[ 219.8244944] panic: LOCKDEBUG: Mutex error: mi_userret,116: sleep lock held [ 219.8344935] cpu1: Begin traceback... [ 219.8844963] vpanic() at netbsd:vpanic+0x265 sys/kern/subr_prf.c:290 [ 220.0144963] snprintf() at netbsd:snprintf [ 220.1444976] lockdebug_more() at netbsd:lockdebug_more [ 220.2744984] lockdebug_barrier() at netbsd:lockdebug_barrier+0x11d sys/kern/subr_lockdebug.c:650 [ 220.4144966] syscall() at netbsd:syscall+0x544 mi_userret sys/sys/userret.h:117 [inline] [ 220.4144966] syscall() at netbsd:syscall+0x544 userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] [ 220.4144966] syscall() at netbsd:syscall+0x544 sys/arch/x86/x86/syscall.c:166 [ 220.4445090] --- syscall (number 16) --- [ 220.4745061] netbsd:syscall+0x544: [ 220.4844943] cpu1: End traceback... [ 220.4844943] fatal breakpoint trap in supervisor mode [ 220.4944936] trap type 1 code 0 rip 0xffffffff80220a2d cs 0x8 rflags 0x282 cr2 0x73f77cc4e000 ilevel 0 rsp 0xffffa401a8e54c80 [ 220.5044952] curlwp 0xffffa40013c904c0 pid 1766.1592 lowest kstack 0xffffa401a8e4d2c0 Stopped in pid 1766.1592 (syz-executor.4) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0x105 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x265 sys/kern/subr_prf.c:290 snprintf() at netbsd:snprintf lockdebug_more() at netbsd:lockdebug_more lockdebug_barrier() at netbsd:lockdebug_barrier+0x11d sys/kern/subr_lockdebug.c:650 syscall() at netbsd:syscall+0x544 mi_userret sys/sys/userret.h:117 [inline] syscall() at netbsd:syscall+0x544 userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] syscall() at netbsd:syscall+0x544 sys/arch/x86/x86/syscall.c:166 --- syscall (number 16) --- netbsd:syscall+0x544: Panic string: LOCKDEBUG: Mutex error: mi_userret,116: sleep lock held PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 1483 1483 3 0 180 ffffa4001547b940 syz-executor.2 parked 1763 1370 2 0 0 ffffa4001488b980 syz-executor.5 1763 1580 3 0 180 ffffa400136e92c0 syz-executor.5 parked 1763 1462 3 0 180 ffffa400147af5c0 syz-executor.5 parked 1763 1700 3 0 180 ffffa40014861340 syz-executor.5 parked 1763 716 3 0 180 ffffa400136ec740 syz-executor.5 parked 1763 1763 2 0 10000000 ffffa400136ec300 syz-executor.5 1591 1591 3 1 180 ffffa4001487f0c0 syz-executor.2 parked 1495 1490 2 0 0 ffffa4001547b500 syz-executor.0 1495 1597 3 0 180 ffffa4001547b0c0 syz-executor.0 parked 1495 1436 3 0 180 ffffa40014877900 syz-executor.0 parked 1495 1589 3 0 180 ffffa400148774c0 syz-executor.0 parked 1495 1495 2 0 10000000 ffffa400148b0140 syz-executor.0 1766 1581 3 1 180 ffffa40013ce1a80 syz-executor.4 parked 1766 >1592 7 1 100 ffffa40013c904c0 syz-executor.4 1766 1766 2 1 10000000 ffffa40014728980 syz-executor.4 1614 1340 3 0 180 ffffa40014877080 syz-executor.2 parked 1614 1617 3 0 180 ffffa40013ce1640 syz-executor.2 parked 1614 1614 2 0 10040000 ffffa400148132c0 syz-executor.2 1615 1615 3 0 180 ffffa40014861780 syz-executor.0 parked 1496 1496 3 1 180 ffffa400147c41c0 syz-executor.3 parked 1244 1244 3 0 180 ffffa40013cad980 syz-executor.3 parked 937 937 3 1 180 ffffa400153db300 syz-executor.4 parked 1195 1195 3 1 180 ffffa400153c82c0 syz-executor.4 parked 1222 1222 2 0 140 ffffa40015289a80 syz-executor.5 989 989 2 1 140 ffffa40015289200 syz-executor.4 1226 1226 2 1 140 ffffa40015247a40 syz-executor.2 1109 1109 2 0 40 ffffa40015247600 syz-executor.3 1191 1191 2 1 40 ffffa400152471c0 syz-executor.1 422 422 2 1 140 ffffa40015140a00 syz-executor.0 1255 1219 2 1 140 ffffa40013be4600 syz-fuzzer 1255 1218 3 1 180 ffffa40015140180 syz-fuzzer parked 1255 1221 3 1 180 ffffa4001486d8c0 syz-fuzzer parked 1255 1220 3 1 1c0 ffffa4001486d480 syz-fuzzer parked 1255 1110 3 1 180 ffffa4001486d040 syz-fuzzer parked 1255 1151 3 1 1c0 ffffa40013c6cbc0 syz-fuzzer parked 1255 1104 3 1 1c0 ffffa40013a4d340 syz-fuzzer parked 1255 1072 2 1 140 ffffa40013a95480 syz-fuzzer 1255 1255 3 1 180 ffffa40013bc85c0 syz-fuzzer parked 1083 1083 3 0 180 ffffa40013be41c0 sshd select 1070 1070 3 1 180 ffffa4001487f940 getty nanoslp 1071 1071 3 1 180 ffffa40013ab6900 getty nanoslp 1115 1115 3 1 180 ffffa40013ab64c0 getty nanoslp 1252 1252 3 1 1c0 ffffa40013b5a0c0 getty ttyraw 945 945 3 1 180 ffffa40014855300 sshd select 948 948 3 0 180 ffffa400147839c0 powerd kqueue 872 872 3 0 180 ffffa400147f9280 syslogd kqueue 596 596 3 1 180 ffffa400139f6b40 dhcpcd poll 737 737 3 1 180 ffffa40013cb6140 dhcpcd poll 595 595 3 0 180 ffffa40013a2a300 dhcpcd poll 589 589 3 1 180 ffffa40013c5c740 dhcpcd poll 482 482 3 0 180 ffffa40013d82900 dhcpcd poll 288 288 3 1 180 ffffa40013d824c0 dhcpcd poll 351 351 3 1 180 ffffa40013d82080 dhcpcd poll 1 1 3 0 180 ffffa4001385a140 init wait 0 1765 5 1 200 ffffa400147d2200 (zombie) 0 682 3 0 200 ffffa40013986240 physiod physiod 0 192 3 0 200 ffffa40013988280 pooldrain pooldrain 0 > 163 7 0 240 ffffa40013986ac0 ioflush 0 168 3 1 200 ffffa40013986680 pgdaemon pgdaemon 0 162 3 1 200 ffffa4001395a640 usb7 usbevt 0 161 3 1 200 ffffa4001395a200 usb6 usbevt 0 31 3 1 200 ffffa4001390ba40 usb5 usbevt 0 63 3 1 200 ffffa4001390b600 usb4 usbevt 0 126 3 1 200 ffffa4001390b1c0 usb3 usbevt 0 125 3 0 200 ffffa400138b8a00 usb2 usbevt 0 124 3 1 200 ffffa400138b85c0 usb1 usbevt 0 123 2 1 240 ffffa400138b8180 usb0 0 122 3 1 200 ffffa4001385a9c0 usbtask-dr usbtsk 0 121 3 0 200 ffffa40010dbaac0 usbtask-hc usbtsk 0 120 3 0 200 ffffa4001385a580 npfgc0 npfgcw 0 119 3 1 200 ffffa4001384c980 rt_free rt_free 0 118 3 1 200 ffffa4001384c540 unpgc unpgc 0 117 3 0 200 ffffa4001384c100 key_timehandler key_timehandler 0 116 3 1 200 ffffa4001371c940 icmp6_wqinput/1 icmp6_wqinput 0 115 3 0 200 ffffa4001371c500 icmp6_wqinput/0 icmp6_wqinput 0 114 3 0 200 ffffa4001371c0c0 nd6_timer nd6_timer 0 113 3 1 200 ffffa40013710900 carp6_wqinput/1 carp6_wqinput 0 112 3 0 200 ffffa400137104c0 carp6_wqinput/0 carp6_wqinput 0 111 3 1 200 ffffa40013710080 carp_wqinput/1 carp_wqinput 0 110 3 0 200 ffffa400136ff8c0 carp_wqinput/0 carp_wqinput 0 109 3 1 200 ffffa400136ff480 icmp_wqinput/1 icmp_wqinput 0 108 3 0 200 ffffa400136ff040 icmp_wqinput/0 icmp_wqinput 0 107 3 1 200 ffffa400136edbc0 rt_timer rt_timer 0 106 3 1 200 ffffa400136ed780 vmem_rehash vmem_rehash 0 105 3 0 200 ffffa400136ecb80 entbutler entropy 0 96 3 1 200 ffffa400130c0b00 viomb balloon 0 30 3 1 200 ffffa400130c06c0 vioif0_txrx/1 vioif0_txrx 0 29 3 0 200 ffffa400130c0280 vioif0_txrx/0 vioif0_txrx 0 27 3 0 200 ffffa40010dba680 scsibus0 sccomp 0 26 3 0 200 ffffa40010dba240 pms0 pmsreset 0 25 3 1 200 ffffa40010d0ea80 xcall/1 xcall 0 24 1 1 200 ffffa40010d0e640 softser/1 0 23 1 1 200 ffffa40010d0e200 softclk/1 0 22 1 1 200 ffffa40010d0ca40 softbio/1 0 21 1 1 200 ffffa40010d0c600 softnet/1 0 20 1 1 201 ffffa40010d0c1c0 idle/1 0 19 3 1 200 ffffa4000f77da00 lnxpwrwq lnxpwrwq 0 18 3 1 200 ffffa4000f77d5c0 lnxlngwq lnxlngwq 0 17 3 1 200 ffffa4000f77d180 lnxsyswq lnxsyswq 0 16 3 1 200 ffffa4000f7759c0 lnxrcugc lnxrcugc 0 15 3 0 200 ffffa4000f775580 sysmon smtaskq 0 14 3 0 200 ffffa4000f775140 pmfsuspend pmfsuspend 0 13 3 1 200 ffffa4000f771980 pmfevent pmfevent 0 12 3 0 200 ffffa4000f771540 sopendfree sopendfr 0 11 3 1 200 ffffa4000f771100 iflnkst iflnkst 0 10 3 0 200 ffffa4000f765940 nfssilly nfssilly 0 9 3 0 200 ffffa4000f765500 vdrain vdrain 0 8 3 0 200 ffffa4000f7650c0 modunload mod_unld 0 7 3 0 200 ffffa4000f758900 xcall/0 xcall 0 6 1 0 200 ffffa4000f7584c0 softser/0 0 5 1 0 200 ffffa4000f758080 softclk/0 0 4 1 0 200 ffffa4000f7568c0 softbio/0 0 3 1 0 200 ffffa4000f756480 softnet/0 0 2 1 0 201 ffffa4000f756040 idle/0 0 0 2 1 240 ffffffff82eee200 swapper [Locks tracked through LWPs] ****** LWP 1495.1495 (syz-executor.0) @ 0xffffa400148b0140, l_stat=2 *** Locks held: * Lock 0 (initialized at amap_ctor) lock address : 0xffffa40015152580 type : sleep/adaptive initialized : 0xffffffff8182910b shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffa400148b0140 last held: 0xffffa400148b0140 last locked* : 0xffffffff818398fd unlocked : 0xffffffff8183838f owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 1766.1592 (syz-executor.4) @ 0xffffa40013c904c0, l_stat=7 *** Locks held: * Lock 0 (initialized at sequencerget) lock address : 0xffffa400136bb050 type : sleep/adaptive initialized : 0xffffffff81ab7031 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffa40013c904c0 last held: 0xffffa40013c904c0 last locked* : 0xffffffff81ab76ef unlocked : 0xffffffff81abae55 owner field : 0xffffa40013c904c0 wait/spin: 0/0 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 1614.1614 (syz-executor.2) @ 0xffffa400148132c0, l_stat=2 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at uvm_map_setup) lock address : 0xffffa40013c56740 type : sleep/adaptive initialized : 0xffffffff8184d9c2 shared holds : 0 exclusive: 0 shares wanted: 1 exclusive: 0 relevant cpu : 0 last held: 65535 relevant lwp : 0xffffa400148132c0 last held: 000000000000000000 last locked : 0xffffffff818393cc unlocked*: 0xffffffff818383b0 owner/count : 0xffffa400148132c0 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. ****** LWP 1222.1222 (syz-executor.5) @ 0xffffa40015289a80, l_stat=2 *** Locks held: * Lock 0 (initialized at uvm_map_setup) lock address : 0xffffa400148b2ba8 type : sleep/adaptive initialized : 0xffffffff8184d9c2 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffa40015289a80 last held: 0xffffa40015289a80 last locked* : 0xffffffff81847134 unlocked : 0xffffffff8183c5c9 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 1109.1109 (syz-executor.3) @ 0xffffa40015247600, l_stat=2 *** Locks held: * Lock 0 (initialized at filedesc_ctor) lock address : 0xffffa40013c67b80 type : sleep/adaptive initialized : 0xffffffff818a0dfd shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffa40015247600 last held: 0xffffa40015247600 last locked* : 0xffffffff818a3d66 unlocked : 0xffffffff818a883d owner field : 0xffffa40015247600 wait/spin: 0/0 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 1191.1191 (syz-executor.1) @ 0xffffa400152471c0, l_stat=2 *** Locks held: * Lock 0 (initialized at vcache_alloc) lock address : 0xffffa40015243f40 type : sleep/adaptive initialized : 0xffffffff81a58500 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffa400152471c0 last held: 0xffffa400152471c0 last locked* : 0xffffffff81a8b2d0 unlocked : 0xffffffff81a8b332 owner/count : 0xffffa400152471c0 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at vcache_alloc) lock address : 0xffffa40015465f00 type : sleep/adaptive initialized : 0xffffffff81a58500 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffa400152471c0 last held: 0xffffa400152471c0 last locked* : 0xffffffff81a8b2d0 unlocked : 0xffffffff81a8b332 [ 220.5044952] Skipping crash dump on recursive panic [ 220.5044952] panic: ASan: Unauthorized Access In 0xffffffff81903dd0: Addr 0xffffa40015465f00 [8 bytes, read, PoolUseAfterFree] [ 220.5044952] cpu1: Begin traceback... [ 220.5044952] vpanic() at netbsd:vpanic+0x265 sys/kern/subr_prf.c:290 [ 220.5044952] snprintf() at netbsd:snprintf [ 220.5044952] kasan_report() at netbsd:kasan_report+0x8c kasan_code_name sys/kern/subr_asan.c:163 [inline] [ 220.5044952] kasan_report() at netbsd:kasan_report+0x8c sys/kern/subr_asan.c:195 [ 220.5044952] __asan_load8() at netbsd:__asan_load8+0x27e kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:345 [inline] [ 220.5044952] __asan_load8() at netbsd:__asan_load8+0x27e kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:359 [inline] [ 220.5044952] __asan_load8() at netbsd:__asan_load8+0x27e kasan_shadow_check sys/kern/subr_asan.c:411 [inline] [ 220.5044952] __asan_load8() at netbsd:__asan_load8+0x27e sys/kern/subr_asan.c:1198 [ 220.5044952] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:186 [ 220.5044952] lockdebug_dump() at netbsd:lockdebug_dump+0x23b sys/kern/subr_lockdebug.c:759 [ 220.5044952] lockdebug_show_one() at netbsd:lockdebug_show_one+0xa7 sys/kern/subr_lockdebug.c:839 [ 220.5044952] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x274 lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:877 [inline] [ 220.5044952] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x274 sys/kern/subr_lockdebug.c:941 [ 220.5044952] db_command() at netbsd:db_command+0x310 sys/ddb/db_command.c:957 [ 220.5044952] db_command_loop() at netbsd:db_command_loop+0x293 db_execute_commandlist sys/ddb/db_command.c:454 [inline] [ 220.5044952] db_command_loop() at netbsd:db_command_loop+0x293 sys/ddb/db_command.c:604 [ 220.5044952] db_trap() at netbsd:db_trap+0x22c sys/ddb/db_trap.c:94 [ 220.5044952] kdb_trap() at netbsd:kdb_trap+0x25c sys/arch/amd64/amd64/db_interface.c:250 [ 220.5044952] trap() at netbsd:trap+0x819 sys/arch/amd64/amd64/trap.c:315 [ 220.5044952] --- trap (number 1) --- [ 220.5044952] breakpoint() at netbsd:breakpoint+0x5 [ 220.5044952] db_panic() at netbsd:db_panic+0x105 sys/ddb/db_panic.c:67 [ 220.5044952] vpanic() at netbsd:vpanic+0x265 sys/kern/subr_prf.c:290 [ 220.5044952] snprintf() at netbsd:snprintf [ 220.5044952] lockdebug_more() at netbsd:lockdebug_more [ 220.5044952] lockdebug_barrier() at netbsd:lockdebug_barrier+0x11d sys/kern/subr_lockdebug.c:650 [ 220.5044952] syscall() at netbsd:syscall+0x544 mi_userret sys/sys/userret.h:117 [inline] [ 220.5044952] syscall() at netbsd:syscall+0x544 userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] [ 220.5044952] syscall() at netbsd:syscall+0x544 sys/arch/x86/x86/syscall.c:166 [ 220.5044952] --- syscall (number 16) --- [ 220.5044952] netbsd:syscall+0x544: [ 220.5044952] cpu1: End traceback... [ 220.5044952] fatal breakpoint trap in supervisor mode [ 220.5044952] trap type 1 code 0 rip 0xffffffff80220a2d cs 0x8 rflags 0x282 cr2 0x73f77cc4e000 ilevel 0x8 rsp 0xffffa401a8e54250 [ 220.5044952] curlwp 0xffffa40013c904c0 pid 1766.1592 lowest kstack 0xffffa401a8e4d2c0 Stopped in pid 1766.1592 (syz-executor.4) at netbsd:breakpoint+0x5: leave