[ 65.5513353] panic: kernel diagnostic assertion "radix_tree_empty_tree_p(&pmap->pm_pvtree)" failed: file "/syzkaller/managers/netbsd/kernel/sys/arch/x86/x86/pmap.c", line 2599 [ 65.5717662] cpu0: Begin traceback... [ 65.5813370] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 65.6214071] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 65.6714933] pmap_dropref() at netbsd:pmap_dropref+0x2c6 pmap_dropref sys/arch/x86/x86/pmap.c:2599 [inline] [ 65.6714933] pmap_dropref() at netbsd:pmap_dropref+0x2c6 sys/arch/x86/x86/pmap.c:2550 [ 65.7115605] uvmspace_free() at netbsd:uvmspace_free+0x19a sys/uvm/uvm_map.c:4307 [ 65.7416130] uvm_proc_exit() at netbsd:uvm_proc_exit+0xc4 sys/uvm/uvm_glue.c:442 [ 65.7816841] exit1() at netbsd:exit1+0x3de sys/kern/kern_exit.c:334 [ 65.8217483] sigexit() at netbsd:sigexit+0x39d sys/kern/kern_sig.c:2285 [ 65.8618204] sendsig_siginfo() at netbsd:sendsig_siginfo+0x5c3 sys/arch/amd64/amd64/machdep.c:666 [ 65.8918692] sendsig() at netbsd:sendsig+0x94 sys/kern/kern_sig.c:2163 [ 65.9319363] trapsignal() at netbsd:trapsignal+0x686 sys/kern/kern_sig.c:972 [ 65.9720055] trap() at netbsd:trap+0xf34 sys/arch/amd64/amd64/trap.c:665 [ 65.9824577] --- trap (number 6) --- [ 65.9920394] 401f25: [ 66.0030539] cpu0: End traceback... [ 66.0030539] fatal breakpoint trap in supervisor mode [ 66.0030539] trap type 1 code 0 rip 0xffffffff8021e4b5 cs 0x8 rflags 0x246 cr2 0x718701867000 ilevel 0 rsp 0xffff9a018b51f3e0 [ 66.0229139] curlwp 0xffff9a0013b6ec00 pid 591.3 lowest kstack 0xffff9a018b5182c0 Stopped in pid 591.3 (syz-executor.4) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure pmap_dropref() at netbsd:pmap_dropref+0x2c6 pmap_dropref sys/arch/x86/x86/pmap.c:2599 [inline] pmap_dropref() at netbsd:pmap_dropref+0x2c6 sys/arch/x86/x86/pmap.c:2550 uvmspace_free() at netbsd:uvmspace_free+0x19a sys/uvm/uvm_map.c:4307 uvm_proc_exit() at netbsd:uvm_proc_exit+0xc4 sys/uvm/uvm_glue.c:442 exit1() at netbsd:exit1+0x3de sys/kern/kern_exit.c:334 sigexit() at netbsd:sigexit+0x39d sys/kern/kern_sig.c:2285 sendsig_siginfo() at netbsd:sendsig_siginfo+0x5c3 sys/arch/amd64/amd64/machdep.c:666 sendsig() at netbsd:sendsig+0x94 sys/kern/kern_sig.c:2163 trapsignal() at netbsd:trapsignal+0x686 sys/kern/kern_sig.c:972 trap() at netbsd:trap+0xf34 sys/arch/amd64/amd64/trap.c:665 --- trap (number 6) --- 401f25: ds 91b0 es ca65 fs f3c0 gs f410 rdi ffff9a000d92b458 rsi ffff9a0013b6eea8 rbp ffff9a018b51f3e0 rbx ffffffff82810340 cpu_info_primary rdx 3ffff rcx ffff9a017fc5d000 rax ffff9a0012a4da08 r8 4 r9 1ffffffff0553b20 r10 ffffffff82a9d903 db_onpanic+0x3 r11 10 r12 ffff9a016d8a4000 r13 ffffffff81c225e0 platform_private_nodes+0x140 r14 ffff9a018b51f470 r15 ffff9a016d893068 rip ffffffff8021e4b5 breakpoint+0x5 cs 8 rflags 246 rsp ffff9a018b51f3e0 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 98 3 2 0 0 ffff9a0011d46c00 syz-executor.1 98 1 2 0 0 ffff9a0013b6e800 syz-executor.1 96 4 3 1 80 ffff9a0013b84000 syz-executor.3 parked 96 3 3 1 80 ffff9a0013b6e400 syz-executor.3 netio 96 1 2 0 10000000 ffff9a0013b34800 syz-executor.3 591 > 3 7 0 20000000 ffff9a0013b6ec00 syz-executor.4 524 4 3 1 80 ffff9a0013b1e800 syz-executor.5 parked 602 3 3 1 80 ffff9a0011d04800 syz-executor.0 parked 517 3 3 1 40080 ffff9a0011d04400 syz-executor.0 parked 454 3 3 1 80 ffff9a0011c94c00 syz-executor.5 parked 627 3 3 1 40080 ffff9a0011ae0000 syz-executor.2 parked 587 5 3 1 80 ffff9a0013b34000 syz-executor.5 parked 587 4 3 1 10000004 ffff9a0012a9ec00 syz-executor.5 vfork 587 3 3 1 10000004 ffff9a0013b1e000 syz-executor.5 vfork 587 1 2 0 10040000 ffff9a0013ae9c00 syz-executor.5 535 4 3 1 80 ffff9a0013b1ec00 syz-executor.0 parked 535 3 3 1 4 ffff9a000f3c2800 syz-executor.0 vfork 535 1 2 1 10040000 ffff9a0013ae9400 syz-executor.0 548 1 2 1 0 ffff9a001397a000 syz-executor.5 603 1 2 1 0 ffff9a0013936c00 syz-executor.4 41 1 2 1 0 ffff9a0013936800 syz-executor.2 40 1 2 1 0 ffff9a0013936400 syz-executor.3 528 1 2 0 40000 ffff9a00137d7c00 syz-executor.1 601 1 2 1 0 ffff9a00137d7800 syz-executor.0 618 11 3 0 80 ffff9a0013936000 syz-fuzzer parked 618 10 3 0 80 ffff9a000f3c2c00 syz-fuzzer parked 618 9 3 1 80 ffff9a00137d7400 syz-fuzzer parked 618 8 2 0 0 ffff9a00137d3c00 syz-fuzzer 618 7 3 1 80 ffff9a00137d3800 syz-fuzzer parked 618 6 3 1 80 ffff9a00137d3400 syz-fuzzer parked 618 5 3 0 80 ffff9a00137d3000 syz-fuzzer parked 618 4 3 1 80 ffff9a0012a9e400 syz-fuzzer parked 618 3 3 1 80 ffff9a0012a9e000 syz-fuzzer kqueue 618 2 2 1 0 ffff9a0012aae800 syz-fuzzer 618 1 3 1 80 ffff9a00129c2000 syz-fuzzer parked 423 1 3 0 80 ffff9a0011ae3400 sshd select 574 1 3 0 80 ffff9a0012a7f800 getty nanoslp 511 1 3 0 80 ffff9a0012a90c00 getty nanoslp 469 1 3 0 80 ffff9a0012a90400 getty nanoslp 564 1 3 1 80 ffff9a0012a90000 getty ttyraw 558 1 3 0 80 ffff9a0012a67400 cron nanoslp 530 1 3 1 80 ffff9a00129fd400 inetd kqueue 317 1 3 1 80 ffff9a0011f8dc00 sshd select 408 1 3 0 80 ffff9a0011f39000 powerd kqueue 337 1 2 0 40000 ffff9a0012aae400 makemandb 195 1 3 1 80 ffff9a00129c2c00 syslogd kqueue 278 1 3 0 80 ffff9a0011f39400 dhcpcd kqueue 220 1 3 1 80 ffff9a0011e60000 dhcpcd kqueue 1 1 3 0 80 ffff9a0011c3ec00 init wait 0 58 3 0 204 ffff9a0011c54400 physiod physiod 0 57 3 1 204 ffff9a0011c94400 aiodoned aiodoned 0 56 3 0 204 ffff9a0011c94000 pooldrain pooldrain 0 55 3 0 200 ffff9a0011c54c00 ioflush syncer 0 54 3 1 200 ffff9a0011c54800 pgdaemon pgdaemon 0 51 2 0 200 ffff9a0011c54000 npfgc-0 0 50 3 1 204 ffff9a0011c3e800 rt_free rt_free 0 49 3 1 204 ffff9a0011c3e400 unpgc unpgc 0 48 2 0 200 ffff9a0011c3e000 key_timehandler 0 47 3 1 204 ffff9a0011b08c00 icmp6_wqinput/1 icmp6_wqinput 0 46 3 0 204 ffff9a0011b08800 icmp6_wqinput/0 icmp6_wqinput 0 45 2 0 200 ffff9a0011b08400 nd6_timer 0 44 3 1 204 ffff9a0011b08000 carp6_wqinput/1 carp6_wqinput 0 43 3 0 204 ffff9a0011af3c00 carp6_wqinput/0 carp6_wqinput 0 42 3 1 204 ffff9a0011af3800 carp_wqinput/1 carp_wqinput 0 41 3 0 204 ffff9a0011af3400 carp_wqinput/0 carp_wqinput 0 40 3 1 204 ffff9a0011af3000 icmp_wqinput/1 icmp_wqinput 0 39 3 0 204 ffff9a0011ae3c00 icmp_wqinput/0 icmp_wqinput 0 38 2 0 200 ffff9a0011ae3800 rt_timer 0 37 3 0 204 ffff9a0011ae3000 vmem_rehash vmem_rehash 0 27 3 0 204 ffff9a000f3c2400 scsibus0 sccomp 0 26 3 0 200 ffff9a000f3c2000 pms0 pmsreset 0 25 3 1 204 ffff9a000f333c00 xcall/1 xcall 0 24 1 1 200 ffff9a000f333800 softser/1 0 23 1 1 200 ffff9a000f333400 softclk/1 0 22 1 1 200 ffff9a000f333000 softbio/1 0 21 1 1 200 ffff9a000de51c00 softnet/1 0 20 1 1 201 ffff9a000de51800 idle/1 0 19 3 0 204 ffff9a000de51400 lnxpwrwq lnxpwrwq 0 18 3 0 204 ffff9a000de51000 lnxlngwq lnxlngwq 0 17 3 0 204 ffff9a000de4cc00 lnxsyswq lnxsyswq 0 16 3 0 204 ffff9a000de4c800 lnxrcugc lnxrcugc 0 15 3 0 204 ffff9a000de4c400 sysmon smtaskq 0 14 3 0 204 ffff9a000de4c000 pmfsuspend pmfsuspend 0 13 3 0 204 ffff9a000de35c00 pmfevent pmfevent 0 12 3 0 204 ffff9a000de35800 sopendfree sopendfr 0 11 3 0 204 ffff9a000de35400 nfssilly nfssilly 0 > 10 7 1 20000200 ffff9a000de35000 cachegc 0 9 3 0 204 ffff9a000de24c00 vdrain vdrain 0 8 3 1 200 ffff9a000de24800 modunload mod_unld 0 7 3 0 204 ffff9a000de24400 xcall/0 xcall 0 6 1 0 200 ffff9a000de24000 softser/0 0 5 1 0 200 ffff9a000de1fc00 softclk/0 0 4 1 0 200 ffff9a000de1f800 softbio/0 0 3 1 0 200 ffff9a000de1f400 softnet/0 0 2 1 0 201 ffff9a000de1f000 idle/0 0 1 3 0 200 ffffffff82b65e40 swapper uvm [Locks tracked through LWPs] Locks held by an LWP (syz-executor.1): Lock 0 (initialized at filedesc_ctor) lock address : 0xffff9a0013b39c40 type : sleep/adaptive initialized : 0xffffffff81140034 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 1 current lwp : 0xffff9a0013b6ec00 last held: 0xffff9a0011d46c00 last locked* : 0xffffffff811424cf unlocked : 0xffffffff811419be owner field : 0xffff9a0011d46c00 wait/spin: 0/0 Turnstile chain at 0xffffffff82d8a6c8 with mutex 0xffffffff82d89f80. => No active turnstile for this lock. Locks held by an LWP (syz-executor.4): Lock 0 (initialized at fork1) lock address : 0xffff9a0013b2f3e8 type : sleep/adaptive initialized : 0xffffffff81159f4c shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffff9a0013b6ec00 last held: 0xffff9a0013b6ec00 last locked* : 0xffffffff81156677 unlocked : 000000000000000000 owner/count : 0xffff9a0013b6ec00 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d8a5b8 with mutex 0xffffffff82d89700. => No active turnstile for this lock. Locks held by an LWP (syz-executor.2): Lock 0 (initialized at vcache_alloc) lock address : 0xffff9a00137db680 type : sleep/adaptive initialized : 0xffffffff812c2852 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 1 current lwp : 0xffff9a0013b6ec00 last held: 0xffff9a0013936800 last locked* : 0xffffffff812ef760 unlocked : 0xffffffff812ef61d owner/count : 0xffff9a0013936800 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d8a610 with mutex 0xffffffff82d899c0. => No active turnstile for this lock. Lock 1 (initialized at vcache_alloc) lock address : 0xffff9a00137db8c0 type : sleep/adaptive initialized : 0xffffffff812c2852 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 1 current lwp : 0xffff9a0013b6ec00 last held: 0xffff9a0013936800 last locked* : 0xffffffff812ef760 unlocked : 0xffffffff812ef61d [ 66.0229139] Skipping crash dump on recursive panic [ 66.0229139] panic: ASan: Unauthorized Access In 0xffffffff81195cb0: Addr 0xffff9a00137db8c0 [8 bytes, read, PoolUseAfterFree] [ 66.0229139] cpu0: Begin traceback... [ 66.0229139] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 66.0229139] snprintf() at netbsd:snprintf [ 66.0229139] kasan_report() at netbsd:kasan_report+0x8f kasan_code_name sys/kern/subr_asan.c:172 [inline] [ 66.0229139] kasan_report() at netbsd:kasan_report+0x8f sys/kern/subr_asan.c:194 [ 66.0229139] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:344 [inline] [ 66.0229139] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:358 [inline] [ 66.0229139] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:410 [inline] [ 66.0229139] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1180 [ 66.0229139] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:180 [ 66.0229139] lockdebug_dump() at netbsd:lockdebug_dump+0x281 sys/kern/subr_lockdebug.c:780 [ 66.0229139] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb9 sys/kern/subr_lockdebug.c:858 [ 66.0229139] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:889 [inline] [ 66.0229139] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f sys/kern/subr_lockdebug.c:936 [ 66.0229139] db_command() at netbsd:db_command+0x2c0 sys/ddb/db_command.c:942 [ 66.0229139] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:439 [inline] [ 66.0229139] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:589 [ 66.0229139] db_trap() at netbsd:db_trap+0x219 sys/ddb/db_trap.c:94 [ 66.0229139] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:246 [ 66.0229139] trap() at netbsd:trap+0x650 sys/arch/amd64/amd64/trap.c:313 [ 66.0229139] --- trap (number 1) --- [ 66.0229139] breakpoint() at netbsd:breakpoint+0x5 [ 66.0229139] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 [ 66.0229139] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 66.0229139] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 66.0229139] pmap_dropref() at netbsd:pmap_dropref+0x2c6 pmap_dropref sys/arch/x86/x86/pmap.c:2599 [inline] [ 66.0229139] pmap_dropref() at netbsd:pmap_dropref+0x2c6 sys/arch/x86/x86/pmap.c:2550 [ 66.0229139] uvmspace_free() at netbsd:uvmspace_free+0x19a sys/uvm/uvm_map.c:4307 [ 66.0229139] uvm_proc_exit() at netbsd:uvm_proc_exit+0xc4 sys/uvm/uvm_glue.c:442 [ 66.0229139] exit1() at netbsd:exit1+0x3de sys/kern/kern_exit.c:334 [ 66.0229139] sigexit() at netbsd:sigexit+0x39d sys/kern/kern_sig.c:2285 [ 66.0229139] sendsig_siginfo() at netbsd:sendsig_siginfo+0x5c3 sys/arch/amd64/amd64/machdep.c:666 [ 66.0229139] sendsig() at netbsd:sendsig+0x94 sys/kern/kern_sig.c:2163 [ 66.0229139] trapsignal() at netbsd:trapsignal+0x686 sys/kern/kern_sig.c:972 [ 66.0229139] trap() at netbsd:trap+0xf34 sys/arch/amd64/amd64/trap.c:665 [ 66.0229139] --- trap (number 6) --- [ 66.0229139] 401f25: [ 66.0229139] cpu0: End traceback... [ 66.0229139] fatal breakpoint trap in supervisor mode [ 66.0229139] trap type 1 code 0 rip 0xffffffff8021e4b5 cs 0x8 rflags 0x246 cr2 0x718701867000 ilevel 0x8 rsp 0xffff9a018b51e9a0 [ 66.0229139] curlwp 0xffff9a0013b6ec00 pid 591.3 lowest kstack 0xffff9a018b5182c0 Stopped in pid 591.3 (syz-executor.4) at netbsd:breakpoint+0x5: leave