panic: pr_find_pagehead: mbufpl: incorrect page Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND * 41962 64025 0 0 0x4000000 0 syz-executor.1 db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff823e4807) at panic+0x15c sys/kern/subr_prf.c:207 pool_do_put(ffffffff828189f0,fffffd8058600000) at pool_do_put+0x36a pool_put(ffffffff828189f0,fffffd8058600000) at pool_put+0x4b sys/kern/subr_pool.c:794 m_free(fffffd8058600000) at m_free+0x119 sys/kern/uipc_mbuf.c:459 ml_purge(ffff80001f7b1c08) at ml_purge+0x50 m_freem sys/kern/uipc_mbuf.c:538 [inline] ml_purge(ffff80001f7b1c08) at ml_purge+0x50 sys/kern/uipc_mbuf.c:1628 ifq_purge(ffff800000ad4278) at ifq_purge+0x97 sys/net/ifq.c:462 if_down(ffff800000ad4000) at if_down+0x9c if_linkstate sys/net/if.c:1668 [inline] if_down(ffff800000ad4000) at if_down+0x9c sys/net/if.c:1619 if_setrdomain(ffff800000ad4000,6) at if_setrdomain+0x17c sys/net/if.c:1871 ifioctl(fffffd805fd6d960,8020699f,ffff80001f7b1dd0,ffff80001d6ce888) at ifioctl+0x169d sys/net/if.c:2139 sys_ioctl(ffff80001d6ce888,ffff80001f7b1ee8,ffff80001f7b1f30) at sys_ioctl+0x4a1 syscall(ffff80001f7b1fb0) at syscall+0x507 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x735dd14a870, count: 2 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic pr_find_pagehead: mbufpl: incorrect page ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff823e4807) at panic+0x15c sys/kern/subr_prf.c:207 pool_do_put(ffffffff828189f0,fffffd8058600000) at pool_do_put+0x36a pool_put(ffffffff828189f0,fffffd8058600000) at pool_put+0x4b sys/kern/subr_pool.c:794 m_free(fffffd8058600000) at m_free+0x119 sys/kern/uipc_mbuf.c:459 ml_purge(ffff80001f7b1c08) at ml_purge+0x50 m_freem sys/kern/uipc_mbuf.c:538 [inline] ml_purge(ffff80001f7b1c08) at ml_purge+0x50 sys/kern/uipc_mbuf.c:1628 ifq_purge(ffff800000ad4278) at ifq_purge+0x97 sys/net/ifq.c:462 if_down(ffff800000ad4000) at if_down+0x9c if_linkstate sys/net/if.c:1668 [inline] if_down(ffff800000ad4000) at if_down+0x9c sys/net/if.c:1619 if_setrdomain(ffff800000ad4000,6) at if_setrdomain+0x17c sys/net/if.c:1871 ifioctl(fffffd805fd6d960,8020699f,ffff80001f7b1dd0,ffff80001d6ce888) at ifioctl+0x169d sys/net/if.c:2139 sys_ioctl(ffff80001d6ce888,ffff80001f7b1ee8,ffff80001f7b1f30) at sys_ioctl+0x4a1 syscall(ffff80001f7b1fb0) at syscall+0x507 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x735dd14a870, count: -13 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80001f7b19b0 rbx 0xffff80001f7b1a60 rdx 0x2 rcx 0 rax 0x1 r8 0xffffffff8201b2ff kprintf+0x15f r9 0x1 r10 0x2 r11 0x37fb2bd486afbf7c r12 0x3000000008 r13 0xffff80001f7b19c0 r14 0x100 r15 0x1 rip 0xffffffff822f9738 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff80001f7b19a0 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb> show proc PROC (syz-executor.1) pid=41962 stat=onproc flags process=0 proc=4000000 pri=32, usrpri=50, nice=20 forw=0xffffffffffffffff, list=0xffff80001d6cdec8,0xffffffff8284cea8 process=0xffff800020a46af8 user=0xffff80001f7ad000, vmspace=0xfffffd80685b5670 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 64025 382410 18043 0 2 0 syz-executor.1 *64025 41962 18043 0 7 0x4000000 syz-executor.1 99300 457832 27405 0 3 0x2 biowait syz-executor.0 62957 31784 0 0 3 0x14280 nfsidl nfsio 38742 2611 0 0 3 0x14280 nfsidl nfsio 21947 77156 0 0 3 0x14280 nfsidl nfsio 51200 293322 0 0 3 0x14280 nfsidl nfsio 50666 11915 0 0 3 0x14280 nfsidl nfsio 90895 462076 0 0 3 0x14280 nfsidl nfsio 97982 18213 0 0 3 0x14280 nfsidl nfsio 6453 47875 0 0 3 0x14280 nfsidl nfsio 86465 100061 0 0 3 0x14280 nfsidl nfsio 72584 8287 0 0 3 0x14280 nfsidl nfsio 86776 404510 0 0 3 0x14280 nfsidl nfsio 22475 1370 0 0 3 0x14280 nfsidl nfsio 76880 62108 0 0 3 0x14280 nfsidl nfsio 1463 352337 0 0 3 0x14280 nfsidl nfsio 41049 412084 0 0 3 0x14280 nfsidl nfsio 65996 419652 0 0 3 0x14280 nfsidl nfsio 28216 320947 0 0 3 0x14280 nfsidl nfsio 45142 57510 0 0 3 0x14280 nfsidl nfsio 78243 187847 0 0 3 0x14280 nfsidl nfsio 88148 407017 0 0 3 0x14280 nfsidl nfsio 71880 156472 0 0 3 0x14200 acct acct 70530 19684 0 0 3 0x14200 bored sosplice 18043 337435 27405 0 3 0x82 nanosleep syz-executor.1 27405 480799 50351 0 3 0x82 thrsleep syz-fuzzer 27405 322786 50351 0 3 0x4000082 nanosleep syz-fuzzer 27405 313271 50351 0 3 0x4000082 thrsleep syz-fuzzer 27405 63104 50351 0 3 0x4000082 thrsleep syz-fuzzer 27405 110528 50351 0 3 0x4000082 thrsleep syz-fuzzer 27405 97131 50351 0 3 0x4000082 kqread syz-fuzzer 27405 249110 50351 0 3 0x4000082 thrsleep syz-fuzzer 27405 186076 50351 0 2 0x4000002 syz-fuzzer 50351 51434 13808 0 3 0x10008a pause ksh 13808 273818 94945 0 3 0x92 select sshd 58090 206303 1 0 3 0x100083 ttyin getty 94945 93919 1 0 3 0x80 select sshd 36765 59742 80152 73 3 0x100090 kqread syslogd 80152 92003 1 0 3 0x100082 netio syslogd 98219 9861 1 77 2 0x100090 dhclient 67444 275921 1 0 3 0x80 poll dhclient 38794 17866 0 0 3 0x14200 bored smr 76737 252709 0 0 2 0x14200 zerothread 52271 48768 0 0 3 0x14200 aiodoned aiodoned 23921 71455 0 0 3 0x14200 syncer update 58146 428046 0 0 3 0x14200 cleaner cleaner 34139 78026 0 0 3 0x14200 reaper reaper 5616 452489 0 0 3 0x14200 pgdaemon pagedaemon 71854 409906 0 0 3 0x14200 bored crynlk 55024 72665 0 0 3 0x14200 bored crypto 73388 380683 0 0 3 0x40014200 acpi0 acpi0 4550 497161 0 0 3 0x14200 bored softnet 37765 151085 0 0 3 0x14200 bored systqmp 40260 141982 0 0 3 0x14200 bored systq 69979 131813 0 0 3 0x40014200 bored softclock 4764 278136 0 0 3 0x40014200 idle0 1 213077 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 9533 6552K 7170K 78643K 12962 0 pcb 13 8K 8K 78643K 92 0 rtable 115 8K 13K 78643K 734 0 ifaddr 90 17K 17K 78643K 237 0 sysctl 3 1K 1K 78643K 3 0 counters 21 16K 17K 78643K 36 0 ioctlops 0 0K 4K 78643K 106 0 iov 0 0K 16K 78643K 71 0 mount 1 1K 1K 78643K 1 0 vnodes 1221 77K 77K 78643K 1832 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 5K 78643K 11 0 VM map 2 0K 0K 78643K 2 0 sem 12 1K 1K 78643K 22 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1809 195K 288K 78643K 12938 0 file desc 5 13K 25K 78643K 585 0 sigio 0 0K 0K 78643K 8 0 proc 49 38K 55K 78643K 491 0 subproc 32 2K 2K 78643K 68 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 38 0 in_multi 73 4K 4K 78643K 153 0 ether_multi 1 0K 0K 78643K 14 0 mrt 0 0K 0K 78643K 12 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 43 201K 201K 78643K 43 0 exec 0 0K 1K 78643K 268 0 pfkey data 0 0K 0K 78643K 1 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 137 72K 88K 78643K 2260 0 UVM aobj 33 2K 2K 78643K 40 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 58 0 NDP 14 0K 0K 78643K 41 0 temp 130 3867K 3931K 78643K 29837 0 kqueue 3 4K 13K 78643K 31 0 SYN cache 2 16K 16K 78643K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 13 0 7 1 0 1 1 0 8 0 rtpcb 80 67 0 65 1 0 1 1 0 8 0 rtentry 112 92 0 58 2 0 2 2 0 8 0 unpcb 120 328 0 320 1 0 1 1 0 8 0 syncache 264 6 0 6 2 2 0 1 0 8 0 tcpqe 32 501 0 501 2 2 0 1 0 8 0 tcpcb 544 170 0 165 1 0 1 1 0 8 0 ipq 40 10 0 9 3 2 1 1 0 8 0 ipqe 40 110 0 109 3 2 1 1 0 8 0 inpcb 296 677 0 669 4 2 2 2 0 8 1 rttmr 72 2 0 2 1 1 0 1 0 8 0 nd6 48 19 0 14 1 0 1 1 0 8 0 pkpcb 40 324 0 322 3 2 1 1 0 8 0 ppxss 1128 5 0 5 4 3 1 1 0 8 1 pfrktable 1344 128 0 118 3 2 1 2 0 8 0 pftag 88 19 0 18 2 1 1 1 0 8 0 pfrule 1360 36 0 18 2 0 2 2 0 8 0 art_heap8 4096 2 0 0 2 0 2 2 0 8 0 art_heap4 256 431 0 276 15 4 11 15 0 8 0 art_table 32 433 0 276 2 0 2 2 0 8 0 art_node 16 89 0 60 1 0 1 1 0 8 0 sysvmsgpl 40 23 0 19 1 0 1 1 0 8 0 semupl 112 6 0 6 1 1 0 1 0 8 0 semapl 112 20 0 10 1 0 1 1 0 8 0 shmpl 112 38 0 7 1 0 1 1 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 2178 0 779 88 0 88 88 0 8 0 ffsino 240 2178 0 779 83 0 83 83 0 8 0 nchpl 144 3190 0 1609 60 0 60 60 0 8 0 uvmvnodes 72 2757 0 0 51 0 51 51 0 8 0 vnodes 208 2757 0 0 146 0 146 146 0 8 0 namei 1024 9579 0 9579 3 2 1 1 0 8 1 vcpupl 1984 5 0 0 1 0 1 1 0 8 0 vmpool 528 5 0 0 1 0 1 1 0 8 0 pfiaddrpl 120 50 0 38 1 0 1 1 0 8 0 scxspl 192 9874 0 9873 1 0 1 1 0 8 0 plimitpl 152 69 0 62 1 0 1 1 0 8 0 sigapl 424 787 0 737 6 0 6 6 0 8 0 futexpl 56 12882 0 12882 2 1 1 1 0 8 1 knotepl 112 127 0 108 1 0 1 1 0 8 0 kqueuepl 144 82 0 76 1 0 1 1 0 8 0 pipepl 272 159 0 149 4 3 1 2 0 8 0 fdescpl 432 751 0 737 2 0 2 2 0 8 0 filepl 120 5176 0 5077 5 1 4 4 0 8 0 lockfpl 104 167 0 166 1 0 1 1 0 8 0 lockfspl 48 61 0 60 1 0 1 1 0 8 0 sessionpl 112 19 0 9 1 0 1 1 0 8 0 pgrppl 48 19 0 9 1 0 1 1 0 8 0 ucredpl 96 697 0 690 1 0 1 1 0 8 0 zombiepl 144 737 0 737 3 2 1 1 0 8 1 processpl 920 787 0 737 7 0 7 7 0 8 0 procpl 624 1463 0 1405 6 1 5 5 0 8 0 sosppl 128 10 0 10 4 4 0 1 0 8 0 sockpl 400 1399 0 1379 6 3 3 4 0 8 1 mcl64k 65536 42 0 42 2 2 0 1 0 8 0 mcl16k 16384 9 0 9 2 2 0 1 0 8 0 mcl12k 12288 14 0 14 4 3 1 1 0 8 1 mcl9k 9216 6 0 6 2 2 0 1 0 8 0 mcl8k 8192 33 0 33 3 2 1 1 0 8 1 mcl4k 4096 71 0 71 4 3 1 1 0 8 1 mcl2k2 2112 4 0 4 2 1 1 1 0 8 1 mcl2k 2048 76133 0 76072 24 15 9 18 0 8 0 mtagpl 96 334 0 197 7 1 6 6 0 8 0 mbufpl 256 126008 0 125621 44 3 41 41 0 8 1 bufpl 280 8978 0 3626 383 0 383 383 0 8 0 anonpl 16 87583 0 73245 101 31 70 83 0 107 1 amapchunkpl 152 3708 0 3567 25 12 13 20 0 158 7 amappl16 192 3610 0 2673 71 23 48 59 0 8 1 amappl15 184 1 0 0 1 0 1 1 0 8 0 amappl14 176 155 0 151 1 0 1 1 0 8 0 amappl13 168 415 0 409 1 0 1 1 0 8 0 amappl12 160 120 0 117 2 1 1 1 0 8 0 amappl11 152 180 0 170 1 0 1 1 0 8 0 amappl10 144 23 0 17 1 0 1 1 0 8 0 amappl9 136 367 0 366 1 0 1 1 0 8 0 amappl8 128 372 0 327 2 0 2 2 0 8 0 amappl7 120 128 0 114 1 0 1 1 0 8 0 amappl6 112 26 0 18 1 0 1 1 0 8 0 amappl5 104 452 0 441 1 0 1 1 0 8 0 amappl4 96 967 0 935 1 0 1 1 0 8 0 amappl3 88 363 0 357 1 0 1 1 0 8 0 amappl2 80 5087 0 5018 2 0 2 2 0 8 0 amappl1 72 22984 0 22567 23 13 10 17 0 8 0 amappl 80 1700 0 1654 2 0 2 2 0 84 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 64 39 0 7 1 0 1 1 0 8 0 uaddrrnd 24 756 0 737 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 756 0 737 1 0 1 1 0 8 0 vmmpekpl 168 8358 0 8328 3 1 2 2 0 8 0 vmmpepl 168 96277 0 94215 176 45 131 133 0 357 39 vmsppl 272 755 0 737 3 1 2 2 0 8 0 pdppl 4096 1518 0 1479 7 1 6 6 0 8 0 pvpl 32 256520 0 239347 234 54 180 194 0 265 20 pmappl 200 755 0 737 2 0 2 2 0 8 0 extentpl 40 53 0 36 1 0 1 1 0 8 0 phpool 112 304 0 44 8 0 8 8 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff823e4807) at panic+0x15c sys/kern/subr_prf.c:207 pool_do_put(ffffffff828189f0,fffffd8058600000) at pool_do_put+0x36a pool_put(ffffffff828189f0,fffffd8058600000) at pool_put+0x4b sys/kern/subr_pool.c:794 m_free(fffffd8058600000) at m_free+0x119 sys/kern/uipc_mbuf.c:459 ml_purge(ffff80001f7b1c08) at ml_purge+0x50 m_freem sys/kern/uipc_mbuf.c:538 [inline] ml_purge(ffff80001f7b1c08) at ml_purge+0x50 sys/kern/uipc_mbuf.c:1628 ifq_purge(ffff800000ad4278) at ifq_purge+0x97 sys/net/ifq.c:462 if_down(ffff800000ad4000) at if_down+0x9c if_linkstate sys/net/if.c:1668 [inline] if_down(ffff800000ad4000) at if_down+0x9c sys/net/if.c:1619 if_setrdomain(ffff800000ad4000,6) at if_setrdomain+0x17c sys/net/if.c:1871 ifioctl(fffffd805fd6d960,8020699f,ffff80001f7b1dd0,ffff80001d6ce888) at ifioctl+0x169d sys/net/if.c:2139 sys_ioctl(ffff80001d6ce888,ffff80001f7b1ee8,ffff80001f7b1f30) at sys_ioctl+0x4a1 syscall(ffff80001f7b1fb0) at syscall+0x507 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x735dd14a870, count: -13 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff823e4807) at panic+0x15c sys/kern/subr_prf.c:207 pool_do_put(ffffffff828189f0,fffffd8058600000) at pool_do_put+0x36a pool_put(ffffffff828189f0,fffffd8058600000) at pool_put+0x4b sys/kern/subr_pool.c:794 m_free(fffffd8058600000) at m_free+0x119 sys/kern/uipc_mbuf.c:459 ml_purge(ffff80001f7b1c08) at ml_purge+0x50 m_freem sys/kern/uipc_mbuf.c:538 [inline] ml_purge(ffff80001f7b1c08) at ml_purge+0x50 sys/kern/uipc_mbuf.c:1628 ifq_purge(ffff800000ad4278) at ifq_purge+0x97 sys/net/ifq.c:462 if_down(ffff800000ad4000) at if_down+0x9c if_linkstate sys/net/if.c:1668 [inline] if_down(ffff800000ad4000) at if_down+0x9c sys/net/if.c:1619 if_setrdomain(ffff800000ad4000,6) at if_setrdomain+0x17c sys/net/if.c:1871 ifioctl(fffffd805fd6d960,8020699f,ffff80001f7b1dd0,ffff80001d6ce888) at ifioctl+0x169d sys/net/if.c:2139 sys_ioctl(ffff80001d6ce888,ffff80001f7b1ee8,ffff80001f7b1f30) at sys_ioctl+0x4a1 syscall(ffff80001f7b1fb0) at syscall+0x507 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x735dd14a870, count: -13