[ 89.1286006] panic: ASan: Unauthorized Access In 0xffffffff81178415: Addr 0xffffb20011f10a78 [8 bytes, read, PoolUseAfterFree]
[ 89.1428886] fatal page fault in supervisor mode
[ 89.1428886] trap type 6 code 0 rip 0xffffffff811db824 cs 0x8 rflags 0x10283 cr2 0xffff900000000007 ilevel 0x8 rsp 0xffffb2016db57da0
[ 89.1428886] fatal page fault in supervisor mode
[ 89.1428886] trap type 6 code 0 rip 0xffffffff811db824 cs 0x8 rflags 0x10283 cr2 0xffff900000000007 ilevel 0x8 rsp 0xffffb2016da9fda0
[ 89.1428886] curlwp 0xffffb2000de22060 pid 0.5 lowest kstack 0xffffb2016da982c0
kernel: page fault trap, code=0
[ 89.1428886] curlwp 0xffffb200 (console output of the second faulting CPU, interleaved character-by-character with the line above and truncated here)
[Stopped in pid 0.5 (system) at netbsd:__asan_load8+0x62: movzbl 0(%rax),%r8d
? __asan_load8() at netbsd:__asan_load8+0x62
kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:356 [inline]
__asan_load8() at netbsd:__asan_load8+0x62
kasan_shadow_check sys/kern/subr_asan.c:410 [inline]
__asan_load8() at netbsd:__asan_load8+0x62 sys/kern/subr_asan.c:1180
sleepq_remove() at netbsd:sleepq_remove+0x262
spc_lock sys/sys/lwp.h:449 [inline]
sleepq_remove() at netbsd:sleepq_remove+0x262 sys/kern/kern_sleepq.c:159
sleepq_unsleep() at netbsd:sleepq_unsleep+0x74 sys/kern/kern_sleepq.c:357
sleepq_timeout() at netbsd:sleepq_timeout+0x6b sys/kern/kern_sleepq.c:386
callout_softclock() at netbsd:callout_softclock+0x272 sys/kern/kern_timeout.c:761
softint_dispatch() at netbsd:softint_dispatch+0x264
x86_curcpu sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:56 [inline]
softint_dispatch() at netbsd:softint_dispatch+0x264
softint_execute sys/kern/kern_softint.c:592 [inline]
softint_dispatch() at netbsd:softint_dispatch+0x264 sys/kern/kern_softint.c:878
DDB lost frame for netbsd:Xsoftintr+0x5a, trying 0xffffb2016da9fff0
Xsoftintr() at netbsd:Xsoftintr+0x5a
--- interrupt ---
0: ds fdb0 es cb3a fs 3060 gs 9714 rdi 38 rsi 7 rbp ffffb2016da9fdb0 rbx ffffb20013179640 rdx 800000000000 rcx ffffffff811a83c7 sleepq_remove+0x262 rax ffff900000000007 r8 0 r9
3f r10 7 r11 0 r12 0 r13 38 r14 2217 r15 ffffb20013179694 rip ffffffff811db824 __asan_load8+0x62 cs 8 rflags 10283 rsp ffffb2016da9fda0 ss 10 netbsd:__asan_load8+0x62: movzbl 0(%rax),%r8d PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 1058 1 2 0 0 ffffb20011debbc0 syz-executor3100 1418 > 4 7 0 20100000 ffffb20011fb82a0 syz-executor3100 1418 3 5 1 100000 ffffb2001299c780 syz-executor3100 1418 1 2 0 10000000 ffffb20011f3e680 syz-executor3100 1000 5 3 1 80 ffffb20011f10620 syz-executor3100 parked 1000 4 3 1 80 ffffb20011f4c260 syz-executor3100 parked 1000 3 3 0 80 ffffb20011eef1a0 syz-executor3100 parked 1000 1 2 0 10000000 ffffb20011fdd2c0 syz-executor3100 1458 3 2 1 0 ffffb20012a100c0 syz-executor3100 1458 > 1 7 1 20000000 ffffb20012a61a20 syz-executor3100 1451 5 3 1 80 ffffb20011edc180 syz-executor3100 parked 1451 4 3 1 80 ffffb200129bf8e0 syz-executor3100 parked 1451 3 3 0 80 ffffb200129d2080 syz-executor3100 parked 1451 1 2 0 10000000 ffffb20012a080a0 syz-executor3100 1484 3 3 0 80 ffffb20011f3e240 syz-executor3100 parked 1484 1 2 0 10000000 ffffb20011e64940 syz-executor3100 496 1 3 0 80 ffffb20013179a80 syz-executor3100 nanoslp 463 1 3 -1 0 ffffb20013179640 syz-executor3100 486 1 3 1 80 ffffb20012967b80 syz-executor3100 nanoslp 606 1 2 0 0 ffffb20011f63b00 syz-executor3100 603 1 3 -1 0 ffffb20012a449e0 syz-executor3100 45 1 3 1 80 ffffb2001299c340 syz-executor3100 nanoslp 504 1 3 0 80 ffffb20011ae2160 syz-executor3100 nanoslp 41 1 3 0 80 ffffb20011ae45c0 sshd select 381 1 3 1 80 ffffb20012a2e9a0 getty nanoslp 511 1 3 1 80 ffffb20012a2e120 getty nanoslp 534 1 3 1 80 ffffb20012a26980 getty nanoslp 561 1 3 1 80 ffffb20012a26540 getty ttyraw 538 1 3 0 80 ffffb20011f1fa80 cron nanoslp 501 1 3 0 80 ffffb200129a98c0 inetd kqueue 487 1 3 0 80 ffffb20011fb8b20 sshd select 375 1 3 1 80 ffffb20011eff1c0 powerd kqueue 195 1 3 0 80 ffffb20012990760 syslogd kqueue 244 1 3 0 80 ffffb20011eff600 dhcpcd kqueue 220 1 3 0 80 ffffb20011e27080 dhcpcd kqueue 1 1 3 0 80 ffffb20011bfdaa0 
init wait 0 58 3 0 204 ffffb20011c10680 physiod physiod 0 57 3 0 204 ffffb20011c52ae0 aiodoned aiodoned 0 56 3 0 204 ffffb20011c526a0 pooldrain pooldrain 0 55 3 0 200 ffffb20011c52260 ioflush syncer 0 54 3 1 200 ffffb20011c10ac0 pgdaemon pgdaemon 0 51 3 1 200 ffffb20011c10240 npfgc-0 npfgccv 0 50 3 0 204 ffffb20011bfd660 rt_free rt_free 0 49 3 0 204 ffffb20011bfd220 unpgc unpgc 0 48 3 0 204 ffffb20011bf5a80 key_timehandler key_timehandler 0 47 3 1 204 ffffb20011bf5640 icmp6_wqinput/1 icmp6_wqinput 0 46 3 0 204 ffffb20011bf5200 icmp6_wqinput/0 icmp6_wqinput 0 45 3 0 204 ffffb20011b0ca60 nd6_timer nd6_timer 0 44 3 1 204 ffffb20011b0c620 carp6_wqinput/1 carp6_wqinput 0 43 3 0 204 ffffb20011b0c1e0 carp6_wqinput/0 carp6_wqinput 0 42 3 1 204 ffffb20011af7a40 carp_wqinput/1 carp_wqinput 0 41 3 0 204 ffffb20011af7600 carp_wqinput/0 carp_wqinput 0 40 3 1 204 ffffb20011af71c0 icmp_wqinput/1 icmp_wqinput 0 39 3 0 204 ffffb20011ae7a20 icmp_wqinput/0 icmp_wqinput 0 38 3 0 204 ffffb20011ae75e0 rt_timer rt_timer 0 37 3 1 204 ffffb20011ae4a00 vmem_rehash vmem_rehash 0 27 3 0 204 ffffb2000f3c4580 scsibus0 sccomp 0 26 3 0 200 ffffb2000f3c4140 pms0 pmsreset 0 25 3 1 204 ffffb2000f3359a0 xcall/1 xcall 0 24 1 1 200 ffffb2000f335560 softser/1 0 > 23 7 1 20000200 ffffb2000f335120 softclk/1 0 22 1 1 200 ffffb2000f331980 softbio/1 0 21 1 1 200 ffffb2000f331540 softnet/1 0 20 1 1 201 ffffb2000f331100 idle/1 0 19 3 0 204 ffffb2000de52960 lnxpwrwq lnxpwrwq 0 18 3 0 204 ffffb2000de52520 lnxlngwq lnxlngwq 0 17 3 0 204 ffffb2000de520e0 lnxsyswq lnxsyswq 0 16 3 0 204 ffffb2000de4d940 lnxrcugc lnxrcugc 0 15 3 0 204 ffffb2000de4d500 sysmon smtaskq 0 14 3 0 204 ffffb2000de4d0c0 pmfsuspend pmfsuspend 0 13 3 0 204 ffffb2000de3e920 pmfevent pmfevent 0 12 3 0 204 ffffb2000de3e4e0 sopendfree sopendfr 0 11 3 0 204 ffffb2000de3e0a0 nfssilly nfssilly 0 10 3 0 200 ffffb2000de32900 cachegc cachegc 0 9 3 0 204 ffffb2000de324c0 vdrain vdrain 0 8 3 1 200 ffffb2000de32080 modunload mod_unld 0 7 3 0 204 
ffffb2000de228e0 xcall/0 xcall 0 6 1 0 200 ffffb2000de224a0 softser/0 0 > 5 7 0 20000200 ffffb2000de22060 softclk/0 0 4 1 0 200 ffffb2000de1f8c0 softbio/0 0 3 1 0 200 ffffb2000de1f480 softnet/0 0 2 1 0 201 ffffb2000de1f040 idle/0 0 1 3 0 200 ffffffff82b66bc0 swapper uvm [Locks tracked through LWPs] Locks held by an LWP (syz-executor3100): Lock 0 (initialized at uvm_obj_init) lock address : 0xffffb2000d92aec0 type : sleep/adaptive initialized : 0xffffffff8110a8b7 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffb2000de22060 last held: 0xffffb20011debbc0 last locked* : 0xffffffff810ee658 unlocked : 0xffffffff810eb896 owner field : 0xffffb20011debbc0 wait/spin: 0/0 Turnstile chain at 0xffffffff82d8c858 with mutex 0xffffffff82d8b540. => No active turnstile for this lock. Lock 1 (initialized at pmap_ctor) lock address : 0xffffb20011ea0380 type : sleep/adaptive initialized : 0xffffffff80276a34 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffb2000de22060 last held: 0xffffb20011debbc0 last locked* : 0xffffffff80278fdc unlocked : 0xffffffff802799e8 owner field : 0xffffb20011debbc0 wait/spin: 0/0 Turnstile chain at 0xffffffff82d8c6f0 with mutex 0xffffffff82d8aa00. => No active turnstile for this lock. Locks held by an LWP (syz-executor3100): Lock 0 (initialized at uvm_map_setup) lock address : 0xffffb20011e01b98 type : sleep/adaptive initialized : 0xffffffff810fe6bd shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 1 current lwp : 0xffffb2000de22060 last held: 0xffffb20012a61a20 last locked* : 0xffffffff810f8554 unlocked : 0xffffffff810ef491 owner/count : 000000000000000000 flags : 000000000000000000 Turnstile chain at 0xffffffff82d8c9f0 with mutex 0xffffffff82d8c200. => No active turnstile for this lock. 
[Locks tracked through CPUs] Locks held on CPU 1: Lock 0 (initialized at pool_init) lock address : 0xffffb2000d8f71f0 type : spin initialized : 0xffffffff8120b329 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 1 current lwp : 0xffffb2000de22060 last held: 0xffffb20012a61a20 last locked* : 0xffffffff8120db7c unlocked : 0xffffffff8120c536 owner field : 0x0000000000000600 wait/spin: 0/1 PAGE FLAG PQ UOBJECT UANON 0xffffb20000014180 0048 00000000 0x0 0x0 0xffffb200000141f8 0048 00000000 0x0 0x0 0xffffb20000014270 0048 00000000 0x0 0x0 0xffffb200000142e8 0048 00000000 0x0 0x0 0xffffb20000014360 0048 00000000 0x0 0x0 0xffffb200000143d8 0048 00000000 0x0 0x0 0xffffb20000014450 0048 00000000 0x0 0x0 0xffffb200000144c8 0040 00000000 0x0 0x0 0xffffb20000014540 0040 00000000 0x0 0x0 0xffffb200000145b8 0040 00000000 0x0 0x0 0xffffb20000014630 0048 00000000 0x0 0x0 0xffffb200000146a8 0048 00000000 0x0 0x0 0xffffb20000014720 0048 00000000 0x0 0x0 0xffffb20000014798 0048 00000000 0x0 0x0 0xffffb20000014810 0048 00000000 0x0 0x0 0xffffb20000014888 0048 00000000 0x0 0x0 0xffffb20000014900 0048 00000000 0x0 0x0 0xffffb20000014978 0048 00000000 0x0 0x0 0xffffb200000149f0 0040 00000000 0x0 0x0 0xffffb20000014a68 0040 00000000 0x0 0x0 0xffffb20000014ae0 0040 00000000 0x0 0x0 0xffffb20000014b58 0040 00000000 0x0 0x0 0xffffb20000014bd0 0040 00000000 0x0 0x0 0xffffb20000014c48 0040 00000000 0x0 0x0 0xffffb20000014cc0 0048 00000000 0x0 0x0 0xffffb20000014d38 0048 00000000 0x0 0x0 0xffffb20000014db0 0048 00000000 0x0 0x0 0xffffb20000014e28 0048 00000000 0x0 0x0 0xffffb20000014ea0 0048 00000000 0x0 0x0 0xffffb20000014f18 0048 00000000 0x0 0x0 0xffffb20000014f90 0048 00000000 0x0 0x0 0xffffb20000015008 0048 00000000 0x0 0x0 0xffffb20000015080 0048 00000000 0x0 0x0 0xffffb200000150f8 0048 00000000 0x0 0x0 0xffffb20000015170 0048 00000000 0x0 0x0 0xffffb200000151e8 0048 00000000 0x0 0x0 0xffffb20000015260 0048 00000000 0x0 0x0 0xffffb200000152d8 0048 
00000000 0x0 0x0 0xffffb20000015350 0048 00000000 0x0 0x0 0xffffb200000153c8 0048 00000000 0x0 0x0 0xffffb20000015440 0048 00000000 0x0 0x0 0xffffb200000154b8 0048 00000000 0x0 0x0 0xffffb20000015530 0048 00000000 0x0 0x0 0xffffb200000155a8 0048 00000000 0x0 0x0 0