[ 389.3243266]kernel diagnostic assertion "sn->sn_opencnt" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/miscfs/specfs/spec_vnops.c", line 1705 [ 389.3443015] cpu1: Begin traceback... [ 389.3743036] vpanic() at netbsd:vpanic+0x2f0 sys/kern/subr_prf.c:288 [ 389.4943077] kern_assert() at netbsd:kern_assert+0x65 sys/arch/amd64/amd64/db_disasm.c:1074 [ 389.5943027] spec_close() at netbsd:spec_close+0x98a sys/miscfs/specfs/spec_vnops.c:1705 [ 389.6743055] VOP_CLOSE() at netbsd:VOP_CLOSE+0x133 sys/kern/vnode_if.c:605 [ 389.7443008] cnclose() at netbsd:cnclose+0xff sys/dev/cons.c:196 [ 389.8243032] cdev_close() at netbsd:cdev_close+0x15a sys/kern/subr_devsw.c:1471 [ 389.9043012] spec_close() at netbsd:spec_close+0x76b sys/miscfs/specfs/spec_vnops.c:1756 [ 389.9843043] VOP_CLOSE() at netbsd:VOP_CLOSE+0x133 sys/kern/vnode_if.c:605 [ 390.0643007] vn_close() at netbsd:vn_close+0x4c sys/kern/vfs_vnops.c:493 [ 390.1443016] closef() at netbsd:closef+0x249 sys/kern/kern_descrip.c:861 [ 390.2243026] fd_free() at netbsd:fd_free+0x4e8 sys/kern/kern_descrip.c:1597 [ 390.3043020] exit1() at netbsd:exit1+0x3a7 sys/kern/kern_exit.c:302 [ 390.3843012] sigexit() at netbsd:sigexit+0x5ce sys/kern/kern_sig.c:2264 [ 390.4643019] postsig() at netbsd:postsig+0x9b8 sys/kern/kern_sig.c:2144 [ 390.5443019] lwp_userret() at netbsd:lwp_userret+0x645 sys/kern/kern_lwp.c:1730 [ 390.6343031] mi_userret() at netbsd:mi_userret+0x40d sys/sys/userret.h:59 [ 390.7143011] syscall() at netbsd:syscall+0x38b sys/arch/x86/x86/syscall.c:166 [ 390.7343010] --- syscall (number 0 via SYS_syscall) --- [ 390.7643050] netbsd:syscall+0x38b: [ 390.7743036] cpu1: End traceback... 
[ 390.7743036] fatal breakpoint trap in supervisor mode [ 390.7743036] trap type 1 code 0 rip 0xffffffff80235475 cs 0x8 rflags 0x246 cr2 0x71e465bc9000 ilevel 0 rsp 0xffffb9024943f840 [ 390.7943051] curlwp 0xffffdf1ff49d48c0 pid 6835.6835 lowest kstack 0xffffb9024943b2c0 Stopped in pid 6835.6835 (getty) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xec sys/ddb/db_panic.c:71 vpanic() at netbsd:vpanic+0x2f0 sys/kern/subr_prf.c:288 kern_assert() at netbsd:kern_assert+0x65 sys/arch/amd64/amd64/db_disasm.c:1074 spec_close() at netbsd:spec_close+0x98a sys/miscfs/specfs/spec_vnops.c:1705 VOP_CLOSE() at netbsd:VOP_CLOSE+0x133 sys/kern/vnode_if.c:605 cnclose() at netbsd:cnclose+0xff sys/dev/cons.c:196 cdev_close() at netbsd:cdev_close+0x15a sys/kern/subr_devsw.c:1471 spec_close() at netbsd:spec_close+0x76b sys/miscfs/specfs/spec_vnops.c:1756 VOP_CLOSE() at netbsd:VOP_CLOSE+0x133 sys/kern/vnode_if.c:605 vn_close() at netbsd:vn_close+0x4c sys/kern/vfs_vnops.c:493 closef() at netbsd:closef+0x249 sys/kern/kern_descrip.c:861 fd_free() at netbsd:fd_free+0x4e8 sys/kern/kern_descrip.c:1597 exit1() at netbsd:exit1+0x3a7 sys/kern/kern_exit.c:302 sigexit() at netbsd:sigexit+0x5ce sys/kern/kern_sig.c:2264 postsig() at netbsd:postsig+0x9b8 sys/kern/kern_sig.c:2144 lwp_userret() at netbsd:lwp_userret+0x645 sys/kern/kern_lwp.c:1730 mi_userret() at netbsd:mi_userret+0x40d sys/sys/userret.h:59 syscall() at netbsd:syscall+0x38b sys/arch/x86/x86/syscall.c:166 --- syscall (number 0 via SYS_syscall) --- netbsd:syscall+0x38b: Panic string: kernel diagnostic assertion "sn->sn_opencnt" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/miscfs/specfs/spec_vnops.c", line 1705 PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 7893 7893 2 0 0 ffffdf1fef3e01c0 syz-executor.3 8636 8636 2 0 0 ffffdf200486b180 syz-executor.4 4855 4855 2 1 0 ffffdf1fda4fe8c0 sh 6337 6337 3 1 40180 ffffdf1ffb6d1980 syz-executor.3 wait 5103 5103 3 1 180 
ffffdf1ff24b1bc0 syz-executor.4 wait 6502 6502 2 0 10000000 ffffdf1feef4b200 syz-executor.2 5512 5512 3 1 180 ffffdf1ff7c386c0 syz-executor.5 wait 8909 8909 2 0 1000000 ffffdf1feef4b640 syz-executor.0 6329 6329 3 0 180 ffffdf1fef5fe680 syz-executor.2 wait 4860 4860 2 0 1000000 ffffdf1fe1c7b540 syz-executor.1 4676 > 7214 7 0 1140000 ffffdf1ffb6d1540 syz-executor.1 4676 4676 2 1 11000040 ffffdf1ff9a46300 syz-executor.1 5225 5225 3 1 180 ffffdf1ff81f9b40 syz-executor.4 parked 4508 4508 3 1 180 ffffdf1fdc2ef6c0 syz-executor.0 parked 6835 > 6835 7 1 1000140 ffffdf1ff49d48c0 getty 7093 7093 3 1 180 ffffdf1ffb6d1100 syz-executor.5 parked 4141 4141 3 0 180 ffffdf1fdb558080 syz-executor.2 parked 3463 3463 3 1 180 ffffdf1fe0520080 syz-executor.0 parked 6709 4562 3 1 1100000 ffffdf1fe05204c0 syz-executor.0 vfork 6709 6709 2 1 11000040 ffffdf1fef5feac0 syz-executor.0 3486 4939 3 0 1100000 ffffdf1fdae95940 syz-executor.2 vfork 3486 3486 2 1 11000040 ffffdf1ff9a46b80 syz-executor.2 4184 4184 3 0 180 ffffdf1fda4d7780 syz-executor.1 parked 3887 3138 3 1 1000000 ffffdf1ff49d4480 syz-executor.1 lwpwait 3887 3059 3 0 51a0000 ffffdf1ff24b1340 syz-executor.1 vfork 3887 3887 8 1 111a0000 ffffdf1fdb558900 syz-executor.1 3219 3219 3 1 180 ffffdf1ffae9b4c0 syz-executor.0 parked 2290 2290 3 0 180 ffffdf1ff81f9700 syz-executor.1 parked 2369 2369 3 0 180 ffffdf1fe054a0c0 syz-executor.1 parked 1270 1270 3 1 180 ffffdf1fe9a38a40 syz-executor.1 parked 1272 1272 3 1 180 ffffdf1fe9a381c0 syz-executor.1 parked 1166 1166 3 0 180 ffffdf1fde6f2a00 syz-executor.5 parked 1157 1157 3 0 180 ffffdf1fdae95500 syz-executor.4 parked 1156 1156 3 1 180 ffffdf1fde6f25c0 syz-executor.4 parked 2894 2894 3 0 180 ffffdf1fd9ffdb00 syz-executor.0 parked 2027 2027 3 1 180 ffffdf1fda0052c0 syz-executor.4 parked 869 869 3 1 180 ffffdf1fe054a500 syz-executor.3 parked 1835 1375 3 1 11100000 ffffdf1fe530f9c0 syz-executor.3 vfork 1835 1835 2 1 11000040 ffffdf1fdf2b22c0 syz-executor.3 667 667 3 1 180 ffffdf1fe530f580 
syz-executor.2 parked 666 666 3 1 180 ffffdf1fdc2efb00 syz-executor.2 parked 660 665 3 1 11100000 ffffdf1fe1c7b980 syz-executor.2 vfork 660 3808 3 1 11100000 ffffdf1fe1c7b100 syz-executor.2 vfork 660 660 2 1 11000040 ffffdf1fe0520900 syz-executor.2 3144 3144 3 0 180 ffffdf1fe8252040 syz-executor.3 parked 2749 2624 3 0 11100000 ffffdf1fdbb93680 syz-executor.3 vfork 2749 2749 2 1 11000040 ffffdf1fe7d68300 syz-executor.3 1100 1100 3 0 180 ffffdf1fda4fe480 syz-executor.2 parked 1510 1510 3 0 180 ffffdf1fe7a85bc0 syz-executor.4 parked 1626 1626 3 1 180 ffffdf1fdf2b2b40 syz-executor.5 parked 592 1535 3 1 11100000 ffffdf1fe7a85340 syz-executor.5 vfork 592 592 2 1 11000040 ffffdf1fdb411180 syz-executor.5 1236 581 2 0 1000100 ffffdf1fe7a85780 syz-fuzzer 1236 1211 3 1 180 ffffdf1fdf2b2700 syz-fuzzer wait 1236 1208 2 0 0 ffffdf1fd9ffd6c0 syz-fuzzer 1236 1387 3 1 180 ffffdf1fdb0671c0 syz-fuzzer wait 1236 1202 3 0 180 ffffdf1fdacf4580 syz-fuzzer wait 1236 1201 2 1 0 ffffdf1fdba5c200 syz-fuzzer 1236 991 3 1 180 ffffdf1fda25fb80 syz-fuzzer wait 1236 1240 3 1 180 ffffdf1fdba5c640 syz-fuzzer wait 1236 1098 3 0 180 ffffdf1fdb067a40 syz-fuzzer parked 1236 943 3 1 180 ffffdf1fdb620540 syz-fuzzer parked 1236 801 3 0 180 ffffdf1fda25f740 syz-fuzzer parked 1236 1081 3 1 180 ffffdf1fda005b40 syz-fuzzer parked 1236 1235 2 1 140 ffffdf1fdb4115c0 syz-fuzzer 1236 1236 3 1 180 ffffdf1fdb067600 syz-fuzzer wait 1244 1244 3 0 180 ffffdf1fdbb93240 sshd select 1225 1225 3 0 180 ffffdf1fdc2ef280 getty nanoslp 941 941 3 0 180 ffffdf1fd9cacac0 getty nanoslp 1086 1086 3 1 180 ffffdf1fd9ffd280 getty nanoslp 1094 1094 3 0 180 ffffdf1fdba5ca80 sshd select 985 985 3 0 180 ffffdf1fdbb93ac0 powerd kqueue 812 812 3 1 180 ffffdf1fdb411a00 syslogd kqueue 606 606 3 0 180 ffffdf1fda4fe040 dhcpcd poll 744 744 3 0 180 ffffdf1fdb620980 dhcpcd poll 748 748 3 0 180 ffffdf1fdacf4140 dhcpcd poll 603 603 3 1 180 ffffdf1fda4d7340 dhcpcd poll 487 487 3 0 180 ffffdf1fda005700 dhcpcd poll 292 292 3 0 180 ffffdf1fda25f300 
dhcpcd poll 485 485 3 0 180 ffffdf1fda4d7bc0 dhcpcd poll 1 1 3 1 180 ffffdf1fd1a8f100 init wait 0 5977 5 1 200 ffffdf1fd9cb7200 (zombie) 0 3221 3 1 200 ffffdf1ff81f92c0 ktrace ktrwait 0 1529 3 0 200 ffffdf1fe530f140 ktrace ktrwait 0 874 3 0 200 ffffdf1fd9cb7640 physiod physiod 0 196 3 0 200 ffffdf1fd9cac680 pooldrain pooldrain 0 195 3 0 240 ffffdf1fd9cac240 ioflush mutex 0 194 3 1 200 ffffdf1fd9cb7a80 pgdaemon pgdaemon 0 170 3 0 200 ffffdf1fd7bc6a40 usb7 usbevt 0 169 3 1 200 ffffdf1fd7bc6600 usb6 usbevt 0 168 3 0 200 ffffdf1fd7bc61c0 usb5 usbevt 0 167 3 0 200 ffffdf1fd4b59a00 usb4 usbevt 0 166 3 1 200 ffffdf1fd4b595c0 usb3 usbevt 0 165 3 1 200 ffffdf1fd4b59180 usb2 usbevt 0 31 3 1 200 ffffdf1fd2b049c0 usb1 usbevt 0 63 3 1 200 ffffdf1fd2b04580 usb0 usbevt 0 126 3 1 200 ffffdf1fd2b04140 usbtask-dr usbtsk 0 125 3 0 200 ffffdf1fd1a8f980 usbtask-hc usbtsk 0 124 3 0 200 ffffdf1fcfe95b00 swwreboot swwreboot 0 123 3 0 200 ffffdf1fd1a8f540 npfgc0 npfgcw 0 122 3 1 200 ffffdf1fd184d940 rt_free rt_free 0 121 3 0 200 ffffdf1fd184d500 unpgc unpgc 0 120 3 0 200 ffffdf1fd184d0c0 key_timehandler key_timehandler 0 119 3 1 200 ffffdf1fd1a47900 icmp6_wqinput/1 icmp6_wqinput 0 118 3 0 200 ffffdf1fd1a474c0 icmp6_wqinput/0 icmp6_wqinput 0 117 3 0 200 ffffdf1fd1a47080 nd6_timer nd6_timer 0 116 3 1 200 ffffdf1fd1a328c0 carp6_wqinput/1 carp6_wqinput 0 115 3 0 200 ffffdf1fd1a32480 carp6_wqinput/0 carp6_wqinput 0 114 3 1 200 ffffdf1fd1a32040 carp_wqinput/1 carp_wqinput 0 113 3 0 200 ffffdf1fd19debc0 carp_wqinput/0 carp_wqinput 