panic: pool_do_get: sockpl free list modified: page 0xfffffd80659a4000; item addr 0xfffffd80659a407a; offset 0x0=0x83fdedd14b45cdba != 0xedd14b45cdba03d3 Stopped at db_enter+0x1c: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *261012 9902 0 0 0x4000000 0 syz-executor.3 db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8290369e) at panic+0x165 sys/kern/subr_prf.c:198 pool_do_get(ffffffff82d93770,9,ffff80003295dae8) at pool_do_get+0x427 sys/kern/subr_pool.c:738 pool_get(ffffffff82d93770,9) at pool_get+0xb7 sys/kern/subr_pool.c:582 socreate(1,ffff80003295dbc8,1,0) at socreate+0xc6 soalloc sys/kern/uipc_socket.c:157 [inline] socreate(1,ffff80003295dbc8,1,0) at socreate+0xc6 sys/kern/uipc_socket.c:193 sys_socketpair(ffff80002a6877e8,ffff80003295dc50,ffff80003295dc90) at sys_socketpair+0xab sys/kern/uipc_syscalls.c:477 syscall(ffff80003295dd50) at syscall+0x5ef sys/arch/amd64/amd64/trap.c:591 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x73d1df18c40, count: 7 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: pool_do_get: sockpl free list modified: page 0xfffffd80659a4000; item addr 0xfffffd80659a407a; offset 0x0=0x83fdedd14b45cdba != 0xedd14b45cdba03d3 ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8290369e) at panic+0x165 sys/kern/subr_prf.c:198 pool_do_get(ffffffff82d93770,9,ffff80003295dae8) at pool_do_get+0x427 sys/kern/subr_pool.c:738 pool_get(ffffffff82d93770,9) at pool_get+0xb7 sys/kern/subr_pool.c:582 socreate(1,ffff80003295dbc8,1,0) at socreate+0xc6 soalloc sys/kern/uipc_socket.c:157 [inline] socreate(1,ffff80003295dbc8,1,0) at socreate+0xc6 sys/kern/uipc_socket.c:193 sys_socketpair(ffff80002a6877e8,ffff80003295dc50,ffff80003295dc90) at sys_socketpair+0xab sys/kern/uipc_syscalls.c:477 syscall(ffff80003295dd50) at syscall+0x5ef sys/arch/amd64/amd64/trap.c:591 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x73d1df18c40, count: -8 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80003295d960 rbx 0xedd14b45cdba03d3 rdx 0 rcx 0 rax 0xffff80002a6877e8 r8 0x101010101010101 r9 0x8080808080808080 r10 0x4ebfc671cac5f8c8 r11 0xe9f073fed2fbea0e r12 0 r13 0xfffffd80659a407a r14 0 r15 0x1 rip 0xffffffff81727edc db_enter+0x1c cs 0x8 rflags 0x246 rsp 0xffff80003295d950 ss 0x10 db_enter+0x1c: addq $0x8,%rsp ddb> show proc PROC (syz-executor.3) tid=261012 pid=9902 tcnt=3 stat=onproc flags process=0 proc=4000000 runpri=32, usrpri=84, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 forw=0xffffffffffffffff, list=0xffff80002a687d38,0xffff80002a686560 process=0xffff80002daf2e30 user=0xffff800032958000, vmspace=0xfffffd807cc208b0 estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 49249 282829 59348 0 2 0 syz-executor.5 49249 414 59348 0 3 0x4000080 fsleep syz-executor.5 49249 317851 59348 0 3 0x4000080 fsleep syz-executor.5 10564 466437 10926 0 2 0 syz-executor.6 10564 467854 10926 0 2 0x4000000 syz-executor.6 9902 460508 73362 0 2 0 syz-executor.3 * 9902 261012 73362 0 7 0x4000000 syz-executor.3 9902 204258 73362 0 3 0x4000080 fsleep syz-executor.3 89221 313912 69419 0 2 0 syz-executor.0 89221 414539 69419 0 3 0x4000080 fsleep syz-executor.0 89221 69182 69419 0 3 0x4000080 netio syz-executor.0 89221 280800 69419 0 3 0x4000080 fsleep syz-executor.0 77289 420444 25588 0 2 0x2 syz-executor.7 91473 24182 0 0 3 0x14280 nfsidl nfsio 51992 197008 0 0 3 0x14280 nfsidl nfsio 25423 345169 0 0 3 0x14280 nfsidl nfsio 51546 193052 0 0 3 0x14280 nfsidl nfsio 98549 518798 0 0 3 0x14280 nfsidl nfsio 587 432577 0 0 3 0x14280 nfsidl nfsio 12997 254758 0 0 3 0x14280 nfsidl nfsio 13507 60481 0 0 3 0x14280 nfsidl nfsio 105 138800 0 0 3 0x14280 nfsidl nfsio 34040 64046 0 0 3 0x14280 nfsidl nfsio 29017 316146 0 0 3 0x14280 nfsidl nfsio 23914 56756 0 0 3 0x14280 nfsidl nfsio 59587 368751 0 0 3 0x14280 nfsidl nfsio 4813 383020 0 0 3 0x14280 nfsidl nfsio 83334 35759 0 0 3 0x14280 nfsidl nfsio 79755 232999 0 0 3 0x14280 nfsidl nfsio 1568 435282 0 0 3 0x14280 nfsidl nfsio 7803 387575 0 0 3 0x14280 nfsidl nfsio 10552 324467 0 0 3 0x14280 nfsidl nfsio 43895 455666 0 0 3 0x14280 nfsidl nfsio 68793 414212 1 0 3 0x80 nanoslp init 87304 299069 25588 0 3 0x82 nanoslp syz-executor.2 10926 150196 25588 0 3 0x82 nanoslp syz-executor.6 11601 198551 25588 0 2 0x2 syz-executor.1 69419 80227 25588 0 3 0x82 nanoslp syz-executor.0 59348 491627 25588 0 3 0x82 nanoslp syz-executor.5 68 34858 25588 0 3 0x82 nanoslp syz-executor.4 73362 145909 25588 0 3 0x82 nanoslp syz-executor.3 88373 31707 0 0 3 0x14200 acct acct 57798 234539 0 0 3 0x14200 bored sosplice 25588 35045 61828 0 3 0x2000082 wait syz-fuzzer 25588 378150 61828 0 3 0x6000082 nanoslp syz-fuzzer 25588 410071 61828 0 3 0x6000082 wait syz-fuzzer 25588 401049 61828 0 3 0x6000082 thrsleep syz-fuzzer 25588 58133 61828 0 3 0x6000082 wait syz-fuzzer 25588 197986 61828 0 3 0x6000082 wait syz-fuzzer 25588 310531 61828 0 3 0x6000082 kqread syz-fuzzer 25588 255859 61828 0 3 0x6000082 thrsleep syz-fuzzer 25588 416880 61828 0 3 0x6000082 wait syz-fuzzer 25588 220225 61828 0 3 0x6000082 thrsleep syz-fuzzer 25588 295178 61828 0 3 0x6000082 wait syz-fuzzer 25588 357161 61828 0 3 0x6000082 thrsleep syz-fuzzer 25588 31170 61828 0 3 0x6000082 wait syz-fuzzer 25588 285664 61828 0 3 0x6000082 wait syz-fuzzer 61828 263458 18625 0 3 0x10008a sigsusp ksh 18625 291400 26971 0 3 0x13 kernel: protection fault trap, code=0 Faulted in DDB; continuing... ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10235 6451K 8562K 166960K 41679 0 pcb 15 20K 22K 166960K 1126 0 rtable 188 14K 16K 166960K 5311 0 pf 37 10K 10K 166960K 375 0 ifaddr 38 11K 13K 166960K 422 0 ifgroup 66 2K 2K 166960K 636 0 sysctl 4 1K 3K 166960K 11 0 counters 34 18K 18K 166960K 182 0 ioctlops 0 0K 2K 166960K 890 0 iov 1 2K 24K 166960K 951 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1695 106K 106K 166960K 12044 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 9K 166960K 194 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 2093 0 dirhash 12 2K 2K 166960K 69 0 ACPI 1697 195K 286K 166960K 12548 0 file desc 14 49K 73K 166960K 12531 0 sigio 0 0K 0K 166960K 362 0 proc 51 50K 83K 166960K 2641 0 subproc 104 6K 6K 166960K 992 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 1199 0 in_multi 73 5K 7K 166960K 1005 0 ether_multi 1 0K 0K 166960K 4 0 mrt 1 0K 0K 166960K 1 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 235 1049K 1049K 166960K 235 0 exec 0 0K 1K 166960K 2663 0 pfkey data 0 0K 0K 166960K 14 0 tdb 3 0K 0K 166960K 3 0 pagedep 1 8K 8K 166960K 1 0 inodedep 1 32K 32K 166960K 1 0 newblk 1 0K 0K 166960K 1 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 468 588K 597K 166960K 114353 0 UVM aobj 131 4K 4K 166960K 131 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 585 0 NDP 15 0K 2K 166960K 326 0 temp 76 6706K 7343K 166960K 129577 0 kqueue 12 18K 30K 166960K 881 0 SYN cache 2 1236K 1244K 166960K 3 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 2124 0 2121 18 17 1 4 0 8 0 rtentry 112 1140 0 1061 5 2 3 4 0 8 0 unpcb 144 10044 0 10028 102 101 1 8 0 8 0 syncache 312 78 0 78 19 19 0 1 0 8 0 tcpqe 32 230 0 230 16 16 0 1 0 8 0 tcpcb 808 3194 0 3189 105 104 1 12 0 8 0 arp 88 203 0 193 1 0 1 1 0 8 0 ipq 40 111 0 109 6 5 1 1 0 8 0 ipqe 40 294 0 292 6 5 1 1 0 8 0 inpcb 336 14493 0 14485 156 154 2 14 0 8 1 nd6 104 251 0 235 1 0 1 1 0 8 0 pkpcb 40 133 0 133 9 9 0 1 0 8 0 kcovpl 48 76 0 68 1 0 1 1 0 8 0 ppxss 1072 32 0 32 8 8 0 1 0 8 0 art_heap8 4096 4 0 3 3 2 1 3 0 8 0 art_heap4 256 4203 0 3807 76 51 25 29 0 8 0 art_table 32 4207 0 3810 5 1 4 4 0 8 0 art_node 16 1060 0 987 1 0 1 1 0 8 0 sysvmsgpl 40 43 0 17 1 0 1 1 0 8 0 semapl 112 2091 0 2081 1 0 1 1 0 8 0 shmpl 112 128 0 0 4 0 4 4 0 8 0 dirhash 1024 55 0 38 3 0 3 3 0 8 0 dino2pl 256 16909 0 15422 94 0 94 94 0 8 0 ffsino 240 16909 0 15422 88 0 88 88 0 8 0 nchpl 144 32898 0 31251 63 0 63 63 0 8 0 uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0 vnodes 216 5926 0 0 330 0 330 330 0 8 0 namei 1024 119195 0 119195 8 7 1 3 0 8 1 vcpupl 2048 143 0 0 18 0 18 18 0 8 0 vmpool 664 158 0 15 12 0 12 12 0 8 0 kstatmem 264 326 0 296 5 2 3 3 0 8 0 scxspl 216 109969 0 109969 24 23 1 8 1 8 1 plimitpl 152 1697 0 1683 1 0 1 1 0 8 0 sigapl 424 13163 0 13098 8 0 8 8 0 8 0 futexpl 64 124351 0 124346 10 9 1 1 0 8 0 knotepl 120 104853 0 104768 34 30 4 18 0 8 0 kqueuepl 184 2130 0 2122 31 30 1 6 0 8 0 pipepl 288 2334 0 2305 51 48 3 7 0 8 0 fdescpl 432 12664 0 12639 4 0 4 4 0 8 0 filepl 120 84190 0 83950 118 108 10 18 0 8 0 lockfpl 104 3349 0 3347 6 5 1 2 0 8 0 lockfspl 48 1146 0 1144 1 0 1 1 0 8 0 sessionpl 144 97 0 82 1 0 1 1 0 8 0 pgrppl 48 407 0 392 1 0 1 1 0 8 0 ucredpl 104 9908 0 9893 1 0 1 1 0 8 0 zombiepl 144 13100 0 13098 3 2 1 1 0 8 0 processpl 1072 13163 0 13098 5 0 5 5 0 8 0 procpl 680 30575 0 30489 23 15 8 10 0 8 0 sosppl 168 110 0 110 17 17 0 1 0 8 0 sockpl 456 26903 0 26876 584 579 5 39 0 8 1 sockpl: pool(0xffffffff82d93770:sockpl): free list modified: page 0xfffffd80659a4000; item ordinal 0; addr 0xfffffd80659a407a (p 0xfffffd80659a4000); offset 0x0=0x83fdedd14b45cdba pool(sockpl): free list modified: page 0xfffffd80659a4000; item ordinal 0; addr 0xfffffd80659a407a (p 0xfffffd80659a4000); offset 0x0=0xbeefdead sockpl: pool(0xffffffff82d93770:sockpl): page inconsistency: page 0xfffffd80659a4000; item ordinal 1; addr 0xe6ef0a147dc58c51 mcl64k 65536 472 0 472 24 24 0 1 0 8 0 mcl16k 16384 265 0 265 25 25 0 1 0 8 0 mcl12k 12288 503 0 503 25 25 0 1 0 8 0 mcl9k 9216 223 0 223 32 31 1 1 0 8 1 mcl8k 8192 1048 0 1047 28 27 1 5 0 8 0 mcl4k 4096 1483 0 1483 26 25 1 3 0 8 1 mcl2k2 2112 126 0 126 27 26 1 1 0 8 1 mcl2k 2048 96440 0 96358 79 67 12 28 0 8 0 mtagpl 96 2109 0 1804 32 24 8 10 0 8 0 mbufpl 256 290214 0 289795 629 596 33 167 0 8 5 bufpl 288 23660 0 17269 457 0 457 457 0 8 0 anonpl 24 1256148 0 1243137 199 98 101 117 0 188 0 amapchunkpl 152 384292 0 383466 144 107 37 53 0 158 0 amappl16 200 22775 0 22271 74 46 28 34 0 8 0 amappl15 192 11 0 11 1 1 0 1 0 8 0 amappl14 184 388 0 375 2 1 1 2 0 8 0 amappl13 176 117 0 115 1 0 1 1 0 8 0 amappl12 168 14316 0 14288 2 0 2 2 0 8 0 amappl11 160 73 0 63 1 0 1 1 0 8 0 amappl10 152 94 0 84 2 1 1 1 0 8 0 amappl9 144 180 0 179 1 0 1 1 0 8 0 amappl8 136 586 0 485 4 0 4 4 0 8 0 amappl7 128 359 0 335 2 0 2 2 0 8 0 amappl6 120 1288 0 1277 1 0 1 1 0 8 0 amappl5 112 353 0 344 1 0 1 1 0 8 0 amappl4 104 993 0 967 2 1 1 2 0 8 0 amappl3 96 71131 0 71056 3 0 3 3 0 8 0 amappl2 88 13855 0 13782 3 1 2 3 0 8 0 amappl1 80 58502 0 58027 26 14 12 22 0 8 0 amappl 88 112960 0 112707 7 0 7 7 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 130 0 0 3 0 3 3 0 8 0 uaddrrnd 24 12822 0 12654 2 0 2 2 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 12822 0 12654 2 0 2 2 0 8 0 vmmpekpl 168 88960 0 88873 6 1 5 5 0 8 0 vmmpepl 168 775097 0 772773 389 262 127 138 0 357 0 vmsppl 352 12821 0 12654 19 3 16 16 0 8 0 rwobjpl 24 179503 0 171899 48 1 47 47 0 8 0 pdppl 4096 25650 0 25451 828 623 205 209 0 8 6 pvpl 32 3518444 0 3499963 492 315 177 333 0 265 0 pmappl 216 12821 0 12654 11 1 10 10 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 2743 0 1789 32 1 31 32 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8290369e) at panic+0x165 sys/kern/subr_prf.c:198 pool_do_get(ffffffff82d93770,9,ffff80003295dae8) at pool_do_get+0x427 sys/kern/subr_pool.c:738 pool_get(ffffffff82d93770,9) at pool_get+0xb7 sys/kern/subr_pool.c:582 socreate(1,ffff80003295dbc8,1,0) at socreate+0xc6 soalloc sys/kern/uipc_socket.c:157 [inline] socreate(1,ffff80003295dbc8,1,0) at socreate+0xc6 sys/kern/uipc_socket.c:193 sys_socketpair(ffff80002a6877e8,ffff80003295dc50,ffff80003295dc90) at sys_socketpair+0xab sys/kern/uipc_syscalls.c:477 syscall(ffff80003295dd50) at syscall+0x5ef sys/arch/amd64/amd64/trap.c:591 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x73d1df18c40, count: -8 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8290369e) at panic+0x165 sys/kern/subr_prf.c:198 pool_do_get(ffffffff82d93770,9,ffff80003295dae8) at pool_do_get+0x427 sys/kern/subr_pool.c:738 pool_get(ffffffff82d93770,9) at pool_get+0xb7 sys/kern/subr_pool.c:582 socreate(1,ffff80003295dbc8,1,0) at socreate+0xc6 soalloc sys/kern/uipc_socket.c:157 [inline] socreate(1,ffff80003295dbc8,1,0) at socreate+0xc6 sys/kern/uipc_socket.c:193 sys_socketpair(ffff80002a6877e8,ffff80003295dc50,ffff80003295dc90) at sys_socketpair+0xab sys/kern/uipc_syscalls.c:477 syscall(ffff80003295dd50) at syscall+0x5ef sys/arch/amd64/amd64/trap.c:591 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x73d1df18c40, count: -8