#!/bin/sh

# Stress test reproducing the kernel panic quoted below: a syzkaller-generated
# program runs a fixed sequence of 19 syscalls (listen(2) on freshly created
# AF_INET6 stream sockets, interleaved with fstat/connect/semctl calls) in
# worker threads, first one call at a time and then with neighbouring calls
# overlapping, in a forked child every few seconds, for up to five minutes.

# panic: Assertion mtx_unowned(m) failed at ../../../kern/kern_mutex.c:1179
# cpuid = 2
# time = 1581180711
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00e57958c0
# vpanic() at vpanic+0x185/frame 0xfffffe00e5795920
# panic() at panic+0x43/frame 0xfffffe00e5795980
# _mtx_destroy() at _mtx_destroy+0x4c/frame 0xfffffe00e57959a0
# solisten_proto() at solisten_proto+0xdb/frame 0xfffffe00e5795a00
# tcp6_usr_listen() at tcp6_usr_listen+0x16d/frame 0xfffffe00e5795a60
# solisten() at solisten+0x42/frame 0xfffffe00e5795a80
# kern_listen() at kern_listen+0x80/frame 0xfffffe00e5795ac0
# amd64_syscall() at amd64_syscall+0x2f1/frame 0xfffffe00e5795bf0
# fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe00e5795bf0

# The reproducer stores through fixed 64-bit-sized addresses (0x20000000 region
# mapped in main()); it is skipped on i386.
[ `uname -p` = "i386" ] && exit 0

# Shared test configuration (presumably where mycc, used below, is defined).
. ../default.cfg
# Unquoted here-document: the shell would expand "$" and backquotes, but the C
# source below contains neither, and "\x" escapes are not special to the shell,
# so the program is written out verbatim.
cat > /tmp/syzkaller4.c <<EOF
// https://syzkaller.appspot.com/bug?id=db195d1b0b8ca408a46f301eba33f9457bd2d429
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Review notes below are comments only: the generated code is deliberately
// left untouched so that the reproducer keeps the exact syscall sequence,
// scratch-memory layout and timing that triggers the panic.

#define _GNU_SOURCE

#include <sys/types.h>

#include <errno.h>
#include <pthread.h>
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Forcibly terminate child 'pid' and reap it.  waitpid(-1, ...) also reaps any
// other child met on the way.  A waitpid() failure (-1, e.g. ECHILD) never
// compares equal to pid, so the loop would spin forever in that case; the
// caller only invokes this with a child it just forked, so it does not occur
// here.
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  while (waitpid(-1, status, 0) != pid) {
  }
}

// Sleep for 'ms' milliseconds.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock reading in milliseconds; exits the process if
// clock_gettime() fails.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Start a worker thread (never joined) running fn(arg) on a 128 KiB stack.
// pthread_create() is retried up to 100 times on EAGAIN, 50 us apart; any
// other failure, or exhausting the retries, exits the process.  The attr is
// only destroyed on the success path; the failure paths exit anyway.
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  int i;
  for (i = 0; i < 100; i++) {
    if (pthread_create(&th, &attr, fn, arg) == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (errno == EAGAIN) {
      usleep(50);
      continue;
    }
    break;
  }
  exit(1);
}

// One-shot event: a mutex-protected flag (0 = clear, 1 = set) plus a condvar
// used to wake waiters when the flag is set.
typedef struct {
  pthread_mutex_t mu;
  pthread_cond_t cv;
  int state;
} event_t;

// Initialise the mutex/condvar and clear the flag; exits on failure.
static void event_init(event_t* ev)
{
  if (pthread_mutex_init(&ev->mu, 0))
    exit(1);
  if (pthread_cond_init(&ev->cv, 0))
    exit(1);
  ev->state = 0;
}

// Clear the flag WITHOUT taking the mutex.  Callers only reset an event they
// have just observed as set (see thr() and execute_one()), so no waiter can be
// relying on it at that point.
static void event_reset(event_t* ev)
{
  ev->state = 0;
}

// Set the flag and wake every waiter.  Setting an already-set event is treated
// as a harness bug and exits the process.
static void event_set(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  if (ev->state)
    exit(1);
  ev->state = 1;
  pthread_mutex_unlock(&ev->mu);
  pthread_cond_broadcast(&ev->cv);
}

// Block until the flag is set.
static void event_wait(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  while (!ev->state)
    pthread_cond_wait(&ev->cv, &ev->mu);
  pthread_mutex_unlock(&ev->mu);
}

// Read the flag under the mutex.
static int event_isset(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}

// Wait up to 'timeout' ms for the event; returns the flag value on exit
// (1 = set, 0 = timed out).
// NOTE(review): pthread_cond_timedwait() takes an ABSOLUTE deadline, but 'ts'
// is filled from the relative remainder (a few ms since the epoch), so the
// wait appears to return immediately and the loop effectively polls
// current_time_ms() until 'timeout' has elapsed.  Left as generated: the
// resulting timing is part of what the reproducer exercises.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  pthread_mutex_lock(&ev->mu);
  for (;;) {
    if (ev->state)
      break;
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
    now = current_time_ms();
    if (now - start > timeout)
      break;
  }
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}

// Per-worker slot.  execute_one() stores the call number in 'call' and sets
// 'ready'; the worker runs it and sets 'done' when the call has returned.
// 'created' records whether the thread has been started yet.
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing in workers (updated with atomic RMW ops).
static int running;

// Worker loop: wait for a call to be handed over, run it, account for it, and
// signal completion.  Never returns; the process is torn down by exit() in
// loop()'s child or by the parent's SIGKILL.
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Run the 19 calls of execute_call() twice.  Each call goes to the first idle
// worker (workers are created lazily; a worker still busy with a previous call
// is skipped).  In the first pass the caller waits up to 45 ms for each call
// to finish.  In the second, "collide", pass even-numbered calls are not
// waited for, so call N and call N+1 run concurrently on two workers.  After
// each pass, wait up to ~100 ms for all outstanding calls to drain.
static void execute_one(void)
{
  int i, call, thread;
  int collide = 0;
again:
  for (call = 0; call < 19; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
         thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      if (collide && (call % 2) == 0)
        break;
      event_timedwait(&th->done, 45);
      break;
    }
  }
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
  if (!collide) {
    collide = 1;
    goto again;
  }
}

// Redundant re-declaration emitted by the generator; harmless.
static void execute_one(void);

#define WAIT_FLAGS 0

// Forever: fork a child that runs execute_one() once and exits, then poll for
// it with WNOHANG every 1 ms, killing it if it is still alive after 5 s.
// Bounded only externally, by the 'timeout 5m' in the shell wrapper.
static void loop(void)
{
  int iter;
  for (iter = 0;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5 * 1000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Syscall results carried between calls: r[0] and r[4] hold semget() ids,
// r[1], r[3] and r[5] hold socket fds, r[2] a 32-bit value read back from the
// fstat() buffer.  Even slots start at 0, the fd slots at -1.
uint64_t r[6] = {0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff,
                 0x0, 0xffffffffffffffff};

// One syscall per case.  All scratch memory lives inside the 16 MiB region
// mapped at 0x20000000 by main(), which is what makes the raw pointer stores
// below valid.  Return values are only captured where a later call needs them.
void execute_call(int call)
{
  intptr_t res;
  switch (call) {
  case 0:
    // __semctl(0, 0, 0xa, buf): buf is a generator-built argument structure,
    // all zero except the first word.  Cmd 0xa appears to be SEM_STAT on
    // FreeBSD - verify against sys/sem.h.
    *(uint32_t*)0x20000040 = 0x284002b0;
    *(uint32_t*)0x20000044 = 0;
    *(uint32_t*)0x20000048 = 0;
    *(uint32_t*)0x2000004c = 0;
    *(uint32_t*)0x20000050 = 0;
    *(uint32_t*)0x20000054 = 0;
    *(uint16_t*)0x20000058 = 0;
    *(uint16_t*)0x2000005a = 0;
    *(uint64_t*)0x20000060 = 0;
    *(uint64_t*)0x20000068 = 0;
    *(uint64_t*)0x20000070 = 0;
    *(uint64_t*)0x20000078 = 0;
    *(uint64_t*)0x20000080 = 0;
    *(uint64_t*)0x20000088 = 0;
    *(uint64_t*)0x20000090 = 0;
    syscall(SYS___semctl, 0, 0ul, 0xaul, 0x20000040ul);
    break;
  case 1:
    // 276 bytes of generator data are copied in, but only the first 0x10 are
    // passed as the address length; with fd -1 the connect() can only fail.
    memcpy(
        (void*)0x20000340,
        "\x82\x02\xf3\x89\x9c\x53\x3e\x9e\x79\x9b\xd7\xc7\x3c\xcc\x8e\xf9\xba"
        "\xb3\x80\xca\x99\xbc\x30\xf1\x8e\x7c\xb0\xc5\x3f\xd6\xa9\xe6\xc6\xa8"
        "\xa8\x85\x82\x5b\xdf\x69\xb0\xb9\xed\x55\x59\xd8\x3d\x18\x64\x0d\x49"
        "\xdd\x0c\x5b\xba\x14\x0e\xe4\x61\xce\xcf\x6c\x04\x6a\xa1\xda\xa6\x9a"
        "\x50\xf8\xa5\xbf\x52\xc2\x63\xf1\x48\xad\xb2\x3e\x5b\x74\xd4\xd3\xe2"
        "\x77\x4e\xe8\xef\x92\x6d\x3e\xf6\x35\x76\x60\x9b\x83\xfd\xbc\x00\x45"
        "\xd8\x01\x38\x8b\x7b\x9f\x82\x1e\xf2\xe6\x42\xd3\x73\x00\x00\xc4\x05"
        "\xc0\xc2\x1a\x82\xc5\x8e\x64\x2d\x07\x86\x09\x4f\xb0\x60\x2a\x5b\xfd"
        "\x33\x73\x24\x41\xb5\xaa\x99\xd6\xdf\xbe\x06\xc7\x27\x48\x7e\x13\xfb"
        "\x57\xd6\x2f\xcb\x0c\xda\x92\xcc\xc7\x0f\xb4\x6f\x95\xcb\x5d\x0c\x28"
        "\x93\x70\xbc\x25\x88\x76\x2f\xd7\x86\x9e\x5e\x03\xfa\x9c\x68\xde\x52"
        "\x23\xc5\xae\xa1\x1c\x58\x79\x1a\x6f\xfa\x52\x31\xfc\x2b\xd5\x33\x3d"
        "\x49\x60\x80\xa0\x31\x16\x7e\xa5\xd5\x09\x94\x53\x1e\x3b\x56\x3f\x1e"
        "\x4d\x95\x76\x44\x9d\x59\x7a\x2d\xbc\xea\xe3\x26\x0d\xf6\x68\xee\xba"
        "\xc3\xbb\x9f\xb6\xf1\xa2\x44\xc2\x96\xd5\xdc\xc4\x1c\xa2\xaf\xeb\x92"
        "\x4e\xaf\xfc\x1d\x5d\xaf\x30\x9b\x0b\xfd\x19\x1c\x40\xf9\xd0\x0d\xf5"
        "\x15\x94\xb7\xe9",
        276);
    syscall(SYS_connect, -1, 0x20000340ul, 0x10ul);
    break;
  case 2:
    // semget(key 0, 0 semaphores, 0x284): flags presumably IPC_CREAT (0x200)
    // plus mode bits.  The id is kept in r[0] for case 6.
    res = syscall(SYS_semget, 0ul, 0ul, 0x284ul);
    if (res != -1)
      r[0] = res;
    break;
  case 3:
    // socket(0x1c = 28 = AF_INET6, 1 = SOCK_STREAM, 0) on FreeBSD, i.e. a TCP6
    // socket (cf. tcp6_usr_listen in the backtrace).  fd kept in r[1].
    res = syscall(SYS_socket, 0x1cul, 1ul, 0ul);
    if (res != -1)
      r[1] = res;
    break;
  case 4:
    // listen() on the TCP6 socket: the path of the panic backtrace
    // (kern_listen -> solisten -> tcp6_usr_listen -> solisten_proto ->
    // _mtx_destroy).  In collide mode this overlaps with case 5 on the same fd.
    syscall(SYS_listen, r[1], 0);
    break;
  case 5:
    // fstat() into the scratch buffer, then read back the 32-bit field at
    // offset 0x20 of the stat structure into r[2].
    res = syscall(SYS_fstat, r[1], 0x20000080ul);
    if (res != -1)
      r[2] = *(uint32_t*)0x200000a0;
    break;
  case 6:
    // Same semctl shape as case 0, on the id from case 2, with the value read
    // by case 5 placed in the fifth 32-bit slot.
    *(uint32_t*)0x20000180 = 0x2840029c;
    *(uint32_t*)0x20000184 = 0;
    *(uint32_t*)0x20000188 = 0;
    *(uint32_t*)0x2000018c = 0;
    *(uint32_t*)0x20000190 = r[2];
    *(uint32_t*)0x20000194 = 0;
    *(uint16_t*)0x20000198 = 0;
    *(uint16_t*)0x2000019a = 0;
    *(uint64_t*)0x200001a0 = 0;
    *(uint64_t*)0x200001a8 = 0;
    *(uint64_t*)0x200001b0 = 0;
    *(uint64_t*)0x200001b8 = 0;
    *(uint64_t*)0x200001c0 = 0;
    *(uint64_t*)0x200001c8 = 0;
    *(uint64_t*)0x200001d0 = 0;
    syscall(SYS___semctl, r[0], 0ul, 0xaul, 0x20000180ul);
    break;
  case 7:
    // socket(AF_INET6, SOCK_STREAM, 0x84 = 132 = IPPROTO_SCTP); fd in r[3].
    res = syscall(SYS_socket, 0x1cul, 1ul, 0x84ul);
    if (res != -1)
      r[3] = res;
    break;
  case 8:
    // connect() with a NULL address and zero length on the SCTP socket.
    syscall(SYS_connect, r[3], 0ul, 0ul);
    break;
  case 9:
    // fcntl(fd, 5, 0): cmd 5 appears to be F_GETOWN on FreeBSD - verify.
    syscall(SYS_fcntl, r[3], 5ul, 0);
    break;
  case 10:
    // getresuid() writing only the real uid into scratch memory.
    syscall(SYS_getresuid, 0x20000040ul, 0ul, 0ul);
    break;
  case 11:
    // __semctl on id 0 with a NULL argument, cmd 0xa (see case 0).
    syscall(SYS___semctl, 0, 0ul, 0xaul, 0ul);
    break;
  case 12:
    // __semctl on id 0 with a NULL argument, cmd 1 (presumably IPC_SET).
    syscall(SYS___semctl, 0, 0ul, 1ul, 0ul);
    break;
  case 13:
    // Second semget() with the same arguments as case 2; id in r[4].
    res = syscall(SYS_semget, 0ul, 0ul, 0x284ul);
    if (res != -1)
      r[4] = res;
    break;
  case 14:
    // Old-ABI fstat compat syscall with an invalid fd and NULL buffer.
    syscall(SYS_freebsd11_fstat, -1, 0ul);
    break;
  case 15:
    // cmd 1 on the id from case 13, NULL argument.
    syscall(SYS___semctl, r[4], 0ul, 1ul, 0ul);
    break;
  case 16:
    // Third socket, again AF_INET6/SOCK_STREAM; fd in r[5].
    res = syscall(SYS_socket, 0x1cul, 1ul, 0ul);
    if (res != -1)
      r[5] = res;
    break;
  case 17:
    // listen() on the third socket (same kernel path as case 4); in collide
    // mode this overlaps with the fstat() of case 18 on the same fd.
    syscall(SYS_listen, r[5], 0);
    break;
  case 18:
    // fstat() with a NULL buffer on the socket being listen()ed on.
    syscall(SYS_fstat, r[5], 0ul);
    break;
  }
}
int main(void)
{
  // Map the 16 MiB scratch region used by execute_call(): prot 3 =
  // PROT_READ|PROT_WRITE, flags 0x1012 presumably MAP_PRIVATE|MAP_FIXED|
  // MAP_ANON on FreeBSD (anonymous, so fd -1 and offset 0).
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul);
  // loop() never returns; the process is ended by the external timeout.
  loop();
  return 0;
}
EOF
mycc -o /tmp/syzkaller4 -Wall -Wextra -O2 /tmp/syzkaller4.c -lpthread ||
    exit 1

# Run the reproducer for at most five minutes (its loop() never returns on its
# own).  The exit status of the run is not checked.
(cd /tmp; timeout 5m ./syzkaller4)

rm -f /tmp/syzkaller4 /tmp/syzkaller4.c
exit 0