panic: pool_do_get: mbufpl free list modified: page 0xfffffd806bc22000; item addr 0xfffffd806bc22400; offset 0x0=0x2c00000000000000 != 0x2c0be8ec6c99c8fc Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *455268 48243 0 0x12 0 0 sshd db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff824724b2) at panic+0x164 sys/kern/subr_prf.c:218 pool_do_get(ffffffff827f4398,2,ffff80001d7236b8) at pool_do_get+0x42a sys/kern/subr_pool.c:738 pool_get(ffffffff827f4398,2) at pool_get+0xb5 sys/kern/subr_pool.c:581 m_copym(fffffd806bc22600,654,580,2) at m_copym+0x174 m_get sys/kern/uipc_mbuf.c:250 [inline] m_copym(fffffd806bc22600,654,580,2) at m_copym+0x174 sys/kern/uipc_mbuf.c:667 tcp_output(ffff800000ac3980) at tcp_output+0x154d sys/netinet/tcp_output.c:673 tcp_usrreq(fffffd805da73328,9,fffffd806bc22300,0,0,ffff80001d71c010) at tcp_usrreq+0xa54 sosend(fffffd805da73328,0,ffff80001d723b98,0,0,80) at sosend+0x669 sys/kern/uipc_socket.c:555 dofilewritev(ffff80001d71c010,4,ffff80001d723b98,0,ffff80001d723c80) at dofilewritev+0x1ab sys/kern/sys_generic.c:365 sys_write(ffff80001d71c010,ffff80001d723c30,ffff80001d723c80) at sys_write+0x83 sys/kern/sys_generic.c:285 syscall(ffff80001d723d00) at syscall+0x507 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7ffffe9a80, count: 3 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic pool_do_get: mbufpl free list modified: page 0xfffffd806bc22000; item addr 0xfffffd806bc22400; offset 0x0=0x2c00000000000000 != 0x2c0be8ec6c99c8fc ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff824724b2) at panic+0x164 sys/kern/subr_prf.c:218 pool_do_get(ffffffff827f4398,2,ffff80001d7236b8) at pool_do_get+0x42a sys/kern/subr_pool.c:738 pool_get(ffffffff827f4398,2) at pool_get+0xb5 sys/kern/subr_pool.c:581 m_copym(fffffd806bc22600,654,580,2) at m_copym+0x174 m_get sys/kern/uipc_mbuf.c:250 [inline] m_copym(fffffd806bc22600,654,580,2) at m_copym+0x174 sys/kern/uipc_mbuf.c:667 tcp_output(ffff800000ac3980) at tcp_output+0x154d sys/netinet/tcp_output.c:673 tcp_usrreq(fffffd805da73328,9,fffffd806bc22300,0,0,ffff80001d71c010) at tcp_usrreq+0xa54 sosend(fffffd805da73328,0,ffff80001d723b98,0,0,80) at sosend+0x669 sys/kern/uipc_socket.c:555 dofilewritev(ffff80001d71c010,4,ffff80001d723b98,0,ffff80001d723c80) at dofilewritev+0x1ab sys/kern/sys_generic.c:365 sys_write(ffff80001d71c010,ffff80001d723c30,ffff80001d723c80) at sys_write+0x83 sys/kern/sys_generic.c:285 syscall(ffff80001d723d00) at syscall+0x507 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7ffffe9a80, count: -12 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80001d723520 rbx 0xffff80001d7235d0 rdx 0x2 rcx 0 rax 0x1 r8 0xffffffff816eac3f kprintf+0x15f r9 0x1 r10 0x2 r11 0xd132420be566196b r12 0x3000000008 r13 0xffff80001d723530 r14 0x100 r15 0x1 rip 0xffffffff8121b298 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff80001d723510 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb> show proc PROC (sshd) pid=455268 stat=onproc flags process=12 proc=0 pri=24, usrpri=50, nice=20 forw=0xffffffffffffffff, list=0xffff80001d71dae0,0xffff80001d71c500 process=0xffff80001d700e98 user=0xffff80001d71e000, vmspace=0xfffffd806bc09bb0 estcpu=0, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 44301 198467 0 0 3 0x14200 bored sosplice 50380 155543 65629 0 2 0x2 syz-executor.0 7433 316582 65629 0 2 0x482 syz-executor.1 65629 127310 11967 0 2 0x2 syz-fuzzer 65629 439453 11967 0 2 0x4000482 syz-fuzzer 65629 28192 11967 0 3 0x4000082 thrsleep syz-fuzzer 65629 366440 11967 0 3 0x4000082 thrsleep syz-fuzzer 65629 337349 11967 0 3 0x4000082 thrsleep syz-fuzzer 65629 229985 11967 0 3 0x4000082 thrsleep syz-fuzzer 65629 194978 11967 0 3 0x4000082 thrsleep syz-fuzzer 11967 28801 48243 0 3 0x10008a pause ksh *48243 455268 34390 0 7 0x12 sshd 11366 258776 1 0 3 0x100083 ttyin getty 34390 139019 1 0 3 0x80 select sshd 31892 76058 40119 73 3 0x100090 kqread syslogd 40119 452711 1 0 3 0x100082 netio syslogd 44241 248678 1 77 3 0x100090 poll dhclient 61308 331452 1 0 3 0x80 poll dhclient 90181 201006 0 0 3 0x14200 bored smr 77534 381186 0 0 3 0x14200 pgzero zerothread 11370 322401 0 0 3 0x14200 aiodoned aiodoned 96340 523413 0 0 3 0x14200 syncer update 39967 48976 0 0 3 0x14200 cleaner cleaner 94402 267139 0 0 3 0x14200 reaper reaper 17846 248672 0 0 3 0x14200 pgdaemon pagedaemon 41177 208253 0 0 3 0x14200 bored crynlk 86070 361289 0 0 3 0x14200 bored crypto 35387 263475 0 0 3 0x40014200 acpi0 acpi0 12148 116051 0 0 2 0x14200 softnet 85595 145341 0 0 3 0x14200 bored systqmp 59426 310986 0 0 3 0x14200 bored systq 41597 254291 0 0 3 0x40014200 bored softclock 3141 444984 0 0 3 0x40014200 idle0 1 320705 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 9466 6353K 6611K 78643K 10787 0 pcb 13 8K 8K 78643K 49 0 rtable 116 4K 7K 78643K 310 0 ifaddr 53 12K 12K 78643K 97 0 counters 21 16K 16K 78643K 24 0 ioctlops 0 0K 4K 78643K 47 0 iov 0 0K 12K 78643K 23 0 mount 1 1K 1K 78643K 1 0 vnodes 1216 76K 77K 78643K 1284 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 5K 78643K 3 0 VM map 2 0K 0K 78643K 2 0 sem 11 1K 1K 78643K 13 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1809 195K 288K 78643K 12938 0 file desc 4 9K 25K 78643K 243 0 proc 49 38K 54K 78643K 372 0 subproc 32 2K 2K 78643K 34 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 19 0 in_multi 47 2K 3K 78643K 71 0 ether_multi 1 0K 0K 78643K 6 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 49 228K 228K 78643K 49 0 exec 0 0K 1K 78643K 203 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 125 23K 23K 78643K 1413 0 UVM aobj 7 2K 2K 78643K 7 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 24 0 NDP 7 0K 0K 78643K 17 0 temp 83 3856K 3920K 78643K 7537 0 kqueue 3 4K 10K 78643K 14 0 SYN cache 2 16K 16K 78643K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 8 0 1 1 0 1 1 0 8 0 rtpcb 80 23 0 21 1 0 1 1 0 8 0 rtentry 112 57 0 10 2 0 2 2 0 8 0 unpcb 120 315 0 307 1 0 1 1 0 8 0 syncache 264 4 0 4 1 1 0 1 0 8 0 tcpqe 32 83 0 83 1 1 0 1 0 8 0 tcpcb 544 68 0 62 2 0 2 2 0 8 1 inpcb 296 222 0 215 3 2 1 2 0 8 0 nd6 48 9 0 3 1 0 1 1 0 8 0 ppxss 1136 3 0 3 2 2 0 1 0 8 0 pfrktable 1344 35 0 34 2 1 1 1 0 8 0 pftag 88 6 0 6 1 1 0 1 0 8 0 pfrule 1360 12 0 8 1 0 1 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 204 0 3 13 0 13 13 0 8 0 art_table 32 205 0 3 2 0 2 2 0 8 0 art_node 16 56 0 13 1 0 1 1 0 8 0 sysvmsgpl 40 9 0 4 1 0 1 1 0 8 0 semupl 112 2 0 2 1 1 0 1 0 8 0 semapl 112 9 0 0 1 0 1 1 0 8 0 shmpl 112 4 0 0 1 0 1 1 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 1688 0 292 88 0 88 88 0 8 0 ffsino 240 1688 0 292 83 0 83 83 0 8 0 nchpl 144 2214 0 611 60 0 60 60 0 8 0 uvmvnodes 72 1775 0 0 33 0 33 33 0 8 0 vnodes 208 1775 0 0 94 0 94 94 0 8 0 namei 1024 5756 0 5756 2 1 1 1 0 8 1 pfiaddrpl 120 10 0 10 1 1 0 1 0 8 0 scxspl 192 6916 0 6916 1 0 1 1 0 8 1 plimitpl 152 26 0 19 1 0 1 1 0 8 0 sigapl 424 430 0 402 4 0 4 4 0 8 0 futexpl 56 4320 0 4320 2 1 1 1 0 8 1 knotepl 112 73 0 54 1 0 1 1 0 8 0 kqueuepl 144 34 0 32 1 0 1 1 0 8 0 pipepl 272 104 0 94 1 0 1 1 0 8 0 fdescpl 432 415 0 402 2 0 2 2 0 8 0 filepl 120 2388 0 2293 4 0 4 4 0 8 1 lockfpl 104 59 0 58 1 0 1 1 0 8 0 lockfspl 48 21 0 20 1 0 1 1 0 8 0 sessionpl 112 17 0 7 1 0 1 1 0 8 0 pgrppl 48 19 0 9 1 0 1 1 0 8 0 ucredpl 96 180 0 173 1 0 1 1 0 8 0 zombiepl 144 402 0 401 1 0 1 1 0 8 0 processpl 928 430 0 401 4 0 4 4 0 8 0 procpl 624 705 0 670 4 0 4 4 0 8 1 sosppl 128 7 0 7 1 1 0 1 0 8 0 sockpl 400 562 0 545 6 2 4 5 0 8 2 mcl64k 65536 3 0 3 2 1 1 1 0 8 1 mcl16k 16384 1 0 1 1 1 0 1 0 8 0 mcl12k 12288 4 0 4 2 1 1 1 0 8 1 mcl9k 9216 5 0 5 2 1 1 1 0 8 1 mcl8k 8192 6 0 6 3 2 1 1 0 8 1 mcl4k 4096 22 0 21 4 3 1 1 0 8 0 mcl2k 2048 93350 0 93306 18 11 7 13 0 8 1 mtagpl 96 13 0 5 2 1 1 1 0 8 0 mbufpl 256 148240 0 148121 14 4 10 12 0 8 0 mbufpl: pool(0xffffffff827f4398:mbufpl): free list modified: page 0xfffffd806bc22000; item ordinal 0; addr 0xfffffd806bc22400 (p 0xfffffd806c3c4000); offset 0x0=0x2c00000000000000 bufpl 280 3763 0 132 260 0 260 260 0 8 0 anonpl 16 57927 0 41320 86 16 70 80 0 107 3 amapchunkpl 152 1790 0 1650 11 4 7 10 0 158 0 amappl16 192 2017 0 1119 57 9 48 51 0 8 3 amappl15 184 114 0 111 1 0 1 1 0 8 0 amappl14 176 24 0 19 1 0 1 1 0 8 0 amappl13 168 122 0 118 1 0 1 1 0 8 0 amappl12 160 107 0 104 1 0 1 1 0 8 0 amappl11 152 52 0 43 1 0 1 1 0 8 0 amappl10 144 125 0 119 1 0 1 1 0 8 0 amappl9 136 339 0 338 1 0 1 1 0 8 0 amappl8 128 327 0 285 2 0 2 2 0 8 0 amappl7 120 107 0 95 1 0 1 1 0 8 0 amappl6 112 25 0 19 1 0 1 1 0 8 0 amappl5 104 424 0 412 1 0 1 1 0 8 0 amappl4 96 419 0 394 1 0 1 1 0 8 0 amappl3 88 110 0 104 1 0 1 1 0 8 0 amappl2 80 2671 0 2610 2 0 2 2 0 8 0 amappl1 72 18364 0 17964 23 14 9 17 0 8 0 amappl 80 931 0 890 2 0 2 2 0 84 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 64 6 0 0 1 0 1 1 0 8 0 uaddrrnd 24 415 0 402 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 415 0 402 1 0 1 1 0 8 0 vmmpekpl 168 6868 0 6840 2 0 2 2 0 8 0 vmmpepl 168 58204 0 56310 125 29 96 118 0 357 7 vmsppl 272 414 0 402 2 1 1 2 0 8 0 pdppl 4096 836 0 804 6 1 5 6 0 8 0 pvpl 32 183754 0 164241 192 20 172 186 0 265 13 pmappl 200 414 0 402 1 0 1 1 0 8 0 extentpl 40 53 0 36 1 0 1 1 0 8 0 phpool 112 256 0 29 7 0 7 7 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff824724b2) at panic+0x164 sys/kern/subr_prf.c:218 pool_do_get(ffffffff827f4398,2,ffff80001d7236b8) at pool_do_get+0x42a sys/kern/subr_pool.c:738 pool_get(ffffffff827f4398,2) at pool_get+0xb5 sys/kern/subr_pool.c:581 m_copym(fffffd806bc22600,654,580,2) at m_copym+0x174 m_get sys/kern/uipc_mbuf.c:250 [inline] m_copym(fffffd806bc22600,654,580,2) at m_copym+0x174 sys/kern/uipc_mbuf.c:667 tcp_output(ffff800000ac3980) at tcp_output+0x154d sys/netinet/tcp_output.c:673 tcp_usrreq(fffffd805da73328,9,fffffd806bc22300,0,0,ffff80001d71c010) at tcp_usrreq+0xa54 sosend(fffffd805da73328,0,ffff80001d723b98,0,0,80) at sosend+0x669 sys/kern/uipc_socket.c:555 dofilewritev(ffff80001d71c010,4,ffff80001d723b98,0,ffff80001d723c80) at dofilewritev+0x1ab sys/kern/sys_generic.c:365 sys_write(ffff80001d71c010,ffff80001d723c30,ffff80001d723c80) at sys_write+0x83 sys/kern/sys_generic.c:285 syscall(ffff80001d723d00) at syscall+0x507 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7ffffe9a80, count: -12 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff824724b2) at panic+0x164 sys/kern/subr_prf.c:218 pool_do_get(ffffffff827f4398,2,ffff80001d7236b8) at pool_do_get+0x42a sys/kern/subr_pool.c:738 pool_get(ffffffff827f4398,2) at pool_get+0xb5 sys/kern/subr_pool.c:581 m_copym(fffffd806bc22600,654,580,2) at m_copym+0x174 m_get sys/kern/uipc_mbuf.c:250 [inline] m_copym(fffffd806bc22600,654,580,2) at m_copym+0x174 sys/kern/uipc_mbuf.c:667 tcp_output(ffff800000ac3980) at tcp_output+0x154d sys/netinet/tcp_output.c:673 tcp_usrreq(fffffd805da73328,9,fffffd806bc22300,0,0,ffff80001d71c010) at tcp_usrreq+0xa54 sosend(fffffd805da73328,0,ffff80001d723b98,0,0,80) at sosend+0x669 sys/kern/uipc_socket.c:555 dofilewritev(ffff80001d71c010,4,ffff80001d723b98,0,ffff80001d723c80) at dofilewritev+0x1ab sys/kern/sys_generic.c:365 sys_write(ffff80001d71c010,ffff80001d723c30,ffff80001d723c80) at sys_write+0x83 sys/kern/sys_generic.c:285 syscall(ffff80001d723d00) at syscall+0x507 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7ffffe9a80, count: -12