#!/bin/sh

# Regression test for a syzkaller-reported sigwaitinfo(2) panic (backtrace
# below).  Only meaningful on amd64, and the reproducer must run as root.
if [ "$(uname -p)" != "amd64" ]; then
	exit 0
fi
if [ "$(id -u)" -ne 0 ]; then
	echo "Must be root!"
	exit 1
fi

# panic: Assertion lock == sq->sq_lock failed at ../../../kern/subr_sleepqueue.c:371
# cpuid = 1
# time = 1623487895
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe06c14b4700
# vpanic() at vpanic+0x181/frame 0xfffffe06c14b4750
# panic() at panic+0x43/frame 0xfffffe06c14b47b0
# sleepq_add() at sleepq_add+0x3e6/frame 0xfffffe06c14b4800
# _sleep() at _sleep+0x20e/frame 0xfffffe06c14b48b0
# kern_sigtimedwait() at kern_sigtimedwait+0x532/frame 0xfffffe06c14b4a20
# sys_sigwaitinfo() at sys_sigwaitinfo+0x43/frame 0xfffffe06c14b4ac0
# amd64_syscall() at amd64_syscall+0x147/frame 0xfffffe06c14b4bf0
# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe06c14b4bf0
# --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8003af5fa, rsp = 0x7fffffffe5f8, rbp = 0x7fffffffe610 ---
# KDB: enter: panic
# [ thread pid 15370 tid 356127 ]
# Stopped at      kdb_enter+0x37: movq    $0,0x1285b4e(%rip)
# db> x/s version
# version: FreeBSD 14.0-CURRENT #0 main-n247326-2349cda44fea: Sat Jun 12 03:57:33 CEST 2021
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
# db>

. ../default.cfg
cat > /tmp/syzkaller42.c <<EOF
30afce5835SPeter Holm// https://syzkaller.appspot.com/bug?id=b12f0c4dc1e73c25636e4c4d4787209d155cca0a
31afce5835SPeter Holm// autogenerated by syzkaller (https://github.com/google/syzkaller)
32afce5835SPeter Holm// Reported-by: syzbot+1d89fc2a9ef92ef64fa8@syzkaller.appspotmail.com
33afce5835SPeter Holm
34afce5835SPeter Holm#define _GNU_SOURCE
35afce5835SPeter Holm
#include <sys/types.h>

#include <errno.h>
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
51afce5835SPeter Holm
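// Kill child `pid` with SIGKILL and reap it, storing its wait status in
// *status.
//
// As in the upstream syzkaller harness this reaps *any* child (waitpid(-1))
// until the target comes back, so the status of any other child is dropped.
// A waitpid() failure other than EINTR (typically ECHILD, nothing left to
// wait for) ends the loop instead of spinning forever on -1.
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  for (;;) {
    int reaped = waitpid(-1, status, 0);
    if (reaped == pid)
      break;
    if (reaped == -1 && errno != EINTR)
      break;
  }
}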
58afce5835SPeter Holm
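// Sleep for roughly `ms` milliseconds.
//
// usleep() takes an unsigned int of microseconds, so `ms * 1000` silently
// truncates for large values and POSIX lets usleep() reject intervals of one
// second or more; nanosleep() accepts any duration.  Early wakeup on a
// signal is not retried, matching the original usleep() behaviour.
static void sleep_ms(uint64_t ms)
{
  struct timespec ts = {
    .tv_sec = (time_t)(ms / 1000),
    .tv_nsec = (long)(ms % 1000) * 1000000L,
  };
  nanosleep(&ts, NULL);
}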
63afce5835SPeter Holm
// Milliseconds on the monotonic clock.  If the clock cannot be read the
// process exits with status 1; the harness has no better recovery.
static uint64_t current_time_ms(void)
{
  struct timespec now;
  int rc = clock_gettime(CLOCK_MONOTONIC, &now);
  if (rc != 0)
    exit(1);
  uint64_t msec = (uint64_t)now.tv_sec * 1000;
  msec += (uint64_t)now.tv_nsec / 1000000;
  return msec;
}
71afce5835SPeter Holm
// execute_one() holds the syscall sequence from the syzkaller report; it is
// defined after loop(), which forks a child to run it.
static void execute_one(void);

// Extra flags OR'ed into the parent's waitpid(2) polling; none are needed here.
#define WAIT_FLAGS 0
75afce5835SPeter Holm
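// Run execute_one() in a fresh child forever, reaping each child when it
// exits or killing it once a 5-second budget is used up.  The parent polls
// with WNOHANG every millisecond instead of blocking so the budget can be
// enforced.  Never returns; a fork() failure exits the process with 1.
//
// The unused iteration counter of the generated harness (and with it the
// FreeBSD-only `__unused` attribute) has been dropped.
static void loop(void)
{
  for (;;) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      // waitpid(-1) reaps whichever child exits; only the freshly forked
      // one is expected, which follows the upstream harness convention.
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start >= 5000) {
        kill_and_wait(pid, &status);
        break;
      }
    }
  }
}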
101afce5835SPeter Holm
// The syzkaller-generated trigger, run inside a forked child by loop().
// Kept byte-for-byte as reported: the fixed addresses fall inside the 16 MiB
// region main() maps at 0x20000000, and the four 32-bit stores fill the
// buffer that is then passed to sigwaitinfo(2) as its set argument (with a
// NULL info pointer).  The rfork(2) flag word and the stored values are
// whatever the fuzzer produced; the exact bits are the test case, so they
// are not to be "tidied up".
// Declared `static` by the earlier prototype; this definition inherits that
// internal linkage.
void execute_one(void)
{
  syscall(SYS_rfork, 0x14034ul);
  *(uint32_t*)0x20000140 = 0x80000002;
  *(uint32_t*)0x20000144 = 0xfffffff7;
  *(uint32_t*)0x20000148 = 0x41;
  *(uint32_t*)0x2000014c = 3;
  syscall(SYS_sigwaitinfo, 0x20000140ul, 0ul);
}
// Entry point: map the fixed scratch region the trigger writes into, then
// hand control to loop(), which never returns.
int main(void)
{
  // 16 MiB at 0x20000000.  On FreeBSD, 7 is PROT_READ|PROT_WRITE|PROT_EXEC
  // and 0x1012 is MAP_PRIVATE|MAP_FIXED|MAP_ANON.  The result is left
  // unchecked, as in the generated reproducer.
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
  loop();
  return EXIT_SUCCESS;
}
EOF
if ! mycc -o /tmp/syzkaller42 -Wall -Wextra -O0 /tmp/syzkaller42.c -lpthread; then
	exit 1
fi

# Bound the run: the reproducer loops forever unless the kernel panics.
(cd /tmp; timeout 3m ./syzkaller42)

rm -rf /tmp/syzkaller42 /tmp/syzkaller42.c /tmp/syzkaller.*
exit 0