[ 69.2521257] panic: kernel diagnostic assertion "(cnp->cn_flags & LOCKPARENT) == 0 || searchdir == NULL || VOP_ISLOCKED(searchdir) == LK_EXCLUSIVE" failed: file "/syzkaller/managers/netbsd/kernel/sys/kern/vfs_lookup.c", line 1758 [ 69.2787431] cpu0: Begin traceback... [ 69.2830446] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 [ 69.3121140] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 69.3421107] namei_tryemulroot() at netbsd:namei_tryemulroot+0x14f8 namei_oneroot sys/kern/vfs_lookup.c:1760 [inline] [ 69.3421107] namei_tryemulroot() at netbsd:namei_tryemulroot+0x14f8 sys/kern/vfs_lookup.c:1909 [ 69.3721108] namei() at netbsd:namei+0x6a sys/kern/vfs_lookup.c:1945 [ 69.4021120] compat_43_sys_lstat() at netbsd:compat_43_sys_lstat+0x194 sys/compat/common/vfs_syscalls_43.c:198 [ 69.4221131] sys___syscall() at netbsd:sys___syscall+0xde sy_call sys/sys/syscallvar.h:65 [inline] [ 69.4221131] sys___syscall() at netbsd:sys___syscall+0xde sys/kern/sys_syscall.c:77 [ 69.4521148] syscall() at netbsd:syscall+0x553 sy_call sys/sys/syscallvar.h:65 [inline] [ 69.4521148] syscall() at netbsd:syscall+0x553 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 69.4521148] syscall() at netbsd:syscall+0x553 sys/arch/x86/x86/syscall.c:138 [ 69.4623384] --- syscall (number 198) --- [ 69.4738771] netbsd:syscall+0x553: [ 69.4831938] cpu0: End traceback... [ 69.4831938] fatal breakpoint trap in supervisor mode [ 69.4923728] trap type 1 code 0 rip 0xffffffff80220a2d cs 0x8 rflags 0x286 cr2 0x796c91800000 ilevel 0 rsp 0xffffa9019366f530 [ 69.5035605] curlwp 0xffffa90012d7b680 pid 2275.2146 lowest kstack 0xffffa901936682c0 Stopped in pid 2275.2146 (syz-executor.2) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure namei_tryemulroot() at netbsd:namei_tryemulroot+0x14f8 namei_oneroot sys/kern/vfs_lookup.c:1760 [inline] namei_tryemulroot() at netbsd:namei_tryemulroot+0x14f8 sys/kern/vfs_lookup.c:1909 namei() at netbsd:namei+0x6a sys/kern/vfs_lookup.c:1945 compat_43_sys_lstat() at netbsd:compat_43_sys_lstat+0x194 sys/compat/common/vfs_syscalls_43.c:198 sys___syscall() at netbsd:sys___syscall+0xde sy_call sys/sys/syscallvar.h:65 [inline] sys___syscall() at netbsd:sys___syscall+0xde sys/kern/sys_syscall.c:77 syscall() at netbsd:syscall+0x553 sy_call sys/sys/syscallvar.h:65 [inline] syscall() at netbsd:syscall+0x553 sy_invoke sys/sys/syscallvar.h:94 [inline] syscall() at netbsd:syscall+0x553 sys/arch/x86/x86/syscall.c:138 --- syscall (number 198) --- netbsd:syscall+0x553: ds f5d0 es 2b00 fs f510 gs f560 rdi ffffffff82bd6c40 db_onpanic rsi 1ffffffff057ad88 rbp ffffa9019366f530 rbx ffffffff829b4f80 cpu_info_primary rdx ffffa90189190000 rcx ffffffff812645e9 db_panic+0xd5 rax 3ffff r8 4 r9 1ffffffff057ad88 r10 ffffffff82bd6c43 db_onpanic+0x3 r11 10 r12 ffffa9016e6aa000 r13 ffffffff823453e0 vfs_special_vnodeopv_descs+0x760 r14 ffffa9019366f5c0 r15 ffffa9016e699060 rip ffffffff80220a2d breakpoint+0x5 cs 8 rflags 286 rsp ffffa9019366f530 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 2275 >2146 7 0 100000 ffffa90012d7b680 syz-executor.2 2275 2081 2 0 100000 ffffa90012d08480 syz-executor.2 2275 2275 3 1 10040000 ffffa90012d30100 syz-executor.2 xclocv 1853 1856 3 0 80 ffffa900137bd0c0 syz-executor.0 parked 1853 1720 3 0 80 ffffa90012de9780 syz-executor.0 parked 1853 1853 2 0 10040000 ffffa90012d5da40 syz-executor.0 1094 1987 2 0 100000 ffffa900145244c0 syz-executor.5 1094 1715 2 0 100000 ffffa900138e8b80 syz-executor.5 1094 1094 2 0 10040040 ffffa90012c445c0 syz-executor.5 1609 1609 3 0 80 ffffa90012772b80 syz-executor.5 parked 1491 1491 3 0 80 ffffa900138e8300 syz-executor.0 parked 1205 1205 3 0 80 ffffa900138601c0 syz-executor.0 parked 1099 1099 2 1 40 ffffa90014372640 syz-executor.4 1151 1151 2 0 40 ffffa90014372200 syz-executor.5 1095 1095 3 1 c0 ffffa90014316a40 syz-executor.3 pipe_rd 419 419 2 1 40 ffffa90014316600 syz-executor.2 1084 1084 2 0 40 ffffa900143161c0 syz-executor.1 1083 1083 2 1 40 ffffa900141c4a00 syz-executor.0 1067 1124 3 0 80 ffffa900141c45c0 syz-fuzzer parked 1067 1081 3 0 80 ffffa90012bdf940 syz-fuzzer parked 1067 1082 3 1 c0 ffffa900141c4180 syz-fuzzer parked 1067 1079 3 1 80 ffffa90013870640 syz-fuzzer parked 1067 1068 3 1 80 ffffa90013870200 syz-fuzzer parked 1067 973 3 1 80 ffffa900141059c0 syz-fuzzer parked 1067 1074 2 0 0 ffffa90012d3e9c0 syz-fuzzer 1067 1066 3 1 80 ffffa90013860a40 syz-fuzzer parked 1067 1067 3 1 80 ffffa90012bc54c0 syz-fuzzer parked 1070 1070 3 1 80 ffffa90012bc5080 sshd select 1119 1119 3 0 80 ffffa90012770b40 getty nanoslp 1096 1096 3 1 80 ffffa900127702c0 getty nanoslp 1089 1089 3 0 80 ffffa90013937540 getty nanoslp 945 945 3 0 c0 ffffa90012a3eb00 getty ttyraw 976 976 3 1 80 ffffa9001384f180 sshd select 815 815 3 0 80 ffffa90012d8ab00 powerd kqueue 734 734 3 1 80 ffffa900138f0340 syslogd kqueue 597 597 3 0 80 ffffa90012c82ac0 dhcpcd kqueue 593 593 3 0 80 ffffa90012d124c0 dhcpcd kqueue 591 591 3 1 80 ffffa90012c72a80 dhcpcd kqueue 578 578 3 1 80 ffffa90012cdc300 dhcpcd kqueue 480 480 3 1 80 ffffa900137bd500 dhcpcd kqueue 348 348 3 1 80 ffffa90012e0f8c0 dhcpcd kqueue 347 347 3 0 80 ffffa90012e0f480 dhcpcd kqueue 346 346 3 0 80 ffffa90012e0f040 dhcpcd kqueue 1 1 3 0 80 ffffa900128d6980 init wait 0 820 3 0 200 ffffa900129f7a80 physiod physiod 0 162 3 0 200 ffffa90012a0dac0 pooldrain pooldrain 0 > 167 7 1 240 ffffa90012a0d680 ioflush 0 165 3 1 240 ffffa90012a0d240 pgdaemon pgdaemon 0 160 3 0 200 ffffa900129f7200 usb7 usbevt 0 31 3 0 200 ffffa900129aea40 usb6 usbevt 0 63 3 0 200 ffffa900129ae600 usb5 usbevt 0 126 3 0 200 ffffa900129ae1c0 usb4 usbevt 0 125 3 0 200 ffffa9001295aa00 usb3 usbevt 0 124 3 0 200 ffffa9001295a5c0 usb2 usbevt 0 123 3 0 200 ffffa9001295a180 usb1 usbevt 0 122 3 1 200 ffffa900128ea9c0 usb0 usbevt 0 121 3 1 200 ffffa900128ea580 usbtask-dr usbtsk 0 120 3 0 200 ffffa9000fe47ac0 usbtask-hc usbtsk 0 119 3 1 200 ffffa900128ea140 npfgc0 npfgcw 0 118 3 1 200 ffffa900128d6540 rt_free rt_free 0 117 3 1 200 ffffa900128d6100 unpgc unpgc 0 116 2 0 200 ffffa900127a6940 key_timehandler 0 115 3 1 200 ffffa900127a6500 icmp6_wqinput/1 icmp6_wqinput 0 114 3 0 200 ffffa900127a60c0 icmp6_wqinput/0 icmp6_wqinput 0 113 3 1 200 ffffa9001279c900 nd6_timer nd6_timer 0 112 3 1 200 ffffa9001279c4c0 carp6_wqinput/1 carp6_wqinput 0 111 3 0 200 ffffa9001279c080 carp6_wqinput/0 carp6_wqinput 0 110 3 1 200 ffffa900127878c0 carp_wqinput/1 carp_wqinput 0 109 3 0 200 ffffa90012787480 carp_wqinput/0 carp_wqinput 0 108 3 1 200 ffffa90012787040 icmp_wqinput/1 icmp_wqinput 0 107 3 0 200 ffffa90012776bc0 icmp_wqinput/0 icmp_wqinput 0 106 3 1 200 ffffa90012776780 rt_timer rt_timer 0 105 3 1 200 ffffa90012776340 vmem_rehash vmem_rehash 0 104 2 0 240 ffffa90012772740 entbutler 0 30 3 1 200 ffffa9001214d6c0 vioif0_txrx/1 vioif0_txrx 0 29 3 0 200 ffffa9001214d280 vioif0_txrx/0 vioif0_txrx 0 27 3 0 200 ffffa9000fe47680 scsibus0 sccomp 0 26 3 0 200 ffffa9000fe47240 pms0 pmsreset 0 25 3 1 200 ffffa9000fd9aa80 xcall/1 xcall 0 24 1 1 200 ffffa9000fd9a640 softser/1 0 23 1 1 200 ffffa9000fd9a200 softclk/1 0 22 1 1 200 ffffa9000fd98a40 softbio/1 0 21 1 1 200 ffffa9000fd98600 softnet/1 0 20 1 1 201 ffffa9000fd981c0 idle/1 0 19 3 0 200 ffffa9000e809a00 lnxpwrwq lnxpwrwq 0 18 3 0 200 ffffa9000e8095c0 lnxlngwq lnxlngwq 0 17 3 0 200 ffffa9000e809180 lnxsyswq lnxsyswq 0 16 3 0 200 ffffa9000e8039c0 lnxrcugc lnxrcugc 0 15 3 0 200 ffffa9000e803580 sysmon smtaskq 0 14 3 0 200 ffffa9000e803140 pmfsuspend pmfsuspend 0 13 3 0 200 ffffa9000e7fe980 pmfevent pmfevent 0 12 3 0 200 ffffa9000e7fe540 sopendfree sopendfr 0 11 3 0 200 ffffa9000e7fe100 iflnkst iflnkst 0 10 3 0 200 ffffa9000e7f3940 nfssilly nfssilly 0 9 3 0 200 ffffa9000e7f3500 vdrain vdrain 0 8 3 0 200 ffffa9000e7f30c0 modunload mod_unld 0 7 2 0 200 ffffa9000e7e6900 xcall/0 0 6 1 0 200 ffffa9000e7e64c0 softser/0 0 5 1 0 200 ffffa9000e7e6080 softclk/0 0 4 1 0 200 ffffa9000e7e48c0 softbio/0 0 3 1 0 200 ffffa9000e7e4480 softnet/0 0 2 1 0 201 ffffa9000e7e4040 idle/0 0 0 3 0 200 ffffffff82ca1fc0 swapper uvm [Locks tracked through LWPs] ****** LWP 1099.1099 (syz-executor.4) @ 0xffffa90014372640, l_stat=2 *** Locks held: * Lock 0 (initialized at amap_ctor) lock address : 0xffffa9001437b740 type : sleep/adaptive initialized : 0xffffffff816215f3 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffa90014372640 last held: 0xffffa90014372640 last locked* : 0xffffffff81630406 unlocked : 0xffffffff8162e3b8 owner/count : 0xffffa90014372640 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. *** Locks wanted: * Lock 0 (initialized at pmap_ctor) lock address : 0xffffa90013948f80 type : sleep/adaptive initialized : 0xffffffff80872a37 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 1 relevant cpu : 1 last held: 1 relevant lwp : 0xffffa90014372640 last held: 000000000000000000 last locked : 0xffffffff80874566 unlocked*: 0xffffffff80874d4a owner field : 0xffffa90014372640 wait/spin: 0/0 Turnstile: no active turnstile for this lock. ****** LWP 1095.1095 (syz-executor.3) @ 0xffffa90014316a40, l_stat=3 *** Locks held: * Lock 0 (initialized at vcache_alloc) lock address : 0xffffa900143584c0 type : sleep/adaptive initialized : 0xffffffff8181c783 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffa90014316a40 last held: 0xffffa90014316a40 last locked* : 0xffffffff8184b4bf unlocked : 0xffffffff8184b521 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at vcache_alloc) lock address : 0xffffa90012c9ba00 type : sleep/adaptive initialized : 0xffffffff8181c783 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffa90014316a40 last held: 0xffffa90014316a40 last locked* : 0xffffffff8184b4bf unlocked : 0xffffffff8184b521 [ 69.5124284] Skipping crash dump on recursive panic [ 69.5124284] panic: ASan: Unauthorized Access In 0xffffffff816e6d30: Addr 0xffffa90012c9ba00 [8 bytes, read, PoolUseAfterFree] [ 69.5124284] cpu0: Begin traceback... [ 69.5124284] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 [ 69.5124284] snprintf() at netbsd:snprintf [ 69.5124284] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline] [ 69.5124284] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197 [ 69.5124284] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline] [ 69.5124284] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline] [ 69.5124284] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline] [ 69.5124284] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210 [ 69.5124284] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:186 [ 69.5124284] lockdebug_dump() at netbsd:lockdebug_dump+0x205 sys/kern/subr_lockdebug.c:759 [ 69.5124284] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb7 sys/kern/subr_lockdebug.c:839 [ 69.5124284] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26a lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:877 [inline] [ 69.5124284] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26a sys/kern/subr_lockdebug.c:941 [ 69.5124284] db_command() at netbsd:db_command+0x2ad sys/ddb/db_command.c:942 [ 69.5124284] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:439 [inline] [ 69.5124284] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:589 [ 69.5124284] db_trap() at netbsd:db_trap+0x206 sys/ddb/db_trap.c:94 [ 69.5124284] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:248 [ 69.5124284] trap() at netbsd:trap+0x579 sys/arch/amd64/amd64/trap.c:315 [ 69.5124284] --- trap (number 1) --- [ 69.5124284] breakpoint() at netbsd:breakpoint+0x5 [ 69.5124284] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 [ 69.5124284] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 [ 69.5124284] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 69.5124284] namei_tryemulroot() at netbsd:namei_tryemulroot+0x14f8 namei_oneroot sys/kern/vfs_lookup.c:1760 [inline] [ 69.5124284] namei_tryemulroot() at netbsd:namei_tryemulroot+0x14f8 sys/kern/vfs_lookup.c:1909 [ 69.5124284] namei() at netbsd:namei+0x6a sys/kern/vfs_lookup.c:1945 [ 69.5124284] compat_43_sys_lstat() at netbsd:compat_43_sys_lstat+0x194 sys/compat/common/vfs_syscalls_43.c:198 [ 69.5124284] sys___syscall() at netbsd:sys___syscall+0xde sy_call sys/sys/syscallvar.h:65 [inline] [ 69.5124284] sys___syscall() at netbsd:sys___syscall+0xde sys/kern/sys_syscall.c:77 [ 69.5124284] syscall() at netbsd:syscall+0x553 sy_call sys/sys/syscallvar.h:65 [inline] [ 69.5124284] syscall() at netbsd:syscall+0x553 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 69.5124284] syscall() at netbsd:syscall+0x553 sys/arch/x86/x86/syscall.c:138 [ 69.5124284] --- syscall (number 198) --- [ 69.5124284] netbsd:syscall+0x553: [ 69.5124284] cpu0: End traceback... [ 69.5124284] fatal breakpoint trap in supervisor mode [ 69.5124284] trap type 1 code 0 rip 0xffffffff80220a2d cs 0x8 rflags 0x286 cr2 0x796c91800000 ilevel 0x8 rsp 0xffffa9019366ead0 [ 69.5124284] curlwp 0xffffa90012d7b680 pid 2275.2146 lowest kstack 0xffffa901936682c0 Stopped in pid 2275.2146 (syz-executor.2) at netbsd:breakpoint+0x5: leave