panic: in_pcblookup_hash_locked: invalid local address cpuid = 1 time = 1677170464 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc7/frame 0xfffffe0092c76310 kdb_backtrace() at kdb_backtrace+0xd1/frame 0xfffffe0092c76470 vpanic() at vpanic+0x254/frame 0xfffffe0092c76550 panic() at panic+0xb5/frame 0xfffffe0092c76610 in_pcblookup_hash_locked() at in_pcblookup_hash_locked+0xf32/frame 0xfffffe0092c76750 in_pcb_lport_dest() at in_pcb_lport_dest+0x476/frame 0xfffffe0092c76810 in_pcbconnect_setup() at in_pcbconnect_setup+0x7e5/frame 0xfffffe0092c76970 in_pcbconnect() at in_pcbconnect+0x174/frame 0xfffffe0092c76a80 tcp_connect() at tcp_connect+0xf0/frame 0xfffffe0092c76ad0 tcp_usr_connect() at tcp_usr_connect+0x244/frame 0xfffffe0092c76bb0 soconnectat() at soconnectat+0x1b9/frame 0xfffffe0092c76c10 kern_connectat() at kern_connectat+0x2cc/frame 0xfffffe0092c76cf0 sys_connect() at sys_connect+0xfb/frame 0xfffffe0092c76d30 amd64_syscall() at amd64_syscall+0x410/frame 0xfffffe0092c76f30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0092c76f30 --- syscall (198, FreeBSD ELF64, __syscall), rip = 0x28e66a, rsp = 0x8210386d8, rbp = 0x821038740 --- KDB: enter: panic [ thread pid 898 tid 100133 ] Stopped at kdb_enter+0x6b: movq $0,0x25823fa(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xfffffe00033eee30 rdx 0xdffff7c000000000 rbx 0 rsp 0xfffffe0092c76450 rbp 0xfffffe0092c76470 rsi 0x1 rdi 0 r8 0x3 r9 0xffffffff r10 0 r11 0x7a6db74d r12 0 r13 0xfffffe009274d740 r14 0xffffffff82ae6760 .str.26 r15 0xffffffff82ae6760 .str.26 rip 0xffffffff8170f89b kdb_enter+0x6b rflags 0x46 kdb_enter+0x6b: movq $0,0x25823fa(%rip) db> show proc Process 898 (syz-executor.0) at 0xfffffe0092717568: state: NORMAL uid: 0 gids: 0, 0, 5 parent: pid 781 at 0xfffffe008fe94010 ABI: FreeBSD ELF64 flag: 0x10000000 flag2: 0 arguments: /root/syz-executor.0 exec reaper: 0xfffffe00541d4010 reapsubtree: 1 sigparent: 20 vmspace: 0xfffffe0092b32000 (map 0xfffffe0092b32000) (map.pmap 0xfffffe0092b320c0) (pmap 0xfffffe0092b32130) threads: 1 100133 Run CPU 1 syz-executor.0 db> ps pid ppid pgrp uid state wmesg wchan cmd 898 781 781 0 R CPU 1 syz-executor.0 897 891 897 0 Ss select 0xfffffe0007983ac0 dhclient 894 1 894 0 Ss select 0xfffffe0007983c40 dhclient 891 884 430 65 S select 0xfffffe0007983e40 dhclient 884 430 430 0 S wait 0xfffffe0092664010 sh 781 779 781 0 Ss nanslp 0xffffffff83c5f400 syz-executor.0 779 777 777 0 S (threaded) syz-execprog 100090 S uwait 0xfffffe00541dfd00 syz-execprog 100125 S uwait 0xfffffe0058df9500 syz-execprog 100126 S uwait 0xfffffe0057879580 syz-execprog 100127 S kqread 0xfffffe0058aef200 syz-execprog 100128 S wait 0xfffffe00541d5018 syz-execprog 100129 S uwait 0xfffffe00541df180 syz-execprog 100130 S uwait 0xfffffe00541df280 syz-execprog 100132 S uwait 0xfffffe0057879880 syz-execprog 777 775 777 0 Ss pause 0xfffffe005799c0b8 csh 775 688 775 0 Ss select 0xfffffe0007983dc0 sshd 754 1 754 0 Ss+ ttyin 0xfffffe00540620b0 getty 753 1 753 0 Ss+ ttyin 0xfffffe0057a59cb0 getty 752 1 752 0 Ss+ ttyin 0xfffffe0057a5a0b0 getty 751 1 751 0 Ss+ ttyin 0xfffffe0057a5a4b0 getty 750 1 750 0 Ss+ ttyin 0xfffffe00079ff8b0 getty 749 1 749 0 Ss+ ttyin 0xfffffe0057a5a8b0 getty 748 1 748 0 Ss+ ttyin 0xfffffe0057a5acb0 getty 747 1 747 0 Ss+ ttyin 0xfffffe0057a5b0b0 getty 746 1 746 0 Ss+ ttyin 0xfffffe0057a5b4b0 getty 744 1 18 0 S+ piperd 0xfffffe0058b7c5b0 logger 743 742 18 0 S+ nanslp 0xffffffff83c5f400 sleep 742 1 18 0 S+ wait 0xfffffe00541d5570 sh 692 1 692 0 Ss nanslp 0xffffffff83c5f400 cron 688 1 688 0 Ss select 0xfffffe0007984140 sshd 501 1 501 0 Ss select 0xfffffe00079847c0 syslogd 430 1 430 0 Ss wait 0xfffffe005799c560 devd 429 1 429 65 Ss select 0xfffffe0007984340 dhclient 344 1 344 0 Ss select 0xfffffe0007984440 dhclient 341 1 341 0 Ss select 0xfffffe0007984c40 dhclient 17 0 0 0 DL syncer 0xffffffff83d848a0 [syncer] 16 0 0 0 DL vlruwt 0xfffffe0056fa3010 [vnlru] 15 0 0 0 DL (threaded) [bufdaemon] 100079 D psleep 0xffffffff83d82ec0 [bufdaemon] 100082 D - 0xffffffff83012180 [bufspacedaemon-0] 100095 D sdflush 0xfffffe00586b90e8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83dba740 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100077 D psleep 0xffffffff83dae5f8 [dom0] 100080 D launds 0xffffffff83dae604 [laundry: dom0] 100081 D umarcl 0xffffffff81e70740 [uma] 7 0 0 0 DL - 0xffffffff83a28e48 [rand_harvestq] 6 0 0 0 DL pftm 0xffffffff8437b270 [pf purge] 5 0 0 0 DL waiting 0xffffffff8479df80 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100044 D - 0xffffffff838cb340 [doneq0] 100045 D - 0xffffffff838cb2c0 [async] 100076 D - 0xffffffff838cb140 [scanner] 14 0 0 0 DL seqstat 0xfffffe0056ef6c88 [sequencer 00] 3 0 0 0 DL (threaded) [crypto] 100040 D crypto_ 0xffffffff83da9d60 [crypto] 100041 D crypto_ 0xfffffe0007a89030 [crypto returns 0] 100042 D crypto_ 0xfffffe0007a89080 [crypto returns 1] 13 0 0 0 DL (threaded) [geom] 100035 D - 0xffffffff83c34860 [g_event] 100036 D - 0xffffffff83c34880 [g_up] 100037 D - 0xffffffff83c348a0 [g_down] 2 0 0 0 WL (threaded) [clock] 100030 I [clock (0)] 100031 I [clock (1)] 12 0 0 0 WL (threaded) [intr] 100010 I [swi5: fast taskq] 100013 I [swi6: task queue] 100018 I [swi6: Giant taskq] 100029 I [swi1: netisr 0] 100032 I [swi1: hpts] 100033 I [swi1: hpts] 100046 I [irq24: virtio_pci0] 100047 I [irq25: virtio_pci0] 100048 I [irq26: virtio_pci0] 100049 I [irq27: virtio_pci0] 100050 I [irq28: virtio_pci1] 100051 I [irq29: virtio_pci1] 100052 I [irq30: virtio_pci1] 100053 I [irq31: virtio_pci1] 100054 I [irq32: virtio_pci1] 100059 I [irq33: virtio_pci2] 100060 I [irq34: virtio_pci2] 100061 I [irq35: virtio_pci2] 100063 I [irq1: atkbd0] 100064 I [irq12: psm0] 100065 I [swi0: uart uart++] 100069 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 Run CPU 0 [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffffe00541d4010 [init] 10 0 0 0 DL audit_w 0xffffffff83daa8e0 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D swapin 0xffffffff83c35280 [swapper] 100005 D - 0xfffffe0054085000 [if_config_tqg_0] 100006 D - 0xfffffe0054084e00 [softirq_0] 100007 D - 0xfffffe0054084d00 [softirq_1] 100008 D - 0xfffffe0054084c00 [if_io_tqg_0] 100009 D - 0xfffffe0054084b00 [if_io_tqg_1] 100011 D - 0xfffffe000795f400 [kqueue_ctx taskq] 100012 D - 0xfffffe000795f300 [pci_hp taskq] 100014 D - 0xfffffe000795f100 [inm_free taskq] 100015 D - 0xfffffe000795f000 [aiod_kick taskq] 100016 D - 0xfffffe000795ee00 [in6m_free taskq] 100017 D - 0xfffffe000795ed00 [deferred_unmount ta] 100019 D - 0xfffffe000795eb00 [thread taskq] 100020 D - 0xfffffe000795ea00 [linuxkpi_irq_wq] 100021 D - 0xfffffe000795e900 [linuxkpi_short_wq_0] 100022 D - 0xfffffe000795e900 [linuxkpi_short_wq_1] 100023 D - 0xfffffe000795e900 [linuxkpi_short_wq_2] 100024 D - 0xfffffe000795e900 [linuxkpi_short_wq_3] 100025 D - 0xfffffe000795e800 [linuxkpi_long_wq_0] 100026 D - 0xfffffe000795e800 [linuxkpi_long_wq_1] 100027 D - 0xfffffe000795e800 [linuxkpi_long_wq_2] 100028 D - 0xfffffe000795e800 [linuxkpi_long_wq_3] 100034 D - 0xfffffe000795e500 [firmware taskq] 100038 D - 0xfffffe000795e400 [crypto_0] 100039 D - 0xfffffe000795e400 [crypto_1] 100055 D - 0xfffffe000795e200 [vtnet0 rxq 0] 100056 D - 0xfffffe000795e100 [vtnet0 txq 0] 100057 D - 0xfffffe000795e000 [vtnet0 rxq 1] 100058 D - 0xfffffe000795de00 [vtnet0 txq 1] 100062 D vtbslp 0xfffffe0007985800 [virtio_balloon] 100066 D - 0xffffffff82aeb6a0 [deadlkres] 100070 D - 0xfffffe000795fc00 [mca taskq] 100071 D - 0xfffffe0057917200 [acpi_task_0] 100072 D - 0xfffffe0057917200 [acpi_task_1] 100073 D - 0xfffffe0057917200 [acpi_task_2] 100075 D - 0xfffffe000795e300 [CAM taskq] db> show all locks Process 898 (syz-executor.0) thread 0xfffffe009274d740 (100133) exclusive sleep mutex tcphash (tcphash) r = 0 (0xfffffe00079db7e0) locked @ /syzkaller/managers/main/kernel/sys/netinet/tcp_usrreq.c:1404 exclusive rw tcpinp (tcpinp) r = 0 (0xfffffe0092b3a010) locked @ /syzkaller/managers/main/kernel/sys/netinet/tcp_usrreq.c:474 db> show malloc Type InUse MemUse Requests pf_hash 5 11524K 5 tcp_hpts 7 4801K 7 devbuf 4216 4323K 4241 sysctloid 34757 2048K 34828 vtbuf 24 1968K 46 kobj 330 1320K 493 newblk 673 1192K 704 vfscache 3 1025K 3 pcb 20 537K 45 inodedep 34 525K 84 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 472K 4 subproc 113 210K 966 acpica 1674 184K 58126 vmem 3 146K 5 tidhash 3 141K 3 pagedep 12 131K 27 tfo_ccache 1 128K 1 IP reass 1 128K 1 linker 324 127K 353 vnet_data 1 112K 1 DEVFS1 106 106K 117 sem 4 106K 4 bus 1000 82K 5215 mtx_pool 2 72K 2 NFSD srvcache 3 68K 3 syncache 1 68K 1 module 513 65K 513 acpitask 1 64K 1 ddb_capture 1 64K 1 kdtrace 183 38K 1036 temp 23 37K 1824 filedesc 5 37K 27 umtx 286 36K 286 BPF 19 36K 19 hostcache 1 32K 1 shm 1 32K 1 DEVFS3 125 32K 135 msg 4 30K 4 kbdmux 6 28K 6 gtaskqueue 18 26K 18 DEVFS_RULE 56 20K 56 ufs_mount 4 17K 5 proc 3 17K 3 tty 16 16K 16 ithread 97 16K 97 bus-sc 34 15K 1682 ifaddr 40 14K 42 eventhandler 154 13K 154 KTRACE 100 13K 100 kenv 95 12K 95 routetbl 62 11K 227 rman 88 11K 431 GEOM 61 11K 481 CAM queue 5 11K 1528 bmsafemap 2 9K 52 UART 12 9K 12 devstat 4 9K 4 ksem 1 8K 1 rpc 2 8K 2 shmfd 1 8K 1 pfs_vncache 1 8K 1 pfs_nodes 20 8K 20 audit_evclass 237 8K 296 taskqueue 63 7K 63 cred 26 7K 243 ifnet 4 7K 4 sglist 5 7K 5 lltable 20 6K 20 CAM DEV 3 6K 510 ether_multi 68 6K 78 kqueue 48 6K 905 plimit 19 5K 344 ufs_dirhash 24 5K 24 dirrem 18 5K 33 in6_multi 35 5K 35 UMA 267 5K 267 vt 11 5K 11 memdesc 1 4K 1 MCA 32 4K 32 evdev 4 4K 4 pf_ifnet 7 4K 10 acpisem 28 4K 28 hhook 15 4K 17 session 23 3K 37 pwddesc 46 3K 899 proc-args 73 3K 1976 terminal 11 3K 11 clone 9 3K 9 uidinfo 3 3K 8 local_apic 1 2K 1 io_apic 1 2K 1 fpukern_ctx 2 2K 2 ipsec-saq 2 2K 2 lockf 19 2K 29 selfd 31 2K 11289 diradd 14 2K 49 Unitno 27 2K 43 CAM XPT 22 2K 543 msi 12 2K 12 ipsecpolicy 2 2K 2 acpidev 20 2K 20 select 10 2K 40 mkdir 9 2K 32 NFSD session 1 1K 1 softdep 1 1K 1 indirdep 4 1K 4 sahead 1 1K 1 secasvar 1 1K 1 vnodemarker 2 1K 10 ip6ndp 6 1K 7 sctp_ifa 7 1K 8 newdirblk 7 1K 16 CAM periph 4 1K 271 ipsec 3 1K 3 in_multi 3 1K 5 nhops 6 1K 6 toponodes 6 1K 6 isadev 6 1K 6 mount 16 1K 89 pci_link 10 1K 10 crypto 4 1K 4 encap_export_host 12 1K 12 CC Mem 4 1K 13 pfil 4 1K 4 cdev 2 1K 2 DEVFSP 7 1K 12 osd 8 1K 25 sctp_ifn 3 1K 8 inpcbpolicy 12 1K 179 mld 3 1K 3 igmp 3 1K 3 chacha20random 1 1K 1 tun 4 1K 4 freework 2 1K 31 NFSD lckfile 1 1K 1 NFSD V4client 1 1K 1 DEVFS 9 1K 10 freeblks 1 1K 30 vnodes 1 1K 1 CAM SIM 2 1K 2 procdesc 2 1K 12 feeder 7 1K 7 tcpfunc 3 1K 3 loginclass 3 1K 7 prison 6 1K 6 lkpikmalloc 5 1K 6 aesni_data 2 1K 2 cryptodev 2 1K 49 nexusdev 8 1K 8 apmdev 1 1K 1 atkbddev 2 1K 2 freefile 1 1K 14 CAM dev queue 2 1K 2 netlink 1 1K 1 CAM I/O Scheduler 1 1K 1 CAM path 4 1K 1034 soname 5 1K 3455 pmchooks 1 1K 1 filecaps 5 1K 90 sctp_vrf 1 1K 1 vnet 1 1K 1 entropy 2 1K 40 pmc 1 1K 1 acpiintr 1 1K 1 cpus 2 1K 2 vnet_data_free 1 1K 1 Per-cpu 1