[ 42.0105800] panic: ASan: Unauthorized Access In 0xffffffff816c7699: Addr 0xffffb88012cfd518 [8 bytes, read, PoolUseAfterFree] [ 42.0201052] cpu1: Begin traceback... [ 42.0344160] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 [ 42.0534912] snprintf() at netbsd:snprintf executing program [ 42.0773366] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline] [ 42.0773366] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197 [ 42.1011853] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline] [ 42.1011853] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline] [ 42.1011853] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline] [ 42.1011853] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210 [ 42.1250285] mutex_oncpu() at netbsd:mutex_oncpu+0x38 mutex_oncpu sys/kern/kern_mutex.c:422 [inline] [ 42.1250285] mutex_oncpu() at netbsd:mutex_oncpu+0x38 sys/kern/kern_mutex.c:406 [ 42.1488772] mutex_enter() at netbsd:mutex_enter+0x1a1 sys/kern/kern_mutex.c:550 executing program [ 42.1727227] lwp_exit() at netbsd:lwp_exit+0x32e sys/kern/kern_lwp.c:1140 [ 42.1965720] lwp_userret() at netbsd:lwp_userret+0x1f5 sys/kern/kern_lwp.c:1639 [ 42.2204142] syscall() at netbsd:syscall+0x85e x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline] [ 42.2204142] syscall() at netbsd:syscall+0x85e KPREEMPT_DISABLE sys/sys/lwp.h:536 [inline] [ 42.2204142] syscall() at netbsd:syscall+0x85e mi_userret sys/sys/userret.h:97 [inline] [ 42.2204142] syscall() at netbsd:syscall+0x85e userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] [ 42.2204142] syscall() at netbsd:syscall+0x85e sys/arch/x86/x86/syscall.c:166 [ 42.2299519] --- syscall (number 4) --- [ 42.2442587] 75685d0ade7a: [ 42.2442587] cpu1: End traceback... [ 42.2490258] fatal breakpoint trap in supervisor mode [ 42.2537945] trap type 1 code 0 rip 0xffffffff802209c5 cs 0x8 rflags 0x246 cr2 0x75685d3fb729 ilevel 0 rsp 0xffffb8817f63fb90 [ 42.2633359] curlwp 0xffffb88012cfd0c0 pid 1492.1468 lowest kstack 0xffffb8817f6382c0 Stopped in pid 1492.1468 (syz-executor1541) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 snprintf() at netbsd:snprintf kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197 __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210 mutex_oncpu() at netbsd:mutex_oncpu+0x38 mutex_oncpu sys/kern/kern_mutex.c:422 [inline] mutex_oncpu() at netbsd:mutex_oncpu+0x38 sys/kern/kern_mutex.c:406 mutex_enter() at netbsd:mutex_enter+0x1a1 sys/kern/kern_mutex.c:550 lwp_exit() at netbsd:lwp_exit+0x32e sys/kern/kern_lwp.c:1140 lwp_userret() at netbsd:lwp_userret+0x1f5 sys/kern/kern_lwp.c:1639 syscall() at netbsd:syscall+0x85e x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline] syscall() at netbsd:syscall+0x85e KPREEMPT_DISABLE sys/sys/lwp.h:536 [inline] syscall() at netbsd:syscall+0x85e mi_userret sys/sys/userret.h:97 [inline] syscall() at netbsd:syscall+0x85e userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] syscall() at netbsd:syscall+0x85e sys/arch/x86/x86/syscall.c:166 --- syscall (number 4) --- 75685d0ade7a: ds d0c0 es 9f80 fs fb70 gs 2607 rdi ffffffff82bdf240 db_onpanic rsi 1ffffffff057be48 rbp ffffb8817f63fb90 rbx ffffb8816e699000 rdx 0 rcx ffffffff81265c09 db_panic+0xd5 rax 0 r8 4 r9 1ffffffff057be48 r10 ffffffff82bdf243 db_onpanic+0x3 r11 10 r12 ffffb8816e6aa000 r13 ffffffff824442b0 ostype+0x70890 r14 ffffb8817f63fc20 r15 ffffb8816e699060 rip ffffffff802209c5 breakpoint+0x5 cs 8 rflags 246 rsp ffffb8817f63fb90 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 1454 1454 2 0 0 ffffb88014085780 syz-executor1541 2079 2079 2 0 0 ffffb88014085340 syz-executor1541 2173 1617 2 0 0 ffffb88012c501c0 syz-executor1541 2173 1577 2 0 0 ffffb880137226c0 syz-executor1541 2173 2173 2 0 0 ffffb88012c85ac0 syz-executor1541 1492 >1468 7 1 100000 ffffb88012cfd0c0 syz-executor1541 1492 1492 2 1 10000040 ffffb88012ceb080 syz-executor1541 2080 1580 5 0 100000 ffffb88014837180 syz-executor1541 2080 2080 3 0 10000000 ffffb88012be10c0 syz-executor1541 xclocv 698 698 2 1 40 ffffb880147ae8c0 syz-executor1541 691 691 2 0 40 ffffb880147ae480 syz-executor1541 692 692 2 1 40 ffffb880147ae040 syz-executor1541 694 694 2 1 40 ffffb8801385fb00 syz-executor1541 713 713 2 0 40 ffffb8801385f6c0 syz-executor1541 712 712 2 0 40 ffffb880138375c0 syz-executor1541 689 689 3 0 80 ffffb880129bb600 syz-executor1541 nanoslp 683 683 3 0 80 ffffb8801297b580 sshd select 1374 1374 3 1 80 ffffb88013857680 getty nanoslp 677 677 3 1 80 ffffb8801384d640 getty nanoslp 1245 1245 3 1 80 ffffb8801384d200 getty nanoslp 867 867 3 0 c0 ffffb8801386a2c0 getty ttyraw 668 668 3 1 80 ffffb880137a0b80 cron nanoslp 719 719 3 1 80 ffffb880137d54c0 inetd kqueue 592 592 3 0 80 ffffb88012db7240 sshd select 560 560 3 0 80 ffffb88012ceb4c0 powerd kqueue 1247 1247 2 1 0 ffffb88012bf4980 makemandb 957 957 3 0 80 ffffb880137a0740 syslogd kqueue 301 301 3 0 80 ffffb88012cd9040 dhcpcd kqueue 334 334 3 0 80 ffffb88012bc8900 dhcpcd kqueue 1 1 3 1 80 ffffb88012933100 init wait 0 575 3 0 200 ffffb8801297b9c0 physiod physiod 0 123 3 0 200 ffffb88012989a00 pooldrain pooldrain 0 122 2 1 240 ffffb880129895c0 ioflush 0 121 3 1 200 ffffb88012989180 pgdaemon pgdaemon 0 118 3 0 200 ffffb8801297b140 usb0 usbevt 0 117 3 1 200 ffffb88012933980 usbtask-dr usbtsk 0 116 3 1 200 ffffb8800fe5dac0 usbtask-hc usbtsk 0 115 3 0 200 ffffb88012933540 npfgc-0 npfgccv 0 114 3 1 200 ffffb88012923940 rt_free rt_free 0 113 3 1 200 ffffb88012923500 unpgc unpgc 0 112 3 0 200 ffffb880129230c0 key_timehandler key_timehandler 0 111 3 1 200 ffffb88012919900 icmp6_wqinput/1 icmp6_wqinput 0 110 3 0 200 ffffb880129194c0 icmp6_wqinput/0 icmp6_wqinput 0 109 3 0 200 ffffb88012919080 nd6_timer nd6_timer 0 108 3 1 200 ffffb880127698c0 carp6_wqinput/1 carp6_wqinput 0 107 3 0 200 ffffb88012769480 carp6_wqinput/0 carp6_wqinput 0 106 3 1 200 ffffb88012769040 carp_wqinput/1 carp_wqinput 0 105 3 0 200 ffffb88012759bc0 carp_wqinput/0 carp_wqinput 0 104 3 1 200 ffffb88012759780 icmp_wqinput/1 icmp_wqinput 0 103 3 0 200 ffffb88012759340 icmp_wqinput/0 icmp_wqinput 0 102 2 1 200 ffffb88012745b80 rt_timer 0 101 3 0 200 ffffb88012745740 vmem_rehash vmem_rehash 0 100 3 0 200 ffffb880127416c0 entbutler entropy 0 27 3 0 200 ffffb8800fe5d680 scsibus0 sccomp 0 26 3 0 200 ffffb8800fe5d240 pms0 pmsreset 0 25 2 1 200 ffffb8800fd9ea80 xcall/1 0 24 1 1 200 ffffb8800fd9e640 softser/1 0 23 1 1 200 ffffb8800fd9e200 softclk/1 0 22 1 1 200 ffffb8800fd9ca40 softbio/1 0 21 1 1 200 ffffb8800fd9c600 softnet/1 0 20 1 1 201 ffffb8800fd9c1c0 idle/1 0 19 3 0 200 ffffb8800e80aa00 lnxpwrwq lnxpwrwq 0 18 3 0 200 ffffb8800e80a5c0 lnxlngwq lnxlngwq 0 17 3 0 200 ffffb8800e80a180 lnxsyswq lnxsyswq 0 16 3 0 200 ffffb8800e8039c0 lnxrcugc lnxrcugc 0 15 3 0 200 ffffb8800e803580 sysmon smtaskq 0 14 3 1 200 ffffb8800e803140 pmfsuspend pmfsuspend 0 13 3 0 200 ffffb8800e7fe980 pmfevent pmfevent 0 12 3 0 200 ffffb8800e7fe540 sopendfree sopendfr 0 11 3 1 200 ffffb8800e7fe100 iflnkst iflnkst 0 10 3 0 200 ffffb8800e7f3940 nfssilly nfssilly 0 9 3 0 200 ffffb8800e7f3500 vdrain vdrain 0 8 3 1 200 ffffb8800e7f30c0 modunload mod_unld 0 7 3 0 200 ffffb8800e7e6900 xcall/0 xcall 0 6 1 0 200 ffffb8800e7e64c0 softser/0 0 5 1 0 200 ffffb8800e7e6080 softclk/0 0 4 1 0 200 ffffb8800e7e38c0 softbio/0 0 3 1 0 200 ffffb8800e7e3480 softnet/0 0 2 1 0 201 ffffb8800e7e3040 idle/0 0 > 0 7 0 240 ffffffff82caa080 swapper [Locks tracked through LWPs] ****** LWP 2173.2173 (syz-executor1541) @ 0xffffb88012c85ac0, l_stat=2 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at amap_ctor) lock address : 0xffffb88014404cc0 type : sleep/adaptive initialized : 0xffffffff8161ffe3 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 1 relevant cpu : 0 last held: 0 relevant lwp : 0xffffb88012c85ac0 last held: 000000000000000000 last locked : 0xffffffff816249d0 unlocked*: 0xffffffff8163ac31 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. ****** LWP 1492.1468 (syz-executor1541) @ 0xffffb88012cfd0c0, l_stat=7 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at fork1) lock address : 0xffffb88012d39980 type : sleep/adaptive initialized : 0xffffffff816afb1a shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 1 relevant cpu : 1 last held: 1 relevant lwp : 0xffffb88012cfd0c0 last held: 000000000000000000 last locked : 0xffffffff816c02ef unlocked*: 0xffffffff81688713 owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. ****** LWP 2080.2080 (syz-executor1541) @ 0xffffb88012be10c0, l_stat=3 *** Locks held: * Lock 0 (initialized at amap_ctor) lock address : 0xffffb88014404c40 type : sleep/adaptive initialized : 0xffffffff8161ffe3 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffb88012be10c0 last held: 0xffffb88012be10c0 last locked* : 0xffffffff8162ebf6 unlocked : 0xffffffff8162c766 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 692.692 (syz-executor1541) @ 0xffffb880147ae040, l_stat=2 *** Locks held: * Lock 0 (initialized at vcache_alloc) lock address : 0xffffb88014770c80 type : sleep/adaptive initialized : 0xffffffff81815cd3 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffb880147ae040 last held: 0xffffb880147ae040 last locked* : 0xffffffff8184456e unlocked : 0xffffffff818445d0 owner/count : 0xffffb880147ae040 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at vcache_alloc) lock address : 0xffffb88012c87700 type : sleep/adaptive initialized : 0xffffffff81815cd3 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffb880147ae040 last held: 0xffffb880147ae040 last locked* : 0xffffffff8184456e unlocked : 000000000000000000 owner/count : 0xffffb880147ae040 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 713.713 (syz-executor1541) @ 0xffffb8801385f6c0, l_stat=2 *** Locks held: * Lock 0 (initialized at vcache_alloc) lock address : 0xffffb880147db7c0 type : sleep/adaptive initialized : 0xffffffff81815cd3 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffb8801385f6c0 last held: 0xffffb8801385f6c0 last locked* : 0xffffffff8184456e unlocked : 0xffffffff818445d0 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at vcache_alloc) lock address : 0xffffb88012c87480 type : sleep/adaptive initialized : 0xffffffff81815cd3 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffb8801385f6c0 last held: 0xffffb8801385f6c0 last locked* : 0xffffffff8184456e unlocked : 000000000000000000 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 712.712 (syz-executor1541) @ 0xffffb880138375c0, l_stat=2 *** Locks held: * Lock 0 (initialized at vcache_alloc) lock address : 0xffffb88014770500 type : sleep/adaptive initialized : 0xffffffff81815cd3 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 1 relevant lwp : 0xffffb880138375c0 last held: 0xffffb880138375c0 last locked* : 0xffffffff8184456e unlocked : 0xffffffff818445d0 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at vcache_alloc) lock address : 0xffffb8801388ec40 type : sleep/adaptive initialized : 0xffffffff81815cd3 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 1 relevant lwp : 0xffffb880138375c0 last held: 0xffffb880138375c0 last locked* : 0xffffffff8184456e unlocked : 0xffffffff818445d0 [ 42.2728714] Skipping crash dump on recursive panic [ 42.2728714] panic: ASan: Unauthorized Access In 0xffffffff816e6a20: Addr 0xffffb8801388ec40 [8 bytes, read, PoolUseAfterFree] [ 42.2728714] cpu1: Begin traceback... [ 42.2728714] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 [ 42.2728714] snprintf() at netbsd:snprintf [ 42.2728714] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline] [ 42.2728714] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197 [ 42.2728714] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline] [ 42.2728714] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline] [ 42.2728714] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline] [ 42.2728714] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210 [ 42.2728714] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:186 [ 42.2728714] lockdebug_dump() at netbsd:lockdebug_dump+0x207 sys/kern/subr_lockdebug.c:750 [ 42.2728714] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb7 sys/kern/subr_lockdebug.c:830 [ 42.2728714] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26b lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:868 [inline] [ 42.2728714] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26b sys/kern/subr_lockdebug.c:932 [ 42.2728714] db_command() at netbsd:db_command+0x2ad sys/ddb/db_command.c:942 [ 42.2728714] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:439 [inline] [ 42.2728714] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:589 [ 42.2728714] db_trap() at netbsd:db_trap+0x206 sys/ddb/db_trap.c:94 [ 42.2728714] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:248 [ 42.2728714] trap() at netbsd:trap+0x57e sys/arch/amd64/amd64/trap.c:315 [ 42.2728714] --- trap (number 1) --- [ 42.2728714] breakpoint() at netbsd:breakpoint+0x5 [ 42.2728714] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 [ 42.2728714] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 [ 42.2728714] snprintf() at netbsd:snprintf [ 42.2728714] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline] [ 42.2728714] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197 [ 42.2728714] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline] [ 42.2728714] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline] [ 42.2728714] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline] [ 42.2728714] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210 [ 42.2728714] mutex_oncpu() at netbsd:mutex_oncpu+0x38 mutex_oncpu sys/kern/kern_mutex.c:422 [inline] [ 42.2728714] mutex_oncpu() at netbsd:mutex_oncpu+0x38 sys/kern/kern_mutex.c:406 [ 42.2728714] mutex_enter() at netbsd:mutex_enter+0x1a1 sys/kern/kern_mutex.c:550 [ 42.2728714] lwp_exit() at netbsd:lwp_exit+0x32e sys/kern/kern_lwp.c:1140 [ 42.2728714] lwp_userret() at netbsd:lwp_userret+0x1f5 sys/kern/kern_lwp.c:1639 [ 42.2728714] syscall() at netbsd:syscall+0x85e x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline] [ 42.2728714] syscall() at netbsd:syscall+0x85e KPREEMPT_DISABLE sys/sys/lwp.h:536 [inline] [ 42.2728714] syscall() at netbsd:syscall+0x85e mi_userret sys/sys/userret.h:97 [inline] [ 42.2728714] syscall() at netbsd:syscall+0x85e userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] [ 42.2728714] syscall() at netbsd:syscall+0x85e sys/arch/x86/x86/syscall.c:166 [ 42.2728714] --- syscall (number 4) --- [ 42.2728714] 75685d0ade7a: [ 42.2728714] cpu1: End traceback... [ 42.2728714] fatal breakpoint trap in supervisor mode [ 42.2728714] trap type 1 code 0 rip 0xffffffff802209c5 cs 0x8 rflags 0x246 cr2 0x75685d3fb729 ilevel 0x8 rsp 0xffffb8817f63f130 [ 42.2728714] curlwp 0xffffb88012cfd0c0 pid 1492.1468 lowest kstack 0xffffb8817f6382c0 Stopped in pid 1492.1468 (syz-executor1541) at netbsd:breakpoint+0x5: leave