syzbot

 sign-in | mailing list | source | docs
🐞 Open [177]
🐞 Fixed [301]
🐞 Invalid [1057]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

pool: free list modified: shmpl (6)

Status: upstream: reported on 2025/02/04 10:40
Reported-by: syzbot+640f5b53834a8559e680@syzkaller.appspotmail.com
First crash: 486d, last: 15h22m
Similar bugs (5)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
openbsd pool: free list modified: shmpl (3) -1 1 2193d 2193d 0/3 auto-closed as invalid on 2020/09/01 15:24
openbsd pool: free list modified: shmpl -1 C 22 2558d 2652d 3/3 fixed on 2019/10/29 17:45
openbsd pool: free list modified: shmpl (5) -1 43 565d 657d 0/3 auto-obsoleted due to no activity on 2025/01/07 01:02
openbsd pool: free list modified: shmpl (2) -1 1 2374d 2374d 0/3 auto-closed as invalid on 2020/03/04 23:09
openbsd pool: free list modified: shmpl (4) -1 1 935d 935d 0/3 auto-obsoleted due to no activity on 2024/02/11 22:36

Sample crash report:
panic: pool_do_get: shmpl free list modified: page 0xfffffa006c720000; item addr 0xfffffa006c720540; offset 0x40=0x6a231f25
Stopped at      db_enter+0x25:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
 477784    197  32767        0x10          0    0  syz-executor
* 22806    197  32767        0x10  0x4000000    1K syz-executor
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff834b0eff) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff83b41050,2,ffff80003c3dc5b8) at pool_do_get+0x5df
pool_get(ffffffff83b41050,2) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff80003c3f0fb8,ffff80003c3dc810,14c,ffff80003c3dc760) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff80003c3f0fb8,ffff80003c3dc810,ffff80003c3dc760) at sys_shmget+0x195 sys/kern/sysv_shm.c:501
syscall(ffff80003c3dc810) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c3dc810) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7e732211ea0, count: 7
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{1}> 
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu1: pool_do_get: shmpl free list modified: page 0xfffffa006c720000; item addr 0xfffffa006c720540; offset 0x40=0x6a231f25
ddb{1}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff834b0eff) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff83b41050,2,ffff80003c3dc5b8) at pool_do_get+0x5df
pool_get(ffffffff83b41050,2) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff80003c3f0fb8,ffff80003c3dc810,14c,ffff80003c3dc760) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff80003c3f0fb8,ffff80003c3dc810,ffff80003c3dc760) at sys_shmget+0x195 sys/kern/sysv_shm.c:501
syscall(ffff80003c3dc810) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c3dc810) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7e732211ea0, count: -8
ddb{1}> show registers
rdi                                0
rsi                              0x1
rbp               0xffff80003c3dc3e0
rbx               0xffff80002999ee07
rdx                                0
rcx               0xffff80003c3f0fb8
rax               0xffff80002999dff0
r8                 0x101010101010101
r9                0x8080808080808080
r10               0xb75618c93c4651ce
r11               0x69d4fab204d8c932
r12               0xffff80002999ec08
r13                                0
r14                                0
r15                              0x1
rip               0xffffffff821d5135    db_enter+0x25
cs                               0x8
rflags                         0x246
rsp               0xffff80003c3dc3d0
ss                              0x10
db_enter+0x25:  addq    $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor) tid=22806 pid=197 tcnt=2 stat=onproc
    flags process=10<SUGID> proc=4000000<THREAD>
    runpri=32, usrpri=60, slppri=32, nice=20
    wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
    forw=0xffffffffffffffff, list=0xffff80003c3f02c0,0xffff80003c3f14f8
    process=0xffff8000fffe9360 user=0xffff80003c3d7000, vmspace=0xfffffa006c97d7c0
    estcpu=10, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0
ddb{1}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 18194  389894  56509  32767  2        0x10                syz-executor
 45912  163673  35669  32767  2        0x10                syz-executor
 45912  215942  35669  32767  3   0x4000090  fsleep        syz-executor
   197  477784  84011  32767  7        0x10                syz-executor
*  197   22806  84011  32767  7   0x4000010                syz-executor
 57057   38182  42991  32767  2        0x10                syz-executor
 57057  503564  42991  32767  3   0x4000090  ttyretype     syz-executor
 57057   52060  42991  32767  3   0x4000090  ttyretype     syz-executor
 19539  105900   6499  32767  2        0x10                syz-executor
 19539  466936   6499  32767  3   0x4000090  fsleep        syz-executor
 92949  202250  42579  32767  2        0x10                syz-executor
 92949  301850  42579  32767  3   0x4000090  fsleep        syz-executor
 92949  124552  42579  32767  3   0x4000090  fsleep        syz-executor
 40695  455853  93516  32767  2        0x10                syz-executor
 40695  297917  93516  32767  3   0x4000090  fsleep        syz-executor
 93516  327904  60531  32767  3        0x90  nanoslp       syz-executor
 70116  461820   2770  32767  3        0x90  nanoslp       syz-executor
 42991  155135   3747  32767  3        0x90  nanoslp       syz-executor
 56509  124174  75638  32767  3        0x90  nanoslp       syz-executor
  6499  283045   5077  32767  3        0x90  nanoslp       syz-executor
 35669  340505  75127  32767  3        0x90  nanoslp       syz-executor
 42579  463933  75902  32767  3        0x90  nanoslp       syz-executor
 84011  231974  35260  32767  3        0x90  nanoslp       syz-executor
 60531  289547  22621      0  3        0x82  wait          syz-executor
 35260  336746  22621      0  3        0x82  wait          syz-executor
  3747  264214  22621      0  3        0x82  wait          syz-executor
 75902  406762  22621      0  3        0x82  wait          syz-executor
 75127  522160  22621      0  3        0x82  wait          syz-executor
 75638  214406  22621      0  3        0x82  wait          syz-executor
  2770  105361  22621      0  3        0x82  wait          syz-executor
  5077  186950  22621      0  3        0x82  wait          syz-executor
 22621   22615   3691      0  3        0x82  kqread        syz-executor
  3691  111511  63873      0  3    0x10008a  sigsusp       ksh
 63873  199190  46680      0  3        0x98  kqread        sshd-session
 46680  132589  79982      0  3        0x92  kqread        sshd-session
 62058   15027      1      0  3    0x100083  ttyin         getty
 79982  274223      1      0  3        0x88  kqread        sshd
 19142   22952  84289     73  3   0x1100090  kqread        syslogd
 84289  338050      1      0  3    0x100082  sbwait        syslogd
 52052  377560      1      0  3    0x100080  kqread        resolvd
 49387  442301  22971     77  3    0x100092  kqread        dhcpleased
 68139  438255  22971     77  3    0x100092  kqread        dhcpleased
 22971  429831      1      0  3        0x80  kqread        dhcpleased
 63654  474469      0      0  3     0x14200  bored         smr
 97047  468272      0      0  2     0x14200                zerothread
 67979  196864      0      0  3     0x14200  aiodoned      aiodoned
  8626  383967      0      0  3     0x14200  syncer        update
 74485  192981      0      0  3     0x14200  cleaner       cleaner
  7078  197757      0      0  3     0x14200  reaper        reaper
 16539  300365      0      0  3     0x14200  pgdaemon      pagedaemon
 54672   48624      0      0  3     0x14200  bored         viomb
  5573    5200      0      0  3  0x40014200  acpi0         acpi0
 89216  338595      0      0  3  0x40014200                idle1
 36542  422428      0      0  3     0x14200  bored         softnet1
 55001  472073      0      0  3     0x14200  bored         softnet0
 90524  521942      0      0  3     0x14200  bored         systqmp
 78272  152708      0      0  3     0x14200  bored         systq
 14361  105059      0      0  3     0x14200  tmoslp        softclockmp
 78841  465090      0      0  3  0x40014200  tmoslp        softclock
 77296   89769      0      0  3  0x40014200                idle0
     1  502809      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{1}> show all locks
CPU 1:
exclusive mutex shmpl r = 0 (0xffffffff83b41068)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  mtx_enter+0x4b4 sys/kern/kern_lock.c:487
#2  pool_get+0x124 sys/kern/subr_pool.c:585
#3  shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
#4  sys_shmget+0x195 sys/kern/sysv_shm.c:501
#5  syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#5  syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
#6  Xsyscall+0x128
Process 197 (syz-executor) thread 0xffff80003c3f0fb8 (22806)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff83b41ac0)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  syscall+0xaf4 mi_syscall sys/sys/syscall_mi.h:175 [inline]
#1  syscall+0xaf4 sys/arch/amd64/amd64/trap.c:783
#2  Xsyscall+0x128
exclusive mutex shmpl r = 0 (0xffffffff83b41068)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  mtx_enter+0x4b4 sys/kern/kern_lock.c:487
#2  pool_get+0x124 sys/kern/subr_pool.c:585
#3  shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
#4  sys_shmget+0x195 sys/kern/sysv_shm.c:501
#5  syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#5  syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
#6  Xsyscall+0x128
ddb{1}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 11056  12019K   12034K 166960K     12147        0
            pcb    17     12K      12K 166960K        17        0
         rtable   241      6K       7K 166960K       461        0
             pf    31     16K      16K 166960K        31        0
         ifaddr    42      7K       7K 166960K        44        0
        ifgroup    50      2K       2K 166960K        50        0
         sysctl     2      1K       9K 166960K         7        0
       counters    70     37K      37K 166960K        70        0
       ioctlops     0      0K       2K 166960K        44        0
            iov     0      0K      16K 166960K       163        0
          mount     1      1K       1K 166960K         1        0
            log     0      0K       0K 166960K         4        0
         vnodes  1288     81K      81K 166960K      1525        0
      UFS quota     1     32K      32K 166960K         1        0
      UFS mount     5     36K      36K 166960K         5        0
            shm     2      1K       5K 166960K        18        0
         VM map     2      1K       1K 166960K         2        0
            sem    12      1K       1K 166960K        14        0
        dirhash    12      2K       2K 166960K        21        0
           ACPI  1692    195K     286K 166960K     12470        0
      file desc    26     97K     125K 166960K       689        0
          sigio     0      0K       0K 166960K       142        0
           proc    59    115K     131K 166960K       592        0
        subproc    72      4K       4K 166960K        72        0
    NFS srvsock     1      0K       0K 166960K         1        0
     NFS daemon     1     16K      16K 166960K         1        0
    ip_moptions     0      0K       0K 166960K       139        0
       in_multi    99      7K       7K 166960K       127        0
    ether_multi     1      0K       0K 166960K         6        0
            mrt     1      0K       0K 166960K        18        0
    ISOFS mount     1     32K      32K 166960K         1        0
  MSDOSFS mount     1     16K      16K 166960K         1        0
           ttys    97    440K     440K 166960K        97        0
           exec     0      0K       1K 166960K       502        0
   fusefs mount     1     32K      32K 166960K         1        0
            tdb     3      0K       0K 166960K         3        0
        VM swap     8     62K      64K 166960K        10        0
       UVM amap   257    182K     200K 166960K      8010        0
       UVM aobj    26      2K       2K 166960K        29        0
     pinsyscall    47     94K     114K 166960K      1802        0
        memdesc     1      4K       4K 166960K         1        0
    crypto data     1      1K       1K 166960K         1        0
    ip6_options     0      0K       0K 166960K        50        0
            NDP    11      0K       2K 166960K        27        0
           temp    60   9124K    9138K 166960K      4995        0
         kqueue    17     25K      28K 166960K       147        0
      SYN cache     2     16K      16K 166960K         2        0
ddb{1}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache    128       26    0        0     1     0     1     1     0     8    0
rtpcb      120      153    0      150     3     0     3     3     0     8    2
rtentry    176      117    0        5     6     0     6     6     0     8    0
unpcb      144      548    0      531     6     0     6     6     0     8    5
syncache   336       14    0       14     1     0     1     1     0     8    1
tcpqe       32        1    0        1     1     0     1     1     0     8    1
tcpcb      736      250    0      245     4     0     4     4     0     8    3
arp        136       18    0        0     1     0     1     1     0     8    0
ipq         40        3    0        0     1     0     1     1     0     8    0
ipqe        40        6    0        3     1     0     1     1     0     8    0
inpcb      328      722    0      709     8     0     8     8     0     8    6
ip6q        72        1    0        0     1     0     1     1     0     8    0
ip6af       40        1    0        0     1     0     1     1     0     8    0
nd6        152       30    0        4     2     0     2     2     0     8    1
kcovpl      48        8    0        0     1     0     1     1     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      501    0       32    31     0    31    31     0     8    1
art_table   40      502    0       32     5     0     5     5     0     8    0
art_node    32      117    0       15     1     0     1     1     0     8    0
sysvmsgpl   40       20    0       13     1     0     1     1     0     8    0
semupl     112        1    0        1     1     1     0     1     0     8    0
semapl      72       10    0        0     1     0     1     1     0     8    0
shmpl      112       26    0        3     1     0     1     1     0     8    0
pool(0xffffffff83b41050:shmpl): page inconsistency: page 0xfffffa006c720000; 11 on list, 23 missing, 35 items per page
dirhash    1024      23    0        6     3     0     3     3     0     8    0
dino2pl    256     2500    0     1035    92     0    92    92     0     8    0
ffsino     296     2500    0     1035   114     0   114   114     0     8    0
nchpl      144     3501    0     1804    64     0    64    64     0     8    0
vnodes     216     2581    0        0   144     0   144   144     0     8    0
namei      1024   12155    0    12155     1     0     1     1     0     8    1
percpumem   16       50    0        0     1     0     1     1     0     8    0
kstatmem   264       25    0        0     2     0     2     2     0     8    0
scxspl     216    11025    0    11025    11     5     6     8     1     8    6
plimitpl   152      218    0      192     2     0     2     2     0     8    0
sigapl     424      987    0      933     7     0     7     7     0     8    0
knotepl    120      362    0        0    11     0    11    11     0     8    0
kqueuepl   224      241    0      230     5     0     5     5     0     8    4
pipepl     344      157    0      130     3     0     3     3     0     8    0
fdescpl    528      971    0      933     4     0     4     4     0     8    0
filepl     160     5973    0     5752    20     2    18    20     0     8    8
lockfpl    104      290    0      287     1     0     1     1     0     8    0
lockfspl    48       80    0       77     1     0     1     1     0     8    0
sessionpl  144       61    0       45     1     0     1     1     0     8    0
pgrppl      48       72    0       48     1     0     1     1     0     8    0
ucredpl    104     1349    0     1330     1     0     1     1     0     8    0
zombiepl   144      934    0      933     1     0     1     1     0     8    0
processpl  1232     987    0      933     5     0     5     5     0     8    0
procpl     664     1927    0     1865     7     0     7     7     0     8    1
sosppl     176        8    0        8     1     0     1     1     0     8    1
sockpl     752     1434    0     1401    24    12    12    24     0     8    8
mcl64k     65536      5    0        0     1     0     1     1     0     8    0
mcl8k      8192       2    0        0     1     0     1     1     0     8    0
mcl4k      4096     128    0        0    16     0    16    16     0     8    0
mcl2k      2048      23    0        0     3     0     3     3     0     8    0
mtagpl      96        4    0        0     1     0     1     1     0     8    0
mbufpl     256      251    0        0    16     0    16    16     0     8    0
bufpl      280     3108    0      102   215     0   215   215     0     8    0
anonpl      32     9556    0        0    77     0    77    77     0   246    0
amapchunkpl 152   27093    0    26331    40     0    40    40     0   158    8
amappl16   200     3346    0     3319    20     8    12    15     0     8    8
amappl15   192        5    0        5     1     1     0     1     0     8    0
amappl14   184      402    0      401     1     0     1     1     0     8    0
amappl13   176      124    0      114     1     0     1     1     0     8    0
amappl12   168     1206    0     1170     2     0     2     2     0     8    0
amappl11   160        6    0        6     1     1     0     1     0     8    0
amappl10   152       59    0       49     1     0     1     1     0     8    0
amappl9    144      267    0      267     1     1     0     1     0     8    0
amappl8    136       92    0       90     1     0     1     1     0     8    0
amappl7    128      161    0      150     1     0     1     1     0     8    0
amappl6    120      152    0      150     1     0     1     1     0     8    0
amappl5    112      111    0      102     1     0     1     1     0     8    0
amappl4    104      286    0      268     1     0     1     1     0     8    0
amappl3     96     5110    0     4973     5     1     4     4     0     8    0
amappl2     88      570    0      516     2     0     2     2     0     8    0
amappl1     80    14160    0    13578    16     0    16    16     0     8    0
amappl      88     7177    0     6986     6     0     6     6     0    92    1
uvmvnodes   80      123    0        0     3     0     3     3     0     8    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma1024    1024       1    0        0     1     0     1     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      72       28    0        3     1     0     1     1     0     8    0
uaddrrnd    24      971    0      933     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      971    0      933     1     0     1     1     0     8    0
vmmpekpl   168    10007    0     9977     2     0     2     2     0     8    0
vmmpepl    168    72084    0    69968   107     0   107   107     0   357    5
vmsppl     488      970    0      933     7     2     5     6     0     8    0
rwobjpl     80    23123    0    22107    26     0    26    26     0     8    0
pdppl      4096    1949    0     1866   119    32    87    97     0     8    4
pvpl        32    17011    0        0   139     1   138   138     0   265    0
pmappl     256      970    0      933     4     1     3     3     0     8    0
extentpl    40       45    0       27     1     0     1     1     0     8    0
phpool     112      296    0       35     8     0     8     8     0     8    0
ddb{1}> machine ddbcpu 0
Stopped at      x86_ipi_db+0x27:        addq    $0x8,%rsp
x86_ipi_db(ffffffff83912ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff83b412c0) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline]
__mp_lock(ffffffff83b412c0) at __mp_lock+0x192 sys/kern/kern_lock.c:173
softintr_dispatch(0) at softintr_dispatch+0x125 sys/kern/kern_softintr.c:83
dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862
Xsoftclock() at Xsoftclock+0x27
end of kernel
end trace frame: 0x73eaf8182540, count: 8
ddb{0}> trace
x86_ipi_db(ffffffff83912ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff83b412c0) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline]
__mp_lock(ffffffff83b412c0) at __mp_lock+0x192 sys/kern/kern_lock.c:173
softintr_dispatch(0) at softintr_dispatch+0x125 sys/kern/kern_softintr.c:83
dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862
Xsoftclock() at Xsoftclock+0x27
end of kernel
end trace frame: 0x73eaf8182540, count: -7
ddb{0}> machine ddbcpu 1
Stopped at      db_enter+0x25:  addq    $0x8,%rsp
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff834b0eff) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff83b41050,2,ffff80003c3dc5b8) at pool_do_get+0x5df
pool_get(ffffffff83b41050,2) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff80003c3f0fb8,ffff80003c3dc810,14c,ffff80003c3dc760) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff80003c3f0fb8,ffff80003c3dc810,ffff80003c3dc760) at sys_shmget+0x195 sys/kern/sysv_shm.c:501
syscall(ffff80003c3dc810) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c3dc810) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7e732211ea0, count: 7
ddb{1}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff834b0eff) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff83b41050,2,ffff80003c3dc5b8) at pool_do_get+0x5df
pool_get(ffffffff83b41050,2) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff80003c3f0fb8,ffff80003c3dc810,14c,ffff80003c3dc760) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff80003c3f0fb8,ffff80003c3dc810,ffff80003c3dc760) at sys_shmget+0x195 sys/kern/sysv_shm.c:501
syscall(ffff80003c3dc810) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c3dc810) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7e732211ea0, count: -8

Crashes (900):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/06/05 19:10 openbsd ce89dc54e9c4 48b6c3fa .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/25 08:12 openbsd 3ca1fbf96c86 c69befb3 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/23 00:29 openbsd dbd5cf8c5e8a c69befb3 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/22 20:44 openbsd 54bbd1fe416a 95d90255 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/12 20:43 openbsd 7bfd65388e23 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/12 18:47 openbsd 7bfd65388e23 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/11 10:35 openbsd bf258236f7c1 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/11 08:17 openbsd bf258236f7c1 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/11 01:46 openbsd bf258236f7c1 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/10 01:17 openbsd e291ae399501 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/09 18:44 openbsd 387d82fb614c 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/09 10:20 openbsd 387d82fb614c 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/08 23:44 openbsd 34e7bded0e8b 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/08 20:08 openbsd 34e7bded0e8b 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/08 14:25 openbsd d1081477e0e5 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/08 08:06 openbsd d1081477e0e5 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/07 11:45 openbsd eea3785ced43 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/07 09:19 openbsd eea3785ced43 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/06 21:44 openbsd 3f03630caf4d 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/06 10:05 openbsd eec9cf095b26 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/06 08:32 openbsd eec9cf095b26 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/06 05:03 openbsd eec9cf095b26 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2026/05/06 03:27 openbsd eec9cf095b26 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2026/05/03 02:04 openbsd 3c6f8ccfe730 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/03 00:47 openbsd 3c6f8ccfe730 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/02 22:54 openbsd 3c6f8ccfe730 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/02 17:01 openbsd cdbf859d9674 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/02 08:34 openbsd cdbf859d9674 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/02 04:31 openbsd bedf3632bee6 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/05/01 09:02 openbsd d15801fa3705 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2026/04/30 23:19 openbsd 2117c4c4e299 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/30 20:55 openbsd 2117c4c4e299 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/30 04:38 openbsd 04e2410ca848 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/29 21:15 openbsd 167506022718 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/29 14:36 openbsd 167506022718 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/29 10:30 openbsd 7697f4315e16 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/29 05:54 openbsd 7697f4315e16 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/29 01:30 openbsd 7697f4315e16 340bcdf0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/27 10:38 openbsd 80ba1745ccfd 0f700595 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/27 09:28 openbsd 80ba1745ccfd 0f700595 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/27 07:23 openbsd 80ba1745ccfd 9c2d0995 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/26 20:36 openbsd 443952c09f98 9c2d0995 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2026/04/26 00:40 openbsd 6c5f0280b621 9c2d0995 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/25 21:21 openbsd 6c5f0280b621 9c2d0995 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/25 11:57 openbsd 2f70c1a437bc 9c2d0995 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/25 10:30 openbsd 2f70c1a437bc 9c2d0995 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/25 05:12 openbsd 2f70c1a437bc 9c2d0995 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/23 08:41 openbsd 18dcbfb1f230 b10da5ec .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/23 01:10 openbsd 18dcbfb1f230 b10da5ec .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/22 22:33 openbsd 3802f0c790f9 4595e353 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/22 18:21 openbsd 3802f0c790f9 4595e353 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/22 03:37 openbsd 9a8e8d261fbe 0b6ab7ec .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/30 15:25 openbsd d3e6ebe0e992 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main pool: free list modified: shmpl
2025/02/04 10:39 openbsd 1eab3ea7ad62 8f267cef .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
* Struck through repros no longer work on HEAD.