[ 52.3250173] panic: ASan: Unauthorized Access In 0xffffffff816c77b9: Addr 0xffffaa0012bf3998 [8 bytes, read, PoolUseAfterFree]
[ 52.3250173] cpu0: Begin traceback...
[ 52.3350170] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
[ 52.3550449] snprintf() at netbsd:snprintf
[ 52.3850840] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline]
[ 52.3850840] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197
[ 52.4051124] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline]
[ 52.4051124] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline]
[ 52.4051124] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline]
[ 52.4051124] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210
[ 52.4351574] mutex_oncpu() at netbsd:mutex_oncpu+0x38 mutex_oncpu sys/kern/kern_mutex.c:422 [inline]
[ 52.4351574] mutex_oncpu() at netbsd:mutex_oncpu+0x38 sys/kern/kern_mutex.c:406
[ 52.4651937] mutex_enter() at netbsd:mutex_enter+0x1a1 sys/kern/kern_mutex.c:550
[ 52.4852212] lwp_exit() at netbsd:lwp_exit+0x32e sys/kern/kern_lwp.c:1140
[ 52.5052507] lwp_userret() at netbsd:lwp_userret+0x1f5 sys/kern/kern_lwp.c:1639
[ 52.5352897] syscall() at netbsd:syscall+0x85e x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline]
[ 52.5352897] syscall() at netbsd:syscall+0x85e KPREEMPT_DISABLE sys/sys/lwp.h:536 [inline]
[ 52.5352897] syscall() at netbsd:syscall+0x85e mi_userret sys/sys/userret.h:97 [inline]
[ 52.5352897] syscall() at netbsd:syscall+0x85e userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline]
[ 52.5352897] syscall() at netbsd:syscall+0x85e sys/arch/x86/x86/syscall.c:166
[ 52.5453015] --- syscall (number 4) ---
[ 52.5553178] 79338dcade7a:
[ 52.5662167] cpu0: End traceback...
[ 52.5662167] fatal breakpoint trap in supervisor mode [ 52.5662167] trap type 1 code 0 rip 0xffffffff802209c5 cs 0x8 rflags 0x246 cr2 0x60d2a0 ilevel 0 rsp 0xffffaa018c328b90 [ 52.5854911] curlwp 0xffffaa0012c75200 pid 963.964 lowest kstack 0xffffaa018c3212c0 Stopped in pid 963.964 (syz-executor.0) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67 vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290 snprintf() at netbsd:snprintf kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197 __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210 mutex_oncpu() at netbsd:mutex_oncpu+0x38 mutex_oncpu sys/kern/kern_mutex.c:422 [inline] mutex_oncpu() at netbsd:mutex_oncpu+0x38 sys/kern/kern_mutex.c:406 mutex_enter() at netbsd:mutex_enter+0x1a1 sys/kern/kern_mutex.c:550 lwp_exit() at netbsd:lwp_exit+0x32e sys/kern/kern_lwp.c:1140 lwp_userret() at netbsd:lwp_userret+0x1f5 sys/kern/kern_lwp.c:1639 syscall() at netbsd:syscall+0x85e x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline] syscall() at netbsd:syscall+0x85e KPREEMPT_DISABLE sys/sys/lwp.h:536 [inline] syscall() at netbsd:syscall+0x85e mi_userret sys/sys/userret.h:97 [inline] syscall() at netbsd:syscall+0x85e userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline] syscall() at netbsd:syscall+0x85e sys/arch/x86/x86/syscall.c:166 --- syscall (number 4) --- 79338dcade7a: ds 5200 es a140 fs 8b70 gs ceb9 rdi ffffffff82bdf280 db_onpanic rsi 1ffffffff057be50 rbp 
ffffaa018c328b90 rbx ffffffff829bc3c0 cpu_info_primary rdx 3ffff rcx ffffaa017f840000 rax ffffaa0013718080 r8 4 r9 1ffffffff057be50 r10 ffffffff82bdf283 db_onpanic+0x3 r11 10 r12 ffffaa016e6aa000 r13 ffffffff824444d0 ostype+0x70890 r14 ffffaa018c328c20 r15 ffffaa016e699060 rip ffffffff802209c5 breakpoint+0x5 cs 8 rflags 246 rsp ffffaa018c328b90 ss 10 netbsd:breakpoint+0x5: leave PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 833 833 3 0 80 ffffaa0012bdf940 syz-executor.5 parked 1207 1207 3 1 80 ffffaa0012bdf500 syz-executor.0 parked 963 > 964 7 0 100000 ffffaa0012c75200 syz-executor.0 963 963 2 0 10000040 ffffaa0012c60a40 syz-executor.0 1215 1215 3 0 80 ffffaa0012d7b600 syz-executor.4 parked 804 804 3 1 80 ffffaa0014abdb40 syz-executor.4 parked 291 291 3 0 80 ffffaa0014abd700 syz-executor.4 parked 289 289 3 1 80 ffffaa0014abd2c0 syz-executor.5 parked 709 976 2 0 100000 ffffaa0012b98480 syz-executor.5 709 1214 5 1 100000 ffffaa0012ca7700 syz-executor.5 709 1506 2 0 100000 ffffaa0012a0a640 syz-executor.5 709 849 3 1 100000 ffffaa0014ab0b00 syz-executor.5 xclocv 709 709 3 1 10040000 ffffaa0012744300 syz-executor.5 xclocv 700 700 3 0 c0 ffffaa0014940140 syz-executor.4 pipe_rd 698 > 698 7 1 40 ffffaa00148f1980 syz-executor.5 1023 1023 3 0 c0 ffffaa00148f1100 syz-executor.2 pipe_rd 694 694 3 1 c0 ffffaa00148ce940 syz-executor.1 pipe_rd 693 693 2 0 40 ffffaa00148ce500 syz-executor.0 683 696 3 0 80 ffffaa00148ce0c0 syz-fuzzer parked 683 682 3 0 c0 ffffaa00147c4900 syz-fuzzer parked 683 689 3 1 c0 ffffaa001371eb00 syz-fuzzer parked 683 691 3 0 80 ffffaa00147c4080 syz-fuzzer parked 683 688 2 0 40 ffffaa00147c38c0 syz-fuzzer 683 685 3 1 c0 ffffaa00147c3480 syz-fuzzer parked 683 687 3 1 80 ffffaa00147c3040 syz-fuzzer parked 683 684 3 1 80 ffffaa001383ba40 syz-fuzzer parked 683 726 3 0 80 ffffaa001383b600 syz-fuzzer parked 683 729 3 1 c0 ffffaa00138325c0 syz-fuzzer parked 683 681 2 0 40 ffffaa001384f240 syz-fuzzer 683 683 3 0 80 ffffaa0013875300 syz-fuzzer parked 731 731 3 0 80 
ffffaa00138299c0 sshd select 719 719 3 0 80 ffffaa001383b1c0 getty nanoslp 1374 1374 3 1 80 ffffaa00137a6b80 getty nanoslp 1373 1373 3 1 80 ffffaa0013812940 getty nanoslp 722 722 3 0 c0 ffffaa0013832a00 getty ttyraw 718 718 3 0 80 ffffaa00137a6740 cron nanoslp 715 715 3 1 80 ffffaa00137a6300 inetd kqueue 584 584 3 0 80 ffffaa0012d149c0 sshd select 596 596 3 0 80 ffffaa0012c1c180 powerd kqueue 458 458 3 0 80 ffffaa001371e6c0 syslogd kqueue 302 302 3 1 80 ffffaa0012cc7340 dhcpcd kqueue 333 333 3 0 80 ffffaa0012bdf0c0 dhcpcd kqueue 1 1 3 1 80 ffffaa0012933100 init wait 0 448 3 0 200 ffffaa001297c9c0 physiod physiod 0 123 3 0 200 ffffaa001298aa00 pooldrain pooldrain 0 122 3 1 200 ffffaa001298a5c0 ioflush syncer 0 121 3 1 200 ffffaa001298a180 pgdaemon pgdaemon 0 118 3 1 200 ffffaa001297c140 usb0 usbevt 0 117 3 1 200 ffffaa0012933980 usbtask-dr usbtsk 0 116 3 1 200 ffffaa0012933540 usbtask-hc usbtsk 0 115 2 0 240 ffffaa000fe5cac0 npfgc-0 0 114 3 0 200 ffffaa0012923940 rt_free rt_free 0 113 3 0 200 ffffaa0012923500 unpgc unpgc 0 112 3 0 200 ffffaa00129230c0 key_timehandler key_timehandler 0 111 3 1 200 ffffaa0012919900 icmp6_wqinput/1 icmp6_wqinput 0 110 3 0 200 ffffaa00129194c0 icmp6_wqinput/0 icmp6_wqinput 0 109 3 0 200 ffffaa0012919080 nd6_timer nd6_timer 0 108 3 1 200 ffffaa00127698c0 carp6_wqinput/1 carp6_wqinput 0 107 3 0 200 ffffaa0012769480 carp6_wqinput/0 carp6_wqinput 0 106 3 1 200 ffffaa0012769040 carp_wqinput/1 carp_wqinput 0 105 3 0 200 ffffaa0012759bc0 carp_wqinput/0 carp_wqinput 0 104 3 1 200 ffffaa0012759780 icmp_wqinput/1 icmp_wqinput 0 103 3 0 200 ffffaa0012759340 icmp_wqinput/0 icmp_wqinput 0 102 3 0 200 ffffaa0012744b80 rt_timer rt_timer 0 101 3 0 200 ffffaa0012744740 vmem_rehash vmem_rehash 0 100 3 0 200 ffffaa00127412c0 entbutler entropy 0 27 3 0 200 ffffaa000fe5c680 scsibus0 sccomp 0 26 3 0 200 ffffaa000fe5c240 pms0 pmsreset 0 25 3 1 200 ffffaa000fd9da80 xcall/1 xcall 0 24 1 1 200 ffffaa000fd9d640 softser/1 0 23 1 1 200 ffffaa000fd9d200 softclk/1 0 
22 1 1 200 ffffaa000fd9ba40 softbio/1 0 21 1 1 200 ffffaa000fd9b600 softnet/1 0 20 1 1 201 ffffaa000fd9b1c0 idle/1 0 19 3 0 200 ffffaa000e80aa00 lnxpwrwq lnxpwrwq 0 18 3 0 200 ffffaa000e80a5c0 lnxlngwq lnxlngwq 0 17 3 0 200 ffffaa000e80a180 lnxsyswq lnxsyswq 0 16 3 0 200 ffffaa000e8049c0 lnxrcugc lnxrcugc 0 15 3 0 200 ffffaa000e804580 sysmon smtaskq 0 14 3 0 200 ffffaa000e804140 pmfsuspend pmfsuspend 0 13 3 0 200 ffffaa000e7ff980 pmfevent pmfevent 0 12 3 0 200 ffffaa000e7ff540 sopendfree sopendfr 0 11 3 0 200 ffffaa000e7ff100 iflnkst iflnkst 0 10 3 0 200 ffffaa000e7f3940 nfssilly nfssilly 0 9 3 0 200 ffffaa000e7f3500 vdrain vdrain 0 8 3 1 200 ffffaa000e7f30c0 modunload mod_unld 0 7 2 0 200 ffffaa000e7e5900 xcall/0 0 6 1 0 200 ffffaa000e7e54c0 softser/0 0 5 1 0 200 ffffaa000e7e5080 softclk/0 0 4 1 0 200 ffffaa000e7e38c0 softbio/0 0 3 1 0 200 ffffaa000e7e3480 softnet/0 0 2 1 0 201 ffffaa000e7e3040 idle/0 0 0 3 0 200 ffffffff82caa0c0 swapper uvm [Locks tracked through LWPs] ****** LWP 963.964 (syz-executor.0) @ 0xffffaa0012c75200, l_stat=7 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at fork1) lock address : 0xffffaa0013fbb200 type : sleep/adaptive initialized : 0xffffffff816afc3a shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 1 relevant cpu : 0 last held: 0 relevant lwp : 0xffffaa0012c75200 last held: 000000000000000000 last locked : 0xffffffff816c040f unlocked*: 0xffffffff81688833 owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. 
****** LWP 694.694 (syz-executor.1) @ 0xffffaa00148ce940, l_stat=3 *** Locks held: * Lock 0 (initialized at vcache_alloc) lock address : 0xffffaa0014add780 type : sleep/adaptive initialized : 0xffffffff81816433 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffaa00148ce940 last held: 0xffffaa00148ce940 last locked* : 0xffffffff81844cce unlocked : 0xffffffff81844d30
[ 52.5854911] Skipping crash dump on recursive panic
[ 52.5854911] panic: ASan: Unauthorized Access In 0xffffffff816e6be0: Addr 0xffffaa0014add780 [8 bytes, read, PoolUseAfterFree]
[ 52.5854911] cpu0: Begin traceback...
[ 52.5854911] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
[ 52.5854911] snprintf() at netbsd:snprintf
[ 52.5854911] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline]
[ 52.5854911] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197
[ 52.5854911] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline]
[ 52.5854911] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline]
[ 52.5854911] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline]
[ 52.5854911] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210
[ 52.5854911] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:186
[ 52.5854911] lockdebug_dump() at netbsd:lockdebug_dump+0x207 sys/kern/subr_lockdebug.c:750
[ 52.5854911] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb7 sys/kern/subr_lockdebug.c:830
[ 52.5854911] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26b lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:868 [inline]
[ 52.5854911] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x26b sys/kern/subr_lockdebug.c:932
[ 52.5854911] db_command() at netbsd:db_command+0x2ad sys/ddb/db_command.c:942
[ 52.5854911] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:439 [inline]
[ 52.5854911] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:589
[ 52.5854911] db_trap() at netbsd:db_trap+0x206 sys/ddb/db_trap.c:94
[ 52.5854911] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:248
[ 52.5854911] trap() at netbsd:trap+0x57e sys/arch/amd64/amd64/trap.c:315
[ 52.5854911] --- trap (number 1) ---
[ 52.5854911] breakpoint() at netbsd:breakpoint+0x5
[ 52.5854911] db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67
[ 52.5854911] vpanic() at netbsd:vpanic+0x22e sys/kern/subr_prf.c:290
[ 52.5854911] snprintf() at netbsd:snprintf
[ 52.5854911] kasan_report() at netbsd:kasan_report+0x9c kasan_code_name sys/kern/subr_asan.c:187 [inline]
[ 52.5854911] kasan_report() at netbsd:kasan_report+0x9c sys/kern/subr_asan.c:197
[ 52.5854911] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline]
[ 52.5854911] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline]
[ 52.5854911] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline]
[ 52.5854911] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1210
[ 52.5854911] mutex_oncpu() at netbsd:mutex_oncpu+0x38 mutex_oncpu sys/kern/kern_mutex.c:422 [inline]
[ 52.5854911] mutex_oncpu() at netbsd:mutex_oncpu+0x38 sys/kern/kern_mutex.c:406
[ 52.5854911] mutex_enter() at netbsd:mutex_enter+0x1a1 sys/kern/kern_mutex.c:550
[ 52.5854911] lwp_exit() at netbsd:lwp_exit+0x32e sys/kern/kern_lwp.c:1140
[ 52.5854911] lwp_userret() at netbsd:lwp_userret+0x1f5 sys/kern/kern_lwp.c:1639
[ 52.5854911] syscall() at netbsd:syscall+0x85e x86_curlwp sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:68 [inline]
[ 52.5854911] syscall() at netbsd:syscall+0x85e KPREEMPT_DISABLE sys/sys/lwp.h:536 [inline]
[ 52.5854911] syscall() at netbsd:syscall+0x85e mi_userret sys/sys/userret.h:97 [inline]
[ 52.5854911] syscall() at netbsd:syscall+0x85e userret sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/userret.h:81 [inline]
[ 52.5854911] syscall() at netbsd:syscall+0x85e sys/arch/x86/x86/syscall.c:166
[ 52.5854911] --- syscall (number 4) ---
[ 52.5854911] 79338dcade7a:
[ 52.5854911] cpu0: End traceback...
[ 52.5854911] fatal breakpoint trap in supervisor mode
[ 52.5854911] trap type 1 code 0 rip 0xffffffff802209c5 cs 0x8 rflags 0x246 cr2 0x60d2a0 ilevel 0x8 rsp 0xffffaa018c328130
[ 52.5854911] curlwp 0xffffaa0012c75200 pid 963.964 lowest kstack 0xffffaa018c3212c0
Stopped in pid 963.964 (syz-executor.0) at netbsd:breakpoint+0x5: leave