panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr ADDR+16 0x0!=ADDR (2)


syzbot

Sep 18, 2019, 2:24:06 PM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: dd27a176 Let snmpd's regress test make use of our very own..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=175c7455600000
kernel config: https://syzkaller.appspot.com/x/.config?x=26ca0a9c07f16a3a
dashboard link: https://syzkaller.appspot.com/bug?extid=00ce0617548fcbf1a48e
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=137d3f21600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+00ce06...@syzkaller.appspotmail.com

login: panic: pool_cache_item_magic_check: mbufpl cpu free list modified:
item addr 0xfffffd806d732400+16 0x0!=0xf9ef81fdec24a3af
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
343728 60677 0 0x14000 0x200 1 reaper
*209997 87037 0 0x14000 0x40000200 0K softclock
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
pool_cache_get(ffffffff82658ba8) at pool_cache_get+0x323
pool_cache_item_magic_check sys/kern/subr_pool.c:1789 [inline]
pool_cache_get(ffffffff82658ba8) at pool_cache_get+0x323
sys/kern/subr_pool.c:1892
pool_get() at pool_get+0x91 sys/kern/subr_pool.c:572
m_get(2,1) at m_get+0x4c sys/kern/uipc_mbuf.c:250
mld6_sendpkt(ffff800000a5d100,83,0) at mld6_sendpkt+0xaf
sys/netinet6/mld6.c:410
mld6_fasttimeo() at mld6_fasttimeo+0x162 mld6_checktimer
sys/netinet6/mld6.c:363 [inline]
mld6_fasttimeo() at mld6_fasttimeo+0x162 sys/netinet6/mld6.c:341
pffasttimo(ffffffff8254c978) at pffasttimo+0x85 sys/kern/uipc_domain.c:292
timeout_run(ffffffff8254c978) at timeout_run+0xc4 timeout_sync_leave
sys/kern/kern_timeout.c:177 [inline]
timeout_run(ffffffff8254c978) at timeout_run+0xc4
sys/kern/kern_timeout.c:477
softclock_thread(ffff800020a10000) at softclock_thread+0x16a
sys/kern/kern_timeout.c:558
end trace frame: 0x0, count: 5
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
pool_cache_item_magic_check: mbufpl cpu free list modified: item addr
0xfffffd806d732400+16 0x0!=0xf9ef81fdec24a3af
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
pool_cache_get(ffffffff82658ba8) at pool_cache_get+0x323
pool_cache_item_magic_check sys/kern/subr_pool.c:1789 [inline]
pool_cache_get(ffffffff82658ba8) at pool_cache_get+0x323
sys/kern/subr_pool.c:1892
pool_get() at pool_get+0x91 sys/kern/subr_pool.c:572
m_get(2,1) at m_get+0x4c sys/kern/uipc_mbuf.c:250
mld6_sendpkt(ffff800000a5d100,83,0) at mld6_sendpkt+0xaf
sys/netinet6/mld6.c:410
mld6_fasttimeo() at mld6_fasttimeo+0x162 mld6_checktimer
sys/netinet6/mld6.c:363 [inline]
mld6_fasttimeo() at mld6_fasttimeo+0x162 sys/netinet6/mld6.c:341
pffasttimo(ffffffff8254c978) at pffasttimo+0x85 sys/kern/uipc_domain.c:292
timeout_run(ffffffff8254c978) at timeout_run+0xc4 timeout_sync_leave
sys/kern/kern_timeout.c:177 [inline]
timeout_run(ffffffff8254c978) at timeout_run+0xc4
sys/kern/kern_timeout.c:477
softclock_thread(ffff800020a10000) at softclock_thread+0x16a
sys/kern/kern_timeout.c:558
end trace frame: 0x0, count: -10
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff800020a25750
rbx 0xffff800020a25800
rdx 0x8b
rcx 0x2
rax 0x1
r8 0xffffffff81ebdc8f kprintf+0x16f
r9 0x1
r10 0x6d5e77c31ce9713f
r11 0xe4fd54fa694ca076
r12 0x3000000008
r13 0xffff800020a25760
r14 0x100
r15 0x1
rip 0xffffffff81c5afd8 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020a25740
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (softclock) pid=209997 stat=onproc
flags process=14000<NOZOMBIE,SYSTEM> proc=40000200<SYSTEM,CPUPEG>
pri=0, usrpri=50, nice=20
forw=0xffffffffffffffff, list=0xffff800020a104f0,0xffff800020a10288
process=0xffff800020a12700 user=0xffff800020a20000,
vmspace=0xffffffff82626ed8
estcpu=0, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{0}>


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
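The panic line in this report is produced by a free-list integrity check, not by the code that corrupted memory: when an item is returned to a pool's per-CPU cache, the freed item's own bytes are reused as the list node and sealed with secret cookies; when the item is handed out again the cookies are recomputed and compared. The example below is an added user-space model of that mechanism, not code from the report, from syzbot, or from OpenBSD's sys/kern/subr_pool.c. It is modelled on the pool cache design (the function names are reused as labels only), the field layout is an assumption chosen so the first cookie word sits at +16 like in the panic, the cookie seeding is a deterministic stand-in for arc4random(), and the three scenarios are constructed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* A freed item is reused as its own list node; the first cookie lands at +16. */
struct pool_cache_item {
	struct pool_cache_item *ci_next; /* +0  next free item on this CPU's list */
	unsigned long ci_nitems;         /* +8  items from here to the tail */
	unsigned long ci_magic[2];       /* +16, +24: cookies written at free time */
};

struct pool {
	const char *pr_wchan;            /* pool name shown in the panic ("mbufpl") */
	unsigned long pr_cache_magic[2]; /* per-pool secrets drawn at pool creation */
	struct pool_cache_item *pc_head; /* this CPU's free list */
};

struct magic_fail {
	int failed;
	size_t offset;                   /* byte offset of the bad word in the item */
	unsigned long seen, expected;    /* value in memory vs. the cookie expected */
};
/* splitmix64: deterministic stand-in for the kernel's arc4random() (assumption). */
static unsigned long mix64(unsigned long *s)
{
	unsigned long z = (*s += 0x9e3779b97f4a7c15UL);
	z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9UL;
	z = (z ^ (z >> 27)) * 0x94d049bb133111ebUL;
	return z ^ (z >> 31);
}

void pool_init(struct pool *pp, const char *name, unsigned long seed)
{
	pp->pr_wchan = name; pp->pc_head = NULL;
	pp->pr_cache_magic[0] = mix64(&seed);
	pp->pr_cache_magic[1] = mix64(&seed);
}

/* Free: seal the node with cookies bound to its own address and to its link. */
void pool_cache_put(struct pool *pp, void *item)
{
	struct pool_cache_item *ci = item;
	ci->ci_next = pp->pc_head;
	ci->ci_nitems = pp->pc_head ? pp->pc_head->ci_nitems + 1 : 1;
	ci->ci_magic[0] = pp->pr_cache_magic[0] ^ (unsigned long)ci;
	ci->ci_magic[1] = pp->pr_cache_magic[1] ^ (unsigned long)ci->ci_next;
	pp->pc_head = ci;
}

/* The check that fired: a write to the freed item or a tampered link breaks a
 * cookie. The kernel panics with offset/seen/expected; here they are returned. */
int pool_cache_item_magic_check(const struct pool *pp,
    const struct pool_cache_item *ci, struct magic_fail *mf)
{
	unsigned long want = pp->pr_cache_magic[0] ^ (unsigned long)ci;
	memset(mf, 0, sizeof(*mf));
	if (ci->ci_magic[0] != want) {
		mf->offset = offsetof(struct pool_cache_item, ci_magic);
		mf->seen = ci->ci_magic[0];
		goto fail;
	}
	want = pp->pr_cache_magic[1] ^ (unsigned long)ci->ci_next;
	if (ci->ci_magic[1] != want) {
		mf->offset = offsetof(struct pool_cache_item, ci_magic) + sizeof(want);
		mf->seen = ci->ci_magic[1];
		goto fail;
	}
	return 0;
fail:
	mf->failed = 1; mf->expected = want;
	return -1;
}

/* Allocate: verify the head before trusting its link, then unlink it. */
void *pool_cache_get(struct pool *pp, struct magic_fail *mf)
{
	struct pool_cache_item *ci = pp->pc_head;
	if (ci == NULL || pool_cache_item_magic_check(pp, ci, mf) != 0)
		return NULL;
	pp->pc_head = ci->ci_next;
	return ci;
}

/* Constructed scenarios: 0 = clean; 1 = a write-after-free zeroes the freed
 * item's header (the shape of the report: +16 reads 0x0); 2 = only the link is
 * clobbered, caught by the second cookie. *addr gets the item's address. */
struct magic_fail run_scenario(int mode, unsigned long *addr)
{
	struct pool pp; struct magic_fail mf = { 0 };
	void *item = malloc(256);        /* stand-in for one mbuf */
	pool_init(&pp, "mbufpl", 0x1234);
	pool_cache_put(&pp, item);
	*addr = (unsigned long)item;
	if (mode == 1) memset(item, 0, 32);
	if (mode == 2) ((struct pool_cache_item *)item)->ci_next = (void *)0x4141UL;
	pool_cache_get(&pp, &mf);
	free(item);
	return mf;
}
```

Read the panic's numbers against this model: "item addr 0xfffffd806d732400" is the freed mbuf sitting on CPU 0's mbufpl free list, "+16" is the first cookie word, "0x0" is what was found there, and "0xf9ef81fdec24a3af" is the cookie the pool expected (secret XOR item address). The check runs on the allocation path, which is why the trace shows it under pool_get, m_get and mld6_sendpkt in the softclock thread; that thread is the victim, not necessarily the culprit. The panic identifies neither the code that wrote zeros over the freed mbuf nor when it did so, so triage starts from the syz repro and whatever last freed that mbuf (a write after m_free, or a free of an mbuf still in use elsewhere), not from mld6.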