syzbot


panic: pool_cache_item_magic_chpeackn:i cm: bkuferpnl eclp udi fargeen oslitsict amsosdeirftieido:n "i!t_emke randderl

Status: closed as dup on 2020/04/18 08:54
Reported-by: syzbot+ec5e7a3a0b08cd4a9785@syzkaller.appspotmail.com
First crash: 1678d, last: 1678d
Duplicate of
Title Repro Cause bisect Fix bisect Count Last Reported
pool: cpu free list modified: mbufpl syz 15863 1570d 1856d

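Sample crash report (the first panic line below appears to interleave two panic messages written to the console at once; the `show panic` output further down prints the pool_cache_item_magic_check message cleanly):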
login: panic: pool_cache_item_magic_chpeackn:i cm: bkuferpnl eclp udi fargeen oslitsict  amsosdeirftieido:n  "i!t_emke randderl _l0oxcffkf_hffeldd80(6f2d9300+16 0x0!=0xa8d9133851f0c252
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
 427932     71      0           0  0x4000000    0  syz-executor.1
*188314     71      0           0  0x4000000    1  syz-executor.1
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff821f69d1) at panic+0x15c sys/kern/subr_prf.c:207
pool_cache_get(ffffffff8266d8c8) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1781 [inline]
pool_cache_get(ffffffff8266d8c8) at pool_cache_get+0x323 sys/kern/subr_pool.c:1884
pool_get(ffffffff8266d8c8,2) at pool_get+0x91 sys/kern/subr_pool.c:572
m_copym(fffffd806f17e300,4ed4,5a0,2) at m_copym+0x174 m_get sys/kern/uipc_mbuf.c:250 [inline]
m_copym(fffffd806f17e300,4ed4,5a0,2) at m_copym+0x174 sys/kern/uipc_mbuf.c:667
ip_fragment(fffffd806f17e300,ffff80000017b2a8,5b4) at ip_fragment+0x324
ip_output(fffffd806f17e300,0,fffffd806f6e1700,20,0,fffffd806f6e1690) at ip_output+0xfd7 sys/netinet/ip_output.c:499
rip_output(fffffd806f17e300,fffffd806ca20970,ffff800022bd72c8,ffff800021392000) at rip_output+0x252 sys/netinet/raw_ip.c:289
rip_usrreq(fffffd806ca20970,9,fffffd806f17e300,0,0,ffff800020ed8768) at rip_usrreq+0x46a sys/netinet/raw_ip.c:538
sosend(fffffd806ca20970,0,ffff800022bd7440,0,0,80) at sosend+0x671 sys/kern/uipc_socket.c:549
sendit(ffff800020ed8768,a,ffff800022bd7520,0,ffff800022bd7600) at sendit+0x52b sys/kern/uipc_syscalls.c:657
sys_sendto(ffff800020ed8768,ffff800022bd75b8,ffff800022bd7600) at sys_sendto+0x80 sys/kern/uipc_syscalls.c:522
syscall(ffff800022bd7680) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800022bd7680) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x373c0f4dc00, count: 1
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{1}> 
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd806f2d9300+16 0x0!=0xa8d9133851f0c252
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff821f69d1) at panic+0x15c sys/kern/subr_prf.c:207
pool_cache_get(ffffffff8266d8c8) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1781 [inline]
pool_cache_get(ffffffff8266d8c8) at pool_cache_get+0x323 sys/kern/subr_pool.c:1884
pool_get(ffffffff8266d8c8,2) at pool_get+0x91 sys/kern/subr_pool.c:572
m_copym(fffffd806f17e300,4ed4,5a0,2) at m_copym+0x174 m_get sys/kern/uipc_mbuf.c:250 [inline]
m_copym(fffffd806f17e300,4ed4,5a0,2) at m_copym+0x174 sys/kern/uipc_mbuf.c:667
ip_fragment(fffffd806f17e300,ffff80000017b2a8,5b4) at ip_fragment+0x324
ip_output(fffffd806f17e300,0,fffffd806f6e1700,20,0,fffffd806f6e1690) at ip_output+0xfd7 sys/netinet/ip_output.c:499
rip_output(fffffd806f17e300,fffffd806ca20970,ffff800022bd72c8,ffff800021392000) at rip_output+0x252 sys/netinet/raw_ip.c:289
rip_usrreq(fffffd806ca20970,9,fffffd806f17e300,0,0,ffff800020ed8768) at rip_usrreq+0x46a sys/netinet/raw_ip.c:538
sosend(fffffd806ca20970,0,ffff800022bd7440,0,0,80) at sosend+0x671 sys/kern/uipc_socket.c:549
sendit(ffff800020ed8768,a,ffff800022bd7520,0,ffff800022bd7600) at sendit+0x52b sys/kern/uipc_syscalls.c:657
sys_sendto(ffff800020ed8768,ffff800022bd75b8,ffff800022bd7600) at sys_sendto+0x80 sys/kern/uipc_syscalls.c:522
syscall(ffff800022bd7680) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800022bd7680) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x373c0f4dc00, count: -14
ddb{1}> show registers
rdi               0xffffffff8166ea07    db_enter+0x17
rsi                           0x7e75    __ALIGN_SIZE+0x6e75
rbp               0xffff800022bd6e00
rbx               0xffff800022bd6eb0
rdx                           0x7e76    __ALIGN_SIZE+0x6e76
rcx               0xffff800021392000
rax               0xffff800021392000
r8                0xffffffff81ce227f    kprintf+0x16f
r9                               0x1
r10                             0x25
r11               0x4247b99ada39951a
r12                     0x3000000008
r13               0xffff800022bd6e10
r14                            0x100
r15                              0x1
rip               0xffffffff8166ea08    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff800022bd6df0
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor.1) pid=188314 stat=onproc
    flags process=0 proc=4000000<THREAD>
    pri=32, usrpri=86, nice=20
    forw=0xffffffffffffffff, list=0xffff800020ed9128,0xffffffff82675f18
    process=0xffff800020ecf358 user=0xffff800022bd2000, vmspace=0xfffffd807efff8a0
    estcpu=36, cpticks=1, pctcpu=0.0
    user=0, sys=1, intr=0
ddb{1}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 51204  321050  66481      0  2           0                syz-executor.0
 51204  518198  66481      0  3   0x4000080  pipewr        syz-executor.0
 51204  418010  66481      0  2   0x4000000                syz-executor.0
    71  148013  54719      0  2           0                syz-executor.1
    71  432158  54719      0  3   0x4000080  netio         syz-executor.1
    71  427932  54719      0  7   0x4000000                syz-executor.1
*   71  188314  54719      0  7   0x4000000                syz-executor.1
 82674  135714      0      0  3     0x14200  bored         sosplice
 66481  409081  42569      0  2       0x482                syz-executor.0
 54719  126615  42569      0  2       0x482                syz-executor.1
 42569   49897  78250      0  3        0x82  kqread        syz-fuzzer
 42569  203632  78250      0  3   0x4000082  thrsleep      syz-fuzzer
 42569  459817  78250      0  3   0x4000082  thrsleep      syz-fuzzer
 42569   73175  78250      0  3   0x4000082  thrsleep      syz-fuzzer
 42569   71049  78250      0  3   0x4000082  thrsleep      syz-fuzzer
 42569  518392  78250      0  3   0x4000082  thrsleep      syz-fuzzer
 42569  301455  78250      0  3   0x4000082  thrsleep      syz-fuzzer
 42569   59574  78250      0  3   0x4000082  thrsleep      syz-fuzzer
 42569   28157  78250      0  3   0x4000082  thrsleep      syz-fuzzer
 42569  268460  78250      0  3   0x4000082  thrsleep      syz-fuzzer
 78250  106245  81289      0  3    0x10008a  pause         ksh
 81289  253545  92724      0  3        0x92  select        sshd
 15046  408170      1      0  3    0x100083  ttyin         getty
 92724  495657      1      0  3        0x80  select        sshd
  2058  151790  89154     74  3    0x100092  bpf           pflogd
 89154  517691      1      0  3        0x80  netio         pflogd
 46205  521625  15670     73  3    0x100090  kqread        syslogd
 15670  180650      1      0  3    0x100082  netio         syslogd
 76418   99203      1     77  3    0x100090  poll          dhclient
 84515  273223      1      0  3        0x80  poll          dhclient
  3415  363431      0      0  3     0x14200  bored         smr
 79458  144214      0      0  2     0x14200                zerothread
 23853  229085      0      0  3     0x14200  aiodoned      aiodoned
 19950  429596      0      0  3     0x14200  syncer        update
 20243  293202      0      0  3     0x14200  cleaner       cleaner
 23372  249048      0      0  3     0x14200  reaper        reaper
 87930   70203      0      0  3     0x14200  pgdaemon      pagedaemon
 49216  446889      0      0  3     0x14200  bored         crynlk
 21338  327616      0      0  3     0x14200  bored         crypto
 51640  360292      0      0  3  0x40014200  acpi0         acpi0
 47917  103541      0      0  3  0x40014200                idle1
 71634  353360      0      0  3     0x14200  bored         softnet
 46812  359986      0      0  3     0x14200  bored         systqmp
 75708  132911      0      0  3     0x14200  bored         systq
 35662  471158      0      0  3  0x40014200  bored         softclock
 33372  485371      0      0  3  0x40014200                idle0
     1  445055      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{1}> show all locks
Process 71 (syz-executor.1) thread 0xffff800020ed8768 (188314)
exclusive rwlock netlock r = 0 (0xffffffff82494738)
#0  witness_lock+0x4c5 sys/kern/subr_witness.c:1164
#1  solock+0x5a sys/kern/uipc_socket2.c:282
#2  sosend+0x559 sys/kern/uipc_socket.c:537
#3  sendit+0x52b sys/kern/uipc_syscalls.c:657
#4  sys_sendto+0x80 sys/kern/uipc_syscalls.c:522
#5  syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#5  syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
#6  Xsyscall+0x128
ddb{1}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf  9494   6407K    7180K  78643K     10985        0
            pcb    13      8K       8K  78643K        41        0
         rtable   108      4K       4K  78643K       238        0
         ifaddr    62     13K      13K  78643K        91        0
       counters    43     33K      34K  78643K        51        0
       ioctlops     0      0K       4K  78643K      1469        0
            iov     0      0K      12K  78643K        10        0
          mount     1      1K       1K  78643K         1        0
         vnodes  1228     77K      77K  78643K      1319        0
      UFS quota     1     32K      32K  78643K         1        0
      UFS mount     5     36K      36K  78643K         5        0
            shm     2      1K       5K  78643K         4        0
         VM map     2      1K       1K  78643K         2        0
            sem     4      0K       0K  78643K         8        0
        dirhash    12      2K       2K  78643K        12        0
           ACPI  1809    196K     290K  78643K     12766        0
      file desc     6     17K      25K  78643K       128        0
           proc    60     63K      95K  78643K       455        0
        subproc    32      2K       2K  78643K        34        0
    NFS srvsock     1      0K       0K  78643K         1        0
     NFS daemon     1     16K      16K  78643K         1        0
    ip_moptions     0      0K       0K  78643K        59        0
       in_multi    50      2K       2K  78643K        63        0
    ether_multi     1      0K       0K  78643K         3        0
            mrt     0      0K       0K  78643K         2        0
    ISOFS mount     1     32K      32K  78643K         1        0
  MSDOSFS mount     1     16K      16K  78643K         1        0
           ttys    31    148K     148K  78643K        31        0
           exec     0      0K       1K  78643K       215        0
     pfkey data     0      0K       0K  78643K         1        0
        pagedep     1      8K       8K  78643K         1        0
       inodedep     1     32K      32K  78643K         1        0
         newblk     1      0K       0K  78643K         1        0
        VM swap     7     26K      26K  78643K         7        0
       UVM amap   101     21K      37K  78643K      1359        0
       UVM aobj     8      2K       2K  78643K         8        0
        memdesc     1      4K       4K  78643K         1        0
    crypto data     1      1K       1K  78643K         1        0
    ip6_options     0      0K       0K  78643K        16        0
            NDP     9      0K       0K  78643K        17        0
           temp    83   3040K    3104K  78643K      2393        0
         kqueue     3      4K       8K  78643K        11        0
      SYN cache     2     16K      16K  78643K         2        0
ddb{1}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp         64        6    0        0     1     0     1     1     0     8    0
plcache    128       20    0        0     1     0     1     1     0     8    0
rtpcb       80       23    0       21     1     0     1     1     0     8    0
rtentry    112       46    0        2     2     0     2     2     0     8    0
unpcb      120       98    0       83     1     0     1     1     0     8    0
syncache   264        6    0        6     2     1     1     1     0     8    1
tcpcb      544       66    0       62     1     0     1     1     0     8    0
inpcb      280      189    0      181     1     0     1     1     0     8    0
rttmr       72        1    0        1     1     1     0     1     0     8    0
nd6         48        6    0        0     1     0     1     1     0     8    0
pkpcb       40        2    0        2     1     0     1     1     0     8    1
ppxss      1128       1    0        1     1     0     1     1     0     8    1
pfosfp      40      846    0      423     5     0     5     5     0     8    0
pfosfpen   112     1428    0      714    21     0    21    21     0     8    0
pfstitem    24       25    0        0     1     0     1     1     0     8    0
pfstkey    112       25    0        0     1     0     1     1     0     8    0
pfstate    328       25    0        0     3     0     3     3     0     8    0
pfrule     1360      21    0       16     2     1     1     2     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      188    0        0    12     0    12    12     0     8    0
art_table   32      189    0        0     2     0     2     2     0     8    0
art_node    16       45    0        5     1     0     1     1     0     8    0
sysvmsgpl   40        2    0        0     1     0     1     1     0     8    0
semupl     112        1    0        1     1     0     1     1     0     8    1
semapl     112        2    0        0     1     0     1     1     0     8    0
shmpl      112        6    0        0     1     0     1     1     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino2pl    256     1564    0      158    89     0    89    89     0     8    0
ffsino     272     1564    0      158    95     0    95    95     0     8    0
nchpl      144     1949    0      331    61     0    61    61     0     8    1
uvmvnodes   72     1695    0        0    31     0    31    31     0     8    0
vnodes     208     1695    0        0    90     0    90    90     0     8    0
namei      1024    5089    0     5089     1     0     1     1     0     8    1
percpumem   16       36    0        4     1     0     1     1     0     8    0
scxspl     192     5819    0     5819     8     5     3     7     0     8    3
plimitpl   152       27    0       19     1     0     1     1     0     8    0
sigapl     424      344    0      311     4     0     4     4     0     8    0
futexpl     56     1738    0     1738     1     0     1     1     0     8    1
knotepl    112       61    0       42     1     0     1     1     0     8    0
kqueuepl   144       14    0       12     1     0     1     1     0     8    0
pipelkpl    48      143    0      132     1     0     1     1     0     8    0
pipepl     120      286    0      265     2     0     2     2     0     8    1
fdescpl    496      328    0      311     3     0     3     3     0     8    0
filepl     152     1866    0     1757     7     0     7     7     0     8    2
lockfpl    104       25    0       24     1     0     1     1     0     8    0
lockfspl    48       12    0       11     1     0     1     1     0     8    0
sessionpl  112       18    0        7     1     0     1     1     0     8    0
pgrppl      48       20    0        9     1     0     1     1     0     8    0
ucredpl     96       85    0       76     1     0     1     1     0     8    0
zombiepl   144      311    0      311     1     0     1     1     0     8    1
processpl  984      344    0      311     5     0     5     5     0     8    0
procpl     624      601    0      554     5     0     5     5     0     8    1
sockpl     400      312    0      287     4     0     4     4     0     8    0
mcl64k     65536      2    0        0     1     0     1     1     0     8    0
mcl16k     16384      1    0        0     1     0     1     1     0     8    0
mcl12k     12288      2    0        0     1     0     1     1     0     8    0
mcl9k      9216       1    0        0     1     0     1     1     0     8    0
mcl8k      8192       1    0        0     1     0     1     1     0     8    0
mcl4k      4096       5    0        0     1     0     1     1     0     8    0
mcl2k      2048     176    0        0    21     0    21    21     0     8    0
mtagpl      80       10    0        0     1     0     1     1     0     8    0
mbufpl     256      184    0        0    11     0    11    11     0     8    0
bufpl      280     4274    0      190   292     0   292   292     0     8    0
anonpl      16    43584    0    29078    60     1    59    59     0   124    0
amapchunkpl 152    2048    0     1901    20     0    20    20     0   158   11
amappl16   192     1367    0      590    39     0    39    39     0     8    0
amappl15   184        1    0        0     1     0     1     1     0     8    0
amappl14   176       65    0       60     1     0     1     1     0     8    0
amappl13   168       25    0       24     1     0     1     1     0     8    0
amappl12   160       14    0       11     1     0     1     1     0     8    0
amappl11   152       60    0       42     1     0     1     1     0     8    0
amappl10   144       21    0       15     1     0     1     1     0     8    0
amappl9    136      391    0      388     1     0     1     1     0     8    0
amappl8    128      300    0      287     1     0     1     1     0     8    0
amappl7    120      127    0      115     1     0     1     1     0     8    0
amappl6    112       27    0       23     1     0     1     1     0     8    0
amappl5    104      182    0      166     1     0     1     1     0     8    0
amappl4     96      536    0      504     1     0     1     1     0     8    0
amappl3     88      158    0      150     1     0     1     1     0     8    0
amappl2     80     1703    0     1624     3     1     2     3     0     8    0
amappl1     72    17413    0    16954    25    15    10    20     0     8    0
amappl      80      858    0      810     2     0     2     2     0    84    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      64        7    0        0     1     0     1     1     0     8    0
uaddrrnd    24      328    0      311     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      328    0      311     1     0     1     1     0     8    0
vmmpekpl   168     6878    0     6846     2     0     2     2     0     8    0
vmmpepl    168    46919    0    44904   133     8   125   130     0   357   37
vmsppl     368      327    0      311     2     0     2     2     0     8    0
pdppl      4096     664    0      622     6     0     6     6     0     8    0
pvpl        32   153771    0   136034   145     0   145   145     0   265    1
pmappl     232      327    0      311     2     1     1     2     0     8    0
extentpl    40       46    0       29     1     0     1     1     0     8    0
phpool     112      259    0        3     8     0     8     8     0     8    0

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/04/18 08:15 openbsd 6a1018b17955 435c6d53 .config console log report ci-openbsd-multicore
* Struck through repros no longer work on HEAD.