assert failed: ci->ci_tlbstate != TLBSTATE_VAMLID


syzbot

May 28, 2020, 4:33:12 PM
to syzkaller-...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: aa85acd0 - make AP{IB,DA,DB}Key are also enabled when ARMV..
git tree: netbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=168f6aee100000
kernel config: https://syzkaller.appspot.com/x/.config?x=5702129db7f7788d
dashboard link: https://syzkaller.appspot.com/bug?extid=38fa02d3b0e46e57c156
compiler: g++ (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+38fa02...@syzkaller.appspotmail.com

[ 284.0759791] panic: kernel diagnostic assertion "ci->ci_tlbstate != TLBSTATE_VAMLID" failed: file "/syzkaller/managers/netbsd/kernel/sys/arch/x86/x86/pmap.c", line 3412
[ 284.0859594] cpu1: Begin traceback...
ay 28 20:32:19 ci2-netbsd-1 syslogd[449]: Exiting on signal 15
[ 284.0960054] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
[ 284.1259616] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure
[ 284.1559619] pmap_activate() at netbsd:pmap_activate+0x173 sys/arch/x86/x86/pmap.c:3412
[ 284.1859630] mi_switch() at netbsd:mi_switch+0x673 sys/kern/kern_synch.c:808
[ 284.2059637] sleepq_block() at netbsd:sleepq_block+0x130 sys/kern/kern_sleepq.c:345
[ 284.2359682] turnstile_block() at netbsd:turnstile_block+0x9c9 sys/kern/kern_turnstile.c:438
[ 284.2559832] mutex_enter() at netbsd:mutex_enter+0x230 sys/kern/kern_mutex.c:693
[ 284.2759825] pool_put() at netbsd:pool_put+0x86 pool_put_quarantine sys/kern/subr_pool.c:2957 [inline]
[ 284.2759825] pool_put() at netbsd:pool_put+0x86 sys/kern/subr_pool.c:1316
[ 284.2959994] fd_free() at netbsd:fd_free+0x52c sys/kern/kern_descrip.c:1577
[ 284.3159821] exit1() at netbsd:exit1+0x2bf sys/kern/kern_exit.c:301
[ 284.3359923] sigexit() at netbsd:sigexit+0x39f sys/kern/kern_sig.c:2305
[ 284.3559904] sendsig() at netbsd:sendsig
[ 284.3759884] lwp_userret() at netbsd:lwp_userret+0x38a sys/kern/kern_lwp.c:1633
[ 284.3959887] syscall() at netbsd:syscall+0x858 x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline]
[ 284.3959887] syscall() at netbsd:syscall+0x858 KPREEMPT_DISABLE sys/sys/lwp.h:539 [inline]
[ 284.3959887] syscall() at netbsd:syscall+0x858 mi_userret sys/sys/userret.h:97 [inline]
[ 284.3959887] syscall() at netbsd:syscall+0x858 userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline]
[ 284.3959887] syscall() at netbsd:syscall+0x858 sys/arch/x86/x86/syscall.c:166
[ 284.4059828] --- syscall (number 4) ---
[ 284.4159844] netbsd:syscall+0x858:
[ 284.4159844] cpu1: End traceback...
[ 284.4259859] fatal breakpoint trap in supervisor mode
[ 284.4259859] trap type 1 code 0 rip 0xffffffff8022094d cs 0x8 rflags 0x286 cr2 0xffffdb016fc35248 ilevel 0x8 rsp 0xffffdb018b4d44d0
[ 284.4459927] curlwp 0xffffdb0012d05600 pid 1097.1097 lowest kstack 0xffffdb018b4cd2c0
Stopped in pid 1097.1097 (syz-executor.3) at netbsd:breakpoint+0x5: leave
?
breakpoint() at netbsd:breakpoint+0x5
db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67
vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
_GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure
pmap_activate() at netbsd:pmap_activate+0x173 sys/arch/x86/x86/pmap.c:3412
mi_switch() at netbsd:mi_switch+0x673 sys/kern/kern_synch.c:808
sleepq_block() at netbsd:sleepq_block+0x130 sys/kern/kern_sleepq.c:345
turnstile_block() at netbsd:turnstile_block+0x9c9 sys/kern/kern_turnstile.c:438
mutex_enter() at netbsd:mutex_enter+0x230 sys/kern/kern_mutex.c:693
pool_put() at netbsd:pool_put+0x86 pool_put_quarantine sys/kern/subr_pool.c:2957 [inline]
pool_put() at netbsd:pool_put+0x86 sys/kern/subr_pool.c:1316
fd_free() at netbsd:fd_free+0x52c sys/kern/kern_descrip.c:1577
exit1() at netbsd:exit1+0x2bf sys/kern/kern_exit.c:301
sigexit() at netbsd:sigexit+0x39f sys/kern/kern_sig.c:2305
sendsig() at netbsd:sendsig
lwp_userret() at netbsd:lwp_userret+0x38a sys/kern/kern_lwp.c:1633
syscall() at netbsd:syscall+0x858 x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline]
syscall() at netbsd:syscall+0x858 KPREEMPT_DISABLE sys/sys/lwp.h:539 [inline]
syscall() at netbsd:syscall+0x858 mi_userret sys/sys/userret.h:97 [inline]
syscall() at netbsd:syscall+0x858 userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline]
syscall() at netbsd:syscall+0x858 sys/arch/x86/x86/syscall.c:166
--- syscall (number 4) ---
netbsd:syscall+0x858:
ds ffff
es b580
fs 44b0
gs 980
rdi ffffffff82bd8280 db_onpanic
rsi 1ffffffff057b050
rbp ffffdb018b4d44d0
rbx ffffdb016e699000
rdx 0
rcx ffffffff8126bf59 db_panic+0xd5
rax ffffdb0012d05600
r8 4
r9 1ffffffff057b050
r10 ffffffff82bd8283 db_onpanic+0x3
r11 8000000000
r12 ffffdb016e6aa000
r13 ffffffff81f89140 platform_private_nodes+0x160
r14 ffffdb018b4d4560
r15 ffffdb016e699060
rip ffffffff8022094d breakpoint+0x5
cs 8
rflags 286
rsp ffffdb018b4d44d0
ss 10
netbsd:breakpoint+0x5: leave
PID LID S CPU FLAGS STRUCT LWP * NAME WAIT
1882 1882 3 0 0 ffffdb0012b35340 dhcpcd fstchg
1357 1357 3 1 80 ffffdb001295a180 halt nanoslp
1222 1222 2 1 1000000 ffffdb00137e20c0 syz-executor.1
1254 608 5 0 11100000 ffffdb001295ca40 syz-executor.1
1254 1254 3 0 11000000 ffffdb001380b600 syz-executor.1 xclocv
767 767 2 1 1000000 ffffdb0012d75ac0 syz-executor.3
1097 >1097 7 1 1000000 ffffdb0012d05600 syz-executor.3
965 965 2 1 1000000 ffffdb0012b35bc0 syz-executor.1
1313 1313 2 1 1000040 ffffdb001490c980 syz-executor.5
702 702 3 0 1000040 ffffdb001490c100 syz-executor.3 tstile
1436 1436 3 0 1000040 ffffdb00148ca940 syz-executor.4 tstile
1659 1659 3 0 1000040 ffffdb00148ca500 syz-executor.2 tstile
700 700 3 0 1000040 ffffdb0014789900 syz-executor.0 tstile
690 695 3 0 0 ffffdb0014789080 syz-fuzzer xclocv
690 697 2 1 100000 ffffdb0013813a80 syz-fuzzer
690 714 3 0 100000 ffffdb0013813640 syz-fuzzer xclocv
690 694 2 1 100040 ffffdb0013813200 syz-fuzzer
690 693 2 1 100040 ffffdb00136da6c0 syz-fuzzer
690 692 5 0 100000 ffffdb0013827280 syz-fuzzer
690 690 5 0 100000 ffffdb00127442c0 syz-fuzzer
734 734 3 0 0 ffffdb00138035c0 sshd fstchg
800 800 3 0 10000c0 ffffdb0013803180 getty fstcnt
1443 1443 3 0 0 ffffdb0012cf0a00 sshd tstile
449 449 3 0 0 ffffdb001374db40 syslogd tstile
303 303 3 0 0 ffffdb0012c9b040 dhcpcd fstchg
338 338 3 0 80 ffffdb0012b7a900 dhcpcd wait
1 1 3 0 0 ffffdb00128e8980 init xclocv
0 932 3 0 200 ffffdb001295a5c0 physiod physiod
0 63 3 0 200 ffffdb001295c600 pooldrain pooldrain
0 126 3 0 200 ffffdb001295c1c0 ioflush syncer
0 125 3 1 200 ffffdb001295aa00 pgdaemon pgdaemon
0 122 3 0 200 ffffdb00128fd9c0 usb0 usbevt
0 121 3 1 200 ffffdb00128fd580 usbtask-dr usbtsk
0 120 3 0 200 ffffdb000fe5cac0 usbtask-hc usbtsk
0 119 3 0 200 ffffdb00128fd140 npfgc-0 npfgccv
0 118 3 1 200 ffffdb00128e8540 rt_free rt_free
0 117 3 1 200 ffffdb00128e8100 unpgc unpgc
0 116 3 0 200 ffffdb00128df940 key_timehandler key_timehandler
0 115 3 1 200 ffffdb00128df500 icmp6_wqinput/1 icmp6_wqinput
0 114 3 0 200 ffffdb00128df0c0 icmp6_wqinput/0 icmp6_wqinput
0 113 3 0 200 ffffdb00128d6900 nd6_timer nd6_timer
0 112 3 1 200 ffffdb00128d64c0 carp6_wqinput/1 carp6_wqinput
0 111 3 0 200 ffffdb00128d6080 carp6_wqinput/0 carp6_wqinput
0 110 3 1 200 ffffdb00127598c0 carp_wqinput/1 carp_wqinput
0 109 3 0 200 ffffdb0012759480 carp_wqinput/0 carp_wqinput
0 108 3 1 200 ffffdb0012759040 icmp_wqinput/1 icmp_wqinput
0 107 3 0 200 ffffdb0012748bc0 icmp_wqinput/0 icmp_wqinput
0 106 3 0 200 ffffdb0012747740 rt_timer rt_timer
0 105 3 0 200 ffffdb0012748780 vmem_rehash vmem_rehash
0 104 3 1 200 ffffdb0012748340 entbutler entropy
0 30 3 1 200 ffffdb00121626c0 vioif0_txrx/1 vioif0_txrx
0 29 3 0 200 ffffdb0012162280 vioif0_txrx/0 vioif0_txrx
0 27 3 0 200 ffffdb000fe5c680 scsibus0 sccomp
0 26 3 0 200 ffffdb000fe5c240 pms0 pmsreset
0 25 2 1 200 ffffdb000fd9da80 xcall/1
0 24 1 1 200 ffffdb000fd9d640 softser/1
0 23 1 1 200 ffffdb000fd9d200 softclk/1
0 22 1 1 200 ffffdb000fd9ba40 softbio/1
0 21 1 1 200 ffffdb000fd9b600 softnet/1
0 20 1 1 201 ffffdb000fd9b1c0 idle/1
0 19 3 0 200 ffffdb000e80aa00 lnxpwrwq lnxpwrwq
0 18 3 0 200 ffffdb000e80a5c0 lnxlngwq lnxlngwq
0 17 3 0 200 ffffdb000e80a180 lnxsyswq lnxsyswq
0 16 3 0 200 ffffdb000e8049c0 lnxrcugc lnxrcugc
0 15 3 0 200 ffffdb000e804580 sysmon smtaskq
0 14 3 0 200 ffffdb000e804140 pmfsuspend pmfsuspend
0 13 3 0 200 ffffdb000e7ff980 pmfevent pmfevent
0 12 3 0 200 ffffdb000e7ff540 sopendfree sopendfr
0 11 3 0 200 ffffdb000e7ff100 iflnkst iflnkst
0 10 3 0 200 ffffdb000e7f3940 nfssilly nfssilly
0 9 3 0 200 ffffdb000e7f3500 vdrain vdrain
0 8 3 0 200 ffffdb000e7f30c0 modunload mod_unld
0 7 3 0 200 ffffdb000e7e6900 xcall/0 xcall
0 6 1 0 200 ffffdb000e7e64c0 softser/0
0 5 1 0 200 ffffdb000e7e6080 softclk/0
0 4 1 0 200 ffffdb000e7e48c0 softbio/0
0 3 1 0 200 ffffdb000e7e4480 softnet/0
0 > 2 1 0 201 ffffdb000e7e4040 idle/0
0 0 3 0 200 ffffffff82ca3700 swapper uvm
[Locks tracked through LWPs]

****** LWP 1222.1222 (syz-executor.1) @ 0xffffdb00137e20c0, l_stat=2

*** Locks held:

* Lock 0 (initialized at fork1)
lock address : 0xffffdb0012b4f490 type : sleep/adaptive
initialized : 0xffffffff816b76d8
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffdb00137e20c0 last held: 0xffffdb00137e20c0
last locked* : 0xffffffff816b3fa4 unlocked : 000000000000000000
owner/count : 0xffffdb00137e20c0 flags : 0x0000000000000004
Turnstile: no active turnstile for this lock.

* Lock 1 (initialized at pmap_ctor)
lock address : 0xffffdb0012bcf180 type : sleep/adaptive
initialized : 0xffffffff80870a87
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffdb00137e20c0 last held: 0xffffdb00137e20c0
last locked* : 0xffffffff8086fd29 unlocked : 0xffffffff808773c9
owner field : 0xffffdb00137e20c0 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

* Lock 2 (initialized at pmap_ctor)
lock address : 0xffffdb0012bcf188 type : sleep/adaptive
initialized : 0xffffffff80870a93
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffdb00137e20c0 last held: 0xffffdb00137e20c0
last locked* : 0xffffffff8086fe22 unlocked : 0xffffffff8086fe36
owner/count : 0xffffdb00137e20c0 flags : 0x0000000000000004
Turnstile: no active turnstile for this lock.

*** Locks wanted:

* Lock 0 (initialized at pool_init)
lock address : 0xffffdb000e741130 type : sleep/adaptive
initialized : 0xffffffff8175dd47
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 1
relevant cpu : 1 last held: 1
relevant lwp : 0xffffdb00137e20c0 last held: 000000000000000000
last locked : 0xffffffff81760585 unlocked*: 0xffffffff8176064c
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

****** LWP 767.767 (syz-executor.3) @ 0xffffdb0012d75ac0, l_stat=2

*** Locks held:

* Lock 0 (initialized at fork1)
lock address : 0xffffdb0012a79790 type : sleep/adaptive
initialized : 0xffffffff816b76d8
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffdb0012d75ac0 last held: 0xffffdb0012d75ac0
last locked* : 0xffffffff816b3fa4 unlocked : 0xffffffff81792c12
owner/count : 0xffffdb0012d75ac0 flags : 0x0000000000000004
Turnstile: no active turnstile for this lock.

* Lock 1 (initialized at pmap_ctor)
lock address : 0xffffdb0013854780 type : sleep/adaptive
initialized : 0xffffffff80870a87
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffdb0012d75ac0 last held: 0xffffdb0012d75ac0
last locked* : 0xffffffff80876dfc unlocked : 0xffffffff80872daa
owner field : 0xffffdb0012d75ac0 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

*** Locks wanted:

* Lock 0 (initialized at pool_init)
lock address : 0xffffffff82dca1b0 type : sleep/adaptive
initialized : 0xffffffff8175dd47
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 1
relevant cpu : 1 last held: 0
relevant lwp : 0xffffdb0012d75ac0 last held: 000000000000000000
last locked : 0xffffffff81760585 unlocked*: 0xffffffff8176064c
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

****** LWP 1097.1097 (syz-executor.3) @ 0xffffdb0012d05600, l_stat=7

*** Locks held:

* Lock 0 (initialized at fork1)
lock address : 0xffffdb0012b27ed0 type : sleep/adaptive
initialized : 0xffffffff816b76d8
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffdb0012d05600 last held: 0xffffdb0012d05600
last locked* : 0xffffffff816b3fa4 unlocked : 0xffffffff81792c12
owner/count : 0xffffdb0012d05600 flags : 0x0000000000000004
Turnstile: no active turnstile for this lock.

*** Locks wanted:

* Lock 0 (initialized at pool_init)
lock address : 0xffffdb000fca2170 type : sleep/adaptive
initialized : 0xffffffff8175dd47
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 2
relevant cpu : 1 last held: 1
relevant lwp : 0xffffdb0012d05600 last held: 000000000000000000
last locked : 0xffffffff81760585 unlocked*: 0xffffffff8176064c
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

****** LWP 965.965 (syz-executor.1) @ 0xffffdb0012b35bc0, l_stat=2

*** Locks held:

* Lock 0 (initialized at fork1)
lock address : 0xffffdb0014ab9890 type : sleep/adaptive
initialized : 0xffffffff816b76d8
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffdb0012b35bc0 last held: 0xffffdb0012b35bc0
last locked* : 0xffffffff816b3fa4 unlocked : 0xffffffff81792c12
owner/count : 0xffffdb0012b35bc0 flags : 0x0000000000000004
Turnstile: no active turnstile for this lock.

*** Locks wanted:

* Lock 0 (initialized at pool_init)
lock address : 0xffffdb000fca2170 type : sleep/adaptive
initialized : 0xffffffff8175dd47
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 2
relevant cpu : 1 last held: 1
relevant lwp : 0xffffdb0012b35bc0 last held: 000000000000000000
last locked : 0xffffffff81760585 unlocked*: 0xffffffff8176064c
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

****** LWP 1313.1313 (syz-executor.5) @ 0xffffdb001490c980, l_stat=2

*** Locks held:

* Lock 0 (initialized at fork1)
lock address : 0xffffdb001406ded0 type : sleep/adaptive
initialized : 0xffffffff816b76d8
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 0
relevant lwp : 0xffffdb001490c980 last held: 0xffffdb001490c980
last locked* : 0xffffffff816b3fa4 unlocked : 0xffffffff816b1947
owner/count : 0xffffdb001490c980 flags : 0x0000000000000004
Turnstile: no active turnstile for this lock.

* Lock 1 (initialized at uvm_map_setup)
lock address : 0xffffffff82e217e8 type : sleep/adaptive
initialized : 0xffffffff8164a151
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 4
relevant cpu : 1 last held: 1
relevant lwp : 0xffffdb001490c980 last held: 0xffffdb001490c980
last locked* : 0xffffffff81644405 unlocked : 0xffffffff8164d90d
owner/count : 0xffffdb001490c980 flags : 0x0000000000000007
Turnstile:
=> 1 waiting readers: 0xffffdb001374db40
=> 4 waiting writers: 0xffffdb00148ca940 0xffffdb00148ca500 0xffffdb0014789900 0xffffdb001490c100

* Lock 2 (initialized at uvm_obj_init)
lock address : 0xffffdb001495c480 type : sleep/adaptive
initialized : 0xffffffff81656de0
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffdb001490c980 last held: 0xffffdb001490c980
last locked* : 0xffffffff8164a39f unlocked : 0xffffffff81631225
owner/count : 0xffffdb001490c980 flags : 0x0000000000000004
Turnstile: no active turnstile for this lock.

* Lock 3 (initialized at pmap_bootstrap)
lock address : 0xffffffff82d99040 type : sleep/adaptive
initialized : 0xffffffff8086da6e
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffdb001490c980 last held: 0xffffdb001490c980
last locked* : 0xffffffff80871f1d unlocked : 0xffffffff808720be
owner field : 0xffffdb001490c980 wait/spin: 1/0
Turnstile:
=> 0 waiting readers:
=> 1 waiting writers: 0xffffdb0012cf0a00

*** Locks wanted: none

****** LWP 702.702 (syz-executor.3) @ 0xffffdb001490c100, l_stat=3

*** Locks held:

* Lock 0 (initialized at fork1)
lock address : 0xffffdb0012c4cb10 type : sleep/adaptive
initialized : 0xffffffff816b76d8
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffffdb001490c100 last held: 0xffffdb001490c100
last locked* : 0xffffffff816b3fa4 unlocked : 0xffffffff816b1947
owner/count : 0xffffdb001490c100 flags : 0x0000000000000004
Turnstile: no active turnstile for this lock.

*** Locks wanted:

* Lock 0 (initialized at uvm_map_setup)
lock address : 0xffffffff82e217e8 type : sleep/adaptive
initialized : 0xffffffff8164a151
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 4
relevant cpu : 0 last held: 1
relevant lwp : 0xffffdb001490c100 last held: 0xffffdb001490c980
last locked* : 0xffffffff81644405 unlocked : 0xffffffff8164d90d
owner/count : 0xffffdb001490c980 flags : 0x0000000000000007
Turnstile:
=> 1 waiting readers: 0xffffdb001374db40
=> 4 waiting writers: 0xffffdb00148ca940 0xffffdb00148ca500 0xffffdb0014789900 0xffffdb001490c100

****** LWP 1436.1436 (syz-executor.4) @ 0xffffdb00148ca940, l_stat=3

*** Locks held: none

*** Locks wanted:

* Lock 0 (initialized at uvm_map_setup)
lock address : 0xffffffff82e217e8 type : sleep/adaptive
initialized : 0xffffffff8164a151
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 4
relevant cpu : 0 last held: 1
relevant lwp : 0xffffdb00148ca940 last held: 0xffffdb001490c980
last locked* : 0xffffffff81644405 unlocked : 0xffffffff8164d90d
owner/count : 0xffffdb001490c980 flags : 0x0000000000000007
Turnstile:
=> 1 waiting readers: 0xffffdb001374db40
=> 4 waiting writers: 0xffffdb00148ca940 0xffffdb00148ca500 0xffffdb0014789900 0xffffdb001490c100

****** LWP 1659.1659 (syz-executor.2) @ 0xffffdb00148ca500, l_stat=3

*** Locks held: none

*** Locks wanted:

* Lock 0 (initialized at uvm_map_setup)
lock address : 0xffffffff82e217e8 type : sleep/adaptive
initialized : 0xffffffff8164a151
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 4
relevant cpu : 0 last held: 1
relevant lwp : 0xffffdb00148ca500 last held: 0xffffdb001490c980
last locked* : 0xffffffff81644405 unlocked : 0xffffffff8164d90d
owner/count : 0xffffdb001490c980 flags : 0x0000000000000007
Turnstile:
=> 1 waiting readers: 0xffffdb001374db40
=> 4 waiting writers: 0xffffdb00148ca940 0xffffdb00148ca500 0xffffdb0014789900 0xffffdb001490c100

****** LWP 700.700 (syz-executor.0) @ 0xffffdb0014789900, l_stat=3

*** Locks held: none

*** Locks wanted:

* Lock 0 (initialized at uvm_map_setup)
lock address : 0xffffffff82e217e8 type : sleep/adaptive
initialized : 0xffffffff8164a151
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 4
relevant cpu : 0 last held: 1
relevant lwp : 0xffffdb0014789900 last held: 0xffffdb001490c980
last locked* : 0xffffffff81644405 unlocked : 0xffffffff8164d90d
owner/count : 0xffffdb001490c980 flags : 0x0000000000000007
Turnstile:
=> 1 waiting readers: 0xffffdb001374db40
=> 4 waiting writers: 0xffffdb00148ca940 0xffffdb00148ca500 0xffffdb0014789900 0xffffdb001490c100

****** LWP 800.800 (getty) @ 0xffffdb0013803180, l_stat=3

*** Locks held:

* Lock 0 (initialized at fork1)
lock address : 0xffffdb00137f97d0 type : sleep/adaptive
initialized : 0xffffffff816b76d8
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffffdb0013803180 last held: 0xffffdb0013803180
last locked* : 0xffffffff816b3fa4 unlocked : 0xffffffff816b1947
owner/count : 0xffffdb0013803180 flags : 0x0000000000000004
Turnstile: no active turnstile for this lock.

* Lock 1 (initialized at pmap_ctor)
lock address : 0xffffdb0013818380 type : sleep/adaptive
initialized : 0xffffffff80870a87
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffffdb0013803180 last held: 0xffffdb0013803180
last locked* : 0xffffffff80876dfc unlocked : 0xffffffff80872daa
[ 284.4459927] Skipping crash dump on recursive panic
[ 284.4459927] panic: ASan: Unauthorized Access In 0xffffffff816cff80: Addr 0xffffdb0013818380 [8 bytes, read, PoolUseAfterFree]

[ 284.4459927] cpu1: Begin traceback...
[ 284.4459927] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
[ 284.4459927] snprintf() at netbsd:snprintf
[ 284.4459927] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline]
[ 284.4459927] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197
[ 284.4459927] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline]
[ 284.4459927] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline]
[ 284.4459927] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline]
[ 284.4459927] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210
[ 284.4459927] mutex_dump() at netbsd:mutex_dump+0x20 sys/kern/kern_mutex.c:313
[ 284.4459927] lockdebug_dump() at netbsd:lockdebug_dump+0x205 sys/kern/subr_lockdebug.c:759
[ 284.4459927] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb7 sys/kern/subr_lockdebug.c:839
[ 284.4459927] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26a lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:877 [inline]
[ 284.4459927] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26a sys/kern/subr_lockdebug.c:941
[ 284.4459927] db_command() at netbsd:db_command+0x2ad sys/ddb/db_command.c:942
[ 284.4459927] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:439 [inline]
[ 284.4459927] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:589
[ 284.4459927] db_trap() at netbsd:db_trap+0x206 sys/ddb/db_trap.c:94
[ 284.4459927] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:248
[ 284.4459927] trap() at netbsd:trap+0x579 sys/arch/amd64/amd64/trap.c:315
[ 284.4459927] --- trap (number 1) ---
[ 284.4459927] breakpoint() at netbsd:breakpoint+0x5
[ 284.4459927] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67
[ 284.4459927] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
[ 284.4459927] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure
[ 284.4459927] pmap_activate() at netbsd:pmap_activate+0x173 sys/arch/x86/x86/pmap.c:3412
[ 284.4459927] mi_switch() at netbsd:mi_switch+0x673 sys/kern/kern_synch.c:808
[ 284.4459927] sleepq_block() at netbsd:sleepq_block+0x130 sys/kern/kern_sleepq.c:345
[ 284.4459927] turnstile_block() at netbsd:turnstile_block+0x9c9 sys/kern/kern_turnstile.c:438
[ 284.4459927] mutex_enter() at netbsd:mutex_enter+0x230 sys/kern/kern_mutex.c:693
[ 284.4459927] pool_put() at netbsd:pool_put+0x86 pool_put_quarantine sys/kern/subr_pool.c:2957 [inline]
[ 284.4459927] pool_put() at netbsd:pool_put+0x86 sys/kern/subr_pool.c:1316
[ 284.4459927] fd_free() at netbsd:fd_free+0x52c sys/kern/kern_descrip.c:1577
[ 284.4459927] exit1() at netbsd:exit1+0x2bf sys/kern/kern_exit.c:301
[ 284.4459927] sigexit() at netbsd:sigexit+0x39f sys/kern/kern_sig.c:2305
[ 284.4459927] sendsig() at netbsd:sendsig
[ 284.4459927] lwp_userret() at netbsd:lwp_userret+0x38a sys/kern/kern_lwp.c:1633
[ 284.4459927] syscall() at netbsd:syscall+0x858 x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline]
[ 284.4459927] syscall() at netbsd:syscall+0x858 KPREEMPT_DISABLE sys/sys/lwp.h:539 [inline]
[ 284.4459927] syscall() at netbsd:syscall+0x858 mi_userret sys/sys/userret.h:97 [inline]
[ 284.4459927] syscall() at netbsd:syscall+0x858 userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline]
[ 284.4459927] syscall() at netbsd:syscall+0x858 sys/arch/x86/x86/syscall.c:166
[ 284.4459927] --- syscall (number 4) ---
[ 284.4459927] netbsd:syscall+0x858:
[ 284.4459927] cpu1: End traceback...
[ 284.4459927] fatal breakpoint trap in supervisor mode
[ 284.4459927] trap type 1 code 0 rip 0xffffffff8022094d cs 0x8 rflags 0x282 cr2 0xffffdb016fc35248 ilevel 0x8 rsp 0xffffdb018b4d3a70
[ 284.4459927] curlwp 0xffffdb0012d05600 pid 1097.1097 lowest kstack 0xffffdb018b4cd2c0
Stopped in pid 1097.1097 (syz-executor.3) at netbsd:breakpoint+0x5: leave


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Maxime Villard

May 30, 2020, 3:42:39 AM
to syzbot, syzkaller-...@googlegroups.com
#syz invalid