NetBSD-Bugs archive


kern/60161: assert failed: kn->kn_fop == &proc_filtops



>Number:         60161
>Category:       kern
>Synopsis:       assert failed: kn->kn_fop == &proc_filtops
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Apr 02 08:10:00 +0000 2026
>Originator:     Jiaming Zhang
>Release:        image: NetBSD-10.1; kernel: trunk branch, commit fcca2226d50a3222f4010b6ef59cb5a1f9aa319b
>Organization:
>Environment:
NetBSD  11.99.5 NetBSD 11.99.5 (CLOUD) #0: Wed Apr  1 18:34:06 CST 2026  root@ustb520lab-MS-7E07:/vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/arch/amd64/compile/obj/CLOUD amd64
>Description:
When fuzzing the NetBSD kernel with syzkaller and our generated syscall descriptions, we encountered an issue: assert failed: kn->kn_fop == &proc_filtops. This issue is reproducible in a recent version of the NetBSD kernel (commit fcca2226d50a3222f4010b6ef59cb5a1f9aa319b).

The kernel console output, kernel config, and reproducers are available at: https://drive.google.com/drive/folders/1009tmIJ8X2VE6iYpKUTstQnVY3oC24CO?usp=sharing

The symbolized issue report is also shown below to help with analysis:

```
TITLE: assert failed: kn->kn_fop == &proc_filtops
CORRUPTED: false ()
SUPPRESSED: false
MAINTAINERS (TO): []
MAINTAINERS (CC): []

login: [  17.9042977] panic: kernel diagnostic assertion "kn->kn_fop == &proc_filtops" failed: file "/vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_event.c", line 1289 
[  17.9042977] cpu0: Begin traceback...
[  17.9042977] asan.module_ctor() at ffffffff81ebbd0e
[  17.9042977] asan.module_ctor() at ffffffff8229fb3e
[  17.9042977] knote_proc_fork_track() at netbsd:knote_proc_fork_track+0xbc8 vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_event.c:-1
[  17.9042977] asan.module_dtor() at ffffffff81dcb963
[  17.9042977] asan.module_dtor() at ffffffff81dca9ce
[  17.9042977] syscall() at netbsd:syscall+0x26d sy_call vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/sys/syscallvar.h:65 [inline]
[  17.9042977] syscall() at netbsd:syscall+0x26d sy_invoke vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/sys/syscallvar.h:94 [inline]
[  17.9042977] syscall() at netbsd:syscall+0x26d vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/arch/x86/x86/syscall.c:137
[  17.9042977] --- syscall (number 1) ---
[  17.9042977] netbsd:syscall+0x26d:
[  17.9042977] cpu0: End traceback...
[  17.9042977] Mutex error: mutex_vector_enter,551: locking against myself

[  17.9042977] lock address : netbsd:fileassoc_global+0xc0
[  17.9042977] type         : sleep/adaptive
[  17.9042977] initialized  : ffffffff81e00edb
[  17.9042977] shared holds :                  0 exclusive:                  1
[  17.9042977] shares wanted:                  0 exclusive:                  1
[  17.9042977] relevant cpu :                  0 last held:                  0
[  17.9042977] relevant lwp : 0xffff9a8004c768c0 last held: 0xffff9a8004c768c0
[  17.9042977] last locked* : ffffffff81dcae24
[  17.9042977] unlocked     : netbsd:cv_enter+0x109
[  17.9042977] owner field  : 0xffff9a8004c768c0 wait/spin:                0/0
[  17.9042977] Turnstile: no active turnstile for this lock.

[  17.9042977] Skipping crash dump on recursive panic
[  17.9042977] panic: LOCKDEBUG: Mutex error: mutex_vector_enter,551: locking against myself
[  17.9042977] cpu0: Begin traceback...
[  17.9042977] asan.module_ctor() at ffffffff81ebbd0e
[  17.9042977] asan.module_ctor() at ffffffff81ebb905
[  17.9042977] asan.module_ctor() at ffffffff81ea5c53
[  17.9042977] mutex_abort() at netbsd:mutex_abort+0xa80 vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_mutex.c:-1
[  17.9042977] sched_lendpri() at netbsd:sched_lendpri+0x370f vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_synch.c:-1
[  17.9042977] asan.module_dtor() at netbsd:asan.module_dtor+-0x121194f
[  17.9042977] asan.module_ctor() at ffffffff81e10ba0
[  17.9042977] asan.module_ctor() at ffffffff81ebbd1e
[  17.9042977] asan.module_ctor() at ffffffff8229fb3e
[  17.9042977] knote_proc_fork_track() at netbsd:knote_proc_fork_track+0xbc8 vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_event.c:-1
[  17.9042977] asan.module_dtor() at ffffffff81dcb963
[  17.9042977] asan.module_dtor() at ffffffff81dca9ce
[  17.9042977] syscall() at netbsd:syscall+0x26d sy_call vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/sys/syscallvar.h:65 [inline]
[  17.9042977] syscall() at netbsd:syscall+0x26d sy_invoke vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/sys/syscallvar.h:94 [inline]
[  17.9042977] syscall() at netbsd:syscall+0x26d vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/arch/x86/x86/syscall.c:137
[  17.9042977] --- syscall (number 1) ---
[  17.9042977] netbsd:syscall+0x26d:
[  17.9042977] cpu0: End traceback...
[  17.9042977] WARNING: lwp 0 (system swapper) flags 0x20020080: timecounter went backwards from (18 + 0x9febed40921e0518/2^64) sec to (18 + 0x5acbb08a23a5ccf8/2^64) sec in netbsd:sched_lendpri+0x12fc
```
>How-To-Repeat:
The issue can be reproduced by running the C or syz reproducer on the kernel under a specified config.
>Fix:



