ad sys/uvm/uvm_page.c:981
uvm_pagefree(fffffd80087e1d38) at uvm_pagefree+0x26 sys/uvm/uvm_page.c:1020
uvm_anfree(fffffd806bd37d00) at uvm_anfree+0xe9 sys/uvm/uvm_anon.c:112
amap_wipeout(fffffd8070483160) at amap_wipeout+0x246 sys/uvm/uvm_amap.c:-1
uvm_unmap_detach(ffff80003c441360,0) at uvm_unmap_detach+0x8a sys/uvm/uvm_map.c:1353
uvm_map_teardown(fffffd806cc735d8) at uvm_map_teardown+0x360 sys/uvm/uvm_map.c:2525
exit1(ffff8000363e3cb0,0,0,1) at exit1+0x6fc sys/kern/kern_exit.c:260
sys_exit(ffff8000363e3cb0,ffff80003c441530,ffff80003c441480) at sys_exit+0x1a sys/kern/kern_exit.c:-1
syscall(ffff80003c441530) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c441530) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:775
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x703eb1b63aa0, count: -22


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup