14d0adee4SPeter Holm#!/bin/sh
24d0adee4SPeter Holm
34d0adee4SPeter Holm# panic: already suspended
44d0adee4SPeter Holm# cpuid = 6
54d0adee4SPeter Holm# time = 1651176216
64d0adee4SPeter Holm# KDB: stack backtrace:
74d0adee4SPeter Holm# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe014194ea70
84d0adee4SPeter Holm# vpanic() at vpanic+0x17f/frame 0xfffffe014194eac0
94d0adee4SPeter Holm# panic() at panic+0x43/frame 0xfffffe014194eb20
104d0adee4SPeter Holm# thread_single() at thread_single+0x774/frame 0xfffffe014194eb90
114d0adee4SPeter Holm# reap_kill_proc() at reap_kill_proc+0x296/frame 0xfffffe014194ebf0
124d0adee4SPeter Holm# reap_kill() at reap_kill+0x371/frame 0xfffffe014194ed00
134d0adee4SPeter Holm# kern_procctl() at kern_procctl+0x30b/frame 0xfffffe014194ed70
144d0adee4SPeter Holm# sys_procctl() at sys_procctl+0x11e/frame 0xfffffe014194ee00
154d0adee4SPeter Holm# amd64_syscall() at amd64_syscall+0x145/frame 0xfffffe014194ef30
164d0adee4SPeter Holm# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe014194ef30
174d0adee4SPeter Holm# --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8226f27aa, rsp = 0x82803ef48, rbp = 0x82803ef70 ---
184d0adee4SPeter Holm# KDB: enter: panic
194d0adee4SPeter Holm# [ thread pid 3074 tid 100404 ]
204d0adee4SPeter Holm# Stopped at      kdb_enter+0x32: movq    $0,0x12790b3(%rip)
214d0adee4SPeter Holm# db> x/s version
224d0adee4SPeter Holm# FreeBSD 14.0-CURRENT #0 main-n255099-0923ff82fb383: Thu Apr 28 09:48:48 CEST 2022
234d0adee4SPeter Holm# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
244d0adee4SPeter Holm# db>
254d0adee4SPeter Holm
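# The generated reproducer stores syscall arguments at fixed addresses with
# hard-coded struct offsets, which presumably only match the amd64 ABI, so
# silently skip elsewhere.  The substitution is quoted so an unexpected
# value can never be word-split into a malformed test expression.
[ "$(uname -p)" != "amd64" ] && exit 0

# Shared stress2 settings (mycc and friends are expected to come from here).
. ../default.cfg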
294d0adee4SPeter Holmcat > /tmp/syzkaller52.c <<EOF
304d0adee4SPeter Holm// https://syzkaller.appspot.com/bug?id=20185b6047d7371885412b56ff188be88f740eab
314d0adee4SPeter Holm// autogenerated by syzkaller (https://github.com/google/syzkaller)
324d0adee4SPeter Holm// Reported-by: syzbot+79cd12371d417441b175@syzkaller.appspotmail.com
334d0adee4SPeter Holm
344d0adee4SPeter Holm#define _GNU_SOURCE
354d0adee4SPeter Holm
364d0adee4SPeter Holm#include <sys/types.h>
374d0adee4SPeter Holm
384d0adee4SPeter Holm#include <dirent.h>
394d0adee4SPeter Holm#include <errno.h>
404d0adee4SPeter Holm#include <pthread.h>
414d0adee4SPeter Holm#include <pwd.h>
424d0adee4SPeter Holm#include <signal.h>
434d0adee4SPeter Holm#include <stdarg.h>
444d0adee4SPeter Holm#include <stdbool.h>
454d0adee4SPeter Holm#include <stdint.h>
464d0adee4SPeter Holm#include <stdio.h>
474d0adee4SPeter Holm#include <stdlib.h>
484d0adee4SPeter Holm#include <string.h>
494d0adee4SPeter Holm#include <sys/endian.h>
504d0adee4SPeter Holm#include <sys/resource.h>
514d0adee4SPeter Holm#include <sys/stat.h>
524d0adee4SPeter Holm#include <sys/syscall.h>
534d0adee4SPeter Holm#include <sys/wait.h>
544d0adee4SPeter Holm#include <time.h>
554d0adee4SPeter Holm#include <unistd.h>
564d0adee4SPeter Holm
/* Index of the sandbox being forked in main(); each child inherits the
 * value current at its fork().  Nothing else in this reproducer reads it. */
static unsigned long long procid;
584d0adee4SPeter Holm
/*
 * Forcibly terminate `pid` and reap it.  Because the wait is for -1, any
 * other child that exits meanwhile is reaped too and its status is thrown
 * away; only `pid`'s status is left in *status.  If `pid` is not a child
 * of ours this never returns.
 */
static void kill_and_wait(int pid, int* status)
{
  int reaped;

  kill(pid, SIGKILL);
  do {
    reaped = waitpid(-1, status, 0);
  } while (reaped != pid);
}
654d0adee4SPeter Holm
/* Sleep for `ms` milliseconds (usleep granularity; may be cut short by a signal). */
static void sleep_ms(uint64_t ms)
{
  const uint64_t us_per_ms = 1000;

  usleep(ms * us_per_ms);
}
704d0adee4SPeter Holm
/*
 * Monotonic clock in whole milliseconds.  Used for all timeouts in this
 * file so wall-clock jumps cannot shorten or extend a wait.  A failing
 * clock_gettime() terminates the process.
 */
static uint64_t current_time_ms(void)
{
  struct timespec now;
  const uint64_t ns_per_ms = 1000000;

  if (clock_gettime(CLOCK_MONOTONIC, &now) != 0)
    exit(1);
  return (uint64_t)now.tv_sec * 1000 + (uint64_t)now.tv_nsec / ns_per_ms;
}
784d0adee4SPeter Holm
/*
 * Create a fresh "./syzkaller.XXXXXX" directory under the current
 * directory, make it mode 0777 and chdir into it.  Any failure ends the
 * process.
 * NOTE(review): 0777 makes the scratch directory writable by every local
 * user.  That is tolerable for a throw-away stress run; do not reuse this
 * helper where other, untrusted users share the filesystem.
 */
static void use_temporary_dir(void)
{
  char name[] = "./syzkaller.XXXXXX";

  /* mkdtemp() fills in the X's in place, so `name` is the created path. */
  if (mkdtemp(name) == NULL || chmod(name, 0777) != 0 || chdir(name) != 0)
    exit(1);
}
904d0adee4SPeter Holm
/*
 * Recursively delete `dir`.  Entries are inspected with lstat(), so
 * symlinks are unlinked rather than followed.  A directory that cannot be
 * opened because of EACCES is handed straight to rmdir(); every other
 * failure terminates the process.  The noinline attribute is kept from
 * the generated code (it bounds stack use of the recursion).
 */
static void __attribute__((noinline)) remove_dir(const char* dir)
{
  DIR* handle = opendir(dir);

  if (handle == NULL) {
    /* Cannot enumerate it; an unreadable directory may still be empty. */
    if (errno != EACCES || rmdir(dir))
      exit(1);
    return;
  }
  for (struct dirent* ent = readdir(handle); ent != NULL; ent = readdir(handle)) {
    const char* name = ent->d_name;
    if (!strcmp(name, ".") || !strcmp(name, ".."))
      continue;
    char path[FILENAME_MAX];
    snprintf(path, sizeof(path), "%s/%s", dir, name);
    struct stat sb;
    if (lstat(path, &sb))
      exit(1);
    if (S_ISDIR(sb.st_mode))
      remove_dir(path);
    else if (unlink(path))
      exit(1);
  }
  closedir(handle);
  if (rmdir(dir))
    exit(1);
}
1224d0adee4SPeter Holm
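/*
 * Start a worker running fn(arg) on a 128 KiB stack.
 *
 * pthread_create() reports failure through its return value and is not
 * required to set errno, so the return value is what decides whether to
 * retry: EAGAIN (thread/stack resources exhausted) is retried up to 100
 * times with a 50 us pause, any other error aborts the process.  The
 * original checked errno here, which can miss EAGAIN returned without a
 * failing syscall underneath and then exit instead of retrying.
 *
 * The pthread_t is discarded: workers are never joined and live until
 * the process exits.
 */
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  int attempt;
  int rc = 0;

  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  for (attempt = 0; attempt < 100; attempt++) {
    rc = pthread_create(&th, &attr, fn, arg);
    if (rc == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (rc != EAGAIN)
      break;
    usleep(50);
  }
  pthread_attr_destroy(&attr);
  exit(1);
}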
1434d0adee4SPeter Holm
/* One-shot signal used to hand work between execute_one() and a worker:
 * `state` is 0 until event_set() makes it 1; `mu` guards it, `cv` wakes
 * waiters.  Cleared again with event_reset(). */
typedef struct {
  pthread_mutex_t mu;
  pthread_cond_t cv;
  int state;
} event_t;
1494d0adee4SPeter Holm
/* Initialise `ev` in the not-signalled state; any pthread failure is fatal. */
static void event_init(event_t* ev)
{
  int rc = pthread_mutex_init(&ev->mu, NULL);

  if (rc == 0)
    rc = pthread_cond_init(&ev->cv, NULL);
  if (rc != 0)
    exit(1);
  ev->state = 0;
}
1584d0adee4SPeter Holm
/* Mark `ev` as not signalled.  No lock is taken: the callers only reset an
 * event they alone own at that moment (thr() right after event_wait(),
 * execute_one() right after seeing `done` set), so ordering rests on that
 * protocol rather than on `mu` -- presumably intentional in the generated
 * code; confirm before reusing elsewhere. */
static void event_reset(event_t* ev)
{
  ev->state = 0;
}
1634d0adee4SPeter Holm
/*
 * Signal `ev` and wake every waiter.  Setting an event that is already
 * set is a protocol violation and terminates the process.
 */
static void event_set(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  if (ev->state != 0)
    exit(1); /* double set */
  ev->state = 1;
  pthread_mutex_unlock(&ev->mu);
  /* Broadcast outside the lock; waiters re-check `state` under `mu`. */
  pthread_cond_broadcast(&ev->cv);
}
1734d0adee4SPeter Holm
/* Block until `ev` is signalled (spurious wake-ups are re-checked). */
static void event_wait(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  for (;;) {
    if (ev->state)
      break;
    pthread_cond_wait(&ev->cv, &ev->mu);
  }
  pthread_mutex_unlock(&ev->mu);
}
1814d0adee4SPeter Holm
/* Return the current signalled state of `ev` (1 or 0), read under `mu`. */
static int event_isset(event_t* ev)
{
  int set;

  pthread_mutex_lock(&ev->mu);
  set = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return set;
}
1894d0adee4SPeter Holm
/*
 * Wait for `ev` to be signalled, but at most `timeout` milliseconds as
 * measured by current_time_ms().  Returns the state seen on exit: 1 if
 * the event was set, 0 on timeout.
 *
 * NOTE(review): `ts` is filled with the *remaining* interval only, while
 * pthread_cond_timedwait() expects an absolute deadline (by default on
 * CLOCK_REALTIME).  That deadline therefore lies in 1970 and the call most
 * likely returns ETIMEDOUT immediately, so this loop ends up polling
 * `state` in a tight loop until `timeout` elapses.  The observable result
 * (a bounded wait) is unchanged; the cost is CPU.  Deliberately left as
 * generated so the reproducer's timing is not altered.
 */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  pthread_mutex_lock(&ev->mu);
  for (;;) {
    if (ev->state)
      break;
    /* `remain` cannot underflow: the loop breaks once now-start > timeout. */
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
    now = current_time_ms();
    if (now - start > timeout)
      break;
  }
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}
2114d0adee4SPeter Holm
/* Set both the soft and hard limit of `resource` to `value`; the result
 * is ignored, exactly as the generated code did. */
static void apply_limit(int resource, rlim_t value)
{
  struct rlimit lim;

  lim.rlim_cur = value;
  lim.rlim_max = value;
  setrlimit(resource, &lim);
}

/*
 * Resource limits applied to every sandbox process before it starts
 * issuing syscalls, so a runaway program cannot take the box down by
 * itself: 128 MiB address space, 8 MiB locked memory, 1 MiB files and
 * stack, no core dumps, 256 descriptors.  Failures are silently ignored.
 */
static void sandbox_common()
{
  apply_limit(RLIMIT_AS, 128 << 20);
  apply_limit(RLIMIT_MEMLOCK, 8 << 20);
  apply_limit(RLIMIT_FSIZE, 1 << 20);
  apply_limit(RLIMIT_STACK, 1 << 20);
  apply_limit(RLIMIT_CORE, 0);
  apply_limit(RLIMIT_NOFILE, 256);
}
2284d0adee4SPeter Holm
/* Defined further down; the fork-per-iteration driver run by do_sandbox_none(). */
static void loop();
2304d0adee4SPeter Holm
/*
 * "No sandbox" mode: only the resource limits from sandbox_common() are
 * applied, then the driver loop runs.  loop() never returns, so the
 * return value is nominal.
 */
static int do_sandbox_none(void)
{
  sandbox_common();
  loop();
  return 0;
}
2374d0adee4SPeter Holm
/* Per-worker slot shared between execute_one() (producer) and thr() (worker). */
struct thread_t {
  int created, call;   /* created: thread has been started; call: index handed to execute_call() */
  event_t ready, done; /* ready: a call is waiting to run; done: the worker is idle again */
};
2424d0adee4SPeter Holm
static struct thread_t threads[16]; /* worker pool, started lazily by execute_one() */
static void execute_call(int call);
static int running; /* calls currently executing; updated with relaxed atomics */
2464d0adee4SPeter Holm
/*
 * Worker body: wait for a call index on `ready`, execute it, decrement the
 * global `running` count and report back on `done`.  Runs until the process
 * exits; the return statement is unreachable.
 */
static void* thr(void* arg)
{
  struct thread_t* self = (struct thread_t*)arg;

  while (1) {
    event_wait(&self->ready);
    event_reset(&self->ready);
    execute_call(self->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&self->done);
  }
  return 0;
}
2594d0adee4SPeter Holm
/*
 * Run the 14 calls of the program once, each on a worker thread.  For
 * every call the first idle worker (its `done` event set) is started on
 * demand, handed the call index and given 50 ms to finish.  A worker that
 * is still busy after that -- e.g. parked in sigsuspend() by call 0 -- is
 * skipped on the next call, so later calls go to other threads and may
 * overlap with the stuck one; that overlap is what the reproducer needs.
 * If all 16 workers are busy the call is silently dropped.
 */
static void execute_one(void)
{
  int i, call, thread;
  for (call = 0; call < 14; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
         thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        /* First use of this slot: start the worker, initially idle. */
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue; /* still busy with an earlier call */
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      event_timedwait(&th->done, 50);
      break;
    }
  }
  /* Let straggling calls drain for up to ~100 ms before returning. */
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}
2874d0adee4SPeter Holm
static void execute_one(void);

/* Extra flags OR'ed into the waitpid() in loop(); none are needed here. */
#define WAIT_FLAGS 0
2914d0adee4SPeter Holm
/*
 * Per-sandbox driver, never returns.  Each iteration creates a scratch
 * directory "./<iter>", forks a child that chdir()s into it and runs the
 * program once via execute_one(), waits up to 5 s for that child and
 * SIGKILLs it otherwise, then removes the directory.  Any other child
 * reaped by the waitpid(-1) below is simply ignored.
 */
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    char cwdbuf[32]; /* "./" plus at most 11 digits: fits comfortably */
    sprintf(cwdbuf, "./%d", iter);
    if (mkdir(cwdbuf, 0777))
      exit(1);
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      if (chdir(cwdbuf))
        exit(1);
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      /* Child overran its 5 s budget (e.g. a thread stuck in sigsuspend). */
      kill_and_wait(pid, &status);
      break;
    }
    remove_dir(cwdbuf);
  }
}
3234d0adee4SPeter Holm
/*
 * Results carried from one call to a later one (syzkaller "resources"):
 *   r[0]  shared-memory id returned by shmget (case 4)
 *   r[1]  this process's pid (case 5)
 *   r[2]  gid returned by getgid (case 10)
 *   r[3]  the 32-bit word at offset 0x10 of the procctl argument, read
 *         back after case 11 (for PROC_REAP_KILL that slot would be
 *         rk_fpid -- check against sys/procctl.h)
 * The array is copied into each fork()ed child, so every sandbox has its
 * own table.  It is written and read from different worker threads with
 * no synchronisation beyond execute_one()'s 50 ms per-call wait.
 */
uint64_t r[4] = {0x0, 0x0, 0x0, 0x0};
3254d0adee4SPeter Holm
/*
 * Execute call number `call` (0..13) of the syzkaller program.  All
 * pointer arguments live in the fixed RWX scratch mapping that main()
 * places at 0x20000000; the raw stores below are syzkaller's way of
 * laying out kernel structs at known addresses.  Field names mentioned in
 * the comments are inferred from the FreeBSD headers and should be
 * verified against them before relying on them.
 *
 * Cases 4, 5, 10 and 11 record results in r[] for later cases.  Case 11
 * (procctl with cmd 6 against our own pid) is the call in the panic
 * backtrace at the top of this file (sys_procctl -> reap_kill ->
 * reap_kill_proc -> thread_single), i.e. the trigger.  Call 0 parks the
 * worker that runs it in sigsuspend(), so that thread is still around
 * when the reaper kill walks the process -- presumably the ingredient
 * behind "already suspended".
 */
void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    /* sigsuspend() with a 16-byte mask (four 32-bit words, the size of a
     * FreeBSD sigset_t); the calling worker blocks here indefinitely. */
    *(uint32_t*)0x20000000 = 0x3f;
    *(uint32_t*)0x20000004 = 8;
    *(uint32_t*)0x20000008 = 0x1000;
    *(uint32_t*)0x2000000c = 7;
    syscall(SYS_sigsuspend, 0x20000000ul);
    break;
  case 1:
    syscall(SYS_setgid, 0);
    break;
  case 2:
    /* getgroups(0, NULL): only asks for the count. */
    syscall(SYS_getgroups, 0ul, 0ul);
    break;
  case 3:
    syscall(SYS_setegid, 0);
    break;
  case 4:
    /* shmget(key 0, 0x2000 bytes, flags 0x420); the fourth argument is
     * surplus and ignored by the syscall.  Id saved in r[0]. */
    res = syscall(SYS_shmget, 0ul, 0x2000ul, 0x420ul, 0x20ffd000ul);
    if (res != -1)
      r[0] = res;
    break;
  case 5:
    /* Own pid, saved in r[1] for cases 6, 11 and 12. */
    res = syscall(SYS_getpid);
    if (res != -1)
      r[1] = res;
    break;
  case 6:
    /* shmctl(r[0], cmd 1, buf): a 96-byte image laid out the way
     * syzkaller's FreeBSD description of the argument expects; the
     * layout is not verified here.  Uses the pid from r[1]. */
    *(uint32_t*)0x20000200 = -1;
    *(uint32_t*)0x20000204 = 0;
    *(uint32_t*)0x20000208 = -1;
    *(uint32_t*)0x2000020c = 0;
    *(uint16_t*)0x20000210 = 0xf965;
    *(uint16_t*)0x20000212 = 0x2000;
    *(uint32_t*)0x20000214 = 0;
    *(uint64_t*)0x20000218 = 0x2d;
    *(uint32_t*)0x20000220 = 0x1f;
    *(uint64_t*)0x20000228 = 2;
    *(uint64_t*)0x20000230 = 4;
    *(uint64_t*)0x20000238 = 0;
    *(uint32_t*)0x20000240 = r[1];
    *(uint32_t*)0x20000244 = -1;
    *(uint16_t*)0x20000248 = 7;
    *(uint16_t*)0x2000024a = 0;
    *(uint64_t*)0x20000250 = 0;
    *(uint64_t*)0x20000258 = 0;
    syscall(SYS_shmctl, r[0], 1ul, 0x20000200ul);
    break;
  case 7:
    syscall(SYS_getgid);
    break;
  case 8:
    /* __semctl(semid 0, semnum 0, cmd 1, NULL). */
    syscall(SYS___semctl, 0, 0ul, 1ul, 0ul);
    break;
  case 9:
    /* fhstat() with a fabricated file handle (fsid + 16 opaque bytes) and
     * a NULL stat buffer.  fhstat is normally a privileged operation;
     * whatever it returns here is ignored. */
    *(uint32_t*)0x20000300 = 4;
    *(uint32_t*)0x20000304 = 0;
    *(uint16_t*)0x20000308 = 7;
    *(uint16_t*)0x2000030a = 6;
    memcpy((void*)0x2000030c,
           "\x26\xb9\x52\x60\x70\xe1\xb8\x97\x99\x4b\x39\xd3\xea\x42\xe7\xed",
           16);
    syscall(SYS_fhstat, 0x20000300ul, 0ul);
    break;
  case 10:
    /* Own gid, saved in r[2] for case 12. */
    res = syscall(SYS_getgid);
    if (res != -1)
      r[2] = res;
    break;
  case 11:
    /* procctl(idtype 0, id = our pid, cmd 6, buf).  The backtrace in the
     * file header identifies cmd 6 as the reaper-kill path.  The first
     * five words look like struct procctl_reaper_kill {rk_sig = 3,
     * rk_flags = 0, rk_subtree = pid, rk_killed = 0x81, rk_fpid = pid},
     * remaining 60 bytes zeroed -- verify against sys/procctl.h.  After
     * the call the word at +0x10 is read back into r[3]. */
    *(uint32_t*)0x20000440 = 3;
    *(uint32_t*)0x20000444 = 0;
    *(uint32_t*)0x20000448 = r[1];
    *(uint32_t*)0x2000044c = 0x81;
    *(uint32_t*)0x20000450 = r[1];
    memset((void*)0x20000454, 0, 60);
    res = syscall(SYS_procctl, 0ul, r[1], 6ul, 0x20000440ul);
    if (res != -1)
      r[3] = *(uint32_t*)0x20000450;
    break;
  case 12:
    /* msgctl(-1, cmd 1, buf) with a 104-byte image that embeds r[2] (gid),
     * r[1] (pid) and r[3].  An id of -1 is presumably rejected by the
     * kernel; the call is kept because syzkaller found it part of the
     * minimal trigger sequence. */
    *(uint32_t*)0x200004c0 = 0;
    *(uint32_t*)0x200004c4 = 0;
    *(uint32_t*)0x200004c8 = 0;
    *(uint32_t*)0x200004cc = r[2];
    *(uint16_t*)0x200004d0 = 0x100;
    *(uint16_t*)0x200004d2 = 8;
    *(uint32_t*)0x200004d4 = 0;
    *(uint64_t*)0x200004d8 = 0x7ff;
    *(uint64_t*)0x200004e0 = 0x7f;
    *(uint64_t*)0x200004e8 = 0x81;
    *(uint64_t*)0x200004f0 = 0xfff;
    *(uint64_t*)0x200004f8 = 0x3a;
    *(uint64_t*)0x20000500 = 0x100000000;
    *(uint64_t*)0x20000508 = 9;
    *(uint32_t*)0x20000510 = r[1];
    *(uint32_t*)0x20000514 = r[3];
    *(uint64_t*)0x20000518 = 0;
    *(uint64_t*)0x20000520 = 0;
    syscall(SYS_msgctl, -1, 1ul, 0x200004c0ul);
    break;
  case 13:
    /* ioctl() on fd -1: fails with EBADF before any driver code runs. */
    syscall(SYS_ioctl, -1, 0xc0f24425ul, 0ul);
    break;
  }
}
/*
 * Entry point of the reproducer for the panic quoted at the top of the
 * file (a local kernel crash trigger; this program exists only to hit it
 * on a test box).
 *
 * Maps the 16 MiB scratch region at 0x20000000 that execute_call() writes
 * syscall arguments into -- prot 7 is read/write/execute, flags 0x1012
 * should be MAP_PRIVATE|MAP_FIXED|MAP_ANON on FreeBSD (verify against
 * sys/mman.h); the mmap result is not checked.  Then forks four
 * independent sandboxes, each in its own scratch directory, and parks
 * the parent for 1000000 s (about 11.5 days): the run is ended from the
 * outside, by timeout(1) in the wrapper script.  A failing fork() is not
 * detected; -1 is treated like the parent path and simply yields fewer
 * sandboxes.
 */
int main(void)
{
  const unsigned long scratch_base = 0x20000000ul;
  const unsigned long scratch_len = 0x1000000ul;

  syscall(SYS_mmap, scratch_base, scratch_len, 7ul, 0x1012ul, -1, 0ul);
  for (procid = 0; procid < 4; procid++) {
    pid_t child = fork();
    if (child == 0) {
      use_temporary_dir();
      do_sandbox_none(); /* never returns */
    }
  }
  sleep(1000000);
  return 0;
}
4474d0adee4SPeter HolmEOF
# Build the reproducer unoptimised; mycc is expected to come from
# ../default.cfg.
mycc -o /tmp/syzkaller52 -Wall -Wextra -O0 /tmp/syzkaller52.c -l pthread ||
    exit 1

# Run for roughly two minutes.  The binary never exits on its own (its
# main() sleeps for 1000000 s), so an iteration ends only when timeout(1)
# kills it after 3m -- unless the box panics first.  With a 3m run and a
# 120 s budget checked between iterations, the body normally runs once.
start=$(date +%s)
while [ $(( $(date +%s) - start )) -lt 120 ]; do
	(cd /tmp; timeout 3m ./syzkaller52)
done

# Clean up the binary, its source, any core file from the parent (the
# sandboxes themselves run with RLIMIT_CORE 0) and the scratch directories
# created by use_temporary_dir() under /tmp.
# NOTE(review): the fixed, predictable /tmp names and the cleanup glob
# follow the stress2 convention and assume no untrusted local user can
# pre-create or plant files at these paths while the test runs.
rm -rf /tmp/syzkaller52 /tmp/syzkaller52.c /tmp/syzkaller52.core \
    /tmp/syzkaller.??????
exit 0