syzbot


Title Repro Cause bisect Fix bisect Count Last Reported Patched Closed Patch
UBSan: Undefined Behavior in ip_ctloutput C 22 36d 39d 3/3 8d22h 74557efd80ae tcp: restore NULL check for inp in tcp_ctloutput
page fault in ip_ctloutput C 18 36d 39d 3/3 8d22h 74557efd80ae tcp: restore NULL check for inp in tcp_ctloutput
UBSan: Undefined Behavior in tcp_bind_wrapper C 8 37d 39d 3/3 8d22h 443b5cdb2251 tcp: restore NULL checks for inp
UBSan: Undefined Behavior in tcp_shutdown_wrapper C 45 36d 39d 3/3 8d22h 443b5cdb2251 tcp: restore NULL checks for inp
page fault in tcp_bind_wrapper C 9 38d 39d 3/3 8d22h 443b5cdb2251 tcp: restore NULL checks for inp
page fault in tcp_recvoob_wrapper C 23 36d 39d 3/3 8d22h 443b5cdb2251 tcp: restore NULL checks for inp
page fault in tcp_sockaddr_wrapper C 32 36d 39d 3/3 8d22h 443b5cdb2251 tcp: restore NULL checks for inp
UBSan: Undefined Behavior in ip6_ctloutput C 5 37d 39d 3/3 8d22h 74557efd80ae tcp: restore NULL check for inp in tcp_ctloutput
page fault in ip_setmoptions C 2 39d 39d 3/3 8d22h 74557efd80ae tcp: restore NULL check for inp in tcp_ctloutput
page fault in ip6_ctloutput C 4 37d 39d 3/3 8d22h 74557efd80ae tcp: restore NULL check for inp in tcp_ctloutput
UBSan: Undefined Behavior in tcp_listen_wrapper C 15 36d 39d 3/3 8d22h 443b5cdb2251 tcp: restore NULL checks for inp
UBSan: Undefined Behavior in tcp_connect_wrapper C 23 36d 39d 3/3 8d22h 443b5cdb2251 tcp: restore NULL checks for inp
UBSan: Undefined Behavior in tcp_recvoob_wrapper C 26 36d 39d 3/3 8d22h 443b5cdb2251 tcp: restore NULL checks for inp
UBSan: Undefined Behavior in tcp_sockaddr_wrapper C 25 36d 39d 3/3 8d22h 443b5cdb2251 tcp: restore NULL checks for inp
page fault in tcp_connect_wrapper C 18 36d 39d 3/3 8d22h 443b5cdb2251 tcp: restore NULL checks for inp
page fault in tcp_listen_wrapper C 17 36d 39d 3/3 8d22h 443b5cdb2251 tcp: restore NULL checks for inp
page fault in tcp_shutdown_wrapper C 36 36d 39d 3/3 8d22h 443b5cdb2251 tcp: restore NULL checks for inp
UBSan: Undefined Behavior in lf_advlock (3) C 2 32d 32d 3/3 9d09h e0ee0bc32a6c kern/vfs_lockf.c: Parenthesize to make arithmetic match check.
assert failed: !topdown || hint <= orig_hint C 474 12d 184d 3/3 12d 49a9e42355ae mmap(2): Avoid arithmetic overflow in search for free space.
page fault in umap_bypass C 9 14d 20d 3/3 13d fefafd42995a When testing whiteout support on the underlying file system, union_mount() should not use a NULL componentname as not all file systems can handle it.
UBSan: Undefined behavior (7) 1 19d 19d 3/3 13d fefafd42995a When testing whiteout support on the underlying file system, union_mount() should not use a NULL componentname as not all file systems can handle it.
UBSan: Undefined Behavior in umap_bypass C 30 14d 20d 3/3 13d fefafd42995a When testing whiteout support on the underlying file system, union_mount() should not use a NULL componentname as not all file systems can handle it.
assert failed: fstrans_is_owner(mp) (2) C 3 43d 43d 3/3 26d 37e47eb3a7f8 Tmpfs_mount() uses tmpfs_unmount() for cleanup if set_statvfs_info() fails. This will not work as tmpfs_unmount() needs a suspended file system.
UBSan: Undefined Behavior in quota1_handle_cmd_get C 2 77d 77d 3/3 76d 6241f37f7221 compat_50_quota: reject invalid quota id types.
UBSan: Undefined Behavior in bpf_ioctl (2) C 2 95d 95d 3/3 94d 96084e21d7d0 bpf(4): Reject bogus timeout values before arithmetic overflows.
page fault in raidioctl 1 101d 101d 3/3 101d e3bae91b3a9c RAIDframe must be initialized for the RAIDFRAME_SET_LAST_UNIT and RAIDFRAME_SHUTDOWN ioctls.
assert failed: (l = dev->dv_detaching) == curlwp C 2 105d 105d 3/3 102d 5842e5235641 audio(4): Fix bug in detaching audio16 and beyond.
UBSan: Undefined Behavior in config_detach_commit C 13 104d 115d 3/3 102d 5842e5235641 audio(4): Fix bug in detaching audio16 and beyond.
panic: netbsd:vpanic+0x282 1 123d 123d 3/3 102d 5842e5235641 audio(4): Fix bug in detaching audio16 and beyond.
page fault in __asan_load8 (6) C 23 104d 143d 3/3 102d 5842e5235641 audio(4): Fix bug in detaching audio16 and beyond.
page fault in config_detach_commit C 8 104d 115d 3/3 102d 5842e5235641 audio(4): Fix bug in detaching audio16 and beyond.
assert failed: dev->dv_detaching == curlwp C 236 116d 231d 3/3 102d 5842e5235641 audio(4): Fix bug in detaching audio16 and beyond.
assert failed: kpreempt_disabled() (2) syz 4 112d 112d 3/3 106d 1e8b246aa870 KERNEL_LOCK(9): Need kpreempt_disable to ipi_send, oops.
assert failed: curcpu() != ci C 1 112d 112d 3/3 111d e94ab9ad30fc KERNEL_LOCK(9): Record kernel lock holder in fast path too.
assert failed: lktype != LK_NONE C 8 234d 234d 3/3 113d Fix mistake in error branch locking caused by previous changes. vput(vp) also unlocks vp, thus unlocking happens twice in error flow causing kernel to panic with failed assertion lktype != LK_NONE in vfs_vnode.c#778. Thanks riastradh for finding the issue.
assert failed: sn->sn_opencnt 18 121d 219d 3/3 115d e36719e62463 specfs: Refuse to open a closing-in-progress block device.
MSan: Uninitialized Memory in rum_attach syz 2 116d 116d 3/3 115d eeae2d6aafc0 rum(4): Avoid uninitialized garbage in failed register read.
assert failed: sd->sd_closing C 20 148d 235d 3/3 115d e36719e62463 specfs: Refuse to open a closing-in-progress block device.
assert failed: !fmi->fmi_gone C 3 138d 139d 3/3 117d 5a9a0651d6d1 Finish previous, evaluate the lowest mount on first access to "struct mount_info" and store it here so we no longer dereference the "struct mount" from fstrans_alloc_lwp_info().
page fault in vrefcnt syz 2 122d 122d 3/3 117d 99225d721c88 raidframe: reject invalid values for numCol and numSpares
MSan: Uninitialized Memory in rf_UnconfigureVnodes syz 5 121d 123d 3/3 117d 99225d721c88 raidframe: reject invalid values for numCol and numSpares
ASan: Unauthorized Access in rf_UnconfigureVnodes syz 8 121d 123d 3/3 117d 99225d721c88 raidframe: reject invalid values for numCol and numSpares
panic: kmem_free(ADDR, NUM) != allocated size NUM; overwrote? C 3 127d 127d 3/3 117d 1bfb199dffe9 ptyfs: Don't copy out cookies past end of buffer.
UBSan: Undefined Behavior in vrefcnt syz 5 121d 123d 3/3 118d 99225d721c88 raidframe: reject invalid values for numCol and numSpares
UBSan: Undefined Behavior in sys_rasctl (2) C 4 120d 121d 3/3 120d 750664289176 rasctl(2): Avoid arithmetic overflow.
panic: mutex_destroy,NUM: uninitialized lock (lock=ADDR, from=ADDR) (4) C 4 122d 122d 3/3 121d 18706df55dd2 uirda(4): Unconditionally initializes mutexes and selq on attach.
netbsd boot error: panic: pmap_get_physpage: out of memory 51 123d 126d 3/3 122d e43aa3d0a720 allow KMSAN to work again by restoring the limiting of kva even with NKMEMPAGES_MAX_UNLIMITED. We used to limit kva to 1/8 of physmem but limiting to 1/4 should be enough, and 1/4 still gives the kernel enough kva to map all of the RAM that KMSAN has not stolen.
UBSan: Undefined Behavior in sys_rasctl C 10 123d 126d 3/3 123d 5a2ff75e91f2 rasctl(2): Avoid overflow in address range arithmetic.
ASan: Unauthorized Access in _prop_object_internalize_context_alloc C 6 125d 125d 3/3 123d b07b55c43e9d proplib: Don't run off end of buffer with memcmp.
panic: ASan: Unauthorized Access In ADDR: Addr ADDR [NUM bytes, write, MallocRedZone] C 1 127d 127d 3/3 123d 1bfb199dffe9 ptyfs: Don't copy out cookies past end of buffer.
UBSan: Undefined Behavior in lf_advlock (2) C 2 126d 126d 3/3 123d 6160c84baeee kern/vfs_lockf.c: Fix overflow in overflow detection.
UBSan: Undefined Behavior in physio.cold C 2 641d 641d 3/3 149d 231bda81c428 physio(9): Avoid left shift of negative in alignment check.
assert failed: l->l_lid == pls->pl_lwpid C 133 149d 929d 3/3 149d 3f5ac2f440aa ptrace(PT_LWPSTATUS): Fix lid=0 case.
UBSan: Undefined Behavior in compat_43_ttioctl.cold (2) C 119 151d 740d 3/3 149d db2a7d4c4cc1 tty_43: Do unsigned arithmetic to avoid shift into sign bits.
UBSan: Undefined Behavior in cpuctl_ioctl.cold C 44 152d 622d 3/3 149d e62908ab2c73 cpuio.h: Use uint8_t, not bool.
UBSan: Undefined Behavior in tty_get_qsize.cold.5 C 63 817d 831d 3/3 149d 813e77a1763b tty: Avoid undefined behaviour (left shift of 1 by 31 places overflows int)
UBSan: Undefined Behavior in compat_43_ttioctl.cold.0 C 122 816d 878d 3/3 149d defc761d62d0 tty_43: Check a bitset from userspace is valid before shifting it
assert failed: fli != NULL && !fli->fli_mountinfo->fmi_gone C 4 636d 636d 3/3 151d 671da12271d4 While one thread runs vgone() it is possible for another thread to grab a "v_mount" that will be freed before it uses this mount for fstrans_start().
panic: dead fs operation used C 109 153d 744d 3/3 151d 32be16051d40 Make dead vfs ops "vfs_statvfs" and "vfs_vptofh" return EOPNOTSUPP. Both operations may originate from (possibly dead) vnodes.
page fault in __asan_load8 (5) C 2 153d 153d 3/3 152d 6b856c8f6e96 ifioctl(9): Don't touch ifconf or ifreq until command is validated.
page fault in compat_ifconf C 1 153d 153d 3/3 152d 6b856c8f6e96 ifioctl(9): Don't touch ifconf or ifreq until command is validated.
UBSan: Undefined Behavior in compat_ifconf C 37 153d 358d 3/3 152d 6b856c8f6e96 ifioctl(9): Don't touch ifconf or ifreq until command is validated.
UBSan: Undefined Behavior in udv_attach C 2 154d 154d 3/3 153d 6d1b75178a5e mmap(2): Prohibit overflowing offsets for non-D_NEGOFFSAFE devices.
MSan: Uninitialized Memory in pppioctl C 3 194d 216d 3/3 153d e177be5238ae net/if_ppp.c: Avoid user-controlled overrun in PPPIOCSCOMPRESS.
MSan: Uninitialized Memory in ifq_enqueue (2) C 6 185d 356d 3/3 157d 3b433a78ee01 sendto(2), recvfrom(2): Scrub internal struct msghdr on stack.
UBSan: Undefined Behavior in settime1.constprop.5 C 6 816d 916d 3/3 158d d5c20c2f7d03 kern_time: prevent the system clock from being set too low or high
page fault in __asan_store1 C 23 524d 525d 3/3 158d 6cfadad833d3 Improve Christos's vn_open fix.
UBSan: Undefined Behavior in route_filter C 3 159d 159d 3/3 158d 70513b4f7423 route(4): Use m_copydata, not misaligned mtod struct access.
UBSan: Undefined Behavior in lf_advlock C 138 161d 921d 3/3 158d d6d3d639ad0f vfs(9): Avoid arithmetic overflow in lf_advlock.
assert failed: p != NULL (2) C 5 178d 178d 3/3 158d a34629910b8a uvideo(4): Make alloc logic match free logic.
MSan: Uninitialized Memory in comintr (2) syz 3 198d 201d 3/3 158d 9c684c9e3ef6 ktrace(9): Zero-initialize padding for ktr_psig records.
panic: mutex_destroy,NUM: uninitialized lock (lock=ADDR, from=ADDR) (3) C 4 160d 160d 3/3 158d c3b2e7e402eb upgt(4): Make upgt_free_cmd match upgt_alloc_cmd.
panic: LOCKDEBUG: Mutex error: mi_userret,116: sleep lock held C 704 159d 798d 3/3 158d da30acf63b89 sequencer(4): Fix lock leak in ioctl(FIOASYNC).
assert failed: (!cpu_intr_p() && !cpu_softintr_p()) || (pc->pc_pool.pr_ipl != IPL_NONE || cold || panicstr != NULL) C 5398 160d 408d 3/3 160d 4f46ee441c5f ktrace(9): Fix mutex detection in ktrcsw. 1d15b657dfc5 sleepq(9): Pass syncobj through to sleepq_block.
panic: vfs load failed for `compat_12', error NUM (2) 1 234d 234d 3/3 160d 4f46ee441c5f ktrace(9): Fix mutex detection in ktrcsw.
UBSan: Undefined Behavior in compat_50_route_output (2) C 3 160d 160d 3/3 160d b9a4870fdb04 route(4): Avoid unaligned access to struct rt_msghdr, take two.
assert failed: usp->tv_nsec >= NUM C 31 160d 160d 3/3 160d 330d9a16b68d recvmmsg(2): More timespec validation.
assert failed: usp->tv_nsec < ADDRL C 79 160d 161d 3/3 160d 330d9a16b68d recvmmsg(2): More timespec validation.
panic: ernel diagnostic assertion "(!cpu_intr_p() && !cpu_softintr_p()) || (pc->pc_pool.pr_ipl != IPL_NONE || cold || pa 1 234d 234d 3/3 160d 4f46ee441c5f ktrace(9): Fix mutex detection in ktrcsw.
page fault in rf_fail_disk C 1 163d 163d 3/3 161d 6e31bf7e569b RAIDframe must be initialized for the RAIDFRAME_FAIL_DISK80 ioctl.
page fault in uaudio_attach C 3 349d 350d 3/3 161d ecda112d2906 Fix a null-deref
assert failed: pipe != NULL C 5 354d 714d 3/3 161d 5d65fbf22096 umidi(4): Fix fencepost in error branch.
panic: tcp_output: no template C 5612 163d 1379d 3/3 161d a47097a91a2f tcp(4): Bail early on sendoob if not connected.
assert failed: tp->t_oproc != NULL C 3 176d 176d 3/3 161d 8817d8b129ca remove KASSERT() checking for t_oproc at open since assigning this line discipline to a pty may not have that set. Instead do a runtime check to ensure that the function exists before calling it, as ttstart() handles it.
UBSan: Undefined Behavior in rf_fail_disk C 2 163d 163d 3/3 161d 6e31bf7e569b RAIDframe must be initialized for the RAIDFRAME_FAIL_DISK80 ioctl.
UBSan: Undefined Behavior in gettimeleft C 20 168d 631d 3/3 161d 149cd1f02f69 kern: Avoid arithmetic overflow in gettimeleft.
UBSan: Undefined Behavior in sys_recvmmsg C 491 162d 850d 3/3 161d 47b7f8298b9c recvmmsg(2): Avoid arithmetic overflow in timeout calculations.
ASan: Unauthorized Access in ktr_kuser C 23 170d 406d 3/3 162d 32940ff2d05e sendmsg(2): Avoid buffer overrun in ktrace of invalid cmsghdr.
UBSan: Undefined Behavior in ts2timo (3) C 16 163d 264d 3/3 163d 050d0d0e0df3 kern: Use timespecsubok in ts2timo.
assert failed: requested_size > NUM C 7 165d 188d 3/3 163d b1bf11ebc734 umcs(4): Reject invalid interrupt endpoints.
UBSan: Undefined Behavior in dosetitimer.part.NUM C 147 164d 285d 3/3 163d bdea235f0e41 setitimer(2): Guard against overflow in arithmetic.
UBSan: Undefined behavior (5) 1 180d 180d 3/3 163d 98f42405fa12 route(4): Avoid unaligned access to struct rt_msghdr.
assert failed: ci != NULL C 4 192d 192d 3/3 163d 30f5279af5f2 opencrypto(9): Fix missing initialization in error branch.
panic: mutex_destroy,NUM: uninitialized lock (lock=ADDR, from=ADDR) (2) C 8 163d 198d 3/3 163d bbad64b1ef71 emdtv(4): More attach/detach bugs.
UBSan: Undefined Behavior in itimer_callout C 6 171d 225d 3/3 163d 1fc081913bbe setitimer(2): Avoid arithmetic overflow in periodic bookkeeping.
UBSan: Undefined Behavior in uao_detach 2 231d 231d 3/3 231d d2452b9cc320 Revert "mmap(2): If we fail with a hint, try again without it."
ASan: Unauthorized Access in uvm_unmap_detach C 7 231d 232d 3/3 231d d2452b9cc320 Revert "mmap(2): If we fail with a hint, try again without it."
page fault in udv_detach 1 231d 231d 3/3 231d d2452b9cc320 Revert "mmap(2): If we fail with a hint, try again without it."
panic: vrelel: bad ref count C 2 231d 231d 3/3 231d d2452b9cc320 Revert "mmap(2): If we fail with a hint, try again without it."
ASan: Unauthorized Access in uao_reference 1 232d 232d 3/3 231d d2452b9cc320 Revert "mmap(2): If we fail with a hint, try again without it."
assert failed: (use & VUSECOUNT_MASK) > NUM C 22 231d 232d 3/3 231d d2452b9cc320 Revert "mmap(2): If we fail with a hint, try again without it."
page fault in uvm_mmap 1 231d 231d 3/3 231d d2452b9cc320 Revert "mmap(2): If we fail with a hint, try again without it."
panic: [ NUM.ADDR] vpanic() at netbsd:vpanic+0x2f2 1 231d 231d 3/3 231d d2452b9cc320 Revert "mmap(2): If we fail with a hint, try again without it."
ASan: Unauthorized Access in audio_track_set_format 1 235d 235d 3/3 231d a6fe4e24ed8a audio(4): Wait for opens to drain in detach.
assert failed: VOP_ISLOCKED(vp) == LK_EXCLUSIVE C 73 234d 235d 3/3 231d 1e4795ce6417 sequencer(4): VOP_CLOSE requires vnode lock.
UBSan: Undefined Behavior in rnd_detach_source C 9 331d 332d 3/3 231d aebb1bb3f2aa ucom(4): Make sure rndsource is attached before use and detach.
panic: spkr1 at audio1kernel diagnostic assertion "(target->prt_class == class)" failed: file "/syzkaller/managers/ci2-n 1 251d 251d 3/3 231d 65a628cc3991 audio(4): Use d_cfdriver/devtounit to avoid open/detach races.
ASan: Unauthorized Access in uvideo_attach 1 312d 312d 3/3 231d a2b03bc4c5c6 uvideo(4): Parse descriptors more robustly.
netbsd boot error: fault in supervisor mode 9 249d 249d 3/3 231d e86caeaead15 cgd(4): Omit technically-correct-but-broken adiantum dependency again.
netbsd boot error: assert failed: locks == curcpu()->ci_biglock_count 2 251d 251d 3/3 231d a2bbd8e60824 Revert "kern: Sprinkle biglock-slippage assertions."
netbsd boot error: UBSan: Undefined Behavior in node_insert 1 251d 251d 3/3 231d bdb3b6ca37d5 thmap(9): Handle memory allocation failure in root_try_put.
netbsd boot error: assert failed: ci->ci_ilevel <= IPL_VM 18 250d 250d 3/3 231d 7711fbd98321 cgd(4): Remove recently added dependency on adiantum.
MSan: Uninitialized Memory in umcs7840_attach C 5 232d 234d 3/3 231d fed82111aa68 umcs(4): Avoid using uninitialized data if register read fails.
netbsd boot error: assert failed: curlwp->l_pflag & LP_BOUND 36 257d 258d 3/3 231d 517fa18875c3 entropy(9): Call entropy_softintr while bound to CPU.
netbsd boot error: MSan: Uninitialized Memory in bus_dmamap_sync 177 304d 313d 3/3 249d 9fdc83c65c2c Initialize "replun" -- found with KMSAN.
ASan: Unauthorized Access in umidi_attach C 69 264d 891d 3/3 261d c93ed7949833 umidi(4): Parse descriptors a little more robustly.
ASan: Unauthorized Access in usbd_get_no_alts C 4 348d 625d 3/3 262d 4fc17b686835 usbdi(9): Fix usbd_get_no_alts.
assert failed: filter->bf_insn != NULL C 114 268d 845d 3/3 266d 2423db936554 bpf(4): Handle null bf_insn on free.
UBSan: Undefined Behavior in do_posix_fadvise 1 267d 267d 3/3 266d 3286f906fb15 posix_fadvise(2): Detect arithmetic overflow without UB.
assert failed: fvp != tvp C 11 413d 413d 3/3 266d Don't use genfs_rename_knote() in the "rename foo over hard-link to itself" case, which simply results in removing the "from" name; there are assertions in genfs_rename_knote() that are too strong for that case.
assert failed: !(timo == NUM && intr == false) C 4 416d 416d 3/3 266d - microtime -> microuptime - avoid kpause with timeo=0
assert failed: kpreempt_disabled() C 12 267d 267d 3/3 266d bd8b949ef376 tun(4): Fix bug introduced in previous locking change.
assert failed: requested_size > 0 (2) C 20 348d 712d 3/3 267d 10451e2cccd7 umidi(4): Bail early if no endpoints.
panic: ugen0 at uhub3kernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd-kmsan/kernel/ 1 274d 274d 3/3 267d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
assert failed: pb->pb_pathcopyuses == NUM C 3 337d 337d 3/3 267d 7514fbbbd886 ccd(4): Only pathbuf_destroy if pathbuf_copyin succeeded.
assert failed: maxblksize > NUM C 4 318d 334d 3/3 267d e6b54244c0ea pad(4): Do harmless, not harmful, integer truncation.
panic: pad3: outputs: 44100Hz, NUM-bit, stereo C 1 334d 333d 3/3 267d e6b54244c0ea pad(4): Do harmless, not harmful, integer truncation.
panic: audio0: detached 1 318d 318d 3/3 267d e6b54244c0ea pad(4): Do harmless, not harmful, integer truncation.
UBSan: Undefined Behavior in vn_open C 34 524d 525d 3/3 267d PR/56286: Martin Husemann: Fix NULL deref on kmod load. - No need to set ret_domove and ret_fd in the regular case, they are meaningless - KASSERT instead of setting errno and then doing the NULL deref.
UBSan: Undefined Behavior in sys_lseek C 2 805d 805d 3/3 267d 3df3ff399023 vfs(9): Avoid arithmetic overflow in vn_seek.
assert failed: pb->pb_pathcopy == NULL C 2 337d 337d 3/3 267d 7514fbbbd886 ccd(4): Only pathbuf_destroy if pathbuf_copyin succeeded.
panic: cdce0: could not find data bulk in syz 2 352d 352d 3/3 267d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
assert failed: KERNEL_LOCKED_P() C 32 542d 542d 3/3 267d ea2ec439285b autoconf(9): Take kernel lock in a few entry points.
panic: uhidev0: no report descriptor syz 18 278d 877d 3/3 267d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
assert failed: ret == 0 C 6950 269d 887d 3/3 267d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: _bpfattach: out of memory (2) 3 329d 332d 3/3 267d 6583daf00fe7 bpf(4): Nix KM_NOSLEEP and prune dead branch.
panic: vfs load failed for `compat_12', error NUM 1 299d 299d 3/3 267d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
assert failed: un->un_ops->uno_init C 72 276d 278d 3/3 267d ee8fc1216476 usbnet(9): uno_init is now optional.
panic: port NUM (addr NUM) disconnected 2 306d 334d 3/3 267d 66c98a4e0989 tun(4): Reduce lock from IPL_NET to IPL_SOFTNET.
panic: LOCKDEBUG: Mutex error: mutex_vector_enter,517: spin lock held C 3 512d 512d 3/3 267d 66c98a4e0989 tun(4): Reduce lock from IPL_NET to IPL_SOFTNET.
panic: LOCKDEBUG: Mutex error: mutex_vector_enter,516: spin lock held (2) C 1221 268d 895d 3/3 267d 66c98a4e0989 tun(4): Reduce lock from IPL_NET to IPL_SOFTNET.
UBSan: Undefined Behavior in ntp_adjtime1.cold syz 17 284d 318d 3/3 268d 474e77ba55fc ntp(9): Avoid left shift of negative.
panic: mutex_destroy,NUM: uninitialized lock (lock=ADDR, from=ADDR) C 16 304d 355d 3/3 268d 2fdd42007862 auvitek(4): Fix i2c detach if attach failed.
ASan: Unauthorized Access in usbd_fill_iface_data (2) C 44 270d 724d 3/3 268d c99728e8e835 usb: Parse descriptors a little more robustly.
UBSan: Undefined Behavior in nanosleep1 C 2 270d 270d 3/3 268d ea5d6c83afbb kern: Handle clock winding back in nanosleep1 without overflow.
UBSan: Undefined Behavior in ts2timo (2) C 9 272d 364d 3/3 268d 436b0e7a824d kern: Fix fencepost error in ts2timo overflow checks.
panic: kernel debugging assertion "pserialize_not_in_read_section()" failed: file "/syzkaller/managers/ci2-netbsd-kmsan/ (2) 1 284d 284d 3/3 268d 2e583ee4fb34 kern: Fix ordering of loads for pid_table and pid_tbl_mask.
panic: todo(ADDR) > MAXPHYS; minphys broken C 98 272d 883d 3/3 268d a0b28ef05dea kern: Use harmless, not harmful, integer truncation in physio.
MSan: Uninitialized Memory in proc_find_lwp_unlocked (3) 2 355d 436d 3/3 268d 2e583ee4fb34 kern: Fix ordering of loads for pid_table and pid_tbl_mask.
UBSan: Undefined Behavior in ntp_adjtime1 (2) syz 4 277d 287d 3/3 268d d09dda326024 ntp(9): Clamp ntv->offset to avoid arithmetic overflow on adjtime.
UBSan: Undefined Behavior in vn_seek C 3 270d 328d 3/3 268d 3df3ff399023 vfs(9): Avoid arithmetic overflow in vn_seek.
panic: kernel debugging assertion "pserialize_not_in_read_section()" failed: file "/syzkaller/managers/ci2-netbsd-kubsan 1 283d 283d 3/3 268d 2e583ee4fb34 kern: Fix ordering of loads for pid_table and pid_tbl_mask.
UBSan: Undefined Behavior in ktrace_thread C 74 269d 406d 3/3 268d 43695d47669a ktrace(9): Avoid stomping over colliding KTROP_SET.
netbsd boot error: panic: kmem_intr_free: zero size with pointer ADDR 12 312d 312d 3/3 268d 9cc20f90b6dc scsi(9): Handle bogus number of LUNs in SCSI_REPORT_LUNS.
UBSan: Undefined Behavior in config_devalloc C 149 743d 861d 3/3 268d d26fcc454c02 autoconf(9): Refuse to consider negative unit numbers in cfdata.
panic: TAILQ_* forw ADDR /syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/kern/kern_ktrace.c:LINE C 5 325d 360d 3/3 268d 43695d47669a ktrace(9): Avoid stomping over colliding KTROP_SET.
ASan: Unauthorized Access in cryptodev_mop 1 325d 325d 3/3 268d 0b42c65f0e14 crypto(4): Refuse count>1 for old CIOCNCRYPTM.
panic: TAILQ_* forw ADDR /syzkaller/managers/ci2-netbsd/kernel/sys/kern/kern_ktrace.c:LINE C 22 271d 357d 3/3 268d 43695d47669a ktrace(9): Avoid stomping over colliding KTROP_SET.
ASan: Unauthorized Access in ktrace_thread 1 343d 343d 3/3 268d 43695d47669a ktrace(9): Avoid stomping over colliding KTROP_SET.
MSan: Uninitialized Memory in pathbuf_destroy C 3 337d 337d 3/3 268d 7514fbbbd886 ccd(4): Only pathbuf_destroy if pathbuf_copyin succeeded.
panic: genfs: bad op (2) C 6 269d 342d 3/3 268d 8a0f95e19745 kernfs: Just fail with EOPNOTSUPP, don't panic, on VOP_BMAP.
page fault in ktrace_thread syz 82 269d 364d 3/3 268d 43695d47669a ktrace(9): Avoid stomping over colliding KTROP_SET.
panic: : playback C 1 318d 318d 3/3 268d e6b54244c0ea pad(4): Do harmless, not harmful, integer truncation.
panic: TAILQ_PREREMOVE head ADDR elm ADDR /syzkaller/managers/ci2-netbsd/kernel/sys/kern/kern_ktrace.c:LINE C 56 269d 406d 3/3 268d 43695d47669a ktrace(9): Avoid stomping over colliding KTROP_SET.
panic: TAILQ_PREREMOVE head ADDR elm ADDR /syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/kern/kern_ktrace.c:LINE syz 16 269d 400d 3/3 268d 43695d47669a ktrace(9): Avoid stomping over colliding KTROP_SET.
UBSan: Undefined Behavior in adjtime1 C 16 270d 313d 3/3 268d 8c7c3aafc611 kern: Clamp time_adjtime to avoid overflow.
panic: TAILQ_PREREMOVE head ADDR elm ADDR /syzkaller/managers/ci2-netbsd/kernel/sys/kern/kern_ktrace.c:LINEuhub5: device 1 340d 340d 3/3 268d 43695d47669a ktrace(9): Avoid stomping over colliding KTROP_SET.
MSan: Uninitialized Memory in emdtv_i2c_exec C 5 719d 720d 3/3 268d e377a775995a emdtv(4): If register read fails, read as all zero.
MSan: Uninitialized Memory in ktrace_thread C 450 269d 407d 3/3 268d 43695d47669a ktrace(9): Avoid stomping over colliding KTROP_SET.
panic: uhidev0: (0x0000) syz (0x0000), rev NUM.NUM/NUM.NUM, addr NUM, iclass NUM/NUM 1 313d 313d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: l diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/dev/usb/vhci.c 1 344d 344d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: ugen0: setting configuration index NUM failed 2 318d 360d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: urtwn0: failed to set configuration, err=IOERROR 1 316d 316d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: uhidev0: detached 3 280d 343d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: uhub5: device problem, disabling port NUM 6 271d 355d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: cdce0: faking address 1 289d 289d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
UBSan: Undefined Behavior in compat_30_sys_getdents C 3 272d 272d 3/3 269d 70f60ac004a0 compat_30: Avoid what might be technically undefined behaviour.
panic: port NUM configuration NUM interface 0kernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers syz 1 332d 332d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: device problem, disabling port NUM 1 336d 336d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: cdce0: detached 1 280d 280d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: uhidev0: no input interrupt endpoint C 6 325d 358d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: uhub4: device problem, disabling port NUM 7 288d 357d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: "/syzkaller/managers/ci2-netbsd/kernel/sys/dev/usb/vhci.c", line NUM 1 340d 340d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: uhub3: device problem, disabling port NUM 6 279d 346d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: (addr NUM) disconnected 1 282d 282d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: uhub0: device problem, disabling port NUM 8 269d 342d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: urtwn0: failed to set configuration, err=TIMEOUT 1 350d 350d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: [ NUM.ADDR] vpanic() at netbsd:vpanic+0x2d0 6 274d 429d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: ernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/dev/usb/vh 4 281d 391d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: uhub1: device problem, disabling port NUM 1 300d 300d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
UBSan: Undefined Behavior in bpf_ioctl C 2 302d 302d 3/3 269d 5fc53f70fbd5 bpf(4): Clamp read timeout to INT_MAX ticks to avoid overflow.
panic: ernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd/kernel/sys/dev/usb/vhci.c", 1 332d 332d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: [ NUM.ADDR] kernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd-kmsan/kernel/sy 1 291d 291d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: [ NUM.ADDR] vpanic() at netbsd:vpanic+0x9ec 2 279d 339d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
UBSan: Undefined Behavior in ffs_init_vnode.cold C 2 272d 272d 3/3 269d af0c4127e53d ffs: Fix 64-bit inode integer truncation.
UBSan: Undefined Behavior in soreceive (2) 1 278d 278d 3/3 269d a696f0e7b478 kern: m_copym(M_DONTWAIT) can fail; handle that case gracefully.
panic: ugen0 at uhub4 port 1kernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd/kernel 1 330d 330d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: [ NUM.ADDR] kernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd/kernel/sys/dev 2 344d 357d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: uhub2: device problem, disabling port NUM 2 272d 323d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: nostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/dev/usb/vhci.c", lin 1 284d 284d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
panic: [ NUM.ADDR] kernel diagnostic assertion "ret == NUM" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kernel/ 1 325d 325d 3/3 269d 2a45874ea846 vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.
ASan: Unauthorized Access in psignal (2) C 7 312d 672d 3/3 275d 39697e3841eb usb(4): Use atomics for usb_async_proc.
panic: kernel diagnostic assertion "searchdir != foundobj" failed: file "/syzkaller/managers/ci2-netbsd- 1 326d 326d 3/3 299d d848e76b2db6 Remove the assertion "searchdir != foundobj" from lookup_crossmount().
assert failed: searchdir != foundobj C 2326 299d 856d 3/3 299d d848e76b2db6 Remove the assertion "searchdir != foundobj" from lookup_crossmount().
panic: [ NUM.ADDR] kernel diagnostic assertion "searchdir != foundobj" failed: file "/syzkaller/managers/ci2-netbsd-kms 1 326d 326d 3/3 299d d848e76b2db6 Remove the assertion "searchdir != foundobj" from lookup_crossmount().
panic: spkr1 at audio1kernel diagnostic assertion "searchdir != foundobj" failed: file "/syzkaller/managers/ci2-netbsd/k 1 322d 322d 3/3 299d d848e76b2db6 Remove the assertion "searchdir != foundobj" from lookup_crossmount().
panic: vfs load failed for `udf', error 2kernel diagnostic assertion "searchdir != foundobj" failed: file "/syzkaller/ma 1 320d 320d 3/3 299d d848e76b2db6 Remove the assertion "searchdir != foundobj" from lookup_crossmount().
UBSan: Undefined Behavior in ntp_adjtime1 1 306d 306d 3/3 304d c4bf1cbe0ae2 kernel: Avoid arithmetic overflow in ntp_adjtime.
UBSan: Undefined behavior (3) 1 360d 360d 3/3 358d cb0d3ac0b2f0 Use unsigned to avoid undefined behavior. Found by kUBSan.
UBSan: Undefined Behavior in usb_free_device syz 1 421d 421d 3/3 417d 7a39e013fede Revert "usb: uhub: remove unnecessary delays when powering on ports"
page fault in __asan_load1 1 421d 421d 3/3 417d 7a39e013fede Revert "usb: uhub: remove unnecessary delays when powering on ports"
UBSan: Undefined Behavior in pppasyncstart.cold 18 444d 466d 3/3 435d 710579096c2c Use unsigned to avoid undefined behavior in pppasyncstart().
panic: _uvm_mapent_check: bad entry ADDR, line 2299 C 2 529d 529d 3/3 523d b82e1cbee4e4 in uvm_mapent_forkzero(), if the old entry was an object mapping, appease a debug check by setting the new entry offset to zero along with setting the new entry object pointer to NULL.
panic: _uvm_mapent_check: bad entry ADDR, line 1704 C 2 529d 529d 3/3 523d b82e1cbee4e4 in uvm_mapent_forkzero(), if the old entry was an object mapping, appease a debug check by setting the new entry offset to zero along with setting the new entry object pointer to NULL.
panic: _uvm_mapent_check: bad entry ADDR, line 2306 C 37 596d 870d 3/3 523d b82e1cbee4e4 in uvm_mapent_forkzero(), if the old entry was an object mapping, appease a debug check by setting the new entry offset to zero along with setting the new entry object pointer to NULL.
panic: genfs: bad op C 31 601d 817d 3/3 526d 5f207669d514 VOP_BMAP() may be called via ioctl(FIOGETBMAP) on any vnode that applications can open. change various pseudo-fs *_bmap methods return an error instead of panic.
netbsd boot error: UBSan: Undefined Behavior in AcpiNsRootInitialize 120 555d 560d 3/3 555d f267d3dd7ced avoid dereferencing a constant string address as a UINT32 pointer, KUBSAN complains about bad alignment.
UBSan: Undefined Behavior in ts2timo C 40 564d 922d 3/3 555d 45cf5c9a9beb ts2timo(9): refactor TIMER_ABSTIME handling
assert failed: (cnp->cn_flags & LOCKPARENT) == 0 || searchdir == NULL || VOP_ISLOCKED(searchdir) == LK_EXCLUSIVE (2) C 1614 567d 895d 3/3 555d db1eb07930cb Honor LOCKPARENT for ".." of the root directory.
UBSan: Undefined Behavior in free_pipe C 6 644d 713d 3/3 555d 74f2a225b441 fix free_all_endpoints() to not try calling free_pipe() when no endpoints are allocated; this can happen during config_detach() after attach fails
page fault in free_all_endpoints C 2 713d 713d 3/3 555d 74f2a225b441 fix free_all_endpoints() to not try calling free_pipe() when no endpoints are allocated; this can happen during config_detach() after attach fails
UBSan: Undefined Behavior in fss_close C 3 763d 774d 3/3 710d 04369c6342db Check the return value of device_lookup_private against NULL.
UBSan: Undefined Behavior in quota1_handle_cmd_quotaoff C 22 721d 853d 3/3 711d 0ed0fec9dda7 Avoid potentially accessing an array with an index out of range.
UBSan: Undefined Behavior in quota1_handle_cmd_quotaon C 310 713d 858d 3/3 711d 0ed0fec9dda7 Avoid potentially accessing an array with an index out of range.
UBSan: Undefined Behavior in fsetown C 643 712d 896d 3/3 712d e7d28209c419 Avoid negating the minimum size of pid_t (this overflows).
assert failed: semcnt >= 0 C 1460 722d 863d 3/3 722d a0fbdf293ceb when updating the per-uid "semcnt", decrement the counter for the uid that created the ksem, not the uid of the process freeing the ksem. fixes PR 55509.
UBSan: Undefined Behavior in dosetitimer C 62 730d 731d 3/3 730d fbb685bb0b17 Fix an uninitialized pointer deref introduced in rev 1.207.
assert failed: ! (2) C 4 754d 754d 3/3 746d af283323908f When validating the mount device string make sure its length is below *data_len and below PATH_MAX.
panic: Suspending fresh file system failed syz 44 747d 782d 3/3 747d 79192450587f We have to ignore interrupts when suspending here the same way we have to do with revoke.
assert failed: fstrans_is_owner(mp) C 789 749d 856d 3/3 748d 184c870bf835 Suspend file system before unmounting in mount_domount() error path to prevent diagnostic assertions from unmount/flush.
panic: kernel diagnostic assertion "fstrans_is_owner(mp)" failed: file "/syzkaller/managers/netbsd-kmsan/kernel/s 1 800d 800d 3/3 748d 184c870bf835 Suspend file system before unmounting in mount_domount() error path to prevent diagnostic assertions from unmount/flush.
panic: [ 222.ADDR] kernel diagnostic assertion "fstrans_is_owner(mp)" failed: file "/syzkaller/managers/netbsd-kmsan/ker 1 812d 812d 3/3 748d 184c870bf835 Suspend file system before unmounting in mount_domount() error path to prevent diagnostic assertions from unmount/flush.
UBSan: Undefined Behavior in ttioctl 1 871d 871d 3/3 748d 84a9e026f13a tty: Negating INT_MIN will overflow int, bail out with EINVAL
assert failed: (length != 0 || extblocks || LIST_EMPTY(&ovp->v_cleanblkhd)) C 6 776d 872d 3/3 748d f7052f01027d Lock the vnode while calling VOP_BMAP() for FIOGETBMAP.
UBSan: Undefined behavior 8 782d 857d 3/3 748d 813e77a1763b tty: Avoid undefined behaviour (left shift of 1 by 31 places overflows int)
panic: kernel diagnostic assertion "fstrans_is_owner(mp)" failed: file "/syzkaller/managers/netbsd-kmsan/kernel 1 803d 803d 3/3 748d 184c870bf835 Suspend file system before unmounting in mount_domount() error path to prevent diagnostic assertions from unmount/flush.
panic: kernel diagnostic assertion "fstrans_is_owner(mp)" failed: file "/syzkaller/managers/netbsd-kubsan/kernel/sys/ke 1 802d 802d 3/3 748d 184c870bf835 Suspend file system before unmounting in mount_domount() error path to prevent diagnostic assertions from unmount/flush.
UBSan: Undefined Behavior in compat_43_ttioctl.cold C 116 751d 806d 3/3 748d defc761d62d0 tty_43: Check a bitset from userspace is valid before shifting it
UBSan: Undefined Behavior in tty_get_qsize C 19 832d 878d 3/3 830d 6a50dd0272f2 Add a check to prevent shift by -1. Not really important in this case, but to appease KUBSAN.
assert failed: rb_tree_find_node(&ugenif.tree, &sc->sc_unit) == sc C 8 841d 841d 3/3 840d 1c72caa6ef34 Fix ugen detach after partial attach.
ASan: Unauthorized Access in nvlist_copyin C 2 866d 866d 3/3 840d 6982a35fdfd5 Add missing cases, to prevent memory corruption.
assert failed: 0 <= space && space <= ifc->ifc_len C 4 875d 875d 3/3 873d fc897702c542 Don't accept negative value.
page fault in statvfs_to_statfs12_copy C 5 893d 893d 3/3 892d 8d25bda61d0b Yet another idiotic compat syscall that was developed with literally zero test made. Simply invoking this syscall with _valid parameters_ triggers a fatal fault, because the kernel tries to write to userland addresses.
page fault in usbd_add_drv_event C 2 893d 893d 3/3 892d 861d49589522 Fix NULL deref on attach failure. Found via vHCI fuzzing.
UBSan: Undefined Behavior in pipe_ioctl C 1 894d 894d 3/3 892d 8db9507239c1 Fix NULL deref. The original code before Jaromir's cleanup had an #ifndef block that wrongly contained the 'else' statement, causing the NULL check to have no effect.
ASan: Unauthorized Access in m_copydata C 1 896d 896d 3/3 895d 305ae8585db2 Ensure sockaddrs have valid lengths for RO_MISSFILTER.
assert failed: (cnp->cn_flags & LOCKPARENT) == 0 || searchdir == NULL || VOP_ISLOCKED(searchdir) == LK_EXCLUSIVE C 2815 895d 943d 3/3 895d a8be99190564 remove special handling for symbolic links for COMPAT_43 lstat, it's not necessary; this removes the only places in kernel which did namei LOOKUP with LOCKPARENT
UBSan: Undefined Behavior in tunwrite C 5 896d 896d 3/3 896d 524a0f1e9770 Hum. Fix NULL deref triggerable with just write(0).
assert failed: p != NULL 1 995d 995d 3/3 912d 52d76d6e0068 Fix Bohr bug triggered only once by syzkaller 2.5 months ago.
UBSan: Undefined Behavior in db_read_bytes 1 915d 915d 3/3 913d f7d1fd51a462 If the frame is not aligned, leave right away. This place probably needs to be revisited, because %rbp could easily contain garbage.
netbsd boot error: MSan: Uninitialized Memory in pmap_ctor 60 919d 923d 3/3 917d 5340091e9fe3 Reported-by: syzbot+6dd5a230d19f0cbc7814@syzkaller.appspotmail.com
panic: LOCKDEBUG: Mutex error: mutex_vector_enter,516: spin lock held C 95 918d 938d 3/3 918d ca141aa04c23 Reported-by: syzbot+c1770938bb3fa7c085f2@syzkaller.appspotmail.com Reported-by: syzbot+ae26209c7d7f06e0b29f@syzkaller.appspotmail.com
ASan: Unauthorized Access in usbd_fill_iface_data C 5 919d 920d 3/3 918d 2249d34b023a If we failed because we didn't encounter an endpoint, do not attempt to read 'ed', because its value is past the end of the buffer, and we thus perform out-of-bounds accesses.
panic: kmem_intr_free: zero size with pointer ADDR C 1 919d 919d 3/3 918d 2be2c89e0524 also set ifc->ui_endpoints to NULL in usbd_free_iface_data() when the value is freed, to make it impossible to re-enter this by mistake
UBSan: Undefined Behavior in process_read_fpregs C 2 926d 926d 3/3 918d 8472f807ca69 Introduce PTRACE_REGS_ALIGN, and on x86, enforce a 16-byte alignment, due to fpregs having fxsave which requires 16-byte alignment.
ASan: Unauthorized Access in usb_free_device C 3 919d 919d 3/3 918d eedc54e27f01 Reset ud_ifaces and ud_cdesc to NULL, to prevent use-after-free in usb_free_device().
assert failed: pmap->pm_ncsw == lwp_pctr() (2) 4 920d 923d 3/3 918d 20bcbe871c9b Reported-by: syzbot+fd9be59aa613bbf4eba8@syzkaller.appspotmail.com Reported-by: syzbot+15dd4dbac6ed159faa4a@syzkaller.appspotmail.com Reported-by: syzbot+38fa02d3b0e46e57c156@syzkaller.appspotmail.com
assert failed: !pmap_extract(pmap, va, NULL) syz 1 995d 995d 3/3 932d 924ce12c3493 Reported-by: syzbot+3e3c7cfa8093f8de047e@syzkaller.appspotmail.com
panic: LOCKDEBUG: Mutex error: mutex_vector_enter,512: locking against myself C 52 932d 938d 3/3 932d a463a9f300a4 Reported-by: syzbot+0f38e4aed17c14cf0af8@syzkaller.appspotmail.com Reported-by: syzbot+c1770938bb3fa7c085f2@syzkaller.appspotmail.com Reported-by: syzbot+92ca248f1137c4b345d7@syzkaller.appspotmail.com Reported-by: syzbot+acfd688740461f7edf2f@syzkaller.appspotmail.com
MSan: Uninitialized Memory in ifq_enqueue 1 936d 936d 3/3 935d 5886cd66edf3 igmp_sendpkt() expects ip_output() to set 'imo.imo_multicast_ttl' into 'ip->ip_ttl'; but ip_output() won't if the target is not a multicast address, meaning that the uninitialized 'ip->ip_ttl' byte gets sent to the network. This leaks one byte of kernel heap.
MSan: Uninitialized Memory in nanosleep1 C 8 951d 985d 3/3 936d 724bb3d0d332 Fix uninitialized memory access. Found by KMSAN.
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/arch/x86/x86/intr.c:LINE, member access 15 948d 950d 3/3 946d 2dc1ea629096 Explicitly align to 8 bytes, found by kUBSan.
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/vfs_cache.c:LINE, left shift of AD 36 988d 989d 3/3 981d d200df7c5d61 Pacify a syzbot complaint about bit shifting.
assert failed: pmap->pm_stats.resident_count == PDP_SIZE syz 22 992d 993d 3/3 992d 28e26e2b0f5a PR port-amd64/55083 (assertion "pmap->pm_stats.resident_count == PDP_SIZE" failed)
assert failed: ptp->wire_count == 1 C 16 993d 993d 3/3 993d 5b0bcf219d04 Pacify assertion in a failure path.
assert failed: (opte & (PTE_A | PTE_P)) != PTE_A C 15 994d 996d 3/3 993d 5b29d3e218d4 - pmap_enter(): under low memory conditions, if PTP allocation succeeded and then PV entry allocation failed, PTP pages were being freed without their struct pmap_page being reset back to the non-PTP setup, which then caused havoc with pmap_page_removed(). Fix it.
panic: pmap_check_pv: ADDR/ADDR missing on pp ADDR syz 60 993d 994d 3/3 993d 5b29d3e218d4 - pmap_enter(): under low memory conditions, if PTP allocation succeeded and then PV entry allocation failed, PTP pages were being freed without their struct pmap_page being reset back to the non-PTP setup, which then caused havoc with pmap_page_removed(). Fix it.
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/vfs_mount.c:LINE, member access wi 1446 1004d 1080d 3/3 1003d 4d7207db691f - Pad kmem cache names with zeros so vmstat -m and -C are readable. - Exclude caches with size not a factor or multiple of the coherency unit. 53375fc8fa4e KMEM_SIZE: append the size_t to the allocated buffer, rather than prepending, so it doesn't screw up the alignment of the buffer.
ASan: Unauthorized Access in ifreq_setaddr C 6 1069d 1069d 3/3 1004d 5185168a6938 Don't forget to initialize 'sin6_len'. With kASan, from time to time the value will be bigger than the size of the source, and we get a read overflow. With kMSan the uninitialized access is detected immediately.
MSan: Uninitialized Memory in getsockopt C 37 1018d 1019d 3/3 1004d eb11dac516ec Zero out 'tv', to prevent uninitialized bytes in its padding from leaking to userland. Found by kMSan.
assert failed: l->l_stat == LSONPROC C 645 1015d 1029d 3/3 1004d 97e2d6ea09e0 exit1(): remove from the radix tree before setting zombie status, as radix_tree_remove_node() can block on locks when freeing.
ASan: Unauthorized Access in mutex_oncpu C 24521 1004d 1065d 3/3 1004d 892179991a88 A final set of scheduler tweaks:
MSan: Uninitialized Memory in bus_dmamap_sync C 16 1014d 1019d 3/3 1004d 23a2ab5c20bf Zero out the padding in 'd_namlen', to prevent info leaks. Same logic as ufs_makedirentry().
assert failed: ci->ci_tlbstate != TLBSTATE_VALID C 123 1087d 1088d 3/3 1020d 23b2e54ebac4 uvm_pagerealloc() can now block because of radixtree manipulation, so defer freeing PTPs until pmap_unmap_ptes(), where we still have the pmap locked but can finally tolerate context switches again.
assert failed: pmap->pm_ncsw == curlwp->l_ncsw C 30 1087d 1088d 3/3 1020d 23b2e54ebac4 uvm_pagerealloc() can now block because of radixtree manipulation, so defer freeing PTPs until pmap_unmap_ptes(), where we still have the pmap locked but can finally tolerate context switches again.
assert failed: pmap->pm_ncsw == lwp_pctr() 2 1080d 1084d 3/3 1020d 9e90a906aefa pmap_get_ptp(): the uvm_pagefree() call in the failure case can block too. Pacify the assertion in pmap_unmap_ptes().
assert failed: pg->offset >= nextoff C 10 1085d 1086d 3/3 1020d bf2882ea03f2 genfs_do_putpages(): add a missing call to uvm_page_array_advance().
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/init_main.c:LINE, left shift of AD 9 1080d 1081d 3/3 1020d 3d8d3a5b0f60 Fix integer overflow when printing available memory size (resulting from a cast lost during merges).
netbsd boot error: panic: LOCKDEBUG: Mutex error: _mutex_init,363: already initialized 51 1085d 1086d 3/3 1020d 20861b8eb23a Fix LOCKDEBUG panic on mutex_init().
assert failed: lwp_locked(l, l->l_cpu->ci_schedstate.spc_lwplock) C 2676 1108d 1108d 2/3 1105d lwp_start(): don't try to change the target CPU. Fixes potential panic in setrunnable(). Oops, experimental change that escaped.
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/netinet/tcp_congctl.c:LINE, unsigned in syz 28 1114d 1126d 2/3 1114d 86432df29b3c Don't allow zero sized segments that will panic the stack. Reported-by: syzbot+5542516fa4afe7a101e6@syzkaller.appspotmail.com
ASan: Unauthorized Access in __asan_load8 syz 39 1118d 1237d 2/3 1116d 1f864cd0b6b7 in uvm_fault_lower_io(), fetch all the map entry values that we need before we unlock everything.
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/dev/raidframe/rf_netbsdkintf.c:LINE, me 114 1134d 1138d 2/3 1116d a32ffe9d1324 Get &rsc->sc_dksc only when we know 'rsc' is not NULL. This was actually harmless because we didn't use the pointer then.
panic: m_copydata(ADDR,2,48,ADDR): m=NULL, off=0 (48), len=2 (0) C 3 1121d 1121d 2/3 1116d af2e74070a78 Add more checks in ip6_pullexthdr, to prevent a panic in m_copydata. The Rip6 entry point could see a garbage Hop6 option.
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/arch/x86/x86/pmap.c:LINE, member access 6 1116d 1117d 2/3 1116d bdec8cbe5764 Add a NULL check on the structure pointer, not to retrieve its first field if it is NULL. The previous code was not buggy strictly speaking. This change probably doesn't change anything, except removing assumptions in the compiler optimization passes, which too probably doesn't change anything in this case.
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/subr_disk_mbr.c:LINE, member acces 135 1126d 1131d 2/3 1116d f6f1cc40a4ad Avoid unaligned pointer arithmetic in check_label_magic()
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/vfs_subr.c:LINE, member access wit 99 1117d 1126d 2/3 1116d 6cb2a5fa8498 NULL-check the structure pointer, not the address of its first field. This is clearer and also appeases syzbot.
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/uipc_socket.c:LINE, null pointer p C 3 1154d 1162d 2/3 1149d c79708337116 Add a check before the memcpy. memcpy is defined to never take NULL as second argument, and the compiler is free to perform optimizations knowing that this argument is never NULL.
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/net/rtsock_shared.c:LINE, shift exponen C 91 1149d 1154d 2/3 1149d d9cad9525198 Error out if the type is beyond the storage size. No functional change, since the shift would otherwise 'and' against zero, returning EEXIST.
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/sys_ptrace_common.c:LINE, negation C 2 1153d 1153d 2/3 1151d cd6dd739cba3 Avoid signed integer overflow for -lwp where lwp is INT_MIN
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/kern_time.c:LINE, signed integer o C 3 1158d 1158d 2/3 1158d 46ff3a13f114 Check for valid timespec in clock_settime1()
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/subr_time.c:LINE, signed integer o C 2 1160d 1160d 2/3 1159d 2ade1021b4fc Avoid signed integer overflow in ts2timo() for ts->tv_nsec
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/uvm/uvm_mmap.c:LINE, left shift of 1 by C 2 1159d 1159d 2/3 1159d 83b9c08ceaeb Avoid left shift changing the signedness flag
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/sysv_msg.c:LINE, negation of -ADDR C 2 1159d 1159d 2/3 1159d 9cb4ef149ebf Avoid -LONG_MIN msgtyp in msgrcv(2) and treat it as LONG_MAX
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/crypto/nist_hash_drbg/nist_hash_drbg.c: 39 1174d 1175d 2/3 1161d 338a6d8211a1 Use an explicit run-time assertion where compile-time doesn't work.
panic: ifmedia_add: can't malloc entry 28 1162d 1239d 2/3 1162d a630837c7729 in ifmedia_add(), use a wait-style memory allocation rather than not waiting and panic'ing if the allocation fails.
page fault in __asan_load8 C 4 1164d 1195d 2/3 1162d 13fbc0821e8e in shmdt(), wait until shmat() completes before detaching.
page fault in shm_delete_mapping syz 17 1296d 1309d 2/3 1162d 13fbc0821e8e in shmdt(), wait until shmat() completes before detaching.
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/kern_rndq.c:LINE, negation of -ADD 9 1165d 1172d 2/3 1164d 7cac47a10509 Do all delta calculations strictly using uint32_t. Avoid integer overflows in calculating absolute deltas by subtracting the right way around.
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/net/rtsock_shared.c:LINE, member access 1 1171d 1171d 2/3 1170d b31ed8ab67ac Disable __NO_STRICT_ALIGNMENT on amd64/i386 for UBSan builds
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/netinet6/scope6.c:LINE, member access w (2) syz 91 1170d 1173d 2/3 1170d b31ed8ab67ac Disable __NO_STRICT_ALIGNMENT on amd64/i386 for UBSan builds
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/sys_select.c:LINE, signed integer C 2 1173d 1173d 2/3 1173d 7049e5e68831 Validate usec ranges in sys___select50()
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/netinet6/scope6.c:LINE, member access w syz 73 1173d 1174d 2/3 1173d 03d0e0d45651 Decorate in6_clearscope() with __noubsan
panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/vfs_syscalls.c:LINE, signed intege C 11 1173d 1173d 2/3 1173d 263d48443521 Validate usec ranges in do_sys_utimes()
netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/subr_percpu.c:LINE, null pointer p 12 1175d 1175d 2/3 1174d 360cafb4be56 Decorate percpu_cpu_swap() with __noubsan
assert failed: buflen != 0 syz 18 1181d 1181d 1/3 1180d b2ec06b1c2b8 As I suspected, the KASSERT I added yesterday can fire if we try to process zero-sized packets. Skip them to prevent a type confusion that can trigger random page faults later.
assert failed: (c->c_flags & CALLOUT_PENDING) == 0 C 2918 1244d 1382d 1/3 1182d 79ef7cca0478 Fix race in timer destruction.
assert failed: c->c_cpu->cc_lwp == curlwp || c->c_cpu->cc_active != c C 247 1242d 1382d 1/3 1200d 79ef7cca0478 Fix race in timer destruction.
assert failed: to_ticks >= 0 (2) C 70 1255d 1313d 1/3 1200d 9dcd3d552fbf Clamp tcp timer quantities to reasonable ranges.
assert failed: pg->wire_count != 0 (2) C 174 1244d 1266d 1/3 1200d 05db12c848fc fix two bugs reported in https://syzkaller.appspot.com/bug?id=8840dce484094a926e1ec388ffb83acb2fa291c9
assert failed: pg->wire_count > 0 C 6 1367d 1380d 1/3 1200d e5adac7a31c1 Acquire shmseg uobj reference while we hold shm_lock.
assert failed: uvm_page_locked_p(pg) C 44 1243d 1254d 1/3 1243d c6cd9224e962 Add missing lock around pmap_protect. ok, chs@
panic: LOCKDEBUG: Reader / writer lock error: rw_vector_exit,449: not held by current LWP C 3 1258d 1259d 1/3 1256d e665d6ee6c55 Fix bug, don't release the reflock if we didn't take it in the first place. Looks like there are other locking issues in here.
ASan: Unauthorized Access in exec_makepathbuf syz 2 1264d 1264d 1/3 1260d c958d6fe028e Fix buffer overflow. It seems that some people need to go back to the basics of C programming.
page fault in uvm_fault C 2 1266d 1266d 1/3 1266d 00dad9ea5158 Correct wrong type of uio_seg passed to do_sys_mknodat()
assert failed: ! 2 1266d 1266d 1/3 1266d 00dad9ea5158 Correct wrong type of uio_seg passed to do_sys_mknodat()
assert failed: pmap->pm_obj[i].uo_npages == 0 C 58 1296d 1376d 1/3 1267d in uvm_map_protect(), do a pmap_update() before possibly switching from removing pmap entries to creating them. this fixes the problem reported in https://syzkaller.appspot.com/bug?id=cc89e47f05e4eea2fd69bcccb5e837f8d1ab4d60
assert failed: pg->wire_count != 0 C 45 1298d 1363d 1/3 1267d shmctl(SHM_LOCK) does not need to mess with mappings of the shm segment, uvm_obj_wirepages() is sufficient. this fixes the problem reported in https://syzkaller.appspot.com/bug?id=71f9271d761f5b6ed517a18030dc04f0135e6179
assert failed: mutex_owned(pipe->pipe_lock) 39 1320d 1380d 1/3 1312d 7abfdd368b0d Clean up pipe structure before recycling it.
assert failed: to_ticks >= 0 C 2547 1332d 1381d 1/3 1332d 03f00c6312f9 Add more checks, if the values are negative we hit a KASSERT later in the timeout.
ASan: Unauthorized Access in vioscsi_scsipi_request syz 1841 1333d 1369d 1/3 1333d 1321c57412a7 Fix use-after-free. If we're not polling, virtio_enqueue_commit() will send the transaction, and it means 'xs' can be immediately freed. So, save the value of xs_control beforehand.
panic: receive 3 C 5 1374d 1382d 1/3 1346d 98c7c314d887 Also check for MT_CONTROL, and end the receive operation if we see one. It is possible to get an MT_CONTROL if we sleep in MSG_WAITALL. The other BSDs do the same.
assert failed: vp->v_usecount != 0 C 108 1365d 1381d 1/3 1365d 094e14272c30 Take a reference on ndp->ni_rootdir and ndp->ni_erootdir.
assert failed: vp->v_type == VREG C 139 1370d 1381d 1/3 1370d 7380dc541060 Change vn_openchk() to fail VNON and VBAD with error ENXIO.
assert failed: vp->v_type == VREG || vp->v_type == VDIR C 1085 1370d 1382d 1/3 1370d 7380dc541060 Change vn_openchk() to fail VNON and VBAD with error ENXIO.
assert failed: c->c_magic == CALLOUT_MAGIC C 1645 1381d 1382d 1/3 1374d The callout is used by any nonvirtual timer including CLOCK_MONOTONIC and needs to be initialized.
assert failed: so->so_lock == NULL C 5 1379d 1380d 1/3 1379d e5d22f7ead7e Fix locking: it is fine if the lock is already key_so_mtx, this can happen in socketpair. In that case don't take it.
assert failed: so->so_pcb == NULL C 6 1380d 1381d 1/3 1380d e8d09f86fc12 Fix the order in udp6_attach: soreserve should be called before in6_pcballoc, otherwise if it fails there is still a PCB attached, and we hit a KASSERT in socreate. In !DIAGNOSTIC this would have caused a memory leak.
assert failed: requested_size > 0 C 19 1381d 1382d 1/3 1381d 4328f8e5bd44 Reading a directory may trigger a panic when the buffer is too small. Adjust necessary checks.
ASan bug (2) C 347 1381d 1381d 1/3 1381d 033896d695d0 RIP6, CAN, SCTP and SCTP6 lack a length check in their _send() functions. Fix RIP6 and CAN, add a big XXX in the SCTP ones.
ASan bug C 302 1381d 1382d 1/3 1381d dd5151c72efb RIP, RIP6, DDP, SCTP and SCTP6 lack a length check in their _connect() functions. Fix the first three, and add a big XXX in the SCTP ones.