panic: /syzkaller/managers/main/kernel/sys/kern/kern_timeout.c:607: callout_cc_add: Bad list head 0xfffffe000845d770 first->prev != head cpuid = 1 time = 1767763345 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe0056f61b30 kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe0056f61c90 vpanic() at vpanic+0x257/frame 0xfffffe0056f61e50 panic() at panic+0xb5/frame 0xfffffe0056f61f10 callout_cc_add() at callout_cc_add+0x339/frame 0xfffffe0056f61f70 callout_reset_sbt_on() at callout_reset_sbt_on+0x74f/frame 0xfffffe0056f62090 tcp_timer_activate() at tcp_timer_activate+0x56c/frame 0xfffffe0056f62110 tcp_default_output() at tcp_default_output+0x6149/frame 0xfffffe0056f626b0 tcp_usr_send() at tcp_usr_send+0xb85/frame 0xfffffe0056f62810 sosend_generic_locked() at sosend_generic_locked+0xc62/frame 0xfffffe0056f629d0 sosend_generic() at sosend_generic+0x87/frame 0xfffffe0056f62a30 sousrsend() at sousrsend+0x112/frame 0xfffffe0056f62ac0 dofilewrite() at dofilewrite+0x133/frame 0xfffffe0056f62b30 kern_writev() at kern_writev+0xd4/frame 0xfffffe0056f62bf0 sys_write() at sys_write+0x230/frame 0xfffffe0056f62d10 amd64_syscall() at amd64_syscall+0x4e2/frame 0xfffffe0056f62f30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0056f62f30 --- syscall (4, FreeBSD ELF64, write), rip = 0x3a8a7a, rsp = 0x820b4dff8, rbp = 0x820b4e030 --- KDB: enter: panic [ thread pid 762 tid 100104 ] Stopped at kdb_enter+0x6e: movq $0,0x2587a77(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xfffffe0002bf1850 rdx 0 rbx 0xffffffff8283c160 .str.27 rsp 0xfffffe0056f61c70 rbp 0xfffffe0056f61c90 rsi 0 rdi 0xffffffff81664139 printf+0x149 r8 0 r9 0xffffffff r10 0 r11 0x33 r12 0xfffffe0058acd000 r13 0xfffffffffffffffd r14 0xffffffff8283c160 .str.27 r15 0 rip 0xffffffff8164d41e kdb_enter+0x6e rflags 0x46 kdb_enter+0x6e: movq $0,0x2587a77(%rip) db> show proc Process 762 (syz-executor) at 0xfffffe0058ad4560: state: NORMAL uid: 0 gid: 0 supp gids: 0, 5 parent: pid 1 at 0xfffffe0007809010 ABI: FreeBSD ELF64 flag: 0x10004000 flag2: 0 arguments: ./syz-executor runner 1 10.128.0.248 30000 reaper: 0xfffffe0007809010 reapsubtree: 1 sigparent: 20 vmspace: 0xfffffe0007811248 (map 0xfffffe0007811248) (map.pmap 0xfffffe00078112e8) (pmap 0xfffffe0007811358) threads: 1 100104 Run CPU 1 syz-executor db> ps pid ppid pgrp uid state wmesg wchan cmd 975 764 764 0 R (threaded) syz-executor 100147 RunQ syz-executor 100314 D reapst 0xfffffe0056ecfa08 syz-executor 100315 RunQ syz-executor 100316 S uwait 0xfffffe00585f2700 syz-executor 967 766 766 -1 TL (threaded) syz-executor 100105 s syz-executor 100302 RunQ syz-executor 100307 s syz-executor 100309 s syz-executor 965 763 763 0 S (threaded) syz-executor 100166 S nanslp 0xffffffff83bb5f40 syz-executor 100298 S lockf 