panic: pool_do_get: shmpl free list modified: page 0xfffffd806457e000; item addr 0xfffffd806457e620; offset 0x40=0x687a6326
Stopped at db_enter+0x25: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
* 62135 65167 32767 0x10 0x4000000 1K syz-executor
493196 35640 0 0x14000 0x40000200 0 softclock
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff833d48b3) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff838d3fb8,1,ffff8000324028e8) at pool_do_get+0x5ea sys/kern/subr_pool.c:-1
pool_get(ffffffff838d3fb8,1) at pool_get+0x149 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff80003c42c550,ffff800032402b40,0,ffff800032402a90) at shmget_allocate_segment+0x1a7 sys/kern/sysv_shm.c:-1
sys_shmget(ffff80003c42c550,ffff800032402b40,ffff800032402a90) at sys_shmget+0x1b2 sys/kern/sysv_shm.c:482
syscall(ffff800032402b40) at syscall+0xb08 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff800032402b40) at syscall+0xb08 sys/arch/amd64/amd64/trap.c:748
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x26beaf35800, count: 7
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu1: pool_do_get: shmpl free list modified: page 0xfffffd806457e000; item addr 0xfffffd806457e620; offset 0x40=0x687a6326
ddb{1}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff833d48b3) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff838d3fb8,1,ffff8000324028e8) at pool_do_get+0x5ea sys/kern/subr_pool.c:-1
pool_get(ffffffff838d3fb8,1) at pool_get+0x149 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff80003c42c550,ffff800032402b40,0,ffff800032402a90) at shmget_allocate_segment+0x1a7 sys/kern/sysv_shm.c:-1
sys_shmget(ffff80003c42c550,ffff800032402b40,ffff800032402a90) at sys_shmget+0x1b2 sys/kern/sysv_shm.c:482
syscall(ffff800032402b40) at syscall+0xb08 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff800032402b40) at syscall+0xb08 sys/arch/amd64/amd64/trap.c:748
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x26beaf35800, count: -8
ddb{1}> show registers
rdi 0
rsi 0x1
rbp 0xffff800032402720
rbx 0xffff8000299dedd7
rdx 0
rcx 0xffff80003c42c550
rax 0xffff8000299ddff0
r8 0x101010101010101
r9 0x8080808080808080
r10 0x7ab90960c0067be5
r11 0x57b37c8ccd12a7b9
r12 0xffff8000299debd8
r13 0
r14 0
r15 0x1
rip 0xffffffff81717bb5 db_enter+0x25
cs 0x8
rflags 0x246
rsp 0xffff800032402710
ss 0x10
db_enter+0x25: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor) tid=62135 pid=65167 tcnt=3 stat=onproc
flags process=10 proc=4000000
runpri=32, usrpri=50, slppri=32, nice=20
wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
forw=0xffffffffffffffff, list=0xffff80003c42c030,0xffff80002a297738
process=0xffff800036412208 user=0xffff8000323fd000, vmspace=0xfffffd8071b3f3e0
estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
65167 508497 4159 32767 2 0x10 syz-executor
*65167 62135 4159 32767 7 0x4000010 syz-executor
65167 230102 4159 32767 3 0x4000090 fsleep syz-executor
39806 368727 36758 32767 2 0x10 syz-executor
88030 406077 50891 32767 2 0x10 syz-executor
96633 33111 58539 32767 2 0x10 syz-executor
52562 94108 40258 32767 2 0x10 syz-executor
69223 329197 40429 32767 2 0x10 syz-executor
69223 415871 40429 32767 3 0x4000090 fsleep syz-executor
45476 375285 27071 32767 2 0x10 syz-executor
45476 173048 27071 32767 3 0x4000090 fsleep syz-executor
72400 251704 56978 0 2 0x2 syz-executor
11090 403730 0 0 3 0x14200 bored sosplice
4159 84083 28440 32767 3 0x90 nanoslp syz-executor
36758 11369 32808 32767 3 0x90 nanoslp syz-executor
50891 240491 89502 32767 2 0x10 syz-executor
58539 363894 84994 32767 2 0xc90 syz-executor
40258 174986 90755 32767 2 0xc90 syz-executor
27071 496604 57089 32767 2 0xc90 syz-executor
40429 231087 87007 32767 2 0xc90 syz-executor
32808 219992 56978 0 3 0x82 wait syz-executor
28440 89036 56978 0 3 0x82 wait syz-executor
89502 497369 56978 0 3 0x82 wait syz-executor
84994 486844 56978 0 3 0x82 wait syz-executor
90755 434060 56978 0 3 0x82 wait syz-executor
87007 307049 56978 0 3 0x82 wait syz-executor
57089 109272 56978 0 3 0x82 wait syz-executor
56978 12399 5941 0 2 0x2 syz-executor
5941 9288 40952 0 3 0x10008a sigsusp ksh
40952 329779 72241 0 3 0x98 kqread sshd-session
72241 160401 15044 0 3 0x92 kqread sshd-session
66979 489049 1 0 3 0x100083 ttyin getty
15044 480395 1 0 3 0x88 kqread sshd
85093 199886 23170 73 3 0x1100090 kqread syslogd
23170 276932 1 0 3 0x100082 sbwait syslogd
96357 59368 1 0 3 0x100080 kqread resolvd
89391 184706 82932 77 3 0x100092 kqread dhcpleased
52270 2049 82932 77 3 0x100092 kqread dhcpleased
82932 380296 1 0 3 0x80 kqread dhcpleased
78996 249831 0 0 3 0x14200 bored smr
13407 256294 0 0 2 0x14200 zerothread
21563 299441 0 0 3 0x14200 aiodoned aiodoned
14412 256977 0 0 3 0x14200 syncer update
19912 266445 0 0 3 0x14200 cleaner cleaner
95200 177772 0 0 3 0x14200 reaper reaper
44587 203618 0 0 3 0x14200 pgdaemon pagedaemon
41322 252385 0 0 3 0x14200 bored viomb
30155 179937 0 0 3 0x40014200 acpi0 acpi0
33216 441236 0 0 3 0x40014200 idle1
57612 347486 0 0 3 0x14200 bored softnet3
34760 157162 0 0 3 0x14200 bored softnet2
36726 337130 0 0 3 0x14200 bored softnet1
83503 278243 0 0 2 0x14200 softnet0
43234 116257 0 0 3 0x14200 bored systqmp
22353 259726 0 0 3 0x14200 bored systq
50526 90002 0 0 3 0x14200 tmoslp softclockmp
35640 493196 0 0 7 0x40014200 softclock
77724 362622 0 0 3 0x40014200 idle0
1 199264 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
CPU 1:
exclusive mutex shmpl r = 0 (0xffffffff838d3fd0)
#0 witness_lock+0x5bb stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5bb sys/kern/subr_witness.c:1160
#1 mtx_enter_try+0x1ad sys/kern/kern_lock.c:311
#2 mtx_enter+0x62 sys/kern/kern_lock.c:261
#3 pool_get+0x10b sys/kern/subr_pool.c:578
#4 shmget_allocate_segment+0x1a7 sys/kern/sysv_shm.c:-1
#5 sys_shmget+0x1b2 sys/kern/sysv_shm.c:482
#6 syscall+0xb08 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#6 syscall+0xb08 sys/arch/amd64/amd64/trap.c:748
#7 Xsyscall+0x128
Process 65167 (syz-executor) thread 0xffff80003c42c550 (62135)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff839100a8)
#0 witness_lock+0x5bb stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5bb sys/kern/subr_witness.c:1160
#1 syscall+0xae6 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#1 syscall+0xae6 sys/arch/amd64/amd64/trap.c:748
#2 Xsyscall+0x128
exclusive mutex shmpl r = 0 (0xffffffff838d3fd0)
#0 witness_lock+0x5bb stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5bb sys/kern/subr_witness.c:1160
#1 mtx_enter_try+0x1ad sys/kern/kern_lock.c:311
#2 mtx_enter+0x62 sys/kern/kern_lock.c:261
#3 pool_get+0x10b sys/kern/subr_pool.c:578
#4 shmget_allocate_segment+0x1a7 sys/kern/sysv_shm.c:-1
#5 sys_shmget+0x1b2 sys/kern/sysv_shm.c:482
#6 syscall+0xb08 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#6 syscall+0xb08 sys/arch/amd64/amd64/trap.c:748
#7 Xsyscall+0x128
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10218 10957K 10967K 166960K 11301 0
pcb 17 12K 12K 166960K 17 0
rtable 197 5K 6K 166960K 277 0
pf 29 16K 16K 166960K 31 0
ifaddr 38 6K 7K 166960K 44 0
ifgroup 46 2K 2K 166960K 50 0
sysctl 3 1K 9K 166960K 8 0
counters 66 36K 36K 166960K 68 0
ioctlops 0 0K 2K 166960K 31 0
iov 0 0K 16K 166960K 9 0
mount 1 1K 1K 166960K 1 0
log 0 0K 0K 166960K 4 0
vnodes 1335 84K 84K 166960K 1523 0
UFS quota 1 32K 32K 166960K 1 0
UFS mount 5 36K 36K 166960K 5 0
shm 2 1K 5K 166960K 8 0
VM map 2 1K 1K 166960K 2 0
sem 12 0K 0K 166960K 16 0
dirhash 12 2K 2K 166960K 12 0
ACPI 1692 195K 286K 166960K 12470 0
file desc 24 89K 121K 166960K 416 0
sigio 0 0K 0K 166960K 2 0
proc 58 79K 139K 166960K 517 0
subproc 65 4K 4K 166960K 209 0
NFS srvsock 1 0K 0K 166960K 1 0
NFS daemon 1 16K 16K 166960K 1 0
ip_moptions 0 0K 0K 166960K 36 0
in_multi 88 6K 7K 166960K 104 0
ether_multi 1 0K 0K 166960K 3 0
ISOFS mount 1 32K 32K 166960K 1 0
MSDOSFS mount 1 16K 16K 166960K 1 0
ttys 253 1129K 1129K 166960K 253 0
exec 0 0K 1K 166960K 431 0
fusefs mount 1 32K 32K 166960K 1 0
tdb 3 0K 0K 166960K 3 0
VM swap 8 62K 64K 166960K 10 0
UVM amap 209 166K 176K 166960K 4795 0
UVM aobj 16 2K 3K 166960K 18 0
pinsyscall 45 90K 108K 166960K 1433 0
memdesc 1 4K 4K 166960K 1 0
crypto data 1 1K 1K 166960K 1 0
ip6_options 0 0K 0K 166960K 8 0
NDP 10 0K 2K 166960K 27 0
temp 36 8674K 8738K 166960K 4852 0
kqueue 13 20K 28K 166960K 53 0
SYN cache 2 16K 16K 166960K 2 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 26 0 0 1 0 1 1 0 8 0
rtpcb 120 52 0 49 1 0 1 1 0 8 0
rtentry 176 102 0 12 5 0 5 5 0 8 0
unpcb 144 183 0 168 1 0 1 1 0 8 0
syncache 336 7 0 7 1 0 1 1 0 8 1
tcpqe 32 2 0 2 1 1 0 1 0 8 0
tcpcb 736 91 0 85 2 1 1 2 0 8 0
arp 128 13 0 1 1 0 1 1 0 8 0
inpcb 328 312 0 302 4 2 2 4 0 8 0
nd6 144 20 0 4 1 0 1 1 0 8 0
kcovpl 48 23 0 16 1 0 1 1 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 447 0 46 28 1 27 28 0 8 0
art_table 40 448 0 46 5 0 5 5 0 8 0
art_node 32 102 0 21 1 0 1 1 0 8 0
sysvmsgpl 40 1 0 1 1 0 1 1 0 8 1
semapl 112 12 0 2 1 0 1 1 0 8 0
shmpl 112 15 0 2 1 0 1 1 0 8 0
pool(0xffffffff838d3fb8:shmpl): page inconsistency: page 0xfffffd806457e000; 21 on list, 13 missing, 35 items per page
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 1879 0 356 96 0 96 96 0 8 0
ffsino 288 1879 0 356 109 0 109 109 0 8 0
nchpl 144 2358 0 668 63 0 63 63 0 8 0
uvmvnodes 80 2097 0 0 43 0 43 43 0 8 0
vnodes 216 2097 0 0 117 0 117 117 0 8 0
namei 1024 7478 0 7478 2 1 1 2 0 8 1
percpumem 16 49 0 1 1 0 1 1 0 8 0
kstatmem 264 24 0 2 2 0 2 2 0 8 0
scxspl 216 8091 0 8091 10 2 8 8 1 8 8
plimitpl 152 102 0 79 2 0 2 2 0 8 0
sigapl 424 661 0 606 7 0 7 7 0 8 0
knotepl 120 318 0 0 10 0 10 10 0 8 0
kqueuepl 224 74 0 65 1 0 1 1 0 8 0
pipepl 336 298 0 270 9 1 8 8 0 8 5
fdescpl 520 642 0 606 3 0 3 3 0 8 0
filepl 160 3212 0 3015 17 3 14 17 0 8 5
lockfpl 104 47 0 45 1 0 1 1 0 8 0
lockfspl 48 21 0 19 1 0 1 1 0 8 0
sessionpl 144 39 0 24 1 0 1 1 0 8 0
pgrppl 48 67 0 44 1 0 1 1 0 8 0
ucredpl 104 529 0 511 1 0 1 1 0 8 0
zombiepl 144 606 0 606 1 0 1 1 0 8 1
processpl 1240 661 0 606 5 0 5 5 0 8 0
procpl 656 1019 0 960 7 1 6 7 0 8 0
sosppl 168 4 0 4 1 1 0 1 0 8 0
sockpl 728 552 0 524 7 3 4 7 0 8 0
mcl64k 65536 1 0 0 1 0 1 1 0 8 0
mcl16k 16384 2 0 0 1 0 1 1 0 8 0
mcl8k 8192 3 0 0 1 0 1 1 0 8 0
mcl4k 4096 112 0 0 14 0 14 14 0 8 0
mcl2k2 2112 1 0 0 1 0 1 1 0 8 0
mcl2k 2048 28 0 0 3 0 3 3 0 8 0
mtagpl 96 2 0 0 1 0 1 1 0 8 0
mbufpl 256 1196 0 0 75 0 75 75 0 8 0
bufpl 280 3072 0 116 212 0 212 212 0 8 0
anonpl 32 7285 0 0 59 0 59 59 0 246 0
amapchunkpl 152 15056 0 14641 30 3 27 27 0 158 7
amappl16 200 2733 0 2715 21 11 10 14 0 8 8
amappl15 192 7 0 7 1 1 0 1 0 8 0
amappl14 184 108 0 98 1 0 1 1 0 8 0
amappl13 176 2 0 2 1 1 0 1 0 8 0
amappl12 168 1245 0 1212 2 0 2 2 0 8 0
amappl11 160 47 0 37 1 0 1 1 0 8 0
amappl10 152 4 0 4 1 1 0 1 0 8 0
amappl9 144 244 0 244 1 1 0 1 0 8 0
amappl8 136 20 0 19 1 0 1 1 0 8 0
amappl7 128 100 0 90 1 0 1 1 0 8 0
amappl6 120 173 0 170 1 0 1 1 0 8 0
amappl5 112 115 0 109 1 0 1 1 0 8 0
amappl4 104 276 0 261 1 0 1 1 0 8 0
amappl3 96 2643 0 2546 4 0 4 4 0 8 0
amappl2 88 627 0 571 2 0 2 2 0 8 0
amappl1 80 9447 0 8884 14 0 14 14 0 8 1
amappl 88 4105 0 3961 5 0 5 5 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 17 0 2 1 0 1 1 0 8 0
uaddrrnd 24 642 0 606 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 642 0 606 1 0 1 1 0 8 0
vmmpekpl 168 7404 0 7366 3 1 2 3 0 8 0
vmmpepl 168 47163 0 45170 103 4 99 103 0 357 7
vmsppl 480 641 0 606 7 1 6 6 0 8 1
rwobjpl 72 17762 0 14860 58 0 58 58 0 8 1
pdppl 4096 1291 0 1212 113 32 81 95 0 8 2
pvpl 32 13874 0 0 112 0 112 112 0 265 0
pmappl 256 641 0 606 4 1 3 3 0 8 0
extentpl 40 45 0 27 1 0 1 1 0 8 0
phpool 112 466 0 39 13 0 13 13 0 8 0
ddb{1}> machine ddbcpu 0
Stopped at x86_ipi_db+0x27: addq $0x8,%rsp
x86_ipi_db(ffffffff8387dff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff8390fea0) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:134 [inline]
__mp_lock(ffffffff8390fea0) at __mp_lock+0x192 sys/kern/kern_lock.c:165
__mp_acquire_count(ffffffff8390fea0,1) at __mp_acquire_count+0x58 sys/kern/kern_lock.c:-1
sleep_finish(ffffffffffffffff,1) at sleep_finish+0x2da sys/kern/kern_synch.c:366
softclock_thread_run(ffffffff837d5118) at softclock_thread_run+0x79 sys/kern/kern_timeout.c:845
softclock_thread(ffff8000fffff480) at softclock_thread+0x10a sys/kern/kern_timeout.c:867
end trace frame: 0x0, count: 7
ddb{0}> trace
x86_ipi_db(ffffffff8387dff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff8390fea0) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:134 [inline]
__mp_lock(ffffffff8390fea0) at __mp_lock+0x192 sys/kern/kern_lock.c:165
__mp_acquire_count(ffffffff8390fea0,1) at __mp_acquire_count+0x58 sys/kern/kern_lock.c:-1
sleep_finish(ffffffffffffffff,1) at sleep_finish+0x2da sys/kern/kern_synch.c:366
softclock_thread_run(ffffffff837d5118) at softclock_thread_run+0x79 sys/kern/kern_timeout.c:845
softclock_thread(ffff8000fffff480) at softclock_thread+0x10a sys/kern/kern_timeout.c:867
end trace frame: 0x0, count: -8
ddb{0}> machine ddbcpu 1
Stopped at db_enter+0x25: addq $0x8,%rsp
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff833d48b3) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff838d3fb8,1,ffff8000324028e8) at pool_do_get+0x5ea sys/kern/subr_pool.c:-1
pool_get(ffffffff838d3fb8,1) at pool_get+0x149 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff80003c42c550,ffff800032402b40,0,ffff800032402a90) at shmget_allocate_segment+0x1a7 sys/kern/sysv_shm.c:-1
sys_shmget(ffff80003c42c550,ffff800032402b40,ffff800032402a90) at sys_shmget+0x1b2 sys/kern/sysv_shm.c:482
syscall(ffff800032402b40) at syscall+0xb08 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff800032402b40) at syscall+0xb08 sys/arch/amd64/amd64/trap.c:748
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x26beaf35800, count: 7
ddb{1}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff833d48b3) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff838d3fb8,1,ffff8000324028e8) at pool_do_get+0x5ea sys/kern/subr_pool.c:-1
pool_get(ffffffff838d3fb8,1) at pool_get+0x149 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff80003c42c550,ffff800032402b40,0,ffff800032402a90) at shmget_allocate_segment+0x1a7 sys/kern/sysv_shm.c:-1
sys_shmget(ffff80003c42c550,ffff800032402b40,ffff800032402a90) at sys_shmget+0x1b2 sys/kern/sysv_shm.c:482
syscall(ffff800032402b40) at syscall+0xb08 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff800032402b40) at syscall+0xb08 sys/arch/amd64/amd64/trap.c:748
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x26beaf35800, count: -8