panic: pool_do_get: shmpl free list modified: page 0xfffffd8068ae3000; item addr 0xfffffd8068ae3700; offset 0x40=0x68b90fa6
Stopped at db_enter+0x25: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*168425 38588 0 0 0x4000000 0K syz-executor
307737 52827 0 0x2 0x1 1 syz-executor
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff8336bd01) at panic+0x1e5 sys/kern/subr_prf.c:198
pool_do_get(ffffffff839b9068,1,ffff800033007548) at pool_do_get+0x5df
pool_get(ffffffff839b9068,1) at pool_get+0x162 sys/kern/subr_pool.c:-1
shmget_allocate_segment(ffff80003b4382c8,ffff8000330077a0,0,ffff8000330076f0) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1
sys_shmget(ffff80003b4382c8,ffff8000330077a0,ffff8000330076f0) at sys_shmget+0x195 sys/kern/sysv_shm.c:482
syscall(ffff8000330077a0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff8000330077a0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:746
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xcb8e6c68010, count: 7
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: pool_do_get: shmpl free list modified: page 0xfffffd8068ae3000; item addr 0xfffffd8068ae3700; offset 0x40=0x68b90fa6 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8336bd01) at panic+0x1e5 sys/kern/subr_prf.c:198 pool_do_get(ffffffff839b9068,1,ffff800033007548) at pool_do_get+0x5df pool_get(ffffffff839b9068,1) at pool_get+0x162 sys/kern/subr_pool.c:-1 shmget_allocate_segment(ffff80003b4382c8,ffff8000330077a0,0,ffff8000330076f0) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1 sys_shmget(ffff80003b4382c8,ffff8000330077a0,ffff8000330076f0) at sys_shmget+0x195 sys/kern/sysv_shm.c:482 syscall(ffff8000330077a0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff8000330077a0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:746 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xcb8e6c68010, count: -8 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff800033007370 rbx 0xffffffff83863ddf cpu_info_full_primary+0x2ddf rdx 0 rcx 0xffff80003b4382c8 rax 0xffffffff83862ff0 cpu_info_full_primary+0x1ff0 r8 0x101010101010101 r9 0x8080808080808080 r10 0xec7f12eb36048186 r11 0x6a9a4143620c0d4e r12 0xffffffff83863be0 cpu_info_full_primary+0x2be0 r13 0 r14 0 r15 0x1 rip 0xffffffff82e305a5 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff800033007360 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor) tid=168425 pid=38588 tcnt=4 stat=onproc flags process=0 proc=4000000 runpri=32, usrpri=83, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80002a2a0d20,0xffff80003b439798 process=0xffff80003ac29360 user=0xffff800033002000, vmspace=0xfffffd806b7995d8 estcpu=33, cpticks=0, pctcpu=0.0, user=0, sys=0, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 38588 73916 89491 0 2 0 syz-executor *38588 168425 89491 0 7 0x4000000 syz-executor 38588 343060 89491 0 
3 0x4000080 fsleep syz-executor 38588 128249 89491 0 3 0x4000080 fsleep syz-executor 34105 481434 45896 0 2 0 syz-executor 34105 205038 45896 0 3 0x4000080 ttyin syz-executor 34105 77464 45896 0 3 0x4000080 fsleep syz-executor 61866 137483 0 0 3 0x14200 acct acct 35664 48946 0 0 3 0x14200 bored sosplice 80742 224575 52827 0 3 0x2 biowait syz-executor 62003 511892 52827 0 3 0x2 biowait syz-executor 89491 446871 52827 0 3 0x82 nanoslp syz-executor 45896 173064 52827 0 3 0x82 nanoslp syz-executor 52740 55107 52827 0 3 0x2 biowait syz-executor 44881 136846 52827 0 3 0x2 getblk syz-executor 75843 112712 52827 0 3 0x2 biowait syz-executor 66033 217093 52827 0 3 0x2 biowait syz-executor 52827 307737 28940 0 7 0x3 syz-executor 28940 131212 7271 0 3 0x10008a sigsusp ksh 7271 324805 55363 0 3 0x98 kqread sshd-session 55363 449975 28159 0 3 0x92 kqread sshd-session 34601 229375 1 0 3 0x100083 ttyin getty 28159 220004 1 0 3 0x88 kqread sshd 55074 364440 69010 74 3 0x1100092 bpf pflogd 69010 10526 1 0 3 0x80 sbwait pflogd 49684 365457 18131 73 3 0x1100090 kqread syslogd 18131 517682 1 0 3 0x100082 sbwait syslogd 17917 490498 1 0 3 0x100080 kqread resolvd 63500 306245 24454 77 3 0x100092 kqread dhcpleased 14543 64489 24454 77 3 0x100092 kqread dhcpleased 24454 312018 1 0 3 0x80 kqread dhcpleased 38460 163021 0 0 3 0x14200 bored smr 69247 351680 0 0 2 0x14200 zerothread 29791 360596 0 0 3 0x14200 aiodoned aiodoned 12723 164973 0 0 3 0x14200 syncer update 35256 160917 0 0 3 0x14200 cleaner cleaner 82530 99711 0 0 3 0x14200 reaper reaper 49672 94476 0 0 3 0x14200 pgdaemon pagedaemon 62321 235791 0 0 3 0x14200 bored viomb 84981 236889 0 0 3 0x40014200 acpi0 acpi0 59103 480158 0 0 3 0x40014200 idle1 3856 482491 0 0 3 0x14200 bored softnet7 45984 247549 0 0 3 0x14200 bored softnet6 76804 515252 0 0 3 0x14200 bored softnet5 54135 153394 0 0 3 0x14200 bored softnet4 47226 303591 0 0 3 0x14200 bored softnet3 72162 155010 0 0 3 0x14200 bored softnet2 14578 335197 0 0 3 0x14200 bored 
softnet1 75616 344328 0 0 3 0x14200 bored softnet0 27308 290348 0 0 3 0x14200 smrbar systqmp 32424 436739 0 0 3 0x14200 bored systq 24308 349510 0 0 3 0x14200 tmoslp softclockmp 76142 14488 0 0 3 0x40014200 tmoslp softclock 39333 349382 0 0 3 0x40014200 idle0 1 63734 0 0 3 0x82 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb{0}> show all locks CPU 0: exclusive mutex shmpl r = 0 (0xffffffff839b9080) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 mtx_enter_try+0x1ad sys/kern/kern_lock.c:311 #2 mtx_enter+0x62 sys/kern/kern_lock.c:261 #3 pool_get+0x124 sys/kern/subr_pool.c:581 #4 shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1 #5 sys_shmget+0x195 sys/kern/sysv_shm.c:482 #6 syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] #6 syscall+0xb17 sys/arch/amd64/amd64/trap.c:746 #7 Xsyscall+0x128 Process 38588 (syz-executor) thread 0xffff80003b4382c8 (168425) Process 80742 (syz-executor) thread 0xffff8000ffff22a8 (224575) Process 62003 (syz-executor) thread 0xffff8000ffff2fa0 (511892) Process 52740 (syz-executor) thread 0xffff8000ffff3768 (55107) Process 44881 (syz-executor) thread 0xffff80002a2b9ca0 (136846) Process 75843 (syz-executor) thread 0xffff80002a2b9240 (112712) Process 66033 (syz-executor) thread 0xffff80002a2b9770 (217093) Process 27308 (systqmp) thread 0xffff8000ffffe7c8 (290348) ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10220 11037K 11695K 166960K 11770 0 pcb 18 13K 14K 166960K 141 0 rtable 179 8K 9K 166960K 339 0 pf 38 18K 20K 166960K 89 0 ifaddr 41 6K 8K 166960K 68 0 ifgroup 63 2K 2K 166960K 101 0 sysctl 4 1K 9K 166960K 11 0 counters 72 37K 37K 166960K 112 0 ioctlops 0 0K 4K 166960K 1635 0 iov 0 0K 12K 166960K 18 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1429 90K 90K 166960K 1774 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 5K 166960K 9 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 
14 0 dirhash 12 2K 2K 166960K 33 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 12 41K 93K 166960K 569 0 sigio 0 0K 0K 166960K 16 0 proc 72 115K 164K 166960K 588 0 subproc 72 4K 4K 166960K 72 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 75 0 in_multi 84 6K 7K 166960K 130 0 ether_multi 1 0K 0K 166960K 3 0 mrt 0 0K 0K 166960K 4 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 79 360K 360K 166960K 79 0 exec 0 0K 1K 166960K 455 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 2 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 201 166K 183K 166960K 6989 0 UVM aobj 12 2K 4K 166960K 15 0 pinsyscall 37 74K 104K 166960K 1672 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 1K 166960K 33 0 NDP 14 0K 2K 166960K 43 0 temp 60 8648K 8728K 166960K 19643 0 kqueue 13 20K 29K 166960K 116 0 SYN cache 2 16K 16K 166960K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 120 62 0 59 1 0 1 1 0 8 0 rtentry 176 110 0 39 4 0 4 4 0 8 0 unpcb 144 309 0 292 3 2 1 3 0 8 0 syncache 336 8 0 8 2 1 1 1 0 8 1 tcpcb 736 196 0 192 7 0 7 7 0 8 6 arp 136 13 0 3 1 0 1 1 0 8 0 inpcb 328 541 0 533 8 2 6 6 0 8 5 nd6 144 18 0 4 1 0 1 1 0 8 0 pkpcb 40 4 0 4 2 2 0 1 0 8 0 kcovpl 48 8 0 0 1 0 1 1 0 8 0 ppxss 1192 15 0 15 1 0 1 1 0 8 1 pppxif 1504 3 0 3 2 1 1 1 0 8 1 pffrag 232 7 0 2 1 0 1 1 0 482 0 pffrnode 88 7 0 2 1 0 1 1 0 8 0 pffrent 40 10 0 5 1 0 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfstitem 24 47 0 10 1 0 1 1 0 8 0 pfstkey 128 47 0 10 2 0 2 2 0 8 0 pfstate 384 47 0 10 5 0 5 5 0 8 0 pfrule 1344 22 0 17 2 1 1 2 0 8 0 rttmr 136 2 0 2 2 1 1 1 0 8 1 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 543 0 187 29 2 27 29 0 8 2 art_table 40 544 0 187 5 0 5 5 0 8 0 art_node 32 110 0 44 1 0 1 1 0 8 0 sysvmsgpl 40 48 0 8 1 0 1 1 0 8 0 semapl 
112 12 0 2 1 0 1 1 0 8 0 shmpl 112 12 0 3 1 0 1 1 0 8 0 pool(0xffffffff839b9068:shmpl): page inconsistency: page 0xfffffd8068ae3000; 25 on list, 9 missing, 35 items per page dirhash 1024 31 0 14 3 0 3 3 0 8 0 dino2pl 256 2460 0 961 95 0 95 95 0 8 0 ffsino 296 2462 0 961 117 0 117 117 0 8 0 nchpl 144 3243 0 1560 64 0 64 64 0 8 0 uvmvnodes 80 2764 0 0 57 0 57 57 0 8 0 vnodes 216 2764 0 0 154 0 154 154 0 8 0 namei 1024 10674 0 10670 2 1 1 2 0 8 0 percpumem 16 71 0 20 1 0 1 1 0 8 0 kstatmem 264 60 0 26 3 0 3 3 0 8 0 acpiwqpl 32 1 0 1 1 0 1 1 1 8 1 scsiplug 72 2 0 2 2 2 0 1 0 8 0 scxspl 216 17404 0 17399 10 8 2 8 1 8 1 plimitpl 152 124 0 106 1 0 1 1 0 8 0 sigapl 424 879 0 829 7 0 7 7 0 8 0 knotepl 120 530 0 0 16 0 16 16 0 8 0 kqueuepl 224 232 0 223 3 0 3 3 0 8 2 pipepl 344 248 0 221 9 3 6 9 0 8 3 fdescpl 528 854 0 828 3 0 3 3 0 8 0 filepl 160 4636 0 4420 18 0 18 18 0 8 8 lockfpl 104 127 0 125 1 0 1 1 0 8 0 lockfspl 48 56 0 54 1 0 1 1 0 8 0 sessionpl 144 27 0 18 1 0 1 1 0 8 0 pgrppl 48 44 0 27 1 0 1 1 0 8 0 ucredpl 104 533 0 520 1 0 1 1 0 8 0 zombiepl 144 829 0 829 1 0 1 1 0 8 1 processpl 1232 879 0 829 5 0 5 5 0 8 0 procpl 664 1694 0 1639 7 0 7 7 0 8 1 sosppl 168 2 0 2 1 0 1 1 0 8 1 sockpl 752 927 0 899 13 3 10 10 0 8 7 mcl64k 65536 3 0 0 1 0 1 1 0 8 0 mcl16k 16384 4 0 0 1 0 1 1 0 8 0 mcl12k 12288 1 0 0 1 0 1 1 0 8 0 mcl9k 9216 1 0 0 1 0 1 1 0 8 0 mcl8k 8192 3 0 0 1 0 1 1 0 8 0 mcl4k 4096 120 0 0 15 0 15 15 0 8 0 mcl2k 2048 23 0 0 3 0 3 3 0 8 0 mtagpl 96 4 0 0 1 0 1 1 0 8 0 mbufpl 256 245 0 0 16 0 16 16 0 8 0 bufpl 280 8097 0 1954 440 0 440 440 0 8 0 anonpl 32 12453 0 0 101 0 101 101 0 246 0 amapchunkpl 152 22651 0 22274 38 9 29 35 0 158 8 amappl16 200 3601 0 3571 28 13 15 25 0 8 5 amappl15 192 24 0 24 1 1 0 1 0 8 0 amappl14 184 119 0 107 1 0 1 1 0 8 0 amappl13 176 5 0 5 1 1 0 1 0 8 0 amappl12 168 1499 0 1473 3 1 2 2 0 8 0 amappl11 160 49 0 35 1 0 1 1 0 8 0 amappl10 152 8 0 7 1 0 1 1 0 8 0 amappl9 144 254 0 254 1 1 0 1 0 8 0 amappl8 136 85 0 82 1 0 1 1 0 8 0 amappl7 128 
114 0 101 1 0 1 1 0 8 0 amappl6 120 185 0 182 1 0 1 1 0 8 0 amappl5 112 122 0 112 1 0 1 1 0 8 0 amappl4 104 313 0 293 1 0 1 1 0 8 0 amappl3 96 3794 0 3726 4 1 3 3 0 8 0 amappl2 88 1119 0 1045 2 0 2 2 0 8 0 amappl1 80 11113 0 10530 15 0 15 15 0 8 0 amappl 88 6216 0 6088 5 0 5 5 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 7 0 7 2 2 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 19 0 18 1 0 1 1 0 8 0 aobjpl 72 14 0 3 1 0 1 1 0 8 0 uaddrrnd 24 854 0 828 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 854 0 828 1 0 1 1 0 8 0 vmmpekpl 168 9417 0 9375 3 1 2 3 0 8 0 vmmpepl 168 61568 0 59854 108 3 105 108 0 357 9 vmsppl 488 853 0 828 5 0 5 5 0 8 1 rwobjpl 80 22473 0 18808 77 0 77 77 0 8 0 pdppl 4096 1715 0 1656 107 36 71 85 0 8 12 pvpl 32 21669 0 0 176 1 175 175 0 265 0 pmappl 256 853 0 828 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 289 0 42 8 0 8 8 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8336bd01) at panic+0x1e5 sys/kern/subr_prf.c:198 pool_do_get(ffffffff839b9068,1,ffff800033007548) at pool_do_get+0x5df pool_get(ffffffff839b9068,1) at pool_get+0x162 sys/kern/subr_pool.c:-1 shmget_allocate_segment(ffff80003b4382c8,ffff8000330077a0,0,ffff8000330076f0) at shmget_allocate_segment+0x1af sys/kern/sysv_shm.c:-1 sys_shmget(ffff80003b4382c8,ffff8000330077a0,ffff8000330076f0) at sys_shmget+0x195 sys/kern/sysv_shm.c:482 syscall(ffff8000330077a0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff8000330077a0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:746 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xcb8e6c68010, count: -8 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffff8000299edff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at 
x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff839b0840) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:134 [inline] __mp_lock(ffffffff839b0840) at __mp_lock+0x192 sys/kern/kern_lock.c:165 ktrstruct(ffff80002a2b8548,ffffffff833a3a35,ffff800001521e18,8) at ktrstruct+0xdf sys/kern/kern_ktrace.c:313 dopselect(ffff80002a2b8548,32,7de7af9cd380,0,0,ffff80002a30f550,d71e21d63e12fef3,ffff80002a30f5f0) at dopselect+0xc6b sys/kern/sys_generic.c:720 sys_pselect(ffff80002a2b8548,ffff80002a30f6a0,ffff80002a30f5f0) at sys_pselect+0x25a sys/kern/sys_generic.c:589 syscall(ffff80002a30f6a0) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80002a30f6a0) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:746 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7de7af9cd330, count: 6 ddb{1}> trace x86_ipi_db(ffff8000299edff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff839b0840) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:134 [inline] __mp_lock(ffffffff839b0840) at __mp_lock+0x192 sys/kern/kern_lock.c:165 ktrstruct(ffff80002a2b8548,ffffffff833a3a35,ffff800001521e18,8) at ktrstruct+0xdf sys/kern/kern_ktrace.c:313 dopselect(ffff80002a2b8548,32,7de7af9cd380,0,0,ffff80002a30f550,d71e21d63e12fef3,ffff80002a30f5f0) at dopselect+0xc6b sys/kern/sys_generic.c:720 sys_pselect(ffff80002a2b8548,ffff80002a30f6a0,ffff80002a30f5f0) at sys_pselect+0x25a sys/kern/sys_generic.c:589 syscall(ffff80002a30f6a0) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80002a30f6a0) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:746 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7de7af9cd330, count: -9