syzbot


Title Repro Cause bisect Fix bisect Count Last Reported Closed Patch
panic: mutex ADDR not held in knote_dequeue C 24 5d07h 5d18h 5d05h baa47be0 Remember to lock kqueue mutex in filt_timermodify().
witness: reversal: lock order data missing C 667 34d 104d 33d 8b594b45 Move ktrfds() below fdpunlock(). This fixes lock order issue between vn_lock(9) and fdplock().
panic: acquiring blockable sleep lock with spinlock or critical section held (rwlock) solock C 4 50d 51d 50d Revert per-socket `so_lock' rwlock(9) and use it to protect routing (PF_ROUTE) sockets. There is a locking issue with timeouts that needs to be fixed. Requested by deraadt@
SYZFAIL: tun: can't open device syz 4 104d 104d 98d 43dfcaac Issuing FIOSETOWN and TIOCSPGRP ioctl commands on a tun(4) device leaks device references causing a hang while trying to remove the same interface since the reference count will never reach zero. Instead of returning, break out of the switch in order to ensure that tun_put() gets called.
assert "frag->fr_firstoff[index] != NULL" failed in pf_norm.c syz 4 116d 135d 113d be7274bf When cutting of the head of an overlapping fragment during pf reassembly, reinsert the fragment into the lookup table with correct index. Reported-by: syzbot+d043455a5346f726f1c4@syzkaller.appspotmail.com OK claudio@
kernel: protection fault trap, code=0 (8) syz 1348 126d 315d 126d 44a45654 Interface group names must fit into IFNAMSIZ and be unique. But the kernel made the unique check before trunkating with strlcpy(). So there could be two interface groups with the same name. The kif is created by a name lookup. The trunkated names are equal, so there was only one kif owned by both groups. When the groups got destroyed, the single kif was removed twice from the RB tree. Check length of group name before doing the unique check. The empty group name was allowed and is now invalid. Reported-by: syzbot+f47e8296ebd559f9bbff@syzkaller.appspotmail.com OK deraadt@ gnezdo@ anton@ mvs@ claudio@
panic: rw_enter: pf_state_lock locking against myself C 8 126d 126d 126d d7220220 pfsync_state_import() must not be called with the pf state lock held, since the actual modification of the state table is done by a call to pf_state_insert(), which takes the pf state lock itself. Other calls to pfsync_state_import() also only have the pf lock.
panic: vrele: v_writecount != 0 (2) C 1955 131d 132d 131d df61468f Revert previous commit. The vnode returned by ptm_vn_open() is open and can not simply be vrele()-ed on error. The code currently depends on closef() to do the cleanup.
assert "TAILQ_EMPTY(&kq->kq_head)" failed in kern_event.c C 2 141d 141d 140d 715db9d6 kqueue: Fix termination assert
uvm_fault: pf_addr_compare C 347 146d 146d 146d c34fe1b3 An invalid packet may not have set src and dst in packet descriptor. Add a NULL check to prevent crash in pflog(4) introduced in previous commit. Reported-by: syzbot+c6d2f2ad34b822bce98a@syzkaller.appspotmail.com
uvm_fault: m_copyback 69 164d 312d 146d 2cbebc01 pflog(4) tried to log the translated packet with rdr-to, nat-to, and af-to addresses and ports applied. Therefore it created a mbuf chain on the stack with a partial copy. This is too complicated for IP options, extension header, NAT46 af-to, and fragmented mbuf chains. It even caused a crash in syzkaller. Usually the length checks in pf_setup_pdesc() rejected the faked mbuf and the goto copy logged the packet unmodified. Remove the pflog_mtap() function and call bpf_mtap_hdr() directly. As the old buggy code was bypassed in most cases, tcpdump(8) output of pflog does not change. Uncondionally log the unmodified packet. Reported-by: syzbot+947e89e06ac3fec187d0@syzkaller.appspotmail.com OK sashan@
kernel: double fault trap, code=0 (4) C 493 171d 428d 157d c11d7698 Syzkaller has found a stack overflow in socket splicing. Broadcast packets were resent through simplex broadcast delivery and socket splicing. Although there is an M_LOOP check in somove(9), it did not take effect. if_input_local() cleared the M_BCAST and M_MCAST flags with m_resethdr(). As if_input_local() is used for broadcast and multicast delivery, it was a mistake to delete them. Keep the M_BCAST and M_MCAST mbuf flags when packets are reinjected into the network stack. Reported-by: syzbot+a43ace363f1b663238f8@syzkaller.appspotmail.com OK anton@; discussed with claudio@
kernel: integer divide fault trap, code=0 syz 4 344d 373d 181d 39c2a133 Reject rules with invalid port ranges
openbsd test error: uvm_fault: spllower 6 195d 195d 189d 3ba77c92 Revert previous extension of the SCHED_LOCK(), the state isn't passed down.
