panic: sx_xlock() of destroyed sx @ /syzkaller/managers/main/kernel/sys/kern/uipc_sockbuf.c:393 cpuid = 1 time = 1579187314 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe002457d6f0 vpanic() at vpanic+0x1ce/frame 0xfffffe002457d760 panic() at panic+0x43/frame 0xfffffe002457d7c0 _sx_xlock() at _sx_xlock+0x1ca/frame 0xfffffe002457d810 sosend_generic() at sosend_generic+0x197/frame 0xfffffe002457d8d0 sosend() at sosend+0xc6/frame 0xfffffe002457d940 kern_sendit() at kern_sendit+0x32d/frame 0xfffffe002457d9f0 sendit() at sendit+0x226/frame 0xfffffe002457da50 sys_sendto() at sys_sendto+0x5c/frame 0xfffffe002457dab0 amd64_syscall() at amd64_syscall+0x499/frame 0xfffffe002457dbf0 fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe002457dbf0 --- syscall (198, FreeBSD ELF64, nosys), rip = 0x4132ea, rsp = 0x7fffdfffdf38, rbp = 0x6 --- KDB: enter: panic [ thread pid 3227 tid 100811 ] Stopped at kdb_enter+0x67: movq $0,0x1467466(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b ll+0x1a es 0x3b ll+0x1a fs 0x13 gs 0x1b ss 0x28 ll+0x7 rax 0x12 rcx 0x80 ll+0x5f rdx 0xffffffff81896255 rbx 0 rsp 0xfffffe002457d6d0 rbp 0xfffffe002457d6f0 rsi 0x1 rdi 0 r8 0 r9 0xffffffff r10 0xbb0014ac r11 0xfffff8003aba54f0 r12 0xffffffff82068d90 ddb_dbbe r13 0 r14 0xffffffff819341b8 r15 0xffffffff819341b8 rip 0xffffffff810aec37 kdb_enter+0x67 rflags 0x86 ll+0x65 kdb_enter+0x67: movq $0,0x1467466(%rip) db> show proc Process 3227 (syz-executor.0) at 0xfffff8003ab92000: state: NORMAL uid: 0 gids: 0, 0, 5 parent: pid 774 at 0xfffff8003a5be000 ABI: FreeBSD ELF64 arguments: /root/syz-executor.0 reaper: 0xfffff800032fa530 reapsubtree: 1 sigparent: 20 vmspace: 0xfffff8003aa30000 (map 0xfffff8003aa30000) (map.pmap 0xfffff8003aa300c0) (pmap 0xfffff8003aa30120) threads: 3 101140 RunQ syz-executor.0 100811 Run CPU 1 syz-executor.0 100813 Run CPU 0 syz-executor.0 db> ps pid ppid pgrp uid state wmesg wchan cmd 3227 774 774 0 R (threaded) syz-executor.0 101140 RunQ syz-executor.0 100811 Run CPU 1 syz-executor.0 100813 Run CPU 0 syz-executor.0 3225 773 773 0 T (threaded) syz-executor.2 100235 RunQ syz-executor.2 846 819 846 0 Ss select 0xfffff8003aa970c0 dhclient 825 1 825 0 Ss select 0xfffff8003aa97140 dhclient 819 804 422 65 S select 0xfffff8003aa97240 dhclient 804 422 422 0 S wait 0xfffff80003afc530 sh 778 771 778 0 Rs syz-executor.1 775 771 775 0 Rs syz-executor.3 774 771 774 0 Ss nanslp 0xffffffff824feca0 syz-executor.0 773 771 773 0 Ss nanslp 0xffffffff824feca0 syz-executor.2 771 769 769 0 S (threaded) syz-execprog 100104 S uwait 0xfffff80003a47180 syz-execprog 100105 S uwait 0xfffff80003e0ab00 syz-execprog 100106 S uwait 0xfffff80003e0ac00 syz-execprog 100107 S uwait 0xfffff80003e09880 syz-execprog 100108 S uwait 0xfffff80003a47280 syz-execprog 100109 S uwait 0xfffff80003e09980 syz-execprog 100110 S uwait 0xfffff80003e09a80 syz-execprog 100111 S uwait 0xfffff80003e09b80 syz-execprog 100112 S uwait 0xfffff80003e09c80 syz-execprog 100113 S kqread 0xfffff8000333b600 syz-execprog 100114 S uwait 0xfffff80003e09480 syz-execprog 769 767 769 0 Ss pause 0xfffff8003a35d5d8 csh 767 680 767 0 Ss select 0xfffff80003cc6a40 sshd 746 1 746 0 Ss+ ttyin 0xfffff800033f7cb0 getty 745 1 745 0 Ss+ ttyin 0xfffff800033f8cb0 getty 744 1 744 0 Ss+ ttyin 0xfffff80003aba0b0 getty 743 1 743 0 Ss+ ttyin 0xfffff80003aba4b0 getty 742 1 742 0 Ss+ ttyin 0xfffff80003aba8b0 getty 741 1 741 0 Ss+ ttyin 0xfffff80003abacb0 getty 740 1 740 0 Ss+ ttyin 0xfffff80003abb0b0 getty 739 1 739 0 Ss+ ttyin 0xfffff80003abb4b0 getty 738 1 738 0 Ss+ ttyin 0xfffff80003abb8b0 getty 736 1 22 0 S+ piperd 0xfffff8003a485be0 logger 735 734 22 0 S+ nanslp 0xffffffff824feca0 sleep 734 1 22 0 S+ wait 0xfffff80003d9c000 sh 684 1 684 0 Ss nanslp 0xffffffff824feca1 cron 680 1 680 0 Ss select 0xfffff80003d28d40 sshd 493 1 493 0 Ss select 0xfffff80003cc6ec0 syslogd 422 1 422 0 Ss wait 0xfffff80003544a60 devd 421 1 421 65 Ss select 0xfffff80003cc6e40 dhclient 336 1 336 0 Ss select 0xfffff80003ce9740 dhclient 333 1 333 0 Ss select 0xfffff80003ce97c0 dhclient 21 0 0 0 DL syncer 0xffffffff825d5118 [syncer] 20 0 0 0 DL vlruwt 0xfffff80003b01000 [vnlru] 19 0 0 0 DL (threaded) [bufdaemon] 100065 D qsleep 0xffffffff825d4618 [bufdaemon] 100070 D - 0xffffffff8200a980 [bufspacedaemon-0] 100080 D sdflush 0xfffff80003cf58e8 [/ worker] 18 0 0 0 DL psleep 0xffffffff825f0088 [vmdaemon] 17 0 0 0 DL (threaded) [pagedaemon] 100063 D psleep 0xffffffff8261cfd8 [dom0] 100068 D launds 0xffffffff8261cfe4 [laundry: dom0] 100069 D umarcl 0xffffffff8153b820 [uma] 16 0 0 0 DL - 0xffffffff82359530 [rand_harvestq] 15 0 0 0 DL waiting 0xffffffff826625a0 [sctp_iterator] 9 0 0 0 DL - 0xffffffff825d401c [soaiod4] 8 0 0 0 DL - 0xffffffff825d401c [soaiod3] 7 0 0 0 DL - 0xffffffff825d401c [soaiod2] 6 0 0 0 DL - 0xffffffff825d401c [soaiod1] 5 0 0 0 DL (threaded) [cam] 100031 D - 0xffffffff82234940 [doneq0] 100062 D - 0xffffffff82234808 [scanner] 4 0 0 0 DL crypto_ 0xfffff800031f8e90 [crypto returns 1] 3 0 0 0 DL crypto_ 0xfffff800031f8e30 [crypto returns 0] 2 0 0 0 DL crypto_ 0xffffffff825ea0e8 [crypto] 14 0 0 0 DL seqstat 0xfffff80003362888 [sequencer 00] 13 0 0 0 DL (threaded) [geom] 100022 D - 0xffffffff8261b608 [g_event] 100023 D - 0xffffffff8261b618 [g_up] 100024 D - 0xffffffff8261b610 [g_down] 12 0 0 0 WL (threaded) [intr] 100006 I [swi5: fast taskq] 100010 I [swi6: task queue] 100011 I [swi6: Giant taskq] 100017 I [swi3: vm] 100018 I [swi4: clock (0)] 100019 I [swi4: clock (1)] 100020 I [swi1: netisr 0] 100032 I [irq24: virtio_pci0] 100033 I [irq25: virtio_pci0] 100034 I [irq26: virtio_pci0] 100035 I [irq27: virtio_pci0] 100036 I [irq28: virtio_pci1] 100037 I [irq29: virtio_pci1] 100038 I [irq30: virtio_pci1] 100039 I [irq31: virtio_pci1] 100040 I [irq32: virtio_pci1] 100045 I [irq10: virtio_pci2] 100047 I [irq1: atkbd0] 100048 I [irq12: psm0] 100049 I [swi0: uart uart++] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffff800032fa530 [init] 10 0 0 0 DL audit_w 0xffffffff82663230 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D swapin 0xffffffff82609bf8 [swapper] 100005 D - 0xfffff8000333d000 [thread taskq] 100007 D - 0xfffff8000333cd00 [kqueue_ctx taskq] 100008 D - 0xfffff8000333cc00 [config_0] 100009 D - 0xfffff8000333cb00 [aiod_kick taskq] 100012 D - 0xfffff8000333c800 [if_config_tqg_0] 100013 D - 0xfffff8000333c700 [if_io_tqg_0] 100014 D - 0xfffff8000333c600 [if_io_tqg_1] 100015 D - 0xfffff8000333c500 [softirq_0] 100016 D - 0xfffff8000333c400 [softirq_1] 100021 D - 0xfffff8000333c300 [firmware taskq] 100026 D - 0xfffff8000333c200 [crypto_0] 100027 D - 0xfffff8000333c200 [crypto_1] 100041 D - 0xfffff8000333c000 [vtnet0 rxq 0] 100042 D - 0xfffff8000333be00 [vtnet0 txq 0] 100043 D - 0xfffff8000333bd00 [vtnet0 rxq 1] 100044 D - 0xfffff8000333bc00 [vtnet0 txq 1] 100046 D vtbslp 0xfffff800034d4400 [virtio_balloon] 100050 D - 0xfffff8000333bb00 [mca taskq] 100055 D - 0xffffffff81cd7a01 [deadlkres] 100057 D - 0xfffff80003b31100 [acpi_task_0] 100058 D - 0xfffff80003b31100 [acpi_task_1] 100059 D - 0xfffff80003b31100 [acpi_task_2] 100061 D - 0xfffff8000333c100 [CAM taskq] 3222 775 775 0 Z syz-executor.3 3226 778 778 0 Z syz-executor.1 db> show all locks Process 3227 (syz-executor.0) thread 0xfffff8003aaee000 (100813) exclusive sleep mutex eventhandler (eventhandler) r = 0 (0xffffffff82515260) locked @ /syzkaller/managers/main/kernel/sys/kern/subr_eventhandler.c:271 exclusive sleep mutex socket (socket) r = 0 (0xfffff80003e86388) locked @ /syzkaller/managers/main/kernel/sys/netinet/tcp_usrreq.c:442 exclusive rw tcpinp (tcpinp) r = 0 (0xfffff8003a506020) locked @ /syzkaller/managers/main/kernel/sys/netinet/tcp_usrreq.c:435 db> show malloc Type InUse MemUse Requests devbuf 4213 4851K 4238 vtbuf 24 1968K 46 sysctloid 26527 1553K 26591 kobj 331 1324K 487 inodedep 1536 1280K 2495 newblk 393 1122K 2845 vfscache 4 1025K 4 pcb 30 537K 4894 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 388K 4 subproc 138 265K 3310 freefile 1502 188K 2423 dirrem 1493 187K 2429 acpica 1674 185K 49750 vnet_data 1 168K 1 pagedep 20 133K 2432 tfo_ccache 1 128K 1 filedesc 18 121K 4872 sem 4 106K 4 DEVFS1 105 105K 122 linker 221 89K 252 bus 986 79K 3330 mtx_pool 2 72K 2 syncache 1 68K 1 acpitask 1 64K 1 ddb_capture 1 64K 1 module 493 62K 493 umtx 312 39K 312 BPF 22 36K 22 gtaskqueue 22 34K 22 kdtrace 175 34K 9251 hostcache 1 32K 1 shm 1 32K 1 DEVFS3 124 31K 134 msg 4 30K 4 DEVFS_RULE 56 27K 56 ifaddr 71 24K 73 kbdmux 6 22K 6 vmem 3 19K 4 lltable 47 18K 47 temp 34 17K 1837 ufs_mount 3 17K 4 proc 3 17K 3 tty 16 16K 16 tidhash 1 16K 1 ithread 89 15K 89 ether_multi 172 14K 177 bus-sc 30 14K 1394 KTRACE 100 13K 100 ifnet 7 13K 7 kenv 95 12K 99 eventhandler 123 11K 123 in6_multi 89 11K 89 pfs_nodes 20 10K 20 GEOM 60 10K 487 rman 82 10K 423 bmsafemap 2 9K 2464 devstat 4 9K 4 UART 12 9K 12 rpc 2 8K 2 shmfd 1 8K 1 pfs_vncache 1 8K 1 audit_evclass 231 8K 289 cred 28 7K 240 routetbl 58 7K 62 CAM DEV 3 6K 508 kqueue 58 6K 3232 plimit 22 6K 365 vt 11 6K 11 sglist 5 6K 5 CAM queue 5 6K 1522 ufs_dirhash 24 5K 24 taskqueue 42 5K 42 memdesc 1 4K 1 MCA 32 4K 32 evdev 4 4K 4 diradd 31 4K 2463 UMA 234 4K 234 session 26 4K 37 pgrp 26 4K 37 hhook 13 4K 13 acpisem 22 3K 22 select 22 3K 22 terminal 11 3K 11 proc-args 47 3K 548 mkdir 20 3K 4842 indirdep 10 3K 10 uidinfo 4 3K 4 sctp_ifa 17 3K 17 local_apic 1 2K 1 io_apic 1 2K 1 ipsec-saq 2 2K 2 lockf 19 2K 29 ip6ndp 12 2K 21 Unitno 32 2K 3463 CAM XPT 22 2K 541 in_multi 6 2K 7 acpidev 20 2K 20 crypto 2 2K 2 msi 9 2K 9 tun 7 2K 7 freework 5 2K 2427 newdirblk 16 1K 2421 freeblks 4 1K 2426 ipsecpolicy 1 1K 1 sahead 1 1K 1 secasvar 1 1K 1 clone 8 1K 8 NFSD session 1 1K 1 CAM periph 4 1K 270 mld 6 1K 6 sctp_ifn 6 1K 6 igmp 6 1K 6 toponodes 6 1K 6 isadev 6 1K 6 mount 16 1K 86 pci_link 10 1K 10 CAM SIM 2 1K 2 softdep 1 1K 1 pfil 4 1K 4 chacha20random 1 1K 1 vnodemarker 1 1K 9 epoch 4 1K 4 cdev 2 1K 2 DEVFSP 8 1K 8 inpcbpolicy 15 1K 4978 encap_export_host 8 1K 8 osd 3 1K 9 vnodes 1 1K 1 NFSD lckfile 1 1K 1 NFSD V4client 1 1K 1 DEVFS 9 1K 10 feeder 7 1K 7 loginclass 3 1K 3 soname 5 1K 10563 CAM path 4 1K 1030 apmdev 1 1K 1 atkbddev 2 1K 2 pmchooks 1 1K 1 prison 4 1K 4 filecaps 5 1K 72 CAM dev queue 2 1K 2 CAM I/O Scheduler 1 1K 1 nexusdev 5 1K 5 entropy 2 1K 41 tcpfunc 1 1K 1 sctp_vrf 1 1K 1 vnet 1 1K 1 acpiintr 1 1K 1 pmc 1 1K 1 cpus 2 1K 2 vnet_data_free 1 1K 1 Per-cpu 1 1K 1 p1003.1b 1 1K 1 CAM CCB 0 0K 1857 madt_table 0 0K 2 PUC 0 0K 0 ppbusdev 0 0K 0 agtiapi_MemAlloc malloc 0 0K 0 osti_cacheable 0 0K 0 tempbuff 0 0K 0 tempbuff 0 0K 0 pvscsi 0 0K 0 smartpqi 0 0K 0 ag_tgt_map_t malloc 0 0K 0 ag_slr_map_t malloc 0 0K 0 lDevFlags * malloc 0 0K 0 tiDeviceHandle_t * malloc 0 0K 0 ag_portal_data_t malloc 0 0K 0 ag_device_t malloc 0 0K 0 STLock malloc 0 0K 0 CCB List 0 0K 0 iavf 0 0K 0 ixl 0 0K 0 sr_iov 0 0K 0 OCS 0 0K 0 OCS 0 0K 0 nvme 0 0K 0 nvd 0 0K 0 netmap 0 0K 0 mwldev 0 0K 0 MVS driver 0 0K 0 fpukern_ctx 0 0K 0 xen_intr 0 0K 0 CAM ccb queue 0 0K 0 xen_hvm 0 0K 0 legacydrv 0 0K 0 qpidrv 0 0K 0 mrsasbuf 0 0K 0 mpt_user