panic: Kernel lock error: _kernel_lock,188: locking against myself


syzbot

Jan 18, 2020, 4:48:10 AM
to syzkaller-...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: f40c1b94 Convert #if 0'ed code to uvm_hotplug api
git tree: netbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=15ff7ed1e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=6e4d6bd2b8e377a2
dashboard link: https://syzkaller.appspot.com/bug?extid=fb945a331dabd0b6ba9e
compiler: g++ (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fb945a...@syzkaller.appspotmail.com

./file1 ./file0 ./file1 ./file0 d� [ 68.8726772] panic: Kernel lock error: _kernel_lock,188: locking against myself

[ 68.8726772] lock address : 0xffffffff82d84300 type : spin
[ 68.8726772] initialized : 0xffffffff81a4fda5
[ 68.8726772] shared holds : 0 exclusive: 1
[ 68.8726772] shares wanted: 0 exclusive: 1
[ 68.8726772] current cpu : 0 last held: 0
[ 68.8726772] current lwp : 0xffffcd000de24000 last held: 0xffffcd0013bd7800
[ 68.8726772] last locked* : 0xffffffff811ad30d unlocked : 0xffffffff802a282c
[ 68.8726772] curcpu holds : 0 wanted by: 000000000000000000
[ 68.8726772] kernel diagnostic assertion "ci->ci_biglock_count == 0" failed: file "/syzkaller/managers/netbsd/kernel/sys/sys/userret.h", line 88

[ 68.9496003] cpu1: Begin traceback...
[ 68.9627574] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336
[ 68.9927947] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure
[ 69.0428582] syscall() at netbsd:syscall+0x8d6 mi_userret sys/sys/userret.h:88 [inline]
[ 69.0428582] syscall() at netbsd:syscall+0x8d6 userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline]
[ 69.0428582] syscall() at netbsd:syscall+0x8d6 sys/arch/x86/x86/syscall.c:166
[ 69.0528683] --- syscall (number 0) ---
[ 69.0628835] 459431:
[ 69.0728930] cpu1: End traceback...
[ 69.0728930] fatal breakpoint trap in supervisor mode
[ 69.0829088] trap type 1 code 0 rip 0xffffffff8021e4b5 cs 0x8 rflags 0x246 cr2 0x7b338961d400 ilevel 0 rsp 0xffffcd017e7a7d10
[ 69.0929201] curlwp 0xffffcd00137eb400 pid 603.10 lowest kstack 0xffffcd017e7a02c0
Stopped in pid 603.10 (syz-fuzzer) at netbsd:breakpoint+0x5: leave
?
breakpoint() at netbsd:breakpoint+0x5
db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67
vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336
_GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure
syscall() at netbsd:syscall+0x8d6 mi_userret sys/sys/userret.h:88 [inline]
syscall() at netbsd:syscall+0x8d6 userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline]
syscall() at netbsd:syscall+0x8d6 sys/arch/x86/x86/syscall.c:166
--- syscall (number 0) ---
459431:
ds e524
es dc6b
fs 7cf0
gs 7d40
rdi ffffcd000d92b458
rsi ffffcd00137eb6a8
rbp ffffcd017e7a7d10
rbx ffffcd016d893000
rdx 2
rcx ffffffff80d1a151 db_panic+0xd5
rax 0
r8 4
r9 1ffffffff0553ebc
r10 ffffffff82a9f5e3 db_onpanic+0x3
r11 10
r12 ffffcd016d8a4000
r13 ffffffff81c2a5e0 x86_features+0x1560
r14 ffffcd017e7a7da0
r15 ffffcd016d893068
rip ffffffff8021e4b5 breakpoint+0x5
cs 8
rflags 246
rsp ffffcd017e7a7d10
ss 10
netbsd:breakpoint+0x5: leave
PID LID S CPU FLAGS STRUCT LWP * NAME WAIT
807 1 2 0 40000 ffffcd0011d46400 syz-executor.5
550 3 3 1 4 ffffcd0011d46000 syz-executor.3 biowait
550 1 2 0 10040000 ffffcd0012a63800 syz-executor.3
549 3 3 1 40080 ffffcd00129ee800 syz-executor.1 parked
579 3 3 1 40080 ffffcd0011ff0800 syz-executor.1 parked
130 4 3 1 80 ffffcd0011c94800 syz-executor.4 parked
130 > 3 7 0 20000000 ffffcd0013bd7800 syz-executor.4
130 1 2 0 10040000 ffffcd0011f13c00 syz-executor.4
97 3 3 1 40080 ffffcd0013bd7400 syz-executor.0 parked
98 3 3 0 80 ffffcd0012a0fc00 syz-executor.1 parked
758 3 3 0 80 ffffcd0012a0f800 syz-executor.1 parked
693 3 3 0 80 ffffcd0011eeb400 syz-executor.0 parked
547 3 3 1 80 ffffcd0011f79400 syz-executor.0 parked
624 3 3 1 80 ffffcd0011f3c000 syz-executor.5 parked
45 1 2 1 0 ffffcd0013a2ac00 syz-executor.5
606 1 2 1 0 ffffcd0013a2a000 syz-executor.4
587 1 2 1 0 ffffcd0013922c00 syz-executor.3
612 1 3 1 0 ffffcd0013922800 syz-executor.2 biolock
454 1 3 0 4 ffffcd0013922400 syz-executor.1 biowait
41 1 2 0 0 ffffcd0013922000 syz-executor.0
603 12 3 0 80 ffffcd00137ebc00 syz-fuzzer parked
603 11 3 1 80 ffffcd00137eb800 syz-fuzzer parked
603 > 10 7 1 20000000 ffffcd00137eb400 syz-fuzzer
603 9 3 1 80 ffffcd000f3c2c00 syz-fuzzer parked
603 8 3 0 80 ffffcd00137eb000 syz-fuzzer parked
603 7 2 1 0 ffffcd00137e1800 syz-fuzzer
603 6 3 1 80 ffffcd00137e1400 syz-fuzzer parked
603 5 3 0 80 ffffcd00137e1000 syz-fuzzer parked
603 4 3 1 80 ffffcd0012a8c400 syz-fuzzer parked
603 3 3 0 80 ffffcd0012a8c000 syz-fuzzer parked
603 2 2 1 0 ffffcd0012a7e800 syz-fuzzer
603 1 3 0 80 ffffcd0011ae3400 syz-fuzzer parked
453 1 3 1 80 ffffcd0012991c00 sshd select
505 1 3 1 80 ffffcd0012a63c00 getty nanoslp
536 1 3 1 80 ffffcd0012a63400 getty nanoslp
431 1 3 0 80 ffffcd0012a6dc00 getty nanoslp
564 1 3 1 80 ffffcd0012a6d800 getty ttyraw
494 1 3 0 80 ffffcd0011eebc00 cron nanoslp
529 1 3 1 80 ffffcd00129dc800 inetd kqueue
317 1 3 0 80 ffffcd0011f94c00 sshd select
479 1 3 0 80 ffffcd0011e8b800 powerd kqueue
314 1 3 0 80 ffffcd00129cec00 syslogd kqueue
268 1 3 0 80 ffffcd0011f3c400 dhcpcd kqueue
220 1 3 1 80 ffffcd0011e5f000 dhcpcd kqueue
1 1 3 1 80 ffffcd0011c3ec00 init wait
0 58 3 0 204 ffffcd0011c54400 physiod physiod
0 57 3 1 204 ffffcd0011c94400 aiodoned aiodoned
0 56 3 0 204 ffffcd0011c94000 pooldrain pooldrain
0 55 3 0 200 ffffcd0011c54c00 ioflush syncer
0 54 3 1 200 ffffcd0011c54800 pgdaemon pgdaemon
0 51 3 1 200 ffffcd0011c54000 npfgc-0 npfgccv
0 50 3 1 204 ffffcd0011c3e800 rt_free rt_free
0 49 3 1 204 ffffcd0011c3e400 unpgc unpgc
0 48 3 1 204 ffffcd0011c3e000 key_timehandler key_timehandler
0 47 3 1 204 ffffcd0011b08c00 icmp6_wqinput/1 icmp6_wqinput
0 46 3 0 204 ffffcd0011b08800 icmp6_wqinput/0 icmp6_wqinput
0 45 3 0 204 ffffcd0011b08400 nd6_timer nd6_timer
0 44 3 1 204 ffffcd0011b08000 carp6_wqinput/1 carp6_wqinput
0 43 3 0 204 ffffcd0011af3c00 carp6_wqinput/0 carp6_wqinput
0 42 3 1 204 ffffcd0011af3800 carp_wqinput/1 carp_wqinput
0 41 3 0 204 ffffcd0011af3400 carp_wqinput/0 carp_wqinput
0 40 3 1 204 ffffcd0011af3000 icmp_wqinput/1 icmp_wqinput
0 39 3 0 204 ffffcd0011ae3c00 icmp_wqinput/0 icmp_wqinput
0 38 3 1 204 ffffcd0011ae3800 rt_timer rt_timer
0 37 3 0 204 ffffcd0011ae3000 vmem_rehash vmem_rehash
0 27 3 0 204 ffffcd000f3c2400 scsibus0 sccomp
0 26 3 0 200 ffffcd000f3c2000 pms0 pmsreset
0 25 3 1 204 ffffcd000f333c00 xcall/1 xcall
0 24 1 1 200 ffffcd000f333800 softser/1
0 23 1 1 200 ffffcd000f333400 softclk/1
0 22 1 1 200 ffffcd000f333000 softbio/1
0 21 1 1 200 ffffcd000de51c00 softnet/1
0 20 1 1 201 ffffcd000de51800 idle/1
0 19 3 0 204 ffffcd000de51400 lnxpwrwq lnxpwrwq
0 18 3 0 204 ffffcd000de51000 lnxlngwq lnxlngwq
0 17 3 0 204 ffffcd000de4cc00 lnxsyswq lnxsyswq
0 16 3 0 204 ffffcd000de4c800 lnxrcugc lnxrcugc
0 15 3 0 204 ffffcd000de4c400 sysmon smtaskq
0 14 3 0 204 ffffcd000de4c000 pmfsuspend pmfsuspend
0 13 3 0 204 ffffcd000de35c00 pmfevent pmfevent
0 12 3 0 204 ffffcd000de35800 sopendfree sopendfr
0 11 3 0 204 ffffcd000de35400 nfssilly nfssilly
0 10 3 0 200 ffffcd000de35000 cachegc cachegc
0 9 3 0 204 ffffcd000de24c00 vdrain vdrain
0 8 3 1 200 ffffcd000de24800 modunload mod_unld
0 7 3 0 204 ffffcd000de24400 xcall/0 xcall
0 > 6 7 0 20000200 ffffcd000de24000 softser/0
0 5 1 0 200 ffffcd000de1fc00 softclk/0
0 4 1 0 40200 ffffcd000de1f800 softbio/0
0 3 1 0 200 ffffcd000de1f400 softnet/0
0 2 1 0 201 ffffcd000de1f000 idle/0
0 1 3 0 200 ffffffff82b67ac0 swapper uvm
[Locks tracked through LWPs]
Locks held by an LWP (syz-executor.5):
Lock 0 (initialized at uvm_obj_init)
lock address : 0xffffcd001378d640 type : sleep/adaptive
initialized : 0xffffffff8110caf7
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
current cpu : 1 last held: 1
current lwp : 0xffffcd00137eb400 last held: 0xffffcd0011d46400
last locked* : 0xffffffff810f0759 unlocked : 0xffffffff810edefd
owner field : 0xffffcd0011d46400 wait/spin: 0/0

Turnstile chain at 0xffffffff82d8da08 with mutex 0xffffffff82d8cd80.
=> No active turnstile for this lock.

Locks held by an LWP (syz-executor.3):
Lock 0 (initialized at vcache_alloc)
lock address : 0xffffcd0013b65780 type : sleep/adaptive
initialized : 0xffffffff812cc9d2
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
current cpu : 1 last held: 1
current lwp : 0xffffcd00137eb400 last held: 0xffffcd0011d46000
last locked* : 0xffffffff812f98e0 unlocked : 0xffffffff812f979d
owner/count : 0xffffcd0011d46000 flags : 0x0000000000000004

Turnstile chain at 0xffffffff82d8da30 with mutex 0xffffffff82d8cec0.
=> No active turnstile for this lock.
Lock 1 (initialized at genfs_node_init)
lock address : 0xffffcd0013b86f08 type : sleep/adaptive
initialized : 0xffffffff812f9a64
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
current cpu : 1 last held: 1
current lwp : 0xffffcd00137eb400 last held: 0xffffcd0011d46000
last locked* : 0xffffffff81057826 unlocked : 0xffffffff812efa05
owner/count : 0xffffcd0011d46000 flags : 0x0000000000000004

Turnstile chain at 0xffffffff82d8d920 with mutex 0xffffffff82d8c640.
=> No active turnstile for this lock.

Locks held by an LWP (syz-executor.2):
Lock 0 (initialized at vcache_alloc)
lock address : 0xffffcd00137ec540 type : sleep/adaptive
initialized : 0xffffffff812cc9d2
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
current cpu : 1 last held: 1
current lwp : 0xffffcd00137eb400 last held: 0xffffcd0013922800
last locked* : 0xffffffff812f98e0 unlocked : 0xffffffff812f979d
owner/count : 0xffffcd0013922800 flags : 0x0000000000000004

Turnstile chain at 0xffffffff82d8d7e8 with mutex 0xffffffff82d8bc80.
=> No active turnstile for this lock.
Lock 1 (initialized at vcache_alloc)
lock address : 0xffffcd0013b654c0 type : sleep/adaptive
initialized : 0xffffffff812cc9d2
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
current cpu : 1 last held: 1
current lwp : 0xffffcd00137eb400 last held: 0xffffcd0013922800
last locked* : 0xffffffff812f98e0 unlocked : 0xffffffff812f979d
owner/count : 0xffffcd0013922800 flags : 0x0000000000000004

Turnstile chain at 0xffffffff82d8d9d8 with mutex 0xffffffff82d8cc00.
=> No active turnstile for this lock.
Lock 2 (initialized at genfs_node_init)
lock address : 0xffffcd0013b86408 type : sleep/adaptive
initialized : 0xffffffff812f9a64
shared holds : 0


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
