NetBSD-Bugs archive
kern/60159: assert failed: hispgrp->pg_jobc > NUM
>Number: 60159
>Category: kern
>Synopsis: assert failed: hispgrp->pg_jobc > NUM
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Apr 02 08:05:00 +0000 2026
>Originator: Jiaming Zhang
>Release: image: NetBSD-10.1; kernel: trunk branch, commit fcca2226d50a3222f4010b6ef59cb5a1f9aa319b
>Organization:
>Environment:
NetBSD 11.99.5 NetBSD 11.99.5 (CLOUD) #0: Wed Apr 1 18:34:06 CST 2026 root@ustb520lab-MS-7E07:/vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/arch/amd64/compile/obj/CLOUD amd64
>Description:
When fuzzing the NetBSD kernel with syzkaller and our generated syscall descriptions, we encountered an issue: assert failed: hispgrp->pg_jobc > NUM. This issue is reproducible in a recent version of the NetBSD kernel (commit fcca2226d50a3222f4010b6ef59cb5a1f9aa319b).
The kernel console output, kernel config, and reproducers are available at: https://drive.google.com/drive/folders/1ISrwbSWRS2qOja26IuNivsWuwAaAmz1k?usp=sharing
The symbolized issue report is also shown below to help with analysis:
```
TITLE: assert failed: hispgrp->pg_jobc > NUM
CORRUPTED: false ()
SUPPRESSED: false
MAINTAINERS (TO): []
MAINTAINERS (CC): []
[ 44.4569792] panic: kernel diagnostic assertion "hispgrp->pg_jobc > 0" failed: file "/vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_proc.c", line 1604
[ 44.4672539] cpu0: Begin traceback...
[ 44.4672539] asan.module_ctor() at ffffffff81ebbd0e
[ 44.4769854] asan.module_ctor() at ffffffff8229fb3e
[ 44.4769854] proc_free_pid_internal() at netbsd:proc_free_pid_internal+0x163d vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_proc.c:-1
[ 44.4869791] asan.module_dtor() at ffffffff81dcb100
[ 44.4969793] asan.module_dtor() at ffffffff81dca9ce
[ 44.5069810] syscall() at netbsd:syscall+0x26d sy_call vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/sys/syscallvar.h:65 [inline]
[ 44.5069810] syscall() at netbsd:syscall+0x26d sy_invoke vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/sys/syscallvar.h:94 [inline]
[ 44.5069810] syscall() at netbsd:syscall+0x26d vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/arch/x86/x86/syscall.c:137
[ 44.5069810] --- syscall (number 1) ---
[ 44.5069810] netbsd:syscall+0x26d:
[ 44.5069810] cpu0: End traceback...
[ 44.5069810] Mutex error: mutex_vector_enter,551: locking against myself
[ 44.5069810] lock address : netbsd:fileassoc_global+0xc0
[ 44.5069810] type : sleep/adaptive
[ 44.5069810] initialized : ffffffff81e00edb
[ 44.5069810] shared holds : 0 exclusive: 1
[ 44.5069810] shares wanted: 0 exclusive: 0
[ 44.5069810] relevant cpu : 0 last held: 0
[ 44.5069810] relevant lwp : 0xffffdd8004ce01c0 last held: 0xffffdd8004ce01c0
[ 44.5069810] last locked* : ffffffff81dcae24
[ 44.5069810] unlocked : ffffffff81dccb68
[ 44.5069810] owner field : 0xffffdd8004ce01c0 wait/spin: 1/0
[ 44.5069810] Turnstile:
[ 44.5069810] => 0 waiting readers:
[ 44.5069810] => 2 waiting writers: 0xffffdd8007042040 0xffffdd80048d5940
[ 44.5252610] Skipping crash dump on recursive panic
[ 44.5252610] panic: LOCKDEBUG: Mutex error: mutex_vector_enter,551: locking against myself
[ 44.5252610] cpu0: Begin traceback...
[ 44.5269743] asan.module_ctor() at ffffffff81ebbd0e
[ 44.5269743] asan.module_ctor() at ffffffff81ebb905
[ 44.5371646] asan.module_ctor() at ffffffff81ea5c53
[ 44.5469756] mutex_abort() at netbsd:mutex_abort+0xa80 vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_mutex.c:-1
[ 44.5569823] sched_lendpri() at netbsd:sched_lendpri+0x370f vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_synch.c:-1
[ 44.5669848] asan.module_dtor() at netbsd:asan.module_dtor+-0x121194f
[ 44.5669848] asan.module_ctor() at ffffffff81e10ba0
[ 44.5769791] asan.module_ctor() at ffffffff81ebbd1e
[ 44.5869780] asan.module_ctor() at ffffffff8229fb3e
[ 44.5969798] proc_free_pid_internal() at netbsd:proc_free_pid_internal+0x163d vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_proc.c:-1
[ 44.6069931] asan.module_dtor() at ffffffff81dcb100
[ 44.6069931] asan.module_dtor() at ffffffff81dca9ce
[ 44.6169888] syscall() at netbsd:syscall+0x26d sy_call vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/sys/syscallvar.h:65 [inline]
[ 44.6169888] syscall() at netbsd:syscall+0x26d sy_invoke vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/sys/syscallvar.h:94 [inline]
[ 44.6169888] syscall() at netbsd:syscall+0x26d vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/arch/x86/x86/syscall.c:137
[ 44.6169888] --- syscall (number 1) ---
[ 44.6269769] netbsd:syscall+0x26d:
[ 44.6269769] cpu0: End traceback...
```
>How-To-Repeat:
The issue can be reproduced by running the syz reproducer on the kernel under a specified config.
>Fix: