[ 149.9070788] panic: kernel diagnostic assertion "ci->ci_tlbstate != TLBSTATE_VALID" failed: file "/syzkaller/managers/netbsd/kernel/sys/arch/x86/x86/pmap.c", line 2790 [ 149.9181954] cpu1: Begin traceback... [ 149.9404488] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 149.9738302] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 150.0183384] pmap_activate() at netbsd:pmap_activate+0x179 sys/arch/x86/x86/pmap.c:2790 [ 150.0628508] mi_switch() at netbsd:mi_switch+0x5bc sys/kern/kern_synch.c:738 [ 150.1073564] sleepq_block() at netbsd:sleepq_block+0x2b4 sys/kern/kern_sleepq.c:276 [ 150.1407374] lwp_park() at netbsd:lwp_park+0x264 sys/kern/sys_lwp.c:575 [ 150.1852495] sys____lwp_park60() at netbsd:sys____lwp_park60+0x11e sys/kern/sys_lwp.c:628 [ 150.2297547] syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] [ 150.2297547] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 150.2297547] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 [ 150.2408836] --- syscall (number 478) --- [ 150.2520126] 459233: [ 150.2631359] cpu1: End traceback... [ 150.2631359] fatal breakpoint trap in supervisor mode [ 150.2631359] trap type 1 code 0 rip 0xffffffff8021ccb5 cs 0x8 rflags 0x246 cr2 0x624f5c ilevel 0x8 rsp 0xffffad016cf919d0 [ 150.2853848] curlwp 0xffffad0011ff2540 pid 602.2 lowest kstack 0xffffad016cf8a2c0 Stopped in pid 602.2 (syz-fuzzer) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure pmap_activate() at netbsd:pmap_activate+0x179 sys/arch/x86/x86/pmap.c:2790 mi_switch() at netbsd:mi_switch+0x5bc sys/kern/kern_synch.c:738 sleepq_block() at netbsd:sleepq_block+0x2b4 sys/kern/kern_sleepq.c:276 lwp_park() at netbsd:lwp_park+0x264 sys/kern/sys_lwp.c:575 sys____lwp_park60() at netbsd:sys____lwp_park60+0x11e sys/kern/sys_lwp.c:628 syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 --- syscall (number 478) --- 459233: ds 360 es 2cb fs 19b0 gs 1a00 rdi ffffad000cb1a458 rsi ffffad0011ff2828 rbp ffffad016cf919d0 rbx ffffad016ca80000 rdx 2 rcx ffffffff80d00841 db_panic+0xd5 rax 0 r8 4 r9 1ffffffff0553818 r10 ffffffff82a9c0c3 db_onpanic+0x3 r11 8000000000 r12 ffffad016ca92000 r13 ffffffff81c22540 platform_private_nodes+0x140 r14 ffffad016cf91a60 r15 ffffad016ca80060 rip ffffffff8021ccb5 breakpoint+0x5 cs 8 rflags 246 rsp ffffad016cf919d0 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 97 1 2 1 10000000 ffffad0011f7e480 syz-executor.2 96 3 3 1 80 ffffad0011f7e040 syz-executor.0 parked 613 5 2 0 0 ffffad00130e7480 syz-executor.3 613 4 2 0 0 ffffad00114dc600 syz-executor.3 613 3 2 0 0 ffffad0011461100 syz-executor.3 613 1 2 0 0 ffffad00115cdb60 syz-executor.3 716 1 2 0 0 ffffad00114af5a0 syz-executor.4 519 4 3 1 80 ffffad0011f72780 syz-executor.0 parked 519 3 3 1 80 ffffad00115cd2e0 syz-executor.0 parked 519 1 2 1 10000000 ffffad0011f4f320 syz-executor.0 747 5 3 1 80 ffffad001149a140 syz-executor.1 parked 747 4 3 0 80 ffffad00114fa640 syz-executor.1 parked 747 3 3 0 40080 ffffad00115a42a0 syz-executor.1 lockf 747 1 2 1 10040000 ffffad001151a240 syz-executor.1 598 5 3 1 80 ffffad00130db340 syz-executor.0 parked 639 4 3 1 80 ffffad00113d7480 syz-executor.0 parked 537 3 3 1 80 ffffad001148c560 syz-executor.0 parked 580 3 3 1 80 ffffad001138c760 syz-executor.0 parked 560 1 2 0 0 ffffad0012ed2ae0 syz-executor.5 45 > 1 7 0 0 ffffad0012ed26a0 syz-executor.3 600 1 2 0 0 ffffad0012ed2260 syz-executor.4 531 1 3 1 80 ffffad0012e9e680 syz-executor.2 nanoslp 40 1 3 1 80 ffffad0012e9e240 syz-executor.1 nanoslp 41 1 3 1 80 ffffad0012d33aa0 syz-executor.0 nanoslp 602 11 3 0 80 ffffad0012e9eac0 syz-fuzzer parked 602 10 3 0 80 ffffad00112af6e0 syz-fuzzer parked 602 9 3 1 80 ffffad00110d45c0 syz-fuzzer parked 602 8 3 1 80 ffffad0012d33220 syz-fuzzer parked 602 7 3 0 80 ffffad0012911a80 syz-fuzzer kqueue 602 6 3 0 80 ffffad0012911640 syz-fuzzer parked 602 5 3 0 80 ffffad0011fe7520 syz-fuzzer parked 602 4 3 0 80 ffffad00120271a0 syz-fuzzer parked 602 3 3 0 80 ffffad00120351c0 syz-fuzzer parked 602 > 2 7 1 0 ffffad0011ff2540 syz-fuzzer 602 1 3 1 80 ffffad00110d4a00 syz-fuzzer parked 558 1 3 0 80 ffffad00110d4180 sshd select 503 1 3 1 80 ffffad001201b5c0 getty nanoslp 465 1 3 0 80 ffffad001201b180 getty nanoslp 463 1 3 1 80 ffffad0012010160 getty nanoslp 586 1 3 0 80 ffffad0011f33740 getty ttyraw 562 1 3 0 80 ffffad0012911200 cron nanoslp 539 1 3 0 80 ffffad0011f8c4a0 inetd kqueue 317 1 3 0 80 ffffad00115a46e0 sshd select 478 1 3 0 80 ffffad00114fa200 powerd kqueue 195 1 3 1 80 ffffad0011f4fba0 syslogd kqueue 276 1 3 1 80 ffffad00114ed1e0 dhcpcd kqueue 220 1 3 0 80 ffffad00113f58e0 dhcpcd kqueue 1 1 3 0 80 ffffad00111fb240 init wait 0 58 3 0 204 ffffad00111fbac0 physiod physiod 0 57 3 1 204 ffffad0011242280 aiodoned aiodoned 0 56 3 1 200 ffffad0011241ae0 ioflush syncer 0 55 3 0 204 ffffad00112416a0 pooldrain pooldrain 0 54 3 0 200 ffffad0011241260 pgdaemon pgdaemon 0 51 3 1 200 ffffad00111fb680 npfgc-0 npfgccv 0 50 3 0 204 ffffad00111edaa0 rt_free rt_free 0 49 3 0 204 ffffad00111ed660 unpgc unpgc 0 48 3 1 204 ffffad00111ed220 key_timehandler key_timehandler 0 47 3 1 204 ffffad00111e5a80 icmp6_wqinput/1 icmp6_wqinput 0 46 3 0 204 ffffad00111e5640 icmp6_wqinput/0 icmp6_wqinput 0 45 3 1 204 ffffad00111e5200 nd6_timer nd6_timer 0 44 3 1 204 ffffad00110fca60 carp6_wqinput/1 carp6_wqinput 0 43 3 0 204 ffffad00110fc620 carp6_wqinput/0 carp6_wqinput 0 42 3 1 204 ffffad00110fc1e0 carp_wqinput/1 carp_wqinput 0 41 3 0 204 ffffad00110e9a40 carp_wqinput/0 carp_wqinput 0 40 3 1 204 ffffad00110e9600 icmp_wqinput/1 icmp_wqinput 0 39 3 0 204 ffffad00110e91c0 icmp_wqinput/0 icmp_wqinput 0 38 3 0 204 ffffad00110d7a20 rt_timer rt_timer 0 37 3 1 204 ffffad00110d35a0 vmem_rehash vmem_rehash 0 27 3 0 204 ffffad000e9b9580 scsibus0 sccomp 0 26 3 0 200 ffffad000e9b9140 pms0 pmsreset 0 25 3 1 204 ffffad000e92b9a0 xcall/1 xcall 0 24 1 1 200 ffffad000e92b560 softser/1 0 23 1 1 200 ffffad000e92b120 softclk/1 0 22 1 1 200 ffffad000e927980 softbio/1 0 21 1 1 200 ffffad000e927540 softnet/1 0 20 1 1 201 ffffad000e927100 idle/1 0 19 3 0 204 ffffad000e85d960 lnxpwrwq lnxpwrwq 0 18 3 1 204 ffffad000e85d520 lnxlngwq lnxlngwq 0 17 3 0 204 ffffad000e85d0e0 lnxsyswq lnxsyswq 0 16 3 0 204 ffffad000d042940 lnxrcugc lnxrcugc 0 15 3 0 204 ffffad000d042500 sysmon smtaskq 0 14 3 0 204 ffffad000d0420c0 pmfsuspend pmfsuspend 0 13 3 0 204 ffffad000d033920 pmfevent pmfevent 0 12 3 0 204 ffffad000d0334e0 sopendfree sopendfr 0 11 3 1 204 ffffad000d0330a0 nfssilly nfssilly 0 10 3 0 200 ffffad000d027900 cachegc cachegc 0 9 3 1 204 ffffad000d0274c0 vdrain vdrain 0 8 3 0 200 ffffad000d027080 modunload