xref: /freebsd/tools/test/stress2/misc/syzkaller39.sh (revision 014a2b1a1125fb0129258b8109dc33fd7bf24b14) 
1b3b69560SPeter Holm#!/bin/sh
2b3b69560SPeter Holm
3b3b69560SPeter Holm# panic: ktrace_enter: flag set
4b3b69560SPeter Holm# cpuid = 0
5b3b69560SPeter Holm# time = 1621577415
6b3b69560SPeter Holm# KDB: stack backtrace:
7b3b69560SPeter Holm# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01c0025670
8b3b69560SPeter Holm# vpanic() at vpanic+0x181/frame 0xfffffe01c00256c0
9b3b69560SPeter Holm# panic() at panic+0x43/frame 0xfffffe01c0025720
10b3b69560SPeter Holm# ktrnamei() at ktrnamei+0xdb/frame 0xfffffe01c0025750
11b3b69560SPeter Holm# namei() at namei+0x805/frame 0xfffffe01c0025800
12b3b69560SPeter Holm# vn_open_cred() at vn_open_cred+0x497/frame 0xfffffe01c0025970
13b3b69560SPeter Holm# sys_ktrace() at sys_ktrace+0x1a0/frame 0xfffffe01c0025ac0
14b3b69560SPeter Holm# amd64_syscall() at amd64_syscall+0x147/frame 0xfffffe01c0025bf0
15b3b69560SPeter Holm# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01c0025bf0
16b3b69560SPeter Holm# --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8003b054a, rsp = 0x7fffdfffdf68, rbp = 0x7fffdfffdf90 ---
17b3b69560SPeter Holm# KDB: enter: panic
18b3b69560SPeter Holm# [ thread pid 80729 tid 101297 ]
19b3b69560SPeter Holm# Stopped at      kdb_enter+0x37: movq    $0,0x1281d9e(%rip)
20b3b69560SPeter Holm# db> x/s version
21b3b69560SPeter Holm# version: FreeBSD 14.0-CURRENT #0 main-n246739-fc0dc94029d-dirty: Wed May 19 05:54:45 CEST 2021
22b3b69560SPeter Holm# pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO
23b3b69560SPeter Holm# db>
24b3b69560SPeter Holm
25b3b69560SPeter Holm[ `uname -p` != "amd64" ] && exit 0
26b3b69560SPeter Holm[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
27b3b69560SPeter Holm
28b3b69560SPeter Holm. ../default.cfg
29b3b69560SPeter Holmcat > /tmp/syzkaller39.c <<EOF
30b3b69560SPeter Holm// https://syzkaller.appspot.com/bug?id=01d7251d81bbf2bf91279ecc73897961cd72beea
31b3b69560SPeter Holm// autogenerated by syzkaller (https://github.com/google/syzkaller)
32b3b69560SPeter Holm// Reported-by: syzbot+d0a4de45e58d3c08af4b@syzkaller.appspotmail.com
33b3b69560SPeter Holm
34b3b69560SPeter Holm#define _GNU_SOURCE
35b3b69560SPeter Holm
36b3b69560SPeter Holm#include <errno.h>
37b3b69560SPeter Holm#include <pthread.h>
38b3b69560SPeter Holm#include <pwd.h>
39b3b69560SPeter Holm#include <stdarg.h>
40b3b69560SPeter Holm#include <stdbool.h>
41b3b69560SPeter Holm#include <stdint.h>
42b3b69560SPeter Holm#include <stdio.h>
43b3b69560SPeter Holm#include <stdlib.h>
44b3b69560SPeter Holm#include <string.h>
45b3b69560SPeter Holm#include <sys/endian.h>
46b3b69560SPeter Holm#include <sys/syscall.h>
47b3b69560SPeter Holm#include <time.h>
48b3b69560SPeter Holm#include <unistd.h>
49b3b69560SPeter Holm
50b3b69560SPeter Holmstatic void sleep_ms(uint64_t ms)
51b3b69560SPeter Holm{
52b3b69560SPeter Holm  usleep(ms * 1000);
53b3b69560SPeter Holm}
54b3b69560SPeter Holm
55b3b69560SPeter Holmstatic uint64_t current_time_ms(void)
56b3b69560SPeter Holm{
57b3b69560SPeter Holm  struct timespec ts;
58b3b69560SPeter Holm  if (clock_gettime(CLOCK_MONOTONIC, &ts))
59b3b69560SPeter Holm    exit(1);
60b3b69560SPeter Holm  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
61b3b69560SPeter Holm}
62b3b69560SPeter Holm
63b3b69560SPeter Holmstatic void thread_start(void* (*fn)(void*), void* arg)
64b3b69560SPeter Holm{
65b3b69560SPeter Holm  pthread_t th;
66b3b69560SPeter Holm  pthread_attr_t attr;
67b3b69560SPeter Holm  pthread_attr_init(&attr);
68b3b69560SPeter Holm  pthread_attr_setstacksize(&attr, 128 << 10);
69b3b69560SPeter Holm  int i = 0;
70b3b69560SPeter Holm  for (; i < 100; i++) {
71b3b69560SPeter Holm    if (pthread_create(&th, &attr, fn, arg) == 0) {
72b3b69560SPeter Holm      pthread_attr_destroy(&attr);
73b3b69560SPeter Holm      return;
74b3b69560SPeter Holm    }
75b3b69560SPeter Holm    if (errno == EAGAIN) {
76b3b69560SPeter Holm      usleep(50);
77b3b69560SPeter Holm      continue;
78b3b69560SPeter Holm    }
79b3b69560SPeter Holm    break;
80b3b69560SPeter Holm  }
81b3b69560SPeter Holm  exit(1);
82b3b69560SPeter Holm}
83b3b69560SPeter Holm
84b3b69560SPeter Holmtypedef struct {
85b3b69560SPeter Holm  pthread_mutex_t mu;
86b3b69560SPeter Holm  pthread_cond_t cv;
87b3b69560SPeter Holm  int state;
88b3b69560SPeter Holm} event_t;
89b3b69560SPeter Holm
90b3b69560SPeter Holmstatic void event_init(event_t* ev)
91b3b69560SPeter Holm{
92b3b69560SPeter Holm  if (pthread_mutex_init(&ev->mu, 0))
93b3b69560SPeter Holm    exit(1);
94b3b69560SPeter Holm  if (pthread_cond_init(&ev->cv, 0))
95b3b69560SPeter Holm    exit(1);
96b3b69560SPeter Holm  ev->state = 0;
97b3b69560SPeter Holm}
98b3b69560SPeter Holm
99b3b69560SPeter Holmstatic void event_reset(event_t* ev)
100b3b69560SPeter Holm{
101b3b69560SPeter Holm  ev->state = 0;
102b3b69560SPeter Holm}
103b3b69560SPeter Holm
104b3b69560SPeter Holmstatic void event_set(event_t* ev)
105b3b69560SPeter Holm{
106b3b69560SPeter Holm  pthread_mutex_lock(&ev->mu);
107b3b69560SPeter Holm  if (ev->state)
108b3b69560SPeter Holm    exit(1);
109b3b69560SPeter Holm  ev->state = 1;
110b3b69560SPeter Holm  pthread_mutex_unlock(&ev->mu);
111b3b69560SPeter Holm  pthread_cond_broadcast(&ev->cv);
112b3b69560SPeter Holm}
113b3b69560SPeter Holm
114b3b69560SPeter Holmstatic void event_wait(event_t* ev)
115b3b69560SPeter Holm{
116b3b69560SPeter Holm  pthread_mutex_lock(&ev->mu);
117b3b69560SPeter Holm  while (!ev->state)
118b3b69560SPeter Holm    pthread_cond_wait(&ev->cv, &ev->mu);
119b3b69560SPeter Holm  pthread_mutex_unlock(&ev->mu);
120b3b69560SPeter Holm}
121b3b69560SPeter Holm
122b3b69560SPeter Holmstatic int event_isset(event_t* ev)
123b3b69560SPeter Holm{
124b3b69560SPeter Holm  pthread_mutex_lock(&ev->mu);
125b3b69560SPeter Holm  int res = ev->state;
126b3b69560SPeter Holm  pthread_mutex_unlock(&ev->mu);
127b3b69560SPeter Holm  return res;
128b3b69560SPeter Holm}
129b3b69560SPeter Holm
130b3b69560SPeter Holmstatic int event_timedwait(event_t* ev, uint64_t timeout)
131b3b69560SPeter Holm{
132b3b69560SPeter Holm  uint64_t start = current_time_ms();
133b3b69560SPeter Holm  uint64_t now = start;
134b3b69560SPeter Holm  pthread_mutex_lock(&ev->mu);
135b3b69560SPeter Holm  for (;;) {
136b3b69560SPeter Holm    if (ev->state)
137b3b69560SPeter Holm      break;
138b3b69560SPeter Holm    uint64_t remain = timeout - (now - start);
139b3b69560SPeter Holm    struct timespec ts;
140b3b69560SPeter Holm    ts.tv_sec = remain / 1000;
141b3b69560SPeter Holm    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
142b3b69560SPeter Holm    pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
143b3b69560SPeter Holm    now = current_time_ms();
144b3b69560SPeter Holm    if (now - start > timeout)
145b3b69560SPeter Holm      break;
146b3b69560SPeter Holm  }
147b3b69560SPeter Holm  int res = ev->state;
148b3b69560SPeter Holm  pthread_mutex_unlock(&ev->mu);
149b3b69560SPeter Holm  return res;
150b3b69560SPeter Holm}
151b3b69560SPeter Holm
152b3b69560SPeter Holmstruct thread_t {
153b3b69560SPeter Holm  int created, call;
154b3b69560SPeter Holm  event_t ready, done;
155b3b69560SPeter Holm};
156b3b69560SPeter Holm
157b3b69560SPeter Holmstatic struct thread_t threads[16];
158b3b69560SPeter Holmstatic void execute_call(int call);
159b3b69560SPeter Holmstatic int running;
160b3b69560SPeter Holm
161b3b69560SPeter Holmstatic void* thr(void* arg)
162b3b69560SPeter Holm{
163b3b69560SPeter Holm  struct thread_t* th = (struct thread_t*)arg;
164b3b69560SPeter Holm  for (;;) {
165b3b69560SPeter Holm    event_wait(&th->ready);
166b3b69560SPeter Holm    event_reset(&th->ready);
167b3b69560SPeter Holm    execute_call(th->call);
168b3b69560SPeter Holm    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
169b3b69560SPeter Holm    event_set(&th->done);
170b3b69560SPeter Holm  }
171b3b69560SPeter Holm  return 0;
172b3b69560SPeter Holm}
173b3b69560SPeter Holm
174b3b69560SPeter Holmstatic void loop(void)
175b3b69560SPeter Holm{
176b3b69560SPeter Holm  int i, call, thread;
177b3b69560SPeter Holm  int collide = 0;
178b3b69560SPeter Holmagain:
179b3b69560SPeter Holm  for (call = 0; call < 3; call++) {
180b3b69560SPeter Holm    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
181b3b69560SPeter Holm         thread++) {
182b3b69560SPeter Holm      struct thread_t* th = &threads[thread];
183b3b69560SPeter Holm      if (!th->created) {
184b3b69560SPeter Holm        th->created = 1;
185b3b69560SPeter Holm        event_init(&th->ready);
186b3b69560SPeter Holm        event_init(&th->done);
187b3b69560SPeter Holm        event_set(&th->done);
188b3b69560SPeter Holm        thread_start(thr, th);
189b3b69560SPeter Holm      }
190b3b69560SPeter Holm      if (!event_isset(&th->done))
191b3b69560SPeter Holm        continue;
192b3b69560SPeter Holm      event_reset(&th->done);
193b3b69560SPeter Holm      th->call = call;
194b3b69560SPeter Holm      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
195b3b69560SPeter Holm      event_set(&th->ready);
196b3b69560SPeter Holm      if (collide && (call % 2) == 0)
197b3b69560SPeter Holm        break;
198b3b69560SPeter Holm      event_timedwait(&th->done, 50);
199b3b69560SPeter Holm      break;
200b3b69560SPeter Holm    }
201b3b69560SPeter Holm  }
202b3b69560SPeter Holm  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
203b3b69560SPeter Holm    sleep_ms(1);
204b3b69560SPeter Holm  if (!collide) {
205b3b69560SPeter Holm    collide = 1;
206b3b69560SPeter Holm    goto again;
207b3b69560SPeter Holm  }
208b3b69560SPeter Holm}
209b3b69560SPeter Holm
210b3b69560SPeter Holmuint64_t r[1] = {0x0};
211b3b69560SPeter Holm
212b3b69560SPeter Holmvoid execute_call(int call)
213b3b69560SPeter Holm{
214b3b69560SPeter Holm  intptr_t res = 0;
215b3b69560SPeter Holm  switch (call) {
216b3b69560SPeter Holm  case 0:
217b3b69560SPeter Holm    memcpy((void*)0x20000140, "./file0\000", 8);
218b3b69560SPeter Holm    syscall(SYS_open, 0x20000140ul, 0x200ul, 0ul);
219b3b69560SPeter Holm    break;
220b3b69560SPeter Holm  case 1:
221b3b69560SPeter Holm    res = syscall(SYS_getpid);
222b3b69560SPeter Holm    if (res != -1)
223b3b69560SPeter Holm      r[0] = res;
224b3b69560SPeter Holm    break;
225b3b69560SPeter Holm  case 2:
226b3b69560SPeter Holm    memcpy((void*)0x20000040, "./file0\000", 8);
227b3b69560SPeter Holm    syscall(SYS_ktrace, 0x20000040ul, 0ul, 0x4722db8820f38dbbul, r[0]);
228b3b69560SPeter Holm    break;
229b3b69560SPeter Holm  }
230b3b69560SPeter Holm}
231b3b69560SPeter Holmint main(void)
232b3b69560SPeter Holm{
233b3b69560SPeter Holm  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
234b3b69560SPeter Holm  loop();
235b3b69560SPeter Holm  return 0;
236b3b69560SPeter Holm}
237b3b69560SPeter HolmEOF
238b3b69560SPeter Holmmycc -o /tmp/syzkaller39 -Wall -Wextra -O0 /tmp/syzkaller39.c -lpthread ||
239b3b69560SPeter Holm    exit 1
240b3b69560SPeter Holm
241b3b69560SPeter Holm(cd /tmp; timeout 3m ./syzkaller39)
242b3b69560SPeter Holm
243*014a2b1aSPeter Holmrm -rf /tmp/syzkaller39 /tmp/syzkaller39.c /tmp/syzkaller.*
244b3b69560SPeter Holmexit 0
245