syzbot


| Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Closed | Patch |
|---|---|---|---|---|---|---|---|---|
| freebsd boot error: can't ssh into the instance | | | | 22 | 7d11h | 8d03h | 7d09h | fork: Copy the vm_stacktop field into the new vmspace |
| panic: lock ADDR is not initialized | | | | 1457 | 9d07h | 11d | 9d07h | pf: ensure we don't destroy an uninitialised lock |
| Fatal trap NUM: page fault in inp_next | syz | | | 3 | 28d | 33d | 24d | in_pcb: improve inp_next() |
| panic: mutex blocked lock not owned at /syzkaller/managers/main/kernel/sys/kern/sched_ule.c:LINE | C | | | 33 | 24d | 25d | 24d | callout: Wait for the softclock thread to switch before rescheduling |
| Fatal trap NUM: page fault in tcp_usr_send | syz | | | 1 | 28d | 28d | 27d | tcp_usr_shutdown: don't cast inp_ppcb to tcpcb before checking inp_flags |
| panic: overhead (NUM) not a multiple of NUM | C | | | 248 | 28d | 29d | 28d | sctp: check that the computed frag point is a multiple of 4 |
| Fatal trap NUM: page fault in tcp_usr_shutdown | C | | | 5 | 28d | 29d | 28d | tcp_usr_shutdown: don't cast inp_ppcb to tcpcb before checking inp_flags |
| Fatal trap NUM: page fault in tcp_usr_rcvd | C | | | 7 | 29d | 30d | 29d | tcp_usr_rcvd: don't cast inp_ppcb to tcpcb before checking inp_flags |
| panic: m_apply, offset > size of mbuf chain | C | | | 2 | 35d | 35d | 29d | sctp: cleanup the SCTP_MAXSEG socket option. |
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/net/if.c:LINE (2) | C | | | 314 | 39d | 43d | 38d | netinet6: ip6_setpktopt() requires NET_EPOCH |
| panic: ASan: Invalid access, 2-byte read at ADDR, UMAUseAfterFree(fd) | C | | | 1103 | 40d | 201d | 40d | udp: Fix a use-after-free in udp_multi_input() |
| Fatal trap NUM: page fault in memcpy_erms | C | | | 306 | 40d | 47d | 40d | cryptosoft: Don't treat CRYPTO_NULL_HMAC as an hmac algorithm. |
| Fatal trap NUM: page fault while in kernel mode (2) | | | | 1 | 54d | 54d | 43d | tcp_drain(): initialize the inpcb iterator when curvnet is set |
| Fatal trap NUM: page fault in tcp_drain | | | | 12 | 53d | 54d | 43d | tcp_drain(): initialize the inpcb iterator when curvnet is set |
| panic: Lock tcpinp not exclusively locked @ /syzkaller/managers/i386/kernel/sys/netinet/tcp_log_buf.c:LINE | | | | 13 | 72d | 75d | 72d | tcp: Fix a locking issue related to logging |
| panic: Lock tcpinp not exclusively locked @ /syzkaller/managers/main/kernel/sys/netinet/tcp_log_buf.c:LINE | | | | 6 | 72d | 75d | 72d | tcp: Fix a locking issue related to logging |
| panic: witness_warn (2) | | | | 29 | 73d | 75d | 73d | tcp: Fix a locking issue |
| panic: chacha20_poly1305_reinit: invalid nonce length | | | | 2 | 84d | 84d | 77d | crypto: Don't assert on valid IV length for Chacha20-Poly1305. |
| panic: condition vp->v_type == VDIR \|\| VN_IS_DOOMED(vp) not met at /syzkaller/managers/i386/kernel/sys/kern/vfs_cache.c: | | | | 1 | 96d | 96d | 90d | cache: only let non-dir descriptors through when doing EMPTYPATH lookups |
| Fatal trap NUM: page fault in filt_bpfwrite | C | | | 4 | 98d | 104d | 91d | bpf: Fix the write filter for detached descriptors |
| panic: ASan: Invalid access, NUM-byte read in newreno_cong_signal | C | | | 4 | 92d | 95d | 91d | tcp: allow new reno functions to be called from other CC modules |
| panic: ASan: Invalid access, NUM-byte read in newreno_ack_received | | | | 2 | 93d | 93d | 91d | tcp: allow new reno functions to be called from other CC modules |
| panic: Assertion (cnp->cn_flags & (LOCKPARENT \| WANTPARENT)) == NUM failed at /syzkaller/managers/main/kernel/sys/kern/v | C | | | 87 | 100d | 101d | 100d | cache: only assert on flags when dealing with EMPTYPATH |
| panic: TLS trailer length too long: NUM | C | | | 2 | 109d | 109d | 104d | ktls: Reject attempts to enable AES-CBC with TLS 1.3. |
| panic: filesystem goof: vop_panic[vop_readdir] | | | | 1 | 109d | 109d | 104d | mount: Check for !VDIR mount points before handling -o emptydir |
| freebsd build error (9) | | | | 1 | 106d | 106d | 105d | Revert "bootstrap: No need to disable shared libraries for bootstrap tools" |
| panic: invalid payload start | | | | 6 | 131d | 243d | 110d | cryptodev: Allow some CIOCCRYPT operations with an empty payload. |
| panic: filt_timerattach: periodic timer has a calculated zero timeout | | | | 12 | 115d | 116d | 115d | kqueue: fix recent assertion |
| panic: strq ADDR not scheduled | | | | 12189 | 115d | 119d | 115d | sctp: don't keep being locked on a stream which is removed |
| panic: strq ADDR is not scheduled | | | | 541 | 118d | 119d | 118d | sctp: provide a specific stream scheduler function for FCFS |
| Fatal trap NUM: page fault in sctp_ss_rrp_packet_done | | | | 328 | 118d | 122d | 118d | sctp: fix usage of stream scheduler functions |
| panic: _mtx_lock_sleep: recursed on non-recursive mutex sctp-send-tcb @ /syzkaller/managers/i386/kernel/sys/netinet/sctp | | | | 2 | 119d | 121d | 118d | sctp: avoid locking an already locked mutex |
| Fatal trap NUM: page fault while in kernel mode | | | | 177 | 118d | 122d | 118d | sctp: fix usage of stream scheduler functions |
| panic: _mtx_lock_sleep: recursed on non-recursive mutex sctp-send-tcb @ /syzkaller/managers/main/kernel/sys/netinet/sctp | | | | 10 | 119d | 122d | 118d | sctp: avoid locking an already locked mutex |
| Fatal trap NUM: page fault in sctp_ss_default_select | | | | 20939 | 118d | 122d | 118d | sctp: fix usage of stream scheduler functions |
| Fatal trap NUM: page fault in sctp_ss_fb_select | | | | 12 | 119d | 122d | 118d | sctp: fix usage of stream scheduler functions |
| Fatal trap NUM: page fault in sctp_ss_prio_select | | | | 761 | 118d | 122d | 118d | sctp: fix usage of stream scheduler functions |
| panic: runtime error: invalid memory address or nil pointer dereference | | | | 12 | 120d | 122d | 120d | amd64 sendsig: fix context corruption |
| freebsd boot error: panic: ASan: Invalid access, NUM-byte read at ADDR, UseAfterScope(f8) | | | | 270 | 122d | 126d | 122d | amd64: Avoid copying td_frame from kernel procs |
| panic: ASan: Invalid access, 2-byte read in sctp_ss_prio_add | | | | 1 | 196d | 196d | 126d | sctp: use a valid outstream when adding it to the scheduler |
| Fatal trap 9: general protection fault in sctp_ss_prio_add | | | | 1 | 214d | 214d | 127d | sctp: use a valid outstream when adding it to the scheduler |
| Fatal trap 12: page fault in sctp_ss_default_add (2) | | | | 1 | 204d | 204d | 127d | sctp: use a valid outstream when adding it to the scheduler |
| panic: ASan: Invalid access, 8-byte read in sctp_ss_default_add | | | | 326 | 130d | 199d | 127d | sctp: use a valid outstream when adding it to the scheduler |
| panic: Bad tailq NEXT(ADDR->tqh_last) != NULL (4) | C | | | 147 | 202d | 426d | 127d | sctp: use a valid outstream when adding it to the scheduler |
| panic: ASan: Invalid access, 8-byte read in sctp_ss_fb_add | | | | 22 | 164d | 198d | 127d | sctp: use a valid outstream when adding it to the scheduler |
| panic: ASan: Invalid access, 8-byte read in kern_sendit | | | | 2 | 131d | 171d | 128d | freebsd32: Fix a double copyin in sendmsg() and recvmsg() |
| panic: Bad link elm ADDR prev->next != elm (2) | | | | 8 | 128d | 140d | 128d | sctp: fix FCFS stream scheduler |
| Fatal trap 12: page fault while in kernel mode (3) | C | | | 140 | 130d | 736d | 130d | socket: Synchronize soshutdown() with listen(2) and AIO |
| Fatal trap 12: page fault in soo_aio_queue | C | | | 349 | 130d | 235d | 130d | socket: Synchronize soshutdown() with listen(2) and AIO |
| panic: Assertion done != job_total_nbytes failed at /syzkaller/managers/main/kernel/sys/kern/sys_socket.c:LINE | C | | | 3 | 142d | 206d | 133d | sctp: Allow blocking on I/O locks even with non-blocking sockets |
| Fatal trap 12: page fault in __mtx_lock_flags | C | | | 1065 | 136d | 635d | 136d | sctp: Tighten up locking around sctp_aloc_assoc() |
| panic: Assertion job->uiop != &job->uio && job->uiop != NULL failed at /syzkaller/managers/i386/kernel/sys/kern/vfs_aio. | | | | 1 | 140d | 140d | 136d | aio: Fix up the opcode in aiocb32_copyin() |
| panic: ASan: Invalid access, 4-byte read in sctp_sendall_completes | | | | 39 | 140d | 198d | 136d | sctp: Fix iterator synchronization in sctp_sendall() |
| panic: Assertion owner->td_proc->p_magic == P_MAGIC failed at /syzkaller/managers/i386/kernel/sys/kern/subr_turnstile.c: (2) | | | | 9 | 188d | 281d | 137d | aio: Interlock with listen(2) |
| panic: ASan: Invalid access, 1-byte read in udp6_common_ctlinput | | | | 1 | 179d | 179d | 137d | net: Enter a net epoch around protocol if_up/down notifications |
| panic: unexpected security protocol NUM | syz | | | 7 | 138d | 153d | 137d | ipsec: Validate the protocol identifier in ipsec4_ctlinput() |
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/i386/kernel/sys/kern/sys_socket.c:LINE (2) | | | | 68 | 142d | 232d | 137d | aio: Interlock with listen(2) |
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/kern/sys_socket.c:LINE (2) | C | | | 109 | 140d | 235d | 137d | aio: Interlock with listen(2) |
| panic: Assertion owner->td_proc->p_magic == P_MAGIC failed at /syzkaller/managers/main/kernel/sys/kern/subr_turnstile.c: | C | | | 46 | 200d | 456d | 137d | aio: Interlock with listen(2) |
| panic: Lock sctp-info not exclusively locked @ /syzkaller/managers/main/kernel/sys/netinet/sctp_pcb.c:LINE | C | | | 363 | 138d | 138d | 138d | sctp: use appropriate argument when freeing association |
| panic: ASan: Invalid access, 8-byte read in osd_get | | | | 13 | 139d | 198d | 138d | osd: Fix racy assertions |
| Fatal trap 9: general protection fault in strlen | C | | | 1506 | 203d | 961d | 138d | sctp: Clear assoc socket references when freeing a PCB |
| panic: mtx_lock() of destroyed mutex at sys/kern/uipc_sockbuf.c:LINE | syz | | | 4 | 288d | 478d | 138d | sctp: Clear assoc socket references when freeing a PCB |
| panic: mutex so_snd not owned at /syzkaller/managers/i386/kernel/sys/kern/uipc_sockbuf.c:LINE | syz | | | 1 | 432d | 432d | 138d | sctp: Clear assoc socket references when freeing a PCB |
| panic: __rw_wlock_hard: recursing but non-recursive rw sctp-info @ /syzkaller/managers/main/kernel/sys/netinet/sctp_pcb. | C | | | 131 | 139d | 139d | 139d | sctp: Fix lock recursion in sctp_swap_inpcb_for_listen() |
| panic: __rw_wlock_hard: recursing but non-recursive rw sctp-info @ /syzkaller/managers/i386/kernel/sys/netinet/sctp_pcb. | | | | 111 | 139d | 139d | 139d | sctp: Fix lock recursion in sctp_swap_inpcb_for_listen() |
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE | syz | | | 707 | 162d | 1047d | 139d | socket: Properly interlock when transitioning to a listening socket |
| panic: ASan: Invalid access, NUM-byte read in strncmp | C | | | 12 | 140d | 144d | 140d | g_label: Handle small sector sizes when tasting |
| Fatal trap 12: page fault in knlist_remove_kq | | | | 3 | 211d | 219d | 145d | kevent: Fix races between timer detach and kqtimer_proc_continue() |
| Fatal trap 12: page fault in filt_timerdetach | | | | 1 | 215d | 215d | 145d | kevent: Fix races between timer detach and kqtimer_proc_continue() |
| panic: ASan: Invalid access, 8-byte read in sctp_free_assoc | | | | 112 | 146d | 199d | 146d | sctp: Hold association locks across socket wakeups when freeing |
| Fatal trap 9: general protection fault in sctp_free_assoc | syz | | | 14 | 208d | 516d | 146d | sctp: Hold association locks across socket wakeups when freeing |
| Fatal trap 9: general protection fault in itimer_proc_continue | syz | | | 2 | 240d | 240d | 147d | itimer: Serialize access to the p_itimers array |
| panic: ASan: Invalid access, 1-byte read at ADDR, RedZonePartial(2) | | | | 17 | 200d | 202d | 147d | graid: Avoid tasting devices with small sector sizes |
| panic: ASan: Invalid access, 8-byte read in itimer_proc_continue | | | | 1 | 185d | 185d | 147d | itimer: Serialize access to the p_itimers array |
| panic: ASan: Invalid access, 1-byte read at ADDR, RedZonePartial(1) | | | | 13 | 157d | 201d | 147d | graid: Avoid tasting devices with small sector sizes |
| panic: ASan: Invalid access, 1-byte read in g_raid_md_taste_ddf | C | | | 18 | 152d | 199d | 147d | graid: Avoid tasting devices with small sector sizes |
| panic: ASan: Invalid access, 2-byte read in g_raid_md_taste_sii | C | | | 7 | 160d | 185d | 147d | graid: Avoid tasting devices with small sector sizes |
| panic: Bad list head ADDR first->prev != head | C | | | 3409 | 147d | 1044d | 147d | sctp: Fix racy UNBOUND flag check in sctp_inpcb_bind() |
| panic: ASan: Invalid access, 16-byte read at ADDR, RedZonePartial(7) | | | | 28 | 200d | 202d | 148d | aesni: Avoid a potential out-of-bounds load in aes_encrypt_icm() |
| panic: ASan: Invalid access, 16-byte read at ADDR, RedZonePartial(6) | | | | 20 | 200d | 202d | 148d | aesni: Avoid a potential out-of-bounds load in aes_encrypt_icm() |
| panic: ASan: Invalid access, 8-byte read at ADDR, StackMiddle(f2) | | | | 18 | 200d | 202d | 148d | x86: Mark the trapframe as initialized in ipi_bitmap_handler() |
| panic: ASan: Invalid access, 16-byte read at ADDR, RedZonePartial(3) | | | | 9 | 200d | 201d | 148d | aesni: Avoid a potential out-of-bounds load in aes_encrypt_icm() |
| panic: ASan: Invalid access, 16-byte read in aesni_encrypt_icm | C | | | 114 | 149d | 200d | 148d | aesni: Avoid a potential out-of-bounds load in aes_encrypt_icm() |
| panic: Assertion lock == sq->sq_lock failed at /syzkaller/managers/i386/kernel/sys/kern/subr_sleepqueue.c:LINE | | | | 1 | 227d | 227d | 162d | sigtimedwait: Use a unique wait channel for sleeping |
| panic: Assertion lock == sq->sq_lock failed at /syzkaller/managers/main/kernel/sys/kern/subr_sleepqueue.c:LINE (2) | C | | | 7 | 204d | 227d | 162d | sigtimedwait: Use a unique wait channel for sleeping |
| panic: ASan: Invalid access, 4-byte read in sctp6_connect | | | | 64 | 175d | 200d | 171d | sctp: improve handling of IPv4 addresses on IPV6 sockets. Reported by: syzbot+08fe66e4bfc2777cba95@syzkaller.appspotmail.com. MFC after: 3 days |
| panic: ASan: Invalid access, 4-byte read in sctp_sosend | C | | | 518 | 171d | 200d | 171d | sctp: improve input validation of mapped addresses in send(). Reported by: syzbot+35528f275f2eea6317cc@syzkaller.appspotmail.com. Reported by: syzbot+ac29916d5f16d241553d@syzkaller.appspotmail.com. MFC after: 3 days |
| freebsd boot error: panic: sleeping without a lock | | | | 6 | 173d | 173d | 172d | ktls: fix a panic with INVARIANTS |
| panic: ASan: Invalid access, 4-byte read in tcp_usr_bind | C | | | 50 | 173d | 198d | 173d | tcp, udp: improve input validation in handling bind() |
| panic: ASan: Invalid access, 4-byte read in udp_bind | C | | | 69 | 173d | 199d | 173d | tcp, udp: improve input validation in handling bind() |
| panic: pmap_growkernel: no memory to grow kernel (2) | syz | | | 299 | 176d | 636d | 173d | pf: bound DIOCGETSTATES memory use |
| panic: pmap_kasan_enter_alloc_4k: no memory to grow shadow map | C | | | 20 | 176d | 195d | 173d | pf: bound DIOCGETSTATES memory use |
| panic: vm_fault_lookup: fault on nofault entry, addr: ADDR (2) | C | | | 75 | 212d | 256d | 181d | pf: Validate user string nul-termination before copying |
| freebsd boot error: panic: ASan: Invalid access, 1-byte read at ADDR, MallocRedZone(fb) | | | | 156 | 196d | 202d | 196d | uart: Fix an out-of-bounds read in ns8250_bus_probe() |
| panic: Assertion (cnp->cn_flags & (LOCKPARENT \| WANTPARENT)) == 0 failed at /syzkaller/managers/main/kernel/sys/kern/vfs | C | | | 4 | 258d | 258d | 198d | vn_open_cred(): disallow O_CREAT \| O_EMPTY_PATH |
| panic: ASan: Invalid access, 32-byte read at ADDR, StackMiddle(f2) | | | | 1 | 200d | 200d | 199d | x86: Mark the trapframe as initialized in ipi_bitmap_handler() |
| panic: ASan: Invalid access, 8-byte read in handleevents | | | | 34 | 199d | 200d | 199d | x86: Mark the trapframe as initialized in ipi_bitmap_handler() |
| panic: thread_lock() of sleep mutex \`\*Fv @ /syzkaller/managers/main/kernel/sys/kern/kern_switch.c:LINE | | | | 1 | 241d | 241d | 238d | amd64: Avoid enabling interrupts when handling kernel mode prot faults |
| panic: thread_lock() of sleep mutex \` @ /syzkaller/managers/main/kernel/sys/kern/kern_switch.c:LINE | C | | | 1 | 241d | 241d | 238d | amd64: Avoid enabling interrupts when handling kernel mode prot faults |
| panic: Assertion p2->p_ktrioparms == NULL failed at /syzkaller/managers/i386/kernel/sys/kern/kern_ktrace.c:LINE | | | | 1 | 246d | 246d | 243d | ktrace: Fix a race with fork() |
| panic: Assertion p2->p_ktrioparms == NULL failed at /syzkaller/managers/main/kernel/sys/kern/kern_ktrace.c:LINE | | | | 1 | 246d | 246d | 243d | ktrace: Fix a race with fork() |
| Fatal trap 12: page fault in rack_process_to_cumack (2) | syz | | | 3 | 246d | 246d | 244d | tcp: Fix bugs related to the PUSH bit and rack and an ack war |
| panic: refcount ADDR wraparound (3) | C | | | 9 | 247d | 247d | 247d | ktrace: Remove vrele() at the end of ktr_writerequest() |
| panic: Non-zero write count | | | | 98 | 247d | 247d | 247d | ktrace: Remove vrele() at the end of ktr_writerequest() |
| Fatal trap 9: general protection fault in rack_ctloutput | syz | | | 2 | 250d | 250d | 248d | tcp: Handle stack switch while processing socket options |
| panic: ktrace_enter: flag set | C | | | 44 | 248d | 250d | 248d | ktrace: Avoid recursion in namei() |
| panic: _mtx_lock_sleep: recursed on non-recursive mutex so_snd @ /syzkaller/managers/i386/kernel/sys/modules/tcp/rack/.. | | | | 4 | 249d | 249d | 249d | rack: honor prior socket buffer lock when doing the upcall |
| panic: _mtx_lock_sleep: recursed on non-recursive mutex so_snd @ /syzkaller/managers/main/kernel/sys/modules/tcp/rack/.. | | | | 2 | 249d | 249d | 249d | rack: honor prior socket buffer lock when doing the upcall |
| panic: Memory modified after free ADDR(4096) val=ADDR @ ADDR | C | | | 1 | 253d | 253d | 249d | tcp: Fix sending of TCP segments with IP level options |
| freebsd boot error: panic: scsi_action: ccb ADDR, func_code 0x6 should not be allocated from UMA zone | | | | 42 | 254d | 255d | 253d | virtio_scsi: Zero stack-allocated CCBs |
| Fatal trap 12: page fault in callout_process (2) | | | | 7 | 259d | 287d | 256d | kqueue timer: Remove detached knotes from the process stop queue |
| Fatal trap 9: general protection fault in kqtimer_proc_continue | | | | 109 | 257d | 290d | 256d | kqueue timer: Remove detached knotes from the process stop queue |
| panic: releasing active pmap ADDR | C | | | 11 | 258d | 301d | 257d | fork: Suspend other threads if both RFPROC and RFMEM are not set |
| panic: pmap active ADDR | C | | | 5 | 264d | 301d | 257d | fork: Suspend other threads if both RFPROC and RFMEM are not set |
| Fatal trap 18: integer divide fault in realtimer_expire_l | C | | | 15 | 258d | 285d | 257d | posix timers: Check for overflow when converting to ns |
| Fatal trap 18: integer divide fault in realtimer_expire | C | | | 20 | 288d | 310d | 257d | posix timers: Check for overflow when converting to ns |
| Fatal trap 9: general protection fault in crypto_ioctl | | | | 1 | 263d | 263d | 258d | cryptodev: Fix some input validation bugs |
| panic: crp_iv_start set when IV isn't used | C | | | 2 | 262d | 262d | 258d | cryptodev: Fix some input validation bugs |
| panic: vm_fault_lookup: fault on nofault entry, addr: ADDR | | | | 5 | 262d | 299d | 258d | vfs: Fix error handling in vn_fullpath_hardlink() |
| panic: IV outside buffer length | C | | | 16 | 258d | 264d | 258d | cryptodev: Fix some input validation bugs |
| Fatal trap 9: general protection fault in mb_free_ext | | | | 1 | 260d | 260d | 258d | cryptodev: Fix some input validation bugs |
| panic: More encryption data than allowed | C | | | 2 | 260d | 260d | 258d | cryptodev: Fix some input validation bugs |
| panic: AEAD without a separate IV | C | | | 25 | 258d | 264d | 258d | cryptodev: Fix some input validation bugs |
| Fatal trap 12: page fault in memcpy_erms | C | | | 2 | 260d | 260d | 258d | cryptodev: Fix some input validation bugs |
| panic: IV_SEPARATE set when IV isn't used | C | | | 4 | 260d | 262d | 258d | cryptodev: Fix some input validation bugs |
| panic: _mtx_lock_sleep: recursed on non-recursive mutex process lock @ /syzkaller/managers/main/kernel/sys/kern/kern_sig | syz | | | 2 | 287d | 287d | 258d | realtimer_expire: avoid proc lock recursion when called from itimer_proc_continue() |
| panic: _mtx_lock_sleep: recursed on non-recursive mutex process lock @ /syzkaller/managers/i386/kernel/sys/kern/kern_eve | | | | 2 | 287d | 288d | 258d | filt_timerexpire: avoid process lock recursion |
| panic: _mtx_lock_sleep: recursed on non-recursive mutex process lock @ /syzkaller/managers/main/kernel/sys/kern/kern_eve | | | | 1 | 288d | 288d | 258d | filt_timerexpire: avoid process lock recursion |
| panic: _mtx_lock_sleep: recursed on non-recursive mutex process lock @ /syzkaller/managers/i386/kernel/sys/kern/kern_sig | | | | 1 | 290d | 290d | 258d | realtimer_expire: avoid proc lock recursion when called from itimer_proc_continue() |
| Fatal trap 12: page fault in pmap_kextract (2) | C | | | 8 | 288d | 289d | 288d | pf: Ensure that we don't use kif passed to pfi_kkif_attach() |
| panic: to_ticks == 0 for timer type 5 (2) | syz | | | 2 | 310d | 310d | 308d | sctp: fix handling of RTO.initial of 1 ms |
| panic: to_ticks == 0 for timer type 5 | C | | | 2 | 336d | 336d | 332d | sctp: avoid integer overflow when starting the HB timer |
| Fatal trap 12: page fault in sctp_find_alternate_net | syz | | | 131 | 338d | 481d | 337d | sctp: improve computation of an alternate net |
| panic: pfi_dynaddr_setup: non-NULL dyn (2) | C | | | 4 | 369d | 369d | 362d | pf: Improve pf_rule input validation |
| Fatal trap 12: page fault in copyin_nosmap_erms | C | | | 8 | 406d | 452d | 377d | pf: Don't hold PF_RULES_WLOCK during copyin() on DIOCRCLRTSTATS |
| freebsd boot error: panic: IPI scoreboard is zero, initiator 1 target 1 | | | | 9 | 378d | 378d | 378d | amd64: fix tlb shootdown when all cpus are passed in the bitmap |
| freebsd boot error: panic: IPI scoreboard is zero, initiator 0 target 0 | | | | 3 | 378d | 378d | 378d | amd64: fix tlb shootdown when all cpus are passed in the bitmap |
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/kern/uipc_ktls.c:LINE | C | | | 11 | 384d | 609d | 381d | tcp: don't use KTLS socket option on listening sockets |
| panic: Memory modified after free ADDR(112) val=ADDR @ ADDR (2) | syz | | | 475 | 385d | 629d | 385d | sctp: improve handling of aborted associations |
| panic: sched_pickcpu: Failed to find a cpu. | C | | | 4 | 413d | 414d | 413d | 387ed1c633ec cpuset_set{affinity,domain}: do not allow empty masks |
| Fatal trap 9: general protection fault in cpuset_setproc | syz | | | 2 | 414d | 414d | 413d | 7797617b36d1 kern: cpuset: resolve race between cpuset_lookup/cpuset_rel |
| panic: sleeping without a lock | C | | | 29 | 418d | 584d | 417d | ccc7c37f7f1e kern: soclose: don't sleep on SO_LINGER w/ timeout=0 |
| panic: uma_zalloc_debug: called within spinlock or critical section | C | | | 9 | 424d | 428d | 423d | b57c24f1c99a kern: cpuset: drop the lock to allocate domainsets |
| panic: Bad tailq NEXT(ADDR->tqh_last) != NULL (3) | C | | | 12 | 427d | 428d | 426d | d641b8b5198f pf: Make tag hashing more robust |
| panic: fc_ioctls != NULL, but fc_nioctls=-NUM | | | | 5591 | 428d | 429d | 428d | 3d4ae1b3d110 kern: dup: do not assume oldfde is valid |
| Fatal trap 12: page fault in __mtx_lock_spin_flags | | | | 3 | 433d | 437d | 432d | 24a92577ae4a callout(9): Fix a race between CPU migration and callout_drain() |
| panic: spin lock held too long | C | | | 1 | 437d | 437d | 432d | 24a92577ae4a callout(9): Fix a race between CPU migration and callout_drain() |
| Fatal trap 12: page fault in _callout_stop_safe | C | | | 1 | 437d | 437d | 432d | 24a92577ae4a callout(9): Fix a race between CPU migration and callout_drain() |
| panic: Most recently used by pf_ifnet | C | | | 6 | 470d | 470d | 469d | a91340b6cb2b pf: do not remove kifs that are referenced by rules |
| Fatal trap 9: general protection fault in sctp_lower_sosend | C | | | 22 | 569d | 621d | 527d | a62795a30ffc Improve the handling of concurrent send() calls for SCTP sockets, especially when having the explicit EOR mode enabled. |
| panic: in6p_lookup_mcast_ifp: not INP_IPV6 inpcb | C | | | 2 | 575d | 575d | 539d | 774824c1fda2 Remove an incorrect assertion from in6p_lookup_mcast_ifp(). |
| Fatal trap 12: page fault in uipc_ready | C | | | 5 | 569d | 597d | 544d | d058b7c3b1eb Fix a logic error in uipc_ready_scan(). |
| panic: witness_warn | syz | | | 1 | 589d | 589d | 573d | f84906429677 Fix the cleanup handling in an error path for TCP BBR. |
| Fatal trap 12: page fault in sctp_find_ifa_in_ep | C | | | 3 | 576d | 576d | 573d | 3a67faed10c4 Fix a bug introduced in https://svnweb.freebsd.org/changeset/base/362173 |
| freebsd test error: Fatal trap 12: page fault in in_pcb_lport_dest | | | | 9 | 617d | 617d | 593d | 1ec42007fec3 Fix NULL-pointer bug from r361228. |
| Fatal trap 12: page fault in sctp_process_control | C | | | 47 | 623d | 624d | 623d | 53e0269fab4f Fix a copy and paste error introduced in r360878. |
| Fatal trap 9: general protection fault in sctp_process_control | C | | | 11 | 623d | 624d | 623d | 53e0269fab4f Fix a copy and paste error introduced in r360878. |
| panic: sctp_timer_start of type 1: inp = ADDR, stcb = ADDR, net = 0 | | | | 1 | 629d | 629d | 624d | 541cb8e134d9 Ensure that we have a path when starting the T3 RXT timer. |
| panic: sctp_timer_start of type 10: inp = ADDR, stcb->sctp_ep ADDR | | | | 1 | 634d | 634d | 624d | c3ef0c259239 Ensure that the SCTP iterator runs with an stcb and inp, which belong to each other. |
| panic: pfi_dynaddr_setup: dyn is ADDR (2) | C | | | 22 | 635d | 646d | 632d | 0300ecad73f7 pf: Improve DIOCADDRULE validation |
| panic: mallocarray: ADDR * 1064 overflowed | C | | | 3 | 642d | 646d | 639d | 4cc49383369b pf: Improve input validation |
| Fatal trap 9: general protection fault in in6_selecthlim | | | | 25 | 639d | 640d | 639d | 770f0899b4ff Fix order of arguments in fib[46]_lookup calls in SCTP. |
| panic: pfi_dynaddr_setup: dyn is ADDR | C | | | 7 | 647d | 651d | 646d | 96abf553f822 pf: Improve ioctl() input validation |
| panic: Assertion size0 > 0 failed at /syzkaller/managers/main/kernel/sys/kern/subr_vmem.c:LINE | C | | | 2 | 650d | 650d | 648d | 9319f3ce0296 pf: Do not allow negative ps_len in DIOCGETSTATES |
| panic: mtx_unlock() of destroyed mutex at sys/kern/sys_socket.c:LINE | syz | | | 1 | 739d | 739d | 651d | bfee51521ac8 Lock the socket in soo_stat(). |
| panic: sbfree: m ADDR !M_NOTREADY | C | | | 32 | 1021d | 1046d | 653d | dde1b5985fcc Properly handle disconnected sockets in uipc_ready(). |
| panic: allocdirect_merge: old blkno 9384 != new 9384 \|\| old size 4096 != new NUM | | | | 2 | 659d | 659d | 654d | Revert -r359612 as it can cause other panics. An updated version will be made when the issue has been resolved. |
| panic: Duplicate free of ADDR from zone ADDR(mbuf) slab ADDR(8) | C | | | 1 | 1044d | 1044d | 654d | 3d36b367cfb6 sbappendcontrol() needs to avoid clearing M_NOTREADY on data mbufs. |
| panic: to_ticks == 0 for timer type 2 | C | | | 27 | 668d | 672d | 668d | b68fccd4d480 Handle integer overflows correctly when converting msecs and secs to ticks and vice versa. These issues were caught by recently added panic() calls on INVARIANTS systems. |
| panic: mtx_unlock() of spin mutex (null) @ /syzkaller/managers/i386/kernel/sys/kern/sys_socket.c:LINE | | | | 1 | 689d | 689d | 676d | bfee51521ac8 Lock the socket in soo_stat(). |
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet/ip_output.c:LINE | syz | | | 1870 | 676d | 734d | 676d | a1bf1a3e5fea Add a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg(). |
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet6/ip6_output.c:LINE | syz | | | 229 | 677d | 734d | 676d | a1bf1a3e5fea Add a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg(). |
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/netinet6/ip6_output.c:LINE | C | | | 591 | 677d | 734d | 676d | a1bf1a3e5fea Add a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg(). |
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/netinet/ip_output.c:LINE | C | | | 2840 | 677d | 734d | 676d | a1bf1a3e5fea Add a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg(). |
| freebsd boot error: Fatal trap 9: general protection fault in biotrack_buf | | | | 24 | 715d | 715d | 677d | dcebfcf3d468 Revert r357710 and 357711 until they can be debugged |
| panic: Most recently used by ip6opt (2) | syz | | | 4 | 680d | 726d | 677d | 5707de0ed806 Fix synchronization in the IPV6_2292PKTOPTIONS set handler. |
| panic: mutex process lock not owned at /syzkaller/managers/i386/kernel/sys/kern/kern_time.c:LINE | C | | | 33 | 720d | 721d | 677d | 55aa9af7e971 Remove unneeded assert for curproc. Simplify. |
| panic: cap_rights_is_vset:LINE (3) | | | | 1 | 689d | 689d | 677d | 217fa09bf639 kern_dup(): Call filecaps_free_prep() in a write section. |
| panic: refcount ADDR wraparound | C | | | 6 | 721d | 722d | 677d | adbdb897689b fd: always nullify \*fdp in fget\* routines |
| panic: mutex process lock not owned at /syzkaller/managers/main/kernel/sys/kern/kern_time.c:LINE | C | | | 83 | 720d | 721d | 720d | 55aa9af7e971 Remove unneeded assert for curproc. Simplify. |
| panic: condition !vn_need_pageq_flush(vp) not met at /syzkaller/managers/main/kernel/sys/kern/vfs_subr.c:LINE (vgonel) | | | | 1 | 725d | 725d | 725d | 0f4d8b77c02c vfs: revert the overzealous assert added in r357285 to vgone |
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/net/if.c:LINE | | | | 3062 | 839d | 840d | 735d | Remove epoch assertion from if_setlladdr(). Originally this function was protected by IF_ADDR_LOCK(), which was a mutex, so that two simultaneous if_setlladdr() can't execute. Later it was switched to IF_ADDR_RLOCK(), likely by a mistake. Later it was switched to NET_EPOCH_ENTER(). Then I incorrectly added NET_EPOCH_ASSERT() here. |
| panic: mutex if_addr_lock not owned at /syzkaller/managers/main/kernel/sys/netinet/in_mcast.c:LINE | | | | 1 | 756d | 756d | 742d | 31069f383af1 Take the ifnet's address lock in igmp_v3_cancel_link_timers(). |
| panic: pipe_destroy_write_buffer: pipe map for ADDR contains residual data | syz | | | 11 | 814d | 858d | 806d | 88b25bcb9d1b Fix handling of PIPE_EOF in the direct write path. |
| panic: mutex pcbinfohash not owned at /syzkaller/managers/main/kernel/sys/netinet6/in6_pcb.c:LINE | C | | | 5 | 808d | 809d | 806d | 2d2333004ca8 It is unclear why in6_pcblookup_local() would require write access to the PCB hash. The function doesn't modify the hash. It always asserted write lock historically, but with epoch conversion this fails in some special cases. |
| panic: in_pcb_lport: laddrp NULL for v4 inp ADDR | C | | | 8 | 851d | 967d | 824d | 56626fc5ade2 Ensure that the flags indicating IPv4/IPv6 are not changed by failing bind() calls. This would lead to inconsistent state resulting in a panic. A fix for stable/11 was committed in https://svnweb.freebsd.org/base?view=revision&revision=338986 An accelerated MFC is planned as discussed with emaste@. |
| panic: Assertion td->td_epochnest failed at /syzkaller/managers/i386/kernel/sys/kern/subr_epoch.c:LINE | | | | 3 | 839d | 839d | 832d | ip6_output() has a complex set of gotos, and some can jump out of the epoch section towards return statement. Since entering epoch is cheap, it is easier to cover the whole function with epoch, rather than try to properly maintain its state. |
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet/igmp.c:LINE | | | | 2 | 839d | 839d | 832d | 7299f8c33d62 Enter network epoch in domain callouts. |
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet6/in6_ifattach.c:LINE | syz | | | 2 | 838d | 838d | 832d | in6ifa_llaonifp() is never called from fast path, so do not require epoch being entered. |
| Fatal trap 12: page fault in uipc_send | syz | | | 123 | 840d | 972d | 839d | bb579d181e35 Fix handling of empty SCM_RIGHTS messages. |
| freebsd boot error: panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/net/if.c:LINE | | | | 18 | 840d | 840d | 840d | In DIAGNOSTIC block of if_delmulti_ifma_flags() enter the network epoch. This quickly plugs the regression from r353292. The locking of multicast definitely needs a broader review today... |
| Fatal trap 18: integer divide fault in kern_fcntl | | | | 22 | 864d | 890d | 846d | 20c5c1bf19b5 Disallow fcntl(F_READAHEAD) when the vnode is not a regular file. |
| panic: rcv_start < rcv_end | | | | 1 | 871d | 871d | 847d | Only update SACK/DSACK lists when a non-empty segment was received. This fixes hitting a KASSERT with a valid packet exchange. |
| Fatal trap 12: page fault in inp_freemoptions (2) | syz | | | 14 | 957d | 967d | 848d | Convert all IPv4 and IPv6 multicast memberships into using a STAILQ instead of a linear array. |
| panic: vm_page_swapqueue: page ADDR is unmanaged | | | | 1 | 858d | 858d | 851d | 3a79b409bb89 Fix a race in vm_page_swapqueue(). |
| freebsd boot error: panic: sched_pickcpu: Failed to find a cpu. | | | | 30 | 853d | 854d | 853d | 967c0718849e Fix wrong assertion in r352658. |
| panic: m_getm2: len is < 0 | syz | | | 13 | 1040d | 1045d | 854d | 5e3a245f1b86 Limit the number of bytes which can be queued for SCTP sockets. This is joint work with rrs@. Reported by: syzbot+307f167f9bc214f095bc@syzkaller.appspotmail.com. MFC after: 1 week |
| panic: indir_trunc: Bad indirdep 0 from buf ADDR | | | | 1 | 965d | 965d | 911d | 577fca0e204d Lock the vnode before calling ufs_bmap_seekdata(). |
| panic: ffs_blkfree_cg: freeing free block (2) | | | | 2 | 981d | 1001d | 911d | 577fca0e204d Lock the vnode before calling ufs_bmap_seekdata(). |
| Fatal trap 9: general protection fault in sctp_copy_skeylist | syz | | | 3 | 964d | 964d | 926d | eabf786dc9c0 When calling sctp_initialize_auth_params(), the inp must have at least a read lock. To avoid more complex locking dances, just call it in sctp_aloc_assoc() when the write lock is still held. |
| panic: udp6_output: non-excl udbinfo lock, excl inp lock: pcbinfo ADDR 0x1 inp ADDR 0x2 | | | | 1 | 947d | 947d | 927d | 643dee5f1e86 r348494 fixes a race in udp_output(). The same race exists in udp_output6(), therefore apply a similar patch to IPv6. |
| panic: Most recently used by tty | syz | | | 24 | 979d | 993d | 935d | 7de92ecfe71b Defer funsetown() calls for a TTY to tty_rel_free(). |
| freebsd boot error: panic: Bad entry start/end for new stack entry | | | | 9 | 945d | 945d | 938d | 639f3e01b444 Revert r349393, which leads to an assertion failure on bootup, in vm_map_stack_locked. |
| panic: cap_rights_is_vset:LINE | syz | | | 3 | 960d | 960d | 940d | 9d687d2f39a1 Use a consistent snapshot of the fd's rights in fget_mmap(). |
| Fatal trap 12: page fault in vm_page_unhold_pages | C | | | 1169 | 949d | 1043d | 940d | 61294aa00722 Fix mutual exclusion in pipe_direct_write(). |
| panic: udp_output: shared udbinfo lock, excl inp lock (2) | syz | | | 7 | 982d | 1001d | 969d | 4dc2772cf136 After parts of the locking fixes in r346595, syzkaller found another one in udp_output(). This one is a race condition. We do check on the laddr and lport without holding a lock in order to determine whether we want a read or a write lock (this is in the "sendto/sendmsg" cases where addr (sin) is given). |
| Fatal trap 12: page fault in inp_freemoptions | C | | | 11 | 989d | 1042d | 986d | 46ad7dbca8a2 Close some races in multicast socket option handling. |
| panic: inp_leave_group: imf_sources not empty | C | | | 6 | 989d | 1010d | 986d | 46ad7dbca8a2 Close some races in multicast socket option handling. |
| panic: vm_object_vndeallocate: bad object reference count | C | | | 974 | 987d | 988d | 987d | 418ae39b39c0 Restore the pre-r347532 behaviour of ignoring wiring failures in mmap(). |
| panic: ffs_blkfree_cg: freeing free block | C | | | 5 | 1044d | 1045d | 1002d | a7a455c299b0 Optimize lseek(SEEK_DATA) on UFS. |
| panic: udp_output: shared udbinfo lock, excl inp lock | C | | | 46 | 1009d | 1047d | 1008d | 87874d0b3ea0 Fix udp_output() lock inconsistency. |
| Fatal trap 12: page fault in in6_cksum_partial | syz | | | 6 | 1012d | 1042d | 1012d | 36983a7b31b7 When a checksum has to be computed for a received IPv6 packet because it is requested by the application using the IPPROTO_IPV6 level socket option IPV6_CHECKSUM on a raw socket, ensure that the packet contains enough bytes to contain the checksum at the specified offset. |
| panic: rtrequest1_fib: locked | C | | | 10 | 1019d | 1044d | 1017d | 18c75290c739 When sending a routing message, don't allow the user to set the RTF_RNH_LOCKED flag in rtm_flags, since this flag is used only internally. |
| panic: inp_join_group: imf_sources not empty | C | | | 398 | 1020d | 1047d | 1020d | 9abf4945e622 Reinitialize multicast source filter structures after invalidation. |
| Fatal trap 12: page fault in __mtx_assert | syz | | | 4 | 1038d | 1039d | 1036d | b6ca75d73988 Fix a small bug in the tcp_log_id where the bucket was unlocked and yet the bucket-unlock flag was not changed to false. This can cause a panic if INVARIANTS is on and we go through the right path (though rare). |
| panic: Can't clear local locks with F_UNLCKSYS | C | | | 9 | 1037d | 1046d | 1037d | fb4ce630e036 Reject F_SETLK_REMOTE commands when sysid == 0. |
| panic: Counter goes negative | C | | | 2 | 1044d | 1044d | 1038d | ff6cd9e93ea3 Fix a signed/unsigned bug when receiving SCTP messages. This is joint work with rrs@. |
| panic: tcp_output: mbuf chain shorter than expected: 0 + 60 + 24 - 0 != 60 | C | | | 2 | 1045d | 1045d | 1039d | 202ab2ae5b2d Fix a KASSERT() in tcp_output(). |
| panic: tcp_output: mbuf chain shorter than expected: 0 + 60 + 28 - 0 != 60 | | | | 1 | 1043d | 1043d | 1039d | 202ab2ae5b2d Fix a KASSERT() in tcp_output(). |
| panic: tcp_output: mbuf chain shorter than expected: 0 + 60 + 12 - 0 != 60 | | | | 1 | 1047d | 1047d | 1039d | 202ab2ae5b2d Fix a KASSERT() in tcp_output(). |
| panic: pmap_demote_pde: page table page for a wired mapping is missing | C | | | 56 | 1041d | 1045d | 1041d | 1ab80ddad826 Disallow preemptive creation of wired superpage mappings. |
| panic: invalid dst page ADDR | C | | | 33 | 1042d | 1047d | 1042d | 609c32a75e58 vm_fault_copy_entry: accept invalid source pages. |