panic: Association about to be freed cpuid = 1 time = 2000001303 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc7/frame 0xfffffe0092bbf050 kdb_backtrace() at kdb_backtrace+0xd3/frame 0xfffffe0092bbf1b0 vpanic() at vpanic+0x2b8/frame 0xfffffe0092bbf290 panic() at panic+0xb5/frame 0xfffffe0092bbf350 sctp_lower_sosend() at sctp_lower_sosend+0x2751/frame 0xfffffe0092bbf740 sctp_sosend() at sctp_sosend+0x72c/frame 0xfffffe0092bbf9e0 sosend() at sosend+0xfc/frame 0xfffffe0092bbfa50 kern_sendit() at kern_sendit+0x58a/frame 0xfffffe0092bbfbc0 sendit() at sendit+0x2b0/frame 0xfffffe0092bbfc10 sys_sendto() at sys_sendto+0x182/frame 0xfffffe0092bbfd30 ia32_syscall() at ia32_syscall+0x419/frame 0xfffffe0092bbff30 int0x80_syscall_common() at int0x80_syscall_common+0x9c/frame 0xfbffcf78 KDB: enter: panic [ thread pid 53711 tid 159414 ] Stopped at kdb_enter+0x6b: movq $0,0x270a69a(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0 rax 0x12 rcx 0x9e6d48c5a03fe78 rdx 0x1 rbx 0 rsp 0xfffffe0092bbf190 rbp 0xfffffe0092bbf1b0 rsi 0 rdi 0xffffffff8177a5ea vprintf+0x35a r8 0 r9 0xffffffff r10 0 r11 0xfffffe0092469530 r12 0xfffffe0092469020 r13 0xfffffe0092bbf201 r14 0xffffffff82bb9d20 .str.26 r15 0xffffffff82bb9d20 .str.26 rip 0xffffffff8176db7b kdb_enter+0x6b rflags 0x200046 kernload+0x46 kdb_enter+0x6b: movq $0,0x270a69a(%rip) db> show proc Process 53711 (syz-executor.2) at 0xfffffe009a183000: state: NORMAL uid: 0 gids: 0, 0, 5 parent: pid 14035 at 0xfffffe009a184548 ABI: FreeBSD ELF32 flag: 0x10000080 flag2: 0 arguments: /root/syz-executor.2 exec reaper: 0xfffffe0053dde000 reapsubtree: 1 sigparent: 20 vmspace: 0xfffffe00926603f0 (map 0xfffffe00926603f0) (map.pmap 0xfffffe00926604b0) (pmap 0xfffffe0092660518) threads: 3 155410 RunQ syz-executor.2 159414 Run CPU 1 syz-executor.2 159415 S uwait 0xfffffe0058aedf00 syz-executor.2 db> ps pid ppid pgrp uid state wmesg wchan cmd 53712 49950 49950 0 R syz-executor.1 53711 14035 14035 0 R (threaded) syz-executor.2 155410 RunQ syz-executor.2 159414 Run CPU 1 syz-executor.2 159415 S uwait 0xfffffe0058aedf00 syz-executor.2 53709 14075 14075 0 R (threaded) syz-executor.0 155560 RunQ syz-executor.0 159416 RunQ syz-executor.0 53707 51820 51820 0 R (threaded) syz-executor.3 156109 RunQ syz-executor.3 159412 S uwait 0xfffffe0058aed880 syz-executor.3 51820 774 51820 0 Rs syz-executor.3 50039 50033 50039 0 Ss select 0xfffffe009a07bbc0 dhclient 50036 1 50036 0 Ss select 0xfffffe009ad05940 dhclient 50033 50026 430 65 S select 0xfffffe009ab6a0c0 dhclient 50026 430 430 0 S wait 0xfffffe009a3ec548 sh 49950 774 49950 0 Rs CPU 0 syz-executor.1 18427 1 18427 65 Ss select 0xfffffe0099b5cf40 dhclient 17777 1 17777 0 Ss select 0xfffffe0099f37940 dhclient 17773 1 17773 0 Ss select 0xfffffe009a0b27c0 dhclient 17746 1 17746 65 Ss select 0xfffffe0058aefec0 dhclient 16917 1 16917 0 Ss select 0xfffffe0099f39140 dhclient 16914 1 16914 0 Ss select 0xfffffe0058aec0c0 dhclient 14075 774 14075 0 Rs syz-executor.0 14035 774 14035 0 Rs syz-executor.2 10366 0 0 0 DL mdwait 0xfffffe0092dc4000 [md0] 6458 0 0 0 DL aiordy 0xfffffe0099af5a90 [aiod4] 6457 0 0 0 DL aiordy 0xfffffe0092dbb000 [aiod3] 6456 0 0 0 DL aiordy 0xfffffe009a183a90 [aiod2] 6455 0 0 0 DL aiordy 0xfffffe0099af4000 [aiod1] 774 772 772 0 S (threaded) syz-fuzzer 100097 S uwait 0xfffffe0053f7c380 syz-fuzzer 100114 S uwait 0xfffffe0053f7bc00 syz-fuzzer 100115 S uwait 0xfffffe0053f7bd00 syz-fuzzer 100116 S kqread 0xfffffe000817fb00 syz-fuzzer 100117 S uwait 0xfffffe0053f7bf00 syz-fuzzer 100118 S uwait 0xfffffe0058aeed00 syz-fuzzer 100119 S uwait 0xfffffe0053f7c080 syz-fuzzer 100121 S uwait 0xfffffe0058aee180 syz-fuzzer 100123 S uwait 0xfffffe0058aeee00 syz-fuzzer 772 770 772 0 Ss pause 0xfffffe0053f05b40 csh 770 688 770 0 Ss select 0xfffffe0092323c40 sshd 754 1 754 0 Ss+ ttyin 0xfffffe00574d7cb0 getty 753 1 753 0 Ss+ ttyin 0xfffffe005873dcb0 getty 752 1 752 0 Ss+ ttyin 0xfffffe00574d50b0 getty 751 1 751 0 Ss+ ttyin 0xfffffe00574d54b0 getty 750 1 750 0 Ss+ ttyin 0xfffffe00574d58b0 getty 749 1 749 0 Ss+ ttyin 0xfffffe00574d5cb0 getty 748 1 748 0 Ss+ ttyin 0xfffffe00574d60b0 getty 747 1 747 0 Ss+ ttyin 0xfffffe00574d64b0 getty 746 1 746 0 Ss+ ttyin 0xfffffe00574d68b0 getty 692 1 692 0 Ss nanslp 0xffffffff83e458c0 cron 688 1 688 0 Ss select 0xfffffe0058aee4c0 sshd 501 1 501 0 Ss select 0xfffffe0092323cc0 syslogd 430 1 430 0 Ss wait 0xfffffe008fe02000 devd 429 1 429 65 Ss select 0xfffffe0058aee540 dhclient 344 1 344 0 Ss select 0xfffffe0092323dc0 dhclient 341 1 341 0 Ss select 0xfffffe0058aef0c0 dhclient 17 0 0 0 DL syncer 0xffffffff83f6b0e0 [syncer] 16 0 0 0 DL vlruwt 0xfffffe0058a91a90 [vnlru] 15 0 0 0 DL (threaded) [bufdaemon] 100080 D psleep 0xffffffff83f696e0 [bufdaemon] 100083 D - 0xffffffff83211f80 [bufspacedaemon-0] 100094 D sdflush 0xfffffe005862f4e8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83f9d180 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100078 D psleep 0xffffffff83f91038 [dom0] 100081 D launds 0xffffffff83f91044 [laundry: dom0] 100082 D umarcl 0xffffffff81ea4540 [uma] 7 0 0 0 DL - 0xffffffff83c01688 [rand_harvestq] 6 0 0 0 DL pftm 0xffffffff8493a530 [pf purge] 5 0 0 0 DL waiting 0xffffffff8471a5a0 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100045 D - 0xffffffff83aa35c0 [doneq0] 100046 D - 0xffffffff83aa3540 [async] 100077 D - 0xffffffff83aa33c0 [scanner] 14 0 0 0 DL seqstat 0xfffffe0056ec5488 [sequencer 00] 3 0 0 0 DL (threaded) [crypto] 100041 D crypto_ 0xffffffff83f8c840 [crypto] 100042 D crypto_ 0xfffffe0053ed6c30 [crypto returns 0] 100043 D crypto_ 0xfffffe0053ed6c80 [crypto returns 1] 13 0 0 0 DL (threaded) [geom] 100036 D - 0xffffffff83e1ae80 [g_event] 100037 D - 0xffffffff83e1aea0 [g_up] 100038 D - 0xffffffff83e1aec0 [g_down] 2 0 0 0 WL (threaded) [clock] 100030 I [clock (0)] 100031 I [clock (1)] 12 0 0 0 WL (threaded) [intr] 100010 I [swi6: Giant taskq] 100017 I [swi5: fast taskq] 100020 I [swi6: task queue] 100029 I [swi1: netisr 0] 100032 I [swi3: busdma] 100033 I [swi1: hpts] 100034 I [swi1: hpts] 100047 I [irq24: virtio_pci0] 100048 I [irq25: virtio_pci0] 100049 I [irq26: virtio_pci0] 100050 I [irq27: virtio_pci0] 100051 I [irq28: virtio_pci1] 100052 I [irq29: virtio_pci1] 100053 I [irq30: virtio_pci1] 100054 I [irq31: virtio_pci1] 100055 I [irq32: virtio_pci1] 100060 I [irq33: virtio_pci2] 100061 I [irq34: virtio_pci2] 100062 I [irq35: virtio_pci2] 100064 I [irq1: atkbd0] 100065 I [irq12: psm0] 100066 I [swi0: uart uart++] 100070 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffffe0053dde000 [init] 10 0 0 0 DL audit_w 0xffffffff83f8d340 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D swapin 0xffffffff83e1b8c0 [swapper] 100005 D - 0xfffffe0053c95b00 [softirq_0] 100006 D - 0xfffffe0053c95900 [softirq_1] 100007 D - 0xfffffe0053c95700 [if_io_tqg_0] 100008 D - 0xfffffe0053c95500 [if_io_tqg_1] 100009 D - 0xfffffe0053c95300 [if_config_tqg_0] 100011 D - 0xfffffe0008181c00 [aiod_kick taskq] 100012 D - 0xfffffe0008181b00 [inm_free taskq] 100013 D - 0xfffffe0008181a00 [linuxkpi_irq_wq] 100014 D - 0xfffffe0008181900 [in6m_free taskq] 100015 D - 0xfffffe0008181800 [deferred_unmount ta] 100016 D - 0xfffffe0008181700 [thread taskq] 100018 D - 0xfffffe0008181500 [kqueue_ctx taskq] 100019 D - 0xfffffe0008181400 [pci_hp taskq] 100021 D - 0xfffffe0008181200 [linuxkpi_short_wq_0] 100022 D - 0xfffffe0008181200 [linuxkpi_short_wq_1] 100023 D - 0xfffffe0008181200 [linuxkpi_short_wq_2] 100024 D - 0xfffffe0008181200 [linuxkpi_short_wq_3] 100025 D - 0xfffffe0008181100 [linuxkpi_long_wq_0] 100026 D - 0xfffffe0008181100 [linuxkpi_long_wq_1] 100027 D - 0xfffffe0008181100 [linuxkpi_long_wq_2] 100028 D - 0xfffffe0008181100 [linuxkpi_long_wq_3] 100035 D - 0xfffffe0053f33300 [firmware taskq] 100039 D - 0xfffffe0053f33200 [crypto_0] 100040 D - 0xfffffe0053f33200 [crypto_1] 100056 D - 0xfffffe0053f32d00 [vtnet0 rxq 0] 100057 D - 0xfffffe0053f32c00 [vtnet0 txq 0] 100058 D - 0xfffffe0053f32b00 [vtnet0 rxq 1] 100059 D - 0xfffffe0053f32a00 [vtnet0 txq 1] 100063 D vtbslp 0xfffffe0056fa1480 [virtio_balloon] 100067 D - 0xffffffff82bbfba0 [deadlkres] 100071 D - 0xfffffe0008182100 [mca taskq] 100073 D - 0xfffffe0053f32500 [acpi_task_0] 100074 D - 0xfffffe0053f32500 [acpi_task_1] 100075 D - 0xfffffe0053f32500 [acpi_task_2] 100076 D - 0xfffffe0053f32e00 [CAM taskq] db> show all locks Process 53711 (syz-executor.2) thread 0xfffffe0092469020 (159414) exclusive sleep mutex sctp-tcb (tcb) r = 0 (0xfffffe009b5b51a0) locked @ /syzkaller/managers/i386/kernel/sys/netinet/sctp_output.c:13506 Process 49950 (syz-executor.1) thread 0xfffffe009a5513a0 (155387) shared sx vm map (user) (vm map (user)) r = 0 (0xfffffe00927d7060) locked @ /syzkaller/managers/i386/kernel/sys/vm/vm_map.c:4934 db> show malloc Type InUse MemUse Requests pf_hash 5 11524K 5 tcp_hpts 6 4801K 6 devbuf 4217 4323K 4246 pcb 2640 3482K 193273 sysctloid 35306 2080K 35377 vtbuf 24 1968K 46 sctp_stro 1315 1315K 33410 kobj 327 1308K 497 newblk 14 1028K 68602 vfscache 3 1025K 3 inodedep 1356 1021K 53551 sctp_atcl 2629 986K 131105 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 472K 4 dirrem 1338 335K 52985 vmem 3 274K 6 subproc 142 271K 53821 acpica 1674 184K 56014 vnet_data 1 168K 1 freefile 1333 167K 52951 sctp_atky 3947 165K 167530 tidhash 3 141K 3 filedesc 18 137K 104417 linker 358 134K 386 pagedep 13 131K 52268 tfo_ccache 1 128K 1 DEVFS1 110 110K 163 sctp_timw 425 107K 425 sem 4 106K 4 bus 991 81K 5140 mtx_pool 2 72K 2 BPF 38 71K 102 syncache 1 68K 1 module 512 64K 512 acpitask 1 64K 1 ddb_capture 1 64K 1 umtx 396 50K 396 kdtrace 222 45K 113130 sctp_map 2630 42K 65588 sctp_athm 2629 42K 132957 routetbl 724 37K 2505 temp 35 35K 16508 DEVFS3 129 33K 151 hostcache 1 32K 1 shm 1 32K 846 msg 4 30K 4 gtaskqueue 18 26K 18 kbdmux 6 22K 6 DEVFS_RULE 56 20K 56 ifaddr 70 20K 190 ufs_mount 4 17K 5 proc 3 17K 3 tty 16 16K 16 ithread 100 16K 100 bus-sc 34 15K 1651 ifnet 8 15K 19 lltable 43 14K 403 KTRACE 100 13K 202 ether_multi 152 13K 541 kenv 95 12K 95 GEOM 68 12K 536 eventhandler 134 12K 134 rman 88 11K 429 CAM queue 5 11K 1528 in6_multi 65 9K 207 bmsafemap 2 9K 53451 UART 12 9K 12 devstat 4 9K 4 ksem 1 8K 144 rpc 2 8K 2 shmfd 1 8K 48 pfs_vncache 1 8K 1 pfs_nodes 20 8K 20 audit_evclass 237 8K 296 taskqueue 63 7K 63 cred 26 7K 458 sglist 5 7K 5 CAM DEV 3 6K 510 kqueue 62 6K 53803 plimit 23 6K 806 pf_ifnet 13 5K 124 ufs_dirhash 24 5K 24 UMA 272 5K 272 DEVFSP 66 5K 4597 vt 11 5K 11 pf_table 2 4K 51 memdesc 1 4K 1 MCA 32 4K 32 md_disk 1 4K 1 evdev 4 4K 4 session 31 4K 160 pwddesc 60 4K 54475 acpisem 28 4K 28 hhook 15 4K 17 proc-args 88 4K 56179 sctp_ifa 26 4K 42 kcovinfo 52 4K 260 lockf 29 4K 114 selfd 45 3K 715014 terminal 11 3K 11 ip6ndp 15 3K 43 sctp_stri 5 3K 3610 uidinfo 3 3K 34 local_apic 1 2K 1 io_apic 1 2K 1 fpukern_ctx 2 2K 2 ipsec-saq 2 2K 2 select 16 2K 117 mkdir 13 2K 104454 diradd 13 2K 53029 CAM XPT 22 2K 543 Unitno 25 2K 453 sctp_aadr 24 2K 3758 msi 12 2K 12 in_multi 6 2K 22 freework 5 2K 59019 ipsecpolicy 2 2K 2 acpidev 20 2K 20 clone 9 2K 9 tun 7 2K 19 softdep 1 1K 1 newdirblk 8 1K 52227 freeblks 4 1K 53263 sahead 1 1K 1 secasvar 1 1K 1 nhops 6 1K 14 vnodemarker 2 1K 156 NFSD session 1 1K 1 CAM periph 4 1K 271 sctp_ifn 6 1K 42 ipsec 3 1K 3 mld 6 1K 18 igmp 6 1K 18 toponodes 6 1K 6 isadev 6 1K 6 mount 16 1K 89 pci_link 10 1K 10 tcp_fsb 21 1K 4498 crypto 4 1K 4 encap_export_host 12 1K 12 pf_osfp 5 1K 5 inpcbpolicy 16 1K 35814 pfil 4 1K 4 procdesc 4 1K 36 cdev 2 1K 2 osd 8 1K 15851 chacha20random 1 1K 1 NFSD lckfile 1 1K 1 NFSD V4client 1 1K 1 DEVFS 9 1K 10 CC Mem 4 1K 15883 vnodes 1 1K 1 CAM SIM 2 1K 2 sigio 4 1K 5 feeder 7 1K 7 tcpfunc 3 1K 3 loginclass 3 1K 6 prison 6 1K 6 lkpikmalloc 5 1K 6 aesni_data 2 1K 2 soname 5 1K 90201 pf_rule 1 1K 24 cryptodev 2 1K 3999 nexusdev 8 1K 8 apmdev 1 1K 1 atkbddev 2 1K 2 CAM dev queue 2 1K 2 CAM I/O Scheduler 1 1K 1 CAM path 4 1K 1034 pmchooks 1 1K 1 sctp_vrf 1 1K 1 vnet 1 1K 1 entropy 2 1K 79 pmc 1 1K 1 acpiintr 1 1K 1 filecaps 4 1K 205 cpus 2 1K 2 vnet_data_free 1 1K 1 Per-cpu 1 1K 1 p1003.1b 1 1K 1 mqdata 0 0K 0 pf_altq 0 0K 0 pf_temp 0 0K 0 filemon 0 0K 753 sctp_mcore 0 0K 0 sctp_socko 0 0K 45176 sctp_iter 0 0K 424 sctp_mvrf 0 0K 0 sctp_cpal 0 0K 384 sctp_cmsg 0 0K 0 sctp_stre 0 0K 0 sctp_athi 0 0K 0 sctp_a_it 0 0K 56 ipcomp 0 0K 0 esp 0 0K 0 ah 0 0K 0 NFSCL session 0 0K 0 NFSCL sockreq 0 0K 0 madt_table 0 0K