login: panic: sx lock still held cpuid = 1 time = 1579285040 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe00244f4870 vpanic() at vpanic+0x1ce/frame 0xfffffe00244f48e0 panic() at panic+0x43/frame 0xfffffe00244f4940 sx_destroy() at sx_destroy+0x63/frame 0xfffffe00244f4960 solisten_proto() at solisten_proto+0xd2/frame 0xfffffe00244f49c0 tcp6_usr_listen() at tcp6_usr_listen+0x1dc/frame 0xfffffe00244f4a30 solisten() at solisten+0x7a/frame 0xfffffe00244f4a70 kern_listen() at kern_listen+0x125/frame 0xfffffe00244f4ab0 ia32_syscall() at ia32_syscall+0x48c/frame 0xfffffe00244f4bf0 int0x80_syscall_common() at int0x80_syscall_common+0x9c/frame 0x8142e7d KDB: enter: panic [ thread pid 808 tid 100123 ] Stopped at kdb_enter+0x67: movq $0,0x1467376(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b ll+0x1a es 0x3b ll+0x1a fs 0x13 gs 0x1b ss 0 rax 0x12 rcx 0x80 ll+0x5f rdx 0xffffffff818ed59d rbx 0 rsp 0xfffffe00244f4850 rbp 0xfffffe00244f4870 rsi 0x1 rdi 0 r8 0 r9 0xffffffff r10 0 r11 0xfffff8003aa2d4f0 r12 0xffffffff82068d90 ddb_dbbe r13 0 r14 0xffffffff819350cb r15 0xffffffff819350cb rip 0xffffffff810aed27 kdb_enter+0x67 rflags 0x200082 kernphys+0x82 kdb_enter+0x67: movq $0,0x1467376(%rip) db> show proc Process 808 (syz-executor.0) at 0xfffff80003d8b530: state: NORMAL uid: 0 gids: 0, 0, 5 parent: pid 773 at 0xfffff8003a2fe530 ABI: FreeBSD ELF32 arguments: /root/syz-executor.0 reaper: 0xfffff800032fa530 reapsubtree: 1 sigparent: 20 vmspace: 0xfffff8003a508000 (map 0xfffff8003a508000) (map.pmap 0xfffff8003a5080c0) (pmap 0xfffff8003a508120) threads: 3 100079 RunQ syz-executor.0 100122 Run CPU 0 syz-executor.0 100123 Run CPU 1 syz-executor.0 db> ps pid ppid pgrp uid state wmesg wchan cmd 808 773 773 0 R (threaded) syz-executor.0 100079 RunQ syz-executor.0 100122 Run CPU 0 syz-executor.0 100123 Run CPU 1 syz-executor.0 805 797 805 0 Ss select 0xfffff8003a9ec5c0 dhclient 801 1 801 0 Ss select 0xfffff80003ceb7c0 dhclient 797 788 422 65 S select 0xfffff80003cec0c0 dhclient 788 422 422 0 S wait 0xfffff8003a4a1a60 sh 773 771 773 0 Ss nanslp 0xffffffff824feca0 syz-executor.0 771 769 769 0 S (threaded) syz-execprog 100096 S uwait 0xfffff80003a48800 syz-execprog 100102 S uwait 0xfffff80003e04900 syz-execprog 100103 S uwait 0xfffff80003e04a00 syz-execprog 100104 S uwait 0xfffff80003e04b00 syz-execprog 100105 S uwait 0xfffff80003e03f00 syz-execprog 100106 S uwait 0xfffff80003e04080 syz-execprog 100107 S uwait 0xfffff80003e04180 syz-execprog 100108 S uwait 0xfffff80003e04e80 syz-execprog 100109 S uwait 0xfffff80003a47a80 syz-execprog 100110 S kqread 0xfffff80003b30e00 syz-execprog 769 767 769 0 Ss pause 0xfffff8003a4a10a8 csh 767 680 767 0 Ss select 0xfffff80003cebf40 sshd 748 1 748 0 Ss+ ttyin 0xfffff800033f7cb0 getty 747 1 747 0 Ss+ ttyin 0xfffff800033f8cb0 getty 746 1 746 0 Ss+ ttyin 0xfffff80003aba0b0 getty 745 1 745 0 Ss+ ttyin 0xfffff80003aba4b0 getty 744 1 744 0 Ss+ ttyin 0xfffff80003aba8b0 getty 743 1 743 0 Ss+ ttyin 0xfffff80003abacb0 getty 742 1 742 0 Ss+ ttyin 0xfffff80003abb0b0 getty 741 1 741 0 Ss+ ttyin 0xfffff80003abb4b0 getty 740 1 740 0 Ss+ ttyin 0xfffff80003abb8b0 getty 738 1 22 0 S+ piperd 0xfffff80003d898e8 logger 737 736 22 0 S+ nanslp 0xffffffff824feca1 sleep 736 1 22 0 S+ wait 0xfffff8003a2fe000 sh 684 1 684 0 Ss nanslp 0xffffffff824feca1 cron 680 1 680 0 Ss select 0xfffff80003cec1c0 sshd 493 1 493 0 Ss select 0xfffff80003cec240 syslogd 422 1 422 0 Ss wait 0xfffff80003544530 devd 421 1 421 65 Ss select 0xfffff80003cec340 dhclient 336 1 336 0 Ss select 0xfffff80003ced8c0 dhclient 333 1 333 0 Ss select 0xfffff80003cec2c0 dhclient 21 0 0 0 DL syncer 0xffffffff825d5118 [syncer] 20 0 0 0 DL vlruwt 0xfffff80003b01000 [vnlru] 19 0 0 0 DL (threaded) [bufdaemon] 100065 D qsleep 0xffffffff825d4618 [bufdaemon] 100070 D - 0xffffffff8200a980 [bufspacedaemon-0] 100080 D sdflush 0xfffff80003cf46e8 [/ worker] 18 0 0 0 DL psleep 0xffffffff825f0088 [vmdaemon] 17 0 0 0 DL (threaded) [pagedaemon] 100063 D psleep 0xffffffff8261cfd8 [dom0] 100068 D launds 0xffffffff8261cfe4 [laundry: dom0] 100069 D umarcl 0xffffffff8153bf50 [uma] 16 0 0 0 DL - 0xffffffff82359530 [rand_harvestq] 15 0 0 0 DL waiting 0xffffffff826625a0 [sctp_iterator] 9 0 0 0 DL - 0xffffffff825d401c [soaiod4] 8 0 0 0 DL - 0xffffffff825d401c [soaiod3] 7 0 0 0 DL - 0xffffffff825d401c [soaiod2] 6 0 0 0 DL - 0xffffffff825d401c [soaiod1] 5 0 0 0 DL (threaded) [cam] 100031 D - 0xffffffff82234940 [doneq0] 100062 D - 0xffffffff82234808 [scanner] 4 0 0 0 DL crypto_ 0xfffff800031f8e90 [crypto returns 1] 3 0 0 0 DL crypto_ 0xfffff800031f8e30 [crypto returns 0] 2 0 0 0 DL crypto_ 0xffffffff825ea0f8 [crypto] 14 0 0 0 DL seqstat 0xfffff80003362888 [sequencer 00] 13 0 0 0 DL (threaded) [geom] 100022 D - 0xffffffff8261b608 [g_event] 100023 D - 0xffffffff8261b618 [g_up] 100024 D - 0xffffffff8261b610 [g_down] 12 0 0 0 WL (threaded) [intr] 100006 I [swi5: fast taskq] 100010 I [swi6: task queue] 100011 I [swi6: Giant taskq] 100017 I [swi3: vm] 100018 I [swi4: clock (0)] 100019 I [swi4: clock (1)] 100020 I [swi1: netisr 0] 100032 I [irq24: virtio_pci0] 100033 I [irq25: virtio_pci0] 100034 I [irq26: virtio_pci0] 100035 I [irq27: virtio_pci0] 100036 I [irq28: virtio_pci1] 100037 I [irq29: virtio_pci1] 100038 I [irq30: virtio_pci1] 100039 I [irq31: virtio_pci1] 100040 I [irq32: virtio_pci1] 100045 I [irq10: virtio_pci2] 100047 I [irq1: atkbd0] 100048 I [irq12: psm0] 100049 I [swi0: uart uart++] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffff800032fa530 [init] 10 0 0 0 DL audit_w 0xffffffff82663230 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D swapin 0xffffffff82609bf8 [swapper] 100005 D - 0xfffff8000333d000 [thread taskq] 100007 D - 0xfffff8000333cd00 [kqueue_ctx taskq] 100008 D - 0xfffff8000333cc00 [config_0] 100009 D - 0xfffff8000333cb00 [aiod_kick taskq] 100012 D - 0xfffff8000333c800 [if_config_tqg_0] 100013 D - 0xfffff8000333c700 [if_io_tqg_0] 100014 D - 0xfffff8000333c600 [if_io_tqg_1] 100015 D - 0xfffff8000333c500 [softirq_0] 100016 D - 0xfffff8000333c400 [softirq_1] 100021 D - 0xfffff8000333c300 [firmware taskq] 100026 D - 0xfffff8000333c200 [crypto_0] 100027 D - 0xfffff8000333c200 [crypto_1] 100041 D - 0xfffff8000333c000 [vtnet0 rxq 0] 100042 D - 0xfffff8000333be00 [vtnet0 txq 0] 100043 D - 0xfffff8000333bd00 [vtnet0 rxq 1] 100044 D - 0xfffff8000333bc00 [vtnet0 txq 1] 100046 D vtbslp 0xfffff800034d4400 [virtio_balloon] 100050 D - 0xfffff8000333bb00 [mca taskq] 100055 D - 0xffffffff81cd8ac1 [deadlkres] 100057 D - 0xfffff80003b31100 [acpi_task_0] 100058 D - 0xfffff80003b31100 [acpi_task_1] 100059 D - 0xfffff80003b31100 [acpi_task_2] 100061 D - 0xfffff8000333c100 [CAM taskq] db> show all locks Process 808 (syz-executor.0) thread 0xfffff8003aa2d6e0 (100122) exclusive sx so_snd_sx (so_snd_sx) r = 0 (0xfffff80003eee278) locked @ /syzkaller/managers/i386/kernel/sys/kern/uipc_sockbuf.c:393 Process 808 (syz-executor.0) thread 0xfffff8003aa2d000 (100123) exclusive sleep mutex socket (socket) r = 0 (0xfffff80003eee000) locked @ /syzkaller/managers/i386/kernel/sys/netinet/tcp_usrreq.c:489 exclusive rw tcpinp (tcpinp) r = 0 (0xfffff8003a5115d8) locked @ /syzkaller/managers/i386/kernel/sys/netinet/tcp_usrreq.c:481 db> show malloc Type InUse MemUse Requests devbuf 4213 4851K 4238 vtbuf 24 1968K 46 sysctloid 26527 1553K 26591 kobj 331 1324K 487 newblk 370 1117K 417 vfscache 4 1025K 4 inodedep 58 541K 85 pcb 26 537K 92 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 388K 4 subproc 105 228K 864 acpica 1674 185K 49750 vnet_data 1 168K 1 pagedep 17 132K 28 tfo_ccache 1 128K 1 sem 4 106K 4 DEVFS1 102 102K 113 linker 221 89K 243 bus 962 78K 3306 mtx_pool 2 72K 2 syncache 1 68K 1 acpitask 1 64K 1 ddb_capture 1 64K 1 module 493 62K 493 filedesc 5 37K 29 BPF 19 36K 19 gtaskqueue 22 34K 22 hostcache 1 32K 1 shm 1 32K 1 kdtrace 161 31K 1687 DEVFS3 121 31K 131 msg 4 30K 4 umtx 240 30K 240 DEVFS_RULE 56 27K 56 kbdmux 6 22K 6 vmem 3 19K 4 temp 22 17K 1665 ufs_mount 3 17K 4 proc 3 17K 3 tty 16 16K 16 tidhash 1 16K 1 ifaddr 41 16K 43 ithread 89 15K 89 bus-sc 30 14K 1394 KTRACE 100 13K 100 kenv 95 12K 99 eventhandler 123 11K 123 pfs_nodes 20 10K 20 GEOM 60 10K 487 rman 82 10K 423 bmsafemap 2 9K 52 devstat 4 9K 4 UART 12 9K 12 rpc 2 8K 2 shmfd 1 8K 1 pfs_vncache 1 8K 1 lltable 21 8K 21 audit_evclass 231 8K 289 cred 28 7K 240 ifnet 4 7K 4 CAM DEV 3 6K 508 ether_multi 73 6K 78 vt 11 6K 11 kqueue 52 6K 813 sglist 5 6K 5 CAM queue 5 6K 1522 in6_multi 41 5K 41 routetbl 37 5K 41 plimit 19 5K 344 ufs_dirhash 24 5K 24 taskqueue 42 5K 42 memdesc 1 4K 1 MCA 32 4K 32 diradd 32 4K 50 evdev 4 4K 4 UMA 234 4K 234 hhook 13 4K 13 select 24 3K 24 dirrem 23 3K 34 session 23 3K 34 pgrp 23 3K 34 acpisem 22 3K 22 terminal 11 3K 11 uidinfo 4 3K 4 proc-args 44 3K 509 local_apic 1 2K 1 io_apic 1 2K 1 ipsec-saq 2 2K 2 lockf 19 2K 29 CAM XPT 22 2K 541 Unitno 25 2K 39 ip6ndp 8 2K 9 acpidev 20 2K 20 crypto 2 2K 2 msi 9 2K 9 mkdir 9 2K 34 indirdep 4 1K 4 ipsecpolicy 1 1K 1 sahead 1 1K 1 secasvar 1 1K 1 sctp_ifa 8 1K 8 clone 8 1K 8 vnodemarker 2 1K 8 NFSD session 1 1K 1 CAM periph 4 1K 270 freefile 6 1K 15 in_multi 3 1K 4 toponodes 6 1K 6 isadev 6 1K 6 mount 16 1K 86 pci_link 10 1K 10 CAM SIM 2 1K 2 softdep 1 1K 1 pfil 4 1K 4 chacha20random 1 1K 1 epoch 4 1K 4 cdev 2 1K 2 inpcbpolicy 15 1K 175 newdirblk 7 1K 17 encap_export_host 8 1K 8 mld 3 1K 3 sctp_ifn 3 1K 3 igmp 3 1K 3 tun 4 1K 4 osd 3 1K 9 DEVFSP 5 1K 5 freework 2 1K 32 freeblks 1 1K 31 vnodes 1 1K 1 NFSD lckfile 1 1K 1 NFSD V4client 1 1K 1 DEVFS 9 1K 10 feeder 7 1K 7 loginclass 3 1K 3 soname 5 1K 5779 CAM path 4 1K 1030 apmdev 1 1K 1 atkbddev 2 1K 2 pmchooks 1 1K 1 prison 4 1K 4 filecaps 5 1K 72 CAM dev queue 2 1K 2 CAM I/O Scheduler 1 1K 1 nexusdev 5 1K 5 entropy 2 1K 38 tcpfunc 1 1K 1 sctp_vrf 1 1K 1 vnet 1 1K 1 acpiintr 1 1K 1 pmc 1 1K 1 cpus 2 1K 2 vnet_data_free 1 1K 1 Per-cpu 1 1K 1 p1003.1b 1 1K 1 CAM CCB 0 0K 1766 madt_table 0 0K 2 PUC 0 0K 0 ppbusdev 0 0K 0 agtiapi_MemAlloc malloc 0 0K 0 osti_cacheable 0 0K 0 tempbuff 0 0K 0 tempbuff 0 0K 0 pvscsi 0 0K 0 smartpqi 0 0K 0 ag_tgt_map_t malloc 0 0K 0 ag_slr_map_t malloc 0 0K 0 lDevFlags * malloc 0 0K 0 tiDeviceHandle_t * malloc 0 0K 0 ag_portal_data_t malloc 0 0K 0 ag_device_t malloc 0 0K 0 STLock malloc 0 0K 0 CCB List 0 0K 0 iavf 0 0K 0 ixl 0 0K 0 sr_iov 0 0K 0 OCS 0 0K 0 OCS 0 0K 0 nvme 0 0K 0 nvd 0 0K 0 netmap 0 0K 0 mwldev 0 0K 0 MVS driver 0 0K 0 fpukern_ctx 0 0K 0 xen_intr 0 0K 0 CAM ccb queue 0 0K 0 xen_hvm 0 0K 0 legacydrv 0 0K 0 qpidrv 0 0K 0 mrsasbuf 0 0K 0 mpt_user 0 0K 0 dmar_idpgtbl 0 0K 0 dmar_dom 0 0K 0 dmar_ctx 0 0K 0 dmar_dmamap 0 0K 0 mps_user 0 0K 0 MPSSAS 0 0K 0 isci 0 0K 0 bxe_ilt 0 0K 0 xenbus 0 0K 0 vm_fictitious 0 0K 0 mps 0 0K 0 mpr_user 0 0K 0 MPRSAS 0 0K 0 UMAHash 0 0K 0 vm_pgdata 0 0K 0 jblocks 0 0K 0 savedino 0 0K 14 sentinel 0 0K 0 jfsync 0 0K 0 jtrunc 0 0K 0 sbdep 0 0K 2 jsegdep 0 0K 0 jseg 0 0K 0 jfreefrag 0 0K 0 jfreeblk 0 0K 0 jnewblk 0 0K 0 jmvref 0 0K 0 jremref 0 0K 0 jaddref 0 0K 0 freedep 0 0K 0 freefrag 0 0K 5 allocindir 0 0K 0 allocdirect 0 0K 0 ufs_trim 0 0K 0 mactemp 0 0K 0 audit_trigger 0 0K 0 audit_pipe_presel 0 0K 0 audit_pipeent 0 0K 0 audit_pipe 0 0K 0 audit_evname 0 0K 0 audit_bsm 0 0K 0 audit_gidset 0 0K 0 audit_text 0 0K 0 audit_path 0 0K 0 audit_data 0 0K 0 audit_cred 0 0K 0 xform 0 0K 0 NLM 0 0K 0 nfsclient_nlminfo 0 0K 0 nfsclient_lock 0 0K 0 NFS FHA 0 0K 0 ipsec-spdcache 0 0K 0 ipsec-reg 0 0K 0 ipsec-misc 0 0K 0 ipsecrequest 0 0K 0 ip6opt 0 0K 3 ip6_msource 0 0K 0 ip6_moptions 0 0K 0 in6_mfilter 0 0K 0 frag6 0 0K 0 tcplog 0 0K 0 LRO 0 0K 0 sctp_mcore 0 0K 0 sctp_socko 0 0K 0 sctp_iter 0 0K 5 sctp_mvrf 0 0K 0 sctp_timw 0 0K 0 sctp_cpal 0 0K 0 sctp_cmsg 0 0K 0 sctp_stre 0 0K 0 sctp_athi 0 0K 0 sctp_athm 0 0K 0 sctp_atky 0 0K 0 sctp_atcl 0 0K 0 sctp_a_it 0 0K 5 sctp_aadr 0 0K 0 sctp_stro 0 0K 0 sctp_stri 0 0K 0 sctp_map 0 0K 0 newreno data 0 0K 0 ip_msource 0 0K 0 ip_moptions 0 0K 0 in_mfilter 0 0K 0 ipid 0 0K 0 80211scan 0 0K 0 80211ratectl 0 0K 0 80211power 0 0K 0 80211nodeie 0 0K 0 80211node 0 0K 0 80211mesh_gt 0 0K 0 80211mesh_rt 0 0K 0 80211perr 0 0K 0 80211prep 0 0K 0 80211preq 0 0K 0 80211dfs 0 0K 0 80211crypto 0 0K 0 80211vap 0 0K 0 iflib 0 0K 0 vlan 0 0K 0 gif 0 0K 0 ifdescr 0 0K 0 zlib 0 0K 0 fadvise 0 0K 0 mpr 0 0K 0 statfs 0 0K 201 export_host 0 0K 0 cl_savebuf 0 0K 2 biobuf 0 0K 0 aios 0 0K 0 lio 0 0K 0 acl 0 0K 0 mfibuf 0 0K 0 mbuf_tag 0 0K 48 accf 0 0K 0 pts 0 0K 0 iov 0 0K 13358 ioctlops 0 0K 92 Witness 0 0K 0 stack 0 0K 0 md_sectors 0 0K 0 sbuf 0 0K 364 md_disk 0 0K 0 compressor 0 0K 0 malodev 0 0K 0 SWAP 0 0K 0 LED 0 0K 0 sysctltmp 0 0K 589 sysctl 0 0K 1 ekcd 0 0K 0 dumper 0 0K 0 rctl 0 0K 0 ix_sriov 0 0K 0 aacraidcam 0 0K 0 ix 0 0K 0 ipsbuf 0 0K 0 iirbuf 0 0K 0 cache 0 0K 0 aacraid_buf 0 0K 0 kcovinfo 0 0K 0 prison_racct 0 0K 0 Fail Points 0 0K 0 sigio 0 0K 1 filedesc_to_leader 0 0K 0 tty console 0 0K 0 aaccam 0 0K 0 aacbuf 0 0K 0 zstd 0 0K 0 nvlist 0 0K 0 SCSI ENC 0 0K 0 SCSI sa 0 0K 0 isofs_node 0 0K 0 isofs_mount 0 0K 0 tr_raid5_data 0 0K 0 tr_raid1e_data 0 0K 0 tr_raid1_data 0 0K 0 tr_raid0_data 0 0K 0 tr_concat_data 0 0K 0 md_sii_data 0 0K 0 md_promise_data 0 0K 0 md_nvidia_data 0 0K 0 md_jmicron_data 0 0K 0 md_intel_data 0 0K 0 md_ddf_data 0 0K 0 raid_data 0 0K 72 geom_flashmap 0 0K 0 newnfsmnt 0 0K 0 newnfsclient_req 0 0K 0 NFSCL layrecall 0 0K 0 NFSCL session 0 0K 0 NFSCL sockreq 0 0K 0 NFSCL devinfo 0 0K 0 NFSCL flayout 0 0K 0 NFSCL layout 0 0K 0 NFSD rollback 0 0K 0 NFSCL diroffdiroff 0 0K 0 NEWdirectio 0 0K 0 NEWNFSnode 0 0K 0 NFSCL lck 0 0K 0 NFSCL lckown 0 0K 0 NFSCL client 0 0K 0 NFSCL deleg 0 0K 0 NFSCL open 0 0K 0 NFSCL owner 0 0K 0 NFS fh 0 0K 0 NFS req 0 0K 0 NFSD usrgroup 0 0K 0 NFSD string 0 0K 0 NFSD V4lock 0 0K 0 NFSD V4state 0 0K 0 NFSD srvcache 0 0K 0 msdosfs_fat 0 0K 0 msdosfs_mount 0 0K 0 msdosfs_node 0 0K 0 DEVFS4 0 0K 0 DEVFS2 0 0K 0 gntdev 0 0K 0 privcmd_dev 0 0K 0 evtchn_dev 0 0K 0 xenstore 0 0K 0 scsi_pass 0 0K 0 ciss_data 0 0K 0 xnb 0 0K 0 xbbd 0 0K 0 xbd 0 0K 0 Balloon 0 0K 0 sysmouse 0 0K 0 vtfont 0 0K 0 ath_hal 0 0K 0 athdev 0 0K 0 ata_pci 0 0K 0 ata_dma 0 0K 0 ata_generic 0 0K 0 amr 0 0K 0 scsi_da 0 0K 69 ata_da 0 0K 0 scsi_ch 0 0K 0 scsi_cd 0 0K 0 USBdev 0 0K 0 USB 0 0K 0 AHCI driver 0 0K 0 agp 0 0K 0 nvme_da 0 0K 0 acpipwr 0 0K 0 twsbuf 0 0K 0 twe_commands 0 0K 0 twa_commands 0 0K 0 tcp_log_dev 0 0K 0 midi buffers 0 0K 0 mixer 0 0K 0 ac97 0 0K 0 hdacc 0 0K 0 hdac 0 0K 0 hdaa 0 0K 0 acpi_perf 0 0K 0 acpicmbat 0 0K 0 SIIS driver 0 0K 0 db> show ktr No such command; use "help" to list available commands