[ 59.5560304] panic: ASan: Unauthorized Access In 0xffffffff816c76c9: Addr 0xffffbc80137932d8 [8 bytes, read, PoolUseAfterFree] [ 59.5660466] cpu1: Begin traceback... [ 59.5861088] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 [ 59.6061669] snprintf() at netbsd:snprintf [ 59.6362531] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline] [ 59.6362531] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197 [ 59.6663423] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline] [ 59.6663423] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline] [ 59.6663423] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline] [ 59.6663423] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210 [ 59.6964285] mutex_oncpu() at netbsd:mutex_oncpu+0x38 mutex_oncpu sys/kern/kern_mutex.c:422 [inline] [ 59.6964285] mutex_oncpu() at netbsd:mutex_oncpu+0x38 sys/kern/kern_mutex.c:406 [ 59.7164831] mutex_enter() at netbsd:mutex_enter+0x1a1 sys/kern/kern_mutex.c:550 [ 59.7465738] lwp_exit() at netbsd:lwp_exit+0x32e sys/kern/kern_lwp.c:1140 [ 59.7766611] lwp_userret() at netbsd:lwp_userret+0x1f5 sys/kern/kern_lwp.c:1639 [ 59.8067480] syscall() at netbsd:syscall+0x85e x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline] [ 59.8067480] syscall() at netbsd:syscall+0x85e KPREEMPT_DISABLE sys/sys/lwp.h:536 [inline] [ 59.8067480] syscall() at netbsd:syscall+0x85e mi_userret sys/sys/userret.h:97 [inline] [ 59.8067480] syscall() at netbsd:syscall+0x85e userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] [ 59.8067480] syscall() at netbsd:syscall+0x85e sys/arch/x86/x86/syscall.c:166 [ 59.8167779] --- syscall (number 4) --- [ 59.8268048] 7d37114ade7a: [ 59.8268048] cpu1: End traceback... [ 59.8368335] fatal breakpoint trap in supervisor mode [ 59.8368335] trap type 1 code 0 rip 0xffffffff802209c5 cs 0x8 rflags 0x246 cr2 0x7f0829c00000 ilevel 0 rsp 0xffffbc818c35fb90 [ 59.8468613] curlwp 0xffffbc801381e980 pid 1574.1577 lowest kstack 0xffffbc818c3582c0 Stopped in pid 1574.1577 (syz-executor.5) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 snprintf() at netbsd:snprintf kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197 __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210 mutex_oncpu() at netbsd:mutex_oncpu+0x38 mutex_oncpu sys/kern/kern_mutex.c:422 [inline] mutex_oncpu() at netbsd:mutex_oncpu+0x38 sys/kern/kern_mutex.c:406 mutex_enter() at netbsd:mutex_enter+0x1a1 sys/kern/kern_mutex.c:550 lwp_exit() at netbsd:lwp_exit+0x32e sys/kern/kern_lwp.c:1140 lwp_userret() at netbsd:lwp_userret+0x1f5 sys/kern/kern_lwp.c:1639 syscall() at netbsd:syscall+0x85e x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline] syscall() at netbsd:syscall+0x85e KPREEMPT_DISABLE sys/sys/lwp.h:536 [inline] syscall() at netbsd:syscall+0x85e mi_userret sys/sys/userret.h:97 [inline] syscall() at netbsd:syscall+0x85e userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] syscall() at netbsd:syscall+0x85e sys/arch/x86/x86/syscall.c:166 --- syscall (number 4) --- 7d37114ade7a: ds e980 es 9fb0 fs fb70 gs 9156 rdi ffffffff82bdf240 db_onpanic rsi 1ffffffff057be48 rbp ffffbc818c35fb90 rbx ffffbc816e699000 rdx 3ffff rcx ffffbc81844b8000 rax ffffbc80148ecdc0 r8 4 r9 1ffffffff057be48 r10 ffffffff82bdf243 db_onpanic+0x3 r11 10 r12 ffffbc816e6aa000 r13 ffffffff82444490 ostype+0x70890 r14 ffffbc818c35fc20 r15 ffffbc816e699060 rip ffffffff802209c5 breakpoint+0x5 cs 8 rflags 246 rsp ffffbc818c35fb90 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 1604 1604 2 0 0 ffffbc801385b6c0 syz-executor.4 2206 1576 2 0 0 ffffbc8014adf2c0 syz-executor.1 2206 1983 2 0 0 ffffbc8013793b40 syz-executor.1 2206 >2206 7 0 0 ffffbc8012ceb900 syz-executor.1 1574 1573 2 1 100000 ffffbc80137c9480 syz-executor.5 1574 >1577 7 1 100000 ffffbc801381e980 syz-executor.5 1574 1574 2 1 10000040 ffffbc8014aeb740 syz-executor.5 1612 1593 2 1 0 ffffbc8012da3a80 syz-executor.0 1612 1612 2 0 10000000 ffffbc8012d2c5c0 syz-executor.0 1623 1564 3 0 80 ffffbc801381e540 syz-executor.2 parked 1623 1623 2 0 10000000 ffffbc8012a74b00 syz-executor.2 1618 1618 3 0 40080 ffffbc8012ca12c0 syz-executor.5 parked 1505 1505 3 1 80 ffffbc8012c1d180 syz-executor.2 parked 1598 1598 3 0 80 ffffbc8012b98040 syz-executor.4 parked 1663 1663 3 1 80 ffffbc80149ae600 syz-executor.4 parked 1341 1341 3 1 80 ffffbc8012d07980 syz-executor.1 parked 1109 1109 3 0 80 ffffbc8012d07540 syz-executor.1 parked 220 220 3 0 80 ffffbc8012b1b740 syz-executor.3 parked 705 705 3 0 80 ffffbc8014a1e200 syz-executor.3 parked 376 376 3 0 80 ffffbc8012a0da80 syz-executor.3 parked 834 834 3 0 80 ffffbc8012a0d200 syz-executor.3 parked 1247 1247 2 1 40 ffffbc8014928140 syz-executor.5 729 729 2 0 40 ffffbc80148af980 syz-executor.3 689 689 2 1 40 ffffbc80148af100 syz-executor.2 563 563 2 0 40 ffffbc8014884500 syz-executor.4 1335 1335 2 0 40 ffffbc80148840c0 syz-executor.1 694 694 2 1 40 ffffbc8012741700 syz-executor.0 709 698 3 1 80 ffffbc80148af540 syz-fuzzer parked 709 693 3 0 c0 ffffbc8014884940 syz-fuzzer parked 709 692 3 1 c0 ffffbc8013869b40 syz-fuzzer parked 709 572 3 1 c0 ffffbc80147cc4c0 syz-fuzzer parked 709 683 3 0 80 ffffbc80147cc080 syz-fuzzer parked 709 688 3 0 80 ffffbc801406a8c0 syz-fuzzer parked 709 723 3 1 80 ffffbc801406a480 syz-fuzzer parked 709 685 3 1 80 ffffbc8012c88680 syz-fuzzer parked 709 686 3 1 c0 ffffbc80136e8ac0 syz-fuzzer kqueue 709 724 3 1 c0 ffffbc80136e8680 syz-fuzzer parked 709 684 3 0 80 ffffbc8013848a80 syz-fuzzer parked 709 709 3 0 80 ffffbc8013876300 syz-fuzzer parked 867 867 3 0 80 ffffbc8013869700 sshd select 1183 1183 3 0 80 ffffbc801383c600 getty nanoslp 719 719 3 0 80 ffffbc801383c1c0 getty nanoslp 1374 1374 3 1 80 ffffbc8013833a00 getty nanoslp 1373 1373 3 1 c0 ffffbc80138335c0 getty ttyraw 894 894 3 0 80 ffffbc80136e8240 cron nanoslp 1184 1184 3 0 80 ffffbc80137a3b80 inetd kqueue 584 584 3 0 80 ffffbc8012d179c0 sshd select 602 602 3 1 80 ffffbc8012c1d5c0 powerd kqueue 459 459 3 1 80 ffffbc8013793700 syslogd kqueue 303 303 3 0 80 ffffbc8012cc7780 dhcpcd kqueue 333 333 3 0 80 ffffbc8012be30c0 dhcpcd kqueue 1 1 3 0 80 ffffbc8012932100 init wait 0 590 3 0 200 ffffbc801297c9c0 physiod physiod 0 123 3 0 200 ffffbc801298aa00 pooldrain pooldrain 0 122 3 0 240 ffffbc801298a5c0 ioflush biolock 0 121 3 1 200 ffffbc801298a180 pgdaemon pgdaemon 0 118 3 1 200 ffffbc801297c140 usb0 usbevt 0 117 3 1 200 ffffbc8012932980 usbtask-dr usbtsk 0 116 3 1 200 ffffbc800fe5cac0 usbtask-hc usbtsk 0 115 3 1 200 ffffbc8012932540 npfgc-0 npfgccv 0 114 3 1 200 ffffbc8012923940 rt_free rt_free 0 113 3 1 200 ffffbc8012923500 unpgc unpgc 0 112 3 0 200 ffffbc80129230c0 key_timehandler key_timehandler 0 111 3 1 200 ffffbc8012919900 icmp6_wqinput/1 icmp6_wqinput 0 110 3 0 200 ffffbc80129194c0 icmp6_wqinput/0 icmp6_wqinput 0 109 3 0 200 ffffbc8012919080 nd6_timer nd6_timer 0 108 3 1 200 ffffbc80127698c0 carp6_wqinput/1 carp6_wqinput 0 107 3 0 200 ffffbc8012769480 carp6_wqinput/0 carp6_wqinput 0 106 3 1 200 ffffbc8012769040 carp_wqinput/1 carp_wqinput 0 105 3 0 200 ffffbc8012758bc0 carp_wqinput/0 carp_wqinput 0 104 3 1 200 ffffbc8012758780 icmp_wqinput/1 icmp_wqinput 0 103 3 0 200 ffffbc8012758340 icmp_wqinput/0 icmp_wqinput 0 102 3 0 200 ffffbc8012744b80 rt_timer rt_timer 0 101 3 0 200 ffffbc8012744740 vmem_rehash vmem_rehash 0 100 3 0 200 ffffbc8012741b40 entbutler entropy 0 27 3 0 200 ffffbc800fe5c680 scsibus0 sccomp 0 26 3 0 200 ffffbc800fe5c240 pms0 pmsreset 0 25 3 1 200 ffffbc800fd9da80 xcall/1 xcall 0 24 1 1 200 ffffbc800fd9d640 softser/1 0 23 1 1 200 ffffbc800fd9d200 softclk/1 0 22 1 1 200 ffffbc800fd9ba40 softbio/1 0 21 1 1 200 ffffbc800fd9b600 softnet/1 0 20 1 1 201 ffffbc800fd9b1c0 idle/1 0 19 3 0 200 ffffbc800e80aa00 lnxpwrwq lnxpwrwq 0 18 3 0 200 ffffbc800e80a5c0 lnxlngwq lnxlngwq 0 17 3 0 200 ffffbc800e80a180 lnxsyswq lnxsyswq 0 16 3 0 200 ffffbc800e8049c0 lnxrcugc lnxrcugc 0 15 3 0 200 ffffbc800e804580 sysmon smtaskq 0 14 3 0 200 ffffbc800e804140 pmfsuspend pmfsuspend 0 13 3 0 200 ffffbc800e7ff980 pmfevent pmfevent 0 12 3 0 200 ffffbc800e7ff540 sopendfree sopendfr 0 11 3 0 200 ffffbc800e7ff100 iflnkst iflnkst 0 10 3 0 200 ffffbc800e7f3940 nfssilly nfssilly 0 9 3 0 200 ffffbc800e7f3500 vdrain vdrain 0 8 3 1 200 ffffbc800e7f30c0 modunload mod_unld 0 7 3 0 200 ffffbc800e7e5900 xcall/0 xcall 0 6 1 0 200 ffffbc800e7e54c0 softser/0 0 5 1 0 200 ffffbc800e7e5080 softclk/0 0 4 1 0 200 ffffbc800e7e38c0 softbio/0 0 3 1 0 200 ffffbc800e7e3480 softnet/0 0 2 1 0 201 ffffbc800e7e3040 idle/0 0 0 3 0 200 ffffffff82caa080 swapper uvm [Locks tracked through LWPs] ****** LWP 1574.1577 (syz-executor.5) @ 0xffffbc801381e980, l_stat=7 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at fork1) lock address : 0xffffbc8014531ac0 type : sleep/adaptive initialized : 0xffffffff816afb4a shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 1 relevant cpu : 1 last held: 1 relevant lwp : 0xffffbc801381e980 last held: 000000000000000000 last locked : 0xffffffff816c031f unlocked*: 0xffffffff81688743 owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. ****** LWP 1612.1612 (syz-executor.0) @ 0xffffbc8012d2c5c0, l_stat=2 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at pmap_ctor) lock address : 0xffffbc8012c92180 type : sleep/adaptive initialized : 0xffffffff8086bc67 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 1 relevant cpu : 0 last held: 0 relevant lwp : 0xffffbc8012d2c5c0 last held: 000000000000000000 last locked : 0xffffffff8086d812 unlocked*: 0xffffffff8086dfed owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. ****** LWP 729.729 (syz-executor.3) @ 0xffffbc80148af980, l_stat=2 *** Locks held: * Lock 0 (initialized at vcache_alloc) lock address : 0xffffbc80129a7700 type : sleep/adaptive initialized : 0xffffffff818162a3 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffbc80148af980 last held: 0xffffbc80148af980 last locked* : 0xffffffff81844b3e unlocked : 0xffffffff81844ba0 owner/count : 0xffffbc80148af980 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at vcache_alloc) lock address : 0xffffbc8013899c80 type : sleep/adaptive initialized : 0xffffffff818162a3 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffbc80148af980 last held: 0xffffbc80148af980 last locked* : 0xffffffff81844b3e unlocked : 0xffffffff81844ba0 [ 59.8568896] Skipping crash dump on recursive panic [ 59.8568896] panic: ASan: Unauthorized Access In 0xffffffff816e6a50: Addr 0xffffbc8013899c80 [8 bytes, read, PoolUseAfterFree] [ 59.8568896] cpu1: Begin traceback... [ 59.8568896] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 [ 59.8568896] snprintf() at netbsd:snprintf [ 59.8568896] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline] [ 59.8568896] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197 [ 59.8568896] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline] [ 59.8568896] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline] [ 59.8568896] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline] [ 59.8568896] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210 [ 59.8568896] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:186 [ 59.8568896] lockdebug_dump() at netbsd:lockdebug_dump+0x207 sys/kern/subr_lockdebug.c:750 [ 59.8568896] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb7 sys/kern/subr_lockdebug.c:830 [ 59.8568896] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26b lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:868 [inline] [ 59.8568896] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26b sys/kern/subr_lockdebug.c:932 [ 59.8568896] db_command() at netbsd:db_command+0x2ad sys/ddb/db_command.c:942 [ 59.8568896] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:439 [inline] [ 59.8568896] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:589 [ 59.8568896] db_trap() at netbsd:db_trap+0x206 sys/ddb/db_trap.c:94 [ 59.8568896] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:248 [ 59.8568896] trap() at netbsd:trap+0x57e sys/arch/amd64/amd64/trap.c:315 [ 59.8568896] --- trap (number 1) --- [ 59.8568896] breakpoint() at netbsd:breakpoint+0x5 [ 59.8568896] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 [ 59.8568896] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 [ 59.8568896] snprintf() at netbsd:snprintf [ 59.8568896] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline] [ 59.8568896] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197 [ 59.8568896] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline] [ 59.8568896] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline] [ 59.8568896] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline] [ 59.8568896] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210 [ 59.8568896] mutex_oncpu() at netbsd:mutex_oncpu+0x38 mutex_oncpu sys/kern/kern_mutex.c:422 [inline] [ 59.8568896] mutex_oncpu() at netbsd:mutex_oncpu+0x38 sys/kern/kern_mutex.c:406 [ 59.8568896] mutex_enter() at netbsd:mutex_enter+0x1a1 sys/kern/kern_mutex.c:550 [ 59.8568896] lwp_exit() at netbsd:lwp_exit+0x32e sys/kern/kern_lwp.c:1140 [ 59.8568896] lwp_userret() at netbsd:lwp_userret+0x1f5 sys/kern/kern_lwp.c:1639 [ 59.8568896] syscall() at netbsd:syscall+0x85e x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline] [ 59.8568896] syscall() at netbsd:syscall+0x85e KPREEMPT_DISABLE sys/sys/lwp.h:536 [inline] [ 59.8568896] syscall() at netbsd:syscall+0x85e mi_userret sys/sys/userret.h:97 [inline] [ 59.8568896] syscall() at netbsd:syscall+0x85e userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] [ 59.8568896] syscall() at netbsd:syscall+0x85e sys/arch/x86/x86/syscall.c:166 [ 59.8568896] --- syscall (number 4) --- [ 59.8568896] 7d37114ade7a: [ 59.8568896] cpu1: End traceback... [ 59.8568896] fatal breakpoint trap in supervisor mode [ 59.8568896] trap type 1 code 0 rip 0xffffffff802209c5 cs 0x8 rflags 0x246 cr2 0x7f0829c00000 ilevel 0x8 rsp 0xffffbc818c35f130 [ 59.8568896] curlwp 0xffffbc801381e980 pid 1574.1577 lowest kstack 0xffffbc818c3582c0 Stopped in pid 1574.1577 (syz-executor.5) at netbsd:breakpoint+0x5: leave