|
assert failed: sc->sc_parent->dk_rawopens > NUM
|
C |
|
|
59 |
428d |
459d
|
3/3 |
123d |
804127267a30
dk(4): Use disk_begindetach and rely on vdevgone to close instances.
|
|
panic: kernel di.NUM=S2dagnostic assertion "uio->uio_iovcnt > NUM" failed: file "/syzkaller/managers/ci2-netbs
|
|
|
|
1 |
235d |
235d
|
3/3 |
190d |
a7a3e2ad8d57
tty(9): Make ttwrite update uio with only how much it has consumed.
|
|
assert failed: uAiio->uio_iovcnt > NUM
|
|
|
|
1 |
223d |
223d
|
3/3 |
190d |
a7a3e2ad8d57
tty(9): Make ttwrite update uio with only how much it has consumed.
|
|
assert failed: uio->uio_iovcnt > NUM
|
C |
|
|
34 |
197d |
660d
|
3/3 |
190d |
a7a3e2ad8d57
tty(9): Make ttwrite update uio with only how much it has consumed.
|
|
assert failed: %uio->uio_iovcnt > NUM
|
C |
|
|
1 |
233d |
233d
|
3/3 |
190d |
a7a3e2ad8d57
tty(9): Make ttwrite update uio with only how much it has consumed.
|
|
panic: keexecrnel diagnostic assertion "uio->uio_iovcnt > NUM" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kerne
|
syz |
|
|
1 |
438d |
438d
|
3/3 |
190d |
a7a3e2ad8d57
tty(9): Make ttwrite update uio with only how much it has consumed.
|
|
panic: F8kernel diagnostic assertion "uio->uio_iovcnt > NUM" failed: file "/syzkaller/managers/ci2-netbsd-
|
C |
|
|
1 |
660d |
660d
|
3/3 |
190d |
a7a3e2ad8d57
tty(9): Make ttwrite update uio with only how much it has consumed.
|
|
ASan: Unauthorized Access in uiomove
|
C |
|
|
16 |
233d |
687d
|
3/3 |
190d |
a7a3e2ad8d57
tty(9): Make ttwrite update uio with only how much it has consumed.
|
|
panic: kernel dAiagnos@t ic assertion "uio->uio_iovcnt > NUM" failed: f
|
|
|
|
1 |
235d |
235d
|
3/3 |
190d |
a7a3e2ad8d57
tty(9): Make ttwrite update uio with only how much it has consumed.
|
|
assert failed: uio->uio_iohsyz-vcnt > NUM
|
C |
|
|
1 |
233d |
233d
|
3/3 |
190d |
a7a3e2ad8d57
tty(9): Make ttwrite update uio with only how much it has consumed.
|
|
panic: kernel diagnostic assertion "uio->uio_iovcnt > NUM" failed: file "/syzkaller/managers/ci2-netbsd-kmsa
|
|
|
|
1 |
224d |
224d
|
3/3 |
190d |
a7a3e2ad8d57
tty(9): Make ttwrite update uio with only how much it has consumed.
|
|
assert failed: !netq->netq_stopping
|
|
|
|
1 |
214d |
214d
|
3/3 |
202d |
2b696ab4fdff
Fix missing check for netq->netq_stopping in vioif_rx_intr()
|
|
assert failed: sc->sc_dk.dk_openmask == NUM
|
C |
|
|
22 |
204d |
221d
|
3/3 |
204d |
17fe932c5f6c
dk(4): dkclose must handle a dying wedge too to close the parent.
76abd28dc391
ioctl(DIOCRMWEDGES): Delete only idle wedges.
|
|
assert failed: mutex_owned(&sc->sc_dk.dk_openlock)
|
|
|
|
4 |
215d |
221d
|
3/3 |
214d |
76e8386e9976
dk(4): Fix lock assertion in size increase: parent's, not wedge's.
|
|
UBSan: Undefined Behavior in tmpfs_reg_resize
|
|
|
|
1 |
216d |
216d
|
3/3 |
214d |
08655e8aab1e
tmpfs: Refuse sizes that overflow round_page.
|
|
panic: LOCKDEBUG: Mutex error: mi_userret,NUM: sleep lock held
|
|
|
|
6 |
221d |
222d
|
3/3 |
221d |
569b1a993381
disk(9): Fix missing unlock in error branch in previous change.
|
|
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/kern/subr_pserialize.c:LINE, member
|
|
|
|
39 |
229d |
232d
|
3/3 |
227d |
245f5e21b00b
pserialize(9): Fix bug in recent micro-optimization.
|
|
panic: kernel debugging assertion "notin" failed: file "/syzkaller/managers/ci2-netbsd/kernel/sys/kern/subr_pserialize.c
|
|
|
|
1 |
228d |
228d
|
3/3 |
227d |
8727589ebb95
pserialize(9): Fix buggy assertion inside assertion.
|
|
UBSan: Undefined Behavior in playtone
|
C |
|
|
1 |
243d |
243d
|
3/3 |
242d |
5d38fb5bcae7
spkr(4): Avoid some overflow issues.
|
|
ASan: Unauthorized Access in playtone
|
C |
|
|
2 |
244d |
244d
|
3/3 |
242d |
5d38fb5bcae7
spkr(4): Avoid some overflow issues.
|
|
panic: sockaddr_copy: source too long, NUM < NUM bytes
|
C |
|
|
9 |
245d |
254d
|
3/3 |
243d |
4813aab66c53
atalk(4): Don't let userland control sa_len when adding addresses.
|
|
ASan: Unauthorized Access in ifreq_setaddr (2)
|
|
|
|
7 |
244d |
269d
|
3/3 |
243d |
4813aab66c53
atalk(4): Don't let userland control sa_len when adding addresses.
|
|
MSan: Uninitialized Memory in ifreq_setaddr
|
C |
|
|
8 |
244d |
254d
|
3/3 |
243d |
4813aab66c53
atalk(4): Don't let userland control sa_len when adding addresses.
|
|
ASan: Unauthorized Access in sockaddr_dup
|
C |
|
|
3 |
249d |
253d
|
3/3 |
243d |
4813aab66c53
atalk(4): Don't let userland control sa_len when adding addresses.
|
|
MSan: Uninitialized Memory in sin_print
|
C |
|
|
4 |
269d |
286d
|
3/3 |
243d |
d425b16c66a5
sockaddr_alloc(9): Avoid uninitialized buffer in sockaddr_checklen.
|
|
assert failed: sa->sa_len <= sizeof(ifr.ifr_ifru)
|
C |
|
|
10 |
245d |
250d
|
3/3 |
243d |
4813aab66c53
atalk(4): Don't let userland control sa_len when adding addresses.
|
|
ASan: Unauthorized Access in sat_print
|
C |
|
|
10 |
245d |
266d
|
3/3 |
243d |
4813aab66c53
atalk(4): Don't let userland control sa_len when adding addresses.
|
|
netbsd boot error: ASan: Unauthorized Access in evcnt_attach_dynamic
|
|
|
|
33 |
250d |
251d
|
3/3 |
245d |
317ef74dd360
vioif(4): fix wrong memory allocation size
|
|
netbsd boot error: assert failed: len <= map->dm_mapsize - offset (2)
|
|
|
|
135 |
245d |
248d
|
3/3 |
245d |
31edf7b5b57e
virtio(4): Fix sizing of virtqueue allocation.
|
|
netbsd boot error: page fault in virtio_free_vq
|
|
|
|
27 |
249d |
251d
|
3/3 |
245d |
a66d32465828
Added check of pointer for allocated memory before release of resource
|
|
panic: kernel debugging assertion "off + len <= m_length(m0)" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kernel
|
syz |
|
|
5 |
255d |
273d
|
3/3 |
252d |
4ae0945c2b68
in6: make sure a user-specified checksum field is within a packet
|
|
panic: kernel debugging assertion "off + len <= m_length(m0)" failed: file "/syzkaller/managers/ci2-netbsd/kernel/sys/ke
|
syz |
|
|
1 |
255d |
255d
|
3/3 |
252d |
4ae0945c2b68
in6: make sure a user-specified checksum field is within a packet
|
|
panic: kernel debugging assertion "off + len <= m_length(m0)" failed: file "/syzkaller/managers/ci2-netbsd-kmsan/kernel/
|
syz |
|
|
3 |
255d |
273d
|
3/3 |
252d |
4ae0945c2b68
in6: make sure a user-specified checksum field is within a packet
|
|
assert failed: fmi->fmi_mount->mnt_lower == NULL
|
C |
|
|
5 |
295d |
303d
|
3/3 |
289d |
af759f02178d
When mounting a union file system set its lower mount only on success.
|
|
assert failed: size > NUM
|
C |
|
|
4 |
321d |
321d
|
3/3 |
319d |
9e1aa1e4ed1b
It is not sufficient to have a comment /* Sanity check the size. */, also check the size is greater than zero and a multiple of DEV_BSIZE.
|
|
protection fault in __asan_load4
|
C |
|
|
3 |
408d |
560d
|
3/3 |
342d |
238664abb5cc
ppp: remove ioctls that never worked and crash the kernel
|
|
page fault in __asan_load4 (3)
|
C |
|
|
64 |
357d |
513d
|
3/3 |
342d |
238664abb5cc
ppp: remove ioctls that never worked and crash the kernel
|
|
page fault in ppptioctl
|
C |
|
|
6 |
397d |
501d
|
3/3 |
342d |
238664abb5cc
ppp: remove ioctls that never worked and crash the kernel
|
|
protection fault in ppptioctl
|
C |
|
|
3 |
369d |
560d
|
3/3 |
342d |
238664abb5cc
ppp: remove ioctls that never worked and crash the kernel
|
|
UBSan: Undefined Behavior in ppptioctl
|
C |
|
|
9 |
354d |
501d
|
3/3 |
342d |
238664abb5cc
ppp: remove ioctls that never worked and crash the kernel
|
|
assert failed: bp->b_vp == vp
|
C |
|
|
125 |
345d |
1064d
|
3/3 |
343d |
1f3bc2830b81
swap: disallow user opens of swap block device
|
|
panic: dead fs operation used (2)
|
C |
|
|
8 |
354d |
363d
|
3/3 |
352d |
85cb97f0d716
Harden layered file systems usage of field "mnt_lower" against forced unmounts of the lower layer.
|
|
page fault in VFS_STATVFS
|
syz |
|
|
1 |
360d |
360d
|
3/3 |
352d |
85cb97f0d716
Harden layered file systems usage of field "mnt_lower" against forced unmounts of the lower layer.
|
|
UBSan: Undefined Behavior in ip_ctloutput
|
C |
|
|
22 |
394d |
397d
|
3/3 |
366d |
74557efd80ae
tcp: restore NULL check for inp in tcp_ctloutput
|
|
page fault in ip_ctloutput
|
C |
|
|
18 |
394d |
397d
|
3/3 |
366d |
74557efd80ae
tcp: restore NULL check for inp in tcp_ctloutput
|
|
UBSan: Undefined Behavior in tcp_bind_wrapper
|
C |
|
|
8 |
395d |
397d
|
3/3 |
366d |
443b5cdb2251
tcp: restore NULL checks for inp
|
|
UBSan: Undefined Behavior in tcp_shutdown_wrapper
|
C |
|
|
45 |
394d |
397d
|
3/3 |
366d |
443b5cdb2251
tcp: restore NULL checks for inp
|
|
page fault in tcp_bind_wrapper
|
C |
|
|
9 |
396d |
397d
|
3/3 |
366d |
443b5cdb2251
tcp: restore NULL checks for inp
|
|
page fault in tcp_recvoob_wrapper
|
C |
|
|
23 |
394d |
397d
|
3/3 |
366d |
443b5cdb2251
tcp: restore NULL checks for inp
|
|
page fault in tcp_sockaddr_wrapper
|
C |
|
|
32 |
394d |
397d
|
3/3 |
366d |
443b5cdb2251
tcp: restore NULL checks for inp
|
|
UBSan: Undefined Behavior in ip6_ctloutput
|
C |
|
|
5 |
394d |
397d
|
3/3 |
366d |
74557efd80ae
tcp: restore NULL check for inp in tcp_ctloutput
|
|
page fault in ip_setmoptions
|
C |
|
|
2 |
396d |
396d
|
3/3 |
366d |
74557efd80ae
tcp: restore NULL check for inp in tcp_ctloutput
|
|
page fault in ip6_ctloutput
|
C |
|
|
4 |
394d |
396d
|
3/3 |
366d |
74557efd80ae
tcp: restore NULL check for inp in tcp_ctloutput
|
|
UBSan: Undefined Behavior in tcp_listen_wrapper
|
C |
|
|
15 |
394d |
397d
|
3/3 |
366d |
443b5cdb2251
tcp: restore NULL checks for inp
|
|
UBSan: Undefined Behavior in tcp_connect_wrapper
|
C |
|
|
23 |
394d |
397d
|
3/3 |
366d |
443b5cdb2251
tcp: restore NULL checks for inp
|
|
UBSan: Undefined Behavior in tcp_recvoob_wrapper
|
C |
|
|
26 |
394d |
397d
|
3/3 |
366d |
443b5cdb2251
tcp: restore NULL checks for inp
|
|
UBSan: Undefined Behavior in tcp_sockaddr_wrapper
|
C |
|
|
25 |
394d |
397d
|
3/3 |
366d |
443b5cdb2251
tcp: restore NULL checks for inp
|
|
page fault in tcp_connect_wrapper
|
C |
|
|
18 |
394d |
397d
|
3/3 |
366d |
443b5cdb2251
tcp: restore NULL checks for inp
|
|
page fault in tcp_listen_wrapper
|
C |
|
|
17 |
394d |
397d
|
3/3 |
366d |
443b5cdb2251
tcp: restore NULL checks for inp
|
|
page fault in tcp_shutdown_wrapper
|
C |
|
|
36 |
394d |
397d
|
3/3 |
366d |
443b5cdb2251
tcp: restore NULL checks for inp
|
|
UBSan: Undefined Behavior in lf_advlock (3)
|
C |
|
|
2 |
390d |
390d
|
3/3 |
367d |
1a4aa843e5ad
kern/vfs_lockf.c: Parenthesize to make arithmetic match check.
|
|
assert failed: !topdown || hint <= orig_hint
|
C |
|
|
474 |
370d |
542d
|
3/3 |
370d |
4d78161c33fb
mmap(2): Avoid arithmetic overflow in search for free space.
|
|
page fault in umap_bypass
|
C |
|
|
9 |
372d |
378d
|
3/3 |
371d |
db9cd5dd3e78
When testing whiteout support on the underlying file system union_mount() should not use a NULL componentname as not all file systems can handle it.
|
|
UBSan: Undefined behavior (7)
|
|
|
|
1 |
377d |
377d
|
3/3 |
371d |
db9cd5dd3e78
When testing whiteout support on the underlying file system union_mount() should not use a NULL componentname as not all file systems can handle it.
|
|
UBSan: Undefined Behavior in umap_bypass
|
C |
|
|
30 |
371d |
378d
|
3/3 |
371d |
db9cd5dd3e78
When testing whiteout support on the underlying file system union_mount() should not use a NULL componentname as not all file systems can handle it.
|
|
assert failed: fstrans_is_owner(mp) (2)
|
C |
|
|
3 |
401d |
401d
|
3/3 |
384d |
aac0938bfe9c
Tmpfs_mount() uses tmpfs_unmount() for cleanup if set_statvfs_info() fails. This will not work as tmpfs_unmount() needs a suspended file system.
|
|
UBSan: Undefined Behavior in quota1_handle_cmd_get
|
C |
|
|
2 |
435d |
435d
|
3/3 |
434d |
d111e83da20a
compat_50_quota: reject invalid quota id types.
|
|
UBSan: Undefined Behavior in bpf_ioctl (2)
|
C |
|
|
2 |
453d |
453d
|
3/3 |
452d |
5e84044ef5a3
bpf(4): Reject bogus timeout values before arithmetic overflows.
|
|
page fault in raidioctl
|
|
|
|
1 |
459d |
459d
|
3/3 |
458d |
8c026762c3a1
RAIDframe must be initialized for the RAIDFRAME_SET_LAST_UNIT and RAIDFRAME_SHUTDOWN ioctls.
|
|
assert failed: (l = dev->dv_detaching) == curlwp
|
C |
|
|
2 |
462d |
463d
|
3/3 |
460d |
e7c9fe41a3a1
audio(4): Fix bug in detaching audio16 and beyond.
|
|
UBSan: Undefined Behavior in config_detach_commit
|
C |
|
|
13 |
462d |
473d
|
3/3 |
460d |
e7c9fe41a3a1
audio(4): Fix bug in detaching audio16 and beyond.
|
|
panic: netbsd:vpanic+0x282
|
|
|
|
1 |
481d |
481d
|
3/3 |
460d |
e7c9fe41a3a1
audio(4): Fix bug in detaching audio16 and beyond.
|
|
page fault in __asan_load8 (6)
|
C |
|
|
23 |
462d |
500d
|
3/3 |
460d |
e7c9fe41a3a1
audio(4): Fix bug in detaching audio16 and beyond.
|
|
page fault in config_detach_commit
|
C |
|
|
8 |
462d |
473d
|
3/3 |
460d |
e7c9fe41a3a1
audio(4): Fix bug in detaching audio16 and beyond.
|
|
assert failed: dev->dv_detaching == curlwp
|
C |
|
|
236 |
474d |
589d
|
3/3 |
460d |
e7c9fe41a3a1
audio(4): Fix bug in detaching audio16 and beyond.
|
|
assert failed: kpreempt_disabled() (2)
|
syz |
|
|
4 |
469d |
470d
|
3/3 |
464d |
1e8b246aa870
KERNEL_LOCK(9): Need kpreempt_disable to ipi_send, oops.
|
|
assert failed: curcpu() != ci
|
C |
|
|
1 |
469d |
469d
|
3/3 |
469d |
e94ab9ad30fc
KERNEL_LOCK(9): Record kernel lock holder in fast path too.
|
|
assert failed: lktype != LK_NONE
|
C |
|
|
8 |
592d |
592d
|
3/3 |
471d |
Fix mistake in error branch locking caused by previous changes. vput(vp) also unlocks vp, thus unlocking happens twice in error flow causing kernel to panic with failed assertion lktype != LK_NONE in vfs_vnode.c#778. Thanks riastradh with finding the issue.
|
|
assert failed: sn->sn_opencnt
|
|
|
|
18 |
479d |
577d
|
3/3 |
473d |
2ab99543441b
specfs: Refuse to open a closing-in-progress block device.
|
|
MSan: Uninitialized Memory in rum_attach
|
syz |
|
|
2 |
474d |
474d
|
3/3 |
473d |
3259e3c92306
rum(4): Avoid uninitialized garbage in failed register read.
|
|
assert failed: sd->sd_closing
|
C |
|
|
20 |
505d |
593d
|
3/3 |
473d |
2ab99543441b
specfs: Refuse to open a closing-in-progress block device.
|
|
assert failed: !fmi->fmi_gone
|
C |
|
|
3 |
496d |
496d
|
3/3 |
475d |
3221343e60bf
Finish previous, evaluate the lowest mount on first access to "struct mount_info" and store it here so we no longer derefence the "struct mount" from fstrans_alloc_lwp_info().
|
|
page fault in vrefcnt
|
syz |
|
|
2 |
479d |
479d
|
3/3 |
475d |
440d02956565
raidframe: reject invalid values for numCol and numSpares
|
|
MSan: Uninitialized Memory in rf_UnconfigureVnodes
|
syz |
|
|
5 |
479d |
481d
|
3/3 |
475d |
440d02956565
raidframe: reject invalid values for numCol and numSpares
|
|
ASan: Unauthorized Access in rf_UnconfigureVnodes
|
syz |
|
|
8 |
479d |
481d
|
3/3 |
475d |
440d02956565
raidframe: reject invalid values for numCol and numSpares
|
|
panic: kmem_free(ADDR, NUM) != allocated size NUM; overwrote?
|
C |
|
|
3 |
484d |
484d
|
3/3 |
475d |
bd3b97511997
ptyfs: Don't copy out cookies past end of buffer.
|
|
UBSan: Undefined Behavior in vrefcnt
|
syz |
|
|
5 |
479d |
481d
|
3/3 |
476d |
440d02956565
raidframe: reject invalid values for numCol and numSpares
|
|
UBSan: Undefined Behavior in sys_rasctl (2)
|
C |
|
|
4 |
478d |
479d
|
3/3 |
478d |
9bb32e73c033
rasctl(2): Avoid arithmetic overflow.
|
|
panic: mutex_destroy,NUM: uninitialized lock (lock=ADDR, from=ADDR) (4)
|
C |
|
|
4 |
479d |
479d
|
3/3 |
479d |
388438075058
uirda(4): Unconditionally initializes mutexes and selq on attach.
|
|
netbsd boot error: panic: pmap_get_physpage: out of memory
|
|
|
|
51 |
480d |
483d
|
3/3 |
480d |
1369379d4106
allow KMSAN to work again by restoring the limiting of kva even with NKMEMPAGES_MAX_UNLIMITED. we used to limit kva to 1/8 of physmem but limiting to 1/4 should be enough, and 1/4 still gives the kernel enough kva to map all of the RAM that KMSAN has not stolen.
|
|
UBSan: Undefined Behavior in sys_rasctl
|
C |
|
|
10 |
480d |
484d
|
3/3 |
480d |
ab293a4a7778
rasctl(2): Avoid overflow in address range arithmetic.
|
|
ASan: Unauthorized Access in _prop_object_internalize_context_alloc
|
C |
|
|
6 |
483d |
483d
|
3/3 |
480d |
efe5c7855eb5
proplib: Don't run off end of buffer with memcmp.
|
|
panic: ASan: Unauthorized Access In ADDR: Addr ADDR [NUM bytes, write, MallocRedZone]
|
C |
|
|
1 |
484d |
484d
|
3/3 |
480d |
bd3b97511997
ptyfs: Don't copy out cookies past end of buffer.
|
|
UBSan: Undefined Behavior in lf_advlock (2)
|
C |
|
|
2 |
484d |
484d
|
3/3 |
480d |
c176bd8b3461
kern/vfs_lockf.c: Fix overflow in overflow detection.
|
|
UBSan: Undefined Behavior in physio.cold
|
C |
|
|
2 |
998d |
998d
|
3/3 |
507d |
c02dc4be552e
physio(9): Avoid left shift of negative in alignment check.
|
|
assert failed: l->l_lid == pls->pl_lwpid
|
C |
|
|
133 |
507d |
1287d
|
3/3 |
507d |
3f5ac2f440aa
ptrace(PT_LWPSTATUS): Fix lid=0 case.
