[ 69.5942572] panic: ASan: Unauthorized Access In 0xffffffff81178155: Addr 0xffffb28011ec0158 [8 bytes, read, PoolUseAfterFree] [ 69.6042532] uvm_fault(0xffffb280131425f0, 0xffff900000000000, 1) -> e [ 69.6042532] fatal page fault in supervisor mode [ 69.6042532] trap type 6 code 0 rip 0xffffffff811db564 cs 0x8 rflags 0x10283 cr2 0xffff900000000007 ilevel 0x8 rsp 0xffffb2816fc53c20 [ 69.6042532] curlwp 0xffffb280138cdae0 pid 606.1 lowest kstack 0xffffb2816fc4c2c0 kernel: page fault trap, code=0 [ 69.6042532] fatal page fault [ Stopped in pid 606.1 (syz-executor.5) at netbsd:__asan_load8+0x62: movzbl 0(%rax),%r8d ? __asan_load8() at netbsd:__asan_load8+0x62 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:356 [inline] __asan_load8() at netbsd:__asan_load8+0x62 kasan_shadow_check sys/kern/subr_asan.c:410 [inline] __asan_load8() at netbsd:__asan_load8+0x62 sys/kern/subr_asan.c:1180 setrunnable() at netbsd:setrunnable+0x1d5 spc_lock sys/sys/lwp.h:449 [inline] setrunnable() at netbsd:setrunnable+0x1d5 sys/kern/kern_synch.c:848 fork1() at netbsd:fork1+0x14cf sys/kern/kern_fork.c:577 sys_fork() at netbsd:sys_fork+0x3a sys/kern/kern_fork.c:121 syscall() at netbsd:syscall+0x559 sy_call sys/sys/syscallvar.h:65 [inline] syscall() at netbsd:syscall+0x559 sy_invoke sys/sys/syscallvar.h:94 [inline] syscall() at netbsd:syscall+0x559 sys/arch/x86/x86/syscall.c:138 --- syscall (number 2) --- 7357d6591bea: ds 3c30 es c87a fs 3060 gs d1b4 rdi 38 rsi 7 rbp ffffb2816fc53c30 rbx ffffb28012a1d0e0 rdx 800000000000 rcx ffffffff811af85f setrunnable+0x1d5 rax ffff900000000007 r8 0 r9 3f r10 7 r11 0 r12 0 r13 ffffb28012a1d0f8 r14 ffffb28012a1d134 r15 ffffb28012a1d130 rip ffffffff811db564 __asan_load8+0x62 cs 8 rflags 10283 rsp ffffb2816fc53c20 ss 10 netbsd:__asan_load8+0x62: movzbl 0(%rax),%r8d PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 657 1 1 -1 0 ffffb28012a1d0e0 syz-executor.5 136 1 2 0 0 ffffb280129d4080 syz-executor.2 683 3 3 0 80 ffffb280129ac040 syz-executor.0 parked 774 3 3 0 80 
ffffb28011ed09e0 syz-executor.3 parked 774 1 2 0 10040000 ffffb28013b07340 syz-executor.3 161 3 3 0 40080 ffffb28011fd9b40 syz-executor.0 parked 329 3 3 1 40080 ffffb28011f3c680 syz-executor.0 parked 816 3 3 1 80 ffffb28011eda5c0 syz-executor.0 parked 590 3 3 0 80 ffffb28013b678c0 syz-executor.5 parked 77 3 3 1 80 ffffb28013931b00 syz-executor.5 parked 743 3 3 0 80 ffffb28012989320 syz-executor.5 parked 806 3 3 1 80 ffffb28011cd0b20 syz-executor.0 parked 291 3 3 0 80 ffffb28011ddbba0 syz-executor.5 parked 96 3 3 1 80 ffffb28013a646e0 syz-executor.0 parked 804 3 3 1 80 ffffb28012a1d960 syz-executor.0 parked 130 4 3 1 80 ffffb28013af2320 syz-executor.4 parked 661 3 3 1 80 ffffb28011e9e980 syz-executor.4 parked 601 1 3 0 4 ffffb28013931280 syz-executor.4 biowait 606 > 1 7 0 20000000 ffffb280138cdae0 syz-executor.5 45 1 3 -1 0 ffffb280138cd6a0 syz-executor.3 554 1 3 0 80 ffffb280138cd260 syz-executor.2 nanoslp 607 1 2 0 0 ffffb2801379aac0 syz-executor.1 40 > 1 7 1 20000000 ffffb2801379a680 syz-executor.0 381 11 3 0 80 ffffb2801379a240 syz-fuzzer kqueue 381 10 3 0 80 ffffb28013778aa0 syz-fuzzer parked 381 9 3 1 80 ffffb28011ae71a0 syz-fuzzer parked 381 8 3 1 80 ffffb28013778660 syz-fuzzer parked 381 7 3 0 80 ffffb28013152a80 syz-fuzzer parked 381 6 3 1 80 ffffb28013152640 syz-fuzzer parked 381 5 3 1 80 ffffb2801292db60 syz-fuzzer parked 381 4 3 1 80 ffffb2801292d2e0 syz-fuzzer parked 381 3 3 0 80 ffffb28012a3d9c0 syz-fuzzer parked 381 2 3 0 80 ffffb28012a3d580 syz-fuzzer parked 381 1 3 0 80 ffffb28012962b80 syz-fuzzer parked 532 1 3 0 80 ffffb28012a61a20 sshd select 523 1 3 0 80 ffffb28012a2f560 getty nanoslp 558 1 3 0 80 ffffb28012a2f120 getty nanoslp 357 1 3 0 80 ffffb28012a27980 getty nanoslp 561 1 3 1 80 ffffb28012a27540 getty ttyraw 538 1 3 1 80 ffffb28012962740 cron nanoslp 434 1 3 0 80 ffffb280129ac8c0 inetd kqueue 376 1 3 0 80 ffffb28011fb6b20 sshd select 439 1 3 1 80 ffffb28011efd600 powerd kqueue 195 1 3 1 80 ffffb28012989ba0 syslogd kqueue 278 1 3 0 80 
ffffb28011f0e1e0 dhcpcd kqueue 220 1 3 0 80 ffffb28011e25080 dhcpcd kqueue 1 1 2 1 0 ffffb28011bfdaa0 init 0 58 3 0 204 ffffb28011c10680 physiod physiod 0 57 3 0 204 ffffb28011c52ae0 aiodoned aiodoned 0 56 3 1 204 ffffb28011c526a0 pooldrain pooldrain 0 55 3 0 200 ffffb28011c52260 ioflush syncer 0 54 3 0 200 ffffb28011c10ac0 pgdaemon pgdaemon 0 51 3 1 200 ffffb28011c10240 npfgc-0 npfgccv 0 50 3 1 204 ffffb28011bfd660 rt_free rt_free 0 49 3 1 204 ffffb28011bfd220 unpgc unpgc 0 48 3 0 204 ffffb28011bf5a80 key_timehandler key_timehandler 0 47 3 1 204 ffffb28011bf5640 icmp6_wqinput/1 icmp6_wqinput 0 46 3 0 204 ffffb28011bf5200 icmp6_wqinput/0 icmp6_wqinput 0 45 3 1 204 ffffb28011b0ca60 nd6_timer nd6_timer 0 44 3 1 204 ffffb28011b0c620 carp6_wqinput/1 carp6_wqinput 0 43 3 0 204 ffffb28011b0c1e0 carp6_wqinput/0 carp6_wqinput 0 42 3 1 204 ffffb28011af7a40 carp_wqinput/1 carp_wqinput 0 41 3 0 204 ffffb28011af7600 carp_wqinput/0 carp_wqinput 0 40 3 1 204 ffffb28011af71c0 icmp_wqinput/1 icmp_wqinput 0 39 3 0 204 ffffb28011ae7a20 icmp_wqinput/0 icmp_wqinput 0 38 3 0 204 ffffb28011ae4a00 rt_timer rt_timer 0 37 3 0 204 ffffb28011ae75e0 vmem_rehash vmem_rehash 0 27 3 0 204 ffffb2800f3c4580 scsibus0 sccomp 0 26 3 0 200 ffffb2800f3c4140 pms0 pmsreset 0 25 3 1 204 ffffb2800f3359a0 xcall/1 xcall 0 24 1 1 200 ffffb2800f335560 softser/1 0 > 23 7 1 20000200 ffffb2800f335120 softclk/1 0 22 1 1 200 ffffb2800f331980 softbio/1 0 21 1 1 200 ffffb2800f331540 softnet/1 0 20 1 1 201 ffffb2800f331100 idle/1 0 19 3 0 204 ffffb2800de52960 lnxpwrwq lnxpwrwq 0 18 3 0 204 ffffb2800de52520 lnxlngwq lnxlngwq 0 17 3 0 204 ffffb2800de520e0 lnxsyswq lnxsyswq 0 16 3 0 204 ffffb2800de4d940 lnxrcugc lnxrcugc 0 15 3 0 204 ffffb2800de4d500 sysmon smtaskq 0 14 3 0 204 ffffb2800de4d0c0 pmfsuspend pmfsuspend 0 13 3 0 204 ffffb2800de3e920 pmfevent pmfevent 0 12 3 0 204 ffffb2800de3e4e0 sopendfree sopendfr 0 11 3 0 204 ffffb2800de3e0a0 nfssilly nfssilly 0 10 3 1 200 ffffb2800de32900 cachegc cachegc 0 9 3 1 204 
ffffb2800de324c0 vdrain vdrain 0 8 3 1 200 ffffb2800de32080 modunload mod_unld 0 7 3 0 204 ffffb2800de228e0 xcall/0 xcall 0 6 1 0 200 ffffb2800de224a0 softser/0 0 5 1 0 200 ffffb2800de22060 softclk/0 0 4 1 0 200 ffffb2800de1f8c0 softbio/0 0 3 1 0 200 ffffb2800de1f480 softnet/0 0 2 1 0 201 ffffb2800de1f040 idle/0 0 1 3 1 200 ffffffff82b66bc0 swapper uvm [Locks tracked through LWPs] Locks held by an LWP (syz-executor.3): Lock 0 (initialized at uvm_obj_init) lock address : 0xffffb2801394e400 type : sleep/adaptive initialized : 0xffffffff8110a5f7 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 1 current lwp : 0xffffb280138cdae0 last held: 0xffffb28013b07340 last locked* : 0xffffffff810ee398 unlocked : 0xffffffff810eb5d6 owner field : 0xffffb28013b07340 wait/spin: 0/0 Turnstile chain at 0xffffffff82d8c700 with mutex 0xffffffff82d8aa80. => No active turnstile for this lock. Locks held by an LWP (syz-executor.4): Lock 0 (initialized at vcache_alloc) lock address : 0xffffb28013782700 type : sleep/adaptive initialized : 0xffffffff812c7c42 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffb280138cdae0 last held: 0xffffb28013931280 last locked* : 0xffffffff812f4760 unlocked : 0xffffffff812f461d owner/count : 0xffffb28013931280 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d8c760 with mutex 0xffffffff82d8ad80. => No active turnstile for this lock. Lock 1 (initialized at vcache_alloc) lock address : 0xffffb28011fb0700 type : sleep/adaptive initialized : 0xffffffff812c7c42 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffb280138cdae0 last held: 0xffffb28013931280 last locked* : 0xffffffff812f4760 unlocked : 0xffffffff812f461d