login: panic: pool_do_get: shmpl free list modified: page 0xfffffd807181a000; item addr 0xfffffd807181a9a0; offset 0x10=0xdead4000
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
75083 64649 32767 0x10 0 0 syz-executor.0
*474699 64649 32767 0x10 0x4000000 1K syz-executor.0
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x174 sys/kern/subr_prf.c:208
pool_do_get(ffffffff82321ba8,2,ffff800020c5f558) at pool_do_get+0x4a3 sys/kern/subr_pool.c:750
pool_get() at pool_get+0xf7 sys/kern/subr_pool.c:587
shmget_allocate_segment(ffff800020b49c38,ffff800020c5f6f8,0,ffff800020c5f760) at shmget_allocate_segment+0x15e sys/kern/sysv_shm.c:409
sys_shmget(ffff800020b49c38,ffff800020c5f6f8,ffff800020c5f760) at sys_shmget+0x13f sys/kern/sysv_shm.c:472
syscall(ffff800020c5f7d0) at syscall+0x576 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(ffff800020c5f7d0) at syscall+0x576 sys/arch/amd64/amd64/trap.c:574
Xsyscall(6,0,fffffffffffffff3,0,4,4ff2f778010) at Xsyscall+0x128
end of kernel
end trace frame: 0x354, count: 7
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
pool_do_get: shmpl free list modified: page 0xfffffd807181a000; item addr 0xfffffd807181a9a0; offset 0x10=0xdead4000
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x174 sys/kern/subr_prf.c:208
pool_do_get(ffffffff82321ba8,2,ffff800020c5f558) at pool_do_get+0x4a3 sys/kern/subr_pool.c:750
pool_get() at pool_get+0xf7 sys/kern/subr_pool.c:587
shmget_allocate_segment(ffff800020b49c38,ffff800020c5f6f8,0,ffff800020c5f760) at shmget_allocate_segment+0x15e sys/kern/sysv_shm.c:409
sys_shmget(ffff800020b49c38,ffff800020c5f6f8,ffff800020c5f760) at sys_shmget+0x13f sys/kern/sysv_shm.c:472
syscall(ffff800020c5f7d0) at syscall+0x576 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(ffff800020c5f7d0) at syscall+0x576 sys/arch/amd64/amd64/trap.c:574
Xsyscall(6,0,fffffffffffffff3,0,4,4ff2f778010) at Xsyscall+0x128
end of kernel
end trace frame: 0x354, count: -8
ddb{1}> show registers
rdi 0xffffffff81c5f7b7 db_enter+0x17
rsi 0x54fa __ALIGN_SIZE+0x44fa
rbp 0xffff800020c5f3a0
rbx 0xffff800020c5f450
rdx 0x54fb __ALIGN_SIZE+0x44fb
rcx 0xffff80000094b000
rax 0xffff80000094b000
r8 0xffffffff81c2d3d3 kprintf+0x173
r9 0x1
r10 0x25
r11 0x7605a48500f6ae59
r12 0x3000000008
r13 0xffff800020c5f3b0
r14 0x100
r15 0x1
rip 0xffffffff81c5f7b8 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020c5f390
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor.0) pid=474699 stat=onproc
flags process=10<SUGID> proc=4000000<THREAD>
pri=86, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff800020b48018,0xffffffff823349b8
process=0xffff800020b9c6a8 user=0xffff800020c5a000, vmspace=0xfffffd807f00b708
estcpu=36, cpticks=2, pctcpu=0.0
user=0, sys=2, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
64649 75083 53939 32767 7 0x10 syz-executor.0
*64649 474699 53939 32767 7 0x4000010 syz-executor.0
53939 179740 66249 32767 3 0x90 nanosleep syz-executor.0
66249 326567 3205 0 3 0x82 wait syz-executor.0
81209 371176 0 0 3 0x14200 bored sosplice
38061 179090 27188 32767 3 0x10 biowait syz-executor.1
27188 417406 3205 0 3 0x82 wait syz-executor.1
3205 74818 3771 0 3 0x82 thrsleep syz-fuzzer
3205 348943 3771 0 3 0x4000082 nanosleep syz-fuzzer
3205 24063 3771 0 3 0x4000082 thrsleep syz-fuzzer
3205 429170 3771 0 3 0x4000082 thrsleep syz-fuzzer
3205 217102 3771 0 3 0x4000082 thrsleep syz-fuzzer
3205 326747 3771 0 3 0x4000082 thrsleep syz-fuzzer
3205 233531 3771 0 3 0x4000082 thrsleep syz-fuzzer
3205 514049 3771 0 3 0x4000082 thrsleep syz-fuzzer
3205 240051 3771 0 3 0x4000082 thrsleep syz-fuzzer
3205 339523 3771 0 3 0x4000082 kqread syz-fuzzer
3771 221208 22369 0 3 0x10008a pause ksh
22369 512578 97469 0 3 0x92 select sshd
39601 168244 1 0 3 0x100083 ttyin getty
97469 227792 1 0 3 0x80 select sshd
87047 196601 11721 73 3 0x100090 kqread syslogd
11721 373113 1 0 3 0x100082 netio syslogd
17471 153793 1 77 3 0x100090 poll dhclient
48540 4718 1 0 3 0x80 poll dhclient
83918 520224 0 0 3 0x14200 pgzero zerothread
53228 142514 0 0 3 0x14200 aiodoned aiodoned
61975 37970 0 0 3 0x14200 syncer update
90854 466328 0 0 3 0x14200 cleaner cleaner
60756 186373 0 0 3 0x14200 reaper reaper
44453 220325 0 0 3 0x14200 pgdaemon pagedaemon
66801 113288 0 0 3 0x14200 bored crynlk
73346 454605 0 0 3 0x14200 bored crypto
87133 438094 0 0 3 0x40014200 acpi0 acpi0
79598 181983 0 0 3 0x40014200 idle1
36908 320419 0 0 3 0x14200 bored softnet
17157 242814 0 0 3 0x14200 bored systqmp
68467 165311 0 0 3 0x14200 bored systq
70087 144203 0 0 3 0x40014200 bored softclock
2675 137095 0 0 3 0x40014200 idle0
53840 38517 0 0 3 0x14200 bored smr
1 258218 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> show all locks
CPU 1:
exclusive mutex shmpl r = 0 (0xffffffff82321bb8) locked @ /syzkaller/managers/setuid/kernel/sys/kern/subr_pool.c:583
#0 witness_lock+0x5a4 sys/kern/subr_witness.c:1201
#1 pool_get+0xcb sys/kern/subr_pool.c:584
#2 shmget_allocate_segment+0x15e sys/kern/sysv_shm.c:409
#3 sys_shmget+0x13f sys/kern/sysv_shm.c:472
#4 syscall+0x576 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#4 syscall+0x576 sys/arch/amd64/amd64/trap.c:574
#5 Xsyscall+0x128
Process 64649 (syz-executor.0) thread 0xffff800020b49c38 (474699)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82316250) locked @ /syzkaller/managers/setuid/kernel/sys/sys/syscall_mi.h:90
#0 witness_lock+0x5a4 sys/kern/subr_witness.c:1201
#1 syscall+0x45e mi_syscall sys/sys/syscall_mi.h:91 [inline]
#1 syscall+0x45e sys/arch/amd64/amd64/trap.c:574
#2 Xsyscall+0x128
exclusive mutex shmpl r = 0 (0xffffffff82321bb8) locked @ /syzkaller/managers/setuid/kernel/sys/kern/subr_pool.c:583
#0 witness_lock+0x5a4 sys/kern/subr_witness.c:1201
#1 pool_get+0xcb sys/kern/subr_pool.c:584
#2 shmget_allocate_segment+0x15e sys/kern/sysv_shm.c:409
#3 sys_shmget+0x13f sys/kern/sysv_shm.c:472
#4 syscall+0x576 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#4 syscall+0x576 sys/arch/amd64/amd64/trap.c:574
#5 Xsyscall+0x128
Process 38061 (syz-executor.1) thread 0xffff800020b499e0 (179090)
exclusive rrwlock inode r = 0 (0xfffffd80701b2700) locked @ /syzkaller/managers/setuid/kernel/sys/ufs/ufs/ufs_vnops.c:1547
#0 witness_lock+0x5a4 sys/kern/subr_witness.c:1201
