panic: pool_do_put: shmpl: double pool_put: 0xfffffd8066ad1ee0
Stopped at db_enter+0x25: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
137346 40900 32767 0x10 0x4000000 0 syz-executor
*412117 12021 32767 0x10 0x4000000 1K syz-executor
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff83070915) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_put(ffffffff8356b148,fffffd8066ad1ee0) at pool_do_put+0x1be sys/kern/subr_pool.c:841
pool_put(ffffffff8356b148,fffffd8066ad1ee0) at pool_put+0xb3 sys/kern/subr_pool.c:799
shm_delete_mapping(fffffd806c22d540,ffff800001194008) at shm_delete_mapping+0x1ac shm_deallocate_segment sys/kern/sysv_shm.c:153 [inline]
shm_delete_mapping(fffffd806c22d540,ffff800001194008) at shm_delete_mapping+0x1ac sys/kern/sysv_shm.c:174
syscall(ffff8000371f4e00) at syscall+0xaf8 mi_syscall sys/sys/syscall_mi.h:179 [inline]
syscall(ffff8000371f4e00) at syscall+0xaf8 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xf88688c1750, count: 8
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic *cpu1: pool_do_put: shmpl: double pool_put: 0xfffffd8066ad1ee0 ddb{1}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff83070915) at panic+0x1e5 sys/kern/subr_prf.c:198 pool_do_put(ffffffff8356b148,fffffd8066ad1ee0) at pool_do_put+0x1be sys/kern/subr_pool.c:841 pool_put(ffffffff8356b148,fffffd8066ad1ee0) at pool_put+0xb3 sys/kern/subr_pool.c:799 shm_delete_mapping(fffffd806c22d540,ffff800001194008) at shm_delete_mapping+0x1ac shm_deallocate_segment sys/kern/sysv_shm.c:153 [inline] shm_delete_mapping(fffffd806c22d540,ffff800001194008) at shm_delete_mapping+0x1ac sys/kern/sysv_shm.c:174 syscall(ffff8000371f4e00) at syscall+0xaf8 mi_syscall sys/sys/syscall_mi.h:179 [inline] syscall(ffff8000371f4e00) at syscall+0xaf8 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xf88688c1750, count: -7 ddb{1}> show registers rdi 0 rsi 0x1 rbp 0xffff8000371f4b30 rbx 0xffff800029b7cd87 rdx 0 rcx 0xffff8000fffeaf58 rax 0xffff800029b7bff0 r8 0x101010101010101 r9 0x8080808080808080 r10 0xc0867893ee54f7fd r11 0xb4e5c702bdc77749 r12 0xffff800029b7cb88 r13 0 r14 0 r15 0x1 rip 0xffffffff81e2a4b5 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff8000371f4b20 ss 0 db_enter+0x25: addq $0x8,%rsp ddb{1}> show proc PROC (syz-executor) tid=412117 pid=12021 tcnt=3 stat=onproc flags process=10 proc=4000000 runpri=32, usrpri=86, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff8000ffff7bf0,0xffff8000fffea548 process=0xffff8000ffff1fd0 user=0xffff8000371ef000, vmspace=0xfffffd806c22d540 estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 40390 462481 76672 32767 2 0x10 syz-executor 95367 190090 39784 32767 3 0x90 nanoslp syz-executor 95367 375151 39784 32767 3 0x4000090 fsleep syz-executor 95367 114682 39784 32767 3 0x4000090 fsleep syz-executor 
40900 411566 92690 32767 2 0x10 syz-executor 40900 243702 92690 32767 2 0x4000010 syz-executor 40900 137346 92690 32767 7 0x4000010 syz-executor 12021 167681 474 32767 2 0x10 syz-executor *12021 412117 474 32767 7 0x4000010 syz-executor 12021 260448 474 32767 3 0x4000090 fsleep syz-executor 36063 39687 45545 32767 2 0x10 syz-executor 36063 241565 45545 32767 3 0x4000090 fsleep syz-executor 80066 518460 44667 32767 3 0x90 nanoslp syz-executor 80066 345865 44667 32767 3 0x4000090 msgwait syz-executor 80066 435685 44667 32767 3 0x4000090 fsleep syz-executor 58015 12019 748 32767 2 0x10 syz-executor 58015 355565 748 32767 3 0x4000090 kqread syz-executor 58015 456277 748 32767 3 0x4000090 fsleep syz-executor 27984 321085 27902 0 3 0x100082 sbwait arp 27902 62382 7461 0 3 0x10008a sigsusp sh 474 448865 92937 32767 3 0x90 nanoslp syz-executor 45545 392066 59911 32767 3 0x90 nanoslp syz-executor 44667 20566 31315 32767 3 0x90 nanoslp syz-executor 76672 196541 36180 32767 3 0x90 nanoslp syz-executor 748 151667 62454 32767 3 0x90 nanoslp syz-executor 39784 264299 97384 32767 3 0x90 nanoslp syz-executor 92690 238698 67803 32767 3 0x90 nanoslp syz-executor 7461 165082 59999 0 3 0x80 wait syz-executor 92937 101121 89148 0 3 0x82 wait syz-executor 59911 407504 89148 0 3 0x82 wait syz-executor 36180 196741 89148 0 3 0x82 wait syz-executor 31315 316346 89148 0 3 0x82 wait syz-executor 62454 241004 89148 0 3 0x82 wait syz-executor 67803 107603 89148 0 3 0x82 wait syz-executor 97384 451852 89148 0 3 0x82 wait syz-executor 59999 186835 89148 0 3 0x82 wait syz-executor 89148 352290 50735 0 3 0x82 kqread syz-executor 50735 358071 60660 0 3 0x10008a sigsusp ksh 60660 22610 83621 0 3 0x98 kqread sshd-session 83621 200469 43570 0 3 0x92 kqread sshd-session 87639 511793 1 0 3 0x100083 ttyin getty 43570 517250 1 0 3 0x88 kqread sshd 58628 521758 93367 73 3 0x1100090 kqread syslogd 93367 284749 1 0 3 0x100082 sbwait syslogd 40881 255479 1 0 3 0x100080 kqread resolvd 52538 371558 76923 77 3 
0x100092 kqread dhcpleased 21779 369670 76923 77 3 0x100092 kqread dhcpleased 76923 347161 1 0 3 0x80 kqread dhcpleased 93046 476548 0 0 3 0x14200 bored smr 29932 479167 0 0 2 0x14200 zerothread 56153 429856 0 0 3 0x14200 aiodoned aiodoned 15916 401742 0 0 3 0x14200 syncer update 84127 282878 0 0 3 0x14200 cleaner cleaner 95485 254653 0 0 3 0x14200 reaper reaper 32241 514174 0 0 3 0x14200 pgdaemon pagedaemon 17659 358433 0 0 3 0x14200 bored viomb 65374 79433 0 0 3 0x40014200 acpi0 acpi0 43791 159828 0 0 3 0x40014200 idle1 3549 280353 0 0 3 0x14200 bored softnet3 99119 514479 0 0 3 0x14200 bored softnet2 94330 340022 0 0 3 0x14200 bored softnet1 55304 463545 0 0 3 0x14200 bored softnet0 18421 349948 0 0 3 0x14200 bored systqmp 82454 329475 0 0 3 0x14200 bored systq 44146 360288 0 0 3 0x14200 tmoslp softclockmp 43454 512738 0 0 3 0x40014200 tmoslp softclock 10485 280757 0 0 3 0x40014200 idle0 1 86933 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks CPU 1: exclusive mutex shmpl r = 0 (0xffffffff8356b158) #0 witness_lock+0x5b8 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5b8 sys/kern/subr_witness.c:1151 #1 mtx_enter_try+0x178 #2 mtx_enter+0x60 sys/kern/kern_lock.c:239 #3 pool_put+0x9f sys/kern/subr_pool.c:797 #4 shm_delete_mapping+0x1ac shm_deallocate_segment sys/kern/sysv_shm.c:153 [inline] #4 shm_delete_mapping+0x1ac sys/kern/sysv_shm.c:174 #5 syscall+0xaf8 mi_syscall sys/sys/syscall_mi.h:179 [inline] #5 syscall+0xaf8 sys/arch/amd64/amd64/trap.c:577 #6 Xsyscall+0x128 Process 12021 (syz-executor) thread 0xffff8000fffeaf58 (412117) exclusive kernel_lock &kernel_lock r = 0 (0xffffffff83543d28) #0 witness_lock+0x5b8 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5b8 sys/kern/subr_witness.c:1151 #1 __mp_acquire_count+0x58 #2 mi_switch+0x658 sys/kern/sched_bsd.c:460 #3 sleep_finish+0x219 sys/kern/kern_synch.c:416 #4 rw_enter+0x348 sys/kern/kern_rwlock.c:285 #5 vm_map_lock_ln+0x143 
sys/uvm/uvm_map.c:5252 #6 uvm_unmap+0x81 sys/uvm/uvm_map.c:1792 #7 shm_delete_mapping+0xa0 sys/kern/sysv_shm.c:170 #8 syscall+0xaf8 mi_syscall sys/sys/syscall_mi.h:179 [inline] #8 syscall+0xaf8 sys/arch/amd64/amd64/trap.c:577 #9 Xsyscall+0x128 exclusive mutex shmpl r = 0 (0xffffffff8356b158) #0 witness_lock+0x5b8 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5b8 sys/kern/subr_witness.c:1151 #1 mtx_enter_try+0x178 #2 mtx_enter+0x60 sys/kern/kern_lock.c:239 #3 pool_put+0x9f sys/kern/subr_pool.c:797 #4 shm_delete_mapping+0x1ac shm_deallocate_segment sys/kern/sysv_shm.c:153 [inline] #4 shm_delete_mapping+0x1ac sys/kern/sysv_shm.c:174 #5 syscall+0xaf8 mi_syscall sys/sys/syscall_mi.h:179 [inline] #5 syscall+0xaf8 sys/arch/amd64/amd64/trap.c:577 #6 Xsyscall+0x128 ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10176 10023K 10036K 166960K 11254 0 pcb 17 12K 12K 166960K 17 0 rtable 222 6K 6K 166960K 328 0 pf 31 16K 16K 166960K 31 0 ifaddr 40 7K 7K 166960K 42 0 ifgroup 50 2K 2K 166960K 50 0 counters 64 36K 36K 166960K 64 0 ioctlops 0 0K 2K 166960K 29 0 iov 0 0K 2K 166960K 1 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1363 86K 86K 166960K 1380 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 3 5K 5K 166960K 3 0 VM map 2 1K 1K 166960K 2 0 sem 3 0K 0K 166960K 3 0 dirhash 12 2K 2K 166960K 12 0 ACPI 1697 195K 286K 166960K 12548 0 file desc 27 101K 121K 166960K 175 0 proc 56 78K 127K 166960K 480 0 subproc 104 6K 6K 166960K 104 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 3 0 in_multi 89 6K 6K 166960K 89 0 ether_multi 1 0K 0K 166960K 1 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 37 175K 175K 166960K 37 0 exec 0 0K 1K 166960K 362 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 254 74K 74K 166960K 3046 0 UVM aobj 3 2K 2K 166960K 4 0 pinsyscall 49 98K 112K 166960K 1149 0 memdesc 1 4K 4K 166960K 1 0 
crypto data 1 1K 1K 166960K 1 0 ip6_options 1 0K 0K 166960K 4 0 NDP 25 1K 1K 166960K 25 0 temp 37 6814K 6878K 166960K 3683 0 kqueue 14 22K 22K 166960K 26 0 SYN cache 2 16K 16K 166960K 2 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 24 0 0 1 0 1 1 0 8 0 rtpcb 120 36 0 32 1 0 1 1 0 8 0 rtentry 112 105 0 1 3 0 3 3 0 8 0 unpcb 144 60 0 42 1 0 1 1 0 8 0 syncache 336 3 0 3 2 1 1 1 0 8 1 tcpcb 808 28 0 22 2 0 2 2 0 8 1 arp 120 17 0 0 1 0 1 1 0 8 0 ipq 40 1 0 0 1 0 1 1 0 8 0 ipqe 40 1 0 0 1 0 1 1 0 8 0 inpcb 336 97 0 85 2 0 2 2 0 8 0 nd6 136 23 0 0 1 0 1 1 0 8 0 kcovpl 48 8 0 0 1 0 1 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 428 0 0 27 0 27 27 0 8 0 art_table 32 429 0 0 4 0 4 4 0 8 0 art_node 16 104 0 9 1 0 1 1 0 8 0 sysvmsgpl 40 1 0 1 1 0 1 1 0 8 1 semapl 112 1 0 0 1 0 1 1 0 8 0 shmpl 112 1 0 1 1 0 1 1 0 8 1 pool(shmpl): free list modified: page 0xfffffd8066ad1000; item ordinal 0; addr 0xfffffd8066ad1ee0 (p 0xfffffd8066ad1000); offset 0x1c=0xdeafbeac dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 1578 0 80 94 0 94 94 0 8 0 ffsino 272 1578 0 80 100 0 100 100 0 8 0 nchpl 144 1813 0 142 63 0 63 63 0 8 0 uvmvnodes 80 1691 0 0 35 0 35 35 0 8 0 vnodes 216 1691 0 0 94 0 94 94 0 8 0 namei 1024 5249 0 5249 1 0 1 1 0 8 1 percpumem 16 46 0 0 1 0 1 1 0 8 0 kstatmem 264 22 0 0 2 0 2 2 0 8 0 scxspl 216 5200 0 5200 3 1 2 2 1 8 2 plimitpl 152 39 0 15 2 0 2 2 0 8 1 sigapl 424 445 0 388 7 0 7 7 0 8 0 futexpl 64 481 0 475 1 0 1 1 0 8 0 knotepl 120 50 0 0 2 0 2 2 0 8 0 kqueuepl 216 30 0 20 1 0 1 1 0 8 0 pipepl 320 99 0 72 3 0 3 3 0 8 0 fdescpl 496 427 0 388 7 1 6 6 0 8 0 filepl 152 1462 0 1219 10 0 10 10 0 8 0 lockfpl 104 12 0 10 1 0 1 1 0 8 0 lockfspl 48 7 0 5 1 0 1 1 0 8 0 sessionpl 144 21 0 5 1 0 1 1 0 8 0 pgrppl 48 29 0 5 1 0 1 1 0 8 0 ucredpl 104 93 0 75 1 0 1 1 0 8 0 zombiepl 144 388 0 388 1 0 1 1 0 8 1 processpl 1160 445 0 388 5 0 5 5 0 8 0 procpl 648 514 0 446 7 0 7 7 0 8 1 sockpl 664 194 0 160 4 0 4 4 0 8 
0 mcl16k 16384 1 0 0 1 0 1 1 0 8 0 mcl8k 8192 3 0 0 1 0 1 1 0 8 0 mcl4k 4096 3 0 0 1 0 1 1 0 8 0 mcl2k 2048 238 0 0 30 0 30 30 0 8 0 mtagpl 96 3 0 0 1 0 1 1 0 8 0 mbufpl 256 245 0 0 16 0 16 16 0 8 0 bufpl 280 2188 0 89 150 0 150 150 0 8 0 anonpl 24 159296 0 155924 47 1 46 46 0 185 24 amapchunkpl 152 10335 0 9777 25 1 24 24 0 158 0 amappl16 200 4318 0 4307 14 0 14 14 0 8 12 amappl15 192 11 0 11 1 0 1 1 0 8 1 amappl14 184 160 0 149 1 0 1 1 0 8 0 amappl13 176 17 0 17 1 0 1 1 0 8 1 amappl12 168 1042 0 1004 3 1 2 2 0 8 0 amappl11 160 53 0 43 1 0 1 1 0 8 0 amappl10 152 11 0 11 1 0 1 1 0 8 1 amappl9 144 137 0 137 1 0 1 1 0 8 1 amappl8 136 24 0 22 1 0 1 1 0 8 0 amappl7 128 100 0 89 1 0 1 1 0 8 0 amappl6 120 224 0 222 1 0 1 1 0 8 0 amappl5 112 121 0 113 1 0 1 1 0 8 0 amappl4 104 284 0 265 1 0 1 1 0 8 0 amappl3 96 1788 0 1681 3 0 3 3 0 8 0 amappl2 88 622 0 542 2 0 2 2 0 8 0 amappl1 80 7384 0 6804 14 0 14 14 0 8 0 amappl 88 2718 0 2521 5 0 5 5 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 3 0 1 1 0 1 1 0 8 0 pool(aobjpl): free list modified: page 0xfffffd80781f8000; item ordinal 0; addr 0xfffffd80781f8e10 (p 0xfffffd80781f8000); offset 0xc=0xdeadbeee uaddrrnd 24 427 0 388 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 427 0 388 1 0 1 1 0 8 0 vmmpekpl 168 5439 0 5400 2 0 2 2 0 8 0 vmmpepl 168 35691 0 33611 103 0 103 103 0 357 9 vmsppl 440 426 0 388 5 0 5 5 0 8 0 rwobjpl 56 16479 0 13892 41 0 41 41 0 8 1 pdppl 4096 861 0 776 109 14 95 95 0 8 10 pvpl 32 14516 0 0 119 1 118 118 0 265 0 pmappl 248 426 0 388 4 1 3 3 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 393 0 17 11 0 11 11 0 8 0 ddb{1}> machine ddbcpu 0 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffffffff834e9ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at 
x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x33 kd_curproc sys/dev/kcov.c:590 [inline] __sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x33 sys/dev/kcov.c:158 __mp_lock(ffffffff83543b20) at __mp_lock+0x1a3 __mp_lock_spin sys/kern/kern_lock.c:113 [inline] __mp_lock(ffffffff83543b20) at __mp_lock+0x1a3 sys/kern/kern_lock.c:144 end trace frame: 0x0, count: 10 ddb{0}> trace x86_ipi_db(ffffffff834e9ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x33 kd_curproc sys/dev/kcov.c:590 [inline] __sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x33 sys/dev/kcov.c:158 __mp_lock(ffffffff83543b20) at __mp_lock+0x1a3 __mp_lock_spin sys/kern/kern_lock.c:113 [inline] __mp_lock(ffffffff83543b20) at __mp_lock+0x1a3 sys/kern/kern_lock.c:144 end trace frame: 0x0, count: -5 ddb{0}> machine ddbcpu 1 Stopped at db_enter+0x25: addq $0x8,%rsp db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff83070915) at panic+0x1e5 sys/kern/subr_prf.c:198 pool_do_put(ffffffff8356b148,fffffd8066ad1ee0) at pool_do_put+0x1be sys/kern/subr_pool.c:841 pool_put(ffffffff8356b148,fffffd8066ad1ee0) at pool_put+0xb3 sys/kern/subr_pool.c:799 shm_delete_mapping(fffffd806c22d540,ffff800001194008) at shm_delete_mapping+0x1ac shm_deallocate_segment sys/kern/sysv_shm.c:153 [inline] shm_delete_mapping(fffffd806c22d540,ffff800001194008) at shm_delete_mapping+0x1ac sys/kern/sysv_shm.c:174 syscall(ffff8000371f4e00) at syscall+0xaf8 mi_syscall sys/sys/syscall_mi.h:179 [inline] syscall(ffff8000371f4e00) at syscall+0xaf8 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xf88688c1750, count: 8 ddb{1}> trace db_enter() at db_enter+0x25 
sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff83070915) at panic+0x1e5 sys/kern/subr_prf.c:198 pool_do_put(ffffffff8356b148,fffffd8066ad1ee0) at pool_do_put+0x1be sys/kern/subr_pool.c:841 pool_put(ffffffff8356b148,fffffd8066ad1ee0) at pool_put+0xb3 sys/kern/subr_pool.c:799 shm_delete_mapping(fffffd806c22d540,ffff800001194008) at shm_delete_mapping+0x1ac shm_deallocate_segment sys/kern/sysv_shm.c:153 [inline] shm_delete_mapping(fffffd806c22d540,ffff800001194008) at shm_delete_mapping+0x1ac sys/kern/sysv_shm.c:174 syscall(ffff8000371f4e00) at syscall+0xaf8 mi_syscall sys/sys/syscall_mi.h:179 [inline] syscall(ffff8000371f4e00) at syscall+0xaf8 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xf88688c1750, count: -7