syzbot


Title Repro Cause bisect Fix bisect Count Last Reported Patched Closed Patch
panic: tcp_default_fb_init: connection ADDR in unexpected state NUM 15 1d16h 4d21h 2/2 1d14h e0f7e7324884 tcp: remove an invalid KASSERT
Fatal trap NUM: page fault in in_pcbremhash_locked C 219 16d 131d 2/2 15d ba3d547967c8 tcp: Fix the SO_REUSEPORT_LB check
panic: mutex so_rcv not owned at /syzkaller/managers/main/kernel/sys/kern/uipc_usrreq.c:LINE C 7 50d 53d 2/2 40d c44d6f43a68f unix/stream: provide uipc_cantrcvmore()
panic: zone pf frag entries initialization after use. 1 58d 58d 2/2 55d b70fadca623f pf: fix dealing with 0 limits
panic: sofree:NUM curvnet is NULL, so=ADDR C 49 57d 58d 2/2 57d 9a7d03c7df35 sendfile: cover the entire sendfile operation under CURVNET_SET()
Fatal trap NUM: page fault in unp_dispose 2 57d 57d 2/2 57d 964fe0fd4d52 unix: fix skipping of M_NOTREADY mbufs in unp_dispose()
panic: aio_process_rw: opcode NUM C 2 62d 62d 2/2 61d ab01a5f5628e aio: Fix opcode handling in aio_process_rw()
panic: vm_pager_assert_in: page ADDR is mapped (2) C 3 69d 73d 2/2 69d 1cce7d86c86a vm_map: fix iterator jump size
panic: ktls_frame: mapped mbuf ADDR (top = ADDR) C 4 75d 75d 2/2 71d 1000cc4a0d39 so_splice: Disallow splicing with KTLS-enabled sockets
panic: _pctrie_lookup_node: freed node in iter path C 5 74d 75d 2/2 74d bcd96c3180d6 vm_object: reset iter in page_clean
freebsd build error (20) 23 74d 147d 2/2 74d b66e75bffc22 kcov: Fix the build
panic: neg writecount increment NUM + -NUM = -NUM C 2 84d 84d 2/2 81d 509189bb4109 fhopen: Enable handling of O_PATH, fix some bugs
panic: Bad link elm ADDR next->prev != elm (4) 2 101d 123d 2/2 81d a6268f89d58c proc: Disallow re-enabling of process itimers during exit
panic: vm_page_free_prep: attempting to free a PG_NOFREE page 2520 84d 334d 2/2 83d ae10431c9833 vm_page: Allow PG_NOFREE pages to be freed
panic: unhandled af NUM (2) C 5 84d 84d 2/2 83d 646b453110aa pf: fix pf_ioctl_add_addr() validation
panic: mutex sctp-inp not owned at /syzkaller/managers/main/kernel/sys/kern/kern_mutex.c:LINE 1 95d 95d 2/2 93d e8623834ca29 sctp: fix double unlock in case adding a remote address fails
panic: ASan: Invalid access, NUM-byte read at ADDR, StackMiddle(f2) (2) C 16 439d 983d 2/2 93d 68a3a7fc9483 kasan: fix false-positive kasan_report upon thread reuse
panic: ASan: Invalid access, NUM-byte read at ADDR, UseAfterScope(f8) (2) C 452 439d 1137d 2/2 93d 68a3a7fc9483 kasan: fix false-positive kasan_report upon thread reuse
panic: ASan: Invalid access, NUM-byte read at ADDR, StackRight(f3) syz 3 450d 453d 2/2 93d 68a3a7fc9483 kasan: fix false-positive kasan_report upon thread reuse
panic: mpred ADDR doesn't precede pindex 0x763 1 97d 97d 2/2 96d 93c4f310fc65 vm_fault: correct mpred update after alloc fail
panic: mpred ADDR doesn't precede pindex 0xbdc 1 98d 98d 2/2 96d 93c4f310fc65 vm_fault: correct mpred update after alloc fail
panic: Empty stailq ADDR->stqh_last is ADDR, not head's first field address (2) 1 102d 102d 2/2 96d e9a846468acf ktrace: Use STAILQ_EMPTY_ATOMIC when checking for records in userret()
panic: Assertion M_WRITABLE(m0) failed at /syzkaller/managers/main/kernel/sys/kern/uipc_mbuf.c:LINE C 40 294d 295d 2/2 96d 299175f2e52e Revert "Assert that mbufs are writable if we write to them"
panic: mpred ADDR doesn't precede pindex 0x5c2 1 97d 97d 2/2 96d 93c4f310fc65 vm_fault: correct mpred update after alloc fail
panic: unhandled af NUM 23 121d 121d 2/2 120d 80b64ef0a10b pf: don't assert on address family in pf_addrcpy()
panic: nl_buf_alloc: invalid length ADDR C 2 125d 125d 2/2 124d a80bbc4e9597 netlink: refuse a send(2) that is larger than socket buffer
panic: inpcb ADDR is not in a load balance group 4 160d 160d 2/2 131d 16369f33c5d9 inpcb: Remove an incorrect assertion in in_pcblbgroup_find()
panic: Empty stailq ADDR->stqh_last is ADDR, not head's first field address 1 147d 147d 2/2 131d 36631977d8c9 ktr: Use STAILQ_EMPTY_ATOMIC when checking for records in ktr_drain()
Fatal trap NUM: page fault in rtsock_msg_buffer C 9 226d 230d 2/2 226d dae64402b3e8 rtsock: fix panic in rtsock_msg_buffer()
Fatal trap NUM: general protection fault in rtsock_msg_buffer syz 1 226d 226d 2/2 226d dae64402b3e8 rtsock: fix panic in rtsock_msg_buffer()
freebsd test error: panic: ASan: Invalid access, NUM-byte write at ADDR, GenericRedZone(fa) 2 292d 292d 2/2 292d 47112d359b36 kassert: Remove KASAN marking from DEBUG_POISON_POINTER
panic: vtnet_txq_offload_ctx: mbuf ADDR start NUM offset NUM proto -NUM (2) C 70 415d 460d 2/2 339d 71867653008c udp: improve handling of cached route
freebsd test error: Fatal trap NUM: page fault while in kernel mode 11 383d 384d 2/2 383d 517c5854588e vm_phys: Make sure that vm_phys_enq_chunk() stays in bounds
freebsd boot error: Fatal trap NUM: page fault while in kernel mode (4) 1 441d 441d 2/2 433d d66399326cb4 kthread: Set *tdptr earlier in kproc_kthread_add()
Fatal trap NUM: page fault in strlcpy C 3 450d 450d 2/2 449d b112232e4fb9 uipc_shm: Copyin userpath for ktrace(2)
panic: Unaligned free of ADDR from zone ADDR(mbuf) slab ADDR(NUM) C 28 450d 450d 2/2 450d fb8a8333b481 unix: return immediately on MSG_OOB
Fatal trap NUM: page fault in uipc_soreceive_stream_or_seqpacket C 3 450d 450d 2/2 450d d1cbb17a873c unix: fix the ad hoc STAILQ_PREPEND()
panic: Assertion size > NUM failed at /syzkaller/managers/main/kernel/sys/kern/subr_vmem.c:LINE C 69 471d 476d 2/2 471d b5a9299bb8b9 ktls: catch invalid parameters earlier
panic: Assertion size > NUM failed at /syzkaller/managers/i386/kernel/sys/kern/subr_vmem.c:LINE 1 472d 472d 2/2 471d b5a9299bb8b9 ktls: catch invalid parameters earlier
panic: Assertion !callout_active(&tp->t_callout) failed at /syzkaller/managers/i386/kernel/sys/netinet/tcp_subr.c:LINE 3 507d 508d 2/2 506d 57e27ff07aff tcp: partially undo D43792
panic: Assertion !callout_active(&tp->t_callout) failed at /syzkaller/managers/main/kernel/sys/netinet/tcp_subr.c:LINE 13 506d 508d 2/2 506d 57e27ff07aff tcp: partially undo D43792
panic: lock (sleep mutex) sctp-inp not locked @ /syzkaller/managers/i386/kernel/sys/netinet/sctp_usrreq.c:LINE 565 532d 533d 2/2 532d a079c891c01b sctp: restore missing inpcb lock
panic: lock (sleep mutex) sctp-inp not locked @ /syzkaller/managers/main/kernel/sys/netinet/sctp_usrreq.c:LINE C 455 532d 533d 2/2 532d a079c891c01b sctp: restore missing inpcb lock
panic: sbflush_internal: ccc NUM mb ADDR mbcnt NUM C 3 544d 545d 2/2 541d 59ce044a7856 sockets: on shutdown(2) do sorflush() only in case of generic sockbuf
panic: vtnet_txq_offload_ctx: mbuf ADDR start NUM offset NUM proto -NUM C 4 576d 586d 2/2 548d 7df9da47e8f0 Fix udp IPv4-mapped address
panic: Assertion !tcp_in_hpts(tp) failed at /syzkaller/managers/i386/kernel/sys/netinet/tcp_subr.c:LINE 9 573d 576d 2/2 561d ade05d63b727 tcp: stop stack timers in tcp_switch_back_to_default()
freebsd boot error: Fatal trap NUM: page fault while in kernel mode (3) 1 572d 572d 2/2 571d ae77041e0714 kthread: Set *newtdp earlier in kthread_add1()
panic: Assertion !(tp->t_flags2 & TF2_HPTS_CPU_SET) failed at /syzkaller/managers/main/kernel/sys/netinet/tcp_hpts.c:LIN C 375 573d 576d 2/2 573d 3f46be6acadd tcp_hpts: let tcp_hpts_init() set a random CPU only once
panic: Assertion !tcp_in_hpts(tp) failed at /syzkaller/managers/main/kernel/sys/netinet/tcp_subr.c:LINE C 35 573d 576d 2/2 573d ade05d63b727 tcp: stop stack timers in tcp_switch_back_to_default()
panic: Assertion !(tp->t_flags2 & TF2_HPTS_CPU_SET) failed at /syzkaller/managers/i386/kernel/sys/netinet/tcp_hpts.c:LIN 211 573d 576d 2/2 573d 3f46be6acadd tcp_hpts: let tcp_hpts_init() set a random CPU only once
panic: ASan: Invalid access, NUM-byte read at ADDR, MallocRedZone(fb) (2) 6 626d 637d 2/2 624d 761ae1ce798a ktrace: Handle uio_resid underflow via MSG_TRUNC
panic: in_pcblookup_hash_locked: invalid local address (2) C 94 637d 848d 2/2 634d abca3ae7734f udp: fix sending of IPv4-mapped addresses
panic: in_pcblookup_hash_locked: invalid foreign address (2) C 38 642d 848d 2/2 634d abca3ae7734f udp: fix sending of IPv4-mapped addresses
panic: Rack:ADDR sb:ADDR rsm:ADDR -- first rsm mbuf not aligned to sb (2) 1 687d 687d 2/2 637d 8818f0f1124e TCP: Fix a rack bug that skyzall found which results in a crash.
panic: rsm:ADDR nrsm:ADDR hit at soff:NUM null m 1 714d 714d 2/2 637d 8818f0f1124e TCP: Fix a rack bug that skyzall found which results in a crash.
panic: mbuf:ADDR len:NUM rsm:ADDR oml:NUM soff:NUM C 4 638d 687d 2/2 637d 8818f0f1124e TCP: Fix a rack bug that skyzall found which results in a crash.
panic: Counter goes negative (3) C 595 660d 1216d 2/2 658d bb56b36d7188 sctp: further improve shutting down the read side of a socket
panic: sbflush_internal: residual data (3) C 33 751d 1118d 2/2 659d 81c5f0fac91d sctp: improve shutting down the read side of a socket
panic: malloc: called with spinlock or critical section held C 3 674d 674d 2/2 674d 6b635c74fd41 aesni: Push FPU sections down further
panic: sbcut_internal: no next, len NUM C 2 692d 692d 2/2 678d 847fa61fad5e sctp: improve handling of socket shutdown for reading
freebsd boot error: Fatal trap NUM: page fault while in kernel mode (2) 51 698d 699d 2/2 693d ccdb28275db7 vm_phys_enq_range: no alignment assert for npages==0
freebsd boot error: panic: vm_phys_enq_range: page ADDR and npages NUM are misaligned 18 701d 701d 2/2 700d b7370efade86 Revert "vm_phys_enqueue_contig: handle npages==0"
Fatal trap NUM: page fault in tcp_input_with_port C 6 723d 763d 2/2 707d a43e7a96b64e inpcb: use internal flag to mark pcbs that are inserted into lbgroup
panic: in_pcbconnect: inp is already connected C 2 748d 748d 2/2 740d de0a2eb2ef86 tcp: Disallow connecting a disconnected socket
panic: lock (sleep mutex) unp not locked @ /syzkaller/managers/main/kernel/sys/kern/uipc_usrreq.c:LINE C 2 742d 742d 2/2 742d 712079d38106 unix: Fix uipc_peeraddr() to handle self-connected sockets
panic: lock (sleep mutex) unp not locked @ /syzkaller/managers/i386/kernel/sys/kern/uipc_usrreq.c:LINE 1 742d 742d 2/2 742d 712079d38106 unix: Fix uipc_peeraddr() to handle self-connected sockets
panic: filesystem goof: vop_panic[vop_fplookup_vexec] 6 818d 818d 2/2 817d 4032c388146b ufs: add missing vop_fplookup ops to fifo vectors
panic: ASan: Invalid access, NUM-byte write at ADDR, StackMiddle(f2) (3) 4274 820d 820d 2/2 820d 030434acaf46 Update rack to the latest code used at NF.
panic: in6_pcblookup_hash_locked: invalid local address syz 37 864d 880d 2/2 842d aa71d6b4a2ec netinet: Disallow unspecified addresses in ICMP-embedded packets
panic: in_pcblookup_hash_l[o ctkherde:a di nvaplidi d 1l1o86 catlid a1d0dr0e6s9s1 ] 1 861d 861d 2/2 849d 713264f6b8bc netinet: Tighten checks for unspecified source addresses
panic: in_pcblookup_hash_locked: invalid local address syz 165751 849d 880d 2/2 849d 713264f6b8bc netinet: Tighten checks for unspecified source addresses
panic: in_pcblookup_hash_locked: invalid foreign address syz 152 849d 880d 2/2 849d 713264f6b8bc netinet: Tighten checks for unspecified source addresses
freebsd build error (16) 214 860d 876d 2/2 860d 8c8574acb851 config: Include errno.h in mkmakefile.cc
Fatal trap NUM: page fault in sctp_notify_stream_reset_tsn syz 2 882d 882d 2/2 881d 7b2f1a7fe944 sctp: improve delivery of stream reset notifications
Fatal trap NUM: page fault in kern_cpuset_getid C 3 885d 885d 2/2 884d 2058f075b4af cpuset: Handle CPU_WHICH_TIDPID wherever cpuset_which() is called.
panic: ipreass_callout: stray callout on bucket ADDR 10 1027d 1028d 2/2 1012d 15b73a2a14d1 ip_reass: use correct comparison in ipreass_callout()
panic: ipreass_callout: stray callout on bucket ADDR, NUM < NUM 34 1022d 1027d 2/2 1022d 15b73a2a14d1 ip_reass: use correct comparison in ipreass_callout()
panic: Assertion sb->sb_hiwat >= sb->uxdg_cc failed at /syzkaller/managers/main/kernel/sys/kern/uipc_usrreq.c:LINE C 2 1049d 1049d 2/2 1041d 820bafd0bc14 unix/dgram: don't panic if socket buffer has negative space
Fatal trap NUM: page fault in key_attach C 117 1055d 1056d 2/2 1055d b7bf3cb07fcf keysock: explicitly initialized LIST_HEAD
panic: Assertion done != job_total_nbytes failed at /syzkaller/managers/main/kernel/sys/kern/sys_socket.c:LINE (2) C 3 1163d 1186d 2/2 1057d bb995f2ef0e7 sctp: improve handling of send() calls with no user data`
panic: seq_out not found rack:ADDR tp:ADDR C 108 1082d 1480d 2/2 1079d 5b741298b11c tcp rack: fix switching to RACK when FIN has been sent
Fatal trap NUM: page fault in soclose C 245 1101d 1104d 2/2 1101d bafe71fd2720 sctp: do not clobber listening socket with sockbuf operations
panic: Assertion v != tid failed at /syzkaller/managers/main/kernel/sys/kern/kern_mutex.c:LINE C 245 1116d 1756d 2/2 1114d a14465e1b9a5 rip6: Fix a lock order reversal in rip6_bind()
panic: Assertion v != tid failed at /syzkaller/managers/i386/kernel/sys/kern/kern_mutex.c:LINE syz 115 1119d 1750d 2/2 1114d a14465e1b9a5 rip6: Fix a lock order reversal in rip6_bind()
panic: Assertion (t->parent->p_treeflag & P_TREE_REAPER) != NUM failed at /syzkaller/managers/main/kernel/sys/kern/kern_ 7 1117d 1161d 2/2 1115d 1575804961d2 reap_kill_proc(): avoid singlethreading any other process if we are exiting
panic: Thread not suspended syz 30 1117d 1161d 2/2 1115d 1575804961d2 reap_kill_proc(): avoid singlethreading any other process if we are exiting
panic: Assertion TD_CAN_RUN(td) failed at /syzkaller/managers/main/kernel/sys/kern/subr_turnstile.c:LINE C 1 1161d 1161d 2/2 1115d 1575804961d2 reap_kill_proc(): avoid singlethreading any other process if we are exiting
panic: td ADDR is not suspended C 11 1116d 1162d 2/2 1115d 1575804961d2 reap_kill_proc(): avoid singlethreading any other process if we are exiting
panic: already suspended C 130 1115d 1162d 2/2 1115d 1575804961d2 reap_kill_proc(): avoid singlethreading any other process if we are exiting
panic: Lock pf config not exclusively locked @ /syzkaller/managers/i386/kernel/sys/netpfil/pf/pf_ioctl.c:LINE 109 1149d 1192d 2/2 1115d 826c58d6656c pf: add missing unlock on error in DIOCCHANGERULE
panic: Lock pf config not exclusively locked @ /syzkaller/managers/main/kernel/sys/netpfil/pf/pf_ioctl.c:LINE C 142 1149d 1192d 2/2 1115d 826c58d6656c pf: add missing unlock on error in DIOCCHANGERULE
Fatal trap NUM: page fault in tcp_sack_output 4 1121d 1121d 2/2 1120d ce2525c8108a tcp: remove goto and address another NULL deref in SACK
panic: sctp_inpcb_free: inp ADDR still has socket syz 12 1154d 1343d 2/2 1124d a5c2009dd8ab sctp: improve handling of sctp inpcb flags
Fatal trap NUM: page fault in pf_krule_global_RB_INSERT (2) C 27 1130d 1147d 2/2 1128d a3d974082549 pf: make sure the rule tree is allocated in DIOCCHANGERULE
panic: sbflush_internal: residual data (2) C 263 1130d 1393d 2/2 1130d a6a596e102be sctp: improve handling of listen() call
panic: Queues are not empty when handling SHUTDOWN-ACK (2) 1 1131d 1131d 2/2 1131d 64b297e803bd sctp: improve handling of send() when association is shutdown
panic: Warning: Last msg marked incomplete, yet nothing left? (2) C 3 1132d 1140d 2/2 1131d 2646cd085850 sctp: use a consistent view of the send parameters
panic: Queues are not empty when handling SHUTDOWN-COMPLETE C 17 1169d 1698d 2/2 1131d 64b297e803bd sctp: improve handling of send() when association is shutdown
panic: sctp: no chunks on the queues (2) syz 1813 1132d 1775d 2/2 1131d 2646cd085850 sctp: use a consistent view of the send parameters
panic: Assertion clen >= sizeof(*cm) && clen <= cm->cmsg_len failed at /syzkaller/managers/i386/kernel/sys/kern/uipc_usr 18 1133d 1134d 2/2 1133d 75e7e3ce34d9 unix: fix incorrect assertion in 4682ac697ce
panic: Assertion clen >= sizeof(*cm) && clen <= cm->cmsg_len failed at /syzkaller/managers/main/kernel/sys/kern/uipc_usr C 6 1134d 1134d 2/2 1133d 75e7e3ce34d9 unix: fix incorrect assertion in 4682ac697ce
freebsd build error (13) 9 1140d 1140d 2/2 1139d 4a3e51335e86 cpuset: Fix the KASAN and KMSAN builds
Fatal trap NUM: page fault in sctp_wakeup_the_read_socket (3) syz 3 1164d 1169d 2/2 1162d 490a0f77de77 sctp: improve locking
panic: ASan: Invalid access, NUM-byte write at ADDR, UMAUseAfterFree(fd) 8 1172d 1185d 2/2 1170d 868868f14efc sctp: improve stopping of timers
panic: ASan: Invalid access, NUM-byte read at ADDR, UMAUseAfterFree(fd) (2) C 7 1170d 1172d 2/2 1170d a12d89332efe sctp: hold the inp lock while calling ip6_output
Fatal trap NUM: page fault in sctp_wakeup_the_read_socket (2) 1 1247d 1247d 2/2 1173d 3dc57df91e65 sctp: don't wakeup 1-to-1 listening sockets for data or notifications
Fatal trap NUM: page fault in __mtx_lock_flags (2) C 2 1183d 1183d 2/2 1173d 3dc57df91e65 sctp: don't wakeup 1-to-1 listening sockets for data or notifications
panic: ASan: Invalid access, NUM-byte read in sctp_med_chunk_output C 180 1327d 1384d 2/2 1174d eeba22217217 sctp: don't keep a pointer to a freed stcb around
panic: ASan: Invalid access, NUM-byte read at ADDR, UMAUseAfterFree(fd) C 515 1174d 1294d 2/2 1174d eeba22217217 sctp: don't keep a pointer to a freed stcb around
panic: ASan: Invalid access, 4-byte write at ADDR, UMAUseAfterFree(fd) C 462 1189d 1456d 2/2 1187d 52106f072fd0 sctp: don't refer to a potentially outdated stream
panic: ASan: Invalid access, NUM-byte write at ADDR, UseAfterScope(f8) 11 1189d 1311d 2/2 1188d 39a22011bbb8 sctp: clear pointer to stack when returning from function.
panic: ASan: Invalid access, NUM-byte write at ADDR, StackRight(f3) 102 1188d 1192d 2/2 1188d 39a22011bbb8 sctp: clear pointer to stack when returning from function.
panic: ASan: Invalid access, NUM-byte write at ADDR, KernelStack(fe) 149 1188d 1192d 2/2 1188d 39a22011bbb8 sctp: clear pointer to stack when returning from function.
panic: ASan: Invalid access, NUM-byte write at ADDR, StackMiddle(f2) (2) 1 1189d 1189d 2/2 1188d 39a22011bbb8 sctp: clear pointer to stack when returning from function.
panic: ASan: Invalid access, NUM-byte write at ADDR, StackLeft(f1) 48 1188d 1192d 2/2 1188d 39a22011bbb8 sctp: clear pointer to stack when returning from function.
Fatal trap NUM: page fault in pf_krule_global_RB_INSERT C 81 1191d 1192d 2/2 1191d e123e2294cb5 pf: guard against DIOCADDRULE without DIOCXBEGIN
panic: _mtx_lock_sleep: recursed on non-recursive mutex sctp-tcb @ /syzkaller/managers/i386/kernel/sys/netinet/sctp_outp 2 1192d 1192d 2/2 1191d 5d0c76c7302b sctp: don't lock an already locked stcb.
panic: Don't own TCB send lock C 8016 1192d 1376d 2/2 1192d 5ac91821f5d7 sctp: get rid of stcb send lock
panic: Association about to be freed (2) C 4834 1192d 1228d 2/2 1192d 5ac91821f5d7 sctp: get rid of stcb send lock
panic: hold_tcblock is false C 468 1229d 1229d 2/2 1228d e255f0c9fbd2 sctp: make sure new locking requirements are satisfied.
panic: Association about to be freed C 57 1228d 1229d 2/2 1228d bdb99f6f5e31 sctp: remove KASSERT() which not always holds
panic: create_lock_applied is true C 104 1228d 1229d 2/2 1228d 2f0656fb9ba2 sctp: don't hold the assoc create lock longer than needed
panic: refcount ADDR wraparound (4) 21 1252d 1319d 2/2 1240d 300cfb96fc22 file: Make fget*() and getvnode*() consistent about initializing *fpp
panic: Bad link elm ADDR prev->next != elm (3) 8 1252d 1304d 2/2 1245d b84ed4e7f626 filemon: Reject FILEMON_SET_FD commands when the fd is a kqueue
panic: lock ADDR is not initialized (2) 171 1248d 1263d 2/2 1248d 773e3a71b2f1 pf: Initialize pf_kpool mutexes earlier
freebsd boot error: can't ssh into the instance 22 1261d 1262d 2/2 1261d 46d35d415aa9 fork: Copy the vm_stacktop field into the new vmspace
panic: lock ADDR is not initialized 1457 1263d 1265d 2/2 1263d e5ca5e801d3c pf: ensure we don't destroy an uninitialised lock
Fatal trap NUM: page fault in inp_next syz 3 1282d 1288d 2/2 1278d 430df2abee90 in_pcb: improve inp_next()
panic: mutex blocked lock not owned at /syzkaller/managers/main/kernel/sys/kern/sched_ule.c:LINE C 33 1279d 1280d 2/2 1279d 6b95cf5bdedc callout: Wait for the softclock thread to switch before rescheduling
Fatal trap NUM: page fault in tcp_usr_send syz 1 1283d 1283d 2/2 1282d 4287aa56197f tcp_usr_shutdown: don't cast inp_ppcb to tcpcb before checking inp_flags
panic: overhead (NUM) not a multiple of NUM C 248 1283d 1283d 2/2 1282d ca0dd19f0933 sctp: check that the computed frag point is a multiple of 4
Fatal trap NUM: page fault in tcp_usr_shutdown C 5 1283d 1284d 2/2 1282d 4287aa56197f tcp_usr_shutdown: don't cast inp_ppcb to tcpcb before checking inp_flags
Fatal trap NUM: page fault in tcp_usr_rcvd C 7 1284d 1284d 2/2 1283d 37a7f5573716 tcp_usr_rcvd: don't cast inp_ppcb to tcpcb before checking inp_flags
panic: m_apply, offset > size of mbuf chain C 2 1289d 1289d 2/2 1283d 989453da0589 sctp: cleanup the SCTP_MAXSEG socket option.
panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/net/if.c:LINE (2) C 314 1293d 1297d 2/2 1293d 9f5432d5e5f0 netinet6: ip6_setpktopt() requires NET_EPOCH
panic: ASan: Invalid access, 2-byte read at ADDR, UMAUseAfterFree(fd) C 1103 1294d 1455d 2/2 1294d 014f98b11992 udp: Fix a use-after-free in udp_multi_input()
Fatal trap NUM: page fault in memcpy_erms C 306 1295d 1301d 2/2 1295d aa2681752d0d cryptosoft: Don't treat CRYPTO_NULL_HMAC as an hmac algorithm.
Fatal trap NUM: page fault while in kernel mode (2) 1 1308d 1308d 2/2 1297d 12ae3476f35c tcp_drain(): initialize the inpcb iterator when curvnet is set
Fatal trap NUM: page fault in tcp_drain 12 1308d 1308d 2/2 1297d 12ae3476f35c tcp_drain(): initialize the inpcb iterator when curvnet is set
panic: Lock tcpinp not exclusively locked @ /syzkaller/managers/i386/kernel/sys/netinet/tcp_log_buf.c:LINE 13 1327d 1329d 2/2 1326d 2f62f92e3745 tcp: Fix a locking issue related to logging
panic: Lock tcpinp not exclusively locked @ /syzkaller/managers/main/kernel/sys/netinet/tcp_log_buf.c:LINE 6 1326d 1329d 2/2 1326d 2f62f92e3745 tcp: Fix a locking issue related to logging
panic: witness_warn (2) 29 1328d 1329d 2/2 1328d df07bfda67ad tcp: Fix a locking issue
panic: chacha20_poly1305_reinit: invalid nonce length 2 1338d 1338d 2/2 1331d 442ad83e38e8 crypto: Don't assert on valid IV length for Chacha20-Poly1305.
panic: condition vp->v_type == VDIR || VN_IS_DOOMED(vp) not met at /syzkaller/managers/i386/kernel/sys/kern/vfs_cache.c: 1 1350d 1350d 2/2 1344d 628c3b307fb2 cache: only let non-dir descriptors through when doing EMPTYPATH lookups
Fatal trap NUM: page fault in filt_bpfwrite C 4 1353d 1359d 2/2 1345d 426682b05a4c bpf: Fix the write filter for detached descriptors
panic: ASan: Invalid access, NUM-byte read in newreno_cong_signal C 4 1346d 1349d 2/2 1346d b15b0535968e tcp: allow new reno functions to be called from other CC modules
panic: ASan: Invalid access, NUM-byte read in newreno_ack_received 2 1347d 1347d 2/2 1346d b15b0535968e tcp: allow new reno functions to be called from other CC modules
panic: Assertion (cnp->cn_flags & (LOCKPARENT | WANTPARENT)) == NUM failed at /syzkaller/managers/main/kernel/sys/kern/v C 87 1355d 1355d 2/2 1355d 1045352f1503 cache: only assert on flags when dealing with EMPTYPATH
panic: TLS trailer length too long: NUM C 2 1363d 1363d 2/2 1358d a63752cce646 ktls: Reject attempts to enable AES-CBC with TLS 1.3.
panic: filesystem goof: vop_panic[vop_readdir] 1 1363d 1363d 2/2 1358d 03d5820f738d mount: Check for !VDIR mount points before handling -o emptydir
freebsd build error (9) 1 1360d 1360d 2/2 1360d c05b382edb17 Revert "bootstrap: No need to disable shared libraries for bootstrap tools"
panic: invalid payload start 6 1385d 1498d 2/2 1364d a0cbcbb7917b cryptodev: Allow some CIOCCRYPT operations with an empty payload.
panic: filt_timerattach: periodic timer has a calculated zero timeout 12 1370d 1370d 2/2 1370d 2f4dbe279f6b kqueue: fix recent assertion
panic: strq ADDR not scheduled 12189 1370d 1373d 2/2 1370d 3ff3733991ba sctp: don't keep being locked on a stream which is removed
panic: strq ADDR is not scheduled 541 1373d 1373d 2/2 1373d 28ea9470782d sctp: provide a specific stream scheduler function for FCFS
Fatal trap NUM: page fault in sctp_ss_rrp_packet_done 328 1373d 1376d 2/2 1373d 5b53e749a95e sctp: fix usage of stream scheduler functions
panic: _mtx_lock_sleep: recursed on non-recursive mutex sctp-send-tcb @ /syzkaller/managers/i386/kernel/sys/netinet/sctp 2 1373d 1375d 2/2 1373d 171633765c43 sctp: avoid locking an already locked mutex
Fatal trap NUM: page fault while in kernel mode 177 1373d 1376d 2/2 1373d 5b53e749a95e sctp: fix usage of stream scheduler functions
panic: _mtx_lock_sleep: recursed on non-recursive mutex sctp-send-tcb @ /syzkaller/managers/main/kernel/sys/netinet/sctp 10 1373d 1376d 2/2 1373d 171633765c43 sctp: avoid locking an already locked mutex
Fatal trap NUM: page fault in sctp_ss_default_select 20939 1373d 1376d 2/2 1373d 5b53e749a95e sctp: fix usage of stream scheduler functions
Fatal trap NUM: page fault in sctp_ss_fb_select 12 1373d 1376d 2/2 1373d 5b53e749a95e sctp: fix usage of stream scheduler functions
Fatal trap NUM: page fault in sctp_ss_prio_select 761 1373d 1376d 2/2 1373d 5b53e749a95e sctp: fix usage of stream scheduler functions
panic: runtime error: invalid memory address or nil pointer dereference 12 1374d 1376d 2/2 1374d b1e2f063ae91 amd64 sendsig: fix context corruption
freebsd boot error: panic: ASan: Invalid access, NUM-byte read at ADDR, UseAfterScope(f8) 270 1376d 1380d 2/2 1376d ca1e447b1048 amd64: Avoid copying td_frame from kernel procs
panic: ASan: Invalid access, 2-byte read in sctp_ss_prio_add 1 1450d 1450d 2/2 1381d 34b1efcea19d sctp: use a valid outstream when adding it to the scheduler
Fatal trap 9: general protection fault in sctp_ss_prio_add 1 1468d 1468d 2/2 1381d 34b1efcea19d sctp: use a valid outstream when adding it to the scheduler
Fatal trap 12: page fault in sctp_ss_default_add (2) 1 1458d 1458d 2/2 1381d 34b1efcea19d sctp: use a valid outstream when adding it to the scheduler
panic: ASan: Invalid access, 8-byte read in sctp_ss_default_add 326 1384d 1453d 2/2 1381d 34b1efcea19d sctp: use a valid outstream when adding it to the scheduler
panic: Bad tailq NEXT(ADDR->tqh_last) != NULL (4) C 147 1457d 1680d 2/2 1381d 34b1efcea19d sctp: use a valid outstream when adding it to the scheduler
panic: ASan: Invalid access, 8-byte read in sctp_ss_fb_add 22 1419d 1452d 2/2 1381d 34b1efcea19d sctp: use a valid outstream when adding it to the scheduler
panic: ASan: Invalid access, 8-byte read in kern_sendit 2 1385d 1425d 2/2 1382d fea1a98ead91 freebsd32: Fix a double copyin in sendmsg() and recvmsg()
panic: Bad link elm ADDR prev->next != elm (2) 8 1383d 1394d 2/2 1382d e19d93b19dce sctp: fix FCFS stream scheduler
Fatal trap 12: page fault while in kernel mode (3) C 140 1384d 1990d 2/2 1384d ade1daa5c0d6 socket: Synchronize soshutdown() with listen(2) and AIO
Fatal trap 12: page fault in soo_aio_queue C 349 1384d 1489d 2/2 1384d ade1daa5c0d6 socket: Synchronize soshutdown() with listen(2) and AIO
panic: Assertion done != job_total_nbytes failed at /syzkaller/managers/main/kernel/sys/kern/sys_socket.c:LINE C 3 1397d 1461d 2/2 1387d e6c19aa94da4 sctp: Allow blocking on I/O locks even with non-blocking sockets
Fatal trap 12: page fault in __mtx_lock_flags C 1065 1390d 1889d 2/2 1390d 2d5c48eccd9f sctp: Tighten up locking around sctp_aloc_assoc()
panic: Assertion job->uiop != &job->uio && job->uiop != NULL failed at /syzkaller/managers/i386/kernel/sys/kern/vfs_aio. 1 1394d 1394d 2/2 1390d 2884918c7338 aio: Fix up the opcode in aiocb32_copyin()
panic: ASan: Invalid access, 4-byte read in sctp_sendall_completes 39 1394d 1452d 2/2 1391d 173a7a4ee4fa sctp: Fix iterator synchronization in sctp_sendall()
panic: Assertion owner->td_proc->p_magic == P_MAGIC failed at /syzkaller/managers/i386/kernel/sys/kern/subr_turnstile.c: (2) 9 1442d 1535d 2/2 1391d 141fe2dceeae aio: Interlock with listen(2)
panic: ASan: Invalid access, 1-byte read in udp6_common_ctlinput 1 1433d 1433d 2/2 1391d b1e6a792d68e net: Enter a net epoch around protocol if_up/down notifications
panic: unexpected security protocol NUM syz 7 1393d 1407d 2/2 1391d 10eb2a2bde61 ipsec: Validate the protocol identifier in ipsec4_ctlinput()
panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/i386/kernel/sys/kern/sys_socket.c:LINE (2) 68 1396d 1486d 2/2 1391d 141fe2dceeae aio: Interlock with listen(2)
panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/kern/sys_socket.c:LINE (2) C 109 1394d 1489d 2/2 1391d 141fe2dceeae aio: Interlock with listen(2)
panic: Assertion owner->td_proc->p_magic == P_MAGIC failed at /syzkaller/managers/main/kernel/sys/kern/subr_turnstile.c: C 46 1455d 1710d 2/2 1391d 141fe2dceeae aio: Interlock with listen(2)
