assert failed: ci->ci_tlbstate != TLBSTATE_VALID (2)


syzbot

May 28, 2020, 6:12:14 AM5/28/20
to syzkaller-...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: aa85acd0 - make AP{IB,DA,DB}Key are also enabled when ARMV..
git tree: netbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=17f1c1ba100000
kernel config: https://syzkaller.appspot.com/x/.config?x=5702129db7f7788d
dashboard link: https://syzkaller.appspot.com/bug?extid=15dd4dbac6ed159faa4a
compiler: g++ (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+15dd4d...@syzkaller.appspotmail.com

[ 66.7693017] panic: kernel diagnostic assertion "ci->ci_tlbstate != TLBSTATE_VALID" failed: file "/syzkaller/managers/netbsd/kernel/sys/arch/x86/x86/pmap.c", line 3412
[ 66.7693017] cpu0: Begin traceback...
[ 66.7693017] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
[ 66.7693017] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure
[ 66.7693017] pmap_activate() at netbsd:pmap_activate+0x173 sys/arch/x86/x86/pmap.c:3412
[ 66.7693017] mi_switch() at netbsd:mi_switch+0x673 sys/kern/kern_synch.c:808
[ 66.7693017] sleepq_block() at netbsd:sleepq_block+0x2c2 sys/kern/kern_sleepq.c:340
[ 66.7693017] kpause() at netbsd:kpause+0x19b sys/kern/kern_synch.c:246
[ 66.7693017] nanosleep1() at netbsd:nanosleep1+0x289 sys/kern/kern_time.c:348
[ 66.7693017] sys___nanosleep50() at netbsd:sys___nanosleep50+0xe5 sys/kern/kern_time.c:286
[ 66.7693017] syscall() at netbsd:syscall+0x553 sy_call sys/sys/syscallvar.h:65 [inline]
[ 66.7693017] syscall() at netbsd:syscall+0x553 sy_invoke sys/sys/syscallvar.h:94 [inline]
[ 66.7693017] syscall() at netbsd:syscall+0x553 sys/arch/x86/x86/syscall.c:138
[ 66.7693017] --- syscall (number 430) ---
[ 66.7693017] netbsd:syscall+0x553:
[ 66.7693017] cpu0: End traceback...
[ 66.7693017] fatal breakpoint trap in supervisor mode
[ 66.7693017] trap type 1 code 0 rip 0xffffffff8022094d cs 0x8 rflags 0x282 cr2 0x73172c44d000 ilevel 0x8 rsp 0xffffaa018023b8b0
[ 66.7693017] curlwp 0xffffaa001386dbc0 pid 692.693 lowest kstack 0xffffaa01802342c0
Stopped in pid 692.693 (syz-fuzzer) at netbsd:breakpoint+0x5: leave
?
breakpoint() at netbsd:breakpoint+0x5
db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67
vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
_GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure
pmap_activate() at netbsd:pmap_activate+0x173 sys/arch/x86/x86/pmap.c:3412
mi_switch() at netbsd:mi_switch+0x673 sys/kern/kern_synch.c:808
sleepq_block() at netbsd:sleepq_block+0x2c2 sys/kern/kern_sleepq.c:340
kpause() at netbsd:kpause+0x19b sys/kern/kern_synch.c:246
nanosleep1() at netbsd:nanosleep1+0x289 sys/kern/kern_time.c:348
sys___nanosleep50() at netbsd:sys___nanosleep50+0xe5 sys/kern/kern_time.c:286
syscall() at netbsd:syscall+0x553 sy_call sys/sys/syscallvar.h:65 [inline]
syscall() at netbsd:syscall+0x553 sy_invoke sys/sys/syscallvar.h:94 [inline]
syscall() at netbsd:syscall+0x553 sys/arch/x86/x86/syscall.c:138
--- syscall (number 430) ---
netbsd:syscall+0x553:
ds c168
es 4425
fs b890
gs b8e0
rdi ffffffff82bd8280 db_onpanic
rsi 1ffffffff057b050
rbp ffffaa018023b8b0
rbx ffffffff829b5080 cpu_info_primary
rdx 0
rcx ffffffff8126bf59 db_panic+0xd5
rax ffffaa001386dbc0
r8 4
r9 1ffffffff057b050
r10 ffffffff82bd8283 db_onpanic+0x3
r11 8000000000
r12 ffffaa016e6aa000
r13 ffffffff81f89140 platform_private_nodes+0x160
r14 ffffaa018023b940
r15 ffffaa016e699060
rip ffffffff8022094d breakpoint+0x5
cs 8
rflags 282
rsp ffffaa018023b8b0
ss 10
netbsd:breakpoint+0x5: leave
PID LID S CPU FLAGS STRUCT LWP * NAME WAIT
2266 2266 3 1 10000000 ffffaa0012bc9140 syz-executor.3 xclocv
3301 3301 3 0 80 ffffaa0012a82740 syz-executor.3 parked
1831 1831 2 0 10000000 ffffaa0012c0ca40 syz-executor.2
2218 2218 3 1 40080 ffffaa00149201c0 syz-executor.3 parked
3259 3259 3 0 40080 ffffaa00129daac0 syz-executor.3 parked
839 839 3 1 40 ffffaa00147ee9c0 syz-executor.5 xclocv
701 701 3 1 40 ffffaa00147ee580 syz-executor.4 biowait
1186 >1186 7 1 40 ffffaa00147ee140 syz-executor.2
836 836 2 1 40 ffffaa00147c1540 syz-executor.3
702 702 3 1 40 ffffaa00147c1100 syz-executor.1 xclocv
1436 1436 2 1 40 ffffaa0014796940 syz-executor.0
692 1313 3 0 80 ffffaa00147c1980 syz-fuzzer parked
692 728 3 0 c0 ffffaa00136f4b40 syz-fuzzer parked
692 1659 3 1 80 ffffaa0014796500 syz-fuzzer parked
692 700 3 1 80 ffffaa00147960c0 syz-fuzzer parked
692 696 2 0 40 ffffaa00147884c0 syz-fuzzer
692 695 3 1 80 ffffaa0014788080 syz-fuzzer parked
692 697 3 1 80 ffffaa0013815a80 syz-fuzzer parked
692 714 3 1 80 ffffaa001382ab00 syz-fuzzer parked
692 694 3 0 c0 ffffaa001382a6c0 syz-fuzzer parked
692 > 693 7 0 40 ffffaa001386dbc0 syz-fuzzer
692 692 3 1 c0 ffffaa00127442c0 syz-fuzzer kqueue
691 691 3 1 80 ffffaa001380c1c0 sshd select
689 689 3 1 80 ffffaa0013815640 getty nanoslp
684 684 3 1 80 ffffaa0013815200 getty nanoslp
683 683 3 1 80 ffffaa00140dc8c0 getty nanoslp
722 722 3 1 c0 ffffaa001380ca40 getty ttyraw
733 733 3 0 80 ffffaa00136f4700 cron nanoslp
252 252 3 0 80 ffffaa0013778bc0 inetd kqueue
1445 1445 3 1 80 ffffaa0012ceaa00 sshd select
739 739 3 1 80 ffffaa0012c0c600 powerd kqueue
449 449 3 0 80 ffffaa00136c0b00 syslogd kqueue
303 303 3 0 80 ffffaa0012c9c480 dhcpcd kqueue
337 337 3 0 80 ffffaa0012bb3100 dhcpcd kqueue
1 1 3 0 80 ffffaa00128f7140 init wait
0 598 3 0 200 ffffaa001294da00 physiod physiod
0 63 3 0 200 ffffaa001295ca40 pooldrain pooldrain
0 126 3 1 200 ffffaa001295c600 ioflush syncer
0 125 3 1 200 ffffaa001295c1c0 pgdaemon pgdaemon
0 122 3 1 200 ffffaa001294d180 usb0 usbevt
0 121 3 1 200 ffffaa00128f79c0 usbtask-dr usbtsk
0 120 3 1 200 ffffaa00128f7580 usbtask-hc usbtsk
0 119 3 1 200 ffffaa000fe5cac0 npfgc-0 npfgccv
0 118 3 1 200 ffffaa00128e8980 rt_free rt_free
0 117 3 1 200 ffffaa00128e8540 unpgc unpgc
0 116 3 1 200 ffffaa00128e8100 key_timehandler key_timehandler
0 115 3 1 200 ffffaa00128de940 icmp6_wqinput/1 icmp6_wqinput
0 114 3 0 200 ffffaa00128de500 icmp6_wqinput/0 icmp6_wqinput
0 113 3 1 200 ffffaa00128de0c0 nd6_timer nd6_timer
0 112 3 1 200 ffffaa00128d6900 carp6_wqinput/1 carp6_wqinput
0 111 3 0 200 ffffaa00128d64c0 carp6_wqinput/0 carp6_wqinput
0 110 3 1 200 ffffaa00128d6080 carp_wqinput/1 carp_wqinput
0 109 3 0 200 ffffaa001275c8c0 carp_wqinput/0 carp_wqinput
0 108 3 1 200 ffffaa001275c480 icmp_wqinput/1 icmp_wqinput
0 107 3 0 200 ffffaa001275c040 icmp_wqinput/0 icmp_wqinput
0 106 3 0 200 ffffaa0012747b80 rt_timer rt_timer
0 105 3 1 200 ffffaa0012748bc0 vmem_rehash vmem_rehash
0 104 3 1 200 ffffaa0012748780 entbutler entropy
0 30 3 1 200 ffffaa00121626c0 vioif0_txrx/1 vioif0_txrx
0 29 3 0 200 ffffaa0012162280 vioif0_txrx/0 vioif0_txrx
0 27 3 0 200 ffffaa000fe5c680 scsibus0 sccomp
0 26 3 0 200 ffffaa000fe5c240 pms0 pmsreset
0 25 3 1 200 ffffaa000fd9da80 xcall/1 xcall
0 24 1 1 200 ffffaa000fd9d640 softser/1
0 23 1 1 200 ffffaa000fd9d200 softclk/1
0 22 1 1 200 ffffaa000fd9ba40 softbio/1
0 21 1 1 200 ffffaa000fd9b600 softnet/1
0 20 1 1 201 ffffaa000fd9b1c0 idle/1
0 19 3 0 200 ffffaa000e80aa00 lnxpwrwq lnxpwrwq
0 18 3 0 200 ffffaa000e80a5c0 lnxlngwq lnxlngwq
0 17 3 0 200 ffffaa000e80a180 lnxsyswq lnxsyswq
0 16 3 0 200 ffffaa000e8049c0 lnxrcugc lnxrcugc
0 15 3 0 200 ffffaa000e804580 sysmon smtaskq
0 14 3 0 200 ffffaa000e804140 pmfsuspend pmfsuspend
0 13 3 0 200 ffffaa000e7ff980 pmfevent pmfevent
0 12 3 0 200 ffffaa000e7ff540 sopendfree sopendfr
0 11 3 0 200 ffffaa000e7ff100 iflnkst iflnkst
0 10 3 0 200 ffffaa000e7f3940 nfssilly nfssilly
0 9 3 0 200 ffffaa000e7f3500 vdrain vdrain
0 8 3 0 200 ffffaa000e7f30c0 modunload mod_unld
0 7 2 0 200 ffffaa000e7e6900 xcall/0
0 6 1 0 200 ffffaa000e7e64c0 softser/0
0 5 1 0 200 ffffaa000e7e6080 softclk/0
0 4 1 0 200 ffffaa000e7e48c0 softbio/0
0 3 1 0 200 ffffaa000e7e4480 softnet/0
0 2 1 0 201 ffffaa000e7e4040 idle/0
0 0 3 0 200 ffffffff82ca3700 swapper uvm
[Locks tracked through LWPs]

****** LWP 1831.1831 (syz-executor.2) @ 0xffffaa0012c0ca40, l_stat=2

*** Locks held:

* Lock 0 (initialized at fork1)
lock address : 0xffffaa0013818bd0 type : sleep/adaptive
initialized : 0xffffffff816b76d8
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffffaa0012c0ca40 last held: 0xffffaa0012c0ca40
last locked* : 0xffffffff816b3fa4 unlocked : 000000000000000000
owner/count : 0xffffaa0012c0ca40 flags : 0x0000000000000004
Turnstile: no active turnstile for this lock.

* Lock 1 (initialized at pmap_ctor)
lock address : 0xffffaa001383a380 type : sleep/adaptive
initialized : 0xffffffff80870a87
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffffaa0012c0ca40 last held: 0xffffaa0012c0ca40
last locked* : 0xffffffff80876dfc unlocked : 0xffffffff80871480
owner field : 0xffffaa0012c0ca40 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

*** Locks wanted:

* Lock 0 (initialized at pool_init)
lock address : 0xffffffff82dca1b0 type : sleep/adaptive
initialized : 0xffffffff8175dd47
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 1
relevant cpu : 0 last held: 1
relevant lwp : 0xffffaa0012c0ca40 last held: 000000000000000000
last locked : 0xffffffff81760585 unlocked*: 0xffffffff8176064c
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

****** LWP 701.701 (syz-executor.4) @ 0xffffaa00147ee580, l_stat=3

*** Locks held:

* Lock 0 (initialized at vcache_alloc)
lock address : 0xffffaa00147d4f00 type : sleep/adaptive
initialized : 0xffffffff81823e43
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffaa00147ee580 last held: 0xffffaa00147ee580
last locked* : 0xffffffff81852c3f unlocked : 0xffffffff81852ca1
owner/count : 0xffffaa00147ee580 flags : 0x0000000000000004
Turnstile: no active turnstile for this lock.

* Lock 1 (initialized at vcache_alloc)
lock address : 0xffffaa00149ab700 type : sleep/adaptive
initialized : 0xffffffff81823e43
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffaa00147ee580 last held: 0xffffaa00147ee580
last locked* : 0xffffffff81852c3f unlocked : 000000000000000000
owner/count : 0xffffaa00147ee580 flags : 0x0000000000000004
Turnstile: no active turnstile for this lock.

*** Locks wanted: none

****** LWP 0.11 (iflnkst) @ 0xffffaa000e7ff100, l_stat=3

*** Locks held: none

*** Locks wanted:

* Lock 0 (initialized at module_hook_init)
lock address : 0xffffffff82d9bc40 type : sleep/adaptive
initialized : 0xffffffff816cf3f2
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffffaa000e7ff100 last held: 000000000000000000
last locked : 000000000000000000 unlocked*: 000000000000000000
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

****** LWP 0.5 (softclk/0) @ 0xffffaa000e7e6080, l_stat=1

*** Locks held: none

*** Locks wanted:

* Lock 0 (initialized at module_hook_init)
lock address : 0xffffffff82d9bc40 type : sleep/adaptive
initialized : 0xffffffff816cf3f2
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffffaa000e7e6080 last held: 000000000000000000
last locked : 000000000000000000 unlocked*: 000000000000000000
owner field : 000000000000000000 wait/spin: 0/0
Turnstile: no active turnstile for this lock.

[Locks tracked through CPUs]

******* Locks held on cpu1:

* Lock 0 (initialized at main)
lock address : 0xffffffff82d9bb40 type : spin
initialized : 0xffffffff81a24945
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffaa00147ee140 last held: 0xffffaa00147ee580
last locked* : 0xffffffff80262599 unlocked : 0xffffffff80860a0f
curcpu holds : 0 wanted by: 000000000000000000

* Lock 1 (initialized at vioscsi_attach)
lock address : 0xffffaa000fd4ba10 type : spin
initialized : 0xffffffff819b9806
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 1 last held: 1
relevant lwp : 0xffffaa00147ee140 last held: 0xffffaa00147ee580
last locked* : 0xffffffff819b8b8b unlocked : 0xffffffff819b89c7
owner field : 0x0000000000000600 wait/spin: 0/1

