login: panic: pool_do_get: mcl2k free list modified: page 0xffffff00040ae000; item addr 0xffffff00040b1000; offset 0x0=0x4c8f5670978b69ca != 0x4c8f5670c8362dba
Stopped at db_enter+0xa: popq %rbp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*143299 94947 0 0 0x4000000 0 syz-executor0
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
pool_do_get(2,ffffffff81eb5100,ffffffff81eb5100) at pool_do_get+0x3ae sys/kern/subr_pool.c:752
pool_get(ffffff0036d06200,2) at pool_get+0x77 sys/kern/subr_pool.c:587
m_clget(3,ffff800000171000,1) at m_clget+0x1e0 sys/kern/uipc_mbuf.c:394
vio_populate_rx_mbufs(ffff800000171050) at vio_populate_rx_mbufs+0xd4 vio_add_rx_mbuf sys/dev/pv/if_vio.c:906 [inline]
vio_populate_rx_mbufs(ffff800000171050) at vio_populate_rx_mbufs+0xd4 sys/dev/pv/if_vio.c:950
vio_rx_intr(ffffffff) at vio_rx_intr+0x4d sys/dev/pv/if_vio.c:1062
virtio_check_vqs(ffff80000001c300) at virtio_check_vqs+0x166 sys/dev/pv/virtio.c:228
intr_handler(0,ffff80000024b980) at intr_handler+0x3f sys/arch/amd64/amd64/intr.c:530
Xintr_ioapic_edge19_untramp(0,ffff800001acb800,a975,0,8,ffffff002b524f00) at Xintr_ioapic_edge19_untramp+0x19f
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x35 sys/dev/kcov.c:101
ofp_split_mbuf(ffff800001aeb000,ffff800014af9dc8) at ofp_split_mbuf+0x68 sys/net/if_switch.c:1497
switchwrite(ffffff002b48bc50,ffffff002b48bc50,ffff800014af9fa8) at switchwrite+0x32a sys/net/switchctl.c:271
spec_write(ffffffff81e0f468) at spec_write+0xa0 sys/kern/spec_vnops.c:310
end trace frame: 0xffff800014af9ee0, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb> show panic
pool_do_get: mcl2k free list modified: page 0xffffff00040ae000; item addr 0xffffff00040b1000; offset 0x0=0x4c8f5670978b69ca != 0x4c8f5670c8362dba
ddb> trace
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
pool_do_get(2,ffffffff81eb5100,ffffffff81eb5100) at pool_do_get+0x3ae sys/kern/subr_pool.c:752
pool_get(ffffff0036d06200,2) at pool_get+0x77 sys/kern/subr_pool.c:587
m_clget(3,ffff800000171000,1) at m_clget+0x1e0 sys/kern/uipc_mbuf.c:394
vio_populate_rx_mbufs(ffff800000171050) at vio_populate_rx_mbufs+0xd4 vio_add_rx_mbuf sys/dev/pv/if_vio.c:906 [inline]
vio_populate_rx_mbufs(ffff800000171050) at vio_populate_rx_mbufs+0xd4 sys/dev/pv/if_vio.c:950
vio_rx_intr(ffffffff) at vio_rx_intr+0x4d sys/dev/pv/if_vio.c:1062
virtio_check_vqs(ffff80000001c300) at virtio_check_vqs+0x166 sys/dev/pv/virtio.c:228
intr_handler(0,ffff80000024b980) at intr_handler+0x3f sys/arch/amd64/amd64/intr.c:530
Xintr_ioapic_edge19_untramp(0,ffff800001acb800,a975,0,8,ffffff002b524f00) at Xintr_ioapic_edge19_untramp+0x19f
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x35 sys/dev/kcov.c:101
ofp_split_mbuf(ffff800001aeb000,ffff800014af9dc8) at ofp_split_mbuf+0x68 sys/net/if_switch.c:1497
switchwrite(ffffff002b48bc50,ffffff002b48bc50,ffff800014af9fa8) at switchwrite+0x32a sys/net/switchctl.c:271
spec_write(ffffffff81e0f468) at spec_write+0xa0 sys/kern/spec_vnops.c:310
VOP_WRITE(1,ffffff002b48bc50,1,ffffff002f834e20) at VOP_WRITE+0x65 sys/kern/vfs_vops.c:268
vn_write(ffffff002f834e20,ffff800014af9fa8,1) at vn_write+0x161 sys/kern/vfs_vnops.c:397
dofilewritev(ffff800014afa0d0,1,ffff800014afa0e8,ffff800014a22040,0) at dofilewritev+0x13e sys/kern/sys_generic.c:364
sys_pwritev(ffff800014afa170,ffff800014a22040,ffff800014a16950) at sys_pwritev+0xbf sys/kern/vfs_syscalls.c:3141
syscall(0) at syscall+0x3e4
Xsyscall(6,0,ffffffffffffffb8,0,4,ff17d8a010) at Xsyscall+0x128
end of kernel
end trace frame: 0x101fa4e88c0, count: -20
ddb> show registers
rdi 0xffffffff81e38b38 kprintf_mutex
rsi 0x5
rbp 0xffff800014af9980
rbx 0xffff800014af9a20
rdx 0x3fd
rcx 0
rax 0x1
r8 0xffff800014af9950
r9 0x8080808080808080
r10 0x4c8f5670978b69ca
r11 0xffffffff81687d20 x86_bus_space_io_read_1
r12 0x3000000008
r13 0xffff800014af9990
r14 0x100
r15 0xffffffff81c47d22 cy_pio_rec+0xf15f
rip 0xffffffff814c7f1a db_enter+0xa
cs 0x8
rflags 0x202
rsp 0xffff800014af9980
ss 0x10
db_enter+0xa: popq %rbp
ddb> show proc
PROC (syz-executor0) pid=143299 stat=onproc
flags process=0 proc=4000000
pri=86, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff800014a229a0,0xffffffff81e92b98
process=0xffff800014a16950 user=0xffff800014af5000, vmspace=0xffffff003f12bd68
estcpu=36, cpticks=18, pctcpu=0.0
user=0, sys=15, intr=2
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
94947 470445 36578 0 2 0 syz-executor0
*94947 143299 36578 0 7 0x4000000 syz-executor0
42832 451903 69853 0 2 0x480 syz-executor1
42832 195297 69853 0 3 0x4000080 msgwait syz-executor1
42832 272023 69853 0 3 0x4000080 fsleep syz-executor1
15173 86401 1 0 3 0x100083 ttyin getty
57179 112274 0 0 3 0x14200 bored sosplice
36578 222741 84749 0 2 0x482 syz-executor0
69853 268752 84749 0 2 0x482 syz-executor1
84749 511428 42983 0 3 0x82 thrsleep syz-fuzzer
84749 174452 42983 0 2 0x4000482 syz-fuzzer
84749 459086 42983 0 3 0x4000082 thrsleep syz-fuzzer
84749 51312 42983 0 3 0x4000082 kqread syz-fuzzer
84749 84396 42983 0 3 0x4000082 thrsleep syz-fuzzer
84749 457981 42983 0 3 0x4000082 thrsleep syz-fuzzer
84749 81512 42983 0 3 0x4000082 thrsleep syz-fuzzer
42983 332779 88895 0 3 0x10008a pause ksh
88895 279104 13948 0 3 0x92 select sshd
13948 450931 1 0 3 0x80 select sshd
55520 270084 60251 73 3 0x100090 kqread syslogd
60251 309050 1 0 3 0x100082 netio syslogd
27347 317631 1 77 3 0x100090 poll dhclient
92341 187178 1 0 3 0x80 poll dhclient
21338 452903 0 0 2 0x14200 zerothread
22526 380145 0 0 3 0x14200 aiodoned aiodoned
86975 193557 0 0 3 0x14200 syncer update
59745 293889 0 0 3 0x14200 cleaner cleaner
84078 160943 0 0 3 0x14200 reaper reaper
38884 101735 0 0 3 0x14200 pgdaemon pagedaemon
84125 403130 0 0 3 0x14200 bored crynlk
43876 299734 0 0 3 0x14200 bored crypto
30235 199505 0 0 3 0x40014200 acpi0 acpi0
30553 261838 0 0 2 0x14200 softnet
45154 227912 0 0 3 0x14200 bored systqmp
80648 324644 0 0 3 0x14200 bored systq
565 46632 0 0 2 0x40014200 softclock
43917 222715 0 0 3 0x40014200 idle0
1 449179 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper