1#!/bin/sh 2 3# 4# SPDX-License-Identifier: BSD-2-Clause 5# 6# Copyright (c) 2019 Dell EMC Isilon 7# 8# Redistribution and use in source and binary forms, with or without 9# modification, are permitted provided that the following conditions 10# are met: 11# 1. Redistributions of source code must retain the above copyright 12# notice, this list of conditions and the following disclaimer. 13# 2. Redistributions in binary form must reproduce the above copyright 14# notice, this list of conditions and the following disclaimer in the 15# documentation and/or other materials provided with the distribution. 16# 17# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27# SUCH DAMAGE. 28# 29 30# Reported by syzkaller. 31# "panic: vm_page_free_prep: page 0x61e5968 has unexpected ref_count ." seen 32# Fixed by r352748 33 34# Test scenario by: Mark Johnston <markj@freebsd.org> 35 36cat > /tmp/fexecve.c <<EOF 37#include <sys/param.h> 38#include <sys/mman.h> 39#include <sys/stat.h> 40 41#include <fcntl.h> 42#include <err.h> 43#include <stdlib.h> 44#include <stdio.h> 45#include <unistd.h> 46 47int 48main(int argc __unused, char **argv) 49{ 50 char template[PATH_MAX]; 51 void *addr; 52 size_t sz; 53 int fd; 54 55 sz = 16 * 4096; 56 57 (void)snprintf(template, sizeof(template), "fexecve.XXXXXX"); 58 fd = mkstemp(template); 59 if (fd < 0) 60 err(1, "mkstemp"); 61 if (fchmod(fd, 0700) < 0) 62 err(1, "fchmod"); 63 if (ftruncate(fd, sz) < 0) 64 err(1, "ftruncate"); 65 66 addr = mmap(NULL, sz, PROT_MAX(PROT_READ) | PROT_READ, MAP_SHARED, 67 fd, 0); 68 if (addr == MAP_FAILED) 69 err(1, "mmap"); 70 71 if (mlock(addr, sz) != 0) 72 err(1, "mlock"); 73 74 if (ftruncate(fd, 0) != 0) 75 err(1, "ftruncate"); 76 if (ftruncate(fd, sz) != 0) 77 err(1, "ftruncate"); 78 79 (void)close(fd); 80 81 fd = open(template, O_EXEC); 82 if (fd < 0) 83 err(1, "open"); 84 fexecve(fd, argv, NULL); 85 err(1, "fexecve"); 86 87 return (0); 88} 89EOF 90cc -o /tmp/fexecve -Wall -Wextra -O2 /tmp/fexecve.c || exit 1 91echo "Expect: fexecve: fexecve: Input/output error" 92(cd /tmp; /tmp/fexecve) 93 94rm -f /tmp/fexecve /tmp/fexecve.c /tmp/fexecve.?????? 95