Expensive callout(9) function: 0xffffffff81afpanic: ASan: Invalid access, 8-byte read at 0xfffffe0058598318, UMAUseAfterFree(fd) cpuid = 1 time = 1766274621 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe0056ec7cd0 kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe0056ec7e30 vpanic() at vpanic+0x257/frame 0xfffffe0056ec7ff0 panic() at panic+0xb5/frame 0xfffffe0056ec80c0 kasan_report() at kasan_report+0xdf/frame 0xfffffe0056ec8190 mld_change_state() at mld_change_state+0xf2/frame 0xfffffe0056ec8330 in6_leavegroup_locked() at in6_leavegroup_locked+0x17b/frame 0xfffffe0056ec8450 in6_pcbpurgeif0() at in6_pcbpurgeif0+0x2f6/frame 0xfffffe0056ec8550 _in6_ifdetach() at _in6_ifdetach+0x1e6/frame 0xfffffe0056ec8640 in6_ifdeparture() at in6_ifdeparture+0x9f/frame 0xfffffe0056ec8670 if_detach_internal() at if_detach_internal+0x5c0/frame 0xfffffe0056ec8740 if_detach() at if_detach+0xb6/frame 0xfffffe0056ec8780 tun_destroy() at tun_destroy+0x3c9/frame 0xfffffe0056ec87e0 if_clone_destroyif_flags() at if_clone_destroyif_flags+0xc8/frame 0xfffffe0056ec8830 if_clone_destroy() at if_clone_destroy+0x1f6/frame 0xfffffe0056ec8870 ifioctl() at ifioctl+0x116f/frame 0xfffffe0056ec8ab0 kern_ioctl() at kern_ioctl+0x52a/frame 0xfffffe0056ec8b90 sys_ioctl() at sys_ioctl+0x36e/frame 0xfffffe0056ec8d10 amd64_syscall() at amd64_syscall+0x4e2/frame 0xfffffe0056ec8f30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0056ec8f30 --- syscall (54, FreeBSD ELF64, ioctl), rip = 0x824ca82ca, rsp = 0x820e05b48, rbp = 0x820e05b60 --- KDB: enter: panic [ thread pid 1005 tid 100115 ] Stopped at kdb_enter+0x6e: movq $0,0x2589a07(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xffffffff81660c3e _vprintf+0x1ae rdx 0 rbx 0xffffffff82838a60 .str.27 rsp 0xfffffe0056ec7e10 rbp 0xfffffe0056ec7e30 rsi 0 rdi 0xffffffff816611a9 printf+0x149 r8 0 r9 0xffffffff r10 0 r11 0x3 r12 0xfffffe00586dc000 r13 0xfffffffffffffffd r14 0xffffffff82838a60 .str.27 r15 0 rip 0xffffffff8164a48e kdb_enter+0x6e rflags 0x46 kdb_enter+0x6e: movq $0,0x2589a07(%rip) db> show proc Process 1005 (ifconfig) at 0xfffffe0007809ac0: state: NORMAL uid: 0 gid: 0 supp gids: 0, 5 parent: pid 1001 at 0xfffffe005870e008 ABI: FreeBSD ELF64 flag: 0x10004000 flag2: 0 arguments: ifconfig tap2 destroy reaper: 0xfffffe0007809010 reapsubtree: 1 sigparent: 20 vmspace: 0xfffffe00586c5db0 (map 0xfffffe00586c5db0) (map.pmap 0xfffffe00586c5e50) (pmap 0xfffffe00586c5ec0) threads: 1 100115 Run CPU 1 ifconfig db> ps pid ppid pgrp uid state wmesg wchan cmd 1005 1001 1001 0 R CPU 1 ifconfig 1004 766 766 0 R (threaded) syz-executor 100255 RunQ syz-executor 100258 RunQ syz-executor 100259 D ufs 0xfffffe006e8843e0 syz-executor 100260 S nanslp 0xffffffff83bb4f41 syz-executor 1003 768 768 0 R (threaded) syz-executor 100137 RunQ syz-executor 100257 S uwait 0xfffffe0058597c80 syz-executor 1002 765 765 0 R (threaded) syz-executor 100109 RunQ syz-executor 100256 RunQ syz-executor 1001 764 1001 0 S wait 0xfffffe005870e008 syz-executor 1000 1 765 -1 S uwait 0xfffffe00599ab700 syz-executor 999 1 765 -1 S uwait 0xfffffe005859af00 syz-executor 998 1 998 0 Ss+ ttyin 0xfffffe00595510b0 getty 997 1 997 0 Ss+ ttyin 0xfffffe0058330cb0 getty 996 1 768 0 S uwait 0xfffffe00599ab400 syz-executor 995 1 995 0 Ss+ ttyin 0xfffffe00595508b0 getty 990 1 990 0 Ss+ ttyin 0xfffffe0007bf70b0 getty 988 1 768 0 S uwait 0xfffffe00599aa200 syz-executor 984 1 984 0 Ss+ ttyin 0xfffffe0007bf90b0 getty 980 1 980 0 Ss+ ttyin 0xfffffe0007bf88b0 getty 978 1 978 0 Ss+ ttyin 0xfffffe00595518b0 getty 977 1 768 0 S umtxn 0xfffffe00599ac200 syz-executor 974 1 974 0 Ss+ ttyin 0xfffffe0007bf80b0 getty 970 1 970 0 Ss+ ttyin 0xfffffe0007bf78b0 getty 962 1 766 0 S uwait 0xfffffe00599aa080 syz-executor 961 1 768 0 S uwait 0xfffffe005859a580 syz-executor 954 1 766 0 S uwait 0xfffffe00599abb80 syz-executor 939 1 766 0 SV uwait 0xfffffe005859a900 syz-executor 937 1 765 0 S uwait 0xfffffe0058597a00 syz-executor 931 0 0 0 DL mdwait 0xfffffe006b804000 [md0] 926 1 765 0 S uwait 0xfffffe0058597500 syz-executor 925 1 765 0 S uwait 0xfffffe005859a700 syz-executor 910 0 0 0 DL (threaded) [so_splice] 100163 D - 0xfffffe006e879000 [thr_0] 100176 D - 0xfffffe006e879040 [thr_1] 892 1 768 0 S uwait 0xfffffe0058313b80 syz-executor 887 1 768 0 S uwait 0xfffffe00599ac000 syz-executor 877 0 0 0 DL (threaded) [KTLS] 100151 D - 0xfffffe005833b400 [thr_0] 100152 D - 0xfffffe005833b480 [thr_1] 100153 D - 0xffffffff83cd68e8 [reclaim_0] 816 0 0 0 DL aiordy 0xfffffe00586eb560 [aiod5] 815 0 0 0 DL aiordy 0xfffffe00586ebab8 [aiod4] 814 0 0 0 DL aiordy 0xfffffe00586ec010 [aiod3] 813 0 0 0 DL aiordy 0xfffffe00586d0568 [aiod2] 811 0 0 0 DL aiordy 0xfffffe00586ec568 [aiod1] 768 764 768 0 R syz-executor 766 764 766 0 R syz-executor 765 764 765 0 R syz-executor 764 1 762 0 S select 0xfffffe006dc720c0 syz-executor 16 0 0 0 DL syncer 0xffffffff83ce2ae0 [syncer] 15 0 0 0 DL vlruwt 0xfffffe0058602558 [vnlru] 14 0 0 0 DL (threaded) [bufdaemon] 100079 D psleep 0xffffffff83ce1020 [bufdaemon] 100082 D - 0xffffffff83001ec0 [bufspacedaemon-0] 100093 D sdflush 0xfffffe0057f1fce8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83d223c0 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100077 D psleep 0xffffffff83d08488 [dom0] 100080 D launds 0xffffffff83d08494 [laundry: dom0] 100081 D umarcl 0xffffffff81e34af0 [uma] 7 0 0 0 DL - 0xffffffff8392d510 [rand_harvestq] 6 0 0 0 DL pftm 0xffffffff8484bf80 [pf purge] 5 0 0 0 DL waiting 0xffffffff844c9700 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100045 D - 0xffffffff838f7340 [doneq0] 100046 D - 0xffffffff838f72c0 [async] 100075 D - 0xffffffff838f7140 [scanner] 3 0 0 0 DL (threaded) [crypto] 100042 D crypto_ 0xffffffff83d03d20 [crypto] 100043 D crypto_ 0xfffffe00077af830 [crypto returns 0] 100044 D crypto_ 0xfffffe00077af880 [crypto returns 1] 13 0 0 0 DL (threaded) [geom] 100037 D - 0xffffffff83b5d520 [g_event] 100038 D - 0xffffffff83b5d540 [g_up] 100039 D - 0xffffffff83b5d560 [g_down] 2 0 0 0 RL (threaded) [clock] 100031 Run CPU 0 [clock (0)] 100032 I [clock (1)] 12 0 0 0 WL (threaded) [intr] 100013 I [swi6: task queue] 100014 I [swi6: Giant taskq] 100016 I [swi5: fast taskq] 100033 I [swi1: netisr 0] 100034 I [swi1: hpts] 100035 I [swi1: hpts] 100047 I [irq24: virtio_pci0] 100048 I [irq25: virtio_pci0] 100049 I [irq26: virtio_pci0] 100050 I [irq27: virtio_pci0] 100051 I [irq28: virtio_pci1] 100052 I [irq29: virtio_pci1] 100053 I [irq30: virtio_pci1] 100054 I [irq31: virtio_pci1] 100055 I [irq32: virtio_pci1] 100060 I [irq10: virtio_pci2] 100062 I [irq1: atkbd0] 100063 I [irq12: psm0] 100064 I [swi0: uart uart++] 100068 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffffe0007809010 [init] 10 0 0 0 DL audit_w 0xffffffff83d047c0 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D - 0xffffffff84c5bff0 [kernel] 100005 D - 0xfffffe00077cb000 [softirq_0] 100006 D - 0xfffffe00077cae00 [softirq_1] 100007 D - 0xfffffe00077cad00 [if_io_tqg_0] 100008 D - 0xfffffe00077cac00 [if_io_tqg_1] 100009 D - 0xfffffe00077cab00 [if_config_tqg_0] 100010 D - 0xfffffe00077caa00 [kqueue_ctx taskq] 100011 D - 0xfffffe00077ca900 [jail_remove taskq] 100012 D - 0xfffffe00077ca800 [bus taskq] 100015 D - 0xfffffe00077ca500 [thread taskq] 100017 D - 0xfffffe00077ca300 [aiod_kick taskq] 100018 D - 0xfffffe00077ca200 [deferred_unmount ta] 100019 D - 0xfffffe00077ca100 [inm_free taskq] 100020 D - 0xfffffe00077ca000 [in6m_free taskq] 100021 D - 0xfffffe00077c9e00 [linuxkpi_irq_wq] 100022 D - 0xfffffe00077c9d00 [linuxkpi_short_wq_0] 100023 D - 0xfffffe00077c9d00 [linuxkpi_short_wq_1] 100024 D - 0xfffffe00077c9d00 [linuxkpi_short_wq_2] 100025 D - 0xfffffe00077c9d00 [linuxkpi_short_wq_3] 100026 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_0] 100027 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_1] 100028 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_2] 100029 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_3] 100036 D - 0xfffffe00077c9b00 [firmware taskq] 100040 D - 0xfffffe00077c9100 [crypto_0] 100041 D - 0xfffffe00077c9100 [crypto_1] 100056 D - 0xfffffe00077c8900 [vtnet0 rxq 0] 100057 D - 0xfffffe00077c8800 [vtnet0 txq 0] 100058 D - 0xfffffe00077c8700 [vtnet0 rxq 1] 100059 D - 0xfffffe00077c8600 [vtnet0 txq 1] 100061 D vtbslp 0xfffffe005800d900 [virtio_balloon] 100065 D - 0xffffffff8283d141 [deadlkres] 100069 D - 0xfffffe00077c8b00 [acpi_task_0] 100070 D - 0xfffffe00077c8b00 [acpi_task_1] 100071 D - 0xfffffe00077c8b00 [acpi_task_2] 100073 D - 0xfffffe00077cb100 [mca taskq] 100074 D - 0xfffffe00077c8a00 [CAM taskq] 100076 D - 0xfffffe00077c8300 [ipsec_offload] db> show all locks Process 1005 (ifconfig) thread 0xfffffe00586dc000 (100115) exclusive sleep mutex in6_multi_list_mtx (in6_multi_list_mtx) r = 0 (0xffffffff83cff020) locked @ /syzkaller/managers/main/kernel/sys/netinet6/in6_mcast.c:1386 shared rw rawinp (rawinp) r = 0 (0xfffffe006de3d320) locked @ /syzkaller/managers/main/kernel/sys/netinet/in_pcb.c:1486 exclusive sx in6_multi_sx (in6_multi_sx) r = 0 (0xffffffff83cff060) locked @ /syzkaller/managers/main/kernel/sys/netinet6/in6_ifattach.c:875 exclusive sx ifnet_detach_sx (ifnet_detach_sx) r = 1 (0xffffffff83ce3280) locked @ /syzkaller/managers/main/kernel/sys/net/if.c:2910 Process 1004 (syz-executor) thread 0xfffffe0058734780 (100258) exclusive lockmgr bufwait (bufwait) r = 0 (0xfffffe0007d417e0) locked @ /syzkaller/managers/main/kernel/sys/kern/vfs_bio.c:1754 exclusive lockmgr ufs (ufs) r = 0 (0xfffffe006e8843e0) locked @ /syzkaller/managers/main/kernel/sys/kern/vfs_vnops.c:1315 Process 1004 (syz-executor) thread 0xfffffe005873d000 (100259) exclusive lockmgr rename (rename) r = 0 (0xfffffe005862c090) locked @ /syzkaller/managers/main/kernel/sys/kern/vfs_syscalls.c:3840 Process 1002 (syz-executor) thread 0xfffffe0058734000 (100256) exclusive lockmgr bufwait (bufwait) r = 0 (0xfffffe0007d17720) locked @ /syzkaller/managers/main/kernel/sys/kern/vfs_bio.c:1754 shared lockmgr ufs (ufs) r = 0 (0xfffffe006e802070) locked @ /syzkaller/managers/main/kernel/sys/kern/vfs_subr.c:3395 db> show malloc Type InUse MemUse Requests pf_hash 6 12804K 6 linker 385 5207K 572 tcp_hpts 8 4865K 8 devbuf 4187 4324K 4213 sysctloid 35395 2086K 35470 vtbuf 24 1968K 46 kobj 337 1348K 512 newblk 315 1103K 2143 vfscache 3 1025K 3 pcb 32 676K 104 inodedep 41 527K 251 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 472K 4 filedesc 45 357K 324 subproc 135 258K 1082 vnet_data 2 224K 2 acpitask 1 224K 1 KTRACE 101 201K 1145 acpica 1674 184K 56983 vmem 5 146K 8 tidhash 3 141K 3 pagedep 26 135K 111 tfo_ccache 1 128K 1 IP reass 1 128K 1 DEVFS1 107 107K 142 sem 4 106K 4 gtaskqueue 18 98K 18 LRO 30 93K 44 bus 1020 83K 5178 mtx_pool 3 74K 3 syncache 1 68K 1 NFSD srvcache 3 68K 3 module 529 67K 531 ddb_capture 1 64K 1 umtx 336 42K 336