1*4d0adee4SPeter Holm#!/bin/sh
2*4d0adee4SPeter Holm
3*4d0adee4SPeter Holm# panic: already suspended
4*4d0adee4SPeter Holm# cpuid = 6
5*4d0adee4SPeter Holm# time = 1651176216
6*4d0adee4SPeter Holm# KDB: stack backtrace:
7*4d0adee4SPeter Holm# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe014194ea70
8*4d0adee4SPeter Holm# vpanic() at vpanic+0x17f/frame 0xfffffe014194eac0
9*4d0adee4SPeter Holm# panic() at panic+0x43/frame 0xfffffe014194eb20
10*4d0adee4SPeter Holm# thread_single() at thread_single+0x774/frame 0xfffffe014194eb90
11*4d0adee4SPeter Holm# reap_kill_proc() at reap_kill_proc+0x296/frame 0xfffffe014194ebf0
12*4d0adee4SPeter Holm# reap_kill() at reap_kill+0x371/frame 0xfffffe014194ed00
13*4d0adee4SPeter Holm# kern_procctl() at kern_procctl+0x30b/frame 0xfffffe014194ed70
14*4d0adee4SPeter Holm# sys_procctl() at sys_procctl+0x11e/frame 0xfffffe014194ee00
15*4d0adee4SPeter Holm# amd64_syscall() at amd64_syscall+0x145/frame 0xfffffe014194ef30
16*4d0adee4SPeter Holm# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe014194ef30
17*4d0adee4SPeter Holm# --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8226f27aa, rsp = 0x82803ef48, rbp = 0x82803ef70 ---
18*4d0adee4SPeter Holm# KDB: enter: panic
19*4d0adee4SPeter Holm# [ thread pid 3074 tid 100404 ]
20*4d0adee4SPeter Holm# Stopped at      kdb_enter+0x32: movq    $0,0x12790b3(%rip)
21*4d0adee4SPeter Holm# db> x/s version
22*4d0adee4SPeter Holm# FreeBSD 14.0-CURRENT #0 main-n255099-0923ff82fb383: Thu Apr 28 09:48:48 CEST 2022
23*4d0adee4SPeter Holm# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
24*4d0adee4SPeter Holm# db>
25*4d0adee4SPeter Holm
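# amd64 only: the panic quoted above was taken on that architecture.
# The substitution is quoted so an empty uname(1) output cannot turn
# the test into a shell syntax error.
[ "$(uname -p)" != "amd64" ] && exit 0

. ../default.cfg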
29*4d0adee4SPeter Holmcat > /tmp/syzkaller52.c <<EOF
30*4d0adee4SPeter Holm// https://syzkaller.appspot.com/bug?id=20185b6047d7371885412b56ff188be88f740eab
31*4d0adee4SPeter Holm// autogenerated by syzkaller (https://github.com/google/syzkaller)
32*4d0adee4SPeter Holm// Reported-by: syzbot+79cd12371d417441b175@syzkaller.appspotmail.com
33*4d0adee4SPeter Holm
34*4d0adee4SPeter Holm#define _GNU_SOURCE
35*4d0adee4SPeter Holm
36*4d0adee4SPeter Holm#include <sys/types.h>
37*4d0adee4SPeter Holm
38*4d0adee4SPeter Holm#include <dirent.h>
39*4d0adee4SPeter Holm#include <errno.h>
40*4d0adee4SPeter Holm#include <pthread.h>
41*4d0adee4SPeter Holm#include <pwd.h>
42*4d0adee4SPeter Holm#include <signal.h>
43*4d0adee4SPeter Holm#include <stdarg.h>
44*4d0adee4SPeter Holm#include <stdbool.h>
45*4d0adee4SPeter Holm#include <stdint.h>
46*4d0adee4SPeter Holm#include <stdio.h>
47*4d0adee4SPeter Holm#include <stdlib.h>
48*4d0adee4SPeter Holm#include <string.h>
49*4d0adee4SPeter Holm#include <sys/endian.h>
50*4d0adee4SPeter Holm#include <sys/resource.h>
51*4d0adee4SPeter Holm#include <sys/stat.h>
52*4d0adee4SPeter Holm#include <sys/syscall.h>
53*4d0adee4SPeter Holm#include <sys/wait.h>
54*4d0adee4SPeter Holm#include <time.h>
55*4d0adee4SPeter Holm#include <unistd.h>
56*4d0adee4SPeter Holm
/* Loop counter of main()'s fork loop (0..3); not read anywhere else in this program. */
static unsigned long long procid;
58*4d0adee4SPeter Holm
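/*
 * Send SIGKILL to pid and reap it, storing its wait status in *status.
 *
 * waitpid(-1) also reaps any other child that happens to exit first; those
 * statuses are discarded.  A waitpid() failure other than EINTR (for example
 * ECHILD when pid was already reaped) ends the loop instead of spinning on
 * it forever.
 */
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  for (;;) {
    pid_t reaped = waitpid(-1, status, 0);
    if (reaped == pid)
      return;
    if (reaped == -1 && errno != EINTR)
      return; /* no child left to wait for */
  }
}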
65*4d0adee4SPeter Holm
/* Block the calling thread for about ms milliseconds using usleep(). */
static void sleep_ms(uint64_t ms)
{
  /* usleep() counts microseconds.  The product is not range-checked; the
   * callers in this file only ever pass 1. */
  const uint64_t micros = ms * 1000;
  usleep(micros);
}
70*4d0adee4SPeter Holm
/*
 * Monotonic clock reading in whole milliseconds.  Like the other helpers
 * in this file, a failing clock_gettime() terminates the process with exit(1).
 */
static uint64_t current_time_ms(void)
{
  struct timespec now;
  if (clock_gettime(CLOCK_MONOTONIC, &now) != 0)
    exit(1);
  const uint64_t sec_part = (uint64_t)now.tv_sec * 1000u;
  const uint64_t nsec_part = (uint64_t)now.tv_nsec / 1000000u;
  return sec_part + nsec_part;
}
78*4d0adee4SPeter Holm
/*
 * Create a fresh "./syzkaller.XXXXXX" directory, make it world-writable and
 * chdir() into it.  Any failure terminates the process with exit(1).
 *
 * NOTE(review): mode 0777 leaves the directory writable by every local
 * user.  Tolerable for a throw-away test directory that the harness deletes
 * afterwards (rm -rf /tmp/syzkaller.??????), not a pattern to copy.
 */
static void use_temporary_dir(void)
{
  char name[] = "./syzkaller.XXXXXX";
  /* mkdtemp() rewrites name in place; short-circuit evaluation keeps the
   * required order: create, chmod, chdir. */
  if (mkdtemp(name) == NULL || chmod(name, 0777) != 0 || chdir(name) != 0)
    exit(1);
}
90*4d0adee4SPeter Holm
/*
 * Recursively delete dir and everything below it; every failure exits(1).
 * A directory that cannot be opened because of EACCES is removed with a
 * plain rmdir() (which only succeeds if it is empty).
 */
static void __attribute__((noinline)) remove_dir(const char* dir)
{
  DIR* handle = opendir(dir);
  if (handle == NULL) {
    /* Unreadable directory: try removing it as-is, otherwise give up. */
    if (errno != EACCES || rmdir(dir))
      exit(1);
    return;
  }
  for (struct dirent* entry = readdir(handle); entry != NULL;
       entry = readdir(handle)) {
    const char* name = entry->d_name;
    if (!strcmp(name, ".") || !strcmp(name, ".."))
      continue;
    char path[FILENAME_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    /* lstat(), not stat(): symlinks are unlinked rather than followed. */
    struct stat sb;
    if (lstat(path, &sb))
      exit(1);
    if (S_ISDIR(sb.st_mode))
      remove_dir(path);
    else if (unlink(path))
      exit(1);
  }
  closedir(handle);
  if (rmdir(dir))
    exit(1);
}
122*4d0adee4SPeter Holm
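/*
 * Start a worker thread running fn(arg) on a 128 KiB stack.  The thread
 * handle is not kept; the thread is expected to live as long as the
 * process.  A transient EAGAIN from pthread_create() is retried up to 100
 * times with a 50 us pause; any other error, or running out of retries,
 * terminates the process with exit(1).
 *
 * pthread_create() reports failure through its return value and does not
 * set errno, so the error code is taken from the return value here.
 */
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t handle;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  for (int attempt = 0; attempt < 100; attempt++) {
    const int rc = pthread_create(&handle, &attr, fn, arg);
    if (rc == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (rc != EAGAIN)
      break; /* not a resource shortage; retrying will not help */
    usleep(50);
  }
  pthread_attr_destroy(&attr);
  exit(1);
}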
143*4d0adee4SPeter Holm
/* A one-shot flag plus the mutex/condvar pair used to wake its waiters. */
typedef struct {
  pthread_mutex_t mu;  /* held by event_set/event_wait/event_isset/event_timedwait around state */
  pthread_cond_t cv;   /* broadcast by event_set() */
  int state;           /* 0 = not signalled, 1 = signalled */
} event_t;
149*4d0adee4SPeter Holm
/* Initialise ev's mutex and condvar and clear its flag; exits(1) on failure. */
static void event_init(event_t* ev)
{
  const int mu_rc = pthread_mutex_init(&ev->mu, NULL);
  if (mu_rc != 0)
    exit(1);
  const int cv_rc = pthread_cond_init(&ev->cv, NULL);
  if (cv_rc != 0)
    exit(1);
  ev->state = 0;
}
158*4d0adee4SPeter Holm
/*
 * Clear the flag.
 *
 * NOTE(review): state is written without taking mu.  Both callers in this
 * file (thr() on ready, execute_one() on done) do so only after observing
 * the flag set, when no other thread is expected to be waiting on it —
 * confirm that before reusing this helper elsewhere.
 */
static void event_reset(event_t* ev)
{
  /* Plain store; see the locking note above. */
  ev->state = 0;
}
163*4d0adee4SPeter Holm
/*
 * Raise the flag and wake every waiter.  Raising a flag that is already
 * raised is treated as a logic error and exits(1).
 */
static void event_set(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  if (ev->state != 0)
    exit(1); /* double set */
  ev->state = 1;
  pthread_mutex_unlock(&ev->mu);
  /* Broadcast outside the lock; waiters re-check state under mu anyway. */
  pthread_cond_broadcast(&ev->cv);
}
173*4d0adee4SPeter Holm
/* Block until ev's flag is raised. */
static void event_wait(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  /* A loop rather than an if: condvar wakeups may be spurious. */
  for (; ev->state == 0;)
    pthread_cond_wait(&ev->cv, &ev->mu);
  pthread_mutex_unlock(&ev->mu);
}
181*4d0adee4SPeter Holm
/* Return a snapshot of ev's flag taken under the mutex. */
static int event_isset(event_t* ev)
{
  int snapshot;
  pthread_mutex_lock(&ev->mu);
  snapshot = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return snapshot;
}
189*4d0adee4SPeter Holm
/*
 * Wait up to timeout milliseconds for ev's flag; returns the flag's value
 * at the end (1 if it was raised, 0 on timeout).
 *
 * NOTE(review): pthread_cond_timedwait() takes an absolute deadline, but ts
 * is built from the remaining *relative* time, so the call most likely
 * returns ETIMEDOUT at once and the loop degrades into polling
 * current_time_ms() with mu held between checks.  The only caller
 * (execute_one, 50 ms) still gets the intended bound; the reproducer's
 * timing is left as generated.
 */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  pthread_mutex_lock(&ev->mu);
  for (;;) {
    if (ev->state)
      break;
    /* remain cannot underflow: the loop exits once now - start > timeout. */
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
    now = current_time_ms();
    if (now - start > timeout)
      break;
  }
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}
211*4d0adee4SPeter Holm
/*
 * Clamp this process's resource limits: 128 MiB address space, 8 MiB locked
 * memory, 1 MiB file size, 1 MiB stack, no core dumps, 256 open files.
 * setrlimit() failures are ignored.
 */
static void sandbox_common()
{
  static const struct {
    int resource;
    rlim_t limit;
  } limits[] = {
    { RLIMIT_AS, 128 << 20 },
    { RLIMIT_MEMLOCK, 8 << 20 },
    { RLIMIT_FSIZE, 1 << 20 },
    { RLIMIT_STACK, 1 << 20 },
    { RLIMIT_CORE, 0 },
    { RLIMIT_NOFILE, 256 },
  };
  /* Soft and hard limit are set to the same value, in the order above. */
  for (size_t i = 0; i < sizeof limits / sizeof limits[0]; i++) {
    struct rlimit rl = { .rlim_cur = limits[i].limit, .rlim_max = limits[i].limit };
    (void)setrlimit(limits[i].resource, &rl);
  }
}
228*4d0adee4SPeter Holm
229*4d0adee4SPeter Holmstatic void loop();
230*4d0adee4SPeter Holm
/*
 * "No sandbox" worker entry point: apply the resource limits and run the
 * driver loop.  loop() never returns (it only ever calls exit()), so the
 * return value exists only to satisfy the declared signature.
 */
static int do_sandbox_none(void)
{
  sandbox_common();
  loop();
  return 0;
}
237*4d0adee4SPeter Holm
/* Per-worker-thread bookkeeping shared between execute_one() and thr(). */
struct thread_t {
  int created, call;   /* created: thread already started; call: execute_call() case to run */
  event_t ready, done; /* ready: work handed over; done: the call has finished */
};
242*4d0adee4SPeter Holm
static struct thread_t threads[16]; /* worker pool; execute_one() starts workers lazily */
static void execute_call(int call);
static int running; /* calls in flight; updated with __atomic ops by thr() and execute_one() */
246*4d0adee4SPeter Holm
/*
 * Worker thread body: forever wait for work on th->ready, run the requested
 * call, decrement the in-flight counter and raise th->done.  Never returns.
 */
static void* thr(void* arg)
{
  struct thread_t* self = arg;
  while (1) {
    event_wait(&self->ready);
    event_reset(&self->ready);
    execute_call(self->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&self->done);
  }
  return NULL;
}
259*4d0adee4SPeter Holm
/*
 * Run the 14 calls of the generated program (execute_call cases 0..13) in
 * order, each on a worker thread.  The first idle worker (done raised) gets
 * the call and is given 50 ms to finish; the scheduler then moves on
 * whether or not it did.  If every worker is still busy the call is
 * dropped.  Finally, wait up to ~100 ms for calls still in flight.
 */
static void execute_one(void)
{
  int i, call, thread;
  for (call = 0; call < 14; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
         thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        /* Lazily start workers; done starts raised so the worker counts as idle. */
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue; /* still busy with an earlier, possibly blocked, call */
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      event_timedwait(&th->done, 50);
      break;
    }
  }
  /* Up to 100 x 1 ms for stragglers before the caller exits. */
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}
287*4d0adee4SPeter Holm
288*4d0adee4SPeter Holmstatic void execute_one(void);
289*4d0adee4SPeter Holm
290*4d0adee4SPeter Holm#define WAIT_FLAGS 0
291*4d0adee4SPeter Holm
/*
 * Driver for one worker process.  Each iteration creates ./<iter>, forks a
 * child that chdir()s into it and runs execute_one() once, reaps the child
 * (killing it after 5 s), and removes the directory.  Runs until exit().
 */
static void loop(void)
{
  for (int iter = 0;; iter++) {
    char dirname[32];
    snprintf(dirname, sizeof dirname, "./%d", iter);
    if (mkdir(dirname, 0777))
      exit(1);
    const pid_t child = fork();
    if (child < 0)
      exit(1);
    if (child == 0) {
      if (chdir(dirname))
        exit(1);
      execute_one();
      exit(0);
    }
    int status = 0;
    const uint64_t started = current_time_ms();
    /* Poll for the child once a millisecond; waitpid(-1) may also reap
     * other children, whose statuses are discarded. */
    while (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) != child) {
      sleep_ms(1);
      if (current_time_ms() - started >= 5000) {
        /* Child overran its 5 s budget: kill it and reap it. */
        kill_and_wait(child, &status);
        break;
      }
    }
    remove_dir(dirname);
  }
}
323*4d0adee4SPeter Holm
/* Results carried between calls of execute_call(): r[0] shmget id (case 4),
 * r[1] getpid (case 5), r[2] getgid (case 10), r[3] the word read back after
 * procctl (case 11). */
uint64_t r[4] = {0x0, 0x0, 0x0, 0x0};
325*4d0adee4SPeter Holm
/*
 * Run one call of the generated program, selected by call (0..13).
 *
 * Arguments that live in memory are written at fixed offsets inside the
 * 16 MiB region main() maps at 0x20000000; values later calls need are
 * kept in r[].  Syscall numbers and constants are FreeBSD's.  The procctl()
 * in case 11 is the call on the stack of the panic quoted at the top of
 * this script (kern_procctl -> reap_kill).
 *
 * Declared `static` earlier in this file, so this definition has internal
 * linkage even though the keyword is absent here.
 */
void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    /* sigsuspend() with a signal mask staged at 0x20000000. */
    *(uint32_t*)0x20000000 = 0x3f;
    *(uint32_t*)0x20000004 = 8;
    *(uint32_t*)0x20000008 = 0x1000;
    *(uint32_t*)0x2000000c = 7;
    syscall(SYS_sigsuspend, 0x20000000ul);
    break;
  case 1:
    syscall(SYS_setgid, 0);
    break;
  case 2:
    /* getgroups(0, NULL): size query only. */
    syscall(SYS_getgroups, 0ul, 0ul);
    break;
  case 3:
    syscall(SYS_setegid, 0);
    break;
  case 4:
    /* shmget(key 0, 0x2000 bytes, flags 0x420); the id feeds case 6 via r[0].
     * The fourth argument is surplus for shmget() — presumably a generator
     * artefact that the kernel ignores. */
    res = syscall(SYS_shmget, 0ul, 0x2000ul, 0x420ul, 0x20ffd000ul);
    if (res != -1)
      r[0] = res;
    break;
  case 5:
    /* Own pid; reused as a target pid in cases 6, 11 and 12. */
    res = syscall(SYS_getpid);
    if (res != -1)
      r[1] = res;
    break;
  case 6:
    /* shmctl(r[0], 1, buf) with a shmid_ds image staged at 0x20000200 and
     * the pid from case 5 patched in at +0x40.  cmd 1 looks like IPC_SET. */
    *(uint32_t*)0x20000200 = -1;
    *(uint32_t*)0x20000204 = 0;
    *(uint32_t*)0x20000208 = -1;
    *(uint32_t*)0x2000020c = 0;
    *(uint16_t*)0x20000210 = 0xf965;
    *(uint16_t*)0x20000212 = 0x2000;
    *(uint32_t*)0x20000214 = 0;
    *(uint64_t*)0x20000218 = 0x2d;
    *(uint32_t*)0x20000220 = 0x1f;
    *(uint64_t*)0x20000228 = 2;
    *(uint64_t*)0x20000230 = 4;
    *(uint64_t*)0x20000238 = 0;
    *(uint32_t*)0x20000240 = r[1];
    *(uint32_t*)0x20000244 = -1;
    *(uint16_t*)0x20000248 = 7;
    *(uint16_t*)0x2000024a = 0;
    *(uint64_t*)0x20000250 = 0;
    *(uint64_t*)0x20000258 = 0;
    syscall(SYS_shmctl, r[0], 1ul, 0x20000200ul);
    break;
  case 7:
    syscall(SYS_getgid); /* result discarded */
    break;
  case 8:
    syscall(SYS___semctl, 0, 0ul, 1ul, 0ul);
    break;
  case 9:
    /* fhstat() on a file handle staged at 0x20000300; the 16 copied bytes
     * appear to be an opaque file id. */
    *(uint32_t*)0x20000300 = 4;
    *(uint32_t*)0x20000304 = 0;
    *(uint16_t*)0x20000308 = 7;
    *(uint16_t*)0x2000030a = 6;
    memcpy((void*)0x2000030c,
           "\x26\xb9\x52\x60\x70\xe1\xb8\x97\x99\x4b\x39\xd3\xea\x42\xe7\xed",
           16);
    syscall(SYS_fhstat, 0x20000300ul, 0ul);
    break;
  case 10:
    res = syscall(SYS_getgid);
    if (res != -1)
      r[2] = res; /* used by case 12 */
    break;
  case 11:
    /* procctl(idtype 0, pid r[1], cmd 6, args at 0x20000440).  On FreeBSD
     * cmd 6 appears to be PROC_REAP_KILL, consistent with reap_kill() in
     * the panic trace above.  On success the word at +0x10 is read back
     * into r[3]. */
    *(uint32_t*)0x20000440 = 3;
    *(uint32_t*)0x20000444 = 0;
    *(uint32_t*)0x20000448 = r[1];
    *(uint32_t*)0x2000044c = 0x81;
    *(uint32_t*)0x20000450 = r[1];
    memset((void*)0x20000454, 0, 60);
    res = syscall(SYS_procctl, 0ul, r[1], 6ul, 0x20000440ul);
    if (res != -1)
      r[3] = *(uint32_t*)0x20000450;
    break;
  case 12:
    /* msgctl(-1, 1, buf) with a msqid_ds image staged at 0x200004c0 that
     * reuses r[1], r[2] and r[3]; queue id -1 is invalid, so this is
     * presumably rejected by the kernel. */
    *(uint32_t*)0x200004c0 = 0;
    *(uint32_t*)0x200004c4 = 0;
    *(uint32_t*)0x200004c8 = 0;
    *(uint32_t*)0x200004cc = r[2];
    *(uint16_t*)0x200004d0 = 0x100;
    *(uint16_t*)0x200004d2 = 8;
    *(uint32_t*)0x200004d4 = 0;
    *(uint64_t*)0x200004d8 = 0x7ff;
    *(uint64_t*)0x200004e0 = 0x7f;
    *(uint64_t*)0x200004e8 = 0x81;
    *(uint64_t*)0x200004f0 = 0xfff;
    *(uint64_t*)0x200004f8 = 0x3a;
    *(uint64_t*)0x20000500 = 0x100000000;
    *(uint64_t*)0x20000508 = 9;
    *(uint32_t*)0x20000510 = r[1];
    *(uint32_t*)0x20000514 = r[3];
    *(uint64_t*)0x20000518 = 0;
    *(uint64_t*)0x20000520 = 0;
    syscall(SYS_msgctl, -1, 1ul, 0x200004c0ul);
    break;
  case 13:
    /* ioctl() on fd -1: expected to fail with EBADF. */
    syscall(SYS_ioctl, -1, 0xc0f24425ul, 0ul);
    break;
  }
}
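/*
 * Entry point: map the scratch region the generated program uses for
 * syscall arguments, fork four workers that each run do_sandbox_none() in a
 * private temporary directory, then park the parent.  The run is bounded
 * externally by timeout(1) in the harness.
 *
 * mmap() and fork() failures are fatal rather than ignored, and a worker
 * that somehow returns from do_sandbox_none() exits instead of falling
 * through into the parent's fork loop.
 */
int main(void)
{
  /*
   * 16 MiB at a fixed address, prot 7 (read/write/exec) with flags 0x1012
   * (looks like MAP_FIXED|MAP_ANON|MAP_PRIVATE on FreeBSD).  execute_call()
   * writes straight into this region, so it must exist.  A fixed RWX
   * mapping is a fuzzer convenience, not something to copy elsewhere.
   */
  if (syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul) == -1)
    exit(1);
  for (procid = 0; procid < 4; procid++) {
    pid_t child = fork();
    if (child < 0)
      exit(1);
    if (child == 0) {
      use_temporary_dir();
      do_sandbox_none();
      _exit(0); /* not reached in practice: loop() runs until exit() */
    }
  }
  sleep(1000000);
  return 0;
}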
447*4d0adee4SPeter HolmEOF
# Build the reproducer; a compile failure aborts the test.
mycc -o /tmp/syzkaller52 -Wall -Wextra -O0 /tmp/syzkaller52.c -l pthread ||
    exit 1

# Re-run the binary for two minutes.  main() parks in a very long sleep(),
# so each run is bounded by timeout(1) rather than by the program itself.
start=$(date +%s)
while [ $(($(date +%s) - start)) -lt 120 ]; do
	(cd /tmp; timeout 3m ./syzkaller52)
done

# Remove the binary, its source, any core file and the scratch directories
# the reproducer creates with mkdtemp().
rm -rf /tmp/syzkaller52 /tmp/syzkaller52.c /tmp/syzkaller52.core \
    /tmp/syzkaller.??????
exit 0