[ 105.2178712] panic: ASan: Unauthorized Access In 0xffffffff8117ff15: Addr 0xffffc40013cdfa18 [8 bytes, read, PoolUseAfterFree] [ 105.2340831] cpu0: Begin traceback... [ 105.2479012] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 105.2779385] snprintf() at netbsd:snprintf [ 105.3179987] kasan_report() at netbsd:kasan_report+0x98 kasan_code_name sys/kern/subr_asan.c:186 [inline] [ 105.3179987] kasan_report() at netbsd:kasan_report+0x98 sys/kern/subr_asan.c:196 [ 105.3580627] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:346 [inline] [ 105.3580627] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:360 [inline] [ 105.3580627] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:412 [inline] [ 105.3580627] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1182 [ 105.3881084] mutex_oncpu() at netbsd:mutex_oncpu+0x38 mutex_oncpu sys/kern/kern_mutex.c:422 [inline] [ 105.3881084] mutex_oncpu() at netbsd:mutex_oncpu+0x38 sys/kern/kern_mutex.c:406 [ 105.4281580] mutex_enter() at netbsd:mutex_enter+0x1a1 sys/kern/kern_mutex.c:550 [ 105.4582004] lwp_exit() at netbsd:lwp_exit+0x378 sys/kern/kern_lwp.c:1184 [ 105.4982608] lwp_userret() at netbsd:lwp_userret+0x1f5 sys/kern/kern_lwp.c:1646 [ 105.5283048] syscall() at netbsd:syscall+0x882 x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline] [ 105.5283048] syscall() at netbsd:syscall+0x882 KPREEMPT_DISABLE sys/sys/lwp.h:525 [inline] [ 105.5283048] syscall() at netbsd:syscall+0x882 mi_userret sys/sys/userret.h:101 [inline] [ 105.5283048] syscall() at netbsd:syscall+0x882 userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] [ 105.5283048] syscall() at netbsd:syscall+0x882 sys/arch/x86/x86/syscall.c:166 [ 105.5383151] --- syscall (number 4) --- [ 105.5583454] 7f7e728ade7a: [ 105.5583454] cpu0: End traceback... [ 105.5685729] fatal breakpoint trap in supervisor mode [ 105.5685729] trap type 1 code 0 rip 0xffffffff8021e4b5 cs 0x8 rflags 0x246 cr2 0x7f7e72bfb729 ilevel 0 rsp 0xffffc4017e807b90 [ 105.5853239] curlwp 0xffffc40012116640 pid 1459.2 lowest kstack 0xffffc4017e8002c0 Stopped in pid 1459.2 (syz-executor4389) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 snprintf() at netbsd:snprintf kasan_report() at netbsd:kasan_report+0x98 kasan_code_name sys/kern/subr_asan.c:186 [inline] kasan_report() at netbsd:kasan_report+0x98 sys/kern/subr_asan.c:196 __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:346 [inline] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:360 [inline] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:412 [inline] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1182 mutex_oncpu() at netbsd:mutex_oncpu+0x38 mutex_oncpu sys/kern/kern_mutex.c:422 [inline] mutex_oncpu() at netbsd:mutex_oncpu+0x38 sys/kern/kern_mutex.c:406 mutex_enter() at netbsd:mutex_enter+0x1a1 sys/kern/kern_mutex.c:550 lwp_exit() at netbsd:lwp_exit+0x378 sys/kern/kern_lwp.c:1184 lwp_userret() at netbsd:lwp_userret+0x1f5 sys/kern/kern_lwp.c:1646 syscall() at netbsd:syscall+0x882 