panic: Bad link elm 0xfffff8004dd98500 prev->next != elm cpuid = 1 time = 1621767260 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe00517d1700 vpanic() at vpanic+0x1c7/frame 0xfffffe00517d1760 panic() at panic+0x43/frame 0xfffffe00517d17c0 sctp_inpcb_free() at sctp_inpcb_free+0x1647/frame 0xfffffe00517d1840 sctp_close() at sctp_close+0x12a/frame 0xfffffe00517d1890 soclose() at soclose+0x12c/frame 0xfffffe00517d1910 _fdrop() at _fdrop+0x3a/frame 0xfffffe00517d1940 closef() at closef+0x28b/frame 0xfffffe00517d19d0 closefp_impl() at closefp_impl+0xbb/frame 0xfffffe00517d1a10 kern_dup() at kern_dup+0x782/frame 0xfffffe00517d1ab0 amd64_syscall() at amd64_syscall+0x247/frame 0xfffffe00517d1bf0 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe00517d1bf0 --- syscall (198, FreeBSD ELF64, nosys), rip = 0x285eda, rsp = 0x7fffdfffdf08, rbp = 0x7fffdfffdf70 --- KDB: enter: panic [ thread pid 5727 tid 105772 ] Stopped at kdb_enter+0x67: movq $0,0x163736e(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0x80 rdx 0xffffffff819c36cb rbx 0 rsp 0xfffffe00517d16e0 rbp 0xfffffe00517d1700 rsi 0x1 rdi 0 r8 0 r9 0x8080808080808080 r10 0xfffffe00517d15d0 r11 0x1ffaefff59c r12 0xffffffff82267b90 ddb_dbbe r13 0 r14 0xffffffff81a74c1a r15 0xffffffff81a74c1a rip 0xffffffff81131a97 kdb_enter+0x67 rflags 0x82 kdb_enter+0x67: movq $0,0x163736e(%rip) db> show proc Process 5727 (syz-executor.0) at 0xfffff8004d5b0530: state: NORMAL uid: 0 gids: 0, 0, 5 parent: pid 788 at 0xfffff8004d3d2000 ABI: FreeBSD ELF64 flag: 0x10000080 flag2: 0 arguments: /root/syz-executor.0 reaper: 0xfffff80004bc7530 reapsubtree: 1 sigparent: 20 vmspace: 0xfffffe009504f000 (map 0xfffffe009504f000) (map.pmap 0xfffffe009504f0c0) (pmap 0xfffffe009504f120) threads: 2 100126 RunQ syz-executor.0 105772 Run CPU 1 syz-executor.0 db> ps pid ppid pgrp uid state wmesg wchan cmd 5732 790 790 0 R CPU 0 syz-executor.2 5727 788 788 0 R (threaded) syz-executor.0 100126 RunQ syz-executor.0 105772 Run CPU 1 syz-executor.0 5263 5249 5263 0 Ss select 0xfffff800380442c0 dhclient 5255 1 5255 0 Ss select 0xfffff8004d5a2440 dhclient 5249 5232 436 65 S select 0xfffff8004dcd85c0 dhclient 5232 436 436 0 S wait 0xfffff8004d555000 sh 792 785 792 0 Rs syz-executor.1 790 785 790 0 Ss nanslp 0xffffffff8273c561 syz-executor.2 788 785 788 0 Ss nanslp 0xffffffff8273c561 syz-executor.0 787 785 787 0 Rs syz-executor.3 785 783 783 0 S (threaded) syz-execprog 100114 S uwait 0xfffff80015dbb700 syz-execprog 100117 S uwait 0xfffff80015dca900 syz-execprog 100118 S uwait 0xfffff80015dbff00 syz-execprog 100119 S uwait 0xfffff80015dbf100 syz-execprog 100120 S uwait 0xfffff80015db9f00 syz-execprog 100121 S kqread 0xfffff80015dcaf00 syz-execprog 100122 S uwait 0xfffff80015dbf300 syz-execprog 100123 S uwait 0xfffff80015dbf700 syz-execprog 100124 S uwait 0xfffff80015dbf900 syz-execprog 100125 S uwait 0xfffff80015d7dd00 syz-execprog 783 781 783 0 Ss pause 0xfffff8004d5b0b10 csh 781 694 781 0 Ss select 0xfffff8004d4d0bc0 sshd 760 1 760 0 Ss+ ttyin 0xfffff80015465cb0 getty 759 1 759 0 Ss+ ttyin 0xfffff80015afc4b0 getty 758 1 758 0 Ss+ ttyin 0xfffff80015afccb0 getty 757 1 757 0 Ss+ ttyin 0xfffff80015b004b0 getty 756 1 756 0 Ss+ ttyin 0xfffff80015b00cb0 getty 755 1 755 0 Ss+ ttyin 0xfffff80015a894b0 getty 754 1 754 0 Ss+ ttyin 0xfffff80015a89cb0 getty 753 1 753 0 Ss+ ttyin 0xfffff80015a8c4b0 getty 752 1 752 0 Ss+ ttyin 0xfffff80015a8ccb0 getty 750 1 24 0 S+ piperd 0xfffff80015dad5d0 logger 749 748 24 0 S+ nanslp 0xffffffff8273c560 sleep 748 1 24 0 S+ wait 0xfffff80015e46a60 sh 698 1 698 0 Ss nanslp 0xffffffff8273c561 cron 694 1 694 0 Ss select 0xfffff80015e42a40 sshd 507 1 507 0 Ss select 0xfffff80015f39bc0 syslogd 436 1 436 0 Ss wait 0xfffff80015e7b530 devd 435 1 435 65 Ss select 0xfffff80015e425c0 dhclient 350 1 350 0 Ss select 0xfffff80015d7f740 dhclient 347 1 347 0 Ss select 0xfffff80015d75bc0 dhclient 23 0 0 0 DL vlruwt 0xfffff80015ae7000 [vnlru] 22 0 0 0 DL syncer 0xffffffff8282b9d0 [syncer] 21 0 0 0 DL (threaded) [bufdaemon] 100081 D qsleep 0xffffffff8282aa80 [bufdaemon] 100086 D - 0xffffffff8220ae80 [bufspacedaemon-0] 100099 D sdflush 0xfffff80004dfc4e8 [/ worker] 20 0 0 0 DL psleep 0xffffffff828528c8 [vmdaemon] 19 0 0 0 DL (threaded) [pagedaemon] 100079 D psleep 0xffffffff82846d38 [dom0] 100087 D launds 0xffffffff82846d44 [laundry: dom0] 100088 D umarcl 0xffffffff815cd2b0 [uma] 18 0 0 0 DL - 0xffffffff82570908 [rand_harvestq] 17 0 0 0 DL waiting 0xffffffff82e59828 [sctp_iterator] 16 0 0 0 DL pftm 0xffffffff82f533c0 [pf purge] 15 0 0 0 DL - 0xffffffff828280dc [soaiod4] 9 0 0 0 DL - 0xffffffff828280dc [soaiod3] 8 0 0 0 DL - 0xffffffff828280dc [soaiod2] 7 0 0 0 DL - 0xffffffff828280dc [soaiod1] 6 0 0 0 DL (threaded) [cam] 100044 D - 0xffffffff82447dc0 [doneq0] 100045 D - 0xffffffff82447d40 [async] 100078 D - 0xffffffff82447c10 [scanner] 14 0 0 0 DL seqstat 0xfffff80004dcbc88 [sequencer 00] 5 0 0 0 DL crypto_ 0xfffff80004d99d80 [crypto returns 1] 4 0 0 0 DL crypto_ 0xfffff80004d99d30 [crypto returns 0] 3 0 0 0 DL crypto_ 0xffffffff82844220 [crypto] 13 0 0 0 DL (threaded) [geom] 100035 D - 0xffffffff8271bda0 [g_event] 100036 D - 0xffffffff8271bda8 [g_up] 100037 D - 0xffffffff8271bdb0 [g_down] 2 0 0 0 DL (threaded) [KTLS] 100028 D - 0xfffff80004c39d00 [thr_0] 100029 D - 0xfffff80004c39d80 [thr_1] 12 0 0 0 WL (threaded) [intr] 100012 I [swi5: fast taskq] 100015 I [swi6: task queue] 100017 I [swi6: Giant taskq] 100030 I [swi4: clock (0)] 100031 I [swi4: clock (1)] 100032 I [swi1: netisr 0] 100033 I [swi3: vm] 100046 I [irq24: virtio_pci0] 100047 I [irq25: virtio_pci0] 100048 I [irq26: virtio_pci0] 100049 I [irq27: virtio_pci0] 100050 I [irq28: virtio_pci1] 100051 I [irq29: virtio_pci1] 100052 I [irq30: virtio_pci1] 100053 I [irq31: virtio_pci1] 100054 I [irq32: virtio_pci1] 100059 I [irq10: virtio_pci2] 100061 I [irq1: atkbd0] 100062 I [irq12: psm0] 100063 I [swi0: uart uart++] 100071 I [swi1: pf send] 100084 I [swi1: hpts] 100085 I [swi1: hpts] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffff80004bc7530 [init] 10 0 0 0 DL audit_w 0xffffffff82844730 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D swapin 0xffffffff8271c330 [swapper] 100005 D - 0xfffff80004c63d00 [if_config_tqg_0] 100006 D - 0xfffff80004c63900 [softirq_0] 100007 D - 0xfffff80004c63500 [softirq_1] 100008 D - 0xfffff80004c63100 [if_io_tqg_0] 100009 D - 0xfffff80004c61d00 [if_io_tqg_1] 100010 D - 0xfffff80004c5fd00 [in6m_free taskq] 100011 D - 0xfffff80004c5f900 [aiod_kick taskq] 100013 D - 0xfffff80004c5f100 [kqueue_ctx taskq] 100014 D - 0xfffff80004c58d00 [pci_hp taskq] 100016 D - 0xfffff80004c58500 [inm_free taskq] 100018 D - 0xfffff80004c53d00 [linuxkpi_irq_wq] 100019 D - 0xfffff80004c53900 [thread taskq] 100020 D - 0xfffff80004c53500 [linuxkpi_short_wq_0] 100021 D - 0xfffff80004c53500 [linuxkpi_short_wq_1] 100022 D - 0xfffff80004c53500 [linuxkpi_short_wq_2] 100023 D - 0xfffff80004c53500 [linuxkpi_short_wq_3] 100024 D - 0xfffff80004c53100 [linuxkpi_long_wq_0] 100025 D - 0xfffff80004c53100 [linuxkpi_long_wq_1] 100026 D - 0xfffff80004c53100 [linuxkpi_long_wq_2] 100027 D - 0xfffff80004c53100 [linuxkpi_long_wq_3] 100034 D - 0xfffff80004c39900 [firmware taskq] 100038 D - 0xfffff80004c39500 [crypto_0] 100039 D - 0xfffff80004c39500 [crypto_1] 100055 D - 0xfffff800153dc900 [vtnet0 rxq 0] 100056 D - 0xfffff800153dc500 [vtnet0 txq 0] 100057 D - 0xfffff800153dc100 [vtnet0 rxq 1] 100058 D - 0xfffff800153c6d00 [vtnet0 txq 1] 100060 D vtbslp 0xfffff80015429500 [virtio_balloon] 100064 D - 0xfffff800153c6900 [mca taskq] 100066 D - 0xffffffff81e21530 [deadlkres] 100074 D - 0xfffff80015a1a900 [acpi_task_0] 100075 D - 0xfffff80015a1a900 [acpi_task_1] 100076 D - 0xfffff80015a1a900 [acpi_task_2] 100077 D - 0xfffff80004c39100 [CAM taskq] db> show all locks Process 5732 (syz-executor.2) thread 0xfffffe0095081900 (100222) exclusive sleep mutex process lock (process lock) r = 0 (0xfffff8004dc1bb88) locked @ /syzkaller/managers/main/kernel/sys/kern/subr_trap.c:116 Process 5727 (syz-executor.0) thread 0xfffffe0095055740 (105772) exclusive sleep mutex sctp-inp (inp) r = 0 (0xfffff8004dd98968) locked @ /syzkaller/managers/main/kernel/sys/netinet/sctp_pcb.c:3333 exclusive rw sctp-info (sctp-info) r = 0 (0xfffffe00041ae338) locked @ /syzkaller/managers/main/kernel/sys/netinet/sctp_pcb.c:3331 exclusive sleep mutex sctp-create (inp_create) r = 0 (0xfffff8004dd98988) locked @ /syzkaller/managers/main/kernel/sys/netinet/sctp_pcb.c:3330 db> show malloc Type InUse MemUse Requests sysctloid 34288 12858K 34355 pf_hash 5 11560K 5 devbuf 4216 6982K 4241 tcp_hpts 5 3219K 5 kobj 328 2624K 488 vtbuf 24 2064K 46 newblk 456 1260K 5313 vfscache 3 1035K 3 inodedep 166 685K 4898 acpica 1674 649K 55230 pcb 28 631K 38516 callout 2 528K 2 subproc 132 524K 5809 ufs_quota 1 520K 1 vfs_hash 1 520K 1 intr 4 480K 4 bus 990 378K 3499 linker