syzbot

 sign-in | mailing list | source | docs
🐞 Open [109]
🐞 Fixed [291]
🐞 Invalid [899]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

pool: free list modified: shmpl (6)

Status: upstream: reported on 2025/02/04 10:40
Reported-by: syzbot+640f5b53834a8559e680@syzkaller.appspotmail.com
First crash: 220d, last: 2d00h
Similar bugs (5)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
openbsd pool: free list modified: shmpl (3) -1 1 1927d 1927d 0/3 auto-closed as invalid on 2020/09/01 15:24
openbsd pool: free list modified: shmpl -1 C 22 2292d 2386d 3/3 fixed on 2019/10/29 17:45
openbsd pool: free list modified: shmpl (5) -1 43 299d 391d 0/3 auto-obsoleted due to no activity on 2025/01/07 01:02
openbsd pool: free list modified: shmpl (2) -1 1 2108d 2108d 0/3 auto-closed as invalid on 2020/03/04 23:09
openbsd pool: free list modified: shmpl (4) -1 1 669d 669d 0/3 auto-obsoleted due to no activity on 2024/02/11 22:36

Sample crash report:
panic: pool_do_get: shmpl free list modified: page 0xfffffd805e130000; item addr 0xfffffd805e1309a8; offset 0x0=0x0 != 0x570c1e2c6c75146f
Stopped at      db_enter+0x25:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
 141261  17511      0           0          0    1  syz-executor
*243322  20230      0           0  0x4000000    0  syz-executor
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff833af1da) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff839b6048,1,ffff8000333e26c8) at pool_do_get+0x597 sys/kern/subr_pool.c:743
pool_get(ffffffff839b6048,1) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff8000fffe8fb0,ffff8000333e2920,172,ffff8000333e2870) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff8000fffe8fb0,ffff8000333e2920,ffff8000333e2870) at sys_shmget+0x195 sys/kern/sysv_shm.c:482
syscall(ffff8000333e2920) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff8000333e2920) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:746
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x5c15dc68560, count: 7
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{0}> 
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
*cpu0: pool_do_get: shmpl free list modified: page 0xfffffd805e130000; item addr 0xfffffd805e1309a8; offset 0x0=0x0 != 0x570c1e2c6c75146f
ddb{0}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff833af1da) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff839b6048,1,ffff8000333e26c8) at pool_do_get+0x597 sys/kern/subr_pool.c:743
pool_get(ffffffff839b6048,1) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff8000fffe8fb0,ffff8000333e2920,172,ffff8000333e2870) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff8000fffe8fb0,ffff8000333e2920,ffff8000333e2870) at sys_shmget+0x195 sys/kern/sysv_shm.c:482
syscall(ffff8000333e2920) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff8000333e2920) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:746
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x5c15dc68560, count: -8
ddb{0}> show registers
rdi                                0
rsi                              0x1
rbp               0xffff8000333e24f0
rbx               0xffffffff83822ddf    cpu_info_full_primary+0x2ddf
rdx               0xffff800001472540
rcx               0xffff8000fffe8fb0
rax               0xffffffff83821ff0    cpu_info_full_primary+0x1ff0
r8                 0x101010101010101
r9                0x8080808080808080
r10               0xbc3bcf705409486a
r11               0x785a323bcc30d03b
r12               0xffffffff83822be0    cpu_info_full_primary+0x2be0
r13                                0
r14                                0
r15                              0x1
rip               0xffffffff8271f805    db_enter+0x25
cs                               0x8
rflags                         0x246
rsp               0xffff8000333e24e0
ss                              0x10
db_enter+0x25:  addq    $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor) tid=243322 pid=20230 tcnt=2 stat=onproc
    flags process=0 proc=4000000<THREAD>
    runpri=32, usrpri=86, slppri=32, nice=20
    wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
    forw=0xffffffffffffffff, list=0xffff8000fffe87e8,0xffff8000fffe8030
    process=0xffff8000fffece88 user=0xffff8000333dd000, vmspace=0xfffffd805bdd9210
    estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0
ddb{0}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 17511  141261  60543      0  7           0                syz-executor
 20230   10189  11267      0  2           0                syz-executor
*20230  243322  11267      0  7   0x4000000                syz-executor
  8331  386705  22796      0  3        0x80  nanoslp       syz-executor
  8331  327863  22796      0  3   0x4000080  kqsel         syz-executor
  8331   57325  22796      0  3   0x4000080  fsleep        syz-executor
 88353  336926  62727      0  3        0x80  nanoslp       syz-executor
 88353  356814  62727      0  3   0x4000080  ttyout        syz-executor
 88353   83243  62727      0  3   0x4000080  fsleep        syz-executor
 88353  348634  62727      0  3   0x4000080  fsleep        syz-executor
 60543  247688  85267      0  3        0x82  nanoslp       syz-executor
  6402  261148      0      0  3     0x14200  acct          acct
 74143  281290      0      0  3     0x14200  bored         sosplice
 70308  391014  85267      0  3         0x2  biowait       syz-executor
 62727  379264  85267      0  3        0x82  nanoslp       syz-executor
 22796  360592  85267      0  3        0x82  nanoslp       syz-executor
 11267  366193  85267      0  3        0x82  nanoslp       syz-executor
   958  498363  85267      0  3        0x82  nanoslp       syz-executor
 16365  414809  85267      0  3        0x82  nanoslp       syz-executor
 48910   87822  85267      0  3        0x82  nanoslp       syz-executor
 85267  132126  40613      0  3        0x82  kqread        syz-executor
 40613  516897  71288      0  3    0x10008a  sigsusp       ksh
 71288  118782  58230      0  3        0x98  kqread        sshd-session
 58230  456160  46456      0  3        0x92  kqread        sshd-session
 90036  317364      1      0  3    0x100083  ttyin         getty
 46456  439504      1      0  3        0x88  kqread        sshd
 62334  454733  41694     74  3   0x1100092  bpf           pflogd
 41694  463877      1      0  3        0x80  sbwait        pflogd
  7863  146348  10772     73  3   0x1100090  kqread        syslogd
 10772  477061      1      0  3    0x100082  sbwait        syslogd
 46121  180276      1      0  3    0x100080  kqread        resolvd
 17594  478946  56351     77  3    0x100092  kqread        dhcpleased
 38624  505686  56351     77  3    0x100092  kqread        dhcpleased
 56351  261168      1      0  3        0x80  kqread        dhcpleased
 19587  141355      0      0  3     0x14200  bored         smr
 20014  135210      0      0  3     0x14200  pgzero        zerothread
  5786  405868      0      0  3     0x14200  aiodoned      aiodoned
  6159   76906      0      0  3     0x14200  syncer        update
  4489  340372      0      0  3     0x14200  cleaner       cleaner
 98365  207076      0      0  3     0x14200  reaper        reaper
 86981  495118      0      0  3     0x14200  pgdaemon      pagedaemon
 20438  469674      0      0  3     0x14200  bored         viomb
   716  188875      0      0  3  0x40014200  acpi0         acpi0
 68569  305174      0      0  3  0x40014200                idle1
 98587  436682      0      0  3     0x14200  bored         softnet1
 30167  457651      0      0  3     0x14200  bored         softnet0
 15216  413660      0      0  3     0x14200  bored         systqmp
  3135  496216      0      0  3     0x14200  bored         systq
 94981  149770      0      0  3     0x14200  tmoslp        softclockmp
 87571  225962      0      0  3  0x40014200  tmoslp        softclock
 56031  358658      0      0  3  0x40014200                idle0
     1  432655      0      0  3        0x82  wait          init
     0       0     -1      0  3  0x10010200  scheduler     swapper
ddb{0}> show all locks
CPU 0:
exclusive mutex shmpl r = 0 (0xffffffff839b6060)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  mtx_enter_try+0x1ad sys/kern/kern_lock.c:311
#2  mtx_enter+0x62 sys/kern/kern_lock.c:261
#3  pool_get+0x124 sys/kern/subr_pool.c:581
#4  shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
#5  sys_shmget+0x195 sys/kern/sysv_shm.c:482
#6  syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#6  syscall+0xb17 sys/arch/amd64/amd64/trap.c:746
#7  Xsyscall+0x128
Process 20230 (syz-executor) thread 0xffff8000fffe8fb0 (243322)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff8390bf70)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  syscall+0xaf4 mi_syscall sys/sys/syscall_mi.h:175 [inline]
#1  syscall+0xaf4 sys/arch/amd64/amd64/trap.c:746
#2  Xsyscall+0x128
exclusive mutex shmpl r = 0 (0xffffffff839b6060)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  mtx_enter_try+0x1ad sys/kern/kern_lock.c:311
#2  mtx_enter+0x62 sys/kern/kern_lock.c:261
#3  pool_get+0x124 sys/kern/subr_pool.c:581
#4  shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
#5  sys_shmget+0x195 sys/kern/sysv_shm.c:482
#6  syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#6  syscall+0xb17 sys/arch/amd64/amd64/trap.c:746
#7  Xsyscall+0x128
Process 70308 (syz-executor) thread 0xffff80002a270a78 (391014)
exclusive rrwlock inode r = 0 (0xfffffd806a81bd98)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2  rrw_enter+0xc6 sys/kern/kern_rwlock.c:621
#3  VOP_LOCK+0xa3 sys/kern/vfs_vops.c:527
#4  ufs_ihashins+0x4f ufs_ihash sys/ufs/ufs/ufs_ihash.c:-1 [inline]
#4  ufs_ihashins+0x4f sys/ufs/ufs/ufs_ihash.c:159
#5  ffs_vget+0x187 sys/ufs/ffs/ffs_vfsops.c:1232
#6  ffs_inode_alloc+0x279 sys/ufs/ffs/ffs_alloc.c:393
#7  ufs_mkdir+0xfc sys/ufs/ufs/ufs_vnops.c:1112
#8  VOP_MKDIR+0x101 sys/kern/vfs_vops.c:394
#9  domkdirat+0x179 sys/kern/vfs_syscalls.c:3113
#10 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#10 syscall+0xb17 sys/arch/amd64/amd64/trap.c:746
#11 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd806bf48a18)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2  rrw_enter+0xc6 sys/kern/kern_rwlock.c:621
#3  VOP_LOCK+0xa3 sys/kern/vfs_vops.c:527
#4  vn_lock+0xa4 sys/kern/vfs_vnops.c:570
#5  vfs_lookup+0x11c sys/kern/vfs_lookup.c:-1
#6  namei+0x7ca sys/kern/vfs_lookup.c:250
#7  domkdirat+0x8b sys/kern/vfs_syscalls.c:3098
#8  syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#8  syscall+0xb17 sys/arch/amd64/amd64/trap.c:746
#9  Xsyscall+0x128
ddb{0}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 10207  11153K   12265K 166960K     12750        0
            pcb    18     13K      14K 166960K       136        0
         rtable   205      8K      11K 166960K       361        0
             pf    33     17K      21K 166960K        99        0
         ifaddr    39      6K       8K 166960K        70        0
        ifgroup    51      2K       2K 166960K       104        0
         sysctl     3      1K       9K 166960K        10        0
       counters    66     36K      37K 166960K       122        0
       ioctlops     0      0K       4K 166960K      1554        0
            iov     0      0K      16K 166960K        28        0
          mount     1      1K       1K 166960K         1        0
            log     0      0K       0K 166960K         4        0
         vnodes  1452     91K      92K 166960K      2127        0
      UFS quota     1     32K      32K 166960K         1        0
      UFS mount     5     36K      36K 166960K         5        0
            shm     2      1K       5K 166960K        10        0
         VM map     2      1K       1K 166960K         2        0
            sem    12      0K       0K 166960K        66        0
        dirhash    12      2K       2K 166960K        21        0
           ACPI  1692    195K     286K 166960K     12470        0
      file desc    17     61K      93K 166960K       639        0
          sigio     0      0K       0K 166960K         5        0
           proc    72    115K     164K 166960K       617        0
        subproc    72      4K       4K 166960K        81        0
    NFS srvsock     1      0K       0K 166960K         1        0
     NFS daemon     1     16K      16K 166960K         1        0
    ip_moptions     1      0K       0K 166960K        54        0
       in_multi    88      6K       7K 166960K       140        0
    ether_multi     1      0K       0K 166960K         5        0
            mrt     0      0K       0K 166960K         1        0
    ISOFS mount     1     32K      32K 166960K         1        0
  MSDOSFS mount     1     16K      16K 166960K         1        0
           ttys    97    440K     440K 166960K        97        0
           exec     0      0K       1K 166960K       557        0
   fusefs mount     1     32K      32K 166960K         1        0
     pfkey data     0      0K       0K 166960K         1        0
            tdb     3      0K       0K 166960K         3        0
        VM swap     8     62K      64K 166960K        10        0
       UVM amap   251    161K     178K 166960K      7395        0
       UVM aobj    45     37K      37K 166960K        46        0
     pinsyscall    42     84K     104K 166960K      1754        0
        memdesc     1      4K       4K 166960K         1        0
    crypto data     1      1K       1K 166960K         1        0
    ip6_options     0      0K       0K 166960K        30        0
            NDP    11      0K       2K 166960K        46        0
           temp    47   8643K    8715K 166960K     29920        0
         kqueue    13     20K      26K 166960K       116        0
      SYN cache     2     16K      16K 166960K         2        0
ddb{0}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache    128       26    0        0     1     0     1     1     0     8    0
rtpcb      120       70    0       65     1     0     1     1     0     8    0
rtentry    176      118    0       31     5     0     5     5     0     8    0
unpcb      144      284    0      261     2     1     1     2     0     8    0
syncache   336        6    0        6     3     2     1     1     0     8    1
tcpcb      736      190    0      186     4     3     1     4     0     8    0
arp        136       13    0        4     1     0     1     1     0     8    0
inpcb      328      666    0      656     9     5     4     7     0     8    3
nd6        144       21    0        6     1     0     1     1     0     8    0
pkpcb       40        4    0        4     2     1     1     1     0     8    1
kcovpl      48        9    0        1     1     0     1     1     0     8    0
ppxss      1192      20    0       20     2     1     1     1     0     8    1
pppxif     1504       3    0        3     2     2     0     1     0     8    0
pffrag     232        5    0        0     1     0     1     1     0   482    0
pffrnode    88        5    0        0     1     0     1     1     0     8    0
pffrent     40        5    0        0     1     0     1     1     0     8    0
pfosfp      40     1428    0     1005     5     0     5     5     0     8    0
pfosfpen   112     1428    0      714    21     0    21    21     0     8    0
pfrktable  1344       9    0        9     2     2     0     1     0     8    0
pfanchor   1288       3    0        1     1     0     1     1     0     8    0
pftag       88        1    0        1     1     1     0     1     0     8    0
pfstitem    24       48    0        1     1     0     1     1     0     8    0
pfstkey    128       48    0        1     2     0     2     2     0     8    0
pfstate    384       47    0        1     5     0     5     5     0     8    0
pfrule     1344      24    0       18     2     0     2     2     0     8    0
art_heap8  4096       2    0        0     2     0     2     2     0     8    0
art_heap4  256      510    0      108    29     1    28    29     0     8    1
art_table   40      512    0      108     5     0     5     5     0     8    0
art_node    32      117    0       39     1     0     1     1     0     8    0
sysvmsgpl   40        4    0        0     1     0     1     1     0     8    0
semupl     112        1    0        1     1     1     0     1     0     8    0
semapl     112       60    0       50     1     0     1     1     0     8    0
shmpl      112       43    0        2     2     0     2     2     0     8    0
shmpl: pool(0xffffffff839b6048:shmpl): free list modified: page 0xfffffd805e130000; item ordinal 0; addr 0xfffffd805e1309a8 (p 0xfffffd805e130000); offset 0x0=0x0
shmpl: pool(0xffffffff839b6048:shmpl): page inconsistency: page 0xfffffd805e130000; item ordinal 1; addr 0x882534c1e8fd66ab
dirhash    1024      23    0        6     3     0     3     3     0     8    0
dino2pl    256     2593    0     1088    96     0    96    96     0     8    1
ffsino     296     2593    0     1088   118     1   117   118     0     8    0
nchpl      144     3477    0     1784    64     0    64    64     0     8    0
rtmask      32        4    0        4     1     1     0     1     0     8    0
uvmvnodes   80     3173    0        0    65     0    65    65     0     8    0
vnodes     216     3173    0        0   177     0   177   177     0     8    0
namei      1024   12757    0    12756     2     1     1     2     0     8    0
percpumem   16       76    0       28     1     0     1     1     0     8    0
pfiaddrpl  120        2    0        2     1     1     0     1     0     8    0
kstatmem   264       58    0       34     3     1     2     3     0     8    0
scsiplug    72        2    0        2     1     1     0     1     0     8    0
scxspl     216    21400    0    21399    10     9     1     8     1     8    0
plimitpl   152      206    0      188     1     0     1     1     0     8    0
sigapl     424      935    0      886     7     1     6     7     0     8    0
knotepl    120      453    0        0    14     0    14    14     0     8    0
kqueuepl   224      266    0      256     1     0     1     1     0     8    0
pipepl     344      245    0      218     3     0     3     3     0     8    0
fdescpl    528      916    0      885     3     0     3     3     0     8    0
filepl     160     5953    0     5720    22     8    14    17     0     8    3
lockfpl    104      333    0      330     2     1     1     2     0     8    0
lockfspl    48      136    0      133     1     0     1     1     0     8    0
sessionpl  144       26    0       17     1     0     1     1     0     8    0
pgrppl      48       39    0       21     1     0     1     1     0     8    0
ucredpl    104     1035    0     1022     1     0     1     1     0     8    0
zombiepl   144      954    0      951     1     0     1     1     0     8    0
processpl  1232     935    0      886     5     1     4     5     0     8    0
procpl     664     1806    0     1751     7     1     6     7     0     8    0
sosppl     168        6    0        6     2     1     1     1     0     8    1
sockpl     752     1069    0     1031    14     7     7    11     0     8    2
mcl64k     65536      5    0        0     1     0     1     1     0     8    0
mcl16k     16384      1    0        0     1     0     1     1     0     8    0
mcl8k      8192       3    0        0     1     0     1     1     0     8    0
mcl4k      4096     122    0        0    16     0    16    16     0     8    0
mcl2k      2048      32    0        0     4     0     4     4     0     8    0
mtagpl      96        4    0        0     1     0     1     1     0     8    0
mbufpl     256      274    0        0    18     0    18    18     0     8    0
bufpl      280     8984    0     2841   439     0   439   439     0     8    0
anonpl      32    12544    0        0   103     1   102   102     0   246    0
amapchunkpl 152   30678    0    30036    59    18    41    41     0   158    7
amappl16   200     3069    0     2999    38    20    18    27     0     8    7
amappl15   192        3    0        3     1     1     0     1     0     8    0
amappl14   184      120    0      108     1     0     1     1     0     8    0
amappl13   176       36    0       36     1     1     0     1     0     8    0
amappl12   168     1577    0     1546     3     1     2     2     0     8    0
amappl11   160       50    0       36     1     0     1     1     0     8    0
amappl10   152        3    0        3     1     1     0     1     0     8    0
amappl9    144      260    0      260     1     1     0     1     0     8    0
amappl8    136       35    0       32     1     0     1     1     0     8    0
amappl7    128      111    0       99     1     0     1     1     0     8    0
amappl6    120      179    0      176     1     0     1     1     0     8    0
amappl5    112      125    0      115     1     0     1     1     0     8    0
amappl4    104      311    0      292     1     0     1     1     0     8    0
amappl3     96     4103    0     4012     4     1     3     3     0     8    0
amappl2     88     1165    0     1088     2     0     2     2     0     8    0
amappl1     80    11003    0    10411    16     2    14    15     0     8    0
amappl      88     6597    0     6419     5     0     5     5     0    92    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma1024    1024       1    0        0     1     0     1     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      72       45    0        1     1     0     1     1     0     8    0
uaddrrnd    24      916    0      885     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      916    0      885     1     0     1     1     0     8    0
vmmpekpl   168     9424    0     9381     3     0     3     3     0     8    0
vmmpepl    168    63828    0    61814   117    14   103   115     0   357    3
vmsppl     488      915    0      885     6     1     5     5     0     8    0
rwobjpl     80    22671    0    18485    91     3    88    89     0     8    0
pdppl      4096    1840    0     1770   106    34    72    86     0     8    2
pvpl        32    21024    0        0   171     1   170   170     0   265    0
pmappl     256      915    0      885     3     0     3     3     0     8    0
extentpl    40       45    0       27     1     0     1     1     0     8    0
phpool     112      292    0       43     8     0     8     8     0     8    0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff833af1da) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff839b6048,1,ffff8000333e26c8) at pool_do_get+0x597 sys/kern/subr_pool.c:743
pool_get(ffffffff839b6048,1) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff8000fffe8fb0,ffff8000333e2920,172,ffff8000333e2870) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff8000fffe8fb0,ffff8000333e2920,ffff8000333e2870) at sys_shmget+0x195 sys/kern/sysv_shm.c:482
syscall(ffff8000333e2920) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff8000333e2920) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:746
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x5c15dc68560, count: -8
ddb{0}> machine ddbcpu 1
Stopped at      x86_ipi_db+0x27:        addq    $0x8,%rsp
x86_ipi_db(ffff8000299edff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff8390bd68) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:134 [inline]
__mp_lock(ffffffff8390bd68) at __mp_lock+0x192 sys/kern/kern_lock.c:165
syscall(ffff8000303dbf80) at syscall+0xaf4 mi_syscall sys/sys/syscall_mi.h:175 [inline]
syscall(ffff8000303dbf80) at syscall+0xaf4 sys/arch/amd64/amd64/trap.c:746
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x788a439b2a40, count: 9
ddb{1}> trace
x86_ipi_db(ffff8000299edff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff8390bd68) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:134 [inline]
__mp_lock(ffffffff8390bd68) at __mp_lock+0x192 sys/kern/kern_lock.c:165
syscall(ffff8000303dbf80) at syscall+0xaf4 mi_syscall sys/sys/syscall_mi.h:175 [inline]
syscall(ffff8000303dbf80) at syscall+0xaf4 sys/arch/amd64/amd64/trap.c:746
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x788a439b2a40, count: -6

Crashes (399):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/09/11 04:47 openbsd 56696e8786be fdeaa69b .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/09/11 00:45 openbsd 56696e8786be fdeaa69b .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/09/10 23:32 openbsd 56696e8786be fdeaa69b .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/09/10 16:02 openbsd 98139c2399bf fdeaa69b .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/09/08 11:15 openbsd 1c9950446e51 d291dd2d .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main pool: free list modified: shmpl
2025/09/08 09:22 openbsd 1c9950446e51 d291dd2d .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/09/07 04:07 openbsd 5cacd2556075 d291dd2d .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/09/05 21:33 openbsd d33addc4bead d291dd2d .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/09/04 07:57 openbsd 052924c3ba50 d291dd2d .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/09/04 06:36 openbsd 052924c3ba50 d291dd2d .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/09/04 04:04 openbsd 052924c3ba50 d291dd2d .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/09/01 10:37 openbsd c92b9bbde912 807a3b61 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/31 20:13 openbsd d417098b3164 807a3b61 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main pool: free list modified: shmpl
2025/08/31 12:38 openbsd 928606ccd927 807a3b61 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/31 08:40 openbsd 956d2a6101a0 807a3b61 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main pool: free list modified: shmpl
2025/08/31 00:07 openbsd 956d2a6101a0 807a3b61 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/28 14:58 openbsd 0f23fd2bd678 bee60a83 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/28 13:37 openbsd 0f23fd2bd678 bee60a83 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/28 07:35 openbsd 0f23fd2bd678 e12e5ba4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/26 22:40 openbsd d9624900b8bd e12e5ba4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/24 07:26 openbsd 9279bdd4d788 bf27483f .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/08/24 03:24 openbsd e872a63396e1 bf27483f .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/23 21:57 openbsd e872a63396e1 bf27483f .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/22 22:40 openbsd e2756ba35432 bf27483f .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/22 12:17 openbsd 3468367b8f8a bf27483f .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/22 10:39 openbsd 3468367b8f8a bf27483f .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/21 17:11 openbsd 418e3d9a7b00 3e79b825 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/21 10:49 openbsd 70b219c460a6 0b9605c8 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/21 08:31 openbsd 70b219c460a6 0b9605c8 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/08/20 17:08 openbsd 8dd4d68c0f49 0b9605c8 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/08/20 08:31 openbsd 58b1a4a98d17 79512909 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/20 01:42 openbsd 58b1a4a98d17 79512909 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/19 21:39 openbsd 5f352b01c2c4 254a27c1 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/17 05:53 openbsd fd78d8b282be 1804e95e .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main pool: free list modified: shmpl
2025/08/15 05:39 openbsd bc42849e5050 1804e95e .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/15 00:44 openbsd bc42849e5050 1804e95e .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/08/13 09:09 openbsd 304c6f61d3c6 22ec1469 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/08/13 01:14 openbsd ca8bfee27b33 22ec1469 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/08/12 19:52 openbsd ca8bfee27b33 22ec1469 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/11 04:25 openbsd 9abff0b24f7a 32a0e5ed .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/10 00:41 openbsd 2a233d233692 32a0e5ed .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/09 18:52 openbsd 6d30732ef287 32a0e5ed .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/08/09 07:02 openbsd 86b9fcdd2575 32a0e5ed .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/08/07 16:29 openbsd efaa42f7482b 04cffc22 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/07 07:37 openbsd 01075e58a8ba 3cda49cf .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/07 00:47 openbsd 21888800dc4e 3cda49cf .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/06 14:11 openbsd 21888800dc4e 3cda49cf .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2025/08/05 01:37 openbsd ba714b803396 3cda49cf .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/04 22:42 openbsd ba714b803396 3cda49cf .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/04 14:28 openbsd 42a7be81bef7 3cda49cf .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2025/08/03 17:17 openbsd bf6d80a8c313 3cda49cf .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main pool: free list modified: shmpl
2025/02/04 10:39 openbsd 1eab3ea7ad62 8f267cef .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
* Struck through repros no longer work on HEAD.