| panic: vput: ref cnt |
C |
|
6 |
11d |
12d
|
9d17h |
d627fa5c
Serialize access to the vnode pointers associated with acct(2) system accounting. Prevents a race where the acct thread and the acct(2) syscall both tries to close a vnode.
|
| assert "timo || _kernel_lock_held()" failed in kern_synch.c |
C |
|
2 |
12d |
12d
|
11d |
93e05fce
Revert unlock of lseek(2) since vn_lock() could end up calling tsleep() which is not allowed without holding the kernel lock. Otherwise, wakeups could be lost.
|
| panic: vrele: v_writecount != 0 |
C |
|
51 |
19d |
25d
|
19d |
3e253b47
Favor vn_close() in the error path of diskmapioctl() since side-effects caused by calling vn_open() with write permissions must be reverted. Otherwise, the vfs subsystem could panic while releasing the last vnode reference if the writecount is still positive.
|
| panic: vput: v_writecount != 0 (2) |
C |
|
112 |
19d |
25d
|
19d |
3e253b47
Favor vn_close() in the error path of diskmapioctl() since side-effects caused by calling vn_open() with write permissions must be reverted. Otherwise, the vfs subsystem could panic while releasing the last vnode reference if the writecount is still positive.
|
| assert "cpipe->pipe_buffer.cnt == 0" failed in sys_pipe.c |
C |
|
8 |
46d |
46d
|
46d |
40f8ed5e
backout the unlock of pipe(2) and pipe2(2)
|
| kernel: protection fault trap, code=0 (4) |
C |
|
759 |
64d |
177d
|
63d |
cf34c7c3
Prevent recursions by not deleting entries inside rtable_walk(9).
|
| uvm_fault: arp_rtrequest |
C |
|
79 |
83d |
93d
|
72d |
4cb08838
In arp_rtrequest and nd6_rtrequest return early if the RTF_MPLS flag is set. These mpls routes use the rt_llinfo structure to store the MPLS label and would confuse the arp and nd6 code. OK bluhm@ anton@
|
| assert "(rt->rt_flags & RTF_MPATH) || mrt->rt_priority != prio" failed in rtable.c |
C |
|
143 |
83d |
96d
|
72d |
ff10691e
Copy the user provided sockaddr into a normalized sockaddr in rtrequest() before adding it to the routing table. The rtable code is doing memcmp() of those rt_dest sockaddrs so it is important that they are stored in a canonical form. To do this struct domain is extended to include the sockaddr size for this address family. OK bluhm@ anton@
|
| uvm_fault: mrt6_ioctl |
C |
|
2 |
93d |
93d
|
81d |
a8f2b5c7
Add missing NULL check for the protocol control block (pcb) pointer in mrt{6,}_ioctl. Calling shutdown(2) on the socket prior to the ioctl command can cause it to be NULL.
|
| uvm_fault: mrt_ioctl |
C |
|
2 |
82d |
82d
|
81d |
a8f2b5c7
Add missing NULL check for the protocol control block (pcb) pointer in mrt{6,}_ioctl. Calling shutdown(2) on the socket prior to the ioctl command can cause it to be NULL.
|
| uvm_fault: pckbc_start (2) |
syz |
|
2 |
94d |
94d
|
82d |
bc79b6e3
Prevent corruption of the pckbc command queue. If multiple synchronous commands are in flight and all corresponding threads are sleeping waiting for a response, the first command to timeout will clear the command queue. The remaining threads once awake will then try to remove a dequeued command from the queue, leading to corruption. Instead, remove commands from the queue before waking up the sleeping thread. A quirk is still needed to handle the case where tsleep() returns successfully during suspend.
|
| assert "_kernel_lock_held()" failed in kern_event.c |
C |
|
11 |
112d |
115d
|
82d |
1be240a9
Removed all diagnostic, calling printf() here might create a recursion.
|
| witness: reversal: &pr->ps_mtx &sched_lock |
C |
|
141 |
84d |
85d
|
84d |
17b25159
Revert to using the SCHED_LOCK() to protect time accounting.
|
| uvm_fault: wsmux_do_ioctl (4) |
C |
|
3 |
97d |
121d
|
95d |
78fe050f
A problem fixed in wskbd is also present in wsmux. Repeating the previous commit message:
|
| panic: malloc: out of space in kmem_map |
|
|
97 |
147d |
212d
|
96d |
During fuzzing, one or many fuzzing processes are often stuck waiting on memory from the subproc malloc subsystem which is exhausted. Attempt to circumvent such scenarios by allocation the kcov coverage buffer using km_alloc() instead.
|
| uvm_fault: rtm_report |
C |
|
2 |
121d |
121d
|
105d |
1b18c049
Make rt_mpls_set() be more strict in what it accepts. Also ensure that the RTF_MPLS can't be toggled without rt_mpls_set() being called. While RTF_MPLS is part of RTF_FMASK it should be excluded from the flags and mask when they are applied to the route since toggling it requires a call to rt_mpls_set(). OK bluhm@
|
| syzkaller: testing failed: failed to run ["go" "test" "-short" "./..."]: exit status 1 |
|
|
36 |
106d |
107d
|
105d |
fbb8d265
Restore previous behavior of limiting deadlock detection to posix-style locks.
|
| multicore build error (3) |
|
|
4 |
110d |
110d
|
109d |
always rearm completion queues as leaving them disarmed would lead to rx or tx completion stalling.
|
| openbsd build error (5) |
|
|
2 |
110d |
110d
|
109d |
always rearm completion queues as leaving them disarmed would lead to rx or tx completion stalling.
|
| panic: timeout_add: to_ticks < 0 (3) |
|
|
1 |
132d |
132d
|
121d |
1af42441
Lower the accepted upper bound for bd_rtout to INT_MAX in order to prevent passing negative values to timeout_add().
|
| panic: mtx ADDR: locking against myself |
C |
|
3 |
126d |
127d
|
124d |
vmm(4): remove a debug printf that was causing lock issues (it was being called from an IPI routine).
|
| panic: timeout_add: to_ticks < 0 (2) |
syz |
|
12 |
143d |
144d
|
143d |
bf201847
Reject negative and too large timeouts passed to BIOCSRTIMEOUT. Since the timeout converted to ticks is later passed timeout_add(), it could cause a panic if the timeout is negative.
|
| uvm_fault: rtable_satoplen (2) |
syz |
|
101 |
146d |
155d
|
143d |
575ef114
Add a more strict rtm_hdrlen size check. Make sure that at least struct rt_msghdr bytes are passed in. Also return a failure from rtm_xaddrs() if rti_addrs has bad flags or run out of space. Ok bluhm@
|
| uvm_fault: memcpy |
C |
|
460 |
146d |
166d
|
146d |
575ef114
Add a more strict rtm_hdrlen size check. Make sure that at least struct rt_msghdr bytes are passed in. Also return a failure from rtm_xaddrs() if rti_addrs has bad flags or run out of space. Ok bluhm@
|
| panic: malloc: allocation too large, type = 2, size = ADDR |
C |
|
914 |
147d |
210d
|
147d |
fd7c8060
Restrict the number of allowed wsmux devices, just like wskbd and wsmouse already does. Otherwise, malloc could panic if the device minor is sufficiently large.
|
| openbsd build error (2) |
|
|
1 |
151d |
151d
|
150d |
6baecefe
Tweak previous: include <sys/stdint.h> for INT64_MAX/INT64_MIN.
|
| assert "tname->un_flags & UNVEIL_USERSET" failed in kern_unveil.c |
C |
|
1447 |
150d |
153d
|
150d |
f4c23aa8
Remove this assert, I can't do this here with UNVEIL_INSPECT added aggressively today. Hopefully post release a glorious flensing will remove UNVEIL_INSPECT anyway
|
| uvm_fault: rtable_satoplen |
|
|
158 |
155d |
172d
|
155d |
fab4809e
Make sure pointer is within bounds before dereferencing it.
|
| witness: acquiring duplicate lock of same type: "&sc->sc_lock" |
C |
|
231 |
185d |
187d
|
185d |
1f8a38b1
When adding a wsmux device to an existing wsmux device using ioctl(WSMUXIO_ADD_DEVICE), two distinct locks of the same type are acquired. Thus, witness will emit warning. Since acquiring two different locks of the same type is harmless in this context, relax the witness check by flagging the locks as RWL_DUPOK.
|
| panic: timeout_add: to_ticks < 0 |
C |
|
66 |
185d |
190d
|
185d |
3cfc9cae
Reject negative input from userland in spkrioctl(). One of the arguments are later passed to timeout_add() which panics if the given ticks are negative. While here, clamp arguments in pcppi_bell() in order to prevent overflow.
|
| uvm_fault: pckbc_start |
|
|
1 |
187d |
187d
|
186d |
0c0bf631
Serialize access to the list of attached child devices belonging to a wsmux. When invoking wsevsrc_* functions on a attached child device, underlying driver can sleep; this introduces a race where another thread is able to modify the list leading to all kinds of corruptions.
|
| uvm_fault: wsmux_detach_sc |
syz |
|
10 |
189d |
201d
|
187d |
0c0bf631
Serialize access to the list of attached child devices belonging to a wsmux. When invoking wsevsrc_* functions on a attached child device, underlying driver can sleep; this introduces a race where another thread is able to modify the list leading to all kinds of corruptions.
|
| panic: vmmaplk: lock not shared |
C |
|
16 |
198d |
210d
|
197d |
Always refault if relocking maps fails after IO. This fixes a regression
|
| panic: pool_p_free: semupl free list modified: page ADDR; item addr ADDR; offset 0x0=ADDR |
C |
|
5 |
198d |
317d
|
197d |
When freeing the sem_undo structure in semundo_adjust(), update the
|
| pool: free list modified: semupl |
C |
|
6 |
204d |
317d
|
197d |
When freeing the sem_undo structure in semundo_adjust(), update the
|
| pool: double put: mbufpl |
|
|
6 |
264d |
265d
|
197d |
Avoid an mbuf double free in the oob soreceive() path. In the
|
| uvm_fault: wsmux_do_ioctl (2) |
C |
|
17 |
205d |
209d
|
204d |
In wskbdclose(), use the same logic as in wskbdopen() to determine if
|
| kernel: protection fault trap, code=0 (3) |
C |
|
3 |
210d |
210d
|
209d |
Validate the user-supplied device index given to WSMUXIO_ADD_DEVICE. The same
|
| uvm_fault: VOP_ACCESS |
|
|
393 |
213d |
256d
|
213d |
namei can return a null dvp on success. check this before access.
|
| kernel: protection fault trap, code=0 (2) |
syz |
|
109 |
215d |
238d
|
215d |
Introduce a dedicated entry point data structure for file locks. This new data
|
| panic: malformed IPv4 option passed to ip_optcopy (2) |
C |
|
149 |
220d |
224d
|
217d |
Bring back the ip_pcbopts() refactor. Pad the option buffer and therefor the mbuf to the next word length as it is required by the standard. Also use the correct offset from the input mbuf. OK visa@, input & OK bluhm@
|
| panic: uvm_fault_unwire_locked: address not in map |
C |
|
2 |
242d |
242d
|
226d |
Hold a read lock on the map while doing the actual device I/O during in
|
| assert "next != NULL && next->start <= entry->end" failed in uvm_fault.c |
C |
|
2 |
240d |
240d
|
226d |
Hold a read lock on the map while doing the actual device I/O during in
|
| panic: malformed IPv4 option passed to ip_optcopy |
C |
|
10 |
240d |
249d
|
229d |
Validate the version, and all length fields of IP packets passed to a raw socket
|
| panic: m_zero: M_READONLY |
C |
|
3 |
234d |
234d
|
229d |
It is possible to call m_zero with a read-only cluster. In that case just
|
| assert "__mp_lock_held(&sched_lock, curcpu()) == 0" failed in kern_lock.c |
C |
|
17 |
231d |
242d
|
230d |
ec412da1
Fix unsafe use of ptsignal() in mi_switch().
|
| uvm_fault: m_free |
|
|
12 |
241d |
263d
|
230d |
54e30ac1
Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
|
| pool: free list modified: mbufpl |
syz |
|
13 |
250d |
263d
|
230d |
54e30ac1
Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
|
| panic: pr_find_pagehead: mbufpl: incorrect page |
|
|
3 |
244d |
260d
|
230d |
54e30ac1
Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
|
| panic: pool_cache_item_magic_check: mcl64k cpu free list modified: item addr ADDR+24 ADDR!=ADDR |
|
|
1 |
261d |
261d
|
230d |
54e30ac1
Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
|
| uvm_fault: switchread |
|
|
1 |
258d |
258d
|
230d |
54e30ac1
Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
|
| uvm_fault: switchwrite |
syz |
|
7 |
241d |
261d
|
230d |
54e30ac1
Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
|
| panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr ADDR+16 0x0!=ADDR |
|
|
1 |
251d |
251d
|
233d |
54e30ac1
Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
|
| panic: pr_find_pagehead: mbufpl: page header missing |
C |
|
10 |
250d |
263d
|
239d |
Fix mbuf releated crashes in switch(4). They have been found by
|
| pool: free list modified: mcl2k |
C |
|
4 |
248d |
302d
|
247d |
Replace a wrong poor mans m_trailingspace() with the real thing. The mbuf
|
| panic: receive 3: so ADDR, so_type 1, m ADDR, m_type 6 |
C |
|
18 |
249d |
259d
|
248d |
When using MSG_WAITALL, soreceive() can sleep while processing the receive buffer of a stream socket. Then a new pair of control and data mbuf can be appended to the mbuf queue. In this case, terminate the loop with a short read to prevent a panic. Userland should read the control message with the next system call. OK claudio@ deraadt@
|
| panic: kernel diagnostic assertion "M_DATABUF(m) + M_SIZE(m) >= (m->m_data + m->m_len)" failed: file "/syzkaller/manager |
C |
|
7 |
258d |
264d
|
248d |
49729d6e
In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees the inpcb apart from the disconnect. Just call soisdisconnected() and clear the inp->inp_faddr since the socket is still valid after a disconnect. Problem found by syzkaller via Greg Steuck OK visa@ Fixes: Reported-by: syzbot+2cd350dfe5c96f6469f2@syzkaller.appspotmail.com Reported-by: syzbot+139ac2d7d3d60162334b@syzkaller.appspotmail.com Reported-by: syzbot+02168317bd0156c13b69@syzkaller.appspotmail.com Reported-by: syzbot+de8d2459ecf4cdc576a1@syzkaller.appspotmail.com
|
| pool: double put: lockfpl |
|
|
1 |
326d |
317d
|
248d |
Rework previous lockf fix; bluhm@ noticed a regress failure during consecutive runs. This is a second attempt in which the lockf structure is turned into a doubly linked list which makes it easier to ensure correctness during list insertion and deletion.
|
| uvm_fault: killjobc |
|
|
1 |
253d |
253d
|
249d |
When no child devices are attached to a wsmux device, make sure to return an
|
| uvm_fault: wsmux_do_ioctl |
|
|
2 |
279d |
317d
|
249d |
Utilize sigio with wscons. The old behavior of always making the process group of the process who opens the device the default recipient of sigio is removed as a side-effect of this change. Issuing ioctl(FIOSETOWN) is therefore mandatory in order to receive sigio, which is more consistent with other subsystems supporting sigio.
|
| uvm_fault: sogetopt |
C |
|
2 |
266d |
266d
|
263d |
In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
|
| kernel: protection fault trap, code=0 |
C |
|
16 |
263d |
268d
|
263d |
In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
|
| uvm_fault: ip_ctloutput |
C |
|
11 |
263d |
267d
|
263d |
In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
|
| uvm_fault: ip_pcbopts |
C |
|
6 |
263d |
267d
|
263d |
In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
|