[ 71.2173280] panic: kernel diagnostic assertion "lwpcnt >= 0" failed: file "/syzkaller/managers/ci2-netbsd-kmsan/kernel/sys/kern/kern_uidinfo.c", line 259 uid=60928 diff=-1 lwpcnt=-1 [ 71.2419362] cpu0: Begin traceback... [ 71.2673154] vpanic() at netbsd:vpanic+0xc9d [ 71.3272987] kern_assert() at netbsd:kern_assert+0x228 [ 71.3873041] chglwpcnt() at netbsd:chglwpcnt+0x22e sys/kern/kern_uidinfo.c:258 [ 71.4573002] lwp_free() at netbsd:lwp_free+0x3e9 [ 71.5173009] lwp_wait() at netbsd:lwp_wait+0x1366 sys/kern/kern_lwp.c:592 [ 71.5873285] exit_lwps() at netbsd:exit_lwps+0x642 sys/kern/kern_exit.c:651 [ 71.6473050] exit1() at netbsd:exit1+0x338 sys/kern/kern_exit.c:210 [ 71.6973259] sys_exit() at netbsd:sys_exit+0x1d6 [ 71.7573009] syscall() at netbsd:syscall+0x576 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 71.7573009] syscall() at netbsd:syscall+0x576 sys/arch/x86/x86/syscall.c:137 [ 71.7673038] --- syscall (number 1) --- [ 71.7873043] netbsd:syscall+0x576: [ 71.7873043] cpu0: End traceback... [ 71.7977641] fatal breakpoint trap in supervisor mode [ 71.7977641] trap type 1 code 0 rip 0xffffffff8023687d cs 0x8 rflags 0x282 cr2 0x750270c1e0d0 ilevel 0 rsp 0xffffb780c7a90700 [ 71.8136473] curlwp 0xffffb7801360b600 pid 4688.4688 lowest kstack 0xffffb780c7a892c0 Stopped in pid 4688.4688 (syz-executor3508) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 vpanic() at netbsd:vpanic+0xc9d kern_assert() at netbsd:kern_assert+0x228 chglwpcnt() at netbsd:chglwpcnt+0x22e sys/kern/kern_uidinfo.c:258 lwp_free() at netbsd:lwp_free+0x3e9 lwp_wait() at netbsd:lwp_wait+0x1366 sys/kern/kern_lwp.c:592 exit_lwps() at netbsd:exit_lwps+0x642 sys/kern/kern_exit.c:651 exit1() at netbsd:exit1+0x338 sys/kern/kern_exit.c:210 sys_exit() at netbsd:sys_exit+0x1d6 syscall() at netbsd:syscall+0x576 sy_invoke sys/sys/syscallvar.h:94 [inline] syscall() at netbsd:syscall+0x576 sys/arch/x86/x86/syscall.c:137 --- syscall (number 1) --- netbsd:syscall+0x576: Panic string: kernel diagnostic assertion "lwpcnt >= 0" failed: file "/syzkaller/managers/ci2-netbsd-kmsan/kernel/sys/kern/kern_uidinfo.c", line 259 uid=60928 diff=-1 lwpcnt=-1 PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 5560 5682 2 0 0 ffffb7801231ab00 syz-executor3508 5560 5560 2 1 10040000 ffffb7801354b580 syz-executor3508 5844 5853 2 0 0 ffffb780123b7100 syz-executor3508 5844 5971 2 0 0 ffffb78013610a80 syz-executor3508 5844 5844 2 1 10040000 ffffb78013610640 syz-executor3508 4688 5335 5 1 100100 ffffb7801354b140 syz-executor3508 4688 > 4688 7 0 10000000 ffffb7801360b600 syz-executor3508 5467 5467 2 0 0 ffffb7801360b1c0 syz-executor3508 5556 6080 2 0 0 ffffb780123b7980 syz-executor3508 5556 4939 2 0 0 ffffb780123b7540 syz-executor3508 5556 5556 2 1 10000000 ffffb7801354b9c0 syz-executor3508 4812 4812 2 0 10000000 ffffb7801360ba40 syz-executor3508 1109 1109 2 1 0 ffffb78012cd1940 syz-executor3508 1240 1240 2 0 140 ffffb78012cd1500 syz-executor3508 1113 1113 2 0 140 ffffb78012cd10c0 syz-executor3508 1073 1073 2 0 140 ffffb7801231a6c0 syz-executor3508 829 829 2 1 140 ffffb7801231a280 syz-executor3508 930 930 2 1 140 ffffb78012b818c0 syz-executor3508 449 449 3 0 180 ffffb78012c19900 syz-executor3508 nanoslp 1233 1233 2 0 0 ffffb78012c194c0 sshd 1222 1222 3 0 180 ffffb78012c19080 getty nanoslp 1226 1226 3 1 180 ffffb780123472c0 getty nanoslp 1225 1225 3 1 180 ffffb7801227fac0 getty nanoslp 1106 1106 3 0 180 ffffb780121e1200 getty ttyraw 814 814 3 0 180 ffffb7801252a300 sshd select 1096 1096 3 0 180 ffffb78012559bc0 powerd kqueue 810 810 3 0 180 ffffb78012b81480 syslogd kqueue 744 744 3 1 180 ffffb7801252ab80 dhcpcd poll 559 559 3 0 180 ffffb78012b81040 dhcpcd poll 745 745 3 0 180 ffffb78012347700 dhcpcd poll 620 620 3 0 180 ffffb78012559780 dhcpcd poll 487 487 3 0 180 ffffb78012559340 dhcpcd poll 292 292 3 0 180 ffffb78012347b40 dhcpcd poll 485 485 3 1 180 ffffb7801252a740 dhcpcd poll 1 1 3 0 180 ffffb78011ea1100 init wait 0 874 3 0 200 ffffb780121e1640 physiod physiod 0 195 3 0 200 ffffb7801227f680 pooldrain pooldrain 0 196 3 1 200 ffffb7801227f240 ioflush syncer 0 194 3 1 200 ffffb780121e1a80 pgdaemon pgdaemon 0 167 3 0 200 ffffb780121b1a40 usb7 usbevt 0 171 3 0 200 ffffb780121b1600 usb6 usbevt 0 169 3 0 200 ffffb780121b11c0 usb5 usbevt 0 168 3 0 200 ffffb78012125a00 usb4 usbevt 0 166 3 0 200 ffffb780121255c0 usb3 usbevt 0 165 3 0 200 ffffb78012125180 usb2 usbevt 0 31 3 0 200 ffffb780120759c0 usb1 usbevt 0 63 3 0 200 ffffb78012075580 usb0 usbevt 0 126 3 0 200 ffffb78012075140 usbtask-dr usbtsk 0 125 3 1 200 ffffb78011ea1980 usbtask-hc usbtsk 0 124 3 0 200 ffffb780103d3b00 swwreboot swwreboot 0 123 3 0 200 ffffb78011ea1540 npfgc0 npfgcw 0 122 3 0 200 ffffb78011e95940 rt_free rt_free 0 121 3 0 200 ffffb78011e95500 unpgc unpgc 0 120 2 0 200 ffffb78011e950c0 key_timehandler 0 119 3 1 200 ffffb78011e8f900 icmp6_wqinput/1 icmp6_wqinput 0 118 3 0 200 ffffb78011e8f4c0 icmp6_wqinput/0 icmp6_wqinput 0 117 2 0 200 ffffb78011e8f080 nd6_timer 0 116 3 1 200 ffffb78011ccd8c0 carp6_wqinput/1 carp6_wqinput 0 115 3 0 200 ffffb78011ccd480 carp6_wqinput/0 carp6_wqinput 0 114 3 1 200 ffffb78011ccd040 carp_wqinput/1 carp_wqinput 0 113 3 0 200 ffffb78011cc9b80 carp_wqinput/0 carp_wqinput 0 112 3 1 200 ffffb78011cc9740 icmp_wqinput/1 icmp_wqinput 0 111 3 0 200 ffffb78011cccbc0 icmp_wqinput/0 icmp_wqinput 0 110 2 0 200 ffffb78011ccc780 rt_timer 0 109 2 0 200 ffffb78011ccc340 vmem_rehash 0 100 2 0 240 ffffb78011cc9300 entbutler 0 99 3 1 200 ffffb780117c0b40 viomb balloon 0 98 3 1 200 ffffb780117c0700 vioif0_txrx/1 vioif0_txrx 0 97 3 0 200 ffffb780117c02c0 vioif0_txrx/0 vioif0_txrx 0 30 3 0 200 ffffb780103d36c0 scsibus0 sccomp 0 29 3 0 200 ffffb780103d3280 pms0 pmsreset 0 28 3 1 200 ffffb780103baac0 xcall/1 xcall 0 27 1 1 200 ffffb780103ba680 softser/1 0 26 1 1 200 ffffb780103ba240 softclk/1 0 25 1 1 200 ffffb780103b7a80 softbio/1 0 24 1 1 200 ffffb780103b7640 softnet/1 0 23 1 1 201 ffffb780103b7200 idle/1 0 22 3 0 200 ffffb7800f1d2a40 lnxsyswq lnxsyswq 0 21 3 0 200 ffffb7800f1d2600 lnxubdwq lnxubdwq 0 20 3 0 200 ffffb7800f1d21c0 lnxpwrwq lnxpwrwq 0 19 3 0 200 ffffb7800f1d1a00 lnxlngwq lnxlngwq 0 18 3 0 200 ffffb7800f1d15c0 lnxhipwq lnxhipwq 0 17 3 0 200 ffffb7800f1d1180 lnxrcugc lnxrcugc 0 16 3 0 200 ffffb7800f1ca9c0 sysmon smtaskq 0 15 3 0 200 ffffb7800f1ca580 pmfsuspend pmfsuspend 0 14 3 0 200 ffffb7800f1ca140 pmfevent pmfevent 0 13 3 0 200 ffffb7800f1c8980 sopendfree sopendfr 0 12 3 1 200 ffffb7800f1c8540 ifwdog ifwdog 0 11 3 0 200 ffffb7800f1c8100 iflnkst iflnkst 0 10 3 0 200 ffffb7800f1be940 nfssilly nfssilly 0 9 3 0 200 ffffb7800f1be500 pooldisp pooldisp 0 8 3 0 200 ffffb7800f1be0c0 modunload mod_unld 0 7 3 0 200 ffffb7800ebc9900 xcall/0 xcall 0 6 1 0 200 ffffb7800ebc94c0 softser/0 0 5 1 0 200 ffffb7800ebc9080 softclk/0 0 4 1 0 200 ffffb7800ebc88c0 softbio/0 0 3 1 0 200 ffffb7800ebc8480 softnet/0 0 2 1 0 201 ffffb7800ebc8040 idle/0 0 > 0 7 1 240 ffffffff86a6f8c0 swapper [Locks tracked through LWPs] ****** LWP 5844.5844 (syz-executor3508) @ 0xffffb78013610640, l_stat=2 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at netbsd:amap_ctor+0xdf sys/uvm/uvm_amap.c:265) lock address : ffffb780133cfa00 type : sleep/adaptive initialized : netbsd:amap_ctor+0xdf shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 1 relevant cpu : 1 last held: 1 relevant lwp : 0xffffb78013610640 last held: 0xffffb78012cd1940 last locked* : netbsd:uvm_fault_internal+0x1d08 unlocked : netbsd:uvm_fault_upper_enter+0x12e9 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. ****** LWP 4688.4688 (syz-executor3508) @ 0xffffb7801360b600, l_stat=7 *** Locks held: * Lock 0 (initialized at netbsd:fork1+0xa35 sys/kern/kern_fork.c:377) lock address : ffffb780103b6500 type : sleep/adaptive initialized : netbsd:fork1+0xa35 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffb7801360b600 last held: 0xffffb7801360b600 last locked* : netbsd:cv_timedwait+0x1aa unlocked : netbsd:lwp_exit+0x1dd5 owner field : 0xffffb7801360b600 wait/spin: 0/0 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 5556.5556 (syz-executor3508) @ 0xffffb7801354b9c0, l_stat=2 *** Locks held: * Lock 0 (initialized at netbsd:uvmspace_fork+0x3d8 uvm_map_setup sys/uvm/uvm_map.c:4786 [inline]) * Lock 0 (initialized at netbsd:uvmspace_fork+0x3d8 uvmspace_init sys/uvm/uvm_map.c:4129 [inline]) * Lock 0 (initialized at netbsd:uvmspace_fork+0x3d8 uvmspace_alloc sys/uvm/uvm_map.c:4108 [inline]) * Lock 0 (initialized at netbsd:uvmspace_fork+0x3d8 sys/uvm/uvm_map.c:4585) lock address : ffffb78013548208 type : sleep/adaptive initialized : netbsd:uvmspace_fork+0x3d8 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffb7801354b9c0 last held: 0xffffb7801354b9c0 last locked* : netbsd:vm_map_lock+0x57 unlocked : netbsd:uvm_fault_internal+0x667e owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 1109.1109 (syz-executor3508) @ 0xffffb78012cd1940, l_stat=2 *** Locks held: * Lock 0 (initialized at netbsd:amap_ctor+0xdf sys/uvm/uvm_amap.c:265) lock address : ffffb780133cfa00 type : sleep/adaptive initialized : netbsd:amap_ctor+0xdf shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 1 relevant cpu : 1 last held: 1 relevant lwp : 0xffffb78012cd1940 last held: 0xffffb78012cd1940 last locked* : netbsd:uvm_fault_internal+0x1d08 unlocked : netbsd:uvm_fault_upper_enter+0x12e9 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at netbsd:pmap_ctor+0xc0 sys/arch/x86/x86/pmap.c:2872) lock address : ffffb78012c24a80 type : sleep/adaptive initialized : netbsd:pmap_ctor+0xc0 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffb78012cd1940 last held: 0xffffb78012cd1940 last locked* : netbsd:pmap_extract+0x130 unlocked : netbsd:pmap_extract+0x72d owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 559.559 (dhcpcd) @ 0xffffb78012b81040, l_stat=3 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at netbsd:module_hook_init+0x43 sys/kern/kern_module_hook.c:132) lock address : netbsd:module_hook type : sleep/adaptive initialized : netbsd:module_hook_init+0x43 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffb78012b81040 last held: 000000000000000000 last locked : 0 unlocked* : 0 owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. ****** LWP 745.745 (dhcpcd) @ 0xffffb78012347700, l_stat=3 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at netbsd:module_hook_init+0x43 sys/kern/kern_module_hook.c:132) lock address : netbsd:module_hook type : sleep/adaptive initialized : netbsd:module_hook_init+0x43 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffb78012347700 last held: 000000000000000000 last locked : 0 unlocked* : 0 owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. ****** LWP 292.292 (dhcpcd) @ 0xffffb78012347b40, l_stat=3 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at netbsd:module_hook_init+0x43 sys/kern/kern_module_hook.c:132) lock address : netbsd:module_hook type : sleep/adaptive initialized : netbsd:module_hook_init+0x43 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffb78012347b40 last held: 000000000000000000 last locked : 0 unlocked* : 0 owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. ****** LWP 485.485 (dhcpcd) @ 0xffffb7801252a740, l_stat=3 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at netbsd:module_hook_init+0x43 sys/kern/kern_module_hook.c:132) lock address : netbsd:module_hook type : sleep/adaptive initialized : netbsd:module_hook_init+0x43 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 0 relevant lwp : 0xffffb7801252a740 last held: 000000000000000000 last locked : 0 unlocked* : 0 owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. ****** LWP 0.11 (iflnkst) @ 0xffffb7800f1c8100, l_stat=3 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at netbsd:module_hook_init+0x43 sys/kern/kern_module_hook.c:132) lock address : netbsd:module_hook type : sleep/adaptive initialized : netbsd:module_hook_init+0x43 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffb7800f1c8100 last held: 000000000000000000 last locked : 0 unlocked* : 0 owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. ****** LWP 0.5 (softclk/0) @ 0xffffb7800ebc9080, l_stat=1 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at netbsd:module_hook_init+0x43 sys/kern/kern_module_hook.c:132) lock address : netbsd:module_hook type : sleep/adaptive initialized : netbsd:module_hook_init+0x43 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffb7800ebc9080 last held: 000000000000000000 last locked : 0 unlocked* : 0 owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. ****** LWP 0.0 (swapper) @ 0xffffffff86a6f8c0, l_stat=7 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at netbsd:module_hook_init+0x43 sys/kern/kern_module_hook.c:132) l