login: [ 69.4245017] panic: kernel diagnostic assertion "pmap->pm_ncsw == curlwp->l_ncsw" failed: file "/syzkaller/managers/netbsd/kernel/sys/arch/x86/x86/pmap.c", line 700 [ 69.4444966] cpu1: Begin traceback... [ 69.4545069] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 69.4945366] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 69.5345675] pmap_unmap_ptes() at netbsd:pmap_unmap_ptes+0x1c7 sys/arch/x86/x86/pmap.c:700 [ 69.5745978] pmap_remove() at netbsd:pmap_remove+0x491 sys/arch/x86/x86/pmap.c:3635 [ 69.6146301] uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 [ 69.6546683] uvm_map_enter() at netbsd:uvm_map_enter+0x565 sys/uvm/uvm_map.c:1343 [ 69.6946946] uvm_map() at netbsd:uvm_map+0x1d9 sys/uvm/uvm_map.c:1102 [ 69.7347232] uvm_mmap.part.0() at netbsd:uvm_mmap.part.0+0x25e [ 69.7747534] sys_mmap() at netbsd:sys_mmap+0x8d9 uvm_mmap sys/uvm/uvm_mmap.c:401 [inline] [ 69.7747534] sys_mmap() at netbsd:sys_mmap+0x8d9 sys/uvm/uvm_mmap.c:401 [ 69.8147866] sys___syscall() at netbsd:sys___syscall+0xf5 sy_call sys/sys/syscallvar.h:65 [inline] [ 69.8147866] sys___syscall() at netbsd:sys___syscall+0xf5 sys/kern/sys_syscall.c:77 [ 69.8548158] syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] [ 69.8548158] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 69.8548158] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 [ 69.8648268] --- syscall (number 198) --- [ 69.8948452] 778ac2843b9a: [ 69.8948452] cpu1: End traceback... [ 69.8948452] fatal breakpoint trap in supervisor mode [ 69.9048546] trap type 1 code 0 rip 0xffffffff8021ccb5 cs 0x8 rflags 0x246 cr2 0x778ac1c8d000 ilevel 0 rsp 0xffffa0017a4e73d0 [ 69.9148573] curlwp 0xffffa00011386760 pid 666.3 lowest kstack 0xffffa0017a4e02c0 Stopped in pid 666.3 (syz-executor.1) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure pmap_unmap_ptes() at netbsd:pmap_unmap_ptes+0x1c7 sys/arch/x86/x86/pmap.c:700 pmap_remove() at netbsd:pmap_remove+0x491 sys/arch/x86/x86/pmap.c:3635 uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 uvm_map_enter() at netbsd:uvm_map_enter+0x565 sys/uvm/uvm_map.c:1343 uvm_map() at netbsd:uvm_map+0x1d9 sys/uvm/uvm_map.c:1102 uvm_mmap.part.0() at netbsd:uvm_mmap.part.0+0x25e sys_mmap() at netbsd:sys_mmap+0x8d9 uvm_mmap sys/uvm/uvm_mmap.c:401 [inline] sys_mmap() at netbsd:sys_mmap+0x8d9 sys/uvm/uvm_mmap.c:401 sys___syscall() at netbsd:sys___syscall+0xf5 sy_call sys/sys/syscallvar.h:65 [inline] sys___syscall() at netbsd:sys___syscall+0xf5 sys/kern/sys_syscall.c:77 syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 --- syscall (number 198) --- 778ac2843b9a: ds 5d0 es 2280 fs 73b0 gs 7400 rdi ffffa0000cb1a458 rsi ffffa00011386a48 rbp ffffa0017a4e73d0 rbx ffffa0016ca80000 rdx 3ffff rcx ffffa0016e7f0000 rax ffffa0000e945a08 r8 4 r9 1ffffffff0553818 r10 ffffffff82a9c0c3 db_onpanic+0x3 r11 8000000000 r12 ffffa0016ca92000 r13 ffffffff81c22540 platform_private_nodes+0x140 r14 ffffa0017a4e7460 r15 ffffa0016ca80060 rip ffffffff8021ccb5 breakpoint+0x5 cs 8 rflags 246 rsp ffffa0017a4e73d0 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 618 1 2 0 0 ffffa000130c44a0 syz-executor.0 542 4 3 1 80 ffffa000130c4060 syz-executor.4 parked 630 5 3 0 80 ffffa000130bf040 syz-executor.5 parked 630 4 3 0 80 ffffa000115af700 syz-executor.5 parked 630 3 3 0 80 ffffa000115a0b20 syz-executor.5 parked 630 1 2 0 10040000 ffffa00011386ba0 syz-executor.5 666 5 3 1 80 ffffa00011426500 syz-executor.1 parked 666 4 3 0 80 ffffa00012008160 syz-executor.1 pipe_rd 666 > 3 7 1 0 ffffa00011386760 syz-executor.1 666 1 2 1 10040000 ffffa000113cabc0 syz-executor.1 568 9 3 1 80 ffffa000130bf8c0 syz-executor.3 parked 568 8 3 1 80 ffffa000130bf480 syz-executor.3 parked 568 7 3 1 80 ffffa00013088bc0 syz-executor.3 parked 568 6 3 0 80 ffffa00013088780 syz-executor.3 parked 568 5 3 1 80 ffffa000114160a0 syz-executor.3 parked 568 4 3 0 80 ffffa00011f2fb80 syz-executor.3 parked 568 3 2 1 0 ffffa000113f4060 syz-executor.3 568 1 2 1 10040000 ffffa00013088340 syz-executor.3 451 3 3 1 80 ffffa00013081320 syz-executor.4 parked 77 4 3 1 10000004 ffffa0001306f300 syz-executor.4 vfork 77 3 3 1 10000004 ffffa00011386320 syz-executor.4 vfork 77 1 2 0 10040000 ffffa00012031600 syz-executor.4 401 3 3 1 80 ffffa00012fbab40 syz-executor.1 parked 519 1 2 0 0 ffffa00012025a20 syz-executor.5 530 > 1 7 0 0 ffffa00012f706c0 syz-executor.4 40 1 2 0 0 ffffa00012e99ae0 syz-executor.3 41 1 3 0 4 ffffa00012e996a0 syz-executor.2 biowait 501 1 2 0 0 ffffa00012e99260 syz-executor.1 560 1 2 0 0 ffffa00012d81ac0 syz-executor.0 564 12 2 0 0 ffffa00012d81680 syz-fuzzer 564 11 3 1 80 ffffa00012d81240 syz-fuzzer parked 564 10 3 0 80 ffffa000110d4a00 syz-fuzzer kqueue 564 9 3 1 80 ffffa00012d3b660 syz-fuzzer parked 564 8 3 1 80 ffffa00012d3b220 syz-fuzzer parked 564 7 3 1 80 ffffa0001271fa80 syz-fuzzer parked 564 6 3 0 80 ffffa0001271f640 syz-fuzzer parked 564 5 3 1 80 ffffa00011f7a8c0 syz-fuzzer parked 564 4 3 0 80 ffffa00012016a00 syz-fuzzer parked 564 3 3 0 80 ffffa000120311c0 syz-fuzzer parked 564 2 3 1 80 ffffa00011feb540 syz-fuzzer parked 564 1 3 1 80 ffffa000110d4180 syz-fuzzer parked 603 1 3 0 80 ffffa00011f4d760 sshd select 495 1 3 1 80 ffffa00011fff9c0 getty nanoslp 595 1 3 1 80 ffffa00011fff580 getty nanoslp 587 1 3 1 80 ffffa000120165c0 getty nanoslp 575 1 3 0 80 ffffa000120089e0 getty ttyraw 492 1 3 0 80 ffffa00011f4dba0 cron nanoslp 548 1 3 0 80 ffffa00011f4d320 inetd kqueue 317 1 3 1 80 ffffa000115a06e0 sshd select 473 1 3 1 80 ffffa000114daa40 powerd kqueue 462 1 2 0 0 ffffa0001148a9a0 makemandb 198 1 3 0 80 ffffa00011f6c780 syslogd kqueue 247 1 3 0 80 ffffa000114e81e0 dhcpcd kqueue 220 1 3 1 80 ffffa000113f48e0 dhcpcd kqueue 1 1 3 1 80 ffffa000111fa240 init wait 0 58 3 0 204 ffffa000111faac0 physiod physiod 0 57 3 0 204 ffffa00011242280 aiodoned aiodoned 0 56 3 1 200 ffffa00011241ae0 ioflush syncer 0 55 3 0 204 ffffa000112416a0 pooldrain pooldrain 0 54 3 0 200 ffffa00011241260 pgdaemon pgdaemon 0 51 3 1 200 ffffa000111fa680 npfgc-0 npfgccv 0 50 3 0 204 ffffa000111ecaa0 rt_free rt_free 0 49 3 1 204 ffffa000111ec660 unpgc unpgc 0 48 2 1 200 ffffa000111ec220 key_timehandler 0 47 3 1 204 ffffa00011104a80 icmp6_wqinput/1 icmp6_wqinput 0 46 3 0 204 ffffa00011104640 icmp6_wqinput/0 icmp6_wqinput 0 45 3 0 204 ffffa00011104200 nd6_timer nd6_timer 0 44 3 1 204 ffffa000110f9a60 carp6_wqinput/1 carp6_wqinput 0 43 3 0 204 ffffa000110f9620 carp6_wqinput/0 carp6_wqinput 0 42 3 1 204 ffffa000110f91e0 carp_wqinput/1 carp_wqinput 0 41 3 0 204 ffffa000110e8a40 carp_wqinput/0 carp_wqinput 0 40 3 1 204 ffffa000110e8600 icmp_wqinput/1 icmp_wqinput 0 39 3 0 204 ffffa000110e81c0 icmp_wqinput/0 icmp_wqinput 0 38 2 1 200 ffffa000110d7a20 rt_timer 0 37 3 0 204 ffffa000110d35a0 vmem_rehash vmem_rehash 0 27 3 0 204 ffffa0000e9b9580 scsibus0 sccomp 0 26 3 0 200 ffffa0000e9b9140 pms0 pmsreset 0 25 3 1 204 ffffa0000e92b9a0 xcall/1 xcall 0 24 1 1 200 ffffa0000e92b560 softser/1 0 23 1 1 200 ffffa0000e92b120 softclk/1 0 22 1 1 200 ffffa0000e927980 softbio/1 0 21 1 1 200 ffffa0000e927540 softnet/1 0 20 1 1 201 ffffa0000e927100 idle/1 0 19 3 0 204 ffffa0000e85d960 lnxpwrwq lnxpwrwq 0 18 3 0 204 ffffa0000e85d520 lnxlngwq lnxlngwq 0 17 3 0 204 ffffa0000e85d0e0 lnxsyswq lnxsyswq 0 16 3 0 204 ffffa0000d042940 lnxrcugc lnxrcugc 0 15 3 0 204 ffffa0000d042500 sysmon smtaskq 0 14 3 0 204 ffffa0000d0420c0 pmfsuspend pmfsuspend 0 13 3 0 204 ffffa0000d033920 pmfevent pmfevent 0 12 3 0 204 ffffa0000d0334e0 sopendfree sopendfr 0 11 3 1 204 ffffa0000d0330a0 nfssilly nfssilly 0 10 3 0 200 ffffa0000d027900 cachegc cachegc 0 9 3 1 204 ffffa0000d0274c0 vdrain vdrain 0 8 3 0 200 ffffa0000d027080 modunload mod_unld 0 7 3 0 204 ffffa0000d0188e0 xcall/0 xcall 0 6 1 0 200 ffffa0000d0184a0 softser/0 0 5 1 0 200 ffffa0000d018060 softclk/0 0 4 1 0 200 ffffa0000d0148c0 softbio/0 0 3 1 0 200 ffffa0000d014480 softnet/0 0 2 1 0 201 ffffa0000d014040 idle/0 0 1 3 1 200 ffffffff82b62fa0 swapper uvm [Locks tracked through LWPs] Locks held by an LWP (syz-executor.1): Lock 0 (initialized at uvm_map_setup) lock address : 0xffffa000111f7458 type : sleep/adaptive initialized : 0xffffffff810e792d shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffa00011386760 last held: 0xffffa00011386760 last locked* : 0xffffffff810e182c unlocked : 0xffffffff810d48b4 owner/count : 0xffffa00011386760 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d83a08 with mutex 0xffffa0000d00b640. => No active turnstile for this lock. Lock 1 (initialized at amap_alloc) lock address : 0xffffa00013051840 type : sleep/adaptive initialized : 0xffffffff810c6fb1 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffa00011386760 last held: 0xffffa00011386760 last locked* : 0xffffffff810e7bd1 unlocked : 0xffffffff810dfa95 owner field : 0xffffa00011386760 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83a88 with mutex 0xffffa0000d00ba40. => No active turnstile for this lock. Lock 2 (initialized at pmap_create) lock address : 0xffffa000111f8448 type : sleep/adaptive initialized : 0xffffffff80272166 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 1 current lwp : 0xffffa00011386760 last held: 0xffffa00011386760 last locked* : 0xffffffff80274a67 unlocked : 0xffffffff80274537 owner field : 0xffffa00011386760 wait/spin: 0/0 Turnstile chain at 0xffffffff82d83808 with mutex 0xffffa0000cb2f600. => No active turnstile for this lock. Locks held by an LWP (syz-executor.2): Lock 0 (initialized at vcache_alloc) lock address : 0xffffa00012d44ac0 type : sleep/adaptive initialized : 0xffffffff812ad172 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffffa00011386760 last held: 0xffffa00012e996a0 last locked* : 0xffffffff812da8e0 unlocked : 0xffffffff812da79d owner/count : 0xffffa00012e996a0 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d838d8 with mutex 0xffffa0000cb2fc80. => No active turnstile for this lock. Lock 1 (initialized at vcache_alloc) lock address : 0xffffa00012d44c40 type : sleep/adaptive initialized : 0xffffffff812ad172 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 1 last held: 0 current lwp : 0xffffa00011386760 last held: 0xffffa00012e996a0 last locked* : 0xffffffff812da8e0 unlocked : 0xffffffff812da79d [ 69.9248653] Skipping crash dump on recursive panic [ 69.9248653] panic: ASan: Unauthorized Access In 0xffffffff81182840: Addr 0xffffa00012d44c40 [8 bytes, read, PoolUseAfterFree] [ 69.9248653] cpu1: Begin traceback... [ 69.9248653] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 69.9248653] snprintf() at netbsd:snprintf [ 69.9248653] kasan_report() at netbsd:kasan_report+0x8f kasan_code_name sys/kern/subr_asan.c:172 [inline] [ 69.9248653] kasan_report() at netbsd:kasan_report+0x8f sys/kern/subr_asan.c:194 [ 69.9248653] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:344 [inline] [ 69.9248653] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:358 [inline] [ 69.9248653] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:410 [inline] [ 69.9248653] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1180 [ 69.9248653] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:191 [ 69.9248653] lockdebug_dump() at netbsd:lockdebug_dump+0x281 sys/kern/subr_lockdebug.c:777 [ 69.9248653] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb9 sys/kern/subr_lockdebug.c:855 [ 69.9248653] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:886 [inline] [ 69.9248653] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f sys/kern/subr_lockdebug.c:933 [ 69.9248653] db_command() at netbsd:db_command+0x2c0 sys/ddb/db_command.c:935 [ 69.9248653] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:432 [inline] [ 69.9248653] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:582 [ 69.9248653] db_trap() at netbsd:db_trap+0x219 sys/ddb/db_trap.c:94 [ 69.9248653] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:246 [ 69.9248653] trap() at netbsd:trap+0x650 sys/arch/amd64/amd64/trap.c:313 [ 69.9248653] --- trap (number 1) --- [ 69.9248653] breakpoint() at netbsd:breakpoint+0x5 [ 69.9248653] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 [ 69.9248653] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 69.9248653] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 69.9248653] pmap_unmap_ptes() at netbsd:pmap_unmap_ptes+0x1c7 sys/arch/x86/x86/pmap.c:700 [ 69.9248653] pmap_remove() at netbsd:pmap_remove+0x491 sys/arch/x86/x86/pmap.c:3635 [ 69.9248653] uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x61b sys/uvm/uvm_map.c:2317 [ 69.9248653] uvm_map_enter() at netbsd:uvm_map_enter+0x565 sys/uvm/uvm_map.c:1343 [ 69.9248653] uvm_map() at netbsd:uvm_map+0x1d9 sys/uvm/uvm_map.c:1102 [ 69.9248653] uvm_mmap.part.0() at netbsd:uvm_mmap.part.0+0x25e [ 69.9248653] sys_mmap() at netbsd:sys_mmap+0x8d9 uvm_mmap sys/uvm/uvm_mmap.c:401 [inline] [ 69.9248653] sys_mmap() at netbsd:sys_mmap+0x8d9 sys/uvm/uvm_mmap.c:401 [ 69.9248653] sys___syscall() at netbsd:sys___syscall+0xf5 sy_call sys/sys/syscallvar.h:65 [inline] [ 69.9248653] sys___syscall() at netbsd:sys___syscall+0xf5 sys/kern/sys_syscall.c:77 [ 69.9248653] syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] [ 69.9248653] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 69.9248653] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 [ 69.9248653] --- syscall (number 198) --- [ 69.9248653] 778ac2843b9a: [ 69.9248653] cpu1: End traceback... [ 69.9248653] fatal breakpoint trap in supervisor mode [ 69.9248653] trap type 1 code 0 rip 0xffffffff8021ccb5 cs 0x8 rflags 0x246 cr2 0x778ac1c8d000 ilevel 0x8 rsp 0xffffa0017a4e6990 [ 69.9248653] curlwp 0xffffa00011386760 pid 666.3 lowest kstack 0xffffa0017a4e02c0 Stopped in pid 666.3 (syz-executor.1) at netbsd:breakpoint+0x5: leave