Fatal trap 12: page fault while in kernel mode cpuid = 0; apic id = 00 fault virtual address = 0x0 fault code = supervisor read data, page not present instruction pointer = 0x20:0xffffffff81a75d40 stack pointer = 0x28:0xfffffe0056c6e2c0 frame pointer = 0x28:0xfffffe0056c6e330 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 1111 (ifconfig) rdi: 0000000000000000 rsi: 0000000000000000 rdx: 0000000000000000 rcx: fffffe0002bf1850 r8: 0000000000000000 r9: 0000000000000001 rax: fffffe0000000000 rbx: 0000000000000000 rbp: fffffe0056c6e330 r10: 1b66264d3bf21fac r11: 0000000000000003 r12: fffffe0077839400 r13: fffffe006ddde000 r14: fffffe0077839424 r15: 0000000000000000 trap number = 12 panic: page fault cpuid = 0 time = 1754765920 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe0056c6daf0 kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe0056c6dc50 vpanic() at vpanic+0x257/frame 0xfffffe0056c6de10 panic() at panic+0xb5/frame 0xfffffe0056c6ded0 trap_pfault() at trap_pfault+0xaf2/frame 0xfffffe0056c6e010 trap() at trap+0x78e/frame 0xfffffe0056c6e1f0 calltrap() at calltrap+0x8/frame 0xfffffe0056c6e1f0 --- trap 0xc, rip = 0xffffffff81a75d40, rsp = 0xfffffe0056c6e2c0, rbp = 0xfffffe0056c6e330 --- in6m_disconnect_locked() at in6m_disconnect_locked+0x140/frame 0xfffffe0056c6e330 in6_leavegroup_locked() at in6_leavegroup_locked+0x1ef/frame 0xfffffe0056c6e450 in6_pcbpurgeif0() at in6_pcbpurgeif0+0x2f6/frame 0xfffffe0056c6e550 _in6_ifdetach() at _in6_ifdetach+0x18e/frame 0xfffffe0056c6e630 if_detach_internal() at if_detach_internal+0x3aa/frame 0xfffffe0056c6e720 if_detach() at if_detach+0xb6/frame 0xfffffe0056c6e760 tun_destroy() at tun_destroy+0x1b4/frame 0xfffffe0056c6e7b0 tun_clone_destroy() at tun_clone_destroy+0x112/frame 0xfffffe0056c6e7e0 if_clone_destroyif_flags() at if_clone_destroyif_flags+0xc8/frame 0xfffffe0056c6e830 if_clone_destroy() at if_clone_destroy+0x1f6/frame 0xfffffe0056c6e870 ifioctl() at ifioctl+0x112a/frame 0xfffffe0056c6eab0 kern_ioctl() at kern_ioctl+0x4ca/frame 0xfffffe0056c6eb90 sys_ioctl() at sys_ioctl+0x36e/frame 0xfffffe0056c6ed10 amd64_syscall() at amd64_syscall+0x4e2/frame 0xfffffe0056c6ef30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0056c6ef30 --- syscall (54, FreeBSD ELF64, ioctl), rip = 0x8239672ca, rsp = 0x820914fc8, rbp = 0x820914fe0 --- KDB: enter: panic [ thread pid 1111 tid 100089 ] Stopped at kdb_enter+0x6e: movq $0,0x25c3f57(%rip) db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xfffffe0002bf1850 rdx 0 rbx 0xffffffff827cd960 .str.27 rsp 0xfffffe0056c6dc30 rbp 0xfffffe0056c6dc50 rsi 0 rdi 0xffffffff81615109 printf+0x149 r8 0 r9 0xffffffff r10 0 r11 0x17 r12 0xfffffe005400e000 r13 0xfffffffffffffffe r14 0xffffffff827cd960 .str.27 r15 0 rip 0xffffffff815fec3e kdb_enter+0x6e rflags 0x46 kdb_enter+0x6e: movq $0,0x25c3f57(%rip) db> show proc Process 1111 (ifconfig) at 0xfffffe0054003ab8: state: NORMAL uid: 0 gids: 0, 5 parent: pid 1108 at 0xfffffe00540cb568 ABI: FreeBSD ELF64 flag: 0x10004000 flag2: 0 arguments: ifconfig tap2 destroy reaper: 0xfffffe0007809010 reapsubtree: 1 sigparent: 20 vmspace: 0xfffffe00540d1b68 (map 0xfffffe00540d1b68) (map.pmap 0xfffffe00540d1c08) (pmap 0xfffffe00540d1c78) threads: 1 100089 Run CPU 0 ifconfig db> ps pid ppid pgrp uid state wmesg wchan cmd 1114 766 766 0 R (threaded) syz-executor 100094 RunQ syz-executor 100611 RunQ syz-executor 1112 763 763 0 R (threaded) syz-executor 100262 RunQ syz-executor 100608 S select 0xfffffe0059665c40 syz-executor 100610 S uwait 0xfffffe00584bb680 syz-executor 1111 1108 1108 0 R CPU 0 ifconfig 1110 1109 764 0 S uwait 0xfffffe0058236900 syz-executor 1109 1105 764 0 SV wait 0xfffffe0054124008 syz-executor 1108 762 1108 0 S wait 0xfffffe00540cb568 syz-executor 1105 764 764 0 T (threaded) syz-executor 100091 s syz-executor 100604 D ppwait 0xfffffe0054124508 syz-executor 100607 s syz-executor 1093 1 766 0 S uwait 0xfffffe00584bb080 syz-executor 1077 1 763 0 S uwait 0xfffffe0058238980 syz-executor 1063 0 0 0 DL (threaded) [so_splice] 100270 D - 0xfffffe005855e900 [thr_0] 100560 D - 0xfffffe005855e940 [thr_1] 1053 1 764 0 S uwait 0xfffffe0058236a00 syz-executor 1041 1 1041 0 Ss+ ttyin 0xfffffe00593c1cb0 getty 1040 1 1040 0 Ss+ ttyin 0xfffffe00593c18b0 getty 1039 1 1039 0 Ss+ ttyin 0xfffffe00593c14b0 getty 1038 1 1038 0 Ss+ ttyin 0xfffffe00593c10b0 getty 1037 1 1037 0 Ss+ ttyin 0xfffffe00593c0cb0 getty 1036 1 1036 0 Ss+ ttyin 0xfffffe00593c08b0 getty 1035 1 1035 0 Ss+ ttyin 0xfffffe00593c04b0 getty 1034 1 1034 0 Ss+ ttyin 0xfffffe00077f58b0 getty 1033 1 1033 0 Ss+ ttyin 0xfffffe00077f68b0 getty 1026 1 764 0 S uwait 0xfffffe0058237b80 syz-executor 1025 1 1022 0 S uwait 0xfffffe0058238f00 syz-executor 1024 1 766 0 S uwait 0xfffffe000778ab80 syz-executor 1023 1 766 0 S uwait 0xfffffe0058235680 syz-executor 1016 1 764 0 S uwait 0xfffffe000778a500 syz-executor 987 1 766 0 S uwait 0xfffffe00584bc200 syz-executor 858 0 0 0 DL mdwait 0xfffffe006ddea000 [md6] 847 0 0 0 DL (threaded) [KTLS] 100121 D - 0xfffffe006e462100 [thr_0] 100186 D - 0xfffffe006e462180 [thr_1] 100187 D - 0xffffffff83cb5628 [reclaim_0] 821 806 821 0 Ss select 0xfffffe00585eb540 dhclient 806 782 423 65 S select 0xfffffe00585eb240 dhclient 805 0 0 0 DL aiordy 0xfffffe00540e7560 [aiod4] 804 0 0 0 DL aiordy 0xfffffe00540e7ab8 [aiod3] 803 0 0 0 DL aiordy 0xfffffe00540cb010 [aiod2] 802 0 0 0 DL aiordy 0xfffffe00540e8010 [aiod1] 782 1 423 0 S wait 0xfffffe00540e9018 sh 766 762 766 0 R syz-executor 764 762 764 0 R syz-executor 763 762 763 0 R syz-executor 762 760 760 0 RE CPU 1 syz-executor 760 1 760 0 Ss sigsusp 0xfffffe00540e60b0 csh 736 1 17 0 S+ nanslp 0xffffffff83ba3c00 sleep 16 0 0 0 DL syncer 0xffffffff83cc1820 [syncer] 15 0 0 0 DL vlruwt 0xfffffe0054002558 [vnlru] 14 0 0 0 DL (threaded) [bufdaemon] 100079 D psleep 0xffffffff83cbfd60 [bufdaemon] 100082 D - 0xffffffff83001ec0 [bufspacedaemon-0] 100093 D sdflush 0xfffffe00596b88e8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83d0ac80 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100077 D psleep 0xffffffff83cf0d48 [dom0] 100080 D launds 0xffffffff83cf0d54 [laundry: dom0] 100081 D umarcl 0xffffffff81de2bd0 [uma] 7 0 0 0 DL - 0xffffffff8391c5d8 [rand_harvestq] 6 0 0 0 TL pftm 0xffffffff843efbd0 [pf purge] 5 0 0 0 DL waiting 0xffffffff848f9700 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100045 D - 0xffffffff838e6340 [doneq0] 100046 D - 0xffffffff838e62c0 [async] 100075 D - 0xffffffff838e6140 [scanner] 3 0 0 0 DL (threaded) [crypto] 100042 D crypto_ 0xffffffff83cec640 [crypto] 100043 D crypto_ 0xfffffe0057d38030 [crypto returns 0] 100044 D crypto_ 0xfffffe0057d38080 [crypto returns 1] 13 0 0 0 DL (threaded) [geom] 100037 D - 0xffffffff83b4c600 [g_event] 100038 D - 0xffffffff83b4c620 [g_up] 100039 D - 0xffffffff83b4c640 [g_down] 2 0 0 0 LL (threaded) [clock] 100031 L *in6_mul 0xfffffe0007805a80 [clock (0)] 100032 I [clock (1)] 12 0 0 0 WL (threaded) [intr] 100013 I [swi6: task queue] 100014 I [swi6: Giant taskq] 100016 I [swi5: fast taskq] 100033 I [swi1: netisr 0] 100034 I [swi1: hpts] 100035 I [swi1: hpts] 100047 I [irq24: virtio_pci0] 100048 I [irq25: virtio_pci0] 100049 I [irq26: virtio_pci0] 100050 I [irq27: virtio_pci0] 100051 I [irq28: virtio_pci1] 100052 I [irq29: virtio_pci1] 100053 I [irq30: virtio_pci1] 100054 I [irq31: virtio_pci1] 100055 I [irq32: virtio_pci1] 100060 I [irq10: virtio_pci2] 100062 I [irq1: atkbd0] 100063 I [irq12: psm0] 100064 I [swi0: uart uart++] 100068 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffffe0007809010 [init] 10 0 0 0 DL audit_w 0xffffffff83ced0e0 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D parked 0xffffffff84c40ff0 [swapper] 100005 D - 0xfffffe0007770a00 [softirq_0] 100006 D - 0xfffffe0007770200 [softirq_1] 100007 D - 0xfffffe0007770100 [if_io_tqg_0] 100008 D - 0xfffffe0007770000 [if_io_tqg_1] 100009 D - 0xfffffe000776fe00 [if_config_tqg_0] 100010 D - 0xfffffe00077d2700 [kqueue_ctx taskq] 100011 D - 0xfffffe00077d2600 [jail_remove taskq] 100012 D - 0xfffffe00077d2500 [bus taskq] 100015 D - 0xfffffe00077d2000 [thread taskq] 100017 D - 0xfffffe00077d1c00 [aiod_kick taskq] 100018 D - 0xfffffe00077d1b00 [deferred_unmount ta] 100019 D - 0xfffffe00077d1a00 [inm_free taskq] 100020 D - 0xfffffe00077d1900 [in6m_free taskq] 100021 D - 0xfffffe00077d1800 [linuxkpi_irq_wq] 100022 D - 0xfffffe00077d1700 [linuxkpi_short_wq_0] 100023 D - 0xfffffe00077d1700 [linuxkpi_short_wq_1] 100024 D - 0xfffffe00077d1700 [linuxkpi_short_wq_2] 100025 D - 0xfffffe00077d1700 [linuxkpi_short_wq_3] 100026 D - 0xfffffe00077d1600 [linuxkpi_long_wq_0] 100027 D - 0xfffffe00077d1600 [linuxkpi_long_wq_1] 100028 D - 0xfffffe00077d1600 [linuxkpi_long_wq_2] 100029 D - 0xfffffe00077d1600 [linuxkpi_long_wq_3] 100036 D - 0xfffffe00077d1100 [firmware taskq] 100040 D - 0xfffffe00077d1000 [crypto_0] 100041 D - 0xfffffe00077d1000 [crypto_1] 100056 D - 0xfffffe00083ff900 [vtnet0 rxq 0] 100057 D - 0xfffffe00083ff800 [vtnet0 txq 0] 100058 D - 0xfffffe00083ff700 [vtnet0 rxq 1] 100059 D - 0xfffffe00083ff600 [vtnet0 txq 1] 100061 D vtbslp 0xfffffe0057dc1200 [virtio_balloon] 100065 D - 0xffffffff827d2041 [deadlkres] 100069 D - 0xfffffe00593b9200 [acpi_task_0] 100070 D - 0xfffffe00593b9200 [acpi_task_1] 100071 D - 0xfffffe00593b9200 [acpi_task_2] 100073 D - 0xfffffe00077d4100 [mca taskq] 100074 D - 0xfffffe00083ffe00 [CAM taskq] 100076 D - 0xfffffe005962f500 [ipsec_offload] db> show all locks Process 1114 (syz-executor) thread 0xfffffe0054115780 (100611) exclusive lockmgr ufs (ufs) r = 0 (0xfffffe0077b273e0) locked @ /syzkaller/managers/main/kernel/sys/ufs/ufs/ufs_vnops.c:1312 exclusive lockmgr rename (rename) r = 0 (0xfffffe0054014090) locked @ /syzkaller/managers/main/kernel/sys/kern/vfs_syscalls.c:3843 Process 1111 (ifconfig) thread 0xfffffe005400e000 (100089) exclusive sleep mutex if_addr_lock (if_addr_lock) r = 0 (0xfffffe006ddde1a0) locked @ /syzkaller/managers/main/kernel/sys/netinet6/in6_mcast.c:1401 exclusive sleep mutex in6_multi_list_mtx (in6_multi_list_mtx) r = 0 (0xffffffff83ce7ba0) locked @ /syzkaller/managers/main/kernel/sys/netinet6/in6_mcast.c:1387 shared rw udpinp (udpinp) r = 0 (0xfffffe0059af9020) locked @ /syzkaller/managers/main/kernel/sys/netinet/in_pcb.c:1487 exclusive sx in6_multi_sx (in6_multi_sx) r = 0 (0xffffffff83ce7be0) locked @ /syzkaller/managers/main/kernel/sys/netinet6/in6_ifattach.c:682 exclusive sx ifnet_detach_sx (ifnet_detach_sx) r = 1 (0xffffffff83cc2000) locked @ /syzkaller/managers/main/kernel/sys/net/if.c:1082 Process 2 (clock) thread 0xfffffe000781a780 (100031) shared rw vnet_rwlock (vnet_rwlock) r = 0 (0xffffffff83cc5de0) locked @ /syzkaller/managers/main/kernel/sys/netinet6/mld6.c:1307 db>