syzbot



OpenBSD

fixed (37):
Title Repro Bisected Count Last Reported Closed Patch
uvm_fault: rtable_satoplen 158 4d01h 20d 3d19h fab4809e Make sure pointer is within bounds before dereferencing it.
witness: acquiring duplicate lock of same type: "&sc->sc_lock" C 231 33d 35d 33d 1f8a38b1 When adding a wsmux device to an existing wsmux device using ioctl(WSMUXIO_ADD_DEVICE), two distinct locks of the same type are acquired. Thus, witness will emit warning. Since acquiring two different locks of the same type is harmless in this context, relax the witness check by flagging the locks as RWL_DUPOK.
panic: timeout_add: to_ticks < 0 C 66 33d 38d 33d 3cfc9cae Reject negative input from userland in spkrioctl(). One of the arguments are later passed to timeout_add() which panics if the given ticks are negative. While here, clamp arguments in pcppi_bell() in order to prevent overflow.
uvm_fault: pckbc_start 1 35d 35d 34d 0c0bf631 Serialize access to the list of attached child devices belonging to a wsmux. When invoking wsevsrc_* functions on a attached child device, underlying driver can sleep; this introduces a race where another thread is able to modify the list leading to all kinds of corruptions.
uvm_fault: wsmux_detach_sc syz 10 37d 49d 35d 0c0bf631 Serialize access to the list of attached child devices belonging to a wsmux. When invoking wsevsrc_* functions on a attached child device, underlying driver can sleep; this introduces a race where another thread is able to modify the list leading to all kinds of corruptions.
panic: vmmaplk: lock not shared C 16 46d 58d 46d Always refault if relocking maps fails after IO. This fixes a regression
panic: pool_p_free: semupl free list modified: page ADDR; item addr ADDR; offset 0x0=ADDR C 5 46d 166d 46d When freeing the sem_undo structure in semundo_adjust(), update the
pool: free list modified: semupl C 6 52d 166d 46d When freeing the sem_undo structure in semundo_adjust(), update the
pool: double put: mbufpl 6 112d 113d 46d Avoid an mbuf double free in the oob soreceive() path. In the
uvm_fault: wsmux_do_ioctl (2) C 17 53d 57d 52d In wskbdclose(), use the same logic as in wskbdopen() to determine if
kernel: protection fault trap, code=0 (3) C 3 58d 58d 57d Validate the user-supplied device index given to WSMUXIO_ADD_DEVICE. The same
uvm_fault: VOP_ACCESS 393 62d 104d 62d namei can return a null dvp on success. check this before access.
kernel: protection fault trap, code=0 (2) syz 109 63d 87d 63d Introduce a dedicated entry point data structure for file locks. This new data
panic: malformed IPv4 option passed to ip_optcopy (2) C 149 68d 72d 65d Bring back the ip_pcbopts() refactor. Pad the option buffer and therefor the mbuf to the next word length as it is required by the standard. Also use the correct offset from the input mbuf. OK visa@, input & OK bluhm@
panic: uvm_fault_unwire_locked: address not in map C 2 90d 90d 74d Hold a read lock on the map while doing the actual device I/O during in
assert "next != NULL && next->start <= entry->end" failed in uvm_fault.c C 2 88d 89d 74d Hold a read lock on the map while doing the actual device I/O during in
panic: malformed IPv4 option passed to ip_optcopy C 10 88d 97d 77d Validate the version, and all length fields of IP packets passed to a raw socket
panic: m_zero: M_READONLY C 3 82d 82d 77d It is possible to call m_zero with a read-only cluster. In that case just
assert "__mp_lock_held(&sched_lock, curcpu()) == 0" failed in kern_lock.c C 17 79d 91d 78d ec412da1 Fix unsafe use of ptsignal() in mi_switch().
uvm_fault: m_free 12 89d 111d 79d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
pool: free list modified: mbufpl syz 13 98d 112d 79d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pr_find_pagehead: mbufpl: incorrect page 3 92d 108d 79d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pool_cache_item_magic_check: mcl64k cpu free list modified: item addr ADDR+24 ADDR!=ADDR 1 109d 109d 79d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
uvm_fault: switchread 1 106d 106d 79d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
uvm_fault: switchwrite syz 7 89d 109d 79d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr ADDR+16 0x0!=ADDR 1 99d 99d 81d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pr_find_pagehead: mbufpl: page header missing C 10 98d 111d 87d Fix mbuf releated crashes in switch(4). They have been found by
pool: free list modified: mcl2k C 4 96d 150d 95d Replace a wrong poor mans m_trailingspace() with the real thing. The mbuf
panic: receive 3: so ADDR, so_type 1, m ADDR, m_type 6 C 18 98d 107d 97d When using MSG_WAITALL, soreceive() can sleep while processing the receive buffer of a stream socket. Then a new pair of control and data mbuf can be appended to the mbuf queue. In this case, terminate the loop with a short read to prevent a panic. Userland should read the control message with the next system call. OK claudio@ deraadt@
panic: kernel diagnostic assertion "M_DATABUF(m) + M_SIZE(m) >= (m->m_data + m->m_len)" failed: file "/syzkaller/manager C 7 106d 112d 97d 49729d6e In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees the inpcb apart from the disconnect. Just call soisdisconnected() and clear the inp->inp_faddr since the socket is still valid after a disconnect. Problem found by syzkaller via Greg Steuck OK visa@ Fixes: Reported-by: syzbot+2cd350dfe5c96f6469f2@syzkaller.appspotmail.com Reported-by: syzbot+139ac2d7d3d60162334b@syzkaller.appspotmail.com Reported-by: syzbot+02168317bd0156c13b69@syzkaller.appspotmail.com Reported-by: syzbot+de8d2459ecf4cdc576a1@syzkaller.appspotmail.com
pool: double put: lockfpl 1 174d 166d 97d Rework previous lockf fix; bluhm@ noticed a regress failure during consecutive runs. This is a second attempt in which the lockf structure is turned into a doubly linked list which makes it easier to ensure correctness during list insertion and deletion.
uvm_fault: killjobc 1 102d 102d 97d When no child devices are attached to a wsmux device, make sure to return an
uvm_fault: wsmux_do_ioctl 2 127d 166d 97d Utilize sigio with wscons. The old behavior of always making the process group of the process who opens the device the default recipient of sigio is removed as a side-effect of this change. Issuing ioctl(FIOSETOWN) is therefore mandatory in order to receive sigio, which is more consistent with other subsystems supporting sigio.
uvm_fault: sogetopt C 2 114d 114d 111d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
kernel: protection fault trap, code=0 C 16 111d 116d 111d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
uvm_fault: ip_ctloutput C 11 111d 115d 111d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
uvm_fault: ip_pcbopts C 6 111d 115d 111d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees