SYZFAIL: SIGFPE if_delmulti_locked: detaching ifnet instance 0xfffffe005421f000 if_delmulti_locked: detaching ifnet instance 0xfffffe005421f000 if_delmulti_locked: detaching ifnet instance 0xfffffe005421f000 Connection to 10.128.0.251 closed by remote host. FreeBSD/amd64 (ci-freebsd-main-5.c.syzkaller.internal) (ttyu0) login: if_delmulti_locked: detaching ifnet instance 0xfffffe006e3eb800 if_delmulti_locked: detaching ifnet instance 0xfffffe006e3eb800 if_delmulti_locked: detaching ifnet instance 0xfffffe006e3eb800 if_delmulti_locked: detaching ifnet instance 0xfffffe006e3eb000 if_delmulti_locked: detaching ifnet instance 0xfffffe006e3eb000 if_delmulti_locked: detaching ifnet instance 0xfffffe006e3eb000 if_delmulti_locked: detaching ifnet instance 0xfffffe006e3eb000 if_delmulti_locked: detaching ifnet instance 0xfffffe006e3eb000 if_delmulti_locked: detaching ifnet instance 0xfffffe006e3eb000 if_delmulti_locked: detaching ifnet instance 0xfffffe0058725800 if_delmulti_locked: detaching ifnet instance 0xfffffe0058725800 if_delmulti_locked: detaching ifnet instance 0xfffffe0058725800 if_delmulti_locked: detaching ifnet instance 0xfffffe0058726000 if_delmulti_locked: detaching ifnet instance 0xfffffe0058726000 if_delmulti_locked: detaching ifnet instance 0xfffffe0058726000 FreeBSD/amd64 (ci-freebsd-main-5.c.syzkaller.internal) (ttyu0) login: set $lines = 0 pid 749 (getty), jid 0, uid 0: exited on signal 8 (core dumped) ktrace write failed, errno 27, tracing stopped for pid 749 Password:pid 821 (dhclient), jid 0, uid 0: exited on signal 8 (core dumped) ktrace write failed, errno 27, tracing stopped for pid 821 pid 738 (sh), jid 0, uid 0: exited on signal 8 (core dumped) pid 748 (getty), jid 0, uid 0: exited on signal 8 (core dumped) ktrace write failed, errno 27, tracing stopped for pid 748 pid 338 (dhclient), jid 0, uid 0: exited on signal 8 (core dumped) ktrace write failed, errno 27, tracing stopped for pid 338 pid 747 (getty), jid 0, uid 0: exited on signal 8 (core dumped) ktrace write failed, errno 27, tracing stopped for pid 747 pid 746 (getty), jid 0, uid 0: exited on signal 8 (core dumped) ktrace write failed, errno 27, tracing stopped for pid 746 pid 335 (dhclient), jid 0, uid 0: exited on signal 8 (core dumped) ktrace write failed, errno 27, tracing stopped for pid 335 pid 745 (getty), jid 0, uid 0: exited on signal 8 (core dumped) ktrace write failed, errno 27, tracing stopped for pid 745 Kernel page fault with the following non-sleepable locks held: shared rw sctpinp (sctpinp) r = 0 (0xfffffe0074c486a0) locked @ /syzkaller/managers/main/kernel/sys/netinet/sctp_output.c:4552 exclusive sleep mutex sctp-tcb (tcb) r = 0 (0xfffffe0074ce5320) locked @ /syzkaller/managers/main/kernel/sys/netinet/sctputil.c:1776 stack backtrace: #0 0xffffffff8160a096 at witness_debugger+0x156 #1 0xffffffff8160c544 at witness_warn+0x894 #2 0xffffffff820a1937 at trap_pfault+0x157 #3 0xffffffff820a00f8 at trap+0x648 #4 0xffffffff82048848 at calltrap+0x8 #5 0xffffffff84681d5c at sctp_lowlevel_chunk_output+0x216c #6 0xffffffff8467faa1 at sctp_send_initiatpid 744 (getty), jid 0, uid 0: exited on signal 8 (core dumped) e+0x1591 #7 0xffffffff846e3e96 ktrace write failed, errno 27, tracing stopped for pid 744 at sctp_t1init_timer+0x66 #8 0xffffffff8471228b at sctp_timeout_handler+0xb3b #9 0xffffffff8152baa5 at softclock_call_cc+0x395 #10 0xffffffff8152ee30 at softclock_thread+0x200 #11 0xffffffff8144866c at fork_exit+0xcc #12 0xffffffff820498ae at fork_trampoline+0xe Fatal trap 12: page fault while in kernel mode cpuid = 1; apic id = 01 fault virtual address = 0x0 fault code = supervisor read data, page not present instruction pointer = 0x20:0xffffffff81a262e3 stack pointer = 0x28:0xfffffe0056c8a1c0 frame pointer = 0x28:0xfffffe0056c8a6f0 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 2 (clock (0)) rdi: 0000000000000000 rsi: 0000000000000000 rdx: 000000000dc7d760 rcx: fffffe00033eee30 r8: 0000000000000000 r9: 00000000060080fe rax: fffffe00033eee30 rbx: fffffe00756bb2e0 rbp: fffffe0056c8a6f0 r10: aa03000000000000 r11: 000000000000001f r12: fffffe0056c8a4c0 r13: fffffe0056c8a500 r14: 0000000000000000 r15: fffffe00829b6338 trap number = 12 panic: page fault cpuid = 1 time = 6 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe0056c898f0 kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe0056c89a50 vpanic() at vpanic+0x280/frame 0xfffffe0056c89c10 panic() at panic+0xb5/frame 0xfffffe0056c89cd0 trap_fatal() at trap_fatal+0x7f2/frame 0xfffffe0056c89df0 trap_pfault() at trap_pfault+0x179/frame 0xfffffe0056c89f10 trap() at trap+0x648/frame 0xfffffe0056c8a0f0 calltrap() at calltrap+0x8/frame 0xfffffe0056c8a0f0 --- trap 0xc, rip = 0xffffffff81a262e3, rsp = 0xfffffe0056c8a1c0, rbp = 0xfffffe0056c8a6f0 --- ip6_output() at ip6_output+0x30d3/frame 0xfffffe0056c8a6f0 sctp_lowlevel_chunk_output() at sctp_lowlevel_chunk_output+0x216c/frame 0xfffffe0056c8a9a0 sctp_send_initiate() at sctp_send_initiate+0x1591/frame 0xfffffe0056c8ab20 sctp_t1init_timer() at sctp_t1init_timer+0x66/frame 0xfffffe0056c8ab70 sctp_timeout_handler() at sctp_timeout_handler+0xb3b/frame 0xfffffe0056c8acb0 softclock_call_cc() at softclock_call_cc+0x395/frame 0xfffffe0056c8ae80 softclock_thread() at softclock_thread+0x200/frame 0xfffffe0056c8aef0 fork_exit() at fork_exit+0xcc/frame 0xfffffe0056c8af30 fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0056c8af30 --- trap 0, rip = 0, rsp = 0, rbp = 0 --- KDB: enter: panic [ thread pid 2 tid 100030 ] Stopped at kdb_enter+0x6e: movq $0,0x23dedc7(%rip) db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xfffffe00033eee30 rdx 0xdffff7c000000000 rbx 0xffffffff827109c0 .str.27 rsp 0xfffffe0056c89a30 rbp 0xfffffe0056c89a50 rsi 0 rdi 0xffffffff82e004c0 panicstr r8 0 r9 0xffffffff r10 0 r11 0x17 r12 0xfffffe0007a19000 r13 0xfffffffffffffffd --More-- r14 0xffffffff827109c0 .str.27 r15 0 rip 0xffffffff815b624e kdb_enter+0x6e rflags 0x46 kdb_enter+0x6e: movq $0,0x23dedc7(%rip) db> proc No such command; use "help" to list available commands db> ps pid ppid pgrp uid state wmesg wchan cmd 1073 1 1073 0 Ss+ ttyin 0xfffffe0054354cb0 getty 1072 1 1072 0 Ss+ ttyin 0xfffffe00543544b0 getty 1071 1 1071 0 Ss+ ttyin 0xfffffe005957bcb0 getty 1070 1 1070 0 Ss+ ttyin 0xfffffe005957b4b0 getty 1069 1 1069 0 Ss+ ttyin 0xfffffe005957acb0 getty 1068 1 1068 0 Ss+ ttyin 0xfffffe005957a4b0 getty 1067 1 1067 0 Ss+ select 0xfffffe005847bbc0 login 866 0 0 0 DL - 0xffffffff83a86200 [soaiod4] 865 0 0 0 DL - 0xffffffff83a86200 [soaiod3] 864 0 0 0 DL - 0xffffffff83a86200 [soaiod2] 863 0 0 0 DL - 0xffffffff83a86200 [soaiod1] 853 0 0 0 DL (threaded) [KTLS] 100118 D - 0xfffffe005973d200 [thr_0] 100188 D - 0xfffffe005973d280 [thr_1] 100189 D - 0xffffffff83a87a48 [reclaim_0] 841 0 0 0 DL mdwait 0xfffffe00596a9000 [md0] 813 0 0 0 DL aiordy 0xfffffe005b2e75a0 [aiod4] 812 0 0 0 DL aiordy 0xfffffe005b2e7b00 [aiod3] 811 0 0 0 DL aiordy 0xfffffe005b2be580 [aiod2] --More-- 810 0 0 0 DL aiordy 0xfffffe005b2beae0 [aiod1] 743 1 743 0 Rs+ CPU 0 getty 742 1 742 0 Ds+ range 0xfffffe00598d0de8 getty 17 0 0 0 DL syncer 0xffffffff83a93ae0 [syncer] 16 0 0 0 DL vlruwt 0xfffffe0007a27060 [vnlru] 15 0 0 0 DL (threaded) [bufdaemon] 100080 D psleep 0xffffffff83a920c0 [bufdaemon] 100083 D - 0xffffffff82e02140 [bufspacedaemon-0] 100092 D sdflush 0xfffffe00580114e8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83add760 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100078 D psleep 0xffffffff83ac36f8 [dom0] 100081 D launds 0xffffffff83ac3704 [laundry: dom0] 100082 D umarcl 0xffffffff81d623d0 [uma] 7 0 0 0 DL - 0xffffffff836f3b70 [rand_harvestq] 6 0 0 0 RL [pf purge] 5 0 0 0 DL waiting 0xffffffff84756a40 [sctp_iterator] 4 0 0 0 RL (threaded) [cam] 100045 RunQ [doneq0] 100046 D - 0xffffffff836be2c0 [async] --More-- 100077 D - 0xffffffff836be140 [scanner] 3 0 0 0 DL (threaded) [crypto] 100042 D crypto_ 0xffffffff83abeee0 [crypto] 100043 D crypto_ 0xfffffe0057f78030 [crypto returns 0] 100044 D crypto_ 0xfffffe0057f78080 [crypto returns 1] 14 0 0 0 DL seqstat 0xfffffe00085f6488 [sequencer 00] 13 0 0 0 DL (threaded) [geom] 100036 D - 0xffffffff8391ed40 [g_event] 100037 D - 0xffffffff8391ed60 [g_up] 100038 D - 0xffffffff8391ed80 [g_down] 2 0 0 0 RL (threaded) [clock] 100030 Run CPU 1 [clock (0)] 100031 I [clock (1)] 12 0 0 0 WL (threaded) [intr] 100012 I [swi6: task queue] 100013 I [swi6: Giant taskq] 100015 I [swi5: fast taskq] 100032 I [swi1: netisr 0] 100033 I [swi1: hpts] 100034 I [swi1: hpts] --More-- 100047 I [irq24: virtio_pci0] --More-- 100048 I [irq25: virtio_pci0] 100049 I [irq26: virtio_pci0] 100050 I [irq27: virtio_pci0] 100051 I [irq28: virtio_pci1] 100052 I [irq29: virtio_pci1] 100053 I [irq30: virtio_pci1] 100054 I [irq31: virtio_pci1] 100055 I [irq32: virtio_pci1] 100060 I [irq33: virtio_pci2] 100061 I [irq34: virtio_pci2] 100062 I [irq35: virtio_pci2] 100064 I [irq1: atkbd0] 100065 I [irq12: psm0] 100066 I [swi0: uart uart++] 100070 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffffe0007a07040 [init] 10 0 0 0 DL audit_w 0xffffffff83abf940 [audit] --More-- 0 0 0 0 DLs (threaded) [kernel] --More-- 100000 D parked 0xffffffff84c06ff0 [swapper] 100005 D - 0xfffffe00085fba00 [softirq_0] 100006 D - 0xfffffe00085fb800 [softirq_1] 100007 D - 0xfffffe00085fb600 [if_io_tqg_0] 100008 D - 0xfffffe00085fb400 [if_io_tqg_1] 100009 D - 0xfffffe00085fb200 [if_config_tqg_0] 100010 D - 0xfffffe00085fb000 [pci_hp taskq] 100011 D - 0xfffffe00085fad00 [kqueue_ctx taskq] 100014 D - 0xfffffe00085fa700 [thread taskq] 100016 D - 0xfffffe00085fa300 [aiod_kick taskq] 100017 D - 0xfffffe00085fa100 [deferred_unmount ta] 100018 D - 0xfffffe00085f9e00 [inm_free taskq] 100019 D - 0xfffffe00085f9c00 [in6m_free taskq] 100020 D - 0xfffffe00085f9a00 [linuxkpi_irq_wq] 100021 D - 0xfffffe00085f9800 [linuxkpi_short_wq_0] 100022 D - 0xfffffe00085f9800 [linuxkpi_short_wq_1] 100023 D - 0xfffffe00085f9800 [linuxkpi_short_wq_2] 100024 D - 0xfffffe00085f9800 [linuxkpi_short_wq_3] 100025 D - 0xfffffe00085f9300 [linuxkpi_long_wq_0] 100026 D - 0xfffffe00085f9300 [linuxkpi_long_wq_1] --More-- 100027 D - 0xfffffe00085f9300 [linuxkpi_long_wq_2] --More--