1#!/bin/sh 2 3# panic: Assertion done != job_total_nbytes failed at ../../../kern/sys_socket.c:670 4# cpuid = 10 5# time = 1649059964 6# KDB: stack backtrace: 7# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe069a27fd70 8# vpanic() at vpanic+0x17f/frame 0xfffffe069a27fdc0 9# panic() at panic+0x43/frame 0xfffffe069a27fe20 10# soaio_process_sb() at soaio_process_sb+0x751/frame 0xfffffe069a27feb0 11# soaio_kproc_loop() at soaio_kproc_loop+0xa9/frame 0xfffffe069a27fef0 12# fork_exit() at fork_exit+0x80/frame 0xfffffe069a27ff30 13# fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe069a27ff30 14# --- trap 0xc, rip = 0x36633df4a5ca, rsp = 0x36633cd66d98, rbp = 0x36633cd66db0 --- 15# KDB: enter: panic 16# [ thread pid 36460 tid 546462 ] 17# Stopped at kdb_enter+0x37: movq $0,0x127b48e(%rip) 18# db> x/s version 19# version: FreeBSD 14.0-CURRENT #0 main-n254248-88b3e65fcff2a: Sun Apr 3 11:21:34 CEST 2022\012 pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO\012 20# db> 21 22[ `uname -p` != "amd64" ] && exit 0 23 24. ../default.cfg 25cat > /tmp/syzkaller50.c <<EOF 26// https://syzkaller.appspot.com/bug?id=3d4fdc415d285b4de0dbf5709b4f2bb451a0a382 27// autogenerated by syzkaller (https://github.com/google/syzkaller) 28// Reported-by: syzbot+3b4dc5d1d63e9bd01eda@syzkaller.appspotmail.com 29 30#define _GNU_SOURCE 31 32#include <sys/types.h> 33 34#include <pwd.h> 35#include <signal.h> 36#include <stdarg.h> 37#include <stdbool.h> 38#include <stdint.h> 39#include <stdio.h> 40#include <stdlib.h> 41#include <string.h> 42#include <sys/endian.h> 43#include <sys/syscall.h> 44#include <sys/wait.h> 45#include <time.h> 46#include <unistd.h> 47 48static void kill_and_wait(int pid, int* status) 49{ 50 kill(pid, SIGKILL); 51 while (waitpid(-1, status, 0) != pid) { 52 } 53} 54 55static void sleep_ms(uint64_t ms) 56{ 57 usleep(ms * 1000); 58} 59 60static uint64_t current_time_ms(void) 61{ 62 struct timespec ts; 63 if (clock_gettime(CLOCK_MONOTONIC, &ts)) 64 exit(1); 65 return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; 66} 67 68static void execute_one(void); 69 70#define WAIT_FLAGS 0 71 72static void loop(void) 73{ 74 int iter = 0; 75 for (;; iter++) { 76 int pid = fork(); 77 if (pid < 0) 78 exit(1); 79 if (pid == 0) { 80 execute_one(); 81 exit(0); 82 } 83 int status = 0; 84 uint64_t start = current_time_ms(); 85 for (;;) { 86 if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) 87 break; 88 sleep_ms(1); 89 if (current_time_ms() - start < 5000) 90 continue; 91 kill_and_wait(pid, &status); 92 break; 93 } 94 } 95} 96 97uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; 98 99void execute_one(void) 100{ 101 intptr_t res = 0; 102 res = syscall(SYS_socket, 0x1cul, 1ul, 0x84); 103 if (res != -1) 104 r[0] = res; 105 *(uint8_t*)0x20000240 = 0x1c; 106 *(uint8_t*)0x20000241 = 0x1c; 107 *(uint16_t*)0x20000242 = htobe16(0x4e23); 108 *(uint32_t*)0x20000244 = 0; 109 *(uint64_t*)0x20000248 = htobe64(0); 110 *(uint64_t*)0x20000250 = htobe64(1); 111 *(uint32_t*)0x20000258 = 0; 112 syscall(SYS_bind, r[0], 0x20000240ul, 0x1cul); 113 *(uint8_t*)0x20000080 = 0x1c; 114 *(uint8_t*)0x20000081 = 0x1c; 115 *(uint16_t*)0x20000082 = htobe16(0x4e23); 116 *(uint32_t*)0x20000084 = 0; 117 *(uint64_t*)0x20000088 = htobe64(0); 118 *(uint64_t*)0x20000090 = htobe64(1); 119 *(uint32_t*)0x20000098 = 0; 120 syscall(SYS_connect, r[0], 0x20000080ul, 0x1cul); 121 *(uint32_t*)0x20000000 = r[0]; 122 *(uint64_t*)0x20000008 = 0; 123 *(uint64_t*)0x20000010 = 0x200002c0; 124 *(uint64_t*)0x20000018 = 0; 125 *(uint32_t*)0x20000020 = 0; 126 *(uint32_t*)0x20000024 = 0; 127 *(uint64_t*)0x20000028 = 0; 128 *(uint32_t*)0x20000030 = 0; 129 *(uint32_t*)0x20000034 = 0; 130 *(uint64_t*)0x20000038 = 0; 131 *(uint64_t*)0x20000040 = 0; 132 *(uint64_t*)0x20000048 = 0; 133 *(uint32_t*)0x20000050 = 0; 134 *(uint32_t*)0x20000054 = 0; 135 *(uint32_t*)0x20000058 = 0; 136 *(uint32_t*)0x20000060 = 0; 137 syscall(SYS_aio_write, 0x20000000ul); 138 res = syscall(SYS_fcntl, r[0], 0ul, r[0]); 139 if (res != -1) 140 r[1] = res; 141 *(uint32_t*)0x20001540 = 0; 142 memset((void*)0x20001544, 6, 1); 143 syscall(SYS_setsockopt, r[1], 0x84, 0x901, 0x20001540ul, 8ul); 144} 145int main(void) 146{ 147 syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); 148 loop(); 149 return 0; 150} 151EOF 152mycc -o /tmp/syzkaller50 -Wall -Wextra -O0 /tmp/syzkaller50.c || exit 1 153 154kldstat | grep -q sctp || { kldload sctp.ko && loaded=1; } 155 156(cd ../testcases/swap; ./swap -t 3m -i 10 -l 100) & 157for i in `jot 3`; do 158 (cd /tmp; timeout 3m ./syzkaller50) & 159 pids="$pids $!" 160done 161for pid in $pids; do 162 wait $pid 163done 164while pkill swap; do :; done 165wait 166 167rm -rf /tmp/syzkaller50 /tmp/syzkaller50.c /tmp/syzkaller.* 168[ $loaded ] && kldunload sctp.ko 169exit 0 170