mod_unld 0 7 3 0 204 ffffad000d0188e0 xcall/0 xcall 0 6 1 0 200 ffffad000d0184a0 softser/0 0 5 1 0 200 ffffad000d018060 softclk/0 0 4 1 0 200 ffffad000d0148c0 softbio/0 0 3 1 0 200 ffffad000d014480 softnet/0 0 2 1 0 201 ffffad000d014040 idle/0 0 1 3 1 200 ffffffff82b62fa0 swapper uvm [Locks tracked through LWPs] Locks held by an LWP (syz-executor.2): Lock 0 (initialized at fork1) lock address : 0xffffad00114156b0 type : sleep/adaptive initialized : 0xffffffff8114751c shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffad0011ff2540 last held: 0xffffad0011f7e480 last locked* : 0xffffffff81143c0d unlocked : 000000000000000000 owner/count : 0xffffad0011f7e480 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d83a50 with mutex 0xffffad000d00b880. => No active turnstile for this lock. Lock 1 (initialized at amap_alloc) lock address : 0xffffad0012eb1700 type : sleep/adaptive initialized : 0xffffffff810c6fb1 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffad0011ff2540 last held: 0xffffad0011f7e480 last locked* : 0xffffffff810e7bd1 unlocked : 0xffffffff810d42b8 owner field : 0xffffad0011f7e480 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83a60 with mutex 0xffffad000d00b900. => No active turnstile for this lock. Lock 2 (initialized at pmap_create) lock address : 0xffffad001133fe40 type : sleep/adaptive initialized : 0xffffffff80272166 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffad0011ff2540 last held: 0xffffad0011f7e480 last locked* : 0xffffffff80274a67 unlocked : 0xffffffff80274456 owner field : 0xffffad0011f7e480 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83b48 with mutex 0xffffad000d00c080. => No active turnstile for this lock. Locks held by an LWP (syz-executor.3): Lock 0 (initialized at kcov_open) lock address : 0xffffad0012f500c8 type : sleep/adaptive initialized : 0xffffffff811e1f3f shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffffad0011ff2540 last held: 0xffffad0011461100 last locked* : 0xffffffff811e2102 unlocked : 0xffffffff811e22e7 owner field : 0xffffad0011461100 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83798 with mutex 0xffffad000cb2f280. => No active turnstile for this lock. Lock 1 (initialized at specificdata_domain_create) lock address : 0xffffad000cb1a458 type : sleep/adaptive initialized : 0xffffffff811fe7eb shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffffad0011ff2540 last held: 0xffffad0011461100 last locked* : 0xffffffff811feafb unlocked : 0xffffffff811fea14 owner field : 0xffffad0011461100 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83808 with mutex 0xffffad000cb2f600. => No active turnstile for this lock. Locks held by an LWP (syz-executor.0): Lock 0 (initialized at uvm_obj_init) lock address : 0xffffad0012cfac00 type : sleep/adaptive initialized : 0xffffffff810f33bc shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffad0011ff2540 last held: 0xffffad0011f4f320 last locked* : 0xffffffff810d79ce unlocked : 0xffffffff810d4872 owner field : 0xffffad0011f4f320 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83900 with mutex 0xffffad000cb2fdc0. => No active turnstile for this lock. Locks held by an LWP (syz-executor.1): Lock 0 (initialized at uvm_obj_init) lock address : 0xffffad00126f5e00 type : sleep/adaptive initialized : 0xffffffff810f33bc shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffffad0011ff2540 last held: 0xffffad00114fa640 last locked* : 0xffffffff810cf65d unlocked : 0xffffffff810f3a6b [ 150.2853848] Skipping crash dump on recursive panic [ 150.2853848] panic: ASan: Unauthorized Access In 0xffffffff8115fa1e: Addr 0xffffad00126f5e00 [8 bytes, read, PoolUseAfterFree] [ 150.2853848] cpu1: Begin traceback... [ 150.2853848] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 150.2853848] snprintf() at netbsd:snprintf [ 150.2853848] kasan_report() at netbsd:kasan_report+0x8f kasan_code_name sys/kern/subr_asan.c:172 [inline] [ 150.2853848] kasan_report() at netbsd:kasan_report+0x8f sys/kern/subr_asan.c:194 [ 150.2853848] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:344 [inline] [ 150.2853848] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:358 [inline] [ 150.2853848] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:410 [inline] [ 150.2853848] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1180 [ 150.2853848] mutex_dump() at netbsd:mutex_dump+0x1e sys/kern/kern_mutex.c:316 [ 150.2853848] lockdebug_dump() at netbsd:lockdebug_dump+0x281 sys/kern/subr_lockdebug.c:777 [ 150.2853848] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb9 sys/kern/subr_lockdebug.c:855 [ 150.2853848] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:886 [inline] [ 150.2853848] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f sys/kern/subr_lockdebug.c:933 [ 150.2853848] db_command() at netbsd:db_command+0x2c0 sys/ddb/db_command.c:935 [ 150.2853848] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:432 [inline] [ 150.2853848] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:582 [ 150.2853848] db_trap() at netbsd:db_trap+0x219 sys/ddb/db_trap.c:94 [ 150.2853848] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:246 [ 150.2853848] trap() at netbsd:trap+0x650 sys/arch/amd64/amd64/trap.c:313 [ 150.2853848] --- trap (number 1) --- [ 150.2853848] breakpoint() at netbsd:breakpoint+0x5 [ 150.2853848] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 [ 150.2853848] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 150.2853848] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 150.2853848] pmap_activate() at netbsd:pmap_activate+0x179 sys/arch/x86/x86/pmap.c:2790 [ 150.2853848] mi_switch() at netbsd:mi_switch+0x5bc sys/kern/kern_synch.c:738 [ 150.2853848] sleepq_block() at netbsd:sleepq_block+0x2b4 sys/kern/kern_sleepq.c:276 [ 150.2853848] lwp_park() at netbsd:lwp_park+0x264 sys/kern/sys_lwp.c:575 [ 150.2853848] sys____lwp_park60() at netbsd:sys____lwp_park60+0x11e sys/kern/sys_lwp.c:628 [ 150.2853848] syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] [ 150.2853848] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 150.2853848] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 [ 150.2853848] --- syscall (number 478) --- [ 150.2853848] 459233: [ 150.2853848] cpu1: End traceback... [ 150.2853848] fatal breakpoint trap in supervisor mode [ 150.2853848] trap type 1 code 0 rip 0xffffffff8021ccb5 cs 0x8 rflags 0x246 cr2 0x624f5c ilevel 0x8 rsp 0xffffad016cf90f90 [ 150.2853848] curlwp 0xffffad0011ff2540 pid 602.2 lowest kstack 0xffffad016cf8a2c0 Stopped in pid 602.2 (syz-fuzzer) at netbsd:breakpoint+0x5: leave