panic: kernel diagnostic assertion "pg->wire_count != NUM" failed: file "/syzkaller/managers/multicore/kernel/sys/uvm/uv


syzbot

May 24, 2026, 6:34:25 PM (2 days ago) May 24
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 6adc68a286a5 Do not crash when freeing layout cell, report..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=14377cec580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7058272de1526588
dashboard link: https://syzkaller.appspot.com/bug?extid=61588d0185a27d61b032

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7ec05711a3fd/disk-6adc68a2.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/4355e4eaefdc/bsd-6adc68a2.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/257b565f1aa7/kernel-6adc68a2.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+61588d...@syzkaller.appspotmail.com

panic: kernWAeRl NG:i SgPnLo sNOic asseRErD Oo YSCgA-L>Lw i13e7_ c6o9u3nt9!= 0"X ITfai0le
: Stopped at savectx+0xae: movl $0,%gs:0x688
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*520623 32324 0 0x2 0 1 syz-executor
savectx() at savectx+0xae
end of kernel
end trace frame: 0x7de8295b4ec0, count: 14
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu0: kernel diagnostic assertion "pg->wire_count != 0" failed: file "/syzkaller/managers/multicore/kernel/sys/uvm/uvm_page.c", line 1250
ddb{1}> trace
savectx() at savectx+0xae
end of kernel
end trace frame: 0x7de8295b4ec0, count: -1
ddb{1}> show registers
rdi 0
rsi 0
rbp 0xffff80002a2cadf0
rbx 0
rdx 0
rcx 0xffff80002a222540
rax 0x3b
r8 0xffff80002a2cad20
r9 0xffff80002a2ca9e8
r10 0x26f88d58dc162d65
r11 0x3fc2d6fd869a2329
r12 0
r13 0
r14 0xffff80002a222540
r15 0
rip 0xffffffff821093ee savectx+0xae
cs 0x8
rflags 0x46
rsp 0xffff80002a2cad70
ss 0
savectx+0xae: movl $0,%gs:0x688
ddb{1}> show proc
PROC (syz-executor) tid=520623 pid=32324 tcnt=1 stat=onproc
flags process=2<EXEC> proc=0
runpri=17, usrpri=50, slppri=17, nice=20
wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
forw=0xffffffffffffffff, list=0xffff80002a2222a8,0xffff80002a2227e8
process=0xffff8000ffff2690 user=0xffff80002a2c5000, vmspace=0xfffffd8073c97b78
estcpu=36, cpticks=39, pctcpu=0.22, user=0, sys=29, intr=9
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
90871 173890 57033 0 2 0 syz-executor
90871 239497 57033 0 3 0x4000080 fsleep syz-executor
90871 479874 57033 0 3 0x4000080 fsleep syz-executor
90871 215456 57033 0 3 0x4000080 fsleep syz-executor
9329 10665 1 0 3 0x82 nanoslp getty
93649 84086 27080 0 2 0x10 syz-executor
93649 325235 27080 0 3 0x4000090 fsleep syz-executor
93649 64066 27080 0 2 0x4000010 syz-executor
71380 376751 28309 0 2 0 syz-executor
71380 432349 28309 0 2 0x4000000 syz-executor
71380 433231 28309 0 3 0x4000080 fsleep syz-executor
92190 293829 73445 0 2 0 syz-executor
92190 384918 73445 0 3 0x4000080 fsleep syz-executor
18541 377658 37025 0 2 0 syz-executor
18541 265881 37025 0 2 0x4000000 syz-executor
32662 54645 40291 0 2 0 syz-executor
32662 135323 40291 0 3 0x4000080 fsleep syz-executor
73445 374629 41309 0 3 0x82 nanoslp syz-executor
52379 480827 41309 0 3 0x82 nanoslp syz-executor
37025 265200 41309 0 3 0x82 nanoslp syz-executor
57033 430889 41309 0 3 0x82 nanoslp syz-executor
28309 359302 41309 0 3 0x82 nanoslp syz-executor
27080 33411 41309 0 3 0x82 nanoslp syz-executor
*32324 520623 41309 0 7 0x2 syz-executor
40291 158229 41309 0 3 0x82 nanoslp syz-executor
41309 330725 1 0 3 0x82 kqread syz-executor
87141 243932 0 0 3 0x14200 bored smr
66581 161752 0 0 3 0x14200 pgzero zerothread
40528 441580 0 0 3 0x14200 aiodoned aiodoned
39236 489657 0 0 3 0x14200 syncer update
78985 92985 0 0 3 0x14200 cleaner cleaner
75941 53584 0 0 2 0x14200 reaper
12814 202691 0 0 3 0x14200 pgdaemon pagedaemon
94494 453440 0 0 3 0x14200 bored viomb
33977 442614 0 0 3 0x40014200 acpi0 acpi0
88869 419953 0 0 3 0x40014200 idle1
21914 270520 0 0 3 0x14200 bored softnet1
6838 117002 0 0 3 0x14200 bored softnet0
93020 155000 0 0 3 0x14200 bored systqmp
46743 18803 0 0 3 0x14200 bored systq
56092 11903 0 0 3 0x14200 tmoslp softclockmp
52844 286912 0 0 3 0x40014200 tmoslp softclock
64617 355190 0 0 3 0x40014200 idle0
1 76686 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
CPU 1:
exclusive mutex nchpl r = 0 (0xffffffff839f3af0)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 mtx_enter+0x4b4 sys/kern/kern_lock.c:487
#2 pool_put+0xa6 sys/kern/subr_pool.c:803
#3 cache_zap+0x310 sys/kern/vfs_cache.c:124
#4 cache_purge+0xe8 namecache_rb_cache_RBT_ROOT sys/kern/vfs_cache.c:-1 [inline]
#4 cache_purge+0xe8 sys/kern/vfs_cache.c:440
#5 ufs_rmdir+0x298 sys/ufs/ufs/ufs_vnops.c:1261
#6 VOP_RMDIR+0x192 sys/kern/vfs_vops.c:413
#7 dounlinkat+0x2e0 sys/kern/vfs_syscalls.c:1926
#8 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#8 syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
#9 Xsyscall+0x128
Process 32324 (syz-executor) thread 0xffff80002a222540 (520623)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff839ffcc0)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 __mp_acquire_count+0x58 sys/kern/kern_lock.c:-1
#2 sleep_finish+0x2d8 sys/kern/kern_synch.c:369
#3 biowait+0xc6 sys/kern/vfs_bio.c:1242
#4 bwrite+0x2e7 sys/kern/vfs_bio.c:754
#5 ufs_dirremove+0x290 sys/ufs/ufs/ufs_lookup.c:919
#6 ufs_rmdir+0x238 sys/ufs/ufs/ufs_vnops.c:1248
#7 VOP_RMDIR+0x192 sys/kern/vfs_vops.c:413
#8 dounlinkat+0x2e0 sys/kern/vfs_syscalls.c:1926
#9 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#9 syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
