panic: mq notifiers left cpuid = 0 time = 1769304546 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe0056ec1810 kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe0056ec1970 vpanic() at vpanic+0x257/frame 0xfffffe0056ec1b30 panic() at panic+0xb5/frame 0xfffffe0056ec1c00 mq_proc_exit() at mq_proc_exit+0x1cc/frame 0xfffffe0056ec1c50 exit1() at exit1+0x62b/frame 0xfffffe0056ec1cf0 sys__exit() at sys__exit+0x28/frame 0xfffffe0056ec1d10 amd64_syscall() at amd64_syscall+0x4e2/frame 0xfffffe0056ec1f30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0056ec1f30 --- syscall (1, FreeBSD ELF64, _exit), rip = 0x3a851a, rsp = 0x8213341b8, rbp = 0x8213341c0 --- KDB: enter: panic [ thread pid 966 tid 100232 ] Stopped at kdb_enter+0x6e: movq $0,0x2587a77(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xfffffe0002bf1850 rdx 0 rbx 0xffffffff8283c160 .str.27 rsp 0xfffffe0056ec1950 rbp 0xfffffe0056ec1970 rsi 0 rdi 0xffffffff81664139 printf+0x149 r8 0 r9 0xffffffff r10 0 r11 0xfffffe0058b16cd0 r12 0xfffffe0058b16780 r13 0xfffffffffffffffe r14 0xffffffff8283c160 .str.27 r15 0 rip 0xffffffff8164d41e kdb_enter+0x6e rflags 0x46 kdb_enter+0x6e: movq $0,0x2587a77(%rip) db> show proc Process 966 (syz-executor) at 0xfffffe0058b24560: state: NORMAL uid: 0 gid: 0 supp gids: 0, 5 parent: pid 763 at 0xfffffe0058ace018 ABI: FreeBSD ELF64 flag: 0x10002000 flag2: 0x40000 arguments: ./syz-executor exec reaper: 0xfffffe0007809010 reapsubtree: 1 sigparent: 20 vmspace: 0xfffffe00078106d8 (map 0xfffffe00078106d8) (map.pmap 0xfffffe0007810778) (pmap 0xfffffe00078107e8) threads: 1 100232 Run CPU 0 syz-executor db> ps pid ppid pgrp uid state wmesg wchan cmd 966 763 763 0 RE CPU 0 syz-executor 965 766 766 0 R (threaded) syz-executor 100118 RunQ syz-executor 100302 S aiowc 0xfffffe0058ae4e48 syz-executor 100303 S uwait 0xfffffe00585f3400 syz-executor 100304 S uwait 0xfffffe0058696080 syz-executor 959 765 765 0 T (threaded) syz-executor 100117 s syz-executor 100294 Run CPU 1 syz-executor 955 1 763 0 S uwait 0xfffffe0058695100 syz-executor 954 1 763 0 S uwait 0xfffffe0059a34380 syz-executor 939 1 765 0 S uwait 0xfffffe0059a37080 syz-executor 933 931 931 0 S tun_con 0xfffffe00584cd538 ifconfig 931 762 931 0 S wait 0xfffffe0058a04010 syz-executor 929 1 924 0 S uwait 0xfffffe0059a34980 syz-executor 928 1 924 0 S uwait 0xfffffe0059a35100 syz-executor 927 1 764 0 S uwait 0xfffffe00585f3c00 syz-executor 926 1 924 0 S uwait 0xfffffe0059a34a80 syz-executor 916 1 763 0 S uwait 0xfffffe0059a34480 syz-executor 915 1 763 0 S uwait 0xfffffe0058697f00 syz-executor 913 1 764 0 S uwait 0xfffffe0059a36180 syz-executor 911 1 766 0 S uwait 0xfffffe0059a34b80 syz-executor 910 1 766 0 S uwait 0xfffffe0059a36680 syz-executor 891 1 766 0 S uwait 0xfffffe0059a35e00 syz-executor 890 1 890 0 Ss+ ttyin 0xfffffe0007bf70b0 getty 889 1 889 0 Ss+ ttyin 0xfffffe00599530b0 getty 888 1 888 0 Ss+ ttyin 0xfffffe0007bf88b0 getty 885 1 885 0 Ss+ ttyin 0xfffffe0007bf90b0 getty 883 1 883 0 Ss+ ttyin 0xfffffe005422dcb0 getty 880 1 880 0 Ss+ ttyin 0xfffffe0007bf80b0 getty 879 1 879 0 Ss+ ttyin 0xfffffe0007bf78b0 getty 877 1 877 0 Ss+ ttyin 0xfffffe00599518b0 getty 876 1 876 0 Ss+ ttyin 0xfffffe00599538b0 getty 856 1 764 0 S uwait 0xfffffe0059a35500 syz-executor 831 0 0 0 DL (threaded) [so_splice] 100112 D - 0xfffffe0058697800 [thr_0] 100152 D - 0xfffffe0058697840 [thr_1] 826 0 0 0 DL aiordy 0xfffffe0058b07ac0 [aiod4] 825 0 0 0 DL aiordy 0xfffffe0058a0d570 [aiod3] 824 0 0 0 DL aiordy 0xfffffe0058acb000 [aiod2] 823 0 0 0 DL aiordy 0xfffffe0058acb558 [aiod1] 818 0 0 0 DL (threaded) [KTLS] 100121 D - 0xfffffe0054238b00 [thr_0] 100128 D - 0xfffffe0054238b80 [thr_1] 100129 D - 0xffffffff83cd78e8 [reclaim_0] 766 762 766 0 S nanslp 0xffffffff83bb5f40 syz-executor 765 762 765 0 S nanslp 0xffffffff83bb5f40 syz-executor 763 762 763 0 S nanslp 0xffffffff83bb5f40 syz-executor 762 1 760 0 S select 0xfffffe006df774c0 syz-executor 737 1 17 0 S+ piperd 0xfffffe0059baeb80 logger 736 735 17 0 S+ nanslp 0xffffffff83bb5f40 sleep 735 1 17 0 S+ wait 0xfffffe0058a04ac0 sh 685 1 685 0 Ss nanslp 0xffffffff83bb5f41 cron 681 1 681 0 Ss select 0xfffffe006df77640 sshd 494 1 494 0 Ss select 0xfffffe0059a851c0 syslogd 16 0 0 0 DL syncer 0xffffffff83ce3ae0 [syncer] 15 0 0 0 DL vlruwt 0xfffffe0058a02558 [vnlru] 14 0 0 0 DL (threaded) [bufdaemon] 100079 D psleep 0xffffffff83ce2020 [bufdaemon] 100082 D - 0xffffffff83001ec0 [bufspacedaemon-0] 100094 D sdflush 0xfffffe0057f1fce8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83d23380 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100077 D psleep 0xffffffff83d09448 [dom0] 100080 D launds 0xffffffff83d09454 [laundry: dom0] 100081 D umarcl 0xffffffff81e37c30 [uma] 7 0 0 0 DL - 0xffffffff8392e510 [rand_harvestq] 6 0 0 0 RL [pf purge] 5 0 0 0 DL waiting 0xffffffff84695700 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100045 D - 0xffffffff838f8340 [doneq0] 100046 D - 0xffffffff838f82c0 [async] 100075 D - 0xffffffff838f8140 [scanner] 3 0 0 0 DL (threaded) [crypto] 100042 D crypto_ 0xffffffff83d04ce0 [crypto] 100043 D crypto_ 0xfffffe00077af830 [crypto returns 0] 100044 D crypto_ 0xfffffe00077af880 [crypto returns 1] 13 0 0 0 DL (threaded) [geom] 100037 D - 0xffffffff83b5e520 [g_event] 100038 D - 0xffffffff83b5e540 [g_up] 100039 D - 0xffffffff83b5e560 [g_down] 2 0 0 0 WL (threaded) [clock] 100031 I [clock (0)] 100032 I [clock (1)] 12 0 0 0 WL (threaded) [intr] 100013 I [swi6: task queue] 100014 I [swi6: Giant taskq] 100016 I [swi5: fast taskq] 100033 I [swi1: netisr 0] 100034 I [swi1: hpts] 100035 I [swi1: hpts] 100047 I [irq24: virtio_pci0] 100048 I [irq25: virtio_pci0] 100049 I [irq26: virtio_pci0] 100050 I [irq27: virtio_pci0] 100051 I [irq28: virtio_pci1] 100052 I [irq29: virtio_pci1] 100053 I [irq30: virtio_pci1] 100054 I [irq31: virtio_pci1] 100055 I [irq32: virtio_pci1] 100060 I [irq10: virtio_pci2] 100062 I [irq1: atkbd0] 100063 I [irq12: psm0] 100064 I [swi0: uart uart++] 100068 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffffe0007809010 [init] 10 0 0 0 DL audit_w 0xffffffff83d05780 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D - 0xffffffff84c5dff0 [kernel] 100005 D - 0xfffffe00077cb000 [softirq_0] 100006 D - 0xfffffe00077cae00 [softirq_1] 100007 D - 0xfffffe00077cad00 [if_io_tqg_0] 100008 D - 0xfffffe00077cac00 [if_io_tqg_1] 100009 D - 0xfffffe00077cab00 [if_config_tqg_0] 100010 D - 0xfffffe00077caa00 [kqueue_ctx taskq] 100011 D - 0xfffffe00077ca900 [jail_remove taskq] 100012 D - 0xfffffe00077ca800 [bus taskq] 100015 D - 0xfffffe00077ca500 [thread taskq] 100017 D - 0xfffffe00077ca300 [aiod_kick taskq] 100018 D - 0xfffffe00077ca200 [deferred_unmount ta] 100019 D - 0xfffffe00077ca100 [inm_free taskq] 100020 D - 0xfffffe00077ca000 [in6m_free taskq] 100021 D - 0xfffffe00077c9e00 [linuxkpi_irq_wq] 100022 D - 0xfffffe00077c9d00 [linuxkpi_short_wq_0] 100023 D - 0xfffffe00077c9d00 [linuxkpi_short_wq_1] 100024 D - 0xfffffe00077c9d00 [linuxkpi_short_wq_2] 100025 D - 0xfffffe00077c9d00 [linuxkpi_short_wq_3] 100026 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_0] 100027 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_1] 100028 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_2] 100029 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_3] 100036 D - 0xfffffe00077c9b00 [firmware taskq] 100040 D - 0xfffffe00077c9100 [crypto_0] 100041 D - 0xfffffe00077c9100 [crypto_1] 100056 D - 0xfffffe00077c8900 [vtnet0 rxq 0] 100057 D - 0xfffffe00077c8800 [vtnet0 txq 0] 100058 D - 0xfffffe00077c8700 [vtnet0 rxq 1] 100059 D - 0xfffffe00077c8600 [vtnet0 txq 1] 100061 D vtbslp 0xfffffe005800d900 [virtio_balloon] 100065 D - 0xffffffff82840840 [deadlkres] 100069 D - 0xfffffe00077c8b00 [acpi_task_0] 100070 D - 0xfffffe00077c8b00 [acpi_task_1] 100071 D - 0xfffffe00077c8b00 [acpi_task_2] 100073 D - 0xfffffe00077cb100 [mca taskq] 100074 D - 0xfffffe00077c8a00 [CAM taskq] 100076 D - 0xfffffe00077c8300 [ipsec_offload] db> show all locks Process 959 (syz-executor) thread 0xfffffe0058b34780 (100294) exclusive lockmgr ufs (ufs) r = 0 (0xfffffe006e304598) locked @ /syzkaller/managers/main/kernel/sys/kern/link_elf_obj.c:1247 exclusive sx kernel linker (kernel linker) r = 0 (0xffffffff83b62a40) locked @ /syzkaller/managers/main/kernel/sys/kern/kern_linker.c:1156 Process 933 (ifconfig) thread 0xfffffe0058b0d000 (100246) exclusive sx ifnet_detach_sx (ifnet_detach_sx) r = 0 (0xffffffff83ce4280) locked @ /syzkaller/managers/main/kernel/sys/net/if.c:2904 db> show malloc Type InUse MemUse Requests pf_hash 6 12804K 6 linker 411 11950K 539 devbuf 8283 7252K 8308 tcp_hpts 8 4865K 8 sysctloid 35395 2086K 35470 vtbuf 24 1968K 46 kobj 337 1348K 501 newblk 463 1140K 1038 vfscache 3 1025K 3 pcb 23 669K 122 inodedep 85 544K 249 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 472K 4 filedesc 44 345K 290 subproc 139 274K 1046 vnet_data 2 224K 2 acpitask 1 224K 1 KTRACE 101 201K 4712 acpica 1674 184K 56977 vmem 5 144K 7 tidhash 3 141K 3 pagedep 32 136K 139 tfo_ccache 1 128K 1 IP reass 1 128K 1 sem 4 106K 4 DEVFS1 106 106K 123 gtaskqueue 18 98K 18 LRO 22 85K 22 bus 1015 83K 5167 mtx_pool 3 74K 3 syncache 1 68K 1 NFSD srvcache 3 68K 3 module 529 67K 529 ddb_capture 1 64K 1 umtx 320 40K 320 kdtrace 200 39K 1274 hostcache 1 32K 1 shm 1 32K 1 DEVFS3 126 32K 136 msg 4 30K 4 kbdmux 6 28K 6 temp 32 21K 2032 DEVFS_RULE 56 20K 56 ifaddr 72 20K 74 ufs_mount 4 17K 5 proc 3 17K 3 tty 16 16K 16 routetbl 130 16K 410 lltable 48 15K 49 ithread 90 15K 90 bus-sc 34 15K 1690 eventhandler 170 14K 170 ether_multi 152 13K 184 kenv 95 12K 95 GEOM 49 11K 431 CAM queue 5 11K 1528 rman 75 10K 430 cred 25 10K 255 rpc 8 9K 8 bmsafemap 4 9K 223 in6_multi 65 9K 66 devstat 4 9K 4 UART 12 9K 12 ksem 1 8K 2 shmfd 1 8K 4 pfs_vncache 1 8K 1 plimit 21 8K 869 audit_evclass 240 8K 306 taskqueue 69 8K 72 ifnet 7 7K 7 sglist 6 7K 6 CAM DEV 3 6K 510 pfs_nodes 22 6K 22 dirrem 20 5K 185 ufs_dirhash 24 5K 24 freework 19 5K 300 UMA 271 5K 271 diradd 35 5K 204 pf_ifnet 10 5K 20 vt 11 5K 11 memdesc 1 4K 1 MCA 32 4K 32 evdev 4 4K 4 kqueue 62 4K 1066 pwddesc 61 4K 982 acpisem 28 4K 28 DEVFSP 52 4K 136 indirdep 12 3K 134 kcovinfo 45 3K 45 terminal 11 3K 11 newdirblk 20 3K 124 acpidev 20 3K 20 uidinfo 4 3K 14 hhook 8 3K 10 mkdir 18 3K 248 proc-args 78 3K 2088 netlink 2 3K 73 local_apic 1 2K 1 io_apic 1 2K 1 ipsec-saq 2 2K 2 clone 8 2K 8 session 16 2K 67 ip6ndp 13 2K 14 sctp_ifa 13 2K 14 selfd 26 2K 27440 Unitno 27 2K 966 CAM XPT 22 2K 543 in_multi 6 2K 12 tun 4 2K 4 toponodes 6 2K 6 lockf 13 2K 44 ipsecpolicy 2 2K 2 CC Mem 10 2K 56 msi 9 2K 9 softdep 1 1K 1 freeblks 4 1K 158 sahead 1 1K 1 secasvar 1 1K 1 nhops 6 1K 8 vnodemarker 2 1K 8 NFSD session 1 1K 1 mld 7 1K 7 igmp 7 1K 7 CAM periph 4 1K 271 ipsec 3 1K 3 sctp_ifn 6 1K 14 pfil 6 1K 6 BPF 6 1K 26 isadev 6 1K 6 mount 16 1K 272 pci_link 10 1K 10 osd 15 1K 73 crypto 4 1K 19 encap_export_host 12 1K 12 inpcbpolicy 19 1K 325 ip6opt 3 1K 15 sctp_timw 2 1K 2 freefile 4 1K 142 cdev 2 1K 2 lkpikmalloc 8 1K 9 counter_rate 13 1K 13 chacha20random 1 1K 1 biobuf 1 1K 1 select 3 1K 32 inotify 3 1K 12 DEVFS 10 1K 11 freefrag 2 1K 58 vnodes 1 1K 7 ktls 1 1K 16 NFSD lckfile 1 1K 1 NFSD V4client 1 1K 1 CAM SIM 2 1K 2 cryptodev 3 1K 124 tcpfunc 3 1K 3 loginclass 3 1K 5 prison 6 1K 6 nexusdev 8 1K 8 apmdev 1 1K 1 atkbddev 2 1K 2 ip6_msource 2 1K 3 VN POLL 1 1K 4 aio 4 1K 4 pmchooks 1 1K 1 CAM path 4 1K 1034 CAM dev queue 2 1K 2 CAM I/O Scheduler 1 1K 1 filecaps 3 1K 76 sctp_vrf 1 1K 1 vnet 1 1K 1 pmc 1 1K 1 entropy 2 1K 35 acpiintr 1 1K 1 soname 2 1K 3504 DEVFS4 2 1K 2 cpus 2 1K 2 vnet_data_free 1 1K 1 Per-cpu 1 1K 1 p1003.1b 1 1K 1 pf_table 0 0K 0 pf 0 0K 1 pf_rule 0 0K 0 pf_altq 0 0K 0 pf_osfp 0 0K 0 pf_krule_item 0 0K 0 pf_temp 0 0K 0 ipcomp 0 0K 0 esp 0 0K 0 ah 0 0K 0 filemon 0 0K 3 sctp_mcore 0 0K 0 sctp_socko 0 0K 13 sctp_iter 0 0K 12 sctp_mvrf 0 0K 0 sctp_cpal 0 0K 0 sctp_cmsg 0 0K 0 sctp_stre 0 0K 0 sctp_athi 0 0K 0 sctp_athm 0 0K 17 sctp_atky 0 0K 19 sctp_atcl 0 0K 16 sctp_a_it 0 0K 12 sctp_aadr 0 0K 0 sctp_stro 0 0K 2 sctp_stri 0 0K 2 sctp_map 0 0K 4 mqdata 0 0K 0 tcp_pcm_rack 0 0K 0 tcp_do_rack 0 0K 0 tcp_fsb_rack 0 0K 0 madt_table 0 0K 2 smartpqi 0 0K 0 ixl 0 0K 0 ice-resmgr 0 0K 0 ice-osdep 0 0K 0 ice 0 0K 0 iavf 0 0K 0 axgbe 0 0K 0 fpukern_ctx 0 0K 0 xen_intr 0 0K 0 xen_hvm 0 0K 0 legacydrv 0 0K 0 NMI handlers 0 0K 0 bounce 0 0K 0 busdma 0 0K 0 qpidrv 0 0K 0 dmar_idpgtbl 0 0K 0 dmar_dom 0 0K 0 dmar_ctx 0 0K 0 amdiommu_dom 0 0K 0 amdiommu_ctx 0 0K 0 isci 0 0K 0 iommu_dmamap 0 0K 0 hyperv_socket 0 0K 0 bxe_ilt 0 0K 0 aesni_data 0 0K 0 xenbus 0 0K 0 vm_fictitious 0 0K 0 UMAHash 0 0K 0 vm_pgdata 0 0K 0 jblocks 0 0K 0 savedino 0 0K 137 sentinel 0 0K 0 jfsync 0 0K 0 jtrunc 0 0K 0 sbdep 0 0K 2 jsegdep 0 0K 0 jseg 0 0K 0 jfreefrag 0 0K 0 jfreeblk 0 0K 0 jnewblk 0 0K 0 jmvref 0 0K 0 jremref 0 0K 0 jaddref 0 0K 0 freedep 0 0K 0 allocindir 0 0K 0 allocdirect 0 0K 0 ufs_trim 0 0K 0 mactemp 0 0K 0 audit_trigger 0 0K 0 audit_pipe_presel 0 0K 0 audit_pipeent 0 0K 0 audit_pipe 0 0K 0 audit_evname 0 0K 0 audit_bsm 0 0K 0 audit_gidset 0 0K 0 audit_text 0 0K 0 audit_path 0 0K 0 audit_data 0 0K 0 audit_cred 0 0K 0 ktls_ocf 0 0K 3 MLX5EEPROM 0 0K 0 MLX5EEPROM 0 0K 0 MLX5EEPROM 0 0K 0 MLX5EEPROM 0 0K 0 MLX5EEPROM 0 0K 0 MLX5E_TLS_RX 0 0K 0 MLX5EEPROM 0 0K 0 MLX5E_TLS 0 0K 0 MLX5EEPROM 0 0K 0 MLX5EEPROM 0 0K 0 MLX5EEPROM 0 0K 0 MLX5EN 0 0K 0 MLX5EEPROM 0 0K 0 MLX5EEPROM 0 0K 0 MLX5EEPROM 0 0K 0 MLX5EEPROM 0 0K 0 MLX5EEPROM 0 0K 0 MLX5EEPROM 0 0K 0 MLX5EEPROM 0 0K 0 MLX5DUMP 0 0K 0 MLX5EEPROM 0 0K 0 MLX5EEPROM 0 0K 0 MLX5EEPROM 0 0K 0 MLX5EEPROM 0 0K 0 simple_attr 0 0K 0 seq_file 0 0K 0 lkpiskb 0 0K 0 radix 0 0K 0 idr 0 0K 0 lkpindev 0 0K 0 lkpimhi 0 0K 0 lkpifw 0 0K 0 lkpi80211 0 0K 0 NLM 0 0K 0 ipsec-spdcache 0 0K 0 ipsec-reg 0 0K 0 ipsec-misc 0 0K 0 ipsecrequest 0 0K 0 ip6_moptions 0 0K 3 in6_mfilter 0 0K 7 frag6 0 0K 0 tcplog 0 0K 0 tcp_hwpace 0 0K 0 ip_msource 0 0K 5 ip_moptions 0 0K 4 in_mfilter 0 0K 9 ipid 0 0K 0 80211scan 0 0K 0 80211ratectl 0 0K 0 80211power 0 0K 0 80211nodeie 0 0K 0 80211node 0 0K 0 80211mesh_gt 0 0K 0 80211mesh_rt 0 0K 0 80211perr 0 0K 0 80211prep 0 0K 0 80211preq 0 0K 0 80211dfs 0 0K 0 80211crypto 0 0K 0 80211vap 0 0K 0 iflib 0 0K 0 vlan 0