login: panic: pool_p_free: rttmr free list modified: page 0xfffffd8073bf5000; item addr 0xfffffd8073bf5c40; offset 0x10=0x838c4e30 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *273644 76486 0 0 0x4000000 0 syz-executor db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8338267b) at panic+0x1cf sys/kern/subr_prf.c:198 pool_p_free(ffffffff83969bd0,fffffd8073bf5f90) at pool_p_free+0x2c1 sys/kern/subr_pool.c:-1 pool_reclaim(ffffffff83969bd0) at pool_reclaim+0x2b6 sys/kern/subr_pool.c:1155 pool_reclaim_all() at pool_reclaim_all+0x48 sys/kern/subr_pool.c:-1 kern_sysctl_locked(ffff8000381373b4,1,0,ffff8000381373e8,200000001440,4,7f081c286c8127f0) at kern_sysctl_locked+0x156e sys/kern/kern_sysctl.c:760 kern_sysctl(ffff8000381373b4,1,0,ffff8000381373e8,200000001440,4,89a6bbd999f845b9) at kern_sysctl+0xa6e sys/kern/kern_sysctl.c:630 sys_sysctl(ffff80002a7cfc48,ffff800038137520,ffff800038137470) at sys_sysctl+0x425 sys/kern/kern_sysctl.c:-1 syscall(ffff800038137520) at syscall+0x97e mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff800038137520) at syscall+0x97e sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x1350f393860, count: 5 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: pool_p_free: rttmr free list modified: page 0xfffffd8073bf5000; item addr 0xfffffd8073bf5c40; offset 0x10=0x838c4e30 ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8338267b) at panic+0x1cf sys/kern/subr_prf.c:198 pool_p_free(ffffffff83969bd0,fffffd8073bf5f90) at pool_p_free+0x2c1 sys/kern/subr_pool.c:-1 pool_reclaim(ffffffff83969bd0) at pool_reclaim+0x2b6 sys/kern/subr_pool.c:1155 pool_reclaim_all() at pool_reclaim_all+0x48 sys/kern/subr_pool.c:-1 kern_sysctl_locked(ffff8000381373b4,1,0,ffff8000381373e8,200000001440,4,7f081c286c8127f0) at kern_sysctl_locked+0x156e sys/kern/kern_sysctl.c:760 kern_sysctl(ffff8000381373b4,1,0,ffff8000381373e8,200000001440,4,89a6bbd999f845b9) at kern_sysctl+0xa6e sys/kern/kern_sysctl.c:630 sys_sysctl(ffff80002a7cfc48,ffff800038137520,ffff800038137470) at sys_sysctl+0x425 sys/kern/kern_sysctl.c:-1 syscall(ffff800038137520) at syscall+0x97e mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff800038137520) at syscall+0x97e sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x1350f393860, count: -10 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff800038136f20 rbx 0x97452226a9ba049 rdx 0xffff80000149c180 rcx 0 rax 0xffff80002a7cfc48 r8 0x101010101010101 r9 0x8080808080808080 r10 0x6fdc119eb3480441 r11 0x87d1c65272c802de r12 0 r13 0x1 r14 0 r15 0x1 rip 0xffffffff824bdd35 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff800038136f10 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb> show proc PROC (syz-executor) tid=273644 pid=76486 tcnt=2 stat=onproc flags process=0 proc=4000000 runpri=50, usrpri=86, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80002a7cf728,0xffff80002a7ce7d8 process=0xffff8000ffff9a30 user=0xffff800038132000, vmspace=0xfffffd806c082178 estcpu=36, cpticks=20, pctcpu=0.0, user=0, sys=20, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 20816 234684 617 0 2 0 syz-executor 20816 213858 617 0 2 0x4000000 syz-executor 76486 245365 88769 0 2 0 syz-executor *76486 273644 88769 0 7 0x4000000 syz-executor 84413 412555 73478 0 2 0 syz-executor 84413 167892 73478 0 3 0x4000080 netacc syz-executor 83423 198828 63842 0 2 0 syz-executor 83423 131993 63842 0 3 0x4000080 fsleep syz-executor 59189 209788 84725 0 2 0x480 syz-executor 59189 238512 84725 0 3 0x4000080 kqpoll syz-executor 59189 117518 84725 0 3 0x4000080 fsleep syz-executor 59602 269743 44061 0 2 0 syz-executor 59602 480994 44061 0 2 0x4000000 syz-executor 80517 489587 0 0 3 0x14200 acct acct 68311 65460 29982 0 2 0x400000 syz-executor 68311 72476 29982 0 3 0x4400080 fsleep syz-executor 68311 56257 29982 0 3 0x4400080 fsleep syz-executor 13211 83499 56306 0 2 0x1 syz-executor 13211 141819 56306 0 3 0x4000080 pipewr syz-executor 13211 56779 56306 0 3 0x4000080 fsleep syz-executor 55632 514567 1 0 3 0x100083 ttyin getty 84725 298356 83571 0 2 0x2 syz-executor 88769 504112 83571 0 2 0x3 syz-executor 44061 207996 83571 0 2 0x3 syz-executor 73478 270635 83571 0 2 0x3 syz-executor 63842 24357 83571 0 2 0x3 syz-executor 29982 272539 83571 0 2 0x3 syz-executor 56306 221880 83571 0 2 0x3 syz-executor 51159 217264 0 0 3 0x14200 bored sosplice 617 130514 83571 0 2 0x3 syz-executor 83571 365303 82490 0 3 0x82 kqread syz-executor 82490 336488 53443 0 3 0x10008a sigsusp ksh 53443 143216 67854 0 3 0x98 kqread sshd-session 67854 164597 78983 0 3 0x92 kqread sshd-session 78983 278610 1 0 3 0x88 kqread sshd 91420 101921 47492 73 3 0x1100090 kqread syslogd 47492 495567 1 0 3 0x100082 sbwait syslogd 57124 76286 1 0 3 0x100080 kqread resolvd 74448 451019 99923 77 3 0x100092 kqread dhcpleased 96503 279145 99923 77 3 0x100092 kqread dhcpleased 99923 374184 1 0 3 0x80 kqread dhcpleased 52469 172208 0 0 2 0x14200 smr 34108 392941 0 0 2 0x14200 zerothread 88912 46554 0 0 3 0x14200 aiodoned aiodoned 84094 303521 0 0 3 0x14200 syncer update 8834 404279 0 0 3 0x14200 cleaner cleaner 43247 36043 0 0 3 0x14200 reaper reaper 39382 396640 0 0 3 0x14200 pgdaemon pagedaemon 63498 291850 0 0 3 0x14200 bored viomb 85299 12169 0 0 3 0x40014200 acpi0 acpi0 1381 323650 0 0 3 0x14200 bored softnet3 62952 79631 0 0 3 0x14200 bored softnet2 12579 53894 0 0 3 0x14200 bored softnet1 93238 228420 0 0 2 0x14200 softnet0 17790 100196 0 0 3 0x14200 bored systqmp 9463 473510 0 0 3 0x14200 bored systq 69900 242091 0 0 2 0x40014200 softclock 75391 310207 0 0 3 0x40014200 idle0 1 394990 0 0 3 0x80082 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10215 11128K 11665K 166960K 17879 0 pcb 17 18K 20K 166960K 1004 0 rtable 235 13K 14K 166960K 1751 0 pf 40 15K 22K 166960K 348 0 ifaddr 38 8K 9K 166960K 240 0 ifgroup 62 2K 3K 166960K 427 0 sysctl 4 1K 1K 166960K 16 0 counters 32 17K 18K 166960K 250 0 ioctlops 0 0K 4K 166960K 1058 0 iov 0 0K 20K 166960K 300 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1460 92K 92K 166960K 5222 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 2K 13K 166960K 84 0 VM map 2 1K 1K 166960K 2 0 sem 25 193K 353K 166960K 169 0 dirhash 12 2K 3K 166960K 81 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 18 65K 240K 166960K 4466 0 sigio 0 0K 0K 166960K 112 0 proc 60 59K 91K 166960K 1264 0 subproc 72 4K 4K 166960K 190 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 796 0 in_multi 78 5K 7K 166960K 376 0 ether_multi 1 0K 0K 166960K 45 0 mrt 2 0K 0K 166960K 18 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 241 1076K 1076K 166960K 241 0 exec 0 0K 1K 166960K 1417 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 42 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 238 149K 177K 166960K 40107 0 UVM aobj 112 7K 7K 166960K 115 0 pinsyscall 39 78K 90K 166960K 5815 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 1K 166960K 342 0 NDP 13 0K 2K 166960K 187 0 temp 77 8684K 8812K 166960K 144925 0 kqueue 14 22K 30K 166960K 748 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 455 0 452 3 2 1 2 0 8 0 rtentry 136 564 0 471 4 0 4 4 0 8 0 unpcb 144 3379 0 3363 14 13 1 6 0 8 0 syncache 336 9 0 9 3 3 0 1 0 8 0 tcpqe 32 2 0 2 1 1 0 1 0 8 0 tcpcb 808 1546 0 1537 29 27 2 14 0 8 0 arp 88 130 0 109 1 0 1 1 0 8 0 ipq 40 17 0 15 3 2 1 1 0 8 0 ipqe 40 28 0 25 3 2 1 1 0 8 0 inpcb 344 5276 0 5259 37 35 2 14 0 8 0 nd6 104 97 0 69 1 0 1 1 0 8 0 pkpcb 40 43 0 43 4 4 0 1 0 8 0 kcovpl 48 21 0 13 1 0 1 1 0 8 0 mppekey 1024 4 0 4 3 3 0 1 0 8 0 ppxss 1072 176 0 176 3 3 0 1 0 8 0 pppxif 1384 16 0 16 2 2 0 1 0 8 0 pfstscr 40 1 0 0 1 0 1 1 0 8 0 pfrktable 1344 5 0 2 1 0 1 1 0 8 0 pfanchor 1288 3 0 0 1 0 1 1 0 8 0 pftag 88 2 0 0 1 0 1 1 0 8 0 pfqueue 320 3 0 2 1 0 1 1 0 8 0 pfstitem 24 5 0 0 1 0 1 1 0 8 0 pfstkey 128 7 0 2 1 0 1 1 0 8 0 pfstate 344 4 0 1 1 0 1 1 0 8 0 pfrule 1344 8 0 6 2 1 1 1 0 8 0 rttmr 136 8 0 8 2 2 0 1 0 8 0 art_heap8 4096 4 0 0 4 0 4 4 0 8 0 art_heap4 256 1834 0 1438 38 10 28 29 0 8 0 art_table 32 1838 0 1438 4 0 4 4 0 8 0 art_node 16 552 0 471 1 0 1 1 0 8 0 sysvmsgpl 40 12 0 5 1 0 1 1 0 8 0 semupl 112 2 0 2 2 1 1 1 0 8 1 semapl 112 158 0 135 1 0 1 1 0 8 0 shmpl 112 112 0 3 4 0 4 4 0 8 0 dirhash 1024 65 0 48 3 0 3 3 0 8 0 dino2pl 256 9447 0 7922 96 0 96 96 0 8 0 ffsino 248 9447 0 7922 96 0 96 96 0 8 0 nchpl 144 15761 0 14046 64 0 64 64 0 8 0 rtmask 32 24 0 24 3 2 1 1 0 8 1 uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0 vnodes 216 5926 0 0 330 0 330 330 0 8 0 namei 1024 58678 0 58678 5 3 2 2 0 8 2 pfiaddrpl 120 1 0 0 1 0 1 1 0 8 0 kstatmem 264 280 0 254 3 0 3 3 0 8 1 acpiwqpl 32 3 0 3 1 0 1 1 1 8 1 scsiplug 72 10 0 10 3 2 1 1 0 8 1 scxspl 216 51361 0 51361 25 21 4 8 1 8 4 plimitpl 152 1288 0 1272 1 0 1 1 0 8 0 sigapl 424 4717 0 4669 9 1 8 8 0 8 1 futexpl 64 65186 0 65180 1 0 1 1 0 8 0 knotepl 120 336044 0 335996 83 73 10 17 0 8 7 kqueuepl 184 1544 0 1532 8 4 4 5 0 8 3 pipepl 296 850 0 822 18 10 8 8 0 8 5 fdescpl 440 4653 0 4623 5 1 4 5 0 8 0 filepl 120 33844 0 33624 26 14 12 15 0 8 2 lockfpl 104 1847 0 1845 4 2 2 2 0 8 1 lockfspl 48 706 0 704 1 0 1 1 0 8 0 sessionpl 144 42 0 34 1 0 1 1 0 8 0 pgrppl 48 167 0 151 1 0 1 1 0 8 0 ucredpl 104 6350 0 6339 1 0 1 1 0 8 0 zombiepl 144 5661 0 5661 3 2 1 1 0 8 1 processpl 1112 4717 0 4669 6 1 5 6 0 8 0 procpl 656 11373 0 11314 10 2 8 8 0 8 2 sosppl 168 13 0 13 3 2 1 1 0 8 1 sockpl 528 9290 0 9254 32 20 12 15 0 8 7 mcl64k 65536 85 0 84 4 3 1 1 0 8 0 mcl16k 16384 5 0 5 2 1 1 1 0 8 1 mcl12k 12288 3 0 3 1 0 1 1 0 8 1 mcl9k 9216 10 0 10 3 2 1 1 0 8 1 mcl8k 8192 103 0 103 4 3 1 1 0 8 1 mcl4k 4096 8389 0 8332 16 7 9 14 0 8 1 mcl2k 2048 4691 0 4683 7 4 3 5 0 8 1 mtagpl 96 472 0 381 6 2 4 5 0 8 1 mbufpl 256 50669 0 50382 41 16 25 31 0 8 2 bufpl 280 17558 0 11331 447 1 446 446 0 8 0 anonpl 24 559416 0 552743 121 55 66 66 0 187 8 amapchunkpl 152 172793 0 172201 84 40 44 44 0 158 18 amappl16 200 9816 0 9658 64 43 21 21 0 8 8 amappl15 192 8 0 8 1 1 0 1 0 8 0 amappl14 184 145 0 135 1 0 1 1 0 8 0 amappl13 176 8 0 8 3 2 1 1 0 8 1 amappl12 168 5473 0 5443 3 1 2 3 0 8 0 amappl11 160 42 0 32 1 0 1 1 0 8 0 amappl10 152 20 0 18 1 0 1 1 0 8 0 amappl9 144 256 0 256 1 1 0 1 0 8 0 amappl8 136 25 0 23 1 0 1 1 0 8 0 amappl7 128 141 0 130 1 0 1 1 0 8 0 amappl6 120 304 0 300 1 0 1 1 0 8 0 amappl5 112 166 0 158 1 0 1 1 0 8 0 amappl4 104 387 0 372 1 0 1 1 0 8 0 amappl3 96 29294 0 29177 5 1 4 4 0 8 0 amappl2 88 850 0 794 2 0 2 2 0 8 0 amappl1 80 27272 0 26721 15 0 15 15 0 8 0 amappl 88 38201 0 38027 5 0 5 5 0 92 0 dma65536 65536 1 0 1 1 1 0 1 0 8 0 dma16384 16384 1 0 1 1 1 0 1 0 8 0 dma8192 8192 2 0 2 2 2 0 1 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 7 0 7 2 1 1 1 0 8 1 dma128 128 257 0 257 4 3 1 1 0 8 1 dma64 64 11 0 11 3 2 1 1 0 8 1 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 20 0 19 1 0 1 1 0 8 0 aobjpl 72 114 0 3 3 0 3 3 0 8 0 uaddrrnd 24 4653 0 4623 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 4653 0 4623 1 0 1 1 0 8 0 vmmpekpl 168 34883 0 34833 4 0 4 4 0 8 0 vmmpepl 168 286972 0 284895 126 25 101 105 0 357 4 vmsppl 360 4652 0 4623 4 1 3 4 0 8 0 rwobjpl 32 71342 0 64302 61 2 59 60 0 8 0 pdppl 4096 9313 0 9246 157 90 67 79 0 8 0 pvpl 32 1827306 0 1814910 241 91 150 150 0 265 25 pmappl 216 4652 0 4623 2 0 2 2 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 420 0 176 8 0 8 8 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8338267b) at panic+0x1cf sys/kern/subr_prf.c:198 pool_p_free(ffffffff83969bd0,fffffd8073bf5f90) at pool_p_free+0x2c1 sys/kern/subr_pool.c:-1 pool_reclaim(ffffffff83969bd0) at pool_reclaim+0x2b6 sys/kern/subr_pool.c:1155 pool_reclaim_all() at pool_reclaim_all+0x48 sys/kern/subr_pool.c:-1 kern_sysctl_locked(ffff8000381373b4,1,0,ffff8000381373e8,200000001440,4,7f081c286c8127f0) at kern_sysctl_locked+0x156e sys/kern/kern_sysctl.c:760 kern_sysctl(ffff8000381373b4,1,0,ffff8000381373e8,200000001440,4,89a6bbd999f845b9) at kern_sysctl+0xa6e sys/kern/kern_sysctl.c:630 sys_sysctl(ffff80002a7cfc48,ffff800038137520,ffff800038137470) at sys_sysctl+0x425 sys/kern/kern_sysctl.c:-1 syscall(ffff800038137520) at syscall+0x97e mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff800038137520) at syscall+0x97e sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x1350f393860, count: -10 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8338267b) at panic+0x1cf sys/kern/subr_prf.c:198 pool_p_free(ffffffff83969bd0,fffffd8073bf5f90) at pool_p_free+0x2c1 sys/kern/subr_pool.c:-1 pool_reclaim(ffffffff83969bd0) at pool_reclaim+0x2b6 sys/kern/subr_pool.c:1155 pool_reclaim_all() at pool_reclaim_all+0x48 sys/kern/subr_pool.c:-1 kern_sysctl_locked(ffff8000381373b4,1,0,ffff8000381373e8,200000001440,4,7f081c286c8127f0) at kern_sysctl_locked+0x156e sys/kern/kern_sysctl.c:760 kern_sysctl(ffff8000381373b4,1,0,ffff8000381373e8,200000001440,4,89a6bbd999f845b9) at kern_sysctl+0xa6e sys/kern/kern_sysctl.c:630 sys_sysctl(ffff80002a7cfc48,ffff800038137520,ffff800038137470) at sys_sysctl+0x425 sys/kern/kern_sysctl.c:-1 syscall(ffff800038137520) at syscall+0x97e mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff800038137520) at syscall+0x97e sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x1350f393860, count: -10