panic: pool_do_get: semupl free list modified: page 0xffffff001a4a5000; item addr 0xffffff001a4a5e08; offset 0x10=0xdeafbeae
Stopped at      db_enter+0xa:   popq    %rbp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*347257  98765      0           0  0x4000000    0  syz-executor0
db_enter() at db_enter+0xa
panic() at panic+0x147
pool_do_get(2,ffffffff81ea22f0,0) at pool_do_get+0x3e9
pool_get(ffff80000e39aed8,ffff80000e2a2018) at pool_get+0x77
semundo_adjust(ffffffffffffffff,ffff80000e39aed8,ffff80000e2a2018,ffffff0019480
690,ffff80000e39aede) at semundo_adjust+0xd5
sys_semop(ffff80000e39b020,ffff80000e2a2018,ffff80000e2b15f0) at sys_semop+0x5a
8
syscall(0) at syscall+0x3e4
Xsyscall(6,0,a7,0,3,19ce0fda0010) at Xsyscall+0x128
end of kernel
end trace frame: 0x19d0cf24ee00, count: 7
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> trace
db_enter() at db_enter+0xa
panic() at panic+0x147
pool_do_get(2,ffffffff81ea22f0,0) at pool_do_get+0x3e9
pool_get(ffff80000e39aed8,ffff80000e2a2018) at pool_get+0x77
semundo_adjust(ffffffffffffffff,ffff80000e39aed8,ffff80000e2a2018,ffffff0019480
690,ffff80000e39aede) at semundo_adjust+0xd5
sys_semop(ffff80000e39b020,ffff80000e2a2018,ffff80000e2b15f0) at sys_semop+0x5a
8
syscall(0) at syscall+0x3e4
Xsyscall(6,0,a7,0,3,19ce0fda0010) at Xsyscall+0x128
end of kernel
end trace frame: 0x19d0cf24ee00, count: -8
ddb> show registers
rdi               0xffffffff81e04628    kprintf_mutex
rsi               0xffffffff814ccc09    db_enter+0x9
rbp               0xffff80000e39ac80
rbx               0xffff80000e39ad20
rdx               0xffff8000006d9000
rcx                            0xf22
rax               0xffff8000006d9000
r8                0xffff80000e39ac50
r9                0x8080808080808080
r10               0xd1047868f09787c1
r11               0xffffffff818fd840    x86_bus_space_io_read_1
r12                     0x3000000008
r13               0xffff80000e39ac90
r14                            0x100
r15               0xffffffff81de2972    forcewake_domain_names+0x5a2
rip               0xffffffff814ccc0a    db_enter+0xa
cs                               0x8
rflags                         0x206
rsp               0xffff80000e39ac80
ss                              0x10
db_enter+0xa:   popq    %rbp