multicore test error: uvm_fault: spllower 12 195d 195d 189d 3ba77c92 Revert previous extension of the SCHED_LOCK(), the state isn't passed down.
uvm_fault: wsevent_fini (3) C 2 194d 194d 192d 996a5b4d Fix yet another wscons race. In the same subsystem, the following properties must always hold true:
no output from test machine (6) C 2779 210d 232d 210d 0124df67 Fix handling of MSG_PEEK in soreceive() for the case where an empty mbuf is encountered in a seqpacket socket.
no output from test machine (5) C 49467 232d 330d 232d d6d19400 Fix a deadlock between uvn_io() and uvn_flush(). While faulting on a page backed by a vnode, uvn_io() will end up being called in order to populate newly allocated pages using I/O on the backing vnode. Before performing the I/O, newly allocated pages are flagged as busy by uvn_get(), that is before uvn_io() tries to lock the vnode. Such pages could then end up being flushed by uvn_flush() which already has acquired the vnode lock. Since such pages are flagged as busy, uvn_flush() will wait for them to be flagged as not busy. This will never happens as uvn_io() cannot make progress until the vnode lock is released.
witness: userret: ioctl C 3 237d 238d 237d 610c242e - missing NET_UNLOCK() in pf_ioctl.c error path
panic: spl assertion failure in yield C 12 365d 382d 238d - move NET_LOCK() further down in pf_ioctl.c. Also move memory allocations outside of NET_LOCK()/PF_LOCK() scope in easy spots.
openbsd build error (11) 44 238d 243d 238d a524e041 timeout(9): fix compilation under NKCOV
multicore build error (8) 88 238d 243d 238d a524e041 timeout(9): fix compilation under NKCOV
panic: malloc: allocation too large, type = 98, size = ADDR C 2 255d 255d 254d Recent changes for PROT_NONE pages to not count against resource limits, failed to note this also guarded against heavy amap allocations in the MAP_SHARED case. Bring back the checks for MAP_SHARED from semarie, ok kettenis https://syzkaller.appspot.com/bug?extid=d80de26a8db6c009d060
openbsd build error (10) 3 276d 276d 274d Unbreak tree. Instead of passing struct process to siginit() just pass the struct sigacts since that is the only thing that is modified by siginit.
multicore build error (7) 5 276d 276d 274d Unbreak tree. Instead of passing struct process to siginit() just pass the struct sigacts since that is the only thing that is modified by siginit.
panic: syn_cache_insert: cacheoverflow: impossible (2) C 6 311d 356d 288d 7c72bba2 Convert tcp_sysctl to sysctl_bounded_args
assert "curproc->p_kd == NULL" failed in kcov.c (2) 1 301d 301d 288d ece33e2f Before clearing the kcov descriptor associated with a thread make sure no other thread is currently within a remote section. Otherwise, the remote subsystem could end up in a broken state where it doesn't reset the necessary bits upon leaving the remote section.
assert "curproc->p_kd == NULL" failed in kcov.c 2 305d 307d 305d 2fa3abdd When detaching common remote coverage, do not clear any fields. Instead, let kr_free() do the work. Otherwise a thread currently inside a remote section could end up not decrementing the number of ongoing sections while exiting the same remote section.
uvm_fault: pfi_address_add syz 1359 326d 382d 315d efa3c3dd Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
pool: free list modified: phpool 1 357d 357d 315d efa3c3dd Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
panic: sbdrop syz 183 317d 616d 315d efa3c3dd Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
uvm_fault: soreceive syz 240 325d 591d 315d efa3c3dd Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
panic: ifa_update_broadaddr does not support dynamic length (2) 13 320d 470d 315d efa3c3dd Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
uvm_fault: in6ifa_ifpforlinklocal 1 371d 371d 315d efa3c3dd Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
uvm_fault: pool_do_put (2) syz 53 327d 570d 315d efa3c3dd Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
kernel: protection fault trap, code=0 (7) syz 774692 315d 559d 315d efa3c3dd Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
uvm_fault: in_delmulti syz 375431 315d 602d 315d efa3c3dd Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
panic: tcp_output: template len != hdrlen - optlen syz 487 317d 629d 315d efa3c3dd Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
soreceive 1a syz 510 318d 474d 315d efa3c3dd Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
uvm_fault (2) syz 1 368d 368d 315d efa3c3dd Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
pool: cpu free list modified: mbufpl syz 15863 315d 602d 315d efa3c3dd Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
pool: free list modified: art_heap4 (2) 4 358d 388d 315d efa3c3dd Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
soreceive 3 syz 755 315d 474d 315d efa3c3dd Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
uvm_fault: vio_rxeof syz 15700 325d 637d 315d efa3c3dd Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
uvm_fault: ifa_update_broadaddr 3275 325d 570d 315d efa3c3dd Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
multicore build error (6) 4 321d 334d 318d Revert r1.170. dlg and jmatthew simultaneously fixed this the correct way.
openbsd build error (9) 1 334d 334d 318d Revert r1.170. dlg and jmatthew simultaneously fixed this the correct way.
uvm_fault: wsevent_fini (2) 1 342d 342d 321d 25f2901d Fix yet another panic in which wsevent_fini() ends up being called with NULL. This one is a race caused by clearing the me_evp member before calling routines that could end up sleeping.
no output from test machine (3) C 25293 336d 351d 336d A pty write containing VDISCARD, VREPRINT, or various retyping cases of VERASE would perform (sometimes irrelevant) compute in the kernel which can be heavy (especially with our insufficient tty subsystem locking). Use tsleep_nsec for 1 tick in such circumstances to yield cpu, and also bring interruptability to ptcwrite() https://syzkaller.appspot.com/bug?extid=462539bc18fef8fc26cc ok kettenis millert, discussions with greg and anton
panic: unhandled af (2) C 22 354d 380d 353d 38e8113e state import should accept AF_INET/AF_INET6 only
panic: syn_cache_insert: bucketoverflow: impossible C 5 366d 384d 362d 2b10bfc1 Refuse to set 0 or a negative value for net.inet.tcp.synbucketlimit.
panic: syn_cache_insert: cacheoverflow: impossible 5 362d 381d 362d 2b10bfc1 Refuse to set 0 or a negative value for net.inet.tcp.synbucketlimit.
no output from test machine C 551400 404d 979d 404d 7bb4371d Do not wait indefinitely for flushing when closing a tty.
panic: m_copydata: null mbuf C 396 408d 595d 405d 574b3a4f Do sanity checks in ip6_pullexthdr() preventing a panic in m_copydata(9).
assert "!ISSET(rt->rt_flags, RTF_LOCAL)" failed in nd6.c 1 471d 471d 419d 8e6c5245 Never update the ND entry (cache) corresponding to a RTF_LOCAL route.
uvm_fault: pfi_dynaddr_remove C 17 528d 533d 422d 3d97bff1 fix insufficient input sanitization in pf_rulecopyin() and pf_pool_copyin()
uvm_fault: pfr_detach_table C 12 528d 532d 422d 3d97bff1 fix insufficient input sanitization in pf_rulecopyin() and pf_pool_copyin()
openbsd build error (8) 2 427d 427d 427d 20c8eb7c Add bse(4) device to unbreak build.
multicore build error (5) 4 427d 427d 427d 20c8eb7c Add bse(4) device to unbreak build.
panic: rw_enter: netlock locking against myself syz 2 433d 433d 429d 27427a72 In sosplice(), temporarily release the socket lock before calling FRELE() as the last reference could be dropped which in turn will cause soclose() to be called where the socket lock is unconditionally acquired. Note that this is only a problem for sockets protected by the non-recursive NET_LOCK() right now.
assert "p == curproc" failed in vfs_vops.c C 187 442d 442d 439d fc5a743d Revert previous, syzkaller found a way to trigger the KASSERT().
uvm_fault: strlcpy (2) 1 450d 450d 443d 9fcf6ed4 Prevent out of bounds read in strlcpy due to vcp_name not being NUL-terminated.
panic: vputonfreelist: lock count is not zero C 2 474d 474d 446d 2a9890d8 Relax the lockcount assertion in vputonfreelist(). Back when I fixed several problems with the vnode exclusive lock implementation, I overlooked the fact that a vnode can be in a state where the usecount is zero while the holdcount still being positive. There could still be threads waiting on the vnode lock in uvn_io() as long as the holdcount is positive.
uvm_fault: wsevent_fini 1 454d 454d 449d be78d62e Ensure that me_evp is still NULL before assignment during open of wscons devices. This condition is checked early on during open but since the same routine could end up sleeping before assigning me_evp, a race against adding the same wscons device to a wsmux could be lost. This in turn can cause a NULL deference during close.
kernel: double fault trap, code=0 (3) C 69 461d 470d 461d aa1987fe Fix unlimited recursion caused by local outbound bcast/mcast packet sent via spliced socket.
pool: free list modified: aobjpl C 3 558d 571d 468d c5a231fb Grab a reference for the shared memory segment before calling uvm_map() as the same function could end up putting the thread to sleep. Allowing another thread to free the shared memory segment, which in turns causes a use-after-free.
openbsd boot error: uvm_fault: softclock 33 470d 471d 470d previous commit accidentally aliased two unique timeouts hit by millert
multicore boot error: uvm_fault: softclock 66 470d 471d 470d previous commit accidentally aliased two unique timeouts hit by millert
kqueue: knote !QUEUED syz 8 485d 521d 485d 8c478636 Raise SPL when updating kn_status. Otherwise the field can become inconsistent if knote_acquire() or knote_release() is preempted by an interrupt that modifies the same knote.
panic: unhandled af C 21 528d 530d 524d 48044792 Check address family of pf ioctl(2) DIOCNATLOOK parameter at kernel entry instead of calling panic() due to unhandled af. Reported-by: syzbot+92be143c2dd1746cf2af@syzkaller.appspotmail.com from Benjamin Baier
panic: attempt to execute user address syz 1539 534d 629d 530d f30ff743 Fix some races in kqueue_register().
witness: reversal: vmmaplk inode C 103124 546d 873d 546d Use separate rwlock initializations for userland ("vmspace") and kernel maps. This lets witness know that these really are different classes avoiding false positives when detecting lock order reversals.
kernel: protection fault trap, code=0 (6) C 55024 559d 644d 559d 0f83bb56 Fix a bad offset calculation in uvm_share.
panic: uvm_mapent_clone: no space in map for entry in empty map C 12 560d 566d 560d 0f83bb56 Fix a bad offset calculation in uvm_share.
panic: amap_pp_adjref: negative reference count C 98 570d 622d 560d 0f83bb56 Fix a bad offset calculation in uvm_share.
uvm_fault: amap_pp_adjref 1 622d 622d 560d 0f83bb56 Fix a bad offset calculation in uvm_share.
uvm_fault: uvm_unmap_remove (2) C 7836 560d 643d 560d 3c82c0b2 Fix uvm_unmap_remove panic when tearing down VMs.
panic: uvmspace_fork: no space in map for entry in empty map C 450 568d 622d 560d 0f83bb56 Fix a bad offset calculation in uvm_share.
assert "TAILQ_EMPTY(&ifp->if_addrhooks)" failed in if.c 2 580d 582d 575d 9e254176 take care to avoid a race when creating the same interface.
panic: ifa_update_broadaddr does not support dynamic length syz 6780 586d 645d 586d b36fd3da Do propper kernel input validation for in_control() ioctl(2) SIOCGIFADDR, SIOCGIFNETMASK, SIOCGIFDSTADDR, SIOCGIFBRDADDR, SIOCSIFADDR, SIOCSIFNETMASK, SIOCSIFDSTADDR, and SIOCSIFBRDADDR. Name in_ioctl_set_ifaddr() consistently. Use in_sa2sin() to validate inet address. Combine if_addrlist loops and add comment. Although netmask is not a inet address, length must be valid. Reported-by: syzbot+5fc6da002fc4e8d994be@syzkaller.appspotmail.com OK visa@
pool: free list modified: shmpl C 22 742d 837d 596d d13730a2 Copy in the user-supplied buffer in shmctl(2) before looking up the shared memory segment. Otherwise, if copyin ends up sleeping it allows another thread to remove the same segment leading to a use-after-free.
malloc: free list modified: devbuf syz 5 603d 609d 603d put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
uvm_fault: kqueue_scan 1 625d 625d 603d put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
uvm_fault: witness_checkorder syz 2 605d 605d 603d put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
uvm_fault: filt_bpfrdetach syz 1 603d 603d 603d put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
uvm_fault: bpfioctl C 14 611d 695d 603d put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
assert "ps->ps_uvncount == 0" failed in kern_unveil.c syz 226 630d 898d 623d a239dbaf Only increment the ps_uvncount counter when a path is successfully added to the corresponding red-black tree; meaning the path was not already present in the tree. This prevents an assertion to trigger in unveil_destroy() later on when the process exits.
assert "ln != NULL" failed in nd6.c 1 649d 649d 626d bdbfbec5 Do more sanity checks when accepting socket addresses in routing messages from user land. Inspect length field early in rtm_xaddrs(). Strings must be NUL terminated. The socket address type and length depend on the routing message type. Currently checks are not super strict to avoid too much user land fallout. OK mpi@ Reported-by: syzbot+638dbf7851da8e255af5@syzkaller.appspotmail.com
assert "ifa == rt->rt_ifa" failed in nd6.c 9 626d 627d 626d bdbfbec5 Do more sanity checks when accepting socket addresses in routing messages from user land. Inspect length field early in rtm_xaddrs(). Strings must be NUL terminated. The socket address type and length depend on the routing message type. Currently checks are not super strict to avoid too much user land fallout. OK mpi@ Reported-by: syzbot+638dbf7851da8e255af5@syzkaller.appspotmail.com
uvm_fault: strlcpy 18 633d 754d 631d bdbfbec5 Do more sanity checks when accepting socket addresses in routing messages from user land. Inspect length field early in rtm_xaddrs(). Strings must be NUL terminated. The socket address type and length depend on the routing message type. Currently checks are not super strict to avoid too much user land fallout. OK mpi@ Reported-by: syzbot+638dbf7851da8e255af5@syzkaller.appspotmail.com
uvm_fault: uvm_unmap_remove C 780 643d 662d 643d 00ba8250 vm_teardown() must be serialized since it modifies the global vmm_softc structure. Therefore grab the appropriate lock before calling the same function. This issue has been known for a while and reported before but lacking a way to easily reproduce it; until syzkaller came up with a reproducer.
panic: malloc: allocation too large, type = 2, size = ADDR (2) C 16842 644d 662d 644d 225e50e8 Do not decrement the number of VMs counter twice in one of vm_create() error paths. If creation of the first VM fails, the counter will wrap around to a huge value. The same value could later be passed to malloc() through vm_get_info() causing a panic.
kernel: protection fault trap, code=0 (5) C 607 650d 725d 650d a4205624 Fix a route use after free in IPv6 multicast route. Move the mrt6_mcast6_del() out of the rtable_walk(). This avoids recursion to prevent stack overflow. Also it allows freeing the route outside of the walk. Now mrt6_mcast_del() frees the route only when it is deleted from the routing table. If that fails, it must not be freed. After the route is returned by mf6c_find(), it is reference counted. Then we need a rtfree(), but not in the other case. Name mrt6_mcast_add() and mrt6_mcast_del() consistently. Move rt_timer_remove_all() into mrt6_mcast_del(). Reported-by: syzbot+af7d510593d74c825960@syzkaller.appspotmail.com OK mpi@
panic: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock 33 659d 663d 659d d3f3cb99 Do not use the flow of the first fragment to store ECN information. Handle the ECN in the fragment queue. Reported-by: syzbot+0aa80b25e9041001cac8@syzkaller.appspotmail.com fix from FreeBSD; OK claudio@
uvm_fault: frag6_input 24 659d 663d 659d d3f3cb99 Do not use the flow of the first fragment to store ECN information. Handle the ECN in the fragment queue. Reported-by: syzbot+0aa80b25e9041001cac8@syzkaller.appspotmail.com fix from FreeBSD; OK claudio@
witness: userret: returning with the following locks held: C 315 659d 869d 659d b808994c When a thread tries to exclusively lock a vnode, the same thread must ensure that any other thread currently trying to acquire the underlying vnode lock has observed that the same vnode is about to be exclusively locked. Such threads must then sleep until the exclusive lock has been released and then try to acquire the lock again. Otherwise, exclusive access to the vnode cannot be guaranteed.
panic: vput: ref cnt C 6 672d 674d 671d d627fa5c Serialize access to the vnode pointers associated with acct(2) system accounting. Prevents a race where the acct thread and the acct(2) syscall both tries to close a vnode.
assert "timo || _kernel_lock_held()" failed in kern_synch.c C 2 673d 673d 673d 93e05fce Revert unlock of lseek(2) since vn_lock() could end up calling tsleep() which is not allowed without holding the kernel lock. Otherwise, wakeups could be lost.
panic: vrele: v_writecount != 0 C 51 681d 686d 680d 3e253b47 Favor vn_close() in the error path of diskmapioctl() since side-effects caused by calling vn_open() with write permissions must be reverted. Otherwise, the vfs subsystem could panic while releasing the last vnode reference if the writecount is still positive.
panic: vput: v_writecount != 0 (2) C 112 681d 686d 680d 3e253b47 Favor vn_close() in the error path of diskmapioctl() since side-effects caused by calling vn_open() with write permissions must be reverted. Otherwise, the vfs subsystem could panic while releasing the last vnode reference if the writecount is still positive.
assert "cpipe->pipe_buffer.cnt == 0" failed in sys_pipe.c C 8 707d 708d 707d 40f8ed5e backout the unlock of pipe(2) and pipe2(2)
kernel: protection fault trap, code=0 (4) C 759 726d 838d 725d cf34c7c3 Prevent recursions by not deleting entries inside rtable_walk(9).
uvm_fault: arp_rtrequest C 79 744d 755d 733d 4cb08838 In arp_rtrequest and nd6_rtrequest return early if the RTF_MPLS flag is set. These mpls routes use the rt_llinfo structure to store the MPLS label and would confuse the arp and nd6 code. OK bluhm@ anton@
assert "(rt->rt_flags & RTF_MPATH) || mrt->rt_priority != prio" failed in rtable.c C 143 744d 758d 733d ff10691e Copy the user provided sockaddr into a normalized sockaddr in rtrequest() before adding it to the routing table. The rtable code is doing memcmp() of those rt_dest sockaddrs so it is important that they are stored in a canonical form. To do this struct domain is extended to include the sockaddr size for this address family. OK bluhm@ anton@
uvm_fault: mrt6_ioctl C 2 754d 754d 742d a8f2b5c7 Add missing NULL check for the protocol control block (pcb) pointer in mrt{6,}_ioctl. Calling shutdown(2) on the socket prior to the ioctl command can cause it to be NULL.
uvm_fault: mrt_ioctl C 2 743d 743d 742d a8f2b5c7 Add missing NULL check for the protocol control block (pcb) pointer in mrt{6,}_ioctl. Calling shutdown(2) on the socket prior to the ioctl command can cause it to be NULL.
uvm_fault: pckbc_start (2) syz 2 756d 756d 743d bc79b6e3 Prevent corruption of the pckbc command queue. If multiple synchronous commands are in flight and all corresponding threads are sleeping waiting for a response, the first command to timeout will clear the command queue. The remaining threads once awake will then try to remove a dequeued command from the queue, leading to corruption. Instead, remove commands from the queue before waking up the sleeping thread. A quirk is still needed to handle the case where tsleep() returns successfully during suspend.
assert "_kernel_lock_held()" failed in kern_event.c C 11 774d 777d 744d 1be240a9 Removed all diagnostic, calling printf() here might create a recursion.
witness: reversal: &pr->ps_mtx &sched_lock C 141 745d 746d 745d 17b25159 Revert to using the SCHED_LOCK() to protect time accounting.
uvm_fault: wsmux_do_ioctl (4) C 3 759d 783d 756d 78fe050f A problem fixed in wskbd is also present in wsmux. Repeating the previous commit message:
panic: malloc: out of space in kmem_map 97 809d 873d 757d During fuzzing, one or many fuzzing processes are often stuck waiting on memory from the subproc malloc subsystem which is exhausted. Attempt to circumvent such scenarios by allocation the kcov coverage buffer using km_alloc() instead.
uvm_fault: rtm_report C 2 782d 782d 766d 1b18c049 Make rt_mpls_set() be more strict in what it accepts. Also ensure that the RTF_MPLS can't be toggled without rt_mpls_set() being called. While RTF_MPLS is part of RTF_FMASK it should be excluded from the flags and mask when they are applied to the route since toggling it requires a call to rt_mpls_set(). OK bluhm@
syzkaller: testing failed: failed to run ["go" "test" "-short" "./..."]: exit status 1 36 767d 769d 767d fbb8d265 Restore previous behavior of limiting deadlock detection to posix-style locks.
multicore build error (3) 4 771d 771d 771d always rearm completion queues as leaving them disarmed would lead to rx or tx completion stalling.
openbsd build error (5) 2 771d 771d 771d always rearm completion queues as leaving them disarmed would lead to rx or tx completion stalling.
panic: timeout_add: to_ticks < 0 (3) 1 794d 794d 782d 1af42441 Lower the accepted upper bound for bd_rtout to INT_MAX in order to prevent passing negative values to timeout_add().
panic: mtx ADDR: locking against myself C 3 787d 788d 786d vmm(4): remove a debug printf that was causing lock issues (it was being called from an IPI routine).
panic: timeout_add: to_ticks < 0 (2) syz 12 804d 806d 804d bf201847 Reject negative and too large timeouts passed to BIOCSRTIMEOUT. Since the timeout converted to ticks is later passed timeout_add(), it could cause a panic if the timeout is negative.
uvm_fault: rtable_satoplen (2) syz 101 808d 817d 804d 575ef114 Add a more strict rtm_hdrlen size check. Make sure that at least struct rt_msghdr bytes are passed in. Also return a failure from rtm_xaddrs() if rti_addrs has bad flags or run out of space. Ok bluhm@
uvm_fault: memcpy C 460 808d 828d 807d 575ef114 Add a more strict rtm_hdrlen size check. Make sure that at least struct rt_msghdr bytes are passed in. Also return a failure from rtm_xaddrs() if rti_addrs has bad flags or run out of space. Ok bluhm@
panic: malloc: allocation too large, type = 2, size = ADDR C 914 809d 871d 809d fd7c8060 Restrict the number of allowed wsmux devices, just like wskbd and wsmouse already does. Otherwise, malloc could panic if the device minor is sufficiently large.
openbsd build error (2) 1 813d 813d 812d 6baecefe Tweak previous: include <sys/stdint.h> for INT64_MAX/INT64_MIN.
assert "tname->un_flags & UNVEIL_USERSET" failed in kern_unveil.c C 1447 812d 815d 812d f4c23aa8 Remove this assert, I can't do this here with UNVEIL_INSPECT added aggressively today. Hopefully post release a glorious flensing will remove UNVEIL_INSPECT anyway
uvm_fault: rtable_satoplen 158 817d 834d 817d fab4809e Make sure pointer is within bounds before dereferencing it.
witness: acquiring duplicate lock of same type: "&sc->sc_lock" C 231 846d 848d 846d 1f8a38b1 When adding a wsmux device to an existing wsmux device using ioctl(WSMUXIO_ADD_DEVICE), two distinct locks of the same type are acquired. Thus, witness will emit warning. Since acquiring two different locks of the same type is harmless in this context, relax the witness check by flagging the locks as RWL_DUPOK.
panic: timeout_add: to_ticks < 0 C 66 846d 851d 846d 3cfc9cae Reject negative input from userland in spkrioctl(). One of the arguments are later passed to timeout_add() which panics if the given ticks are negative. While here, clamp arguments in pcppi_bell() in order to prevent overflow.
uvm_fault: pckbc_start 1 849d 849d 848d 0c0bf631 Serialize access to the list of attached child devices belonging to a wsmux. When invoking wsevsrc_* functions on a attached child device, underlying driver can sleep; this introduces a race where another thread is able to modify the list leading to all kinds of corruptions.
uvm_fault: wsmux_detach_sc syz 10 851d 862d 848d 0c0bf631 Serialize access to the list of attached child devices belonging to a wsmux. When invoking wsevsrc_* functions on a attached child device, underlying driver can sleep; this introduces a race where another thread is able to modify the list leading to all kinds of corruptions.
panic: vmmaplk: lock not shared C 16 859d 871d 859d Always refault if relocking maps fails after IO. This fixes a regression
panic: pool_p_free: semupl free list modified: page ADDR; item addr ADDR; offset 0x0=ADDR C 5 859d 979d 859d When freeing the sem_undo structure in semundo_adjust(), update the
pool: free list modified: semupl C 6 865d 979d 859d When freeing the sem_undo structure in semundo_adjust(), update the
pool: double put: mbufpl 6 925d 926d 859d Avoid an mbuf double free in the oob soreceive() path. In the
uvm_fault: wsmux_do_ioctl (2) C 17 867d 871d 866d In wskbdclose(), use the same logic as in wskbdopen() to determine if
kernel: protection fault trap, code=0 (3) C 3 871d 871d 870d Validate the user-supplied device index given to WSMUXIO_ADD_DEVICE. The same
uvm_fault: VOP_ACCESS 393 875d 918d 875d namei can return a null dvp on success. check this before access.
kernel: protection fault trap, code=0 (2) syz 109 876d 900d 876d Introduce a dedicated entry point data structure for file locks. This new data
panic: malformed IPv4 option passed to ip_optcopy (2) C 149 881d 885d 879d Bring back the ip_pcbopts() refactor. Pad the option buffer and therefor the mbuf to the next word length as it is required by the standard. Also use the correct offset from the input mbuf. OK visa@, input & OK bluhm@
panic: uvm_fault_unwire_locked: address not in map C 2 904d 904d 887d Hold a read lock on the map while doing the actual device I/O during in
assert "next != NULL && next->start <= entry->end" failed in uvm_fault.c C 2 902d 902d 887d Hold a read lock on the map while doing the actual device I/O during in
panic: malformed IPv4 option passed to ip_optcopy C 10 902d 911d 890d Validate the version, and all length fields of IP packets passed to a raw socket
panic: m_zero: M_READONLY C 3 896d 896d 890d It is possible to call m_zero with a read-only cluster. In that case just
assert "__mp_lock_held(&sched_lock, curcpu()) == 0" failed in kern_lock.c C 17 892d 904d 891d ec412da1 Fix unsafe use of ptsignal() in mi_switch().
uvm_fault: m_free 12 902d 925d 892d 54e30ac1 Fix mbuf related crashes in switch(4). They have been found by syzkaller as a pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
pool: free list modified: mbufpl syz 13 911d 925d 892d 54e30ac1 Fix mbuf related crashes in switch(4). They have been found by syzkaller as a pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pr_find_pagehead: mbufpl: incorrect page 3 905d 921d 892d 54e30ac1 Fix mbuf related crashes in switch(4). They have been found by syzkaller as a pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pool_cache_item_magic_check: mcl64k cpu free list modified: item addr ADDR+24 ADDR!=ADDR 1 923d 923d 892d 54e30ac1 Fix mbuf related crashes in switch(4). They have been found by syzkaller as a pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
uvm_fault: switchread 1 920d 920d 892d 54e30ac1 Fix mbuf related crashes in switch(4). They have been found by syzkaller as a pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
uvm_fault: switchwrite syz 7 902d 922d 892d 54e30ac1 Fix mbuf related crashes in switch(4). They have been found by syzkaller as a pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr ADDR+16 0x0!=ADDR 1 913d 913d 894d 54e30ac1 Fix mbuf related crashes in switch(4). They have been found by syzkaller as a pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pr_find_pagehead: mbufpl: page header missing C 10 912d 925d 900d Fix mbuf related crashes in switch(4). They have been found by
pool: free list modified: mcl2k C 4 909d 964d 909d Replace a wrong poor man's m_trailingspace() with the real thing. The mbuf
panic: receive 3: so ADDR, so_type 1, m ADDR, m_type 6 C 18 911d 920d 910d When using MSG_WAITALL, soreceive() can sleep while processing the receive buffer of a stream socket. Then a new pair of control and data mbuf can be appended to the mbuf queue. In this case, terminate the loop with a short read to prevent a panic. Userland should read the control message with the next system call. OK claudio@ deraadt@
panic: kernel diagnostic assertion "M_DATABUF(m) + M_SIZE(m) >= (m->m_data + m->m_len)" failed: file "/syzkaller/manager C 7 920d 926d 910d 49729d6e In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees the inpcb apart from the disconnect. Just call soisdisconnected() and clear the inp->inp_faddr since the socket is still valid after a disconnect. Problem found by syzkaller via Greg Steuck OK visa@ Fixes: Reported-by: syzbot+2cd350dfe5c96f6469f2@syzkaller.appspotmail.com Reported-by: syzbot+139ac2d7d3d60162334b@syzkaller.appspotmail.com Reported-by: syzbot+02168317bd0156c13b69@syzkaller.appspotmail.com Reported-by: syzbot+de8d2459ecf4cdc576a1@syzkaller.appspotmail.com
pool: double put: lockfpl 1 987d 979d 910d Rework previous lockf fix; bluhm@ noticed a regress failure during consecutive runs. This is a second attempt in which the lockf structure is turned into a doubly linked list which makes it easier to ensure correctness during list insertion and deletion.
uvm_fault: killjobc 1 915d 915d 911d When no child devices are attached to a wsmux device, make sure to return an
uvm_fault: wsmux_do_ioctl 2 941d 979d 911d Utilize sigio with wscons. The old behavior of always making the process group of the process who opens the device the default recipient of sigio is removed as a side-effect of this change. Issuing ioctl(FIOSETOWN) is therefore mandatory in order to receive sigio, which is more consistent with other subsystems supporting sigio.
uvm_fault: sogetopt C 2 928d 928d 925d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
kernel: protection fault trap, code=0 C 16 925d 929d 925d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
uvm_fault: ip_ctloutput C 11 925d 929d 925d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
uvm_fault: ip_pcbopts C 6 925d 928d 925d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees