[ 184.0247117] panic: kernel diagnostic assertion "uvm_page_locked_p(pg)" failed: file "/syzkaller/managers/netbsd/kernel/sys/arch/x86/x86/pmap.c", line 3533 [ 184.0468766] cpu1: Begin traceback... [ 184.0579698] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 184.1023368] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 184.1466955] pmap_remove_pte() at netbsd:pmap_remove_pte+0x34d pmap_remove_pte sys/arch/x86/x86/pmap.c:3533 [inline] [ 184.1466955] pmap_remove_pte() at netbsd:pmap_remove_pte+0x34d sys/arch/x86/x86/pmap.c:3480 [ 184.1799720] pmap_remove() at netbsd:pmap_remove+0x3b1 pmap_remove_ptes sys/arch/x86/x86/pmap.c:3439 [inline] [ 184.1799720] pmap_remove() at netbsd:pmap_remove+0x3b1 sys/arch/x86/x86/pmap.c:3641 [ 184.2243339] uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 [ 184.2576087] uvmspace_free() at netbsd:uvmspace_free+0x23b sys/uvm/uvm_map.c:4301 [ 184.3019723] uvm_proc_exit() at netbsd:uvm_proc_exit+0xc4 sys/uvm/uvm_glue.c:443 [ 184.3463341] exit1() at netbsd:exit1+0x3bd sys/kern/kern_exit.c:333 [ 184.3796058] sys_exit() at netbsd:sys_exit+0x77 sys/kern/kern_exit.c:179 [ 184.4239702] syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] [ 184.4239702] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 184.4239702] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 [ 184.4350650] --- syscall (number 1) --- [ 184.4461499] 7c580b399a6a: [ 184.4572408] cpu1: End traceback... [ 184.4572408] fatal breakpoint trap in supervisor mode [ 184.4683276] trap type 1 code 0 rip 0xffffffff8021d6e5 cs 0x8 rflags 0x246 cr2 0x60b2a0 ilevel 0 rsp 0xffffac017a887680 [ 184.4794182] curlwp 0xffffac001152ab00 pid 4661.1 lowest kstack 0xffffac017a8802c0 Stopped in pid 4661.1 (syz-executor.0) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure pmap_remove_pte() at netbsd:pmap_remove_pte+0x34d pmap_remove_pte sys/arch/x86/x86/pmap.c:3533 [inline] pmap_remove_pte() at netbsd:pmap_remove_pte+0x34d sys/arch/x86/x86/pmap.c:3480 pmap_remove() at netbsd:pmap_remove+0x3b1 pmap_remove_ptes sys/arch/x86/x86/pmap.c:3439 [inline] pmap_remove() at netbsd:pmap_remove+0x3b1 sys/arch/x86/x86/pmap.c:3641 uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 uvmspace_free() at netbsd:uvmspace_free+0x23b sys/uvm/uvm_map.c:4301 uvm_proc_exit() at netbsd:uvm_proc_exit+0xc4 sys/uvm/uvm_glue.c:443 exit1() at netbsd:exit1+0x3bd sys/kern/kern_exit.c:333 sys_exit() at netbsd:sys_exit+0x77 sys/kern/kern_exit.c:179 syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 --- syscall (number 1) --- 7c580b399a6a: ds 76a0 es 1055 fs 7660 gs 76b0 rdi ffffac000cb1a458 rsi ffffac001152ade8 rbp ffffac017a887680 rbx ffffac016ca81000 rdx 2 rcx ffffffff80d083e1 db_panic+0xd5 rax 0 r8 4 r9 1ffffffff0553a44 r10 ffffffff82a9d223 db_onpanic+0x3 r11 10 r12 ffffac016ca92000 r13 ffffffff81c225e0 platform_private_nodes+0x140 r14 ffffac017a887710 r15 ffffac016ca81060 rip ffffffff8021d6e5 breakpoint+0x5 cs 8 rflags 246 rsp ffffac017a887680 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 4645 1 2 0 0 ffffac00114b25c0 syz-executor.4 4465 4 2 0 0 ffffac00130462c0 syz-executor.1 4465 3 2 0 0 ffffac00114bf1a0 syz-executor.1 4465 1 2 0 0 ffffac00114a6160 syz-executor.1 4695 3 3 1 80 ffffac0011ff8140 syz-executor.0 parked 4562 1 2 0 0 ffffac00110d15a0 syz-executor.2 3458 1 3 0 10000004 ffffac00112f8720 syz-executor.5 xclocv 3846 3 3 1 80 ffffac00114ee640 syz-executor.0 parked 4647 3 2 0 0 ffffac001266f620 syz-executor.3 4647 1 2 0 0 ffffac0011fd9960 syz-executor.3 4661 > 1 7 1 0 ffffac001152ab00 syz-executor.0 4436 3 3 0 80 ffffac001151a6a0 syz-executor.0 parked 4304 3 3 1 80 ffffac00115c1720 syz-executor.0 parked 495 1 2 1 0 ffffac0012edb280 syz-executor.5 603 > 1 7 0 0 ffffac0012e98ae0 syz-executor.4 45 1 2 1 0 ffffac0012e986a0 syz-executor.3 555 1 2 1 0 ffffac0012e98260 syz-executor.2 40 1 2 0 0 ffffac0012e72680 syz-executor.1 41 1 2 1 0 ffffac0012e72240 syz-executor.0 590 11 3 0 80 ffffac0012e72ac0 syz-fuzzer parked 590 10 3 1 80 ffffac0012d24aa0 syz-fuzzer parked 590 9 3 1 80 ffffac00110d55e0 syz-fuzzer parked 590 8 3 1 80 ffffac0012d24220 syz-fuzzer parked 590 7 3 1 80 ffffac0012682a80 syz-fuzzer parked 590 6 3 1 80 ffffac0012682640 syz-fuzzer parked 590 5 3 0 80 ffffac0011f738c0 syz-fuzzer parked 590 4 3 0 80 ffffac0011fe4980 syz-fuzzer kqueue 590 3 3 0 80 ffffac0011fe4540 syz-fuzzer parked 590 2 3 1 80 ffffac00120039e0 syz-fuzzer parked 590 1 3 1 80 ffffac0011f26740 syz-fuzzer parked 580 1 3 0 80 ffffac001202d1c0 sshd select 586 1 3 1 80 ffffac0011ff89c0 getty nanoslp 569 1 3 1 80 ffffac00120035a0 getty nanoslp 538 1 3 1 80 ffffac0011ff8580 getty nanoslp 502 1 3 0 80 ffffac001200d180 getty ttyraw 563 1 3 0 80 ffffac0011f47320 cron nanoslp 376 1 3 0 80 ffffac00115c1b60 inetd kqueue 317 1 3 0 80 ffffac00115836e0 sshd select 478 1 3 0 80 ffffac00114ee200 powerd kqueue 195 1 3 0 80 ffffac0011f47ba0 syslogd kqueue 268 1 3 0 80 ffffac00114e01e0 dhcpcd kqueue 220 1 3 1 80 ffffac00113f18e0 dhcpcd kqueue 1 1 3 1 80 ffffac00111f8240 init wait 0 58 3 0 204 ffffac00111f8ac0 physiod physiod 0 57 3 0 204 ffffac0011242280 aiodoned aiodoned 0 56 3 1 200 ffffac0011241ae0 ioflush syncer 0 55 3 0 204 ffffac00112416a0 pooldrain pooldrain 0 54 3 0 200 ffffac0011241260 pgdaemon pgdaemon 0 51 2 1 200 ffffac00111f8680 npfgc-0 0 50 3 1 204 ffffac00111eaaa0 rt_free rt_free 0 49 3 1 204 ffffac00111ea660 unpgc unpgc 0 48 3 1 204 ffffac00111ea220 key_timehandler key_timehandler 0 47 3 1 204 ffffac0011102a80 icmp6_wqinput/1 icmp6_wqinput 0 46 3 0 204 ffffac0011102640 icmp6_wqinput/0 icmp6_wqinput 0 45 3 0 204 ffffac0011102200 nd6_timer nd6_timer 0 44 3 1 204 ffffac00110f7a60 carp6_wqinput/1 carp6_wqinput 0 43 3 0 204 ffffac00110f7620 carp6_wqinput/0 carp6_wqinput 0 42 3 1 204 ffffac00110f71e0 carp_wqinput/1 carp_wqinput 0 41 3 0 204 ffffac00110e6a40 carp_wqinput/0 carp_wqinput 0 40 3 1 204 ffffac00110e6600 icmp_wqinput/1 icmp_wqinput 0 39 3 0 204 ffffac00110e61c0 icmp_wqinput/0 icmp_wqinput 0 38 2 1 200 ffffac00110d5a20 rt_timer 0 37 3 1 204 ffffac00110d51a0 vmem_rehash vmem_rehash 0 27 3 0 204 ffffac000e9b5580 scsibus0 sccomp 0 26 3 0 200 ffffac000e9b5140 pms0 pmsreset 0 25 2 1 200 ffffac000e9259a0 xcall/1 0 24 1 1 200 ffffac000e925560 softser/1 0 23 1 1 200 ffffac000e925120 softclk/1 0 22 1 1 200 ffffac000e921980 softbio/1 0 21 1 1 200 ffffac000e921540 softnet/1 0 20 1 1 201 ffffac000e921100 idle/1 0 19 3 1 204 ffffac000d041960 lnxpwrwq lnxpwrwq 0 18 3 1 204 ffffac000d041520 lnxlngwq lnxlngwq 0 17 3 1 204 ffffac000d0410e0 lnxsyswq lnxsyswq 0 16 3 1 204 ffffac000d03c940 lnxrcugc lnxrcugc 0 15 3 0 204 ffffac000d03c500 sysmon smtaskq 0 14 3 1 204 ffffac000d03c0c0 pmfsuspend pmfsuspend 0 13 3 0 204 ffffac000d02d920 pmfevent pmfevent 0 12 3 0 204 ffffac000d02d4e0 sopendfree sopendfr 0 11 3 1 204 ffffac000d02d0a0 nfssilly nfssilly 0 10 3 0 200 ffffac000d021900 cachegc cachegc 0 9 3 0 204 ffffac000d0214c0 vdrain vdrain 0 8 3 0 200 ffffac000d021080 modunload mod_unld 0 7 3 0 204 ffffac000d0118e0 xcall/0 xcall 0 6 1 0 200 ffffac000d0114a0 softser/0 0 5 1 0 200 ffffac000d011060 softclk/0 0 4 1 0 200 ffffac000d00e8c0 softbio/0 0 3 1 0 200 ffffac000d00e480 softnet/0 0 2 1 0 201 ffffac000d00e040 idle/0 0 1 2 1 200 ffffffff82b63f60 swapper [Locks tracked through LWPs] Locks held by an LWP (syz-executor.2): Lock 0 (initialized at amap_alloc) lock address : 0xffffac0012e8ee40 type : sleep/adaptive initialized : 0xffffffff810cd201 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffffac001152ab00 last held: 0xffffac00110d15a0 last locked* : 0xffffffff810dbec4 unlocked : 0xffffffff810d9f98 owner field : 000000000000000000 wait/spin: 0/0 Turnstile chain at 0xffffffff82d89188 with mutex 0xffffffff82d87e00. => No active turnstile for this lock. Locks held by an LWP (syz-executor.3): Lock 0 (initialized at amap_alloc) lock address : 0xffffac0012ea3500 type : sleep/adaptive initialized : 0xffffffff810cd201 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffffac001152ab00 last held: 0xffffac0011fd9960 last locked* : 0xffffffff810dbec4 unlocked : 0xffffffff810da575 owner field : 000000000000000000 wait/spin: 0/0 Turnstile chain at 0xffffffff82d89260 with mutex 0xffffffff82d884c0. => No active turnstile for this lock. Locks held by an LWP (syz-executor.0): Lock 0 (initialized at fork1) lock address : 0xffffac0012ffa0d0 type : sleep/adaptive initialized : 0xffffffff8114c9fc shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffac001152ab00 last held: 0xffffac001152ab00 last locked* : 0xffffffff811490ed unlocked : 000000000000000000 owner/count : 0xffffac001152ab00 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d88fd8 with mutex 0xffffffff82d87080. => No active turnstile for this lock. Lock 1 (initialized at amap_copy) lock address : 0xffffac001257e680 type : sleep/adaptive initialized : 0xffffffff810d0ab0 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffac001152ab00 last held: 0xffffac001152ab00 last locked* : 0xffffffff810ed4c1 unlocked : 0xffffffff810da575 owner field : 0xffffac001152ab00 wait/spin: 0/0 Turnstile chain at 0xffffffff82d89090 with mutex 0xffffffff82d87640. => No active turnstile for this lock. Lock 2 (initialized at pmap_create) lock address : 0xffffac0012044e70 type : sleep/adaptive initialized : 0xffffffff802735da shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffac001152ab00 last held: 0xffffac001152ab00 last locked* : 0xffffffff80274622 unlocked : 0xffffffff80273fe2 owner field : 0xffffac001152ab00 wait/spin: 0/0 Turnstile chain at 0xffffffff82d89188 with mutex 0xffffffff82d87e00. => No active turnstile for this lock. Locks held by an LWP (syz-executor.4): Lock 0 (initialized at vcache_alloc) lock address : 0xffffac0012d2c700 type : sleep/adaptive initialized : 0xffffffff812b43b2 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffffac001152ab00 last held: 0xffffac0012e98ae0 last locked* : 0xffffffff812e0e70 unlocked : 0xffffffff812e0d2d owner/count : 000000000000000000 flags : 000000000000000000 Turnstile chain at 0xffffffff82d890a0 with mutex 0xffffffff82d876c0. => No active turnstile for this lock. Lock 1 (initialized at vcache_alloc) lock address : 0xffffac00130785c0 type : sleep/adaptive initialized : 0xffffffff812b43b2 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffffac001152ab00 last held: 0xffffac0012e98ae0 last locked* : 0xffffffff812e0e70 unlocked : 0xffffffff812e0d2d [ 184.4794182] Skipping crash dump on recursive panic [ 184.4794182] panic: ASan: Unauthorized Access In 0xffffffff81187f80: Addr 0xffffac00130785c0 [8 bytes, read, PoolUseAfterFree] [ 184.4794182] cpu1: Begin traceback... [ 184.4794182] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 184.4794182] snprintf() at netbsd:snprintf [ 184.4794182] kasan_report() at netbsd:kasan_report+0x8f kasan_code_name sys/kern/subr_asan.c:172 [inline] [ 184.4794182] kasan_report() at netbsd:kasan_report+0x8f sys/kern/subr_asan.c:194 [ 184.4794182] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:344 [inline] [ 184.4794182] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:358 [inline] [ 184.4794182] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:410 [inline] [ 184.4794182] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1180 [ 184.4794182] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:191 [ 184.4794182] lockdebug_dump() at netbsd:lockdebug_dump+0x281 sys/kern/subr_lockdebug.c:777 [ 184.4794182] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb9 sys/kern/subr_lockdebug.c:855 [ 184.4794182] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:886 [inline] [ 184.4794182] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f sys/kern/subr_lockdebug.c:933 [ 184.4794182] db_command() at netbsd:db_command+0x2c0 sys/ddb/db_command.c:938 [ 184.4794182] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:435 [inline] [ 184.4794182] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:585 [ 184.4794182] db_trap() at netbsd:db_trap+0x219 sys/ddb/db_trap.c:94 [ 184.4794182] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:246 [ 184.4794182] trap() at netbsd:trap+0x650 sys/arch/amd64/amd64/trap.c:313 [ 184.4794182] --- trap (number 1) --- [ 184.4794182] breakpoint() at netbsd:breakpoint+0x5 [ 184.4794182] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 [ 184.4794182] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 184.4794182] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 184.4794182] pmap_remove_pte() at netbsd:pmap_remove_pte+0x34d pmap_remove_pte sys/arch/x86/x86/pmap.c:3533 [inline] [ 184.4794182] pmap_remove_pte() at netbsd:pmap_remove_pte+0x34d sys/arch/x86/x86/pmap.c:3480 [ 184.4794182] pmap_remove() at netbsd:pmap_remove+0x3b1 pmap_remove_ptes sys/arch/x86/x86/pmap.c:3439 [inline] [ 184.4794182] pmap_remove() at netbsd:pmap_remove+0x3b1 sys/arch/x86/x86/pmap.c:3641 [ 184.4794182] uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 [ 184.4794182] uvmspace_free() at netbsd:uvmspace_free+0x23b sys/uvm/uvm_map.c:4301 [ 184.4794182] uvm_proc_exit() at netbsd:uvm_proc_exit+0xc4 sys/uvm/uvm_glue.c:443 [ 184.4794182] exit1() at netbsd:exit1+0x3bd sys/kern/kern_exit.c:333 [ 184.4794182] sys_exit() at netbsd:sys_exit+0x77 sys/kern/kern_exit.c:179 [ 184.4794182] syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] [ 184.4794182] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 184.4794182] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 [ 184.4794182] --- syscall (number 1) --- [ 184.4794182] 7c580b399a6a: [ 184.4794182] cpu1: End traceback... [ 184.4794182] fatal breakpoint trap in supervisor mode [ 184.4794182] trap type 1 code 0 rip 0xffffffff8021d6e5 cs 0x8 rflags 0x246 cr2 0x60b2a0 ilevel 0x8 rsp 0xffffac017a886c40 [ 184.4794182] curlwp 0xffffac001152ab00 pid 4661.1 lowest kstack 0xffffac017a8802c0 Stopped in pid 4661.1 (syz-executor.0) at netbsd:breakpoint+0x5: leave