#1 _rw_enter+0x43c sys/kern/kern_rwlock.c:280
#2 _rrw_enter+0x60 sys/kern/kern_rwlock.c:410
#3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:602
#4 vn_lock+0x6e sys/kern/vfs_vnops.c:549
#5 vget+0x1c3 sys/kern/vfs_subr.c:672
#6 ufs_ihashget+0x141 sys/ufs/ufs/ufs_ihash.c:119
#7 ffs_vget+0x74 sys/ufs/ffs/ffs_vfsops.c:1323
#8 ufs_lookup+0x1575 sys/ufs/ufs/ufs_lookup.c:487
#9 VOP_LOOKUP+0x5b sys/kern/vfs_vops.c:90
#10 vfs_lookup+0x575 sys/kern/vfs_lookup.c:523
#11 namei+0x45f sys/kern/vfs_lookup.c:224
#12 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1673
#13 syscall+0x576 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#13 syscall+0x576 sys/arch/amd64/amd64/trap.c:574
#14 Xsyscall+0x128
exclusive rrwlock inode r = 0 (0xfffffd80701b24e0) locked @ /syzkaller/managers/setuid/kernel/sys/ufs/ufs/ufs_vnops.c:1547
#0 witness_lock+0x5a4 sys/kern/subr_witness.c:1201
#1 _rw_enter+0x43c sys/kern/kern_rwlock.c:280
#2 _rrw_enter+0x60 sys/kern/kern_rwlock.c:410
#3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:602
#4 vn_lock+0x6e sys/kern/vfs_vnops.c:549
#5 vget+0x1c3 sys/kern/vfs_subr.c:672
#6 cache_lookup+0x2cf sys/kern/vfs_cache.c:224
#7 ufs_lookup+0x1ad sys/ufs/ufs/ufs_lookup.c:162
#8 VOP_LOOKUP+0x5b sys/kern/vfs_vops.c:90
#9 vfs_lookup+0x575 sys/kern/vfs_lookup.c:523
#10 namei+0x45f sys/kern/vfs_lookup.c:224
#11 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1673
#12 syscall+0x576 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#12 syscall+0x576 sys/arch/amd64/amd64/trap.c:574
#13 Xsyscall+0x128
ddb{1}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9459 6321K 6321K 78643K 10566 0 0
pcb 23 9K 10K 78643K 151 0 0
rtable 97 3K 3K 78643K 295 0 0
ifaddr 34 9K 9K 78643K 59 0 0
counters 39 33K 33K 78643K 39 0 0
ioctlops 0 0K 2K 78643K 19 0 0
iov 0 0K 24K 78643K 32 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1200 75K 75K 78643K 1336 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 5K 78643K 10 0 0
VM map 2 1K 1K 78643K 2 0 0
sem 12 0K 1K 78643K 47 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1808 196K 290K 78643K 12628 0 0
file desc 7 21K 25K 78643K 228 0 0
sigio 0 0K 0K 78643K 4 0 0
proc 41 38K 58K 78643K 343 0 0
subproc 68 69634K 69634K 78643K 204 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
ip_moptions 0 0K 0K 78643K 18 0 0
in_multi 33 2K 2K 78643K 88 0 0
ether_multi 1 0K 0K 78643K 4 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 54 238K 238K 78643K 54 0 0
exec 0 0K 1K 78643K 186 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 78 20K 21K 78643K 1501 0 0
UVM aobj 10 2K 2K 78643K 13 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
ip6_options 2 0K 0K 78643K 18 0 0
NDP 7 0K 0K 78643K 21 0 0
temp 103 2369K 2436K 78643K 3634 0 0
kqueue 0 0K 0K 78643K 2 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb{1}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp 64 8 0 4 1 0 1 1 0 8 0
inpcbpl 280 155 0 147 1 0 1 1 0 8 0
plimitpl 152 38 0 29 1 0 1 1 0 8 0
plcache 128 20 0 0 1 0 1 1 0 8 0
rtentry 112 77 0 37 2 0 2 2 0 8 0
syncache 264 4 0 4 1 1 0 1 0 8 0
tcpqe 32 13 0 13 1 1 0 1 0 8 0
tcpcb 544 63 0 58 1 0 1 1 0 8 0
nd6 48 12 0 8 1 0 1 1 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 349 0 164 12 0 12 12 0 8 0
art_table 32 350 0 164 2 0 2 2 0 8 0
art_node 16 76 0 42 1 0 1 1 0 8 0
sysvmsgpl 40 3 0 3 1 1 0 1 0 8 0
semupl 112 1 0 1 1 1 0 1 0 8 0
semapl 112 45 0 35 1 0 1 1 0 8 0
shmpl 112 11 0 3 1 0 1 1 0 8 0
shmpl: pool(0xffffffff82321ba8:shmpl): page inconsistency: page 0xfffffd807181a000; item ordinal 0; addr 0x388d58114beb3936
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino1pl 128 1717 0 299 46 0 46 46 0 8 0
ffsino 272 1717 0 299 95 0 95 95 0 8 0
nchpl 144 2235 0 622 61 0 61 61 0 8 0
uvmvnodes 72 1828 0 0 34 0 34 34 0 8 0
vnodes 200 1828 0 0 97 0 97 97 0 8 0
namei 1024 6301 0 6301 2 1 1 1 0 8 1
percpumem 16 30 0 0 1 0 1 1 0 8 0
scxspl 192 6052 0 6051 9 8 1 5 0 8 0
sigapl 432 386 0 371 2 0 2 2 0 8 0
futexpl 56 2443 0 2443 1 0 1 1 0 8 1
knotepl 112 182 0 163 1 0 1 1 0 8 0
kqueuepl 104 66 0 64 1 0 1 1 0 8 0
pipepl 112 338 0 319 3 2 1 2 0 8 0
fdescpl 488 387 0 371 3 0 3 3 0 8 0
filepl 152 2522 0 2424 6 1 5 5 0 8 1
lockfpl 104 87 0 87 2 1 1 1 0 8 1
lockfspl 32 100 0 100 2 1 1 1 0 8 1
sessionpl 112 21 0 11 1 0 1 1 0 8 0
pgrppl 48 21 0 11 1 0 1 1 0 8 0
ucredpl 96 589 0 580 1 0 1 1 0 8 0
zombiepl 144 371 0 371 2 1 1 1 0 8 1
processpl 840 403 0 371 4 0 4 4 0 8 0
procpl 600 840 0 798 4 0 4 4 0 8 0
srpgc 64 24 0 24 1 0 1 1 0 8 1
sosppl 128 2 0 2 1 0 1 1 0 8 1
sockpl 384 299 0 281 3 0 3 3 0 8 1
mcl64k 65536 3 0 0 1 0 1 1 0 8 0
mcl12k 12288 2 0 0 1 0 1 1 0 8 0
mcl9k 9216 1 0 0 1 0 1 1 0 8 0
mcl8k 8192 2 0 0 1 0 1 1 0 8 0
mcl4k 4096 5 0 0 1 0 1 1 0 8 0
mcl2k2 2112 1 0 0 1 0 1 1 0 8 0
mcl2k 2048 123 0 0 15 0 15 15 0 8 0
mtagpl 80 1 0 0 1 0 1 1 0 8 0
mbufpl 256 147 0 0 9 0 9 9 0 8 0
bufpl 256 6154 0 1139 314 0 314 314 0 8 0
anonpl 16 49607 0 43736 42 1 41 41 0 125 14
amapchunkpl 152 2205 0 2121 9 0 9 9 0 158 5
amappl16 192 1572 0 1232 30 4 26 30 0 8 8
amappl15 184 2 0 2 1 1 0 1 0 8 0
amappl14 176 85 0 80 2 1 1 1 0 8 0
amappl13 168 27 0 27 1 1 0 1 0 8 0
amappl12 160 116 0 111 1 0 1 1 0 8 0
amappl11 152 40 0 26 1 0 1 1 0 8 0
amappl10 144 70 0 64 2 1 1 1 0 8 0
amappl9 136 568 0 563 1 0 1 1 0 8 0
amappl8 128 148 0 130 1 0 1 1 0 8 0
amappl7 120 35 0 30 1 0 1 1 0 8 0
amappl6 112 55 0 47 1 0 1 1 0 8 0
amappl5 104 227 0 216 1 0 1 1 0 8 0
amappl4 96 520 0 493 2 1 1 2 0 8 0
amappl3 88 195 0 189 1 0 1 1 0 8 0
amappl2 80 2242 0 2189 2 0 2 2 0 8 0
amappl1 72 17426 0 16992 23 13 10 19 0 8 0
amappl 72 1074 0 1040 1 0 1 1 0 75 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma64 64 259 0 259 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 17 0 17 1 1 0 1 0 8 0
aobjpl 64 12 0 3 1 0 1 1 0 8 0
uaddrrnd 24 387 0 371 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 387 0 371 1 0 1 1 0 8 0
vmmpekpl 168 7242 0 7217 2 0 2 2 0 8 0
vmmpepl 168 49859 0 48494 95 19 76 76 0 357 16
vmsppl 360 386 0 371 2 0 2 2 0 8 0
pdppl 4096 781 0 742 6 0 6 6 0 8 0
pvpl 32 164130 0 155153 126 15 111 111 0 265 32
pmappl 232 386 0 371 1 0 1 1 0 8 0
extentpl 40 39 0 25 1 0 1 1 0 8 0
phpool 112 463 0 3 14 0 14 14 0 8 0