[ 85.6343057] panic: kernel diagnostic assertion "pmap->pm_ncsw == curlwp->l_ncsw" failed: file "/syzkaller/managers/netbsd/kernel/sys/arch/x86/x86/pmap.c", line 700 [ 85.6461410] cpu1: Begin traceback... [ 85.6698692] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 85.7173179] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 85.7647713] pmap_unmap_ptes() at netbsd:pmap_unmap_ptes+0x1c7 sys/arch/x86/x86/pmap.c:700 [ 85.8122210] pmap_remove() at netbsd:pmap_remove+0x491 sys/arch/x86/x86/pmap.c:3635 [ 85.8596703] uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 [ 85.9071194] uvm_unmap1() at netbsd:uvm_unmap1+0xd0 sys/uvm/uvm_map.c:4766 [ 85.9545695] lwp_ctl_exit() at netbsd:lwp_ctl_exit+0x15a sys/kern/kern_lwp.c:1966 [ 86.0020209] exit1() at netbsd:exit1+0x26f sys/kern/kern_exit.c:272 [ 86.0494728] sigexit() at netbsd:sigexit+0x39d sys/kern/kern_sig.c:2285 [ 86.0969206] sendsig() at netbsd:sendsig [ 86.1443738] lwp_userret() at netbsd:lwp_userret+0x392 sys/kern/kern_lwp.c:1579 [ 86.1918269] syscall() at netbsd:syscall+0x84c x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline] [ 86.1918269] syscall() at netbsd:syscall+0x84c KPREEMPT_DISABLE sys/sys/lwp.h:516 [inline] [ 86.1918269] syscall() at netbsd:syscall+0x84c mi_userret sys/sys/userret.h:100 [inline] [ 86.1918269] syscall() at netbsd:syscall+0x84c userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] [ 86.1918269] syscall() at netbsd:syscall+0x84c sys/arch/x86/x86/syscall.c:166 [ 86.2036926] --- syscall (number 27) --- [ 86.2274124] 745e09043b9a: [ 86.2274124] cpu1: End traceback... [ 86.2392737] fatal breakpoint trap in supervisor mode [ 86.2392737] trap type 1 code 0 rip 0xffffffff8021ccb5 cs 0x8 rflags 0x246 cr2 0x20001000 ilevel 0 rsp 0xffff92017aebb4b0 [ 86.2511396] curlwp 0xffff920011f7b040 pid 684.3 lowest kstack 0xffff92017aeb42c0 Stopped in pid 684.3 (syz-executor.2) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure pmap_unmap_ptes() at netbsd:pmap_unmap_ptes+0x1c7 sys/arch/x86/x86/pmap.c:700 pmap_remove() at netbsd:pmap_remove+0x491 sys/arch/x86/x86/pmap.c:3635 uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 uvm_unmap1() at netbsd:uvm_unmap1+0xd0 sys/uvm/uvm_map.c:4766 lwp_ctl_exit() at netbsd:lwp_ctl_exit+0x15a sys/kern/kern_lwp.c:1966 exit1() at netbsd:exit1+0x26f sys/kern/kern_exit.c:272 sigexit() at netbsd:sigexit+0x39d sys/kern/kern_sig.c:2285 sendsig() at netbsd:sendsig lwp_userret() at netbsd:lwp_userret+0x392 sys/kern/kern_lwp.c:1579 syscall() at netbsd:syscall+0x84c x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline] syscall() at netbsd:syscall+0x84c KPREEMPT_DISABLE sys/sys/lwp.h:516 [inline] syscall() at netbsd:syscall+0x84c mi_userret sys/sys/userret.h:100 [inline] syscall() at netbsd:syscall+0x84c userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] syscall() at netbsd:syscall+0x84c sys/arch/x86/x86/syscall.c:166 --- syscall (number 27) --- 745e09043b9a: ds 5d0 es 6b38 fs b490 gs b4e0 rdi ffff92000cb1a458 rsi ffff920011f7b328 rbp ffff92017aebb4b0 rbx ffff92016ca80000 rdx 3ffff rcx ffff920170a00000 rax ffff920012f2b1c8 r8 4 r9 1ffffffff0553818 r10 ffffffff82a9c0c3 db_onpanic+0x3 r11 10 r12 ffff92016ca92000 r13 ffffffff81c22540 platform_private_nodes+0x140 r14 ffff92017aebb540 r15 ffff92016ca80060 rip ffffffff8021ccb5 breakpoint+0x5 cs 8 rflags 246 rsp ffff92017aebb4b0 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 162 1 2 0 0 ffff920011f9f080 syz-executor.3 686 3 2 0 0 ffff920011f7b480 syz-executor.4 686 1 2 0 0 ffff92001270f1e0 syz-executor.4 684 > 3 7 1 1000000 ffff920011f7b040 syz-executor.2 549 3 2 1 0 ffff9200114bc5c0 syz-executor.0 549 1 3 0 80 ffff920012728640 syz-executor.0 parked 587 4 2 0 0 ffff920012728a80 syz-executor.1 587 3 3 1 80 ffff920011f4e320 syz-executor.1 parked 587 1 2 0 0 ffff92001148e9a0 syz-executor.1 583 4 3 1 40080 ffff9200114cca20 syz-executor.1 parked 422 3 3 0 80 ffff9200113c9340 syz-executor.1 parked 97 3 3 1 80 ffff920011242b00 syz-executor.2 parked 96 3 3 1 80 ffff9200112af2a0 syz-executor.2 parked 635 3 3 0 80 ffff92000e9b99c0 syz-executor.2 parked 567 3 3 1 80 ffff92001309e760 syz-executor.2 parked 594 1 2 0 0 ffff920012f6b280 syz-executor.4 45 1 2 0 0 ffff920012eccae0 syz-executor.5 612 1 2 1 0 ffff920012ecc6a0 syz-executor.2 40 1 2 0 0 ffff920012ecc260 syz-executor.3 41 1 2 1 0 ffff9200110d4a00 syz-executor.1 537 1 2 0 0 ffff9200110d45c0 syz-executor.0 602 11 2 1 0 ffff920012d68240 syz-fuzzer 602 10 3 0 80 ffff9200110d39e0 syz-fuzzer kqueue 602 9 3 0 80 ffff920012d46660 syz-fuzzer parked 602 8 3 1 80 ffff920012d46220 syz-fuzzer parked 602 7 3 1 80 ffff920011fd7940 syz-fuzzer parked 602 6 3 1 80 ffff920011fd7500 syz-fuzzer parked 602 5 2 1 0 ffff920011feb980 syz-fuzzer 602 4 3 1 80 ffff920011feb540 syz-fuzzer parked 602 3 3 0 80 ffff9200120155c0 syz-fuzzer parked 602 > 2 7 0 0 ffff9200120099e0 syz-fuzzer 602 1 3 1 80 ffff920011f898e0 syz-fuzzer parked 432 1 3 0 80 ffff920011f4e760 sshd select 598 1 3 0 80 ffff920011fff580 getty nanoslp 595 1 3 1 80 ffff9200120095a0 getty nanoslp 465 1 3 0 80 ffff9200120211a0 getty nanoslp 574 1 3 0 80 ffff920011f32740 getty ttyraw 463 1 3 0 80 ffff920011fd70c0 cron nanoslp 554 1 3 0 80 ffff920011f894a0 inetd kqueue 317 1 3 1 80 ffff92001159e6e0 sshd select 404 1 3 1 80 ffff9200114f8640 powerd kqueue 326 1 2 0 0 ffff920012021a20 makemandb 195 1 3 0 80 ffff920011f4eba0 syslogd kqueue 245 1 3 1 80 ffff9200114eb1e0 dhcpcd kqueue 220 1 3 1 80 ffff9200113f38e0 dhcpcd kqueue 1 1 3 0 80 ffff9200111fb240 init wait 0 58 3 0 204 ffff9200111fbac0 physiod physiod 0 57 3 0 204 ffff920011242280 aiodoned aiodoned 0 56 3 1 200 ffff920011241ae0 ioflush syncer 0 55 3 0 204 ffff9200112416a0 pooldrain pooldrain 0 54 3 0 200 ffff920011241260 pgdaemon pgdaemon 0 51 2 1 200 ffff9200111fb680 npfgc-0 0 50 3 0 204 ffff9200111edaa0 rt_free rt_free 0 49 3 0 204 ffff9200111ed660 unpgc unpgc 0 48 2 1 200 ffff9200111ed220 key_timehandler 0 47 3 1 204 ffff9200111e5a80 icmp6_wqinput/1 icmp6_wqinput 0 46 3 0 204 ffff9200111e5640 icmp6_wqinput/0 icmp6_wqinput 0 45 3 0 204 ffff9200111e5200 nd6_timer nd6_timer 0 44 3 1 204 ffff9200110fca60 carp6_wqinput/1 carp6_wqinput 0 43 3 0 204 ffff9200110fc620 carp6_wqinput/0 carp6_wqinput 0 42 3 1 204 ffff9200110fc1e0 carp_wqinput/1 carp_wqinput 0 41 3 0 204 ffff9200110e9a40 carp_wqinput/0 carp_wqinput 0 40 3 1 204 ffff9200110e9600 icmp_wqinput/1 icmp_wqinput 0 39 3 0 204 ffff9200110e91c0 icmp_wqinput/0 icmp_wqinput 0 38 3 1 204 ffff9200110d7a20 rt_timer rt_timer 0 37 3 1 204 ffff9200110d75e0 vmem_rehash vmem_rehash 0 27 3 0 204 ffff92000e9b9580 scsibus0 sccomp 0 26 3 0 200 ffff92000e9b9140 pms0 pmsreset 0 25 3 1 204 ffff92000e92b9a0 xcall/1 xcall 0 24 1 1 200 ffff92000e92b560 softser/1 0 23 1 1 200 ffff92000e92b120 softclk/1 0 22 1 1 200 ffff92000e927980 softbio/1 0 21 1 1 200 ffff92000e927540 softnet/1 0 20 1 1 201 ffff92000e927100 idle/1 0 19 3 1 204 ffff92000e85d960 lnxpwrwq lnxpwrwq 0 18 3 1 204 ffff92000e85d520 lnxlngwq lnxlngwq 0 17 3 1 204 ffff92000e85d0e0 lnxsyswq lnxsyswq 0 16 3 1 204 ffff92000d042940 lnxrcugc lnxrcugc 0 15 3 0 204 ffff92000d042500 sysmon smtaskq 0 14 3 1 204 ffff92000d0420c0 pmfsuspend pmfsuspend 0 13 3 0 204 ffff92000d033920 pmfevent pmfevent 0 12 3 0 204 ffff92000d0334e0 sopendfree sopendfr 0 11 3 1 204 ffff92000d0330a0 nfssilly nfssilly 0 10 3 0 200 ffff92000d027900 cachegc cachegc 0 9 3 0 204 ffff92000d0274c0 vdrain vdrain 0 8 3 0 200 ffff92000d027080 modunload mod_unld 0 7 3 0 204 ffff92000d0188e0 xcall/0 xcall 0 6 1 0 200 ffff92000d0184a0 softser/0 0 5 1 0 200 ffff92000d018060 softclk/0 0 4 1 0 200 ffff92000d0148c0 softbio/0 0 3 1 0 200 ffff92000d014480 softnet/0 0 2 1 0 201 ffff92000d014040 idle/0 0 1 3 0 200 ffffffff82b62fa0 swapper uvm [Locks tracked through LWPs] Locks held by an LWP (syz-executor.4): Lock 0 (initialized at uvm_obj_init) lock address : 0xffff920011256240 type : sleep/adaptive initialized : 0xffffffff810f33bc shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffff920011f7b040 last held: 0xffff92001270f1e0 last locked* : 0xffffffff810d79ce unlocked : 0xffffffff810d4872 owner field : 000000000000000000 wait/spin: 0/0 Turnstile chain at 0xffffffff82d837c8 with mutex 0xffff92000cb2f400. => No active turnstile for this lock. Locks held by an LWP (syz-executor.2): Lock 0 (initialized at uvm_map_setup) lock address : 0xffff9200113e05d8 type : sleep/adaptive initialized : 0xffffffff810e792d shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffff920011f7b040 last held: 0xffff920011f7b040 last locked* : 0xffffffff810e17d4 unlocked : 0xffffffff810d48b4 owner/count : 0xffff920011f7b040 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d83838 with mutex 0xffff92000cb2f780. => No active turnstile for this lock. Lock 1 (initialized at uvm_obj_init) lock address : 0xffff92001270d740 type : sleep/adaptive initialized : 0xffffffff810f33bc shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffff920011f7b040 last held: 0xffff920011f7b040 last locked* : 0xffffffff810e7c10 unlocked : 0xffffffff810e7c8f owner field : 0xffff920011f7b040 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83a68 with mutex 0xffff92000d00b940. => No active turnstile for this lock. Lock 2 (initialized at pmap_create) lock address : 0xffff9200113ffb00 type : sleep/adaptive initialized : 0xffffffff80272166 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffff920011f7b040 last held: 0xffff920011f7b040 last locked* : 0xffffffff80274a67 unlocked : 0xffffffff80274b88 owner field : 0xffff920011f7b040 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83ae0 with mutex 0xffff92000d00bd00. => No active turnstile for this lock. Locks held by an LWP (syz-executor.1): Lock 0 (initialized at amap_alloc) lock address : 0xffff920012ced540 type : sleep/adaptive initialized : 0xffffffff810c6fb1 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffff920011f7b040 last held: 0xffff92001148e9a0 last locked* : 0xffffffff810d65a5 unlocked : 000000000000000000 owner field : 000000000000000000 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83a28 with mutex 0xffff92000d00b740. => No active turnstile for this lock. Locks held by an LWP (syz-executor.5): Lock 0 (initialized at vcache_alloc) lock address : 0xffff920012d50900 type : sleep/adaptive initialized : 0xffffffff812ad182 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffff920011f7b040 last held: 0xffff920012eccae0 last locked* : 0xffffffff812da8f0 unlocked : 0xffffffff812da7ad owner/count : 0xffff920012eccae0 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d838a0 with mutex 0xffff92000cb2fac0. => No active turnstile for this lock. Lock 1 (initialized at vcache_alloc) lock address : 0xffff920012d50fc0 type : sleep/adaptive initialized : 0xffffffff812ad182 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffff920011f7b040 last held: 0xffff920012eccae0 last locked* : 0xffffffff812da8f0 unlocked : 0xffffffff812da7ad [ 86.2629949] Skipping crash dump on recursive panic [ 86.2629949] panic: ASan: Unauthorized Access In 0xffffffff81182850: Addr 0xffff920012d50fc0 [8 bytes, read, PoolUseAfterFree] [ 86.2629949] cpu1: Begin traceback... [ 86.2629949] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 86.2629949] snprintf() at netbsd:snprintf [ 86.2629949] kasan_report() at netbsd:kasan_report+0x8f kasan_code_name sys/kern/subr_asan.c:172 [inline] [ 86.2629949] kasan_report() at netbsd:kasan_report+0x8f sys/kern/subr_asan.c:194 [ 86.2629949] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:344 [inline] [ 86.2629949] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:358 [inline] [ 86.2629949] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:410 [inline] [ 86.2629949] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1180 [ 86.2629949] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:191 [ 86.2629949] lockdebug_dump() at netbsd:lockdebug_dump+0x281 sys/kern/subr_lockdebug.c:777 [ 86.2629949] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb9 sys/kern/subr_lockdebug.c:855 [ 86.2629949] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:886 [inline] [ 86.2629949] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f sys/kern/subr_lockdebug.c:933 [ 86.2629949] db_command() at netbsd:db_command+0x2c0 sys/ddb/db_command.c:935 [ 86.2629949] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:432 [inline] [ 86.2629949] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:582 [ 86.2629949] db_trap() at netbsd:db_trap+0x219 sys/ddb/db_trap.c:94 [ 86.2629949] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:246 [ 86.2629949] trap() at netbsd:trap+0x650 sys/arch/amd64/amd64/trap.c:313 [ 86.2629949] --- trap (number 1) --- [ 86.2629949] breakpoint() at netbsd:breakpoint+0x5 [ 86.2629949] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 [ 86.2629949] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 86.2629949] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 86.2629949] pmap_unmap_ptes() at netbsd:pmap_unmap_ptes+0x1c7 sys/arch/x86/x86/pmap.c:700 [ 86.2629949] pmap_remove() at netbsd:pmap_remove+0x491 sys/arch/x86/x86/pmap.c:3635 [ 86.2629949] uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 [ 86.2629949] uvm_unmap1() at netbsd:uvm_unmap1+0xd0 sys/uvm/uvm_map.c:4766 [ 86.2629949] lwp_ctl_exit() at netbsd:lwp_ctl_exit+0x15a sys/kern/kern_lwp.c:1966 [ 86.2629949] exit1() at netbsd:exit1+0x26f sys/kern/kern_exit.c:272 [ 86.2629949] sigexit() at netbsd:sigexit+0x39d sys/kern/kern_sig.c:2285 [ 86.2629949] sendsig() at netbsd:sendsig [ 86.2629949] lwp_userret() at netbsd:lwp_userret+0x392 sys/kern/kern_lwp.c:1579 [ 86.2629949] syscall() at netbsd:syscall+0x84c x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline] [ 86.2629949] syscall() at netbsd:syscall+0x84c KPREEMPT_DISABLE sys/sys/lwp.h:516 [inline] [ 86.2629949] syscall() at netbsd:syscall+0x84c mi_userret sys/sys/userret.h:100 [inline] [ 86.2629949] syscall() at netbsd:syscall+0x84c userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] [ 86.2629949] syscall() at netbsd:syscall+0x84c sys/arch/x86/x86/syscall.c:166 [ 86.2629949] --- syscall (number 27) --- [ 86.2629949] 745e09043b9a: [ 86.2629949] cpu1: End traceback... [ 86.2629949] fatal breakpoint trap in supervisor mode [ 86.2629949] trap type 1 code 0 rip 0xffffffff8021ccb5 cs 0x8 rflags 0x246 cr2 0x20001000 ilevel 0x8 rsp 0xffff92017aebaa70 [ 86.2629949] curlwp 0xffff920011f7b040 pid 684.3 lowest kstack 0xffff92017aeb42c0 Stopped in pid 684.3 (syz-executor.2) at netbsd:breakpoint+0x5: leave