| panic: m_copydata: null mbuf (2) |
syz |
|
|
2 |
6d05h |
6d05h
|
3d09h |
0271abd8e494
In pf the kernel paniced if IP options in packet within ICMP payload were truncated. Drop such packets instead. Reported-by: syzbot+91abd3aa2fdfe900f9ce@syzkaller.appspotmail.com OK sashan@ claudio@
|
| multicore build error (15) |
|
|
|
6 |
21d |
21d
|
21d |
ba537df4ec28
Using mutex initializer for static variable does not compile with witness. Make ratecheck mutex global. Reported-by: syzbot+9864ba1338526d0e8aca@syzkaller.appspotmail.com
|
| witness: reversal: pf_lock netlock (3) |
syz |
|
|
25 |
27d |
39d
|
27d |
f3a753b5d089
Release PF und NET lock before calling copyout for DIOCIGETIFACES. OK sashan@ Reported-by: syzbot+b6afd166e314799e3809@syzkaller.appspotmail.com
|
| protection_fault: lf_advlock |
C |
|
|
2 |
75d |
119d
|
29d |
c30ab30fe47b
Remove the lock if an identical overlapping one is already present. Preventing a use after free discovered by syzkaller.
|
| protection_fault: lf_findoverlap |
C |
|
|
2 |
42d |
74d
|
29d |
c30ab30fe47b
Remove the lock if an identical overlapping one is already present. Preventing a use after free discovered by syzkaller.
|
| assert "TAILQ_EMPTY(&lock->lf_blkhd)" failed in vfs_lockf.c |
|
|
|
1 |
42d |
42d
|
29d |
c30ab30fe47b
Remove the lock if an identical overlapping one is already present. Preventing a use after free discovered by syzkaller.
|
| protection_fault: lf_clearlock |
C |
|
|
1 |
44d |
44d
|
29d |
c30ab30fe47b
Remove the lock if an identical overlapping one is already present. Preventing a use after free discovered by syzkaller.
|
| witness: reversal: pf_lock netlock (2) |
C |
|
|
2 |
48d |
48d
|
47d |
2e34be423f16
Release PF und NET lock before calling copyin for DIOCXROLLBACK. OK bluhm@ Reported-by: syzbot+2945769fc3e6fd9ee413@syzkaller.appspotmail.com
|
| witness: reversal: pf_lock netlock |
C |
|
|
19 |
59d |
111d
|
49d |
82d8999861ab
Release PF und NET lock before calling copyin and copyout for DIOCXBEGIN. OK bluhm@ OK sashan@ Reported-by: syzbot+b22ec16c5bf937578937@syzkaller.appspotmail.com
|
| assert "next != NULL && next->start <= entry->end" failed in uvm_fault.c (4) |
C |
|
|
9 |
53d |
66d
|
52d |
f77c87828076
Replace KASSERT in uvm_fault_unwire_locked() with code that handles the case where not all pages are wired. The KASSERT can be triggered in multi-threaded applications when a thread calling munmap(2) races another thread that invokes sysctl(2). Properly written code shouldn't do this, but making the kernel crash in this case is a bit harsh.
|
| openbsd build error (17) |
|
|
|
2 |
59d |
60d
|
59d |
Put call to vmx_remote_vmclear() under #ifdef MULTIPROCESSOR to unbreak build of amd64 GENERIC
|
| uvm_fault: igmp_leavegroup (3) |
|
|
|
37 |
59d |
151d
|
59d |
a134c703e536
if_detach() does if_remove(ifp); NET_LOCK(); rti_delete(). New igmp groups may join while sleeping in interface destruction. In this case if_get() in igmp_joingroup() fails and rti_fill() is not called. Then inm->inm_rti may be NULL. This is the condition when syzkaller crashes in igmp_leavegroup(). Pass the ifp the current CPU is already holding down to igmp_joingroup() and igmp_leavegroup() to avoid half constructed igmp groups. Calling if_get() in caller and callee makes no sense anyway. Reported-by: syzbot+146823a676b7bea83649@syzkaller.appspotmail.com OK denis@
|
| openbsd boot error: uvm_fault |
|
|
|
9 |
63d |
64d
|
63d |
475618162a2c
Revert previous. Breaks probing native IDE devices.
|
| multicore boot error: uvm_fault |
|
|
|
21 |
63d |
64d
|
63d |
475618162a2c
Revert previous. Breaks probing native IDE devices.
|
| panic:p a anciqc:uikerrinngel dbialgocnkoastbliec a s s e r t i o n "! _k er neslle_lepo lcokc_khe l dw ( )i |
|
|
|
1 |
65d |
65d
|
63d |
d25fea59a0de
For raw IP packets rip_input() traverses the loop of all PCBs. From there it calls sbappendaddr() while holding the raw table mutex. This ends in sorwakeup() where we finally grab the kernel lock while holding a mutex. Witness detects this misuse. Use the same solution as for PCB notify. Collect the affected PCBs in a temporary list. The list is protected by exclusive net lock. syzbot+ebe3f03a472fecf5e42e@syzkaller.appspotmail.com OK claudio@
|
| panic: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock (6) |
C |
|
|
80 |
64d |
65d
|
63d |
2be5be2c1f9e
For raw IPv6 packets rip6_input() traverses the loop of all PCBs. From there it calls sbappendaddr() while holding the raw6 table mutex. This ends in sorwakeup() where we finally grab the kernel lock while holding a mutex. Witness detects this misuse. Use the same solution as for PCB notify. Collect the affected PCBs in a temporary list. The list is protected by exclusive net lock. Reported-by: syzbot+5b2679ee9be0895d26f9@syzkaller.appspotmail.com OK claudio@
|
| panic: apcaqnuiicr:in g b l o kckearbnelle d isalgeneops t ic a s s leorctkio n " w!_iktehr nselp_inlolocckk_ |
|
|
|
1 |
65d |
65d
|
63d |
d25fea59a0de
For raw IP packets rip_input() traverses the loop of all PCBs. From there it calls sbappendaddr() while holding the raw table mutex. This ends in sorwakeup() where we finally grab the kernel lock while holding a mutex. Witness detects this misuse. Use the same solution as for PCB notify. Collect the affected PCBs in a temporary list. The list is protected by exclusive net lock. syzbot+ebe3f03a472fecf5e42e@syzkaller.appspotmail.com OK claudio@
|
| panic: acquiring blockable sleep lock with spinlock or critical section held (pkanerinc:e l _l o c kke)r &nkeerl ndiea |
|
|
|
1 |
65d |
65d
|
63d |
d25fea59a0de
For raw IP packets rip_input() traverses the loop of all PCBs. From there it calls sbappendaddr() while holding the raw table mutex. This ends in sorwakeup() where we finally grab the kernel lock while holding a mutex. Witness detects this misuse. Use the same solution as for PCB notify. Collect the affected PCBs in a temporary list. The list is protected by exclusive net lock. syzbot+ebe3f03a472fecf5e42e@syzkaller.appspotmail.com OK claudio@
|
| panic: apcaquniirci: ng bkloerckneabll de i a g n o st ic a s s er ti o n " ! _ ke r n e l_ l oc k _ h sel |
|
|
|
1 |
64d |
64d
|
63d |
2be5be2c1f9e
For raw IPv6 packets rip6_input() traverses the loop of all PCBs. From there it calls sbappendaddr() while holding the raw6 table mutex. This ends in sorwakeup() where we finally grab the kernel lock while holding a mutex. Witness detects this misuse. Use the same solution as for PCB notify. Collect the affected PCBs in a temporary list. The list is protected by exclusive net lock. Reported-by: syzbot+5b2679ee9be0895d26f9@syzkaller.appspotmail.com OK claudio@
|
| panic: acquiring blockable sleep lock with spinlock or critical section held (kernelp_alonicck): &kkerernnelel d_ilao |
|
|
|
1 |
65d |
65d
|
63d |
d25fea59a0de
For raw IP packets rip_input() traverses the loop of all PCBs. From there it calls sbappendaddr() while holding the raw table mutex. This ends in sorwakeup() where we finally grab the kernel lock while holding a mutex. Witness detects this misuse. Use the same solution as for PCB notify. Collect the affected PCBs in a temporary list. The list is protected by exclusive net lock. syzbot+ebe3f03a472fecf5e42e@syzkaller.appspotmail.com OK claudio@
|
| panic: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock (5) |
C |
|
|
104 |
65d |
never
|
65d |
d25fea59a0de
For raw IP packets rip_input() traverses the loop of all PCBs. From there it calls sbappendaddr() while holding the raw table mutex. This ends in sorwakeup() where we finally grab the kernel lock while holding a mutex. Witness detects this misuse. Use the same solution as for PCB notify. Collect the affected PCBs in a temporary list. The list is protected by exclusive net lock. syzbot+ebe3f03a472fecf5e42e@syzkaller.appspotmail.com OK claudio@
|
| panic: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock (4) |
C |
|
|
249 |
65d |
66d
|
65d |
63abc0ec39b5
For multicast and broadcast packets udp_input() traverses the loop of all UDP PCBs. From there it calls udp_sbappend() while holding the UDP table mutex. This ends in sorwakeup() where we finally grab the kernel lock while holding a mutex. Witness detects this misuse. Use the same solution as for PCB notify. Collect the affected PCBs in a temporary list. The list is protected by exclusive net lock. Reported-by: syzbot+7596cb96fb9f3c9d6f4f@syzkaller.appspotmail.com OK sashan@
|
| witness: reversal: vmmaplk fdlock |
syz |
|
|
22 |
75d |
75d
|
73d |
447db83cf4f0
Revert holding a read lock on the map while copying out data during sysctl(2).
|
| witness: exclusive lock of (rwlock) vmmaplk while share locked |
C |
|
|
9 |
75d |
75d
|
73d |
447db83cf4f0
Revert holding a read lock on the map while copying out data during sysctl(2).
|
| witness: reversal: netlock vmmaplk |
C |
|
|
166 |
75d |
75d
|
73d |
447db83cf4f0
Revert holding a read lock on the map while copying out data during sysctl(2).
|
| panic: kmmaplk: lock not shared |
C |
|
|
15 |
75d |
76d
|
75d |
447db83cf4f0
Revert holding a read lock on the map while copying out data during sysctl(2).
|
| assert "next != NULL && next->start <= entry->end" failed in uvm_fault.c (3) |
syz |
|
|
11 |
76d |
92d
|
75d |
5f69141a284a
Hold a read lock on the map while copying out data during a sysctl(2) call to prevent another thread from unmapping the memory and triggering an assertion or even corrupting random physical memory pages.
|
| uvm_fault: socreate |
C |
|
|
106 |
90d |
90d
|
89d |
532245610f13
Reported-by: syzbot+1b5b209ce506db4d411d@syzkaller.appspotmail.com Revert the pr_usrreqs move: syzkaller found a NULL pointer deref and I won't be available to monitor for followup issues for a bit
|
| assert "sc->sc_dev == NUM" failed in if_tun.c (2) |
|
|
|
1 |
96d |
96d
|
89d |
1c9104c31d3f
have another go at fixing assert "sc->sc_dev == NUM" failed.
|
| assert "m->m_pkthdr.pf.prio <= IFQ_MAXPRIO" failed in ifq.c |
syz |
|
|
2 |
105d |
105d
|
99d |
2960c8affbaf
check pf rule "set prio" values consistently.
|
| assert "sc->sc_dev == NUM" failed in if_tun.c |
|
|
|
24 |
100d |
133d
|
99d |
156bbf72d5e4
prevent (re)opening of tun/tap interfaces that are being destroyed.
|
| assert "len >= NUM && !M_READONLY(m)" failed in uipc_mbuf.c |
syz |
|
|
153 |
101d |
110d
|
101d |
4be097b86868
The length value in bpf_movein() is casted to from size_t to u_int and then rounded before checking. Put the same check before the calculations to avoid overflow. Reported-by: syzbot+6f29d23eca959c5a9705@syzkaller.appspotmail.com OK claudio@
|
| kernel: integer divide fault trap, code=NUM (2) |
C |
|
|
8 |
107d |
110d
|
106d |
43496f5abc1b
let pfattach() to also initialize pf_default_rule_new to avoid div-by-zero in pf_purge()
|
| panic: unhandled af (4) |
syz |
|
|
11 |
124d |
153d
|
121d |
035d4f5430cb
An af-to pf rule must have an address family naf to use after translation. Make stricter sanity checks in pf ioctl to avoid later crashes during packet processing. Reported-by: syzbot+0ef9190e7d0195496d0d@syzkaller.appspotmail.com OK sashan@
|
| uvm_fault: x86_ipi_db (7) |
|
|
|
4 |
147d |
147d
|
147d |
7945134bbda7
Use a distinct variable while iterating the list of existing devices.
|
| uvm_fault: pppacopen |
C |
|
|
92 |
147d |
147d
|
147d |
7945134bbda7
Use a distinct variable while iterating the list of existing devices.
|
| assert "TAILQ_EMPTY(&ifp->if_addrhooks)" failed in if.c (2) |
|
|
|
1 |
149d |
149d
|
147d |
188a0a692db5
Prevent concurrent access to incomplete or dying `sc' caused by sleep points in pppacopen() and pppacclose() paths. Use the same "sc_ready" logic we use for 'pppx_if' structure.
|
| panic: free: size too small NUM <= NUM / NUM (ADDR) type devbuf |
|
|
|
1 |
150d |
150d
|
147d |
61c8c0f0fd3e
Prevent a double free by assigning the new keymap and corresponding size after the allocation and initialization is done. Otherwise, a race is possible if malloc ends up sleeping.
|
| SYZFAIL: ioctl remote attach failed (3) |
|
|
|
13 |
149d |
153d
|
148d |
982627fcf222
Do not allow send/receive of kcov descriptors as the file descriptor can be kept alive longer than expected causing syzkaller to no longer being able to enable remote coverage.
|
| assert "(rule != NULL) && (rule->ruleset != NULL)" failed in pf_ioctl.c |
C |
|
|
7 |
151d |
694d
|
151d |
5a50f165b8ad
DIOCHANGERRULE ioctl must set pointer to ruleset in rule it inserts.
|
| witness: userret: ioctl (3) |
syz |
|
|
2 |
155d |
155d
|
154d |
41a45098bac2
Disk lock was held when returning to userland. Add a missing unlock in vnd ioctl error path. Reported-by: syzbot+6dde3fda33074a256318@syzkaller.appspotmail.com OK jsg@ anton@
|
| uvm_fault: sysctl_diskinit |
|
|
|
1 |
161d |
161d
|
155d |
278923c07fda
While malloc sleeps, the disk list could change during sysctl. Then allocated memory could be too short for the list of disks. Retry allocating enough space until it did not change. The disk list and duid memory are protected by kernel lock. Use asserts to mark this explicitly. Reported-by: syzbot+807423f6868bbfb836bc@syzkaller.appspotmail.com OK anton@ mpi@
|
| uvm_fault: pfsync_state_import |
C |
|
|
10 |
642d |
712d
|
155d |
d13e571b26fd
Remove ptr_array from struct pf_ruleset
|
| panic: uvm_fault_unwire_locked: address not in map (3) |
|
|
|
1 |
158d |
158d
|
156d |
65315d4d4359
Fix a typo in mlock(2) error path triggering a double-free.
|
| panic: vndioctl: null vp |
C |
|
|
3 |
161d |
162d
|
156d |
4d2db379fd33
Ensure that the disk has been initialized after acquiring the lock and not before as we might end up sleeping while acquiring the lock, introducing a potential race.
|
| panic: malloc: allocation too large, type = NUM, size = ADDR |
C |
|
|
3 |
162d |
163d
|
156d |
0b7f5aec6317
Let malloc return an error as opposed of panicking when sysctl kern.shminfo.shmseg is set to something ridiculously large.
|
| openbsd build error (15) |
|
|
|
37 |
157d |
219d
|
156d |
revert vnode: remove VLOCKSWORK and check locking when vop_islocked != nullop (both kernel and userland bits)
|
| assert "suser(curproc) == NUM" failed in dt_dev.c |
C |
|
|
7 |
157d |
157d
|
157d |
cf997a482905
Remove useless suser assert from dt(4). The ioctl(2) path checks the user anyway and close(2) may crash after setuid(2). Reported-by: syzbot+90e094f33d329fb2c3ab@syzkaller.appspotmail.com OK deraadt@
|
| uvm_fault: uvm_fault_lower |
C |
|
|
583 |
157d |
162d
|
157d |
f08b8e936de9
Do not try to unlock a NULL object.
|
| kernel: integer divide fault trap, code=NUM |
syz |
|
|
2 |
170d |
170d
|
161d |
38bfd041cb0f
fix zero division found by syzkaller. The sanity checks in pf(4) ioctls are not powerful enough to detect invalid port ranges (or even invalid rules). syzkaller does not use pfctl(8), it uses ioctl(2) to pass some random chunk of memory as a rule to pf(4). Fix adds explicit check for 0 divider to pf_get_transaddr(). It should make syzkaller happy without disturbing anyone else.
|
| uvm_fault: igmp_leavegroup (2) |
|
|
|
1 |
165d |
165d
|
162d |
5af2eee02794
Syzkaller found a dereference in igmp_leavegroup() where inm->inm_rti is NULL. It should be set in rti_fill(), but is not if malloc(9) fails. There is no rollback after malloc failure so the field stays uninitialized. The code is only called from ioctl, setsockopt or a task. Malloc should wait instead of failing, otherwise syscalls would be unreliable. While there also put an M_WAIT in the init code. During init malloc must not fail. OK mvs@ Reported-by: syzbot+e22326057ccf34908d78@syzkaller.appspotmail.com
|
| uvm_fault: nd6_dad_duplicated (2) |
|
|
|
76 |
164d |
170d
|
164d |
ce9bd2eccc20
nd6_dad_ns_input() could trigger a NULL deref in nd6_dad_duplicated(). It checks dp in two of three places. One check got lost in revision 1.83. Do a dp == NULL once at the beginning. OK jsg@ Reported-by: syzbot+88c0ce914a0b10b7e1c8@syzkaller.appspotmail.com
|
| witness: userret: ioctl (2) |
|
|
|
1 |
171d |
171d
|
170d |
aa5628258068
Add missing kernel unlock in error path.
|
| panic: rw_enter: dklk locking against myself |
C |
|
|
6 |
232d |
260d
|
228d |
placing the same vnd underneath a vnd (with VNDIOCSET) is a lock violation, but other circumstances are also bad, so let's block all vnd on top of vnd. While here, fix some toctou multiple-copyin of the path, and restructure the ioctl defer all softc updates to the end. ok mpi
|
| multicore test error: timed out (2) |
|
|
|
66 |
242d |
244d
|
242d |
11ad9ee57f54
regen
|
| openbsd build error (14) |
|
|
|
2 |
244d |
244d
|
242d |
11ad9ee57f54
regen
|
| openbsd test error: timed out (2) |
|
|
|
33 |
242d |
244d
|
242d |
11ad9ee57f54
regen
|
| multicore build error (13) |
|
|
|
3 |
244d |
244d
|
242d |
11ad9ee57f54
regen
|
| assert "_kernel_lock_held()" failed in uvm_vnode.c |
|
|
|
4 |
268d |
268d
|
261d |
8e114673a836
vmm(4): grab kernel lock before vmspace init
|
| panic: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock (3) |
C |
|
|
2 |
263d |
266d
|
261d |
8e114673a836
vmm(4): grab kernel lock before vmspace init
|
| assert "_kernel_lock_held()" failed in uvm_device.c |
|
|
|
7 |
267d |
268d
|
261d |
8e114673a836
vmm(4): grab kernel lock before vmspace init
|
| uvm_fault: rtm_output |
C |
|
|
14 |
261d |
261d
|
261d |
d2084f835172
Fix NULL pointer dereference introduced by previous commit.
|
| panic: vcpulock: lock not held |
|
|
|
1 |
268d |
268d
|
263d |
5f3d69798ad5
vmm(4): fix vcpu locking issues reported by syzbot
|
| panic: lock (rwlock) vcpulock not locked |
C |
|
|
1 |
268d |
268d
|
263d |
5f3d69798ad5
vmm(4): fix vcpu locking issues reported by syzbot
|
| panic: rw_enter: vcpulock locking against myself |
|
|
|
1 |
267d |
267d
|
263d |
5f3d69798ad5
vmm(4): fix vcpu locking issues reported by syzbot
|
| assert "_kernel_lock_held()" failed in uvm_map.c |
C |
|
|
11 |
267d |
268d
|
265d |
8e114673a836
vmm(4): grab kernel lock before vmspace init
|
| panic: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock (2) |
C |
|
|
152 |
268d |
988d
|
267d |
1be9dae600aa
Prevent lock ordering issue by raising ipl level of vcpu_pool to IPL_MPFLOOR.
|
| panic: mutex ADDR not held in knote_dequeue |
C |
|
|
24 |
349d |
350d
|
349d |
baa47be05351
Remember to lock kqueue mutex in filt_timermodify().
|
| witness: reversal: lock order data missing |
C |
|
|
667 |
378d |
448d
|
378d |
8b594b45f4b5
Move ktrfds() below fdpunlock(). This fixes lock order issue between vn_lock(9) and fdplock().
|
| panic: acquiring blockable sleep lock with spinlock or critical section held (rwlock) solock |
C |
|
|
4 |
395d |
396d
|
394d |
Revert per-socket `so_lock' rwlock(9) and use it to protect routing (PF_ROUTE) sockets. There is a locking issue with timeouts that needs to be fixed. Requested by deraadt@
|
| SYZFAIL: tun: can't open device |
syz |
|
|
4 |
448d |
449d
|
443d |
43dfcaac64e4
Issuing FIOSETOWN and TIOCSPGRP ioctl commands on a tun(4) device leaks device references causing a hang while trying to remove the same interface since the reference count will never reach zero. Instead of returning, break out of the switch in order to ensure that tun_put() gets called.
|
| assert "frag->fr_firstoff[index] != NULL" failed in pf_norm.c |
syz |
|
|
4 |
460d |
479d
|
458d |
be7274bff2cd
When cutting of the head of an overlapping fragment during pf reassembly, reinsert the fragment into the lookup table with correct index. Reported-by: syzbot+d043455a5346f726f1c4@syzkaller.appspotmail.com OK claudio@
|
| kernel: protection fault trap, code=0 (8) |
syz |
|
|
1348 |
470d |
659d
|
470d |
44a45654aa78
Interface group names must fit into IFNAMSIZ and be unique. But the kernel made the unique check before trunkating with strlcpy(). So there could be two interface groups with the same name. The kif is created by a name lookup. The trunkated names are equal, so there was only one kif owned by both groups. When the groups got destroyed, the single kif was removed twice from the RB tree. Check length of group name before doing the unique check. The empty group name was allowed and is now invalid. Reported-by: syzbot+f47e8296ebd559f9bbff@syzkaller.appspotmail.com OK deraadt@ gnezdo@ anton@ mvs@ claudio@
|
| panic: rw_enter: pf_state_lock locking against myself |
C |
|
|
8 |
471d |
471d
|
470d |
d7220220b7ed
pfsync_state_import() must not be called with the pf state lock held, since the actual modification of the state table is done by a call to pf_state_insert(), which takes the pf state lock itself. Other calls to pfsync_state_import() also only have the pf lock.
|
| panic: vrele: v_writecount != 0 (2) |
C |
|
|
1955 |
476d |
476d
|
476d |
df61468f8652
Revert previous commit. The vnode returned by ptm_vn_open() is open and can not simply be vrele()-ed on error. The code currently depends on closef() to do the cleanup.
|
| assert "TAILQ_EMPTY(&kq->kq_head)" failed in kern_event.c |
C |
|
|
2 |
485d |
485d
|
484d |
715db9d67ba3
kqueue: Fix termination assert
|
| uvm_fault: pf_addr_compare |
C |
|
|
347 |
490d |
491d
|
490d |
c34fe1b3cf88
An invalid packet may not have set src and dst in packet descriptor. Add a NULL check to prevent crash in pflog(4) introduced in previous commit. Reported-by: syzbot+c6d2f2ad34b822bce98a@syzkaller.appspotmail.com
|
| uvm_fault: m_copyback |
|
|
|
69 |
509d |
656d
|
491d |
2cbebc019f52
pflog(4) tried to log the translated packet with rdr-to, nat-to, and af-to addresses and ports applied. Therefore it created a mbuf chain on the stack with a partial copy. This is too complicated for IP options, extension header, NAT46 af-to, and fragmented mbuf chains. It even caused a crash in syzkaller. Usually the length checks in pf_setup_pdesc() rejected the faked mbuf and the goto copy logged the packet unmodified. Remove the pflog_mtap() function and call bpf_mtap_hdr() directly. As the old buggy code was bypassed in most cases, tcpdump(8) output of pflog does not change. Uncondionally log the unmodified packet. Reported-by: syzbot+947e89e06ac3fec187d0@syzkaller.appspotmail.com OK sashan@
|
| kernel: double fault trap, code=0 (4) |
C |
|
|
493 |
515d |
772d
|
502d |
c11d76984715
Syzkaller has found a stack overflow in socket splicing. Broadcast packets were resent through simplex broadcast delivery and socket splicing. Although there is an M_LOOP check in somove(9), it did not take effect. if_input_local() cleared the M_BCAST and M_MCAST flags with m_resethdr(). As if_input_local() is used for broadcast and multicast delivery, it was a mistake to delete them. Keep the M_BCAST and M_MCAST mbuf flags when packets are reinjected into the network stack. Reported-by: syzbot+a43ace363f1b663238f8@syzkaller.appspotmail.com OK anton@; discussed with claudio@
|
| kernel: integer divide fault trap, code=0 |
syz |
|
|
4 |
689d |
718d
|
525d |
39c2a1337a94
Reject rules with invalid port ranges
|
| openbsd test error: uvm_fault: spllower |
|
|
|
6 |
540d |
540d
|
533d |
3ba77c9295b2
Revert previous extension of the SCHED_LOCK(), the state isn't passed down.
|
| multicore test error: uvm_fault: spllower |
|
|
|
12 |
540d |
540d
|
533d |
3ba77c9295b2
Revert previous extension of the SCHED_LOCK(), the state isn't passed down.
|
| uvm_fault: wsevent_fini (3) |
C |
|
|
2 |
539d |
539d
|
536d |
996a5b4d63fa
Fix yet another wscons race. In the same subsystem, the following properties must always hold true:
|
| no output from test machine (6) |
C |
|
|
2779 |
555d |
577d
|
555d |
0124df67671a
Fix handling of MSG_PEEK in soreceive() for the case where an empty mbuf is encountered in a seqpacket socket.
|
| no output from test machine (5) |
C |
|
|
49467 |
577d |
674d
|
577d |
d6d1940044d6
Fix a deadlock between uvn_io() and uvn_flush(). While faulting on a page backed by a vnode, uvn_io() will end up being called in order to populate newly allocated pages using I/O on the backing vnode. Before performing the I/O, newly allocated pages are flagged as busy by uvn_get(), that is before uvn_io() tries to lock the vnode. Such pages could then end up being flushed by uvn_flush() which already has acquired the vnode lock. Since such pages are flagged as busy, uvn_flush() will wait for them to be flagged as not busy. This will never happens as uvn_io() cannot make progress until the vnode lock is released.
|
| witness: userret: ioctl |
C |
|
|
3 |
582d |
582d
|
581d |
610c242e11d3
- missing NET_UNLOCK() in pf_ioctl.c error path
|
| panic: spl assertion failure in yield |
C |
|
|
12 |
710d |
727d
|
582d |
- move NET_LOCK() further down in pf_ioctl.c. Also move memory allocations outside of NET_LOCK()/PF_LOCK() scope in easy spots.
|
| openbsd build error (11) |
|
|
|
44 |
583d |
587d
|
582d |
a524e041107f
timeout(9): fix compilation under NKCOV
|
| multicore build error (8) |
|
|
|
88 |
583d |
587d
|
582d |
a524e041107f
timeout(9): fix compilation under NKCOV
|
| panic: malloc: allocation too large, type = 98, size = ADDR |
C |
|
|
2 |
599d |
599d
|
598d |
Recent changes for PROT_NONE pages to not count against resource limits, failed to note this also guarded against heavy amap allocations in the MAP_SHARED case. Bring back the checks for MAP_SHARED from semarie, ok kettenis https://syzkaller.appspot.com/bug?extid=d80de26a8db6c009d060
|
| openbsd build error (10) |
|
|
|
3 |
620d |
620d
|
618d |
Unbreak tree. Instead of passing struct process to siginit() just pass the struct sigacts since that is the only thing that is modified by siginit.
|
| multicore build error (7) |
|
|
|
5 |
620d |
621d
|
618d |
Unbreak tree. Instead of passing struct process to siginit() just pass the struct sigacts since that is the only thing that is modified by siginit.
|
| panic: syn_cache_insert: cacheoverflow: impossible (2) |
C |
|
|
6 |
655d |
701d
|
633d |
7c72bba2fa26
Convert tcp_sysctl to sysctl_bounded_args
|
| assert "curproc->p_kd == NULL" failed in kcov.c (2) |
|
|
|
1 |
645d |
645d
|
633d |
ece33e2f6ca2
Before clearing the kcov descriptor associated with a thread make sure no other thread is currently within a remote section. Otherwise, the remote subsystem could end up in a broken state where it doesn't reset the necessary bits upon leaving the remote section.
|
| assert "curproc->p_kd == NULL" failed in kcov.c |
|
|
|
2 |
650d |
651d
|
650d |
2fa3abdda1a4
When detaching common remote coverage, do not clear any fields. Instead, let kr_free() do the work. Otherwise a thread currently inside a remote section could end up not decrementing the number of ongoing sections while exiting the same remote section.
|
| uvm_fault: pfi_address_add |
syz |
|
|
1359 |
670d |
727d
|
660d |
efa3c3dd644f
Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
|
| pool: free list modified: phpool |
|
|
|
1 |
701d |
701d
|
660d |
efa3c3dd644f
Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
|
| panic: sbdrop |
syz |
|
|
183 |
662d |
961d
|
660d |
efa3c3dd644f
Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
|
| uvm_fault: soreceive |
syz |
|
|
240 |
670d |
936d
|
660d |
efa3c3dd644f
Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
|
| panic: ifa_update_broadaddr does not support dynamic length (2) |
|
|
|
13 |
664d |
814d
|
660d |
efa3c3dd644f
Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
|
| uvm_fault: in6ifa_ifpforlinklocal |
|
|
|
1 |
715d |
715d
|
660d |
efa3c3dd644f
Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
|
| uvm_fault: pool_do_put (2) |
syz |
|
|
53 |
671d |
915d
|
660d |
efa3c3dd644f
Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
|
| kernel: protection fault trap, code=0 (7) |
syz |
|
|
774692 |
660d |
904d
|
660d |
efa3c3dd644f
Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
|
| uvm_fault: in_delmulti |
syz |
|
|
375431 |
660d |
946d
|
660d |
efa3c3dd644f
Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
|
| panic: tcp_output: template len != hdrlen - optlen |
syz |
|
|
487 |
661d |
973d
|
660d |
efa3c3dd644f
Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
|
| soreceive 1a |
syz |
|
|
510 |
662d |
819d
|
660d |
efa3c3dd644f
Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
|
| uvm_fault (2) |
syz |
|
|
1 |
712d |
712d
|
660d |
efa3c3dd644f
Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
|
| pool: cpu free list modified: mbufpl |
syz |
|
|
15863 |
660d |
946d
|
660d |
efa3c3dd644f
Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
|
| pool: free list modified: art_heap4 (2) |
|
|
|
4 |
702d |
733d
|
660d |
efa3c3dd644f
Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
|
| soreceive 3 |
syz |
|
|
755 |
660d |
819d
|
660d |
efa3c3dd644f
Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
|
| uvm_fault: vio_rxeof |
syz |
|
|
15700 |
670d |
981d
|
660d |
efa3c3dd644f
Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
|
| uvm_fault: ifa_update_broadaddr |
|
|
|
3275 |
670d |
914d
|
660d |
efa3c3dd644f
Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
|
| multicore build error (6) |
|
|
|
4 |
666d |
678d
|
662d |
Revert r1.170. dlg and jmatthew simultaneously fixed this the correct way.
|
| openbsd build error (9) |
|
|
|
1 |
678d |
678d
|
662d |
Revert r1.170. dlg and jmatthew simultaneously fixed this the correct way.
|
| uvm_fault: wsevent_fini (2) |
|
|
|
1 |
686d |
686d
|
665d |
25f2901d1c23
Fix yet another panic in which wsevent_fini() ends up being called with NULL. This one is a race caused by clearing the me_evp member before calling routines that could end up sleeping.
|
| no output from test machine (3) |
C |
|
|
25293 |
681d |
696d
|
681d |
A pty write containing VDISCARD, VREPRINT, or various retyping cases of VERASE would perform (sometimes irrelevant) compute in the kernel which can be heavy (especially with our insufficient tty subsystem locking). Use tsleep_nsec for 1 tick in such circumstances to yield cpu, and also bring interruptability to ptcwrite() https://syzkaller.appspot.com/bug?extid=462539bc18fef8fc26cc ok kettenis millert, discussions with greg and anton
|
| panic: unhandled af (2) |
C |
|
|
22 |
698d |
724d
|
697d |
38e8113e1d44
state import should accept AF_INET/AF_INET6 only
|
| panic: syn_cache_insert: bucketoverflow: impossible |
C |
|
|
5 |
710d |
728d
|
707d |
2b10bfc1e665
Refuse to set 0 or a negative value for net.inet.tcp.synbucketlimit.
|
| panic: syn_cache_insert: cacheoverflow: impossible |
|
|
|
5 |
707d |
726d
|
707d |
2b10bfc1e665
Refuse to set 0 or a negative value for net.inet.tcp.synbucketlimit.
|
| no output from test machine |
C |
|
|
551400 |
748d |
1323d
|
748d |
7bb4371dccb1
Do not wait indefinitely for flushing when closing a tty.
|
| panic: m_copydata: null mbuf |
C |
|
|
396 |
752d |
939d
|
750d |
574b3a4fa98d
Do sanity checks in ip6_pullexthdr() preventing a panic in m_copydata(9).
|
| assert "!ISSET(rt->rt_flags, RTF_LOCAL)" failed in nd6.c |
|
|
|
1 |
815d |
815d
|
764d |
8e6c5245c1d8
Never update the ND entry (cache) corresponding to a RTF_LOCAL route.
|
| uvm_fault: pfi_dynaddr_remove |
C |
|
|
17 |
873d |
877d
|
766d |
3d97bff14298
fix insufficient input sanitization in pf_rulecopyin() and pf_pool_copyin()
|
| uvm_fault: pfr_detach_table |
C |
|
|
12 |
873d |
876d
|
766d |
3d97bff14298
fix insufficient input sanitization in pf_rulecopyin() and pf_pool_copyin()
|
| openbsd build error (8) |
|
|
|
2 |
771d |
771d
|
771d |
20c8eb7cf336
Add bse(4) device to unbreak build.
|
| multicore build error (5) |
|
|
|
4 |
771d |
771d
|
771d |
20c8eb7cf336
Add bse(4) device to unbreak build.
|
| panic: rw_enter: netlock locking against myself |
syz |
|
|
2 |
777d |
777d
|
774d |
27427a72e313
In sosplice(), temporarily release the socket lock before calling FRELE() as the last reference could be dropped which in turn will cause soclose() to be called where the socket lock is unconditionally acquired. Note that this is only a problem for sockets protected by the non-recursive NET_LOCK() right now.
|
| assert "p == curproc" failed in vfs_vops.c |
C |
|
|
187 |
786d |
787d
|
784d |
fc5a743df3a9
Revert previous, syzkaller found a way to trigger the KASSERT().
|
| uvm_fault: strlcpy (2) |
|
|
|
1 |
795d |
795d
|
788d |
9fcf6ed4d02d
Prevent out of bounds read in strlcpy due to vcp_name not being NUL-terminated.
|
| panic: vputonfreelist: lock count is not zero |
C |
|
|
2 |
819d |
819d
|
790d |
2a9890d8c8d9
Relax the lockcount assertion in vputonfreelist(). Back when I fixed several problems with the vnode exclusive lock implementation, I overlooked the fact that a vnode can be in a state where the usecount is zero while the holdcount still being positive. There could still be threads waiting on the vnode lock in uvn_io() as long as the holdcount is positive.
|
| uvm_fault: wsevent_fini |
|
|
|
1 |
799d |
799d
|
793d |
be78d62e13f6
Ensure that me_evp is still NULL before assignment during open of wscons devices. This condition is checked early on during open but since the same routine could end up sleeping before assigning me_evp, a race against adding the same wscons device to a wsmux could be lost. This in turn can cause a NULL deference during close.
|
| kernel: double fault trap, code=0 (3) |
C |
|
|
69 |
805d |
814d
|
805d |
aa1987fe7ce4
Fix unlimited recursion caused by local outbound bcast/mcast packet sent via spliced socket.
|
| pool: free list modified: aobjpl |
C |
|
|
3 |
903d |
915d
|
813d |
c5a231fb6c1e
Grab a reference for the shared memory segment before calling uvm_map() as the same function could end up putting the thread to sleep. Allowing another thread to free the shared memory segment, which in turns causes a use-after-free.
|
| openbsd boot error: uvm_fault: softclock |
|
|
|
33 |
814d |
815d
|
814d |
previous commit accidentally aliased two unique timeouts hit by millert
|
| multicore boot error: uvm_fault: softclock |
|
|
|
66 |
814d |
815d
|
814d |
previous commit accidentally aliased two unique timeouts hit by millert
|
| kqueue: knote !QUEUED |
syz |
|
|
8 |
830d |
866d
|
829d |
8c4786361ce1
Raise SPL when updating kn_status. Otherwise the field can become inconsistent if knote_acquire() or knote_release() is preempted by an interrupt that modifies the same knote.
|
| panic: unhandled af |
C |
|
|
21 |
873d |
874d
|
868d |
4804479228fb
Check address family of pf ioctl(2) DIOCNATLOOK parameter at kernel entry instead of calling panic() due to unhandled af. Reported-by: syzbot+92be143c2dd1746cf2af@syzkaller.appspotmail.com from Benjamin Baier
|
| panic: attempt to execute user address |
syz |
|
|
1539 |
879d |
973d
|
875d |
f30ff743e528
Fix some races in kqueue_register().
|
| witness: reversal: vmmaplk inode |
C |
|
|
103124 |
890d |
1218d
|
890d |
Use separate rwlock initializations for userland ("vmspace") and kernel maps. This lets witness know that these really are different classes avoiding false positives when detecting lock order reversals.
|
| kernel: protection fault trap, code=0 (6) |
C |
|
|
55024 |
904d |
988d
|
904d |
0f83bb56e561
Fix a bad offset calculation in uvm_share.
|
| panic: uvm_mapent_clone: no space in map for entry in empty map |
C |
|
|
12 |
904d |
910d
|
904d |
0f83bb56e561
Fix a bad offset calculation in uvm_share.
|
| panic: amap_pp_adjref: negative reference count |
C |
|
|
98 |
914d |
966d
|
904d |
0f83bb56e561
Fix a bad offset calculation in uvm_share.
|
| uvm_fault: amap_pp_adjref |
|
|
|
1 |
966d |
966d
|
904d |
0f83bb56e561
Fix a bad offset calculation in uvm_share.
|
| uvm_fault: uvm_unmap_remove (2) |
C |
|
|
7836 |
904d |
987d
|
904d |
3c82c0b2df98
Fix uvm_unmap_remove panic when tearing down VMs.
|
| panic: uvmspace_fork: no space in map for entry in empty map |
C |
|
|
450 |
912d |
967d
|
904d |
0f83bb56e561
Fix a bad offset calculation in uvm_share.
|
| assert "TAILQ_EMPTY(&ifp->if_addrhooks)" failed in if.c |
|
|
|
2 |
924d |
926d
|
919d |
9e254176dfa1
take care to avoid a race when creating the same interface.
|
| panic: ifa_update_broadaddr does not support dynamic length |
syz |
|
|
6780 |
931d |
989d
|
931d |
b36fd3da6fde
Do propper kernel input validation for in_control() ioctl(2) SIOCGIFADDR, SIOCGIFNETMASK, SIOCGIFDSTADDR, SIOCGIFBRDADDR, SIOCSIFADDR, SIOCSIFNETMASK, SIOCSIFDSTADDR, and SIOCSIFBRDADDR. Name in_ioctl_set_ifaddr() consistently. Use in_sa2sin() to validate inet address. Combine if_addrlist loops and add comment. Although netmask is not a inet address, length must be valid. Reported-by: syzbot+5fc6da002fc4e8d994be@syzkaller.appspotmail.com OK visa@
|
| pool: free list modified: shmpl |
C |
|
|
22 |
1087d |
1181d
|
940d |
d13730a27993
Copy in the user-supplied buffer in shmctl(2) before looking up the shared memory segment. Otherwise, if copyin ends up sleeping it allows another thread to remove the same segment leading to a use-after-free.
|
| malloc: free list modified: devbuf |
syz |
|
|
5 |
948d |
954d
|
947d |
put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
|
| uvm_fault: kqueue_scan |
|
|
|
1 |
969d |
969d
|
947d |
put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
|
| uvm_fault: witness_checkorder |
syz |
|
|
2 |
950d |
950d
|
947d |
put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
|
| uvm_fault: filt_bpfrdetach |
syz |
|
|
1 |
948d |
948d
|
947d |
put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
|
| uvm_fault: bpfioctl |
C |
|
|
14 |
955d |
1039d
|
947d |
put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
|
| assert "ps->ps_uvncount == 0" failed in kern_unveil.c |
syz |
|
|
226 |
974d |
1242d
|
967d |
a239dbafd306
Only increment the ps_uvncount counter when a path is successfully added to the corresponding red-black tree; meaning the path was not already present in the tree. This prevents an assertion to trigger in unveil_destroy() later on when the process exits.
|
| assert "ln != NULL" failed in nd6.c |
|
|
|
1 |
994d |
994d
|
970d |
bdbfbec5cea8
Do more sanity checks when accepting socket addresses in routing messages from user land. Inspect length field early in rtm_xaddrs(). Strings must be NUL terminated. The socket address type and length depend on the routing message type. Currently checks are not super strict to avoid too much user land fallout. OK mpi@ Reported-by: syzbot+638dbf7851da8e255af5@syzkaller.appspotmail.com
|
| assert "ifa == rt->rt_ifa" failed in nd6.c |
|
|
|
9 |
970d |
972d
|
970d |
bdbfbec5cea8
Do more sanity checks when accepting socket addresses in routing messages from user land. Inspect length field early in rtm_xaddrs(). Strings must be NUL terminated. The socket address type and length depend on the routing message type. Currently checks are not super strict to avoid too much user land fallout. OK mpi@ Reported-by: syzbot+638dbf7851da8e255af5@syzkaller.appspotmail.com
|
| uvm_fault: strlcpy |
|
|
|
18 |
978d |
1098d
|
976d |
bdbfbec5cea8
Do more sanity checks when accepting socket addresses in routing messages from user land. Inspect length field early in rtm_xaddrs(). Strings must be NUL terminated. The socket address type and length depend on the routing message type. Currently checks are not super strict to avoid too much user land fallout. OK mpi@ Reported-by: syzbot+638dbf7851da8e255af5@syzkaller.appspotmail.com
|
| uvm_fault: uvm_unmap_remove |
C |
|
|
780 |
987d |
1006d
|
987d |
00ba8250173b
vm_teardown() must be serialized since it modifies the global vmm_softc structure. Therefore grab the appropriate lock before calling the same function. This issue has been known for a while and reported before but lacking a way to easily reproduce it; until syzkaller came up with a reproducer.
|
| panic: malloc: allocation too large, type = 2, size = ADDR (2) |
C |
|
|
16842 |
989d |
1006d
|
989d |
225e50e8a961
Do not decrement the number of VMs counter twice in one of vm_create() error paths. If creation of the first VM fails, the counter will wrap around to a huge value. The same value could later be passed to malloc() through vm_get_info() causing a panic.
|
| kernel: protection fault trap, code=0 (5) |
C |
|
|
607 |
995d |
1069d
|
994d |
a42056240bd9
Fix a route use after free in IPv6 multicast route. Move the mrt6_mcast6_del() out of the rtable_walk(). This avoids recursion to prevent stack overflow. Also it allows freeing the route outside of the walk. Now mrt6_mcast_del() frees the route only when it is deleted from the routing table. If that fails, it must not be freed. After the route is returned by mf6c_find(), it is reference counted. Then we need a rtfree(), but not in the other case. Name mrt6_mcast_add() and mrt6_mcast_del() consistently. Move rt_timer_remove_all() into mrt6_mcast_del(). Reported-by: syzbot+af7d510593d74c825960@syzkaller.appspotmail.com OK mpi@
|
| panic: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock |
|
|
|
33 |
1004d |
1008d
|
1003d |
d3f3cb99fa83
Do not use the flow of the first fragment to store ECN information. Handle the ECN in the fragment queue. Reported-by: syzbot+0aa80b25e9041001cac8@syzkaller.appspotmail.com fix from FreeBSD; OK claudio@
|
| uvm_fault: frag6_input |
|
|
|
24 |
1004d |
1008d
|
1003d |
d3f3cb99fa83
Do not use the flow of the first fragment to store ECN information. Handle the ECN in the fragment queue. Reported-by: syzbot+0aa80b25e9041001cac8@syzkaller.appspotmail.com fix from FreeBSD; OK claudio@
|
| witness: userret: returning with the following locks held: |
C |
|
|
315 |
1004d |
1214d
|
1004d |
b808994cf339
When a thread tries to exclusively lock a vnode, the same thread must ensure that any other thread currently trying to acquire the underlying vnode lock has observed that the same vnode is about to be exclusively locked. Such threads must then sleep until the exclusive lock has been released and then try to acquire the lock again. Otherwise, exclusive access to the vnode cannot be guaranteed.
|
| panic: vput: ref cnt |
C |
|
|
6 |
1017d |
1018d
|
1015d |
d627fa5cc364
Serialize access to the vnode pointers associated with acct(2) system accounting. Prevents a race where the acct thread and the acct(2) syscall both tries to close a vnode.
|
| assert "timo || _kernel_lock_held()" failed in kern_synch.c |
C |
|
|
2 |
1018d |
1018d
|
1017d |
93e05fce3bab
Revert unlock of lseek(2) since vn_lock() could end up calling tsleep() which is not allowed without holding the kernel lock. Otherwise, wakeups could be lost.
|
| panic: vrele: v_writecount != 0 |
C |
|
|
51 |
1025d |
1031d
|
1025d |
3e253b4759f0
Favor vn_close() in the error path of diskmapioctl() since side-effects caused by calling vn_open() with write permissions must be reverted. Otherwise, the vfs subsystem could panic while releasing the last vnode reference if the writecount is still positive.
|
| panic: vput: v_writecount != 0 (2) |
C |
|
|
112 |
1025d |
1031d
|
1025d |
3e253b4759f0
Favor vn_close() in the error path of diskmapioctl() since side-effects caused by calling vn_open() with write permissions must be reverted. Otherwise, the vfs subsystem could panic while releasing the last vnode reference if the writecount is still positive.
|
| assert "cpipe->pipe_buffer.cnt == 0" failed in sys_pipe.c |
C |
|
|
8 |
1052d |
1052d
|
1052d |
40f8ed5eebb0
backout the unlock of pipe(2) and pipe2(2)
|
| kernel: protection fault trap, code=0 (4) |
C |
|
|
759 |
1070d |
1183d
|
1069d |
cf34c7c30780
Prevent recursions by not deleting entries inside rtable_walk(9).
|
| uvm_fault: arp_rtrequest |
C |
|
|
79 |
1089d |
1099d
|
1078d |
4cb088386ee5
In arp_rtrequest and nd6_rtrequest return early if the RTF_MPLS flag is set. These mpls routes use the rt_llinfo structure to store the MPLS label and would confuse the arp and nd6 code. OK bluhm@ anton@
|
| assert "(rt->rt_flags & RTF_MPATH) || mrt->rt_priority != prio" failed in rtable.c |
C |
|
|
143 |
1089d |
1102d
|
1078d |
ff10691ed095
Copy the user provided sockaddr into a normalized sockaddr in rtrequest() before adding it to the routing table. The rtable code is doing memcmp() of those rt_dest sockaddrs so it is important that they are stored in a canonical form. To do this struct domain is extended to include the sockaddr size for this address family. OK bluhm@ anton@
|
| uvm_fault: mrt6_ioctl |
C |
|
|
2 |
1099d |
1099d
|
1087d |
a8f2b5c7d3d3
Add missing NULL check for the protocol control block (pcb) pointer in mrt{6,}_ioctl. Calling shutdown(2) on the socket prior to the ioctl command can cause it to be NULL.
|
| uvm_fault: mrt_ioctl |
C |
|
|
2 |
1088d |
1088d
|
1087d |
a8f2b5c7d3d3
Add missing NULL check for the protocol control block (pcb) pointer in mrt{6,}_ioctl. Calling shutdown(2) on the socket prior to the ioctl command can cause it to be NULL.
|
| uvm_fault: pckbc_start (2) |
syz |
|
|
2 |
1100d |
1100d
|
1088d |
bc79b6e32eb3
Prevent corruption of the pckbc command queue. If multiple synchronous commands are in flight and all corresponding threads are sleeping waiting for a response, the first command to timeout will clear the command queue. The remaining threads once awake will then try to remove a dequeued command from the queue, leading to corruption. Instead, remove commands from the queue before waking up the sleeping thread. A quirk is still needed to handle the case where tsleep() returns successfully during suspend.
|
| assert "_kernel_lock_held()" failed in kern_event.c |
C |
|
|
11 |
1118d |
1121d
|
1088d |
1be240a95e4a
Removed all diagnostic, calling printf() here might create a recursion.
|
| witness: reversal: &pr->ps_mtx &sched_lock |
C |
|
|
141 |
1090d |
1091d
|
1090d |
17b25159f963
Revert to using the SCHED_LOCK() to protect time accounting.
|
| uvm_fault: wsmux_do_ioctl (4) |
C |
|
|
3 |
1103d |
1127d
|
1101d |
78fe050fe549
A problem fixed in wskbd is also present in wsmux. Repeating the previous commit message:
|
| panic: malloc: out of space in kmem_map |
|
|
|
97 |
1153d |
1218d
|
1102d |
During fuzzing, one or many fuzzing processes are often stuck waiting on memory from the subproc malloc subsystem which is exhausted. Attempt to circumvent such scenarios by allocation the kcov coverage buffer using km_alloc() instead.
|
| uvm_fault: rtm_report |
C |
|
|
2 |
1127d |
1127d
|
1111d |
1b18c0494f67
Make rt_mpls_set() be more strict in what it accepts. Also ensure that the RTF_MPLS can't be toggled without rt_mpls_set() being called. While RTF_MPLS is part of RTF_FMASK it should be excluded from the flags and mask when they are applied to the route since toggling it requires a call to rt_mpls_set(). OK bluhm@
|
| syzkaller: testing failed: failed to run ["go" "test" "-short" "./..."]: exit status 1 |
|
|
|
36 |
1112d |
1113d
|
1111d |
fbb8d265a895
Restore previous behavior of limiting deadlock detection to posix-style locks.
|
| multicore build error (3) |
|
|
|
4 |
1116d |
1116d
|
1115d |
always rearm completion queues as leaving them disarmed would lead to rx or tx completion stalling.
|
| openbsd build error (5) |
|
|
|
2 |
1116d |
1116d
|
1115d |
always rearm completion queues as leaving them disarmed would lead to rx or tx completion stalling.
|
| panic: timeout_add: to_ticks < 0 (3) |
|
|
|
1 |
1138d |
1138d
|
1127d |
1af424413523
Lower the accepted upper bound for bd_rtout to INT_MAX in order to prevent passing negative values to timeout_add().
|
| panic: mtx ADDR: locking against myself |
C |
|
|
3 |
1132d |
1132d
|
1130d |
vmm(4): remove a debug printf that was causing lock issues (it was being called from an IPI routine).
|
| panic: timeout_add: to_ticks < 0 (2) |
syz |
|
|
12 |
1149d |
1150d
|
1149d |
bf2018479c9a
Reject negative and too large timeouts passed to BIOCSRTIMEOUT. Since the timeout converted to ticks is later passed timeout_add(), it could cause a panic if the timeout is negative.
|
| uvm_fault: rtable_satoplen (2) |
syz |
|
|
101 |
1152d |
1161d
|
1149d |
575ef11475ca
Add a more strict rtm_hdrlen size check. Make sure that at least struct rt_msghdr bytes are passed in. Also return a failure from rtm_xaddrs() if rti_addrs has bad flags or run out of space. Ok bluhm@
|
| uvm_fault: memcpy |
C |
|
|
460 |
1152d |
1172d
|
1152d |
575ef11475ca
Add a more strict rtm_hdrlen size check. Make sure that at least struct rt_msghdr bytes are passed in. Also return a failure from rtm_xaddrs() if rti_addrs has bad flags or run out of space. Ok bluhm@
|
| panic: malloc: allocation too large, type = 2, size = ADDR |
C |
|
|
914 |
1153d |
1216d
|
1153d |
fd7c80607c62
Restrict the number of allowed wsmux devices, just like wskbd and wsmouse already does. Otherwise, malloc could panic if the device minor is sufficiently large.
|
| openbsd build error (2) |
|
|
|
1 |
1157d |
1157d
|
1156d |
6baecefef8fe
Tweak previous: include <sys/stdint.h> for INT64_MAX/INT64_MIN.
|
| assert "tname->un_flags & UNVEIL_USERSET" failed in kern_unveil.c |
C |
|
|
1447 |
1156d |
1159d
|
1156d |
f4c23aa848ae
Remove this assert, I can't do this here with UNVEIL_INSPECT added aggressively today. Hopefully post release a glorious flensing will remove UNVEIL_INSPECT anyway
|
| uvm_fault: rtable_satoplen |
|
|
|
158 |
1161d |
1178d
|
1161d |
fab4809e7ec2
Make sure pointer is within bounds before dereferencing it.
|
| witness: acquiring duplicate lock of same type: "&sc->sc_lock" |
C |
|
|
231 |
1191d |
1193d
|
1191d |
1f8a38b155bf
When adding a wsmux device to an existing wsmux device using ioctl(WSMUXIO_ADD_DEVICE), two distinct locks of the same type are acquired. Thus, witness will emit warning. Since acquiring two different locks of the same type is harmless in this context, relax the witness check by flagging the locks as RWL_DUPOK.
|
| panic: timeout_add: to_ticks < 0 |
C |
|
|
66 |
1191d |
1196d
|
1191d |
3cfc9cae129c
Reject negative input from userland in spkrioctl(). One of the arguments are later passed to timeout_add() which panics if the given ticks are negative. While here, clamp arguments in pcppi_bell() in order to prevent overflow.
|
| uvm_fault: pckbc_start |
|
|
|
1 |
1193d |
1193d
|
1192d |
0c0bf6318018
Serialize access to the list of attached child devices belonging to a wsmux. When invoking wsevsrc_* functions on a attached child device, underlying driver can sleep; this introduces a race where another thread is able to modify the list leading to all kinds of corruptions.
|
| uvm_fault: wsmux_detach_sc |
syz |
|
|
10 |
1195d |
1207d
|
1193d |
0c0bf6318018
Serialize access to the list of attached child devices belonging to a wsmux. When invoking wsevsrc_* functions on a attached child device, underlying driver can sleep; this introduces a race where another thread is able to modify the list leading to all kinds of corruptions.
|
| panic: vmmaplk: lock not shared |
C |
|
|
16 |
1204d |
1216d
|
1203d |
Always refault if relocking maps fails after IO. This fixes a regression
|
| panic: pool_p_free: semupl free list modified: page ADDR; item addr ADDR; offset 0x0=ADDR |
C |
|
|
5 |
1204d |
1323d
|
1203d |
When freeing the sem_undo structure in semundo_adjust(), update the
|
| pool: free list modified: semupl |
C |
|
|
6 |
1210d |
1323d
|
1203d |
When freeing the sem_undo structure in semundo_adjust(), update the
|
| pool: double put: mbufpl |
|
|
|
6 |
1270d |
1271d
|
1203d |
Avoid an mbuf double free in the oob soreceive() path. In the
|
| uvm_fault: wsmux_do_ioctl (2) |
C |
|
|
17 |
1211d |
1215d
|
1210d |
In wskbdclose(), use the same logic as in wskbdopen() to determine if
|
| kernel: protection fault trap, code=0 (3) |
C |
|
|
3 |
1216d |
1216d
|
1215d |
Validate the user-supplied device index given to WSMUXIO_ADD_DEVICE. The same
|
| uvm_fault: VOP_ACCESS |
|
|
|
393 |
1219d |
1262d
|
1219d |
namei can return a null dvp on success. check this before access.
|
| kernel: protection fault trap, code=0 (2) |
syz |
|
|
109 |
1221d |
1244d
|
1221d |
Introduce a dedicated entry point data structure for file locks. This new data
|
| panic: malformed IPv4 option passed to ip_optcopy (2) |
C |
|
|
149 |
1226d |
1230d
|
1223d |
Bring back the ip_pcbopts() refactor. Pad the option buffer and therefor the mbuf to the next word length as it is required by the standard. Also use the correct offset from the input mbuf. OK visa@, input & OK bluhm@
|
| panic: uvm_fault_unwire_locked: address not in map |
C |
|
|
2 |
1248d |
1248d
|
1232d |
Hold a read lock on the map while doing the actual device I/O during in
|
| assert "next != NULL && next->start <= entry->end" failed in uvm_fault.c |
C |
|
|
2 |
1246d |
1246d
|
1232d |
Hold a read lock on the map while doing the actual device I/O during in
|
| panic: malformed IPv4 option passed to ip_optcopy |
C |
|
|
10 |
1246d |
1255d
|
1235d |
Validate the version, and all length fields of IP packets passed to a raw socket
|
| panic: m_zero: M_READONLY |
C |
|
|
3 |
1240d |
1240d
|
1235d |
It is possible to call m_zero with a read-only cluster. In that case just
|
| assert "__mp_lock_held(&sched_lock, curcpu()) == 0" failed in kern_lock.c |
C |
|
|
17 |
1237d |
1248d
|
1236d |
ec412da11be4
Fix unsafe use of ptsignal() in mi_switch().
|
| uvm_fault: m_free |
|
|
|
12 |
1247d |
1269d
|
1236d |
54e30ac1a804
Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
|
| pool: free list modified: mbufpl |
syz |
|
|
13 |
1256d |
1269d
|
1236d |
54e30ac1a804
Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
|
| panic: pr_find_pagehead: mbufpl: incorrect page |
|
|
|
3 |
1250d |
1266d
|
1236d |
54e30ac1a804
Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
|
| panic: pool_cache_item_magic_check: mcl64k cpu free list modified: item addr ADDR+24 ADDR!=ADDR |
|
|
|
1 |
1267d |
1267d
|
1236d |
54e30ac1a804
Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
|
| uvm_fault: switchread |
|
|
|
1 |
1264d |
1264d
|
1236d |
54e30ac1a804
Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
|
| uvm_fault: switchwrite |
syz |
|
|
7 |
1247d |
1267d
|
1236d |
54e30ac1a804
Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
|
| panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr ADDR+16 0x0!=ADDR |
|
|
|
1 |
1257d |
1257d
|
1239d |
54e30ac1a804
Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
|
| panic: pr_find_pagehead: mbufpl: page header missing |
C |
|
|
10 |
1256d |
1269d
|
1245d |
Fix mbuf releated crashes in switch(4). They have been found by
|
| pool: free list modified: mcl2k |
C |
|
|
4 |
1254d |
1308d
|
1253d |
Replace a wrong poor mans m_trailingspace() with the real thing. The mbuf
|
| panic: receive 3: so ADDR, so_type 1, m ADDR, m_type 6 |
C |
|
|
18 |
1255d |
1265d
|
1254d |
When using MSG_WAITALL, soreceive() can sleep while processing the receive buffer of a stream socket. Then a new pair of control and data mbuf can be appended to the mbuf queue. In this case, terminate the loop with a short read to prevent a panic. Userland should read the control message with the next system call. OK claudio@ deraadt@
|
| panic: kernel diagnostic assertion "M_DATABUF(m) + M_SIZE(m) >= (m->m_data + m->m_len)" failed: file "/syzkaller/manager |
C |
|
|
7 |
1264d |
1270d
|
1254d |
49729d6ed45f
In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees the inpcb apart from the disconnect. Just call soisdisconnected() and clear the inp->inp_faddr since the socket is still valid after a disconnect. Problem found by syzkaller via Greg Steuck OK visa@ Fixes: Reported-by: syzbot+2cd350dfe5c96f6469f2@syzkaller.appspotmail.com Reported-by: syzbot+139ac2d7d3d60162334b@syzkaller.appspotmail.com Reported-by: syzbot+02168317bd0156c13b69@syzkaller.appspotmail.com Reported-by: syzbot+de8d2459ecf4cdc576a1@syzkaller.appspotmail.com
|
| pool: double put: lockfpl |
|
|
|
1 |
1332d |
1323d
|
1254d |
Rework previous lockf fix; bluhm@ noticed a regress failure during consecutive runs. This is a second attempt in which the lockf structure is turned into a doubly linked list which makes it easier to ensure correctness during list insertion and deletion.
|
| uvm_fault: killjobc |
|
|
|
1 |
1259d |
1259d
|
1255d |
When no child devices are attached to a wsmux device, make sure to return an
|
| uvm_fault: wsmux_do_ioctl |
|
|
|
2 |
1285d |
1323d
|
1255d |
Utilize sigio with wscons. The old behavior of always making the process group of the process who opens the device the default recipient of sigio is removed as a side-effect of this change. Issuing ioctl(FIOSETOWN) is therefore mandatory in order to receive sigio, which is more consistent with other subsystems supporting sigio.
|
| uvm_fault: sogetopt |
C |
|
|
2 |
1272d |
1272d
|
1269d |
In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
|
| kernel: protection fault trap, code=0 |
C |
|
|
16 |
1269d |
1274d
|
1269d |
In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
|
| uvm_fault: ip_ctloutput |
C |
|
|
11 |
1269d |
1273d
|
1269d |
In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
|
| uvm_fault: ip_pcbopts |
C |
|
|
6 |
1269d |
1273d
|
1269d |
In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
|