panic: ip6_deletefraghdr: ext headers not contigous in mbuf 0xfffffe006e3f9000 m_len 40 >= offset 48 + 8 cpuid = 0 time = 33 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe0057351ed0 kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe0057352030 vpanic() at vpanic+0x257/frame 0xfffffe00573521f0 panic() at panic+0xb5/frame 0xfffffe00573522b0 frag6_input() at frag6_input/frame 0xfffffe00573522f0 pf_normalize_ip6() at pf_normalize_ip6+0xd8b/frame 0xfffffe0057352450 pf_test() at pf_test+0xbc9/frame 0xfffffe0057352a00 pf_check6_in() at pf_check6_in+0xac/frame 0xfffffe0057352a50 pfil_mbuf_in() at pfil_mbuf_in+0x8c/frame 0xfffffe0057352a90 ip6_input() at ip6_input+0x16dd/frame 0xfffffe0057352cf0 swi_net() at swi_net+0x2b8/frame 0xfffffe0057352d90 ithread_loop() at ithread_loop+0x4ec/frame 0xfffffe0057352ef0 fork_exit() at fork_exit+0xcc/frame 0xfffffe0057352f30 fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0057352f30 --- trap 0, rip = 0, rsp = 0, rbp = 0 --- KDB: enter: panic [ thread pid 12 tid 100033 ] Stopped at kdb_enter+0x6e: movq $0,0x25be9d7(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xfffffe00033eee30 rdx 0 rbx 0xffffffff827b0760 .str.27 rsp 0xfffffe0057352010 rbp 0xfffffe0057352030 rsi 0 rdi 0xffffffff81614619 printf+0x149 r8 0 r9 0xffffffff r10 0x100000000000000 r11 0x4 r12 0xfffffe0008021780 r13 0xfffffffffffffffe r14 0xffffffff827b0760 .str.27 r15 0 rip 0xffffffff815fe7be kdb_enter+0x6e rflags 0x46 kdb_enter+0x6e: movq $0,0x25be9d7(%rip) db> show proc Process 12 (intr) at 0xfffffe0008008580: state: NORMAL uid: 0 gids: 0 parent: pid 0 at 0xffffffff83b478e0 ABI: null flag: 0x10000284 flag2: 0 reaper: 0xffffffff83b478e0 reapsubtree: 12 sigparent: 20 vmspace: 0xffffffff83b488c0 (map 0xffffffff83b488c0) (map.pmap 0xffffffff83b48960) (pmap 0xffffffff83b489d0) threads: 20 100013 I [swi6: task queue] 100014 I [swi6: Giant taskq] 100016 I [swi5: fast taskq] 100033 Run CPU 0 [swi1: netisr 0] 100034 I [swi1: hpts] 100035 I [swi1: hpts] 100048 I [irq24: virtio_pci0] 100049 I [irq25: virtio_pci0] 100050 I [irq26: virtio_pci0] 100051 I [irq27: virtio_pci0] 100052 I [irq28: virtio_pci1] 100053 I [irq29: virtio_pci1] 100054 I [irq30: virtio_pci1] 100055 I [irq31: virtio_pci1] 100056 I [irq32: virtio_pci1] 100061 I [irq10: virtio_pci2] 100063 I [irq1: atkbd0] 100064 I [irq12: psm0] 100065 I [swi0: uart uart++] 100069 I [swi1: pf send] db> ps pid ppid pgrp uid state wmesg wchan cmd 1190 767 767 0 R (threaded) syz-executor 100541 Run CPU 1 syz-executor 100665 S uwait 0xfffffe0058a6be80 syz-executor 100667 S uwait 0xfffffe006eca0b80 syz-executor 1188 766 766 0 R (threaded) syz-executor 100101 RunQ syz-executor 100666 RunQ syz-executor 100668 S uwait 0xfffffe0058cf3900 syz-executor 1186 1181 764 60929 S uwait 0xfffffe0058a6b780 syz-executor 1182 1 765 0 S uwait 0xfffffe0058a6b980 syz-executor 1181 764 764 60929 R (threaded) syz-executor 100565 RunQ syz-executor 100653 S select 0xfffffe0059efcec0 syz-executor 100659 S uwait 0xfffffe006ef60100 syz-executor 1172 1 767 0 S uwait 0xfffffe0058a6ce00 syz-executor 1169 1 765 0 S uwait 0xfffffe006ef60d00 syz-executor 1165 1 764 0 S uwait 0xfffffe0058a6b180 syz-executor 1153 1 767 0 S uwait 0xfffffe006eca0880 syz-executor 1151 1 767 0 S uwait 0xfffffe006ef61480 syz-executor 1146 1 766 0 S uwait 0xfffffe006ef5fd80 syz-executor 1141 1 765 0 S uwait 0xfffffe006ef60000 syz-executor 1139 0 0 0 DL mdwait 0xfffffe00786df000 [md2] 1137 1 766 0 S uwait 0xfffffe006ef5fb80 syz-executor 1135 1 766 0 S uwait 0xfffffe006ef5fe80 syz-executor 1133 1 767 0 S uwait 0xfffffe006ef60800 syz-executor 1126 1 765 0 S uwait 0xfffffe0058a6aa80 syz-executor 1124 1 1124 0 Ss+ ttyin 0xfffffe0059c09cb0 getty 1123 1 1123 0 Ss+ ttyin 0xfffffe0059c098b0 getty 1122 1 1122 0 Ss+ ttyin 0xfffffe0059c094b0 getty 1121 1 1121 0 Ss+ ttyin 0xfffffe0059c090b0 getty 1120 1 1120 0 Ss+ ttyin 0xfffffe0059c08cb0 getty 1119 1 1119 0 Ss+ ttyin 0xfffffe0059c088b0 getty 1118 1 1118 0 Ss+ ttyin 0xfffffe0059c084b0 getty 1117 1 1117 0 Ss+ ttyin 0xfffffe0059c080b0 getty 1116 1 1116 0 Ss+ ttyin 0xfffffe0058a95cb0 getty 1111 1 764 0 S uwait 0xfffffe006ec9fe80 syz-executor 1110 1 765 0 S uwait 0xfffffe006ef60700 syz-executor 1108 1 765 0 S uwait 0xfffffe006eca0000 syz-executor 1106 1 766 0 S uwait 0xfffffe000828c580 syz-executor 1099 1 764 0 S uwait 0xfffffe000828c900 syz-executor 1097 1 765 0 S uwait 0xfffffe0058a6a780 syz-executor 1089 1 764 0 S uwait 0xfffffe0058cf3880 syz-executor 1086 1 764 0 S uwait 0xfffffe0058cf5900 syz-executor 1077 0 0 0 DL mdwait 0xfffffe0078de9000 [md1] 1063 0 0 0 DL (threaded) [KTLS] 100465 D - 0xfffffe005a2a4b00 [thr_0] 100466 D - 0xfffffe005a2a4b80 [thr_1] 100467 D - 0xffffffff83cafc28 [reclaim_0] 1050 1 764 0 S uwait 0xfffffe000828ca80 syz-executor 1039 1 764 0 S uwait 0xfffffe006ef60900 syz-executor 1035 1033 765 0 S uwait 0xfffffe006ef61080 syz-executor 1033 1 765 0 SV uwait 0xfffffe0058a6d700 syz-executor 1030 1 767 0 S uwait 0xfffffe0058a6d500 syz-executor 1029 1 767 0 SV uwait 0xfffffe0058a6c600 syz-executor 1021 0 0 0 DL mdwait 0xfffffe006eca8000 [md0] 1017 1 767 0 S uwait 0xfffffe0058a6d600 syz-executor 1009 1 764 0 S uwait 0xfffffe006eca2300 syz-executor 1005 1 766 0 S uwait 0xfffffe0058a6b680 syz-executor 998 1 766 0 S uwait 0xfffffe006ef60f00 syz-executor 990 1 764 0 S uwait 0xfffffe0058a6c300 syz-executor 981 1 765 0 S uwait 0xfffffe006ef61380 syz-executor 979 1 764 0 S uwait 0xfffffe000828c780 syz-executor 972 1 766 0 S uwait 0xfffffe0058a6dc80 syz-executor 968 1 765 0 SV uwait 0xfffffe000828cb80 syz-executor 966 1 764 0 SV uwait 0xfffffe006ef61280 syz-executor 958 1 766 0 S uwait 0xfffffe0058a6c700 syz-executor 951 1 764 0 S uwait 0xfffffe0058a6c000 syz-executor 940 1 764 0 S uwait 0xfffffe0058a6d400 syz-executor 932 0 0 0 DL - 0xffffffff83b48d80 [accounting] 926 1 766 0 S uwait 0xfffffe0058a6b080 syz-executor 917 1 767 0 S uwait 0xfffffe0058a6ad80 syz-executor 914 1 766 0 S uwait 0xfffffe006ef61180 syz-executor 904 1 767 0 S uwait 0xfffffe0058a6da00 syz-executor 895 0 0 0 DL (threaded) [so_splice] 100114 D - 0xfffffe007805e400 [thr_0] 100183 D - 0xfffffe007805e440 [thr_1] 872 781 424 0 S kqread 0xfffffe0008bfe100 rtsol 831 0 0 0 DL aiordy 0xfffffe00548f3ae0 [aiod4] 828 0 0 0 DL aiordy 0xfffffe00548f4040 [aiod3] 827 0 0 0 DL aiordy 0xfffffe00549075a0 [aiod2] 826 0 0 0 DL aiordy 0xfffffe00548f45a0 [aiod1] 781 771 424 0 S wait 0xfffffe00548f55c0 sh 771 1 424 0 S wait 0xfffffe00548cc5c0 sh 767 763 767 0 R syz-executor 766 763 766 0 R syz-executor 765 763 765 0 R syz-executor 764 763 764 0 R syz-executor 763 761 761 0 S select 0xfffffe0059e587c0 syz-executor 761 1 761 0 Ss pause 0xfffffe0008027b90 csh 737 1 18 0 S+ nanslp 0xffffffff83b9e541 sleep 17 0 0 0 DL syncer 0xffffffff83cbbda0 [syncer] 16 0 0 0 DL vlruwt 0xfffffe0008029060 [vnlru] 15 0 0 0 DL (threaded) [bufdaemon] 100080 D psleep 0xffffffff83cba360 [bufdaemon] 100083 D - 0xffffffff83001ec0 [bufspacedaemon-0] 100094 D sdflush 0xfffffe005860d0e8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83d05380 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100078 D psleep 0xffffffff83ceb2f8 [dom0] 100081 D launds 0xffffffff83ceb304 [laundry: dom0] 100082 D umarcl 0xffffffff81dd02b0 [uma] 7 0 0 0 DL - 0xffffffff8391bcd0 [rand_harvestq] 6 0 0 0 TL pftm 0xffffffff843c9850 [pf purge] 5 0 0 0 DL waiting 0xffffffff84697700 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100046 D - 0xffffffff838e6340 [doneq0] 100047 D - 0xffffffff838e62c0 [async] 100076 D - 0xffffffff838e6140 [scanner] 3 0 0 0 DL (threaded) [crypto] 100043 D crypto_ 0xffffffff83ce6b40 [crypto] 100044 D crypto_ 0xfffffe00546b2030 [crypto returns 0] 100045 D crypto_ 0xfffffe00546b2080 [crypto returns 1] 14 0 0 0 DL seqstat 0xfffffe00547e8c88 [sequencer 00] 13 0 0 0 DL (threaded) [geom] 100037 