1#!/bin/sh 2 3# panic: mtx_lock() of spin mutex (null) @ ../../../kern/sys_socket.c:785 4# cpuid = 7 5# time = 1622878256 6# KDB: stack backtrace: 7# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01aaec6880 8# vpanic() at vpanic+0x181/frame 0xfffffe01aaec68d0 9# panic() at panic+0x43/frame 0xfffffe01aaec6930 10# __mtx_lock_flags() at __mtx_lock_flags+0x13c/frame 0xfffffe01aaec6980 11# soo_aio_cancel() at soo_aio_cancel+0x51/frame 0xfffffe01aaec69b0 12# aio_cancel_job() at aio_cancel_job+0x95/frame 0xfffffe01aaec69f0 13# aio_proc_rundown() at aio_proc_rundown+0xcf/frame 0xfffffe01aaec6a40 14# exit1() at exit1+0x36e/frame 0xfffffe01aaec6ab0 15# sys_sys_exit() at sys_sys_exit+0xd/frame 0xfffffe01aaec6ac0 16# amd64_syscall() at amd64_syscall+0x147/frame 0xfffffe01aaec6bf0 17# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01aaec6bf0 18# --- syscall (1, FreeBSD ELF64, sys_sys_exit), rip = 0x8003b230a, rsp = 0x7fffffffe528, rbp = 0x7fffffffe540 --- 19# KDB: enter: panic 20# [ thread pid 3000 tid 100365 ] 21# Stopped at kdb_enter+0x37: movq $0,0x127fb8e(%rip) 22# db> x/s version 23# version: FreeBSD 14.0-CURRENT #0 main-n247181-1b5bc3a54b6: Sat Jun 5 04:12:19 CEST 2021 24# pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO 25# db> 26 27[ `uname -p` != "amd64" ] && exit 0 28[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 29 30. ../default.cfg 31cat > /tmp/syzkaller40.c <<EOF 32// https://syzkaller.appspot.com/bug?id=00ad0c11fe2e5d29ae3d19d529251a14abe1f335 33// autogenerated by syzkaller (https://github.com/google/syzkaller) 34// Reported-by: syzbot+c8aa122fa2c6a4e2a28b@syzkaller.appspotmail.com 35 36#define _GNU_SOURCE 37 38#include <pwd.h> 39#include <stdarg.h> 40#include <stdbool.h> 41#include <stdint.h> 42#include <stdio.h> 43#include <stdlib.h> 44#include <string.h> 45#include <sys/endian.h> 46#include <sys/syscall.h> 47#include <unistd.h> 48 49uint64_t r[1] = {0xffffffffffffffff}; 50 51int main(void) 52{ 53 syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); 54 intptr_t res = 0; 55 res = syscall(SYS_socket, 0x1cul, 1ul, 0); 56 if (res != -1) 57 r[0] = res; 58 *(uint32_t*)0x20000200 = r[0]; 59 *(uint64_t*)0x20000208 = 8; 60 *(uint64_t*)0x20000210 = 0; 61 *(uint64_t*)0x20000218 = 0; 62 *(uint32_t*)0x20000220 = 0x100; 63 *(uint32_t*)0x20000224 = 9; 64 *(uint64_t*)0x20000228 = 0x80000000; 65 *(uint32_t*)0x20000230 = 5; 66 *(uint32_t*)0x20000234 = 1; 67 *(uint64_t*)0x20000238 = 6; 68 *(uint64_t*)0x20000240 = 2; 69 *(uint64_t*)0x20000248 = 0; 70 *(uint32_t*)0x20000250 = 1; 71 *(uint32_t*)0x20000254 = 3; 72 *(uint64_t*)0x20000258 = 0x109; 73 *(uint32_t*)0x20000260 = 0; 74 syscall(SYS_aio_read, 0x20000200ul); 75 syscall(SYS_listen, r[0], 0x8273); 76 return 0; 77} 78EOF 79mycc -o /tmp/syzkaller40 -Wall -Wextra -O0 /tmp/syzkaller40.c -lpthread || 80 exit 1 81 82(cd /tmp; timeout 3m ./syzkaller40) 83 84rm -rf /tmp/syzkaller40 /tmp/syzkaller40.c /tmp/syzkaller.* 85exit 0 86