#!/bin/sh

# panic: Assertion (cnp->cn_flags & (LOCKPARENT | WANTPARENT)) == 0 failed at ../../../kern/vfs_lookup.c:490
# cpuid = 22
# time = 1620845561
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01499e7690
# vpanic() at vpanic+0x181/frame 0xfffffe01499e76e0
# panic() at panic+0x43/frame 0xfffffe01499e7740
# namei() at namei+0xb4e/frame 0xfffffe01499e77f0
# vn_open_cred() at vn_open_cred+0x11d/frame 0xfffffe01499e7960
# kern_openat() at kern_openat+0x28f/frame 0xfffffe01499e7ac0
# amd64_syscall() at amd64_syscall+0x147/frame 0xfffffe01499e7bf0
# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01499e7bf0
# --- syscall (0, FreeBSD ELF64, nosys), rip = 0x80038254a, rsp = 0x7fffffffe4f8, rbp = 0x7fffffffe540 ---
# KDB: enter: panic
# [ thread pid 2990 tid 100320 ]
# Stopped at kdb_enter+0x37: movq $0,0x12819de(%rip)
# db> x/s version
# version: FreeBSD 14.0-CURRENT #0 main-n246600-e681dd3e2c1-dirty: Wed May 12 07:56:58 CEST 2021
# pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO\012
# db>

# Fixed by: 6de3cf14c47d - main - vn_open_cred(): disallow O_CREAT | O_EMPTY_PATH

# Regression test for the panic above. The C program written below is the
# syzkaller-generated reproducer and is kept verbatim so that the syscall
# arguments stay exactly those of the reported case.

# The reproducer hard-codes a fixed mapping address (0x20000000) and the
# trace above is from amd64, so the test only runs on that architecture.
[ `uname -p` != "amd64" ] && exit 0
[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1

# Shared stress2 settings; presumably this is where the mycc wrapper used
# below comes from -- confirm in default.cfg.
. ../default.cfg
# Unquoted heredoc: the body contains no $, backticks or backslashes, so it
# is written out unchanged. The open(2) call passes flags 0x20c0200; per
# the fix commit cited above the triggering combination is
# O_CREAT | O_EMPTY_PATH -- confirm the bit values against sys/fcntl.h.
cat > /tmp/syzkaller38.c <<EOF
// https://syzkaller.appspot.com/bug?id=72344b68a3a10a92bf1ef18b0c8286409c81b1c9
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// Reported-by: syzbot+dbfd5b122ad66ae9a14b@syzkaller.appspotmail.com

#define _GNU_SOURCE

#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <unistd.h>

int main(void)
{
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);

  memset((void*)0x20000180, 0, 1);
  syscall(SYS_open, 0x20000180ul, 0x20c0200ul, 0ul);
  return 0;
}
EOF
# A failed compile is the only error exit of this script.
mycc -o /tmp/syzkaller38 -Wall -Wextra -O0 /tmp/syzkaller38.c ||
    exit 1

# Run in a subshell so the cd does not leak, with a 3 minute bound on the
# run time. The program's exit status is not checked: the failure mode
# being tested is the kernel panic above, not the reproducer's return code.
(cd /tmp; timeout 3m ./syzkaller38)

# Remove the reproducer binary and source plus any leftover syzkaller.* files.
rm -rf /tmp/syzkaller38 /tmp/syzkaller38.c /tmp/syzkaller.*
exit 0