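#!/bin/sh

# Reproducer for a kernel page fault in knlist_remove_kq(), reached from
# kqueue_drain()/kqueue_close() while the file table is torn down at process
# exit (see the backtrace below).  The C program written to /tmp is a
# syzkaller-generated reproducer; it is compiled, run under a 3 minute
# timeout, and its artifacts are removed afterwards.

# Fatal trap 12: page fault while in kernel mode
# cpuid = 8; apic id = 08
# fault virtual address = 0x8
# fault code = supervisor read data, page not present
# instruction pointer = 0x20:0xffffffff80b98b73
# stack pointer = 0x0:0xfffffe06996fc700
# frame pointer = 0x0:0xfffffe06996fc730
# code segment = base 0x0, limit 0xfffff, type 0x1b
# = DPL 0, pres 1, long 1, def32 0, gran 1
# processor eflags = interrupt enabled, resume, IOPL = 0
# current process = 46538 (repro11)
# trap number = 12
# panic: page fault
# cpuid = 8
# time = 1655883715
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe06996fc4c0
# vpanic() at vpanic+0x151/frame 0xfffffe06996fc510
# panic() at panic+0x43/frame 0xfffffe06996fc570
# trap_fatal() at trap_fatal+0x387/frame 0xfffffe06996fc5d0
# trap_pfault() at trap_pfault+0xab/frame 0xfffffe06996fc630
# calltrap() at calltrap+0x8/frame 0xfffffe06996fc630
# --- trap 0xc, rip = 0xffffffff80b98b73, rsp = 0xfffffe06996fc700, rbp = 0xfffffe06996fc730 ---
# knlist_remove_kq() at knlist_remove_kq+0xa3/frame 0xfffffe06996fc730
# kqueue_drain() at kqueue_drain+0x2c8/frame 0xfffffe06996fc770
# kqueue_close() at kqueue_close+0x7e/frame 0xfffffe06996fc7b0
# _fdrop() at _fdrop+0x1b/frame 0xfffffe06996fc7d0
# closef() at closef+0x1db/frame 0xfffffe06996fc860
# fdescfree() at fdescfree+0x433/frame 0xfffffe06996fc930
# exit1() at exit1+0x4ef/frame 0xfffffe06996fc9a0
# sigexit() at sigfce20
# postsig() at postsig+0x1aa/frame 0xfffffe06996fcef0
# ast() at ast+0x4fb/frame 0xfffffe06996fcf30
# doreti_ast() at doreti_ast+0x1f/frame 0x821076840
# KDB: enter: panic
# [ thread pid 46538 tid 356284 ]
# Stopped at kdb_enter+0x32: movq $0,0x129f1a3(%rip)
# db> x/s version
# version: FreeBSD 14.0-CURRENT #0 main-n256236-4f1d91e413d7e: Wed Jun 22 07:47:51 CEST 2022
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
# db>

# The reproducer hard-codes amd64 addresses and syscall arguments; every
# other architecture passes trivially.
[ `uname -p` != "amd64" ] && exit 0

# Shared test settings; presumably this is where mycc (used below) comes
# from -- confirm against ../default.cfg.
. ../default.cfg
# Quoted heredoc delimiter: the C source is written out literally, so no
# shell expansion of dollar signs, backquotes or backslashes can silently
# alter the generated program.
cat > /tmp/syzkaller59.c <<'EOF'
// https://syzkaller.appspot.com/bug?id=17dea08cb46e51310db9047c400d1ff4646d2f9a
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// Reported-by: syzbot+c94f6c97744bd9f9d14d@syzkaller.appspotmail.com

#define _GNU_SOURCE

#include <sys/types.h>

#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Send SIGKILL to pid and reap children until pid itself has been
// collected; the exit status of any other child reaped on the way is
// overwritten in *status.
// NOTE(review): if waitpid(-1) ever fails (returns -1, e.g. ECHILD) this
// loop never terminates.
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  while (waitpid(-1, status, 0) != pid) {
  }
}

// Sleep for ms milliseconds.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds; the process exits if the clock is
// unavailable.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

#define WAIT_FLAGS 0

// Run execute_one() in a fresh child per iteration, forever.  The parent
// polls with WNOHANG once a millisecond and kills a child that is still
// alive after 5000 ms, so a hung iteration cannot stall the test.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Resource table: r[0] receives the kqueue descriptor.  Initialised to
// all-ones so a failed kqueue() leaves an invalid descriptor in place.
uint64_t r[1] = {0xffffffffffffffff};

// One reproducer iteration (runs in a child of loop()):
//  1. create a kqueue;
//  2. fill one changelist entry at 0x20000140, inside the region mapped by
//     main(), and register it with kevent(2): nchanges = 1, no eventlist,
//     no timeout;
//  3. rfork(2) with flags 0x90030 (not decoded here).
// The child then returns to loop(), which calls exit(0); the backtrace at
// the top of this script shows the fault surfacing from kqueue_close()
// during that exit.
void execute_one(void)
{
  intptr_t res = 0;
  res = syscall(SYS_kqueue);
  if (res != -1)
    r[0] = res;
  // The 64 bytes written below presumably follow the struct kevent layout
  // (ident, filter, flags, fflags, data, udata, ext[4]) -- confirm against
  // sys/event.h.
  *(uint64_t*)0x20000140 = 0;        // ident
  *(uint16_t*)0x20000148 = 0xfffa;   // filter (-6 as a signed short)
  *(uint16_t*)0x2000014a = 0x4021;   // flags
  *(uint32_t*)0x2000014c = 0;        // fflags
  *(uint64_t*)0x20000150 = 0;        // data
  *(uint64_t*)0x20000158 = 0;        // udata
  *(uint64_t*)0x20000160 = 0;        // ext[0]
  *(uint64_t*)0x20000168 = 0;        // ext[1]
  *(uint64_t*)0x20000170 = 0;        // ext[2]
  *(uint64_t*)0x20000178 = 0;        // ext[3]
  syscall(SYS_kevent, r[0], 0x20000140ul, 1ul, 0ul, 0ul, 0ul);
  syscall(SYS_rfork, 0x90030ul);
}
// Map a fixed 16 MiB scratch region at 0x20000000 for the reproducer's
// data (prot 7 = read/write/execute; flags 0x1012 look like
// MAP_PRIVATE|MAP_FIXED|MAP_ANON -- confirm), then iterate forever; the
// shell wrapper bounds the whole run with timeout(1).
int main(void)
{
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
  loop();
  return 0;
}
EOF
# A failed build aborts the test; mycc is expected from ../default.cfg.
mycc -o /tmp/syzkaller59 -Wall -Wextra -O0 /tmp/syzkaller59.c || exit 1

# Run from /tmp (where the cleanup below expects any core file), bounded to
# 3 minutes by timeout(1).
(cd /tmp; timeout 3m ./syzkaller59)

# Remove binary, source, core file and any syzkaller temporary files.
rm -rf /tmp/syzkaller59 /tmp/syzkaller59.c /tmp/syzkaller59.core \
	/tmp/syzkaller.??????
exit 0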