[ 87.7665645] panic: kernel diagnostic assertion "semcnt >= 0" failed: file "/syzkaller/managers/netbsd/kernel/sys/kern/kern_uidinfo.c", line 241 [ 87.7765477] cpu1: Begin traceback... [ 87.7965461] vpanic() at netbsd:vpanic+0x265 sys/kern/subr_prf.c:290 [ 87.8465460] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 87.8865459] chgsemcnt() at netbsd:chgsemcnt+0x71 sys/kern/kern_uidinfo.c:242 [ 87.9365499] ksem_release() at netbsd:ksem_release+0xbf sys/kern/uipc_sem.c:536 [ 87.9865484] ksem_close_fop() at netbsd:ksem_close_fop+0xb0 sys/kern/uipc_sem.c:853 [ 88.0265450] closef() at netbsd:closef+0x152 sys/kern/kern_descrip.c:832 [ 88.0765463] fd_free() at netbsd:fd_free+0x544 sys/kern/kern_descrip.c:1565 [ 88.1165444] exit1() at netbsd:exit1+0x307 sys/kern/kern_exit.c:301 [ 88.1565476] sys_exit() at netbsd:sys_exit+0x92 sys/kern/kern_exit.c:180 [ 88.2065481] syscall() at netbsd:syscall+0x259 sy_call sys/sys/syscallvar.h:65 [inline] [ 88.2065481] syscall() at netbsd:syscall+0x259 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 88.2065481] syscall() at netbsd:syscall+0x259 sys/arch/x86/x86/syscall.c:138 [ 88.2165486] --- syscall (number 1) --- [ 88.2265493] netbsd:syscall+0x259: [ 88.2365458] cpu1: End traceback... [ 88.2365458] fatal breakpoint trap in supervisor mode [ 88.2365458] trap type 1 code 0 rip 0xffffffff80220a2d cs 0x8 rflags 0x286 cr2 0x769a78807ea0 ilevel 0 rsp 0xffffbf819ddd7930 [ 88.2465485] curlwp 0xffffbf8015428bc0 pid 1453.1453 lowest kstack 0xffffbf819ddd02c0 Stopped in pid 1453.1453 (syz-executor.2) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0x105 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x265 sys/kern/subr_prf.c:290 _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure chgsemcnt() at netbsd:chgsemcnt+0x71 sys/kern/kern_uidinfo.c:242 ksem_release() at netbsd:ksem_release+0xbf sys/kern/uipc_sem.c:536 ksem_close_fop() at netbsd:ksem_close_fop+0xb0 sys/kern/uipc_sem.c:853 closef() at netbsd:closef+0x152 sys/kern/kern_descrip.c:832 fd_free() at netbsd:fd_free+0x544 sys/kern/kern_descrip.c:1565 exit1() at netbsd:exit1+0x307 sys/kern/kern_exit.c:301 sys_exit() at netbsd:sys_exit+0x92 sys/kern/kern_exit.c:180 syscall() at netbsd:syscall+0x259 sy_call sys/sys/syscallvar.h:65 [inline] syscall() at netbsd:syscall+0x259 sy_invoke sys/sys/syscallvar.h:94 [inline] syscall() at netbsd:syscall+0x259 sys/arch/x86/x86/syscall.c:138 --- syscall (number 1) --- netbsd:syscall+0x259: Panic string: kernel diagnostic assertion "semcnt >= 0" failed: file "/syzkaller/managers/netbsd/kernel/sys/kern/kern_uidinfo.c", line 241 PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 1075 1075 2 0 0 ffffbf8013c818c0 syz-executor.4 1583 1583 2 0 40000 ffffbf8013be3a40 syz-executor.5 1453 >1453 7 1 10040000 ffffbf8015428bc0 syz-executor.2 1961 1961 2 0 0 ffffbf80147d0a40 syz-executor.5 1829 1829 3 1 40180 ffffbf8013988b00 syz-executor.5 parked 291 1831 2 0 0 ffffbf80153d2700 syz-executor.1 291 1190 3 1 180 ffffbf80153b1b00 syz-executor.1 parked 291 291 2 0 10040000 ffffbf8013bf3640 syz-executor.1 290 1458 2 0 40100 ffffbf8013959a80 syz-executor.0 290 290 2 0 10040000 ffffbf8013c26280 syz-executor.0 411 411 3 1 180 ffffbf8013a4dbc0 syz-executor.3 parked 404 404 3 0 180 ffffbf8013bc7180 syz-executor.3 parked 400 400 2 0 40140 ffffbf80153eb740 syz-executor.1 395 395 3 0 180 ffffbf801487a080 syz-executor.0 parked 393 410 3 1 10100000 ffffbf8013b79100 syz-executor.3 vfork 393 403 3 0 10100000 ffffbf8013b79540 syz-executor.3 vfork 393 393 2 0 10000040 ffffbf80153eb300 syz-executor.3 385 385 3 0 180 ffffbf80136e9b40 syz-executor.0 parked 384 384 3 1 180 ffffbf80154e5140 syz-executor.5 parked 1638 1638 3 0 180 ffffbf8014882500 syz-executor.4 parked 1370 1370 3 0 180 ffffbf80148c19c0 syz-executor.2 parked 1572 1572 3 1 180 ffffbf80147d01c0 syz-executor.2 parked 1731 1731 3 0 180 ffffbf8013daf900 syz-executor.2 parked 1701 1701 3 0 180 ffffbf80147dca80 syz-executor.2 parked 1762 1762 3 1 180 ffffbf801486f8c0 syz-executor.3 parked 577 577 3 1 180 ffffbf801547d0c0 syz-executor.3 parked 1336 1336 3 1 180 ffffbf80154764c0 syz-executor.3 parked 1067 1067 3 0 180 ffffbf8013bab580 syz-executor.2 parked 1077 1077 3 1 180 ffffbf80153ebb80 syz-executor.2 parked 327 327 3 1 180 ffffbf8013b79980 syz-executor.2 parked 1073 1073 2 0 140 ffffbf80152e4200 syz-executor.5 1104 1104 2 0 40 ffffbf801528da40 syz-executor.4 1083 1083 2 0 140 ffffbf801528d600 syz-executor.3 1078 1078 2 0 140 ffffbf801528d1c0 syz-executor.2 1023 1023 2 0 140 ffffbf8013b5e500 syz-executor.0 1068 1085 2 1 100 ffffbf8015138180 syz-fuzzer 1068 857 3 0 180 ffffbf8014839b00 syz-fuzzer parked 1068 1074 3 0 180 ffffbf80148396c0 syz-fuzzer parked 1068 1072 3 1 180 ffffbf8014839280 syz-fuzzer parked 1068 1081 3 1 180 ffffbf8013c4ab40 syz-fuzzer parked 1068 1079 2 1 140 ffffbf80148a6540 syz-fuzzer 1068 1125 2 1 140 ffffbf8013a4d780 syz-fuzzer 1068 1068 3 0 180 ffffbf8013ab74c0 syz-fuzzer parked 1069 1069 3 1 180 ffffbf8013ab7080 sshd select 1249 1249 3 1 180 ffffbf80148c1140 getty nanoslp 1101 1101 3 1 180 ffffbf80148a6980 getty nanoslp 698 698 3 0 180 ffffbf80136ec740 getty nanoslp 947 947 3 0 1c0 ffffbf80139f6700 getty ttyraw 948 948 3 1 180 ffffbf80147d0600 sshd select 980 980 3 1 180 ffffbf8013d00b00 powerd kqueue 872 872 3 0 180 ffffbf801484e700 syslogd kqueue 598 598 3 0 180 ffffbf8013c07ac0 dhcpcd poll 597 597 3 0 180 ffffbf8013c8f4c0 dhcpcd poll 594 594 3 0 180 ffffbf8013c07240 dhcpcd poll 462 462 3 1 180 ffffbf8013c5e740 dhcpcd poll 350 350 3 0 180 ffffbf8013d788c0 dhcpcd poll 349 349 3 0 180 ffffbf8013d78480 dhcpcd poll 348 348 3 1 180 ffffbf8013d78040 dhcpcd poll 1 1 3 0 180 ffffbf801385b140 init wait 0 837 3 1 200 ffffbf8013986240 physiod physiod 0 192 3 0 200 ffffbf8013988280 pooldrain pooldrain 0 > 163 7 0 240 ffffbf8013986ac0 ioflush 0 168 3 1 200 ffffbf8013986680 pgdaemon pgdaemon 0 162 3 1 200 ffffbf8013959640 usb7 usbevt 0 161 3 1 200 ffffbf8013959200 usb6 usbevt 0 31 3 0 200 ffffbf801390ba40 usb5 usbevt 0 63 3 1 200 ffffbf801390b600 usb4 usbevt 0 126 3 1 200 ffffbf801390b1c0 usb3 usbevt 0 125 3 1 200 ffffbf80138b8a00 usb2 usbevt 0 124 3 1 200 ffffbf80138b85c0 usb1 usbevt 0 123 3 1 200 ffffbf80138b8180 usb0 usbevt 0 122 3 1 200 ffffbf801385b9c0 usbtask-dr usbtsk 0 121 3 0 200 ffffbf8010dbbac0 usbtask-hc usbtsk 0 120 2 0 240 ffffbf801385b580 npfgc0 0 119 3 1 200 ffffbf801384c980 rt_free rt_free 0 118 3 1 200 ffffbf801384c540 unpgc unpgc 0 117 3 0 200 ffffbf801384c100 key_timehandler key_timehandler 0 116 3 1 200 ffffbf801371b940 icmp6_wqinput/1 icmp6_wqinput 0 115 3 0 200 ffffbf801371b500 icmp6_wqinput/0 icmp6_wqinput 0 114 3 0 200 ffffbf801371b0c0 nd6_timer nd6_timer 0 113 3 1 200 ffffbf8013711900 carp6_wqinput/1 carp6_wqinput 0 112 3 0 200 ffffbf80137114c0 carp6_wqinput/0 carp6_wqinput 0 111 3 1 200 ffffbf8013711080 carp_wqinput/1 carp_wqinput 0 110 3 0 200 ffffbf80137008c0 carp_wqinput/0 carp_wqinput 0 109 3 1 200 ffffbf8013700480 icmp_wqinput/1 icmp_wqinput 0 108 3 0 200 ffffbf8013700040 icmp_wqinput/0 icmp_wqinput 0 107 3 0 200 ffffbf80136edbc0 rt_timer rt_timer 0 106 3 1 200 ffffbf80136ed780 vmem_rehash vmem_rehash 0 105 3 0 200 ffffbf80136ecb80 entbutler entropy 0 96 3 1 200 ffffbf80130c0b00 viomb balloon 0 30 3 1 200 ffffbf80130c06c0 vioif0_txrx/1 vioif0_txrx 0 29 3 0 200 ffffbf80130c0280 vioif0_txrx/0 vioif0_txrx 0 27 3 0 200 ffffbf8010dbb680 scsibus0 sccomp 0 26 3 0 200 ffffbf8010dbb240 pms0 pmsreset 0 25 3 1 200 ffffbf8010d0ea80 xcall/1 xcall 0 24 1 1 200 ffffbf8010d0e640 softser/1 0 23 1 1 200 ffffbf8010d0e200 softclk/1 0 22 1 1 200 ffffbf8010d0ca40 softbio/1 0 21 1 1 200 ffffbf8010d0c600 softnet/1 0 20 1 1 201 ffffbf8010d0c1c0 idle/1 0 19 3 0 200 ffffbf800f77da00 lnxpwrwq lnxpwrwq 0 18 3 0 200 ffffbf800f77d5c0 lnxlngwq lnxlngwq 0 17 3 0 200 ffffbf800f77d180 lnxsyswq lnxsyswq 0 16 3 0 200 ffffbf800f7759c0 lnxrcugc lnxrcugc 0 15 3 0 200 ffffbf800f775580 sysmon smtaskq 0 14 3 0 200 ffffbf800f775140 pmfsuspend pmfsuspend 0 13 3 0 200 ffffbf800f771980 pmfevent pmfevent 0 12 3 0 200 ffffbf800f771540 sopendfree sopendfr 0 11 3 0 200 ffffbf800f771100 iflnkst iflnkst 0 10 3 0 200 ffffbf800f766940 nfssilly nfssilly 0 9 3 0 200 ffffbf800f766500 vdrain vdrain 0 8 3 0 200 ffffbf800f7660c0 modunload mod_unld 0 7 3 0 200 ffffbf800f758900 xcall/0 xcall 0 6 1 0 200 ffffbf800f7584c0 softser/0 0 5 1 0 200 ffffbf800f758080 softclk/0 0 4 1 0 200 ffffbf800f7568c0 softbio/0 0 3 1 0 200 ffffbf800f756480 softnet/0 0 2 1 0 201 ffffbf800f756040 idle/0 0 0 3 1 200 ffffffff82eee880 swapper uvm [Locks tracked through LWPs] ****** LWP 1583.1583 (syz-executor.5) @ 0xffffbf8013be3a40, l_stat=2 *** Locks held: * Lock 0 (initialized at amap_ctor) lock address : 0xffffbf80152a9ec0 type : sleep/adaptive initialized : 0xffffffff8182acdb shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffbf8013be3a40 last held: 0xffffbf8013be3a40 last locked* : 0xffffffff8183b4cd unlocked : 0xffffffff81839096 owner/count : 0xffffbf8013be3a40 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at pmap_ctor) lock address : 0xffffbf8013c76b80 type : sleep/adaptive initialized : 0xffffffff808d3c54 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffbf8013be3a40 last held: 0xffffbf8013be3a40 last locked* : 0xffffffff808d58e2 unlocked : 0xffffffff808d3967 owner field : 0xffffbf8013be3a40 wait/spin: 0/0 Turnstile: no active turnstile for this lock. *** Locks wanted: * Lock 0 (initialized at pmap_ctor) lock address : 0xffffbf8013c76b88 type : sleep/adaptive initialized : 0xffffffff808d3c60 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 1 relevant cpu : 0 last held: 0 relevant lwp : 0xffffbf8013be3a40 last held: 000000000000000000 last locked : 0xffffffff808ccd2b unlocked*: 0xffffffff808ccd4d owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. ****** LWP 1453.1453 (syz-executor.2) @ 0xffffbf8015428bc0, l_stat=7 *** Locks held: * Lock 0 (initialized at fork1) lock address : 0xffffbf8013c87810 type : sleep/adaptive initialized : 0xffffffff818c702e shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffbf8015428bc0 last held: 0xffffbf8015428bc0 last locked* : 0xffffffff818c33b1 unlocked : 000000000000000000 owner/count : 0xffffbf8015428bc0 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 1104.1104 (syz-executor.4) @ 0xffffbf801528da40, l_stat=2 *** Locks held: * Lock 0 (initialized at vcache_alloc) lock address : 0xffffbf8015282c00 type : sleep/adaptive initialized : 0xffffffff81a5a1b0 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffbf801528da40 last held: 0xffffbf801528da40 last locked* : 0xffffffff81a8cf80 unlocked : 0xffffffff81a8cfe2 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at vcache_alloc) lock address : 0xffffbf80136ee480 type : sleep/adaptive initialized : 0xffffffff81a5a1b0 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffbf801528da40 last held: 0xffffbf801528da40 last locked* : 0xffffffff81a8cf80 unlocked : 0xffffffff81a8cfe2 [ 88.2565462] Skipping crash dump on recursive panic [ 88.2565462] panic: ASan: Unauthorized Access In 0xffffffff819058c0: Addr 0xffffbf80136ee480 [8 bytes, read, PoolUseAfterFree] [ 88.2565462] cpu1: Begin traceback... [ 88.2565462] vpanic() at netbsd:vpanic+0x265 sys/kern/subr_prf.c:290 [ 88.2565462] snprintf() at netbsd:snprintf [ 88.2565462] kasan_report() at netbsd:kasan_report+0x8c kasan_code_name sys/kern/subr_asan.c:163 [inline] [ 88.2565462] kasan_report() at netbsd:kasan_report+0x8c sys/kern/subr_asan.c:195 [ 88.2565462] __asan_load8() at netbsd:__asan_load8+0x27e kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:345 [inline] [ 88.2565462] __asan_load8() at netbsd:__asan_load8+0x27e kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:359 [inline] [ 88.2565462] __asan_load8() at netbsd:__asan_load8+0x27e kasan_shadow_check sys/kern/subr_asan.c:411 [inline] [ 88.2565462] __asan_load8() at netbsd:__asan_load8+0x27e sys/kern/subr_asan.c:1198 [ 88.2565462] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:186 [ 88.2565462] lockdebug_dump() at netbsd:lockdebug_dump+0x23b sys/kern/subr_lockdebug.c:759 [ 88.2565462] lockdebug_show_one() at netbsd:lockdebug_show_one+0xa7 sys/kern/subr_lockdebug.c:839 [ 88.2565462] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x274 lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:877 [inline] [ 88.2565462] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x274 sys/kern/subr_lockdebug.c:941 [ 88.2565462] db_command() at netbsd:db_command+0x310 sys/ddb/db_command.c:957 [ 88.2565462] db_command_loop() at netbsd:db_command_loop+0x293 db_execute_commandlist sys/ddb/db_command.c:454 [inline] [ 88.2565462] db_command_loop() at netbsd:db_command_loop+0x293 sys/ddb/db_command.c:604 [ 88.2565462] db_trap() at netbsd:db_trap+0x22c sys/ddb/db_trap.c:94 [ 88.2565462] kdb_trap() at netbsd:kdb_trap+0x25c sys/arch/amd64/amd64/db_interface.c:250 [ 88.2565462] trap() at netbsd:trap+0x819 sys/arch/amd64/amd64/trap.c:315 [ 88.2565462] --- trap (number 1) --- [ 88.2565462] breakpoint() at netbsd:breakpoint+0x5 [ 88.2565462] db_panic() at netbsd:db_panic+0x105 sys/ddb/db_panic.c:67 [ 88.2565462] vpanic() at netbsd:vpanic+0x265 sys/kern/subr_prf.c:290 [ 88.2565462] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 88.2565462] chgsemcnt() at netbsd:chgsemcnt+0x71 sys/kern/kern_uidinfo.c:242 [ 88.2565462] ksem_release() at netbsd:ksem_release+0xbf sys/kern/uipc_sem.c:536 [ 88.2565462] ksem_close_fop() at netbsd:ksem_close_fop+0xb0 sys/kern/uipc_sem.c:853 [ 88.2565462] closef() at netbsd:closef+0x152 sys/kern/kern_descrip.c:832 [ 88.2565462] fd_free() at netbsd:fd_free+0x544 sys/kern/kern_descrip.c:1565 [ 88.2565462] exit1() at netbsd:exit1+0x307 sys/kern/kern_exit.c:301 [ 88.2565462] sys_exit() at netbsd:sys_exit+0x92 sys/kern/kern_exit.c:180 [ 88.2565462] syscall() at netbsd:syscall+0x259 sy_call sys/sys/syscallvar.h:65 [inline] [ 88.2565462] syscall() at netbsd:syscall+0x259 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 88.2565462] syscall() at netbsd:syscall+0x259 sys/arch/x86/x86/syscall.c:138 [ 88.2565462] --- syscall (number 1) --- [ 88.2565462] netbsd:syscall+0x259: [ 88.2565462] cpu1: End traceback... [ 88.2565462] fatal breakpoint trap in supervisor mode [ 88.2565462] trap type 1 code 0 rip 0xffffffff80220a2d cs 0x8 rflags 0x286 cr2 0x769a78807ea0 ilevel 0x8 rsp 0xffffbf819ddd6f00 [ 88.2565462] curlwp 0xffffbf8015428bc0 pid 1453.1453 lowest kstack 0xffffbf819ddd02c0 Stopped in pid 1453.1453 (syz-executor.2) at netbsd:breakpoint+0x5: leave