panic: pool_do_get: pfstkey: page empty (2)


syzbot

Dec 28, 2025, 10:43:23 AM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: b86add70dd7c print Boot File URL options
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=168764fc580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7058272de1526588
dashboard link: https://syzkaller.appspot.com/bug?extid=73d3c0926e530bb0f9b2

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3a57680ce974/disk-b86add70.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/bf5e4ce34084/bsd-b86add70.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/07a538088c86/kernel-b86add70.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+73d3c0...@syzkaller.appspotmail.com

panic: pool_do_get: pfstkey: page empty
Starting stack trace...
panic(ffffffff83358919) at panic+0x1d0 sys/kern/subr_prf.c:229
pool_do_get(ffffffff83a10650,a,ffff8000357fd108) at pool_do_get+0x55a sys/kern/subr_pool.c:728
pool_get(ffffffff83a10650,a) at pool_get+0x162 sys/kern/subr_pool.c:-1
pf_state_key_setup(ffff8000357fd4c8,ffff8000357fd320,ffff8000357fd328,0) at pf_state_key_setup+0x88 pf_alloc_state_key sys/net/pf.c:-1 [inline]
pf_state_key_setup(ffff8000357fd4c8,ffff8000357fd320,ffff8000357fd328,0) at pf_state_key_setup+0x88 sys/net/pf.c:1218
pf_create_state(ffff8000357fd4c8,ffff800001504008,0,0,ffff8000357fd320,ffff8000357fd328,ce34d83749b16d39,ffff8000357fd340,ffff8000357fd4c8,ffff8000357fd338,0,ffff800001504008,ffff8000357fd40c) at pf_create_state+0x776 sys/net/pf.c:5195
pf_test_rule(ffff8000357fd4c8,ffff8000357fd5b8,ffff8000357fd5c0,ffff8000357fd5a8,ffff8000357fd598,1) at pf_test_rule+0x1371 sys/net/pf.c:4991
pf_test(18,2,ffff80000157e800,ffff8000357fd748) at pf_test+0x1ef5 sys/net/pf.c:8398
ip6_output(fffffd807c449900,0,0,1,ffff8000357fd7d8,0) at ip6_output+0x1b86 sys/netinet6/ip6_output.c:621
nd6_ns_output(ffff80000157e800,0,ffff800001539e58,0,1) at nd6_ns_output+0x67d icmp6stat_inc sys/netinet/icmp6.h:-1 [inline]
nd6_ns_output(ffff80000157e800,0,ffff800001539e58,0,1) at nd6_ns_output+0x67d sys/netinet6/nd6_nbr.c:492
nd6_dad_start(ffff800001539e00) at nd6_dad_start+0x286 nd6_dad_starttimer sys/netinet6/nd6_nbr.c:1013 [inline]
nd6_dad_start(ffff800001539e00) at nd6_dad_start+0x286 sys/netinet6/nd6_nbr.c:1078
in6_ifattach_linklocal(ffff80000157e800,0) at in6_ifattach_linklocal+0x3d0 sys/netinet6/in6_ifattach.c:276
in6_ifattach(ffff80000157e800) at in6_ifattach+0x2d0 sys/netinet6/in6_ifattach.c:384
ifioctl(ffff8000015de958,801169ab,ffff8000357fdb20,ffff80003c435cb0) at ifioctl+0x1b13 sys/net/if.c:2217
sys_ioctl(ffff80003c435cb0,ffff8000357fdd00,ffff8000357fdc50) at sys_ioctl+0x674 sys/kern/sys_generic.c:-1
syscall(ffff8000357fdd00) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff8000357fdd00) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:775
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x75f7f4143d90, count: 241
End of stack trace.


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup