YO0~6IZa?sw7zANa@iEd )}_=ʁB8*ۤې05pXh=(l^íЙmI8fAc1}Htϳɗfh u!.d.[.8> R%rwO[ 1225.6140215] ASan: Unauthorized Access In 0xffffffff80f718dc: Addr 0xffff9a8012f126e0 [8 bytes, read, PoolUseAfterFree] [ 1225.6340709] #0 0xffffffff80f718dc in knote [ 1225.6440739] #1 0xffffffff8102e96b in selnotify 00:01:08 executing program 0: mkdir(&(0x7f0000000180)='./file1\x00', 0x0) open$dir(&(0x7f0000000140)='./file1/file0\x00', 0x200000, 0x20) mknod$loop(&(0x7f0000000040)='./file1/file0\x00', 0x6, 0x0) r0 = paccept(0xffffffffffffffff, &(0x7f00000000c0)=@in6, &(0x7f0000000100)=0xc, 0x20000000) close(r0) open(&(0x7f0000000080)='./file1/file0\x00', 0x1000000, 0x8b) r1 = open(&(0x7f0000000000)='./file1\x00', 0x0, 0x0) fchroot(r1) fcntl$getflags(r1, 0x1) close(r1) socket$unix(0x1, 0x1, 0x0) fcntl$getown(r1, 0x5) 00:01:08 executing program 4: r0 = socket(0x11, 0x3, 0x0) open$dir(&(0x7f0000000000)='./file0\x00', 0x60221, 0x0) r1 = open$dir(&(0x7f0000000040)='./file0\x00', 0x0, 0x0) setsockopt$sock_linger(r0, 0xffff, 0x80, &(0x7f0000000100)={0x8, 0x20}, 0x8) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x5, 0x10, r1, 0x0, 0x0) getpeername(r0, &(0x7f0000000080)=@un=@abs, &(0x7f00000000c0)=0x8) getsockopt$sock_cred(r0, 0xffff, 0x11, &(0x7f0000000140), &(0x7f0000000180)=0xc) 00:01:08 executing program 3: r0 = open(&(0x7f0000000000)='./file0\x00', 0x1000000, 0x2) mkdirat(r0, &(0x7f0000000040)='./file0\x00', 0x162) r1 = shmget$private(0x0, 0x2000, 0x8, &(0x7f0000ffc000/0x2000)=nil) getsockopt$sock_cred(r0, 0xffff, 0x11, &(0x7f0000000080)={0x0, 0x0, 0x0}, &(0x7f00000000c0)=0xc) setgid(r4) chown(&(0x7f0000000100)='./file0\x00', r3, r4) bind$unix(r0, &(0x7f0000000140)=@abs={0x1, 0x0, 0x3}, 0x8) execve(&(0x7f0000000180)='./file0\x00', &(0x7f0000000300)=[&(0x7f00000001c0)='{m:\x00', &(0x7f0000000200)='\'^\x00', &(0x7f0000000240)='\x00', &(0x7f0000000280)='\x00', &(0x7f00000002c0)='\\$\x00'], &(0x7f00000004c0)=[&(0x7f0000000340)='\x00', &(0x7f0000000380)='^\x00', &(0x7f00000003c0)=':).\\\xe2[\x00', &(0x7f0000000400)='\x00', &(0x7f0000000440)='$\x00', &(0x7f0000000480)='}!^\x00']) r5 = msgget$private(0x0, 0xa2) msgsnd(r5, &(0x7f0000000500)={0x3, "0cdcbc5fb6019784c12d016ad4d99e66e42b0c02391fae09ee7cd7040a54af91d2815f4fc10fcffbb747e6c64f6f50ed27d557c692dd40ae6d9c351a01f08aee38e256d8"}, 0x4c, 0x800) unlink(&(0x7f0000000580)='./file0\x00') sendto(r0, &(0x7f00000005c0)="7cbb8f3396a5c8224c7af9b2f0d0ab2f7ec308c820274a6fddb91cca2f3502302bf6e3d0a2a72cc11611920d9330fc5598", 0x31, 0x8, &(0x7f0000000600)=@in={0x2, 0x3}, 0xc) msgrcv(r5, &(0x7f0000000640)={0x0, ""/191}, 0xc7, 0x2, 0x800) sendmsg(r0, &(0x7f0000000cc0)={&(0x7f0000000740)=@un=@file={0x1, './file0\x00'}, 0xa, &(0x7f0000000c00)=[{&(0x7f0000000780)="22c100a02b450052bbd55395980d4d3b6b71a8116842f12dc244a3ff60184708adade5ff32", 0x25}, {&(0x7f00000007c0)="f9f55572f797121b31da75b1774eaf1cfbef02211bc5cc676af86b83e589b5f3e1937d2960b803ecdd0e80f68a3f738f2459993f17657afb3fb6e2c2ee14aadcc2c66f5104bdef25d90cf64c5d7d1cfad125f737b483b9f2f6e8e728761d8619bc7a00a0156ac5831bb1057f251fc796295726dd40034f082f6ff9721488cce2a50373ee4678ed44b4526ea7adad18b2394674f0a3411d3747c833c6b2f3afc5d93a", 0xa2}, {&(0x7f0000000880)="ae42f3e8840a8f9a21652e1ea284874e4944f388a8f6971e79eb12625f32efcc01d673ee22ad3ff1b17f6263b8ae272e4b3aa6e344586e50758b13d3c72cd5f7fcbca9068f489f3612d03fa1054a72f00ab49b7886e7608e165ca0841bc149cc6c6e153207542a98165e27af772edc34a858a3c424da785415a232245e5612122b11c3bac19f9babe412d16c7b6ea3565dcd1fcfa71e18577ea8edd33db5e94dd9ee081efb4c1a174e9d2baee5ece7df7fc211d49b8334c6386f3e234f93ebb96002d0ddb9d24fec3cd4ca18cb65fb3f5a77a2407a670716aae1f597942cff7ba6e77a1432a819211d7648b9aa0dc89dd74b6ea30414", 0xf6}, {&(0x7f0000000980)="655f990095e3409168f38e0e5a110760604cfaf43b482de5e7254ac0ccafd4eb1a86c7ec7fbe3a7388e151f337cd12c42e9b43de1bc22363a69f963a9ca6f2e1812a92e27bb7ef4e728415c0fe753880aa8d44febd0fa59aa4e86b1da1daadc943cd943ac34b59fb0e8682b54a64878795e253a5ede2e28c245df0885a3612963e3a3097cd0b3e2fd7bda54a83b4080fc1a43b3fee8ee2d9513484bb61cbe1ab36cea6bf1107b1a4", 0xa8}, {&(0x7f0000000a40)="78b8875b48ab6b32763c160295e29bb503fa7e6b79f097210357e47ef29bf4eb494dfb8376546b2e2570aeb085c76dc8483db7d9a230b55d96f4c5b4424754b0c071f2478a39064e30d44465f6a22731f7f4972dcbf9390f28fb11858dfd247a995172fb92a3368590384966fa835fdb7636d12e8e791dc7fb9451b2f36802d74f3ff1cf9c8143deedc9c0c18a7cb8504a", 0x91}, {&(0x7f0000000b00)="dea6d49eb7cd613a10a75bf205e14a540a94bb7006d31ff80d86ba4c4987b068e84583c89ca1b3bee88d8c6d76ac3bfc13f7626f18c211949dee972f794c69de729af7418595bae3b80012809dc84be892f9a2f2de", 0x55}, {&(0x7f0000000b80)="79d5bb02fdb8d3299322946b6814e58b9e8357c3cc5b97ddb1ead8d3f1320211653f12c078d8469db7e83086f3c0088271ab15a30a2e9295caa1a00e4fe08b8dd7955f18c5c2a21025a878c9843783d9c148822e68e4e8", 0x57}], 0x7, &(0x7f0000000c80)=[{0x38, 0xffff, 0x0, "7d120be5caf6a81efc10db91489ed1c0fdce17aa6bd1c685187cf1aa69cb6019adc6"}], 0x38}, 0x0) mknodat(r0, &(0x7f0000000d00)='./file0\x00', 0x8050, 0x4) shmctl$IPC_SET(r1, 0x1, &(0x7f0000000d40)={{0x8, r3, r4, r3, r4, 0x2, 0xb60e}, 0x0, 0xfffffffeffffffff, r2, r2, 0x100, 0xc467, 0x676e7661}) mincore(&(0x7f0000ffd000/0x1000)=nil, 0x1000, &(0x7f0000000dc0)=""/186) getsockname(r0, &(0x7f0000000e80)=@in6, &(0x7f0000000ec0)=0xc) bind(r0, &(0x7f0000000f00)=@in6={0x18, 0x3, 0x80000000, 0x40}, 0xc) chdir(&(0x7f0000000f40)='./file0\x00') chdir(&(0x7f0000000f80)='./file0\x00') r6 = dup(r0) getsockopt$SO_PEERCRED(r0, 0xffff, 0x11, &(0x7f0000000fc0), 0xc) symlinkat(&(0x7f0000001000)='./file0\x00', r0, &(0x7f0000001040)='.\x00') getsockopt$sock_cred(r6, 0xffff, 0x11, &(0x7f0000001080), &(0x7f00000010c0)=0xc) getppid() execve(&(0x7f0000001100)='./file0/file0\x00', &(0x7f0000001280)=[&(0x7f0000001140)=':).\\\xe2[\x00', &(0x7f0000001180)='{m:\x00', &(0x7f00000011c0)='\\$\x00', &(0x7f0000001200)='+}}\x00', &(0x7f0000001240)='*\x00'], &(0x7f0000001400)=[&(0x7f00000012c0)='\x00', &(0x7f0000001300)='(\xbd-*\x00', &(0x7f0000001340)='\\$\x00', &(0x7f0000001380)='\xdc\x00', &(0x7f00000013c0)='^\x00']) msgsnd(r5, &(0x7f0000001440)={0x3, "ad17af988600d4cf8af0b19c3dd3e1ab95a3be82c9c6e5499b2e6798c5c1252d92588d8fbcd1844b3403b1dbda9957e90234dc36a30dbdf46521a0a41c5983ee97d5a8d129ecb71b3a1373bbd2682adcc16c2fb95a95b94f39664929d32377f6b0f6d7b29990209739626fa45dd465354dcd9c9eb8df82"}, 0x7f, 0x800) chown(&(0x7f00000014c0)='./file0\x00', r3, r4) open(&(0x7f0000001500)='./file0/file0\x00', 0xa, 0x1) [ 1225.6540959] #2 0xffffffff81026b93 in pipeselwakeup [ 1225.6741235] #3 0xffffffff81026ef3 in pipeclose.part.0 [ 1225.6841452] #4 0xffffffff81028262 in pipe1 [ 1225.6841452] #5 0xffffffff8101d691 in sys_pipe [ 1225.6942246] #6 0xffffffff80fb14d4 in sys___syscall [ 1225.7042289] #7 0xffffffff8026b3ae in syscall [ 1225.7042289] ASan: Unauthorized Access In 0xffffffff80f718ec: Addr 0xffff9a8012f12740 [8 bytes, read, PoolUseAfterFree] [ 1225.7242586] #0 0xffffffff80f718ec in knote [ 1225.7242586] #1 0xffffffff8102e96b in selnotify [ 1225.7342795] #2 0xffffffff81026b93 in pipeselwakeup [ 1225.7442432] #3 0xffffffff81026ef3 in pipeclose.part.0 [ 1225.7442432] #4 0xffffffff81028262 in pipe1 [ 1225.7542663] #5 0xffffffff8101d691 in sys_pipe [ 1225.7642778] #6 0xffffffff80fb14d4 in sys___syscall [ 1225.7642778] #7 0xffffffff8026b3ae in syscall [ 1225.7742973] panic: kernel diagnostic assertion "kn->kn_fop != NULL" failed: file "/syzkaller/managers/netbsd/kernel/sys/kern/kern_event.c", line 1653 [ 1225.7843125] cpu1: Begin traceback... [ 1225.7943328] vpanic() at netbsd:vpanic+0x214 [ 1225.8043459] _GLOBAL__sub_D_65535_0_cpu_configure() at netbsd:_GLOBAL__sub_D_65535_0_cpu_configure [ 1225.8243811] knote() at netbsd:knote+0x117 [ 1225.8344022] selnotify() at netbsd:selnotify+0x30 [ 1225.8444161] pipeselwakeup() at netbsd:pipeselwakeup+0x47 [ 1225.8544334] pipeclose.part.0() at netbsd:pipeclose.part.0+0x10b [ 1225.8744683] pipe1() at netbsd:pipe1+0x15d [ 1225.8844845] sys_pipe() at netbsd:sys_pipe+0x5c [ 1225.8945039] sys___syscall() at netbsd:sys___syscall+0xe2 [ 1225.9045180] syscall() at netbsd:syscall+0x32e [ 1225.9145366] --- syscall (number 198) --- [ 1225.9145366] 7d6ef4c3f4aa: [ 1225.9245521] cpu1: End traceback... [ 1225.9245521] dumping to dev 4,1 (offset=0, size=0): not possible [ 1225.9345702] rebooting... SeaBIOS (version 1.8.2-20190322_093631-google) Total RAM Size = 0x00000001e0000000 = 7680 MiB CPUs found: 2 Max CPUs supported: 2 found virtio-scsi at 0:3 virtio-scsi vendor='Google' product='PersistentDisk' rev='1' type=0 removable=0 virtio-scsi blksize=512 sectors=4194304 = 2048 MiB drive 0x000f29c0: PCHS=0/0/0 translation=lba LCHS=520/128/63 s=4194304 Booting from Hard Disk 0... >> NetBSD/x86 BIOS Boot, Revision 5.10 (Tue Jul 17 14:59:51 UTC 2018) (from NetBSD 8.0) >> Memory: 639/3144640 k 1. Boot normally 2. Boot single user 3. Disable ACPI 4. Disable ACPI and SMP 5. Drop to boot prompt