panic: pool_do_get: shmpl free list modified: page 0xfffffd806cb05000; item addr 0xfffffd806cb05e70; offset 0x40=0x698c2749 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND * 87352 71274 32767 0x10 0x4000000 1K syz-executor 424199 40231 0 0x100002 0 0 sh db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff833a7c2e) at panic+0x1e5 sys/kern/subr_prf.c:198 pool_do_get(ffffffff839daa20,1,ffff80003b3fe528) at pool_do_get+0x5df pool_get(ffffffff839daa20,1) at pool_get+0x162 sys/kern/subr_pool.c:-1 shmget_allocate_segment(ffff80003c41dcb0,ffff80003b3fe780,4,ffff80003b3fe6d0) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1 sys_shmget(ffff80003c41dcb0,ffff80003b3fe780,ffff80003b3fe6d0) at sys_shmget+0x195 sys/kern/sysv_shm.c:482 syscall(ffff80003b3fe780) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003b3fe780) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:775 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xce84308dd0, count: 7 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic *cpu1: pool_do_get: shmpl free list modified: page 0xfffffd806cb05000; item addr 0xfffffd806cb05e70; offset 0x40=0x698c2749 ddb{1}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff833a7c2e) at panic+0x1e5 sys/kern/subr_prf.c:198 pool_do_get(ffffffff839daa20,1,ffff80003b3fe528) at pool_do_get+0x5df pool_get(ffffffff839daa20,1) at pool_get+0x162 sys/kern/subr_pool.c:-1 shmget_allocate_segment(ffff80003c41dcb0,ffff80003b3fe780,4,ffff80003b3fe6d0) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1 sys_shmget(ffff80003c41dcb0,ffff80003b3fe780,ffff80003b3fe6d0) at sys_shmget+0x195 sys/kern/sysv_shm.c:482 syscall(ffff80003b3fe780) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003b3fe780) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:775 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xce84308dd0, count: -8 ddb{1}> show registers rdi 0 rsi 0x1 rbp 0xffff80003b3fe350 rbx 0xffff8000299dee07 rdx 0xffff800001545740 rcx 0xffff80003c41dcb0 rax 0xffff8000299ddff0 r8 0x101010101010101 r9 0x8080808080808080 r10 0xabc2e6e5ea268fbe r11 0xb78104d2b12c7e7a r12 0xffff8000299dec08 r13 0 r14 0 r15 0x1 rip 0xffffffff82b4f155 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80003b3fe340 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb{1}> show proc PROC (syz-executor) tid=87352 pid=71274 tcnt=2 stat=onproc flags process=10 proc=4000000 runpri=32, usrpri=50, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80003c41c028,0xffff80003c41cd30 process=0xffff80003c40f9e0 user=0xffff80003b3f9000, vmspace=0xfffffd806cb699b0 estcpu=2, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 66793 131607 31439 0 2 0x2 arp 74319 180987 59962 32767 2 0x10 syz-executor 99683 428206 11275 0 2 0x40 syz-executor 93190 211028 8597 32767 2 0x10 syz-executor 71274 507298 2048 32767 2 0x10 syz-executor *71274 87352 2048 32767 7 0x4000010 syz-executor 32092 448766 91499 32767 2 0x10 syz-executor 31439 414413 73784 0 3 0x10008a sigsusp sh 40231 424199 30653 0 7 0x100002 sh 61804 12523 63545 32767 2 0x10 syz-executor 73784 324866 80336 0 3 0x80 wait syz-executor 8597 366768 7306 32767 2 0x10 syz-executor 59962 143840 19755 32767 3 0x90 nanoslp syz-executor 2048 105527 88377 32767 3 0x90 nanoslp syz-executor 11275 461108 76394 0 3 0x80 ppwait syz-executor 30653 189152 11742 0 3 0x80 wait syz-executor 91499 523954 75435 32767 3 0x90 nanoslp syz-executor 7306 343002 99025 0 3 0x82 wait syz-executor 80336 55483 99025 0 3 0x82 wait syz-executor 75435 454810 99025 0 3 0x82 wait syz-executor 19755 359517 99025 0 3 0x82 wait syz-executor 76394 29486 99025 0 3 0x82 wait syz-executor 11742 226752 99025 0 3 0x82 wait syz-executor 88377 241044 99025 0 3 0x82 wait syz-executor 63545 81299 99025 0 3 0x82 wait syz-executor 99025 199954 26951 0 3 0x82 kqread syz-executor 26951 270272 76988 0 3 0x10008a sigsusp ksh 76988 151569 77863 0 3 0x98 kqread sshd-session 77863 441738 552 0 3 0x92 kqread sshd-session 40074 338171 1 0 3 0x100083 ttyin getty 552 369948 1 0 3 0x88 kqread sshd 85788 187538 71745 73 3 0x1100090 kqread syslogd 71745 357852 1 0 3 0x100082 sbwait syslogd 75494 178 1 0 3 0x100080 kqread resolvd 39948 256072 29552 77 3 0x100092 kqread dhcpleased 15247 71037 29552 77 3 0x100092 kqread dhcpleased 29552 271264 1 0 3 0x80 kqread dhcpleased 23144 6544 0 0 3 0x14200 bored smr 81468 9271 0 0 2 0x14200 zerothread 23285 97350 0 0 3 0x14200 aiodoned aiodoned 67655 113221 0 0 3 0x14200 syncer update 67998 503745 0 0 3 0x14200 cleaner cleaner 50441 414610 0 0 3 0x14200 reaper reaper 40156 8687 0 0 3 0x14200 pgdaemon pagedaemon 87447 264119 0 0 3 0x14200 bored viomb 93167 65067 0 0 3 0x40014200 acpi0 acpi0 98342 320456 0 0 3 0x40014200 idle1 2208 512980 0 0 3 0x14200 bored softnet1 98380 503281 0 0 3 0x14200 bored softnet0 52764 313885 0 0 3 0x14200 smrbar systqmp 96075 24514 0 0 3 0x14200 bored systq 4002 412198 0 0 3 0x14200 tmoslp softclockmp 14196 432097 0 0 3 0x40014200 tmoslp softclock 46531 455356 0 0 3 0x40014200 idle0 1 384852 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks CPU 1: exclusive mutex shmpl r = 0 (0xffffffff839daa38) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 mtx_enter+0x4b4 sys/kern/kern_lock.c:487 #2 pool_get+0x124 sys/kern/subr_pool.c:585 #3 shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1 #4 sys_shmget+0x195 sys/kern/sysv_shm.c:482 #5 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] #5 syscall+0xb17 sys/arch/amd64/amd64/trap.c:775 #6 Xsyscall+0x128 Process 71274 (syz-executor) thread 0xffff80003c41dcb0 (87352) exclusive kernel_lock &kernel_lock r = 0 (0xffffffff83929d40) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 syscall+0xaf4 mi_syscall sys/sys/syscall_mi.h:175 [inline] #1 syscall+0xaf4 sys/arch/amd64/amd64/trap.c:775 #2 Xsyscall+0x128 exclusive mutex shmpl r = 0 (0xffffffff839daa38) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 mtx_enter+0x4b4 sys/kern/kern_lock.c:487 #2 pool_get+0x124 sys/kern/subr_pool.c:585 #3 shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1 #4 sys_shmget+0x195 sys/kern/sysv_shm.c:482 #5 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] #5 syscall+0xb17 sys/arch/amd64/amd64/trap.c:775 #6 Xsyscall+0x128 Process 52764 (systqmp) thread 0xffff8000ffffe7c8 (313885) shared rwlock systqmp r = 0 (0xffffffff83880778) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 taskq_thread+0x12a sys/kern/kern_task.c:442 #2 proc_trampoline+0x10 ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 11044 12017K 12034K 166960K 12135 0 pcb 17 12K 12K 166960K 17 0 rtable 203 5K 5K 166960K 293 0 pf 31 16K 16K 166960K 31 0 ifaddr 38 6K 6K 166960K 40 0 ifgroup 50 2K 2K 166960K 50 0 sysctl 1 1K 9K 166960K 5 0 counters 70 37K 37K 166960K 70 0 ioctlops 0 0K 2K 166960K 27 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1335 84K 84K 166960K 1355 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 5K 166960K 3 0 VM map 2 1K 1K 166960K 2 0 sem 3 0K 0K 166960K 3 0 dirhash 12 2K 2K 166960K 12 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 26 97K 121K 166960K 137 0 proc 58 99K 131K 166960K 458 0 subproc 72 4K 4K 166960K 72 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 in_multi 79 5K 5K 166960K 79 0 ether_multi 1 0K 0K 166960K 1 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 25 122K 122K 166960K 25 0 exec 0 0K 1K 166960K 336 0 fusefs mount 1 32K 32K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 213 177K 185K 166960K 2782 0 UVM aobj 3 2K 3K 166960K 4 0 pinsyscall 47 94K 109K 166960K 1146 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 NDP 23 1K 1K 166960K 23 0 temp 34 8670K 8734K 166960K 3642 0 kqueue 13 20K 20K 166960K 22 0 SYN cache 2 16K 16K 166960K 2 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 120 28 0 25 1 0 1 1 0 8 0 rtentry 176 94 0 1 5 0 5 5 0 8 0 unpcb 144 33 0 18 1 0 1 1 0 8 0 syncache 336 3 0 3 1 0 1 1 0 8 1 tcpcb 736 9 0 5 1 0 1 1 0 8 0 arp 136 16 0 0 1 0 1 1 0 8 0 inpcb 328 58 0 51 1 0 1 1 0 8 0 nd6 152 17 0 0 1 0 1 1 0 8 0 kcovpl 48 8 0 0 1 0 1 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 369 0 0 24 0 24 24 0 8 0 art_table 40 370 0 0 4 0 4 4 0 8 0 art_node 32 94 0 7 1 0 1 1 0 8 0 semapl 112 1 0 0 1 0 1 1 0 8 0 shmpl 112 1 0 1 1 0 1 1 0 8 1 pool(0xffffffff839daa20:shmpl): page inconsistency: page 0xfffffd806cb05000; 34 on list, 0 missing, 35 items per page dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 1555 0 54 94 0 94 94 0 8 0 ffsino 296 1555 0 54 116 0 116 116 0 8 0 nchpl 144 1745 0 67 63 0 63 63 0 8 0 vnodes 216 1636 0 0 91 0 91 91 0 8 0 namei 1024 4905 0 4905 2 0 2 2 0 8 2 percpumem 16 50 0 0 1 0 1 1 0 8 0 kstatmem 264 24 0 0 2 0 2 2 0 8 0 scxspl 216 5707 0 5707 3 1 2 2 1 8 2 plimitpl 152 35 0 11 1 0 1 1 0 8 0 sigapl 424 417 0 363 7 0 7 7 0 8 0 knotepl 120 51 0 0 2 0 2 2 0 8 0 kqueuepl 224 83 0 74 5 0 5 5 0 8 4 pipepl 344 109 0 82 3 0 3 3 0 8 0 fdescpl 528 401 0 363 3 0 3 3 0 8 0 filepl 160 1392 0 1188 12 0 12 12 0 8 3 lockfpl 104 6 0 4 1 0 1 1 0 8 0 lockfspl 48 4 0 2 1 0 1 1 0 8 0 sessionpl 144 21 0 5 1 0 1 1 0 8 0 pgrppl 48 29 0 5 1 0 1 1 0 8 0 ucredpl 104 78 0 62 1 0 1 1 0 8 0 zombiepl 144 363 0 363 1 0 1 1 0 8 1 processpl 1232 417 0 363 5 0 5 5 0 8 0 procpl 664 427 0 372 6 0 6 6 0 8 0 sockpl 752 119 0 94 3 0 3 3 0 8 0 mcl64k 65536 1 0 0 1 0 1 1 0 8 0 mcl16k 16384 1 0 0 1 0 1 1 0 8 0 mcl8k 8192 1 0 0 1 0 1 1 0 8 0 mcl4k 4096 108 0 0 14 0 14 14 0 8 0 mcl2k 2048 13 0 0 2 0 2 2 0 8 0 mtagpl 96 2 0 0 1 0 1 1 0 8 0 mbufpl 256 131 0 0 9 0 9 9 0 8 0 bufpl 280 2240 0 118 152 0 152 152 0 8 0 anonpl 32 3730 0 0 31 0 31 31 0 246 0 amapchunkpl 152 8089 0 7711 25 0 25 25 0 158 9 amappl16 200 2003 0 1993 5 0 5 5 0 8 4 amappl15 192 23 0 23 1 0 1 1 0 8 1 amappl14 184 4 0 4 1 0 1 1 0 8 1 amappl13 176 397 0 394 1 0 1 1 0 8 0 amappl12 168 711 0 672 2 0 2 2 0 8 0 amappl11 160 10 0 9 1 0 1 1 0 8 0 amappl10 152 43 0 33 1 0 1 1 0 8 0 amappl9 144 247 0 247 1 0 1 1 0 8 1 amappl8 136 26 0 25 1 0 1 1 0 8 0 amappl7 128 70 0 69 1 0 1 1 0 8 0 amappl6 120 253 0 239 1 0 1 1 0 8 0 amappl5 112 75 0 68 1 0 1 1 0 8 0 amappl4 104 350 0 328 1 0 1 1 0 8 0 amappl3 96 1180 0 1112 3 0 3 3 0 8 0 amappl2 88 496 0 426 2 0 2 2 0 8 0 amappl1 80 8452 0 7899 13 0 13 13 0 8 0 amappl 88 2146 0 2008 4 0 4 4 0 92 0 uvmvnodes 80 96 0 0 2 0 2 2 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 3 0 1 1 0 1 1 0 8 0 uaddrrnd 24 401 0 363 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 401 0 363 1 0 1 1 0 8 0 vmmpekpl 168 4862 0 4834 2 0 2 2 0 8 0 vmmpepl 168 33394 0 31472 87 0 87 87 0 357 2 vmsppl 488 400 0 363 7 1 6 6 0 8 1 rwobjpl 80 12640 0 11740 21 0 21 21 0 8 1 pdppl 4096 810 0 726 106 10 96 96 0 8 12 pvpl 32 8584 0 0 70 0 70 70 0 265 0 pmappl 256 400 0 363 4 1 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 267 0 13 8 0 8 8 0 8 0 ddb{1}> machine ddbcpu 0 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffffffff837c8ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x19 kd_curproc sys/dev/kcov.c:580 [inline] __sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x19 sys/dev/kcov.c:153 softintr_dispatch(0) at softintr_dispatch+0x125 sys/kern/kern_softintr.c:83 dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862 Xsoftclock() at Xsoftclock+0x27 __mp_lock(ffffffff83929540) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline] __mp_lock(ffffffff83929540) at __mp_lock+0x192 sys/kern/kern_lock.c:173 syscall(ffff800035fd4b60) at syscall+0xaf4 mi_syscall sys/sys/syscall_mi.h:175 [inline] syscall(ffff800035fd4b60) at syscall+0xaf4 sys/arch/amd64/amd64/trap.c:775 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7556a5a37320, count: 5 ddb{0}> trace x86_ipi_db(ffffffff837c8ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x19 kd_curproc sys/dev/kcov.c:580 [inline] __sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x19 sys/dev/kcov.c:153 softintr_dispatch(0) at softintr_dispatch+0x125 sys/kern/kern_softintr.c:83 dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862 Xsoftclock() at Xsoftclock+0x27 __mp_lock(ffffffff83929540) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline] __mp_lock(ffffffff83929540) at __mp_lock+0x192 sys/kern/kern_lock.c:173 syscall(ffff800035fd4b60) at syscall+0xaf4 mi_syscall sys/sys/syscall_mi.h:175 [inline] syscall(ffff800035fd4b60) at syscall+0xaf4 sys/arch/amd64/amd64/trap.c:775 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7556a5a37320, count: -10 ddb{0}> machine ddbcpu 1 Stopped at db_enter+0x25: addq $0x8,%rsp db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff833a7c2e) at panic+0x1e5 sys/kern/subr_prf.c:198 pool_do_get(ffffffff839daa20,1,ffff80003b3fe528) at pool_do_get+0x5df pool_get(ffffffff839daa20,1) at pool_get+0x162 sys/kern/subr_pool.c:-1 shmget_allocate_segment(ffff80003c41dcb0,ffff80003b3fe780,4,ffff80003b3fe6d0) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1 sys_shmget(ffff80003c41dcb0,ffff80003b3fe780,ffff80003b3fe6d0) at sys_shmget+0x195 sys/kern/sysv_shm.c:482 syscall(ffff80003b3fe780) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003b3fe780) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:775 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xce84308dd0, count: 7 ddb{1}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff833a7c2e) at panic+0x1e5 sys/kern/subr_prf.c:198 pool_do_get(ffffffff839daa20,1,ffff80003b3fe528) at pool_do_get+0x5df pool_get(ffffffff839daa20,1) at pool_get+0x162 sys/kern/subr_pool.c:-1 shmget_allocate_segment(ffff80003c41dcb0,ffff80003b3fe780,4,ffff80003b3fe6d0) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1 sys_shmget(ffff80003c41dcb0,ffff80003b3fe780,ffff80003b3fe6d0) at sys_shmget+0x195 sys/kern/sysv_shm.c:482 syscall(ffff80003b3fe780) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003b3fe780) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:775 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xce84308dd0, count: -8