

pool: free list modified: bufpl

Status: auto-obsoleted due to no activity on 2022/08/29 17:59
Reported-by: syzbot+8be326e04d5a066ab24e@syzkaller.appspotmail.com
First crash: 905d, last: 905d

Sample crash report:
panic: pool_do_get: bufpl free list modified: page 0xfffffd807cfa1000; item addr 0xfffffd807cfa1808; offset 0x0=0x0 != 0x84800d13c49d5b03
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*127141  82807      0         0x2          0    0  syz-executor.1
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8260d5d9) at panic+0x161 sys/kern/subr_prf.c:202
pool_do_get(ffffffff82aab218,9,ffff8000230f4b18) at pool_do_get+0x427 sys/kern/subr_pool.c:740
pool_get(ffffffff82aab218,9) at pool_get+0xb3 sys/kern/subr_pool.c:584
buf_get(fffffd8079d15a10,0,4000) at buf_get+0x55c sys/kern/vfs_bio.c:1139
getblk(fffffd8079d15a10,0,4000,0,ffffffffffffffff) at getblk+0xfd sys/kern/vfs_bio.c:1050
ffs2_balloc(fffffd806c8e8c30,0,200,fffffd807f7d7900,1,ffff8000230f51b0) at ffs2_balloc+0x664 sys/ufs/ffs/ffs_balloc.c:575
ufs_mkdir(ffff8000230f5220) at ufs_mkdir+0x4ca sys/ufs/ufs/ufs_vnops.c:1211
VOP_MKDIR(fffffd806864a408,ffff8000230f5380,ffff8000230f53b0,ffff8000230f52b0) at VOP_MKDIR+0xbf sys/kern/vfs_vops.c:404
domkdirat(ffff8000215f0fc0,ffffff9c,7f7fffff9fd0,1ff) at domkdirat+0x121 sys/kern/vfs_syscalls.c:3116
syscall(ffff8000230f5530) at syscall+0x44e sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7fffffa040, count: 3
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb> 
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
*cpu0: pool_do_get: bufpl free list modified: page 0xfffffd807cfa1000; item addr 0xfffffd807cfa1808; offset 0x0=0x0 != 0x84800d13c49d5b03
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8260d5d9) at panic+0x161 sys/kern/subr_prf.c:202
pool_do_get(ffffffff82aab218,9,ffff8000230f4b18) at pool_do_get+0x427 sys/kern/subr_pool.c:740
pool_get(ffffffff82aab218,9) at pool_get+0xb3 sys/kern/subr_pool.c:584
buf_get(fffffd8079d15a10,0,4000) at buf_get+0x55c sys/kern/vfs_bio.c:1139
getblk(fffffd8079d15a10,0,4000,0,ffffffffffffffff) at getblk+0xfd sys/kern/vfs_bio.c:1050
ffs2_balloc(fffffd806c8e8c30,0,200,fffffd807f7d7900,1,ffff8000230f51b0) at ffs2_balloc+0x664 sys/ufs/ffs/ffs_balloc.c:575
ufs_mkdir(ffff8000230f5220) at ufs_mkdir+0x4ca sys/ufs/ufs/ufs_vnops.c:1211
VOP_MKDIR(fffffd806864a408,ffff8000230f5380,ffff8000230f53b0,ffff8000230f52b0) at VOP_MKDIR+0xbf sys/kern/vfs_vops.c:404
domkdirat(ffff8000215f0fc0,ffffff9c,7f7fffff9fd0,1ff) at domkdirat+0x121 sys/kern/vfs_syscalls.c:3116
syscall(ffff8000230f5530) at syscall+0x44e sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7fffffa040, count: -12
ddb> show registers
rdi                                0
rsi                              0x1
rbp               0xffff8000230f4990
rbx               0x84800d13c49d5b03
rdx                                0
rcx                                0
rax               0xffff8000215f0fc0
r8                 0x101010101010101
r9                0x8080808080808080
r10                0x650c199e0855200
r11               0x83c1b8a128fe090d
r12                                0
r13               0xfffffd807cfa1808
r14                                0
r15                              0x1
rip               0xffffffff81d0ea58    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff8000230f4980
ss                                 0
db_enter+0x18:  addq    $0x8,%rsp
ddb> show proc
PROC (syz-executor.1) pid=127141 stat=onproc
    flags process=2<EXEC> proc=0
    pri=17, usrpri=86, nice=20
    forw=0xffffffffffffffff, list=0xffff8000215f0540,0xffff8000215f1510
    process=0xffff80002160e028 user=0xffff8000230f0000, vmspace=0xfffffd806c535780
    estcpu=36, cpticks=2, pctcpu=0.1
    user=0, sys=1, intr=0
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
  8103  436207  42917      0  2           0                syz-executor.5
  8103  380941  42917      0  3   0x4000080  kqpoll        syz-executor.5
 51072  256512  68003      0  2           0                syz-executor.2
 51072   57312  68003      0  3   0x4000080  kqpoll        syz-executor.2
 98326   52510  66986      0  2           0                syz-executor.6
 98326   16162  66986      0  3   0x4000080  fsleep        syz-executor.6
 33463  432684  14478      0  2           0                syz-executor.0
 33463  275155  14478      0  3   0x4000080  fsleep        syz-executor.0
 22729   38163  83385      0  2           0                syz-executor.7
 22729  426246  83385      0  3   0x4000080  fsleep        syz-executor.7
 66854  243014  89764      0  2           0                syz-executor.4
 66854  148381  89764      0  3   0x4000080  fsleep        syz-executor.4
 61916  197069      0      0  3     0x14200  bored         sosplice
 66986  271914  16109      0  3        0x82  nanoslp       syz-executor.6
 83385  186700  16109      0  3        0x82  nanoslp       syz-executor.7
   161  469214  16109      0  3        0x82  nanoslp       syz-executor.3
 42917  452402  16109      0  3        0x82  nanoslp       syz-executor.5
 89764  267300  16109      0  3        0x82  nanoslp       syz-executor.4
*82807  127141  16109      0  7         0x2                syz-executor.1
 68003  187995  16109      0  3        0x82  nanoslp       syz-executor.2
 14478  369643  16109      0  3        0x82  nanoslp       syz-executor.0
 16109  412163  57471      0  3        0x82  thrsleep      syz-fuzzer
 16109   48190  57471      0  3   0x4000082  nanoslp       syz-fuzzer
 16109  415661  57471      0  3   0x4000082  thrsleep      syz-fuzzer
 16109     898  57471      0  3   0x4000082  thrsleep      syz-fuzzer
 16109  118662  57471      0  3   0x4000082  thrsleep      syz-fuzzer
 16109  136355  57471      0  3   0x4000082  kqread        syz-fuzzer
 16109  240426  57471      0  3   0x4000082  thrsleep      syz-fuzzer
 16109  425593  57471      0  3   0x4000082  thrsleep      syz-fuzzer
 16109   93172  57471      0  3   0x4000082  thrsleep      syz-fuzzer
 57471  242463  11506      0  3    0x10008a  sigsusp       ksh
 11506  449378   1096      0  3        0x9a  kqread        sshd
 26503  252920      1      0  3    0x100083  ttyin         getty
  1096  233168      1      0  3        0x88  kqread        sshd
 16282  173395  64440     73  3   0x1100090  kqread        syslogd
 64440   63063      1      0  3    0x100082  netio         syslogd
 41683  307294      1      0  3    0x100080  kqread        resolvd
 92928  299582  17489     77  3    0x100092  kqread        dhcpleased
 35341  100202  17489     77  3    0x100092  kqread        dhcpleased
 17489   77999      1      0  3        0x80  kqread        dhcpleased
 36380  402620      0      0  3     0x14200  bored         smr
 82185  121803      0      0  2     0x14200                zerothread
 34551   27872      0      0  3     0x14200  aiodoned      aiodoned
 63077  125301      0      0  3     0x14200  syncer        update
 78302  171112      0      0  3     0x14200  cleaner       cleaner
 13818  226723      0      0  3     0x14200  reaper        reaper
 95168  279739      0      0  3     0x14200  pgdaemon      pagedaemon
 67748  234531      0      0  3     0x14200  bored         viomb
 84601   62290      0      0  3  0x40014200  acpi0         acpi0
 38331  194546      0      0  3     0x14200  bored         softnet
 14072   19697      0      0  3     0x14200  bored         softnet
 28898  462076      0      0  3     0x14200  bored         softnet
 23850  108240      0      0  3     0x14200  bored         softnet
 18858  131181      0      0  3     0x14200  bored         systqmp
 55652  300549      0      0  3     0x14200  bored         systq
 12421  324625      0      0  3  0x40014200  bored         softclock
 70879   99128      0      0  3  0x40014200                idle0
     1  481036      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb> show all locks
No such command
ddb> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 10167   6417K    6805K  78643K     12015        0
            pcb    13      8K       8K  78643K        29        0
         rtable   242      6K       6K  78643K       370        0
         ifaddr    82     17K      17K  78643K       101        0
       counters    27     17K      17K  78643K        30        0
       ioctlops     0      0K       4K  78643K        71        0
            iov     0      0K      16K  78643K        23        0
          mount     1      1K       1K  78643K         1        0
            log     0      0K       0K  78643K         4        0
         vnodes  1402     88K      88K  78643K      1834        0
      UFS quota     1     32K      32K  78643K         1        0
      UFS mount     5     36K      36K  78643K         5        0
            shm     2      1K       9K  78643K        33        0
         VM map     2      0K       0K  78643K         2        0
            sem    19      1K       1K  78643K        25        0
        dirhash    12      2K       2K  78643K        12        0
           ACPI  1697    195K     286K  78643K     12548        0
      file desc    16     57K      73K  78643K      1278        0
          sigio     0      0K       0K  78643K         8        0
           proc    57     59K      75K  78643K       464        0
        subproc   104      6K       6K  78643K       107        0
    NFS srvsock     1      0K       0K  78643K         1        0
     NFS daemon     1     16K      16K  78643K         1        0
       in_multi    99      6K       6K  78643K       115        0
    ether_multi     1      0K       0K  78643K         1        0
    ISOFS mount     1     32K      32K  78643K         1        0
  MSDOSFS mount     1     16K      16K  78643K         1        0
           ttys    61    281K     281K  78643K        61        0
           exec     0      0K       2K  78643K       667        0
            tdb     3      0K       0K  78643K         3        0
        pagedep     1      8K       8K  78643K         1        0
       inodedep     1     32K      32K  78643K         1        0
         newblk     1      0K       0K  78643K         1        0
        VM swap     7     26K      26K  78643K         7        0
       UVM amap   225    194K     194K  78643K      7564        0
       UVM aobj    24      2K       2K  78643K        24        0
        memdesc     1      4K       4K  78643K         1        0
    crypto data     1      1K       1K  78643K         1        0
    ip6_options     0      0K       0K  78643K         4        0
            NDP    11      0K       1K  78643K        34        0
           temp   104   4724K    4788K  78643K      6353        0
         kqueue    14     22K      22K  78643K        83        0
      SYN cache     2     16K      16K  78643K         2        0
ddb> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
rtpcb      120       40    0       37     1     0     1     1     0     8    0
rtentry    112      121    0        7     4     0     4     4     0     8    0
unpcb      136      284    0      271     1     0     1     1     0     8    0
syncache   296        8    0        8     2     1     1     1     0     8    1
tcpqe       32      399    0      399     2     1     1     1     0     8    1
tcpcb      736      141    0       20    12     1    11    11     0     8    0
arp         88       19    0        0     1     0     1     1     0     8    0
inpcb      312      256    0      248     6     0     6     6     0     8    5
nd6         48       31    0        6     1     0     1     1     0     8    0
pkpcb       40        2    0        2     1     1     0     1     0     8    0
kcovpl      48        8    0        0     1     0     1     1     0     8    0
ppxss      1152       3    0        3     1     1     0     1     0     8    0
pfrule     1360       1    0        1     1     1     0     1     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      468    0        3    30     0    30    30     0     8    0
art_table   32      469    0        3     4     0     4     4     0     8    0
art_node    16      120    0       16     1     0     1     1     0     8    0
sysvmsgpl   40       13    0        5     1     0     1     1     0     8    0
semapl     112       17    0        0     1     0     1     1     0     8    0
shmpl      112       21    0        0     1     0     1     1     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino2pl    256     3055    0     1626    90     0    90    90     0     8    0
ffsino     240     3055    0     1626    85     0    85    85     0     8    0
nchpl      144     4800    0     3126    63     0    63    63     0     8    0
uvmvnodes   80     3379    0        0    69     0    69    69     0     8    0
vnodes     224     3379    0        0   199     0   199   199     0     8    0
namei      1024   14468    0    14467     2     1     1     2     0     8    0
vcpupl     1984      10    0        1     2     0     2     2     0     8    0
vmpool     528       10    0        1     1     0     1     1     0     8    0
kstatmem   264       28    0        6     2     0     2     2     0     8    0
scxspl     216    12626    0    12626     9     8     1     8     0     8    1
plimitpl   152       52    0       37     1     0     1     1     0     8    0
sigapl     424     1564    0     1519     6     0     6     6     0     8    0
futexpl     64     5382    0     5378     1     0     1     1     0     8    0
knotepl    120    19112    0    19031     6     3     3     6     0     8    0
kqueuepl   184      143    0      132     1     0     1     1     0     8    0
pipepl     304      188    0      160     3     0     3     3     0     8    0
fdescpl    432     1547    0     1520     4     0     4     4     0     8    0
filepl     120     6027    0     5785    16     2    14    14     0     8    4
lockfpl    104       38    0       36     1     0     1     1     0     8    0
lockfspl    48       18    0       16     1     0     1     1     0     8    0
sessionpl  144       23    0        7     1     0     1     1     0     8    0
pgrppl      48       24    0        8     1     0     1     1     0     8    0
ucredpl     96     1742    0     1732     1     0     1     1     0     8    0
zombiepl   144     1520    0     1519     1     0     1     1     0     8    0
processpl  1000    1564    0     1519     7     1     6     6     0     8    0
procpl     672     2888    0     2829     6     0     6     6     0     8    0
sosppl     168        9    0        9     1     1     0     1     0     8    0
sockpl     448      582    0      558    12     1    11    11     0     8    8
mcl64k     65536     13    0       13     2     1     1     1     0     8    1
mcl16k     16384     13    0       13     2     1     1     1     0     8    1
mcl12k     12288     10    0       10     1     1     0     1     0     8    0
mcl9k      9216       5    0        5     1     0     1     1     0     8    1
mcl8k      8192      70    0       70     2     1     1     1     0     8    1
mcl4k      4096      43    0       43     3     2     1     1     0     8    1
mcl2k2     2112       3    0        3     2     1     1     1     0     8    1
mcl2k      2048   65536    0    65477    27    17    10    24     0     8    2
mtagpl      96       60    0        4     3     1     2     2     0     8    0
mbufpl     256   110090    0   109726    25     0    25    25     0     8    1
bufpl      288     4748    0      141   330     0   330   330     0     8    0
bufpl: pool(0xffffffff82aab218:bufpl): free list modified: page 0xfffffd807cfa1000; item ordinal 0; addr 0xfffffd807cfa1808 (p 0xfffffd806aa0b000); offset 0x0=0x0
pool(bufpl): free list modified: page 0xfffffd807cfa1000; item ordinal 0; addr 0xfffffd807cfa1808 (p 0xfffffd806aa0b000); offset 0x0=0x0
bufpl: pool(0xffffffff82aab218:bufpl): page inconsistency: page 0xfffffd807cfa1000; item ordinal 1; addr 0x7db7884f89ea7cc9
anonpl      24   255115    0   240363   110    10   100   109     0   188    1
amapchunkpl 152   20711    0    20161    26     3    23    25     0   158    0
amappl16   200     3637    0     3018    40     7    33    39     0     8    0
amappl15   192      152    0      148     1     0     1     1     0     8    0
amappl14   184      284    0      278     1     0     1     1     0     8    0
amappl13   176       80    0       78     1     0     1     1     0     8    0
amappl12   168      168    0      166     2     1     1     1     0     8    0
amappl11   160      227    0      210     1     0     1     1     0     8    0
amappl10   152       17    0       15     1     0     1     1     0     8    0
amappl9    144      787    0      781     1     0     1     1     0     8    0
amappl8    136      694    0      648     2     0     2     2     0     8    0
amappl7    128      252    0      239     1     0     1     1     0     8    0
amappl6    120      490    0      472     2     1     1     2     0     8    0
amappl5    112      941    0      927     1     0     1     1     0     8    0
amappl4    104     1079    0     1051     2     1     1     2     0     8    0
amappl3     96     3712    0     3667     2     0     2     2     0     8    0
amappl2     88     1983    0     1918     3     1     2     3     0     8    0
amappl1     80    36692    0    36065    19     5    14    19     0     8    0
amappl      88     7112    0     6966     4     0     4     4     0    92    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma1024    1024       1    0        0     1     0     1     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      72       23    0        0     1     0     1     1     0     8    0
uaddrrnd    24     1557    0     1521     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24     1557    0     1521     1     0     1     1     0     8    0
vmmpekpl   168    13601    0    13560     2     0     2     2     0     8    0
vmmpepl    168   146978    0   144438   138    15   123   138     0   357    4
vmsppl     272     1556    0     1521     4     1     3     3     0     8    0
rwobjpl     24    37626    0    32667    31     0    31    31     0     8    0
pdppl      4096    3120    0     3051   119    46    73    73     0     8    4
pvpl        32   599970    0   580769   239    23   216   239     0   265   49
pmappl     216     1556    0     1521     3     0     3     3     0     8    0
extentpl    40       58    0       38     1     0     1     1     0     8    0
phpool     112      759    0       75    20     0    20    20     0     8    0
ddb> machine ddbcpu 0
No such command
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8260d5d9) at panic+0x161 sys/kern/subr_prf.c:202
pool_do_get(ffffffff82aab218,9,ffff8000230f4b18) at pool_do_get+0x427 sys/kern/subr_pool.c:740
pool_get(ffffffff82aab218,9) at pool_get+0xb3 sys/kern/subr_pool.c:584
buf_get(fffffd8079d15a10,0,4000) at buf_get+0x55c sys/kern/vfs_bio.c:1139
getblk(fffffd8079d15a10,0,4000,0,ffffffffffffffff) at getblk+0xfd sys/kern/vfs_bio.c:1050
ffs2_balloc(fffffd806c8e8c30,0,200,fffffd807f7d7900,1,ffff8000230f51b0) at ffs2_balloc+0x664 sys/ufs/ffs/ffs_balloc.c:575
ufs_mkdir(ffff8000230f5220) at ufs_mkdir+0x4ca sys/ufs/ufs/ufs_vnops.c:1211
VOP_MKDIR(fffffd806864a408,ffff8000230f5380,ffff8000230f53b0,ffff8000230f52b0) at VOP_MKDIR+0xbf sys/kern/vfs_vops.c:404
domkdirat(ffff8000215f0fc0,ffffff9c,7f7fffff9fd0,1ff) at domkdirat+0x121 sys/kern/vfs_syscalls.c:3116
syscall(ffff8000230f5530) at syscall+0x44e sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7fffffa040, count: -12
ddb> machine ddbcpu 1
No such command
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8260d5d9) at panic+0x161 sys/kern/subr_prf.c:202
pool_do_get(ffffffff82aab218,9,ffff8000230f4b18) at pool_do_get+0x427 sys/kern/subr_pool.c:740
pool_get(ffffffff82aab218,9) at pool_get+0xb3 sys/kern/subr_pool.c:584
buf_get(fffffd8079d15a10,0,4000) at buf_get+0x55c sys/kern/vfs_bio.c:1139
getblk(fffffd8079d15a10,0,4000,0,ffffffffffffffff) at getblk+0xfd sys/kern/vfs_bio.c:1050
ffs2_balloc(fffffd806c8e8c30,0,200,fffffd807f7d7900,1,ffff8000230f51b0) at ffs2_balloc+0x664 sys/ufs/ffs/ffs_balloc.c:575
ufs_mkdir(ffff8000230f5220) at ufs_mkdir+0x4ca sys/ufs/ufs/ufs_vnops.c:1211
VOP_MKDIR(fffffd806864a408,ffff8000230f5380,ffff8000230f53b0,ffff8000230f52b0) at VOP_MKDIR+0xbf sys/kern/vfs_vops.c:404
domkdirat(ffff8000215f0fc0,ffffff9c,7f7fffff9fd0,1ff) at domkdirat+0x121 sys/kern/vfs_syscalls.c:3116
syscall(ffff8000230f5530) at syscall+0x44e sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7fffffa040, count: -12

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/05/31 17:59 openbsd a703828ff742 3666edfe .config console log report ci-openbsd-main pool: free list modified: bufpl