panic: Bad tailq NEXT(0xfffff80003af0910->tqh_last) != NULL
cpuid = 1
time = 1592422548
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe0025a68040
vpanic() at vpanic+0x1c7/frame 0xfffffe0025a680a0
panic() at panic+0x43/frame 0xfffffe0025a68100
pf_tagname2tag() at pf_tagname2tag+0x2c5/frame 0xfffffe0025a68160
pfioctl() at pfioctl+0x76f2/frame 0xfffffe0025a68690
devfs_ioctl() at devfs_ioctl+0x14e/frame 0xfffffe0025a686f0
VOP_IOCTL_APV() at VOP_IOCTL_APV+0x78/frame 0xfffffe0025a68720
vn_ioctl() at vn_ioctl+0x27c/frame 0xfffffe0025a68840
devfs_ioctl_f() at devfs_ioctl_f+0x47/frame 0xfffffe0025a68880
kern_ioctl() at kern_ioctl+0x3d4/frame 0xfffffe0025a688f0
sys_ioctl() at sys_ioctl+0x22b/frame 0xfffffe0025a689c0
freebsd32_ioctl() at freebsd32_ioctl+0x2b5/frame 0xfffffe0025a68ab0
ia32_syscall() at ia32_syscall+0x24e/frame 0xfffffe0025a68bf0
int0x80_syscall_common() at int0x80_syscall_common+0x9c/frame 0xfbffcf78
KDB: enter: panic
[ thread pid 1707 tid 100890 ]
Stopped at kdb_enter+0x67: movq $0,0x14a5546(%rip)
db> 
db> set $lines = 0
db> set $maxwidth = 0
db> show registers
cs 0x20
ds 0x3b ll+0x1a
es 0x3b ll+0x1a
fs 0x13
gs 0x1b
ss 0
rax 0x12
rcx 0xfffffe0027000000
rdx 0x3ffff
rbx 0
rsp 0xfffffe0025a68020
rbp 0xfffffe0025a68040
rsi 0x40001
rdi 0xffffffff810bf396 vprintf+0x176
r8 0
r9 0xffffffff
r10 0
r11 0xfffffe0025862510
r12 0xffffffff82068f70 ddb_dbbe
r13 0
r14 0xffffffff819a919e
r15 0xffffffff819a919e
rip 0xffffffff810b46a7 kdb_enter+0x67
rflags 0x200082 kernphys+0x82
kdb_enter+0x67: movq $0,0x14a5546(%rip)
db> show proc
Process 1707 (syz-executor.3) at 0xfffff80016238a40:
state: NORMAL
uid: 0 gids: 0, 0, 5
parent: pid 779 at 0xfffff80003c77a40
ABI: FreeBSD ELF32
arguments: /root/syz-executor.3
reaper: 0xfffff8000331a000 reapsubtree: 1
sigparent: 20
vmspace: 0xfffffe00257b03d0 (map 0xfffffe00257b03d0) (map.pmap 0xfffffe00257b0490) (pmap 0xfffffe00257b04f0)
threads: 2
100106 Run CPU 0 syz-executor.3
100890 Run CPU 1 
syz-executor.3 db> ps pid ppid pgrp uid state wmesg wchan cmd 1707 779 779 0 R (threaded) syz-executor.3 100106 Run CPU 0 syz-executor.3 100890 Run CPU 1 syz-executor.3 1273 1268 1051 0 S+ kqread 0xfffff8000334b500 pwait 1268 1051 1051 0 S+ wait 0xfffff80016e50520 sh 1056 1054 1051 0 S+ nanslp 0xffffffff8252f201 sleep 1054 1051 1051 0 S+ wait 0xfffff80016409a40 sh 1051 1 1051 0 Ss+ wait 0xfffff80016e50a40 sh 828 816 828 0 Ss select 0xfffff80003dc2940 dhclient 822 1 822 0 Ss select 0xfffff800039eef40 dhclient 816 797 424 65 S select 0xfffff80003dc2bc0 dhclient 797 424 424 0 S wait 0xfffff80003c78a40 sh 779 768 779 0 Ss nanslp 0xffffffff8252f201 syz-executor.3 777 768 777 0 Ss piperd 0xfffff80003c8b8e8 syz-executor.1 773 768 773 0 Ss piperd 0xfffff80003c83be0 syz-executor.2 772 768 772 0 Ss piperd 0xfffff80003c888e8 syz-executor.0 768 766 766 0 S (threaded) syz-fuzzer 100080 S uwait 0xfffff800037c6980 syz-fuzzer 100108 S uwait 0xfffff800037c4780 syz-fuzzer 100109 S uwait 0xfffff80003a00200 syz-fuzzer 100110 S uwait 0xfffff800030fb980 syz-fuzzer 100111 S uwait 0xfffff800037c4c80 syz-fuzzer 100112 S uwait 0xfffff800030fb780 syz-fuzzer 100113 S uwait 0xfffff80003a00380 syz-fuzzer 100114 S uwait 0xfffff800037c3b00 syz-fuzzer 100115 S uwait 0xfffff800037c3c00 syz-fuzzer 100117 S kqread 0xfffff8000334b300 syz-fuzzer 100118 S uwait 0xfffff800037c3d00 syz-fuzzer 100119 S uwait 0xfffff800169a3180 syz-fuzzer 766 764 766 0 Ss pause 0xfffff8000331aae8 csh 764 1 764 0 Ss select 0xfffff800039ed340 sshd 495 1 495 0 Ss select 0xfffff800039f0b40 syslogd 424 1 424 0 Ss wait 0xfffff80003c76000 devd 423 1 423 65 Ss select 0xfffff80003dc2b40 dhclient 338 1 338 0 Ss select 0xfffff800039f02c0 dhclient 335 1 335 0 Ss select 0xfffff800039f03c0 dhclient 23 0 0 0 DL vlruwt 0xfffff800033fa520 [vnlru] 22 0 0 0 DL syncer 0xffffffff8261a458 [syncer] 21 0 0 0 DL (threaded) [bufdaemon] 100069 D qsleep 0xffffffff826197a0 [bufdaemon] 100076 D - 0xffffffff8200aa00 [bufspacedaemon-0] 100086 D sdflush 
0xfffff80003d04ce8 [/ worker] 20 0 0 0 DL psleep 0xffffffff82640788 [vmdaemon] 19 0 0 0 DL (threaded) [pagedaemon] 100067 D psleep 0xffffffff82634c18 [dom0] 100074 D launds 0xffffffff82634c24 [laundry: dom0] 100075 D umarcl 0xffffffff8154f410 [uma] 18 0 0 0 DL - 0xffffffff82362e58 [rand_harvestq] 17 0 0 0 DL pftm 0xffffffff82bd63a0 [pf purge] 16 0 0 0 DL waiting 0xffffffff8261cbd0 [sctp_iterator] 15 0 0 0 DL - 0xffffffff82618dac [soaiod4] 9 0 0 0 DL - 0xffffffff82618dac [soaiod3] 8 0 0 0 DL - 0xffffffff82618dac [soaiod2] 7 0 0 0 DL - 0xffffffff82618dac [soaiod1] 6 0 0 0 DL (threaded) [cam] 100033 D - 0xffffffff8223abc0 [doneq0] 100066 D - 0xffffffff8223aa90 [scanner] 5 0 0 0 DL crypto_ 0xfffff8000334d690 [crypto returns 1] 4 0 0 0 DL crypto_ 0xfffff8000334d630 [crypto returns 0] 3 0 0 0 DL crypto_ 0xffffffff82632400 [crypto] 14 0 0 0 DL seqstat 0xfffff800030e2488 [sequencer 00] 13 0 0 0 DL (threaded) [geom] 100024 D - 0xffffffff8250e180 [g_event] 100025 D - 0xffffffff8250e188 [g_up] 100026 D - 0xffffffff8250e190 [g_down] 2 0 0 0 DL (threaded) [KTLS] 100017 D - 0xfffff800030f9c00 [thr_0] 100018 D - 0xfffff800030f9c40 [thr_1] 12 0 0 0 WL (threaded) [intr] 100010 I [swi5: fast taskq] 100013 I [swi6: task queue] 100014 I [swi6: Giant taskq] 100019 I [swi4: clock (0)] 100020 I [swi4: clock (1)] 100021 I [swi3: vm] 100022 I [swi1: netisr 0] 100034 I [irq24: virtio_pci0] 100035 I [irq25: virtio_pci0] 100036 I [irq26: virtio_pci0] 100037 I [irq27: virtio_pci0] 100038 I [irq28: virtio_pci1] 100039 I [irq29: virtio_pci1] 100040 I [irq30: virtio_pci1] 100041 I [irq31: virtio_pci1] 100042 I [irq32: virtio_pci1] 100047 I [irq10: virtio_pci2] 100049 I [irq1: atkbd0] 100050 I [irq12: psm0] 100051 I [swi0: uart uart++] 100060 I [swi1: pf send] 100072 I [swi1: hpts] 100073 I [swi1: hpts] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffff8000331a000 [init] 10 0 0 0 DL audit_w 0xffffffff826328d8 [audit] 0 0 0 0 DLs (threaded) 
[kernel] 100000 D swapin 0xffffffff8250e710 [swapper] 100005 D - 0xfffff80003217e00 [if_config_tqg_0] 100006 D - 0xfffff80003217d00 [softirq_0] 100007 D - 0xfffff80003217c00 [softirq_1] 100008 D - 0xfffff80003217b00 [if_io_tqg_0] 100009 D - 0xfffff80003217a00 [if_io_tqg_1] 100011 D - 0xfffff80003350000 [kqueue_ctx taskq] 100012 D - 0xfffff8000334de00 [aiod_kick taskq] 100015 D - 0xfffff8000334db00 [in6m_free taskq] 100016 D - 0xfffff8000334da00 [thread taskq] 100023 D - 0xfffff8000334d900 [firmware taskq] 100028 D - 0xfffff8000334d700 [crypto_0] 100029 D - 0xfffff8000334d700 [crypto_1] 100043 D - 0xfffff8000334d400 [vtnet0 rxq 0] 100044 D - 0xfffff8000334d300 [vtnet0 txq 0] 100045 D - 0xfffff8000334d200 [vtnet0 rxq 1] 100046 D - 0xfffff8000334d100 [vtnet0 txq 1] 100048 D vtbslp 0xfffff80003524580 [virtio_balloon] 100052 D - 0xfffff8000334d000 [mca taskq] 100056 D - 0xffffffff81d4e871 [deadlkres] 100061 D - 0xfffff80003b32300 [acpi_task_0] 100062 D - 0xfffff80003b32300 [acpi_task_1] 100063 D - 0xfffff80003b32300 [acpi_task_2] 100065 D - 0xfffff8000334d500 [CAM taskq] db> show all locks Process 1707 (syz-executor.3) thread 0xfffffe0025862000 (100890) exclusive rm pf rulesets (pf rulesets) r = 0 (0xffffffff82c29298) locked @ /syzkaller/managers/i386/kernel/sys/netpfil/pf/pf_ioctl.c:1590 db> show malloc Type InUse MemUse Requests pf_hash 5 11524K 5 devbuf 4212 4850K 4240 tcp_hpts 5 3201K 5 vtbuf 24 1968K 46 sysctloid 27951 1631K 28015 kobj 334 1336K 493 vfscache 4 1025K 4 newblk 2 1025K 1331 pcb 23 537K 147 inodedep 7 515K 1193 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 472K 4 pf_rule 260 260K 446 subproc 119 221K 1787 acpica 1674 185K 55859 vnet_data 1 168K 1 pagedep 5 129K 795 tfo_ccache 1 128K 1 sem 4 106K 4 DEVFS1 105 105K 122 filedesc 15 101K 1433 linker 239 96K 280 bus 996 80K 3392 mtx_pool 2 72K 2 syncache 1 68K 1 acpitask 1 64K 1 ddb_capture 1 64K 1 module 501 63K 501 umtx 324 41K 324 BPF 22 36K 22 temp 35 33K 2479 pf_table 16 32K 22 hostcache 
1 32K 1 shm 1 32K 1 DEVFS3 124 31K 134 kdtrace 158 31K 4252 msg 4 30K 4 routetbl 87 28K 111 DEVFS_RULE 56 27K 56 vmem 3 26K 5 gtaskqueue 18 26K 18 ifaddr 73 25K 73 kbdmux 6 22K 6 lltable 47 18K 47 ufs_mount 4 17K 5 proc 3 17K 3 tty 16 16K 16 tidhash 1 16K 1 ithread 98 16K 98 ether_multi 172 14K 177 bus-sc 30 14K 1439 KTRACE 100 13K 100 ifnet 7 13K 7 kenv 92 12K 92 eventhandler 132 12K 132 in6_multi 89 11K 89 pfs_nodes 20 10K 20 GEOM 60 10K 486 rman 82 10K 423 bmsafemap 2 9K 939 UART 12 9K 12 devstat 4 9K 4 rpc 2 8K 2 shmfd 1 8K 1 pfs_vncache 1 8K 1 audit_evclass 233 8K 291 CAM DEV 3 6K 510 kqueue 50 6K 1724 vt 11 6K 11 sglist 5 6K 5 CAM queue 5 6K 1528 select 39 5K 39 taskqueue 45 5K 45 ufs_dirhash 24 5K 24 pf_ifnet 11 5K 182 DEVFSP 72 5K 76 UMA 249 5K 249 memdesc 1 4K 1 MCA 32 4K 32 ioctlops 1 4K 587 evdev 4 4K 4 kcovinfo 64 4K 68 sctp_timw 13 4K 13 plimit 13 4K 560 cred 13 4K 239 hhook 13 4K 13 acpisem 22 3K 22 terminal 11 3K 11 uidinfo 3 3K 8 sctp_ifa 17 3K 17 local_apic 1 2K 1 io_apic serialport: VM disconnected.