1#!/bin/sh
2
3# panic: sleepq_add: td 0xfffffe00dffd8800 to sleep on wchan 0xffffffff81d9bee8 with sleeping prohibited
4# cpuid = 7
5# time = 1599685416
6# KDB: stack backtrace:
7# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00e656d5e0
8# vpanic() at vpanic+0x182/frame 0xfffffe00e656d630
9# panic() at panic+0x43/frame 0xfffffe00e656d690
10# sleepq_add() at sleepq_add+0x359/frame 0xfffffe00e656d6e0
11# _sx_xlock_hard() at _sx_xlock_hard+0x405/frame 0xfffffe00e656d780
12# _sx_xlock() at _sx_xlock+0xba/frame 0xfffffe00e656d7c0
13# inp_setmoptions() at inp_setmoptions+0xd5c/frame 0xfffffe00e656d970
14# ip_ctloutput() at ip_ctloutput+0x103/frame 0xfffffe00e656d9c0
15# rip_ctloutput() at rip_ctloutput+0x158/frame 0xfffffe00e656d9f0
16# sosetopt() at sosetopt+0xed/frame 0xfffffe00e656da50
17# kern_setsockopt() at kern_setsockopt+0xa8/frame 0xfffffe00e656dab0
18# sys_setsockopt() at sys_setsockopt+0x24/frame 0xfffffe00e656dad0
19# amd64_syscall() at amd64_syscall+0x159/frame 0xfffffe00e656dbf0
20# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe00e656dbf0
21# --- syscall (0, FreeBSD ELF64, nosys), rip = 0x80042819a, rsp = 0x7fffffffe958, rbp = 0x7fffffffe970 ---
22# KDB: enter: panic
23# [ thread pid 27447 tid 100183 ]
24# Stopped at      kdb_enter+0x37: movq    $0,0x10b7246(%rip)
25# db> x/s version
26# version: FreeBSD 13.0-CURRENT #0 r365508: Wed Sep  9 21:36:20 CEST 2020
27# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
28# db>
29
30# Fixed by r366795.
31
# The panic above was seen on amd64 only; other architectures pass trivially.
[ "$(uname -p)" != "amd64" ] && exit 0

# stress2 defaults (the mycc wrapper used below is expected to come from here).
. ../default.cfg
35cat > /tmp/syzkaller24.c <<EOF
36// https://syzkaller.appspot.com/bug?id=0f4996e03d94b16bb9e945ede3c9de343748e6ed
37// autogenerated by syzkaller (https://github.com/google/syzkaller)
38// Reported-by: syzbot+34f419947239a738ed34@syzkaller.appspotmail.com
39
40#define _GNU_SOURCE
41
#include <sys/types.h>

#include <errno.h>
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
57
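/*
 * Forcibly terminate the child `pid` and reap it, storing its wait status
 * in *status.  Called by loop() when a child exceeds its time budget.
 *
 * waitpid(-1) is kept (any child is reaped, as in the generated harness),
 * but the loop now ends on a hard waitpid error: the original spun forever
 * on ECHILD when the child had already been reaped, hanging the test.
 */
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  for (;;) {
    int reaped = waitpid(-1, status, 0);
    if (reaped == pid)
      break;
    /* EINTR is a plain retry; anything else (ECHILD) means nothing is left
     * to wait for, so give up instead of busy-looping. */
    if (reaped == -1 && errno != EINTR)
      break;
  }
}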
64
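/*
 * Sleep for `ms` milliseconds (best effort; returns early if interrupted
 * by a signal, like the usleep(3) it replaces).
 *
 * usleep(3) takes a 32-bit useconds_t, so `ms * 1000` silently wraps for
 * large values and some implementations reject intervals of one second or
 * more; nanosleep(2) takes the split seconds/nanoseconds form and has
 * neither limit.
 */
static void sleep_ms(uint64_t ms)
{
  struct timespec ts = {
    .tv_sec = (time_t)(ms / 1000),
    .tv_nsec = (long)(ms % 1000) * 1000000L,
  };
  nanosleep(&ts, NULL);
}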
69
/*
 * Milliseconds since an arbitrary fixed point, read from the monotonic
 * clock (immune to wall-clock jumps, which matters for a timeout).
 * A failing clock_gettime(2) leaves the harness without a usable timer,
 * so the process exits rather than returning a bogus value.
 */
static uint64_t current_time_ms(void)
{
  struct timespec now;
  if (clock_gettime(CLOCK_MONOTONIC, &now) != 0)
    exit(1);
  uint64_t msec = (uint64_t)now.tv_sec * 1000u;
  msec += (uint64_t)now.tv_nsec / 1000000u;
  return msec;
}
77
/* One reproduction attempt; defined after loop() and run in a forked child. */
static void execute_one(void);

/* Extra flags OR'ed into the WNOHANG waitpid(2) poll in loop(); none are needed here. */
#define WAIT_FLAGS 0
81
/*
 * Driver: fork a child per attempt, let it run execute_one(), and reap it.
 * A child that is still alive after the time budget is killed so that a
 * hung attempt cannot stall the test; the loop itself never ends and is
 * bounded only by the timeout(1) in the enclosing shell script.
 */
static void loop(void)
{
  /* Budget for one child before it is considered hung. */
  enum { CHILD_TIMEOUT_MS = 5 * 1000 };

  for (;;) {
    int child = fork();
    if (child < 0)
      exit(1);
    if (child == 0) {
      execute_one();
      exit(0);
    }

    int status = 0;
    uint64_t started = current_time_ms();
    int reaped = 0;
    while (!reaped) {
      /* Non-blocking poll so the timeout below can be checked in between. */
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == child) {
        reaped = 1;
      } else {
        sleep_ms(1);
        if (current_time_ms() - started >= CHILD_TIMEOUT_MS) {
          kill_and_wait(child, &status);
          reaped = 1;
        }
      }
    }
  }
}
106
/* Syscall results shared with execute_one() (syzkaller convention): slot 0
 * holds the socket descriptor once socket(2) succeeds and stays at
 * UINT64_MAX (the all-ones "-1" sentinel) otherwise. */
uint64_t r[1] = { UINT64_MAX };
108
/*
 * One reproduction attempt, run in a forked child by loop().
 *
 * The syscall sequence is kept exactly as syzkaller emitted it.  The fixed
 * addresses below lie inside the region main() maps at 0x20000000, which is
 * where syzkaller keeps its syscall argument buffers.
 */
void execute_one(void)
{
  intptr_t res = 0;
  /* socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) -- the raw socket is what puts
   * rip_ctloutput() on the panic stack above.  The fd is kept only on success;
   * on failure r[0] stays at its all-ones sentinel and the setsockopt below is
   * issued against that bogus descriptor. */
  res = syscall(SYS_socket, 2ul, 3ul, 1);
  if (res != -1)
    r[0] = res;
  /* Three network-order IPv4 addresses at 0x20000180: 224.0.0.2, 127.0.0.1,
   * 127.0.0.1 -- laid out like a struct ip_mreq_source (group, source,
   * interface); confirm against <netinet/in.h>. */
  *(uint32_t*)0x20000180 = htobe32(0xe0000002);
  *(uint32_t*)0x20000184 = htobe32(0x7f000001);
  *(uint32_t*)0x20000188 = htobe32(0x7f000001);
  /* setsockopt(fd, IPPROTO_IP (0), 0x46, buf, <huge length>).  Option 0x46
   * (70) appears to be IP_ADD_SOURCE_MEMBERSHIP on FreeBSD -- verify in
   * <netinet/in.h>; it is the path that reaches inp_setmoptions() in the
   * trace.  The absurd option length is left as generated: the kernel is
   * expected to clamp or reject it, never to sleep with sleeping prohibited.
   * The return value is deliberately ignored; the pass condition is simply
   * that the kernel survives. */
  syscall(SYS_setsockopt, r[0], 0, 0x46, 0x20000180ul, 0x4414ae3732a778ful);
}
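/*
 * Entry point: set up the scratch mapping the generated reproducer writes
 * its syscall arguments into, then hand over to the fork/reap driver.
 *
 * Returns 0 only in theory -- loop() never returns; the shell wrapper bounds
 * the run with timeout(1).  Returns 1 if the mapping cannot be established.
 */
int main(void)
{
  /* 16 MiB at 0x20000000, PROT_READ|PROT_WRITE|PROT_EXEC (7),
   * MAP_PRIVATE|MAP_FIXED|MAP_ANON (0x1012 on FreeBSD), no backing fd.
   * execute_one() stores into 0x20000180 inside this region. */
  if (syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul) == -1) {
    /* Without the mapping every child would merely fault on its first store
     * and never exercise the kernel path under test; fail loudly instead of
     * spinning for the whole timeout on meaningless crashes. */
    perror("mmap");
    return 1;
  }
  loop();
  return 0;
}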
126EOF
# Compile the generated reproducer; -O0 keeps the syscall sequence as written.
mycc -o /tmp/syzkaller24 -Wall -Wextra -O0 /tmp/syzkaller24.c || exit 1

# The reproducer loops forever on its own, so bound the run here.  The pass
# condition is a surviving kernel; the program's exit status is not inspected.
(cd /tmp; timeout 3m ./syzkaller24)

rm -rf /tmp/syzkaller24 /tmp/syzkaller24.c /tmp/syzkaller.*
exit 0
134