panic: Counter goes negative
cpuid = 1
time = 1694205939
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe006a499250
kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe006a4993b0
vpanic() at vpanic+0x271/frame 0xfffffe006a499550
panic() at panic+0xb5/frame 0xfffffe006a499620
sctp_inpcb_free() at sctp_inpcb_free+0x1fcb/frame 0xfffffe006a4996b0
sctp_close() at sctp_close+0x219/frame 0xfffffe006a499790
soclose() at soclose+0x3d0/frame 0xfffffe006a499880
_fdrop() at _fdrop+0x58/frame 0xfffffe006a4998b0
closef() at closef+0x655/frame 0xfffffe006a499a90
fdescfree() at fdescfree+0xa99/frame 0xfffffe006a499c70
exit1() at exit1+0x880/frame 0xfffffe006a499d10
sys_exit() at sys_exit+0x28/frame 0xfffffe006a499d30
ia32_syscall() at ia32_syscall+0x412/frame 0xfffffe006a499f30
int0x80_syscall_common() at int0x80_syscall_common+0x9c/frame 0xffffd72c
KDB: enter: panic
[ thread pid 29813 tid 122423 ]
Stopped at kdb_enter+0x6e: movq $0,0x2179737(%rip)
db>
db> set $lines = 0
db> set $maxwidth = 0
db> show registers
cs 0x20
ds 0x3b
es 0x3b
fs 0x13
gs 0x1b
ss 0
rax 0x12
rcx 0xffffffff815d5065 printf+0xf5
rdx 0x1
rbx 0xffffffff826db780 .str.28
rsp 0xfffffe006a499390
rbp 0xfffffe006a4993b0
rsi 0
rdi 0xffffffff815d50c6 printf+0x156
r8 0
r9 0xffffffff
r10 0x1000000000d09
r11 0x6
r12 0
r13 0xfffffe0075cbb3a0
r14 0xffffffff826db780 .str.28
r15 0
rip 0xffffffff815c40de kdb_enter+0x6e
rflags 0x46
kdb_enter+0x6e: movq $0,0x2179737(%rip)
db> show proc
Process 29813 (syz-executor.1) at 0xfffffe0073f4b000:
state: NORMAL
uid: 0 gids: 0, 0, 5
parent: pid 771 at 0xfffffe006d170000
ABI: FreeBSD ELF32
flag: 0x10002000 flag2: 0x40000
arguments: /root/syz-executor.1 exec
reaper: 0xfffffe0054216040 reapsubtree: 1
sigparent: 20
vmspace: 0xfffffe0058a3b268 (map 0xfffffe0058a3b268) (map.pmap 0xfffffe0058a3b328) (pmap 0xfffffe0058a3b398)
threads: 1
122423 Run CPU 1 syz-executor.1
db> ps
pid ppid pgrp uid state wmesg wchan cmd
29813 771 771 0 RE CPU 1 syz-executor.1
29809 770 770 0 R (threaded) syz-executor.0 119649 RunQ syz-executor.0 137015 S uwait 0xfffffe006d1a5300 syz-executor.0 29808 817 817 0 R (threaded) syz-executor.3 134722 RunQ syz-executor.3 137014 S connec 0xfffffe007675c0da syz-executor.3 9937 0 0 0 DL - 0xffffffff8382ea40 [soaiod4] 9936 0 0 0 DL - 0xffffffff8382ea40 [soaiod3] 9935 0 0 0 DL - 0xffffffff8382ea40 [soaiod2] 9934 0 0 0 DL - 0xffffffff8382ea40 [soaiod1] 9933 0 0 0 DL aiordy 0xfffffe0073cfc040 [aiod4] 9932 0 0 0 DL aiordy 0xfffffe006cd61040 [aiod3] 9931 0 0 0 DL aiordy 0xfffffe0057be6ac0 [aiod2] 9930 0 0 0 DL aiordy 0xfffffe00542175c0 [aiod1] 7343 1 7343 65 Ss select 0xfffffe00589f4a40 dhclient 5665 1 5665 0 Ss select 0xfffffe000784e2c0 dhclient 5662 1 5662 0 Ss select 0xfffffe0073eab1c0 dhclient 5643 1 5643 65 Ss select 0xfffffe00589f4940 dhclient 4492 1 4492 0 Ss select 0xfffffe00589f4740 dhclient 4489 1 4489 0 Ss select 0xfffffe00589f46c0 dhclient 4462 1 4462 65 Ss select 0xfffffe00589f47c0 dhclient 3704 1 770 0 S uwait 0xfffffe0073d34680 syz-executor.0 3690 1 770 0 S uwait 0xfffffe006d1a4b80 syz-executor.0 3686 1 770 0 S uwait 0xfffffe006d1a5400 syz-executor.0 3681 1 770 0 S uwait 0xfffffe00576afa80 syz-executor.0 3679 1 770 0 S uwait 0xfffffe0057ac9480 syz-executor.0 3383 1 3383 0 Ss select 0xfffffe0073eab140 dhclient 3380 1 3380 0 Ss select 0xfffffe00589f4c40 dhclient 3353 1 3353 65 Ss select 0xfffffe0073eab0c0 dhclient 1960 1 1960 0 Ss select 0xfffffe0073eab2c0 dhclient 1957 1 1957 0 Ss select 0xfffffe000784e140 dhclient 817 768 817 0 Rs syz-executor.3 804 768 804 0 Rs syz-executor.2 771 768 771 0 Rs syz-executor.1 770 768 770 0 Rs syz-executor.0 768 766 766 0 R (threaded) syz-fuzzer 100098 S uwait 0xfffffe00576b0e00 syz-fuzzer 100113 RunQ syz-fuzzer 100114 S wait 0xfffffe0057be7580 syz-fuzzer 100115 S uwait 0xfffffe00576af680 syz-fuzzer 100116 S uwait 0xfffffe00542f5e00 syz-fuzzer 100117 S wait 0xfffffe0057be7580 syz-fuzzer 100118 S wait 0xfffffe0057be7580 syz-fuzzer 100119 S wait 
0xfffffe0057be7580 syz-fuzzer 100125 S uwait 0xfffffe00576af080 syz-fuzzer 100126 S uwait 0xfffffe00576af180 syz-fuzzer 100134 S kqread 0xfffffe006cd87400 syz-fuzzer 100141 S uwait 0xfffffe0057ac9a80 syz-fuzzer 100344 S uwait 0xfffffe0057ac8200 syz-fuzzer 766 764 766 0 Ss pause 0xfffffe00571dcb70 csh 764 682 764 0 Ss select 0xfffffe000784e5c0 sshd 748 1 748 0 Ss+ ttyin 0xfffffe00572198b0 getty 747 1 747 0 Ss+ ttyin 0xfffffe00587f54b0 getty 746 1 746 0 Ss+ ttyin 0xfffffe00587f5cb0 getty 745 1 745 0 Ss+ ttyin 0xfffffe00587f64b0 getty 744 1 744 0 Ss+ ttyin 0xfffffe00587f6cb0 getty 743 1 743 0 Ss+ ttyin 0xfffffe005437a4b0 getty 742 1 742 0 Ss+ ttyin 0xfffffe005437acb0 getty 741 1 741 0 Ss+ ttyin 0xfffffe005437b4b0 getty 740 1 740 0 Ss+ ttyin 0xfffffe005437bcb0 getty 686 1 686 0 Ss nanslp 0xffffffff8371ec01 cron 682 1 682 0 Ss select 0xfffffe000784e6c0 sshd 495 1 495 0 Ss select 0xfffffe00589f5040 syslogd 424 1 424 0 Ss select 0xfffffe00589f50c0 devd 423 1 423 65 Ss select 0xfffffe000784e7c0 dhclient 338 1 338 0 Ss select 0xfffffe000784e740 dhclient 335 1 335 0 Ss select 0xfffffe00589f4f40 dhclient 17 0 0 0 DL syncer 0xffffffff8383c2e0 [syncer] 16 0 0 0 DL vlruwt 0xfffffe00571de040 [vnlru] 15 0 0 0 DL (threaded) [bufdaemon] 100079 D psleep 0xffffffff8383a900 [bufdaemon] 100082 D - 0xffffffff82c0a140 [bufspacedaemon-0] 100094 D sdflush 0xfffffe00570c04e8 [/ worker] 9 0 0 0 DL psleep 0xffffffff838ad480 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100077 D psleep 0xffffffff83895338 [dom0] 100080 D launds 0xffffffff83895344 [laundry: dom0] 100081 D umarcl 0xffffffff81d4cef0 [uma] 7 0 0 0 DL - 0xffffffff834b3c28 [rand_harvestq] 6 0 0 0 DL pftm 0xffffffff83f993d0 [pf purge] 5 0 0 0 DL waiting 0xffffffff84526380 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100044 D - 0xffffffff8347e340 [doneq0] 100045 D - 0xffffffff8347e2c0 [async] 100076 D - 0xffffffff8347e140 [scanner] 3 0 0 0 DL (threaded) [crypto] 100041 D crypto_ 0xffffffff83890ba0 [crypto] 100042 D crypto_ 
0xfffffe00540bfe30 [crypto returns 0] 100043 D crypto_ 0xfffffe00540bfe80 [crypto returns 1] 14 0 0 0 DL seqstat 0xfffffe00570ca088 [sequencer 00] 13 0 0 0 DL (threaded) [geom] 100035 D - 0xffffffff836c75e0 [g_event] 100036 D - 0xffffffff836c7600 [g_up] 100037 D - 0xffffffff836c7620 [g_down] 2 0 0 0 WL (threaded) [clock] 100029 I [clock (0)] 100030 I [clock (1)] 12 0 0 0 RL (threaded) [intr] 100012 I [swi6: task queue] 100013 I [swi6: Giant taskq] 100015 I [swi5: fast taskq] 100031 I [swi1: netisr 0] 100032 Run CPU 0 [swi1: hpts] 100033 I [swi1: hpts] 100046 I [irq24: virtio_pci0] 100047 I [irq25: virtio_pci0] 100048 I [irq26: virtio_pci0] 100049 I [irq27: virtio_pci0] 100050 I [irq28: virtio_pci1] 100051 I [irq29: virtio_pci1] 100052 I [irq30: virtio_pci1] 100053 I [irq31: virtio_pci1] 100054 I [irq32: virtio_pci1] 100059 I [irq33: virtio_pci2] 100060 I [irq34: virtio_pci2] 100061 I [irq35: virtio_pci2] 100063 I [irq1: atkbd0] 100064 I [irq12: psm0] 100065 I [swi0: uart uart++] 100069 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffffe0054216040 [init] 10 0 0 0 DL audit_w 0xffffffff838915e0 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D swapin 0xffffffff836c7fa0 [swapper] 100005 D - 0xfffffe00542d0100 [softirq_0] 100006 D - 0xfffffe00542d0000 [softirq_1] 100007 D - 0xfffffe00542cfe00 [if_io_tqg_0] 100008 D - 0xfffffe00542cfd00 [if_io_tqg_1] 100009 D - 0xfffffe00542cfc00 [if_config_tqg_0] 100010 D - 0xfffffe00085fe000 [pci_hp taskq] 100011 D - 0xfffffe00085fde00 [kqueue_ctx taskq] 100014 D - 0xfffffe00085fdb00 [thread taskq] 100016 D - 0xfffffe00085fd900 [aiod_kick taskq] 100017 D - 0xfffffe00085fd800 [deferred_unmount ta] 100018 D - 0xfffffe00085fd700 [inm_free taskq] 100019 D - 0xfffffe00085fd600 [in6m_free taskq] 100020 D - 0xfffffe00085fd500 [linuxkpi_irq_wq] 100021 D - 0xfffffe00085fd400 [linuxkpi_short_wq_0] 100022 D - 0xfffffe00085fd400 [linuxkpi_short_wq_1] 100023 D - 
0xfffffe00085fd400 [linuxkpi_short_wq_2] 100024 D - 0xfffffe00085fd400 [linuxkpi_short_wq_3] 100025 D - 0xfffffe00085fd300 [linuxkpi_long_wq_0] 100026 D - 0xfffffe00085fd300 [linuxkpi_long_wq_1] 100027 D - 0xfffffe00085fd300 [linuxkpi_long_wq_2] 100028 D - 0xfffffe00085fd300 [linuxkpi_long_wq_3] 100034 D - 0xfffffe00085fd200 [firmware taskq] 100039 D - 0xfffffe00085fd100 [crypto_0] 100040 D - 0xfffffe00085fd100 [crypto_1] 100055 D - 0xfffffe00085fce00 [vtnet0 rxq 0] 100056 D - 0xfffffe00085fcd00 [vtnet0 txq 0] 100057 D - 0xfffffe00085fcc00 [vtnet0 rxq 1] 100058 D - 0xfffffe00085fcb00 [vtnet0 txq 1] 100062 D vtbslp 0xfffffe00571af480 [virtio_balloon] 100066 D - 0xffffffff826e08c1 [deadlkres] 100070 D - 0xfffffe005875f300 [acpi_task_0] 100071 D - 0xfffffe005875f300 [acpi_task_1] 100072 D - 0xfffffe005875f300 [acpi_task_2] 100074 D - 0xfffffe00085fe100 [mca taskq] 100075 D - 0xfffffe00085fd000 [CAM taskq] db> show all locks Process 12 (intr) thread 0xfffffe00542ede40 (100032) exclusive sleep mutex tcp_hpts_lck (hpts) r = 0 (0xfffffe00079aec00) locked @ /syzkaller/managers/i386/kernel/sys/netinet/tcp_hpts.c:1389 db> show malloc Type InUse MemUse Requests pf_hash 5 11524K 5 tcp_hpts 7 4801K 7 devbuf 4192 4324K 4220 sysctloid 34926 2058K 34997 vtbuf 24 1968K 46 kobj 326 1304K 488 pcb 490 1191K 74975 newblk 9 1026K 135889 vfscache 3 1025K 3 inodedep 80 542K 36156 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 472K 4 subproc 158 310K 29903 vmem 3 266K 6 sctp_stro 231 231K 12331 acpitask 1 224K 1 acpica 1674 184K 60310 sctp_atcl 464 174K 50853 tidhash 3 141K 3 filedesc 18 137K 57561 pagedep 9 130K 28786 linker 352 130K 385 tfo_ccache 1 128K 1 IP reass 1 128K 1 vnet_data 1 112K 1 DEVFS1 109 109K 126 sem 4 106K 4 gtaskqueue 18 98K 18 BPF 46 88K 387 bus 985 81K 5155 mtx_pool 2 72K 2 syncache 1 68K 1 NFSD srvcache 3 68K 3 module 512 64K 512 ddb_capture 1 64K 1 umtx 418 53K 418 kdtrace 241 48K 66835 sctp_timw 166 42K 166 temp 35 37K 8266 shm 2 34K 18 hostcache 1 
32K 1 DEVFS3 128 32K 138 msg 4 30K 4 sctp_atky 695 29K 64443 kbdmux 6 28K 6 pf_osfp 189 23K 189 ifaddr 70 20K 72 DEVFS_RULE 56 20K 56 dirrem 71 18K 32704 ufs_mount 4 17K 5 proc 3 17K 3 tty 16 16K 16 routetbl 130 16K 410 ithread 97 16K 97 bus-sc 34 15K 1687 eventhandler 157 13K 157 KTRACE 100 13K 100 ifnet 7 13K 7 ether_multi 152 13K 162 lltable 40 12K 136 kenv 95 12K 95 rman 88 11K 431 GEOM 61 11K 481 CAM queue 5 11K 1528 freefile 71 9K 32694 in6_multi 65 9K 65 bmsafemap 2 9K 34604 rpc 4 9K 4 devstat 4 9K 4 UART 12 9K 12 ksem 1 8K 61 shmfd 1 8K 2 pfs_vncache 1 8K 1 audit_evclass 238 8K 300 sctp_athm 464 8K 51763 sctp_map 462 8K 24726 kqueue 71 7K 29881 taskqueue 63 7K 63 cred 26 7K 348 CC Mem 25 7K 11142 sglist 6 7K 6 plimit 24 6K 531 CAM DEV 3 6K 510 pfs_nodes 20 5K 20 hhook 15 5K 17 ufs_dirhash 24 5K 24 pf_ifnet 11 5K 23 UMA 268 5K 268 session 35 5K 57 pwddesc 68 5K 29814 DEVFSP 68 5K 1080 vt 11 5K 11 memdesc 1 4K 1 MCA 32 4K 32 evdev 4 4K 4 lockf 33 4K 88 proc-args 96 4K 31262 acpisem 28 4K 28 selfd 55 4K 387466 kcovinfo 52 4K 52 terminal 11 3K 11 select 19 3K 58 clone 9 3K 9 uidinfo 3 3K 20 local_apic 1 2K 1 io_apic 1 2K 1 ipsec-saq 2 2K 2 ip6ndp 12 2K 14 Unitno 29 2K 49 sctp_ifa 13 2K 14 CAM XPT 22 2K 543 msi 12 2K 12 in_multi 6 2K 8 toponodes 6 2K 6 ipsecpolicy 2 2K 2 acpidev 20 2K 20 inpcbpolicy 36 2K 11813 tun 7 2K 7 freework 5 2K 74219 softdep 1 1K 1 mkdir 8 1K 57530 freeblks 4 1K 33828 sahead 1 1K 1 secasvar 1 1K 1 nhops 6 1K 8 vnodemarker 2 1K 112 NFSD session 1 1K 1 CAM periph 4 1K 271 osd 30 1K 11151 ipsec 3 1K 3 sctp_ifn 6 1K 14 mld 6 1K 6 igmp 6 1K 6 pfil 6 1K 6 isadev 6 1K 6 mount 16 1K 89 pci_link 10 1K 10 crypto 4 1K 4 encap_export_host 12 1K 12 procdesc 5 1K 18 sctp_stri 1 1K 1944 newdirblk 4 1K 28765 diradd 4 1K 32746 cdev 2 1K 2 chacha20random 1 1K 1 biobuf 1 1K 1 vnodes 1 1K 1 NFSD lckfile 1 1K 1 NFSD V4client 1 1K 1 DEVFS 9 1K 10 CAM SIM 2 1K 2 feeder 7 1K 7 tcpfunc 3 1K 3 loginclass 3 1K 6 prison 6 1K 6 lkpikmalloc 5 1K 6 cryptodev 2 1K 767 
nexusdev 8 1K 8 apmdev 1 1K 1 atkbddev 2 1K 2 netlink 1 1K 1 aio 4 1K 4 soname 5 1K 44355 pmchooks 1 1K 1 CAM path 4 1K 1034 CAM dev queue 2 1K 2 CAM I/O Scheduler 1 1K 1 filecaps 5 1K 124 sctp_vrf 1 1K 1 vnet 1 1K 1 pmc 1 1K 1 entropy 2 1K 49 acpiintr 1 1K 1 cpus 2 1K 2 vnet_data_free 1 1K 1 Per-cpu 1 1K 1 p1003.1b 1 1K 1 ipcomp 0 0K 0 esp 0 0K 0 ah 0 0K 0