May 12 11:38:37 ci2-netbsd-1 getty[927]: /dev/ttyE1: Device not configured
May 12 11:38:37 ci2-netbsd-1 getty[720]: /dev/ttyE2: Device not configured
NetBSD/amd64 (ci2-netbsd-1.c.syzkaller.internal) (console)
Warning: Permanently added '10.128.10.0' (ECDSA) to the list of known hosts.
2020/05/12 11:39:51 parsed 1 programs
2020/05/12 11:39:51 executed programs: 0
2020/05/12 11:39:56 executed programs: 133
2020/05/12 11:40:01 executed programs: 269
login: [ 118.8353881] panic: ASan: Unauthorized Access In 0xffffffff816c76c9: Addr 0xffff938012da0658 [8 bytes, read, PoolUseAfterFree]
[ 118.8453852] cpu1: Begin traceback...
[ 118.8554114] vpanic() at netbsd:vpanic+0x22e
[ 118.8754529] snprintf() at netbsd:snprintf
[ 118.8954991] kasan_report() at netbsd:kasan_report+0x9c
[ 118.9255608] __asan_load8() at netbsd:__asan_load8+0x294
[ 118.9556248] mutex_oncpu() at netbsd:mutex_oncpu+0x38
[ 118.9756665] mutex_enter() at netbsd:mutex_enter+0x1a1
[ 118.9957141] pool_get() at netbsd:pool_get+0xcc
[ 119.0257724] pool_cache_get_slow() at netbsd:pool_cache_get_slow+0x30c
[ 119.0558406] pool_cache_get_paddr() at netbsd:pool_cache_get_paddr+0x52f
[ 119.0859018] uvm_analloc() at netbsd:uvm_analloc+0x1f
[ 119.1059474] uvmfault_promote() at netbsd:uvmfault_promote+0x509
[ 119.1360109] uvm_fault_internal() at netbsd:uvm_fault_internal+0x4217
[ 119.1560547] trap() at netbsd:trap+0x953
[ 119.1660732] --- trap (number 6) ---
[ 119.1760965] 77f5672e27be:
[ 119.1760965] cpu1: End traceback...
[ 119.1861206] fatal breakpoint trap in supervisor mode
[ 119.1861206] trap type 1 code 0 rip 0xffffffff802209c5 cs 0x8 rflags 0x246 cr2 0x77f567607518 ilevel 0 rsp 0xffff93817f643450
[ 119.2061595] curlwp 0xffff9380147df900 pid 1405.1405 lowest kstack 0xffff93817f63c2c0
Stopped in pid 1405.1405 (syz-executor.5) at netbsd:breakpoint+0x5: leave
?
breakpoint() at netbsd:breakpoint+0x5
db_panic() at netbsd:db_panic+0xe9
vpanic() at netbsd:vpanic+0x22e
snprintf() at netbsd:snprintf
kasan_report() at netbsd:kasan_report+0x9c
__asan_load8() at netbsd:__asan_load8+0x294
mutex_oncpu() at netbsd:mutex_oncpu+0x38
mutex_enter() at netbsd:mutex_enter+0x1a1
pool_get() at netbsd:pool_get+0xcc
pool_cache_get_slow() at netbsd:pool_cache_get_slow+0x30c
pool_cache_get_paddr() at netbsd:pool_cache_get_paddr+0x52f
uvm_analloc() at netbsd:uvm_analloc+0x1f
uvmfault_promote() at netbsd:uvmfault_promote+0x509
uvm_fault_internal() at netbsd:uvm_fault_internal+0x4217
trap() at netbsd:trap+0x953
--- trap (number 6) ---
77f5672e27be:
ds ffce
es f960
fs 3430
gs 92d1
rdi ffffffff82bdf240 db_onpanic
rsi 1ffffffff057be48
rbp ffff93817f643450
rbx ffff93816e699000
rdx 0
rcx ffffffff81265c39 db_panic+0xd5
rax 0
r8 4
r9 1ffffffff057be48
r10 ffffffff82bdf243 db_onpanic+0x3
r11 0
r12 ffff93816e6aa000
r13 ffffffff82444490 ostype+0x70890
r14 ffff93817f6434e0
r15 ffff93816e699060
rip ffffffff802209c5 breakpoint+0x5
cs 8
rflags 246
rsp ffff93817f643450
ss 0
netbsd:breakpoint+0x5: leave
PID LID S CPU FLAGS STRUCT LWP * NAME WAIT
2878 2236 2 0 0 ffff938012c08140 syz-executor.1
2878 >2878 7 0 0 ffff9380137dc080 syz-executor.1
2376 2376 2 0 0 ffff938014833a00 syz-executor.5
1697 1697 2 1 0 ffff938012b1bb80 syz-executor.0
1341 1341 2 0 40 ffff938014817580 syz-executor.2
1376 1376 2 1 40 ffff9380147fb540 syz-executor.4
1310 1310 2 1 40 ffff9380147fb100 syz-executor.0
698 698 2 0 40 ffff9380147ec0c0 syz-executor.1
1405 >1405 7 1 40 ffff9380147df900 syz-executor.5
1079 1079 2 0 40 ffff9380147df080 syz-executor.3
692 1406 3 1 80 ffff9380147ec940 syz-execprog parked
692 1314 3 1 80 ffff9380147ec500 syz-execprog parked
692 699 3 0 80 ffff9380147df4c0 syz-execprog parked
692 863 3 0 80 ffff9380136e9ac0 syz-execprog parked
692 696 3 0 80 ffff9380136e9680 syz-execprog parked
692 694 2 1 40 ffff938012a0d200 syz-execprog
692 683 3 0 c0 ffff938013850ac0 syz-execprog parked
692 691 3 0 80 ffff938013850680 syz-execprog parked
692 690 3 1 c0 ffff938013850240 syz-execprog parked
692 865 3 0 80 ffff938013847a80 syz-execprog parked
692 692 3 0 80 ffff938012741b40 syz-execprog parked
686 686 3 0 80 ffff938013859b00 sshd select
1312 1312 3 1 80 ffff93801383b1c0 getty nanoslp
720 720 3 1 80 ffff938013fef8c0 getty nanoslp
927 927 3 1 80 ffff938012bc8900 getty nanoslp
1374 1374 3 1 c0 ffff938013832a00 getty ttyraw
887 887 3 0 80 ffff938013fef480 cron nanoslp
716 716 3 0 80 ffff93801379fb80 inetd kqueue
585 585 3 0 80 ffff938012d2b5c0 sshd select
597 597 3 0 80 ffff938012c1c5c0 powerd kqueue
461 461 3 0 80 ffff938013714b00 syslogd kqueue
303 303 3 1 80 ffff938012cc6780 dhcpcd kqueue
334 334 3 0 80 ffff938012be20c0 dhcpcd kqueue
1 1 3 1 80 ffff938012935100 init wait
0 448 3 0 200 ffff93801297c9c0 physiod physiod
0 123 3 0 200 ffff93801298aa00 pooldrain pooldrain
0 122 3 0 200 ffff93801298a5c0 ioflush syncer
0 121 3 1 200 ffff93801298a180 pgdaemon pgdaemon
0 118 3 0 200 ffff93801297c140 usb0 usbevt
0 117 3 1 200 ffff938012935980 usbtask-dr usbtsk
0 116 3 1 200 ffff938012935540 usbtask-hc usbtsk
0 115 3 0 200 ffff93800fe5cac0 npfgc-0 npfgccv
0 114 3 1 200 ffff938012927940 rt_free rt_free
0 113 3 1 200 ffff938012927500 unpgc unpgc
0 112 3 0 200 ffff9380129270c0 key_timehandler key_timehandler
0 111 3 1 200 ffff93801291d900 icmp6_wqinput/1 icmp6_wqinput
0 110 3 0 200 ffff93801291d4c0 icmp6_wqinput/0 icmp6_wqinput
0 109 3 0 200 ffff93801291d080 nd6_timer nd6_timer
0 108 3 1 200 ffff9380129138c0 carp6_wqinput/1 carp6_wqinput
0 107 3 0 200 ffff938012913480 carp6_wqinput/0 carp6_wqinput
0 106 3 1 200 ffff938012913040 carp_wqinput/1 carp_wqinput
0 105 3 0 200 ffff93801275bbc0 carp_wqinput/0 carp_wqinput
0 104 3 1 200 ffff93801275b780 icmp_wqinput/1 icmp_wqinput
0 103 3 0 200 ffff93801275b340 icmp_wqinput/0 icmp_wqinput
0 102 3 0 200 ffff938012744b80 rt_timer rt_timer
0 101 3 0 200 ffff938012744740 vmem_rehash vmem_rehash
0 100 3 1 200 ffff9380127412c0 entbutler entropy
0 27 3 0 200 ffff93800fe5c680 scsibus0 sccomp
0 26 3 0 200 ffff93800fe5c240 pms0 pmsreset
0 25 3 1 200 ffff93800fd9da80 xcall/1 xcall
0 24 1 1 200 ffff93800fd9d640 softser/1
0 23 1 1 200 ffff93800fd9d200 softclk/1
0 22 1 1 200 ffff93800fd9ba40 softbio/1
0 21 1 1 200 ffff93800fd9b600 softnet/1
0 20 1 1 201 ffff93800fd9b1c0 idle/1
0 19 3 0 200 ffff93800e80aa00 lnxpwrwq lnxpwrwq
0 18 3 1 200 ffff93800e80a5c0 lnxlngwq lnxlngwq
0 17 3 0 200 ffff93800e80a180 lnxsyswq lnxsyswq
0 16 3 1 200 ffff93800e8049c0 lnxrcugc lnxrcugc
0 15 3 0 200 ffff93800e804580 sysmon smtaskq
0 14 3 0 200 ffff93800e804140 pmfsuspend pmfsuspend
0 13 3 1 200 ffff93800e7ff980 pmfevent pmfevent
0 12 3 0 200 ffff93800e7ff540 sopendfree sopendfr
0 11 3 0 200 ffff93800e7ff100 iflnkst iflnkst
0 10 3 0 200 ffff93800e7f3940 nfssilly nfssilly
0 9 3 0 200 ffff93800e7f3500 vdrain vdrain
0 8 3 1 200 ffff93800e7f30c0 modunload mod_unld
0 7 3 0 200 ffff93800e7e5900 xcall/0 xcall
0 6 1 0 200 ffff93800e7e54c0 softser/0
0 5 1 0 200 ffff93800e7e5080 softclk/0
0 4 1 0 200 ffff93800e7e38c0 softbio/0
0 3 1 0 200 ffff93800e7e3480 softnet/0
0 2 1 0 201 ffff93800e7e3040 idle/0
0 0 2 1 240 ffffffff82caa080 swapper
[Locks tracked through LWPs]
****** LWP 2376.2376 (syz-executor.5) @ 0xffff938014833a00, l_stat=2
*** Locks held:
* Lock 0 (initialized at pmap_ctor)
lock address : 0xffff93801387f780 type : sleep/adaptive
initialized : 0xffffffff8086bc67
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffff938014833a00 last held: 0xffff938014833a00
last locked* : 0xffffffff8086d812 unlocked : 000000000000000000
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.
* Lock 1 (initialized at pmap_ctor)
lock address : 0xffff93801387f788 type : sleep/adaptive
initialized : 0xffffffff8086bc73
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffff938014833a00 last held: 0xffff938014833a00
last locked* : 0xffffffff8086e774 unlocked : 0xffffffff8086594d
owner/count : 000000000000000000 flags : 000000000000000000
Turnstile: no active turnstile for this lock.
*** Locks wanted: none
****** LWP 1697.1697 (syz-executor.0) @ 0xffff938012b1bb80, l_stat=2
*** Locks held: none
*** Locks wanted:
* Lock 0 (initialized at pmap_ctor)
lock address : 0xffff938012b19b80 type : sleep/adaptive
initialized : 0xffffffff8086bc67
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 1
relevant cpu : 1 last held: 1
relevant lwp : 0xffff938012b1bb80 last held: 000000000000000000
last locked : 0xffffffff8086d812 unlocked*: 0xffffffff8086dfed
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.
****** LWP 1341.1341 (syz-executor.2) @ 0xffff938014817580, l_stat=2
*** Locks held:
* Lock 0 (initialized at uvm_map_setup)
lock address : 0xffff938013fde8e8 type : sleep/adaptive
initialized : 0xffffffff81641611
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffff938014817580 last held: 0xffff938014817580
last locked* : 0xffffffff8163b8c5 unlocked : 0xffffffff8162c7b7
owner/count : 0xffff938014817580 flags : 0x0000000000000004
Turnstile: no active turnstile for this lock.
*** Locks wanted: none
****** LWP 698.698 (syz-executor.1) @ 0xffff9380147ec0c0, l_stat=2
*** Locks held:
* Lock 0 (initialized at vcache_alloc)
lock address : 0xffff9380147e5c80 type : sleep/adaptive
initialized : 0xffffffff818162a3
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffff9380147ec0c0 last held: 0xffff9380147ec0c0
last locked* : 0xffffffff81844b3e unlocked : 0xffffffff81844ba0
owner/count : 000000000000000000 flags : 000000000000000000
Turnstile: no active turnstile for this lock.
* Lock 1 (initialized at vcache_alloc)
lock address : 0xffff938014863240 type : sleep/adaptive
initialized : 0xffffffff818162a3
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffff9380147ec0c0 last held: 0xffff9380147ec0c0
last locked* : 0xffffffff81844b3e unlocked : 0xffffffff81844ba0
[ 119.2061595] Skipping crash dump on recursive panic
[ 119.2061595] panic: ASan: Unauthorized Access In 0xffffffff816e6a50: Addr 0xffff938014863240 [8 bytes, read, PoolUseAfterFree]
[ 119.2061595] cpu1: Begin traceback...
[ 119.2061595] vpanic() at netbsd:vpanic+0x22e
[ 119.2061595] snprintf() at netbsd:snprintf
[ 119.2061595] kasan_report() at netbsd:kasan_report+0x9c
[ 119.2061595] __asan_load8() at netbsd:__asan_load8+0x294
[ 119.2061595] rw_dump() at netbsd:rw_dump+0x20
[ 119.2061595] lockdebug_dump() at netbsd:lockdebug_dump+0x207
[ 119.2061595] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb7
[ 119.2061595] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26b
[ 119.2061595] db_command() at netbsd:db_command+0x2ad
[ 119.2061595] db_command_loop() at netbsd:db_command_loop+0x26c
[ 119.2061595] db_trap() at netbsd:db_trap+0x206
[ 119.2061595] kdb_trap() at netbsd:kdb_trap+0x1ce
[ 119.2061595] trap() at netbsd:trap+0x57e
[ 119.2061595] --- trap (number 1) ---
[ 119.2061595] breakpoint() at netbsd:breakpoint+0x5
[ 119.2061595] db_panic() at netbsd:db_panic+0xe9
[ 119.2061595] vpanic() at netbsd:vpanic+0x22e
[ 119.2061595] snprintf() at netbsd:snprintf
[ 119.2061595] kasan_report() at netbsd:kasan_report+0x9c
[ 119.2061595] __asan_load8() at netbsd:__asan_load8+0x294
[ 119.2061595] mutex_oncpu() at netbsd:mutex_oncpu+0x38
[ 119.2061595] mutex_enter() at netbsd:mutex_enter+0x1a1
[ 119.2061595] pool_get() at netbsd:pool_get+0xcc
[ 119.2061595] pool_cache_get_slow() at netbsd:pool_cache_get_slow+0x30c
[ 119.2061595] pool_cache_get_paddr() at netbsd:pool_cache_get_paddr+0x52f
[ 119.2061595] uvm_analloc() at netbsd:uvm_analloc+0x1f
[ 119.2061595] uvmfault_promote() at netbsd:uvmfault_promote+0x509
[ 119.2061595] uvm_fault_internal() at netbsd:uvm_fault_internal+0x4217
[ 119.2061595] trap() at netbsd:trap+0x953
[ 119.2061595] --- trap (number 6) ---
[ 119.2061595] 77f5672e27be:
[ 119.2061595] cpu1: End traceback...
[ 119.2061595] fatal breakpoint trap in supervisor mode
[ 119.2061595] trap type 1 code 0 rip 0xffffffff802209c5 cs 0x8 rflags 0x246 cr2 0x77f567607518 ilevel 0x8 rsp 0xffff93817f6429f0
[ 119.2061595] curlwp 0xffff9380147df900 pid 1405.1405 lowest kstack 0xffff93817f63c2c0
Stopped in pid 1405.1405 (syz-executor.5) at netbsd:breakpoint+0x5: leave