panic: ASan: Invalid access, 8-byte read at 0xfffffe0058582498, UMAUseAfterFree(fd) cpuid = 0 time = 1755434719 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe0056c89cd0 kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe0056c89e30 vpanic() at vpanic+0x257/frame 0xfffffe0056c89ff0 panic() at panic+0xb5/frame 0xfffffe0056c8a0c0 kasan_report() at kasan_report+0xdf/frame 0xfffffe0056c8a190 mld_change_state() at mld_change_state+0xf2/frame 0xfffffe0056c8a330 in6_leavegroup_locked() at in6_leavegroup_locked+0x17b/frame 0xfffffe0056c8a450 in6_pcbpurgeif0() at in6_pcbpurgeif0+0x2f6/frame 0xfffffe0056c8a550 _in6_ifdetach() at _in6_ifdetach+0x18e/frame 0xfffffe0056c8a630 if_detach_internal() at if_detach_internal+0x3aa/frame 0xfffffe0056c8a720 if_detach() at if_detach+0xb6/frame 0xfffffe0056c8a760 tun_destroy() at tun_destroy+0x1b4/frame 0xfffffe0056c8a7b0 tun_clone_destroy() at tun_clone_destroy+0x112/frame 0xfffffe0056c8a7e0 if_clone_destroyif_flags() at if_clone_destroyif_flags+0xc8/frame 0xfffffe0056c8a830 if_clone_destroy() at if_clone_destroy+0x1f6/frame 0xfffffe0056c8a870 ifioctl() at ifioctl+0x112a/frame 0xfffffe0056c8aab0 kern_ioctl() at kern_ioctl+0x4ca/frame 0xfffffe0056c8ab90 sys_ioctl() at sys_ioctl+0x36e/frame 0xfffffe0056c8ad10 amd64_syscall() at amd64_syscall+0x4e2/frame 0xfffffe0056c8af30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0056c8af30 --- syscall (54, FreeBSD ELF64, ioctl), rip = 0x8243762ca, rsp = 0x820cabf58, rbp = 0x820cabf70 --- KDB: enter: panic [ thread pid 1028 tid 100086 ] Stopped at kdb_enter+0x6e: movq $0,0x25b6ed7(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xffffffff81625c1e _vprintf+0x1ae rdx 0 rbx 0xffffffff827e1820 .str.27 rsp 0xfffffe0056c89e10 rbp 0xfffffe0056c89e30 rsi 0 rdi 0xffffffff81626189 printf+0x149 r8 0 r9 0xffffffff r10 0 r11 0x3 r12 0xfffffe005404f000 r13 0xfffffffffffffffe r14 0xffffffff827e1820 .str.27 r15 0 rip 0xffffffff8160fcbe kdb_enter+0x6e rflags 0x46 kdb_enter+0x6e: movq $0,0x25b6ed7(%rip) db> show proc Process 1028 (ifconfig) at 0xfffffe00540a8000: state: NORMAL uid: 0 gids: 0, 5 parent: pid 1026 at 0xfffffe00540d7010 ABI: FreeBSD ELF64 flag: 0x10004000 flag2: 0 arguments: ifconfig tap1 destroy reaper: 0xfffffe0007809010 reapsubtree: 1 sigparent: 20 vmspace: 0xfffffe0054133490 (map 0xfffffe0054133490) (map.pmap 0xfffffe0054133530) (pmap 0xfffffe00541335a0) threads: 1 100086 Run CPU 0 ifconfig db> ps pid ppid pgrp uid state wmesg wchan cmd 1028 1026 1026 0 R CPU 0 ifconfig 1027 768 768 0 R (threaded) syz-executor 100140 RunQ syz-executor 100288 D getblk 0xfffffe0007c02948 syz-executor 1026 764 1026 0 S wait 0xfffffe00540d7010 syz-executor 1025 767 767 0 R (threaded) syz-executor 100270 Run CPU 1 syz-executor 100287 D biowr 0xfffffe0007c028c8 syz-executor 100289 D ufs 0xfffffe00776d4070 syz-executor 100290 D ufs 0xfffffe00776d4c78 syz-executor 100291 D ufs 0xfffffe00776d4c78 syz-executor 1021 1012 765 0 S uwait 0xfffffe0057da2700 syz-executor 1020 1012 765 0 S uwait 0xfffffe005829b200 syz-executor 1016 1012 765 0 S uwait 0xfffffe005829ae80 syz-executor 1012 765 765 0 R (threaded) syz-executor 100238 RunQ syz-executor 100276 S uwait 0xfffffe0057da2c00 syz-executor 100277 S uwait 0xfffffe0057da2b00 syz-executor 100278 S sigwait 0xfffffe005410b620 syz-executor 100280 S uwait 0xfffffe0057da2600 syz-executor 1009 1 767 60928 S uwait 0xfffffe0058299480 syz-executor 1007 0 0 0 DL mdwait 0xfffffe0059582000 [md0] 1003 1 765 0 S uwait 0xfffffe005829d000 syz-executor 999 1 765 0 S uwait 0xfffffe00584f3080 syz-executor 992 1 992 0 Ss+ ttyin 0xfffffe005828bcb0 getty 991 1 991 0 Ss+ ttyin 0xfffffe0058627cb0 getty 988 1 988 0 Ss+ ttyin 0xfffffe00586274b0 getty 987 1 1 0 S nanslp 0xffffffff83ba7c41 init 985 1 985 0 Ss+ ttyin 0xfffffe0058626cb0 getty 980 1 768 0 S uwait 0xfffffe0057d10380 syz-executor 979 1 979 0 Ss+ ttyin 0xfffffe00586284b0 getty 972 1 972 0 Ss+ ttyin 0xfffffe005828acb0 getty 971 1 768 60928 S uwait 0xfffffe00584f1280 syz-executor 967 1 967 0 Ss+ ttyin 0xfffffe00586280b0 getty 959 1 959 0 Ss+ ttyin 0xfffffe00586278b0 getty 933 1 768 0 SV uwait 0xfffffe0057da2500 syz-executor 932 1 768 0 SV uwait 0xfffffe00584f1e00 syz-executor 931 0 0 0 DL (threaded) [so_splice] 100190 D - 0xfffffe00584f1a80 [thr_0] 100231 D - 0xfffffe00584f1ac0 [thr_1] 927 1 768 0 S uwait 0xfffffe00584f3480 syz-executor 924 1 767 0 S uwait 0xfffffe005829b680 syz-executor 923 1 767 0 S uwait 0xfffffe00584f2680 syz-executor 922 1 768 0 S uwait 0xfffffe00584f2580 syz-executor 911 1 768 0 S uwait 0xfffffe0058299380 syz-executor 906 1 768 0 S uwait 0xfffffe00584f3180 syz-executor 896 1 768 0 S uwait 0xfffffe00584f1d00 syz-executor 891 1 768 0 S uwait 0xfffffe00584f1c00 syz-executor 852 1 765 -1 S uwait 0xfffffe00584f2780 syz-executor 832 1 768 0 S uwait 0xfffffe0058299180 syz-executor 828 0 0 0 DL aiordy 0xfffffe0054109ab8 [aiod4] 827 0 0 0 DL aiordy 0xfffffe005410a010 [aiod3] 826 0 0 0 DL aiordy 0xfffffe005410a568 [aiod2] 825 0 0 0 DL aiordy 0xfffffe005410aac0 [aiod1] 768 764 768 0 S nanslp 0xffffffff83ba7c40 syz-executor 767 764 767 0 S nanslp 0xffffffff83ba7c40 syz-executor 765 764 765 0 S nanslp 0xffffffff83ba7c40 syz-executor 764 1 762 0 S select 0xfffffe0057da2cc0 syz-executor 737 1 17 0 S+ piperd 0xfffffe00598289e0 logger 736 735 17 0 S+ nanslp 0xffffffff83ba7c40 sleep 735 1 17 0 S+ wait 0xfffffe00540ed000 sh 685 1 685 0 Ss nanslp 0xffffffff83ba7c41 cron 681 1 681 0 Ss select 0xfffffe0058299f40 sshd 494 1 494 0 Ss select 0xfffffe005829b7c0 syslogd 16 0 0 0 DL syncer 0xffffffff83cc5820 [syncer] 15 0 0 0 DL vlruwt 0xfffffe000780a018 [vnlru] 14 0 0 0 DL (threaded) [bufdaemon] 100079 D psleep 0xffffffff83cc3d60 [bufdaemon] 100082 D - 0xffffffff83001ec0 [bufspacedaemon-0] 100094 D sdflush 0xfffffe005828a4e8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83d0ec80 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100077 D psleep 0xffffffff83cf4d48 [dom0] 100080 D launds 0xffffffff83cf4d54 [laundry: dom0] 100081 D umarcl 0xffffffff81df2880 [uma] 7 0 0 0 DL - 0xffffffff839205d8 [rand_harvestq] 6 0 0 0 DL pftm 0xffffffff8485ac30 [pf purge] 5 0 0 0 DL waiting 0xffffffff84522700 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100045 D - 0xffffffff838ea340 [doneq0] 100046 D - 0xffffffff838ea2c0 [async] 100075 D - 0xffffffff838ea140 [scanner] 3 0 0 0 DL (threaded) [crypto] 100042 D crypto_ 0xffffffff83cf0640 [crypto] 100043 D crypto_ 0xfffffe0053efb730 [crypto returns 0] 100044 D crypto_ 0xfffffe0053efb780 [crypto returns 1] 13 0 0 0 DL (threaded) [geom] 100037 D - 0xffffffff83b50640 [g_event] 100038 D - 0xffffffff83b50660 [g_up] 100039 D - 0xffffffff83b50680 [g_down] 2 0 0 0 WL (threaded) [clock] 100031 I [clock (0)] 100032 I [clock (1)] 12 0 0 0 WL (threaded) [intr] 100013 I [swi6: task queue] 100014 I [swi6: Giant taskq] 100016 I [swi5: fast taskq] 100033 I [swi1: netisr 0] 100034 I [swi1: hpts] 100035 I [swi1: hpts] 100047 I [irq24: virtio_pci0] 100048 I [irq25: virtio_pci0] 100049 I [irq26: virtio_pci0] 100050 I [irq27: virtio_pci0] 100051 I [irq28: virtio_pci1] 100052 I [irq29: virtio_pci1] 100053 I [irq30: virtio_pci1] 100054 I [irq31: virtio_pci1] 100055 I [irq32: virtio_pci1] 100060 I [irq10: virtio_pci2] 100062 I [irq1: atkbd0] 100063 I [irq12: psm0] 100064 I [swi0: uart uart++] 100068 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffffe0007809010 [init] 10 0 0 0 DL audit_w 0xffffffff83cf10e0 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D parked 0xffffffff84c43ff0 [swapper] 100005 D - 0xfffffe0053eb2100 [softirq_0] 100006 D - 0xfffffe0053eb2000 [softirq_1] 100007 D - 0xfffffe0053eb1e00 [if_io_tqg_0] 100008 D - 0xfffffe0053eb1d00 [if_io_tqg_1] 100009 D - 0xfffffe0053eb1c00 [if_config_tqg_0] 100010 D - 0xfffffe0007775200 [kqueue_ctx taskq] 100011 D - 0xfffffe0007775100 [jail_remove taskq] 100012 D - 0xfffffe0007775000 [bus taskq] 100015 D - 0xfffffe0007774c00 [thread taskq] 100017 D - 0xfffffe0007774a00 [aiod_kick taskq] 100018 D - 0xfffffe0007774900 [deferred_unmount ta] 100019 D - 0xfffffe0007774800 [inm_free taskq] 100020 D - 0xfffffe0007774700 [in6m_free taskq] 100021 D - 0xfffffe0007774600 [linuxkpi_irq_wq] 100022 D - 0xfffffe0007774500 [linuxkpi_short_wq_0] 100023 D - 0xfffffe0007774500 [linuxkpi_short_wq_1] 100024 D - 0xfffffe0007774500 [linuxkpi_short_wq_2] 100025 D - 0xfffffe0007774500 [linuxkpi_short_wq_3] 100026 D - 0xfffffe0007774400 [linuxkpi_long_wq_0] 100027 D - 0xfffffe0007774400 [linuxkpi_long_wq_1] 100028 D - 0xfffffe0007774400 [linuxkpi_long_wq_2] 100029 D - 0xfffffe0007774400 [linuxkpi_long_wq_3] 100036 D - 0xfffffe0007774300 [firmware taskq] 100040 D - 0xfffffe0007774200 [crypto_0] 100041 D - 0xfffffe0007774200 [crypto_1] 100056 D - 0xfffffe0007773e00 [vtnet0 rxq 0] 100057 D - 0xfffffe0007773d00 [vtnet0 txq 0] 100058 D - 0xfffffe0007773c00 [vtnet0 rxq 1] 100059 D - 0xfffffe0007773b00 [vtnet0 txq 1] 100061 D vtbslp 0xfffffe0057d9e680 [virtio_balloon] 100065 D - 0xffffffff827e5f00 [deadlkres] 100069 D - 0xfffffe00593f6a00 [acpi_task_0] 100070 D - 0xfffffe00593f6a00 [acpi_task_1] 100071 D - 0xfffffe00593f6a00 [acpi_task_2] 100073 D - 0xfffffe0007775900 [mca taskq] 100074 D - 0xfffffe0007774100 [CAM taskq] 100076 D - 0xfffffe0007773a00 [ipsec_offload] 100180 D - 0xfffffe007792c600 [netlink_socket (PID] db> show all locks Process 1028 (ifconfig) thread 0xfffffe005404f000 (100086) exclusive sleep mutex in6_multi_list_mtx (in6_multi_list_mtx) r = 0 (0xffffffff83cebba0) locked @ /syzkaller/managers/main/kernel/sys/netinet6/in6_mcast.c:1387 shared rw udpinp (udpinp) r = 0 (0xfffffe006b719aa0) locked @ /syzkaller/managers/main/kernel/sys/netinet/in_pcb.c:1487 exclusive sx in6_multi_sx (in6_multi_sx) r = 0 (0xffffffff83cebbe0) locked @ /syzkaller/managers/main/kernel/sys/netinet6/in6_ifattach.c:682 exclusive sx ifnet_detach_sx (ifnet_detach_sx) r = 1 (0xffffffff83cc6000) locked @ /syzkaller/managers/main/kernel/sys/net/if.c:1082 Process 1027 (syz-executor) thread 0xfffffe0054125780 (100288) exclusive lockmgr ufs (ufs) r = 0 (0xfffffe00599b33e0) locked @ /syzkaller/managers/main/kernel/sys/kern/vfs_syscalls.c:3595 Process 1025 (syz-executor) thread 0xfffffe0054124000 (100287) exclusive lockmgr bufwait (bufwait) r = 0 (0xfffffe0007c02948) locked @ /syzkaller/managers/main/kernel/sys/kern/vfs_bio.c:4022 exclusive lockmgr ufs (ufs) r = 0 (0xfffffe00776d4070) locked @ /syzkaller/managers/main/kernel/sys/kern/vfs_vnops.c:1243 Process 1025 (syz-executor) thread 0xfffffe0054116000 (100289) exclusive lockmgr ufs (ufs) r = 0 (0xfffffe00776d4c78) locked @ /syzkaller/managers/main/kernel/sys/kern/vfs_cache.c:4844 db> show malloc Type InUse MemUse Requests pf_hash 6 12804K 6 linker 377 5100K 495 tcp_hpts 7 4801K 7 devbuf 4187 4323K 4213 sysctloid 35242 2076K 35317 vtbuf 24 1968K 46 kobj 331 1324K 504 newblk 13 1027K 1175 vfscache 3 1025K 3 pcb 43 685K 150 inodedep 15 518K 269 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 472K 4 filedesc 56 441K 310 subproc 146 298K 1114 vnet_data 2 224K 2