panic: pool_do_get: pvpl free list modified: page 0xfffffd8053a51000; item addr 0xfffffd8053a51000; offset 0x0=0x0 != 0xd5aa0231b4bd13ef Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *427851 73964 0 0 0 0 syz-executor.0 db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff8246a5db) at panic+0x15c sys/kern/subr_prf.c:207 pool_do_get(ffffffff82853770,2,ffff80001e7c11f8) at pool_do_get+0x42a sys/kern/subr_pool.c:738 pool_get(ffffffff82853770,2) at pool_get+0xb5 sys/kern/subr_pool.c:581 pmap_enter(fffffd805383e0d0,77363ebf000,53f48000,1,21) at pmap_enter+0x160 udv_fault(ffff80001e7c15a0,77363ebf000,ffff80001e7c14a0,1,0,0) at udv_fault+0x18b sys/uvm/uvm_device.c:340 uvm_fault(fffffd806bc09550,77363ebf000,0,1) at uvm_fault+0x81e sys/uvm/uvm_fault.c:718 pageflttrap(ffff80001e7c1730,1) at pageflttrap+0x156 sys/arch/amd64/amd64/trap.c:221 usertrap(ffff80001e7c1730) at usertrap+0x1fb sys/arch/amd64/amd64/trap.c:384 recall_trap() at recall_trap+0x8 end of kernel end trace frame: 0x7f7fffffa610, count: 5 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic pool_do_get: pvpl free list modified: page 0xfffffd8053a51000; item addr 0xfffffd8053a51000; offset 0x0=0x0 != 0xd5aa0231b4bd13ef ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff8246a5db) at panic+0x15c sys/kern/subr_prf.c:207 pool_do_get(ffffffff82853770,2,ffff80001e7c11f8) at pool_do_get+0x42a sys/kern/subr_pool.c:738 pool_get(ffffffff82853770,2) at pool_get+0xb5 sys/kern/subr_pool.c:581 pmap_enter(fffffd805383e0d0,77363ebf000,53f48000,1,21) at pmap_enter+0x160 udv_fault(ffff80001e7c15a0,77363ebf000,ffff80001e7c14a0,1,0,0) at udv_fault+0x18b sys/uvm/uvm_device.c:340 uvm_fault(fffffd806bc09550,77363ebf000,0,1) at uvm_fault+0x81e sys/uvm/uvm_fault.c:718 pageflttrap(ffff80001e7c1730,1) at pageflttrap+0x156 sys/arch/amd64/amd64/trap.c:221 usertrap(ffff80001e7c1730) at usertrap+0x1fb sys/arch/amd64/amd64/trap.c:384 recall_trap() at recall_trap+0x8 end of kernel end trace frame: 0x7f7fffffa610, count: -10 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80001e7c1060 rbx 0xffff80001e7c1110 rdx 0x2 rcx 0 rax 0x1 r8 0xffffffff81664bbf kprintf+0x15f r9 0x1 r10 0x2 r11 0x33f98bdeb6096453 r12 0x3000000008 r13 0xffff80001e7c1070 r14 0x100 r15 0x1 rip 0xffffffff816c65b8 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff80001e7c1050 ss 0 db_enter+0x18: addq $0x8,%rsp ddb> show proc PROC (syz-executor.0) pid=427851 stat=onproc flags process=0 proc=0 pri=86, usrpri=86, nice=20 forw=0xffffffffffffffff, list=0xffff80001d709500,0xffff80001d70a890 process=0xffff80001f03e3c8 user=0xffff80001e7bc000, vmspace=0xfffffd806bc09550 estcpu=36, cpticks=6, pctcpu=0.0 user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND *73964 427851 57598 0 7 0 syz-executor.0 73964 167643 57598 0 3 0x4000080 fsleep syz-executor.0 77319 260579 0 0 3 0x14200 acct acct 57598 263045 49222 0 3 0x82 nanosleep syz-executor.0 63530 128927 0 0 3 0x14280 nfsidl nfsio 27064 466670 0 0 3 0x14280 nfsidl nfsio 7843 88382 0 0 3 0x14280 nfsidl nfsio 85996 168713 0 0 3 0x14280 nfsidl nfsio 8784 188569 0 0 3 0x14280 nfsidl nfsio 51298 307294 0 0 3 0x14280 nfsidl nfsio 44885 139470 0 0 3 0x14280 nfsidl nfsio 52869 472832 0 0 3 0x14280 nfsidl nfsio 41065 100969 0 0 3 0x14280 nfsidl nfsio 36144 180505 0 0 3 0x14280 nfsidl nfsio 70229 83814 0 0 3 0x14280 nfsidl nfsio 4844 492104 0 0 3 0x14280 nfsidl nfsio 27273 3341 0 0 3 0x14280 nfsidl nfsio 23023 63019 0 0 3 0x14280 nfsidl nfsio 65432 255727 0 0 3 0x14280 nfsidl nfsio 94379 272987 0 0 3 0x14280 nfsidl nfsio 12376 208917 0 0 3 0x14280 nfsidl nfsio 81712 63075 0 0 3 0x14280 nfsidl nfsio 23399 198380 0 0 3 0x14280 nfsidl nfsio 87687 63417 0 0 3 0x14280 nfsidl nfsio 9410 454886 0 0 3 0x14200 bored sosplice 49222 102770 47271 0 3 0x82 thrsleep syz-fuzzer 49222 443685 47271 0 3 0x4000082 nanosleep syz-fuzzer 49222 270603 47271 0 3 0x4000002 biowait syz-fuzzer 49222 43238 47271 0 3 0x4000082 thrsleep syz-fuzzer 49222 91164 47271 0 3 0x4000082 thrsleep syz-fuzzer 49222 493154 47271 0 3 0x4000082 thrsleep syz-fuzzer 49222 19659 47271 0 3 0x4000082 thrsleep syz-fuzzer 49222 159168 47271 0 3 0x4000082 kqread syz-fuzzer 47271 455012 93242 0 3 0x10008a pause ksh 93242 216816 81835 0 3 0x92 select sshd 75413 478276 1 0 3 0x100083 ttyopn getty 81835 125626 1 0 3 0x80 select sshd 31238 213865 14129 73 3 0x100090 kqread syslogd 14129 393930 1 0 3 0x100082 netio syslogd 61079 329061 1 77 3 0x100090 poll dhclient 12465 33206 1 0 3 0x80 poll dhclient 42786 69889 0 0 3 0x14200 bored smr 32505 50185 0 0 2 0x14200 zerothread 8121 165110 0 0 3 0x14200 aiodoned aiodoned 79130 121379 0 0 3 0x14200 syncer update 78728 379741 0 0 3 0x14200 cleaner cleaner 54937 93266 0 0 3 0x14200 reaper reaper 88107 263210 0 0 3 0x14200 pgdaemon pagedaemon 72303 260323 0 0 3 0x14200 bored crynlk 14336 316381 0 0 3 0x14200 bored crypto 46271 368086 0 0 3 0x40014200 acpi0 acpi0 58551 474436 0 0 3 0x14200 bored softnet 46547 179900 0 0 3 0x14200 bored systqmp 75286 409364 0 0 3 0x14200 bored systq 97081 382914 0 0 3 0x40014200 bored softclock 53283 104749 0 0 3 0x40014200 idle0 1 107607 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 9541 6371K 6714K 78643K 12027 0 pcb 13 8K 8K 78643K 136 0 rtable 89 7K 11K 78643K 1021 0 ifaddr 98 18K 21K 78643K 368 0 sysctl 2 0K 0K 78643K 2 0 counters 20 16K 16K 78643K 38 0 ioctlops 0 0K 4K 78643K 168 0 iov 0 0K 16K 78643K 143 0 mount 1 1K 1K 78643K 1 0 vnodes 1220 77K 77K 78643K 1822 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 5K 78643K 12 0 VM map 2 0K 0K 78643K 2 0 sem 12 0K 0K 78643K 189 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1809 195K 288K 78643K 12938 0 file desc 4 9K 25K 78643K 972 0 sigio 0 0K 0K 78643K 445 0 proc 51 38K 63K 78643K 577 0 subproc 16 1K 2K 78643K 85 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 313 0 in_multi 65 3K 3K 78643K 290 0 ether_multi 1 0K 0K 78643K 33 0 mrt 0 0K 0K 78643K 9 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 61 281K 281K 78643K 61 0 exec 0 0K 1K 78643K 292 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 147 129K 137K 78643K 3173 0 UVM aobj 36 2K 2K 78643K 42 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 1K 78643K 168 0 NDP 16 0K 0K 78643K 60 0 temp 149 3897K 3963K 78643K 27488 0 kqueue 4 6K 16K 78643K 147 0 SYN cache 2 16K 16K 78643K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 18 0 12 1 0 1 1 0 8 0 rtpcb 80 529 0 527 1 0 1 1 0 8 0 rtentry 112 143 0 120 2 0 2 2 0 8 0 unpcb 120 510 0 500 1 0 1 1 0 8 0 syncache 264 14 0 14 5 5 0 1 0 8 0 tcpqe 32 46 0 46 3 3 0 1 0 8 0 tcpcb 544 844 0 840 2 1 1 2 0 8 0 ipq 40 4 0 4 2 1 1 1 0 8 1 ipqe 40 96 0 96 2 1 1 1 0 8 1 inpcb 296 1745 0 1738 5 3 2 3 0 8 1 rttmr 72 1 0 1 1 1 0 1 0 8 0 nd6 48 37 0 36 1 0 1 1 0 8 0 pkpcb 40 2 0 2 1 1 0 1 0 8 0 swfcl 56 1 0 0 1 0 1 1 0 8 0 ppxss 1128 3 0 3 2 2 0 1 0 8 0 pfstscr 40 1 0 0 1 0 1 1 0 8 0 pfrktable 1344 198 0 188 3 2 1 2 0 8 0 pftag 88 53 0 52 4 3 1 1 0 8 0 pfstitem 24 6 0 0 1 0 1 1 0 8 0 pfstkey 112 6 0 0 1 0 1 1 0 8 0 pfstate 328 3 0 0 1 0 1 1 0 8 0 pfrule 1360 64 0 42 2 0 2 2 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 571 0 467 16 5 11 13 0 8 1 art_table 32 572 0 467 2 0 2 2 0 8 0 art_node 16 140 0 121 1 0 1 1 0 8 0 sysvmsgpl 40 57 0 34 1 0 1 1 0 8 0 semupl 112 2 0 2 1 1 0 1 0 8 0 semapl 112 187 0 177 1 0 1 1 0 8 0 shmpl 112 40 0 6 2 0 2 2 0 8 1 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 2745 0 1350 88 0 88 88 0 8 0 ffsino 240 2745 0 1350 83 0 83 83 0 8 0 nchpl 144 4258 0 2677 60 0 60 60 0 8 0 uvmvnodes 72 3220 0 0 59 0 59 59 0 8 0 vnodes 208 3220 0 0 170 0 170 170 0 8 0 namei 1024 12453 0 12453 2 1 1 1 0 8 1 vcpupl 1984 13 0 0 2 0 2 2 0 8 0 vmpool 528 15 0 2 2 1 1 1 0 8 0 pfiaddrpl 120 58 0 52 1 0 1 1 0 8 0 scxspl 192 12733 0 12732 1 0 1 1 0 8 0 plimitpl 152 80 0 74 1 0 1 1 0 8 0 sigapl 424 1171 0 1122 6 0 6 6 0 8 0 futexpl 56 22376 0 22375 2 1 1 1 0 8 0 knotepl 112 255 0 238 1 0 1 1 0 8 0 kqueuepl 144 279 0 274 1 0 1 1 0 8 0 pipelkpl 16 617 0 608 1 0 1 1 0 8 0 pipepl 120 1234 0 1219 1 0 1 1 0 8 0 fdescpl 432 1135 0 1122 2 0 2 2 0 8 0 filepl 120 8704 0 8625 4 0 4 4 0 8 1 lockfpl 104 203 0 202 1 0 1 1 0 8 0 lockfspl 48 76 0 75 1 0 1 1 0 8 0 sessionpl 112 20 0 11 1 0 1 1 0 8 0 pgrppl 48 26 0 17 1 0 1 1 0 8 0 ucredpl 96 887 0 880 1 0 1 1 0 8 0 zombiepl 144 1122 0 1122 1 0 1 1 0 8 1 processpl 920 1171 0 1122 7 0 7 7 0 8 0 procpl 624 2297 0 2240 5 0 5 5 0 8 0 sosppl 128 19 0 19 5 4 1 1 0 8 1 sockpl 400 2790 0 2771 5 2 3 4 0 8 0 mcl64k 65536 356 0 356 34 33 1 33 0 8 1 mcl16k 16384 4 0 4 4 3 1 1 0 8 1 mcl12k 12288 39 0 39 4 3 1 1 0 8 1 mcl9k 9216 22 0 22 5 4 1 1 0 8 1 mcl8k 8192 45 0 45 6 5 1 1 0 8 1 mcl4k 4096 93 0 93 4 3 1 1 0 8 1 mcl2k2 2112 7 0 7 5 4 1 1 0 8 1 mcl2k 2048 70495 0 70445 19 11 8 15 0 8 1 mtagpl 96 97 0 70 3 1 2 2 0 8 0 mbufpl 256 121701 0 121525 57 26 31 33 0 8 9 bufpl 280 5123 0 128 357 0 357 357 0 8 0 anonpl 16 155506 0 137688 100 28 72 83 0 107 0 amapchunkpl 152 5048 0 4906 17 10 7 11 0 158 0 amappl16 192 7597 0 6625 76 26 50 58 0 8 1 amappl15 184 1 0 0 1 0 1 1 0 8 0 amappl14 176 38 0 34 1 0 1 1 0 8 0 amappl13 168 279 0 277 1 0 1 1 0 8 0 amappl12 160 10 0 7 1 0 1 1 0 8 0 amappl11 152 54 0 45 1 0 1 1 0 8 0 amappl10 144 338 0 332 1 0 1 1 0 8 0 amappl9 136 628 0 626 1 0 1 1 0 8 0 amappl8 128 667 0 614 2 0 2 2 0 8 0 amappl7 120 134 0 120 1 0 1 1 0 8 0 amappl6 112 38 0 27 1 0 1 1 0 8 0 amappl5 104 1074 0 1063 1 0 1 1 0 8 0 amappl4 96 706 0 678 1 0 1 1 0 8 0 amappl3 88 158 0 153 1 0 1 1 0 8 0 amappl2 80 8090 0 8027 2 0 2 2 0 8 0 amappl1 72 30104 0 29693 23 13 10 17 0 8 0 amappl 80 2573 0 2527 2 0 2 2 0 84 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 64 41 0 6 1 0 1 1 0 8 0 uaddrrnd 24 1150 0 1124 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 1150 0 1124 1 0 1 1 0 8 0 vmmpekpl 168 12322 0 12281 2 0 2 2 0 8 0 vmmpepl 168 141729 0 139705 155 58 97 124 0 357 3 vmsppl 272 1149 0 1124 3 1 2 2 0 8 0 pdppl 4096 2306 0 2261 9 2 7 7 0 8 0 pvpl 32 405991 0 384893 219 44 175 196 0 265 4 pvpl: pool(0xffffffff82853770:pvpl): free list modified: page 0xfffffd8053a51000; item ordinal 0; addr 0xfffffd8053a51000 (p 0xfffffd8053a51000); offset 0x0=0x0 pool(pvpl): free list modified: page 0xfffffd8053a51000; item ordinal 0; addr 0xfffffd8053a51000 (p 0xfffffd8053a51000); offset 0x0=0x0 pvpl: pool(0xffffffff82853770:pvpl): page inconsistency: page 0xfffffd8053a51000; item ordinal 1; addr 0x4264d34f812a9c8f pmappl 200 1149 0 1124 2 0 2 2 0 8 0 extentpl 40 53 0 36 1 0 1 1 0 8 0 phpool 112 345 0 95 8 0 8 8 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff8246a5db) at panic+0x15c sys/kern/subr_prf.c:207 pool_do_get(ffffffff82853770,2,ffff80001e7c11f8) at pool_do_get+0x42a sys/kern/subr_pool.c:738 pool_get(ffffffff82853770,2) at pool_get+0xb5 sys/kern/subr_pool.c:581 pmap_enter(fffffd805383e0d0,77363ebf000,53f48000,1,21) at pmap_enter+0x160 udv_fault(ffff80001e7c15a0,77363ebf000,ffff80001e7c14a0,1,0,0) at udv_fault+0x18b sys/uvm/uvm_device.c:340 uvm_fault(fffffd806bc09550,77363ebf000,0,1) at uvm_fault+0x81e sys/uvm/uvm_fault.c:718 pageflttrap(ffff80001e7c1730,1) at pageflttrap+0x156 sys/arch/amd64/amd64/trap.c:221 usertrap(ffff80001e7c1730) at usertrap+0x1fb sys/arch/amd64/amd64/trap.c:384 recall_trap() at recall_trap+0x8 end of kernel end trace frame: 0x7f7fffffa610, count: -10 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff8246a5db) at panic+0x15c sys/kern/subr_prf.c:207 pool_do_get(ffffffff82853770,2,ffff80001e7c11f8) at pool_do_get+0x42a sys/kern/subr_pool.c:738 pool_get(ffffffff82853770,2) at pool_get+0xb5 sys/kern/subr_pool.c:581 pmap_enter(fffffd805383e0d0,77363ebf000,53f48000,1,21) at pmap_enter+0x160 udv_fault(ffff80001e7c15a0,77363ebf000,ffff80001e7c14a0,1,0,0) at udv_fault+0x18b sys/uvm/uvm_device.c:340 uvm_fault(fffffd806bc09550,77363ebf000,0,1) at uvm_fault+0x81e sys/uvm/uvm_fault.c:718 pageflttrap(ffff80001e7c1730,1) at pageflttrap+0x156 sys/arch/amd64/amd64/trap.c:221 usertrap(ffff80001e7c1730) at usertrap+0x1fb sys/arch/amd64/amd64/trap.c:384 recall_trap() at recall_trap+0x8 end of kernel end trace frame: 0x7f7fffffa610, count: -10