panic: pool_do_get: sockpl free list modified: page 0xfffffd807b49e000; item addr 0xfffffd807b49e403; offset 0x0=0xcfe360a95c62ddc3 != 0xa95c62ddc3c60cee Stopped at db_enter+0x1c: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *510658 78017 0 0 0x4000000 0 syz-executor.2 db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8282a00b) at panic+0x165 sys/kern/subr_prf.c:198 pool_do_get(ffffffff82d1aa90,9,ffff80002e8a5d68) at pool_do_get+0x427 sys/kern/subr_pool.c:738 pool_get(ffffffff82d1aa90,9) at pool_get+0xb7 sys/kern/subr_pool.c:582 socreate(1,ffff80002e8a5e40,2,0) at socreate+0xb8 soalloc sys/kern/uipc_socket.c:157 [inline] socreate(1,ffff80002e8a5e40,2,0) at socreate+0xb8 sys/kern/uipc_socket.c:193 sys_socketpair(ffff8000216ac558,ffff80002e8a5ed0,ffff80002e8a5f20) at sys_socketpair+0x72 sys/kern/uipc_syscalls.c:474 syscall(ffff80002e8a5fa0) at syscall+0x4a8 sys/arch/amd64/amd64/trap.c:623 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xf99bfb9b100, count: 7 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: pool_do_get: sockpl free list modified: page 0xfffffd807b49e000; item addr 0xfffffd807b49e403; offset 0x0=0xcfe360a95c62ddc3 != 0xa95c62ddc3c60cee ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8282a00b) at panic+0x165 sys/kern/subr_prf.c:198 pool_do_get(ffffffff82d1aa90,9,ffff80002e8a5d68) at pool_do_get+0x427 sys/kern/subr_pool.c:738 pool_get(ffffffff82d1aa90,9) at pool_get+0xb7 sys/kern/subr_pool.c:582 socreate(1,ffff80002e8a5e40,2,0) at socreate+0xb8 soalloc sys/kern/uipc_socket.c:157 [inline] socreate(1,ffff80002e8a5e40,2,0) at socreate+0xb8 sys/kern/uipc_socket.c:193 sys_socketpair(ffff8000216ac558,ffff80002e8a5ed0,ffff80002e8a5f20) at sys_socketpair+0x72 sys/kern/uipc_syscalls.c:474 syscall(ffff80002e8a5fa0) at syscall+0x4a8 sys/arch/amd64/amd64/trap.c:623 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xf99bfb9b100, count: -8 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80002e8a5be0 rbx 0xa95c62ddc3c60cee rdx 0xffff800000d60480 rcx 0 rax 0xffff8000216ac558 r8 0x101010101010101 r9 0x8080808080808080 r10 0x4dbe900cc1abd8ee r11 0x9ddbb610a743c2e r12 0 r13 0xfffffd807b49e403 r14 0 r15 0x1 rip 0xffffffff8191472c db_enter+0x1c cs 0x8 rflags 0x246 rsp 0xffff80002e8a5bd0 ss 0x10 db_enter+0x1c: addq $0x8,%rsp ddb> show proc PROC (syz-executor.2) pid=510658 stat=onproc flags process=0 proc=4000000 pri=32, usrpri=81, nice=20 forw=0xffffffffffffffff, list=0xffff8000216ab568,0xffff8000216acd60 process=0xffff8000216eabd8 user=0xffff80002e8a1000, vmspace=0xfffffd8069b9b180 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 78017 310951 15485 0 2 0 syz-executor.2 *78017 510658 15485 0 7 0x4000000 syz-executor.2 64366 444178 44712 0 3 0x4081001 kernel: protection fault trap, code=0 Faulted in DDB; continuing... ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10182 6478K 7416K 78643K 18644 0 pcb 13 14K 15K 78643K 295 0 rtable 236 6K 7K 78643K 488 0 pf 29 8K 9K 78643K 82 0 ifaddr 43 11K 12K 78643K 83 0 ifgroup 50 2K 2K 78643K 129 0 sysctl 2 0K 0K 78643K 2 0 counters 28 17K 17K 78643K 50 0 ioctlops 0 0K 2K 78643K 255 0 iov 0 0K 16K 78643K 110 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 4 0 vnodes 1412 88K 89K 78643K 3458 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 5K 78643K 31 0 VM map 2 1K 1K 78643K 2 0 sem 12 0K 1K 78643K 690 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 15 53K 69K 78643K 2395 0 sigio 0 0K 0K 78643K 202 0 proc 56 58K 75K 78643K 693 0 subproc 104 6K 6K 78643K 156 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 79 0 in_multi 99 7K 7K 78643K 146 0 ether_multi 1 0K 0K 78643K 1 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 67 307K 307K 78643K 67 0 exec 0 0K 1K 78643K 665 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 8 62K 64K 78643K 10 0 UVM amap 358 89K 93K 78643K 24336 0 UVM aobj 131 4K 4K 78643K 140 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 59 0 NDP 11 0K 1K 78643K 57 0 temp 74 5912K 5992K 78643K 23986 0 kqueue 13 20K 24K 78643K 183 0 SYN cache 2 16K 16K 78643K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 79 0 76 1 0 1 1 0 8 0 rtentry 112 159 0 48 4 0 4 4 0 8 0 unpcb 144 4271 0 4127 32 23 9 10 0 8 3 syncache 304 18 0 18 4 3 1 1 0 8 1 tcpqe 32 274 0 274 2 2 0 1 0 8 0 tcpcb 808 1900 0 1885 30 27 3 11 0 8 0 arp 88 27 0 9 1 0 1 1 0 8 0 ipq 40 1 0 0 1 0 1 1 0 8 0 ipqe 40 4 0 3 1 0 1 1 0 8 0 inpcb 336 3484 0 3464 37 34 3 12 0 8 0 nd6 104 39 0 14 1 0 1 1 0 8 0 pkpcb 40 7 0 7 2 1 1 1 0 8 1 kcovpl 48 12 0 4 1 0 1 1 0 8 0 ppxss 1160 9 0 9 3 3 0 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 641 0 181 29 0 29 29 0 8 0 art_table 32 642 0 181 4 0 4 4 0 8 0 art_node 16 158 0 57 1 0 1 1 0 8 0 sysvmsgpl 40 22 0 2 1 0 1 1 0 8 0 semupl 112 5 0 5 1 1 0 1 0 8 0 semapl 112 683 0 673 1 0 1 1 0 8 0 shmpl 112 137 0 9 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 4472 0 3025 91 0 91 91 0 8 0 ffsino 240 4472 0 3025 86 0 86 86 0 8 0 nchpl 144 8066 0 6424 63 0 63 63 0 8 0 uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0 vnodes 216 5926 0 0 330 0 330 330 0 8 0 namei 1024 31393 0 31393 3 2 1 2 0 8 1 vmpool 664 141 0 141 3 3 0 1 0 8 0 kstatmem 264 66 0 44 2 0 2 2 0 8 0 scxspl 216 27427 0 27427 14 13 1 8 1 8 1 plimitpl 152 481 0 466 1 0 1 1 0 8 0 sigapl 424 2741 0 2677 8 0 8 8 0 8 0 futexpl 64 26198 0 26197 1 0 1 1 0 8 0 knotepl 120 22745 0 22664 3 0 3 3 0 8 0 kqueuepl 184 350 0 340 4 3 1 4 0 8 0 pipepl 288 834 0 806 24 21 3 7 0 8 0 fdescpl 432 2664 0 2638 4 0 4 4 0 8 0 filepl 120 23779 0 23340 44 29 15 16 0 8 1 lockfpl 104 2386 0 2383 7 6 1 3 0 8 0 lockfspl 48 470 0 467 1 0 1 1 0 8 0 sessionpl 144 27 0 11 1 0 1 1 0 8 0 pgrppl 48 111 0 95 1 0 1 1 0 8 0 ucredpl 104 2918 0 2908 1 0 1 1 0 8 0 zombiepl 144 2680 0 2677 1 0 1 1 0 8 0 processpl 1008 2741 0 2677 10 1 9 9 0 8 0 procpl 680 6253 0 6169 12 4 8 9 0 8 0 sosppl 168 9 0 9 2 2 0 1 0 8 0 sockpl 456 7848 0 7681 209 188 21 35 0 8 0 sockpl: pool(0xffffffff82d1aa90:sockpl): free list modified: page 0xfffffd807b49e000; item ordinal 0; addr 0xfffffd807b49e403 (p 0xfffffd807b49e000); offset 0x0=0xcfe360a95c62ddc3 pool(sockpl): free list modified: page 0xfffffd807b49e000; item ordinal 0; addr 0xfffffd807b49e403 (p 0xfffffd807b49e000); offset 0x0=0xad4110de sockpl: pool(0xffffffff82d1aa90:sockpl): page inconsistency: page 0xfffffd807b49e000; item ordinal 1; addr 0x415c2c1a3ef31543 mcl64k 65536 109 0 106 4 3 1 1 0 8 0 mcl16k 16384 43 0 43 6 5 1 1 0 8 1 mcl12k 12288 99 0 99 6 5 1 1 0 8 1 mcl9k 9216 60 0 60 8 7 1 1 0 8 1 mcl8k 8192 195 0 195 5 4 1 1 0 8 1 mcl4k 4096 388 0 388 2 1 1 1 0 8 1 mcl2k2 2112 13 0 13 8 8 0 1 0 8 0 mcl2k 2048 69989 0 69937 52 43 9 45 0 8 1 mtagpl 96 1094 0 541 18 1 17 17 0 8 0 mbufpl 256 143062 0 142350 168 116 52 103 0 8 0 bufpl 288 9703 0 3303 458 0 458 458 0 8 0 anonpl 24 415058 0 402959 118 31 87 102 0 188 0 amapchunkpl 152 77814 0 76959 47 12 35 38 0 158 1 amappl16 200 10167 0 9801 50 29 21 33 0 8 1 amappl15 192 21 0 21 1 1 0 1 0 8 0 amappl14 184 168 0 154 2 1 1 2 0 8 0 amappl13 176 76 0 76 2 2 0 1 0 8 0 amappl12 168 3342 0 3313 2 0 2 2 0 8 0 amappl11 160 50 0 40 1 0 1 1 0 8 0 amappl10 152 37 0 29 2 1 1 1 0 8 0 amappl9 144 235 0 235 2 2 0 1 0 8 0 amappl8 136 221 0 156 3 0 3 3 0 8 0 amappl7 128 65 0 55 1 0 1 1 0 8 0 amappl6 120 258 0 241 2 1 1 2 0 8 0 amappl5 112 236 0 225 1 0 1 1 0 8 0 amappl4 104 577 0 547 2 1 1 2 0 8 0 amappl3 96 15761 0 15678 4 1 3 3 0 8 0 amappl2 88 3005 0 2945 3 1 2 3 0 8 0 amappl1 80 17959 0 17452 22 11 11 22 0 8 0 amappl 88 23719 0 23485 6 0 6 6 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 139 0 9 3 0 3 3 0 8 0 uaddrrnd 24 2805 0 2779 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 2805 0 2779 1 0 1 1 0 8 0 vmmpekpl 168 25892 0 25840 3 0 3 3 0 8 0 vmmpepl 168 176820 0 174703 155 49 106 114 0 357 9 vmsppl 368 2804 0 2779 3 0 3 3 0 8 0 rwobjpl 24 55077 0 47641 46 1 45 45 0 8 0 pdppl 4096 5616 0 5558 178 114 64 66 0 8 6 pvpl 32 958732 0 941350 383 218 165 358 0 265 8 pmappl 216 2804 0 2779 2 0 2 2 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 1195 0 376 25 0 25 25 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8282a00b) at panic+0x165 sys/kern/subr_prf.c:198 pool_do_get(ffffffff82d1aa90,9,ffff80002e8a5d68) at pool_do_get+0x427 sys/kern/subr_pool.c:738 pool_get(ffffffff82d1aa90,9) at pool_get+0xb7 sys/kern/subr_pool.c:582 socreate(1,ffff80002e8a5e40,2,0) at socreate+0xb8 soalloc sys/kern/uipc_socket.c:157 [inline] socreate(1,ffff80002e8a5e40,2,0) at socreate+0xb8 sys/kern/uipc_socket.c:193 sys_socketpair(ffff8000216ac558,ffff80002e8a5ed0,ffff80002e8a5f20) at sys_socketpair+0x72 sys/kern/uipc_syscalls.c:474 syscall(ffff80002e8a5fa0) at syscall+0x4a8 sys/arch/amd64/amd64/trap.c:623 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xf99bfb9b100, count: -8 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8282a00b) at panic+0x165 sys/kern/subr_prf.c:198 pool_do_get(ffffffff82d1aa90,9,ffff80002e8a5d68) at pool_do_get+0x427 sys/kern/subr_pool.c:738 pool_get(ffffffff82d1aa90,9) at pool_get+0xb7 sys/kern/subr_pool.c:582 socreate(1,ffff80002e8a5e40,2,0) at socreate+0xb8 soalloc sys/kern/uipc_socket.c:157 [inline] socreate(1,ffff80002e8a5e40,2,0) at socreate+0xb8 sys/kern/uipc_socket.c:193 sys_socketpair(ffff8000216ac558,ffff80002e8a5ed0,ffff80002e8a5f20) at sys_socketpair+0x72 sys/kern/uipc_syscalls.c:474 syscall(ffff80002e8a5fa0) at syscall+0x4a8 sys/arch/amd64/amd64/trap.c:623 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xf99bfb9b100, count: -8