panic: pool_do_get: pdppl free list modified: page 0xfffffd8078ba7000; item addr 0xfffffd8078ba7000; offset 0x0=0x51c7f00e9b87d938 != 0x51c7f00e9b87d97a Stopped at db_enter+0x1c: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND * 40462 92595 0 0x8000002 0 0 syz-executor.2 db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8285a9f0) at panic+0x165 sys/kern/subr_prf.c:198 pool_do_get(ffffffff82dc3c48,1,ffff80002a69580c) at pool_do_get+0x434 pool_get(ffffffff82dc3c48,1) at pool_get+0xba sys/kern/subr_pool.c:582 pmap_create() at pmap_create+0x139 sys/arch/amd64/amd64/pmap.c:1369 uvmspace_fork(ffff8000ffff94f8) at uvmspace_fork+0x64 uvmspace_init sys/uvm/uvm_map.c:3302 [inline] uvmspace_fork(ffff8000ffff94f8) at uvmspace_fork+0x64 uvmspace_alloc sys/uvm/uvm_map.c:3280 [inline] uvmspace_fork(ffff8000ffff94f8) at uvmspace_fork+0x64 sys/uvm/uvm_map.c:3852 process_new(ffff80002a6b3740,ffff8000ffff94f8,1) at process_new+0x3dc sys/kern/kern_fork.c:278 fork1(ffff80002a6779c0,1,ffffffff81efb410,0,ffff80002a695a90,0) at fork1+0x2ef sys/kern/kern_fork.c:399 syscall(ffff80002a695b40) at syscall+0x72a sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x76ca68444840, count: 5 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: pool_do_get: pdppl free list modified: page 0xfffffd8078ba7000; item addr 0xfffffd8078ba7000; offset 0x0=0x51c7f00e9b87d938 != 0x51c7f00e9b87d97a ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8285a9f0) at panic+0x165 sys/kern/subr_prf.c:198 pool_do_get(ffffffff82dc3c48,1,ffff80002a69580c) at pool_do_get+0x434 pool_get(ffffffff82dc3c48,1) at pool_get+0xba sys/kern/subr_pool.c:582 pmap_create() at pmap_create+0x139 sys/arch/amd64/amd64/pmap.c:1369 uvmspace_fork(ffff8000ffff94f8) at uvmspace_fork+0x64 uvmspace_init sys/uvm/uvm_map.c:3302 [inline] uvmspace_fork(ffff8000ffff94f8) at uvmspace_fork+0x64 uvmspace_alloc sys/uvm/uvm_map.c:3280 [inline] uvmspace_fork(ffff8000ffff94f8) at uvmspace_fork+0x64 sys/uvm/uvm_map.c:3852 process_new(ffff80002a6b3740,ffff8000ffff94f8,1) at process_new+0x3dc sys/kern/kern_fork.c:278 fork1(ffff80002a6779c0,1,ffffffff81efb410,0,ffff80002a695a90,0) at fork1+0x2ef sys/kern/kern_fork.c:399 syscall(ffff80002a695b40) at syscall+0x72a sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x76ca68444840, count: -10 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80002a695680 rbx 0xfffffd8078ba7000 rdx 0 rcx 0 rax 0xffff80002a6779c0 r8 0x101010101010101 r9 0x8080808080808080 r10 0x253d7b7d329741dd r11 0xd476db0665231fcd r12 0 r13 0xfffffd806d3a6510 r14 0 r15 0x1 rip 0xffffffff82453c3c db_enter+0x1c cs 0x8 rflags 0x246 rsp 0xffff80002a695670 ss 0x10 db_enter+0x1c: addq $0x8,%rsp ddb> show proc PROC (syz-executor.2) tid=40462 pid=92595 tcnt=1 stat=onproc flags process=8000002 proc=0 runpri=72, usrpri=86, slppri=17, nice=20 wchan=0x0, wmesg=, ps_single=0x0 forw=0xffffffffffffffff, list=0xffff80002a6c3748,0xffff80002a676550 process=0xffff8000ffff94f8 user=0xffff80002a690000, vmspace=0xfffffd806956a570 estcpu=36, cpticks=2, pctcpu=0.10, user=0, sys=2, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 84746 346501 56357 0 2 0x8000000 syz-executor.1 42562 232050 44412 0 2 0x8000000 syz-executor.4 42562 68251 44412 0 3 0xc000080 fsleep syz-executor.4 67385 19407 44925 0 2 0x8000000 syz-executor.0 67385 48980 44925 0 3 0xc000080 fsleep syz-executor.0 6859 508170 40616 0 2 0x8000000 syz-executor.5 6859 294015 40616 0 3 0xc000080 fsleep syz-executor.5 6859 7079 40616 0 3 0xc000080 lockf syz-executor.5 6859 15068 40616 0 3 0xc000080 fsleep syz-executor.5 22485 214328 25792 60928 2 0x8000010 syz-executor.7 22485 215845 25792 60928 3 0xc000090 fsleep syz-executor.7 44925 60930 56658 0 3 0x8000082 nanoslp syz-executor.0 40616 252487 56658 0 3 0x8000082 nanoslp syz-executor.5 56357 167694 56658 0 3 0x8000082 nanoslp syz-executor.1 89903 191605 56658 0 3 0x8000082 nanoslp syz-executor.3 44412 401917 56658 0 3 0x8000082 nanoslp syz-executor.4 *92595 40462 56658 0 7 0x8000002 syz-executor.2 23350 119755 0 0 3 0x14200 acct acct 25792 477067 56658 0 3 0x8000082 nanoslp syz-executor.7 30019 40220 56658 0 3 0x8000002 biowait syz-executor.6 40205 510052 1 0 3 0x18100083 ttyin getty 23735 264879 0 0 3 0x14200 bored sosplice 56658 62728 52074 0 3 0x1a000082 thrsleep syz-fuzzer 56658 426952 52074 0 3 0x1e000082 nanoslp syz-fuzzer 56658 15455 52074 0 3 0x1e000082 wait syz-fuzzer 56658 370832 52074 0 3 0x1e000082 wait syz-fuzzer 56658 435079 52074 0 3 0x1e000082 wait syz-fuzzer 56658 488650 52074 0 3 0x1e000082 kqread syz-fuzzer 56658 439298 52074 0 3 0x1e000082 thrsleep syz-fuzzer 56658 521089 52074 0 3 0x1e000082 wait syz-fuzzer 56658 162729 52074 0 3 0x1e000082 wait syz-fuzzer 56658 276424 52074 0 3 0x1e000082 thrsleep syz-fuzzer 56658 96825 52074 0 3 0x1e000082 thrsleep syz-fuzzer 56658 136854 52074 0 3 0x1e000082 wait syz-fuzzer 56658 184817 52074 0 3 0x1e000082 wait syz-fuzzer 56658 115997 52074 0 3 0x1e000082 wait syz-fuzzer 52074 387869 15373 0 3 0x810008a sigsusp ksh 15373 93158 91446 0 3 0x1800009a kqread sshd 91446 111269 1 0 3 0x18000088 kqread sshd 69608 429419 81177 73 3 0x19100090 kqread syslogd 81177 214503 1 0 3 0x18100082 sbwait syslogd 27789 203529 1 0 3 0x18100080 kqread resolvd 31849 117724 87827 77 3 0x18100092 kqread dhcpleased 99943 330903 87827 77 3 0x18100092 kqread dhcpleased 87827 347462 1 0 3 0x18000080 kqread dhcpleased 41045 253309 0 0 3 0x14200 bored smr 49110 240515 0 0 2 0x14200 zerothread 5058 220038 0 0 3 0x14200 aiodoned aiodoned 98591 164585 0 0 3 0x14200 syncer update 97148 368723 0 0 3 0x14200 cleaner cleaner 72170 488746 0 0 3 0x14200 reaper reaper 41795 51795 0 0 3 0x14200 pgdaemon pagedaemon 81908 495968 0 0 3 0x14200 bored viomb 86218 166277 0 0 3 0x40014200 acpi0 acpi0 29424 282481 0 0 3 0x14200 bored softnet3 33223 79615 0 0 3 0x14200 bored softnet2 8679 410403 0 0 3 0x14200 bored softnet1 64190 161068 0 0 3 0x14200 bored softnet0 69665 165350 0 0 3 0x14200 bored systqmp 52445 423050 0 0 3 0x14200 bored systq 38885 401338 0 0 3 0x40014200 tmoslp softclock 11903 134328 0 0 3 0x40014200 idle0 1 284167 0 0 3 0x8080082 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10210 6440K 7329K 166960K 32435 0 pcb 17 18K 20K 166960K 1533 0 rtable 233 12K 13K 166960K 9133 0 pf 34 9K 10K 166960K 798 0 ifaddr 47 16K 17K 166960K 1171 0 ifgroup 61 2K 3K 166960K 1573 0 sysctl 4 1K 3K 166960K 21 0 counters 32 17K 18K 166960K 355 0 ioctlops 0 0K 2K 166960K 958 0 iov 0 0K 20K 166960K 526 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1535 96K 97K 166960K 14553 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 68K 76K 166960K 227 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 905 0 dirhash 12 2K 3K 166960K 300 0 ACPI 1697 195K 286K 166960K 12548 0 file desc 17 61K 113K 166960K 12611 0 sigio 0 0K 0K 166960K 217 0 proc 58 59K 124K 166960K 8335 0 subproc 104 6K 9K 166960K 4031 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 1433 0 in_multi 89 6K 7K 166960K 3183 0 ether_multi 1 0K 0K 166960K 74 0 mrt 1 0K 0K 166960K 31 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 235 1049K 1049K 166960K 235 0 exec 0 0K 1K 166960K 5413 0 pfkey data 0 0K 0K 166960K 8 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 319 214K 231K 166960K 99356 0 UVM aobj 438 13K 13K 166960K 482 0 pinsyscall 37 74K 112K 166960K 20681 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 664 0 NDP 13 0K 2K 166960K 860 0 temp 78 6812K 14748K 166960K 440368 0 kqueue 13 20K 32K 166960K 1246 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 1549 0 1546 2 0 2 2 0 8 1 rtentry 112 3172 0 3072 5 1 4 4 0 8 1 unpcb 144 8185 0 8170 12 6 6 6 0 8 5 syncache 336 10 0 10 2 2 0 1 0 8 0 sackhl 24 1 8 1 1 1 0 1 0 8 0 tcpqe 32 69 0 69 3 2 1 1 0 8 1 tcpcb 808 3086 0 3081 12 8 4 8 0 8 3 arp 88 599 0 582 1 0 1 1 0 8 0 ipq 40 40 0 39 2 1 1 1 0 8 0 ipqe 40 156 0 155 2 1 1 1 0 8 0 inpcb 352 12679 0 12671 38 29 9 17 0 8 8 nd6 104 841 0 818 1 0 1 1 0 8 0 pkpcb 40 72 0 72 3 2 1 1 0 8 1 kcovpl 48 310 0 302 1 0 1 1 0 8 0 ppxss 1072 17 0 17 3 2 1 1 0 8 1 art_heap8 4096 2 0 0 2 0 2 2 0 8 0 art_heap4 256 12236 0 11818 158 131 27 29 0 8 0 art_table 32 12238 0 11818 5 1 4 4 0 8 0 art_node 16 3153 0 3064 1 0 1 1 0 8 0 sysvmsgpl 40 25 0 15 1 0 1 1 0 8 0 semupl 112 1 0 1 1 0 1 1 0 8 1 semapl 112 901 0 891 1 0 1 1 0 8 0 shmpl 112 479 0 44 13 0 13 13 0 8 0 dirhash 1024 209 0 192 3 0 3 3 0 8 0 dino2pl 256 18505 0 16927 100 0 100 100 0 8 0 ffsino 240 18505 0 16927 94 0 94 94 0 8 0 nchpl 144 34971 0 34350 67 42 25 66 0 8 0 uvmvnodes 80 11508 0 0 235 0 235 235 0 8 0 vnodes 216 11508 0 0 640 0 640 640 0 8 0 namei 1024 145012 0 145011 6 4 2 2 0 8 1 vcpupl 3904 41 0 3 5 0 5 5 0 8 0 vmpool 664 82 0 44 4 0 4 4 0 8 0 kstatmem 264 672 0 646 3 0 3 3 0 8 0 scsiplug 72 16 0 16 3 2 1 1 0 8 1 scxspl 216 189353 0 189350 11 8 3 8 1 8 2 plimitpl 152 2333 0 2318 1 0 1 1 0 8 0 sigapl 424 12362 0 12316 10 1 9 9 0 8 3 futexpl 64 173877 0 173872 2 1 1 1 0 8 0 knotepl 120 44018 0 43934 40 27 13 18 0 8 6 kqueuepl 184 3188 0 3178 7 3 4 4 0 8 3 pipepl 288 2508 0 2480 7 0 7 7 0 8 4 fdescpl 432 12299 0 12271 5 0 5 5 0 8 1 filepl 120 82183 0 81936 24 9 15 15 0 8 6 lockfpl 104 3332 0 3328 3 1 2 2 0 8 1 lockfspl 48 1309 0 1306 1 0 1 1 0 8 0 sessionpl 144 288 0 272 1 0 1 1 0 8 0 pgrppl 48 490 0 474 1 0 1 1 0 8 0 ucredpl 104 13197 0 13184 1 0 1 1 0 8 0 zombiepl 144 12317 0 12316 1 0 1 1 0 8 0 processpl 1072 12362 0 12316 6 0 6 6 0 8 1 procpl 656 23545 0 23480 11 2 9 9 0 8 1 sosppl 168 147 0 147 2 1 1 1 0 8 1 sockpl 504 22595 0 22568 119 107 12 33 0 8 8 mcl64k 65536 42 0 42 3 2 1 1 0 8 1 mcl16k 16384 1 0 1 1 1 0 1 0 8 0 mcl12k 12288 20 0 20 3 2 1 1 0 8 1 mcl9k 9216 4 0 4 2 1 1 1 0 8 1 mcl8k 8192 220 0 220 3 2 1 1 0 8 1 mcl4k 4096 20 0 20 3 2 1 1 0 8 1 mcl2k2 2112 5 0 5 3 2 1 1 0 8 1 mcl2k 2048 107432 0 107325 65 44 21 38 0 8 5 mtagpl 96 527 0 503 5 4 1 3 0 8 0 mbufpl 256 354430 0 354215 1187 1166 21 110 0 8 6 bufpl 280 28250 0 16690 826 0 826 826 0 8 0 anonpl 24 1367130 0 1360440 160 90 70 110 0 188 3 amapchunkpl 152 316464 0 315793 90 49 41 56 0 158 11 amappl16 200 26881 0 26707 94 71 23 23 0 8 7 amappl15 192 54 0 52 1 0 1 1 0 8 0 amappl14 184 1009 0 997 2 1 1 2 0 8 0 amappl13 176 15 0 15 3 2 1 1 0 8 1 amappl12 168 17043 0 17014 5 2 3 3 0 8 1 amappl11 160 70 0 60 1 0 1 1 0 8 0 amappl10 152 450 0 439 1 0 1 1 0 8 0 amappl9 144 153 0 153 2 1 1 1 0 8 1 amappl8 136 781 0 751 2 0 2 2 0 8 0 amappl7 128 91 0 76 1 0 1 1 0 8 0 amappl6 120 3650 0 3636 2 1 1 2 0 8 0 amappl5 112 1188 0 1176 1 0 1 1 0 8 0 amappl4 104 2555 0 2520 2 0 2 2 0 8 0 amappl3 96 58412 0 58332 3 0 3 3 0 8 0 amappl2 88 13708 0 13637 5 2 3 4 0 8 0 amappl1 80 64020 0 63523 23 9 14 22 0 8 1 amappl 88 96426 0 96224 6 0 6 6 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 481 0 44 8 0 8 8 0 8 0 uaddrrnd 24 12380 0 12315 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 12380 0 12315 1 0 1 1 0 8 0 vmmpekpl 168 89263 0 89186 4 0 4 4 0 8 0 vmmpepl 168 805158 0 803257 142 34 108 114 0 357 13 vmsppl 344 12380 0 12315 7 0 7 7 0 8 0 rwobjpl 24 186672 0 173594 80 0 80 80 0 8 0 pdppl 4096 24767 0 24668 998 898 100 114 0 8 1 pdppl: pool(0xffffffff82dc3c48:pdppl): free list modified: page 0xfffffd8078ba7000; item ordinal 0; addr 0xfffffd8078ba7000 (p 0xfffffd806d3a6000); offset 0x0=0x51c7f00e9b87d938 pvpl 32 4316181 0 4303066 567 378 189 392 0 265 46 pmappl 216 12380 0 12315 4 0 4 4 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 2766 0 2369 14 1 13 14 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8285a9f0) at panic+0x165 sys/kern/subr_prf.c:198 pool_do_get(ffffffff82dc3c48,1,ffff80002a69580c) at pool_do_get+0x434 pool_get(ffffffff82dc3c48,1) at pool_get+0xba sys/kern/subr_pool.c:582 pmap_create() at pmap_create+0x139 sys/arch/amd64/amd64/pmap.c:1369 uvmspace_fork(ffff8000ffff94f8) at uvmspace_fork+0x64 uvmspace_init sys/uvm/uvm_map.c:3302 [inline] uvmspace_fork(ffff8000ffff94f8) at uvmspace_fork+0x64 uvmspace_alloc sys/uvm/uvm_map.c:3280 [inline] uvmspace_fork(ffff8000ffff94f8) at uvmspace_fork+0x64 sys/uvm/uvm_map.c:3852 process_new(ffff80002a6b3740,ffff8000ffff94f8,1) at process_new+0x3dc sys/kern/kern_fork.c:278 fork1(ffff80002a6779c0,1,ffffffff81efb410,0,ffff80002a695a90,0) at fork1+0x2ef sys/kern/kern_fork.c:399 syscall(ffff80002a695b40) at syscall+0x72a sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x76ca68444840, count: -10 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8285a9f0) at panic+0x165 sys/kern/subr_prf.c:198 pool_do_get(ffffffff82dc3c48,1,ffff80002a69580c) at pool_do_get+0x434 pool_get(ffffffff82dc3c48,1) at pool_get+0xba sys/kern/subr_pool.c:582 pmap_create() at pmap_create+0x139 sys/arch/amd64/amd64/pmap.c:1369 uvmspace_fork(ffff8000ffff94f8) at uvmspace_fork+0x64 uvmspace_init sys/uvm/uvm_map.c:3302 [inline] uvmspace_fork(ffff8000ffff94f8) at uvmspace_fork+0x64 uvmspace_alloc sys/uvm/uvm_map.c:3280 [inline] uvmspace_fork(ffff8000ffff94f8) at uvmspace_fork+0x64 sys/uvm/uvm_map.c:3852 process_new(ffff80002a6b3740,ffff8000ffff94f8,1) at process_new+0x3dc sys/kern/kern_fork.c:278 fork1(ffff80002a6779c0,1,ffffffff81efb410,0,ffff80002a695a90,0) at fork1+0x2ef sys/kern/kern_fork.c:399 syscall(ffff80002a695b40) at syscall+0x72a sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x76ca68444840, count: -10