[ 52.3499520] panic: kernel diagnostic assertion "ci->ci_tlbstate != TLBSTATE_VALID" failed: file "/syzkaller/managers/netbsd/kernel/sys/arch/x86/x86/pmap.c", line 3412 [ 52.3599411] cpu1: Begin traceback... [ 52.3699430] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 [ 52.3999442] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 52.4299495] pmap_activate() at netbsd:pmap_activate+0x173 sys/arch/x86/x86/pmap.c:3412 [ 52.4599432] mi_switch() at netbsd:mi_switch+0x673 sys/kern/kern_synch.c:808 [ 52.4799438] kpreempt() at netbsd:kpreempt+0x1fc sys/kern/kern_synch.c:428 [ 52.5099441] syscall() at netbsd:syscall+0x8fa KPREEMPT_ENABLE sys/sys/lwp.h:555 [inline] [ 52.5099441] syscall() at netbsd:syscall+0x8fa KPREEMPT_ENABLE sys/sys/lwp.h:545 [inline] [ 52.5099441] syscall() at netbsd:syscall+0x8fa mi_userret sys/sys/userret.h:114 [inline] [ 52.5099441] syscall() at netbsd:syscall+0x8fa userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] [ 52.5099441] syscall() at netbsd:syscall+0x8fa sys/arch/x86/x86/syscall.c:166 [ 52.5199435] --- syscall (number 0) --- [ 52.5299478] netbsd:syscall+0x8fa: [ 52.5299478] cpu1: End traceback... [ 52.5399427] fatal breakpoint trap in supervisor mode [ 52.5399427] trap type 1 code 0 rip 0xffffffff8022094d cs 0x8 rflags 0x282 cr2 0x761fa7606ca0 ilevel 0x8 rsp 0xffffb981805dfb80 [ 52.5499416] curlwp 0xffffb98012c0da40 pid 2253.2253 lowest kstack 0xffffb981805d82c0 Stopped in pid 2253.2253 (syz-executor0827) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure pmap_activate() at netbsd:pmap_activate+0x173 sys/arch/x86/x86/pmap.c:3412 mi_switch() at netbsd:mi_switch+0x673 sys/kern/kern_synch.c:808 kpreempt() at netbsd:kpreempt+0x1fc sys/kern/kern_synch.c:428 syscall() at netbsd:syscall+0x8fa KPREEMPT_ENABLE sys/sys/lwp.h:555 [inline] syscall() at netbsd:syscall+0x8fa KPREEMPT_ENABLE sys/sys/lwp.h:545 [inline] syscall() at netbsd:syscall+0x8fa mi_userret sys/sys/userret.h:114 [inline] syscall() at netbsd:syscall+0x8fa userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] syscall() at netbsd:syscall+0x8fa sys/arch/x86/x86/syscall.c:166 --- syscall (number 0) --- netbsd:syscall+0x8fa: ds fc40 es c19e fs fb60 gs fbb0 rdi ffffffff82bd8280 db_onpanic rsi 1ffffffff057b050 rbp ffffb981805dfb80 rbx ffffb9816e699000 rdx 0 rcx ffffffff8126bf59 db_panic+0xd5 rax ffffb98012c0da40 r8 4 r9 1ffffffff057b050 r10 ffffffff82bd8283 db_onpanic+0x3 r11 8000000000 r12 ffffb9816e6aa000 r13 ffffffff81f89140 platform_private_nodes+0x160 r14 ffffb981805dfc10 r15 ffffb9816e699060 rip ffffffff8022094d breakpoint+0x5 cs 8 rflags 282 rsp ffffb981805dfb80 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 2266 2266 2 0 0 ffffb980137d80c0 syz-executor0827 2175 1575 2 0 100000 ffffb98012aefbc0 syz-executor0827 2175 2175 2 0 10000000 ffffb98012a88740 syz-executor0827 2090 2090 2 0 0 ffffb98012c6c2c0 syz-executor0827 2253 2229 2 0 0 ffffb98013846300 syz-executor0827 2253 2098 3 1 80 ffffb98012c0d600 syz-executor0827 parked 2253 >2253 7 1 0 ffffb98012c0da40 syz-executor0827 1659 1659 2 0 40 ffffb980147ae4c0 syz-executor0827 700 700 3 1 80 ffffb980147ae080 syz-executor0827 nanoslp 698 698 2 0 40 ffffb98013805a00 syz-executor0827 696 696 3 1 80 ffffb9801382cb00 syz-executor0827 nanoslp 695 695 3 0 40 ffffb9801382c6c0 syz-executor0827 xclocv 697 697 2 0 40 ffffb9801376ab80 syz-executor0827 694 694 3 0 80 ffffb98012747300 syz-executor0827 nanoslp 685 685 3 1 80 ffffb98012744700 sshd select 1509 1509 3 1 80 ffffb980138055c0 getty nanoslp 684 684 3 0 80 ffffb98013823240 getty nanoslp 1638 1638 3 1 80 ffffb98013817a80 getty nanoslp 871 871 3 1 c0 ffffb98013817200 getty ttyraw 1380 