xref: /freebsd/tools/test/stress2/misc/syzkaller26.sh (revision 81ad6265) 
1#!/bin/sh
2
3# panic: Bad link elm 0xfffff8001a83db00 prev->next != elm
4# cpuid = 21
5# time = 1605387390
6# KDB: stack backtrace:
7# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0100a983e0
8# vpanic() at vpanic+0x182/frame 0xfffffe0100a98430
9# panic() at panic+0x43/frame 0xfffffe0100a98490
10# _callout_stop_safe() at _callout_stop_safe+0x726/frame 0xfffffe0100a98520
11# filt_timerdetach() at filt_timerdetach+0x20/frame 0xfffffe0100a98540
12# kqueue_drain() at kqueue_drain+0x2c8/frame 0xfffffe0100a98580
13# kqueue_close() at kqueue_close+0x7d/frame 0xfffffe0100a985c0
14# _fdrop() at _fdrop+0x1b/frame 0xfffffe0100a985e0
15# closef() at closef+0x1ea/frame 0xfffffe0100a98670
16# fdescfree_fds() at fdescfree_fds+0x8c/frame 0xfffffe0100a986d0
17# fdescfree() at fdescfree+0x3cd/frame 0xfffffe0100a987a0
18# exit1() at exit1+0x487/frame 0xfffffe0100a98810
19# sigexit() at sigexit+0x15c/frame 0xfffffe0100a98ae0
20# postsig() at postsig+0x2cc/frame 0xfffffe0100a98bb0
21# ast() at ast+0x5eb/frame 0xfffffe0100a98bf0
22# doreti_ast() at doreti_ast+0x1f/frame 0x7fffffffe570
23# KDB: enter: panic
24# [ thread pid 82279 tid 100717 ]
25# Stopped at      kdb_enter+0x37: movq    $0,0x10aa7f6(%rip)
26# db> x/s version
27# version:        FreeBSD 13.0-CURRENT #0 r367672: Sat Nov 14 08:42:14 CET 2020
28# pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO
29# db>
30
31[ `uname -p` != "amd64" ] && exit 0
32
33# Fixed by r367849
34
35. ../default.cfg
36cat > /tmp/syzkaller26.c <<EOF
37// https://syzkaller.appspot.com/bug?id=95ac7e30218c63bc9322b1dd775101f8f88de4ff
38// autogenerated by syzkaller (https://github.com/google/syzkaller)
39// Reported-by: syzbot+1b27e0237aa22d8adffa@syzkaller.appspotmail.com
40
41#define _GNU_SOURCE
42
43#include <sys/types.h>
44
45#include <pwd.h>
46#include <signal.h>
47#include <stdarg.h>
48#include <stdbool.h>
49#include <stdint.h>
50#include <stdio.h>
51#include <stdlib.h>
52#include <string.h>
53#include <sys/endian.h>
54#include <sys/syscall.h>
55#include <sys/wait.h>
56#include <time.h>
57#include <unistd.h>
58
59static void kill_and_wait(int pid, int* status)
60{
61  kill(pid, SIGKILL);
62  while (waitpid(-1, status, 0) != pid) {
63  }
64}
65
66static void sleep_ms(uint64_t ms)
67{
68  usleep(ms * 1000);
69}
70
71static uint64_t current_time_ms(void)
72{
73  struct timespec ts;
74  if (clock_gettime(CLOCK_MONOTONIC, &ts))
75    exit(1);
76  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
77}
78
79static void execute_one(void);
80
81#define WAIT_FLAGS 0
82
83static void loop(void)
84{
85  int iter = 0;
86  for (;; iter++) {
87    int pid = fork();
88    if (pid < 0)
89      exit(1);
90    if (pid == 0) {
91      execute_one();
92      exit(0);
93    }
94    int status = 0;
95    uint64_t start = current_time_ms();
96    for (;;) {
97      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
98        break;
99      sleep_ms(1);
100      if (current_time_ms() - start < 5 * 1000)
101        continue;
102      kill_and_wait(pid, &status);
103      break;
104    }
105  }
106}
107
108uint64_t r[1] = {0xffffffffffffffff};
109
110void execute_one(void)
111{
112  intptr_t res = 0;
113  res = syscall(SYS_kqueue);
114  if (res != -1)
115    r[0] = res;
116  *(uint64_t*)0x20000000 = 3;
117  *(uint16_t*)0x20000008 = 0xfff3;
118  *(uint16_t*)0x2000000a = 0x4000;
119  *(uint32_t*)0x2000000c = 0x1000000;
120  *(uint64_t*)0x20000010 = 0xe;
121  *(uint64_t*)0x20000018 = 0xff;
122  *(uint64_t*)0x20000020 = 2;
123  *(uint64_t*)0x20000028 = 2;
124  *(uint64_t*)0x20000030 = 4;
125  *(uint64_t*)0x20000038 = 0xffffffffffffff90;
126  *(uint64_t*)0x20000040 = 0x101;
127  *(uint16_t*)0x20000048 = 0xfff6;
128  *(uint16_t*)0x2000004a = 0x22;
129  *(uint32_t*)0x2000004c = 0x20;
130  *(uint64_t*)0x20000050 = 0xe1;
131  *(uint64_t*)0x20000058 = -1;
132  *(uint64_t*)0x20000060 = 0x81;
133  *(uint64_t*)0x20000068 = 4;
134  *(uint64_t*)0x20000070 = 0x8000;
135  *(uint64_t*)0x20000078 = 9;
136  *(uint64_t*)0x20000080 = 0;
137  *(uint16_t*)0x20000088 = 0xfff9;
138  *(uint16_t*)0x2000008a = 0xefc9;
139  *(uint32_t*)0x2000008c = 4;
140  *(uint64_t*)0x20000090 = 0;
141  *(uint64_t*)0x20000098 = 0x400;
142  *(uint64_t*)0x200000a0 = 0x2e77;
143  *(uint64_t*)0x200000a8 = 2;
144  *(uint64_t*)0x200000b0 = 0x7fffffff;
145  *(uint64_t*)0x200000b8 = 7;
146  syscall(SYS_kevent, r[0], 0x20000000ul, 3ul, 0x200000c0ul, 9ul, 0ul);
147}
148int main(void)
149{
150  sleep(2);	/* pho */
151  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
152  loop();
153  return 0;
154}
155EOF
156mycc -o /tmp/syzkaller26 -Wall -Wextra -O0 /tmp/syzkaller26.c ||
157    exit 1
158
159(cd ../testcases/swap; ./swap -t 1m -i 20 -h > /dev/null 2>&1) &
160for i in `jot 256`; do
161	(cd /tmp; timeout 3m ./syzkaller26) &
162done
163wait
164
165rm -rf /tmp/syzkaller26 /tmp/syzkaller26.c /tmp/syzkaller.*
166exit 0
167