kernel: protection fault trap, code=0 Stopped at pfi_ifhead_RB_REMOVE+0x58: movq 0x10(%r12),%rbx ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic the kernel did not panic ddb{0}> trace pfi_ifhead_RB_REMOVE(ffffffff82922240,ffff800000b14600) at pfi_ifhead_RB_REMOVE+0x58 sys/net/pf_if.c:80 pfi_detach_ifgroup(ffff800000b13080) at pfi_detach_ifgroup+0x11b pfi_kif_unref sys/net/pf_if.c:211 [inline] pfi_detach_ifgroup(ffff800000b13080) at pfi_detach_ifgroup+0x11b sys/net/pf_if.c:304 if_delgroup(ffff800000b27000,ffff800000b13080) at if_delgroup+0x1bc sys/net/if.c:2669 if_detach(ffff800000b27000) at if_detach+0x1d0 sys/net/if.c:1042 tun_clone_destroy(ffff800000b27000) at tun_clone_destroy+0x1e1 sys/net/if_tun.c:326 tun_dev_close(5d01,7) at tun_dev_close+0x160 sys/net/if_tun.c:477 spec_close(ffff8000240f1ff0) at spec_close+0x311 sys/kern/spec_vnops.c:560 VOP_CLOSE(fffffd8069b72c48,7,fffffd807f7bf9c0,ffff800024194a08) at VOP_CLOSE+0xc0 sys/kern/vfs_vops.c:174 vn_closefile(fffffd806cab93a0,ffff800024194a08) at vn_closefile+0xd7 vn_close sys/kern/vfs_vnops.c:298 [inline] vn_closefile(fffffd806cab93a0,ffff800024194a08) at vn_closefile+0xd7 sys/kern/vfs_vnops.c:614 fdrop(fffffd806cab93a0,ffff800024194a08) at fdrop+0xc2 sys/kern/kern_descrip.c:1279 closef(fffffd806cab93a0,ffff800024194a08) at closef+0x11c sys/kern/kern_descrip.c:1263 fdfree(ffff800024194a08) at fdfree+0x101 sys/kern/kern_descrip.c:1195 exit1(ffff800024194a08,0,19,1) at exit1+0x32c sys/kern/kern_exit.c:197 postsig(ffff800024194a08,19) at postsig+0x4ed sigexit sys/kern/kern_sig.c:1483 [inline] postsig(ffff800024194a08,19) at postsig+0x4ed sys/kern/kern_sig.c:1415 userret(ffff800024194a08) at userret+0x199 sys/kern/kern_sig.c:1872 syscall(ffff8000240f2470) at syscall+0x55f mi_syscall_return sys/sys/syscall_mi.h:129 [inline] syscall(ffff8000240f2470) at syscall+0x55f sys/arch/amd64/amd64/trap.c:592 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7fffff3090, count: -17 ddb{0}> show registers rdi 0xffffffff82922240 pfi_ifs rsi 0xffff800000b14600 rbp 0xffff8000240f1dd0 rbx 0xdeadbeefdeadbeef rdx 0 rcx 0 rax 0xffff800000b14610 r8 0xf8 r9 0x8080808080808080 r10 0x50e65791dbabf09e r11 0xf75dd6c6469a92d3 r12 0xdeadbeefdeadbeef r13 0xffff800000ac5440 r14 0xffff800000b14600 r15 0xffffffff82922240 pfi_ifs rip 0xffffffff818dff28 pfi_ifhead_RB_REMOVE+0x58 cs 0x8 rflags 0x10282 __ALIGN_SIZE+0xf282 rsp 0xffff8000240f1d70 ss 0x10 pfi_ifhead_RB_REMOVE+0x58: movq 0x10(%r12),%rbx ddb{0}> show proc PROC (syz-executor.1) pid=462816 stat=onproc flags process=a proc=2000 pri=32, usrpri=79, nice=20 forw=0xffffffffffffffff, list=0xffff800024194790,0xffffffff8293e730 process=0xffff8000ffffdb90 user=0xffff8000240ed000, vmspace=0xfffffd807efff2e0 estcpu=29, cpticks=1, pctcpu=0.8 user=0, sys=0, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 51647 401074 0 0 3 0x14200 acct acct 37572 461698 5586 0 3 0x2 biowait syz-executor.0 11811 223549 0 0 3 0x14200 bored sosplice 5973 78578 1 0 3 0x100083 ttyin getty 56454 295015 0 0 3 0x14280 nfsidl nfsio 10440 517680 0 0 3 0x14280 nfsidl nfsio 4107 337025 0 0 3 0x14280 nfsidl nfsio 30603 426440 0 0 3 0x14280 nfsidl nfsio 99050 72955 0 0 3 0x14280 nfsidl nfsio 2306 89539 0 0 3 0x14280 nfsidl nfsio 86655 369728 0 0 3 0x14280 nfsidl nfsio 42104 227733 0 0 3 0x14280 nfsidl nfsio 95305 416712 0 0 3 0x14280 nfsidl nfsio 62126 84038 0 0 3 0x14280 nfsidl nfsio 55877 113771 0 0 3 0x14280 nfsidl nfsio 10432 424339 0 0 3 0x14280 nfsidl nfsio 30892 279464 0 0 3 0x14280 nfsidl nfsio 69527 462862 0 0 3 0x14280 nfsidl nfsio 78961 507390 0 0 3 0x14280 nfsidl nfsio 25196 260458 0 0 3 0x14280 nfsidl nfsio 22016 330389 0 0 3 0x14280 nfsidl nfsio 95864 522142 0 0 3 0x14280 nfsidl nfsio 28046 75950 0 0 3 0x14280 nfsidl nfsio 93307 324190 0 0 3 0x14280 nfsidl nfsio 5586 345973 40542 0 3 0x82 nanosleep syz-fuzzer 5586 83502 40542 0 3 0x4000082 nanosleep syz-fuzzer 5586 403893 40542 0 3 0x4000082 thrsleep syz-fuzzer 5586 161827 40542 0 3 0x4000082 thrsleep syz-fuzzer 5586 46939 40542 0 3 0x4000082 thrsleep syz-fuzzer 5586 9275 40542 0 3 0x4000082 thrsleep syz-fuzzer 5586 381857 40542 0 3 0x4000082 kqread syz-fuzzer 5586 153647 40542 0 3 0x4000082 thrsleep syz-fuzzer 40542 319450 45290 0 3 0x10008a pause ksh 45290 210684 1172 0 3 0x92 select sshd 1172 364256 1 0 3 0x80 select sshd 92313 310074 58517 74 3 0x100092 bpf pflogd 58517 472835 1 0 3 0x80 netio pflogd 82916 265384 87320 73 3 0x100090 kqread syslogd 87320 60786 1 0 3 0x100082 netio syslogd 944 160073 1 77 3 0x100090 poll dhclient 84242 196744 1 0 3 0x80 poll dhclient 66992 363616 0 0 3 0x14200 bored smr 25178 178070 0 0 3 0x14200 pgzero zerothread 60461 171513 0 0 3 0x14200 aiodoned aiodoned 3142 427121 0 0 3 0x14200 syncer update 47408 411490 0 0 3 0x14200 cleaner cleaner 91288 449489 0 0 3 0x14200 reaper reaper 33984 342547 0 0 3 0x14200 pgdaemon pagedaemon 62082 149586 0 0 3 0x14200 bored crynlk 96248 502857 0 0 3 0x14200 bored crypto 96519 123920 0 0 3 0x40014200 acpi0 acpi0 62032 136562 0 0 7 0x40014200 idle1 98865 32542 0 0 3 0x14200 bored softnet 99723 471594 0 0 3 0x14200 bored systqmp 21321 188832 0 0 3 0x14200 bored systq 1130 81336 0 0 3 0x40014200 bored softclock 95699 320217 0 0 3 0x40014200 idle0 1 290100 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 37572 (syz-executor.0) thread 0xffff800020eb3650 (461698) exclusive rrwlock inode r = 0 (0xfffffd806f96fa38) #0 witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline] #0 witness_lock+0x4c7 sys/kern/subr_witness.c:1164 #1 rw_enter+0x453 sys/kern/kern_rwlock.c:311 #2 rrw_enter+0x88 sys/kern/kern_rwlock.c:462 #3 ufs_ihashins+0x45 sys/ufs/ufs/ufs_ihash.c:140 #4 ffs_vget+0x13e sys/ufs/ffs/ffs_vfsops.c:1358 #5 ffs_inode_alloc+0x1e2 sys/ufs/ffs/ffs_alloc.c:394 #6 ufs_mkdir+0xf4 sys/ufs/ufs/ufs_vnops.c:1162 #7 VOP_MKDIR+0xc6 sys/kern/vfs_vops.c:450 #8 domkdirat+0x121 sys/kern/vfs_syscalls.c:3051 #9 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline] #9 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570 #10 Xsyscall+0x128 exclusive rrwlock inode r = 0 (0xfffffd806d91ce78) #0 witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline] #0 witness_lock+0x4c7 sys/kern/subr_witness.c:1164 #1 rw_enter+0x453 sys/kern/kern_rwlock.c:311 #2 rrw_enter+0x88 sys/kern/kern_rwlock.c:462 #3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:603 #4 vn_lock+0x81 sys/kern/vfs_vnops.c:575 #5 vfs_lookup+0xe6 sys/kern/vfs_lookup.c:419 #6 namei+0x63c sys/kern/vfs_lookup.c:249 #7 domkdirat+0x75 sys/kern/vfs_syscalls.c:3036 #8 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline] #8 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570 #9 Xsyscall+0x128 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 9549 6444K 6996K 78643K 11777 0 pcb 13 8K 8K 78643K 186 0 rtable 78 6K 8K 78643K 799 0 ifaddr 88 15K 17K 78643K 235 0 sysctl 2 0K 0K 78643K 2 0 counters 43 33K 34K 78643K 89 0 ioctlops 0 0K 4K 78643K 1674 0 iov 0 0K 24K 78643K 118 0 mount 1 1K 1K 78643K 1 0 vnodes 1221 77K 77K 78643K 1640 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 5K 78643K 26 0 VM map 2 1K 1K 78643K 2 0 sem 12 0K 0K 78643K 218 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1824 197K 290K 78643K 13058 0 file desc 4 9K 25K 78643K 1236 0 sigio 0 0K 0K 78643K 16 0 proc 62 63K 95K 78643K 707 0 subproc 23 1K 2K 78643K 102 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 597 0 in_multi 15 1K 2K 78643K 181 0 ether_multi 1 0K 0K 78643K 23 0 mrt 0 0K 0K 78643K 5 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 61 281K 281K 78643K 61 0 exec 0 0K 1K 78643K 335 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 203 111K 112K 78643K 4115 0 UVM aobj 56 7K 7K 78643K 70 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 141 0 NDP 17 0K 0K 78643K 60 0 temp 151 3877K 3952K 78643K 16038 0 kqueue 3 4K 18K 78643K 66 0 SYN cache 2 16K 16K 78643K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 22 0 17 1 0 1 1 0 8 0 plcache 128 20 0 0 1 0 1 1 0 8 0 rtpcb 88 93 0 91 1 0 1 1 0 8 0 rtentry 112 149 0 129 3 1 2 2 0 8 0 unpcb 120 2083 0 2073 1 0 1 1 0 8 0 syncache 272 9 0 9 4 4 0 1 0 8 0 tcpqe 32 176 0 176 2 2 0 1 0 8 0 tcpcb 592 529 0 520 6 4 2 3 0 8 0 inpcb 296 2104 0 2096 3 1 2 2 0 8 1 rttmr 72 2 0 2 1 1 0 1 0 8 0 ip6q 72 5 0 5 3 2 1 1 0 8 1 ip6af 40 15 0 15 3 2 1 1 0 8 1 nd6 48 32 0 31 1 0 1 1 0 8 0 pkpcb 40 10 0 10 2 2 0 1 0 8 0 ppxss 1136 1 0 1 1 1 0 1 0 8 0 pffrag 232 8 0 7 3 2 1 1 