panic: Memory modified after free 0xfffffe0025134420(736) val=deadc0e6 @ 0xfffffe0025134568 cpuid = 0 time = 1605941094 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe0003635e10 vpanic() at vpanic+0x1c7/frame 0xfffffe0003635e70 panic() at panic+0x43/frame 0xfffffe0003635ed0 trash_ctor() at trash_ctor+0xa8/frame 0xfffffe0003635f10 item_ctor() at item_ctor+0x1e2/frame 0xfffffe0003635f70 sctp_add_remote_addr() at sctp_add_remote_addr+0x570/frame 0xfffffe0003635fe0 sctp_handle_asconf() at sctp_handle_asconf+0x14a7/frame 0xfffffe00036362d0 sctp_process_control() at sctp_process_control+0x1697/frame 0xfffffe0003636750 sctp_common_input_processing() at sctp_common_input_processing+0x7db/frame 0xfffffe00036368e0 sctp_input_with_port() at sctp_input_with_port+0x308/frame 0xfffffe00036369d0 sctp_input() at sctp_input+0x1f/frame 0xfffffe00036369f0 ip_input() at ip_input+0x388/frame 0xfffffe0003636a90 swi_net() at swi_net+0x20d/frame 0xfffffe0003636b10 ithread_loop() at ithread_loop+0x33f/frame 0xfffffe0003636bb0 fork_exit() at fork_exit+0xb3/frame 0xfffffe0003636bf0 fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0003636bf0 --- trap 0, rip = 0, rsp = 0, rbp = 0 --- KDB: enter: panic [ thread pid 12 tid 100020 ] Stopped at kdb_enter+0x67: movq $0,0x14882a6(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0x80 rdx 0xffffffff81918550 rbx 0 rsp 0xfffffe0003635df0 rbp 0xfffffe0003635e10 rsi 0x1 rdi 0 r8 0 r9 0xffffffff r10 0xaa0114ac08000500 r11 0x13c82083 r12 0xffffffff820671c0 ddb_dbbe r13 0 r14 0xffffffff81964435 r15 0xffffffff81964435 rip 0xffffffff810d3357 kdb_enter+0x67 rflags 0x86 kdb_enter+0x67: movq $0,0x14882a6(%rip) db> show proc Process 12 (intr) at 0xfffff800042b9a50: state: NORMAL uid: 0 gids: 0 parent: pid 0 at 0xffffffff8250ebb0 ABI: null reaper: 0xffffffff8250ebb0 reapsubtree: 12 sigparent: 20 vmspace: 0xffffffff8250f800 (map 0xffffffff8250f800) (map.pmap 0xffffffff8250f8c0) (pmap 0xffffffff8250f920) threads: 23 100011 I [swi5: fast taskq] 100014 I [swi6: task queue] 100015 I [swi6: Giant taskq] 100020 Run CPU 0 [swi1: netisr 0] 100021 I [swi4: clock (0)] 100022 I [swi4: clock (1)] 100023 I [swi3: vm] 100035 I [irq24: virtio_pci0] 100036 I [irq25: virtio_pci0] 100037 I [irq26: virtio_pci0] 100038 I [irq27: virtio_pci0] 100039 I [irq28: virtio_pci1] 100040 I [irq29: virtio_pci1] 100041 I [irq30: virtio_pci1] 100042 I [irq31: virtio_pci1] 100043 I [irq32: virtio_pci1] 100048 I [irq10: virtio_pci2] 100050 I [irq1: atkbd0] 100051 I [irq12: psm0] 100052 I [swi0: uart uart++] 100060 I [swi1: pf send] 100076 I [swi1: hpts] 100077 I [swi1: hpts] db> ps pid ppid pgrp uid state wmesg wchan cmd 2575 2567 2567 0 RV syz-executor.3 2574 2559 2574 0 Ss select 0xfffff8003f8cca40 dhclient 2568 2544 2544 0 R (threaded) syz-executor.0 100089 RunQ syz-executor.0 100378 RunQ syz-executor.0 2567 767 2567 0 Ds ppwait 0xfffff8003f4a1a10 syz-executor.3 2565 2537 2537 0 R (threaded) syz-executor.2 100133 Run CPU 1 syz-executor.2 100377 RunQ syz-executor.2 2562 1 2562 0 Ss select 0xfffff8003f8f1a40 dhclient 2559 2536 424 0 R dhclient 2544 767 2544 0 Rs syz-executor.0 2537 767 2537 0 Rs syz-executor.2 2536 424 424 0 S wait 0xfffff8003f0d3528 sh 2529 767 2529 0 REs syz-executor.1 767 765 765 0 S (threaded) syz-execprog 100106 S uwait 0xfffff80026e98c00 syz-execprog 100107 S uwait 0xfffff80004b9b380 syz-execprog 100108 S uwait 0xfffff80004b9b480 syz-execprog 100109 S uwait 0xfffff80026f45500 syz-execprog 100111 S uwait 0xfffff80004a5b180 syz-execprog 100112 S uwait 0xfffff80026f45600 syz-execprog 100113 S uwait 0xfffff80004a5b280 syz-execprog 100114 S kqread 0xfffff80004b40d00 syz-execprog 100115 S uwait 0xfffff80026f45700 syz-execprog 100116 S uwait 0xfffff80004a5b480 syz-execprog 100261 S uwait 0xfffff8003f5b8c00 syz-execprog 765 763 765 0 Ss pause 0xfffff8003f322b00 csh 763 682 763 0 Ss select 0xfffff80026f45cc0 sshd 742 1 742 0 Ss+ ttyin 0xfffff800046a1cb0 getty 741 1 741 0 Ss+ ttyin 0xfffff800049a88b0 getty 740 1 740 0 Ss+ ttyin 0xfffff800049a8cb0 getty 739 1 739 0 Ss+ ttyin 0xfffff8000499f0b0 getty 738 1 738 0 Ss+ ttyin 0xfffff8000499f4b0 getty 737 1 737 0 Ss+ ttyin 0xfffff8000499f8b0 getty 736 1 736 0 Ss+ ttyin 0xfffff8000499fcb0 getty 735 1 735 0 Ss+ ttyin 0xfffff8000493f0b0 getty 734 1 734 0 Ss+ ttyin 0xfffff8000493f4b0 getty 732 1 24 0 S+ piperd 0xfffff80004aa2000 logger 731 730 24 0 S+ nanslp 0xffffffff8252ed90 sleep 730 1 24 0 S+ wait 0xfffff80004b00000 sh 686 1 686 0 Ss nanslp 0xffffffff8252ed90 cron 682 1 682 0 Ss select 0xfffff80026f45ec0 sshd 495 1 495 0 Ss select 0xfffff80026f45f40 syslogd 424 1 424 0 Ss wait 0xfffff80004b7e000 devd 423 1 423 65 Ss select 0xfffff80026e98140 dhclient 338 1 338 0 Ss select 0xfffff80026e981c0 dhclient 335 1 335 0 Ss select 0xfffff80004a5b940 dhclient 23 0 0 0 DL vlruwt 0xfffff80004a03528 [vnlru] 22 0 0 0 DL syncer 0xffffffff8261c138 [syncer] 21 0 0 0 DL (threaded) [bufdaemon] 100070 D qsleep 0xffffffff8261b200 [bufdaemon] 100075 D - 0xffffffff8200ac80 [bufspacedaemon-0] 100088 D sdflush 0xfffff800041818e8 [/ worker] 20 0 0 0 DL psleep 0xffffffff826426c8 [vmdaemon] 19 0 0 0 DL (threaded) [pagedaemon] 100068 D psleep 0xffffffff82636b38 [dom0] 100073 D launds 0xffffffff82636b44 [laundry: dom0] 100074 D umarcl 0xffffffff814df0a0 [uma] 18 0 0 0 DL - 0xffffffff82363278 [rand_harvestq] 17 0 0 0 RL [sctp_iterator] 16 0 0 0 DL pftm 0xffffffff82bdb390 [pf purge] 15 0 0 0 DL - 0xffffffff8261a7dc [soaiod4] 9 0 0 0 DL - 0xffffffff8261a7dc [soaiod3] 8 0 0 0 DL - 0xffffffff8261a7dc [soaiod2] 7 0 0 0 DL - 0xffffffff8261a7dc [soaiod1] 6 0 0 0 DL (threaded) [cam] 100034 D - 0xffffffff8223afc0 [doneq0] 100067 D - 0xffffffff8223ae90 [scanner] 5 0 0 0 DL crypto_ 0xfffff80004189c90 [crypto returns 1] 4 0 0 0 DL crypto_ 0xfffff80004189c30 [crypto returns 0] 3 0 0 0 DL crypto_ 0xffffffff82634030 [crypto] 14 0 0 0 DL seqstat 0xfffff80004300488 [sequencer 00] 13 0 0 0 DL (threaded) [geom] 100025 D - 0xffffffff8250e620 [g_event] 100026 D - 0xffffffff8250e628 [g_up] 100027 D - 0xffffffff8250e630 [g_down] 2 0 0 0 DL (threaded) [KTLS] 100018 D - 0xfffff800042b3300 [thr_0] 100019 D - 0xfffff800042b3380 [thr_1] 12 0 0 0 RL (threaded) [intr] 100011 I [swi5: fast taskq] 100014 I [swi6: task queue] 100015 I [swi6: Giant taskq] 100020 Run CPU 0 [swi1: netisr 0] 100021 I [swi4: clock (0)] 100022 I [swi4: clock (1)] 100023 I [swi3: vm] 100035 I [irq24: virtio_pci0] 100036 I [irq25: virtio_pci0] 100037 I [irq26: virtio_pci0] 100038 I [irq27: virtio_pci0] 100039 I [irq28: virtio_pci1] 100040 I [irq29: virtio_pci1] 100041 I [irq30: virtio_pci1] 100042 I [irq31: virtio_pci1] 100043 I [irq32: virtio_pci1] 100048 I [irq10: virtio_pci2] 100050 I [irq1: atkbd0] 100051 I [irq12: psm0] 100052 I [swi0: uart uart++] 100060 I [swi1: pf send] 100076 I [swi1: hpts] 100077 I [swi1: hpts] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffff80004291528 [init] 10 0 0 0 DL audit_w 0xffffffff82634550 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D swapin 0xffffffff8250ebb0 [swapper] 100005 D - 0xfffff800042b8e00 [if_io_tqg_0] 100006 D - 0xfffff800042b8d00 [if_io_tqg_1] 100007 D - 0xfffff800042b8c00 [if_config_tqg_0] 100008 D - 0xfffff800042b8b00 [softirq_0] 100009 D - 0xfffff800042b8a00 [softirq_1] 100010 D - 0xfffff80004183200 [in6m_free taskq] 100012 D - 0xfffff800042bcd00 [kqueue_ctx taskq] 100013 D - 0xfffff800042bcb00 [inm_free taskq] 100016 D - 0xfffff800042bc500 [aiod_kick taskq] 100017 D - 0xfffff800042bc300 [thread taskq] 100024 D - 0xfffff800042cda00 [firmware taskq] 100029 D - 0xfffff800042cd300 [crypto_0] 100030 D - 0xfffff800042cd300 [crypto_1] 100044 D - 0xfffff80004342300 [vtnet0 rxq 0] 100045 D - 0xfffff80004342200 [vtnet0 txq 0] 100046 D - 0xfffff80004342100 [vtnet0 rxq 1] 100047 D - 0xfffff80004342000 [vtnet0 txq 1] 100049 D vtbslp 0xfffff80004486880 [virtio_balloon] 100053 D - 0xfffff800046ade00 [mca taskq] 100055 D - 0xffffffff81d0b290 [deadlkres] 100062 D - 0xfffff800048c9200 [acpi_task_0] 100063 D - 0xfffff800048c9200 [acpi_task_1] 100064 D - 0xfffff800048c9200 [acpi_task_2] 100066 D - 0xfffff80004342b00 [CAM taskq] db> show all locks Process 2565 (syz-executor.2) thread 0xfffffe0024ff6000 (100377) exclusive lockmgr ufs (ufs) r = 0 (0xfffff8003f97dbe0) locked @ /syzkaller/managers/i386/kernel/sys/kern/vfs_lookup.c:1047 Process 2559 (dhclient) thread 0xfffffe002504a300 (100154) exclusive lockmgr bufwait (bufwait) r = 0 (0xfffffe0003f5a280) locked @ /syzkaller/managers/i386/kernel/sys/kern/vfs_bio.c:3875 exclusive lockmgr ufs (ufs) r = 0 (0xfffff8003f8c99f8) locked @ /syzkaller/managers/i386/kernel/sys/kern/vfs_syscalls.c:3506 Process 17 (sctp_iterator) thread 0xfffffe0019fa7c00 (100061) exclusive sleep mutex sctp-it (iterator) r = 0 (0xffffffff82e157d8) locked @ /syzkaller/managers/i386/kernel/sys/netinet/sctputil.c:1452 shared rw sctp-info (sctp-info) r = 0 (0xfffffe0004941200) locked @ /syzkaller/managers/i386/kernel/sys/netinet/sctputil.c:1451 Process 12 (intr) thread 0xfffffe00048b2a00 (100020) exclusive sleep mutex sctp-tcb (tcb) r = 0 (0xfffffe002510b8b0) locked @ /syzkaller/managers/i386/kernel/sys/netinet/sctp_pcb.c:1326 db>