[ 52.4643943] panic: ASan: Unauthorized Access In 0xffffffff811784c5: Addr 0xffffaf8011c81b18 [8 bytes, read, PoolUseAfterFree] [ 52.4808567] fatal page fault in supervisor mode [ 52.4808567] trap type 6 code 0 rip 0xffffffff811db8d4 cs 0x8 rflags 0x10283 cr2 0xffff900000000007 ilevel 0x8 rsp 0xffffaf816da9fda0 [ 52.4808567] curlwp 0xffffaf800de22060 pid 0.5 lowest kstack 0xffffaf816da982c0 kernel: page fault trap, code=0 Stopped in pid 0.5 (system) at netbsd:__asan_load8+0x62: movzbl 0(%rax),%r8d ? __asan_load8() at netbsd:__asan_load8+0x62 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:356 [inline] __asan_load8() at netbsd:__asan_load8+0x62 kasan_shadow_check sys/kern/subr_asan.c:410 [inline] __asan_load8() at netbsd:__asan_load8+0x62 sys/kern/subr_asan.c:1180 sleepq_remove() at netbsd:sleepq_remove+0x262 spc_lock sys/sys/lwp.h:449 [inline] sleepq_remove() at netbsd:sleepq_remove+0x262 sys/kern/kern_sleepq.c:159 sleepq_unsleep() at netbsd:sleepq_unsleep+0x74 sys/kern/kern_sleepq.c:357 sleepq_timeout() at netbsd:sleepq_timeout+0x6b sys/kern/kern_sleepq.c:386 callout_softclock() at netbsd:callout_softclock+0x272 sys/kern/kern_timeout.c:761 softint_dispatch() at netbsd:softint_dispatch+0x264 x86_curcpu sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:56 [inline] softint_dispatch() at netbsd:softint_dispatch+0x264 softint_execute sys/kern/kern_softint.c:592 [inline] softint_dispatch() at netbsd:softint_dispatch+0x264 sys/kern/kern_softint.c:878 DDB lost frame for netbsd:Xsoftintr+0x5a, trying 0xffffaf816da9fff0 Xsoftintr() at netbsd:Xsoftintr+0x5a --- interrupt --- 0: ds fdb0 es cbea fs 3060 gs 6a34 rdi 38 rsi 7 rbp ffffaf816da9fdb0 rbx ffffaf8012a26960 rdx 800000000000 rcx ffffffff811a8477 sleepq_remove+0x262 rax ffff900000000007 r8 0 r9 3f r10 7 r11 0 r12 0 r13 38 r14 13c6 r15 ffffaf8012a269b4 rip ffffffff811db8d4 __asan_load8+0x62 cs 8 rflags 10283 rsp ffffaf816da9fda0 ss 0 netbsd:__asan_load8+0x62: movzbl 0(%rax),%r8d PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 567 1 2 0 0 ffffaf8011ccf6e0 syz-executor1907 634 1 2 0 0 ffffaf8011ccfb20 syz-executor1907 571 > 1 7 0 20000000 ffffaf8012a66a20 syz-executor1907 45 1 2 0 0 ffffaf8012a665e0 syz-executor1907 389 > 1 7 1 20000000 ffffaf8012a661a0 syz-executor1907 568 1 3 1 0 ffffaf8013164a80 syz-executor1907 tstile 41 1 3 1 0 ffffaf8013164640 syz-executor1907 nodebug 40 1 3 -1 0 ffffaf8012a26960 syz-executor1907 486 1 3 1 80 ffffaf8011ae2160 syz-executor1907 nanoslp 551 1 3 0 40080 ffffaf8011ae45c0 sshd select 561 1 3 0 80 ffffaf8012a30540 getty nanoslp 563 1 3 1 80 ffffaf8012a4f9e0 getty nanoslp 575 1 3 1 80 ffffaf8012a4f160 getty nanoslp 580 1 3 0 80 ffffaf8012a469c0 getty ttyraw 432 1 3 1 80 ffffaf8012969740 cron nanoslp 554 1 3 1 80 ffffaf8012994760 inetd kqueue 317 1 3 1 80 ffffaf8011fba2a0 sshd select 460 1 3 0 80 ffffaf8011f04600 powerd kqueue 382 1 2 0 40000 ffffaf8011ea3540 makemandb 195 1 3 1 80 ffffaf8012994ba0 syslogd kqueue 182 1 3 0 80 ffffaf8011f161e0 dhcpcd kqueue 220 1 3 0 80 ffffaf8011e2a080 dhcpcd kqueue 1 1 3 0 80 ffffaf8011bfcaa0 init wait 0 58 3 0 204 ffffaf8011c10680 physiod physiod 0 57 3 0 204 ffffaf8011c52ae0 aiodoned aiodoned 0 56 3 0 204 ffffaf8011c526a0 pooldrain pooldrain 0 55 3 0 200 ffffaf8011c52260 ioflush syncer 0 54 3 1 200 ffffaf8011c10ac0 pgdaemon pgdaemon 0 51 3 1 200 ffffaf8011c10240 npfgc-0 npfgccv 0 50 3 1 204 ffffaf8011bfc660 rt_free rt_free 0 49 3 0 204 ffffaf8011bfc220 unpgc unpgc 0 48 3 0 204 ffffaf8011bf5a80 key_timehandler key_timehandler 0 47 3 1 204 ffffaf8011bf5640 icmp6_wqinput/1 icmp6_wqinput 0 46 3 0 204 ffffaf8011bf5200 icmp6_wqinput/0 icmp6_wqinput 0 45 3 0 204 ffffaf8011b0ca60 nd6_timer nd6_timer 0 44 3 1 204 ffffaf8011b0c620 carp6_wqinput/1 carp6_wqinput 0 43 3 0 204 ffffaf8011b0c1e0 carp6_wqinput/0 carp6_wqinput 0 42 3 1 204 ffffaf8011af7a40 carp_wqinput/1 carp_wqinput 0 41 3 0 204 ffffaf8011af7600 carp_wqinput/0 carp_wqinput 0 40 3 1 204 ffffaf8011af71c0 icmp_wqinput/1 icmp_wqinput 0 39 3 0 204 ffffaf8011ae7a20 icmp_wqinput/0 icmp_wqinput 0 38 3 0 204 ffffaf8011ae75e0 rt_timer rt_timer 0 37 3 0 204 ffffaf8011ae4a00 vmem_rehash vmem_rehash 0 27 3 0 204 ffffaf800f3c4580 scsibus0 sccomp 0 26 3 0 200 ffffaf800f3c4140 pms0 pmsreset 0 25 3 1 204 ffffaf800f3359a0 xcall/1 xcall 0 24 1 1 200 ffffaf800f335560 softser/1 0 23 1 1 200 ffffaf800f335120 softclk/1 0 22 1 1 200 ffffaf800f331980 softbio/1 0 21 1 1 200 ffffaf800f331540 softnet/1 0 20 1 1 201 ffffaf800f331100 idle/1 0 19 3 1 204 ffffaf800de52960 lnxpwrwq lnxpwrwq 0 18 3 1 204 ffffaf800de52520 lnxlngwq lnxlngwq 0 17 3 0 204 ffffaf800de520e0 lnxsyswq lnxsyswq 0 16 3 1 204 ffffaf800de4d940 lnxrcugc lnxrcugc 0 15 3 0 204 ffffaf800de4d500 sysmon smtaskq 0 14 3 0 204 ffffaf800de4d0c0 pmfsuspend pmfsuspend 0 13 3 0 204 ffffaf800de3e920 pmfevent pmfevent 0 12 3 0 204 ffffaf800de3e4e0 sopendfree sopendfr 0 11 3 1 204 ffffaf800de3e0a0 nfssilly nfssilly 0 10 3 0 200 ffffaf800de32900 cachegc cachegc 0 9 3 1 204 ffffaf800de324c0 vdrain vdrain 0 8 3 1 200 ffffaf800de32080 modunload mod_unld 0 7 3 0 204 ffffaf800de228e0 xcall/0 xcall 0 6 1 0 200 ffffaf800de224a0 softser/0 0 > 5 7 0 20000200 ffffaf800de22060 softclk/0 0 4 1 0 200 ffffaf800de1f8c0 softbio/0 0 3 1 0 200 ffffaf800de1f480 softnet/0 0 2 1 0 201 ffffaf800de1f040 idle/0 0 1 3 0 200 ffffffff82b66bc0 swapper uvm [Locks tracked through LWPs] Locks held by an LWP (syz-executor1907): Lock 0 (initialized at uvm_obj_init) lock address : 0xffffaf800d92aec0 type : sleep/adaptive initialized : 0xffffffff8110a8b7 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffaf800de22060 last held: 0xffffaf8011ccf6e0 last locked* : 0xffffffff810ee658 unlocked : 0xffffffff810eb896 owner field : 0xffffaf8011ccf6e0 wait/spin: 0/0 Turnstile chain at 0xffffffff82d8c898 with mutex 0xffffffff82d8b580. => No active turnstile for this lock. Locks held by an LWP (syz-executor1907): Lock 0 (initialized at amap_ctor) lock address : 0xffffaf8013269e80 type : sleep/adaptive initialized : 0xffffffff810de605 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 1 current cpu : 0 last held: 0 current lwp : 0xffffaf800de22060 last held: 0xffffaf8011ccfb20 last locked* : 0xffffffff810ed1a4 unlocked : 0xffffffff810eb24c owner field : 0xffffaf8011ccfb20 wait/spin: 1/0 Turnstile chain at 0xffffffff82d8ca90 with mutex 0xffffffff82d8c540. => Turnstile at 0xffffaf8012a73440 (wrq=0xffffaf8012a73460, rdq=0xffffaf8012a73470). => 0 waiting readers: => 1 waiting writers: 0xffffaf8013164a80 Locks held by an LWP (syz-executor1907): Lock 0 (initialized at vcache_alloc) lock address : 0xffffaf8013785100 type : sleep/adaptive initialized : 0xffffffff812c7fb2 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffaf800de22060 last held: 0xffffaf8012a665e0 last locked* : 0xffffffff812f4ad0 unlocked : 0xffffffff812f498d owner/count : 0xffffaf8012a665e0 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d8c8e0 with mutex 0xffffffff82d8b7c0. => No active turnstile for this lock. Lock 1 (initialized at vcache_alloc) lock address : 0xffffaf80137853c0 type : sleep/adaptive initialized : 0xffffffff812c7fb2 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffaf800de22060 last held: 0xffffaf8012a665e0 last locked* : 0xffffffff812f4ad0 unlocked : 0xffffffff812f498d owner/count : 0xffffaf8012a665e0 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d8c938 with mutex 0xffffffff82d8ba80. => No active turnstile for this lock. Lock 2 (initialized at genfs_node_init) lock address : 0xffffaf8013794ae0 type : sleep/adaptive initialized : 0xffffffff812f4c54 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 0 current lwp : 0xffffaf800de22060 last held: 0xffffaf8012a665e0 last locked* : 0xffffffff8103e384 unlocked : 000000000000000000 owner/count : 0xffffaf8012a665e0 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d8c818 with mutex 0xffffffff82d8b180. => No active turnstile for this lock. Locks held by an LWP (syz-executor1907): Lock 0 (initialized at vcache_alloc) lock address : 0xffffaf8013708f80 type : sleep/adaptive initialized : 0xffffffff812c7fb2 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 1 current lwp : 0xffffaf800de22060 last held: 0xffffaf8013164640 last locked* : 0xffffffff812f4ad0 unlocked : 0xffffffff812f498d owner/count : 0xffffaf8013164640 flags : 0x0000000000000004 Turnstile chain at 0xffffffff82d8c8b0 with mutex 0xffffffff82d8b640. => No active turnstile for this lock. Lock 1 (initialized at vcache_alloc) lock address : 0xffffaf8013785380 type : sleep/adaptive initialized : 0xffffffff812c7fb2 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 current cpu : 0 last held: 1 current lwp : 0xffffaf800de22060 last held: 0xffffaf8013164640 last locked* : 0xffffffff812f4ad0 unlocked : 0xffffffff812f498d [ 52.4808567] Skipping crash dump on recursive panic [ 52.4808567] panic: ASan: Unauthorized Access In 0xffffffff8119b800: Addr 0xffffaf8013785380 [8 bytes, read, PoolUseAfterFree] [ 52.4808567] cpu0: Begin traceback... [ 52.4808567] vpanic() at netbsd:vpanic+0x241 sys/kern/subr_prf.c:336 [ 52.4808567] snprintf() at netbsd:snprintf [ 52.4808567] kasan_report() at netbsd:kasan_report+0x8f kasan_code_name sys/kern/subr_asan.c:172 [inline] [ 52.4808567] kasan_report() at netbsd:kasan_report+0x8f sys/kern/subr_asan.c:194 [ 52.4808567] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:344 [inline] [ 52.4808567] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:358 [inline] [ 52.4808567] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:410 [inline] [ 52.4808567] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1180 [ 52.4808567] rw_dump() at netbsd:rw_dump+0x20 sys/kern/kern_rwlock.c:191 [ 52.4808567] lockdebug_dump() at netbsd:lockdebug_dump+0x281 sys/kern/subr_lockdebug.c:780 [ 52.4808567] lockdebug_show_one() at netbsd:lockdebug_show_one+0xb9 sys/kern/subr_lockdebug.c:858 [ 52.4808567] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f lockdebug_show_all_locks_lwp sys/kern/subr_lockdebug.c:889 [inline] [ 52.4808567] lockdebug_show_all_locks() at netbsd:lockdebug_show_all_locks+0x12f sys/kern/subr_lockdebug.c:936 [ 52.4808567] db_command() at netbsd:db_command+0x2c0 sys/ddb/db_command.c:942 [ 52.4808567] db_command_loop() at netbsd:db_command_loop+0x26c db_execute_commandlist sys/ddb/db_command.c:439 [inline] [ 52.4808567] db_command_loop() at netbsd:db_command_loop+0x26c sys/ddb/db_command.c:589 [ 52.4808567] db_trap() at netbsd:db_trap+0x219 sys/ddb/db_trap.c:94 [ 52.4808567] kdb_trap() at netbsd:kdb_trap+0x1ce sys/arch/amd64/amd64/db_interface.c:246 [ 52.4808567] trap() at netbsd:trap+0x650 sys/arch/amd64/amd64/trap.c:313 [ 52.4808567] --- trap (number 6) --- [ 52.4808567] __asan_load8() at netbsd:__asan_load8+0x62 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:356 [inline] [ 52.4808567] __asan_load8() at netbsd:__asan_load8+0x62 kasan_shadow_check sys/kern/subr_asan.c:410 [inline] [ 52.4808567] __asan_load8() at netbsd:__asan_load8+0x62 sys/kern/subr_asan.c:1180 [ 52.4808567] sleepq_remove() at netbsd:sleepq_remove+0x262 spc_lock sys/sys/lwp.h:449 [inline] [ 52.4808567] sleepq_remove() at netbsd:sleepq_remove+0x262 sys/kern/kern_sleepq.c:159 [ 52.4808567] sleepq_unsleep() at netbsd:sleepq_unsleep+0x74 sys/kern/kern_sleepq.c:357 [ 52.4808567] sleepq_timeout() at netbsd:sleepq_timeout+0x6b sys/kern/kern_sleepq.c:386 [ 52.4808567] callout_softclock() at netbsd:callout_softclock+0x272 sys/kern/kern_timeout.c:761 [ 52.4808567] softint_dispatch() at netbsd:softint_dispatch+0x264 x86_curcpu sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/cpu.h:56 [inline] [ 52.4808567] softint_dispatch() at netbsd:softint_dispatch+0x264 softint_execute sys/kern/kern_softint.c:592 [inline] [ 52.4808567] softint_dispatch() at netbsd:softint_dispatch+0x264 sys/kern/kern_softint.c:878 [ 52.4808567] DDB lost frame for netbsd:Xsoftintr+0x5a, trying 0xffffaf816da9fff0 [ 52.4808567] Xsoftintr() at netbsd:Xsoftintr+0x5a [ 52.4808567] --- interrupt --- [ 52.4808567] 0: [ 52.4808567] cpu0: End traceback... [ 52.4808567] fatal breakpoint trap in supervisor mode [ 52.4808567] trap type 1 code 0 rip 0xffffffff8021e4b5 cs 0x8 rflags 0x246 cr2 0xffff900000000007 ilevel 0x8 rsp 0xffffaf816da9f360 [ 52.4808567] curlwp 0xffffaf800de22060 pid 0.5 lowest kstack 0xffffaf816da982c0 Stopped in pid 0.5 (system) at netbsd:breakpoint+0x5: leave