[ 72.2055612] panic: kernel diagnostic assertion "ci->ci_tlbstate != TLBSTATE_VALID" failed: file "/syzkaller/managers/netbsd/kernel/sys/arch/x86/x86/pmap.c", line 2790 [ 72.2155593] cpu1: Begin traceback... [ 72.2355883] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 72.2756372] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 72.3056777] pmap_activate() at netbsd:pmap_activate+0x179 sys/arch/x86/x86/pmap.c:2790 [ 72.3457296] mi_switch() at netbsd:mi_switch+0x5bc sys/kern/kern_synch.c:738 [ 72.3857829] preempt() at netbsd:preempt+0xe4 sys/kern/kern_synch.c:302 [ 72.4158234] syscall() at netbsd:syscall+0x88d mi_userret sys/sys/userret.h:91 [inline] [ 72.4158234] syscall() at netbsd:syscall+0x88d userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] [ 72.4158234] syscall() at netbsd:syscall+0x88d sys/arch/x86/x86/syscall.c:166 [ 72.4258361] --- syscall (number 0) --- [ 72.4458621] 7226be4432da: [ 72.4458621] cpu1: End traceback... [ 72.4558741] fatal breakpoint trap in supervisor mode [ 72.4558741] trap type 1 code 0 rip 0xffffffff8021ccb5 cs 0x8 rflags 0x246 cr2 0x20000000 ilevel 0x8 rsp 0xffffaf017aaa7bb0 [ 72.4658858] curlwp 0xffffaf0011f31300 pid 635.1 lowest kstack 0xffffaf017aaa02c0 Stopped in pid 635.1 (syz-executor.3) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure pmap_activate() at netbsd:pmap_activate+0x179 sys/arch/x86/x86/pmap.c:2790 mi_switch() at netbsd:mi_switch+0x5bc sys/kern/kern_synch.c:738 preempt() at netbsd:preempt+0xe4 sys/kern/kern_synch.c:302 syscall() at netbsd:syscall+0x88d mi_userret sys/sys/userret.h:91 [inline] syscall() at netbsd:syscall+0x88d userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] syscall() at netbsd:syscall+0x88d sys/arch/x86/x86/syscall.c:166 --- syscall (number 0) --- 7226be4432da: ds 360 es acf5 fs 7b90 gs 7be0 rdi ffffaf000cb1a458 rsi ffffaf0011f315e8 rbp ffffaf017aaa7bb0 rbx ffffaf016ca80000 rdx 2 rcx ffffffff80d00841 db_panic+0xd5 rax 0 r8 4 r9 1ffffffff0553818 r10 ffffffff82a9c0c3 db_onpanic+0x3 r11 8000000000 r12 ffffaf016ca92000 r13 ffffffff81c22540 platform_private_nodes+0x140 r14 ffffaf017aaa7c40 r15 ffffaf016ca80060 rip ffffffff8021ccb5 breakpoint+0x5 cs 8 rflags 246 rsp ffffaf017aaa7bb0 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 509 3 3 1 80 ffffaf0011f72780 syz-executor.3 parked 635 4 3 1 80 ffffaf00115d0720 syz-executor.3 parked 635 3 3 1 80 ffffaf00115d02e0 syz-executor.3 parked 635 > 1 7 1 10000000 ffffaf0011f31300 syz-executor.3 569 4 3 0 80 ffffaf0011505aa0 syz-executor.5 parked 569 3 3 0 80 ffffaf001158d2a0 syz-executor.5 parked 569 1 2 0 10000000 ffffaf0011523260 syz-executor.5 600 1 2 1 10000000 ffffaf0011505660 syz-executor.4 631 6 3 0 80 ffffaf0011505220 syz-executor.1 parked 694 5 3 0 80 ffffaf00114c7a20 syz-executor.1 parked 561 3 3 1 80 ffffaf00114ae5a0 syz-executor.5 parked 559 3 3 1 80 ffffaf00130b38e0 syz-executor.5 parked 651 3 3 0 80 ffffaf001149e140 syz-executor.1 parked 586 4 3 0 80 ffffaf001307d040 syz-executor.1 parked 263 6 3 0 100004 ffffaf00114d8a40 syz-executor.1 vfork 263 3 3 0 100004 ffffaf001136b740 syz-executor.1 vfork 263 1 3 0 10000004 ffffaf0011451960 syz-executor.1 lwpwait 98 3 3 1 80 ffffaf001158db20 syz-executor.1 parked 96 4 3 0 80 ffffaf0013045780 syz-executor.1 parked 554 3 3 1 80 ffffaf0012ff7720 syz-executor.1 parked 486 3 3 1 80 ffffaf0011338b60 syz-executor.1 parked 45 1 3 1 80 ffffaf0012f306c0 syz-executor.5 nanoslp 535 1 3 1 80 ffffaf0012f30280 syz-executor.4 nanoslp 574 1 2 0 0 ffffaf0012e4e6a0 syz-executor.1 619 1 3 1 80 ffffaf0012e12ac0 syz-executor.3 nanoslp 451 1 3 0 80 ffffaf0012e12680 syz-executor.2 pipe_rd 41 1 3 0 80 ffffaf0012e12240 syz-executor.0 pipe_rd 594 11 3 1 80 ffffaf0012e4e260 syz-fuzzer parked 594 10 2 1 0 ffffaf00110d4a00 syz-fuzzer 594 9 3 0 80 ffffaf0012d3f660 syz-fuzzer parked 594 8 3 1 80 ffffaf0012d3f220 syz-fuzzer parked 594 7 3 1 80 ffffaf0011f8e8e0 syz-fuzzer parked 594 6 3 0 80 ffffaf0011f8e4a0 syz-fuzzer parked 594 5 3 0 80 ffffaf0011f7f8c0 syz-fuzzer kqueue 594 4 3 1 80 ffffaf0011f7f040 syz-fuzzer parked 594 3 2 1 0 ffffaf00120241a0 syz-fuzzer 594 2 2 1 0 ffffaf0011fef540 syz-fuzzer 594 1 3 0 80 ffffaf00110d4180 syz-fuzzer parked 548 1 3 1 80 ffffaf0011f54760 sshd select 575 1 3 1 80 ffffaf00120039c0 getty nanoslp 463 1 3 1 80 ffffaf0012003580 getty nanoslp 465 1 3 1 80 ffffaf0011ff9120 getty nanoslp 432 1 3 1 80 ffffaf0012018180 getty ttyraw 563 1 3 0 80 ffffaf0011f8e060 cron nanoslp 539 1 3 0 80 ffffaf0011f54320 inetd kqueue 462 1 3 1 80 ffffaf001158d6e0 sshd select 473 1 3 1 80 ffffaf00114f6640 powerd kqueue 325 1 2 0 0 ffffaf0011463980 makemandb 231 1 3 0 80 ffffaf0011f54ba0 syslogd kqueue 245 1 3 1 80 ffffaf00114e81e0 dhcpcd kqueue 220 1 3 0 80 ffffaf00113f68e0 dhcpcd kqueue 1 1 3 0 80 ffffaf00111fa240 init wait 0 58 3 0 204 ffffaf00111faac0 physiod physiod 0 57 3 0 204 ffffaf0011242280 aiodoned aiodoned 0 56 3 1 200 ffffaf0011241ae0 ioflush syncer 0 55 3 0 204 ffffaf00112416a0 pooldrain pooldrain 0 54 3 0 200 ffffaf0011241260 pgdaemon pgdaemon 0 51 3 1 200 ffffaf00111fa680 npfgc-0 npfgccv 0 50 3 1 204 ffffaf00111ebaa0 rt_free rt_free 0 49 3 1 204 ffffaf00111eb660 unpgc unpgc 0 48 3 1 204 ffffaf00111eb220 key_timehandler key_timehandler 0 47 3 1 204 ffffaf0011104a80 icmp6_wqinput/1 icmp6_wqinput 0 46 3 0 204 ffffaf0011104640 icmp6_wqinput/0 icmp6_wqinput 0 45 3 1 204 ffffaf0011104200 nd6_timer nd6_timer 0 44 3 1 204 ffffaf00110f9a60 carp6_wqinput/1 carp6_wqinput 0 43 3 0 204 ffffaf00110f9620 carp6_wqinput/0 carp6_wqinput 0 42 3 1 204 ffffaf00110f91e0 carp_wqinput/1 carp_wqinput 0 41 3 0 204 ffffaf00110e8a40 carp_wqinput/0 carp_wqinput 0 40 3 1 204 ffffaf00110e8600 icmp_wqinput/1 icmp_wqinput 0 39 3 0 204 ffffaf00110e81c0 icmp_wqinput/0 icmp_wqinput 0 38 3 1 204 ffffaf00110d7a20 rt_timer rt_timer 0 37 3 1 204 ffffaf00110d35a0 vmem_rehash vmem_rehash 0 27 3 0 204 ffffaf000e9b9580 scsibus0 sccomp 0 26 3 0 200 ffffaf000e9b9140 pms0 pmsreset 0 25 3 1 204 ffffaf000e92b9a0 xcall/1 xcall 0 24 1 1 200 ffffaf000e92b560 softser/1 0 23 1 1 200 ffffaf000e92b120 softclk/1 0 22 1 1 200 ffffaf000e927980 softbio/1 0 21 1 1 200 ffffaf000e927540 softnet/1 0 20 1 1 201 ffffaf000e927100 idle/1 0 19 3 0 204 ffffaf000e85d960 lnxpwrwq lnxpwrwq 0 18 3 0 204 ffffaf000e85d520 lnxlngwq lnxlngwq 0 17 3 0 204 ffffaf000e85d0e0 lnxsyswq lnxsyswq 0 16 3 0 204 ffffaf000d042940 lnxrcugc lnxrcugc 0 15 3 0 204 ffffaf000d042500 sysmon smtaskq 0 14 3 0 204 ffffaf000d0420c0 pmfsuspend pmfsuspend 0 13 3 0 204 ffffaf000d033920 pmfevent pmfevent 0 12 3 0 204 ffffaf000d0334e0 sopendfree sopendfr 0 11 3 1 204 ffffaf000d0330a0 nfssilly nfssilly 0 10 3 1 200 ffffaf000d027900 cachegc cachegc 0 9 3 0 204 ffffaf000d0274c0 vdrain vdrain 0 8 3 0 200 ffffaf000d027080 modunload mod_unld 0 7 3 0 204 ffffaf000d0188e0 xcall/0 xcall 0 6 1 0 200 ffffaf000d0184a0 softser/0 0 5 1 0 200 ffffaf000d018060 softclk/0 0 4 1 0 200 ffffaf000d0148c0 softbio/0 0 3 1 0 200 ffffaf000d014480 softnet/0 0 2 1 0 201 ffffaf000d014040 idle/0 0 > 1 7 0 200 ffffffff82b62fa0 swapper [Locks tracked through LWPs] Locks held by an LWP (syz-executor.5): Lock 0 (initialized at uvm_obj_init) lock address : 0xffffaf00128ba180 type : sleep/adaptive initialized : 0xffffffff810f33bc shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffffaf0011f31300 last held: 0xffffaf0011505aa0 last locked* : 0xffffffff810cf65d unlocked : 0xffffffff810f3a6b [ 72.4759009] Skipping crash dump on recursive panic [ 72.4759009] panic: ASan: Unauthorized Access In 0xffffffff8115fa1e: Addr 0xffffaf00128ba180 [8 bytes, read, PoolUseAfterFree] [ 72.4759009] cpu1: Begin traceback... [ 72.4759009] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 72.4759009] snprintf() at netbsd:snprintf [ 72.4759009] kasan_report() at netbsd:kasan_report+0x8f kasan_code_name sys/kern/subr_asan.c:172 [inline] [ 72.4759009] kasan_report() at netbsd:kasan_report+0x8f sys/kern/subr_asan.c:194 [ 72.4759009] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:344 [inline] [ 72.4759009] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:358 [inline] [ 72.4759009] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:410 [inline] [ 72.4759009] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1180 [ 72.4759009] mutex_dump() at netbsd:mutex_dump+0x1e sys/kern/kern_mutex.c:316 [ 72.4759009] lockdebug_dump() at netbsd:lockdebug_dump+0x281 sys/kern/subr_lockdebug.c:777 [ 72.4759009] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb9 sys/kern/subr_lockdebug.c:855 [ 72.4759009] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:886 [inline] [ 72.4759009] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f sys/kern/subr_lockdebug.c:933 [ 72.4759009] db_command() at netbsd:db_command+0x2c0 sys/ddb/db_command.c:935 [ 72.4759009] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:432 [inline] [ 72.4759009] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:582 [ 72.4759009] db_trap() at netbsd:db_trap+0x219 sys/ddb/db_trap.c:94 [ 72.4759009] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:246 [ 72.4759009] trap() at netbsd:trap+0x650 sys/arch/amd64/amd64/trap.c:313 [ 72.4759009] --- trap (number 1) --- [ 72.4759009] breakpoint() at netbsd:breakpoint+0x5 [ 72.4759009] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 [ 72.4759009] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 72.4759009] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 72.4759009] pmap_activate() at netbsd:pmap_activate+0x179 sys/arch/x86/x86/pmap.c:2790 [ 72.4759009] mi_switch() at netbsd:mi_switch+0x5bc sys/kern/kern_synch.c:738 [ 72.4759009] preempt() at netbsd:preempt+0xe4 sys/kern/kern_synch.c:302 [ 72.4759009] syscall() at netbsd:syscall+0x88d mi_userret sys/sys/userret.h:91 [inline] [ 72.4759009] syscall() at netbsd:syscall+0x88d userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] [ 72.4759009] syscall() at netbsd:syscall+0x88d sys/arch/x86/x86/syscall.c:166 [ 72.4759009] --- syscall (number 0) --- [ 72.4759009] 7226be4432da: [ 72.4759009] cpu1: End traceback... [ 72.4759009] fatal breakpoint trap in supervisor mode [ 72.4759009] trap type 1 code 0 rip 0xffffffff8021ccb5 cs 0x8 rflags 0x246 cr2 0x20000000 ilevel 0x8 rsp 0xffffaf017aaa7170 [ 72.4759009] curlwp 0xffffaf0011f31300 pid 635.1 lowest kstack 0xffffaf017aaa02c0 Stopped in pid 635.1 (syz-executor.3) at netbsd:breakpoint+0x5: leave