panic: Bad list head 0xfffffe0007fb4b98 first->prev != head
cpuid = 0
time = 9
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe0057280450
kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe00572805b0
vpanic() at vpanic+0x257/frame 0xfffffe0057280770
panic() at panic+0xb5/frame 0xfffffe0057280830
callout_cc_add() at callout_cc_add+0x32b/frame 0xfffffe0057280890
callout_reset_sbt_on() at callout_reset_sbt_on+0x72d/frame 0xfffffe00572809b0
igmp_fasttimo() at igmp_fasttimo+0x1dbb/frame 0xfffffe0057280cd0
softclock_call_cc() at softclock_call_cc+0x422/frame 0xfffffe0057280e80
softclock_thread() at softclock_thread+0x200/frame 0xfffffe0057280ef0
fork_exit() at fork_exit+0xcc/frame 0xfffffe0057280f30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0057280f30
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
[ thread pid 2 tid 100031 ]
Stopped at kdb_enter+0x6e: movq $0,0x23e7cb7(%rip)
db>
db> set $lines = 0
db> set $maxwidth = 0
db> show registers
cs 0x20
ds 0x3b
es 0x3b
fs 0x13
gs 0x1b
ss 0x28
rax 0x12
rcx 0xfffffe00033eee30
rdx 0
rbx 0xffffffff827575a0 .str.27
rsp 0xfffffe0057280590
rbp 0xfffffe00572805b0
rsi 0
rdi 0xffffffff815dca59 printf+0x149
r8 0
r9 0xffffffff
r10 0x40afbd850b765e81
r11 0x17
r12 0xfffffe0008018740
r13 0xfffffffffffffffe
r14 0xffffffff827575a0 .str.27
r15 0
rip 0xffffffff815c73de kdb_enter+0x6e
rflags 0x46
kdb_enter+0x6e: movq $0,0x23e7cb7(%rip)
db> show proc
Process 2 (clock) at 0xfffffe0008006020:
state: NORMAL
uid: 0 gids: 0
parent: pid 0 at 0xffffffff839397c0
ABI: null
flag: 0x10000284 flag2: 0
reaper: 0xffffffff839397c0 reapsubtree: 2
sigparent: 20
vmspace: 0xffffffff8393a760
(map 0xffffffff8393a760)
(map.pmap 0xffffffff8393a800)
(pmap 0xffffffff8393a870)
threads: 2
100031 Run CPU 0 [clock (0)]
100032 I [clock (1)]
db> ps
pid ppid pgrp uid state wmesg wchan cmd
1074 1074 0 0 N syz-executor
1073 1072 766 0 RV syz-executor
1072 1071 766 0 DV ppwait 0xfffffe005497bac0 syz-executor
1071
1070 766 0 DV ppwait 0xfffffe0054978500 syz-executor
1070 1069 766 0 DV ppwait 0xfffffe0054978a60 syz-executor
1069 1068 766 0 DV ppwait 0xfffffe005497c500 syz-executor
1068 1067 766 0 DV ppwait 0xfffffe0054978fc0 syz-executor
1067 1066 766 0 DV ppwait 0xfffffe0054979520 syz-executor
1066 1065 766 0 DV ppwait 0xfffffe0054960ac0 syz-executor
1065 1064 766 0 DV ppwait 0xfffffe005496c500 syz-executor
1064 766 766 0 T (threaded) syz-executor
100422 s syz-executor
100447 D ppwait 0xfffffe005496ca60 syz-executor
100453 s syz-executor
1063 767 767 0 R (threaded) syz-executor
100099 RunQ syz-executor
100445 Run CPU 1 syz-executor
100450 S uwait 0xfffffe0077d72300 syz-executor
100452 S uwait 0xfffffe006e401580 syz-executor
1062 765 765 0 T (threaded) syz-executor
100104 s syz-executor
100444 RunQ syz-executor
100446 s syz-executor
100448 s syz-executor
100449 s syz-executor
100451 s syz-executor
100459 s syz-executor
1061 1060 764 0 SV uwait 0xfffffe007862b300 syz-executor
1060 764 764 0 T (threaded) syz-executor
100420 s syz-executor
100442 D ppwait 0xfffffe005496cfc0 syz-executor
1056 1 765 0 S uwait 0xfffffe0059e90980 syz-executor
1051 1 766 0 S uwait 0xfffffe0077d72200 syz-executor
1048 1047 767 0 SV uwait 0xfffffe0077d72000 syz-executor
1047 1046 767 0 DV ppwait 0xfffffe005496dfe0 syz-executor
1046 1045 767 0 DV ppwait 0xfffffe005496e540 syz-executor
1045 1044 767 0 DV ppwait 0xfffffe005495dfc0 syz-executor
1044 1043 767 0 DV ppwait 0xfffffe005495e520 syz-executor
1043 1042 767 0 DV ppwait 0xfffffe005495ea80 syz-executor
1042 1041 767 0 DV ppwait 0xfffffe005495efe0 syz-executor
1041 1040 767 0 DV ppwait 0xfffffe005495f540 syz-executor
1040 1039 767 0 DV ppwait 0xfffffe005495faa0 syz-executor
1039 1037 767 0 DV ppwait 0xfffffe0054960000 syz-executor
1037 1036 767 0 DV ppwait 0xfffffe0054960560 syz-executor
1036 1035 767 0 DV ppwait 0xfffffe0054936520 syz-executor
1035 1034 767 0 DV ppwait 0xfffffe0054936a80 syz-executor
1034 1033 767 0 DV ppwait 0xfffffe0054936fe0
syz-executor
1033 1032 767 0 DV ppwait 0xfffffe0054937540 syz-executor
1032 1031 767 0 DV ppwait 0xfffffe0054937aa0 syz-executor
1031 1030 767 0 DV ppwait 0xfffffe0054938000 syz-executor
1030 1029 767 0 DV ppwait 0xfffffe0054938560 syz-executor
1029 1028 767 0 DV ppwait 0xfffffe0054805ac0 syz-executor
1028 1027 767 0 DV ppwait 0xfffffe0008024a60 syz-executor
1027 1026 767 0 DV ppwait 0xfffffe0054954540 syz-executor
1026 1025 767 0 DV ppwait 0xfffffe0054954aa0 syz-executor
1025 1024 767 0 DV ppwait 0xfffffe0054955000 syz-executor
1024 1023 767 0 DV ppwait 0xfffffe0054955560 syz-executor
1023 1021 767 0 DV ppwait 0xfffffe0054955ac0 syz-executor
1022 1 767 0 SV uwait 0xfffffe0077d72e80 syz-executor
1021 1020 767 0 DV ppwait 0xfffffe005495d500 syz-executor
1020 1019 767 0 DV ppwait 0xfffffe0054951000 syz-executor
1019 1018 767 0 DV ppwait 0xfffffe0054951560 syz-executor
1018 1017 767 0 DV ppwait 0xfffffe005490cfc0 syz-executor
1017 1016 767 0 DV ppwait 0xfffffe0054951ac0 syz-executor
1016 1015 767 0 DV ppwait 0xfffffe0054805000 syz-executor
1015 1014 767 0 DV ppwait 0xfffffe00548dd560 syz-executor
1014 1012 767 0 DV ppwait 0xfffffe0054952500 syz-executor
1012 1011 767 0 DV ppwait 0xfffffe0054952a60 syz-executor
1011 1010 767 0 DV ppwait 0xfffffe0054952fc0 syz-executor
1010 1009 767 0 DV ppwait 0xfffffe0054953520 syz-executor
1009 1008 767 0 DV ppwait 0xfffffe0054953a80 syz-executor
1008 1007 767 0 DV ppwait 0xfffffe005494e500 syz-executor
1007 1006 767 0 DV ppwait 0xfffffe005494ea60 syz-executor
1006 1005 767 0 DV ppwait 0xfffffe005494efc0 syz-executor
1005 1004 767 0 DV ppwait 0xfffffe005494f520 syz-executor
1004 1003 767 0 DV ppwait 0xfffffe005494fa80 syz-executor
1003 1002 767 0 DV ppwait 0xfffffe005494ffe0 syz-executor
1002 1001 767 0 DV ppwait 0xfffffe0054950540 syz-executor
1001 1000 767 0 DV ppwait 0xfffffe0054950aa0 syz-executor
1000 999 767 0 DV ppwait 0xfffffe005490f560 syz-executor
999 998 767 0 DV ppwait 0xfffffe005490fac0 syz-executor
998 997 767 0 DV
ppwait 0xfffffe005492f500 syz-executor
997 996 767 0 DV ppwait 0xfffffe005492fa60 syz-executor
996 995 767 0 DV ppwait 0xfffffe005492ffc0 syz-executor
995 994 767 0 DV ppwait 0xfffffe0054930a80 syz-executor
994 993 767 0 DV ppwait 0xfffffe005490f000 syz-executor
993 992 767 0 DV ppwait 0xfffffe0054935fc0 syz-executor
992 991 767 0 DV ppwait 0xfffffe00548e7fe0 syz-executor
991 990 767 0 DV ppwait 0xfffffe005490ca60 syz-executor
990 989 767 0 DV ppwait 0xfffffe0054935a60 syz-executor
989 988 767 0 DV ppwait 0xfffffe0054935500 syz-executor
988 987 767 0 DV ppwait 0xfffffe00548e7a80 syz-executor
987 986 767 0 DV ppwait 0xfffffe00548dd000 syz-executor
986 985 767 0 DV ppwait 0xfffffe00548e8540 syz-executor
985 984 767 0 DV ppwait 0xfffffe005490d520 syz-executor
984 983 767 0 DV ppwait 0xfffffe00548e9000 syz-executor
983 982 767 0 DV ppwait 0xfffffe00548e8aa0 syz-executor
982 981 767 0 DV ppwait 0xfffffe0008024fc0 syz-executor
981 1 767 0 DV ppwait 0xfffffe0008008560 syz-executor
980 1 764 0 S uwait 0xfffffe006e401300 syz-executor
979 1 764 0 S uwait 0xfffffe006e403700 syz-executor
972 1 765 60928 SV uwait 0xfffffe0059bfdf00 syz-executor
968 1 968 0 Ss+ ttyin 0xfffffe0058dd30b0 getty
967 1 967 0 Ss+ ttyin 0xfffffe0058dd28b0 getty
966 1 966 0 Ss+ ttyin 0xfffffe0058dd1cb0 getty
964 1 964 0 Ss+ ttyin 0xfffffe0058dd2cb0 getty
963 1 963 0 Ss+ ttyin 0xfffffe0058dd14b0 getty
962 1 962 0 Ss+ ttyin 0xfffffe0058dd20b0 getty
961 1 961 0 Ss+ ttyin 0xfffffe0058dd24b0 getty
960 1 960 0 Ss+ ttyin 0xfffffe0058dd18b0 getty
959 1 959 0 Ss+ ttyin 0xfffffe0007ff98b0 getty
947 1 765 0 SV uwait 0xfffffe006e401980 syz-executor
943 1 766 0 S uwait 0xfffffe006e401400 syz-executor
941 1 766 0 S uwait 0xfffffe0059e8fe00 syz-executor
934 0 0 0 DL mdwait 0xfffffe0077ed6000 [md0]
906 0 0 0 DL - 0xffffffff83aa0300 [soaiod4]
905 0 0 0 DL - 0xffffffff83aa0300 [soaiod3]
904 0 0 0 DL - 0xffffffff83aa0300 [soaiod2]
903 0 0 0 DL - 0xffffffff83aa0300 [soaiod1]
884 1 764 0 S uwait 0xfffffe0059e8ef00
syz-executor
883 1 764 0 S uwait 0xfffffe006e401000 syz-executor
876 0 0 0 DL - 0xffffffff8393ac20 [accounting]
873 0 0 0 DL (threaded) [KTLS]
100219 D - 0xfffffe006e627000 [thr_0]
100220 D - 0xfffffe006e627080 [thr_1]
100221 D - 0xffffffff83aa1b28 [reclaim_0]
824 0 0 0 DL aiordy 0xfffffe00548e9060 [aiod4]
823 0 0 0 DL aiordy 0xfffffe005490d580 [aiod3]
822 0 0 0 DL aiordy 0xfffffe005490dae0 [aiod2]
821 0 0 0 DL aiordy 0xfffffe00548e95c0 [aiod1]
819 0 0 0 DL (threaded) [so_splice]
100131 D - 0xfffffe0007e87000 [thr_0]
100132 D - 0xfffffe0007e87040 [thr_1]
767 763 767 0 S nanslp 0xffffffff83990401 syz-executor
766 763 766 0 S nanslp 0xffffffff83990400 syz-executor
765 763 765 0 S nanslp 0xffffffff83990401 syz-executor
764 763 764 0 S nanslp 0xffffffff83990401 syz-executor
763 761 761 0 S select 0xfffffe006e403340 syz-executor
761 1 761 0 Ss pause 0xfffffe00548e60b0 csh
17 0 0 0 DL syncer 0xffffffff83aadca0 [syncer]
16 0 0 0 DL vlruwt 0xfffffe0008026040 [vnlru]
15 0 0 0 DL (threaded) [bufdaemon]
100080 D psleep 0xffffffff83aac260 [bufdaemon]
100081 D - 0xffffffff82e02140 [bufspacedaemon-0]
100095 D sdflush 0xfffffe0059ed28e8 [/ worker]
9 0 0 0 DL psleep 0xffffffff83af7280 [vmdaemon]
8 0 0 0 DL (threaded) [pagedaemon]
100078 D psleep 0xffffffff83add1f8 [dom0]
100082 D launds 0xffffffff83add204 [laundry: dom0]
100083 D umarcl 0xffffffff81d8bd90 [uma]
7 0 0 0 DL - 0xffffffff8370dbd0 [rand_harvestq]
6 0 0 0 DL pftm 0xffffffff841a7710 [pf purge]
5 0 0 0 DL waiting 0xffffffff84653580 [sctp_iterator]
4 0 0 0 DL (threaded) [cam]
100046 D - 0xffffffff836d8340 [doneq0]
100047 D - 0xffffffff836d82c0 [async]
100076 D - 0xffffffff836d8140 [scanner]
3 0 0 0 DL (threaded) [crypto]
100043 D crypto_ 0xffffffff83ad8a00 [crypto]
100044 D crypto_ 0xfffffe0058570030 [crypto returns 0]
100045 D crypto_ 0xfffffe0058570080 [crypto returns 1]
14 0 0 0 DL seqstat 0xfffffe00547f8088 [sequencer 00]
13 0 0 0 DL (threaded) [geom]
100037 D - 0xffffffff83938de0 [g_event]
100038 D -
0xffffffff83938e00 [g_up]
100039 D - 0xffffffff83938e20 [g_down]
2 0 0 0 RL (threaded) [clock]
100031 Run CPU 0 [clock (0)]
100032 I [clock (1)]
12 0 0 0 WL (threaded) [intr]
100013 I [swi6: task queue]
100014 I [swi6: Giant taskq]
100016 I [swi5: fast taskq]
100033 I [swi1: netisr 0]
100034 I [swi1: hpts]
100035 I [swi1: hpts]
100048 I [irq24: virtio_pci0]
100049 I [irq25: virtio_pci0]
100050 I [irq26: virtio_pci0]
100051 I [irq27: virtio_pci0]
100052 I [irq28: virtio_pci1]
100053 I [irq29: virtio_pci1]
100054 I [irq30: virtio_pci1]
100055 I [irq31: virtio_pci1]
100056 I [irq32: virtio_pci1]
100061 I [irq10: virtio_pci2]
100063 I [irq1: atkbd0]
100064 I [irq12: psm0]
100065 I [swi0: uart uart++]
100069 I [swi1: pf send]
11 0 0 0 RL (threaded) [idle]
100003 CanRun [idle: cpu0]
100004 CanRun [idle: cpu1]
1 0 1 0 SLs wait 0xfffffe0008007040 [init]
10 0 0 0 DL audit_w 0xffffffff83ad94a0 [audit]
0 0 0 0 DLs (threaded) [kernel]
100000 D parked 0xffffffff84a16ff0 [swapper]
100005 D - 0xfffffe0008bf9d00 [softirq_0]
100006 D - 0xfffffe0008bf9c00 [softirq_1]
100007 D - 0xfffffe0008bf9b00 [if_io_tqg_0]
100008 D - 0xfffffe0008bf9a00 [if_io_tqg_1]
100009 D - 0xfffffe0008bf9900 [if_config_tqg_0]
100010 D - 0xfffffe0008bf9800 [kqueue_ctx taskq]
100011 D - 0xfffffe0008bf9700 [jail_remove taskq]
100012 D - 0xfffffe0008bf9600 [bus taskq]
100015 D - 0xfffffe0008bf9300 [thread taskq]
100017 D - 0xfffffe0008bf9100 [aiod_kick taskq]
100018 D - 0xfffffe0008bf9000 [deferred_unmount ta]
100019 D - 0xfffffe0008bf8e00 [inm_free taskq]
100020 D - 0xfffffe0008bf8d00 [in6m_free taskq]
100021 D - 0xfffffe0008bf8c00 [linuxkpi_irq_wq]
100022 D - 0xfffffe0008bf8b00 [linuxkpi_short_wq_0]
100023 D - 0xfffffe0008bf8b00 [linuxkpi_short_wq_1]
100024 D - 0xfffffe0008bf8b00 [linuxkpi_short_wq_2]
100025 D - 0xfffffe0008bf8b00 [linuxkpi_short_wq_3]
100026 D - 0xfffffe0008bf8a00 [linuxkpi_long_wq_0]
100027 D - 0xfffffe0008bf8a00 [linuxkpi_long_wq_1]
100028 D - 0xfffffe0008bf8a00 [linuxkpi_long_wq_2]
100029
D - 0xfffffe0008bf8a00 [linuxkpi_long_wq_3]
100036 D - 0xfffffe0008bf8900 [firmware taskq]
100041 D - 0xfffffe0008bf8600 [crypto_0]
100042 D - 0xfffffe0008bf8600 [crypto_1]
100057 D - 0xfffffe0008bf8400 [vtnet0 rxq 0]
100058 D - 0xfffffe0008bf8300 [vtnet0 txq 0]
100059 D - 0xfffffe0008bf8200 [vtnet0 rxq 1]
100060 D - 0xfffffe0008bf8100 [vtnet0 txq 1]
100062 D vtbslp 0xfffffe0058589700 [virtio_balloon]
100066 D - 0xffffffff8275c8e1 [deadlkres]
100070 D - 0xfffffe0058f5bb00 [acpi_task_0]
100071 D - 0xfffffe0058f5bb00 [acpi_task_1]
100072 D - 0xfffffe0058f5bb00 [acpi_task_2]
100074 D - 0xfffffe0008bfa100 [mca taskq]
100075 D - 0xfffffe0008bf8500 [CAM taskq]
100077 D - 0xfffffe0058f5ba00 [ipsec_offload]
db> show all locks
Process 1073 (syz-executor) thread 0xfffffe0054974000 (100463)
shared sx killpg racer (killpg racer) r = 0 (0xfffffe00548d1508) locked @ /syzkaller/managers/main/kernel/sys/kern/kern_fork.c:976
Process 1062 (syz-executor) thread 0xfffffe0054971000 (100444)
exclusive lockmgr bufwait (bufwait) r = 0 (0xfffffe000850ba88) locked @ /syzkaller/managers/main/kernel/sys/kern/vfs_bio.c:1752
exclusive lockmgr bufwait (bufwait) r = 0 (0xfffffe0008509478) locked @ /syzkaller/managers/main/kernel/sys/kern/vfs_bio.c:4023
exclusive lockmgr ufs (ufs) r = 0 (0xfffffe005a097228) locked @ /syzkaller/managers/main/kernel/sys/kern/vfs_vnops.c:1240
db> show malloc
Type InUse MemUse Requests
pf_hash 6 12804K 6
linker 376 5023K 583
tcp_hpts 7 4801K 7
devbuf 4188 4324K 4214
sysctloid 35301 2080K 35376
vtbuf 24 1968K 46
filedesc 187 1495K 491
kobj 330 1320K 505
newblk 282 1095K 2594
vfscache 3 1025K 3
pcb 40 687K 461
subproc 290 599K 1237
inodedep 30 523K 408
ufs_quota 1 512K 1
vfs_hash 1 512K 1
callout 2 512K 2
intr 4 472K 4
vnet_data 2 224K 2
acpitask 1 224K 1
KTRACE 100 200K 24403
acpica 1674 184K 54414
vmem 5 146K 8
tidhash 3 141K 3
pagedep 21 133K 182
tfo_ccache 1 128K 1
IP reass 1 128K 1
DEVFS1 110 110K 127
sem 4 106