panic: pool_do_get: shmpl free list modified: page 0xfffffd8063c02000; item addr 0xfffffd8063c02070; offset 0x0=0x0 != 0x19da7bc6fa387450 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND * 10465 35032 0 0 0x4000000 0 syz-executor db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82fe75d7) at panic+0x1cf sys/kern/subr_prf.c:198 pool_do_get(ffffffff83593718,2,ffff80002a532f5c) at pool_do_get+0x57e pool_get(ffffffff83593718,2) at pool_get+0xf0 shmget_allocate_segment(ffff80002a502038,ffff80002a5331b0,20,ffff80002a533100) at shmget_allocate_segment+0x1a7 sys_shmget(ffff80002a502038,ffff80002a5331b0,ffff80002a533100) at sys_shmget+0x1b2 sys/kern/sysv_shm.c:480 syscall(ffff80002a5331b0) at syscall+0x97e sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xfbeb0ade250, count: 7 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: pool_do_get: shmpl free list modified: page 0xfffffd8063c02000; item addr 0xfffffd8063c02070; offset 0x0=0x0 != 0x19da7bc6fa387450 ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82fe75d7) at panic+0x1cf sys/kern/subr_prf.c:198 pool_do_get(ffffffff83593718,2,ffff80002a532f5c) at pool_do_get+0x57e pool_get(ffffffff83593718,2) at pool_get+0xf0 shmget_allocate_segment(ffff80002a502038,ffff80002a5331b0,20,ffff80002a533100) at shmget_allocate_segment+0x1a7 sys_shmget(ffff80002a502038,ffff80002a5331b0,ffff80002a533100) at sys_shmget+0x1b2 sys/kern/sysv_shm.c:480 syscall(ffff80002a5331b0) at syscall+0x97e sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xfbeb0ade250, count: -8 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80002a532dd0 rbx 0xfffffd8063c02070 rdx 0xffff800001571b80 rcx 0 rax 0xffff80002a502038 r8 0 r9 0x8080808080808080 r10 0x6a945a50b5fbab1c r11 0xf62875e56617247e r12 0 r13 0xfffffd8063c02f90 r14 0 r15 0x1 rip 0xffffffff812f8295 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80002a532dc0 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb> show proc PROC (syz-executor) tid=10465 pid=35032 tcnt=3 stat=onproc flags process=0 proc=4000000 runpri=32, usrpri=84, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80002a502f68,0xffff80002a503c20 process=0xffff8000ffff77c0 user=0xffff80002a52e000, vmspace=0xfffffd806befcc28 estcpu=34, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 83528 380716 36566 0 2 0 syz-executor 82735 223070 73803 0 2 0 syz-executor 82735 289683 73803 0 2 0x4000000 syz-executor 82735 522066 73803 0 2 0x4000000 syz-executor 35032 374143 9983 0 2 0 syz-executor *35032 10465 9983 0 7 0x4000000 syz-executor 35032 35346 9983 0 2 0x4000000 syz-executor 46463 152373 57110 0 2 0 syz-executor 46463 409769 57110 0 3 0x4000080 fsleep syz-executor 46463 267064 57110 0 2 0x4000000 syz-executor 13606 112190 30734 0 2 0 syz-executor 13606 59544 30734 0 2 0x4000000 syz-executor 13606 363416 30734 0 2 0x4000000 syz-executor 13369 468762 25859 0 2 0 syz-executor 13369 455106 25859 0 3 0x4000080 fsleep syz-executor 13369 281612 25859 0 3 0x4000080 fsleep syz-executor 13369 304670 25859 0 2 0x4000000 syz-executor 99805 10529 51710 0 2 0x2 syz-executor 25859 3677 51710 0 2 0x482 syz-executor 30734 463837 51710 0 2 0x482 syz-executor 55769 401612 51710 0 2 0x2 syz-executor 57110 297425 51710 0 2 0x482 syz-executor 36566 132817 51710 0 2 0x482 syz-executor 9983 350047 51710 0 2 0x482 syz-executor 73803 23790 51710 0 2 0x482 syz-executor 5104 161685 0 0 3 0x14280 nfsidl nfsio 49092 325666 0 0 3 0x14280 nfsidl nfsio 13357 319923 0 0 3 0x14280 nfsidl nfsio 63916 356233 0 0 3 0x14280 nfsidl nfsio 7211 216232 0 0 3 0x14280 nfsidl nfsio 12507 347826 0 0 3 0x14280 nfsidl nfsio 67980 514162 0 0 3 0x14280 nfsidl nfsio 20833 499470 0 0 3 0x14280 nfsidl nfsio 71409 414605 0 0 3 0x14280 nfsidl nfsio 98796 406304 0 0 3 0x14280 nfsidl nfsio 16919 412549 0 0 3 0x14280 nfsidl nfsio 61112 483250 0 0 3 0x14280 nfsidl nfsio 36311 499118 0 0 3 0x14280 nfsidl nfsio 94901 279258 0 0 3 0x14280 nfsidl nfsio 8557 103122 0 0 3 0x14280 nfsidl nfsio 5861 371648 0 0 3 0x14280 nfsidl nfsio 84577 492846 0 0 3 0x14280 nfsidl nfsio 44616 267499 0 0 3 0x14280 nfsidl nfsio 45735 439813 0 0 3 0x14280 nfsidl nfsio 32414 233454 0 0 3 0x14280 nfsidl nfsio 34483 65965 1 0 3 0x100083 ttyin getty 12072 13174 0 0 3 0x14200 bored sosplice 51710 506265 89126 0 3 0x82 kqread syz-executor 89126 320107 40106 0 3 0x10008a sigsusp ksh 40106 105202 16818 0 3 0x98 kqread sshd-session 16818 186371 44670 0 3 0x92 kqread sshd-session 44670 366807 1 0 3 0x88 kqread sshd 40907 111086 62124 73 3 0x1100090 kqread syslogd 62124 70031 1 0 3 0x100082 sbwait syslogd 62094 432417 1 0 3 0x100080 kqread resolvd 2494 110868 97970 77 3 0x100092 kqread dhcpleased 40751 152379 97970 77 3 0x100092 kqread dhcpleased 97970 256282 1 0 3 0x80 kqread dhcpleased 39954 204379 0 0 3 0x14200 bored smr 45216 22772 0 0 2 0x14200 zerothread 78700 150004 0 0 3 0x14200 aiodoned aiodoned 92284 13376 0 0 3 0x14200 syncer update 85056 146576 0 0 3 0x14200 cleaner cleaner 54744 272517 0 0 3 0x14200 reaper reaper 24870 480851 0 0 3 0x14200 pgdaemon pagedaemon 13604 503036 0 0 3 0x14200 bored viomb 40918 489969 0 0 3 0x40014200 acpi0 acpi0 7351 330332 0 0 3 0x14200 bored softnet3 88842 221036 0 0 3 0x14200 bored softnet2 95039 139554 0 0 3 0x14200 bored softnet1 60136 158460 0 0 3 0x14200 bored softnet0 16527 207551 0 0 3 0x14200 bored systqmp 31552 173222 0 0 3 0x14200 bored systq 24412 299891 0 0 2 0x40014200 softclock 51594 210599 0 0 3 0x40014200 idle0 1 351814 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10193 14194K 14329K 166960K 11959 0 pcb 17 13K 14K 166960K 129 0 rtable 225 8K 9K 166960K 1620 0 pf 36 14K 269K 166960K 125 0 ifaddr 44 8K 8K 166960K 190 0 ifgroup 58 2K 2K 166960K 203 0 sysctl 3 0K 0K 166960K 3 0 counters 32 17K 18K 166960K 71 0 ioctlops 0 0K 4K 166960K 132 0 iov 0 0K 16K 166960K 37 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1377 87K 87K 166960K 2194 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 9K 166960K 17 0 VM map 2 1K 1K 166960K 2 0 sem 10 0K 0K 166960K 15 0 dirhash 12 2K 3K 166960K 36 0 ACPI 1690 195K 286K 166960K 12418 0 file desc 16 57K 97K 166960K 1151 0 sigio 0 0K 0K 166960K 17 0 proc 63 67K 124K 166960K 1429 0 subproc 104 6K 6K 166960K 520 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 56 0 in_multi 99 7K 7K 166960K 468 0 ether_multi 1 0K 0K 166960K 2 0 mrt 0 0K 0K 166960K 1 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 79 360K 360K 166960K 79 0 exec 0 0K 1K 166960K 832 0 pfkey data 0 0K 0K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 208 71K 90K 166960K 10414 0 UVM aobj 20 2K 2K 166960K 22 0 pinsyscall 37 74K 102K 166960K 3005 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 38 0 NDP 13 0K 2K 166960K 133 0 temp 55 6811K 6937K 166960K 39004 0 kqueue 14 22K 30K 166960K 109 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 172 0 169 2 0 2 2 0 8 1 rtentry 112 567 0 466 4 0 4 4 0 8 1 unpcb 144 382 0 365 2 1 1 2 0 8 0 syncache 336 5 0 5 2 1 1 1 0 8 1 tcpqe 32 1 0 1 1 0 1 1 0 8 1 tcpcb 808 198 0 194 5 1 4 4 0 8 3 arp 88 95 0 77 1 0 1 1 0 8 0 ipq 40 7 0 7 1 0 1 1 0 8 1 ipqe 40 52 0 52 1 0 1 1 0 8 1 inpcb 336 848 0 840 12 5 7 7 0 8 6 nd6 104 123 0 98 1 0 1 1 0 8 0 pkpcb 40 3 0 3 2 1 1 1 0 8 1 kcovpl 48 40 0 32 1 0 1 1 0 8 0 ppxss 1072 7 0 7 2 1 1 1 0 8 1 pfanchor 1288 3 0 3 1 1 0 1 0 8 0 pfstkey 128 1 0 1 1 1 0 1 0 8 0 pfstate 344 1 0 1 1 1 0 1 0 8 0 pfrule 1344 1 0 1 1 1 0 1 0 8 0 art_heap8 4096 3 0 0 3 0 3 3 0 8 0 art_heap4 256 1959 0 1501 33 3 30 30 0 8 0 art_table 32 1962 0 1501 4 0 4 4 0 8 0 art_node 16 500 0 411 1 0 1 1 0 8 0 sysvmsgpl 40 4 0 0 1 0 1 1 0 8 0 semupl 112 1 0 1 1 0 1 1 0 8 1 semapl 112 13 0 5 1 0 1 1 0 8 0 shmpl 112 19 0 3 1 0 1 1 0 8 0 shmpl: pool(0xffffffff83593718:shmpl): free list modified: page 0xfffffd8063c02000; item ordinal 0; addr 0xfffffd8063c02070 (p 0xfffffd8063c02000); offset 0x0=0x0 shmpl: pool(0xffffffff83593718:shmpl): page inconsistency: page 0xfffffd8063c02000; item ordinal 1; addr 0xcb2c9ddfbbb5d22c dirhash 1024 33 0 16 3 0 3 3 0 8 0 dino2pl 256 2649 0 1091 99 0 99 99 0 8 0 ffsino 240 2649 0 1091 93 0 93 93 0 8 0 nchpl 144 3617 0 1905 64 0 64 64 0 8 0 uvmvnodes 80 3375 0 0 69 0 69 69 0 8 0 vnodes 216 3375 0 0 188 0 188 188 0 8 0 namei 1024 14667 0 14665 4 1 3 3 0 8 2 kstatmem 264 104 0 78 3 0 3 3 0 8 1 scxspl 216 27710 0 27710 10 2 8 8 1 8 8 plimitpl 152 190 0 174 1 0 1 1 0 8 0 sigapl 424 1387 0 1322 9 1 8 8 0 8 0 futexpl 64 8723 0 8720 1 0 1 1 0 8 0 knotepl 120 23254 0 23202 24 14 10 17 0 8 8 kqueuepl 184 165 0 153 1 0 1 1 0 8 0 pipepl 288 289 0 261 5 0 5 5 0 8 2 fdescpl 432 1350 0 1322 5 1 4 5 0 8 0 filepl 120 6249 0 6008 13 2 11 11 0 8 3 lockfpl 104 228 0 226 1 0 1 1 0 8 0 lockfspl 48 90 0 88 1 0 1 1 0 8 0 sessionpl 144 55 0 47 1 0 1 1 0 8 0 pgrppl 48 105 0 89 1 0 1 1 0 8 0 ucredpl 104 801 0 790 1 0 1 1 0 8 0 zombiepl 144 1654 0 1654 2 1 1 1 0 8 1 processpl 1096 1387 0 1322 5 0 5 5 0 8 0 procpl 648 2362 0 2286 8 0 8 8 0 8 0 sosppl 168 4 0 4 2 1 1 1 0 8 1 sockpl 504 1475 0 1447 25 13 12 17 0 8 8 mcl64k 65536 17 0 17 2 1 1 1 0 8 1 mcl16k 16384 9 0 9 2 1 1 1 0 8 1 mcl12k 12288 2 0 2 1 1 0 1 0 8 0 mcl9k 9216 1 0 1 1 0 1 1 0 8 1 mcl8k 8192 25 0 25 2 1 1 1 0 8 1 mcl4k 4096 10 0 10 2 1 1 1 0 8 1 mcl2k 2048 7029 0 6932 32 16 16 29 0 8 3 mtagpl 96 84 0 78 2 0 2 2 0 8 1 mbufpl 256 17004 0 16775 78 57 21 73 0 8 5 bufpl 280 7658 0 1411 447 0 447 447 0 8 0 anonpl 24 236792 0 233593 78 27 51 51 0 187 22 amapchunkpl 152 33383 0 32950 41 10 31 31 0 158 9 amappl16 200 4589 0 4567 17 7 10 14 0 8 8 amappl15 192 8 0 8 1 1 0 1 0 8 0 amappl14 184 176 0 166 1 0 1 1 0 8 0 amappl13 176 9 0 9 2 1 1 1 0 8 1 amappl12 168 2474 0 2446 3 1 2 3 0 8 0 amappl11 160 49 0 39 1 0 1 1 0 8 0 amappl10 152 13 0 13 1 1 0 1 0 8 0 amappl9 144 160 0 159 1 0 1 1 0 8 0 amappl8 136 20 0 19 1 0 1 1 0 8 0 amappl7 128 158 0 148 1 0 1 1 0 8 0 amappl6 120 485 0 483 1 0 1 1 0 8 0 amappl5 112 255 0 246 1 0 1 1 0 8 0 amappl4 104 382 0 366 1 0 1 1 0 8 0 amappl3 96 6434 0 6336 4 0 4 4 0 8 0 amappl2 88 1098 0 1037 2 0 2 2 0 8 0 amappl1 80 12410 0 11897 14 2 12 14 0 8 0 amappl 88 9783 0 9628 5 0 5 5 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 21 0 2 1 0 1 1 0 8 0 uaddrrnd 24 1350 0 1322 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 1350 0 1322 1 0 1 1 0 8 0 vmmpekpl 168 12108 0 12049 3 0 3 3 0 8 0 vmmpepl 168 88536 0 86876 85 3 82 82 0 357 3 vmsppl 344 1349 0 1322 4 1 3 4 0 8 0 rwobjpl 24 30975 0 26756 26 0 26 26 0 8 0 pdppl 4096 2706 0 2644 140 74 66 82 0 8 4 pvpl 32 665773 0 656053 355 132 223 223 0 265 128 pmappl 216 1349 0 1322 3 1 2 3 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 545 0 177 12 0 12 12 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82fe75d7) at panic+0x1cf sys/kern/subr_prf.c:198 pool_do_get(ffffffff83593718,2,ffff80002a532f5c) at pool_do_get+0x57e pool_get(ffffffff83593718,2) at pool_get+0xf0 shmget_allocate_segment(ffff80002a502038,ffff80002a5331b0,20,ffff80002a533100) at shmget_allocate_segment+0x1a7 sys_shmget(ffff80002a502038,ffff80002a5331b0,ffff80002a533100) at sys_shmget+0x1b2 sys/kern/sysv_shm.c:480 syscall(ffff80002a5331b0) at syscall+0x97e sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xfbeb0ade250, count: -8 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82fe75d7) at panic+0x1cf sys/kern/subr_prf.c:198 pool_do_get(ffffffff83593718,2,ffff80002a532f5c) at pool_do_get+0x57e pool_get(ffffffff83593718,2) at pool_get+0xf0 shmget_allocate_segment(ffff80002a502038,ffff80002a5331b0,20,ffff80002a533100) at shmget_allocate_segment+0x1a7 sys_shmget(ffff80002a502038,ffff80002a5331b0,ffff80002a533100) at sys_shmget+0x1b2 sys/kern/sysv_shm.c:480 syscall(ffff80002a5331b0) at syscall+0x97e sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xfbeb0ade250, count: -8