last executing test programs: 1m5.527935689s ago: executing program 3 (id=354): r0 = open(&(0x7f0000000480)='./file0\x00', 0x80400000000206, 0x0) mmap(&(0x7f0000000000/0x200000)=nil, 0x200000, 0x3, 0x20011, r0, 0x0) mount(0x0, 0x0, 0x0, 0x0) r1 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$sock_int(r1, 0xffff, 0x1014, &(0x7f0000000480), 0x4) 1m5.483016696s ago: executing program 3 (id=357): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) setsockopt(r1, 0x0, 0x3, &(0x7f0000000100)="09001000", 0x4) sendmsg$unix(r0, &(0x7f00000018c0)={0x0, 0x0, 0x0, 0x0, &(0x7f0000001880)=ANY=[@ANYBLOB="10000000ffff000006"], 0x10}, 0x0) sigqueue(0x0, 0x63, @sigval_ptr=0xfffffff) rfork(0x11000) 1m5.335314803s ago: executing program 3 (id=360): open$dir(&(0x7f0000000200)='./file0\x00', 0x10258, 0x0) r0 = open$dir(&(0x7f0000000200)='./file0\x00', 0x10258, 0x0) fcntl$lock(r0, 0xd, &(0x7f0000000040)={0x0, 0x4, 0x3, 0x1000100000003}) r1 = open(&(0x7f0000000200)='./file0\x00', 0x200, 0x0) fcntl$lock(r1, 0xb, &(0x7f0000000080)={0x2, 0x2, 0x0, 0x100000001}) 1m5.110178613s ago: executing program 3 (id=365): mknodat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x1000, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x200201, 0x0) rfork(0x3060) open$dir(&(0x7f0000000240)='./file0\x00', 0x40000400000002c2, 0x0) 1m4.812804318s ago: executing program 3 (id=370): r0 = open$dir(&(0x7f0000000000)='.\x00', 0x0, 0x0) mkdirat(r0, &(0x7f0000000600)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x0) symlinkat(&(0x7f0000000700)='./file0\x00', r0, &(0x7f00000004c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00') unlink(&(0x7f0000000340)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00') freebsd11_mknod(&(0x7f00000000c0)='./file0\x00', 0xe109, 0x0) 1m4.539439298s ago: executing program 3 (id=375): open(&(0x7f0000000000)='./file0\x00', 0x200, 0x2) r0 = open$dir(&(0x7f00000016c0)='./file0\x00', 0x1, 0x0) pwritev(r0, &(0x7f0000000080)=[{&(0x7f00000006c0), 0x100000}], 0x1, 0x0) r1 = kqueue() kevent(r1, &(0x7f00000001c0)=[{0x3, 0xffffffffffffffff, 0x21}], 0x1, &(0x7f0000000300)=[{}], 0x1, 0x0) 1m4.526797583s ago: executing program 32 (id=375): open(&(0x7f0000000000)='./file0\x00', 0x200, 0x2) r0 = open$dir(&(0x7f00000016c0)='./file0\x00', 0x1, 0x0) pwritev(r0, &(0x7f0000000080)=[{&(0x7f00000006c0), 0x100000}], 0x1, 0x0) r1 = kqueue() kevent(r1, &(0x7f00000001c0)=[{0x3, 0xffffffffffffffff, 0x21}], 0x1, &(0x7f0000000300)=[{}], 0x1, 0x0) 5.792168152s ago: executing program 1 (id=1477): r0 = socket(0x1c, 0x1, 0x0) setsockopt$inet6_IPV6_HOPOPTS(r0, 0x29, 0x31, &(0x7f00000016c0)=ANY=[@ANYBLOB="0004000000000000040100040100c2"], 0x28) setsockopt$inet_tcp_TCP_FUNCTION_BLK(r0, 0x6, 0x2000, &(0x7f0000000040)={'bbr\x00'}, 0x24) sendto(r0, 0x0, 0x0, 0x0, &(0x7f0000000080)=@in6={0x1c, 0x1c, 0x3, 0x0, @empty}, 0x1c) setsockopt$inet_tcp_TCP_FUNCTION_BLK(r0, 0x6, 0x2000, &(0x7f0000000180)={'freebsd\x00', 0x3}, 0x24) sendto$inet6(r0, &(0x7f0000000040)="14", 0x1, 0x5, &(0x7f0000000080)={0x1c, 0x1c, 0x1, 0x0, @rand_addr="fee3a38e5cac1c51deba3c6b07a430a0"}, 0x1c) 5.724012305s ago: executing program 1 (id=1487): openat$crypto(0xffffffffffffff9c, &(0x7f0000000000), 0x80, 0x0) r0 = open(&(0x7f00000000c0)='./file0\x00', 0x205, 0x0) fcntl$lock(r0, 0x9, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x1000300010005}) r1 = open(&(0x7f0000000040)='./file0\x00', 0x0, 0x0) r2 = getpgid(0x0) fcntl$lock(r1, 0xe, &(0x7f0000000100)={0x0, 0x0, 0x4000000000000000, 0x100000001, r2}) 5.525596477s ago: executing program 1 (id=1483): openat$evdev(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x1) r0 = freebsd12_shm_open(&(0x7f0000000000)='./file0\x00', 0x200, 0x1) mmap(&(0x7f0000000000/0x200000)=nil, 0x200000, 0x0, 0x12, r0, 0x0) r1 = socket$inet(0x2, 0x2, 0x0) setsockopt$inet_int(r1, 0x0, 0x13, &(0x7f00000001c0)=0x2, 0x4) 5.357911998s ago: executing program 1 (id=1486): r0 = socket$inet6_udp(0x1c, 0x2, 0x0) setsockopt$inet6_group_source_req(r0, 0x29, 0x52, &(0x7f00000000c0)={0x5, {{0x1c, 0x1c, 0x0, 0x0, @mcast2}}, {{0x1c, 0x1c, 0xffffffffffffffff, 0x0, @rand_addr="19fdb123c091ae3db1f1c5f51d8be800"}}}, 0x108) setsockopt$inet6_group_source_req(r0, 0x29, 0x52, &(0x7f00000000c0)={0x5, {{0x1c, 0x1c, 0x3, 0x0, @mcast2}}, {{0x1c, 0x1c, 0x2, 0x0, @remote={0xfe, 0x80, '\x00', 0x0}}}}, 0x108) setsockopt$inet6_group_source_req(r0, 0x29, 0x52, &(0x7f00000000c0)={0x5, {{0x1c, 0x1c, 0x0, 0x0, @mcast2}}, {{0x1c, 0x1c, 0x1, 0x0, @loopback}}}, 0x108) setsockopt$inet6_group_source_req(r0, 0x29, 0x52, &(0x7f00000000c0)={0x5, {{0x1c, 0x1c, 0x0, 0x0, @mcast2, 0xf}}, {{0x1c, 0x1c, 0x1, 0x0, @empty}}}, 0x108) rfork(0x3060) 5.250977936s ago: executing program 1 (id=1488): r0 = open$dir(&(0x7f0000000140)='.\x00', 0x0, 0x0) mkdirat(r0, &(0x7f0000000080)='./file0\x00', 0x0) mknodat(r0, &(0x7f0000000040)='./file0/file0\x00', 0xe004, 0x0) chown(&(0x7f0000000240)='./file0/file0/file0\x00', 0x0, 0x0) faccessat(r0, &(0x7f0000000180)='./file0/file0/file0\x00', 0x0, 0x0) freebsd11_stat(&(0x7f0000000280)='./file0/file0\x00', 0x0) 5.049351405s ago: executing program 1 (id=1500): mkdir(&(0x7f00000002c0)='./file0\x00', 0x0) chroot(&(0x7f0000000080)='./file0\x00') setgroups(0x0, 0x0) setresgid(0xee00, 0xee01, 0x0) setuid(0xee01) openat$smbus(0xffffffffffffff9c, &(0x7f0000000140), 0x400, 0x0) 4.935117527s ago: executing program 33 (id=1500): mkdir(&(0x7f00000002c0)='./file0\x00', 0x0) chroot(&(0x7f0000000080)='./file0\x00') setgroups(0x0, 0x0) setresgid(0xee00, 0xee01, 0x0) setuid(0xee01) openat$smbus(0xffffffffffffff9c, &(0x7f0000000140), 0x400, 0x0) 951.045351ms ago: executing program 2 (id=1585): sigaltstack(&(0x7f0000ffe000/0x1000)=nil, 0x0) fork() minherit(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x0) sigaltstack(&(0x7f0000ffd000/0x3000)=nil, 0x0) fork() mlock(&(0x7f0000ffd000/0x3000)=nil, 0x3000) 930.167143ms ago: executing program 2 (id=1586): openat$crypto(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x1) r0 = freebsd12_shm_open(&(0x7f0000000000)='./file0\x00', 0x200, 0x1) mmap(&(0x7f0000000000/0x200000)=nil, 0x200000, 0x0, 0x12, r0, 0x0) mprotect(&(0x7f000016d000/0x1000)=nil, 0x1000, 0x2) fork() 896.508575ms ago: executing program 2 (id=1587): r0 = socket$inet6_sctp(0x1c, 0x1, 0x84) bind(r0, &(0x7f0000000000)=@in6={0x1c, 0x1c, 0x2, 0x0, @empty, 0x2}, 0x1c) connect$inet6(r0, &(0x7f0000000180)={0x1c, 0x1c, 0x2, 0x0, @loopback}, 0x1c) setsockopt$inet6_sctp_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0xa, &(0x7f0000000040)={@in6={{0x1c, 0x1c, 0x1, 0x2, @loopback, 0x3}}, 0x0, 0x4, 0x0, 0x315}, 0x98) r1 = fcntl$dupfd(r0, 0x11, r0) sendto$inet(r1, &(0x7f0000000300)="75b03b2d57", 0x5, 0x0, 0x0, 0x0) 874.879797ms ago: executing program 2 (id=1588): setsockopt$inet6_group_source_req(0xffffffffffffffff, 0x29, 0x52, &(0x7f00000000c0)={0x5, {{0x1c, 0x1c, 0x3, 0x21596174, @mcast2, 0xfffffffc}}, {{0x1c, 0x1c, 0x2, 0x7, @remote={0xfe, 0x80, '\x00', 0x0}}}}, 0x108) mprotect(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x1) r0 = socket$inet6_udp(0x1c, 0x2, 0x0) setsockopt$inet6_group_source_req(r0, 0x29, 0x52, &(0x7f00000000c0)={0x5, {{0x1c, 0x1c, 0x3, 0x21596174, @mcast2, 0xfffffffc}}, {{0x1c, 0x1c, 0x2, 0x7, @remote={0xfe, 0x80, '\x00', 0x0}}}}, 0x108) setsockopt$inet6_group_source_req(r0, 0x29, 0x53, &(0x7f00000000c0)={0x7, {{0x1c, 0x1c, 0x0, 0x0, @mcast2}}, {{0x1c, 0x1c, 0x1, 0x0, @ipv4={'\x00', '\xff\xff', @multicast1}}}}, 0x108) setsockopt$inet6_group_source_req(r0, 0x29, 0x53, &(0x7f00000000c0)={0x5, {{0x1c, 0x1c, 0x0, 0x0, @mcast2}}, {{0x1c, 0x1c, 0x2, 0x0, @ipv4={'\x00', '\xff\xff', @rand_addr=0x2}, 0x2}}}, 0x108) 858.077782ms ago: executing program 2 (id=1589): r0 = socket$inet6_sctp(0x1c, 0x1, 0x84) listen(r0, 0x0) freebsd10_pipe(&(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}) close(r1) accept4(r0, 0x0, 0x0, 0x0) kevent(r2, 0x0, 0x0, 0x0, 0x0, 0x0) 766.492689ms ago: executing program 5 (id=1590): r0 = open$dir(&(0x7f0000000100)='./file0\x00', 0x200, 0x0) r1 = open$dir(&(0x7f0000000000)='.\x00', 0x0, 0x0) poll(&(0x7f0000000600)=[{r1, 0x68eb5a13814a4a3a}, {r0, 0x2000}], 0x2, 0x0) r2 = open$dir(&(0x7f0000000000)='.\x00', 0x0, 0x100) renameat(r2, &(0x7f00000000c0)='./file0\x00', r2, &(0x7f0000000180)='./file1\x00') linkat(r2, &(0x7f0000000040)='./file1\x00', r2, &(0x7f0000000080)='./file0\x00', 0x0) 748.717308ms ago: executing program 5 (id=1591): socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000280)={0xffffffffffffffff, 0xffffffffffffffff}) openat$evdev(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x1) r1 = freebsd12_shm_open(&(0x7f0000000000)='./file0\x00', 0x200, 0x1) mmap(&(0x7f0000000000/0x200000)=nil, 0x200000, 0x0, 0x12, r1, 0x0) setsockopt(r0, 0x0, 0x3, &(0x7f0000000000)="f1010100", 0x4) 733.359167ms ago: executing program 5 (id=1592): r0 = socket(0x1, 0x1, 0xfd) r1 = kqueue() kevent(r1, &(0x7f0000000080)=[{0x3, 0xfffffffffffffff3, 0xc023, 0x0, 0x0, 0x0, [0x0, 0x4000000]}], 0x1, 0x0, 0x0, 0x0) kevent(r1, &(0x7f00000000c0)=[{0x3, 0xfffffffffffffffe, 0x45}], 0x1, 0x0, 0x0, 0x0) r2 = kqueue() dup2(r2, r0) 720.756455ms ago: executing program 5 (id=1593): setgroups(0x0, 0x0) r0 = getpid() rtprio(0x1, r0, &(0x7f0000000580)={0x4, 0x4}) freebsd11_mknod(0x0, 0x1000, 0x0) sendmsg$unix(0xffffffffffffff9c, 0x0, 0x0) mount(&(0x7f00000004c0)='hammer\x00', 0x0, 0x0, 0x0) 615.174395ms ago: executing program 5 (id=1598): r0 = socket$inet6_tcp(0x1c, 0x1, 0x0) listen(r0, 0x3) accept(r0, &(0x7f0000000000)=@in6={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @mcast2}, &(0x7f00000000c0)=0x1c) r1 = socket$inet6_tcp(0x1c, 0x1, 0x0) dup2(r1, r0) rfork(0x85000) 516.668912ms ago: executing program 5 (id=1599): setresuid(0x0, 0xee01, 0x0) vfork() setuid(0xee01) thr_self(&(0x7f0000000280)=0x0) sigtimedwait(&(0x7f0000000740), 0x0, 0x0) rtprio_thread(0x1, r0, 0x0) 420.510489ms ago: executing program 0 (id=1603): r0 = open$dir(&(0x7f0000000000)='.\x00', 0x0, 0x0) mkdirat(r0, &(0x7f0000000380)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x129) symlinkat(0x0, 0xffffffffffffffff, 0x0) rename(0x0, 0x0) unlink(0x0) unlink(&(0x7f0000000080)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00') 404.785257ms ago: executing program 0 (id=1604): mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x5) r0 = socket(0x26, 0x2, 0x0) setsockopt$sock_int(r0, 0xffff, 0x1002, &(0x7f0000000000)=0x101, 0x4) sendto(r0, &(0x7f0000000240)="d452343e8c73853962bb43637f2c7953", 0x10, 0x20000, 0x0, 0x0) sendto$unix(r0, &(0x7f0000000200)="6525157ff4eaad91af928a3c9cf88031", 0x10, 0x8, 0x0, 0x0) rfork(0x3060) 391.68597ms ago: executing program 0 (id=1605): r0 = socket$unix(0x1, 0x1, 0x0) bind$unix(r0, &(0x7f00000002c0)=@file={0xa, 0x1, './file1\x00'}, 0xa) listen(r0, 0x0) r1 = kqueue() kevent(r1, &(0x7f00000000c0)=[{0x3, 0xfffffffffffffffe, 0x45}], 0x1, 0x0, 0x0, 0x0) rfork(0x85000) 378.531666ms ago: executing program 0 (id=1606): mkdir(&(0x7f0000000180)='./file0\x00', 0x0) syz_emit_ethernet(0x0, 0x0) mkdir(&(0x7f0000000000)='./file0/file0\x00', 0x0) chroot(&(0x7f0000000100)='./file0/file0\x00') chroot(&(0x7f0000000280)='./file0\x00') chroot(&(0x7f0000000100)='./file0/file0/..\x00') 332.720116ms ago: executing program 0 (id=1607): r0 = socket(0x1c, 0x1, 0x0) bind$inet6(r0, &(0x7f00000000c0)={0x1c, 0x1c, 0x0, 0x0, @loopback}, 0x1c) connect$inet6(r0, &(0x7f0000000140)={0x1c, 0x1c, 0x0, 0x0, @empty}, 0x1c) setresuid(0x0, 0xee01, 0xee00) r1 = socket(0x1c, 0x1, 0x0) bind$inet6(r1, &(0x7f00000000c0)={0x1c, 0x1c, 0x0, 0x0, @loopback}, 0x1c) 332.502517ms ago: executing program 0 (id=1608): r0 = socket$inet6_sctp(0x1c, 0x1, 0x84) listen(r0, 0x0) freebsd10_pipe(&(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}) close(r1) accept4(r0, 0x0, 0x0, 0x0) aio_cancel(r2, 0x0) 182.758644ms ago: executing program 4 (id=1612): mprotect(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x40000) mprotect(&(0x7f0000c7b000/0x1000)=nil, 0x1000, 0x4) mlock(&(0x7f0000a00000/0x600000)=nil, 0x600000) msync(&(0x7f0000860000/0x600000)=nil, 0x600000, 0x2) madvise(&(0x7f00009d6000/0x600000)=nil, 0x600000, 0x3) madvise(&(0x7f00009d6000/0x600000)=nil, 0x600000, 0x5) 81.071782ms ago: executing program 4 (id=1613): mkdir(&(0x7f0000001040)='./file0\x00', 0x1) r0 = open$dir(&(0x7f0000000080)='.\x00', 0x10000, 0x0) r1 = open$dir(&(0x7f0000000080)='.\x00', 0x0, 0x0) mkdirat(r1, &(0x7f00000001c0)='./file1\x00', 0x0) renameat(r1, &(0x7f0000000200)='./file1\x00', r1, &(0x7f0000000140)='./file0/file0\x00') renameat(r0, &(0x7f0000000340)='./file0\x00', r1, &(0x7f00000000c0)='./file0/file0\x00') 80.793257ms ago: executing program 4 (id=1614): munmap(&(0x7f0000001000/0x3000)=nil, 0x3000) r0 = shmget$private(0x0, 0x2000, 0x508, &(0x7f0000007000/0x2000)=nil) r1 = shmat(r0, &(0x7f0000001000/0x3000)=nil, 0x1000) shmctl$IPC_RMID(r0, 0x0) munmap(&(0x7f0000001000/0x4000)=nil, 0x4000) shmdt(r1) 80.658938ms ago: executing program 4 (id=1615): setpgid(0x0, 0x0) r0 = getppid() r1 = vfork() lio_listio(0x0, 0x0, 0x0, &(0x7f00000047c0)={0x1, 0x8, @sigval_ptr=0x1, @spare=[0x1, 0x2, 0x800, 0x77e, 0xfffffffffffffffe, 0x2, 0x0, 0x4]}) setpgid(0x0, r0) setpgid(r1, r1) 21.145415ms ago: executing program 4 (id=1616): socket$inet(0x2, 0x3, 0x0) getpeername$inet(0xffffffffffffffff, 0x0, 0x0) openat$bpf(0xffffff9c, &(0x7f0000000000), 0x0, 0x0) setresuid(0x0, 0xee00, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x1) unlink(&(0x7f0000000000)='./file0\x00') 20.939489ms ago: executing program 4 (id=1617): mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(&(0x7f00000000c0)='cd9660\x00', &(0x7f0000000000)='./file0\x00', 0x0, &(0x7f00000001c0)) symlink(&(0x7f00000001c0)='./file0\x00', &(0x7f0000000240)='./file0/file0\x00') open$dir(&(0x7f0000000040)='./file1\x00', 0x4000040000100ac2, 0x100) r0 = open$dir(&(0x7f0000000080)='.\x00', 0x0, 0x0) renameat(r0, &(0x7f0000000200)='./file1\x00', r0, &(0x7f0000000140)='./file0/file0\x00') 0s ago: executing program 2 (id=1618): socket$inet_icmp_raw(0x2, 0x3, 0x1) socket(0x1c, 0x1, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x5) mprotect(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x1) mlock(&(0x7f0000000000/0x800000)=nil, 0x800000) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x2) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.10.8' (ED25519) to the list of known hosts. FreeBSD/amd64 (ci-freebsd-main-7.us-central1-b.c.syzkaller.internal) (ttyu0) login: ktrace write failed, errno 27, tracing stopped for pid 763 ktrace write failed, errno 27, tracing stopped for pid 767 ktrace write failed, errno 27, tracing stopped for pid 766 ktrace write failed, errno 27, tracing stopped for pid 764 ktrace write failed, errno 27, tracing stopped for pid 765 ktrace write failed, errno 27, tracing stopped for pid 818 if_delmulti_locked: detaching ifnet instance 0xfffffe0058d8f800 if_delmulti_locked: detaching ifnet instance 0xfffffe0007fff800 ktrace write failed, errno 27, tracing stopped for pid 1 if_delmulti_locked: detaching ifnet instance 0xfffffe0007fff800 Out of ktrace request objects. if_delmulti_locked: detaching ifnet instance 0xfffffe000825c000 Expensive callout(9) function: 0xffffffff81965e50(0) 0.007414762 s if_delmulti_locked: detaching ifnet instance 0xfffffe000825c000 lock order reversal: 1st 0xfffffe0077ecb070 ufs (ufs, lockmgr) @ /syzkaller/managers/main/kernel/sys/kern/vfs_subr.c:3373 2nd 0xffffffff83001c40 proctree (proctree, sx) @ /syzkaller/managers/main/kernel/sys/kern/subr_prf.c:189 lock order proctree -> ufs established at: #0 0xffffffff81652e61 at witness_checkorder+0x781 #1 0xffffffff814b94f6 at lockmgr_lock_flags+0x1d6 #2 0xffffffff81d8115b at ffs_lock+0x18b #3 0xffffffff822de26b at VOP_LOCK1_APV+0x6b #4 0xffffffff817b620e at _vn_lock+0x14e #5 0xffffffff817b6ab8 at vn_close1+0x1e8 #6 0xffffffff814aaf6a at ktrops+0x41a #7 0xffffffff814aa6ed at sys_ktrace+0xa7d #8 0xffffffff8212196f at amd64_syscall+0x4af #9 0xffffffff820c636b at fast_syscall_common+0xf8 lock order ufs -> proctree attempted at: #0 0xffffffff81653d32 at witness_checkorder+0x1652 #1 0xffffffff81544b8f at _sx_slock_int+0x13f #2 0xffffffff8161067d at uprintf+0x14d #3 0xffffffff81dad45f at ufs_rmdir+0xdf #4 0xffffffff822dd0b1 at VOP_RMDIR_APV+0xe1 #5 0xffffffff817ab287 at kern_frmdirat+0x8a7 #6 0xffffffff8212196f at amd64_syscall+0x4af #7 0xffffffff820c636b at fast_syscall_common+0xf8 tap4: Ethernet address: 58:9c:fc:10:ff:8e tap4: link state changed to UP FreeBSD/amd64 (ci-freebsd-main-7.us-central1-b.c.syzkaller.internal) (ttyu0) login: if_delmulti_locked: detaching ifnet instance 0xfffffe0058d8f800 ktrace write failed, errno 27, tracing stopped for pid 763 ktrace write failed, errno 27, tracing stopped for pid 766 ktrace write failed, errno 27, tracing stopped for pid 765 ktrace write failed, errno 27, tracing stopped for pid 764 ktrace write failed, errno 27, tracing stopped for pid 1233 pid 1376 (syz-executor), jid 0, uid 0: exited on signal 4 (no core dump - too large) vnode_pager_putpages: zero-length write at 0 resid 4 0xfffffe0059ee6370: type VREG state VSTATE_CONSTRUCTED op 0xffffffff83715620 usecount 3, writecount 2, refcount 3 seqc users 0 hold count flags () flags (VIRF_PGREAD|VMP_LAZYLIST) v_object 0xfffffe005495ee88 ref 1 pages 1 cleanbuf 0 dirtybuf 1 lock type ufs: EXCL by thread 0xfffffe005493d000 (pid 1745, syz-executor, tid 101208) nlink=1, effnlink=1, size=4, extsize 0 generation=7ba630c5, uid=0, gid=0, flags=0x4 ino 140, on dev gpt/rootfs vnode_pager_putpages: zero-length write at 0 resid 4 0xfffffe005a076000: type VREG state VSTATE_CONSTRUCTED op 0xffffffff83715620 usecount 3, writecount 2, refcount 3 seqc users 0 hold count flags () flags (VIRF_PGREAD|VMP_LAZYLIST) v_object 0xfffffe00549754d8 ref 1 pages 1 cleanbuf 0 dirtybuf 1 lock type ufs: EXCL by thread 0xfffffe005495c000 (pid 1826, syz-executor, tid 101300) nlink=1, effnlink=1, size=4, extsize 0 generation=40dcc2e4, uid=0, gid=0, flags=0x4 ino 137, on dev gpt/rootfs if_delmulti_locked: detaching ifnet instance 0xfffffe0058d8f800 pid 1943 (syz-executor), jid 0, uid 0: exited on signal 4 (no core dump - too large) pid 1988 (syz-executor), jid 0, uid 0: exited on signal 4 (no core dump - too large) pid 2224 (syz-executor) is attempting to use unsafe AIO requests - not logging anymore ifaddr cache = 0xfffffe0059ea2600 is deleted if_delmulti_locked: detaching ifnet instance 0xfffffe0058d8f800 Connection to 10.128.10.8 closed by remote host. pid 866 (syz-executor), tap2: tun/tap protocol violation, non-controlling process closed last. ifaddr cache = 0xfffffe006e5cc600 is deleted tap2: link state changed to DOWN if_delmulti_locked: detaching ifnet instance 0xfffffe0007fff000 FreeBSD/amd64if_delmulti_locked: detaching ifnet instance 0xfffffe0007fff000 (ci-freebsd-maiif_delmulti_locked: detaching ifnet instance 0xfffffe0007fff000 n-7.us-central1-pid 1188 (syz-executor), tap3: tun/tap protocol violation, non-controlling process closed last. b.c.syzkaller.internal) (ttyu0) login: ifaddr cache = 0xfffffe0059ea2780 is deleted if_delmulti_locked: detaching ifnet instance 0xfffffe0058d8f000 if_delmulti_locked: detaching ifnet instance 0xfffffe0058d8f000 if_delmulti_locked: detaching ifnet instance 0xfffffe0058d8f000 tap3: link state changed to DOWN if_delmulti_locked: detaching ifnet instance 0xfffffe0007fff000 if_delmulti_locked: detaching ifnet instance 0xfffffe0007fff000 if_delmulti_locked: detaching ifnet instance 0xfffffe0007fff000 tap2: Ethernet address: 58:9c:fc:10:8a:4f tap2: link state changed to UP ifaddr cache = 0xfffffe006e5cc000 is deleted if_delmulti_locked: detaching ifnet instance 0xfffffe0058d8e800 tap1: link state changed to DOWN if_delmulti_locked: detaching ifnet instance 0xfffffe0058d8e800 if_delmulti_locked: detaching ifnet instance 0xfffffe0058d8e800 pid 2489 (syz-executor), jid 0, uid 0: exited on signal 8 (no core dump - too large) tap5: Ethernet address: 58:9c:fc:10:ff:fb tap5: link state changed to UP if_delmulti_locked: detaching ifnet instance 0xfffffe000825c000 if_delmulti_locked: detaching ifnet instance 0xfffffe000825c000 if_delmulti_locked: detaching ifnet instance 0xfffffe000825c000 pid 2517 (syz-executor), jid 0, uid 0: exited on signal 8 (no core dump - too large) if_delmulti_locked: detaching ifnet instance 0xfffffe0058d8f000 if_delmulti_locked: detaching ifnet instance 0xfffffe0058d8f000 if_delmulti_locked: detaching ifnet instance 0xfffffe0058d8f000 if_delmulti_locked: detaching ifnet instance 0xfffffe0058d8e800 if_delmulti_locked: detaching ifnet instance 0xfffffe0058d8e800 if_delmulti_locked: detaching ifnet instance 0xfffffe0058d8e800 pid 2592 (syz-executor), jid 0, uid 0: exited on signal 8 (no core dump - too large) pid 2637 (syz-executor), jid 0, uid 0: exited on signal 8 (no core dump - too large) panic: /syzkaller/managers/main/kernel/sys/kern/kern_timeout.c:607: callout_cc_add: Bad list head 0xfffffe0007fe36a8 first->prev != head cpuid = 0 time = 1747267317 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe00573ac9b0 kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe00573acb10 vpanic() at vpanic+0x257/frame 0xfffffe00573accd0 panic() at panic+0xb5/frame 0xfffffe00573acd90 callout_cc_add() at callout_cc_add+0x339/frame 0xfffffe00573acdf0 callout_reset_sbt_on() at callout_reset_sbt_on+0x74f/frame 0xfffffe00573acf10 tcp_timer_activate() at tcp_timer_activate+0x56c/frame 0xfffffe00573acf90 tcp_do_segment() at tcp_do_segment+0x3f4f/frame 0xfffffe00573ad270 tcp_input_with_port() at tcp_input_with_port+0x2214/frame 0xfffffe00573ad530 tcp_input() at tcp_input+0x1f/frame 0xfffffe00573ad550 ip_input() at ip_input+0xaa2/frame 0xfffffe00573ad670 netisr_dispatch_src() at netisr_dispatch_src+0x219/frame 0xfffffe00573ad750 ether_demux() at ether_demux+0x447/frame 0xfffffe00573ad810 ether_nh_input() at ether_nh_input+0xb61/frame 0xfffffe00573ad8f0 netisr_dispatch_src() at netisr_dispatch_src+0x219/frame 0xfffffe00573ad9d0 ether_input() at ether_input+0x1db/frame 0xfffffe00573adab0 vtnet_rxq_eof() at vtnet_rxq_eof+0x16d2/frame 0xfffffe00573adcd0 vtnet_rx_vq_process() at vtnet_rx_vq_process+0x189/frame 0xfffffe00573add90 ithread_loop() at ithread_loop+0x4ec/frame 0xfffffe00573adef0 fork_exit() at fork_exit+0xcc/frame 0xfffffe00573adf30 fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00573adf30 --- trap 0, rip = 0, rsp = 0, rbp = 0 --- KDB: enter: panic [ thread pid 12 tid 100053 ] Stopped at kdb_enter+0x6e: movq $0,0x25bda37(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xfffffe00033eee30 rdx 0 rbx 0xffffffff827b0020 .str.27 rsp 0xfffffe00573acaf0 rbp 0xfffffe00573acb10 rsi 0 rdi 0xffffffff816145e9 printf+0x149 r8 0 r9 0xffffffff r10 0x97bb5adb70e6c22f r11 0x1ff r12 0xfffffe000802c000 r13 0xfffffffffffffffe r14 0xffffffff827b0020 .str.27 r15 0 rip 0xffffffff815fe75e kdb_enter+0x6e rflags 0x46 kdb_enter+0x6e: movq $0,0x25bda37(%rip) db>