kern.securelevel: 0 -> 1 creating runtime link editor directory cache. preserving editor files. starting network daemons: sshd. starting local daemons:. Mon Jun 15 12:57:19 PDT 2020 OpenBSD/amd64 (ci-openbsd-multicore-0.c.syzkaller.internal) (tty00) Warning: Permanently added '10.128.0.233' (ECDSA) to the list of known hosts. 2020/06/15 12:57:49 parsed 1 programs 2020/06/15 12:57:52 executed programs: 0 2020/06/15 12:57:57 executed programs: 239 login: panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd806d6f9000+16 0x0!=0x73fac7f82dbb4b0d Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND 195578 16795 0 0x2 0x4000080 0 syz-execprog *411121 39682 0 0x12 0 1 sshd db_enter() at db_enter+0x18 panic(ffffffff823e2c40) at panic+0x15c pool_cache_get(ffffffff828cc008) at pool_cache_get+0x323 pool_get(ffffffff828cc008,2) at pool_get+0x91 m_copym(fffffd806d6f8f00,0,54,2) at m_copym+0x174 tcp_output(ffff800000ad7980) at tcp_output+0x15ba tcp_usrreq(fffffd806ead9328,9,fffffd806d6f8f00,0,0,ffff800020e41600) at tcp_usrreq+0xa55 sosend(fffffd806ead9328,0,ffff800020e63228,0,0,80) at sosend+0x671 dofilewritev(ffff800020e41600,4,ffff800020e63228,0,ffff800020e63310) at dofilewritev+0x1b6 sys_write(ffff800020e41600,ffff800020e632c0,ffff800020e63310) at sys_write+0x83 syscall(ffff800020e63390) at syscall+0x4a4 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7fffff0a00, count: 3 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd806d6f9000+16 0x0!=0x73fac7f82dbb4b0d ddb{1}> trace db_enter() at db_enter+0x18 panic(ffffffff823e2c40) at panic+0x15c pool_cache_get(ffffffff828cc008) at pool_cache_get+0x323 pool_get(ffffffff828cc008,2) at pool_get+0x91 m_copym(fffffd806d6f8f00,0,54,2) at m_copym+0x174 tcp_output(ffff800000ad7980) at tcp_output+0x15ba tcp_usrreq(fffffd806ead9328,9,fffffd806d6f8f00,0,0,ffff800020e41600) at tcp_usrreq+0xa55 sosend(fffffd806ead9328,0,ffff800020e63228,0,0,80) at sosend+0x671 dofilewritev(ffff800020e41600,4,ffff800020e63228,0,ffff800020e63310) at dofilewritev+0x1b6 sys_write(ffff800020e41600,ffff800020e632c0,ffff800020e63310) at sys_write+0x83 syscall(ffff800020e63390) at syscall+0x4a4 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7fffff0a00, count: -12 ddb{1}> show registers rdi 0 rsi 0x1 rbp 0xffff800020e62bc0 rbx 0xffff800020e62c70 rdx 0x8b rcx 0x2 rax 0x1 r8 0xffffffff81bc79af kprintf+0x16f r9 0x1 r10 0x2 r11 0x41dfa8168890ccb0 r12 0x3000000008 r13 0xffff800020e62bd0 r14 0x100 r15 0x1 rip 0xffffffff81da3c38 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff800020e62bb0 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{1}> show proc PROC (sshd) pid=411121 stat=onproc flags process=12 proc=0 pri=50, usrpri=50, nice=20 forw=0xffffffffffffffff, list=0xffff800020e40760,0xffff800020e409e0 process=0xffff800020e383f0 user=0xffff800020e5e000, vmspace=0xfffffd806e8efa18 estcpu=0, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 79254 122215 16795 0 2 0x2 syz-executor.0 16795 23279 87342 0 3 0x82 thrsleep syz-execprog 16795 376611 87342 0 3 0x4000082 nanosleep syz-execprog 16795 374620 87342 0 3 0x4000082 thrsleep syz-execprog 16795 385058 87342 0 3 0x4000082 thrsleep syz-execprog 16795 165070 87342 0 3 0x4000082 thrsleep syz-execprog 16795 466047 87342 0 3 0x4000082 thrsleep syz-execprog 16795 513019 87342 0 3 0x4000082 thrsleep syz-execprog 16795 473989 87342 0 3 0x4000082 nanosleep syz-execprog 16795 195578 87342 0 7 0x4000082 syz-execprog 87342 479119 39682 0 3 0x10008a pause ksh *39682 411121 69796 0 7 0x12 sshd 36766 230758 1 0 3 0x100083 ttyin getty 69796 176554 1 0 3 0x80 select sshd 24861 113704 82785 74 3 0x100092 bpf pflogd 82785 245820 1 0 3 0x80 netio pflogd 45387 216057 51198 73 3 0x100090 kqread syslogd 51198 129160 1 0 3 0x100082 netio syslogd 89993 470175 1 77 3 0x100090 poll dhclient 14287 151990 1 0 3 0x80 poll dhclient 97648 405720 0 0 3 0x14200 bored smr 13464 351929 0 0 3 0x14200 pgzero zerothread 68357 417178 0 0 3 0x14200 aiodoned aiodoned 47772 240414 0 0 3 0x14200 syncer update 98814 149877 0 0 3 0x14200 cleaner cleaner 16549 423493 0 0 3 0x14200 reaper reaper 32913 113861 0 0 3 0x14200 pgdaemon pagedaemon 21948 510937 0 0 3 0x14200 bored crynlk 79947 198796 0 0 3 0x14200 bored crypto 62983 21479 0 0 3 0x40014200 acpi0 acpi0 88411 59434 0 0 3 0x40014200 idle1 68242 94244 0 0 3 0x14200 bored softnet 67704 473840 0 0 3 0x14200 bored systqmp 74555 244124 0 0 3 0x14200 bored systq 87783 205771 0 0 3 0x40014200 bored softclock 71305 216393 0 0 3 0x40014200 idle0 1 439505 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks Process 79254 (syz-executor.0) thread 0xffff800020ddc9c8 (122215) exclusive rrwlock inode r = 0 (0xfffffd806b7d9808) #0 witness_lock+0x4c7 #1 rw_enter+0x453 #2 rrw_enter+0x88 #3 VOP_LOCK+0x4b #4 vn_lock+0x81 #5 vget+0x1c8 #6 ufs_ihashget+0x141 #7 ffs_vget+0x74 #8 ufs_lookup+0x14b7 #9 VOP_LOOKUP+0x5b #10 vfs_lookup+0x7a6 #11 namei+0x63c #12 dounlinkat+0x99 #13 syscall+0x4a4 #14 Xsyscall+0x128 exclusive rrwlock inode r = 0 (0xfffffd806b7d9098) #0 witness_lock+0x4c7 #1 rw_enter+0x453 #2 rrw_enter+0x88 #3 VOP_LOCK+0x4b #4 vn_lock+0x81 #5 vfs_lookup+0xe6 #6 namei+0x63c #7 dounlinkat+0x99 #8 syscall+0x4a4 #9 Xsyscall+0x128 exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82896708) #0 witness_lock+0x4c7 #1 syscall+0x400 #2 Xsyscall+0x128 Process 39682 (sshd) thread 0xffff800020e41600 (411121) exclusive rwlock netlock r = 0 (0xffffffff827254e8) #0 witness_lock+0x4c7 #1 solock+0x5a #2 sosend+0x559 #3 dofilewritev+0x1b6 #4 sys_write+0x83 #5 syscall+0x4a4 #6 Xsyscall+0x128 ddb{1}>