[ 284.0759791] panic: kernel diagnostic assertion "ci->ci_tlbstate != TLBSTATE_VALID" failed: file "/syzkaller/managers/netbsd/kernel/sys/arch/x86/x86/pmap.c", line 3412 [ 284.0859594] cpu1: Begin traceback... May 28 20:32:19 ci2-netbsd-1 syslogd[449]: Exiting on signal 15 [ 284.0960054] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 [ 284.1259616] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 284.1559619] pmap_activate() at netbsd:pmap_activate+0x173 sys/arch/x86/x86/pmap.c:3412 [ 284.1859630] mi_switch() at netbsd:mi_switch+0x673 sys/kern/kern_synch.c:808 [ 284.2059637] sleepq_block() at netbsd:sleepq_block+0x130 sys/kern/kern_sleepq.c:345 [ 284.2359682] turnstile_block() at netbsd:turnstile_block+0x9c9 sys/kern/kern_turnstile.c:438 [ 284.2559832] mutex_enter() at netbsd:mutex_enter+0x230 sys/kern/kern_mutex.c:693 [ 284.2759825] pool_put() at netbsd:pool_put+0x86 pool_put_quarantine sys/kern/subr_pool.c:2957 [inline] [ 284.2759825] pool_put() at netbsd:pool_put+0x86 sys/kern/subr_pool.c:1316 [ 284.2959994] fd_free() at netbsd:fd_free+0x52c sys/kern/kern_descrip.c:1577 [ 284.3159821] exit1() at netbsd:exit1+0x2bf sys/kern/kern_exit.c:301 [ 284.3359923] sigexit() at netbsd:sigexit+0x39f sys/kern/kern_sig.c:2305 [ 284.3559904] sendsig() at netbsd:sendsig [ 284.3759884] lwp_userret() at netbsd:lwp_userret+0x38a sys/kern/kern_lwp.c:1633 [ 284.3959887] syscall() at netbsd:syscall+0x858 x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline] [ 284.3959887] syscall() at netbsd:syscall+0x858 KPREEMPT_DISABLE sys/sys/lwp.h:539 [inline] [ 284.3959887] syscall() at netbsd:syscall+0x858 mi_userret sys/sys/userret.h:97 [inline] [ 284.3959887] syscall() at netbsd:syscall+0x858 userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] [ 284.3959887] syscall() at netbsd:syscall+0x858 sys/arch/x86/x86/syscall.c:166 [ 284.4059828] --- syscall (number 4) --- [ 284.4159844] 
netbsd:syscall+0x858: [ 284.4159844] cpu1: End traceback... [ 284.4259859] fatal breakpoint trap in supervisor mode [ 284.4259859] trap type 1 code 0 rip 0xffffffff8022094d cs 0x8 rflags 0x286 cr2 0xffffdb016fc35248 ilevel 0x8 rsp 0xffffdb018b4d44d0 [ 284.4459927] curlwp 0xffffdb0012d05600 pid 1097.1097 lowest kstack 0xffffdb018b4cd2c0 Stopped in pid 1097.1097 (syz-executor.3) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure pmap_activate() at netbsd:pmap_activate+0x173 sys/arch/x86/x86/pmap.c:3412 mi_switch() at netbsd:mi_switch+0x673 sys/kern/kern_synch.c:808 sleepq_block() at netbsd:sleepq_block+0x130 sys/kern/kern_sleepq.c:345 turnstile_block() at netbsd:turnstile_block+0x9c9 sys/kern/kern_turnstile.c:438 mutex_enter() at netbsd:mutex_enter+0x230 sys/kern/kern_mutex.c:693 pool_put() at netbsd:pool_put+0x86 pool_put_quarantine sys/kern/subr_pool.c:2957 [inline] pool_put() at netbsd:pool_put+0x86 sys/kern/subr_pool.c:1316 fd_free() at netbsd:fd_free+0x52c sys/kern/kern_descrip.c:1577 exit1() at netbsd:exit1+0x2bf sys/kern/kern_exit.c:301 sigexit() at netbsd:sigexit+0x39f sys/kern/kern_sig.c:2305 sendsig() at netbsd:sendsig lwp_userret() at netbsd:lwp_userret+0x38a sys/kern/kern_lwp.c:1633 syscall() at netbsd:syscall+0x858 x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline] syscall() at netbsd:syscall+0x858 KPREEMPT_DISABLE sys/sys/lwp.h:539 [inline] syscall() at netbsd:syscall+0x858 mi_userret sys/sys/userret.h:97 [inline] syscall() at netbsd:syscall+0x858 userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] syscall() at netbsd:syscall+0x858 sys/arch/x86/x86/syscall.c:166 --- syscall (number 4) --- netbsd:syscall+0x858: ds ffff es b580 fs 44b0 gs 980 rdi ffffffff82bd8280 db_onpanic 
rsi 1ffffffff057b050 rbp ffffdb018b4d44d0 rbx ffffdb016e699000 rdx 0 rcx ffffffff8126bf59 db_panic+0xd5 rax ffffdb0012d05600 r8 4 r9 1ffffffff057b050 r10 ffffffff82bd8283 db_onpanic+0x3 r11 8000000000 r12 ffffdb016e6aa000 r13 ffffffff81f89140 platform_private_nodes+0x160 r14 ffffdb018b4d4560 r15 ffffdb016e699060 rip ffffffff8022094d breakpoint+0x5 cs 8 rflags 286 rsp ffffdb018b4d44d0 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 1882 1882 3 0 0 ffffdb0012b35340 dhcpcd fstchg 1357 1357 3 1 80 ffffdb001295a180 halt nanoslp 1222 1222 2 1 1000000 ffffdb00137e20c0 syz-executor.1 1254 608 5 0 11100000 ffffdb001295ca40 syz-executor.1 1254 1254 3 0 11000000 ffffdb001380b600 syz-executor.1 xclocv 767 767 2 1 1000000 ffffdb0012d75ac0 syz-executor.3 1097 >1097 7 1 1000000 ffffdb0012d05600 syz-executor.3 965 965 2 1 1000000 ffffdb0012b35bc0 syz-executor.1 1313 1313 2 1 1000040 ffffdb001490c980 syz-executor.5 702 702 3 0 1000040 ffffdb001490c100 syz-executor.3 tstile 1436 1436 3 0 1000040 ffffdb00148ca940 syz-executor.4 tstile 1659 1659 3 0 1000040 ffffdb00148ca500 syz-executor.2 tstile 700 700 3 0 1000040 ffffdb0014789900 syz-executor.0 tstile 690 695 3 0 0 ffffdb0014789080 syz-fuzzer xclocv 690 697 2 1 100000 ffffdb0013813a80 syz-fuzzer 690 714 3 0 100000 ffffdb0013813640 syz-fuzzer xclocv 690 694 2 1 100040 ffffdb0013813200 syz-fuzzer 690 693 2 1 100040 ffffdb00136da6c0 syz-fuzzer 690 692 5 0 100000 ffffdb0013827280 syz-fuzzer 690 690 5 0 100000 ffffdb00127442c0 syz-fuzzer 734 734 3 0 0 ffffdb00138035c0 sshd fstchg 800 800 3 0 10000c0 ffffdb0013803180 getty fstcnt 1443 1443 3 0 0 ffffdb0012cf0a00 sshd tstile 449 449 3 0 0 ffffdb001374db40 syslogd tstile 303 303 3 0 0 ffffdb0012c9b040 dhcpcd fstchg 338 338 3 0 80 ffffdb0012b7a900 dhcpcd wait 1 1 3 0 0 ffffdb00128e8980 init xclocv 0 932 3 0 200 ffffdb001295a5c0 physiod physiod 0 63 3 0 200 ffffdb001295c600 pooldrain pooldrain 0 126 3 0 200 ffffdb001295c1c0 ioflush syncer 0 125 3 1 200 
ffffdb001295aa00 pgdaemon pgdaemon 0 122 3 0 200 ffffdb00128fd9c0 usb0 usbevt 0 121 3 1 200 ffffdb00128fd580 usbtask-dr usbtsk 0 120 3 0 200 ffffdb000fe5cac0 usbtask-hc usbtsk 0 119 3 0 200 ffffdb00128fd140 npfgc-0 npfgccv 0 118 3 1 200 ffffdb00128e8540 rt_free rt_free 0 117 3 1 200 ffffdb00128e8100 unpgc unpgc 0 116 3 0 200 ffffdb00128df940 key_timehandler key_timehandler 0 115 3 1 200 ffffdb00128df500 icmp6_wqinput/1 icmp6_wqinput 0 114 3 0 200 ffffdb00128df0c0 icmp6_wqinput/0 icmp6_wqinput 0 113 3 0 200 ffffdb00128d6900 nd6_timer nd6_timer 0 112 3 1 200 ffffdb00128d64c0 carp6_wqinput/1 carp6_wqinput 0 111 3 0 200 ffffdb00128d6080 carp6_wqinput/0 carp6_wqinput 0 110 3 1 200 ffffdb00127598c0 carp_wqinput/1 carp_wqinput 0 109 3 0 200 ffffdb0012759480 carp_wqinput/0 carp_wqinput 0 108 3 1 200 ffffdb0012759040 icmp_wqinput/1 icmp_wqinput 0 107 3 0 200 ffffdb0012748bc0 icmp_wqinput/0 icmp_wqinput 0 106 3 0 200 ffffdb0012747740 rt_timer rt_timer 0 105 3 0 200 ffffdb0012748780 vmem_rehash vmem_rehash 0 104 3 1 200 ffffdb0012748340 entbutler entropy 0 30 3 1 200 ffffdb00121626c0 vioif0_txrx/1 vioif0_txrx 0 29 3 0 200 ffffdb0012162280 vioif0_txrx/0 vioif0_txrx 0 27 3 0 200 ffffdb000fe5c680 scsibus0 sccomp 0 26 3 0 200 ffffdb000fe5c240 pms0 pmsreset 0 25 2 1 200 ffffdb000fd9da80 xcall/1 0 24 1 1 200 ffffdb000fd9d640 softser/1 0 23 1 1 200 ffffdb000fd9d200 softclk/1 0 22 1 1 200 ffffdb000fd9ba40 softbio/1 0 21 1 1 200 ffffdb000fd9b600 softnet/1 0 20 1 1 201 ffffdb000fd9b1c0 idle/1 0 19 3 0 200 ffffdb000e80aa00 lnxpwrwq lnxpwrwq 0 18 3 0 200 ffffdb000e80a5c0 lnxlngwq lnxlngwq 0 17 3 0 200 ffffdb000e80a180 lnxsyswq lnxsyswq 0 16 3 0 200 ffffdb000e8049c0 lnxrcugc lnxrcugc 0 15 3 0 200 ffffdb000e804580 sysmon smtaskq 0 14 3 0 200 ffffdb000e804140 pmfsuspend pmfsuspend 0 13 3 0 200 ffffdb000e7ff980 pmfevent pmfevent 0 12 3 0 200 ffffdb000e7ff540 sopendfree sopendfr 0 11 3 0 200 ffffdb000e7ff100 iflnkst iflnkst 0 10 3 0 200 ffffdb000e7f3940 nfssilly nfssilly 0 9 3 0 200 
ffffdb000e7f3500 vdrain vdrain 0 8 3 0 200 ffffdb000e7f30c0 modunload mod_unld 0 7 3 0 200 ffffdb000e7e6900 xcall/0 xcall 0 6 1 0 200 ffffdb000e7e64c0 softser/0 0 5 1 0 200 ffffdb000e7e6080 softclk/0 0 4 1 0 200 ffffdb000e7e48c0 softbio/0 0 3 1 0 200 ffffdb000e7e4480 softnet/0 0 > 2 1 0 201 ffffdb000e7e4040 idle/0 0 0 3 0 200 ffffffff82ca3700 swapper uvm [Locks tracked through LWPs] ****** LWP 1222.1222 (syz-executor.1) @ 0xffffdb00137e20c0, l_stat=2 *** Locks held: * Lock 0 (initialized at fork1) lock address : 0xffffdb0012b4f490 type : sleep/adaptive initialized : 0xffffffff816b76d8 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffdb00137e20c0 last held: 0xffffdb00137e20c0 last locked* : 0xffffffff816b3fa4 unlocked : 000000000000000000 owner/count : 0xffffdb00137e20c0 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at pmap_ctor) lock address : 0xffffdb0012bcf180 type : sleep/adaptive initialized : 0xffffffff80870a87 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffdb00137e20c0 last held: 0xffffdb00137e20c0 last locked* : 0xffffffff8086fd29 unlocked : 0xffffffff808773c9 owner field : 0xffffdb00137e20c0 wait/spin: 0/0 Turnstile: no active turnstile for this lock. * Lock 2 (initialized at pmap_ctor) lock address : 0xffffdb0012bcf188 type : sleep/adaptive initialized : 0xffffffff80870a93 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffdb00137e20c0 last held: 0xffffdb00137e20c0 last locked* : 0xffffffff8086fe22 unlocked : 0xffffffff8086fe36 owner/count : 0xffffdb00137e20c0 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. 
*** Locks wanted: * Lock 0 (initialized at pool_init) lock address : 0xffffdb000e741130 type : sleep/adaptive initialized : 0xffffffff8175dd47 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 1 relevant cpu : 1 last held: 1 relevant lwp : 0xffffdb00137e20c0 last held: 000000000000000000 last locked : 0xffffffff81760585 unlocked*: 0xffffffff8176064c owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. ****** LWP 767.767 (syz-executor.3) @ 0xffffdb0012d75ac0, l_stat=2 *** Locks held: * Lock 0 (initialized at fork1) lock address : 0xffffdb0012a79790 type : sleep/adaptive initialized : 0xffffffff816b76d8 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffdb0012d75ac0 last held: 0xffffdb0012d75ac0 last locked* : 0xffffffff816b3fa4 unlocked : 0xffffffff81792c12 owner/count : 0xffffdb0012d75ac0 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at pmap_ctor) lock address : 0xffffdb0013854780 type : sleep/adaptive initialized : 0xffffffff80870a87 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffdb0012d75ac0 last held: 0xffffdb0012d75ac0 last locked* : 0xffffffff80876dfc unlocked : 0xffffffff80872daa owner field : 0xffffdb0012d75ac0 wait/spin: 0/0 Turnstile: no active turnstile for this lock. *** Locks wanted: * Lock 0 (initialized at pool_init) lock address : 0xffffffff82dca1b0 type : sleep/adaptive initialized : 0xffffffff8175dd47 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 1 relevant cpu : 1 last held: 0 relevant lwp : 0xffffdb0012d75ac0 last held: 000000000000000000 last locked : 0xffffffff81760585 unlocked*: 0xffffffff8176064c owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. 
****** LWP 1097.1097 (syz-executor.3) @ 0xffffdb0012d05600, l_stat=7 *** Locks held: * Lock 0 (initialized at fork1) lock address : 0xffffdb0012b27ed0 type : sleep/adaptive initialized : 0xffffffff816b76d8 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffdb0012d05600 last held: 0xffffdb0012d05600 last locked* : 0xffffffff816b3fa4 unlocked : 0xffffffff81792c12 owner/count : 0xffffdb0012d05600 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. *** Locks wanted: * Lock 0 (initialized at pool_init) lock address : 0xffffdb000fca2170 type : sleep/adaptive initialized : 0xffffffff8175dd47 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 2 relevant cpu : 1 last held: 1 relevant lwp : 0xffffdb0012d05600 last held: 000000000000000000 last locked : 0xffffffff81760585 unlocked*: 0xffffffff8176064c owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. ****** LWP 965.965 (syz-executor.1) @ 0xffffdb0012b35bc0, l_stat=2 *** Locks held: * Lock 0 (initialized at fork1) lock address : 0xffffdb0014ab9890 type : sleep/adaptive initialized : 0xffffffff816b76d8 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffdb0012b35bc0 last held: 0xffffdb0012b35bc0 last locked* : 0xffffffff816b3fa4 unlocked : 0xffffffff81792c12 owner/count : 0xffffdb0012b35bc0 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. *** Locks wanted: * Lock 0 (initialized at pool_init) lock address : 0xffffdb000fca2170 type : sleep/adaptive initialized : 0xffffffff8175dd47 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 2 relevant cpu : 1 last held: 1 relevant lwp : 0xffffdb0012b35bc0 last held: 000000000000000000 last locked : 0xffffffff81760585 unlocked*: 0xffffffff8176064c owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. 
****** LWP 1313.1313 (syz-executor.5) @ 0xffffdb001490c980, l_stat=2 *** Locks held: * Lock 0 (initialized at fork1) lock address : 0xffffdb001406ded0 type : sleep/adaptive initialized : 0xffffffff816b76d8 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 0 relevant lwp : 0xffffdb001490c980 last held: 0xffffdb001490c980 last locked* : 0xffffffff816b3fa4 unlocked : 0xffffffff816b1947 owner/count : 0xffffdb001490c980 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at uvm_map_setup) lock address : 0xffffffff82e217e8 type : sleep/adaptive initialized : 0xffffffff8164a151 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 4 relevant cpu : 1 last held: 1 relevant lwp : 0xffffdb001490c980 last held: 0xffffdb001490c980 last locked* : 0xffffffff81644405 unlocked : 0xffffffff8164d90d owner/count : 0xffffdb001490c980 flags : 0x0000000000000007 Turnstile: => 1 waiting readers: 0xffffdb001374db40 => 4 waiting writers: 0xffffdb00148ca940 0xffffdb00148ca500 0xffffdb0014789900 0xffffdb001490c100 * Lock 2 (initialized at uvm_obj_init) lock address : 0xffffdb001495c480 type : sleep/adaptive initialized : 0xffffffff81656de0 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffdb001490c980 last held: 0xffffdb001490c980 last locked* : 0xffffffff8164a39f unlocked : 0xffffffff81631225 owner/count : 0xffffdb001490c980 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. 
* Lock 3 (initialized at pmap_bootstrap) lock address : 0xffffffff82d99040 type : sleep/adaptive initialized : 0xffffffff8086da6e shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffdb001490c980 last held: 0xffffdb001490c980 last locked* : 0xffffffff80871f1d unlocked : 0xffffffff808720be owner field : 0xffffdb001490c980 wait/spin: 1/0 Turnstile: => 0 waiting readers: => 1 waiting writers: 0xffffdb0012cf0a00 *** Locks wanted: none ****** LWP 702.702 (syz-executor.3) @ 0xffffdb001490c100, l_stat=3 *** Locks held: * Lock 0 (initialized at fork1) lock address : 0xffffdb0012c4cb10 type : sleep/adaptive initialized : 0xffffffff816b76d8 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffdb001490c100 last held: 0xffffdb001490c100 last locked* : 0xffffffff816b3fa4 unlocked : 0xffffffff816b1947 owner/count : 0xffffdb001490c100 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. 
*** Locks wanted: * Lock 0 (initialized at uvm_map_setup) lock address : 0xffffffff82e217e8 type : sleep/adaptive initialized : 0xffffffff8164a151 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 4 relevant cpu : 0 last held: 1 relevant lwp : 0xffffdb001490c100 last held: 0xffffdb001490c980 last locked* : 0xffffffff81644405 unlocked : 0xffffffff8164d90d owner/count : 0xffffdb001490c980 flags : 0x0000000000000007 Turnstile: => 1 waiting readers: 0xffffdb001374db40 => 4 waiting writers: 0xffffdb00148ca940 0xffffdb00148ca500 0xffffdb0014789900 0xffffdb001490c100 ****** LWP 1436.1436 (syz-executor.4) @ 0xffffdb00148ca940, l_stat=3 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at uvm_map_setup) lock address : 0xffffffff82e217e8 type : sleep/adaptive initialized : 0xffffffff8164a151 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 4 relevant cpu : 0 last held: 1 relevant lwp : 0xffffdb00148ca940 last held: 0xffffdb001490c980 last locked* : 0xffffffff81644405 unlocked : 0xffffffff8164d90d owner/count : 0xffffdb001490c980 flags : 0x0000000000000007 Turnstile: => 1 waiting readers: 0xffffdb001374db40 => 4 waiting writers: 0xffffdb00148ca940 0xffffdb00148ca500 0xffffdb0014789900 0xffffdb001490c100 ****** LWP 1659.1659 (syz-executor.2) @ 0xffffdb00148ca500, l_stat=3 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at uvm_map_setup) lock address : 0xffffffff82e217e8 type : sleep/adaptive initialized : 0xffffffff8164a151 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 4 relevant cpu : 0 last held: 1 relevant lwp : 0xffffdb00148ca500 last held: 0xffffdb001490c980 last locked* : 0xffffffff81644405 unlocked : 0xffffffff8164d90d owner/count : 0xffffdb001490c980 flags : 0x0000000000000007 Turnstile: => 1 waiting readers: 0xffffdb001374db40 => 4 waiting writers: 0xffffdb00148ca940 0xffffdb00148ca500 0xffffdb0014789900 0xffffdb001490c100 ****** LWP 700.700 (syz-executor.0) @ 0xffffdb0014789900, l_stat=3 *** Locks held: none *** 
Locks wanted: * Lock 0 (initialized at uvm_map_setup) lock address : 0xffffffff82e217e8 type : sleep/adaptive initialized : 0xffffffff8164a151 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 4 relevant cpu : 0 last held: 1 relevant lwp : 0xffffdb0014789900 last held: 0xffffdb001490c980 last locked* : 0xffffffff81644405 unlocked : 0xffffffff8164d90d owner/count : 0xffffdb001490c980 flags : 0x0000000000000007 Turnstile: => 1 waiting readers: 0xffffdb001374db40 => 4 waiting writers: 0xffffdb00148ca940 0xffffdb00148ca500 0xffffdb0014789900 0xffffdb001490c100 ****** LWP 800.800 (getty) @ 0xffffdb0013803180, l_stat=3 *** Locks held: * Lock 0 (initialized at fork1) lock address : 0xffffdb00137f97d0 type : sleep/adaptive initialized : 0xffffffff816b76d8 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffdb0013803180 last held: 0xffffdb0013803180 last locked* : 0xffffffff816b3fa4 unlocked : 0xffffffff816b1947 owner/count : 0xffffdb0013803180 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at pmap_ctor) lock address : 0xffffdb0013818380 type : sleep/adaptive initialized : 0xffffffff80870a87 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffdb0013803180 last held: 0xffffdb0013803180 last locked* : 0xffffffff80876dfc unlocked : 0xffffffff80872daa [ 284.4459927] Skipping crash dump on recursive panic [ 284.4459927] panic: ASan: Unauthorized Access In 0xffffffff816cff80: Addr 0xffffdb0013818380 [8 bytes, read, PoolUseAfterFree] [ 284.4459927] cpu1: Begin traceback... 
[ 284.4459927] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 [ 284.4459927] snprintf() at netbsd:snprintf [ 284.4459927] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline] [ 284.4459927] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197 [ 284.4459927] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline] [ 284.4459927] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline] [ 284.4459927] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline] [ 284.4459927] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210 [ 284.4459927] mutex_dump() at netbsd:mutex_dump+0x20 sys/kern/kern_mutex.c:313 [ 284.4459927] lockdebug_dump() at netbsd:lockdebug_dump+0x205 sys/kern/subr_lockdebug.c:759 [ 284.4459927] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb7 sys/kern/subr_lockdebug.c:839 [ 284.4459927] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26a lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:877 [inline] [ 284.4459927] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26a sys/kern/subr_lockdebug.c:941 [ 284.4459927] db_command() at netbsd:db_command+0x2ad sys/ddb/db_command.c:942 [ 284.4459927] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:439 [inline] [ 284.4459927] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:589 [ 284.4459927] db_trap() at netbsd:db_trap+0x206 sys/ddb/db_trap.c:94 [ 284.4459927] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:248 [ 284.4459927] trap() at netbsd:trap+0x579 sys/arch/amd64/amd64/trap.c:315 [ 284.4459927] --- trap (number 1) --- [ 284.4459927] breakpoint() at netbsd:breakpoint+0x5 [ 284.4459927] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 [ 284.4459927] vpanic() at 
netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 [ 284.4459927] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 284.4459927] pmap_activate() at netbsd:pmap_activate+0x173 sys/arch/x86/x86/pmap.c:3412 [ 284.4459927] mi_switch() at netbsd:mi_switch+0x673 sys/kern/kern_synch.c:808 [ 284.4459927] sleepq_block() at netbsd:sleepq_block+0x130 sys/kern/kern_sleepq.c:345 [ 284.4459927] turnstile_block() at netbsd:turnstile_block+0x9c9 sys/kern/kern_turnstile.c:438 [ 284.4459927] mutex_enter() at netbsd:mutex_enter+0x230 sys/kern/kern_mutex.c:693 [ 284.4459927] pool_put() at netbsd:pool_put+0x86 pool_put_quarantine sys/kern/subr_pool.c:2957 [inline] [ 284.4459927] pool_put() at netbsd:pool_put+0x86 sys/kern/subr_pool.c:1316 [ 284.4459927] fd_free() at netbsd:fd_free+0x52c sys/kern/kern_descrip.c:1577 [ 284.4459927] exit1() at netbsd:exit1+0x2bf sys/kern/kern_exit.c:301 [ 284.4459927] sigexit() at netbsd:sigexit+0x39f sys/kern/kern_sig.c:2305 [ 284.4459927] sendsig() at netbsd:sendsig [ 284.4459927] lwp_userret() at netbsd:lwp_userret+0x38a sys/kern/kern_lwp.c:1633 [ 284.4459927] syscall() at netbsd:syscall+0x858 x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline] [ 284.4459927] syscall() at netbsd:syscall+0x858 KPREEMPT_DISABLE sys/sys/lwp.h:539 [inline] [ 284.4459927] syscall() at netbsd:syscall+0x858 mi_userret sys/sys/userret.h:97 [inline] [ 284.4459927] syscall() at netbsd:syscall+0x858 userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] [ 284.4459927] syscall() at netbsd:syscall+0x858 sys/arch/x86/x86/syscall.c:166 [ 284.4459927] --- syscall (number 4) --- [ 284.4459927] netbsd:syscall+0x858: [ 284.4459927] cpu1: End traceback... 
[ 284.4459927] fatal breakpoint trap in supervisor mode [ 284.4459927] trap type 1 code 0 rip 0xffffffff8022094d cs 0x8 rflags 0x282 cr2 0xffffdb016fc35248 ilevel 0x8 rsp 0xffffdb018b4d3a70 [ 284.4459927] curlwp 0xffffdb0012d05600 pid 1097.1097 lowest kstack 0xffffdb018b4cd2c0 Stopped in pid 1097.1097 (syz-executor.3) at netbsd:breakpoint+0x5: leave