panic: pool_do_get: mbufpl free list modified: page 0xfffffd805354a000; item addr 0xfffffd805354a000; offset 0x0=0x0 != 0xc1411e6e93f1265d Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *377311 74270 0 0x2 0 0 syz-executor.0 db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff82479573) at panic+0x164 sys/kern/subr_prf.c:218 pool_do_get(ffffffff82820de0,2,ffff8000209daa78) at pool_do_get+0x42a sys/kern/subr_pool.c:738 pool_get(ffffffff82820de0,2) at pool_get+0xb5 sys/kern/subr_pool.c:581 m_clget(0,2,800) at m_clget+0x1b1 m_gethdr sys/kern/uipc_mbuf.c:283 [inline] m_clget(0,2,800) at m_clget+0x1b1 sys/kern/uipc_mbuf.c:400 vio_populate_rx_mbufs(ffff80000017a000) at vio_populate_rx_mbufs+0xf9 vio_add_rx_mbuf sys/dev/pv/if_vio.c:908 [inline] vio_populate_rx_mbufs(ffff80000017a000) at vio_populate_rx_mbufs+0xf9 sys/dev/pv/if_vio.c:951 vio_rx_intr(ffff80000017a050) at vio_rx_intr+0x69 virtio_check_vqs(ffff80000002ea00) at virtio_check_vqs+0x150 sys/dev/pv/virtio.c:228 intr_handler(ffff8000209dacb0,ffff800000655380) at intr_handler+0x4d sys/arch/amd64/amd64/intr.c:537 Xintr_ioapic_edge19_untramp() at Xintr_ioapic_edge19_untramp+0x19f spllower(0) at spllower+0x74 sys/arch/amd64/amd64/intr.c:727 vm_map_lock_ln(fffffd80567fe338,fffffd80579a8770,0) at vm_map_lock_ln+0xf4 sys/uvm/uvm_map.c:5445 uvmspace_fork(ffff80001d6c19e0) at uvmspace_fork+0x10a sys/uvm/uvm_map.c:4069 process_new(ffff80001d6bf8c8,ffff80001d6c19e0,1) at process_new+0x16f sys/kern/kern_fork.c:258 end trace frame: 0xffff8000209dafb0, count: 0 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic pool_do_get: mbufpl free list modified: page 0xfffffd805354a000; item addr 0xfffffd805354a000; offset 0x0=0x0 != 0xc1411e6e93f1265d ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff82479573) at panic+0x164 sys/kern/subr_prf.c:218 pool_do_get(ffffffff82820de0,2,ffff8000209daa78) at pool_do_get+0x42a sys/kern/subr_pool.c:738 pool_get(ffffffff82820de0,2) at pool_get+0xb5 sys/kern/subr_pool.c:581 m_clget(0,2,800) at m_clget+0x1b1 m_gethdr sys/kern/uipc_mbuf.c:283 [inline] m_clget(0,2,800) at m_clget+0x1b1 sys/kern/uipc_mbuf.c:400 vio_populate_rx_mbufs(ffff80000017a000) at vio_populate_rx_mbufs+0xf9 vio_add_rx_mbuf sys/dev/pv/if_vio.c:908 [inline] vio_populate_rx_mbufs(ffff80000017a000) at vio_populate_rx_mbufs+0xf9 sys/dev/pv/if_vio.c:951 vio_rx_intr(ffff80000017a050) at vio_rx_intr+0x69 virtio_check_vqs(ffff80000002ea00) at virtio_check_vqs+0x150 sys/dev/pv/virtio.c:228 intr_handler(ffff8000209dacb0,ffff800000655380) at intr_handler+0x4d sys/arch/amd64/amd64/intr.c:537 Xintr_ioapic_edge19_untramp() at Xintr_ioapic_edge19_untramp+0x19f spllower(0) at spllower+0x74 sys/arch/amd64/amd64/intr.c:727 vm_map_lock_ln(fffffd80567fe338,fffffd80579a8770,0) at vm_map_lock_ln+0xf4 sys/uvm/uvm_map.c:5445 uvmspace_fork(ffff80001d6c19e0) at uvmspace_fork+0x10a sys/uvm/uvm_map.c:4069 process_new(ffff80001d6bf8c8,ffff80001d6c19e0,1) at process_new+0x16f sys/kern/kern_fork.c:258 fork1(ffff80001d6bfb40,1,ffffffff813c3d30,0,ffff8000209db010,0) at fork1+0x31b sys/kern/kern_fork.c:377 syscall(ffff8000209db090) at syscall+0x507 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7ffffd4570, count: -17 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff8000209da8e0 rbx 0xffff8000209da990 rdx 0x8b rcx 0x2 rax 0x1 r8 0xffff8000209da8a0 r9 0xffffffff81de213f kprintf+0x15f r10 0x1 r11 0x1dc234a78a5c990a r12 0x3000000008 r13 0xffff8000209da8f0 r14 0x100 r15 0x1 rip 0xffffffff81da82d8 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff8000209da8d0 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb> show proc PROC (syz-executor.0) pid=377311 stat=onproc flags process=2 proc=0 pri=16, usrpri=86, nice=20 forw=0xffffffffffffffff, list=0xffff80001d6be508,0xffff80001d6be2a0 process=0xffff80001d6c19e0 user=0xffff8000209d6000, vmspace=0xfffffd80567fe778 estcpu=36, cpticks=1, pctcpu=0.1 user=0, sys=0, intr=1 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 40318 129200 0 0 3 0x14280 nfsidl nfsio 81589 194174 0 0 3 0x14280 nfsidl nfsio 17584 135063 0 0 3 0x14280 nfsidl nfsio 83808 243639 0 0 3 0x14280 nfsidl nfsio 92083 320989 0 0 3 0x14280 nfsidl nfsio 56908 351805 0 0 3 0x14280 nfsidl nfsio 1201 205426 0 0 3 0x14280 nfsidl nfsio 85351 271051 0 0 3 0x14280 nfsidl nfsio 38522 393695 0 0 3 0x14280 nfsidl nfsio 10095 136732 0 0 3 0x14280 nfsidl nfsio 56431 410813 0 0 3 0x14280 nfsidl nfsio 52083 361638 0 0 3 0x14280 nfsidl nfsio 65309 469120 0 0 3 0x14280 nfsidl nfsio 32926 505991 0 0 3 0x14280 nfsidl nfsio 81578 56353 0 0 3 0x14280 nfsidl nfsio 80668 213813 0 0 3 0x14280 nfsidl nfsio 10336 93132 0 0 3 0x14280 nfsidl nfsio 80348 229061 0 0 3 0x14280 nfsidl nfsio 2913 140462 0 0 3 0x14280 nfsidl nfsio 14172 15653 0 0 3 0x14280 nfsidl nfsio *74270 377311 76899 0 7 0x2 syz-executor.0 76106 91834 1 0 3 0x100083 ttyin getty 35405 203787 0 0 3 0x14200 acct acct 9481 363423 0 0 3 0x14200 bored sosplice 5633 238906 76899 0 3 0x82 piperd syz-executor.1 76899 108851 8598 0 3 0x82 thrsleep syz-fuzzer 76899 311157 8598 0 3 0x4000082 nanosleep syz-fuzzer 76899 521570 8598 0 2 0x4000002 syz-fuzzer 76899 375161 8598 0 3 0x4000082 thrsleep syz-fuzzer 76899 321276 8598 0 3 0x4000082 thrsleep syz-fuzzer 76899 229452 8598 0 3 0x4000082 thrsleep syz-fuzzer 76899 173610 8598 0 3 0x4000082 thrsleep syz-fuzzer 8598 419795 55246 0 3 0x10008a pause ksh 55246 126968 77253 0 3 0x92 select sshd 77253 233973 1 0 3 0x80 select sshd 6969 279824 21674 73 3 0x100090 kqread syslogd 21674 367869 1 0 3 0x100082 netio syslogd 28374 121778 1 77 3 0x100090 poll dhclient 18832 19159 1 0 3 0x80 poll dhclient 54942 131311 0 0 3 0x14200 bored smr 80196 23367 0 0 2 0x14200 zerothread 28347 269353 0 0 3 0x14200 aiodoned aiodoned 36954 327276 0 0 3 0x14200 syncer update 55783 431604 0 0 3 0x14200 cleaner cleaner 64172 100851 0 0 3 0x14200 reaper reaper 10312 126172 0 0 3 0x14200 pgdaemon pagedaemon 60230 113496 0 0 3 0x14200 bored crynlk 80526 69833 0 0 3 0x14200 bored crypto 36269 171494 0 0 3 0x40014200 acpi0 acpi0 51293 361418 0 0 2 0x14200 softnet 90978 474625 0 0 3 0x14200 bored systqmp 53312 60391 0 0 3 0x14200 bored systq 56051 370297 0 0 3 0x40014200 bored softclock 77440 107935 0 0 3 0x40014200 idle0 1 183353 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 9501 6352K 6737K 78643K 11178 0 pcb 13 8K 8K 78643K 73 0 rtable 101 5K 8K 78643K 632 0 ifaddr 79 16K 16K 78643K 200 0 sysctl 2 0K 0K 78643K 2 0 counters 21 16K 16K 78643K 30 0 ioctlops 0 0K 4K 78643K 106 0 iov 0 0K 16K 78643K 60 0 mount 1 1K 1K 78643K 1 0 vnodes 1216 76K 77K 78643K 1479 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 5K 78643K 10 0 VM map 2 0K 0K 78643K 2 0 sem 12 0K 1K 78643K 99 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1809 195K 288K 78643K 12938 0 file desc 5 13K 25K 78643K 591 0 sigio 0 0K 0K 78643K 8 0 proc 49 38K 63K 78643K 538 0 subproc 32 2K 2K 78643K 85 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 28 0 in_multi 64 3K 3K 78643K 174 0 ether_multi 1 0K 0K 78643K 12 0 mrt 0 0K 0K 78643K 2 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 55 254K 254K 78643K 55 0 exec 0 0K 1K 78643K 258 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 162 73K 89K 78643K 2271 0 UVM aobj 10 2K 2K 78643K 10 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 35 0 NDP 12 0K 0K 78643K 39 0 temp 107 3858K 3922K 78643K 9252 0 kqueue 3 4K 12K 78643K 37 0 SYN cache 2 16K 16K 78643K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 12 0 6 1 0 1 1 0 8 0 rtpcb 88 49 0 47 1 0 1 1 0 8 0 rtentry 112 106 0 70 2 0 2 2 0 8 0 unpcb 120 349 0 341 1 0 1 1 0 8 0 syncache 272 9 0 9 2 2 0 1 0 8 0 tcpqe 32 23 0 23 2 2 0 1 0 8 0 tcpcb 592 154 0 150 4 3 1 2 0 8 0 ipq 40 1 0 1 1 1 0 1 0 8 0 ipqe 40 2 0 2 1 1 0 1 0 8 0 inpcb 296 526 0 519 4 2 2 2 0 8 1 nd6 48 33 0 27 1 0 1 1 0 8 0 pfstscr 40 2 0 1 1 0 1 1 0 8 0 pfrktable 1344 87 0 83 3 2 1 2 0 8 0 pftag 88 26 0 26 3 3 0 1 0 8 0 pfstitem 24 2 0 0 1 0 1 1 0 8 0 pfstkey 112 4 0 2 1 0 1 1 0 8 0 pfstate 328 2 0 1 1 0 1 1 0 8 0 pfrule 1360 26 0 16 1 0 1 1 0 8 0 art_heap8 4096 2 0 0 2 0 2 2 0 8 0 art_heap4 256 512 0 323 20 8 12 18 0 8 0 art_table 32 514 0 323 3 0 3 3 0 8 0 art_node 16 105 0 74 1 0 1 1 0 8 0 sysvmsgpl 40 18 0 17 3 2 1 1 0 8 0 semapl 112 95 0 85 1 0 1 1 0 8 0 shmpl 112 7 0 0 1 0 1 1 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 2106 0 708 88 0 88 88 0 8 0 ffsino 240 2106 0 708 83 0 83 83 0 8 0 nchpl 144 3407 0 1828 60 0 60 60 0 8 0 uvmvnodes 72 2331 0 0 43 0 43 43 0 8 0 vnodes 208 2331 0 0 123 0 123 123 0 8 0 namei 1024 9350 0 9350 2 1 1 1 0 8 1 vcpupl 1984 8 0 0 1 0 1 1 0 8 0 vmpool 528 11 0 3 1 0 1 1 0 8 0 pfiaddrpl 120 26 0 22 2 1 1 1 0 8 0 scxspl 200 9173 0 9173 6 5 1 1 0 8 1 plimitpl 152 54 0 47 1 0 1 1 0 8 0 sigapl 424 792 0 742 6 0 6 6 0 8 0 futexpl 56 10935 0 10935 2 1 1 1 0 8 1 knotepl 112 136 0 116 1 0 1 1 0 8 0 kqueuepl 152 71 0 69 1 0 1 1 0 8 0 pipepl 272 145 0 134 2 1 1 2 0 8 0 fdescpl 432 756 0 742 2 0 2 2 0 8 0 filepl 120 4701 0 4604 4 0 4 4 0 8 0 lockfpl 104 132 0 131 1 0 1 1 0 8 0 lockfspl 48 45 0 44 1 0 1 1 0 8 0 sessionpl 120 22 0 12 1 0 1 1 0 8 0 pgrppl 48 26 0 16 1 0 1 1 0 8 0 ucredpl 96 456 0 449 1 0 1 1 0 8 0 zombiepl 144 742 0 742 2 1 1 1 0 8 1 processpl 944 792 0 742 7 0 7 7 0 8 0 procpl 632 1396 0 1340 6 0 6 6 0 8 1 sosppl 144 2 0 2 1 1 0 1 0 8 0 sockpl 400 924 0 907 7 3 4 5 0 8 2 mcl64k 65536 31 0 31 3 2 1 1 0 8 1 mcl16k 16384 6 0 6 3 3 0 1 0 8 0 mcl12k 12288 18 0 18 3 2 1 1 0 8 1 mcl9k 9216 7 0 6 5 4 1 1 0 8 0 mcl8k 8192 20 0 20 3 2 1 1 0 8 1 mcl4k 4096 49 0 49 3 2 1 1 0 8 1 mcl2k 2048 92835 0 92798 15 9 6 13 0 8 0 mtagpl 96 34 0 19 2 1 1 1 0 8 0 mbufpl 256 150326 0 150170 21 5 16 19 0 8 0 mbufpl: pool(0xffffffff82820de0:mbufpl): free list modified: page 0xfffffd805354a000; item ordinal 0; addr 0xfffffd805354a000 (p 0xfffffd8058faa000); offset 0x0=0x0 pool(mbufpl): free list modified: page 0xfffffd805354a000; item ordinal 0; addr 0xfffffd805354a000 (p 0xfffffd8058faa000); offset 0x0=0x0 mbufpl: pool(0xffffffff82820de0:mbufpl): page inconsistency: page 0xfffffd805354a000; item ordinal 1; addr 0x6cf63f292e3efcd3 bufpl 280 4420 0 118 308 0 308 308 0 8 0 anonpl 16 96121 0 78788 97 20 77 89 0 107 0 amapchunkpl 152 3841 0 3648 29 21 8 22 0 158 0 amappl16 192 3146 0 2142 64 13 51 63 0 8 0 amappl15 184 349 0 347 1 0 1 1 0 8 0 amappl14 176 137 0 134 1 0 1 1 0 8 0 amappl13 168 76 0 73 1 0 1 1 0 8 0 amappl12 160 49 0 47 1 0 1 1 0 8 0 amappl11 152 194 0 183 1 0 1 1 0 8 0 amappl10 144 275 0 271 1 0 1 1 0 8 0 amappl9 136 359 0 358 1 0 1 1 0 8 0 amappl8 128 411 0 355 2 0 2 2 0 8 0 amappl7 120 144 0 134 1 0 1 1 0 8 0 amappl6 112 29 0 21 1 0 1 1 0 8 0 amappl5 104 534 0 523 1 0 1 1 0 8 0 amappl4 96 620 0 590 1 0 1 1 0 8 0 amappl3 88 283 0 273 1 0 1 1 0 8 0 amappl2 80 5373 0 5310 2 0 2 2 0 8 0 amappl1 72 25942 0 25545 23 14 9 17 0 8 0 amappl 80 1666 0 1609 2 0 2 2 0 84 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 64 9 0 0 1 0 1 1 0 8 0 uaddrrnd 24 767 0 745 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 767 0 745 1 0 1 1 0 8 0 vmmpekpl 168 8516 0 8487 2 0 2 2 0 8 0 vmmpepl 168 100733 0 98676 184 56 128 138 0 357 32 vmsppl 272 766 0 745 2 0 2 2 0 8 0 pdppl 4096 1540 0 1498 7 1 6 6 0 8 0 pvpl 32 275986 0 255866 211 30 181 204 0 265 0 pmappl 200 766 0 745 2 0 2 2 0 8 0 extentpl 40 53 0 36 1 0 1 1 0 8 0 phpool 112 269 0 41 7 0 7 7 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff82479573) at panic+0x164 sys/kern/subr_prf.c:218 pool_do_get(ffffffff82820de0,2,ffff8000209daa78) at pool_do_get+0x42a sys/kern/subr_pool.c:738 pool_get(ffffffff82820de0,2) at pool_get+0xb5 sys/kern/subr_pool.c:581 m_clget(0,2,800) at m_clget+0x1b1 m_gethdr sys/kern/uipc_mbuf.c:283 [inline] m_clget(0,2,800) at m_clget+0x1b1 sys/kern/uipc_mbuf.c:400 vio_populate_rx_mbufs(ffff80000017a000) at vio_populate_rx_mbufs+0xf9 vio_add_rx_mbuf sys/dev/pv/if_vio.c:908 [inline] vio_populate_rx_mbufs(ffff80000017a000) at vio_populate_rx_mbufs+0xf9 sys/dev/pv/if_vio.c:951 vio_rx_intr(ffff80000017a050) at vio_rx_intr+0x69 virtio_check_vqs(ffff80000002ea00) at virtio_check_vqs+0x150 sys/dev/pv/virtio.c:228 intr_handler(ffff8000209dacb0,ffff800000655380) at intr_handler+0x4d sys/arch/amd64/amd64/intr.c:537 Xintr_ioapic_edge19_untramp() at Xintr_ioapic_edge19_untramp+0x19f spllower(0) at spllower+0x74 sys/arch/amd64/amd64/intr.c:727 vm_map_lock_ln(fffffd80567fe338,fffffd80579a8770,0) at vm_map_lock_ln+0xf4 sys/uvm/uvm_map.c:5445 uvmspace_fork(ffff80001d6c19e0) at uvmspace_fork+0x10a sys/uvm/uvm_map.c:4069 process_new(ffff80001d6bf8c8,ffff80001d6c19e0,1) at process_new+0x16f sys/kern/kern_fork.c:258 fork1(ffff80001d6bfb40,1,ffffffff813c3d30,0,ffff8000209db010,0) at fork1+0x31b sys/kern/kern_fork.c:377 syscall(ffff8000209db090) at syscall+0x507 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7ffffd4570, count: -17 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff82479573) at panic+0x164 sys/kern/subr_prf.c:218 pool_do_get(ffffffff82820de0,2,ffff8000209daa78) at pool_do_get+0x42a sys/kern/subr_pool.c:738 pool_get(ffffffff82820de0,2) at pool_get+0xb5 sys/kern/subr_pool.c:581 m_clget(0,2,800) at m_clget+0x1b1 m_gethdr sys/kern/uipc_mbuf.c:283 [inline] m_clget(0,2,800) at m_clget+0x1b1 sys/kern/uipc_mbuf.c:400 vio_populate_rx_mbufs(ffff80000017a000) at vio_populate_rx_mbufs+0xf9 vio_add_rx_mbuf sys/dev/pv/if_vio.c:908 [inline] vio_populate_rx_mbufs(ffff80000017a000) at vio_populate_rx_mbufs+0xf9 sys/dev/pv/if_vio.c:951 vio_rx_intr(ffff80000017a050) at vio_rx_intr+0x69 virtio_check_vqs(ffff80000002ea00) at virtio_check_vqs+0x150 sys/dev/pv/virtio.c:228 intr_handler(ffff8000209dacb0,ffff800000655380) at intr_handler+0x4d sys/arch/amd64/amd64/intr.c:537 Xintr_ioapic_edge19_untramp() at Xintr_ioapic_edge19_untramp+0x19f spllower(0) at spllower+0x74 sys/arch/amd64/amd64/intr.c:727 vm_map_lock_ln(fffffd80567fe338,fffffd80579a8770,0) at vm_map_lock_ln+0xf4 sys/uvm/uvm_map.c:5445 uvmspace_fork(ffff80001d6c19e0) at uvmspace_fork+0x10a sys/uvm/uvm_map.c:4069 process_new(ffff80001d6bf8c8,ffff80001d6c19e0,1) at process_new+0x16f sys/kern/kern_fork.c:258 fork1(ffff80001d6bfb40,1,ffffffff813c3d30,0,ffff8000209db010,0) at fork1+0x31b sys/kern/kern_fork.c:377 syscall(ffff8000209db090) at syscall+0x507 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7ffffd4570, count: -17