Fatal trap 12: page fault while in kernel mode cpuid = 1; apic id = 01 fault virtual address = 0xffffffffffffffff fault code = supervisor write data, page not present instruction pointer = 0x20:0xffffffff819a7883 stack pointer = 0x28:0xfffffe0056b4f380 frame pointer = 0x28:0xfffffe0056b4f3b0 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 12 (swi1: netisr 0) rdi: fffffe0079c3da80 rsi: 0000000000000000 rdx: 0000000000000000 rcx: 000000000f387b50 r8: 0000000000000000 r9: 0000000000000001 rax: ffffffffffffffff rbx: fffffe0079c3dac4 rbp: fffffe0056b4f3b0 r10: 0000000000001450 r11: 0000000000000033 r12: ffffffffffffffff r13: fffffe0079c3dcd0 r14: fffffe0079c3da80 r15: fffffe0079c3da88 trap number = 12 panic: page fault cpuid = 1 time = 1755979339 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe0056b4ebb0 kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe0056b4ed10 vpanic() at vpanic+0x257/frame 0xfffffe0056b4eed0 panic() at panic+0xb5/frame 0xfffffe0056b4ef90 trap_pfault() at trap_pfault+0xaf2/frame 0xfffffe0056b4f0d0 trap() at trap+0x78e/frame 0xfffffe0056b4f2b0 calltrap() at calltrap+0x8/frame 0xfffffe0056b4f2b0 --- trap 0xc, rip = 0xffffffff819a7883, rsp = 0xfffffe0056b4f380, rbp = 0xfffffe0056b4f3b0 --- in_pcbremhash_locked() at in_pcbremhash_locked+0x263/frame 0xfffffe0056b4f3b0 in_pcbdrop() at in_pcbdrop+0x98/frame 0xfffffe0056b4f3d0 tcp_close() at tcp_close+0x177/frame 0xfffffe0056b4f490 tcp_do_segment() at tcp_do_segment+0x146c/frame 0xfffffe0056b4f770 tcp_input_with_port() at tcp_input_with_port+0x21a9/frame 0xfffffe0056b4fa20 tcp6_input_with_port() at tcp6_input_with_port+0x8e/frame 0xfffffe0056b4fa60 tcp6_input() at tcp6_input+0x26/frame 0xfffffe0056b4fa90 ip6_input() at ip6_input+0x2285/frame 0xfffffe0056b4fcf0 swi_net() at swi_net+0x2b8/frame 0xfffffe0056b4fd90 ithread_loop() at ithread_loop+0x4ec/frame 0xfffffe0056b4fef0 fork_exit() at fork_exit+0xcc/frame 0xfffffe0056b4ff30 fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0056b4ff30 --- trap 0, rip = 0, rsp = 0, rbp = 0 --- KDB: enter: panic [ thread pid 12 tid 100033 ] Stopped at kdb_enter+0x6e: movq $0,0x25b6f77(%rip) db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xfffffe0002bf1850 rdx 0 rbx 0xffffffff827e1820 .str.27 rsp 0xfffffe0056b4ecf0 rbp 0xfffffe0056b4ed10 rsi 0 rdi 0xffffffff816260e9 printf+0x149 r8 0 r9 0xffffffff r10 0 r11 0x17 r12 0xfffffe0007821780 r13 0xfffffffffffffffd r14 0xffffffff827e1820 .str.27 r15 0 rip 0xffffffff8160fc1e kdb_enter+0x6e rflags 0x46 kdb_enter+0x6e: movq $0,0x25b6f77(%rip) db> show proc Process 12 (intr) at 0xfffffe0007808560: state: NORMAL uid: 0 gids: 0 parent: pid 0 at 0xffffffff83b51080 ABI: null flag: 0x10000284 flag2: 0 reaper: 0xffffffff83b51080 reapsubtree: 12 sigparent: 20 vmspace: 0xffffffff83b52060 (map 0xffffffff83b52060) (map.pmap 0xffffffff83b52100) (pmap 0xffffffff83b52170) threads: 20 100013 I [swi6: task queue] 100014 I [swi6: Giant taskq] 100016 I [swi5: fast taskq] 100033 Run CPU 1 [swi1: netisr 0] 100034 I [swi1: hpts] 100035 I [swi1: hpts] 100047 I [irq24: virtio_pci0] 100048 I [irq25: virtio_pci0] 100049 I [irq26: virtio_pci0] 100050 I [irq27: virtio_pci0] 100051 I [irq28: virtio_pci1] 100052 L *tcphash 0xfffffe0007804540 [irq29: virtio_pci1] 100053 I [irq30: virtio_pci1] 100054 I [irq31: virtio_pci1] 100055 I [irq32: virtio_pci1] 100060 I [irq10: virtio_pci2] 100062 I [irq1: atkbd0] 100063 I [irq12: psm0] 100064 I [swi0: uart uart++] 100068 I [swi1: pf send] db> ps pid ppid pgrp uid state wmesg wchan cmd 991 944 991 0 Ts (threaded) syz-executor 100153 s syz-executor 100384 Run CPU 0 syz-executor 100385 RunQ syz-executor 100387 RunQ syz-executor 988 987 766 0 S uwait 0xfffffe0059893480 syz-executor 987 766 766 0 R (threaded) syz-executor 100166 RunQ syz-executor 100379 S lockf 0xfffffe0057d76980 syz-executor 100380 S uwait 0xfffffe006dff4b00 syz-executor 986 0 0 0 DL mdwait 0xfffffe0058632000 [md1] 984 1 766 -1 S uwait 0xfffffe00584dac00 syz-executor 982 980 896 0 SV uwait 0xfffffe005969b600 syz-executor 980 896 896 0 T (threaded) syz-executor 100095 s syz-executor 100372 D ppwait 0xfffffe000780a518 syz-executor 977 972 764 0 SV lockf 0xfffffe00595b4200 syz-executor 975 1 766 0 S uwait 0xfffffe006dff2c80 syz-executor 973 972 764 0 SV lockf 0xfffffe00595b4080 syz-executor 972 764 764 -1 T (threaded) syz-executor 100109 s syz-executor 100359 s syz-executor 100360 RunQ syz-executor 100365 D ppwait 0xfffffe0054120510 syz-executor 100369 s syz-executor 970 1 766 0 S uwait 0xfffffe006dff2780 syz-executor 969 1 764 0 S umtxn 0xfffffe0059893380 syz-executor 965 1 944 0 SV select 0xfffffe0077652b40 syz-executor 963 1 766 0 S uwait 0xfffffe0059892780 syz-executor 960 1 944 0 S uwait 0xfffffe006dff4580 syz-executor 944 1 944 0 R syz-executor 943 1 896 0 S uwait 0xfffffe005969ca80 syz-executor 937 1 763 0 S uwait 0xfffffe0059893680 syz-executor 930 1 763 0 S uwait 0xfffffe00584e6680 syz-executor 926 1 926 0 Ts+ getty 925 1 925 0 Ts+ getty 924 1 924 0 Ts+ getty 923 1 923 0 Ts+ getty 922 1 922 0 Ts+ getty 921 1 921 0 Ts+ getty 920 1 920 0 Ts+ getty 919 1 919 0 Ts+ getty 918 1 918 0 Ts+ getty 914 1 766 0 S uwait 0xfffffe0059893280 syz-executor 913 0 0 0 DL mdwait 0xfffffe00597f2000 [md0] 903 1 763 0 S uwait 0xfffffe0077653300 syz-executor 902 1 763 0 S uwait 0xfffffe0059892180 syz-executor 900 1 763 0 S uwait 0xfffffe006dff2e80 syz-executor 899 1 763 0 S uwait 0xfffffe0059892680 syz-executor 896 1 896 0 R syz-executor 895 0 0 0 DL (threaded) [KTLS] 100139 D - 0xfffffe0059b99000 [thr_0] 100201 D - 0xfffffe0059b99080 [thr_1] 100202 D - 0xffffffff83cb9628 [reclaim_0] 891 1 764 0 S uwait 0xfffffe006dff3600 syz-executor 890 1 764 0 S uwait 0xfffffe006dff3300 syz-executor 881 1 763 0 S uwait 0xfffffe006dff4380 syz-executor 872 1 423 0 S kqread 0xfffffe00083fbc00 rtsol 832 0 0 0 DL (threaded) [so_splice] 100119 D - 0xfffffe0007688880 [thr_0] 100138 D - 0xfffffe00076888c0 [thr_1] 820 1 765 0 S uwait 0xfffffe0059892280 syz-executor 818 0 0 0 DL aiordy 0xfffffe00540efab8 [aiod4] 817 0 0 0 DL aiordy 0xfffffe005410bac0 [aiod3] 815 0 0 0 DL aiordy 0xfffffe00540f0010 [aiod2] 814 0 0 0 DL aiordy 0xfffffe00540f0568 [aiod1] 811 1 765 0 S uwait 0xfffffe0059893600 syz-executor 766 1 766 0 R syz-executor 764 1 764 0 R syz-executor 736 1 17 0 S+ nanslp 0xffffffff83ba7c40 sleep 494 1 494 0 Rs syslogd 16 0 0 0 DL syncer 0xffffffff83cc5820 [syncer] 15 0 0 0 DL vlruwt 0xfffffe0054002558 [vnlru] 14 0 0 0 DL (threaded) [bufdaemon] 100079 D psleep 0xffffffff83cc3d60 [bufdaemon] 100082 D - 0xffffffff83001ec0 [bufspacedaemon-0] 100092 D sdflush 0xfffffe0053fe08e8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83d0ec80 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100077 D psleep 0xffffffff83cf4d48 [dom0] 100080 D launds 0xffffffff83cf4d54 [laundry: dom0] 100081 D umarcl 0xffffffff81df2890 [uma] 7 0 0 0 DL - 0xffffffff839205d8 [rand_harvestq] 6 0 0 0 RL [pf purge] 5 0 0 0 DL waiting 0xffffffff84902700 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100045 D - 0xffffffff838ea340 [doneq0] 100046 D - 0xffffffff838ea2c0 [async] 100075 D - 0xffffffff838ea140 [scanner] 3 0 0 0 DL (threaded) [crypto] 100042 D crypto_ 0xffffffff83cf0640 [crypto] 100043 D crypto_ 0xfffffe0007a95c30 [crypto returns 0] 100044 D crypto_ 0xfffffe0007a95c80 [crypto returns 1] 13 0 0 0 DL (threaded) [geom] 100037 D - 0xffffffff83b50640 [g_event] 100038 D - 0xffffffff83b50660 [g_up] 100039 D - 0xffffffff83b50680 [g_down] 2 0 0 0 WL (threaded) [clock] 100031 I [clock (0)] 100032 I [clock (1)] 12 0 0 0 RL (threaded) [intr] 100013 I [swi6: task queue] 100014 I [swi6: Giant taskq] 100016 I [swi5: fast taskq] 100033 Run CPU 1 [swi1: netisr 0] 100034 I [swi1: hpts] 100035 I [swi1: hpts] 100047 I [irq24: virtio_pci0] 100048 I [irq25: virtio_pci0] 100049 I [irq26: virtio_pci0] 100050 I [irq27: virtio_pci0] 100051 I [irq28: virtio_pci1] 100052 L *tcphash 0xfffffe0007804540 [irq29: virtio_pci1] 100053 I [irq30: virtio_pci1] 100054 I [irq31: virtio_pci1] 100055 I [irq32: virtio_pci1] 100060 I [irq10: virtio_pci2] 100062 I [irq1: atkbd0] 100063 I [irq12: psm0] 100064 I [swi0: uart uart++] 100068 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 RLs [init] 10 0 0 0 DL audit_w 0xffffffff83cf10e0 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D parked 0xffffffff84c43ff0 [swapper] 100005 D - 0xfffffe0007a98b00 [softirq_0] 100006 D - 0xfffffe0007a98900 [softirq_1] 100007 D - 0xfffffe0007a98700 [if_io_tqg_0] 100008 D - 0xfffffe0007a98500 [if_io_tqg_1] 100009 D - 0xfffffe0007a98300 [if_config_tqg_0] 100010 D - 0xfffffe00083f9700 [kqueue_ctx taskq] 100011 D - 0xfffffe00083f9600 [jail_remove taskq] 100012 D - 0xfffffe00083f9500 [bus taskq] 100015 D - 0xfffffe00083f9000 [thread taskq] 100017 D - 0xfffffe00083f8c00 [aiod_kick taskq] 100018 D - 0xfffffe00083f8b00 [deferred_unmount ta] 100019 D - 0xfffffe00083f8a00 [inm_free taskq] 100020 D - 0xfffffe00083f8900 [in6m_free taskq] 100021 D - 0xfffffe00083f8800 [linuxkpi_irq_wq] 100022 D - 0xfffffe00083f8700 [linuxkpi_short_wq_0] 100023 D - 0xfffffe00083f8700 [linuxkpi_short_wq_1] 100024 D - 0xfffffe00083f8700 [linuxkpi_short_wq_2] 100025 D - 0xfffffe00083f8700 [linuxkpi_short_wq_3] 100026 D - 0xfffffe00083f8600 [linuxkpi_long_wq_0] 100027 D - 0xfffffe00083f8600 [linuxkpi_long_wq_1] 100028 D - 0xfffffe00083f8600 [linuxkpi_long_wq_2] 100029 D - 0xfffffe00083f8600 [linuxkpi_long_wq_3] 100036 D - 0xfffffe00083f8100 [firmware taskq] 100040 D - 0xfffffe00083f7e00 [crypto_0] 100041 D - 0xfffffe00083f7e00 [crypto_1] 100056 D - 0xfffffe00083f7700 [vtnet0 rxq 0] 100057 D - 0xfffffe00083f7600 [vtnet0 txq 0] 100058 D - 0xfffffe00083f7500 [vtnet0 rxq 1] 100059 D - 0xfffffe00083f7400 [vtnet0 txq 1] 100061 D vtbslp 0xfffffe0057d76f00 [virtio_balloon] 100065 D - 0xffffffff827e5f00 [deadlkres] 100069 D - 0xfffffe00593db000 [acpi_task_0] 100070 D - 0xfffffe00593db000 [acpi_task_1] 100071 D - 0xfffffe00593db000 [acpi_task_2] 100073 D - 0xfffffe00083fb100 [mca taskq] 100074 D - 0xfffffe00083f7d00 [CAM taskq] 100076 D - 0xfffffe005825fe00 [ipsec_offload] 762 1 760 0 Z syz-executor db> show all locks Process 12 (intr) thread 0xfffffe0007821780 (100033) exclusive sleep mutex tcphash (tcphash) r = 0 (0xfffffe0007a49a00) locked @ /syzkaller/managers/main/kernel/sys/netinet/in_pcb.c:2734 exclusive rw tcpinp (tcpinp) r = 0 (0xfffffe0079c3daa0) locked @ /syzkaller/managers/main/kernel/sys/netinet/in_pcb.c:1471 Process 12 (intr) thread 0xfffffe0007828780 (100052) exclusive rw tcpinp (tcpinp) r = 0 (0xfffffe006df40020) locked @ /syzkaller/managers/main/kernel/sys/netinet/in_pcb.c:1487 exclusive sleep mutex vtnet0-rx0 (vtnet0-rx0) r = 0 (0xfffffe0057d5c000) locked @ /syzkaller/managers/main/kernel/sys/dev/virtio/network/if_vtnet.c:2213 db> show malloc Type InUse MemUse Requests pf_hash 6 12804K 6 linker 377 5100K 563 tcp_hpts 7 4801K 7 devbuf 4187 4323K 4214 sysctloid 35455 2089K 35530 vtbuf 24 1968K 46 kobj 331 1324K 515 newblk 440 1134K 965 vfscache 3 1025K 3 pcb 41 683K 233 inodedep 60 535K 255 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 filedesc 62 481K 300 intr 4 472K 4 subproc 159 314K 1082 vnet_data 2 224K 2 acpitask 1 224K 1 KTRACE 100 200K 103 acpica 1674 184K 54450 vmem 5 144K 7 tidhash 3 141K 3 pagedep 34 137K 117 tfo_ccache 1 128K 1 IP reass 1 128K 1 DEVFS1 110 110K 131 sem 4 106K 4 gtaskqueue 18 98K 18 bus 1005 82K 5097 mtx_pool 3 74K 3 syncache 1 68K 1 NFSD srvcache 3 68K 3 module 523 66K 525 ddb_capture 1 64K 1 umtx 464 58K 464 kdtrace 232 45K 1380 shm 2 34K 6 DEVFS3 129 33K 140 hostcache 1 32K 1 msg 4 30K 4 kbdmux 6 28K 6 LRO 24 25K 24 ifaddr 84 22K 86 temp 41 21K 2030 routetbl 188 21K 543 DEVFS_RULE 56 20K 56 lltable 59 19K 60 ether_multi 208 17K 225 ufs_mount 4 17K 5 proc 3 17K 3 ifnet 9 17K 10 tty 16 16K 16 ithread 90 15K 90 bus-sc 34 15K 1660 eventhandler 163 14K 163 GEOM 59 13K 483 in6_multi 85 12K 86 kenv 95 12K 95 shmfd 7 11K 8 BPF 13 11K 33 CAM queue 5 11K 1528 rman 82 10K 447 rpc 8 9K 8 cred 23 9K 219 bmsafemap 2 9K 217 devstat 4 9K 4 UART 12 9K 12 ksem 1 8K 3 filemon 1 8K 3 pfs_vncache 1 8K 1 md_disk 2 8K 2 plimit 21 8K 484 audit_evclass 240 8K 304 kqueue 75 8K 1148 taskqueue 69 8K 279 sglist 6 7K 6 CAM DEV 3 6K 510 pfs_nodes 22 6K 22 lockf 56 5K 146 pf_ifnet 12 5K 25 ufs_dirhash 24 5K 30 UMA 271 5K 271 pwddesc 69 5K 1000 vt 11 5K 11 memdesc 1 4K 1 MCA 32 4K 32 DEVFSP 64 4K 94 evdev 4 4K 4 newdirblk 28 4K 102 acpisem 28 4K 28 kcovinfo 54 4K 54 dirrem 13 4K 181 terminal 11 3K 11 sctp_atcl 7 3K 27 ip6ndp 16 3K 18 acpidev 20 3K 20 diradd 19 3K 201 hhook 8 3K 10 tun 6 3K 6 clone 9 3K 9 uidinfo 3 3K 16 proc-args 81 3K 2095 sctp_ifa 17 3K 18 mkdir 17 3K 204 netlink 2 3K 94 local_apic 1 2K 1 io_apic 1 2K 1 ipsec-saq 2 2K 2 in_multi 8 2K 12 session 15 2K 47 Unitno 26 2K 237 CAM XPT 22 2K 543 freefile 12 2K 134 toponodes 6 2K 6 ipsecpolicy 2 2K 2 indirdep 5 2K 102 nhops 6 2K 9 msi 9 2K 9 CC Mem 9 2K 123 sctp_ifn 8 1K 18 sctp_stro 1 1K 2 softdep 1 1K 1 sahead 1 1K 1 secasvar 1 1K 1 mld 8 1K 8 igmp 8 1K 8 vnodemarker 2 1K 10 NFSD session 1 1K 1 mount 19 1K 279 inpcbpolicy 28 1K 466 CAM periph 4 1K 271 ipsec 3 1K 3 pfil 6 1K 6 isadev 6 1K 8 pci_link 10 1K 10 osd 14 1K 140 crypto 4 1K 12 encap_export_host 12 1K 12 ip6opt 4 1K 15 cdev 2 1K 2 lkpikmalloc 8 1K 9 selfd 7 1K 66497 counter_rate 13 1K 13 chacha20random 1 1K 1 biobuf 1 1K 1 select 3 1K 44 sctp_atky 8 1K 29 sctp_timw 1 1K 1 vnodes 1 1K 4 ktls 1 1K 6 NFSD lckfile 1 1K 1 NFSD V4client 1 1K 1 DEVFS 9 1K 11 CAM SIM 2 1K 2 feeder 7 1K 7 tcpfunc 3 1K 3 loginclass 3 1K 5 prison 6 1K 6 nexusdev 8 1K 8 apmdev 1 1K 1 atkbddev 2 1K 2 ip_msource 2 1K 5 VN POLL 1 1K 4 aio 4 1K 4 eventfd 1 1K 3 pmchooks 1 1K 1 CAM path 4 1K 1034 CAM dev queue 2 1K 2 CAM I/O Scheduler 1 1K 1 sctp_athm 7 1K 27 filecaps 3 1K 79 soname 3 1K 3396 sctp_vrf 1 1K 1 ip6_msource 1 1K 1 vnet 1 1K 1 sendfile 1 1K 3 pmc 1 1K 1 entropy 2 1K 35 acpiintr 1 1K 1 sctp_map 2 1K 4 cpus 2 1K 2 vnet_data_free 1 1K 1 fadvise 1 1K 3 Per-cpu 1 1K 1 freework 1 1K 207 p1003.1b 1 1K 1 sctp_mcore 0 0K 0 sctp_socko 0 0K 13 sctp_iter 0 0K 14 sctp_mvrf 0 0K 0 sctp_cpal 0 0K 0 sctp_cmsg 0 0K 0 sctp_stre 0 0K 0 sctp_athi 0 0K 0 sctp_a_it 0 0K 14 sctp_aadr 0 0K 0 sctp_stri 0 0K 0 ipcomp 0 0K 0 esp 0 0K 0 ah 0 0K 0 mqdata 0 0K 0 pf_table 0 0K 0 pf_rule 0 0K 1 pf_altq 0 0K 0 pf_osfp 0 0K 0 pf_krule_item 0 0K 0 pf_temp 0 0K 0 tcp_pcm_rack 0 0K 0 tcp_do_rack 0 0K 0 tcp_fsb_rack 0 0K 0 cryptodev 0 0K 55 madt_table 0 0K 2 smartpqi 0 0K 0 ixl 0 0K 0 ice-resmgr 0 0K 0 ice-osdep 0 0K 0 ice 0 0K 0 iavf 0 0K 0 axgbe 0 0K 0 fpukern_ctx 0 0K 0 xen_intr 0 0K 0 xen_hvm 0 0K 0 legacydrv 0 0K 0 NMI handlers 0 0K 0 bounce 0 0K 0 busdma 0 0K 0 qpidrv 0 0K 0 dmar_idpgtbl 0 0K 0 dmar_dom 0 0K 0 dmar_ctx 0 0K 0 amdiommu_dom 0 0K 0 amdiommu_ctx 0 0K 0 isci 0 0K 0 iommu_dmamap 0 0K 0 hyperv_socket 0 0K 0 bxe_ilt 0 0K 0 aesni_data 0 0K 0 xenbus 0 0K 0 vm_fictitious 0 0K 0 UMAHash 0 0K 0 vm_pgdata 0 0K 0 jblocks 0 0K 0 savedino 0 0K 99 sentinel 0 0K 0 jfsync 0 0K 0 jtrunc 0 0K 0 sbdep 0 0K 3 jsegdep 0 0K 0 jseg 0 0K 0 jfreefrag 0 0K 0 jfreeblk 0 0K 0 jnewblk 0 0K 0 jmvref 0 0K 0 jremref 0 0K 0 jaddref 0 0K 0 freedep 0 0K 0 freeblks 0 0K 118 freefrag 0 0K 19 a