#!/bin/sh

# Regression test (stress2 style): a syzkaller reproducer that triggered a
# kernel panic from setsockopt(2) on a raw IP socket, via inp_setmoptions()
# taking a sleepable lock where sleeping is prohibited (see backtrace below).

# panic: sleepq_add: td 0xfffffe00dffd8800 to sleep on wchan 0xffffffff81d9bee8 with sleeping prohibited
# cpuid = 7
# time = 1599685416
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00e656d5e0
# vpanic() at vpanic+0x182/frame 0xfffffe00e656d630
# panic() at panic+0x43/frame 0xfffffe00e656d690
# sleepq_add() at sleepq_add+0x359/frame 0xfffffe00e656d6e0
# _sx_xlock_hard() at _sx_xlock_hard+0x405/frame 0xfffffe00e656d780
# _sx_xlock() at _sx_xlock+0xba/frame 0xfffffe00e656d7c0
# inp_setmoptions() at inp_setmoptions+0xd5c/frame 0xfffffe00e656d970
# ip_ctloutput() at ip_ctloutput+0x103/frame 0xfffffe00e656d9c0
# rip_ctloutput() at rip_ctloutput+0x158/frame 0xfffffe00e656d9f0
# sosetopt() at sosetopt+0xed/frame 0xfffffe00e656da50
# kern_setsockopt() at kern_setsockopt+0xa8/frame 0xfffffe00e656dab0
# sys_setsockopt() at sys_setsockopt+0x24/frame 0xfffffe00e656dad0
# amd64_syscall() at amd64_syscall+0x159/frame 0xfffffe00e656dbf0
# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe00e656dbf0
# --- syscall (0, FreeBSD ELF64, nosys), rip = 0x80042819a, rsp = 0x7fffffffe958, rbp = 0x7fffffffe970 ---
# KDB: enter: panic
# [ thread pid 27447 tid 100183 ]
# Stopped at kdb_enter+0x37: movq $0,0x10b7246(%rip)
# db> x/s version
# version: FreeBSD 13.0-CURRENT #0 r365508: Wed Sep 9 21:36:20 CEST 2020
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
# db>

# Fixed by r366795.

# The reproducer hard-codes amd64 syscall numbers and a fixed mapping
# address; skip silently on other architectures.
[ `uname -p` != "amd64" ] && exit 0

# default.cfg supplies the test-suite environment (presumably including the
# mycc compiler wrapper used below -- confirm against ../default.cfg).
. ../default.cfg
# Unquoted heredoc: the C source below must not contain shell-expanded
# characters (dollar signs, backticks, backslashes).
cat > /tmp/syzkaller24.c <<EOF
// https://syzkaller.appspot.com/bug?id=0f4996e03d94b16bb9e945ede3c9de343748e6ed
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// Reported-by: syzbot+34f419947239a738ed34@syzkaller.appspotmail.com

#define _GNU_SOURCE

#include <sys/types.h>

#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/*
 * Forcibly terminate the child 'pid' and reap it.
 * Reaps any child (waitpid -1) until the one we asked for comes back.
 * NOTE: there is no check for waitpid() returning -1, so if 'pid' was
 * already reaped this spins forever; harmless here because loop() only
 * calls it for a child it has not yet reaped.
 */
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  while (waitpid(-1, status, 0) != pid) {
  }
}

/* Sleep for 'ms' milliseconds (usleep takes microseconds). */
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

/*
 * Monotonic wall time in milliseconds, used for the per-child timeout.
 * Exits the process if the clock cannot be read.
 */
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

#define WAIT_FLAGS 0

/*
 * Driver: fork a fresh child per iteration that runs execute_one() once.
 * The parent polls for the child every 1 ms and, if it has not exited
 * after 5 s, kills and reaps it. The outer loop never terminates on its
 * own; the shell wrapper bounds the run with timeout(1).
 */
static void loop(void)
{
  int iter __unused = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      /* Keep polling until the 5 s budget is spent. */
      if (current_time_ms() - start < 5 * 1000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

/* Syscall result slot; starts as (uint64_t)-1, i.e. "no fd yet". */
uint64_t r[1] = {0xffffffffffffffff};

/*
 * One reproducer iteration, run in a forked child.
 * 1. socket(AF_INET=2, SOCK_RAW=3, IPPROTO_ICMP=1); the fd is kept in r[0]
 *    only on success, otherwise the sentinel (-1) is passed on.
 * 2. Fill three big-endian 32-bit words at the scratch mapping created in
 *    main(): 224.0.0.2, 127.0.0.1, 127.0.0.1 -- the layout matches an
 *    ip_mreq_source (group, source, interface) -- presumably; verify
 *    against the kernel header.
 * 3. setsockopt(fd, IPPROTO_IP=0, 0x46, ptr, optlen) with a deliberately
 *    garbage optlen. 0x46 (70) is presumably IP_ADD_SOURCE_MEMBERSHIP,
 *    consistent with inp_setmoptions() in the panic backtrace; the kernel
 *    is expected to bound optlen itself.
 */
void execute_one(void)
{
  intptr_t res = 0;
  res = syscall(SYS_socket, 2ul, 3ul, 1);
  if (res != -1)
    r[0] = res;
  *(uint32_t*)0x20000180 = htobe32(0xe0000002);
  *(uint32_t*)0x20000184 = htobe32(0x7f000001);
  *(uint32_t*)0x20000188 = htobe32(0x7f000001);
  syscall(SYS_setsockopt, r[0], 0, 0x46, 0x20000180ul, 0x4414ae3732a778ful);
}
/*
 * Map a 16 MiB anonymous RWX region at the fixed address 0x20000000
 * (prot 7 = RWX, flags 0x1012 = MAP_FIXED|MAP_PRIVATE|MAP_ANON on FreeBSD)
 * that execute_one() uses as scratch space, then run the driver loop.
 * The mmap result is not checked; a failure would make the stores in
 * execute_one() fault, which only kills the child.
 */
int main(void)
{
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
  loop();
  return 0;
}
EOF
# Build the reproducer; -O0 keeps the syzkaller syscall sequence intact.
mycc -o /tmp/syzkaller24 -Wall -Wextra -O0 /tmp/syzkaller24.c ||
    exit 1

# loop() never returns by itself, so bound the run to 3 minutes.
# On an unfixed kernel this panics the machine rather than returning.
(cd /tmp; timeout 3m ./syzkaller24)

rm -rf /tmp/syzkaller24 /tmp/syzkaller24.c /tmp/syzkaller.*
exit 0