syzbot

pool: free list modified: shmpl (3)

Status: auto-closed as invalid on 2020/09/01 15:24
Reported-by: syzbot+63b1acbdd26665607a91@syzkaller.appspotmail.com
First crash: 1632d, last: 1632d
Similar bugs (4)
Kernel   Title                                Repro  Cause bisect  Fix bisect  Count  Last   Reported  Patched  Status
openbsd  pool: free list modified: shmpl      C      -             -           22     1996d  2091d     3/3      fixed on 2019/10/29 17:45
openbsd  pool: free list modified: shmpl (5)  -      -             -           43     3d22h  96d       0/3      upstream: reported on 2024/08/17 21:40
openbsd  pool: free list modified: shmpl (2)  -      -             -           1      1813d  1813d     0/3      auto-closed as invalid on 2020/03/04 23:09
openbsd  pool: free list modified: shmpl (4)  -      -             -           1      374d   374d      0/3      auto-obsoleted due to no activity on 2024/02/11 22:36

Sample crash report:
panic: pool_do_get: shmpl free list modified: page 0xfffffd806b730000; item addr 0xfffffd806b7308c8; offset 0x0=0x0 != 0x52a30546b4c25f69
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*516014  91683      0           0  0x4000000    0  syz-executor.0
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff8225218e) at panic+0x15c sys/kern/subr_prf.c:207
pool_do_get(ffffffff8257ffe0,1,ffff80001dc10778) at pool_do_get+0x42a sys/kern/subr_pool.c:738
pool_get(ffffffff8257ffe0,1) at pool_get+0xb5 sys/kern/subr_pool.c:581
shmget_allocate_segment(ffff80001d72a5f8,ffff80001dc10908,0,ffff80001dc10950) at shmget_allocate_segment+0x15e sys/kern/sysv_shm.c:416
sys_shmget(ffff80001d72a5f8,ffff80001dc10908,ffff80001dc10950) at sys_shmget+0x13f sys/kern/sysv_shm.c:479
syscall(ffff80001dc109d0) at syscall+0x507 sys/arch/amd64/amd64/trap.c:570
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7bf6f52640, count: 7
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb> 
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
pool_do_get: shmpl free list modified: page 0xfffffd806b730000; item addr 0xfffffd806b7308c8; offset 0x0=0x0 != 0x52a30546b4c25f69
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff8225218e) at panic+0x15c sys/kern/subr_prf.c:207
pool_do_get(ffffffff8257ffe0,1,ffff80001dc10778) at pool_do_get+0x42a sys/kern/subr_pool.c:738
pool_get(ffffffff8257ffe0,1) at pool_get+0xb5 sys/kern/subr_pool.c:581
shmget_allocate_segment(ffff80001d72a5f8,ffff80001dc10908,0,ffff80001dc10950) at shmget_allocate_segment+0x15e sys/kern/sysv_shm.c:416
sys_shmget(ffff80001d72a5f8,ffff80001dc10908,ffff80001dc10950) at sys_shmget+0x13f sys/kern/sysv_shm.c:479
syscall(ffff80001dc109d0) at syscall+0x507 sys/arch/amd64/amd64/trap.c:570
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7bf6f52640, count: -8
ddb> show registers
rdi                                0
rsi                              0x1
rbp               0xffff80001dc105e0
rbx               0xffff80001dc10690
rdx                              0x2
rcx                                0
rax                              0x1
r8                0xffffffff819e74bf    kprintf+0x15f
r9                               0x1
r10                              0x2
r11               0xc91c0cf997915c64
r12                     0x3000000008
r13               0xffff80001dc105f0
r14                            0x100
r15                              0x1
rip               0xffffffff811c20f8    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff80001dc105d0
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb> show proc
PROC (syz-executor.0) pid=516014 stat=onproc
    flags process=0 proc=4000000<THREAD>
    pri=32, usrpri=81, nice=20
    forw=0xffffffffffffffff, list=0xffff80001d729ea8,0xffffffff8257c440
    process=0xffff8000ffffae70 user=0xffff80001dc0b000, vmspace=0xfffffd8068f36aa0
    estcpu=36, cpticks=1, pctcpu=0.0
    user=0, sys=1, intr=0
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 91683  149182  34507      0  2           0                syz-executor.0
*91683  516014  34507      0  7   0x4000000                syz-executor.0
 45691  238760  77938      0  2           0                syz-executor.1
 45691   39412  77938      0  3   0x4000080  fsleep        syz-executor.1
 34507  378688  72518      0  3        0x82  nanosleep     syz-executor.0
  7110  285943      1      0  3    0x100083  ttyin         getty
 66030  195642      0      0  3     0x14200  bored         sosplice
 77938  396790  72518      0  2       0x482                syz-executor.1
 72518  227048  88989      0  3        0x82  thrsleep      syz-fuzzer
 72518  260268  88989      0  3   0x4000082  thrsleep      syz-fuzzer
 72518  399227  88989      0  3   0x4000082  kqread        syz-fuzzer
 72518  368330  88989      0  3   0x4000082  thrsleep      syz-fuzzer
 72518  137686  88989      0  3   0x4000082  thrsleep      syz-fuzzer
 72518  498967  88989      0  3   0x4000082  thrsleep      syz-fuzzer
 72518  409826  88989      0  3   0x4000082  thrsleep      syz-fuzzer
 72518  402137  88989      0  3   0x4000082  thrsleep      syz-fuzzer
 88989   18702    534      0  3    0x10008a  pause         ksh
   534   91862  92272      0  3        0x92  select        sshd
 92272  395398      1      0  3        0x80  select        sshd
 79797  512693  85086     73  3    0x100090  kqread        syslogd
 85086  193527      1      0  3    0x100082  netio         syslogd
 67383  131491      1     77  3    0x100090  poll          dhclient
 31835  183357      1      0  3        0x80  poll          dhclient
 23946  260152      0      0  3     0x14200  bored         smr
 66463   52647      0      0  2     0x14200                zerothread
 58066  520756      0      0  3     0x14200  aiodoned      aiodoned
 94625  440757      0      0  3     0x14200  syncer        update
 47083   28328      0      0  3     0x14200  cleaner       cleaner
 64031  119299      0      0  3     0x14200  reaper        reaper
 34693  478106      0      0  3     0x14200  pgdaemon      pagedaemon
 71435  398492      0      0  3     0x14200  bored         crynlk
 11051  486978      0      0  3     0x14200  bored         crypto
 76111   89830      0      0  3  0x40014200  acpi0         acpi0
 72511  386776      0      0  3     0x14200  bored         softnet
 71393  288681      0      0  3     0x14200  bored         systqmp
 59865  146800      0      0  3     0x14200  bored         systq
 23098  368141      0      0  2  0x40014200                softclock
 85120  427662      0      0  3  0x40014200                idle0
     1  281373      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb> show all locks
No such command
ddb> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf  9516   6356K    7297K  78643K     17034        0
            pcb    14      8K       8K  78643K       889        0
         rtable   130     20K      23K  78643K       782        0
         ifaddr    93     19K      20K  78643K       296        0
         sysctl     2      0K       0K  78643K         2        0
       counters    21     16K      17K  78643K        43        0
       ioctlops     0      0K       4K  78643K       427        0
            iov     0      0K      16K  78643K       165        0
          mount     1      1K       1K  78643K         1        0
         vnodes  1217     77K      77K  78643K      3167        0
      UFS quota     1     32K      32K  78643K         1        0
      UFS mount     5     36K      36K  78643K         5        0
            shm     2      1K       5K  78643K        14        0
         VM map     2      0K       0K  78643K         2        0
            sem    12      0K       0K  78643K       376        0
        dirhash    12      2K       2K  78643K        12        0
           ACPI  1809    195K     288K  78643K     12938        0
      file desc     6     17K      25K  78643K      2066        0
          sigio     0      0K       0K  78643K        10        0
           proc    51     38K      63K  78643K       587        0
        subproc    32      2K       2K  78643K        68        0
    NFS srvsock     1      0K       0K  78643K         1        0
     NFS daemon     1     16K      16K  78643K         1        0
    ip_moptions     0      0K       0K  78643K       778        0
       in_multi    88      4K       4K  78643K       230        0
    ether_multi     1      0K       0K  78643K        38        0
            mrt     0      0K       0K  78643K         6        0
    ISOFS mount     1     32K      32K  78643K         1        0
  MSDOSFS mount     1     16K      16K  78643K         1        0
           ttys    73    334K     334K  78643K        73        0
           exec     0      0K       1K  78643K       296        0
        pagedep     1      8K       8K  78643K         1        0
       inodedep     1     32K      32K  78643K         1        0
         newblk     1      0K       0K  78643K         1        0
        VM swap     7     26K      26K  78643K         7        0
       UVM amap   154     73K      89K  78643K      6655        0
       UVM aobj    64      5K       5K  78643K        75        0
        memdesc     1      4K       4K  78643K         1        0
    crypto data     1      1K       1K  78643K         1        0
    ip6_options     0      0K       0K  78643K       167        0
            NDP    13      0K       0K  78643K        49        0
           temp   132   3039K    3103K  78643K     34034        0
         kqueue     3      4K      12K  78643K        48        0
      SYN cache     2     16K      16K  78643K         2        0
ddb> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp         64       11    0        7     1     0     1     1     0     8    0
rtpcb       80       73    0       71     1     0     1     1     0     8    0
rtentry    112       96    0       62     2     0     2     2     0     8    0
unpcb      120     1079    0     1071     1     0     1     1     0     8    0
syncache   264       16    0       16     7     7     0     1     0     8    0
tcpqe       32      170    0      170     2     2     0     1     0     8    0
tcpcb      544      550    0      545     3     2     1     2     0     8    0
ipq         40        5    0        5     2     2     0     1     0     8    0
ipqe        40       53    0       53     2     2     0     1     0     8    0
inpcb      280     2703    0     2695    12    10     2     2     0     8    1
rttmr       72        1    0        1     1     1     0     1     0     8    0
ip6q        72        1    0        1     1     1     0     1     0     8    0
ip6af       40        2    0        2     1     1     0     1     0     8    0
nd6         48       19    0       12     1     0     1     1     0     8    0
pkpcb       40        4    0        4     2     2     0     1     0     8    0
swfcl       56        2    0        0     1     0     1     1     0     8    0
ppxss      1128       4    0        4     3     3     0     1     0     8    0
pfstscr     40        6    0        5     2     1     1     1     0     8    0
pfosfp      40        1    0        0     1     0     1     1     0     8    0
pfosfpen   112        1    0        0     1     0     1     1     0     8    0
pfrktable  1344     138    0      120     4     2     2     2     0     8    0
pftag       88       49    0       44     1     0     1     1     0     8    0
pfqueue    264        2    0        0     1     0     1     1     0     8    0
pfstitem    24        9    0        7     2     1     1     1     0     8    0
pfstkey    112       11    0        9     2     1     1     1     0     8    0
pfstate    328        6    0        5     2     1     1     1     0     8    0
pfrule     1360      60    0       45     4     2     2     2     0     8    0
art_heap8  4096       2    0        0     2     0     2     2     0     8    0
art_heap4  256      483    0      298    16     4    12    13     0     8    0
art_table   32      485    0      298     2     0     2     2     0     8    0
art_node    16       95    0       67     1     0     1     1     0     8    0
sysvmsgpl   40       41    0       35     2     1     1     1     0     8    0
semapl     112      374    0      364     1     0     1     1     0     8    0
shmpl      112       73    0       12     2     0     2     2     0     8    0
shmpl: pool(0xffffffff8257ffe0:shmpl): free list modified: page 0xfffffd806b730000; item ordinal 0; addr 0xfffffd806b7308c8 (p 0xfffffd806b730000); offset 0x0=0x0
shmpl: pool(0xffffffff8257ffe0:shmpl): page inconsistency: page 0xfffffd806b730000; item ordinal 1; addr 0x8e9bb14b4ce03e0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino2pl    256     4401    0     3014    88     0    88    88     0     8    0
ffsino     240     4401    0     3014    83     0    83    83     0     8    0
nchpl      144     7161    0     5570    60     0    60    60     0     8    0
uvmvnodes   72     5926    0        0   108     0   108   108     0     8    0
vnodes     208     5926    0        0   312     0   312   312     0     8    0
namei      1024   21256    0    21256     3     2     1     1     0     8    1
vcpupl     1984       6    0        0     1     0     1     1     0     8    0
vmpool     528       14    0        8     2     1     1     1     0     8    0
pfiaddrpl  120       50    0       34     1     0     1     1     0     8    0
scsiplug    64        1    0        1     1     1     0     1     0     8    0
scxspl     192    20537    0    20537     3     2     1     1     0     8    1
plimitpl   152      112    0      105     1     0     1     1     0     8    0
sigapl     424     2251    0     2221     4     0     4     4     0     8    0
futexpl     56    37642    0    37641     2     1     1     1     0     8    0
knotepl    112      134    0      115     1     0     1     1     0     8    0
kqueuepl   144      417    0      413     1     0     1     1     0     8    0
pipelkpl    16      247    0      237     1     0     1     1     0     8    0
pipepl     120      494    0      475     1     0     1     1     0     8    0
fdescpl    432     2234    0     2219     2     0     2     2     0     8    0
filepl     120    13742    0    13644     6     2     4     4     0     8    1
lockfpl    104     2264    0     2263     1     0     1     1     0     8    0
lockfspl    48      647    0      646     1     0     1     1     0     8    0
sessionpl  112       21    0       11     1     0     1     1     0     8    0
pgrppl      48       33    0       23     1     0     1     1     0     8    0
ucredpl     96      962    0      955     1     0     1     1     0     8    0
zombiepl   144     2967    0     2967     3     2     1     1     0     8    1
processpl  920     2251    0     2221     4     0     4     4     0     8    0
procpl     624     5744    0     5705     5     1     4     4     0     8    1
sosppl     128        8    0        8     3     2     1     1     0     8    1
sockpl     400     3869    0     3851    13    10     3     5     0     8    1
mcl64k     65536    585    0      585    73    72     1    65     0     8    1
mcl16k     16384      7    0        7     3     3     0     1     0     8    0
mcl12k     12288     45    0       45    12    11     1     1     0     8    1
mcl9k      9216      21    0       21     9     9     0     1     0     8    0
mcl8k      8192      33    0       33    10     9     1     1     0     8    1
mcl4k      4096     161    0      161    15    14     1     1     0     8    1
mcl2k2     2112      14    0       14     9     9     0     1     0     8    0
mcl2k      2048   71570    0    71515    21    13     8    15     0     8    0
mtagpl      80      669    0      417    11     5     6     6     0     8    0
mbufpl     256   127592    0   127012    90    52    38    39     0     8    0
bufpl      280     7002    0     1642   383     0   383   383     0     8    0
anonpl      16   248043    0   231371   138    70    68    84     0   107    0
amapchunkpl 152   11874    0    11697    33    25     8    21     0   158    0
amappl16   192    12678    0    11778   111    65    46    58     0     8    1
amappl15   184        9    0        7     1     0     1     1     0     8    0
amappl14   176      976    0      967     1     0     1     1     0     8    0
amappl13   168      215    0      212     1     0     1     1     0     8    0
amappl12   160      953    0      951     2     1     1     1     0     8    0
amappl11   152       49    0       39     1     0     1     1     0     8    0
amappl10   144      259    0      253     1     0     1     1     0     8    0
amappl9    136     1027    0     1024     1     0     1     1     0     8    0
amappl8    128     1061    0     1004     2     0     2     2     0     8    0
amappl7    120      359    0      343     1     0     1     1     0     8    0
amappl6    112       22    0       19     1     0     1     1     0     8    0
amappl5    104     1208    0     1196     1     0     1     1     0     8    0
amappl4     96     1592    0     1560     1     0     1     1     0     8    0
amappl3     88     1116    0     1107     1     0     1     1     0     8    0
amappl2     80    16906    0    16832     2     0     2     2     0     8    0
amappl1     72    49150    0    48723    23    14     9    17     0     8    0
amappl      80     6030    0     5984     2     0     2     2     0    84    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      64       74    0       11     2     0     2     2     0     8    0
uaddrrnd    24     2248    0     2227     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24     2248    0     2227     1     0     1     1     0     8    0
vmmpekpl   168    16347    0    16317     2     0     2     2     0     8    0
vmmpepl    168   270192    0   268061   196   101    95   123     0   357    1
vmsppl     272     2247    0     2227     4     2     2     2     0     8    0
pdppl      4096    4502    0     4460     7     1     6     6     0     8    0
pvpl        32   616083    0   597168   285   128   157   191     0   265    0
pmappl     200     2247    0     2227     2     0     2     2     0     8    0
extentpl    40       53    0       36     1     0     1     1     0     8    0
phpool     112      445    0      189    10     1     9    10     0     8    0
ddb> machine ddbcpu 0
No such command
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff8225218e) at panic+0x15c sys/kern/subr_prf.c:207
pool_do_get(ffffffff8257ffe0,1,ffff80001dc10778) at pool_do_get+0x42a sys/kern/subr_pool.c:738
pool_get(ffffffff8257ffe0,1) at pool_get+0xb5 sys/kern/subr_pool.c:581
shmget_allocate_segment(ffff80001d72a5f8,ffff80001dc10908,0,ffff80001dc10950) at shmget_allocate_segment+0x15e sys/kern/sysv_shm.c:416
sys_shmget(ffff80001d72a5f8,ffff80001dc10908,ffff80001dc10950) at sys_shmget+0x13f sys/kern/sysv_shm.c:479
syscall(ffff80001dc109d0) at syscall+0x507 sys/arch/amd64/amd64/trap.c:570
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7bf6f52640, count: -8
ddb> machine ddbcpu 1
No such command
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff8225218e) at panic+0x15c sys/kern/subr_prf.c:207
pool_do_get(ffffffff8257ffe0,1,ffff80001dc10778) at pool_do_get+0x42a sys/kern/subr_pool.c:738
pool_get(ffffffff8257ffe0,1) at pool_get+0xb5 sys/kern/subr_pool.c:581
shmget_allocate_segment(ffff80001d72a5f8,ffff80001dc10908,0,ffff80001dc10950) at shmget_allocate_segment+0x15e sys/kern/sysv_shm.c:416
sys_shmget(ffff80001d72a5f8,ffff80001dc10908,ffff80001dc10950) at sys_shmget+0x13f sys/kern/sysv_shm.c:479
syscall(ffff80001dc109d0) at syscall+0x507 sys/arch/amd64/amd64/trap.c:570
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7bf6f52640, count: -8
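
What the panic above is checking, as an added example that is not OpenBSD's code: in sys/kern/subr_pool.c every free item on a pool page starts with a magic word (the item's own address XORed with a per-page random value), followed by the XOR-encoded link to the next free item, and pool_do_get() panics when the word at offset 0 of the item it is about to hand out no longer matches. "offset 0x0=0x0 != 0x52a30546b4c25f69" therefore says the first word of a free shmpl item (a SysV shared memory segment descriptor, allocated from shmget_allocate_segment()) was overwritten with zero after it had been freed, and the two shmpl lines under "show all pools" say the same page's free list then led to an address outside the page at ordinal 1. The C model below reproduces both diagnostics on a constructed page. The structure and function names, the magic and cookie constants, the 4 KiB page and the zero-write scenario are the model's own assumptions; the kernel's XSIMPLEQ, locking and item poisoning are left out, and nothing here establishes what wrote into the freed item in the real crash.

```c
/* Added example, not OpenBSD code: a userland model of the pool free-list
 * check behind "pool_do_get: shmpl free list modified". Structure names,
 * constants and the corruption scenario are the model's own. */
#include <stdint.h>
#include <string.h>

#define ITEM_SIZE 112                    /* shmpl item size per "show all pools" */
#define PG_SIZE   4096                   /* assumed pool page size */
#define NITEMS    (PG_SIZE / ITEM_SIZE)  /* 36 items per page */

struct pool_item {                       /* overlays offset 0 of a FREE item */
	uintptr_t pi_magic;              /* expected: (uintptr_t)item ^ ph_magic */
	uintptr_t pi_next_x;             /* next free item, XORed with ph_cookie */
};
struct pool_page {
	uint8_t  *ph_page;               /* backing page */
	uintptr_t ph_magic;              /* per-page random value (constructed here) */
	uintptr_t ph_cookie;             /* link cookie, as in XSIMPLEQ (constructed) */
	uintptr_t ph_head_x;             /* encoded head of the free list */
};
#define POOL_IMAGIC(ph, pi) ((uintptr_t)(pi) ^ (ph)->ph_magic)
#define POOL_ENC(ph, p)     ((uintptr_t)(p) ^ (ph)->ph_cookie)
#define POOL_DEC(ph, x)     ((struct pool_item *)((x) ^ (ph)->ph_cookie))

/* One diagnostic: kind, position along the free list, the item (or bogus
 * link) at that position, and for bad magic the value found vs. expected. */
enum fault { FAULT_MAGIC, FAULT_PAGE };
struct diag { enum fault kind; int ordinal; void *addr; uintptr_t got, want; };

static int in_page(const struct pool_page *ph, const struct pool_item *pi)
{
	const uint8_t *p = (const uint8_t *)pi;
	return p >= ph->ph_page && p + sizeof(*pi) <= ph->ph_page + PG_SIZE;
}

/* Put every item of a fresh page on the free list, lowest address first. */
void pool_init_page(struct pool_page *ph, uint8_t *mem, uintptr_t magic, uintptr_t cookie)
{
	ph->ph_page = mem;
	ph->ph_magic = magic;
	ph->ph_cookie = cookie;
	ph->ph_head_x = POOL_ENC(ph, NULL);
	for (int i = NITEMS - 1; i >= 0; i--) {
		struct pool_item *pi = (struct pool_item *)(mem + i * ITEM_SIZE);
		pi->pi_magic = POOL_IMAGIC(ph, pi);
		pi->pi_next_x = ph->ph_head_x;
		ph->ph_head_x = POOL_ENC(ph, pi);
	}
}

/* pool_get side: hand out the head item, but refuse (where the kernel panics)
 * if the magic word at its offset 0 no longer matches; *d gets the panic data. */
void *pool_get_item(struct pool_page *ph, struct diag *d)
{
	struct pool_item *pi = POOL_DEC(ph, ph->ph_head_x);
	if (pi == NULL)
		return NULL;
	if (pi->pi_magic != POOL_IMAGIC(ph, pi)) {
		*d = (struct diag){ FAULT_MAGIC, 0, pi, pi->pi_magic, POOL_IMAGIC(ph, pi) };
		return NULL;
	}
	ph->ph_head_x = pi->pi_next_x;
	memset(pi, 0, sizeof(*pi));      /* the free marker must not reach the caller */
	return pi;
}

/* "show all pools" side: walk the list, report every bad magic word but keep
 * going, and stop at the first link that leaves the page. Returns the count. */
int pool_check_page(const struct pool_page *ph, struct diag *out, int max)
{
	int n = 0, ord = 0;
	for (struct pool_item *pi = POOL_DEC(ph, ph->ph_head_x);
	    pi != NULL && n < max; pi = POOL_DEC(ph, pi->pi_next_x), ord++) {
		if (!in_page(ph, pi)) {
			out[n++] = (struct diag){ FAULT_PAGE, ord, pi, 0, 0 };
			return n;
		}
		if (pi->pi_magic != POOL_IMAGIC(ph, pi))
			out[n++] = (struct diag){ FAULT_MAGIC, ord, pi,
			    pi->pi_magic, POOL_IMAGIC(ph, pi) };
	}
	return n;
}

static uintptr_t g_mem[PG_SIZE / sizeof(uintptr_t)];  /* constructed page */
struct diag g_diag[4];           /* checker output of the last scenario run */
struct diag g_get_diag;          /* what pool_get_item refused with */
int g_get_refused;

/* Constructed scenario: a pointer to the head free item survives its free,
 * and 16 zero bytes are stored through it. Returns the checker's diag count. */
int scenario_zero_write_after_free(void)
{
	struct pool_page ph;
	pool_init_page(&ph, (uint8_t *)g_mem, 0x3c6ef372fe94f82aULL, 0xc0ffee1234f0ULL);
	void *stale = ph.ph_page;        /* head free item, still referenced */
	memset(stale, 0, 16);            /* the use-after-free write */
	int n = pool_check_page(&ph, g_diag, 4);
	g_get_refused = (pool_get_item(&ph, &g_get_diag) == NULL);
	return n;
}
```

Running the scenario yields the same pair as the report: ordinal 0 is flagged with a magic word of 0 (the panic line, and the first "free list modified" line under shmpl), and because the zeroed link decodes to the bare cookie, ordinal 1 is flagged as a "page inconsistency" at an address nowhere near the page. The shmpl row above (Size 112, Requests 73, Releases 12, Npage 2) is consistent with the model's 36 items per 4 KiB page. Two things to keep in mind when reading the rest of the page: a kernel write into a freed pool item reached from an unprivileged shmget() call is a memory-safety defect regardless of whether the checker happens to catch it, and the similar-bugs table shows one shmpl free-list report fixed on 2019/10/29 and another still open as of 2024/08/17, so this auto-closed instance says nothing about whether the underlying write is gone.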

Crashes (1):
Time              Kernel   Commit        Syzkaller  Config   Log          Report  Syz repro  C repro  VM info  Assets  Manager          Title
2020/06/03 15:23  openbsd  b8f1c15c74ba  a5ce5de0   .config  console log  report  -          -        -        -       ci-openbsd-main  -
* Struck through repros no longer work on HEAD.