D - 0xffffffff83b46f00 [g_event] 100038 D - 0xffffffff83b46f20 [g_up] 100039 D - 0xffffffff83b46f40 [g_down] 2 0 0 0 WL (threaded) [clock] 100031 I [clock (0)] 100032 I [clock (1)] 12 0 0 0 RL (threaded) [intr] 100013 I [swi6: task queue] 100014 I [swi6: Giant taskq] 100016 I [swi5: fast taskq] 100033 Run CPU 0 [swi1: netisr 0] 100034 I [swi1: hpts] 100035 I [swi1: hpts] 100048 I [irq24: virtio_pci0] 100049 I [irq25: virtio_pci0] 100050 I [irq26: virtio_pci0] 100051 I [irq27: virtio_pci0] 100052 I [irq28: virtio_pci1] 100053 I [irq29: virtio_pci1] 100054 I [irq30: virtio_pci1] 100055 I [irq31: virtio_pci1] 100056 I [irq32: virtio_pci1] 100061 I [irq10: virtio_pci2] 100063 I [irq1: atkbd0] 100064 I [irq12: psm0] 100065 I [swi0: uart uart++] 100069 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffffe0008009040 [init] 10 0 0 0 DL audit_w 0xffffffff83ce75e0 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D parked 0xffffffff84c2dff0 [swapper] 100005 D - 0xfffffe0008286900 [softirq_0] 100006 D - 0xfffffe0008286700 [softirq_1] 100007 D - 0xfffffe0008286500 [if_io_tqg_0] 100008 D - 0xfffffe0008286300 [if_io_tqg_1] 100009 D - 0xfffffe0008286100 [if_config_tqg_0] 100010 D - 0xfffffe0007fd1000 [kqueue_ctx taskq] 100011 D - 0xfffffe0007fd0e00 [jail_remove taskq] 100012 D - 0xfffffe0007fd0d00 [bus taskq] 100015 D - 0xfffffe0007fd0a00 [thread taskq] 100017 D - 0xfffffe0007fd0800 [aiod_kick taskq] 100018 D - 0xfffffe0007fd0700 [deferred_unmount ta] 100019 D - 0xfffffe0007fd0600 [inm_free taskq] 100020 D - 0xfffffe0007fd0500 [in6m_free taskq] 100021 D - 0xfffffe0007fd0400 [linuxkpi_irq_wq] 100022 D - 0xfffffe0007fd0300 [linuxkpi_short_wq_0] 100023 D - 0xfffffe0007fd0300 [linuxkpi_short_wq_1] 100024 D - 0xfffffe0007fd0300 [linuxkpi_short_wq_2] 100025 D - 0xfffffe0007fd0300 [linuxkpi_short_wq_3] 100026 D - 0xfffffe0007fd0200 [linuxkpi_long_wq_0] 100027 D - 0xfffffe0007fd0200 [linuxkpi_long_wq_1] 100028 D - 0xfffffe0007fd0200 [linuxkpi_long_wq_2] 100029 D - 0xfffffe0007fd0200 [linuxkpi_long_wq_3] 100036 D - 0xfffffe0007fd0100 [firmware taskq] 100041 D - 0xfffffe0007fcfe00 [crypto_0] 100042 D - 0xfffffe0007fcfe00 [crypto_1] 100057 D - 0xfffffe0007fcfc00 [vtnet0 rxq 0] 100058 D - 0xfffffe0007fcfb00 [vtnet0 txq 0] 100059 D - 0xfffffe0007fcfa00 [vtnet0 rxq 1] 100060 D - 0xfffffe0007fcf900 [vtnet0 txq 1] 100062 D vtbslp 0xfffffe0058583b00 [virtio_balloon] 100066 D - 0xffffffff827b5aa0 [deadlkres] 100070 D - 0xfffffe0058d69700 [acpi_task_0] 100071 D - 0xfffffe0058d69700 [acpi_task_1] 100072 D - 0xfffffe0058d69700 [acpi_task_2] 100074 D - 0xfffffe0007fd1100 [mca taskq] 100075 D - 0xfffffe0007fcfd00 [CAM taskq] 100077 D - 0xfffffe0007fcf800 [ipsec_offload] 100638 D - 0xfffffe007802c600 [netlink_socket (PID] 969 968 765 0 Z syz-executor db> show all locks Process 1188 (syz-executor) thread 0xfffffe005490e780 (100666) shared rw sctpinp (sctpinp) r = 0 (0xfffffe006ec99020) locked @ /syzkaller/managers/main/kernel/sys/netinet/sctp_output.c:4550 exclusive sleep mutex sctp-tcb (tcb) r = 0 (0xfffffe006edb9a50) locked @ /syzkaller/managers/main/kernel/sys/netinet/sctp_output.c:13193 Process 12 (intr) thread 0xfffffe0008021780 (100033) shared rm pf rulesets (pf rulesets) r = 0 (0xfffffe00082408d8) locked @ /syzkaller/managers/main/kernel/sys/netpfil/pf/pf.c:10336 db> show malloc Type InUse MemUse Requests pf_hash 6 12804K 6 linker 400 5458K 831 tcp_hpts 7 4801K 7 devbuf 4188 4324K 4216 sctp_stro 4 2311K 6 sysctloid 35338 2082K 35413 vtbuf 24 1968K 46 kobj 331 1324K 530 newblk 16 1028K 3228 vfscache 3 1025K 3 filedesc 99 790K 679 pcb 66 708K 330 inodedep 25 521K 780 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 472K 4 subproc 207 422K 1304 vmem 5 272K 8 vnet_data 2 224K 2 acpitask 1 224K 1 KTRACE 101 201K 13868 acpica 1674 184K 54450 tidhash 3 141K 3 pagedep 17 132K 383 tfo_ccache 1 128K 1 IP reass 1 128K 1 DEVFS1 112 112K 129 sem 4 106K 4 gtaskqueue 18 98K 18 bus 1008 82K 5098 mtx_pool 3 74K 3 md_sectors 18 72K 18 syncache 1 68K 1 NFSD srvcache 3 68K 3 module 522 66K 531 ddb_capture 1 64K 1 kdtrace 273 51K 1864 umtx 384 48K 384 temp 37 40K 2116 shm 3 36K 14 DEVFS3 131 33K 141 hostcache 1 32K 1 msg 4 30K 4 kbdmux 6 28K 6 DEVFS_RULE 56 20K 56 routetbl 132 19K 407 ifaddr 66 19K 68 ufs_mount 4 17K 5 proc 3 17K 3 LRO 16 17K 16 tty 16 16K 16 ithread 90 15K 90 bus-sc 34 15K 1659 GEOM 82 14K 583 eventhandler 163 14K 163 lltable 43 14K 47 ether_multi 164 14K 183 md_disk 21 13K 23 ifnet 7 13K 7 kenv 95 12K 95 CAM queue 5 11K 1528 rman 82 10K 477 shmfd 4 10K 25 kqueue 103 10K 1608 in6_multi 67 10K 67 rpc 8 9K 8 sctp_atcl 23 9K 110 bmsafemap 2 9K 617 ksem 2 9K 3 devstat 4 9K 4 UART 12 9K 12 filemon 1 8K 12 pfs_vncache 1 8K 1 audit_evclass 239 8K 301 taskqueue 72 8K 87 cred 28 7K 335 plimit 18 7K 470 sglist 6 7K 6 CAM DEV 3 6K 510 pwddesc 94 6K 1216 pfs_nodes 22 6K 22 ufs_dirhash 24 5K 39 pf_ifnet 12 5K 21 UMA 270 5K 270 vt 11 5K 11 pf_table 2 4K 3 memdesc 1 4K 1 MCA 32 4K 32 evdev 4 4K 4 acpisem 28 4K 28 BPF 14 4K 33 DEVFSP 50 4K 183 terminal 11 3K 11 proc-args 103 3K 2239 CC Mem 20 3K 220 uidinfo 5 3K 25 acpidev 20 3K 20 hhook 8 3K 10 dirrem 9 3K 554 clone 9 3K 9 kcovinfo 36 3K 36 mkdir 17 3K 648 local_apic 1 2K 1 io_apic