panic: in_pcblookup_hash_locked: invalid local address cpuid = 0 time = 1677400954 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc7/frame 0xfffffe0092c1b310 kdb_backtrace() at kdb_backtrace+0xd1/frame 0xfffffe0092c1b470 vpanic() at vpanic+0x254/frame 0xfffffe0092c1b550 panic() at panic+0xb5/frame 0xfffffe0092c1b610 in_pcblookup_hash_locked() at in_pcblookup_hash_locked+0xf32/frame 0xfffffe0092c1b750 in_pcb_lport_dest() at in_pcb_lport_dest+0x476/frame 0xfffffe0092c1b810 in_pcbconnect_setup() at in_pcbconnect_setup+0x7e5/frame 0xfffffe0092c1b970 in_pcbconnect() at in_pcbconnect+0x174/frame 0xfffffe0092c1ba80 tcp_connect() at tcp_connect+0x11c/frame 0xfffffe0092c1bad0 tcp_usr_connect() at tcp_usr_connect+0x246/frame 0xfffffe0092c1bbb0 soconnectat() at soconnectat+0x1b9/frame 0xfffffe0092c1bc10 kern_connectat() at kern_connectat+0x2cc/frame 0xfffffe0092c1bcf0 sys_connect() at sys_connect+0xfb/frame 0xfffffe0092c1bd30 amd64_syscall() at amd64_syscall+0x410/frame 0xfffffe0092c1bf30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0092c1bf30 --- syscall (198, FreeBSD ELF64, __syscall), rip = 0x28e66a, rsp = 0x821264ac8, rbp = 0x821264b30 --- KDB: enter: panic [ thread pid 898 tid 100111 ] Stopped at kdb_enter+0x6b: movq $0,0x257823a(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xfffffe00033eee30 rdx 0xdffff7c000000000 rbx 0 rsp 0xfffffe0092c1b450 rbp 0xfffffe0092c1b470 rsi 0x1 rdi 0 r8 0x3 r9 0xffffffff r10 0 r11 0x5aee53f6 r12 0 r13 0xfffffe00925c5900 r14 0xffffffff82af6820 .str.26 r15 0xffffffff82af6820 .str.26 rip 0xffffffff8171785b kdb_enter+0x6b rflags 0x46 kdb_enter+0x6b: movq $0,0x257823a(%rip) db> show proc Process 898 (syz-executor.0) at 0xfffffe009278e000: state: NORMAL uid: 0 gids: 0, 0, 5 parent: pid 781 at 0xfffffe0058d59018 ABI: FreeBSD ELF64 flag: 0x10000000 flag2: 0 arguments: /root/syz-executor.0 exec reaper: 0xfffffe00541ea010 reapsubtree: 1 sigparent: 20 vmspace: 0xfffffe0092753400 (map 0xfffffe0092753400) (map.pmap 0xfffffe00927534c0) (pmap 0xfffffe0092753530) threads: 1 100111 Run CPU 0 syz-executor.0 db> ps pid ppid pgrp uid state wmesg wchan cmd 898 781 781 0 R CPU 0 syz-executor.0 897 891 897 0 Ss select 0xfffffe0092376cc0 dhclient 894 1 894 0 Ss select 0xfffffe00923777c0 dhclient 891 884 430 65 S select 0xfffffe0092376bc0 dhclient 884 430 430 0 S wait 0xfffffe009278eab0 sh 781 779 781 0 Ss nanslp 0xffffffff83c5d201 syz-executor.0 779 777 777 0 S (threaded) syz-execprog 100110 S uwait 0xfffffe00574a3a00 syz-execprog 100113 S uwait 0xfffffe00574a3d00 syz-execprog 100114 S uwait 0xfffffe00574a3e00 syz-execprog 100115 S wait 0xfffffe009278e558 syz-execprog 100116 S uwait 0xfffffe00574a4880 syz-execprog 100117 S kqread 0xfffffe0058b16800 syz-execprog 100119 S uwait 0xfffffe005789c800 syz-execprog 100125 S uwait 0xfffffe00574a4980 syz-execprog 777 775 777 0 Ss pause 0xfffffe0058d59620 csh 775 688 775 0 Ss select 0xfffffe00923775c0 sshd 754 