pool: free list modified: shmpl (6)

pool: free list modified: shmpl (6)

Status: upstream: reported on 2025/02/04 10:40
Reported-by: syzbot+640f5b53834a8559e680@syzkaller.appspotmail.com
First crash: 122d, last: 7h47m

▶ ▼ Similar bugs (5)

Kernel	Title	Repro	Count	Last	Reported	Patched	Status
openbsd	pool: free list modified: shmpl (3)		1	1829d	1829d	0/3	auto-closed as invalid on 2020/09/01 15:24
openbsd	pool: free list modified: shmpl	C	22	2193d	2288d	3/3	fixed on 2019/10/29 17:45
openbsd	pool: free list modified: shmpl (5)		43	200d	293d	0/3	auto-obsoleted due to no activity on 2025/01/07 01:02
openbsd	pool: free list modified: shmpl (2)		1	2009d	2009d	0/3	auto-closed as invalid on 2020/03/04 23:09
openbsd	pool: free list modified: shmpl (4)		1	570d	570d	0/3	auto-obsoleted due to no activity on 2024/02/11 22:36

Sample crash report:

./file0ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½./file0ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ ï¿½ï¿½êÏï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½panic: pool_do_get: shmpl free list modified: page 0xfffffd805e26f000; item addr 0xfffffd805e26fbd0; offset 0x40=0x6842fad4
Stopped at      db_enter+0x25:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
 516459  52467      0           0          0    1  syz-executor
* 43843  52467      0           0  0x4000000    0K syz-executor
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff833cf8e9) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff8391a840,1,ffff80003c44f108) at pool_do_get+0x5ea sys/kern/subr_pool.c:-1
pool_get(ffffffff8391a840,1) at pool_get+0x149 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff80003c410a70,ffff80003c44f360,165,ffff80003c44f2b0) at shmget_allocate_segment+0x1a7 sys/kern/sysv_shm.c:-1
sys_shmget(ffff80003c410a70,ffff80003c44f360,ffff80003c44f2b0) at sys_shmget+0x1b2 sys/kern/sysv_shm.c:482
syscall(ffff80003c44f360) at syscall+0xb08 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c44f360) at syscall+0xb08 sys/arch/amd64/amd64/trap.c:579
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xe7e80962530, count: 7
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{0}> 
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
*cpu0: pool_do_get: shmpl free list modified: page 0xfffffd805e26f000; item addr 0xfffffd805e26fbd0; offset 0x40=0x6842fad4
ddb{0}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff833cf8e9) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff8391a840,1,ffff80003c44f108) at pool_do_get+0x5ea sys/kern/subr_pool.c:-1
pool_get(ffffffff8391a840,1) at pool_get+0x149 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff80003c410a70,ffff80003c44f360,165,ffff80003c44f2b0) at shmget_allocate_segment+0x1a7 sys/kern/sysv_shm.c:-1
sys_shmget(ffff80003c410a70,ffff80003c44f360,ffff80003c44f2b0) at sys_shmget+0x1b2 sys/kern/sysv_shm.c:482
syscall(ffff80003c44f360) at syscall+0xb08 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c44f360) at syscall+0xb08 sys/arch/amd64/amd64/trap.c:579
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xe7e80962530, count: -8
ddb{0}> show registers
rdi                                0
rsi                              0x1
rbp               0xffff80003c44ef40
rbx               0xffffffff8382fdd7    cpu_info_full_primary+0x2dd7
rdx               0xffff800001473e00
rcx               0xffff80003c410a70
rax               0xffffffff8382eff0    cpu_info_full_primary+0x1ff0
r8                 0x101010101010101
r9                0x8080808080808080
r10               0x308bfc4c10689a6c
r11               0x626352f71bbd7835
r12               0xffffffff8382fbd8    cpu_info_full_primary+0x2bd8
r13                                0
r14                                0
r15                              0x1
rip               0xffffffff82907a95    db_enter+0x25
cs                               0x8
rflags                         0x246
rsp               0xffff80003c44ef30
ss                              0x10
db_enter+0x25:  addq    $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor) tid=43843 pid=52467 tcnt=3 stat=onproc
    flags process=0 proc=4000000<THREAD>
    runpri=32, usrpri=50, slppri=32, nice=20
    wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
    forw=0xffffffffffffffff, list=0xffff80003c4107e0,0xffffffff839d9308
    process=0xffff800039bef568 user=0xffff80003c44a000, vmspace=0xfffffd806c1c7018
    estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0
ddb{0}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 61935  470883  43988      0  2           0                syz-executor
 61935  308109  43988      0  3   0x4000080  fsleep        syz-executor
 61935  393794  43988      0  3   0x4000080  fsleep        syz-executor
 61935  229717  43988      0  2   0x4000000                syz-executor
 46179  116798  79476      0  2           0                syz-executor
 46179   95445  79476      0  3   0x4000080  fsleep        syz-executor
 72274   61723  65975      0  2           0                syz-executor
 72274  275947  65975      0  3   0x4000080  fsleep        syz-executor
 52467  516459  71065      0  7           0                syz-executor
 52467   58070  71065      0  2   0x4000000                syz-executor
*52467   43843  71065      0  7   0x4000000                syz-executor
 79539  336293   2224      0  2           0                syz-executor
 79539  176163   2224      0  3   0x4000080  ttyout        syz-executor
 99905  462072  90722      0  2           0                syz-executor
 99905   96588  90722      0  3   0x4000080  kqsel         syz-executor
 99905   48309  90722      0  3   0x4000080  fsleep        syz-executor
 91258  179453      0      0  3     0x14200  bored         sosplice
 79476  259234  57948      0  3        0x82  nanoslp       syz-executor
 90722  171389  57948      0  2         0x2                syz-executor
 71065  342241  57948      0  3        0x82  nanoslp       syz-executor
 46628  266772  57948      0  3        0x82  nanoslp       syz-executor
 43988  150723  57948      0  3        0x82  nanoslp       syz-executor
 61023  388751  57948      0  3        0x82  nanoslp       syz-executor
 65975  249735  57948      0  3        0x82  nanoslp       syz-executor
  2224  394424  57948      0  3        0x82  nanoslp       syz-executor
 57948   74564  81027      0  3        0x82  kqread        syz-executor
 81027  319547  35139      0  3    0x10008a  sigsusp       ksh
 35139  441983   9038      0  3        0x98  kqread        sshd-session
  9038  166670  33936      0  3        0x92  kqread        sshd-session
 30559  396806      1      0  3    0x100083  ttyin         getty
 33936  468277      1      0  3        0x88  kqread        sshd
 55203  266519  74806     74  3   0x1100092  bpf           pflogd
 74806  501679      1      0  3        0x80  sbwait        pflogd
 23796  326743  73868     73  3   0x1100090  kqread        syslogd
 73868  145624      1      0  3    0x100082  sbwait        syslogd
 83428  370506      1      0  3    0x100080  kqread        resolvd
 48192   24855  64730     77  3    0x100092  kqread        dhcpleased
 71756  479624  64730     77  3    0x100092  kqread        dhcpleased
 64730  237729      1      0  3        0x80  kqread        dhcpleased
 10193  202665      0      0  3     0x14200  pause         smr
 21483  454573      0      0  2     0x14200                zerothread
 19272  481063      0      0  3     0x14200  aiodoned      aiodoned
 14757  486745      0      0  3     0x14200  syncer        update
  4718   20080      0      0  3     0x14200  cleaner       cleaner
 86021  116751      0      0  3     0x14200  reaper        reaper
 82209  102169      0      0  3     0x14200  pgdaemon      pagedaemon
 64703  427333      0      0  3     0x14200  bored         viomb
 73789  110253      0      0  3  0x40014200  acpi0         acpi0
 89454  324472      0      0  3  0x40014200                idle1
 93391   89729      0      0  3     0x14200  bored         softnet3
 78396  270678      0      0  3     0x14200  bored         softnet2
 27514  417456      0      0  3     0x14200  bored         softnet1
 68160  379519      0      0  3     0x14200  bored         softnet0
 77566  442404      0      0  3     0x14200  bored         systqmp
 50776  201011      0      0  3     0x14200  bored         systq
 34768  298378      0      0  3     0x14200  tmoslp        softclockmp
 42677  168486      0      0  3  0x40014200  tmoslp        softclock
 28145  460067      0      0  3  0x40014200                idle0
     1  335756      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{0}> show all locks
CPU 0:
exclusive mutex shmpl r = 0 (0xffffffff8391a858)
#0  witness_lock+0x5bb stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5bb sys/kern/subr_witness.c:1160
#1  mtx_enter_try+0x1ad sys/kern/kern_lock.c:296
#2  mtx_enter+0x62 sys/kern/kern_lock.c:253
#3  pool_get+0x10b sys/kern/subr_pool.c:578
#4  shmget_allocate_segment+0x1a7 sys/kern/sysv_shm.c:-1
#5  sys_shmget+0x1b2 sys/kern/sysv_shm.c:482
#6  syscall+0xb08 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#6  syscall+0xb08 sys/arch/amd64/amd64/trap.c:579
#7  Xsyscall+0x128
Process 52467 (syz-executor) thread 0xffff80003c410a70 (43843)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff83a23cb0)
#0  witness_lock+0x5bb stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5bb sys/kern/subr_witness.c:1160
#1  syscall+0xae6 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#1  syscall+0xae6 sys/arch/amd64/amd64/trap.c:579
#2  Xsyscall+0x128
exclusive mutex shmpl r = 0 (0xffffffff8391a858)
#0  witness_lock+0x5bb stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5bb sys/kern/subr_witness.c:1160
#1  mtx_enter_try+0x1ad sys/kern/kern_lock.c:296
#2  mtx_enter+0x62 sys/kern/kern_lock.c:253
#3  pool_get+0x10b sys/kern/subr_pool.c:578
#4  shmget_allocate_segment+0x1a7 sys/kern/sysv_shm.c:-1
#5  sys_shmget+0x1b2 sys/kern/sysv_shm.c:482
#6  syscall+0xb08 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#6  syscall+0xb08 sys/arch/amd64/amd64/trap.c:579
#7  Xsyscall+0x128
ddb{0}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 10215  11034K   11494K 166960K     11882        0
            pcb    17     13K      14K 166960K        94        0
         rtable   254      9K       9K 166960K       437        0
             pf    37     18K      18K 166960K        68        0
         ifaddr    46      8K       8K 166960K        63        0
        ifgroup    59      2K       2K 166960K        87        0
         sysctl     1      1K       9K 166960K         5        0
       counters    70     37K      38K 166960K       292        0
       ioctlops     0      0K       4K 166960K      1613        0
            iov     1      0K      16K 166960K        11        0
          mount     1      1K       1K 166960K         1        0
            log     0      0K       0K 166960K         4        0
         vnodes  1375     86K      87K 166960K      1651        0
      UFS quota     1     32K      32K 166960K         1        0
      UFS mount     5     36K      36K 166960K         5        0
            shm     2      1K       5K 166960K         4        0
         VM map     2      1K       1K 166960K         2        0
            sem    12      0K       0K 166960K        18        0
        dirhash    12      2K       2K 166960K        27        0
           ACPI  1692    195K     286K 166960K     12470        0
      file desc    18     65K      93K 166960K       423        0
          sigio     0      0K       0K 166960K        12        0
           proc    72     91K     128K 166960K       557        0
        subproc    72      4K       4K 166960K        72        0
    NFS srvsock     1      0K       0K 166960K         1        0
     NFS daemon     1     16K      16K 166960K         1        0
    ip_moptions     0      0K       0K 166960K        41        0
       in_multi    93      6K       7K 166960K       115        0
    ether_multi     1      0K       0K 166960K         2        0
            mrt     1      0K       0K 166960K         6        0
    ISOFS mount     1     32K      32K 166960K         1        0
  MSDOSFS mount     1     16K      16K 166960K         1        0
           ttys    97    440K     440K 166960K        97        0
           exec     0      0K       1K 166960K       406        0
   fusefs mount     1     32K      32K 166960K         1        0
     pfkey data     0      0K       0K 166960K         1        0
            tdb     3      0K       0K 166960K         3        0
        VM swap     8     62K      64K 166960K        10        0
       UVM amap   240    159K     173K 166960K      5537        0
       UVM aobj     6      2K       2K 166960K         7        0
     pinsyscall    43     86K     106K 166960K      1541        0
        memdesc     1      4K       4K 166960K         1        0
    crypto data     1      1K       1K 166960K         1        0
    ip6_options     0      0K       0K 166960K        16        0
            NDP    13      0K       2K 166960K        37        0
           temp    77   8696K    8764K 166960K     19479        0
         kqueue    13     20K      28K 166960K        74        0
      SYN cache     2     16K      16K 166960K         2        0
ddb{0}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache    128       26    0        0     1     0     1     1     0     8    0
rtpcb      120      122    0      119     3     0     3     3     0     8    2
rtentry    176      133    0       18     6     0     6     6     0     8    0
unpcb      144      173    0      155     1     0     1     1     0     8    0
syncache   336        3    0        3     1     1     0     1     0     8    0
tcpcb      808      109    0      103     4     0     4     4     0     8    3
arp        128       23    0        1     1     0     1     1     0     8    0
inpcb      328      417    0      407     7     0     7     7     0     8    5
nd6        144       25    0        3     1     0     1     1     0     8    0
pkpcb       40        5    0        5     1     0     1     1     0     8    1
kcovpl      48        8    0        0     1     0     1     1     0     8    0
ppxss      1192     107    0      107     1     0     1     1     0     8    1
pppxif     1504       3    0        3     1     0     1     1     0     8    1
pfstscr     40        1    0        0     1     0     1     1     0     8    0
pffrag     232        2    0        0     1     0     1     1     0   482    0
pffrnode    88        2    0        0     1     0     1     1     0     8    0
pffrent     40        5    0        2     1     0     1     1     0     8    0
pfosfp      40     1428    0     1005     5     0     5     5     0     8    0
pfosfpen   112     1428    0      714    21     0    21    21     0     8    0
pfstitem    24       37    0        1     1     0     1     1     0     8    0
pfstkey    128       37    0        1     2     0     2     2     0     8    0
pfstate    384       36    0        1     4     0     4     4     0     8    0
pfrule     1344      22    0       17     2     1     1     2     0     8    0
rttmr      136        2    0        2     1     0     1     1     0     8    1
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      510    0       93    31     0    31    31     0     8    3
art_table   32      511    0       93     4     0     4     4     0     8    0
art_node    16      131    0       35     1     0     1     1     0     8    0
sysvmsgpl   40        1    0        0     1     0     1     1     0     8    0
semupl     112        1    0        1     1     1     0     1     0     8    0
semapl     112       16    0        6     1     0     1     1     0     8    0
shmpl      112        4    0        1     1     0     1     1     0     8    0
pool(0xffffffff8391a840:shmpl): page inconsistency: page 0xfffffd805e26f000; 31 on list, 3 missing, 35 items per page
dirhash    1024      27    0       10     3     0     3     3     0     8    0
dino2pl    256     2114    0      605    96     0    96    96     0     8    1
ffsino     288     2114    0      605   109     0   109   109     0     8    0
nchpl      144     2687    0      996    63     0    63    63     0     8    0
rtmask      32        2    0        2     1     0     1     1     0     8    1
uvmvnodes   80     2386    0        0    49     0    49    49     0     8    0
vnodes     216     2386    0        0   133     0   133   133     0     8    0
namei      1024    9060    0     9060     1     0     1     1     0     8    1
percpumem   16      161    0      111     1     0     1     1     0     8    0
kstatmem   264       46    0       16     3     0     3     3     0     8    0
scsiplug    72        3    0        3     2     1     1     1     0     8    1
scxspl     216    12507    0    12507     5     4     1     4     1     8    1
plimitpl   152       58    0       39     1     0     1     1     0     8    0
sigapl     424      734    0      683     8     2     6     7     0     8    0
knotepl    120      518    0        0    16     0    16    16     0     8    0
kqueuepl   224      105    0       94     1     0     1     1     0     8    0
pipepl     336      129    0      102     3     0     3     3     0     8    0
fdescpl    520      715    0      683     3     0     3     3     0     8    0
filepl     160     3508    0     3283    16     0    16    16     0     8    6
lockfpl    104       73    0       71     1     0     1     1     0     8    0
lockfspl    48       34    0       32     1     0     1     1     0     8    0
sessionpl  144       22    0       13     1     0     1     1     0     8    0
pgrppl      48       36    0       19     1     0     1     1     0     8    0
ucredpl    104      338    0      325     1     0     1     1     0     8    0
zombiepl   144      685    0      683     1     0     1     1     0     8    0
processpl  1240     734    0      683     5     0     5     5     0     8    0
procpl     656     1257    0     1196     7     1     6     6     0     8    0
sosppl     168        3    0        3     1     0     1     1     0     8    1
sockpl     728      721    0      688    16     0    16    16     0     8   12
mcl64k     65536      2    0        0     1     0     1     1     0     8    0
mcl8k      8192       3    0        0     1     0     1     1     0     8    0
mcl4k      4096     112    0        0    14     0    14    14     0     8    0
mcl2k      2048      32    0        0     4     0     4     4     0     8    0
mtagpl      96       83    0        0     3     0     3     3     0     8    0
mbufpl     256      953    0        0    60     0    60    60     0     8    0
bufpl      280     4962    0      123   346     0   346   346     0     8    0
anonpl      32     7584    0        0    63     1    62    63     0   246    0
amapchunkpl 152   17222    0    16720    28     0    28    28     0   158    8
amappl16   200     3099    0     3068    18     7    11    15     0     8    8
amappl15   192        5    0        5     1     1     0     1     0     8    0
amappl14   184      110    0       98     1     0     1     1     0     8    0
amappl13   176        5    0        5     1     1     0     1     0     8    0
amappl12   168     1396    0     1363     3     1     2     2     0     8    0
amappl11   160       49    0       35     1     0     1     1     0     8    0
amappl10   152       20    0       20     1     1     0     1     0     8    0
amappl9    144      245    0      245     1     1     0     1     0     8    0
amappl8    136       21    0       19     1     0     1     1     0     8    0
amappl7    128      112    0      100     1     0     1     1     0     8    0
amappl6    120      183    0      180     1     0     1     1     0     8    0
amappl5    112      126    0      117     1     0     1     1     0     8    0
amappl4    104      325    0      307     1     0     1     1     0     8    0
amappl3     96     3255    0     3138     4     0     4     4     0     8    1
amappl2     88      657    0      594     2     0     2     2     0     8    0
amappl1     80     9650    0     9047    14     1    13    14     0     8    0
amappl      88     4797    0     4629     5     0     5     5     0    92    1
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma1024    1024       1    0        0     1     0     1     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      254    0      254     2     1     1     1     0     8    1
dma64       64        7    0        7     2     1     1     1     0     8    1
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      72        6    0        1     1     0     1     1     0     8    0
uaddrrnd    24      715    0      683     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      715    0      683     1     0     1     1     0     8    0
vmmpekpl   168     7323    0     7292     2     0     2     2     0     8    0
vmmpepl    168    51901    0    49880   100     0   100   100     0   357   12
vmsppl     480      714    0      683     5     1     4     5     0     8    0
rwobjpl     72    19121    0    15797    62     0    62    62     0     8    1
pdppl      4096    1437    0     1366    99    28    71    85     0     8    0
pvpl        32    17518    0        0   143     1   142   142     0   265    0
pmappl     256      714    0      683     3     0     3     3     0     8    0
extentpl    40       45    0       27     1     0     1     1     0     8    0
phpool     112      434    0       31    12     0    12    12     0     8    0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff833cf8e9) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff8391a840,1,ffff80003c44f108) at pool_do_get+0x5ea sys/kern/subr_pool.c:-1
pool_get(ffffffff8391a840,1) at pool_get+0x149 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff80003c410a70,ffff80003c44f360,165,ffff80003c44f2b0) at shmget_allocate_segment+0x1a7 sys/kern/sysv_shm.c:-1
sys_shmget(ffff80003c410a70,ffff80003c44f360,ffff80003c44f2b0) at sys_shmget+0x1b2 sys/kern/sysv_shm.c:482
syscall(ffff80003c44f360) at syscall+0xb08 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c44f360) at syscall+0xb08 sys/arch/amd64/amd64/trap.c:579
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xe7e80962530, count: -8
ddb{0}> machine ddbcpu 1
Stopped at      x86_ipi_db+0x27:        addq    $0x8,%rsp
x86_ipi_db(ffff8000299ddff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
end of kernel
end trace frame: 0x789289c6ac80, count: 12
ddb{1}> trace
x86_ipi_db(ffff8000299ddff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
end of kernel
end trace frame: 0x789289c6ac80, count: -3

Crashes (266):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Assets (help?)	Manager	Title
2025/06/06 14:27	openbsd	402b23ce0ef8	3d899f2c	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/06/06 00:54	openbsd	b57dcb7bc7e3	6b6b5f21	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/06/04 18:27	openbsd	98b1dda24a5c	e565f08d	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/06/04 16:32	openbsd	98b1dda24a5c	e565f08d	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/06/03 22:41	openbsd	e4273848146a	a30356b7	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/06/03 20:51	openbsd	e4273848146a	a30356b7	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/05/31 18:19	openbsd	a5ad0817f1ce	3d2f584d	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/05/30 15:38	openbsd	0ce5489608ba	3d2f584d	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/05/29 18:48	openbsd	225f0e6a7aa3	3d2f584d	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/05/28 05:11	openbsd	f55e6d8632c3	874a1386	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/05/27 22:41	openbsd	34392d87e208	874a1386	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/05/27 13:06	openbsd	bd1b66ffebcd	874a1386	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/05/26 13:28	openbsd	248a4f81b1c2	874a1386	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/05/23 21:27	openbsd	3f82bc0a57fc	f8cc0c83	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/05/23 19:07	openbsd	3f82bc0a57fc	f8cc0c83	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/05/22 23:48	openbsd	896a7df4dc11	fa44301a	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/05/22 20:19	openbsd	ba45935f401b	0919b50b	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/05/22 19:00	openbsd	ba45935f401b	0919b50b	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/05/21 23:15	openbsd	c902741cb17b	0919b50b	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-main	pool: free list modified: shmpl
2025/05/21 13:03	openbsd	b67b1feba291	dc5d3808	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/05/21 02:20	openbsd	1363fb036962	b47f9e02	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-main	pool: free list modified: shmpl
2025/05/20 15:25	openbsd	75dab2ae6040	b47f9e02	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/05/20 03:16	openbsd	03d4002980cf	b84f0537	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/05/18 18:46	openbsd	3f7d12af86be	f41472b0	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-main	pool: free list modified: shmpl
2025/05/18 16:53	openbsd	3f7d12af86be	f41472b0	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-main	pool: free list modified: shmpl
2025/05/18 13:39	openbsd	6decc3d5f4d6	f41472b0	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/05/18 05:10	openbsd	8c9607973553	f41472b0	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/05/17 23:55	openbsd	8c9607973553	f41472b0	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/05/17 16:25	openbsd	007267a8c99a	f41472b0	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/05/17 11:49	openbsd	007267a8c99a	f41472b0	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/05/17 05:48	openbsd	f47d9bee1200	f41472b0	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/05/16 18:46	openbsd	f47d9bee1200	f41472b0	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/05/16 13:51	openbsd	84d74105a289	cfde8269	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/05/16 12:25	openbsd	84d74105a289	cfde8269	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-main	pool: free list modified: shmpl
2025/05/16 03:36	openbsd	8b901a85ba65	cfde8269	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/05/14 09:19	openbsd	b0ff9b09a8b9	7344edeb	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-main	pool: free list modified: shmpl
2025/05/14 06:27	openbsd	6405849dc70d	7344edeb	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/05/13 20:57	openbsd	6405849dc70d	7344edeb	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-main	pool: free list modified: shmpl
2025/05/13 13:11	openbsd	0de99af22586	9497799b	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/05/13 10:26	openbsd	0de99af22586	9497799b	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-main	pool: free list modified: shmpl
2025/05/12 20:05	openbsd	78dde0c318c4	f6671af7	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-main	pool: free list modified: shmpl
2025/05/12 10:34	openbsd	1d7d4b26237d	77908e5f	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/05/10 22:32	openbsd	a6f021db2a6c	77908e5f	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/05/10 19:05	openbsd	a6f021db2a6c	77908e5f	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/05/10 09:04	openbsd	6096bd70fba2	77908e5f	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/05/08 01:15	openbsd	857ee2693eb3	dbf35fa1	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/05/07 19:44	openbsd	857ee2693eb3	dbf35fa1	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-setuid	pool: free list modified: shmpl
2025/05/07 13:50	openbsd	b9cb822a9415	350f4ffc	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/05/07 10:23	openbsd	b9cb822a9415	350f4ffc	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl
2025/02/04 10:39	openbsd	1eab3ea7ad62	8f267cef	.config	console log	report	[disk image] [bsd.gdb] [kernel image]	ci-openbsd-multicore	pool: free list modified: shmpl

* ~~Struck through~~ repros no longer work on HEAD.