panic: pool_p_free: rttmr free list modified: page 0xfffffd8067308000; item addr 0xfffffd8067308aa8; offset 0x10=0x3c4525f0 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *345419 78154 0 0 0x4000000 0 syz-executor 126526 38149 0 0x2 0x1 1 syz-executor db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83369c5b) at panic+0x1e5 sys/kern/subr_prf.c:198 pool_p_free(ffffffff8393ae70,fffffd8067308f90) at pool_p_free+0x2d1 sys/kern/subr_pool.c:986 pool_reclaim(ffffffff8393ae70) at pool_reclaim+0x2c2 sys/kern/subr_pool.c:1152 pool_reclaim_all() at pool_reclaim_all+0x48 sys/kern/subr_pool.c:-1 kern_sysctl(ffff80003c486fb4,1,200000000180,ffff80003c486fe8,200000001180,4,e413a3414ca57d27) at kern_sysctl+0x1095 sys/kern/kern_sysctl.c:686 sys_sysctl(ffff80002a2c2a80,ffff80003c487120,ffff80003c487070) at sys_sysctl+0x3e5 sys/kern/kern_sysctl.c:-1 syscall(ffff80003c487120) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c487120) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x42489572e90, count: 6 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: pool_p_free: rttmr free list modified: page 0xfffffd8067308000; item addr 0xfffffd8067308aa8; offset 0x10=0x3c4525f0 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83369c5b) at panic+0x1e5 sys/kern/subr_prf.c:198 pool_p_free(ffffffff8393ae70,fffffd8067308f90) at pool_p_free+0x2d1 sys/kern/subr_pool.c:986 pool_reclaim(ffffffff8393ae70) at pool_reclaim+0x2c2 sys/kern/subr_pool.c:1152 pool_reclaim_all() at pool_reclaim_all+0x48 sys/kern/subr_pool.c:-1 kern_sysctl(ffff80003c486fb4,1,200000000180,ffff80003c486fe8,200000001180,4,e413a3414ca57d27) at kern_sysctl+0x1095 sys/kern/kern_sysctl.c:686 sys_sysctl(ffff80002a2c2a80,ffff80003c487120,ffff80003c487070) at sys_sysctl+0x3e5 sys/kern/kern_sysctl.c:-1 syscall(ffff80003c487120) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c487120) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x42489572e90, count: -9 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff80003c486bf0 rbx 0xffffffff8380fddf cpu_info_full_primary+0x2ddf rdx 0xffff80000144e780 rcx 0xffff80002a2c2a80 rax 0xffffffff8380eff0 cpu_info_full_primary+0x1ff0 r8 0x101010101010101 r9 0x8080808080808080 r10 0x4d37df14fbc40c80 r11 0xcbe6e5bbab747778 r12 0xffffffff8380fbe0 cpu_info_full_primary+0x2be0 r13 0 r14 0 r15 0x1 rip 0xffffffff8272e245 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80003c486be0 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor) tid=345419 pid=78154 tcnt=2 stat=onproc flags process=0 proc=4000000 runpri=32, usrpri=50, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80002a2c2550,0xffffffff838bc9e8 process=0xffff80003b8249e0 user=0xffff80003c482000, vmspace=0xfffffd806a7c63e8 estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 78154 57478 31529 0 3 0x80 fsleep syz-executor *78154 345419 31529 0 7 0x4000000 syz-executor 9608 291343 44658 0 3 0x80 fsleep syz-executor 9608 294752 44658 0 3 0x4000080 netcon syz-executor 52972 207546 38149 0 3 0x80 fsleep syz-executor 52972 369169 38149 0 3 0x4000080 sbwait syz-executor 16959 42699 86147 0 3 0x80 fsleep syz-executor 16959 337010 86147 0 3 0x4000080 pipewr syz-executor 13895 416783 58369 0 3 0x80 fsleep syz-executor 13895 448843 58369 0 3 0x4000080 fifor syz-executor 13895 494345 58369 0 3 0x4000080 fsleep syz-executor 42604 451913 57275 0 3 0x80 fsleep syz-executor 42604 150138 57275 0 3 0x4000080 piperd syz-executor 7310 273625 4060 0 3 0x80 fsleep syz-executor 7310 473862 4060 0 3 0x4000080 netcon syz-executor 7310 99833 4060 0 3 0x4000080 fsleep syz-executor 96422 228001 71348 0 3 0x80 fsleep syz-executor 96422 488991 71348 0 3 0x4000080 sbwait syz-executor 90760 8793 18981 0 3 0x82 sbwait sshd-session 67779 160463 1 0 3 0x80 nanoslp init 38149 126526 89866 0 7 0x3 syz-executor 71348 499070 89866 0 2 0xc82 syz-executor 86147 197802 89866 0 2 0xc82 syz-executor 57275 479693 89866 0 2 0xc82 syz-executor 97099 35289 0 0 3 0x14200 bored sosplice 58369 496595 89866 0 2 0xc82 syz-executor 31529 458953 89866 0 3 0x82 nanoslp syz-executor 4060 452067 89866 0 2 0xc82 syz-executor 44658 66372 89866 0 2 0x2 syz-executor 89866 279395 73817 0 3 0x82 kqread syz-executor 73817 409707 95984 0 3 0x10008a sigsusp ksh 95984 26585 80764 0 3 0x98 kqread sshd-session 80764 444153 18981 0 3 0x92 kqread sshd-session 18981 261538 1 0 3 0x88 kqread sshd 28719 88564 90063 74 3 0x1100092 bpf pflogd 90063 317685 1 0 3 0x80 sbwait pflogd 95736 57741 12398 73 3 0x1100090 kqread syslogd 12398 428343 1 0 3 0x100082 sbwait syslogd 6513 338973 1 0 3 0x100080 kqread resolvd 90444 44084 21921 77 3 0x100092 kqread dhcpleased 61483 186583 21921 77 3 0x100092 kqread dhcpleased 21921 318224 1 0 3 0x80 kqread dhcpleased 76960 347748 0 0 3 0x14200 bored smr 88762 104224 0 0 3 0x14200 pgzero zerothread 69376 426994 0 0 3 0x14200 aiodoned aiodoned 93927 301181 0 0 3 0x14200 syncer update 48909 96289 0 0 3 0x14200 cleaner cleaner 6187 187447 0 0 3 0x14200 reaper reaper 74338 367045 0 0 3 0x14200 pgdaemon pagedaemon 52652 358943 0 0 3 0x14200 bored viomb 16424 170848 0 0 3 0x40014200 acpi0 acpi0 18005 210393 0 0 3 0x40014200 idle1 47397 450590 0 0 3 0x14200 bored softnet7 20368 307871 0 0 3 0x14200 bored softnet6 57711 442281 0 0 3 0x14200 bored softnet5 28215 85385 0 0 3 0x14200 bored softnet4 56260 517904 0 0 3 0x14200 bored softnet3 56088 194891 0 0 3 0x14200 bored softnet2 53697 428351 0 0 3 0x14200 bored softnet1 4575 252192 0 0 3 0x14200 bored softnet0 61572 339029 0 0 3 0x14200 bored systqmp 8296 444980 0 0 3 0x14200 bored systq 36753 483982 0 0 3 0x14200 tmoslp softclockmp 41645 269871 0 0 2 0x40014200 softclock 68454 414943 0 0 3 0x40014200 idle0 1 425541 0 0 3 0x82 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb{0}> show all locks Process 78154 (syz-executor) thread 0xffff80002a2c2a80 (345419) shared rwlock pools r = 0 (0xffffffff8381ffb8) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 rw_do_enter_read+0x3e8 sys/kern/kern_rwlock.c:413 #2 pool_reclaim_all+0x25 sys/kern/subr_pool.c:1170 #3 kern_sysctl+0x1095 sys/kern/kern_sysctl.c:686 #4 sys_sysctl+0x3e5 sys/kern/kern_sysctl.c:-1 #5 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] #5 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:748 #6 Xsyscall+0x128 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10254 11124K 11463K 166960K 15854 0 pcb 17 16K 18K 166960K 997 0 rtable 224 12K 12K 166960K 849 0 pf 42 19K 83K 166960K 368 0 ifaddr 38 8K 9K 166960K 209 0 ifgroup 55 2K 2K 166960K 391 0 sysctl 4 1K 9K 166960K 73 0 counters 68 36K 38K 166960K 416 0 ioctlops 0 0K 4K 166960K 2165 0 iov 0 0K 20K 166960K 193 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1517 95K 96K 166960K 4308 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 3 5K 9K 166960K 45 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 1K 166960K 163 0 dirhash 12 2K 2K 166960K 60 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 18 65K 240K 166960K 2873 0 sigio 1 0K 0K 166960K 58 0 proc 64 99K 164K 166960K 969 0 subproc 72 4K 4K 166960K 118 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 2 0K 0K 166960K 358 0 in_multi 79 5K 7K 166960K 254 0 ether_multi 2 0K 0K 166960K 38 0 mrt 1 0K 0K 166960K 19 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 253 1129K 1129K 166960K 253 0 exec 0 0K 1K 166960K 976 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 2 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 257 173K 186K 166960K 27904 0 UVM aobj 3 2K 2K 166960K 3 0 pinsyscall 44 88K 104K 166960K 4186 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 155 0 NDP 12 0K 2K 166960K 157 0 temp 86 8652K 8897K 166960K 152116 0 kqueue 13 20K 33K 166960K 545 0 SYN cache 2 16K 16K 166960K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 120 289 0 286 2 1 1 2 0 8 0 rtentry 176 256 0 169 5 0 5 5 0 8 0 unpcb 144 1992 0 1967 16 14 2 6 0 8 0 syncache 336 20 0 20 7 7 0 1 0 8 0 tcpqe 32 7 0 7 4 4 0 1 0 8 0 tcpcb 736 1086 0 1072 27 25 2 7 0 8 0 arp 128 29 0 16 1 0 1 1 0 8 0 inpcb 328 3882 0 3864 35 32 3 10 0 8 0 nd6 144 41 0 18 1 0 1 1 0 8 0 pkpcb 40 29 0 29 6 6 0 1 0 8 0 kcovpl 48 13 0 5 1 0 1 1 0 8 0 mppekey 1024 5 0 5 4 4 0 1 0 8 0 ppxss 1192 139 0 139 4 4 0 1 0 8 0 pppxif 1504 15 0 15 8 8 0 1 0 8 0 pfstscr 40 144 0 143 3 2 1 1 0 8 0 pffrag 232 24 0 16 1 0 1 1 0 482 0 pffrnode 88 19 0 12 1 0 1 1 0 8 0 pffrent 40 45 0 37 1 0 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfrktable 1344 3 0 3 2 2 0 1 0 8 0 pfanchor 1288 1 0 0 1 0 1 1 0 8 0 pftag 88 3 0 0 1 0 1 1 0 8 0 pfstitem 24 160 0 81 1 0 1 1 0 8 0 pfstkey 128 240 0 162 3 0 3 3 0 8 0 pfstate 384 233 0 155 9 0 9 9 0 8 0 pfrule 1344 45 0 34 3 2 1 2 0 8 0 rttmr 136 3 0 3 2 2 0 1 0 8 0 art_heap8 4096 4 0 0 4 0 4 4 0 8 0 art_heap4 256 927 0 555 36 10 26 30 0 8 2 art_table 40 931 0 555 5 0 5 5 0 8 0 art_node 32 220 0 144 1 0 1 1 0 8 0 sysvmsgpl 40 19 0 11 1 0 1 1 0 8 0 semapl 112 156 0 146 1 0 1 1 0 8 0 dirhash 1024 49 0 32 3 0 3 3 0 8 0 dino2pl 256 6830 0 5315 97 1 96 96 0 8 0 ffsino 296 6830 0 5315 118 0 118 118 0 8 0 nchpl 144 10970 0 10415 64 39 25 64 0 8 0 rtmask 32 24 0 24 7 6 1 1 0 8 1 uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0 vnodes 216 5926 0 0 330 0 330 330 0 8 0 namei 1024 38187 0 38187 6 5 1 2 0 8 1 percpumem 16 223 0 174 1 0 1 1 0 8 0 kstatmem 264 264 0 238 7 4 3 3 0 8 1 acpiwqpl 32 5 0 5 1 0 1 1 1 8 1 scsiplug 72 7 0 7 6 5 1 1 0 8 1 scxspl 216 66471 0 66471 16 14 2 8 1 8 2 plimitpl 152 720 0 702 1 0 1 1 0 8 0 sigapl 424 3183 0 3127 7 0 7 7 0 8 0 knotepl 120 821 0 0 24 0 24 24 0 8 0 kqueuepl 224 1281 0 1272 12 7 5 5 0 8 4 pipepl 344 462 0 433 7 4 3 6 0 8 0 fdescpl 528 3158 0 3125 3 0 3 3 0 8 0 filepl 160 22035 0 21800 36 19 17 18 0 8 5 lockfpl 104 1310 0 1308 2 1 1 2 0 8 0 lockfspl 48 600 0 598 1 0 1 1 0 8 0 sessionpl 144 45 0 36 1 0 1 1 0 8 0 pgrppl 48 94 0 77 1 0 1 1 0 8 0 ucredpl 104 3557 0 3542 1 0 1 1 0 8 0 zombiepl 144 4146 0 4146 2 1 1 1 0 8 1 processpl 1248 3183 0 3127 5 0 5 5 0 8 0 procpl 664 7865 0 7799 9 2 7 7 0 8 0 sosppl 168 12 0 12 4 3 1 1 0 8 1 sockpl 752 6253 0 6207 60 46 14 17 0 8 8 mcl64k 65536 19 0 0 3 0 3 3 0 8 0 mcl16k 16384 2 0 0 1 0 1 1 0 8 0 mcl12k 12288 1 0 0 1 0 1 1 0 8 0 mcl9k 9216 2 0 0 1 0 1 1 0 8 0 mcl8k 8192 3 0 0 1 0 1 1 0 8 0 mcl4k 4096 109 0 0 14 0 14 14 0 8 0 mcl2k2 2112 1 0 0 1 0 1 1 0 8 0 mcl2k 2048 72 0 0 9 1 8 9 0 8 0 mtagpl 96 100 0 0 3 0 3 3 0 8 0 mbufpl 256 3421 0 0 213 0 213 213 0 8 0 bufpl 280 26428 0 20285 441 1 440 440 0 8 0 anonpl 32 16527 0 0 133 0 133 133 0 246 0 amapchunkpl 152 100670 0 100059 78 46 32 35 0 158 2 amappl16 200 11496 0 11178 78 58 20 32 0 8 3 amappl15 192 6 0 6 1 1 0 1 0 8 0 amappl14 184 157 0 145 1 0 1 1 0 8 0 amappl13 176 27 0 27 3 3 0 1 0 8 0 amappl12 168 3915 0 3883 4 1 3 3 0 8 0 amappl11 160 53 0 38 1 0 1 1 0 8 0 amappl10 152 3 0 3 1 1 0 1 0 8 0 amappl9 144 256 0 256 1 1 0 1 0 8 0 amappl8 136 36 0 33 1 0 1 1 0 8 0 amappl7 128 136 0 123 1 0 1 1 0 8 0 amappl6 120 248 0 243 1 0 1 1 0 8 0 amappl5 112 154 0 143 1 0 1 1 0 8 0 amappl4 104 372 0 352 1 0 1 1 0 8 0 amappl3 96 19837 0 19719 5 1 4 4 0 8 0 amappl2 88 899 0 828 2 0 2 2 0 8 0 amappl1 80 23177 0 22515 16 0 16 16 0 8 0 amappl 88 26540 0 26359 5 0 5 5 0 92 0 dma32768 32768 1 0 1 1 1 0 1 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma512 512 1 0 1 1 1 0 1 0 8 0 dma256 256 7 0 7 2 2 0 1 0 8 0 dma128 128 255 0 255 3 2 1 1 0 8 1 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 9 0 9 2 2 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 2 0 0 1 0 1 1 0 8 0 uaddrrnd 24 3158 0 3125 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 3158 0 3125 1 0 1 1 0 8 0 vmmpekpl 168 24069 0 24012 3 0 3 3 0 8 0 vmmpepl 168 206979 0 204483 146 25 121 121 0 357 10 vmsppl 488 3157 0 3125 5 0 5 5 0 8 0 rwobjpl 80 60702 0 53475 159 5 154 154 0 8 6 pdppl 4096 6323 0 6250 129 56 73 85 0 8 0 pvpl 32 25142 0 0 201 0 201 201 0 265 0 pmappl 256 3157 0 3125 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 563 0 114 13 0 13 13 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83369c5b) at panic+0x1e5 sys/kern/subr_prf.c:198 pool_p_free(ffffffff8393ae70,fffffd8067308f90) at pool_p_free+0x2d1 sys/kern/subr_pool.c:986 pool_reclaim(ffffffff8393ae70) at pool_reclaim+0x2c2 sys/kern/subr_pool.c:1152 pool_reclaim_all() at pool_reclaim_all+0x48 sys/kern/subr_pool.c:-1 kern_sysctl(ffff80003c486fb4,1,200000000180,ffff80003c486fe8,200000001180,4,e413a3414ca57d27) at kern_sysctl+0x1095 sys/kern/kern_sysctl.c:686 sys_sysctl(ffff80002a2c2a80,ffff80003c487120,ffff80003c487070) at sys_sysctl+0x3e5 sys/kern/kern_sysctl.c:-1 syscall(ffff80003c487120) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c487120) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x42489572e90, count: -9 ddb{0}> machine ddbcpu 1