panic: /syzkaller/managers/main/kernel/sys/kern/kern_timeout.c:607: callout_cc_add: Bad list head 0xfffffe0007fbdbd0 first->prev != head
cpuid = 1
time = 1745881128
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe00576a8530
kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe00576a8690
vpanic() at vpanic+0x257/frame 0xfffffe00576a8850
panic() at panic+0xb5/frame 0xfffffe00576a8910
callout_cc_add() at callout_cc_add+0x339/frame 0xfffffe00576a8970
callout_reset_sbt_on() at callout_reset_sbt_on+0x74f/frame 0xfffffe00576a8a90
kern_setitimer() at kern_setitimer+0x835/frame 0xfffffe00576a8bb0
sys_setitimer() at sys_setitimer+0x170/frame 0xfffffe00576a8d10
amd64_syscall() at amd64_syscall+0x4af/frame 0xfffffe00576a8f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe00576a8f30
--- syscall (198, FreeBSD ELF64, __syscall), rip = 0x3a197a, rsp = 0x8211dcf08, rbp = 0x8211dcf80 ---
KDB: enter: panic
[ thread pid 4414 tid 103643 ]
Stopped at kdb_enter+0x6e: movq $0,0x25be387(%rip)
db>
db> set $lines = 0
db> set $maxwidth = 0
db> show registers
cs 0x20
ds 0x3b
es 0x3b
fs 0x13
gs 0x1b
ss 0x28
rax 0x12
rcx 0xfffffe00033eee30
rdx 0xdffff7c000000000
rbx 0xffffffff827a7620 .str.27
rsp 0xfffffe00576a8670
rbp 0xfffffe00576a8690
rsi 0
rdi 0xffffffff830004c0 panicstr
r8 0
r9 0xffffffff
r10 0x69a56dcd713b5ac7
r11 0xfffffe0054925520
r12 0xfffffe0054925000
r13 0xfffffffffffffffd
r14 0xffffffff827a7620 .str.27
r15 0
rip 0xffffffff815fce0e kdb_enter+0x6e
rflags 0x46
kdb_enter+0x6e: movq $0,0x25be387(%rip)
db> show proc
Process 4414 (syz-executor) at 0xfffffe005492f000:
state: NORMAL
uid: 0 gids: 0, 0, 5
parent: pid 3421 at 0xfffffe0054902ac0
ABI: FreeBSD ELF64
flag: 0x10000080 flag2: 0
arguments: ./syz-executor exec
reaper: 0xfffffe0008007040 reapsubtree: 1
sigparent: 20
vmspace: 0xfffffe000800e920 (map 0xfffffe000800e920) (map.pmap 0xfffffe000800e9c0) (pmap 0xfffffe000800ea30)
threads: 2
102430 RunQ syz-executor
103643 Run CPU 1
syz-executor db> ps pid ppid pgrp uid state wmesg wchan cmd 4414 3421 3421 0 R (threaded) syz-executor 102430 RunQ syz-executor 103643 Run CPU 1 syz-executor 4412 3267 3267 0 R (threaded) syz-executor 100126 Run CPU 0 syz-executor 103641 RunQ syz-executor 4411 3245 3245 0 R (threaded) syz-executor 100179 RunQ syz-executor 103640 S uwait 0xfffffe0059ecdc00 syz-executor 3486 3466 3486 0 Ss select 0xfffffe006ee13dc0 dhclient 3473 1 3473 0 Ss select 0xfffffe006edc7640 dhclient 3466 3447 424 65 S select 0xfffffe006ee14540 dhclient 3447 424 424 0 S wait 0xfffffe0054905060 sh 3421 774 3421 0 S nanslp 0xffffffff83b9c501 syz-executor 3296 774 3296 0 R syz-executor 3267 774 3267 0 S nanslp 0xffffffff83b9c500 syz-executor 3245 774 3245 0 S nanslp 0xffffffff83b9c501 syz-executor 864 0 0 0 DL aiordy 0xfffffe005490d580 [aiod4] 863 0 0 0 DL aiordy 0xfffffe005490dae0 [aiod3] 862 0 0 0 DL aiordy 0xfffffe00548e3060 [aiod2] 861 0 0 0 DL aiordy 0xfffffe005490c000 [aiod1] 774 773 771 0 S select 0xfffffe0059ecdec0 syz-executor 773 771 771 0 S (threaded) syz-execprog 100109 S uwait 0xfffffe0059bfbc00 syz-execprog 100112 S uwait 0xfffffe0059bfbf00 syz-execprog 100113 S uwait 0xfffffe0059bfc080 syz-execprog 100114 S uwait 0xfffffe0059bfc180 syz-execprog 100115 S kqread 0xfffffe0008bf4700 syz-execprog 100116 S uwait 0xfffffe006e3b2f00 syz-execprog 100117 S uwait 0xfffffe006e3b4080 syz-execprog 100118 S uwait 0xfffffe0059ecd800 syz-execprog 771 769 771 0 Ss pause 0xfffffe0054902610 csh 769 682 769 0 Ss select 0xfffffe0059ece8c0 sshd 750 1 750 0 Ss+ ttyin 0xfffffe0007ff78b0 getty 749 1 749 0 Ss+ ttyin 0xfffffe0058dcf4b0 getty 748 1 748 0 Ss+ ttyin 0xfffffe0058dcf8b0 getty 747 1 747 0 Ss+ ttyin 0xfffffe0058dcfcb0 getty 746 1 746 0 Ss+ ttyin 0xfffffe0058dd00b0 getty 745 1 745 0 Ss+ ttyin 0xfffffe0058dd04b0 getty 744 1 744 0 Ss+ ttyin 0xfffffe0058dd08b0 getty 743 1 743 0 Ss+ ttyin 0xfffffe0058dd0cb0 getty 742 1 742 0 Ss+ ttyin 0xfffffe0058dd10b0 getty 740 1 18 0 S+ piperd 0xfffffe006e7568a0 
logger 739 738 18 0 S+ nanslp 0xffffffff83b9c501 sleep 738 1 18 0 S+ wait 0xfffffe0008007b00 sh 686 1 686 0 Ss nanslp 0xffffffff83b9c501 cron 682 1 682 0 Ss select 0xfffffe0059ecdd40 sshd 495 1 495 0 Ss select 0xfffffe006e3b4b40 syslogd 424 1 424 0 Ss wait 0xfffffe0054803580 devd 423 1 423 65 Ss select 0xfffffe0059ece140 dhclient 338 1 338 0 Ss select 0xfffffe0059ece0c0 dhclient 335 1 335 0 Ss select 0xfffffe006e3b4640 dhclient 17 0 0 0 DL syncer 0xffffffff83cb9da0 [syncer] 16 0 0 0 DL vlruwt 0xfffffe0008026040 [vnlru] 15 0 0 0 DL (threaded) [bufdaemon] 100080 D psleep 0xffffffff83cb8360 [bufdaemon] 100083 D - 0xffffffff83002140 [bufspacedaemon-0] 100094 D sdflush 0xfffffe0059e9c4e8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83d03380 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100078 D psleep 0xffffffff83ce92f8 [dom0] 100081 D launds 0xffffffff83ce9304 [laundry: dom0] 100082 D umarcl 0xffffffff81dc63e0 [uma] 7 0 0 0 DL - 0xffffffff83919cd0 [rand_harvestq] 6 0 0 0 DL pftm 0xffffffff84771850 [pf purge] 5 0 0 0 DL waiting 0xffffffff845155c0 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100046 D - 0xffffffff838e4340 [doneq0] 100047 D - 0xffffffff838e42c0 [async] 100076 D - 0xffffffff838e4140 [scanner] 3 0 0 0 DL (threaded) [crypto] 100043 D crypto_ 0xffffffff83ce4b00 [crypto] 100044 D crypto_ 0xfffffe005856e030 [crypto returns 0] 100045 D crypto_ 0xfffffe005856e080 [crypto returns 1] 14 0 0 0 DL seqstat 0xfffffe00547f6088 [sequencer 00] 13 0 0 0 DL (threaded) [geom] 100037 D - 0xffffffff83b44f00 [g_event] 100038 D - 0xffffffff83b44f20 [g_up] 100039 D - 0xffffffff83b44f40 [g_down] 2 0 0 0 WL (threaded) [clock] 100031 I [clock (0)] 100032 I [clock (1)] 12 0 0 0 WL (threaded) [intr] 100013 I [swi6: task queue] 100014 I [swi6: Giant taskq] 100016 I [swi5: fast taskq] 100033 I [swi1: netisr 0] 100034 I [swi1: hpts] 100035 I [swi1: hpts] 100048 I [irq24: virtio_pci0] 100049 I [irq25: virtio_pci0] 100050 I [irq26: virtio_pci0] 100051 I [irq27: virtio_pci0] 100052 I [irq28: 
virtio_pci1] 100053 I [irq29: virtio_pci1] 100054 I [irq30: virtio_pci1] 100055 I [irq31: virtio_pci1] 100056 I [irq32: virtio_pci1] 100061 I [irq10: virtio_pci2] 100063 I [irq1: atkbd0] 100064 I [irq12: psm0] 100065 I [swi0: uart uart++] 100069 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffffe0008007040 [init] 10 0 0 0 DL audit_w 0xffffffff83ce55a0 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D parked 0xffffffff84c29ff0 [swapper] 100005 D - 0xfffffe0008bf7d00 [softirq_0] 100006 D - 0xfffffe0008bf7c00 [softirq_1] 100007 D - 0xfffffe0008bf7b00 [if_io_tqg_0] 100008 D - 0xfffffe0008bf7a00 [if_io_tqg_1] 100009 D - 0xfffffe0008bf7900 [if_config_tqg_0] 100010 D - 0xfffffe0008bf7800 [kqueue_ctx taskq] 100011 D - 0xfffffe0008bf7700 [jail_remove taskq] 100012 D - 0xfffffe0008bf7600 [bus taskq] 100015 D - 0xfffffe0008bf7300 [thread taskq] 100017 D - 0xfffffe0008bf7100 [aiod_kick taskq] 100018 D - 0xfffffe0008bf7000 [deferred_unmount ta] 100019 D - 0xfffffe0008bf6e00 [inm_free taskq] 100020 D - 0xfffffe0008bf6d00 [in6m_free taskq] 100021 D - 0xfffffe0008bf6c00 [linuxkpi_irq_wq] 100022 D - 0xfffffe0008bf6b00 [linuxkpi_short_wq_0] 100023 D - 0xfffffe0008bf6b00 [linuxkpi_short_wq_1] 100024 D - 0xfffffe0008bf6b00 [linuxkpi_short_wq_2] 100025 D - 0xfffffe0008bf6b00 [linuxkpi_short_wq_3] 100026 D - 0xfffffe0008bf6a00 [linuxkpi_long_wq_0] 100027 D - 0xfffffe0008bf6a00 [linuxkpi_long_wq_1] 100028 D - 0xfffffe0008bf6a00 [linuxkpi_long_wq_2] 100029 D - 0xfffffe0008bf6a00 [linuxkpi_long_wq_3] 100036 D - 0xfffffe0008bf6900 [firmware taskq] 100041 D - 0xfffffe0008bf6600 [crypto_0] 100042 D - 0xfffffe0008bf6600 [crypto_1] 100057 D - 0xfffffe0008bf6400 [vtnet0 rxq 0] 100058 D - 0xfffffe0008bf6300 [vtnet0 txq 0] 100059 D - 0xfffffe0008bf6200 [vtnet0 rxq 1] 100060 D - 0xfffffe0008bf6100 [vtnet0 txq 1] 100062 D vtbslp 0xfffffe0058587680 [virtio_balloon] 100066 D - 0xffffffff827ac961 [deadlkres] 100070 D - 
0xfffffe0058f59b00 [acpi_task_0] 100071 D - 0xfffffe0058f59b00 [acpi_task_1] 100072 D - 0xfffffe0058f59b00 [acpi_task_2] 100074 D - 0xfffffe0008bf8100 [mca taskq] 100075 D - 0xfffffe0008bf6500 [CAM taskq] 100077 D - 0xfffffe0008bf5e00 [ipsec_offload] db> show all locks Process 4414 (syz-executor) thread 0xfffffe0054925000 (103643) exclusive sleep mutex process lock (process lock) r = 0 (0xfffffe005492f128) locked @ /syzkaller/managers/main/kernel/sys/kern/kern_time.c:841 db> show malloc Type InUse MemUse Requests pf_hash 6 12804K 6 linker 376 5059K 486 tcp_hpts 7 4801K 7 devbuf 4188 4324K 4213 sysctloid 34854 2053K 34929 vtbuf 24 1968K 46 newblk 1830 1482K 5393 kobj 331 1324K 495 inodedep 1406 1039K 7080 vfscache 3 1025K 3 pcb 24 669K 66 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 472K 4 dirrem 1330 333K 6980 subproc 134 254K 4493 vnet_data 2 224K 2 acpitask 1 224K 1 KTRACE 100 200K 100 acpica 1674 184K 54426 freefile 1333 167K 6965 vmem 5 144K 6 tidhash 3 141K 3 pagedep 49 140K 3537 tfo_ccache 1 128K 1 IP reass 1 128K 1 filedesc 16 121K 7145 DEVFS1 114 114K 141 sem 4 106K 4 gtaskqueue 18 98K 18 bus 997 82K 5063 mtx_pool 3 74K 3 syncache 1 68K 1 NFSD srvcache 3 68K 3 module 521 66K 521 ddb_capture 1 64K 1 umtx 336 42K 336 kdtrace 207 42K 8059 temp 35 37K 2354 BPF 22 36K 43 LRO 34 35K 44 hostcache 1 32K 1 shm 1 32K 1 DEVFS3 128 32K 143 msg 4 30K 4 kbdmux 6 28K 6 routetbl 357 23K 1142 DEVFS_RULE 56 20K 56 ifaddr 67 19K 117 ufs_mount 4 17K 5 proc 3 17K 3 tty 16 16K 16 ithread 90 15K 90 bus-sc 34 15K 1647 eventhandler 163 14K 163 lltable 43 14K 84 ifnet 7 13K 12 ether_multi 152 13K 330 kenv 95 12K 95 GEOM 61 11K 477 CAM queue 5 11K 1528 rman 82 10K 437 rpc 8 9K 8 bmsafemap 4 9K 7044 plimit 23 9K 503 in6_multi 65 9K 125 devstat 4 9K 4 UART 12 9K 12 ksem 1 8K 1 shmfd 1 8K 1 pfs_vncache 1 8K 1 audit_evclass 239 8K 301 taskqueue 69 8K 69 mkdir 56 7K 7048 diradd 56 7K 7039 kqueue 59 7K 4420 sglist 6 7K 6 cred 24 6K 295 CAM DEV 3 6K 510 newdirblk 44 6K 3524 
pfs_nodes 22 6K 22 pf_ifnet 14 6K 45 ufs_dirhash 24 5K 24 UMA 266 5K 266 vt 11 5K 11 memdesc 1 4K 1 MCA 32 4K 32 evdev 4 4K 4 pwddesc 56 4K 7886 acpisem 28 4K 28 proc-args 83 4K 5752 selfd 48 3K 145771 terminal 11 3K 11 session 22 3K 56 indirdep 10 3K 10 acpidev 20 3K 20 hhook 8 3K 10 clone 9 3K 9 uidinfo 3 3K 9 lockf 21 3K 44 ip6ndp 13 3K 25 local_apic 1 2K 1 io_apic 1 2K 1 ipsec-saq 2 2K 2 Unitno 28 2K 70 sctp_ifa 13 2K 25 CAM XPT 22 2K 543 in_multi 6 2K 14 tun 4 2K 9 toponodes 6 2K 6 ipsecpolicy 2 2K 2 select 11 2K 45 freework 6 2K 3504 freeblks 5 2K 3503 msi 9 2K 9 netlink 2 2K 182 softdep 1 1K 1 sahead 1 1K 1 secasvar 1 1K 1 nhops 6 1K 8 vnodemarker 2 1K 10 NFSD session 1 1K 1 CAM periph 4 1K 271 sctp_ifn 6 1K 25 ipsec 3 1K 3 mld 6 1K 11 CC Mem 6 1K 13 igmp 6 1K 11 pfil 6 1K 6 isadev 6 1K 6 mount 16 1K 89 pci_link 10 1K 10 crypto 4 1K 4 encap_export_host 12 1K 12 osd 11 1K 29 DEVFSP 10 1K 47 cdev 2 1K 2 lkpikmalloc 8 1K 9 inpcbpolicy 14 1K 241 chacha20random 1 1K 1 biobuf 1 1K 1 vnodes 1 1K 1 procdesc 2 1K 12 NFSD lckfile 1 1K 1 NFSD V4client 1 1K 1 DEVFS 9 1K 10 CAM SIM 2 1K 2 feeder 7 1K 7 tcpfunc 3 1K 3 loginclass 3 1K 7 prison 6 1K 6 cryptodev 2 1K 49 nexusdev 8 1K 8 apmdev 1 1K 1 atkbddev 2 1K 2 aio 4 1K 4 pmchooks 1 1K 1 filecaps 5 1K 84 CAM path 4 1K 1034 CAM dev queue 2 1K 2 CAM I/O Scheduler 1 1K 1 soname 4 1K 3466 sctp_vrf 1 1K 1 vnet 1 1K 1 pmc 1 1K 1 entropy 2 1K 62 acpiintr 1 1K 1 cpus 2 1K 2 vnet_data_free 1 1K 1 Per-cpu 1 1K 1 p1003.1b 1 1K 1 mqdata 0 0K 0 pf_table 0 0K 0 pf_rule 0 0K 0 pf_altq 0 0K 0 pf_osfp 0 0K 0 pf_krule_item 0 0K 0 pf_temp 0 0K 0 filemon 0 0K 0 tcp_pcm_rack 0 0K 0 tcp_do_rack 0 0K 0 tcp_fsb_rack 0 0K 0 sctp_mcore 0 0K 0 sctp_socko 0 0K 0 sctp_iter 0 0K 31 sctp_mvrf 0 0K 0 sctp_timw 0 0K 0 sctp_cpal 0 0K 0 sctp_cmsg 0 0K 0 sctp_stre 0 0K 0 sctp_athi 0 0K 0 sctp_athm 0 0K 0 sctp_atky 0 0K 0 sctp_atcl 0 0K 0 sctp_a_it 0 0K 31 sctp_aadr 0 0K 0 sctp_stro 0 0K 0 sctp_stri 0 0K 0 sctp_map 0 0K 0