syzbot


uvm_fault: sys_shmat (2)

Status: upstream: reported on 2025/10/01 08:49
Reported-by: syzbot+9669e87e543ae1f05884@syzkaller.appspotmail.com
First crash: 110d, last: 2d01h
Similar bugs (1)
Kernel Title Rank Repro Cause bisect Fix bisect Count Last Reported Patched Status
openbsd uvm_fault: sys_shmat -1 1 205d 205d 0/3 auto-obsoleted due to no activity on 2025/09/26 10:39

Sample crash report:
login: uvm_fault(0xffffffff8394ac78, 0xffff80000168c000, 0, 2) -> e
kernel: page fault trap, code=2
Stopped at      sys_shmat+0xe0: movl    $0xffffffffffffffff,0(%r14)
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*250564  34325      0           0  0x4000000    0  syz-executor
sys_shmat(ffff80002a7bcfa8,ffff800038111060,ffff800038110fb0) at sys_shmat+0xe0 sys/kern/sysv_shm.c:235
syscall(ffff800038111060) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline]
syscall(ffff800038111060) at syscall+0x962 sys/arch/amd64/amd64/trap.c:775
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xb4824ee1c70, count: 12
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb> 
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
*cpu0: uvm_fault(0xffffffff8394ac78, 0xffff80000168c000, 0, 2) -> e
ddb> trace
sys_shmat(ffff80002a7bcfa8,ffff800038111060,ffff800038110fb0) at sys_shmat+0xe0 sys/kern/sysv_shm.c:235
syscall(ffff800038111060) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline]
syscall(ffff800038111060) at syscall+0x962 sys/arch/amd64/amd64/trap.c:775
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xb4824ee1c70, count: -3
ddb> show registers
rdi                                0
rsi                       0x3e92675a
rbp               0xffff800038110f90
rbx               0xffff800038111060
rdx                                0
rcx               0xffff800038110e5c
rax               0xffff80002a7bcfa8
r8                0xffffffffffffffff
r9                                 0
r10               0xed420aacdca20e11
r11               0xe70101e3feb0c19c
r12               0xffff80002a7bcfa8
r13               0xffff800001573000
r14               0xffff80000168c000
r15                          0x11900    __ALIGN_SIZE+0x10900
rip               0xffffffff81e16e40    sys_shmat+0xe0
cs                               0x8
rflags                       0x10216    __ALIGN_SIZE+0xf216
rsp               0xffff800038110f00
ss                              0x10
sys_shmat+0xe0: movl    $0xffffffffffffffff,0(%r14)
ddb> show proc
PROC (syz-executor) tid=250564 pid=34325 tcnt=4 stat=onproc
    flags process=0 proc=4000000<THREAD>
    runpri=84, usrpri=85, slppri=32, nice=20
    wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
    forw=0xffffffffffffffff, list=0xffff80002a7bc7e0,0xffff80002a7bd780
    process=0xffff80002a785f88 user=0xffff80003810c000, vmspace=0xfffffd806c3615d0
    estcpu=35, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 27534  406037  66953      0  2           0                syz-executor
 27534   34789  66953      0  3   0x4000080  fsleep        syz-executor
 28331   16889  45387      0  2           0                syz-executor
 28331  425688  45387      0  3   0x4000080  fsleep        syz-executor
 76668  184449  80566      0  2           0                syz-executor
 76668  294498  80566      0  3   0x4000080  fsleep        syz-executor
 76668  138361  80566      0  2   0x4000000                syz-executor
 40017  344719  98646      0  2           0                syz-executor
 40017  329860  98646      0  2   0x4000000                syz-executor
 34325  327578  30887      0  2           0                syz-executor
*34325  250564  30887      0  7   0x4000000                syz-executor
 34325  281374  30887      0  3   0x4000080  fsleep        syz-executor
 34325   62447  30887      0  3   0x4000080  fsleep        syz-executor
 73834  183693  58349      0  2           0                syz-executor
 73834   95152  58349      0  3   0x4000080  fsleep        syz-executor
 25956  300406  81600      0  2           0                syz-executor
 25956  145823  81600      0  3   0x4000080  fsleep        syz-executor
 38632  275989  44941      0  2           0                syz-executor
 38632  196309  44941      0  3   0x4000080  fsleep        syz-executor
 38632  447933  44941      0  2   0x4000000                syz-executor
 17771  226246      1      0  3    0x100083  ttyin         getty
 66953  282514  68987      0  3        0x82  nanoslp       syz-executor
 83025   75368      0      0  3     0x14200  acct          acct
 80566  347712  68987      0  2         0x3                syz-executor
 98646   21250  68987      0  2         0x3                syz-executor
 81600  373945  68987      0  2         0x3                syz-executor
 58349  357174  68987      0  2         0x3                syz-executor
 44941  489330  68987      0  2         0x3                syz-executor
 30887  281408  68987      0  2         0x3                syz-executor
 45387  106059  68987      0  3        0x82  nanoslp       syz-executor
 68987  179386  56161      0  3        0x82  kqread        syz-executor
 56161  462112   9327      0  3    0x10008a  sigsusp       ksh
  9327  236936  14785      0  3        0x98  kqread        sshd-session
 14785  364450  26414      0  3        0x92  kqread        sshd-session
 26414  387906      1      0  3        0x88  kqread        sshd
 32922  411726  70316     73  3   0x1100090  kqread        syslogd
 70316   21760      1      0  3    0x100082  sbwait        syslogd
 62434   55441      1      0  3    0x100080  kqread        resolvd
 58274  450947      0      0  3     0x14200  bored         smr
  7611  187406      0      0  2     0x14200                zerothread
 68527  190096      0      0  3     0x14200  aiodoned      aiodoned
 55135  496474      0      0  3     0x14200  syncer        update
 30251   79971      0      0  3     0x14200  cleaner       cleaner
 25809  272040      0      0  3     0x14200  reaper        reaper
 39032  244736      0      0  3     0x14200  pgdaemon      pagedaemon
 27211  102690      0      0  3     0x14200  bored         viomb
 15076  384342      0      0  3  0x40014200  acpi0         acpi0
 52196  337552      0      0  3     0x14200  bored         softnet0
 52155   26725      0      0  3     0x14200  bored         systqmp
 11839  300447      0      0  3     0x14200  bored         systq
 62890  445592      0      0  3  0x40014200  tmoslp        softclock
 14429  285560      0      0  3  0x40014200                idle0
     1  120971      0      0  3        0x82  wait          init
     0       0     -1      0  3  0x10010200  scheduler     swapper
ddb> show all locks
No such command
ddb> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 11059  12122K   12590K 166960K     13111        0
            pcb    17     16K      19K 166960K       627        0
         rtable   233     10K      11K 166960K       598        0
             pf    31     13K      14K 166960K       138        0
         ifaddr    37      6K       8K 166960K       112        0
        ifgroup    51      2K       2K 166960K       196        0
         sysctl     4      1K       9K 166960K        83        0
       counters    34     17K      18K 166960K       170        0
       ioctlops     0      0K       4K 166960K       314        0
            iov     0      0K      24K 166960K       188        0
          mount     1      1K       1K 166960K         1        0
            log     0      0K       0K 166960K         4        0
         vnodes  1354     85K      87K 166960K      2390        0
      UFS quota     1     32K      32K 166960K         1        0
      UFS mount     5     36K      36K 166960K         5        0
            shm     3      5K       9K 166960K        33        0
         VM map     2      1K       1K 166960K         2        0
            sem    12      0K       1K 166960K        56        0
        dirhash    12      2K       2K 166960K        27        0
           ACPI  1692    195K     286K 166960K     12470        0
      file desc    18     65K     110K 166960K      1559        0
          sigio     0      0K       0K 166960K       159        0
           proc    54     43K     100K 166960K       714        0
        subproc    72      4K       4K 166960K        90        0
    NFS srvsock     1      0K       0K 166960K         1        0
     NFS daemon     1     16K      16K 166960K         1        0
    ip_moptions     0      0K       0K 166960K       289        0
       in_multi    78      5K       7K 166960K       166        0
    ether_multi     1      0K       0K 166960K        18        0
            mrt     1      0K       0K 166960K        17        0
    ISOFS mount     1     32K      32K 166960K         1        0
  MSDOSFS mount     1     16K      16K 166960K         1        0
           ttys   217    970K     970K 166960K       217        0
           exec     0      0K       1K 166960K       528        0
   fusefs mount     1     32K      32K 166960K         1        0
     pfkey data     0      0K       0K 166960K         3        0
            tdb     3      0K       0K 166960K         3        0
        VM swap     8     62K      64K 166960K        10        0
       UVM amap   207    119K     154K 166960K     15903        0
       UVM aobj    54      8K      10K 166960K        62        0
     pinsyscall    33     66K      94K 166960K      2687        0
        memdesc     1      4K       4K 166960K         1        0
    crypto data     1      1K       1K 166960K         1        0
    ip6_options     0      0K       0K 166960K        98        0
            NDP    12      0K       2K 166960K        80        0
           temp    81   8672K    8747K 166960K     62641        0
         kqueue     7     12K      30K 166960K       296        0
      SYN cache     2     16K      16K 166960K         2        0
ddb> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
rtpcb      120      203    0      202     3     0     3     3     0     8    2
rtentry    136      174    0       82     4     0     4     4     0     8    0
unpcb      144     1302    0     1294    11     5     6     6     0     8    5
syncache   336        4    0        4     2     1     1     1     0     8    1
tcpcb      736      628    0      624    10     3     7     7     0     8    6
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 0; addr 0xffff8000015b3ce0 (p 0xfffffd806cbd2000); offset 0x0=0xe40e5538ffffffff
pool(tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 0; addr 0xffff8000015b3ce0 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 1; addr 0xffff8000015b3a00 (p 0xfffffd806cbd2000); offset 0x0=0xe40e5538ffffffff
pool(tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 1; addr 0xffff8000015b3a00 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 2; addr 0xffff8000015b3720 (p 0xfffffd806cbd2000); offset 0x0=0xe40e5538ffffffff
pool(tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 2; addr 0xffff8000015b3720 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 3; addr 0xffff8000015b3440 (p 0xfffffd806cbd2000); offset 0x0=0xe40e5538ffffffff
pool(tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 3; addr 0xffff8000015b3440 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 4; addr 0xffff8000015b3160 (p 0xfffffd806cbd2000); offset 0x0=0xe40e5538ffffffff
pool(tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 4; addr 0xffff8000015b3160 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 5; addr 0xffff8000015b2e80 (p 0xfffffd806cbd2000); offset 0x0=0xe40e5538ffffffff
pool(tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 5; addr 0xffff8000015b2e80 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 6; addr 0xffff8000015b2020 (p 0xfffffd806cbd2000); offset 0x0=0xe40e5538ffffffff
pool(tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 6; addr 0xffff8000015b2020 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 7; addr 0xffff8000015b2300 (p 0xfffffd806cbd2000); offset 0x0=0xe40e5538ffffffff
pool(tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 7; addr 0xffff8000015b2300 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 8; addr 0xffff8000015b25e0 (p 0xfffffd806cbd2000); offset 0x0=0xe40e5538ffffffff
pool(tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 8; addr 0xffff8000015b25e0 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 9; addr 0xffff8000015b28c0 (p 0xfffffd806cbd2000); offset 0x0=0xe40e5538ffffffff
pool(tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 9; addr 0xffff8000015b28c0 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 10; addr 0xffff8000015b2ba0 (p 0xfffffd806cbd2000); offset 0x0=0xe40e5538ffffffff
pool(tcpcb): free list modified: page 0xffff8000015b2000; item ordinal 10; addr 0xffff8000015b2ba0 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
pool(tcpcb): free list modified: page 0xffff8000015b8000; item ordinal 0; addr 0xffff8000015b9ce8 (p 0xfffffd806cbd2000); offset 0x8=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): page inconsistency: page 0xffff8000015b8000; item ordinal 1; addr 0xffff800049653718
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 0; addr 0xffff8000015f0730 (p 0xfffffd806cbd2000); offset 0x0=0xc773be4effffffff
pool(tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 0; addr 0xffff8000015f0730 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 1; addr 0xffff8000015efe90 (p 0xfffffd806cbd2000); offset 0x0=0xc773be4effffffff
pool(tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 1; addr 0xffff8000015efe90 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 2; addr 0xffff8000015efbb0 (p 0xfffffd806cbd2000); offset 0x0=0xc773be4effffffff
pool(tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 2; addr 0xffff8000015efbb0 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 3; addr 0xffff8000015ef030 (p 0xfffffd806cbd2000); offset 0x0=0xc773be4effffffff
pool(tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 3; addr 0xffff8000015ef030 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 4; addr 0xffff8000015ef310 (p 0xfffffd806cbd2000); offset 0x0=0xc773be4effffffff
pool(tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 4; addr 0xffff8000015ef310 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 5; addr 0xffff8000015ef5f0 (p 0xfffffd806cbd2000); offset 0x0=0xc773be4effffffff
pool(tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 5; addr 0xffff8000015ef5f0 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 6; addr 0xffff8000015ef8d0 (p 0xfffffd806cbd2000); offset 0x0=0xc773be4effffffff
pool(tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 6; addr 0xffff8000015ef8d0 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 7; addr 0xffff8000015f0170 (p 0xfffffd806cbd2000); offset 0x0=0xc773be4effffffff
pool(tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 7; addr 0xffff8000015f0170 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 8; addr 0xffff8000015f0450 (p 0xfffffd806cbd2000); offset 0x0=0xc773be4effffffff
pool(tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 8; addr 0xffff8000015f0450 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 9; addr 0xffff8000015f0a10 (p 0xfffffd806cbd2000); offset 0x0=0xc773be4effffffff
pool(tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 9; addr 0xffff8000015f0a10 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 10; addr 0xffff8000015f0cf0 (p 0xfffffd806cbd2000); offset 0x0=0xc773be4effffffff
pool(tcpcb): free list modified: page 0xffff8000015ef000; item ordinal 10; addr 0xffff8000015f0cf0 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
pool(tcpcb): free list modified: page 0xffff8000015f5000; item ordinal 0; addr 0xffff8000015f6d08 (p 0xfffffd806cbd2000); offset 0x8=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): page inconsistency: page 0xffff8000015f5000; item ordinal 1; addr 0xffff8000f94d9d0a
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 0; addr 0xffff8000015f4d00 (p 0xfffffd806cbd2000); offset 0x0=0xac343e16ffffffff
pool(tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 0; addr 0xffff8000015f4d00 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 1; addr 0xffff8000015f4740 (p 0xfffffd806cbd2000); offset 0x0=0xac343e16ffffffff
pool(tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 1; addr 0xffff8000015f4740 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 2; addr 0xffff8000015f4460 (p 0xfffffd806cbd2000); offset 0x0=0xac343e16ffffffff
pool(tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 2; addr 0xffff8000015f4460 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 3; addr 0xffff8000015f3bc0 (p 0xfffffd806cbd2000); offset 0x0=0xac343e16ffffffff
pool(tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 3; addr 0xffff8000015f3bc0 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 4; addr 0xffff8000015f3600 (p 0xfffffd806cbd2000); offset 0x0=0xac343e16ffffffff
pool(tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 4; addr 0xffff8000015f3600 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 5; addr 0xffff8000015f3320 (p 0xfffffd806cbd2000); offset 0x0=0xac343e16ffffffff
pool(tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 5; addr 0xffff8000015f3320 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 6; addr 0xffff8000015f3040 (p 0xfffffd806cbd2000); offset 0x0=0xac343e16ffffffff
pool(tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 6; addr 0xffff8000015f3040 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 7; addr 0xffff8000015f38e0 (p 0xfffffd806cbd2000); offset 0x0=0xac343e16ffffffff
pool(tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 7; addr 0xffff8000015f38e0 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 8; addr 0xffff8000015f3ea0 (p 0xfffffd806cbd2000); offset 0x0=0xac343e16ffffffff
pool(tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 8; addr 0xffff8000015f3ea0 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 9; addr 0xffff8000015f4180 (p 0xfffffd806cbd2000); offset 0x0=0xac343e16ffffffff
pool(tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 9; addr 0xffff8000015f4180 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 10; addr 0xffff8000015f4a20 (p 0xfffffd806cbd2000); offset 0x0=0xac343e16ffffffff
pool(tcpcb): free list modified: page 0xffff8000015f3000; item ordinal 10; addr 0xffff8000015f4a20 (p 0xfffffd806cbd2000); offset 0x0=0xffffffff
pool(tcpcb): free list modified: page 0xffff8000015f1000; item ordinal 0; addr 0xffff8000015f1318 (p 0xfffffd806cbd2000); offset 0x8=0xffffffff
tcpcb: pool(0xffffffff838bfc48:tcpcb): page inconsistency: page 0xffff8000015f1000; item ordinal 1; addr 0xffff800062219e86
arp         96       27    0       10     1     0     1     1     0     8    0
ipq         40        5    0        5     1     0     1     1     0     8    1
ipqe        40        8    0        8     1     0     1     1     0     8    1
inpcb      328     1870    0     1865    23    16     7    12     0     8    6
ip6q        72       41    0       39     1     0     1     1     0     8    0
ip6af       40       76    0       74     1     0     1     1     0     8    0
nd6        112       39    0       13     1     0     1     1     0     8    0
pkpcb       40        5    0        5     2     1     1     1     0     8    1
kcovpl      48       10    0        2     1     0     1     1     0     8    0
mppekey    1024       1    0        1     1     1     0     1     0     8    0
ppxss      1072     118    0      118     3     2     1     1     0     8    1
pppxif     1384       7    0        7     2     1     1     1     0     8    1
rttmr      136        3    0        3     1     1     0     1     0     8    0
art_heap8  4096       4    0        0     4     0     4     4     0     8    0
art_heap4  256      720    0      371    32     2    30    31     0     8    8
art_table   40      724    0      371     5     0     5     5     0     8    0
art_node    32      171    0       88     1     0     1     1     0     8    0
sysvmsgpl   40        6    0        4     1     0     1     1     0     8    0
semupl     112        1    0        1     1     1     0     1     0     8    0
semapl     112       52    0       42     1     0     1     1     0     8    0
shmpl      112       53    0        5     2     0     2     2     0     8    0
dirhash    1024      27    0       10     3     0     3     3     0     8    0
dino2pl    256     4488    0     2991    95     0    95    95     0     8    0
ffsino     256     4489    0     2991    95     0    95    95     0     8    0
nchpl      144     6685    0     4991    64     0    64    64     0     8    0
rtmask      32       13    0       13     2     1     1     1     0     8    1
vnodes     216     4786    0        0   266     0   266   266     0     8    0
namei      1024   25490    0    25488     2     1     1     1     0     8    0
vcpupl     3904       4    0        1     1     0     1     1     0     8    0
vmpool     808        6    0        3     1     0     1     1     0     8    0
kstatmem   264      120    0       96     3     0     3     3     0     8    1
acpiwqpl    32        1    0        1     1     0     1     1     1     8    1
scsiplug    72        8    0        8     3     2     1     1     0     8    1
scxspl     216    21823    0    21823     9     8     1     8     1     8    1
plimitpl   152      427    0      412     1     0     1     1     0     8    0
sigapl     424     1857    0     1816     8     0     8     8     0     8    3
knotepl    120    74041    0    74010    42    32    10    17     0     8    8
kqueuepl   184      558    0      552     6     2     4     4     0     8    3
pipepl     304      352    0      325     5     2     3     5     0     8    0
fdescpl    448     1820    0     1793     5     1     4     5     0     8    0
filepl     120    14443    0    14255    17     5    12    13     0     8    3
lockfpl    104      946    0      945     2     1     1     2     0     8    0
lockfspl    48      175    0      174     1     0     1     1     0     8    0
sessionpl  144       26    0       19     1     0     1     1     0     8    0
pgrppl      48       98    0       83     1     0     1     1     0     8    0
ucredpl    104     2679    0     2670     1     0     1     1     0     8    0
zombiepl   144     2371    0     2371     1     0     1     1     0     8    1
processpl  1152    1857    0     1816     5     0     5     5     0     8    1
procpl     664     4216    0     4163     8     1     7     8     0     8    2
sosppl     176        3    0        3     3     2     1     1     0     8    1
sockpl     552     3514    0     3500    27    17    10    12     0     8    8
sockpl: pool(0xffffffff839169f8:sockpl): page inconsistency: page 0xffff8000ffffffff; at page head addr 0xffff8000015b5f90 (p 0xffff8000015b4000)
uvm_fault(0xffffffff8394ac78, 0xffff80010000004f, 0, 1) -> e
kernel: page fault trap, code=0
Faulted in DDB; continuing...
ddb> machine ddbcpu 0
No such command
ddb> trace
sys_shmat(ffff80002a7bcfa8,ffff800038111060,ffff800038110fb0) at sys_shmat+0xe0 sys/kern/sysv_shm.c:235
syscall(ffff800038111060) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline]
syscall(ffff800038111060) at syscall+0x962 sys/arch/amd64/amd64/trap.c:775
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xb4824ee1c70, count: -3
ddb> machine ddbcpu 1
No such command
ddb> trace
sys_shmat(ffff80002a7bcfa8,ffff800038111060,ffff800038110fb0) at sys_shmat+0xe0 sys/kern/sysv_shm.c:235
syscall(ffff800038111060) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline]
syscall(ffff800038111060) at syscall+0x962 sys/arch/amd64/amd64/trap.c:775
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xb4824ee1c70, count: -3

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2026/01/18 06:56 openbsd f5df22e61f89 56f88057 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: sys_shmat
2025/12/05 14:18 openbsd 4f07d5022fc4 cee4cb10 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore uvm_fault: sys_shmat
2025/12/01 22:42 openbsd 6cbdb9457802 d4611817 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore uvm_fault: sys_shmat
2025/11/18 14:29 openbsd ae8b598acb72 ef766cd7 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: sys_shmat
2025/10/01 08:49 openbsd ae814b404f5c 770ff59f .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore uvm_fault: sys_shmat