x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline] syscall() at netbsd:syscall+0x882 KPREEMPT_DISABLE sys/sys/lwp.h:525 [inline] syscall() at netbsd:syscall+0x882 mi_userret sys/sys/userret.h:101 [inline] syscall() at netbsd:syscall+0x882 userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] syscall() at netbsd:syscall+0x882 sys/arch/x86/x86/syscall.c:166 --- syscall (number 4) --- 7f7e728ade7a: ds 7bc0 es 663a fs 7b70 gs d314 rdi ffffc4000d92d488 rsi ffffc400121168f8 rbp ffffc4017e807b90 rbx ffffffff82810480 cpu_info_primary rdx 2 rcx ffffffff80d14f71 db_panic+0xd5 rax 0 r8 4 r9 1ffffffff0554be8 r10 ffffffff82aa5f43 db_onpanic+0x3 r11 10 r12 ffffc4016d8a4000 r13 ffffffff82440ae8 ostype+0x4e268 r14 ffffc4017e807c20 r15 ffffc4016d893068 rip ffffffff8021e4b5 breakpoint+0x5 cs 8 rflags 246 rsp ffffc4017e807b90 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 1707 2 2 0 0 ffffc40012086500 syz-executor4389 1707 1 2 0 0 ffffc400120d5180 syz-executor4389 1459 > 2 7 0 100000 ffffc40012116640 syz-executor4389 1459 1 2 0 10000000 ffffc400120618c0 syz-executor4389 930 2 2 0 0 ffffc400120d55c0 syz-executor4389 930 1 2 1 0 ffffc40012c9ca80 syz-executor4389 1557 2 3 1 80 ffffc400120704c0 syz-executor4389 parked 1557 1 2 0 10000000 ffffc40012bb56c0 syz-executor4389 1662 1 2 0 0 ffffc40011f48240 syz-executor4389 622 1 2 1 0 ffffc40013c66bc0 syz-executor4389 505 1 3 1 4 ffffc40013c66780 syz-executor4389 xclocv 413 1 2 1 0 ffffc400135fcb80 syz-executor4389 483 1 2 1 0 ffffc40012ca5ac0 syz-executor4389 613 1 2 1 0 ffffc40012ca5240 syz-executor4389 45 1 2 1 0 ffffc40011c8cb80 syz-executor4389 498 1 3 0 80 ffffc40011efb600 syz-executor4389 nanoslp 41 1 3 1 80 ffffc400116a1b00 sshd select 511 1 3 0 80 ffffc40012c7d9c0 getty nanoslp 518 1 3 1 80 ffffc40012c865c0 getty nanoslp 388 1 3 1 80 ffffc40012c86180 getty nanoslp 443 1 3 0 80 ffffc40012b96680 getty ttyraw 527 1 3 0 80 ffffc400121a99c0 cron nanoslp 536 1 3 0 80 ffffc40012c0f8c0 inetd kqueue 369 1 3 0 80 ffffc400121bc5c0 sshd select 436 1 3 0 80 ffffc40012156b80 powerd kqueue 202 1 3 1 80 ffffc40012bda700 syslogd kqueue 247 1 3 0 80 ffffc40012164340 dhcpcd kqueue 236 1 3 1 80 ffffc400120860c0 dhcpcd kqueue 1 1 3 0 80 ffffc40011e2d540 init wait 0 29 3 0 204 ffffc40011e84140 physiod physiod 0 48 3 0 204 ffffc40011e86180 pooldrain pooldrain 0 > 47 7 1 200 ffffc40011e849c0 ioflush 0 46 3 1 200 ffffc40011e84580 pgdaemon pgdaemon 0 44 3 1 200 ffffc40011e2d980 npfgc-0 npfgccv 0 43 3 1 204 ffffc40011e2d100 rt_free rt_free 0 42 3 1 204 ffffc40011e24940 unpgc unpgc 0 41 2 0 200 ffffc40011e24500 key_timehandler 0 40 3 1 204 ffffc40011e240c0 icmp6_wqinput/1 icmp6_wqinput 0 39 3 0 204 ffffc40011e1b900 icmp6_wqinput/0 icmp6_wqinput 0 38 2 0 200 ffffc40011e1b4c0 nd6_timer 0 37 3 1 204 ffffc40011e1b080 carp6_wqinput/1 carp6_wqinput 0 36 3 0 204 ffffc40011e168c0 carp6_wqinput/0 carp6_wqinput 0 35 3 1 204 ffffc40011e16480 carp_wqinput/1 carp_wqinput 0 34 3 0 204 ffffc40011e16040 carp_wqinput/0 carp_wqinput 0 33 3 1 204 ffffc40011c9bbc0 icmp_wqinput/1 icmp_wqinput 0 32 3 0 204 ffffc40011c9b780 icmp_wqinput/0 icmp_wqinput 0 31 3 1 204 ffffc40011c9b340 rt_timer rt_timer 0 30 3 0 204 ffffc40011c8c300 vmem_rehash vmem_rehash 0 28 3 0 204 ffffc4000f35dac0 scsibus0 sccomp 0 27 3 0 200 ffffc4000f35d680 pms0 pmsreset 0 26 3 1 204 ffffc4000f35d240 xcall/1 xcall 0 25 1 1 200 ffffc4000f35ca80 softser/1 0 24 1 1 200 ffffc4000f35c640 softclk/1 0 23 1 1 200 ffffc4000f35c200 softbio/1 0 22 1 1 200 ffffc4000f26ea40 softnet/1 0 21 1 1 201 ffffc4000f26e600 idle/1 0 20 3 0 204 ffffc4000f26e1c0 lnxpwrwq lnxpwrwq 0 19 3 0 204 ffffc4000f26ca00 lnxlngwq lnxlngwq 0 18 3 0 204 ffffc4000f26c5c0 lnxsyswq lnxsyswq 0 17 3 0 204 ffffc4000f26c180 lnxrcugc lnxrcugc 0 16 3 0 204 ffffc4000de4f9c0 sysmon smtaskq 0 15 3 0 204 ffffc4000de4f580 pmfsuspend pmfsuspend 0 14 3 0 204 ffffc4000de4f140 pmfevent pmfevent 0 13 3 0 204 ffffc4000de40980 sopendfree sopendfr 0 12 3 0 204 ffffc4000de40540 iflnkst iflnkst 0 11 3 0 204 ffffc4000de40100 nfssilly nfssilly 0 10 2 0 200 ffffc4000de34940 cachegc 0 9 3 0 204 ffffc4000de34500 vdrain vdrain 0 8 3 0 200 ffffc4000de340c0 modunload mod_unld 0 7 2 0 200 ffffc4000de24900 xcall/0 0 6 1 0 200 ffffc4000de244c0 softser/0 0 5 1 0 200 ffffc4000de24080 softclk/0 0 4 1 0 200 ffffc4000de218c0 softbio/0 0 3 1 0 200 ffffc4000de21480 softnet/0 0 2 1 0 201 ffffc4000de21040 idle/0 0 1 3 1 200 ffffffff82b6eec0 swapper uvm [Locks tracked through LWPs] ****** LWP 1459.2 (syz-executor4389) @ 0xffffc40012116640, l_stat=7 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at fork1) lock address : 0xffffc400120f2580 type : sleep/adaptive initialized : 0xffffffff81166c9f shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 1 relevant cpu : 0 last held: 0 relevant lwp : 0xffffc40012116640 last held: 000000000000000000 last locked : 0xffffffff81178509 unlocked*: 0xffffffff811464af owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. ****** LWP 930.1 (syz-executor4389) @ 0xffffc40012c9ca80, l_stat=2 *** Locks held: * Lock 0 (initialized at uvm_obj_init) lock address : 0xffffc40011c6b940 type : sleep/adaptive initialized : 0xffffffff8110ca00 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffc40012c9ca80 last held: 0xffffc40012c9ca80 last locked* : 0xffffffff810f06dd unlocked : 0xffffffff810ede32 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at pmap_ctor) lock address : 0xffffc40012151980 type : sleep/adaptive initialized : 0xffffffff802772c1 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffc40012c9ca80 last held: 0xffffc40012c9ca80 last locked* : 0xffffffff80278f1f unlocked : 0xffffffff80279c65 owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 1662.1 (syz-executor4389) @ 0xffffc40011f48240, l_stat=2 *** Locks held: * Lock 0 (initialized at uvm_map_setup) lock address : 0xffffc4001217fd28 type : sleep/adaptive initialized : 0xffffffff8110078d shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffc40011f48240 last held: 0xffffc40011f48240 last locked* : 0xffffffff810fa684 unlocked : 0xffffffff810f14d1 owner/count : 0xffffc40011f48240 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. *** Locks wanted: * Lock 0 (initialized at pool_init) lock address : 0xffffffff82dfa530 type : sleep/adaptive initialized : 0xffffffff81215609 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 1 relevant cpu : 0 last held: 1 relevant lwp : 0xffffc40011f48240 last held: 000000000000000000 last locked : 0xffffffff812161d8 unlocked*: 0xffffffff81216816 owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. ****** LWP 0.12 (iflnkst) @ 0xffffc4000de40540, l_stat=3 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at module_hook_init) lock address : 0xffffffff82d90140 type : sleep/adaptive initialized : 0xffffffff8117f222 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffc4000de40540 last held: 000000000000000000 last locked : 000000000000000000 unlocked*: 000000000000000000 owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. ****** LWP 0.5 (softclk/0) @ 0xffffc4000de24080, l_stat=1 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at module_hook_init) lock address : 0xffffffff82d90140 type : sleep/adaptive initialized : 0xffffffff8117f222 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffc4000de24080 last held: 000000000000000000 last locked : 000000000000000000 unlocked*: 000000000000000000 owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. [Locks tracked through CPUs] PAGE FLAG PQ UOBJECT UANON 0xffffc40000014180 0041 00000000 0x0 0x0 0xffffc400000141f8 0041 00000000 0x0 0x0 0xffffc40000014270 0041 00000000 0x0 0x0 0xffffc400000142e8 0041 00000000 0x0 0x0 0xffffc40000014360 0041 00000000 0x0 0x0 0xffffc400000143d8 0041 00000000 0x0 0x0 0xffffc40000014450 0041 00000000 0x0 0x0 0xffffc400000144c8 0041 00000000 0x0 0x0 0xffffc40000014540 0041 00000000 0x0 0x0 0xffffc400000145b8 0041 00000000 0x0 0x0 0xffffc40000014630 0041 00000000 0x0 0x0 0xffffc400000146a8 0041 00000000 0x0 0x0 0xffffc40000014720 0041 00000000 0x0 0x0 0xffffc40000014798 0041 00000000 0x0 0x0 0xffffc40000014810 0041 00000000 0x0 0x0 0xffffc40000014888 0041 00000000 0x0 0x0 0xffffc40000014900 0041 00000000 0x0 0x0 0xffffc40000014978 0041 00000000 0x0 0x0 0xffffc400000149f0 0041 00000000 0x0 0x0 0xffffc40000014a68 0041 00000000 0x0 0x0 0xffffc40000014ae0 0041 00000000 0x0 0x0 0xffffc40000014b58 0041 00000000 0x0 0x0 0xffffc40000014bd0 0041 00000000 0x0 0x0 0xffffc40000014c48 0041 00000000 0x0 0x0 0xffffc40000014cc0 0041 00000000 0x0 0x0 0xffffc40000014d38 0041 00000000 0x0 0x0 0xffffc40000014db0 0041 00000000 0x0 0x0 0xffffc40000014e28 0041 00000000 0x0 0x0 0xffffc40000014ea0 0041 00000000 0x0 0x0 0xffffc40000014f18 0041 00000000 0x0 0x0 0xffffc40000014f90 0041 00000000 0x0 0x0 0xffffc40000015008 0041 00000000 0x0 0x0 0xffffc40000015080 0041 00000000 0x0 0x0 0xffffc400000150f8 0041 00000000 0x0 0x0 0xffffc40000015170 0041 00000000 0x0 0x0 0xffffc400000151e8 0041 00000000 0x0 0x0 0xffffc40000015260 0041 00000000 0x0 0x0 0xffffc400000152d8 0041 00000000 0x0 0x0 0xffffc40000015350 0041 00000000 0x0 0x0 0xffffc400000153c8 0041 00000000 0x0 0x0 0xffffc40000015440 0041 00000000 0x0 0x0 0xffffc400000154b8 0041 00000000 0x0 0x0 0xffffc40000015530 0041 00000000 0x0 0x0 0xffffc400000155a8 0041 00000000 0x0 0x0 0xffffc40000015620 0041 00000000 0x0 0x0 0xffffc40000015698 0041 00000000 0x0 0x0 0xffffc40000015710 0041 00000000 0x0 0x0 0xffffc40000015788 0041 00000000 0x0 0x0 0xffffc40000015800 0041 00000000 0x0 0x0 0xffffc40000015878 0041 00000000 0x0 0x0 0xffffc400000158f0 0041 00000000 0x0 0x0 0xffffc40000015968 0041 00000000 0x0 0x0 0xffffc400000159e0 0041 00000000 0x0 0x0 0xffffc40000015a58 0041 00000000 0x0 0x0 0xffffc40000015ad0 0041 00000000 0x0 0x0 0xffffc40000015b48 0041 00000000 0x0 0x0 0xffffc40000015bc0 0041 00000000 0x0 0x0 0xffffc40000015c38 0041 00000000 0x0 0x0 0xffffc40000015cb0 0041 00000000 0x0 0x0 0xffffc40000015d28 0041 00000000 0x0 0x0 0xffffc40000015da0 0041 00000000 0x0 0x0 0xffffc40000015e18 0041 00000000 0x0 0x0 0xffffc40000015e90 0041 00000000 0x0 0x0 0xffffc40000015f08 0041 00000000 0x0 0x0 0xffffc40000015f80 0041 00000000 0x0 0x0 0xffffc40000015ff8 0041 00000000 0x0 0x0 0xffffc40000016070 0041 00000000 0x0 0x0 0xffffc400000160e8 0041 00000000 0x0 0x0 0xffffc40000016160 0041 00000000 0x0 0x0 0xffffc400000161d8 0041 00000000 0x0 0x0 0xffffc40000016250 0041 00000000 0x0 0x0 0xffffc400000162c8 0041 00000000 0x0 0x0 0xffffc40000016340 0041 00000000 0x0 0x0 0xffffc400000163b8 0041 00000000 0x0 0x0 0xffffc40000016430 0041 00000000 0x0 0x0 0xffffc400000164a8 0045 00000000 0x0 0x0 0xffffc40000016520 0041 00000000 0x0 0x0 0xffffc40000016598 0045 00000000 0x0 0x0 0xffffc40000016610 0041 00000000 0x0 0x0 0xffffc40000016688 0041 00000000 0x0 0x0 0xffffc40000016700 0045 00000000 0x0 0x0 0xffffc40000016778 0045 00000000 0x0 0x0 0xffffc400000167f0 0041 00000000 0x0 0x0 0xffffc40000016868 0045 00000000 0x0 0x0 0xffffc400000168e0 0045 00000000 0x0 0x0 0xffffc40000016958 0045 00000000 0x0 0x0 0xffffc400000169d0 0045 00000000 0x0 0x0 0xffffc40000016a48 0045 00000000 0x0 0x0 0xffffc40000016ac0 0045 00000000 0x0 0x0 0xffffc40000016b38 0045 00000000 0x0 0x0 0xffffc40000016bb0 0045 00000000 0x0 0x0 0xffffc40000016c28 0041 00000000 0x0 0x0 0xffffc40000016ca0 0045 00000000 0x0 0x0 0xffffc40000016d18 0041 00000000 0x0 0x0 0xffffc40000016d90 0045 00000000 0x0 0x0 0xffffc40000016e08 0045 00000000 0x0 0x0 0xffffc40000016e80 0041 00000000 0x0 0x0 0xffffc40000016ef8 0041 00000000 0x0 0x0 0xffffc40000016f70 0045 00000000 0x0 0x0 0xffffc40000016fe8 0041 00000000 0x0 0x0 0xffffc40000017060 0041 00000000 0x0 0x0 0xffffc400000170d8 0041 00000000 0x0 0x0 0xffffc40000017150 0041 00000000 0x0 0x0 0xffffc400000171c8 0041 00000000 0x0 0x0 0xffffc40000017240 0041 00000000 0x0 0x0 0xffffc400000172b8 0041 00000000 0x0 0x0 0xffffc40000017330 0041 00000000 0x0 0x0 0xffffc400000173a8 0041 00000000 0x0 0x0 0xffffc40000017420 0041 00000000 0x0 0x0 0xff