login: panic: sx lock still held
cpuid = 1
time = 1580545264
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe00244d3870
vpanic() at vpanic+0x1ce/frame 0xfffffe00244d38e0
panic() at panic+0x43/frame 0xfffffe00244d3940
sx_destroy() at sx_destroy+0x63/frame 0xfffffe00244d3960
solisten_proto() at solisten_proto+0xde/frame 0xfffffe00244d39c0
tcp6_usr_listen() at tcp6_usr_listen+0x1dc/frame 0xfffffe00244d3a30
solisten() at solisten+0x7a/frame 0xfffffe00244d3a70
kern_listen() at kern_listen+0x125/frame 0xfffffe00244d3ab0
amd64_syscall() at amd64_syscall+0x499/frame 0xfffffe00244d3bf0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe00244d3bf0
--- syscall (198, FreeBSD ELF64, nosys), rip = 0x4132ea, rsp = 0x7fffdfffdf38, rbp = 0x2 ---
KDB: enter: panic
[ thread pid 807 tid 100136 ]
Stopped at kdb_enter+0x67: movq $0,0x1466be6(%rip)
db>
db> set $lines = 0
db> set $maxwidth = 0
db> show registers
cs 0x20
ds 0x3b ll+0x1a
es 0x3b ll+0x1a
fs 0x13
gs 0x1b
ss 0x28 ll+0x7
rax 0x12
rcx 0x80 ll+0x5f
rdx 0xffffffff81899f37
rbx 0
rsp 0xfffffe00244d3850
rbp 0xfffffe00244d3870
rsi 0x1
rdi 0
r8 0
r9 0xffffffff
r10 0xa03515d2
r11 0x3c8de3c5
r12 0xffffffff82068d90 ddb_dbbe
r13 0
r14 0xffffffff81938d96
r15 0xffffffff81938d96
rip 0xffffffff810af4b7 kdb_enter+0x67
rflags 0x82 ll+0x61
kdb_enter+0x67: movq $0,0x1466be6(%rip)
db> show proc
Process 807 (syz-executor.0) at 0xfffff8003aa51530:
state: NORMAL
uid: 0 gids: 0, 0, 5
parent: pid 773 at 0xfffff8003aa51a60
ABI: FreeBSD ELF64
arguments: /root/syz-executor.0
reaper: 0xfffff800032fb530 reapsubtree: 1
sigparent: 20
vmspace: 0xfffff8003a6e5000
(map 0xfffff8003a6e5000)
(map.pmap 0xfffff8003a6e50c0)
(pmap 0xfffff8003a6e5120)
threads: 5
100108 RunQ syz-executor.0
100136 Run CPU 1 syz-executor.0
100137 S msgrcv 0xfffffe0004cf74b0 syz-executor.0
100138 S msgrcv 0xfffffe0004cf74b0 syz-executor.0
100139 Run CPU 0 syz-executor.0
db> ps
pid ppid pgrp uid state wmesg wchan cmd
807 773 773 60929 R 
(threaded) syz-executor.0 100108 RunQ syz-executor.0 100136 Run CPU 1 syz-executor.0 100137 S msgrcv 0xfffffe0004cf74b0 syz-executor.0 100138 S msgrcv 0xfffffe0004cf74b0 syz-executor.0 100139 Run CPU 0 syz-executor.0 802 796 802 0 Ss select 0xfffff80003d26e40 dhclient 799 1 799 0 Ss select 0xfffff8003a264b40 dhclient 796 788 422 65 S select 0xfffff80003d26ec0 dhclient 788 422 422 0 S wait 0xfffff80003d8aa60 sh 773 771 773 0 Ss nanslp 0xffffffff824feca0 syz-executor.0 771 769 769 0 S (threaded) syz-execprog 100090 S uwait 0xfffff80003a5c000 syz-execprog 100099 S uwait 0xfffff80003a5c100 syz-execprog 100100 S kqread 0xfffff80003b46000 syz-execprog 100101 S uwait 0xfffff80003a5b180 syz-execprog 100102 S uwait 0xfffff80003a5b280 syz-execprog 100103 S uwait 0xfffff80003a5b380 syz-execprog 100105 S uwait 0xfffff80003d61e80 syz-execprog 100106 S uwait 0xfffff80003d60000 syz-execprog 100107 S uwait 0xfffff80003d60100 syz-execprog 769 767 769 0 Ss pause 0xfffff80003df65d8 csh 767 680 767 0 Ss select 0xfffff8003a2634c0 sshd 746 1 746 0 Ss+ ttyin 0xfffff800033f9cb0 getty 745 1 745 0 Ss+ ttyin 0xfffff800033facb0 getty 744 1 744 0 Ss+ ttyin 0xfffff80003acb0b0 getty 743 1 743 0 Ss+ ttyin 0xfffff80003acb4b0 getty 742 1 742 0 Ss+ ttyin 0xfffff80003acb8b0 getty 741 1 741 0 Ss+ ttyin 0xfffff80003acbcb0 getty 740 1 740 0 Ss+ ttyin 0xfffff80003ace0b0 getty 739 1 739 0 Ss+ ttyin 0xfffff80003ace4b0 getty 738 1 738 0 Ss+ ttyin 0xfffff80003ace8b0 getty 736 1 22 0 S+ piperd 0xfffff80003d9abe0 logger 735 734 22 0 S+ nanslp 0xffffffff824feca1 sleep 734 1 22 0 S+ wait 0xfffff80003f29000 sh 684 1 684 0 Ss nanslp 0xffffffff824feca0 cron 680 1 680 0 Ss select 0xfffff8003a263dc0 sshd 493 1 493 0 Ss select 0xfffff8003a263540 syslogd 422 1 422 0 Ss wait 0xfffff80003b0d530 devd 421 1 421 65 Ss select 0xfffff80003d29240 dhclient 336 1 336 0 Ss select 0xfffff80003d29340 dhclient 333 1 333 0 Ss select 0xfffff80003d292c0 dhclient 21 0 0 0 DL vlruwt 0xfffff80003b0da60 [vnlru] 20 0 0 0 DL syncer 
0xffffffff825d5158 [syncer] 19 0 0 0 DL (threaded) [bufdaemon] 100065 D qsleep 0xffffffff825d4658 [bufdaemon] 100066 D - 0xffffffff8200a980 [bufspacedaemon-0] 100081 D sdflush 0xfffff80003d01ce8 [/ worker] 18 0 0 0 DL psleep 0xffffffff825f00c8 [vmdaemon] 17 0 0 0 DL (threaded) [pagedaemon] 100063 D psleep 0xffffffff8261cfd8 [dom0] 100069 D launds 0xffffffff8261cfe4 [laundry: dom0] 100070 D umarcl 0xffffffff8153efa0 [uma] 16 0 0 0 DL - 0xffffffff82359530 [rand_harvestq] 15 0 0 0 DL waiting 0xffffffff826625a0 [sctp_iterator] 9 0 0 0 DL - 0xffffffff825d405c [soaiod4] 8 0 0 0 DL - 0xffffffff825d405c [soaiod3] 7 0 0 0 DL - 0xffffffff825d405c [soaiod2] 6 0 0 0 DL - 0xffffffff825d405c [soaiod1] 5 0 0 0 DL (threaded) [cam] 100031 D - 0xffffffff82234940 [doneq0] 100062 D - 0xffffffff82234808 [scanner] 4 0 0 0 DL crypto_ 0xfffff800031f8e90 [crypto returns 1] 3 0 0 0 DL crypto_ 0xfffff800031f8e30 [crypto returns 0] 2 0 0 0 DL crypto_ 0xffffffff825ea138 [crypto] 14 0 0 0 DL seqstat 0xfffff8000336a888 [sequencer 00] 13 0 0 0 DL (threaded) [geom] 100022 D - 0xffffffff8261b608 [g_event] 100023 D - 0xffffffff8261b618 [g_up] 100024 D - 0xffffffff8261b610 [g_down] 12 0 0 0 WL (threaded) [intr] 100006 I [swi5: fast taskq] 100010 I [swi6: task queue] 100011 I [swi6: Giant taskq] 100017 I [swi3: vm] 100018 I [swi4: clock (0)] 100019 I [swi4: clock (1)] 100020 I [swi1: netisr 0] 100032 I [irq24: virtio_pci0] 100033 I [irq25: virtio_pci0] 100034 I [irq26: virtio_pci0] 100035 I [irq27: virtio_pci0] 100036 I [irq28: virtio_pci1] 100037 I [irq29: virtio_pci1] 100038 I [irq30: virtio_pci1] 100039 I [irq31: virtio_pci1] 100040 I [irq32: virtio_pci1] 100045 I [irq10: virtio_pci2] 100047 I [irq1: atkbd0] 100048 I [irq12: psm0] 100049 I [swi0: uart uart++] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffff800032fb530 [init] 10 0 0 0 DL audit_w 0xffffffff82663230 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D swapin 0xffffffff82609c48 
[swapper] 100005 D - 0xfffff80003342000 [thread taskq] 100007 D - 0xfffff80003341d00 [kqueue_ctx taskq] 100008 D - 0xfffff80003341c00 [config_0] 100009 D - 0xfffff80003341b00 [aiod_kick taskq] 100012 D - 0xfffff80003341800 [if_config_tqg_0] 100013 D - 0xfffff80003341700 [if_io_tqg_0] 100014 D - 0xfffff80003341600 [if_io_tqg_1] 100015 D - 0xfffff80003341500 [softirq_0] 100016 D - 0xfffff80003341400 [softirq_1] 100021 D - 0xfffff80003341300 [firmware taskq] 100026 D - 0xfffff80003341200 [crypto_0] 100027 D - 0xfffff80003341200 [crypto_1] 100041 D - 0xfffff80003341000 [vtnet0 rxq 0] 100042 D - 0xfffff80003340e00 [vtnet0 txq 0] 100043 D - 0xfffff80003340d00 [vtnet0 rxq 1] 100044 D - 0xfffff80003340c00 [vtnet0 txq 1] 100046 D vtbslp 0xfffff800034d9400 [virtio_balloon] 100050 D - 0xfffff80003340b00 [mca taskq] 100055 D - 0xffffffff81cdcd50 [deadlkres] 100057 D - 0xfffff80003b46100 [acpi_task_0] 100058 D - 0xfffff80003b46100 [acpi_task_1] 100059 D - 0xfffff80003b46100 [acpi_task_2] 100061 D - 0xfffff80003341100 [CAM taskq] db> show all locks Process 807 (syz-executor.0) thread 0xfffff8003aaad000 (100136) exclusive sleep mutex socket (socket) r = 0 (0xfffff80003effa98) locked @ /syzkaller/managers/main/kernel/sys/netinet/tcp_usrreq.c:483 exclusive rw tcpinp (tcpinp) r = 0 (0xfffff8003a67fd78) locked @ /syzkaller/managers/main/kernel/sys/netinet/tcp_usrreq.c:475 db> show malloc Type InUse MemUse Requests devbuf 4213 4851K 4238 vtbuf 24 1968K 46 sysctloid 26737 1565K 26801 kobj 332 1328K 488 newblk 382 1120K 428 vfscache 4 1025K 4 inodedep 60 542K 84 pcb 25 537K 101 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 388K 4 subproc 114 232K 872 acpica 1674 185K 49750 vnet_data 1 168K 1 pagedep 17 132K 27 tfo_ccache 1 128K 1 sem 4 106K 4 DEVFS1 102 102K 113 linker 222 89K 244 bus 964 78K 3308 mtx_pool 2 72K 2 syncache 1 68K 1 acpitask 1 64K 1 ddb_capture 1 64K 1 module 494 62K 494 filedesc 5 37K 27 BPF 19 36K 19 gtaskqueue 22 34K 22 umtx 260 33K 260 hostcache 1 32K 1 
shm 1 32K 1 kdtrace 162 32K 1699 DEVFS3 121 31K 131 msg 4 30K 4 DEVFS_RULE 56 27K 56 kbdmux 6 22K 6 vmem 3 19K 4 temp 22 17K 1665 ufs_mount 3 17K 4 proc 3 17K 3 tty 16 16K 16 tidhash 1 16K 1 ifaddr 41 16K 43 ithread 89 15K 89 bus-sc 30 14K 1394 KTRACE 100 13K 100 kenv 95 12K 99 eventhandler 123 11K 123 cred 40 10K 252 pfs_nodes 20 10K 20 GEOM 60 10K 487 rman 82 10K 423 bmsafemap 3 9K 52 devstat 4 9K 4 UART 12 9K 12 rpc 2 8K 2 shmfd 1 8K 1 pfs_vncache 1 8K 1 audit_evclass 231 8K 289 lltable 20 7K 20 ifnet 4 7K 4 CAM DEV 3 6K 510 ether_multi 73 6K 78 routetbl 37 6K 41 vt 11 6K 11 kqueue 52 6K 812 sglist 5 6K 5 CAM queue 5 6K 1528 in6_multi 41 5K 41 plimit 19 5K 344 ufs_dirhash 24 5K 24 taskqueue 42 5K 42 memdesc 1 4K 1 MCA 32 4K 32 diradd 32 4K 49 evdev 4 4K 4 UMA 236 4K 236 select 27 4K 27 hhook 13 4K 13 session 23 3K 34 pgrp 23 3K 34 acpisem 22 3K 22 dirrem 22 3K 33 terminal 11 3K 11 uidinfo 5 3K 5 proc-args 44 3K 509 local_apic 1 2K 1 io_apic 1 2K 1 ipsec-saq 2 2K 2 lockf 19 2K 29 CAM XPT 22 2K 543 Unitno 25 2K 39 acpidev 20 2K 20 crypto 2 2K 2 msi 9 2K 9 mkdir 9 2K 32 indirdep 4 1K 4 ipsecpolicy 1 1K 1 sahead 1 1K 1 secasvar 1 1K 1 sctp_ifa 8 1K 8 clone 8 1K 8 vnodemarker 2 1K 6 NFSD session 1 1K 1 ip6ndp 6 1K 9 CAM periph 4 1K 271 in_multi 3 1K 4 toponodes 6 1K 6 isadev 6 1K 6 mount 16 1K 86 pci_link 10 1K 10 freefile 5 1K 14 CAM SIM 2 1K 2 softdep 1 1K 1 pfil 4 1K 4 chacha20random 1 1K 1 epoch 4 1K 4 cdev 2 1K 2 newdirblk 7 1K 16 encap_export_host 8 1K 8 inpcbpolicy 13 1K 193 mld 3 1K 3 sctp_ifn 3 1K 3 igmp 3 1K 3 tun 4 1K 4 osd 3 1K 9 DEVFSP 5 1K 5 freework 2 1K 31 freeblks 1 1K 30 vnodes 1 1K 1 NFSD lckfile 1 1K 1 NFSD V4client 1 1K 1 DEVFS 9 1K 10 feeder 7 1K 7 loginclass 3 1K 3 CAM path 4 1K 1034 apmdev 1 1K 1 atkbddev 2 1K 2 pmchooks 1 1K 1 prison 4 1K 4 filecaps 5 1K 72 CAM dev queue 2 1K 2 CAM I/O Scheduler 1 1K 1 soname 4 1K 5765 nexusdev 5 1K 5 entropy 2 1K 38 tcpfunc 1 1K 1 sctp_vrf 1 1K 1 vnet 1 1K 1 acpiintr 1 1K 1 pmc 1 1K 1 cpus 2 1K 2 
vnet_data_free 1 1K 1 Per-cpu 1 1K 1 p1003.1b 1 1K 1 CAM CCB 0 0K 1771 madt_table 0 0K 2 PUC 0 0K 0 ppbusdev 0 0K 0 agtiapi_MemAlloc malloc 0 0K 0 osti_cacheable 0 0K 0 tempbuff 0 0K 0 tempbuff 0 0K 0 pvscsi 0 0K 0 smartpqi 0 0K 0 ag_tgt_map_t malloc 0 0K 0 ag_slr_map_t malloc 0 0K 0 lDevFlags * malloc 0 0K 0 tiDeviceHandle_t * malloc 0 0K 0 ag_portal_data_t malloc 0 0K 0 ag_device_t malloc 0 0K 0 STLock malloc 0 0K 0 CCB List 0 0K 0 iavf 0 0K 0 ixl 0 0K 0 sr_iov 0 0K 0 OCS 0 0K 0 OCS 0 0K 0 nvme 0 0K 0 nvd 0 0K 0 netmap 0 0K 0 mwldev 0 0K 0 MVS driver 0 0K 0 fpukern_ctx 0 0K 0 xen_intr 0 0K 0 CAM ccb queue 0 0K 0 xen_hvm 0 0K 0 legacydrv 0 0K 0 qpidrv 0 0K 0 mrsasbuf 0 0K 0 mpt_user 0 0K 0 dmar_idpgtbl 0 0K 0 dmar_dom 0 0K 0 dmar_ctx 0 0K 0 dmar_dmamap 0 0K 0 mps_user 0 0K 0 MPSSAS 0 0K 0 isci 0 0K 0 bxe_ilt 0 0K 0 xenbus 0 0K 0 vm_fictitious 0 0K 0 mps 0 0K 0 mpr_user 0 0K 0 MPRSAS 0 0K 0 UMAHash 0 0K 0 vm_pgdata 0 0K 0 jblocks 0 0K 0 savedino 0 0K 11 sentinel 0 0K 0 jfsync 0 0K 0 jtrunc 0 0K 0 sbdep 0 0K 2 jsegdep 0 0K 0 jseg 0 0K 0 jfreefrag 0 0K 0 jfreeblk 0 0K 0 jnewblk 0 0K 0 jmvref 0 0K 0 jremref 0 0K 0 jaddref 0 0K 0 freedep 0 0K 0 freefrag 0 0K 5 allocindir 0 0K 0 allocdirect 0 0K 0 ufs_trim 0 0K 0 mactemp 0 0K 0 audit_trigger 0 0K 0 audit_pipe_presel 0 0K 0 audit_pipeent 0 0K 0 audit_pipe 0 0K 0 audit_evname 0 0K 0 audit_bsm 0 0K 0 audit_gidset 0 0K 0 audit_text 0 0K 0 audit_path 0 0K 0 audit_data 0 0K 0 audit_cred 0 0K 0 xform 0 0K 0 NLM 0 0K 0 nfsclient_nlminfo 0 0K 0 nfsclient_lock 0 0K 0 NFS FHA 0 0K 0 ipsec-spdcache 0 0K 0 ipsec-reg 0 0K 0 ipsec-misc 0 0K 0 ipsecrequest 0 0K 0 ip6opt 0 0K 3 ip6_msource 0 0K 0 ip6_moptions 0 0K 0 in6_mfilter 0 0K 0 frag6 0 0K 0 tcplog 0 0K 0 LRO 0 0K 0 sctp_mcore 0 0K 0 sctp_socko 0 0K 0 sctp_iter 0 0K 5 sctp_mvrf 0 0K 0 sctp_timw 0 0K 0 sctp_cpal 0 0K 0 sctp_cmsg 0 0K 0 sctp_stre 0 0K 0 sctp_athi 0 0K 0 sctp_athm 0 0K 0 sctp_atky 0 0K 0 sctp_atcl 0 0K 0 sctp_a_it 0 0K 5 sctp_aadr 0 0K 0 sctp_stro 0 0K 0 sctp_stri 0 
0K 0 sctp_map 0 0K 0 newreno data 0 0K 0 ip_msource 0 0K 0 ip_moptions 0 0K 0 in_mfilter 0 0K 0 ipid 0 0K 0 80211scan 0 0K 0 80211ratectl 0 0K 0 80211power 0 0K 0 80211nodeie 0 0K 0 80211node 0 0K 0 80211mesh_gt 0 0K 0 80211mesh_rt 0 0K 0 80211perr 0 0K 0 80211prep 0 0K 0 80211preq 0 0K 0 80211dfs 0 0K 0 80211crypto 0 0K 0 80211vap 0 0K 0 iflib 0 0K 0 vlan 0 0K 0 gif 0 0K 0 ifdescr 0 0K 0 zlib 0 0K 0 fadvise 0 0K 0 mpr 0 0K 0 statfs 0 0K 201 export_host 0 0K 0 cl_savebuf 0 0K 2 biobuf 0 0K 0 aios 0 0K 0 lio 0 0K 0 acl 0 0K 0 mfibuf 0 0K 0 mbuf_tag 0 0K 48 accf 0 0K 0 pts 0 0K 0 iov 0 0K 13380 ioctlops 0 0K 92 Witness 0 0K 0 stack 0 0K 0 md_sectors 0 0K 0 sbuf 0 0K 288 md_disk 0 0K 0 compressor 0 0K 0 malodev 0 0K 0 SWAP 0 0K 0 LED 0 0K 0 sysctltmp 0 0K 589 sysctl 0 0K 1 ekcd 0 0K 0 dumper 0 0K 0 rctl 0 0K 0 ix_sriov 0 0K 0 aacraidcam 0 0K 0 ix 0 0K 0 ipsbuf 0 0K 0 iirbuf 0 0K 0 cache 0 0K 0 aacraid_buf 0 0K 0 kcovinfo 0 0K 0 prison_racct 0 0K 0 Fail Points 0 0K 0 sigio 0 0K 1 filedesc_to_leader 0 0K 0 tty console 0 0K 0 aaccam 0 0K 0 aacbuf 0 0K 0 zstd 0 0K 0 nvlist 0 0K 0 SCSI ENC 0 0K 0 SCSI sa 0 0K 0 isofs_node 0 0K 0 isofs_mount 0 0K 0 tr_raid5_data 0 0K 0 tr_raid1e_data 0 0K 0 tr_raid1_data 0 0K 0 tr_raid0_data 0 0K 0 tr_concat_data 0 0K 0 md_sii_data 0 0K 0 md_promise_data 0 0K 0 md_nvidia_data 0 0K 0 md_jmicron_data 0 0K 0 md_intel_data 0 0K 0 md_ddf_data 0 0K 0 raid_data 0 0K 72 geom_flashmap 0 0K 0 newnfsmnt 0 0K 0 newnfsclient_req 0 0K 0 NFSCL layrecall 0 0K 0 NFSCL session 0 0K 0 NFSCL sockreq 0 0K 0 NFSCL devinfo 0 0K 0 NFSCL flayout 0 0K 0 NFSCL layout 0 0K 0 NFSD rollback 0 0K 0 NFSCL diroffdiroff 0 0K 0 NEWdirectio 0 0K 0 NEWNFSnode 0 0K 0 NFSCL lck 0 0K 0 NFSCL lckown 0 0K 0 NFSCL client 0 0K 0 NFSCL deleg 0 0K 0 NFSCL open 0 0K 0 NFSCL owner 0 0K 0 NFS fh 0 0K 0 NFS req 0 0K 0 NFSD usrgroup 0 0K 0 NFSD string 0 0K 0 NFSD V4lock 0 0K 0 NFSD V4state 0 0K 0 NFSD srvcache 0 0K 0 msdosfs_fat 0 0K 0 msdosfs_mount 0 0K 0 msdosfs_node 0 0K 0 DEVFS4 0 0K 0 
DEVFS2 0 0K 0 gntdev 0 0K 0 privcmd_dev 0 0K 0 evtchn_dev 0 0K 0 xenstore 0 0K 0 scsi_pass 0 0K 0 ciss_data 0 0K 0 xnb 0 0K 0 xbbd 0 0K 0 xbd 0 0K 0 Balloon 0 0K 0 sysmouse 0 0K 0 vtfont 0 0K 0 ath_hal 0 0K 0 athdev 0 0K 0 ata_pci 0 0K 0 ata_dma 0 0K 0 ata_generic 0 0K 0 amr 0 0K 0 scsi_da 0 0K 69 ata_da 0 0K 0 scsi_ch 0 0K 0 scsi_cd 0 0K 0 USBdev 0 0K 0 USB 0 0K 0 AHCI driver 0 0K 0 agp 0 0K 0 nvme_da 0 0K 0 acpipwr 0 0K 0 twsbuf 0 0K 0 twe_commands 0 0K 0 twa_commands 0 0K 0 tcp_log_dev 0 0K 0 midi buffers 0 0K 0 mixer 0 0K 0 ac97 0 0K 0 hdacc 0 0K 0 hdac 0 0K 0 hdaa 0 0K 0 acpi_perf 0 0K 0 acpicmbat 0 0K 0 SIIS driver 0 0K 0 db> show ktr No such command; use "help" to list available commands db>