[ 99.5901902] panic: LOCKDEBUG: Mutex error: mi_userret,116: sleep lock held [ 99.6001921] cpu1: Begin traceback... [ 99.6201931] vpanic() at netbsd:vpanic+0x265 sys/kern/subr_prf.c:290 [ 99.6701941] snprintf() at netbsd:snprintf [ 99.7301975] lockdebug_more() at netbsd:lockdebug_more [ 99.7801947] lockdebug_barrier() at netbsd:lockdebug_barrier+0x11d sys/kern/subr_lockdebug.c:650 [ 99.8301933] syscall() at netbsd:syscall+0x544 mi_userret sys/sys/userret.h:117 [inline] [ 99.8301933] syscall() at netbsd:syscall+0x544 userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] [ 99.8301933] syscall() at netbsd:syscall+0x544 sys/arch/x86/x86/syscall.c:166 [ 99.8501928] --- syscall (number 16) --- [ 99.8701948] netbsd:syscall+0x544: [ 99.8701948] cpu1: End traceback... [ 99.8701948] fatal breakpoint trap in supervisor mode [ 99.8801893] trap type 1 code 0 rip 0xffffffff80220a2d cs 0x8 rflags 0x282 cr2 0x74e6ea295000 ilevel 0 rsp 0xffff9c01a9d77c80 [ 99.8901887] curlwp 0xffff9c0015389ac0 pid 3374.3241 lowest kstack 0xffff9c01a9d702c0 Stopped in pid 3374.3241 (syz-executor.0) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0x105 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x265 sys/kern/subr_prf.c:290 snprintf() at netbsd:snprintf lockdebug_more() at netbsd:lockdebug_more lockdebug_barrier() at netbsd:lockdebug_barrier+0x11d sys/kern/subr_lockdebug.c:650 syscall() at netbsd:syscall+0x544 mi_userret sys/sys/userret.h:117 [inline] syscall() at netbsd:syscall+0x544 userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] syscall() at netbsd:syscall+0x544 sys/arch/x86/x86/syscall.c:166 --- syscall (number 16) --- netbsd:syscall+0x544: Panic string: LOCKDEBUG: Mutex error: mi_userret,116: sleep lock held PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 3374 >3241 7 1 100 ffff9c0015389ac0 syz-executor.0 3374 3374 2 1 10000000 ffff9c00155a74c0 syz-executor.0 2369 2863 3 1 180 ffff9c00147dca80 syz-executor.5 parked 2369 3394 3 1 180 ffff9c0013b5a0c0 syz-executor.5 parked 2369 3269 3 1 180 ffff9c00136e92c0 syz-executor.5 parked 2369 2369 2 1 10000140 ffff9c001486d480 syz-executor.5 3427 3300 2 1 0 ffff9c0013ce7a40 syz-executor.3 3427 3427 2 0 10000000 ffff9c0013c482c0 syz-executor.3 3415 3262 3 0 180 ffff9c0014880500 syz-executor.1 parked 3415 3415 2 1 10000140 ffff9c0014862bc0 syz-executor.1 3109 3109 3 0 180 ffff9c00153e5b00 syz-executor.5 parked 2616 2616 3 0 180 ffff9c0013a958c0 syz-executor.5 parked 2080 2080 3 1 180 ffff9c0013cf6a80 syz-executor.4 parked 1880 1880 3 0 180 ffff9c0013cf6640 syz-executor.4 parked 1052 1052 2 0 40 ffff9c00152d2640 syz-executor.4 976 976 2 1 140 ffff9c00152d2200 syz-executor.3 1099 1099 2 0 140 ffff9c0015283a40 syz-executor.5 1083 1083 3 0 40 ffff9c00152831c0 syz-executor.2 xclocv 1078 1078 2 0 140 ffff9c001513fa00 syz-executor.1 949 949 2 0 140 ffff9c0013b5a500 syz-executor.0 1068 422 3 0 180 ffff9c0015283600 syz-fuzzer parked 1068 1085 3 0 180 ffff9c001513f180 syz-fuzzer parked 1068 1074 3 1 180 ffff9c0014838b00 syz-fuzzer parked 1068 1081 3 1 180 ffff9c00148386c0 syz-fuzzer parked 1068 1072 3 1 180 ffff9c0014838280 syz-fuzzer parked 1068 1079 3 1 180 ffff9c0013c48b40 syz-fuzzer parked 1068 1076 3 0 180 ffff9c0013a4e780 syz-fuzzer kqueue 1068 857 3 1 180 ffff9c0013a4e340 syz-fuzzer parked 1068 1068 3 0 180 ffff9c0013abb4c0 syz-fuzzer parked 1125 1125 3 0 180 ffff9c0013abb080 sshd select 998 998 3 0 180 ffff9c0014858740 getty nanoslp 947 947 3 0 180 ffff9c00136e9b40 getty nanoslp 1098 1098 3 0 180 ffff9c00148a4980 getty nanoslp 698 698 3 0 1c0 ffff9c00136ec740 getty ttyraw 979 979 3 1 180 ffff9c00147cf600 sshd select 980 980 3 0 180 ffff9c0013d0fb00 powerd kqueue 872 872 3 0 180 ffff9c001484c700 syslogd kqueue 598 598 3 0 180 ffff9c0013c04ac0 dhcpcd poll 597 597 3 0 180 ffff9c0013c944c0 dhcpcd poll 594 594 3 1 180 ffff9c0013c04240 dhcpcd poll 462 462 3 0 180 ffff9c0013c61740 dhcpcd poll 350 350 3 0 180 ffff9c0013d888c0 dhcpcd poll 349 349 3 1 180 ffff9c0013d88480 dhcpcd poll 348 348 3 0 180 ffff9c0013d88040 dhcpcd poll 1 1 3 0 180 ffff9c001385c140 init wait 0 2986 3 1 200 ffff9c0013a2bb80 midictlt midictlv 0 2884 3 1 200 ffff9c0013d01240 acctwatch actwat 0 895 3 0 200 ffff9c0013986240 physiod physiod 0 192 3 0 200 ffff9c0013988280 pooldrain pooldrain 0 163 3 0 200 ffff9c0013986ac0 ioflush syncer 0 168 3 1 200 ffff9c0013986680 pgdaemon pgdaemon 0 162 3 1 200 ffff9c0013959640 usb7 usbevt 0 161 3 1 200 ffff9c0013959200 usb6 usbevt 0 31 2 1 240 ffff9c001390ba40 usb5 0 63 3 1 200 ffff9c001390b600 usb4 usbevt 0 126 3 1 200 ffff9c001390b1c0 usb3 usbevt 0 125 2 1 240 ffff9c00138b9a00 usb2 0 124 3 1 200 ffff9c00138b95c0 usb1 usbevt 0 123 3 0 200 ffff9c00138b9180 usb0 usbevt 0 122 3 0 200 ffff9c001385c9c0 usbtask-dr usbtsk 0 121 3 0 200 ffff9c0010dbbac0 usbtask-hc usbtsk 0 120 3 0 200 ffff9c001385c580 npfgc0 npfgcw 0 119 3 0 200 ffff9c001384c980 rt_free rt_free 0 118 3 0 200 ffff9c001384c540 unpgc unpgc 0 117 3 0 200 ffff9c001384c100 key_timehandler key_timehandler 0 116 3 1 200 ffff9c001371b940 icmp6_wqinput/1 icmp6_wqinput 0 115 3 0 200 ffff9c001371b500 icmp6_wqinput/0 icmp6_wqinput 0 114 2 1 200 ffff9c001371b0c0 nd6_timer 0 113 3 1 200 ffff9c0013711900 carp6_wqinput/1 carp6_wqinput 0 112 3 0 200 ffff9c00137114c0 carp6_wqinput/0 carp6_wqinput 0 111 3 1 200 ffff9c0013711080 carp_wqinput/1 carp_wqinput 0 110 3 0 200 ffff9c00137008c0 carp_wqinput/0 carp_wqinput 0 109 3 1 200 ffff9c0013700480 icmp_wqinput/1 icmp_wqinput 0 108 3 0 200 ffff9c0013700040 icmp_wqinput/0 icmp_wqinput 0 107 3 0 200 ffff9c00136edbc0 rt_timer rt_timer 0 106 3 1 200 ffff9c00136ed780 vmem_rehash vmem_rehash 0 105 3 0 200 ffff9c00136ecb80 entbutler entropy 0 96 3 1 200 ffff9c00130c0b00 viomb balloon 0 30 3 1 200 ffff9c00130c06c0 vioif0_txrx/1 vioif0_txrx 0 29 3 0 200 ffff9c00130c0280 vioif0_txrx/0 vioif0_txrx 0 27 3 0 200 ffff9c0010dbb680 scsibus0 sccomp 0 26 3 0 200 ffff9c0010dbb240 pms0 pmsreset 0 25 2 1 200 ffff9c0010d0ea80 xcall/1 0 24 1 1 200 ffff9c0010d0e640 softser/1 0 23 1 1 200 ffff9c0010d0e200 softclk/1 0 22 1 1 200 ffff9c0010d0ca40 softbio/1 0 21 1 1 200 ffff9c0010d0c600 softnet/1 0 20 1 1 201 ffff9c0010d0c1c0 idle/1 0 19 3 0 200 ffff9c000f77da00 lnxpwrwq lnxpwrwq 0 18 3 0 200 ffff9c000f77d5c0 lnxlngwq lnxlngwq 0 17 3 0 200 ffff9c000f77d180 lnxsyswq lnxsyswq 0 16 3 0 200 ffff9c000f7759c0 lnxrcugc lnxrcugc 0 15 3 0 200 ffff9c000f775580 sysmon smtaskq 0 14 3 0 200 ffff9c000f775140 pmfsuspend pmfsuspend 0 13 3 0 200 ffff9c000f771980 pmfevent pmfevent 0 12 3 0 200 ffff9c000f771540 sopendfree sopendfr 0 11 3 0 200 ffff9c000f771100 iflnkst iflnkst 0 10 3 0 200 ffff9c000f766940 nfssilly nfssilly 0 9 3 0 200 ffff9c000f766500 vdrain vdrain 0 8 3 0 200 ffff9c000f7660c0 modunload mod_unld 0 7 3 0 200 ffff9c000f758900 xcall/0 xcall 0 6 1 0 200 ffff9c000f7584c0 softser/0 0 5 1 0 200 ffff9c000f758080 softclk/0 0 4 1 0 200 ffff9c000f7568c0 softbio/0 0 3 1 0 200 ffff9c000f756480 softnet/0 0 2 1 0 201 ffff9c000f756040 idle/0 0 > 0 7 0 240 ffffffff82eee8c0 swapper [Locks tracked through LWPs] ****** LWP 3374.3241 (syz-executor.0) @ 0xffff9c0015389ac0, l_stat=7 *** Locks held: * Lock 0 (initialized at sequencerget) lock address : 0xffff9c00136bb050 type : sleep/adaptive initialized : 0xffffffff81ab9bd1 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffff9c0015389ac0 last held: 0xffff9c0015389ac0 last locked* : 0xffffffff81aba28f unlocked : 0xffffffff81abb5bb owner field : 0xffff9c0015389ac0 wait/spin: 0/0 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 3427.3427 (syz-executor.3) @ 0xffff9c0013c482c0, l_stat=2 *** Locks held: * Lock 0 (initialized at pmap_ctor) lock address : 0xffff9c0013c7bb80 type : sleep/adaptive initialized : 0xffffffff808d4c54 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffff9c0013c482c0 last held: 0xffff9c0013c482c0 last locked* : 0xffffffff808d48ea unlocked : 0xffffffff808d4967 owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 1052.1052 (syz-executor.4) @ 0xffff9c00152d2640, l_stat=2 *** Locks held: * Lock 0 (initialized at vcache_alloc) lock address : 0xffff9c0015290e80 type : sleep/adaptive initialized : 0xffffffff81a5b0a0 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffff9c00152d2640 last held: 0xffff9c00152d2640 last locked* : 0xffffffff81a8de70 unlocked : 0xffffffff81a8ded2 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at vcache_alloc) lock address : 0xffff9c00148cef00 type : sleep/adaptive initialized : 0xffffffff81a5b0a0 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffff9c00152d2640 last held: 0xffff9c00152d2640 last locked* : 0xffffffff81a8de70 unlocked : 0xffffffff81a8ded2 [ 99.9001884] Skipping crash dump on recursive panic [ 99.9001884] panic: ASan: Unauthorized Access In 0xffffffff819067b0: Addr 0xffff9c00148cef00 [8 bytes, read, PoolUseAfterFree] [ 99.9001884] cpu1: Begin traceback... [ 99.9001884] vpanic() at netbsd:vpanic+0x265 sys/kern/subr_prf.c:290 [ 99.9001884] snprintf() at netbsd:snprintf [ 99.9001884] kasan_report() at netbsd:kasan_report+0x8c kasan_code_name sys/kern/subr_asan.c:163 [inline] [ 99.9001884] kasan_report() at netbsd:kasan_report+0x8c sys/kern/subr_asan.c:195 [ 99.9001884] __asan_load8() at netbsd:__asan_load8+0x27e kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:345 [inline] [ 99.9001884] __asan_load8() at netbsd:__asan_load8+0x27e kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:359 [inline] [ 99.9001884] __asan_load8() at netbsd:__asan_load8+0x27e kasan_shadow_check sys/kern/subr_asan.c:411 [inline] [ 99.9001884] __asan_load8() at netbsd:__asan_load8+0x27e sys/kern/subr_asan.c:1198 [ 99.9001884] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:186 [ 99.9001884] lockdebug_dump() at netbsd:lockdebug_dump+0x23b sys/kern/subr_lockdebug.c:759 [ 99.9001884] lockdebug_show_one() at netbsd:lockdebug_show_one+0xa7 sys/kern/subr_lockdebug.c:839 [ 99.9001884] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x274 lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:877 [inline] [ 99.9001884] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x274 sys/kern/subr_lockdebug.c:941 [ 99.9001884] db_command() at netbsd:db_command+0x310 sys/ddb/db_command.c:957 [ 99.9001884] db_command_loop() at netbsd:db_command_loop+0x293 db_execute_commandlist sys/ddb/db_command.c:454 [inline] [ 99.9001884] db_command_loop() at netbsd:db_command_loop+0x293 sys/ddb/db_command.c:604 [ 99.9001884] db_trap() at netbsd:db_trap+0x22c sys/ddb/db_trap.c:94 [ 99.9001884] kdb_trap() at netbsd:kdb_trap+0x25c sys/arch/amd64/amd64/db_interface.c:250 [ 99.9001884] trap() at netbsd:trap+0x819 sys/arch/amd64/amd64/trap.c:315 [ 99.9001884] --- trap (number 1) --- [ 99.9001884] breakpoint() at netbsd:breakpoint+0x5 [ 99.9001884] db_panic() at netbsd:db_panic+0x105 sys/ddb/db_panic.c:67 [ 99.9001884] vpanic() at netbsd:vpanic+0x265 sys/kern/subr_prf.c:290 [ 99.9001884] snprintf() at netbsd:snprintf [ 99.9001884] lockdebug_more() at netbsd:lockdebug_more [ 99.9001884] lockdebug_barrier() at netbsd:lockdebug_barrier+0x11d sys/kern/subr_lockdebug.c:650 [ 99.9001884] syscall() at netbsd:syscall+0x544 mi_userret sys/sys/userret.h:117 [inline] [ 99.9001884] syscall() at netbsd:syscall+0x544 userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] [ 99.9001884] syscall() at netbsd:syscall+0x544 sys/arch/x86/x86/syscall.c:166 [ 99.9001884] --- syscall (number 16) --- [ 99.9001884] netbsd:syscall+0x544: [ 99.9001884] cpu1: End traceback... [ 99.9001884] fatal breakpoint trap in supervisor mode [ 99.9001884] trap type 1 code 0 rip 0xffffffff80220a2d cs 0x8 rflags 0x282 cr2 0x74e6ea295000 ilevel 0x8 rsp 0xffff9c01a9d77250 [ 99.9001884] curlwp 0xffff9c0015389ac0 pid 3374.3241 lowest kstack 0xffff9c01a9d702c0 Stopped in pid 3374.3241 (syz-executor.0) at netbsd:breakpoint+0x5: leave