#!/bin/sh

# Regression test for a FreeBSD kernel panic reported by syzkaller: closing
# an SCTP socket at process exit ends up in _sleep() from soclose() and trips
# the "sleeping without a lock" assertion (panic text and backtrace below).
# The embedded C program is kept exactly as syzkaller generated it -- the
# precise syscall sequence, argument values and the fixed scratch mapping at
# 0x20000000 are what reproduce the bug, so do not "clean it up".
# On an unfixed kernel this test panics the machine; it belongs in a
# disposable test box like the rest of this suite.
#
# panic: sleeping without a lock
# cpuid = 17
# time = 1594020733
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe013e99d6d0
# vpanic() at vpanic+0x182/frame 0xfffffe013e99d720
# panic() at panic+0x43/frame 0xfffffe013e99d780
# _sleep() at _sleep+0x466/frame 0xfffffe013e99d820
# soclose() at soclose+0x12a/frame 0xfffffe013e99d890
# _fdrop() at _fdrop+0x1a/frame 0xfffffe013e99d8b0
# closef() at closef+0x1db/frame 0xfffffe013e99d940
# fdescfree_fds() at fdescfree_fds+0x3c/frame 0xfffffe013e99d990
# fdescfree() at fdescfree+0x36c/frame 0xfffffe013e99da50
# exit1() at exit1+0x487/frame 0xfffffe013e99dac0
# sys_sys_exit() at sys_sys_exit+0xd/frame 0xfffffe013e99dad0
# amd64_syscall() at amd64_syscall+0x159/frame 0xfffffe013e99dbf0
# fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe013e99dbf0
# --- syscall (1, FreeBSD ELF64, sys_sys_exit), rip = 0x8004513da, rsp = 0x7fffffffe548, rbp = 0x7fffffffe560 ---
# KDB: enter: panic
# [ thread pid 86998 tid 100362 ]
# Stopped at kdb_enter+0x37: movq $0,0x10c3a16(%rip)
# db> x/s version
# version:FreeBSD 13.0-CURRENT #2 r362887+d0cb7ae7cb9-c248258(mlnx3): Sat
# Jul 4 10:28:49 CEST 2020 pho@t2.osted.lan:/var/tmp/deviant2/sys/amd64/compile/PHO
# db>

# The reproducer hard-codes an amd64 address layout and the panic was seen on
# amd64 only; skip on other architectures.
[ `uname -p` != "amd64" ] && exit 0

# Shared test configuration; presumably this is where mycc (used below) comes
# from -- confirm in ../default.cfg.
. ../default.cfg
# NOTE: the heredoc is unquoted, so the C source must not contain any shell
# metacharacters (dollar signs, backticks, backslashes).  It currently does not.
cat > /tmp/syzkaller19.c <<EOF
// https://syzkaller.appspot.com/bug?id=2196001e8447f2133532abeabaea2ebc0351f67b
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// Reported-by: syzbot+e625d92c1dd74e402c81@syzkaller.appspotmail.com

#define _GNU_SOURCE

#include <sys/types.h>

#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Send SIGKILL to pid and reap it.  waitpid(-1) may reap other children on
// the way; the loop stops only once the target pid itself is returned and
// does not look at a -1 (error) return, so it would spin forever if the
// child had already been reaped.  Acceptable for a throwaway reproducer.
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  while (waitpid(-1, status, 0) != pid) {
  }
}

// Sleep for ms milliseconds.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock reading in milliseconds; terminates the process if the
// clock cannot be read.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

#define WAIT_FLAGS 0

// Driver: fork a fresh child per iteration, run execute_one() in it and let
// it exit, polling with WNOHANG every 1 ms.  A child still alive after 5 s
// is killed and reaped.  The outer loop never terminates on its own; the
// shell script stops the process with pkill.
static void loop(void)
{
  int iter;
  for (iter = 0;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5 * 1000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Result slot for the socket descriptor; stays all-ones (-1) unless
// execute_one() obtains a real fd.
uint64_t r[1] = {0xffffffffffffffff};

// One run of the syscall program.  Every buffer lives in the fixed scratch
// region that main() maps at 0x20000000.  Return values of bind/connect/
// sendmsg/setsockopt are deliberately ignored, as syzkaller emits them.
// The constant meanings noted below are the FreeBSD values as far as I can
// tell (AF_INET6 = 28, IPPROTO_SCTP = 132, SOL_SOCKET = 0xffff,
// SO_LINGER = 0x80) -- confirm against sys/socket.h and netinet/in.h.
void execute_one(void)
{
  intptr_t res = 0;
  // socket(0x1c, SOCK_STREAM, 0x84): looks like an AF_INET6 SCTP stream socket.
  res = syscall(SYS_socket, 0x1cul, 1ul, 0x84);
  if (res != -1)
    r[0] = res;
  // 28-byte sockaddr_in6 at 0x20000000: sin6_len = 28, sin6_family = 28,
  // port 0x4e22 (20002) in network order, flowinfo 0, address all-zero
  // (unspecified), scope id 0.
  *(uint8_t*)0x20000000 = 0x1c;
  *(uint8_t*)0x20000001 = 0x1c;
  *(uint16_t*)0x20000002 = htobe16(0x4e22);
  *(uint32_t*)0x20000004 = 0;
  *(uint8_t*)0x20000008 = 0;
  *(uint8_t*)0x20000009 = 0;
  *(uint8_t*)0x2000000a = 0;
  *(uint8_t*)0x2000000b = 0;
  *(uint8_t*)0x2000000c = 0;
  *(uint8_t*)0x2000000d = 0;
  *(uint8_t*)0x2000000e = 0;
  *(uint8_t*)0x2000000f = 0;
  *(uint8_t*)0x20000010 = 0;
  *(uint8_t*)0x20000011 = 0;
  *(uint8_t*)0x20000012 = 0;
  *(uint8_t*)0x20000013 = 0;
  *(uint8_t*)0x20000014 = 0;
  *(uint8_t*)0x20000015 = 0;
  *(uint8_t*)0x20000016 = 0;
  *(uint8_t*)0x20000017 = 0;
  *(uint32_t*)0x20000018 = 0;
  syscall(SYS_bind, r[0], 0x20000000ul, 0x1cul);
  // Second sockaddr_in6 at 0x20000180: same port, address 0...01, i.e. the
  // IPv6 loopback address, so the socket connects to itself.
  *(uint8_t*)0x20000180 = 0x1c;
  *(uint8_t*)0x20000181 = 0x1c;
  *(uint16_t*)0x20000182 = htobe16(0x4e22);
  *(uint32_t*)0x20000184 = 0;
  *(uint64_t*)0x20000188 = htobe64(0);
  *(uint64_t*)0x20000190 = htobe64(1);
  *(uint32_t*)0x20000198 = 0;
  syscall(SYS_connect, r[0], 0x20000180ul, 0x1cul);
  // struct msghdr at 0x20000080: NULL name, iov and control pointers, but a
  // msg_controllen of 0x60; sendmsg flags 0x10c.  Presumably this call just
  // fails -- it is kept because syzkaller found it part of the trigger.
  *(uint64_t*)0x20000080 = 0;
  *(uint32_t*)0x20000088 = 0;
  *(uint64_t*)0x20000090 = 0;
  *(uint64_t*)0x20000098 = 0;
  *(uint64_t*)0x200000a0 = 0;
  *(uint64_t*)0x200000a8 = 0x60;
  *(uint32_t*)0x200000b0 = 0;
  syscall(SYS_sendmsg, r[0], 0x20000080ul, 0x10cul);
  // setsockopt(fd, 0xffff, 0x80, {0xbd, 0}, 8): looks like SOL_SOCKET /
  // SO_LINGER with l_onoff != 0 and l_linger = 0.  Linger enabled with a zero
  // timeout means the implicit close(2) at process exit takes the lingering
  // path in soclose(), which matches the soclose() -> _sleep() frames in the
  // backtrace at the top of this file.  The fd is never closed explicitly;
  // the child simply exits.
  *(uint32_t*)0x200000c0 = 0xbd;
  *(uint32_t*)0x200000c4 = 0;
  syscall(SYS_setsockopt, r[0], 0xffff, 0x80, 0x200000c0ul, 8ul);
}
// Map the 16 MiB scratch region at 0x20000000 that execute_one() writes to
// (prot 7 = read/write/exec; flags 0x1012 look like MAP_FIXED | MAP_PRIVATE |
// MAP_ANON on FreeBSD -- confirm), then hand over to loop(), which does not
// return on its own.
int main(void)
{
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
  loop();
  return 0;
}
EOF
mycc -o /tmp/syzkaller19 -Wall -Wextra -O2 /tmp/syzkaller19.c -lpthread ||
    exit 1

# Run the reproducer for 60 s alongside the swap test case, which appears to
# be used here only as background memory pressure.  Neither job exits by
# itself within the window, hence the pkill.
(cd ../testcases/swap; ./swap -t 1m -i 20 -h > /dev/null 2>&1) &
(cd /tmp; ./syzkaller19) &
sleep 60
# pkill matches on process name, so this also hits any unrelated process
# called "swap" or "syzkaller19".
pkill -9 syzkaller19 swap
wait

rm -f /tmp/syzkaller19 /tmp/syzkaller19.c /tmp/syzkaller19.core
exit 0