syzbot


panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr ADDR+16 0x0!=ADDR
Status: fixed on 2019/01/03 23:04
Reported-by: syzbot+6237a20c91fa048719ea@syzkaller.appspotmail.com
Fix commit: 54e30ac1 Fix mbuf related crashes in switch(4).
They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now.
- Check M_PKTHDR with assertion before accessing m_pkthdr.
- Do not access oh_length without m_pullup().
- After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content.
- Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf.
Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com
test akoshibe@; OK claudio@
First crash: 273d, last: 273d
duplicates (1):
| Title | Repro | Bisected | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|
| panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr ADDR+24 ADDR!=ADDR | | | 1 | 281d | 281d | 0/3 | closed as dup on 2019/01/02 21:02 |

Sample crash report:

All crashes (1):
| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro |
|---|---|---|---|---|---|---|---|---|---|
| ci-openbsd-multicore | 2018/12/16 17:43 | openbsd | 4e9c4198 | 1749e412 | .config | log | report | | |