assert "(p->pfik_flagrefs == NUM) || (p->pfik_flagrefs == NUM)" failed in pf_if.c

syzbot

May 10, 2026, 10:50:22 PM (6 days ago) May 10
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: bf258236f7c1 rsa_padding_test: %i -> %d
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1333c3ce580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1bc15e68cd2a49e5
dashboard link: https://syzkaller.appspot.com/bug?extid=0a311e96d7ced7bea566

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/698e5016b80f/disk-bf258236.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/e6f6a9fc09c6/bsd-bf258236.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/de106bd1d127/kernel-bf258236.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0a311e...@syzkaller.appspotmail.com

login: panic: kernel diagnostic assertion "(p->pfik_flagrefs == 0) || (p->pfik_flagrefs == 1)" failed: file "/syzkaller/managers/main/kernel/sys/net/pf_if.c", line 907
Stopped at db_enter+0x25: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*264625 2494 0 0 0x4000000 0 syz-executor
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff8341b4bc) at panic+0x1cf sys/kern/subr_prf.c:198
__assert(ffffffff83455408,ffffffff8343d459,38b,ffffffff833c936f) at __assert+0x29 sys/kern/subr_prf.c:-1
pfi_clear_flags(ffff8000314c7330,0) at pfi_clear_flags+0x41d sys/net/pf_if.c:893
pfioctl(14900,c028445a,ffff8000314c7330,3,ffff80002f0ba020) at pfioctl+0xf6a sys/net/pf_ioctl.c:3910
VOP_IOCTL(fffffd8072cd37a8,c028445a,ffff8000314c7330,3,fffffd8007ffd548,ffff80002f0ba020) at VOP_IOCTL+0xa3 sys/kern/vfs_vops.c:264
vn_ioctl(fffffd807c2c35b0,c028445a,ffff8000314c7330,ffff80002f0ba020) at vn_ioctl+0xea sys/kern/vfs_vnops.c:537
sys_ioctl(ffff80002f0ba020,ffff8000314c7500,ffff8000314c7450) at sys_ioctl+0x660 sys/kern/sys_generic.c:-1
syscall(ffff8000314c7500) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline]
syscall(ffff8000314c7500) at syscall+0x962 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xce8f8a564e0, count: 5
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup