Diffstat (limited to 'tools/test')
-rwxr-xr-xtools/test/netfibs/reflector.sh2
-rw-r--r--tools/test/stress2/misc/all.exclude10
-rwxr-xr-xtools/test/stress2/misc/fullpath2.sh2
-rwxr-xr-xtools/test/stress2/misc/mmap43.sh9
-rwxr-xr-xtools/test/stress2/misc/syzkaller80.sh320
-rwxr-xr-xtools/test/stress2/misc/syzkaller81.sh72
-rwxr-xr-xtools/test/stress2/misc/syzkaller82.sh122
-rwxr-xr-xtools/test/stress2/misc/syzkaller83.sh168
8 files changed, 699 insertions, 6 deletions
diff --git a/tools/test/netfibs/reflector.sh b/tools/test/netfibs/reflector.sh
index b9500689a321..a68019532010 100755
--- a/tools/test/netfibs/reflector.sh
+++ b/tools/test/netfibs/reflector.sh
@@ -897,7 +897,7 @@ testrx_run_test()
*) _opts="-d" ;;
esac
- # Convert netcat options to reflect aguments.
+ # Convert netcat options to reflect arguments.
case "${_o}" in
-i) _opts="${_opts} -T TCP6" ;; # Use TCP for START/DONE.
-u) _opts="${_opts} -T UDP6" ;;
diff --git a/tools/test/stress2/misc/all.exclude b/tools/test/stress2/misc/all.exclude
index f8a5ea4a91f1..f9b32db95799 100644
--- a/tools/test/stress2/misc/all.exclude
+++ b/tools/test/stress2/misc/all.exclude
@@ -16,8 +16,6 @@ fsck12.sh Waiting for fix 20230319
fsync.sh panic: Journal overflow 20190208
fuse.sh https://people.freebsd.org/~pho/stress/log/log0546.txt 20240828
fuse2.sh https://people.freebsd.org/~pho/stress/log/log0547.txt 20240828
-getrandom.sh Known DoS issue 20201107
-getrandom2.sh Known DoS issue 20200302
gjournal.sh panic: Journal overflow 20190626
gjournal2.sh panic: Journal overflow 20180125
gjournal3.sh panic: Bio not on queue 20171225
@@ -34,6 +32,7 @@ maxvnodes2.sh https://people.freebsd.org/~pho/stress/log/log0083.txt 20210329
memguard.sh https://people.freebsd.org/~pho/stress/log/log0088.txt 20210402
memguard2.sh Waiting for fix commit
memguard3.sh Waiting for fix commit
+mount7.sh https://people.freebsd.org/~pho/stress/log/log0549.txt 20240912
mlockall2.sh Unrecoverable OOM killing seen 20190203
mlockall6.sh https://people.freebsd.org/~pho/stress/log/log0430.txt 20230403
mlockall7.sh Needs further investigation 20210123
@@ -46,6 +45,7 @@ nfs16.sh panic: Failed to register NFS lock locally - error=11 20160608
nullfs28.sh Hang in "mount drain" seen 20220111
oom2.sh Hang in pfault 20180324
overcommit2.sh CAM stuck in vmwait seen 20200112
+pmc4.sh https://people.freebsd.org/~pho/stress/log/log0548.txt 20240904
pmc8.sh panic: [pmc,2749] (ri21, rc1) waiting too long for pmc to ... 20210621
rename14.sh https://people.freebsd.org/~pho/stress/log/log0433.txt 20230409
sctp2.sh panic: Queues are not empty when handling SHUTDOWN-COMPLETE 20210211
@@ -71,8 +71,14 @@ syzkaller59.sh Page fault 20220625
syzkaller65.sh panic: in_pcblookup_hash_locked: invalid local address 20230318
syzkaller66.sh panic: in_pcbconnect: inp is already connected 20230621
syzkaller67.sh panic: ASan: Invalid access, 8-byte read at ... 20230621
+syzkaller80.sh panic 20250711
+syzkaller81.sh panic 20250711
+syzkaller82.sh panic: m_apply, length > size of mbuf chain 20250724
+quota3.sh https://people.freebsd.org/~pho/stress/log/log0604.txt 20250728
quota6.sh https://people.freebsd.org/~pho/stress/log/log0456.txt 20240707
truss3.sh WiP 20200915
+zfs18.sh https://people.freebsd.org/~pho/stress/log/log0560.txt 20241118
+zfs9.sh panic: sacked_bytes < 0 20250711
# Test not to run for other reasons:
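Review bot: The new `syzkaller80.sh` and `syzkaller81.sh` entries give only `panic` as the reason, while the neighbouring entries carry the panic string or a log URL. The scripts' own headers contain the strings, so `syzkaller80.sh panic: uipc_sosend_stream_or_seqpacket: Empty stailq 20250711` and `syzkaller81.sh panic: kern_clock_gettime: 22 20250711` would keep the list searchable. In the `@@ -34,6 +32,7 @@` hunk `mount7.sh` is inserted before `mlockall2.sh`, which is out of order if the list is meant to stay sorted. `syzkaller83.sh` is added by this commit without an exclude entry although its header records a panic; presumably that is intentional, but it is worth confirming.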
diff --git a/tools/test/stress2/misc/fullpath2.sh b/tools/test/stress2/misc/fullpath2.sh
index e4024c32f317..413f832420d4 100755
--- a/tools/test/stress2/misc/fullpath2.sh
+++ b/tools/test/stress2/misc/fullpath2.sh
@@ -123,7 +123,7 @@ static volatile u_int *share;
#define NB 1024
#define RUNTIME 300
-/* dtrace -w -n 'fbt::*vn_fullpath1:entry {@rw[execname,probefunc] = count(); }' */
+/* dtrace -n 'fbt::vn_fullpath:entry {@rw[execname,probefunc] = count(); }' */
static void
getfiles(pid_t pid)
diff --git a/tools/test/stress2/misc/mmap43.sh b/tools/test/stress2/misc/mmap43.sh
index 98f1de174d54..8508d5865aef 100755
--- a/tools/test/stress2/misc/mmap43.sh
+++ b/tools/test/stress2/misc/mmap43.sh
@@ -10,7 +10,7 @@
set -u
prog=$(basename "$0" .sh)
-log=/tmp/$prog.log
+log=`dirname $diskimage`/$prog.log
rm -f $log
cat > /tmp/$prog.c <<EOF
#include <sys/mman.h>
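Review bot: `$diskimage` is expanded unquoted inside backticks on the new `log=` line, so a path containing whitespace would be split before `dirname` sees it, and the form differs from the `$(basename "$0" .sh)` used one line above; `log=$(dirname "$diskimage")/$prog.log` addresses both. The assignment runs after `set -u`, so it relies on `diskimage` already being defined at this point, presumably by a config file sourced above the hunk, which should be confirmed. The generated source is still written to `/tmp/$prog.c` on the following line, so only the log has moved off /tmp.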
@@ -148,7 +148,12 @@ s=0
start=`date +%s`
while [ $((`date +%s` - start)) -lt 300 ]; do
st=`date +%s`
- cp file.orig file
+ cp file.orig file || {
+ # Workaround for known UFS SU ENOSPC issue
+ echo "Flush file system buffers and retry."
+ (cd $mntpoint; umount $mntpoint) > /dev/null 2>&1 # busy umount
+ cp file.orig file || exit 1
+ }
for i in `jot $n`; do
timeout -k 70s 1m /tmp/$prog.sort /dev/zero &
done
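Review bot: In the retry block the subshell runs `cd $mntpoint; umount $mntpoint`, so the umount is still attempted when the `cd` fails and is then no longer guaranteed to be the intended busy, failing umount; `(cd $mntpoint && umount $mntpoint) > /dev/null 2>&1` keeps the flush side effect without risking a real unmount. The second `cp file.orig file || exit 1` leaves the script from inside the loop, which appears to skip whatever cleanup follows the loop outside this hunk; recording a failure status and using `break` would let that cleanup run. The while loop starts and ends outside the hunk.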
diff --git a/tools/test/stress2/misc/syzkaller80.sh b/tools/test/stress2/misc/syzkaller80.sh
new file mode 100755
index 000000000000..31eae210d5b3
--- /dev/null
+++ b/tools/test/stress2/misc/syzkaller80.sh
@@ -0,0 +1,320 @@
+#!/bin/sh
+
+# panic: ../../../kern/uipc_usrreq.c:1256: uipc_sosend_stream_or_seqpacket: Empty stailq 0xfffffe00ffe5fc88->stqh_last is 0xfffffe00ffe5fcd0, not head's first field address
+# cpuid = 5
+# time = 1749593630
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00ffe5fab0
+# vpanic() at vpanic+0x136/frame 0xfffffe00ffe5fbe0
+# panic() at panic+0x43/frame 0xfffffe00ffe5fc40
+# uipc_sosend_stream_or_seqpacket() at uipc_sosend_stream_or_seqpacket+0xa39/frame 0xfffffe00ffe5fd10
+# sousrsend() at sousrsend+0x79/frame 0xfffffe00ffe5fd70
+# dofilewrite() at dofilewrite+0x81/frame 0xfffffe00ffe5fdc0
+# sys_writev() at sys_writev+0x69/frame 0xfffffe00ffe5fe00
+# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe00ffe5ff30
+# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe00ffe5ff30
+# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x82330181a, rsp = 0x8238dbf68, rbp = 0x8238dbf90 ---
+# KDB: enter: panic
+# [ thread pid 4484 tid 101524 ]
+# Stopped at kdb_enter+0x33: movq $0,0x122ebc2(%rip)
+# db> x/s version
+# version: FreeBSD 15.0-CURRENT #0 main-n277833-948078b65c27-dirty: Tue Jun 10 06:01:36 CEST 2025
+# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
+# db>
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// https://syzkaller.appspot.com/bug?id=210ae0bfcef6324abfffbfaf10120b767106a990
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+// syzbot+cfcb8520b0071b548fba@syzkaller.appspotmail.com
+
+#define _GNU_SOURCE
+
+#include <sys/types.h>
+
+#include <errno.h>
+#include <pthread.h>
+#include <pwd.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+static unsigned long long procid;
+
+static void kill_and_wait(int pid, int* status)
+{
+ kill(pid, SIGKILL);
+ while (waitpid(-1, status, 0) != pid) {
+ }
+}
+
+static void sleep_ms(uint64_t ms)
+{
+ usleep(ms * 1000);
+}
+
+static uint64_t current_time_ms(void)
+{
+ struct timespec ts;
+ if (clock_gettime(CLOCK_MONOTONIC, &ts))
+ exit(1);
+ return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static void thread_start(void* (*fn)(void*), void* arg)
+{
+ pthread_t th;
+ pthread_attr_t attr;
+ pthread_attr_init(&attr);
+ pthread_attr_setstacksize(&attr, 128 << 10);
+ int i = 0;
+ for (; i < 100; i++) {
+ if (pthread_create(&th, &attr, fn, arg) == 0) {
+ pthread_attr_destroy(&attr);
+ return;
+ }
+ if (errno == EAGAIN) {
+ usleep(50);
+ continue;
+ }
+ break;
+ }
+ exit(1);
+}
+
+typedef struct {
+ pthread_mutex_t mu;
+ pthread_cond_t cv;
+ int state;
+} event_t;
+
+static void event_init(event_t* ev)
+{
+ if (pthread_mutex_init(&ev->mu, 0))
+ exit(1);
+ if (pthread_cond_init(&ev->cv, 0))
+ exit(1);
+ ev->state = 0;
+}
+
+static void event_reset(event_t* ev)
+{
+ ev->state = 0;
+}
+
+static void event_set(event_t* ev)
+{
+ pthread_mutex_lock(&ev->mu);
+ if (ev->state)
+ exit(1);
+ ev->state = 1;
+ pthread_mutex_unlock(&ev->mu);
+ pthread_cond_broadcast(&ev->cv);
+}
+
+static void event_wait(event_t* ev)
+{
+ pthread_mutex_lock(&ev->mu);
+ while (!ev->state)
+ pthread_cond_wait(&ev->cv, &ev->mu);
+ pthread_mutex_unlock(&ev->mu);
+}
+
+static int event_isset(event_t* ev)
+{
+ pthread_mutex_lock(&ev->mu);
+ int res = ev->state;
+ pthread_mutex_unlock(&ev->mu);
+ return res;
+}
+
+static int event_timedwait(event_t* ev, uint64_t timeout)
+{
+ uint64_t start = current_time_ms();
+ uint64_t now = start;
+ pthread_mutex_lock(&ev->mu);
+ for (;;) {
+ if (ev->state)
+ break;
+ uint64_t remain = timeout - (now - start);
+ struct timespec ts;
+ ts.tv_sec = remain / 1000;
+ ts.tv_nsec = (remain % 1000) * 1000 * 1000;
+ pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
+ now = current_time_ms();
+ if (now - start > timeout)
+ break;
+ }
+ int res = ev->state;
+ pthread_mutex_unlock(&ev->mu);
+ return res;
+}
+
+struct thread_t {
+ int created, call;
+ event_t ready, done;
+};
+
+static struct thread_t threads[16];
+static void execute_call(int call);
+static int running;
+
+static void* thr(void* arg)
+{
+ struct thread_t* th = (struct thread_t*)arg;
+ for (;;) {
+ event_wait(&th->ready);
+ event_reset(&th->ready);
+ execute_call(th->call);
+ __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
+ event_set(&th->done);
+ }
+ return 0;
+}
+
+static void execute_one(void)
+{
+ if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+ }
+ int i, call, thread;
+ for (call = 0; call < 5; call++) {
+ for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
+ thread++) {
+ struct thread_t* th = &threads[thread];
+ if (!th->created) {
+ th->created = 1;
+ event_init(&th->ready);
+ event_init(&th->done);
+ event_set(&th->done);
+ thread_start(thr, th);
+ }
+ if (!event_isset(&th->done))
+ continue;
+ event_reset(&th->done);
+ th->call = call;
+ __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
+ event_set(&th->ready);
+ if (call == 2)
+ break;
+ event_timedwait(&th->done, 50);
+ break;
+ }
+ }
+ for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
+ sleep_ms(1);
+}
+
+static void execute_one(void);
+
+#define WAIT_FLAGS 0
+
+static void loop(void)
+{
+ int iter = 0;
+ for (;; iter++) {
+ int pid = fork();
+ if (pid < 0)
+ exit(1);
+ if (pid == 0) {
+ execute_one();
+ exit(0);
+ }
+ int status = 0;
+ uint64_t start = current_time_ms();
+ for (;;) {
+ sleep_ms(10);
+ if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
+ break;
+ if (current_time_ms() - start < 5000)
+ continue;
+ kill_and_wait(pid, &status);
+ break;
+ }
+ }
+}
+
+uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
+
+void execute_call(int call)
+{
+ intptr_t res = 0;
+ switch (call) {
+ case 0:
+ res = syscall(SYS_socketpair, /*domain=*/1ul, /*type=SOCK_STREAM*/ 1ul,
+ /*proto=*/0, /*fds=*/0x200000000040ul);
+ if (res != -1) {
+ r[0] = *(uint32_t*)0x200000000040;
+ r[1] = *(uint32_t*)0x200000000044;
+ }
+ break;
+ case 1:
+ memcpy((void*)0x200000000100, "\x09\x00\x10\x00", 4);
+ syscall(SYS_setsockopt, /*fd=*/r[1], /*level=*/0, /*optname=*/3,
+ /*optval=*/0x200000000100ul, /*optlen=*/4ul);
+ break;
+ case 2:
+ *(uint64_t*)0x2000000018c0 = 0;
+ *(uint32_t*)0x2000000018c8 = 0;
+ *(uint64_t*)0x2000000018d0 = 0;
+ *(uint64_t*)0x2000000018d8 = 0;
+ *(uint64_t*)0x2000000018e0 = 0x200000001880;
+ memcpy((void*)0x200000001880, "\x10\x00\x00\x00\xff\xff\x00\x00\x06", 9);
+ *(uint64_t*)0x2000000018e8 = 0x10;
+ *(uint32_t*)0x2000000018f0 = 0;
+ syscall(SYS_sendmsg, /*fd=*/r[0], /*msg=*/0x2000000018c0ul, /*f=*/0ul);
+ for (int i = 0; i < 64; i++) {
+ syscall(SYS_sendmsg, /*fd=*/r[0], /*msg=*/0x2000000018c0ul, /*f=*/0ul);
+ }
+ break;
+ case 3:
+ syscall(SYS_writev, /*fd=*/r[0], /*vec=*/0ul, /*vlen=*/0ul);
+ for (int i = 0; i < 64; i++) {
+ syscall(SYS_writev, /*fd=*/r[0], /*vec=*/0ul, /*vlen=*/0ul);
+ }
+ break;
+ case 4:
+ syscall(SYS_setsockopt, /*fd=*/(intptr_t)-1, /*level=*/0, /*optname=*/0xa,
+ /*optval=*/0ul, /*optlen=*/0ul);
+ break;
+ }
+}
+int main(void)
+{
+ syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+ /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+ /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
+ /*fd=*/(intptr_t)-1, /*offset=*/0ul);
+ const char* reason;
+ (void)reason;
+ for (procid = 0; procid < 4; procid++) {
+ if (fork() == 0) {
+ loop();
+ }
+ }
+ sleep(1000000);
+ return 0;
+}
+EOF
+mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c -lpthread || exit 1
+
+work=/tmp/$prog.dir
+rm -rf $work
+mkdir $work
+cd /tmp/$prog.dir
+timeout 3m /tmp/$prog > /dev/null 2>&1
+
+rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core /tmp/$prog.?????? $work
+exit 0
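Review bot: The wrapper runs as root (the `id -u` check) and writes, compiles and executes fixed, predictable names under /tmp: `cat > /tmp/$prog.c`, `mycc -o /tmp/$prog`, and `rm -rf $work`. On a host where /tmp is shared with unprivileged users, a file or symlink already present at one of those names would be followed or overwritten by root. Creating a private directory first, `dir=$(mktemp -d /tmp/$prog.XXXXXX) || exit 1`, and placing the source, binary and work directory under `$dir` removes that dependency and reduces cleanup to `rm -rf $dir`. `mkdir $work` and `cd /tmp/$prog.dir` are also unchecked, so a failure there would run the reproducer in the caller's directory. The same pattern appears in syzkaller81.sh, syzkaller82.sh and syzkaller83.sh in this commit.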
diff --git a/tools/test/stress2/misc/syzkaller81.sh b/tools/test/stress2/misc/syzkaller81.sh
new file mode 100755
index 000000000000..e3e4ec50aeea
--- /dev/null
+++ b/tools/test/stress2/misc/syzkaller81.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+# panic: kern_clock_gettime: 22
+# cpuid = 1
+# time = 1750181240
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01a6084ba0
+# vpanic() at vpanic+0x136/frame 0xfffffe01a6084cd0
+# panic() at panic+0x43/frame 0xfffffe01a6084d30
+# kern_clock_nanosleep() at kern_clock_nanosleep+0x38f/frame 0xfffffe01a6084db0
+# sys_clock_nanosleep() at sys_clock_nanosleep+0x49/frame 0xfffffe01a6084e00
+# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe01a6084f30
+# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01a6084f30
+# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x8233d281a, rsp = 0x820bfb2b8, rbp = 0x820bfb2e0 ---
+# KDB: enter: panic
+# [ thread pid 26119 tid 104417 ]
+# Stopped at kdb_enter+0x33: movq $0,0x122a7b2(%rip)
+# db> x/s version
+# version: FreeBSD 15.0-CURRENT #1 ufs-n278031-3296ff02387b: Tue Jun 17 16:40:44 CEST 2025
+# pho@mercat1.netperf.freebsd.org:/var/tmp/deviant3/sys/amd64/compile/PHO
+# db>
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// https://syzkaller.appspot.com/bug?id=5eb7636bc26fcbd20412de35ec10944233b8577d
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+// syzbot+e17e46b1f0b65027b005@syzkaller.appspotmail.com
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+int main(void)
+{
+ syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+ /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+ /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
+ /*fd=*/(intptr_t)-1, /*offset=*/0ul);
+ const char* reason;
+ (void)reason;
+ if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+ }
+ *(uint64_t*)0x200000000040 = 0x10000000000;
+ *(uint64_t*)0x200000000048 = 0x4000000;
+ syscall(SYS_clock_nanosleep, /*id=*/0x10ul, /*flags=TIMER_ABSTIME*/ 1ul,
+ /*rqtp=*/0x200000000040ul, /*rmtp=*/0ul);
+ return 0;
+}
+EOF
+mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
+
+work=/tmp/$prog.dir
+rm -rf $work
+mkdir $work
+cd /tmp/$prog.dir
+timeout 3m /tmp/$prog > /dev/null 2>&1
+
+rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core /tmp/$prog.?????? $work
+exit 0
diff --git a/tools/test/stress2/misc/syzkaller82.sh b/tools/test/stress2/misc/syzkaller82.sh
new file mode 100755
index 000000000000..c810942eb060
--- /dev/null
+++ b/tools/test/stress2/misc/syzkaller82.sh
@@ -0,0 +1,122 @@
+#!/bin/sh
+
+# panic: m_apply, length > size of mbuf chain (8 extra)
+# cpuid = 1
+# time = 1753341719
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01f00c5080
+# vpanic() at vpanic+0x136/frame 0xfffffe01f00c51b0
+# panic() at panic+0x43/frame 0xfffffe01f00c5210
+# m_apply() at m_apply+0x2d3/frame 0xfffffe01f00c5260
+# sctp_delayed_cksum() at sctp_delayed_cksum+0x4c/frame 0xfffffe01f00c5290
+# ip6_output_delayed_csum() at ip6_output_delayed_csum+0xaa/frame 0xfffffe01f00c52d0
+# ip6_output() at ip6_output+0x19e6/frame 0xfffffe01f00c5490
+# sctp_lowlevel_chunk_output() at sctp_lowlevel_chunk_output+0x104f/frame 0xfffffe01f00c55d0
+# sctp_med_chunk_output() at sctp_med_chunk_output+0x2ad2/frame 0xfffffe01f00c5fb0
+# sctp_chunk_output() at sctp_chunk_output+0x121c/frame 0xfffffe01f00c6960
+# sctp_lower_sosend() at sctp_lower_sosend+0x146c/frame 0xfffffe01f00c6b50
+# sctp_sosend() at sctp_sosend+0x333/frame 0xfffffe01f00c6c70
+# sousrsend() at sousrsend+0x79/frame 0xffkern_sendit() at kern_sendit+0x1be/frame 0xfffffe01f00c6d60
+# sendit() at sendit+0x1ab/frame 0xfffffe01f00c6db0
+# sys_sendto() at sys_sendto+0x4d/frame 0xfffffe01f00c6e00
+# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe01f00c6f30
+# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01f00c6f30
+# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x823035b0a, rsp = 0x8208fa048, rbp = 0x8208fa060 ---
+# KDB: enter: panic
+# [ thread pid 41871 tid 736799 ]
+# Stopped at kdb_enter+0x33: movq $0,0x1231b52(%rip)
+# db> x/s version
+# version: FreeBSD 15.0-CURRENT #0 main-n279001-7502c1f27082-dirty: Wed Jul 23 20:31:48 CEST 2025
+# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
+# db>
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// https://syzkaller.appspot.com/bug?id=09297b76b7db4aa29c86ac971062bc078b06c0ff
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+// syzbot+73fe316271df473230eb@syzkaller.appspotmail.com
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+int main(void)
+{
+ syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+ /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+ /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
+ /*fd=*/(intptr_t)-1, /*offset=*/0ul);
+ const char* reason;
+ (void)reason;
+ intptr_t res = 0;
+ if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+ }
+ res = syscall(SYS_socket, /*domain=*/0x1cul, /*type=SOCK_STREAM*/ 1ul,
+ /*proto=*/0x84);
+ if (res != -1)
+ r[0] = res;
+ *(uint8_t*)0x2000000001c0 = 0x10;
+ *(uint8_t*)0x2000000001c1 = 2;
+ *(uint16_t*)0x2000000001c2 = htobe16(0x4e23);
+ *(uint32_t*)0x2000000001c4 = htobe32(0);
+ memset((void*)0x2000000001c8, 0, 8);
+ memset((void*)0x2000000001d0, 0, 112);
+ *(uint32_t*)0x200000000240 = 0;
+ *(uint32_t*)0x200000000244 = 0x5234;
+ *(uint32_t*)0x200000000248 = 0xffff;
+ *(uint32_t*)0x20000000024c = 0x314;
+ *(uint32_t*)0x200000000250 = 0x3bb;
+ *(uint16_t*)0x200000000254 = 2;
+ *(uint8_t*)0x200000000256 = 9;
+ syscall(SYS_setsockopt, /*fd=*/r[0], /*level=*/0x84, /*opt=*/0xa,
+ /*val=*/0x2000000001c0ul, /*len=*/0x98ul);
+ *(uint8_t*)0x200000000000 = 0x1c;
+ *(uint8_t*)0x200000000001 = 0x1c;
+ *(uint16_t*)0x200000000002 = htobe16(0x4e22);
+ *(uint32_t*)0x200000000004 = 0;
+ memset((void*)0x200000000008, 0, 16);
+ *(uint32_t*)0x200000000018 = 0;
+ syscall(SYS_bind, /*fd=*/r[0], /*addr=*/0x200000000000ul, /*addrlen=*/0x1cul);
+ *(uint8_t*)0x200000000180 = 0x5f;
+ *(uint8_t*)0x200000000181 = 0x1c;
+ *(uint16_t*)0x200000000182 = htobe16(0x4e22);
+ *(uint32_t*)0x200000000184 = 0;
+ *(uint64_t*)0x200000000188 = htobe64(0);
+ *(uint64_t*)0x200000000190 = htobe64(1);
+ *(uint32_t*)0x200000000198 = 0;
+ syscall(SYS_connect, /*fd=*/r[0], /*addr=*/0x200000000180ul,
+ /*addrlen=*/0x1cul);
+ memset((void*)0x2000000020c0, 209, 1);
+ syscall(SYS_sendto, /*fd=*/r[0], /*buf=*/0x2000000020c0ul, /*len=*/0xffeful,
+ /*f=MSG_NOSIGNAL|MSG_EOF|MSG_DONTWAIT|MSG_DONTROUTE*/ 0x20184ul,
+ /*addr=*/0ul, /*addrlen=*/0ul);
+ return 0;
+}
+EOF
+mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
+
+work=/tmp/$prog.dir
+rm -rf $work
+mkdir $work
+cd /tmp/$prog.dir
+kldstat | grep -q sctp || { kldload sctp.ko && loaded=1; }
+timeout 3m /tmp/$prog > /dev/null 2>&1
+
+rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core /tmp/$prog.?????? $work
+[ $loaded ] && kldunload sctp.ko
+exit 0
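Review bot: `loaded` is assigned only when `kldload sctp.ko` runs and succeeds, but the script is under `set -u`, so when sctp is already loaded the final `[ $loaded ] && kldunload sctp.ko` expands an unset variable and the shell aborts with an error before reaching `exit 0`. Initialising `loaded=0` before the `kldstat` line and testing `[ $loaded -eq 1 ] && kldunload sctp.ko` fixes that. If `kldload` fails, the reproducer still runs and the script exits 0 without having exercised SCTP; an explicit message or early exit there would make the skipped test visible. In the header backtrace the `sousrsend()` and `kern_sendit()` frames are fused onto one comment line.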
diff --git a/tools/test/stress2/misc/syzkaller83.sh b/tools/test/stress2/misc/syzkaller83.sh
new file mode 100755
index 000000000000..418bfd75982d
--- /dev/null
+++ b/tools/test/stress2/misc/syzkaller83.sh
@@ -0,0 +1,168 @@
+#!/bin/sh
+
+# panic: handle_workitem_remove: bad file delta
+# cpuid = 2
+# time = 1753799597
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00ffc84b70
+# vpanic() at vpanic+0x136/frame 0xfffffe00ffc84ca0
+# panic() at panic+0x43/frame 0xfffffe00ffc84d00
+# handle_workitem_remove() at handle_workitem_remove+0x68d/frame 0xfffffe00ffc84d70
+# handle_workitem_remove() at handle_workitem_remove+0x52d/frame 0xfffffe00ffc84de0
+# process_worklist_item() at process_worklist_item+0x21e/frame 0xfffffe00ffc84e70
+# softdep_process_worklist() at softdep_process_worklist+0xbd/frame 0xfffffe00ffc84eb0
+# softdep_flush() at softdep_flush+0x10f/frame 0xfffffe00ffc84ef0
+# fork_exit() at fork_exit+0x82/frame 0xfffffe00ffc84f30
+# fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00ffc84f30
+# --- trap 0, rip = 0, rsp = 0, rbp = 0 ---
+# KDB: enter: panic
+# [ thread pid 16 tid 100253 ]
+# Stopped at kdb_enter+0x33: movq $0,0x1230852(%rip)
+# db> x/s version
+# version: FreeBSD 15.0-CURRENT #0 main-n279158-f1f77adfd9bc-dirty: Tue Jul 29 15:49:28 CEST 2025
+# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// https://syzkaller.appspot.com/bug?id=0a60b828818a364deb4721d58b2ed5167b1f6296
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <sys/types.h>
+
+#include <pwd.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+static void kill_and_wait(int pid, int* status)
+{
+ kill(pid, SIGKILL);
+ while (waitpid(-1, status, 0) != pid) {
+ }
+}
+
+static void sleep_ms(uint64_t ms)
+{
+ usleep(ms * 1000);
+}
+
+static uint64_t current_time_ms(void)
+{
+ struct timespec ts;
+ if (clock_gettime(CLOCK_MONOTONIC, &ts))
+ exit(1);
+ return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static void execute_one(void);
+
+#define WAIT_FLAGS 0
+
+static void loop(void)
+{
+// int iter = 0;
+ for (;; /*iter++*/) {
+ int pid = fork();
+ if (pid < 0)
+ exit(1);
+ if (pid == 0) {
+ execute_one();
+ exit(0);
+ }
+ int status = 0;
+ uint64_t start = current_time_ms();
+ for (;;) {
+ sleep_ms(10);
+ if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
+ break;
+ if (current_time_ms() - start < 5000)
+ continue;
+ kill_and_wait(pid, &status);
+ break;
+ }
+ }
+}
+
+uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
+
+void execute_one(void)
+{
+ intptr_t res = 0;
+ if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+ }
+ memcpy((void*)0x200000000180, "./file0\000", 8);
+ syscall(SYS_mkdir, /*path=*/0x200000000180ul, /*mode=*/0ul);
+ memcpy((void*)0x200000000000, "./file0/file0\000", 14);
+ syscall(SYS_mkdir, /*path=*/0x200000000000ul, /*mode=*/0ul);
+ memcpy((void*)0x200000000080, ".\000", 2);
+ res = syscall(SYS_open, /*file=*/0x200000000080ul,
+ /*flags=O_DIRECT*/ 0x10000ul, /*mode=*/0ul);
+ if (res != -1)
+ r[0] = res;
+ memcpy((void*)0x200000000080, ".\000", 2);
+ res =
+ syscall(SYS_open, /*file=*/0x200000000080ul, /*flags=*/0ul, /*mode=*/0ul);
+ if (res != -1)
+ r[1] = res;
+ memcpy((void*)0x200000000080, ".\000", 2);
+ res = syscall(SYS_open, /*file=*/0x200000000080ul, /*flags=O_NONBLOCK*/ 4ul,
+ /*mode=*/0ul);
+ if (res != -1)
+ r[2] = res;
+ memcpy((void*)0x200000000100, "./file1\000", 8);
+ syscall(SYS_mkdirat, /*fd=*/r[2], /*path=*/0x200000000100ul,
+ /*mode=S_IROTH|S_IWUSR*/ 0x84ul);
+ memcpy((void*)0x200000000340, "./file0/file0\000", 14);
+ memcpy((void*)0x200000000380, "./file1\000", 8);
+ syscall(SYS_renameat, /*oldfd=*/r[0], /*old=*/0x200000000340ul,
+ /*newfd=*/r[1], /*new=*/0x200000000380ul);
+}
+int main(void)
+{
+ syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+ /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+ /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
+ /*fd=*/(intptr_t)-1, /*offset=*/0ul);
+ const char* reason;
+ (void)reason;
+ loop();
+ return 0;
+}
+EOF
+mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
+
+(cd ../testcases/swap; ./swap -t 3m -i 30 -l 100 > /dev/null 2>&1) &
+sleep 5
+
+work=/tmp/$prog.dir
+rm -rf $work
+mkdir $work
+cd /tmp/$prog.dir
+for i in `jot 30`; do
+ (
+ mkdir d$i
+ cd d$i
+ timeout 3m /tmp/$prog > /dev/null 2>&1 &
+ )
+done
+while pgrep -q $prog; do sleep 2; done
+while pkill swap; do :; done
+wait
+
+rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core /tmp/$prog.?????? $work
+exit 0
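Review bot: `while pkill swap; do :; done` matches an unanchored pattern, so as root it signals every process whose name contains `swap`, not only the `./swap` load started by this script; `while pkill -x swap; do :; done` narrows it to the exact name. `pgrep -q $prog` has the same substring behaviour, which matters if two copies of the test run at once. Separately, the panic recorded in the header is in soft-updates code (`handle_workitem_remove`), yet the reproducer runs in `/tmp/$prog.dir`, so it only exercises that path if /tmp happens to be UFS with soft updates. Running it on a scratch UFS file system created and mounted by the script would make the test independent of the host layout, assuming that is the intent.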