panic: pool_do_get: anonpl free list modified: page 0xfffffd803ebc6000; item addr 0xfffffd803ebc6000; offset 0x0=0x0 != 0x3f0ab0a329c1bbcc
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*490797 38222 0 0 0 0 syz-executor.0
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
pool_do_get(ffffffff8257aac8,2,ffff80001592e828) at pool_do_get+0x42a sys/kern/subr_pool.c:746
pool_get(ffffffff8257aac8,2) at pool_get+0xb5 sys/kern/subr_pool.c:581
uvm_analloc() at uvm_analloc+0x29 sys/uvm/uvm_anon.c:64
uvm_fault(fffffd803f013dd0,e601fe2d000,0,2) at uvm_fault+0xfa9 sys/uvm/uvm_fault.c:1114
pageflttrap() at pageflttrap+0x239 sys/arch/amd64/amd64/trap.c:199
usertrap(ffff80001592ebc0) at usertrap+0x1fb sys/arch/amd64/amd64/trap.c:369
recall_trap() at recall_trap+0x8
end of kernel
end trace frame: 0x7f7ffffeb690, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
pool_do_get: anonpl free list modified: page 0xfffffd803ebc6000; item addr 0xfffffd803ebc6000; offset 0x0=0x0 != 0x3f0ab0a329c1bbcc
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
pool_do_get(ffffffff8257aac8,2,ffff80001592e828) at pool_do_get+0x42a sys/kern/subr_pool.c:746
pool_get(ffffffff8257aac8,2) at pool_get+0xb5 sys/kern/subr_pool.c:581
uvm_analloc() at uvm_analloc+0x29 sys/uvm/uvm_anon.c:64
uvm_fault(fffffd803f013dd0,e601fe2d000,0,2) at uvm_fault+0xfa9 sys/uvm/uvm_fault.c:1114
pageflttrap() at pageflttrap+0x239 sys/arch/amd64/amd64/trap.c:199
usertrap(ffff80001592ebc0) at usertrap+0x1fb sys/arch/amd64/amd64/trap.c:369
recall_trap() at recall_trap+0x8
end of kernel
end trace frame: 0x7f7ffffeb690, count: -9
ddb> show registers
rdi 0
rsi 0x1
rbp 0xffff80001592e690
rbx 0xffff80001592e740
rdx 0x2
rcx 0
rax 0
r8 0xffff80001592e650
r9 0x1
r10 0
r11 0x2e2b86e51580836c
r12 0x3000000008
r13 0xffff80001592e6a0
r14 0x100
r15 0x1
rip 0xffffffff81210978 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff80001592e680
ss 0
db_enter+0x18: addq $0x8,%rsp
ddb> show proc
PROC (syz-executor.0) pid=490797 stat=onproc
flags process=0 proc=0
pri=82, usrpri=82, nice=20
forw=0xffffffffffffffff, list=0xffff8000ffff3650,0xffffffff8257d7e0
process=0xffff8000148a2d98 user=0xffff800015929000, vmspace=0xfffffd803f013dd0
estcpu=36, cpticks=2, pctcpu=0.0
user=0, sys=2, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
*38222 490797 49313 0 7 0 syz-executor.0
10072 488237 4786 0 2 0 syz-executor.1
10072 435630 4786 0 3 0x4000080 fsleep syz-executor.1
4786 348753 49324 0 2 0x482 syz-executor.1
49313 505303 49324 0 2 0x482 syz-executor.0
91654 340610 0 0 3 0x14200 acct acct
62066 483678 1 0 3 0x100083 ttyin getty
38098 8169 0 0 3 0x14200 bored sosplice
49324 331471 22095 0 3 0x82 thrsleep syz-fuzzer
49324 55933 22095 0 2 0x4000482 syz-fuzzer
49324 38420 
22095 0 3 0x4000082 thrsleep syz-fuzzer 49324 196621 22095 0 3 0x4000082 thrsleep syz-fuzzer 49324 287320 22095 0 3 0x4000082 thrsleep syz-fuzzer 49324 12216 22095 0 3 0x4000082 thrsleep syz-fuzzer 49324 452833 22095 0 3 0x4000082 thrsleep syz-fuzzer 49324 367432 22095 0 3 0x4000082 kqread syz-fuzzer 22095 497930 14503 0 3 0x10008a pause ksh 14503 81258 74786 0 3 0x92 select sshd 74786 268309 1 0 3 0x80 select sshd 52936 351813 79795 73 3 0x100090 kqread syslogd 79795 105185 1 0 3 0x100082 netio syslogd 71275 74846 0 0 2 0x14200 zerothread 41871 435974 0 0 3 0x14200 aiodoned aiodoned 30032 494360 0 0 3 0x14200 syncer update 44592 406853 0 0 3 0x14200 cleaner cleaner 83570 332530 0 0 3 0x14200 reaper reaper 42115 328920 0 0 3 0x14200 pgdaemon pagedaemon 45686 387561 0 0 3 0x14200 bored crynlk 73947 161764 0 0 3 0x14200 bored crypto 64509 115324 0 0 3 0x40014200 acpi0 acpi0 36968 428148 0 0 3 0x14200 bored softnet 48845 436123 0 0 3 0x14200 bored systqmp 56583 360688 0 0 3 0x14200 bored systq 80434 148007 0 0 3 0x40014200 bored softclock 42962 262167 0 0 3 0x40014200 idle0 68425 505594 0 0 3 0x14200 bored smr 1 489856 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim devbuf 9527 6945K 8567K 78643K 19234 0 0 pcb 13 10K 12K 78643K 516 0 0 rtable 122 12K 13K 78643K 1055 0 0 ifaddr 159 21K 22K 78643K 709 0 0 counters 19 16K 16K 78643K 19 0 0 ioctlops 0 0K 2K 78643K 162 0 0 iov 0 0K 24K 78643K 886 0 0 mount 1 1K 1K 78643K 1 0 0 vnodes 1231 77K 78K 78643K 4126 0 0 UFS quota 1 32K 32K 78643K 1 0 0 UFS mount 5 36K 36K 78643K 5 0 0 shm 2 1K 5K 78643K 26 0 0 VM map 30 7K 7K 78643K 36 0 0 sem 12 1K 1K 78643K 586 0 0 dirhash 12 2K 2K 78643K 12 0 0 ACPI 1793 195K 288K 78643K 12645 0 0 file desc 6 17K 25K 78643K 2506 0 0 sigio 0 0K 0K 78643K 48 0 0 proc 43 30K 63K 78643K 1145 0 0 subproc 32 2K 2K 78643K 272 0 0 NFS srvsock 1 0K 0K 78643K 1 0 0 NFS daemon 1 16K 
16K 78643K 1 0 0 ip_moptions 0 0K 0K 78643K 310 0 0 in_multi 33 2K 2K 78643K 338 0 0 ether_multi 1 0K 0K 78643K 23 0 0 mrt 0 0K 0K 78643K 5 0 0 ISOFS mount 1 32K 32K 78643K 1 0 0 MSDOSFS mount 1 16K 16K 78643K 1 0 0 ttys 72 318K 318K 78643K 72 0 0 exec 0 0K 1K 78643K 596 0 0 pfkey data 0 0K 4K 78643K 5 0 0 pagedep 1 8K 8K 78643K 1 0 0 inodedep 1 32K 32K 78643K 1 0 0 newblk 1 0K 0K 78643K 1 0 0 VM swap 7 26K 26K 78643K 7 0 0 UVM amap 155 218K 218K 78643K 7226 0 0 UVM aobj 130 6K 6K 78643K 140 0 0 memdesc 1 4K 4K 78643K 1 0 0 crypto data 1 1K 1K 78643K 1 0 0 ip6_options 0 0K 0K 78643K 727 0 0 NDP 18 0K 0K 78643K 123 0 0 temp 159 3535K 4175K 78643K 93201 0 0 kqueue 0 0K 0K 78643K 32 0 0 SYN cache 2 16K 16K 78643K 2 0 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 72 0 66 1 0 1 1 0 8 0 rtpcb 80 306 0 306 6 5 1 1 0 8 1 rtentry 112 314 0 269 2 0 2 2 0 8 0 unpcb 120 2104 0 2095 1 0 1 1 0 8 0 syncache 264 15 0 15 7 7 0 1 0 8 0 tcpqe 32 110 0 110 4 4 0 1 0 8 0 tcpcb 544 2330 0 2326 19 17 2 15 0 8 1 ipq 40 41 0 41 12 11 1 1 0 8 1 ipqe 40 1382 0 1382 12 11 1 1 0 8 1 inpcb 280 5934 0 5930 20 18 2 9 0 8 1 rttmr 72 1 0 0 1 0 1 1 0 8 0 ip6q 72 4 0 4 2 2 0 1 0 8 0 ip6af 40 12 0 12 2 2 0 1 0 8 0 nd6 48 42 0 38 1 0 1 1 0 8 0 pkpcb 40 16 0 16 8 8 0 1 0 8 0 ppxss 1128 29 0 29 8 7 1 1 0 8 1 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 1277 0 1037 27 12 15 16 0 8 0 art_table 32 1278 0 1037 3 0 3 3 0 8 1 art_node 16 313 0 272 1 0 1 1 0 8 0 sysvmsgpl 40 52 0 12 1 0 1 1 0 8 0 semupl 112 2 0 2 1 1 0 1 0 8 0 semapl 112 582 0 572 1 0 1 1 0 8 0 shmpl 112 138 0 10 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino1pl 128 5057 0 3655 46 0 46 46 0 8 0 ffsino 240 5057 0 3655 83 0 83 83 0 8 0 nchpl 144 8875 0 8423 60 39 21 60 0 8 0 uvmvnodes 72 6495 0 0 119 0 119 119 0 8 0 vnodes 208 6495 0 0 342 0 342 342 0 8 0 namei 1024 31295 0 31295 4 3 1 1 0 8 1 vcpupl 1984 28 0 0 4 0 4 4 0 8 0 vmpool 520 34 0 6 2 0 2 2 0 8 0 scsiplug 64 2 0 2 2 2 0 
1 0 8 0 scxspl 192 30127 0 30127 17 15 2 7 0 8 2 plimitpl 152 205 0 199 1 0 1 1 0 8 0 sigapl 432 2635 0 2623 2 0 2 2 0 8 0 futexpl 56 80039 0 80038 4 3 1 1 0 8 0 knotepl 112 591 0 572 2 1 1 2 0 8 0 kqueuepl 104 952 0 950 4 3 1 4 0 8 0 pipepl 128 1552 0 1533 10 9 1 2 0 8 0 fdescpl 424 2636 0 2623 2 0 2 2 0 8 0 filepl 120 25108 0 25024 21 17 4 10 0 8 1 lockfpl 104 1214 0 1214 4 3 1 1 0 8 1 lockfspl 48 417 0 417 4 3 1 1 0 8 1 sessionpl 112 32 0 24 1 0 1 1 0 8 0 pgrppl 48 88 0 80 1 0 1 1 0 8 0 ucredpl 96 3582 0 3576 1 0 1 1 0 8 0 zombiepl 144 2625 0 2625 1 0 1 1 0 8 1 processpl 864 2654 0 2625 4 0 4 4 0 8 0 procpl 632 5748 0 5711 6 2 4 5 0 8 0 sosppl 128 41 0 41 11 10 1 1 0 8 1 sockpl 384 8408 0 8395 36 32 4 13 0 8 2 mcl64k 65536 519 0 519 39 38 1 33 0 8 1 mcl16k 16384 48 0 48 10 9 1 1 0 8 1 mcl12k 12288 100 0 100 9 8 1 1 0 8 1 mcl9k 9216 40 0 40 10 9 1 1 0 8 1 mcl8k 8192 149 0 149 8 7 1 1 0 8 1 mcl4k 4096 250 0 250 6 5 1 1 0 8 1 mcl2k2 2112 27 0 27 11 11 0 1 0 8 0 mcl2k 2048 75465 0 75417 20 13 7 15 0 8 0 mtagpl 80 317 0 317 5 3 2 2 0 8 2 mbufpl 256 143110 0 143001 99 82 17 32 0 8 1 bufpl 256 16451 0 9955 407 0 407 407 0 8 0 anonpl 16 343102 0 324529 178 90 88 111 0 62 0 anonpl: pool(0xffffffff8257aac8:anonpl): free list modified: page 0xfffffd803ebc6000; item ordinal 0; addr 0xfffffd803ebc6000 (p 0xfffffd803ebc6000); offset 0x0=0x0 anonpl: pool(0xffffffff8257aac8:anonpl): page inconsistency: page 0xfffffd803ebc6000; item ordinal 1; addr 0xc5e83528246c8415 amapchunkpl 152 13984 0 13840 42 34 8 31 0 158 0 amappl16 192 16049 0 14885 189 129 60 80 0 8 1 amappl15 184 286 0 286 3 3 0 1 0 8 0 amappl14 176 157 0 149 1 0 1 1 0 8 0 amappl13 168 569 0 568 2 1 1 1 0 8 0 amappl12 160 669 0 664 1 0 1 1 0 8 0 amappl11 152 317 0 313 1 0 1 1 0 8 0 amappl10 144 404 0 402 1 0 1 1 0 8 0 amappl9 136 1049 0 1046 1 0 1 1 0 8 0 amappl8 128 632 0 585 2 0 2 2 0 8 0 amappl7 120 471 0 466 1 0 1 1 0 8 0 amappl6 112 283 0 270 1 0 1 1 0 8 0 amappl5 104 941 0 931 1 0 1 1 0 8 0 amappl4 96 2655 0 
2623 1 0 1 1 0 8 0 amappl3 88 832 0 825 1 0 1 1 0 8 0 amappl2 80 19749 0 19680 3 1 2 3 0 8 0 amappl1 72 57452 0 57057 26 17 9 20 0 8 0 amappl 80 6236 0 6182 2 0 2 2 0 84 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 17 0 17 1 1 0 1 0 8 0 aobjpl 64 139 0 10 3 0 3 3 0 8 0 uaddrrnd 24 2670 0 2623 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 2670 0 2623 1 0 1 1 0 8 0 vmmpekpl 168 20192 0 20161 2 0 2 2 0 8 0 vmmpepl 168 328789 0 326467 329 185 144 173 0 357 40 vmsppl 272 2635 0 2623 2 1 1 2 0 8 0 pdppl 4096 5346 0 5286 11 3 8 8 0 8 0 pvpl 32 893401 0 871668 369 147 222 268 0 265 23 pmappl 200 2669 0 2629 3 0 3 3 0 8 0 extentpl 40 41 0 26 1 0 1 1 0 8 0 phpool 112 741 0 192 17 0 17 17 0 8 0