PAGE FLAG PQ UOBJECT UANON
0xffffaa0000017180 0041 00000000 0x0 0x0
0xffffaa0000017200 0041 00000000 0x0 0x0
0xffffaa0000017280 0041 00000000 0x0 0x0
0xffffaa0000017300 0041 00000000 0x0 0x0
0xffffaa0000017380 0041 00000000 0x0 0x0
0xffffaa0000017400 0041 00000000 0x0 0x0
0xffffaa0000017480 0041 00000000 0x0 0x0
0xffffaa0000017500 0041 00000000 0x0 0x0
0xffffaa0000017580 0041 00000000 0x0 0x0
0xffffaa0000017600 0041 00000000 0x0 0x0
0xffffaa0000017680 0041 00000000 0x0 0x0
0xffffaa0000017700 0041 00000000 0x0 0x0
0xffffaa0000017780 0041 00000000 0x0 0x0
0xffffaa0000017800 0041 00000000 0x0 0x0
0xffffaa0000017880 0041 00000000 0x0 0x0
0xffffaa0000017900 0041 00000000 0x0 0x0
0xffffaa0000017980 0041 00000000 0x0 0x0
0xffffaa0000017a00 0041 00000000 0x0 0x0
0xffffaa0000017a80 0041 00000000 0x0 0x0
0xffffaa0000017b00 0041 00000000 0x0 0x0
0xffffaa0000017b80 0041 00000000 0x0 0x0
0xffffaa0000017c00 0041 00000000 0x0 0x0
0xffffaa0000017c80 0041 00000000 0x0 0x0
0xffffaa0000017d00 0041 00000000 0x0 0x0
0xffffaa0000017d80 0041 00000000 0x0 0x0
0xffffaa0000017e00 0041 00000000 0x0 0x0
0xffffaa0000017e80 0041 00000000 0x0 0x0
0xffffaa0000017f00 0041 00000000 0x0 0x0
0xffffaa0000017f80 0041 00000000 0x0 0x0
0xffffaa0000018000 0041 00000000 0x0 0x0
0xffffaa0000018080 0041 00000000 0x0 0x0
0xffffaa0000018100 0041 00000000 0x0 0x0
0xffffaa0000018180 0041 00000000 0x0 0x0
0xffffaa0000018200 0041 00000000 0x0 0x0
0xffffaa0000018280 0041 00000000 0x0 0x0
0xffffaa0000018300 0041 00000000 0x0 0x0
0xffffaa0000018380 0041 00000000 0x0 0x0
0xffffaa0000018400 0041 00000000 0x0 0x0
0xffffaa0000018480 0041 00000000 0x0 0x0
0xffffaa0000018500 0041 00000000 0x0 0x0
0xffffaa0000018580 0041 00000000 0x0 0x0
0xffffaa0000018600 0041 00000000 0x0 0x0
0xffffaa0000018680 0041 00000000 0x0 0x0
0xffffaa0000018700 0041 00000000 0x0 0x0
0xffffaa0000018780 0041 00000000 0x0 0x0
0xffffaa0000018800 0041 00000000 0x0 0x0
0xffffaa0000018880 0041 00000000 0x0 0x0
0xffffaa0000018900 0041 00000000 0x0 0x0
0xffffaa0000018980 0041 00000000 0x0 0x0
0xffffaa0000018a00 0041 00000000 0x0 0x0
0xffffaa0000018a80 0041 00000000 0x0 0x0
0xffffaa0000018b00 0041 00000000 0x0 0x0
0xffffaa0000018b80 0041 00000000 0x0 0x0
0xffffaa0000018c00 0041 00000000 0x0 0x0
0xffffaa0000018c80 0041 00000000 0x0 0x0
0xffffaa0000018d00 0041 00000000 0x0 0x0
0xffffaa0000018d80 0041 00000000 0x0 0x0
0xffffaa0000018e00 0041 00000000 0x0 0x0
0xffffaa0000018e80 0041 00000000 0x0 0x0
0xffffaa0000018f00 0041 00000000 0x0 0x0
0xffffaa0000018f80 0041 00000000 0x0 0x0
0xffffaa0000019000 0041 00000000 0x0 0x0
0xffffaa0000019080 0041 00000000 0x0 0x0
0xffffaa0000019100 0041 00000000 0x0 0x0
0xffffaa0000019180 0041 00000000 0x0 0x0
0xffffaa0000019200 0041 00000000 0x0 0x0
0xffffaa0000019280 0041 00000000 0x0 0x0
0xffffaa0000019300 0041 00000000 0x0 0x0
0xffffaa0000019380 0041 00000000 0x0 0x0
0xffffaa0000019400 0041 00000000 0x0 0x0
0xffffaa0000019480 0041 00000000 0x0 0x0
0xffffaa0000019500 0041 00000000 0x0 0x0
0xffffaa0000019580 0041 00000000 0x0 0x0
0xffffaa0000019600 0041 00000000 0x0 0x0
0xffffaa0000019680 0041 00000000 0x0 0x0
0xffffaa0000019700 0041 00000000 0x0 0x0
0xffffaa0000019780 0041 00000000 0x0 0x0
0xffffaa0000019800 0041 00000000 0x0 0x0
0xffffaa0000019880 0041 00000000 0x0 0x0
0xffffaa0000019900 0041 00000000 0x0 0x0
0xffffaa0000019980 0041 00000000 0x0 0x0
0xffffaa0000019a00 0041 00000000 0x0 0x0
0xffffaa0000019a80 0041 00000000 0x0 0x0
0xffffaa0000019b00 0041 00000000 0x0 0x0
0xffffaa0000019b80 0041 00000000 0x0 0x0
0xffffaa0000019c00 0041 00000000 0x0 0x0
0xffffaa0000019c80 0041 00000000 0x0 0x0
0xffffaa0000019d00 0041 00000000 0x0 0x0
0xffffaa0000019d80 0041 00000000 0x0 0x0
0xffffaa0000019e00 0041 00000000 0x0 0x0
0xffffaa0000019e80 0041 00000000 0x0 0x0
0xffffaa0000019f00 0041 00000000 0x0 0x0
0xffffaa0000019f80 0041 00000000 0x0 0x0
0xffffaa000001a000 0041 00000000 0x0 0x0
0xffffaa000001a080 0041 00000000 0x0 0x0
0xffffaa000001a100 0041 00000000 0x0 0x0
0xffffaa000001a180 0041 00000000 0x0 0x0
0xffffaa000001a200 0041 00000000 0x0 0x0
0xffffaa000001a280 0041 00000000 0x0 0x0
0xffffaa000001a300 0041 00000000 0x0 0x0
0xffffaa000001a380 0041 00000000 0x0 0x0
0xffffaa000001a400 0041 00000000 0x0 0x0
0xffffaa000001a480 0041 00000000 0x0 0x0
0xffffaa000001a500 0041 00000000 0x0 0x0
0xffffaa000001a580 0041 00000000 0x0 0x0
0xffffaa000001a600 0041 00000000 0x0 0x0
0xffffaa000001a680 0041 00000000 0x0 0x0
0xffffaa000001a700 0041 00000000 0x0 0x0
0xffffaa000001a780 0041 00000000 0x0 0x0
0xffffaa000001a800 0041 00000000 0x0 0x0
0xffffaa000001a880 0041 00000000 0x0 0x0
0xffffaa000001a900 0041 00000000 0x0 0x0
0xffffaa000001a980 0041 00000000 0x0 0x0
0xffffaa000001aa00 0041 00000000 0x0 0x0
0xffffaa000001aa80 0041 00000000 0x0 0x0
0xffffaa000001ab00 0041 00000000 0x0 0x0
0xffffaa000001ab80 0041 00000000 0x0 0x0
0xffffaa000001ac00 0041 00000000 0x0 0x0
0xffffaa000001ac80 0041 00000000 0x0 0x0
0xffffaa000001ad00 0041 00000000 0x0 0x0
0xffffaa000001ad80 0041 00000000 0x0 0x0
0xffffaa000001ae00 0041 00000000 0x0 0x0
0xffffaa000001ae80 0041 00000000 0x0 0x0
0xffffaa000001af00 0041 00000000 0x0 0x0
0xffffaa000001af80 0041 00000000 0x0 0x0
0xffffaa000001b000 0041 00000000 0x0 0x0
0xffffaa000001b080 0041 00000000 0x0 0x0
0xffffaa000001b100 0041 00000000 0x0 0x0
0xffffaa000001b180 0041 00000000 0x0 0x0
0xffffaa000001b200 0041 00000000 0x0 0x0
0xffffaa000001b280 0041 00000000 0x0 0x0
0xffffaa000001b300 0041 00000000 0x0 0x0
0xffffaa000001b380 0041 00000000 0x0 0x0
0xffffaa000001b400 0041 00000000 0x0 0x0
0xffffaa000001b480 0041 00000000 0x0 0x0
0xffffaa000001b500 0041 00000000 0x0 0x0
0xffffaa000001b580 0041 00000000 0x0 0x0
0xffffaa000001b600 0041 00000000 0x0 0x0
0xffffaa000001b680 0041 00000000 0x0 0x0
0xffffaa000001b700 0041 00000000 0x0 0x0
0xffffaa000001b780 0041 00000000 0x0 0x0
0xffffaa000001b800 0041 00000000 0x0 0x0
0xffffaa000001b880 0041 00000000 0x0 0x0
0xffffaa000001b900 0041 00000000 0x0 0x0
0xffffaa000001b980 0041 00000000 0x0 0x0
0xffffaa000001ba00 0041 00000000 0x0 0x0
0xffffaa000001ba80 0041 00000000 0x0 0x0
0xffffaa000001bb00 0041 00000000 0x0 0x0
0xffffaa000001bb80 0041 00000000 0x0 0x0
0xffffaa000001bc00 0041 00000000 0x0 0x0
0xffffaa000001bc80 0041 00000000 0x0 0x0
0xffffaa000001bd00 0041 00000000 0x0 0x0
0xffffaa000001bd80 0041 00000000 0x0 0x0
0xffffaa000001be00 0041 00000000 0x0 0x0
0xffffaa000001be80 0041 00000000 0x0 0x0
0xffffaa000001bf00 0041 00000000 0x0 0x0
0xffffaa000001bf80 0041 00000000 0x0 0x0
0xffffaa000001c000 0041 00000000 0x0 0x0
0xffffaa000001c080 0041 00000000 0x0 0x0
0xffffaa000001c100 0041 00000000 0x0 0x0
0xffffaa000001c180 0041 00000000 0x0 0x0
0xffffaa000001c200 0045 00000000 0x0 0x0
0xffffaa000001c280 0041 00000000 0x0 0x0
0xffffaa000001c300 0041 00000000 0x0 0x0
0xffffaa000001c380 0041 00000000 0x0 0x0
0xffffaa000001c400 0041 00000000 0x0 0x0
0xffffaa000001c480 0041 00000000 0x0 0x0
0xffffaa000001c500 0041 00000000 0x0 0x0
0xffffaa000001c580 0041 00000000 0x0 0x0
0xffffaa000001c600 0045 00000000 0x0 0x0
0xffffaa000001c680 0041 00000000 0x0 0x0
0xffffaa000001c700 0041 00000000 0x0 0x0
0xffffaa000001c780 0041 00000000 0x0 0x0
0xffffaa000001c800 0041 00000000 0x0 0x0
0xffffaa000001c880 0041 00000000 0x0 0x0
0xffffaa000001c900 0041 00000000 0x0 0x0
0xffffaa000001c980 0045 00000000 0x0 0x0
0xffffaa000001ca00 0041 00000000 0x0 0x0
0xffffaa000001ca80 0041 00000000 0x0 0x0
0xffffaa000001cb00 0045 00000000 0x0 0x0
0xffffaa000001cb80 0045 00000000 0x0 0x0
0xffffaa000001cc00 0045 00000000 0x0 0x0
0xffffaa000001cc80 0045 00000000 0x0 0x0
0xffffaa000001cd00 0045 00000000 0x0 0x0
0xffffaa000001cd80 0045 00000000 0x0 0x0
0xffffaa000001ce00 0041 00000000 0x0 0x0
0xffffaa000001ce80 0045 00000000 0x0 0x0
0xffffaa000001cf00 0045 00000000 0x0 0x0
0xffffaa000001cf80 0045 00000000 0x0 0x0
0xffffaa000001d000 0045 00000000 0x0 0x0
0xffffaa000001d080 0045 00000000 0x0 0x0
0xffffaa000001d100 0045 00000000 0x0 0x0
0xffffaa000001d180 0041 00000000 0x0 0x0
0xffffaa000001d200 0041 00000000 0x0 0x0
0xffffaa000001d280 0045 00000000 0x0 0x0
0xffffaa000001d300 0041 00000000 0x0 0x0
0xffffaa000001d380 0041 00000000 0x0 0x0
0xffffaa000001d400 0041 00000000 0x0 0x0
0xffffaa000001d480 0041 00000000 0x0 0x0
0xffffaa000001d500 0041 00000000 0x0 0x0
0xffffaa000001d580 0041 00000000 0x0 0x0
0xffffaa000001d600 0041 00000000 0x0 0x0
0xffffaa000001d680 0041 00000000 0x0 0x0
0xffffaa000001d700 0041 00000000 0x0 0x0
0xffffaa000001d780 0041 00000000 0x0 0x0
0xffffaa000001d800 0041 00000000 0x0 0x0
0xffffaa000001d880 0041 00000000 0x0 0x0
0xffffaa000001d900 0041 00000000 0x0 0x0
0xffffaa000001d980 0041 00000000 0x0 0x0
0xffffaa000001da00 0041 00000000 0x0 0x0
0xffffaa000001da80 0041 00000000 0x0 0x0
0xffffaa000001db00 0041 00000000 0x0 0x0
0xffffaa000001db80 0041 00000000 0x0 0x0
0xffffaa000001dc00 0041 00000000 0x0 0x0
0xffffaa000001dc80 0041 00000000 0x0 0x0
0xffffaa000001dd00 0041 00000000 0x0 0x0
0xffffaa000001dd80 0041 00000000 0x0 0x0
0xffffaa000001de00 0041 00000000 0x0 0x0
0xffffaa000001de80 0041 00000000 0x0 0x0
0xffffaa000001df00 0041 00000000 0x0 0x0
0xffffaa000001df80 0041 00000000 0x0 0x0
0xffffaa000001e000 0041 00000000 0x0 0x0
0xffffaa000001e080 0041 00000000 0x0 0x0
0xffffaa000001e100 0041 00000000 0x0 0x0
0xffffaa000001e180 0041 00000000 0x0 0x0
0xffffaa000001e200 0041 00000000 0x0 0x0
0xffffaa000001e280 0041 00000000 0x0 0x0
0xffffaa000001e300 0041 00000000 0x0 0x0
0xffffaa000001e380 0041 00000000 0x0 0x0
0xffffaa000001e400 0041 00000000 0x0 0x0
0xffffaa000001e480 0041 00000000 0x0 0x0
0xffffaa000001e500 0041 00000000 0x0 0x0
0xffffaa000001e580 0041 00000000 0x0 0x0
0xffffaa000001e600 0041 00000000 0x0 0x0
0xffffaa000001e680 0041 00000000 0x0 0x0
0xffffaa000001e700 0041 00000000 0x0 0x0
0xffffaa000001e780 0041 00000000 0x0 0x0
0xffffaa000001e800 0041 00000000 0x0 0x0
0xffffaa000001e880 0041 00000000 0x0 0x0
0xffffaa000001e900 0041 00000000 0x0 0x0
0xffffaa000001e980 0041 00000000 0x0 0x0
0xffffaa000001ea00 0041 00000000 0x0 0x0
0xffffaa000001ea80 0041 00000000 0x0 0x0
0xffffaa000001eb00 0041 00000000 0x0 0x0
0xffffaa000001eb80 0041 00000000 0x0 0x0
0xffffaa000001ec00 0041 00000000 0x0 0x0
0xffffaa000001ec80 0041 00000000 0x0 0x0
0xffffaa000001ed00 0041 00000000 0x0 0x0
0xffffaa000001ed80 0041 00000000 0x0 0x0
0xffffaa000001ee00 0041 00000000 0x0 0x0
0xffffaa000001ee80 0041 00000000 0x0 0x0
0xffffaa000001ef00 0041 00000000 0x0 0x0
0xffffaa000001ef80 0041 00000000 0x0 0x0
0xffffaa000001f000 0041 00000000 0x0 0x0
0xffffaa000001f080 0041 00000000 0x0 0x0
0xffffaa000001f100 0041 00000000 0x0 0x0
0xffffaa000001f180 0041 00000000 0x0 0x0
0xffffaa000001f200 0041 00000000 0x0 0x0
0xffffaa000001f280 0041 00000000 0x0 0x0
0xffffaa000001f300 0041 00000000 0x0 0x0
0xffffaa000001f380 0041 00000000 0x0 0x0
0xffffaa000001f400 0041 00000000 0x0 0x0
0xffffaa000001f480 0041 00000000 0x0 0x0
0xffffaa000001f500 0041 00000000 0x0 0x0
0xffffaa000001f580 0041 00000000 0x0 0x0
0xffffaa000001f600 0041 00000000 0x0 0x0
0xffffaa000001f680 0041 00000000 0x0 0x0
0xffffaa000001f700 0041 00000000 0x0 0x0
0xffffaa000001f780 0041 00000000 0x0 0x0
0xffffaa000001f800 0041 00000000 0x0 0x0
0xffffaa000001f880 0041 00000000 0x0 0x0
0xffffaa000001f900 0041 00000000 0x0 0x0
0xffffaa000001f980 0041 00000000 0x0 0x0
0xffffaa000001fa00 0041 00000000 0x0 0x0
0xffffaa000001fa80 0041 00000000 0x0 0x0
0xffffaa000001fb00 0041 00000000 0x0 0x0
0xffffaa000001fb80 0041 00000000 0x0 0x0
0xffffaa000001fc00 0041 00000000 0x0 0x0
0xffffaa000001fc80 0041 00000000 0x0 0x0
0xffffaa000001fd00 0041 00000000 0x0 0x0
0xffffaa000001fd80 0041 00000000 0x0 0x0
0xffffaa000001fe00 0041 00000000 0x0 0x0
0xffffaa000001fe80 0041 00000000 0x0 0x0
0xffffaa000001ff00 0041 00000000 0x0 0x0
0xffffaa000001ff80 0041 00000000 0x0 0x0
0xffffaa0000020000 0041 00000000 0x0 0x0
0xffffaa0000020080 0041 00000000 0x0 0x0
0xffffaa0000020100 0041 00000000 0x0 0x0
0xffffaa0000020180 0041 00000000 0x0 0x0
0xffffaa0000020200 0041 00000000 0x0 0x0
0xffffaa0000020280 0041 00000000 0x0 0x0
0xffffaa0000020300 0041 00000000 0x0 0x0
0xffffaa0000020380 0041 00000000 0x0 0x0
0xffffaa0000020400 0041 00000000 0x0 0x0
0xffffaa0000020480 0041 00000000 0x0 0x0
0xffffaa0000020500 0041 00000000 0x0 0x0
0xffffaa0000020580 0041 00000000 0x0 0x0
0xffffaa0000020600 0041 00000000 0x0 0x0
0xffffaa0000020680 0041 00000000 0x0 0x0
0xffffaa0000020700 0041 00000000 0x0 0x0
0xffffaa0000020780 0041 00000000 0x0 0x0
0xffffaa0000020800 0041 00000000 0x0 0x0
0xffffaa0000020880 0041 00000000 0x0 0x0
0xffffaa0000020900 0041 00000000 0x0 0x0
0xffffaa0000020980 0041 00000000 0x0 0x0
0xffffaa0000020a00 0041 00000000 0x0 0x0
0xffffaa0000020a80 0041 00000000 0x0 0x0
0xffffaa0000020b00 0041 00000000 0x0 0x0
0xffffaa0000020b80 0041 00000000 0x0 0x0
0xffffaa0000020c00 0041 00000000 0x0 0x0
0xffffaa0000020c80 0041 00000000 0x0 0x0
0xffffaa0000020d00 0041 00000000 0x0 0x0
0xffffaa0000020d80 0041 00000000 0x0 0x0
0xffffaa0000020e00 0041 00000000 0x0 0x0
0xffffaa0000020e80 0041 00000000 0x0 0x0
0xffffaa0000020f00 0041 00000000 0x0 0x0
0xffffaa0000020f80 0041 00000000 0x0 0x0
0xffffaa0000021000 0041 00000000 0x0 0x0
0xffffaa0000021080 0041 00000000 0x0 0x0
0xffffaa0000021100 0041 00000000 0x0 0x0
0xffffaa0000021180 0041 00000000 0x0 0x0
0xffffaa0000021200 0041 00000000 0x0 0x0
0xffffaa0000021280 0041 00000000 0x0 0x0
0xffffaa0000021300 0041 00000000 0x0 0x0
0xffffaa0000021380 0041 00000000 0x0 0x0
0xffffaa0000021400 0041 00000000 0x0 0x0
0xffffaa0000021480 0041 00000000 0x0 0x0
0xffffaa0000021500 0041 00000000 0x0 0x0
0xffffaa0000021580 0041 00000000 0x0 0x0
0xffffaa0000021600 0041 00000000 0x0 0x0
0xffffaa0000021680 0041 00000000 0x0 0x0
0xffffaa0000021700 0041 00000000 0x0 0x0
0xffffaa0000021780 0041 00000000 0x0 0x0
0xffffaa0000021800 0041 00000000 0x0 0x0
0xffffaa0000021880 0041 00000000 0x0 0x0
0xffffaa0000021900 0041 00000000 0x0 0x0
0xffffaa0000021980 0041 00000000 0x0 0x0
0xffffaa0000021a00 0041 00000000 0x0 0x0
0xffffaa0000021a80 0041 00000000 0x0 0x0
0xffffaa0000021b00 0041 00000000 0x0 0x0
0xffffaa0000021b80 0041 00000000 0x0 0x0
0xffffaa0000021c00 0041 00000000 0x0 0x0
0xffffaa0000021c80 0041 00000000 0x0 0x0
0xffffaa0000021d00 0041 00000000 0x0 0x0
0xffffaa0000021d80 0041 00000000 0x0 0x0
0xffffaa0000021e00 0041 00000000 0x0 0x0
0xffffaa0000021e80 0041 00000000 0x0 0x0
0xffffaa0000021f00 0041 00000000 0x0 0x0
0xffffaa0000021f80 0041 00000000 0x0 0x0
0xffffaa0000022000 0041 00000000 0x0 0x0
0xffffaa0000022080 0041 00000000 0x0 0x0
0xffffaa0000022100 0041 00000000 0x0 0x0
0xffffaa0000022180 0041 00000000 0x0 0x0
0xffffaa0000022200 0041 00000000 0x0 0x0
0xffffaa0000022280 0041 00000000 0x0 0x0
0xffffaa0000022300 0041 00000000 0x0 0x0
0xffffaa0000022380 0041 00000000 0x0 0x0
0xffffaa0000022400 0041 00000000 0x0 0x0
0xffffaa0000022480 0041 00000000 0x0 0x0
0xffffaa0000022500 0041 00000000 0x0 0x0
0xffffaa0000022580 0041 00000000 0x0 0x0
0xffffaa0000022600 0041 00000000 0x0 0x0
0xffffaa0000022680 0041 00000000 0x0 0x0
0xffffaa0000022700 0041 00000000 0x0 0x0
0xffffaa0000022780 0041 00000000 0x0 0x0
0xffffaa0000022800 0041 00000000 0x0 0x0
0xffffaa0000022880 0041 00000000 0x0 0x0
0xffffaa0000022900 0041 00000000 0x0 0x0
0xffffaa0000022980 0041 00000000 0x0 0x0
0xffffaa0000022a00 0041 00000000 0x0 0x0
0xffffaa0000022a80 0041 00000000 0x0 0x0
0xffffaa0000022b00 0041 00000000 0x0 0x0
0xffffaa0000022b80 0041 00000000 0x0 0x0
0xffffaa0000022c00 0041 00000000 0x0 0x0
0xffffaa0000022c80 0041 00000000 0x0 0x0
0xffffaa0000022d00 0041 00000000 0x0 0x0
0xffffaa0000022d80 0041 00000000 0x0 0x0
0xffffaa0000022e00 0041 00000000 0x0 0x0
0xffffaa0000022e80 0041 00000000 0x0 0x0
0xffffaa0000022f00 0041 00000000 0x0 0x0
0xffffaa0000022f80 0041 00000000 0x0 0x0
0xffffaa0000023000 0041 00000000 0x0 0x0
0xffffaa0000023080 0041 00000000 0x0 0x0
0xffffaa0000023100 0041 00000000 0x0 0x0
0xffffaa0000023180 0041 00000000 0x0 0x0
0xffffaa0000023200 0041 00000000 0x0 0x0
0xffffaa0000023280 0041 00000000 0x0 0x0
0xffffaa0000023300 0041 00000000 0x0 0x0
0xffffaa0000023380 0041 00000000 0x0 0x0
0xffffaa0000023400 0041 00000000 0x0 0x0
0xffffaa0000023480 0041 00000000 0x0 0x0
0xffffaa0000023500 0041 00000000 0x0 0x0
0xffffaa0000023580 0041 00000000 0x0 0x0
0xffffaa0000023600 0041 00000000 0x0 0x0
0xffffaa0000023680 0041 00000000 0x0 0x0
0xffffaa0000023700 0041 00000000 0x0 0x0
0xffffaa0000023780 0041 00000000 0x0 0x0
0xffffaa0000023800 0041 00000000 0x0 0x0
0xffffaa0000023880 0041 00000000 0x0 0x0
0xffffaa0000023900 0041 00000000 0x0 0x0
0xffffaa0000023980 0041 00000000 0x0 0x0
0xffffaa0000023a00 0041 00000000 0x0 0x0
0xffffaa0000023a80 0041 00000000 0x0 0x0
0xffffaa0000023b00 0041 00000000 0x0 0x0
0xffffaa0000023b80 0041 00000000 0x0 0x0
0xffffaa0000023c00 0041 00000000 0x0 0x0
0xffffaa0000023c80 0041 00000000 0x0 0x0
0xffffaa0000023d00 0041 00000000 0x0 0x0
0xffffaa0000023d80 0041 00000000 0x0 0x0
0xffffaa0000023e00 0041 00000000 0x0 0x0
0xffffaa0000023e80 0041 00000000 0x0 0x0
0xffffaa0000023f00 0041 00000000 0x0 0x0
0xffffaa0000023f80 0041 00000000 0x0 0x0
0xffffaa0000024000 0041 00000000 0x0 0x0
0xffffaa0000024080 0041 00000000 0x0 0x0
0xffffaa0000024100 0041 00000000 0x0 0x0
0xffffaa0000024180 0041 00000000 0x0 0x0
0xffffaa0000024200 0041 00000000 0x0 0x0
0xffffaa0000024280 0041 00000000 0x0 0x0
0xffffaa0000024300 0041 00000000 0x0 0x0
0xffffaa0000024380 0041 00000000 0x0 0x0
0xffffaa0000024400 0041 00000000 0x0 0x0
0xffffaa0000024480 0041 00000000 0x0 0x0
0xffffaa0000024500 0041 00000000 0x0 0x0
0xffffaa0000024580 0041 00000000 0x0 0x0
0xffffaa0000024600 0041 00000000 0x0 0x0
0xffffaa0000024680 0041 00000000 0x0 0x0
0xffffaa0000024700 0041 00000000 0x0 0x0
0xffffaa0000024780 0041 00000000 0x0 0x0
0xffffaa0000024800 0041 00000000 0x0 0x0
0xffffaa0000024880 0041 00000000 0x0 0x0
0xffffaa0000024900 0041 00000000 0x0 0x0
0xffffaa0000024980 0041 00000000 0x0 0x0
0xffffaa0000024a00 0041 00000000 0x0 0x0
0xffffaa0000024a80 0041 00000000 0x0 0x0
0xffffaa0000024b00 0041 00000000 0x0 0x0
0xffffaa0000024b80 0041 00000000 0x0 0x0
0xffffaa0000024c00 0041 00000000 0x0 0x0
0xffffaa0000024c80 0041 00000000 0x0 0x0
0xffffaa0000024d00 0041 00000000 0x0 0x0
0xffffaa0000024d80 0041 00000000 0x0 0x0
0xffffaa0000024e00 0041 00000000 0x0 0x0
0xffffaa0000024e80 0041 00000000 0x0 0x0
0xffffaa0000024f00 0041 00000000 0x0 0x0
0xffffaa0000024f80 0041 00000000 0x0 0x0
0xffffaa0000025000 0041 00000000 0x0 0x0
0xffffaa0000025080 0041 00000000 0x0 0x0
0xffffaa0000025100 0041 00000000 0x0 0x0
0xffffaa0000025180 0041 00000000 0x0 0x0
0xffffaa0000025200 0041 00000000 0x0 0x0
0xffffaa0000025280 0041 00000000 0x0 0x0
0xffffaa0000025300 0041 00000000 0x0 0x0
0xffffaa0000025380 0041 00000000 0x0 0x0
0xffffaa0000025400 0041 00000000 0x0 0x0
0xffffaa0000025480 0041 00000000 0x0 0x0
0xffffaa0000025500 0041 00000000 0x0 0x0
0xffffaa0000025580 0041 00000000 0x0 0x0
0xffffaa0000025600 0041 00000000 0x0 0x0
0xffffaa0000025680 0041 00000000 0x0 0x0
0xffffaa0000025700 0041 00000000 0x0 0x0
0xffffaa0000025780 0041 00000000 0x0 0x0
0xffffaa0000025800 0041 00000000 0x0 0x0
0xffffaa0000025880 0041 00000000 0x0 0x0
0xffffaa0000025900 0041 00000000 0x0 0x0
0xffffaa0000025980 0041 00000000 0x0 0x0
0xffffaa0000025a00 0041 00000000 0x0 0x0
0xffffaa0000025a80 0041 00000000 0x0 0x0
0xffffaa0000025b00 0041 00000000 0x0 0x0
0xffffaa0000025b80 0041 00000000 0x0 0x0
0xffffaa0000025c00 0041 00000000 0x0 0x0
0xffffaa0000025c80 0041 00000000 0x0 0x0
0xffffaa0000025d00 0041 00000000 0x0 0x0
0xffffaa0000025d80 0041 00000000 0x0 0x0
0xffffaa0000025e00 0041 00000000 0x0 0x0
0xffffaa0000025e80 0041 00000000 0x0 0x0
0xffffaa0000025f00 0041 00000000 0x0 0x0
0xffffaa0000025f80 0041 00000000 0x0 0x0
0xffffaa0000026000 0041 00000000 0x0 0x0
0xffffaa0000026080 0041 00000000 0x0 0x0
0xffffaa0000026100 0041 00000000 0x0 0x0
0xffffaa0000026180 0041 00000000 0x0 0x0
0xffffaa0000026200 0041 00000000 0x0 0x0
0xffffaa0000026280 0041 00000000 0x0 0x0
0xffffaa0000026300 0041 00000000 0x0 0x0
0xffffaa0000026380 0041 00000000 0x0 0x0
0xffffaa0000026400 0041 00000000 0x0 0x0
0xffffaa0000026480 0041 00000000 0x0 0x0
0xffffaa0000026500 0041 00000000 0x0 0x0
0xffffaa0000026580 0041 00000000 0x0 0x0
0xffffaa0000026600 0041 00000000 0x0 0x0
0xffffaa0000026680 0041 00000000 0x0 0x0
0xffffaa0000026700 0041 00000000 0x0 0x0
0xffffaa0000026780 0041 00000000 0x0 0x0
0xffffaa0000026800 0041 00000000 0x0 0x0
0xffffaa0000026880 0041 00000000 0x0 0x0
0xffffaa0000026900 0041 00000000 0x0 0x0
0xffffaa0000026980 0041 00000000 0x0 0x0
0xffffaa0000026a00 0001 00000000 0x0 0x0
0xffffaa0000026a80 0001 00000000 0x0 0x0
0xffffaa0000026b00 0001 00000000 0x0 0x0
0xffffaa0000026b80 0001 00000000 0x0 0x0
0xffffaa0000026c00 0001 00000000 0x0 0x0
0xffffaa0000026c80 0001 00000000 0x0 0x0
0xffffaa0000026d00 0001 00000000 0x0 0x0
0xffffaa0000026d80 0001 00000000 0x0 0x0
0xffffaa0000026e00 0001 00000000 0x0 0x0
0xffffaa0000026e80 0001 00000000 0x0 0x0
0xffffaa0000026f00 0001 00000000 0x0 0x0
0xffffaa0000026f80 0001 00000000 0x0 0x0
0xffffaa0000027000 0001 00000000 0x0 0x0
0xffffaa0000027080 0001 00000000 0x0 0x0
0xffffaa0000027100 0001 00000000 0x0 0x0
0xffffaa0000027180 0001 00000000 0x0 0x0
0xffffaa0000027200 0001 00000000 0x0 0x0
0xffffaa0000027280 0001 00000000 0x0 0x0
0xffffaa0000027300 0001 00000000 0x0 0x0
0xffffaa0000027380 0001 00000000 0x0 0x0
0xffffaa0000027400 0001 00000000 0x0 0x0
0xffffaa0000027480 0001 00000000 0x0 0x0
0xffffaa0000027500 0001 00000000 0x0 0x0
0xffffaa0000027580 0001 00000000 0x0 0x0
0xffffaa0000027600 0001 00000000 0x0 0x0
0xffffaa0000027680 0001 00000000 0x0 0x0
0xffffaa0000027700 0001 00000000 0x0 0x0
0xffffaa0000027780 0001 00000000 0x0 0x0
0xffffaa0000027800 0001 00000000 0x0 0x0
0xffffaa0000027880 0001 00000000 0x0 0x0
0xffffaa0000027900 0001 00000000 0x0 0x0
0xffffaa0000027980 0001 00000000 0x0 0x0
0xffffaa0000027a00 0001 00000000 0x0 0x0
0xffffaa0000027a80 0001 00000000 0x0 0x0
0xffffaa0000027b00 0001 00000000 0x0 0x0
0xffffaa0000027b80 0001 00000000 0x0 0x0
0xffffaa0000027c00 0001 00000000 0x0 0x0
0xffffaa0000027c80 0001 00000000 0x0 0x0
0xffffaa0000027d00 0001 00000000 0x0 0x0
0xffffaa0000027d80 0001 00000000 0x0 0x0
0xffffaa0000027e00 0001 00000000 0x0 0x0
0xffffaa0000027e80 0001 00000000 0x0 0x0
0xffffaa0000027f00 0001 00000000 0x0 0x0
0xffffaa0000027f80 0001 00000000 0x0 0x0
0xffffaa0000028000 0001 00000000 0x0 0x0
0xffffaa0000028080 0001 00000000 0x0 0x0
0xffffaa0000028100 0001 00000000 0x0 0x0
0xffffaa0000028180 0001 00000000 0x0 0x0
0xffffaa0000028200 0001 00000000 0x0 0x0
0xffffaa0000028280 0001 00000000 0x0 0x0
0xffffaa0000028300 0001 00000000 0x0 0x0
0xffffaa0000028380 0001 00000000 0x0 0x0
0xffffaa0000028400 0001 00000000 0x0 0x0
0xffffaa0000028480 0001 00000000 0x0 0x0
0xffffaa0000028500 0001 00000000 0x0 0x0
0xffffaa0000028580 0001 00000000 0x0 0x0
0xffffaa0000028600 0001 00000000 0x0 0x0
0xffffaa0000028680 0001 00000000 0x0 0x0
0xffffaa0000028700 0001 00000000 0x0 0x0
0xffffaa0000028780 0001 00000000 0x0 0x0
0xffffaa0000028800 0001 00000000 0x0 0x0
0xffffaa0000028880 0001 00000000 0x0 0x0
0xffffaa0000028900 0001 00000000 0x0 0x0
0xffffaa0000028980 0001 00000000 0x0 0x0
0xffffaa0000028a00 0001 00000000 0x0 0x0
0xffffaa0000028a80 0001 00000000 0x0 0x0
0xffffaa0000028b00 0001 00000000 0x0 0x0
0xffffaa0000028b80 0001 00000000 0x0 0x0
0xffffaa0000028c00 0001 00000000 0x0 0x0
0xffffaa0000028c80 0001 00000000 0x0 0x0
0xffffaa0000028d00 0001 00000000 0x0 0x0
0xffffaa0000028d80 0001 00000000 0x0 0x0
0xffffaa0000028e00 0001 00000000 0x0 0x0
0xffffaa0000028e80 0001 00000000 0x0 0x0
0xffffaa0000028f00 0001 00000000 0x0 0x0
0xffffaa0000028f80 0001 00000000 0x0 0x0
0xffffaa0000029000 0001 00000000 0x0 0x0
0xffffaa0000029080 0001 00000000 0x0 0x0
0xffffaa0000029100 0001 00000000 0x0 0x0
0xffffaa0000029180 0001 00000000 0x0 0x0
0xffffaa0000029200 0001 00000000 0x0 0x0
0xffffaa0000029280 0001 00000000 0x0 0x0
0xffffaa0000029300 0001 00000000 0x0 0x0
0xffffaa0000029380 0001 00000000 0x0 0x0
0xffffaa0000029400 0001 00000000 0x0 0x0
0xffffaa0000029480 0001 00000000 0x0 0x0
0xffffaa0000029500 0001 00000000 0x0 0x0
0xffffaa0000029580 0001 00000000 0x0 0x0
0xffffaa0000029600 0001 00000000 0x0 0x0
0xffffaa0000029680 0001 00000000 0x0 0x0
0xffffaa0000029700 0001 00000000 0x0 0x0
0xffffaa0000029780 0001 00000000 0x0 0x0
0xffffaa0000029800 0001 00000000 0x0 0x0
0xffffaa0000029880 0001 00000000 0x0 0x0
0xffffaa0000029900 0001 00000000 0x0 0x0
0xffffaa0000029980 0001 00000000 0x0 0x0
0xffffaa0000029a00 0001 00000000 0x0 0x0
0xffffaa0000029a80 0001 00000000 0x0 0x0
0xffffaa0000029b00 0001 00000000 0x0 0x0
0xffffaa0000029b80 0001 00000000 0x0 0x0
0xffffaa0000029c00 0001 00000000 0x0 0x0
0xffffaa0000029c80 0001 00000000 0x0 0x0
0xffffaa0000029d00 0001 00000000 0x0 0x0
0xffffaa0000029d80 0001 00000000 0x0 0x0
0xffffaa0000029e00 0001 00000000 0x0 0x0
0xffffaa0000029e80 0001 00000000 0x0 0x0
0xffffaa0000029f00 0001 00000000 0x0 0x0
0xffffaa0000029f80 0001 00000000 0x0 0x0
0xffffaa000002a000 0001 00000000 0x0 0x0
0xffffaa000002a080 0001 00000000 0x0 0x0
0xffffaa000002a100 0001 00000000 0x0 0x0
0xffffaa000002a180 0001 00000000 0x0 0x0
0xffffaa000002a200 0001 00000000 0x0 0x0
0xffffaa000002a280 0001 00000000 0x0 0x0
0xffffaa000002a300 0001 00000000 0x0 0x0
0xffffaa000002a380 0001 00000000 0x0 0x0
0xffffaa000002a400 0001 00000000 0x0 0x0
0xffffaa000002a480 0001 00000000 0x0 0x0
0xffffaa000002a500 0001 00000000 0x0 0x0
0xffffaa000002a580 0001 00000000 0x0 0x0
0xffffaa000002a600 0001 00000000 0x0 0x0
0xffffaa000002a680 0001 00000000 0x0 0x0
0xffffaa000002a700 0001 00000000 0x0 0x0
0xffffaa000002a780 0001 00000000 0x0 0x0
0xffffaa000002a800 0001 00000000 0x0 0x0
0xffffaa000002a880 0001 00000000 0x0 0x0
0xffffaa000002a900 0001 00000000 0x0 0x0
0xffffaa000002a980 0001 00000000 0x0 0x0
0xffffaa000002aa00 0001 00000000 0x0 0x0
0xffffaa000002aa80 0001 00000000 0x0 0x0
0xffffaa000002ab00 0001 00000000 0x0 0x0
0xffffaa000002ab80 0001 00000000 0x0 0x0
0xffffaa000002ac00 0001 00000000 0x0 0x0
0xffffaa000002ac80 0001 00000000 0x0 0x0
0xffffaa000002ad00 0001 00000000 0x0 0x0
0xffffaa000002ad80 0001 00000000 0x0 0x0
0xffffaa000002ae00 0001 00000000 0x0 0x0
0xffffaa000002ae80 0001 00000000 0x0 0x0
0xffffaa000002af00 0001 00000000 0x0 0x0
0xffffaa000002af80 0001 00000000 0x0 0x0
0xffffaa000002b000 0001 00000000 0x0 0x0
0xffffaa000002b080 0001 00000000 0x0 0x0
0xffffaa000002b100 0001 00000000 0x0 0x0
0xffffaa000002b180 0001 00000000 0x0 0x0
0xffffaa000002b200 0001 00000000 0x0 0x0
0xffffaa000002b280 0001 00000000 0x0 0x0
0xffffaa000002b300 0001 00000000 0x0 0x0
0xffffaa000002b380 0001 00000000 0x0 0x0
0xffffaa000002b400 0001 00000000 0x0 0x0
0xffffaa000002b480 0001 00000000 0x0 0x0
0xffffaa000002b500 0001 00000000 0x0 0x0
0xffffaa000002b580 0001 00000000 0x0 0x0
0xffffaa000002b600 0001 00000000 0x0 0x0
0xffffaa000002b680 0001 00000000 0x0 0x0
0xffffaa000002b700 0001 00000000 0x0 0x0
0xffffaa000002b780 0001 00000000 0x0 0x0
0xffffaa000002b800 0001 00000000 0x0 0x0
0xffffaa000002b880 0001 00000000 0x0 0x0
0xffffaa000002b900 0001 00000000 0x0 0x0
0xffffaa000002b980 0001 00000000 0x0 0x0
0xffffaa000002ba00 0001 00000000 0x0 0x0
0xffffaa000002ba80 0001 00000000 0x0 0x0
0xffffaa000002bb00 0001 00000000 0x0 0x0
0xffffaa000002bb80 0001 00000000 0x0 0x0
0xffffaa000002bc00 0001 00000000 0x0 0x0
0xffffaa000002bc80 0001 00000000 0x0 0x0
0xffffaa000002bd00 0001 00000000 0x0 0x0
0xffffaa000002bd80 0001 00000000 0x0 0x0
0xffffaa000002be00 0001 00000000 0x0 0x0
0xffffaa000002be80 0001 00000000 0x0 0x0
0xffffaa000002bf00 0001 00000000 0x0 0x0
0xffffaa000002bf80 0001 00000000 0x0 0x0
0xffffaa000002c000 0001 00000000 0x0 0x0
0xffffaa000002c080 0001 00000000 0x0 0x0
0xffffaa000002c100 0001 00000000 0x0 0x0
0xffffaa000002c180 0001 00000000 0x0 0x0
0xffffaa000002c200 0001 00000000 0x0 0x0
0xffffaa000002c280 0001 00000000 0x0 0x0
0xffffaa000002c300 0001 00000000 0x0 0x0
0xffffaa000002c380 0001 00000000 0x0 0x0
0xffffaa000002c400 0001 00000000 0x0 0x0
0xffffaa000002c480 0001 00000000 0x0 0x0
0xffffaa000002c500 0001 00000000 0x0 0x0
0xffffaa000002c580 0001 00000000 0x0 0x0
0xffffaa000002c600 0001 00000000 0x0 0x0
0xffffaa000002c680 0001 00000000 0x0 0x0
0xffffaa000002c700 0001 00000000 0x0 0x0
0xffffaa000002c780 0001 00000000 0x0 0x0
0xffffaa000002c800 0001 00000000 0x0 0x0
0xffffaa000002c880 0001 00000000 0x0 0x0
0xffffaa000002c900 0001 00000000 0x0 0x0
0xffffaa000002c980 0001 00000000 0x0 0x0
0xffffaa000002ca00 0001 00000000 0x0 0x0
0xffffaa000002ca80 0001 00000000 0x0 0x0
0xffffaa000002cb00 0001 00000000 0x0 0x0
0xffffaa000002cb80 0001 00000000 0x0 0x0
0xffffaa000002cc00 0001 00000000 0x0 0x0
0xffffaa000002cc80 0001 00000000 0x0 0x0
0xffffaa000002cd00 0001 00000000 0x0 0x0
0xffffaa000002cd80 0001 00000000 0x0 0x0
0xffffaa000002ce00 0001 00000000 0x0 0x0
0xffffaa000002ce80 0001 00000000 0x0 0x0
0xffffaa000002cf00 0001 00000000 0x0 0x0
0xffffaa000002cf80 0001 00000000 0x0 0x0
0xffffaa000002d000 0001 00000000 0x0 0x0
0xffffaa000002d080 0001 00000000 0x0 0x0
0xffffaa000002d100 0001 00000000 0x0 0x0
0xffffaa000002d180 0001 00000000 0x0 0x0
0xffffaa000002d200 0001 00000000 0x0 0x0
0xffffaa000002d280 0001 00000000 0x0 0x0
0xffffaa000002d300 0001 00000000 0x0 0x0
0xffffaa000002d380 0001 00000000 0x0 0x0
0xffffaa000002d400 0001 00000000

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

May 28, 2020, 6:36:18 AM5/28/20
to syzkaller-...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: aa85acd0 - make AP{IB,DA,DB}Key are also enabled when ARMV..
git tree: netbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=15647d26100000
kernel config: https://syzkaller.appspot.com/x/.config?x=5702129db7f7788d
dashboard link: https://syzkaller.appspot.com/bug?extid=15dd4dbac6ed159faa4a
compiler: g++ (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=159623f6100000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16255df6100000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+15dd4d...@syzkaller.appspotmail.com

[ 52.3499520] panic: kernel diagnostic assertion "ci->ci_tlbstate != TLBSTATE_VALID" failed: file "/syzkaller/managers/netbsd/kernel/sys/arch/x86/x86/pmap.c", line 3412
[ 52.3599411] cpu1: Begin traceback...
[ 52.3699430] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
[ 52.3999442] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure
[ 52.4299495] pmap_activate() at netbsd:pmap_activate+0x173 sys/arch/x86/x86/pmap.c:3412
[ 52.4599432] mi_switch() at netbsd:mi_switch+0x673 sys/kern/kern_synch.c:808
[ 52.4799438] kpreempt() at netbsd:kpreempt+0x1fc sys/kern/kern_synch.c:428
[ 52.5099441] syscall() at netbsd:syscall+0x8fa KPREEMPT_ENABLE sys/sys/lwp.h:555 [inline]
[ 52.5099441] syscall() at netbsd:syscall+0x8fa KPREEMPT_ENABLE sys/sys/lwp.h:545 [inline]
[ 52.5099441] syscall() at netbsd:syscall+0x8fa mi_userret sys/sys/userret.h:114 [inline]
[ 52.5099441] syscall() at netbsd:syscall+0x8fa userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline]
[ 52.5099441] syscall() at netbsd:syscall+0x8fa sys/arch/x86/x86/syscall.c:166
[ 52.5199435] --- syscall (number 0) ---
[ 52.5299478] netbsd:syscall+0x8fa:
[ 52.5299478] cpu1: End traceback...
[ 52.5399427] fatal breakpoint trap in supervisor mode
[ 52.5399427] trap type 1 code 0 rip 0xffffffff8022094d cs 0x8 rflags 0x282 cr2 0x761fa7606ca0 ilevel 0x8 rsp 0xffffb981805dfb80
[ 52.5499416] curlwp 0xffffb98012c0da40 pid 2253.2253 lowest kstack 0xffffb981805d82c0
Stopped in pid 2253.2253 (syz-executor0827) at netbsd:breakpoint+0x5: leave
?
breakpoint() at netbsd:breakpoint+0x5
db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67
vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
_GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure
pmap_activate() at netbsd:pmap_activate+0x173 sys/arch/x86/x86/pmap.c:3412
mi_switch() at netbsd:mi_switch+0x673 sys/kern/kern_synch.c:808
kpreempt() at netbsd:kpreempt+0x1fc sys/kern/kern_synch.c:428
syscall() at netbsd:syscall+0x8fa KPREEMPT_ENABLE sys/sys/lwp.h:555 [inline]
syscall() at netbsd:syscall+0x8fa KPREEMPT_ENABLE sys/sys/lwp.h:545 [inline]
syscall() at netbsd:syscall+0x8fa mi_userret sys/sys/userret.h:114 [inline]
syscall() at netbsd:syscall+0x8fa userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline]
syscall() at netbsd:syscall+0x8fa sys/arch/x86/x86/syscall.c:166
--- syscall (number 0) ---
netbsd:syscall+0x8fa:
ds fc40
es c19e
fs fb60
gs fbb0
rdi ffffffff82bd8280 db_onpanic
rsi 1ffffffff057b050
rbp ffffb981805dfb80
rbx ffffb9816e699000
rdx 0
rcx ffffffff8126bf59 db_panic+0xd5
rax ffffb98012c0da40
r8 4
r9 1ffffffff057b050
r10 ffffffff82bd8283 db_onpanic+0x3
r11 8000000000
r12 ffffb9816e6aa000
r13 ffffffff81f89140 platform_private_nodes+0x160
r14 ffffb981805dfc10
r15 ffffb9816e699060
rip ffffffff8022094d breakpoint+0x5
cs 8
rflags 282
rsp ffffb981805dfb80
ss 10
netbsd:breakpoint+0x5: leave
PID LID S CPU FLAGS STRUCT LWP * NAME WAIT
2266 2266 2 0 0 ffffb980137d80c0 syz-executor0827
2175 1575 2 0 100000 ffffb98012aefbc0 syz-executor0827
2175 2175 2 0 10000000 ffffb98012a88740 syz-executor0827
2090 2090 2 0 0 ffffb98012c6c2c0 syz-executor0827
2253 2229 2 0 0 ffffb98013846300 syz-executor0827
2253 2098 3 1 80 ffffb98012c0d600 syz-executor0827 parked
2253 >2253 7 1 0 ffffb98012c0da40 syz-executor0827
1659 1659 2 0 40 ffffb980147ae4c0 syz-executor0827
700 700 3 1 80 ffffb980147ae080 syz-executor0827 nanoslp
698 698 2 0 40 ffffb98013805a00 syz-executor0827
696 696 3 1 80 ffffb9801382cb00 syz-executor0827 nanoslp
695 695 3 0 40 ffffb9801382c6c0 syz-executor0827 xclocv
697 697 2 0 40 ffffb9801376ab80 syz-executor0827
694 694 3 0 80 ffffb98012747300 syz-executor0827 nanoslp
685 685 3 1 80 ffffb98012744700 sshd select
1509 1509 3 1 80 ffffb980138055c0 getty nanoslp
684 684 3 0 80 ffffb98013823240 getty nanoslp
1638 1638 3 1 80 ffffb98013817a80 getty nanoslp
871 871 3 1 c0 ffffb98013817200 getty ttyraw
1380 1380 3 1 80 ffffb980141548c0 cron nanoslp
724 724 3 1 80 ffffb980136f5700 inetd kqueue
1445 1445 3 1 80 ffffb98012ce8a00 sshd select
739 739 3 0 80 ffffb98012c0d1c0 powerd kqueue
1249 1249 2 1 40000 ffffb98012b09480 makemandb
449 449 3 1 80 ffffb9801376a300 syslogd kqueue
303 303 3 0 80 ffffb98012c9a480 dhcpcd kqueue
338 338 3 0 80 ffffb98012bb4100 dhcpcd kqueue
1 1 3 0 80 ffffb980128f5140 init wait
0 932 3 0 200 ffffb9801294da00 physiod physiod
0 63 3 0 200 ffffb9801295ca40 pooldrain pooldrain
0 > 126 7 0 240 ffffb9801295c600 ioflush
0 125 3 1 200 ffffb9801295c1c0 pgdaemon pgdaemon
0 122 3 0 200 ffffb9801294d180 usb0 usbevt
0 121 3 1 200 ffffb980128f59c0 usbtask-dr usbtsk
0 120 3 1 200 ffffb9800fe5cac0 usbtask-hc usbtsk
0 119 3 1 200 ffffb980128f5580 npfgc-0 npfgccv
0 118 3 1 200 ffffb980128e4980 rt_free rt_free
0 117 3 1 200 ffffb980128e4540 unpgc unpgc
0 116 3 0 200 ffffb980128e4100 key_timehandler key_timehandler
0 115 3 1 200 ffffb980128dc940 icmp6_wqinput/1 icmp6_wqinput
0 114 3 0 200 ffffb980128dc500 icmp6_wqinput/0 icmp6_wqinput
0 113 3 0 200 ffffb980128dc0c0 nd6_timer nd6_timer
0 112 3 1 200 ffffb980128d2900 carp6_wqinput/1 carp6_wqinput
0 111 3 0 200 ffffb980128d24c0 carp6_wqinput/0 carp6_wqinput
0 110 3 1 200 ffffb980128d2080 carp_wqinput/1 carp_wqinput
0 109 3 0 200 ffffb980127598c0 carp_wqinput/0 carp_wqinput
0 108 3 1 200 ffffb98012759480 icmp_wqinput/1 icmp_wqinput
0 107 3 0 200 ffffb98012759040 icmp_wqinput/0 icmp_wqinput
0 106 3 0 200 ffffb98012747b80 rt_timer rt_timer
0 105 3 1 200 ffffb98012748bc0 vmem_rehash vmem_rehash
0 104 3 1 200 ffffb98012748780 entbutler entropy
0 30 3 1 200 ffffb980121626c0 vioif0_txrx/1 vioif0_txrx
0 29 3 0 200 ffffb98012162280 vioif0_txrx/0 vioif0_txrx
0 27 3 0 200 ffffb9800fe5c680 scsibus0 sccomp
0 26 3 0 200 ffffb9800fe5c240 pms0 pmsreset
0 25 2 1 200 ffffb9800fd9da80 xcall/1
0 24 1 1 200 ffffb9800fd9d640 softser/1
0 23 1 1 200 ffffb9800fd9d200 softclk/1
0 22 1 1 200 ffffb9800fd9ba40 softbio/1
0 21 1 1 200 ffffb9800fd9b600 softnet/1
0 20 1 1 201 ffffb9800fd9b1c0 idle/1
0 19 3 0 200 ffffb9800e80aa00 lnxpwrwq lnxpwrwq
0 18 3 0 200 ffffb9800e80a5c0 lnxlngwq lnxlngwq
0 17 3 0 200 ffffb9800e80a180 lnxsyswq lnxsyswq
0 16 3 0 200 ffffb9800e8049c0 lnxrcugc lnxrcugc
0 15 3 0 200 ffffb9800e804580 sysmon smtaskq
0 14 3 0 200 ffffb9800e804140 pmfsuspend pmfsuspend
0 13 3 0 200 ffffb9800e7ff980 pmfevent pmfevent
0 12 3 0 200 ffffb9800e7ff540 sopendfree sopendfr
0 11 3 0 200 ffffb9800e7ff100 iflnkst iflnkst
0 10 3 0 200 ffffb9800e7f3940 nfssilly nfssilly
0 9 3 0 200 ffffb9800e7f3500 vdrain vdrain
0 8 3 0 200 ffffb9800e7f30c0 modunload mod_unld
0 7 3 0 200 ffffb9800e7e6900 xcall/0 xcall
0 6 1 0 200 ffffb9800e7e64c0 softser/0
0 5 1 0 200 ffffb9800e7e6080 softclk/0
0 4 1 0 200 ffffb9800e7e48c0 softbio/0
0 3 1 0 200 ffffb9800e7e4480 softnet/0
0 2 1 0 201 ffffb9800e7e4040 idle/0
0 0 3 0 200 ffffffff82ca3700 swapper uvm
[Locks tracked through LWPs]

****** LWP 2090.2090 (syz-executor0827) @ 0xffffb98012c6c2c0, l_stat=2

*** Locks held: none

*** Locks wanted:

* Lock 0 (initialized at amap_ctor)
lock address : 0xffffb980143ba240 type : sleep/adaptive
initialized : 0xffffffff81629013
shared holds : 0 exclusive: 0
shares wanted: 0 exclusive: 1
relevant cpu : 0 last held: 0
relevant lwp : 0xffffb98012c6c2c0 last held: 000000000000000000
last locked : 0xffffffff81637e26 unlocked*: 0xffffffff81635dd8
owner/count : 000000000000000000 flags : 000000000000000000
Turnstile: no active turnstile for this lock.

****** LWP 698.698 (syz-executor0827) @ 0xffffb98013805a00, l_stat=2

*** Locks held:

* Lock 0 (initialized at vcache_alloc)
lock address : 0xffffb980147cfa40 type : sleep/adaptive
initialized : 0xffffffff81823e43
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffffb98013805a00 last held: 0xffffb98013805a00
last locked* : 0xffffffff81852c3f unlocked : 0xffffffff81852ca1
owner/count : 0xffffb98013805a00 flags : 0x0000000000000004
Turnstile: no active turnstile for this lock.

* Lock 1 (initialized at vcache_alloc)
lock address : 0xffffb9801485f700 type : sleep/adaptive
initialized : 0xffffffff81823e43
shared holds : 0 exclusive: 1
shares wanted: 0 exclusive: 0
relevant cpu : 0 last held: 0
relevant lwp : 0xffffb98013805a00 last held: 0xffffb98013805a00
last locked* : 0xffffffff81852c3f unlocked : 0xffffffff81852ca1
[ 52.5599392] Skipping crash dump on recursive panic
[ 52.5599392] panic: ASan: Unauthorized Access In 0xffffffff816ef6f0: Addr 0xffffb9801485f700 [8 bytes, read, PoolUseAfterFree]

[ 52.5599392] cpu1: Begin traceback...
[ 52.5599392] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
[ 52.5599392] snprintf() at netbsd:snprintf
[ 52.5599392] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline]
[ 52.5599392] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197
[ 52.5599392] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline]
[ 52.5599392] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline]
[ 52.5599392] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline]
[ 52.5599392] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210
[ 52.5599392] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:186
[ 52.5599392] lockdebug_dump() at netbsd:lockdebug_dump+0x205 sys/kern/subr_lockdebug.c:759
[ 52.5599392] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb7 sys/kern/subr_lockdebug.c:839
[ 52.5599392] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26a lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:877 [inline]
[ 52.5599392] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26a sys/kern/subr_lockdebug.c:941
[ 52.5599392] db_command() at netbsd:db_command+0x2ad sys/ddb/db_command.c:942
[ 52.5599392] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:439 [inline]
[ 52.5599392] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:589
[ 52.5599392] db_trap() at netbsd:db_trap+0x206 sys/ddb/db_trap.c:94
[ 52.5599392] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:248
[ 52.5599392] trap() at netbsd:trap+0x579 sys/arch/amd64/amd64/trap.c:315
[ 52.5599392] --- trap (number 1) ---
[ 52.5599392] breakpoint() at netbsd:breakpoint+0x5
[ 52.5599392] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67
[ 52.5599392] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
[ 52.5599392] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure
[ 52.5599392] pmap_activate() at netbsd:pmap_activate+0x173 sys/arch/x86/x86/pmap.c:3412
[ 52.5599392] mi_switch() at netbsd:mi_switch+0x673 sys/kern/kern_synch.c:808
[ 52.5599392] kpreempt() at netbsd:kpreempt+0x1fc sys/kern/kern_synch.c:428
[ 52.5599392] syscall() at netbsd:syscall+0x8fa KPREEMPT_ENABLE sys/sys/lwp.h:555 [inline]
[ 52.5599392] syscall() at netbsd:syscall+0x8fa KPREEMPT_ENABLE sys/sys/lwp.h:545 [inline]
[ 52.5599392] syscall() at netbsd:syscall+0x8fa mi_userret sys/sys/userret.h:114 [inline]
[ 52.5599392] syscall() at netbsd:syscall+0x8fa userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline]
[ 52.5599392] syscall() at netbsd:syscall+0x8fa sys/arch/x86/x86/syscall.c:166
[ 52.5599392] --- syscall (number 0) ---
[ 52.5599392] netbsd:syscall+0x8fa:
[ 52.5599392] cpu1: End traceback...
[ 52.5599392] fatal breakpoint trap in supervisor mode
[ 52.5599392] trap type 1 code 0 rip 0xffffffff8022094d cs 0x8 rflags 0x282 cr2 0x761fa7606ca0 ilevel 0x8 rsp 0xffffb981805df120
[ 52.5599392] curlwp 0xffffb98012c0da40 pid 2253.2253 lowest kstack 0xffffb981805d82c0
Stopped in pid 2253.2253 (syz-executor0827) at netbsd:breakpoint+0x5: leave

Maxime Villard

May 30, 2020, 3:45:03 AM5/30/20
to syzbot, syzkaller-...@googlegroups.com
dup of pending

#syz dup: assert failed: pmap->pm_ncsw == lwp_pctr() (2)
