Fri Mar 6 03:50:16 UTC 2020
NetBSD/amd64 (ci2-netbsd-6.c.syzkaller.internal) (console)
login: Mar 6 03:50:19 ci2-netbsd-6 getty[572]: /dev/ttyE2: Device not configured
Mar 6 03:50:19 ci2-netbsd-6 getty[562]: /dev/ttyE1: Device not configured
Mar 6 03:50:19 ci2-netbsd-6 getty[574]: /dev/ttyE3: Device not configured
Warning: Permanently added '10.128.0.185' (ECDSA) to the list of known hosts.
2020/03/06 03:50:32 parsed 1 programs
2020/03/06 03:50:33 executed programs: 0
2020/03/06 03:50:38 executed programs: 63
2020/03/06 03:50:43 executed programs: 129
2020/03/06 03:50:48 executed programs: 199
[ 77.5149363] panic: ASan: Unauthorized Access In 0xffffffff8117ff25: Addr 0xffffcf8012cafb58 [8 bytes, read, PoolUseAfterFree]
[ 77.5328691] cpu0: Begin traceback...
[ 77.5449784] vpanic() at netbsd:vpanic+0x241
[ 77.5750304] snprintf() at netbsd:snprintf
[ 77.6150943] kasan_report() at netbsd:kasan_report+0x98
[ 77.6451465] __asan_load8() at netbsd:__asan_load8+0x294
[ 77.6852204] mutex_oncpu() at netbsd:mutex_oncpu+0x38
[ 77.7252846] mutex_enter() at netbsd:mutex_enter+0x1a1
[ 77.7553330] pool_get() at netbsd:pool_get+0xcc
[ 77.7954015] pool_cache_get_slow() at netbsd:pool_cache_get_slow+0x30c
[ 77.8354680] pool_cache_get_paddr() at netbsd:pool_cache_get_paddr+0x535
[ 77.8655197] pmap_enter_ma() at netbsd:pmap_enter_ma+0x8c8
[ 77.8955739] pmap_enter_default() at netbsd:pmap_enter_default+0x60
[ 77.9356406] uvm_fault_internal() at netbsd:uvm_fault_internal+0x212d
[ 77.9656949] trap() at netbsd:trap+0xcbb
[ 77.9757367] --- trap (number 6) ---
[ 77.9957428] 401850:
[ 77.9957428] cpu0: End traceback...
[ 77.9957428] fatal breakpoint trap in supervisor mode
[ 78.0070536] trap type 1 code 0 rip 0xffffffff8021e4b5 cs 0x8 rflags 0x246 cr2 0x401850 ilevel 0 rsp 0xffffcf817e883280
[ 78.0195445] curlwp 0xffffcf80120bc5c0 pid 1311.1 lowest kstack 0xffffcf817e87c2c0
Stopped in pid 1311.1 (syz-executor.0) at netbsd:breakpoint+0x5: leave
?
breakpoint() at netbsd:breakpoint+0x5
db_panic() at netbsd:db_panic+0xe9
vpanic() at netbsd:vpanic+0x241
snprintf() at netbsd:snprintf
kasan_report() at netbsd:kasan_report+0x98
__asan_load8() at netbsd:__asan_load8+0x294
mutex_oncpu() at netbsd:mutex_oncpu+0x38
mutex_enter() at netbsd:mutex_enter+0x1a1
pool_get() at netbsd:pool_get+0xcc
pool_cache_get_slow() at netbsd:pool_cache_get_slow+0x30c
pool_cache_get_paddr() at netbsd:pool_cache_get_paddr+0x535
pmap_enter_ma() at netbsd:pmap_enter_ma+0x8c8
pmap_enter_default() at netbsd:pmap_enter_default+0x60
uvm_fault_internal() at netbsd:uvm_fault_internal+0x212d
trap() at netbsd:trap+0xcbb
--- trap (number 6) ---
401850:
ds 32b0
es bac1
fs 3260
gs 32b0
rdi ffffcf800d92d488
rsi ffffcf80120bc878
rbp ffffcf817e883280
rbx ffffffff82810480 cpu_info_primary
rdx 2
rcx ffffffff80d14f81 db_panic+0xd5
rax 0
r8 4
r9 1ffffffff0554bf0
r10 ffffffff82aa5f83 db_onpanic+0x3
r11 8000000000
r12 ffffcf816d8a4000
r13 ffffffff82440b68 ostype+0x4e268
r14 ffffcf817e883310
r15 ffffcf816d893068
rip ffffffff8021e4b5 breakpoint+0x5
cs 8
rflags 246
rsp ffffcf817e883280
ss 10
netbsd:breakpoint+0x5: leave

PID LID S CPU FLAGS STRUCT LWP * NAME WAIT
845 1 2 1 0 ffffcf8012c765c0 syz-executor.4
1274 1 3 1 0 ffffcf8012ba6b00 syz-executor.3 tstile
1311 > 1 7 0 0 ffffcf80120bc5c0 syz-executor.0
226 1 2 0 0 ffffcf801218a100 syz-executor.2
600 1 2 1 0 ffffcf80116a1280 syz-executor.2
582 1 2 1 0 ffffcf8013cac540 syz-executor.0
490 1 2 0 0 ffffcf8013ca3940 syz-executor.1
464 1 2 0 0 ffffcf8013c7b900 syz-executor.5
433 1 2 0 0 ffffcf8013c7b080 syz-executor.4
487 1 2 1 0 ffffcf8013c67480 syz-executor.3
469 11 3 0 80 ffffcf8013cac100 syz-execprog parked
469 10 3 0 80 ffffcf8013ca30c0 syz-execprog parked
469 9 3 1 80 ffffcf8013c678c0 syz-execprog parked
469 8 3 0 80 ffffcf8013c67040 syz-execprog parked
469 7 3 1 80 ffffcf8013c54bc0 syz-execprog parked
469 6 3 1 80 ffffcf8012c4e4c0 syz-execprog parked
469 5 3 1 80 ffffcf8013c54340 syz-execprog kqueue
469 4 3 1 80 ffffcf8012c018c0 syz-execprog parked
469 3 3 1 80 ffffcf8012c6d9c0 syz-execprog parked
469 2 3 1 80 ffffcf8012c6d140 syz-execprog parked
469 1 3 0 80 ffffcf80116a1b00 syz-execprog parked
40 1 3 1 80 ffffcf8011c89700 sshd select
574 1 3 1 80 ffffcf8012c76a00 getty nanoslp
572 1 3 1 80 ffffcf8012c76180 getty nanoslp
562 1 3 0 80 ffffcf8012c8c200 getty nanoslp
507 1 3 0 80 ffffcf8012c81a40 getty ttyraw
555 1 3 1 80 ffffcf8012c01480 cron nanoslp
502 1 3 1 80 ffffcf8012c01040 inetd kqueue
317 1 3 0 80 ffffcf80121b2a00 sshd select
430 1 3 1 80 ffffcf801214e340 powerd kqueue
325 1 3 1 80 ffffcf8012bca700 syslogd kqueue
276 1 3 0 80 ffffcf801214e780 dhcpcd kqueue
236 1 3 1 80 ffffcf80120740c0 dhcpcd kqueue
1 1 3 0 80 ffffcf8011e2d540 init wait
0 29 3 0 204 ffffcf8011e84140 physiod physiod
0 48 3 0 204 ffffcf8011e86180 pooldrain pooldrain
0 47 2 0 200 ffffcf8011e849c0 ioflush
0 46 3 1 200 ffffcf8011e84580 pgdaemon pgdaemon
0 44 2 1 200 ffffcf8011e2d980 npfgc-0
0 43 3 1 204 ffffcf8011e2d100 rt_free rt_free
0 42 3 1 204 ffffcf8011e24940 unpgc unpgc
0 41 2 0 200 ffffcf8011e24500 key_timehandler
0 40 3 1 204 ffffcf8011e240c0 icmp6_wqinput/1 icmp6_wqinput
0 39 3 0 204 ffffcf8011e1b900 icmp6_wqinput/0 icmp6_wqinput
0 38 2 0 200 ffffcf8011e1b4c0 nd6_timer
0 37 3 1 204 ffffcf8011e1b080 carp6_wqinput/1 carp6_wqinput
0 36 3 0 204 ffffcf8011e168c0 carp6_wqinput/0 carp6_wqinput
0 35 3 1 204 ffffcf8011e16480 carp_wqinput/1 carp_wqinput
0 34 3 0 204 ffffcf8011e16040 carp_wqinput/0 carp_wqinput
0 33 3 1 204 ffffcf8011c9bbc0 icmp_wqinput/1 icmp_wqinput
0 32 3 0 204 ffffcf8011c9b780 icmp_wqinput/0 icmp_wqinput
0 31 3 0 204 ffffcf8011c9b340 rt_timer rt_timer
0 30 3 0 204 ffffcf8011c8c300 vmem_rehash vmem_rehash
0 28 3 0 204 ffffcf800f35dac0 scsibus0 sccomp
0 27 3 0 200 ffffcf800f35d680 pms0 pmsreset
0 26 3 1 204 ffffcf800f35d240 xcall/1 xcall
0 25 1 1 200 ffffcf800f35ca80 softser/1
0 24 1 1 200 ffffcf800f35c640 softclk/1
0 23 1 1 200 ffffcf800f35c200 softbio/1
0 22 1 1 200 ffffcf800f26ea40 softnet/1
0 21 1 1 201 ffffcf800f26e600 idle/1
0 20 3 0 204 ffffcf800f26e1c0 lnxpwrwq lnxpwrwq
0 19 3 0 204 ffffcf800f26ca00 lnxlngwq lnxlngwq
0 18 3 0 204 ffffcf800f26c5c0 lnxsyswq lnxsyswq
0 17 3 0 204 ffffcf800f26c180 lnxrcugc lnxrcugc
0 16 3 0 204 ffffcf800de4f9c0 sysmon smtaskq
0 15 3 0 204 ffffcf800de4f580 pmfsuspend pmfsuspend
0 14 3 0 204 ffffcf800de4f140 pmfevent pmfevent
0 13 3 0 204 ffffcf800de40980 sopendfree sopendfr
0 12 3 0 204 ffffcf800de40540 iflnkst iflnkst
0 11 3 0 204 ffffcf800de40100 nfssilly nfssilly
0 > 10 7 1 200 ffffcf800de34940 cachegc
0 9 3 0 204 ffffcf800de34500 vdrain vdrain
0 8 3 0 200 ffffcf800de340c0 modunload mod_unld
0 7 3 0 204 ffffcf800de24900 xcall/0 xcall
0 6 1 0 200 ffffcf800de244c0 softser/0
0 5 1 0 200 ffffcf800de24080 softclk/0
0 4 1 0 200 ffffcf800de218c0 softbio/0
0 3 1 0 200 ffffcf800de21480 softnet/0
0 2 1 0 201 ffffcf800de21040 idle/0
0 1 2 1 200 ffffffff82b6ef00 swapper

