panic: pool_do_put: shmpl: double pool_put: 0xfffffd806b841000
Stopped at db_enter+0x25: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
370794 75282 0 0 0 1 syz-executor
* 32309 75282 0 0 0x4000000 0 syz-executor
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8307b4ef) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_put(ffffffff835a59f0,fffffd806b841000) at pool_do_put+0x1be sys/kern/subr_pool.c:841
pool_put(ffffffff835a59f0,fffffd806b841000) at pool_put+0xb3 sys/kern/subr_pool.c:799
shm_delete_mapping(fffffd806bf86aa0,ffff8000012b8008) at shm_delete_mapping+0x1ac shm_deallocate_segment sys/kern/sysv_shm.c:153 [inline]
shm_delete_mapping(fffffd806bf86aa0,ffff8000012b8008) at shm_delete_mapping+0x1ac sys/kern/sysv_shm.c:174
syscall(ffff8000359b0770) at syscall+0xaf8 mi_syscall sys/sys/syscall_mi.h:178 [inline]
syscall(ffff8000359b0770) at syscall+0xaf8 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xbc5efb2e410, count: 8
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
*cpu0: pool_do_put: shmpl: double pool_put: 0xfffffd806b841000
ddb{0}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8307b4ef) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_put(ffffffff835a59f0,fffffd806b841000) at pool_do_put+0x1be sys/kern/subr_pool.c:841
pool_put(ffffffff835a59f0,fffffd806b841000) at pool_put+0xb3 sys/kern/subr_pool.c:799
shm_delete_mapping(fffffd806bf86aa0,ffff8000012b8008) at shm_delete_mapping+0x1ac shm_deallocate_segment sys/kern/sysv_shm.c:153 [inline]
shm_delete_mapping(fffffd806bf86aa0,ffff8000012b8008) at shm_delete_mapping+0x1ac sys/kern/sysv_shm.c:174
syscall(ffff8000359b0770) at syscall+0xaf8 mi_syscall sys/sys/syscall_mi.h:178 [inline]
syscall(ffff8000359b0770) at syscall+0xaf8 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xbc5efb2e410, count: -7
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff8000359b04a0
rbx 0xffffffff83414dbf cpu_info_full_primary+0x2dbf
rdx 0
rcx 0xffff80002a12b988
rax 0xffffffff83413ff0 cpu_info_full_primary+0x1ff0
r8 0x101010101010101
r9 0x8080808080808080
r10 0x4a48cb04455536fd
r11 0x811011338b87bfe1
r12 0xffffffff83414bc0 cpu_info_full_primary+0x2bc0
r13 0
r14 0
r15 0x1
rip 0xffffffff81d0d485 db_enter+0x25
cs 0x8
rflags 0x246
rsp 0xffff8000359b0490
ss 0
db_enter+0x25: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor) tid=32309 pid=75282 tcnt=3 stat=onproc
flags process=0 proc=4000000<THREAD>
runpri=32, usrpri=50, slppri=32, nice=20
wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
forw=0xffffffffffffffff, list=0xffff80002a12bc10,0xffff80002a12af78
process=0xffff800037260910 user=0xffff8000359ab000, vmspace=0xfffffd806bf86aa0
estcpu=36, cpticks=0, pctcpu=0.0, user=0, sys=0, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
39909 58017 33378 0 2 0 syz-executor
39909 40427 33378 0 3 0x4000080 lockf syz-executor
75282 370794 9457 0 7 0 syz-executor
*75282 32309 9457 0 7 0x4000000 syz-executor
75282 71030 9457 0 3 0x4000080 fsleep syz-executor
90167 265184 42103 0 2 0 syz-executor
90167 88108 42103 0 3 0x4000080 fsleep syz-executor
94615 120482 50219 0 3 0x80 nanoslp syz-executor
94615 118560 50219 0 3 0x4000080 kqread syz-executor
94615 434251 50219 0 3 0x4000080 fifor syz-executor
94615 414718 50219 0 3 0x4000080 fsleep syz-executor
21627 299928 38431 0 3 0x80 nanoslp syz-executor
21627 157729 38431 0 3 0x4000080 fifor syz-executor
21627 164438 38431 0 3 0x4000080 fsleep syz-executor
37099 123644 92680 0 3 0x80 nanoslp syz-executor
37099 119570 92680 0 3 0x4000080 netcon syz-executor
37099 446981 92680 0 3 0x4000080 fsleep syz-executor
29265 454461 1 0 3 0x80 nanoslp init
65729 62349 90532 0 3 0x82 netio sshd-session
68178 305701 0 0 3 0x14280 nfsidl nfsio
74314 443761 0 0 3 0x14280 nfsidl nfsio
36752 314017 0 0 3 0x14280 nfsidl nfsio
14841 305602 0 0 3 0x14280 nfsidl nfsio
60386 335792 0 0 3 0x14280 nfsidl nfsio
5687 276915 0 0 3 0x14280 nfsidl nfsio
95088 92255 0 0 3 0x14280 nfsidl nfsio
96690 468015 0 0 3 0x14280 nfsidl nfsio
24160 502413 0 0 3 0x14280 nfsidl nfsio
97161 430378 0 0 3 0x14280 nfsidl nfsio
22206 264669 0 0 3 0x14280 nfsidl nfsio
63686 273812 0 0 3 0x14280 nfsidl nfsio
46294 370466 0 0 3 0x14280 nfsidl nfsio
29814 71865 0 0 3 0x14280 nfsidl nfsio
58516 240085 0 0 3 0x14280 nfsidl nfsio
46707 130851 0 0 3 0x14280 nfsidl nfsio
90630 155695 0 0 3 0x14280 nfsidl nfsio
27641 273189 0 0 3 0x14280 nfsidl nfsio
16783 102313 0 0 3 0x14280 nfsidl nfsio
20317 143692 0 0 3 0x14280 nfsidl nfsio
54064 73022 0 0 3 0x14200 bored sosplice
40783 218799 61832 0 3 0x82 nanoslp syz-executor
38431 259361 61832 0 3 0x82 nanoslp syz-executor
9457 407930 61832 0 3 0x82 nanoslp syz-executor
92680 354593 61832 0 3 0x82 nanoslp syz-executor
50219 101679 61832 0 3 0x82 nanoslp syz-executor
46803 390522 61832 0 3 0x2 biowait syz-executor
33378 388619 61832 0 3 0x82 nanoslp syz-executor
42103 93252 61832 0 3 0x82 nanoslp syz-executor
61832 418152 51505 0 3 0x82 kqread syz-executor
51505 237784 54966 0 3 0x10008a sigsusp ksh
54966 493777 60378 0 3 0x98 kqread sshd-session
60378 319487 90532 0 3 0x92 kqread sshd-session
90532 223299 1 0 3 0x88 kqread sshd
37470 92470 55792 74 3 0x1100092 bpf pflogd
55792 139216 1 0 3 0x80 sbwait pflogd
15872 385193 55834 73 3 0x1100090 kqread syslogd
55834 508734 1 0 3 0x100082 sbwait syslogd
27395 474732 1 0 3 0x100080 kqread resolvd
13402 483316 71690 77 3 0x100092 kqread dhcpleased
21676 279765 71690 77 3 0x100092 kqread dhcpleased
71690 301963 1 0 3 0x80 kqread dhcpleased
69130 328342 0 0 3 0x14200 bored smr
29225 82288 0 0 2 0x14200 zerothread
76444 238450 0 0 3 0x14200 aiodoned aiodoned
90318 462376 0 0 3 0x14200 syncer update
61412 72624 0 0 3 0x14200 cleaner cleaner
63179 307224 0 0 3 0x14200 reaper reaper
85523 360327 0 0 3 0x14200 pgdaemon pagedaemon
52991 508265 0 0 3 0x14200 bored viomb
91931 504689 0 0 3 0x40014200 acpi0 acpi0
23196 50615 0 0 3 0x40014200 idle1
61214 159181 0 0 3 0x14200 bored softnet3
45271 454340 0 0 3 0x14200 bored softnet2
98598 141987 0 0 3 0x14200 bored softnet1
9517 44211 0 0 3 0x14200 bored softnet0
84088 227675 0 0 3 0x14200 bored systqmp
31821 425315 0 0 3 0x14200 bored systq
9655 365639 0 0 3 0x14200 tmoslp softclockmp
18496 125336 0 0 3 0x40014200 tmoslp softclock
61599 28989 0 0 3 0x40014200 idle0
1 445453 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
CPU 0:
exclusive mutex shmpl r = 0 (0xffffffff835a5a00)
#0 witness_lock+0x5bb stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5bb sys/kern/subr_witness.c:1155
#1 mtx_enter_try+0x178
#2 mtx_enter+0x60 sys/kern/kern_lock.c:239
#3 pool_put+0x9f sys/kern/subr_pool.c:797
#4 shm_delete_mapping+0x1ac shm_deallocate_segment sys/kern/sysv_shm.c:153 [inline]
#4 shm_delete_mapping+0x1ac sys/kern/sysv_shm.c:174
#5 syscall+0xaf8 mi_syscall sys/sys/syscall_mi.h:178 [inline]
#5 syscall+0xaf8 sys/arch/amd64/amd64/trap.c:577
#6 Xsyscall+0x128
Process 75282 (syz-executor) thread 0xffff80002a12b988 (32309)
Process 75282 (syz-executor) thread 0xffff80002a12a2c0 (71030)
Process 46803 (syz-executor) thread 0xffff80002a03ea38 (390522)
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10209 11265K 11656K 166960K 12582 0
pcb 18 13K 14K 166960K 167 0
rtable 205 7K 8K 166960K 461 0
pf 40 18K 82K 166960K 84 0
ifaddr 42 6K 8K 166960K 67 0
ifgroup 67 2K 3K 166960K 106 0
sysctl 3 0K 0K 166960K 3 0
counters 70 37K 37K 166960K 94 0
ioctlops 0 0K 4K 166960K 1536 0
iov 0 0K 16K 166960K 44 0
mount 1 1K 1K 166960K 1 0
log 0 0K 0K 166960K 4 0
vnodes 1427 90K 90K 166960K 1997 0
UFS quota 1 32K 32K 166960K 1 0
UFS mount 5 36K 36K 166960K 5 0
shm 3 5K 5K 166960K 16 0
VM map 2 1K 1K 166960K 2 0
sem 12 0K 0K 166960K 45 0
dirhash 12 2K 2K 166960K 33 0
ACPI 1690 195K 286K 166960K 12468 0
file desc 17 61K 93K 166960K 812 0
sigio 1 0K 0K 166960K 19 0
proc 64 79K 140K 166960K 634 0
subproc 104 6K 6K 166960K 138 0
NFS srvsock 1 0K 0K 166960K 1 0
NFS daemon 1 16K 16K 166960K 1 0
ip_moptions 0 0K 0K 166960K 187 0
in_multi 83 6K 7K 166960K 130 0
ether_multi 1 0K 0K 166960K 3 0
mrt 1 0K 0K 166960K 3 0
ISOFS mount 1 32K 32K 166960K 1 0
MSDOSFS mount 1 16K 16K 166960K 1 0
ttys 85 387K 387K 166960K 85 0
exec 0 0K 1K 166960K 543 0
fusefs mount 1 32K 32K 166960K 1 0
pfkey data 0 0K 0K 166960K 1 0
tdb 3 0K 0K 166960K 3 0
VM swap 8 62K 64K 166960K 10 0
UVM amap 258 74K 87K 166960K 9383 0
UVM aobj 23 2K 2K 166960K 29 0
pinsyscall 43 86K 106K 166960K 1896 0
memdesc 1 4K 4K 166960K 1 0
crypto data 1 1K 1K 166960K 1 0
ip6_options 0 0K 0K 166960K 41 0
NDP 15 0K 1K 166960K 46 0
temp 56 6822K 6893K 166960K 35385 0
kqueue 16 26K 30K 166960K 150 0
SYN cache 2 16K 16K 166960K 2 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 24 0 0 1 0 1 1 0 8 0
rtpcb 120 114 0 111 2 0 2 2 0 8 1
rtentry 112 146 0 55 4 0 4 4 0 8 0
unpcb 144 770 0 682 7 1 6 6 0 8 2
syncache 336 5 0 5 3 2 1 1 0 8 1
tcpqe 32 2 0 2 1 0 1 1 0 8 1
tcpcb 808 269 0 260 8 0 8 8 0 8 7
arp 120 25 0 9 1 0 1 1 0 8 0
inpcb 336 1068 0 1052 8 0 8 8 0 8 6
nd6 136 33 0 7 1 0 1 1 0 8 0
pkpcb 40 4 0 4 2 1 1 1 0 8 1
kcovpl 48 8 0 0 1 0 1 1 0 8 0
ppxss 1168 8 0 8 1 0 1 1 0 8 1
pffrag 232 5 0 1 1 0 1 1 0 482 0
pffrnode 88 5 0 1 1 0 1 1 0 8 0
pffrent 40 10 0 6 1 0 1 1 0 8 0
pfosfp 40 1428 0 1005 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfstitem 24 78 0 13 1 0 1 1 0 8 0
pfstkey 128 78 0 13 3 0 3 3 0 8 0
pfstate 376 78 0 13 7 0 7 7 0 8 0
pfrule 1344 21 0 15 2 0 2 2 0 8 0
art_heap8 4096 3 0 0 3 0 3 3 0 8 0
art_heap4 256 593 0 184 30 1 29 30 0 8 1
art_table 32 596 0 184 4 0 4 4 0 8 0
art_node 16 144 0 64 1 0 1 1 0 8 0
sysvmsgpl 40 11 0 2 1 0 1 1 0 8 0
semapl 112 37 0 27 1 0 1 1 0 8 0
shmpl 112 26 0 6 1 0 1 1 0 8 0
pool(shmpl): free list modified: page 0xfffffd806b841000; item ordinal 0; addr 0xfffffd806b841000 (p 0xfffffd806b841000); offset 0x1c=0xdeafbeac
dirhash 1024 32 0 15 3 0 3 3 0 8 0
dino2pl 256 2849 0 1353 95 0 95 95 0 8 0
ffsino 272 2849 0 1353 101 0 101 101 0 8 0
nchpl 144 4009 0 2321 63 0 63 63 0 8 0
uvmvnodes 80 3333 0 0 69 0 69 69 0 8 0
vnodes 216 3333 0 0 186 0 186 186 0 8 0
namei 1024 14244 0 14244 2 0 2 2 0 8 2
percpumem 16 61 0 12 1 0 1 1 0 8 0
kstatmem 264 54 0 24 3 0 3 3 0 8 1
scsiplug 72 2 0 2 1 1 0 1 0 8 0
scxspl 216 13684 0 13683 10 8 2 8 1 8 1
plimitpl 152 113 0 94 1 0 1 1 0 8 0
sigapl 424 1137 0 1066 9 0 9 9 0 8 0
futexpl 64 11135 0 11130 1 0 1 1 0 8 0
knotepl 120 514 0 0 16 0 16 16 0 8 0
kqueuepl 216 226 0 214 2 0 2 2 0 8 1
pipepl 320 236 0 208 6 0 6 6 0 8 3
fdescpl 496 1096 0 1064 5 0 5 5 0 8 0
filepl 152 6798 0 6471 18 0 18 18 0 8 5
lockfpl 104 227 0 223 1 0 1 1 0 8 0
lockfspl 48 94 0 91 1 0 1 1 0 8 0
sessionpl 144 25 0 16 1 0 1 1 0 8 0
pgrppl 48 42 0 25 1 0 1 1 0 8 0
ucredpl 104 898 0 885 1 0 1 1 0 8 0
zombiepl 144 1067 0 1066 1 0 1 1 0 8 0
processpl 1160 1137 0 1066 6 0 6 6 0 8 0
procpl 648 2298 0 2216 8 0 8 8 0 8 0
srpgc 96 2 0 2 1 0 1 1 0 8 1
sosppl 168 4 0 4 1 0 1 1 0 8 1
sockpl 664 1966 0 1860 17 6 11 15 0 8 2
mcl64k 65536 3 0 0 1 0 1 1 0 8 0
mcl12k 12288 2 0 0 1 0 1 1 0 8 0
mcl8k 8192 4 0 0 1 0 1 1 0 8 0
mcl4k 4096 135 0 0 17 0 17 17 0 8 0
mcl2k 2048 21 0 0 3 0 3 3 0 8 0
mtagpl 96 83 0 0 3 0 3 3 0 8 0
mbufpl 256 286 0 0 18 0 18 18 0 8 0
bufpl 280 4581 0 100 321 0 321 321 0 8 0
anonpl 24 242536 0 237042 73 12 61 69 0 185 3
amapchunkpl 152 30674 0 30044 31 1 30 31 0 158 4
amappl16 200 6840 0 6770 26 9 17 23 0 8 6
amappl15 192 11 0 11 1 1 0 1 0 8 0
amappl14 184 123 0 111 1 0 1 1 0 8 0
amappl13 176 20 0 20 1 1 0 1 0 8 0
amappl12 168 1770 0 1739 4 2 2 3 0 8 0
amappl11 160 71 0 57 1 0 1 1 0 8 0
amappl10 152 9 0 9 1 1 0 1 0 8 0
amappl9 144 157 0 157 1 1 0 1 0 8 0
amappl8 136 22 0 19 1 0 1 1 0 8 0
amappl7 128 121 0 109 1 0 1 1 0 8 0
amappl6 120 170 0 169 1 0 1 1 0 8 0
amappl5 112 141 0 126 1 0 1 1 0 8 0
amappl4 104 328 0 310 1 0 1 1 0 8 0
amappl3 96 5567 0 5463 3 0 3 3 0 8 0
amappl2 88 1388 0 1299 4 1 3 3 0 8 0
amappl1 80 9989 0 9362 18 2 16 16 0 8 1
amappl 88 8905 0 8711 5 0 5 5 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 19 0 18 1 0 1 1 0 8 0
aobjpl 72 28 0 6 1 0 1 1 0 8 0
pool(aobjpl): free list modified: page 0xfffffd80709fe000; item ordinal 0; addr 0xfffffd80709fe5e8 (p 0xfffffd80709fe000); offset 0xc=0xdead410f
uaddrrnd 24 1096 0 1064 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 1096 0 1064 1 0 1 1 0 8 0
vmmpekpl 168 10503 0 10462 3 0 3 3 0 8 0
vmmpepl 168 76128 0 74094 106 3 103 104 0 357 6
vmsppl 448 1095 0 1064 6 2 4 5 0 8 0
rwobjpl 56 28230 0 23811 63 0 63 63 0 8 0
pdppl 4096 2199 0 2128 109 36 73 85 0 8 2
pvpl 32 17277 0 0 140 0 140 140 0 265 0
pmappl 248 1095 0 1064 3 0 3 3 0 8 0
extentpl 40 55 0 38 1 0 1 1 0 8 0
phpool 112 412 0 43 11 0 11 11 0 8 0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8307b4ef) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_put(ffffffff835a59f0,fffffd806b841000) at pool_do_put+0x1be sys/kern/subr_pool.c:841
pool_put(ffffffff835a59f0,fffffd806b841000) at pool_put+0xb3 sys/kern/subr_pool.c:799
shm_delete_mapping(fffffd806bf86aa0,ffff8000012b8008) at shm_delete_mapping+0x1ac shm_deallocate_segment sys/kern/sysv_shm.c:153 [inline]
shm_delete_mapping(fffffd806bf86aa0,ffff8000012b8008) at shm_delete_mapping+0x1ac sys/kern/sysv_shm.c:174
syscall(ffff8000359b0770) at syscall+0xaf8 mi_syscall sys/sys/syscall_mi.h:178 [inline]
syscall(ffff8000359b0770) at syscall+0xaf8 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xbc5efb2e410, count: -7
ddb{0}> machine ddbcpu 1
Stopped at x86_ipi_db+0x27: addq $0x8,%rsp
x86_ipi_db(ffff800029b7bff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
end of kernel
end trace frame: 0x76ec6ae30080, count: 12
ddb{1}> trace
x86_ipi_db(ffff800029b7bff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
end of kernel
end trace frame: 0x76ec6ae30080, count: -3