panic: Data modified on freelist: word 4 of object 0xffff800001674400 size 0x400 previous type free (0x0 != 0xdeadbeef) Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *421726 12665 0 0 0x4000000 0 syz-executor db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff833d9b9c) at panic+0x1cf sys/kern/subr_prf.c:198 malloc(400,3e,9) at malloc+0xdb6 sys/kern/kern_malloc.c:357 clalloc(ffff800001638048,2000,1) at clalloc+0xa5 sys/kern/tty_subr.c:64 ttymalloc(f4240) at ttymalloc+0x14b sys/kern/tty.c:2364 check_pty(50e) at check_pty+0x1f8 sys/kern/tty_pty.c:198 ptmioctl(5100,40287401,ffff80003c90dab0,3,ffff80003c923258) at ptmioctl+0x33a sys/kern/tty_pty.c:1111 VOP_IOCTL(fffffd807eaa0bd8,40287401,ffff80003c90dab0,3,fffffd8007ffd7b8,ffff80003c923258) at VOP_IOCTL+0xa3 sys/kern/vfs_vops.c:264 vn_ioctl(fffffd806c93f790,40287401,ffff80003c90dab0,ffff80003c923258) at vn_ioctl+0xea sys/kern/vfs_vnops.c:531 sys_ioctl(ffff80003c923258,ffff80003c90dc80,ffff80003c90dbd0) at sys_ioctl+0x660 sys/kern/sys_generic.c:-1 syscall(ffff80003c90dc80) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c90dc80) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xd9e056f1260, count: 3 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: Data modified on freelist: word 4 of object 0xffff800001674400 size 0x400 previous type free (0x0 != 0xdeadbeef) ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff833d9b9c) at panic+0x1cf sys/kern/subr_prf.c:198 malloc(400,3e,9) at malloc+0xdb6 sys/kern/kern_malloc.c:357 clalloc(ffff800001638048,2000,1) at clalloc+0xa5 sys/kern/tty_subr.c:64 ttymalloc(f4240) at ttymalloc+0x14b sys/kern/tty.c:2364 check_pty(50e) at check_pty+0x1f8 sys/kern/tty_pty.c:198 ptmioctl(5100,40287401,ffff80003c90dab0,3,ffff80003c923258) at ptmioctl+0x33a sys/kern/tty_pty.c:1111 VOP_IOCTL(fffffd807eaa0bd8,40287401,ffff80003c90dab0,3,fffffd8007ffd7b8,ffff80003c923258) at VOP_IOCTL+0xa3 sys/kern/vfs_vops.c:264 vn_ioctl(fffffd806c93f790,40287401,ffff80003c90dab0,ffff80003c923258) at vn_ioctl+0xea sys/kern/vfs_vnops.c:531 sys_ioctl(ffff80003c923258,ffff80003c90dc80,ffff80003c90dbd0) at sys_ioctl+0x660 sys/kern/sys_generic.c:-1 syscall(ffff80003c90dc80) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c90dc80) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xd9e056f1260, count: -12 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80003c90d3b0 rbx 0xffff800001674400 rdx 0 rcx 0 rax 0xffff80003c923258 r8 0x101010101010101 r9 0x8080808080808080 r10 0x97c7cb8077d5a660 r11 0xca0185e28043a919 r12 0 r13 0xffffffff83a679f0 kmemstats+0xf80 r14 0 r15 0x1 rip 0xffffffff82289575 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80003c90d3a0 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb> show proc PROC (syz-executor) tid=421726 pid=12665 tcnt=3 stat=onproc flags process=0 proc=4000000 runpri=32, usrpri=86, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80003c923788,0xffff80003c922040 process=0xffff80003c985220 user=0xffff80003c908000, vmspace=0xfffffd80735c0d08 estcpu=36, cpticks=2, pctcpu=0.0, user=0, sys=2, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 12665 77239 99020 0 2 0 syz-executor *12665 421726 99020 0 7 0x4000000 syz-executor 12665 320845 99020 0 3 0x4000080 fsleep syz-executor 20801 131921 65912 0 3 0x80 fsleep syz-executor 20801 287102 65912 0 3 0x4000080 ttyretype syz-executor 50865 263353 45783 0 3 0x80 fsleep syz-executor 50865 45072 45783 0 3 0x4000080 nanoslp syz-executor 5854 296572 4193 0 3 0x80 fsleep syz-executor 5854 436424 4193 0 3 0x4000080 fifor syz-executor 5854 271989 4193 0 3 0x4000080 fsleep syz-executor 88345 26509 35546 0 3 0x80 fsleep syz-executor 88345 361742 35546 0 3 0x4000080 lockf syz-executor 88345 103734 35546 0 3 0x4000080 lockf syz-executor 81402 198145 85521 0 3 0x80 fsleep syz-executor 81402 352157 85521 0 3 0x4000080 dtread syz-executor 27546 135717 13406 0 3 0x2 biowait syz-executor 45783 494322 13406 0 3 0x82 nanoslp syz-executor 82477 130275 0 0 3 0x14200 acct acct 50258 159809 0 0 3 0x14280 nfsidl nfsio 40914 332084 0 0 3 0x14280 nfsidl nfsio 11153 97178 0 0 3 0x14280 nfsidl nfsio 60660 391260 0 0 3 0x14280 nfsidl nfsio 30856 222823 0 0 3 0x14280 nfsidl nfsio 74834 266409 0 0 3 0x14280 nfsidl nfsio 16054 382009 0 0 3 0x14280 nfsidl nfsio 63935 338189 0 0 3 0x14280 nfsidl nfsio 18563 242001 0 0 3 0x14280 nfsidl nfsio 10102 343045 0 0 3 0x14280 nfsidl nfsio 96590 351078 0 0 3 0x14280 nfsidl nfsio 95617 512318 0 0 3 0x14280 nfsidl nfsio 32690 55531 0 0 3 0x14280 nfsidl nfsio 41370 160799 0 0 3 0x14280 nfsidl nfsio 19492 191434 0 0 3 0x14280 nfsidl nfsio 19063 118038 0 0 3 0x14280 nfsidl nfsio 84146 258060 0 0 3 0x14280 nfsidl nfsio 96836 36532 0 0 3 0x14280 nfsidl nfsio 73140 144586 0 0 3 0x14280 nfsidl nfsio 3729 40502 0 0 3 0x14280 nfsidl nfsio 85521 373963 13406 0 3 0x82 nanoslp syz-executor 99020 72711 13406 0 3 0x82 nanoslp syz-executor 4193 405326 13406 0 3 0x82 nanoslp syz-executor 65912 79282 13406 0 3 0x82 nanoslp syz-executor 55223 440145 13406 0 3 0x82 wait syz-executor 35546 452029 13406 0 3 0x82 nanoslp syz-executor 13406 259115 27822 0 3 0x82 kqread syz-executor 27822 171414 15133 0 3 0x10008a sigsusp ksh 15133 161932 48631 0 3 0x98 kqread sshd-session 48631 227981 83037 0 3 0x92 kqread sshd-session 8606 121007 1 0 3 0x100083 ttyin getty 83037 465469 1 0 3 0x88 kqread sshd 48621 