#!/bin/sh

# Regression test for a kernel panic in the control-message (cmsg) path of
# unp_externalize() for unix-domain sockets: wraps the syzkaller reproducer
# below and runs it back to back for about a minute.  On an unpatched kernel
# the expected outcome is the panic recorded here:
#
# panic: Assertion clen >= sizeof(*cm) && clen <= cm->cmsg_len failed at ../../../kern/uipc_usrreq.c:2018
# cpuid = 8
# time = 1653654831
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0158aebaa0
# vpanic() at vpanic+0x17f/frame 0xfffffe0158aebaf0
# panic() at panic+0x43/frame 0xfffffe0158aebb50
# unp_externalize() at unp_externalize+0x3b7/frame 0xfffffe0158aebbe0
# soreceive_generic() at soreceive_generic+0x73d/frame 0xfffffe0158aebca0
# soreceive() at soreceive+0x4b/frame 0xfffffe0158aebcc0
# kern_recvit() at kern_recvit+0x1ba/frame 0xfffffe0158aebd70
# sys_recvfrom() at sys_recvfrom+0x95/frame 0xfffffe0158aebe00
# amd64_syscall() at amd64_syscall+0x145/frame 0xfffffe0158aebf30
# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0158aebf30
# --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8230797da, rsp = 0x827bc4f48, rbp = 0x827bc4f70 ---
# KDB: enter: panic
# [ thread pid 32490 tid 141239 ]
# Stopped at 78043(%rip)
# db> x/s version
# FreeBSD 14.0-CURRENT #0 n255820-4682ac697ce9b: Fri May 27 07:06:21 CEST 2022
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
# db>


# The reproducer hard-codes a fixed 64-bit address range and 64-bit field
# offsets; it is only meaningful on amd64, so skip elsewhere.
[ `uname -p` != "amd64" ] && exit 0

# stress2 shared settings; presumably supplies the mycc wrapper used below.
. ../default.cfg
# Unquoted heredoc: shell expansion applies to the body.  That is fine here
# because the C source contains no dollar signs or backquotes.
cat > /tmp/syzkaller56.c <<EOF
// https://syzkaller.appspot.com/bug?id=10ad96d3c8f58f42ad73650e339a4952f9d82254
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// Reported-by: syzbot+c48c62e7fbd8ef327088@syzkaller.appspotmail.com

#define _GNU_SOURCE

#include <errno.h>
#include <pthread.h>
#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>

// Sleep for ms milliseconds (usleep() takes microseconds).
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Milliseconds on the monotonic clock; exits the process if the clock
// cannot be read.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Start fn(arg) on a new thread with a 128 KiB stack, retrying up to 100
// times on EAGAIN; exits the process if no thread could be created.
// The pthread_t handle is discarded: worker threads are never joined.
// NOTE(review): pthread_create() reports failure through its return value,
// not errno, so the errno == EAGAIN retry test may not observe the
// condition it is written for; a failure then falls through to exit(1).
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  int i = 0;
  for (; i < 100; i++) {
    if (pthread_create(&th, &attr, fn, arg) == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (errno == EAGAIN) {
      usleep(50);
      continue;
    }
    break;
  }
  exit(1);
}

// Binary event: a state flag guarded by mu, signalled through cv.
typedef struct {
  pthread_mutex_t mu;
  pthread_cond_t cv;
  int state;
} event_t;

// Initialise mutex, condvar and flag; exits the process on failure.
static void event_init(event_t* ev)
{
  if (pthread_mutex_init(&ev->mu, 0))
    exit(1);
  if (pthread_cond_init(&ev->cv, 0))
    exit(1);
  ev->state = 0;
}

// Clear the flag without taking the lock; callers only reset an event on
// the side that has just consumed it (see thr() and loop()).
static void event_reset(event_t* ev)
{
  ev->state = 0;
}

// Raise the flag and wake all waiters.  Setting an event that is already
// set is treated as a fatal logic error (exit(1)).
static void event_set(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  if (ev->state)
    exit(1);
  ev->state = 1;
  pthread_mutex_unlock(&ev->mu);
  pthread_cond_broadcast(&ev->cv);
}

// Block until the flag is set.
static void event_wait(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  while (!ev->state)
    pthread_cond_wait(&ev->cv, &ev->mu);
  pthread_mutex_unlock(&ev->mu);
}

// Read the flag under the lock.
static int event_isset(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}

// Wait up to timeout ms for the flag; returns the flag's final value.
// NOTE(review): the remaining interval is handed to pthread_cond_timedwait()
// as a relative timespec although that call expects an absolute time, so
// each wait most likely returns at once and the loop degrades to a poll
// bounded by current_time_ms(); the overall timeout is still honoured.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  pthread_mutex_lock(&ev->mu);
  for (;;) {
    if (ev->state)
      break;
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
    now = current_time_ms();
    if (now - start > timeout)
      break;
  }
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}

// Per-worker state: created flag, the call number to run, and the
// ready/done handshake events.
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing; updated with GCC/Clang __atomic
// builtins.
static int running;

// Worker body: wait for a call assignment, run it, mark it finished.
// Loops forever; the thread is never joined.
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Dispatch calls 0..2 in order, each on the first idle worker (creating
// workers lazily), waiting up to 50 ms for it to finish before moving on;
// a call that is still blocked simply keeps its thread.  Finally give
// in-flight calls up to about 100 ms to drain.
static void loop(void)
{
  int i, call, thread;
  for (call = 0; call < 3; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
         thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      event_timedwait(&th->done, 50);
      break;
    }
  }
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}

// Descriptors returned by socketpair() in call 0 (all-ones, i.e. -1, until
// that call succeeds).
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

// Run one syscall of the reproducer.  All arguments live in the fixed
// mapping set up by main(); the field offsets follow syzkaller's FreeBSD
// amd64 descriptions, so the absolute-address stores must stay as written.
void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    // socketpair(1, 5, 0, fds): domain 1 is PF_LOCAL and type 5 is
    // SOCK_SEQPACKET on FreeBSD; the two fds land at 0x20000100 and are
    // cached in r[] for the later calls.
    res = syscall(SYS_socketpair, 1ul, 5ul, 0, 0x20000100ul);
    if (res != -1) {
      r[0] = *(uint32_t*)0x20000100;
      r[1] = *(uint32_t*)0x20000104;
    }
    break;
  case 1:
    // recvfrom(r[0], buf, 0x1000, 0, NULL, NULL): the receive side of
    // the pair, i.e. the sys_recvfrom -> unp_externalize path in the
    // panic trace above.
    syscall(SYS_recvfrom, r[0], 0x20000140ul, 0x1000ul, 0ul, 0ul, 0ul);
    break;
  case 2:
    // sendmsg(r[1], msg, 0).  struct msghdr at 0x20001e40: no name, no
    // iov; msg_control points at 0x20001f80 and msg_controllen (set at
    // the end, 0xd4) covers the three control messages built below.
    *(uint64_t*)0x20001e40 = 0;
    *(uint32_t*)0x20001e48 = 0;
    *(uint64_t*)0x20001e50 = 0;
    *(uint64_t*)0x20001e58 = 0;
    *(uint64_t*)0x20001e60 = 0x20001f80;
    // Control buffer.  Each 12-byte header is cmsg_len, cmsg_level,
    // cmsg_type in little-endian; level 0xffff is SOL_SOCKET on FreeBSD.
    // 1) 0x20001f80: cmsg_len 0x60, type 3 (SCM_CREDS); payload words
    //    are mostly 0 or -1.
    memcpy((void*)0x20001f80,
           "\x60\x00\x00\x00\xff\xff\x00\x00\x03\x00\x00\x00", 12);
    *(uint32_t*)0x20001f8c = -1;
    *(uint32_t*)0x20001f90 = 0;
    *(uint32_t*)0x20001f94 = 0;
    *(uint32_t*)0x20001f98 = 0;
    memcpy((void*)0x20001f9c, "\x10\x00\x26\x00", 4);
    *(uint32_t*)0x20001fa0 = 0;
    *(uint32_t*)0x20001fa4 = 0;
    *(uint32_t*)0x20001fa8 = 0;
    *(uint32_t*)0x20001fac = 0;
    *(uint32_t*)0x20001fb0 = 0;
    *(uint32_t*)0x20001fb4 = 0;
    *(uint32_t*)0x20001fb8 = -1;
    *(uint32_t*)0x20001fbc = 0;
    *(uint32_t*)0x20001fc0 = -1;
    *(uint32_t*)0x20001fc4 = 0;
    *(uint32_t*)0x20001fc8 = 0;
    *(uint32_t*)0x20001fcc = 0;
    *(uint32_t*)0x20001fd0 = 0;
    *(uint32_t*)0x20001fd4 = 0;
    *(uint32_t*)0x20001fd8 = 0;
    *(uint32_t*)0x20001fdc = 0;
    // 2) 0x20001fe0: cmsg_len 0x60, type 3 (SCM_CREDS) again.
    memcpy((void*)0x20001fe0,
           "\x60\x00\x00\x00\xff\xff\x00\x00\x03\x00\x00\x00", 12);
    *(uint32_t*)0x20001fec = 0;
    *(uint32_t*)0x20001ff0 = 0;
    *(uint32_t*)0x20001ff4 = 0;
    *(uint32_t*)0x20001ff8 = -1;
    memcpy((void*)0x20001ffc, "\x10\x00\x00\x00", 4);
    *(uint32_t*)0x20002000 = -1;
    *(uint32_t*)0x20002004 = 0;
    *(uint32_t*)0x20002008 = 0;
    *(uint32_t*)0x2000200c = 0;
    *(uint32_t*)0x20002010 = 0;
    *(uint32_t*)0x20002014 = 0;
    *(uint32_t*)0x20002018 = -1;
    *(uint32_t*)0x2000201c = 0;
    *(uint32_t*)0x20002020 = -1;
    *(uint32_t*)0x20002024 = 0;
    *(uint32_t*)0x20002028 = 0;
    *(uint32_t*)0x2000202c = 0;
    *(uint32_t*)0x20002030 = 0;
    *(uint32_t*)0x20002034 = 0;
    *(uint32_t*)0x20002038 = 0;
    *(uint32_t*)0x2000203c = -1;
    // 3) 0x20002040: cmsg_len 0x14, type 1 (SCM_RIGHTS) carrying the
    //    sending socket r[1] itself.  0x60 + 0x60 + 0x14 == 0xd4, the
    //    msg_controllen stored next.
    memcpy((void*)0x20002040,
           "\x14\x00\x00\x00\xff\xff\x00\x00\x01\x00\x00\x00", 12);
    *(uint32_t*)0x2000204c = -1;
    *(uint32_t*)0x20002050 = r[1];
    *(uint64_t*)0x20001e68 = 0xd4;
    *(uint32_t*)0x20001e70 = 0;
    syscall(SYS_sendmsg, r[1], 0x20001e40ul, 0ul);
    break;
  }
}
int main(void)
{
  // Map 16 MiB at the fixed address the calls above write into
  // (prot 7 = read/write/exec; flags 0x1012 = MAP_PRIVATE|MAP_FIXED|MAP_ANON
  // on FreeBSD).
  // NOTE(review): the result is not checked; every later fixed-address
  // store assumes the mapping succeeded.
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
  loop();
  return 0;
}
EOF
mycc -o /tmp/syzkaller56 -Wall -Wextra -O0 /tmp/syzkaller56.c -lpthread ||
    exit 1

# Run the reproducer back to back for 60 s; each single run is capped at
# 3 minutes by timeout(1).
start=`date +%s`
while [ $((`date +%s` - start)) -lt 60 ]; do
	(cd /tmp; timeout 3m ./syzkaller56)
done

# Remove the binary, its source, any core dump and syzkaller scratch files.
rm -rf /tmp/syzkaller56 /tmp/syzkaller56.c /tmp/syzkaller56.core \
    /tmp/syzkaller.??????
exit 0