panic: pool_p_free: rttmr free list modified: page 0xfffffd805ee57000; item addr 0xfffffd805ee57ee8; offset 0x10=0x3c99d058 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND * 64113 33440 0 0 0x4000000 0 syz-executor db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8334aa01) at panic+0x1cf sys/kern/subr_prf.c:198 pool_p_free(ffffffff83917d10,fffffd805ee57f90) at pool_p_free+0x2d1 sys/kern/subr_pool.c:986 pool_reclaim(ffffffff83917d10) at pool_reclaim+0x2c2 sys/kern/subr_pool.c:1152 pool_reclaim_all() at pool_reclaim_all+0x48 sys/kern/subr_pool.c:-1 kern_sysctl(ffff80003c96bb94,1,200000000180,ffff80003c96bbc8,200000001180,4,32414ccb20766822) at kern_sysctl+0x1094 sys/kern/kern_sysctl.c:686 sys_sysctl(ffff80003c99da20,ffff80003c96bcf0,ffff80003c96bc40) at sys_sysctl+0x3e5 sys/kern/kern_sysctl.c:-1 syscall(ffff80003c96bcf0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c96bcf0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:765 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7b381937da0, count: 6 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: pool_p_free: rttmr free list modified: page 0xfffffd805ee57000; item addr 0xfffffd805ee57ee8; offset 0x10=0x3c99d058 ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8334aa01) at panic+0x1cf sys/kern/subr_prf.c:198 pool_p_free(ffffffff83917d10,fffffd805ee57f90) at pool_p_free+0x2d1 sys/kern/subr_pool.c:986 pool_reclaim(ffffffff83917d10) at pool_reclaim+0x2c2 sys/kern/subr_pool.c:1152 pool_reclaim_all() at pool_reclaim_all+0x48 sys/kern/subr_pool.c:-1 kern_sysctl(ffff80003c96bb94,1,200000000180,ffff80003c96bbc8,200000001180,4,32414ccb20766822) at kern_sysctl+0x1094 sys/kern/kern_sysctl.c:686 sys_sysctl(ffff80003c99da20,ffff80003c96bcf0,ffff80003c96bc40) at sys_sysctl+0x3e5 sys/kern/kern_sysctl.c:-1 syscall(ffff80003c96bcf0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c96bcf0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:765 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7b381937da0, count: -9 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80003c96b7e0 rbx 0xe09205c22dfa07c4 rdx 0 rcx 0 rax 0xffff80003c99da20 r8 0x101010101010101 r9 0x8080808080808080 r10 0xfd135fe53e973283 r11 0x4ee73fb04937a657 r12 0 r13 0xfffffd805ee57f90 r14 0 r15 0x1 rip 0xffffffff82188345 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80003c96b7d0 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb> show proc PROC (syz-executor) tid=64113 pid=33440 tcnt=4 stat=onproc flags process=0 proc=4000000 runpri=32, usrpri=86, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80003c99d788,0xffff80003c99c570 process=0xffff80002a7ecd90 user=0xffff80003c966000, vmspace=0xfffffd806edc0178 estcpu=36, cpticks=2, pctcpu=0.0, user=0, sys=2, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 52235 153 0 0 3 0x14200 acct acct 33440 334470 51548 0 2 0 syz-executor *33440 64113 51548 0 7 0x4000000 syz-executor 33440 321674 51548 0 2 0x4000000 syz-executor 33440 418487 51548 0 3 0x4000080 fsleep syz-executor 58203 360583 6318 0 3 0x80 fsleep syz-executor 58203 444628 6318 0 3 0x4000080 kqsel syz-executor 29035 185243 56370 0 3 0x80 fsleep syz-executor 29035 190644 56370 0 3 0x4000080 kqpoll syz-executor 13280 408734 53042 -1 3 0x90 fsleep syz-executor 13280 44262 53042 -1 3 0x4000090 kqread syz-executor 64475 378691 98783 0 3 0x80 fsleep syz-executor 64475 91409 98783 0 3 0x4000080 sbwait syz-executor 41405 328269 55679 0 3 0x80 fsleep syz-executor 41405 496957 55679 0 3 0x4000080 sbwait syz-executor 10759 372841 7185 0 3 0x80 fsleep syz-executor 10759 264377 7185 0 3 0x4000080 pipewr syz-executor 68902 214557 91418 0 3 0x80 fsleep syz-executor 68902 400444 91418 0 3 0x4000080 lockf syz-executor 6318 340082 38481 0 2 0xc82 syz-executor 98783 338684 38481 0 2 0xc82 syz-executor 56370 303907 38481 0 2 0xc82 syz-executor 86687 219350 1 0 3 0x100083 ttyin getty 7185 428039 38481 0 2 0xc82 syz-executor 55679 341823 38481 0 2 0x3 syz-executor 22982 311121 0 0 3 0x14200 bored sosplice 53042 421772 38481 0 2 0x3 syz-executor 51548 157577 38481 0 2 0xc82 syz-executor 91418 419303 38481 0 2 0x3 syz-executor 38481 200909 62965 0 3 0x82 kqread syz-executor 62965 145577 6821 0 3 0x10008a sigsusp ksh 6821 165192 6776 0 3 0x98 kqread sshd-session 6776 3977 94047 0 3 0x92 kqread sshd-session 94047 442684 1 0 3 0x88 kqread sshd 81831 94389 87567 73 3 0x1100090 kqread syslogd 87567 274588 1 0 3 0x100082 sbwait syslogd 98893 448413 1 0 3 0x100080 kqread resolvd 17917 83273 30217 77 3 0x100092 kqread dhcpleased 45993 327941 30217 77 3 0x100092 kqread dhcpleased 30217 22448 1 0 3 0x80 kqread dhcpleased 24891 140219 0 0 3 0x14200 bored smr 35170 237651 0 0 2 0x14200 zerothread 6024 46169 0 0 3 0x14200 aiodoned aiodoned 23917 203496 0 0 3 0x14200 syncer update 69400 322111 0 0 3 0x14200 cleaner cleaner 9264 427735 0 0 3 0x14200 reaper reaper 11019 223691 0 0 3 0x14200 pgdaemon pagedaemon 87689 403119 0 0 3 0x14200 bored viomb 38562 173954 0 0 3 0x40014200 acpi0 acpi0 64597 29580 0 0 3 0x14200 bored softnet0 77337 247933 0 0 3 0x14200 bored systqmp 29173 323442 0 0 3 0x14200 bored systq 17843 78619 0 0 3 0x40014200 tmoslp softclock 15479 116201 0 0 3 0x40014200 idle0 1 295515 0 0 3 0x80082 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10218 11063K 11623K 166960K 17194 0 pcb 18 16K 22K 166960K 1035 0 rtable 227 13K 14K 166960K 1200 0 pf 39 15K 67482K 166960K 421 0 ifaddr 35 7K 9K 166960K 257 0 ifgroup 57 2K 2K 166960K 461 0 sysctl 4 1K 9K 166960K 34 0 counters 33 17K 18K 166960K 255 0 ioctlops 0 0K 4K 166960K 910 0 iov 1 2K 44K 166960K 303 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1506 95K 95K 166960K 5041 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 9K 166960K 55 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 139 0 dirhash 12 2K 2K 166960K 39 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 18 65K 240K 166960K 3431 0 sigio 0 0K 0K 166960K 131 0 proc 61 59K 124K 166960K 964 0 subproc 72 4K 4K 166960K 135 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 504 0 in_multi 64 4K 7K 166960K 336 0 ether_multi 1 0K 0K 166960K 33 0 mrt 2 0K 0K 166960K 27 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 271 1208K 1208K 166960K 271 0 exec 0 0K 1K 166960K 775 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 4 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 236 152K 177K 166960K 32958 0 UVM aobj 70 5K 6K 166960K 80 0 pinsyscall 39 78K 96K 166960K 4665 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 1K 166960K 170 0 NDP 12 0K 2K 166960K 181 0 temp 112 8648K 8732K 166960K 125562 0 kqueue 16 22K 32K 166960K 651 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 543 0 540 3 2 1 3 0 8 0 rtentry 136 326 0 250 5 0 5 5 0 8 0 unpcb 144 2399 0 2380 11 10 1 6 0 8 0 syncache 336 7 0 7 2 2 0 1 0 8 0 tcpqe 32 1 0 1 1 1 0 1 0 8 0 tcpcb 736 1462 0 1454 10 9 1 7 0 8 0 arp 96 44 0 28 1 0 1 1 0 8 0 ipq 40 17 0 15 1 0 1 1 0 8 0 ipqe 40 26 0 24 1 0 1 1 0 8 0 inpcb 328 3767 0 3755 19 17 2 10 0 8 0 ip6q 72 16 0 14 2 1 1 1 0 8 0 ip6af 40 27 0 24 2 1 1 1 0 8 0 nd6 112 58 0 39 1 0 1 1 0 8 0 pkpcb 40 23 0 23 2 2 0 1 0 8 0 kcovpl 48 15 0 7 1 0 1 1 0 8 0 mppekey 1024 6 0 6 1 1 0 1 0 8 0 ppxss 1072 175 0 175 1 1 0 1 0 8 0 pppxif 1384 23 0 23 1 1 0 1 0 8 0 pfstscr 40 4 0 3 2 1 1 1 0 8 0 pfosfp 40 1 0 0 1 0 1 1 0 8 0 pfosfpen 112 1 0 0 1 0 1 1 0 8 0 pfrktable 1344 71 0 71 1 1 0 1 0 8 0 pfanchor 1288 6 0 1 1 0 1 1 0 8 0 pftag 88 4 0 1 1 0 1 1 0 8 0 pfstitem 24 13 0 4 1 0 1 1 0 8 0 pfstkey 128 26 0 16 1 0 1 1 0 8 0 pfstate 384 14 0 9 1 0 1 1 0 8 0 pfrule 1344 17 0 16 1 0 1 1 0 8 0 rttmr 136 5 0 5 2 2 0 1 0 8 0 art_heap8 4096 4 0 0 4 0 4 4 0 8 0 art_heap4 256 1443 0 1129 31 3 28 31 0 8 7 art_table 40 1447 0 1129 5 0 5 5 0 8 0 art_node 32 288 0 221 1 0 1 1 0 8 0 sysvmsgpl 40 27 0 6 1 0 1 1 0 8 0 semupl 112 4 0 4 2 1 1 1 0 8 1 semapl 112 135 0 125 1 0 1 1 0 8 0 shmpl 112 77 0 10 2 0 2 2 0 8 0 dirhash 1024 35 0 18 3 0 3 3 0 8 0 dino2pl 256 7887 0 6382 95 0 95 95 0 8 0 ffsino 256 7887 0 6382 95 0 95 95 0 8 0 nchpl 144 12660 0 10948 64 0 64 64 0 8 0 rtmask 32 34 0 34 2 1 1 1 0 8 1 vnodes 216 3257 0 0 181 0 181 181 0 8 0 namei 1024 45557 0 45557 4 2 2 2 0 8 2 pfiaddrpl 120 1 0 1 1 0 1 1 0 8 1 kstatmem 264 300 0 276 3 0 3 3 0 8 1 acpiwqpl 32 2 0 2 1 0 1 1 1 8 1 scsiplug 72 14 0 14 1 0 1 1 0 8 1 scxspl 216 47187 0 47187 10 2 8 8 1 8 8 plimitpl 152 1051 0 1034 1 0 1 1 0 8 0 sigapl 424 3705 0 3660 8 0 8 8 0 8 2 knotepl 120 172117 0 172066 61 48 13 24 0 8 8 kqueuepl 184 1461 0 1448 4 0 4 4 0 8 3 pipepl 304 574 0 546 8 0 8 8 0 8 5 fdescpl 448 3660 0 3630 5 1 4 5 0 8 0 filepl 120 27277 0 27053 20 4 16 16 0 8 8 lockfpl 104 1403 0 1399 2 0 2 2 0 8 1 lockfspl 48 503 0 500 1 0 1 1 0 8 0 sessionpl 144 32 0 24 1 0 1 1 0 8 0 pgrppl 48 128 0 112 1 0 1 1 0 8 0 ucredpl 104 5065 0 5053 1 0 1 1 0 8 0 zombiepl 144 5479 0 5479 2 1 1 1 0 8 1 processpl 1152 3705 0 3660 5 0 5 5 0 8 1 procpl 664 9117 0 9062 8 0 8 8 0 8 3 sosppl 168 18 0 18 2 1 1 1 0 8 1 sockpl 552 6877 0 6843 31 20 11 15 0 8 8 mcl64k 65536 634 0 632 2 1 1 1 0 8 0 mcl16k 16384 10 0 9 1 0 1 1 0 8 0 mcl12k 12288 1 0 1 1 0 1 1 0 8 1 mcl9k 9216 8 0 8 2 1 1 1 0 8 1 mcl8k 8192 39 0 39 2 1 1 1 0 8 1 mcl4k 4096 6950 0 6900 16 8 8 15 0 8 1 mcl2k2 2112 2 0 2 1 0 1 1 0 8 1 mcl2k 2048 4932 0 4928 5 1 4 4 0 8 2 mtagpl 96 24 0 21 1 0 1 1 0 8 0 mbufpl 256 43078 0 42697 149 114 35 89 0 8 8 bufpl 280 15559 0 9337 445 0 445 445 0 8 0 anonpl 24 513665 0 509885 79 10 69 69 0 187 30 amapchunkpl 152 114100 0 113584 51 12 39 39 0 158 15 amappl16 200 10734 0 10696 56 42 14 24 0 8 7 amappl15 192 10 0 10 2 1 1 1 0 8 1 amappl14 184 7 0 7 2 1 1 1 0 8 1 amappl13 176 493 0 492 1 0 1 1 0 8 0 amappl12 168 4052 0 4013 2 0 2 2 0 8 0 amappl11 160 2 0 2 1 1 0 1 0 8 0 amappl10 152 47 0 37 1 0 1 1 0 8 0 amappl9 144 251 0 251 1 1 0 1 0 8 0 amappl8 136 20 0 18 1 0 1 1 0 8 0 amappl7 128 107 0 106 1 0 1 1 0 8 0 amappl6 120 376 0 363 1 0 1 1 0 8 0 amappl5 112 237 0 228 1 0 1 1 0 8 0 amappl4 104 435 0 406 1 0 1 1 0 8 0 amappl3 96 20209 0 20116 3 0 3 3 0 8 0 amappl2 88 3799 0 3722 2 0 2 2 0 8 0 amappl1 80 22936 0 22394 15 1 14 14 0 8 1 amappl 88 31546 0 31379 5 0 5 5 0 92 0 uvmvnodes 80 3257 0 0 67 0 67 67 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma2048 2048 1 0 1 1 0 1 1 0 8 1 dma1024 1024 3 0 2 1 0 1 1 0 8 0 dma512 512 1 0 1 1 0 1 1 0 8 1 dma256 256 10 0 10 2 1 1 1 0 8 1 dma128 128 256 0 256 2 1 1 1 0 8 1 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 19 0 18 1 0 1 1 0 8 0 aobjpl 72 79 0 10 2 0 2 2 0 8 0 uaddrrnd 24 3660 0 3630 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 3660 0 3630 1 0 1 1 0 8 0 vmmpekpl 168 28335 0 28277 3 0 3 3 0 8 0 vmmpepl 168 230423 0 228559 106 6 100 100 0 357 13 vmsppl 368 3659 0 3630 4 1 3 4 0 8 0 rwobjpl 40 60739 0 56547 46 0 46 46 0 8 1 pdppl 4096 7327 0 7260 131 62 69 83 0 8 2 pvpl 32 1523576 0 1513830 171 15 156 156 0 265 57 pmappl 216 3659 0 3630 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 566 0 208 12 0 12 12 0 8 1 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8334aa01) at panic+0x1cf sys/kern/subr_prf.c:198 pool_p_free(ffffffff83917d10,fffffd805ee57f90) at pool_p_free+0x2d1 sys/kern/subr_pool.c:986 pool_reclaim(ffffffff83917d10) at pool_reclaim+0x2c2 sys/kern/subr_pool.c:1152 pool_reclaim_all() at pool_reclaim_all+0x48 sys/kern/subr_pool.c:-1 kern_sysctl(ffff80003c96bb94,1,200000000180,ffff80003c96bbc8,200000001180,4,32414ccb20766822) at kern_sysctl+0x1094 sys/kern/kern_sysctl.c:686 sys_sysctl(ffff80003c99da20,ffff80003c96bcf0,ffff80003c96bc40) at sys_sysctl+0x3e5 sys/kern/kern_sysctl.c:-1 syscall(ffff80003c96bcf0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c96bcf0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:765 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7b381937da0, count: -9 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8334aa01) at panic+0x1cf sys/kern/subr_prf.c:198 pool_p_free(ffffffff83917d10,fffffd805ee57f90) at pool_p_free+0x2d1 sys/kern/subr_pool.c:986 pool_reclaim(ffffffff83917d10) at pool_reclaim+0x2c2 sys/kern/subr_pool.c:1152 pool_reclaim_all() at pool_reclaim_all+0x48 sys/kern/subr_pool.c:-1 kern_sysctl(ffff80003c96bb94,1,200000000180,ffff80003c96bbc8,200000001180,4,32414ccb20766822) at kern_sysctl+0x1094 sys/kern/kern_sysctl.c:686 sys_sysctl(ffff80003c99da20,ffff80003c96bcf0,ffff80003c96bc40) at sys_sysctl+0x3e5 sys/kern/kern_sysctl.c:-1 syscall(ffff80003c96bcf0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c96bcf0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:765 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7b381937da0, count: -9