syzbot

 sign-in | mailing list | source | docs
🐞 Open [176]
🐞 Fixed [301]
🐞 Invalid [1021]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

pool: free list modified: shmpl (6)

Status: upstream: reported on 2025/02/04 10:40
Reported-by: syzbot+640f5b53834a8559e680@syzkaller.appspotmail.com
First crash: 441d, last: 6h06m
Similar bugs (5)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
openbsd pool: free list modified: shmpl (3) -1 1 2148d 2148d 0/3 auto-closed as invalid on 2020/09/01 15:24
openbsd pool: free list modified: shmpl -1 C 22 2512d 2607d 3/3 fixed on 2019/10/29 17:45
openbsd pool: free list modified: shmpl (5) -1 43 519d 612d 0/3 auto-obsoleted due to no activity on 2025/01/07 01:02
openbsd pool: free list modified: shmpl (2) -1 1 2329d 2329d 0/3 auto-closed as invalid on 2020/03/04 23:09
openbsd pool: free list modified: shmpl (4) -1 1 890d 890d 0/3 auto-obsoleted due to no activity on 2024/02/11 22:36

Sample crash report:
panic: pool_do_get: shmpl free list modified: page 0xfffffd806a265000; item addr 0xfffffd806a265a80; offset 0x40=0x69e7b500
Stopped at      db_enter+0x25:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*245651  71368  32767        0x10  0x4000000    1K syz-executor
  44460  22165  32767        0x10          0    0  syz-executor
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff83443873) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff83a460c0,1,ffff80003c44eea8) at pool_do_get+0x5df
pool_get(ffffffff83a460c0,1) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff80003c3f3250,ffff80003c44f100,41,ffff80003c44f050) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff80003c3f3250,ffff80003c44f100,ffff80003c44f050) at sys_shmget+0x195 sys/kern/sysv_shm.c:484
syscall(ffff80003c44f100) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c44f100) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x43186b70e80, count: 7
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{1}> 
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu1: pool_do_get: shmpl free list modified: page 0xfffffd806a265000; item addr 0xfffffd806a265a80; offset 0x40=0x69e7b500
ddb{1}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff83443873) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff83a460c0,1,ffff80003c44eea8) at pool_do_get+0x5df
pool_get(ffffffff83a460c0,1) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff80003c3f3250,ffff80003c44f100,41,ffff80003c44f050) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff80003c3f3250,ffff80003c44f100,ffff80003c44f050) at sys_shmget+0x195 sys/kern/sysv_shm.c:484
syscall(ffff80003c44f100) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c44f100) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x43186b70e80, count: -8
ddb{1}> show registers
rdi                                0
rsi                              0x1
rbp               0xffff80003c44ecd0
rbx               0xffff8000299bee07
rdx               0xffff8000015d72c0
rcx               0xffff80003c3f3250
rax               0xffff8000299bdff0
r8                 0x101010101010101
r9                0x8080808080808080
r10               0x7f5e782f7b1bdba1
r11               0x84b7ad6c4980e236
r12               0xffff8000299bec08
r13                                0
r14                                0
r15                              0x1
rip               0xffffffff82ead295    db_enter+0x25
cs                               0x8
rflags                         0x246
rsp               0xffff80003c44ecc0
ss                              0x10
db_enter+0x25:  addq    $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor) tid=245651 pid=71368 tcnt=2 stat=onproc
    flags process=10<SUGID> proc=4000000<THREAD>
    runpri=32, usrpri=86, slppri=32, nice=20
    wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
    forw=0xffffffffffffffff, list=0xffff80003c3f27f0,0xffff80003c3f2568
    process=0xffff80003c3f5360 user=0xffff80003c44a000, vmspace=0xfffffd806c7ecba0
    estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0
ddb{1}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
  7173  201059  41777  32767  2        0x10                syz-executor
 71368  252568  30956  32767  2        0x10                syz-executor
*71368  245651  30956  32767  7   0x4000010                syz-executor
 30951   35908  75060  32767  2        0x10                syz-executor
 22165   44460   1141  32767  7        0x10                syz-executor
 22165  434752   1141  32767  3   0x4000090  nanoslp       syz-executor
 86083   40289  72348  32767  2        0x10                syz-executor
 86083  286621  72348  32767  3   0x4000090  pipewr        syz-executor
 68397  241247  80435  32767  2        0x10                syz-executor
 68397   62483  80435  32767  2   0x4000010                syz-executor
 93323  182629  33742      0  3    0x100082  sbwait        arp
 33742  319143  41030      0  3    0x10008a  sigsusp       sh
 75060  500605  30171  32767  3        0x90  nanoslp       syz-executor
 80435   29538  97677  32767  3        0x90  nanoslp       syz-executor
  1141  522141  24938  32767  3        0x90  nanoslp       syz-executor
 35580  310883  49782  32767  3        0x90  nanoslp       syz-executor
 30956  288255  42919  32767  3        0x90  nanoslp       syz-executor
 72348  322907  76275  32767  3        0x90  nanoslp       syz-executor
 41777  171741  27932  32767  3        0x90  nanoslp       syz-executor
 41030  169885   9996      0  3        0x80  wait          syz-executor
 24938  495229  30590      0  3        0x82  wait          syz-executor
 42919  426688  30590      0  3        0x82  wait          syz-executor
 49782  164629  30590      0  3        0x82  wait          syz-executor
 76275  132630  30590      0  3        0x82  wait          syz-executor
 27932  323556  30590      0  3        0x82  wait          syz-executor
  9996   29389  30590      0  3        0x82  wait          syz-executor
 30171  428962  30590      0  3        0x82  wait          syz-executor
 97677   54056  30590      0  3        0x82  wait          syz-executor
 30590   30164  63089      0  3        0x82  kqread        syz-executor
 63089  515770  42983      0  3    0x10008a  sigsusp       ksh
 42983   89374   6961      0  3        0x98  kqread        sshd-session
  6961  280432  33575      0  3        0x92  kqread        sshd-session
  9650  156158      1      0  3    0x100083  ttyin         getty
 33575   28600      1      0  3        0x88  kqread        sshd
 64059  347629  20509     73  3   0x1100090  kqread        syslogd
 20509  254951      1      0  3    0x100082  sbwait        syslogd
 18670  322852      1      0  3    0x100080  kqread        resolvd
 21941  114689  73779     77  3    0x100092  kqread        dhcpleased
 75237  306522  73779     77  3    0x100092  kqread        dhcpleased
 73779  129787      1      0  3        0x80  kqread        dhcpleased
  3605  513466      0      0  3     0x14200  bored         smr
 41574  269522      0      0  2     0x14200                zerothread
 68863  365494      0      0  3     0x14200  aiodoned      aiodoned
 96267   28907      0      0  3     0x14200  syncer        update
  7040  170404      0      0  3     0x14200  cleaner       cleaner
  2183  493968      0      0  3     0x14200  reaper        reaper
 50786  277564      0      0  3     0x14200  pgdaemon      pagedaemon
 15150  427530      0      0  3     0x14200  bored         viomb
   431   60649      0      0  3  0x40014200  acpi0         acpi0
 33990  456774      0      0  3  0x40014200                idle1
 90532   99734      0      0  3     0x14200  bored         softnet1
 59654  492742      0      0  3     0x14200  bored         softnet0
 89169  157334      0      0  3     0x14200  bored         systqmp
 75487  185248      0      0  3     0x14200  bored         systq
  8607     974      0      0  3     0x14200  tmoslp        softclockmp
 14323  123894      0      0  3  0x40014200  tmoslp        softclock
 92889  352794      0      0  3  0x40014200                idle0
     1  508555      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{1}> show all locks
CPU 1:
exclusive mutex shmpl r = 0 (0xffffffff83a460d8)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  mtx_enter+0x4b4 sys/kern/kern_lock.c:487
#2  pool_get+0x124 sys/kern/subr_pool.c:585
#3  shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
#4  sys_shmget+0x195 sys/kern/sysv_shm.c:484
#5  syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#5  syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
#6  Xsyscall+0x128
Process 71368 (syz-executor) thread 0xffff80003c3f3250 (245651)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff83a5eb80)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  syscall+0xaf4 mi_syscall sys/sys/syscall_mi.h:175 [inline]
#1  syscall+0xaf4 sys/arch/amd64/amd64/trap.c:783
#2  Xsyscall+0x128
exclusive mutex shmpl r = 0 (0xffffffff83a460d8)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  mtx_enter+0x4b4 sys/kern/kern_lock.c:487
#2  pool_get+0x124 sys/kern/subr_pool.c:585
#3  shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
#4  sys_shmget+0x195 sys/kern/sysv_shm.c:484
#5  syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#5  syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
#6  Xsyscall+0x128
ddb{1}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 11054  12018K   12034K 166960K     12145        0
            pcb    17     12K      12K 166960K        17        0
         rtable   223      6K       6K 166960K       333        0
             pf    31     16K      16K 166960K        31        0
         ifaddr    40      7K       7K 166960K        42        0
        ifgroup    50      2K       2K 166960K        50        0
         sysctl     1      1K       9K 166960K         5        0
       counters    70     37K      37K 166960K        70        0
       ioctlops     0      0K       2K 166960K        30        0
            iov     0      0K      16K 166960K        74        0
          mount     1      1K       1K 166960K         1        0
            log     0      0K       0K 166960K         4        0
         vnodes  1287     81K      81K 166960K      1361        0
      UFS quota     1     32K      32K 166960K         1        0
      UFS mount     5     36K      36K 166960K         5        0
            shm     2      1K       9K 166960K         9        0
         VM map     2      1K       1K 166960K         2        0
            sem     6      0K       0K 166960K         8        0
        dirhash    12      2K       2K 166960K        15        0
           ACPI  1692    195K     286K 166960K     12470        0
      file desc    27    101K     121K 166960K       251        0
          sigio     0      0K       0K 166960K         3        0
           proc    58     99K     147K 166960K       510        0
        subproc    72      4K       4K 166960K        72        0
    NFS srvsock     1      0K       0K 166960K         1        0
     NFS daemon     1     16K      16K 166960K         1        0
    ip_moptions     0      0K       0K 166960K        12        0
       in_multi    89      6K       6K 166960K        91        0
    ether_multi     1      0K       0K 166960K         1        0
            mrt     0      0K       0K 166960K         4        0
    ISOFS mount     1     32K      32K 166960K         1        0
  MSDOSFS mount     1     16K      16K 166960K         1        0
           ttys    67    307K     307K 166960K        67        0
           exec     0      0K       1K 166960K       367        0
   fusefs mount     1     32K      32K 166960K         1        0
            tdb     3      0K       0K 166960K         3        0
        VM swap     8     62K      64K 166960K        10        0
       UVM amap   238    169K     208K 166960K      4051        0
       UVM aobj     8      2K       2K 166960K        11        0
     pinsyscall    49     98K     115K 166960K      1333        0
        memdesc     1      4K       4K 166960K         1        0
    crypto data     1      1K       1K 166960K         1        0
    ip6_options     0      0K       0K 166960K         1        0
            NDP    11      0K       1K 166960K        25        0
           temp    43   9076K    9140K 166960K      4363        0
         kqueue    16     22K      28K 166960K        58        0
      SYN cache     2     16K      16K 166960K         2        0
ddb{1}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache    128       26    0        0     1     0     1     1     0     8    0
rtpcb      120       75    0       71     2     0     2     2     0     8    1
rtentry    176      104    0        1     5     0     5     5     0     8    0
unpcb      144      127    0      112     2     0     2     2     0     8    1
syncache   336        9    0        9     1     0     1     1     0     8    1
tcpcb      736       54    0       50     2     0     2     2     0     8    1
arp        136       17    0        0     1     0     1     1     0     8    0
ipq         40        3    0        0     1     0     1     1     0     8    0
ipqe        40        6    0        1     1     0     1     1     0     8    0
inpcb      328      146    0      139     2     0     2     2     0     8    1
ip6q        72        1    0        0     1     0     1     1     0     8    0
ip6af       40        1    0        0     1     0     1     1     0     8    0
nd6        152       22    0        0     1     0     1     1     0     8    0
kcovpl      48        8    0        0     1     0     1     1     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      412    0        0    26     0    26    26     0     8    0
art_table   40      413    0        0     5     0     5     5     0     8    0
art_node    32      104    0       10     1     0     1     1     0     8    0
sysvmsgpl   40        9    0        8     1     0     1     1     0     8    0
semapl     112        6    0        2     1     0     1     1     0     8    0
shmpl      112        8    0        3     1     0     1     1     0     8    0
pool(0xffffffff83a460c0:shmpl): page inconsistency: page 0xfffffd806a265000; 29 on list, 5 missing, 35 items per page
dirhash    1024      19    0        2     3     0     3     3     0     8    0
dino2pl    256     1722    0      262    92     0    92    92     0     8    0
ffsino     296     1722    0      262   113     0   113   113     0     8    0
nchpl      144     2088    0      402    63     0    63    63     0     8    0
vnodes     216     1803    0        0   101     0   101   101     0     8    0
namei      1024    6240    0     6240     2     0     2     2     0     8    2
percpumem   16       50    0        0     1     0     1     1     0     8    0
kstatmem   264       25    0        0     2     0     2     2     0     8    0
scxspl     216     7116    0     7116     6     1     5     5     1     8    5
plimitpl   152       50    0       26     2     0     2     2     0     8    1
sigapl     424      543    0      488     7     0     7     7     0     8    0
knotepl    120      316    0        0    10     0    10    10     0     8    0
kqueuepl   224       55    0       45     1     0     1     1     0     8    0
pipepl     344      131    0      103     3     0     3     3     0     8    0
fdescpl    528      527    0      488     3     0     3     3     0     8    0
filepl     160     2170    0     1957    11     0    11    11     0     8    1
lockfpl    104       40    0       37     1     0     1     1     0     8    0
lockfspl    48       13    0       10     1     0     1     1     0     8    0
sessionpl  144       28    0       12     1     0     1     1     0     8    0
pgrppl      48       36    0       12     1     0     1     1     0     8    0
ucredpl    104      216    0      198     1     0     1     1     0     8    0
zombiepl   144      489    0      488     1     0     1     1     0     8    0
processpl  1232     543    0      488     5     0     5     5     0     8    0
procpl     664      746    0      687     7     0     7     7     0     8    0
sosppl     176        1    0        1     1     0     1     1     0     8    1
sockpl     752      349    0      323     8     0     8     8     0     8    5
mcl64k     65536      1    0        0     1     0     1     1     0     8    0
mcl16k     16384      1    0        0     1     0     1     1     0     8    0
mcl8k      8192       2    0        0     1     0     1     1     0     8    0
mcl4k      4096     113    0        0    15     0    15    15     0     8    0
mcl2k      2048      31    0        0     4     0     4     4     0     8    0
mtagpl      96        2    0        0     1     0     1     1     0     8    0
mbufpl     256      239    0        0    15     0    15    15     0     8    0
bufpl      280     2357    0      102   162     0   162   162     0     8    0
anonpl      32     5529    0        0    45     0    45    45     0   246    0
amapchunkpl 152   12404    0    11900    30     0    30    30     0   158    8
amappl16   200     2071    0     2047     5     2     3     5     0     8    1
amappl15   192        7    0        7     1     1     0     1     0     8    0
amappl14   184      399    0      397     1     0     1     1     0     8    0
amappl13   176      118    0      107     1     0     1     1     0     8    0
amappl12   168      756    0      721     2     0     2     2     0     8    0
amappl11   160        4    0        4     1     1     0     1     0     8    0
amappl10   152       60    0       50     1     0     1     1     0     8    0
amappl9    144      261    0      261     1     1     0     1     0     8    0
amappl8    136       96    0       95     1     0     1     1     0     8    0
amappl7    128      138    0      126     1     0     1     1     0     8    0
amappl6    120      152    0      148     1     0     1     1     0     8    0
amappl5    112       98    0       91     1     0     1     1     0     8    0
amappl4    104      268    0      252     1     0     1     1     0     8    0
amappl3     96     2160    0     2039     5     1     4     4     0     8    0
amappl2     88      541    0      486     2     0     2     2     0     8    0
amappl1     80    11372    0    10767    19     0    19    19     0     8    1
amappl      88     3340    0     3171     5     0     5     5     0    92    0
uvmvnodes   80      105    0        0     3     0     3     3     0     8    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma1024    1024       1    0        0     1     0     1     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      72       10    0        3     1     0     1     1     0     8    0
uaddrrnd    24      527    0      488     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      527    0      488     1     0     1     1     0     8    0
vmmpekpl   168     6715    0     6683     2     0     2     2     0     8    0
vmmpepl    168    44435    0    42328   116     0   116   116     0   357   13
vmsppl     488      526    0      488     7     1     6     6     0     8    0
rwobjpl     80    16410    0    15423    28     0    28    28     0     8    3
pdppl      4096    1061    0      976   113    22    91    95     0     8    6
pvpl        32    13324    0        0   108     0   108   108     0   265    0
pmappl     256      526    0      488     4     1     3     3     0     8    0
extentpl    40       45    0       27     1     0     1     1     0     8    0
phpool     112      284    0       25     8     0     8     8     0     8    0
ddb{1}> machine ddbcpu 0
Stopped at      x86_ipi_db+0x27:        addq    $0x8,%rsp
x86_ipi_db(ffffffff8388cff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff83a5e380) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline]
__mp_lock(ffffffff83a5e380) at __mp_lock+0x192 sys/kern/kern_lock.c:173
softintr_dispatch(0) at softintr_dispatch+0x125 sys/kern/kern_softintr.c:83
dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862
Xsoftclock() at Xsoftclock+0x27
__mp_lock(ffffffff83a5e380) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline]
__mp_lock(ffffffff83a5e380) at __mp_lock+0x192 sys/kern/kern_lock.c:173
syscall(ffff80003c433d30) at syscall+0xaf4 mi_syscall sys/sys/syscall_mi.h:175 [inline]
syscall(ffff80003c433d30) at syscall+0xaf4 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x718abbb99520, count: 5
ddb{0}> trace
x86_ipi_db(ffffffff8388cff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff83a5e380) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline]
__mp_lock(ffffffff83a5e380) at __mp_lock+0x192 sys/kern/kern_lock.c:173
softintr_dispatch(0) at softintr_dispatch+0x125 sys/kern/kern_softintr.c:83
dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862
Xsoftclock() at Xsoftclock+0x27
__mp_lock(ffffffff83a5e380) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline]
__mp_lock(ffffffff83a5e380) at __mp_lock+0x192 sys/kern/kern_lock.c:173
syscall(ffff80003c433d30) at syscall+0xaf4 mi_syscall sys/sys/syscall_mi.h:175 [inline]
syscall(ffff80003c433d30) at syscall+0xaf4 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x718abbb99520, count: -10
ddb{0}> machine ddbcpu 1
Stopped at      db_enter+0x25:  addq    $0x8,%rsp
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff83443873) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff83a460c0,1,ffff80003c44eea8) at pool_do_get+0x5df
pool_get(ffffffff83a460c0,1) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff80003c3f3250,ffff80003c44f100,41,ffff80003c44f050) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff80003c3f3250,ffff80003c44f100,ffff80003c44f050) at sys_shmget+0x195 sys/kern/sysv_shm.c:484
syscall(ffff80003c44f100) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c44f100) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x43186b70e80, count: 7
ddb{1}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff83443873) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff83a460c0,1,ffff80003c44eea8) at pool_do_get+0x5df
pool_get(ffffffff83a460c0,1) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff80003c3f3250,ffff80003c44f100,41,ffff80003c44f050) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff80003c3f3250,ffff80003c44f100,ffff80003c44f050) at sys_shmget+0x195 sys/kern/sysv_shm.c:484
syscall(ffff80003c44f100) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c44f100) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x43186b70e80, count: -8

Crashes (844):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/04/21 17:34 openbsd 4470fcda88d1 9765efe0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/21 14:27 openbsd 4470fcda88d1 9765efe0 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/20 08:24 openbsd be10f67bca99 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/19 04:59 openbsd a6d33878ee16 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/19 01:46 openbsd a6d33878ee16 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/18 18:38 openbsd a9044055e1bf 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/18 17:08 openbsd a9044055e1bf 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/18 09:14 openbsd a9044055e1bf 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/18 00:40 openbsd e5e15d037d1c 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/17 21:35 openbsd e5e15d037d1c 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/17 07:58 openbsd 2dd8b2a80c95 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/17 02:16 openbsd f79dbf8c692a 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/17 00:49 openbsd f79dbf8c692a 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/16 21:18 openbsd f79dbf8c692a 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/16 18:49 openbsd f79dbf8c692a 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/16 09:51 openbsd 2a36b3c3c2a3 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/16 04:08 openbsd 2a36b3c3c2a3 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/15 21:52 openbsd 8928aa246822 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/15 15:30 openbsd 8928aa246822 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/15 04:00 openbsd 35f31cb19b6a 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/14 22:31 openbsd 84c70f1e56c7 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/14 19:37 openbsd 84c70f1e56c7 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/14 10:08 openbsd bb890fd2477a 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/14 08:32 openbsd bb890fd2477a 1a086e7c .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/13 19:11 openbsd ef90b149a753 9530ccf9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/13 17:06 openbsd ef90b149a753 9530ccf9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/13 07:09 openbsd 4ec71eeccea4 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/12 23:09 openbsd 4ec71eeccea4 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/12 10:42 openbsd 6018ae1d0153 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/12 07:00 openbsd de62a587e27d 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/12 01:54 openbsd de62a587e27d 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/11 12:06 openbsd 9bac450dd51b 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/11 02:26 openbsd 411a0c209e89 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/10 09:24 openbsd 7bdd0d20c161 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/10 05:09 openbsd 7bdd0d20c161 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/09 11:56 openbsd b0cdb9e75fee 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/09 09:44 openbsd b0cdb9e75fee 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/09 02:47 openbsd b0cdb9e75fee 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/08 13:42 openbsd 15cb22fda4ec 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/07 23:15 openbsd 008d3704691e 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/07 21:22 openbsd c0c2c6a525e1 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/07 13:37 openbsd c0c2c6a525e1 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2026/04/07 10:04 openbsd c0c2c6a525e1 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
2026/04/05 23:21 openbsd bc22b0de1984 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/05 09:14 openbsd c9c58e023502 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/04/03 13:26 openbsd de6be2070bf6 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-setuid pool: free list modified: shmpl
2026/03/30 15:25 openbsd d3e6ebe0e992 4b3d9a38 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main pool: free list modified: shmpl
2025/02/04 10:39 openbsd 1eab3ea7ad62 8f267cef .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore pool: free list modified: shmpl
* Struck through repros no longer work on HEAD.