0 112 3 1 200 ffffdf1fd18ff740 icmp_wqinput/1 icmp_wqinput 0 111 3 0 200 ffffdf1fd18ffb80 icmp_wqinput/0 icmp_wqinput 0 110 2 1 200 ffffdf1fd19de340 rt_timer 0 109 3 0 200 ffffdf1fd19de780 vmem_rehash vmem_rehash 0 100 3 0 200 ffffdf1fd18ff300 entbutler entropy 0 99 3 0 200 ffffdf1fd133eb40 viomb balloon 0 98 3 1 200 ffffdf1fd133e700 vioif0_txrx/1 vioif0_txrx 0 97 3 0 200 ffffdf1fd133e2c0 vioif0_txrx/0 vioif0_txrx 0 30 3 1 200 ffffdf1fcfe956c0 scsibus0 sccomp 0 29 3 0 
200 ffffdf1fcfe95280 pms0 pmsreset 0 28 3 1 200 ffffdf1fcfdb5ac0 xcall/1 xcall 0 27 1 1 200 ffffdf1fcfdb5680 softser/1 0 26 1 1 200 ffffdf1fcfdb5240 softclk/1 0 25 1 1 200 ffffdf1fcfd98a80 softbio/1 0 24 1 1 200 ffffdf1fcfd98640 softnet/1 0 23 1 1 201 ffffdf1fcfd98200 idle/1 0 22 3 0 200 ffffdf20fe133a40 lnxsyswq lnxsyswq 0 21 3 1 200 ffffdf20fe133600 lnxubdwq lnxubdwq 0 20 3 0 200 ffffdf20fe1331c0 lnxpwrwq lnxpwrwq 0 19 3 1 200 ffffdf20fe142a00 lnxlngwq lnxlngwq 0 18 3 1 200 ffffdf20fe1425c0 lnxhipwq lnxhipwq 0 17 3 1 200 ffffdf20fe142180 lnxrcugc lnxrcugc 0 16 3 0 200 ffffdf20fe1599c0 sysmon smtaskq 0 15 3 0 200 ffffdf20fe159580 pmfsuspend pmfsuspend 0 14 3 1 200 ffffdf20fe159140 pmfevent pmfevent 0 13 3 0 200 ffffdf20fe16c980 sopendfree sopendfr 0 12 3 0 200 ffffdf20fe16c540 ifwdog ifwdog 0 11 3 1 200 ffffdf20fe16c100 iflnkst iflnkst 0 10 3 1 200 ffffdf20ff197940 nfssilly nfssilly 0 9 3 0 200 ffffdf20ff197500 pooldisp pooldisp 0 8 3 1 200 ffffdf20ff1970c0 modunload mod_unld 0 7 3 0 200 ffffdf20ff1c2900 xcall/0 xcall 0 6 1 0 200 ffffdf20ff1c24c0 softser/0 0 5 1 0 200 ffffdf20ff1c2080 softclk/0 0 4 1 0 200 ffffdf20ff1ed8c0 softbio/0 0 3 1 0 200 ffffdf20ff1ed480 softnet/0 0 2 1 0 201 ffffdf20ff1ed040 idle/0 0 0 2 1 240 ffffffff86795cc0 swapper [Locks tracked through LWPs] ****** LWP 7893.7893 (syz-executor.3) @ 0xffffdf1fef3e01c0, l_stat=2 *** Locks held: * Lock 0 (initialized at netbsd:fork1+0x4c5 sys/kern/kern_fork.c:366) lock address : ffffdf1ffb356810 type : sleep/adaptive initialized : netbsd:fork1+0x4c5 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 1 relevant lwp : 0xffffdf1fef3e01c0 last held: 0xffffdf1fef3e01c0 last locked* : netbsd:execve_loadvm+0x22d unlocked : 0 owner/count : 0xffffdf1fef3e01c0 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. 
