[ 89.0149990] panic: [ 89.0149990] kernel diagnostic assertion "semcnt >= 0" failed: file "/syzkaller/managers/netbsd/kernel/sys/kern/kern_uidinfo.c", line 241 [ 89.0249821] cpu1: Begin traceback... [ 89.0549814] vpanic() at netbsd:vpanic+0x265 sys/kern/subr_prf.c:290 [ 89.0949796] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 89.1549801] chgsemcnt() at netbsd:chgsemcnt+0x71 sys/kern/kern_uidinfo.c:242 [ 89.2049820] ksem_release() at netbsd:ksem_release+0xbf sys/kern/uipc_sem.c:536 [ 89.2649824] ksem_close_fop() at netbsd:ksem_close_fop+0xb0 sys/kern/uipc_sem.c:853 [ 89.3149808] closef() at netbsd:closef+0x152 sys/kern/kern_descrip.c:832 [ 89.3649810] fd_free() at netbsd:fd_free+0x544 sys/kern/kern_descrip.c:1565 [ 89.4149801] exit1() at netbsd:exit1+0x307 sys/kern/kern_exit.c:301 [ 89.4549803] sigexit() at netbsd:sigexit+0x3cd sys/kern/kern_sig.c:2307 [ 89.5049846] sendsig() at netbsd:sendsig [ 89.5549793] lwp_userret() at netbsd:lwp_userret+0x2e7 sys/kern/kern_lwp.c:1633 [ 89.6049847] syscall() at netbsd:syscall+0x89a x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline] [ 89.6049847] syscall() at netbsd:syscall+0x89a KPREEMPT_DISABLE sys/sys/lwp.h:541 [inline] [ 89.6049847] syscall() at netbsd:syscall+0x89a mi_userret sys/sys/userret.h:97 [inline] [ 89.6049847] syscall() at netbsd:syscall+0x89a userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] [ 89.6049847] syscall() at netbsd:syscall+0x89a sys/arch/x86/x86/syscall.c:166 [ 89.6149809] --- syscall (number 4) --- [ 89.6349803] netbsd:syscall+0x89a: [ 89.6349803] cpu1: End traceback... [ 89.6349803] fatal breakpoint trap in supervisor mode [ 89.6449811] trap type 1 code 0 rip 0xffffffff80220a2d cs 0x8 rflags 0x282 cr2 0x1b30825000 ilevel 0 rsp 0xffffcc01a4417750 [ 89.6549808] curlwp 0xffffcc001477f100 pid 2022.961 lowest kstack 0xffffcc01a44102c0 Stopped in pid 2022.961 (syz-executor.5) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0x105 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x265 sys/kern/subr_prf.c:290 _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure chgsemcnt() at netbsd:chgsemcnt+0x71 sys/kern/kern_uidinfo.c:242 ksem_release() at netbsd:ksem_release+0xbf sys/kern/uipc_sem.c:536 ksem_close_fop() at netbsd:ksem_close_fop+0xb0 sys/kern/uipc_sem.c:853 closef() at netbsd:closef+0x152 sys/kern/kern_descrip.c:832 fd_free() at netbsd:fd_free+0x544 sys/kern/kern_descrip.c:1565 exit1() at netbsd:exit1+0x307 sys/kern/kern_exit.c:301 sigexit() at netbsd:sigexit+0x3cd sys/kern/kern_sig.c:2307 sendsig() at netbsd:sendsig lwp_userret() at netbsd:lwp_userret+0x2e7 sys/kern/kern_lwp.c:1633 syscall() at netbsd:syscall+0x89a x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline] syscall() at netbsd:syscall+0x89a KPREEMPT_DISABLE sys/sys/lwp.h:541 [inline] syscall() at netbsd:syscall+0x89a mi_userret sys/sys/userret.h:97 [inline] syscall() at netbsd:syscall+0x89a userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] syscall() at netbsd:syscall+0x89a sys/arch/x86/x86/syscall.c:166 --- syscall (number 4) --- netbsd:syscall+0x89a: Panic string: kernel diagnostic assertion "semcnt >= 0" failed: file "/syzkaller/managers/netbsd/kernel/sys/kern/kern_uidinfo.c", line 241 PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 2093 2093 2 0 0 ffffcc0013cf3240 syz-executor.3 2076 1961 2 0 0 ffffcc0013d5d780 syz-executor.0 2076 1881 2 0 0 ffffcc0013c8c080 syz-executor.0 2076 1224 2 0 0 ffffcc0013d42740 syz-executor.0 2076 1986 2 0 0 ffffcc0013cf3680 syz-executor.0 2076 2076 2 0 10000000 ffffcc0013ce6200 syz-executor.0 1879 2260 2 0 100 ffffcc0013c5db80 syz-executor.1 1879 1879 2 0 10000000 ffffcc00148c2580 syz-executor.1 2022 > 961 7 1 1000000 ffffcc001477f100 syz-executor.5 2090 2090 3 0 180 ffffcc0013bc65c0 syz-executor.0 parked 1968 2116 2 1 0 ffffcc0013d5d340 syz-executor.2 1968 1968 2 1 10000000 ffffcc0013c12280 syz-executor.2 1824 1824 3 0 180 ffffcc00153d7340 syz-executor.1 parked 1723 1723 3 1 180 ffffcc00154e7940 syz-executor.1 parked 839 839 3 1 180 ffffcc00154c14c0 syz-executor.5 parked 1619 1619 3 0 180 ffffcc0013ba9580 syz-executor.5 parked 1368 1368 3 0 180 ffffcc0014882940 syz-executor.3 parked 1591 1591 3 0 180 ffffcc00148820c0 syz-executor.3 parked 1764 1764 3 0 180 ffffcc0013cc4180 syz-executor.5 parked 1603 1603 3 0 180 ffffcc0013ca8100 syz-executor.5 parked 1488 1488 3 1 180 ffffcc0013c8c900 syz-executor.1 parked 1509 1509 3 0 180 ffffcc00147a8580 syz-executor.1 parked 1383 1383 3 0 180 ffffcc0013c7f480 syz-executor.4 parked 332 332 2 1 140 ffffcc0013b5d940 syz-executor.5 826 826 3 0 180 ffffcc0013b78980 syz-executor.2 parked 1191 1191 2 0 40 ffffcc0015278640 syz-executor.4 1099 1099 2 0 40 ffffcc0015278200 syz-executor.3 1078 1078 2 1 140 ffffcc001522b600 syz-executor.2 1073 1073 2 1 140 ffffcc001522b1c0 syz-executor.1 422 422 2 0 40 ffffcc0015139a00 syz-executor.0 1070 1085 3 0 180 ffffcc0014723940 syz-fuzzer parked 1070 1128 2 1 100 ffffcc0015139180 syz-fuzzer 1070 956 3 0 1c0 ffffcc0013c47b40 syz-fuzzer parked 1070 1081 3 0 1c0 ffffcc00147d1a40 syz-fuzzer parked 1070 1071 3 1 180 ffffcc0014839b00 syz-fuzzer parked 1070 1076 3 0 180 ffffcc0014839280 syz-fuzzer parked 1070 1077 3 1 1c0 ffffcc00136e9700 syz-fuzzer parked 1070 1074 3 1 180 ffffcc00148a6540 syz-fuzzer parked 1070 1070 3 1 180 ffffcc0013abe4c0 syz-fuzzer parked 1068 1068 3 1 180 ffffcc0013abe080 sshd select 1249 1249 3 0 180 ffffcc00136e9b40 getty nanoslp 1101 1101 3 0 180 ffffcc00148a6980 getty nanoslp 1097 1097 3 1 180 ffffcc00136ec740 getty nanoslp 947 947 3 1 1c0 ffffcc00139f7700 getty ttyraw 965 965 3 1 180 ffffcc00147d1600 sshd select 1122 1122 3 1 180 ffffcc0013d00b00 powerd kqueue 555 555 3 0 180 ffffcc001484eb40 syslogd kqueue 598 598 3 1 180 ffffcc0013c05ac0 dhcpcd poll 597 597 3 0 180 ffffcc0013c8c4c0 dhcpcd poll 594 594 3 0 180 ffffcc0013c05240 dhcpcd poll 462 462 3 1 180 ffffcc0013c5d300 dhcpcd poll 350 350 3 0 180 ffffcc0013d778c0 dhcpcd poll 349 349 3 0 180 ffffcc0013d77480 dhcpcd poll 348 348 2 1 100 ffffcc0013d77040 dhcpcd 1 1 3 0 180 ffffcc001385a140 init wait 0 1247 3 0 200 ffffcc0013b5d500 acctwatch actwat 0 895 3 0 200 ffffcc0013986240 physiod physiod 0 192 3 0 200 ffffcc0013988280 pooldrain pooldrain 0 > 163 7 0 240 ffffcc0013986ac0 ioflush 0 168 3 1 200 ffffcc0013986680 pgdaemon pgdaemon 0 162 3 1 200 ffffcc001395a640 usb7 usbevt 0 161 3 1 200 ffffcc001395a200 usb6 usbevt 0 31 3 1 200 ffffcc001390ba40 usb5 usbevt 0 63 3 1 200 ffffcc001390b600 usb4 usbevt 0 126 3 1 200 ffffcc001390b1c0 usb3 usbevt 0 125 3 0 240 ffffcc00138b8a00 usb2 usbxfer 0 124 3 0 200 ffffcc00138b85c0 usb1 usbevt 0 123 3 0 200 ffffcc00138b8180 usb0 usbevt 0 122 3 0 200 ffffcc001385a9c0 usbtask-dr usbtsk 0 121 3 0 200 ffffcc0010dbaac0 usbtask-hc usbtsk 0 120 3 1 200 ffffcc001385a580 npfgc0 npfgcw 0 119 3 0 200 ffffcc001384b980 rt_free rt_free 0 118 3 1 200 ffffcc001384b540 unpgc unpgc 0 117 3 0 200 ffffcc001384b100 key_timehandler key_timehandler 0 116 3 1 200 ffffcc001371b940 icmp6_wqinput/1 icmp6_wqinput 0 115 3 0 200 ffffcc001371b500 icmp6_wqinput/0 icmp6_wqinput 0 114 3 0 200 ffffcc001371b0c0 nd6_timer nd6_timer 0 113 3 1 200 ffffcc0013710900 carp6_wqinput/1 carp6_wqinput 0 112 3 0 200 ffffcc00137104c0 carp6_wqinput/0 carp6_wqinput 0 111 3 1 200 ffffcc0013710080 carp_wqinput/1 carp_wqinput 0 110 3 0 200 ffffcc00136ff8c0 carp_wqinput/0 carp_wqinput 0 109 3 1 200 ffffcc00136ff480 icmp_wqinput/1 icmp_wqinput 0 108 3 0 200 ffffcc00136ff040 icmp_wqinput/0 icmp_wqinput 0 107 3 0 200 ffffcc00136edbc0 rt_timer rt_timer 0 106 3 1 200 ffffcc00136ed780 vmem_rehash vmem_rehash 0 105 3 0 200 ffffcc00136ecb80 entbutler entropy 0 96 3 0 200 ffffcc00130c0b00 viomb balloon 0 30 3 1 200 ffffcc00130c06c0 vioif0_txrx/1 vioif0_txrx 0 29 3 0 200 ffffcc00130c0280 vioif0_txrx/0 vioif0_txrx 0 27 3 0 200 ffffcc0010dba680 scsibus0 sccomp 0 26 3 0 200 ffffcc0010dba240 pms0 pmsreset 0 25 3 1 200 ffffcc0010d0ea80 xcall/1 xcall 0 24 1 1 200 ffffcc0010d0e640 softser/1 0 23 1 1 200 ffffcc0010d0e200 softclk/1 0 22 1 1 200 ffffcc0010d0ca40 softbio/1 0 21 1 1 200 ffffcc0010d0c600 softnet/1 0 20 1 1 201 ffffcc0010d0c1c0 idle/1 0 19 3 0 200 ffffcc000f77da00 lnxpwrwq lnxpwrwq 0 18 3 0 200 ffffcc000f77d5c0 lnxlngwq lnxlngwq 0 17 3 0 200 ffffcc000f77d180 lnxsyswq lnxsyswq 0 16 3 0 200 ffffcc000f7759c0 lnxrcugc lnxrcugc 0 15 3 0 200 ffffcc000f775580 sysmon smtaskq 0 14 3 0 200 ffffcc000f775140 pmfsuspend pmfsuspend 0 13 3 0 200 ffffcc000f771980 pmfevent pmfevent 0 12 3 0 200 ffffcc000f771540 sopendfree sopendfr 0 11 3 0 200 ffffcc000f771100 iflnkst iflnkst 0 10 3 0 200 ffffcc000f765940 nfssilly nfssilly 0 9 3 0 200 ffffcc000f765500 vdrain vdrain 0 8 3 0 200 ffffcc000f7650c0 modunload mod_unld 0 7 3 0 200 ffffcc000f758900 xcall/0 xcall 0 6 1 0 200 ffffcc000f7584c0 softser/0 0 5 1 0 200 ffffcc000f758080 softclk/0 0 4 1 0 200 ffffcc000f7568c0 softbio/0 0 3 1 0 200 ffffcc000f756480 softnet/0 0 2 1 0 201 ffffcc000f756040 idle/0 0 0 2 1 240 ffffffff82eee200 swapper [Locks tracked through LWPs] ****** LWP 2022.961 (syz-executor.5) @ 0xffffcc001477f100, l_stat=7 *** Locks held: * Lock 0 (initialized at fork1) lock address : 0xffffcc0013ca4f90 type : sleep/adaptive initialized : 0xffffffff818c553e shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffcc001477f100 last held: 0xffffcc001477f100 last locked* : 0xffffffff818c18c1 unlocked : 000000000000000000 owner/count : 0xffffcc001477f100 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. *** Locks wanted: * Lock 0 (initialized at module_hook_init) lock address : 0xffffffff82ff5f80 type : sleep/adaptive initialized : 0xffffffff818df781 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 0 relevant lwp : 0xffffcc001477f100 last held: 000000000000000000 last locked : 000000000000000000 unlocked*: 000000000000000000 owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. ****** LWP 1191.1191 (syz-executor.4) @ 0xffffcc0015278640, l_stat=2 *** Locks held: * Lock 0 (initialized at amap_ctor) lock address : 0xffffcc001526eb80 type : sleep/adaptive initialized : 0xffffffff8182910b shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffcc0015278640 last held: 0xffffcc0015278640 last locked* : 0xffffffff818398fd unlocked : 0xffffffff81829b5b owner/count : 0xffffcc0015278640 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at pmap_ctor) lock address : 0xffffcc00148bcd80 type : sleep/adaptive initialized : 0xffffffff808d2c54 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffcc0015278640 last held: 0xffffcc0015278640 last locked* : 0xffffffff808d48e2 unlocked : 0xffffffff808d51e8 owner field : 0xffffcc0015278640 wait/spin: 0/0 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 1099.1099 (syz-executor.3) @ 0xffffcc0015278200, l_stat=2 *** Locks held: * Lock 0 (initialized at vcache_alloc) lock address : 0xffffcc0015242e80 type : sleep/adaptive initialized : 0xffffffff81a58500 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffcc0015278200 last held: 0xffffcc0015278200 last locked* : 0xffffffff81a8b2d0 unlocked : 0xffffffff81a8b332 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at vcache_alloc) lock address : 0xffffcc001397a200 type : sleep/adaptive initialized : 0xffffffff81a58500 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffcc0015278200 last held: 0xffffcc0015278200 last locked* : 0xffffffff81a8b2d0 unlocked : 0xffffffff81a8b332 [ 89.6649810] Skipping crash dump on recursive panic [ 89.6649810] panic: ASan: Unauthorized Access In 0xffffffff81903dd0: Addr 0xffffcc001397a200 [8 bytes, read, PoolUseAfterFree] [ 89.6649810] cpu1: Begin traceback... [ 89.6649810] vpanic() at netbsd:vpanic+0x265 sys/kern/subr_prf.c:290 [ 89.6649810] snprintf() at netbsd:snprintf [ 89.6649810] kasan_report() at netbsd:kasan_report+0x8c kasan_code_name sys/kern/subr_asan.c:163 [inline] [ 89.6649810] kasan_report() at netbsd:kasan_report+0x8c sys/kern/subr_asan.c:195 [ 89.6649810] __asan_load8() at netbsd:__asan_load8+0x27e kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:345 [inline] [ 89.6649810] __asan_load8() at netbsd:__asan_load8+0x27e kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:359 [inline] [ 89.6649810] __asan_load8() at netbsd:__asan_load8+0x27e kasan_shadow_check sys/kern/subr_asan.c:411 [inline] [ 89.6649810] __asan_load8() at netbsd:__asan_load8+0x27e sys/kern/subr_asan.c:1198 [ 89.6649810] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:186 [ 89.6649810] lockdebug_dump() at netbsd:lockdebug_dump+0x23b sys/kern/subr_lockdebug.c:759 [ 89.6649810] lockdebug_show_one() at netbsd:lockdebug_show_one+0xa7 sys/kern/subr_lockdebug.c:839 [ 89.6649810] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x274 lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:877 [inline] [ 89.6649810] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x274 sys/kern/subr_lockdebug.c:941 [ 89.6649810] db_command() at netbsd:db_command+0x310 sys/ddb/db_command.c:957 [ 89.6649810] db_command_loop() at netbsd:db_command_loop+0x293 db_execute_commandlist sys/ddb/db_command.c:454 [inline] [ 89.6649810] db_command_loop() at netbsd:db_command_loop+0x293 sys/ddb/db_command.c:604 [ 89.6649810] db_trap() at netbsd:db_trap+0x22c sys/ddb/db_trap.c:94 [ 89.6649810] kdb_trap() at netbsd:kdb_trap+0x25c sys/arch/amd64/amd64/db_interface.c:250 [ 89.6649810] trap() at netbsd:trap+0x819 sys/arch/amd64/amd64/trap.c:315 [ 89.6649810] --- trap (number 1) --- [ 89.6649810] breakpoint() at netbsd:breakpoint+0x5 [ 89.6649810] db_panic() at netbsd:db_panic+0x105 sys/ddb/db_panic.c:67 [ 89.6649810] vpanic() at netbsd:vpanic+0x265 sys/kern/subr_prf.c:290 [ 89.6649810] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 89.6649810] chgsemcnt() at netbsd:chgsemcnt+0x71 sys/kern/kern_uidinfo.c:242 [ 89.6649810] ksem_release() at netbsd:ksem_release+0xbf sys/kern/uipc_sem.c:536 [ 89.6649810] ksem_close_fop() at netbsd:ksem_close_fop+0xb0 sys/kern/uipc_sem.c:853 [ 89.6649810] closef() at netbsd:closef+0x152 sys/kern/kern_descrip.c:832 [ 89.6649810] fd_free() at netbsd:fd_free+0x544 sys/kern/kern_descrip.c:1565 [ 89.6649810] exit1() at netbsd:exit1+0x307 sys/kern/kern_exit.c:301 [ 89.6649810] sigexit() at netbsd:sigexit+0x3cd sys/kern/kern_sig.c:2307 [ 89.6649810] sendsig() at netbsd:sendsig [ 89.6649810] lwp_userret() at netbsd:lwp_userret+0x2e7 sys/kern/kern_lwp.c:1633 [ 89.6649810] syscall() at netbsd:syscall+0x89a x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline] [ 89.6649810] syscall() at netbsd:syscall+0x89a KPREEMPT_DISABLE sys/sys/lwp.h:541 [inline] [ 89.6649810] syscall() at netbsd:syscall+0x89a mi_userret sys/sys/userret.h:97 [inline] [ 89.6649810] syscall() at netbsd:syscall+0x89a userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] [ 89.6649810] syscall() at netbsd:syscall+0x89a sys/arch/x86/x86/syscall.c:166 [ 89.6649810] --- syscall (number 4) --- [ 89.6649810] netbsd:syscall+0x89a: [ 89.6649810] cpu1: End traceback... [ 89.6649810] fatal breakpoint trap in supervisor mode [ 89.6649810] trap type 1 code 0 rip 0xffffffff80220a2d cs 0x8 rflags 0x282 cr2 0x1b30825000 ilevel 0x8 rsp 0xffffcc01a4416d20 [ 89.6649810] curlwp 0xffffcc001477f100 pid 2022.961 lowest kstack 0xffffcc01a44102c0 Stopped in pid 2022.961 (syz-executor.5) at netbsd:breakpoint+0x5: leave