[ 64.1530698] panic: kernel diagnostic assertion "ci->ci_tlbstate != TLBSTATE_VALID" failed: file "/syzkaller/managers/netbsd/kernel/sys/arch/x86/x86/pmap.c", line 2790 [ 64.1630750] cpu1: Begin traceback... [ 64.1831147] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 64.2131643] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 64.2532339] pmap_activate() at netbsd:pmap_activate+0x179 sys/arch/x86/x86/pmap.c:2790 [ 64.2933048] mi_switch() at netbsd:mi_switch+0x5bc sys/kern/kern_synch.c:738 [ 64.3233548] sleepq_block() at netbsd:sleepq_block+0x2b4 sys/kern/kern_sleepq.c:276 [ 64.3634276] kpause() at netbsd:kpause+0x1da sys/kern/kern_synch.c:235 [ 64.3934773] nanosleep1() at netbsd:nanosleep1+0x289 sys/kern/kern_time.c:355 [ 64.4335495] sys___nanosleep50() at netbsd:sys___nanosleep50+0xe5 sys/kern/kern_time.c:293 [ 64.4736192] syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] [ 64.4736192] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 64.4736192] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 [ 64.4836398] --- syscall (number 430) --- [ 64.4936532] 7e3b2de42a1a: [ 64.5036687] cpu1: End traceback... [ 64.5036687] fatal breakpoint trap in supervisor mode [ 64.5136886] trap type 1 code 0 rip 0xffffffff8021ccb5 cs 0x8 rflags 0x246 cr2 0xffffcb016d42e000 ilevel 0x8 rsp 0xffffcb016e1b3890 [ 64.5237066] curlwp 0xffffcb0012d50aa0 pid 45.1 lowest kstack 0xffffcb016e1ac2c0 Stopped in pid 45.1 (syz-executor.3) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure pmap_activate() at netbsd:pmap_activate+0x179 sys/arch/x86/x86/pmap.c:2790 mi_switch() at netbsd:mi_switch+0x5bc sys/kern/kern_synch.c:738 sleepq_block() at netbsd:sleepq_block+0x2b4 sys/kern/kern_sleepq.c:276 kpause() at netbsd:kpause+0x1da sys/kern/kern_synch.c:235 nanosleep1() at netbsd:nanosleep1+0x289 sys/kern/kern_time.c:355 sys___nanosleep50() at netbsd:sys___nanosleep50+0xe5 sys/kern/kern_time.c:293 syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 --- syscall (number 430) --- 7e3b2de42a1a: ds 6a0 es 3950 fs 3870 gs 38c0 rdi ffffcb000cb1a458 rsi ffffcb0012d50d88 rbp ffffcb016e1b3890 rbx ffffcb016ca80000 rdx 2 rcx ffffffff80d00841 db_panic+0xd5 rax 0 r8 4 r9 1ffffffff0553818 r10 ffffffff82a9c0c3 db_onpanic+0x3 r11 8000000000 r12 ffffcb016ca92000 r13 ffffffff81c22540 platform_private_nodes+0x140 r14 ffffcb016e1b3920 r15 ffffcb016ca80060 rip ffffffff8021ccb5 breakpoint+0x5 cs 8 rflags 246 rsp ffffcb016e1b3890 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 914 1 2 0 0 ffffcb0011ffd140 syz-executor.0 971 1 2 0 0 ffffcb00114ab9e0 syz-executor.3 953 1 2 1 10000000 ffffcb0011f6d340 syz-executor.1 823 1 2 0 0 ffffcb0011fde0e0 syz-executor.2 519 1 2 1 0 ffffcb0012d98b00 syz-executor.5 445 1 2 0 0 ffffcb0012d6cae0 syz-executor.0 496 1 2 0 0 ffffcb0012d6c6a0 syz-executor.1 575 1 3 0 4 ffffcb0012d6c260 syz-executor.4 xclocv 45 > 1 7 1 0 ffffcb0012d50aa0 syz-executor.3 564 > 1 7 0 0 ffffcb0012d50660 syz-executor.2 566 11 3 0 80 ffffcb0012d5bac0 syz-execprog parked 566 10 3 0 80 ffffcb0012d5b680 syz-execprog parked 566 9 3 0 80 ffffcb0012d5b240 syz-execprog parked 566 8 2 1 0 ffffcb0012d50220 syz-execprog 566 7 3 0 80 ffffcb0012724a80 syz-execprog parked 566 6 3 1 80 ffffcb000e9b99c0 syz-execprog parked 566 5 3 1 80 ffffcb0011f7a8c0 syz-execprog parked 566 4 3 0 80 ffffcb00120089e0 syz-execprog parked 566 3 3 1 80 ffffcb0012008160 syz-execprog parked 566 2 3 0 80 ffffcb0011fe9540 syz-execprog parked 566 1 3 0 80 ffffcb00110d4180 syz-execprog parked 40 1 3 1 80 ffffcb00110d71a0 sshd select 558 1 3 1 80 ffffcb0011ff3560 getty nanoslp 570 1 3 1 80 ffffcb0011ff3120 getty nanoslp 580 1 3 1 80 ffffcb0011ffd9c0 getty nanoslp 539 1 3 1 80 ffffcb0011ffd580 getty ttyraw 357 1 3 1 80 ffffcb0011f30b80 cron nanoslp 499 1 3 1 80 ffffcb0011f7a480 inetd kqueue 431 1 3 0 80 ffffcb001159f6e0 sshd select 478 1 3 1 80 ffffcb00114d9a40 powerd kqueue 259 1 2 1 40000 ffffcb001145f980 makemandb 330 1 3 1 80 ffffcb0011f50ba0 syslogd kqueue 268 1 3 0 80 ffffcb00114e81e0 dhcpcd kqueue 220 1 3 1 80 ffffcb00113f68e0 dhcpcd kqueue 1 1 3 1 80 ffffcb00111fa240 init wait 0 58 3 0 204 ffffcb00111faac0 physiod physiod 0 57 3 0 204 ffffcb0011242280 aiodoned aiodoned 0 56 3 1 200 ffffcb0011241ae0 ioflush syncer 0 55 3 0 204 ffffcb00112416a0 pooldrain pooldrain 0 54 3 0 200 ffffcb0011241260 pgdaemon pgdaemon 0 51 3 0 200 ffffcb00111fa680 npfgc-0 npfgccv 0 50 3 0 204 ffffcb00111ebaa0 rt_free rt_free 0 49 3 0 204 ffffcb00111eb660 unpgc unpgc 0 48 3 1 204 ffffcb00111eb220 key_timehandler key_timehandler 0 47 3 1 204 ffffcb0011104a80 icmp6_wqinput/1 icmp6_wqinput 0 46 3 0 204 ffffcb0011104640 icmp6_wqinput/0 icmp6_wqinput 0 45 3 0 204 ffffcb0011104200 nd6_timer nd6_timer 0 44 3 1 204 ffffcb00110f9a60 carp6_wqinput/1 carp6_wqinput 0 43 3 0 204 ffffcb00110f9620 carp6_wqinput/0 carp6_wqinput 0 42 3 1 204 ffffcb00110f91e0 carp_wqinput/1 carp_wqinput 0 41 3 0 204 ffffcb00110e8a40 carp_wqinput/0 carp_wqinput 0 40 3 1 204 ffffcb00110e8600 icmp_wqinput/1 icmp_wqinput 0 39 3 0 204 ffffcb00110e81c0 icmp_wqinput/0 icmp_wqinput 0 38 3 1 204 ffffcb00110d7a20 rt_timer rt_timer 0 37 3 0 204 ffffcb00110d35a0 vmem_rehash vmem_rehash 0 27 3 0 204 ffffcb000e9b9580 scsibus0 sccomp 0 26 3 0 200 ffffcb000e9b9140 pms0 pmsreset 0 25 2 1 200 ffffcb000e92b9a0 xcall/1 0 24 1 1 200 ffffcb000e92b560 softser/1 0 23 1 1 200 ffffcb000e92b120 softclk/1 0 22 1 1 200 ffffcb000e927980 softbio/1 0 21 1 1 200 ffffcb000e927540 softnet/1 0 20 1 1 201 ffffcb000e927100 idle/1 0 19 3 1 204 ffffcb000e85d960 lnxpwrwq lnxpwrwq 0 18 3 1 204 ffffcb000e85d520 lnxlngwq lnxlngwq 0 17 3 0 204 ffffcb000e85d0e0 lnxsyswq lnxsyswq 0 16 3 1 204 ffffcb000d042940 lnxrcugc lnxrcugc 0 15 3 0 204 ffffcb000d042500 sysmon smtaskq 0 14 3 0 204 ffffcb000d0420c0 pmfsuspend pmfsuspend 0 13 3 0 204 ffffcb000d033920 pmfevent pmfevent 0 12 3 0 204 ffffcb000d0334e0 sopendfree sopendfr 0 11 3 0 204 ffffcb000d0330a0 nfssilly nfssilly 0 10 3 1 200 ffffcb000d027900 cachegc cachegc 0 9 3 1 204 ffffcb000d0274c0 vdrain vdrain 0 8 3 0 200 ffffcb000d027080 modunload mod_unld 0 7 3 0 204 ffffcb000d0188e0 xcall/0 xcall 0 6 1 0 200 ffffcb000d0184a0 softser/0 0 5 1 0 200 ffffcb000d018060 softclk/0 0 4 1 0 200 ffffcb000d0148c0 softbio/0 0 3 1 0 200 ffffcb000d014480 softnet/0 0 2 1 0 201 ffffcb000d014040 idle/0 0 1 3 1 200 ffffffff82b62fa0 swapper uvm [Locks tracked through LWPs] Locks held by an LWP (syz-executor.3): Lock 0 (initialized at uvm_obj_init) lock address : 0xffffcb001295ca80 type : sleep/adaptive initialized : 0xffffffff810f33bc shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffffcb0012d50aa0 last held: 0xffffcb00114ab9e0 last locked* : 0xffffffff810d79ce unlocked : 0xffffffff810e0baa owner field : 000000000000000000 wait/spin: 0/0 Turnstile chain at 0xffffffff82d838d0 with mutex 0xffffcb000cb2fc40. => No active turnstile for this lock. Locks held by an LWP (syz-executor.1): Lock 0 (initialized at fork1) lock address : 0xffffcb0011f72698 type : sleep/adaptive initialized : 0xffffffff8114751c shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffcb0012d50aa0 last held: 0xffffcb0011f6d340 last locked* : 0xffffffff81143c0d unlocked : 000000000000000000 owner/count : 0xffffcb0011f6d340 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d83850 with mutex 0xffffcb000cb2f840. => No active turnstile for this lock. Lock 1 (initialized at amap_alloc) lock address : 0xffffcb0012d61cc0 type : sleep/adaptive initialized : 0xffffffff810c6fb1 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffcb0012d50aa0 last held: 0xffffcb0011f6d340 last locked* : 0xffffffff810e7bd1 unlocked : 0xffffffff810d4895 owner field : 0xffffcb0011f6d340 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83b18 with mutex 0xffffcb000d00bec0. => No active turnstile for this lock. Lock 2 (initialized at pmap_create) lock address : 0xffffcb0011f4c498 type : sleep/adaptive initialized : 0xffffffff80272166 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffcb0012d50aa0 last held: 0xffffcb0011f6d340 last locked* : 0xffffffff80274a67 unlocked : 0xffffffff80274456 owner field : 0xffffcb0011f6d340 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83810 with mutex 0xffffcb000cb2f640. => No active turnstile for this lock. Locks held by an LWP (syz-executor.0): Lock 0 (initialized at vcache_alloc) lock address : 0xffffcb0012d47780 type : sleep/adaptive initialized : 0xffffffff812ad182 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffffcb0012d50aa0 last held: 0xffffcb0012d6cae0 last locked* : 0xffffffff812da8f0 unlocked : 0xffffffff812da7ad owner/count : 000000000000000000 flags : 000000000000000000 Turnstile chain at 0xffffffff82d83a70 with mutex 0xffffcb000d00b980. => No active turnstile for this lock. Lock 1 (initialized at vcache_alloc) lock address : 0xffffcb0012e6b400 type : sleep/adaptive initialized : 0xffffffff812ad182 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffffcb0012d50aa0 last held: 0xffffcb0012d6cae0 last locked* : 0xffffffff812da8f0 unlocked : 0xffffffff812da7ad [ 64.5237066] Skipping crash dump on recursive panic [ 64.5237066] panic: ASan: Unauthorized Access In 0xffffffff81182850: Addr 0xffffcb0012e6b400 [8 bytes, read, PoolUseAfterFree] [ 64.5237066] cpu1: Begin traceback... [ 64.5237066] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 64.5237066] snprintf() at netbsd:snprintf [ 64.5237066] kasan_report() at netbsd:kasan_report+0x8f kasan_code_name sys/kern/subr_asan.c:172 [inline] [ 64.5237066] kasan_report() at netbsd:kasan_report+0x8f sys/kern/subr_asan.c:194 [ 64.5237066] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:344 [inline] [ 64.5237066] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:358 [inline] [ 64.5237066] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:410 [inline] [ 64.5237066] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1180 [ 64.5237066] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:191 [ 64.5237066] lockdebug_dump() at netbsd:lockdebug_dump+0x281 sys/kern/subr_lockdebug.c:777 [ 64.5237066] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb9 sys/kern/subr_lockdebug.c:855 [ 64.5237066] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:886 [inline] [ 64.5237066] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f sys/kern/subr_lockdebug.c:933 [ 64.5237066] db_command() at netbsd:db_command+0x2c0 sys/ddb/db_command.c:935 [ 64.5237066] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:432 [inline] [ 64.5237066] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:582 [ 64.5237066] db_trap() at netbsd:db_trap+0x219 sys/ddb/db_trap.c:94 [ 64.5237066] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:246 [ 64.5237066] trap() at netbsd:trap+0x650 sys/arch/amd64/amd64/trap.c:313 [ 64.5237066] --- trap (number 1) --- [ 64.5237066] breakpoint() at netbsd:breakpoint+0x5 [ 64.5237066] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 [ 64.5237066] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 64.5237066] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 64.5237066] pmap_activate() at netbsd:pmap_activate+0x179 sys/arch/x86/x86/pmap.c:2790 [ 64.5237066] mi_switch() at netbsd:mi_switch+0x5bc sys/kern/kern_synch.c:738 [ 64.5237066] sleepq_block() at netbsd:sleepq_block+0x2b4 sys/kern/kern_sleepq.c:276 [ 64.5237066] kpause() at netbsd:kpause+0x1da sys/kern/kern_synch.c:235 [ 64.5237066] nanosleep1() at netbsd:nanosleep1+0x289 sys/kern/kern_time.c:355 [ 64.5237066] sys___nanosleep50() at netbsd:sys___nanosleep50+0xe5 sys/kern/kern_time.c:293 [ 64.5237066] syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] [ 64.5237066] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 64.5237066] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 [ 64.5237066] --- syscall (number 430) --- [ 64.5237066] 7e3b2de42a1a: [ 64.5237066] cpu1: End traceback... [ 64.5237066] fatal breakpoint trap in supervisor mode [ 64.5237066] trap type 1 code 0 rip 0xffffffff8021ccb5 cs 0x8 rflags 0x246 cr2 0xffffcb016d42e000 ilevel 0x8 rsp 0xffffcb016e1b2e50 [ 64.5237066] curlwp 0xffffcb0012d50aa0 pid 45.1 lowest kstack 0xffffcb016e1ac2c0 Stopped in pid 45.1 (syz-executor.3) at netbsd:breakpoint+0x5: leave db{1}>