[Locks tracked through LWPs]

****** LWP 845.1 (syz-executor.4) @ 0xffffcf8012c765c0, l_stat=2
*** Locks held:
* Lock 0 (initialized at amap_ctor)
lock address : 0xffffcf8013c82180 type : sleep/adaptive
initialized : 0xffffffff810e0103
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffcf8012c765c0 last held: 0xffffcf8012c765c0
last locked* : 0xffffffff810ef0e4 unlocked : 0xffffffff810ecf90
owner/count : 000000000000000000 flags : 000000000000000000
Turnstile: no active turnstile for this lock.
* Lock 1 (initialized at pmap_ctor)
lock address : 0xffffcf8012c66180 type : sleep/adaptive
initialized : 0xffffffff802772c1
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffcf8012c765c0 last held: 0xffffcf8012c765c0
last locked* : 0xffffffff80278f1f unlocked : 0xffffffff80279c65
owner field : 0xffffcf8012c765c0 wait/spin: 0/0
Turnstile: no active turnstile for this lock.
* Lock 2 (initialized at pool_cache_bootstrap)
lock address : 0xffffcf800d93a5c0 type : sleep/adaptive
initialized : 0xffffffff812199c8
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffcf8012c765c0 last held: 0xffffcf8012c765c0
last locked* : 0xffffffff81218f2b unlocked : 0xffffffff8121917b
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.
*** Locks wanted: none

****** LWP 1274.1 (syz-executor.3) @ 0xffffcf8012ba6b00, l_stat=3
*** Locks held: none
*** Locks wanted:
* Lock 0 (initialized at uvm_obj_init)
lock address : 0xffffcf8013b7d300 type : sleep/adaptive
initialized : 0xffffffff8110ca10
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 1
relevant cpu : 1 last held: 0
relevant lwp : 0xffffcf8012ba6b00 last held: 0xffffcf80120bc5c0
last locked* : 0xffffffff810f06ed unlocked : 0xffffffff810ede42
owner/count : 0xffffcf80120bc5c0 flags : 0x0000000000000007
Turnstile:
=> 0 waiting readers:
=> 1 waiting writers: 0xffffcf8012ba6b00

****** LWP 1311.1 (syz-executor.0) @ 0xffffcf80120bc5c0, l_stat=7
*** Locks held:
* Lock 0 (initialized at uvm_obj_init)
lock address : 0xffffcf8013b7d300 type : sleep/adaptive
initialized : 0xffffffff8110ca10
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 1
relevant cpu : 0 last held: 0
relevant lwp : 0xffffcf80120bc5c0 last held: 0xffffcf80120bc5c0
last locked* : 0xffffffff810f06ed unlocked : 0xffffffff810ede42
owner/count : 0xffffcf80120bc5c0 flags : 0x0000000000000007
Turnstile:
=> 0 waiting readers:
=> 1 waiting writers: 0xffffcf8012ba6b00
* Lock 1 (initialized at pmap_ctor)
lock address : 0xffffcf8012b91b80 type : sleep/adaptive
initialized : 0xffffffff802772c1
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffffcf80120bc5c0 last held: 0xffffcf80120bc5c0
last locked* : 0xffffffff80278f1f unlocked : 0xffffffff80279c65
owner field : 0xffffcf80120bc5c0 wait/spin: 0/0
Turnstile: no active turnstile for this lock.
*** Locks wanted:
* Lock 0 (initialized at pool_init)
lock address : 0xffffffff82da2bb0 type : sleep/adaptive
initialized : 0xffffffff81215619
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 1
relevant cpu : 0 last held: 1
relevant lwp : 0xffffcf80120bc5c0 last held: 000000000000000000
last locked : 0xffffffff812161e8 unlocked*: 0xffffffff81216826
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

****** LWP 226.1 (syz-executor.2) @ 0xffffcf801218a100, l_stat=2
*** Locks held:
* Lock 0 (initialized at amap_ctor)
lock address : 0xffffcf8013ccf740 type : sleep/adaptive
initialized : 0xffffffff810e0103
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 1
relevant lwp : 0xffffcf801218a100 last held: 0xffffcf801218a100
last locked* : 0xffffffff810ef0e4 unlocked : 0xffffffff810ecf90
owner/count : 0xffffcf801218a100 flags : 0x0000000000000004
Turnstile: no active turnstile for this lock.
*** Locks wanted: none

****** LWP 490.1 (syz-executor.1) @ 0xffffcf8013ca3940, l_stat=2
*** Locks held:
* Lock 0 (initialized at filedesc_ctor)
lock address : 0xffffcf801359db80 type : sleep/adaptive
initialized : 0xffffffff8114b384
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 1
relevant lwp : 0xffffcf8013ca3940 last held: 0xffffcf8013ca3940
last locked* : 0xffffffff8114de74 unlocked : 0xffffffff811522b8
owner field : 0xffffcf8013ca3940 wait/spin: 0/0
Turnstile: no active turnstile for this lock.
*** Locks wanted: none

****** LWP 0.12 (iflnkst) @ 0xffffcf800de40540, l_stat=3
*** Locks held: none
*** Locks wanted:
* Lock 0 (initialized at module_hook_init)
lock address : 0xffffffff82d90180 type : sleep/adaptive
initialized : 0xffffffff8117f232
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffffcf800de40540 last held: 000000000000000000
last locked : 000000000000000000 unlocked*: 000000000000000000
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

****** LWP 0.5 (softclk/0) @ 0xffffcf800de24080, l_stat=1
*** Locks held: none
*** Locks wanted:
* Lock 0 (initialized at module_hook_init)
lock address : 0xffffffff82d90180 type : sleep/adaptive
initialized : 0xffffffff8117f232
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffffcf800de24080 last held: 000000000000000000
last locked : 000000000000000000 unlocked*: 000000000000000000
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

[Locks tracked through CPUs]

PAGE FLAG PQ UOBJECT UANON
0xffffcf8000014180 0041 00000000 0x0 0x0
0xffffcf80000141f8 0041 00000000 0x0 0x0
0xffffcf8000014270 0041 00000000 0x0 0x0
0xffffcf80000142e8 0041 00000000 0x0 0x0
0xffffcf8000014360 0041 00000000 0x0 0x0
0xffffcf80000143d8 0041 00000000 0x0 0x0
0xffffcf8000014450 0041 00000000 0x0 0x0
0xffffcf80000144c8 0041 00000000 0x0 0x0
0xffffcf8000014540 0041 00000000 0x0 0x0
0xffffcf80000145b8 0041 00000000 0x0 0x0
0xffffcf8000014630 0041 00000000 0x0 0x0
0xffffcf80000146a8 0041 00000000 0x0 0x0
0xffffcf8000014720 0041 00000000 0x0 0x0
0