*** Locks wanted: none ****** LWP -9670400.0 (KI@KI{) @ 0xffffffff86d09e08, l_stat=0 *** Locks held: none *** Locks wanted: [ 390.7943051] Skipping crash dump on recursive panic [ 390.7943051] panic: UBSan: Undefined Behavior in /syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/kern/subr_lockdebug.c:874:43, member access within misaligned address 0xffffffff86d09e0a for type 'volatile struct lockdebug_t' which requires 8 byte alignment [ 390.7943051] cpu1: Begin traceback... [ 390.7943051] vpanic() at netbsd:vpanic+0x2f0 sys/kern/subr_prf.c:288 [ 390.7943051] Report() at netbsd:Report+0x3b sys/../common/lib/libc/misc/ubsan.c:1352 [ 390.7943051] HandleTypeMismatch() at netbsd:HandleTypeMismatch+0xfc sys/../common/lib/libc/misc/ubsan.c:432 [ 390.7943051] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0xa0c lockdebug_show_one sys/kern/subr_lockdebug.c:874 [inline] [ 390.7943051] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0xa0c lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:920 [inline] [ 390.7943051] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0xa0c sys/kern/subr_lockdebug.c:974 [ 390.7943051] db_command() at netbsd:db_command+0x240 sys/ddb/db_command.c:972 [ 390.7943051] db_command_loop() at netbsd:db_command_loop+0x221 db_execute_commandlist sys/ddb/db_command.c:468 [inline] [ 390.7943051] db_command_loop() at netbsd:db_command_loop+0x221 sys/ddb/db_command.c:618 [ 390.7943051] db_trap() at netbsd:db_trap+0x261 sys/ddb/db_trap.c:94 [ 390.7943051] kdb_trap() at netbsd:kdb_trap+0x1aa sys/arch/amd64/amd64/db_interface.c:252 [ 390.7943051] trap() at netbsd:trap+0x569 sys/arch/amd64/amd64/trap.c:314 [ 390.7943051] --- trap (number 1) --- [ 390.7943051] breakpoint() at netbsd:breakpoint+0x5 [ 390.7943051] db_panic() at netbsd:db_panic+0xec sys/ddb/db_panic.c:71 [ 390.7943051] vpanic() at netbsd:vpanic+0x2f0 sys/kern/subr_prf.c:288 [ 390.7943051] kern_assert() at netbsd:kern_assert+0x65 
sys/arch/amd64/amd64/db_disasm.c:1074 [ 390.7943051] spec_close() at netbsd:spec_close+0x98a sys/miscfs/specfs/spec_vnops.c:1705 [ 390.7943051] VOP_CLOSE() at netbsd:VOP_CLOSE+0x133 sys/kern/vnode_if.c:605 [ 390.7943051] cnclose() at netbsd:cnclose+0xff sys/dev/cons.c:196 [ 390.7943051] cdev_close() at netbsd:cdev_close+0x15a sys/kern/subr_devsw.c:1471 [ 390.7943051] spec_close() at netbsd:spec_close+0x76b sys/miscfs/specfs/spec_vnops.c:1756 [ 390.7943051] VOP_CLOSE() at netbsd:VOP_CLOSE+0x133 sys/kern/vnode_if.c:605 [ 390.7943051] vn_close() at netbsd:vn_close+0x4c sys/kern/vfs_vnops.c:493 [ 390.7943051] closef() at netbsd:closef+0x249 sys/kern/kern_descrip.c:861 [ 390.7943051] fd_free() at netbsd:fd_free+0x4e8 sys/kern/kern_descrip.c:1597 [ 390.7943051] exit1() at netbsd:exit1+0x3a7 sys/kern/kern_exit.c:302 [ 390.7943051] sigexit() at netbsd:sigexit+0x5ce sys/kern/kern_sig.c:2264 [ 390.7943051] postsig() at netbsd:postsig+0x9b8 sys/kern/kern_sig.c:2144 [ 390.7943051] lwp_userret() at netbsd:lwp_userret+0x645 sys/kern/kern_lwp.c:1730 [ 390.7943051] mi_userret() at netbsd:mi_userret+0x40d sys/sys/userret.h:59 [ 390.7943051] syscall() at netbsd:syscall+0x38b sys/arch/x86/x86/syscall.c:166 [ 390.7943051] --- syscall (number 0 via SYS_syscall) --- [ 390.7943051] netbsd:syscall+0x38b: [ 390.7943051] cpu1: End traceback... [ 390.7943051] fatal breakpoint trap in supervisor mode [ 390.7943051] trap type 1 code 0 rip 0xffffffff80235475 cs 0x8 rflags 0x246 cr2 0x71e465bc9000 ilevel 0x8 rsp 0xffffb9024943ed00 [ 390.7943051] curlwp 0xffffdf1ff49d48c0 pid 6835.6835 lowest kstack 0xffffb9024943b2c0 Stopped in pid 6835.6835 (getty) at netbsd:breakpoint+0x5: leave