[ 164.2647624] panic: kernel diagnostic assertion "pmap->pm_ncsw == curlwp->l_ncsw" failed: file "/syzkaller/managers/netbsd/kernel/sys/arch/x86/x86/pmap.c", line 700 [ 164.2849534] cpu0: Begin traceback... [ 164.3021021] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 164.3465545] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 164.3910025] pmap_unmap_ptes() at netbsd:pmap_unmap_ptes+0x1c7 sys/arch/x86/x86/pmap.c:700 [ 164.4354543] pmap_remove() at netbsd:pmap_remove+0x491 sys/arch/x86/x86/pmap.c:3635 [ 164.4799082] uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 [ 164.5243538] uvm_map_enter() at netbsd:uvm_map_enter+0x565 sys/uvm/uvm_map.c:1343 [ 164.5576922] uvm_map() at netbsd:uvm_map+0x1d9 sys/uvm/uvm_map.c:1102 [ 164.6132572] uvm_mmap.part.0() at netbsd:uvm_mmap.part.0+0x25e [ 164.6577132] sys_mmap() at netbsd:sys_mmap+0x8d9 uvm_mmap sys/uvm/uvm_mmap.c:401 [inline] [ 164.6577132] sys_mmap() at netbsd:sys_mmap+0x8d9 sys/uvm/uvm_mmap.c:401 [ 164.7021591] sys___syscall() at netbsd:sys___syscall+0xf5 sy_call sys/sys/syscallvar.h:65 [inline] [ 164.7021591] sys___syscall() at netbsd:sys___syscall+0xf5 sys/kern/sys_syscall.c:77 [ 164.7466107] syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] [ 164.7466107] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 164.7466107] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 [ 164.7577226] --- syscall (number 198) --- [ 164.7799505] 730e0fe43b9a: [ 164.7910941] cpu0: End traceback... [ 164.7910941] fatal breakpoint trap in supervisor mode [ 164.7910941] trap type 1 code 0 rip 0xffffffff8021ccb5 cs 0x8 rflags 0x246 cr2 0x73ba1844fede ilevel 0 rsp 0xffffbe017b4633d0 [ 164.8127727] curlwp 0xffffbe001133e720 pid 1750.3 lowest kstack 0xffffbe017b45c2c0 Stopped in pid 1750.3 (syz-executor.3) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure pmap_unmap_ptes() at netbsd:pmap_unmap_ptes+0x1c7 sys/arch/x86/x86/pmap.c:700 pmap_remove() at netbsd:pmap_remove+0x491 sys/arch/x86/x86/pmap.c:3635 uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 uvm_map_enter() at netbsd:uvm_map_enter+0x565 sys/uvm/uvm_map.c:1343 uvm_map() at netbsd:uvm_map+0x1d9 sys/uvm/uvm_map.c:1102 uvm_mmap.part.0() at netbsd:uvm_mmap.part.0+0x25e sys_mmap() at netbsd:sys_mmap+0x8d9 uvm_mmap sys/uvm/uvm_mmap.c:401 [inline] sys_mmap() at netbsd:sys_mmap+0x8d9 sys/uvm/uvm_mmap.c:401 sys___syscall() at netbsd:sys___syscall+0xf5 sy_call sys/sys/syscallvar.h:65 [inline] sys___syscall() at netbsd:sys___syscall+0xf5 sys/kern/sys_syscall.c:77 syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 --- syscall (number 198) --- 730e0fe43b9a: ds 5d0 es e280 fs 33b0 gs 3400 rdi ffffbe000cb1a458 rsi ffffbe001133ea08 rbp ffffbe017b4633d0 rbx ffffffff82810340 cpu_info_primary rdx 3ffff rcx ffffbe0170c00000 rax ffffbe0012f17148 r8 4 r9 1ffffffff0553818 r10 ffffffff82a9c0c3 db_onpanic+0x3 r11 10 r12 ffffbe016ca92000 r13 ffffffff81c22540 platform_private_nodes+0x140 r14 ffffbe017b463460 r15 ffffbe016ca80060 rip ffffffff8021ccb5 breakpoint+0x5 cs 8 rflags 246 rsp ffffbe017b4633d0 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 2016 3 2 1 0 ffffbe0012046a40 syz-executor.5 2016 1 2 1 10000000 ffffbe0011449960 syz-executor.5 1750 6 3 0 80 ffffbe00138b09e0 syz-executor.3 parked 1750 5 3 0 80 ffffbe00130a7760 syz-executor.3 parked 1750 4 3 0 80 ffffbe0013905a40 syz-executor.3 parked 1750 > 3 7 0 0 ffffbe001133e720 syz-executor.3 1750 1 2 0 10000000 ffffbe001307fb60 syz-executor.3 1357 4 3 0 80 ffffbe00139021a0 syz-executor.2 parked 1357 3 2 0 0 ffffbe001356c700 syz-executor.2 1357 1 2 0 0 ffffbe0013498220 syz-executor.2 2352 3 3 1 80 ffffbe0011506a60 syz-executor.1 parked 1410 3 3 0 80 ffffbe001317b900 syz-executor.1 parked 2067 4 3 1 80 ffffbe001391b620 syz-executor.1 parked 1790 3 3 0 80 ffffbe0013754920 syz-executor.1 parked 2100 4 3 1 80 ffffbe00114c65a0 syz-executor.1 parked 1659 3 3 1 80 ffffbe00137cb0c0 syz-executor.1 parked 1647 4 3 1 80 ffffbe00130c6780 syz-executor.1 parked 1124 3 3 0 80 ffffbe0013087740 syz-executor.1 parked 1393 3 3 1 80 ffffbe001327f0e0 syz-executor.1 parked 2147 3 3 1 80 ffffbe00111fb680 syz-executor.3 parked 2014 4 3 0 80 ffffbe0013923a80 syz-executor.1 parked 1843 3 3 0 80 ffffbe001200d9a0 syz-executor.1 parked 1105 4 3 0 80 ffffbe0011feb500 syz-executor.3 parked 1107 3 3 1 80 ffffbe001152e240 syz-executor.5 parked 1991 4 3 0 80 ffffbe001153a6a0 syz-executor.1 parked 936 5 3 1 80 ffffbe00137cb500 syz-executor.2 parked 1964 4 3 0 80 ffffbe0013846560 syz-executor.1 parked 1062 3 3 1 80 ffffbe00136b14a0 syz-executor.1 parked 1444 3 3 0 80 ffffbe0013478a80 syz-executor.1 parked 1032 3 3 1 80 ffffbe00136ac480 syz-executor.1 parked 1549 3 3 0 80 ffffbe00115b6b40 syz-executor.1 parked 2328 3 3 1 80 ffffbe0011514a80 syz-executor.1 parked 1364 3 3 1 80 ffffbe0013087300 syz-executor.4 parked 1230 4 3 1 80 ffffbe00115a56e0 syz-executor.1 parked 1213 3 3 0 80 ffffbe00115e6720 syz-executor.1 parked 1943 3 3 0 80 ffffbe0011fe00a0 syz-executor.1 parked 1442 3 3 0 80 ffffbe0013498aa0 syz-executor.1 parked 1561 3 4 1 1000000 ffffbe001154d6c0 syz-executor.2 774 3 4 0 1000000 ffffbe00135922e0 syz-executor.2 774 1 4 1 11000000 ffffbe00137540a0 syz-executor.2 1168 5 3 1 80 ffffbe0011f83bc0 syz-executor.1 parked 2047 3 3 0 80 ffffbe0012017580 syz-executor.2 parked 1691 3 3 1 80 ffffbe00112b2b20 syz-executor.1 parked 1308 3 3 0 80 ffffbe0011fff540 syz-executor.2 parked 1919 4 3 1 80 ffffbe0013813100 syz-executor.2 parked 629 3 3 1 80 ffffbe00112436c0 syz-executor.3 parked 1266 3 3 0 80 ffffbe00114f61c0 syz-executor.1 parked 744 3 3 0 80 ffffbe001152e680 syz-executor.2 parked 737 3 3 0 80 ffffbe001317b4c0 syz-executor.1 parked 1241 3 3 1 80 ffffbe00136ac040 syz-executor.4 parked 1112 3 3 1 80 ffffbe0012fc26e0 syz-executor.4 parked 1495 3 3 0 80 ffffbe00113d5340 syz-executor.2 parked 1234 3 3 1 80 ffffbe00133f51c0 syz-executor.1 parked 838 3 3 1 80 ffffbe00130a7ba0 syz-executor.1 parked 1220 3 3 0 80 ffffbe0011ff40e0 syz-executor.2 parked 321 3 3 1 80 ffffbe001317b080 syz-executor.3 parked 958 3 3 1 80 ffffbe00113d5780 syz-executor.5 parked 1079 3 3 0 80 ffffbe00115a52a0 syz-executor.2 parked 814 3 3 1 80 ffffbe001200d120 syz-executor.1 parked 800 5 3 0 80 ffffbe00130c6bc0 syz-executor.1 parked 1439 3 3 1 80 ffffbe001349c680 syz-executor.3 parked 2200 3 3 1 80 ffffbe00135a1300 syz-executor.1 parked 790 4 3 1 80 ffffbe00110d45c0 syz-executor.5 parked 652 3 3 0 80 ffffbe00135a1740 syz-executor.1 parked 1678 3 3 1 80 ffffbe0012fc22a0 syz-executor.3 parked 770 3 3 1 80 ffffbe0011f8f040 syz-executor.2 parked 1507 3 3 0 80 ffffbe0012755620 syz-executor.2 parked 1822 3 3 0 80 ffffbe0013562b20 syz-executor.3 parked 1514 3 3 0 80 ffffbe001307f720 syz-executor.1 parked 1592 5 3 1 80 ffffbe00130f04a0 syz-executor.2 parked 1639 5 3 0 80 ffffbe0011f63320 syz-executor.1 parked 1082 3 3 1 80 ffffbe0011fb0900 syz-executor.2 parked 1294 5 3 1 80 ffffbe0013297120 syz-executor.2 parked 1605 3 3 0 80 ffffbe00135a1b80 syz-executor.3 parked 1675 5 3 0 80 ffffbe0011411080 syz-executor.1 parked 1739 4 3 0 80 ffffbe00112b22a0 syz-executor.1 parked 710 3 3 0 80 ffffbe00114b5580 syz-executor.0 parked 1467 3 3 1 80 ffffbe001138fba0 syz-executor.2 parked 1149 5 3 1 80 ffffbe0013592720 syz-executor.1 parked 909 3 3 1 80 ffffbe00133f5a40 syz-executor.1 parked 998 3 3 0 80 ffffbe00131c1920 syz-executor.3 parked 864 5 3 1 80 ffffbe001356c2c0 syz-executor.1 parked 913 3 3 1 80 ffffbe00133095a0 syz-executor.2 parked 1487 3 3 1 80 ffffbe00120179c0 syz-executor.1 parked 650 4 3 1 80 ffffbe0013544280 syz-executor.0 parked 1203 5 3 1 80 ffffbe00130d28c0 syz-executor.1 parked 821 3 3 0 80 ffffbe001200d560 syz-executor.2 parked 1334 3 3 1 80 ffffbe0011522660 syz-executor.1 parked 1068 3 3 1 80 ffffbe0011522220 syz-executor.1 parked 1303 3 3 0 80 ffffbe00114d45c0 syz-executor.2 parked 877 4 3 1 80 ffffbe001349cac0 syz-executor.1 parked 1177 5 3 0 80 ffffbe00132bc9c0 syz-executor.0 parked 1156 3 3 1 80 ffffbe00110d75e0 syz-executor.0 parked 392 3 3 0 80 ffffbe00114d4180 syz-executor.4 parked 448 3 3 1 80 ffffbe00134511e0 syz-executor.2 parked 1159 3 3 1 80 ffffbe00113e38c0 syz-executor.1 parked 894 3 3 0 80 ffffbe0011feb0c0 syz-executor.2 parked 1006 5 3 1 80 ffffbe00131c10a0 syz-executor.0 parked 882 5 3 1 80 ffffbe0011fb04c0 syz-executor.2 parked 1191 3 3 1 80 ffffbe0012017140 syz-executor.1 parked 360 3 3 1 80 ffffbe0012d36220 syz-executor.4 parked 805 5 3 1 80 ffffbe00133aea20 syz-executor.2 parked 545 3 3 1 80 ffffbe0011feb940 syz-executor.0 parked 672 3 3 1 80 ffffbe00115e6b60 syz-executor.2 parked 588 3 3 0 80 ffffbe0011f83780 syz-executor.2 parked 457 3 3 0 80 ffffbe00114f6a40 syz-executor.2 parked 1259 3 3 0 80 ffffbe00114b5140 syz-executor.2 parked 1039 3 3 1 80 ffffbe001153aae0 syz-executor.2 parked 682 3 3 0 80 ffffbe0011372300 syz-executor.2 parked 548 3 3 0 80 ffffbe0011411900 syz-executor.3 parked 610 3 3 0 80 ffffbe00133099e0 syz-executor.4 parked 1118 3 3 0 80 ffffbe00114c6160 syz-executor.4 parked 413 3 3 1 80 ffffbe00112e22c0 syz-executor.1 parked 980 5 3 1 80 ffffbe001202ca00 syz-executor.3 parked 662 3 3 1 80 ffffbe0011fff980 syz-executor.2 parked 528 3 3 1 80 ffffbe00114390c0 syz-executor.1 parked 194 3 3 0 80 ffffbe00114a49a0 syz-executor.4 parked 193 3 3 0 80 ffffbe0013309160 syz-executor.2 parked 984 3 3 1 80 ffffbe001154d280 syz-executor.3 parked 748 5 3 0 80 ffffbe001145c100 syz-executor.1 parked 461 3 3 1 80 ffffbe00132979a0 syz-executor.3 parked 883 5 3 1 80 ffffbe0013283980 syz-executor.4 parked 1019 3 3 0 80 ffffbe0013283540 syz-executor.2 parked 836 3 3 0 80 ffffbe001325e940 syz-executor.2 parked 857 3 3 0 80 ffffbe00113e3040 syz-executor.2 parked 850 3 3 0 80 ffffbe0012f986c0 syz-executor.2 parked 888 3 3 1 80 ffffbe00113d5bc0 syz-executor.2 parked 353 3 3 0 80 ffffbe001138f760 syz-executor.3 parked 753 3 3 1 80 ffffbe00131c14e0 syz-executor.2 parked 573 3 3 1 80 ffffbe0012f98b00 syz-executor.2 parked 506 3 3 1 80 ffffbe0011ff4960 syz-executor.4 parked 137 3 3 1 80 ffffbe00127551e0 syz-executor.4 parked 643 5 3 1 80 ffffbe0011f8f480 syz-executor.2 parked 474 3 3 1 80 ffffbe0011506620 syz-executor.2 parked 686 5 3 0 80 ffffbe00130d2480 syz-executor.2 parked 422 3 3 1 80 ffffbe00115a5b20 syz-executor.4 parked 613 3 3 1 80 ffffbe0011f47b80 syz-executor.4 parked 607 3 3 0 80 ffffbe0013087b80 syz-executor.1 parked 569 3 3 0 80 ffffbe001133e2e0 syz-executor.1 parked 464 1 2 1 0 ffffbe0012f98280 syz-executor.5 500 1 2 0 0 ffffbe0012edeae0 syz-executor.4 40 1 2 1 0 ffffbe0012ede6a0 syz-executor.3 41 1 2 1 0 ffffbe0012ede260 syz-executor.2 603 1 2 0 0 ffffbe0012e76680 syz-executor.1 465 1 2 1 0 ffffbe0012e76240 syz-executor.0 349 11 3 0 80 ffffbe0012e76ac0 syz-fuzzer parked 349 10 3 1 80 ffffbe00110d39e0 syz-fuzzer parked 349 9 3 0 80 ffffbe0012d36aa0 syz-fuzzer parked 349 8 3 0 80 ffffbe0012d36660 syz-fuzzer parked 349 7 3 1 80 ffffbe001278da80 syz-fuzzer kqueue 349 6 3 1 80 ffffbe001278d640 syz-fuzzer parked 349 5 2 0 0 ffffbe0011ff4520 syz-fuzzer 349 4 3 1 80 ffffbe001202c5c0 syz-fuzzer parked 349 3 3 1 80 ffffbe00120219e0 syz-fuzzer parked 349 2 2 0 0 ffffbe00120461c0 syz-fuzzer 349 1 3 0 80 ffffbe00110d35a0 syz-fuzzer parked 590 1 3 1 80 ffffbe0011f9d8e0 sshd select 559 1 3 1 80 ffffbe001202c180 getty nanoslp 598 1 3 0 80 ffffbe00120215a0 getty nanoslp 574 1 3 0 80 ffffbe0012021160 getty nanoslp 562 1 3 0 80 ffffbe00120361a0 getty ttyraw 501 1 3 0 80 ffffbe0011fff100 cron nanoslp 547 1 3 1 80 ffffbe0011f9d4a0 inetd kqueue 467 1 3 1 80 ffffbe00115b62c0 sshd select 484 1 3 1 80 ffffbe0011514640 powerd kqueue 202 1 3 0 80 ffffbe0011f63ba0 syslogd kqueue 268 1 3 1 80 ffffbe00115061e0 dhcpcd kqueue 220 1 3 0 80 ffffbe00114028e0 dhcpcd kqueue 1 1 3 0 80 ffffbe00111fb240 init wait 0 58 3 0 204 ffffbe00111fbac0 physiod physiod 0 57 3 0 204 ffffbe0011243280 aiodoned aiodoned 0 56 3 1 200 ffffbe0011242ae0 ioflush syncer 0 55 3 0 204 ffffbe00112426a0 pooldrain pooldrain 0 54 3 0 200 ffffbe0011242260 pgdaemon pgdaemon 0 51 2 0 200 ffffbe000e9b99c0 npfgc-0 0 50 3 0 204 ffffbe00111ecaa0 rt_free rt_free 0 49 3 0 204 ffffbe00111ec660 unpgc unpgc 0 48 3 1 204 ffffbe00111ec220 key_timehandler key_timehandler 0 47 3 1 204 ffffbe00111e4a80 icmp6_wqinput/1 icmp6_wqinput 0 46 3 0 204 ffffbe00111e4640 icmp6_wqinput/0 icmp6_wqinput 0 45 3 1 204 ffffbe00111e4200 nd6_timer nd6_timer 0 44 3 1 204 ffffbe00110fba60 carp6_wqinput/1 carp6_wqinput 0 43 3 0 204 ffffbe00110fb620 carp6_wqinput/0 carp6_wqinput 0 42 3 1 204 ffffbe00110fb1e0 carp_wqinput/1 carp_wqinput 0 41 3 0 204 ffffbe00110e9a40 carp_wqinput/0 carp_wqinput 0 40 3 1 204 ffffbe00110e9600 icmp_wqinput/1 icmp_wqinput 0 39 3 0 204 ffffbe00110e91c0 icmp_wqinput/0 icmp_wqinput 0 38 3 1 204 ffffbe00110d7a20 rt_timer rt_timer 0 37 3 0 204 ffffbe00110d71a0 vmem_rehash vmem_rehash 0 27 3 0 204 ffffbe000e9b9580 scsibus0 sccomp 0 26 3 0 200 ffffbe000e9b9140 pms0 pmsreset 0 25 3 1 204 ffffbe000e92b9a0 xcall/1 xcall 0 24 1 1 200 ffffbe000e92b560 softser/1 0 23 1 1 200 ffffbe000e92b120 softclk/1 0 22 1 1 200 ffffbe000e927980 softbio/1 0 21 1 1 200 ffffbe000e927540 softnet/1 0 20 1 1 201 ffffbe000e927100 idle/1 0 19 3 0 204 ffffbe000e85d960 lnxpwrwq lnxpwrwq 0 18 3 0 204 ffffbe000e85d520 lnxlngwq lnxlngwq 0 17 3 0 204 ffffbe000e85d0e0 lnxsyswq lnxsyswq 0 16 3 0 204 ffffbe000d042940 lnxrcugc lnxrcugc 0 15 3 0 204 ffffbe000d042500 sysmon smtaskq 0 14 3 1 204 ffffbe000d0420c0 pmfsuspend pmfsuspend 0 13 3 0 204 ffffbe000d033920 pmfevent pmfevent 0 12 3 0 204 ffffbe000d0334e0 sopendfree sopendfr 0 11 3 1 204 ffffbe000d0330a0 nfssilly nfssilly 0 > 10 7 1 200 ffffbe000d027900 cachegc 0 9 3 1 204 ffffbe000d0274c0 vdrain vdrain 0 8 3 0 200 ffffbe000d027080 modunload mod_unld 0 7 3 0 204 ffffbe000d0188e0 xcall/0 xcall 0 6 1 0 200 ffffbe000d0184a0 softser/0 0 5 1 0 200 ffffbe000d018060 softclk/0 0 4 1 0 200 ffffbe000d0148c0 softbio/0 0 3 1 0 200 ffffbe000d014480 softnet/0 0 2 1 0 201 ffffbe000d014040 idle/0 0 1 2 0 200 ffffffff82b62fa0 swapper [Locks tracked through LWPs] Locks held by an LWP (syz-executor.5): Lock 0 (initialized at uvm_obj_init) lock address : 0xffffbe0012d2b280 type : sleep/adaptive initialized : 0xffffffff810f33bc shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 1 current lwp : 0xffffbe001133e720 last held: 0xffffbe0011449960 last locked* : 0xffffffff810d79ce unlocked : 0xffffffff810d4872 owner field : 000000000000000000 wait/spin: 0/0 Turnstile chain at 0xffffffff82d839d0 with mutex 0xffffbe000d00b480. => No active turnstile for this lock. Locks held by an LWP (syz-executor.3): Lock 0 (initialized at uvm_map_setup) lock address : 0xffffbe00114aee88 type : sleep/adaptive initialized : 0xffffffff810e792d shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffbe001133e720 last held: 0xffffbe001133e720 last locked* : 0xffffffff810e182c unlocked : 0xffffffff810d7265 owner/count : 0xffffbe001133e720 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d83950 with mutex 0xffffbe000d00b080. => No active turnstile for this lock. Lock 1 (initialized at amap_alloc) lock address : 0xffffbe001364bf00 type : sleep/adaptive initialized : 0xffffffff810c6fb1 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffbe001133e720 last held: 0xffffbe001133e720 last locked* : 0xffffffff810e7bd1 unlocked : 0xffffffff810e7c63 owner field : 0xffffbe001133e720 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83b60 with mutex 0xffffbe000d00c140. => No active turnstile for this lock. Lock 2 (initialized at pmap_create) lock address : 0xffffbe00115bf7e0 type : sleep/adaptive initialized : 0xffffffff80272166 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffbe001133e720 last held: 0xffffbe001133e720 last locked* : 0xffffffff80274a67 unlocked : 0xffffffff80274b88 owner field : 0xffffbe001133e720 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83a78 with mutex 0xffffbe000d00b9c0. => No active turnstile for this lock. Locks held by an LWP (syz-executor.4): Lock 0 (initialized at vcache_alloc) lock address : 0xffffbe0012d39700 type : sleep/adaptive initialized : 0xffffffff812ad182 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 1 current lwp : 0xffffbe001133e720 last held: 0xffffbe0012edeae0 last locked* : 0xffffffff812da8f0 unlocked : 0xffffffff812da7ad owner/count : 0xffffbe0012edeae0 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d83a60 with mutex 0xffffbe000d00b900. => No active turnstile for this lock. Lock 1 (initialized at vcache_alloc) lock address : 0xffffbe0012d397c0 type : sleep/adaptive initialized : 0xffffffff812ad182 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 1 current lwp : 0xffffbe001133e720 last held: 0xffffbe0012edeae0 last locked* : 0xffffffff812da8f0 unlocked : 0xffffffff812da7ad owner/count : 0xffffbe0012edeae0 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d83a78 with mutex 0xffffbe000d00b9c0. => No active turnstile for this lock. Lock 2 (initialized at genfs_node_init) lock address : 0xffffbe0012f5c778 type : sleep/adaptive initialized : 0xffffffff812daa74 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffbe001133e720 last held: 0xffffbe0012edeae0 last locked* : 0xffffffff810262f2 unlocked : 000000000000000000 owner/count : 0xffffbe0012edeae0 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d83868 with mutex 0xffffbe000cb2f900. => No active turnstile for this lock. Locks held by an LWP (syz-executor.1): Lock 0 (initialized at vcache_alloc) lock address : 0xffffbe0012d39440 type : sleep/adaptive initialized : 0xffffffff812ad182 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 1 current lwp : 0xffffbe001133e720 last held: 0xffffbe0012e76680 last locked* : 0xffffffff812da8f0 unlocked : 0xffffffff812da7ad owner/count : 0xffffbe0012e76680 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d83a08 with mutex 0xffffbe000d00b640. => No active turnstile for this lock. Lock 1 (initialized at vcache_alloc) lock address : 0xffffbe0012d39a40 type : sleep/adaptive initialized : 0xffffffff812ad182 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 1 current lwp : 0xffffbe001133e720 last held: 0xffffbe0012e76680 last locked* : 0xffffffff812da8f0 unlocked : 000000000000000000 owner/count : 0xffffbe0012e76680 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d83ac8 with mutex 0xffffbe000d00bc40. => No active turnstile for this lock. Locks held by an LWP (syz-executor.0): Lock 0 (initialized at vcache_alloc) lock address : 0xffffbe0012d39340 type : sleep/adaptive initialized : 0xffffffff812ad182 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 1 current lwp : 0xffffbe001133e720 last held: 0xffffbe0012e76240 last locked* : 0xffffffff812da8f0 unlocked : 0xffffffff812da7ad owner/count : 0xffffbe0012e76240 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d839e8 with mutex 0xffffbe000d00b540. => No active turnstile for this lock. Lock 1 (initialized at vcache_alloc) lock address : 0xffffbe00115a2680 type : sleep/adaptive initialized : 0xffffffff812ad182 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 1 current lwp : 0xffffbe001133e720 last held: 0xffffbe0012e76240 last locked* : 0xffffffff812da8f0 unlocked : 0xffffffff812da7ad [ 164.8210568] Skipping crash dump on recursive panic [ 164.8210568] panic: ASan: Unauthorized Access In 0xffffffff81182850: Addr 0xffffbe00115a2680 [8 bytes, read, PoolUseAfterFree] [ 164.8210568] cpu0: Begin traceback... [ 164.8210568] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 164.8210568] snprintf() at netbsd:snprintf [ 164.8210568] kasan_report() at netbsd:kasan_report+0x8f kasan_code_name sys/kern/subr_asan.c:172 [inline] [ 164.8210568] kasan_report() at netbsd:kasan_report+0x8f sys/kern/subr_asan.c:194 [ 164.8210568] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:344 [inline] [ 164.8210568] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:358 [inline] [ 164.8210568] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:410 [inline] [ 164.8210568] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1180 [ 164.8210568] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:191 [ 164.8210568] lockdebug_dump() at netbsd:lockdebug_dump+0x281 sys/kern/subr_lockdebug.c:777 [ 164.8210568] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb9 sys/kern/subr_lockdebug.c:855 [ 164.8210568] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:886 [inline] [ 164.8210568] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f sys/kern/subr_lockdebug.c:933 [ 164.8210568] db_command() at netbsd:db_command+0x2c0 sys/ddb/db_command.c:935 [ 164.8210568] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:432 [inline] [ 164.8210568] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:582 [ 164.8210568] db_trap() at netbsd:db_trap+0x219 sys/ddb/db_trap.c:94 [ 164.8210568] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:246 [ 164.8210568] trap() at netbsd:trap+0x650 sys/arch/amd64/amd64/trap.c:313 [ 164.8210568] --- trap (number 1) --- [ 164.8210568] breakpoint() at netbsd:breakpoint+0x5 [ 164.8210568] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 [ 164.8210568] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 164.8210568] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 164.8210568] pmap_unmap_ptes() at netbsd:pmap_unmap_ptes+0x1c7 sys/arch/x86/x86/pmap.c:700 [ 164.8210568] pmap_remove() at netbsd:pmap_remove+0x491 sys/arch/x86/x86/pmap.c:3635 [ 164.8210568] uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 [ 164.8210568] uvm_map_enter() at netbsd:uvm_map_enter+0x565 sys/uvm/uvm_map.c:1343 [ 164.8210568] uvm_map() at netbsd:uvm_map+0x1d9 sys/uvm/uvm_map.c:1102 [ 164.8210568] uvm_mmap.part.0() at netbsd:uvm_mmap.part.0+0x25e [ 164.8210568] sys_mmap() at netbsd:sys_mmap+0x8d9 uvm_mmap sys/uvm/uvm_mmap.c:401 [inline] [ 164.8210568] sys_mmap() at netbsd:sys_mmap+0x8d9 sys/uvm/uvm_mmap.c:401 [ 164.8210568] sys___syscall() at netbsd:sys___syscall+0xf5 sy_call sys/sys/syscallvar.h:65 [inline] [ 164.8210568] sys___syscall() at netbsd:sys___syscall+0xf5 sys/kern/sys_syscall.c:77 [ 164.8210568] syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] [ 164.8210568] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 164.8210568] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 [ 164.8210568] --- syscall (number 198) --- [ 164.8210568] 730e0fe43b9a: [ 164.8210568] cpu0: End traceback... [ 164.8210568] fatal breakpoint trap in supervisor mode [ 164.8210568] trap type 1 code 0 rip 0xffffffff8021ccb5 cs 0x8 rflags 0x246 cr2 0x73ba1844fede ilevel 0x8 rsp 0xffffbe017b462990 [ 164.8210568] curlwp 0xffffbe001133e720 pid 1750.3 lowest kstack 0xffffbe017b45c2c0 Stopped in pid 1750.3 (syz-executor.3) at netbsd:breakpoint+0x5: leave