|
|
UBSan: Undefined Behavior in compat_43_ttioctl.cold (2)
|
C |
|
|
119 |
509d |
1098d
|
3/3 |
507d |
1ee0fc7f9c22
tty_43: Do unsigned arithmetic to avoid shift into sign bits.
|
|
UBSan: Undefined Behavior in cpuctl_ioctl.cold
|
C |
|
|
44 |
510d |
979d
|
3/3 |
507d |
72a9875cfdda
cpuio.h: Use uint8_t, not bool.
|
|
UBSan: Undefined Behavior in tty_get_qsize.cold.5
|
C |
|
|
63 |
1175d |
1189d
|
3/3 |
507d |
ad11505eeb84
tty: Avoid undefined behaviour (left shift of 1 by 31 places overflows int)
|
|
UBSan: Undefined Behavior in compat_43_ttioctl.cold.0
|
C |
|
|
122 |
1173d |
1236d
|
3/3 |
507d |
c32467e14928
tty_43: Check a bitset from userspace is valid before shifting it
|
|
assert failed: fli != NULL && !fli->fli_mountinfo->fmi_gone
|
C |
|
|
4 |
994d |
994d
|
3/3 |
509d |
42ef1506f14b
While one thread runs vgone() it is possible for another thread to grab a "v_mount" that will be freed before it uses this mount for fstrans_start().
|
|
panic: dead fs operation used
|
C |
|
|
109 |
511d |
1102d
|
3/3 |
509d |
4c6398a93d72
Make dead vfs ops "vfs_statvfs" and "vfs_vptofh" return EOPNOTSUPP. Both operations may originate from (possible dead) vnodes.
|
|
page fault in __asan_load8 (5)
|
C |
|
|
2 |
510d |
510d
|
3/3 |
509d |
98368ce402c5
ifioctl(9): Don't touch ifconf or ifreq until command is validated.
|
|
page fault in compat_ifconf
|
C |
|
|
1 |
510d |
510d
|
3/3 |
509d |
98368ce402c5
ifioctl(9): Don't touch ifconf or ifreq until command is validated.
|
|
UBSan: Undefined Behavior in compat_ifconf
|
C |
|
|
37 |
510d |
715d
|
3/3 |
509d |
98368ce402c5
ifioctl(9): Don't touch ifconf or ifreq until command is validated.
|
|
UBSan: Undefined Behavior in udv_attach
|
C |
|
|
2 |
512d |
512d
|
3/3 |
511d |
583a8e6e3a6f
mmap(2): Prohibit overflowing offsets for non-D_NEGOFFSAFE devices.
|
|
MSan: Uninitialized Memory in pppioctl
|
C |
|
|
3 |
552d |
574d
|
3/3 |
511d |
59e62decad23
net/if_ppp.c: Avoid user-controlled overrun in PPPIOCSCOMPRESS.
|
|
MSan: Uninitialized Memory in ifq_enqueue (2)
|
C |
|
|
6 |
543d |
714d
|
3/3 |
515d |
311083ee523b
sendto(2), recvfrom(2): Scrub internal struct msghdr on stack.
|
|
UBSan: Undefined Behavior in settime1.constprop.5
|
C |
|
|
6 |
1173d |
1274d
|
3/3 |
516d |
d5c20c2f7d03
kern_time: prevent the system clock from being set too low or high
|
|
page fault in __asan_store1
|
C |
|
|
23 |
882d |
882d
|
3/3 |
516d |
6cfadad833d3
Improve Christos's vn_open fix.
|
|
UBSan: Undefined Behavior in route_filter
|
C |
|
|
3 |
517d |
517d
|
3/3 |
516d |
54579f919bf1
route(4): Use m_copydata, not misaligned mtod struct access.
|
|
UBSan: Undefined Behavior in lf_advlock
|
C |
|
|
138 |
518d |
1279d
|
3/3 |
516d |
3ca83894cccd
vfs(9): Avoid arithmetic overflow in lf_advlock.
|
|
assert failed: p != NULL (2)
|
C |
|
|
5 |
536d |
536d
|
3/3 |
516d |
ee077f1ff323
uvideo(4): Make alloc logic match free logic.
|
|
MSan: Uninitialized Memory in comintr (2)
|
syz |
|
|
3 |
556d |
558d
|
3/3 |
516d |
501a519f2746
ktrace(9): Zero-initialize padding for ktr_psig records.
|
|
panic: mutex_destroy,NUM: uninitialized lock (lock=ADDR, from=ADDR) (3)
|
C |
|
|
4 |
518d |
518d
|
3/3 |
516d |
1595c1ec759c
upgt(4): Make upgt_free_cmd match upgt_alloc_cmd.
|
|
panic: LOCKDEBUG: Mutex error: mi_userret,116: sleep lock held
|
C |
|
|
704 |
517d |
1156d
|
3/3 |
516d |
5d4501959988
sequencer(4): Fix lock leak in ioctl(FIOASYNC).
|
|
assert failed: (!cpu_intr_p() && !cpu_softintr_p()) || (pc->pc_pool.pr_ipl != IPL_NONE || cold || panicstr != NULL)
|
C |
|
|
5398 |
517d |
766d
|
3/3 |
517d |
9b17a1de3d64
ktrace(9): Fix mutex detection in ktrcsw.
7baa9e8e9079
sleepq(9): Pass syncobj through to sleepq_block.
|
|
panic: vfs load failed for `compat_12', error NUM (2)
|
|
|
|
1 |
592d |
592d
|
3/3 |
517d |
9b17a1de3d64
ktrace(9): Fix mutex detection in ktrcsw.
|
|
UBSan: Undefined Behavior in compat_50_route_output (2)
|
C |
|
|
3 |
517d |
518d
|
3/3 |
517d |
0ac8a4883e80
route(4): Avoid unaligned access to struct rt_msghdr, take two.
|
|
assert failed: usp->tv_nsec >= NUM
|
C |
|
|
31 |
517d |
518d
|
3/3 |
517d |
85232e61d86a
recvmmsg(2): More timespec validation.
|
|
assert failed: usp->tv_nsec < ADDRL
|
C |
|
|
79 |
517d |
518d
|
3/3 |
517d |
85232e61d86a
recvmmsg(2): More timespec validation.
|
|
panic: ernel diagnostic assertion "(!cpu_intr_p() && !cpu_softintr_p()) || (pc->pc_pool.pr_ipl != IPL_NONE || cold || pa
|
|
|
|
1 |
592d |
592d
|
3/3 |
517d |
9b17a1de3d64
ktrace(9): Fix mutex detection in ktrcsw.
|
|
page fault in rf_fail_disk
|
C |
|
|
1 |
520d |
520d
|
3/3 |
518d |
cb9f2873bc80
RAIDframe must be initialized for the RAIDFRAME_FAIL_DISK80 ioctl.
|
|
page fault in uaudio_attach
|
C |
|
|
3 |
706d |
707d
|
3/3 |
518d |
fccfc6a75979
Fix a null-deref
|
|
assert failed: pipe != NULL
|
C |
|
|
5 |
711d |
1072d
|
3/3 |
518d |
04d39af408ac
umidi(4): Fix fencepost in error branch.
|
|
panic: tcp_output: no template
|
C |
|
|
5612 |
520d |
1737d
|
3/3 |
518d |
9515e062613e
tcp(4): Bail early on sendoob if not connected.
|
|
assert failed: tp->t_oproc != NULL
|
C |
|
|
3 |
534d |
534d
|
3/3 |
518d |
332204ac46c2
remove KASSERT() checking for t_oproc at open since assigning this line discipline to a pty may not have that set. Instead do a runtime check to ensure that the function exists before calling it, as ttstart() handles it.
|
|
UBSan: Undefined Behavior in rf_fail_disk
|
C |
|
|
2 |
520d |
520d
|
3/3 |
518d |
cb9f2873bc80
RAIDframe must be initialized for the RAIDFRAME_FAIL_DISK80 ioctl.
|
|
UBSan: Undefined Behavior in gettimeleft
|
C |
|
|
20 |
526d |
989d
|
3/3 |
518d |
eaf33ef422b2
kern: Avoid arithmetic overflow in gettimeleft.
|
|
UBSan: Undefined Behavior in sys_recvmmsg
|
C |
|
|
491 |
520d |
1208d
|
3/3 |
518d |
f068c6af2cca
recvmmsg(2): Avoid arithmetic overflow in timeout calculations.
|
|
ASan: Unauthorized Access in ktr_kuser
|
C |
|
|
23 |
528d |
764d
|
3/3 |
520d |
c3bf6f9596ea
sendmsg(2): Avoid buffer overrun in ktrace of invalid cmsghdr.
|
|
UBSan: Undefined Behavior in ts2timo (3)
|
C |
|
|
16 |
521d |
622d
|
3/3 |
520d |
54baa6cf231f
kern: Use timespecsubok in ts2timo.
|
|
assert failed: requested_size > NUM
|
C |
|
|
7 |
522d |
546d
|
3/3 |
520d |
2b1f9e508ead
umcs(4): Reject invalid interrupt endpoints.
|
|
UBSan: Undefined Behavior in dosetitimer.part.NUM
|
C |
|
|
147 |
521d |
643d
|
3/3 |
520d |
36bb851c524a
setitimer(2): Guard against overflow in arithmetic.
|
|
UBSan: Undefined behavior (5)
|
|
|
|
1 |
538d |
538d
|
3/3 |
520d |
8ebaf25c4728
route(4): Avoid unaligned access to struct rt_msghdr.
|
|
assert failed: ci != NULL
|
C |
|
|
4 |
550d |
550d
|
3/3 |
520d |
ff733a254dd9
opencrypto(9): Fix missing initialization in error branch.
|
|
panic: mutex_destroy,NUM: uninitialized lock (lock=ADDR, from=ADDR) (2)
|
C |
|
|
8 |
521d |
556d
|
3/3 |
520d |
9bef90fe6e34
emdtv(4): More attach/detach bugs.
|
|
UBSan: Undefined Behavior in itimer_callout
|
C |
|
|
6 |
529d |
583d
|
3/3 |
520d |
2699443359f1
setitimer(2): Avoid arithmetic overflow in periodic bookkeeping.
|
|
UBSan: Undefined Behavior in uao_detach
|
|
|
|
2 |
589d |
589d
|
3/3 |
589d |
3e14ad04ec73
Revert "mmap(2): If we fail with a hint, try again without it."
|
|
ASan: Unauthorized Access in uvm_unmap_detach
|
C |
|
|
7 |
589d |
589d
|
3/3 |
589d |
3e14ad04ec73
Revert "mmap(2): If we fail with a hint, try again without it."
|
|
page fault in udv_detach
|
|
|
|
1 |
589d |
589d
|
3/3 |
589d |
3e14ad04ec73
Revert "mmap(2): If we fail with a hint, try again without it."
|
|
panic: vrelel: bad ref count
|
C |
|
|
2 |
589d |
589d
|
3/3 |
589d |
3e14ad04ec73
Revert "mmap(2): If we fail with a hint, try again without it."
|
|
ASan: Unauthorized Access in uao_reference
|
|
|
|
1 |
589d |
589d
|
3/3 |
589d |
3e14ad04ec73
Revert "mmap(2): If we fail with a hint, try again without it."
|
|
assert failed: (use & VUSECOUNT_MASK) > NUM
|
C |
|
|
22 |
589d |
589d
|
3/3 |
589d |
3e14ad04ec73
Revert "mmap(2): If we fail with a hint, try again without it."
|
|
page fault in uvm_mmap
|
|
|
|
1 |
589d |
589d
|
3/3 |
589d |
3e14ad04ec73
Revert "mmap(2): If we fail with a hint, try again without it."
|
|
panic: [ NUM.ADDR] vpanic() at netbsd:vpanic+0x2f2
|
|
|
|
1 |
589d |
589d
|
3/3 |
589d |
3e14ad04ec73
Revert "mmap(2): If we fail with a hint, try again without it."
|
|
ASan: Unauthorized Access in audio_track_set_format
|
|
|
|
1 |
593d |
593d
|
3/3 |
589d |
2348e3fa2200
audio(4): Wait for opens to drain in detach.
|
|
assert failed: VOP_ISLOCKED(vp) == LK_EXCLUSIVE
|
C |
|
|
73 |
592d |
593d
|
3/3 |
589d |
7f28edca2400
sequencer(4): VOP_CLOSE requires vnode lock.
|
|
UBSan: Undefined Behavior in rnd_detach_source
|
C |
|
|
9 |
689d |
690d
|
3/3 |
589d |
89f519024a36
ucom(4): Make sure rndsource is attached before use and detach.
|
|
panic: spkr1 at audio1kernel diagnostic assertion "(target->prt_class == class)" failed: file "/syzkaller/managers/ci2-n
|
|
|
|
1 |
609d |
609d
|
3/3 |
589d |
65a628cc3991
audio(4): Use d_cfdriver/devtounit to avoid open/detach races.
|
|
ASan: Unauthorized Access in uvideo_attach
|
|
|
|
1 |
670d |
670d
|
3/3 |
589d |
0207ad5e9c01
uvideo(4): Parse descriptors more robustly.
|
|
netbsd boot error: fault in supervisor mode
|
|
|
|
9 |
606d |
606d
|
3/3 |
589d |
e86caeaead15
cgd(4): Omit technically-correct-but-broken adiantum dependency again.
|
|
netbsd boot error: assert failed: locks == curcpu()->ci_biglock_count
|
|
|
|
2 |
609d |
609d
|
3/3 |
589d |
a2bbd8e60824
Revert "kern: Sprinkle biglock-slippage assertions."
|
|
netbsd boot error: UBSan: Undefined Behavior in node_insert
|
|
|
|
1 |
609d |
609d
|
3/3 |
589d |
0916fe48b6c1
thmap(9): Handle memory allocation failure in root_try_put.
|
|
netbsd boot error: assert failed: ci->ci_ilevel <= IPL_VM
|
|
|
|
18 |
608d |
608d
|
3/3 |
589d |
22a2be59f9a4
cgd(4): Remove recently added dependency on adiantum.
|
|
MSan: Uninitialized Memory in umcs7840_attach
|
C |
|
|
5 |
589d |
591d
|
3/3 |
589d |
d67e9a1cf03e
umcs(4): Avoid using uninitialized data if register read fails.
|
|
netbsd boot error: assert failed: curlwp->l_pflag & LP_BOUND
|
|
|
|
36 |
615d |
615d
|
3/3 |
589d |
517fa18875c3
entropy(9): Call entropy_softintr while bound to CPU.
|
|
netbsd boot error: MSan: Uninitialized Memory in bus_dmamap_sync
|
|
|
|
177 |
662d |
671d
|
3/3 |
607d |
9fdc83c65c2c
Initialize "replun" -- found with KMSAN.
|
|
ASan: Unauthorized Access in umidi_attach
|
C |
|
|
69 |
621d |
1249d
|
3/3 |
619d |
4d8f12e265c1
umidi(4): Parse descriptors a little more robustly.
|
|
ASan: Unauthorized Access in usbd_get_no_alts
|
C |
|
|
4 |
706d |
982d
|
3/3 |
620d |
4fc17b686835
usbdi(9): Fix usbd_get_no_alts.
|
|
assert failed: filter->bf_insn != NULL
|
C |
|
|
114 |
626d |
1203d
|
3/3 |
624d |
b90f3afc19bc
bpf(4): Handle null bf_insn on free.
|
|
UBSan: Undefined Behavior in do_posix_fadvise
|
|
|
|
1 |
624d |
624d
|
3/3 |
624d |
841c8d016803
posix_fadvise(2): Detect arithmetic overflow without UB.
|
|
assert failed: fvp != tvp
|
C |
|
|
11 |
770d |
770d
|
3/3 |
624d |
Don't use genfs_rename_knote() in the "rename foo over hard-link to itself" case, which simply results in removing the "from" name; there are assertions in genfs_rename_knote() that are too strong for that case.
|
|
assert failed: !(timo == NUM && intr == false)
|
C |
|
|
4 |
774d |
774d
|
3/3 |
624d |
- microtime -> microuptime - avoid kpause with timeo=0
|
|
assert failed: kpreempt_disabled()
|
C |
|
|
12 |
625d |
625d
|
3/3 |
624d |
9529bac45e11
tun(4): Fix bug introduced in previous locking change.
|
|
assert failed: requested_size > 0 (2)
|
C |
|
|
20 |
706d |
1070d
|
3/3 |
624d |
8d83d79bc57a
umidi(4): Bail early if no endpoints.
|
|
panic: ugen0 at uhub3kernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd-kmsan/kernel/
|
|
|
|
1 |
632d |
632d
|
3/3 |
625d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
assert failed: pb->pb_pathcopyuses == NUM
|
C |
|
|
3 |
695d |
695d
|
3/3 |
625d |
5a9cf8fcf6e0
ccd(4): Only pathbuf_destroy if pathbuf_copyin succeeded.
|
|
assert failed: maxblksize > NUM
|
C |
|
|
4 |
675d |
691d
|
3/3 |
625d |
5bdcc4fe2017
pad(4): Do harmless, not harmful, integer truncation.
|
|
panic: pad3: outputs: 44100Hz, NUM-bit, stereo
|
C |
|
|
1 |
691d |
691d
|
3/3 |
625d |
5bdcc4fe2017
pad(4): Do harmless, not harmful, integer truncation.
|
|
panic: audio0: detached
|
|
|
|
1 |
675d |
675d
|
3/3 |
625d |
5bdcc4fe2017
pad(4): Do harmless, not harmful, integer truncation.
|
|
UBSan: Undefined Behavior in vn_open
|
C |
|
|
34 |
882d |
882d
|
3/3 |
625d |
PR/56286: Martin Husemann: Fix NULL deref on kmod load. - No need to set ret_domove and ret_fd in the regular case, they are meaningless - KASSERT instead of setting errno and then doing the NULL deref.
|
|
UBSan: Undefined Behavior in sys_lseek
|
C |
|
|
2 |
1163d |
1163d
|
3/3 |
625d |
c7cd46af4347
vfs(9): Avoid arithmetic overflow in vn_seek.
|
|
assert failed: pb->pb_pathcopy == NULL
|
C |
|
|
2 |
695d |
695d
|
3/3 |
625d |
5a9cf8fcf6e0
ccd(4): Only pathbuf_destroy if pathbuf_copyin succeeded.
|
|
panic: cdce0: could not find data bulk in
|
syz |
|
|
2 |
710d |
710d
|
3/3 |
625d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
assert failed: KERNEL_LOCKED_P()
|
C |
|
|
32 |
900d |
900d
|
3/3 |
625d |
ea2ec439285b
autoconf(9): Take kernel lock in a few entry points.
|
|
panic: uhidev0: no report descriptor
|
syz |
|
|
18 |
636d |
1235d
|
3/3 |
625d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
assert failed: ret == 0
|
C |
|
|
6950 |
626d |
1245d
|
3/3 |
625d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: _bpfattach: out of memory (2)
|
|
|
|
3 |
687d |
689d
|
3/3 |
625d |
6583daf00fe7
bpf(4): Nix KM_NOSLEEP and prune dead branch.
|
|
panic: vfs load failed for `compat_12', error NUM
|
|
|
|
1 |
657d |
657d
|
3/3 |
625d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
assert failed: un->un_ops->uno_init
|
C |
|
|
72 |
634d |
636d
|
3/3 |
625d |
ee8fc1216476
usbnet(9): uno_init is now optional.
|
|
panic: port NUM (addr NUM) disconnected
|
|
|
|
2 |
664d |
691d
|
3/3 |
625d |
5ee164d90cec
tun(4): Reduce lock from IPL_NET to IPL_SOFTNET.
|
|
panic: LOCKDEBUG: Mutex error: mutex_vector_enter,517: spin lock held
|
C |
|
|
3 |
870d |
870d
|
3/3 |
625d |
5ee164d90cec
tun(4): Reduce lock from IPL_NET to IPL_SOFTNET.
|
|
panic: LOCKDEBUG: Mutex error: mutex_vector_enter,516: spin lock held (2)
|
C |
|
|
1221 |
625d |
1253d
|
3/3 |
625d |
5ee164d90cec
tun(4): Reduce lock from IPL_NET to IPL_SOFTNET.
|
|
UBSan: Undefined Behavior in ntp_adjtime1.cold
|
syz |
|
|
17 |
641d |
676d
|
3/3 |
625d |
2daa45d976fc
ntp(9): Avoid left shift of negative.
|
|
panic: mutex_destroy,NUM: uninitialized lock (lock=ADDR, from=ADDR)
|
C |
|
|
16 |
662d |
713d
|
3/3 |
625d |
6b71feb71da5
auvitek(4): Fix i2c detach if attach failed.
|
|
ASan: Unauthorized Access in usbd_fill_iface_data (2)
|
C |
|
|
44 |
628d |
1081d
|
3/3 |
625d |
8c8ba8c43de4
usb: Parse descriptors a little more robustly.
|
|
UBSan: Undefined Behavior in nanosleep1
|
C |
|
|
2 |
628d |
628d
|
3/3 |
625d |
7b0b7a803fb0
kern: Handle clock winding back in nanosleep1 without overflow.
|
|
UBSan: Undefined Behavior in ts2timo (2)
|
C |
|
|
9 |
629d |
721d
|
3/3 |
625d |
98755d357962
kern: Fix fencepost error in ts2timo overflow checks.
|
|
panic: kernel debugging assertion "pserialize_not_in_read_section()" failed: file "/syzkaller/managers/ci2-netbsd-kmsan/ (2)
|
|
|
|
1 |
642d |
642d
|
3/3 |
625d |
9ab52bf87195
kern: Fix ordering of loads for pid_table and pid_tbl_mask.
|
|
panic: todo(ADDR) > MAXPHYS; minphys broken
|
C |
|
|
98 |
630d |
1241d
|
3/3 |
625d |
de8552b00ba2
kern: Use harmless, not harmful, integer truncation in physio.
|
|
MSan: Uninitialized Memory in proc_find_lwp_unlocked (3)
|
|
|
|
2 |
713d |
794d
|
3/3 |
625d |
9ab52bf87195
kern: Fix ordering of loads for pid_table and pid_tbl_mask.
|
|
UBSan: Undefined Behavior in ntp_adjtime1 (2)
|
syz |
|
|
4 |
635d |
645d
|
3/3 |
625d |
9accb05adf48
ntp(9): Clamp ntv->offset to avoid arithmetic overflow on adjtime.
|
|
UBSan: Undefined Behavior in vn_seek
|
C |
|
|
3 |
628d |
686d
|
3/3 |
625d |
c7cd46af4347
vfs(9): Avoid arithmetic overflow in vn_seek.
|
|
panic: kernel debugging assertion "pserialize_not_in_read_section()" failed: file "/syzkaller/managers/ci2-netbsd-kubsan
|
|
|
|
1 |
641d |
641d
|
3/3 |
625d |
9ab52bf87195
kern: Fix ordering of loads for pid_table and pid_tbl_mask.
|
|
UBSan: Undefined Behavior in ktrace_thread
|
C |
|
|
74 |
627d |
764d
|
3/3 |
626d |
46605d0471d3
ktrace(9): Avoid stomping over colliding KTROP_SET.
|
|
netbsd boot error: panic: kmem_intr_free: zero size with pointer ADDR
|
|
|
|
12 |
670d |
670d
|
3/3 |
626d |
e68bc10fdb5f
scsi(9): Handle bogus number of LUNs in SCSI_REPORT_LUNS.
|
|
UBSan: Undefined Behavior in config_devalloc
|
C |
|
|
149 |
1101d |
1218d
|
3/3 |
626d |
625d175f6f6b
autoconf(9): Refuse to consider negative unit numbers in cfdata.
|
|
panic: TAILQ_* forw ADDR /syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/kern/kern_ktrace.c:LINE
|
C |
|
|
5 |
683d |
717d
|
3/3 |
626d |
46605d0471d3
ktrace(9): Avoid stomping over colliding KTROP_SET.
|
|
ASan: Unauthorized Access in cryptodev_mop
|
|
|
|
1 |
683d |
683d
|
3/3 |
626d |
b943dbddef07
crypto(4): Refuse count>1 for old CIOCNCRYPTM.
|
|
panic: TAILQ_* forw ADDR /syzkaller/managers/ci2-netbsd/kernel/sys/kern/kern_ktrace.c:LINE
|
C |
|
|
22 |
629d |
715d
|
3/3 |
626d |
46605d0471d3
ktrace(9): Avoid stomping over colliding KTROP_SET.
|
|
ASan: Unauthorized Access in ktrace_thread
|
|
|
|
1 |
701d |
701d
|
3/3 |
626d |
46605d0471d3
ktrace(9): Avoid stomping over colliding KTROP_SET.
|
|
MSan: Uninitialized Memory in pathbuf_destroy
|
C |
|
|
3 |
695d |
695d
|
3/3 |
626d |
5a9cf8fcf6e0
ccd(4): Only pathbuf_destroy if pathbuf_copyin succeeded.
|
|
panic: genfs: bad op (2)
|
C |
|
|
6 |
627d |
700d
|
3/3 |
626d |
0dbc06c160e9
kernfs: Just fail with EOPNOTSUPP, don't panic, on VOP_BMAP.
|
|
page fault in ktrace_thread
|
syz |
|
|
82 |
627d |
722d
|
3/3 |
626d |
46605d0471d3
ktrace(9): Avoid stomping over colliding KTROP_SET.
|
|
panic: : playback
|
C |
|
|
1 |
675d |
675d
|
3/3 |
626d |
5bdcc4fe2017
pad(4): Do harmless, not harmful, integer truncation.
|
|
panic: TAILQ_PREREMOVE head ADDR elm ADDR /syzkaller/managers/ci2-netbsd/kernel/sys/kern/kern_ktrace.c:LINE
|
C |
|
|
56 |
627d |
764d
|
3/3 |
626d |
46605d0471d3
ktrace(9): Avoid stomping over colliding KTROP_SET.
|
|
panic: TAILQ_PREREMOVE head ADDR elm ADDR /syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/kern/kern_ktrace.c:LINE
|
syz |
|
|
16 |
627d |
758d
|
3/3 |
626d |
46605d0471d3
ktrace(9): Avoid stomping over colliding KTROP_SET.
|
|
UBSan: Undefined Behavior in adjtime1
|
C |
|
|
16 |
628d |
671d
|
3/3 |
626d |
9ce97ae81c62
kern: Clamp time_adjtime to avoid overflow.
|
|
panic: TAILQ_PREREMOVE head ADDR elm ADDR /syzkaller/managers/ci2-netbsd/kernel/sys/kern/kern_ktrace.c:LINEuhub5: device
|
|
|
|
1 |
698d |
698d
|
3/3 |
626d |
46605d0471d3
ktrace(9): Avoid stomping over colliding KTROP_SET.
|
|
MSan: Uninitialized Memory in emdtv_i2c_exec
|
C |
|
|
5 |
1077d |
1078d
|
3/3 |
626d |
6dc364f9e2c2
emdtv(4): If register read fails, read as all zero.
|
|
MSan: Uninitialized Memory in ktrace_thread
|
C |
|
|
450 |
627d |
765d
|
3/3 |
626d |
46605d0471d3
ktrace(9): Avoid stomping over colliding KTROP_SET.
|
|
panic: uhidev0: (0x0000) syz (0x0000), rev NUM.NUM/NUM.NUM, addr NUM, iclass NUM/NUM
|
|
|
|
1 |
671d |
671d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: l diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/dev/usb/vhci.c
|
|
|
|
1 |
702d |
702d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: ugen0: setting configuration index NUM failed
|
|
|
|
2 |
676d |
718d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: urtwn0: failed to set configuration, err=IOERROR
|
|
|
|
1 |
673d |
673d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: uhidev0: detached
|
|
|
|
3 |
638d |
701d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: uhub5: device problem, disabling port NUM
|
|
|
|
6 |
629d |
712d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: cdce0: faking address
|
|
|
|
1 |
646d |
646d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
UBSan: Undefined Behavior in compat_30_sys_getdents
|
C |
|
|
3 |
630d |
630d
|
3/3 |
626d |
8d388c5e20ee
compat_30: Avoid what might be technically undefined behaviour.
|
|
panic: port NUM configuration NUM interface 0kernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers
|
syz |
|
|
1 |
690d |
690d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: device problem, disabling port NUM
|
|
|
|
1 |
694d |
694d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: cdce0: detached
|
|
|
|
1 |
637d |
637d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: uhidev0: no input interrupt endpoint
|
C |
|
|
6 |
683d |
715d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: uhub4: device problem, disabling port NUM
|
|
|
|
7 |
646d |
715d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: "/syzkaller/managers/ci2-netbsd/kernel/sys/dev/usb/vhci.c", line NUM
|
|
|
|
1 |
698d |
698d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: uhub3: device problem, disabling port NUM
|
|
|
|
6 |
637d |
703d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: (addr NUM) disconnected
|
|
|
|
1 |
640d |
640d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: uhub0: device problem, disabling port NUM
|
|
|
|
8 |
627d |
700d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: urtwn0: failed to set configuration, err=TIMEOUT
|
|
|
|
1 |
708d |
708d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: [ NUM.ADDR] vpanic() at netbsd:vpanic+0x2d0
|
|
|
|
6 |
632d |
787d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: ernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/dev/usb/vh
|
|
|
|
4 |
639d |
749d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: uhub1: device problem, disabling port NUM
|
|
|
|
1 |
658d |
658d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
UBSan: Undefined Behavior in bpf_ioctl
|
C |
|
|
2 |
660d |
660d
|
3/3 |
626d |
05192700cd5d
bpf(4): Clamp read timeout to INT_MAX ticks to avoid overflow.
|
|
panic: ernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd/kernel/sys/dev/usb/vhci.c",
|
|
|
|
1 |
690d |
690d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: [ NUM.ADDR] kernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd-kmsan/kernel/sy
|
|
|
|
1 |
649d |
649d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: [ NUM.ADDR] vpanic() at netbsd:vpanic+0x9ec
|
|
|
|
2 |
636d |
697d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
UBSan: Undefined Behavior in ffs_init_vnode.cold
|
C |
|
|
2 |
630d |
630d
|
3/3 |
626d |
d8cd23d6aa6c
ffs: Fix 64-bit inode integer truncation.
|
|
UBSan: Undefined Behavior in soreceive (2)
|
|
|
|
1 |
635d |
635d
|
3/3 |
626d |
1c4297a22980
kern: m_copym(M_DONTWAIT) can fail; handle that case gracefully.
|
|
panic: ugen0 at uhub4 port 1kernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd/kernel
|
|
|
|
1 |
688d |
688d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: [ NUM.ADDR] kernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd/kernel/sys/dev
|
|
|
|
2 |
702d |
715d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: uhub2: device problem, disabling port NUM
|
|
|
|
2 |
630d |
681d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: nostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/dev/usb/vhci.c", lin
|
|
|
|
1 |
642d |
642d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
panic: [ NUM.ADDR] kernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kernel/
|
|
|
|
1 |
683d |
683d
|
3/3 |
626d |
8934564b15e9
vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
|
|
ASan: Unauthorized Access in psignal (2)
|
C |
|
|
7 |
670d |
1030d
|
3/3 |
633d |
e30c3d8025bf
usb(4): Use atomics for usb_async_proc.
|
|
panic: kernel diagnostic assertion "searchdir != foundobj" failed: file "/syzkaller/managers/ci2-netbsd-
|
|
|
|
1 |
684d |
684d
|
3/3 |
657d |
d832c645c7cf
Remove the assertion "searchdir != foundobj" from lookup_crossmount().
|
|
assert failed: searchdir != foundobj
|
C |
|
|
2326 |
657d |
1214d
|
3/3 |
657d |
d832c645c7cf
Remove the assertion "searchdir != foundobj" from lookup_crossmount().
|
|
panic: [ NUM.ADDR] kernel diagnostic assertion "searchdir != foundobj" failed: file "/syzkaller/managers/ci2-netbsd-kms
|
|
|
|
1 |
683d |
683d
|
3/3 |
657d |
d832c645c7cf
Remove the assertion "searchdir != foundobj" from lookup_crossmount().
|
|
panic: spkr1 at audio1kernel diagnostic assertion "searchdir != foundobj" failed: file "/syzkaller/managers/ci2-netbsd/k
|
|
|
|
1 |
680d |
680d
|
3/3 |
657d |
d832c645c7cf
Remove the assertion "searchdir != foundobj" from lookup_crossmount().
|
|
panic: vfs load failed for `udf', error 2kernel diagnostic assertion "searchdir != foundobj" failed: file "/syzkaller/ma
|
|
|
|
1 |
677d |
677d
|
3/3 |
657d |
d832c645c7cf
Remove the assertion "searchdir != foundobj" from lookup_crossmount().
|
|
UBSan: Undefined Behavior in ntp_adjtime1
|
|
|
|
1 |
664d |
664d
|
3/3 |
662d |
13b44dbbb69d
kernel: Avoid arithmetic overflow in ntp_adjtime.
|
|
UBSan: Undefined behavior (3)
|
|
|
|
1 |
717d |
717d
|
3/3 |
716d |
ee532b2421c3
Use unsigned to avoid undefined behavior. Found by kUBSan.
|
|
UBSan: Undefined Behavior in usb_free_device
|
syz |
|
|
1 |
779d |
779d
|
3/3 |
775d |
02983654f25e
Revert "usb: uhub: remove unnecessary delays when powering on ports"
|
|
page fault in __asan_load1
|
|
|
|
1 |
779d |
779d
|
3/3 |
775d |
02983654f25e
Revert "usb: uhub: remove unnecessary delays when powering on ports"
|
|
UBSan: Undefined Behavior in pppasyncstart.cold
|
|
|
|
18 |
802d |
824d
|
3/3 |
793d |
44b1f8a1c3ff
Use unsigned to avoid undefined behavior in pppasyncstart().
|
|
panic: _uvm_mapent_check: bad entry ADDR, line 2299
|
C |
|
|
2 |
887d |
887d
|
3/3 |
881d |
388be8fd3b90
in uvm_mapent_forkzero(), if the old entry was an object mapping, appease a debug check by setting the new entry offset to zero along with setting the new entry object pointer to NULL.
|
|
panic: _uvm_mapent_check: bad entry ADDR, line 1704
|
C |
|
|
2 |
887d |
887d
|
3/3 |
881d |
388be8fd3b90
in uvm_mapent_forkzero(), if the old entry was an object mapping, appease a debug check by setting the new entry offset to zero along with setting the new entry object pointer to NULL.
|
|
panic: _uvm_mapent_check: bad entry ADDR, line 2306
|
C |
|
|
37 |
954d |
1228d
|
3/3 |
881d |
388be8fd3b90
in uvm_mapent_forkzero(), if the old entry was an object mapping, appease a debug check by setting the new entry offset to zero along with setting the new entry object pointer to NULL.
|
|
panic: genfs: bad op
|
C |
|
|
31 |
958d |
1174d
|
3/3 |
884d |
e3beb3764561
VOP_BMAP() may be called via ioctl(FIOGETBMAP) on any vnode that applications can open. change various pseudo-fs *_bmap methods return an error instead of panic.
|
|
netbsd boot error: UBSan: Undefined Behavior in AcpiNsRootInitialize
|
|
|
|
120 |
913d |
918d
|
3/3 |
912d |
d5b984e0de7e
avoid dereferencing a constant string address as a UINT32 pointer, KUBSAN complains about bad alignment.
|
|
UBSan: Undefined Behavior in ts2timo
|
C |
|
|
40 |
922d |
1280d
|
3/3 |
913d |
6f5e84c07140
ts2timo(9): refactor TIMER_ABSTIME handling
|
|
assert failed: (cnp->cn_flags & LOCKPARENT) == 0 || searchdir == NULL || VOP_ISLOCKED(searchdir) == LK_EXCLUSIVE (2)
|
C |
|
|
1614 |
925d |
1253d
|
3/3 |
913d |
4af96c872b34
Honor LOCKPARENT for ".." of the root directory.
|
|
UBSan: Undefined Behavior in free_pipe
|
C |
|
|
6 |
1001d |
1071d
|
3/3 |
913d |
8c601f6c5ae7
fix free_all_endpoints() to not try calling free_pipe() when no endpoints are allocated; this can happen during config_detach() after attach fails
|
|
page fault in free_all_endpoints
|
C |
|
|
2 |
1071d |
1071d
|
3/3 |
913d |
8c601f6c5ae7
fix free_all_endpoints() to not try calling free_pipe() when no endpoints are allocated; this can happen during config_detach() after attach fails
|
|
UBSan: Undefined Behavior in fss_close
|
C |
|
|
3 |
1121d |
1131d
|
3/3 |
1068d |
e5ad6630f80f
Check the return value of device_lookup_private against NULL.
|
|
UBSan: Undefined Behavior in quota1_handle_cmd_quotaoff
|
C |
|
|
22 |
1079d |
1211d
|
3/3 |
1069d |
479d6bd7aed1
Avoid potentially accessing an array with an index out of range.
|
|
UBSan: Undefined Behavior in quota1_handle_cmd_quotaon
|
C |
|
|
310 |
1071d |
1216d
|
3/3 |
1069d |
479d6bd7aed1
Avoid potentially accessing an array with an index out of range.
|
|
UBSan: Undefined Behavior in fsetown
|
C |
|
|
643 |
1070d |
1254d
|
3/3 |
1069d |
fe22bed11b62
Avoid negating the minimum size of pid_t (this overflows).
|
|
assert failed: semcnt >= 0
|
C |
|
|
1460 |
1080d |
1221d
|
3/3 |
1079d |
d1d48122addb
when updating the per-uid "semcnt", decrement the counter for the uid that created the ksem, not the uid of the process freeing the ksem. fixes PR 55509.
|
|
UBSan: Undefined Behavior in dosetitimer
|
C |
|
|
62 |
1088d |
1088d
|
3/3 |
1088d |
46944f1c4d5d
Fix an uninitialized pointer deref introduced in rev 1.207.
|
|
assert failed: ! (2)
|
C |
|
|
4 |
1112d |
1112d
|
3/3 |
1103d |
98e71a6eeb52
When validating the mount device string make sure its length is below *data_len and below PATH_MAX.
|
|
panic: Suspending fresh file system failed
|
syz |
|
|
44 |
1105d |
1140d
|
3/3 |
1105d |
0b5a6352dcf7
We have to ignore interrupts when suspending here the same way we have to do with revoke.
|
|
assert failed: fstrans_is_owner(mp)
|
C |
|
|
789 |
1106d |
1214d
|
3/3 |
1106d |
d8a571076ba6
Suspend file system before unmounting in mount_domount() error path to prevent diagnostic assertions from unmount/flush.
|
|
panic: kernel diagnostic assertion "fstrans_is_owner(mp)" failed: file "/syzkaller/managers/netbsd-kmsan/kernel/s
|
|
|
|
1 |
1158d |
1158d
|
3/3 |
1106d |
d8a571076ba6
Suspend file system before unmounting in mount_domount() error path to prevent diagnostic assertions from unmount/flush.
|
|
panic: [ 222.ADDR] kernel diagnostic assertion "fstrans_is_owner(mp)" failed: file "/syzkaller/managers/netbsd-kmsan/ker
|
|
|
|
1 |
1170d |
1170d
|
3/3 |
1106d |
d8a571076ba6
Suspend file system before unmounting in mount_domount() error path to prevent diagnostic assertions from unmount/flush.
|
|
UBSan: Undefined Behavior in ttioctl
|
|
|
|
1 |
1229d |
1229d
|
3/3 |
1106d |
bf7b939a1a2d
tty: Negating INT_MIN will overflow int, bail out with EINVAL
|
|
assert failed: (length != 0 || extblocks || LIST_EMPTY(&ovp->v_cleanblkhd))
|
C |
|
|
6 |
1134d |
1230d
|
3/3 |
1106d |
9235b59ee381
Lock the vnode while calling VOP_BMAP() for FIOGETBMAP.
|
|
UBSan: Undefined behavior
|
|
|
|
8 |
1140d |
1214d
|
3/3 |
1106d |
ad11505eeb84
tty: Avoid undefined behaviour (left shift of 1 by 31 places overflows int)
|
|
panic: kernel diagnostic assertion "fstrans_is_owner(mp)" failed: file "/syzkaller/managers/netbsd-kmsan/kernel
|
|
|
|
1 |
1160d |
1160d
|
3/3 |
1106d |
d8a571076ba6
Suspend file system before unmounting in mount_domount() error path to prevent diagnostic assertions from unmount/flush.
|
|
panic: kernel diagnostic assertion "fstrans_is_owner(mp)" failed: file "/syzkaller/managers/netbsd-kubsan/kernel/sys/ke
|
|
|
|
1 |
1160d |
1160d
|
3/3 |
1106d |
d8a571076ba6
Suspend file system before unmounting in mount_domount() error path to prevent diagnostic assertions from unmount/flush.
|
|
UBSan: Undefined Behavior in compat_43_ttioctl.cold
|
C |
|
|
116 |
1108d |
1164d
|
3/3 |
1106d |
c32467e14928
tty_43: Check a bitset from userspace is valid before shifting it
|
|
UBSan: Undefined Behavior in tty_get_qsize
|
C |
|
|
19 |
1189d |
1236d
|
3/3 |
1188d |
699b2c0a0a86
Add a check to prevent shift by -1. Not really important in this case, but to appease KUBSAN.
|
|
assert failed: rb_tree_find_node(&ugenif.tree, &sc->sc_unit) == sc
|
C |
|
|
8 |
1198d |
1199d
|
3/3 |
1198d |
257aaf9afb72
Fix ugen detach after partial attach.
|
|
ASan: Unauthorized Access in nvlist_copyin
|
C |
|
|
2 |
1224d |
1224d
|
3/3 |
1198d |
17ffbcbdab9a
Add missing cases, to prevent memory corruption.
|
|
assert failed: 0 <= space && space <= ifc->ifc_len
|
C |
|
|
4 |
1233d |
1233d
|
3/3 |
1231d |
0be10c48cf6f
Don't accept negative value.
|
|
page fault in statvfs_to_statfs12_copy
|
C |
|
|
5 |
1250d |
1251d
|
3/3 |
1250d |
f2af77cb3adc
Yet another idiotic compat syscall that was developed with literally zero test made. Simply invoking this syscall with _valid parameters_ triggers a fatal fault, because the kernel tries to write to userland addresses.
|
|
page fault in usbd_add_drv_event
|
C |
|
|
2 |
1251d |
1251d
|
3/3 |
1250d |
6cac1dde29fb
Fix NULL deref on attach failure. Found via vHCI fuzzing.
|
|
UBSan: Undefined Behavior in pipe_ioctl
|
C |
|
|
1 |
1252d |
1252d
|
3/3 |
1250d |
60b6b2cd7463
Fix NULL deref. The original code before Jaromir's cleanup had an #ifndef block that wrongly contained the 'else' statement, causing the NULL check to have no effect.
|
|
ASan: Unauthorized Access in m_copydata
|
C |
|
|
1 |
1253d |
1253d
|
3/3 |
1252d |
305ae8585db2
Ensure sockaddrs have valid lengths for RO_MISSFILTER.
|
|
assert failed: (cnp->cn_flags & LOCKPARENT) == 0 || searchdir == NULL || VOP_ISLOCKED(searchdir) == LK_EXCLUSIVE
|
C |
|
|
2815 |
1253d |
1301d
|
3/3 |
1253d |
3e5fbb6583a3
remove special handling for symbolic links for COMPAT_43 lstat, it's not necessary; this removes the only places in kernel which did namei LOOKUP with LOCKPARENT
|
|
UBSan: Undefined Behavior in tunwrite
|
C |
|
|
5 |
1254d |
1254d
|
3/3 |
1254d |
521e747162a6
Hum. Fix NULL deref triggerable with just write(0).
|
|
assert failed: p != NULL
|
|
|
|
1 |
1353d |
1353d
|
3/3 |
1270d |
3c214a3d995e
Fix bohr bug triggered only once by syzkaller 2,5 months ago.
|
|
UBSan: Undefined Behavior in db_read_bytes
|
|
|
|
1 |
1273d |
1273d
|
3/3 |
1271d |
0f48bfb53e25
If the frame is not aligned, leave right away. This place probably needs to be revisited, because %rbp could easily contain garbage.
|
|
netbsd boot error: MSan: Uninitialized Memory in pmap_ctor
|
|
|
|
60 |
1277d |
1280d
|
3/3 |
1275d |
248fe10b7a27
Reported-by: syzbot+6dd5a230d19f0cbc7814@syzkaller.appspotmail.com
|
|
panic: LOCKDEBUG: Mutex error: mutex_vector_enter,516: spin lock held
|
C |
|
|
95 |
1276d |
1295d
|
3/3 |
1276d |
134b16ca64ab
Reported-by: syzbot+c1770938bb3fa7c085f2@syzkaller.appspotmail.com Reported-by: syzbot+ae26209c7d7f06e0b29f@syzkaller.appspotmail.com
|
|
ASan: Unauthorized Access in usbd_fill_iface_data
|
C |
|
|
5 |
1277d |
1277d
|
3/3 |
1276d |
3774168381e9
If we failed because we didn't encounter an endpoint, do not attempt to read 'ed', because its value is past the end of the buffer, and we thus perform out-of-bounds accesses.
|
|
panic: kmem_intr_free: zero size with pointer ADDR
|
C |
|
|
1 |
1277d |
1277d
|
3/3 |
1276d |
39045d90bd43
also set ifc->ui_endpoints to NULL in usbd_free_iface_data() when the value is freed, to make it impossible to re-enter this by mistake
|
|
UBSan: Undefined Behavior in process_read_fpregs
|
C |
|
|
2 |
1284d |
1284d
|
3/3 |
1276d |
4660020b03f4
Introduce PTRACE_REGS_ALIGN, and on x86, enforce a 16-byte alignment, due to fpregs having fxsave which requires 16-byte alignment.
|
|
ASan: Unauthorized Access in usb_free_device
|
C |
|
|
3 |
1277d |
1277d
|
3/3 |
1276d |
869e8f7b28b0
Reset ud_ifaces and ud_cdesc to NULL, to prevent use-after-free in usb_free_device().
|
|
assert failed: pmap->pm_ncsw == lwp_pctr() (2)
|
|
|
|
4 |
1278d |
1280d
|
3/3 |
1276d |
2ac4ea76ffcd
Reported-by: syzbot+fd9be59aa613bbf4eba8@syzkaller.appspotmail.com Reported-by: syzbot+15dd4dbac6ed159faa4a@syzkaller.appspotmail.com Reported-by: syzbot+38fa02d3b0e46e57c156@syzkaller.appspotmail.com
|
|
assert failed: !pmap_extract(pmap, va, NULL)
|
syz |
|
|
1 |
1353d |
1353d
|
3/3 |
1290d |
4cd60295b346
Reported-by: syzbot+3e3c7cfa8093f8de047e@syzkaller.appspotmail.com
|
|
panic: LOCKDEBUG: Mutex error: mutex_vector_enter,512: locking against myself
|
C |
|
|
52 |
1290d |
1295d
|
3/3 |
1290d |
fbbe5c9112a1
Reported-by: syzbot+0f38e4aed17c14cf0af8@syzkaller.appspotmail.com Reported-by: syzbot+c1770938bb3fa7c085f2@syzkaller.appspotmail.com Reported-by: syzbot+92ca248f1137c4b345d7@syzkaller.appspotmail.com Reported-by: syzbot+acfd688740461f7edf2f@syzkaller.appspotmail.com
|
|
MSan: Uninitialized Memory in ifq_enqueue
|
|
|
|
1 |
1294d |
1294d
|
3/3 |
1293d |
145523e8345f
igmp_sendpkt() expects ip_output() to set 'imo.imo_multicast_ttl' into 'ip->ip_ttl'; but ip_output() won't if the target is not a multicast address, meaning that the uninitialized 'ip->ip_ttl' byte gets sent to the network. This leaks one byte of kernel heap.
|
|
MSan: Uninitialized Memory in nanosleep1
|
C |
|
|
8 |
1309d |
1343d
|
3/3 |
1294d |
d9377f809390
Fix uninitialized memory access. Found by KMSAN.
|
|
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/arch/x86/x86/intr.c:LINE, member access
|
|
|
|
15 |
1306d |
1308d
|
3/3 |
1303d |
37beba86ee63
Explicitly align to 8 bytes, found by kUBSan.
|
|
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/vfs_cache.c:LINE, left shift of AD
|
|
|
|
36 |
1346d |
1347d
|
3/3 |
1339d |
395a577cab63
Pacify a syzbot complaint about bit shifting.
|
|
assert failed: pmap->pm_stats.resident_count == PDP_SIZE
|
syz |
|
|
22 |
1350d |
1351d
|
3/3 |
1350d |
398f36d55ce0
PR port-amd64/55083 (assertion "pmap->pm_stats.resident_count == PDP_SIZE" failed)
|
|
assert failed: ptp->wire_count == 1
|
C |
|
|
16 |
1351d |
1351d
|
3/3 |
1351d |
4538c4a0a4c9
Pacify assertion in a failure path.
|
|
assert failed: (opte & (PTE_A | PTE_P)) != PTE_A
|
C |
|
|
15 |
1351d |
1354d
|
3/3 |
1351d |
4f0135d6fae3
- pmap_enter(): under low memory conditions, if PTP allocation succeeded and then PV entry allocation failed, PTP pages were being freed without their struct pmap_page being reset back to the non-PTP setup, which then caused havoc with pmap_page_removed(). Fix it.
|
|
panic: pmap_check_pv: ADDR/ADDR missing on pp ADDR
|
syz |
|
|
60 |
1351d |
1352d
|
3/3 |
1351d |
4f0135d6fae3
- pmap_enter(): under low memory conditions, if PTP allocation succeeded and then PV entry allocation failed, PTP pages were being freed without their struct pmap_page being reset back to the non-PTP setup, which then caused havoc with pmap_page_removed(). Fix it.
|
|
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/vfs_mount.c:LINE, member access wi
|
|
|
|
1446 |
1362d |
1437d
|
3/3 |
1361d |
431ed6f61bc2
- Pad kmem cache names with zeros so vmstat -m and -C are readable. - Exclude caches with size not a factor or multiple of the coherency unit.
4c7232d4a136
KMEM_SIZE: append the size_t to the allocated buffer, rather than prepending, so it doesn't screw up the alignment of the buffer.
|
|
ASan: Unauthorized Access in ifreq_setaddr
|
C |
|
|
6 |
1427d |
1427d
|
3/3 |
1362d |
36f08dfcb97c
Don't forget to initialize 'sin6_len'. With kASan, from time to time the value will be bigger than the size of the source, and we get a read overflow. With kMSan the uninitialized access is detected immediately.
|
|
MSan: Uninitialized Memory in getsockopt
|
C |
|
|
37 |
1376d |
1377d
|
3/3 |
1362d |
559c53d028d6
Zero out 'tv', to prevent uninitialized bytes in its padding from leaking to userland. Found by kMSan.
|
|
assert failed: l->l_stat == LSONPROC
|
C |
|
|
645 |
1373d |
1387d
|
3/3 |
1362d |
f61617cee78c
exit1(): remove from the radix tree before setting zombie status, as radix_tree_remove_node() can block on locks when freeing.
|
|
ASan: Unauthorized Access in mutex_oncpu
|
C |
|
|
24521 |
1362d |
1423d
|
3/3 |
1362d |
e78f9b4fde02
A final set of scheduler tweaks:
|
|
MSan: Uninitialized Memory in bus_dmamap_sync
|
C |
|
|
16 |
1372d |
1377d
|
3/3 |
1362d |
b1f6fd939ed8
Zero out the padding in 'd_namlen', to prevent info leaks. Same logic as ufs_makedirentry().
|
|
assert failed: ci->ci_tlbstate != TLBSTATE_VALID
|
C |
|
|
123 |
1445d |
1446d
|
3/3 |
1378d |
ea92f12b1800
uvm_pagerealloc() can now block because of radixtree manipulation, so defer freeing PTPs until pmap_unmap_ptes(), where we still have the pmap locked but can finally tolerate context switches again.
|
|
assert failed: pmap->pm_ncsw == curlwp->l_ncsw
|
C |
|
|
30 |
1445d |
1446d
|
3/3 |
1378d |
ea92f12b1800
uvm_pagerealloc() can now block because of radixtree manipulation, so defer freeing PTPs until pmap_unmap_ptes(), where we still have the pmap locked but can finally tolerate context switches again.
|
|
assert failed: pmap->pm_ncsw == lwp_pctr()
|
|
|
|
2 |
1438d |
1442d
|
3/3 |
1378d |
680f3a8667de
pmap_get_ptp(): the uvm_pagefree() call in the failure case can block too. Pacify the assertion in pmap_unmap_ptes().
|
|
assert failed: pg->offset >= nextoff
|
C |
|
|
10 |
1443d |
1444d
|
3/3 |
1378d |
3f49a1ff579b
genfs_do_putpages(): add a missing call to uvm_page_array_advance().
|
|
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/init_main.c:LINE, left shift of AD
|
|
|
|
9 |
1438d |
1439d
|
3/3 |
1378d |
1e5952fd4837
Fix integer overflow when printing available memory size (resulting from a cast lost during merges).
|
|
netbsd boot error: panic: LOCKDEBUG: Mutex error: _mutex_init,363: already initialized
|
|
|
|
51 |
1443d |
1444d
|
3/3 |
1378d |
dc1bd2c9382b
Fix LOCKDEBUG panic on mutex_init().
|
|
assert failed: lwp_locked(l, l->l_cpu->ci_schedstate.spc_lwplock)
|
C |
|
|
2676 |
1465d |
1466d
|
2/3 |
1462d |
lwp_start(): don't try to change the target CPU. Fixes potential panic in setrunnable(). Oops, experimental change that escaped.
|
|
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/netinet/tcp_congctl.c:LINE, unsigned in
|
syz |
|
|
28 |
1471d |
1483d
|
2/3 |
1471d |
1f03898791a3
Don't allow zero sized segments that will panic the stack. Reported-by: syzbot+5542516fa4afe7a101e6@syzkaller.appspotmail.com
|
|
ASan: Unauthorized Access in __asan_load8
|
syz |
|
|
39 |
1476d |
1595d
|
2/3 |
1473d |
9ea67c54e50f
in uvm_fault_lower_io(), fetch all the map entry values that we need before we unlock everything.
|
|
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/dev/raidframe/rf_netbsdkintf.c:LINE, me
|
|
|
|
114 |
1492d |
1496d
|
2/3 |
1473d |
41eeee0166bf
Get &rsc->sc_dksc only when we know 'rsc' is not NULL. This was actually harmless because we didn't use the pointer then.
|
|
panic: m_copydata(ADDR,2,48,ADDR): m=NULL, off=0 (48), len=2 (0)
|
C |
|
|
3 |
1478d |
1479d
|
2/3 |
1473d |
624f3f7406ee
Add more checks in ip6_pullexthdr, to prevent a panic in m_copydata. The Rip6 entry point could see a garbage Hop6 option.
|
|
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/arch/x86/x86/pmap.c:LINE, member access
|
|
|
|
6 |
1473d |
1475d
|
2/3 |
1473d |
4acdfa6ced5b
Add a NULL check on the structure pointer, not to retrieve its first field if it is NULL. The previous code was not buggy strictly speaking. This change probably doesn't change anything, except removing assumptions in the compiler optimization passes, which too probably doesn't change anything in this case.
|
|
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/subr_disk_mbr.c:LINE, member acces
|
|
|
|
135 |
1484d |
1489d
|
2/3 |
1473d |
4e5cb50b58af
Avoid unaligned pointer arithmetic in check_label_magic()
|
|
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/vfs_subr.c:LINE, member access wit
|
|
|
|
99 |
1475d |
1484d
|
2/3 |
1473d |
473e202ba108
NULL-check the structure pointer, not the address of its first field. This is clearer and also appeases syzbot.
|
|
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/uipc_socket.c:LINE, null pointer p
|
C |
|
|
3 |
1512d |
1519d
|
2/3 |
1507d |
7b43da9e77aa
Add a check before the memcpy. memcpy is defined to never take NULL as second argument, and the compiler is free to perform optimizations knowing that this argument is never NULL.
|
|
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/net/rtsock_shared.c:LINE, shift exponen
|
C |
|
|
91 |
1507d |
1512d
|
2/3 |
1507d |
a1bd50f5a7d5
Error out if the type is beyond the storage size. No functional change, since the shift would otherwise 'and' against zero, returning EEXIST.
|
|
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/sys_ptrace_common.c:LINE, negation
|
C |
|
|
2 |
1511d |
1511d
|
2/3 |
1509d |
c18c9a670f07
Avoid signed integer overflow for -lwp where lwp is INT_MIN
|
|
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/kern_time.c:LINE, signed integer o
|
C |
|
|
3 |
1516d |
1516d
|
2/3 |
1516d |
8e3fd5b6989c
Check for valid timespec in clock_settime1()
|
|
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/subr_time.c:LINE, signed integer o
|
C |
|
|
2 |
1517d |
1517d
|
2/3 |
1517d |
ffd5d3e30b5f
Avoid signed integer overflow in ts2timo() for ts->tv_nsec
|
|
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/uvm/uvm_mmap.c:LINE, left shift of 1 by
|
C |
|
|
2 |
1517d |
1517d
|
2/3 |
1517d |
6c69d9fad1ca
Avoid left shift changing the signedness flag
|
|
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/sysv_msg.c:LINE, negation of -ADDR
|
C |
|
|
2 |
1517d |
1517d
|
2/3 |
1517d |
fa6363e63652
Avoid -LONG_MIN msgtyp in msgrcv(2) and treat it as LONG_MAX
|
|
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/crypto/nist_hash_drbg/nist_hash_drbg.c:
|
|
|
|
39 |
1532d |
1533d
|
2/3 |
1519d |
338a6d8211a1
Use an explicit run-time assertion where compile-time doesn't work.
|
|
panic: ifmedia_add: can't malloc entry
|
|
|
|
28 |
1520d |
1596d
|
2/3 |
1520d |
0ab44a811f8a
in ifmedia_add(), use a wait-style memory allocation rather than not waiting and panic'ing if the allocation fails.
|
|
page fault in __asan_load8
|
C |
|
|
4 |
1522d |
1553d
|
2/3 |
1520d |
db38f3713d52
in shmdt(), wait until shmat() completes before detaching.
|
|
page fault in shm_delete_mapping
|
syz |
|
|
17 |
1654d |
1667d
|
2/3 |
1520d |
db38f3713d52
in shmdt(), wait until shmat() completes before detaching.
|
|
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/kern_rndq.c:LINE, negation of -ADD
|
|
|
|
9 |
1523d |
1530d
|
2/3 |
1522d |
1c7f0224e7e0
Do all delta calculations strictly using uint32_t. Avoid integer overflows in calculating absolute deltas by subtracting the right way around.
|
|
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/net/rtsock_shared.c:LINE, member access
|
|
|
|
1 |
1529d |
1529d
|
2/3 |
1528d |
00ccc35339cc
Disable __NO_STRICT_ALIGNMENT on amd64/i386 for UBSan builds
|
|
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/netinet6/scope6.c:LINE, member access w (2)
|
syz |
|
|
91 |
1528d |
1531d
|
2/3 |
1528d |
00ccc35339cc
Disable __NO_STRICT_ALIGNMENT on amd64/i386 for UBSan builds
|
|
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/sys_select.c:LINE, signed integer
|
C |
|
|
2 |
1531d |
1531d
|
2/3 |
1531d |
7049e5e68831
Validate usec ranges in sys___select50()
|
|
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/netinet6/scope6.c:LINE, member access w
|
syz |
|
|
73 |
1531d |
1532d
|
2/3 |
1531d |
a5df2084c7a4
Decorate in6_clearscope() with __noubsan
|
|
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/vfs_syscalls.c:LINE, signed intege
|
C |
|
|
11 |
1531d |
1531d
|
2/3 |
1531d |
43bc9355ea3c
Validate usec ranges in do_sys_utimes()
|
|
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/subr_percpu.c:LINE, null pointer p
|
|
|
|
12 |
1533d |
1533d
|
2/3 |
1532d |
360cafb4be56
Decorate percpu_cpu_swap() with __noubsan
|
|
assert failed: buflen != 0
|
syz |
|
|
18 |
1538d |
1539d
|
1/3 |
1538d |
75eea5b7359a
As I suspected, the KASSERT I added yesterday can fire if we try to process zero-sized packets. Skip them to prevent a type confusion that can trigger random page faults later.
|
|
assert failed: (c->c_flags & CALLOUT_PENDING) == 0
|
C |
|
|
2918 |
1602d |
1739d
|
1/3 |
1539d |
80a06cecc711
Fix race in timer destruction.
|
|
assert failed: c->c_cpu->cc_lwp == curlwp || c->c_cpu->cc_active != c
|
C |
|
|
247 |
1600d |
1740d
|
1/3 |
1558d |
80a06cecc711
Fix race in timer destruction.
|
|
assert failed: to_ticks >= 0 (2)
|
C |
|
|
70 |
1613d |
1671d
|
1/3 |
1558d |
4952945bc9cb
Clamp tcp timer quantities to reasonable ranges.
|
|
assert failed: pg->wire_count != 0 (2)
|
C |
|
|
174 |
1602d |
1624d
|
1/3 |
1558d |
95ce9a69b407
fix two bugs reported in https://syzkaller.appspot.com/bug?id=8840dce484094a926e1ec388ffb83acb2fa291c9
|
|
assert failed: pg->wire_count > 0
|
C |
|
|
6 |
1725d |
1738d
|
1/3 |
1558d |
6eb7fd2b53ce
Acquire shmseg uobj reference while we hold shm_lock.
|
|
assert failed: uvm_page_locked_p(pg)
|
C |
|
|
44 |
1601d |
1612d
|
1/3 |
1601d |
b5e559801c7e
Add missing lock around pmap_protect. ok, chs@
|
|
panic: LOCKDEBUG: Reader / writer lock error: rw_vector_exit,449: not held by current LWP
|
C |
|
|
3 |
1616d |
1617d
|
1/3 |
1614d |
e4c2eafeb5ab
Fix bug, don't release the reflock if we didn't take it in the first place. Looks like there are other locking issues in here.
|
|
ASan: Unauthorized Access in exec_makepathbuf
|
syz |
|
|
2 |
1622d |
1622d
|
1/3 |
1618d |
abb1684df1f5
Fix buffer overflow. It seems that some people need to go back to the basics of C programming.
|
|
page fault in uvm_fault
|
C |
|
|
2 |
1624d |
1624d
|
1/3 |
1624d |
00dad9ea5158
Correct wrong type of uio_seg passed to do_sys_mknodat()
|
|
assert failed: !
|
|
|
|
2 |
1624d |
1624d
|
1/3 |
1624d |
00dad9ea5158
Correct wrong type of uio_seg passed to do_sys_mknodat()
|
|
assert failed: pmap->pm_obj[i].uo_npages == 0
|
C |
|
|
58 |
1654d |
1734d
|
1/3 |
1624d |
in uvm_map_protect(), do a pmap_update() before possibly switching from removing pmap entries to creating them. this fixes the problem reported in https://syzkaller.appspot.com/bug?id=cc89e47f05e4eea2fd69bcccb5e837f8d1ab4d60
|
|
assert failed: pg->wire_count != 0
|
C |
|
|
45 |
1656d |
1720d
|
1/3 |
1624d |
shmctl(SHM_LOCK) does not need to mess with mappings of the shm segment, uvm_obj_wirepages() is sufficient. this fixes the problem reported in https://syzkaller.appspot.com/bug?id=71f9271d761f5b6ed517a18030dc04f0135e6179
|
|
assert failed: mutex_owned(pipe->pipe_lock)
|
|
|
|
39 |
1678d |
1738d
|
1/3 |
1670d |
7abfdd368b0d
Clean up pipe structure before recycling it.
|
|
assert failed: to_ticks >= 0
|
C |
|
|
2547 |
1690d |
1739d
|
1/3 |
1690d |
797b68a5c224
Add more checks, if the values are negative we hit a KASSERT later in the timeout.
|
|
ASan: Unauthorized Access in vioscsi_scsipi_request
|
syz |
|
|
1841 |
1691d |
1727d
|
1/3 |
1691d |
b60093a0824f
Fix use-after-free. If we're not polling, virtio_enqueue_commit() will send the transaction, and it means 'xs' can be immediately freed. So, save the value of xs_control beforehand.
|
|
panic: receive 3
|
C |
|
|
5 |
1732d |
1740d
|
1/3 |
1703d |
c78c83f0efb3
Also check for MT_CONTROL, and end the receive operation if we see one. It is possible to get an MT_CONTROL if we sleep in MSG_WAITALL. The other BSDs do the same.
|
|
assert failed: vp->v_usecount != 0
|
C |
|
|
108 |
1723d |
1739d
|
1/3 |
1723d |
713042b84b5e
Take a reference on ndp->ni_rootdir and ndp->ni_erootdir.
|
|
assert failed: vp->v_type == VREG
|
C |
|
|
139 |
1728d |
1739d
|
1/3 |
1728d |
21e56f354bb4
Change vn_openchk() to fail VNON and VBAD with error ENXIO.
|
|
assert failed: vp->v_type == VREG || vp->v_type == VDIR
|
C |
|
|
1085 |
1728d |
1739d
|
1/3 |
1728d |
21e56f354bb4
Change vn_openchk() to fail VNON and VBAD with error ENXIO.
|
|
assert failed: c->c_magic == CALLOUT_MAGIC
|
C |
|
|
1645 |
1739d |
1740d
|
1/3 |
1732d |
The callout is used by any nonvirtual timer including CLOCK_MONOTONIC and needs to be initialized.
|
|
assert failed: so->so_lock == NULL
|
C |
|
|
5 |
1737d |
1738d
|
1/3 |
1737d |
516d295318eb
Fix locking: it is fine if the lock is already key_so_mtx, this can happen in socketpair. In that case don't take it.
|
|
assert failed: so->so_pcb == NULL
|
C |
|
|
6 |
1738d |
1739d
|
1/3 |
1738d |
fa4f0f367829
Fix the order in udp6_attach: soreserve should be called before in6_pcballoc, otherwise if it fails there is still a PCB attached, and we hit a KASSERT in socreate. In !DIAGNOSTIC this would have caused a memory leak.
|
|
assert failed: requested_size > 0
|
C |
|
|
19 |
1738d |
1740d
|
1/3 |
1738d |
09915c34c237
Reading a directory may trigger a panic when the buffer is too small. Adjust necessary checks.
|
|
ASan bug (2)
|
C |
|
|
347 |
1738d |
1739d
|
1/3 |
1738d |
d020c71c0cee
RIP6, CAN, SCTP and SCTP6 lack a length check in their _send() functions. Fix RIP6 and CAN, add a big XXX in the SCTP ones.
|
|
ASan bug
|
C |
|
|
302 |
1739d |
1740d
|
1/3 |
1739d |
d26f60da72b3
RIP, RIP6, DDP, SCTP and SCTP6 lack a length check in their _connect() functions. Fix the first three, and add a big XXX in the SCTP ones.
|