1380 3 1 80 ffffb980141548c0 cron nanoslp 724 724 3 1 80 ffffb980136f5700 inetd kqueue 1445 1445 3 1 80 ffffb98012ce8a00 sshd select 739 739 3 0 80 ffffb98012c0d1c0 powerd kqueue 1249 1249 2 1 40000 ffffb98012b09480 makemandb 449 449 3 1 80 ffffb9801376a300 syslogd kqueue 303 303 3 0 80 ffffb98012c9a480 dhcpcd kqueue 338 338 3 0 80 ffffb98012bb4100 dhcpcd kqueue 1 1 3 0 80 ffffb980128f5140 init wait 0 932 3 0 200 ffffb9801294da00 physiod physiod 0 63 3 0 200 ffffb9801295ca40 pooldrain pooldrain 0 > 126 7 0 240 ffffb9801295c600 ioflush 0 125 3 1 200 ffffb9801295c1c0 pgdaemon pgdaemon 0 122 3 0 200 ffffb9801294d180 usb0 usbevt 0 121 3 1 200 ffffb980128f59c0 usbtask-dr usbtsk 0 120 3 1 200 ffffb9800fe5cac0 usbtask-hc usbtsk 0 119 3 1 200 ffffb980128f5580 npfgc-0 npfgccv 0 118 3 1 200 ffffb980128e4980 rt_free rt_free 0 117 3 1 200 ffffb980128e4540 unpgc unpgc 0 116 3 0 200 ffffb980128e4100 key_timehandler key_timehandler 0 115 3 1 200 ffffb980128dc940 icmp6_wqinput/1 icmp6_wqinput 0 114 3 0 200 ffffb980128dc500 icmp6_wqinput/0 icmp6_wqinput 0 113 3 0 200 ffffb980128dc0c0 nd6_timer nd6_timer 0 112 3 1 200 ffffb980128d2900 carp6_wqinput/1 carp6_wqinput 0 111 3 0 200 ffffb980128d24c0 carp6_wqinput/0 carp6_wqinput 0 110 3 1 200 ffffb980128d2080 carp_wqinput/1 carp_wqinput 0 109 3 0 200 ffffb980127598c0 carp_wqinput/0 carp_wqinput 0 108 3 1 200 ffffb98012759480 icmp_wqinput/1 icmp_wqinput 0 107 3 0 200 ffffb98012759040 icmp_wqinput/0 icmp_wqinput 0 106 3 0 200 ffffb98012747b80 rt_timer rt_timer 0 105 3 1 200 ffffb98012748bc0 vmem_rehash vmem_rehash 0 104 3 1 200 ffffb98012748780 entbutler entropy 0 30 3 1 200 ffffb980121626c0 vioif0_txrx/1 vioif0_txrx 0 29 3 0 200 ffffb98012162280 vioif0_txrx/0 vioif0_txrx 0 27 3 0 200 ffffb9800fe5c680 scsibus0 sccomp 0 26 3 0 200 ffffb9800fe5c240 pms0 pmsreset 0 25 2 1 200 ffffb9800fd9da80 xcall/1 0 24 1 1 200 ffffb9800fd9d640 softser/1 0 23 1 1 200 ffffb9800fd9d200 softclk/1 0 22 1 1 200 ffffb9800fd9ba40 softbio/1 0 21 1 1 200 ffffb9800fd9b600 softnet/1 0 20 1 1 201 ffffb9800fd9b1c0 idle/1 0 19 3 0 200 ffffb9800e80aa00 lnxpwrwq lnxpwrwq 0 18 3 0 200 ffffb9800e80a5c0 lnxlngwq lnxlngwq 0 17 3 0 200 ffffb9800e80a180 lnxsyswq lnxsyswq 0 16 3 0 200 ffffb9800e8049c0 lnxrcugc lnxrcugc 0 15 3 0 200 ffffb9800e804580 sysmon smtaskq 0 14 3 0 200 ffffb9800e804140 pmfsuspend pmfsuspend 0 13 3 0 200 ffffb9800e7ff980 pmfevent pmfevent 0 12 3 0 200 ffffb9800e7ff540 sopendfree sopendfr 0 11 3 0 200 ffffb9800e7ff100 iflnkst iflnkst 0 10 3 0 200 ffffb9800e7f3940 nfssilly nfssilly 0 9 3 0 200 ffffb9800e7f3500 vdrain vdrain 0 8 3 0 200 ffffb9800e7f30c0 modunload mod_unld 0 7 3 0 200 ffffb9800e7e6900 xcall/0 xcall 0 6 1 0 200 ffffb9800e7e64c0 softser/0 0 5 1 0 200 ffffb9800e7e6080 softclk/0 0 4 1 0 200 ffffb9800e7e48c0 softbio/0 0 3 1 0 200 ffffb9800e7e4480 softnet/0 0 2 1 0 201 ffffb9800e7e4040 idle/0 0 0 3 0 200 ffffffff82ca3700 swapper uvm [Locks tracked through LWPs] ****** LWP 2090.2090 (syz-executor0827) @ 0xffffb98012c6c2c0, l_stat=2 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at amap_ctor) lock address : 0xffffb980143ba240 type : sleep/adaptive initialized : 0xffffffff81629013 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 1 relevant cpu : 0 last held: 0 relevant lwp : 0xffffb98012c6c2c0 last held: 000000000000000000 last locked : 0xffffffff81637e26 unlocked*: 0xffffffff81635dd8 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. ****** LWP 698.698 (syz-executor0827) @ 0xffffb98013805a00, l_stat=2 *** Locks held: * Lock 0 (initialized at vcache_alloc) lock address : 0xffffb980147cfa40 type : sleep/adaptive initialized : 0xffffffff81823e43 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffb98013805a00 last held: 0xffffb98013805a00 last locked* : 0xffffffff81852c3f unlocked : 0xffffffff81852ca1 owner/count : 0xffffb98013805a00 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at vcache_alloc) lock address : 0xffffb9801485f700 type : sleep/adaptive initialized : 0xffffffff81823e43 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffb98013805a00 last held: 0xffffb98013805a00 last locked* : 0xffffffff81852c3f unlocked : 0xffffffff81852ca1 [ 52.5599392] Skipping crash dump on recursive panic [ 52.5599392] panic: ASan: Unauthorized Access In 0xffffffff816ef6f0: Addr 0xffffb9801485f700 [8 bytes, read, PoolUseAfterFree] [ 52.5599392] cpu1: Begin traceback... [ 52.5599392] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 [ 52.5599392] snprintf() at netbsd:snprintf [ 52.5599392] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline] [ 52.5599392] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197 [ 52.5599392] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline] [ 52.5599392] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline] [ 52.5599392] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline] [ 52.5599392] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210 [ 52.5599392] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:186 [ 52.5599392] lockdebug_dump() at netbsd:lockdebug_dump+0x205 sys/kern/subr_lockdebug.c:759 [ 52.5599392] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb7 sys/kern/subr_lockdebug.c:839 [ 52.5599392] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26a lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:877 [inline] [ 52.5599392] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26a sys/kern/subr_lockdebug.c:941 [ 52.5599392] db_command() at netbsd:db_command+0x2ad sys/ddb/db_command.c:942 [ 52.5599392] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:439 [inline] [ 52.5599392] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:589 [ 52.5599392] db_trap() at netbsd:db_trap+0x206 sys/ddb/db_trap.c:94 [ 52.5599392] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:248 [ 52.5599392] trap() at netbsd:trap+0x579 sys/arch/amd64/amd64/trap.c:315 [ 52.5599392] --- trap (number 1) --- [ 52.5599392] breakpoint() at netbsd:breakpoint+0x5 [ 52.5599392] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 [ 52.5599392] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 [ 52.5599392] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 52.5599392] pmap_activate() at netbsd:pmap_activate+0x173 sys/arch/x86/x86/pmap.c:3412 [ 52.5599392] mi_switch() at netbsd:mi_switch+0x673 sys/kern/kern_synch.c:808 [ 52.5599392] kpreempt() at netbsd:kpreempt+0x1fc sys/kern/kern_synch.c:428 [ 52.5599392] syscall() at netbsd:syscall+0x8fa KPREEMPT_ENABLE sys/sys/lwp.h:555 [inline] [ 52.5599392] syscall() at netbsd:syscall+0x8fa KPREEMPT_ENABLE sys/sys/lwp.h:545 [inline] [ 52.5599392] syscall() at netbsd:syscall+0x8fa mi_userret sys/sys/userret.h:114 [inline] [ 52.5599392] syscall() at netbsd:syscall+0x8fa userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] [ 52.5599392] syscall() at netbsd:syscall+0x8fa sys/arch/x86/x86/syscall.c:166 [ 52.5599392] --- syscall (number 0) --- [ 52.5599392] netbsd:syscall+0x8fa: [ 52.5599392] cpu1: End traceback... [ 52.5599392] fatal breakpoint trap in supervisor mode [ 52.5599392] trap type 1 code 0 rip 0xffffffff8022094d cs 0x8 rflags 0x282 cr2 0x761fa7606ca0 ilevel 0x8 rsp 0xffffb981805df120 [ 52.5599392] curlwp 0xffffb98012c0da40 pid 2253.2253 lowest kstack 0xffffb981805d82c0 Stopped in pid 2253.2253 (syz-executor0827) at netbsd:breakpoint+0x5: leave