xref: /freebsd/tools/test/stress2/misc/syzkaller42.sh (revision 43e29d03f416d7dda52112a29600a7c82ee1a91e)
1#!/bin/sh
2
3[ `uname -p` != "amd64" ] && exit 0
4[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
5
6# panic: Assertion lock == sq->sq_lock failed at ../../../kern/subr_sleepqueue.c:371
7# cpuid = 1
8# time = 1623487895
9# KDB: stack backtrace:
10# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe06c14b4700
11# vpanic() at vpanic+0x181/frame 0xfffffe06c14b4750
12# panic() at panic+0x43/frame 0xfffffe06c14b47b0
13# sleepq_add() at sleepq_add+0x3e6/frame 0xfffffe06c14b4800
14# _sleep() at _sleep+0x20e/frame 0xfffffe06c14b48b0
15# kern_sigtimedwait() at kern_sigtimedwait+0x532/frame 0xfffffe06c14b4a20
16# sys_sigwaitinfo() at sys_sigwaitinfo+0x43/frame 0xfffffe06c14b4ac0
17# amd64_syscall() at amd64_syscall+0x147/frame 0xfffffe06c14b4bf0
18# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe06c14b4bf0
19# --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8003af5fa, rsp = 0x7fffffffe5f8, rbp = 0x7fffffffe610 ---
20# KDB: enter: panic
21# [ thread pid 15370 tid 356127 ]
22# Stopped at      kdb_enter+0x37: movq    $0,0x1285b4e(%rip)
23# db> x/s version
24# version: FreeBSD 14.0-CURRENT #0 main-n247326-2349cda44fea: Sat Jun 12 03:57:33 CEST 2021
25# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
26# db>
27
28. ../default.cfg
29cat > /tmp/syzkaller42.c <<EOF
30// https://syzkaller.appspot.com/bug?id=b12f0c4dc1e73c25636e4c4d4787209d155cca0a
31// autogenerated by syzkaller (https://github.com/google/syzkaller)
32// Reported-by: syzbot+1d89fc2a9ef92ef64fa8@syzkaller.appspotmail.com
33
34#define _GNU_SOURCE
35
36#include <sys/types.h>
37
38#include <pwd.h>
39#include <signal.h>
40#include <stdarg.h>
41#include <stdbool.h>
42#include <stdint.h>
43#include <stdio.h>
44#include <stdlib.h>
45#include <string.h>
46#include <sys/endian.h>
47#include <sys/syscall.h>
48#include <sys/wait.h>
49#include <time.h>
50#include <unistd.h>
51
52static void kill_and_wait(int pid, int* status)
53{
54  kill(pid, SIGKILL);
55  while (waitpid(-1, status, 0) != pid) {
56  }
57}
58
59static void sleep_ms(uint64_t ms)
60{
61  usleep(ms * 1000);
62}
63
64static uint64_t current_time_ms(void)
65{
66  struct timespec ts;
67  if (clock_gettime(CLOCK_MONOTONIC, &ts))
68    exit(1);
69  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
70}
71
72static void execute_one(void);
73
74#define WAIT_FLAGS 0
75
76static void loop(void)
77{
78  int iter __unused = 0;
79  for (;; iter++) {
80    int pid = fork();
81    if (pid < 0)
82      exit(1);
83    if (pid == 0) {
84      execute_one();
85      exit(0);
86    }
87    int status = 0;
88    uint64_t start = current_time_ms();
89    for (;;) {
90      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
91        break;
92      sleep_ms(1);
93      if (current_time_ms() - start < 5000) {
94        continue;
95      }
96      kill_and_wait(pid, &status);
97      break;
98    }
99  }
100}
101
102void execute_one(void)
103{
104  syscall(SYS_rfork, 0x14034ul);
105  *(uint32_t*)0x20000140 = 0x80000002;
106  *(uint32_t*)0x20000144 = 0xfffffff7;
107  *(uint32_t*)0x20000148 = 0x41;
108  *(uint32_t*)0x2000014c = 3;
109  syscall(SYS_sigwaitinfo, 0x20000140ul, 0ul);
110}
111int main(void)
112{
113  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
114  loop();
115  return 0;
116}
117EOF
118mycc -o /tmp/syzkaller42 -Wall -Wextra -O0 /tmp/syzkaller42.c -lpthread ||
119    exit 1
120
121(cd /tmp; timeout 3m ./syzkaller42)
122
123rm -rf /tmp/syzkaller42 /tmp/syzkaller42.c /tmp/syzkaller.*
124exit 0
125