[ 91.7078170] panic: ASan: Unauthorized Access In 0xffffffff81a48954: Addr 0xffffbc8012cb4ac0 [8 bytes, read, PoolUseAfterFree] [ 91.7178032] cpu1: Begin traceback... [ 91.7378019] vpanic() at netbsd:vpanic+0x26f sys/kern/subr_prf.c:290 [ 91.7778014] snprintf() at netbsd:snprintf [ 91.8178010] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:186 [inline] [ 91.8178010] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:196 [ 91.8578006] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:346 [inline] [ 91.8578006] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:360 [inline] [ 91.8578006] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:412 [inline] [ 91.8578006] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1199 [ 91.8978030] mount_domount() at netbsd:mount_domount+0x64b mount_checkdirs sys/kern/vfs_mount.c:670 [inline] [ 91.8978030] mount_domount() at netbsd:mount_domount+0x64b sys/kern/vfs_mount.c:816 [ 91.9378011] do_sys_mount() at netbsd:do_sys_mount+0x74a sys/kern/vfs_syscalls.c:552 [ 91.9777998] sys___mount50() at netbsd:sys___mount50+0x89 sys/kern/vfs_syscalls.c:473 [ 92.0178026] sys___syscall() at netbsd:sys___syscall+0xfe sy_call sys/sys/syscallvar.h:65 [inline] [ 92.0178026] sys___syscall() at netbsd:sys___syscall+0xfe sys/kern/sys_syscall.c:77 [ 92.0577997] syscall() at netbsd:syscall+0x281 sy_call sys/sys/syscallvar.h:65 [inline] [ 92.0577997] syscall() at netbsd:syscall+0x281 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 92.0577997] syscall() at netbsd:syscall+0x281 sys/arch/x86/x86/syscall.c:138 [ 92.0677994] --- syscall (number 198) --- [ 92.0878017] netbsd:syscall+0x281: [ 92.0878017] cpu1: End traceback... [ 92.0878017] fatal breakpoint trap in supervisor mode [ 92.0977998] trap type 1 code 0 rip 0xffffffff80220a1d cs 0x8 rflags 0x282 cr2 0x638000 ilevel 0 rsp 0xffffbc8193427850 [ 92.1077991] curlwp 0xffffbc8012cbdb40 pid 1723.804 lowest kstack 0xffffbc81934202c0 Stopped in pid 1723.804 (syz-executor.5) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0x105 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x26f sys/kern/subr_prf.c:290 snprintf() at netbsd:snprintf kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:186 [inline] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:196 __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:346 [inline] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:360 [inline] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:412 [inline] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1199 mount_domount() at netbsd:mount_domount+0x64b mount_checkdirs sys/kern/vfs_mount.c:670 [inline] mount_domount() at netbsd:mount_domount+0x64b sys/kern/vfs_mount.c:816 do_sys_mount() at netbsd:do_sys_mount+0x74a sys/kern/vfs_syscalls.c:552 sys___mount50() at netbsd:sys___mount50+0x89 sys/kern/vfs_syscalls.c:473 sys___syscall() at netbsd:sys___syscall+0xfe sy_call sys/sys/syscallvar.h:65 [inline] sys___syscall() at netbsd:sys___syscall+0xfe sys/kern/sys_syscall.c:77 syscall() at netbsd:syscall+0x281 sy_call sys/sys/syscallvar.h:65 [inline] syscall() at netbsd:syscall+0x281 sy_invoke sys/sys/syscallvar.h:94 [inline] syscall() at netbsd:syscall+0x281 sys/arch/x86/x86/syscall.c:138 --- syscall (number 198) --- netbsd:syscall+0x281: Panic string: ASan: Unauthorized Access In 0xffffffff81a48954: Addr 0xffffbc8012cb4ac0 [8 bytes, read, PoolUseAfterFree] PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 1622 1622 3 0 0 ffffbc8012cbd700 syz-executor.4 tstile 842 842 2 0 0 ffffbc8012cea780 syz-executor.0 1723 > 804 7 1 0 ffffbc8012cbdb40 syz-executor.5 1723 1723 2 1 10000000 ffffbc80138c9b80 syz-executor.5 1092 1092 2 0 40040 ffffbc801438f200 syz-executor.5 419 419 3 0 40 ffffbc8014325a40 syz-executor.1 biolock 1079 1079 2 1 40 ffffbc8014325600 syz-executor.4 1081 1081 3 0 40 ffffbc80143251c0 syz-executor.2 biolock 1082 1082 2 1 40 ffffbc8014251a00 syz-executor.3 1069 1069 3 0 40 ffffbc80142515c0 syz-executor.0 tstile 1255 1097 3 1 80 ffffbc8014251180 syz-fuzzer kqueue 1255 1076 3 1 80 ffffbc8012bb8080 syz-fuzzer parked 1255 1065 3 0 80 ffffbc80140e2580 syz-fuzzer parked 1255 1100 3 1 80 ffffbc8012d23540 syz-fuzzer parked 1255 808 3 0 80 ffffbc8013841a40 syz-fuzzer parked 1255 1119 3 0 80 ffffbc8013841600 syz-fuzzer parked 1255 1250 3 0 80 ffffbc8013867ac0 syz-fuzzer parked 1255 1067 3 1 80 ffffbc80138c9740 syz-fuzzer parked 1255 1255 3 0 80 ffffbc8013818580 syz-fuzzer parked 817 817 3 1 80 ffffbc8012bb84c0 sshd select 949 949 3 0 80 ffffbc8012824700 getty nanoslp 1091 1091 3 1 80 ffffbc8013923980 getty nanoslp 1096 1096 3 1 80 ffffbc8013923540 getty nanoslp 1088 1088 3 1 c0 ffffbc8012826300 getty ttyraw 942 942 3 1 80 ffffbc80138411c0 sshd select 979 979 3 0 80 ffffbc8012d93700 powerd kqueue 865 865 3 0 80 ffffbc80138b06c0 syslogd kqueue 592 592 3 1 80 ffffbc8012cbd2c0 dhcpcd poll 590 590 3 1 80 ffffbc8012d06080 dhcpcd poll 589 589 3 0 80 ffffbc8012c88b00 dhcpcd poll 545 545 3 1 80 ffffbc8012c68a80 dhcpcd poll 347 347 3 0 80 ffffbc8012e02480 dhcpcd poll 346 346 3 0 80 ffffbc8012e02040 dhcpcd poll 345 345 3 1 80 ffffbc8012de6bc0 dhcpcd poll 1 1 3 0 80 ffffbc80128c3980 init wait 0 861 3 0 200 ffffbc80129e6a80 physiod physiod 0 162 3 0 200 ffffbc80129faac0 pooldrain pooldrain 0 > 167 7 0 240 ffffbc80129fa680 ioflush 0 165 3 1 200 ffffbc80129fa240 pgdaemon pgdaemon 0 160 3 1 200 ffffbc80129e6200 usb7 usbevt 0 31 3 1 200 ffffbc801299da40 usb6 usbevt 0 63 3 1 200 ffffbc801299d600 usb5 usbevt 0 126 3 0 200 ffffbc801299d1c0 usb4 usbevt 0 125 3 1 200 ffffbc8012949a00 usb3 usbevt 0 124 3 1 200 ffffbc80129495c0 usb2 usbevt 0 123 3 1 200 ffffbc8012949180 usb1 usbevt 0 122 3 1 200 ffffbc80128d89c0 usb0 usbevt 0 121 3 0 200 ffffbc80128d8580 usbtask-dr usbtsk 0 120 3 0 200 ffffbc800fe35ac0 usbtask-hc usbtsk 0 119 3 1 200 ffffbc80128d8140 npfgc0 npfgcw 0 118 3 1 200 ffffbc80128c3540 rt_free rt_free 0 117 3 0 200 ffffbc80128c3100 unpgc unpgc 0 116 3 0 200 ffffbc8012859940 key_timehandler key_timehandler 0 115 3 1 200 ffffbc8012859500 icmp6_wqinput/1 icmp6_wqinput 0 114 3 0 200 ffffbc80128590c0 icmp6_wqinput/0 icmp6_wqinput 0 113 3 0 200 ffffbc801284f900 nd6_timer nd6_timer 0 112 3 1 200 ffffbc801284f4c0 carp6_wqinput/1 carp6_wqinput 0 111 3 0 200 ffffbc801284f080 carp6_wqinput/0 carp6_wqinput 0 110 3 1 200 ffffbc801283b8c0 carp_wqinput/1 carp_wqinput 0 109 3 0 200 ffffbc801283b480 carp_wqinput/0 carp_wqinput 0 108 3 1 200 ffffbc801283b040 icmp_wqinput/1 icmp_wqinput 0 107 3 0 200 ffffbc801282abc0 icmp_wqinput/0 icmp_wqinput 0 106 3 0 200 ffffbc801282a780 rt_timer rt_timer 0 105 3 1 200 ffffbc801282a340 vmem_rehash vmem_rehash 0 104 3 1 200 ffffbc8012826740 entbutler entropy 0 30 3 1 200 ffffbc801213b6c0 vioif0_txrx/1 vioif0_txrx 0 29 3 0 200 ffffbc801213b280 vioif0_txrx/0 vioif0_txrx 0 27 3 0 200 ffffbc800fe35680 scsibus0 sccomp 0 26 3 0 200 ffffbc800fe35240 pms0 pmsreset 0 25 3 1 200 ffffbc800fd89a80 xcall/1 xcall 0 24 1 1 200 ffffbc800fd89640 softser/1 0 23 1 1 200 ffffbc800fd89200 softclk/1 0 22 1 1 200 ffffbc800fd87a40 softbio/1 0 21 1 1 200 ffffbc800fd87600 softnet/1 0 20 1 1 201 ffffbc800fd871c0 idle/1 0 19 3 0 200 ffffbc800e7f7a00 lnxpwrwq lnxpwrwq 0 18 3 0 200 ffffbc800e7f75c0 lnxlngwq lnxlngwq 0 17 3 0 200 ffffbc800e7f7180 lnxsyswq lnxsyswq 0 16 3 0 200 ffffbc800e7f19c0 lnxrcugc lnxrcugc 0 15 3 0 200 ffffbc800e7f1580 sysmon smtaskq 0 14 3 0 200 ffffbc800e7f1140 pmfsuspend pmfsuspend 0 13 3 0 200 ffffbc800e7ec980 pmfevent pmfevent 0 12 3 0 200 ffffbc800e7ec540 sopendfree sopendfr 0 11 3 0 200 ffffbc800e7ec100 iflnkst iflnkst 0 10 3 0 200 ffffbc800e7e1940 nfssilly nfssilly 0 9 3 0 200 ffffbc800e7e1500 vdrain vdrain 0 8 3 0 200 ffffbc800e7e10c0 modunload mod_unld 0 7 3 0 200 ffffbc800e7d4900 xcall/0 xcall 0 6 1 0 200 ffffbc800e7d44c0 softser/0 0 5 1 0 200 ffffbc800e7d4080 softclk/0 0 4 1 0 200 ffffbc800e7d28c0 softbio/0 0 3 1 0 200 ffffbc800e7d2480 softnet/0 0 2 1 0 201 ffffbc800e7d2040 idle/0 0 0 3 0 240 ffffffff82ee52c0 swapper tstile [Locks tracked through LWPs] ****** LWP 1622.1622 (syz-executor.4) @ 0xffffbc8012cbd700, l_stat=3 *** Locks held: * Lock 0 (initialized at fork1) lock address : 0xffffbc8012de24d0 type : sleep/adaptive initialized : 0xffffffff818cd301 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffbc8012cbd700 last held: 0xffffbc8012cbd700 last locked* : 0xffffffff818c96e3 unlocked : 000000000000000000 owner/count : 0xffffbc8012cbd700 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at pmap_ctor) lock address : 0xffffbc8013797b80 type : sleep/adaptive initialized : 0xffffffff808d26e3 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffbc8012cbd700 last held: 0xffffbc8012cbd700 last locked* : 0xffffffff808d185b unlocked : 0xffffffff808d9a73 [ 92.1177984] Skipping crash dump on recursive panic [ 92.1177984] panic: ASan: Unauthorized Access In 0xffffffff818e86f0: Addr 0xffffbc8013797b80 [8 bytes, read, PoolUseAfterFree] [ 92.1177984] cpu1: Begin traceback... [ 92.1177984] vpanic() at netbsd:vpanic+0x26f sys/kern/subr_prf.c:290 [ 92.1177984] snprintf() at netbsd:snprintf [ 92.1177984] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:186 [inline] [ 92.1177984] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:196 [ 92.1177984] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:346 [inline] [ 92.1177984] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:360 [inline] [ 92.1177984] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:412 [inline] [ 92.1177984] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1199 [ 92.1177984] mutex_dump() at netbsd:mutex_dump+0x20 sys/kern/kern_mutex.c:313 [ 92.1177984] lockdebug_dump() at netbsd:lockdebug_dump+0x234 sys/kern/subr_lockdebug.c:759 [ 92.1177984] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb7 sys/kern/subr_lockdebug.c:839 [ 92.1177984] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x27c lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:877 [inline] [ 92.1177984] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x27c sys/kern/subr_lockdebug.c:941 [ 92.1177984] db_command() at netbsd:db_command+0x320 sys/ddb/db_command.c:942 [ 92.1177984] db_command_loop() at netbsd:db_command_loop+0x2b1 db_execute_commandlist sys/ddb/db_command.c:439 [inline] [ 92.1177984] db_command_loop() at netbsd:db_command_loop+0x2b1 sys/ddb/db_command.c:589 [ 92.1177984] db_trap() at netbsd:db_trap+0x24e sys/ddb/db_trap.c:94 [ 92.1177984] kdb_trap() at netbsd:kdb_trap+0x1ec sys/arch/amd64/amd64/db_interface.c:250 [ 92.1177984] trap() at netbsd:trap+0x655 sys/arch/amd64/amd64/trap.c:315 [ 92.1177984] --- trap (number 1) --- [ 92.1177984] breakpoint() at netbsd:breakpoint+0x5 [ 92.1177984] db_panic() at netbsd:db_panic+0x105 sys/ddb/db_panic.c:67 [ 92.1177984] vpanic() at netbsd:vpanic+0x26f sys/kern/subr_prf.c:290 [ 92.1177984] snprintf() at netbsd:snprintf [ 92.1177984] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:186 [inline] [ 92.1177984] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:196 [ 92.1177984] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:346 [inline] [ 92.1177984] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:360 [inline] [ 92.1177984] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:412 [inline] [ 92.1177984] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1199 [ 92.1177984] mount_domount() at netbsd:mount_domount+0x64b mount_checkdirs sys/kern/vfs_mount.c:670 [inline] [ 92.1177984] mount_domount() at netbsd:mount_domount+0x64b sys/kern/vfs_mount.c:816 [ 92.1177984] do_sys_mount() at netbsd:do_sys_mount+0x74a sys/kern/vfs_syscalls.c:552 [ 92.1177984] sys___mount50() at netbsd:sys___mount50+0x89 sys/kern/vfs_syscalls.c:473 [ 92.1177984] sys___syscall() at netbsd:sys___syscall+0xfe sy_call sys/sys/syscallvar.h:65 [inline] [ 92.1177984] sys___syscall() at netbsd:sys___syscall+0xfe sys/kern/sys_syscall.c:77 [ 92.1177984] syscall() at netbsd:syscall+0x281 sy_call sys/sys/syscallvar.h:65 [inline] [ 92.1177984] syscall() at netbsd:syscall+0x281 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 92.1177984] syscall() at netbsd:syscall+0x281 sys/arch/x86/x86/syscall.c:138 [ 92.1177984] --- syscall (number 198) --- [ 92.1177984] netbsd:syscall+0x281: [ 92.1177984] cpu1: End traceback... [ 92.1177984] fatal breakpoint trap in supervisor mode [ 92.1177984] trap type 1 code 0 rip 0xffffffff80220a1d cs 0x8 rflags 0x282 cr2 0x638000 ilevel 0x8 rsp 0xffffbc8193426de0 [ 92.1177984] curlwp 0xffffbc8012cbdb40 pid 1723.804 lowest kstack 0xffffbc81934202c0 Stopped in pid 1723.804 (syz-executor.5) at netbsd:breakpoint+0x5: leave