18a272653SPeter Holm#!/bin/sh
28a272653SPeter Holm
38a272653SPeter Holm# Fatal trap 9: general protection fault while in kernel mode
48a272653SPeter Holm# cpuid = 5; apic id = 05
58a272653SPeter Holm# instruction pointer     = 0x20:0xffffffff8237cbac
68a272653SPeter Holm# stack pointer           = 0x28:0xfffffe01026e4910
78a272653SPeter Holm# frame pointer           = 0x28:0xfffffe01026e4980
88a272653SPeter Holm# code segment            = base 0x0, limit 0xfffff, type 0x1b
98a272653SPeter Holm#                         = DPL 0, pres 1, long 1, def32 0, gran 1
108a272653SPeter Holm# processor eflags        = interrupt enabled, resume, IOPL = 0
118a272653SPeter Holm# current process         = 45836 (syzkaller25)
128a272653SPeter Holm# trap number             = 9
138a272653SPeter Holm# panic: general protection fault
148a272653SPeter Holm# cpuid = 5
158a272653SPeter Holm# time = 1601745366
168a272653SPeter Holm# KDB: stack backtrace:
178a272653SPeter Holm# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01026e4620
188a272653SPeter Holm# vpanic() at vpanic+0x182/frame 0xfffffe01026e4670
198a272653SPeter Holm# panic() at panic+0x43/frame 0xfffffe01026e46d0
208a272653SPeter Holm# trap_fatal() at trap_fatal+0x387/frame 0xfffffe01026e4730
218a272653SPeter Holm# trap() at trap+0xa4/frame 0xfffffe01026e4840
228a272653SPeter Holm# calltrap() at calltrap+0x8/frame 0xfffffe01026e4840
238a272653SPeter Holm# --- trap 0x9, rip = 0xffffffff8237cbac, rsp = 0xfffffe01026e4910, rbp = 0xfffffe01026e4980 ---
248a272653SPeter Holm# sctp_inpcb_bind() at sctp_inpcb_bind+0x3cc/frame 0xfffffe01026e4980
258a272653SPeter Holm# sctp_connect() at sctp_connect+0x14f/frame 0xfffffe01026e49e0
268a272653SPeter Holm# soconnectat() at soconnectat+0xd0/frame 0xfffffe01026e4a30
278a272653SPeter Holm# kern_connectat() at kern_connectat+0xe2/frame 0xfffffe01026e4a90
288a272653SPeter Holm# sys_connect() at sys_connect+0x75/frame 0xfffffe01026e4ad0
298a272653SPeter Holm# amd64_syscall() at amd64_syscall+0x14e/frame 0xfffffe01026e4bf0
308a272653SPeter Holm# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01026e4bf0
318a272653SPeter Holm# --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8003b0a1a, rsp = 0x7fffdfffdbb8, rbp = 0x7fffdfffdf90 ---
328a272653SPeter Holm# KDB: enter: panic
338a272653SPeter Holm# [ thread pid 45836 tid 101772 ]
348a272653SPeter Holm# Stopped at      kdb_enter+0x37: movq    $0,0x10ac846(%rip)
358a272653SPeter Holm# db> x/s version
368a272653SPeter Holm# version: FreeBSD 13.0-CURRENT #0 r366401: Sat Oct  3 19:00:37 CEST 2020
378a272653SPeter Holm# pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO
388a272653SPeter Holm# db>
398a272653SPeter Holm
# The panic quoted above was observed on amd64 only; skip elsewhere.
if [ "$(uname -p)" != "amd64" ]; then
	exit 0
fi

. ../default.cfg
# The reproducer drives the SCTP stack, so the module has to be loaded first.
if ! kldstat -v | grep -q sctp; then
	kldload sctp.ko
fi
448a272653SPeter Holm
458a272653SPeter Holmcat > /tmp/syzkaller25.c <<EOF
468a272653SPeter Holm// https://syzkaller.appspot.com/bug?id=2e4fc04b5a5775777770f7244613571ca85da78a
478a272653SPeter Holm// autogenerated by syzkaller (https://github.com/google/syzkaller)
488a272653SPeter Holm// Reported-by: syzbot+77fcf6a9d28f301bc2e5@syzkaller.appspotmail.com
498a272653SPeter Holm
508a272653SPeter Holm#define _GNU_SOURCE
518a272653SPeter Holm
528a272653SPeter Holm#include <sys/types.h>
538a272653SPeter Holm
548a272653SPeter Holm#include <dirent.h>
558a272653SPeter Holm#include <errno.h>
568a272653SPeter Holm#include <pthread.h>
578a272653SPeter Holm#include <pwd.h>
588a272653SPeter Holm#include <setjmp.h>
598a272653SPeter Holm#include <signal.h>
608a272653SPeter Holm#include <stdarg.h>
618a272653SPeter Holm#include <stdbool.h>
628a272653SPeter Holm#include <stdint.h>
638a272653SPeter Holm#include <stdio.h>
648a272653SPeter Holm#include <stdlib.h>
658a272653SPeter Holm#include <string.h>
668a272653SPeter Holm#include <sys/endian.h>
678a272653SPeter Holm#include <sys/resource.h>
688a272653SPeter Holm#include <sys/stat.h>
698a272653SPeter Holm#include <sys/syscall.h>
708a272653SPeter Holm#include <sys/wait.h>
718a272653SPeter Holm#include <time.h>
728a272653SPeter Holm#include <unistd.h>
738a272653SPeter Holm
// Index of the forked worker (0..3); main() sets it before each fork().
static unsigned long long procid;

// Per-thread NONFAILING() nesting depth: while non-zero, segv_handler()
// recovers a fault outside the program's own range by longjmp'ing to segv_env.
static __thread int skip_segv;
static __thread jmp_buf segv_env;
788a272653SPeter Holm
// SIGSEGV/SIGBUS handler.  A fault is recoverable when a NONFAILING() region
// is active (skip_segv != 0) and either the signal is SIGBUS or the faulting
// address lies outside the 1 MiB..100 MiB (inclusive) window that holds the
// program itself.  Recoverable faults longjmp back into NONFAILING(); any
// other fault terminates the process with the signal number as exit status.
static void segv_handler(int sig, siginfo_t* info, void* ctx __unused)
{
  const uintptr_t lo = 1 << 20;
  const uintptr_t hi = 100 << 20;
  uintptr_t fault = (uintptr_t)info->si_addr;
  int inside_prog = fault >= lo && fault <= hi;
  int recoverable = (sig == SIGBUS) || !inside_prog;

  if (recoverable && __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0)
    _longjmp(segv_env, 1);
  exit(sig);
}
948a272653SPeter Holm
// Route SIGSEGV and SIGBUS to segv_handler.  SA_SIGINFO makes si_addr
// available to the handler; SA_NODEFER keeps the signal unblocked so that a
// later fault is still delivered after the handler longjmps out.
static void install_segv_handler(void)
{
  struct sigaction act = {0};
  act.sa_flags = SA_SIGINFO | SA_NODEFER;
  act.sa_sigaction = segv_handler;
  const int sigs[] = {SIGSEGV, SIGBUS};
  for (size_t i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++)
    sigaction(sigs[i], &act, NULL);
}
1048a272653SPeter Holm
// Evaluate the statement(s) in __VA_ARGS__ with faults made recoverable:
// skip_segv is raised so segv_handler() longjmps back here instead of
// exiting.  The expression yields 1 when the statements ran to completion
// and 0 when a fault was caught (GCC statement expression).  Note that the
// unquoted shell heredoc folds the backslash-newlines, so the generated
// /tmp/syzkaller25.c holds this macro on a single line.
#define NONFAILING(...)                                                        \
  ({                                                                           \
    int ok = 1;                                                                \
    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
    if (_setjmp(segv_env) == 0) {                                              \
      __VA_ARGS__;                                                             \
    } else                                                                     \
      ok = 0;                                                                  \
    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
    ok;                                                                        \
  })
1168a272653SPeter Holm
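// Forcibly terminate child pid and reap it, storing its wait status in
// *status.  Other children reaped on the way are discarded.  The loop stops
// on any waitpid() error other than EINTR (e.g. ECHILD when pid is not a
// child of ours) so that it cannot spin forever; *status is then whatever
// waitpid() last wrote.
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  for (;;) {
    int reaped = waitpid(-1, status, 0);
    if (reaped == pid)
      return;
    if (reaped == -1 && errno != EINTR)
      return;
  }
}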
1238a272653SPeter Holm
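// Sleep for ms milliseconds.  nanosleep() is used instead of usleep() so
// that durations of one second or more are valid, and a delivered signal
// resumes the sleep for the remaining time rather than cutting it short.
static void sleep_ms(uint64_t ms)
{
  struct timespec req;
  req.tv_sec = (time_t)(ms / 1000);
  req.tv_nsec = (long)(ms % 1000) * 1000000L;
  while (nanosleep(&req, &req) == -1 && errno == EINTR) {
    // nanosleep() wrote the unslept remainder back into req; go again
  }
}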
1288a272653SPeter Holm
// Milliseconds on the monotonic clock (not wall time); exits if the clock
// cannot be read.
static uint64_t current_time_ms(void)
{
  struct timespec now;
  if (clock_gettime(CLOCK_MONOTONIC, &now) != 0)
    exit(1);
  uint64_t whole_ms = (uint64_t)now.tv_sec * 1000;
  uint64_t frac_ms = (uint64_t)now.tv_nsec / 1000000;
  return whole_ms + frac_ms;
}
1368a272653SPeter Holm
// Create ./syzkaller.XXXXXX in the current directory, set it to mode 0777 and
// chdir into it.  Any failure is fatal.
static void use_temporary_dir(void)
{
  char name[] = "./syzkaller.XXXXXX";
  if (mkdtemp(name) == NULL || chmod(name, 0777) != 0 || chdir(name) != 0)
    exit(1);
}
1488a272653SPeter Holm
// Recursively delete dir and everything below it.  A directory that cannot
// be opened because of EACCES is attempted with a bare rmdir(); every other
// error is fatal.
static void __attribute__((noinline)) remove_dir(const char* dir)
{
  DIR* handle = opendir(dir);
  if (handle == NULL) {
    if (errno != EACCES || rmdir(dir) != 0)
      exit(1);
    return;
  }
  for (struct dirent* entry = readdir(handle); entry != NULL;
       entry = readdir(handle)) {
    const char* name = entry->d_name;
    // skip "." and ".."
    if (name[0] == '.' && (name[1] == 0 || (name[1] == '.' && name[2] == 0)))
      continue;
    char path[FILENAME_MAX];
    snprintf(path, sizeof(path), "%s/%s", dir, name);
    struct stat info;
    if (lstat(path, &info) != 0)
      exit(1);
    if (S_ISDIR(info.st_mode))
      remove_dir(path);
    else if (unlink(path) != 0)
      exit(1);
  }
  closedir(handle);
  if (rmdir(dir) != 0)
    exit(1);
}
1808a272653SPeter Holm
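// Start a worker thread running fn(arg) on a 128 KiB stack; the handle is
// dropped (the thread is never joined).  pthread_create() reports failure
// through its return value and does not set errno, so that value is what
// decides the retry: EAGAIN is retried up to 100 times with a 50 us pause,
// any other error or exhausting the retries exits the process.
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t tid;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  int rc = EAGAIN;
  for (int attempt = 0; attempt < 100 && rc == EAGAIN; attempt++) {
    rc = pthread_create(&tid, &attr, fn, arg);
    if (rc == EAGAIN)
      usleep(50);
  }
  pthread_attr_destroy(&attr);
  if (rc != 0)
    exit(1);
}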
2018a272653SPeter Holm
// Binary event: state goes 0 -> 1 in event_set() and back to 0 in
// event_reset(); mu guards state and cv wakes waiters.  Setting an event
// that is already set is fatal (see event_set()).
typedef struct {
  pthread_mutex_t mu;
  pthread_cond_t cv;
  int state;
} event_t;
2078a272653SPeter Holm
// Initialise mutex and condvar with default attributes and clear the event.
// Exits if either initialisation fails.
static void event_init(event_t* ev)
{
  int failed = pthread_mutex_init(&ev->mu, NULL) != 0;
  if (!failed)
    failed = pthread_cond_init(&ev->cv, NULL) != 0;
  if (failed)
    exit(1);
  ev->state = 0;
}
2168a272653SPeter Holm
// Mark the event as not signalled.  No lock is taken here.
static void event_reset(event_t* ev)
{
  int* slot = &ev->state;
  *slot = 0;
}
2218a272653SPeter Holm
// Signal the event and wake every waiter.  Signalling an event that is
// already set (no event_reset() in between) is a fatal error.
static void event_set(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  int already_set = ev->state;
  if (!already_set)
    ev->state = 1;
  pthread_mutex_unlock(&ev->mu);
  if (already_set)
    exit(1);
  pthread_cond_broadcast(&ev->cv);
}
2318a272653SPeter Holm
// Block until the event is set.  state is re-checked after every wakeup, so
// a spurious wakeup simply waits again.
static void event_wait(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  for (;;) {
    if (ev->state)
      break;
    pthread_cond_wait(&ev->cv, &ev->mu);
  }
  pthread_mutex_unlock(&ev->mu);
}
2398a272653SPeter Holm
// Snapshot of state taken under the lock; it may be stale by the time the
// caller looks at it.
static int event_isset(event_t* ev)
{
  int snapshot = 0;
  pthread_mutex_lock(&ev->mu);
  snapshot = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return snapshot;
}
2478a272653SPeter Holm
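// Wait up to timeout milliseconds for the event.  Returns the state seen when
// the wait ended: 1 if it was set, 0 on timeout.
//
// pthread_cond_timedwait() expects an ABSOLUTE deadline on the condvar's
// clock, which is CLOCK_REALTIME for a condvar created with default
// attributes as event_init() does.  Handing it the relative remainder would
// be a deadline in 1970, the call would return ETIMEDOUT immediately and the
// loop would spin until current_time_ms() crossed the timeout.  Elapsed-time
// accounting therefore stays on the monotonic clock and only the deadline
// handed to the condvar is built from CLOCK_REALTIME.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  pthread_mutex_lock(&ev->mu);
  while (!ev->state) {
    uint64_t elapsed = current_time_ms() - start;
    if (elapsed > timeout)
      break;
    uint64_t remain = timeout - elapsed;
    struct timespec deadline;
    if (clock_gettime(CLOCK_REALTIME, &deadline) != 0)
      break;
    deadline.tv_sec += (time_t)(remain / 1000);
    deadline.tv_nsec += (long)(remain % 1000) * 1000000L;
    if (deadline.tv_nsec >= 1000000000L) {
      deadline.tv_sec += 1;
      deadline.tv_nsec -= 1000000000L;
    }
    pthread_cond_timedwait(&ev->cv, &ev->mu, &deadline);
  }
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}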
2698a272653SPeter Holm
// Put the worker in its own session and cap its resources: 128 MiB address
// space, 8 MiB locked memory, 1 MiB file size, 1 MiB stack, no core files,
// 256 open files.  setrlimit() failures are ignored; a failed setsid() exits.
static void sandbox_common()
{
  if (setsid() == -1)
    exit(1);
  static const struct {
    int resource;
    rlim_t limit;
  } caps[] = {
      {RLIMIT_AS, 128 << 20},  {RLIMIT_MEMLOCK, 8 << 20},
      {RLIMIT_FSIZE, 1 << 20}, {RLIMIT_STACK, 1 << 20},
      {RLIMIT_CORE, 0},        {RLIMIT_NOFILE, 256},
  };
  for (size_t i = 0; i < sizeof(caps) / sizeof(caps[0]); i++) {
    struct rlimit rl = {caps[i].limit, caps[i].limit};
    setrlimit(caps[i].resource, &rl);
  }
}
2888a272653SPeter Holm
2898a272653SPeter Holmstatic void loop();
2908a272653SPeter Holm
// The only sandbox mode this reproducer uses: apply the resource limits, then
// enter loop(), which runs forever.  The return is only reached if loop()
// ever came back.
static int do_sandbox_none(void)
{
  int rc = 0;
  sandbox_common();
  loop();
  return rc;
}
2978a272653SPeter Holm
// One worker slot.  created is set once the pthread exists; call is the
// execute_call() index handed to it.  execute_one() signals ready to hand a
// call over and the thread signals done when it has finished.
struct thread_t {
  int created, call;
  event_t ready, done;
};
3028a272653SPeter Holm
// Worker pool, the per-call dispatcher (defined further down) and the count
// of threads currently inside execute_call(), kept with atomic add/sub.
static struct thread_t threads[16];
static void execute_call(int call);
static int running;
3068a272653SPeter Holm
// Worker thread body: wait for a call to be handed over, run it, drop the
// running count and report completion.  Loops forever.
static void* thr(void* arg)
{
  struct thread_t* self = arg;
  while (1) {
    event_wait(&self->ready);
    event_reset(&self->ready);
    execute_call(self->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&self->done);
  }
  return NULL;
}
3198a272653SPeter Holm
// Run the four cases of execute_call() over the worker pool, twice.  In the
// first pass each call goes to the first idle thread and is waited for (45 ms
// cap).  In the second, "collide" pass even-numbered calls are not waited
// for, so the next call can start while they are still running.  After each
// pass the in-flight calls get up to 100 ms to drain.
static void execute_one(void)
{
  const int nthreads = (int)(sizeof(threads) / sizeof(threads[0]));
  for (int collide = 0; collide < 2; collide++) {
    for (int call = 0; call < 4; call++) {
      for (int t = 0; t < nthreads; t++) {
        struct thread_t* th = &threads[t];
        if (!th->created) {
          th->created = 1;
          event_init(&th->ready);
          event_init(&th->done);
          event_set(&th->done);
          thread_start(thr, th);
        }
        if (!event_isset(&th->done))
          continue;
        event_reset(&th->done);
        th->call = call;
        __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
        event_set(&th->ready);
        if (!collide || (call % 2) != 0)
          event_timedwait(&th->done, 45);
        break;
      }
    }
    for (int i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
      sleep_ms(1);
  }
}
3558a272653SPeter Holm
3568a272653SPeter Holmstatic void execute_one(void);
3578a272653SPeter Holm
3588a272653SPeter Holm#define WAIT_FLAGS 0
3598a272653SPeter Holm
// Forever: create ./N, fork a child that chdirs there and runs execute_one(),
// give it five seconds, SIGKILL it if still alive, then remove the directory.
// The parent never returns from here.
static void loop(void)
{
  for (int iter = 0;; iter++) {
    char dirname[32];
    snprintf(dirname, sizeof(dirname), "./%d", iter);
    if (mkdir(dirname, 0777) != 0)
      exit(1);
    int child = fork();
    if (child == -1)
      exit(1);
    if (child == 0) {
      if (chdir(dirname) != 0)
        exit(1);
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t deadline = current_time_ms() + 5 * 1000;
    while (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) != child) {
      sleep_ms(1);
      if (current_time_ms() >= deadline) {
        kill_and_wait(child, &status);
        break;
      }
    }
    remove_dir(dirname);
  }
}
3918a272653SPeter Holm
// Resource slot filled by case 0 of execute_call(): the socket descriptor, or
// all-ones (-1) while no socket has been created yet.
uint64_t r[1] = {0xffffffffffffffff};
3938a272653SPeter Holm
// The reproducer body: one syscall per case, run by the worker threads in the
// order and with the overlap chosen by execute_one().  The sockaddr buffers
// are poked into the fixed mapping main() creates at 0x20000000, which is why
// every store goes through NONFAILING().  Numbers are raw FreeBSD ABI values:
// socket(2 = AF_INET, 5 = SOCK_SEQPACKET, 0x84 = IPPROTO_SCTP); each address
// is a 16-byte sockaddr_in (sin_len 0x10, sin_family 2, sin_port 0x4e23 +
// 4*procid in network order, sin_addr, eight bytes of sin_zero).  Case 1
// binds to INADDR_ANY, case 2 connects to 127.0.0.1 and case 3 to
// 172.20.procid.170; compare the sctp_connect()/sctp_inpcb_bind() frames in
// the backtrace at the top of this script.  bind/connect results are ignored.
void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0: // socket(AF_INET, SOCK_SEQPACKET, IPPROTO_SCTP) -> r[0]
    res = syscall(SYS_socket, 2ul, 5ul, 0x84);
    if (res != -1)
      r[0] = res;
    break;
  case 1: // bind(r[0], INADDR_ANY:port, 16)
    NONFAILING(*(uint8_t*)0x20000300 = 0x10);
    NONFAILING(*(uint8_t*)0x20000301 = 2);
    NONFAILING(*(uint16_t*)0x20000302 = htobe16(0x4e23 + procid * 4));
    NONFAILING(*(uint32_t*)0x20000304 = htobe32(0));
    NONFAILING(*(uint8_t*)0x20000308 = 0);
    NONFAILING(*(uint8_t*)0x20000309 = 0);
    NONFAILING(*(uint8_t*)0x2000030a = 0);
    NONFAILING(*(uint8_t*)0x2000030b = 0);
    NONFAILING(*(uint8_t*)0x2000030c = 0);
    NONFAILING(*(uint8_t*)0x2000030d = 0);
    NONFAILING(*(uint8_t*)0x2000030e = 0);
    NONFAILING(*(uint8_t*)0x2000030f = 0);
    syscall(SYS_bind, r[0], 0x20000300ul, 0x10ul);
    break;
  case 2: // connect(r[0], 127.0.0.1:port, 16)
    NONFAILING(*(uint8_t*)0x20000040 = 0x10);
    NONFAILING(*(uint8_t*)0x20000041 = 2);
    NONFAILING(*(uint16_t*)0x20000042 = htobe16(0x4e23 + procid * 4));
    NONFAILING(*(uint32_t*)0x20000044 = htobe32(0x7f000001));
    NONFAILING(*(uint8_t*)0x20000048 = 0);
    NONFAILING(*(uint8_t*)0x20000049 = 0);
    NONFAILING(*(uint8_t*)0x2000004a = 0);
    NONFAILING(*(uint8_t*)0x2000004b = 0);
    NONFAILING(*(uint8_t*)0x2000004c = 0);
    NONFAILING(*(uint8_t*)0x2000004d = 0);
    NONFAILING(*(uint8_t*)0x2000004e = 0);
    NONFAILING(*(uint8_t*)0x2000004f = 0);
    syscall(SYS_connect, r[0], 0x20000040ul, 0x10ul);
    break;
  case 3: // connect(r[0], 172.20.procid.170:port, 16)
    NONFAILING(*(uint8_t*)0x20000000 = 0x10);
    NONFAILING(*(uint8_t*)0x20000001 = 2);
    NONFAILING(*(uint16_t*)0x20000002 = htobe16(0x4e23 + procid * 4));
    NONFAILING(*(uint8_t*)0x20000004 = 0xac);
    NONFAILING(*(uint8_t*)0x20000005 = 0x14);
    NONFAILING(*(uint8_t*)0x20000006 = 0 + procid * 1);
    NONFAILING(*(uint8_t*)0x20000007 = 0xaa);
    NONFAILING(*(uint8_t*)0x20000008 = 0);
    NONFAILING(*(uint8_t*)0x20000009 = 0);
    NONFAILING(*(uint8_t*)0x2000000a = 0);
    NONFAILING(*(uint8_t*)0x2000000b = 0);
    NONFAILING(*(uint8_t*)0x2000000c = 0);
    NONFAILING(*(uint8_t*)0x2000000d = 0);
    NONFAILING(*(uint8_t*)0x2000000e = 0);
    NONFAILING(*(uint8_t*)0x2000000f = 0);
    syscall(SYS_connect, r[0], 0x20000000ul, 0x10ul);
    break;
  }
}
// Map a 16 MiB read/write/exec window at 0x20000000 (FreeBSD flags 0x1012 =
// MAP_ANON | MAP_FIXED | MAP_PRIVATE) that execute_call() writes its
// sockaddrs into, install the fault handler, fork four workers (procid 0..3)
// and park the parent; the shell wrapper's timeout ends the run.
int main(void)
{
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
  install_segv_handler();
  procid = 0;
  while (procid < 4) {
    pid_t child = fork();
    if (child == 0) {
      use_temporary_dir();
      do_sandbox_none();
    }
    procid++;
  }
  sleep(1000000);
  return 0;
}
4668a272653SPeter HolmEOF
if ! mycc -o /tmp/syzkaller25 -Wall -Wextra -O0 /tmp/syzkaller25.c -lpthread; then
	exit 1
fi

# Run the reproducer for three minutes with the stress2 swap test applying
# memory pressure in the background, then stop the swap test and reap it.
(cd ../testcases/swap; ./swap -t 1m -i 20 -h > /dev/null 2>&1) &
(cd /tmp; timeout 3m ./syzkaller25)
while pkill swap; do :; done
wait

# Clean up the binary, its source and the scratch directories it created.
rm -rf /tmp/syzkaller25 /tmp/syzkaller25.c /tmp/syzkaller.*
exit 0