login: panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd806d6f9000+16 0x0!=0x73fac7f82dbb4b0d Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND 195578 16795 0 0x2 0x4000080 0 syz-execprog *411121 39682 0 0x12 0 1 sshd db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff823e2c40) at panic+0x15c sys/kern/subr_prf.c:207 pool_cache_get(ffffffff828cc008) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1781 [inline] pool_cache_get(ffffffff828cc008) at pool_cache_get+0x323 sys/kern/subr_pool.c:1884 pool_get(ffffffff828cc008,2) at pool_get+0x91 sys/kern/subr_pool.c:572 m_copym(fffffd806d6f8f00,0,54,2) at m_copym+0x174 m_get sys/kern/uipc_mbuf.c:250 [inline] m_copym(fffffd806d6f8f00,0,54,2) at m_copym+0x174 sys/kern/uipc_mbuf.c:667 tcp_output(ffff800000ad7980) at tcp_output+0x15ba sys/netinet/tcp_output.c:673 tcp_usrreq(fffffd806ead9328,9,fffffd806d6f8f00,0,0,ffff800020e41600) at tcp_usrreq+0xa55 sosend(fffffd806ead9328,0,ffff800020e63228,0,0,80) at sosend+0x671 sys/kern/uipc_socket.c:549 dofilewritev(ffff800020e41600,4,ffff800020e63228,0,ffff800020e63310) at dofilewritev+0x1b6 sys/kern/sys_generic.c:365 sys_write(ffff800020e41600,ffff800020e632c0,ffff800020e63310) at sys_write+0x83 sys/kern/sys_generic.c:285 syscall(ffff800020e63390) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff800020e63390) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7fffff0a00, count: 3 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd806d6f9000+16 0x0!=0x73fac7f82dbb4b0d ddb{1}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff823e2c40) at panic+0x15c sys/kern/subr_prf.c:207 pool_cache_get(ffffffff828cc008) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1781 [inline] pool_cache_get(ffffffff828cc008) at pool_cache_get+0x323 sys/kern/subr_pool.c:1884 pool_get(ffffffff828cc008,2) at pool_get+0x91 sys/kern/subr_pool.c:572 m_copym(fffffd806d6f8f00,0,54,2) at m_copym+0x174 m_get sys/kern/uipc_mbuf.c:250 [inline] m_copym(fffffd806d6f8f00,0,54,2) at m_copym+0x174 sys/kern/uipc_mbuf.c:667 tcp_output(ffff800000ad7980) at tcp_output+0x15ba sys/netinet/tcp_output.c:673 tcp_usrreq(fffffd806ead9328,9,fffffd806d6f8f00,0,0,ffff800020e41600) at tcp_usrreq+0xa55 sosend(fffffd806ead9328,0,ffff800020e63228,0,0,80) at sosend+0x671 sys/kern/uipc_socket.c:549 dofilewritev(ffff800020e41600,4,ffff800020e63228,0,ffff800020e63310) at dofilewritev+0x1b6 sys/kern/sys_generic.c:365 sys_write(ffff800020e41600,ffff800020e632c0,ffff800020e63310) at sys_write+0x83 sys/kern/sys_generic.c:285 syscall(ffff800020e63390) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff800020e63390) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7fffff0a00, count: -12 ddb{1}> show registers rdi 0 rsi 0x1 rbp 0xffff800020e62bc0 rbx 0xffff800020e62c70 rdx 0x8b rcx 0x2 rax 0x1 r8 0xffffffff81bc79af kprintf+0x16f r9 0x1 r10 0x2 r11 0x41dfa8168890ccb0 r12 0x3000000008 r13 0xffff800020e62bd0 r14 0x100 r15 0x1 rip 0xffffffff81da3c38 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff800020e62bb0 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{1}> show proc PROC (sshd) pid=411121 stat=onproc flags process=12 proc=0 pri=50, usrpri=50, nice=20 forw=0xffffffffffffffff, list=0xffff800020e40760,0xffff800020e409e0 process=0xffff800020e383f0 user=0xffff800020e5e000, vmspace=0xfffffd806e8efa18 estcpu=0, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 79254 122215 16795 0 2 0x2 syz-executor.0 16795 23279 87342 0 3 0x82 thrsleep syz-execprog 16795 376611 87342 0 3 0x4000082 nanosleep syz-execprog 16795 374620 87342 0 3 0x4000082 thrsleep syz-execprog 16795 385058 87342 0 3 0x4000082 thrsleep syz-execprog 16795 165070 87342 0 3 0x4000082 thrsleep syz-execprog 16795 466047 87342 0 3 0x4000082 thrsleep syz-execprog 16795 513019 87342 0 3 0x4000082 thrsleep syz-execprog 16795 473989 87342 0 3 0x4000082 nanosleep syz-execprog 16795 195578 87342 0 7 0x4000082 syz-execprog 87342 479119 39682 0 3 0x10008a pause ksh *39682 411121 69796 0 7 0x12 sshd 36766 230758 1 0 3 0x100083 ttyin getty 69796 176554 1 0 3 0x80 select sshd 24861 113704 82785 74 3 0x100092 bpf pflogd 82785 245820 1 0 3 0x80 netio pflogd 45387 216057 51198 73 3 0x100090 kqread syslogd 51198 129160 1 0 3 0x100082 netio syslogd 89993 470175 1 77 3 0x100090 poll dhclient 14287 151990 1 0 3 0x80 poll dhclient 97648 405720 0 0 3 0x14200 bored smr 13464 351929 0 0 3 0x14200 pgzero zerothread 68357 417178 0 0 3 0x14200 aiodoned aiodoned 47772 240414 0 0 3 0x14200 syncer update 98814 149877 0 0 3 0x14200 cleaner cleaner 16549 423493 0 0 3 0x14200 reaper reaper 32913 113861 0 0 3 0x14200 pgdaemon pagedaemon 21948 510937 0 0 3 0x14200 bored crynlk 79947 198796 0 0 3 0x14200 bored crypto 62983 21479 0 0 3 0x40014200 acpi0 acpi0 88411 59434 0 0 3 0x40014200 idle1 68242 94244 0 0 3 0x14200 bored softnet 67704 473840 0 0 3 0x14200 bored systqmp 74555 244124 0 0 3 0x14200 bored systq 87783 205771 0 0 3 0x40014200 bored softclock 71305 216393 0 0 3 0x40014200 idle0 1 439505 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks Process 79254 (syz-executor.0) thread 0xffff800020ddc9c8 (122215) exclusive rrwlock inode r = 0 (0xfffffd806b7d9808) #0 witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline] #0 witness_lock+0x4c7 sys/kern/subr_witness.c:1164 #1 rw_enter+0x453 sys/kern/kern_rwlock.c:311 #2 rrw_enter+0x88 sys/kern/kern_rwlock.c:462 #3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:603 #4 vn_lock+0x81 sys/kern/vfs_vnops.c:575 #5 vget+0x1c8 sys/kern/vfs_subr.c:671 #6 ufs_ihashget+0x141 sys/ufs/ufs/ufs_ihash.c:119 #7 ffs_vget+0x74 sys/ufs/ffs/ffs_vfsops.c:1329 #8 ufs_lookup+0x14b7 sys/ufs/ufs/ufs_lookup.c:487 #9 VOP_LOOKUP+0x5b sys/kern/vfs_vops.c:90 #10 vfs_lookup+0x7a6 sys/kern/vfs_lookup.c:568 #11 namei+0x63c sys/kern/vfs_lookup.c:249 #12 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1853 #13 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline] #13 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570 #14 Xsyscall+0x128 exclusive rrwlock inode r = 0 (0xfffffd806b7d9098) #0 witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline] #0 witness_lock+0x4c7 sys/kern/subr_witness.c:1164 #1 rw_enter+0x453 sys/kern/kern_rwlock.c:311 #2 rrw_enter+0x88 sys/kern/kern_rwlock.c:462 #3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:603 #4 vn_lock+0x81 sys/kern/vfs_vnops.c:575 #5 vfs_lookup+0xe6 sys/kern/vfs_lookup.c:419 #6 namei+0x63c sys/kern/vfs_lookup.c:249 #7 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1853 #8 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline] #8 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570 #9 Xsyscall+0x128 exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82896708) #0 witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline] #0 witness_lock+0x4c7 sys/kern/subr_witness.c:1164 #1 syscall+0x400 mi_syscall sys/sys/syscall_mi.h:93 [inline] #1 syscall+0x400 sys/arch/amd64/amd64/trap.c:570 #2 Xsyscall+0x128 Process 39682 (sshd) thread 0xffff800020e41600 (411121) exclusive rwlock netlock r = 0 (0xffffffff827254e8) #0 witness_lock+0x4c7 stacktrace_save sys/sys/stacktrace.h:36 [inline] #0 witness_lock+0x4c7 sys/kern/subr_witness.c:1164 #1 solock+0x5a sys/kern/uipc_socket2.c:282 #2 sosend+0x559 sys/kern/uipc_socket.c:537 #3 dofilewritev+0x1b6 sys/kern/sys_generic.c:365 #4 sys_write+0x83 sys/kern/sys_generic.c:285 #5 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline] #5 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570 #6 Xsyscall+0x128 ddb{1}>