panic: ASan: Invalid access, 8-byte read at 0xfffffe0058311218, UMAUseAfterFree(fd) cpuid = 0 time = 1766119038 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe0056fedcd0 kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe0056fede30 vpanic() at vpanic+0x257/frame 0xfffffe0056fedff0 panic() at panic+0xb5/frame 0xfffffe0056fee0c0 kasan_report() at kasan_report+0xdf/frame 0xfffffe0056fee190 mld_change_state() at mld_change_state+0xf2/frame 0xfffffe0056fee330 in6_leavegroup_locked() at in6_leavegroup_locked+0x17b/frame 0xfffffe0056fee450 in6_pcbpurgeif0() at in6_pcbpurgeif0+0x2f6/frame 0xfffffe0056fee550 _in6_ifdetach() at _in6_ifdetach+0x18e/frame 0xfffffe0056fee640 in6_ifdeparture() at in6_ifdeparture+0x9f/frame 0xfffffe0056fee670 if_detach_internal() at if_detach_internal+0x5c0/frame 0xfffffe0056fee740 if_detach() at if_detach+0xb6/frame 0xfffffe0056fee780 tun_destroy() at tun_destroy+0x3c9/frame 0xfffffe0056fee7e0 if_clone_destroyif_flags() at if_clone_destroyif_flags+0xc8/frame 0xfffffe0056fee830 if_clone_destroy() at if_clone_destroy+0x1f6/frame 0xfffffe0056fee870 ifioctl() at ifioctl+0x116f/frame 0xfffffe0056feeab0 kern_ioctl() at kern_ioctl+0x52a/frame 0xfffffe0056feeb90 sys_ioctl() at sys_ioctl+0x36e/frame 0xfffffe0056feed10 amd64_syscall() at amd64_syscall+0x4e2/frame 0xfffffe0056feef30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0056feef30 --- syscall (54, FreeBSD ELF64, ioctl), rip = 0x823db42ca, rsp = 0x820a35e58, rbp = 0x820a35e70 --- KDB: enter: panic [ thread pid 914 tid 100116 ] Stopped at kdb_enter+0x6e: movq $0,0x2589d67(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xffffffff816607de _vprintf+0x1ae rdx 0 rbx 0xffffffff82838840 .str.27 rsp 0xfffffe0056fede10 rbp 0xfffffe0056fede30 rsi 0 rdi 0xffffffff81660d49 printf+0x149 r8 0 r9 0xffffffff r10 0 r11 0x1f r12 0xfffffe005870b000 r13 0xfffffffffffffffe r14 0xffffffff82838840 .str.27 r15 0 rip 0xffffffff8164a12e kdb_enter+0x6e rflags 0x46 kdb_enter+0x6e: movq $0,0x2589d67(%rip) db> show proc Process 914 (ifconfig) at 0xfffffe00586d5ac0: state: NORMAL uid: 0 gid: 0 supp gids: 0, 5 parent: pid 911 at 0xfffffe00586a9560 ABI: FreeBSD ELF64 flag: 0x10004000 flag2: 0 arguments: ifconfig tap1 destroy reaper: 0xfffffe0007809010 reapsubtree: 1 sigparent: 20 vmspace: 0xfffffe005871d490 (map 0xfffffe005871d490) (map.pmap 0xfffffe005871d530) (pmap 0xfffffe005871d5a0) threads: 1 100116 Run CPU 0 ifconfig db> ps pid ppid pgrp uid state wmesg wchan cmd 916 913 766 0 S uwait 0xfffffe006ddcdf00 syz-executor 915 765 765 0 R (threaded) syz-executor 100117 RunQ syz-executor 100264 S uwait 0xfffffe006ddce080 syz-executor 914 911 911 0 R CPU 0 ifconfig 913 766 766 0 R (threaded) syz-executor 100113 RunQ syz-executor 100263 S uwait 0xfffffe0058312880 syz-executor 912 763 763 0 R (threaded) syz-executor 100146 Run CPU 1 syz-executor 100262 RunQ syz-executor 911 762 911 0 S wait 0xfffffe00586a9560 syz-executor 895 0 0 0 DL (threaded) [KTLS] 100221 D - 0xfffffe006e619100 [thr_0] 100244 D - 0xfffffe006e619180 [thr_1] 100245 D - 0xffffffff83cd68e8 [reclaim_0] 875 1 766 0 S uwait 0xfffffe006ddce780 syz-executor 866 1 763 0 S uwait 0xfffffe0058313e00 syz-executor 861 1 763 0 S uwait 0xfffffe0058598700 syz-executor 855 1 763 0 S uwait 0xfffffe006ddceb80 syz-executor 850 1 766 0 S uwait 0xfffffe006ddce680 syz-executor 845 1 845 0 Ts+ ttyin 0xfffffe0007bf80b0 getty 844 1 844 0 Ts+ ttyin 0xfffffe0007bf90b0 getty 843 1 843 0 Ts+ ttyin 0xfffffe0007bf88b0 getty 841 1 841 0 Ts+ ttyin 0xfffffe0007bf78b0 getty 840 1 840 0 Ts+ ttyin 0xfffffe0007bf70b0 getty 839 1 839 0 Ts+ ttyin 0xfffffe00595568b0 getty 838 1 838 0 Ts+ ttyin 0xfffffe0058330cb0 getty 837 1 837 0 Ts+ ttyin 0xfffffe00595560b0 getty 836 1 836 0 Ts+ ttyin 0xfffffe00583338b0 getty 812 0 0 0 DL aiordy 0xfffffe00586f8018 [aiod4] 811 0 0 0 DL aiordy 0xfffffe00586f6ab8 [aiod3] 810 0 0 0 DL aiordy 0xfffffe00586f7ac0 [aiod2] 809 0 0 0 DL aiordy 0xfffffe00586f7010 [aiod1] 766 762 766 0 R syz-executor 765 762 765 0 R syz-executor 763 762 763 0 R syz-executor 762 1 760 0 S select 0xfffffe006dc9cdc0 syz-executor 737 1 17 0 S+ piperd 0xfffffe0059900420 logger 736 735 17 0 S+ nanslp 0xffffffff83bb4f40 sleep 735 1 17 0 S+ wait 0xfffffe0058604568 sh 685 1 685 0 Ss nanslp 0xffffffff83bb4f41 cron 681 1 681 0 Ss select 0xfffffe00597ac0c0 sshd 494 1 494 0 Ss select 0xfffffe00597ac740 syslogd 16 0 0 0 DL syncer 0xffffffff83ce2ae0 [syncer] 15 0 0 0 DL vlruwt 0xfffffe000780a018 [vnlru] 14 0 0 0 DL (threaded) [bufdaemon] 100079 D psleep 0xffffffff83ce1020 [bufdaemon] 100082 D - 0xffffffff83001ec0 [bufspacedaemon-0] 100094 D sdflush 0xfffffe0057f1fce8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83d223c0 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100077 D psleep 0xffffffff83d08488 [dom0] 100080 D launds 0xffffffff83d08494 [laundry: dom0] 100081 D umarcl 0xffffffff81e34670 [uma] 7 0 0 0 DL - 0xffffffff8392d510 [rand_harvestq] 6 0 0 0 DL pftm 0xffffffff847c5f80 [pf purge] 5 0 0 0 DL waiting 0xffffffff8467d700 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100045 D - 0xffffffff838f7340 [doneq0] 100046 D - 0xffffffff838f72c0 [async] 100075 D - 0xffffffff838f7140 [scanner] 3 0 0 0 DL (threaded) [crypto] 100042 D crypto_ 0xffffffff83d03d20 [crypto] 100043 D crypto_ 0xfffffe00077af830 [crypto returns 0] 100044 D crypto_ 0xfffffe00077af880 [crypto returns 1] 13 0 0 0 DL (threaded) [geom] 100037 D - 0xffffffff83b5d520 [g_event] 100038 D - 0xffffffff83b5d540 [g_up] 100039 D - 0xffffffff83b5d560 [g_down] 2 0 0 0 WL (threaded) [clock] 100031 I [clock (0)] 100032 I [clock (1)] 12 0 0 0 WL (threaded) [intr] 100013 I [swi6: task queue] 100014 I [swi6: Giant taskq] 100016 I [swi5: fast taskq] 100033 I [swi1: netisr 0] 100034 I [swi1: hpts] 100035 I [swi1: hpts] 100047 I [irq24: virtio_pci0] 100048 I [irq25: virtio_pci0] 100049 I [irq26: virtio_pci0] 100050 I [irq27: virtio_pci0] 100051 I [irq28: virtio_pci1] 100052 I [irq29: