| Fatal trap NUM: page fault in soclose |
C |
|
|
245 |
8d01h |
11d
|
2/2 |
8d01h |
bafe71fd2720
sctp: do not clobber listening socket with sockbuf operations
|
| panic: Assertion v != tid failed at /syzkaller/managers/main/kernel/sys/kern/kern_mutex.c:LINE |
C |
|
|
245 |
23d |
663d
|
2/2 |
21d |
a14465e1b9a5
rip6: Fix a lock order reversal in rip6_bind()
|
| panic: Assertion v != tid failed at /syzkaller/managers/i386/kernel/sys/kern/kern_mutex.c:LINE |
syz |
|
|
115 |
26d |
657d
|
2/2 |
21d |
a14465e1b9a5
rip6: Fix a lock order reversal in rip6_bind()
|
| panic: Assertion (t->parent->p_treeflag & P_TREE_REAPER) != NUM failed at /syzkaller/managers/main/kernel/sys/kern/kern_ |
|
|
|
7 |
24d |
68d
|
2/2 |
22d |
1575804961d2
reap_kill_proc(): avoid singlethreading any other process if we are exiting
|
| panic: Thread not suspended |
syz |
|
|
30 |
24d |
68d
|
2/2 |
22d |
1575804961d2
reap_kill_proc(): avoid singlethreading any other process if we are exiting
|
| panic: Assertion TD_CAN_RUN(td) failed at /syzkaller/managers/main/kernel/sys/kern/subr_turnstile.c:LINE |
C |
|
|
1 |
68d |
68d
|
2/2 |
22d |
1575804961d2
reap_kill_proc(): avoid singlethreading any other process if we are exiting
|
| panic: td ADDR is not suspended |
C |
|
|
11 |
23d |
68d
|
2/2 |
22d |
1575804961d2
reap_kill_proc(): avoid singlethreading any other process if we are exiting
|
| panic: already suspended |
C |
|
|
130 |
22d |
68d
|
2/2 |
22d |
1575804961d2
reap_kill_proc(): avoid singlethreading any other process if we are exiting
|
| panic: Lock pf config not exclusively locked @ /syzkaller/managers/i386/kernel/sys/netpfil/pf/pf_ioctl.c:LINE |
|
|
|
109 |
56d |
98d
|
2/2 |
22d |
826c58d6656c
pf: add missing unlock on error in DIOCCHANGERULE
|
| panic: Lock pf config not exclusively locked @ /syzkaller/managers/main/kernel/sys/netpfil/pf/pf_ioctl.c:LINE |
C |
|
|
142 |
56d |
99d
|
2/2 |
22d |
826c58d6656c
pf: add missing unlock on error in DIOCCHANGERULE
|
| Fatal trap NUM: page fault in tcp_sack_output |
|
|
|
4 |
27d |
28d
|
2/2 |
27d |
ce2525c8108a
tcp: remove goto and address another NULL deref in SACK
|
| panic: sctp_inpcb_free: inp ADDR still has socket |
syz |
|
|
12 |
61d |
249d
|
2/2 |
31d |
a5c2009dd8ab
sctp: improve handling of sctp inpcb flags
|
| Fatal trap NUM: page fault in pf_krule_global_RB_INSERT (2) |
C |
|
|
27 |
37d |
54d
|
2/2 |
35d |
a3d974082549
pf: make sure the rule tree is allocated in DIOCCHANGERULE
|
| panic: sbflush_internal: residual data (2) |
C |
|
|
263 |
37d |
299d
|
2/2 |
37d |
a6a596e102be
sctp: improve handling of listen() call
|
| panic: Queues are not empty when handling SHUTDOWN-ACK (2) |
|
|
|
1 |
38d |
38d
|
2/2 |
38d |
64b297e803bd
sctp: improve handling of send() when association is shutdown
|
| panic: Warning: Last msg marked incomplete, yet nothing left? (2) |
C |
|
|
3 |
39d |
47d
|
2/2 |
38d |
2646cd085850
sctp: use a consistent view of the send parameters
|
| panic: Queues are not empty when handling SHUTDOWN-COMPLETE |
C |
|
|
17 |
76d |
605d
|
2/2 |
38d |
64b297e803bd
sctp: improve handling of send() when association is shutdown
|
| panic: sctp: no chunks on the queues (2) |
syz |
|
|
1813 |
38d |
682d
|
2/2 |
38d |
2646cd085850
sctp: use a consistent view of the send parameters
|
| panic: Assertion clen >= sizeof(*cm) && clen <= cm->cmsg_len failed at /syzkaller/managers/i386/kernel/sys/kern/uipc_usr |
|
|
|
18 |
40d |
41d
|
2/2 |
40d |
75e7e3ce34d9
unix: fix incorrect assertion in 4682ac697ce
|
| panic: Assertion clen >= sizeof(*cm) && clen <= cm->cmsg_len failed at /syzkaller/managers/main/kernel/sys/kern/uipc_usr |
C |
|
|
6 |
41d |
41d
|
2/2 |
40d |
75e7e3ce34d9
unix: fix incorrect assertion in 4682ac697ce
|
| freebsd build error (13) |
|
|
|
9 |
46d |
47d
|
2/2 |
46d |
4a3e51335e86
cpuset: Fix the KASAN and KMSAN builds
|
| Fatal trap NUM: page fault in sctp_wakeup_the_read_socket (3) |
syz |
|
|
3 |
70d |
76d
|
2/2 |
69d |
490a0f77de77
sctp: improve locking
|
| panic: ASan: Invalid access, NUM-byte write at ADDR, UMAUseAfterFree(fd) |
|
|
|
8 |
79d |
92d
|
2/2 |
77d |
868868f14efc
sctp: improve stopping of timers
|
| panic: ASan: Invalid access, NUM-byte read at ADDR, UMAUseAfterFree(fd) (2) |
C |
|
|
7 |
77d |
79d
|
2/2 |
77d |
a12d89332efe
sctp: hold the inp lock while calling ip6_output
|
| Fatal trap NUM: page fault in sctp_wakeup_the_read_socket (2) |
|
|
|
1 |
154d |
154d
|
2/2 |
80d |
3dc57df91e65
sctp: don't wakeup 1-to-1 listening sockets for data or notifications
|
| Fatal trap NUM: page fault in __mtx_lock_flags (2) |
C |
|
|
2 |
90d |
90d
|
2/2 |
80d |
3dc57df91e65
sctp: don't wakeup 1-to-1 listening sockets for data or notifications
|
| panic: ASan: Invalid access, NUM-byte read in sctp_med_chunk_output |
C |
|
|
180 |
234d |
291d
|
2/2 |
81d |
eeba22217217
sctp: don't keep a pointer to a freed stcb around
|
| panic: ASan: Invalid access, NUM-byte read at ADDR, UMAUseAfterFree(fd) |
C |
|
|
515 |
81d |
201d
|
2/2 |
81d |
eeba22217217
sctp: don't keep a pointer to a freed stcb around
|
| panic: ASan: Invalid access, 4-byte write at ADDR, UMAUseAfterFree(fd) |
C |
|
|
462 |
96d |
363d
|
2/2 |
93d |
52106f072fd0
sctp: don't refer to a potentially outdated stream
|
| panic: ASan: Invalid access, NUM-byte write at ADDR, UseAfterScope(f8) |
|
|
|
11 |
96d |
218d
|
2/2 |
95d |
39a22011bbb8
sctp: clear pointer to stack when returning from function.
|
| panic: ASan: Invalid access, NUM-byte write at ADDR, StackRight(f3) |
|
|
|
102 |
95d |
98d
|
2/2 |
95d |
39a22011bbb8
sctp: clear pointer to stack when returning from function.
|
| panic: ASan: Invalid access, NUM-byte write at ADDR, KernelStack(fe) |
|
|
|
149 |
95d |
99d
|
2/2 |
95d |
39a22011bbb8
sctp: clear pointer to stack when returning from function.
|
| panic: ASan: Invalid access, NUM-byte write at ADDR, StackMiddle(f2) (2) |
|
|
|
1 |
96d |
96d
|
2/2 |
95d |
39a22011bbb8
sctp: clear pointer to stack when returning from function.
|
| panic: ASan: Invalid access, NUM-byte write at ADDR, StackLeft(f1) |
|
|
|
48 |
95d |
98d
|
2/2 |
95d |
39a22011bbb8
sctp: clear pointer to stack when returning from function.
|
| Fatal trap NUM: page fault in pf_krule_global_RB_INSERT |
C |
|
|
81 |
98d |
99d
|
2/2 |
98d |
e123e2294cb5
pf: guard against DIOCADDRULE without DIOCXBEGIN
|
| panic: _mtx_lock_sleep: recursed on non-recursive mutex sctp-tcb @ /syzkaller/managers/i386/kernel/sys/netinet/sctp_outp |
|
|
|
2 |
98d |
99d
|
2/2 |
98d |
5d0c76c7302b
sctp: don't lock an already locked stcb.
|
| panic: Don't own TCB send lock |
C |
|
|
8016 |
99d |
283d
|
2/2 |
99d |
5ac91821f5d7
sctp: get rid of stcb send lock
|
| panic: Association about to be freed (2) |
C |
|
|
4834 |
99d |
135d
|
2/2 |
99d |
5ac91821f5d7
sctp: get rid of stcb send lock
|
| panic: hold_tcblock is false |
C |
|
|
468 |
135d |
136d
|
2/2 |
135d |
e255f0c9fbd2
sctp: make sure new locking requirements are satisfied.
|
| panic: Association about to be freed |
C |
|
|
57 |
135d |
136d
|
2/2 |
135d |
bdb99f6f5e31
sctp: remove KASSERT() which not always holds
|
| panic: create_lock_applied is true |
C |
|
|
104 |
135d |
136d
|
2/2 |
135d |
2f0656fb9ba2
sctp: don't hold the assoc create lock longer than needed
|
| panic: refcount ADDR wraparound (4) |
|
|
|
21 |
159d |
226d
|
2/2 |
147d |
300cfb96fc22
file: Make fget*() and getvnode*() consistent about initializing *fpp
|
| panic: Bad link elm ADDR prev->next != elm (3) |
|
|
|
8 |
159d |
211d
|
2/2 |
152d |
b84ed4e7f626
filemon: Reject FILEMON_SET_FD commands when the fd is a kqueue
|
| panic: lock ADDR is not initialized (2) |
|
|
|
171 |
155d |
170d
|
2/2 |
154d |
773e3a71b2f1
pf: Initialize pf_kpool mutexes earlier
|
| freebsd boot error: can't ssh into the instance |
|
|
|
22 |
168d |
169d
|
2/2 |
168d |
46d35d415aa9
fork: Copy the vm_stacktop field into the new vmspace
|
| panic: lock ADDR is not initialized |
|
|
|
1457 |
170d |
172d
|
2/2 |
170d |
e5ca5e801d3c
pf: ensure we don't destroy an uninitialised lock
|
| Fatal trap NUM: page fault in inp_next |
syz |
|
|
3 |
189d |
194d
|
2/2 |
185d |
430df2abee90
in_pcb: improve inp_next()
|
| panic: mutex blocked lock not owned at /syzkaller/managers/main/kernel/sys/kern/sched_ule.c:LINE |
C |
|
|
33 |
186d |
186d
|
2/2 |
186d |
6b95cf5bdedc
callout: Wait for the softclock thread to switch before rescheduling
|
| Fatal trap NUM: page fault in tcp_usr_send |
syz |
|
|
1 |
189d |
189d
|
2/2 |
189d |
4287aa56197f
tcp_usr_shutdown: don't cast inp_ppcb to tcpcb before checking inp_flags
|
| panic: overhead (NUM) not a multiple of NUM |
C |
|
|
248 |
189d |
190d
|
2/2 |
189d |
ca0dd19f0933
sctp: check that the computed frag point is a multiple of 4
|
| Fatal trap NUM: page fault in tcp_usr_shutdown |
C |
|
|
5 |
190d |
190d
|
2/2 |
189d |
4287aa56197f
tcp_usr_shutdown: don't cast inp_ppcb to tcpcb before checking inp_flags
|
| Fatal trap NUM: page fault in tcp_usr_rcvd |
C |
|
|
7 |
191d |
191d
|
2/2 |
190d |
37a7f5573716
tcp_usr_rcvd: don't cast inp_ppcb to tcpcb before checking inp_flags
|
| panic: m_apply, offset > size of mbuf chain |
C |
|
|
2 |
196d |
196d
|
2/2 |
190d |
989453da0589
sctp: cleanup the SCTP_MAXSEG socket option.
|
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/net/if.c:LINE (2) |
C |
|
|
314 |
200d |
204d
|
2/2 |
200d |
9f5432d5e5f0
netinet6: ip6_setpktopt() requires NET_EPOCH
|
| panic: ASan: Invalid access, 2-byte read at ADDR, UMAUseAfterFree(fd) |
C |
|
|
1103 |
201d |
362d
|
2/2 |
201d |
014f98b11992
udp: Fix a use-after-free in udp_multi_input()
|
| Fatal trap NUM: page fault in memcpy_erms |
C |
|
|
306 |
202d |
208d
|
2/2 |
202d |
aa2681752d0d
cryptosoft: Don't treat CRYPTO_NULL_HMAC as an hmac algorithm.
|
| Fatal trap NUM: page fault while in kernel mode (2) |
|
|
|
1 |
215d |
215d
|
2/2 |
204d |
12ae3476f35c
tcp_drain(): initialize the inpcb iterator when curvnet is set
|
| Fatal trap NUM: page fault in tcp_drain |
|
|
|
12 |
214d |
215d
|
2/2 |
204d |
12ae3476f35c
tcp_drain(): initialize the inpcb iterator when curvnet is set
|
| panic: Lock tcpinp not exclusively locked @ /syzkaller/managers/i386/kernel/sys/netinet/tcp_log_buf.c:LINE |
|
|
|
13 |
234d |
236d
|
2/2 |
233d |
2f62f92e3745
tcp: Fix a locking issue related to logging
|
| panic: Lock tcpinp not exclusively locked @ /syzkaller/managers/main/kernel/sys/netinet/tcp_log_buf.c:LINE |
|
|
|
6 |
233d |
236d
|
2/2 |
233d |
2f62f92e3745
tcp: Fix a locking issue related to logging
|
| panic: witness_warn (2) |
|
|
|
29 |
235d |
236d
|
2/2 |
235d |
df07bfda67ad
tcp: Fix a locking issue
|
| panic: chacha20_poly1305_reinit: invalid nonce length |
|
|
|
2 |
245d |
245d
|
2/2 |
238d |
442ad83e38e8
crypto: Don't assert on valid IV length for Chacha20-Poly1305.
|
| panic: condition vp->v_type == VDIR || VN_IS_DOOMED(vp) not met at /syzkaller/managers/i386/kernel/sys/kern/vfs_cache.c: |
|
|
|
1 |
257d |
257d
|
2/2 |
251d |
628c3b307fb2
cache: only let non-dir descriptors through when doing EMPTYPATH lookups
|
| Fatal trap NUM: page fault in filt_bpfwrite |
C |
|
|
4 |
259d |
265d
|
2/2 |
252d |
426682b05a4c
bpf: Fix the write filter for detached descriptors
|
| panic: ASan: Invalid access, NUM-byte read in newreno_cong_signal |
C |
|
|
4 |
253d |
256d
|
2/2 |
252d |
b15b0535968e
tcp: allow new reno functions to be called from other CC modules
|
| panic: ASan: Invalid access, NUM-byte read in newreno_ack_received |
|
|
|
2 |
254d |
254d
|
2/2 |
252d |
b15b0535968e
tcp: allow new reno functions to be called from other CC modules
|
| panic: Assertion (cnp->cn_flags & (LOCKPARENT | WANTPARENT)) == NUM failed at /syzkaller/managers/main/kernel/sys/kern/v |
C |
|
|
87 |
261d |
262d
|
2/2 |
261d |
1045352f1503
cache: only assert on flags when dealing with EMPTYPATH
|
| panic: TLS trailer length too long: NUM |
C |
|
|
2 |
270d |
270d
|
2/2 |
265d |
a63752cce646
ktls: Reject attempts to enable AES-CBC with TLS 1.3.
|
| panic: filesystem goof: vop_panic[vop_readdir] |
|
|
|
1 |
270d |
270d
|
2/2 |
265d |
03d5820f738d
mount: Check for !VDIR mount points before handling -o emptydir
|
| freebsd build error (9) |
|
|
|
1 |
267d |
267d
|
2/2 |
267d |
c05b382edb17
Revert "bootstrap: No need to disable shared libraries for bootstrap tools"
|
| panic: invalid payload start |
|
|
|
6 |
292d |
405d
|
2/2 |
271d |
a0cbcbb7917b
cryptodev: Allow some CIOCCRYPT operations with an empty payload.
|
| panic: filt_timerattach: periodic timer has a calculated zero timeout |
|
|
|
12 |
277d |
277d
|
2/2 |
277d |
2f4dbe279f6b
kqueue: fix recent assertion
|
| panic: strq ADDR not scheduled |
|
|
|
12189 |
277d |
280d
|
2/2 |
277d |
3ff3733991ba
sctp: don't keep being locked on a stream which is removed
|
| panic: strq ADDR is not scheduled |
|
|
|
541 |
279d |
280d
|
2/2 |
279d |
28ea9470782d
sctp: provide a specific stream scheduler function for FCFS
|
| Fatal trap NUM: page fault in sctp_ss_rrp_packet_done |
|
|
|
328 |
280d |
283d
|
2/2 |
279d |
5b53e749a95e
sctp: fix usage of stream scheduler functions
|
| panic: _mtx_lock_sleep: recursed on non-recursive mutex sctp-send-tcb @ /syzkaller/managers/i386/kernel/sys/netinet/sctp |
|
|
|
2 |
280d |
282d
|
2/2 |
279d |
171633765c43
sctp: avoid locking an already locked mutex
|
| Fatal trap NUM: page fault while in kernel mode |
|
|
|
177 |
279d |
283d
|
2/2 |
279d |
5b53e749a95e
sctp: fix usage of stream scheduler functions
|
| panic: _mtx_lock_sleep: recursed on non-recursive mutex sctp-send-tcb @ /syzkaller/managers/main/kernel/sys/netinet/sctp |
|
|
|
10 |
280d |
283d
|
2/2 |
279d |
171633765c43
sctp: avoid locking an already locked mutex
|
| Fatal trap NUM: page fault in sctp_ss_default_select |
|
|
|
20939 |
279d |
283d
|
2/2 |
279d |
5b53e749a95e
sctp: fix usage of stream scheduler functions
|
| Fatal trap NUM: page fault in sctp_ss_fb_select |
|
|
|
12 |
280d |
283d
|
2/2 |
279d |
5b53e749a95e
sctp: fix usage of stream scheduler functions
|
| Fatal trap NUM: page fault in sctp_ss_prio_select |
|
|
|
761 |
279d |
283d
|
2/2 |
279d |
5b53e749a95e
sctp: fix usage of stream scheduler functions
|
| panic: runtime error: invalid memory address or nil pointer dereference |
|
|
|
12 |
281d |
283d
|
2/2 |
281d |
b1e2f063ae91
amd64 sendsig: fix context corruption
|
| freebsd boot error: panic: ASan: Invalid access, NUM-byte read at ADDR, UseAfterScope(f8) |
|
|
|
270 |
283d |
287d
|
2/2 |
283d |
ca1e447b1048
amd64: Avoid copying td_frame from kernel procs
|
| panic: ASan: Invalid access, 2-byte read in sctp_ss_prio_add |
|
|
|
1 |
357d |
357d
|
2/2 |
288d |
34b1efcea19d
sctp: use a valid outstream when adding it to the scheduler
|
| Fatal trap 9: general protection fault in sctp_ss_prio_add |
|
|
|
1 |
375d |
375d
|
2/2 |
288d |
34b1efcea19d
sctp: use a valid outstream when adding it to the scheduler
|
| Fatal trap 12: page fault in sctp_ss_default_add (2) |
|
|
|
1 |
365d |
365d
|
2/2 |
288d |
34b1efcea19d
sctp: use a valid outstream when adding it to the scheduler
|
| panic: ASan: Invalid access, 8-byte read in sctp_ss_default_add |
|
|
|
326 |
291d |
360d
|
2/2 |
288d |
34b1efcea19d
sctp: use a valid outstream when adding it to the scheduler
|
| panic: Bad tailq NEXT(ADDR->tqh_last) != NULL (4) |
C |
|
|
147 |
363d |
587d
|
2/2 |
288d |
34b1efcea19d
sctp: use a valid outstream when adding it to the scheduler
|
| panic: ASan: Invalid access, 8-byte read in sctp_ss_fb_add |
|
|
|
22 |
325d |
359d
|
2/2 |
288d |
34b1efcea19d
sctp: use a valid outstream when adding it to the scheduler
|
| panic: ASan: Invalid access, 8-byte read in kern_sendit |
|
|
|
2 |
292d |
332d
|
2/2 |
289d |
fea1a98ead91
freebsd32: Fix a double copyin in sendmsg() and recvmsg()
|
| panic: Bad link elm ADDR prev->next != elm (2) |
|
|
|
8 |
290d |
301d
|
2/2 |
289d |
e19d93b19dce
sctp: fix FCFS stream scheduler
|
| Fatal trap 12: page fault while in kernel mode (3) |
C |
|
|
140 |
291d |
897d
|
2/2 |
291d |
ade1daa5c0d6
socket: Synchronize soshutdown() with listen(2) and AIO
|
| Fatal trap 12: page fault in soo_aio_queue |
C |
|
|
349 |
291d |
396d
|
2/2 |
291d |
ade1daa5c0d6
socket: Synchronize soshutdown() with listen(2) and AIO
|
| panic: Assertion done != job_total_nbytes failed at /syzkaller/managers/main/kernel/sys/kern/sys_socket.c:LINE |
C |
|
|
3 |
303d |
368d
|
2/2 |
294d |
e6c19aa94da4
sctp: Allow blocking on I/O locks even with non-blocking sockets
|
| Fatal trap 12: page fault in __mtx_lock_flags |
C |
|
|
1065 |
297d |
796d
|
2/2 |
297d |
2d5c48eccd9f
sctp: Tighten up locking around sctp_aloc_assoc()
|
| panic: Assertion job->uiop != &job->uio && job->uiop != NULL failed at /syzkaller/managers/i386/kernel/sys/kern/vfs_aio. |
|
|
|
1 |
301d |
301d
|
2/2 |
297d |
2884918c7338
aio: Fix up the opcode in aiocb32_copyin()
|
| panic: ASan: Invalid access, 4-byte read in sctp_sendall_completes |
|
|
|
39 |
301d |
359d
|
2/2 |
297d |
173a7a4ee4fa
sctp: Fix iterator synchronization in sctp_sendall()
|
| panic: Assertion owner->td_proc->p_magic == P_MAGIC failed at /syzkaller/managers/i386/kernel/sys/kern/subr_turnstile.c: (2) |
|
|
|
9 |
349d |
442d
|
2/2 |
298d |
141fe2dceeae
aio: Interlock with listen(2)
|
| panic: ASan: Invalid access, 1-byte read in udp6_common_ctlinput |
|
|
|
1 |
340d |
340d
|
2/2 |
298d |
b1e6a792d68e
net: Enter a net epoch around protocol if_up/down notifications
|
| panic: unexpected security protocol NUM |
syz |
|
|
7 |
299d |
314d
|
2/2 |
298d |
10eb2a2bde61
ipsec: Validate the protocol identifier in ipsec4_ctlinput()
|
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/i386/kernel/sys/kern/sys_socket.c:LINE (2) |
|
|
|
68 |
303d |
393d
|
2/2 |
298d |
141fe2dceeae
aio: Interlock with listen(2)
|
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/kern/sys_socket.c:LINE (2) |
C |
|
|
109 |
301d |
396d
|
2/2 |
298d |
141fe2dceeae
aio: Interlock with listen(2)
|
| panic: Assertion owner->td_proc->p_magic == P_MAGIC failed at /syzkaller/managers/main/kernel/sys/kern/subr_turnstile.c: |
C |
|
|
46 |
361d |
617d
|
2/2 |
298d |
141fe2dceeae
aio: Interlock with listen(2)
|
| panic: Lock sctp-info not exclusively locked @ /syzkaller/managers/main/kernel/sys/netinet/sctp_pcb.c:LINE |
C |
|
|
363 |
299d |
299d
|
2/2 |
299d |
0c1a20beb456
sctp: use appropriate argument when freeing association
|
| panic: ASan: Invalid access, 8-byte read in osd_get |
|
|
|
13 |
300d |
359d
|
2/2 |
299d |
187afc58791c
osd: Fix racy assertions
|
| Fatal trap 9: general protection fault in strlen |
C |
|
|
1506 |
364d |
1122d
|
2/2 |
299d |
4250aa1188b5
sctp: Clear assoc socket references when freeing a PCB
|
| panic: mtx_lock() of destroyed mutex at sys/kern/uipc_sockbuf.c:LINE |
syz |
|
|
4 |
449d |
639d
|
2/2 |
299d |
4250aa1188b5
sctp: Clear assoc socket references when freeing a PCB
|
| panic: mutex so_snd not owned at /syzkaller/managers/i386/kernel/sys/kern/uipc_sockbuf.c:LINE |
syz |
|
|
1 |
593d |
593d
|
2/2 |
299d |
4250aa1188b5
sctp: Clear assoc socket references when freeing a PCB
|
| panic: __rw_wlock_hard: recursing but non-recursive rw sctp-info @ /syzkaller/managers/main/kernel/sys/netinet/sctp_pcb. |
C |
|
|
131 |
300d |
300d
|
2/2 |
300d |
6e3af6321ba4
sctp: Fix lock recursion in sctp_swap_inpcb_for_listen()
|
| panic: __rw_wlock_hard: recursing but non-recursive rw sctp-info @ /syzkaller/managers/i386/kernel/sys/netinet/sctp_pcb. |
|
|
|
111 |
300d |
300d
|
2/2 |
300d |
6e3af6321ba4
sctp: Fix lock recursion in sctp_swap_inpcb_for_listen()
|
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE |
syz |
|
|
707 |
323d |
1208d
|
2/2 |
300d |
bd4a39cc93d9
socket: Properly interlock when transitioning to a listening socket
|
| panic: ASan: Invalid access, NUM-byte read in strncmp |
C |
|
|
12 |
301d |
306d
|
2/2 |
301d |
5402baa5b5d1
g_label: Handle small sector sizes when tasting
|
| Fatal trap 12: page fault in knlist_remove_kq |
|
|
|
3 |
372d |
380d
|
2/2 |
307d |
c511383de7a0
kevent: Fix races between timer detach and kqtimer_proc_continue()
|
| Fatal trap 12: page fault in filt_timerdetach |
|
|
|
1 |
376d |
376d
|
2/2 |
307d |
c511383de7a0
kevent: Fix races between timer detach and kqtimer_proc_continue()
|
| panic: ASan: Invalid access, 8-byte read in sctp_free_assoc |
|
|
|
112 |
308d |
360d
|
2/2 |
307d |
d35be50f5779
sctp: Hold association locks across socket wakeups when freeing
|
| Fatal trap 9: general protection fault in sctp_free_assoc |
syz |
|
|
14 |
369d |
677d
|
2/2 |
307d |
d35be50f5779
sctp: Hold association locks across socket wakeups when freeing
|
| Fatal trap 9: general protection fault in itimer_proc_continue |
syz |
|
|
2 |
401d |
401d
|
2/2 |
308d |
3138392a46a4
itimer: Serialize access to the p_itimers array
|
| panic: ASan: Invalid access, 1-byte read at ADDR, RedZonePartial(2) |
|
|
|
17 |
361d |
363d
|
2/2 |
308d |
9e9ba9c73de9
graid: Avoid tasting devices with small sector sizes
|
| panic: ASan: Invalid access, 8-byte read in itimer_proc_continue |
|
|
|
1 |
346d |
346d
|
2/2 |
308d |
3138392a46a4
itimer: Serialize access to the p_itimers array
|
| panic: ASan: Invalid access, 1-byte read at ADDR, RedZonePartial(1) |
|
|
|
13 |
318d |
362d
|
2/2 |
308d |
9e9ba9c73de9
graid: Avoid tasting devices with small sector sizes
|
| panic: ASan: Invalid access, 1-byte read in g_raid_md_taste_ddf |
C |
|
|
18 |
313d |
360d
|
2/2 |
308d |
9e9ba9c73de9
graid: Avoid tasting devices with small sector sizes
|
| panic: ASan: Invalid access, 2-byte read in g_raid_md_taste_sii |
C |
|
|
7 |
321d |
346d
|
2/2 |
308d |
9e9ba9c73de9
graid: Avoid tasting devices with small sector sizes
|
| panic: Bad list head ADDR first->prev != head |
C |
|
|
3409 |
308d |
1206d
|
2/2 |
308d |
4a36122b1db1
sctp: Fix racy UNBOUND flag check in sctp_inpcb_bind()
|
| panic: ASan: Invalid access, 16-byte read at ADDR, RedZonePartial(7) |
|
|
|
28 |
361d |
364d
|
2/2 |
309d |
564b6aa7fccd
aesni: Avoid a potential out-of-bounds load in aes_encrypt_icm()
|
| panic: ASan: Invalid access, 16-byte read at ADDR, RedZonePartial(6) |
|
|
|
20 |
361d |
364d
|
2/2 |
309d |
564b6aa7fccd
aesni: Avoid a potential out-of-bounds load in aes_encrypt_icm()
|
| panic: ASan: Invalid access, 8-byte read at ADDR, StackMiddle(f2) |
|
|
|
18 |
361d |
363d
|
2/2 |
309d |
36226163fa48
x86: Mark the trapframe as initialized in ipi_bitmap_handler()
|
| panic: ASan: Invalid access, 16-byte read at ADDR, RedZonePartial(3) |
|
|
|
9 |
361d |
362d
|
2/2 |
309d |
564b6aa7fccd
aesni: Avoid a potential out-of-bounds load in aes_encrypt_icm()
|
| panic: ASan: Invalid access, 16-byte read in aesni_encrypt_icm |
C |
|
|
114 |
310d |
361d
|
2/2 |
309d |
564b6aa7fccd
aesni: Avoid a potential out-of-bounds load in aes_encrypt_icm()
|
| panic: Assertion lock == sq->sq_lock failed at /syzkaller/managers/i386/kernel/sys/kern/subr_sleepqueue.c:LINE |
|
|
|
1 |
388d |
388d
|
2/2 |
323d |
c4feb1ab0ae0
sigtimedwait: Use a unique wait channel for sleeping
|
| panic: Assertion lock == sq->sq_lock failed at /syzkaller/managers/main/kernel/sys/kern/subr_sleepqueue.c:LINE (2) |
C |
|
|
7 |
365d |
389d
|
2/2 |
323d |
c4feb1ab0ae0
sigtimedwait: Use a unique wait channel for sleeping
|
| panic: ASan: Invalid access, 4-byte read in sctp6_connect |
|
|
|
64 |
336d |
361d
|
2/2 |
332d |
784692c74019
sctp: improve handling of IPv4 addresses on IPV6 sockets Reported by: syzbot+08fe66e4bfc2777cba95@syzkaller.appspotmail.com MFC after: 3 days
|
| panic: ASan: Invalid access, 4-byte read in sctp_sosend |
C |
|
|
518 |
332d |
361d
|
2/2 |
332d |
b732091a761a
sctp: improve input validation of mapped addresses in send() Reported by: syzbot+35528f275f2eea6317cc@syzkaller.appspotmail.com Reported by: syzbot+ac29916d5f16d241553d@syzkaller.appspotmail.com MFC after: 3 days
|
| freebsd boot error: panic: sleeping without a lock |
|
|
|
6 |
334d |
334d
|
2/2 |
334d |
2694c869ff9f
ktls: fix a panic with INVARIANTS
|
| panic: ASan: Invalid access, 4-byte read in tcp_usr_bind |
C |
|
|
50 |
334d |
359d
|
2/2 |
334d |
3f1f6b6ef7f6
tcp, udp: improve input validation in handling bind()
|
| panic: ASan: Invalid access, 4-byte read in udp_bind |
C |
|
|
69 |
334d |
360d
|
2/2 |
334d |
3f1f6b6ef7f6
tcp, udp: improve input validation in handling bind()
|
| panic: pmap_growkernel: no memory to grow kernel (2) |
syz |
|
|
299 |
337d |
797d
|
2/2 |
334d |
600745f1e226
pf: bound DIOCGETSTATES memory use
|
| panic: pmap_kasan_enter_alloc_4k: no memory to grow shadow map |
C |
|
|
20 |
337d |
356d
|
2/2 |
334d |
600745f1e226
pf: bound DIOCGETSTATES memory use
|
| panic: vm_fault_lookup: fault on nofault entry, addr: ADDR (2) |
C |
|
|
75 |
373d |
417d
|
2/2 |
342d |
64432ad2a2c4
pf: Validate user string nul-termination before copying
|
| freebsd boot error: panic: ASan: Invalid access, 1-byte read at ADDR, MallocRedZone(fb) |
|
|
|
156 |
357d |
364d
|
2/2 |
357d |
4a9a41650c90
uart: Fix an out-of-bounds read in ns8250_bus_probe()
|
| panic: Assertion (cnp->cn_flags & (LOCKPARENT | WANTPARENT)) == 0 failed at /syzkaller/managers/main/kernel/sys/kern/vfs |
C |
|
|
4 |
419d |
419d
|
2/2 |
359d |
6de3cf14c47d
vn_open_cred(): disallow O_CREAT | O_EMPTY_PATH
|
| panic: ASan: Invalid access, 32-byte read at ADDR, StackMiddle(f2) |
|
|
|
1 |
361d |
361d
|
2/2 |
360d |
36226163fa48
x86: Mark the trapframe as initialized in ipi_bitmap_handler()
|
| panic: ASan: Invalid access, 8-byte read in handleevents |
|
|
|
34 |
360d |
361d
|
2/2 |
360d |
36226163fa48
x86: Mark the trapframe as initialized in ipi_bitmap_handler()
|
| panic: thread_lock() of sleep mutex `*Fv @ /syzkaller/managers/main/kernel/sys/kern/kern_switch.c:LINE |
|
|
|
1 |
403d |
403d
|
2/2 |
399d |
4a59cbc12532
amd64: Avoid enabling interrupts when handling kernel mode prot faults
|
| panic: thread_lock() of sleep mutex ` @ /syzkaller/managers/main/kernel/sys/kern/kern_switch.c:LINE |
C |
|
|
1 |
403d |
403d
|
2/2 |
399d |
4a59cbc12532
amd64: Avoid enabling interrupts when handling kernel mode prot faults
|
| panic: Assertion p2->p_ktrioparms == NULL failed at /syzkaller/managers/i386/kernel/sys/kern/kern_ktrace.c:LINE |
|
|
|
1 |
407d |
407d
|
2/2 |
404d |
f3851b235b23
ktrace: Fix a race with fork()
|
| panic: Assertion p2->p_ktrioparms == NULL failed at /syzkaller/managers/main/kernel/sys/kern/kern_ktrace.c:LINE |
|
|
|
1 |
408d |
408d
|
2/2 |
404d |
f3851b235b23
ktrace: Fix a race with fork()
|
| Fatal trap 12: page fault in rack_process_to_cumack (2) |
syz |
|
|
3 |
407d |
408d
|
2/2 |
406d |
13c0e198ca27
tcp: Fix bugs related to the PUSH bit and rack and an ack war
|
| panic: refcount ADDR wraparound (3) |
C |
|
|
9 |
408d |
409d
|
2/2 |
408d |
6f6cd1e8e8aa
ktrace: Remove vrele() at the end of ktr_writerequest()
|
| panic: Non-zero write count |
|
|
|
98 |
408d |
409d
|
2/2 |
408d |
6f6cd1e8e8aa
ktrace: Remove vrele() at the end of ktr_writerequest()
|
| Fatal trap 9: general protection fault in rack_ctloutput |
syz |
|
|
2 |
411d |
411d
|
2/2 |
409d |
8923ce630492
tcp: Handle stack switch while processing socket options
|
| panic: ktrace_enter: flag set |
C |
|
|
44 |
409d |
411d
|
2/2 |
409d |
e4b16f2fb18b
ktrace: Avoid recursion in namei()
|
| panic: _mtx_lock_sleep: recursed on non-recursive mutex so_snd @ /syzkaller/managers/i386/kernel/sys/modules/tcp/rack/.. |
|
|
|
4 |
410d |
410d
|
2/2 |
410d |
39756885633f
rack: honor prior socket buffer lock when doing the upcall
|
| panic: _mtx_lock_sleep: recursed on non-recursive mutex so_snd @ /syzkaller/managers/main/kernel/sys/modules/tcp/rack/.. |
|
|
|
2 |
410d |
410d
|
2/2 |
410d |
39756885633f
rack: honor prior socket buffer lock when doing the upcall
|
| panic: Memory modified after free ADDR(4096) val=ADDR @ ADDR |
C |
|
|
1 |
415d |
415d
|
2/2 |
410d |
500eb6dd8040
tcp: Fix sending of TCP segments with IP level options
|
| freebsd boot error: panic: scsi_action: ccb ADDR, func_code 0x6 should not be allocated from UMA zone |
|
|
|
42 |
415d |
416d
|
2/2 |
414d |
5b81e2e1bcdc
virtio_scsi: Zero stack-allocated CCBs
|
| Fatal trap 12: page fault in callout_process (2) |
|
|
|
7 |
420d |
449d
|
2/2 |
417d |
2cca77ee0134
kqueue timer: Remove detached knotes from the process stop queue
|
| Fatal trap 9: general protection fault in kqtimer_proc_continue |
|
|
|
109 |
418d |
452d
|
2/2 |
417d |
2cca77ee0134
kqueue timer: Remove detached knotes from the process stop queue
|
| panic: releasing active pmap ADDR |
C |
|
|
11 |
420d |
463d
|
2/2 |
418d |
9246b3090cbc
fork: Suspend other threads if both RFPROC and RFMEM are not set
|
| panic: pmap active ADDR |
C |
|
|
5 |
425d |
463d
|
2/2 |
418d |
9246b3090cbc
fork: Suspend other threads if both RFPROC and RFMEM are not set
|
| Fatal trap 18: integer divide fault in realtimer_expire_l |
C |
|
|
15 |
419d |
446d
|
2/2 |
418d |
8b3c4231abf0
posix timers: Check for overflow when converting to ns
|
| Fatal trap 18: integer divide fault in realtimer_expire |
C |
|
|
20 |
450d |
471d
|
2/2 |
418d |
8b3c4231abf0
posix timers: Check for overflow when converting to ns
|
| Fatal trap 9: general protection fault in crypto_ioctl |
|
|
|
1 |
425d |
425d
|
2/2 |
419d |
1a04f0156c4e
cryptodev: Fix some input validation bugs
|
| panic: crp_iv_start set when IV isn't used |
C |
|
|
2 |
423d |
424d
|
2/2 |
420d |
1a04f0156c4e
cryptodev: Fix some input validation bugs
|
| panic: vm_fault_lookup: fault on nofault entry, addr: ADDR |
|
|
|
5 |
423d |
461d
|
2/2 |
420d |
c8bbb1272c8b
vfs: Fix error handling in vn_fullpath_hardlink()
|
| panic: IV outside buffer length |
C |
|
|
16 |
420d |
425d
|
2/2 |
420d |
1a04f0156c4e
cryptodev: Fix some input validation bugs
|
| Fatal trap 9: general protection fault in mb_free_ext |
|
|
|
1 |
421d |
421d
|
2/2 |
420d |
1a04f0156c4e
cryptodev: Fix some input validation bugs
|
| panic: More encryption data than allowed |
C |
|
|
2 |
421d |
421d
|
2/2 |
420d |
1a04f0156c4e
cryptodev: Fix some input validation bugs
|
| panic: AEAD without a separate IV |
C |
|
|
25 |
420d |
425d
|
2/2 |
420d |
1a04f0156c4e
cryptodev: Fix some input validation bugs
|
| Fatal trap 12: page fault in memcpy_erms |
C |
|
|
2 |
421d |
421d
|
2/2 |
420d |
1a04f0156c4e
cryptodev: Fix some input validation bugs
|
| panic: IV_SEPARATE set when IV isn't used |
C |
|
|
4 |
421d |
424d
|
2/2 |
420d |
1a04f0156c4e
cryptodev: Fix some input validation bugs
|
| panic: _mtx_lock_sleep: recursed on non-recursive mutex process lock @ /syzkaller/managers/main/kernel/sys/kern/kern_sig |
syz |
|
|
2 |
448d |
448d
|
2/2 |
420d |
5cc1d199412e
realtimer_expire: avoid proc lock recursion when called from itimer_proc_continue()
|
| panic: _mtx_lock_sleep: recursed on non-recursive mutex process lock @ /syzkaller/managers/i386/kernel/sys/kern/kern_eve |
|
|
|
2 |
448d |
449d
|
2/2 |
420d |
75c5cf7a720f
filt_timerexpire: avoid process lock recursion
|
| panic: _mtx_lock_sleep: recursed on non-recursive mutex process lock @ /syzkaller/managers/main/kernel/sys/kern/kern_eve |
|
|
|
1 |
449d |
449d
|
2/2 |
420d |
75c5cf7a720f
filt_timerexpire: avoid process lock recursion
|
| panic: _mtx_lock_sleep: recursed on non-recursive mutex process lock @ /syzkaller/managers/i386/kernel/sys/kern/kern_sig |
|
|
|
1 |
451d |
451d
|
2/2 |
420d |
5cc1d199412e
realtimer_expire: avoid proc lock recursion when called from itimer_proc_continue()
|
| Fatal trap 12: page fault in pmap_kextract (2) |
C |
|
|
8 |
449d |
450d
|
2/2 |
449d |
5e98cae661f3
pf: Ensure that we don't use kif passed to pfi_kkif_attach()
|
| panic: to_ticks == 0 for timer type 5 (2) |
syz |
|
|
2 |
472d |
472d
|
2/2 |
470d |
d995cc7e5431
sctp: fix handling of RTO.initial of 1 ms
|
| panic: to_ticks == 0 for timer type 5 |
C |
|
|
2 |
497d |
497d
|
2/2 |
493d |
70e95f0b6917
sctp: avoid integer overflow when starting the HB timer
|
| Fatal trap 12: page fault in sctp_find_alternate_net |
syz |
|
|
131 |
499d |
643d
|
2/2 |
499d |
b963ce4588b3
sctp: improve computation of an alternate net
|
| panic: pfi_dynaddr_setup: non-NULL dyn (2) |
C |
|
|
4 |
530d |
530d
|
2/2 |
524d |
7a808c5ee329
pf: Improve pf_rule input validation
|
| Fatal trap 12: page fault in copyin_nosmap_erms |
C |
|
|
8 |
567d |
614d
|
2/2 |
538d |
ea36212bf571
pf: Don't hold PF_RULES_WLOCK during copyin() on DIOCRCLRTSTATS
|
| freebsd boot error: panic: IPI scoreboard is zero, initiator 1 target 1 |
|
|
|
9 |
540d |
540d
|
2/2 |
539d |
44121a0fbee0
amd64: fix tlb shootdown when all cpus are passed in the bitmap
|
| freebsd boot error: panic: IPI scoreboard is zero, initiator 0 target 0 |
|
|
|
3 |
540d |
540d
|
2/2 |
539d |
44121a0fbee0
amd64: fix tlb shootdown when all cpus are passed in the bitmap
|
| panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/kern/uipc_ktls.c:LINE |
C |
|
|
11 |
545d |
770d
|
2/2 |
542d |
6685e259e319
tcp: don't use KTLS socket option on listening sockets
|
| panic: Memory modified after free ADDR(112) val=ADDR @ ADDR (2) |
syz |
|
|
475 |
546d |
790d
|
2/2 |
546d |
a7aa5eea4fff
sctp: improve handling of aborted associations
|
| panic: sched_pickcpu: Failed to find a cpu. |
C |
|
|
4 |
575d |
575d
|
2/2 |
574d |
f1b18a668deb
cpuset_set{affinity,domain}: do not allow empty masks
|
| Fatal trap 9: general protection fault in cpuset_setproc |
syz |
|
|
2 |
576d |
576d
|
2/2 |
574d |
b2780e8537da
kern: cpuset: resolve race between cpuset_lookup/cpuset_rel
|
| panic: sleeping without a lock |
C |
|
|
29 |
579d |
746d
|
2/2 |
578d |
34af05ead3cf
kern: soclose: don't sleep on SO_LINGER w/ timeout=0
|
| panic: uma_zalloc_debug: called within spinlock or critical section |
C |
|
|
9 |
585d |
589d
|
2/2 |
584d |
e07e3fa3c95c
kern: cpuset: drop the lock to allocate domainsets
|
| panic: Bad tailq NEXT(ADDR->tqh_last) != NULL (3) |
C |
|
|
12 |
588d |
589d
|
2/2 |
587d |
5d49283f8857
pf: Make tag hashing more robust
|
| panic: fc_ioctls != NULL, but fc_nioctls=-NUM |
|
|
|
5591 |
590d |
590d
|
2/2 |
590d |
3d4ae1b3d110
kern: dup: do not assume oldfde is valid
|
| Fatal trap 12: page fault in __mtx_lock_spin_flags |
|
|
|
3 |
594d |
598d
|
2/2 |
593d |
a33fef5e25ac
callout(9): Fix a race between CPU migration and callout_drain()
|
| panic: spin lock held too long |
C |
|
|
1 |
598d |
598d
|
2/2 |
593d |
a33fef5e25ac
callout(9): Fix a race between CPU migration and callout_drain()
|
| Fatal trap 12: page fault in _callout_stop_safe |
C |
|
|
1 |
598d |
598d
|
2/2 |
593d |
a33fef5e25ac
callout(9): Fix a race between CPU migration and callout_drain()
|
| panic: Most recently used by pf_ifnet |
C |
|
|
6 |
631d |
631d
|
2/2 |
630d |
52b83a06184c
pf: do not remove kifs that are referenced by rules
|
| Fatal trap 9: general protection fault in sctp_lower_sosend |
C |
|
|
22 |
730d |
782d
|
2/2 |
688d |
f5d30f7f7606
Improve the handling of concurrent send() calls for SCTP sockets, especially when having the explicit EOR mode enabled.
|
| panic: in6p_lookup_mcast_ifp: not INP_IPV6 inpcb |
C |
|
|
2 |
736d |
736d
|
2/2 |
700d |
cfae6a92ac01
Remove an incorrect assertion from in6p_lookup_mcast_ifp().
|
| Fatal trap 12: page fault in uipc_ready |
C |
|
|
5 |
731d |
758d
|
2/2 |
705d |
1b778ba2609f
Fix a logic error in uipc_ready_scan().
|
| panic: witness_warn |
syz |
|
|
1 |
750d |
750d
|
2/2 |
734d |
e54b7cd007b5
Fix the cleanup handling in a error path for TCP BBR.
|
| Fatal trap 12: page fault in sctp_find_ifa_in_ep |
C |
|
|
3 |
737d |
737d
|
2/2 |
734d |
7a3f60e7f571
Fix a bug introduced in https://svnweb.freebsd.org/changeset/base/362173
|
| freebsd test error: Fatal trap 12: page fault in in_pcb_lport_dest |
|
|
|
9 |
778d |
778d
|
2/2 |
754d |
1ec42007fec3
Fix NULL-pointer bug from r361228.
|
| Fatal trap 12: page fault in sctp_process_control |
C |
|
|
47 |
785d |
786d
|
2/2 |
785d |
86fd36c502db
Fix a copy and paste error introduced in r360878.
|
| Fatal trap 9: general protection fault in sctp_process_control |
C |
|
|
11 |
785d |
786d
|
2/2 |
785d |
86fd36c502db
Fix a copy and paste error introduced in r360878.
|
| panic: sctp_timer_start of type 1: inp = ADDR, stcb = ADDR, net = 0 |
|
|
|
1 |
790d |
790d
|
2/2 |
786d |
efd5e6929194
Ensure that we have a path when starting the T3 RXT timer.
|
| panic: sctp_timer_start of type 10: inp = ADDR, stcb->sctp_ep ADDR |
|
|
|
1 |
796d |
796d
|
2/2 |
786d |
83ed508055c0
Ensure that the SCTP iterator runs with an stcb and inp, which belong to each other.
|
| panic: pfi_dynaddr_setup: dyn is ADDR (2) |
C |
|
|
22 |
796d |
807d
|
2/2 |
793d |
1ef06ed8def9
pf: Improve DIOCADDRULE validation
|
| panic: mallocarray: ADDR * 1064 overflowed |
C |
|
|
3 |
804d |
808d
|
2/2 |
800d |
a7c8533634ab
pf: Improve input validation
|
| Fatal trap 9: general protection fault in in6_selecthlim |
|
|
|
25 |
800d |
801d
|
2/2 |
800d |
17cb6ddba8ab
Fix order of arguments in fib[46]_lookup calls in SCTP.
|
| panic: pfi_dynaddr_setup: dyn is ADDR |
C |
|
|
7 |
808d |
812d
|
2/2 |
807d |
98582ce38183
pf: Improve ioctl() input validation
|
| panic: Assertion size0 > 0 failed at /syzkaller/managers/main/kernel/sys/kern/subr_vmem.c:LINE |
C |
|
|
2 |
811d |
811d
|
2/2 |
809d |
95324dc3f4d2
pf: Do not allow negative ps_len in DIOCGETSTATES
|
| panic: mtx_unlock() of destroyed mutex at sys/kern/sys_socket.c:LINE |
syz |
|
|
1 |
900d |
900d
|
2/2 |
812d |
99258935eb2b
Lock the socket in soo_stat().
|
| panic: sbfree: m ADDR !M_NOTREADY |
C |
|
|
32 |
1182d |
1208d
|
2/2 |
815d |
dde1b5985fcc
Properly handle disconnected sockets in uipc_ready().
|
| panic: allocdirect_merge: old blkno 9384 != new 9384 || old size 4096 != new NUM |
|
|
|
2 |
820d |
820d
|
2/2 |
816d |
Revert -r359612 as it can cause other panics. An updated version will be made when the issue has been resolved.
|
| panic: Duplicate free of ADDR from zone ADDR(mbuf) slab ADDR(8) |
C |
|
|
1 |
1205d |
1205d
|
2/2 |
816d |
3d36b367cfb6
sbappendcontrol() needs to avoid clearing M_NOTREADY on data mbufs.
|
| panic: to_ticks == 0 for timer type 2 |
C |
|
|
27 |
829d |
833d
|
2/2 |
829d |
25ec35535397
Handle integer overflows correctly when converting msecs and secs to ticks and vice versa. These issues were caught by recently added panic() calls on INVARIANTS systems.
|
| panic: mtx_unlock() of spin mutex (null) @ /syzkaller/managers/i386/kernel/sys/kern/sys_socket.c:LINE |
|
|
|
1 |
851d |
851d
|
2/2 |
837d |
99258935eb2b
Lock the socket in soo_stat().
|
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet/ip_output.c:LINE |
syz |
|
|
1870 |
838d |
895d
|
2/2 |
837d |
2bdebd0ce3e0
A a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg().
|
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet6/ip6_output.c:LINE |
syz |
|
|
229 |
838d |
895d
|
2/2 |
837d |
2bdebd0ce3e0
A a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg().
|
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/netinet6/ip6_output.c:LINE |
C |
|
|
591 |
838d |
895d
|
2/2 |
837d |
2bdebd0ce3e0
A a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg().
|
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/netinet/ip_output.c:LINE |
C |
|
|
2840 |
838d |
895d
|
2/2 |
837d |
2bdebd0ce3e0
A a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg().
|
| freebsd boot error: Fatal trap 9: general protection fault in biotrack_buf |
|
|
|
24 |
876d |
876d
|
2/2 |
838d |
dcebfcf3d468
Revert r357710 and 357711 until they can be debugged
|
| panic: Most recently used by ip6opt (2) |
syz |
|
|
4 |
841d |
887d
|
2/2 |
838d |
e02582d1ae44
Fix synchronization in the IPV6_2292PKTOPTIONS set handler.
|
| panic: mutex process lock not owned at /syzkaller/managers/i386/kernel/sys/kern/kern_time.c:LINE |
C |
|
|
33 |
882d |
882d
|
2/2 |
838d |
55aa9af7e971
Remove unneeded assert for curproc. Simplify.
|
| panic: cap_rights_is_vset:LINE (3) |
|
|
|
1 |
850d |
850d
|
2/2 |
838d |
429537caeb13
kern_dup(): Call filecaps_free_prep() in a write section.
|
| panic: refcount ADDR wraparound |
C |
|
|
6 |
883d |
883d
|
2/2 |
838d |
adbdb897689b
fd: always nullify *fdp in fget* routines
|
| panic: mutex process lock not owned at /syzkaller/managers/main/kernel/sys/kern/kern_time.c:LINE |
C |
|
|
83 |
882d |
882d
|
2/2 |
881d |
55aa9af7e971
Remove unneeded assert for curproc. Simplify.
|
| panic: condition !vn_need_pageq_flush(vp) not met at /syzkaller/managers/main/kernel/sys/kern/vfs_subr.c:LINE (vgonel) |
|
|
|
1 |
886d |
886d
|
2/2 |
886d |
0f4d8b77c02c
vfs: revert the overzealous assert added in r357285 to vgone
|
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/net/if.c:LINE |
|
|
|
3062 |
1000d |
1001d
|
2/2 |
896d |
Remove epoch assertion from if_setlladdr(). Originally this function was protected by IF_ADDR_LOCK(), which was a mutex, so that two simultaneous if_setlladdr() can't execute. Later it was switched to IF_ADDR_RLOCK(), likely by a mistake. Later it was switched to NET_EPOCH_ENTER(). Then I incorrectly added NET_EPOCH_ASSERT() here.
|
| panic: mutex if_addr_lock not owned at /syzkaller/managers/main/kernel/sys/netinet/in_mcast.c:LINE |
|
|
|
1 |
917d |
917d
|
2/2 |
903d |
31069f383af1
Take the ifnet's address lock in igmp_v3_cancel_link_timers().
|
| panic: pipe_destroy_write_buffer: pipe map for ADDR contains residual data |
syz |
|
|
11 |
976d |
1019d
|
2/2 |
967d |
1cbfe73da570
Fix handling of PIPE_EOF in the direct write path.
|
| panic: mutex pcbinfohash not owned at /syzkaller/managers/main/kernel/sys/netinet6/in6_pcb.c:LINE |
C |
|
|
5 |
969d |
970d
|
2/2 |
967d |
c17cd08f5302
It is unclear why in6_pcblookup_local() would require write access to the PCB hash. The function doesn't modify the hash. It always asserted write lock historically, but with epoch conversion this fails in some special cases.
|
| panic: in_pcb_lport: laddrp NULL for v4 inp ADDR |
C |
|
|
8 |
1012d |
1128d
|
2/2 |
985d |
4a91aa8fc9b6
Ensure that the flags indicating IPv4/IPv6 are not changed by failing bind() calls. This would lead to inconsistent state resulting in a panic. A fix for stable/11 was committed in https://svnweb.freebsd.org/base?view=revision&revision=338986 An accelerated MFC is planned as discussed with emaste@.
|
| panic: Assertion td->td_epochnest failed at /syzkaller/managers/i386/kernel/sys/kern/subr_epoch.c:LINE |
|
|
|
3 |
1000d |
1000d
|
2/2 |
993d |
ip6_output() has a complex set of gotos, and some can jump out of the epoch section towards return statement. Since entering epoch is cheap, it is easier to cover the whole function with epoch, rather than try to properly maintain its state.
|
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet/igmp.c:LINE |
|
|
|
2 |
1000d |
1000d
|
2/2 |
993d |
7299f8c33d62
Enter network epoch in domain callouts.
|
| panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet6/in6_ifattach.c:LINE |
syz |
|
|
2 |
999d |
999d
|
2/2 |
993d |
in6ifa_llaonifp() is never called from fast path, so do not require epoch being entered.
|
| Fatal trap 12: page fault in uipc_send |
syz |
|
|
123 |
1002d |
1133d
|
2/2 |
1000d |
4013d7268446
Fix handling of empty SCM_RIGHTS messages.
|
| freebsd boot error: panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/net/if.c:LINE |
|
|
|
18 |
1001d |
1001d
|
2/2 |
1001d |
In DIAGNOSTIC block of if_delmulti_ifma_flags() enter the network epoch. This quickly plugs the regression from r353292. The locking of multicast definitely needs a broader review today...
|
| Fatal trap 18: integer divide fault in kern_fcntl |
|
|
|
22 |
1025d |
1051d
|
2/2 |
1007d |
4a7b33ecf4d8
Disallow fcntl(F_READAHEAD) when the vnode is not a regular file.
|
| panic: rcv_start < rcv_end |
|
|
|
1 |
1032d |
1032d
|
2/2 |
1008d |
Only update SACK/DSACK lists when a non-empty segment was received. This fixes hitting a KASSERT with a valid packet exchange.
|
| Fatal trap 12: page fault in inp_freemoptions (2) |
syz |
|
|
14 |
1119d |
1128d
|
2/2 |
1009d |
Convert all IPv4 and IPv6 multicast memberships into using a STAILQ instead of a linear array.
|
| panic: vm_page_swapqueue: page ADDR is unmanaged |
|
|
|
1 |
1019d |
1019d
|
2/2 |
1012d |
3a79b409bb89
Fix a race in vm_page_swapqueue().
|
| freebsd boot error: panic: sched_pickcpu: Failed to find a cpu. |
|
|
|
30 |
1015d |
1015d
|
2/2 |
1014d |
967c0718849e
Fix wrong assertion in r352658.
|
| panic: m_getm2: len is < 0 |
syz |
|
|
13 |
1201d |
1207d
|
2/2 |
1015d |
2ef5bd2f0c46
Limit the number of bytes which can be queued for SCTP sockets. This is joint work with rrs@. Reported by: syzbot+307f167f9bc214f095bc@syzkaller.appspotmail.com MFC after: 1 week
|
| panic: indir_trunc: Bad indirdep 0 from buf ADDR |
|
|
|
1 |
1126d |
1126d
|
2/2 |
1072d |
577fca0e204d
Lock the vnode before calling ufs_bmap_seekdata().
|
| panic: ffs_blkfree_cg: freeing free block (2) |
|
|
|
2 |
1142d |
1162d
|
2/2 |
1072d |
577fca0e204d
Lock the vnode before calling ufs_bmap_seekdata().
|
| Fatal trap 9: general protection fault in sctp_copy_skeylist |
syz |
|
|
3 |
1125d |
1125d
|
2/2 |
1087d |
8a956abe12c6
When calling sctp_initialize_auth_params(), the inp must have at least a read lock. To avoid more complex locking dances, just call it in sctp_aloc_assoc() when the write lock is still held.
|
| panic: udp6_output: non-excl udbinfo lock, excl inp lock: pcbinfo ADDR 0x1 inp ADDR 0x2 |
|
|
|
1 |
1108d |
1108d
|
2/2 |
1088d |
9e44bc22d884
r348494 fixes a race in udp_output(). The same race exists in udp_output6(), therefore apply a similar patch to IPv6.
|
| panic: Most recently used by tty |
syz |
|
|
24 |
1140d |
1154d
|
2/2 |
1097d |
6a01874c5afa
Defer funsetown() calls for a TTY to tty_rel_free().
|
| freebsd boot error: panic: Bad entry start/end for new stack entry |
|
|
|
9 |
1106d |
1106d
|
2/2 |
1099d |
639f3e01b444
Revert r349393, which leads to an assertion failure on bootup, in vm_map_stack_locked.
|
| panic: cap_rights_is_vset:LINE |
syz |
|
|
3 |
1121d |
1121d
|
2/2 |
1102d |
7c3703a69466
Use a consistent snapshot of the fd's rights in fget_mmap().
|
| Fatal trap 12: page fault in vm_page_unhold_pages |
C |
|
|
1169 |
1110d |
1204d
|
2/2 |
1102d |
02476c44c5eb
Fix mutual exclusion in pipe_direct_write().
|
| panic: udp_output: shared udbinfo lock, excl inp lock (2) |
syz |
|
|
7 |
1143d |
1162d
|
2/2 |
1130d |
eafaa1bc35e9
After parts of the locking fixes in r346595, syzkaller found another one in udp_output(). This one is a race condition. We do check on the laddr and lport without holding a lock in order to determine whether we want a read or a write lock (this is in the "sendto/sendmsg" cases where addr (sin) is given).
|
| Fatal trap 12: page fault in inp_freemoptions |
C |
|
|
11 |
1150d |
1203d
|
1/2 |
1148d |
5a1e222bfda7
Close some races in multicast socket option handling.
|
| panic: inp_leave_group: imf_sources not empty |
C |
|
|
6 |
1150d |
1171d
|
1/2 |
1148d |
5a1e222bfda7
Close some races in multicast socket option handling.
|
| panic: vm_object_vndeallocate: bad object reference count |
C |
|
|
974 |
1149d |
1149d
|
1/2 |
1149d |
8cd6a80d7d68
Restore the pre-r347532 behaviour of ignoring wiring failures in mmap().
|
| panic: ffs_blkfree_cg: freeing free block |
C |
|
|
5 |
1206d |
1206d
|
1/2 |
1163d |
a7a455c299b0
Optimize lseek(SEEK_DATA) on UFS.
|
| panic: udp_output: shared udbinfo lock, excl inp lock |
C |
|
|
46 |
1171d |
1208d
|
1/2 |
1169d |
d86ecbe993a7
iFix udp_output() lock inconsistency.
|
| Fatal trap 12: page fault in in6_cksum_partial |
syz |
|
|
6 |
1173d |
1203d
|
1/2 |
1173d |
70a0f3dcdc1f
When a checksum has to be computed for a received IPv6 packet because it is requested by the application using the IPPROTO_IPV6 level socket option IPV6_CHECKSUM on a raw socket, ensure that the packet contains enough bytes to contain the checksum at the specified offset.
|
| panic: rtrequest1_fib: locked |
C |
|
|
10 |
1180d |
1205d
|
1/2 |
1178d |
e6481fd4c46a
When sending a routing message, don't allow the user to set the RTF_RNH_LOCKED flag in rtm_flags, since this flag is used only internally.
|
| panic: inp_join_group: imf_sources not empty |
C |
|
|
398 |
1181d |
1208d
|
1/2 |
1181d |
f1ef572a1ecd
Reinitialize multicast source filter structures after invalidation.
|
| Fatal trap 12: page fault in __mtx_assert |
syz |
|
|
4 |
1199d |
1201d
|
1/2 |
1197d |
7854c63d6fbe
Fix a small bug in the tcp_log_id where the bucket was unlocked and yet the bucket-unlock flag was not changed to false. This can cause a panic if INVARIANTS is on and we go through the right path (though rare).
|
| panic: Can't clear local locks with F_UNLCKSYS |
C |
|
|
9 |
1198d |
1208d
|
1/2 |
1198d |
fd76e780a7c0
Reject F_SETLK_REMOTE commands when sysid == 0.
|
| panic: Counter goes negative |
C |
|
|
2 |
1205d |
1205d
|
1/2 |
1199d |
0d3cf13dabf8
Fix a signed/unsigned bug when receiving SCTP messages. This is joint work with rrs@.
|
| panic: tcp_output: mbuf chain shorter than expected: 0 + 60 + 24 - 0 != 60 |
C |
|
|
2 |
1207d |
1207d
|
1/2 |
1200d |
05fb056c068d
Fix a KASSERT() in tcp_output().
|
| panic: tcp_output: mbuf chain shorter than expected: 0 + 60 + 28 - 0 != 60 |
|
|
|
1 |
1204d |
1204d
|
1/2 |
1200d |
05fb056c068d
Fix a KASSERT() in tcp_output().
|
| panic: tcp_output: mbuf chain shorter than expected: 0 + 60 + 12 - 0 != 60 |
|
|
|
1 |
1208d |
1208d
|
1/2 |
1200d |
05fb056c068d
Fix a KASSERT() in tcp_output().
|
| panic: pmap_demote_pde: page table page for a wired mapping is missing |
C |
|
|
56 |
1202d |
1207d
|
1/2 |
1202d |
64087fd7f372
Disallow preemptive creation of wired superpage mappings.
|
| panic: invalid dst page ADDR |
C |
|
|
33 |
1204d |
1208d
|
1/2 |
1203d |
45d72c7d7fca
vm_fault_copy_entry: accept invalid source pages.
|