panic: kernel diagnostic assertion "(TAILQ_NEXT(inp, inp_queue) == NULL) || (TAILQ_NEXT(inp, inp_queue) == _Q_INVALID)" failed: file "/syzkaller/managers/main/kernel/sys/netinet/in_pcb.c", line 673 Starting stack trace... panic(ffffffff8342cfde) at panic+0x1ba sys/kern/subr_prf.c:229 __assert(ffffffff833df4e4,ffffffff833caf1a,2a1,ffffffff833a396f) at __assert+0x29 sys/kern/subr_prf.c:-1 in_pcbunref(fffffd8075364520) at in_pcbunref+0x206 sys/netinet/in_pcb.c:672 tcp_input_solocked(ffff80002a74b4a0,ffff80002a74b4ac,0,2,ffff80002a74b498) at tcp_input_solocked+0xfd sys/netinet/tcp_input.c:2229 tcp_input_mlist(ffffffff838ebd20,2) at tcp_input_mlist+0x93 sys/netinet/tcp_input.c:-1 if_input_process(ffff800000b11800,ffff80002a74b578,0) at if_input_process+0x229 sys/net/if.c:1015 ifiq_process(ffff800000b11c18) at ifiq_process+0xcd sys/net/ifq.c:874 taskq_thread(ffff80000002c000) at taskq_thread+0xd4 sys/kern/kern_task.c:446 end trace frame: 0x0, count: 249 End of stack trace. syncing disks...37 21 1 1 1 1 1 1 set $lines = 0 1 1 1 set $maxwidth = 0 1 1 show panic 1 1 trace 1 1 show registers 1 show proc 1 1 ps giving up WARNING: SPL NOT LOWERED ON SYSCALL 3 0 EXIT 0 3 Stopped at savectx+0xae: movl $0,%gs:0x688 TID PID UID PRFLAGS PFLAGS CPU COMMAND *157656 90648 0 0x100003 0 0 getty savectx() at savectx+0xae end of kernel end trace frame: 0x7295cce85590, count: 14 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10183 11123K 11976K 166960K 15257 0 pcb 18 15K 17K 166960K 396 0 rtable 185 8K 9K 166960K 666 0 pf 28 12K 20K 166960K 143 0 ifaddr 34 6K 8K 166960K 121 0 ifgroup 44 1K 2K 166960K 183 0 sysctl 4 1K 9K 166960K 49 0 counters 31 17K 18K 166960K 126 0 ioctlops 0 0K 4K 166960K 443 0 iov 0 0K 24K 166960K 235 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1462 92K 93K 166960K 3662 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 9K 166960K 29 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 76 0 dirhash 12 2K 2K 166960K 33 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 18 65K 236K 166960K 1768 0 sigio 0 0K 0K 166960K 93 0 proc 60 59K 83K 166960K 764 0 subproc 72 4K 4K 166960K 117 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 338 0 in_multi 73 5K 7K 166960K 236 0 ether_multi 1 0K 0K 166960K 23 0 mrt 2 0K 0K 166960K 8 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 91 413K 413K 166960K 91 0 exec 0 0K 1K 166960K 752 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 5 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 247 153K 167K 166960K 16483 0 UVM aobj 54 3K 3K 166960K 59 0 pinsyscall 39 78K 88K 166960K 2910 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 264 0 NDP 10 0K 2K 166960K 81 0 temp 68 8686K 8752K 166960K 77428 0 kqueue 14 22K 31K 166960K 278 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 146 0 142 1 0 1 1 0 8 0 rtentry 136 212 0 133 4 0 4 4 0 8 0 unpcb 144 1200 0 1185 7 6 1 6 0 8 0 syncache 336 4 0 4 2 1 1 1 0 8 1 tcpcb 736 574 0 566 10 9 1 7 0 8 0 arp 88 30 0 15 1 0 1 1 0 8 0 ipq 40 5 0 0 1 0 1 1 0 8 0 ipqe 40 70 0 65 1 0 1 1 0 8 0 inpcb 328 1823 0 1809 12 10 2 7 0 8 0 ip6q 72 3 0 0 1 0 1 1 0 8 0 ip6af 40 3 0 0 1 0 1 1 0 8 0 nd6 104 55 0 34 1 0 1 1 0 8 0 pkpcb 40 13 0 13 2 2 0 1 0 8 0 kcovpl 48 13 0 5 1 0 1 1 0 8 0 mppekey 1024 2 0 2 1 1 0 1 0 8 0 ppxss 1072 77 0 76 3 2 1 1 0 8 0 pppxif 1384 8 0 8 2 2 0 1 0 8 0 pfrktable 1344 2 0 2 1 1 0 1 0 8 0 pfrule 1344 1 0 1 1 1 0 1 0 8 0 art_heap8 4096 2 0 0 2 0 2 2 0 8 0 art_heap4 256 960 0 594 30 7 23 30 0 8 0 art_table 32 962 0 594 4 0 4 4 0 8 0 art_node 16 205 0 133 1 0 1 1 0 8 0 sysvmsgpl 40 17 0 11 1 0 1 1 0 8 0 semupl 112 1 0 1 1 1 0 1 0 8 0 semapl 112 73 0 63 1 0 1 1 0 8 0 shmpl 112 56 0 5 2 0 2 2 0 8 0 dirhash 1024 31 0 14 3 0 3 3 0 8 0 dino2pl 256 4577 0 3069 95 0 95 95 0 8 0 ffsino 248 4577 0 3069 95 0 95 95 0 8 0 nchpl 144 6927 0 5227 64 0 64 64 0 8 0 rtmask 32 9 0 9 2 2 0 1 0 8 0 uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0 vnodes 216 5926 0 0 330 0 330 330 0 8 0 namei 1024 25937 0 25936 4 2 2 2 0 8 1 kstatmem 264 108 0 88 2 0 2 2 0 8 0 scsiplug 72 4 0 4 2 2 0 1 0 8 0 scxspl 216 22196 0 22195 10 8 2 8 1 8 1 plimitpl 152 233 0 216 1 0 1 1 0 8 0 sigapl 424 2042 0 1974 8 0 8 8 0 8 0 knotepl 120 360769 0 360720 31 28 3 17 0 8 0 kqueuepl 184 526 0 515 3 2 1 3 0 8 0 pipepl 296 377 0 350 8 5 3 8 0 8 0 fdescpl 440 2002 0 1972 4 0 4 4 0 8 0 filepl 120 13714 0 13490 20 10 10 13 0 8 2 lockfpl 104 979 0 974 3 1 2 2 0 8 1 lockfspl 48 452 0 447 1 0 1 1 0 8 0 sessionpl 144 26 0 18 1 0 1 1 0 8 0 pgrppl 48 121 0 105 1 0 1 1 0 8 0 ucredpl 104 2384 0 2370 1 0 1 1 0 8 0 zombiepl 144 2003 0 1999 1 0 1 1 0 8 0 processpl 1160 2042 0 1974 6 0 6 6 0 8 0 procpl 656 4298 0 4222 8 1 7 8 0 8 0 sosppl 168 15 0 15 2 2 0 1 0 8 0 sockpl 528 3352 0 3319 17 14 3 12 0 8 0 mcl64k 65536 36 0 36 2 2 0 1 0 8 0 mcl16k 16384 13 0 13 2 2 0 1 0 8 0 mcl12k 12288 1 2 1 1 1 0 1 0 8 0 mcl9k 9216 3 1 3 1 1 0 1 0 8 0 mcl8k 8192 23 2 23 2 2 0 1 0 8 0 mcl4k 4096 4686 0 4626 15 7 8 15 0 8 0 mcl2k2 2112 11 0 11 1 1 0 1 0 8 0 mcl2k 2048 1769 0 1763 12 10 2 11 0 8 0 mtagpl 96 292 0 261 4 1 3 4 0 8 0 mbufpl 256 26278 0 26099 29 11 18 26 0 8 0 bufpl 280 6712 0 485 445 0 445 445 0 8 0 anonpl 24 294875 0 286436 113 39 74 76 0 187 0 amapchunkpl 152 56776 0 56157 48 19 29 33 0 158 5 amappl16 200 5848 0 5585 47 22 25 27 0 8 0 amappl15 192 10 0 9 1 0 1 1 0 8 0 amappl14 184 114 0 104 1 0 1 1 0 8 0 amappl13 176 2 0 2 2 2 0 1 0 8 0 amappl12 168 2697 0 2667 2 0 2 2 0 8 0 amappl11 160 46 0 36 1 0 1 1 0 8 0 amappl10 152 2 0 2 1 1 0 1 0 8 0 amappl9 144 239 0 239 1 1 0 1 0 8 0 amappl8 136 30 0 28 1 0 1 1 0 8 0 amappl7 128 112 0 101 1 0 1 1 0 8 0 amappl6 120 223 0 219 1 0 1 1 0 8 0 amappl5 112 140 0 134 1 0 1 1 0 8 0 amappl4 104 324 0 309 1 0 1 1 0 8 0 amappl3 96 11506 0 11384 4 0 4 4 0 8 0 amappl2 88 701 0 645 2 0 2 2 0 8 0 amappl1 80 14619 0 14065 13 1 12 13 0 8 0 amappl 88 15471 0 15288 5 0 5 5 0 92 0 dma32768 32768 1 0 1 1 1 0 1 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 7 0 7 2 2 0 1 0 8 0 dma128 128 255 0 255 2 2 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 19 0 18 1 0 1 1 0 8 0 aobjpl 72 58 0 5 1 0 1 1 0 8 0 uaddrrnd 24 2002 0 1972 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 2002 0 1972 1 0 1 1 0 8 0 vmmpekpl 168 15583 0 15543 3 0 3 3 0 8 0 vmmpepl 168 127813 0 125627 119 18 101 106 0 357 0 vmsppl 360 2001 0 1972 4 1 3 4 0 8 0 rwobjpl 32 37892 0 30804 58 0 58 58 0 8 0 pdppl 4096 4010 0 3944 102 36 66 74 0 8 0 pvpl 32 863169 0 848426 219 73 146 155 0 265 0 pmappl 216 2001 0 1972 2 0 2 2 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 316 0 94 8 0 8 8 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace savectx() at savectx+0xae end of kernel end trace frame: 0x7295cce85590, count: -1 ddb> machine ddbcpu 1 No such command ddb> trace savectx() at savectx+0xae end of kernel end trace frame: 0x7295cce85590, count: -1