panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd8062dbbf00+24 0x54d02ce19057614f!=0x54d0d161f28cdd4f Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND * 7676 67594 0 0 0x4000000 1K syz-executor.0 434445 18569 0 0x14000 0x200 0 softnet db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic() at panic+0x15c sys/kern/subr_prf.c:207 pool_cache_get(ffffffff82652290) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1789 [inline] pool_cache_get(ffffffff82652290) at pool_cache_get+0x323 sys/kern/subr_pool.c:1892 pool_get() at pool_get+0x91 sys/kern/subr_pool.c:572 m_get(2,3) at m_get+0x4c sys/kern/uipc_mbuf.c:250 sbappendaddr(fffffd806f6ca180,fffffd806f6ca208,ffffffff823dbbe0,fffffd8062e5fa00,0) at sbappendaddr+0x140 sys/kern/uipc_socket2.c:802 rtm_sendup(fffffd806f6ca180,fffffd8062e5fa00,0) at rtm_sendup+0xe7 sys/net/rtsock.c:594 route_input(fffffd8062e5fa00,0,2) at route_input+0x489 sys/net/rtsock.c:572 rtm_send(fffffd8065fb4318,1,0,0) at rtm_send+0x18d sys/net/rtsock.c:1636 rt_ifa_add(ffff800000ae0a00,840100,ffff800000ae0a58,0) at rt_ifa_add+0x2ee sys/net/route.c:1143 in_ifinit(ffff800000ae1000,ffff800000ae0a00,ffff800022b717f0,1) at in_ifinit+0x37a in_insert_prefix sys/netinet/in.c:717 [inline] in_ifinit(ffff800000ae1000,ffff800000ae0a00,ffff800022b717f0,1) at in_ifinit+0x37a sys/netinet/in.c:648 in_ioctl_change_ifaddr(8040691a,ffff800022b717e0,ffff800000ae1000,1) at in_ioctl_change_ifaddr+0x5de sys/netinet/in.c:452 in_ioctl(8040691a,ffff800022b717e0,ffff800000ae1000,1) at in_ioctl+0x205 sys/netinet/in.c:234 ifioctl(fffffd806f6ca480,8040691a,ffff800022b717e0,ffff800020ab18c8) at ifioctl+0xb64 sys/net/if.c:2202 end trace frame: 0xffff800022b718e0, count: 0 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd8062dbbf00+24 0x54d02ce19057614f!=0x54d0d161f28cdd4f ddb{1}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic() at panic+0x15c sys/kern/subr_prf.c:207 pool_cache_get(ffffffff82652290) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1789 [inline] pool_cache_get(ffffffff82652290) at pool_cache_get+0x323 sys/kern/subr_pool.c:1892 pool_get() at pool_get+0x91 sys/kern/subr_pool.c:572 m_get(2,3) at m_get+0x4c sys/kern/uipc_mbuf.c:250 sbappendaddr(fffffd806f6ca180,fffffd806f6ca208,ffffffff823dbbe0,fffffd8062e5fa00,0) at sbappendaddr+0x140 sys/kern/uipc_socket2.c:802 rtm_sendup(fffffd806f6ca180,fffffd8062e5fa00,0) at rtm_sendup+0xe7 sys/net/rtsock.c:594 route_input(fffffd8062e5fa00,0,2) at route_input+0x489 sys/net/rtsock.c:572 rtm_send(fffffd8065fb4318,1,0,0) at rtm_send+0x18d sys/net/rtsock.c:1636 rt_ifa_add(ffff800000ae0a00,840100,ffff800000ae0a58,0) at rt_ifa_add+0x2ee sys/net/route.c:1143 in_ifinit(ffff800000ae1000,ffff800000ae0a00,ffff800022b717f0,1) at in_ifinit+0x37a in_insert_prefix sys/netinet/in.c:717 [inline] in_ifinit(ffff800000ae1000,ffff800000ae0a00,ffff800022b717f0,1) at in_ifinit+0x37a sys/netinet/in.c:648 in_ioctl_change_ifaddr(8040691a,ffff800022b717e0,ffff800000ae1000,1) at in_ioctl_change_ifaddr+0x5de sys/netinet/in.c:452 in_ioctl(8040691a,ffff800022b717e0,ffff800000ae1000,1) at in_ioctl+0x205 sys/netinet/in.c:234 ifioctl(fffffd806f6ca480,8040691a,ffff800022b717e0,ffff800020ab18c8) at ifioctl+0xb64 sys/net/if.c:2202 sys_ioctl(ffff800020ab18c8,ffff800022b718f8,ffff800022b71940) at sys_ioctl+0x5b9 syscall(ffff800022b719c0) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline] syscall(ffff800022b719c0) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555 Xsyscall(6,0,ffffffffffffff36,0,3,dff12290010) at Xsyscall+0x128 end of kernel end trace frame: 0xe01a9774980, count: -17 ddb{1}> show registers rdi 0xffffffff812d2ac7 db_enter+0x17 rsi 0x5218 __ALIGN_SIZE+0x4218 rbp 0xffff800022b70ef0 rbx 0xffff800022b70fa0 rdx 0x5219 __ALIGN_SIZE+0x4219 rcx 0xffff800023da8000 rax 0xffff800023da8000 r8 0xffffffff81c6670f kprintf+0x16f r9 0x1 r10 0x25 r11 0x6f5e8fd169306f14 r12 0x3000000008 r13 0xffff800022b70f00 r14 0x100 r15 0x1 rip 0xffffffff812d2ac8 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff800022b70ee0 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{1}> show proc PROC (syz-executor.0) pid=7676 stat=onproc flags process=0 proc=4000000 pri=71, usrpri=71, nice=20 forw=0xffffffffffffffff, list=0xffff800020ab1650,0xffffffff8264fc48 process=0xffff800020adc700 user=0xffff800022b6c000, vmspace=0xfffffd807f00bb80 estcpu=36, cpticks=2, pctcpu=0.0 user=0, sys=1, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 67594 522476 77487 0 2 0 syz-executor.0 *67594 7676 77487 0 7 0x4000000 syz-executor.0 91117 471574 53342 0 2 0 syz-executor.1 91117 267735 53342 0 3 0x4000080 fsleep syz-executor.1 77487 390959 12985 0 3 0x82 nanosleep syz-executor.0 53342 263037 12985 0 3 0x82 nanosleep syz-executor.1 2513 429198 0 0 3 0x14200 bored sosplice 12985 247405 3796 0 3 0x82 thrsleep syz-fuzzer 12985 170509 3796 0 3 0x4000082 thrsleep syz-fuzzer 12985 138092 3796 0 3 0x4000082 thrsleep syz-fuzzer 12985 46889 3796 0 3 0x4000082 thrsleep syz-fuzzer 12985 28480 3796 0 3 0x4000082 thrsleep syz-fuzzer 12985 313856 3796 0 3 0x4000082 thrsleep syz-fuzzer 12985 362121 3796 0 3 0x4000082 thrsleep syz-fuzzer 12985 32005 3796 0 3 0x4000082 kqread syz-fuzzer 12985 257331 3796 0 3 0x4000082 thrsleep syz-fuzzer 12985 324928 3796 0 3 0x4000082 thrsleep syz-fuzzer 3796 404371 75345 0 3 0x10008a pause ksh 75345 450828 75669 0 3 0x92 select sshd 84203 201219 1 0 3 0x100083 ttyin getty 75669 372232 1 0 3 0x80 select sshd 36902 520515 79980 74 3 0x100092 bpf pflogd 79980 50286 1 0 3 0x80 netio pflogd 18680 7769 99945 73 3 0x100090 kqread syslogd 99945 439525 1 0 3 0x100082 netio syslogd 62307 46314 1 77 2 0x100090 dhclient 40323 337998 1 0 3 0x80 poll dhclient 6579 422541 0 0 2 0x14200 zerothread 54374 217849 0 0 3 0x14200 aiodoned aiodoned 99168 335225 0 0 3 0x14200 syncer update 63139 489020 0 0 3 0x14200 cleaner cleaner 59762 278205 0 0 3 0x14200 reaper reaper 91521 335781 0 0 3 0x14200 pgdaemon pagedaemon 87195 436205 0 0 3 0x14200 bored crynlk 5133 359610 0 0 3 0x14200 bored crypto 4422 442206 0 0 3 0x40014200 acpi0 acpi0 33010 170263 0 0 3 0x40014200 idle1 18569 434445 0 0 7 0x14200 softnet 63431 131093 0 0 3 0x14200 bored systqmp 86203 224522 0 0 3 0x14200 bored systq 61114 313316 0 0 3 0x40014200 bored softclock 43132 351250 0 0 3 0x40014200 idle0 67134 24823 0 0 3 0x14200 bored smr 1 86112 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks Process 67594 (syz-executor.0) thread 0xffff800020ab18c8 (7676) exclusive rwlock netlock r = 0 (0xffffffff8246c0b8) #0 witness_lock+0x52e sys/kern/subr_witness.c:1163 #1 in_ioctl_change_ifaddr+0x3f #2 in_ioctl+0x205 sys/netinet/in.c:234 #3 ifioctl+0xb64 sys/net/if.c:2202 #4 sys_ioctl+0x5b9 #5 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline] #5 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555 #6 Xsyscall+0x128 exclusive kernel_lock &kernel_lock r = 1 (0xffffffff82651848) #0 witness_lock+0x52e sys/kern/subr_witness.c:1163 #1 syscall+0x400 mi_syscall sys/sys/syscall_mi.h:83 [inline] #1 syscall+0x400 sys/arch/amd64/amd64/trap.c:555 #2 Xsyscall+0x128 ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim devbuf 9522 6478K 6969K 78643K 15951 0 0 pcb 14 8K 8K 78643K 3341 0 0 rtable 112 12K 13K 78643K 364 0 0 ifaddr 60 13K 13K 78643K 88 0 0 counters 39 33K 33K 78643K 39 0 0 ioctlops 0 0K 4K 78643K 1481 0 0 iov 0 0K 16K 78643K 38 0 0 mount 1 1K 1K 78643K 1 0 0 vnodes 1219 77K 77K 78643K 2441 0 0 UFS quota 1 32K 32K 78643K 1 0 0 UFS mount 5 36K 36K 78643K 5 0 0 shm 3 5K 9K 78643K 1024 0 0 VM map 2 1K 1K 78643K 2 0 0 sem 12 0K 0K 78643K 1102 0 0 dirhash 12 2K 2K 78643K 12 0 0 ACPI 1808 196K 290K 78643K 12765 0 0 file desc 6 17K 25K 78643K 1873 0 0 sigio 0 0K 0K 78643K 2 0 0 proc 60 63K 95K 78643K 534 0 0 subproc 32 2K 2K 78643K 68 0 0 NFS srvsock 1 0K 0K 78643K 1 0 0 NFS daemon 1 16K 16K 78643K 1 0 0 ip_moptions 0 0K 0K 78643K 5911 0 0 in_multi 33 2K 2K 78643K 64 0 0 ether_multi 1 0K 0K 78643K 5 0 0 ISOFS mount 1 32K 32K 78643K 1 0 0 MSDOSFS mount 1 16K 16K 78643K 1 0 0 ttys 48 212K 212K 78643K 48 0 0 exec 0 0K 1K 78643K 242 0 0 pagedep 1 8K 8K 78643K 1 0 0 inodedep 1 32K 32K 78643K 1 0 0 newblk 1 0K 0K 78643K 1 0 0 VM swap 7 26K 26K 78643K 7 0 0 UVM amap 110 22K 24K 78643K 6600 0 0 UVM aobj 130 4K 4K 78643K 130 0 0 memdesc 1 4K 4K 78643K 1 0 0 crypto data 1 1K 1K 78643K 1 0 0 ip6_options 0 0K 1K 78643K 732 0 0 NDP 12 0K 0K 78643K 25 0 0 temp 171 3555K 3622K 78643K 13413 0 0 kqueue 0 0K 0K 78643K 1 0 0 SYN cache 2 16K 16K 78643K 2 0 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 12 0 6 1 0 1 1 0 8 0 plcache 128 20 0 0 1 0 1 1 0 8 0 rtpcb 80 39 0 37 1 0 1 1 0 8 0 rtentry 112 74 0 31 2 0 2 2 0 8 0 unpcb 120 189 0 179 1 0 1 1 0 8 0 syncache 264 4 0 4 1 1 0 1 0 8 0 tcpqe 32 5855 0 5855 1 1 0 1 0 8 0 tcpcb 544 5298 0 5294 4 3 1 2 0 8 0 inpcb 280 9396 0 9387 2 0 2 2 0 8 1 nd6 48 12 0 8 1 0 1 1 0 8 0 pkpcb 40 1 0 1 1 1 0 1 0 8 0 ppxss 1128 2 0 2 2 1 1 1 0 8 1 pffrag 232 3 0 3 2 2 0 1 0 482 0 pffrnode 88 3 0 3 2 2 0 1 0 8 0 pffrent 40 51 0 51 2 1 1 1 0 8 1 pfosfp 40 846 0 423 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfstitem 24 64 0 17 1 0 1 1 0 8 0 pfstkey 112 64 0 17 2 0 2 2 0 8 0 pfstate 328 64 0 17 5 0 5 5 0 8 0 pfrule 1360 21 0 16 2 1 1 2 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 320 0 103 15 1 14 15 0 8 0 art_table 32 321 0 103 2 0 2 2 0 8 0 art_node 16 73 0 34 1 0 1 1 0 8 0 sysvmsgpl 40 24 0 24 1 1 0 1 0 8 0 semupl 112 9 0 9 1 1 0 1 0 8 0 semapl 112 1100 0 1090 1 0 1 1 0 8 0 shmpl 112 128 0 0 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino1pl 128 3413 0 2006 46 0 46 46 0 8 0 ffsino 272 3413 0 2006 96 1 95 95 0 8 0 nchpl 144 8028 0 6419 61 0 61 61 0 8 0 uvmvnodes 72 4598 0 0 84 0 84 84 0 8 0 vnodes 208 4598 0 0 242 0 242 242 0 8 0 namei 1024 20692 0 20692 3 2 1 1 0 8 1 percpumem 16 30 0 0 1 0 1 1 0 8 0 scxspl 192 16877 0 16877 12 9 3 7 0 8 3 plimitpl 152 24 0 16 1 0 1 1 0 8 0 sigapl 432 2067 0 2051 3 1 2 3 0 8 0 futexpl 56 59444 0 59443 1 0 1 1 0 8 0 knotepl 112 110 0 91 1 0 1 1 0 8 0 kqueuepl 104 44 0 42 1 0 1 1 0 8 0 pipepl 112 6430 0 6411 2 1 1 1 0 8 0 fdescpl 488 2068 0 2051 3 0 3 3 0 8 0 filepl 152 26671 0 26564 10 4 6 6 0 8 1 lockfpl 104 2188 0 2186 1 0 1 1 0 8 0 lockfspl 48 1065 0 1063 1 0 1 1 0 8 0 sessionpl 112 20 0 9 1 0 1 1 0 8 0 pgrppl 48 24 0 13 1 0 1 1 0 8 0 ucredpl 96 557 0 548 1 0 1 1 0 8 0 zombiepl 144 2051 0 2051 3 2 1 1 0 8 1 processpl 896 2084 0 2051 4 0 4 4 0 8 0 procpl 632 4716 0 4672 6 1 5 5 0 8 1 srpgc 64 4 0 4 2 2 0 1 0 8 0 sosppl 128 2 0 2 1 1 0 1 0 8 0 sockpl 384 9638 0 9617 8 4 4 4 0 8 1 mcl64k 65536 7 0 0 1 0 1 1 0 8 0 mcl16k 16384 1 0 0 1 0 1 1 0 8 0 mcl12k 12288 9 0 0 1 0 1 1 0 8 0 mcl9k 9216 6 0 0 1 0 1 1 0 8 0 mcl8k 8192 17 0 0 3 0 3 3 0 8 0 mcl4k 4096 9 0 0 2 0 2 2 0 8 0 mcl2k2 2112 3 0 0 1 0 1 1 0 8 0 mcl2k 2048 179 0 0 21 0 21 21 0 8 0 mtagpl 80 294 0 0 6 0 6 6 0 8 0 mbufpl 256 837 0 0 48 0 48 48 0 8 0 bufpl 256 8941 0 1893 441 0 441 441 0 8 0 anonpl 16 161589 0 145191 85 18 67 83 0 124 0 amapchunkpl 152 8927 0 8790 18 6 12 13 0 158 6 amappl16 192 9461 0 8558 56 10 46 56 0 8 0 amappl15 184 3 0 3 2 2 0 1 0 8 0 amappl14 176 1209 0 1207 2 1 1 1 0 8 0 amappl13 168 1 0 1 1 1 0 1 0 8 0 amappl12 160 6 0 6 1 1 0 1 0 8 0 amappl11 152 59 0 44 1 0 1 1 0 8 0 amappl10 144 13 0 10 1 0 1 1 0 8 0 amappl9 136 647 0 639 1 0 1 1 0 8 0 amappl8 128 187 0 161 1 0 1 1 0 8 0 amappl7 120 48 0 43 1 0 1 1 0 8 0 amappl6 112 97 0 81 1 0 1 1 0 8 0 amappl5 104 147 0 133 1 0 1 1 0 8 0 amappl4 96 1150 0 1120 1 0 1 1 0 8 0 amappl3 88 2481 0 2476 1 0 1 1 0 8 0 amappl2 80 16537 0 16458 3 1 2 3 0 8 0 amappl1 72 47046 0 46590 26 16 10 20 0 8 0 amappl 80 5003 0 4958 2 0 2 2 0 84 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 17 0 17 1 1 0 1 0 8 0 aobjpl 64 129 0 0 3 0 3 3 0 8 0 uaddrrnd 24 2068 0 2051 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 2068 0 2051 1 0 1 1 0 8 0 vmmpekpl 168 27640 0 27609 2 0 2 2 0 8 0 vmmpepl 168 245316 0 243182 191 85 106 128 0 357 13 vmsppl 368 2067 0 2051 2 0 2 2 0 8 0 pdppl 4096 4143 0 4102 7 1 6 6 0 8 0 pvpl 32 464295 0 444627 215 50 165 195 0 265 6 pmappl 232 2067 0 2051 3 2 1 2 0 8 0 extentpl 40 41 0 26 1 0 1 1 0 8 0 phpool 112 652 0 11 19 0 19 19 0 8 0