Fatal trap 12: page fault while in kernel mode cpuid = 0; apic id = 00 fault virtual address = 0x0 fault code = supervisor read data, page not present instruction pointer = 0x20:0xffffffff81ac8574 stack pointer = 0x28:0xfffffe0056a7d200 frame pointer = 0x28:0xfffffe0056a7d710 code segment = base 0x0, limit 0xfffff, type 0x1b FreeBSD/amd64 = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 2 (clock (0)) rdi: 0000000000000000 rsi: 0000000000000000 rdx: 0000000000000000 rcx: fffffe0002bf1850 r8: 0000000000000000 r9: 00000000060080fe rax: fffffe0000000000 rbx: fffffe0058574800 rbp: fffffe0056a7d710 r10: aa03000000000000 r11: 000000000000001f r12: fffffe0056a7d630 r13: fffffe0056a7d440 r14: 0000000000000000 r15: fffffe00827eb320 trap number = 12 panic: page fault cpuid = 0 time = 25 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe0056a7ca30 kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe0056a7cb90 vpanic() at vpanic+0x257/frame 0xfffffe0056a7cd50 panic() at panic+0xb5/frame 0xfffffe0056a7ce10 trap_pfault() at trap_pfault+0xaf2/frame 0xfffffe0056a7cf50 trap() at trap+0x78e/frame 0xfffffe0056a7d130 calltrap() at calltrap+0x8/frame 0xfffffe0056a7d130 --- trap 0xc, rip = 0xffffffff81ac8574, rsp = 0xfffffe0056a7d200, rbp = 0xfffffe0056a7d710 --- ip6_output() at ip6_output+0x36e4/frame 0xfffffe0056a7d710 sctp_lowlevel_chunk_output() at sctp_lowlevel_chunk_output+0x1bb2/frame 0xfffffe0056a7d9c0 sctp_send_initiate() at sctp_send_initiate+0x1116/frame 0xfffffe0056a7db40 sctp_t1init_timer() at sctp_t1init_timer+0x4f/frame 0xfffffe0056a7db90 sctp_timeout_handler() at sctp_timeout_handler+0xc14/frame 0xfffffe0056a7dcd0 softclock_call_cc() at softclock_call_cc+0x422/frame 0xfffffe0056a7de80 softclock_thread() at softclock_thread+0x200/frame 0xfffffe0056a7def0 fork_exit() at fork_exit+0xcc/frame 0xfffffe0056a7df30 fork_trampoline() at fork_trampoline+0xe/frame 
0xfffffe0056a7df30 --- trap 0, rip = 0, rsp = 0, rbp = 0 --- KDB: enter: panic [ thread pid 2 tid 100031 ] Stopped at kdb_enter+0x6e: movq $0,0x259f897(%rip) db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xfffffe0002bf1850 rdx 0xdffff7c000000000 rbx 0xffffffff82807020 .str.27 rsp 0xfffffe0056a7cb70 rbp 0xfffffe0056a7cb90 rsi 0 rdi 0xffffffff830004e8 panicstr r8 0 r9 0xffffffff r10 0 r11 0x17 r12 0xfffffe000781a780 r13 0xfffffffffffffffe r14 0xffffffff82807020 .str.27 r15 0 rip 0xffffffff8162c37e kdb_enter+0x6e rflags 0x46 kdb_enter+0x6e: movq $0,0x259f897(%rip) db> show proc Process 2 (clock) at 0xfffffe0007808008: state: NORMAL uid: 0 gid: 0 supp gids: 0 parent: pid 0 at 0xffffffff83b560a0 ABI: null flag: 0x10000284 flag2: 0 reaper: 0xffffffff83b560a0 reapsubtree: 2 sigparent: 20 vmspace: 0xffffffff83b57080 (map 0xffffffff83b57080) (map.pmap 0xffffffff83b57120) (pmap 0xffffffff83b57190) threads: 2 100031 Run CPU 0 [clock (0)] 100032 I [clock (1)] db> ps pid ppid pgrp uid state wmesg wchan cmd 1376 1 1376 0 Ss+ ttyin 0xfffffe0058630cb0 getty 1375 1 1375 0 Ss+ ttyin 0xfffffe00586308b0 getty 1374 1 1374 0 Ss+ ttyin 0xfffffe00586304b0 getty 1373 1 1373 0 Ss+ ttyin 0xfffffe00586300b0 getty 1372 1 1372 0 Ss+ ttyin 0xfffffe005862fcb0 getty 1371 1 1371 0 Ss+ ttyin 0xfffffe005862f8b0 getty 1370 1 1370 0 Ss+ ttyin 0xfffffe005862f4b0 getty 1369 1 1369 0 Ss+ ttyin 0xfffffe005862f0b0 getty 1368 1 1368 0 Ss+ ttyin 0xfffffe0058279cb0 getty 1217 0 0 0 DL mdwait 0xfffffe006b76a000 [md1] 1130 0 0 0 DL - 0xffffffff83cbce80 [soaiod4] 1129 0 0 0 DL - 0xffffffff83cbce80 [soaiod3] 1128 0 0 0 DL - 0xffffffff83cbce80 [soaiod2] 1127 0 0 0 DL - 0xffffffff83cbce80 [soaiod1] 968 0 0 0 DL (threaded) [so_splice] 100086 D - 0xfffffe005858f680 [thr_0] 100299 D - 0xfffffe005858f6c0 [thr_1] 920 0 0 0 DL (threaded) [KTLS] 100165 D - 0xfffffe00777e0200 [thr_0] 100220 D - 0xfffffe00777e0280 [thr_1] 100221 D - 0xffffffff83cbe6a8 
[reclaim_0] 815 0 0 0 DL aiordy 0xfffffe00540f8570 [aiod4] 814 0 0 0 DL aiordy 0xfffffe0054005570 [aiod3] 812 0 0 0 DL aiordy 0xfffffe0054112010 [aiod2] 811 0 0 0 DL aiordy 0xfffffe0054112ac0 [aiod1] 16 0 0 0 DL syncer 0xffffffff83cca8a0 [syncer] 15 0 0 0 DL vlruwt 0xfffffe000780a018 [vnlru] 14 0 0 0 DL (threaded) [bufdaemon] 100079 D psleep 0xffffffff83cc8de0 [bufdaemon] 100080 D - 0xffffffff83001ec0 [bufspacedaemon-0] 100093 D sdflush 0xfffffe005862d8e8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83d13d40 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100077 D psleep 0xffffffff83cf9e08 [dom0] 100081 D launds 0xffffffff83cf9e14 [laundry: dom0] 100082 D umarcl 0xffffffff81e12870 [uma] 7 0 0 0 DL - 0xffffffff839255f8 [rand_harvestq] 6 0 0 0 DL pftm 0xffffffff8466ff20 [pf purge] 5 0 0 0 DL waiting 0xffffffff844a2700 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100045 D - 0xffffffff838ef340 [doneq0] 100046 D - 0xffffffff838ef2c0 [async] 100075 D - 0xffffffff838ef140 [scanner] 3 0 0 0 DL (threaded) [crypto] 100042 D crypto_ 0xffffffff83cf56e0 [crypto] 100043 D crypto_ 0xfffffe0053ee4d30 [crypto returns 0] 100044 D crypto_ 0xfffffe0053ee4d80 [crypto returns 1] 13 0 0 0 DL (threaded) [geom] 100037 D - 0xffffffff83b55660 [g_event] 100038 D - 0xffffffff83b55680 [g_up] 100039 D - 0xffffffff83b556a0 [g_down] 2 0 0 0 RL (threaded) [clock] 100031 Run CPU 0 [clock (0)] 100032 I [clock (1)] 12 0 0 0 WL (threaded) [intr] 100013 I [swi6: task queue] 100014 I [swi6: Giant taskq] 100016 I [swi5: fast taskq] 100033 I [swi1: netisr 0] 100034 I [swi1: hpts] 100035 I [swi1: hpts] 100047 I [irq24: virtio_pci0] 100048 I [irq25: virtio_pci0] 100049 I [irq26: virtio_pci0] 100050 I [irq27: virtio_pci0] 100051 I [irq28: virtio_pci1] 100052 I [irq29: virtio_pci1] 100053 I [irq30: virtio_pci1] 100054 I [irq31: virtio_pci1] 100055 I [irq32: virtio_pci1] 100060 I [irq10: virtio_pci2] 100062 I [irq1: atkbd0] 100063 I [irq12: psm0] 100064 I [swi0: uart uart++] 100068 I [swi1: pf send] 11 0 0 0 RL 
(threaded) [idle] 100003 CanRun [idle: cpu0] 100004 Run CPU 1 [idle: cpu1] 1 0 1 0 SLs wait 0xfffffe0007809010 [init] 10 0 0 0 DL audit_w 0xffffffff83cf6180 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D parked 0xffffffff84c4aff0 [swapper] 100005 D - 0xfffffe0053ea0100 [softirq_0] 100006 D - 0xfffffe0053ea0000 [softirq_1] 100007 D - 0xfffffe0053e9fe00 [if_io_tqg_0] 100008 D - 0xfffffe0053e9fd00 [if_io_tqg_1] 100009 D - 0xfffffe0053e9fc00 [if_config_tqg_0] 100010 D - 0xfffffe000776eb00 [kqueue_ctx taskq] 100011 D - 0xfffffe000776ea00 [jail_remove taskq] 100012 D - 0xfffffe000776e900 [bus taskq] 100015 D - 0xfffffe000776e600 [thread taskq] 100017 D - 0xfffffe000776e400 [aiod_kick taskq] 100018 D - 0xfffffe000776e300 [deferred_unmount ta] 100019 D - 0xfffffe000776e200 [inm_free taskq] 100020 D - 0xfffffe000776e100 [in6m_free taskq] 100021 D - 0xfffffe000776e000 [linuxkpi_irq_wq] 100022 D - 0xfffffe000776de00 [linuxkpi_short_wq_0] 100023 D - 0xfffffe000776de00 [linuxkpi_short_wq_1] 100024 D - 0xfffffe000776de00 [linuxkpi_short_wq_2] 100025 D - 0xfffffe000776de00 [linuxkpi_short_wq_3] 100026 D - 0xfffffe000776dd00 [linuxkpi_long_wq_0] 100027 D - 0xfffffe000776dd00 [linuxkpi_long_wq_1] 100028 D - 0xfffffe000776dd00 [linuxkpi_long_wq_2] 100029 D - 0xfffffe000776dd00 [linuxkpi_long_wq_3] 100036 D - 0xfffffe000776db00 [firmware taskq] 100040 D - 0xfffffe000776da00 [crypto_0] 100041 D - 0xfffffe000776da00 [crypto_1] 100056 D - 0xfffffe0057de6e00 [vtnet0 rxq 0] 100057 D - 0xfffffe0057de6d00 [vtnet0 txq 0] 100058 D - 0xfffffe0057de6c00 [vtnet0 rxq 1] 100059 D - 0xfffffe0057de6b00 [vtnet0 txq 1] 100061 D vtbslp 0xfffffe0057de0380 [virtio_balloon] 100065 D - 0xffffffff8280b701 [deadlkres] 100069 D - 0xfffffe00593fd500 [acpi_task_0] 100070 D - 0xfffffe00593fd500 [acpi_task_1] 100071 D - 0xfffffe00593fd500 [acpi_task_2] 100073 D - 0xfffffe000776ec00 [mca taskq] 100074 D - 0xfffffe000776d800 [CAM taskq] 100076 D - 0xfffffe00593fd400 [ipsec_offload] db> show all locks Process 2 
(clock) thread 0xfffffe000781a780 (100031) shared rw sctpinp (sctpinp) r = 0 (0xfffffe006e4f6220) locked @ /syzkaller/managers/main/kernel/sys/netinet/sctp_output.c:4550 exclusive sleep mutex sctp-tcb (tcb) r = 0 (0xfffffe007a386320) locked @ /syzkaller/managers/main/kernel/sys/netinet/sctputil.c:1776 db> show malloc Type InUse MemUse Requests pf_hash 6 12804K 6 linker 420 5547K 852 tcp_hpts 7 4801K 7 devbuf 4187 4324K 4214 sysctloid 35568 2096K 35760 vtbuf 24 1968K 46 kobj 331 1324K 515 newblk 48 1036K 3502 vfscache 3 1025K 3 pcb 24 671K 755 inodedep 184 581K 1272 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 472K 4 vmem 5 276K 9 vnet_data 2 224K 2 acpitask 1 224K 1 subproc 225 219K 1692 KTRACE 101 201K 119470 acpica 1674 184K 54450 tidhash 3 141K 3 pagedep 16 132K 517 tfo_ccache 1 128K 1 IP reass 1 128K 1 DEVFS1 112 112K 143 sem 4 106K 4 gtaskqueue 18 98K 18 bus 1005 82K 5097 mtx_pool 3 74K 3 syncache 1 68K 1 umtx 544 68K 544 NFSD srvcache 3 68K 3 md_sectors 17 68K 34 module 525 66K 532 kdtrace 288 66K 2515 ddb_capture 1 64K 1 freework 217 55K 1238 DEVFS3 131 33K 143 hostcache 1 32K 1 shm 1 32K 12 freeblks 127 32K 620 msg 4 30K 4 kbdmux 6 28K 6 routetbl 543 27K 1483 ifnet 13 25K 14 temp 52 22K 2664 ifaddr 94 21K 121 LRO 20 21K 38 freefile 161 21K 766 DEVFS_RULE 56 20K 56 ufs_mount 4 17K 5 proc 3 17K 3 tty 16 16K 16 lltable 55 16K 96 ithread 90 15K 90 bus-sc 34 15K 1660 eventhandler 163 14K 163 shmfd 10 12K 24 kenv 95 12K 95 GEOM 54 12K 484 CAM queue 5 11K 1528 rman 82 10K 447 rpc 8 9K 8 bmsafemap 3 9K 908 cred 23 9K 352 devstat 4 9K 4 UART 12 9K 12 ksem 1 8K 9 pfs_vncache 1 8K 1 audit_evclass 240 8K 306 taskqueue 69 8K 111 sglist 6 7K 6 CAM DEV 3 6K 510 pf_ifnet 16 6K 41 pfs_nodes 22 6K 22 ufs_dirhash 24 5K 51 md_disk 18 5K 39 UMA 272 5K 273 vt 11 5K 11 memdesc 1 4K 1 MCA 32 4K 32 evdev 4 4K 4 plimit 10 4K 566 acpisem 28 4K 28 tun 9 4K 10 ether_multi 40 4K 357 mount 20 4K 732 dirrem 12 3K 820 in6_multi 25 3K 121 kqueue 45 3K 2113 terminal 11 3K 11 
acpidev 20 3K 20 uidinfo 4 3K 23 hhook 8 3K 10 pwddesc 37 3K 1573 clone 9 3K 10 mkdir 17 3K 940 netlink 2 3K 213 pf_rule 1 2K 1 local_apic 1 2K 1 io_apic 1 2K 1 diradd 16 2K 855 ipsec-saq 2 2K 2 Unitno 30 2K 911 CAM XPT 22 2K 543 toponodes 6 2K 6 ipsecpolicy 2 2K 2 mld 11 2K 12 igmp 11 2K 12 BPF 11 2K 99 lockf 11 2K 213 session 10 2K 62 proc-args 36 2K 2760 ip6ndp 13 2K 25 msi 9 2K 9 newdirblk 9 2K 471 sctp_stro 1 1K 4 softdep 1 1K 1 sahead 1 1K 1 secasvar 1 1K 1 vnodemarker 2 1K 62 NFSD session 1 1K 1 CAM periph 4 1K 271 ipsec 3 1K 3 sctp_timw 3 1K 3 sctp_atcl 2 1K 272 nhops 6 1K 14 pfil 6 1K 6 isadev 6 1K 8 pci_link 10 1K 10 sctp_ifa 5 1K 24 crypto 4 1K 58 encap_export_host 12 1K 12 osd 6 1K 410 in_multi 2 1K 21 cdev 2 1K 2 lkpikmalloc 8 1K 9 counter_rate 13 1K 13 frag6 4 1K 4 ip_msource 6 1K 30 chacha20random 1 1K 1 biobuf 1 1K 1 sctp_ifn 2 1K 24 indirdep 1 1K 523 vnodes 1 1K 15 ktls 1 1K 38 NFSD lckfile 1 1K 1 NFSD V4client 1 1K 1 DEVFS 9 1K 10 CAM SIM 2 1K 2 feeder 7 1K 7 tcpfunc 3 1K 3 loginclass 3 1K 5 prison 6 1K 6 inpcbpolicy 5 1K 1000 sctp_atky 3 1K 278 nexusdev 8 1K 8 apmdev 1 1K 1 atkbddev 2 1K 2 freefrag 1 1K 239 CC Mem 1 1K 392 aio 4 1K 7 pmchooks 1 1K 1 CAM path 4 1K 1034 CAM dev queue 2 1K 2 CAM I/O Scheduler 1 1K 1 sctp_vrf 1 1K 1 vnet 1 1K 1 accf 1 1K 1 iov 1 1K 22191 pmc 1 1K 1 entropy 2 1K 42 acpiintr 1 1K 1 sctp_athm 2 1K 272 sctp_map 2 1K 8 cpus 2 1K 2 vnet_data_free 1 1K 1 Per-cpu 1 1K 1 p1003.1b 1 1K 1 ext2_mount 0 0K 0 ext2_node 0 0K 0 ext2_extents 0 0K 0 tcp_pcm_rack 0 0K 4 tcp_do_rack 0 0K 0 tcp_fsb_rack 0 0K 4 filemon 0 0K 6 mqdata 0 0K 0 pf_table 0 0K 0 pf 0 0K 2 pf_altq 0 0K 0 pf_osfp 0 0K 0 pf_krule_item 0 0K 0 pf_temp 0 0K 0 ipcomp 0 0K 0 esp 0 0K 0 ah 0 0K 0 cryptodev 0 0K 184 sctp_mcore 0 0K 0 sctp_socko 0 0K 33 sctp_iter 0 0K 32 sctp_mvrf 0 0K 0 sctp_cpal 0 0K 0 sctp_cmsg 0 0K 0 sctp_stre 0 0K 0 sctp_athi 0 0K 0 sctp_a_it 0 0K 32 sctp_aadr 0 0K 0 sctp_stri 0 0K 0 madt_table 0 0K 2 smartpqi 0 0K 0 ixl 0 0K 0 ice-resmgr 0 0K 0 
ice-osdep 0 0K 0 ice 0 0K 0 iavf 0 0K 0 axgbe 0 0K 0 fpukern_ctx 0 0K 0 xen_intr 0 0K 0 xen_hvm 0 0K 0 legacydrv 0 0K 0 NMI handlers 0 0K 0 bounce 0 0K 0 busdma 0 0K 0 qpidrv 0 0K 0 dmar_idpgtbl 0 0K 0 dmar_dom 0 0K