panic: tcp_default_fb_init: connection 0xfffffe0079dd2000 in unexpected state 10
cpuid = 1
time = 1751132753
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe0057192290
kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe00571923f0
vpanic() at vpanic+0x257/frame 0xfffffe00571925b0
panic() at panic+0xb5/frame 0xfffffe0057192680
tcp_default_fb_init() at tcp_default_fb_init+0x697/frame 0xfffffe00571926d0
tcp_ctloutput_set() at tcp_ctloutput_set+0x607/frame 0xfffffe0057192850
tcp_ctloutput() at tcp_ctloutput+0x128/frame 0xfffffe0057192950
sosetopt() at sosetopt+0x236/frame 0xfffffe0057192b50
kern_setsockopt() at kern_setsockopt+0x2b0/frame 0xfffffe0057192cc0
sys_setsockopt() at sys_setsockopt+0x77/frame 0xfffffe0057192d10
amd64_syscall() at amd64_syscall+0x4e2/frame 0xfffffe0057192f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0057192f30
--- syscall (198, FreeBSD ELF64, __syscall), rip = 0x3a197a, rsp = 0x825d99f08, rbp = 0x825d99f80 ---
KDB: enter: panic
[ thread pid 1307 tid 100956 ]
Stopped at kdb_enter+0x6e: movq $0,0x25b9ce7(%rip)
db>
db> set $lines = 0
db> set $maxwidth = 0
db> show registers
cs 0x20
ds 0x3b
es 0x3b
fs 0x13
gs 0x1b
ss 0x28
rax 0x12
rcx 0xfffffe0002bf1850
rdx 0
rbx 0xffffffff827bb8c0 .str.27
rsp 0xfffffe00571923d0
rbp 0xfffffe00571923f0
rsi 0
rdi 0xffffffff81618b29 printf+0x149
r8 0
r9 0xffffffff
r10 0x3
r11 0xfffffe00541be550
r12 0xfffffe00541be000
r13 0xfffffffffffffffd
r14 0xffffffff827bb8c0 .str.27
r15 0
rip 0xffffffff816026ae kdb_enter+0x6e
rflags 0x46
kdb_enter+0x6e: movq $0,0x25b9ce7(%rip)
db> show proc
Process 1307 (syz-executor) at 0xfffffe00541b4000:
 state: NORMAL
 uid: 0 gids: 0, 0, 5
 parent: pid 765 at 0xfffffe0054101000
 ABI: FreeBSD ELF64
 flag: 0x10000080 flag2: 0
 arguments: ./syz-executor exec
 reaper: 0xfffffe0007809040 reapsubtree: 1
 sigparent: 20
 vmspace: 0xfffffe00540b7db0
   (map 0xfffffe00540b7db0)
   (map.pmap 0xfffffe00540b7e50)
   (pmap 0xfffffe00540b7ec0)
 threads: 3
100941
RunQ syz-executor
100956 Run CPU 1 syz-executor
100957 S uwait 0xfffffe0078dced80 syz-executor
db> ps
pid ppid pgrp uid state wmesg wchan cmd
1308 767 767 0 R (threaded) syz-executor
100279 Run CPU 0 syz-executor
100959 RunQ syz-executor
1307 765 765 0 R (threaded) syz-executor
100941 RunQ syz-executor
100956 Run CPU 1 syz-executor
100957 S uwait 0xfffffe0078dced80 syz-executor
1306 766 766 0 R (threaded) syz-executor
100245 RunQ syz-executor
100955 S uwait 0xfffffe006e52b280 syz-executor
100958 RunQ syz-executor
1304 1 1304 0 Ss+ ttyin 0xfffffe0053f700b0 getty
1303 1 1303 0 Ss+ ttyin 0xfffffe0053f6f8b0 getty
1302 1 1302 0 Ss+ ttyin 0xfffffe0053f6f0b0 getty
1301 1 1301 0 Ss+ ttyin 0xfffffe0053f6e8b0 getty
1300 1 1300 0 Ss+ ttyin 0xfffffe0053f6e0b0 getty
1299 1 1299 0 Ss+ ttyin 0xfffffe00582924b0 getty
1298 1 1298 0 Ss+ ttyin 0xfffffe00594918b0 getty
1297 1 1297 0 Ss+ ttyin 0xfffffe00594910b0 getty
1296 1 1296 0 Ss+ ttyin 0xfffffe0057dfa8b0 getty
1295 764 764 0 R (threaded) syz-executor
100947 RunQ syz-executor
100952 S uwait 0xfffffe0053ec2780 syz-executor
100953 S uwait 0xfffffe007922c800 syz-executor
1291 1 765 0 T syz-executor
1231 1 764 0 S uwait 0xfffffe007922e000 syz-executor
1138 1137 764 0 S uwait 0xfffffe007922d880 syz-executor
1137 1136 764 0 SV wait 0xfffffe0054197b00 syz-executor
1136 1 764 0 DV ppwait 0xfffffe0054198000 syz-executor
1113 0 0 0 DL mdwait 0xfffffe005861f000 [md7]
945 0 0 0 DL mdwait 0xfffffe006b761000 [md1]
927 0 0 0 DL mdwait 0xfffffe006b760000 [md0]
913 0 0 0 DL (threaded) [KTLS]
100236 D - 0xfffffe0007a6c600 [thr_0]
100237 D - 0xfffffe0007a6c680 [thr_1]
100238 D - 0xffffffff83caee28 [reclaim_0]
892 0 0 0 DL (threaded) [so_splice]
100106 D - 0xfffffe006b452b00 [thr_0]
100195 D - 0xfffffe006b452b40 [thr_1]
847 0 0 0 DL - 0xffffffff83b47da0 [accounting]
814 0 0 0 DL aiordy 0xfffffe0054007020 [aiod4]
813 0 0 0 DL aiordy 0xfffffe00540085a0 [aiod3]
812 0 0 0 DL aiordy 0xfffffe0054008b00 [aiod2]
811 0 0 0 DL aiordy 0xfffffe00540e2020 [aiod1]
767 763 767 0 S nanslp 0xffffffff83b9d580 syz-executor
766 763 766 0 R syz-executor
765 763 765 0 R syz-executor
764 763 764 0 R syz-executor
763 761 761 0 S select 0xfffffe006ddfca40 syz-executor
761 1 761 0 Ss sigsusp 0xfffffe0054007b90 csh
17 0 0 0 DL syncer 0xffffffff83cbafa0 [syncer]
16 0 0 0 DL vlruwt 0xfffffe0007828040 [vnlru]
15 0 0 0 DL (threaded) [bufdaemon]
100080 D psleep 0xffffffff83cb9560 [bufdaemon]
100083 D - 0xffffffff83001ec0 [bufspacedaemon-0]
100094 D sdflush 0xfffffe00596dbce8 [/ worker]
9 0 0 0 DL psleep 0xffffffff83d04400 [vmdaemon]
8 0 0 0 DL (threaded) [pagedaemon]
100078 D psleep 0xffffffff83cea4c8 [dom0]
100081 D launds 0xffffffff83cea4d4 [laundry: dom0]
100082 D umarcl 0xffffffff81dd8c90 [uma]
7 0 0 0 DL - 0xffffffff8391acd0 [rand_harvestq]
6 0 0 0 TL pftm 0xffffffff84838980 [pf purge]
5 0 0 0 DL waiting 0xffffffff84701700 [sctp_iterator]
4 0 0 0 DL (threaded) [cam]
100046 D - 0xffffffff838e5340 [doneq0]
100047 D - 0xffffffff838e52c0 [async]
100076 D - 0xffffffff838e5140 [scanner]
3 0 0 0 DL (threaded) [crypto]
100043 D crypto_ 0xffffffff83ce5d80 [crypto]
100044 D crypto_ 0xfffffe0007a6fc30 [crypto returns 0]
100045 D crypto_ 0xfffffe0007a6fc80 [crypto returns 1]
14 0 0 0 DL seqstat 0xfffffe0053ff0088 [sequencer 00]
13 0 0 0 DL (threaded) [geom]
100037 D - 0xffffffff83b45f20 [g_event]
100038 D - 0xffffffff83b45f40 [g_up]
100039 D - 0xffffffff83b45f60 [g_down]
2 0 0 0 WL (threaded) [clock]
100031 I [clock (0)]
100032 I [clock (1)]
12 0 0 0 WL (threaded) [intr]
100013 I [swi6: task queue]
100014 I [swi6: Giant taskq]
100016 I [swi5: fast taskq]
100033 I [swi1: netisr 0]
100034 I [swi1: hpts]
100035 I [swi1: hpts]
100048 I [irq24: virtio_pci0]
100049 I [irq25: virtio_pci0]
100050 I [irq26: virtio_pci0]
100051 I [irq27: virtio_pci0]
100052 I [irq28: virtio_pci1]
100053 I [irq29: virtio_pci1]
100054 I [irq30: virtio_pci1]
100055 I [irq31: virtio_pci1]
100056 I [irq32: virtio_pci1]
100061 I [irq10: virtio_pci2]
100063 I [irq1: atkbd0]
100064 I
[irq12: psm0]
100065 I [swi0: uart uart++]
100069 I [swi1: pf send]
11 0 0 0 RL (threaded) [idle]
100003 CanRun [idle: cpu0]
100004 CanRun [idle: cpu1]
1 0 1 0 SLs wait 0xfffffe0007809040 [init]
10 0 0 0 DL audit_w 0xffffffff83ce6820 [audit]
0 0 0 0 DLs (threaded) [kernel]
100000 D parked 0xffffffff84c36ff0 [swapper]
100005 D - 0xfffffe0053e9c800 [softirq_0]
100006 D - 0xfffffe0053e9c700 [softirq_1]
100007 D - 0xfffffe0053e9c600 [if_io_tqg_0]
100008 D - 0xfffffe0053e9c500 [if_io_tqg_1]
100009 D - 0xfffffe0053e9c400 [if_config_tqg_0]
100010 D - 0xfffffe000776ab00 [kqueue_ctx taskq]
100011 D - 0xfffffe000776aa00 [jail_remove taskq]
100012 D - 0xfffffe000776a900 [bus taskq]
100015 D - 0xfffffe000776a600 [thread taskq]
100017 D - 0xfffffe000776a400 [aiod_kick taskq]
100018 D - 0xfffffe000776a300 [deferred_unmount ta]
100019 D - 0xfffffe000776a200 [inm_free taskq]
100020 D - 0xfffffe000776a100 [in6m_free taskq]
100021 D - 0xfffffe000776a000 [linuxkpi_irq_wq]
100022 D - 0xfffffe0007769e00 [linuxkpi_short_wq_0]
100023 D - 0xfffffe0007769e00 [linuxkpi_short_wq_1]
100024 D - 0xfffffe0007769e00 [linuxkpi_short_wq_2]
100025 D - 0xfffffe0007769e00 [linuxkpi_short_wq_3]
100026 D - 0xfffffe0007769d00 [linuxkpi_long_wq_0]
100027 D - 0xfffffe0007769d00 [linuxkpi_long_wq_1]
100028 D - 0xfffffe0007769d00 [linuxkpi_long_wq_2]
100029 D - 0xfffffe0007769d00 [linuxkpi_long_wq_3]
100036 D - 0xfffffe0007769a00 [firmware taskq]
100041 D - 0xfffffe0007769700 [crypto_0]
100042 D - 0xfffffe0007769700 [crypto_1]
100057 D - 0xfffffe0007769300 [vtnet0 rxq 0]
100058 D - 0xfffffe0007769200 [vtnet0 txq 0]
100059 D - 0xfffffe0007769100 [vtnet0 rxq 1]
100060 D - 0xfffffe0007769000 [vtnet0 txq 1]
100062 D vtbslp 0xfffffe0057d7eb80 [virtio_balloon]
100066 D - 0xffffffff827c0c61 [deadlkres]
100070 D - 0xfffffe00593dc300 [acpi_task_0]
100071 D - 0xfffffe00593dc300 [acpi_task_1]
100072 D - 0xfffffe00593dc300 [acpi_task_2]
100074 D - 0xfffffe000776ac00 [mca taskq]
100075 D - 0xfffffe0007769600 [CAM taskq]
100077 D - 0xfffffe00593db700 [ipsec_offload]
100468 D - 0xfffffe00593d9500 [system_taskq_0]
100469 D - 0xfffffe00593d9500 [system_taskq_1]
100470 D - 0xfffffe0078dcc900 [system_delay_taskq_]
100471 D - 0xfffffe0078dcc900 [system_delay_taskq_]
100472 D - 0xfffffe0078dcc800 [zvol_tq-0_0]
100473 D - 0xfffffe0078dcc800 [zvol_tq-0_1]
100474 D - 0xfffffe0078dcc800 [zvol_tq-0_2]
100475 D - 0xfffffe0078dcc800 [zvol_tq-0_3]
100476 D - 0xfffffe0078dcc800 [zvol_tq-0_4]
100477 D - 0xfffffe0078dcc800 [zvol_tq-0_5]
100478 D - 0xfffffe0078dcc800 [zvol_tq-0_6]
100479 D - 0xfffffe0078dcc800 [zvol_tq-0_7]
100480 D - 0xfffffe0078dcc800 [zvol_tq-0_8]
100481 D - 0xfffffe0078dcc800 [zvol_tq-0_9]
100482 D - 0xfffffe0078dcc800 [zvol_tq-0_10]
100483 D - 0xfffffe0078dcc800 [zvol_tq-0_11]
100484 D - 0xfffffe0078dcc800 [zvol_tq-0_12]
100485 D - 0xfffffe0078dcc800 [zvol_tq-0_13]
100486 D - 0xfffffe0078dcc800 [zvol_tq-0_14]
100487 D - 0xfffffe0078dcc800 [zvol_tq-0_15]
100488 D - 0xfffffe0078dcc800 [zvol_tq-0_16]
100489 D - 0xfffffe0078dcc800 [zvol_tq-0_17]
100490 D - 0xfffffe0078dcc800 [zvol_tq-0_18]
100491 D - 0xfffffe0078dcc800 [zvol_tq-0_19]
100492 D - 0xfffffe0078dcc800 [zvol_tq-0_20]
100493 D - 0xfffffe0078dcc800 [zvol_tq-0_21]
100494 D - 0xfffffe0078dcc800 [zvol_tq-0_22]
100495 D - 0xfffffe0078dcc800 [zvol_tq-0_23]
100496 D - 0xfffffe0078dcc800 [zvol_tq-0_24]
100497 D - 0xfffffe0078dcc800 [zvol_tq-0_25]
100498 D - 0xfffffe0078dcc800 [zvol_tq-0_26]
100499 D - 0xfffffe0078dcc800 [zvol_tq-0_27]
100500 D - 0xfffffe0078dcc800 [zvol_tq-0_28]
100501 D - 0xfffffe0078dcc800 [zvol_tq-0_29]
100502 D - 0xfffffe0078dcc800 [zvol_tq-0_30]
100503 D - 0xfffffe0078dcc800 [zvol_tq-0_31]
100504 D - 0xfffffe0078dcc600 [arc_prune]
100505 D - 0xfffffe0078dcc500 [arc_flush_0]
100506 D - 0xfffffe0078dcc500 [arc_flush_1]
100520 D - 0xfffffe000776c600 [dbu_evict]
100535 D - 0xfffffe00593d9900 [z_vdev_file_0]
100536 D - 0xfffffe00593d9900 [z_vdev_file_1]
100537 D - 0xfffffe00593d9900 [z_vdev_file_2]
100538 D -
0xfffffe00593d9900 [z_vdev_file_3]
100539 D - 0xfffffe00593d9900 [z_vdev_file_4]
100540 D - 0xfffffe00593d9900 [z_vdev_file_5]
100541 D - 0xfffffe00593d9900 [z_vdev_file_6]
100542 D - 0xfffffe00593d9900 [z_vdev_file_7]
100543 D - 0xfffffe00593d9900 [z_vdev_file_8]
100544 D - 0xfffffe00593d9900 [z_vdev_file_9]
100545 D - 0xfffffe00593d9900 [z_vdev_file_10]
100546 D - 0xfffffe00593d9900 [z_vdev_file_11]
100547 D - 0xfffffe00593d9900 [z_vdev_file_12]
100548 D - 0xfffffe00593d9900 [z_vdev_file_13]
100549 D - 0xfffffe00593d9900 [z_vdev_file_14]
100550 D - 0xfffffe00593d9900 [z_vdev_file_15]
100565 D - 0xfffffe00593da600 [zfsvfs]
100799 D - 0xfffffe0059668e00 [netlink_socket (PID]
db> show all locks
Process 1308 (syz-executor) thread 0xfffffe0054129000 (100279)
exclusive sleep mutex umtxql (umtxql) r = 0 (0xffffffff83baa940) locked @ /syzkaller/managers/main/kernel/sys/kern/kern_umtx.c:1299
Process 1307 (syz-executor) thread 0xfffffe00541be000 (100956)
exclusive rw tcpinp (tcpinp) r = 0 (0xfffffe0079dd2020) locked @ /syzkaller/managers/main/kernel/sys/netinet/tcp_usrreq.c:1734
db> show malloc
Type InUse MemUse Requests
sctp_stro 9 23051K 13
pf_hash 6 12804K 6
linker 425 12680K 793
tcp_hpts 7 4801K 7
devbuf 4188 4324K 4217
solaris 2246 3597K 4472
sysctloid 45027 2645K 45139
vtbuf 24 1968K 46
kobj 331 1324K 524
newblk 97 1048K 3612
vfscache 3 1025K 3
pcb 44 690K 736
inodedep 18 519K 876
ufs_quota 1 512K 1
vfs_hash 1 512K 1
callout 2 512K 2
intr 4 472K 4
vmem 5 274K 8
subproc 207 267K 1474
vnet_data 2 224K 2
acpitask 1 224K 1
filedesc 27 213K 785
KTRACE 102 201K 75073
acpica 1674 184K 54432
tidhash 3 141K 3
pagedep 11 131K 413
tfo_ccache 1 128K 1
IP reass 1 128K 1
DEVFS1 113 113K 130
sem 4 106K 4
gtaskqueue 18 98K 18
bus 1002 82K 5074
mtx_pool 3 74K 3
md_sectors 18 72K 18
umtx 560 70K 560
kdtrace 319 70K 2270
syncache 1 68K 1
NFSD srvcache 3 68K 3
module 526 66K 531
ddb_capture 1 64K 1
temp 40 44K 2457
DEVFS3 132 33K 142
hostcache 1 32K 1
shm 1 32K 23
msg 4 30K 4
kbdmux 6
28K 6
DEVFS_RULE 56 20K 56
kstat_data 19 19K 19
ifaddr 67 19K 69
LRO 18 19K 18
ufs_mount 4 17K 5
proc 3 17K 3
tty 16 16K 16
routetbl 135 16K 424
ithread 90 15K 90
bus-sc 34 15K 1650
lltable 45 14K 46
eventhandler 166 14K 166
GEOM 82 14K 574
md_disk 21 13K 23
ifnet 7 13K 7
ether_multi 152 13K 174
shmfd 10 12K 32
kenv 95 12K 95
taskqueue 96 11K 168
CAM queue 5 11K