panic: kernel diagnostic assertion "(TAILQ_NEXT(inp, inp_queue) == NULL) || (TAILQ_NEXT(inp, inp_queue) == _Q_INVALID)" failed: file "/syzkaller/managers/main/kernel/sys/netinet/in_pcb.c", line 673 Starting stack trace... panic(ffffffff8342de09) at panic+0x1ba sys/kern/subr_prf.c:229 __assert(ffffffff833de45c,ffffffff833c8dfd,2a1,ffffffff833a183a) at __assert+0x29 sys/kern/subr_prf.c:-1 in_pcbunref(fffffd806f8e7920) at in_pcbunref+0x206 sys/netinet/in_pcb.c:672 tcp_input_solocked(ffff80002a74b350,ffff80002a74b35c,0,2,ffff80002a74b348) at tcp_input_solocked+0xfd sys/netinet/tcp_input.c:2229 tcp_input_mlist(ffffffff839cae60 ,2) at tcp_input_mlist+0x93 sys/netinet/tcp_input.c:-1 if_input_process(ffff800000b11800,ffff80002a74b428,0) at if_input_process+0x229 sys/net/if.c:1015 ifiq_process(ffff800000b11c18) at ifiq_process+0xcd sys/net/ifq.c:874 taskq_thread(ffff80000002c000) at taskq_thread+0xd4 sys/kern/kern_task.c:446 end trace frame: 0x0, count: 249 End of stack trace. syncing disks...52 45 done WARNING: SPL NOT LOWERED ON SYSCALL 46 2 EXIT 0 3 Stopped at savectx+0xae: movl $0,%gs:0x688 TID PID UID PRFLAGS PFLAGS CPU COMMAND *211904 56570 0 0x100003 0 0 getty savectx() at savectx+0xae end of kernel end trace frame: 0x7e012fdb7d90, count: 14 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "(TAILQ_NEXT(inp, inp_queue) == NULL) || (TAILQ_NEXT(inp, inp_queue) == _Q_INVALID)" failed: file "/syzkaller/managers/main/kernel/sys/netinet/in_pcb.c", line 673 ddb> trace savectx() at savectx+0xae end of kernel end trace frame: 0x7e012fdb7d90, count: -1 ddb> show registers rdi 0 rsi 0 rbp 0xffff80002a82b9b0 rbx 0 rdx 0 rcx 0 rax 0x32 r8 0xffff80002a82b8e0 r9 0xffff80002a82b508 r10 0x188ed89716d570e7 r11 0xe1743c951c27b56a r12 0 r13 0 r14 0xffff80002a7e3c48 r15 0 rip 0xffffffff818273ee savectx+0xae cs 0x8 rflags 0x46 rsp 0xffff80002a82b930 ss 0x10 savectx+0xae: movl $0,%gs:0x688 ddb> show proc PROC (getty) tid=211904 pid=56570 tcnt=1 stat=onproc flags process=100003 proc=0 runpri=50, usrpri=50, slppri=25, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80002a815730,0xffff80002a7e3738 process=0xffff8000ffff96b8 user=0xffff80002a826000, vmspace=0xfffffd806fa009e0 estcpu=0, cpticks=0, pctcpu=0.0, user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 79202 201127 59893 60928 2 0x10 syz-executor 79202 294728 59893 60928 3 0x4000090 fsleep syz-executor 27923 26233 94931 0 2 0 syz-executor 27923 214682 94931 0 3 0x4000080 kqpoll syz-executor 27923 426228 94931 0 3 0x4000080 fsleep syz-executor 27923 223912 94931 0 2 0x4000000 syz-executor 63200 196905 29876 0 2 0 syz-executor 63200 362192 29876 0 3 0x4000080 fsleep syz-executor 63200 58821 29876 0 3 0x4000080 fsleep syz-executor 63200 58746 29876 0 3 0x4000080 fsleep syz-executor 98823 318731 79836 0 2 0 syz-executor 98823 177852 79836 0 3 0x4000080 fsleep syz-executor 98823 36379 79836 0 3 0x4000080 fsleep syz-executor 98823 397523 79836 0 2 0x4000000 syz-executor 21611 441669 96855 0 2 0 syz-executor 21611 446175 96855 0 3 0x4000080 fsleep syz-executor 21611 259456 96855 0 3 0x4000080 fsleep syz-executor 21611 489569 96855 0 2 0x4000000 syz-executor 97843 173508 46664 0 2 0x100002 sh 36335 193124 73045 0 2 0 syz-executor 36335 125205 73045 0 3 0x4000080 fsleep syz-executor 62458 326872 34572 0 2 0 syz-executor 62458 434174 34572 0 3 0x4000000 netlock syz-executor 62458 334448 34572 0 3 0x4000080 fsleep syz-executor 62458 223420 34572 0 3 0x4000080 fsleep syz-executor 46664 517087 84880 0 3 0x82 wait syz-executor 96855 373598 84880 0 2 0x3 syz-executor 47325 415487 0 0 3 0x14200 acct acct 73045 324721 84880 0 2 0x3 syz-executor 79836 286711 84880 0 2 0x3 syz-executor 29876 352385 84880 0 2 0x3 syz-executor 94931 200028 84880 0 2 0x3 syz-executor 59893 367299 84880 0 2 0x3 syz-executor *56570 211904 1 0 7 0x100003 getty 34572 203556 84880 0 2 0x3 syz-executor 56364 176146 0 0 3 0x14200 bored sosplice 84880 161363 56951 0 2 0x3 syz-executor 56951 75335 40630 0 3 0x10008a sigsusp ksh 40630 25108 1447 0 3 0x98 kqread sshd-session 1447 127107 4167 0 3 0x92 kqread sshd-session 4167 404236 1 0 3 0x88 kqread sshd 24283 469781 74807 73 3 0x1100090 kqread syslogd 74807 114145 1 0 3 0x100082 sbwait syslogd 99752 355367 1 0 3 0x100080 kqread resolvd 76263 93302 23746 77 3 0x100092 kqread dhcpleased 55877 411879 23746 77 3 0x100092 kqread dhcpleased 23746 163838 1 0 3 0x80 kqread dhcpleased 79155 416070 0 0 3 0x14200 bored smr 95769 306802 0 0 2 0x14200 zerothread 74517 35579 0 0 3 0x14200 aiodoned aiodoned 16178 220509 0 0 2 0x14200 update 7283 94843 0 0 3 0x14200 cleaner cleaner 55651 510756 0 0 3 0x14200 reaper reaper 52313 501244 0 0 3 0x14200 pgdaemon pagedaemon 73631 48796 0 0 3 0x14200 bored viomb 88555 111608 0 0 3 0x40014200 acpi0 acpi0 65805 20614 0 0 3 0x14200 bored softnet3 97673 463629 0 0 3 0x14200 bored softnet2 26402 407710 0 0 3 0x14200 bored softnet1 19469 367557 0 0 3 0x14200 netlock softnet0 92327 111343 0 0 3 0x14200 bored systqmp 96799 466342 0 0 3 0x14200 bored systq 51522 31121 0 0 3 0x40014200 netlock softclock 82887 113453 0 0 3 0x40014200 idle0 1 290501 0 0 3 0x80082 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10198 11081K 11570K 166960K 18353 0 pcb 17 14K 16K 166960K 750 0 rtable 221 13K 14K 166960K 1476 0 pf 37 14K 22K 166960K 636 0 ifaddr 41 8K 10K 166960K 352 0 ifgroup 57 2K 2K 166960K 566 0 sysctl 4 1K 9K 166960K 43 0 counters 36 18K 18K 166960K 320 0 ioctlops 0 0K 4K 166960K 851 0 iov 0 0K 20K 166960K 155 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1429 90K 90K 166960K 6124 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 2K 6K 166960K 61 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 147 0 dirhash 6 1K 3K 166960K 54 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 19 69K 240K 166960K 6959 0 sigio 0 0K 0K 166960K 57 0 proc 61 59K 116K 166960K 1577 0 subproc 72 4K 4K 166960K 340 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 684 0 in_multi 84 6K 7K 166960K 568 0 ether_multi 1 0K 0K 166960K 97 0 mrt 1 0K 0K 166960K 50 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 97 440K 440K 166960K 97 0 exec 0 0K 1K 166960K 1092 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 4 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 256 154K 171K 166960K 61237 0 UVM aobj 120 12K 12K 166960K 131 0 pinsyscall 40 80K 96K 166960K 8582 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 227 0 NDP 13 0K 2K 166960K 263 0 temp 77 8688K 8818K 166960K 206150 0 kqueue 14 22K 34K 166960K 707 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 327 0 324 1 0 1 1 0 8 0 rtentry 136 499 0 412 5 1 4 5 0 8 0 unpcb 144 2222 0 2207 9 5 4 6 0 8 3 syncache 336 11 0 11 5 4 1 1 0 8 1 tcpqe 32 2 0 2 2 2 0 1 0 8 0 tcpcb 736 1025 0 1018 7 3 4 4 0 8 3 arp 88 82 0 66 1 0 1 1 0 8 0 ipq 40 22 0 21 3 2 1 1 0 8 0 ipqe 40 32 0 31 3 2 1 1 0 8 0 inpcb 328 3946 0 3933 15 8 7 7 0 8 5 ip6q 72 6 0 6 2 2 0 1 0 8 0 ip6af 40 9 0 9 2 2 0 1 0 8 0 nd6 104 127 0 105 1 0 1 1 0 8 0 pkpcb 40 32 0 32 3 2 1 1 0 8 1 kcovpl 48 38 0 30 1 0 1 1 0 8 0 ppxss 1072 225 0 222 4 3 1 1 0 8 0 pppxif 1384 21 0 21 4 3 1 1 0 8 1 pfrktable 1344 4 0 4 4 3 1 1 0 8 1 rttmr 136 5 0 5 3 3 0 1 0 8 0 art_heap8 4096 3 0 0 3 0 3 3 0 8 0 art_heap4 256 2306 0 1893 49 18 31 32 0 8 3 art_table 32 2309 0 1893 6 1 5 5 0 8 0 art_node 16 484 0 406 1 0 1 1 0 8 0 sysvmsgpl 40 16 0 14 1 0 1 1 0 8 0 semupl 112 1 0 1 1 1 0 1 0 8 0 semapl 112 136 0 126 1 0 1 1 0 8 0 shmpl 112 128 0 11 4 0 4 4 0 8 0 dirhash 1024 46 0 42 4 2 2 4 0 8 0 dino2pl 256 11782 0 10206 99 0 99 99 0 8 0 ffsino 248 11782 0 10206 99 0 99 99 0 8 0 nchpl 144 19711 0 17938 66 0 66 66 0 8 0 rtmask 32 58 0 56 5 4 1 1 0 8 0 uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0 vnodes 216 5926 0 0 330 0 330 330 0 8 0 namei 1024 58073 0 58072 9 7 2 4 0 8 1 kstatmem 264 388 0 362 4 1 3 3 0 8 1 acpiwqpl 32 4 0 4 1 0 1 1 1 8 1 scsiplug 72 53 0 53 5 4 1 1 0 8 1 scxspl 216 58111 0 58109 17 14 3 8 1 8 2 plimitpl 152 784 0 768 1 0 1 1 0 8 0 sigapl 424 7081 0 7032 7 1 6 7 0 8 0 knotepl 120 443058 0 443010 52 40 12 17 0 8 8 kqueuepl 184 1272 0 1258 1 0 1 1 0 8 0 pipepl 296 501 0 474 5 2 3 5 0 8 0 fdescpl 440 7057 0 7026 5 1 4 5 0 8 0 filepl 120 28324 0 28104 18 8 10 12 0 8 2 lockfpl 104 1443 0 1441 1 0 1 1 0 8 0 lockfspl 48 653 0 651 1 0 1 1 0 8 0 sessionpl 144 65 0 57 1 0 1 1 0 8 0 pgrppl 48 159 0 143 1 0 1 1 0 8 0 ucredpl 104 4769 0 4756 1 0 1 1 0 8 0 zombiepl 144 10146 0 10146 6 5 1 1 0 8 1 processpl 1160 7081 0 7032 4 0 4 4 0 8 0 procpl 656 16762 0 16695 6 0 6 6 0 8 0 sosppl 168 51 0 51 4 3 1 1 0 8 1 sockpl 528 6662 0 6631 20 13 7 12 0 8 4 mcl64k 65536 1485 0 1485 6 5 1 1 0 8 1 mcl16k 16384 603 0 603 6 5 1 1 0 8 1 mcl12k 12288 476 0 476 6 5 1 1 0 8 1 mcl9k 9216 198 0 198 5 4 1 1 0 8 1 mcl8k 8192 1071 0 1071 6 5 1 1 0 8 1 mcl4k 4096 15827 0 15776 17 9 8 14 0 8 1 mcl2k2 2112 47 0 47 5 4 1 1 0 8 1 mcl2k 2048 3902 0 3897 6 3 3 3 0 8 2 mtagpl 96 115 0 85 2 1 1 1 0 8 0 mbufpl 256 82751 0 82604 19 2 17 17 0 8 2 bufpl 280 14160 0 7933 446 0 446 446 0 8 0 anonpl 24 826196 0 819031 135 67 68 72 0 187 13 amapchunkpl 152 207976 0 207277 58 22 36 36 0 158 9 amappl16 200 14864 0 14719 92 71 21 28 0 8 7 amappl15 192 3 0 3 1 1 0 1 0 8 0 amappl14 184 165 0 155 1 0 1 1 0 8 0 amappl13 176 12 0 11 3 2 1 1 0 8 0 amappl12 168 8089 0 8058 3 1 2 3 0 8 0 amappl11 160 48 0 38 1 0 1 1 0 8 0 amappl10 152 13 0 12 1 0 1 1 0 8 0 amappl9 144 256 0 256 1 1 0 1 0 8 0 amappl8 136 24 0 22 1 0 1 1 0 8 0 amappl7 128 161 0 149 1 0 1 1 0 8 0 amappl6 120 423 0 419 1 0 1 1 0 8 0 amappl5 112 218 0 211 1 0 1 1 0 8 0 amappl4 104 373 0 357 1 0 1 1 0 8 0 amappl3 96 44998 0 44879 4 0 4 4 0 8 0 amappl2 88 1027 0 967 2 0 2 2 0 8 0 amappl1 80 36900 0 36352 15 3 12 14 0 8 0 amappl 88 59285 0 59093 6 1 5 5 0 92 0 dma8192 8192 1 0 1 1 1 0 1 0 8 0 dma4096 4096 2 0 2 2 2 0 1 0 8 0 dma2048 2048 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 9 0 9 3 2 1 1 0 8 1 dma128 128 282 0 282 6 5 1 1 0 8 1 dma64 64 7 0 7 2 2 0 1 0 8 0 dma32 32 8 0 8 2 2 0 1 0 8 0 dma16 16 19 0 18 1 0 1 1 0 8 0 aobjpl 72 130 0 11 3 0 3 3 0 8 0 uaddrrnd 24 7056 0 7026 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 7056 0 7026 1 0 1 1 0 8 0 vmmpekpl 168 39983 0 39932 3 0 3 3 0 8 0 vmmpepl 168 425695 0 423641 129 28 101 101 0 357 11 vmsppl 360 7056 0 7026 4 1 3 4 0 8 0 rwobjpl 32 101449 0 94389 61 2 59 59 0 8 0 pdppl 4096 14118 0 14052 267 199 68 82 0 8 2 pvpl 32 2889841 0 2876279 268 117 151 151 0 265 32 pmappl 216 7055 0 7026 3 1 2 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 511 0 268 8 0 8 8 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace savectx() at savectx+0xae end of kernel end trace frame: 0x7e012fdb7d90, count: -1 ddb> machine ddbcpu 1 No such command ddb> trace savectx() at savectx+0xae end of kernel end trace frame: 0x7e012fdb7d90, count: -1