syzbot


fixed (51):
Title Repro Bisected Count Last Reported Closed Patch
uvm_fault: wsmux_do_ioctl (4) C 3 4d05h 28d 1d20h 78fe050f A problem fixed in wskbd is also present in wsmux. Repeating the previous commit message:
panic: malloc: out of space in kmem_map 97 54d 119d 2d20h During fuzzing, one or many fuzzing processes are often stuck waiting on memory from the subproc malloc subsystem which is exhausted. Attempt to circumvent such scenarios by allocation the kcov coverage buffer using km_alloc() instead.
uvm_fault: rtm_report C 2 27d 27d 11d 1b18c049 Make rt_mpls_set() be more strict in what it accepts. Also ensure that the RTF_MPLS can't be toggled without rt_mpls_set() being called. While RTF_MPLS is part of RTF_FMASK it should be excluded from the flags and mask when they are applied to the route since toggling it requires a call to rt_mpls_set(). OK bluhm@
syzkaller: testing failed: failed to run ["go" "test" "-short" "./..."]: exit status 1 36 12d 14d 12d fbb8d265 Restore previous behavior of limiting deadlock detection to posix-style locks.
multicore build error (3) 4 16d 16d 16d always rearm completion queues as leaving them disarmed would lead to rx or tx completion stalling.
openbsd build error (5) 2 16d 16d 16d always rearm completion queues as leaving them disarmed would lead to rx or tx completion stalling.
panic: timeout_add: to_ticks < 0 (3) 1 39d 39d 27d 1af42441 Lower the accepted upper bound for bd_rtout to INT_MAX in order to prevent passing negative values to timeout_add().
panic: mtx ADDR: locking against myself C 3 33d 33d 31d vmm(4): remove a debug printf that was causing lock issues (it was being called from an IPI routine).
panic: timeout_add: to_ticks < 0 (2) syz 12 50d 51d 49d bf201847 Reject negative and too large timeouts passed to BIOCSRTIMEOUT. Since the timeout converted to ticks is later passed timeout_add(), it could cause a panic if the timeout is negative.
uvm_fault: rtable_satoplen (2) syz 101 53d 62d 49d 575ef114 Add a more strict rtm_hdrlen size check. Make sure that at least struct rt_msghdr bytes are passed in. Also return a failure from rtm_xaddrs() if rti_addrs has bad flags or run out of space. Ok bluhm@
uvm_fault: memcpy C 460 53d 73d 53d 575ef114 Add a more strict rtm_hdrlen size check. Make sure that at least struct rt_msghdr bytes are passed in. Also return a failure from rtm_xaddrs() if rti_addrs has bad flags or run out of space. Ok bluhm@
panic: malloc: allocation too large, type = 2, size = ADDR C 914 54d 117d 54d fd7c8060 Restrict the number of allowed wsmux devices, just like wskbd and wsmouse already does. Otherwise, malloc could panic if the device minor is sufficiently large.
openbsd build error (2) 1 58d 58d 57d 6baecefe Tweak previous: include <sys/stdint.h> for INT64_MAX/INT64_MIN.
assert "tname->un_flags & UNVEIL_USERSET" failed in kern_unveil.c C 1447 57d 60d 57d f4c23aa8 Remove this assert, I can't do this here with UNVEIL_INSPECT added aggressively today. Hopefully post release a glorious flensing will remove UNVEIL_INSPECT anyway
uvm_fault: rtable_satoplen 158 62d 79d 62d fab4809e Make sure pointer is within bounds before dereferencing it.
witness: acquiring duplicate lock of same type: "&sc->sc_lock" C 231 92d 93d 92d 1f8a38b1 When adding a wsmux device to an existing wsmux device using ioctl(WSMUXIO_ADD_DEVICE), two distinct locks of the same type are acquired. Thus, witness will emit warning. Since acquiring two different locks of the same type is harmless in this context, relax the witness check by flagging the locks as RWL_DUPOK.
panic: timeout_add: to_ticks < 0 C 66 92d 96d 92d 3cfc9cae Reject negative input from userland in spkrioctl(). One of the arguments are later passed to timeout_add() which panics if the given ticks are negative. While here, clamp arguments in pcppi_bell() in order to prevent overflow.
uvm_fault: pckbc_start 1 94d 94d 93d 0c0bf631 Serialize access to the list of attached child devices belonging to a wsmux. When invoking wsevsrc_* functions on a attached child device, underlying driver can sleep; this introduces a race where another thread is able to modify the list leading to all kinds of corruptions.
uvm_fault: wsmux_detach_sc syz 10 96d 107d 93d 0c0bf631 Serialize access to the list of attached child devices belonging to a wsmux. When invoking wsevsrc_* functions on a attached child device, underlying driver can sleep; this introduces a race where another thread is able to modify the list leading to all kinds of corruptions.
panic: vmmaplk: lock not shared C 16 104d 116d 104d Always refault if relocking maps fails after IO. This fixes a regression
panic: pool_p_free: semupl free list modified: page ADDR; item addr ADDR; offset 0x0=ADDR C 5 104d 224d 104d When freeing the sem_undo structure in semundo_adjust(), update the
pool: free list modified: semupl C 6 110d 224d 104d When freeing the sem_undo structure in semundo_adjust(), update the
pool: double put: mbufpl 6 170d 172d 104d Avoid an mbuf double free in the oob soreceive() path. In the
uvm_fault: wsmux_do_ioctl (2) C 17 112d 116d 111d In wskbdclose(), use the same logic as in wskbdopen() to determine if
kernel: protection fault trap, code=0 (3) C 3 116d 116d 116d Validate the user-supplied device index given to WSMUXIO_ADD_DEVICE. The same
uvm_fault: VOP_ACCESS 393 120d 163d 120d namei can return a null dvp on success. check this before access.
kernel: protection fault trap, code=0 (2) syz 109 121d 145d 121d Introduce a dedicated entry point data structure for file locks. This new data
panic: malformed IPv4 option passed to ip_optcopy (2) C 149 127d 130d 124d Bring back the ip_pcbopts() refactor. Pad the option buffer and therefor the mbuf to the next word length as it is required by the standard. Also use the correct offset from the input mbuf. OK visa@, input & OK bluhm@
panic: uvm_fault_unwire_locked: address not in map C 2 149d 149d 133d Hold a read lock on the map while doing the actual device I/O during in
assert "next != NULL && next->start <= entry->end" failed in uvm_fault.c C 2 147d 147d 133d Hold a read lock on the map while doing the actual device I/O during in
panic: malformed IPv4 option passed to ip_optcopy C 10 147d 156d 136d Validate the version, and all length fields of IP packets passed to a raw socket
panic: m_zero: M_READONLY C 3 141d 141d 136d It is possible to call m_zero with a read-only cluster. In that case just
assert "__mp_lock_held(&sched_lock, curcpu()) == 0" failed in kern_lock.c C 17 138d 149d 137d ec412da1 Fix unsafe use of ptsignal() in mi_switch().
uvm_fault: m_free 12 147d 170d 137d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
pool: free list modified: mbufpl syz 13 156d 170d 137d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pr_find_pagehead: mbufpl: incorrect page 3 151d 166d 137d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pool_cache_item_magic_check: mcl64k cpu free list modified: item addr ADDR+24 ADDR!=ADDR 1 168d 168d 137d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
uvm_fault: switchread 1 165d 165d 137d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
uvm_fault: switchwrite syz 7 147d 167d 137d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr ADDR+16 0x0!=ADDR 1 158d 158d 140d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pr_find_pagehead: mbufpl: page header missing C 10 157d 170d 146d Fix mbuf releated crashes in switch(4). They have been found by
pool: free list modified: mcl2k C 4 155d 209d 154d Replace a wrong poor mans m_trailingspace() with the real thing. The mbuf
panic: receive 3: so ADDR, so_type 1, m ADDR, m_type 6 C 18 156d 165d 155d When using MSG_WAITALL, soreceive() can sleep while processing the receive buffer of a stream socket. Then a new pair of control and data mbuf can be appended to the mbuf queue. In this case, terminate the loop with a short read to prevent a panic. Userland should read the control message with the next system call. OK claudio@ deraadt@
panic: kernel diagnostic assertion "M_DATABUF(m) + M_SIZE(m) >= (m->m_data + m->m_len)" failed: file "/syzkaller/manager C 7 165d 171d 155d 49729d6e In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees the inpcb apart from the disconnect. Just call soisdisconnected() and clear the inp->inp_faddr since the socket is still valid after a disconnect. Problem found by syzkaller via Greg Steuck OK visa@ Fixes: Reported-by: syzbot+2cd350dfe5c96f6469f2@syzkaller.appspotmail.com Reported-by: syzbot+139ac2d7d3d60162334b@syzkaller.appspotmail.com Reported-by: syzbot+02168317bd0156c13b69@syzkaller.appspotmail.com Reported-by: syzbot+de8d2459ecf4cdc576a1@syzkaller.appspotmail.com
pool: double put: lockfpl 1 232d 224d 155d Rework previous lockf fix; bluhm@ noticed a regress failure during consecutive runs. This is a second attempt in which the lockf structure is turned into a doubly linked list which makes it easier to ensure correctness during list insertion and deletion.
uvm_fault: killjobc 1 160d 160d 156d When no child devices are attached to a wsmux device, make sure to return an
uvm_fault: wsmux_do_ioctl 2 186d 224d 156d Utilize sigio with wscons. The old behavior of always making the process group of the process who opens the device the default recipient of sigio is removed as a side-effect of this change. Issuing ioctl(FIOSETOWN) is therefore mandatory in order to receive sigio, which is more consistent with other subsystems supporting sigio.
uvm_fault: sogetopt C 2 173d 173d 170d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
kernel: protection fault trap, code=0 C 16 170d 175d 170d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
uvm_fault: ip_ctloutput C 11 170d 174d 170d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
uvm_fault: ip_pcbopts C 6 170d 174d 170d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees