syzbot


fixed (91):
Title Repro Bisected Count Last Reported Closed Patch
panic: unhandled af C 21 17d 19d 13d 48044792 Check address family of pf ioctl(2) DIOCNATLOOK parameter at kernel entry instead of calling panic() due to unhandled af. Reported-by: syzbot+92be143c2dd1746cf2af@syzkaller.appspotmail.com from Benjamin Baier
panic: attempt to execute user address syz 1539 24d 118d 20d f30ff743 Fix some races in kqueue_register().
witness: reversal: vmmaplk inode C 103124 35d 362d 35d Use separate rwlock initializations for userland ("vmspace") and kernel maps. This lets witness know that these really are different classes avoiding false positives when detecting lock order reversals.
kernel: protection fault trap, code=0 (6) C 55024 48d 133d 48d 0f83bb56 Fix a bad offset calculation in uvm_share.
panic: uvm_mapent_clone: no space in map for entry in empty map C 12 49d 55d 49d 0f83bb56 Fix a bad offset calculation in uvm_share.
panic: amap_pp_adjref: negative reference count C 98 59d 111d 49d 0f83bb56 Fix a bad offset calculation in uvm_share.
uvm_fault: amap_pp_adjref 1 111d 111d 49d 0f83bb56 Fix a bad offset calculation in uvm_share.
uvm_fault: uvm_unmap_remove (2) C 7836 49d 132d 49d 3c82c0b2 Fix uvm_unmap_remove panic when tearing down VMs.
panic: uvmspace_fork: no space in map for entry in empty map C 450 57d 111d 49d 0f83bb56 Fix a bad offset calculation in uvm_share.
assert "TAILQ_EMPTY(&ifp->if_addrhooks)" failed in if.c 2 69d 71d 64d 9e254176 take care to avoid a race when creating the same interface.
panic: ifa_update_broadaddr does not support dynamic length syz 6780 76d 134d 76d b36fd3da Do propper kernel input validation for in_control() ioctl(2) SIOCGIFADDR, SIOCGIFNETMASK, SIOCGIFDSTADDR, SIOCGIFBRDADDR, SIOCSIFADDR, SIOCSIFNETMASK, SIOCSIFDSTADDR, and SIOCSIFBRDADDR. Name in_ioctl_set_ifaddr() consistently. Use in_sa2sin() to validate inet address. Combine if_addrlist loops and add comment. Although netmask is not a inet address, length must be valid. Reported-by: syzbot+5fc6da002fc4e8d994be@syzkaller.appspotmail.com OK visa@
pool: free list modified: shmpl C 22 231d 326d 85d d13730a2 Copy in the user-supplied buffer in shmctl(2) before looking up the shared memory segment. Otherwise, if copyin ends up sleeping it allows another thread to remove the same segment leading to a use-after-free.
malloc: free list modified: devbuf syz 5 92d 99d 92d put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
uvm_fault: kqueue_scan 1 114d 114d 92d put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
uvm_fault: witness_checkorder syz 2 95d 95d 92d put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
uvm_fault: filt_bpfrdetach syz 1 92d 92d 92d put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
uvm_fault: bpfioctl C 14 100d 184d 92d put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
assert "ps->ps_uvncount == 0" failed in kern_unveil.c syz 226 119d 387d 112d a239dbaf Only increment the ps_uvncount counter when a path is successfully added to the corresponding red-black tree; meaning the path was not already present in the tree. This prevents an assertion to trigger in unveil_destroy() later on when the process exits.
assert "ln != NULL" failed in nd6.c 1 138d 138d 115d bdbfbec5 Do more sanity checks when accepting socket addresses in routing messages from user land. Inspect length field early in rtm_xaddrs(). Strings must be NUL terminated. The socket address type and length depend on the routing message type. Currently checks are not super strict to avoid too much user land fallout. OK mpi@ Reported-by: syzbot+638dbf7851da8e255af5@syzkaller.appspotmail.com
assert "ifa == rt->rt_ifa" failed in nd6.c 9 115d 116d 115d bdbfbec5 Do more sanity checks when accepting socket addresses in routing messages from user land. Inspect length field early in rtm_xaddrs(). Strings must be NUL terminated. The socket address type and length depend on the routing message type. Currently checks are not super strict to avoid too much user land fallout. OK mpi@ Reported-by: syzbot+638dbf7851da8e255af5@syzkaller.appspotmail.com
uvm_fault: strlcpy 18 123d 243d 121d bdbfbec5 Do more sanity checks when accepting socket addresses in routing messages from user land. Inspect length field early in rtm_xaddrs(). Strings must be NUL terminated. The socket address type and length depend on the routing message type. Currently checks are not super strict to avoid too much user land fallout. OK mpi@ Reported-by: syzbot+638dbf7851da8e255af5@syzkaller.appspotmail.com
uvm_fault: uvm_unmap_remove C 780 132d 151d 132d 00ba8250 vm_teardown() must be serialized since it modifies the global vmm_softc structure. Therefore grab the appropriate lock before calling the same function. This issue has been known for a while and reported before but lacking a way to easily reproduce it; until syzkaller came up with a reproducer.
panic: malloc: allocation too large, type = 2, size = ADDR (2) C 16842 134d 151d 134d 225e50e8 Do not decrement the number of VMs counter twice in one of vm_create() error paths. If creation of the first VM fails, the counter will wrap around to a huge value. The same value could later be passed to malloc() through vm_get_info() causing a panic.
kernel: protection fault trap, code=0 (5) C 607 140d 214d 139d a4205624 Fix a route use after free in IPv6 multicast route. Move the mrt6_mcast6_del() out of the rtable_walk(). This avoids recursion to prevent stack overflow. Also it allows freeing the route outside of the walk. Now mrt6_mcast_del() frees the route only when it is deleted from the routing table. If that fails, it must not be freed. After the route is returned by mf6c_find(), it is reference counted. Then we need a rtfree(), but not in the other case. Name mrt6_mcast_add() and mrt6_mcast_del() consistently. Move rt_timer_remove_all() into mrt6_mcast_del(). Reported-by: syzbot+af7d510593d74c825960@syzkaller.appspotmail.com OK mpi@
panic: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock 33 148d 153d 148d d3f3cb99 Do not use the flow of the first fragment to store ECN information. Handle the ECN in the fragment queue. Reported-by: syzbot+0aa80b25e9041001cac8@syzkaller.appspotmail.com fix from FreeBSD; OK claudio@
uvm_fault: frag6_input 24 148d 152d 148d d3f3cb99 Do not use the flow of the first fragment to store ECN information. Handle the ECN in the fragment queue. Reported-by: syzbot+0aa80b25e9041001cac8@syzkaller.appspotmail.com fix from FreeBSD; OK claudio@
witness: userret: returning with the following locks held: C 315 148d 359d 148d b808994c When a thread tries to exclusively lock a vnode, the same thread must ensure that any other thread currently trying to acquire the underlying vnode lock has observed that the same vnode is about to be exclusively locked. Such threads must then sleep until the exclusive lock has been released and then try to acquire the lock again. Otherwise, exclusive access to the vnode cannot be guaranteed.
panic: vput: ref cnt C 6 162d 163d 160d d627fa5c Serialize access to the vnode pointers associated with acct(2) system accounting. Prevents a race where the acct thread and the acct(2) syscall both tries to close a vnode.
assert "timo || _kernel_lock_held()" failed in kern_synch.c C 2 162d 163d 162d 93e05fce Revert unlock of lseek(2) since vn_lock() could end up calling tsleep() which is not allowed without holding the kernel lock. Otherwise, wakeups could be lost.
panic: vrele: v_writecount != 0 C 51 170d 175d 170d 3e253b47 Favor vn_close() in the error path of diskmapioctl() since side-effects caused by calling vn_open() with write permissions must be reverted. Otherwise, the vfs subsystem could panic while releasing the last vnode reference if the writecount is still positive.
panic: vput: v_writecount != 0 (2) C 112 170d 176d 170d 3e253b47 Favor vn_close() in the error path of diskmapioctl() since side-effects caused by calling vn_open() with write permissions must be reverted. Otherwise, the vfs subsystem could panic while releasing the last vnode reference if the writecount is still positive.
assert "cpipe->pipe_buffer.cnt == 0" failed in sys_pipe.c C 8 197d 197d 196d 40f8ed5e backout the unlock of pipe(2) and pipe2(2)
kernel: protection fault trap, code=0 (4) C 759 215d 328d 214d cf34c7c3 Prevent recursions by not deleting entries inside rtable_walk(9).
uvm_fault: arp_rtrequest C 79 233d 244d 222d 4cb08838 In arp_rtrequest and nd6_rtrequest return early if the RTF_MPLS flag is set. These mpls routes use the rt_llinfo structure to store the MPLS label and would confuse the arp and nd6 code. OK bluhm@ anton@
assert "(rt->rt_flags & RTF_MPATH) || mrt->rt_priority != prio" failed in rtable.c C 143 234d 247d 222d ff10691e Copy the user provided sockaddr into a normalized sockaddr in rtrequest() before adding it to the routing table. The rtable code is doing memcmp() of those rt_dest sockaddrs so it is important that they are stored in a canonical form. To do this struct domain is extended to include the sockaddr size for this address family. OK bluhm@ anton@
uvm_fault: mrt6_ioctl C 2 244d 244d 232d a8f2b5c7 Add missing NULL check for the protocol control block (pcb) pointer in mrt{6,}_ioctl. Calling shutdown(2) on the socket prior to the ioctl command can cause it to be NULL.
uvm_fault: mrt_ioctl C 2 233d 233d 232d a8f2b5c7 Add missing NULL check for the protocol control block (pcb) pointer in mrt{6,}_ioctl. Calling shutdown(2) on the socket prior to the ioctl command can cause it to be NULL.
uvm_fault: pckbc_start (2) syz 2 245d 245d 233d bc79b6e3 Prevent corruption of the pckbc command queue. If multiple synchronous commands are in flight and all corresponding threads are sleeping waiting for a response, the first command to timeout will clear the command queue. The remaining threads once awake will then try to remove a dequeued command from the queue, leading to corruption. Instead, remove commands from the queue before waking up the sleeping thread. A quirk is still needed to handle the case where tsleep() returns successfully during suspend.
assert "_kernel_lock_held()" failed in kern_event.c C 11 263d 266d 233d 1be240a9 Removed all diagnostic, calling printf() here might create a recursion.
witness: reversal: &pr->ps_mtx &sched_lock C 141 235d 236d 235d 17b25159 Revert to using the SCHED_LOCK() to protect time accounting.
uvm_fault: wsmux_do_ioctl (4) C 3 248d 272d 245d 78fe050f A problem fixed in wskbd is also present in wsmux. Repeating the previous commit message:
panic: malloc: out of space in kmem_map 97 298d 363d 246d During fuzzing, one or many fuzzing processes are often stuck waiting on memory from the subproc malloc subsystem which is exhausted. Attempt to circumvent such scenarios by allocation the kcov coverage buffer using km_alloc() instead.
uvm_fault: rtm_report C 2 271d 271d 255d 1b18c049 Make rt_mpls_set() be more strict in what it accepts. Also ensure that the RTF_MPLS can't be toggled without rt_mpls_set() being called. While RTF_MPLS is part of RTF_FMASK it should be excluded from the flags and mask when they are applied to the route since toggling it requires a call to rt_mpls_set(). OK bluhm@
syzkaller: testing failed: failed to run ["go" "test" "-short" "./..."]: exit status 1 36 256d 258d 256d fbb8d265 Restore previous behavior of limiting deadlock detection to posix-style locks.
multicore build error (3) 4 260d 260d 260d always rearm completion queues as leaving them disarmed would lead to rx or tx completion stalling.
openbsd build error (5) 2 260d 260d 260d always rearm completion queues as leaving them disarmed would lead to rx or tx completion stalling.
panic: timeout_add: to_ticks < 0 (3) 1 283d 283d 272d 1af42441 Lower the accepted upper bound for bd_rtout to INT_MAX in order to prevent passing negative values to timeout_add().
panic: mtx ADDR: locking against myself C 3 277d 277d 275d vmm(4): remove a debug printf that was causing lock issues (it was being called from an IPI routine).
panic: timeout_add: to_ticks < 0 (2) syz 12 294d 295d 293d bf201847 Reject negative and too large timeouts passed to BIOCSRTIMEOUT. Since the timeout converted to ticks is later passed timeout_add(), it could cause a panic if the timeout is negative.
uvm_fault: rtable_satoplen (2) syz 101 297d 306d 293d 575ef114 Add a more strict rtm_hdrlen size check. Make sure that at least struct rt_msghdr bytes are passed in. Also return a failure from rtm_xaddrs() if rti_addrs has bad flags or run out of space. Ok bluhm@
uvm_fault: memcpy C 460 297d 317d 297d 575ef114 Add a more strict rtm_hdrlen size check. Make sure that at least struct rt_msghdr bytes are passed in. Also return a failure from rtm_xaddrs() if rti_addrs has bad flags or run out of space. Ok bluhm@
panic: malloc: allocation too large, type = 2, size = ADDR C 914 298d 361d 298d fd7c8060 Restrict the number of allowed wsmux devices, just like wskbd and wsmouse already does. Otherwise, malloc could panic if the device minor is sufficiently large.
openbsd build error (2) 1 302d 302d 301d 6baecefe Tweak previous: include <sys/stdint.h> for INT64_MAX/INT64_MIN.
assert "tname->un_flags & UNVEIL_USERSET" failed in kern_unveil.c C 1447 301d 304d 301d f4c23aa8 Remove this assert, I can't do this here with UNVEIL_INSPECT added aggressively today. Hopefully post release a glorious flensing will remove UNVEIL_INSPECT anyway
uvm_fault: rtable_satoplen 158 306d 323d 306d fab4809e Make sure pointer is within bounds before dereferencing it.
witness: acquiring duplicate lock of same type: "&sc->sc_lock" C 231 336d 337d 336d 1f8a38b1 When adding a wsmux device to an existing wsmux device using ioctl(WSMUXIO_ADD_DEVICE), two distinct locks of the same type are acquired. Thus, witness will emit warning. Since acquiring two different locks of the same type is harmless in this context, relax the witness check by flagging the locks as RWL_DUPOK.
panic: timeout_add: to_ticks < 0 C 66 336d 341d 336d 3cfc9cae Reject negative input from userland in spkrioctl(). One of the arguments are later passed to timeout_add() which panics if the given ticks are negative. While here, clamp arguments in pcppi_bell() in order to prevent overflow.
uvm_fault: pckbc_start 1 338d 338d 337d 0c0bf631 Serialize access to the list of attached child devices belonging to a wsmux. When invoking wsevsrc_* functions on a attached child device, underlying driver can sleep; this introduces a race where another thread is able to modify the list leading to all kinds of corruptions.
uvm_fault: wsmux_detach_sc syz 10 340d 351d 337d 0c0bf631 Serialize access to the list of attached child devices belonging to a wsmux. When invoking wsevsrc_* functions on a attached child device, underlying driver can sleep; this introduces a race where another thread is able to modify the list leading to all kinds of corruptions.
panic: vmmaplk: lock not shared C 16 348d 360d 348d Always refault if relocking maps fails after IO. This fixes a regression
panic: pool_p_free: semupl free list modified: page ADDR; item addr ADDR; offset 0x0=ADDR C 5 349d 468d 348d When freeing the sem_undo structure in semundo_adjust(), update the
pool: free list modified: semupl C 6 355d 468d 348d When freeing the sem_undo structure in semundo_adjust(), update the
pool: double put: mbufpl 6 414d 416d 348d Avoid an mbuf double free in the oob soreceive() path. In the
uvm_fault: wsmux_do_ioctl (2) C 17 356d 360d 355d In wskbdclose(), use the same logic as in wskbdopen() to determine if
kernel: protection fault trap, code=0 (3) C 3 360d 360d 360d Validate the user-supplied device index given to WSMUXIO_ADD_DEVICE. The same
uvm_fault: VOP_ACCESS 393 364d 407d 364d namei can return a null dvp on success. check this before access.
kernel: protection fault trap, code=0 (2) syz 109 365d 389d 365d Introduce a dedicated entry point data structure for file locks. This new data
panic: malformed IPv4 option passed to ip_optcopy (2) C 149 371d 374d 368d Bring back the ip_pcbopts() refactor. Pad the option buffer and therefor the mbuf to the next word length as it is required by the standard. Also use the correct offset from the input mbuf. OK visa@, input & OK bluhm@
panic: uvm_fault_unwire_locked: address not in map C 2 393d 393d 377d Hold a read lock on the map while doing the actual device I/O during in
assert "next != NULL && next->start <= entry->end" failed in uvm_fault.c C 2 391d 391d 377d Hold a read lock on the map while doing the actual device I/O during in
panic: malformed IPv4 option passed to ip_optcopy C 10 391d 400d 380d Validate the version, and all length fields of IP packets passed to a raw socket
panic: m_zero: M_READONLY C 3 385d 385d 380d It is possible to call m_zero with a read-only cluster. In that case just
assert "__mp_lock_held(&sched_lock, curcpu()) == 0" failed in kern_lock.c C 17 382d 393d 381d ec412da1 Fix unsafe use of ptsignal() in mi_switch().
uvm_fault: m_free 12 391d 414d 381d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
pool: free list modified: mbufpl syz 13 400d 414d 381d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pr_find_pagehead: mbufpl: incorrect page 3 395d 411d 381d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pool_cache_item_magic_check: mcl64k cpu free list modified: item addr ADDR+24 ADDR!=ADDR 1 412d 412d 381d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
uvm_fault: switchread 1 409d 409d 381d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
uvm_fault: switchwrite syz 7 391d 411d 381d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr ADDR+16 0x0!=ADDR 1 402d 402d 384d 54e30ac1 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pr_find_pagehead: mbufpl: page header missing C 10 401d 414d 390d Fix mbuf releated crashes in switch(4). They have been found by
pool: free list modified: mcl2k C 4 399d 453d 398d Replace a wrong poor mans m_trailingspace() with the real thing. The mbuf
panic: receive 3: so ADDR, so_type 1, m ADDR, m_type 6 C 18 400d 409d 399d When using MSG_WAITALL, soreceive() can sleep while processing the receive buffer of a stream socket. Then a new pair of control and data mbuf can be appended to the mbuf queue. In this case, terminate the loop with a short read to prevent a panic. Userland should read the control message with the next system call. OK claudio@ deraadt@
panic: kernel diagnostic assertion "M_DATABUF(m) + M_SIZE(m) >= (m->m_data + m->m_len)" failed: file "/syzkaller/manager C 7 409d 415d 399d 49729d6e In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees the inpcb apart from the disconnect. Just call soisdisconnected() and clear the inp->inp_faddr since the socket is still valid after a disconnect. Problem found by syzkaller via Greg Steuck OK visa@ Fixes: Reported-by: syzbot+2cd350dfe5c96f6469f2@syzkaller.appspotmail.com Reported-by: syzbot+139ac2d7d3d60162334b@syzkaller.appspotmail.com Reported-by: syzbot+02168317bd0156c13b69@syzkaller.appspotmail.com Reported-by: syzbot+de8d2459ecf4cdc576a1@syzkaller.appspotmail.com
pool: double put: lockfpl 1 476d 468d 399d Rework previous lockf fix; bluhm@ noticed a regress failure during consecutive runs. This is a second attempt in which the lockf structure is turned into a doubly linked list which makes it easier to ensure correctness during list insertion and deletion.
uvm_fault: killjobc 1 404d 404d 400d When no child devices are attached to a wsmux device, make sure to return an
uvm_fault: wsmux_do_ioctl 2 430d 468d 400d Utilize sigio with wscons. The old behavior of always making the process group of the process who opens the device the default recipient of sigio is removed as a side-effect of this change. Issuing ioctl(FIOSETOWN) is therefore mandatory in order to receive sigio, which is more consistent with other subsystems supporting sigio.
uvm_fault: sogetopt C 2 417d 417d 414d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
kernel: protection fault trap, code=0 C 16 414d 419d 414d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
uvm_fault: ip_ctloutput C 11 414d 418d 414d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
uvm_fault: ip_pcbopts C 6 414d 418d 414d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees