[ 206.9995974] panic: kernel diagnostic assertion "uvm_page_locked_p(pg)" failed: file "/syzkaller/managers/netbsd/kernel/sys/arch/x86/x86/pmap.c", line 3526 [ 207.0096010] cpu1: Begin traceback... [ 207.0296552] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 207.0597153] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 207.1098226] pmap_remove_pte() at netbsd:pmap_remove_pte+0x47f pmap_remove_pte sys/arch/x86/x86/pmap.c:3526 [inline] [ 207.1098226] pmap_remove_pte() at netbsd:pmap_remove_pte+0x47f sys/arch/x86/x86/pmap.c:3473 [ 207.1398932] pmap_remove() at netbsd:pmap_remove+0x481 pmap_remove_ptes sys/arch/x86/x86/pmap.c:3432 [inline] [ 207.1398932] pmap_remove() at netbsd:pmap_remove+0x481 sys/arch/x86/x86/pmap.c:3631 [ 207.1799734] uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 [ 207.2100386] uvmspace_free() at netbsd:uvmspace_free+0x23b sys/uvm/uvm_map.c:4304 [ 207.2401024] uvm_proc_exit() at netbsd:uvm_proc_exit+0xc4 sys/uvm/uvm_glue.c:443 [ 207.2801937] exit1() at netbsd:exit1+0x3bd sys/kern/kern_exit.c:332 [ 207.3102629] sys_exit() at netbsd:sys_exit+0x77 sys/kern/kern_exit.c:179 [ 207.3503439] syscall() at netbsd:syscall+0x550 sy_call sys/sys/syscallvar.h:65 [inline] [ 207.3503439] syscall() at netbsd:syscall+0x550 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 207.3503439] syscall() at netbsd:syscall+0x550 sys/arch/x86/x86/syscall.c:138 [ 207.3603694] --- syscall (number 1) --- [ 207.3804081] 751c81599a6a: [ 207.3804081] cpu1: End traceback... [ 207.3804081] fatal breakpoint trap in supervisor mode [ 207.3904353] trap type 1 code 0 rip 0xffffffff8021ccc5 cs 0x8 rflags 0x246 cr2 0x7d534d773743 ilevel 0 rsp 0xffffbf817c2bb6c0 [ 207.4004514] curlwp 0xffffbf8012dbc4e0 pid 2469.1 lowest kstack 0xffffbf817c2b42c0 Stopped in pid 2469.1 (syz-executor.4) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xf9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure pmap_remove_pte() at netbsd:pmap_remove_pte+0x47f pmap_remove_pte sys/arch/x86/x86/pmap.c:3526 [inline] pmap_remove_pte() at netbsd:pmap_remove_pte+0x47f sys/arch/x86/x86/pmap.c:3473 pmap_remove() at netbsd:pmap_remove+0x481 pmap_remove_ptes sys/arch/x86/x86/pmap.c:3432 [inline] pmap_remove() at netbsd:pmap_remove+0x481 sys/arch/x86/x86/pmap.c:3631 uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 uvmspace_free() at netbsd:uvmspace_free+0x23b sys/uvm/uvm_map.c:4304 uvm_proc_exit() at netbsd:uvm_proc_exit+0xc4 sys/uvm/uvm_glue.c:443 exit1() at netbsd:exit1+0x3bd sys/kern/kern_exit.c:332 sys_exit() at netbsd:sys_exit+0x77 sys/kern/kern_exit.c:179 syscall() at netbsd:syscall+0x550 sy_call sys/sys/syscallvar.h:65 [inline] syscall() at netbsd:syscall+0x550 sy_invoke sys/sys/syscallvar.h:94 [inline] syscall() at netbsd:syscall+0x550 sys/arch/x86/x86/syscall.c:138 --- syscall (number 1) --- 751c81599a6a: ds b6e0 es edd5 fs b6a0 gs b6f0 rdi ffffbf800d92c458 rsi ffffbf8012dbc7c8 rbp ffffbf817c2bb6c0 rbx ffffbf816d892000 rdx 2 rcx ffffffff80cef021 db_panic+0xe5 rax 0 r8 4 r9 1ffffffff05536c0 r10 ffffffff82a9b603 db_onpanic+0x3 r11 8000000000 r12 ffffbf816d8a4000 r13 ffffffff81c229e0 platform_private_nodes+0x140 r14 ffffbf817c2bb750 r15 ffffbf816d892058 rip ffffffff8021ccc5 breakpoint+0x5 cs 8 rflags 246 rsp ffffbf817c2bb6c0 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 2225 3 2 0 0 ffffbf801410c260 syz-executor.3 3134 6 3 1 80 ffffbf80148749e0 syz-executor.4 parked 2077 7 3 0 80 ffffbf8012dc6500 syz-executor.4 parked 2108 3 4 1 1040000 ffffbf8014567660 syz-executor.4 2370 3 4 0 1000000 ffffbf801478a0c0 syz-executor.3 1849 3 4 1 1000000 ffffbf80143c5980 syz-executor.4 1453 3 4 0 1000000 ffffbf8012226940 syz-executor.3 1408 3 3 1 80 ffffbf80121cf780 syz-executor.0 parked 1588 3 3 0 80 ffffbf80121cfbc0 syz-executor.3 parked 1588 1 2 0 10040000 ffffbf80120bc2a0 syz-executor.3 2469 > 1 7 1 10040000 ffffbf8012dbc4e0 syz-executor.4 1917 3 3 1 80 ffffbf8011eec1a0 syz-executor.4 parked 2113 4 3 0 80 ffffbf8014226780 syz-executor.3 parked 3070 3 3 1 80 ffffbf8013d39ba0 syz-executor.4 parked 2936 3 3 0 80 ffffbf801230a660 syz-executor.3 parked 1393 3 3 0 80 ffffbf8012de49a0 syz-executor.4 parked 2118 6 3 0 80 ffffbf8013f13940 syz-executor.4 parked 1386 3 3 1 80 ffffbf8012317240 syz-executor.4 parked 2155 3 3 1 80 ffffbf8012dcf0e0 syz-executor.4 parked 1750 3 3 1 80 ffffbf8013cec700 syz-executor.3 parked 1098 3 3 1 80 ffffbf801466cb40 syz-executor.3 parked 2241 3 3 0 80 ffffbf80143dc160 syz-executor.1 parked 2491 3 3 1 80 ffffbf8013d02b60 syz-executor.5 parked 2843 3 3 1 80 ffffbf8014561a80 syz-executor.5 parked 1418 3 3 1 80 ffffbf80141f6300 syz-executor.5 parked 1924 3 3 1 80 ffffbf8014661b20 syz-executor.5 parked 3231 4 3 1 80 ffffbf8014561200 syz-executor.5 parked 2340 3 3 0 80 ffffbf8011ee9180 syz-executor.5 parked 2322 3 3 1 80 ffffbf8012317ac0 syz-executor.0 parked 3022 3 3 1 80 ffffbf801229c140 syz-executor.0 parked 2907 3 3 1 80 ffffbf80122daa40 syz-executor.5 parked 1330 3 3 1 80 ffffbf8013d28300 syz-executor.0 parked 1592 3 3 1 80 ffffbf8013c57b00 syz-executor.0 parked 2480 4 3 0 80 ffffbf80120bc6e0 syz-executor.4 parked 1436 3 3 0 80 ffffbf80146a7760 syz-executor.2 parked 1165 3 3 0 80 ffffbf80141f6b80 syz-executor.4 parked 1289 3 3 1 80 ffffbf80121f6060 syz-executor.3 parked 2591 4 4 1 1000000 ffffbf80123256a0 syz-executor.2 1736 3 3 0 80 ffffbf8013f39580 syz-executor.3 parked 1834 4 4 1 1000000 ffffbf8013f4f9e0 syz-executor.2 1834 3 4 0 11000000 ffffbf8012d778c0 syz-executor.2 1834 1 4 0 1000000 ffffbf801452b1e0 syz-executor.2 2163 3 3 0 80 ffffbf801465e280 syz-executor.0 parked 1787 3 3 0 80 ffffbf80140b2a80 syz-executor.0 parked 1268 3 3 1 80 ffffbf8012325ae0 syz-executor.4 parked 616 3 3 1 80 ffffbf80143d1580 syz-executor.4 parked 1390 3 3 1 80 ffffbf8013f39140 syz-executor.4 parked 2019 4 3 1 80 ffffbf8014338520 syz-executor.4 parked 1775 4 3 0 80 ffffbf80140b2200 syz-executor.4 parked 1772 3 3 1 80 ffffbf8014200ba0 syz-executor.4 parked 1125 3 3 1 80 ffffbf801409d1e0 syz-executor.4 parked 1250 4 3 0 80 ffffbf8011ee85a0 syz-executor.4 parked 1252 4 3 1 80 ffffbf801461d6a0 syz-executor.4 parked 1897 4 3 1 80 ffffbf8011ee8160 syz-executor.0 parked 1753 4 3 1 80 ffffbf80143380e0 syz-executor.4 parked 1608 3 3 1 80 ffffbf801225f980 syz-executor.2 parked 2220 3 3 1 80 ffffbf8013dd88e0 syz-executor.5 parked 815 3 3 1 80 ffffbf801205e6c0 syz-executor.5 parked 2212 4 3 0 80 ffffbf8014227040 syz-executor.1 parked 1193 6 3 0 80 ffffbf8012ddb100 syz-executor.2 parked 1962 3 3 1 80 ffffbf80143ce9a0 syz-executor.1 parked 520 3 3 0 80 ffffbf801230a220 syz-executor.4 parked 2238 7 3 1 80 ffffbf801410cae0 syz-executor.2 parked 2083 3 3 0 80 ffffbf8012d2cb80 syz-executor.4 parked 743 3 3 1 80 ffffbf80141bfb40 syz-executor.5 parked 1254 3 3 1 80 ffffbf801430c500 syz-executor.5 parked 1749 4 3 0 80 ffffbf80144de600 syz-executor.5 parked 1107 3 3 1 80 ffffbf8012de4560 syz-executor.5 parked 333 3 3 1 80 ffffbf8013f4f5a0 syz-executor.5 parked 1740 5 3 1 80 ffffbf80140c2220 syz-executor.5 parked 1078 3 3 0 80 ffffbf801410f6c0 syz-executor.3 parked 1579 3 3 0 80 ffffbf8012233960 syz-executor.2 parked 424 4 3 1 80 ffffbf801225f540 syz-executor.2 parked 290 6 3 1 80 ffffbf8013f32540 syz-executor.1 parked 1559 3 3 1 80 ffffbf8012174b80 syz-executor.4 parked 917 3 3 0 80 ffffbf80143dc5a0 syz-executor.4 parked 788 4 3 0 80 ffffbf80143d19c0 syz-executor.1 parked 1297 3 3 1 80 ffffbf80143c5100 syz-executor.1 parked 912 3 3 1 80 ffffbf8014338960 syz-executor.1 parked 2062 3 3 1 80 ffffbf8014227480 syz-executor.1 parked 652 3 3 1 80 ffffbf8012d63340 syz-executor.1 parked 775 3 3 1 80 ffffbf8013cecb40 syz-executor.1 parked 2310 3 3 1 80 ffffbf8012365b20 syz-executor.1 parked 773 3 3 1 80 ffffbf8014108680 syz-executor.1 parked 2435 3 3 1 80 ffffbf801228c120 syz-executor.5 parked 385 3 3 1 80 ffffbf80121f64a0 syz-executor.5 parked 1504 3 3 1 80 ffffbf801212c2c0 syz-executor.1 parked 2040 3 3 1 80 ffffbf8013de8920 syz-executor.1 parked 2267 4 3 1 80 ffffbf8013f34560 syz-executor.2 parked 1584 4 3 1 80 ffffbf8014200760 syz-executor.0 parked 1918 3 3 1 80 ffffbf8013f81a00 syz-executor.5 parked 1399 4 3 1 80 ffffbf8013d4b780 syz-executor.3 parked 1934 5 3 0 80 ffffbf80122da600 syz-executor.3 parked 1947 6 3 1 80 ffffbf8012def140 syz-executor.3 parked 1620 4 3 1 80 ffffbf8014091600 syz-executor.3 parked 2037 3 3 1 80 ffffbf80142364a0 syz-executor.2 parked 1282 3 3 0 80 ffffbf8013de6900 syz-executor.4 parked 1218 3 3 0 80 ffffbf80135281e0 syz-executor.4 parked 1365 3 3 0 80 ffffbf8012325260 syz-executor.4 parked 1580 4 3 1 80 ffffbf8012204080 syz-executor.3 parked 1135 3 3 1 80 ffffbf80141116e0 syz-executor.2 parked 1471 5 3 0 80 ffffbf8013c576c0 syz-executor.1 parked 1318 3 3 1 80 ffffbf80122cb5e0 syz-executor.3 parked 926 3 3 1 80 ffffbf8013f32980 syz-executor.3 parked 576 3 3 1 80 ffffbf80122174e0 syz-executor.3 parked 956 4 3 1 80 ffffbf801229c9c0 syz-executor.4 parked 1306 3 3 1 80 ffffbf801410f280 syz-executor.4 parked 1046 3 3 0 80 ffffbf8014200320 syz-executor.3 parked 1225 3 3 0 80 ffffbf8012020680 syz-executor.0 parked 1169 4 3 0 80 ffffbf801218b320 syz-executor.0 parked 1138 3 3 1 80 ffffbf8012217920 syz-executor.0 parked 817 3 3 1 80 ffffbf8013528620 syz-executor.0 parked 1006 3 3 1 80 ffffbf8012dbc920 syz-executor.0 parked 1061 3 3 0 80 ffffbf8012233520 syz-executor.4 parked 1779 3 3 0 80 ffffbf80141bf2c0 syz-executor.1 parked 1379 3 3 0 80 ffffbf80121da8c0 syz-executor.4 parked 610 3 3 1 80 ffffbf8013dd84a0 syz-executor.0 parked 679 3 3 0 80 ffffbf8012df9160 syz-executor.1 parked 1373 3 3 0 80 ffffbf8012174740 syz-executor.1 parked 540 3 3 0 80 ffffbf8013f349a0 syz-executor.0 parked 1220 3 3 1 80 ffffbf8013de84e0 syz-executor.5 parked 1475 3 3 0 80 ffffbf8013d022e0 syz-executor.1 parked 1495 3 3 1 80 ffffbf8014108ac0 syz-executor.3 parked 1021 3 3 1 80 ffffbf80122da1c0 syz-executor.3 parked 697 4 3 1 80 ffffbf8013de80a0 syz-executor.0 parked 1339 3 3 0 80 ffffbf8012145720 syz-executor.0 parked 1451 3 3 1 80 ffffbf80123b9720 syz-executor.4 parked 1431 3 3 0 80 ffffbf8013528a60 syz-executor.3 parked 1132 3 3 0 80 ffffbf80122170a0 syz-executor.3 parked 1142 3 3 0 80 ffffbf8013dd8060 syz-executor.4 parked 628 3 3 1 80 ffffbf8012def580 syz-executor.4 parked 232 3 3 0 80 ffffbf801218bba0 syz-executor.1 parked 481 3 3 1 80 ffffbf8012145b60 syz-executor.3 parked 1113 3 3 0 80 ffffbf80122260c0 syz-executor.5 parked 1043 3 3 1 80 ffffbf80140c2660 syz-executor.0 parked 528 3 3 1 80 ffffbf801409da60 syz-executor.0 parked 527 3 3 1 80 ffffbf801409d620 syz-executor.0 parked 269 3 3 1 80 ffffbf8014091a40 syz-executor.0 parked 651 3 3 1 80 ffffbf8013cdb6e0 syz-executor.0 parked 266 3 3 1 80 ffffbf8013f32100 syz-executor.0 parked 839 4 3 1 80 ffffbf8013d7b8c0 syz-executor.1 parked 837 3 3 1 80 ffffbf8012e04a00 syz-executor.1 parked 553 4 3 1 80 ffffbf8012dcf520 syz-executor.1 parked 1259 3 3 1 80 ffffbf8013f13500 syz-executor.0 parked 1222 3 3 1 80 ffffbf8013de6080 syz-executor.0 parked 649 3 3 0 80 ffffbf80123a2b40 syz-executor.0 parked 416 5 3 1 80 ffffbf8013f130c0 syz-executor.0 parked 925 3 3 1 80 ffffbf80122cb1a0 syz-executor.4 parked 1147 4 3 0 80 ffffbf8012d984c0 syz-executor.0 parked 921 3 3 1 80 ffffbf8012df95a0 syz-executor.5 parked 1119 3 3 0 80 ffffbf8012e111a0 syz-executor.5 parked 636 5 3 0 80 ffffbf8013f845e0 syz-executor.3 parked 1023 4 3 1 80 ffffbf8013f81180 syz-executor.0 parked 979 4 3 1 80 ffffbf80123b92e0 syz-executor.3 parked 647 3 3 0 80 ffffbf8013f34120 syz-executor.3 parked 950 3 3 0 80 ffffbf8013f2e520 syz-executor.3 parked 952 3 3 0 80 ffffbf8013cdbb20 syz-executor.5 parked 858 3 3 1 80 ffffbf801212c700 syz-executor.2 parked 772 3 3 0 80 ffffbf8012204900 syz-executor.5 parked 701 3 3 1 80 ffffbf8012dcf960 syz-executor.0 parked 870 3 3 1 80 ffffbf8012dc6940 syz-executor.0 parked 490 3 3 0 80 ffffbf8013d28740 syz-executor.0 parked 721 4 3 1 80 ffffbf8012d63780 syz-executor.0 parked 660 4 3 0 80 ffffbf8012d98900 syz-executor.0 parked 289 3 3 1 80 ffffbf8012d2c300 syz-executor.3 parked 752 3 3 1 80 ffffbf8012d77040 syz-executor.3 parked 205 3 3 1 80 ffffbf8012e20a40 syz-executor.2 parked 762 3 3 1 80 ffffbf80123652a0 syz-executor.1 parked 136 5 3 0 80 ffffbf8013d4bbc0 syz-executor.2 parked 690 4 3 1 80 ffffbf8012dbc0a0 syz-executor.5 parked 463 3 3 1 80 ffffbf801230aaa0 syz-executor.2 parked 741 3 3 0 80 ffffbf80122fa200 syz-executor.2 parked 612 3 3 0 80 ffffbf80122cba20 syz-executor.4 parked 162 3 3 1 80 ffffbf80122b05a0 syz-executor.2 parked 645 3 3 1 80 ffffbf801229c580 syz-executor.2 parked 45 > 1 7 0 0 ffffbf8013c57280 syz-executor.5 464 1 2 1 0 ffffbf8013c30ae0 syz-executor.4 567 1 2 1 0 ffffbf8013c306a0 syz-executor.3 600 1 2 0 0 ffffbf8013c30260 syz-executor.2 594 1 3 0 4 ffffbf8013af7ac0 syz-executor.1 xclocv 40 1 2 0 0 ffffbf8011ee95c0 syz-executor.0 533 12 3 0 80 ffffbf8013af7680 syz-fuzzer parked 533 11 3 0 80 ffffbf8013af7240 syz-fuzzer kqueue 533 10 3 0 80 ffffbf8011ee89e0 syz-fuzzer parked 533 9 3 1 80 ffffbf8013ad5660 syz-fuzzer parked 533 8 3 1 80 ffffbf8013ad5220 syz-fuzzer parked 533 7 3 0 80 ffffbf8013ad3a80 syz-fuzzer parked 533 6 3 1 80 ffffbf8013ad3640 syz-fuzzer parked 533 5 2 1 0 ffffbf8013ad3200 syz-fuzzer 533 4 3 1 80 ffffbf8012e11a20 syz-fuzzer parked 533 3 3 0 80 ffffbf8012e115e0 syz-fuzzer parked 533 2 2 0 0 ffffbf8012e045c0 syz-fuzzer 533 1 3 0 80 ffffbf8012d848e0 syz-fuzzer parked 598 1 3 0 80 ffffbf8011eec5e0 sshd select 497 1 3 0 80 ffffbf8012ddb980 getty nanoslp 587 1 3 0 80 ffffbf8012def9c0 getty nanoslp 505 1 3 0 80 ffffbf8012de4120 getty nanoslp 558 1 3 1 80 ffffbf8012e04180 getty ttyraw 478 1 3 0 80 ffffbf80123b9b60 cron nanoslp 436 1 3 0 80 ffffbf8012d844a0 inetd kqueue 431 1 3 0 80 ffffbf80123a2700 sshd select 359 1 3 1 80 ffffbf80122fa640 powerd kqueue 202 1 3 1 80 ffffbf8012d4cba0 syslogd kqueue 268 1 3 1 80 ffffbf80122eb1e0 dhcpcd kqueue 220 1 3 1 80 ffffbf80121f68e0 dhcpcd kqueue 1 1 3 1 80 ffffbf801200baa0 init wait 0 58 3 0 204 ffffbf8012020ac0 physiod physiod 0 57 3 0 204 ffffbf801205d6a0 pooldrain pooldrain 0 56 3 1 204 ffffbf801205e280 aiodoned aiodoned 0 55 3 1 200 ffffbf801205dae0 ioflush syncer 0 54 3 0 200 ffffbf801205d260 pgdaemon pgdaemon 0 51 2 1 200 ffffbf8012020240 npfgc-0 0 50 3 0 204 ffffbf801200b660 rt_free rt_free 0 49 3 0 204 ffffbf801200b220 unpgc unpgc 0 48 3 1 204 ffffbf800f7cb9c0 key_timehandler key_timehandler 0 47 3 1 204 ffffbf8011ffda80 icmp6_wqinput/1 icmp6_wqinput 0 46 3 0 204 ffffbf8011ffd640 icmp6_wqinput/0 icmp6_wqinput 0 45 2 0 200 ffffbf8011ffd200 nd6_timer 0 44 3 1 204 ffffbf8011f13a60 carp6_wqinput/1 carp6_wqinput 0 43 3 0 204 ffffbf8011f13620 carp6_wqinput/0 carp6_wqinput 0 42 3 1 204 ffffbf8011f131e0 carp_wqinput/1 carp_wqinput 0 41 3 0 204 ffffbf8011f01a40 carp_wqinput/0 carp_wqinput 0 40 3 1 204 ffffbf8011f01600 icmp_wqinput/1 icmp_wqinput 0 39 3 0 204 ffffbf8011f011c0 icmp_wqinput/0 icmp_wqinput 0 38 3 1 204 ffffbf8011eeca20 rt_timer rt_timer 0 37 3 1 204 ffffbf8011ee9a00 vmem_rehash vmem_rehash 0 27 3 0 204 ffffbf800f7cb580 scsibus0 sccomp 0 26 3 0 200 ffffbf800f7cb140 pms0 pmsreset 0 25 2 1 200 ffffbf800f73d9a0 xcall/1 0 24 1 1 200 ffffbf800f73d560 softser/1 0 23 1 1 200 ffffbf800f73d120 softclk/1 0 22 1 1 200 ffffbf800f739980 softbio/1 0 21 1 1 200 ffffbf800f739540 softnet/1 0 20 1 1 201 ffffbf800f739100 idle/1 0 19 3 1 204 ffffbf800f66f960 lnxpwrwq lnxpwrwq 0 18 3 0 204 ffffbf800f66f520 lnxlngwq lnxlngwq 0 17 3 1 204 ffffbf800f66f0e0 lnxsyswq lnxsyswq 0 16 3 0 204 ffffbf800de54940 lnxrcugc lnxrcugc 0 15 3 0 204 ffffbf800de54500 sysmon smtaskq 0 14 3 1 204 ffffbf800de540c0 pmfsuspend pmfsuspend 0 13 3 1 204 ffffbf800de45920 pmfevent pmfevent 0 12 3 0 204 ffffbf800de454e0 sopendfree sopendfr 0 11 3 0 204 ffffbf800de450a0 nfssilly nfssilly 0 10 2 1 200 ffffbf800de3a900 cachegc 0 9 3 0 204 ffffbf800de3a4c0 vdrain vdrain 0 8 3 0 200 ffffbf800de3a080 modunload mod_unld 0 7 3 0 204 ffffbf800de2c8e0 xcall/0 xcall 0 6 1 0 200 ffffbf800de2c4a0 softser/0 0 5 1 0 200 ffffbf800de2c060 softclk/0 0 4 1 0 200 ffffbf800de278c0 softbio/0 0 3 1 0 200 ffffbf800de27480 softnet/0 0 2 1 0 201 ffffbf800de27040 idle/0 0 1 3 1 200 ffffffff82b62c80 swapper uvm [Locks tracked through LWPs] Locks held by an LWP (syz-executor.3): Lock 0 (initialized at filedesc_ctor) lock address : 0xffffbf8014556380 type : sleep/adaptive initialized : 0xffffffff8111c984 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffffbf8012dbc4e0 last held: 0xffffbf80121cfbc0 last locked* : 0xffffffff81121ff8 unlocked : 0xffffffff8111f5a6 owner field : 000000000000000000 wait/spin: 0/0 Turnstile chain at 0xffffffff82d82770 with mutex 0xffffbf800d942540. => No active turnstile for this lock. Locks held by an LWP (syz-executor.4): Lock 0 (initialized at fork1) lock address : 0xffffbf8012d8acc0 type : sleep/adaptive initialized : 0xffffffff8113698c shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffbf8012dbc4e0 last held: 0xffffbf8012dbc4e0 last locked* : 0xffffffff811330bd unlocked : 000000000000000000 owner/count : 0xffffbf8012dbc4e0 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d82898 with mutex 0xffffbf800d942e80. => No active turnstile for this lock. Lock 1 (initialized at amap_copy) lock address : 0xffffbf8014823980 type : sleep/adaptive initialized : 0xffffffff810b95f0 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffbf8012dbc4e0 last held: 0xffffbf8012dbc4e0 last locked* : 0xffffffff810d6b91 unlocked : 0xffffffff810c3abb owner field : 0xffffbf8012dbc4e0 wait/spin: 0/0 Turnstile chain at 0xffffffff82d82a30 with mutex 0xffffbf800de1eb80. => No active turnstile for this lock. Lock 2 (initialized at pmap_create) lock address : 0xffffbf8014333188 type : sleep/adaptive initialized : 0xffffffff802727da shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffbf8012dbc4e0 last held: 0xffffbf8012dbc4e0 last locked* : 0xffffffff80275095 unlocked : 0xffffffff80274abf owner field : 0xffffbf8012dbc4e0 wait/spin: 0/0 Turnstile chain at 0xffffffff82d82930 with mutex 0xffffbf800de1e380. => No active turnstile for this lock. Locks held by an LWP (syz-executor.5): Lock 0 (initialized at vcache_alloc) lock address : 0xffffbf8013d1a350 type : sleep/adaptive initialized : 0xffffffff8129cf7e shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffffbf8012dbc4e0 last held: 0xffffbf8013c57280 last locked* : 0xffffffff812ca855 unlocked : 0xffffffff812ca888 owner/count : 0xffffbf8013c57280 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d82768 with mutex 0xffffbf800d942500. => No active turnstile for this lock. Lock 1 (initialized at vcache_alloc) lock address : 0xffffbf8012e3ad00 type : sleep/adaptive initialized : 0xffffffff8129cf7e shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffffbf8012dbc4e0 last held: 0xffffbf8013c57280 last locked* : 0xffffffff812ca855 unlocked : 0xffffffff812ca888 [ 207.4104715] Skipping crash dump on recursive panic [ 207.4104715] panic: ASan: Unauthorized Access In 0xffffffff81171d10: Addr 0xffffbf8012e3ad00 [8 bytes, read, PoolUseAfterFree] [ 207.4104715] cpu1: Begin traceback... [ 207.4104715] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 207.4104715] snprintf() at netbsd:snprintf [ 207.4104715] kasan_report() at netbsd:kasan_report+0x8f kasan_code_name sys/kern/subr_asan.c:172 [inline] [ 207.4104715] kasan_report() at netbsd:kasan_report+0x8f sys/kern/subr_asan.c:194 [ 207.4104715] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:344 [inline] [ 207.4104715] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:358 [inline] [ 207.4104715] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:410 [inline] [ 207.4104715] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1180 [ 207.4104715] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:191 [ 207.4104715] lockdebug_dump() at netbsd:lockdebug_dump+0x289 sys/kern/subr_lockdebug.c:777 [ 207.4104715] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb9 sys/kern/subr_lockdebug.c:855 [ 207.4104715] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:886 [inline] [ 207.4104715] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f sys/kern/subr_lockdebug.c:933 [ 207.4104715] db_command() at netbsd:db_command+0x2c0 sys/ddb/db_command.c:935 [ 207.4104715] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:432 [inline] [ 207.4104715] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:582 [ 207.4104715] db_trap() at netbsd:db_trap+0x219 sys/ddb/db_trap.c:94 [ 207.4104715] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:246 [ 207.4104715] trap() at netbsd:trap+0x641 sys/arch/amd64/amd64/trap.c:313 [ 207.4104715] --- trap (number 1) --- [ 207.4104715] breakpoint() at netbsd:breakpoint+0x5 [ 207.4104715] db_panic() at netbsd:db_panic+0xf9 sys/ddb/db_panic.c:67 [ 207.4104715] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 207.4104715] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 207.4104715] pmap_remove_pte() at netbsd:pmap_remove_pte+0x47f pmap_remove_pte sys/arch/x86/x86/pmap.c:3526 [inline] [ 207.4104715] pmap_remove_pte() at netbsd:pmap_remove_pte+0x47f sys/arch/x86/x86/pmap.c:3473 [ 207.4104715] pmap_remove() at netbsd:pmap_remove+0x481 pmap_remove_ptes sys/arch/x86/x86/pmap.c:3432 [inline] [ 207.4104715] pmap_remove() at netbsd:pmap_remove+0x481 sys/arch/x86/x86/pmap.c:3631 [ 207.4104715] uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 [ 207.4104715] uvmspace_free() at netbsd:uvmspace_free+0x23b sys/uvm/uvm_map.c:4304 [ 207.4104715] uvm_proc_exit() at netbsd:uvm_proc_exit+0xc4 sys/uvm/uvm_glue.c:443 [ 207.4104715] exit1() at netbsd:exit1+0x3bd sys/kern/kern_exit.c:332 [ 207.4104715] sys_exit() at netbsd:sys_exit+0x77 sys/kern/kern_exit.c:179 [ 207.4104715] syscall() at netbsd:syscall+0x550 sy_call sys/sys/syscallvar.h:65 [inline] [ 207.4104715] syscall() at netbsd:syscall+0x550 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 207.4104715] syscall() at netbsd:syscall+0x550 sys/arch/x86/x86/syscall.c:138 [ 207.4104715] --- syscall (number 1) --- [ 207.4104715] 751c81599a6a: [ 207.4104715] cpu1: End traceback... [ 207.4104715] fatal breakpoint trap in supervisor mode [ 207.4104715] trap type 1 code 0 rip 0xffffffff8021ccc5 cs 0x8 rflags 0x246 cr2 0x7d534d773743 ilevel 0x8 rsp 0xffffbf817c2bac80 [ 207.4104715] curlwp 0xffffbf8012dbc4e0 pid 2469.1 lowest kstack 0xffffbf817c2b42c0 Stopped in pid 2469.1 (syz-executor.4) at netbsd:breakpoint+0x5: leave