panic: in_pcblookup_hash_locked: invalid local address cpuid = 0 time = 1676539937 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc7/frame 0xfffffe0007dc1310 kdb_backtrace() at kdb_backtrace+0xd1/frame 0xfffffe0007dc1470 vpanic() at vpanic+0x254/frame 0xfffffe0007dc1550 panic() at panic+0xb5/frame 0xfffffe0007dc1610 in_pcblookup_hash_locked() at in_pcblookup_hash_locked+0xf32/frame 0xfffffe0007dc1750 in_pcb_lport_dest() at in_pcb_lport_dest+0x476/frame 0xfffffe0007dc1810 in_pcbconnect_setup() at in_pcbconnect_setup+0x7e5/frame 0xfffffe0007dc1970 in_pcbconnect() at in_pcbconnect+0x174/frame 0xfffffe0007dc1a80 tcp_connect() at tcp_connect+0xf0/frame 0xfffffe0007dc1ad0 tcp_usr_connect() at tcp_usr_connect+0x244/frame 0xfffffe0007dc1bb0 soconnectat() at soconnectat+0x1b9/frame 0xfffffe0007dc1c10 kern_connectat() at kern_connectat+0x2cc/frame 0xfffffe0007dc1cf0 sys_connect() at sys_connect+0xfb/frame 0xfffffe0007dc1d30 amd64_syscall() at amd64_syscall+0x410/frame 0xfffffe0007dc1f30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0007dc1f30 --- syscall (198, FreeBSD ELF64, __syscall), rip = 0x28e66a, rsp = 0x820773f18, rbp = 0x820773f80 --- KDB: enter: panic [ thread pid 897 tid 100123 ] Stopped at kdb_enter+0x6b: movq $0,0x25823fa(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xfffffe00033eee30 rdx 0xdffff7c000000000 rbx 0 rsp 0xfffffe0007dc1450 rbp 0xfffffe0007dc1470 rsi 0x1 rdi 0 r8 0x3 r9 0xffffffff r10 0 r11 0x45fdb472 r12 0 r13 0xfffffe0092b09720 r14 0xffffffff82ae6760 .str.26 r15 0xffffffff82ae6760 .str.26 rip 0xffffffff8170f89b kdb_enter+0x6b rflags 0x46 kdb_enter+0x6b: movq $0,0x25823fa(%rip) db> show proc Process 897 (syz-executor.0) at 0xfffffe00926f5570: state: NORMAL uid: 0 gids: 0, 0, 5 parent: pid 781 at 0xfffffe008fe92568 ABI: FreeBSD ELF64 flag: 0x10000000 flag2: 0 arguments: /root/syz-executor.0 exec reaper: 0xfffffe00541d4010 reapsubtree: 1 sigparent: 20 vmspace: 0xfffffe0092b69400 (map 0xfffffe0092b69400) (map.pmap 0xfffffe0092b694c0) (pmap 0xfffffe0092b69530) threads: 1 100123 Run CPU 0 syz-executor.0 db> ps pid ppid pgrp uid state wmesg wchan cmd 897 781 781 0 R CPU 0 syz-executor.0 896 890 896 0 Ss select 0xfffffe0007983f40 dhclient 893 1 893 0 Ss select 0xfffffe00079840c0 dhclient 890 883 430 65 S select 0xfffffe0007984040 dhclient 883 430 430 0 S wait 0xfffffe00926f5018 sh 781 779 781 0 Ss nanslp 0xffffffff83c5f401 syz-executor.0 779 777 777 0 S (threaded) syz-execprog 100113 S uwait 0xfffffe008fe2fa00 syz-execprog 100118 S uwait 0xfffffe005787a000 syz-execprog 100119 S wait 0xfffffe008fe93570 syz-execprog 100120 S uwait 0xfffffe005787a200 syz-execprog 100121 S kqread 0xfffffe0058b03500 syz-execprog 100122 S uwait 0xfffffe008fe30280 syz-execprog 100124 S uwait 0xfffffe008fe2f400 syz-execprog 100126 S uwait 0xfffffe008fe30380 syz-execprog 777 775 777 0 Ss pause 0xfffffe0092b020b0 csh 775 688 775 0 Ss select 0xfffffe0007984540 sshd 754 1 754 0 Ss+ ttyin 0xfffffe00540620b0 getty 753 1 753 0 Ss+ ttyin 0xfffffe0057a828b0 getty 752 1 752 0 Ss+ ttyin 0xfffffe0057a82cb0 getty 751 1 751 0 Ss+ ttyin 0xfffffe0057a830b0 getty 750 1 750 0 Ss+ ttyin 0xfffffe0057a834b0 getty 749 1 749 0 Ss+ ttyin 0xfffffe0057a838b0 getty 748 1 748 0 Ss+ ttyin 0xfffffe0057a83cb0 getty 747 1 747 0 Ss+ ttyin 0xfffffe0057a840b0 getty 746 1 746 0 Ss+ ttyin 0xfffffe0057a844b0 getty 744 1 18 0 S+ piperd 0xfffffe0058b852d8 logger 743 742 18 0 S+ nanslp 0xffffffff83c5f401 sleep 742 1 18 0 S+ wait 0xfffffe0057992010 sh 692 1 692 0 Ss nanslp 0xffffffff83c5f400 cron 688 1 688 0 Ss select 0xfffffe0007984440 sshd 501 1 501 0 Ss select 0xfffffe0007984640 syslogd 430 1 430 0 Ss wait 0xfffffe0057991560 devd 429 1 429 65 Ss select 0xfffffe0007984940 dhclient 344 1 344 0 Ss select 0xfffffe0007984a40 dhclient 341 1 341 0 Ss select 0xfffffe00079845c0 dhclient 17 0 0 0 DL syncer 0xffffffff83d848a0 [syncer] 16 0 0 0 DL vlruwt 0xfffffe0056fa3010 [vnlru] 15 0 0 0 DL (threaded) [bufdaemon] 100079 D psleep 0xffffffff83d82ec0 [bufdaemon] 100082 D - 0xffffffff83012180 [bufspacedaemon-0] 100094 D sdflush 0xfffffe00589af4e8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83dba740 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100077 D psleep 0xffffffff83dae5f8 [dom0] 100080 D launds 0xffffffff83dae604 [laundry: dom0] 100081 D umarcl 0xffffffff81e70740 [uma] 7 0 0 0 DL - 0xffffffff83a28e48 [rand_harvestq] 6 0 0 0 DL pftm 0xffffffff848ef270 [pf purge] 5 0 0 0 DL waiting 0xffffffff844b0f80 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100044 D - 0xffffffff838cb340 [doneq0] 100045 D - 0xffffffff838cb2c0 [async] 100076 D - 0xffffffff838cb140 [scanner] 14 0 0 0 DL seqstat 0xfffffe0056ef6c88 [sequencer 00] 3 0 0 0 DL (threaded) [crypto] 100040 D crypto_ 0xffffffff83da9d60 [crypto] 100041 D crypto_ 0xfffffe0007a89030 [crypto returns 0] 100042 D crypto_ 0xfffffe0007a89080 [crypto returns 1] 13 0 0 0 DL (threaded) [geom] 100035 D - 0xffffffff83c34860 [g_event] 100036 D - 0xffffffff83c34880 [g_up] 100037 D - 0xffffffff83c348a0 [g_down] 2 0 0 0 WL (threaded) [clock] 100030 I [clock (0)] 100031 I [clock (1)] 12 0 0 0 WL (threaded) [intr] 100010 I [swi5: fast taskq] 100013 I [swi6: task queue] 100018 I [swi6: Giant taskq] 100029 I [swi1: netisr 0] 100032 I [swi1: hpts] 100033 I [swi1: hpts] 100046 I [irq24: virtio_pci0] 100047 I [irq25: virtio_pci0] 100048 I [irq26: virtio_pci0] 100049 I [irq27: virtio_pci0] 100050 I [irq28: virtio_pci1] 100051 I [irq29: virtio_pci1] 100052 I [irq30: virtio_pci1] 100053 I [irq31: virtio_pci1] 100054 I [irq32: virtio_pci1] 100059 I [irq33: virtio_pci2] 100060 I [irq34: virtio_pci2] 100061 I [irq35: virtio_pci2] 100063 I [irq1: atkbd0] 100064 I [irq12: psm0] 100065 I [swi0: uart uart++] 100069 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 Run CPU 1 [idle: cpu1] 1 0 1 0 SLs wait 0xfffffe00541d4010 [init] 10 0 0 0 DL audit_w 0xffffffff83daa8e0 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D swapin 0xffffffff83c35280 [swapper] 100005 D - 0xfffffe0054085000 [if_config_tqg_0] 100006 D - 0xfffffe0054084e00 [softirq_0] 100007 D - 0xfffffe0054084d00 [softirq_1] 100008 D - 0xfffffe0054084c00 [if_io_tqg_0] 100009 D - 0xfffffe0054084b00 [if_io_tqg_1] 100011 D - 0xfffffe000795f400 [kqueue_ctx taskq] 100012 D - 0xfffffe000795f300 [pci_hp taskq] 100014 D - 0xfffffe000795f100 [inm_free taskq] 100015 D - 0xfffffe000795f000 [aiod_kick taskq] 100016 D - 0xfffffe000795ee00 [in6m_free taskq] 100017 D - 0xfffffe000795ed00 [deferred_unmount ta] 100019 D - 0xfffffe000795eb00 [thread taskq] 100020 D - 0xfffffe000795ea00 [linuxkpi_irq_wq] 100021 D - 0xfffffe000795e900 [linuxkpi_short_wq_0] 100022 D - 0xfffffe000795e900 [linuxkpi_short_wq_1] 100023 D - 0xfffffe000795e900 [linuxkpi_short_wq_2] 100024 D - 0xfffffe000795e900 [linuxkpi_short_wq_3] 100025 D - 0xfffffe000795e800 [linuxkpi_long_wq_0] 100026 D - 0xfffffe000795e800 [linuxkpi_long_wq_1] 100027 D - 0xfffffe000795e800 [linuxkpi_long_wq_2] 100028 D - 0xfffffe000795e800 [linuxkpi_long_wq_3] 100034 D - 0xfffffe000795e500 [firmware taskq] 100038 D - 0xfffffe000795e400 [crypto_0] 100039 D - 0xfffffe000795e400 [crypto_1] 100055 D - 0xfffffe000795e200 [vtnet0 rxq 0] 100056 D - 0xfffffe000795e100 [vtnet0 txq 0] 100057 D - 0xfffffe000795e000 [vtnet0 rxq 1] 100058 D - 0xfffffe000795de00 [vtnet0 txq 1] 100062 D vtbslp 0xfffffe0007985800 [virtio_balloon] 100066 D - 0xffffffff82aeb6a0 [deadlkres] 100070 D - 0xfffffe000795f700 [mca taskq] 100071 D - 0xfffffe0057917200 [acpi_task_0] 100072 D - 0xfffffe0057917200 [acpi_task_1] 100073 D - 0xfffffe0057917200 [acpi_task_2] 100075 D - 0xfffffe000795e300 [CAM taskq] db> show all locks Process 897 (syz-executor.0) thread 0xfffffe0092b09720 (100123) exclusive sleep mutex tcphash (tcphash) r = 0 (0xfffffe00079db7e0) locked @ /syzkaller/managers/main/kernel/sys/netinet/tcp_usrreq.c:1404 exclusive rw tcpinp (tcpinp) r = 0 (0xfffffe0092b67010) locked @ /syzkaller/managers/main/kernel/sys/netinet/tcp_usrreq.c:474 db> show malloc Type InUse MemUse Requests pf_hash 5 11524K 5 tcp_hpts 7 4801K 7 devbuf 4216 4323K 4241 sysctloid 34757 2048K 34828 vtbuf 24 1968K 46 kobj 330 1320K 493 newblk 648 1186K 703 vfscache 3 1025K 3 pcb 20 537K 45 inodedep 28 523K 83 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 472K 4 subproc 113 210K 965 acpica 1674 184K 58126 tidhash 3 141K 3 vmem 3 138K 4 pagedep 11 131K 27 tfo_ccache 1 128K 1 IP reass 1 128K 1 linker 324 127K 353 vnet_data 1 112K 1 DEVFS1 106 106K 117 sem 4 106K 4 bus 1000 82K 5215 mtx_pool 2 72K 2 NFSD srvcache 3 68K 3 syncache 1 68K 1 module 513 65K 513 acpitask 1 64K 1 ddb_capture 1 64K 1 temp 23 37K 1826 filedesc 5 37K 25 BPF 19 36K 19 kdtrace 175 36K 1027 umtx 264 33K 264 hostcache 1 32K 1 shm 1 32K 1 DEVFS3 125 32K 135 msg 4 30K 4 kbdmux 6 28K 6 gtaskqueue 18 26K 18 DEVFS_RULE 56 20K 56 ufs_mount 4 17K 5 proc 3 17K 3 tty 16 16K 16 ithread 97 16K 97 bus-sc 34 15K 1682 ifaddr 40 14K 42 eventhandler 154 13K 154 KTRACE 100 13K 100 kenv 95 12K 95 routetbl 62 11K 227 rman 88 11K 431 GEOM 61 11K 481 CAM queue 5 11K 1528 bmsafemap 2 9K 52 cred 33 9K 243 UART 12 9K 12 devstat 4 9K 4 ksem 1 8K 1 rpc 2 8K 2 shmfd 1 8K 1 pfs_vncache 1 8K 1 pfs_nodes 20 8K 20 audit_evclass 237 8K 296 taskqueue 63 7K 63 ifnet 4 7K 4 sglist 5 7K 5 CAM DEV 3 6K 510 lltable 19 6K 19 ether_multi 68 6K 78 kqueue 48 6K 904 plimit 19 5K 344 ufs_dirhash 24 5K 24 in6_multi 35 5K 35 UMA 267 5K 267 vt 11 5K 11 memdesc 1 4K 1 MCA 32 4K 32 evdev 4 4K 4 pf_ifnet 7 4K 10 acpisem 28 4K 28 hhook 15 4K 17 session 23 3K 37 pwddesc 46 3K 898 proc-args 73 3K 1975 terminal 11 3K 11 clone 9 3K 9 uidinfo 3 3K 8 local_apic 1 2K 1 io_apic 1 2K 1 fpukern_ctx 2 2K 2 dirrem 8 2K 32 ipsec-saq 2 2K 2 lockf 19 2K 29 selfd 31 2K 10875 diradd 14 2K 48 Unitno 27 2K 43 CAM XPT 22 2K 543 msi 12 2K 12 mkdir 10 2K 30 ipsecpolicy 2 2K 2 acpidev 20 2K 20 select 10 2K 40 NFSD session 1 1K 1 softdep 1 1K 1 freefile 8 1K 26 indirdep 4 1K 4 sahead 1 1K 1 secasvar 1 1K 1 vnodemarker 2 1K 12 ip6ndp 6 1K 7 sctp_ifa