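#!/bin/sh

# Regression test: a syzkaller-generated reproducer that panics an unpatched
# kernel from the process-exit path.  The backtrace below (kept verbatim from
# the original report) shows the chain: exit1() closes the process's file
# descriptors, closing /dev/filemon runs filemon_close_log(), which writes to
# the attached log descriptor -- here a SOCK_DGRAM unix socket whose send
# buffer was shrunk below the size of the queued data -- and
# uipc_dgram_sbspace() trips the sb_hiwat >= uxdg_cc assertion.
#
# panic: Assertion sb->sb_hiwat >= sb->uxdg_cc failed at ../../../kern/uipc_usrreq.c:1099
# cpuid = 9
# time = 1660909804
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01401e7970
# vpanic() at vpanic+0x151/frame 0xfffffe01401e79c0
# panic() at panic+0x43/frame 0xfffffe01401e7a20
# uipc_dgram_sbspace() at uipc_dgram_sbspace+0x51/frame 0xfffffe01401e7a30
# uipc_sosend_dgram() at uipc_sosend_dgram+0x690/frame 0xfffffe01401e7ac0
# sosend() at sosend+0x49/frame 0xfffffe01401e7af0
# soo_write() at soo_write+0x43/frame 0xfffffe01401e7b20
# filemon_close_log() at filemon_close_log+0xd5/frame 0xfffffe01401e7b90
# filemon_dtr() at filemon_dtr+0x31/frame 0xfffffe01401e7bb0
# devfs_destroy_cdevpriv() at devfs_destroy_cdevpriv+0xab/frame 0xfffffe01401e7bd0
# devfs_close_f() at devfs_close_f+0x64/frame 0xfffffe01401e7c00
# _fdrop() at _fdrop+0x1b/frame 0xfffffe01401e7c20
# closef() at closef+0x1db/frame 0xfffffe01401e7cb0
# fdescfree() at fdescfree+0x433/frame 0xfffffe01401e7d80
# exit1() at exit1+0x4df/frame 0xfffffe01401e7df0
# sys_exit() at sys_exit+0xd/frame 0xfffffe01401e7e00
# amd64_syscall() at amd64_syscall+0x145/frame 0xfffffe01401e7f30
# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01401e7f30
# --- syscall (1, FreeBSD ELF64, sys_exit), rip = 0x82301d16a, rsp = 0x8209bf628, rbp = 0x8209bf640 ---
# KDB: enter: panic
# [ thread pid 2876 tid 100222 ]
# Stopped at      x32:    movq    $0,0x12a1323(%rip)
# db> x/s version
# version: FreeBSD 14.0-CURRENT #0 main-n257506-eed634d113d-dirty: Thu Aug 18 13:56:53 CEST 2022
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO\012
# db>

# Shared stress2 configuration (defines mycc, among other things).
. ../default.cfg

# Only set when this script loaded filemon itself, so the (disabled) unload
# step below never removes a module that was already present.
loaded=

# The exact header list of the original reproducer was lost when this page
# was captured; the headers below are the ones the code actually needs
# (fixed-width ints, memcpy, SYS_* numbers and syscall()).
cat > /tmp/syzkaller62.c <<EOF
#include <sys/types.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* r[0]: /dev/filemon fd, r[1]: one end of the socketpair.  -1 = unset. */
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
	/* syzkaller convention: a fixed scratch mapping used for all syscall
	 * argument buffers below (PROT_READ|WRITE|EXEC, MAP_ANON|FIXED|...). */
	syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
	intptr_t res = 0;

	/* Open the filemon(4) device. */
	memcpy((void*)0x20000040, "/dev/filemon\000", 13);
	res = syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000040ul, 0ul, 0ul);
	if (res != -1)
		r[0] = res;

	/* socketpair(AF_UNIX=1, SOCK_DGRAM=2); keep the second descriptor. */
	res = syscall(SYS_socketpair, 1ul, 2ul, 0, 0x20000080ul);
	if (res != -1)
		r[1] = *(uint32_t*)0x20000084;

	/* Attach that datagram socket as filemon's log fd; 0xc0045301 decodes
	 * to FILEMON_SET_FD (_IOWR('S', 1, int)). */
	*(uint32_t*)0x200000c0 = r[1];
	syscall(SYS_ioctl, r[0], 0xc0045301ul, 0x200000c0ul);

	/* setsockopt(SOL_SOCKET=0xffff, SO_SNDBUF=0x1001, 3): shrink the send
	 * buffer below the size of the log record filemon will write on close.
	 * The write itself happens implicitly when exit() closes r[0]. */
	*(uint32_t*)0x20000040 = 3;
	syscall(SYS_setsockopt, r[1], 0xffff, 0x1001, 0x20000040ul, 4ul);
	return 0;
}
EOF
mycc -o /tmp/syzkaller62 -Wall -Wextra -O0 /tmp/syzkaller62.c || exit 1

# filemon is a loadable module; load it only if it is not already present.
kldstat | grep -q filemon || { kldload filemon.ko && loaded=1; }

# Run from /tmp so any core file lands there; the timeout bounds a hang.
(cd /tmp; timeout -k 3s 2s ./syzkaller62)

rm -rf /tmp/syzkaller62 /tmp/syzkaller62.c /tmp/syzkaller62.core \
    /tmp/syzkaller.??????

# Unload causes: Fatal trap 12: page fault while in kernel mode
#[ $loaded ] && kldunload -f filemon.ko
exit 0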