login: panic: pool_do_get: shmpl free list modified: page 0xfffffd807181a000; item addr 0xfffffd807181a9a0; offset 0x10=0xdead4000 Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND 75083 64649 32767 0x10 0 0 syz-executor.0 *474699 64649 32767 0x10 0x4000000 1K syz-executor.0 db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic() at panic+0x174 sys/kern/subr_prf.c:208 pool_do_get(ffffffff82321ba8,2,ffff800020c5f558) at pool_do_get+0x4a3 sys/kern/subr_pool.c:750 pool_get() at pool_get+0xf7 sys/kern/subr_pool.c:587 shmget_allocate_segment(ffff800020b49c38,ffff800020c5f6f8,0,ffff800020c5f760) at shmget_allocate_segment+0x15e sys/kern/sysv_shm.c:409 sys_shmget(ffff800020b49c38,ffff800020c5f6f8,ffff800020c5f760) at sys_shmget+0x13f sys/kern/sysv_shm.c:472 syscall(ffff800020c5f7d0) at syscall+0x576 mi_syscall sys/sys/syscall_mi.h:99 [inline] syscall(ffff800020c5f7d0) at syscall+0x576 sys/arch/amd64/amd64/trap.c:574 Xsyscall(6,0,fffffffffffffff3,0,4,4ff2f778010) at Xsyscall+0x128 end of kernel end trace frame: 0x354, count: 7 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic pool_do_get: shmpl free list modified: page 0xfffffd807181a000; item addr 0xfffffd807181a9a0; offset 0x10=0xdead4000 ddb{1}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic() at panic+0x174 sys/kern/subr_prf.c:208 pool_do_get(ffffffff82321ba8,2,ffff800020c5f558) at pool_do_get+0x4a3 sys/kern/subr_pool.c:750 pool_get() at pool_get+0xf7 sys/kern/subr_pool.c:587 shmget_allocate_segment(ffff800020b49c38,ffff800020c5f6f8,0,ffff800020c5f760) at shmget_allocate_segment+0x15e sys/kern/sysv_shm.c:409 sys_shmget(ffff800020b49c38,ffff800020c5f6f8,ffff800020c5f760) at sys_shmget+0x13f sys/kern/sysv_shm.c:472 syscall(ffff800020c5f7d0) at syscall+0x576 mi_syscall sys/sys/syscall_mi.h:99 [inline] syscall(ffff800020c5f7d0) at syscall+0x576 sys/arch/amd64/amd64/trap.c:574 Xsyscall(6,0,fffffffffffffff3,0,4,4ff2f778010) at Xsyscall+0x128 end of kernel end trace frame: 0x354, count: -8 ddb{1}> show registers rdi 0xffffffff81c5f7b7 db_enter+0x17 rsi 0x54fa __ALIGN_SIZE+0x44fa rbp 0xffff800020c5f3a0 rbx 0xffff800020c5f450 rdx 0x54fb __ALIGN_SIZE+0x44fb rcx 0xffff80000094b000 rax 0xffff80000094b000 r8 0xffffffff81c2d3d3 kprintf+0x173 r9 0x1 r10 0x25 r11 0x7605a48500f6ae59 r12 0x3000000008 r13 0xffff800020c5f3b0 r14 0x100 r15 0x1 rip 0xffffffff81c5f7b8 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff800020c5f390 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{1}> show proc PROC (syz-executor.0) pid=474699 stat=onproc flags process=10 proc=4000000 pri=86, usrpri=86, nice=20 forw=0xffffffffffffffff, list=0xffff800020b48018,0xffffffff823349b8 process=0xffff800020b9c6a8 user=0xffff800020c5a000, vmspace=0xfffffd807f00b708 estcpu=36, cpticks=2, pctcpu=0.0 user=0, sys=2, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 64649 75083 53939 32767 7 0x10 syz-executor.0 *64649 474699 53939 32767 7 0x4000010 syz-executor.0 53939 179740 66249 32767 3 0x90 nanosleep syz-executor.0 66249 326567 3205 0 3 0x82 wait syz-executor.0 81209 371176 0 0 3 0x14200 bored sosplice 38061 179090 27188 32767 3 0x10 biowait syz-executor.1 27188 417406 3205 0 3 0x82 wait syz-executor.1 3205 74818 3771 0 3 0x82 thrsleep syz-fuzzer 3205 348943 3771 0 3 0x4000082 nanosleep syz-fuzzer 3205 24063 3771 0 3 0x4000082 thrsleep syz-fuzzer 3205 429170 3771 0 3 0x4000082 thrsleep syz-fuzzer 3205 217102 3771 0 3 0x4000082 thrsleep syz-fuzzer 3205 326747 3771 0 3 0x4000082 thrsleep syz-fuzzer 3205 233531 3771 0 3 0x4000082 thrsleep syz-fuzzer 3205 514049 3771 0 3 0x4000082 thrsleep syz-fuzzer 3205 240051 3771 0 3 0x4000082 thrsleep syz-fuzzer 3205 339523 3771 0 3 0x4000082 kqread syz-fuzzer 3771 221208 22369 0 3 0x10008a pause ksh 22369 512578 97469 0 3 0x92 select sshd 39601 168244 1 0 3 0x100083 ttyin getty 97469 227792 1 0 3 0x80 select sshd 87047 196601 11721 73 3 0x100090 kqread syslogd 11721 373113 1 0 3 0x100082 netio syslogd 17471 153793 1 77 3 0x100090 poll dhclient 48540 4718 1 0 3 0x80 poll dhclient 83918 520224 0 0 3 0x14200 pgzero zerothread 53228 142514 0 0 3 0x14200 aiodoned aiodoned 61975 37970 0 0 3 0x14200 syncer update 90854 466328 0 0 3 0x14200 cleaner cleaner 60756 186373 0 0 3 0x14200 reaper reaper 44453 220325 0 0 3 0x14200 pgdaemon pagedaemon 66801 113288 0 0 3 0x14200 bored crynlk 73346 454605 0 0 3 0x14200 bored crypto 87133 438094 0 0 3 0x40014200 acpi0 acpi0 79598 181983 0 0 3 0x40014200 idle1 36908 320419 0 0 3 0x14200 bored softnet 17157 242814 0 0 3 0x14200 bored systqmp 68467 165311 0 0 3 0x14200 bored systq 70087 144203 0 0 3 0x40014200 bored softclock 2675 137095 0 0 3 0x40014200 idle0 53840 38517 0 0 3 0x14200 bored smr 1 258218 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks CPU 1: exclusive mutex shmpl r = 0 (0xffffffff82321bb8) locked @ /syzkaller/managers/setuid/kernel/sys/kern/subr_pool.c:583 #0 witness_lock+0x5a4 sys/kern/subr_witness.c:1201 #1 pool_get+0xcb sys/kern/subr_pool.c:584 #2 shmget_allocate_segment+0x15e sys/kern/sysv_shm.c:409 #3 sys_shmget+0x13f sys/kern/sysv_shm.c:472 #4 syscall+0x576 mi_syscall sys/sys/syscall_mi.h:99 [inline] #4 syscall+0x576 sys/arch/amd64/amd64/trap.c:574 #5 Xsyscall+0x128 Process 64649 (syz-executor.0) thread 0xffff800020b49c38 (474699) exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82316250) locked @ /syzkaller/managers/setuid/kernel/sys/sys/syscall_mi.h:90 #0 witness_lock+0x5a4 sys/kern/subr_witness.c:1201 #1 syscall+0x45e mi_syscall sys/sys/syscall_mi.h:91 [inline] #1 syscall+0x45e sys/arch/amd64/amd64/trap.c:574 #2 Xsyscall+0x128 exclusive mutex shmpl r = 0 (0xffffffff82321bb8) locked @ /syzkaller/managers/setuid/kernel/sys/kern/subr_pool.c:583 #0 witness_lock+0x5a4 sys/kern/subr_witness.c:1201 #1 pool_get+0xcb sys/kern/subr_pool.c:584 #2 shmget_allocate_segment+0x15e sys/kern/sysv_shm.c:409 #3 sys_shmget+0x13f sys/kern/sysv_shm.c:472 #4 syscall+0x576 mi_syscall sys/sys/syscall_mi.h:99 [inline] #4 syscall+0x576 sys/arch/amd64/amd64/trap.c:574 #5 Xsyscall+0x128 Process 38061 (syz-executor.1) thread 0xffff800020b499e0 (179090) exclusive rrwlock inode r = 0 (0xfffffd80701b2700) locked @ /syzkaller/managers/setuid/kernel/sys/ufs/ufs/ufs_vnops.c:1547 #0 witness_lock+0x5a4 sys/kern/subr_witness.c:1201 #1 _rw_enter+0x43c sys/kern/kern_rwlock.c:280 #2 _rrw_enter+0x60 sys/kern/kern_rwlock.c:410 #3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:602 #4 vn_lock+0x6e sys/kern/vfs_vnops.c:549 #5 vget+0x1c3 sys/kern/vfs_subr.c:672 #6 ufs_ihashget+0x141 sys/ufs/ufs/ufs_ihash.c:119 #7 ffs_vget+0x74 sys/ufs/ffs/ffs_vfsops.c:1323 #8 ufs_lookup+0x1575 sys/ufs/ufs/ufs_lookup.c:487 #9 VOP_LOOKUP+0x5b sys/kern/vfs_vops.c:90 #10 vfs_lookup+0x575 sys/kern/vfs_lookup.c:523 #11 namei+0x45f sys/kern/vfs_lookup.c:224 #12 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1673 #13 syscall+0x576 mi_syscall sys/sys/syscall_mi.h:99 [inline] #13 syscall+0x576 sys/arch/amd64/amd64/trap.c:574 #14 Xsyscall+0x128 exclusive rrwlock inode r = 0 (0xfffffd80701b24e0) locked @ /syzkaller/managers/setuid/kernel/sys/ufs/ufs/ufs_vnops.c:1547 #0 witness_lock+0x5a4 sys/kern/subr_witness.c:1201 #1 _rw_enter+0x43c sys/kern/kern_rwlock.c:280 #2 _rrw_enter+0x60 sys/kern/kern_rwlock.c:410 #3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:602 #4 vn_lock+0x6e sys/kern/vfs_vnops.c:549 #5 vget+0x1c3 sys/kern/vfs_subr.c:672 #6 cache_lookup+0x2cf sys/kern/vfs_cache.c:224 #7 ufs_lookup+0x1ad sys/ufs/ufs/ufs_lookup.c:162 #8 VOP_LOOKUP+0x5b sys/kern/vfs_vops.c:90 #9 vfs_lookup+0x575 sys/kern/vfs_lookup.c:523 #10 namei+0x45f sys/kern/vfs_lookup.c:224 #11 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1673 #12 syscall+0x576 mi_syscall sys/sys/syscall_mi.h:99 [inline] #12 syscall+0x576 sys/arch/amd64/amd64/trap.c:574 #13 Xsyscall+0x128 ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim devbuf 9459 6321K 6321K 78643K 10566 0 0 pcb 23 9K 10K 78643K 151 0 0 rtable 97 3K 3K 78643K 295 0 0 ifaddr 34 9K 9K 78643K 59 0 0 counters 39 33K 33K 78643K 39 0 0 ioctlops 0 0K 2K 78643K 19 0 0 iov 0 0K 24K 78643K 32 0 0 mount 1 1K 1K 78643K 1 0 0 vnodes 1200 75K 75K 78643K 1336 0 0 UFS quota 1 32K 32K 78643K 1 0 0 UFS mount 5 36K 36K 78643K 5 0 0 shm 2 1K 5K 78643K 10 0 0 VM map 2 1K 1K 78643K 2 0 0 sem 12 0K 1K 78643K 47 0 0 dirhash 12 2K 2K 78643K 12 0 0 ACPI 1808 196K 290K 78643K 12628 0 0 file desc 7 21K 25K 78643K 228 0 0 sigio 0 0K 0K 78643K 4 0 0 proc 41 38K 58K 78643K 343 0 0 subproc 68 69634K 69634K 78643K 204 0 0 NFS srvsock 1 0K 0K 78643K 1 0 0 NFS daemon 1 16K 16K 78643K 1 0 0 ip_moptions 0 0K 0K 78643K 18 0 0 in_multi 33 2K 2K 78643K 88 0 0 ether_multi 1 0K 0K 78643K 4 0 0 ISOFS mount 1 32K 32K 78643K 1 0 0 MSDOSFS mount 1 16K 16K 78643K 1 0 0 ttys 54 238K 238K 78643K 54 0 0 exec 0 0K 1K 78643K 186 0 0 pagedep 1 8K 8K 78643K 1 0 0 inodedep 1 32K 32K 78643K 1 0 0 newblk 1 0K 0K 78643K 1 0 0 VM swap 7 26K 26K 78643K 7 0 0 UVM amap 78 20K 21K 78643K 1501 0 0 UVM aobj 10 2K 2K 78643K 13 0 0 memdesc 1 4K 4K 78643K 1 0 0 crypto data 1 1K 1K 78643K 1 0 0 ip6_options 2 0K 0K 78643K 18 0 0 NDP 7 0K 0K 78643K 21 0 0 temp 103 2369K 2436K 78643K 3634 0 0 kqueue 0 0K 0K 78643K 2 0 0 SYN cache 2 16K 16K 78643K 2 0 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 8 0 4 1 0 1 1 0 8 0 inpcbpl 280 155 0 147 1 0 1 1 0 8 0 plimitpl 152 38 0 29 1 0 1 1 0 8 0 plcache 128 20 0 0 1 0 1 1 0 8 0 rtentry 112 77 0 37 2 0 2 2 0 8 0 syncache 264 4 0 4 1 1 0 1 0 8 0 tcpqe 32 13 0 13 1 1 0 1 0 8 0 tcpcb 544 63 0 58 1 0 1 1 0 8 0 nd6 48 12 0 8 1 0 1 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 349 0 164 12 0 12 12 0 8 0 art_table 32 350 0 164 2 0 2 2 0 8 0 art_node 16 76 0 42 1 0 1 1 0 8 0 sysvmsgpl 40 3 0 3 1 1 0 1 0 8 0 semupl 112 1 0 1 1 1 0 1 0 8 0 semapl 112 45 0 35 1 0 1 1 0 8 0 shmpl 112 11 0 3 1 0 1 1 0 8 0 shmpl: pool(0xffffffff82321ba8:shmpl): page inconsistency: page 0xfffffd807181a000; item ordinal 0; addr 0x388d58114beb3936 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino1pl 128 1717 0 299 46 0 46 46 0 8 0 ffsino 272 1717 0 299 95 0 95 95 0 8 0 nchpl 144 2235 0 622 61 0 61 61 0 8 0 uvmvnodes 72 1828 0 0 34 0 34 34 0 8 0 vnodes 200 1828 0 0 97 0 97 97 0 8 0 namei 1024 6301 0 6301 2 1 1 1 0 8 1 percpumem 16 30 0 0 1 0 1 1 0 8 0 scxspl 192 6052 0 6051 9 8 1 5 0 8 0 sigapl 432 386 0 371 2 0 2 2 0 8 0 futexpl 56 2443 0 2443 1 0 1 1 0 8 1 knotepl 112 182 0 163 1 0 1 1 0 8 0 kqueuepl 104 66 0 64 1 0 1 1 0 8 0 pipepl 112 338 0 319 3 2 1 2 0 8 0 fdescpl 488 387 0 371 3 0 3 3 0 8 0 filepl 152 2522 0 2424 6 1 5 5 0 8 1 lockfpl 104 87 0 87 2 1 1 1 0 8 1 lockfspl 32 100 0 100 2 1 1 1 0 8 1 sessionpl 112 21 0 11 1 0 1 1 0 8 0 pgrppl 48 21 0 11 1 0 1 1 0 8 0 ucredpl 96 589 0 580 1 0 1 1 0 8 0 zombiepl 144 371 0 371 2 1 1 1 0 8 1 processpl 840 403 0 371 4 0 4 4 0 8 0 procpl 600 840 0 798 4 0 4 4 0 8 0 srpgc 64 24 0 24 1 0 1 1 0 8 1 sosppl 128 2 0 2 1 0 1 1 0 8 1 sockpl 384 299 0 281 3 0 3 3 0 8 1 mcl64k 65536 3 0 0 1 0 1 1 0 8 0 mcl12k 12288 2 0 0 1 0 1 1 0 8 0 mcl9k 9216 1 0 0 1 0 1 1 0 8 0 mcl8k 8192 2 0 0 1 0 1 1 0 8 0 mcl4k 4096 5 0 0 1 0 1 1 0 8 0 mcl2k2 2112 1 0 0 1 0 1 1 0 8 0 mcl2k 2048 123 0 0 15 0 15 15 0 8 0 mtagpl 80 1 0 0 1 0 1 1 0 8 0 mbufpl 256 147 0 0 9 0 9 9 0 8 0 bufpl 256 6154 0 1139 314 0 314 314 0 8 0 anonpl 16 49607 0 43736 42 1 41 41 0 125 14 amapchunkpl 152 2205 0 2121 9 0 9 9 0 158 5 amappl16 192 1572 0 1232 30 4 26 30 0 8 8 amappl15 184 2 0 2 1 1 0 1 0 8 0 amappl14 176 85 0 80 2 1 1 1 0 8 0 amappl13 168 27 0 27 1 1 0 1 0 8 0 amappl12 160 116 0 111 1 0 1 1 0 8 0 amappl11 152 40 0 26 1 0 1 1 0 8 0 amappl10 144 70 0 64 2 1 1 1 0 8 0 amappl9 136 568 0 563 1 0 1 1 0 8 0 amappl8 128 148 0 130 1 0 1 1 0 8 0 amappl7 120 35 0 30 1 0 1 1 0 8 0 amappl6 112 55 0 47 1 0 1 1 0 8 0 amappl5 104 227 0 216 1 0 1 1 0 8 0 amappl4 96 520 0 493 2 1 1 2 0 8 0 amappl3 88 195 0 189 1 0 1 1 0 8 0 amappl2 80 2242 0 2189 2 0 2 2 0 8 0 amappl1 72 17426 0 16992 23 13 10 19 0 8 0 amappl 72 1074 0 1040 1 0 1 1 0 75 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma64 64 259 0 259 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 17 0 17 1 1 0 1 0 8 0 aobjpl 64 12 0 3 1 0 1 1 0 8 0 uaddrrnd 24 387 0 371 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 387 0 371 1 0 1 1 0 8 0 vmmpekpl 168 7242 0 7217 2 0 2 2 0 8 0 vmmpepl 168 49859 0 48494 95 19 76 76 0 357 16 vmsppl 360 386 0 371 2 0 2 2 0 8 0 pdppl 4096 781 0 742 6 0 6 6 0 8 0 pvpl 32 164130 0 155153 126 15 111 111 0 265 32 pmappl 232 386 0 371 1 0 1 1 0 8 0 extentpl 40 39 0 25 1 0 1 1 0 8 0 phpool 112 463 0 3 14 0 14 14 0 8 0