#10 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd806de2a420)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2 rrw_enter+0xc6 sys/kern/kern_rwlock.c:621
#3 VOP_LOCK+0xbd sys/kern/vfs_vops.c:527
#4 vn_lock+0xa4 sys/kern/vfs_vnops.c:576
#5 vget+0x2a2 sys/kern/vfs_subr.c:686
#6 ufs_ihashget+0x185 sys/ufs/ufs/ufs_ihash.c:98
#7 ffs_vget+0x8c sys/ufs/ffs/ffs_vfsops.c:1203
#8 ufs_lookup+0x1a36 sys/ufs/ufs/ufs_lookup.c:478
#9 VOP_LOOKUP+0x6e sys/kern/vfs_vops.c:85
#10 vfs_lookup+0x963 sys/kern/vfs_lookup.c:580
#11 namei+0x7c5 sys/kern/vfs_lookup.c:250
#12 dounlinkat+0xc1 sys/kern/vfs_syscalls.c:1893
#13 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#13 syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
#14 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd80742a3678)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2 rrw_enter+0xc6 sys/kern/kern_rwlock.c:621
#3 VOP_LOCK+0xbd sys/kern/vfs_vops.c:527
#4 vn_lock+0xa4 sys/kern/vfs_vnops.c:576
#5 vfs_lookup+0x12b sys/kern/vfs_lookup.c:431
#6 namei+0x7c5 sys/kern/vfs_lookup.c:250
#7 dounlinkat+0xc1 sys/kern/vfs_syscalls.c:1893
#8 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#8 syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
#9 Xsyscall+0x128
exclusive mutex nchpl r = 0 (0xffffffff839f3af0)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 mtx_enter+0x4b4 sys/kern/kern_lock.c:487
#2 pool_put+0xa6 sys/kern/subr_pool.c:803
#3 cache_zap+0x310 sys/kern/vfs_cache.c:124
#4 cache_purge+0xe8 namecache_rb_cache_RBT_ROOT sys/kern/vfs_cache.c:-1 [inline]
#4 cache_purge+0xe8 sys/kern/vfs_cache.c:440
#5 ufs_rmdir+0x298 sys/ufs/ufs/ufs_vnops.c:1261
#6 VOP_RMDIR+0x192 sys/kern/vfs_vops.c:413
#7 dounlinkat+0x2e0 sys/kern/vfs_syscalls.c:1926
#8 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#8 syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
#9 Xsyscall+0x128
Process 75941 (reaper) thread 0xffff8000ffffdc90 (53584)
exclusive rwlock kmmaplk r = 0 (0xffffffff83ae18b8)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2 vm_map_lock_ln+0x12e sys/uvm/uvm_map.c:5171
#3 uvm_unmap+0x7d sys/uvm/uvm_map.c:1798
#4 km_free+0x87 sys/uvm/uvm_km.c:714
#5 uvm_uarea_free+0x4f sys/uvm/uvm_glue.c:304
#6 reaper+0x1ca sys/kern/kern_exit.c:493
#7 proc_trampoline+0x10
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 11080 12033K 12481K 166960K 12591 0
pcb 17 13K 14K 166960K 124 0
rtable 161 6K 8K 166960K 402 0
pf 32 17K 24K 166960K 126 0
ifaddr 28 4K 7K 166960K 62 0
ifgroup 47 2K 2K 166960K 100 0
sysctl 3 1K 9K 166960K 9 0
counters 66 36K 37K 166960K 100 0
ioctlops 0 0K 4K 166960K 1573 0
iov 0 0K 16K 166960K 44 0
mount 1 1K 1K 166960K 1 0
log 0 0K 0K 166960K 4 0
vnodes 1351 85K 85K 166960K 1722 0
UFS quota 1 32K 32K 166960K 1 0
UFS mount 5 36K 36K 166960K 5 0
shm 2 1K 9K 166960K 14 0
VM map 2 1K 1K 166960K 2 0
sem 12 0K 0K 166960K 23 0
dirhash 12 2K 2K 166960K 15 0
ACPI 1692 195K 286K 166960K 12470 0
file desc 15 57K 93K 166960K 456 0
sigio 1 0K 0K 166960K 8 0
proc 20 33K 164K 166960K 600 0
subproc 72 4K 4K 166960K 73 0
NFS srvsock 1 0K 0K 166960K 1 0
NFS daemon 1 16K 16K 166960K 1 0
ip_moptions 0 0K 0K 166960K 37 0
in_multi 51 3K 7K 166960K 104 0
ether_multi 1 0K 0K 166960K 2 0
mrt 0 0K 0K 166960K 9 0
ISOFS mount 1 32K 32K 166960K 1 0
MSDOSFS mount 1 16K 16K 166960K 1 0
ttys 229 1023K 1023K 166960K 229 0
exec 0 0K 1K 166960K 399 0
fusefs mount 1 32K 32K 166960K 1 0
pfkey data 0 0K 0K 166960K 1 0
tdb 3 0K 0K 166960K 3 0
VM swap 8 62K 64K 166960K 10 0
UVM amap 141 84K 180K 166960K 5943 0
UVM aobj 22 2K 2K 166960K 22 0
pinsyscall 18 36K 104K 166960K 1633 0
memdesc 1 4K 4K 166960K 1 0
crypto data 1 1K 1K 166960K 1 0
ip6_options 0 0K 0K 166960K 13 0
NDP 10 0K 2K 166960K 40 0
temp 56 9119K 9196K 166960K 20587 0
kqueue 2 4K 26K 166960K 66 0
SYN cache 2 16K 16K 166960K 2 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 26 0 0 1 0 1 1 0 8 0
rtpcb 120 55 0 55 1 0 1 1 0 8 1
rtentry 176 116 0 54 6 0 6 6 0 8 0
unpcb 144 197 0 194 2 0 2 2 0 8 1
syncache 336 7 0 7 1 1 0 1 0 8 0
tcpcb 736 89 0 88 1 0 1 1 0 8 0
arp 136 19 0 8 1 0 1 1 0 8 0
inpcb 328 389 0 386 4 2 2 4 0 8 0
nd6 152 25 0 15 1 0 1 1 0 8 0
pkpcb 40 5 0 5 2 1 1 1 0 8 1
kcovpl 48 8 0 0 1 0 1 1 0 8 0
ppxss 1192 7 0 7 1 1 0 1 0 8 0
pppxif 1576 3 0 3 1 1 0 1 0 8 0
pfstscr 40 3 0 3 2 1 1 1 0 8 1
pffrag 232 5 0 1 1 0 1 1 0 482 0
pffrnode 88 3 0 1 1 0 1 1 0 8 0
pffrent 40 6 0 2 1 0 1 1 0 8 0
pfosfp 40 1428 0 1005 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfanchor 1288 4 0 0 1 0 1 1 0 8 0
pftag 88 1 0 0 1 0 1 1 0 8 0
pfqueue 320 1 0 1 1 1 0 1 0 8 0
pfstitem 24 38 0 2 1 0 1 1 0 8 0
pfstkey 128 41 0 5 2 0 2 2 0 8 0
pfstate 448 40 0 4 5 0 5 5 0 8 0
pfrule 1360 24 0 20 2 1 1 2 0 8 0
art_heap8 4096 2 0 0 2 0 2 2 0 8 0
art_heap4 256 478 0 218 30 1 29 30 0 8 5
art_table 40 480 0 218 5 0 5 5 0 8 0
art_node 32 116 0 59 1 0 1 1 0 8 0
sysvmsgpl 40 16 0 10 1 0 1 1 0 8 0
semupl 112 1 0 1 1 1 0 1 0 8 0
semapl 72 21 0 11 1 0 1 1 0 8 0
shmpl 112 19 0 0 1 0 1 1 0 8 0
dirhash 1024 19 0 2 3 0 3 3 0 8 0
dino2pl 256 2185 0 722 93 0 93 93 0 8 0
ffsino 296 2185 0 722 114 0 114 114 0 8 0
nchpl 144 2819 0 1115 64 0 64 64 0 8 0
vnodes 216 2507 0 0 140 0 140 140 0 8 0
namei 1024 9517 0 9517 10 2 8 8 0 8 8
percpumem 16 65 0 17 1 0 1 1 0 8 0
kstatmem 264 53 0 28 2 0 2 2 0 8 0
scsiplug 72 2 0 2 1 1 0 1 0 8 0
scxspl 216 11102 0 11102 4 3 1 3 1 8 1
plimitpl 152 98 0 86 1 0 1 1 0 8 0
sigapl 424 778 0 742 7 1 6 7 0 8 0
knotepl 120 322 0 0 10 0 10 10 0 8 0
kqueuepl 224 176 0 173 5 4 1 5 0 8 0
pipepl 344 151 0 123 4 1 3 4 0 8 0
fdescpl 528 762 0 744 3 0 3 3 0 8 0
filepl 160 3757 0 3597 19 3 16 16 0 8 6
lockfpl 104 247 0 247 2 0 2 2 0 8 2
lockfspl 48 53 0 53 1 0 1 1 0 8 1
sessionpl 144 40 0 36 1 0 1 1 0 8 0
pgrppl 48 52 0 40 1 0 1 1 0 8 0
ucredpl 104 467 0 462 1 0 1 1 0 8 0
zombiepl 144 790 0 788 2 1 1 1 0 8 0
processpl 1232 778 0 742 5 0 5 5 0 8 0
procpl 664 1335 0 1288 6 0 6 6 0 8 0
sockpl 752 654 0 648 8 3 5 7 0 8 2
mcl64k 65536 6 0 0 1 0 1 1 0 8 0
mcl16k 16384 3 0 0 1 0 1 1 0 8 0
mcl12k 12288 2 0 0 1 0 1 1 0 8 0
mcl8k 8192 5 0 0 1 0 1 1 0 8 0
mcl4k 4096 123 0 0 16 0 16 16 0 8 0
mcl2k 2048 25 0 0 4 0 4 4 0 8 0
mtagpl 96 2 0 0 1 0 1 1 0 8 0
mbufpl 256 164 0 0 11 0 11 11 0 8 0
bufpl 280 8363 0 2032 453 0 453 453 0 8 0
anonpl 32 9995 0 0 81 0 81 81 0 246 0
amapchunkpl 152 18584 0 17962 34 2 32 32 0 158 0
amappl16 200 2088 0 2063 17 14 3 15 0 8 0
amappl15 192 10 0 10 2 1 1 1 0 8 1
amappl14 184 469 0 469 1 0 1 1 0 8 1
amappl13 176 125 0 123 1 0 1 1 0 8 0
amappl12 168 1012 0 993 2 0 2 2 0 8 0
amappl11 160 4 0 4 1 1 0 1 0 8 0
amappl10 152 72 0 72 1 0 1 1 0 8 1
amappl9 144 279 0 278 2 1 1 1 0 8 0
amappl8 136 116 0 115 1 0 1 1 0 8 0
amappl7 128 153 0 151 1 0 1 1 0 8 0
amappl6 120 153 0 153 1 0 1 1 0 8 1
amappl5 112 101 0 100 1 0 1 1 0 8 0
amappl4 104 320 0 316 1 0 1 1 0 8 0
amappl3 96 3652 0 3570 5 1 4 4 0 8 0
amappl2 88 557 0 545 2 0 2 2 0 8 0
amappl1 80 12488 0 12365 18 4 14 18 0 8 7
amappl 88 5103 0 4981 6 1 5 5 0 92 0
uvmvnodes 80 104 0 0 3 0 3 3 0 8 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma2048 2048 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 254 0 254 2 2 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 19 0 18 1 0 1 1 0 8 0
aobjpl 72 21 0 0 1 0 1 1 0 8 0
uaddrrnd 24 762 0 743 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 762 0 743 1 0 1 1 0 8 0
vmmpekpl 168 8362 0 8322 3 1 2 3 0 8 0
vmmpepl 168 57466 0 56590 98 10 88 98 0 357 28
vmsppl 488 761 0 742 5 1 4 5 0 8 0
rwobjpl 80 18700 0 18247 27 1 26 27 0 8 3
pdppl 4096 1531 0 1484 105 34 71 85 0 8 24
pvpl 32 28942 0 0 235 1 234 234 0 265 0
pmappl 256 761 0 742 3 0 3 3 0 8 0
extentpl 40 45 0 27 1 0 1 1 0 8 0
phpool 112 293 0 42 8 0 8 8 0 8 0
ddb{1}> machine ddbcpu 0
Stopped at x86_ipi_db+0x27: addq $0x8,%rsp
x86_ipi_db(ffffffff8399dff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
x86_bus_space_io_read_4(b008,0) at x86_bus_space_io_read_4+0x37 sys/arch/amd64/amd64/bus_space.c:682
acpitimer_delay(1) at acpitimer_delay+0x76 acpitimer_read sys/dev/acpi/acpitimer.c:142 [inline]
acpitimer_delay(1) at acpitimer_delay+0x76 sys/dev/acpi/acpitimer.c:120
comcnputc(800,20) at comcnputc+0x29b sys/dev/ic/com.c:1274
cnputc(20) at cnputc+0x67 sys/dev/cons.c:218
db_putchar(66) at db_putchar+0x126 db_force_whitespace sys/ddb/db_output.c:102 [inline]
db_putchar(66) at db_putchar+0x126 sys/ddb/db_output.c:153
kprintf() at kprintf+0x29c5 sys/kern/subr_prf.c:-1
db_printf(ffffffff834917c0) at db_printf+0x9b sys/kern/subr_prf.c:-1
panic(ffffffff834b85bc) at panic+0x103 sys/kern/subr_prf.c:217
__assert(ffffffff834f5b3b,ffffffff834e49b2,4e2,ffffffff834468b7) at __assert+0x29 sys/kern/subr_prf.c:-1
uvm_pageunwire(fffffd8008ea3bb0) at uvm_pageunwire+0x17d sys/uvm/uvm_page.c:1249
uvm_fault_unwire_locked(fffffd806b326d78,e7f834aa000,e7f834ab000) at uvm_fault_unwire_locked+0x33a sys/uvm/uvm_fault.c:1790
end trace frame: 0xffff80003a3c9ca0, count: 0
ddb{0}> trace
x86_ipi_db(ffffffff8399dff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
x86_bus_space_io_read_4(b008,0) at x86_bus_space_io_read_4+0x37 sys/arch/amd64/amd64/bus_space.c:682
acpitimer_delay(1) at acpitimer_delay+0x76 acpitimer_read sys/dev/acpi/acpitimer.c:142 [inline]
acpitimer_delay(1) at acpitimer_delay+0x76 sys/dev/acpi/acpitimer.c:120
comcnputc(800,20) at comcnputc+0x29b sys/dev/ic/com.c:1274
cnputc(20) at cnputc+0x67 sys/dev/cons.c:218
db_putchar(66) at db_putchar+0x126 db_force_whitespace sys/ddb/db_output.c:102 [inline]
db_putchar(66) at db_putchar+0x126 sys/ddb/db_output.c:153
kprintf() at kprintf+0x29c5 sys/kern/subr_prf.c:-1
db_printf(ffffffff834917c0) at db_printf+0x9b sys/kern/subr_prf.c:-1
panic(ffffffff834b85bc) at panic+0x103 sys/kern/subr_prf.c:217
__assert(ffffffff834f5b3b,ffffffff834e49b2,4e2,ffffffff834468b7) at __assert+0x29 sys/kern/subr_prf.c:-1
uvm_pageunwire(fffffd8008ea3bb0) at uvm_pageunwire+0x17d sys/uvm/uvm_page.c:1249
uvm_fault_unwire_locked(fffffd806b326d78,e7f834aa000,e7f834ab000) at uvm_fault_unwire_locked+0x33a sys/uvm/uvm_fault.c:1790
uvm_unmap_kill_entry_withlock(fffffd806b326d78,fffffd806685eb70,0) at uvm_unmap_kill_entry_withlock+0x81 sys/uvm/uvm_map.c:1866
uvm_map_teardown(fffffd806b326d78) at uvm_map_teardown+0x117 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:-1 [inline]
uvm_map_teardown(fffffd806b326d78) at uvm_map_teardown+0x117 sys/uvm/uvm_map.c:2497
exit1(ffff80003c3e67f0,0,0,1) at exit1+0x6fc sys/kern/kern_exit.c:260
sys_exit(ffff80003c3e67f0,ffff80003a3c9e80,ffff80003a3c9dd0) at sys_exit+0x1a sys/kern/kern_exit.c:-1
syscall(ffff80003a3c9e80) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003a3c9e80) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7d46ae0a21c0, count: -20
ddb{0}> machine ddbcpu 1
Stopped at savectx+0xae: movl $0,%gs:0x688
savectx() at savectx+0xae
end of kernel
end trace frame: 0x7de8295b4ec0, count: 14
ddb{1}> trace
savectx() at savectx+0xae
end of kernel
end trace frame: 0x7de8295b4ec0, count: -1
ddb{1}>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup