syzbot

 sign-in | mailing list | source | docs
🐞 Open [169]
🐞 Fixed [301]
🐞 Invalid [1030]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Closed Patch
protection_fault: done_flush (4) -1 1601 35d 163d 3/3 17d 54f7a0c00ad4 vmm: Handle reserved bits in debug registers
uvm_fault: dt_ioctl_record_stop (2) -1 4591 36d 271d 3/3 35d 7348976a6ac6 dt: Deny enabling probes after recording starts
assert "flags & (PR_WAITOK | PR_NOWAIT)" failed in subr_pool.c -1 2 78d 79d 3/3 76d eab2e406eb7b pfr_attach_table() needs wait flag.
panic: maddr rwlock ADDR: enter read deadlock 2 2529 114d 115d 3/3 114d 2b6fc957b059 Backout: Protect IGMP and MLD6 fast timer with rwlock.
witness: shared lock of (rwlock) maddr while exclusively locked -1 1910 114d 115d 3/3 114d 2b6fc957b059 Backout: Protect IGMP and MLD6 fast timer with rwlock.
panic: excl->share 2 98 114d 115d 3/3 114d 2b6fc957b059 Backout: Protect IGMP and MLD6 fast timer with rwlock.
protection_fault: in6_addmulti (5) -1 1 145d 145d 3/3 115d 80bc9799356e Protect IGMP and MLD6 fast timer with rwlock.
kernel: privileged instruction fault trap, code=NUM (2) -1 1 142d 142d 3/3 129d dca1e142a338 Fix race in vmm(4) where
uvm_fault: vm_terminate (2) -1 2 140d 157d 3/3 132d 10e7775f0707 Fix race in vmm(4) vm termination path.
assert "part >= NUM && part < MAXPARTITIONS" failed in subr_disk.c -1 117 164d 166d 3/3 162d b5bf9d3d0aeb bogus asserts; ok krw gnezdo
panic: mtx ADDR: locking against myself (2) 2 338 257d 414d 3/3 256d 5e82fd317c62 Prevent lock recursion in error path.
panic: malloc: allocation too large, type = NUM, size = ADDR (5) 2 1 279d 279d 3/3 270d 753a922a6fb4 Set the upper boundary of 'kern.seminfo.semopm' variable to "(MALLOC_MAX / sizeof(struct sembuf))". Otherwise the greater value could exceed the MALLOC_MAX limit and cause panic.
uvm_fault: dt_ioctl_record_stop -1 1306 271d 388d 3/3 271d 5b6ddc98dee7 Fix sleeping race in dt(4) ioctl(2).
assert "nlevel >= IPL_NONE" failed in intr.c (3) -1 1 324d 324d 3/3 318d b64faffc3616 run ifq_barrier against all ifqs in if_detach, not just if_snd.
assert "d->bd_in_uiomove == NUM" failed in bpf.c (3) -1 1 324d 324d 3/3 318d b64faffc3616 run ifq_barrier against all ifqs in if_detach, not just if_snd.
assert "(TAILQ_NEXT(inp, inp_queue) == NULL) || (TAILQ_NEXT(inp, inp_queue) == _Q_INVALID)" failed in in_pcb.c -1 16 320d 321d 3/3 320d 6bb594b93bf9 Fix use-after-free of inpcb.
protection_fault: in_pcb_iterator -1 4 320d 321d 3/3 320d 6bb594b93bf9 Fix use-after-free of inpcb.
witness: userret: sysctl -1 4 326d 327d 3/3 326d d8a43137eb27 Add forgotten NET_UNLOCK_SHARED() in FILLINPTABLE().
witness: thread exiting with locks held (3) -1 3 326d 327d 3/3 326d d8a43137eb27 Add forgotten NET_UNLOCK_SHARED() in FILLINPTABLE().
panic: mutex ADDR not held in in_pcb_iterator 2 5 328d 329d 3/3 328d b9215d49b9b3 Add forgotten mtx_enter() in FILLINPTABLE().
uvm_fault: ether_frm_ctloutput -1 3 361d 362d 3/3 361d 7d4a6d53c3d0 handle NULL for the option data mbufs in the ethernet setsockopt handling
panic: assertwaitok: non-zero mutex count: NUM (3) 2 1 379d 379d 3/3 377d 42337cd26dad Release `sb_mtx' mutex(9) while doing sleeping m_copym(..., M_WAIT) in soreceive() and somove(). It is possible in both places. We copy only `len' bytes from the single mbuf(9) pointed by `m'. The `len' is always less than m->m_len. The m->m_len could only grow while `sb_mtx' is unlocked, but concurrent thread will not override our chunk of m->m_data. There is no difference with the lockless uiomove(mtod(m)).
assert "va >= entry->start" failed in uvm_fault.c (2) -1 171 409d 450d 3/3 394d 818e6b572963 Make vslock(9) similar to mlock(2): silently ignore non-mapped ranges.
panic: uvm_fault_unwire_locked: address not in map (4) 2 C 638 410d 1486d 3/3 394d 818e6b572963 Make vslock(9) similar to mlock(2): silently ignore non-mapped ranges.
uvm_fault: rtrequest (4) -1 1 437d 437d 3/3 431d 45a541306066 Move kassert from resolve to add case in rtrequest().
panic: malloc: allocation too large, type = NUM, size = ADDR (3) 2 58 447d 449d 3/3 447d 910ed27a3d72 Limit net.bpf.maxbufsize sysctl(8) to a value that malloc(9) can handle. Introduce MALLOC_MAX definition to keep this value in sync and use it system wide.
openbsd test error: SYZFATAL: image testing failed w/o kernel bug -1 47 450d 456d 3/3 448d db5d28f093d6 Bump kcov buffer size limit
assert "nlevel >= IPL_NONE" failed in intr.c (2) -1 122 527d 784d 3/3 527d a921796a245d make sure bpfsdetach is holding a bpf_d ref when invalidating stuff.
pool: double put: shmpl -1 12 539d 613d 3/3 539d 4a445d448ac2 Prevent a double free by unlinking the descriptor before unmaping & freeing it.
panic: kernel diagnostic assertion "uvm_page_owner_locked_p(pg) 2 70 553d 557d 3/3 542d 0535051c104d Check if the mapping for an vm_map_entry exists while holding its lock.
panic: free: size too large NUM > NUM (ADDR) type sysctl 2 1 582d 582d 3/3 580d dd2b8016139a Fix sleeping race during malloc in sysctl hw.disknames.
assert "to_ticks >= NUM" failed in kern_timeout.c -1 1 639d 639d 3/3 631d 2293e68203ec restrict the maximum wait time you can set via BIOCSWTIMEOUT to 5 minutes.
multicore boot error: uvm_fault (2) -1 12 857d 858d 3/3 654d ef9354f58d69 sync
panic: lock (rwlock) solock not locked 2 C 33 1332d 1333d 3/3 657d ef9354f58d69 sync
witness: reversal: lock order data missing (3) -1 8192 657d 1505d 3/3 657d ef9354f58d69 sync
panic: vmxon failed 2 syz 3 746d 751d 3/3 745d ddfb6951b469 vmm: protect vmm activation with the vmm_softc rwlock.
uvm_fault: igmp_leavegroup (5) -1 C 12 747d 749d 3/3 747d 4733ced31b52 Prevent changing interface loopback flag from userland.
panic: unix: lock not held 2 C 2 759d 759d 3/3 753d e679c1f37540 Allow listen(2) only on sockets of type SOCK_STREAM or SOCK_SEQPACKET. listen(2) man(1) page clearly prohibits sockets of other types.
panic: rw_enter: unix locking against myself 2 C 2 777d 777d 3/3 772d d1ea0a7c7de9 Do UNP_CONNECTING and UNP_BINDING flags check in uipc_listen() and return EINVAL if set. This prevents concurrent solisten() thread to make this socket listening while socket is unlocked.
panic: malformed IPv4 option passed to ip_optcopy (3) 2 syz 40 784d 786d 3/3 784d c8a0ef6cb991 Validate IPv4 packet options in divert output.
assert "to->to_kclock == KCLOCK_UPTIME" failed in kern_timeout.c (3) -1 1 807d 807d 3/3 795d 0a34672fd384 timeout: make to_kclock validation more rigorous
kqueue: knote !ACTIVE (3) -1 1 814d 814d 3/3 813d d618cc99d763 Invert broken check of panic string in if_linkstate().
assert "sin6tosa(&ro->ro_dst)->sa_family == AF_INET6" failed in in6_src.c -1 C 218 816d 818d 3/3 816d 4a2c3c9ecbcf In in_pcbrtentry() add missing return of in6_pcbrtentry() value.
uvm_fault: refcnt_take -1 1 831d 831d 3/3 830d 470ec98d6191 Backout priterator() for walking allprocess list.
protection_fault: fill_file (3) -1 1 840d 840d 3/3 834d d221342b6cd4 Introduce priterator(), the `ps_list' iterator. Some of `allprocess' list walkthroughs have context switch within, so make exit1() wait until the last reference released.
witness: reversal: solock pf_lock -1 2 838d 845d 3/3 838d 66bd633ef3ce Use domain name for socket lock.
witness: reversal: pf_lock solock -1 syz 23 838d 845d 3/3 838d 66bd633ef3ce Use domain name for socket lock.
assert "dtlookup(unit) == NULL" failed in dt_dev.c (3) -1 1 849d 849d 3/3 847d c57c5c683707 Prevent simultaneous dt(4) open.
assert "__mp_lock_held(&sched_lock, curcpu()) == NUM" failed in kern_lock.c (4) -1 1 862d 862d 3/3 861d 540e94b5c59a soreceive() must not hold mutex when calling sblock().
panic: assertwaitok: non-zero mutex count: NUM 2 C 10 861d 862d 3/3 861d 540e94b5c59a soreceive() must not hold mutex when calling sblock().
uvm_fault: rtrequest (2) -1 C 15 897d 898d 3/3 897d a08e228de7c0 Fix rt_setgate() error handling.
assert "!_kernel_lock_held()" failed in kern_fork.c (3) -1 107 911d 1561d 3/3 911d 6d6c8141fa4d Adjust KERNEL_ASSERT_UNLOCKED() to not assert during a panic.
assert "!_kernel_lock_held()" failed in uvm_map.c (2) -1 13 946d 1164d 3/3 911d 6d6c8141fa4d Adjust KERNEL_ASSERT_UNLOCKED() to not assert during a panic.
assert "((len + sizeof(long) - NUM) &~ (sizeof(long) - NUM)) <= M_SIZE(m)" failed in uipc_mbuf.c -1 C 2 924d 924d 3/3 921d 7b4d35e0a60b Avoid assertion failure when splitting mbuf cluster.
multicore boot error: witness: lock_object uninitialized: ADDR -1 108 934d 936d 3/3 933d 33aa5105d87e Revert commitid: KtmyJEoS0WWxmlZ5 --- Protect interface queues with read once and mutex.
assert "p->p_stat == SONPROC || p->p_stat == SSLEEP || p->p_stat == SSTOP" failed in kern_synch.c -1 syz 10 955d 985d 3/3 952d de92f022b000 Before coredump or in pledge_fail use SINGLE_UNWIND to stop all threads.
assert "type != NULL" failed in subr_witness.c -1 syz 1 967d 967d 3/3 958d ed07db5bc17e Revert commitid: yfAefyNWibUyjkU2, ESyyH5EKxtrXGkS6 and itscfpFvJLOj8mHB;
assert "nlevel >= IPL_NONE" failed in intr.c -1 C 259 958d 967d 3/3 958d ed07db5bc17e Revert commitid: yfAefyNWibUyjkU2, ESyyH5EKxtrXGkS6 and itscfpFvJLOj8mHB;
witness: reversal: &sched_lock &pr->ps_mtx -1 syz 170 962d 963d 3/3 962d 4ab8b759f72e Fix SCHED_LOCK() leak in single_thread_set()
kernel: integer divide fault trap, code=NUM (4) -1 C 6 1047d 1102d 3/3 1040d 6d14abdcc245 Avoid division by 0 in m_pool_used
panic: rw_enter: rtlck locking against myself 2 5 1187d 1187d 3/3 1186d aa5e72b7343d Revert the `rt_lock' rwlock(9) diff to fix the recursive rwlock(9) acquisition.
panic: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock (7) 2 syz 9 1215d 1230d 3/3 1202d 9cf4e548dcbe Use solock() instead solock_shared() within sys_getsockopt(). Otherwise we acquiring kernel lock with mutex(9) held. This partially reverts rev 1.205 of sys/kern/uipc_syscalls.c. Shared solock() is still fine for getsockname(2) and getpeername(2).
pool: free list modified: semapl -1 syz 2 1360d 1360d 3/3 1308d 5bf1588a93fe Fix memory corruptions with sysv semaphores due to sleeps in copyin, copyout and malloc. During a sleep another thread could delete the semaphore (and possibly allocate another one at the same location with different permissions) which would lead to an invalid access after wake up. Therefore check the semaphore pointer, the sequence, the permissions and some values in seminfo after each sleep. OK bluhm@ Reported-by: syzbot+60ba811fe2e8a6b0f975@syzkaller.appspotmail.com
panic: solock: lock not held 2 C 19 1332d 1333d 3/3 1332d 536333f5835e Use pru_send function to check socket splicing compatibility. Only checking socket type is not sufficient as it could splice together unix and inet sockets resulting in crashes. As splicing is about sending, the same send function looks like a good criteria. Reported-by: syzbot+fc6901d63d858d5dd00a@syzkaller.appspotmail.com Reported-by: syzbot+0e026f1bf8b259c6395e@syzkaller.appspotmail.com OK gnezdo@
assert "uvn->u_obj.uo_refs == NUM" failed in uvm_vnode.c -1 syz 8 1348d 1399d 3/3 1336d ce1ab8dd6b18 Lock vmobjlock then check u_flags & UVM_VNODE_VALID in uvn_attach
kernel: integer divide fault trap, code=NUM (3) -1 C 157 1337d 1359d 3/3 1337d b18f9d9c6b70 Syzkaller found a missing input validation in pipex mppe keylenbits. Reported-by: syzbot+2eca95b271d07ab91b43@syzkaller.appspotmail.com tested yasuoka@; OK mvs@ yasuoka@
panic: tcp_output 2 C 762 1338d 1340d 3/3 1338d 355f588a8749 Sendmsg could crash in tcp_output due to a missing check after the introduction of tcp_send. OK mvs@, bluhm@, gnezdo@ Reported-by: syzbot+e859fd353c90eeac26f8@syzkaller.appspotmail.com
no output from test machine (7) -1 C 124310 1365d 1988d 3/3 1365d fa90ac5c787b Add a pool for the allocation of the pf_anchor struct. It was possible to exhaust kernel memory by repeatedly calling pfioctl DIOCXBEGIN with different anchor names. OK bluhm@ Reported-by: syzbot+9dd98cbce69e26f0fc11@syzkaller.appspotmail.com
witness: userret: sendmsg -1 C 28 1396d 1397d 3/3 1396d 635da3731041 Unlock peer in the SOCK_STREAM and SOCK_SEQPACKET error path.
assert "__mp_lock_held(&sched_lock, curcpu()) == NUM" failed in kern_lock.c -1 C 860 1399d 1510d 3/3 1399d 1690b19512cc Move the deep check back into the loop. There are ways that even though we're deep the code will SSTOP and sleep and then on wakeup we need to recheck the deep conditions. Issue analyzed and OK by mpi@
pool: free list modified: fdescpl (2) -1 C 6 1407d 1452d 3/3 1401d dc399801d5c5 kqueue: Clear task when closing kqueue
protection_fault: pf_anchor_global_RB_REMOVE -1 73 1440d 1528d 3/3 1402d 30d709c8a85c Allow waiting during ktable allocation in pf_ioctl.
uvm_fault: pf_anchor_global_RB_INSERT_COLOR (2) -1 1 1403d 1403d 3/3 1402d 30d709c8a85c Allow waiting during ktable allocation in pf_ioctl.
assert "TAILQ_EMPTY(&lock->lf_blkhd)" failed in vfs_lockf.c (2) -1 C 2 1433d 1433d 3/3 1427d ee8a225221fd Fix ambiguity with lock range end
panic: m_copydata: null mbuf (2) 2 syz 2 1439d 1439d 3/3 1436d 0271abd8e494 In pf the kernel paniced if IP options in packet within ICMP payload were truncated. Drop such packets instead. Reported-by: syzbot+91abd3aa2fdfe900f9ce@syzkaller.appspotmail.com OK sashan@ claudio@
multicore build error (15) -1 6 1455d 1455d 3/3 1454d ba537df4ec28 Using mutex initializer for static variable does not compile with witness. Make ratecheck mutex global. Reported-by: syzbot+9864ba1338526d0e8aca@syzkaller.appspotmail.com
witness: reversal: pf_lock netlock (3) -1 syz 25 1460d 1472d 3/3 1460d f3a753b5d089 Release PF und NET lock before calling copyout for DIOCIGETIFACES. OK sashan@ Reported-by: syzbot+b6afd166e314799e3809@syzkaller.appspotmail.com
protection_fault: lf_advlock -1 C 2 1508d 1552d 3/3 1462d c30ab30fe47b Remove the lock if an identical overlapping one is already present. Preventing a use after free discovered by syzkaller.
protection_fault: lf_findoverlap -1 C 2 1475d 1507d 3/3 1462d c30ab30fe47b Remove the lock if an identical overlapping one is already present. Preventing a use after free discovered by syzkaller.
assert "TAILQ_EMPTY(&lock->lf_blkhd)" failed in vfs_lockf.c -1 1 1475d 1475d 3/3 1462d c30ab30fe47b Remove the lock if an identical overlapping one is already present. Preventing a use after free discovered by syzkaller.
protection_fault: lf_clearlock -1 C 1 1477d 1477d 3/3 1462d c30ab30fe47b Remove the lock if an identical overlapping one is already present. Preventing a use after free discovered by syzkaller.
witness: reversal: pf_lock netlock (2) -1 C 2 1481d 1481d 3/3 1480d 2e34be423f16 Release PF und NET lock before calling copyin for DIOCXROLLBACK. OK bluhm@ Reported-by: syzbot+2945769fc3e6fd9ee413@syzkaller.appspotmail.com
witness: reversal: pf_lock netlock -1 C 19 1492d 1544d 3/3 1482d 82d8999861ab Release PF und NET lock before calling copyin and copyout for DIOCXBEGIN. OK bluhm@ OK sashan@ Reported-by: syzbot+b22ec16c5bf937578937@syzkaller.appspotmail.com
assert "next != NULL && next->start <= entry->end" failed in uvm_fault.c (4) -1 C 9 1486d 1499d 3/3 1485d f77c87828076 Replace KASSERT in uvm_fault_unwire_locked() with code that handles the case where not all pages are wired. The KASSERT can be triggered in multi-threaded applications when a thread calling munmap(2) races another thread that invokes sysctl(2). Properly written code shouldn't do this, but making the kernel crash in this case is a bit harsh.
openbsd build error (17) -1 2 1493d 1493d 3/3 1492d Put call to vmx_remote_vmclear() under #ifdef MULTIPROCESSOR to unbreak build of amd64 GENERIC
uvm_fault: igmp_leavegroup (3) -1 37 1492d 1584d 3/3 1492d a134c703e536 if_detach() does if_remove(ifp); NET_LOCK(); rti_delete(). New igmp groups may join while sleeping in interface destruction. In this case if_get() in igmp_joingroup() fails and rti_fill() is not called. Then inm->inm_rti may be NULL. This is the condition when syzkaller crashes in igmp_leavegroup(). Pass the ifp the current CPU is already holding down to igmp_joingroup() and igmp_leavegroup() to avoid half constructed igmp groups. Calling if_get() in caller and callee makes no sense anyway. Reported-by: syzbot+146823a676b7bea83649@syzkaller.appspotmail.com OK denis@
openbsd boot error: uvm_fault -1 9 1497d 1497d 3/3 1497d 475618162a2c Revert previous. Breaks probing native IDE devices.
multicore boot error: uvm_fault -1 21 1497d 1497d 3/3 1497d 475618162a2c Revert previous. Breaks probing native IDE devices.
panic:p a anciqc:uikerrinngel dbialgocnkoastbliec a s s e r t i o n "! _k er neslle_lepo lcokc_khe l dw ( )i 2 1 1498d 1498d 3/3 1497d d25fea59a0de For raw IP packets rip_input() traverses the loop of all PCBs. From there it calls sbappendaddr() while holding the raw table mutex. This ends in sorwakeup() where we finally grab the kernel lock while holding a mutex. Witness detects this misuse. Use the same solution as for PCB notify. Collect the affected PCBs in a temporary list. The list is protected by exclusive net lock. syzbot+ebe3f03a472fecf5e42e@syzkaller.appspotmail.com OK claudio@
panic: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock (6) 2 C 80 1497d 1498d 3/3 1497d 2be5be2c1f9e For raw IPv6 packets rip6_input() traverses the loop of all PCBs. From there it calls sbappendaddr() while holding the raw6 table mutex. This ends in sorwakeup() where we finally grab the kernel lock while holding a mutex. Witness detects this misuse. Use the same solution as for PCB notify. Collect the affected PCBs in a temporary list. The list is protected by exclusive net lock. Reported-by: syzbot+5b2679ee9be0895d26f9@syzkaller.appspotmail.com OK claudio@
panic: apcaqnuiicr:in g b l o kckearbnelle d isalgeneops t ic a s s leorctkio n " w!_iktehr nselp_inlolocckk_ 2 1 1498d 1498d 3/3 1497d d25fea59a0de For raw IP packets rip_input() traverses the loop of all PCBs. From there it calls sbappendaddr() while holding the raw table mutex. This ends in sorwakeup() where we finally grab the kernel lock while holding a mutex. Witness detects this misuse. Use the same solution as for PCB notify. Collect the affected PCBs in a temporary list. The list is protected by exclusive net lock. syzbot+ebe3f03a472fecf5e42e@syzkaller.appspotmail.com OK claudio@
panic: acquiring blockable sleep lock with spinlock or critical section held (pkanerinc:e l _l o c kke)r &nkeerl ndiea 2 1 1499d 1498d 3/3 1497d d25fea59a0de For raw IP packets rip_input() traverses the loop of all PCBs. From there it calls sbappendaddr() while holding the raw table mutex. This ends in sorwakeup() where we finally grab the kernel lock while holding a mutex. Witness detects this misuse. Use the same solution as for PCB notify. Collect the affected PCBs in a temporary list. The list is protected by exclusive net lock. syzbot+ebe3f03a472fecf5e42e@syzkaller.appspotmail.com OK claudio@
panic: apcaquniirci: ng bkloerckneabll de i a g n o st ic a s s er ti o n " ! _ ke r n e l_ l oc k _ h sel 2 1 1498d 1498d 3/3 1497d 2be5be2c1f9e For raw IPv6 packets rip6_input() traverses the loop of all PCBs. From there it calls sbappendaddr() while holding the raw6 table mutex. This ends in sorwakeup() where we finally grab the kernel lock while holding a mutex. Witness detects this misuse. Use the same solution as for PCB notify. Collect the affected PCBs in a temporary list. The list is protected by exclusive net lock. Reported-by: syzbot+5b2679ee9be0895d26f9@syzkaller.appspotmail.com OK claudio@
panic: acquiring blockable sleep lock with spinlock or critical section held (kernelp_alonicck): &kkerernnelel d_ilao 2 1 1498d 1498d 3/3 1497d d25fea59a0de For raw IP packets rip_input() traverses the loop of all PCBs. From there it calls sbappendaddr() while holding the raw table mutex. This ends in sorwakeup() where we finally grab the kernel lock while holding a mutex. Witness detects this misuse. Use the same solution as for PCB notify. Collect the affected PCBs in a temporary list. The list is protected by exclusive net lock. syzbot+ebe3f03a472fecf5e42e@syzkaller.appspotmail.com OK claudio@
panic: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock (5) 2 C 104 1498d never 3/3 1498d d25fea59a0de For raw IP packets rip_input() traverses the loop of all PCBs. From there it calls sbappendaddr() while holding the raw table mutex. This ends in sorwakeup() where we finally grab the kernel lock while holding a mutex. Witness detects this misuse. Use the same solution as for PCB notify. Collect the affected PCBs in a temporary list. The list is protected by exclusive net lock. syzbot+ebe3f03a472fecf5e42e@syzkaller.appspotmail.com OK claudio@
panic: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock (4) 2 C 249 1499d 1499d 3/3 1499d 63abc0ec39b5 For multicast and broadcast packets udp_input() traverses the loop of all UDP PCBs. From there it calls udp_sbappend() while holding the UDP table mutex. This ends in sorwakeup() where we finally grab the kernel lock while holding a mutex. Witness detects this misuse. Use the same solution as for PCB notify. Collect the affected PCBs in a temporary list. The list is protected by exclusive net lock. Reported-by: syzbot+7596cb96fb9f3c9d6f4f@syzkaller.appspotmail.com OK sashan@
witness: reversal: vmmaplk fdlock -1 syz 22 1508d 1508d 3/3 1506d 447db83cf4f0 Revert holding a read lock on the map while copying out data during sysctl(2).
witness: exclusive lock of (rwlock) vmmaplk while share locked -1 C 9 1508d 1508d 3/3 1506d 447db83cf4f0 Revert holding a read lock on the map while copying out data during sysctl(2).
witness: reversal: netlock vmmaplk -1 C 166 1508d 1508d 3/3 1506d 447db83cf4f0 Revert holding a read lock on the map while copying out data during sysctl(2).
panic: kmmaplk: lock not shared 2 C 15 1508d 1509d 3/3 1508d 447db83cf4f0 Revert holding a read lock on the map while copying out data during sysctl(2).
assert "next != NULL && next->start <= entry->end" failed in uvm_fault.c (3) -1 syz 11 1509d 1525d 3/3 1508d 5f69141a284a Hold a read lock on the map while copying out data during a sysctl(2) call to prevent another thread from unmapping the memory and triggering an assertion or even corrupting random physical memory pages.
uvm_fault: socreate -1 C 106 1523d 1523d 3/3 1523d 532245610f13 Reported-by: syzbot+1b5b209ce506db4d411d@syzkaller.appspotmail.com Revert the pr_usrreqs move: syzkaller found a NULL pointer deref and I won't be available to monitor for followup issues for a bit
assert "sc->sc_dev == NUM" failed in if_tun.c (2) -1 1 1529d 1529d 3/3 1523d 1c9104c31d3f have another go at fixing assert "sc->sc_dev == NUM" failed.
assert "m->m_pkthdr.pf.prio <= IFQ_MAXPRIO" failed in ifq.c -1 syz 2 1538d 1539d 3/3 1532d 2960c8affbaf check pf rule "set prio" values consistently.
assert "sc->sc_dev == NUM" failed in if_tun.c -1 24 1533d 1566d 3/3 1532d 156bbf72d5e4 prevent (re)opening of tun/tap interfaces that are being destroyed.
assert "len >= NUM && !M_READONLY(m)" failed in uipc_mbuf.c -1 syz 153 1534d 1543d 3/3 1534d 4be097b86868 The length value in bpf_movein() is casted to from size_t to u_int and then rounded before checking. Put the same check before the calculations to avoid overflow. Reported-by: syzbot+6f29d23eca959c5a9705@syzkaller.appspotmail.com OK claudio@
kernel: integer divide fault trap, code=NUM (2) -1 C 8 1540d 1543d 3/3 1539d 43496f5abc1b let pfattach() to also initialize pf_default_rule_new to avoid div-by-zero in pf_purge()
panic: unhandled af (4) 2 syz 11 1557d 1587d 3/3 1554d 035d4f5430cb An af-to pf rule must have an address family naf to use after translation. Make stricter sanity checks in pf ioctl to avoid later crashes during packet processing. Reported-by: syzbot+0ef9190e7d0195496d0d@syzkaller.appspotmail.com OK sashan@
uvm_fault: x86_ipi_db (7) -1 4 1581d 1581d 3/3 1580d 7945134bbda7 Use a distinct variable while iterating the list of existing devices.
uvm_fault: pppacopen -1 C 92 1580d 1581d 3/3 1580d 7945134bbda7 Use a distinct variable while iterating the list of existing devices.
assert "TAILQ_EMPTY(&ifp->if_addrhooks)" failed in if.c (2) -1 1 1582d 1582d 3/3 1581d 188a0a692db5 Prevent concurrent access to incomplete or dying `sc' caused by sleep points in pppacopen() and pppacclose() paths. Use the same "sc_ready" logic we use for 'pppx_if' structure.
panic: free: size too small NUM <= NUM / NUM (ADDR) type devbuf 2 1 1583d 1583d 3/3 1581d 61c8c0f0fd3e Prevent a double free by assigning the new keymap and corresponding size after the allocation and initialization is done. Otherwise, a race is possible if malloc ends up sleeping.
SYZFAIL: ioctl remote attach failed (3) -1 13 1582d 1586d 3/3 1581d 982627fcf222 Do not allow send/receive of kcov descriptors as the file descriptor can be kept alive longer than expected causing syzkaller to no longer being able to enable remote coverage.
assert "(rule != NULL) && (rule->ruleset != NULL)" failed in pf_ioctl.c -1 C 7 1584d 2127d 3/3 1584d 5a50f165b8ad DIOCHANGERRULE ioctl must set pointer to ruleset in rule it inserts.
witness: userret: ioctl (3) -1 syz 2 1588d 1588d 3/3 1587d 41a45098bac2 Disk lock was held when returning to userland. Add a missing unlock in vnd ioctl error path. Reported-by: syzbot+6dde3fda33074a256318@syzkaller.appspotmail.com OK jsg@ anton@
uvm_fault: sysctl_diskinit -1 1 1594d 1594d 3/3 1588d 278923c07fda While malloc sleeps, the disk list could change during sysctl. Then allocated memory could be too short for the list of disks. Retry allocating enough space until it did not change. The disk list and duid memory are protected by kernel lock. Use asserts to mark this explicitly. Reported-by: syzbot+807423f6868bbfb836bc@syzkaller.appspotmail.com OK anton@ mpi@
uvm_fault: pfsync_state_import -1 C 10 2075d 2145d 3/3 1588d d13e571b26fd Remove ptr_array from struct pf_ruleset
panic: uvm_fault_unwire_locked: address not in map (3) 2 1 1591d 1591d 3/3 1589d 65315d4d4359 Fix a typo in mlock(2) error path triggering a double-free.
panic: vndioctl: null vp 2 C 3 1594d 1595d 3/3 1589d 4d2db379fd33 Ensure that the disk has been initialized after acquiring the lock and not before as we might end up sleeping while acquiring the lock, introducing a potential race.
panic: malloc: allocation too large, type = NUM, size = ADDR 2 C 3 1595d 1596d 3/3 1589d 0b7f5aec6317 Let malloc return an error as opposed of panicking when sysctl kern.shminfo.shmseg is set to something ridiculously large.
openbsd build error (15) -1 37 1591d 1652d 3/3 1589d revert vnode: remove VLOCKSWORK and check locking when vop_islocked != nullop (both kernel and userland bits)
assert "suser(curproc) == NUM" failed in dt_dev.c -1 C 7 1590d 1590d 3/3 1590d cf997a482905 Remove useless suser assert from dt(4). The ioctl(2) path checks the user anyway and close(2) may crash after setuid(2). Reported-by: syzbot+90e094f33d329fb2c3ab@syzkaller.appspotmail.com OK deraadt@
uvm_fault: uvm_fault_lower -1 C 583 1590d 1595d 3/3 1590d f08b8e936de9 Do not try to unlock a NULL object.
kernel: integer divide fault trap, code=NUM -1 syz 2 1603d 1603d 3/3 1594d 38bfd041cb0f fix zero division found by syzkaller. The sanity checks in pf(4) ioctls are not powerful enough to detect invalid port ranges (or even invalid rules). syzkaller does not use pfctl(8), it uses ioctl(2) to pass some random chunk of memory as a rule to pf(4). Fix adds explicit check for 0 divider to pf_get_transaddr(). It should make syzkaller happy without disturbing anyone else.
uvm_fault: igmp_leavegroup (2) -1 1 1598d 1598d 3/3 1595d 5af2eee02794 Syzkaller found a dereference in igmp_leavegroup() where inm->inm_rti is NULL. It should be set in rti_fill(), but is not if malloc(9) fails. There is no rollback after malloc failure so the field stays uninitialized. The code is only called from ioctl, setsockopt or a task. Malloc should wait instead of failing, otherwise syscalls would be unreliable. While there also put an M_WAIT in the init code. During init malloc must not fail. OK mvs@ Reported-by: syzbot+e22326057ccf34908d78@syzkaller.appspotmail.com
uvm_fault: nd6_dad_duplicated (2) -1 76 1597d 1603d 3/3 1597d ce9bd2eccc20 nd6_dad_ns_input() could trigger a NULL deref in nd6_dad_duplicated(). It checks dp in two of three places. One check got lost in revision 1.83. Do a dp == NULL once at the beginning. OK jsg@ Reported-by: syzbot+88c0ce914a0b10b7e1c8@syzkaller.appspotmail.com
witness: userret: ioctl (2) -1 1 1604d 1604d 3/3 1603d aa5628258068 Add missing kernel unlock in error path.
panic: rw_enter: dklk locking against myself 2 C 6 1665d 1693d 3/3 1661d placing the same vnd underneath a vnd (with VNDIOCSET) is a lock violation, but other circumstances are also bad, so let's block all vnd on top of vnd. While here, fix some toctou multiple-copyin of the path, and restructure the ioctl defer all softc updates to the end. ok mpi
multicore test error: timed out (2) -1 66 1675d 1677d 3/3 1675d 11ad9ee57f54 regen
openbsd build error (14) -1 2 1677d 1677d 3/3 1675d 11ad9ee57f54 regen
openbsd test error: timed out (2) -1 33 1675d 1677d 3/3 1675d 11ad9ee57f54 regen
multicore build error (13) -1 3 1677d 1677d 3/3 1675d 11ad9ee57f54 regen
assert "_kernel_lock_held()" failed in uvm_vnode.c -1 4 1701d 1701d 3/3 1694d 8e114673a836 vmm(4): grab kernel lock before vmspace init
panic: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock (3) 2 C 2 1696d 1700d 3/3 1694d 8e114673a836 vmm(4): grab kernel lock before vmspace init
assert "_kernel_lock_held()" failed in uvm_device.c -1 7 1700d 1701d 3/3 1694d 8e114673a836 vmm(4): grab kernel lock before vmspace init
uvm_fault: rtm_output -1 C 14 1694d 1694d 3/3 1694d d2084f835172 Fix NULL pointer dereference introduced by previous commit.
panic: vcpulock: lock not held 2 1 1701d 1701d 3/3 1696d 5f3d69798ad5 vmm(4): fix vcpu locking issues reported by syzbot
panic: lock (rwlock) vcpulock not locked 2 C 1 1701d 1701d 3/3 1696d 5f3d69798ad5 vmm(4): fix vcpu locking issues reported by syzbot
panic: rw_enter: vcpulock locking against myself 2 1 1700d 1700d 3/3 1696d 5f3d69798ad5 vmm(4): fix vcpu locking issues reported by syzbot
assert "_kernel_lock_held()" failed in uvm_map.c -1 C 11 1700d 1701d 3/3 1698d 8e114673a836 vmm(4): grab kernel lock before vmspace init
panic: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock (2) 2 C 152 1701d 2421d 3/3 1700d 1be9dae600aa Prevent lock ordering issue by raising ipl level of vcpu_pool to IPL_MPFLOOR.
panic: mutex ADDR not held in knote_dequeue 2 C 24 1782d 1783d 3/3 1782d baa47be05351 Remember to lock kqueue mutex in filt_timermodify().
witness: reversal: lock order data missing -1 C 667 1811d 1881d 3/3 1811d 8b594b45f4b5 Move ktrfds() below fdpunlock(). This fixes lock order issue between vn_lock(9) and fdplock().
panic: acquiring blockable sleep lock with spinlock or critical section held (rwlock) solock 2 C 4 1828d 1829d 3/3 1828d Revert per-socket `so_lock' rwlock(9) and use it to protect routing (PF_ROUTE) sockets. There is a locking issue with timeouts that needs to be fixed. Requested by deraadt@
SYZFAIL: tun: can't open device -1 syz 4 1882d 1882d 3/3 1876d 43dfcaac64e4 Issuing FIOSETOWN and TIOCSPGRP ioctl commands on a tun(4) device leaks device references causing a hang while trying to remove the same interface since the reference count will never reach zero. Instead of returning, break out of the switch in order to ensure that tun_put() gets called.
assert "frag->fr_firstoff[index] != NULL" failed in pf_norm.c -1 syz 4 1893d 1913d 3/3 1891d be7274bff2cd When cutting of the head of an overlapping fragment during pf reassembly, reinsert the fragment into the lookup table with correct index. Reported-by: syzbot+d043455a5346f726f1c4@syzkaller.appspotmail.com OK claudio@
kernel: protection fault trap, code=0 (8) -1 syz 1348 1904d 2093d 3/3 1903d 44a45654aa78 Interface group names must fit into IFNAMSIZ and be unique. But the kernel made the unique check before trunkating with strlcpy(). So there could be two interface groups with the same name. The kif is created by a name lookup. The trunkated names are equal, so there was only one kif owned by both groups. When the groups got destroyed, the single kif was removed twice from the RB tree. Check length of group name before doing the unique check. The empty group name was allowed and is now invalid. Reported-by: syzbot+f47e8296ebd559f9bbff@syzkaller.appspotmail.com OK deraadt@ gnezdo@ anton@ mvs@ claudio@
panic: rw_enter: pf_state_lock locking against myself 2 C 8 1904d 1904d 3/3 1904d d7220220b7ed pfsync_state_import() must not be called with the pf state lock held, since the actual modification of the state table is done by a call to pf_state_insert(), which takes the pf state lock itself. Other calls to pfsync_state_import() also only have the pf lock.
panic: vrele: v_writecount != 0 (2) 2 C 1955 1909d 1909d 3/3 1909d df61468f8652 Revert previous commit. The vnode returned by ptm_vn_open() is open and can not simply be vrele()-ed on error. The code currently depends on closef() to do the cleanup.
assert "TAILQ_EMPTY(&kq->kq_head)" failed in kern_event.c -1 C 2 1918d 1918d 3/3 1917d 715db9d67ba3 kqueue: Fix termination assert
uvm_fault: pf_addr_compare -1 C 347 1924d 1924d 3/3 1923d c34fe1b3cf88 An invalid packet may not have set src and dst in packet descriptor. Add a NULL check to prevent crash in pflog(4) introduced in previous commit. Reported-by: syzbot+c6d2f2ad34b822bce98a@syzkaller.appspotmail.com
uvm_fault: m_copyback -1 69 1942d 2089d 3/3 1924d 2cbebc019f52 pflog(4) tried to log the translated packet with rdr-to, nat-to, and af-to addresses and ports applied. Therefore it created a mbuf chain on the stack with a partial copy. This is too complicated for IP options, extension header, NAT46 af-to, and fragmented mbuf chains. It even caused a crash in syzkaller. Usually the length checks in pf_setup_pdesc() rejected the faked mbuf and the goto copy logged the packet unmodified. Remove the pflog_mtap() function and call bpf_mtap_hdr() directly. As the old buggy code was bypassed in most cases, tcpdump(8) output of pflog does not change. Uncondionally log the unmodified packet. Reported-by: syzbot+947e89e06ac3fec187d0@syzkaller.appspotmail.com OK sashan@
kernel: double fault trap, code=0 (4) -1 C 493 1948d 2205d 3/3 1935d c11d76984715 Syzkaller has found a stack overflow in socket splicing. Broadcast packets were resent through simplex broadcast delivery and socket splicing. Although there is an M_LOOP check in somove(9), it did not take effect. if_input_local() cleared the M_BCAST and M_MCAST flags with m_resethdr(). As if_input_local() is used for broadcast and multicast delivery, it was a mistake to delete them. Keep the M_BCAST and M_MCAST mbuf flags when packets are reinjected into the network stack. Reported-by: syzbot+a43ace363f1b663238f8@syzkaller.appspotmail.com OK anton@; discussed with claudio@
kernel: integer divide fault trap, code=0 -1 syz 4 2122d 2151d 3/3 1959d 39c2a1337a94 Reject rules with invalid port ranges
openbsd test error: uvm_fault: spllower -1 6 1973d 1973d 3/3 1966d 3ba77c9295b2 Revert previous extension of the SCHED_LOCK(), the state isn't passed down.
multicore test error: uvm_fault: spllower -1 12 1973d 1973d 3/3 1966d 3ba77c9295b2 Revert previous extension of the SCHED_LOCK(), the state isn't passed down.
uvm_fault: wsevent_fini (3) -1 C 2 1972d 1972d 3/3 1969d 996a5b4d63fa Fix yet another wscons race. In the same subsystem, the following properties must always hold true:
no output from test machine (6) -1 C 2779 1988d 2010d 3/3 1988d 0124df67671a Fix handling of MSG_PEEK in soreceive() for the case where an empty mbuf is encountered in a seqpacket socket.
no output from test machine (5) -1 C 49467 2010d 2107d 3/3 2010d d6d1940044d6 Fix a deadlock between uvn_io() and uvn_flush(). While faulting on a page backed by a vnode, uvn_io() will end up being called in order to populate newly allocated pages using I/O on the backing vnode. Before performing the I/O, newly allocated pages are flagged as busy by uvn_get(), that is before uvn_io() tries to lock the vnode. Such pages could then end up being flushed by uvn_flush() which already has acquired the vnode lock. Since such pages are flagged as busy, uvn_flush() will wait for them to be flagged as not busy. This will never happens as uvn_io() cannot make progress until the vnode lock is released.
witness: userret: ioctl -1 C 3 2015d 2015d 3/3 2014d 610c242e11d3 - missing NET_UNLOCK() in pf_ioctl.c error path
panic: spl assertion failure in yield 2 C 12 2143d 2160d 3/3 2015d - move NET_LOCK() further down in pf_ioctl.c. Also move memory allocations outside of NET_LOCK()/PF_LOCK() scope in easy spots.
openbsd build error (11) -1 44 2016d 2021d 3/3 2016d a524e041107f timeout(9): fix compilation under NKCOV
multicore build error (8) -1 88 2016d 2021d 3/3 2016d a524e041107f timeout(9): fix compilation under NKCOV
panic: malloc: allocation too large, type = 98, size = ADDR 2 C 2 2033d 2033d 3/3 2031d Recent changes for PROT_NONE pages to not count against resource limits, failed to note this also guarded against heavy amap allocations in the MAP_SHARED case. Bring back the checks for MAP_SHARED from semarie, ok kettenis https://syzkaller.appspot.com/bug?extid=d80de26a8db6c009d060
openbsd build error (10) -1 3 2053d 2053d 3/3 2052d Unbreak tree. Instead of passing struct process to siginit() just pass the struct sigacts since that is the only thing that is modified by siginit.
multicore build error (7) -1 5 2053d 2054d 3/3 2052d Unbreak tree. Instead of passing struct process to siginit() just pass the struct sigacts since that is the only thing that is modified by siginit.
panic: syn_cache_insert: cacheoverflow: impossible (2) 2 C 6 2089d 2134d 3/3 2066d 7c72bba2fa26 Convert tcp_sysctl to sysctl_bounded_args
assert "curproc->p_kd == NULL" failed in kcov.c (2) -1 1 2079d 2079d 3/3 2066d ece33e2f6ca2 Before clearing the kcov descriptor associated with a thread make sure no other thread is currently within a remote section. Otherwise, the remote subsystem could end up in a broken state where it doesn't reset the necessary bits upon leaving the remote section.
assert "curproc->p_kd == NULL" failed in kcov.c -1 2 2083d 2084d 3/3 2083d 2fa3abdda1a4 When detaching common remote coverage, do not clear any fields. Instead, let kr_free() do the work. Otherwise a thread currently inside a remote section could end up not decrementing the number of ongoing sections while exiting the same remote section.
uvm_fault: pfi_address_add -1 syz 1359 2104d 2160d 3/3 2093d efa3c3dd644f Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
pool: free list modified: phpool -1 1 2134d 2134d 3/3 2093d efa3c3dd644f Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
panic: sbdrop 2 syz 183 2095d 2394d 3/3 2093d efa3c3dd644f Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
uvm_fault: soreceive -1 syz 240 2103d 2369d 3/3 2093d efa3c3dd644f Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
panic: ifa_update_broadaddr does not support dynamic length (2) 2 13 2097d 2247d 3/3 2093d efa3c3dd644f Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
uvm_fault: in6ifa_ifpforlinklocal -1 1 2148d 2148d 3/3 2093d efa3c3dd644f Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
uvm_fault: pool_do_put (2) -1 syz 53 2104d 2348d 3/3 2093d efa3c3dd644f Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
kernel: protection fault trap, code=0 (7) -1 syz 774692 2093d 2337d 3/3 2093d efa3c3dd644f Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
uvm_fault: in_delmulti -1 syz 375431 2093d 2379d 3/3 2093d efa3c3dd644f Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
panic: tcp_output: template len != hdrlen - optlen 2 syz 487 2094d 2407d 3/3 2093d efa3c3dd644f Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
soreceive 1a -1 syz 510 2095d 2252d 3/3 2093d efa3c3dd644f Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
uvm_fault (2) -1 syz 1 2146d 2146d 3/3 2093d efa3c3dd644f Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
pool: cpu free list modified: mbufpl -1 syz 15863 2093d 2380d 3/3 2093d efa3c3dd644f Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
pool: free list modified: art_heap4 (2) -1 4 2135d 2166d 3/3 2093d efa3c3dd644f Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
soreceive 3 -1 syz 755 2093d 2252d 3/3 2093d efa3c3dd644f Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
uvm_fault: vio_rxeof -1 syz 15700 2103d 2414d 3/3 2093d efa3c3dd644f Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
uvm_fault: ifa_update_broadaddr -1 3275 2103d 2347d 3/3 2093d efa3c3dd644f Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
multicore build error (6) -1 4 2099d 2112d 3/3 2096d Revert r1.170. dlg and jmatthew simultaneously fixed this the correct way.
openbsd build error (9) -1 1 2112d 2112d 3/3 2096d Revert r1.170. dlg and jmatthew simultaneously fixed this the correct way.
uvm_fault: wsevent_fini (2) -1 1 2120d 2120d 3/3 2099d 25f2901d1c23 Fix yet another panic in which wsevent_fini() ends up being called with NULL. This one is a race caused by clearing the me_evp member before calling routines that could end up sleeping.
no output from test machine (3) -1 C 25293 2114d 2129d 3/3 2114d A pty write containing VDISCARD, VREPRINT, or various retyping cases of VERASE would perform (sometimes irrelevant) compute in the kernel which can be heavy (especially with our insufficient tty subsystem locking). Use tsleep_nsec for 1 tick in such circumstances to yield cpu, and also bring interruptability to ptcwrite() https://syzkaller.appspot.com/bug?extid=462539bc18fef8fc26cc ok kettenis millert, discussions with greg and anton
panic: unhandled af (2) 2 C 22 2131d 2157d 3/3 2130d 38e8113e1d44 state import should accept AF_INET/AF_INET6 only
panic: syn_cache_insert: bucketoverflow: impossible 2 C 5 2143d 2161d 3/3 2140d 2b10bfc1e665 Refuse to set 0 or a negative value for net.inet.tcp.synbucketlimit.
panic: syn_cache_insert: cacheoverflow: impossible 2 5 2140d 2159d 3/3 2140d 2b10bfc1e665 Refuse to set 0 or a negative value for net.inet.tcp.synbucketlimit.
no output from test machine -1 C 551400 2182d 2757d 3/3 2182d 7bb4371dccb1 Do not wait indefinitely for flushing when closing a tty.
panic: m_copydata: null mbuf 2 C 396 2186d 2373d 3/3 2183d 574b3a4fa98d Do sanity checks in ip6_pullexthdr() preventing a panic in m_copydata(9).
assert "!ISSET(rt->rt_flags, RTF_LOCAL)" failed in nd6.c -1 1 2248d 2248d 3/3 2197d 8e6c5245c1d8 Never update the ND entry (cache) corresponding to a RTF_LOCAL route.
uvm_fault: pfi_dynaddr_remove -1 C 17 2306d 2311d 3/3 2199d 3d97bff14298 fix insufficient input sanitization in pf_rulecopyin() and pf_pool_copyin()
uvm_fault: pfr_detach_table -1 C 12 2306d 2309d 3/3 2199d 3d97bff14298 fix insufficient input sanitization in pf_rulecopyin() and pf_pool_copyin()
openbsd build error (8) -1 2 2204d 2205d 3/3 2204d 20c8eb7cf336 Add bse(4) device to unbreak build.
multicore build error (5) -1 4 2204d 2205d 3/3 2204d 20c8eb7cf336 Add bse(4) device to unbreak build.
panic: rw_enter: netlock locking against myself 2 syz 2 2211d 2211d 3/3 2207d 27427a72e313 In sosplice(), temporarily release the socket lock before calling FRELE() as the last reference could be dropped which in turn will cause soclose() to be called where the socket lock is unconditionally acquired. Note that this is only a problem for sockets protected by the non-recursive NET_LOCK() right now.
assert "p == curproc" failed in vfs_vops.c -1 C 187 2219d 2220d 3/3 2217d fc5a743df3a9 Revert previous, syzkaller found a way to trigger the KASSERT().
uvm_fault: strlcpy (2) -1 1 2228d 2228d 3/3 2221d 9fcf6ed4d02d Prevent out of bounds read in strlcpy due to vcp_name not being NUL-terminated.
panic: vputonfreelist: lock count is not zero 2 C 2 2252d 2252d 3/3 2223d 2a9890d8c8d9 Relax the lockcount assertion in vputonfreelist(). Back when I fixed several problems with the vnode exclusive lock implementation, I overlooked the fact that a vnode can be in a state where the usecount is zero while the holdcount still being positive. There could still be threads waiting on the vnode lock in uvn_io() as long as the holdcount is positive.
uvm_fault: wsevent_fini -1 1 2232d 2232d 3/3 2226d be78d62e13f6 Ensure that me_evp is still NULL before assignment during open of wscons devices. This condition is checked early on during open but since the same routine could end up sleeping before assigning me_evp, a race against adding the same wscons device to a wsmux could be lost. This in turn can cause a NULL deference during close.
kernel: double fault trap, code=0 (3) -1 C 69 2238d 2247d 3/3 2238d aa1987fe7ce4 Fix unlimited recursion caused by local outbound bcast/mcast packet sent via spliced socket.
pool: free list modified: aobjpl -1 C 3 2336d 2348d 3/3 2246d c5a231fb6c1e Grab a reference for the shared memory segment before calling uvm_map() as the same function could end up putting the thread to sleep. Allowing another thread to free the shared memory segment, which in turns causes a use-after-free.
openbsd boot error: uvm_fault: softclock -1 33 2248d 2249d 3/3 2247d previous commit accidentally aliased two unique timeouts hit by millert
multicore boot error: uvm_fault: softclock -1 66 2248d 2249d 3/3 2247d previous commit accidentally aliased two unique timeouts hit by millert
kqueue: knote !QUEUED -1 syz 8 2263d 2299d 3/3 2263d 8c4786361ce1 Raise SPL when updating kn_status. Otherwise the field can become inconsistent if knote_acquire() or knote_release() is preempted by an interrupt that modifies the same knote.
panic: unhandled af 2 C 21 2306d 2308d 3/3 2301d 4804479228fb Check address family of pf ioctl(2) DIOCNATLOOK parameter at kernel entry instead of calling panic() due to unhandled af. Reported-by: syzbot+92be143c2dd1746cf2af@syzkaller.appspotmail.com from Benjamin Baier
panic: attempt to execute user address 2 syz 1539 2312d 2406d 3/3 2308d f30ff743e528 Fix some races in kqueue_register().
witness: reversal: vmmaplk inode -1 C 103124 2323d 2651d 3/3 2323d Use separate rwlock initializations for userland ("vmspace") and kernel maps. This lets witness know that these really are different classes avoiding false positives when detecting lock order reversals.
kernel: protection fault trap, code=0 (6) -1 C 55024 2337d 2421d 3/3 2337d 0f83bb56e561 Fix a bad offset calculation in uvm_share.
panic: uvm_mapent_clone: no space in map for entry in empty map 2 C 12 2337d 2343d 3/3 2337d 0f83bb56e561 Fix a bad offset calculation in uvm_share.
panic: amap_pp_adjref: negative reference count 2 C 98 2347d 2400d 3/3 2337d 0f83bb56e561 Fix a bad offset calculation in uvm_share.
uvm_fault: amap_pp_adjref -1 1 2400d 2400d 3/3 2337d 0f83bb56e561 Fix a bad offset calculation in uvm_share.
uvm_fault: uvm_unmap_remove (2) -1 C 7836 2337d 2421d 3/3 2337d 3c82c0b2df98 Fix uvm_unmap_remove panic when tearing down VMs.
panic: uvmspace_fork: no space in map for entry in empty map 2 C 450 2345d 2400d 3/3 2337d 0f83bb56e561 Fix a bad offset calculation in uvm_share.
assert "TAILQ_EMPTY(&ifp->if_addrhooks)" failed in if.c -1 2 2358d 2359d 3/3 2353d 9e254176dfa1 take care to avoid a race when creating the same interface.
panic: ifa_update_broadaddr does not support dynamic length 2 syz 6780 2364d 2422d 3/3 2364d b36fd3da6fde Do propper kernel input validation for in_control() ioctl(2) SIOCGIFADDR, SIOCGIFNETMASK, SIOCGIFDSTADDR, SIOCGIFBRDADDR, SIOCSIFADDR, SIOCSIFNETMASK, SIOCSIFDSTADDR, and SIOCSIFBRDADDR. Name in_ioctl_set_ifaddr() consistently. Use in_sa2sin() to validate inet address. Combine if_addrlist loops and add comment. Although netmask is not a inet address, length must be valid. Reported-by: syzbot+5fc6da002fc4e8d994be@syzkaller.appspotmail.com OK visa@
pool: free list modified: shmpl -1 C 22 2520d 2614d 3/3 2373d d13730a27993 Copy in the user-supplied buffer in shmctl(2) before looking up the shared memory segment. Otherwise, if copyin ends up sleeping it allows another thread to remove the same segment leading to a use-after-free.
malloc: free list modified: devbuf -1 syz 5 2381d 2387d 3/3 2380d put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
uvm_fault: kqueue_scan -1 1 2403d 2403d 3/3 2380d put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
uvm_fault: witness_checkorder -1 syz 2 2383d 2383d 3/3 2380d put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
uvm_fault: filt_bpfrdetach -1 syz 1 2381d 2381d 3/3 2380d put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
uvm_fault: bpfioctl -1 C 14 2388d 2472d 3/3 2380d put bpfdesc reference counting back, revert change introduced in 1.175 as: BPF: remove redundant reference counting of filedescriptors
assert "ps->ps_uvncount == 0" failed in kern_unveil.c -1 syz 226 2408d 2675d 3/3 2401d a239dbafd306 Only increment the ps_uvncount counter when a path is successfully added to the corresponding red-black tree; meaning the path was not already present in the tree. This prevents an assertion to trigger in unveil_destroy() later on when the process exits.
assert "ln != NULL" failed in nd6.c -1 1 2427d 2427d 3/3 2404d bdbfbec5cea8 Do more sanity checks when accepting socket addresses in routing messages from user land. Inspect length field early in rtm_xaddrs(). Strings must be NUL terminated. The socket address type and length depend on the routing message type. Currently checks are not super strict to avoid too much user land fallout. OK mpi@ Reported-by: syzbot+638dbf7851da8e255af5@syzkaller.appspotmail.com
assert "ifa == rt->rt_ifa" failed in nd6.c -1 9 2404d 2405d 3/3 2404d bdbfbec5cea8 Do more sanity checks when accepting socket addresses in routing messages from user land. Inspect length field early in rtm_xaddrs(). Strings must be NUL terminated. The socket address type and length depend on the routing message type. Currently checks are not super strict to avoid too much user land fallout. OK mpi@ Reported-by: syzbot+638dbf7851da8e255af5@syzkaller.appspotmail.com
uvm_fault: strlcpy -1 18 2411d 2531d 3/3 2409d bdbfbec5cea8 Do more sanity checks when accepting socket addresses in routing messages from user land. Inspect length field early in rtm_xaddrs(). Strings must be NUL terminated. The socket address type and length depend on the routing message type. Currently checks are not super strict to avoid too much user land fallout. OK mpi@ Reported-by: syzbot+638dbf7851da8e255af5@syzkaller.appspotmail.com
uvm_fault: uvm_unmap_remove -1 C 780 2421d 2440d 3/3 2421d 00ba8250173b vm_teardown() must be serialized since it modifies the global vmm_softc structure. Therefore grab the appropriate lock before calling the same function. This issue has been known for a while and reported before but lacking a way to easily reproduce it; until syzkaller came up with a reproducer.
panic: malloc: allocation too large, type = 2, size = ADDR (2) 2 C 16842 2422d 2440d 3/3 2422d 225e50e8a961 Do not decrement the number of VMs counter twice in one of vm_create() error paths. If creation of the first VM fails, the counter will wrap around to a huge value. The same value could later be passed to malloc() through vm_get_info() causing a panic.
kernel: protection fault trap, code=0 (5) -1 C 607 2428d 2502d 3/3 2427d a42056240bd9 Fix a route use after free in IPv6 multicast route. Move the mrt6_mcast6_del() out of the rtable_walk(). This avoids recursion to prevent stack overflow. Also it allows freeing the route outside of the walk. Now mrt6_mcast_del() frees the route only when it is deleted from the routing table. If that fails, it must not be freed. After the route is returned by mf6c_find(), it is reference counted. Then we need a rtfree(), but not in the other case. Name mrt6_mcast_add() and mrt6_mcast_del() consistently. Move rt_timer_remove_all() into mrt6_mcast_del(). Reported-by: syzbot+af7d510593d74c825960@syzkaller.appspotmail.com OK mpi@
panic: acquiring blockable sleep lock with spinlock or critical section held (kernel_lock) &kernel_lock 2 33 2437d 2441d 3/3 2436d d3f3cb99fa83 Do not use the flow of the first fragment to store ECN information. Handle the ECN in the fragment queue. Reported-by: syzbot+0aa80b25e9041001cac8@syzkaller.appspotmail.com fix from FreeBSD; OK claudio@
uvm_fault: frag6_input -1 24 2437d 2441d 3/3 2436d d3f3cb99fa83 Do not use the flow of the first fragment to store ECN information. Handle the ECN in the fragment queue. Reported-by: syzbot+0aa80b25e9041001cac8@syzkaller.appspotmail.com fix from FreeBSD; OK claudio@
witness: userret: returning with the following locks held: -1 C 315 2437d 2647d 3/3 2437d b808994cf339 When a thread tries to exclusively lock a vnode, the same thread must ensure that any other thread currently trying to acquire the underlying vnode lock has observed that the same vnode is about to be exclusively locked. Such threads must then sleep until the exclusive lock has been released and then try to acquire the lock again. Otherwise, exclusive access to the vnode cannot be guaranteed.
panic: vput: ref cnt 2 C 6 2450d 2452d 3/3 2448d d627fa5cc364 Serialize access to the vnode pointers associated with acct(2) system accounting. Prevents a race where the acct thread and the acct(2) syscall both tries to close a vnode.
assert "timo || _kernel_lock_held()" failed in kern_synch.c -1 C 2 2451d 2451d 3/3 2450d 93e05fce3bab Revert unlock of lseek(2) since vn_lock() could end up calling tsleep() which is not allowed without holding the kernel lock. Otherwise, wakeups could be lost.
panic: vrele: v_writecount != 0 2 C 51 2458d 2464d 3/3 2458d 3e253b4759f0 Favor vn_close() in the error path of diskmapioctl() since side-effects caused by calling vn_open() with write permissions must be reverted. Otherwise, the vfs subsystem could panic while releasing the last vnode reference if the writecount is still positive.
panic: vput: v_writecount != 0 (2) 2 C 112 2458d 2464d 3/3 2458d 3e253b4759f0 Favor vn_close() in the error path of diskmapioctl() since side-effects caused by calling vn_open() with write permissions must be reverted. Otherwise, the vfs subsystem could panic while releasing the last vnode reference if the writecount is still positive.
assert "cpipe->pipe_buffer.cnt == 0" failed in sys_pipe.c -1 C 8 2485d 2485d 3/3 2485d 40f8ed5eebb0 backout the unlock of pipe(2) and pipe2(2)
kernel: protection fault trap, code=0 (4) -1 C 759 2503d 2616d 3/3 2502d cf34c7c30780 Prevent recursions by not deleting entries inside rtable_walk(9).
uvm_fault: arp_rtrequest -1 C 79 2522d 2532d 3/3 2511d 4cb088386ee5 In arp_rtrequest and nd6_rtrequest return early if the RTF_MPLS flag is set. These mpls routes use the rt_llinfo structure to store the MPLS label and would confuse the arp and nd6 code. OK bluhm@ anton@
assert "(rt->rt_flags & RTF_MPATH) || mrt->rt_priority != prio" failed in rtable.c -1 C 143 2522d 2536d 3/3 2511d ff10691ed095 Copy the user provided sockaddr into a normalized sockaddr in rtrequest() before adding it to the routing table. The rtable code is doing memcmp() of those rt_dest sockaddrs so it is important that they are stored in a canonical form. To do this struct domain is extended to include the sockaddr size for this address family. OK bluhm@ anton@
uvm_fault: mrt6_ioctl -1 C 2 2532d 2532d 3/3 2520d a8f2b5c7d3d3 Add missing NULL check for the protocol control block (pcb) pointer in mrt{6,}_ioctl. Calling shutdown(2) on the socket prior to the ioctl command can cause it to be NULL.
uvm_fault: mrt_ioctl -1 C 2 2521d 2521d 3/3 2520d a8f2b5c7d3d3 Add missing NULL check for the protocol control block (pcb) pointer in mrt{6,}_ioctl. Calling shutdown(2) on the socket prior to the ioctl command can cause it to be NULL.
uvm_fault: pckbc_start (2) -1 syz 2 2533d 2533d 3/3 2521d bc79b6e32eb3 Prevent corruption of the pckbc command queue. If multiple synchronous commands are in flight and all corresponding threads are sleeping waiting for a response, the first command to timeout will clear the command queue. The remaining threads once awake will then try to remove a dequeued command from the queue, leading to corruption. Instead, remove commands from the queue before waking up the sleeping thread. A quirk is still needed to handle the case where tsleep() returns successfully during suspend.
assert "_kernel_lock_held()" failed in kern_event.c -1 C 11 2551d 2554d 3/3 2521d 1be240a95e4a Removed all diagnostic, calling printf() here might create a recursion.
witness: reversal: &pr->ps_mtx &sched_lock -1 C 141 2523d 2524d 3/3 2523d 17b25159f963 Revert to using the SCHED_LOCK() to protect time accounting.
uvm_fault: wsmux_do_ioctl (4) -1 C 3 2536d 2560d 3/3 2534d 78fe050fe549 A problem fixed in wskbd is also present in wsmux. Repeating the previous commit message:
panic: malloc: out of space in kmem_map 2 97 2586d 2651d 3/3 2535d During fuzzing, one or many fuzzing processes are often stuck waiting on memory from the subproc malloc subsystem which is exhausted. Attempt to circumvent such scenarios by allocation the kcov coverage buffer using km_alloc() instead.
uvm_fault: rtm_report -1 C 2 2560d 2560d 3/3 2544d 1b18c0494f67 Make rt_mpls_set() be more strict in what it accepts. Also ensure that the RTF_MPLS can't be toggled without rt_mpls_set() being called. While RTF_MPLS is part of RTF_FMASK it should be excluded from the flags and mask when they are applied to the route since toggling it requires a call to rt_mpls_set(). OK bluhm@
syzkaller: testing failed: failed to run ["go" "test" "-short" "./..."]: exit status 1 -1 36 2545d 2546d 3/3 2544d fbb8d265a895 Restore previous behavior of limiting deadlock detection to posix-style locks.
multicore build error (3) -1 4 2549d 2549d 3/3 2548d always rearm completion queues as leaving them disarmed would lead to rx or tx completion stalling.
openbsd build error (5) -1 2 2549d 2549d 3/3 2548d always rearm completion queues as leaving them disarmed would lead to rx or tx completion stalling.
panic: timeout_add: to_ticks < 0 (3) 2 1 2572d 2572d 3/3 2560d 1af424413523 Lower the accepted upper bound for bd_rtout to INT_MAX in order to prevent passing negative values to timeout_add().
panic: mtx ADDR: locking against myself 2 C 3 2565d 2566d 3/3 2564d vmm(4): remove a debug printf that was causing lock issues (it was being called from an IPI routine).
panic: timeout_add: to_ticks < 0 (2) 2 syz 12 2582d 2584d 3/3 2582d bf2018479c9a Reject negative and too large timeouts passed to BIOCSRTIMEOUT. Since the timeout converted to ticks is later passed timeout_add(), it could cause a panic if the timeout is negative.
uvm_fault: rtable_satoplen (2) -1 syz 101 2585d 2594d 3/3 2582d 575ef11475ca Add a more strict rtm_hdrlen size check. Make sure that at least struct rt_msghdr bytes are passed in. Also return a failure from rtm_xaddrs() if rti_addrs has bad flags or run out of space. Ok bluhm@
uvm_fault: memcpy -1 C 460 2585d 2605d 3/3 2585d 575ef11475ca Add a more strict rtm_hdrlen size check. Make sure that at least struct rt_msghdr bytes are passed in. Also return a failure from rtm_xaddrs() if rti_addrs has bad flags or run out of space. Ok bluhm@
panic: malloc: allocation too large, type = 2, size = ADDR 2 C 914 2586d 2649d 3/3 2586d fd7c80607c62 Restrict the number of allowed wsmux devices, just like wskbd and wsmouse already does. Otherwise, malloc could panic if the device minor is sufficiently large.
openbsd build error (2) -1 1 2590d 2590d 3/3 2590d 6baecefef8fe Tweak previous: include <sys/stdint.h> for INT64_MAX/INT64_MIN.
assert "tname->un_flags & UNVEIL_USERSET" failed in kern_unveil.c -1 C 1447 2590d 2592d 3/3 2590d f4c23aa848ae Remove this assert, I can't do this here with UNVEIL_INSPECT added aggressively today. Hopefully post release a glorious flensing will remove UNVEIL_INSPECT anyway
uvm_fault: rtable_satoplen -1 158 2595d 2611d 3/3 2594d fab4809e7ec2 Make sure pointer is within bounds before dereferencing it.
witness: acquiring duplicate lock of same type: "&sc->sc_lock" -1 C 231 2624d 2626d 3/3 2624d 1f8a38b155bf When adding a wsmux device to an existing wsmux device using ioctl(WSMUXIO_ADD_DEVICE), two distinct locks of the same type are acquired. Thus, witness will emit warning. Since acquiring two different locks of the same type is harmless in this context, relax the witness check by flagging the locks as RWL_DUPOK.
panic: timeout_add: to_ticks < 0 2 C 66 2624d 2629d 3/3 2624d 3cfc9cae129c Reject negative input from userland in spkrioctl(). One of the arguments are later passed to timeout_add() which panics if the given ticks are negative. While here, clamp arguments in pcppi_bell() in order to prevent overflow.
uvm_fault: pckbc_start -1 1 2626d 2626d 3/3 2625d 0c0bf6318018 Serialize access to the list of attached child devices belonging to a wsmux. When invoking wsevsrc_* functions on a attached child device, underlying driver can sleep; this introduces a race where another thread is able to modify the list leading to all kinds of corruptions.
uvm_fault: wsmux_detach_sc -1 syz 10 2628d 2640d 3/3 2626d 0c0bf6318018 Serialize access to the list of attached child devices belonging to a wsmux. When invoking wsevsrc_* functions on a attached child device, underlying driver can sleep; this introduces a race where another thread is able to modify the list leading to all kinds of corruptions.
panic: vmmaplk: lock not shared 2 C 16 2637d 2649d 3/3 2637d Always refault if relocking maps fails after IO. This fixes a regression
panic: pool_p_free: semupl free list modified: page ADDR; item addr ADDR; offset 0x0=ADDR 2 C 5 2637d 2757d 3/3 2637d When freeing the sem_undo structure in semundo_adjust(), update the
pool: free list modified: semupl -1 C 6 2643d 2757d 3/3 2637d When freeing the sem_undo structure in semundo_adjust(), update the
pool: double put: mbufpl -1 6 2703d 2704d 3/3 2637d Avoid an mbuf double free in the oob soreceive() path. In the
uvm_fault: wsmux_do_ioctl (2) -1 C 17 2644d 2648d 3/3 2643d In wskbdclose(), use the same logic as in wskbdopen() to determine if
kernel: protection fault trap, code=0 (3) -1 C 3 2649d 2649d 3/3 2648d Validate the user-supplied device index given to WSMUXIO_ADD_DEVICE. The same
uvm_fault: VOP_ACCESS -1 393 2653d 2695d 3/3 2653d namei can return a null dvp on success. check this before access.
kernel: protection fault trap, code=0 (2) -1 syz 109 2654d 2678d 3/3 2654d Introduce a dedicated entry point data structure for file locks. This new data
panic: malformed IPv4 option passed to ip_optcopy (2) 2 C 149 2659d 2663d 3/3 2656d Bring back the ip_pcbopts() refactor. Pad the option buffer and therefor the mbuf to the next word length as it is required by the standard. Also use the correct offset from the input mbuf. OK visa@, input & OK bluhm@
panic: uvm_fault_unwire_locked: address not in map 2 C 2 2681d 2681d 3/3 2665d Hold a read lock on the map while doing the actual device I/O during in
assert "next != NULL && next->start <= entry->end" failed in uvm_fault.c -1 C 2 2679d 2679d 3/3 2665d Hold a read lock on the map while doing the actual device I/O during in
panic: malformed IPv4 option passed to ip_optcopy 2 C 10 2679d 2688d 3/3 2668d Validate the version, and all length fields of IP packets passed to a raw socket
panic: m_zero: M_READONLY 2 C 3 2673d 2673d 3/3 2668d It is possible to call m_zero with a read-only cluster. In that case just
assert "__mp_lock_held(&sched_lock, curcpu()) == 0" failed in kern_lock.c -1 C 17 2670d 2682d 3/3 2669d ec412da11be4 Fix unsafe use of ptsignal() in mi_switch().
uvm_fault: m_free -1 12 2680d 2702d 3/3 2670d 54e30ac1a804 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
pool: free list modified: mbufpl -1 syz 13 2689d 2703d 3/3 2670d 54e30ac1a804 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pr_find_pagehead: mbufpl: incorrect page 2 3 2683d 2699d 3/3 2670d 54e30ac1a804 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pool_cache_item_magic_check: mcl64k cpu free list modified: item addr ADDR+24 ADDR!=ADDR 2 1 2700d 2700d 3/3 2670d 54e30ac1a804 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
uvm_fault: switchread -1 1 2697d 2697d 3/3 2670d 54e30ac1a804 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
uvm_fault: switchwrite -1 syz 7 2680d 2700d 3/3 2670d 54e30ac1a804 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pool_cache_item_magic_check: mbufpl cpu free list modified: item addr ADDR+16 0x0!=ADDR 2 1 2690d 2690d 3/3 2672d 54e30ac1a804 Fix mbuf releated crashes in switch(4). They have been found by syzkaller as pool corruption panic. It is unclear which bug caused what, but it should be better now. - Check M_PKTHDR with assertion before accessing m_pkthdr. - Do not access oh_length without m_pullup(). - After checking if there is space at the end of the mbuf, don't overwrite the data at the beginning. Append the new content. - Do not set m_len and m_pkthdr.len when it is unclear whether the ofp_error header fits at all. Use m_makespace() to adjust the mbuf. Reported-by: syzbot+6efc0a9d5b700b54392e@syzkaller.appspotmail.com test akoshibe@; OK claudio@
panic: pr_find_pagehead: mbufpl: page header missing 2 C 10 2689d 2702d 3/3 2678d Fix mbuf releated crashes in switch(4). They have been found by
pool: free list modified: mcl2k -1 C 4 2687d 2741d 3/3 2686d Replace a wrong poor mans m_trailingspace() with the real thing. The mbuf
panic: receive 3: so ADDR, so_type 1, m ADDR, m_type 6 2 C 18 2689d 2698d 3/3 2688d When using MSG_WAITALL, soreceive() can sleep while processing the receive buffer of a stream socket. Then a new pair of control and data mbuf can be appended to the mbuf queue. In this case, terminate the loop with a short read to prevent a panic. Userland should read the control message with the next system call. OK claudio@ deraadt@
panic: kernel diagnostic assertion "M_DATABUF(m) + M_SIZE(m) >= (m->m_data + m->m_len)" failed: file "/syzkaller/manager 2 C 7 2697d 2703d 3/3 2688d 49729d6ed45f In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees the inpcb apart from the disconnect. Just call soisdisconnected() and clear the inp->inp_faddr since the socket is still valid after a disconnect. Problem found by syzkaller via Greg Steuck OK visa@ Fixes: Reported-by: syzbot+2cd350dfe5c96f6469f2@syzkaller.appspotmail.com Reported-by: syzbot+139ac2d7d3d60162334b@syzkaller.appspotmail.com Reported-by: syzbot+02168317bd0156c13b69@syzkaller.appspotmail.com Reported-by: syzbot+de8d2459ecf4cdc576a1@syzkaller.appspotmail.com
pool: double put: lockfpl -1 1 2765d 2757d 3/3 2688d Rework previous lockf fix; bluhm@ noticed a regress failure during consecutive runs. This is a second attempt in which the lockf structure is turned into a doubly linked list which makes it easier to ensure correctness during list insertion and deletion.
uvm_fault: killjobc -1 1 2692d 2692d 3/3 2688d When no child devices are attached to a wsmux device, make sure to return an
uvm_fault: wsmux_do_ioctl -1 2 2718d 2757d 3/3 2688d Utilize sigio with wscons. The old behavior of always making the process group of the process who opens the device the default recipient of sigio is removed as a side-effect of this change. Issuing ioctl(FIOSETOWN) is therefore mandatory in order to receive sigio, which is more consistent with other subsystems supporting sigio.
uvm_fault: sogetopt -1 C 2 2705d 2705d 1/3 2702d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
kernel: protection fault trap, code=0 -1 C 16 2702d 2707d 1/3 2702d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
uvm_fault: ip_ctloutput -1 C 11 2702d 2706d 1/3 2702d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
uvm_fault: ip_pcbopts -1 C 6 2702d 2706d 1/3 2702d In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees