syzbot


Title Rank Repro Cause bisect Fix bisect Count Last Reported Patched Closed Patch
UBSan: Undefined Behavior in usb_free_device (2) -1 C 117 1517d 1618d 0/3 never 63debb924f1a usb(9): Record config index, not just number, in struct usbd_device. 445a3fe90a9a usb(9): Use ud_configidx, not ud_config, to see if unconfigured.
MSan: Uninitialized Memory in ip6_hopopts_input -1 C 6 755d 758d 3/3 755d f09779b4fc4e ip6_output: Initialize plen for ip6_hopopts_input.
UBSan: Undefined Behavior in dounmount -1 C 130 755d 758d 3/3 755d b7772f668d24 dounmount: Avoid &((struct vnode_impl *)NULL)->vi_vnode.
assert failed: sc->sc_parent->dk_rawopens > NUM -1 C 59 1324d 1355d 3/3 1019d 804127267a30 dk(4): Use disk_begindetach and rely on vdevgone to close instances.
panic: kernel di.NUM=S2dagnostic assertion "uio->uio_iovcnt > NUM" failed: file "/syzkaller/managers/ci2-netbs 2 1 1131d 1131d 3/3 1087d a7a3e2ad8d57 tty(9): Make ttwrite update uio with only how much it has consumed.
assert failed: uAiio->uio_iovcnt > NUM -1 1 1119d 1119d 3/3 1087d a7a3e2ad8d57 tty(9): Make ttwrite update uio with only how much it has consumed.
assert failed: uio->uio_iovcnt > NUM -1 C 34 1094d 1556d 3/3 1087d a7a3e2ad8d57 tty(9): Make ttwrite update uio with only how much it has consumed.
assert failed: %uio->uio_iovcnt > NUM -1 C 1 1129d 1129d 3/3 1087d a7a3e2ad8d57 tty(9): Make ttwrite update uio with only how much it has consumed.
panic: keexecrnel diagnostic assertion "uio->uio_iovcnt > NUM" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kerne 2 syz 1 1334d 1334d 3/3 1087d a7a3e2ad8d57 tty(9): Make ttwrite update uio with only how much it has consumed.
panic: F8kernel diagnostic assertion "uio->uio_iovcnt > NUM" failed: file "/syzkaller/managers/ci2-netbsd- 2 C 1 1556d 1556d 3/3 1087d a7a3e2ad8d57 tty(9): Make ttwrite update uio with only how much it has consumed.
ASan: Unauthorized Access in uiomove -1 C 16 1130d 1583d 3/3 1087d a7a3e2ad8d57 tty(9): Make ttwrite update uio with only how much it has consumed.
panic: kernel dAiagnos@t ic assertion "uio->uio_iovcnt > NUM" failed: f 2 1 1131d 1131d 3/3 1087d a7a3e2ad8d57 tty(9): Make ttwrite update uio with only how much it has consumed.
assert failed: uio->uio_iohsyz-vcnt > NUM -1 C 1 1130d 1130d 3/3 1087d a7a3e2ad8d57 tty(9): Make ttwrite update uio with only how much it has consumed.
panic: kernel diagnostic assertion "uio->uio_iovcnt > NUM" failed: file "/syzkaller/managers/ci2-netbsd-kmsa 2 1 1121d 1121d 3/3 1087d a7a3e2ad8d57 tty(9): Make ttwrite update uio with only how much it has consumed.
assert failed: !netq->netq_stopping -1 1 1110d 1110d 3/3 1099d 2b696ab4fdff Fix missing check for netq->netq_stopping in vioif_rx_intr()
assert failed: sc->sc_dk.dk_openmask == NUM -1 C 22 1100d 1117d 3/3 1100d 17fe932c5f6c dk(4): dkclose must handle a dying wedge too to close the parent. 76abd28dc391 ioctl(DIOCRMWEDGES): Delete only idle wedges.
assert failed: mutex_owned(&sc->sc_dk.dk_openlock) -1 4 1112d 1118d 3/3 1110d 76e8386e9976 dk(4): Fix lock assertion in size increase: parent's, not wedge's.
UBSan: Undefined Behavior in tmpfs_reg_resize -1 1 1113d 1113d 3/3 1110d 08655e8aab1e tmpfs: Refuse sizes that overflow round_page.
panic: LOCKDEBUG: Mutex error: mi_userret,NUM: sleep lock held 2 6 1117d 1118d 3/3 1117d 569b1a993381 disk(9): Fix missing unlock in error branch in previous change.
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/kern/subr_pserialize.c:LINE, member -1 39 1126d 1128d 3/3 1124d 245f5e21b00b pserialize(9): Fix bug in recent micro-optimization.
panic: kernel debugging assertion "notin" failed: file "/syzkaller/managers/ci2-netbsd/kernel/sys/kern/subr_pserialize.c 2 1 1125d 1125d 3/3 1124d 8727589ebb95 pserialize(9): Fix buggy assertion inside assertion.
UBSan: Undefined Behavior in playtone -1 C 1 1140d 1140d 3/3 1139d 5d38fb5bcae7 spkr(4): Avoid some overflow issues.
ASan: Unauthorized Access in playtone -1 C 2 1140d 1140d 3/3 1139d 5d38fb5bcae7 spkr(4): Avoid some overflow issues.
panic: sockaddr_copy: source too long, NUM < NUM bytes 2 C 9 1142d 1150d 3/3 1140d 4813aab66c53 atalk(4): Don't let userland control sa_len when adding addresses.
ASan: Unauthorized Access in ifreq_setaddr (2) -1 7 1140d 1166d 3/3 1140d 4813aab66c53 atalk(4): Don't let userland control sa_len when adding addresses.
MSan: Uninitialized Memory in ifreq_setaddr -1 C 8 1141d 1150d 3/3 1140d 4813aab66c53 atalk(4): Don't let userland control sa_len when adding addresses.
ASan: Unauthorized Access in sockaddr_dup -1 C 3 1146d 1149d 3/3 1140d 4813aab66c53 atalk(4): Don't let userland control sa_len when adding addresses.
MSan: Uninitialized Memory in sin_print -1 C 4 1166d 1182d 3/3 1140d d425b16c66a5 sockaddr_alloc(9): Avoid uninitialized buffer in sockaddr_checklen.
assert failed: sa->sa_len <= sizeof(ifr.ifr_ifru) -1 C 10 1141d 1147d 3/3 1140d 4813aab66c53 atalk(4): Don't let userland control sa_len when adding addresses.
ASan: Unauthorized Access in sat_print -1 C 10 1141d 1162d 3/3 1140d 4813aab66c53 atalk(4): Don't let userland control sa_len when adding addresses.
netbsd boot error: ASan: Unauthorized Access in evcnt_attach_dynamic -1 33 1147d 1148d 3/3 1142d 317ef74dd360 vioif(4): fix wrong memory allocation size
netbsd boot error: assert failed: len <= map->dm_mapsize - offset (2) -1 135 1142d 1145d 3/3 1142d 31edf7b5b57e virtio(4): Fix sizing of virtqueue allocation.
netbsd boot error: page fault in virtio_free_vq -1 27 1146d 1148d 3/3 1142d a66d32465828 Added check of pointer for allocated memory before release of resource
panic: kernel debugging assertion "off + len <= m_length(m0)" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kernel 2 syz 5 1151d 1169d 3/3 1149d 4ae0945c2b68 in6: make sure a user-specified checksum field is within a packet
panic: kernel debugging assertion "off + len <= m_length(m0)" failed: file "/syzkaller/managers/ci2-netbsd/kernel/sys/ke 2 syz 1 1151d 1151d 3/3 1149d 4ae0945c2b68 in6: make sure a user-specified checksum field is within a packet
panic: kernel debugging assertion "off + len <= m_length(m0)" failed: file "/syzkaller/managers/ci2-netbsd-kmsan/kernel/ 2 syz 3 1151d 1169d 3/3 1149d 4ae0945c2b68 in6: make sure a user-specified checksum field is within a packet
assert failed: fmi->fmi_mount->mnt_lower == NULL -1 C 5 1191d 1200d 3/3 1185d af759f02178d When mounting a union file system set its lower mount only on success.
assert failed: size > NUM -1 C 4 1218d 1218d 3/3 1216d 9e1aa1e4ed1b It is not sufficient to have a comment /* Sanity check the size. */, also check the size is greater than zero and a multiple of DEV_BSIZE.
protection fault in __asan_load4 -1 C 3 1304d 1457d 3/3 1239d 238664abb5cc ppp: remove ioctls that never worked and crash the kernel
page fault in __asan_load4 (3) -1 C 64 1254d 1409d 3/3 1239d 238664abb5cc ppp: remove ioctls that never worked and crash the kernel
page fault in ppptioctl -1 C 6 1293d 1398d 3/3 1239d 238664abb5cc ppp: remove ioctls that never worked and crash the kernel
protection fault in ppptioctl -1 C 3 1265d 1456d 3/3 1239d 238664abb5cc ppp: remove ioctls that never worked and crash the kernel
UBSan: Undefined Behavior in ppptioctl -1 C 9 1251d 1398d 3/3 1239d 238664abb5cc ppp: remove ioctls that never worked and crash the kernel
assert failed: bp->b_vp == vp -1 C 125 1241d 1961d 3/3 1240d 1f3bc2830b81 swap: disallow user opens of swap block device
panic: dead fs operation used (2) 2 C 8 1250d 1260d 3/3 1249d 85cb97f0d716 Harden layered file systems usage of field "mnt_lower" against forced unmounts of the lower layer.
page fault in VFS_STATVFS -1 syz 1 1257d 1257d 3/3 1249d 85cb97f0d716 Harden layered file systems usage of field "mnt_lower" against forced unmounts of the lower layer.
UBSan: Undefined Behavior in ip_ctloutput -1 C 22 1290d 1294d 3/3 1263d 74557efd80ae tcp: restore NULL check for inp in tcp_ctloutput
page fault in ip_ctloutput -1 C 18 1291d 1293d 3/3 1263d 74557efd80ae tcp: restore NULL check for inp in tcp_ctloutput
UBSan: Undefined Behavior in tcp_bind_wrapper -1 C 8 1291d 1294d 3/3 1263d 443b5cdb2251 tcp: restore NULL checks for inp
UBSan: Undefined Behavior in tcp_shutdown_wrapper -1 C 45 1290d 1294d 3/3 1263d 443b5cdb2251 tcp: restore NULL checks for inp
page fault in tcp_bind_wrapper -1 C 9 1292d 1294d 3/3 1263d 443b5cdb2251 tcp: restore NULL checks for inp
page fault in tcp_recvoob_wrapper -1 C 23 1290d 1294d 3/3 1263d 443b5cdb2251 tcp: restore NULL checks for inp
page fault in tcp_sockaddr_wrapper -1 C 32 1290d 1293d 3/3 1263d 443b5cdb2251 tcp: restore NULL checks for inp
UBSan: Undefined Behavior in ip6_ctloutput -1 C 5 1291d 1293d 3/3 1263d 74557efd80ae tcp: restore NULL check for inp in tcp_ctloutput
page fault in ip_setmoptions -1 C 2 1293d 1293d 3/3 1263d 74557efd80ae tcp: restore NULL check for inp in tcp_ctloutput
page fault in ip6_ctloutput -1 C 4 1291d 1293d 3/3 1263d 74557efd80ae tcp: restore NULL check for inp in tcp_ctloutput
UBSan: Undefined Behavior in tcp_listen_wrapper -1 C 15 1290d 1294d 3/3 1263d 443b5cdb2251 tcp: restore NULL checks for inp
UBSan: Undefined Behavior in tcp_connect_wrapper -1 C 23 1291d 1294d 3/3 1263d 443b5cdb2251 tcp: restore NULL checks for inp
UBSan: Undefined Behavior in tcp_recvoob_wrapper -1 C 26 1290d 1294d 3/3 1263d 443b5cdb2251 tcp: restore NULL checks for inp
UBSan: Undefined Behavior in tcp_sockaddr_wrapper -1 C 25 1290d 1294d 3/3 1263d 443b5cdb2251 tcp: restore NULL checks for inp
page fault in tcp_connect_wrapper -1 C 18 1290d 1293d 3/3 1263d 443b5cdb2251 tcp: restore NULL checks for inp
page fault in tcp_listen_wrapper -1 C 17 1290d 1293d 3/3 1263d 443b5cdb2251 tcp: restore NULL checks for inp
page fault in tcp_shutdown_wrapper -1 C 36 1290d 1293d 3/3 1263d 443b5cdb2251 tcp: restore NULL checks for inp
UBSan: Undefined Behavior in lf_advlock (3) -1 C 2 1287d 1287d 3/3 1263d 1a4aa843e5ad kern/vfs_lockf.c: Parenthesize to make arithmetic match check.
assert failed: !topdown || hint <= orig_hint -1 C 474 1266d 1439d 3/3 1266d 4d78161c33fb mmap(2): Avoid arithmetic overflow in search for free space.
page fault in umap_bypass -1 C 9 1269d 1275d 3/3 1267d db9cd5dd3e78 When testing whiteout support on the underlying file system union_mount() should not use a NULL componentname as not all file systems can handle it.
UBSan: Undefined behavior (7) -1 1 1274d 1274d 3/3 1267d db9cd5dd3e78 When testing whiteout support on the underlying file system union_mount() should not use a NULL componentname as not all file systems can handle it.
UBSan: Undefined Behavior in umap_bypass -1 C 30 1268d 1275d 3/3 1267d db9cd5dd3e78 When testing whiteout support on the underlying file system union_mount() should not use a NULL componentname as not all file systems can handle it.
assert failed: fstrans_is_owner(mp) (2) -1 C 3 1298d 1298d 3/3 1280d aac0938bfe9c Tmpfs_mount() uses tmpfs_unmount() for cleanup if set_statvfs_info() fails. This will not work as tmpfs_unmount() needs a suspended file system.
UBSan: Undefined Behavior in quota1_handle_cmd_get -1 C 2 1331d 1331d 3/3 1330d d111e83da20a compat_50_quota: reject invalid quota id types.
UBSan: Undefined Behavior in bpf_ioctl (2) -1 C 2 1350d 1350d 3/3 1349d 5e84044ef5a3 bpf(4): Reject bogus timeout values before arithmetic overflows.
page fault in raidioctl -1 1 1356d 1356d 3/3 1355d 8c026762c3a1 RAIDframe must be initialized for the RAIDFRAME_SET_LAST_UNIT and RAIDFRAME_SHUTDOWN ioctls.
assert failed: (l = dev->dv_detaching) == curlwp -1 C 2 1359d 1359d 3/3 1357d e7c9fe41a3a1 audio(4): Fix bug in detaching audio16 and beyond.
UBSan: Undefined Behavior in config_detach_commit -1 C 13 1358d 1369d 3/3 1357d e7c9fe41a3a1 audio(4): Fix bug in detaching audio16 and beyond.
panic: netbsd:vpanic+0x282 2 1 1377d 1377d 3/3 1357d e7c9fe41a3a1 audio(4): Fix bug in detaching audio16 and beyond.
page fault in __asan_load8 (6) -1 C 23 1358d 1397d 3/3 1357d e7c9fe41a3a1 audio(4): Fix bug in detaching audio16 and beyond.
page fault in config_detach_commit -1 C 8 1359d 1369d 3/3 1357d e7c9fe41a3a1 audio(4): Fix bug in detaching audio16 and beyond.
assert failed: dev->dv_detaching == curlwp -1 C 236 1370d 1485d 3/3 1357d e7c9fe41a3a1 audio(4): Fix bug in detaching audio16 and beyond.
assert failed: kpreempt_disabled() (2) -1 syz 4 1366d 1367d 3/3 1360d 1e8b246aa870 KERNEL_LOCK(9): Need kpreempt_disable to ipi_send, oops.
assert failed: curcpu() != ci -1 C 1 1366d 1366d 3/3 1365d e94ab9ad30fc KERNEL_LOCK(9): Record kernel lock holder in fast path too.
assert failed: lktype != LK_NONE -1 C 8 1488d 1488d 3/3 1368d Fix mistake in error branch locking caused by previous changes. vput(vp) also unlocks vp, thus unlocking happens twice in error flow causing kernel to panic with failed assertion lktype != LK_NONE in vfs_vnode.c#778. Thanks riastradh with finding the issue.
assert failed: sn->sn_opencnt -1 18 1376d 1473d 3/3 1370d 2ab99543441b specfs: Refuse to open a closing-in-progress block device.
MSan: Uninitialized Memory in rum_attach -1 syz 2 1371d 1371d 3/3 1370d 3259e3c92306 rum(4): Avoid uninitialized garbage in failed register read.
assert failed: sd->sd_closing -1 C 20 1402d 1489d 3/3 1370d 2ab99543441b specfs: Refuse to open a closing-in-progress block device.
assert failed: !fmi->fmi_gone -1 C 3 1393d 1393d 3/3 1372d 3221343e60bf Finish previous, evaluate the lowest mount on first access to "struct mount_info" and store it here so we no longer derefence the "struct mount" from fstrans_alloc_lwp_info().
page fault in vrefcnt -1 syz 2 1376d 1376d 3/3 1372d 440d02956565 raidframe: reject invalid values for numCol and numSpares
MSan: Uninitialized Memory in rf_UnconfigureVnodes -1 syz 5 1376d 1378d 3/3 1372d 440d02956565 raidframe: reject invalid values for numCol and numSpares
ASan: Unauthorized Access in rf_UnconfigureVnodes -1 syz 8 1376d 1378d 3/3 1372d 440d02956565 raidframe: reject invalid values for numCol and numSpares
panic: kmem_free(ADDR, NUM) != allocated size NUM; overwrote? 2 C 3 1381d 1381d 3/3 1372d bd3b97511997 ptyfs: Don't copy out cookies past end of buffer.
UBSan: Undefined Behavior in vrefcnt -1 syz 5 1376d 1378d 3/3 1372d 440d02956565 raidframe: reject invalid values for numCol and numSpares
UBSan: Undefined Behavior in sys_rasctl (2) -1 C 4 1374d 1375d 3/3 1374d 9bb32e73c033 rasctl(2): Avoid arithmetic overflow.
panic: mutex_destroy,NUM: uninitialized lock (lock=ADDR, from=ADDR) (4) 2 C 4 1376d 1376d 3/3 1375d 388438075058 uirda(4): Unconditionally initializes mutexes and selq on attach.
netbsd boot error: panic: pmap_get_physpage: out of memory -1 51 1377d 1380d 3/3 1377d 1369379d4106 allow KMSAN to work again by restoring the limiting of kva even with NKMEMPAGES_MAX_UNLIMITED. we used to limit kva to 1/8 of physmem but limiting to 1/4 should be enough, and 1/4 still gives the kernel enough kva to map all of the RAM that KMSAN has not stolen.
UBSan: Undefined Behavior in sys_rasctl -1 C 10 1377d 1380d 3/3 1377d ab293a4a7778 rasctl(2): Avoid overflow in address range arithmetic.
ASan: Unauthorized Access in _prop_object_internalize_context_alloc -1 C 6 1379d 1380d 3/3 1377d efe5c7855eb5 proplib: Don't run off end of buffer with memcmp.
panic: ASan: Unauthorized Access In ADDR: Addr ADDR [NUM bytes, write, MallocRedZone] 2 C 1 1381d 1381d 3/3 1377d bd3b97511997 ptyfs: Don't copy out cookies past end of buffer.
UBSan: Undefined Behavior in lf_advlock (2) -1 C 2 1380d 1381d 3/3 1377d c176bd8b3461 kern/vfs_lockf.c: Fix overflow in overflow detection.
UBSan: Undefined Behavior in physio.cold -1 C 2 1895d 1895d 3/3 1403d c02dc4be552e physio(9): Avoid left shift of negative in alignment check.
assert failed: l->l_lid == pls->pl_lwpid -1 C 133 1404d 2183d 3/3 1403d 3f5ac2f440aa ptrace(PT_LWPSTATUS): Fix lid=0 case.
UBSan: Undefined Behavior in compat_43_ttioctl.cold (2) -1 C 119 1405d 1994d 3/3 1403d 1ee0fc7f9c22 tty_43: Do unsigned arithmetic to avoid shift into sign bits.
UBSan: Undefined Behavior in cpuctl_ioctl.cold -1 C 44 1406d 1876d 3/3 1404d 72a9875cfdda cpuio.h: Use uint8_t, not bool.
UBSan: Undefined Behavior in tty_get_qsize.cold.5 -1 C 63 2071d 2086d 3/3 1404d ad11505eeb84 tty: Avoid undefined behaviour (left shift of 1 by 31 places overflows int)
UBSan: Undefined Behavior in compat_43_ttioctl.cold.0 -1 C 122 2070d 2132d 3/3 1404d c32467e14928 tty_43: Check a bitset from userspace is valid before shifting it
assert failed: fli != NULL && !fli->fli_mountinfo->fmi_gone -1 C 4 1890d 1890d 3/3 1405d 42ef1506f14b While one thread runs vgone() it is possible for another thread to grab a "v_mount" that will be freed before it uses this mount for fstrans_start().
panic: dead fs operation used 2 C 109 1408d 1999d 3/3 1405d 4c6398a93d72 Make dead vfs ops "vfs_statvfs" and "vfs_vptofh" return EOPNOTSUPP. Both operations may originate from (possible dead) vnodes.
page fault in __asan_load8 (5) -1 C 2 1407d 1407d 3/3 1406d 98368ce402c5 ifioctl(9): Don't touch ifconf or ifreq until command is validated.
page fault in compat_ifconf -1 C 1 1407d 1407d 3/3 1406d 98368ce402c5 ifioctl(9): Don't touch ifconf or ifreq until command is validated.
UBSan: Undefined Behavior in compat_ifconf -1 C 37 1407d 1612d 3/3 1406d 98368ce402c5 ifioctl(9): Don't touch ifconf or ifreq until command is validated.
UBSan: Undefined Behavior in udv_attach -1 C 2 1408d 1409d 3/3 1408d 583a8e6e3a6f mmap(2): Prohibit overflowing offsets for non-D_NEGOFFSAFE devices.
MSan: Uninitialized Memory in pppioctl -1 C 3 1448d 1471d 3/3 1408d 59e62decad23 net/if_ppp.c: Avoid user-controlled overrun in PPPIOCSCOMPRESS.
MSan: Uninitialized Memory in ifq_enqueue (2) -1 C 6 1439d 1610d 3/3 1412d 311083ee523b sendto(2), recvfrom(2): Scrub internal struct msghdr on stack.
UBSan: Undefined Behavior in settime1.constprop.5 -1 C 6 2070d 2170d 3/3 1412d d5c20c2f7d03 kern_time: prevent the system clock from being set too low or high
page fault in __asan_store1 -1 C 23 1778d 1779d 3/3 1412d 6cfadad833d3 Improve Christos's vn_open fix.
UBSan: Undefined Behavior in route_filter -1 C 3 1413d 1413d 3/3 1412d 54579f919bf1 route(4): Use m_copydata, not misaligned mtod struct access.
UBSan: Undefined Behavior in lf_advlock -1 C 138 1415d 2176d 3/3 1413d 3ca83894cccd vfs(9): Avoid arithmetic overflow in lf_advlock.
assert failed: p != NULL (2) -1 C 5 1433d 1433d 3/3 1413d ee077f1ff323 uvideo(4): Make alloc logic match free logic.
MSan: Uninitialized Memory in comintr (2) -1 syz 3 1452d 1455d 3/3 1413d 501a519f2746 ktrace(9): Zero-initialize padding for ktr_psig records.
panic: mutex_destroy,NUM: uninitialized lock (lock=ADDR, from=ADDR) (3) 2 C 4 1414d 1414d 3/3 1413d 1595c1ec759c upgt(4): Make upgt_free_cmd match upgt_alloc_cmd.
panic: LOCKDEBUG: Mutex error: mi_userret,116: sleep lock held 2 C 704 1413d 2053d 3/3 1413d 5d4501959988 sequencer(4): Fix lock leak in ioctl(FIOASYNC).
assert failed: (!cpu_intr_p() && !cpu_softintr_p()) || (pc->pc_pool.pr_ipl != IPL_NONE || cold || panicstr != NULL) -1 C 5398 1414d 1662d 3/3 1414d 9b17a1de3d64 ktrace(9): Fix mutex detection in ktrcsw. 7baa9e8e9079 sleepq(9): Pass syncobj through to sleepq_block.
panic: vfs load failed for `compat_12', error NUM (2) 2 1 1489d 1489d 3/3 1414d 9b17a1de3d64 ktrace(9): Fix mutex detection in ktrcsw.
UBSan: Undefined Behavior in compat_50_route_output (2) -1 C 3 1414d 1414d 3/3 1414d 0ac8a4883e80 route(4): Avoid unaligned access to struct rt_msghdr, take two.
assert failed: usp->tv_nsec >= NUM -1 C 31 1414d 1415d 3/3 1414d 85232e61d86a recvmmsg(2): More timespec validation.
assert failed: usp->tv_nsec < ADDRL -1 C 79 1414d 1415d 3/3 1414d 85232e61d86a recvmmsg(2): More timespec validation.
panic: ernel diagnostic assertion "(!cpu_intr_p() && !cpu_softintr_p()) || (pc->pc_pool.pr_ipl != IPL_NONE || cold || pa 2 1 1488d 1488d 3/3 1414d 9b17a1de3d64 ktrace(9): Fix mutex detection in ktrcsw.
page fault in rf_fail_disk -1 C 1 1417d 1417d 3/3 1415d cb9f2873bc80 RAIDframe must be initialized for the RAIDFRAME_FAIL_DISK80 ioctl.
page fault in uaudio_attach -1 C 3 1603d 1604d 3/3 1415d fccfc6a75979 Fix a null-deref
assert failed: pipe != NULL -1 C 5 1608d 1968d 3/3 1415d 04d39af408ac umidi(4): Fix fencepost in error branch.
panic: tcp_output: no template 2 C 5612 1417d 2634d 3/3 1415d 9515e062613e tcp(4): Bail early on sendoob if not connected.
assert failed: tp->t_oproc != NULL -1 C 3 1430d 1430d 3/3 1415d 332204ac46c2 remove KASSERT() checking for t_oproc at open since assigning this line discipline to a pty may not have that set. Instead do a runtime check to ensure that the function exists before calling it, as ttstart() handles it.
UBSan: Undefined Behavior in rf_fail_disk -1 C 2 1417d 1417d 3/3 1415d cb9f2873bc80 RAIDframe must be initialized for the RAIDFRAME_FAIL_DISK80 ioctl.
UBSan: Undefined Behavior in gettimeleft -1 C 20 1422d 1885d 3/3 1415d eaf33ef422b2 kern: Avoid arithmetic overflow in gettimeleft.
UBSan: Undefined Behavior in sys_recvmmsg -1 C 491 1417d 2105d 3/3 1415d f068c6af2cca recvmmsg(2): Avoid arithmetic overflow in timeout calculations.
ASan: Unauthorized Access in ktr_kuser -1 C 23 1425d 1661d 3/3 1416d c3bf6f9596ea sendmsg(2): Avoid buffer overrun in ktrace of invalid cmsghdr.
UBSan: Undefined Behavior in ts2timo (3) -1 C 16 1418d 1519d 3/3 1417d 54baa6cf231f kern: Use timespecsubok in ts2timo.
assert failed: requested_size > NUM -1 C 7 1419d 1442d 3/3 1417d 2b1f9e508ead umcs(4): Reject invalid interrupt endpoints.
UBSan: Undefined Behavior in dosetitimer.part.NUM -1 C 147 1418d 1540d 3/3 1417d 36bb851c524a setitimer(2): Guard against overflow in arithmetic.
UBSan: Undefined behavior (5) -1 1 1434d 1434d 3/3 1417d 8ebaf25c4728 route(4): Avoid unaligned access to struct rt_msghdr.
assert failed: ci != NULL -1 C 4 1447d 1447d 3/3 1417d ff733a254dd9 opencrypto(9): Fix missing initialization in error branch.
panic: mutex_destroy,NUM: uninitialized lock (lock=ADDR, from=ADDR) (2) 2 C 8 1417d 1453d 3/3 1417d 9bef90fe6e34 emdtv(4): More attach/detach bugs.
UBSan: Undefined Behavior in itimer_callout -1 C 6 1425d 1480d 3/3 1417d 2699443359f1 setitimer(2): Avoid arithmetic overflow in periodic bookkeeping.
UBSan: Undefined Behavior in uao_detach -1 2 1486d 1486d 3/3 1485d 3e14ad04ec73 Revert "mmap(2): If we fail with a hint, try again without it."
ASan: Unauthorized Access in uvm_unmap_detach -1 C 7 1486d 1486d 3/3 1485d 3e14ad04ec73 Revert "mmap(2): If we fail with a hint, try again without it."
page fault in udv_detach -1 1 1486d 1486d 3/3 1485d 3e14ad04ec73 Revert "mmap(2): If we fail with a hint, try again without it."
panic: vrelel: bad ref count 2 C 2 1485d 1486d 3/3 1485d 3e14ad04ec73 Revert "mmap(2): If we fail with a hint, try again without it."
ASan: Unauthorized Access in uao_reference -1 1 1486d 1486d 3/3 1485d 3e14ad04ec73 Revert "mmap(2): If we fail with a hint, try again without it."
assert failed: (use & VUSECOUNT_MASK) > NUM -1 C 22 1485d 1486d 3/3 1485d 3e14ad04ec73 Revert "mmap(2): If we fail with a hint, try again without it."
page fault in uvm_mmap -1 1 1486d 1486d 3/3 1485d 3e14ad04ec73 Revert "mmap(2): If we fail with a hint, try again without it."
panic: [ NUM.ADDR] vpanic() at netbsd:vpanic+0x2f2 2 1 1486d 1486d 3/3 1485d 3e14ad04ec73 Revert "mmap(2): If we fail with a hint, try again without it."
ASan: Unauthorized Access in audio_track_set_format -1 1 1489d 1489d 3/3 1485d 2348e3fa2200 audio(4): Wait for opens to drain in detach.
assert failed: VOP_ISLOCKED(vp) == LK_EXCLUSIVE -1 C 73 1489d 1489d 3/3 1486d 7f28edca2400 sequencer(4): VOP_CLOSE requires vnode lock.
UBSan: Undefined Behavior in rnd_detach_source -1 C 9 1586d 1586d 3/3 1486d 89f519024a36 ucom(4): Make sure rndsource is attached before use and detach.
panic: spkr1 at audio1kernel diagnostic assertion "(target->prt_class == class)" failed: file "/syzkaller/managers/ci2-n 2 1 1506d 1506d 3/3 1486d 65a628cc3991 audio(4): Use d_cfdriver/devtounit to avoid open/detach races.
ASan: Unauthorized Access in uvideo_attach -1 1 1567d 1567d 3/3 1486d 0207ad5e9c01 uvideo(4): Parse descriptors more robustly.
netbsd boot error: fault in supervisor mode -1 9 1503d 1503d 3/3 1486d e86caeaead15 cgd(4): Omit technically-correct-but-broken adiantum dependency again.
netbsd boot error: assert failed: locks == curcpu()->ci_biglock_count -1 2 1506d 1506d 3/3 1486d a2bbd8e60824 Revert "kern: Sprinkle biglock-slippage assertions."
netbsd boot error: UBSan: Undefined Behavior in node_insert -1 1 1506d 1506d 3/3 1486d 0916fe48b6c1 thmap(9): Handle memory allocation failure in root_try_put.
netbsd boot error: assert failed: ci->ci_ilevel <= IPL_VM -1 18 1504d 1504d 3/3 1486d 22a2be59f9a4 cgd(4): Remove recently added dependency on adiantum.
MSan: Uninitialized Memory in umcs7840_attach -1 C 5 1486d 1488d 3/3 1486d d67e9a1cf03e umcs(4): Avoid using uninitialized data if register read fails.
netbsd boot error: assert failed: curlwp->l_pflag & LP_BOUND -1 36 1512d 1512d 3/3 1486d 517fa18875c3 entropy(9): Call entropy_softintr while bound to CPU.
netbsd boot error: MSan: Uninitialized Memory in bus_dmamap_sync -1 177 1559d 1567d 3/3 1504d 9fdc83c65c2c Initialize "replun" -- found with KMSAN.
ASan: Unauthorized Access in umidi_attach -1 C 69 1518d 2145d 3/3 1516d 4d8f12e265c1 umidi(4): Parse descriptors a little more robustly.
ASan: Unauthorized Access in usbd_get_no_alts -1 C 4 1603d 1879d 3/3 1516d 4fc17b686835 usbdi(9): Fix usbd_get_no_alts.
assert failed: filter->bf_insn != NULL -1 C 114 1522d 2100d 3/3 1520d b90f3afc19bc bpf(4): Handle null bf_insn on free.
UBSan: Undefined Behavior in do_posix_fadvise -1 1 1521d 1521d 3/3 1520d 841c8d016803 posix_fadvise(2): Detect arithmetic overflow without UB.
assert failed: fvp != tvp -1 C 11 1667d 1667d 3/3 1520d Don't use genfs_rename_knote() in the "rename foo over hard-link to itself" case, which simply results in removing the "from" name; there are assertions in genfs_rename_knote() that are too strong for that case.
assert failed: !(timo == NUM && intr == false) -1 C 4 1671d 1671d 3/3 1520d - microtime -> microuptime - avoid kpause with timeo=0
assert failed: kpreempt_disabled() -1 C 12 1521d 1522d 3/3 1521d 9529bac45e11 tun(4): Fix bug introduced in previous locking change.
assert failed: requested_size > 0 (2) -1 C 20 1603d 1967d 3/3 1521d 8d83d79bc57a umidi(4): Bail early if no endpoints.
panic: ugen0 at uhub3kernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd-kmsan/kernel/ 2 1 1528d 1528d 3/3 1521d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
assert failed: pb->pb_pathcopyuses == NUM -1 C 3 1592d 1592d 3/3 1521d 5a9cf8fcf6e0 ccd(4): Only pathbuf_destroy if pathbuf_copyin succeeded.
assert failed: maxblksize > NUM -1 C 4 1572d 1588d 3/3 1521d 5bdcc4fe2017 pad(4): Do harmless, not harmful, integer truncation.
panic: pad3: outputs: 44100Hz, NUM-bit, stereo 2 C 1 1588d 1588d 3/3 1521d 5bdcc4fe2017 pad(4): Do harmless, not harmful, integer truncation.
panic: audio0: detached 2 1 1572d 1572d 3/3 1521d 5bdcc4fe2017 pad(4): Do harmless, not harmful, integer truncation.
UBSan: Undefined Behavior in vn_open -1 C 34 1778d 1779d 3/3 1521d PR/56286: Martin Husemann: Fix NULL deref on kmod load. - No need to set ret_domove and ret_fd in the regular case, they are meaningless - KASSERT instead of setting errno and then doing the NULL deref.
UBSan: Undefined Behavior in sys_lseek -1 C 2 2060d 2060d 3/3 1521d c7cd46af4347 vfs(9): Avoid arithmetic overflow in vn_seek.
assert failed: pb->pb_pathcopy == NULL -1 C 2 1592d 1592d 3/3 1521d 5a9cf8fcf6e0 ccd(4): Only pathbuf_destroy if pathbuf_copyin succeeded.
panic: cdce0: could not find data bulk in 2 syz 2 1607d 1607d 3/3 1521d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
assert failed: KERNEL_LOCKED_P() -1 C 32 1796d 1796d 3/3 1521d ea2ec439285b autoconf(9): Take kernel lock in a few entry points.
panic: uhidev0: no report descriptor 2 syz 18 1532d 2132d 3/3 1521d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
assert failed: ret == 0 -1 C 6950 1523d 2141d 3/3 1521d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: _bpfattach: out of memory (2) 2 3 1584d 1586d 3/3 1521d 6583daf00fe7 bpf(4): Nix KM_NOSLEEP and prune dead branch.
panic: vfs load failed for `compat_12', error NUM 2 1 1554d 1554d 3/3 1521d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
assert failed: un->un_ops->uno_init -1 C 72 1531d 1533d 3/3 1521d ee8fc1216476 usbnet(9): uno_init is now optional.
panic: port NUM (addr NUM) disconnected 2 2 1560d 1588d 3/3 1521d 5ee164d90cec tun(4): Reduce lock from IPL_NET to IPL_SOFTNET.
panic: LOCKDEBUG: Mutex error: mutex_vector_enter,517: spin lock held 2 C 3 1767d 1767d 3/3 1522d 5ee164d90cec tun(4): Reduce lock from IPL_NET to IPL_SOFTNET.
panic: LOCKDEBUG: Mutex error: mutex_vector_enter,516: spin lock held (2) 2 C 1221 1522d 2149d 3/3 1522d 5ee164d90cec tun(4): Reduce lock from IPL_NET to IPL_SOFTNET.
UBSan: Undefined Behavior in ntp_adjtime1.cold -1 syz 17 1538d 1572d 3/3 1522d 2daa45d976fc ntp(9): Avoid left shift of negative.
panic: mutex_destroy,NUM: uninitialized lock (lock=ADDR, from=ADDR) 2 C 16 1558d 1610d 3/3 1522d 6b71feb71da5 auvitek(4): Fix i2c detach if attach failed.
ASan: Unauthorized Access in usbd_fill_iface_data (2) -1 C 44 1525d 1978d 3/3 1522d 8c8ba8c43de4 usb: Parse descriptors a little more robustly.
UBSan: Undefined Behavior in nanosleep1 -1 C 2 1524d 1524d 3/3 1522d 7b0b7a803fb0 kern: Handle clock winding back in nanosleep1 without overflow.
UBSan: Undefined Behavior in ts2timo (2) -1 C 9 1526d 1618d 3/3 1522d 98755d357962 kern: Fix fencepost error in ts2timo overflow checks.
panic: kernel debugging assertion "pserialize_not_in_read_section()" failed: file "/syzkaller/managers/ci2-netbsd-kmsan/ (2) 2 1 1538d 1538d 3/3 1522d 9ab52bf87195 kern: Fix ordering of loads for pid_table and pid_tbl_mask.
panic: todo(ADDR) > MAXPHYS; minphys broken 2 C 98 1526d 2138d 3/3 1522d de8552b00ba2 kern: Use harmless, not harmful, integer truncation in physio.
MSan: Uninitialized Memory in proc_find_lwp_unlocked (3) -1 2 1610d 1691d 3/3 1522d 9ab52bf87195 kern: Fix ordering of loads for pid_table and pid_tbl_mask.
UBSan: Undefined Behavior in ntp_adjtime1 (2) -1 syz 4 1531d 1541d 3/3 1522d 9accb05adf48 ntp(9): Clamp ntv->offset to avoid arithmetic overflow on adjtime.
UBSan: Undefined Behavior in vn_seek -1 C 3 1525d 1582d 3/3 1522d c7cd46af4347 vfs(9): Avoid arithmetic overflow in vn_seek.
panic: kernel debugging assertion "pserialize_not_in_read_section()" failed: file "/syzkaller/managers/ci2-netbsd-kubsan 2 1 1537d 1537d 3/3 1522d 9ab52bf87195 kern: Fix ordering of loads for pid_table and pid_tbl_mask.
UBSan: Undefined Behavior in ktrace_thread -1 C 74 1524d 1661d 3/3 1523d 46605d0471d3 ktrace(9): Avoid stomping over colliding KTROP_SET.
netbsd boot error: panic: kmem_intr_free: zero size with pointer ADDR -1 12 1567d 1567d 3/3 1523d e68bc10fdb5f scsi(9): Handle bogus number of LUNs in SCSI_REPORT_LUNS.
UBSan: Undefined Behavior in config_devalloc -1 C 149 1998d 2115d 3/3 1523d 625d175f6f6b autoconf(9): Refuse to consider negative unit numbers in cfdata.
panic: TAILQ_* forw ADDR /syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/kern/kern_ktrace.c:LINE 2 C 5 1580d 1614d 3/3 1523d 46605d0471d3 ktrace(9): Avoid stomping over colliding KTROP_SET.
ASan: Unauthorized Access in cryptodev_mop -1 1 1579d 1579d 3/3 1523d b943dbddef07 crypto(4): Refuse count>1 for old CIOCNCRYPTM.
panic: TAILQ_* forw ADDR /syzkaller/managers/ci2-netbsd/kernel/sys/kern/kern_ktrace.c:LINE 2 C 22 1525d 1612d 3/3 1523d 46605d0471d3 ktrace(9): Avoid stomping over colliding KTROP_SET.
ASan: Unauthorized Access in ktrace_thread -1 1 1598d 1598d 3/3 1523d 46605d0471d3 ktrace(9): Avoid stomping over colliding KTROP_SET.
MSan: Uninitialized Memory in pathbuf_destroy -1 C 3 1592d 1592d 3/3 1523d 5a9cf8fcf6e0 ccd(4): Only pathbuf_destroy if pathbuf_copyin succeeded.
panic: genfs: bad op (2) 2 C 6 1523d 1597d 3/3 1523d 0dbc06c160e9 kernfs: Just fail with EOPNOTSUPP, don't panic, on VOP_BMAP.
page fault in ktrace_thread -1 syz 82 1524d 1619d 3/3 1523d 46605d0471d3 ktrace(9): Avoid stomping over colliding KTROP_SET.
panic: : playback 2 C 1 1572d 1572d 3/3 1523d 5bdcc4fe2017 pad(4): Do harmless, not harmful, integer truncation.
panic: TAILQ_PREREMOVE head ADDR elm ADDR /syzkaller/managers/ci2-netbsd/kernel/sys/kern/kern_ktrace.c:LINE 2 C 56 1523d 1661d 3/3 1523d 46605d0471d3 ktrace(9): Avoid stomping over colliding KTROP_SET.
panic: TAILQ_PREREMOVE head ADDR elm ADDR /syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/kern/kern_ktrace.c:LINE 2 syz 16 1524d 1655d 3/3 1523d 46605d0471d3 ktrace(9): Avoid stomping over colliding KTROP_SET.
UBSan: Undefined Behavior in adjtime1 -1 C 16 1524d 1567d 3/3 1523d 9ce97ae81c62 kern: Clamp time_adjtime to avoid overflow.
panic: TAILQ_PREREMOVE head ADDR elm ADDR /syzkaller/managers/ci2-netbsd/kernel/sys/kern/kern_ktrace.c:LINEuhub5: device 2 1 1594d 1594d 3/3 1523d 46605d0471d3 ktrace(9): Avoid stomping over colliding KTROP_SET.
MSan: Uninitialized Memory in emdtv_i2c_exec -1 C 5 1973d 1974d 3/3 1523d 6dc364f9e2c2 emdtv(4): If register read fails, read as all zero.
MSan: Uninitialized Memory in ktrace_thread -1 C 450 1524d 1662d 3/3 1523d 46605d0471d3 ktrace(9): Avoid stomping over colliding KTROP_SET.
panic: uhidev0: (0x0000) syz (0x0000), rev NUM.NUM/NUM.NUM, addr NUM, iclass NUM/NUM 2 1 1568d 1568d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: l diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/dev/usb/vhci.c 2 1 1599d 1599d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: ugen0: setting configuration index NUM failed 2 2 1572d 1614d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: urtwn0: failed to set configuration, err=IOERROR 2 1 1570d 1570d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: uhidev0: detached 2 3 1534d 1597d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: uhub5: device problem, disabling port NUM 2 6 1525d 1609d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: cdce0: faking address 2 1 1543d 1543d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
UBSan: Undefined Behavior in compat_30_sys_getdents -1 C 3 1527d 1527d 3/3 1523d 8d388c5e20ee compat_30: Avoid what might be technically undefined behaviour.
panic: port NUM configuration NUM interface 0kernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers 2 syz 1 1587d 1587d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: device problem, disabling port NUM 2 1 1591d 1591d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: cdce0: detached 2 1 1534d 1534d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: uhidev0: no input interrupt endpoint 2 C 6 1579d 1612d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: uhub4: device problem, disabling port NUM 2 7 1542d 1612d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: "/syzkaller/managers/ci2-netbsd/kernel/sys/dev/usb/vhci.c", line NUM 2 1 1595d 1595d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: uhub3: device problem, disabling port NUM 2 6 1533d 1600d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: (addr NUM) disconnected 2 1 1536d 1536d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: uhub0: device problem, disabling port NUM 2 8 1524d 1597d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: urtwn0: failed to set configuration, err=TIMEOUT 2 1 1604d 1604d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: [ NUM.ADDR] vpanic() at netbsd:vpanic+0x2d0 2 6 1528d 1683d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: ernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/dev/usb/vh 2 4 1536d 1646d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: uhub1: device problem, disabling port NUM 2 1 1554d 1554d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
UBSan: Undefined Behavior in bpf_ioctl -1 C 2 1557d 1557d 3/3 1523d 05192700cd5d bpf(4): Clamp read timeout to INT_MAX ticks to avoid overflow.
panic: ernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd/kernel/sys/dev/usb/vhci.c", 2 1 1587d 1587d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: [ NUM.ADDR] kernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd-kmsan/kernel/sy 2 1 1545d 1545d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: [ NUM.ADDR] vpanic() at netbsd:vpanic+0x9ec 2 2 1533d 1593d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
UBSan: Undefined Behavior in ffs_init_vnode.cold -1 C 2 1527d 1527d 3/3 1523d d8cd23d6aa6c ffs: Fix 64-bit inode integer truncation.
UBSan: Undefined Behavior in soreceive (2) -1 1 1532d 1532d 3/3 1523d 1c4297a22980 kern: m_copym(M_DONTWAIT) can fail; handle that case gracefully.
panic: ugen0 at uhub4 port 1kernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd/kernel 2 1 1584d 1584d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: [ NUM.ADDR] kernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd/kernel/sys/dev 2 2 1598d 1611d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: uhub2: device problem, disabling port NUM 2 2 1526d 1577d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: nostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/dev/usb/vhci.c", lin 2 1 1539d 1539d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: [ NUM.ADDR] kernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kernel/ 2 1 1580d 1580d 3/3 1523d 8934564b15e9 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
ASan: Unauthorized Access in psignal (2) -1 C 7 1567d 1927d 3/3 1529d e30c3d8025bf usb(4): Use atomics for usb_async_proc.
panic: kernel diagnostic assertion "searchdir != foundobj" failed: file "/syzkaller/managers/ci2-netbsd- 2 1 1581d 1581d 3/3 1553d d832c645c7cf Remove the assertion "searchdir != foundobj" from lookup_crossmount().
assert failed: searchdir != foundobj -1 C 2326 1554d 2111d 3/3 1553d d832c645c7cf Remove the assertion "searchdir != foundobj" from lookup_crossmount().
panic: [ NUM.ADDR] kernel diagnostic assertion "searchdir != foundobj" failed: file "/syzkaller/managers/ci2-netbsd-kms 2 1 1580d 1580d 3/3 1553d d832c645c7cf Remove the assertion "searchdir != foundobj" from lookup_crossmount().
panic: spkr1 at audio1kernel diagnostic assertion "searchdir != foundobj" failed: file "/syzkaller/managers/ci2-netbsd/k 2 1 1576d 1576d 3/3 1553d d832c645c7cf Remove the assertion "searchdir != foundobj" from lookup_crossmount().
panic: vfs load failed for `udf', error 2kernel diagnostic assertion "searchdir != foundobj" failed: file "/syzkaller/ma 2 1 1574d 1574d 3/3 1553d d832c645c7cf Remove the assertion "searchdir != foundobj" from lookup_crossmount().
UBSan: Undefined Behavior in ntp_adjtime1 -1 1 1560d 1560d 3/3 1558d 13b44dbbb69d kernel: Avoid arithmetic overflow in ntp_adjtime.
UBSan: Undefined behavior (3) -1 1 1614d 1614d 3/3 1613d ee532b2421c3 Use unsigned to avoid undefined behavior. Found by kUBSan.
UBSan: Undefined Behavior in usb_free_device -1 syz 1 1675d 1675d 3/3 1672d 02983654f25e Revert "usb: uhub: remove unnecessary delays when powering on ports"
page fault in __asan_load1 -1 1 1675d 1675d 3/3 1672d 02983654f25e Revert "usb: uhub: remove unnecessary delays when powering on ports"
UBSan: Undefined Behavior in pppasyncstart.cold -1 18 1699d 1721d 3/3 1689d 44b1f8a1c3ff Use unsigned to avoid undefined behavior in pppasyncstart().
panic: _uvm_mapent_check: bad entry ADDR, line 2299 2 C 2 1783d 1783d 3/3 1777d 388be8fd3b90 in uvm_mapent_forkzero(), if the old entry was an object mapping, appease a debug check by setting the new entry offset to zero along with setting the new entry object pointer to NULL.
panic: _uvm_mapent_check: bad entry ADDR, line 1704 2 C 2 1783d 1783d 3/3 1777d 388be8fd3b90 in uvm_mapent_forkzero(), if the old entry was an object mapping, appease a debug check by setting the new entry offset to zero along with setting the new entry object pointer to NULL.
panic: _uvm_mapent_check: bad entry ADDR, line 2306 2 C 37 1851d 2124d 3/3 1777d 388be8fd3b90 in uvm_mapent_forkzero(), if the old entry was an object mapping, appease a debug check by setting the new entry offset to zero along with setting the new entry object pointer to NULL.
panic: genfs: bad op 2 C 31 1855d 2071d 3/3 1780d e3beb3764561 VOP_BMAP() may be called via ioctl(FIOGETBMAP) on any vnode that applications can open. change various pseudo-fs *_bmap methods return an error instead of panic.
netbsd boot error: UBSan: Undefined Behavior in AcpiNsRootInitialize -1 120 1810d 1815d 3/3 1809d d5b984e0de7e avoid dereferencing a constant string address as a UINT32 pointer, KUBSAN complains about bad alignment.
UBSan: Undefined Behavior in ts2timo -1 C 40 1819d 2177d 3/3 1809d 6f5e84c07140 ts2timo(9): refactor TIMER_ABSTIME handling
assert failed: (cnp->cn_flags & LOCKPARENT) == 0 || searchdir == NULL || VOP_ISLOCKED(searchdir) == LK_EXCLUSIVE (2) -1 C 1614 1822d 2149d 3/3 1809d 4af96c872b34 Honor LOCKPARENT for ".." of the root directory.
UBSan: Undefined Behavior in free_pipe -1 C 6 1898d 1968d 3/3 1809d 8c601f6c5ae7 fix free_all_endpoints() to not try calling free_pipe() when no endpoints are allocated; this can happen during config_detach() after attach fails
page fault in free_all_endpoints -1 C 2 1968d 1968d 3/3 1809d 8c601f6c5ae7 fix free_all_endpoints() to not try calling free_pipe() when no endpoints are allocated; this can happen during config_detach() after attach fails
UBSan: Undefined Behavior in fss_close -1 C 3 2017d 2028d 3/3 1964d e5ad6630f80f Check the return value of device_lookup_private against NULL.
UBSan: Undefined Behavior in quota1_handle_cmd_quotaoff -1 C 22 1975d 2107d 3/3 1965d 479d6bd7aed1 Avoid potentially accessing an array with an index out of range.
UBSan: Undefined Behavior in quota1_handle_cmd_quotaon -1 C 310 1968d 2113d 3/3 1965d 479d6bd7aed1 Avoid potentially accessing an array with an index out of range.
UBSan: Undefined Behavior in fsetown -1 C 643 1966d 2150d 3/3 1966d fe22bed11b62 Avoid negating the minimum size of pid_t (this overflows).
assert failed: semcnt >= 0 -1 C 1460 1976d 2118d 3/3 1976d d1d48122addb when updating the per-uid "semcnt", decrement the counter for the uid that created the ksem, not the uid of the process freeing the ksem. fixes PR 55509.
UBSan: Undefined Behavior in dosetitimer -1 C 62 1985d 1985d 3/3 1984d 46944f1c4d5d Fix an uninitialized pointer deref introduced in rev 1.207.
assert failed: ! (2) -1 C 4 2009d 2009d 3/3 2000d 98e71a6eeb52 When validating the mount device string make sure its length is below *data_len and below PATH_MAX.
panic: Suspending fresh file system failed 2 syz 44 2002d 2036d 3/3 2001d 0b5a6352dcf7 We have to ignore interrupts when suspending here the same way we have to do with revoke.
assert failed: fstrans_is_owner(mp) -1 C 789 2003d 2111d 3/3 2003d d8a571076ba6 Suspend file system before unmounting in mount_domount() error path to prevent diagnostic assertions from unmount/flush.
panic: kernel diagnostic assertion "fstrans_is_owner(mp)" failed: file "/syzkaller/managers/netbsd-kmsan/kernel/s 2 1 2055d 2055d 3/3 2003d d8a571076ba6 Suspend file system before unmounting in mount_domount() error path to prevent diagnostic assertions from unmount/flush.
panic: [ 222.ADDR] kernel diagnostic assertion "fstrans_is_owner(mp)" failed: file "/syzkaller/managers/netbsd-kmsan/ker 2 1 2067d 2067d 3/3 2003d d8a571076ba6 Suspend file system before unmounting in mount_domount() error path to prevent diagnostic assertions from unmount/flush.
UBSan: Undefined Behavior in ttioctl -1 1 2126d 2126d 3/3 2003d bf7b939a1a2d tty: Negating INT_MIN will overflow int, bail out with EINVAL
assert failed: (length != 0 || extblocks || LIST_EMPTY(&ovp->v_cleanblkhd)) -1 C 6 2030d 2126d 3/3 2003d 9235b59ee381 Lock the vnode while calling VOP_BMAP() for FIOGETBMAP.
UBSan: Undefined behavior -1 8 2036d 2111d 3/3 2003d ad11505eeb84 tty: Avoid undefined behaviour (left shift of 1 by 31 places overflows int)
panic: kernel diagnostic assertion "fstrans_is_owner(mp)" failed: file "/syzkaller/managers/netbsd-kmsan/kernel 2 1 2057d 2057d 3/3 2003d d8a571076ba6 Suspend file system before unmounting in mount_domount() error path to prevent diagnostic assertions from unmount/flush.
panic: kernel diagnostic assertion "fstrans_is_owner(mp)" failed: file "/syzkaller/managers/netbsd-kubsan/kernel/sys/ke 2 1 2056d 2056d 3/3 2003d d8a571076ba6 Suspend file system before unmounting in mount_domount() error path to prevent diagnostic assertions from unmount/flush.
UBSan: Undefined Behavior in compat_43_ttioctl.cold -1 C 116 2005d 2060d 3/3 2003d c32467e14928 tty_43: Check a bitset from userspace is valid before shifting it
UBSan: Undefined Behavior in tty_get_qsize -1 C 19 2086d 2132d 3/3 2085d 699b2c0a0a86 Add a check to prevent shift by -1. Not really important in this case, but to appease KUBSAN.
assert failed: rb_tree_find_node(&ugenif.tree, &sc->sc_unit) == sc -1 C 8 2095d 2095d 3/3 2094d 257aaf9afb72 Fix ugen detach after partial attach.
ASan: Unauthorized Access in nvlist_copyin -1 C 2 2120d 2120d 3/3 2094d 17ffbcbdab9a Add missing cases, to prevent memory corruption.
assert failed: 0 <= space && space <= ifc->ifc_len -1 C 4 2129d 2129d 3/3 2127d 0be10c48cf6f Don't accept negative value.
page fault in statvfs_to_statfs12_copy -1 C 5 2147d 2147d 3/3 2147d f2af77cb3adc Yet another idiotic compat syscall that was developed with literally zero test made. Simply invoking this syscall with _valid parameters_ triggers a fatal fault, because the kernel tries to write to userland addresses.
page fault in usbd_add_drv_event -1 C 2 2148d 2148d 3/3 2147d 6cac1dde29fb Fix NULL deref on attach failure. Found via vHCI fuzzing.
UBSan: Undefined Behavior in pipe_ioctl -1 C 1 2149d 2149d 3/3 2147d 60b6b2cd7463 Fix NULL deref. The original code before Jaromir's cleanup had an #ifndef block that wrongly contained the 'else' statement, causing the NULL check to have no effect.
ASan: Unauthorized Access in m_copydata -1 C 1 2150d 2150d 3/3 2149d 305ae8585db2 Ensure sockaddrs have valid lengths for RO_MISSFILTER.
assert failed: (cnp->cn_flags & LOCKPARENT) == 0 || searchdir == NULL || VOP_ISLOCKED(searchdir) == LK_EXCLUSIVE -1 C 2815 2150d 2198d 3/3 2150d 3e5fbb6583a3 remove special handling for symbolic links for COMPAT_43 lstat, it's not necessary; this removes the only places in kernel which did namei LOOKUP with LOCKPARENT
UBSan: Undefined Behavior in tunwrite -1 C 5 2151d 2151d 3/3 2150d 521e747162a6 Hum. Fix NULL deref triggerable with just write(0).
assert failed: p != NULL -1 1 2249d 2249d 3/3 2166d 3c214a3d995e Fix bohr bug triggered only once by syzkaller 2,5 months ago.
UBSan: Undefined Behavior in db_read_bytes -1 1 2170d 2170d 3/3 2168d 0f48bfb53e25 If the frame is not aligned, leave right away. This place probably needs to be revisited, because %rbp could easily contain garbage.
netbsd boot error: MSan: Uninitialized Memory in pmap_ctor -1 60 2173d 2177d 3/3 2172d 248fe10b7a27 Reported-by: syzbot+6dd5a230d19f0cbc7814@syzkaller.appspotmail.com
panic: LOCKDEBUG: Mutex error: mutex_vector_enter,516: spin lock held 2 C 95 2173d 2192d 3/3 2172d 134b16ca64ab Reported-by: syzbot+c1770938bb3fa7c085f2@syzkaller.appspotmail.com Reported-by: syzbot+ae26209c7d7f06e0b29f@syzkaller.appspotmail.com
ASan: Unauthorized Access in usbd_fill_iface_data -1 C 5 2174d 2174d 3/3 2172d 3774168381e9 If we failed because we didn't encounter an endpoint, do not attempt to read 'ed', because its value is past the end of the buffer, and we thus perform out-of-bounds accesses.
panic: kmem_intr_free: zero size with pointer ADDR 2 C 1 2174d 2174d 3/3 2172d 39045d90bd43 also set ifc->ui_endpoints to NULL in usbd_free_iface_data() when the value is freed, to make it impossible to re-enter this by mistake
UBSan: Undefined Behavior in process_read_fpregs -1 C 2 2180d 2180d 3/3 2172d 4660020b03f4 Introduce PTRACE_REGS_ALIGN, and on x86, enforce a 16-byte alignment, due to fpregs having fxsave which requires 16-byte alignment.
ASan: Unauthorized Access in usb_free_device -1 C 3 2173d 2174d 3/3 2172d 869e8f7b28b0 Reset ud_ifaces and ud_cdesc to NULL, to prevent use-after-free in usb_free_device().
assert failed: pmap->pm_ncsw == lwp_pctr() (2) -1 4 2175d 2177d 3/3 2172d 2ac4ea76ffcd Reported-by: syzbot+fd9be59aa613bbf4eba8@syzkaller.appspotmail.com Reported-by: syzbot+15dd4dbac6ed159faa4a@syzkaller.appspotmail.com Reported-by: syzbot+38fa02d3b0e46e57c156@syzkaller.appspotmail.com
assert failed: !pmap_extract(pmap, va, NULL) -1 syz 1 2249d 2249d 3/3 2186d 4cd60295b346 Reported-by: syzbot+3e3c7cfa8093f8de047e@syzkaller.appspotmail.com
panic: LOCKDEBUG: Mutex error: mutex_vector_enter,512: locking against myself 2 C 52 2186d 2192d 3/3 2186d fbbe5c9112a1 Reported-by: syzbot+0f38e4aed17c14cf0af8@syzkaller.appspotmail.com Reported-by: syzbot+c1770938bb3fa7c085f2@syzkaller.appspotmail.com Reported-by: syzbot+92ca248f1137c4b345d7@syzkaller.appspotmail.com Reported-by: syzbot+acfd688740461f7edf2f@syzkaller.appspotmail.com
MSan: Uninitialized Memory in ifq_enqueue -1 1 2190d 2190d 3/3 2190d 145523e8345f igmp_sendpkt() expects ip_output() to set 'imo.imo_multicast_ttl' into 'ip->ip_ttl'; but ip_output() won't if the target is not a multicast address, meaning that the uninitialized 'ip->ip_ttl' byte gets sent to the network. This leaks one byte of kernel heap.
MSan: Uninitialized Memory in nanosleep1 -1 C 8 2206d 2239d 3/3 2190d d9377f809390 Fix uninitialized memory access. Found by KMSAN.
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/arch/x86/x86/intr.c:LINE, member access -1 15 2202d 2204d 3/3 2200d 37beba86ee63 Explicitly align to 8 bytes, found by kUBSan.
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/vfs_cache.c:LINE, left shift of AD -1 36 2243d 2243d 3/3 2235d 395a577cab63 Pacify a syzbot complaint about bit shifting.
assert failed: pmap->pm_stats.resident_count == PDP_SIZE -1 syz 22 2246d 2247d 3/3 2246d 398f36d55ce0 PR port-amd64/55083 (assertion "pmap->pm_stats.resident_count == PDP_SIZE" failed)
assert failed: ptp->wire_count == 1 -1 C 16 2247d 2248d 3/3 2247d 4538c4a0a4c9 Pacify assertion in a failure path.
assert failed: (opte & (PTE_A | PTE_P)) != PTE_A -1 C 15 2248d 2250d 3/3 2248d 4f0135d6fae3 - pmap_enter(): under low memory conditions, if PTP allocation succeeded and then PV entry allocation failed, PTP pages were being freed without their struct pmap_page being reset back to the non-PTP setup, which then caused havoc with pmap_page_removed(). Fix it.
panic: pmap_check_pv: ADDR/ADDR missing on pp ADDR 2 syz 60 2248d 2248d 3/3 2248d 4f0135d6fae3 - pmap_enter(): under low memory conditions, if PTP allocation succeeded and then PV entry allocation failed, PTP pages were being freed without their struct pmap_page being reset back to the non-PTP setup, which then caused havoc with pmap_page_removed(). Fix it.
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/vfs_mount.c:LINE, member access wi -1 1446 2258d 2334d 3/3 2258d 431ed6f61bc2 - Pad kmem cache names with zeros so vmstat -m and -C are readable. - Exclude caches with size not a factor or multiple of the coherency unit. 4c7232d4a136 KMEM_SIZE: append the size_t to the allocated buffer, rather than prepending, so it doesn't screw up the alignment of the buffer.
ASan: Unauthorized Access in ifreq_setaddr -1 C 6 2323d 2323d 3/3 2258d 36f08dfcb97c Don't forget to initialize 'sin6_len'. With kASan, from time to time the value will be bigger than the size of the source, and we get a read overflow. With kMSan the uninitialized access is detected immediately.
MSan: Uninitialized Memory in getsockopt -1 C 37 2272d 2273d 3/3 2258d 559c53d028d6 Zero out 'tv', to prevent uninitialized bytes in its padding from leaking to userland. Found by kMSan.
assert failed: l->l_stat == LSONPROC -1 C 645 2270d 2283d 3/3 2258d f61617cee78c exit1(): remove from the radix tree before setting zombie status, as radix_tree_remove_node() can block on locks when freeing.
ASan: Unauthorized Access in mutex_oncpu -1 C 24521 2258d 2319d 3/3 2258d e78f9b4fde02 A final set of scheduler tweaks:
MSan: Uninitialized Memory in bus_dmamap_sync -1 C 16 2269d 2273d 3/3 2258d b1f6fd939ed8 Zero out the padding in 'd_namlen', to prevent info leaks. Same logic as ufs_makedirentry().
assert failed: ci->ci_tlbstate != TLBSTATE_VALID -1 C 123 2341d 2342d 3/3 2274d ea92f12b1800 uvm_pagerealloc() can now block because of radixtree manipulation, so defer freeing PTPs until pmap_unmap_ptes(), where we still have the pmap locked but can finally tolerate context switches again.
assert failed: pmap->pm_ncsw == curlwp->l_ncsw -1 C 30 2341d 2342d 3/3 2274d ea92f12b1800 uvm_pagerealloc() can now block because of radixtree manipulation, so defer freeing PTPs until pmap_unmap_ptes(), where we still have the pmap locked but can finally tolerate context switches again.
assert failed: pmap->pm_ncsw == lwp_pctr() -1 2 2335d 2338d 3/3 2274d 680f3a8667de pmap_get_ptp(): the uvm_pagefree() call in the failure case can block too. Pacify the assertion in pmap_unmap_ptes().
assert failed: pg->offset >= nextoff -1 C 10 2339d 2341d 3/3 2274d 3f49a1ff579b genfs_do_putpages(): add a missing call to uvm_page_array_advance().
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/init_main.c:LINE, left shift of AD -1 9 2335d 2335d 3/3 2274d 1e5952fd4837 Fix integer overflow when printing available memory size (resulting from a cast lost during merges).
netbsd boot error: panic: LOCKDEBUG: Mutex error: _mutex_init,363: already initialized -1 51 2340d 2340d 3/3 2274d dc1bd2c9382b Fix LOCKDEBUG panic on mutex_init().
assert failed: lwp_locked(l, l->l_cpu->ci_schedstate.spc_lwplock) -1 C 2676 2362d 2363d 2/3 2359d lwp_start(): don't try to change the target CPU. Fixes potential panic in setrunnable(). Oops, experimental change that escaped.
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/netinet/tcp_congctl.c:LINE, unsigned in 2 syz 28 2368d 2380d 2/3 2368d 1f03898791a3 Don't allow zero sized segments that will panic the stack. Reported-by: syzbot+5542516fa4afe7a101e6@syzkaller.appspotmail.com
ASan: Unauthorized Access in __asan_load8 -1 syz 39 2372d 2492d 2/3 2370d 9ea67c54e50f in uvm_fault_lower_io(), fetch all the map entry values that we need before we unlock everything.
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/dev/raidframe/rf_netbsdkintf.c:LINE, me -1 114 2389d 2392d 2/3 2370d 41eeee0166bf Get &rsc->sc_dksc only when we know 'rsc' is not NULL. This was actually harmless because we didn't use the pointer then.
panic: m_copydata(ADDR,2,48,ADDR): m=NULL, off=0 (48), len=2 (0) 2 C 3 2375d 2375d 2/3 2370d 624f3f7406ee Add more checks in ip6_pullexthdr, to prevent a panic in m_copydata. The Rip6 entry point could see a garbage Hop6 option.
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/arch/x86/x86/pmap.c:LINE, member access -1 6 2370d 2371d 2/3 2370d 4acdfa6ced5b Add a NULL check on the structure pointer, not to retrieve its first field if it is NULL. The previous code was not buggy strictly speaking. This change probably doesn't change anything, except removing assumptions in the compiler optimization passes, which too probably doesn't change anything in this case.
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/subr_disk_mbr.c:LINE, member acces -1 135 2381d 2386d 2/3 2370d 4e5cb50b58af Avoid unaligned pointer arithmetic in check_label_magic()
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/vfs_subr.c:LINE, member access wit -1 99 2371d 2381d 2/3 2370d 473e202ba108 NULL-check the structure pointer, not the address of its first field. This is clearer and also appeases syzbot.
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/uipc_socket.c:LINE, null pointer p 2 C 3 2408d 2416d 2/3 2403d 7b43da9e77aa Add a check before the memcpy. memcpy is defined to never take NULL as second argument, and the compiler is free to perform optimizations knowing that this argument is never NULL.
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/net/rtsock_shared.c:LINE, shift exponen 2 C 91 2404d 2408d 2/3 2403d a1bd50f5a7d5 Error out if the type is beyond the storage size. No functional change, since the shift would otherwise 'and' against zero, returning EEXIST.
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/sys_ptrace_common.c:LINE, negation 2 C 2 2407d 2407d 2/3 2406d c18c9a670f07 Avoid signed integer overflow for -lwp where lwp is INT_MIN
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/kern_time.c:LINE, signed integer o 2 C 3 2412d 2413d 2/3 2412d 8e3fd5b6989c Check for valid timespec in clock_settime1()
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/subr_time.c:LINE, signed integer o 2 C 2 2414d 2414d 2/3 2413d ffd5d3e30b5f Avoid signed integer overflow in ts2timo() for ts->tv_nsec
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/uvm/uvm_mmap.c:LINE, left shift of 1 by 2 C 2 2413d 2413d 2/3 2413d 6c69d9fad1ca Avoid left shift changing the signedness flag
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/sysv_msg.c:LINE, negation of -ADDR 2 C 2 2413d 2413d 2/3 2413d fa6363e63652 Avoid -LONG_MIN msgtyp in msgrcv(2) and treat it as LONG_MAX
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/crypto/nist_hash_drbg/nist_hash_drbg.c: -1 39 2428d 2430d 2/3 2415d 338a6d8211a1 Use an explicit run-time assertion where compile-time doesn't work.
panic: ifmedia_add: can't malloc entry 2 28 2417d 2493d 2/3 2416d 0ab44a811f8a in ifmedia_add(), use a wait-style memory allocation rather than not waiting and panic'ing if the allocation fails.
page fault in __asan_load8 -1 C 4 2418d 2450d 2/3 2416d db38f3713d52 in shmdt(), wait until shmat() completes before detaching.
page fault in shm_delete_mapping -1 syz 17 2551d 2563d 2/3 2416d db38f3713d52 in shmdt(), wait until shmat() completes before detaching.
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/kern_rndq.c:LINE, negation of -ADD 2 9 2420d 2426d 2/3 2418d 1c7f0224e7e0 Do all delta calculations strictly using uint32_t. Avoid integer overflows in calculating absolute deltas by subtracting the right way around.
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/net/rtsock_shared.c:LINE, member access 2 1 2425d 2425d 2/3 2424d 00ccc35339cc Disable __NO_STRICT_ALIGNMENT on amd64/i386 for UBSan builds
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/netinet6/scope6.c:LINE, member access w (2) 2 syz 91 2424d 2427d 2/3 2424d 00ccc35339cc Disable __NO_STRICT_ALIGNMENT on amd64/i386 for UBSan builds
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/sys_select.c:LINE, signed integer 2 C 2 2428d 2428d 2/3 2427d 7049e5e68831 Validate usec ranges in sys___select50()
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/netinet6/scope6.c:LINE, member access w 2 syz 73 2427d 2428d 2/3 2427d a5df2084c7a4 Decorate in6_clearscope() with __noubsan
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/vfs_syscalls.c:LINE, signed intege 2 C 11 2427d 2428d 2/3 2427d 43bc9355ea3c Validate usec ranges in do_sys_utimes()
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/subr_percpu.c:LINE, null pointer p -1 12 2430d 2430d 2/3 2428d 360cafb4be56 Decorate percpu_cpu_swap() with __noubsan
assert failed: buflen != 0 -1 syz 18 2435d 2435d 1/3 2435d 75eea5b7359a As I suspected, the KASSERT I added yesterday can fire if we try to process zero-sized packets. Skip them to prevent a type confusion that can trigger random page faults later.
assert failed: (c->c_flags & CALLOUT_PENDING) == 0 -1 C 2918 2498d 2636d 1/3 2436d 80a06cecc711 Fix race in timer destruction.
assert failed: c->c_cpu->cc_lwp == curlwp || c->c_cpu->cc_active != c -1 C 247 2497d 2637d 1/3 2454d 80a06cecc711 Fix race in timer destruction.
assert failed: to_ticks >= 0 (2) -1 C 70 2509d 2568d 1/3 2454d 4952945bc9cb Clamp tcp timer quantities to reasonable ranges.
assert failed: pg->wire_count != 0 (2) -1 C 174 2498d 2520d 1/3 2454d 95ce9a69b407 fix two bugs reported in https://syzkaller.appspot.com/bug?id=8840dce484094a926e1ec388ffb83acb2fa291c9
assert failed: pg->wire_count > 0 -1 C 6 2622d 2634d 1/3 2454d 6eb7fd2b53ce Acquire shmseg uobj reference while we hold shm_lock.
assert failed: uvm_page_locked_p(pg) -1 C 44 2498d 2508d 1/3 2498d b5e559801c7e Add missing lock around pmap_protect. ok, chs@
panic: LOCKDEBUG: Reader / writer lock error: rw_vector_exit,449: not held by current LWP 2 C 3 2512d 2513d 1/3 2511d e4c2eafeb5ab Fix bug, don't release the reflock if we didn't take it in the first place. Looks like there are other locking issues in here.
ASan: Unauthorized Access in exec_makepathbuf -1 syz 2 2519d 2519d 1/3 2514d abb1684df1f5 Fix buffer overflow. It seems that some people need to go back to the basics of C programming.
page fault in uvm_fault -1 C 2 2521d 2521d 1/3 2520d 00dad9ea5158 Correct wrong type of uio_seg passed to do_sys_mknodat()
assert failed: ! -1 2 2520d 2521d 1/3 2520d 00dad9ea5158 Correct wrong type of uio_seg passed to do_sys_mknodat()
assert failed: pmap->pm_obj[i].uo_npages == 0 -1 C 58 2550d 2631d 1/3 2521d in uvm_map_protect(), do a pmap_update() before possibly switching from removing pmap entries to creating them. this fixes the problem reported in https://syzkaller.appspot.com/bug?id=cc89e47f05e4eea2fd69bcccb5e837f8d1ab4d60
assert failed: pg->wire_count != 0 -1 C 45 2553d 2617d 1/3 2521d shmctl(SHM_LOCK) does not need to mess with mappings of the shm segment, uvm_obj_wirepages() is sufficient. this fixes the problem reported in https://syzkaller.appspot.com/bug?id=71f9271d761f5b6ed517a18030dc04f0135e6179
assert failed: mutex_owned(pipe->pipe_lock) -1 39 2574d 2634d 1/3 2566d 7abfdd368b0d Clean up pipe structure before recycling it.
assert failed: to_ticks >= 0 -1 C 2547 2586d 2636d 1/3 2586d 797b68a5c224 Add more checks, if the values are negative we hit a KASSERT later in the timeout.
ASan: Unauthorized Access in vioscsi_scsipi_request -1 syz 1841 2587d 2624d 1/3 2587d b60093a0824f Fix use-after-free. If we're not polling, virtio_enqueue_commit() will send the transaction, and it means 'xs' can be immediately freed. So, save the value of xs_control beforehand.
panic: receive 3 2 C 5 2628d 2637d 1/3 2600d c78c83f0efb3 Also check for MT_CONTROL, and end the receive operation if we see one. It is possible to get an MT_CONTROL if we sleep in MSG_WAITALL. The other BSDs do the same.
assert failed: vp->v_usecount != 0 -1 C 108 2619d 2635d 1/3 2619d 713042b84b5e Take a reference on ndp->ni_rootdir and ndp->ni_erootdir.
assert failed: vp->v_type == VREG -1 C 139 2625d 2635d 1/3 2624d 21e56f354bb4 Change vn_openchk() to fail VNON and VBAD with error ENXIO.
assert failed: vp->v_type == VREG || vp->v_type == VDIR -1 C 1085 2624d 2636d 1/3 2624d 21e56f354bb4 Change vn_openchk() to fail VNON and VBAD with error ENXIO.
assert failed: c->c_magic == CALLOUT_MAGIC -1 C 1645 2636d 2637d 1/3 2628d The callout is used by any nonvirtual timer including CLOCK_MONOTONIC and needs to be initialized.
assert failed: so->so_lock == NULL -1 C 5 2634d 2635d 1/3 2633d 516d295318eb Fix locking: it is fine if the lock is already key_so_mtx, this can happen in socketpair. In that case don't take it.
assert failed: so->so_pcb == NULL -1 C 6 2635d 2635d 1/3 2635d fa4f0f367829 Fix the order in udp6_attach: soreserve should be called before in6_pcballoc, otherwise if it fails there is still a PCB attached, and we hit a KASSERT in socreate. In !DIAGNOSTIC this would have caused a memory leak.
assert failed: requested_size > 0 -1 C 19 2635d 2636d 1/3 2635d 09915c34c237 Reading a directory may trigger a panic when the buffer is too small. Adjust necessary checks.
ASan bug (2) -1 C 347 2635d 2636d 1/3 2635d d020c71c0cee RIP6, CAN, SCTP and SCTP6 lack a length check in their _send() functions. Fix RIP6 and CAN, add a big XXX in the SCTP ones.
ASan bug -1 C 302 2636d 2637d 1/3 2636d d26f60da72b3 RIP, RIP6, DDP, SCTP and SCTP6 lack a length check in their _connect() functions. Fix the first three, and add a big XXX in the SCTP ones.