syzbot


Applied filters: WithRepro

Title | Rank | Repro | Count | Last | Reported | Patched | Closed | Patch
(Repro: C = C reproducer, syz = syzkaller program. Patched: managers, out of 2, whose kernel already contains the fix. The Cause bisect and Fix bisect columns are empty for every bug listed here and are omitted. Patch: fix commit hash followed by its subject. NUM, ADDR and LINE in titles are syzbot's placeholders for numbers, addresses and line numbers.)

panic: m_apply, length > size of mbuf chain (NUM extra) | 2 | C | 3 | 318d | 318d | 0/2 | never | 1f5b1de1fdf2 ipv6: account for jumbo payload option
Fatal trap NUM: page fault in __mtx_lock_flags (5) | -1 | C | 3 | 215d | 249d | 2/2 | 205d | 9d9fa9a2c22f unix: Fix handling of listening sockets during garbage collection
panic: freevnode: cannot lock vp ADDR for pollinfo destroy | 2 | C | 4 | 258d | 267d | 2/2 | 208d | 99cb3dca4773 vnode: Rework vput() to avoid holding the vnode lock after decrementing
panic: Assertion !(sb->sb_state & SBS_CANTRCVMORE) failed at /syzkaller/managers/main/kernel/sys/kern/uipc_usrreq.c:LINE | 2 | C | 9 | 285d | 301d | 2/2 | 234d | 4548b9f3a816 unix/stream: plug a corner case when control externalization failed
panic: kern_clock_gettime: NUM | 2 | C | 88 | 305d | 357d | 2/2 | 304d | 7556b55f0d67 time: Handle kern_clock_gettime() failures in kern_clock_nanosleep()
panic: Assertion too many supplementary groups failed at /syzkaller/managers/main/kernel/sys/kern/kern_prot.c:LINE | 2 | syz | 227 | 306d | 311d | 2/2 | 306d | 28f618fcc2b4 kern: fix a panic in crcopysafe() found by syzkaller
panic: handle_workitem_remove: bad file delta | 2 | C | 91 | 312d | 313d | 2/2 | 312d | 2bc355c0182a ufs: Pass the new parent inode number to ufs_dirrewrite()
panic: Assertion ip->i_mode != NUM failed at /syzkaller/managers/main/kernel/sys/ufs/ffs/ffs_softdep.c:LINE | 2 | C | 244 | 312d | 313d | 2/2 | 312d | 2bc355c0182a ufs: Pass the new parent inode number to ufs_dirrewrite()
Fatal trap NUM: page fault in _vn_lock | -1 | C | 561 | 338d | 339d | 2/2 | 338d | 5ae9f8e9ac5e md: Restore guards in mddestroy()
Fatal trap NUM: page fault in destroy_indir | -1 | C | 503 | 338d | 339d | 2/2 | 338d | 5ae9f8e9ac5e md: Restore guards in mddestroy()
Fatal trap NUM: page fault in in_pcbremhash_locked | -1 | C | 219 | 355d | 471d | 2/2 | 355d | ba3d547967c8 tcp: Fix the SO_REUSEPORT_LB check
panic: mutex so_rcv not owned at /syzkaller/managers/main/kernel/sys/kern/uipc_usrreq.c:LINE | 2 | C | 7 | 390d | 392d | 2/2 | 379d | c44d6f43a68f unix/stream: provide uipc_cantrcvmore()
panic: sofree:NUM curvnet is NULL, so=ADDR | 2 | C | 49 | 396d | 398d | 2/2 | 396d | 9a7d03c7df35 sendfile: cover the entire sendfile operation under CURVNET_SET()
panic: aio_process_rw: opcode NUM | 2 | C | 2 | 401d | 401d | 2/2 | 400d | ab01a5f5628e aio: Fix opcode handling in aio_process_rw()
panic: vm_pager_assert_in: page ADDR is mapped (2) | 2 | C | 3 | 409d | 412d | 2/2 | 409d | 1cce7d86c86a vm_map: fix iterator jump size
panic: ktls_frame: mapped mbuf ADDR (top = ADDR) | 2 | C | 4 | 414d | 414d | 2/2 | 410d | 1000cc4a0d39 so_splice: Disallow splicing with KTLS-enabled sockets
panic: _pctrie_lookup_node: freed node in iter path | 2 | C | 5 | 414d | 415d | 2/2 | 413d | bcd96c3180d6 vm_object: reset iter in page_clean
panic: neg writecount increment NUM + -NUM = -NUM | 2 | C | 2 | 423d | 423d | 2/2 | 420d | 509189bb4109 fhopen: Enable handling of O_PATH, fix some bugs
panic: unhandled af NUM (2) | 2 | C | 5 | 423d | 424d | 2/2 | 422d | 646b453110aa pf: fix pf_ioctl_add_addr() validation
panic: ASan: Invalid access, NUM-byte read at ADDR, StackMiddle(f2) (2) | 2 | C | 16 | 778d | 1322d | 2/2 | 433d | 68a3a7fc9483 kasan: fix false-positive kasan_report upon thread reuse
panic: ASan: Invalid access, NUM-byte read at ADDR, UseAfterScope(f8) (2) | 2 | C | 452 | 778d | 1476d | 2/2 | 433d | 68a3a7fc9483 kasan: fix false-positive kasan_report upon thread reuse
panic: ASan: Invalid access, NUM-byte read at ADDR, StackRight(f3) | 2 | syz | 3 | 789d | 793d | 2/2 | 433d | 68a3a7fc9483 kasan: fix false-positive kasan_report upon thread reuse
panic: Assertion M_WRITABLE(m0) failed at /syzkaller/managers/main/kernel/sys/kern/uipc_mbuf.c:LINE | 2 | C | 40 | 633d | 634d | 2/2 | 435d | 299175f2e52e Revert "Assert that mbufs are writable if we write to them"
panic: nl_buf_alloc: invalid length ADDR | 2 | C | 2 | 464d | 464d | 2/2 | 463d | a80bbc4e9597 netlink: refuse a send(2) that is larger than socket buffer
Fatal trap NUM: page fault in rtsock_msg_buffer | -1 | C | 9 | 566d | 569d | 2/2 | 565d | dae64402b3e8 rtsock: fix panic in rtsock_msg_buffer()
Fatal trap NUM: general protection fault in rtsock_msg_buffer | -1 | syz | 1 | 566d | 566d | 2/2 | 565d | dae64402b3e8 rtsock: fix panic in rtsock_msg_buffer()
panic: vtnet_txq_offload_ctx: mbuf ADDR start NUM offset NUM proto -NUM (2) | 2 | C | 70 | 754d | 800d | 2/2 | 678d | 71867653008c udp: improve handling of cached route
Fatal trap NUM: page fault in strlcpy | -1 | C | 3 | 789d | 789d | 2/2 | 788d | b112232e4fb9 uipc_shm: Copyin userpath for ktrace(2)
panic: Unaligned free of ADDR from zone ADDR(mbuf) slab ADDR(NUM) | 2 | C | 28 | 789d | 790d | 2/2 | 789d | fb8a8333b481 unix: return immediately on MSG_OOB
Fatal trap NUM: page fault in uipc_soreceive_stream_or_seqpacket | -1 | C | 3 | 789d | 790d | 2/2 | 789d | d1cbb17a873c unix: fix the ad hoc STAILQ_PREPEND()
panic: Assertion size > NUM failed at /syzkaller/managers/main/kernel/sys/kern/subr_vmem.c:LINE | 2 | C | 69 | 810d | 815d | 2/2 | 810d | b5a9299bb8b9 ktls: catch invalid parameters earlier
panic: lock (sleep mutex) sctp-inp not locked @ /syzkaller/managers/main/kernel/sys/netinet/sctp_usrreq.c:LINE | 2 | C | 455 | 872d | 872d | 2/2 | 871d | a079c891c01b sctp: restore missing inpcb lock
panic: sbflush_internal: ccc NUM mb ADDR mbcnt NUM | 2 | C | 3 | 884d | 884d | 2/2 | 880d | 59ce044a7856 sockets: on shutdown(2) do sorflush() only in case of generic sockbuf
panic: vtnet_txq_offload_ctx: mbuf ADDR start NUM offset NUM proto -NUM | 2 | C | 4 | 916d | 926d | 2/2 | 887d | 7df9da47e8f0 Fix udp IPv4-mapped address
panic: Assertion !(tp->t_flags2 & TF2_HPTS_CPU_SET) failed at /syzkaller/managers/main/kernel/sys/netinet/tcp_hpts.c:LIN | 2 | C | 375 | 913d | 915d | 2/2 | 912d | 3f46be6acadd tcp_hpts: let tcp_hpts_init() set a random CPU only once
panic: Assertion !tcp_in_hpts(tp) failed at /syzkaller/managers/main/kernel/sys/netinet/tcp_subr.c:LINE | 2 | C | 35 | 912d | 915d | 2/2 | 912d | ade05d63b727 tcp: stop stack timers in tcp_switch_back_to_default()
panic: in_pcblookup_hash_locked: invalid local address (2) | 2 | C | 94 | 977d | 1187d | 2/2 | 974d | abca3ae7734f udp: fix sending of IPv4-mapped addresses
panic: in_pcblookup_hash_locked: invalid foreign address (2) | 2 | C | 38 | 981d | 1187d | 2/2 | 974d | abca3ae7734f udp: fix sending of IPv4-mapped addresses
panic: mbuf:ADDR len:NUM rsm:ADDR oml:NUM soff:NUM | 2 | C | 4 | 977d | 1027d | 2/2 | 976d | 8818f0f1124e TCP: Fix a rack bug that skyzall found which results in a crash.
panic: Counter goes negative (3) | 2 | C | 595 | 999d | 1555d | 2/2 | 998d | bb56b36d7188 sctp: further improve shutting down the read side of a socket
panic: sbflush_internal: residual data (3) | 2 | C | 33 | 1091d | 1457d | 2/2 | 998d | 81c5f0fac91d sctp: improve shutting down the read side of a socket
panic: malloc: called with spinlock or critical section held | 2 | C | 3 | 1013d | 1013d | 2/2 | 1013d | 6b635c74fd41 aesni: Push FPU sections down further
panic: sbcut_internal: no next, len NUM | 2 | C | 2 | 1031d | 1031d | 2/2 | 1018d | 847fa61fad5e sctp: improve handling of socket shutdown for reading
Fatal trap NUM: page fault in tcp_input_with_port | -1 | C | 6 | 1062d | 1102d | 2/2 | 1046d | a43e7a96b64e inpcb: use internal flag to mark pcbs that are inserted into lbgroup
panic: in_pcbconnect: inp is already connected | 2 | C | 2 | 1087d | 1087d | 2/2 | 1080d | de0a2eb2ef86 tcp: Disallow connecting a disconnected socket
panic: lock (sleep mutex) unp not locked @ /syzkaller/managers/main/kernel/sys/kern/uipc_usrreq.c:LINE | 2 | C | 2 | 1082d | 1082d | 2/2 | 1081d | 712079d38106 unix: Fix uipc_peeraddr() to handle self-connected sockets
panic: in6_pcblookup_hash_locked: invalid local address | 2 | syz | 37 | 1203d | 1219d | 2/2 | 1182d | aa71d6b4a2ec netinet: Disallow unspecified addresses in ICMP-embedded packets
panic: in_pcblookup_hash_locked: invalid local address | 2 | syz | 165751 | 1188d | 1219d | 2/2 | 1188d | 713264f6b8bc netinet: Tighten checks for unspecified source addresses
panic: in_pcblookup_hash_locked: invalid foreign address | 2 | syz | 152 | 1188d | 1219d | 2/2 | 1188d | 713264f6b8bc netinet: Tighten checks for unspecified source addresses
Fatal trap NUM: page fault in sctp_notify_stream_reset_tsn | -1 | syz | 2 | 1221d | 1221d | 2/2 | 1220d | 7b2f1a7fe944 sctp: improve delivery of stream reset notifications
Fatal trap NUM: page fault in kern_cpuset_getid | -1 | C | 3 | 1224d | 1224d | 2/2 | 1223d | 2058f075b4af cpuset: Handle CPU_WHICH_TIDPID wherever cpuset_which() is called.
panic: Assertion sb->sb_hiwat >= sb->uxdg_cc failed at /syzkaller/managers/main/kernel/sys/kern/uipc_usrreq.c:LINE | 2 | C | 2 | 1388d | 1388d | 2/2 | 1381d | 820bafd0bc14 unix/dgram: don't panic if socket buffer has negative space
Fatal trap NUM: page fault in key_attach | -1 | C | 117 | 1395d | 1396d | 2/2 | 1395d | b7bf3cb07fcf keysock: explicitly initialized LIST_HEAD
panic: Assertion done != job_total_nbytes failed at /syzkaller/managers/main/kernel/sys/kern/sys_socket.c:LINE (2) | 2 | C | 3 | 1502d | 1525d | 2/2 | 1397d | bb995f2ef0e7 sctp: improve handling of send() calls with no user data
panic: seq_out not found rack:ADDR tp:ADDR | 2 | C | 108 | 1422d | 1819d | 2/2 | 1419d | 5b741298b11c tcp rack: fix switching to RACK when FIN has been sent
Fatal trap NUM: page fault in soclose | -1 | C | 245 | 1440d | 1444d | 2/2 | 1440d | bafe71fd2720 sctp: do not clobber listening socket with sockbuf operations
panic: Assertion v != tid failed at /syzkaller/managers/main/kernel/sys/kern/kern_mutex.c:LINE | 2 | C | 245 | 1455d | 2096d | 2/2 | 1454d | a14465e1b9a5 rip6: Fix a lock order reversal in rip6_bind()
panic: Assertion v != tid failed at /syzkaller/managers/i386/kernel/sys/kern/kern_mutex.c:LINE | 2 | syz | 115 | 1459d | 2090d | 2/2 | 1454d | a14465e1b9a5 rip6: Fix a lock order reversal in rip6_bind()
panic: Thread not suspended | 2 | syz | 30 | 1456d | 1501d | 2/2 | 1454d | 1575804961d2 reap_kill_proc(): avoid singlethreading any other process if we are exiting
panic: Assertion TD_CAN_RUN(td) failed at /syzkaller/managers/main/kernel/sys/kern/subr_turnstile.c:LINE | 2 | C | 1 | 1501d | 1501d | 2/2 | 1454d | 1575804961d2 reap_kill_proc(): avoid singlethreading any other process if we are exiting
panic: td ADDR is not suspended | 2 | C | 11 | 1456d | 1501d | 2/2 | 1454d | 1575804961d2 reap_kill_proc(): avoid singlethreading any other process if we are exiting
panic: already suspended | 2 | C | 130 | 1454d | 1501d | 2/2 | 1454d | 1575804961d2 reap_kill_proc(): avoid singlethreading any other process if we are exiting
panic: Lock pf config not exclusively locked @ /syzkaller/managers/main/kernel/sys/netpfil/pf/pf_ioctl.c:LINE | 2 | C | 142 | 1488d | 1532d | 2/2 | 1455d | 826c58d6656c pf: add missing unlock on error in DIOCCHANGERULE
panic: sctp_inpcb_free: inp ADDR still has socket | 2 | syz | 12 | 1493d | 1682d | 2/2 | 1463d | a5c2009dd8ab sctp: improve handling of sctp inpcb flags
Fatal trap NUM: page fault in pf_krule_global_RB_INSERT (2) | -1 | C | 27 | 1470d | 1486d | 2/2 | 1467d | a3d974082549 pf: make sure the rule tree is allocated in DIOCCHANGERULE
panic: sbflush_internal: residual data (2) | 2 | C | 263 | 1470d | 1732d | 2/2 | 1469d | a6a596e102be sctp: improve handling of listen() call
panic: Warning: Last msg marked incomplete, yet nothing left? (2) | 2 | C | 3 | 1471d | 1480d | 2/2 | 1470d | 2646cd085850 sctp: use a consistent view of the send parameters
panic: Queues are not empty when handling SHUTDOWN-COMPLETE | 2 | C | 17 | 1508d | 2038d | 2/2 | 1470d | 64b297e803bd sctp: improve handling of send() when association is shutdown
panic: sctp: no chunks on the queues (2) | 2 | syz | 1813 | 1471d | 2115d | 2/2 | 1470d | 2646cd085850 sctp: use a consistent view of the send parameters
panic: Assertion clen >= sizeof(*cm) && clen <= cm->cmsg_len failed at /syzkaller/managers/main/kernel/sys/kern/uipc_usr | 2 | C | 6 | 1473d | 1473d | 2/2 | 1472d | 75e7e3ce34d9 unix: fix incorrect assertion in 4682ac697ce
Fatal trap NUM: page fault in sctp_wakeup_the_read_socket (3) | -1 | syz | 3 | 1503d | 1509d | 2/2 | 1501d | 490a0f77de77 sctp: improve locking
panic: ASan: Invalid access, NUM-byte read at ADDR, UMAUseAfterFree(fd) (2) | 2 | C | 7 | 1510d | 1512d | 2/2 | 1510d | a12d89332efe sctp: hold the inp lock while calling ip6_output
Fatal trap NUM: page fault in __mtx_lock_flags (2) | -1 | C | 2 | 1522d | 1522d | 2/2 | 1512d | 3dc57df91e65 sctp: don't wakeup 1-to-1 listening sockets for data or notifications
panic: ASan: Invalid access, NUM-byte read in sctp_med_chunk_output | 2 | C | 180 | 1666d | 1723d | 2/2 | 1513d | eeba22217217 sctp: don't keep a pointer to a freed stcb around
panic: ASan: Invalid access, NUM-byte read at ADDR, UMAUseAfterFree(fd) | 2 | C | 515 | 1513d | 1633d | 2/2 | 1513d | eeba22217217 sctp: don't keep a pointer to a freed stcb around
panic: ASan: Invalid access, 4-byte write at ADDR, UMAUseAfterFree(fd) | 2 | C | 462 | 1529d | 1795d | 2/2 | 1526d | 52106f072fd0 sctp: don't refer to a potentially outdated stream
Fatal trap NUM: page fault in pf_krule_global_RB_INSERT | -1 | C | 81 | 1530d | 1532d | 2/2 | 1530d | e123e2294cb5 pf: guard against DIOCADDRULE without DIOCXBEGIN
panic: Don't own TCB send lock | 2 | C | 8016 | 1531d | 1715d | 2/2 | 1531d | 5ac91821f5d7 sctp: get rid of stcb send lock
panic: Association about to be freed (2) | 2 | C | 4834 | 1531d | 1568d | 2/2 | 1531d | 5ac91821f5d7 sctp: get rid of stcb send lock
panic: hold_tcblock is false | 2 | C | 468 | 1568d | 1568d | 2/2 | 1568d | e255f0c9fbd2 sctp: make sure new locking requirements are satisfied.
panic: Association about to be freed | 2 | C | 57 | 1568d | 1568d | 2/2 | 1568d | bdb99f6f5e31 sctp: remove KASSERT() which not always holds
panic: create_lock_applied is true | 2 | C | 104 | 1568d | 1568d | 2/2 | 1568d | 2f0656fb9ba2 sctp: don't hold the assoc create lock longer than needed
Fatal trap NUM: page fault in inp_next | -1 | syz | 3 | 1621d | 1627d | 2/2 | 1618d | 430df2abee90 in_pcb: improve inp_next()
panic: mutex blocked lock not owned at /syzkaller/managers/main/kernel/sys/kern/sched_ule.c:LINE | 2 | C | 33 | 1618d | 1619d | 2/2 | 1618d | 6b95cf5bdedc callout: Wait for the softclock thread to switch before rescheduling
Fatal trap NUM: page fault in tcp_usr_send | -1 | syz | 1 | 1622d | 1622d | 2/2 | 1621d | 4287aa56197f tcp_usr_shutdown: don't cast inp_ppcb to tcpcb before checking inp_flags
panic: overhead (NUM) not a multiple of NUM | 2 | C | 248 | 1622d | 1622d | 2/2 | 1622d | ca0dd19f0933 sctp: check that the computed frag point is a multiple of 4
Fatal trap NUM: page fault in tcp_usr_shutdown | -1 | C | 5 | 1622d | 1623d | 2/2 | 1622d | 4287aa56197f tcp_usr_shutdown: don't cast inp_ppcb to tcpcb before checking inp_flags
Fatal trap NUM: page fault in tcp_usr_rcvd | -1 | C | 7 | 1623d | 1623d | 2/2 | 1622d | 37a7f5573716 tcp_usr_rcvd: don't cast inp_ppcb to tcpcb before checking inp_flags
panic: m_apply, offset > size of mbuf chain | 2 | C | 2 | 1629d | 1629d | 2/2 | 1622d | 989453da0589 sctp: cleanup the SCTP_MAXSEG socket option.
panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/net/if.c:LINE (2) | 2 | C | 314 | 1632d | 1636d | 2/2 | 1632d | 9f5432d5e5f0 netinet6: ip6_setpktopt() requires NET_EPOCH
panic: ASan: Invalid access, 2-byte read at ADDR, UMAUseAfterFree(fd) | 2 | C | 1103 | 1633d | 1794d | 2/2 | 1633d | 014f98b11992 udp: Fix a use-after-free in udp_multi_input()
Fatal trap NUM: page fault in memcpy_erms | -1 | C | 306 | 1634d | 1641d | 2/2 | 1634d | aa2681752d0d cryptosoft: Don't treat CRYPTO_NULL_HMAC as an hmac algorithm.
Fatal trap NUM: page fault in filt_bpfwrite | -1 | C | 4 | 1692d | 1698d | 2/2 | 1684d | 426682b05a4c bpf: Fix the write filter for detached descriptors
panic: ASan: Invalid access, NUM-byte read in newreno_cong_signal | 2 | C | 4 | 1686d | 1688d | 2/2 | 1685d | b15b0535968e tcp: allow new reno functions to be called from other CC modules
panic: Assertion (cnp->cn_flags & (LOCKPARENT | WANTPARENT)) == NUM failed at /syzkaller/managers/main/kernel/sys/kern/v | 2 | C | 87 | 1694d | 1694d | 2/2 | 1694d | 1045352f1503 cache: only assert on flags when dealing with EMPTYPATH
panic: TLS trailer length too long: NUM | 2 | C | 2 | 1702d | 1702d | 2/2 | 1697d | a63752cce646 ktls: Reject attempts to enable AES-CBC with TLS 1.3.
panic: Bad tailq NEXT(ADDR->tqh_last) != NULL (4) | 2 | C | 147 | 1796d | 2019d | 2/2 | 1721d | 34b1efcea19d sctp: use a valid outstream when adding it to the scheduler
Fatal trap 12: page fault while in kernel mode (3) | -1 | C | 140 | 1723d | 2330d | 2/2 | 1723d | ade1daa5c0d6 socket: Synchronize soshutdown() with listen(2) and AIO
Fatal trap 12: page fault in soo_aio_queue | -1 | C | 349 | 1724d | 1828d | 2/2 | 1723d | ade1daa5c0d6 socket: Synchronize soshutdown() with listen(2) and AIO
panic: Assertion done != job_total_nbytes failed at /syzkaller/managers/main/kernel/sys/kern/sys_socket.c:LINE | 2 | C | 3 | 1736d | 1800d | 2/2 | 1727d | e6c19aa94da4 sctp: Allow blocking on I/O locks even with non-blocking sockets
Fatal trap 12: page fault in __mtx_lock_flags | -1 | C | 1065 | 1729d | 2228d | 2/2 | 1729d | 2d5c48eccd9f sctp: Tighten up locking around sctp_aloc_assoc()
panic: unexpected security protocol NUM | 2 | syz | 7 | 1732d | 1747d | 2/2 | 1730d | 10eb2a2bde61 ipsec: Validate the protocol identifier in ipsec4_ctlinput()
panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/kern/sys_socket.c:LINE (2) | 2 | C | 109 | 1733d | 1828d | 2/2 | 1730d | 141fe2dceeae aio: Interlock with listen(2)
panic: Assertion owner->td_proc->p_magic == P_MAGIC failed at /syzkaller/managers/main/kernel/sys/kern/subr_turnstile.c: | 2 | C | 46 | 1794d | 2049d | 2/2 | 1730d | 141fe2dceeae aio: Interlock with listen(2)
panic: Lock sctp-info not exclusively locked @ /syzkaller/managers/main/kernel/sys/netinet/sctp_pcb.c:LINE | 2 | C | 363 | 1731d | 1732d | 2/2 | 1731d | 0c1a20beb456 sctp: use appropriate argument when freeing association
Fatal trap 9: general protection fault in strlen | -1 | C | 1506 | 1797d | 2555d | 2/2 | 1731d | 4250aa1188b5 sctp: Clear assoc socket references when freeing a PCB
panic: mtx_lock() of destroyed mutex at sys/kern/uipc_sockbuf.c:LINE | 2 | syz | 4 | 1882d | 2072d | 2/2 | 1731d | 4250aa1188b5 sctp: Clear assoc socket references when freeing a PCB
panic: mutex so_snd not owned at /syzkaller/managers/i386/kernel/sys/kern/uipc_sockbuf.c:LINE | 2 | syz | 1 | 2026d | 2026d | 2/2 | 1731d | 4250aa1188b5 sctp: Clear assoc socket references when freeing a PCB
panic: __rw_wlock_hard: recursing but non-recursive rw sctp-info @ /syzkaller/managers/main/kernel/sys/netinet/sctp_pcb. | 2 | C | 131 | 1733d | 1733d | 2/2 | 1732d | 6e3af6321ba4 sctp: Fix lock recursion in sctp_swap_inpcb_for_listen()
panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/netinet/tcp_output.c:LINE | 2 | syz | 707 | 1756d | 2641d | 2/2 | 1733d | bd4a39cc93d9 socket: Properly interlock when transitioning to a listening socket
panic: ASan: Invalid access, NUM-byte read in strncmp | 2 | C | 12 | 1734d | 1738d | 2/2 | 1734d | 5402baa5b5d1 g_label: Handle small sector sizes when tasting
Fatal trap 9: general protection fault in sctp_free_assoc | -1 | syz | 14 | 1801d | 2110d | 2/2 | 1740d | d35be50f5779 sctp: Hold association locks across socket wakeups when freeing
Fatal trap 9: general protection fault in itimer_proc_continue | -1 | syz | 2 | 1834d | 1834d | 2/2 | 1740d | 3138392a46a4 itimer: Serialize access to the p_itimers array
panic: ASan: Invalid access, 1-byte read in g_raid_md_taste_ddf | 2 | C | 18 | 1745d | 1792d | 2/2 | 1740d | 9e9ba9c73de9 graid: Avoid tasting devices with small sector sizes
panic: ASan: Invalid access, 2-byte read in g_raid_md_taste_sii | 2 | C | 7 | 1753d | 1779d | 2/2 | 1740d | 9e9ba9c73de9 graid: Avoid tasting devices with small sector sizes
panic: Bad list head ADDR first->prev != head | 2 | C | 3409 | 1741d | 2638d | 2/2 | 1741d | 4a36122b1db1 sctp: Fix racy UNBOUND flag check in sctp_inpcb_bind()
panic: ASan: Invalid access, 16-byte read in aesni_encrypt_icm | 2 | C | 114 | 1743d | 1793d | 2/2 | 1741d | 564b6aa7fccd aesni: Avoid a potential out-of-bounds load in aes_encrypt_icm()
panic: Assertion lock == sq->sq_lock failed at /syzkaller/managers/main/kernel/sys/kern/subr_sleepqueue.c:LINE (2) | 2 | C | 7 | 1798d | 1821d | 2/2 | 1755d | c4feb1ab0ae0 sigtimedwait: Use a unique wait channel for sleeping
panic: ASan: Invalid access, 4-byte read in sctp_sosend | 2 | C | 518 | 1765d | 1793d | 2/2 | 1765d | b732091a761a sctp: improve input validation of mapped addresses in send() Reported by: syzbot+35528f275f2eea6317cc@syzkaller.appspotmail.com Reported by: syzbot+ac29916d5f16d241553d@syzkaller.appspotmail.com MFC after: 3 days
panic: ASan: Invalid access, 4-byte read in tcp_usr_bind | 2 | C | 50 | 1767d | 1791d | 2/2 | 1767d | 3f1f6b6ef7f6 tcp, udp: improve input validation in handling bind()
panic: ASan: Invalid access, 4-byte read in udp_bind | 2 | C | 69 | 1767d | 1792d | 2/2 | 1767d | 3f1f6b6ef7f6 tcp, udp: improve input validation in handling bind()
panic: pmap_growkernel: no memory to grow kernel (2) | 2 | syz | 299 | 1769d | 2230d | 2/2 | 1767d | 600745f1e226 pf: bound DIOCGETSTATES memory use
panic: pmap_kasan_enter_alloc_4k: no memory to grow shadow map | 2 | C | 20 | 1770d | 1789d | 2/2 | 1767d | 600745f1e226 pf: bound DIOCGETSTATES memory use
panic: vm_fault_lookup: fault on nofault entry, addr: ADDR (2) | 2 | C | 75 | 1806d | 1849d | 2/2 | 1775d | 64432ad2a2c4 pf: Validate user string nul-termination before copying
panic: Assertion (cnp->cn_flags & (LOCKPARENT | WANTPARENT)) == 0 failed at /syzkaller/managers/main/kernel/sys/kern/vfs | 2 | C | 4 | 1852d | 1852d | 2/2 | 1792d | 6de3cf14c47d vn_open_cred(): disallow O_CREAT | O_EMPTY_PATH
panic: thread_lock() of sleep mutex ` @ /syzkaller/managers/main/kernel/sys/kern/kern_switch.c:LINE | 2 | C | 1 | 1835d | 1835d | 2/2 | 1832d | 4a59cbc12532 amd64: Avoid enabling interrupts when handling kernel mode prot faults
Fatal trap 12: page fault in rack_process_to_cumack (2) | -1 | syz | 3 | 1840d | 1840d | 2/2 | 1838d | 13c0e198ca27 tcp: Fix bugs related to the PUSH bit and rack and an ack war
panic: refcount ADDR wraparound (3) | 2 | C | 9 | 1841d | 1841d | 2/2 | 1841d | 6f6cd1e8e8aa ktrace: Remove vrele() at the end of ktr_writerequest()
Fatal trap 9: general protection fault in rack_ctloutput | -1 | syz | 2 | 1844d | 1844d | 2/2 | 1842d | 8923ce630492 tcp: Handle stack switch while processing socket options
panic: ktrace_enter: flag set | 2 | C | 44 | 1842d | 1843d | 2/2 | 1842d | e4b16f2fb18b ktrace: Avoid recursion in namei()
panic: Memory modified after free ADDR(4096) val=ADDR @ ADDR | 2 | C | 1 | 1847d | 1847d | 2/2 | 1843d | 500eb6dd8040 tcp: Fix sending of TCP segments with IP level options
panic: releasing active pmap ADDR | 2 | C | 11 | 1852d | 1895d | 2/2 | 1850d | 9246b3090cbc fork: Suspend other threads if both RFPROC and RFMEM are not set
panic: pmap active ADDR | 2 | C | 5 | 1858d | 1895d | 2/2 | 1850d | 9246b3090cbc fork: Suspend other threads if both RFPROC and RFMEM are not set
Fatal trap 18: integer divide fault in realtimer_expire_l | -1 | C | 15 | 1852d | 1879d | 2/2 | 1850d | 8b3c4231abf0 posix timers: Check for overflow when converting to ns
Fatal trap 18: integer divide fault in realtimer_expire | -1 | C | 20 | 1882d | 1903d | 2/2 | 1850d | 8b3c4231abf0 posix timers: Check for overflow when converting to ns
panic: crp_iv_start set when IV isn't used | 2 | C | 2 | 1855d | 1856d | 2/2 | 1852d | 1a04f0156c4e cryptodev: Fix some input validation bugs
panic: IV outside buffer length | 2 | C | 16 | 1852d | 1858d | 2/2 | 1852d | 1a04f0156c4e cryptodev: Fix some input validation bugs
panic: More encryption data than allowed | 2 | C | 2 | 1853d | 1853d | 2/2 | 1852d | 1a04f0156c4e cryptodev: Fix some input validation bugs
panic: AEAD without a separate IV | 2 | C | 25 | 1852d | 1858d | 2/2 | 1852d | 1a04f0156c4e cryptodev: Fix some input validation bugs
Fatal trap 12: page fault in memcpy_erms | -1 | C | 2 | 1853d | 1853d | 2/2 | 1852d | 1a04f0156c4e cryptodev: Fix some input validation bugs
panic: IV_SEPARATE set when IV isn't used | 2 | C | 4 | 1853d | 1856d | 2/2 | 1852d | 1a04f0156c4e cryptodev: Fix some input validation bugs
panic: _mtx_lock_sleep: recursed on non-recursive mutex process lock @ /syzkaller/managers/main/kernel/sys/kern/kern_sig | 2 | syz | 2 | 1881d | 1881d | 2/2 | 1852d | 5cc1d199412e realtimer_expire: avoid proc lock recursion when called from itimer_proc_continue()
Fatal trap 12: page fault in pmap_kextract (2) | -1 | C | 8 | 1882d | 1883d | 2/2 | 1882d | 5e98cae661f3 pf: Ensure that we don't use kif passed to pfi_kkif_attach()
panic: to_ticks == 0 for timer type 5 (2) | 2 | syz | 2 | 1904d | 1904d | 2/2 | 1902d | d995cc7e5431 sctp: fix handling of RTO.initial of 1 ms
panic: to_ticks == 0 for timer type 5 | 2 | C | 2 | 1930d | 1930d | 2/2 | 1925d | 70e95f0b6917 sctp: avoid integer overflow when starting the HB timer
Fatal trap 12: page fault in sctp_find_alternate_net | -1 | syz | 131 | 1932d | 2075d | 2/2 | 1931d | b963ce4588b3 sctp: improve computation of an alternate net
panic: pfi_dynaddr_setup: non-NULL dyn (2) | 2 | C | 4 | 1962d | 1963d | 2/2 | 1956d | 7a808c5ee329 pf: Improve pf_rule input validation
Fatal trap 12: page fault in copyin_nosmap_erms | -1 | C | 8 | 2000d | 2046d | 2/2 | 1970d | ea36212bf571 pf: Don't hold PF_RULES_WLOCK during copyin() on DIOCRCLRTSTATS
panic: mtx_lock() of spin mutex (null) @ /syzkaller/managers/main/kernel/sys/kern/uipc_ktls.c:LINE | 2 | C | 11 | 1977d | 2203d | 2/2 | 1975d | 6685e259e319 tcp: don't use KTLS socket option on listening sockets
panic: Memory modified after free ADDR(112) val=ADDR @ ADDR (2) | 2 | syz | 475 | 1979d | 2222d | 2/2 | 1979d | a7aa5eea4fff sctp: improve handling of aborted associations
panic: sched_pickcpu: Failed to find a cpu. | 2 | C | 4 | 2007d | 2007d | 2/2 | 2006d | f1b18a668deb cpuset_set{affinity,domain}: do not allow empty masks
Fatal trap 9: general protection fault in cpuset_setproc | -1 | syz | 2 | 2008d | 2008d | 2/2 | 2006d | b2780e8537da kern: cpuset: resolve race between cpuset_lookup/cpuset_rel
panic: sleeping without a lock | 2 | C | 29 | 2012d | 2178d | 2/2 | 2011d | 34af05ead3cf kern: soclose: don't sleep on SO_LINGER w/ timeout=0
panic: uma_zalloc_debug: called within spinlock or critical section | 2 | C | 9 | 2018d | 2022d | 2/2 | 2017d | e07e3fa3c95c kern: cpuset: drop the lock to allocate domainsets
panic: Bad tailq NEXT(ADDR->tqh_last) != NULL (3) | 2 | C | 12 | 2021d | 2022d | 2/2 | 2020d | 5d49283f8857 pf: Make tag hashing more robust
panic: spin lock held too long | 2 | C | 1 | 2031d | 2031d | 2/2 | 2026d | a33fef5e25ac callout(9): Fix a race between CPU migration and callout_drain()
Fatal trap 12: page fault in _callout_stop_safe | -1 | C | 1 | 2030d | 2030d | 2/2 | 2026d | a33fef5e25ac callout(9): Fix a race between CPU migration and callout_drain()
panic: Most recently used by pf_ifnet | 2 | C | 6 | 2064d | 2064d | 2/2 | 2063d | 52b83a06184c pf: do not remove kifs that are referenced by rules
Fatal trap 9: general protection fault in sctp_lower_sosend | -1 | C | 22 | 2162d | 2215d | 2/2 | 2121d | f5d30f7f7606 Improve the handling of concurrent send() calls for SCTP sockets, especially when having the explicit EOR mode enabled.
panic: in6p_lookup_mcast_ifp: not INP_IPV6 inpcb | 2 | C | 2 | 2169d | 2169d | 2/2 | 2132d | cfae6a92ac01 Remove an incorrect assertion from in6p_lookup_mcast_ifp().
Fatal trap 12: page fault in uipc_ready | -1 | C | 5 | 2163d | 2191d | 2/2 | 2138d | 1b778ba2609f Fix a logic error in uipc_ready_scan().
panic: witness_warn | 2 | syz | 1 | 2183d | 2183d | 2/2 | 2167d | e54b7cd007b5 Fix the cleanup handling in an error path for TCP BBR.
Fatal trap 12: page fault in sctp_find_ifa_in_ep | -1 | C | 3 | 2169d | 2169d | 2/2 | 2167d | 7a3f60e7f571 Fix a bug introduced in https://svnweb.freebsd.org/changeset/base/362173
Fatal trap 12: page fault in sctp_process_control | -1 | C | 47 | 2217d | 2218d | 2/2 | 2217d | 86fd36c502db Fix a copy and paste error introduced in r360878.
Fatal trap 9: general protection fault in sctp_process_control | -1 | C | 11 | 2217d | 2218d | 2/2 | 2217d | 86fd36c502db Fix a copy and paste error introduced in r360878.
panic: pfi_dynaddr_setup: dyn is ADDR (2) | 2 | C | 22 | 2228d | 2239d | 2/2 | 2225d | 1ef06ed8def9 pf: Improve DIOCADDRULE validation
panic: mallocarray: ADDR * 1064 overflowed | 2 | C | 3 | 2236d | 2240d | 2/2 | 2233d | a7c8533634ab pf: Improve input validation
panic: pfi_dynaddr_setup: dyn is ADDR | 2 | C | 7 | 2241d | 2245d | 2/2 | 2240d | 98582ce38183 pf: Improve ioctl() input validation
panic: Assertion size0 > 0 failed at /syzkaller/managers/main/kernel/sys/kern/subr_vmem.c:LINE | 2 | C | 2 | 2243d | 2243d | 2/2 | 2242d | 95324dc3f4d2 pf: Do not allow negative ps_len in DIOCGETSTATES
panic: mtx_unlock() of destroyed mutex at sys/kern/sys_socket.c:LINE | 2 | syz | 1 | 2333d | 2333d | 2/2 | 2245d | 99258935eb2b Lock the socket in soo_stat().
panic: sbfree: m ADDR !M_NOTREADY | 2 | C | 32 | 2615d | 2640d | 2/2 | 2247d | dde1b5985fcc Properly handle disconnected sockets in uipc_ready().
panic: Duplicate free of ADDR from zone ADDR(mbuf) slab ADDR(8) | 2 | C | 1 | 2638d | 2638d | 2/2 | 2248d | 3d36b367cfb6 sbappendcontrol() needs to avoid clearing M_NOTREADY on data mbufs.
panic: to_ticks == 0 for timer type 2 | 2 | C | 27 | 2262d | 2265d | 2/2 | 2261d | 25ec35535397 Handle integer overflows correctly when converting msecs and secs to ticks and vice versa. These issues were caught by recently added panic() calls on INVARIANTS systems.
panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet/ip_output.c:LINE | 2 | syz | 1870 | 2270d | 2328d | 2/2 | 2270d | 2bdebd0ce3e0 Add a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg().
panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet6/ip6_output.c:LINE | 2 | syz | 229 | 2271d | 2328d | 2/2 | 2270d | 2bdebd0ce3e0 Add a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg().
panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/netinet6/ip6_output.c:LINE | 2 | C | 591 | 2271d | 2328d | 2/2 | 2270d | 2bdebd0ce3e0 Add a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg().
panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/main/kernel/sys/netinet/ip_output.c:LINE | 2 | C | 2840 | 2271d | 2328d | 2/2 | 2270d | 2bdebd0ce3e0 Add a missing NET_EPOCH_ENTER/NET_EPOCH_EXIT pair. This was affecting implicit connection setups via sendmsg().
panic: Most recently used by ip6opt (2) | 2 | syz | 4 | 2274d | 2319d | 2/2 | 2270d | e02582d1ae44 Fix synchronization in the IPV6_2292PKTOPTIONS set handler.
panic: mutex process lock not owned at /syzkaller/managers/i386/kernel/sys/kern/kern_time.c:LINE | 2 | C | 33 | 2314d | 2315d | 2/2 | 2270d | 55aa9af7e971 Remove unneeded assert for curproc. Simplify.
panic: refcount ADDR wraparound | 2 | C | 6 | 2315d | 2315d | 2/2 | 2270d | adbdb897689b fd: always nullify *fdp in fget* routines
panic: mutex process lock not owned at /syzkaller/managers/main/kernel/sys/kern/kern_time.c:LINE | 2 | C | 83 | 2314d | 2315d | 2/2 | 2313d | 55aa9af7e971 Remove unneeded assert for curproc. Simplify.
panic: pipe_destroy_write_buffer: pipe map for ADDR contains residual data | 2 | syz | 11 | 2408d | 2452d | 2/2 | 2399d | 1cbfe73da570 Fix handling of PIPE_EOF in the direct write path.
panic: mutex pcbinfohash not owned at /syzkaller/managers/main/kernel/sys/netinet6/in6_pcb.c:LINE | 2 | C | 5 | 2401d | 2403d | 2/2 | 2400d | c17cd08f5302 It is unclear why in6_pcblookup_local() would require write access to the PCB hash. The function doesn't modify the hash. It always asserted write lock historically, but with epoch conversion this fails in some special cases.
panic: in_pcb_lport: laddrp NULL for v4 inp ADDR | 2 | C | 8 | 2445d | 2561d | 2/2 | 2417d | 4a91aa8fc9b6 Ensure that the flags indicating IPv4/IPv6 are not changed by failing bind() calls. This would lead to inconsistent state resulting in a panic. A fix for stable/11 was committed in https://svnweb.freebsd.org/base?view=revision&revision=338986 An accelerated MFC is planned as discussed with emaste@.
panic: Assertion in_epoch(net_epoch_preempt) failed at /syzkaller/managers/i386/kernel/sys/netinet6/in6_ifattach.c:LINE | 2 | syz | 2 | 2432d | 2432d | 2/2 | 2426d | in6ifa_llaonifp() is never called from fast path, so do not require epoch being entered.
Fatal trap 12: page fault in uipc_send | -1 | syz | 123 | 2434d | 2566d | 2/2 | 2433d | 4013d7268446 Fix handling of empty SCM_RIGHTS messages.
Fatal trap 12: page fault in inp_freemoptions (2) | -1 | syz | 14 | 2551d | 2561d | 2/2 | 2441d | Convert all IPv4 and IPv6 multicast memberships into using a STAILQ instead of a linear array.
panic: m_getm2: len is < 0 | 2 | syz | 13 | 2634d | 2639d | 2/2 | 2448d | 2ef5bd2f0c46 Limit the number of bytes which can be queued for SCTP sockets. This is joint work with rrs@. Reported by: syzbot+307f167f9bc214f095bc@syzkaller.appspotmail.com MFC after: 1 week
Fatal trap 9: general protection fault in sctp_copy_skeylist | -1 | syz | 3 | 2558d | 2558d | 2/2 | 2519d | 8a956abe12c6 When calling sctp_initialize_auth_params(), the inp must have at least a read lock. To avoid more complex locking dances, just call it in sctp_aloc_assoc() when the write lock is still held.
panic: Most recently used by tty | 2 | syz | 24 | 2572d | 2587d | 2/2 | 2529d | 6a01874c5afa Defer funsetown() calls for a TTY to tty_rel_free().
panic: cap_rights_is_vset:LINE | 2 | syz | 3 | 2554d | 2554d | 2/2 | 2534d | 7c3703a69466 Use a consistent snapshot of the fd's rights in fget_mmap().
Fatal trap 12: page fault in vm_page_unhold_pages | -1 | C | 1169 | 2542d | 2636d | 2/2 | 2534d | 02476c44c5eb Fix mutual exclusion in pipe_direct_write().
panic: udp_output: shared udbinfo lock, excl inp lock (2) | 2 | syz | 7 | 2576d | 2594d | 2/2 | 2562d | eafaa1bc35e9 After parts of the locking fixes in r346595, syzkaller found another one in udp_output(). This one is a race condition. We do check on the laddr and lport without holding a lock in order to determine whether we want a read or a write lock (this is in the "sendto/sendmsg" cases where addr (sin) is given).
Fatal trap 12: page fault in inp_freemoptions | -1 | C | 11 | 2582d | 2636d | 1/2 | 2580d | 5a1e222bfda7 Close some races in multicast socket option handling.
panic: inp_leave_group: imf_sources not empty | 2 | C | 6 | 2583d | 2603d | 1/2 | 2580d | 5a1e222bfda7 Close some races in multicast socket option handling.
panic: vm_object_vndeallocate: bad object reference count | 2 | C | 974 | 2581d | 2582d | 1/2 | 2581d | 8cd6a80d7d68 Restore the pre-r347532 behaviour of ignoring wiring failures in mmap().
panic: ffs_blkfree_cg: freeing free block | 2 | C | 5 | 2638d | 2638d | 1/2 | 2595d | a7a455c299b0 Optimize lseek(SEEK_DATA) on UFS.
panic: udp_output: shared udbinfo lock, excl inp lock | 2 | C | 46 | 2603d | 2641d | 1/2 | 2602d | d86ecbe993a7 Fix udp_output() lock inconsistency.
Fatal trap 12: page fault in in6_cksum_partial | -1 | syz | 6 | 2606d | 2636d | 1/2 | 2606d | 70a0f3dcdc1f When a checksum has to be computed for a received IPv6 packet because it is requested by the application using the IPPROTO_IPV6 level socket option IPV6_CHECKSUM on a raw socket, ensure that the packet contains enough bytes to contain the checksum at the specified offset.
panic: rtrequest1_fib: locked | 2 | C | 10 | 2612d | 2638d | 1/2 | 2611d | e6481fd4c46a When sending a routing message, don't allow the user to set the RTF_RNH_LOCKED flag in rtm_flags, since this flag is used only internally.
panic: inp_join_group: imf_sources not empty | 2 | C | 398 | 2614d | 2641d | 1/2 | 2614d | f1ef572a1ecd Reinitialize multicast source filter structures after invalidation.
Fatal trap 12: page fault in __mtx_assert | -1 | syz | 4 | 2632d | 2633d | 1/2 | 2630d | 7854c63d6fbe Fix a small bug in the tcp_log_id where the bucket was unlocked and yet the bucket-unlock flag was not changed to false. This can cause a panic if INVARIANTS is on and we go through the right path (though rare).
panic: Can't clear local locks with F_UNLCKSYS | 2 | C | 9 | 2631d | 2640d | 1/2 | 2630d | fd76e780a7c0 Reject F_SETLK_REMOTE commands when sysid == 0.
panic: Counter goes negative | 2 | C | 2 | 2637d | 2637d | 1/2 | 2632d | 0d3cf13dabf8 Fix a signed/unsigned bug when receiving SCTP messages. This is joint work with rrs@.
panic: tcp_output: mbuf chain shorter than expected: 0 + 60 + 24 - 0 != 60 | 2 | C | 2 | 2639d | 2639d | 1/2 | 2633d | 05fb056c068d Fix a KASSERT() in tcp_output().
panic: pmap_demote_pde: page table page for a wired mapping is missing | 2 | C | 56 | 2635d | 2639d | 1/2 | 2634d | 64087fd7f372 Disallow preemptive creation of wired superpage mappings.
panic: invalid dst page ADDR | 2 | C | 33 | 2636d | 2641d | 1/2 | 2635d | 45d72c7d7fca vm_fault_copy_entry: accept invalid source pages.