panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd806d131800+16 0x0!=0x6c2aef85e920c75
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
* 47280 2680 0 0 0x4000000 0 syz-executor.0
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff8240ef1a) at panic+0x164 sys/kern/subr_prf.c:218
pool_cache_get(ffffffff82933910) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1781 [inline]
pool_cache_get(ffffffff82933910) at pool_cache_get+0x323 sys/kern/subr_pool.c:1884
pool_get(ffffffff82933910,2) at pool_get+0x91 sys/kern/subr_pool.c:572
m_gethdr(2,2) at m_gethdr+0x4c sys/kern/uipc_mbuf.c:283
ip_fragment(fffffd80690d7600,ffff80000017c2a8,5b4) at ip_fragment+0x13a sys/netinet/ip_output.c:680
ip_output(fffffd80690d7600,0,fffffd806f664198,0,0,fffffd806f664128) at ip_output+0xfd7 sys/netinet/ip_output.c:499
udp_output(fffffd806f664128,fffffd80690d7600,0,0) at udp_output+0x5af sys/netinet/udp_usrreq.c:1017
sosend(fffffd8068421b28,0,ffff800023f9ae90,0,0,0) at sosend+0x671 sys/kern/uipc_socket.c:555
sendit(ffff800020e40c88,6,ffff800023f9af70,0,ffff800023f9b050) at sendit+0x52b sys/kern/uipc_syscalls.c:657
sys_sendto(ffff800020e40c88,ffff800023f9b008,ffff800023f9b050) at sys_sendto+0x80 sys/kern/uipc_syscalls.c:522
syscall(ffff800023f9b0d0) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800023f9b0d0) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xb64f362eca0, count: 2
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd806d131800+16 0x0!=0x6c2aef85e920c75 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff8240ef1a) at panic+0x164 sys/kern/subr_prf.c:218 pool_cache_get(ffffffff82933910) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1781 [inline] pool_cache_get(ffffffff82933910) at pool_cache_get+0x323 sys/kern/subr_pool.c:1884 pool_get(ffffffff82933910,2) at pool_get+0x91 sys/kern/subr_pool.c:572 m_gethdr(2,2) at m_gethdr+0x4c sys/kern/uipc_mbuf.c:283 ip_fragment(fffffd80690d7600,ffff80000017c2a8,5b4) at ip_fragment+0x13a sys/netinet/ip_output.c:680 ip_output(fffffd80690d7600,0,fffffd806f664198,0,0,fffffd806f664128) at ip_output+0xfd7 sys/netinet/ip_output.c:499 udp_output(fffffd806f664128,fffffd80690d7600,0,0) at udp_output+0x5af sys/netinet/udp_usrreq.c:1017 sosend(fffffd8068421b28,0,ffff800023f9ae90,0,0,0) at sosend+0x671 sys/kern/uipc_socket.c:555 sendit(ffff800020e40c88,6,ffff800023f9af70,0,ffff800023f9b050) at sendit+0x52b sys/kern/uipc_syscalls.c:657 sys_sendto(ffff800020e40c88,ffff800023f9b008,ffff800023f9b050) at sys_sendto+0x80 sys/kern/uipc_syscalls.c:522 syscall(ffff800023f9b0d0) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff800023f9b0d0) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xb64f362eca0, count: -13 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff800023f9a900 rbx 0xffff800023f9a9b0 rdx 0x8b rcx 0x2 rax 0x1 r8 0xffff800023f9a8c0 r9 0xffffffff8108ddff kprintf+0x16f r10 0x1 r11 0x5f40179fe2ff9383 r12 0x3000000008 r13 0xffff800023f9a910 r14 0x100 r15 0x1 rip 0xffffffff822b91e8 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff800023f9a8f0 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor.0) pid=47280 stat=onproc flags process=0 
proc=4000000 pri=32, usrpri=86, nice=20 forw=0xffffffffffffffff, list=0xffff800020e41b58,0xffffffff828cde18 process=0xffff800023f823f0 user=0xffff800023f96000, vmspace=0xfffffd807effe8a0 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 2680 452029 46041 0 2 0 syz-executor.0 * 2680 47280 46041 0 7 0x4000000 syz-executor.0 74236 55903 0 0 3 0x14280 nfsidl nfsio 96989 134372 0 0 3 0x14280 nfsidl nfsio 100 216970 0 0 3 0x14280 nfsidl nfsio 91336 287460 0 0 3 0x14280 nfsidl nfsio 4484 264148 0 0 3 0x14280 nfsidl nfsio 28066 500869 0 0 3 0x14280 nfsidl nfsio 96193 369714 0 0 3 0x14280 nfsidl nfsio 80900 185868 0 0 3 0x14280 nfsidl nfsio 4547 191128 0 0 3 0x14280 nfsidl nfsio 95477 267817 0 0 3 0x14280 nfsidl nfsio 2521 23648 0 0 3 0x14280 nfsidl nfsio 89740 110540 0 0 3 0x14280 nfsidl nfsio 53967 479515 0 0 3 0x14280 nfsidl nfsio 25090 228838 0 0 3 0x14280 nfsidl nfsio 62598 53391 0 0 3 0x14280 nfsidl nfsio 73197 319866 0 0 3 0x14280 nfsidl nfsio 49318 412 0 0 3 0x14280 nfsidl nfsio 98083 437080 0 0 3 0x14280 nfsidl nfsio 98431 357907 0 0 3 0x14280 nfsidl nfsio 3584 28603 0 0 3 0x14280 nfsidl nfsio 47400 394401 1 0 3 0x100083 ttyin getty 46041 24429 85207 0 3 0x82 nanosleep syz-executor.0 3403 78175 85207 0 3 0x82 piperd syz-executor.1 85443 52881 0 0 3 0x14200 bored sosplice 85207 163555 45591 0 3 0x82 thrsleep syz-fuzzer 85207 36215 45591 0 3 0x4000082 nanosleep syz-fuzzer 85207 271174 45591 0 3 0x4000082 thrsleep syz-fuzzer 85207 165864 45591 0 3 0x4000082 thrsleep syz-fuzzer 85207 435266 45591 0 3 0x4000082 thrsleep syz-fuzzer 85207 489885 45591 0 3 0x4000082 thrsleep syz-fuzzer 85207 256364 45591 0 2 0x4000002 syz-fuzzer 85207 412465 45591 0 3 0x4000082 kqread syz-fuzzer 45591 146714 94473 0 3 0x10008a pause ksh 94473 206682 71217 0 3 0x92 select sshd 71217 28774 1 0 3 0x80 select sshd 26747 483783 95198 74 3 0x100092 bpf pflogd 95198 13053 1 0 3 0x80 netio pflogd 85313 440244 54511 73 3 0x100090 kqread syslogd 
54511 515686 1 0 3 0x100082 netio syslogd 60670 499137 1 77 3 0x100090 poll dhclient 76871 207279 1 0 3 0x80 poll dhclient 369 482521 0 0 3 0x14200 bored smr 85561 492850 0 0 2 0x14200 zerothread 19455 409038 0 0 3 0x14200 aiodoned aiodoned 69813 91915 0 0 3 0x14200 syncer update 84021 469317 0 0 3 0x14200 cleaner cleaner 73800 229343 0 0 3 0x14200 reaper reaper 39917 482545 0 0 3 0x14200 pgdaemon pagedaemon 59561 219862 0 0 3 0x14200 bored crynlk 23532 452397 0 0 3 0x14200 bored crypto 961 13032 0 0 3 0x40014200 acpi0 acpi0 95772 275736 0 0 7 0x40014200 idle1 72792 392950 0 0 3 0x14200 bored softnet 77919 372923 0 0 3 0x14200 bored systqmp 19919 89416 0 0 3 0x14200 bored systq 5233 453997 0 0 3 0x40014200 bored softclock 42851 352419 0 0 3 0x40014200 idle0 1 462152 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 2680 (syz-executor.0) thread 0xffff800020e40c88 (47280) ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 9554 6452K 7029K 78643K 12496 0 pcb 13 8K 8K 78643K 385 0 rtable 131 10K 11K 78643K 701 0 ifaddr 119 22K 23K 78643K 224 0 sysctl 2 0K 0K 78643K 2 0 counters 43 33K 34K 78643K 67 0 ioctlops 0 0K 4K 78643K 1645 0 iov 0 0K 16K 78643K 100 0 mount 1 1K 1K 78643K 1 0 vnodes 1222 77K 77K 78643K 1876 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 5K 78643K 20 0 VM map 2 1K 1K 78643K 2 0 sem 12 0K 1K 78643K 229 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1824 197K 290K 78643K 13058 0 file desc 5 13K 25K 78643K 1588 0 sigio 1 0K 0K 78643K 22 0 proc 62 63K 95K 78643K 698 0 subproc 32 2K 2K 78643K 102 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 423 0 in_multi 77 4K 4K 78643K 202 0 ether_multi 1 0K 0K 78643K 14 0 mrt 0 0K 0K 78643K 6 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 55 254K 254K 78643K 55 0 exec 0 0K 1K 78643K 356 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 
78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 188 52K 53K 78643K 5613 0 UVM aobj 43 2K 3K 78643K 52 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 122 0 NDP 17 0K 0K 78643K 48 0 temp 163 3897K 3961K 78643K 29079 0 kqueue 3 4K 12K 78643K 46 0 SYN cache 2 16K 16K 78643K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 24 0 14 1 0 1 1 0 8 0 plcache 128 20 0 0 1 0 1 1 0 8 0 rtpcb 88 55 0 53 1 0 1 1 0 8 0 rtentry 112 151 0 110 2 0 2 2 0 8 0 unpcb 120 2737 0 2690 2 0 2 2 0 8 0 syncache 272 9 0 9 3 3 0 1 0 8 0 tcpqe 32 194 0 194 2 2 0 1 0 8 0 tcpcb 592 939 0 932 13 11 2 3 0 8 1 ipq 40 6 0 6 1 1 0 1 0 8 0 ipqe 40 12 0 12 1 1 0 1 0 8 0 inpcb 296 2396 0 2388 13 12 1 2 0 8 0 rttmr 72 4 0 4 3 3 0 1 0 8 0 nd6 48 28 0 23 1 0 1 1 0 8 0 pkpcb 40 49 0 49 7 7 0 1 0 8 0 pfstscr 40 6 0 6 2 2 0 1 0 8 0 pffrag 232 33 0 33 7 7 0 1 0 482 0 pffrnode 88 33 0 33 7 7 0 1 0 8 0 pffrent 40 1319 0 1319 7 7 0 1 0 8 0 pfosfp 40 846 0 423 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfrktable 1344 35 0 20 5 3 2 2 0 8 0 pftag 88 1 0 1 1 1 0 1 0 8 0 pfstitem 24 37 0 35 1 0 1 1 0 8 0 pfstkey 112 43 0 41 1 0 1 1 0 8 0 pfstate 328 39 0 37 2 1 1 2 0 8 0 pfsrctr 152 180 0 180 2 1 1 1 0 8 1 pfrule 1360 44 0 25 3 1 2 2 0 8 0 art_heap8 4096 2 0 0 2 0 2 2 0 8 0 art_heap4 256 645 0 441 18 5 13 14 0 8 0 art_table 32 647 0 441 2 0 2 2 0 8 0 art_node 16 141 0 107 1 0 1 1 0 8 0 sysvmsgpl 40 34 0 18 1 0 1 1 0 8 0 semupl 112 5 0 5 2 2 0 1 0 8 0 semapl 112 218 0 208 1 0 1 1 0 8 0 shmpl 112 49 0 9 3 1 2 2 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 3483 0 2080 88 0 88 88 0 8 0 ffsino 272 3483 0 2080 94 0 94 94 0 8 0 nchpl 144 5909 0 4314 60 0 60 60 0 8 0 uvmvnodes 72 4048 0 0 74 0 74 74 0 8 0 vnodes 208 4048 0 0 214 0 214 214 0 8 0 namei 1024 15788 0 15788 4 3 1 1 0 8 1 percpumem 16 44 0 12 1 0 1 1 0 8 0 vcpupl 1984 2 0 0 1 0 1 1 0 8 0 vmpool 560 4 0 2 2 1 1 1 0 8 0 pfiaddrpl 120 22 0 4 1 0 1 1 0 8 0 
scsiplug 72 1 0 1 1 1 0 1 0 8 0 scxspl 200 17759 0 17759 13 12 1 7 0 8 1 plimitpl 152 73 0 65 1 0 1 1 0 8 0 sigapl 424 1813 0 1761 6 0 6 6 0 8 0 futexpl 56 24565 0 24565 4 3 1 1 0 8 1 knotepl 112 158 0 138 1 0 1 1 0 8 0 kqueuepl 152 155 0 152 1 0 1 1 0 8 0 pipepl 304 795 0 784 3 1 2 2 0 8 0 fdescpl 496 1777 0 1761 6 3 3 3 0 8 0 filepl 152 12134 0 12028 5 0 5 5 0 8 0 lockfpl 104 278 0 277 1 0 1 1 0 8 0 lockfspl 48 89 0 88 1 0 1 1 0 8 0 sessionpl 120 23 0 12 1 0 1 1 0 8 0 pgrppl 48 35 0 24 1 0 1 1 0 8 0 ucredpl 96 592 0 583 1 0 1 1 0 8 0 zombiepl 144 1761 0 1761 3 2 1 1 0 8 1 processpl 1008 1813 0 1761 7 0 7 7 0 8 0 procpl 632 4572 0 4512 7 1 6 6 0 8 0 srpgc 72 4 0 4 2 2 0 1 0 8 0 sosppl 144 12 0 12 5 5 0 1 0 8 0 sockpl 400 5238 0 5181 17 10 7 7 0 8 1 mcl64k 65536 8 0 0 1 0 1 1 0 8 0 mcl16k 16384 1 0 0 1 0 1 1 0 8 0 mcl12k 12288 13 0 0 2 0 2 2 0 8 0 mcl9k 9216 7 0 0 1 0 1 1 0 8 0 mcl8k 8192 7 0 0 1 0 1 1 0 8 0 mcl4k 4096 13 0 0 2 0 2 2 0 8 0 mcl2k2 2112 3 0 0 1 0 1 1 0 8 0 mcl2k 2048 203 0 0 24 1 23 24 0 8 0 mtagpl 96 76 0 0 2 0 2 2 0 8 0 mbufpl 256 556 0 0 22 0 22 22 0 8 0 bufpl 280 5992 0 131 419 0 419 419 0 8 0 anonpl 16 194605 0 175529 123 40 83 87 0 124 6 amapchunkpl 152 10166 0 9869 35 20 15 25 0 158 1 amappl16 192 7251 0 6347 96 50 46 55 0 8 0 amappl15 184 70 0 69 2 1 1 1 0 8 0 amappl14 176 863 0 857 1 0 1 1 0 8 0 amappl13 168 626 0 622 1 0 1 1 0 8 0 amappl12 160 591 0 587 1 0 1 1 0 8 0 amappl11 152 374 0 359 1 0 1 1 0 8 0 amappl10 144 85 0 80 1 0 1 1 0 8 0 amappl9 136 373 0 370 1 0 1 1 0 8 0 amappl8 128 486 0 417 3 0 3 3 0 8 0 amappl7 120 209 0 196 1 0 1 1 0 8 0 amappl6 112 341 0 331 1 0 1 1 0 8 0 amappl5 104 890 0 872 1 0 1 1 0 8 0 amappl4 96 1322 0 1296 1 0 1 1 0 8 0 amappl3 88 1372 0 1363 1 0 1 1 0 8 0 amappl2 80 13105 0 13035 2 0 2 2 0 8 0 amappl1 72 59557 0 59115 23 13 10 18 0 8 0 amappl 80 4896 0 4814 2 0 2 2 0 84 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 
0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 64 51 0 9 1 0 1 1 0 8 0 uaddrrnd 24 1781 0 1763 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 1781 0 1763 1 0 1 1 0 8 0 vmmpekpl 168 17599 0 17560 2 0 2 2 0 8 0 vmmpepl 168 233595 0 231445 219 123 96 127 0 357 1 vmsppl 368 1780 0 1763 2 0 2 2 0 8 0 pdppl 4096 3569 0 3528 11 5 6 6 0 8 0 pvpl 32 570350 0 547973 290 91 199 204 0 265 18 pmappl 232 1780 0 1763 4 2 2 2 0 8 1 extentpl 40 53 0 36 1 0 1 1 0 8 0 phpool 112 298 0 30 8 0 8 8 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff8240ef1a) at panic+0x164 sys/kern/subr_prf.c:218 pool_cache_get(ffffffff82933910) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1781 [inline] pool_cache_get(ffffffff82933910) at pool_cache_get+0x323 sys/kern/subr_pool.c:1884 pool_get(ffffffff82933910,2) at pool_get+0x91 sys/kern/subr_pool.c:572 m_gethdr(2,2) at m_gethdr+0x4c sys/kern/uipc_mbuf.c:283 ip_fragment(fffffd80690d7600,ffff80000017c2a8,5b4) at ip_fragment+0x13a sys/netinet/ip_output.c:680 ip_output(fffffd80690d7600,0,fffffd806f664198,0,0,fffffd806f664128) at ip_output+0xfd7 sys/netinet/ip_output.c:499 udp_output(fffffd806f664128,fffffd80690d7600,0,0) at udp_output+0x5af sys/netinet/udp_usrreq.c:1017 sosend(fffffd8068421b28,0,ffff800023f9ae90,0,0,0) at sosend+0x671 sys/kern/uipc_socket.c:555 sendit(ffff800020e40c88,6,ffff800023f9af70,0,ffff800023f9b050) at sendit+0x52b sys/kern/uipc_syscalls.c:657 sys_sendto(ffff800020e40c88,ffff800023f9b008,ffff800023f9b050) at sys_sendto+0x80 sys/kern/uipc_syscalls.c:522 syscall(ffff800023f9b0d0) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff800023f9b0d0) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xb64f362eca0, count: -13 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp x86_ipi_db(ffff800020d70ff0) at 
x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:352 x86_ipi_handler() at x86_ipi_handler+0xc6 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 acpicpu_idle() at acpicpu_idle+0x331 sys/dev/acpi/acpicpu.c:1187 sched_idle(ffff800020d70ff0) at sched_idle+0x3f7 sys/kern/kern_sched.c:178 end trace frame: 0x0, count: 10 ddb{1}> trace x86_ipi_db(ffff800020d70ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:352 x86_ipi_handler() at x86_ipi_handler+0xc6 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 acpicpu_idle() at acpicpu_idle+0x331 sys/dev/acpi/acpicpu.c:1187 sched_idle(ffff800020d70ff0) at sched_idle+0x3f7 sys/kern/kern_sched.c:178 end trace frame: 0x0, count: -5