[  66.8589025] panic: ASan: Unauthorized Access In 0xffffffff81178895: Addr 0xffff9a0011d86b18 [8 bytes, read, PoolUseAfterFree]
[  66.8688970] fatal page fault in supervisor mode
[  66.8688970] trap type 6 code 0 rip 0xffffffff811dbe04 cs 0x8 rflags 0x10283 cr2 0xffff900000000007 ilevel 0x8 rsp 0xffff9a016da9fda0
[  66.8688970] curlwp 0xffff9a000de22080 pid 0.5 lowest kstack 0xffff9a016da982c0
k
efranetla:l  ppaaggee  ffaauulltt  itrn aps,up cerovdie=s0o[
 Stopped in pid 0.5 (system) at  netbsd:__asan_load8+0x62:       movzbl  0(%rax),%r8d
?
__asan_load8() at netbsd:__asan_load8+0x62 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:356 [inline]
__asan_load8() at netbsd:__asan_load8+0x62 kasan_shadow_check sys/kern/subr_asan.c:410 [inline]
__asan_load8() at netbsd:__asan_load8+0x62 sys/kern/subr_asan.c:1180
sleepq_remove() at netbsd:sleepq_remove+0x26c spc_lock sys/sys/lwp.h:447 [inline]
sleepq_remove() at netbsd:sleepq_remove+0x26c sys/kern/kern_sleepq.c:159
sleepq_unsleep() at netbsd:sleepq_unsleep+0x74 sys/kern/kern_sleepq.c:356
sleepq_timeout() at netbsd:sleepq_timeout+0x6b sys/kern/kern_sleepq.c:385
callout_softclock() at netbsd:callout_softclock+0x272 sys/kern/kern_timeout.c:761
softint_dispatch() at netbsd:softint_dispatch+0x269 x86_curcpu sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:56 [inline]
softint_dispatch() at netbsd:softint_dispatch+0x269 softint_execute sys/kern/kern_softint.c:592 [inline]
softint_dispatch() at netbsd:softint_dispatch+0x269 sys/kern/kern_softint.c:878
DDB lost frame for netbsd:Xsoftintr+0x5a, trying 0xffff9a016da9fff0
Xsoftintr() at netbsd:Xsoftintr+0x5a
--- interrupt ---
0:
ds          fdb0
es          d19a
fs          3060
gs          d5b0
rdi         38
rsi         7
rbp         ffff9a016da9fdb0
rbx         ffff9a00138dd500
rdx         800000000000
rcx         ffffffff811a8921    sleepq_remove+0x26c
rax         ffff900000000007
r8          0
r9          3f
r10         7
r11         0
r12         0
r13         38
r14         195f
r15         ffff9a00138dd58c
rip         ffffffff811dbe04    __asan_load8+0x62
cs          8
rflags      10283
rsp         ffff9a016da9fda0
ss          10
netbsd:__asan_load8+0x62:       movzbl  0(%rax),%r8d
PID    LID S CPU     FLAGS       STRUCT LWP *               NAME WAIT
686      3 3   0        80   ffff9a0011e4d100     syz-executor.1 parked
519      1 2   0         0   ffff9a0011cd11c0     syz-executor.5
446      3 3   1         4   ffff9a0011deb740     syz-executor.1 vfork
446      1 2   0  10040000   ffff9a0011ddf700     syz-executor.1
635      5 3   0     40080   ffff9a0011d1f240     syz-executor.0 parked
34       3 3   1        80   ffff9a0011c815c0     syz-executor.2 parked
73   >   1 7   1  20040000   ffff9a0013ab6ac0     syz-executor.4
565      3 3   0     40080   ffff9a0013ab6240     syz-executor.2 parked
619      4 3   1        80   ffff9a0013a751c0     syz-executor.0 parked
45       1 3  -1         0   ffff9a00138dd940     syz-executor.4
522      1 3  -1         0   ffff9a00138dd500     syz-executor.5
607      1 3   0        80   ffff9a00138dd0c0     syz-executor.3 pipe_rd
483      1 3   0        80   ffff9a0013793900     syz-executor.2 pipe_rd
464      1 3   0        80   ffff9a00137934c0     syz-executor.1 nanoslp
40   >   1 7   0  20000000   ffff9a001295c240     syz-executor.0
562     11 3   1        80   ffff9a0013793080         syz-fuzzer parked
562     10 3   1        80   ffff9a00137808c0         syz-fuzzer parked
562      9 3   1        80   ffff9a0011ae2b00         syz-fuzzer parked
562      8 3   0        80   ffff9a0013780480         syz-fuzzer parked
562      7 3   1        80   ffff9a001377dbc0         syz-fuzzer parked
562      6 3   1        80   ffff9a001377d780         syz-fuzzer parked
562      5 3   1        80   ffff9a001377d340         syz-fuzzer parked
562      4 3   0        80   ffff9a0012a51ac0         syz-fuzzer parked
562      3 3   1        80   ffff9a0012a51240         syz-fuzzer kqueue
562      2 2   1         0   ffff9a0012a46640         syz-fuzzer
562      1 3   0        80   ffff9a0011ae7300         syz-fuzzer parked
390      1 3   0        80   ffff9a001297a280               sshd select
535      1 3   1        80   ffff9a0012a30180              getty nanoslp
564      1 3   1        80   ffff9a0012a3e600              getty nanoslp
569      1 3   1        80   ffff9a0012a3e1c0              getty nanoslp
420      1 3   1        80   ffff9a0012a28580              getty ttyraw
433      1 3   0        80   ffff9a0011fdaa40               cron nanoslp
463      1 3   0        80   ffff9a00129abb80              inetd kqueue
317      1 3   0        80   ffff9a0011f639c0               sshd select
440      1 3   0        80   ffff9a0011e5e580             powerd kqueue
314      1 3   1        80   ffff9a001297ab00            syslogd kqueue
268      1 3   0        80   ffff9a0011f10340             dhcpcd kqueue
220      1 3   0        80   ffff9a0011e28080             dhcpcd kqueue
1        1 3   1        80   ffff9a0011bfc940               init wait
0       58 3   0       204   ffff9a0011c50540            physiod physiod
0       57 3   1       204   ffff9a0011c529c0           aiodoned aiodoned
0       56 3   0       204   ffff9a0011c52580          pooldrain pooldrain
0       55 3   0       200   ffff9a0011c52140            ioflush syncer
0       54 3   0       200   ffff9a0011c50980           pgdaemon pgdaemon
0       51 3   1       200   ffff9a000f3c4ac0            npfgc-0 npfgccv
0       50 3   1       204   ffff9a0011bfc500            rt_free rt_free
0       49 3   1       204   ffff9a0011bfc0c0              unpgc unpgc
0       48 3   1       204   ffff9a0011bf5900    key_timehandler key_timehandler
0       47 3   1       204   ffff9a0011bf54c0    icmp6_wqinput/1 icmp6_wqinput
0       46 3   0       204   ffff9a0011bf5080    icmp6_wqinput/0 icmp6_wqinput
0       45 3   1       204   ffff9a0011b0c8c0          nd6_timer nd6_timer
0       44 3   1       204   ffff9a0011b0c480    carp6_wqinput/1 carp6_wqinput
0       43 3   0       204   ffff9a0011b0c040    carp6_wqinput/0 carp6_wqinput
0       42 3   1       204   ffff9a0011af7bc0     carp_wqinput/1 carp_wqinput
0       41 3   0       204   ffff9a0011af7780     carp_wqinput/0 carp_wqinput
0       40 3   1       204   ffff9a0011af7340     icmp_wqinput/1 icmp_wqinput
0       39 3   0       204   ffff9a0011ae7b80     icmp_wqinput/0 icmp_wqinput
0       38 3   0       204   ffff9a0011ae7740           rt_timer rt_timer
0       37 3   0       204   ffff9a0011ae4b40        vmem_rehash vmem_rehash
0       27 3   0       204   ffff9a000f3c4680           scsibus0 sccomp
0       26 3   0       200   ffff9a000f3c4240               pms0 pmsreset
0       25 3   1       204   ffff9a000f335a80            xcall/1 xcall
0       24 1   1       200   ffff9a000f335640          softser/1
0    >  23 7   1  20000200   ffff9a000f335200          softclk/1
0       22 1   1       200   ffff9a000f331a40          softbio/1
0       21 1   1       200   ffff9a000f331600          softnet/1
0       20 1   1       201   ffff9a000f3311c0             idle/1
0       19 3   0       204   ffff9a000de52a00           lnxpwrwq lnxpwrwq
0       18 3   0       204   ffff9a000de525c0           lnxlngwq lnxlngwq
0       17 3   0       204   ffff9a000de52180           lnxsyswq lnxsyswq
0       16 3   0       204   ffff9a000de4d9c0           lnxrcugc lnxrcugc
0       15 3   0       204   ffff9a000de4d580             sysmon smtaskq
0       14 3   0       204   ffff9a000de4d140         pmfsuspend pmfsuspend
0       13 3   0       204   ffff9a000de3e980           pmfevent pmfevent
0       12 3   0       204   ffff9a000de3e540         sopendfree sopendfr
0       11 3   0       204   ffff9a000de3e100           nfssilly nfssilly
0       10 3   0       200   ffff9a000de32940            cachegc cachegc
0        9 3   0       204   ffff9a000de32500             vdrain vdrain
0        8 3   1       200   ffff9a000de320c0          modunload mod_unld
0        7 3   0       204   ffff9a000de22900            xcall/0 xcall
0        6 1   0       200   ffff9a000de224c0          softser/0
0    >   5 7   0  20000200   ffff9a000de22080          softclk/0
0        4 1   0       200   ffff9a000de1f8c0          softbio/0
0        3 1   0       200   ffff9a000de1f480          softnet/0
0        2 1   0       201   ffff9a000de1f040             idle/0
0        1 3   0       200   ffffffff82b66d80            swapper uvm
[Locks tracked through LWPs]
Locks held by an LWP (syz-executor.5):
Lock 0 (initialized at uvm_map_setup)
lock address : 0xffff9a0011c055c8 type     :     sleep/adaptive
initialized  : 0xffffffff810fe8cd
shared holds :                  0 exclusive:                  1
shares wanted:                  0 exclusive:                  0
current cpu  :                  0 last held:                  0
current lwp  : 0xffff9a000de22080 last held: 0xffff9a0011cd11c0
last locked* : 0xffffffff810f87b4 unlocked : 0xffffffff810ef721
owner/count  : 0x0000000000000010 flags    : 000000000000000000

Turnstile chain at 0xffffffff82d8cbb8 with mutex 0xffffffff82d8bec0.
=> No active turnstile for this lock.

Locks held by an LWP (syz-executor.4):
Lock 0 (initialized at uvm_obj_init)
lock address : 0xffff9a00136b9d00 type     :     sleep/adaptive
initialized  : 0xffffffff8110aa97
shared holds :                  0 exclusive:                  1
shares wanted:                  0 exclusive:                  0
current cpu  :                  0 last held:                  0
current lwp  : 0xffff9a000de22080 last held: 0xffff9a0013ab6ac0
last locked* : 0xffffffff810ee8e8 unlocked : 0xffffffff810f7b87
owner field  : 0xffff9a0013ab6ac0 wait/spin:                0/0

Turnstile chain at 0xffffffff82d8cca0 with mutex 0xffffffff82d8c600.
=> No active turnstile for this lock.
Lock 1 (initialized at pmap_ctor)
lock address : 0xffff9a0012a37f80 type     :     sleep/adaptive
initialized  : 0xffffffff80276a44
shared holds :                  0 exclusive:                  1
shares wanted:                  0 exclusive:                  0
current cpu  :                  0 last held:                  0
current lwp  : 0xffff9a000de22080 last held: 0xffff9a0013ab6ac0
last locked* : 0xffffffff80278e7f unlocked : 0xffffffff802799ff
owner field  : 0xffff9a0013ab6ac0 wait/spin:                0/0

Turnstile chain at 0xffffffff82d8ccf0 with mutex 0xffffffff82d8c880.
=> No active turnstile for this lock.

Locks held by an LWP (syz-executor.0):
Lock 0 (initialized at vcache_alloc)
lock address : 0xffff9a0013784a40 type     :     sleep/adaptive
initialized  : 0xffffffff812c85b2
shared holds :                  0 exclusive:                  1
shares wanted:                  0 exclusive:                  0
current cpu  :                  0 last held:                  0
current lwp  : 0xffff9a000de22080 last held: 0xffff9a001295c240
last locked* : 0xffffffff812f51f0 unlocked : 0xffffffff812f50ad
owner/count  : 0xffff9a001295c240 flags    : 0x0000000000000004

Turnstile chain at 0xffffffff82d8ca48 with mutex 0xffffffff82d8b340.
=> No active turnstile for this lock.
Lock 1 (initialized at vcache_alloc)
lock address : 0xffff9a0013784a80 type     :     sleep/adaptive
initialized  : 0xffffffff812c85b2
shared holds :                  0 exclusive:                  1
shares wanted:                  0 exclusive:                  0
current cpu  :                  0 last held:                  0
current lwp  : 0xffff9a000de22080 last held: 0xffff9a001295c240
last locked* : 0xffffffff812f51f0 unlocked : 0xffffffff812f50ad