[ 63.4325714] panic: kernel diagnostic assertion "(cnp->cn_flags & LOCKPARENT) == 0 || searchdir == NULL || VOP_ISLOCKED(searchdir) == LK_EXCLUSIVE" failed: file "/syzkaller/managers/netbsd/kernel/sys/kern/vfs_lookup.c", line 1758 [ 63.4458876] cpu0: Begin traceback... [ 63.4525600] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 [ 63.4825612] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 63.5125614] namei_tryemulroot() at netbsd:namei_tryemulroot+0x14f8 namei_oneroot sys/kern/vfs_lookup.c:1760 [inline] [ 63.5125614] namei_tryemulroot() at netbsd:namei_tryemulroot+0x14f8 sys/kern/vfs_lookup.c:1909 [ 63.5425633] namei() at netbsd:namei+0x6a sys/kern/vfs_lookup.c:1945 [ 63.5725612] compat_43_sys_lstat() at netbsd:compat_43_sys_lstat+0x194 sys/compat/common/vfs_syscalls_43.c:198 [ 63.6025617] sys___syscall() at netbsd:sys___syscall+0xde sy_call sys/sys/syscallvar.h:65 [inline] [ 63.6025617] sys___syscall() at netbsd:sys___syscall+0xde sys/kern/sys_syscall.c:77 [ 63.6325600] syscall() at netbsd:syscall+0x553 sy_call sys/sys/syscallvar.h:65 [inline] [ 63.6325600] syscall() at netbsd:syscall+0x553 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 63.6325600] syscall() at netbsd:syscall+0x553 sys/arch/x86/x86/syscall.c:138 [ 63.6427270] --- syscall (number 198) --- [ 63.6525599] netbsd:syscall+0x553: [ 63.6525599] cpu0: End traceback... [ 63.6525599] fatal breakpoint trap in supervisor mode [ 63.6643785] trap type 1 code 0 rip 0xffffffff80220a2d cs 0x8 rflags 0x286 cr2 0x1b2f825000 ilevel 0 rsp 0xffffae818e787530 [ 63.6772178] curlwp 0xffffae8012d44140 pid 1322.1236 lowest kstack 0xffffae818e7802c0 Stopped in pid 1322.1236 (syz-executor.3) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure namei_tryemulroot() at netbsd:namei_tryemulroot+0x14f8 namei_oneroot sys/kern/vfs_lookup.c:1760 [inline] namei_tryemulroot() at netbsd:namei_tryemulroot+0x14f8 sys/kern/vfs_lookup.c:1909 namei() at netbsd:namei+0x6a sys/kern/vfs_lookup.c:1945 compat_43_sys_lstat() at netbsd:compat_43_sys_lstat+0x194 sys/compat/common/vfs_syscalls_43.c:198 sys___syscall() at netbsd:sys___syscall+0xde sy_call sys/sys/syscallvar.h:65 [inline] sys___syscall() at netbsd:sys___syscall+0xde sys/kern/sys_syscall.c:77 syscall() at netbsd:syscall+0x553 sy_call sys/sys/syscallvar.h:65 [inline] syscall() at netbsd:syscall+0x553 sy_invoke sys/sys/syscallvar.h:94 [inline] syscall() at netbsd:syscall+0x553 sys/arch/x86/x86/syscall.c:138 --- syscall (number 198) --- netbsd:syscall+0x553: ds 75d0 es bd00 fs 7510 gs 7560 rdi ffffffff82bd6c40 db_onpanic rsi 1ffffffff057ad88 rbp ffffae818e787530 rbx ffffffff829b4f80 cpu_info_primary rdx ffffae818a565000 rcx ffffffff812645e9 db_panic+0xd5 rax 3ffff r8 4 r9 1ffffffff057ad88 r10 ffffffff82bd6c43 db_onpanic+0x3 r11 8000000000 r12 ffffae816e6aa000 r13 ffffffff823453e0 vfs_special_vnodeopv_descs+0x760 r14 ffffae818e7875c0 r15 ffffae816e699060 rip ffffffff80220a2d breakpoint+0x5 cs 8 rflags 286 rsp ffffae818e787530 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 581 581 2 0 0 ffffae8012d76640 syz-executor.0 1324 1324 2 0 0 ffffae8012d83240 syz-executor.4 1374 1374 2 1 0 ffffae8012d651c0 syz-executor.5 1322 1363 3 0 80 ffffae8012d0e8c0 syz-executor.3 parked 1322 >1236 7 0 0 ffffae8012d44140 syz-executor.3 1322 1322 2 0 10000000 ffffae8012d29940 syz-executor.3 454 1192 2 0 0 ffffae8012d36980 syz-executor.2 454 1380 2 0 0 ffffae8012d76a80 syz-executor.2 454 1511 2 0 0 ffffae8012d83680 syz-executor.2 454 454 2 1 0 ffffae8012ce3b80 syz-executor.2 1104 1104 3 1 40080 ffffae80144f9740 syz-executor.1 parked 1245 1245 3 1 80 ffffae8012ae7780 syz-executor.1 parked 1151 >1151 7 1 40040 ffffae8014445ac0 syz-executor.5 1078 1078 2 1 40 ffffae8014445240 syz-executor.4 1084 1084 2 0 40 ffffae8014326600 syz-executor.3 1083 1083 2 0 40 ffffae80143261c0 syz-executor.1 421 421 2 0 40 ffffae80141dba00 syz-executor.2 1081 1081 2 1 40 ffffae80141db5c0 syz-executor.0 1250 1097 3 1 80 ffffae8014326a40 syz-fuzzer kqueue 1250 1082 3 1 80 ffffae80137be940 syz-fuzzer parked 1250 1079 3 1 c0 ffffae80141db180 syz-fuzzer parked 1250 1070 3 1 80 ffffae8013871640 syz-fuzzer parked 1250 1077 3 1 80 ffffae8013871200 syz-fuzzer parked 1250 962 3 0 80 ffffae80141049c0 syz-fuzzer parked 1250 1069 3 1 c0 ffffae8013861a40 syz-fuzzer parked 1250 1072 2 0 40 ffffae80138c9b00 syz-fuzzer 1250 1250 3 0 80 ffffae8013838580 syz-fuzzer parked 1249 1249 3 1 80 ffffae8012bc74c0 sshd select 945 945 3 0 80 ffffae8012770b40 getty nanoslp 1091 1091 3 1 80 ffffae801393a980 getty nanoslp 811 811 3 0 80 ffffae801393a540 getty nanoslp 696 696 3 0 c0 ffffae8012773b80 getty ttyraw 946 946 3 1 80 ffffae8013861600 sshd select 960 960 3 0 80 ffffae8012da6700 powerd kqueue 869 869 3 1 80 ffffae80138ebb80 syslogd kqueue 597 597 3 1 80 ffffae8012cd22c0 dhcpcd kqueue 593 593 3 0 80 ffffae8012d184c0 dhcpcd kqueue 591 591 3 1 80 ffffae8012c9cb00 dhcpcd kqueue 547 547 3 1 80 ffffae8012ce3300 dhcpcd kqueue 480 480 3 1 80 ffffae80137be500 dhcpcd kqueue 348 348 3 0 80 ffffae8012e158c0 dhcpcd kqueue 347 347 3 1 80 ffffae8012e15480 dhcpcd kqueue 346 346 3 1 80 ffffae8012e15040 dhcpcd kqueue 1 1 3 0 80 ffffae80128d6980 init wait 0 820 3 0 200 ffffae80129f7a80 physiod physiod 0 167 3 0 200 ffffae8012a0dac0 pooldrain pooldrain 0 162 3 0 200 ffffae8012a0d680 ioflush syncer 0 160 3 1 200 ffffae8012a0d240 pgdaemon pgdaemon 0 161 3 1 200 ffffae80129f7200 usb7 usbevt 0 31 3 1 200 ffffae80129aea40 usb6 usbevt 0 63 3 1 200 ffffae80129ae600 usb5 usbevt 0 126 3 1 200 ffffae80129ae1c0 usb4 usbevt 0 125 3 1 200 ffffae801295aa00 usb3 usbevt 0 124 3 1 200 ffffae801295a5c0 usb2 usbevt 0 123 3 1 200 ffffae801295a180 usb1 usbevt 0 122 3 1 200 ffffae80128eb9c0 usb0 usbevt 0 121 3 1 200 ffffae80128eb580 usbtask-dr usbtsk 0 120 3 0 200 ffffae800fe47ac0 usbtask-hc usbtsk 0 119 3 1 200 ffffae80128eb140 npfgc0 npfgcw 0 118 3 1 200 ffffae80128d6540 rt_free rt_free 0 117 3 1 200 ffffae80128d6100 unpgc unpgc 0 116 3 0 200 ffffae80127a6940 key_timehandler key_timehandler 0 115 3 1 200 ffffae80127a6500 icmp6_wqinput/1 icmp6_wqinput 0 114 3 0 200 ffffae80127a60c0 icmp6_wqinput/0 icmp6_wqinput 0 113 3 1 200 ffffae801279c900 nd6_timer nd6_timer 0 112 3 1 200 ffffae801279c4c0 carp6_wqinput/1 carp6_wqinput 0 111 3 0 200 ffffae801279c080 carp6_wqinput/0 carp6_wqinput 0 110 3 1 200 ffffae80127878c0 carp_wqinput/1 carp_wqinput 0 109 3 0 200 ffffae8012787480 carp_wqinput/0 carp_wqinput 0 108 3 1 200 ffffae8012787040 icmp_wqinput/1 icmp_wqinput 0 107 3 0 200 ffffae8012774bc0 icmp_wqinput/0 icmp_wqinput 0 106 3 1 200 ffffae8012773300 rt_timer rt_timer 0 105 3 1 200 ffffae8012774780 vmem_rehash vmem_rehash 0 104 3 0 200 ffffae8012770700 entbutler entropy 0 30 3 1 200 ffffae801214d6c0 vioif0_txrx/1 vioif0_txrx 0 29 3 0 200 ffffae801214d280 vioif0_txrx/0 vioif0_txrx 0 27 3 0 200 ffffae800fe47680 scsibus0 sccomp 0 26 3 0 200 ffffae800fe47240 pms0 pmsreset 0 25 3 1 200 ffffae800fd9aa80 xcall/1 xcall 0 24 1 1 200 ffffae800fd9a640 softser/1 0 23 1 1 200 ffffae800fd9a200 softclk/1 0 22 1 1 200 ffffae800fd98a40 softbio/1 0 21 1 1 200 ffffae800fd98600 softnet/1 0 20 1 1 201 ffffae800fd981c0 idle/1 0 19 3 0 200 ffffae800e809a00 lnxpwrwq lnxpwrwq 0 18 3 0 200 ffffae800e8095c0 lnxlngwq lnxlngwq 0 17 3 0 200 ffffae800e809180 lnxsyswq lnxsyswq 0 16 3 0 200 ffffae800e8039c0 lnxrcugc lnxrcugc 0 15 3 0 200 ffffae800e803580 sysmon smtaskq 0 14 3 0 200 ffffae800e803140 pmfsuspend pmfsuspend 0 13 3 0 200 ffffae800e7fe980 pmfevent pmfevent 0 12 3 0 200 ffffae800e7fe540 sopendfree sopendfr 0 11 3 0 200 ffffae800e7fe100 iflnkst iflnkst 0 10 3 0 200 ffffae800e7f3940 nfssilly nfssilly 0 9 3 0 200 ffffae800e7f3500 vdrain vdrain 0 8 3 0 200 ffffae800e7f30c0 modunload mod_unld 0 7 3 0 200 ffffae800e7e6900 xcall/0 xcall 0 6 1 0 200 ffffae800e7e64c0 softser/0 0 5 1 0 200 ffffae800e7e6080 softclk/0 0 4 1 0 200 ffffae800e7e48c0 softbio/0 0 3 1 0 200 ffffae800e7e4480 softnet/0 0 2 1 0 201 ffffae800e7e4040 idle/0 0 0 3 0 200 ffffffff82ca1fc0 swapper uvm [Locks tracked through LWPs] ****** LWP 1374.1374 (syz-executor.5) @ 0xffffae8012d651c0, l_stat=2 *** Locks held: * Lock 0 (initialized at amap_ctor) lock address : 0xffffae8014458440 type : sleep/adaptive initialized : 0xffffffff816215f3 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffae8012d651c0 last held: 0xffffae8012d651c0 last locked* : 0xffffffff81630406 unlocked : 0xffffffff8162e3b8 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at pmap_ctor) lock address : 0xffffae80128e0b80 type : sleep/adaptive initialized : 0xffffffff80872a37 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffae8012d651c0 last held: 0xffffae8012d651c0 last locked* : 0xffffffff80874566 unlocked : 0xffffffff808726f5 owner field : 0xffffae8012d651c0 wait/spin: 0/0 Turnstile: no active turnstile for this lock. * Lock 2 (initialized at pmap_ctor) lock address : 0xffffae80128e0b88 type : sleep/adaptive initialized : 0xffffffff80872a43 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffae8012d651c0 last held: 0xffffae8012d651c0 last locked* : 0xffffffff808754dc unlocked : 0xffffffff8087560b owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 454.454 (syz-executor.2) @ 0xffffae8012ce3b80, l_stat=2 *** Locks held: * Lock 0 (initialized at amap_ctor) lock address : 0xffffae8014075cc0 type : sleep/adaptive initialized : 0xffffffff816215f3 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffae8012ce3b80 last held: 0xffffae8012ce3b80 last locked* : 0xffffffff81630406 unlocked : 0xffffffff8162e3b8 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at pmap_ctor) lock address : 0xffffae8012ac9f80 type : sleep/adaptive initialized : 0xffffffff80872a37 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffae8012ce3b80 last held: 0xffffae8012ce3b80 last locked* : 0xffffffff80874566 unlocked : 0xffffffff808726f5 owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 1151.1151 (syz-executor.5) @ 0xffffae8014445ac0, l_stat=7 *** Locks held: * Lock 0 (initialized at amap_ctor) lock address : 0xffffae80144586c0 type : sleep/adaptive initialized : 0xffffffff816215f3 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffae8014445ac0 last held: 0xffffae8014445ac0 last locked* : 0xffffffff81630406 unlocked : 0xffffffff8162e3b8 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 1078.1078 (syz-executor.4) @ 0xffffae8014445240, l_stat=2 *** Locks held: * Lock 0 (initialized at vcache_alloc) lock address : 0xffffae8014467280 type : sleep/adaptive initialized : 0xffffffff8181c783 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffae8014445240 last held: 0xffffae8014445240 last locked* : 0xffffffff8184b4bf unlocked : 0xffffffff8184b521 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at vcache_alloc) lock address : 0xffffae8014546a00 type : sleep/adaptive initialized : 0xffffffff8181c783 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffae8014445240 last held: 0xffffae8014445240 last locked* : 0xffffffff8184b4bf unlocked : 000000000000000000 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 1081.1081 (syz-executor.0) @ 0xffffae80141db5c0, l_stat=2 *** Locks held: * Lock 0 (initialized at vcache_alloc) lock address : 0xffffae801431ccc0 type : sleep/adaptive initialized : 0xffffffff8181c783 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffae80141db5c0 last held: 0xffffae80141db5c0 last locked* : 0xffffffff8184b4bf unlocked : 0xffffffff8184b521 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at vcache_alloc) lock address : 0xffffae801451bc00 type : sleep/adaptive initialized : 0xffffffff8181c783 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffae80141db5c0 last held: 0xffffae80141db5c0 last locked* : 0xffffffff8184b4bf unlocked : 0xffffffff8184b521 [ 63.6849202] Skipping crash dump on recursive panic [ 63.6849202] panic: ASan: Unauthorized Access In 0xffffffff816e6d30: Addr 0xffffae801451bc00 [8 bytes, read, PoolUseAfterFree] [ 63.6849202] cpu0: Begin traceback... [ 63.6849202] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 [ 63.6849202] snprintf() at netbsd:snprintf [ 63.6849202] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline] [ 63.6849202] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197 [ 63.6849202] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline] [ 63.6849202] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline] [ 63.6849202] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline] [ 63.6849202] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210 [ 63.6849202] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:186 [ 63.6849202] lockdebug_dump() at netbsd:lockdebug_dump+0x205 sys/kern/subr_lockdebug.c:759 [ 63.6849202] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb7 sys/kern/subr_lockdebug.c:839 [ 63.6849202] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26a lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:877 [inline] [ 63.6849202] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26a sys/kern/subr_lockdebug.c:941 [ 63.6849202] db_command() at netbsd:db_command+0x2ad sys/ddb/db_command.c:942 [ 63.6849202] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:439 [inline] [ 63.6849202] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:589 [ 63.6849202] db_trap() at netbsd:db_trap+0x206 sys/ddb/db_trap.c:94 [ 63.6849202] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:248 [ 63.6849202] trap() at netbsd:trap+0x579 sys/arch/amd64/amd64/trap.c:315 [ 63.6849202] --- trap (number 1) --- [ 63.6849202] breakpoint() at netbsd:breakpoint+0x5 [ 63.6849202] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 [ 63.6849202] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 [ 63.6849202] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 63.6849202] namei_tryemulroot() at netbsd:namei_tryemulroot+0x14f8 namei_oneroot sys/kern/vfs_lookup.c:1760 [inline] [ 63.6849202] namei_tryemulroot() at netbsd:namei_tryemulroot+0x14f8 sys/kern/vfs_lookup.c:1909 [ 63.6849202] namei() at netbsd:namei+0x6a sys/kern/vfs_lookup.c:1945 [ 63.6849202] compat_43_sys_lstat() at netbsd:compat_43_sys_lstat+0x194 sys/compat/common/vfs_syscalls_43.c:198 [ 63.6849202] sys___syscall() at netbsd:sys___syscall+0xde sy_call sys/sys/syscallvar.h:65 [inline] [ 63.6849202] sys___syscall() at netbsd:sys___syscall+0xde sys/kern/sys_syscall.c:77 [ 63.6849202] syscall() at netbsd:syscall+0x553 sy_call sys/sys/syscallvar.h:65 [inline] [ 63.6849202] syscall() at netbsd:syscall+0x553 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 63.6849202] syscall() at netbsd:syscall+0x553 sys/arch/x86/x86/syscall.c:138 [ 63.6849202] --- syscall (number 198) --- [ 63.6849202] netbsd:syscall+0x553: [ 63.6849202] cpu0: End traceback... [ 63.6849202] fatal breakpoint trap in supervisor mode [ 63.6849202] trap type 1 code 0 rip 0xffffffff80220a2d cs 0x8 rflags 0x286 cr2 0x1b2f825000 ilevel 0x8 rsp 0xffffae818e786ad0 [ 63.6849202] curlwp 0xffffae8012d44140 pid 1322.1236 lowest kstack 0xffffae818e7802c0 Stopped in pid 1322.1236 (syz-executor.3) at netbsd:breakpoint+0x5: leave