panic: Lock sctp-info not exclusively locked @ /syzkaller/managers/main/kernel/sys/netinet/sctp_pcb.c:LINE C 363 1392d 1393d 2/2 1392d 0c1a20beb456 sctp: use appropriate argument when freeing association
panic: ASan: Invalid access, 8-byte read in osd_get 13 1393d 1452d 2/2 1392d 187afc58791c osd: Fix racy assertions
Fatal trap 9: general protection fault in strlen C 1506 1457d 2215d 2/2 1392d 4250aa1188b5 sctp: Clear assoc socket references when freeing a PCB
panic: mtx_lock() of destroyed mutex at sys/kern/uipc_sockbuf.c:LINE syz 4 1543d 1732d 2/2 1392d 4250aa1188b5 sctp: Clear assoc socket references when freeing a PCB
panic: mutex so_snd not owned at /syzkaller/managers/i386/kernel/sys/kern/uipc_sockbuf.c:LINE syz 1 1686d 1686d 2/2 1392d 4250aa1188b5 sctp: Clear assoc socket references when freeing a PCB
panic: __rw_wlock_hard: recursing but non-recursive rw sctp-info @ /syzkaller/managers/main/kernel/sys/netinet/sctp_pcb. C 131 1393d 1394d 2/2 1393d 6e3af6321ba4 sctp: Fix lock recursion in sctp_swap_inpcb_for_listen()
panic: __rw_wlock_hard: recursing but non-recursive rw sctp-info @ /syzkaller/managers/i386/kernel/sys/netinet/sctp_pcb. 111 1393d 1394d 2/2 1393d 6e3af6321ba4 sctp: Fix lock recursion in sctp_swap_inpcb_for_listen()
panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE syz 707 1416d 2301d 2/2 1394d bd4a39cc93d9 socket: Properly interlock when transitioning to a listening socket
panic: ASan: Invalid access, NUM-byte read in strncmp C 12 1394d 1399d 2/2 1394d 5402baa5b5d1 g_label: Handle small sector sizes when tasting
Fatal trap 12: page fault in knlist_remove_kq 3 1466d 1474d 2/2 1400d c511383de7a0 kevent: Fix races between timer detach and kqtimer_proc_continue()
Fatal trap 12: page fault in filt_timerdetach 1 1469d 1469d 2/2 1400d c511383de7a0 kevent: Fix races between timer detach and kqtimer_proc_continue()
panic: ASan: Invalid access, 8-byte read in sctp_free_assoc 112 1401d 1453d 2/2 1400d d35be50f5779 sctp: Hold association locks across socket wakeups when freeing
Fatal trap 9: general protection fault in sctp_free_assoc syz 14 1462d 1770d 2/2 1400d d35be50f5779 sctp: Hold association locks across socket wakeups when freeing
Fatal trap 9: general protection fault in itimer_proc_continue syz 2 1495d 1495d 2/2 1401d 3138392a46a4 itimer: Serialize access to the p_itimers array
panic: ASan: Invalid access, 1-byte read at ADDR, RedZonePartial(2) 17 1454d 1456d 2/2 1401d 9e9ba9c73de9 graid: Avoid tasting devices with small sector sizes
panic: ASan: Invalid access, 8-byte read in itimer_proc_continue 1 1439d 1439d 2/2 1401d 3138392a46a4 itimer: Serialize access to the p_itimers array
panic: ASan: Invalid access, 1-byte read at ADDR, RedZonePartial(1) 13 1411d 1455d 2/2 1401d 9e9ba9c73de9 graid: Avoid tasting devices with small sector sizes
panic: ASan: Invalid access, 1-byte read in g_raid_md_taste_ddf C 18 1406d 1453d 2/2 1401d 9e9ba9c73de9 graid: Avoid tasting devices with small sector sizes
panic: ASan: Invalid access, 2-byte read in g_raid_md_taste_sii C 7 1414d 1439d 2/2 1401d 9e9ba9c73de9 graid: Avoid tasting devices with small sector sizes
panic: Bad list head ADDR first->prev != head C 3409 1402d 2299d 2/2 1402d 4a36122b1db1 sctp: Fix racy UNBOUND flag check in sctp_inpcb_bind()
panic: ASan: Invalid access, 16-byte read at ADDR, RedZonePartial(7) 28 1454d 1457d 2/2 1402d 564b6aa7fccd aesni: Avoid a potential out-of-bounds load in aes_encrypt_icm()
panic: ASan: Invalid access, 16-byte read at ADDR, RedZonePartial(6) 20 1454d 1457d 2/2 1402d 564b6aa7fccd aesni: Avoid a potential out-of-bounds load in aes_encrypt_icm()
panic: ASan: Invalid access, 8-byte read at ADDR, StackMiddle(f2) 18 1454d 1456d 2/2 1402d 36226163fa48 x86: Mark the trapframe as initialized in ipi_bitmap_handler()
panic: ASan: Invalid access, 16-byte read at ADDR, RedZonePartial(3) 9 1454d 1455d 2/2 1402d 564b6aa7fccd aesni: Avoid a potential out-of-bounds load in aes_encrypt_icm()
panic: ASan: Invalid access, 16-byte read in aesni_encrypt_icm C 114 1403d 1454d 2/2 1402d 564b6aa7fccd aesni: Avoid a potential out-of-bounds load in aes_encrypt_icm()
panic: Assertion lock == sq->sq_lock failed at /syzkaller/managers/i386/kernel/sys/kern/subr_sleepqueue.c:LINE 1 1481d 1481d 2/2 1416d c4feb1ab0ae0 sigtimedwait: Use a unique wait channel for sleeping
panic: Assertion lock == sq->sq_lock failed at /syzkaller/managers/main/kernel/sys/kern/subr_sleepqueue.c:LINE (2) C 7 1459d 1482d 2/2 1416d c4feb1ab0ae0 sigtimedwait: Use a unique wait channel for sleeping
panic: ASan: Invalid access, 4-byte read in sctp6_connect 64 1430d 1454d 2/2 1425d 784692c74019 sctp: improve handling of IPv4 addresses on IPV6 sockets Reported by: syzbot+08fe66e4bfc2777cba95@syzkaller.appspotmail.com MFC after: 3 days
panic: ASan: Invalid access, 4-byte read in sctp_sosend C 518 1425d 1454d 2/2 1425d b732091a761a sctp: improve input validation of mapped addresses in send() Reported by: syzbot+35528f275f2eea6317cc@syzkaller.appspotmail.com Reported by: syzbot+ac29916d5f16d241553d@syzkaller.appspotmail.com MFC after: 3 days
freebsd boot error: panic: sleeping without a lock 6 1427d 1427d 2/2 1427d 2694c869ff9f ktls: fix a panic with INVARIANTS
panic: ASan: Invalid access, 4-byte read in tcp_usr_bind C 50 1428d 1452d 2/2 1427d 3f1f6b6ef7f6 tcp, udp: improve input validation in handling bind()
panic: ASan: Invalid access, 4-byte read in udp_bind C 69 1428d 1453d 2/2 1427d 3f1f6b6ef7f6 tcp, udp: improve input validation in handling bind()
panic: pmap_growkernel: no memory to grow kernel (2) syz 299 1430d 1890d 2/2 1427d 600745f1e226 pf: bound DIOCGETSTATES memory use
panic: pmap_kasan_enter_alloc_4k: no memory to grow shadow map C 20 1431d 1450d 2/2 1427d 600745f1e226 pf: bound DIOCGETSTATES memory use
panic: vm_fault_lookup: fault on nofault entry, addr: ADDR (2) C 75 1466d 1510d 2/2 1435d 64432ad2a2c4 pf: Validate user string nul-termination before copying
freebsd boot error: panic: ASan: Invalid access, 1-byte read at ADDR, MallocRedZone(fb) 156 1450d 1457d 2/2 1450d 4a9a41650c90 uart: Fix an out-of-bounds read in ns8250_bus_probe()
panic: Assertion (cnp->cn_flags & (LOCKPARENT | WANTPARENT)) == 0 failed at /syzkaller/managers/main/kernel/sys/kern/vfs C 4 1512d 1512d 2/2 1452d 6de3cf14c47d vn_open_cred(): disallow O_CREAT | O_EMPTY_PATH
panic: ASan: Invalid access, 32-byte read at ADDR, StackMiddle(f2) 1 1454d 1454d 2/2 1454d 36226163fa48 x86: Mark the trapframe as initialized in ipi_bitmap_handler()
panic: ASan: Invalid access, 8-byte read in handleevents 34 1454d 1454d 2/2 1454d 36226163fa48 x86: Mark the trapframe as initialized in ipi_bitmap_handler()
panic: thread_lock() of sleep mutex `*Fv @ /syzkaller/managers/main/kernel/sys/kern/kern_switch.c:LINE 1 1496d 1496d 2/2 1493d 4a59cbc12532 amd64: Avoid enabling interrupts when handling kernel mode prot faults
panic: thread_lock() of sleep mutex ` @ /syzkaller/managers/main/kernel/sys/kern/kern_switch.c:LINE C 1 1496d 1496d 2/2 1493d 4a59cbc12532 amd64: Avoid enabling interrupts when handling kernel mode prot faults
panic: Assertion p2->p_ktrioparms == NULL failed at /syzkaller/managers/i386/kernel/sys/kern/kern_ktrace.c:LINE 1 1500d 1500d 2/2 1497d f3851b235b23 ktrace: Fix a race with fork()
panic: Assertion p2->p_ktrioparms == NULL failed at /syzkaller/managers/main/kernel/sys/kern/kern_ktrace.c:LINE 1 1501d 1501d 2/2 1497d f3851b235b23 ktrace: Fix a race with fork()
Fatal trap 12: page fault in rack_process_to_cumack (2) syz 3 1501d 1501d 2/2 1499d 13c0e198ca27 tcp: Fix bugs related to the PUSH bit and rack and an ack war
panic: refcount ADDR wraparound (3) C 9 1501d 1502d 2/2 1501d 6f6cd1e8e8aa ktrace: Remove vrele() at the end of ktr_writerequest()
panic: Non-zero write count 98 1501d 1502d 2/2 1501d 6f6cd1e8e8aa ktrace: Remove vrele() at the end of ktr_writerequest()
Fatal trap 9: general protection fault in rack_ctloutput syz 2 1504d 1504d 2/2 1502d 8923ce630492 tcp: Handle stack switch while processing socket options
panic: ktrace_enter: flag set C 44 1502d 1504d 2/2 1502d e4b16f2fb18b ktrace: Avoid recursion in namei()
panic: _mtx_lock_sleep: recursed on non-recursive mutex so_snd @ /syzkaller/managers/i386/kernel/sys/modules/tcp/rack/.. 4 1503d 1504d 2/2 1503d 39756885633f rack: honor prior socket buffer lock when doing the upcall
panic: _mtx_lock_sleep: recursed on non-recursive mutex so_snd @ /syzkaller/managers/main/kernel/sys/modules/tcp/rack/.. 2 1503d 1504d 2/2 1503d 39756885633f rack: honor prior socket buffer lock when doing the upcall
panic: Memory modified after free ADDR(4096) val=ADDR @ ADDR C 1 1508d 1508d 2/2 1504d 500eb6dd8040 tcp: Fix sending of TCP segments with IP level options
freebsd boot error: panic: scsi_action: ccb ADDR, func_code 0x6 should not be allocated from UMA zone 42 1508d 1509d 2/2 1508d 5b81e2e1bcdc virtio_scsi: Zero stack-allocated CCBs
Fatal trap 12: page fault in callout_process (2) 7 1514d 1542d 2/2 1510d 2cca77ee0134 kqueue timer: Remove detached knotes from the process stop queue
Fatal trap 9: general protection fault in kqtimer_proc_continue 109 1511d 1545d 2/2 1510d 2cca77ee0134 kqueue timer: Remove detached knotes from the process stop queue
panic: releasing active pmap ADDR C 11 1513d 1556d 2/2 1511d 9246b3090cbc fork: Suspend other threads if both RFPROC and RFMEM are not set
panic: pmap active ADDR C 5 1519d 1556d 2/2 1511d 9246b3090cbc fork: Suspend other threads if both RFPROC and RFMEM are not set
Fatal trap 18: integer divide fault in realtimer_expire_l C 15 1512d 1540d 2/2 1511d 8b3c4231abf0 posix timers: Check for overflow when converting to ns
Fatal trap 18: integer divide fault in realtimer_expire C 20 1543d 1564d 2/2 1511d 8b3c4231abf0 posix timers: Check for overflow when converting to ns
Fatal trap 9: general protection fault in crypto_ioctl 1 1518d 1518d 2/2 1512d 1a04f0156c4e cryptodev: Fix some input validation bugs
panic: crp_iv_start set when IV isn't used C 2 1516d 1517d 2/2 1513d 1a04f0156c4e cryptodev: Fix some input validation bugs
panic: vm_fault_lookup: fault on nofault entry, addr: ADDR 5 1516d 1554d 2/2 1513d c8bbb1272c8b vfs: Fix error handling in vn_fullpath_hardlink()
panic: IV outside buffer length C 16 1513d 1518d 2/2 1513d 1a04f0156c4e cryptodev: Fix some input validation bugs
Fatal trap 9: general protection fault in mb_free_ext 1 1514d 1514d 2/2 1513d 1a04f0156c4e cryptodev: Fix some input validation bugs
panic: More encryption data than allowed C 2 1514d 1514d 2/2 1513d 1a04f0156c4e cryptodev: Fix some input validation bugs
panic: AEAD without a separate IV C 25 1513d 1519d 2/2 1513d 1a04f0156c4e cryptodev: Fix some input validation bugs
Fatal trap 12: page fault in memcpy_erms C 2 1514d 1514d 2/2 1513d 1a04f0156c4e cryptodev: Fix some input validation bugs
panic: IV_SEPARATE set when IV isn't used C 4 1514d 1517d 2/2 1513d 1a04f0156c4e cryptodev: Fix some input validation bugs
panic: _mtx_lock_sleep: recursed on non-recursive mutex process lock @ /syzkaller/managers/main/kernel/sys/kern/kern_sig syz 2 1542d 1542d 2/2 1513d 5cc1d199412e realtimer_expire: avoid proc lock recursion when called from itimer_proc_continue()
panic: _mtx_lock_sleep: recursed on non-recursive mutex process lock @ /syzkaller/managers/i386/kernel/sys/kern/kern_eve 2 1541d 1542d 2/2 1513d 75c5cf7a720f filt_timerexpire: avoid process lock recursion
panic: _mtx_lock_sleep: recursed on non-recursive mutex process lock @ /syzkaller/managers/main/kernel/sys/kern/kern_eve 1 1542d 1542d 2/2 1513d 75c5cf7a720f filt_timerexpire: avoid process lock recursion
panic: _mtx_lock_sleep: recursed on non-recursive mutex process lock @ /syzkaller/managers/i386/kernel/sys/kern/kern_sig 1 1545d 1545d 2/2 1513d 5cc1d199412e realtimer_expire: avoid proc lock recursion when called from itimer_proc_continue()
Fatal trap 12: page fault in pmap_kextract (2) C 8 1543d 1543d 2/2 1543d 5e98cae661f3 pf: Ensure that we don't use kif passed to pfi_kkif_attach()
panic: to_ticks == 0 for timer type 5 (2) syz 2 1565d 1565d 2/2 1563d d995cc7e5431 sctp: fix handling of RTO.initial of 1 ms
panic: to_ticks == 0 for timer type 5 C 2 1591d 1591d 2/2 1586d 70e95f0b6917 sctp: avoid integer overflow when starting the HB timer
Fatal trap 12: page fault in sctp_find_alternate_net syz 131 1592d 1736d 2/2 1592d b963ce4588b3 sctp: improve computation of an alternate net
panic: pfi_dynaddr_setup: non-NULL dyn (2) C 4 1623d 1623d 2/2 1617d 7a808c5ee329 pf: Improve pf_rule input validation
Fatal trap 12: page fault in copyin_nosmap_erms C 8 1660d 1707d 2/2 1631d ea36212bf571 pf: Don't hold PF_RULES_WLOCK during copyin() on DIOCRCLRTSTATS
freebsd boot error: panic: IPI scoreboard is zero, initiator 1 target 1 9 1633d 1633d 2/2 1632d 44121a0fbee0 amd64: fix tlb shootdown when all cpus are passed in the bitmap
freebsd boot error: panic: IPI scoreboard is zero, initiator 0 target 0 3 1633d 1633d 2/2 1632d 44121a0fbee0 amd64: fix tlb shootdown when all cpus are passed in the bitmap
panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/kern/uipc_ktls.c:LINE C 11 1638d 1863d 2/2 1635d 6685e259e319 tcp: don't use KTLS socket option on listening sockets
panic: Memory modified after free ADDR(112) val=ADDR @ ADDR (2) syz 475 1640d 1883d 2/2 1639d a7aa5eea4fff sctp: improve handling of aborted associations
panic: sched_pickcpu: Failed to find a cpu. C 4 1668d 1668d 2/2 1667d f1b18a668deb cpuset_set{affinity,domain}: do not allow empty masks
Fatal trap 9: general protection fault in cpuset_setproc syz 2 1669d 1669d 2/2 1667d b2780e8537da kern: cpuset: resolve race between cpuset_lookup/cpuset_rel
panic: sleeping without a lock C 29 1673d 1839d 2/2 1671d 34af05ead3cf kern: soclose: don't sleep on SO_LINGER w/ timeout=0
panic: uma_zalloc_debug: called within spinlock or critical section C 9 1679d 1682d 2/2 1678d e07e3fa3c95c kern: cpuset: drop the lock to allocate domainsets
panic: Bad tailq NEXT(ADDR->tqh_last) != NULL (3) C 12 1681d 1682d 2/2 1680d 5d49283f8857 pf: Make tag hashing more robust
panic: fc_ioctls != NULL, but fc_nioctls=-NUM 5591 1683d 1683d 2/2 1683d 3d4ae1b3d110 kern: dup: do not assume oldfde is valid
Fatal trap 12: page fault in __mtx_lock_spin_flags 3 1687d 1692d 2/2 1686d a33fef5e25ac callout(9): Fix a race between CPU migration and callout_drain()
panic: spin lock held too long C 1 1691d 1691d 2/2 1686d a33fef5e25ac callout(9): Fix a race between CPU migration and callout_drain()
Fatal trap 12: page fault in _callout_stop_safe C 1 1691d 1691d 2/2 1686d a33fef5e25ac callout(9): Fix a race between CPU migration and callout_drain()
panic: Most recently used by pf_ifnet C 6 1724d 1724d 2/2 1723d 52b83a06184c pf: do not remove kifs that are referenced by rules
Fatal trap 9: general protection fault in sctp_lower_sosend C 22 1823d 1876d 2/2 1782d f5d30f7f7606 Improve the handling of concurrent send() calls for SCTP sockets, especially when having the explicit EOR mode enabled.
panic: in6p_lookup_mcast_ifp: not INP_IPV6 inpcb C 2 1830d 1830d 2/2 1793d cfae6a92ac01 Remove an incorrect assertion from in6p_lookup_mcast_ifp().
Fatal trap 12: page fault in uipc_ready C 5 1824d 1852d 2/2 1799d 1b778ba2609f Fix a logic error in uipc_ready_scan().
panic: witness_warn syz 1 1843d 1843d 2/2 1827d e54b7cd007b5 Fix the cleanup handling in a error path for TCP BBR.
Fatal trap 12: page fault in sctp_find_ifa_in_ep C 3 1830d 1830d 2/2 1828d 7a3f60e7f571 Fix a bug introduced in https://svnweb.freebsd.org/changeset/base/362173
freebsd test error: Fatal trap 12: page fault in in_pcb_lport_dest 9 1871d 1871d 2/2 1847d 1ec42007fec3 Fix NULL-pointer bug from r361228.
Fatal trap 12: page fault in sctp_process_control C 47 1878d 1879d 2/2 1878d 86fd36c502db Fix a copy and paste error introduced in r360878.
Fatal trap 9: general protection fault in sctp_process_control C 11 1878d 1879d 2/2 1878d 86fd36c502db Fix a copy and paste error introduced in r360878.
panic: sctp_timer_start of type 1: inp = ADDR, stcb = ADDR, net = 0 1 1883d 1883d 2/2 1879d efd5e6929194 Ensure that we have a path when starting the T3 RXT timer.
panic: sctp_timer_start of type 10: inp = ADDR, stcb->sctp_ep ADDR 1 1889d 1889d 2/2 1879d 83ed508055c0 Ensure that the SCTP iterator runs with an stcb and inp, which belong to each other.
panic: pfi_dynaddr_setup: dyn is ADDR (2) C 22 1889d 1900d 2/2 1886d 1ef06ed8def9 pf: Improve DIOCADDRULE validation
panic: mallocarray: ADDR * 1064 overflowed C 3 1897d 1901d 2/2 1893d a7c8533634ab pf: Improve input validation
Fatal trap 9: general protection fault in in6_selecthlim 25 1893d 1894d 2/2 1893d 17cb6ddba8ab Fix order of arguments in fib[46]_lookup calls in SCTP.
panic: pfi_dynaddr_setup: dyn is ADDR C 7 1901d 1905d 2/2 1900d 98582ce38183 pf: Improve ioctl() input validation
panic: Assertion size0 > 0 failed at /syzkaller/managers/main/kernel/sys/kern/subr_vmem.c:LINE C 2 1904d 1904d 2/2 1902d 95324dc3f4d2 pf: Do not allow negative ps_len in DIOCGETSTATES
panic: mtx_unlock() of destroyed mutex at sys/kern/sys_socket.c:LINE syz 1 1993d 1993d 2/2 1905d 99258935eb2b Lock the socket in soo_stat().
panic: sbfree: m ADDR !M_NOTREADY C 32 2276d 2301d 2/2 1908d dde1b5985fcc Properly handle disconnected sockets in uipc_ready().
panic: allocdirect_merge: old blkno 9384 != new 9384 || old size 4096 != new NUM 2 1913d 1913d 2/2 1909d Revert -r359612 as it can cause other panics. An updated version will be made when the issue has been resolved.
panic: Duplicate free of ADDR from zone ADDR(mbuf) slab ADDR(8) C 1 2299d 2299d 2/2 1909d 3d36b367cfb6 sbappendcontrol() needs to avoid clearing M_NOTREADY on data mbufs.
panic: to_ticks == 0 for timer type 2 C 27 1922d 1926d 2/2 1922d 25ec35535397 Handle integer overflows correctly when converting msecs and secs to ticks and vice versa. These issues were caught by recently added panic() calls on INVARIANTS systems.
panic: mtx_unlock() of spin mutex (null) @ /syzkaller/managers/i386/kernel/sys/kern/sys_socket.c:LINE 1 1944d 1944d 2/2 1930d 99258935eb2b Lock the socket in soo_stat().
panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet/ip_output.c:LINE syz 1870 1931d 1989d 2/2 1931d 2bdebd0ce3e0 A a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg().
panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet6/ip6_output.c:LINE syz 229 1931d 1989d 2/2 1931d 2bdebd0ce3e0 A a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg().
panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/netinet6/ip6_output.c:LINE C 591 1931d 1989d 2/2 1931d 2bdebd0ce3e0 A a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg().
panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/netinet/ip_output.c:LINE C 2840 1931d 1989d 2/2 1931d 2bdebd0ce3e0 A a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg().
freebsd boot error: Fatal trap 9: general protection fault in biotrack_buf 24 1970d 1970d 2/2 1931d dcebfcf3d468 Revert r357710 and 357711 until they can be debugged
panic: Most recently used by ip6opt (2) syz 4 1935d 1980d 2/2 1931d e02582d1ae44 Fix synchronization in the IPV6_2292PKTOPTIONS set handler.
panic: mutex process lock not owned at /syzkaller/managers/i386/kernel/sys/kern/kern_time.c:LINE C 33 1975d 1975d 2/2 1931d 55aa9af7e971 Remove unneeded assert for curproc. Simplify.
panic: cap_rights_is_vset:LINE (3) 1 1943d 1943d 2/2 1931d 429537caeb13 kern_dup(): Call filecaps_free_prep() in a write section.
panic: refcount ADDR wraparound C 6 1976d 1976d 2/2 1931d adbdb897689b fd: always nullify *fdp in fget* routines
panic: mutex process lock not owned at /syzkaller/managers/main/kernel/sys/kern/kern_time.c:LINE C 83 1975d 1975d 2/2 1974d 55aa9af7e971 Remove unneeded assert for curproc. Simplify.
panic: condition !vn_need_pageq_flush(vp) not met at /syzkaller/managers/main/kernel/sys/kern/vfs_subr.c:LINE (vgonel) 1 1980d 1980d 2/2 1979d 0f4d8b77c02c vfs: revert the overzealous assert added in r357285 to vgone
panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/net/if.c:LINE 3062 2094d 2094d 2/2 1990d Remove epoch assertion from if_setlladdr(). Originally this function was protected by IF_ADDR_LOCK(), which was a mutex, so that two simultaneous if_setlladdr() can't execute. Later it was switched to IF_ADDR_RLOCK(), likely by a mistake. Later it was switched to NET_EPOCH_ENTER(). Then I incorrectly added NET_EPOCH_ASSERT() here.
panic: mutex if_addr_lock not owned at /syzkaller/managers/main/kernel/sys/netinet/in_mcast.c:LINE 1 2010d 2010d 2/2 1997d 31069f383af1 Take the ifnet's address lock in igmp_v3_cancel_link_timers().
panic: pipe_destroy_write_buffer: pipe map for ADDR contains residual data syz 11 2069d 2112d 2/2 2060d 1cbfe73da570 Fix handling of PIPE_EOF in the direct write path.
panic: mutex pcbinfohash not owned at /syzkaller/managers/main/kernel/sys/netinet6/in6_pcb.c:LINE C 5 2062d 2063d 2/2 2060d c17cd08f5302 It is unclear why in6_pcblookup_local() would require write access to the PCB hash. The function doesn't modify the hash. It always asserted write lock historically, but with epoch conversion this fails in some special cases.
panic: in_pcb_lport: laddrp NULL for v4 inp ADDR C 8 2105d 2222d 2/2 2078d 4a91aa8fc9b6 Ensure that the flags indicating IPv4/IPv6 are not changed by failing bind() calls. This would lead to inconsistent state resulting in a panic. A fix for stable/11 was committed in https://svnweb.freebsd.org/base?view=revision&revision=338986 An accelerated MFC is planned as discussed with emaste@.
panic: Assertion td->td_epochnest failed at /syzkaller/managers/i386/kernel/sys/kern/subr_epoch.c:LINE 3 2094d 2094d 2/2 2086d ip6_output() has a complex set of gotos, and some can jump out of the epoch section towards return statement. Since entering epoch is cheap, it is easier to cover the whole function with epoch, rather than try to properly maintain its state.
panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet/igmp.c:LINE 2 2093d 2094d 2/2 2086d 7299f8c33d62 Enter network epoch in domain callouts.
panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet6/in6_ifattach.c:LINE syz 2 2092d 2092d 2/2 2086d in6ifa_llaonifp() is never called from fast path, so do not require epoch being entered.
Fatal trap 12: page fault in uipc_send syz 123 2095d 2227d 2/2 2094d 4013d7268446 Fix handling of empty SCM_RIGHTS messages.
freebsd boot error: panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/net/if.c:LINE 18 2094d 2095d 2/2 2094d In DIAGNOSTIC block of if_delmulti_ifma_flags() enter the network epoch. This quickly plugs the regression from r353292. The locking of multicast definitely needs a broader review today...
Fatal trap 18: integer divide fault in kern_fcntl 22 2118d 2145d 2/2 2100d 4a7b33ecf4d8 Disallow fcntl(F_READAHEAD) when the vnode is not a regular file.
panic: rcv_start < rcv_end 1 2125d 2125d 2/2 2101d Only update SACK/DSACK lists when a non-empty segment was received. This fixes hitting a KASSERT with a valid packet exchange.
Fatal trap 12: page fault in inp_freemoptions (2) syz 14 2212d 2221d 2/2 2102d Convert all IPv4 and IPv6 multicast memberships into using a STAILQ instead of a linear array.
panic: vm_page_swapqueue: page ADDR is unmanaged 1 2112d 2112d 2/2 2105d 3a79b409bb89 Fix a race in vm_page_swapqueue().
freebsd boot error: panic: sched_pickcpu: Failed to find a cpu. 30 2108d 2108d 2/2 2107d 967c0718849e Fix wrong assertion in r352658.
panic: m_getm2: len is < 0 syz 13 2295d 2300d 2/2 2109d 2ef5bd2f0c46 Limit the number of bytes which can be queued for SCTP sockets. This is joint work with rrs@. Reported by: syzbot+307f167f9bc214f095bc@syzkaller.appspotmail.com MFC after: 1 week
panic: indir_trunc: Bad indirdep 0 from buf ADDR 1 2219d 2219d 2/2 2165d 577fca0e204d Lock the vnode before calling ufs_bmap_seekdata().
panic: ffs_blkfree_cg: freeing free block (2) 2 2235d 2256d 2/2 2165d 577fca0e204d Lock the vnode before calling ufs_bmap_seekdata().
Fatal trap 9: general protection fault in sctp_copy_skeylist syz 3 2218d 2218d 2/2 2180d 8a956abe12c6 When calling sctp_initialize_auth_params(), the inp must have at least a read lock. To avoid more complex locking dances, just call it in sctp_aloc_assoc() when the write lock is still held.
panic: udp6_output: non-excl udbinfo lock, excl inp lock: pcbinfo ADDR 0x1 inp ADDR 0x2 1 2201d 2201d 2/2 2181d 9e44bc22d884 r348494 fixes a race in udp_output(). The same race exists in udp_output6(), therefore apply a similar patch to IPv6.
panic: Most recently used by tty syz 24 2233d 2248d 2/2 2190d 6a01874c5afa Defer funsetown() calls for a TTY to tty_rel_free().
freebsd boot error: panic: Bad entry start/end for new stack entry 9 2199d 2199d 2/2 2192d 639f3e01b444 Revert r349393, which leads to an assertion failure on bootup, in vm_map_stack_locked.
panic: cap_rights_is_vset:LINE syz 3 2214d 2214d 2/2 2195d 7c3703a69466 Use a consistent snapshot of the fd's rights in fget_mmap().
Fatal trap 12: page fault in vm_page_unhold_pages C 1169 2203d 2297d 2/2 2195d 02476c44c5eb Fix mutual exclusion in pipe_direct_write().
panic: udp_output: shared udbinfo lock, excl inp lock (2) syz 7 2237d 2255d 2/2 2223d eafaa1bc35e9 After parts of the locking fixes in r346595, syzkaller found another one in udp_output(). This one is a race condition. We do check on the laddr and lport without holding a lock in order to determine whether we want a read or a write lock (this is in the "sendto/sendmsg" cases where addr (sin) is given).
Fatal trap 12: page fault in inp_freemoptions C 11 2243d 2297d 1/2 2241d 5a1e222bfda7 Close some races in multicast socket option handling.
panic: inp_leave_group: imf_sources not empty C 6 2243d 2264d 1/2 2241d 5a1e222bfda7 Close some races in multicast socket option handling.
panic: vm_object_vndeallocate: bad object reference count C 974 2242d 2242d 1/2 2242d 8cd6a80d7d68 Restore the pre-r347532 behaviour of ignoring wiring failures in mmap().
panic: ffs_blkfree_cg: freeing free block C 5 2299d 2299d 1/2 2256d a7a455c299b0 Optimize lseek(SEEK_DATA) on UFS.
panic: udp_output: shared udbinfo lock, excl inp lock C 46 2264d 2302d 1/2 2263d d86ecbe993a7 iFix udp_output() lock inconsistency.
Fatal trap 12: page fault in in6_cksum_partial syz 6 2266d 2296d 1/2 2266d 70a0f3dcdc1f When a checksum has to be computed for a received IPv6 packet because it is requested by the application using the IPPROTO_IPV6 level socket option IPV6_CHECKSUM on a raw socket, ensure that the packet contains enough bytes to contain the checksum at the specified offset.
panic: rtrequest1_fib: locked C 10 2273d 2299d 1/2 2271d e6481fd4c46a When sending a routing message, don't allow the user to set the RTF_RNH_LOCKED flag in rtm_flags, since this flag is used only internally.
panic: inp_join_group: imf_sources not empty C 398 2275d 2302d 1/2 2275d f1ef572a1ecd Reinitialize multicast source filter structures after invalidation.
Fatal trap 12: page fault in __mtx_assert syz 4 2292d 2294d 1/2 2290d 7854c63d6fbe Fix a small bug in the tcp_log_id where the bucket was unlocked and yet the bucket-unlock flag was not changed to false. This can cause a panic if INVARIANTS is on and we go through the right path (though rare).
panic: Can't clear local locks with F_UNLCKSYS C 9 2292d 2301d 1/2 2291d fd76e780a7c0 Reject F_SETLK_REMOTE commands when sysid == 0.
panic: Counter goes negative C 2 2298d 2298d 1/2 2292d 0d3cf13dabf8 Fix a signed/unsigned bug when receiving SCTP messages. This is joint work with rrs@.
panic: tcp_output: mbuf chain shorter than expected: 0 + 60 + 24 - 0 != 60 C 2 2300d 2300d 1/2 2294d 05fb056c068d Fix a KASSERT() in tcp_output().
panic: tcp_output: mbuf chain shorter than expected: 0 + 60 + 28 - 0 != 60 1 2297d 2297d 1/2 2294d 05fb056c068d Fix a KASSERT() in tcp_output().
panic: tcp_output: mbuf chain shorter than expected: 0 + 60 + 12 - 0 != 60 1 2301d 2301d 1/2 2294d 05fb056c068d Fix a KASSERT() in tcp_output().
panic: pmap_demote_pde: page table page for a wired mapping is missing C 56 2295d 2300d 1/2 2295d 64087fd7f372 Disallow preemptive creation of wired superpage mappings.
panic: invalid dst page ADDR C 33 2297d 2301d 1/2 2296d 45d72c7d7fca vm_fault_copy_entry: accept invalid source pages.