login: panic: Data modified on freelist: word 4 of object 0xffff8000014dc600 size 0x188 previous type free (0x6563 != 0xdeadbeef) Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND 346029 96643 0 0 0 1 syz-executor *134073 60535 0 0 0x4000000 0K syz-executor db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff83385e06) at panic+0x1e5 sys/kern/subr_prf.c:198 malloc(188,2,a) at malloc+0xd7c sys/kern/kern_malloc.c:353 bpfopen(51700,11,2000,ffff8000358b6548) at bpfopen+0x11b spec_open_clone(ffff80002a3f8238) at spec_open_clone+0x287 sys/kern/spec_vnops.c:722 spec_open(ffff80002a3f8238) at spec_open+0x329 sys/kern/spec_vnops.c:148 VOP_OPEN(fffffd806ed5e2b8,11,fffffd807f7d36e8,ffff8000358b6548) at VOP_OPEN+0x8b sys/kern/vfs_vops.c:138 vn_open(ffff80002a3f8488,11,0) at vn_open+0x708 sys/kern/vfs_vnops.c:177 doopenat(ffff8000358b6548,ffffff9c,400000000100,10,0,ffff80002a3f8630) at doopenat+0x32e sys/kern/vfs_syscalls.c:1124 syscall(ffff80002a3f86e0) at syscall+0xbc6 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80002a3f86e0) at syscall+0xbc6 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x13f5579af50, count: 4 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: Data modified on freelist: word 4 of object 0xffff8000014dc600 size 0x188 previous type free (0x6563 != 0xdeadbeef) ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff83385e06) at panic+0x1e5 sys/kern/subr_prf.c:198 malloc(188,2,a) at malloc+0xd7c sys/kern/kern_malloc.c:353 bpfopen(51700,11,2000,ffff8000358b6548) at bpfopen+0x11b spec_open_clone(ffff80002a3f8238) at spec_open_clone+0x287 sys/kern/spec_vnops.c:722 spec_open(ffff80002a3f8238) at spec_open+0x329 sys/kern/spec_vnops.c:148 VOP_OPEN(fffffd806ed5e2b8,11,fffffd807f7d36e8,ffff8000358b6548) at VOP_OPEN+0x8b sys/kern/vfs_vops.c:138 vn_open(ffff80002a3f8488,11,0) at vn_open+0x708 sys/kern/vfs_vnops.c:177 doopenat(ffff8000358b6548,ffffff9c,400000000100,10,0,ffff80002a3f8630) at doopenat+0x32e sys/kern/vfs_syscalls.c:1124 syscall(ffff80002a3f86e0) at syscall+0xbc6 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80002a3f86e0) at syscall+0xbc6 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x13f5579af50, count: -11 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff80002a3f7f40 rbx 0xffffffff83884dc7 cpu_info_full_primary+0x2dc7 rdx 0 rcx 0xffff8000358b6548 rax 0xffffffff83883ff0 cpu_info_full_primary+0x1ff0 r8 0x101010101010101 r9 0x8080808080808080 r10 0xd49e6a6e12f5322f r11 0x12cac039aeb3c0c5 r12 0xffffffff83884bc8 cpu_info_full_primary+0x2bc8 r13 0 r14 0 r15 0x1 rip 0xffffffff811241e5 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80002a3f7f30 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor) tid=134073 pid=60535 tcnt=3 stat=onproc flags process=0 proc=4000000 runpri=86, usrpri=86, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff8000ffff71e0,0xffff8000358b6f78 process=0xffff80003c4f7930 user=0xffff80002a3f3000, vmspace=0xfffffd806bef4ac8 estcpu=36, cpticks=2, pctcpu=0.0, user=0, sys=2, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 45047 276683 40094 0 2 0 syz-executor 96643 346029 94370 0 7 0 syz-executor 96643 230080 94370 0 2 0x4000000 syz-executor 62887 158165 86741 0 2 0 syz-executor 62887 95374 86741 0 3 0x4000080 fsleep syz-executor 40207 392046 1276 0 2 0 syz-executor 40207 187379 1276 0 3 0x4000080 fsleep syz-executor 40207 175065 1276 0 3 0x4000080 fsleep syz-executor 60535 380720 45124 0 2 0 syz-executor *60535 134073 45124 0 7 0x4000000 syz-executor 60535 92928 45124 0 3 0x4000080 fsleep syz-executor 57160 461794 1 0 3 0x100083 ttyin getty 91258 70447 48242 0 3 0x82 wait syz-executor 45124 52692 48242 0 2 0x3 syz-executor 94370 518291 48242 0 3 0x82 nanoslp syz-executor 50724 99986 0 0 3 0x14200 bored sosplice 52848 469485 91797 0 3 0x100082 sbwait arp 91797 419756 37527 0 3 0x10008a sigsusp sh 1276 422073 48242 0 3 0x82 nanoslp syz-executor 37527 234805 48242 0 3 0x82 wait syz-executor 86741 454350 48242 0 3 0x82 nanoslp syz-executor 40094 96722 48242 0 3 0x82 nanoslp syz-executor 5732 204987 48242 0 3 0x82 piperd syz-executor 48242 493027 16707 0 2 0x3 syz-executor 16707 224424 90266 0 3 0x10008a sigsusp ksh 90266 165175 8924 0 3 0x98 kqread sshd-session 8924 93079 68323 0 3 0x92 kqread sshd-session 68323 296158 1 0 3 0x88 kqread sshd 95074 116122 73923 74 3 0x1100092 bpf pflogd 73923 365735 1 0 3 0x80 sbwait pflogd 47846 190684 25045 73 3 0x1100090 kqread syslogd 25045 503481 1 0 3 0x100082 sbwait syslogd 12715 136388 1 0 3 0x100080 kqread resolvd 83585 182199 81141 77 3 0x100092 kqread dhcpleased 60530 408071 81141 77 3 0x100092 kqread dhcpleased 81141 20381 1 0 3 0x80 kqread dhcpleased 11736 271685 0 0 3 0x14200 bored smr 4945 250978 0 0 2 0x14200 zerothread 99524 318435 0 0 3 0x14200 aiodoned aiodoned 75491 288180 0 0 3 0x14200 syncer update 29324 436412 0 0 3 0x14200 cleaner cleaner 3708 295572 0 0 3 0x14200 reaper reaper 90072 448507 0 0 3 0x14200 pgdaemon pagedaemon 39860 377199 0 0 3 0x14200 bored viomb 98648 61522 0 0 3 0x40014200 acpi0 acpi0 82704 212977 0 0 3 0x40014200 idle1 64377 138416 0 0 3 0x14200 bored softnet3 28292 43796 0 0 3 0x14200 bored softnet2 7763 303288 0 0 3 0x14200 bored softnet1 94908 512139 0 0 3 0x14200 bored softnet0 85904 346146 0 0 3 0x14200 bored systqmp 58961 298932 0 0 3 0x14200 bored systq 79235 145662 0 0 3 0x14200 tmoslp softclockmp 71856 487693 0 0 3 0x40014200 tmoslp softclock 48367 279855 0 0 3 0x40014200 idle0 1 222783 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks CPU 0: exclusive mutex /syzkaller/managers/multicore/kernel/sys/kern/kern_malloc.c:96 r = 0 (0xffffffff83794ed8) #0 witness_lock+0x5bb stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5bb sys/kern/subr_witness.c:1155 #1 mtx_enter_try+0x178 #2 mtx_enter+0x60 sys/kern/kern_lock.c:239 #3 malloc+0x2f9 sys/kern/kern_malloc.c:199 #4 bpfopen+0x11b #5 spec_open_clone+0x287 sys/kern/spec_vnops.c:722 #6 spec_open+0x329 sys/kern/spec_vnops.c:148 #7 VOP_OPEN+0x8b sys/kern/vfs_vops.c:138 #8 vn_open+0x708 sys/kern/vfs_vnops.c:177 #9 doopenat+0x32e sys/kern/vfs_syscalls.c:1124 #10 syscall+0xbc6 mi_syscall sys/sys/syscall_mi.h:176 [inline] #10 syscall+0xbc6 sys/arch/amd64/amd64/trap.c:577 #11 Xsyscall+0x128 Process 96643 (syz-executor) thread 0xffff8000ffff6028 (230080) Process 60535 (syz-executor) thread 0xffff8000358b6548 (134073) ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10225 11309K 11926K 166960K 13478 0 pcb 18 17K 18K 166960K 327 0 rtable 169 11K 12K 166960K 606 0 pf 41 18K 22K 166960K 199 0 ifaddr 36 5K 7K 166960K 100 0 ifgroup 63 2K 2K 166960K 153 0 sysctl 4 1K 1K 166960K 12 0 counters 68 36K 37K 166960K 132 0 ioctlops 0 0K 4K 166960K 1803 0 iov 0 0K 16K 166960K 157 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1417 89K 90K 166960K 2845 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 9K 166960K 25 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 107 0 dirhash 12 2K 2K 166960K 36 0 ACPI 1690 195K 286K 166960K 12468 0 file desc 18 65K 93K 166960K 1550 0 sigio 0 0K 0K 166960K 18 0 proc 73 91K 128K 166960K 807 0 subproc 72 4K 4K 166960K 99 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 206 0 in_multi 60 4K 6K 166960K 199 0 ether_multi 1 0K 0K 166960K 10 0 mrt 2 0K 0K 166960K 3 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 115 519K 519K 166960K 115 0 exec 0 0K 1K 166960K 742 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 4 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 232 73K 90K 166960K 16050 0 UVM aobj 41 2K 4K 166960K 44 0 pinsyscall 44 88K 106K 166960K 2729 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 1 0K 0K 166960K 104 0 NDP 14 0K 1K 166960K 67 0 temp 78 8644K 8772K 166960K 55313 0 kqueue 13 20K 30K 166960K 254 0 SYN cache 2 16K 16K 166960K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 24 0 0 1 0 1 1 0 8 0 rtpcb 120 295 0 258 5 3 2 3 0 8 0 rtentry 112 186 0 118 3 0 3 3 0 8 0 unpcb 144 1363 0 1346 18 16 2 10 0 8 1 syncache 336 7 0 7 4 4 0 1 0 8 0 tcpqe 32 6 0 6 2 2 0 1 0 8 0 tcpcb 808 692 0 687 18 17 1 8 0 8 0 arp 120 40 0 26 1 0 1 1 0 8 0 inpcb 376 2082 0 2073 25 23 2 14 0 8 0 nd6 136 34 0 19 1 0 1 1 0 8 0 pkpcb 40 9 0 9 3 2 1 1 0 8 1 kcovpl 48 11 0 3 1 0 1 1 0 8 0 ppxss 1168 19 0 19 3 2 1 1 0 8 1 pppxif 1472 3 0 3 2 2 0 1 0 8 0 pfstscr 40 4 0 4 2 2 0 1 0 8 0 pffrag 232 12 0 3 1 0 1 1 0 482 0 pffrnode 88 12 0 3 1 0 1 1 0 8 0 pffrent 40 67 0 58 1 0 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfanchor 1288 1 0 1 1 1 0 1 0 8 0 pftag 88 1 0 0 1 0 1 1 0 8 0 pfstitem 24 118 0 35 1 0 1 1 0 8 0 pfstkey 128 122 0 39 3 0 3 3 0 8 0 pfstate 376 121 0 38 9 0 9 9 0 8 0 pfrule 1344 33 0 25 2 1 1 2 0 8 0 art_heap8 4096 3 0 0 3 0 3 3 0 8 0 art_heap4 256 761 0 490 32 7 25 28 0 8 1 art_table 32 764 0 490 4 0 4 4 0 8 0 art_node 16 181 0 125 1 0 1 1 0 8 0 semupl 112 1 0 1 1 1 0 1 0 8 0 semapl 112 104 0 94 1 0 1 1 0 8 0 shmpl 112 41 0 3 2 0 2 2 0 8 0 dirhash 1024 33 0 16 3 0 3 3 0 8 0 dino2pl 256 4393 0 2892 95 0 95 95 0 8 0 ffsino 280 4393 0 2892 109 0 109 109 0 8 0 nchpl 144 6601 0 4909 64 0 64 64 0 8 0 rtmask 32 2 0 2 2 2 0 1 0 8 0 uvmvnodes 80 5243 0 0 107 0 107 107 0 8 0 vnodes 216 5243 0 0 292 0 292 292 0 8 0 namei 1024 22729 0 22728 4 3 1 2 0 8 0 percpumem 16 80 0 32 1 0 1 1 0 8 0 kstatmem 264 82 0 54 5 2 3 3 0 8 1 scsiplug 72 5 0 5 3 3 0 1 0 8 0 scxspl 216 19311 0 19311 12 11 1 8 1 8 1 plimitpl 152 330 0 313 1 0 1 1 0 8 0 sigapl 424 1854 0 1803 8 1 7 7 0 8 0 futexpl 64 22103 0 22099 1 0 1 1 0 8 0 knotepl 120 563 0 0 18 0 18 18 0 8 0 kqueuepl 216 538 0 529 9 8 1 5 0 8 0 pipepl 328 232 0 205 3 0 3 3 0 8 0 fdescpl 504 1831 0 1799 5 0 5 5 0 8 0 filepl 152 13093 0 12837 22 10 12 18 0 8 1 lockfpl 104 459 0 456 1 0 1 1 0 8 0 lockfspl 48 176 0 173 1 0 1 1 0 8 0 sessionpl 144 32 0 23 1 0 1 1 0 8 0 pgrppl 48 54 0 37 1 0 1 1 0 8 0 ucredpl 104 2799 0 2786 1 0 1 1 0 8 0 zombiepl 144 1991 0 1990 1 0 1 1 0 8 0 processpl 1168 1854 0 1803 5 0 5 5 0 8 0 procpl 648 4266 0 4209 8 1 7 7 0 8 0 srpgc 96 10 0 10 3 2 1 1 0 8 1 sosppl 168 1 0 1 1 1 0 1 0 8 0 sockpl 688 3824 0 3761 51 45 6 25 0 8 0 mcl64k 65536 3 0 0 1 0 1 1 0 8 0 mcl16k 16384 1 0 0 1 0 1 1 0 8 0 mcl12k 12288 1 0 0 1 0 1 1 0 8 0 mcl8k 8192 5 0 0 1 0 1 1 0 8 0 mcl4k 4096 130 0 0 17 0 17 17 0 8 0 mcl2k 2048 30 0 0 4 0 4 4 0 8 0 mtagpl 96 55 0 0 2 0 2 2 0 8 0 mbufpl 256 385 0 0 24 0 24 24 0 8 0 bufpl 280 5463 0 171 378 0 378 378 0 8 0 anonpl 24 258560 0 252943 113 36 77 80 0 184 32 amapchunkpl 152 52666 0 52110 41 9 32 32 0 158 7 amappl16 200 5021 0 4925 60 48 12 28 0 8 5 amappl15 192 25 0 25 1 1 0 1 0 8 0 amappl14 184 132 0 119 1 0 1 1 0 8 0 amappl13 176 3 0 3 1 1 0 1 0 8 0 amappl12 168 2588 0 2555 3 0 3 3 0 8 0 amappl11 160 50 0 36 1 0 1 1 0 8 0 amappl10 152 2 0 2 1 1 0 1 0 8 0 amappl9 144 248 0 246 1 0 1 1 0 8 0 amappl8 136 25 0 22 1 0 1 1 0 8 0 amappl7 128 131 0 117 1 0 1 1 0 8 0 amappl6 120 223 0 218 1 0 1 1 0 8 0 amappl5 112 140 0 130 1 0 1 1 0 8 0 amappl4 104 332 0 311 1 0 1 1 0 8 0 amappl3 96 10658 0 10545 4 0 4 4 0 8 0 amappl2 88 720 0 654 2 0 2 2 0 8 0 amappl1 80 13230 0 12627 16 1 15 15 0 8 0 amappl 88 15533 0 15360 5 0 5 5 0 92 0 dma32768 32768 1 0 1 1 1 0 1 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma512 512 1 0 1 1 0 1 1 0 8 1 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 256 0 256 3 3 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 43 0 3 1 0 1 1 0 8 0 uaddrrnd 24 1831 0 1799 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 1831 0 1799 1 0 1 1 0 8 0 vmmpekpl 168 15188 0 15142 3 0 3 3 0 8 0 vmmpepl 168 116031 0 114057 123 17 106 109 0 357 15 vmsppl 456 1830 0 1799 5 0 5 5 0 8 0 rwobjpl 64 36517 0 30182 103 0 103 103 0 8 0 pdppl 4096 3669 0 3598 105 32 73 85 0 8 2 pvpl 32 21329 0 0 173 1 172 173 0 265 0 pmappl 248 1830 0 1799 3 0 3 3 0 8 0 extentpl 40 55 0 38 1 0 1 1 0 8 0 phpool 112 330 0 68 8 0 8 8 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff83385e06) at panic+0x1e5 sys/kern/subr_prf.c:198 malloc(188,2,a) at malloc+0xd7c sys/kern/kern_malloc.c:353 bpfopen(51700,11,2000,ffff8000358b6548) at bpfopen+0x11b spec_open_clone(ffff80002a3f8238) at spec_open_clone+0x287 sys/kern/spec_vnops.c:722 spec_open(ffff80002a3f8238) at spec_open+0x329 sys/kern/spec_vnops.c:148 VOP_OPEN(fffffd806ed5e2b8,11,fffffd807f7d36e8,ffff8000358b6548) at VOP_OPEN+0x8b sys/kern/vfs_vops.c:138 vn_open(ffff80002a3f8488,11,0) at vn_open+0x708 sys/kern/vfs_vnops.c:177 doopenat(ffff8000358b6548,ffffff9c,400000000100,10,0,ffff80002a3f8630) at doopenat+0x32e sys/kern/vfs_syscalls.c:1124 syscall(ffff80002a3f86e0) at syscall+0xbc6 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80002a3f86e0) at syscall+0xbc6 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x13f5579af50, count: -11 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffff800029aabff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 end of kernel end trace frame: 0x779b0f3791d0, count: 12 ddb{1}> trace x86_ipi_db(ffff800029aabff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 end of kernel end trace frame: 0x779b0f3791d0, count: -3