0xfffffe005800d200 syz-executor 100301 S uwait 0xfffffe00585f3b00 syz-executor 961 0 0 0 DL mdwait 0xfffffe00077d6000 [md0] 955 1 765 0 S uwait 0xfffffe0058694100 syz-executor 944 1 766 0 S uwait 0xfffffe00585f3280 syz-executor 942 1 766 0 S uwait 0xfffffe0058694d80 syz-executor 939 1 764 0 SV uwait 0xfffffe00585f1080 syz-executor 933 1 933 0 Ts+ ttyin 0xfffffe0007bf70b0 getty 931 1 931 0 Ts+ ttyin 0xfffffe00599538b0 getty 930 1 764 0 S uwait 0xfffffe0058695000 syz-executor 927 1 927 0 Ts+ ttyin 0xfffffe0007bf78b0 getty 922 1 922 0 Ts+ ttyin 0xfffffe0007bf90b0 getty 921 0 0 0 DL (threaded) [so_splice] 100088 D - 0xfffffe0007a95a80 [thr_0] 100229 D - 0xfffffe0007a95ac0 [thr_1] 919 1 919 0 Ts+ ttyin 0xfffffe0007bf80b0 getty 916 1 916 0 Ts+ ttyin 0xfffffe0007bf88b0 getty 914 1 764 0 S uwait 0xfffffe00585f4e80 syz-executor 912 1 764 0 S uwait 0xfffffe0058694600 syz-executor 908 1 908 0 Ts+ ttyin 0xfffffe00542308b0 getty 906 1 764 0 S uwait 0xfffffe00585f1980 syz-executor 905 1 905 0 Ts+ ttyin 0xfffffe005422dcb0 getty 902 1 765 0 SV uwait 0xfffffe0058695100 syz-executor 897 1 765 0 S uwait 0xfffffe00585f4c80 syz-executor 896 1 896 0 Ts+ ttyin 0xfffffe00542300b0 getty 895 1 763 0 S uwait 0xfffffe00585f1180 syz-executor 893 1 765 0 S uwait 0xfffffe0058694700 syz-executor 890 1 764 0 S uwait 0xfffffe0058695700 syz-executor 889 1 764 0 S uwait 0xfffffe00585f4980 syz-executor 887 1 766 0 S uwait 0xfffffe00585f3900 syz-executor 881 1 764 0 S uwait 0xfffffe00585f1c80 syz-executor 880 1 764 0 S uwait 0xfffffe00585f1b80 syz-executor 870 1 765 0 S uwait 0xfffffe00585f2d80 syz-executor 852 1 766 0 S uwait 0xfffffe0058695300 syz-executor 848 1 766 0 S uwait 0xfffffe00585f2c00 syz-executor 821 1 764 0 S uwait 0xfffffe00585f3580 syz-executor 819 0 0 0 DL aiordy 0xfffffe0058af2560 [aiod4] 818 0 0 0 DL aiordy 0xfffffe0058a04010 [aiod3] 817 0 0 0 DL aiordy 0xfffffe0058af3010 [aiod2] 816 0 0 0 DL aiordy 0xfffffe0058af2ab8 [aiod1] 766 762 766 0 S nanslp 0xffffffff83bb5f40 syz-executor 765 762 765 0 R CPU 0 syz-executor 764 762 764 0 S nanslp 0xffffffff83bb5f40 syz-executor 763 762 763 0 S nanslp 0xffffffff83bb5f40 syz-executor 762 1 760 0 R CPU 1 syz-executor 16 0 0 0 DL syncer 0xffffffff83ce3ae0 [syncer] 15 0 0 0 DL vlruwt 0xfffffe000780a018 [vnlru] 14 0 0 0 DL (threaded) [bufdaemon] 100079 D psleep 0xffffffff83ce2020 [bufdaemon] 100082 D - 0xffffffff83001ec0 [bufspacedaemon-0] 100095 D sdflush 0xfffffe0057f1fce8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83d23380 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100077 D psleep 0xffffffff83d09448 [dom0] 100080 D launds 0xffffffff83d09454 [laundry: dom0] 100081 D umarcl 0xffffffff81e37c30 [uma] 7 0 0 0 DL - 0xffffffff8392e510 [rand_harvestq] 6 0 0 0 DL pftm 0xffffffff843cff80 [pf purge] 5