Hello,
syzbot found the following issue on:
HEAD commit: 829f23bb157c very basic testing of multiple files in Revok..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=102c2eef980000
kernel config: https://syzkaller.appspot.com/x/.config?x=7058272de1526588
dashboard link: https://syzkaller.appspot.com/bug?extid=3c938cb8b47df8e82ebc
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8b5f020af2bd/disk-829f23bb.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/cddba83945d0/bsd-829f23bb.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/381c51551be5/kernel-829f23bb.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3c938c...@syzkaller.appspotmail.com
panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd806c902600+16 0x0!=0xc097549255240e8e
Starting stack trace...
panic(ffffffff83402c82) at panic+0x1d0 sys/kern/subr_prf.c:229
pool_cache_get(ffffffff838f4df8) at pool_cache_get+0x3d4 sys/kern/subr_pool.c:1906
pool_get(ffffffff838f4df8,2) at pool_get+0xd6 sys/kern/subr_pool.c:-1
m_gethdr(2,2) at m_gethdr+0x7e sys/kern/uipc_mbuf.c:266
tcp_output(ffff800001560000) at tcp_output+0x1c90 sys/netinet/tcp_output.c:-1
tcp_send(ffff800010fdc5f0,fffffd807a22fc00,0,0) at tcp_send+0x191
sosend(ffff800010fdc5f0,0,ffff80002a28e888,0,0,80) at sosend+0x804 sys/kern/uipc_socket.c:-1
dofilewritev(ffff80002a262fa0,3,ffff80002a28e888,0,ffff80002a28e940) at dofilewritev+0x242 sys/kern/sys_generic.c:380
sys_write(ffff80002a262fa0,ffff80002a28e9f0,ffff80002a28e940) at sys_write+0xa2 sys/kern/sys_generic.c:300
syscall(ffff80002a28e9f0) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80002a28e9f0) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:775
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7d385b697920, count: 246
End of stack trace.
panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr 0xfffffd806c902600+16 0x0!=0xc097549255240e8e
Starting stack trace...
panic(ffffffff83402c82) at panic+0x1d0 sys/kern/subr_prf.c:229
pool_cache_get(ffffffff838f4df8) at pool_cache_get+0x3d4 sys/kern/subr_pool.c:1906
pool_get(ffffffff838f4df8,2) at pool_get+0xd6 sys/kern/subr_pool.c:-1
m_clget(0,2,1000) at m_clget+0x25e m_gethdr sys/kern/uipc_mbuf.c:-1 [inline]
m_clget(0,2,1000) at m_clget+0x25e sys/kern/uipc_mbuf.c:380
vio_populate_rx_mbufs(ffff800000050800,ffff8000002a4d00) at vio_populate_rx_mbufs+0x197 vio_add_rx_mbuf sys/dev/pv/if_vio.c:-1 [inline]
vio_populate_rx_mbufs(ffff800000050800,ffff8000002a4d00) at vio_populate_rx_mbufs+0x197 sys/dev/pv/if_vio.c:1485
vio_rx_intr(ffff8000002a5000) at vio_rx_intr+0xc9 sys/dev/pv/if_vio.c:1645
vio_queue_intr(ffff8000002a4d00) at vio_queue_intr+0x59 sys/dev/pv/if_vio.c:981
intr_handler(ffff80002a28dbc0,ffff8000002a3b80) at intr_handler+0x125 sys/arch/amd64/amd64/intr.c:564
Xintr_ioapic_edge26_untramp() at Xintr_ioapic_edge26_untramp+0x18f
Xspllower() at Xspllower+0x1d
tsleep_nsec(fffffd800b07b348,11,ffffffff8345b2c0,ffffffffffffffff) at tsleep_nsec+0x1e4 sys/kern/kern_synch.c:143
biowait(fffffd800b07b348) at biowait+0xc6 sys/kern/vfs_bio.c:1242
bwrite(fffffd800b07b348) at bwrite+0x2e7 sys/kern/vfs_bio.c:754
ffs_update(fffffd806e797250,1) at ffs_update+0x2fe sys/ufs/ffs/ffs_inode.c:111
ffs_truncate(fffffd806e797250,0,0,ffffffffffffffff) at ffs_truncate+0xc9b sys/ufs/ffs/ffs_inode.c:-1
ufs_inactive(ffff80002a28e0c0) at ufs_inactive+0x202 sys/ufs/ufs/ufs_inode.c:84
VOP_INACTIVE(fffffd80739dfcb8,ffff80002a262fa0) at VOP_INACTIVE+0x104 sys/kern/vfs_vops.c:498
vput(fffffd80739dfcb8) at vput+0xe5 sys/kern/vfs_subr.c:789
vn_close(fffffd80739dfcb8,2,ffffffffffffffff,ffff80002a262fa0) at vn_close+0xb7 sys/kern/vfs_vnops.c:294
acct_shutdown() at acct_shutdown+0x8a sys/kern/kern_acct.c:361
vfs_shutdown(ffff80002a262fa0) at vfs_shutdown+0x23 sys/kern/vfs_subr.c:1791
boot(100) at boot+0x16f sys/arch/amd64/amd64/machdep.c:927
reboot(100) at reboot+0xb1
panic(ffffffff83402c82) at panic+0x1f9
pool_cache_get(ffffffff838f4df8) at pool_cache_get+0x3d4 sys/kern/subr_pool.c:1906
pool_get(ffffffff838f4df8,2) at pool_get+0xd6 sys/kern/subr_pool.c:-1
m_gethdr(2,2) at m_gethdr+0x7e sys/kern/uipc_mbuf.c:266
tcp_output(ffff800001560000) at tcp_output+0x1c90 sys/netinet/tcp_output.c:-1
tcp_send(ffff800010fdc5f0,fffffd807a22fc00,0,0) at tcp_send+0x191 sys/netinet/tcp_usrreq.c:859
sosend(ffff800010fdc5f0,0,ffff80002a28e888,0,0,80) at sosend+0x804 sys/kern/uipc_socket.c:-1
dofilewritev(ffff80002a262fa0,3,ffff80002a28e888,0,ffff80002a28e940) at dofilewritev+0x242 sys/kern/sys_generic.c:380
sys_write(ffff80002a262fa0,ffff80002a28e9f0,ffff80002a28e940) at sys_write+0xa2 sys/kern/sys_generic.c:300
syscall(ffff80002a28e9f0) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80002a28e9f0) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:775
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7d385b697920, count: 223
End of stack trace.
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup