panic: ASan: Invalid access, 8-byte read at 0xfffffe00585f1c98, UMAUseAfterFree(fd) cpuid = 1 time = 1768541536 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe0056eb2cd0 kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe0056eb2e30 vpanic() at vpanic+0x257/frame 0xfffffe0056eb2ff0 panic() at panic+0xb5/frame 0xfffffe0056eb30c0 kasan_report() at kasan_report+0xdf/frame 0xfffffe0056eb3190 mld_change_state() at mld_change_state+0xf2/frame 0xfffffe0056eb3330 in6_leavegroup_locked() at in6_leavegroup_locked+0x17b/frame 0xfffffe0056eb3450 in6_pcbpurgeif0() at in6_pcbpurgeif0+0x2f6/frame 0xfffffe0056eb3550 _in6_ifdetach() at _in6_ifdetach+0x18e/frame 0xfffffe0056eb3640 in6_ifdeparture() at in6_ifdeparture+0x9f/frame 0xfffffe0056eb3670 if_detach_internal() at if_detach_internal+0x46b/frame 0xfffffe0056eb3740 if_detach() at if_detach+0xb6/frame 0xfffffe0056eb3780 tun_destroy() at tun_destroy+0x3c9/frame 0xfffffe0056eb37e0 if_clone_destroyif_flags() at if_clone_destroyif_flags+0xc8/frame 0xfffffe0056eb3830 if_clone_destroy() at if_clone_destroy+0x1f6/frame 0xfffffe0056eb3870 ifioctl() at ifioctl+0x116f/frame 0xfffffe0056eb3ab0 kern_ioctl() at kern_ioctl+0x52a/frame 0xfffffe0056eb3b90 sys_ioctl() at sys_ioctl+0x36e/frame 0xfffffe0056eb3d10 amd64_syscall() at amd64_syscall+0x4e2/frame 0xfffffe0056eb3f30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0056eb3f30 --- syscall (54, FreeBSD ELF64, ioctl), rip = 0x8247032ca, rsp = 0x820f39b18, rbp = 0x820f39b30 --- KDB: enter: panic [ thread pid 958 tid 100180 ] Stopped at kdb_enter+0x6e: movq $0,0x2587a77(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xffffffff81663bce _vprintf+0x1ae rdx 0 rbx 0xffffffff8283c160 .str.27 rsp 0xfffffe0056eb2e10 rbp 0xfffffe0056eb2e30 rsi 0 rdi 0xffffffff81664139 printf+0x149 r8 0 r9 0xffffffff r10 0 r11 0x3 r12 0xfffffe0058b19000 r13 0xfffffffffffffffd r14 0xffffffff8283c160 .str.27 r15 0 rip 0xffffffff8164d41e kdb_enter+0x6e rflags 0x46 kdb_enter+0x6e: movq $0,0x2587a77(%rip) db> show proc Process 958 (ifconfig) at 0xfffffe0058add000: state: NORMAL uid: 0 gid: 0 supp gids: 0, 5 parent: pid 954 at 0xfffffe0058add558 ABI: FreeBSD ELF64 flag: 0x10004000 flag2: 0 arguments: ifconfig tap3 destroy reaper: 0xfffffe0007809010 reapsubtree: 1 sigparent: 20 vmspace: 0xfffffe000780f920 (map 0xfffffe000780f920) (map.pmap 0xfffffe000780f9c0) (pmap 0xfffffe000780fa30) threads: 1 100180 Run CPU 1 ifconfig db> ps pid ppid pgrp uid state wmesg wchan cmd 959 763 763 0 RE CPU 0 syz-executor 958 954 954 0 R CPU 1 ifconfig 954 762 954 0 S wait 0xfffffe0058add558 syz-executor 952 765 765 0 R (threaded) syz-executor 100104 RunQ syz-executor 100238 S sbwait 0xfffffe0059c46e0c syz-executor 100242 S uwait 0xfffffe006eb84200 syz-executor 946 1 946 0 Ss+ ttyin 0xfffffe0007bf80b0 getty 944 937 764 0 SV uwait 0xfffffe00585f4500 syz-executor 942 1 942 0 Ss+ ttyin 0xfffffe0007bf78b0 getty 939 1 939 0 Ss+ ttyin 0xfffffe00542308b0 getty 937 764 764 0 T (threaded) syz-executor 100099 s syz-executor 100230 RunQ syz-executor 936 1 936 0 Ss+ ttyin 0xfffffe005422dcb0 getty 928 1 928 0 Ss+ ttyin 0xfffffe005997d8b0 getty 927 1 927 0 Ss+ ttyin 0xfffffe00542300b0 getty 926 1 926 0 Ss+ ttyin 0xfffffe0007bf70b0 getty 925 1 763 0 S uwait 0xfffffe00585f4800 syz-executor 924 1 924 0 Ss+ ttyin 0xfffffe0007bf88b0 getty 919 1 765 0 S uwait 0xfffffe006eb83380 syz-executor 918 1 918 0 Ss+ ttyin 0xfffffe0007bf90b0 getty 905 1 763 0 S uwait 0xfffffe006eb84000 syz-executor 904 1 763 0 S uwait 0xfffffe0058694680 syz-executor 902 1 763 0 S uwait 0xfffffe0058694380 syz-executor 877 0 0 0 DL mdwait 0xfffffe0059f32000 [md0] 867 1 765 0 S uwait 0xfffffe00585f3800 syz-executor 836 0 0 0 DL (threaded) [so_splice] 100152 D - 0xfffffe00585f1f00 [thr_0] 100153 D - 0xfffffe00585f1f40 [thr_1] 826 0 0 0 DL aiordy 0xfffffe0058afa008 [aiod4] 825 0 0 0 DL aiordy 0xfffffe0058afa560 [aiod3] 824 0 0 0 DL aiordy 0xfffffe0058afaab8 [aiod2] 823 0 0 0 DL aiordy 0xfffffe0058a05018 [aiod1] 765 762 765 0 S nanslp 0xffffffff83bb5f40 syz-executor 764 762 764 0 S nanslp 0xffffffff83bb5f41 syz-executor 763 762 763 0 S nanslp 0xffffffff83bb5f41 syz-executor 762 1 760 0 S select 0xfffffe0059cbfec0 syz-executor 16 0 0 0 DL syncer 0xffffffff83ce3ae0 [syncer] 15 0 0 0 DL vlruwt 0xfffffe000780a018 [vnlru] 14 0 0 0 DL (threaded) [bufdaemon] 100079 D psleep 0xffffffff83ce2020 [bufdaemon] 100082 D - 0xffffffff83001ec0 [bufspacedaemon-0] 100092 D sdflush 0xfffffe0057f1fce8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83d23380 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100077 D psleep 0xffffffff83d09448 [dom0] 100080 D launds 0xffffffff83d09454 [laundry: dom0] 100081 D umarcl 0xffffffff81e37c30 [uma] 7 0 0 0 DL - 0xffffffff8392e510 [rand_harvestq] 6 0 0 0 DL pftm 0xffffffff84867f80 [pf purge] 5 0 0 0 DL waiting 0xffffffff84558700 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100045 D - 0xffffffff838f8340 [doneq0] 100046 D - 0xffffffff838f82c0 [async] 100075 D - 0xffffffff838f8140 [scanner] 3 0 0 0 DL (threaded) [crypto] 100042 D crypto_ 0xffffffff83d04ce0 [crypto] 100043 D crypto_ 0xfffffe00077af830 [crypto returns 0] 100044 D crypto_ 0xfffffe00077af880 [crypto returns 1] 13 0 0 0 DL (threaded) [geom] 100037 D - 0xffffffff83b5e520 [g_event] 100038 D - 0xffffffff83b5e540 [g_up] 100039 D - 0xffffffff83b5e560 [g_down] 2 0 0 0 WL (threaded) [clock] 100031 I [clock (0)] 100032 I [clock (1)] 12 0 0 0 WL (threaded) [intr] 100013 I [swi6: task queue] 100014 I [swi6: Giant taskq] 100016 I [swi5: fast taskq] 100033 I [swi1: netisr 0] 100034 I [swi1: hpts] 100035 I [swi1: hpts] 100047 I [irq24: virtio_pci0] 100048 I [irq25: virtio_pci0] 100049 I [irq26: virtio_pci0] 100050 I [irq27: virtio_pci0] 100051 I [irq28: virtio_pci1] 100052 I [irq29: virtio_pci1] 100053 I [irq30: virtio_pci1] 100054 I [irq31: virtio_pci1] 100055 I [irq32: virtio_pci1] 100060 I [irq10: virtio_pci2] 100062 I [irq1: atkbd0] 100063 I [irq12: psm0] 100064 I [swi0: uart uart++] 100068 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffffe0007809010 [init] 10 0 0 0 DL audit_w 0xffffffff83d05780 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D - 0xffffffff84c5dff0 [kernel] 100005 D - 0xfffffe00077cb000 [softirq_0] 100006 D - 0xfffffe00077cae00 [softirq_1] 100007 D - 0xfffffe00077cad00 [if_io_tqg_0] 100008 D - 0xfffffe00077cac00 [if_io_tqg_1] 100009 D - 0xfffffe00077cab00 [if_config_tqg_0] 100010 D - 0xfffffe00077caa00 [kqueue_ctx taskq] 100011 D - 0xfffffe00077ca900 [jail_remove taskq] 100012 D - 0xfffffe00077ca800 [bus taskq] 100015 D - 0xfffffe00077ca500 [thread taskq] 100017 D - 0xfffffe00077ca300 [aiod_kick taskq] 100018 D - 0xfffffe00077ca200 [deferred_unmount ta] 100019 D - 0xfffffe00077ca100 [inm_free taskq] 100020 D - 0xfffffe00077ca000 [in6m_free taskq] 100021 D - 0xfffffe00077c9e00 [linuxkpi_irq_wq] 100022 D - 0xfffffe00077c9d00 [linuxkpi_short_wq_0] 100023 D - 0xfffffe00077c9d00 [linuxkpi_short_wq_1] 100024 D - 0xfffffe00077c9d00 [linuxkpi_short_wq_2] 100025 D - 0xfffffe00077c9d00 [linuxkpi_short_wq_3] 100026 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_0] 100027 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_1] 100028 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_2] 100029 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_3] 100036 D - 0xfffffe00077c9b00 [firmware taskq] 100040 D - 0xfffffe00077c9100 [crypto_0] 100041 D - 0xfffffe00077c9100 [crypto_1] 100056 D - 0xfffffe00077c8900 [vtnet0 rxq 0] 100057 D - 0xfffffe00077c8800 [vtnet0 txq 0] 100058 D - 0xfffffe00077c8700 [vtnet0 rxq 1] 100059 D - 0xfffffe00077c8600 [vtnet0 txq 1] 100061 D vtbslp 0xfffffe005800d900 [virtio_balloon] 100065 D - 0xffffffff82840841 [deadlkres] 100069 D - 0xfffffe00077c8b00 [acpi_task_0] 100070 D - 0xfffffe00077c8b00 [acpi_task_1] 100071 D - 0xfffffe00077c8b00 [acpi_task_2] 100073 D - 0xfffffe00077cb100 [mca taskq] 100074 D - 0xfffffe00077c8a00 [CAM taskq] 100076 D - 0xfffffe00077c8d00 [ipsec_offload] db> show all locks Process 959 (syz-executor) thread 0xfffffe0058b20000 (100239) exclusive rw pmap pv list (pmap pv list) r = 0 (0xfffffe00074cf180) locked @ /syzkaller/managers/main/kernel/sys/amd64/amd64/pmap.c:8616 exclusive sleep mutex pmap (pmap) r = 0 (0xfffffe0058abeec0) locked @ /syzkaller/managers/main/kernel/sys/amd64/amd64/pmap.c:8526 Process 958 (ifconfig) thread 0xfffffe0058b19000 (100180) exclusive sleep mutex in6_multi_list_mtx (in6_multi_list_mtx) r = 0 (0xffffffff83cfffe0) locked @ /syzkaller/managers/main/kernel/sys/netinet6/in6_mcast.c:1386 shared rw udpinp (udpinp) r = 0 (0xfffffe0059ef08e0) locked @ /syzkaller/managers/main/kernel/sys/netinet/in_pcb.c:1486 exclusive sx in6_multi_sx (in6_multi_sx) r = 0 (0xffffffff83d00020) locked @ /syzkaller/managers/main/kernel/sys/netinet6/in6_ifattach.c:876 exclusive sx ifnet_detach_sx (ifnet_detach_sx) r = 1 (0xffffffff83ce4280) locked @ /syzkaller/managers/main/kernel/sys/net/if.c:2904 Process 952 (syz-executor) thread 0xfffffe0058ac0000 (100238) exclusive sx so_rcv_sx (so_rcv_sx) r = 0 (0xfffffe0059c46dc0) locked @ /syzkaller/managers/main/kernel/sys/kern/uipc_socket.c:4838 db> show malloc Type InUse MemUse Requests pf_hash 6 12804K 6 devbuf 8283 7252K 8309 linker 385 5207K 499 tcp_hpts 8 4865K 8 sysctloid 35182 2073K 35257 vtbuf 24 1968K 46 kobj 337 1348K 510 newblk 208 1076K 1296 vfscache 3 1025K 3 pcb 30 675K 226 inodedep 52 532K 219 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 472K 4 filedesc 29 229K 313 vnet_data 2 224K 2 acpitask 1 224K 1 subproc 115 218K 1027 KTRACE 101 201K 13997 acpica 1674 184K 56977 vmem 5 144K 7 tidhash 3 141K 3 pagedep 29 135K 115 tfo_ccache 1 128K 1 IP reass 1 128K 1 DEVFS1 107 107K 139 sem 4 106K 4 gtaskqueue 18 98K 18 LRO 30 93K 42 bus 1015 83K 5167 mtx_pool 3 74K 3 syncache 1 68K 1 NFSD srvcache 3 68K 3 module 529 67K 529 ddb_capture 1 64K 1 umtx 320 40K 320 kdtrace 187 38K 1210 shm 2 34K 6 hostcache 1 32K 1 DEVFS3 126 32K 141 msg 4 30K 4 kbdmux 6 28K 6 routetbl 380 24K 1156 temp 28 21K 3133 DEVFS_RULE 56 20K 56 ifaddr 69 19K 119 ufs_mount 4 17K 5 proc 3 17K 3 tty 16 16K 16 ithread 90 15K 90 bus-sc 34 15K 1690 eventhandler 170 14K 170 lltable 42 13K 87 kenv 95 12K 95 GEOM 54 12K 448 CAM queue 5