pool: cpu free list modified: mtagpl
0 views
Skip to first unread message
syzbot
Dec 26, 2025, 8:34:25 AM (10 days ago) 12/26/25
to syzkaller-o...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 97e1364f97a2 Print ASPM stuff.
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1007509a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7058272de1526588
dashboard link: https://syzkaller.appspot.com/bug?extid=7a8a39621beb88800f95
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a1c7c74d14cc/disk-97e1364f.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/acdc96b61954/bsd-97e1364f.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/18073a836544/kernel-97e1364f.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7a8a39...@syzkaller.appspotmail.com
panic: pool_cache_item_magic_check: mtagpl cpu free list modified: item addr 0xfffffd806c5d3438+16 0x0!=0x7cccb3ad76527f23
Starting stack trace...
panic(ffffffff83402dfe) at panic+0x1d0 sys/kern/subr_prf.c:229
pool_cache_get(ffffffff83949a18) at pool_cache_get+0x3d4 sys/kern/subr_pool.c:1902
pool_get(ffffffff83949a18,1) at pool_get+0xd6 sys/kern/subr_pool.c:-1
m_tag_get(100,4,1) at m_tag_get+0x9c sys/kern/uipc_mbuf2.c:-1
bpf_movein(ffff8000fffe4fe8,ffff80000180f000,ffff8000fffe4d20,ffff8000fffe4c
20) at bpf_movein+0x552 sys/net/bpf.c:-1
bpfwrite(41700,ffff8000fffe4fe8,1) at bpfwrite+0x1fa sys/net/bpf.c:656
spec_write(ffff8000fffe4e30) at spec_write+0x11f sys/kern/spec_vnops.c:302
VOP_WRITE(fffffd805ef27de0,ffff8000fffe4fe8,1,fffffd80097fd618) at VOP_WRITE+0x101 sys/kern/vfs_vops.c:245
vn_write(fffffd806c7c3680,ffff8000fffe4fe8,0) at vn_write+0x1d3 sys/kern/vfs_vnops.c:408
dofilewritev(ffff8000fffe82b8,3,ffff8000fffe4fe8,0,ffff8000fffe50a0) at dofilewritev+0x242 sys/kern/sys_generic.c:380
sys_write(ffff8000fffe82b8,ffff8000fffe5150,ffff8000fffe50a0) at sys_write+0xa2 sys/kern/sys_generic.c:300
syscall(ffff8000fffe5150) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff8000fffe5150) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:775
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xe102a19dba0, count: 244
End of stack trace.
syncing disks...set $lines = 0
set $maxwidth = 0
show panic
trace
show registers
show proc
ps
show all locks
show malloc
show all pools
machine ddbcpu 0
trace
machine ddbcpu 1
trace
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 97e1364f97a2 Print ASPM stuff.
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1007509a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7058272de1526588
dashboard link: https://syzkaller.appspot.com/bug?extid=7a8a39621beb88800f95
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a1c7c74d14cc/disk-97e1364f.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/acdc96b61954/bsd-97e1364f.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/18073a836544/kernel-97e1364f.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7a8a39...@syzkaller.appspotmail.com
panic: pool_cache_item_magic_check: mtagpl cpu free list modified: item addr 0xfffffd806c5d3438+16 0x0!=0x7cccb3ad76527f23
Starting stack trace...
panic(ffffffff83402dfe) at panic+0x1d0 sys/kern/subr_prf.c:229
pool_cache_get(ffffffff83949a18) at pool_cache_get+0x3d4 sys/kern/subr_pool.c:1902
pool_get(ffffffff83949a18,1) at pool_get+0xd6 sys/kern/subr_pool.c:-1
m_tag_get(100,4,1) at m_tag_get+0x9c sys/kern/uipc_mbuf2.c:-1
bpf_movein(ffff8000fffe4fe8,ffff80000180f000,ffff8000fffe4d20,ffff8000fffe4c
20) at bpf_movein+0x552 sys/net/bpf.c:-1
bpfwrite(41700,ffff8000fffe4fe8,1) at bpfwrite+0x1fa sys/net/bpf.c:656
spec_write(ffff8000fffe4e30) at spec_write+0x11f sys/kern/spec_vnops.c:302
VOP_WRITE(fffffd805ef27de0,ffff8000fffe4fe8,1,fffffd80097fd618) at VOP_WRITE+0x101 sys/kern/vfs_vops.c:245
vn_write(fffffd806c7c3680,ffff8000fffe4fe8,0) at vn_write+0x1d3 sys/kern/vfs_vnops.c:408
dofilewritev(ffff8000fffe82b8,3,ffff8000fffe4fe8,0,ffff8000fffe50a0) at dofilewritev+0x242 sys/kern/sys_generic.c:380
sys_write(ffff8000fffe82b8,ffff8000fffe5150,ffff8000fffe50a0) at sys_write+0xa2 sys/kern/sys_generic.c:300
syscall(ffff8000fffe5150) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff8000fffe5150) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:775
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xe102a19dba0, count: 244
End of stack trace.
syncing disks...set $lines = 0
set $maxwidth = 0
show panic
trace
show registers
show proc
ps
show all locks
show malloc
show all pools
machine ddbcpu 0
trace
machine ddbcpu 1
trace
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages