panic: ASan: Invalid access, 8-byte read at 0xfffffe0058571b98, UMAUseAfterFree(fd) cpuid = 0 time = 7 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe0056d2b1d0 kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe0056d2b330 vpanic() at vpanic+0x257/frame 0xfffffe0056d2b4f0 panic() at panic+0xb5/frame 0xfffffe0056d2b5b0 kasan_report() at kasan_report+0xdf/frame 0xfffffe0056d2b680 ip6_freemoptions() at ip6_freemoptions+0x1ff/frame 0xfffffe0056d2b6e0 in_pcbfree() at in_pcbfree+0x682/frame 0xfffffe0056d2b730 sorele_locked() at sorele_locked+0x264/frame 0xfffffe0056d2b770 soclose() at soclose+0x41f/frame 0xfffffe0056d2b860 _fdrop() at _fdrop+0x5c/frame 0xfffffe0056d2b890 closef() at closef+0x655/frame 0xfffffe0056d2ba70 fdescfree() at fdescfree+0xa5e/frame 0xfffffe0056d2bc50 exit1() at exit1+0x887/frame 0xfffffe0056d2bcf0 sys__exit() at sys__exit+0x28/frame 0xfffffe0056d2bd10 amd64_syscall() at amd64_syscall+0x4e2/frame 0xfffffe0056d2bf30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0056d2bf30 --- syscall (1, FreeBSD ELF64, _exit), rip = 0x3a1f5a, rsp = 0x820560068, rbp = 0x820560070 --- KDB: enter: panic [ thread pid 1693 tid 100112 ] Stopped at kdb_enter+0x6e: movq $0,0x25b6f77(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xffffffff81625b7e _vprintf+0x1ae rdx 0 rbx 0xffffffff827e1820 .str.27 rsp 0xfffffe0056d2b310 rbp 0xfffffe0056d2b330 rsi 0 rdi 0xffffffff816260e9 printf+0x149 r8 0 r9 0xffffffff r10 0 r11 0x7 r12 0xfffffe00540f6780 r13 0xfffffffffffffffe r14 0xffffffff827e1820 .str.27 r15 0 rip 0xffffffff8160fc1e kdb_enter+0x6e rflags 0x46 kdb_enter+0x6e: movq $0,0x25b6f77(%rip) db> show proc Process 1693 (syz-executor) at 0xfffffe0054103570: state: NORMAL uid: 0 gids: 0, 5 parent: pid 763 at 0xfffffe00540a8000 ABI: FreeBSD ELF64 flag: 0x10002000 flag2: 0x40000 arguments: ./syz-executor exec reaper: 0xfffffe0007809010 reapsubtree: 1 sigparent: 20 vmspace: 0xfffffe0054121db0 (map 0xfffffe0054121db0) (map.pmap 0xfffffe0054121e50) (pmap 0xfffffe0054121ec0) threads: 1 100112 Run CPU 0 syz-executor db> ps pid ppid pgrp uid state wmesg wchan cmd 1695 1590 1590 0 R (threaded) syz-executor 100103 S uwait 0xfffffe006b4dd900 syz-executor 101106 RunQ syz-executor 1694 1686 1686 0 R sh 1693 763 763 0 RE CPU 0 syz-executor 1692 1175 1175 0 R (threaded) syz-executor 100178 RunQ syz-executor 101104 RunQ syz-executor 1686 762 1686 0 R CPU 1 syz-executor 1636 0 0 0 DL mdwait 0xfffffe0077948000 [md3] 1620 0 0 0 DL mdwait 0xfffffe0058632000 [md2] 1590 762 1590 0 S nanslp 0xffffffff83ba7c41 syz-executor 1556 1 765 0 S uwait 0xfffffe006e59c280 syz-executor 1553 1 765 0 S uwait 0xfffffe00593ea280 syz-executor 1296 0 0 0 DL (threaded) [so_splice] 100116 D - 0xfffffe0058587900 [thr_0] 100645 D - 0xfffffe0058587940 [thr_1] 1175 762 1175 0 S nanslp 0xffffffff83ba7c40 syz-executor 1162 1 1162 0 Ss+ ttyin 0xfffffe00585be8b0 getty 1161 1 1161 0 Ss+ ttyin 0xfffffe00585be4b0 getty 1160 1 1160 0 Ss+ ttyin 0xfffffe00585be0b0 getty 1159 1 1159 0 Ss+ ttyin 0xfffffe00585bdcb0 getty 1158 1 1158 0 Ss+ ttyin 0xfffffe00585bd8b0 getty 1157 1 1157 0 Ss+ ttyin 0xfffffe00585bd4b0 getty 1156 1 1156 0 Ss+ ttyin 0xfffffe00585bd0b0 getty 1155 1 1155 0 Ss+ ttyin 0xfffffe00585bccb0 getty 1154 1 1154 0 Ss+ ttyin 0xfffffe00077fd8b0 getty 1149 0 0 0 DL mdwait 0xfffffe006b434000 [md1] 919 0 0 0 DL (threaded) [KTLS] 100150 D - 0xfffffe0053ef6400 [thr_0] 100231 D - 0xfffffe0053ef6480 [thr_1] 100232 D - 0xffffffff83cb9628 [reclaim_0] 866 0 0 0 DL - 0xffffffff83cb7e00 [soaiod4] 865 0 0 0 DL - 0xffffffff83cb7e00 [soaiod3] 864 0 0 0 DL - 0xffffffff83cb7e00 [soaiod2] 863 0 0 0 DL - 0xffffffff83cb7e00 [soaiod1] 862 0 0 0 DL aiordy 0xfffffe00540e0570 [aiod4] 861 0 0 0 DL aiordy 0xfffffe005410a010 [aiod3] 860 0 0 0 DL aiordy 0xfffffe0054109ab8 [aiod2] 859 0 0 0 DL aiordy 0xfffffe0054109560 [aiod1] 834 0 0 0 DL mdwait 0xfffffe006b435000 [md0] 825 807 825 0 Ss piperd 0xfffffe006e4d75c0 dhclient 807 784 423 65 S select 0xfffffe0059701ac0 dhclient 784 423 423 0 S wait 0xfffffe0054103018 sh 763 762 763 0 S nanslp 0xffffffff83ba7c40 syz-executor 762 760 760 0 S select 0xfffffe006ddee140 syz-executor 760 1 760 0 Ss sigsusp 0xfffffe00540dd608 csh 737 1 17 0 S+ piperd 0xfffffe006b42a2e0 logger 736 735 17 0 S+ nanslp 0xffffffff83ba7c40 sleep 735 1 17 0 S+ wait 0xfffffe00540aaac0 sh 494 1 494 0 Ss select 0xfffffe0059703740 syslogd 423 1 423 0 Ss wait 0xfffffe00540a9008 devd 16 0 0 0 DL syncer 0xffffffff83cc5820 [syncer] 15 0 0 0 DL vlruwt 0xfffffe000780a018 [vnlru] 14 0 0 0 DL (threaded) [bufdaemon] 100079 D psleep 0xffffffff83cc3d60 [bufdaemon] 100082 D - 0xffffffff83001ec0 [bufspacedaemon-0] 100092 D sdflush 0xfffffe0053fe08e8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83d0ec80 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100077 D psleep 0xffffffff83cf4d48 [dom0] 100080 D launds 0xffffffff83cf4d54 [laundry: dom0] 100081 D umarcl 0xffffffff81df2890 [uma] 7 0 0 0 DL - 0xffffffff839205d8 [rand_harvestq] 6 0 0 0 TL pftm 0xffffffff84854c30 [pf purge] 5 0 0 0 DL waiting 0xffffffff8449e700 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100045 D - 0xffffffff838ea340 [doneq0] 100046 D - 0xffffffff838ea2c0 [async] 100075 D - 0xffffffff838ea140 [scanner] 3 0 0 0 DL (threaded) [crypto] 100042 D crypto_ 0xffffffff83cf0640 [crypto] 100043 D crypto_ 0xfffffe0007a95c30 [crypto returns 0] 100044 D crypto_ 0xfffffe0007a95c80 [crypto returns 1] 13 0 0 0 DL (threaded) [geom] 100037 D - 0xffffffff83b50640 [g_event] 100038 D - 0xffffffff83b50660 [g_up] 100039 D - 0xffffffff83b50680 [g_down] 2 0 0 0 WL (threaded) [clock] 100031 I [clock (0)] 100032 I [clock (1)] 12 0 0 0 WL (threaded) [intr] 100013 I [swi6: task queue] 100014 I [swi6: Giant taskq] 100016 I [swi5: fast taskq] 100033 I [swi1: netisr 0] 100034 I [swi1: hpts] 100035 I [swi1: hpts] 100047 I [irq24: virtio_pci0] 100048 I [irq25: virtio_pci0] 100049 I [irq26: virtio_pci0] 100050 I [irq27: virtio_pci0] 100051 I [irq28: virtio_pci1] 100052 I [irq29: virtio_pci1] 100053 I [irq30: virtio_pci1] 100054 I [irq31: virtio_pci1] 100055 I [irq32: virtio_pci1] 100060 I [irq10: virtio_pci2] 100062 I [irq1: atkbd0] 100063 I [irq12: psm0] 100064 I [swi0: uart uart++] 100068 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffffe0007809010 [init] 10 0 0 0 DL audit_w 0xffffffff83cf10e0 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D parked 0xffffffff84c43ff0 [swapper] 100005 D - 0xfffffe0007a98b00 [softirq_0] 100006 D - 0xfffffe0007a98900 [softirq_1] 100007 D - 0xfffffe0007a98700 [if_io_tqg_0] 100008 D - 0xfffffe0007a98500 [if_io_tqg_1] 100009 D - 0xfffffe0007a98300 [if_config_tqg_0] 100010 D - 0xfffffe00083f9700 [kqueue_ctx taskq] 100011 D - 0xfffffe00083f9600 [jail_remove taskq] 100012 D - 0xfffffe00083f9500 [bus taskq] 100015 D - 0xfffffe00083f9000 [thread taskq] 100017 D - 0xfffffe00083f8c00 [aiod_kick taskq] 100018 D - 0xfffffe00083f8b00 [deferred_unmount ta] 100019 D - 0xfffffe00083f8a00 [inm_free taskq] 100020 D - 0xfffffe00083f8900 [in6m_free taskq] 100021 D - 0xfffffe00083f8800 [linuxkpi_irq_wq] 100022 D - 0xfffffe00083f8700 [linuxkpi_short_wq_0] 100023 D - 0xfffffe00083f8700 [linuxkpi_short_wq_1] 100024 D - 0xfffffe00083f8700 [linuxkpi_short_wq_2] 100025 D - 0xfffffe00083f8700 [linuxkpi_short_wq_3] 100026 D - 0xfffffe00083f8600 [linuxkpi_long_wq_0] 100027 D - 0xfffffe00083f8600 [linuxkpi_long_wq_1] 100028 D - 0xfffffe00083f8600 [linuxkpi_long_wq_2] 100029 D - 0xfffffe00083f8600 [linuxkpi_long_wq_3] 100036