1 754 0 Ss+ ttyin 0xfffffe00574794b0 getty 753 1 753 0 Ss+ ttyin 0xfffffe00586ed8b0 getty 752 1 752 0 Ss+ ttyin 0xfffffe00586ee0b0 getty 751 1 751 0 Ss+ ttyin 0xfffffe00586ee8b0 getty 750 1 750 0 Ss+ ttyin 0xfffffe0007b4f0b0 getty 749 1 749 0 Ss+ ttyin 0xfffffe0007b4f8b0 getty 748 1 748 0 Ss+ ttyin 0xfffffe0007b510b0 getty 747 1 747 0 Ss+ ttyin 0xfffffe0007b518b0 getty 746 1 746 0 Ss+ ttyin 0xfffffe0007b530b0 getty 744 1 18 0 S+ piperd 0xfffffe0058baf888 logger 743 742 18 0 S+ nanslp 0xffffffff83c5d200 sleep 742 1 18 0 S+ wait 0xfffffe0058d58010 sh 692 1 692 0 Ss nanslp 0xffffffff83c5d201 cron 688 1 688 0 Ss select 0xfffffe0092377a40 sshd 501 1 501 0 Ss select 0xfffffe0092377e40 syslogd 430 1 430 0 Ss wait 0xfffffe00579b9008 devd 429 1 429 65 Ss select 0xfffffe00923788c0 dhclient 344 1 344 0 Ss select 0xfffffe0092378140 dhclient 341 1 341 0 Ss select 0xfffffe009237b4c0 dhclient 17 0 0 0 DL syncer 0xffffffff83d826a0 [syncer] 16 0 0 0 DL vlruwt 0xfffffe0056f91000 [vnlru] 15 0 0 0 DL (threaded) [bufdaemon] 100079 D psleep 0xffffffff83d80cc0 [bufdaemon] 100082 D - 0xffffffff83012180 [bufspacedaemon-0] 100094 D sdflush 0xfffffe0058c94ce8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83db8400 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100077 D psleep 0xffffffff83dac2b8 [dom0] 100080 D launds 0xffffffff83dac2c4 [laundry: dom0] 100081 D umarcl 0xffffffff81e7b120 [uma] 7 0 0 0 DL - 0xffffffff83a2ae48 [rand_harvestq] 6 0 0 0 DL pftm 0xffffffff843a5270 [pf purge] 5 0 0 0 DL waiting 0xffffffff84942f80 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100044 D - 0xffffffff838cd340 [doneq0] 100045 D - 0xffffffff838cd2c0 [async] 100076 D - 0xffffffff838cd140 [scanner] 14 0 0 0 DL seqstat 0xfffffe0056ee5c88 [sequencer 00] 3 0 0 0 DL (threaded) [crypto] 100040 D crypto_ 0xffffffff83da7b60 [crypto] 100041 D crypto_ 0xfffffe0007b63030 [crypto returns 0] 100042 D crypto_ 0xfffffe0007b63080 [crypto returns 1] 13 0 0 0 DL (threaded) [geom] 100035 D - 0xffffffff83c32640 [g_event] 100036 D - 0xffffffff83c32660 [g_up] 100037 D - 0xffffffff83c32680 [g_down] 2 0 0 0 WL (threaded) [clock] 100030 I [clock (0)] 100031 I [clock (1)] 12 0 0 0 WL (threaded) [intr] 100010 I [swi5: fast taskq] 100013 I [swi6: task queue] 100018 I [swi6: Giant taskq] 100029 I [swi1: netisr 0] 100032 I [swi1: hpts] 100033 I [swi1: hpts] 100046 I [irq24: virtio_pci0] 100047 I [irq25: virtio_pci0] 100048 I [irq26: virtio_pci0] 100049 I [irq27: virtio_pci0] 100050 I [irq28: virtio_pci1] 100051 I [irq29: virtio_pci1] 100052 I [irq30: virtio_pci1] 100053 I [irq31: virtio_pci1] 100054 I [irq32: virtio_pci1] 100059 I [irq33: virtio_pci2] 100060 I [irq34: virtio_pci2] 100061 I [irq35: virtio_pci2] 100063 I [irq1: atkbd0] 100064 I [irq12: psm0] 100065 I [swi0: uart uart++] 100069 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 Run CPU 1 [idle: cpu1] 1 0 1 0 SLs wait 0xfffffe00541ea010 [init] 10 0 0 0 DL audit_w 0xffffffff83da85a0 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D swapin 0xffffffff83c33060 [swapper] 100005 D - 0xfffffe005409e000 [if_config_tqg_0] 100006 D - 0xfffffe005409de00 [softirq_0] 100007 D - 0xfffffe005409dd00 [softirq_1] 100008 D - 0xfffffe005409dc00 [if_io_tqg_0] 100009 D - 0xfffffe005409db00 [if_io_tqg_1] 100011 D - 0xfffffe00085f2500 [kqueue_ctx taskq] 100012 D - 0xfffffe00085f2400 [pci_hp taskq] 100014 D - 0xfffffe00085f2100 [inm_free taskq] 100015 D - 0xfffffe00085f2000 [aiod_kick taskq] 100016 D - 0xfffffe00085f1e00 [in6m_free taskq] 100017 D - 0xfffffe00085f1d00 [deferred_unmount ta] 100019 D - 0xfffffe00085f1a00 [thread taskq] 100020 D - 0xfffffe00085f1900 [linuxkpi_irq_wq] 100021 D - 0xfffffe00085f1800 [linuxkpi_short_wq_0] 100022 D - 0xfffffe00085f1800 [linuxkpi_short_wq_1] 100023 D - 0xfffffe00085f1800 [linuxkpi_short_wq_2] 100024 D - 0xfffffe00085f1800 [linuxkpi_short_wq_3] 100025 D - 0xfffffe00085f1700 [linuxkpi_long_wq_0] 100026 D - 0xfffffe00085f1700 [linuxkpi_long_wq_1] 100027 D - 0xfffffe00085f1700 [linuxkpi_long_wq_2] 100028 D - 0xfffffe00085f1700 [linuxkpi_long_wq_3] 100034 D - 0xfffffe00085f1200 [firmware taskq] 100038 D - 0xfffffe00085f0700 [crypto_0] 100039 D - 0xfffffe00085f0700 [crypto_1] 100055 D - 0xfffffe0056fdbe00 [vtnet0 rxq 0] 100056 D - 0xfffffe0056fdbd00 [vtnet0 txq 0] 100057 D - 0xfffffe0056fdbc00 [vtnet0 rxq 1] 100058 D - 0xfffffe0056fdbb00 [vtnet0 txq 1] 100062 D vtbslp 0xfffffe0056f45000 [virtio_balloon] 100066 D - 0xffffffff82afb760 [deadlkres] 100070 D - 0xfffffe00085f4100 [mca taskq] 100071 D - 0xfffffe00085f0200 [acpi_task_0] 100072 D - 0xfffffe00085f0200 [acpi_task_1] 100073 D - 0xfffffe00085f0200 [acpi_task_2] 100075 D - 0xfffffe00085f0000 [CAM taskq] db> show all locks Process 898 (syz-executor.0) thread 0xfffffe00925c5900 (100111) exclusive sleep mutex tcphash (tcphash) r = 0 (0xfffffe00540499f0) locked @ /syzkaller/managers/main/kernel/sys/netinet/tcp_usrreq.c:1435 exclusive rw tcpinp (tcpinp) r = 0 (0xfffffe0092b81550) locked @ /syzkaller/managers/main/kernel/sys/netinet/tcp_usrreq.c:493 db> show malloc Type InUse MemUse Requests pf_hash 5 11524K 5 tcp_hpts 7 4801K 7 devbuf 4216 4323K 4241 sysctloid 34757 2048K 34828 vtbuf 24 1968K 46 kobj 330 1320K 493 newblk 649 1186K 704 vfscache 3 1025K 3 pcb 20 537K 45 inodedep 51 531K 84 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 472K 4 subproc 113 210K 966 acpica 1674 184K 58126 tidhash 3 141K 3 vmem 3 138K 4 pagedep 17 132K 27 tfo_ccache 1 128K 1 IP reass 1 128K 1 linker 324 127K 353 vnet_data 1 112K 1 DEVFS1 106 106K 117 sem 4 106K 4 bus 1000 82K 5215 mtx_pool 2 72K 2 NFSD srvcache 3 68K 3 syncache 1 68K 1 module 513 65K 513 acpitask 1 64K 1 ddb_capture 1 64K 1 temp 24 53K 1829 filedesc 5 37K 27 BPF 19 36K 19 kdtrace 174 35K 1027 umtx 264 33K 264 hostcache 1 32K 1 shm 1 32K 1 DEVFS3 125 32K 135 msg 4 30K 4 kbdmux 6 28K 6 gtaskqueue 18 26K 18 DEVFS_RULE 56 20K 56 ufs_mount 4 17K 5 proc 3 17K 3 tty 16 16K 16 ithread 97 16K 97 bus-sc 34 15K 1682 ifaddr 40 14K 42 eventhandler 154 13K 154 KTRACE 100 13K 100 kenv 95 12K 95 routetbl 62 11K 227 rman 88 11K 431 GEOM 61 11K 481 CAM queue 5 11K 1528 bmsafemap 2 9K 51 rpc 4 9K 4 UART 12 9K 12 devstat 4 9K 4 ksem 1 8K 1 shmfd 1 8K 1 pfs_vncache 1 8K 1 cred 30 8K 243 pfs_nodes 20 8K 20 audit_evclass 237 8K 296 taskqueue 63 7K 63 ifnet 4 7K 4 sglist 5 7K 5 CAM DEV 3 6K 510 lltable 19 6K 19 ether_multi 68 6K 78 kqueue 48 6K 905 plimit 19 5K 344 ufs_dirhash 24 5K 24 dirrem 18 5K 33 in6_multi 35 5K 35 UMA 267 5K 267 vt 11 5K 11 memdesc 1 4K 1 MCA 32 4K 32 diradd 32 4K 49 evdev 4 4K 4 pf_ifnet 7 4K 10 acpisem 28 4K 28 hhook 15 4K 17 session 23 3K 37 pwddesc 46 3K 899 proc-args 73 3K 1977 terminal 11 3K 11 clone 9 3K 9 uidinfo 3 3K 8 local_apic 1 2K 1 io_apic 1 2K 1 fpukern_ctx 2 2K 2 ipsec-saq 2 2K 2 lockf 19 2K 29 selfd 31 2K 10892 Unitno 27 2K 43 CAM XPT 22 2K 543 msi 12 2K 12 ipsecpolicy 2 2K 2 acpidev 20 2K 20 select 10 2K 40 mkdir 9 2K 32 NFSD session 1 1K 1 softdep 1 1K 1 indirdep 4 1K 4 sahead 1 1K 1 secasvar 1 1K 1 vnodemarker 2 1K 10 ip6ndp 6 1K 8 sctp_ifa 7 1K 8 newdirblk 7 1K 16 CAM periph 4 1K 271 ipsec 3 1K 3 in_multi 3 1K 5 nhops 6 1K 6 toponodes 6 1K 6 isadev 6 1K 6 mount 16 1K 89 pci_link 10 1K 10 crypto 4 1K 4 encap_export_host 12 1K 12 CC Mem 4 1K 13 pfil 4 1K 4 cdev 2 1K 2 DEVFSP 7 1K 12 osd 8 1K 25 sctp_ifn 3 1K 8 inpcbpolicy 12 1K 183 mld 3 1K 3 igmp 3 1K 3 chacha20random 1 1K 1 tun 4 1K 4 freework 2 1K 31 NFSD lckfile 1 1K 1 NFSD V4client 1 1K 1 DEVFS 9 1K 10 freeblks 1 1K 30 vnodes 1 1K 1 CAM SIM 2 1K 2 procdesc 2 1K 12 feeder 7 1K 7 tcpfunc 3 1K 3 loginclass 3 1K 7 prison 6 1K 6 lkpikmalloc 5 1K 6 aesni_data 2 1K 2 cryptodev 2 1K 49 nexusdev 8 1K 8 apmdev 1 1K 1 atkbddev 2 1K 2 freefile 1 1K 14 CAM dev queue 2 1K 2 netlink 1 1K 1 CAM I/O Scheduler 1 1K 1 CAM path 4 1K 1034 soname 5 1K 3455 pmchooks 1 1K 1 filecaps 5 1K 90 sctp_vrf 1 1K 1 vnet 1 1K 1 entropy 2 1K 40 pmc 1 1K 1 acpiintr 1 1K 1 cpus 2 1K 2 vnet_data_free 1 1K 1 Per-cpu 1 1K 1 p1003.1b 1 1K 1 sctp_mcore 0 0K 0 sctp_socko 0 0K 0 sctp_iter 0 0K 6 sctp_mvrf 0 0K 0 sctp_timw 0 0K 0 sctp_cpal 0 0K 0 sctp_cmsg 0 0K 0 sctp_stre 0 0K 0 sctp_athi 0 0K 0 sctp_athm 0 0K 0 sctp_atky 0 0K 0 sctp_atcl 0 0K 0 sctp_a_it 0 0K 6 sctp_aadr 0 0K 0 sctp_stro 0 0K 0 sctp_stri 0 0K 0 sctp_map 0 0K 0 tcp_do 0 0K 0 tcp_fsb 0 0K 0 ipcomp 0 0K 0 esp 0 0K 0 ah 0 0K 0 filemon 0 0K 0 pf_table 0 0K 0 pf_rule 0 0K 0 pf_altq 0 0K 0 pf_osfp 0 0K 0 pf_temp 0 0K 0 mqdata 0 0K 0 newnfsclient_req 0 0K 0 madt_table 0 0K 2 smartpqi 0 0K 0 NFSCL layrecall 0 0K 0 NFSCL session 0 0K 0 NFSCL sockreq 0 0K 0 ixl 0 0K 0 NFSCL devinfo 0 0K 0 NFSCL flayout 0 0K 0 NFSCL layout 0 0K 0 NFSD rollback 0 0K 0 NFSCL diroff 0 0K 0 NEWdirectio 0 0K 0 NEWNFSnode 0 0K 0 ice-resmgr 0 0K 0 ice-osdep 0 0K 0 ice 0 0K 0 iavf 0 0K 0 axgbe 0 0K 0 NFSCL lck 0 0K