[ 66.4688555] panic: ASan: Unauthorized Access In 0xffffffff817142e5: Addr 0xffffaa0013716298 [8 bytes, read, PoolUseAfterFree]
[ 66.4788335] cpu1: Begin traceback...
[ 66.4888307] vpanic() at netbsd:vpanic+0x244 sys/kern/subr_prf.c:290
[ 66.5088249] snprintf() at netbsd:snprintf
[ 66.5388139] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline]
[ 66.5388139] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197
[ 66.5588075] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline]
[ 66.5588075] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline]
[ 66.5588075] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline]
[ 66.5588075] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210
[ 66.5887980] mutex_oncpu() at netbsd:mutex_oncpu+0x38 mutex_oncpu sys/kern/kern_mutex.c:422 [inline]
[ 66.5887980] mutex_oncpu() at netbsd:mutex_oncpu+0x38 sys/kern/kern_mutex.c:406
[ 66.6087904] mutex_enter() at netbsd:mutex_enter+0x1a4 sys/kern/kern_mutex.c:550
[ 66.6287859] lwp_exit() at netbsd:lwp_exit+0x157 sys/kern/kern_lwp.c:1069
[ 66.6587743] lwp_userret() at netbsd:lwp_userret+0x1f5 sys/kern/kern_lwp.c:1639
[ 66.6787674] syscall() at netbsd:syscall+0x882 x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline]
[ 66.6787674] syscall() at netbsd:syscall+0x882 KPREEMPT_DISABLE sys/sys/lwp.h:536 [inline]
[ 66.6787674] syscall() at netbsd:syscall+0x882 mi_userret sys/sys/userret.h:97 [inline]
[ 66.6787674] syscall() at netbsd:syscall+0x882 userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline]
[ 66.6787674] syscall() at netbsd:syscall+0x882 sys/arch/x86/x86/syscall.c:166
[ 66.6887651] --- syscall (number 4) ---
[ 66.6987630] 7e1f8b6ade7a:
[ 66.6987630] cpu1: End traceback...
[ 66.7087584] fatal breakpoint trap in supervisor mode [ 66.7087584] trap type 1 code 0 rip 0xffffffff802209c5 cs 0x8 rflags 0x246 cr2 0x7e1f8b9fb729 ilevel 0 rsp 0xffffaa017f607b90 [ 66.7187534] curlwp 0xffffaa0012cc3bc0 pid 5374.3105 lowest kstack 0xffffaa017f6002c0 Stopped in pid 5374.3105 (syz-executor6381) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x244 sys/kern/subr_prf.c:290 snprintf() at netbsd:snprintf kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197 __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210 mutex_oncpu() at netbsd:mutex_oncpu+0x38 mutex_oncpu sys/kern/kern_mutex.c:422 [inline] mutex_oncpu() at netbsd:mutex_oncpu+0x38 sys/kern/kern_mutex.c:406 mutex_enter() at netbsd:mutex_enter+0x1a4 sys/kern/kern_mutex.c:550 lwp_exit() at netbsd:lwp_exit+0x157 sys/kern/kern_lwp.c:1069 lwp_userret() at netbsd:lwp_userret+0x1f5 sys/kern/kern_lwp.c:1639 syscall() at netbsd:syscall+0x882 x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline] syscall() at netbsd:syscall+0x882 KPREEMPT_DISABLE sys/sys/lwp.h:536 [inline] syscall() at netbsd:syscall+0x882 mi_userret sys/sys/userret.h:97 [inline] syscall() at netbsd:syscall+0x882 userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] syscall() at netbsd:syscall+0x882 sys/arch/x86/x86/syscall.c:166 --- syscall (number 4) --- 7e1f8b6ade7a: ds 3bc0 es 6ef0 fs 7b70 gs b291 rdi ffffffff82bdf200 db_onpanic rsi 1ffffffff057be40 
rbp ffffaa017f607b90 rbx ffffaa016e699000 rdx 0 rcx ffffffff812a7109 db_panic+0xd5 rax 0 r8 4 r9 1ffffffff057be40 r10 ffffffff82bdf203 db_onpanic+0x3 r11 10 r12 ffffaa016e6aa000 r13 ffffffff82444348 ostype+0x708a8 r14 ffffaa017f607c20 r15 ffffaa016e699060 rip ffffffff802209c5 breakpoint+0x5 cs 8 rflags 246 rsp ffffaa017f607b90 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 4687 4649 2 0 0 ffffaa00136e8680 syz-executor6381 4687 4687 2 0 0 ffffaa00129bb600 syz-executor6381 5374 >3105 7 1 100000 ffffaa0012cc3bc0 syz-executor6381 5374 5374 2 1 10000040 ffffaa0012cf5940 syz-executor6381 5055 5055 2 0 0 ffffaa0012cb1b80 syz-executor6381 5538 4772 3 0 80 ffffaa00148501c0 syz-executor6381 parked 5538 5538 2 0 0 ffffaa0012d13580 syz-executor6381 4807 4807 2 0 0 ffffaa0012bf3540 syz-executor6381 2106 2106 2 1 40 ffffaa0012b95040 shutdown 691 > 691 7 0 40 ffffaa00147e3080 syz-executor6381 690 690 2 1 40 ffffaa00147d28c0 syz-executor6381 692 692 2 1 40 ffffaa00147d2040 syz-executor6381 689 689 2 1 40 ffffaa0013850ac0 syz-executor6381 686 686 2 0 40 ffffaa0013850680 syz-executor6381 688 688 2 1 40 ffffaa0013850240 syz-executor6381 685 685 3 0 80 ffffaa0012741b00 syz-executor6381 nanoslp 730 730 3 0 80 ffffaa0013873300 sshd select 1312 1312 3 1 80 ffffaa001383b1c0 getty nanoslp 720 720 3 0 80 ffffaa00136e8ac0 getty nanoslp 927 927 3 1 80 ffffaa001381b980 getty nanoslp 1374 1374 3 1 c0 ffffaa0013832a00 getty ttyraw 585 585 3 0 80 ffffaa0012d139c0 sshd select 597 597 3 1 80 ffffaa0012c1b5c0 powerd kqueue 460 460 3 0 80 ffffaa0013716b00 syslogd kqueue 303 303 3 0 80 ffffaa0012cc3780 dhcpcd kqueue 333 333 3 0 80 ffffaa0012be00c0 dhcpcd kqueue 1 1 3 0 80 ffffaa0012933100 init wait 0 454 3 0 200 ffffaa001297b9c0 physiod physiod 0 123 3 0 200 ffffaa0012989a00 pooldrain pooldrain 0 122 3 0 200 ffffaa00129895c0 ioflush syncer 0 121 3 1 200 ffffaa0012989180 pgdaemon pgdaemon 0 118 3 1 200 ffffaa001297b140 usb0 usbevt 0 117 3 1 200 ffffaa0012933980 usbtask-dr 
usbtsk 0 116 3 1 200 ffffaa000fe5dac0 usbtask-hc usbtsk 0 115 3 0 200 ffffaa0012933540 npfgc-0 npfgccv 0 114 3 1 200 ffffaa0012925940 rt_free rt_free 0 113 3 1 200 ffffaa0012925500 unpgc unpgc 0 112 3 0 200 ffffaa00129250c0 key_timehandler key_timehandler 0 111 3 1 200 ffffaa001291c900 icmp6_wqinput/1 icmp6_wqinput 0 110 3 0 200 ffffaa001291c4c0 icmp6_wqinput/0 icmp6_wqinput 0 109 3 0 200 ffffaa001291c080 nd6_timer nd6_timer 0 108 3 1 200 ffffaa00129128c0 carp6_wqinput/1 carp6_wqinput 0 107 3 0 200 ffffaa0012912480 carp6_wqinput/0 carp6_wqinput 0 106 3 1 200 ffffaa0012912040 carp_wqinput/1 carp_wqinput 0 105 3 0 200 ffffaa001275bbc0 carp_wqinput/0 carp_wqinput 0 104 3 1 200 ffffaa001275b780 icmp_wqinput/1 icmp_wqinput 0 103 3 0 200 ffffaa001275b340 icmp_wqinput/0 icmp_wqinput 0 102 3 0 200 ffffaa0012745b80 rt_timer rt_timer 0 101 3 0 200 ffffaa0012745740 vmem_rehash vmem_rehash 0 100 3 1 200 ffffaa00127422c0 entbutler entropy 0 27 3 0 200 ffffaa000fe5d680 scsibus0 sccomp 0 26 3 0 200 ffffaa000fe5d240 pms0 pmsreset 0 25 3 1 200 ffffaa000fd9ea80 xcall/1 xcall 0 24 1 1 200 ffffaa000fd9e640 softser/1 0 23 1 1 200 ffffaa000fd9e200 softclk/1 0 22 1 1 200 ffffaa000fd9ca40 softbio/1 0 21 1 1 200 ffffaa000fd9c600 softnet/1 0 20 1 1 201 ffffaa000fd9c1c0 idle/1 0 19 3 1 200 ffffaa000e80aa00 lnxpwrwq lnxpwrwq 0 18 3 1 200 ffffaa000e80a5c0 lnxlngwq lnxlngwq 0 17 3 1 200 ffffaa000e80a180 lnxsyswq lnxsyswq 0 16 3 1 200 ffffaa000e8039c0 lnxrcugc lnxrcugc 0 15 3 0 200 ffffaa000e803580 sysmon smtaskq 0 14 3 0 200 ffffaa000e803140 pmfsuspend pmfsuspend 0 13 3 1 200 ffffaa000e7fe980 pmfevent pmfevent 0 12 3 0 200 ffffaa000e7fe540 sopendfree sopendfr 0 11 3 0 200 ffffaa000e7fe100 iflnkst iflnkst 0 10 3 0 200 ffffaa000e7f3940 nfssilly nfssilly 0 9 3 0 200 ffffaa000e7f3500 vdrain vdrain 0 8 3 1 200 ffffaa000e7f30c0 modunload mod_unld 0 7 3 0 200 ffffaa000e7e6900 xcall/0 xcall 0 6 1 0 200 ffffaa000e7e64c0 softser/0 0 5 1 0 200 ffffaa000e7e6080 softclk/0 0 4 1 0 200 ffffaa000e7e38c0 
softbio/0 0 3 1 0 200 ffffaa000e7e3480 softnet/0 0 2 1 0 201 ffffaa000e7e3040 idle/0 0 0 2 1 240 ffffffff82caa040 swapper [Locks tracked through LWPs] ****** LWP 5374.3105 (syz-executor6381) @ 0xffffaa0012cc3bc0, l_stat=7 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at fork1) lock address : 0xffffaa00129b73c0 type : sleep/adaptive initialized : 0xffffffff816fc493 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 1 relevant cpu : 1 last held: 1 relevant lwp : 0xffffaa0012cc3bc0 last held: 000000000000000000 last locked : 0xffffffff8170ce09 unlocked*: 0xffffffff816d4a53 owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. ****** LWP 5055.5055 (syz-executor6381) @ 0xffffaa0012cb1b80, l_stat=2 *** Locks held: * Lock 0 (initialized at uvm_map_setup) lock address : 0xffffaa0012c7ca00 type : sleep/adaptive initialized : 0xffffffff8168d001 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffaa0012cb1b80 last held: 0xffffaa0012cb1b80 last locked* : 0xffffffff81687275 unlocked : 0xffffffff8167cf14 owner/count : 0xffffaa0012cb1b80 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 4807.4807 (syz-executor6381) @ 0xffffaa0012bf3540, l_stat=2 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at pmap_ctor) lock address : 0xffffaa0012c8f980 type : sleep/adaptive initialized : 0xffffffff8087e6aa shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 1 relevant cpu : 0 last held: 0 relevant lwp : 0xffffaa0012bf3540 last held: 000000000000000000 last locked : 0xffffffff80880292 unlocked*: 0xffffffff80880a6d owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. 
****** LWP 730.730 (sshd) @ 0xffffaa0013873300, l_stat=3 *** Locks held: * Lock 0 (initialized at soinit) lock address : 0xffffaa000e733080 type : sleep/adaptive initialized : 0xffffffff8181706d shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffaa0013873300 last held: 0xffffaa0013873300 last locked* : 0xffffffff8181626c unlocked : 0xffffffff818162ec owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 0.15 (sysmon) @ 0xffffaa000e803580, l_stat=3 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at module_hook_init) lock address : 0xffffffff82da12c0 type : sleep/adaptive initialized : 0xffffffff81713612 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffaa000e803580 last held: 000000000000000000 last locked : 000000000000000000 unlocked*: 000000000000000000 owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. ****** LWP 0.11 (iflnkst) @ 0xffffaa000e7fe100, l_stat=3 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at module_hook_init) lock address : 0xffffffff82da12c0 type : sleep/adaptive initialized : 0xffffffff81713612 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffaa000e7fe100 last held: 000000000000000000 last locked : 000000000000000000 unlocked*: 000000000000000000 owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. 
****** LWP 0.5 (softclk/0) @ 0xffffaa000e7e6080, l_stat=1 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at module_hook_init) lock address : 0xffffffff82da12c0 type : sleep/adaptive initialized : 0xffffffff81713612 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffaa000e7e6080 last held: 000000000000000000 last locked : 00000000000000