Hello,
syzbot found the following issue on:
HEAD commit: d1081477e0e5 remove unused trunklacp code
git tree: openbsd
console output:
https://syzkaller.appspot.com/x/log.txt?x=174e71ce580000
kernel config:
https://syzkaller.appspot.com/x/.config?x=7058272de1526588
dashboard link:
https://syzkaller.appspot.com/bug?extid=7629e9b4887254ba456b
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image:
https://storage.googleapis.com/syzbot-assets/83361e9f4033/disk-d1081477.raw.xz
bsd.gdb:
https://storage.googleapis.com/syzbot-assets/31d3105af480/bsd-d1081477.gdb.xz
kernel image:
https://storage.googleapis.com/syzbot-assets/5ca41f0d58c2/kernel-d1081477.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by:
syzbot+7629e9...@syzkaller.appspotmail.com
panic: kernel diagnostic assertion "next != NULL && next->start <= entry->end" failed: file "/syzkaller/managers/multicore/kernel/sys/uvm/uvm_fault.c", line 1764
Stopped at db_enter+0x25: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
75837 78212 0 0 0 0 syz-executor
*335308 78212 0 0 0x4000000 1K syz-executor
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff8345238f) at panic+0x1e5 sys/kern/subr_prf.c:198
__assert(ffffffff8349046e,ffffffff833f0b84,6e4,ffffffff834711f4) at __assert+0x29 sys/kern/subr_prf.c:-1
uvm_fault_unwire_locked(fffffd806c77a200,200000000000,200000002000) at uvm_fault_unwire_locked+0x414 sys/uvm/uvm_fault.c:1761
uvm_fault_wire(fffffd806c77a200,200000000000,200000010000,3) at uvm_fault_wire+0x12d uvm_fault_unwire sys/uvm/uvm_fault.c:1724 [inline]
uvm_fault_wire(fffffd806c77a200,200000000000,200000010000,3) at uvm_fault_wire+0x12d sys/uvm/uvm_fault.c:1706
uvm_vslock_device(ffff8000fffe6a80,200000000000,10000,3,ffff80003c41d7b8) at uvm_vslock_device+0x112 sys/uvm/uvm_glue.c:169
physio(ffffffff82df90b0,d02,8000,ffffffff82df9900,ffff80003c41da98) at physio+0x257 sys/kern/kern_physio.c:139
spec_read(ffff80003c41d8f0) at spec_read+0x14b sys/kern/spec_vnops.c:215
VOP_READ(fffffd806c5f26c0,ffff80003c41da98,0,fffffd80097fd680) at VOP_READ+0x101 sys/kern/vfs_vops.c:227
vn_read(fffffd806c512908,ffff80003c41da98,1) at vn_read+0x17b sys/kern/vfs_vnops.c:375
dofilereadv(ffff8000fffe6a80,3,ffff80003c41da98,1,ffff80003c41db50) at dofilereadv+0x25a sys/kern/sys_generic.c:252
sys_pread(ffff8000fffe6a80,ffff80003c41dc00,ffff80003c41db50) at sys_pread+0xae sys/kern/vfs_syscalls.c:3337
syscall(ffff80003c41dc00) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c41dc00) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x86735f6c8a0, count: 1
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu1: kernel diagnostic assertion "next != NULL && next->start <= entry->end" failed: file "/syzkaller/managers/multicore/kernel/sys/uvm/uvm_fault.c", line 1764
ddb{1}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff8345238f) at panic+0x1e5 sys/kern/subr_prf.c:198
__assert(ffffffff8349046e,ffffffff833f0b84,6e4,ffffffff834711f4) at __assert+0x29 sys/kern/subr_prf.c:-1
uvm_fault_unwire_locked(fffffd806c77a200,200000000000,200000002000) at uvm_fault_unwire_locked+0x414 sys/uvm/uvm_fault.c:1761
uvm_fault_wire(fffffd806c77a200,200000000000,200000010000,3) at uvm_fault_wire+0x12d uvm_fault_unwire sys/uvm/uvm_fault.c:1724 [inline]
uvm_fault_wire(fffffd806c77a200,200000000000,200000010000,3) at uvm_fault_wire+0x12d sys/uvm/uvm_fault.c:1706
uvm_vslock_device(ffff8000fffe6a80,200000000000,10000,3,ffff80003c41d7b8) at uvm_vslock_device+0x112 sys/uvm/uvm_glue.c:169
physio(ffffffff82df90b0,d02,8000,ffffffff82df9900,ffff80003c41da98) at physio+0x257 sys/kern/kern_physio.c:139
spec_read(ffff80003c41d8f0) at spec_read+0x14b sys/kern/spec_vnops.c:215
VOP_READ(fffffd806c5f26c0,ffff80003c41da98,0,fffffd80097fd680) at VOP_READ+0x101 sys/kern/vfs_vops.c:227
vn_read(fffffd806c512908,ffff80003c41da98,1) at vn_read+0x17b sys/kern/vfs_vnops.c:375
dofilereadv(ffff8000fffe6a80,3,ffff80003c41da98,1,ffff80003c41db50) at dofilereadv+0x25a sys/kern/sys_generic.c:252
sys_pread(ffff8000fffe6a80,ffff80003c41dc00,ffff80003c41db50) at sys_pread+0xae sys/kern/vfs_syscalls.c:3337
syscall(ffff80003c41dc00) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c41dc00) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x86735f6c8a0, count: -14
ddb{1}> show registers
rdi 0
rsi 0x1
rbp 0xffff80003c41d4d0
rbx 0xffff8000299aee07
rdx 0
rcx 0xffff8000fffe6a80
rax 0xffff8000299adff0
r8 0x101010101010101
r9 0x8080808080808080
r10 0xa6158118bbc7a344
r11 0x27c8ab5548425ade
r12 0xffff8000299aec08
r13 0
r14 0
r15 0x1
rip 0xffffffff81afdd35 db_enter+0x25
cs 0x8
rflags 0x246
rsp 0xffff80003c41d4c0
ss 0x10
db_enter+0x25: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor) tid=335308 pid=78212 tcnt=4 stat=onproc
flags process=0 proc=4000000<THREAD>
runpri=36, usrpri=50, slppri=36, nice=20
wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
forw=0xffffffffffffffff, list=0xffff8000fffe7ca8,0xffffffff83ac51c8
process=0xffff80003c3c9830 user=0xffff80003c418000, vmspace=0xfffffd806c77a200
estcpu=14, cpticks=2, pctcpu=0.0, user=0, sys=2, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
12001 19785 0 0 2 0x14200 acct
12701 68696 82378 0 2 0 syz-executor
78212 75837 23388 0 7 0 syz-executor
78212 244463 23388 0 2 0x4000000 syz-executor
78212 194201 23388 0 2 0x4000000 syz-executor
*78212 335308 23388 0 7 0x4000000 syz-executor
10121 462699 90256 0 2 0 syz-executor
10121 345820 90256 0 3 0x4000000 biowait syz-executor
58458 236152 45296 0 2 0 syz-executor
58458 254065 45296 0 2 0x4000000 syz-executor
37892 294783 4556 0 2 0 syz-executor
37892 425613 4556 0 3 0x4000080 fsleep syz-executor
86627 175776 19726 0 3 0x80 nanoslp syz-executor
86627 379377 19726 0 3 0x4000080 ttyout syz-executor
86627 237452 19726 0 3 0x4000080 fsleep syz-executor
42809 379168 55413 0 2 0 syz-executor
42809 368414 55413 0 3 0x4000080 nanoslp syz-executor
42809 207837 55413 0 3 0x4000080 fsleep syz-executor
21648 6517 7269 0 2 0 syz-executor
45296 452145 31702 0 3 0x82 nanoslp syz-executor
7269 464866 31702 0 3 0x82 nanoslp syz-executor
55413 5826 31702 0 3 0x82 nanoslp syz-executor
