syzbot


panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr ADDR+16 ADDR!=ADDR

Status: closed as dup on 2019/10/22 10:46
Reported-by: syzbot+a2ac004ee1d48c0b510e@syzkaller.appspotmail.com
First crash: 1675d, last: 1641d
Duplicate of
Title:     panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr ADDR+16 0x0!=ADDR (2)
Repro:     syz
Count:     40
Last:      1642d
Reported:  1675d

Sample crash report:
login: panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd806d499100+16 0x656fd022b81e6500!=0x656fd022b81e658c
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*425262  20121      0           0  0x4000000    1K syz-executor.1
 311862  40267      0         0x2  0x4000000    0  syz-fuzzer
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
pool_cache_get(ffffffff8263f268) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1789 [inline]
pool_cache_get(ffffffff8263f268) at pool_cache_get+0x323 sys/kern/subr_pool.c:1892
pool_get() at pool_get+0x91 sys/kern/subr_pool.c:572
m_gethdr(2,1) at m_gethdr+0x4c sys/kern/uipc_mbuf.c:283
rtm_msg1(2,ffff800021b7b030) at rtm_msg1+0x6e sys/net/rtsock.c:1511
rtm_send(fffffd806f49cc40,2,0,0) at rtm_send+0x120 rtm_miss sys/net/rtsock.c:1656 [inline]
rtm_send(fffffd806f49cc40,2,0,0) at rtm_send+0x120 sys/net/rtsock.c:1634
rtdeletemsg(fffffd806f49cc40,ffff800000a99000,0) at rtdeletemsg+0x199 sys/net/route.c:682
rt_ifa_purge(ffff800000a47000) at rt_ifa_purge+0x104 sys/net/route.c:1324
in6_unlink_ifa(ffff800000a47000,ffff800000a99000) at in6_unlink_ifa+0x580 sys/netinet6/in6.c:939
in6_purgeaddr(ffff800000a47000) at in6_purgeaddr+0x1d7 sys/netinet6/in6.c:920
ifnewlladdr(ffff800000a99000) at ifnewlladdr+0x108 sys/net/if.c:3039
ifioctl(fffffd806f6cb480,8020691f,ffff800021b7b4f0,ffff800020ab1160) at ifioctl+0x17b0 sys/net/if.c:2144
sys_ioctl(ffff800020ab1160,ffff800021b7b608,ffff800021b7b650) at sys_ioctl+0x5b9
end trace frame: 0xffff800021b7b6c0, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{1}> 
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd806d499100+16 0x656fd022b81e6500!=0x656fd022b81e658c
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
pool_cache_get(ffffffff8263f268) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1789 [inline]
pool_cache_get(ffffffff8263f268) at pool_cache_get+0x323 sys/kern/subr_pool.c:1892
pool_get() at pool_get+0x91 sys/kern/subr_pool.c:572
m_gethdr(2,1) at m_gethdr+0x4c sys/kern/uipc_mbuf.c:283
rtm_msg1(2,ffff800021b7b030) at rtm_msg1+0x6e sys/net/rtsock.c:1511
rtm_send(fffffd806f49cc40,2,0,0) at rtm_send+0x120 rtm_miss sys/net/rtsock.c:1656 [inline]
rtm_send(fffffd806f49cc40,2,0,0) at rtm_send+0x120 sys/net/rtsock.c:1634
rtdeletemsg(fffffd806f49cc40,ffff800000a99000,0) at rtdeletemsg+0x199 sys/net/route.c:682
rt_ifa_purge(ffff800000a47000) at rt_ifa_purge+0x104 sys/net/route.c:1324
in6_unlink_ifa(ffff800000a47000,ffff800000a99000) at in6_unlink_ifa+0x580 sys/netinet6/in6.c:939
in6_purgeaddr(ffff800000a47000) at in6_purgeaddr+0x1d7 sys/netinet6/in6.c:920
ifnewlladdr(ffff800000a99000) at ifnewlladdr+0x108 sys/net/if.c:3039
ifioctl(fffffd806f6cb480,8020691f,ffff800021b7b4f0,ffff800020ab1160) at ifioctl+0x17b0 sys/net/if.c:2144
sys_ioctl(ffff800020ab1160,ffff800021b7b608,ffff800021b7b650) at sys_ioctl+0x5b9
syscall(ffff800021b7b6d0) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline]
syscall(ffff800021b7b6d0) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555
Xsyscall(6,0,ffffffffffffff36,0,3,1ec309de010) at Xsyscall+0x128
end of kernel
end trace frame: 0x1ee599fc4f0, count: -16
ddb{1}> show registers
rdi               0xffffffff82030057    db_enter+0x17
rsi                          0x268f3    acpi_pdirpa+0x1275b
rbp               0xffff800021b7ad50
rbx               0xffff800021b7ae00
rdx                          0x268f4    acpi_pdirpa+0x1275c
rcx               0xffff800022b84000
rax               0xffff800022b84000
r8                0xffffffff81f4bdef    kprintf+0x16f
r9                               0x1
r10                             0x25
r11               0xe734126250baf2f2
r12                     0x3000000008
r13               0xffff800021b7ad60
r14                            0x100
r15                              0x1
rip               0xffffffff82030058    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff800021b7ad40
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor.1) pid=425262 stat=onproc
    flags process=0 proc=4000000<THREAD>
    pri=86, usrpri=86, nice=20
    forw=0xffffffffffffffff, list=0xffff800020ab0ee8,0xffffffff82677a30
    process=0xffff800020adca80 user=0xffff800021b76000, vmspace=0xfffffd807f00a8a0
    estcpu=36, cpticks=2, pctcpu=0.0
    user=0, sys=2, intr=0
ddb{1}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 20121  273800  44204      0  2           0                syz-executor.1
*20121  425262  44204      0  7   0x4000000                syz-executor.1
 21700  241063      1      0  3    0x100083  ttyin         getty
 22219  108459      0      0  3     0x14200  bored         sosplice
 44204  155155  40267      0  3        0x82  nanosleep     syz-executor.1
 99808  235364  40267      0  3         0x2  biowait       syz-executor.0
 40267   30257  78986      0  3        0x82  thrsleep      syz-fuzzer
 40267  159087  78986      0  3   0x4000082  nanosleep     syz-fuzzer
 40267  182494  78986      0  3   0x4000082  thrsleep      syz-fuzzer
 40267  142058  78986      0  3   0x4000082  thrsleep      syz-fuzzer
 40267    7276  78986      0  3   0x4000082  thrsleep      syz-fuzzer
 40267   49371  78986      0  3   0x4000082  kqread        syz-fuzzer
 40267  180640  78986      0  3   0x4000082  thrsleep      syz-fuzzer
 40267  155157  78986      0  3   0x4000082  thrsleep      syz-fuzzer
 40267  311862  78986      0  7   0x4000002                syz-fuzzer
 40267  192736  78986      0  3   0x4000082  thrsleep      syz-fuzzer
 78986  268596  66283      0  3    0x10008a  pause         ksh
 66283  421715  75273      0  3        0x92  select        sshd
 75273   79200      1      0  3        0x80  select        sshd
 37481  402799  46875     74  3    0x100092  bpf           pflogd
 46875  177412      1      0  3        0x80  netio         pflogd
 40916  114889  64039     73  3    0x100090  kqread        syslogd
 64039  264956      1      0  3    0x100082  netio         syslogd
  7847  428442      1     77  3    0x100090  poll          dhclient
 46692  389466      1      0  3        0x80  poll          dhclient
 58931  448986      0      0  2     0x14200                zerothread
 73144  471706      0      0  3     0x14200  aiodoned      aiodoned
 47057  121454      0      0  3     0x14200  syncer        update
 67418  262835      0      0  3     0x14200  cleaner       cleaner
 24188  500000      0      0  3     0x14200  reaper        reaper
 61965  303672      0      0  3     0x14200  pgdaemon      pagedaemon
   141  191758      0      0  3     0x14200  bored         crynlk
 47490  441922      0      0  3     0x14200  bored         crypto
 28792  101434      0      0  3  0x40014200  acpi0         acpi0
 75533  369362      0      0  3  0x40014200                idle1
 59639   88207      0      0  3     0x14200  bored         softnet
 95822   63627      0      0  2     0x14200                systqmp
 46877  198480      0      0  3     0x14200  bored         systq
   786  175929      0      0  3  0x40014200  bored         softclock
 38216  199448      0      0  3  0x40014200                idle0
 14729  483505      0      0  3     0x14200  bored         smr
     1  299480      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{1}> show all locks
Process 20121 (syz-executor.1) thread 0xffff800020ab1160 (425262)
exclusive rwlock netlock r = 0 (0xffffffff8248fc78)
#0  witness_lock+0x52e sys/kern/subr_witness.c:1163
#1  ifioctl+0xdcf sys/net/if.c:2127
#2  sys_ioctl+0x5b9
#3  syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline]
#3  syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555
#4  Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82649290)
#0  witness_lock+0x52e sys/kern/subr_witness.c:1163
#1  syscall+0x400 mi_syscall sys/sys/syscall_mi.h:83 [inline]
#1  syscall+0x400 sys/arch/amd64/amd64/trap.c:555
#2  Xsyscall+0x128
Process 99808 (syz-executor.0) thread 0xffff800020ab0c70 (235364)
exclusive rrwlock inode r = 0 (0xfffffd80623eb1b0)
#0  witness_lock+0x52e sys/kern/subr_witness.c:1163
#1  rw_enter+0x447 sys/kern/kern_rwlock.c:306
#2  rrw_enter+0x4f sys/kern/kern_rwlock.c:435
#3  VOP_LOCK+0xf0 sys/kern/vfs_vops.c:615
#4  vn_lock+0x81 sys/kern/vfs_vnops.c:574
#5  vget+0x1c3 sys/kern/vfs_subr.c:672
#6  ufs_ihashget+0x141 sys/ufs/ufs/ufs_ihash.c:119
#7  ffs_vget+0x74 sys/ufs/ffs/ffs_vfsops.c:1323
#8  ufs_lookup+0x14b4 sys/ufs/ufs/ufs_lookup.c:487
#9  VOP_LOOKUP+0x5b sys/kern/vfs_vops.c:91
#10 vfs_lookup+0x7a6 sys/kern/vfs_lookup.c:568
#11 namei+0x63c sys/kern/vfs_lookup.c:249
#12 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1785
#13 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline]
#13 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555
#14 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd806ac6d1a8)
#0  witness_lock+0x52e sys/kern/subr_witness.c:1163
#1  rw_enter+0x447 sys/kern/kern_rwlock.c:306
#2  rrw_enter+0x4f sys/kern/kern_rwlock.c:435
#3  VOP_LOCK+0xf0 sys/kern/vfs_vops.c:615
#4  vn_lock+0x81 sys/kern/vfs_vnops.c:574
#5  vfs_lookup+0xe6 sys/kern/vfs_lookup.c:419
#6  namei+0x63c sys/kern/vfs_lookup.c:249
#7  dounlinkat+0x99 sys/kern/vfs_syscalls.c:1785
#8  syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline]
#8  syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555
#9  Xsyscall+0x128
ddb{1}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim Kern Lim
         devbuf  9500   6526K    6913K  78643K     10876        0        0
            pcb    13      8K       8K  78643K        69        0        0
         rtable    96      3K       4K  78643K       252        0        0
         ifaddr    49     11K      12K  78643K        64        0        0
       counters    39     33K      33K  78643K        39        0        0
       ioctlops     0      0K       4K  78643K      1482        0        0
            iov     0      0K      16K  78643K        43        0        0
          mount     1      1K       1K  78643K         1        0        0
         vnodes  1215     76K      77K  78643K      1309        0        0
      UFS quota     1     32K      32K  78643K         1        0        0
      UFS mount     5     36K      36K  78643K         5        0        0
            shm     2      1K       5K  78643K         4        0        0
         VM map     2      1K       1K  78643K         3        0        0
            sem    12      1K       1K  78643K        13        0        0
        dirhash    12      2K       2K  78643K        12        0        0
           ACPI  1808    196K     290K  78643K     12765        0        0
      file desc     5     13K      25K  78643K       193        0        0
          sigio     0      0K       0K  78643K         1        0        0
           proc    61     63K      95K  78643K       462        0        0
        subproc    32      2K       2K  78643K        34        0        0
    NFS srvsock     1      0K       0K  78643K         1        0        0
     NFS daemon     1     16K      16K  78643K         1        0        0
    ip_moptions     0      0K       0K  78643K        25        0        0
       in_multi    29      1K       2K  78643K        42        0        0
    ether_multi     1      0K       0K  78643K         2        0        0
    ISOFS mount     1     32K      32K  78643K         1        0        0
  MSDOSFS mount     1     16K      16K  78643K         1        0        0
           ttys    36    159K     159K  78643K        36        0        0
           exec     0      0K       1K  78643K       225        0        0
        pagedep     1      8K       8K  78643K         1        0        0
       inodedep     1     32K      32K  78643K         1        0        0
         newblk     1      0K       0K  78643K         1        0        0
        VM swap     7     26K      26K  78643K         7        0        0
       UVM amap   103     21K      38K  78643K      1643        0        0
       UVM aobj    17      2K       2K  78643K        17        0        0
        memdesc     1      4K       4K  78643K         1        0        0
    crypto data     1      1K       1K  78643K         1        0        0
    ip6_options     0      0K       0K  78643K        40        0        0
            NDP     9      0K       0K  78643K        16        0        0
           temp   152   3559K    3632K  78643K      8926        0        0
         kqueue     0      0K       0K  78643K         2        0        0
      SYN cache     2     16K      16K  78643K         2        0        0
ddb{1}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp         64        8    0        3     1     0     1     1     0     8    0
plcache    128       20    0        0     1     0     1     1     0     8    0
rtpcb       80       23    0       21     1     0     1     1     0     8    0
rtentry    112       51    0       13     2     0     2     2     0     8    0
unpcb      120      197    0      187     2     0     2     2     0     8    1
syncache   264        4    0        4     1     1     0     1     0     8    0
tcpqe       32       26    0       26     1     1     0     1     0     8    0
tcpcb      544      103    0       99     1     0     1     1     0     8    0
inpcb      280      321    0      313     2     0     2     2     0     8    1
nd6         48        4    0        1     1     0     1     1     0     8    0
pkpcb       40        4    0        4     1     0     1     1     0     8    1
ppxss      1128       3    0        3     2     1     1     1     0     8    1
pfosfp      40      846    0      423     5     0     5     5     0     8    0
pfosfpen   112     1428    0      714    21     0    21    21     0     8    0
pfstitem    24       25    0        1     1     0     1     1     0     8    0
pfstkey    112       25    0        1     1     0     1     1     0     8    0
pfstate    328       25    0        1     2     0     2     2     0     8    0
pfrule     1360      21    0       16     2     1     1     2     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      220    0        8    14     0    14    14     0     8    0
art_table   32      221    0        8     2     0     2     2     0     8    0
art_node    16       50    0       13     1     0     1     1     0     8    0
sysvmsgpl   40      125    0      120     1     0     1     1     0     8    0
semupl     112        3    0        3     1     1     0     1     0     8    0
semapl     112       11    0        1     1     0     1     1     0     8    0
shmpl      112       15    0        0     1     0     1     1     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino1pl    128     1742    0      336    46     0    46    46     0     8    0
ffsino     272     1742    0      336    95     0    95    95     0     8    0
nchpl      144     2262    0      645    61     0    61    61     0     8    0
uvmvnodes   72     1849    0        0    34     0    34    34     0     8    0
vnodes     208     1849    0        0    98     0    98    98     0     8    0
namei      1024    6115    0     6115     1     0     1     1     0     8    1
percpumem   16       30    0        0     1     0     1     1     0     8    0
vmpool     552        1    0        1     1     1     0     1     0     8    0
scxspl     192     7056    0     7055     8     3     5     7     0     8    4
plimitpl   152       31    0       23     1     0     1     1     0     8    0
sigapl     432      394    0      379     3     1     2     3     0     8    0
futexpl     56     4115    0     4115     1     0     1     1     0     8    1
knotepl    112       65    0       46     1     0     1     1     0     8    0
kqueuepl   104       26    0       24     1     0     1     1     0     8    0
pipepl     112      248    0      227     2     1     1     2     0     8    0
fdescpl    488      395    0      379     3     0     3     3     0     8    0
filepl     152     2667    0     2564     6     0     6     6     0     8    1
lockfpl    104      319    0      318     1     0     1     1     0     8    0
lockfspl    48       84    0       83     1     0     1     1     0     8    0
sessionpl  112       19    0        8     1     0     1     1     0     8    0
pgrppl      48       21    0       10     1     0     1     1     0     8    0
ucredpl     96      150    0      141     1     0     1     1     0     8    0
zombiepl   144      379    0      379     1     0     1     1     0     8    1
processpl  896      411    0      379     4     0     4     4     0     8    0
procpl     632      859    0      817     5     0     5     5     0     8    1
sosppl     128        4    0        4     1     0     1     1     0     8    1
sockpl     384      547    0      527     6     0     6     6     0     8    4
mcl64k     65536      5    0        0     1     0     1     1     0     8    0
mcl16k     16384      5    0        0     1     0     1     1     0     8    0
mcl12k     12288      1    0        0     1     0     1     1     0     8    0
mcl9k      9216       3    0        0     1     0     1     1     0     8    0
mcl8k      8192       3    0        0     1     0     1     1     0     8    0
mcl4k      4096       5    0        0     1     0     1     1     0     8    0
mcl2k      2048     150    0        0    18     0    18    18     0     8    0
mtagpl      80        8    0        0     1     0     1     1     0     8    0
mbufpl     256      177    0        0    11     0    11    11     0     8    0
bufpl      256     6988    0     1318   355     0   355   355     0     8    0
anonpl      16    57877    0    38652    88     1    87    87     0   124    8
amapchunkpl 152    2389    0     2260    11     0    11    11     0   158    5
amappl16   192     1853    0      780    55     0    55    55     0     8    1
amappl15   184      169    0      165     1     0     1     1     0     8    0
amappl14   176       27    0       26     1     0     1     1     0     8    0
amappl13   168        7    0        4     1     0     1     1     0     8    0
amappl12   160       11    0       10     2     1     1     1     0     8    0
amappl11   152       53    0       38     1     0     1     1     0     8    0
amappl10   144       93    0       86     1     0     1     1     0     8    0
amappl9    136      620    0      614     1     0     1     1     0     8    0
amappl8    128      174    0      149     1     0     1     1     0     8    0
amappl7    120      114    0      109     1     0     1     1     0     8    0
amappl6    112       75    0       65     1     0     1     1     0     8    0
amappl5    104      137    0      123     1     0     1     1     0     8    0
amappl4     96      669    0      635     1     0     1     1     0     8    0
amappl3     88      118    0      113     1     0     1     1     0     8    0
amappl2     80     2337    0     2263     3     1     2     3     0     8    0
amappl1     72    18613    0    18179    26    16    10    20     0     8    0
amappl      80     1118    0     1079     2     0     2     2     0    84    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       17    0       17     1     1     0     1     0     8    0
aobjpl      64       16    0        0     1     0     1     1     0     8    0
uaddrrnd    24      396    0      379     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      396    0      379     1     0     1     1     0     8    0
vmmpekpl   168     7243    0     7207     2     0     2     2     0     8    0
vmmpepl    168    55862    0    53655   134    16   118   127     0   357   16
vmsppl     368      394    0      379     2     0     2     2     0     8    0
pdppl      4096     799    0      760     6     0     6     6     0     8    0
pvpl        32   183071    0   160683   209     0   209   209     0   265   24
pmappl     232      395    0      380     2     1     1     2     0     8    0
extentpl    40       41    0       26     1     0     1     1     0     8    0
phpool     112      515    0        3    15     0    15    15     0     8    0

Crashes (6):
Time              Kernel   Commit        Syzkaller  Config   Log          Report  Manager
2019/10/22 22:15  openbsd  2c98785eaaa1  a2bdbd8c   .config  console log  report  ci-openbsd-multicore
2019/10/18 22:57  openbsd  754f2b84d7f3  8c88c9c1   .config  console log  report  ci-openbsd-multicore
2019/10/15 17:16  openbsd  63effaba6423  b5268b89   .config  console log  report  ci-openbsd-multicore
2019/10/06 13:53  openbsd  f78cba616245  f3f7d9c8   .config  console log  report  ci-openbsd-multicore
2019/10/02 05:28  openbsd  18ccf01191d1  b7a87a83   .config  console log  report  ci-openbsd-multicore
2019/09/18 13:42  openbsd  dd27a1761061  14d41584   .config  console log  report  ci-openbsd-multicore