[ 75.6410215] panic: kernel diagnostic assertion "lwp_locked(l, l->l_cpu->ci_schedstate.spc_lwplock)" failed: file "/syzkaller/managers/netbsd/kernel/sys/kern/kern_synch.c", line 910 [ 75.6410215] cpu1: Begin traceback... [ 75.6410215] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 75.6410215] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 75.6410215] setrunnable() at netbsd:setrunnable+0x2d5 sys/kern/kern_synch.c:910 [ 75.6410215] lwp_start() at netbsd:lwp_start+0x18b sys/kern/kern_lwp.c:1007 [ 75.6410215] do_lwp_create() at netbsd:do_lwp_create+0x151 sys/kern/sys_lwp.c:123 [ 75.6410215] sys__lwp_create() at netbsd:sys__lwp_create+0x1fc sys/kern/sys_lwp.c:156 [ 75.6410215] syscall() at netbsd:syscall+0x526 sy_call sys/sys/syscallvar.h:65 [inline] [ 75.6410215] syscall() at netbsd:syscall+0x526 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 75.6410215] syscall() at netbsd:syscall+0x526 sys/arch/x86/x86/syscall.c:138 [ 75.6410215] --- syscall (number 309) --- [ 75.6410215] 7b8737c4333a: [ 75.6410215] cpu1: End traceback... [ 75.6410215] fatal breakpoint trap in supervisor mode [ 75.6410215] trap type 1 code 0 rip 0xffffffff8021ccc5 cs 0x8 rflags 0x246 cr2 0x7f7f0bc007e0 ilevel 0x8 rsp 0xffffdd816f0ffa90 [ 75.6410215] curlwp 0xffffdd8012dc2940 pid 1199.1 lowest kstack 0xffffdd816f0f82c0 Stopped in pid 1199.1 (syz-executor.3) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xf9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure setrunnable() at netbsd:setrunnable+0x2d5 sys/kern/kern_synch.c:910 lwp_start() at netbsd:lwp_start+0x18b sys/kern/kern_lwp.c:1007 do_lwp_create() at netbsd:do_lwp_create+0x151 sys/kern/sys_lwp.c:123 sys__lwp_create() at netbsd:sys__lwp_create+0x1fc sys/kern/sys_lwp.c:156 syscall() at netbsd:syscall+0x526 sy_call sys/sys/syscallvar.h:65 [inline] syscall() at netbsd:syscall+0x526 sy_invoke sys/sys/syscallvar.h:94 [inline] syscall() at netbsd:syscall+0x526 sys/arch/x86/x86/syscall.c:138 --- syscall (number 309) --- 7b8737c4333a: ds faa0 es 200a fs fa70 gs fac0 rdi ffffdd800d92c458 rsi ffffdd8012dc2c28 rbp ffffdd816f0ffa90 rbx ffffdd816d892000 rdx 2 rcx ffffffff80cee821 db_panic+0xe5 rax 0 r8 4 r9 1ffffffff0553694 r10 ffffffff82a9b4a3 db_onpanic+0x3 r11 8000000000 r12 ffffdd816d8a4000 r13 ffffffff82180b20 __func__.12370+0xce0 r14 ffffdd816f0ffb20 r15 ffffdd816d892058 rip ffffffff8021ccc5 breakpoint+0x5 cs 8 rflags 246 rsp ffffdd816f0ffa90 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 1199 3 1 1 0 ffffdd801228e120 syz-executor.3 1199 > 1 7 1 0 ffffdd8012dc2940 syz-executor.3 1275 1 2 1 10000000 ffffdd8012205900 syz-executor.0 1013 5 2 0 0 ffffdd80123256a0 syz-executor.1 1013 4 2 0 0 ffffdd8012260540 syz-executor.1 1013 3 2 0 0 ffffdd8013b8e2c0 syz-executor.1 1013 1 2 0 0 ffffdd801229e140 syz-executor.1 1082 3 2 1 0 ffffdd8013b50b00 syz-executor.5 1082 1 2 1 0 ffffdd80122ba180 syz-executor.5 1061 1 2 1 0 ffffdd8012392b20 syz-executor.2 497 1 3 0 80 ffffdd8013b506c0 syz-executor.5 nanoslp 598 1 3 0 80 ffffdd8013aedae0 syz-executor.1 nanoslp 45 1 2 0 0 ffffdd8013aed6a0 syz-executor.3 550 1 2 1 0 ffffdd8013aed260 syz-executor.0 41 > 1 7 0 0 ffffdd8013ae5240 syz-executor.4 40 1 3 0 80 ffffdd8013ad9660 syz-executor.2 nanoslp 483 11 3 1 80 ffffdd8013ae5ac0 syz-execprog parked 483 10 3 0 80 ffffdd8013ae5680 syz-execprog parked 483 9 3 1 80 ffffdd8013ad9aa0 syz-execprog parked 483 8 3 1 80 ffffdd8013ad9220 syz-execprog parked 483 7 3 0 80 ffffdd8013587a80 syz-execprog parked 483 6 3 1 80 ffffdd8012e0fa20 syz-execprog parked 483 5 2 0 0 ffffdd8012d4c760 syz-execprog 483 4 3 0 80 ffffdd8012dd7980 syz-execprog parked 483 3 3 0 80 ffffdd8012dd7540 syz-execprog parked 483 2 3 1 80 ffffdd8012e0f1a0 syz-execprog parked 483 1 3 0 80 ffffdd80120bc6e0 syz-execprog parked 601 1 3 1 80 ffffdd8011ee85a0 sshd select 590 1 3 1 80 ffffdd8012df59e0 getty nanoslp 504 1 3 1 80 ffffdd8012df55a0 getty nanoslp 503 1 3 1 80 ffffdd8012e0f5e0 getty nanoslp 587 1 3 1 80 ffffdd8012dfea00 getty ttyraw 381 1 3 1 80 ffffdd8012d4c320 cron nanoslp 548 1 3 0 80 ffffdd8012d96900 inetd kqueue 400 1 3 0 80 ffffdd80123926e0 sshd select 476 1 3 0 80 ffffdd80122daa40 powerd kqueue 435 1 2 1 40000 ffffdd80121f8060 makemandb 202 1 3 0 80 ffffdd8012d66780 syslogd kqueue 276 1 3 0 80 ffffdd80122ea620 dhcpcd kqueue 236 1 3 1 80 ffffdd80122180a0 dhcpcd kqueue 1 1 3 0 80 ffffdd8012015240 init wait 0 58 3 0 204 ffffdd8012015ac0 physiod physiod 0 57 3 1 204 ffffdd801205c6a0 pooldrain pooldrain 0 56 3 0 204 ffffdd801205d280 aiodoned aiodoned 0 55 3 0 200 ffffdd801205cae0 ioflush syncer 0 54 3 1 200 ffffdd801205c260 pgdaemon pgdaemon 0 51 3 1 200 ffffdd800f7cb9c0 npfgc-0 npfgccv 0 50 3 0 204 ffffdd8012007aa0 rt_free rt_free 0 49 3 1 204 ffffdd8012007660 unpgc unpgc 0 48 3 1 204 ffffdd8012007220 key_timehandler key_timehandler 0 47 3 1 204 ffffdd8011ffaa80 icmp6_wqinput/1 icmp6_wqinput 0 46 3 0 204 ffffdd8011ffa640 icmp6_wqinput/0 icmp6_wqinput 0 45 3 1 204 ffffdd8011ffa200 nd6_timer nd6_timer 0 44 3 1 204 ffffdd8011f11a60 carp6_wqinput/1 carp6_wqinput 0 43 3 0 204 ffffdd8011f11620 carp6_wqinput/0 carp6_wqinput 0 42 3 1 204 ffffdd8011f111e0 carp_wqinput/1 carp_wqinput 0 41 3 0 204 ffffdd8011efea40 carp_wqinput/0 carp_wqinput 0 40 3 1 204 ffffdd8011efe600 icmp_wqinput/1 icmp_wqinput 0 39 3 0 204 ffffdd8011efe1c0 icmp_wqinput/0 icmp_wqinput 0 38 3 1 204 ffffdd8011ee9180 rt_timer rt_timer 0 37 3 0 204 ffffdd8011eeca20 vmem_rehash vmem_rehash 0 27 3 0 204 ffffdd800f7cb580 scsibus0 sccomp 0 26 3 0 200 ffffdd800f7cb140 pms0 pmsreset 0 25 3 1 204 ffffdd800f73d9a0 xcall/1 xcall 0 24 1 1 200 ffffdd800f73d560 softser/1 0 23 1 1 200 ffffdd800f73d120 softclk/1 0 22 1 1 200 ffffdd800f739980 softbio/1 0 21 1 1 200 ffffdd800f739540 softnet/1 0 20 1 1 201 ffffdd800f739100 idle/1 0 19 3 0 204 ffffdd800f66f960 lnxpwrwq lnxpwrwq 0 18 3 0 204 ffffdd800f66f520 lnxlngwq lnxlngwq 0 17 3 0 204 ffffdd800f66f0e0 lnxsyswq lnxsyswq 0 16 3 0 204 ffffdd800de54940 lnxrcugc lnxrcugc 0 15 3 0 204 ffffdd800de54500 sysmon smtaskq 0 14 3 1 204 ffffdd800de540c0 pmfsuspend pmfsuspend 0 13 3 1 204 ffffdd800de45920 pmfevent pmfevent 0 12 3 0 204 ffffdd800de454e0 sopendfree sopendfr 0 11 3 0 204 ffffdd800de450a0 nfssilly nfssilly 0 10 3 0 200 ffffdd800de3a900 cachegc cachegc 0 9 3 0 204 ffffdd800de3a4c0 vdrain vdrain 0 8 3 0 200 ffffdd800de3a080 modunload mod_unld 0 7 3 0 204 ffffdd800de2c8e0 xcall/0 xcall 0 6 1 0 200 ffffdd800de2c4a0 softser/0 0 5 1 0 200 ffffdd800de2c060 softclk/0 0 4 1 0 200 ffffdd800de278c0 softbio/0 0 3 1 0 200 ffffdd800de27480 softnet/0 0 2 1 0 201 ffffdd800de27040 idle/0 0 1 3 1 200 ffffffff82b64320 swapper uvm [Locks tracked through LWPs] Locks held by an LWP (syz-executor.3): Lock 0 (initialized at fork1) lock address : 0xffffdd80135df400 type : sleep/adaptive initialized : 0xffffffff81136fce shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffdd8012dc2940 last held: 0xffffdd8012dc2940 last locked* : 0xffffffff8114344f unlocked : 0xffffffff81146b66 owner field : 0xffffdd8012dc2940 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83c80 with mutex 0xffffdd800de1e600. => No active turnstile for this lock. Locks held by an LWP (syz-executor.2): Lock 0 (initialized at amap_alloc) lock address : 0xffffdd8013ab8fc0 type : sleep/adaptive initialized : 0xffffffff810b6351 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffdd8012dc2940 last held: 0xffffdd8012392b20 last locked* : 0xffffffff810c5aa3 unlocked : 0xffffffff810c3a66 owner field : 0xffffdd8012392b20 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83bf8 with mutex 0xffffdd800de1e1c0. => No active turnstile for this lock. Locks held by an LWP (syz-executor.4): Lock 0 (initialized at pipe1) lock address : 0xffffdd8013ab8980 type : sleep/adaptive initialized : 0xffffffff8120e4ee shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffffdd8012dc2940 last held: 0xffffdd8013ae5240 last locked* : 0xffffffff8120ddab unlocked : 0xffffffff8120dd5d owner field : 0xffffdd8013ae5240 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83b30 with mutex 0xffffdd800d942b40. => No active turnstile for this lock. [Locks tracked through CPUs] Locks held on CPU 1: Lock 0 (initialized at sched_cpuattach) lock address : 0xffffdd800de212c0 type : spin initialized : 0xffffffff8116fa6c shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 1 current cpu : 1 last held: 1 current lwp : 0xffffdd8012dc2940 last held: 0xffffdd8012dc2940 last locked* : 0xffffffff81143467 unlocked : 0xffffffff811846e1 owner field : 0x0000000000010700 wait/spin: 0/1 PAGE FLAG PQ UOBJECT UANON 0xffffdd8000014180 0048 0000 0x0 0x0 0xffffdd80000141f8 0048 0000 0x0 0x0 0xffffdd8000014270 0048 0000 0x0 0x0 0xffffdd80000142e8 0048 0000 0x0 0x0 0xffffdd8000014360 0048 0000 0x0 0x0 0xffffdd80000143d8 0040 0000 0x0 0x0 0xffffdd8000014450 0048 0000 0x0 0x0 0xffffdd80000144c8 0048 0000 0x0 0x0 0xffffdd8000014540 0040 0000 0x0 0x0 0xffffdd80000145b8 0048 0000 0x0 0x0 0xffffdd8000014630 0048 0000 0x0 0x0 0xffffdd80000146a8 0048 0000 0x0 0x0 0xffffdd8000014720 0048 0000 0x0 0x0 0xffffdd8000014798 0048 0000 0x0 0x0 0xffffdd8000014810 0040 0000 0x0 0x0 0xffffdd8000014888 0040 0000 0x0 0x0 0xffffdd8000014900 0048 0000 0x0 0x0 0xffffdd8000014978 0040 0000 0x0 0x0 0xffffdd80000149f0 0040 0000 0x0 0x0 0xffffdd8000014a68 0040 0000 0x0 0x0 0xffffdd8000014ae0 0040 0000 0x0 0x0 0xffffdd8000014b58 0048 0000 0x0 0x0 0xffffdd8000014bd0 0048 0000 0x0 0x0 0xffffdd8000014c48 0048 0000 0x0 0x0 0xffffdd8000014cc0 0048 0000 0x0 0x0 0xffffdd8000014d38 0048 0000 0x0 0x0 0xffffdd8000014db0 0048 0000 0x0 0x0 0xffffdd8000014e28 0048 0000 0x0 0x0 0xffffdd8000014ea0 0048 0000 0x0 0x0 0xffffdd8000014f18 0040 0000 0x0 0x0 0xffffdd8000014f90 0048 0000 0x0 0x0 0xffffdd8000015008 0048 0000 0x0 0x0 0xffffdd8000015080 0048 0000 0x0 0x0 0xffffdd80000150f8 0048 0000 0x0 0x0 0xffffdd8000015170 0048 0000 0x0 0x0 0xffffdd80000151e8 0048 0000 0x0 0x0 0xffffdd8000015260 0048 0000 0x0 0x0 0xffffdd80000152d8 0048 0000 0x0 0x0 0xffffdd8000015350 0048 0000 0x0 0x0 0xffffdd80000153c8 0048 0000 0x0 0x0 0xffffdd8000015440 0048 0000 0x0 0x0 0xffffdd80000154b8 0048 0000 0x0 0x0 0xffffdd8000015530 0048 0000 0x0 0x0 0xffffdd80000155a8 0048 0000 0x0 0x0 0xffffdd8000015620 0048 0000 0x0 0x0 0xffffdd8000015698 0048 0000 0x0 0x0 0xffffdd8000015710 0048 0000 0x0 0x0 0xffffdd8000015788 0048 0000 0x0 0x0 0xffffdd8000015800 0048 0000 0x0 0x0 0xffffdd8000015878 0048 0000 0x0 0x0 0xffffdd80000158f0 0048 0000 0x0 0x0 0xffffdd8000015968 0048 0000 0x0 0x0 0xffffdd80000159e0 0048 0000 0x0 0x0 0xffffdd8000015a58 0048 0000 0x0 0x0 0xffffdd8000015ad0 0048 0000 0x0 0x0 0xffffdd8000015b48 0048 0000 0x0 0x0 0xffffdd8000015bc0 0048 0000 0x0 0x0 0xffffdd8000015c38 0048 0000 0x0 0x0 0xffffdd8000015cb0 0048 0000 0x0 0x0 0xffffdd8000015d28 0048 0000 0x0 0x0 0xffffdd8000015da0 0048 0000 0x0 0x0 0xffffdd8000015e18 0048 0000 0x0 0x0 0xffffdd8000015e90 0048 0000 0x0 0x0 0xffffdd8000015f08 0048 0000 0x0 0x0 0xffffdd8000015f80 0048 0000 0x0 0x0 0xffffdd8000015ff8 0048 0000 0x0 0x0 0xffffdd8000016070 0040 0000 0x0 0x0 0xffffdd80000160e8 0041 0000 0x0 0x0 0xffffdd8000016160 0041 0000 0x0 0x0 0xffffdd80000161d8 0048 0000 0x0 0x0 0xffffdd8000016250 0048 0000 0x0 0x0 0xffffdd80000162c8 0048 0000 0x0 0x0 0xffffdd8000016340 0048 0000 0x0 0x0 0xffffdd80000163b8 0040 0000 0x0 0x0 0xffffdd8000016430 0041 0000 0x0 0x0 0xffffdd80000164a8 0041 0000 0x0 0x0 0xffffdd8000016520 0041 0000 0x0 0x0 0xffffdd8000016598 0048 0000 0x0 0x0 0xffffdd8000016610 0040 0000 0x0 0x0 0xffffdd8000016688 0048 0000 0x0 0x0 0xffffdd8000016700 0048 0000 0x0 0x0 0xffffdd8000016778 0041 0000 0x0 0x0 0xffffdd80000167f0 0041 0000 0x0 0x0 0xffffdd8000016868 0048 0000 0x0 0x0 0xffffdd80000168e0 0048 0000 0x0 0x0 0xffffdd8000016958 0041 0000 0x0 0x0 0xffffdd80000169d0 0041 0000 0x0 0x0 0xffffdd8000016a48 0040 0000 0x0 0x0 0xffffdd8000016ac0 0040 0000 0x0 0x0 0xffffdd8000016b38 0041 0000 0x0 0x0 0xffffdd8000016bb0 0048 0000 0x0 0x0 0xffffdd8000016c28 0048 0000 0x0 0x0 0xffffdd8000016ca0 0048 0000 0x0 0x0 0xffffdd8000016d18 0041 0000 0x0 0x0 0xffffdd8000016d90 0041 0000 0x0 0x0 0xffffdd8000016e08 0041 0000 0x0 0x0 0xffffdd8000016e80 0041 0000 0x0 0x0 0xffffdd8000016ef8 0048 0000 0x0 0x0 0xffffdd8000016f70 0048 0000 0x0 0x0 0xffffdd8000016fe8 0048 0000 0x0 0x0 0xffffdd8000017060 0048 0000 0x0 0x0 0xffffdd80000170d8 0048 0000 0x0 0x0 0xffffdd8000017150 0048 0000 0x0 0x0 0xffffdd80000171c8 0041 0000 0x0 0x0 0xffffdd8000017240 0041 0000 0x0 0x0 0xffffdd80000172b8 0048 0000 0x0 0x0 0xffffdd8000017330 0048 0000 0x0 0x0 0xffffdd80000173a8 0048 0000 0x0 0x0 0xffffdd8000017420 0048 0000 0x0 0x0 0xffffdd8000017498 0048 0000 0x0 0x0 0xffffdd8000017510 0048 0000 0x0 0x0 0xffffdd8000017588 0048 0000 0x0 0x0 0xffffdd8000017600 0048 0000 0x0 0x0 0xffffdd8000017678 0048 0000 0x0 0x0 0xffffdd80000176f0 0048 0000 0x0 0x0 0xffffdd8000017768 0048 0000 0x0 0x0 0xffffdd80000177e0 0048 0000 0x0 0x0 0xffffdd8000017858 0048 0000 0x0 0x0 0xffffdd80000178d0 0048 0000 0x0 0x0 0xffffdd8000017948 0048 0000 0x0 0x0 0xffffdd80000179c0 0048 0000 0x0 0x0 0xffffdd8000017a38 0048 0000 0x0 0x0 0xffffdd8000017ab0 0048 0000 0x0 0x0 0xffffdd8000017b28 0048 0000 0x0 0x0 0xffffdd8000017ba0 0048 0000 0x0 0x0 0xffffdd8000017c18 0048 0000 0x0 0x0 0xffffdd8000017c90 0048 0000 0x0 0x0 0xffffdd8000017d08 0048 0000 0x0 0x0 0xffffdd8000017d80 0048 0000 0x0 0x0 0xffffdd8000017df8 0048 0000 0x0 0x0 0xffffdd8000017e70 0048 0000 0x0 0x0 0xffffdd8000017ee8 0048 0000 0x0 0x0 0xffffdd8000017f60 0048 0000 0x0 0x0 0xffffdd8000017fd8 0048 0000 0x0 0x0 0xffffdd8000018050 0048 0000 0x0 0x0 0xffffdd80000180c8 0048 0000 0x0 0x0 0xffffdd8000018140 0048 0000 0x0 0x0 0xffffdd80000181b8 0048 0000 0x0 0x0 0xffffdd8000018230 0048 0000 0x0 0x0 0xffffdd80000182a8 0048 0000 0x0 0x0 0xffffdd8000018320 0048 0000 0x0 0x0 0xffffdd8000018398 0048 0000 0x0 0x0 0xffffdd8000018410 0048 0000 0x0 0x0 0xffffdd8000018488 0048 0000 0x0 0x0 0xffffdd8000018500 0048 0000 0x0 0x0 0xffffdd8000018578 0048 0000