syzbot

 sign-in | mailing list | source | docs
🐞 Open [131]
🐞 Fixed [292]
🐞 Invalid [918]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

pool: free list modified: shmpl (6)

Status: upstream: reported on 2025/02/04 10:40
Reported-by: syzbot+640f5b53834a8559e680@syzkaller.appspotmail.com
First crash: 286d, last: 7h04m
Similar bugs (5)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
openbsd pool: free list modified: shmpl (3) -1 1 1993d 1993d 0/3 auto-closed as invalid on 2020/09/01 15:24
openbsd pool: free list modified: shmpl -1 C 22 2357d 2452d 3/3 fixed on 2019/10/29 17:45
openbsd pool: free list modified: shmpl (5) -1 43 365d 457d 0/3 auto-obsoleted due to no activity on 2025/01/07 01:02
openbsd pool: free list modified: shmpl (2) -1 1 2174d 2174d 0/3 auto-closed as invalid on 2020/03/04 23:09
openbsd pool: free list modified: shmpl (4) -1 1 735d 735d 0/3 auto-obsoleted due to no activity on 2024/02/11 22:36

Sample crash report:
panic: pool_do_get: shmpl free list modified: page 0xfffffd8066b61000; item addr 0xfffffd8066b615b0; offset 0x40=0x691b897c
Stopped at      db_enter+0x25:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
 423467  24787  32767        0x10          0    0  syz-executor
*394968  24787  32767        0x10  0x4000000    1K syz-executor
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff8339ab14) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff8397d6a0,1,ffff80003c423348) at pool_do_get+0x5df
pool_get(ffffffff8397d6a0,1) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff8000fffee018,ffff80003c4235a0,0,ffff80003c4234f0) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff8000fffee018,ffff80003c4235a0,ffff80003c4234f0) at sys_shmget+0x195 sys/kern/sysv_shm.c:482
syscall(ffff80003c4235a0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c4235a0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:765
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x6bffb953360, count: 7
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{1}> 
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu1: pool_do_get: shmpl free list modified: page 0xfffffd8066b61000; item addr 0xfffffd8066b615b0; offset 0x40=0x691b897c
ddb{1}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff8339ab14) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff8397d6a0,1,ffff80003c423348) at pool_do_get+0x5df
pool_get(ffffffff8397d6a0,1) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff8000fffee018,ffff80003c4235a0,0,ffff80003c4234f0) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff8000fffee018,ffff80003c4235a0,ffff80003c4234f0) at sys_shmget+0x195 sys/kern/sysv_shm.c:482
syscall(ffff80003c4235a0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c4235a0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:765
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x6bffb953360, count: -8
ddb{1}> show registers
rdi                                0
rsi                              0x1
rbp               0xffff80003c423170
rbx               0xffff8000299eee07
rdx               0xffff80000146cbc0
rcx               0xffff8000fffee018
rax               0xffff8000299edff0
r8                 0x101010101010101
r9                0x8080808080808080
r10               0x74720fbc9603f508
r11               0xcc976a0a4fbfcb82
r12               0xffff8000299eec08
r13                                0
r14                                0
r15                              0x1
rip               0xffffffff810542e5    db_enter+0x25
cs                               0x8
rflags                         0x246
rsp               0xffff80003c423160
ss                              0x10
db_enter+0x25:  addq    $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor) tid=394968 pid=24787 tcnt=2 stat=onproc
    flags process=10<SUGID> proc=4000000<THREAD>
    runpri=32, usrpri=50, slppri=32, nice=20
    wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
    forw=0xffffffffffffffff, list=0xffff800032ff5ca8,0xffffffff83998fd8
    process=0xffff800030fe49c0 user=0xffff80003c41e000, vmspace=0xfffffd806cd7e5d8
    estcpu=36, cpticks=0, pctcpu=0.0, user=0, sys=0, intr=0
ddb{1}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 81164  164814  78722  32767  2        0x10                syz-executor
 51968  189934  18196  32767  2        0x10                syz-executor
 51968  493457  18196  32767  3   0x4000090  fsleep        syz-executor
 51968  259407  18196  32767  3   0x4000090  fsleep        syz-executor
 24787  423467  66263  32767  7        0x10                syz-executor
*24787  394968  66263  32767  7   0x4000010                syz-executor
 59188  157700  47983  32767  3        0x10  biowait       syz-executor
 68613   89393  69137  32767  3        0x90  nanoslp       syz-executor
 78722  268658  62612  32767  3        0x90  nanoslp       syz-executor
 94357  404967  23443  32767  2  0x10000010                syz-executor
 66263  187169  13498  32767  3        0x90  nanoslp       syz-executor
 10370  350600   6734  32767  3        0x90  nanoslp       syz-executor
 18196  488964  40506  32767  3        0x90  nanoslp       syz-executor
 68155    1482   4134  32767  3        0x90  wait          syz-executor
 69137  445099  18071      0  3        0x82  wait          syz-executor
 47983  435489  18071      0  3        0x82  wait          syz-executor
 62612   62100  18071      0  3        0x82  wait          syz-executor
 23443  375832  18071      0  3        0x82  wait          syz-executor
 13498   31214  18071      0  3        0x82  wait          syz-executor
  6734  239688  18071      0  3        0x82  wait          syz-executor
  4134   65351  18071      0  3        0x82  wait          syz-executor
 40506  374047  18071      0  3        0x82  wait          syz-executor
 18071  314755  77400      0  3        0x82  kqread        syz-executor
 77400   80903  58132      0  3    0x10008a  sigsusp       ksh
 58132  180078  40873      0  3        0x98  kqread        sshd-session
 40873  475991  72753      0  3        0x92  kqread        sshd-session
 35362  176769      1      0  3    0x100083  ttyin         getty
 72753    1672      1      0  3        0x88  kqread        sshd
 37636   56347   2036     73  3   0x1100090  kqread        syslogd
  2036  115297      1      0  3    0x100082  sbwait        syslogd
 12160  171807      1      0  3    0x100080  kqread        resolvd
 97865  205478  88851     77  3    0x100092  kqread        dhcpleased
 56777  137062  88851     77  3    0x100092  kqread        dhcpleased
 88851   65914      1      0  3        0x80  kqread        dhcpleased
 19245  337526      0      0  3     0x14200  bored         smr
 59977  141038      0      0  2     0x14200                zerothread
  8850  486581      0      0  3     0x14200  aiodoned      aiodoned
 31992  237273      0      0  3     0x14200  syncer        update
 63449  469836      0      0  3     0x14200  cleaner       cleaner
 74594  296077      0      0  3     0x14200  reaper        reaper
 14353   96956      0      0  3     0x14200  pgdaemon      pagedaemon
 59974  227053      0      0  3     0x14200  bored         viomb
 93286  354509      0      0  3  0x40014200  acpi0         acpi0
 16874  311270      0      0  3  0x40014200                idle1
 29848  278171      0      0  3     0x14200  bored         softnet1
 63036  170252      0      0  3     0x14200  bored         softnet0
 75666   41392      0      0  3     0x14200  bored         systqmp
 49972  167567      0      0  3     0x14200  bored         systq
 71192  195334      0      0  3     0x14200  tmoslp        softclockmp
 76616   70845      0      0  3  0x40014200  tmoslp        softclock
 23576  225153      0      0  3  0x40014200                idle0
     1  225618      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{1}> show all locks
CPU 1:
exclusive mutex shmpl r = 0 (0xffffffff8397d6b8)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  mtx_enter+0x4b4 sys/kern/kern_lock.c:487
#2  pool_get+0x124 sys/kern/subr_pool.c:581
#3  shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
#4  sys_shmget+0x195 sys/kern/sysv_shm.c:482
#5  syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#5  syscall+0xb17 sys/arch/amd64/amd64/trap.c:765
#6  Xsyscall+0x128
Process 24787 (syz-executor) thread 0xffff8000fffee018 (394968)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff83904d48)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  syscall+0xaf4 mi_syscall sys/sys/syscall_mi.h:175 [inline]
#1  syscall+0xaf4 sys/arch/amd64/amd64/trap.c:765
#2  Xsyscall+0x128
exclusive mutex shmpl r = 0 (0xffffffff8397d6b8)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  mtx_enter+0x4b4 sys/kern/kern_lock.c:487
#2  pool_get+0x124 sys/kern/subr_pool.c:581
#3  shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
#4  sys_shmget+0x195 sys/kern/sysv_shm.c:482
#5  syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#5  syscall+0xb17 sys/arch/amd64/amd64/trap.c:765
#6  Xsyscall+0x128
Process 59188 (syz-executor) thread 0xffff800032ff4a80 (157700)
exclusive rrwlock inode r = 0 (0xfffffd8066bda580)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2  rrw_enter+0xc6 sys/kern/kern_rwlock.c:621
#3  VOP_LOCK+0xbd sys/kern/vfs_vops.c:527
#4  ufs_ihashins+0x4f ufs_ihash sys/ufs/ufs/ufs_ihash.c:-1 [inline]
#4  ufs_ihashins+0x4f sys/ufs/ufs/ufs_ihash.c:159
#5  ffs_vget+0x187 sys/ufs/ffs/ffs_vfsops.c:1232
#6  ffs_inode_alloc+0x279 sys/ufs/ffs/ffs_alloc.c:393
#7  ufs_mkdir+0xfc sys/ufs/ufs/ufs_vnops.c:1112
#8  VOP_MKDIR+0x101 sys/kern/vfs_vops.c:394
#9  domkdirat+0x179 sys/kern/vfs_syscalls.c:3113
#10 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#10 syscall+0xb17 sys/arch/amd64/amd64/trap.c:765
#11 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd806d6d4448)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2  rrw_enter+0xc6 sys/kern/kern_rwlock.c:621
#3  VOP_LOCK+0xbd sys/kern/vfs_vops.c:527
#4  vn_lock+0xa4 sys/kern/vfs_vnops.c:570
#5  vfs_lookup+0x11c sys/kern/vfs_lookup.c:-1
#6  namei+0x7ca sys/kern/vfs_lookup.c:250
#7  domkdirat+0x8b sys/kern/vfs_syscalls.c:3098
#8  syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#8  syscall+0xb17 sys/arch/amd64/amd64/trap.c:765
#9  Xsyscall+0x128
ddb{1}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 10191  10958K   10973K 166960K     11282        0
            pcb    17     12K      12K 166960K        17        0
         rtable   243      6K       7K 166960K       358        0
             pf    31     16K      16K 166960K        31        0
         ifaddr    42      7K       7K 166960K        44        0
        ifgroup    50      2K       2K 166960K        50        0
         sysctl     3      1K       9K 166960K         7        0
       counters    68     36K      36K 166960K        68        0
       ioctlops     0      0K       2K 166960K        35        0
            iov     0      0K      12K 166960K         7        0
          mount     1      1K       1K 166960K         1        0
            log     0      0K       0K 166960K         4        0
         vnodes  1335     84K      84K 166960K      1368        0
      UFS quota     1     32K      32K 166960K         1        0
      UFS mount     5     36K      36K 166960K         5        0
            shm     2      1K       5K 166960K        10        0
         VM map     2      1K       1K 166960K         2        0
            sem    12      0K       0K 166960K        17        0
        dirhash    15      2K       3K 166960K        18        0
           ACPI  1692    195K     286K 166960K     12470        0
      file desc    24     89K     113K 166960K       302        0
          sigio     0      0K       0K 166960K         5        0
           proc    58     99K     131K 166960K       495        0
        subproc    72      4K       4K 166960K        72        0
    NFS srvsock     1      0K       0K 166960K         1        0
     NFS daemon     1     16K      16K 166960K         1        0
    ip_moptions     0      0K       0K 166960K        37        0
       in_multi    99      7K       7K 166960K       112        0
    ether_multi     1      0K       0K 166960K         3        0
    ISOFS mount     1     32K      32K 166960K         1        0
  MSDOSFS mount     1     16K      16K 166960K         1        0
           ttys    79    360K     360K 166960K        79        0
           exec     0      0K       1K 166960K       401        0
   fusefs mount     1     32K      32K 166960K         1        0
            tdb     3      0K       0K 166960K         3        0
        VM swap     8     62K      64K 166960K        10        0
       UVM amap   252    184K     199K 166960K      4534        0
       UVM aobj    14      4K       4K 166960K        15        0
     pinsyscall    45     90K     108K 166960K      1348        0
        memdesc     1      4K       4K 166960K         1        0
    crypto data     1      1K       1K 166960K         1        0
    ip6_options     0      0K       0K 166960K         9        0
            NDP    11      0K       2K 166960K        27        0
           temp    41   8659K    8723K 166960K      4433        0
         kqueue    13     20K      28K 166960K        56        0
      SYN cache     2     16K      16K 166960K         2        0
ddb{1}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache    128       26    0        0     1     0     1     1     0     8    0
rtpcb      120       41    0       38     1     0     1     1     0     8    0
rtentry    176      114    0        1     6     0     6     6     0     8    0
unpcb      144      165    0      150     2     0     2     2     0     8    1
syncache   336        4    0        4     1     0     1     1     0     8    1
tcpcb      736       89    0       85     4     0     4     4     0     8    3
arp        136       18    0        0     1     0     1     1     0     8    0
inpcb      328      249    0      241     4     0     4     4     0     8    3
ip6q        72        1    0        0     1     0     1     1     0     8    0
ip6af       40        2    0        0     1     0     1     1     0     8    0
nd6        152       27    0        0     2     0     2     2     0     8    0
kcovpl      48        8    0        0     1     0     1     1     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      471    0        0    30     0    30    30     0     8    0
art_table   40      472    0        0     5     0     5     5     0     8    0
art_node    32      114    0       11     1     0     1     1     0     8    0
sysvmsgpl   40        4    0        2     1     0     1     1     0     8    0
semapl     112       14    0        4     1     0     1     1     0     8    0
shmpl      112       12    0        1     1     0     1     1     0     8    0
pool(0xffffffff8397d6a0:shmpl): page inconsistency: page 0xfffffd8066b61000; 23 on list, 11 missing, 35 items per page
dirhash    1024      21    0        2     3     0     3     3     0     8    0
dino2pl    256     1789    0      278    95     0    95    95     0     8    0
ffsino     296     1789    0      278   117     0   117   117     0     8    0
nchpl      144     2227    0      542    63     0    63    63     0     8    0
vnodes     216     1870    0        0   104     0   104   104     0     8    0
namei      1024    6609    0     6608     1     0     1     1     0     8    0
percpumem   16       49    0        0     1     0     1     1     0     8    0
kstatmem   264       24    0        0     2     0     2     2     0     8    0
scxspl     216     7741    0     7740    10     2     8     8     1     8    7
plimitpl   152       89    0       65     2     0     2     2     0     8    1
sigapl     424      584    0      531     7     0     7     7     0     8    0
knotepl    120      317    0        0    10     0    10    10     0     8    0
kqueuepl   224       71    0       62     1     0     1     1     0     8    0
pipepl     344      123    0       96     3     0     3     3     0     8    0
fdescpl    528      568    0      532     3     0     3     3     0     8    0
filepl     160     2320    0     2109    11     0    11    11     0     8    1
lockfpl    104       36    0       34     1     0     1     1     0     8    0
lockfspl    48       13    0       11     1     0     1     1     0     8    0
sessionpl  144       22    0        6     1     0     1     1     0     8    0
pgrppl      48       34    0       10     1     0     1     1     0     8    0
ucredpl    104      264    0      245     1     0     1     1     0     8    0
zombiepl   144      535    0      531     1     0     1     1     0     8    0
processpl  1232     584    0      531     5     0     5     5     0     8    0
procpl     664      873    0      817     7     0     7     7     0     8    1
sosppl     176        3    0        3     1     0     1     1     0     8    1
sockpl     752      459    0      433     7     0     7     7     0     8    4
mcl64k     65536      4    0        0     1     0     1     1     0     8    0
mcl8k      8192       2    0        0     1     0     1     1     0     8    0
mcl4k      4096     117    0        0    15     0    15    15     0     8    0
mcl2k2     2112       1    0        0     1     0     1     1     0     8    0
mcl2k      2048      21    0        0     3     0     3     3     0     8    0
mtagpl      96        3    0        0     1     0     1     1     0     8    0
mbufpl     256      287    0        0    18     0    18    18     0     8    0
bufpl      280     2570    0      118   176     0   176   176     0     8    0
anonpl      32     5565    0        0    46     1    45    45     0   246    0
amapchunkpl 152   13794    0    13274    31     0    31    31     0   158    5
amappl16   200     2148    0     2126     5     2     3     5     0     8    1
amappl15   192        4    0        4     1     1     0     1     0     8    0
amappl14   184       26    0       26     2     1     1     1     0     8    1
amappl13   176      413    0      412     1     0     1     1     0     8    0
amappl12   168      898    0      854     3     0     3     3     0     8    0
amappl11   160       16    0       16     1     1     0     1     0     8    0
amappl10   152       41    0       31     1     0     1     1     0     8    0
amappl9    144      253    0      253     1     1     0     1     0     8    0
amappl8    136       25    0       24     1     0     1     1     0     8    0
amappl7    128       76    0       75     1     0     1     1     0     8    0
amappl6    120      280    0      269     1     0     1     1     0     8    0
amappl5    112       80    0       72     1     0     1     1     0     8    0
amappl4    104      379    0      357     1     0     1     1     0     8    0
amappl3     96     2166    0     2070     3     0     3     3     0     8    0
amappl2     88      686    0      609     2     0     2     2     0     8    0
amappl1     80     9448    0     8878    14     0    14    14     0     8    0
amappl      88     3818    0     3640     5     0     5     5     0    92    0
uvmvnodes   80      100    0        0     3     0     3     3     0     8    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma1024    1024       1    0        0     1     0     1     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      72       14    0        1     1     0     1     1     0     8    0
uaddrrnd    24      568    0      532     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      568    0      532     1     0     1     1     0     8    0
vmmpekpl   168     6232    0     6203     2     0     2     2     0     8    0
vmmpepl    168    43733    0    41730    99     0    99    99     0   357    4
vmsppl     488      567    0      532     7     1     6     6     0     8    0
rwobjpl     80    14955    0    14010    22     0    22    22     0     8    0
pdppl      4096    1143    0     1064   105    20    85    93     0     8    6
pvpl        32    12515    0        0   101     0   101   101     0   265    0
pmappl     256      567    0      532     4     1     3     3     0     8    0
extentpl    40       45    0       27     1     0     1     1     0     8    0
phpool     112      285    0       23     8     0     8     8     0     8    0
ddb{1}> machine ddbcpu 0
Stopped at      x86_ipi_db+0x27:        addq    $0x8,%rsp
x86_ipi_db(ffffffff83831ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff83904b40) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline]
__mp_lock(ffffffff83904b40) at __mp_lock+0x192 sys/kern/kern_lock.c:173
intr_handler(ffff80002ebd5580,ffff80000006b400) at intr_handler+0xe9 sys/arch/amd64/amd64/intr.c:560
Xintr_ioapic_edge23_untramp() at Xintr_ioapic_edge23_untramp+0x18f
end of kernel
end trace frame: 0x736347ffeb80, count: 9
ddb{0}> trace
x86_ipi_db(ffffffff83831ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff83904b40) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline]
__mp_lock(ffffffff83904b40) at __mp_lock+0x192 sys/kern/kern_lock.c:173
intr_handler(ffff80002ebd5580,ffff80000006b400) at intr_handler+0xe9 sys/arch/amd64/amd64/intr.c:560
Xintr_ioapic_edge23_untramp() at Xintr_ioapic_edge23_untramp+0x18f
end of kernel
end trace frame: 0x736347ffeb80, count: -6
ddb{0}> machine ddbcpu 1
Stopped at      db_enter+0x25:  addq    $0x8,%rsp
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff8339ab14) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff8397d6a0,1,ffff80003c423348) at pool_do_get+0x5df
pool_get(ffffffff8397d6a0,1) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff8000fffee018,ffff80003c4235a0,0,ffff80003c4234f0) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff8000fffee018,ffff80003c4235a0,ffff80003c4234f0) at sys_shmget+0x195 sys/kern/sysv_shm.c:482
syscall(ffff80003c4235a0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c4235a0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:765
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x6bffb953360, count: 7
ddb{1}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff8339ab14) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff8397d6a0,1,ffff80003c423348) at pool_do_get+0x5df
pool_get(ffffffff8397d6a0,1) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff8000fffee018,ffff80003c4235a0,0,ffff80003c4234f0) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff8000fffee018,ffff80003c4235a0,ffff80003c4234f0) at sys_shmget+0x195 sys/kern/sysv_shm.c:482
syscall(ffff80003c4235a0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c4235a0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:765
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x6bffb953360, count: -8

Crashes (532):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/11/17 20:46 openbsd a49642845568 c1ade9dd .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/17 01:45 openbsd 59cee6408d9e f7988ea4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/16 09:35 openbsd 9c41abc406e3 f7988ea4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/16 00:48 openbsd 42d4ce758e42 f7988ea4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main pool: free list modified: shmpl
2025/11/14 17:10 openbsd 56163c0cd41e f7988ea4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/13 19:14 openbsd 3a7be1e428cc 07e030de .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/12 12:22 openbsd 30ee307006ea 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/11 18:31 openbsd 05de582f27ae 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main pool: free list modified: shmpl
2025/11/11 08:08 openbsd d046e1d8fd3f 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/10 07:28 openbsd 129ed0dedc2e 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/10 06:09 openbsd 129ed0dedc2e 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main pool: free list modified: shmpl
2025/11/10 00:43 openbsd ba1265228048 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/09 20:20 openbsd ba1265228048 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/09 12:09 openbsd e187005a6767 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/09 08:04 openbsd e187005a6767 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main pool: free list modified: shmpl
2025/11/08 19:44 openbsd f09b465a1938 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/08 13:24 openbsd f09b465a1938 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main pool: free list modified: shmpl
2025/11/08 12:20 openbsd f09b465a1938 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/07 21:50 openbsd cc3bb0869211 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/07 04:27 openbsd b51d00b45631 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/11/06 22:29 openbsd b51d00b45631 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/06 21:09 openbsd b51d00b45631 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/11/06 07:09 openbsd 05dcfb71c047 a6c9c731 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main pool: free list modified: shmpl
2025/11/06 06:05 openbsd 3c68d8d4395f a6c9c731 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/05 20:33 openbsd 69af9e93ff65 a6c9c731 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/04 20:51 openbsd e111ebd78232 a6c9c731 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/04 18:25 openbsd e111ebd78232 686bf657 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/04 14:45 openbsd 512bb19460b6 686bf657 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/11/03 06:35 openbsd dd6e4afad218 2c50b6a9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/02 02:17 openbsd 61cf0bee8b67 2c50b6a9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/11/01 04:29 openbsd c58a321e760c 2c50b6a9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main pool: free list modified: shmpl
2025/10/30 19:42 openbsd f10db54d1e58 2c50b6a9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/10/30 17:41 openbsd f10db54d1e58 2c50b6a9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/10/30 12:18 openbsd 097630938d32 fd2207e7 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/10/29 07:38 openbsd 9abc5df53d8a fd2207e7 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/10/28 16:31 openbsd 46d840b2b363 fd2207e7 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/10/28 09:14 openbsd 0d28fdf4a95c fd2207e7 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/10/26 07:55 openbsd 1ff8d81aaa1e c0460fcd .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/10/25 18:16 openbsd 61d6733dbbce c0460fcd .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/10/24 17:21 openbsd f7635e2c043a c0460fcd .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/10/24 15:43 openbsd f7635e2c043a c0460fcd .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/10/24 11:56 openbsd f7635e2c043a c0460fcd .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/10/24 07:49 openbsd f7635e2c043a c0460fcd .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/10/24 05:22 openbsd 6cdaebff9937 c0460fcd .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/10/24 00:50 openbsd 6cdaebff9937 c0460fcd .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/02/04 10:39 openbsd 1eab3ea7ad62 8f267cef .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
* Struck through repros no longer work on HEAD.