panic: pool_do_get: shmpl free list modified: page 0xfffffd806bd8f000; item addr 0xfffffd806bd8f230; offset 0x2c=0xdeaf4151 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND 435231 6799 0 0 0 1 syz-executor *354830 32727 0 0 0x4000000 0K syz-executor db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8305e11a) at panic+0x1e5 sys/kern/subr_prf.c:198 pool_do_get(ffffffff8361d158,2,ffff800034794338) at pool_do_get+0x5e6 pool_get(ffffffff8361d158,2) at pool_get+0x141 shmget_allocate_segment(ffff8000359ae028,ffff800034794590,80,ffff8000347944e0) at shmget_allocate_segment+0x1a7 sys_shmget(ffff8000359ae028,ffff800034794590,ffff8000347944e0) at sys_shmget+0x1b2 sys/kern/sysv_shm.c:480 syscall(ffff800034794590) at syscall+0xaf8 mi_syscall sys/sys/syscall_mi.h:179 [inline] syscall(ffff800034794590) at syscall+0xaf8 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xd63567af610, count: 7 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: pool_do_get: shmpl free list modified: page 0xfffffd806bd8f000; item addr 0xfffffd806bd8f230; offset 0x2c=0xdeaf4151 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8305e11a) at panic+0x1e5 sys/kern/subr_prf.c:198 pool_do_get(ffffffff8361d158,2,ffff800034794338) at pool_do_get+0x5e6 pool_get(ffffffff8361d158,2) at pool_get+0x141 shmget_allocate_segment(ffff8000359ae028,ffff800034794590,80,ffff8000347944e0) at shmget_allocate_segment+0x1a7 sys_shmget(ffff8000359ae028,ffff800034794590,ffff8000347944e0) at sys_shmget+0x1b2 sys/kern/sysv_shm.c:480 syscall(ffff800034794590) at syscall+0xaf8 mi_syscall sys/sys/syscall_mi.h:179 [inline] syscall(ffff800034794590) at syscall+0xaf8 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xd63567af610, count: -8 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff800034794180 rbx 0xffffffff83467d87 cpu_info_full_primary+0x2d87 rdx 0xffff800001191d80 rcx 0xffff8000359ae028 rax 0xffffffff83466ff0 cpu_info_full_primary+0x1ff0 r8 0x101010101010101 r9 0x8080808080808080 r10 0x630358518fa49ab5 r11 0x732868b8e964a99d r12 0xffffffff83467b88 cpu_info_full_primary+0x2b88 r13 0 r14 0 r15 0x1 rip 0xffffffff82f9a525 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff800034794170 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor) tid=354830 pid=32727 tcnt=2 stat=onproc flags process=0 proc=4000000 runpri=32, usrpri=86, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff8000359aecd0,0xffff8000359af700 process=0xffff8000ffff4928 user=0xffff80003478f000, vmspace=0xfffffd806bd29008 estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 42893 342141 12592 0 2 0 syz-executor 6799 435231 72578 0 7 0 syz-executor 6799 338431 72578 0 2 0x4000000 syz-executor 32727 450428 46601 0 2 0 syz-executor *32727 354830 46601 0 7 0x4000000 syz-executor 78465 77322 14549 0 2 0 syz-executor 78465 109733 14549 0 3 0x4000080 fsleep syz-executor 78465 31711 14549 0 3 0x4000080 fsleep syz-executor 85250 398820 92221 0 2 0 syz-executor 85250 212223 92221 0 3 0x4000080 kqpoll syz-executor 85250 370517 92221 0 3 0x4000080 fsleep syz-executor 54367 44027 78112 0 3 0x80 nanoslp syz-executor 54367 21564 78112 0 3 0x4000080 kqread syz-executor 54367 498288 78112 0 3 0x4000080 fsleep syz-executor 92221 64931 3110 0 3 0x82 nanoslp syz-executor 46601 388901 3110 0 3 0x82 nanoslp syz-executor 12592 386563 3110 0 3 0x82 nanoslp syz-executor 14549 137958 3110 0 3 0x82 nanoslp syz-executor 82225 46201 3110 0 3 0x82 wait syz-executor 78112 303886 3110 0 3 0x82 nanoslp syz-executor 72578 118261 3110 0 3 0x82 nanoslp syz-executor 74672 325547 3110 0 3 0x82 wait syz-executor 77408 12017 1 0 3 0x100083 ttyin getty 7791 487691 0 0 3 0x14200 bored sosplice 3110 465681 51479 0 3 0x82 kqread syz-executor 51479 496786 70907 0 3 0x10008a sigsusp ksh 70907 508698 592 0 3 0x98 kqread sshd-session 592 90237 35599 0 3 0x92 kqread sshd-session 35599 342307 1 0 3 0x88 kqread sshd 82985 321041 8989 74 3 0x1100092 bpf pflogd 8989 370007 1 0 3 0x80 sbwait pflogd 5826 159274 74160 73 3 0x1100090 kqread syslogd 74160 25091 1 0 3 0x100082 sbwait syslogd 7712 97360 1 0 3 0x100080 kqread resolvd 10531 362475 21679 77 3 0x100092 kqread dhcpleased 42016 471545 21679 77 3 0x100092 kqread dhcpleased 21679 86190 1 0 3 0x80 kqread dhcpleased 39457 457699 0 0 3 0x14200 bored smr 80552 74397 0 0 2 0x14200 zerothread 81678 399490 0 0 3 0x14200 aiodoned aiodoned 19060 69989 0 0 3 0x14200 syncer update 93353 297591 0 0 3 0x14200 cleaner cleaner 619 148645 0 0 3 0x14200 reaper reaper 62429 62665 0 0 3 0x14200 pgdaemon pagedaemon 49996 453127 0 0 3 0x14200 bored viomb 98150 281466 0 0 3 0x40014200 acpi0 acpi0 75408 103612 0 0 3 0x40014200 idle1 88076 363070 0 0 3 0x14200 bored softnet3 25175 282363 0 0 3 0x14200 bored softnet2 40684 98735 0 0 3 0x14200 bored softnet1 57445 364566 0 0 3 0x14200 bored softnet0 53778 294946 0 0 3 0x14200 bored systqmp 1639 402293 0 0 3 0x14200 bored systq 33556 133838 0 0 3 0x14200 tmoslp softclockmp 13263 324540 0 0 3 0x40014200 tmoslp softclock 85653 507629 0 0 3 0x40014200 idle0 1 64494 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks CPU 0: exclusive mutex shmpl r = 0 (0xffffffff8361d168) #0 witness_lock+0x5b8 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5b8 sys/kern/subr_witness.c:1151 #1 mtx_enter_try+0x178 #2 mtx_enter+0x60 sys/kern/kern_lock.c:239 #3 pool_get+0x103 sys/kern/subr_pool.c:579 #4 shmget_allocate_segment+0x1a7 #5 sys_shmget+0x1b2 sys/kern/sysv_shm.c:480 #6 syscall+0xaf8 mi_syscall sys/sys/syscall_mi.h:179 [inline] #6 syscall+0xaf8 sys/arch/amd64/amd64/trap.c:577 #7 Xsyscall+0x128 Process 32727 (syz-executor) thread 0xffff8000359ae028 (354830) exclusive kernel_lock &kernel_lock r = 0 (0xffffffff8362f4e0) #0 witness_lock+0x5b8 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5b8 sys/kern/subr_witness.c:1151 #1 syscall+0xad6 mi_syscall sys/sys/syscall_mi.h:179 [inline] #1 syscall+0xad6 sys/arch/amd64/amd64/trap.c:577 #2 Xsyscall+0x128 exclusive mutex shmpl r = 0 (0xffffffff8361d168) #0 witness_lock+0x5b8 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5b8 sys/kern/subr_witness.c:1151 #1 mtx_enter_try+0x178 #2 mtx_enter+0x60 sys/kern/kern_lock.c:239 #3 pool_get+0x103 sys/kern/subr_pool.c:579 #4 shmget_allocate_segment+0x1a7 #5 sys_shmget+0x1b2 sys/kern/sysv_shm.c:480 #6 syscall+0xaf8 mi_syscall sys/sys/syscall_mi.h:179 [inline] #6 syscall+0xaf8 sys/arch/amd64/amd64/trap.c:577 #7 Xsyscall+0x128 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10205 10174K 10553K 166960K 12262 0 pcb 18 16K 18K 166960K 200 0 rtable 202 7K 8K 166960K 1847 0 pf 35 17K 21K 166960K 143 0 ifaddr 38 6K 8K 166960K 213 0 ifgroup 55 2K 2K 166960K 221 0 sysctl 2 0K 0K 166960K 2 0 counters 64 36K 36K 166960K 150 0 ioctlops 0 0K 4K 166960K 1628 0 iov 0 0K 24K 166960K 36 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1428 90K 90K 166960K 2429 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 5K 166960K 11 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 21 0 dirhash 12 2K 2K 166960K 24 0 ACPI 1690 195K 286K 166960K 12418 0 file desc 18 65K 97K 166960K 1275 0 sigio 0 0K 0K 166960K 47 0 proc 73 91K 140K 166960K 1691 0 subproc 104 6K 6K 166960K 611 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 85 0 in_multi 81 5K 7K 166960K 567 0 ether_multi 1 0K 0K 166960K 1 0 mrt 1 0K 0K 166960K 1 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 85 387K 387K 166960K 85 0 exec 0 0K 1K 166960K 914 0 pfkey data 0 0K 0K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 249 73K 101K 166960K 11121 0 UVM aobj 17 2K 2K 166960K 19 0 pinsyscall 43 86K 112K 166960K 3386 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 63 0 NDP 12 0K 2K 166960K 152 0 temp 77 6824K 6938K 166960K 54180 0 kqueue 15 24K 28K 166960K 106 0 SYN cache 2 16K 16K 166960K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 24 0 0 1 0 1 1 0 8 0 rtpcb 120 193 0 189 2 1 1 2 0 8 0 rtentry 112 633 0 544 5 1 4 4 0 8 0 unpcb 144 926 0 908 12 10 2 6 0 8 1 syncache 336 8 0 8 3 3 0 1 0 8 0 tcpcb 808 167 0 163 3 2 1 2 0 8 0 arp 120 101 0 87 1 0 1 1 0 8 0 inpcb 336 1094 0 1085 28 24 4 13 0 8 3 nd6 136 147 0 128 1 0 1 1 0 8 0 pkpcb 40 4 0 3 2 1 1 1 0 8 0 kcovpl 48 47 0 39 1 0 1 1 0 8 0 ppxss 1168 3 0 3 3 2 1 1 0 8 1 pffrag 232 23 0 20 1 0 1 1 0 482 0 pffrnode 88 23 0 20 1 0 1 1 0 8 0 pffrent 40 45 0 42 2 1 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfanchor 1288 1 0 0 1 0 1 1 0 8 0 pfstitem 24 109 0 77 1 0 1 1 0 8 0 pfstkey 128 109 0 77 2 0 2 2 0 8 0 pfstate 376 109 0 77 5 1 4 4 0 8 0 pfrule 1344 26 0 19 2 1 1 2 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 2264 0 1890 34 3 31 31 0 8 3 art_table 32 2265 0 1890 4 0 4 4 0 8 0 art_node 16 565 0 484 1 0 1 1 0 8 0 sysvmsgpl 40 11 0 4 1 0 1 1 0 8 0 semupl 112 1 0 1 1 1 0 1 0 8 0 semapl 112 18 0 8 1 0 1 1 0 8 0 shmpl 112 16 0 2 1 0 1 1 0 8 0 pool(0xffffffff8361d158:shmpl): page inconsistency: page 0xfffffd806bd8f000; 20 on list, 14 missing, 35 items per page dirhash 1024 25 0 8 3 0 3 3 0 8 0 dino2pl 256 2592 0 1011 100 0 100 100 0 8 0 ffsino 272 2592 0 1011 108 1 107 107 0 8 0 nchpl 144 3613 0 1872 65 0 65 65 0 8 0 uvmvnodes 80 3597 0 0 74 0 74 74 0 8 0 vnodes 216 3597 0 0 200 0 200 200 0 8 0 namei 1024 15801 0 15801 3 2 1 2 0 8 1 percpumem 16 89 0 43 1 0 1 1 0 8 0 kstatmem 264 110 0 86 2 0 2 2 0 8 0 acpiwqpl 32 1 0 1 1 0 1 1 1 8 1 scsiplug 72 1 0 1 1 0 1 1 0 8 1 scxspl 216 30208 0 30208 10 9 1 7 1 8 1 plimitpl 152 273 0 256 1 0 1 1 0 8 0 sigapl 424 1522 0 1471 11 5 6 9 0 8 0 futexpl 64 9121 0 9117 6 5 1 1 0 8 0 knotepl 120 547 0 0 17 0 17 17 0 8 0 kqueuepl 216 187 0 175 3 2 1 3 0 8 0 pipepl 320 284 0 257 3 0 3 3 0 8 0 fdescpl 496 1483 0 1451 9 4 5 6 0 8 0 filepl 152 7423 0 7164 25 13 12 16 0 8 1 lockfpl 104 634 0 632 3 2 1 2 0 8 0 lockfspl 48 209 0 207 1 0 1 1 0 8 0 sessionpl 144 67 0 58 1 0 1 1 0 8 0 pgrppl 48 122 0 105 1 0 1 1 0 8 0 ucredpl 104 713 0 700 1 0 1 1 0 8 0 zombiepl 144 1473 0 1471 1 0 1 1 0 8 0 processpl 1160 1522 0 1471 7 3 4 6 0 8 0 procpl 648 2500 0 2441 8 2 6 8 0 8 0 srpgc 96 6 0 6 2 1 1 1 0 8 1 sosppl 168 10 0 10 4 3 1 1 0 8 1 sockpl 664 2230 0 2198 32 26 6 15 0 8 3 mcl64k 65536 4 0 0 1 0 1 1 0 8 0 mcl8k 8192 7 0 0 1 0 1 1 0 8 0 mcl4k 4096 1 0 0 1 0 1 1 0 8 0 mcl2k 2048 227 0 0 29 0 29 29 0 8 0 mtagpl 96 9 0 0 1 0 1 1 0 8 0 mbufpl 256 1025 0 0 63 0 63 63 0 8 0 bufpl 280 7417 0 1243 442 0 442 442 0 8 0 anonpl 24 274789 0 269156 91 10 81 89 0 185 34 amapchunkpl 152 36148 0 35548 45 10 35 43 0 158 10 amappl16 200 5528 0 5463 21 9 12 12 0 8 4 amappl15 192 10 0 9 1 0 1 1 0 8 0 amappl14 184 207 0 195 1 0 1 1 0 8 0 amappl13 176 14 0 14 1 1 0 1 0 8 0 amappl12 168 2753 0 2722 4 2 2 3 0 8 0 amappl11 160 50 0 36 1 0 1 1 0 8 0 amappl10 152 12 0 12 1 1 0 1 0 8 0 amappl9 144 129 0 128 1 0 1 1 0 8 0 amappl8 136 28 0 25 1 0 1 1 0 8 0 amappl7 128 193 0 181 1 0 1 1 0 8 0 amappl6 120 557 0 556 1 0 1 1 0 8 0 amappl5 112 296 0 284 1 0 1 1 0 8 0 amappl4 104 438 0 420 1 0 1 1 0 8 0 amappl3 96 6818 0 6701 4 0 4 4 0 8 0 amappl2 88 1276 0 1206 2 0 2 2 0 8 0 amappl1 80 14260 0 13690 15 1 14 15 0 8 0 amappl 88 10366 0 10181 6 1 5 5 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 254 0 254 2 1 1 1 0 8 1 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 18 0 2 1 0 1 1 0 8 0 uaddrrnd 24 1483 0 1451 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 1483 0 1451 1 0 1 1 0 8 0 vmmpekpl 168 14009 0 13960 3 0 3 3 0 8 0 vmmpepl 168 99612 0 97654 103 9 94 94 0 357 5 vmsppl 440 1482 0 1451 6 2 4 5 0 8 0 rwobjpl 56 34672 0 30074 68 1 67 67 0 8 0 pdppl 4096 2973 0 2902 159 88 71 87 0 8 0 pvpl 32 46165 0 0 373 1 372 372 0 265 0 pmappl 248 1482 0 1451 3 0 3 3 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 543 0 127 12 0 12 12 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8305e11a) at panic+0x1e5 sys/kern/subr_prf.c:198 pool_do_get(ffffffff8361d158,2,ffff800034794338) at pool_do_get+0x5e6 pool_get(ffffffff8361d158,2) at pool_get+0x141 shmget_allocate_segment(ffff8000359ae028,ffff800034794590,80,ffff8000347944e0) at shmget_allocate_segment+0x1a7 sys_shmget(ffff8000359ae028,ffff800034794590,ffff8000347944e0) at sys_shmget+0x1b2 sys/kern/sysv_shm.c:480 syscall(ffff800034794590) at syscall+0xaf8 mi_syscall sys/sys/syscall_mi.h:179 [inline] syscall(ffff800034794590) at syscall+0xaf8 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xd63567af610, count: -8 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffff800029b7bff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 end of kernel end trace frame: 0x792e8adcba50, count: 12 ddb{1}> trace x86_ipi_db(ffff800029b7bff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 end of kernel end trace frame: 0x792e8adcba50, count: -3