| panic: in6p_lookup_mcast_ifp: not INP_IPV6 inpcb |
C |
|
2 |
38d |
38d
|
2d02h |
774824c1
Remove an incorrect assertion from in6p_lookup_mcast_ifp().
|
| Fatal trap 12: page fault in uipc_ready |
C |
|
5 |
32d |
60d
|
7d16h |
d058b7c3
Fix a logic error in uipc_ready_scan().
|
| panic: witness_warn |
syz |
|
1 |
52d |
52d
|
36d |
f8490642
Fix the cleanup handling in a error path for TCP BBR.
|
| Fatal trap 12: page fault in sctp_find_ifa_in_ep |
C |
|
3 |
39d |
39d
|
36d |
3a67faed
Fix a bug introduced in https://svnweb.freebsd.org/changeset/base/362173
|
| freebsd test error: Fatal trap 12: page fault in in_pcb_lport_dest |
|
|
9 |
80d |
80d
|
56d |
1ec42007
Fix NULL-pointer bug from r361228.
|
| Fatal trap 12: page fault in sctp_process_control |
C |
|
47 |
86d |
87d
|
86d |
53e0269f
Fix a copy and paste error introduced in r360878.
|
| Fatal trap 9: general protection fault in sctp_process_control |
C |
|
11 |
86d |
87d
|
86d |
53e0269f
Fix a copy and paste error introduced in r360878.
|
| panic: sctp_timer_start of type 1: inp = ADDR, stcb = ADDR, net = 0 |
|
|
1 |
92d |
92d
|
87d |
541cb8e1
Ensure that we have a path when starting the T3 RXT timer.
|
| panic: sctp_timer_start of type 10: inp = ADDR, stcb->sctp_ep ADDR |
|
|
1 |
97d |
97d
|
87d |
c3ef0c25
Ensure that the SCTP iterator runs with an stcb and inp, which belong to each other.
|
| panic: pfi_dynaddr_setup: dyn is ADDR (2) |
C |
|
22 |
98d |
109d
|
95d |
0300ecad
pf: Improve DIOCADDRULE validation
|
| panic: mallocarray: ADDR * 1064 overflowed |
C |
|
3 |
105d |
109d
|
102d |
4cc49383
pf: Improve input validation
|
| Fatal trap 9: general protection fault in in6_selecthlim |
|
|
25 |
102d |
103d
|
102d |
770f0899
Fix order of arguments in fib[46]_lookup calls in SCTP.
|
| panic: pfi_dynaddr_setup: dyn is ADDR |
C |
|
7 |
110d |
114d
|
109d |
96abf553
pf: Improve ioctl() input validation
|
| panic: Assertion size0 > 0 failed at /syzkaller/managers/main/kernel/sys/kern/subr_vmem.c:LINE |
C |
|
2 |
112d |
112d
|
111d |
9319f3ce
pf: Do not allow negative ps_len in DIOCGETSTATES
|
| panic: mtx_unlock() of destroyed mutex at sys/kern/sys_socket.c:LINE |
syz |
|
1 |
202d |
202d
|
114d |
bfee5152
Lock the socket in soo_stat().
|
| panic: sbfree: m ADDR !M_NOTREADY |
C |
|
32 |
484d |
509d
|
116d |
dde1b598
Properly handle disconnected sockets in uipc_ready().
|
| panic: allocdirect_merge: old blkno 9384 != new 9384 || old size 4096 != new NUM |
|
|
2 |
122d |
122d
|
117d |
Revert -r359612 as it can cause other panics. An updated version will be made when the issue has been resolved.
|
| panic: Duplicate free of ADDR from zone ADDR(mbuf) slab ADDR(8) |
C |
|
1 |
507d |
507d
|
117d |
3d36b367
sbappendcontrol() needs to avoid clearing M_NOTREADY on data mbufs.
|
| panic: to_ticks == 0 for timer type 2 |
C |
|
27 |
131d |
134d
|
131d |
b68fccd4
Handle integer overflows correctly when converting msecs and secs to ticks and vice versa. These issues were caught by recently added panic() calls on INVARIANTS systems.
|
| panic: mtx_unlock() of spin mutex (null) @ /syzkaller/managers/i386/kernel/sys/kern/sys_socket.c:LINE |
|
|
1 |
152d |
152d
|
139d |
bfee5152
Lock the socket in soo_stat().
|
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet/ip_output.c:LINE |
syz |
|
1870 |
139d |
197d
|
139d |
a1bf1a3e
A a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg().
|
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet6/ip6_output.c:LINE |
syz |
|
229 |
140d |
197d
|
139d |
a1bf1a3e
A a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg().
|
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/netinet6/ip6_output.c:LINE |
C |
|
591 |
140d |
197d
|
139d |
a1bf1a3e
A a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg().
|
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/netinet/ip_output.c:LINE |
C |
|
2840 |
140d |
197d
|
139d |
a1bf1a3e
A a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg().
|
| freebsd boot error: Fatal trap 9: general protection fault in biotrack_buf |
|
|
24 |
178d |
178d
|
140d |
dcebfcf3
Revert r357710 and 357711 until they can be debugged
|
| panic: Most recently used by ip6opt (2) |
syz |
|
4 |
143d |
189d
|
140d |
5707de0e
Fix synchronization in the IPV6_2292PKTOPTIONS set handler.
|
| panic: mutex process lock not owned at /syzkaller/managers/i386/kernel/sys/kern/kern_time.c:LINE |
C |
|
33 |
183d |
184d
|
140d |
55aa9af7
Remove unneeded assert for curproc. Simplify.
|
| panic: cap_rights_is_vset:LINE (3) |
|
|
1 |
152d |
152d
|
140d |
217fa09b
kern_dup(): Call filecaps_free_prep() in a write section.
|
| panic: refcount ADDR wraparound |
C |
|
6 |
184d |
184d
|
140d |
adbdb897
fd: always nullify *fdp in fget* routines
|
| panic: mutex process lock not owned at /syzkaller/managers/main/kernel/sys/kern/kern_time.c:LINE |
C |
|
83 |
183d |
184d
|
183d |
55aa9af7
Remove unneeded assert for curproc. Simplify.
|
| panic: condition !vn_need_pageq_flush(vp) not met at /syzkaller/managers/main/kernel/sys/kern/vfs_subr.c:LINE (vgonel) |
|
|
1 |
188d |
188d
|
188d |
9250db86
vfs: revert the overzealous assert added in r357285 to vgone
|
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/net/if.c:LINE |
|
|
3062 |
302d |
303d
|
198d |
Remove epoch assertion from if_setlladdr(). Originally this function was protected by IF_ADDR_LOCK(), which was a mutex, so that two simultaneous if_setlladdr() can't execute. Later it was switched to IF_ADDR_RLOCK(), likely by a mistake. Later it was switched to NET_EPOCH_ENTER(). Then I incorrectly added NET_EPOCH_ASSERT() here.
|
| panic: mutex if_addr_lock not owned at /syzkaller/managers/main/kernel/sys/netinet/in_mcast.c:LINE |
|
|
1 |
219d |
219d
|
205d |
bc00abc5
Take the ifnet's address lock in igmp_v3_cancel_link_timers().
|
| panic: pipe_destroy_write_buffer: pipe map for ADDR contains residual data |
syz |
|
11 |
277d |
321d
|
268d |
88b25bcb
Fix handling of PIPE_EOF in the direct write path.
|
| panic: mutex pcbinfohash not owned at /syzkaller/managers/main/kernel/sys/netinet6/in6_pcb.c:LINE |
C |
|
5 |
271d |
272d
|
269d |
2d233300
It is unclear why in6_pcblookup_local() would require write access to the PCB hash. The function doesn't modify the hash. It always asserted write lock historically, but with epoch conversion this fails in some special cases.
|
| panic: in_pcb_lport: laddrp NULL for v4 inp ADDR |
C |
|
8 |
314d |
430d
|
287d |
56626fc5
Ensure that the flags indicating IPv4/IPv6 are not changed by failing bind() calls. This would lead to inconsistent state resulting in a panic. A fix for stable/11 was committed in https://svnweb.freebsd.org/base?view=revision&revision=338986 An accelerated MFC is planned as discussed with emaste@.
|
| panic: Assertion td->td_epochnest failed at /syzkaller/managers/i386/kernel/sys/kern/subr_epoch.c:LINE |
|
|
3 |
302d |
302d
|
295d |
ip6_output() has a complex set of gotos, and some can jump out of the epoch section towards return statement. Since entering epoch is cheap, it is easier to cover the whole function with epoch, rather than try to properly maintain its state.
|
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet/igmp.c:LINE |
|
|
2 |
302d |
302d
|
295d |
7299f8c3
Enter network epoch in domain callouts.
|
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet6/in6_ifattach.c:LINE |
syz |
|
2 |
301d |
301d
|
295d |
in6ifa_llaonifp() is never called from fast path, so do not require epoch being entered.
|
| Fatal trap 12: page fault in uipc_send |
syz |
|
123 |
303d |
435d
|
302d |
bb579d18
Fix handling of empty SCM_RIGHTS messages.
|
| freebsd boot error: panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/net/if.c:LINE |
|
|
18 |
303d |
303d
|
303d |
In DIAGNOSTIC block of if_delmulti_ifma_flags() enter the network epoch. This quickly plugs the regression from r353292. The locking of multicast definitely needs a broader review today...
|
| Fatal trap 18: integer divide fault in kern_fcntl |
|
|
22 |
327d |
353d
|
309d |
20c5c1bf
Disallow fcntl(F_READAHEAD) when the vnode is not a regular file.
|
| panic: rcv_start < rcv_end |
|
|
1 |
334d |
334d
|
310d |
Only update SACK/DSACK lists when a non-empty segment was received. This fixes hitting a KASSERT with a valid packet exchange.
|
| Fatal trap 12: page fault in inp_freemoptions (2) |
syz |
|
14 |
420d |
430d
|
311d |
Convert all IPv4 and IPv6 multicast memberships into using a STAILQ instead of a linear array.
|
| panic: vm_page_swapqueue: page ADDR is unmanaged |
|
|
1 |
321d |
321d
|
314d |
3a79b409
Fix a race in vm_page_swapqueue().
|
| freebsd boot error: panic: sched_pickcpu: Failed to find a cpu. |
|
|
30 |
316d |
317d
|
316d |
967c0718
Fix wrong assertion in r352658.
|
| panic: m_getm2: len is < 0 |
syz |
|
13 |
503d |
508d
|
317d |
5e3a245f
Limit the number of bytes which can be queued for SCTP sockets. This is joint work with rrs@. Reported by: syzbot+307f167f9bc214f095bc@syzkaller.appspotmail.com MFC after: 1 week
|
| panic: indir_trunc: Bad indirdep 0 from buf ADDR |
|
|
1 |
428d |
428d
|
373d |
577fca0e
Lock the vnode before calling ufs_bmap_seekdata().
|
| panic: ffs_blkfree_cg: freeing free block (2) |
|
|
2 |
444d |
464d
|
373d |
577fca0e
Lock the vnode before calling ufs_bmap_seekdata().
|
| Fatal trap 9: general protection fault in sctp_copy_skeylist |
syz |
|
3 |
427d |
427d
|
388d |
eabf786d
When calling sctp_initialize_auth_params(), the inp must have at least a read lock. To avoid more complex locking dances, just call it in sctp_aloc_assoc() when the write lock is still held.
|
| panic: udp6_output: non-excl udbinfo lock, excl inp lock: pcbinfo ADDR 0x1 inp ADDR 0x2 |
|
|
1 |
410d |
410d
|
390d |
643dee5f
r348494 fixes a race in udp_output(). The same race exists in udp_output6(), therefore apply a similar patch to IPv6.
|
| panic: Most recently used by tty |
syz |
|
24 |
441d |
456d
|
398d |
7de92ecf
Defer funsetown() calls for a TTY to tty_rel_free().
|
| freebsd boot error: panic: Bad entry start/end for new stack entry |
|
|
9 |
408d |
408d
|
401d |
639f3e01
Revert r349393, which leads to an assertion failure on bootup, in vm_map_stack_locked.
|
| panic: cap_rights_is_vset:LINE |
syz |
|
3 |
423d |
423d
|
403d |
9d687d2f
Use a consistent snapshot of the fd's rights in fget_mmap().
|
| Fatal trap 12: page fault in vm_page_unhold_pages |
C |
|
1169 |
411d |
506d
|
403d |
61294aa0
Fix mutual exclusion in pipe_direct_write().
|
| panic: udp_output: shared udbinfo lock, excl inp lock (2) |
syz |
|
7 |
445d |
464d
|
431d |
4dc2772c
After parts of the locking fixes in r346595, syzkaller found another one in udp_output(). This one is a race condition. We do check on the laddr and lport without holding a lock in order to determine whether we want a read or a write lock (this is in the "sendto/sendmsg" cases where addr (sin) is given).
|
| Fatal trap 12: page fault in inp_freemoptions |
C |
|
11 |
452d |
505d
|
449d |
46ad7dbc
Close some races in multicast socket option handling.
|
| panic: inp_leave_group: imf_sources not empty |
C |
|
6 |
452d |
473d
|
449d |
46ad7dbc
Close some races in multicast socket option handling.
|
| panic: vm_object_vndeallocate: bad object reference count |
C |
|
974 |
450d |
451d
|
450d |
418ae39b
Restore the pre-r347532 behaviour of ignoring wiring failures in mmap().
|
| panic: ffs_blkfree_cg: freeing free block |
C |
|
5 |
507d |
508d
|
465d |
a7a455c2
Optimize lseek(SEEK_DATA) on UFS.
|
| panic: udp_output: shared udbinfo lock, excl inp lock |
C |
|
46 |
472d |
510d
|
471d |
87874d0b
iFix udp_output() lock inconsistency.
|
| Fatal trap 12: page fault in in6_cksum_partial |
syz |
|
6 |
475d |
505d
|
475d |
36983a7b
When a checksum has to be computed for a received IPv6 packet because it is requested by the application using the IPPROTO_IPV6 level socket option IPV6_CHECKSUM on a raw socket, ensure that the packet contains enough bytes to contain the checksum at the specified offset.
|
| panic: rtrequest1_fib: locked |
C |
|
10 |
482d |
507d
|
480d |
18c75290
When sending a routing message, don't allow the user to set the RTF_RNH_LOCKED flag in rtm_flags, since this flag is used only internally.
|
| panic: inp_join_group: imf_sources not empty |
C |
|
398 |
483d |
510d
|
483d |
9abf4945
Reinitialize multicast source filter structures after invalidation.
|
| Fatal trap 12: page fault in __mtx_assert |
syz |
|
4 |
501d |
502d
|
499d |
b6ca75d7
Fix a small bug in the tcp_log_id where the bucket was unlocked and yet the bucket-unlock flag was not changed to false. This can cause a panic if INVARIANTS is on and we go through the right path (though rare).
|
| panic: Can't clear local locks with F_UNLCKSYS |
C |
|
9 |
500d |
509d
|
499d |
fb4ce630
Reject F_SETLK_REMOTE commands when sysid == 0.
|
| panic: Counter goes negative |
C |
|
2 |
507d |
507d
|
501d |
ff6cd9e9
Fix a signed/unsigned bug when receiving SCTP messages. This is joint work with rrs@.
|
| panic: tcp_output: mbuf chain shorter than expected: 0 + 60 + 24 - 0 != 60 |
C |
|
2 |
508d |
508d
|
502d |
202ab2ae
Fix a KASSERT() in tcp_output().
|
| panic: tcp_output: mbuf chain shorter than expected: 0 + 60 + 28 - 0 != 60 |
|
|
1 |
505d |
505d
|
502d |
202ab2ae
Fix a KASSERT() in tcp_output().
|
| panic: tcp_output: mbuf chain shorter than expected: 0 + 60 + 12 - 0 != 60 |
|
|
1 |
510d |
510d
|
502d |
202ab2ae
Fix a KASSERT() in tcp_output().
|
| panic: pmap_demote_pde: page table page for a wired mapping is missing |
C |
|
56 |
504d |
508d
|
504d |
1ab80dda
Disallow preemptive creation of wired superpage mappings.
|
| panic: invalid dst page ADDR |
C |
|
33 |
505d |
510d
|
505d |
609c32a7
vm_fault_copy_entry: accept invalid source pages.
|