panic: ASan: Invalid access, 8-byte read at 0xfffffe00077c3620, UMAUseAfterFree(fd) cpuid = 1 time = 1766493603 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe00570ce1d0 kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe00570ce330 vpanic() at vpanic+0x257/frame 0xfffffe00570ce4f0 panic() at panic+0xb5/frame 0xfffffe00570ce5b0 kasan_report() at kasan_report+0xdf/frame 0xfffffe00570ce680 ip6_freemoptions() at ip6_freemoptions+0x1ff/frame 0xfffffe00570ce6e0 in_pcbfree() at in_pcbfree+0x682/frame 0xfffffe00570ce730 sorele_locked() at sorele_locked+0x264/frame 0xfffffe00570ce770 soclose() at soclose+0x41f/frame 0xfffffe00570ce860 _fdrop() at _fdrop+0x5c/frame 0xfffffe00570ce890 closef() at closef+0x655/frame 0xfffffe00570cea70 fdescfree() at fdescfree+0xa5e/frame 0xfffffe00570cec50 exit1() at exit1+0x887/frame 0xfffffe00570cecf0 sys__exit() at sys__exit+0x28/frame 0xfffffe00570ced10 amd64_syscall() at amd64_syscall+0x4e2/frame 0xfffffe00570cef30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe00570cef30 --- syscall (1, FreeBSD ELF64, _exit), rip = 0x3a69ba, rsp = 0x82127d898, rbp = 0x82127d8a0 --- KDB: enter: panic [ thread pid 1117 tid 100246 ] Stopped at kdb_enter+0x6e: movq $0,0x2587a77(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xffffffff81663bce _vprintf+0x1ae rdx 0 rbx 0xffffffff8283c160 .str.27 rsp 0xfffffe00570ce310 rbp 0xfffffe00570ce330 rsi 0 rdi 0xffffffff81664139 printf+0x149 r8 0 r9 0xffffffff r10 0 r11 0xfffffe0058b40550 r12 0xfffffe0058b40000 r13 0xfffffffffffffffd r14 0xffffffff8283c160 .str.27 r15 0 rip 0xffffffff8164d41e kdb_enter+0x6e rflags 0x46 kdb_enter+0x6e: movq $0,0x2587a77(%rip) db> show proc Process 1117 (syz-executor) at 0xfffffe0058b29570: state: NORMAL uid: 0 gid: 0 supp gids: 0, 5 parent: pid 766 at 0xfffffe0058ad5000 ABI: FreeBSD ELF64 flag: 0x10002000 flag2: 0x40000 arguments: ./syz-executor exec reaper: 0xfffffe0007809010 reapsubtree: 1 sigparent: 20 vmspace: 0xfffffe0058b2b6d8 (map 0xfffffe0058b2b6d8) (map.pmap 0xfffffe0058b2b778) (pmap 0xfffffe0058b2b7e8) threads: 1 100246 Run CPU 1 syz-executor db> ps pid ppid pgrp uid state wmesg wchan cmd 1122 1120 764 0 SV uwait 0xfffffe0058697480 syz-executor 1120 764 764 0 T (threaded) syz-executor 100235 s syz-executor 100379 D ppwait 0xfffffe0058ad7a68 syz-executor 1118 0 0 0 DL mdwait 0xfffffe0077d1b000 [md0] 1117 766 766 0 RE CPU 1 syz-executor 1115 1 763 0 S uwait 0xfffffe0058695d80 syz-executor 1092 1 1092 0 Ss+ ttyin 0xfffffe005422dcb0 getty 1091 1 1091 0 Ss+ ttyin 0xfffffe00599530b0 getty 1090 1 1090 0 Ss+ ttyin 0xfffffe00599538b0 getty 1089 1 1089 0 Ss+ ttyin 0xfffffe00542308b0 getty 1088 1 1088 0 Ss+ ttyin 0xfffffe0007bf70b0 getty 1087 1 1087 0 Ss+ ttyin 0xfffffe0007bf78b0 getty 1086 1 1086 0 Ss+ ttyin 0xfffffe0007bf90b0 getty 1085 1 1085 0 Ss+ ttyin 0xfffffe0007bf88b0 getty 1084 1 1084 0 Ss+ ttyin 0xfffffe0007bf80b0 getty 1021 0 0 0 DL (threaded) [so_splice] 100253 D - 0xfffffe0058697380 [thr_0] 100314 D - 0xfffffe00586973c0 [thr_1] 991 1 763 0 S uwait 0xfffffe0059a33d80 syz-executor 986 0 0 0 DL - 0xffffffff83cd60c0 [soaiod4] 985 0 0 0 DL - 0xffffffff83cd60c0 [soaiod3] 984 0 0 0 DL - 0xffffffff83cd60c0 [soaiod2] 983 0 0 0 DL - 0xffffffff83cd60c0 [soaiod1] 981 1 763 0 S uwait 0xfffffe0059a32c80 syz-executor 938 1 763 0 S uwait 0xfffffe0059a31e00 syz-executor 935 1 764 0 S uwait 0xfffffe0058695e80 syz-executor 833 1 766 0 SV uwait 0xfffffe0059a34100 syz-executor 821 0 0 0 DL aiordy 0xfffffe0058b0bab8 [aiod4] 820 0 0 0 DL aiordy 0xfffffe0058b0c010 [aiod3] 819 0 0 0 DL aiordy 0xfffffe0058b0c568 [aiod2] 818 0 0 0 DL aiordy 0xfffffe0058b0a000 [aiod1] 814 1 763 0 S uwait 0xfffffe0059a32a80 syz-executor 766 762 766 0 S nanslp 0xffffffff83bb5f41 syz-executor 764 762 764 0 S nanslp 0xffffffff83bb5f41 syz-executor 763 762 763 0 S piperd 0xfffffe0059bb7420 syz-executor 762 1 760 0 S nanslp 0xffffffff83bb5f41 syz-executor 737 1 17 0 S+ piperd 0xfffffe0059bb79e0 logger 736 735 17 0 S+ nanslp 0xffffffff83bb5f40 sleep 735 1 17 0 S+ wait 0xfffffe0058ad6008 sh 685 1 685 0 Ss nanslp 0xffffffff83bb5f40 cron 681 1 681 0 Ss select 0xfffffe0059a87940 sshd 494 1 494 0 Ss select 0xfffffe0059a878c0 syslogd 16 0 0 0 DL syncer 0xffffffff83ce3ae0 [syncer] 15 0 0 0 DL vlruwt 0xfffffe000780a018 [vnlru] 14 0 0 0 DL (threaded) [bufdaemon] 100079 D psleep 0xffffffff83ce2020 [bufdaemon] 100082 D - 0xffffffff83001ec0 [bufspacedaemon-0] 100093 D sdflush 0xfffffe0057f1fce8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83d23380 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100077 D psleep 0xffffffff83d09448 [dom0] 100080 D launds 0xffffffff83d09454 [laundry: dom0] 100081 D umarcl 0xffffffff81e37c30 [uma] 7 0 0 0 DL - 0xffffffff8392e510 [rand_harvestq] 6 0 0 0 DL pftm 0xffffffff84453f80 [pf purge] 5 0 0 0 DL waiting 0xffffffff8491c700 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100045 D - 0xffffffff838f8340 [doneq0] 100046 D - 0xffffffff838f82c0 [async] 100075 D - 0xffffffff838f8140 [scanner] 3 0 0 0 DL (threaded) [crypto] 100042 D crypto_ 0xffffffff83d04ce0 [crypto] 100043 D crypto_ 0xfffffe00077af830 [crypto returns 0] 100044 D crypto_ 0xfffffe00077af880 [crypto returns 1] 13 0 0 0 DL (threaded) [geom] 100037 D - 0xffffffff83b5e520 [g_event] 100038 D - 0xffffffff83b5e540 [g_up] 100039 D - 0xffffffff83b5e560 [g_down] 2 0 0 0 WL (threaded) [clock] 100031 I [clock (0)] 100032 I [clock (1)] 12 0 0 0 WL (threaded) [intr] 100013 I [swi6: task queue] 100014 I [swi6: Giant taskq] 100016 I [swi5: fast taskq] 100033 I [swi1: netisr 0] 100034 I [swi1: hpts] 100035 I [swi1: hpts] 100047 I [irq24: virtio_pci0] 100048 I [irq25: virtio_pci0] 100049 I [irq26: virtio_pci0] 100050 I [irq27: virtio_pci0] 100051 I [irq28: virtio_pci1] 100052 I [irq29: virtio_pci1] 100053 I [irq30: virtio_pci1] 100054 I [irq31: virtio_pci1] 100055 I [irq32: virtio_pci1] 100060 I [irq10: virtio_pci2] 100062 I [irq1: atkbd0] 100063 I [irq12: psm0] 100064 I [swi0: uart uart++] 100068 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 Run CPU 0 [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffffe0007809010 [init] 10 0 0 0 DL audit_w 0xffffffff83d05780 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D - 0xffffffff84c5dff0 [kernel] 100005 D - 0xfffffe00077cb000 [softirq_0] 100006 D - 0xfffffe00077cae00 [softirq_1] 100007 D - 0xfffffe00077cad00 [if_io_tqg_0] 100008 D - 0xfffffe00077cac00 [if_io_tqg_1] 100009 D - 0xfffffe00077cab00 [if_config_tqg_0] 100010 D - 0xfffffe00077caa00 [kqueue_ctx taskq] 100011 D - 0xfffffe00077ca900 [jail_remove taskq] 100012 D - 0xfffffe00077ca800 [bus taskq] 100015 D - 0xfffffe00077ca500 [thread taskq] 100017 D - 0xfffffe00077ca300 [aiod_kick taskq] 100018 D - 0xfffffe00077ca200 [deferred_unmount ta] 100019 D - 0xfffffe00077ca100 [inm_free taskq] 100020 D - 0xfffffe00077ca000 [in6m_free taskq] 100021 D - 0xfffffe00077c9e00 [linuxkpi_irq_wq] 100022 D - 0xfffffe00077c9d00 [linuxkpi_short_wq_0] 100023 D - 0xfffffe00077c9d00 [linuxkpi_short_wq_1] 100024 D - 0xfffffe00077c9d00 [linuxkpi_short_wq_2] 100025 D - 0xfffffe00077c9d00 [linuxkpi_short_wq_3] 100026 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_0] 100027 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_1] 100028 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_2] 100029 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_3] 100036 D - 0xfffffe00077c9b00 [firmware taskq] 100040 D - 0xfffffe00077c9100 [crypto_0] 100041 D - 0xfffffe00077c9100 [crypto_1] 100056 D - 0xfffffe00077c8900 [vtnet0 rxq 0] 100057 D - 0xfffffe00077c8800 [vtnet0 txq 0] 100058 D - 0xfffffe00077c8700 [vtnet0 rxq 1] 100059 D - 0xfffffe00077c8600 [vtnet0 txq 1] 100061 D vtbslp 0xfffffe005800d900 [virtio_balloon] 100065 D - 0xffffffff82840841 [deadlkres] 100069 D - 0xfffffe00077c8b00 [acpi_task_0] 100070 D - 0xfffffe00077c8b00 [acpi_task_1] 100071 D - 0xfffffe00077c8b00 [acpi_task_2] 100073 D - 0xfffffe00077cb100 [mca taskq] 100074 D - 0xfffffe00077c8a00 [CAM taskq] 100076 D - 0xfffffe00077c8d00 [ipsec_offload] db> show all locks db> show malloc Type InUse MemUse Requests pf_hash 6 12804K 6 devbuf 8283 7252K 8310 linker 403 5231K 622 tcp_hpts 8 4865K 8 sysctloid 35299 2080K 35491 vtbuf 24 1968K 46 kobj 337 1348K 521 newblk 170 1067K 2065 vfscache 3 1025K 3 pcb 22 669K 131 inodedep 45 529K 424 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 472K 4 subproc 145 258K 1222 vnet_data 2 224K 2 acpitask 1 224K 1 filedesc 26 201K 440 KTRACE 102 201K 795 acpica 1674 184K 56983 vmem 5 144K 6 tidhash 3 141K 3 pagedep 21 133K 198 tfo_ccache 1 128K 1 IP reass 1 128K 1 DEVFS1 107 107K 146 sem 4 106K 4 gtaskqueue 18 98K 18 LRO 32 95K 48 bus 1020 83K 5178 mtx_pool 3 74K 3 syncache 1 68K 1 NFSD srvcache 3 68K 3 module 530 67K 532 ddb_capture 1 64K 1 umtx 336 42K 336 kdtrace 206 41K 1514 hostcache 1 32K 1 shm 1 32K 4 DEVFS3 126 32K 144 msg 4 30K 4 kbdmux 6 28K 6 routetbl 466 27K 1383 temp 32 21K 2473 DEVFS_RULE 56 20K 56 ifaddr 69 19K 136 ufs_mount 4 17K 5 proc 3 17K 3 tty 16 16K 16 ithread 90 15K 90 bus-sc 34 15K 1693 eventhandler 170 14K 170 lltable 44 13K 105 kenv 95 12K 95 GEOM 54 12K 499 shmfd 7 11K 12 CAM queue 5 11K 1528 ether_multi 124 10K 372 rman 75 10K 440 cred 25 10K 361 rpc 8 9K 8 bmsafemap 3 9K 351 freework 34 9K 485 devstat 4 9K 4 UART 12 9K 12 ksem 1 8K 1 pfs_vncache 1 8K 1 audit_evclass 240 8K 306 in6_multi 56 8K 137 taskqueue 69 8K 81 plimit 19 8K 705 ifnet 7 7K 14 sglist 6 7K 6 pf_ifnet 17 6K 54 CAM DEV 3 6K 510 pfs_nodes 22 6K 22 ufs_dirhash 24 5K 30 UMA 270 5K 271 vt 11 5K 11 md_disk 2 5K 7 memdesc 1 4K 1 MCA 32 4K 32 md_sectors 1 4K 4 evdev 4 4K 4 kqueue 57 4K 1301 acpisem 28 4K 28 pwddesc 55 4K 1155 dirrem 12 3K 292 mkdir 23 3K 336 diradd 23 3K 327 terminal 11 3K 11 acpidev 20 3K 20 hhook 8 3K 10 netlink 2 3K 217 uidinfo 2 3K 21 local_apic 1 2K 1 io_apic 1 2K 1 freeblks 8 2K 222 indirdep 8 2K 529 ipsec-saq 2 2K 2 clone 8 2K 8 proc-args 66 2K 2437 DEVFSP 31 2K 139 session 15 2K 63 lockf 17 2K 101 newdirblk 14 2K 168 ip6ndp 12 2K 28 kcovinfo 27 2K 99 Unitno 27 2K 376 CAM XPT 22 2K 543 tun 4 2K 11 toponodes 6 2K 6 sctp_ifa 11 2K 28 ipsecpolicy 2 2K 2 freefile 10 2K 245 in_multi 5 2K 17 msi 9 2K 9 softdep 1 1K 1 sahead 1 1K 1 secasvar 1 1K 1 CC Mem 8 1K 69 nhops 6 1K 8 vnodemarker 2 1K 26 NFSD session 1 1K 1 mld 7 1K 14 igmp 7 1K 14 CAM periph 4 1K 271 ipsec 3 1K 3 pfil 6 1K 6 BPF 6 1K 28 isadev 6 1K 8 mount 16 1K 469 pci_link 10 1K 10 osd 13 1K 87 sctp_ifn 5 1K 28 crypto 4 1K 12 encap_export_host 12 1K 12 selfd 9 1K 21418 sctp_timw 2 1K 2 inpcbpolicy 16 1K 354 ip_msource 8 1K 15 cdev 2 1K 2 lkpikmalloc 8 1K 9 counter_rate 13 1K 13 chacha20random 1 1K 1 biobuf 1 1K 1 select 3 1K 39 ip6opt 2 1K 16 in6_mfilter 4 1K 26 vnodes 1 1K 8 NFSD lckfile 1 1K 1 NFSD V4client 1 1K 1 DEVFS 9 1K 10 CAM SIM 2 1K 2 ip6_msource 3 1K 15 frag6 2 1K 2 tcpfunc 3 1K 3 loginclass 3 1K 5 prison 6 1K 6 nexusdev 8 1K 8 apmdev 1 1K 1 atkbddev 2 1K 2 VN POLL 1 1K 11 aio 4 1K 6 pmchooks 1 1K 1 CAM path 4 1K 1034 CAM dev queue 2 1K 2 CAM I/O Scheduler 1 1K 1 filecaps 3 1K 78 sctp_vrf 1 1K 1 cryptodev 1 1K 70