0 482 0 pffrnode 88 8 0 7 3 2 1 1 0 8 0 pffrent 40 233 0 232 3 2 1 1 0 8 0 pfosfp 40 846 0 423 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfrktable 1344 35 0 30 1 0 1 1 0 8 0 pfstitem 24 38 0 33 1 0 1 1 0 8 0 pfstkey 112 38 0 33 2 1 1 2 0 8 0 pfstate 328 38 0 33 4 1 3 4 0 8 0 pfsrctr 152 92 0 86 1 0 1 1 0 8 0 pfrule 1360 31 0 25 2 1 1 2 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 639 0 544 19 8 11 13 0 8 0 art_table 32 640 0 544 3 1 2 2 0 8 0 art_node 16 148 0 132 1 0 1 1 0 8 0 sysvmsgpl 40 89 0 49 1 0 1 1 0 8 0 semupl 112 2 0 2 1 1 0 1 0 8 0 semapl 112 216 0 206 1 0 1 1 0 8 0 shmpl 112 67 0 14 2 0 2 2 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 2882 0 1481 89 0 89 89 0 8 0 ffsino 272 2882 0 1481 94 0 94 94 0 8 0 nchpl 144 4764 0 3169 60 0 60 60 0 8 0 uvmvnodes 72 3246 0 0 60 0 60 60 0 8 0 vnodes 208 3246 0 0 171 0 171 171 0 8 0 namei 1024 13757 0 13756 3 2 1 1 0 8 0 percpumem 16 55 0 23 1 0 1 1 0 8 0 vcpupl 1984 13 0 1 2 0 2 2 0 8 0 vmpool 560 18 0 6 2 1 1 1 0 8 0 pfiaddrpl 120 12 0 8 1 0 1 1 0 8 0 scxspl 200 14533 0 14532 9 8 1 7 0 8 0 plimitpl 152 89 0 81 1 0 1 1 0 8 0 sigapl 424 1462 0 1410 9 2 7 7 0 8 1 futexpl 56 24975 0 24975 3 2 1 1 0 8 1 knotepl 112 197 0 179 2 1 1 2 0 8 0 kqueuepl 152 138 0 136 1 0 1 1 0 8 0 pipepl 304 254 0 244 3 0 3 3 0 8 1 fdescpl 496 1425 0 1410 3 0 3 3 0 8 0 filepl 152 9683 0 9592 9 2 7 7 0 8 3 lockfpl 104 284 0 283 1 0 1 1 0 8 0 lockfspl 48 91 0 90 1 0 1 1 0 8 0 sessionpl 120 23 0 12 1 0 1 1 0 8 0 pgrppl 48 43 0 32 1 0 1 1 0 8 0 ucredpl 96 604 0 595 1 0 1 1 0 8 0 zombiepl 144 1411 0 1410 1 0 1 1 0 8 0 processpl 1008 1462 0 1410 7 0 7 7 0 8 0 procpl 632 3051 0 2992 6 0 6 6 0 8 0 srpgc 72 2 0 2 1 0 1 1 0 8 1 sosppl 144 13 0 13 2 1 1 1 0 8 1 sockpl 400 4293 0 4273 8 3 5 5 0 8 2 mcl64k 65536 8 0 0 1 0 1 1 0 8 0 mcl16k 16384 3 0 0 1 0 1 1 0 8 0 mcl12k 12288 2 0 0 1 0 1 1 0 8 0 mcl9k 9216 2 0 0 1 0 1 1 0 8 0 mcl8k 8192 4 0 0 1 0 1 1 0 8 0 mcl4k 4096 10 0 0 2 0 2 2 0 8 0 mcl2k2 2112 1 0 0 1 0 1 1 0 8 0 mcl2k 2048 157 0 0 19 1 18 19 0 8 0 mtagpl 96 22 0 0 1 0 1 1 0 8 0 mbufpl 256 319 0 0 19 0 19 19 0 8 0 bufpl 280 6947 0 710 446 0 446 446 0 8 0 anonpl 16 154980 0 137410 105 25 80 84 0 124 6 amapchunkpl 152 8464 0 8130 52 33 19 27 0 158 3 amappl16 192 6602 0 5792 66 24 42 51 0 8 1 amappl15 184 182 0 181 1 0 1 1 0 8 0 amappl14 176 73 0 70 1 0 1 1 0 8 0 amappl13 168 457 0 452 1 0 1 1 0 8 0 amappl12 160 178 0 173 1 0 1 1 0 8 0 amappl11 152 133 0 118 1 0 1 1 0 8 0 amappl10 144 27 0 21 1 0 1 1 0 8 0 amappl9 136 470 0 468 1 0 1 1 0 8 0 amappl8 128 575 0 523 2 0 2 2 0 8 0 amappl7 120 148 0 136 1 0 1 1 0 8 0 amappl6 112 93 0 86 1 0 1 1 0 8 0 amappl5 104 1417 0 1400 1 0 1 1 0 8 0 amappl4 96 1010 0 983 1 0 1 1 0 8 0 amappl3 88 158 0 149 1 0 1 1 0 8 0 amappl2 80 10384 0 10319 2 0 2 2 0 8 0 amappl1 72 44470 0 44054 22 12 10 17 0 8 0 amappl 80 3424 0 3331 4 1 3 3 0 84 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 64 69 0 14 1 0 1 1 0 8 0 uaddrrnd 24 1443 0 1416 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 1443 0 1416 1 0 1 1 0 8 0 vmmpekpl 168 12329 0 12285 3 0 3 3 0 8 0 vmmpepl 168 181922 0 179980 166 48 118 123 0 357 22 vmsppl 368 1442 0 1416 3 0 3 3 0 8 0 pdppl 4096 2893 0 2844 7 0 7 7 0 8 0 pvpl 32 466805 0 446071 234 43 191 199 0 265 18 pmappl 232 1442 0 1416 3 1 2 2 0 8 0 extentpl 40 53 0 36 1 0 1 1 0 8 0 phpool 112 278 0 21 8 0 8 8 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace pfi_ifhead_RB_REMOVE(ffffffff82922240,ffff800000b14600) at pfi_ifhead_RB_REMOVE+0x58 sys/net/pf_if.c:80 pfi_detach_ifgroup(ffff800000b13080) at pfi_detach_ifgroup+0x11b pfi_kif_unref sys/net/pf_if.c:211 [inline] pfi_detach_ifgroup(ffff800000b13080) at pfi_detach_ifgroup+0x11b sys/net/pf_if.c:304 if_delgroup(ffff800000b27000,ffff800000b13080) at if_delgroup+0x1bc sys/net/if.c:2669 if_detach(ffff800000b27000) at if_detach+0x1d0 sys/net/if.c:1042 tun_clone_destroy(ffff800000b27000) at tun_clone_destroy+0x1e1 sys/net/if_tun.c:326 tun_dev_close(5d01,7) at tun_dev_close+0x160 sys/net/if_tun.c:477 spec_close(ffff8000240f1ff0) at spec_close+0x311 sys/kern/spec_vnops.c:560 VOP_CLOSE(fffffd8069b72c48,7,fffffd807f7bf9c0,ffff800024194a08) at VOP_CLOSE+0xc0 sys/kern/vfs_vops.c:174 vn_closefile(fffffd806cab93a0,ffff800024194a08) at vn_closefile+0xd7 vn_close sys/kern/vfs_vnops.c:298 [inline] vn_closefile(fffffd806cab93a0,ffff800024194a08) at vn_closefile+0xd7 sys/kern/vfs_vnops.c:614 fdrop(fffffd806cab93a0,ffff800024194a08) at fdrop+0xc2 sys/kern/kern_descrip.c:1279 closef(fffffd806cab93a0,ffff800024194a08) at closef+0x11c sys/kern/kern_descrip.c:1263 fdfree(ffff800024194a08) at fdfree+0x101 sys/kern/kern_descrip.c:1195 exit1(ffff800024194a08,0,19,1) at exit1+0x32c sys/kern/kern_exit.c:197 postsig(ffff800024194a08,19) at postsig+0x4ed sigexit sys/kern/kern_sig.c:1483 [inline] postsig(ffff800024194a08,19) at postsig+0x4ed sys/kern/kern_sig.c:1415 userret(ffff800024194a08) at userret+0x199 sys/kern/kern_sig.c:1872 syscall(ffff8000240f2470) at syscall+0x55f mi_syscall_return sys/sys/syscall_mi.h:129 [inline] syscall(ffff8000240f2470) at syscall+0x55f sys/arch/amd64/amd64/trap.c:592 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7fffff3090, count: -17 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp ddb{1}> trace x86_ipi_db(ffff800020d70ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:352 x86_ipi_handler() at x86_ipi_handler+0xc6 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 acpicpu_idle() at acpicpu_idle+0x331 sys/dev/acpi/acpicpu.c:1187 sched_idle(ffff800020d70ff0) at sched_idle+0x3f7 sys/kern/kern_sched.c:178 end trace frame: 0x0, count: -5