panic: /syzkaller/managers/main/kernel/sys/kern/kern_timeout.c:607: callout_cc_add: Bad list head 0xfffffe00077d61d8 first->prev != head cpuid = 0 time = 1754528638 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe0056c21690 kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe0056c217f0 vpanic() at vpanic+0x257/frame 0xfffffe0056c219b0 panic() at panic+0xb5/frame 0xfffffe0056c21a70 callout_cc_add() at callout_cc_add+0x339/frame 0xfffffe0056c21ad0 callout_reset_sbt_on() at callout_reset_sbt_on+0x74f/frame 0xfffffe0056c21bf0 sleepq_set_timeout_sbt() at sleepq_set_timeout_sbt+0x20b/frame 0xfffffe0056c21cb0 _sleep() at _sleep+0x468/frame 0xfffffe0056c21e10 pf_purge_thread() at pf_purge_thread+0x159/frame 0xfffffe0056c21ef0 fork_exit() at fork_exit+0xcc/frame 0xfffffe0056c21f30 fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0056c21f30 --- trap 0, rip = 0, rsp = 0, rbp = 0 --- KDB: enter: panic [ thread pid 6 tid 100067 ] Stopped at kdb_enter+0x6e: movq $0,0x25c4417(%rip) db> db> set $lines = 0 db> set $maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0x28 rax 0x12 rcx 0xfffffe0002bf1850 rdx 0 rbx 0xffffffff827cd4c0 .str.27 rsp 0xfffffe0056c217d0 rbp 0xfffffe0056c217f0 rsi 0 rdi 0xffffffff81614c49 printf+0x149 r8 0 r9 0xffffffff r10 0x21f6ed365a9fc287 r11 0xfffffe0054116cd0 r12 0xfffffe00079fc780 r13 0xfffffffffffffffe r14 0xffffffff827cd4c0 .str.27 r15 0 rip 0xffffffff815fe77e kdb_enter+0x6e rflags 0x46 kdb_enter+0x6e: movq $0,0x25c4417(%rip) db> show proc Process 6 (pf purge) at 0xfffffe0054003008: state: NORMAL uid: 0 gids: 0 parent: pid 0 at 0xffffffff83b4d040 ABI: null flag: 0x10000204 flag2: 0 reaper: 0xffffffff83b4d040 reapsubtree: 6 sigparent: 20 vmspace: 0xffffffff83b4e020 (map 0xffffffff83b4e020) (map.pmap 0xffffffff83b4e0c0) (pmap 0xffffffff83b4e130) threads: 1 100067 Run pftm 0xffffffff845ccbd0 [pf purge] db> ps pid ppid pgrp uid state wmesg wchan cmd 1525 766 766 60928 R (threaded) syz-executor 100120 Run CPU 1 syz-executor 101081 D fork 0xffffffff827d1ba0 syz-executor 101082 D fork 0xffffffff827d1ba0 syz-executor 101083 D fork 0xffffffff827d1ba0 syz-executor 1521 763 763 0 R (threaded) syz-executor 100146 RunQ syz-executor 101076 S select 0xfffffe006e54f0c0 syz-executor 101080 S uwait 0xfffffe0077b38200 syz-executor 1515 1514 764 0 S uwait 0xfffffe0057e16500 syz-executor 1514 1513 764 0 SV wait 0xfffffe005411dab0 syz-executor 1513 764 764 0 T (threaded) syz-executor 100098 s syz-executor 101066 D ppwait 0xfffffe005411dfb0 syz-executor 101067 s syz-executor 1512 1 764 0 S uwait 0xfffffe00584f2980 syz-executor 1509 0 0 0 DL - 0xffffffff83b4e4e0 [accounting] 1506 1 763 0 S uwait 0xfffffe006e4e2280 syz-executor 1504 1503 765 0 S uwait 0xfffffe006e4e4200 syz-executor 1503 1502 765 0 SV wait 0xfffffe005417fac0 syz-executor 1502 765 765 0 T (threaded) syz-executor 100234 s syz-executor 101058 D ppwait 0xfffffe005417ffc0 syz-executor 101059 s syz-executor 1498 1 764 0 S uwait 0xfffffe0057e15780 syz-executor 1494 1 765 0 S uwait 0xfffffe0077b37d00 syz-executor 1474 1 765 60928 S uwait 0xfffffe0057e15680 syz-executor 1470 0 0 0 DL (threaded) [so_splice] 100094 D - 0xfffffe006e54ef00 [thr_0] 101007 D - 0xfffffe006e54ef40 [thr_1] 1466 1 765 0 S uwait 0xfffffe00584f3a00 syz-executor 1461 1 1461 0 Ss+ ttyin 0xfffffe0058298cb0 getty 1460 1 1460 0 Ss+ ttyin 0xfffffe00585be8b0 getty 1459 1 1459 0 Ss+ ttyin 0xfffffe00585becb0 getty 1458 1 1458 0 Ss+ ttyin 0xfffffe0058297cb0 getty 1457 1 1457 0 Ss+ ttyin 0xfffffe00585bf0b0 getty 1456 1 1456 0 Ss+ ttyin 0xfffffe00585bf4b0 getty 1455 1 1455 0 Ss+ ttyin 0xfffffe00585bf8b0 getty 1454 1 1454 0 Ss+ ttyin 0xfffffe00585c00b0 getty 1453 1 1453 0 Ss+ ttyin 0xfffffe00585bfcb0 getty 1402 1 766 -1 S uwait 0xfffffe006e4e3280 syz-executor 1236 0 0 0 DL mdwait 0xfffffe0077a9e000 [md127] 1166 0 0 0 DL (threaded) [KTLS] 100557 D - 0xfffffe007774fc00 [thr_0] 100558 D - 0xfffffe007774fc80 [thr_1] 100559 D - 0xffffffff83cb5628 [reclaim_0] 1162 0 0 0 DL mdwait 0xfffffe006de0b000 [md6] 1017 1008 1017 0 Ss select 0xfffffe0059b84240 dhclient 1008 1 423 65 S select 0xfffffe0059b845c0 dhclient 814 0 0 0 DL aiordy 0xfffffe00540efab8 [aiod4] 812 0 0 0 DL aiordy 0xfffffe00540f0ac0 [aiod3] 811 0 0 0 DL aiordy 0xfffffe00540f0010 [aiod2] 809 0 0 0 DL aiordy 0xfffffe005400d018 [aiod1] 766 762 766 0 S nanslp 0xffffffff83ba3c00 syz-executor 765 762 765 0 S nanslp 0xffffffff83ba3c00 syz-executor 764 762 764 0 S nanslp 0xffffffff83ba3c00 syz-executor 763 762 763 0 S nanslp 0xffffffff83ba3c00 syz-executor 762 760 760 0 S select 0xfffffe006dbe64c0 syz-executor 760 1 760 0 Ss sigsusp 0xfffffe005400c0c0 csh 16 0 0 0 DL syncer 0xffffffff83cc1820 [syncer] 15 0 0 0 DL vlruwt 0xfffffe0054002558 [vnlru] 14 0 0 0 DL (threaded) [bufdaemon] 100079 D psleep 0xffffffff83cbfd60 [bufdaemon] 100080 D - 0xffffffff83001ec0 [bufspacedaemon-0] 100096 D sdflush 0xfffffe0057dc74e8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83d0ac80 [vmdaemon] 8 0 0 0 DL (threaded) [pagedaemon] 100077 D psleep 0xffffffff83cf0d48 [dom0] 100081 D launds 0xffffffff83cf0d54 [laundry: dom0] 100082 D umarcl 0xffffffff81de25a0 [uma] 7 0 0 0 DL - 0xffffffff8391c5d8 [rand_harvestq] 6 0 0 0 RL pftm 0xffffffff845ccbd0 [pf purge] 5 0 0 0 DL waiting 0xffffffff8449b700 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100045 D - 0xffffffff838e6340 [doneq0] 100046 D - 0xffffffff838e62c0 [async] 100075 D - 0xffffffff838e6140 [scanner] 3 0 0 0 DL (threaded) [crypto] 100042 D crypto_ 0xffffffff83cec640 [crypto] 100043 D crypto_ 0xfffffe0053ea9030 [crypto returns 0] 100044 D crypto_ 0xfffffe0053ea9080 [crypto returns 1] 13 0 0 0 DL (threaded) [geom] 100037 D - 0xffffffff83b4c600 [g_event] 100038 D - 0xffffffff83b4c620 [g_up] 100039 D - 0xffffffff83b4c640 [g_down] 2 0 0 0 WL (threaded) [clock] 100031 I [clock (0)] 100032 I [clock (1)] 12 0 0 0 WL (threaded) [intr] 100013 I [swi6: task queue] 100014 I [swi6: Giant taskq] 100016 I [swi5: fast taskq] 100033 I [swi1: netisr 0] 100034 I [swi1: hpts] 100035 I [swi1: hpts] 100047 I [irq24: virtio_pci0] 100048 I [irq25: virtio_pci0] 100049 I [irq26: virtio_pci0] 100050 I [irq27: virtio_pci0] 100051 I [irq28: virtio_pci1] 100052 I [irq29: virtio_pci1] 100053 I [irq30: virtio_pci1] 100054 I [irq31: virtio_pci1] 100055 I [irq32: virtio_pci1] 100060 I [irq10: virtio_pci2] 100062 I [irq1: atkbd0] 100063 I [irq12: psm0] 100064 I [swi0: uart uart++] 100068 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffffe0007809010 [init] 10 0 0 0 DL audit_w 0xffffffff83ced0e0 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D parked 0xffffffff84c40ff0 [swapper] 100005 D - 0xfffffe00083f7000 [softirq_0] 100006 D - 0xfffffe00083f6e00 [softirq_1] 100007 D - 0xfffffe00083f6d00 [if_io_tqg_0] 100008 D - 0xfffffe00083f6c00 [if_io_tqg_1] 100009 D - 0xfffffe00083f6b00 [if_config_tqg_0] 100010 D - 0xfffffe00083f6a00 [kqueue_ctx taskq] 100011 D - 0xfffffe00083f6900 [jail_remove taskq] 100012 D - 0xfffffe00083f6800 [bus taskq] 100015 D - 0xfffffe00083f6500 [thread taskq] 100017 D - 0xfffffe00083f6300 [aiod_kick taskq] 100018 D - 0xfffffe00083f6200 [deferred_unmount ta] 100019 D - 0xfffffe00083f6100 [inm_free taskq] 100020 D - 0xfffffe00083f6000 [in6m_free taskq] 100021 D - 0xfffffe00083f5e00 [linuxkpi_irq_wq] 100022 D - 0xfffffe00083f5d00 [linuxkpi_short_wq_0] 100023 D - 0xfffffe00083f5d00 [linuxkpi_short_wq_1] 100024 D - 0xfffffe00083f5d00 [linuxkpi_short_wq_2] 100025 D - 0xfffffe00083f5d00 [linuxkpi_short_wq_3] 100026 D - 0xfffffe00083f5c00 [linuxkpi_long_wq_0] 100027 D - 0xfffffe00083f5c00 [linuxkpi_long_wq_1] 100028 D - 0xfffffe00083f5c00 [linuxkpi_long_wq_2] 100029 D - 0xfffffe00083f5c00 [linuxkpi_long_wq_3] 100036 D - 0xfffffe00083f5b00 [firmware taskq] 100040 D - 0xfffffe00083f5a00 [crypto_0] 100041 D - 0xfffffe00083f5a00 [crypto_1] 100056 D - 0xfffffe00083f5800 [vtnet0 rxq 0] 100057 D - 0xfffffe00083f5700 [vtnet0 txq 0] 100058 D - 0xfffffe00083f5600 [vtnet0 rxq 1] 100059 D - 0xfffffe00083f5500 [vtnet0 txq 1] 100061 D vtbslp 0xfffffe0057d80e00 [virtio_balloon] 100065 D - 0xffffffff827d1ba1 [deadlkres] 100069 D - 0xfffffe005940c300 [acpi_task_0] 100070 D - 0xfffffe005940c300 [acpi_task_1] 100071 D - 0xfffffe005940c300 [acpi_task_2] 100073 D - 0xfffffe00083f7100 [mca taskq] 100074 D - 0xfffffe00083f5900 [CAM taskq] 100076 D - 0xfffffe00083f5400 [ipsec_offload] db> show all locks Process 1525 (syz-executor) thread 0xfffffe005410f000 (100120) exclusive sleep mutex umtxql (umtxql) r = 0 (0xffffffff83bb7870) locked @ /syzkaller/managers/main/kernel/sys/kern/kern_umtx.c:1299 Process 6 (pf purge) thread 0xfffffe00079fc780 (100067) exclusive sx pf end thread (pf end thread) r = 0 (0xffffffff84694e00) locked @ /syzkaller/managers/main/kernel/sys/netpfil/pf/pf.c:2598 db>