syzbot


fixed (53):
| Title | Repro | Bisected | Count | Last | Reported | Closed | Patch |
|---|---|---|---|---|---|---|---|
| panic: mtx_unlock() of spin mutex (null) @ /syzkaller/managers/i386/kernel/sys/kern/sys_socket.c:LINE | | | 1 | 21d | 21d | 7d05h | bfee5152 Lock the socket in soo_stat(). |
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet/ip_output.c:LINE | syz | | 1870 | 8d01h | 65d | 7d19h | a1bf1a3e Add a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg(). |
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet6/ip6_output.c:LINE | syz | | 229 | 8d13h | 65d | 7d19h | a1bf1a3e Add a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg(). |
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/netinet6/ip6_output.c:LINE | C | | 591 | 8d11h | 65d | 7d19h | a1bf1a3e Add a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg(). |
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/netinet/ip_output.c:LINE | C | | 2840 | 8d10h | 65d | 7d19h | a1bf1a3e Add a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg(). |
| freebsd boot error: Fatal trap 9: general protection fault in biotrack_buf | | | 24 | 46d | 46d | 8d08h | dcebfcf3 Revert r357710 and 357711 until they can be debugged |
| panic: Most recently used by ip6opt (2) | syz | | 4 | 11d | 57d | 8d08h | 5707de0e Fix synchronization in the IPV6_2292PKTOPTIONS set handler. |
| panic: mutex process lock not owned at /syzkaller/managers/i386/kernel/sys/kern/kern_time.c:LINE | C | | 33 | 52d | 52d | 8d08h | 55aa9af7 Remove unneeded assert for curproc. Simplify. |
| panic: cap_rights_is_vset:LINE (3) | | | 1 | 20d | 20d | 8d08h | 217fa09b kern_dup(): Call filecaps_free_prep() in a write section. |
| panic: refcount ADDR wraparound | C | | 6 | 53d | 53d | 8d08h | adbdb897 fd: always nullify *fdp in fget* routines |
| panic: mutex process lock not owned at /syzkaller/managers/main/kernel/sys/kern/kern_time.c:LINE | C | | 83 | 52d | 52d | 51d | 55aa9af7 Remove unneeded assert for curproc. Simplify. |
| panic: condition !vn_need_pageq_flush(vp) not met at /syzkaller/managers/main/kernel/sys/kern/vfs_subr.c:LINE (vgonel) | | | 1 | 56d | 56d | 56d | 9250db86 vfs: revert the overzealous assert added in r357285 to vgone |
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/net/if.c:LINE | | | 3062 | 170d | 171d | 66d | Remove epoch assertion from if_setlladdr(). Originally this function was protected by IF_ADDR_LOCK(), which was a mutex, so that two simultaneous if_setlladdr() can't execute. Later it was switched to IF_ADDR_RLOCK(), likely by a mistake. Later it was switched to NET_EPOCH_ENTER(). Then I incorrectly added NET_EPOCH_ASSERT() here. |
| panic: mutex if_addr_lock not owned at /syzkaller/managers/main/kernel/sys/netinet/in_mcast.c:LINE | | | 1 | 87d | 87d | 73d | bc00abc5 Take the ifnet's address lock in igmp_v3_cancel_link_timers(). |
| panic: pipe_destroy_write_buffer: pipe map for ADDR contains residual data | syz | | 11 | 146d | 189d | 137d | 88b25bcb Fix handling of PIPE_EOF in the direct write path. |
| panic: mutex pcbinfohash not owned at /syzkaller/managers/main/kernel/sys/netinet6/in6_pcb.c:LINE | C | | 5 | 139d | 140d | 137d | 2d233300 It is unclear why in6_pcblookup_local() would require write access to the PCB hash. The function doesn't modify the hash. It always asserted write lock historically, but with epoch conversion this fails in some special cases. |
| panic: in_pcb_lport: laddrp NULL for v4 inp ADDR | C | | 8 | 182d | 298d | 155d | 56626fc5 Ensure that the flags indicating IPv4/IPv6 are not changed by failing bind() calls. This would lead to inconsistent state resulting in a panic. A fix for stable/11 was committed in https://svnweb.freebsd.org/base?view=revision&revision=338986. An accelerated MFC is planned as discussed with emaste@. |
| panic: Assertion td->td_epochnest failed at /syzkaller/managers/i386/kernel/sys/kern/subr_epoch.c:LINE | | | 3 | 170d | 170d | 163d | ip6_output() has a complex set of gotos, and some can jump out of the epoch section towards return statement. Since entering epoch is cheap, it is easier to cover the whole function with epoch, rather than try to properly maintain its state. |
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet/igmp.c:LINE | | | 2 | 170d | 170d | 163d | 7299f8c3 Enter network epoch in domain callouts. |
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet6/in6_ifattach.c:LINE | syz | | 2 | 169d | 169d | 163d | in6ifa_llaonifp() is never called from fast path, so do not require epoch being entered. |
| Fatal trap 12: page fault in uipc_send | syz | | 123 | 172d | 303d | 170d | bb579d18 Fix handling of empty SCM_RIGHTS messages. |
| freebsd boot error: panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/net/if.c:LINE | | | 18 | 171d | 171d | 171d | In DIAGNOSTIC block of if_delmulti_ifma_flags() enter the network epoch. This quickly plugs the regression from r353292. The locking of multicast definitely needs a broader review today... |
| Fatal trap 18: integer divide fault in kern_fcntl | | | 22 | 195d | 221d | 177d | 20c5c1bf Disallow fcntl(F_READAHEAD) when the vnode is not a regular file. |
| panic: rcv_start < rcv_end | | | 1 | 202d | 202d | 178d | Only update SACK/DSACK lists when a non-empty segment was received. This fixes hitting a KASSERT with a valid packet exchange. |
| Fatal trap 12: page fault in inp_freemoptions (2) | syz | | 14 | 289d | 298d | 179d | Convert all IPv4 and IPv6 multicast memberships into using a STAILQ instead of a linear array. |
| panic: vm_page_swapqueue: page ADDR is unmanaged | | | 1 | 189d | 189d | 182d | 3a79b409 Fix a race in vm_page_swapqueue(). |
| freebsd boot error: panic: sched_pickcpu: Failed to find a cpu. | | | 30 | 184d | 185d | 184d | 967c0718 Fix wrong assertion in r352658. |
| panic: m_getm2: len is < 0 | syz | | 13 | 371d | 377d | 185d | 5e3a245f Limit the number of bytes which can be queued for SCTP sockets. This is joint work with rrs@. Reported by: syzbot+307f167f9bc214f095bc@syzkaller.appspotmail.com MFC after: 1 week |
| panic: indir_trunc: Bad indirdep 0 from buf ADDR | | | 1 | 296d | 296d | 242d | 577fca0e Lock the vnode before calling ufs_bmap_seekdata(). |
| panic: ffs_blkfree_cg: freeing free block (2) | | | 2 | 312d | 332d | 242d | 577fca0e Lock the vnode before calling ufs_bmap_seekdata(). |
| Fatal trap 9: general protection fault in sctp_copy_skeylist | syz | | 3 | 295d | 295d | 257d | eabf786d When calling sctp_initialize_auth_params(), the inp must have at least a read lock. To avoid more complex locking dances, just call it in sctp_aloc_assoc() when the write lock is still held. |
| panic: udp6_output: non-excl udbinfo lock, excl inp lock: pcbinfo ADDR 0x1 inp ADDR 0x2 | | | 1 | 278d | 278d | 258d | 643dee5f r348494 fixes a race in udp_output(). The same race exists in udp_output6(), therefore apply a similar patch to IPv6. |
| panic: Most recently used by tty | syz | | 24 | 310d | 324d | 267d | 7de92ecf Defer funsetown() calls for a TTY to tty_rel_free(). |
| freebsd boot error: panic: Bad entry start/end for new stack entry | | | 9 | 276d | 276d | 269d | 639f3e01 Revert r349393, which leads to an assertion failure on bootup, in vm_map_stack_locked. |
| panic: cap_rights_is_vset:LINE | syz | | 3 | 291d | 291d | 272d | 9d687d2f Use a consistent snapshot of the fd's rights in fget_mmap(). |
| Fatal trap 12: page fault in vm_page_unhold_pages | C | | 1169 | 280d | 374d | 272d | 61294aa0 Fix mutual exclusion in pipe_direct_write(). |
| panic: udp_output: shared udbinfo lock, excl inp lock (2) | syz | | 7 | 313d | 332d | 300d | 4dc2772c After parts of the locking fixes in r346595, syzkaller found another one in udp_output(). This one is a race condition. We do check on the laddr and lport without holding a lock in order to determine whether we want a read or a write lock (this is in the "sendto/sendmsg" cases where addr (sin) is given). |
| Fatal trap 12: page fault in inp_freemoptions | C | | 11 | 320d | 373d | 318d | 46ad7dbc Close some races in multicast socket option handling. |
| panic: inp_leave_group: imf_sources not empty | C | | 6 | 320d | 341d | 318d | 46ad7dbc Close some races in multicast socket option handling. |
| panic: vm_object_vndeallocate: bad object reference count | C | | 974 | 319d | 319d | 319d | 418ae39b Restore the pre-r347532 behaviour of ignoring wiring failures in mmap(). |
| panic: ffs_blkfree_cg: freeing free block | C | | 5 | 376d | 376d | 333d | a7a455c2 Optimize lseek(SEEK_DATA) on UFS. |
| panic: udp_output: shared udbinfo lock, excl inp lock | C | | 46 | 340d | 378d | 339d | 87874d0b Fix udp_output() lock inconsistency. |
| Fatal trap 12: page fault in in6_cksum_partial | syz | | 6 | 343d | 373d | 343d | 36983a7b When a checksum has to be computed for a received IPv6 packet because it is requested by the application using the IPPROTO_IPV6 level socket option IPV6_CHECKSUM on a raw socket, ensure that the packet contains enough bytes to contain the checksum at the specified offset. |
| panic: rtrequest1_fib: locked | C | | 10 | 350d | 375d | 348d | 18c75290 When sending a routing message, don't allow the user to set the RTF_RNH_LOCKED flag in rtm_flags, since this flag is used only internally. |
| panic: inp_join_group: imf_sources not empty | C | | 398 | 351d | 378d | 351d | 9abf4945 Reinitialize multicast source filter structures after invalidation. |
| Fatal trap 12: page fault in __mtx_assert | syz | | 4 | 369d | 371d | 367d | b6ca75d7 Fix a small bug in the tcp_log_id where the bucket was unlocked and yet the bucket-unlock flag was not changed to false. This can cause a panic if INVARIANTS is on and we go through the right path (though rare). |
| panic: Can't clear local locks with F_UNLCKSYS | C | | 9 | 368d | 378d | 368d | fb4ce630 Reject F_SETLK_REMOTE commands when sysid == 0. |
| panic: Counter goes negative | C | | 2 | 375d | 375d | 369d | ff6cd9e9 Fix a signed/unsigned bug when receiving SCTP messages. This is joint work with rrs@. |
| panic: tcp_output: mbuf chain shorter than expected: 0 + 60 + 24 - 0 != 60 | C | | 2 | 376d | 377d | 370d | 202ab2ae Fix a KASSERT() in tcp_output(). |
| panic: tcp_output: mbuf chain shorter than expected: 0 + 60 + 28 - 0 != 60 | | | 1 | 374d | 374d | 370d | 202ab2ae Fix a KASSERT() in tcp_output(). |
| panic: tcp_output: mbuf chain shorter than expected: 0 + 60 + 12 - 0 != 60 | | | 1 | 378d | 378d | 370d | 202ab2ae Fix a KASSERT() in tcp_output(). |
| panic: pmap_demote_pde: page table page for a wired mapping is missing | C | | 56 | 372d | 377d | 372d | 1ab80dda Disallow preemptive creation of wired superpage mappings. |
| panic: invalid dst page ADDR | C | | 33 | 374d | 378d | 373d | 609c32a7 vm_fault_copy_entry: accept invalid source pages. |