55498 34967 73 3 0x1100090 kqread syslogd 34967 15199 1 0 3 0x100082 sbwait syslogd 23277 8244 1 0 3 0x100080 kqread resolvd 2360 52411 30784 77 3 0x100092 kqread dhcpleased 64627 506574 30784 77 3 0x100092 kqread dhcpleased 30784 280563 1 0 3 0x80 kqread dhcpleased 62380 457570 0 0 3 0x14200 bored smr 92050 151823 0 0 2 0x14200 zerothread 17844 77654 0 0 3 0x14200 aiodoned aiodoned 63950 510889 0 0 3 0x14200 syncer update 8800 373961 0 0 3 0x14200 cleaner cleaner 28464 217388 0 0 3 0x14200 reaper reaper 22414 199585 0 0 3 0x14200 pgdaemon pagedaemon 46142 149876 0 0 3 0x14200 bored viomb 9944 197356 0 0 3 0x40014200 acpi0 acpi0 71564 428060 0 0 3 0x14200 bored softnet0 52351 26997 0 0 3 0x14200 bored systqmp 84959 333812 0 0 3 0x14200 bored systq 63256 75101 0 0 3 0x40014200 tmoslp softclock 50002 427480 0 0 3 0x40014200 idle0 1 290539 0 0 3 0x82 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 11057 12157K 12443K 166960K 12695 0 pcb 18 16K 17K 166960K 207 0 rtable 235 7K 7K 166960K 483 0 pf 33 13K 14K 166960K 89 0 ifaddr 42 7K 7K 166960K 78 0 ifgroup 50 2K 2K 166960K 117 0 sysctl 1 1K 9K 166960K 9 0 counters 33 17K 18K 166960K 59 0 ioctlops 0 0K 4K 166960K 152 0 iov 0 0K 12K 166960K 79 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1386 87K 87K 166960K 1806 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 3 5K 5K 166960K 9 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 27 0 dirhash 12 2K 2K 166960K 21 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 17 61K 240K 166960K 568 0 sigio 0 0K 0K 166960K 6 0 proc 60 59K 100K 166960K 561 0 subproc 72 4K 4K 166960K 90 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 24 0 in_multi 99 7K 7K 166960K 141 0 ether_multi 1 0K 0K 166960K 1 0 mrt 0 0K 0K 166960K 18 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 113 511K 510K 166960K 113 0 exec 0 0K 1K 166960K 479 0 fusefs mount 1 32K 32K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 220 150K 165K 166960K 6665 0 UVM aobj 50 10K 10K 166960K 51 0 pinsyscall 38 76K 94K 166960K 1708 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 35 0 NDP 11 0K 2K 166960K 48 0 temp 46 9068K 9132K 166960K 20724 0 kqueue 13 20K 30K 166960K 111 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 110 0 107 2 1 1 2 0 8 0 rtentry 136 152 0 48 4 0 4 4 0 8 0 unpcb 144 231 0 214 1 0 1 1 0 8 0 syncache 336 7 0 7 3 2 1 1 0 8 1 tcpqe 32 2 0 2 2 1 1 1 0 8 1 tcpcb 736 203 0 197 4 3 1 4 0 8 0 arp 96 22 0 4 1 0 1 1 0 8 0 ipq 40 1 0 0 1 0 1 1 0 8 0 ipqe 40 1 0 0 1 0 1 1 0 8 0 inpcb 328 605 0 595 13 11 2 7 0 8 0 ip6q 72 2 0 1 1 0 1 1 0 8 0 ip6af 40 4 0 3 1 0 1 1 0 8 0 nd6 112 32 0 7 1 0 1 1 0 8 0 pkpcb 40 2 0 2 2 2 0 1 0 8 0 kcovpl 48 10 0 2 1 0 1 1 0 8 0 ppxss 1072 14 0 14 3 2 1 1 0 8 1 pppxif 1384 6 0 6 3 2 1 1 0 8 1 pfstscr 40 2 0 2 1 1 0 1 0 8 0 pffrag 232 2 0 1 2 1 1 1 0 482 0 pffrnode 88 2 0 1 2 1 1 1 0 8 0 pffrent 40 3 0 2 2 1 1 1 0 8 0 pfstitem 24 4 0 0 1 0 1 1 0 8 0 pfstkey 128 8 0 4 1 0 1 1 0 8 0 pfstate 384 5 0 3 1 0 1 1 0 8 0 pfrule 1360 6 0 6 2 2 0 1 0 8 0 rttmr 136 1 0 1 1 1 0 1 0 8 0 art_heap8 4096 2 0 0 2 0 2 2 0 8 0 art_heap4 256 676 0 228 35 6 29 29 0 8 0 art_table 40 678 0 228 5 0 5 5 0 8 0 art_node 32 149 0 57 1 0 1 1 0 8 0 sysvmsgpl 40 2 0 2 2 2 0 1 0 8 0 semupl 112 2 0 2 2 2 0 1 0 8 0 semapl 112 25 0 15 1 0 1 1 0 8 0 shmpl 112 43 0 0 2 0 2 2 0 8 0 dirhash 1024 23 0 6 3 0 3 3 0 8 0 dino2pl 256 2302 0 846 92 0 92 92 0 8 0 ffsino 256 2302 0 846 92 0 92 92 0 8 0 nchpl 144 3035 0 1335 64 0 64 64 0 8 0 rtmask 32 2 0 2 1 1 0 1 0 8 0 vnodes 216 2660 0 0 148 0 148 148 0 8 0 namei 1024 10150 0 10149 3 2 1 2 0 8 0 vcpupl 3904 5 0 1 1 0 1 1 0 8 0 vmpool 808 5 0 1 1 0 1 1 0 8 0 kstatmem 264 56 0 34 2 0 2 2 0 8 0 scsiplug 72 3 0 3 2 1 1 1 0 8 1 scxspl 216 14371 0 14370 9 8 1 8 1 8 0 plimitpl 152 170 0 152 1 0 1 1 0 8 0 sigapl 424 867 0 804 8 0 8 8 0 8 0 knotepl 120 20945 0 20898 36 26 10 15 0 8 8 kqueuepl 184 242 0 233 6 5 1 4 0 8 0 pipepl 304 155 0 128 3 0 3 3 0 8 0 fdescpl 448 832 0 803 5 1 4 5 0 8 0 filepl 120 4608 0 4366 13 5 8 11 0 8 0 lockfpl 104 311 0 304 2 1 1 2 0 8 0 lockfspl 48 86 0 83 1 0 1 1 0 8 0 sessionpl 144 27 0 19 1 0 1 1 0 8 0 pgrppl 48 39 0 23 1 0 1 1 0 8 0 ucredpl 104 713 0 701 1 0 1 1 0 8 0 zombiepl 144 894 0 893 2 1 1 1 0 8 0 processpl 1152 867 0 804 5 0 5 5 0 8 0 procpl 664 1466 0 1394 7 0 7 7 0 8 0 sosppl 176 2 0 2 1 1 0 1 0 8 0 sockpl 552 960 0 930 11 8 3 7 0 8 0 mcl64k 65536 113 0 113 3 2 1 1 0 8 1 mcl9k 9216 1 0 1 1 0 1 1 0 8 1 mcl8k 8192 7 0 7 2 2 0 1 0 8 0 mcl4k 4096 3012 0 2957 16 8 8 16 0 8 0 mcl2k 2048 572 0 570 2 1 1 2 0 8 0 mtagpl 96 13 0 4 1 0 1 1 0 8 0 mbufpl 256 9075 0 8913 13 1 12 12 0 8 0 bufpl 280 5308 0 108 372 0 372 372 0 8 0 anonpl 24 159226 0 156093 73 41 32 68 0 187 5 amapchunkpl 152 21394 0 20916 40 13 27 27 0 158 8 amappl16 200 3272 0 3243 25 21 4 23 0 8 0 amappl15 192 7 0 7 1 1 0 1 0 8 0 amappl14 184 437 0 436 1 0 1 1 0 8 0 amappl13 176 138 0 127 1 0 1 1 0 8 0 amappl12 168 1077 0 1049 2 0 2 2 0 8 0 amappl11 160 10 0 10 1 1 0 1 0 8 0 amappl10 152 57 0 47 1 0 1 1 0 8 0 amappl9 144 261 0 261 1 1 0 1 0 8 0 amappl8 136 105 0 104 1 0 1 1 0 8 0 amappl7 128 42 0 39 1 0 1 1 0 8 0 amappl6 120 275 0 265 1 0 1 1 0 8 0 amappl5 112 92 0 84 1 0 1 1 0 8 0 amappl4 104 478 0 447 1 0 1 1 0 8 0 amappl3 96 3547 0 3459 3 0 3 3 0 8 0 amappl2 88 934 0 873 2 0 2 2 0 8 0 amappl1 80 11856 0 11314 14 1 13 13 0 8 0 amappl 88 5866 0 5707 5 0 5 5 0 92 0 uvmvnodes 80 107 0 0 3 0 3 3 0 8 0 dma8192 8192 2 0 2 2 2 0 1 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 3 0 2 1 0 1 1 0 8 0 dma256 256 7 0 7 2 2 0 1 0 8 0 dma128 128 254 0 254 2 2 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 50 0 1 1 0 1 1 0 8 0 uaddrrnd 24 832 0 803 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 832 0 803 1 0 1 1 0 8 0 vmmpekpl 168 8321 0 8277 3 0 3 3 0 8 0 vmmpepl 168 61435 0 59647 108 22 86 97 0 357 5 vmsppl 368 831 0 803 4 1 3 4 0 8 0 rwobjpl 40 20173 0 19172 14 1 13 14 0 8 0 pdppl 4096 1680 0 1612 116 45 71 82 0 8 3 pvpl 32 397127 0 387691 154 67 87 146 0 265 3 pmappl 216 836 0 804 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 404 0 81 10 0 10 10 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff833d9b9c) at panic+0x1cf sys/kern/subr_prf.c:198 malloc(400,3e,9) at malloc+0xdb6 sys/kern/kern_malloc.c:357 clalloc(ffff800001638048,2000,1) at clalloc+0xa5 sys/kern/tty_subr.c:64 ttymalloc(f4240) at ttymalloc+0x14b sys/kern/tty.c:2364 check_pty(50e) at check_pty+0x1f8 sys/kern/tty_pty.c:198 ptmioctl(5100,40287401,ffff80003c90dab0,3,ffff80003c923258) at ptmioctl+0x33a sys/kern/tty_pty.c:1111 VOP_IOCTL(fffffd807eaa0bd8,40287401,ffff80003c90dab0,3,fffffd8007ffd7b8,ffff80003c923258) at VOP_IOCTL+0xa3 sys/kern/vfs_vops.c:264 vn_ioctl(fffffd806c93f790,40287401,ffff80003c90dab0,ffff80003c923258) at vn_ioctl+0xea sys/kern/vfs_vnops.c:531 sys_ioctl(ffff80003c923258,ffff80003c90dc80,ffff80003c90dbd0) at sys_ioctl+0x660 sys/kern/sys_generic.c:-1 syscall(ffff80003c90dc80) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c90dc80) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xd9e056f1260, count: -12 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff833d9b9c) at panic+0x1cf sys/kern/subr_prf.c:198 malloc(400,3e,9) at malloc+0xdb6 sys/kern/kern_malloc.c:357 clalloc(ffff800001638048,2000,1) at clalloc+0xa5 sys/kern/tty_subr.c:64 ttymalloc(f4240) at ttymalloc+0x14b sys/kern/tty.c:2364 check_pty(50e) at check_pty+0x1f8 sys/kern/tty_pty.c:198 ptmioctl(5100,40287401,ffff80003c90dab0,3,ffff80003c923258) at ptmioctl+0x33a sys/kern/tty_pty.c:1111 VOP_IOCTL(fffffd807eaa0bd8,40287401,ffff80003c90dab0,3,fffffd8007ffd7b8,ffff80003c923258) at VOP_IOCTL+0xa3 sys/kern/vfs_vops.c:264 vn_ioctl(fffffd806c93f790,40287401,ffff80003c90dab0,ffff80003c923258) at vn_ioctl+0xea sys/kern/vfs_vnops.c:531 sys_ioctl(ffff80003c923258,ffff80003c90dc80,ffff80003c90dbd0) at sys_ioctl+0x660 sys/kern/sys_generic.c:-1 syscall(ffff80003c90dc80) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c90dc80) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xd9e056f1260, count: -12