login: panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet6/ip6_output.c:409
cpuid = 1
time = 1582081559
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe0024c1cf70
vpanic() at vpanic+0x1ce/frame 0xfffffe0024c1cfe0
panic() at panic+0x43/frame 0xfffffe0024c1d040
ip6_output() at ip6_output+0x3a9a/frame 0xfffffe0024c1d320
sctp_lowlevel_chunk_output() at sctp_lowlevel_chunk_output+0x18ea/frame 0xfffffe0024c1d470
sctp_send_initiate() at sctp_send_initiate+0xa53/frame 0xfffffe0024c1d570
sctp_lower_sosend() at sctp_lower_sosend+0x3f73/frame 0xfffffe0024c1d780
sctp_sosend() at sctp_sosend+0x4fe/frame 0xfffffe0024c1d8b0
sosend() at sosend+0xc6/frame 0xfffffe0024c1d920
kern_sendit() at kern_sendit+0x32d/frame 0xfffffe0024c1d9d0
freebsd32_sendmsg() at freebsd32_sendmsg+0x256/frame 0xfffffe0024c1dab0
ia32_syscall() at ia32_syscall+0x2cf/frame 0xfffffe0024c1dbf0
int0x80_syscall_common() at int0x80_syscall_common+0x9c/frame 0x8142fc9
KDB: enter: panic
[ thread pid 798 tid 100093 ]
Stopped at kdb_enter+0x67: movq $0,0x1464f96(%rip)
db>
db> set $lines = 0
db> set $maxwidth = 0
db> show registers
cs 0x20
ds 0x3b ll+0x1a
es 0x3b ll+0x1a
fs 0x13
gs 0x1b
ss 0
rax 0x12
rcx 0x80 ll+0x5f
rdx 0xffffffff818f4ce4
rbx 0
rsp 0xfffffe0024c1cf50
rbp 0xfffffe0024c1cf70
rsi 0x1
rdi 0
r8 0
r9 0xffffffff
r10 0xa0b6 ll+0xa095
r11 0xfffffe0024957c00
r12 0xffffffff82068f00 ddb_dbbe
r13 0
r14 0xffffffff8193ce0b
r15 0xffffffff8193ce0b
rip 0xffffffff810b2127 kdb_enter+0x67
rflags 0x200082 kernphys+0x82
kdb_enter+0x67: movq $0,0x1464f96(%rip)
db> show proc
Process 798 (syz-executor.0) at 0xfffff8003a128a60:
state: NORMAL
uid: 0 gids: 0, 0, 5
parent: pid 773 at 0xfffff8003a2ce530
ABI: FreeBSD ELF32
arguments: /root/syz-executor.0
reaper: 0xfffff800032d3000 reapsubtree: 1
sigparent: 20
vmspace: 0xfffffe002498f9e8
(map 0xfffffe002498f9e8)
(map.pmap 0xfffffe002498faa8)
(pmap 0xfffffe002498fb08)
threads: 1
100093 Run CPU 1 
syz-executor.0 db> ps pid ppid pgrp uid state wmesg wchan cmd 799 797 422 0 R dhclient 798 773 773 0 R CPU 1 syz-executor.0 797 796 422 0 S select 0xfffff800039d1dc0 dhclient 796 795 422 0 R dhclient 795 788 422 0 R CPU 0 dhclient 788 422 422 0 S wait 0xfffff8003a2d0530 sh 773 771 773 0 Ss nanslp 0xffffffff824ffcc1 syz-executor.0 771 769 769 0 S (threaded) syz-execprog 100104 S uwait 0xfffff800039b5880 syz-execprog 100105 S uwait 0xfffff800039b5180 syz-execprog 100106 S uwait 0xfffff800039b5280 syz-execprog 100107 S uwait 0xfffff800039b5380 syz-execprog 100108 S kqread 0xfffff80003aaca00 syz-execprog 100109 S uwait 0xfffff800039b5b80 syz-execprog 100111 S uwait 0xfffff800039b5d80 syz-execprog 100112 S uwait 0xfffff800039b2c80 syz-execprog 100113 S uwait 0xfffff800039b2d80 syz-execprog 769 767 769 0 Ss pause 0xfffff8003a2cd0a8 csh 767 680 767 0 Ss select 0xfffff8000352a1c0 sshd 746 1 746 0 Ss+ ttyin 0xfffff800033a78b0 getty 745 1 745 0 Ss+ ttyin 0xfffff80003a920b0 getty 744 1 744 0 Ss+ ttyin 0xfffff80003a924b0 getty 743 1 743 0 Ss+ ttyin 0xfffff80003a928b0 getty 742 1 742 0 Ss+ ttyin 0xfffff80003a92cb0 getty 741 1 741 0 Ss+ ttyin 0xfffff80003a950b0 getty 740 1 740 0 Ss+ ttyin 0xfffff80003a954b0 getty 739 1 739 0 Ss+ ttyin 0xfffff80003a958b0 getty 738 1 738 0 Ss+ ttyin 0xfffff80003a95cb0 getty 736 1 22 0 S+ piperd 0xfffff80003bf78e8 logger 735 734 22 0 S+ nanslp 0xffffffff824ffcc0 sleep 734 1 22 0 S+ wait 0xfffff80003c96000 sh 684 1 684 0 Ss nanslp 0xffffffff824ffcc1 cron 680 1 680 0 Ss select 0xfffff800039d1e40 sshd 493 1 493 0 Ss select 0xfffff8000352a5c0 syslogd 422 1 422 0 Ss wait 0xfffff8003a192530 devd 421 1 421 65 Ss select 0xfffff800039d1b40 dhclient 336 1 336 0 Ss select 0xfffff800039d1d40 dhclient 333 1 333 0 Ss select 0xfffff800039d1cc0 dhclient 21 0 0 0 DL syncer 0xffffffff825d6158 [syncer] 20 0 0 0 DL vlruwt 0xfffff80003a62000 [vnlru] 19 0 0 0 DL (threaded) [bufdaemon] 100065 D qsleep 0xffffffff825d5658 [bufdaemon] 100066 D - 0xffffffff8200a980 
[bufspacedaemon-0] 100077 D sdflush 0xfffff800033a48e8 [/ worker] 18 0 0 0 DL psleep 0xffffffff825f10c8 [vmdaemon] 17 0 0 0 DL (threaded) [pagedaemon] 100063 D psleep 0xffffffff8261cfd8 [dom0] 100069 D launds 0xffffffff8261cfe4 [laundry: dom0] 100070 D umarcl 0xffffffff81542420 [uma] 16 0 0 0 DL - 0xffffffff8235a530 [rand_harvestq] 15 0 0 0 DL waiting 0xffffffff826625a0 [sctp_iterator] 9 0 0 0 DL - 0xffffffff825d505c [soaiod4] 8 0 0 0 DL - 0xffffffff825d505c [soaiod3] 7 0 0 0 DL - 0xffffffff825d505c [soaiod2] 6 0 0 0 DL - 0xffffffff825d505c [soaiod1] 5 0 0 0 DL (threaded) [cam] 100031 D - 0xffffffff82235940 [doneq0] 100062 D - 0xffffffff82235808 [scanner] 4 0 0 0 DL crypto_ 0xfffff800033aa190 [crypto returns 1] 3 0 0 0 DL crypto_ 0xfffff800033aa130 [crypto returns 0] 2 0 0 0 DL crypto_ 0xffffffff825eb138 [crypto] 14 0 0 0 DL seqstat 0xfffff80003321888 [sequencer 00] 13 0 0 0 DL (threaded) [geom] 100022 D - 0xffffffff8261b608 [g_event] 100023 D - 0xffffffff8261b618 [g_up] 100024 D - 0xffffffff8261b610 [g_down] 12 0 0 0 WL (threaded) [intr] 100005 I [swi5: fast taskq] 100009 I [swi6: task queue] 100010 I [swi6: Giant taskq] 100017 I [swi3: vm] 100018 I [swi1: netisr 0] 100019 I [swi4: clock (0)] 100020 I [swi4: clock (1)] 100032 I [irq24: virtio_pci0] 100033 I [irq25: virtio_pci0] 100034 I [irq26: virtio_pci0] 100035 I [irq27: virtio_pci0] 100036 I [irq28: virtio_pci1] 100037 I [irq29: virtio_pci1] 100038 I [irq30: virtio_pci1] 100039 I [irq31: virtio_pci1] 100040 I [irq32: virtio_pci1] 100045 I [irq10: virtio_pci2] 100047 I [irq1: atkbd0] 100048 I [irq12: psm0] 100049 I [swi0: uart uart++] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffff800032d3000 [init] 10 0 0 0 DL audit_w 0xffffffff82663230 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D swapin 0xffffffff8260ac48 [swapper] 100006 D - 0xfffff800031c5e00 [config_0] 100007 D - 0xfffff800031cce00 [kqueue_ctx taskq] 100008 D - 0xfffff800031ccd00 [aiod_kick 
taskq] 100011 D - 0xfffff800031cca00 [thread taskq] 100012 D - 0xfffff800031c5d00 [softirq_0] 100013 D - 0xfffff800031c5c00 [softirq_1] 100014 D - 0xfffff800031c5b00 [if_io_tqg_0] 100015 D - 0xfffff800031c5a00 [if_io_tqg_1] 100016 D - 0xfffff800031c5900 [if_config_tqg_0] 100021 D - 0xfffff800031cc900 [firmware taskq] 100026 D - 0xfffff800031cc800 [crypto_0] 100027 D - 0xfffff800031cc800 [crypto_1] 100041 D - 0xfffff800031cc600 [vtnet0 rxq 0] 100042 D - 0xfffff800031cc500 [vtnet0 txq 0] 100043 D - 0xfffff800031cc400 [vtnet0 rxq 1] 100044 D - 0xfffff800031cc300 [vtnet0 txq 1] 100046 D vtbslp 0xfffff80003542d80 [virtio_balloon] 100050 D - 0xfffff800031cc200 [mca taskq] 100055 D - 0xffffffff81ce0c30 [deadlkres] 100057 D - 0xfffff80003a82a00 [acpi_task_0] 100058 D - 0xfffff80003a82a00 [acpi_task_1] 100059 D - 0xfffff80003a82a00 [acpi_task_2] 100061 D - 0xfffff800031cc700 [CAM taskq] db> show all locks Process 799 (dhclient) thread 0xfffffe0004cd6500 (100074) exclusive sx so_rcv_sx (so_rcv_sx) r = 0 (0xfffffe0004dda500) locked @ /syzkaller/managers/i386/kernel/sys/kern/uipc_sockbuf.c:393 Process 798 (syz-executor.0) thread 0xfffffe0024957700 (100093) exclusive sleep mutex sctp-tcb (tcb) r = 0 (0xfffffe0024a3e380) locked @ /syzkaller/managers/i386/kernel/sys/netinet/sctp_output.c:13643 db> show malloc Type InUse MemUse Requests devbuf 4213 4851K 4238 vtbuf 24 1968K 46 sysctloid 26636 1559K 26700 kobj 332 1328K 488 newblk 368 1116K 410 vfscache 4 1025K 4 pcb 23 539K 79 inodedep 54 539K 77 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 388K 4 subproc 109 233K 858 acpica 1674 185K 50140 vnet_data 1 168K 1 pagedep 17 132K 21 tfo_ccache 1 128K 1 sem 4 106K 4 DEVFS1 102 102K 113 linker 222 89K 244 bus 964 78K 3311 mtx_pool 2 72K 2 syncache 1 68K 1 acpitask 1 64K 1 ddb_capture 1 64K 1 module 494 62K 494 filedesc 5 37K 17 gtaskqueue 22 34K 22 hostcache 1 32K 1 shm 1 32K 1 umtx 252 32K 252 kdtrace 160 31K 1658 DEVFS3 121 31K 131 msg 4 30K 4 DEVFS_RULE 56 27K 56 vmem 
3 22K 4 kbdmux 6 22K 6 BPF 11 18K 11 temp 22 17K 1656 ufs_mount 3 17K 4 proc 3 17K 3 tty 16 16K 16 tidhash 1 16K 1 ifaddr 40 15K 42 ithread 89 15K 89 bus-sc 30 14K 1397 KTRACE 100 13K 100 kenv 95 12K 99 eventhandler 122 11K 122 pfs_nodes 20 10K 20 GEOM 60 10K 487 rman 82 10K 423 bmsafemap 3 9K 45 devstat 4 9K 4 UART 12 9K 12 rpc 2 8K 2 shmfd 1 8K 1 pfs_vncache 1 8K 1 audit_evclass 231 8K 289 lltable 20 7K 20 cred 27 7K 234 ifnet 4 7K 4 CAM DEV 3 6K 510 ether_multi 73 6K 78 routetbl 36 6K 40 vt 11 6K 11 kqueue 53 6K 804 sglist 5 6K 5 CAM queue 5 6K 1528 in6_multi 41 5K 41 plimit 19 5K 344 ufs_dirhash 24 5K 24 taskqueue 42 5K 42 dirrem 17 5K 28 memdesc 1 4K 1 MCA 32 4K 32 evdev 4 4K 4 diradd 31 4K 42 UMA 235 4K 235 hhook 13 4K 13 acpisem 22 3K 22 terminal 11 3K 11 select 21 3K 21 session 21 3K 32 pgrp 21 3K 32 uidinfo 4 3K 4 proc-args 43 3K 504 local_apic 1 2K 1 io_apic 1 2K 1 ipsec-saq 2 2K 2 CAM XPT 22 2K 543 lockf 15 2K 22 Unitno 25 2K 39 ip6ndp 8 2K 9 acpidev 20 2K 20 mkdir 10 2K 22 crypto 2 2K 2 msi 9 2K 9 softdep 1 1K 1 indirdep 4 1K 4 ipsecpolicy 1 1K 1 sahead 1 1K 1 secasvar 1 1K 1 sctp_ifa 8 1K 8 sctp_atcl 2 1K 2 sctp_stro 1 1K 1 clone 8 1K 8 vnodemarker 2 1K 6 NFSD session 1 1K 1 CAM periph 4 1K 271 newdirblk 7 1K 11 in_multi 3 1K 4 toponodes 6 1K 6 isadev 6 1K 6 mount 16 1K 86 pci_link 10 1K 10 CAM SIM 2 1K 2 pfil 4 1K 4 chacha20random 1 1K 1 epoch 4 1K 4 cdev 2 1K 2 encap_export_host 8 1K 8 mld 3 1K 3 sctp_ifn 3 1K 3 igmp 3 1K 3 tun 4 1K 4 osd 3 1K 9 vnodes 1 1K 1 NFSD lckfile 1 1K 1 NFSD V4client 1 1K 1 DEVFS 9 1K 10 feeder 7 1K 7 inpcbpolicy 6 1K 143 loginclass 3 1K 3 DEVFSP 3 1K 3 filecaps 5 1K 70 soname 5 1K 5763 CAM path 4 1K 1034 apmdev 1 1K 1 atkbddev 2 1K 2 sctp_atky 3 1K 3 pmchooks 1 1K 1 prison 4 1K 4 CAM dev queue 2 1K 2 CAM I/O Scheduler 1 1K 1 nexusdev 5 1K 5 entropy 2 1K 37 tcpfunc 1 1K 1 sctp_vrf 1 1K 1 vnet 1 1K 1 acpiintr 1 1K 1 pmc 1 1K 1 cpus 2 1K 2 freework 1 1K 26 sctp_athm 2 1K 2 sctp_map 2 1K 2 vnet_data_free 1 1K 1 Per-cpu 1 1K 1 
iov 1 1K 13320 p1003.1b 1 1K 1 CAM CCB 0 0K 1765 madt_table 0 0K 2 PUC 0 0K 0 ppbusdev 0 0K 0 agtiapi_MemAlloc malloc 0 0K 0 osti_cacheable 0 0K 0 tempbuff 0 0K 0 pvscsi 0 0K 0 smartpqi 0 0K 0 tempbuff 0 0K 0 ag_tgt_map_t malloc 0 0K 0 ag_slr_map_t malloc 0 0K 0 lDevFlags * malloc 0 0K 0 tiDeviceHandle_t * malloc 0 0K 0 ag_portal_data_t malloc 0 0K 0 ag_device_t malloc 0 0K 0 STLock malloc 0 0K 0 iavf 0 0K 0 ixl 0 0K 0 CCB List 0 0K 0 sr_iov 0 0K 0 OCS 0 0K 0 OCS 0 0K 0 nvme 0 0K 0 nvd 0 0K 0 netmap 0 0K 0 mwldev 0 0K 0 fpukern_ctx 0 0K 0 MVS driver 0 0K 0 xen_intr 0 0K 0 xen_hvm 0 0K 0 legacydrv 0 0K 0 qpidrv 0 0K 0 CAM ccb queue 0 0K 0 mrsasbuf 0 0K 0 dmar_idpgtbl 0 0K 0 dmar_dom 0 0K 0 dmar_ctx 0 0K 0 dmar_dmamap 0 0K 0 mpt_user 0 0K 0 mps_user 0 0K 0 isci 0 0K 0 bxe_ilt 0 0K 0 xenbus 0 0K 0 vm_fictitious 0 0K 0 MPSSAS 0 0K 0 mps 0 0K 0 mpr_user 0 0K 0 MPRSAS 0 0K 0 UMAHash 0 0K 0 vm_pgdata 0 0K 0 jblocks 0 0K 0 savedino 0 0K 12 sentinel 0 0K 0 jfsync 0 0K 0 jtrunc 0 0K 0 sbdep 0 0K 2 jsegdep 0 0K 0 jseg 0 0K 0 jfreefrag 0 0K 0 jfreeblk 0 0K 0 jnewblk 0 0K 0 jmvref 0 0K 0 jremref 0 0K 0 jaddref 0 0K 0 freedep 0 0K 0 freefile 0 0K 9 freeblks 0 0K 25 freefrag 0 0K 5 allocindir 0 0K 0 allocdirect 0 0K 0 ufs_trim 0 0K 0 mactemp 0 0K 0 audit_trigger 0 0K 0 audit_pipe_presel 0 0K 0 audit_pipeent 0 0K 0 audit_pipe 0 0K 0 audit_evname 0 0K 0 audit_bsm 0 0K 0 audit_gidset 0 0K 0 audit_text 0 0K 0 audit_path 0 0K 0 audit_data 0 0K 0 audit_cred 0 0K 0 xform 0 0K 0 NLM 0 0K 0 nfsclient_nlminfo 0 0K 0 nfsclient_lock 0 0K 0 NFS FHA 0 0K 0 ipsec-spdcache 0 0K 0 ipsec-reg 0 0K 0 ipsec-misc 0 0K 0 ipsecrequest 0 0K 0 ip6opt 0 0K 3 ip6_msource 0 0K 0 ip6_moptions 0 0K 0 in6_mfilter 0 0K 0 frag6 0 0K 0 tcplog 0 0K 0 LRO 0 0K 0 sctp_mcore 0 0K 0 sctp_socko 0 0K 0 sctp_iter 0 0K 5 sctp_mvrf 0 0K 0 sctp_timw 0 0K 0 sctp_cpal 0 0K 0 sctp_cmsg 0 0K 0 sctp_stre 0 0K 0 sctp_athi 0 0K 0 sctp_a_it 0 0K 5 sctp_aadr 0 0K 0 sctp_stri 0 0K 0 newreno data 0 0K 0 ip_msource 0 0K 0 ip_moptions 0 
0K 0 in_mfilter 0 0K 0 ipid 0 0K 0 80211scan 0 0K 0 80211ratectl 0 0K 0 80211power 0 0K 0 80211nodeie 0 0K 0 80211node 0 0K 0 80211mesh_gt 0 0K 0 80211mesh_rt 0 0K 0 80211perr 0 0K 0 80211prep 0 0K 0 80211preq 0 0K 0 80211dfs 0 0K 0 80211crypto 0 0K 0 80211vap 0 0K 0 iflib 0 0K 0 vlan 0 0K 0 gif 0 0K 0 ifdescr 0 0K 0 zlib 0 0K 0 fadvise 0 0K 0 mpr 0 0K 0 statfs 0 0K 195 export_host 0 0K 0 cl_savebuf 0 0K 2 biobuf 0 0K 0 aios 0 0K 0 lio 0 0K 0 acl 0 0K 0 mfibuf 0 0K 0 mbuf_tag 0 0K 46 accf 0 0K 0 pts 0 0K 0 ioctlops 0 0K 92 Witness 0 0K 0 stack 0 0K 0 md_sectors 0 0K 0 sbuf 0 0K 288 md_disk 0 0K 0 compressor 0 0K 0 malodev 0 0K 0 SWAP 0 0K 0 LED 0 0K 0 sysctltmp 0 0K 590 sysctl 0 0K 1 ekcd 0 0K 0 dumper 0 0K 0 rctl 0 0K 0 ix_sriov 0 0K 0 aacraidcam 0 0K 0 ix 0 0K 0 ipsbuf 0 0K 0 iirbuf 0 0K 0 cache 0 0K 0 aacraid_buf 0 0K 0 kcovinfo 0 0K 0 prison_racct 0 0K 0 Fail Points 0 0K 0 sigio 0 0K 1 filedesc_to_leader 0 0K 0 tty console 0 0K 0 aaccam 0 0K 0 aacbuf 0 0K 0 zstd 0 0K 0 nvlist 0 0K 0 SCSI ENC 0 0K 0 SCSI sa 0 0K 0 isofs_node 0 0K 0 isofs_mount 0 0K 0 tr_raid5_data 0 0K 0 tr_raid1e_data 0 0K 0 tr_raid1_data 0 0K 0 tr_raid0_data 0 0K 0 tr_concat_data 0 0K 0 md_sii_data 0 0K 0 md_promise_data 0 0K 0 md_nvidia_data 0 0K 0 md_jmicron_data 0 0K 0 md_intel_data 0 0K 0 md_ddf_data 0 0K 0 raid_data 0 0K 72 geom_flashmap 0 0K 0 newnfsmnt 0 0K 0 newnfsclient_req 0 0K 0 NFSCL layrecall 0 0K 0 NFSCL session 0 0K 0 NFSCL sockreq 0 0K 0 NFSCL devinfo 0 0K 0 NFSCL flayout 0 0K 0 NFSCL layout 0 0K 0 NFSD rollback 0 0K 0 NFSCL diroffdiroff 0 0K 0 NEWdirectio 0 0K 0 NEWNFSnode 0 0K 0 NFSCL lck 0 0K 0 NFSCL lckown 0 0K 0 NFSCL client 0 0K 0 NFSCL deleg 0 0K 0 NFSCL open 0 0K 0 NFSCL owner 0 0K 0 NFS fh 0 0K 0 NFS req 0 0K 0 NFSD usrgroup 0 0K 0 NFSD string 0 0K 0 NFSD V4lock 0 0K 0 NFSD V4state 0 0K 0 NFSD srvcache 0 0K 0 msdosfs_fat 0 0K 0 msdosfs_mount 0 0K 0 msdosfs_node 0 0K 0 DEVFS4 0 0K 0 DEVFS2 0 0K 0 gntdev 0 0K 0 privcmd_dev 0 0K 0 evtchn_dev 0 0K 0 xenstore 0 0K 0 
scsi_pass 0 0K 0 ciss_data 0 0K 0 xnb 0 0K 0 xbbd 0 0K 0 xbd 0 0K 0 Balloon 0 0K 0 sysmouse 0 0K 0 vtfont 0 0K 0 ath_hal 0 0K 0 athdev 0 0K 0 ata_pci 0 0K 0 ata_dma 0 0K 0 ata_generic 0 0K 0 amr 0 0K 0 scsi_da 0 0K 69 ata_da 0 0K 0 scsi_ch 0 0K 0 scsi_cd 0 0K 0 USBdev 0 0K 0 USB 0 0K 0 AHCI driver 0 0K 0 agp 0 0K 0 nvme_da 0 0K 0 acpipwr 0 0K 0 twsbuf 0 0K 0 twe_commands 0 0K 0 twa_commands 0 0K 0 tcp_log_dev 0 0K 0 midi buffers 0 0K 0 mixer 0 0K 0 ac97 0 0K 0 hdacc 0 0K 0 hdac 0 0K 0 hdaa 0 0K 0 acpi_perf 0 0K 0 acpicmbat 0 0K 0 SIIS driver 0 0K 0 db> show ktr No such command; use "help" to list available commands