panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd8000000000+16 0xf000ff53f000ff53!=0x343f02be1a14fb65 Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND 423045 86728 0 0 0 1 syz-executor.0 *345017 86728 0 0 0x4000000 0 syz-executor.0 db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic() at panic+0x15c sys/kern/subr_prf.c:207 pool_cache_get(ffffffff82636e20) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1789 [inline] pool_cache_get(ffffffff82636e20) at pool_cache_get+0x323 sys/kern/subr_pool.c:1892 pool_get() at pool_get+0x91 sys/kern/subr_pool.c:572 m_copym(fffffd80683ef000,0,3b9aca00,2) at m_copym+0x174 m_get sys/kern/uipc_mbuf.c:250 [inline] m_copym(fffffd80683ef000,0,3b9aca00,2) at m_copym+0x174 sys/kern/uipc_mbuf.c:667 ether_resolve(ffff8000001732a8,fffffd80683ef000,fffffd8074e65080,fffffd806f711000,ffff800022f93158) at ether_resolve+0x49f sys/net/if_ethersubr.c:224 ether_output(ffff8000001732a8,fffffd80683ef000,fffffd8074e65080,fffffd806f711000) at ether_output+0x47 ether_encap sys/net/if_ethersubr.c:307 [inline] ether_output(ffff8000001732a8,fffffd80683ef000,fffffd8074e65080,fffffd806f711000) at ether_output+0x47 sys/net/if_ethersubr.c:336 ip_output(fffffd807bf79100,0,fffffd8074e65070,20,0,fffffd8074e65000) at ip_output+0x125d sys/netinet/ip_output.c:511 rip_output(fffffd8071067900,fffffd80657d6078,ffff800022f93368,ffff80002157a000) at rip_output+0x252 sys/netinet/raw_ip.c:289 rip_usrreq(fffffd80657d6078,9,fffffd8071067900,0,0,ffff800020abf3d8) at rip_usrreq+0x46a sys/netinet/raw_ip.c:538 sosend(fffffd80657d6078,0,ffff800022f93600,0,0,80) at sosend+0x645 sys/kern/uipc_socket.c:524 dofilewritev(ffff800020abf3d8,4,ffff800022f93600,0,ffff800022f936f0) at dofilewritev+0x1b7 sys/kern/sys_generic.c:364 sys_writev(ffff800020abf3d8,ffff800022f936a8,ffff800022f936f0) at sys_writev+0xa7 sys/kern/sys_generic.c:311 syscall(ffff800022f93770) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline] syscall(ffff800022f93770) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555 end trace frame: 0xffff800022f937f0, count: 0 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd8000000000+16 0xf000ff53f000ff53!=0x343f02be1a14fb65 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic() at panic+0x15c sys/kern/subr_prf.c:207 pool_cache_get(ffffffff82636e20) at pool_cache_get+0x323 pool_cache_item_magic_check sys/kern/subr_pool.c:1789 [inline] pool_cache_get(ffffffff82636e20) at pool_cache_get+0x323 sys/kern/subr_pool.c:1892 pool_get() at pool_get+0x91 sys/kern/subr_pool.c:572 m_copym(fffffd80683ef000,0,3b9aca00,2) at m_copym+0x174 m_get sys/kern/uipc_mbuf.c:250 [inline] m_copym(fffffd80683ef000,0,3b9aca00,2) at m_copym+0x174 sys/kern/uipc_mbuf.c:667 ether_resolve(ffff8000001732a8,fffffd80683ef000,fffffd8074e65080,fffffd806f711000,ffff800022f93158) at ether_resolve+0x49f sys/net/if_ethersubr.c:224 ether_output(ffff8000001732a8,fffffd80683ef000,fffffd8074e65080,fffffd806f711000) at ether_output+0x47 ether_encap sys/net/if_ethersubr.c:307 [inline] ether_output(ffff8000001732a8,fffffd80683ef000,fffffd8074e65080,fffffd806f711000) at ether_output+0x47 sys/net/if_ethersubr.c:336 ip_output(fffffd807bf79100,0,fffffd8074e65070,20,0,fffffd8074e65000) at ip_output+0x125d sys/netinet/ip_output.c:511 rip_output(fffffd8071067900,fffffd80657d6078,ffff800022f93368,ffff80002157a000) at rip_output+0x252 sys/netinet/raw_ip.c:289 rip_usrreq(fffffd80657d6078,9,fffffd8071067900,0,0,ffff800020abf3d8) at rip_usrreq+0x46a sys/netinet/raw_ip.c:538 sosend(fffffd80657d6078,0,ffff800022f93600,0,0,80) at sosend+0x645 sys/kern/uipc_socket.c:524 dofilewritev(ffff800020abf3d8,4,ffff800022f93600,0,ffff800022f936f0) at dofilewritev+0x1b7 sys/kern/sys_generic.c:364 sys_writev(ffff800020abf3d8,ffff800022f936a8,ffff800022f936f0) at sys_writev+0xa7 sys/kern/sys_generic.c:311 syscall(ffff800022f93770) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline] syscall(ffff800022f93770) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555 Xsyscall(6,0,d,0,3,3e7da09b0e0) at Xsyscall+0x128 end of kernel end trace frame: 0x3ea26674f70, count: -15 ddb{0}> show registers rdi 0xffffffff8213f9a7 db_enter+0x17 rsi 0x31ef __ALIGN_SIZE+0x21ef rbp 0xffff800022f92e30 rbx 0xffff800022f92ee0 rdx 0x31f0 __ALIGN_SIZE+0x21f0 rcx 0xffff80002157a000 rax 0xffff80002157a000 r8 0xffffffff8149ad7f kprintf+0x16f r9 0x1 r10 0x25 r11 0xa918fef8973ab9a3 r12 0x3000000008 r13 0xffff800022f92e40 r14 0x100 r15 0x1 rip 0xffffffff8213f9a8 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff800022f92e20 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor.0) pid=345017 stat=onproc flags process=0 proc=4000000 pri=81, usrpri=81, nice=20 forw=0xffffffffffffffff, list=0xffff800020abf650,0xffffffff8266d588 process=0xffff800020a8b510 user=0xffff800022f8e000, vmspace=0xfffffd807f00b2e0 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 86728 423045 37140 0 7 0 syz-executor.0 86728 268381 37140 0 3 0x4000080 fsleep syz-executor.0 *86728 345017 37140 0 7 0x4000000 syz-executor.0 57947 240600 10287 0 3 0x2 biowait syz-executor.1 37140 9508 10287 0 3 0x82 nanosleep syz-executor.0 18249 185057 1 0 3 0x100083 ttyin getty 33560 119859 0 0 3 0x14200 acct acct 80708 148607 0 0 3 0x14200 bored sosplice 10287 471521 45677 0 3 0x82 kqread syz-fuzzer 10287 345882 45677 0 3 0x4000082 nanosleep syz-fuzzer 10287 378979 45677 0 3 0x4000082 thrsleep syz-fuzzer 10287 418367 45677 0 3 0x4000082 thrsleep syz-fuzzer 10287 416076 45677 0 3 0x4000082 thrsleep syz-fuzzer 10287 132737 45677 0 3 0x4000082 thrsleep syz-fuzzer 10287 8538 45677 0 3 0x4000082 thrsleep syz-fuzzer 10287 332953 45677 0 3 0x4000082 thrsleep syz-fuzzer 10287 237294 45677 0 3 0x4000082 thrsleep syz-fuzzer 10287 284748 45677 0 3 0x4000082 nanosleep syz-fuzzer 45677 488702 43226 0 3 0x10008a pause ksh 43226 149639 86032 0 3 0x92 select sshd 86032 518929 1 0 3 0x80 select sshd 89200 814 52093 74 3 0x100092 bpf pflogd 52093 256236 1 0 3 0x80 netio pflogd 75893 111161 89404 73 3 0x100090 kqread syslogd 89404 91049 1 0 3 0x100082 netio syslogd 88798 289416 1 77 3 0x100090 poll dhclient 64218 292484 1 0 3 0x80 poll dhclient 3330 64514 0 0 2 0x14200 zerothread 15613 165130 0 0 3 0x14200 aiodoned aiodoned 56488 281897 0 0 3 0x14200 syncer update 15263 364602 0 0 3 0x14200 cleaner cleaner 42522 390964 0 0 3 0x14200 reaper reaper 76492 323373 0 0 3 0x14200 pgdaemon pagedaemon 37085 55367 0 0 3 0x14200 bored crynlk 29023 494736 0 0 3 0x14200 bored crypto 51652 385283 0 0 3 0x40014200 acpi0 acpi0 10125 124733 0 0 3 0x40014200 idle1 58021 192962 0 0 3 0x14200 bored softnet 62299 422739 0 0 3 0x14200 bored systqmp 82204 342839 0 0 3 0x14200 bored systq 88955 461759 0 0 3 0x40014200 bored softclock 88255 43500 0 0 3 0x40014200 idle0 33700 410840 0 0 3 0x14200 bored smr 1 326766 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 86728 (syz-executor.0) thread 0xffff800020abf3d8 (345017) exclusive rwlock netlock r = 0 (0xffffffff8251b198) #0 witness_lock+0x52e sys/kern/subr_witness.c:1163 #1 solock+0x5a sys/kern/uipc_socket2.c:282 #2 sosend+0x51b sys/kern/uipc_socket.c:512 #3 dofilewritev+0x1b7 sys/kern/sys_generic.c:364 #4 sys_writev+0xa7 sys/kern/sys_generic.c:311 #5 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline] #5 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555 #6 Xsyscall+0x128 Process 57947 (syz-executor.1) thread 0xffff800020abe290 (240600) exclusive rrwlock inode r = 0 (0xfffffd806e507c58) #0 witness_lock+0x52e sys/kern/subr_witness.c:1163 #1 rw_enter+0x447 sys/kern/kern_rwlock.c:306 #2 rrw_enter+0x4f sys/kern/kern_rwlock.c:435 #3 ufs_ihashins+0x45 sys/ufs/ufs/ufs_ihash.c:140 #4 ffs_vget+0x13e sys/ufs/ffs/ffs_vfsops.c:1352 #5 ffs_inode_alloc+0x1cf sys/ufs/ffs/ffs_alloc.c:392 #6 ufs_mkdir+0xf4 sys/ufs/ufs/ufs_vnops.c:1164 #7 VOP_MKDIR+0xc6 sys/kern/vfs_vops.c:450 #8 domkdirat+0x121 sys/kern/vfs_syscalls.c:2983 #9 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline] #9 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555 #10 Xsyscall+0x128 exclusive rrwlock inode r = 0 (0xfffffd806ac65a28) #0 witness_lock+0x52e sys/kern/subr_witness.c:1163 #1 rw_enter+0x447 sys/kern/kern_rwlock.c:306 #2 rrw_enter+0x4f sys/kern/kern_rwlock.c:435 #3 VOP_LOCK+0xf0 sys/kern/vfs_vops.c:615 #4 vn_lock+0x81 sys/kern/vfs_vnops.c:574 #5 vfs_lookup+0xe6 sys/kern/vfs_lookup.c:419 #6 namei+0x63c sys/kern/vfs_lookup.c:249 #7 domkdirat+0x75 sys/kern/vfs_syscalls.c:2968 #8 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline] #8 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555 #9 Xsyscall+0x128 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim devbuf 9578 6458K 7501K 78643K 17052 0 0 pcb 13 8K 9K 78643K 650 0 0 rtable 105 13K 14K 78643K 2143 0 0 ifaddr 79 18K 20K 78643K 653 0 0 counters 39 33K 33K 78643K 39 0 0 ioctlops 0 0K 4K 78643K 4828 0 0 iov 0 0K 28K 78643K 859 0 0 mount 1 1K 1K 78643K 1 0 0 vnodes 1214 76K 77K 78643K 4041 0 0 UFS quota 1 32K 32K 78643K 1 0 0 UFS mount 5 36K 36K 78643K 5 0 0 shm 2 1K 9K 78643K 175 0 0 VM map 32 16K 16K 78643K 44 0 0 sem 12 0K 0K 78643K 632 0 0 dirhash 12 2K 2K 78643K 12 0 0 ACPI 1808 196K 290K 78643K 12765 0 0 file desc 5 13K 25K 78643K 3532 0 0 sigio 1 0K 0K 78643K 47 0 0 proc 62 63K 95K 78643K 1542 0 0 subproc 32 2K 2K 78643K 340 0 0 NFS srvsock 1 0K 0K 78643K 1 0 0 NFS daemon 1 16K 16K 78643K 1 0 0 ip_moptions 0 0K 1K 78643K 306 0 0 in_multi 22 1K 2K 78643K 376 0 0 ether_multi 1 0K 0K 78643K 43 0 0 mrt 1 0K 0K 78643K 20 0 0 ISOFS mount 1 32K 32K 78643K 1 0 0 MSDOSFS mount 1 16K 16K 78643K 1 0 0 ttys 72 318K 318K 78643K 72 0 0 exec 0 0K 1K 78643K 1052 0 0 pagedep 1 8K 8K 78643K 1 0 0 inodedep 1 32K 32K 78643K 1 0 0 newblk 1 0K 0K 78643K 1 0 0 VM swap 7 26K 26K 78643K 7 0 0 UVM amap 175 275K 285K 78643K 13458 0 0 UVM aobj 130 4K 4K 78643K 139 0 0 memdesc 1 4K 4K 78643K 1 0 0 crypto data 1 1K 1K 78643K 1 0 0 ip6_options 0 0K 0K 78643K 668 0 0 NDP 19 0K 0K 78643K 197 0 0 temp 221 3560K 4200K 78643K 92373 0 0 kqueue 0 0K 0K 78643K 25 0 0 SYN cache 2 16K 16K 78643K 2 0 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 76 0 71 1 0 1 1 0 8 0 plcache 128 20 0 0 1 0 1 1 0 8 0 rtpcb 80 258 0 256 1 0 1 1 0 8 0 rtentry 112 340 0 304 2 0 2 2 0 8 0 unpcb 120 1737 0 1727 2 1 1 2 0 8 0 syncache 264 22 0 22 9 9 0 1 0 8 0 tcpqe 32 166 0 166 6 6 0 1 0 8 0 tcpcb 544 1133 0 1127 2 1 1 2 0 8 0 inpcb 280 9050 0 9039 15 12 3 4 0 8 1 rttmr 72 3 0 3 3 3 0 1 0 8 0 ip6q 72 2 0 1 2 1 1 1 0 8 0 ip6af 40 1 0 0 1 0 1 1 0 8 0 nd6 48 42 0 40 6 5 1 1 0 8 0 pkpcb 40 12 0 12 4 4 0 1 0 8 0 swfcl 56 2 0 0 1 0 1 1 0 8 0 ppxss 1128 93 0 93 8 7 1 1 0 8 1 pffrag 232 62 0 61 14 13 1 1 0 482 0 pffrnode 88 62 0 61 14 13 1 1 0 8 0 pffrent 40 1625 0 1623 14 13 1 1 0 8 0 pfosfp 40 846 0 423 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfstitem 24 251 0 192 1 0 1 1 0 8 0 pfstkey 112 251 0 192 3 0 3 3 0 8 0 pfstate 328 251 0 192 7 0 7 7 0 8 0 pfrule 1360 21 0 16 2 1 1 2 0 8 0 art_heap8 4096 5 0 4 4 3 1 3 0 8 0 art_heap4 256 1357 0 1176 34 22 12 15 0 8 0 art_table 32 1362 0 1180 2 0 2 2 0 8 0 art_node 16 338 0 306 1 0 1 1 0 8 0 sysvmsgpl 40 6 0 6 3 3 0 1 0 8 0 semupl 112 2 0 2 1 1 0 1 0 8 0 semapl 112 630 0 620 1 0 1 1 0 8 0 shmpl 112 137 0 9 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino1pl 128 7098 0 5682 46 0 46 46 0 8 0 ffsino 272 7098 0 5682 95 0 95 95 0 8 0 nchpl 144 12373 0 11918 61 41 20 61 0 8 0 uvmvnodes 72 5926 0 0 108 0 108 108 0 8 0 vnodes 208 5926 0 0 312 0 312 312 0 8 0 namei 1024 42054 0 42053 2 1 1 1 0 8 0 percpumem 16 30 0 0 1 0 1 1 0 8 0 vcpupl 1984 30 0 0 4 0 4 4 0 8 0 vmpool 552 42 0 12 3 0 3 3 0 8 0 scsiplug 64 5 0 5 4 4 0 1 0 8 0 scxspl 192 39060 0 39059 32 31 1 7 0 8 0 plimitpl 152 317 0 309 1 0 1 1 0 8 0 sigapl 432 3680 0 3665 3 1 2 3 0 8 0 futexpl 56 81339 0 81338 2 1 1 1 0 8 0 knotepl 112 803 0 784 1 0 1 1 0 8 0 kqueuepl 104 805 0 803 1 0 1 1 0 8 0 pipepl 112 4040 0 4021 16 15 1 3 0 8 0 fdescpl 488 3681 0 3665 3 0 3 3 0 8 0 filepl 152 33123 0 33021 22 17 5 8 0 8 1 lockfpl 104 1540 0 1539 1 0 1 1 0 8 0 lockfspl 48 562 0 561 1 0 1 1 0 8 0 sessionpl 112 38 0 27 1 0 1 1 0 8 0 pgrppl 48 50 0 39 1 0 1 1 0 8 0 ucredpl 96 3336 0 3327 1 0 1 1 0 8 0 zombiepl 144 3665 0 3665 2 1 1 1 0 8 1 processpl 896 3698 0 3665 4 0 4 4 0 8 0 procpl 632 11670 0 11626 6 1 5 5 0 8 1 srpgc 64 35 0 35 11 11 0 1 0 8 0 sosppl 128 49 0 49 10 10 0 1 0 8 0 sockpl 384 11098 0 11075 22 17 5 7 0 8 1 mcl64k 65536 268 0 0 34 13 21 34 0 8 1 mcl16k 16384 17 0 0 3 0 3 3 0 8 1 mcl12k 12288 17 0 0 2 0 2 2 0 8 0 mcl9k 9216 18 0 0 2 0 2 2 0 8 0 mcl8k 8192 17 0 0 3 0 3 3 0 8 0 mcl4k 4096 17 0 0 3 0 3 3 0 8 0 mcl2k2 2112 10 0 0 1 0 1 1 0 8 0 mcl2k 2048 210 0 0 23 3 20 23 0 8 0 mtagpl 80 41 0 0 1 0 1 1 0 8 0 mbufpl 256 664 0 0 31 0 31 31 0 8 0 bufpl 256 15505 0 8457 441 0 441 441 0 8 0 anonpl 16 412969 0 393187 150 60 90 96 0 124 5 amapchunkpl 152 26177 0 26041 47 36 11 14 0 158 4 amappl16 192 18916 0 17768 148 81 67 69 0 8 8 amappl15 184 443 0 443 2 2 0 1 0 8 0 amappl14 176 812 0 810 1 0 1 1 0 8 0 amappl13 168 578 0 576 1 0 1 1 0 8 0 amappl12 160 800 0 797 1 0 1 1 0 8 0 amappl11 152 627 0 612 1 0 1 1 0 8 0 amappl10 144 134 0 130 1 0 1 1 0 8 0 amappl9 136 870 0 863 1 0 1 1 0 8 0 amappl8 128 431 0 388 2 0 2 2 0 8 0 amappl7 120 220 0 212 1 0 1 1 0 8 0 amappl6 112 593 0 580 1 0 1 1 0 8 0 amappl5 104 1099 0 1083 1 0 1 1 0 8 0 amappl4 96 4007 0 3968 2 0 2 2 0 8 1 amappl3 88 1273 0 1265 1 0 1 1 0 8 0 amappl2 80 27991 0 27915 3 1 2 3 0 8 0 amappl1 72 91370 0 90918 25 15 10 20 0 8 0 amappl 80 12268 0 12208 2 0 2 2 0 84 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 17 0 17 1 1 0 1 0 8 0 aobjpl 64 138 0 9 3 0 3 3 0 8 0 uaddrrnd 24 3723 0 3665 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 3723 0 3665 1 0 1 1 0 8 0 vmmpekpl 168 36868 0 36818 4 1 3 3 0 8 0 vmmpepl 168 469802 0 467385 294 152 142 144 0 357 31 vmsppl 368 3680 0 3665 2 0 2 2 0 8 0 pdppl 4096 7453 0 7384 13 3 10 10 0 8 1 pvpl 32 1135442 0 1114020 347 145 202 215 0 265 15 pmappl 232 3722 0 3677 3 0 3 3 0 8 0 extentpl 40 41 0 26 1 0 1 1 0 8 0 phpool 112 697 0 49 19 0 19 19 0 8 0