kernel: protection fault trap, code=0 Stopped at pf_anchor_global_RB_REMOVE+0x58: movq 0(%r12),%rbx ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic the kernel did not panic ddb{0}> trace pf_anchor_global_RB_REMOVE(ffffffff829d8728,ffff800000cf3800) at pf_anchor_global_RB_REMOVE+0x58 sys/net/pf_ruleset.c:84 pf_remove_if_empty_ruleset(ffff800000cf3c90) at pf_remove_if_empty_ruleset+0xdd sys/net/pf_ruleset.c:300 pfi_dynaddr_setup(ffff800000d58580,0) at pfi_dynaddr_setup+0x411 sys/net/pf_if.c:485 pfioctl(4900,cd60441a,ffff800000bec000,2,ffff8000ffff2d28) at pfioctl+0x8c8a pf_addr_setup sys/net/pf_ioctl.c:894 [inline] pfioctl(4900,cd60441a,ffff800000bec000,2,ffff8000ffff2d28) at pfioctl+0x8c8a sys/net/pf_ioctl.c:1650 VOP_IOCTL(fffffd806f685aa8,cd60441a,ffff800000bec000,2,fffffd807f7d8660,ffff8000ffff2d28) at VOP_IOCTL+0x96 sys/kern/vfs_vops.c:264 vn_ioctl(fffffd80659bf4d0,cd60441a,ffff800000bec000,ffff8000ffff2d28) at vn_ioctl+0xbc sys/kern/vfs_vnops.c:531 sys_ioctl(ffff8000ffff2d28,ffff80002e3750c8,ffff80002e375120) at sys_ioctl+0x4a2 syscall(ffff80002e375190) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff80002e375190) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x923591cce50, count: -9 ddb{0}> show registers rdi 0xffff800024699000 rsi 0x10d0 __ALIGN_SIZE+0xd0 rbp 0xffff80002e374ba0 rbx 0xffffffff829d8728 pf_anchors rdx 0xffff800024699000 rcx 0x10cf __ALIGN_SIZE+0xcf rax 0xffffffff81475c5b pf_anchor_global_RB_REMOVE+0x2b r8 0x400 r9 0x8080808080808080 r10 0x8dcb1f108fb2f1ca r11 0x193b8314a38479ba r12 0x51437bb0d725533 r13 0xffffffff829d8730 pf_main_anchor r14 0xffff800000cf3800 r15 0xdeaf007fdeaf4152 rip 0xffffffff81475c88 pf_anchor_global_RB_REMOVE+0x58 cs 0x8 rflags 0x10206 __ALIGN_SIZE+0xf206 rsp 0xffff80002e374b50 ss 0x10 pf_anchor_global_RB_REMOVE+0x58: movq 0(%r12),%rbx ddb{0}> show proc PROC (syz-executor.6) pid=116976 stat=onproc flags process=0 proc=4000000 pri=32, usrpri=78, nice=20 forw=0xffffffffffffffff, list=0xffff8000ffff5500,0xffff8000ffff3a58 process=0xffff8000211a0860 user=0xffff80002e370000, vmspace=0xfffffd806aa038b0 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=0, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 30217 129426 10743 0 2 0 syz-executor.5 44112 365805 88832 0 7 0 syz-executor.6 *44112 116976 88832 0 7 0x4000000 syz-executor.6 85597 224500 37028 0 3 0x82 nanoslp syz-executor.3 88832 45699 37028 0 3 0x82 nanoslp syz-executor.6 79318 305294 37028 0 3 0x82 piperd syz-executor.0 98999 41191 37028 0 3 0x82 piperd syz-executor.7 17116 117148 37028 0 3 0x82 piperd syz-executor.4 10743 208340 37028 0 3 0x82 nanoslp syz-executor.5 79724 281280 37028 0 3 0x82 piperd syz-executor.1 22239 208102 37028 0 2 0x2 syz-executor.2 73713 451538 0 0 3 0x14200 acct acct 77590 74058 0 0 3 0x14200 bored sosplice 37028 386339 55100 0 3 0x82 thrsleep syz-fuzzer 37028 215955 55100 0 3 0x4000082 nanoslp syz-fuzzer 37028 494889 55100 0 3 0x4000082 kqread syz-fuzzer 37028 435613 55100 0 3 0x4000082 thrsleep syz-fuzzer 37028 236452 55100 0 3 0x4000082 thrsleep syz-fuzzer 37028 193180 55100 0 3 0x4000082 thrsleep syz-fuzzer 37028 169011 55100 0 3 0x4000082 thrsleep syz-fuzzer 37028 69573 55100 0 3 0x4000082 thrsleep syz-fuzzer 37028 471752 55100 0 3 0x4000082 thrsleep syz-fuzzer 55100 511667 5570 0 3 0x10008a sigsusp ksh 5570 465134 96901 0 3 0x9a kqread sshd 42702 105425 1 0 3 0x100083 ttyin getty 96901 11994 1 0 3 0x88 kqread sshd 44138 29388 6720 74 3 0x1100092 bpf pflogd 6720 169236 1 0 3 0x80 netio pflogd 83721 121549 86463 73 3 0x1100090 kqread syslogd 86463 488043 1 0 3 0x100082 netio syslogd 82854 32969 1 0 3 0x100080 kqread resolvd 85103 11625 71933 77 3 0x100092 kqread dhcpleased 95212 69601 71933 77 3 0x100092 kqread dhcpleased 71933 189669 1 0 3 0x80 kqread dhcpleased 22165 471508 0 0 3 0x14200 bored smr 7585 515721 0 0 2 0x14200 zerothread 27903 232184 0 0 3 0x14200 aiodoned aiodoned 60777 390481 0 0 3 0x14200 syncer update 70435 394109 0 0 3 0x14200 cleaner cleaner 10764 261148 0 0 3 0x14200 reaper reaper 61863 473416 0 0 3 0x14200 pgdaemon pagedaemon 47502 224152 0 0 3 0x14200 bored viomb 49093 214831 0 0 3 0x40014200 acpi0 acpi0 84477 54890 0 0 3 0x40014200 idle1 1818 37754 0 0 3 0x14200 bored softnet 31448 424451 0 0 3 0x14200 bored systqmp 56440 77170 0 0 3 0x14200 bored systq 31454 201598 0 0 3 0x40014200 bored softclock 70067 307528 0 0 3 0x40014200 idle0 1 279642 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 44112 (syz-executor.6) thread 0xffff8000ffff2d28 (116976) exclusive rwlock pf_lock r = 0 (0xffffffff82969ae0) #0 witness_lock+0x44d #1 pfioctl+0x5dc5 sys/net/pf_ioctl.c:1608 #2 VOP_IOCTL+0x96 sys/kern/vfs_vops.c:264 #3 vn_ioctl+0xbc sys/kern/vfs_vnops.c:531 #4 sys_ioctl+0x4a2 #5 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #5 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #6 Xsyscall+0x128 exclusive rwlock netlock r = 0 (0xffffffff829045b0) #0 witness_lock+0x44d #1 pfioctl+0x38c8 sys/net/pf_ioctl.c:1608 #2 VOP_IOCTL+0x96 sys/kern/vfs_vops.c:264 #3 vn_ioctl+0xbc sys/kern/vfs_vnops.c:531 #4 sys_ioctl+0x4a2 #5 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #5 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #6 Xsyscall+0x128 exclusive rwlock pfioctl_rw r = 0 (0xffffffff82969b40) #0 witness_lock+0x44d #1 pfioctl+0x15e sys/net/pf_ioctl.c:1148 #2 VOP_IOCTL+0x96 sys/kern/vfs_vops.c:264 #3 vn_ioctl+0xbc sys/kern/vfs_vnops.c:531 #4 sys_ioctl+0x4a2 #5 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #5 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #6 Xsyscall+0x128 exclusive kernel_lock &kernel_lock r = 0 (0xffffffff829ca490) #0 witness_lock+0x44d #1 vn_ioctl+0x41 sys/kern/vfs_vnops.c:514 #2 sys_ioctl+0x4a2 #3 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #3 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #4 Xsyscall+0x128 Process 22239 (syz-executor.2) thread 0xffff80002e3bb510 (208102) exclusive rrwlock inode r = 0 (0xfffffd806816e1b0) #0 witness_lock+0x44d #1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310 #2 rrw_enter+0x8b sys/kern/kern_rwlock.c:461 #3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:534 #4 vn_lock+0x84 sys/kern/vfs_vnops.c:579 #5 vget+0x1d3 sys/kern/vfs_subr.c:678 #6 ufs_ihashget+0x121 sys/ufs/ufs/ufs_ihash.c:119 #7 ffs_vget+0x7c sys/ufs/ffs/ffs_vfsops.c:1318 #8 ufs_lookup+0x13ba sys/ufs/ufs/ufs_lookup.c:487 #9 VOP_LOOKUP+0x58 sys/kern/vfs_vops.c:85 #10 vfs_lookup+0x6e5 sys/kern/vfs_lookup.c:561 #11 namei+0x36a sys/kern/vfs_lookup.c:245 #12 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1850 #13 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #13 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #14 Xsyscall+0x128 exclusive rrwlock inode r = 0 (0xfffffd806c9c51b8) #0 witness_lock+0x44d #1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310 #2 rrw_enter+0x8b sys/kern/kern_rwlock.c:461 #3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:534 #4 vn_lock+0x84 sys/kern/vfs_vnops.c:579 #5 vfs_lookup+0xd1 sys/kern/vfs_lookup.c:413 #6 namei+0x36a sys/kern/vfs_lookup.c:245 #7 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1850 #8 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #8 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #9 Xsyscall+0x128 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10221 6578K 6968K 78643K 19499 0 pcb 13 16K 18K 78643K 949 0 rtable 250 10K 12K 78643K 1964 0 ifaddr 100 21K 22K 78643K 738 0 sysctl 3 1K 1K 78643K 5 0 counters 56 35K 35K 78643K 232 0 ioctlops 1 4K 4K 78643K 4214 0 iov 0 0K 32K 78643K 934 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 5 0 vnodes 1365 85K 86K 78643K 6843 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 5K 78643K 48 0 VM map 2 1K 1K 78643K 2 0 sem 12 1K 1K 78643K 840 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 12 41K 93K 78643K 6485 0 sigio 0 0K 0K 78643K 97 0 proc 70 87K 136K 78643K 1571 0 subproc 104 6K 6K 78643K 507 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 360 0 in_multi 103 6K 7K 78643K 613 0 ether_multi 1 0K 0K 78643K 76 0 mrt 1 0K 0K 78643K 52 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 253 1129K 1129K 78643K 253 0 exec 0 0K 2K 78643K 2046 0 pfkey data 0 0K 0K 78643K 4 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 273 91K 94K 78643K 40648 0 UVM aobj 57 7K 7K 78643K 61 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 370 0 NDP 14 0K 1K 78643K 184 0 temp 162 4772K 4844K 78643K 59169 0 kqueue 14 18K 24K 78643K 452 0 SYN cache 2 16K 16K 78643K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 22 0 0 1 0 1 1 0 8 0 rtpcb 120 526 0 523 8 7 1 3 0 8 0 rtentry 112 545 0 437 6 2 4 4 0 8 0 unpcb 136 3840 0 3825 60 51 9 9 0 8 8 syncache 296 35 0 35 9 8 1 1 0 8 1 sackhl 24 1 0 1 1 1 0 1 0 8 0 tcpqe 32 215 0 215 7 6 1 1 0 8 1 tcpcb 736 2251 0 2206 100 89 11 13 0 8 5 arp 120 90 0 71 1 0 1 1 0 8 0 inpcb 312 6324 0 6313 135 129 6 12 0 8 5 rttmr 72 14 0 14 3 3 0 1 0 8 0 nd6 48 127 0 99 1 0 1 1 0 8 0 pkpcb 40 14 0 14 4 4 0 1 0 8 0 kcovpl 48 39 0 31 1 0 1 1 0 8 0 ppxss 1248 20 0 20 7 6 1 1 0 8 1 pfstscr 40 145 0 145 3 3 0 1 0 8 0 pffrag 232 16 0 14 5 4 1 1 0 482 0 pffrnode 88 16 0 14 5 4 1 1 0 8 0 pffrent 40 46 0 44 5 4 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfrktable 1344 55 9 52 3 2 1 1 0 8 0 pftag 88 11 0 9 3 2 1 1 0 8 0 pfqueue 264 67 0 67 1 1 0 1 0 8 0 pfstitem 24 46 0 44 1 0 1 1 0 8 0 pfstkey 112 196 0 194 1 0 1 1 0 8 0 pfstate 320 120 0 118 2 1 1 2 0 8 0 pfrule 1360 244 0 229 4 2 2 2 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 2165 0 1684 52 21 31 31 0 8 0 art_table 32 2166 0 1684 4 0 4 4 0 8 0 art_node 16 532 0 437 1 0 1 1 0 8 0 sysvmsgpl 40 43 0 3 1 0 1 1 0 8 0 semupl 112 2 0 2 1 1 0 1 0 8 0 semapl 112 834 0 824 1 0 1 1 0 8 0 shmpl 112 58 0 4 2 0 2 2 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 11961 0 10510 92 0 92 92 0 8 0 ffsino 272 11961 0 10510 98 0 98 98 0 8 0 nchpl 144 20302 0 18664 63 0 63 63 0 8 0 uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0 vnodes 224 5926 0 0 349 0 349 349 0 8 0 namei 1024 82479 0 82479 7 6 1 2 0 8 1 percpumem 16 128 0 88 1 0 1 1 0 8 0 pfiaddrpl 120 26 0 25 3 2 1 1 0 8 0 scsiplug 72 16 0 16 5 5 0 1 0 8 0 scxspl 216 49372 0 49372 20 19 1 8 0 8 1 plimitpl 152 720 0 705 1 0 1 1 0 8 0 sigapl 424 6744 0 6702 8 2 6 8 0 8 0 futexpl 64 54269 0 54269 1 0 1 1 0 8 1 knotepl 120 766 0 0 17 2 15 17 0 8 0 kqueuepl 216 1705 0 1696 36 33 3 5 0 8 2 pipepl 336 814 0 785 18 15 3 8 0 8 0 fdescpl 496 6708 0 6683 6 2 4 5 0 8 0 filepl 152 55184 0 54936 143 125 18 22 0 8 7 lockfpl 104 2081 0 2078 6 5 1 2 0 8 0 lockfspl 48 551 0 548 1 0 1 1 0 8 0 sessionpl 144 55 0 38 1 0 1 1 0 8 0 pgrppl 48 66 0 49 1 0 1 1 0 8 0 ucredpl 96 16588 0 16576 1 0 1 1 0 8 0 zombiepl 144 6703 0 6702 4 3 1 1 0 8 0 processpl 1064 6744 0 6702 5 0 5 5 0 8 0 procpl 672 19160 0 19109 13 5 8 9 0 8 0 srpgc 96 56 0 56 15 14 1 1 0 8 1 sosppl 168 74 0 73 14 13 1 1 0 8 0 sockpl 480 10708 0 10679 348 336 12 34 0 8 7 mcl64k 65536 17 0 0 3 0 3 3 0 8 0 mcl16k 16384 17 0 0 3 1 2 3 0 8 0 mcl12k 12288 29 0 0 2 0 2 2 0 8 0 mcl9k 9216 21 0 0 2 0 2 2 0 8 0 mcl8k 8192 17 0 0 3 0 3 3 0 8 0 mcl4k 4096 37 0 0 3 1 2 3 0 8 0 mcl2k2 2112 6 0 0 1 0 1 1 0 8 0 mcl2k 2048 242 0 0 21 4 17 21 0 8 0 mtagpl 96 399 0 0 7 0 7 7 0 8 0 mbufpl 256 7300 0 0 434 0 434 434 0 8 0 bufpl 288 12362 0 6029 453 0 453 453 0 8 0 anonpl 24 1291956 0 1276408 188 69 119 141 0 186 0 amapchunkpl 152 115198 0 114590 51 18 33 40 0 158 0 amappl16 200 16094 0 15502 91 59 32 44 0 8 0 amappl15 192 1404 0 1401 1 0 1 1 0 8 0 amappl14 184 389 0 382 1 0 1 1 0 8 0 amappl13 176 1352 0 1349 1 0 1 1 0 8 0 amappl12 168 1079 0 1071 1 0 1 1 0 8 0 amappl11 160 761 0 741 1 0 1 1 0 8 0 amappl10 152 824 0 816 1 0 1 1 0 8 0 amappl9 144 910 0 906 1 0 1 1 0 8 0 amappl8 136 1626 0 1531 5 1 4 4 0 8 0 amappl7 128 648 0 635 1 0 1 1 0 8 0 amappl6 120 827 0 805 2 1 1 2 0 8 0 amappl5 112 5662 0 5646 1 0 1 1 0 8 0 amappl4 104 2371 0 2342 2 1 1 2 0 8 0 amappl3 96 21025 0 20987 2 0 2 2 0 8 0 amappl2 88 8972 0 8913 3 1 2 3 0 8 0 amappl1 80 160964 0 160404 20 5 15 20 0 8 0 amappl 88 39536 0 39378 6 1 5 5 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 60 0 4 2 0 2 2 0 8 0 uaddrrnd 24 6708 0 6683 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 6708 0 6683 1 0 1 1 0 8 0 vmmpekpl 168 55613 0 55560 3 0 3 3 0 8 0 vmmpepl 168 662655 0 660366 360 229 131 172 0 357 5 vmsppl 368 6707 0 6683 4 1 3 4 0 8 0 rwobjpl 56 166783 0 159221 119 9 110 112 0 8 0 pdppl 4096 13423 0 13366 569 500 69 83 0 8 12 pvpl 32 2609591 0 2589594 381 190 191 243 0 265 0 pmappl 248 6707 0 6683 3 1 2 3 0 8 0 extentpl 40 58 0 38 1 0 1 1 0 8 0 phpool 112 2006 0 771 36 0 36 36 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace pf_anchor_global_RB_REMOVE(ffffffff829d8728,ffff800000cf3800) at pf_anchor_global_RB_REMOVE+0x58 sys/net/pf_ruleset.c:84 pf_remove_if_empty_ruleset(ffff800000cf3c90) at pf_remove_if_empty_ruleset+0xdd sys/net/pf_ruleset.c:300 pfi_dynaddr_setup(ffff800000d58580,0) at pfi_dynaddr_setup+0x411 sys/net/pf_if.c:485 pfioctl(4900,cd60441a,ffff800000bec000,2,ffff8000ffff2d28) at pfioctl+0x8c8a pf_addr_setup sys/net/pf_ioctl.c:894 [inline] pfioctl(4900,cd60441a,ffff800000bec000,2,ffff8000ffff2d28) at pfioctl+0x8c8a sys/net/pf_ioctl.c:1650 VOP_IOCTL(fffffd806f685aa8,cd60441a,ffff800000bec000,2,fffffd807f7d8660,ffff8000ffff2d28) at VOP_IOCTL+0x96 sys/kern/vfs_vops.c:264 vn_ioctl(fffffd80659bf4d0,cd60441a,ffff800000bec000,ffff8000ffff2d28) at vn_ioctl+0xbc sys/kern/vfs_vnops.c:531 sys_ioctl(ffff8000ffff2d28,ffff80002e3750c8,ffff80002e375120) at sys_ioctl+0x4a2 syscall(ffff80002e375190) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff80002e375190) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x923591cce50, count: -9 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp ddb{1}> trace x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 end of kernel end trace frame: 0x7f7ffffde5d0, count: -3