[ 450.6061382] panic: ASan: Unauthorized Access In 0xffffffff81857eb6: Addr 0xffffa68012c4fa70 [8 bytes, read, PoolUseAfterFree]
[ 450.6179987] cpu0: Begin traceback...
[ 450.6361745] vpanic() at netbsd:vpanic+0x282 sys/kern/subr_prf.c:288
[ 450.6962655] panic() at netbsd:panic+0x9e sys/kern/subr_prf.c:1084
[ 450.7463405] kasan_report() at netbsd:kasan_report+0x8f kasan_code_name sys/kern/subr_asan.c:169 [inline]
[ 450.7463405] kasan_report() at netbsd:kasan_report+0x8f sys/kern/subr_asan.c:201
[ 450.7864008] __asan_load8() at netbsd:__asan_load8+0xac kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:371 [inline]
[ 450.7864008] __asan_load8() at netbsd:__asan_load8+0xac kasan_shadow_check sys/kern/subr_asan.c:421 [inline]
[ 450.7864008] __asan_load8() at netbsd:__asan_load8+0xac sys/kern/subr_asan.c:1208
[ 450.8364778] wsmux_do_ioctl() at netbsd:wsmux_do_ioctl+0x76e sys/dev/wscons/wsmux.c:520
[ 450.8765380] cdev_ioctl() at netbsd:cdev_ioctl+0x197 sys/kern/subr_devsw.c:1525
[ 450.9166004] spec_ioctl() at netbsd:spec_ioctl+0x148 sys/miscfs/specfs/spec_vnops.c:1331
[ 450.9666739] VOP_IOCTL() at netbsd:VOP_IOCTL+0x132 sys/kern/vnode_if.c:933
[ 451.0067357] vn_ioctl() at netbsd:vn_ioctl+0x1c3 sys/kern/vfs_vnops.c:894
[ 451.0568103] sys_ioctl() at netbsd:sys_ioctl+0x8f6 sys/kern/sys_generic.c:675
[ 451.0968757] sys___syscall() at netbsd:sys___syscall+0x10e sy_call sys/sys/syscallvar.h:65 [inline]
[ 451.0968757] sys___syscall() at netbsd:sys___syscall+0x10e sys/kern/sys_syscall.c:90
[ 451.1369318] syscall() at netbsd:syscall+0x246 sy_call sys/sys/syscallvar.h:65 [inline]
[ 451.1369318] syscall() at netbsd:syscall+0x246 sy_invoke sys/sys/syscallvar.h:94 [inline]
[ 451.1369318] syscall() at netbsd:syscall+0x246 sys/arch/x86/x86/syscall.c:137
[ 451.1469472] --- syscall (number 54 via SYS_syscall) ---
[ 451.1669768] netbsd:syscall+0x246:
[ 451.1669768] cpu0: End traceback...
[ 451.1774675] fatal breakpoint trap in supervisor mode [ 451.1774675] trap type 1 code 0 rip 0xffffffff8023240d cs 0x8 rflags 0x286 cr2 0x62e118 ilevel 0 rsp 0xffffa68249840690 [ 451.1928898] curlwp 0xffffa68012d7a040 pid 8577.8607 lowest kstack 0xffffa682498392c0 Stopped in pid 8577.8607 (syz-executor.5) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 db_panic() at netbsd:db_panic+0x105 sys/ddb/db_panic.c:71 vpanic() at netbsd:vpanic+0x282 sys/kern/subr_prf.c:288 panic() at netbsd:panic+0x9e sys/kern/subr_prf.c:1084 kasan_report() at netbsd:kasan_report+0x8f kasan_code_name sys/kern/subr_asan.c:169 [inline] kasan_report() at netbsd:kasan_report+0x8f sys/kern/subr_asan.c:201 __asan_load8() at netbsd:__asan_load8+0xac kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:371 [inline] __asan_load8() at netbsd:__asan_load8+0xac kasan_shadow_check sys/kern/subr_asan.c:421 [inline] __asan_load8() at netbsd:__asan_load8+0xac sys/kern/subr_asan.c:1208 wsmux_do_ioctl() at netbsd:wsmux_do_ioctl+0x76e sys/dev/wscons/wsmux.c:520 cdev_ioctl() at netbsd:cdev_ioctl+0x197 sys/kern/subr_devsw.c:1525 spec_ioctl() at netbsd:spec_ioctl+0x148 sys/miscfs/specfs/spec_vnops.c:1331 VOP_IOCTL() at netbsd:VOP_IOCTL+0x132 sys/kern/vnode_if.c:933 vn_ioctl() at netbsd:vn_ioctl+0x1c3 sys/kern/vfs_vnops.c:894 sys_ioctl() at netbsd:sys_ioctl+0x8f6 sys/kern/sys_generic.c:675 sys___syscall() at netbsd:sys___syscall+0x10e sy_call sys/sys/syscallvar.h:65 [inline] sys___syscall() at netbsd:sys___syscall+0x10e sys/kern/sys_syscall.c:90 syscall() at netbsd:syscall+0x246 sy_call sys/sys/syscallvar.h:65 [inline] syscall() at netbsd:syscall+0x246 sy_invoke sys/sys/syscallvar.h:94 [inline] syscall() at netbsd:syscall+0x246 sys/arch/x86/x86/syscall.c:137 --- syscall (number 54 via SYS_syscall) --- netbsd:syscall+0x246: Panic string: ASan: Unauthorized Access In 0xffffffff81857eb6: Addr 0xffffa68012c4fa70 [8 bytes, read, PoolUseAfterFree] PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 12467 
12467 2 0 0 ffffa68012d2ab80 syz-executor.0 8577 > 8607 7 0 0 ffffa68012d7a040 syz-executor.5 8577 8577 2 0 10000000 ffffa68014aef100 syz-executor.5 8444 8444 3 1 180 ffffa68013494180 syz-executor.5 parked 8510 8510 3 1 40180 ffffa68012b86980 syz-executor.0 wait 8601 8601 3 1 180 ffffa68012d5d340 init nanoslp 8091 8091 3 1 180 ffffa68014edd640 syz-executor.4 parked 8338 9280 3 1 11100000 ffffa68012d06240 syz-executor.4 vfork 8338 8338 2 0 11000040 ffffa68013432740 syz-executor.4 9650 9650 3 1 180 ffffa68012c18240 syz-executor.4 wait 8176 8176 3 1 180 ffffa68012c6c300 syz-executor.2 parked 11938 9286 3 1 1100000 ffffa68014305a00 syz-executor.2 vfork 11938 11938 2 1 11000040 ffffa68012c4b700 syz-executor.2 8259 8259 2 0 140 ffffa6801416e980 syz-executor.5 8487 8487 3 1 180 ffffa68014c119c0 syz-executor.1 parked 11309 11309 3 1 1c0 ffffa68012cc4980 syz-executor.2 wait 7417 7417 3 1 180 ffffa68012bf0a40 syz-executor.4 parked 10196 10196 3 1 180 ffffa680148c9780 syz-executor.0 parked 9068 7315 3 1 11100000 ffffa68014093500 syz-executor.4 vfork 9068 9068 2 0 11000040 ffffa68013463100 syz-executor.4 6395 6395 3 0 180 ffffa68012b86100 syz-executor.1 parked 6251 6251 3 0 180 ffffa6801470b2c0 syz-executor.4 parked 9377 9377 3 1 180 ffffa68013494a00 syz-executor.2 parked 5368 6734 3 1 11100000 ffffa68013ff9780 syz-executor.2 vfork 5368 5368 2 1 11000040 ffffa68013f192c0 syz-executor.2 9020 9020 3 0 180 ffffa68014366a40 syz-executor.5 parked 5160 > 5357 7 1 1140000 ffffa680149d1480 syz-executor.0 5160 5160 2 1 11000040 ffffa68012c2c280 syz-executor.0 7237 7237 3 0 180 ffffa680149d1040 syz-executor.0 parked 5252 5252 3 1 180 ffffa680134458c0 syz-executor.2 parked 6359 5107 3 1 11100000 ffffa680133805c0 syz-executor.2 vfork 6359 6359 2 0 11000040 ffffa6801343c340 syz-executor.2 7762 7762 3 1 180 ffffa68013359580 syz-executor.4 parked 4435 4435 3 1 180 ffffa6801436ba80 syz-executor.0 parked 4752 4752 3 1 180 ffffa680141f39c0 syz-executor.1 parked 5713 4995 3 1 1100000 
ffffa680141f3140 syz-executor.1 vfork 5713 5713 2 1 11000040 ffffa68012cd19c0 syz-executor.1 4762 4762 3 1 180 ffffa68012cd1580 syz-executor.2 parked 4202 4202 3 1 180 ffffa6801404e4c0 syz-executor.5 parked address 0x41b58ab3 is invalid 794603520 4202 3 1 180 41b58ab3 parked 6475 5194 3 1 11100000 ffffa68012c18ac0 syz-executor.5 vfork 6475 6475 2 0 11000040 ffffa68012caa4c0 syz-executor.5 3298 3298 3 0 180 ffffa68012d1b700 syz-executor.5 parked 4436 4436 3 0 180 ffffa68012c09a80 syz-executor.4 parked 2116 2116 3 1 180 ffffa6801345b0c0 syz-executor.1 parked 6332 5711 3 1 11100000 ffffa68012a5cbc0 syz-executor.1 vfork 6332 6332 2 0 11000040 ffffa68013348980 syz-executor.1 1410 1410 3 1 180 ffffa680141f3580 syz-executor.0 parked 2336 2336 3 1 180 ffffa68013432300 syz-executor.1 parked 1700 1318 3 1 11100000 ffffa6801436f240 syz-executor.1 vfork 1700 1700 2 1 11000040 ffffa68014366600 syz-executor.1 4440 4440 3 1 180 ffffa6801339b600 syz-executor.5 parked 3643 3643 3 0 180 ffffa68012cc4540 syz-executor.2 parked 3639 1082 3 0 11100000 ffffa68012c86bc0 syz-executor.2 vfork 3639 3639 2 1 11000040 ffffa680133b3ac0 syz-executor.2 1465 1465 3 1 180 ffffa68012d06680 syz-executor.1 parked 1376 1376 3 0 180 ffffa68013ff9bc0 syz-executor.3 parked 1222 1460 3 0 1100000 ffffa68012cb4500 syz-executor.3 vfork 1222 1222 2 0 11000040 ffffa68012c86780 syz-executor.3 1367 1085 3 1 11100000 ffffa68012c09200 syz-executor.1 vfork 1367 1367 2 0 11000040 ffffa68012cec600 syz-executor.1 1238 6345 3 0 180 ffffa68012adc940 syz-fuzzer parked 1238 1609 3 0 180 ffffa680140178c0 syz-fuzzer parked 1238 464 3 1 180 ffffa68012c6cb80 syz-fuzzer wait 1238 1074 3 0 180 ffffa68013e6cb00 syz-fuzzer wait 1238 1205 3 0 180 ffffa68013e6c280 syz-fuzzer parked 1238 942 2 0 140 ffffa68013e02240 syz-fuzzer 1238 1244 3 0 180 ffffa68013df5a80 syz-fuzzer wait 1238 990 3 0 180 ffffa68013df5200 syz-fuzzer wait 1238 1241 3 1 180 ffffa680133ce6c0 syz-fuzzer parked 1238 1235 3 0 180 ffffa68013d5ca40 syz-fuzzer parked 
1238 449 3 0 180 ffffa68013d5c600 syz-fuzzer parked 1238 1226 3 0 180 ffffa680133b3680 syz-fuzzer parked 1238 1229 3 1 180 ffffa680126d7740 syz-fuzzer parked 1238 1233 2 0 140 ffffa680129c1b40 syz-fuzzer 1238 1238 3 1 180 ffffa68012ab64c0 syz-fuzzer wait 1230 1230 3 0 180 ffffa68012c09640 sshd select 1216 1216 3 1 180 ffffa68013463540 getty nanoslp 954 954 3 1 180 ffffa6801347e9c0 getty nanoslp 1184 1184 3 1 180 ffffa680134945c0 getty nanoslp 1109 1109 3 0 180 ffffa6801339ba40 sshd select 1023 1023 3 1 180 ffffa68012caa080 powerd kqueue 702 702 3 1 180 ffffa68013428b40 syslogd kqueue 746 746 3 1 180 ffffa68012c18680 dhcpcd poll 747 747 3 0 180 ffffa68012cb40c0 dhcpcd poll 742 742 3 1 180 ffffa68012c4bb40 dhcpcd poll 602 602 3 0 180 ffffa68012c86340 dhcpcd poll 487 487 3 0 180 ffffa68012d93900 dhcpcd poll 292 292 3 0 180 ffffa68012d934c0 dhcpcd poll 485 485 3 1 180 ffffa68012d93080 dhcpcd poll 1 1 3 0 180 ffffa680128679c0 init wait 0 5521 3 0 200 ffffa680147076c0 ktrace ktrwait 0 10949 3 1 200 ffffa68013432b80 ktrace ktrwait 0 11561 3 1 200 ffffa680126db480 poolthread pooljob 0 7581 3 0 200 ffffa680126d9bc0 ktrace ktrwait 0 3235 3 0 200 ffffa68012a78480 ktrace ktrwait 0 3670 3 0 200 ffffa68014017480 ktrace ktrwait 0 2186 3 1 200 ffffa6801344f900 ktrace ktrwait 0 919 3 0 200 ffffa68012dca940 ktrace ktrwait 0 4013 3 0 200 ffffa68012ab6900 ktrace ktrwait 0 1896 3 0 200 ffffa68012d1b2c0 ktrace ktrwait 0 967 3 0 200 ffffa680129c0280 physiod physiod 0 196 3 0 200 ffffa680129c12c0 pooldrain pooldrain 0 195 3 1 200 ffffa680129c0b00 ioflush syncer 0 194 3 1 200 ffffa680129c06c0 pgdaemon pgdaemon 0 167 3 1 200 ffffa68012990680 usb7 usbevt 0 172 3 0 200 ffffa68012990240 usb6 usbevt 0 170 3 1 200 ffffa6801293ba80 usb5 usbevt 0 168 3 1 200 ffffa6801293b640 usb4 usbevt 0 166 3 1 200 ffffa6801293b200 usb3 usbevt 0 165 3 0 200 ffffa680128d1a40 usb2 usbevt 0 31 3 1 200 ffffa680128d1600 usb1 usbevt 0 63 3 1 200 ffffa680128d11c0 usb0 usbevt 0 126 3 1 200 ffffa6801287ca00 usbtask-dr 
usbtsk 0 125 3 1 200 ffffa6801287c5c0 usbtask-hc usbtsk 0 124 3 0 200 ffffa68010d66b00 swwreboot swwreboot 0 123 3 1 200 ffffa6801287c180 npfgc0 npfgcw 0 122 3 1 200 ffffa68012867580 rt_free rt_free 0 121 3 1 200 ffffa68012867140 unpgc unpgc 0 120 2 0 200 ffffa68012707980 key_timehandler 0 119 3 1 200 ffffa68012707540 icmp6_wqinput/1 icmp6_wqinput 0 118 3 0 200 ffffa68012707100 icmp6_wqinput/0 icmp6_wqinput 0 117 2 0 200 ffffa680126fd940 nd6_timer 0 116 3 1 200 ffffa680126fd500 carp6_wqinput/1 carp6_wqinput 0 115 3 0 200 ffffa680126fd0c0 carp6_wqinput/0 carp6_wqinput 0 114 3 1 200 ffffa680126ed900 carp_wqinput/1 carp_wqinput 0 113 3 0 200 ffffa680126ed4c0 carp_wqinput/0 carp_wqinput 0 112 3 1 200 ffffa680126ed080 icmp_wqinput/1 icmp_wqinput 0 111 3 0 200 ffffa680126db8c0 icmp_wqinput/0 icmp_wqinput 0 110 2 0 200 ffffa680126db040 rt_timer 0 109 3 1 200 ffffa680126d9780 vmem_rehash vmem_rehash 0 100 3 0 200 ffffa680126d7300 entbutler entropy 0 99 3 0 200 ffffa680120bdb40 viomb balloon 0 98 3 1 200 ffffa680120bd700 vioif0_txrx/1 vioif0_txrx 0 97 3 0 200 ffffa680120bd2c0 vioif0_txrx/0 vioif0_txrx 0 30 3 0 200 ffffa68010d666c0 scsibus0 sccomp 0 29 3 0 200 ffffa68010d66280 pms0 pmsreset 0 28 3 1 200 ffffa68010cacac0 xcall/1 xcall 0 27 1 1 200 ffffa68010cac680 softser/1 0 26 1 1 200 ffffa68010cac240 softclk/1 0 25 1 1 200 ffffa68010ca9a80 softbio/1 0 24 1 1 200 ffffa68010ca9640 softnet/1 0 23 1 1 201 ffffa68010ca9200 idle/1 0 22 3 0 200 ffffa6800fb55a40 lnxsyswq lnxsyswq 0 21 3 0 200 ffffa6800fb55600 lnxubdwq lnxubdwq 0 20 3 0 200 ffffa6800fb551c0 lnxpwrwq lnxpwrwq 0 19 3 0 200 ffffa6800fb54a00 lnxlngwq lnxlngwq 0 18 3 0 200 ffffa6800fb545c0 lnxhipwq lnxhipwq 0 17 3 0 200 ffffa6800fb54180 lnxrcugc lnxrcugc 0 16 3 0 200 ffffa6800fb4d9c0 sysmon smtaskq 0 15 3 0 200 ffffa6800fb4d580 pmfsuspend pmfsuspend 0 14 3 0 200 ffffa6800fb4d140 pmfevent pmfevent 0 13 3 0 200 ffffa6800fb4a980 sopendfree sopendfr 0 12 3 0 200 ffffa6800fb4a540 ifwdog ifwdog 0 11 3 0 200 ffffa6800fb4a100 
iflnkst iflnkst 0 10 3 0 200 ffffa6800fb3b940 nfssilly nfssilly 0 9 3 0 200 ffffa6800fb3b500 pooldisp pooldisp 0 8 3 1 200 ffffa6800fb3b0c0 modunload mod_unld 0 7 3 0 200 ffffa6800fb32900 xcall/0 xcall 0 6 1 0 200 ffffa6800fb324c0 softser/0 0 5 1 0 200 ffffa6800fb32080 softclk/0 0 4 1 0 200 ffffa6800fb308c0 softbio/0 0 3 1 0 200 ffffa6800fb30480 softnet/0 0 2 1 0 201 ffffa6800fb30040 idle/0 0 0 2 1 200 ffffffff83350200 swapper [Locks tracked through LWPs] ****** LWP 12467.12467 (syz-executor.0) @ 0xffffa68012d2ab80, l_stat=2 *** Locks held: * Lock 0 (initialized at netbsd:fork1+0x365 sys/kern/kern_fork.c:366) lock address : ffffa68012b96b90 type : sleep/adaptive initialized : netbsd:fork1+0x365 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 1 relevant lwp : 0xffffa68012d2ab80 last held: 0xffffa68012d2ab80 last locked* : netbsd:execve_loadvm+0x308 unlocked : 0 owner/count : 0xffffa68012d2ab80 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 9650.9650 (syz-executor.4) @ 0xffffa68012c18240, l_stat=3 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at netbsd:procinit+0x5c sys/kern/kern_proc.c:387) lock address : netbsd:proc_lock type : sleep/adaptive initialized : netbsd:procinit+0x5c shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 1 relevant cpu : 1 last held: 1 relevant lwp : 0xffffa68012c18240 last held: 0xffffa680149d1480 last locked* : netbsd:proclist_foreach_call+0xc1 unlocked : netbsd:proclist_foreach_call+0x359 owner field : 0xffffa680149d1480 wait/spin: 0/0 Turnstile: no active turnstile for this lock. 
****** LWP 5160.5357 (syz-executor.0) @ 0xffffa680149d1480, l_stat=7 *** Locks held: * Lock 0 (initialized at netbsd:fork1+0x365 sys/kern/kern_fork.c:366) lock address : ffffa68013f81c10 type : sleep/adaptive initialized : netbsd:fork1+0x365 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffa680149d1480 last held: 0xffffa680149d1480 last locked* : netbsd:execve_loadvm+0x308 unlocked : 0 owner/count : 0xffffa680149d1480 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at netbsd:procinit+0x5c sys/kern/kern_proc.c:387) lock address : netbsd:proc_lock type : sleep/adaptive initialized : netbsd:procinit+0x5c shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 1 relevant cpu : 1 last held: 1 relevant lwp : 0xffffa680149d1480 last held: 0xffffa680149d1480 last locked* : netbsd:proclist_foreach_call+0xc1 unlocked : netbsd:proclist_foreach_call+0x359 owner field : 0xffffa680149d1480 wait/spin: 0/0 Turnstile: no active turnstile for this lock. *** Locks wanted: none [ 451.2005195] uvm_fault(0xffffa6801291c580, 0x41b58000, 1) -> e [ 451.2005195] fatal page fault in supervisor mode [ 451.2005195] trap type 6 code 0 rip 0xffffffff81c19d25 cs 0x8 rflags 0x10282 cr2 0x41b58e73 ilevel 0x8 rsp 0xffffa6824983fd10 [ 451.2005195] curlwp 0xffffa68012d7a040 pid 8577.8607 lowest kstack 0xffffa682498392c0 kernel: page fault trap, code=0 Faulted in DDB; continuing...