panic: pool_do_get: fdescpl free list modified: page 0xfffffd806c92a000; item addr 0xfffffd806c92a1f0; offset 0x48=0xdead4113
Stopped at db_enter+0x1c: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
357434 7196 32767 0x10 0 1 syz-executor.5
*305276 48352 32767 0x10 0 0K syz-executor.7
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8280c56e) at panic+0x17b sys/kern/subr_prf.c:198
pool_do_get(ffffffff82d8e798,9,ffff80002c9f4de8) at pool_do_get+0x484 sys/kern/subr_pool.c:739
pool_get(ffffffff82d8e798,9) at pool_get+0xed sys/kern/subr_pool.c:582
fdcopy(ffff800029589d68) at fdcopy+0x48 fdinit sys/kern/kern_descrip.c:1067 [inline]
fdcopy(ffff800029589d68) at fdcopy+0x48 sys/kern/kern_descrip.c:1106
process_new(ffff80002120b010,ffff800029589d68,1) at process_new+0x2bc sys/kern/kern_fork.c:257
fork1(ffff800021261540,1,ffffffff813f0280,0,ffff80002c9f5040,0) at fork1+0x318 sys/kern/kern_fork.c:383
syscall(ffff80002c9f50c0) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline]
syscall(ffff80002c9f50c0) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x73a8533a7280, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: pool_do_get: fdescpl free list modified: page 0xfffffd806c92a000; item addr 0xfffffd806c92a1f0; offset 0x48=0xdead4113 ddb{0}> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8280c56e) at panic+0x17b sys/kern/subr_prf.c:198 pool_do_get(ffffffff82d8e798,9,ffff80002c9f4de8) at pool_do_get+0x484 sys/kern/subr_pool.c:739 pool_get(ffffffff82d8e798,9) at pool_get+0xed sys/kern/subr_pool.c:582 fdcopy(ffff800029589d68) at fdcopy+0x48 fdinit sys/kern/kern_descrip.c:1067 [inline] fdcopy(ffff800029589d68) at fdcopy+0x48 sys/kern/kern_descrip.c:1106 process_new(ffff80002120b010,ffff800029589d68,1) at process_new+0x2bc sys/kern/kern_fork.c:257 fork1(ffff800021261540,1,ffffffff813f0280,0,ffff80002c9f5040,0) at fork1+0x318 sys/kern/kern_fork.c:383 syscall(ffff80002c9f50c0) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline] syscall(ffff80002c9f50c0) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x73a8533a7280, count: -9 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff80002c9f4c30 rbx 0xffffffff82b9aba7 cpu_info_full_primary+0x2ba7 rdx 0 rcx 0xffff800021261540 rax 0xffffffff82b99ff0 cpu_info_full_primary+0x1ff0 r8 0x101010101010101 r9 0x8080808080808080 r10 0x580d5d499873bb0f r11 0x6073d869d256f025 r12 0xffffffff82b9a9a8 cpu_info_full_primary+0x29a8 r13 0 r14 0 r15 0x1 rip 0xffffffff8142465c db_enter+0x1c cs 0x8 rflags 0x246 rsp 0xffff80002c9f4c20 ss 0x10 db_enter+0x1c: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor.7) tid=305276 pid=48352 tcnt=1 stat=onproc flags process=10 proc=0 runpri=16, usrpri=55, slppri=16, nice=20 wchan=0x0, wmesg=, ps_single=0x0 forw=0xffffffffffffffff, list=0xffff800021261a90,0xffff80002120aad0 process=0xffff800029589d68 user=0xffff80002c9f0000, vmspace=0xfffffd80643041f8 estcpu=23, cpticks=1, pctcpu=0.1, user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S 
FLAGS WAIT COMMAND 23728 159334 1546 32767 2 0x10 syz-executor.4 23728 311381 1546 32767 3 0x4000090 fsleep syz-executor.4 23728 188356 1546 32767 3 0x4000090 fsleep syz-executor.4 7196 357434 76477 32767 7 0x10 syz-executor.5 1284 346124 6842 32767 2 0x10 syz-executor.0 64094 78032 26573 32767 2 0x10 syz-executor.2 64094 326851 26573 32767 2 0x4000010 syz-executor.2 72734 396658 31505 32767 2 0x490 syz-executor.3 72734 213696 31505 32767 3 0x4000090 piperd syz-executor.3 72734 203937 31505 32767 3 0x4000090 fsleep syz-executor.3 72734 280162 31505 32767 3 0x4000090 fsleep syz-executor.3 18868 251261 85381 32767 2 0x490 syz-executor.1 18868 302651 85381 32767 3 0x4000090 fsleep syz-executor.1 18868 284592 85381 32767 3 0x4000010 fdlock syz-executor.1 1546 222191 16748 32767 2 0x490 syz-executor.4 16748 396327 9424 0 3 0x82 wait syz-executor.4 56596 152373 0 0 3 0x14200 bored sosplice *48352 305276 29433 32767 7 0x10 syz-executor.7 29433 16158 9424 0 3 0x82 wait syz-executor.7 79473 259792 69433 32767 2 0x490 syz-executor.6 26573 295363 64021 32767 3 0x90 nanoslp syz-executor.2 69433 273076 9424 0 3 0x82 wait syz-executor.6 64021 109964 9424 0 3 0x82 wait syz-executor.2 76477 230058 37171 32767 3 0x90 nanoslp syz-executor.5 31505 15626 72247 32767 2 0x490 syz-executor.3 37171 12151 9424 0 3 0x82 wait syz-executor.5 85381 157246 35399 32767 3 0x90 nanoslp syz-executor.1 72247 110609 9424 0 3 0x82 wait syz-executor.3 35399 97260 9424 0 3 0x82 wait syz-executor.1 6842 17164 36565 32767 3 0x90 nanoslp syz-executor.0 36565 324903 9424 0 3 0x82 wait syz-executor.0 9424 262429 79788 0 3 0x2000082 wait syz-fuzzer 9424 185090 79788 0 2 0x6000082 syz-fuzzer 9424 512226 79788 0 3 0x6000082 wait syz-fuzzer 9424 158749 79788 0 3 0x6000082 wait syz-fuzzer 9424 142135 79788 0 3 0x6000082 thrsleep syz-fuzzer 9424 458619 79788 0 3 0x6000082 wait syz-fuzzer 9424 90912 79788 0 3 0x6000082 wait syz-fuzzer 9424 343604 79788 0 3 0x6000082 thrsleep syz-fuzzer 9424 460507 79788 0 3 
0x6000082 thrsleep syz-fuzzer 9424 150775 79788 0 3 0x6000082 wait syz-fuzzer 9424 293937 79788 0 3 0x6000082 wait syz-fuzzer 9424 428778 79788 0 3 0x6000082 thrsleep syz-fuzzer 9424 55998 79788 0 3 0x6000082 wait syz-fuzzer 9424 14260 79788 0 3 0x6000082 thrsleep syz-fuzzer 9424 49585 79788 0 3 0x6000082 kqread syz-fuzzer 9424 281818 79788 0 2 0x6000082 syz-fuzzer 79788 411923 84197 0 3 0x10008a sigsusp ksh 84197 446589 89511 0 2 0x9a sshd 8105 208066 1 0 3 0x100083 ttyin getty 89511 266110 1 0 3 0x88 kqread sshd 62296 283676 50261 73 3 0x1100090 kqread syslogd 50261 388420 1 0 3 0x100082 netio syslogd 93712 55826 1 0 3 0x100080 kqread resolvd 75375 211028 48657 77 3 0x100092 kqread dhcpleased 8929 336801 48657 77 3 0x100092 kqread dhcpleased 48657 390635 1 0 3 0x80 kqread dhcpleased 14912 230379 0 0 3 0x14200 bored smr 78139 100109 0 0 2 0x14200 zerothread 60122 452513 0 0 3 0x14200 aiodoned aiodoned 60069 70529 0 0 3 0x14200 syncer update 67958 66116 0 0 3 0x14200 cleaner cleaner 14821 488520 0 0 3 0x14200 reaper reaper 5896 480020 0 0 3 0x14200 pgdaemon pagedaemon 80338 494695 0 0 3 0x14200 bored viomb 59772 441466 0 0 3 0x40014200 acpi0 acpi0 65961 466252 0 0 3 0x40014200 idle1 30837 156819 0 0 3 0x14200 bored softnet3 58430 234055 0 0 3 0x14200 bored softnet2 2142 383257 0 0 3 0x14200 bored softnet1 90931 380545 0 0 3 0x14200 bored softnet0 65505 275977 0 0 2 0x14200 systqmp 90886 43962 0 0 3 0x14200 bored systq 91970 329906 0 0 3 0x40014200 bored softclock 75947 170906 0 0 3 0x40014200 idle0 1 249967 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks CPU 0: exclusive mutex fdescpl r = 0 (0xffffffff82d8e7a8) #0 witness_lock+0x447 #1 mtx_enter_try+0x104 #2 mtx_enter+0x4f sys/kern/kern_lock.c:266 #3 pool_get+0xc1 sys/kern/subr_pool.c:579 #4 fdcopy+0x48 fdinit sys/kern/kern_descrip.c:1067 [inline] #4 fdcopy+0x48 sys/kern/kern_descrip.c:1106 #5 process_new+0x2bc sys/kern/kern_fork.c:257 #6 fork1+0x318 sys/kern/kern_fork.c:383 #7 
syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline] #7 syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623 #8 Xsyscall+0x128 Process 18868 (syz-executor.1) thread 0xffff8000211c9008 (284592) exclusive rwlock sysctllk r = 0 (0xffffffff82c3c630) #0 witness_lock+0x447 #1 rw_enter+0x3c8 sys/kern/kern_rwlock.c:309 #2 sys_sysctl+0x1c3 sys/kern/kern_sysctl.c:235 #3 syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline] #3 syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623 #4 Xsyscall+0x128 Process 48352 (syz-executor.7) thread 0xffff800021261540 (305276) exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82c7f000) #0 witness_lock+0x447 #1 syscall+0x5cd mi_syscall sys/sys/syscall_mi.h:110 [inline] #1 syscall+0x5cd sys/arch/amd64/amd64/trap.c:623 #2 Xsyscall+0x128 exclusive mutex fdescpl r = 0 (0xffffffff82d8e7a8) #0 witness_lock+0x447 #1 mtx_enter_try+0x104 #2 mtx_enter+0x4f sys/kern/kern_lock.c:266 #3 pool_get+0xc1 sys/kern/subr_pool.c:579 #4 fdcopy+0x48 fdinit sys/kern/kern_descrip.c:1067 [inline] #4 fdcopy+0x48 sys/kern/kern_descrip.c:1106 #5 process_new+0x2bc sys/kern/kern_fork.c:257 #6 fork1+0x318 sys/kern/kern_fork.c:383 #7 syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline] #7 syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623 #8 Xsyscall+0x128 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10186 6409K 6420K 78643K 11270 0 pcb 13 8K 8K 78643K 13 0 rtable 234 6K 6K 78643K 423 0 pf 29 8K 8K 78643K 33 0 ifaddr 44 15K 15K 78643K 54 0 ifgroup 50 2K 2K 78643K 58 0 sysctl 2 0K 0K 78643K 2 0 counters 60 35K 35K 78643K 64 0 ioctlops 0 0K 2K 78643K 34 0 iov 1 0K 24K 78643K 169 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 4 0 vnodes 1278 80K 80K 78643K 1370 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 5K 78643K 17 0 VM map 2 1K 1K 78643K 2 0 sem 12 0K 1K 78643K 87 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 25 93K 113K 78643K 1167 0 sigio 0 0K 0K 78643K 10 0 proc 56 78K 115K 78643K 
578 0 subproc 104 6K 6K 78643K 130 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 14 0 in_multi 99 7K 7K 78643K 127 0 ether_multi 1 0K 0K 78643K 1 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 55 254K 254K 78643K 55 0 exec 0 0K 1K 78643K 563 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 8 62K 64K 78643K 10 0 UVM amap 373 88K 89K 78643K 13590 0 UVM aobj 65 3K 4K 78643K 71 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 27 0 NDP 11 0K 2K 78643K 33 0 temp 74 5917K 5981K 78643K 6391 0 kqueue 14 20K 22K 78643K 85 0 SYN cache 2 16K 16K 78643K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 22 0 0 1 0 1 1 0 8 0 rtpcb 120 62 0 59 1 0 1 1 0 8 0 rtentry 112 136 0 26 4 0 4 4 0 8 0 unpcb 144 2564 0 2541 16 10 6 10 0 8 5 syncache 304 14 0 14 2 1 1 1 0 8 1 tcpqe 32 199 0 199 3 2 1 1 0 8 1 tcpcb 808 616 0 539 10 2 8 8 0 8 0 arp 120 22 0 4 1 0 1 1 0 8 0 inpcb 368 830 0 750 9 1 8 8 0 8 0 nd6 136 33 0 9 1 0 1 1 0 8 0 kcovpl 48 10 0 2 1 0 1 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 546 0 94 29 0 29 29 0 8 0 art_table 32 547 0 94 4 0 4 4 0 8 0 art_node 16 135 0 35 1 0 1 1 0 8 0 sysvmsgpl 40 5 0 5 2 2 0 1 0 8 0 semupl 112 3 0 3 1 1 0 1 0 8 0 semapl 112 82 0 72 1 0 1 1 0 8 0 shmpl 112 68 0 6 2 0 2 2 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 2711 0 1270 91 0 91 91 0 8 0 ffsino 272 2711 0 1270 97 0 97 97 0 8 0 nchpl 144 4397 0 2758 63 0 63 63 0 8 0 uvmvnodes 80 2850 0 0 59 0 59 59 0 8 0 vnodes 216 2850 0 0 159 0 159 159 0 8 0 namei 1024 13739 0 13739 2 1 1 2 0 8 1 percpumem 16 45 0 2 1 0 1 1 0 8 0 kstatmem 264 26 0 4 2 0 2 2 0 8 0 scxspl 216 13758 0 13758 10 9 1 8 1 8 1 plimitpl 152 175 0 151 2 0 2 2 0 8 1 sigapl 424 1448 0 1394 7 0 7 7 0 8 0 futexpl 64 8247 0 8242 1 0 1 1 0 8 0 knotepl 120 179 0 0 6 0 6 6 0 8 0 kqueuepl 
216 256 0 247 5 0 5 5 0 8 4 pipepl 320 353 0 291 11 5 6 8 0 8 0 fdescpl 496 1430 0 1394 7 2 5 6 0 8 0 pool(0xffffffff82d8e798:fdescpl): page inconsistency: page 0xfffffd806c92a000; 0 on list, 7 missing, 8 items per page filepl 152 8496 0 8116 25 8 17 19 0 8 2 lockfpl 104 146 0 144 1 0 1 1 0 8 0 lockfspl 48 66 0 64 1 0 1 1 0 8 0 sessionpl 144 25 0 9 1 0 1 1 0 8 0 pgrppl 48 25 0 9 1 0 1 1 0 8 0 ucredpl 104 471 0 453 1 0 1 1 0 8 0 zombiepl 144 1395 0 1394 1 0 1 1 0 8 0 processpl 1072 1449 0 1394 4 0 4 4 0 8 0 procpl 680 3300 0 3222 9 1 8 8 0 8 0 sosppl 168 18 0 18 2 1 1 1 0 8 1 sockpl 488 3463 0 3357 102 88 14 35 0 8 0 mcl64k 65536 9 0 0 2 0 2 2 0 8 0 mcl16k 16384 6 0 0 1 0 1 1 0 8 0 mcl12k 12288 8 0 0 1 0 1 1 0 8 0 mcl9k 9216 5 0 0 1 0 1 1 0 8 0 mcl8k 8192 15 0 0 2 0 2 2 0 8 0 mcl4k 4096 11 0 0 2 0 2 2 0 8 0 mcl2k2 2112 3 0 0 1 0 1 1 0 8 0 mcl2k 2048 267 0 0 34 0 34 34 0 8 0 mtagpl 96 3 0 0 1 0 1 1 0 8 0 mbufpl 256 977 0 0 60 0 60 60 0 8 0 bufpl 288 5381 0 142 375 0 375 375 0 8 0 anonpl 24 280919 0 269582 93 2 91 91 0 186 20 amapchunkpl 152 43479 0 42506 44 2 42 42 0 158 1 amappl16 200 7118 0 6841 26 4 22 26 0 8 7 amappl15 192 13 0 12 1 0 1 1 0 8 0 amappl14 184 157 0 146 2 1 1 2 0 8 0 amappl13 176 14 0 12 1 0 1 1 0 8 0 amappl12 168 2081 0 2045 2 0 2 2 0 8 0 amappl11 160 69 0 58 1 0 1 1 0 8 0 amappl10 152 38 0 27 1 0 1 1 0 8 0 amappl9 144 213 0 212 1 0 1 1 0 8 0 amappl8 136 284 0 210 3 0 3 3 0 8 0 amappl7 128 66 0 55 2 0 2 2 0 8 0 amappl6 120 222 0 207 2 1 1 2 0 8 0 amappl5 112 191 0 182 1 0 1 1 0 8 0 amappl4 104 556 0 520 2 0 2 2 0 8 0 amappl3 96 8790 0 8686 4 0 4 4 0 8 1 amappl2 88 1689 0 1618 3 1 2 3 0 8 0 amappl1 80 13282 0 12757 22 9 13 22 0 8 0 amappl 88 13038 0 12768 7 0 7 7 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 70 0 6 2 0 2 2 0 8 0 uaddrrnd 24 1430 0 1394 1 0 1 1 
0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 1430 0 1394 1 0 1 1 0 8 0 vmmpekpl 168 16791 0 16733 3 0 3 3 0 8 0 vmmpepl 168 104937 0 102543 124 9 115 115 0 357 9 vmsppl 464 1429 0 1394 7 2 5 6 0 8 0 rwobjpl 56 35600 0 31366 62 2 60 60 0 8 0 pdppl 4096 2868 0 2788 134 52 82 90 0 8 2 pvpl 32 654503 0 637229 352 43 309 351 0 265 163 pmappl 248 1429 0 1394 4 1 3 3 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 864 0 59 23 0 23 23 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8280c56e) at panic+0x17b sys/kern/subr_prf.c:198 pool_do_get(ffffffff82d8e798,9,ffff80002c9f4de8) at pool_do_get+0x484 sys/kern/subr_pool.c:739 pool_get(ffffffff82d8e798,9) at pool_get+0xed sys/kern/subr_pool.c:582 fdcopy(ffff800029589d68) at fdcopy+0x48 fdinit sys/kern/kern_descrip.c:1067 [inline] fdcopy(ffff800029589d68) at fdcopy+0x48 sys/kern/kern_descrip.c:1106 process_new(ffff80002120b010,ffff800029589d68,1) at process_new+0x2bc sys/kern/kern_fork.c:257 fork1(ffff800021261540,1,ffffffff813f0280,0,ffff80002c9f5040,0) at fork1+0x318 sys/kern/kern_fork.c:383 syscall(ffff80002c9f50c0) at syscall+0x5e2 mi_syscall sys/sys/syscall_mi.h:110 [inline] syscall(ffff80002c9f50c0) at syscall+0x5e2 sys/arch/amd64/amd64/trap.c:623 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x73a8533a7280, count: -9 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x1e: addq $0x8,%rsp x86_ipi_db(ffff800020d48ff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff82c7edf8) at __mp_lock+0x129 __mp_lock_spin sys/kern/kern_lock.c:116 [inline] __mp_lock(ffffffff82c7edf8) at __mp_lock+0x129 sys/kern/kern_lock.c:147 end trace frame: 0x0, count: 11 ddb{1}> trace x86_ipi_db(ffff800020d48ff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at 
x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff82c7edf8) at __mp_lock+0x129 __mp_lock_spin sys/kern/kern_lock.c:116 [inline] __mp_lock(ffffffff82c7edf8) at __mp_lock+0x129 sys/kern/kern_lock.c:147 end trace frame: 0x0, count: -4