[ 284.6807326] panic: kernel diagnostic assertion "pmap->pm_ncsw == curlwp->l_ncsw" failed: file "/syzkaller/managers/netbsd/kernel/sys/arch/x86/x86/pmap.c", line 700 [ 284.7001214] cpu0: Begin traceback... [ 284.7140976] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 284.7586240] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 284.8031469] pmap_unmap_ptes() at netbsd:pmap_unmap_ptes+0x1c7 sys/arch/x86/x86/pmap.c:700 [ 284.8365370] pmap_remove() at netbsd:pmap_remove+0x491 sys/arch/x86/x86/pmap.c:3635 [ 284.8810609] uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 [ 284.9144483] uvm_unmap1() at netbsd:uvm_unmap1+0xd0 sys/uvm/uvm_map.c:4766 [ 284.9589730] lwp_ctl_exit() at netbsd:lwp_ctl_exit+0x15a sys/kern/kern_lwp.c:1966 [ 284.9923640] exit1() at netbsd:exit1+0x26f sys/kern/kern_exit.c:272 [ 285.0146239] sys_exit() at netbsd:sys_exit+0x77 sys/kern/kern_exit.c:179 [ 285.0591486] syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] [ 285.0591486] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 285.0591486] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 [ 285.0702807] --- syscall (number 1) --- [ 285.0925401] 788f7ab99a6a: [ 285.1046821] cpu0: End traceback... [ 285.1046821] fatal breakpoint trap in supervisor mode [ 285.1046821] trap type 1 code 0 rip 0xffffffff8021ccb5 cs 0x8 rflags 0x246 cr2 0x72cca8853800 ilevel 0 rsp 0xffffb4817aeab6a0 [ 285.1266586] curlwp 0xffffb4801306c2e0 pid 628.1 lowest kstack 0xffffb4817aea42c0 Stopped in pid 628.1 (syz-executor.1) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure pmap_unmap_ptes() at netbsd:pmap_unmap_ptes+0x1c7 sys/arch/x86/x86/pmap.c:700 pmap_remove() at netbsd:pmap_remove+0x491 sys/arch/x86/x86/pmap.c:3635 uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 uvm_unmap1() at netbsd:uvm_unmap1+0xd0 sys/uvm/uvm_map.c:4766 lwp_ctl_exit() at netbsd:lwp_ctl_exit+0x15a sys/kern/kern_lwp.c:1966 exit1() at netbsd:exit1+0x26f sys/kern/kern_exit.c:272 sys_exit() at netbsd:sys_exit+0x77 sys/kern/kern_exit.c:179 syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 --- syscall (number 1) --- 788f7ab99a6a: ds 5d0 es 26b8 fs b680 gs b6d0 rdi ffffb4800cb1a458 rsi ffffb4801306c5c8 rbp ffffb4817aeab6a0 rbx ffffffff82810340 cpu_info_primary rdx 2 rcx ffffffff80d00841 db_panic+0xd5 rax 0 r8 4 r9 1ffffffff0553818 r10 ffffffff82a9c0c3 db_onpanic+0x3 r11 0 r12 ffffb4816ca92000 r13 ffffffff81c22540 platform_private_nodes+0x140 r14 ffffb4817aeab730 r15 ffffb4816ca80060 rip ffffffff8021ccb5 breakpoint+0x5 cs 8 rflags 246 rsp ffffb4817aeab6a0 ss 0 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 591 1 3 1 80 ffffb48011461540 halt nanoslp 105 4 2 0 1000000 ffffb480114280c0 syz-executor.2 628 > 1 7 0 11000000 ffffb4801306c2e0 syz-executor.1 526 12 2 0 1000000 ffffb48012d7d680 syz-fuzzer 526 11 3 1 80 ffffb48012d7d240 syz-fuzzer parked 526 10 3 1 80 ffffb48012d4caa0 syz-fuzzer parked 526 9 2 0 0 ffffb480110d39e0 syz-fuzzer 526 8 3 1 80 ffffb48012d4c660 syz-fuzzer parked 526 7 3 1 80 ffffb48012715a80 syz-fuzzer parked 526 6 3 0 80 ffffb48012715640 syz-fuzzer parked 526 5 3 0 80 ffffb48011f34740 syz-fuzzer parked 526 4 2 0 0 ffffb48011f34300 syz-fuzzer 526 3 3 1 80 ffffb4801201b5c0 syz-fuzzer parked 526 2 2 0 0 ffffb4801201b180 syz-fuzzer 526 1 3 0 80 ffffb480120109e0 syz-fuzzer parked 453 1 2 0 0 ffffb48011f53760 sshd 280 1 2 0 0 ffffb48011f53ba0 syslogd 268 1 2 0 0 ffffb480114ed1e0 dhcpcd 220 1 3 1 4 ffffb480113f68e0 dhcpcd xclocv 1 1 2 0 0 ffffb480111fa240 init 0 58 3 0 204 ffffb480111faac0 physiod physiod 0 57 3 0 204 ffffb48011243280 aiodoned aiodoned 0 56 2 0 200 ffffb48011242ae0 ioflush 0 55 3 0 204 ffffb480112426a0 pooldrain pooldrain 0 54 3 0 200 ffffb48011242260 pgdaemon pgdaemon 0 51 3 1 200 ffffb480111fa680 npfgc-0 npfgccv 0 50 3 0 204 ffffb480111ecaa0 rt_free rt_free 0 49 3 0 204 ffffb480111ec660 unpgc unpgc 0 48 3 1 204 ffffb480111ec220 key_timehandler key_timehandler 0 47 3 1 204 ffffb480111e4a80 icmp6_wqinput/1 icmp6_wqinput 0 46 3 0 204 ffffb480111e4640 icmp6_wqinput/0 icmp6_wqinput 0 45 3 0 204 ffffb480111e4200 nd6_timer nd6_timer 0 44 3 1 204 ffffb480110fba60 carp6_wqinput/1 carp6_wqinput 0 43 3 0 204 ffffb480110fb620 carp6_wqinput/0 carp6_wqinput 0 42 3 1 204 ffffb480110fb1e0 carp_wqinput/1 carp_wqinput 0 41 3 0 204 ffffb480110e9a40 carp_wqinput/0 carp_wqinput 0 40 3 1 204 ffffb480110e9600 icmp_wqinput/1 icmp_wqinput 0 39 3 0 204 ffffb480110e91c0 icmp_wqinput/0 icmp_wqinput 0 38 3 1 204 ffffb480110d7a20 rt_timer rt_timer 0 37 3 1 204 ffffb480110d4180 vmem_rehash vmem_rehash 0 27 3 0 204 ffffb4800e9b9580 scsibus0 sccomp 0 26 3 0 200 ffffb4800e9b9140 pms0 pmsreset 0 25 3 1 204 ffffb4800e92b9a0 xcall/1 xcall 0 24 1 1 200 ffffb4800e92b560 softser/1 0 23 1 1 200 ffffb4800e92b120 softclk/1 0 22 1 1 200 ffffb4800e927980 softbio/1 0 21 1 1 200 ffffb4800e927540 softnet/1 0 20 1 1 201 ffffb4800e927100 idle/1 0 19 3 1 204 ffffb4800e85d960 lnxpwrwq lnxpwrwq 0 18 3 0 204 ffffb4800e85d520 lnxlngwq lnxlngwq 0 17 3 0 204 ffffb4800e85d0e0 lnxsyswq lnxsyswq 0 16 3 0 204 ffffb4800d042940 lnxrcugc lnxrcugc 0 15 3 0 204 ffffb4800d042500 sysmon smtaskq 0 14 3 0 204 ffffb4800d0420c0 pmfsuspend pmfsuspend 0 13 3 0 204 ffffb4800d033920 pmfevent pmfevent 0 12 3 0 204 ffffb4800d0334e0 sopendfree sopendfr 0 11 3 1 204 ffffb4800d0330a0 nfssilly nfssilly 0 10 3 1 200 ffffb4800d027900 cachegc cachegc 0 9 3 1 204 ffffb4800d0274c0 vdrain vdrain 0 8 3 0 200 ffffb4800d027080 modunload mod_unld 0 7 2 0 200 ffffb4800d0188e0 xcall/0 0 6 1 0 200 ffffb4800d0184a0 softser/0 0 5 1 0 200 ffffb4800d018060 softclk/0 0 4 1 0 200 ffffb4800d0148c0 softbio/0 0 3 1 0 200 ffffb4800d014480 softnet/0 0 2 1 0 201 ffffb4800d014040 idle/0 0 > 1 7 1 200 ffffffff82b62fa0 swapper [Locks tracked through LWPs] Locks held by an LWP (syz-executor.2): Lock 0 (initialized at fork1) lock address : 0xffffb480130b33e8 type : sleep/adaptive initialized : 0xffffffff8114750c shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffb4801306c2e0 last held: 0xffffb480114280c0 last locked* : 0xffffffff81143bfd unlocked : 000000000000000000 owner/count : 0xffffb480114280c0 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d839f8 with mutex 0xffffb4800d00b5c0. => No active turnstile for this lock. Lock 1 (initialized at vcache_alloc) lock address : 0xffffb48012d53bc0 type : sleep/adaptive initialized : 0xffffffff812ad172 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffb4801306c2e0 last held: 0xffffb480114280c0 last locked* : 0xffffffff812da828 unlocked : 0xffffffff812da79d owner/count : 0xffffb480114280c0 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d83af8 with mutex 0xffffb4800d00bdc0. => No active turnstile for this lock. Locks held by an LWP (syz-executor.1): Lock 0 (initialized at uvm_map_setup) lock address : 0xffffb48012703e98 type : sleep/adaptive initialized : 0xffffffff810e792d shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffb4801306c2e0 last held: 0xffffb4801306c2e0 last locked* : 0xffffffff810e17d4 unlocked : 0xffffffff810d42d7 owner/count : 0xffffb4801306c2e0 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d83b50 with mutex 0xffffb4800d00c0c0. => No active turnstile for this lock. Lock 1 (initialized at uvm_obj_init) lock address : 0xffffb48012ae3180 type : sleep/adaptive initialized : 0xffffffff810f33bc shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffb4801306c2e0 last held: 0xffffb4801306c2e0 last locked* : 0xffffffff810e7c10 unlocked : 0xffffffff810e7c8f owner field : 0xffffb4801306c2e0 wait/spin: 0/0 Turnstile chain at 0xffffffff82d839b0 with mutex 0xffffb4800d00b380. => No active turnstile for this lock. Lock 2 (initialized at pmap_create) lock address : 0xffffb48013066180 type : sleep/adaptive initialized : 0xffffffff80272166 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffb4801306c2e0 last held: 0xffffb4801306c2e0 last locked* : 0xffffffff80274a67 unlocked : 0xffffffff80274b88 owner field : 0xffffb4801306c2e0 wait/spin: 0/0 Turnstile chain at 0xffffffff82d837b0 with mutex 0xffffb4800cb2f340. => No active turnstile for this lock. Locks held by an LWP (sshd): Lock 0 (initialized at filedesc_ctor) lock address : 0xffffb48012033400 type : sleep/adaptive initialized : 0xffffffff8112d4a4 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffb4801306c2e0 last held: 0xffffb48011f53760 last locked* : 0xffffffff8112f93f unlocked : 0xffffffff8112ee2e owner field : 0xffffb48011f53760 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83a00 with mutex 0xffffb4800d00b600. => No active turnstile for this lock. Locks held by an LWP (syslogd): Lock 0 (initialized at uvm_obj_init) lock address : 0xffffb480125721c0 type : sleep/adaptive initialized : 0xffffffff810f33bc shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffb4801306c2e0 last held: 0xffffb48011f53ba0 last locked* : 0xffffffff810d79ce unlocked : 0xffffffff810d4872 owner field : 0xffffb48011f53ba0 wait/spin: 0/0 Turnstile chain at 0xffffffff82d837b8 with mutex 0xffffb4800cb2f380. => No active turnstile for this lock. Locks held by an LWP (dhcpcd): Lock 0 (initialized at amap_alloc) lock address : 0xffffb4801146c880 type : sleep/adaptive initialized : 0xffffffff810c6fb1 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffb4801306c2e0 last held: 0xffffb480114ed1e0 last locked* : 0xffffffff810d65a5 unlocked : 0xffffffff810d42b8 owner field : 0xffffb480114ed1e0 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83890 with mutex 0xffffb4800cb2fa40. => No active turnstile for this lock. Locks held by an LWP (dhcpcd): Lock 0 (initialized at do_posix_spawn) lock address : 0xffffb480113c03d0 type : sleep/adaptive initialized : 0xffffffff8113d91c shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 1 current lwp : 0xffffb4801306c2e0 last held: 0xffffb480113f68e0 last locked* : 0xffffffff8113d924 unlocked : 000000000000000000 [ 285.1266586] Skipping crash dump on recursive panic [ 285.1266586] panic: ASan: Unauthorized Access In 0xffffffff8115fa0e: Addr 0xffffb480113c03d0 [8 bytes, read, PoolUseAfterFree] [ 285.1266586] cpu0: Begin traceback... [ 285.1266586] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 285.1266586] snprintf() at netbsd:snprintf [ 285.1266586] kasan_report() at netbsd:kasan_report+0x8f kasan_code_name sys/kern/subr_asan.c:172 [inline] [ 285.1266586] kasan_report() at netbsd:kasan_report+0x8f sys/kern/subr_asan.c:194 [ 285.1266586] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:344 [inline] [ 285.1266586] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:358 [inline] [ 285.1266586] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:410 [inline] [ 285.1266586] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1180 [ 285.1266586] mutex_dump() at netbsd:mutex_dump+0x1e sys/kern/kern_mutex.c:316 [ 285.1266586] lockdebug_dump() at netbsd:lockdebug_dump+0x281 sys/kern/subr_lockdebug.c:777 [ 285.1266586] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb9 sys/kern/subr_lockdebug.c:855 [ 285.1266586] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:886 [inline] [ 285.1266586] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f sys/kern/subr_lockdebug.c:933 [ 285.1266586] db_command() at netbsd:db_command+0x2c0 sys/ddb/db_command.c:935 [ 285.1266586] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:432 [inline] [ 285.1266586] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:582 [ 285.1266586] db_trap() at netbsd:db_trap+0x219 sys/ddb/db_trap.c:94 [ 285.1266586] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:246 [ 285.1266586] trap() at netbsd:trap+0x650 sys/arch/amd64/amd64/trap.c:313 [ 285.1266586] --- trap (number 1) --- [ 285.1266586] breakpoint() at netbsd:breakpoint+0x5 [ 285.1266586] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 [ 285.1266586] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 285.1266586] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 285.1266586] pmap_unmap_ptes() at netbsd:pmap_unmap_ptes+0x1c7 sys/arch/x86/x86/pmap.c:700 [ 285.1266586] pmap_remove() at netbsd:pmap_remove+0x491 sys/arch/x86/x86/pmap.c:3635 [ 285.1266586] uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 [ 285.1266586] uvm_unmap1() at netbsd:uvm_unmap1+0xd0 sys/uvm/uvm_map.c:4766 [ 285.1266586] lwp_ctl_exit() at netbsd:lwp_ctl_exit+0x15a sys/kern/kern_lwp.c:1966 [ 285.1266586] exit1() at netbsd:exit1+0x26f sys/kern/kern_exit.c:272 [ 285.1266586] sys_exit() at netbsd:sys_exit+0x77 sys/kern/kern_exit.c:179 [ 285.1266586] syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] [ 285.1266586] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 285.1266586] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 [ 285.1266586] --- syscall (number 1) --- [ 285.1266586] 788f7ab99a6a: [ 285.1266586] cpu0: End traceback... [ 285.1266586] fatal breakpoint trap in supervisor mode [ 285.1266586] trap type 1 code 0 rip 0xffffffff8021ccb5 cs 0x8 rflags 0x246 cr2 0x72cca8853800 ilevel 0x8 rsp 0xffffb4817aeaac60 [ 285.1266586] curlwp 0xffffb4801306c2e0 pid 628.1 lowest kstack 0xffffb4817aea42c0 Stopped in pid 628.1 (syz-executor.1) at netbsd:breakpoint+0x5: leave