panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd806159e900+16 0x0!=0x504a8e40551d63c6
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*342197 63966 0 0 0x4000000 0 syz-executor.0
194650 3720 0 0 0 1 syz-executor.1
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
pool_cache_get(ffffffff82644168) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1789 [inline]
pool_cache_get(ffffffff82644168) at pool_cache_get+0x323 sys/kern/subr_pool.c:1892
pool_get() at pool_get+0x91 sys/kern/subr_pool.c:572
m_copym(fffffd8068929100,2774,5a0,2) at m_copym+0x174 m_get sys/kern/uipc_mbuf.c:250 [inline]
m_copym(fffffd8068929100,2774,5a0,2) at m_copym+0x174 sys/kern/uipc_mbuf.c:667
ip_fragment(fffffd8068929100,ffff8000001732a8,5b4) at ip_fragment+0x324
ip_output(fffffd8068929100,0,fffffd806f6cd930,20,0,fffffd806f6cd8c0) at ip_output+0xfc1 sys/netinet/ip_output.c:501
rip_output(fffffd8068929100,fffffd8064dd0338,ffff800021b67a98,ffff800023d7c000) at rip_output+0x252 sys/netinet/raw_ip.c:289
rip_usrreq(fffffd8064dd0338,9,fffffd8068929100,0,0,ffff800020ab0508) at rip_usrreq+0x46a sys/netinet/raw_ip.c:538
sosend(fffffd8064dd0338,0,ffff800021b67c00,0,0,80) at sosend+0x645 sys/kern/uipc_socket.c:524
sendit(ffff800020ab0508,8,ffff800021b67ce0,0,ffff800021b67dc0) at sendit+0x52b sys/kern/uipc_syscalls.c:662
sys_sendto(ffff800020ab0508,ffff800021b67d78,ffff800021b67dc0) at sys_sendto+0x80 sys/kern/uipc_syscalls.c:527
syscall(ffff800021b67e40) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline]
syscall(ffff800021b67e40) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555
Xsyscall(6,0,ffffffffffffffd7,0,6,ba20ee24010) at Xsyscall+0x128
end of kernel
end trace frame: 0xba501c316e0, count: 1
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd806159e900+16 0x0!=0x504a8e40551d63c6
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
pool_cache_get(ffffffff82644168) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1789 [inline]
pool_cache_get(ffffffff82644168) at pool_cache_get+0x323 sys/kern/subr_pool.c:1892
pool_get() at pool_get+0x91 sys/kern/subr_pool.c:572
m_copym(fffffd8068929100,2774,5a0,2) at m_copym+0x174 m_get sys/kern/uipc_mbuf.c:250 [inline]
m_copym(fffffd8068929100,2774,5a0,2) at m_copym+0x174 sys/kern/uipc_mbuf.c:667
ip_fragment(fffffd8068929100,ffff8000001732a8,5b4) at ip_fragment+0x324
ip_output(fffffd8068929100,0,fffffd806f6cd930,20,0,fffffd806f6cd8c0) at ip_output+0xfc1 sys/netinet/ip_output.c:501
rip_output(fffffd8068929100,fffffd8064dd0338,ffff800021b67a98,ffff800023d7c000) at rip_output+0x252 sys/netinet/raw_ip.c:289
rip_usrreq(fffffd8064dd0338,9,fffffd8068929100,0,0,ffff800020ab0508) at rip_usrreq+0x46a sys/netinet/raw_ip.c:538
sosend(fffffd8064dd0338,0,ffff800021b67c00,0,0,80) at sosend+0x645 sys/kern/uipc_socket.c:524
sendit(ffff800020ab0508,8,ffff800021b67ce0,0,ffff800021b67dc0) at sendit+0x52b sys/kern/uipc_syscalls.c:662
sys_sendto(ffff800020ab0508,ffff800021b67d78,ffff800021b67dc0) at sys_sendto+0x80 sys/kern/uipc_syscalls.c:527
syscall(ffff800021b67e40) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline]
syscall(ffff800021b67e40) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555
Xsyscall(6,0,ffffffffffffffd7,0,6,ba20ee24010) at Xsyscall+0x128
end of kernel
end trace frame: 0xba501c316e0, count: -14
ddb{0}> show registers
rdi 0xffffffff81923337 db_enter+0x17
rsi 0x61f1 __ALIGN_SIZE+0x51f1
rbp 0xffff800021b675c0
rbx 0xffff800021b67670
rdx 0x61f2 __ALIGN_SIZE+0x51f2
rcx 0xffff800023d7c000
rax 0xffff800023d7c000
r8 0xffffffff8130092f kprintf+0x16f
r9 0x1
r10 0x25
r11 0xe20727ede63d7675
r12 0x3000000008
r13 0xffff800021b675d0
r14 0x100
r15 0x1
rip 0xffffffff81923338 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800021b675b0
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor.0) pid=342197 stat=onproc
flags process=0 proc=4000000
pri=76, usrpri=76, nice=20
forw=0xffffffffffffffff, list=0xffff800020ab0ee8,0xffffffff82676510
process=0xffff800020a4b888 user=0xffff800021b62000, vmspace=0xfffffd807f00bb80
estcpu=36, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
63966 505911 88787 0 2 0 syz-executor.0
*63966 342197 88787 0 7 0x4000000 syz-executor.0
3720 194650 654 0 7 0 syz-executor.1
3720 121974 654 0 3 0x4000080 poll syz-executor.1
3720 389191 654 0 3 0x4000080 fsleep syz-executor.1
654 6195 50150 0 3 0x82 nanosleep syz-executor.1
88787 388654 50150 0 3 0x82 nanosleep syz-executor.0
11001 73162 0 0 3 0x14200 acct acct
78478 461323 0 0 3 0x14200 bored sosplice
50150 505822 95329 0 3 0x82 thrsleep syz-fuzzer
50150 426802 95329 0 3 0x4000082 thrsleep syz-fuzzer
50150 188420 95329 0 3 0x4000082 thrsleep syz-fuzzer
50150 358324 95329 0 3 0x4000082 thrsleep syz-fuzzer
50150 268023 95329 0 3 0x4000082 thrsleep syz-fuzzer
50150 126798 95329 0 3 0x4000082 thrsleep syz-fuzzer
50150 463504 95329 0 3 0x4000082 thrsleep syz-fuzzer
50150 429546 95329 0 3 0x4000082 kqread syz-fuzzer
50150 509220 95329 0 3 0x4000082 thrsleep syz-fuzzer
50150 91511 95329 0 3 0x4000082 thrsleep syz-fuzzer
95329 167837 2602 0 3 0x10008a pause ksh
2602 439729 50770 0 3 0x92 select sshd
50429 193459 1 0 3 0x100083 ttyopn getty
50770 231594 1 0 3 0x80 select sshd
50054 446087 35658 74 3 0x100092 bpf pflogd
35658 463071 1 0 3 0x80 netio pflogd
82028 103535 55804 73 3 0x100090 kqread syslogd
55804 74913 1 0 3 0x100082 netio syslogd
85597 230818 1 77 3 0x100090 poll dhclient
55159 174654 1 0 3 0x80 poll dhclient
52491 281304 0 0 2 0x14200 zerothread
18289 177801 0 0 3 0x14200 aiodoned aiodoned
47923 479994 0 0 3 0x14200 syncer update
1709 283587 0 0 3 0x14200 cleaner cleaner
67767 168430 0 0 3 0x14200 reaper reaper
78401 286403 0 0 3 0x14200 pgdaemon pagedaemon
16108 4044 0 0 3 0x14200 bored crynlk
57875 435455 0 0 3 0x14200 bored crypto
77812 237585 0 0 3 0x40014200 acpi0 acpi0
71603 200902 0 0 3 0x40014200 idle1
95695 191141 0 0 3 0x14200 bored softnet
97982 481631 0 0 3 0x14200 bored systqmp
32397 118134 0 0 3 0x14200 bored systq
21128 506069 0 0 3 0x40014200 bored softclock
5187 521313 0 0 3 0x40014200 idle0
84640 419190 0 0 3 0x14200 bored smr
1 35168 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
Process 63966 (syz-executor.0) thread 0xffff800020ab0508 (342197)
exclusive rwlock netlock r = 0 (0xffffffff8248cb28)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1163
#1 solock+0x5a sys/kern/uipc_socket2.c:282
#2 sosend+0x51b sys/kern/uipc_socket.c:512
#3 sendit+0x52b sys/kern/uipc_syscalls.c:662
#4 sys_sendto+0x80 sys/kern/uipc_syscalls.c:527
#5 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline]
#5 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555
#6 Xsyscall+0x128
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9560 6490K 8017K 78643K 15592 0 0
pcb 13 8K 8K 78643K 215 0 0
rtable 96 12K 12K 78643K 875 0 0
ifaddr 75 17K 18K 78643K 307 0 0
counters 39 33K 33K 78643K 39 0 0
ioctlops 0 0K 4K 78643K 1517 0 0
iov 0 0K 24K 78643K 164 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1233 77K 78K 78643K 2794 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 9K 78643K 165 0 0
VM map 2 1K 1K 78643K 11 0 0
sem 12 0K 1K 78643K 148 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1808 196K 290K 78643K 12765 0 0
file desc 6 17K 25K 78643K 1119 0 0
sigio 1 0K 0K 78643K 12 0 0
proc 62 63K 95K 78643K 770 0 0
subproc 32 2K 2K 78643K 136 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
ip_moptions 0 0K 0K 78643K 59 0 0
in_multi 26 1K 2K 78643K 179 0 0
ether_multi 1 0K 0K 78643K 20 0 0
mrt 1 0K 0K 78643K 16 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 60 265K 265K 78643K 60 0 0
exec 0 0K 1K 78643K 426 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 119 22K 38K 78643K 4785 0 0
UVM aobj 130 4K 4K 78643K 132 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
ip6_options 0 0K 0K 78643K 231 0 0
NDP 16 0K 0K 78643K 89 0 0
temp 201 3560K 4199K 78643K 49639 0 0
kqueue 0 0K 0K 78643K 8 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp 64 18 0 13 1 0 1 1 0 8 0
plcache 128 20 0 0 1 0 1 1 0 8 0
rtpcb 80 106 0 104 1 0 1 1 0 8 0
rtentry 112 142 0 107 2 0 2 2 0 8 0
unpcb 120 859 0 848 1 0 1 1 0 8 0
syncache 264 9 0 9 3 3 0 1 0 8 0
tcpqe 32 7632 0 7632 3 3 0 2 0 8 0
tcpcb 544 355 0 350 1 0 1 1 0 8 0
inpcb 280 1537 0 1526 5 3 2 2 0 8 1
rttmr 72 5 0 5 4 4 0 1 0 8 0
nd6 48 23 0 21 2 1 1 1 0 8 0
pkpcb 40 2 0 2 1 1 0 1 0 8 0
ppxss 1128 31 0 31 4 3 1 1 0 8 1
pffrag 232 23 0 23 4 3 1 1 0 482 1
pffrnode 88 23 0 23 4 3 1 1 0 8 1
pffrent 40 306 0 306 4 3 1 1 0 8 1
pfosfp 40 846 0 423 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfstitem 24 85 0 50 1 0 1 1 0 8 0
pfstkey 112 85 0 50 2 0 2 2 0 8 0
pfstate 328 85 0 50 4 0 4 4 0 8 0
pfrule 1360 21 0 16 2 1 1 2 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 694 0 519 19 5 14 15 0 8 0
art_table 32 695 0 519 2 0 2 2 0 8 0
art_node 16 141 0 109 1 0 1 1 0 8 0
sysvmsgpl 40 4 0 2 1 0 1 1 0 8 0
semupl 112 2 0 2 1 1 0 1 0 8 0
semapl 112 144 0 134 1 0 1 1 0 8 0
shmpl 112 130 0 2 4 0 4 4 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino1pl 128 3007 0 1601 46 0 46 46 0 8 0
ffsino 272 3007 0 1601 97 2 95 95 0 8 0
nchpl 144 4714 0 3119 61 0 61 61 0 8 0
uvmvnodes 72 4391 0 0 80 0 80 80 0 8 0
vnodes 208 4391 0 0 232 0 232 232 0 8 0
namei 1024 15309 0 15309 3 2 1 1 0 8 1
percpumem 16 30 0 0 1 0 1 1 0 8 0
vmpool 552 9 0 9 2 2 0 1 0 8 0
scsiplug 64 2 0 2 2 2 0 1 0 8 0
scxspl 192 15151 0 15151 19 16 3 7 0 8 3
plimitpl 152 103 0 95 1 0 1 1 0 8 0
sigapl 432 1301 0 1285 3 1 2 3 0 8 0
futexpl 56 21653 0 21652 1 0 1 1 0 8 0
knotepl 112 285 0 266 1 0 1 1 0 8 0
kqueuepl 104 240 0 238 1 0 1 1 0 8 0
pipepl 112 628 0 609 3 2 1 2 0 8 0
fdescpl 488 1302 0 1285 3 0 3 3 0 8 0
filepl 152 9708 0 9603 11 5 6 6 0 8 1
lockfpl 104 329 0 328 1 0 1 1 0 8 0
lockfspl 48 113 0 112 1 0 1 1 0 8 0
sessionpl 112 24 0 13 1 0 1 1 0 8 0
pgrppl 48 30 0 19 1 0 1 1 0 8 0
ucredpl 96 1023 0 1014 1 0 1 1 0 8 0
zombiepl 144 1285 0 1285 3 2 1 1 0 8 1
processpl 896 1319 0 1285 4 0 4 4 0 8 0
procpl 632 3693 0 3647 5 0 5 5 0 8 1
srpgc 64 8 0 8 3 2 1 1 0 8 1
sosppl 128 6 0 6 3 3 0 1 0 8 0
sockpl 384 2537 0 2513 9 5 4 4 0 8 1
mcl64k 65536 511 0 0 64 4 60 64 0 8 1
mcl16k 16384 3 0 0 1 0 1 1 0 8 0
mcl12k 12288 17 0 0 2 0 2 2 0 8 0
mcl9k 9216 5 0 0 1 0 1 1 0 8 0
mcl8k 8192 9 0 0 2 0 2 2 0 8 0
mcl4k 4096 11 0 0 2 0 2 2 0 8 0
mcl2k2 2112 4 0 0 1 0 1 1 0 8 0
mcl2k 2048 239 0 0 28 0 28 28 0 8 0
mtagpl 80 18 0 0 1 0 1 1 0 8 0
mbufpl 256 659 0 0 37 0 37 37 0 8 0
bufpl 256 9348 0 2300 441 0 441 441 0 8 0
anonpl 16 152346 0 135719 114 28 86 87 0 124 14
amapchunkpl 152 9104 0 8965 28 15 13 20 0 158 6
amappl16 192 6621 0 5668 88 32 56 60 0 8 8
amappl15 184 76 0 72 3 2 1 1 0 8 0
amappl14 176 81 0 76 2 1 1 1 0 8 0
amappl13 168 35 0 34 1 0 1 1 0 8 0
amappl12 160 121 0 116 1 0 1 1 0 8 0
amappl11 152 495 0 480 1 0 1 1 0 8 0
amappl10 144 105 0 96 1 0 1 1 0 8 0
amappl9 136 798 0 792 1 0 1 1 0 8 0
amappl8 128 359 0 326 2 0 2 2 0 8 0
amappl7 120 137 0 130 1 0 1 1 0 8 0
amappl6 112 503 0 496 1 0 1 1 0 8 0
amappl5 104 318 0 302 1 0 1 1 0 8 0
amappl4 96 1615 0 1579 2 1 1 2 0 8 0
amappl3 88 157 0 152 1 0 1 1 0 8 0
amappl2 80 9179 0 9095 4 2 2 3 0 8 0
amappl1 72 39235 0 38778 25 15 10 20 0 8 0
amappl 80 4070 0 4023 2 0 2 2 0 84 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 17 0 17 1 1 0 1 0 8 0
aobjpl 64 131 0 2 3 0 3 3 0 8 0
uaddrrnd 24 1311 0 1285 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 1311 0 1285 1 0 1 1 0 8 0
vmmpekpl 168 13279 0 13244 2 0 2 2 0 8 0
vmmpepl 168 171166 0 168950 203 74 129 129 0 357 30
vmsppl 368 1301 0 1285 2 0 2 2 0 8 0
pdppl 4096 2629 0 2588 7 1 6 6 0 8 0
pvpl 32 437725 0 417777 265 62 203 205 0 265 36
pmappl 232 1310 0 1294 4 3 1 2 0 8 0
extentpl 40 41 0 26 1 0 1 1 0 8 0
phpool 112 712 0 17 20 0 20 20 0 8 0