4556 50588 31702 0 3 0x82 nanoslp syz-executor
19726 181116 31702 0 3 0x82 nanoslp syz-executor
23388 323842 31702 0 3 0x82 nanoslp syz-executor
82378 276615 31702 0 3 0x82 nanoslp syz-executor
90256 175546 31702 0 3 0x82 nanoslp syz-executor
31702 12616 31582 0 3 0x82 kqread syz-executor
31582 384422 1 0 3 0x100082 nanoslp ksh
92290 407922 1 0 3 0x1000008a kqread sshd
44108 287352 17064 74 3 0x1100092 bpf pflogd
17064 81572 1 0 3 0x80 sbwait pflogd
49400 455645 35889 73 3 0x1100090 kqread syslogd
35889 9791 1 0 3 0x100082 sbwait syslogd
8581 58202 1 0 3 0x100080 kqread resolvd
95588 364243 74347 77 3 0x100092 kqread dhcpleased
22733 120823 74347 77 3 0x100092 kqread dhcpleased
74347 402770 1 0 3 0x80 kqread dhcpleased
7122 170471 0 0 3 0x14200 bored smr
70621 199962 0 0 2 0x14200 zerothread
46714 323949 0 0 3 0x14200 aiodoned aiodoned
28208 273869 0 0 3 0x14200 syncer update
18239 320470 0 0 3 0x14200 cleaner cleaner
1746 34157 0 0 3 0x14200 reaper reaper
64281 183978 0 0 3 0x14200 pgdaemon pagedaemon
56161 473061 0 0 3 0x14200 bored viomb
6412 391898 0 0 3 0x40014200 acpi0 acpi0
48083 509975 0 0 3 0x40014200 idle1
46669 365902 0 0 3 0x14200 bored softnet1
3169 344327 0 0 3 0x14200 bored softnet0
72015 415142 0 0 3 0x14200 bored systqmp
68746 139980 0 0 3 0x14200 bored systq
43825 281901 0 0 3 0x14200 tmoslp softclockmp
5605 360774 0 0 3 0x40014200 tmoslp softclock
77806 514536 0 0 3 0x40014200 idle0
1 9807 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
Process 78212 (syz-executor) thread 0xffff8000fffe6a80 (335308)
exclusive rwlock amaplk r = 0 (0xfffffd806d6280a8)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2 uvm_map_lock_entry+0x51 sys/uvm/uvm_map.c:464
#3 uvm_fault_unwire_locked+0x26d sys/uvm/uvm_fault.c:1776
#4 uvm_fault_wire+0x12d uvm_fault_unwire sys/uvm/uvm_fault.c:1724 [inline]
#4 uvm_fault_wire+0x12d sys/uvm/uvm_fault.c:1706
#5 uvm_vslock_device+0x112 sys/uvm/uvm_glue.c:169
#6 physio+0x257 sys/kern/kern_physio.c:139
#7 spec_read+0x14b sys/kern/spec_vnops.c:215
#8 VOP_READ+0x101 sys/kern/vfs_vops.c:227
#9 vn_read+0x17b sys/kern/vfs_vnops.c:375
#10 dofilereadv+0x25a sys/kern/sys_generic.c:252
#11 sys_pread+0xae sys/kern/vfs_syscalls.c:3337
#12 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#12 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783
#13 Xsyscall+0x128
shared rwlock vmmaplk r = 0 (0xfffffd806c77a300)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 rw_do_enter_read+0x3e8 sys/kern/kern_rwlock.c:413
#2 uvm_fault_wire+0x116 uvm_fault_unwire sys/uvm/uvm_fault.c:1723 [inline]
#2 uvm_fault_wire+0x116 sys/uvm/uvm_fault.c:1706
#3 uvm_vslock_device+0x112 sys/uvm/uvm_glue.c:169
#4 physio+0x257 sys/kern/kern_physio.c:139
#5 spec_read+0x14b sys/kern/spec_vnops.c:215
#6 VOP_READ+0x101 sys/kern/vfs_vops.c:227
#7 vn_read+0x17b sys/kern/vfs_vnops.c:375
#8 dofilereadv+0x25a sys/kern/sys_generic.c:252
#9 sys_pread+0xae sys/kern/vfs_syscalls.c:3337
#10 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#10 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783
#11 Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff83a76e80)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 __mp_acquire_count+0x58 sys/kern/kern_lock.c:-1
#2 sleep_finish+0x2d8 sys/kern/kern_synch.c:369
#3 rw_do_enter_read+0x309 sys/kern/kern_rwlock.c:-1
#4 uvmfault_lookup+0x122 sys/uvm/uvm_fault.c:1880
#5 uvm_fault_check+0x4f sys/uvm/uvm_fault.c:693
#6 uvm_fault+0x106 sys/uvm/uvm_fault.c:627
#7 uvm_fault_wire+0x73 sys/uvm/uvm_fault.c:1703
#8 uvm_vslock_device+0x112 sys/uvm/uvm_glue.c:169
#9 physio+0x257 sys/kern/kern_physio.c:139
#10 spec_read+0x14b sys/kern/spec_vnops.c:215
#11 VOP_READ+0x101 sys/kern/vfs_vops.c:227
#12 vn_read+0x17b sys/kern/vfs_vnops.c:375
#13 dofilereadv+0x25a sys/kern/sys_generic.c:252
#14 sys_pread+0xae sys/kern/vfs_syscalls.c:3337
#15 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#15 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783
#16 Xsyscall+0x128
Process 10121 (syz-executor) thread 0xffff80003c40aa88 (345820)
exclusive rrwlock inode r = 0 (0xfffffd806c1db440)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2 rrw_enter+0xc6 sys/kern/kern_rwlock.c:621
#3 VOP_LOCK+0xbd sys/kern/vfs_vops.c:527
#4 vn_lock+0xa4 sys/kern/vfs_vnops.c:576
#5 vn_write+0x18f sys/kern/vfs_vnops.c:411
#6 dofilewritev+0x2bd sys/kern/sys_generic.c:384
#7 sys_write+0xa2 sys/kern/sys_generic.c:300
#8 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#8 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783
#9 Xsyscall+0x128
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 11055 12083K 12215K 166960K 12188 0
pcb 17 12K 12K 166960K 33 0
rtable 215 6K 7K 166960K 358 0
pf 32 17K 81K 166960K 46 0
ifaddr 39 6K 7K 166960K 45 0
ifgroup 51 2K 2K 166960K 55 0
sysctl 3 1K 9K 166960K 7 0
counters 68 36K 37K 166960K 70 0
ioctlops 0 0K 4K 166960K 1564 0
iov 0 0K 12K 166960K 5 0
mount 1 1K 1K 166960K 1 0
log 0 0K 0K 166960K 4 0
vnodes 1290 81K 82K 166960K 1475 0
UFS quota 1 32K 32K 166960K 1 0
UFS mount 5 36K 36K 166960K 5 0
shm 3 5K 5K 166960K 3 0
VM map 2 1K 1K 166960K 2 0
sem 4 0K 0K 166960K 4 0
dirhash 12 2K 2K 166960K 18 0
ACPI 1692 195K 286K 166960K 12470 0
file desc 18 65K 93K 166960K 205 0
proc 63 99K 131K 166960K 566 0
subproc 72 4K 4K 166960K 73 0
NFS srvsock 1 0K 0K 166960K 1 0
NFS daemon 1 16K 16K 166960K 1 0
ip_moptions 0 0K 0K 166960K 7 0
in_multi 88 6K 7K 166960K 101 0
ether_multi 1 0K 0K 166960K 1 0
mrt 0 0K 0K 166960K 4 0
ISOFS mount 1 32K 32K 166960K 1 0
MSDOSFS mount 1 16K 16K 166960K 1 0
ttys 55 254K 254K 166960K 55 0
exec 0 0K 1K 166960K 410 0
fusefs mount 1 32K 32K 166960K 1 0
tdb 3 0K 0K 166960K 3 0
VM swap 8 62K 64K 166960K 10 0
UVM amap 212 162K 181K 166960K 3733 0
UVM aobj 4 2K 2K 166960K 4 0
pinsyscall 37 74K 103K 166960K 1415 0
memdesc 1 4K 4K 166960K 1 0
crypto data 1 1K 1K 166960K 1 0
ip6_options 0 0K 0K 166960K 2 0
NDP 13 0K 1K 166960K 28 0
temp 37 9070K 9142K 166960K 11301 0
kqueue 11 16K 24K 166960K 35 0
SYN cache 2 16K 16K 166960K 2 0
ddb{1}>
---
This report is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup