syzbot


pool: free list modified: inpcb (2)

Status: upstream: reported on 2022/09/26 21:38
Reported-by: syzbot+53d4e8b6773aa2504aac@syzkaller.appspotmail.com
First crash: 133d, last: 79d
similar bugs (1):
Kernel   Title                             Repro  Cause bisect  Fix bisect  Count  Last  Reported  Patched  Status
openbsd  pool: free list modified: inpcb   -      -             -           2      224d  251d      0/3      auto-obsoleted due to no activity on 2022/09/25 16:01

Sample crash report:
panic: pool_do_get: inpcb free list modified: page 0xfffffd80626f2000; item addr 0xfffffd80626f2e98; offset 0x0=0x0 != 0xcbd1fba971b51cc3
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*131711  77275      0           0  0x4000000    0  syz-executor.4
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8261beb0) at panic+0x161 sys/kern/subr_prf.c:198
pool_do_get(ffffffff829c4028,9,ffff80002e9a3698) at pool_do_get+0x427 sys/kern/subr_pool.c:738
pool_get(ffffffff829c4028,9) at pool_get+0xb3 sys/kern/subr_pool.c:582
in_pcballoc(fffffd8068a6ddc0,ffffffff829bd6e8,1) at in_pcballoc+0x59 sys/netinet/in_pcb.c:235
udp_attach(fffffd8068a6ddc0,0,1) at udp_attach+0xe4 sys/netinet/udp_usrreq.c:1091
socreate(2,ffff80002e9a3838,2,0) at socreate+0x22b pru_attach sys/sys/protosw.h:272 [inline]
socreate(2,ffff80002e9a3838,2,0) at socreate+0x22b sys/kern/uipc_socket.c:197
sys_socket(ffff8000231d27e8,ffff80002e9a38c8,ffff80002e9a3910) at sys_socket+0xd8 sys/kern/uipc_syscalls.c:98
syscall(ffff80002e9a3990) at syscall+0x446 sys/arch/amd64/amd64/trap.c:599
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xbc8c0602620, count: 5
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb> 
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
*cpu0: pool_do_get: inpcb free list modified: page 0xfffffd80626f2000; item addr 0xfffffd80626f2e98; offset 0x0=0x0 != 0xcbd1fba971b51cc3
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8261beb0) at panic+0x161 sys/kern/subr_prf.c:198
pool_do_get(ffffffff829c4028,9,ffff80002e9a3698) at pool_do_get+0x427 sys/kern/subr_pool.c:738
pool_get(ffffffff829c4028,9) at pool_get+0xb3 sys/kern/subr_pool.c:582
in_pcballoc(fffffd8068a6ddc0,ffffffff829bd6e8,1) at in_pcballoc+0x59 sys/netinet/in_pcb.c:235
udp_attach(fffffd8068a6ddc0,0,1) at udp_attach+0xe4 sys/netinet/udp_usrreq.c:1091
socreate(2,ffff80002e9a3838,2,0) at socreate+0x22b pru_attach sys/sys/protosw.h:272 [inline]
socreate(2,ffff80002e9a3838,2,0) at socreate+0x22b sys/kern/uipc_socket.c:197
sys_socket(ffff8000231d27e8,ffff80002e9a38c8,ffff80002e9a3910) at sys_socket+0xd8 sys/kern/uipc_syscalls.c:98
syscall(ffff80002e9a3990) at syscall+0x446 sys/arch/amd64/amd64/trap.c:599
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xbc8c0602620, count: -10
ddb> show registers
rdi                                0
rsi                              0x1
rbp               0xffff80002e9a3510
rbx               0xcbd1fba971b51cc3
rdx                                0
rcx                                0
rax               0xffff8000231d27e8
r8                 0x101010101010101
r9                0x8080808080808080
r10               0xade8f56cd63b0f8d
r11               0x95870711cd5b5590
r12                                0
r13               0xfffffd80626f2e98
r14                                0
r15                              0x1
rip               0xffffffff814e1d98    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff80002e9a3500
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb> show proc
PROC (syz-executor.4) pid=131711 stat=onproc
    flags process=0 proc=4000000<THREAD>
    pri=79, usrpri=86, nice=20
    forw=0xffffffffffffffff, list=0xffff8000231d2d28,0xffffffff829d0a90
    process=0xffff8000217a2818 user=0xffff80002e99e000, vmspace=0xfffffd806b8b3de0
    estcpu=36, cpticks=2, pctcpu=0.0
    user=0, sys=1, intr=0
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 84773  262141  19684      0  2           0                syz-executor.1
 77275  405337  25598      0  2           0                syz-executor.4
 77275  473928  25598      0  2   0x4000000                syz-executor.4
*77275  131711  25598      0  7   0x4000000                syz-executor.4
 39350  182724   2393      0  2           0                syz-executor.0
 39350  365335   2393      0  3   0x4000080  fsleep        syz-executor.0
 20455  182524  25289      0  2         0x2                syz-executor.2
 55752  353835      0      0  3     0x14280  nfsidl        nfsio
 71295   43933      0      0  3     0x14280  nfsidl        nfsio
 85815  228556      0      0  3     0x14280  nfsidl        nfsio
 20015  509326      0      0  3     0x14280  nfsidl        nfsio
 70608  316215      0      0  3     0x14280  nfsidl        nfsio
 10148  362837      0      0  3     0x14280  nfsidl        nfsio
 55537   79669      0      0  3     0x14280  nfsidl        nfsio
 88583   63064      0      0  3     0x14280  nfsidl        nfsio
 20778  323784      0      0  3     0x14280  nfsidl        nfsio
 49095  449152      0      0  3     0x14280  nfsidl        nfsio
   451  429883      0      0  3     0x14280  nfsidl        nfsio
 29877  472722      0      0  3     0x14280  nfsidl        nfsio
  6154   61943      0      0  3     0x14280  nfsidl        nfsio
 76197  127242      0      0  3     0x14280  nfsidl        nfsio
 43983  520605      0      0  3     0x14280  nfsidl        nfsio
  2448   92947      0      0  3     0x14280  nfsidl        nfsio
 73312   52454      0      0  3     0x14280  nfsidl        nfsio
 17955  359494      0      0  3     0x14280  nfsidl        nfsio
 64106  149227      0      0  3     0x14280  nfsidl        nfsio
 38439  445979      0      0  3     0x14280  nfsidl        nfsio
 39275  337400      0      0  3     0x14200  bored         sosplice
 39570  178328  25289      0  2         0x2                syz-executor.7
 70741  188780  25289      0  2         0x2                syz-executor.6
 34098  163282  25289      0  2         0x2                syz-executor.5
 25598   88488  25289      0  3        0x82  nanoslp       syz-executor.4
 77856   14682  25289      0  3        0x82  nanoslp       syz-executor.3
  2393  247990  25289      0  3        0x82  nanoslp       syz-executor.0
 19684  128900  25289      0  3        0x82  nanoslp       syz-executor.1
 25289  350212  95289      0  3        0x82  kqread        syz-fuzzer
 25289  205997  95289      0  3   0x4000082  nanoslp       syz-fuzzer
 25289  363458  95289      0  3   0x4000082  wait          syz-fuzzer
 25289   89753  95289      0  3   0x4000082  wait          syz-fuzzer
 25289  420815  95289      0  3   0x4000082  wait          syz-fuzzer
 25289  499823  95289      0  3   0x4000082  thrsleep      syz-fuzzer
 25289  174035  95289      0  3   0x4000082  thrsleep      syz-fuzzer
 25289  131111  95289      0  3   0x4000082  wait          syz-fuzzer
 25289  513011  95289      0  3   0x4000082  thrsleep      syz-fuzzer
 25289  355427  95289      0  3   0x4000082  wait          syz-fuzzer
 25289  369419  95289      0  3   0x4000082  wait          syz-fuzzer
 25289  480923  95289      0  3   0x4000082  wait          syz-fuzzer
 25289   68513  95289      0  3   0x4000082  wait          syz-fuzzer
 25289  384777  95289      0  3   0x4000082  thrsleep      syz-fuzzer
 95289  177183  64064      0  3    0x10008a  sigsusp       ksh
 64064   71316  75975      0  3        0x9a  kqread        sshd
 60769  393121      1      0  3    0x100083  ttyin         getty
 75975   15137      1      0  3        0x88  kqread        sshd
  9299   48320  21718     73  3   0x1100090  kqread        syslogd
 21718  380075      1      0  3    0x100082  netio         syslogd
 21995  407862      1      0  3    0x100080  kqread        resolvd
 88097  450064  98869     77  3    0x100092  kqread        dhcpleased
 67752  212585  98869     77  3    0x100092  kqread        dhcpleased
 98869  456592      1      0  3        0x80  kqread        dhcpleased
 58669  494746      0      0  3     0x14200  bored         smr
 41860  163893      0      0  2     0x14200                zerothread
 13324  313247      0      0  3     0x14200  aiodoned      aiodoned
 47593  255250      0      0  3     0x14200  syncer        update
 75755  393126      0      0  3     0x14200  cleaner       cleaner
 20974  283677      0      0  3     0x14200  reaper        reaper
 99493    7966      0      0  3     0x14200  pgdaemon      pagedaemon
 49099  223596      0      0  3     0x14200  bored         viomb
 79605   54027      0      0  3  0x40014200  acpi0         acpi0
 61575   40653      0      0  3     0x14200  bored         softnet
 63483  148689      0      0  3     0x14200  bored         softnet
 80459   73609      0      0  3     0x14200  bored         softnet
 18194   35372      0      0  3     0x14200  bored         softnet
 38725  313321      0      0  3     0x14200  bored         systqmp
 83484  189533      0      0  3     0x14200  bored         systq
 47435  334328      0      0  3  0x40014200  bored         softclock
 29942  435575      0      0  3  0x40014200                idle0
     1   24044      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb> show all locks
No such command
ddb> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 10204   6405K    6923K  78643K     13135        0
            pcb    13     14K      15K  78643K       418        0
         rtable   161      6K       7K  78643K       719        0
         ifaddr    83     17K      19K  78643K       243        0
         sysctl     2      0K       0K  78643K         5        0
       counters    27     17K      17K  78643K        64        0
       ioctlops     0      0K       2K  78643K       176        0
            iov     0      0K      20K  78643K       354        0
          mount     1      1K       1K  78643K         1        0
            log     0      0K       0K  78643K         4        0
         vnodes  1397     87K      88K  78643K      2344        0
      UFS quota     1     32K      32K  78643K         1        0
      UFS mount     5     36K      36K  78643K         5        0
            shm     2      1K       5K  78643K        20        0
         VM map     2      0K       0K  78643K         2        0
            sem    12      0K       0K  78643K       244        0
        dirhash    12      2K       2K  78643K        12        0
           ACPI  1697    195K     286K  78643K     12548        0
      file desc    13     45K      73K  78643K      1576        0
          sigio     0      0K       0K  78643K        53        0
           proc    58     59K      83K  78643K       630        0
        subproc   104      6K       6K  78643K       156        0
    NFS srvsock     1      0K       0K  78643K         1        0
     NFS daemon     1     16K      16K  78643K         1        0
    ip_moptions     0      0K       0K  78643K        50        0
       in_multi    63      4K       6K  78643K       188        0
    ether_multi     1      0K       0K  78643K        11        0
            mrt     1      0K       0K  78643K         7        0
    ISOFS mount     1     32K      32K  78643K         1        0
  MSDOSFS mount     1     16K      16K  78643K         1        0
           ttys   205    917K     917K  78643K       205        0
           exec     0      0K       1K  78643K       726        0
            tdb     3      0K       0K  78643K         3        0
        pagedep     1      8K       8K  78643K         1        0
       inodedep     1     32K      32K  78643K         1        0
         newblk     1      0K       0K  78643K         1        0
        VM swap     8     62K      64K  78643K        10        0
       UVM amap   260    214K     235K  78643K     11377        0
       UVM aobj   131      4K       4K  78643K       135        0
        memdesc     1      4K       4K  78643K         1        0
    crypto data     1      1K       1K  78643K         1        0
    ip6_options     0      0K       0K  78643K        63        0
            NDP    11      0K       1K  78643K        67        0
           temp   124   4694K    4758K  78643K     23262        0
         kqueue    12     18K      24K  78643K       132        0
      SYN cache     2     16K      16K  78643K         2        0
ddb> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
rtpcb      120      116    0      113     1     0     1     1     0     8    0
rtentry    112      174    0      105     4     0     4     4     0     8    0
unpcb      144     2019    0     2006    15    11     4     6     0     8    3
syncache   296        9    0        9     3     3     0     1     0     8    0
tcpqe       32       93    0       93     2     2     0     1     0     8    0
tcpcb      776     1951    0     1913    31    24     7    14     0     8    3
arp         88       27    0       15     1     0     1     1     0     8    0
ipq         40        1    0        1     1     1     0     1     0     8    0
ipqe        40        4    0        4     1     1     0     1     0     8    0
inpcb      336     3089    0     3041    26    19     7    12     0     8    3
inpcb: pool(0xffffffff829c4028:inpcb): free list modified: page 0xfffffd80626f2000; item ordinal 0; addr 0xfffffd80626f2e98 (p 0xfffffd8068c4b000); offset 0x0=0x0
pool(inpcb): free list modified: page 0xfffffd80626f2000; item ordinal 0; addr 0xfffffd80626f2e98 (p 0xfffffd8068c4b000); offset 0x0=0x0
inpcb: pool(0xffffffff829c4028:inpcb): page inconsistency: page 0xfffffd80626f2000; item ordinal 1; addr 0x739b6bb4b342fbed
nd6         48       39    0       24     1     0     1     1     0     8    0
kcovpl      48       12    0        4     1     0     1     1     0     8    0
mppekey    1024       3    0        3     1     0     1     1     0     8    1
ppxss      1160      16    0       16     2     1     1     1     0     8    1
pppxif     1608       7    0        7     1     0     1     1     0     8    1
pfstscr     40        8    0        7     1     0     1     1     0     8    0
pfstitem    24        5    0        3     1     0     1     1     0     8    0
pfstkey    120       13    0       11     1     0     1     1     0     8    0
pfstate    352        8    0        7     1     0     1     1     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      727    0      448    32     6    26    30     0     8    4
art_table   32      728    0      448     4     0     4     4     0     8    0
art_node    16      170    0      111     1     0     1     1     0     8    0
sysvmsgpl   40        6    0        3     1     0     1     1     0     8    0
semapl     112      242    0      232     1     0     1     1     0     8    0
shmpl      112      132    0        4     4     0     4     4     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino2pl    256     3460    0     2035    90     0    90    90     0     8    0
ffsino     240     3460    0     2035    85     0    85    85     0     8    0
nchpl      144     5773    0     5287    63    41    22    63     0     8    0
uvmvnodes   80     4378    0        0    90     0    90    90     0     8    0
vnodes     216     4378    0        0   244     0   244   244     0     8    0
namei      1024   21743    0    21741     2     1     1     2     0     8    0
vcpupl     2048      10    0        1     2     0     2     2     0     8    0
vmpool     536       14    0        5     2     1     1     1     0     8    0
kstatmem   264       82    0       60     2     0     2     2     0     8    0
scsiplug    72        3    0        3     1     1     0     1     0     8    0
scxspl     216    17728    0    17728    12    10     2     8     0     8    2
plimitpl   152      329    0      314     1     0     1     1     0     8    0
sigapl     424     1882    0     1820     8     0     8     8     0     8    0
futexpl     64    16105    0    16104     1     0     1     1     0     8    0
knotepl    120    34512    0    34432    13     9     4     7     0     8    0
kqueuepl   184      288    0      280     5     4     1     4     0     8    0
pipepl     288      472    0      444    13    10     3     7     0     8    0
fdescpl    432     1845    0     1821     4     0     4     4     0     8    0
filepl     120    15829    0    15555    27    15    12    15     0     8    3
lockfpl    104      986    0      984     5     3     2     2     0     8    1
lockfspl    48      287    0      285     1     0     1     1     0     8    0
sessionpl  144       27    0       11     1     0     1     1     0     8    0
pgrppl      48       27    0       11     1     0     1     1     0     8    0
ucredpl    104     1776    0     1765     1     0     1     1     0     8    0
zombiepl   144     1821    0     1820     1     0     1     1     0     8    0
processpl  1000    1882    0     1820    10     1     9     9     0     8    0
procpl     672     4156    0     4078    10     1     9     9     0     8    1
sosppl     168        4    0        4     2     1     1     1     0     8    1
sockpl     456     5225    0     5160    88    76    12    22     0     8    3
mcl64k     65536     45    0       45     2     1     1     1     0     8    1
mcl16k     16384     34    0       34     3     2     1     1     0     8    1
mcl12k     12288     46    0       46     3     2     1     1     0     8    1
mcl9k      9216      12    0       12     3     3     0     1     0     8    0
mcl8k      8192      84    0       84     4     3     1     1     0     8    1
mcl4k      4096     171    0      171     3     2     1     1     0     8    1
mcl2k2     2112      12    0       12     5     4     1     1     0     8    1
mcl2k      2048   76494    0    76419    31    20    11    30     0     8    0
mtagpl      96      283    0       32     8     1     7     7     0     8    0
mbufpl     256   142554    0   142126   148   119    29   119     0     8    0
bufpl      288     7001    0      597   458     0   458   458     0     8    0
anonpl      24   407216    0   391584   132     8   124   124     0   188   11
amapchunkpl 152   33455    0    32835    47    18    29    40     0   158    1
amappl16   200     5784    0     5201    56    17    39    45     0     8    8
amappl15   192        3    0        3     1     1     0     1     0     8    0
amappl14   184      166    0      154     2     1     1     2     0     8    0
amappl13   176       11    0       11     1     1     0     1     0     8    0
amappl12   168      450    0      444     1     0     1     1     0     8    0
amappl11   160       51    0       40     1     0     1     1     0     8    0
amappl10   152       37    0       25     1     0     1     1     0     8    0
amappl9    144      961    0      958     1     0     1     1     0     8    0
amappl8    136      182    0      125     3     0     3     3     0     8    0
amappl7    128       46    0       33     1     0     1     1     0     8    0
amappl6    120      319    0      302     2     1     1     2     0     8    0
amappl5    112       96    0       88     1     0     1     1     0     8    0
amappl4    104      535    0      513     1     0     1     1     0     8    0
amappl3     96     4728    0     4687     2     0     2     2     0     8    0
amappl2     88     2190    0     2127     3     1     2     3     0     8    0
amappl1     80    43345    0    42721    21     5    16    21     0     8    0
amappl      88    11016    0    10851     5     0     5     5     0    92    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma1024    1024       1    0        0     1     0     1     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      72      134    0        4     3     0     3     3     0     8    0
uaddrrnd    24     1859    0     1826     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24     1859    0     1826     1     0     1     1     0     8    0
vmmpekpl   168    18430    0    18378     3     0     3     3     0     8    0
vmmpepl    168   175217    0   172870   157    26   131   132     0   357   14
vmsppl     272     1858    0     1826     5     2     3     3     0     8    0
rwobjpl     24    52389    0    46282    38     0    38    38     0     8    0
pdppl      4096    3724    0     3661   159    86    73    74     0     8   10
pvpl        32   819806    0   799081   288    75   213   254     0   265   23
pmappl     216     1858    0     1826     3     0     3     3     0     8    0
extentpl    40       56    0       38     1     0     1     1     0     8    0
phpool     112     1071    0      273    25     0    25    25     0     8    0
ddb> machine ddbcpu 0
No such command
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8261beb0) at panic+0x161 sys/kern/subr_prf.c:198
pool_do_get(ffffffff829c4028,9,ffff80002e9a3698) at pool_do_get+0x427 sys/kern/subr_pool.c:738
pool_get(ffffffff829c4028,9) at pool_get+0xb3 sys/kern/subr_pool.c:582
in_pcballoc(fffffd8068a6ddc0,ffffffff829bd6e8,1) at in_pcballoc+0x59 sys/netinet/in_pcb.c:235
udp_attach(fffffd8068a6ddc0,0,1) at udp_attach+0xe4 sys/netinet/udp_usrreq.c:1091
socreate(2,ffff80002e9a3838,2,0) at socreate+0x22b pru_attach sys/sys/protosw.h:272 [inline]
socreate(2,ffff80002e9a3838,2,0) at socreate+0x22b sys/kern/uipc_socket.c:197
sys_socket(ffff8000231d27e8,ffff80002e9a38c8,ffff80002e9a3910) at sys_socket+0xd8 sys/kern/uipc_syscalls.c:98
syscall(ffff80002e9a3990) at syscall+0x446 sys/arch/amd64/amd64/trap.c:599
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xbc8c0602620, count: -10
ddb> machine ddbcpu 1
No such command
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8261beb0) at panic+0x161 sys/kern/subr_prf.c:198
pool_do_get(ffffffff829c4028,9,ffff80002e9a3698) at pool_do_get+0x427 sys/kern/subr_pool.c:738
pool_get(ffffffff829c4028,9) at pool_get+0xb3 sys/kern/subr_pool.c:582
in_pcballoc(fffffd8068a6ddc0,ffffffff829bd6e8,1) at in_pcballoc+0x59 sys/netinet/in_pcb.c:235
udp_attach(fffffd8068a6ddc0,0,1) at udp_attach+0xe4 sys/netinet/udp_usrreq.c:1091
socreate(2,ffff80002e9a3838,2,0) at socreate+0x22b pru_attach sys/sys/protosw.h:272 [inline]
socreate(2,ffff80002e9a3838,2,0) at socreate+0x22b sys/kern/uipc_socket.c:197
sys_socket(ffff8000231d27e8,ffff80002e9a38c8,ffff80002e9a3910) at sys_socket+0xd8 sys/kern/uipc_syscalls.c:98
syscall(ffff80002e9a3990) at syscall+0x446 sys/arch/amd64/amd64/trap.c:599
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xbc8c0602620, count: -10
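What the panic line is reporting: pool_do_get pulled the first item off the inpcb pool's free list, compared the word at offset 0 of that item against the magic value the allocator had written there when the item was freed, and found 0 instead. Something wrote into the item after it was returned to the pool (the "page inconsistency" lines under "show all pools" show the free-list link of the same item is garbage too). The program below is an added illustration of that class of check and is not OpenBSD's subr_pool.c: the struct layout, the per-page secret, and the "magic = item address XOR secret" scheme are assumptions modelled on the message format, and the secret, the pool, and the use-after-free write are constructed for the example.

```c
/* Added illustration of a free-list magic check; not OpenBSD's pool code.
 * Layout, secret scheme and scenarios are assumptions/constructed inputs. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ITEM_SIZE 64
#define NITEMS    8

/* A free item carries its magic word at offset 0 and its free-list link at
 * offset 8, so a stray write into a freed item hits the check first. */
struct item {
    uint64_t     pi_magic;
    struct item *pi_next;
    uint8_t      pad[ITEM_SIZE - 2 * sizeof(uint64_t)];
};

struct pool_page {
    uint64_t     ph_magic;                 /* per-page secret (assumed) */
    struct item *ph_free;
    uint8_t      storage[NITEMS * ITEM_SIZE];
};

struct get_result {
    void    *item;      /* NULL when the check fails */
    int      corrupt;   /* 1 if the free-list magic did not match */
    uint64_t seen;      /* value found at offset 0 of the item */
    uint64_t want;      /* value the allocator expected there */
};

/* Expected magic for a free item: its own address mixed with the page secret,
 * so a copy of one item's magic is not valid for another item. */
static uint64_t item_magic(const struct pool_page *ph, const struct item *pi)
{
    return (uint64_t)(uintptr_t)pi ^ ph->ph_magic;
}

void page_init(struct pool_page *ph, uint64_t secret)
{
    ph->ph_magic = secret;
    ph->ph_free = NULL;
    for (int i = NITEMS - 1; i >= 0; i--) {
        struct item *pi = (struct item *)(ph->storage + (size_t)i * ITEM_SIZE);
        pi->pi_magic = item_magic(ph, pi);
        pi->pi_next = ph->ph_free;
        ph->ph_free = pi;
    }
}

/* Pop an item; refuse and report when the magic at offset 0 is wrong. */
struct get_result pool_do_get(struct pool_page *ph)
{
    struct get_result r = { NULL, 0, 0, 0 };
    struct item *pi = ph->ph_free;
    if (pi == NULL)
        return r;
    r.want = item_magic(ph, pi);
    r.seen = pi->pi_magic;
    if (r.seen != r.want) {
        r.corrupt = 1;          /* the kernel panics here */
        return r;
    }
    ph->ph_free = pi->pi_next;
    memset(pi, 0, ITEM_SIZE);   /* hand out a zeroed item */
    r.item = pi;
    return r;
}

/* Return an item: stamp the magic and push it on the free list. */
void pool_put(struct pool_page *ph, void *p)
{
    struct item *pi = p;
    pi->pi_magic = item_magic(ph, pi);
    pi->pi_next = ph->ph_free;
    ph->ph_free = pi;
}

/* Clean get/put/get cycle: returns 0 because nothing is reported. */
int scenario_clean(void)
{
    struct pool_page ph;
    page_init(&ph, 0x5eed0000c0ffee11ULL);      /* constructed secret */
    struct get_result a = pool_do_get(&ph);
    if (a.corrupt || a.item == NULL)
        return 1;
    pool_put(&ph, a.item);
    return pool_do_get(&ph).corrupt;
}

/* Write-after-free that zeroes the first word of a freed item, matching the
 * report's "offset 0x0=0x0". Returns 1 when the next get detects it. */
int scenario_write_after_free(void)
{
    struct pool_page ph;
    page_init(&ph, 0x9a7f13c2d4e6b805ULL);      /* constructed secret */
    struct get_result a = pool_do_get(&ph);
    if (a.corrupt || a.item == NULL)
        return 0;
    uint64_t *stale = a.item;
    pool_put(&ph, a.item);
    *stale = 0;                 /* the bug: writing through a freed pointer */
    struct get_result b = pool_do_get(&ph);
    if (b.corrupt)
        printf("free list modified: item addr %p; offset 0x0=0x%llx != 0x%llx\n",
               (void *)ph.ph_free, (unsigned long long)b.seen,
               (unsigned long long)b.want);
    return b.corrupt;
}

int main(void)
{
    printf("clean cycle corrupt=%d\n", scenario_clean());
    printf("write-after-free detected=%d\n", scenario_write_after_free());
    return 0;
}
```

The check only fires on the next allocation from that free list, so the trace shows the victim (here a socket(2) call allocating an inpcb) rather than the code that did the stray write; bisecting from a report like this means looking for the earlier free of that inpcb, not at in_pcballoc.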

Crashes (2):
Manager          Time              Kernel   Commit        Syzkaller  Config   Log          Report  Syz repro  C repro  VM info  Assets                                 Title
ci-openbsd-main  2022/11/19 15:14  openbsd  ff448807c2a5  5bb70014   .config  console log  report  -          -        -        [disk image] [bsd.gdb] [kernel image]  pool: free list modified: inpcb
ci-openbsd-main  2022/09/26 21:38  openbsd  96592628355e  10323ddf   .config  console log  report  -          -        -        [disk image] [bsd.gdb] [kernel image]  pool: free list modified: inpcb