[ 80.0665260] panic: kernel diagnostic assertion "pmap->pm_ncsw == curlwp->l_ncsw" failed: file "/syzkaller/managers/netbsd/kernel/sys/arch/x86/x86/pmap.c", line 700 [ 80.0765284] cpu1: Begin traceback... [ 80.0965783] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 80.1166159] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 80.1466534] pmap_unmap_ptes() at netbsd:pmap_unmap_ptes+0x1c7 sys/arch/x86/x86/pmap.c:700 [ 80.1767008] pmap_remove() at netbsd:pmap_remove+0x491 sys/arch/x86/x86/pmap.c:3635 [ 80.2067431] uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 [ 80.2367886] uvm_unmap1() at netbsd:uvm_unmap1+0xd0 sys/uvm/uvm_map.c:4766 [ 80.2568181] lwp_ctl_exit() at netbsd:lwp_ctl_exit+0x15a sys/kern/kern_lwp.c:1966 [ 80.2868615] exit1() at netbsd:exit1+0x26f sys/kern/kern_exit.c:272 [ 80.3068915] sys_exit() at netbsd:sys_exit+0x77 sys/kern/kern_exit.c:179 [ 80.3369369] syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] [ 80.3369369] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 80.3369369] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 [ 80.3469490] --- syscall (number 1) --- [ 80.3669822] 76df10399a6a: [ 80.3669822] cpu1: End traceback... [ 80.3669822] fatal breakpoint trap in supervisor mode [ 80.3770283] trap type 1 code 0 rip 0xffffffff8021ccb5 cs 0x8 rflags 0x246 cr2 0x74187829d000 ilevel 0 rsp 0xffffd0817a4af6a0 [ 80.3870260] curlwp 0xffffd08012030a40 pid 264.1 lowest kstack 0xffffd0817a4a82c0 Stopped in pid 264.1 (syz-executor.5) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure pmap_unmap_ptes() at netbsd:pmap_unmap_ptes+0x1c7 sys/arch/x86/x86/pmap.c:700 pmap_remove() at netbsd:pmap_remove+0x491 sys/arch/x86/x86/pmap.c:3635 uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 uvm_unmap1() at netbsd:uvm_unmap1+0xd0 sys/uvm/uvm_map.c:4766 lwp_ctl_exit() at netbsd:lwp_ctl_exit+0x15a sys/kern/kern_lwp.c:1966 exit1() at netbsd:exit1+0x26f sys/kern/kern_exit.c:272 sys_exit() at netbsd:sys_exit+0x77 sys/kern/kern_exit.c:179 syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 --- syscall (number 1) --- 76df10399a6a: ds 5d0 es 2f8 fs f680 gs f6d0 rdi ffffd0800cb1a458 rsi ffffd08012030d28 rbp ffffd0817a4af6a0 rbx ffffd0816ca80000 rdx 2 rcx ffffffff80d00841 db_panic+0xd5 rax 0 r8 4 r9 1ffffffff0553818 r10 ffffffff82a9c0c3 db_onpanic+0x3 r11 10 r12 ffffd0816ca92000 r13 ffffffff81c22540 platform_private_nodes+0x140 r14 ffffd0817a4af730 r15 ffffd0816ca80060 rip ffffffff8021ccb5 breakpoint+0x5 cs 8 rflags 246 rsp ffffd0817a4af6a0 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 850 3 1 0 0 ffffd0801304e740 syz-executor.2 850 1 3 0 0 ffffd08011415920 syz-executor.2 tstile 264 > 1 7 1 10000000 ffffd08012030a40 syz-executor.5 818 4 3 1 80 ffffd08012030600 syz-executor.3 parked 818 3 3 0 80 ffffd080113d3040 syz-executor.3 parked 818 1 2 1 10040000 ffffd080115266a0 syz-executor.3 747 3 3 1 80 ffffd08012d4e220 syz-executor.4 parked 686 3 3 1 80 ffffd08011fd14e0 syz-executor.2 parked 529 3 3 1 80 ffffd080114150a0 syz-executor.0 parked 97 3 3 1 80 ffffd08011338b60 syz-executor.5 parked 547 1 2 1 0 ffffd08012f1d280 syz-executor.5 497 1 3 0 80 ffffd08012e77ae0 syz-executor.4 pipe_rd 542 1 2 1 0 ffffd08012e776a0 syz-executor.3 612 1 3 0 0 ffffd08012e42ac0 syz-executor.2 tstile 40 1 2 1 0 ffffd08012e42680 syz-executor.1 41 1 3 1 80 ffffd08012e42240 syz-executor.0 pipe_rd 389 11 3 0 80 ffffd08012e77260 syz-fuzzer parked 389 10 3 1 80 ffffd080110d4a00 syz-fuzzer parked 389 9 3 0 80 ffffd08012d4eaa0 syz-fuzzer kqueue 389 8 3 0 80 ffffd08012d4e660 syz-fuzzer parked 389 7 3 0 80 ffffd08011f8e8e0 syz-fuzzer parked 389 6 3 0 80 ffffd08011f8e4a0 syz-fuzzer parked 389 5 3 0 80 ffffd08011f808c0 syz-fuzzer parked 389 4 3 1 80 ffffd08011f80040 syz-fuzzer parked 389 3 3 1 80 ffffd080120235e0 syz-fuzzer parked 389 2 3 0 80 ffffd080120231a0 syz-fuzzer parked 389 1 3 0 80 ffffd080110d4180 syz-fuzzer parked 532 1 3 0 80 ffffd08011f51760 sshd select 526 1 3 1 80 ffffd08011ffa9a0 getty nanoslp 575 1 3 0 80 ffffd08011ffa120 getty nanoslp 587 1 3 1 80 ffffd08011f30740 getty nanoslp 566 1 3 0 80 ffffd0801200e9e0 getty ttyraw 527 1 3 1 80 ffffd08011f8e060 cron nanoslp 464 1 3 1 80 ffffd08011f51320 inetd kqueue 437 1 3 0 80 ffffd080115a16e0 sshd select 473 1 3 1 80 ffffd080114dfa40 powerd kqueue 460 1 2 1 40000 ffffd080113d3480 makemandb 198 1 3 0 80 ffffd08011f51ba0 syslogd kqueue 247 1 3 1 80 ffffd080114ef1e0 dhcpcd kqueue 220 1 3 1 80 ffffd080113f18e0 dhcpcd kqueue 1 1 3 1 80 ffffd080111fa240 init wait 0 58 3 0 204 ffffd080111faac0 physiod physiod 0 57 3 0 204 ffffd08011242280 aiodoned aiodoned 0 56 3 0 40200 ffffd08011241ae0 ioflush syncer 0 55 3 0 204 ffffd080112416a0 pooldrain pooldrain 0 54 3 0 200 ffffd08011241260 pgdaemon pgdaemon 0 51 2 1 200 ffffd080111fa680 npfgc-0 0 50 3 0 204 ffffd080111ebaa0 rt_free rt_free 0 49 3 0 204 ffffd080111eb660 unpgc unpgc 0 48 3 1 204 ffffd080111eb220 key_timehandler key_timehandler 0 47 3 1 204 ffffd08011104a80 icmp6_wqinput/1 icmp6_wqinput 0 46 3 0 204 ffffd08011104640 icmp6_wqinput/0 icmp6_wqinput 0 45 3 1 204 ffffd08011104200 nd6_timer nd6_timer 0 44 3 1 204 ffffd080110f9a60 carp6_wqinput/1 carp6_wqinput 0 43 3 0 204 ffffd080110f9620 carp6_wqinput/0 carp6_wqinput 0 42 3 1 204 ffffd080110f91e0 carp_wqinput/1 carp_wqinput 0 41 3 0 204 ffffd080110e8a40 carp_wqinput/0 carp_wqinput 0 40 3 1 204 ffffd080110e8600 icmp_wqinput/1 icmp_wqinput 0 39 3 0 204 ffffd080110e81c0 icmp_wqinput/0 icmp_wqinput 0 38 3 1 204 ffffd080110d35a0 rt_timer rt_timer 0 37 3 1 204 ffffd080110d7a20 vmem_rehash vmem_rehash 0 27 3 0 204 ffffd0800e9b9580 scsibus0 sccomp 0 26 3 0 200 ffffd0800e9b9140 pms0 pmsreset 0 25 3 1 204 ffffd0800e92b9a0 xcall/1 xcall 0 24 1 1 200 ffffd0800e92b560 softser/1 0 23 1 1 200 ffffd0800e92b120 softclk/1 0 22 1 1 200 ffffd0800e927980 softbio/1 0 21 1 1 200 ffffd0800e927540 softnet/1 0 20 1 1 201 ffffd0800e927100 idle/1 0 19 3 0 204 ffffd0800e85d960 lnxpwrwq lnxpwrwq 0 18 3 0 204 ffffd0800e85d520 lnxlngwq lnxlngwq 0 17 3 0 204 ffffd0800e85d0e0 lnxsyswq lnxsyswq 0 16 3 0 204 ffffd0800d042940 lnxrcugc lnxrcugc 0 15 3 0 204 ffffd0800d042500 sysmon smtaskq 0 14 3 0 204 ffffd0800d0420c0 pmfsuspend pmfsuspend 0 13 3 0 204 ffffd0800d033920 pmfevent pmfevent 0 12 3 0 204 ffffd0800d0334e0 sopendfree sopendfr 0 11 3 1 204 ffffd0800d0330a0 nfssilly nfssilly 0 10 3 1 200 ffffd0800d027900 cachegc cachegc 0 9 3 1 204 ffffd0800d0274c0 vdrain vdrain 0 8 3 0 200 ffffd0800d027080 modunload mod_unld 0 7 3 0 204 ffffd0800d0188e0 xcall/0 xcall 0 6 1 0 200 ffffd0800d0184a0 softser/0 0 5 1 0 200 ffffd0800d018060 softclk/0 0 4 1 0 200 ffffd0800d0148c0 softbio/0 0 3 1 0 200 ffffd0800d014480 softnet/0 0 > 2 7 0 201 ffffd0800d014040 idle/0 0 1 3 0 200 ffffffff82b62fa0 swapper uvm [Locks tracked through LWPs] Locks held by an LWP (syz-executor.2): Lock 0 (initialized at uvm_obj_init) lock address : 0xffffd08011257240 type : sleep/adaptive initialized : 0xffffffff810f33bc shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffffd08012030a40 last held: 0xffffd08011415920 last locked* : 0xffffffff810d79ce unlocked : 0xffffffff812adba4 owner field : 000000000000000000 wait/spin: 0/0 Turnstile chain at 0xffffffff82d839c8 with mutex 0xffffd0800d00b440. => No active turnstile for this lock. Locks held by an LWP (syz-executor.5): Lock 0 (initialized at uvm_map_setup) lock address : 0xffffd08012006d18 type : sleep/adaptive initialized : 0xffffffff810e792d shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffd08012030a40 last held: 0xffffd08012030a40 last locked* : 0xffffffff810e17d4 unlocked : 0xffffffff810d48b4 owner/count : 0xffffd08012030a40 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d83920 with mutex 0xffffd0800cb2fec0. => No active turnstile for this lock. Lock 1 (initialized at uvm_obj_init) lock address : 0xffffd08012cf37c0 type : sleep/adaptive initialized : 0xffffffff810f33bc shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffd08012030a40 last held: 0xffffd08012030a40 last locked* : 0xffffffff810e7c10 unlocked : 0xffffffff810e7c8f owner field : 0xffffd08012030a40 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83a78 with mutex 0xffffd0800d00b9c0. => No active turnstile for this lock. Lock 2 (initialized at pmap_create) lock address : 0xffffd080120189b0 type : sleep/adaptive initialized : 0xffffffff80272166 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffd08012030a40 last held: 0xffffd08012030a40 last locked* : 0xffffffff80274a67 unlocked : 0xffffffff80274b88 owner field : 0xffffd08012030a40 wait/spin: 0/0 Turnstile chain at 0xffffffff82d838b0 with mutex 0xffffd0800cb2fb40. => No active turnstile for this lock. Locks held by an LWP (syz-executor.3): Lock 0 (initialized at vcache_alloc) lock address : 0xffffd08012d57880 type : sleep/adaptive initialized : 0xffffffff812ad182 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffd08012030a40 last held: 0xffffd080113d3040 last locked* : 0xffffffff812da8f0 unlocked : 0xffffffff812da7ad owner/count : 000000000000000000 flags : 000000000000000000 Turnstile chain at 0xffffffff82d83a90 with mutex 0xffffd0800d00ba80. => No active turnstile for this lock. Lock 1 (initialized at vcache_alloc) lock address : 0xffffd080110796c0 type : sleep/adaptive initialized : 0xffffffff812ad182 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffffd08012030a40 last held: 0xffffd080113d3040 last locked* : 0xffffffff812da838 unlocked : 0xffffffff812da7ad [ 80.3870260] Skipping crash dump on recursive panic [ 80.3870260] panic: ASan: Unauthorized Access In 0xffffffff81182850: Addr 0xffffd080110796c0 [8 bytes, read, PoolUseAfterFree] [ 80.3870260] cpu1: Begin traceback... [ 80.3870260] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 80.3870260] snprintf() at netbsd:snprintf [ 80.3870260] kasan_report() at netbsd:kasan_report+0x8f kasan_code_name sys/kern/subr_asan.c:172 [inline] [ 80.3870260] kasan_report() at netbsd:kasan_report+0x8f sys/kern/subr_asan.c:194 [ 80.3870260] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:344 [inline] [ 80.3870260] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:358 [inline] [ 80.3870260] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:410 [inline] [ 80.3870260] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1180 [ 80.3870260] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:191 [ 80.3870260] lockdebug_dump() at netbsd:lockdebug_dump+0x281 sys/kern/subr_lockdebug.c:777 [ 80.3870260] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb9 sys/kern/subr_lockdebug.c:855 [ 80.3870260] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:886 [inline] [ 80.3870260] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f sys/kern/subr_lockdebug.c:933 [ 80.3870260] db_command() at netbsd:db_command+0x2c0 sys/ddb/db_command.c:935 [ 80.3870260] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:432 [inline] [ 80.3870260] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:582 [ 80.3870260] db_trap() at netbsd:db_trap+0x219 sys/ddb/db_trap.c:94 [ 80.3870260] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:246 [ 80.3870260] trap() at netbsd:trap+0x650 sys/arch/amd64/amd64/trap.c:313 [ 80.3870260] --- trap (number 1) --- [ 80.3870260] breakpoint() at netbsd:breakpoint+0x5 [ 80.3870260] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 [ 80.3870260] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 80.3870260] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 80.3870260] pmap_unmap_ptes() at netbsd:pmap_unmap_ptes+0x1c7 sys/arch/x86/x86/pmap.c:700 [ 80.3870260] pmap_remove() at netbsd:pmap_remove+0x491 sys/arch/x86/x86/pmap.c:3635 [ 80.3870260] uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 [ 80.3870260] uvm_unmap1() at netbsd:uvm_unmap1+0xd0 sys/uvm/uvm_map.c:4766 [ 80.3870260] lwp_ctl_exit() at netbsd:lwp_ctl_exit+0x15a sys/kern/kern_lwp.c:1966 [ 80.3870260] exit1() at netbsd:exit1+0x26f sys/kern/kern_exit.c:272 [ 80.3870260] sys_exit() at netbsd:sys_exit+0x77 sys/kern/kern_exit.c:179 [ 80.3870260] syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] [ 80.3870260] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 80.3870260] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 [ 80.3870260] --- syscall (number 1) --- [ 80.3870260] 76df10399a6a: [ 80.3870260] cpu1: End traceback... [ 80.3870260] fatal breakpoint trap in supervisor mode [ 80.3870260] trap type 1 code 0 rip 0xffffffff8021ccb5 cs 0x8 rflags 0x246 cr2 0x74187829d000 ilevel 0x8 rsp 0xffffd0817a4aec60 [ 80.3870260] curlwp 0xffffd08012030a40 pid 264.1 lowest kstack 0xffffd0817a4a82c0 Stopped in pid 264.1 (syz-executor.5) at netbsd:breakpoint+0x5: leave