panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd8063daf500+24 0xb019f5e329035860!=0xb019f5634ad99260 Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *281649 10842 0 0 0x4000000 0 syz-executor.0 172769 52991 0 0x14000 0x200 1 systqmp db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff8240acfd) at panic+0x164 sys/kern/subr_prf.c:218 pool_cache_get(ffffffff828ce6d0) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1781 [inline] pool_cache_get(ffffffff828ce6d0) at pool_cache_get+0x323 sys/kern/subr_pool.c:1884 pool_get(ffffffff828ce6d0,2) at pool_get+0x91 sys/kern/subr_pool.c:572 m_get(2,3) at m_get+0x4c sys/kern/uipc_mbuf.c:250 sbappendaddr(fffffd806f65f190,fffffd806f65f218,ffffffff82560788,fffffd8063db6900,0) at sbappendaddr+0x2e9 sys/kern/uipc_socket2.c:804 rtm_sendup(fffffd806f65f190,fffffd8063db6900,0) at rtm_sendup+0xef sys/net/rtsock.c:594 route_input(fffffd8063db6900,0,18) at route_input+0x489 sys/net/rtsock.c:572 rtm_send(fffffd806462b158,2,0,0) at rtm_send+0x18d sys/net/rtsock.c:1659 rt_ifa_del(ffff800000b2d700,200404,ffff800000b2d740,0) at rt_ifa_del+0x3bb sys/net/route.c:1192 rt_ifa_dellocal(ffff800000b2d700) at rt_ifa_dellocal+0x149 sys/net/route.c:1292 in6_purgeaddr(ffff800000b2d700) at in6_purgeaddr+0x114 sys/netinet6/in6.c:922 ifnewlladdr(ffff800000b10000) at ifnewlladdr+0x108 sys/net/if.c:3039 ifioctl(fffffd806c991b00,8020691f,ffff800021eca790,ffff800020eb2780) at ifioctl+0x1b3e sys/net/if.c:2095 end trace frame: 0xffff800021eca780, count: 0 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd8063daf500+24 0xb019f5e329035860!=0xb019f5634ad99260 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff8240acfd) at panic+0x164 sys/kern/subr_prf.c:218 pool_cache_get(ffffffff828ce6d0) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1781 [inline] pool_cache_get(ffffffff828ce6d0) at pool_cache_get+0x323 sys/kern/subr_pool.c:1884 pool_get(ffffffff828ce6d0,2) at pool_get+0x91 sys/kern/subr_pool.c:572 m_get(2,3) at m_get+0x4c sys/kern/uipc_mbuf.c:250 sbappendaddr(fffffd806f65f190,fffffd806f65f218,ffffffff82560788,fffffd8063db6900,0) at sbappendaddr+0x2e9 sys/kern/uipc_socket2.c:804 rtm_sendup(fffffd806f65f190,fffffd8063db6900,0) at rtm_sendup+0xef sys/net/rtsock.c:594 route_input(fffffd8063db6900,0,18) at route_input+0x489 sys/net/rtsock.c:572 rtm_send(fffffd806462b158,2,0,0) at rtm_send+0x18d sys/net/rtsock.c:1659 rt_ifa_del(ffff800000b2d700,200404,ffff800000b2d740,0) at rt_ifa_del+0x3bb sys/net/route.c:1192 rt_ifa_dellocal(ffff800000b2d700) at rt_ifa_dellocal+0x149 sys/net/route.c:1292 in6_purgeaddr(ffff800000b2d700) at in6_purgeaddr+0x114 sys/netinet6/in6.c:922 ifnewlladdr(ffff800000b10000) at ifnewlladdr+0x108 sys/net/if.c:3039 ifioctl(fffffd806c991b00,8020691f,ffff800021eca790,ffff800020eb2780) at ifioctl+0x1b3e sys/net/if.c:2095 soo_ioctl(fffffd80669fa020,8020691f,ffff800021eca790,ffff800020eb2780) at soo_ioctl+0x27c sys/kern/sys_socket.c:138 sys_ioctl(ffff800020eb2780,ffff800021eca8a8,ffff800021eca8f0) at sys_ioctl+0x4a5 syscall(ffff800021eca970) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff800021eca970) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xbab8676d2b0, count: -18 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff800021ec9e80 rbx 0xffff800021ec9f30 rdx 0x8b rcx 0x2 rax 0x1 r8 0xffff800021ec9e40 r9 0xffffffff814bc41f kprintf+0x16f r10 0x1 r11 0xd881cc3264a43d92 r12 0x3000000008 r13 0xffff800021ec9e90 r14 0x100 r15 0x1 rip 0xffffffff81c991c8 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff800021ec9e70 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor.0) pid=281649 stat=onproc flags process=0 proc=4000000 pri=32, usrpri=79, nice=20 forw=0xffffffffffffffff, list=0xffff800020eb2508,0xffffffff828c88f8 process=0xffff800020eb4bd8 user=0xffff800021ec5000, vmspace=0xfffffd806e8fd2e8 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 10842 463855 16768 0 2 0 syz-executor.0 *10842 281649 16768 0 7 0x4000000 syz-executor.0 16768 195560 79497 0 3 0x82 nanosleep syz-executor.0 43653 389206 0 0 3 0x14200 bored sosplice 47575 198438 79497 0 3 0x82 piperd syz-executor.1 79497 141457 31276 0 3 0x82 thrsleep syz-fuzzer 79497 186094 31276 0 3 0x4000082 nanosleep syz-fuzzer 79497 305393 31276 0 2 0x4000002 syz-fuzzer 79497 350977 31276 0 3 0x4000082 thrsleep syz-fuzzer 79497 304303 31276 0 3 0x4000082 thrsleep syz-fuzzer 79497 79558 31276 0 3 0x4000082 thrsleep syz-fuzzer 79497 251323 31276 0 3 0x4000082 thrsleep syz-fuzzer 79497 168897 31276 0 3 0x4000082 kqread syz-fuzzer 31276 306327 32002 0 3 0x10008a pause ksh 32002 90811 93722 0 3 0x92 select sshd 79411 216055 1 0 3 0x100083 ttyin getty 93722 235638 1 0 3 0x80 select sshd 34590 143707 55200 74 3 0x100092 bpf pflogd 55200 39203 1 0 3 0x80 netio pflogd 27649 354500 5802 73 3 0x100090 kqread syslogd 5802 134944 1 0 3 0x100082 netio syslogd 11470 104077 1 77 3 0x100090 poll dhclient 49414 381497 1 0 3 0x80 poll dhclient 65579 483684 0 0 3 0x14200 bored smr 63383 470080 0 0 2 0x14200 zerothread 92637 164242 0 0 3 0x14200 aiodoned aiodoned 99496 307414 0 0 3 0x14200 syncer update 21018 119973 0 0 3 0x14200 cleaner cleaner 3122 464581 0 0 3 0x14200 reaper reaper 77766 480022 0 0 3 0x14200 pgdaemon pagedaemon 20499 463256 0 0 3 0x14200 bored crynlk 5450 419388 0 0 3 0x14200 bored crypto 49636 30473 0 0 3 0x40014200 acpi0 acpi0 28354 37479 0 0 3 0x40014200 idle1 67192 274191 0 0 3 0x14200 bored softnet 52991 172769 0 0 7 0x14200 systqmp 2388 5258 0 0 3 0x14200 bored systq 39743 206752 0 0 3 0x40014200 bored softclock 4154 22904 0 0 3 0x40014200 idle0 1 66199 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks CPU 1: exclusive mutex art_node r = 0 (0xffffffff828d6600) #0 witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline] #0 witness_lock+0x4c7 sys/kern/subr_witness.c:1164 #1 mtx_enter_try+0x102 #2 mtx_enter+0x4b sys/kern/kern_lock.c:266 #3 pool_put+0x64 sys/kern/subr_pool.c:792 #4 art_gc+0x89 sys/net/art.c:930 #5 taskq_thread+0xfa sys/kern/kern_task.c:449 #6 proc_trampoline+0x1c Process 10842 (syz-executor.0) thread 0xffff800020eb2780 (281649) exclusive rwlock netlock r = 0 (0xffffffff827a6120) #0 witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline] #0 witness_lock+0x4c7 sys/kern/subr_witness.c:1164 #1 ifioctl+0x117b sys/net/if.c:2078 #2 soo_ioctl+0x27c sys/kern/sys_socket.c:138 #3 sys_ioctl+0x4a5 #4 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline] #4 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570 #5 Xsyscall+0x128 exclusive kernel_lock &kernel_lock r = 1 (0xffffffff828dd3d0) #0 witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline] #0 witness_lock+0x4c7 sys/kern/subr_witness.c:1164 #1 soo_ioctl+0x26a sys/kern/sys_socket.c:138 #2 sys_ioctl+0x4a5 #3 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline] #3 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570 #4 Xsyscall+0x128 Process 52991 (systqmp) thread 0xffff800020d88768 (172769) shared rwlock systqmp r = 0 (0xffffffff827492b0) #0 witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline] #0 witness_lock+0x4c7 sys/kern/subr_witness.c:1164 #1 taskq_thread+0xdf sys/kern/kern_task.c:445 #2 proc_trampoline+0x1c ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 9518 6540K 6606K 78643K 10967 0 pcb 13 8K 8K 78643K 45 0 rtable 121 6K 9K 78643K 469 0 ifaddr 71 14K 15K 78643K 163 0 counters 43 33K 34K 78643K 61 0 ioctlops 0 0K 4K 78643K 1532 0 iov 0 0K 12K 78643K 38 0 mount 1 1K 1K 78643K 1 0 vnodes 1219 77K 77K 78643K 1349 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 5K 78643K 4 0 VM map 2 1K 1K 78643K 2 0 sem 12 0K 0K 78643K 95 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1824 197K 290K 78643K 13058 0 file desc 5 13K 25K 78643K 407 0 sigio 0 0K 0K 78643K 8 0 proc 61 63K 83K 78643K 509 0 subproc 32 2K 2K 78643K 53 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 35 0 in_multi 46 2K 2K 78643K 139 0 ether_multi 1 0K 0K 78643K 10 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 49 228K 228K 78643K 49 0 exec 0 0K 1K 78643K 240 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 170 58K 59K 78643K 2230 0 UVM aobj 9 2K 2K 78643K 9 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 36 0 NDP 11 0K 0K 78643K 38 0 temp 101 3869K 3933K 78643K 17162 0 kqueue 3 4K 8K 78643K 21 0 SYN cache 2 16K 16K 78643K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 10 0 4 1 0 1 1 0 8 0 plcache 128 20 0 0 1 0 1 1 0 8 0 rtpcb 88 44 0 41 1 0 1 1 0 8 0 rtentry 112 89 0 43 2 0 2 2 0 8 0 unpcb 120 284 0 273 1 0 1 1 0 8 0 syncache 272 10 0 10 3 3 0 1 0 8 0 tcpqe 32 1 0 1 1 1 0 1 0 8 0 tcpcb 592 140 0 135 4 3 1 2 0 8 0 inpcb 296 911 0 900 3 1 2 2 0 8 1 nd6 48 27 0 21 1 0 1 1 0 8 0 pkpcb 40 2 0 2 1 1 0 1 0 8 0 pfstscr 40 2 0 2 1 1 0 1 0 8 0 pffrag 232 5 0 4 2 1 1 1 0 482 0 pffrnode 88 5 0 4 2 1 1 1 0 8 0 pffrent 40 96 0 95 2 1 1 1 0 8 0 pfosfp 40 846 0 423 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfrktable 1344 43 0 39 1 0 1 1 0 8 0 pftag 88 1 0 0 1 0 1 1 0 8 0 pfqueue 264 2 0 2 1 1 0 1 0 8 0 pfstitem 24 23 0 14 1 0 1 1 0 8 0 pfstkey 112 27 0 18 1 0 1 1 0 8 0 pfstate 328 25 0 16 2 0 2 2 0 8 0 pfrule 1360 31 0 20 3 2 1 2 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 301 0 125 13 0 13 13 0 8 1 art_table 32 302 0 125 2 0 2 2 0 8 0 art_node 16 88 0 48 1 0 1 1 0 8 0 sysvmsgpl 40 4 0 4 1 0 1 1 0 8 1 semapl 112 93 0 83 1 0 1 1 0 8 0 shmpl 112 6 0 0 1 0 1 1 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 1887 0 485 88 0 88 88 0 8 0 ffsino 272 1887 0 485 94 0 94 94 0 8 0 nchpl 144 2899 0 1305 60 0 60 60 0 8 0 uvmvnodes 72 2027 0 0 37 0 37 37 0 8 0 vnodes 208 2027 0 0 107 0 107 107 0 8 0 namei 1024 7598 0 7598 1 0 1 1 0 8 1 percpumem 16 41 0 9 1 0 1 1 0 8 0 vcpupl 1984 4 0 0 1 0 1 1 0 8 0 vmpool 560 6 0 2 1 0 1 1 0 8 0 pfiaddrpl 120 16 0 12 1 0 1 1 0 8 0 scxspl 200 8133 0 8133 8 7 1 7 0 8 1 plimitpl 152 42 0 34 1 0 1 1 0 8 0 sigapl 424 620 0 588 4 0 4 4 0 8 0 futexpl 56 7538 0 7538 1 0 1 1 0 8 1 knotepl 112 95 0 75 1 0 1 1 0 8 0 kqueuepl 152 75 0 72 1 0 1 1 0 8 0 pipepl 304 128 0 117 3 1 2 2 0 8 1 fdescpl 496 604 0 588 3 0 3 3 0 8 0 filepl 152 4034 0 3927 5 0 5 5 0 8 0 lockfpl 104 70 0 69 1 0 1 1 0 8 0 lockfspl 48 27 0 26 1 0 1 1 0 8 0 sessionpl 120 19 0 8 1 0 1 1 0 8 0 pgrppl 48 21 0 10 1 0 1 1 0 8 0 ucredpl 96 291 0 282 1 0 1 1 0 8 0 zombiepl 144 588 0 588 1 0 1 1 0 8 1 processpl 1008 620 0 588 5 0 5 5 0 8 0 procpl 632 1353 0 1313 4 0 4 4 0 8 0 sosppl 144 6 0 6 2 2 0 1 0 8 0 sockpl 400 1242 0 1215 5 1 4 4 0 8 1 mcl64k 65536 12 0 0 2 0 2 2 0 8 0 mcl12k 12288 4 0 0 1 0 1 1 0 8 0 mcl9k 9216 2 0 0 1 0 1 1 0 8 0 mcl8k 8192 3 0 0 1 0 1 1 0 8 0 mcl4k 4096 8 0 0 1 0 1 1 0 8 0 mcl2k2 2112 3 0 0 1 0 1 1 0 8 0 mcl2k 2048 209 0 0 26 0 26 26 0 8 0 mtagpl 96 19 0 0 1 0 1 1 0 8 0 mbufpl 256 478 0 0 29 0 29 29 0 8 0 bufpl 280 4231 0 127 294 0 294 294 0 8 0 anonpl 16 73981 0 56003 80 4 76 78 0 124 1 amapchunkpl 152 3408 0 3104 16 0 16 16 0 158 1 amappl16 192 2658 0 1783 47 3 44 46 0 8 0 amappl15 184 24 0 22 1 0 1 1 0 8 0 amappl14 176 38 0 34 2 1 1 1 0 8 0 amappl13 168 35 0 32 1 0 1 1 0 8 0 amappl12 160 32 0 28 1 0 1 1 0 8 0 amappl11 152 361 0 346 1 0 1 1 0 8 0 amappl10 144 22 0 16 1 0 1 1 0 8 0 amappl9 136 377 0 373 1 0 1 1 0 8 0 amappl8 128 382 0 339 2 0 2 2 0 8 0 amappl7 120 123 0 110 1 0 1 1 0 8 0 amappl6 112 337 0 328 1 0 1 1 0 8 0 amappl5 104 494 0 478 1 0 1 1 0 8 0 amappl4 96 506 0 474 1 0 1 1 0 8 0 amappl3 88 168 0 159 1 0 1 1 0 8 0 amappl2 80 3853 0 3782 2 0 2 2 0 8 0 amappl1 72 25934 0 25482 23 13 10 18 0 8 0 amappl 80 1665 0 1586 2 0 2 2 0 84 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 64 8 0 0 1 0 1 1 0 8 0 uaddrrnd 24 610 0 590 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 610 0 590 1 0 1 1 0 8 0 vmmpekpl 168 8397 0 8363 2 0 2 2 0 8 0 vmmpepl 168 84058 0 81945 157 29 128 128 0 357 34 vmsppl 368 609 0 590 2 0 2 2 0 8 0 pdppl 4096 1227 0 1184 6 0 6 6 0 8 0 pvpl 32 239792 0 218629 187 6 181 185 0 265 4 pmappl 232 609 0 590 2 0 2 2 0 8 0 extentpl 40 53 0 36 1 0 1 1 0 8 0 phpool 112 280 0 8 8 0 8 8 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff8240acfd) at panic+0x164 sys/kern/subr_prf.c:218 pool_cache_get(ffffffff828ce6d0) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1781 [inline] pool_cache_get(ffffffff828ce6d0) at pool_cache_get+0x323 sys/kern/subr_pool.c:1884 pool_get(ffffffff828ce6d0,2) at pool_get+0x91 sys/kern/subr_pool.c:572 m_get(2,3) at m_get+0x4c sys/kern/uipc_mbuf.c:250 sbappendaddr(fffffd806f65f190,fffffd806f65f218,ffffffff82560788,fffffd8063db6900,0) at sbappendaddr+0x2e9 sys/kern/uipc_socket2.c:804 rtm_sendup(fffffd806f65f190,fffffd8063db6900,0) at rtm_sendup+0xef sys/net/rtsock.c:594 route_input(fffffd8063db6900,0,18) at route_input+0x489 sys/net/rtsock.c:572 rtm_send(fffffd806462b158,2,0,0) at rtm_send+0x18d sys/net/rtsock.c:1659 rt_ifa_del(ffff800000b2d700,200404,ffff800000b2d740,0) at rt_ifa_del+0x3bb sys/net/route.c:1192 rt_ifa_dellocal(ffff800000b2d700) at rt_ifa_dellocal+0x149 sys/net/route.c:1292 in6_purgeaddr(ffff800000b2d700) at in6_purgeaddr+0x114 sys/netinet6/in6.c:922 ifnewlladdr(ffff800000b10000) at ifnewlladdr+0x108 sys/net/if.c:3039 ifioctl(fffffd806c991b00,8020691f,ffff800021eca790,ffff800020eb2780) at ifioctl+0x1b3e sys/net/if.c:2095 soo_ioctl(fffffd80669fa020,8020691f,ffff800021eca790,ffff800020eb2780) at soo_ioctl+0x27c sys/kern/sys_socket.c:138 sys_ioctl(ffff800020eb2780,ffff800021eca8a8,ffff800021eca8f0) at sys_ioctl+0x4a5 syscall(ffff800021eca970) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff800021eca970) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xbab8676d2b0, count: -18 ddb{0}> machine ddbcpu 1