syzbot

 sign-in | mailing list | source | docs
🐞 Open [178]
🐞 Fixed [300]
🐞 Invalid [1015]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

pool: free list modified: shmpl (6)

Status: upstream: reported on 2025/02/04 10:40
Reported-by: syzbot+640f5b53834a8559e680@syzkaller.appspotmail.com
First crash: 430d, last: 13h49m
Similar bugs (5)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
openbsd pool: free list modified: shmpl (3) -1 1 2137d 2137d 0/3 auto-closed as invalid on 2020/09/01 15:24
openbsd pool: free list modified: shmpl -1 C 22 2501d 2596d 3/3 fixed on 2019/10/29 17:45
openbsd pool: free list modified: shmpl (5) -1 43 508d 601d 0/3 auto-obsoleted due to no activity on 2025/01/07 01:02
openbsd pool: free list modified: shmpl (2) -1 1 2318d 2318d 0/3 auto-closed as invalid on 2020/03/04 23:09
openbsd pool: free list modified: shmpl (4) -1 1 879d 879d 0/3 auto-obsoleted due to no activity on 2024/02/11 22:36

Sample crash report:
panic: pool_do_get: shmpl free list modified: page 0xfffffd8066939000; item addr 0xfffffd8066939008; offset 0x40=0x69d8c197
Stopped at      db_enter+0x25:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
 204030  62611  32767        0x10          0    0  syz-executor
*184126  62611  32767        0x10  0x4000000    1K syz-executor
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff83446ca9) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff839cee68,1,ffff8000383c7e78) at pool_do_get+0x5df
pool_get(ffffffff839cee68,1) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff8000fffe7a10,ffff8000383c80d0,0,ffff8000383c8020) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff8000fffe7a10,ffff8000383c80d0,ffff8000383c8020) at sys_shmget+0x195 sys/kern/sysv_shm.c:482
syscall(ffff8000383c80d0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff8000383c80d0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x39545660ba0, count: 7
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{1}> 
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu1: pool_do_get: shmpl free list modified: page 0xfffffd8066939000; item addr 0xfffffd8066939008; offset 0x40=0x69d8c197
ddb{1}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff83446ca9) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff839cee68,1,ffff8000383c7e78) at pool_do_get+0x5df
pool_get(ffffffff839cee68,1) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff8000fffe7a10,ffff8000383c80d0,0,ffff8000383c8020) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff8000fffe7a10,ffff8000383c80d0,ffff8000383c8020) at sys_shmget+0x195 sys/kern/sysv_shm.c:482
syscall(ffff8000383c80d0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff8000383c80d0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x39545660ba0, count: -8
ddb{1}> show registers
rdi                                0
rsi                              0x1
rbp               0xffff8000383c7ca0
rbx               0xffff8000299aee07
rdx                                0
rcx               0xffff8000fffe7a10
rax               0xffff8000299adff0
r8                 0x101010101010101
r9                0x8080808080808080
r10               0xac0fdbf399562ae5
r11               0x12fede0a7698fbc3
r12               0xffff8000299aec08
r13                                0
r14                                0
r15                              0x1
rip               0xffffffff81f9e005    db_enter+0x25
cs                               0x8
rflags                         0x246
rsp               0xffff8000383c7c90
ss                              0x10
db_enter+0x25:  addq    $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor) tid=184126 pid=62611 tcnt=2 stat=onproc
    flags process=10<SUGID> proc=4000000<THREAD>
    runpri=32, usrpri=86, slppri=32, nice=20
    wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
    forw=0xffffffffffffffff, list=0xffff8000fffe62b8,0xffffffff839d3900
    process=0xffff800039fde1d0 user=0xffff8000383c3000, vmspace=0xfffffd800f8177d0
    estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0
ddb{1}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 62611  204030  26293  32767  7        0x10                syz-executor
*62611  184126  26293  32767  7   0x4000010                syz-executor
 53149  255911   4059  32767  2        0x10                syz-executor
 53149  140810   4059  32767  3   0x4000090  fsleep        syz-executor
  3845  167763  55615  32767  3        0x90  nanoslp       syz-executor
  3845  122893  55615  32767  3   0x4000090  fsleep        syz-executor
  3845  495515  55615  32767  3   0x4000090  fsleep        syz-executor
 38320   63084   8594      0  3    0x100082  sbwait        ndp
  8594  489303  61740      0  3    0x10008a  sigsusp       sh
 55615  425070   4334  32767  3        0x90  nanoslp       syz-executor
 61740  445310  19177      0  3        0x80  wait          syz-executor
 26293  431114  38005  32767  3        0x90  nanoslp       syz-executor
  4059  117542   2952  32767  3        0x90  nanoslp       syz-executor
 96240   40284  48833  32767  3        0x90  wait          syz-executor
 47438  355856  10968  32767  3        0x90  wait          syz-executor
 79100  331309  53535  32767  3        0x90  wait          syz-executor
 93956  283487   2389  32767  3        0x10  biowait       syz-executor
  4334  214102   6962      0  3        0x82  wait          syz-executor
 38005   20874   6962      0  3        0x82  wait          syz-executor
  2952  118327   6962      0  3        0x82  wait          syz-executor
 19177  460682   6962      0  3        0x82  wait          syz-executor
  2389  498458   6962      0  3        0x82  wait          syz-executor
 10968  386531   6962      0  3        0x82  wait          syz-executor
 48833  259424   6962      0  3        0x82  wait          syz-executor
 53535  127654   6962      0  3        0x82  wait          syz-executor
  6962  218297   2243      0  3        0x82  kqread        syz-executor
  2243   72609  75370      0  3    0x10008a  sigsusp       ksh
 75370  325780  98322      0  3        0x98  kqread        sshd-session
 98322  378743  35818      0  3        0x92  kqread        sshd-session
 62047  217167      1      0  3    0x100083  ttyin         getty
 35818  117657      1      0  3        0x88  kqread        sshd
 81249  111767  53133     73  3   0x1100090  kqread        syslogd
 53133   70377      1      0  3    0x100082  sbwait        syslogd
 84935  424236      1      0  3    0x100080  kqread        resolvd
 51644  489722  27773     77  3    0x100092  kqread        dhcpleased
 68123  410059  27773     77  3    0x100092  kqread        dhcpleased
 27773  341622      1      0  3        0x80  kqread        dhcpleased
 30573   53545      0      0  3     0x14200  bored         smr
 20337  461880      0      0  3     0x14200  pgzero        zerothread
 48405  501455      0      0  3     0x14200  aiodoned      aiodoned
 31465  282651      0      0  3     0x14200  syncer        update
 12939  240522      0      0  3     0x14200  cleaner       cleaner
 64738  460984      0      0  3     0x14200  reaper        reaper
 52688  135973      0      0  3     0x14200  pgdaemon      pagedaemon
 84186  329312      0      0  3     0x14200  bored         viomb
 21040  194481      0      0  3  0x40014200  acpi0         acpi0
 53102  139046      0      0  3  0x40014200                idle1
 41793    2718      0      0  3     0x14200  bored         softnet1
 21534  354643      0      0  3     0x14200  bored         softnet0
 92096  378490      0      0  3     0x14200  bored         systqmp
 56850  179851      0      0  3     0x14200  bored         systq
 41017  101031      0      0  3     0x14200  tmoslp        softclockmp
 37693  296786      0      0  3  0x40014200  tmoslp        softclock
 31747  211654      0      0  3  0x40014200                idle0
     1  473397      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{1}> show all locks
CPU 1:
exclusive mutex shmpl r = 0 (0xffffffff839cee80)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  mtx_enter+0x4b4 sys/kern/kern_lock.c:487
#2  pool_get+0x124 sys/kern/subr_pool.c:585
#3  shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
#4  sys_shmget+0x195 sys/kern/sysv_shm.c:482
#5  syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#5  syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
#6  Xsyscall+0x128
Process 62611 (syz-executor) thread 0xffff8000fffe7a10 (184126)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff839d8100)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  syscall+0xaf4 mi_syscall sys/sys/syscall_mi.h:175 [inline]
#1  syscall+0xaf4 sys/arch/amd64/amd64/trap.c:783
#2  Xsyscall+0x128
exclusive mutex shmpl r = 0 (0xffffffff839cee80)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  mtx_enter+0x4b4 sys/kern/kern_lock.c:487
#2  pool_get+0x124 sys/kern/subr_pool.c:585
#3  shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
#4  sys_shmget+0x195 sys/kern/sysv_shm.c:482
#5  syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#5  syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
#6  Xsyscall+0x128
Process 93956 (syz-executor) thread 0xffff8000fffef240 (283487)
exclusive rrwlock inode r = 0 (0xfffffd806cadf1e8)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2  rrw_enter+0xc6 sys/kern/kern_rwlock.c:621
#3  VOP_LOCK+0xbd sys/kern/vfs_vops.c:527
#4  vn_lock+0xa4 sys/kern/vfs_vnops.c:576
#5  vget+0x2a2 sys/kern/vfs_subr.c:686
#6  ufs_ihashget+0x185 sys/ufs/ufs/ufs_ihash.c:98
#7  ffs_vget+0x8c sys/ufs/ffs/ffs_vfsops.c:1203
#8  ufs_lookup+0x1a36 sys/ufs/ufs/ufs_lookup.c:478
#9  VOP_LOOKUP+0x6e sys/kern/vfs_vops.c:85
#10 vfs_lookup+0x98a sys/kern/vfs_lookup.c:567
#11 namei+0x7ca sys/kern/vfs_lookup.c:250
#12 dounlinkat+0xc1 sys/kern/vfs_syscalls.c:1887
#13 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#13 syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
#14 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd806da211d8)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2  rrw_enter+0xc6 sys/kern/kern_rwlock.c:621
#3  VOP_LOCK+0xbd sys/kern/vfs_vops.c:527
#4  vn_lock+0xa4 sys/kern/vfs_vnops.c:576
#5  vfs_lookup+0x11c sys/kern/vfs_lookup.c:-1
#6  namei+0x7ca sys/kern/vfs_lookup.c:250
#7  dounlinkat+0xc1 sys/kern/vfs_syscalls.c:1887
#8  syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#8  syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
#9  Xsyscall+0x128
ddb{1}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 11074  12021K   12034K 166960K     12166        0
            pcb    17     12K      12K 166960K        17        0
         rtable   237      6K       7K 166960K       411        0
             pf    31     16K      16K 166960K        31        0
         ifaddr    42      7K       7K 166960K        44        0
        ifgroup    50      2K       2K 166960K        50        0
         sysctl     3      1K       9K 166960K         9        0
       counters    70     37K      37K 166960K        70        0
       ioctlops     0      0K       4K 166960K        39        0
            iov     0      0K      12K 166960K        15        0
          mount     1      1K       1K 166960K         1        0
            log     0      0K       0K 166960K         4        0
         vnodes  1288     81K      81K 166960K      1393        0
      UFS quota     1     32K      32K 166960K         1        0
      UFS mount     5     36K      36K 166960K         5        0
            shm     2      1K       5K 166960K        10        0
         VM map     2      1K       1K 166960K         2        0
            sem    12      1K       1K 166960K        29        0
        dirhash    12      2K       2K 166960K        18        0
           ACPI  1692    195K     286K 166960K     12470        0
      file desc    26     97K     125K 166960K       628        0
          sigio     0      0K       0K 166960K         9        0
           proc    58     99K     147K 166960K       570        0
        subproc    72      4K       4K 166960K        72        0
    NFS srvsock     1      0K       0K 166960K         1        0
     NFS daemon     1     16K      16K 166960K         1        0
    ip_moptions     0      0K       0K 166960K        98        0
       in_multi    99      7K       7K 166960K       123        0
    ether_multi     1      0K       0K 166960K         3        0
            mrt     0      0K       0K 166960K        17        0
    ISOFS mount     1     32K      32K 166960K         1        0
  MSDOSFS mount     1     16K      16K 166960K         1        0
           ttys   187    837K     837K 166960K       187        0
           exec     0      0K       1K 166960K       760        0
   fusefs mount     1     32K      32K 166960K         1        0
            tdb     3      0K       0K 166960K         3        0
        VM swap     8     62K      64K 166960K        10        0
       UVM amap   246    145K     164K 166960K      7539        0
       UVM aobj    51      2K       3K 166960K        54        0
     pinsyscall    48     96K     114K 166960K      1769        0
        memdesc     1      4K       4K 166960K         1        0
    crypto data     1      1K       1K 166960K         1        0
    ip6_options     0      0K       0K 166960K        41        0
            NDP    11      0K       2K 166960K        27        0
           temp    54   9078K    9143K 166960K      6065        0
         kqueue    14     22K      37K 166960K       138        0
      SYN cache     2     16K      16K 166960K         2        0
ddb{1}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache    128       26    0        0     1     0     1     1     0     8    0
rtpcb      120      108    0      104     2     0     2     2     0     8    1
rtentry    176      114    0        4     6     0     6     6     0     8    0
unpcb      144      544    0      529     4     0     4     4     0     8    3
syncache   336       10    0       10     1     0     1     1     0     8    1
tcpqe       32        1    0        1     1     1     0     1     0     8    0
tcpcb      736      375    0      367     8     1     7     7     0     8    6
arp        136       19    0        0     1     0     1     1     0     8    0
ipq         40        6    0        2     1     0     1     1     0     8    0
ipqe        40       17    0       13     1     0     1     1     0     8    0
inpcb      328      659    0      645     8     1     7     7     0     8    5
ip6q        72        4    0        0     1     0     1     1     0     8    0
ip6af       40        3    0        0     1     0     1     1     0     8    0
nd6        152       26    0        3     1     0     1     1     0     8    0
kcovpl      48        8    0        0     1     0     1     1     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      481    0       28    30     0    30    30     0     8    1
art_table   40      482    0       28     5     0     5     5     0     8    0
art_node    32      114    0       14     1     0     1     1     0     8    0
sysvmsgpl   40       11    0        2     1     0     1     1     0     8    0
semupl     112        1    0        1     1     1     0     1     0     8    0
semapl     112       25    0       15     1     0     1     1     0     8    0
shmpl      112       51    0        3     2     0     2     2     0     8    0
pool(0xffffffff839cee68:shmpl): page inconsistency: page 0xfffffd8066939000; 21 on list, 13 missing, 35 items per page
dirhash    1024      21    0        4     3     0     3     3     0     8    0
dino2pl    256     2273    0      809    92     0    92    92     0     8    0
ffsino     296     2273    0      809   114     0   114   114     0     8    0
nchpl      144     3194    0     1504    64     0    64    64     0     8    0
vnodes     216     2354    0        0   131     0   131   131     0     8    0
namei      1024   11045    0    11045     2     1     1     2     0     8    1
percpumem   16       50    0        0     1     0     1     1     0     8    0
kstatmem   264       24    0        0     2     0     2     2     0     8    0
scxspl     216    10438    0    10437    11     5     6     8     1     8    5
plimitpl   152      344    0      320     2     0     2     2     0     8    1
sigapl     424      933    0      879     7     0     7     7     0     8    0
knotepl    120      358    0        0    11     0    11    11     0     8    0
kqueuepl   224      296    0      286     5     0     5     5     0     8    4
pipepl     344      163    0      136     3     0     3     3     0     8    0
fdescpl    528      917    0      879     4     0     4     4     0     8    0
filepl     160     5210    0     4993    16     1    15    15     0     8    3
lockfpl    104      242    0      240     1     0     1     1     0     8    0
lockfspl    48       63    0       61     1     0     1     1     0     8    0
sessionpl  144       57    0       40     1     0     1     1     0     8    0
pgrppl      48       77    0       52     1     0     1     1     0     8    0
ucredpl    104      933    0      915     1     0     1     1     0     8    0
zombiepl   144      882    0      879     1     0     1     1     0     8    0
processpl  1232     933    0      879     5     0     5     5     0     8    0
procpl     664     1767    0     1709     6     0     6     6     0     8    0
sosppl     176        5    0        5     1     0     1     1     0     8    1
sockpl     752     1319    0     1286    17     4    13    17     0     8    8
mcl64k     65536      4    0        0     1     0     1     1     0     8    0
mcl16k     16384      1    0        0     1     0     1     1     0     8    0
mcl12k     12288      1    0        0     1     0     1     1     0     8    0
mcl8k      8192       3    0        0     1     0     1     1     0     8    0
mcl4k      4096     114    0        0    15     0    15    15     0     8    0
mcl2k      2048      26    0        0     4     0     4     4     0     8    0
mtagpl      96        3    0        0     1     0     1     1     0     8    0
mbufpl     256      345    0        0    22     0    22    22     0     8    0
bufpl      280     2907    0      103   201     0   201   201     0     8    0
anonpl      32     7587    0        0    62     0    62    62     0   246    0
amapchunkpl 152   23732    0    23189    30     0    30    30     0   158    6
amappl16   200     3253    0     3229    19     6    13    15     0     8    8
amappl15   192        5    0        5     1     1     0     1     0     8    0
amappl14   184      448    0      446     1     0     1     1     0     8    0
amappl13   176      129    0      117     1     0     1     1     0     8    0
amappl12   168     1158    0     1122     2     0     2     2     0     8    0
amappl11   160       32    0       31     1     0     1     1     0     8    0
amappl10   152      140    0      130     1     0     1     1     0     8    0
amappl9    144      265    0      264     1     0     1     1     0     8    0
amappl8    136      101    0      100     1     0     1     1     0     8    0
amappl7    128      150    0      137     1     0     1     1     0     8    0
amappl6    120      158    0      156     1     0     1     1     0     8    0
amappl5    112      108    0      100     1     0     1     1     0     8    0
amappl4    104      286    0      269     1     0     1     1     0     8    0
amappl3     96     4732    0     4601     5     1     4     4     0     8    0
amappl2     88      614    0      556     2     0     2     2     0     8    0
amappl1     80    14035    0    13425    17     0    17    17     0     8    3
amappl      88     6704    0     6524     5     0     5     5     0    92    0
uvmvnodes   80      110    0        0     3     0     3     3     0     8    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma1024    1024       1    0        0     1     0     1     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      72       53    0        3     1     0     1     1     0     8    0
uaddrrnd    24      917    0      879     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      917    0      879     1     0     1     1     0     8    0
vmmpekpl   168     9869    0     9837     2     0     2     2     0     8    0
vmmpepl    168    69500    0    67397   108     1   107   108     0   357    6
vmsppl     488      916    0      879     7     1     6     6     0     8    0
rwobjpl     80    22597    0    21534    27     0    27    27     0     8    1
pdppl      4096    1841    0     1758   119    30    89    97     0     8    6
pvpl        32    15973    0        0   129     0   129   129     0   265    0
pmappl     256      916    0      879     4     1     3     3     0     8    0
extentpl    40       45    0       27     1     0     1     1     0     8    0
phpool     112      307    0       35     8     0     8     8     0     8    0
ddb{1}> machine ddbcpu 0
Stopped at      x86_ipi_db+0x27:        addq    $0x8,%rsp
x86_ipi_db(ffffffff83965ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff839d7900) at __mp_lock+0x1a3 __mp_lock_spin sys/kern/kern_lock.c:142 [inline]
__mp_lock(ffffffff839d7900) at __mp_lock+0x1a3 sys/kern/kern_lock.c:173
intr_handler(ffff80003c3ebe90,ffff8000002a3480) at intr_handler+0xe9 sys/arch/amd64/amd64/intr.c:560
Xintr_ioapic_edge23_untramp() at Xintr_ioapic_edge23_untramp+0x18f
end of kernel
end trace frame: 0x7e25fc3c37b0, count: 9
ddb{0}> trace
x86_ipi_db(ffffffff83965ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff839d7900) at __mp_lock+0x1a3 __mp_lock_spin sys/kern/kern_lock.c:142 [inline]
__mp_lock(ffffffff839d7900) at __mp_lock+0x1a3 sys/kern/kern_lock.c:173
intr_handler(ffff80003c3ebe90,ffff8000002a3480) at intr_handler+0xe9 sys/arch/amd64/amd64/intr.c:560
Xintr_ioapic_edge23_untramp() at Xintr_ioapic_edge23_untramp+0x18f
end of kernel
end trace frame: 0x7e25fc3c37b0, count: -6
ddb{0}> machine ddbcpu 1
Stopped at      db_enter+0x25:  addq    $0x8,%rsp
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff83446ca9) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff839cee68,1,ffff8000383c7e78) at pool_do_get+0x5df
pool_get(ffffffff839cee68,1) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff8000fffe7a10,ffff8000383c80d0,0,ffff8000383c8020) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff8000fffe7a10,ffff8000383c80d0,ffff8000383c8020) at sys_shmget+0x195 sys/kern/sysv_shm.c:482
syscall(ffff8000383c80d0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff8000383c80d0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x39545660ba0, count: 7
ddb{1}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff83446ca9) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff839cee68,1,ffff8000383c7e78) at pool_do_get+0x5df
pool_get(ffffffff839cee68,1) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff8000fffe7a10,ffff8000383c80d0,0,ffff8000383c8020) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff8000fffe7a10,ffff8000383c80d0,ffff8000383c8020) at sys_shmget+0x195 sys/kern/sysv_shm.c:482
syscall(ffff8000383c80d0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff8000383c80d0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x39545660ba0, count: -8

Crashes (809):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/04/10 09:24 openbsd 7bdd0d20c161 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/10 05:09 openbsd 7bdd0d20c161 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/09 11:56 openbsd b0cdb9e75fee 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/09 09:44 openbsd b0cdb9e75fee 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/09 02:47 openbsd b0cdb9e75fee 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/08 13:42 openbsd 15cb22fda4ec 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/07 23:15 openbsd 008d3704691e 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/07 21:22 openbsd c0c2c6a525e1 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/07 13:37 openbsd c0c2c6a525e1 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2026/04/07 10:04 openbsd c0c2c6a525e1 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2026/04/05 23:21 openbsd bc22b0de1984 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/05 09:14 openbsd c9c58e023502 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/03 13:26 openbsd de6be2070bf6 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/31 20:02 openbsd 077f28b4c6a4 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2026/03/31 17:14 openbsd 077f28b4c6a4 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/31 01:22 openbsd 0a71aa187b1b 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/31 00:20 openbsd 0a71aa187b1b 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/30 20:12 openbsd d3e6ebe0e992 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/30 15:25 openbsd d3e6ebe0e992 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main pool: free list modified: shmpl
2026/03/30 10:35 openbsd d3e6ebe0e992 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/30 04:14 openbsd 7ab78e8bd090 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/30 01:33 openbsd 7ab78e8bd090 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/29 16:15 openbsd 8c0bc7d7b019 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/29 12:15 openbsd 8c0bc7d7b019 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/29 11:35 openbsd 8c0bc7d7b019 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/29 10:00 openbsd 8c0bc7d7b019 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/29 07:16 openbsd 8c0bc7d7b019 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/28 14:54 openbsd 9d790fdba930 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/28 12:52 openbsd 9d790fdba930 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/27 20:13 openbsd f3ad7971a235 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/27 15:32 openbsd f3ad7971a235 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/27 13:41 openbsd 2f434a4256f3 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/27 11:46 openbsd 2f434a4256f3 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/27 08:02 openbsd 2f434a4256f3 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/26 20:51 openbsd 9c6370df4fcd 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/26 13:09 openbsd 9c6370df4fcd 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/26 09:36 openbsd 84b7e477fd25 c6143aac .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/26 07:40 openbsd 84b7e477fd25 c6143aac .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/25 23:39 openbsd ee1bf64f5bae 4367a094 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/24 13:40 openbsd 7348976a6ac6 74e70d19 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2026/03/24 02:41 openbsd 2084961b940b baf8bf12 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/21 16:04 openbsd 8aa14d77a9ab 5b92003d .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main pool: free list modified: shmpl
2026/03/21 01:16 openbsd 65032adb4937 85bf2a64 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/20 23:14 openbsd 65032adb4937 85bf2a64 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/20 20:50 openbsd 65032adb4937 85bf2a64 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/20 09:23 openbsd f53d362946f9 2f245add .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main pool: free list modified: shmpl
2026/03/19 17:46 openbsd e3f28ea82b45 0291cd06 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2026/03/18 20:32 openbsd 561bf2d2294a 0199f9a1 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main pool: free list modified: shmpl
2026/03/17 02:44 openbsd 5eccae830399 0737c18f .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/02/04 10:39 openbsd 1eab3ea7ad62 8f267cef .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
* Struck through repros no longer work on HEAD.