panic: pool_do_get: shmpl free list modified: page 0xfffffd806c294000; item addr 0xfffffd806c294620; offset 0x40=0x69bdd4ba Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND 89901 57305 32767 0x10 0 0 syz-executor *392516 57305 32767 0x10 0x4000000 1K syz-executor db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83441c23) at panic+0x1e5 sys/kern/subr_prf.c:198 pool_do_get(ffffffff83a10458,1,ffff80003c463618) at pool_do_get+0x5df pool_get(ffffffff83a10458,1) at pool_get+0x162 sys/kern/subr_pool.c:-1 shmget_allocate_segment(ffff8000fffe6020,ffff80003c463870,0,ffff80003c4637c0) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1 sys_shmget(ffff8000fffe6020,ffff80003c463870,ffff80003c4637c0) at sys_shmget+0x195 sys/kern/sysv_shm.c:482 syscall(ffff80003c463870) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c463870) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xa22ded770a0, count: 7 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic *cpu1: pool_do_get: shmpl free list modified: page 0xfffffd806c294000; item addr 0xfffffd806c294620; offset 0x40=0x69bdd4ba ddb{1}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83441c23) at panic+0x1e5 sys/kern/subr_prf.c:198 pool_do_get(ffffffff83a10458,1,ffff80003c463618) at pool_do_get+0x5df pool_get(ffffffff83a10458,1) at pool_get+0x162 sys/kern/subr_pool.c:-1 shmget_allocate_segment(ffff8000fffe6020,ffff80003c463870,0,ffff80003c4637c0) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1 sys_shmget(ffff8000fffe6020,ffff80003c463870,ffff80003c4637c0) at sys_shmget+0x195 sys/kern/sysv_shm.c:482 syscall(ffff80003c463870) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c463870) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xa22ded770a0, count: -8 ddb{1}> show registers rdi 0 rsi 0x1 rbp 0xffff80003c463440 rbx 0xffff8000299bee07 rdx 0 rcx 0xffff8000fffe6020 rax 0xffff8000299bdff0 r8 0x101010101010101 r9 0x8080808080808080 r10 0x32f6c40f83d54d0f r11 0xb2ca258c1659e0d r12 0xffff8000299bec08 r13 0 r14 0 r15 0x1 rip 0xffffffff82fbc905 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80003c463430 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb{1}> show proc PROC (syz-executor) tid=392516 pid=57305 tcnt=2 stat=onproc flags process=10 proc=4000000 runpri=32, usrpri=86, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff8000fffe7248,0xffffffff83a0be00 process=0xffff80003c3ef9e0 user=0xffff80003c45e000, vmspace=0xfffffd806cae55e8 estcpu=36, cpticks=2, pctcpu=0.0, user=0, sys=2, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 57305 89901 11355 32767 7 0x10 syz-executor *57305 392516 11355 32767 7 0x4000010 syz-executor 20254 231418 45991 32767 3 0x90 nanoslp syz-executor 20254 499296 45991 32767 3 0x4000090 fsleep syz-executor 69361 64522 60519 32767 3 0x90 nanoslp syz-executor 69361 142162 60519 32767 3 0x4000090 kqsel syz-executor 69361 112480 60519 32767 3 0x4000090 kqread syz-executor 69361 470440 60519 32767 3 0x4000090 fsleep syz-executor 7702 63281 60322 32767 3 0x90 nanoslp syz-executor 7702 124715 60322 32767 3 0x4000090 fsleep syz-executor 7702 331455 60322 32767 3 0x4000090 ttyout syz-executor 47120 314568 15104 32767 3 0x90 nanoslp syz-executor 47120 511219 15104 32767 3 0x4000090 kqpoll syz-executor 47120 332438 15104 32767 3 0x4000090 fsleep syz-executor 85868 232200 59963 32767 3 0x90 nanoslp syz-executor 85868 148606 59963 32767 3 0x4000090 kqsel syz-executor 85868 91302 59963 32767 3 0x4000090 fsleep syz-executor 15104 243686 73024 32767 3 0x90 nanoslp syz-executor 45991 199947 60646 32767 3 0x90 nanoslp syz-executor 68568 410675 32345 32767 3 0x90 wait syz-executor 60519 106461 51571 32767 3 0x90 nanoslp syz-executor 60322 281965 66396 32767 3 0x90 nanoslp syz-executor 59963 43289 96995 32767 3 0x90 nanoslp syz-executor 11355 23592 30908 32767 3 0x90 nanoslp syz-executor 32345 34682 52365 0 3 0x82 wait syz-executor 51571 399239 52365 0 3 0x82 wait syz-executor 60646 305221 52365 0 3 0x82 wait syz-executor 66396 86066 52365 0 3 0x82 wait syz-executor 18462 288769 52365 0 3 0x82 wait syz-executor 73024 11508 52365 0 3 0x82 wait syz-executor 96995 314507 52365 0 3 0x82 wait syz-executor 30908 106319 52365 0 3 0x82 wait syz-executor 52365 153381 95653 0 3 0x82 kqread syz-executor 95653 98879 78760 0 3 0x10008a sigsusp ksh 78760 474017 4020 0 3 0x98 kqread sshd-session 4020 59922 16034 0 3 0x92 kqread sshd-session 78851 68760 1 0 3 0x100083 ttyin getty 16034 366516 1 0 3 0x88 kqread sshd 14392 378120 81011 73 3 0x1100090 kqread syslogd 81011 518768 1 0 3 0x100082 sbwait syslogd 29870 219570 1 0 3 0x100080 kqread resolvd 59229 468517 70864 77 3 0x100092 kqread dhcpleased 22897 77491 70864 77 3 0x100092 kqread dhcpleased 70864 229527 1 0 3 0x80 kqread dhcpleased 37580 149458 0 0 3 0x14200 bored smr 4196 209025 0 0 3 0x14200 pgzero zerothread 42378 63948 0 0 3 0x14200 aiodoned aiodoned 78200 334930 0 0 3 0x14200 syncer update 5554 79056 0 0 3 0x14200 cleaner cleaner 41395 508981 0 0 3 0x14200 reaper reaper 21546 349199 0 0 3 0x14200 pgdaemon pagedaemon 10179 200721 0 0 3 0x14200 bored viomb 85469 258776 0 0 3 0x40014200 acpi0 acpi0 94709 20552 0 0 3 0x40014200 idle1 67495 310498 0 0 3 0x14200 bored softnet1 43529 189106 0 0 3 0x14200 bored softnet0 7487 107260 0 0 3 0x14200 bored systqmp 75972 177534 0 0 3 0x14200 bored systq 86559 291917 0 0 3 0x14200 tmoslp softclockmp 83527 333907 0 0 3 0x40014200 tmoslp softclock 7986 400608 0 0 3 0x40014200 idle0 1 203820 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks CPU 1: exclusive mutex shmpl r = 0 (0xffffffff83a10470) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 mtx_enter+0x4b4 sys/kern/kern_lock.c:487 #2 pool_get+0x124 sys/kern/subr_pool.c:585 #3 shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1 #4 sys_shmget+0x195 sys/kern/sysv_shm.c:482 #5 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] #5 syscall+0xb17 sys/arch/amd64/amd64/trap.c:783 #6 Xsyscall+0x128 Process 57305 (syz-executor) thread 0xffff8000fffe6020 (392516) exclusive kernel_lock &kernel_lock r = 0 (0xffffffff83a0e3c0) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 syscall+0xaf4 mi_syscall sys/sys/syscall_mi.h:175 [inline] #1 syscall+0xaf4 sys/arch/amd64/amd64/trap.c:783 #2 Xsyscall+0x128 exclusive mutex shmpl r = 0 (0xffffffff83a10470) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 mtx_enter+0x4b4 sys/kern/kern_lock.c:487 #2 pool_get+0x124 sys/kern/subr_pool.c:585 #3 shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1 #4 sys_shmget+0x195 sys/kern/sysv_shm.c:482 #5 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] #5 syscall+0xb17 sys/arch/amd64/amd64/trap.c:783 #6 Xsyscall+0x128 ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 11087 12023K 12034K 166960K 12180 0 pcb 17 14K 16K 166960K 19 0 rtable 249 7K 7K 166960K 379 0 pf 31 16K 16K 166960K 31 0 ifaddr 42 7K 7K 166960K 44 0 ifgroup 50 2K 2K 166960K 50 0 sysctl 3 1K 9K 166960K 12 0 counters 70 37K 37K 166960K 70 0 ioctlops 0 0K 2K 166960K 39 0 iov 0 0K 12K 166960K 15 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1287 81K 81K 166960K 1397 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 5K 166960K 16 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 61 0 dirhash 12 2K 2K 166960K 18 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 25 93K 121K 166960K 582 0 sigio 0 0K 0K 166960K 12 0 proc 58 99K 147K 166960K 562 0 subproc 72 4K 4K 166960K 72 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 82 0 in_multi 99 7K 7K 166960K 121 0 ether_multi 1 0K 0K 166960K 5 0 mrt 1 0K 0K 166960K 18 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 265 1182K 1182K 166960K 265 0 exec 0 0K 1K 166960K 499 0 fusefs mount 1 32K 32K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 266 168K 198K 166960K 7232 0 UVM aobj 16 4K 6K 166960K 20 0 pinsyscall 46 92K 117K 166960K 1743 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 2 0K 0K 166960K 33 0 NDP 11 0K 2K 166960K 27 0 temp 61 9080K 9144K 166960K 6659 0 kqueue 17 24K 34K 166960K 113 0 SYN cache 2 16K 16K 166960K 2 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 120 73 0 70 1 0 1 1 0 8 0 rtentry 176 118 0 2 6 0 6 6 0 8 0 unpcb 144 393 0 378 2 0 2 2 0 8 1 syncache 336 19 0 19 1 0 1 1 0 8 1 tcpqe 32 1 0 1 1 1 0 1 0 8 0 tcpcb 736 298 0 292 7 2 5 7 0 8 4 arp 136 19 0 0 1 0 1 1 0 8 0 ipq 40 7 0 2 1 0 1 1 0 8 0 ipqe 40 11 0 4 1 0 1 1 0 8 0 inpcb 328 735 0 723 10 0 10 10 0 8 8 ip6q 72 2 0 0 1 0 1 1 0 8 0 ip6af 40 2 0 0 1 0 1 1 0 8 0 nd6 152 30 0 1 2 0 2 2 0 8 0 kcovpl 48 8 0 0 1 0 1 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 502 0 14 31 0 31 31 0 8 0 art_table 40 503 0 14 5 0 5 5 0 8 0 art_node 32 118 0 12 1 0 1 1 0 8 0 sysvmsgpl 40 16 0 8 1 0 1 1 0 8 0 semupl 112 1 0 1 1 1 0 1 0 8 0 semapl 112 57 0 47 1 0 1 1 0 8 0 shmpl 112 17 0 4 1 0 1 1 0 8 0 pool(0xffffffff83a10458:shmpl): page inconsistency: page 0xfffffd806c294000; 21 on list, 13 missing, 35 items per page dirhash 1024 21 0 4 3 0 3 3 0 8 0 dino2pl 256 2214 0 747 93 0 93 93 0 8 0 ffsino 296 2214 0 747 114 0 114 114 0 8 0 nchpl 144 3056 0 1369 63 0 63 63 0 8 0 vnodes 216 2295 0 0 128 0 128 128 0 8 0 namei 1024 9984 0 9984 2 1 1 2 0 8 1 percpumem 16 50 0 0 1 0 1 1 0 8 0 kstatmem 264 24 0 0 2 0 2 2 0 8 0 scxspl 216 10172 0 10172 10 5 5 8 1 8 5 plimitpl 152 138 0 111 2 0 2 2 0 8 0 sigapl 424 888 0 835 7 0 7 7 0 8 0 knotepl 120 363 0 0 11 0 11 11 0 8 0 kqueuepl 224 164 0 149 2 1 1 2 0 8 0 pipepl 344 173 0 144 3 0 3 3 0 8 0 fdescpl 528 872 0 835 4 0 4 4 0 8 0 filepl 160 4719 0 4494 14 0 14 14 0 8 3 lockfpl 104 300 0 298 1 0 1 1 0 8 0 lockfspl 48 58 0 56 1 0 1 1 0 8 0 sessionpl 144 32 0 16 1 0 1 1 0 8 0 pgrppl 48 46 0 22 1 0 1 1 0 8 0 ucredpl 104 870 0 851 1 0 1 1 0 8 0 zombiepl 144 837 0 835 1 0 1 1 0 8 0 processpl 1232 888 0 835 5 0 5 5 0 8 0 procpl 664 1667 0 1603 7 0 7 7 0 8 1 sosppl 176 7 0 7 1 0 1 1 0 8 1 sockpl 752 1212 0 1182 14 1 13 14 0 8 8 mcl64k 65536 5 0 0 1 0 1 1 0 8 0 mcl16k 16384 2 0 0 1 0 1 1 0 8 0 mcl12k 12288 1 0 0 1 0 1 1 0 8 0 mcl9k 9216 1 0 0 1 0 1 1 0 8 0 mcl8k 8192 2 0 0 1 0 1 1 0 8 0 mcl4k 4096 129 0 0 17 0 17 17 0 8 0 mcl2k 2048 27 0 0 4 0 4 4 0 8 0 mtagpl 96 4 0 0 1 0 1 1 0 8 0 mbufpl 256 240 0 0 15 0 15 15 0 8 0 bufpl 280 3060 0 102 212 0 212 212 0 8 0 anonpl 32 9359 0 0 77 1 76 76 0 246 0 amapchunkpl 152 22426 0 21815 30 0 30 30 0 158 4 amappl16 200 1697 0 1664 23 12 11 15 0 8 7 amappl15 192 4 0 4 2 1 1 1 0 8 1 amappl14 184 397 0 396 1 0 1 1 0 8 0 amappl13 176 147 0 137 1 0 1 1 0 8 0 amappl12 168 1110 0 1074 2 0 2 2 0 8 0 amappl11 160 1 0 1 1 1 0 1 0 8 0 amappl10 152 85 0 75 1 0 1 1 0 8 0 amappl9 144 267 0 267 1 1 0 1 0 8 0 amappl8 136 92 0 90 1 0 1 1 0 8 0 amappl7 128 174 0 162 1 0 1 1 0 8 0 amappl6 120 149 0 146 1 0 1 1 0 8 0 amappl5 112 127 0 119 1 0 1 1 0 8 0 amappl4 104 306 0 290 1 0 1 1 0 8 0 amappl3 96 4416 0 4278 5 1 4 4 0 8 0 amappl2 88 646 0 591 2 0 2 2 0 8 0 amappl1 80 16093 0 15515 18 0 18 18 0 8 0 amappl 88 6345 0 6144 5 0 5 5 0 92 0 uvmvnodes 80 120 0 0 3 0 3 3 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 19 0 4 1 0 1 1 0 8 0 uaddrrnd 24 872 0 835 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 872 0 835 1 0 1 1 0 8 0 vmmpekpl 168 10611 0 10577 2 0 2 2 0 8 0 vmmpepl 168 69069 0 66978 116 0 116 116 0 357 8 vmsppl 488 871 0 835 7 1 6 6 0 8 0 rwobjpl 80 22531 0 21518 28 1 27 27 0 8 0 pdppl 4096 1751 0 1670 123 32 91 99 0 8 10 pvpl 32 15957 0 0 129 0 129 129 0 265 0 pmappl 256 871 0 835 4 1 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 307 0 38 8 0 8 8 0 8 0 ddb{1}> machine ddbcpu 0 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffffffff8392cff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff83a0dbc0) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline] __mp_lock(ffffffff83a0dbc0) at __mp_lock+0x192 sys/kern/kern_lock.c:173 softintr_dispatch(0) at softintr_dispatch+0x125 sys/kern/kern_softintr.c:83 dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862 Xsoftclock() at Xsoftclock+0x27 end of kernel end trace frame: 0x7aa026eefc00, count: 8 ddb{0}> trace x86_ipi_db(ffffffff8392cff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff83a0dbc0) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline] __mp_lock(ffffffff83a0dbc0) at __mp_lock+0x192 sys/kern/kern_lock.c:173 softintr_dispatch(0) at softintr_dispatch+0x125 sys/kern/kern_softintr.c:83 dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862 Xsoftclock() at Xsoftclock+0x27 end of kernel end trace frame: 0x7aa026eefc00, count: -7 ddb{0}> machine ddbcpu 1 Stopped at db_enter+0x25: addq $0x8,%rsp db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83441c23) at panic+0x1e5 sys/kern/subr_prf.c:198 pool_do_get(ffffffff83a10458,1,ffff80003c463618) at pool_do_get+0x5df pool_get(ffffffff83a10458,1) at pool_get+0x162 sys/kern/subr_pool.c:-1 shmget_allocate_segment(ffff8000fffe6020,ffff80003c463870,0,ffff80003c4637c0) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1 sys_shmget(ffff8000fffe6020,ffff80003c463870,ffff80003c4637c0) at sys_shmget+0x195 sys/kern/sysv_shm.c:482 syscall(ffff80003c463870) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c463870) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xa22ded770a0, count: 7 ddb{1}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83441c23) at panic+0x1e5 sys/kern/subr_prf.c:198 pool_do_get(ffffffff83a10458,1,ffff80003c463618) at pool_do_get+0x5df pool_get(ffffffff83a10458,1) at pool_get+0x162 sys/kern/subr_pool.c:-1 shmget_allocate_segment(ffff8000fffe6020,ffff80003c463870,0,ffff80003c4637c0) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1 sys_shmget(ffff8000fffe6020,ffff80003c463870,ffff80003c4637c0) at sys_shmget+0x195 sys/kern/sysv_shm.c:482 syscall(ffff80003c463870) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c463870) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xa22ded770a0, count: -8