#!/bin/sh

# Regression test: syzkaller reproducer for a kernel assertion (panic) reached
# through filemon(4) logging to a unix-domain datagram socket.  The embedded C
# program is the generated reproducer and is kept exactly as generated; the
# original panic report follows.

# panic: Assertion sb->sb_hiwat >= sb->uxdg_cc failed at ../../../kern/uipc_usrreq.c:1099
# cpuid = 9
# time = 1660909804
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01401e7970
# vpanic() at vpanic+0x151/frame 0xfffffe01401e79c0
# panic() at panic+0x43/frame 0xfffffe01401e7a20
# uipc_dgram_sbspace() at uipc_dgram_sbspace+0x51/frame 0xfffffe01401e7a30
# uipc_sosend_dgram() at uipc_sosend_dgram+0x690/frame 0xfffffe01401e7ac0
# sosend() at sosend+0x49/frame 0xfffffe01401e7af0
# soo_write() at soo_write+0x43/frame 0xfffffe01401e7b20
# filemon_close_log() at filemon_close_log+0xd5/frame 0xfffffe01401e7b90
# filemon_dtr() at filemon_dtr+0x31/frame 0xfffffe01401e7bb0
# devfs_destroy_cdevpriv() at devfs_destroy_cdevpriv+0xab/frame 0xfffffe01401e7bd0
# devfs_close_f() at devfs_close_f+0x64/frame 0xfffffe01401e7c00
# _fdrop() at _fdrop+0x1b/frame 0xfffffe01401e7c20
# closef() at closef+0x1db/frame 0xfffffe01401e7cb0
# fdescfree() at fdescfree+0x433/frame 0xfffffe01401e7d80
# exit1() at exit1+0x4df/frame 0xfffffe01401e7df0
# sys_exit() at sys_exit+0xd/frame 0xfffffe01401e7e00
# amd64_syscall() at amd64_syscall+0x145/frame 0xfffffe01401e7f30
# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01401e7f30
# --- syscall (1, FreeBSD ELF64, sys_exit), rip = 0x82301d16a, rsp = 0x8209bf628, rbp = 0x8209bf640 ---
# KDB: enter: panic
# [ thread pid 2876 tid 100222 ]
# Stopped at x32: movq $0,0x12a1323(%rip)
# db> x/s version
# version: FreeBSD 14.0-CURRENT #0 main-n257506-eed634d113d-dirty: Thu Aug 18 13:56:53 CEST 2022
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO\012
# db>

# Shared stress2 settings; presumably where mycc (used below) is defined.
. ../default.cfg

# The reproducer uses raw syscall numbers and scratch addresses inside a fixed
# mapping at 0x20000000, as syzkaller emits them.  Read symbolically it does:
#   mmap(0x20000000, 16 MiB, PROT_READ|PROT_WRITE|PROT_EXEC,
#        MAP_PRIVATE|MAP_FIXED|MAP_ANON)          -- flags 0x1012 on FreeBSD
#   r[0] = openat(AT_FDCWD, "/dev/filemon", 0)    -- 0x...ff9c is AT_FDCWD (-100)
#   socketpair(PF_LOCAL, SOCK_DGRAM, 0, fds); r[1] = fds[1]
#   ioctl(r[0], 0xc0045301, &r[1])                -- _IOWR('S', 1, int), which
#                                                    matches FILEMON_SET_FD
#   setsockopt(r[1], 0xffff /* SOL_SOCKET */, 0x1001 /* SO_SNDBUF */, {3}, 4)
# So filemon is pointed at a datagram socket whose send buffer is then asked
# to shrink to 3 bytes.  The backtrace above shows the assertion firing from
# filemon_close_log() -> soo_write() when the log fd is torn down at exit;
# a local process that can open /dev/filemon is enough to reach it, which
# on a kernel built with the assertion enabled means a crash (local DoS).
# Return values of mmap/ioctl/setsockopt are intentionally unchecked, as in
# the generated code.
cat > /tmp/syzkaller62.c <<EOF
// https://syzkaller.appspot.com/bug?id=582310beb894769fc836748eec49b8d2f905e5ef
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// Reported-by: syzbot+6e8be1ec8d77578a3df4@syzkaller.appspotmail.com

#define _GNU_SOURCE

#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <unistd.h>

uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
  intptr_t res = 0;
  memcpy((void*)0x20000040, "/dev/filemon\000", 13);
  res = syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000040ul, 0ul, 0ul);
  if (res != -1)
    r[0] = res;
  res = syscall(SYS_socketpair, 1ul, 2ul, 0, 0x20000080ul);
  if (res != -1)
    r[1] = *(uint32_t*)0x20000084;
  *(uint32_t*)0x200000c0 = r[1];
  syscall(SYS_ioctl, r[0], 0xc0045301ul, 0x200000c0ul);
  *(uint32_t*)0x20000040 = 3;
  syscall(SYS_setsockopt, r[1], 0xffff, 0x1001, 0x20000040ul, 4ul);
  return 0;
}
EOF
mycc -o /tmp/syzkaller62 -Wall -Wextra -O0 /tmp/syzkaller62.c || exit 1

# Load filemon only if it is not already present; loaded=1 records that this
# script did the loading (the matching unload is disabled, see below).
kldstat | grep -q filemon || { kldload filemon.ko && loaded=1; }

# The panic, if it still reproduces, happens during process exit (see the
# sys_exit frame in the backtrace); the timeout only bounds a hung run.
(cd /tmp; timeout -k 3s 2s ./syzkaller62)

rm -rf /tmp/syzkaller62 /tmp/syzkaller62.c /tmp/syzkaller62.core \
    /tmp/syzkaller.??????
# Unload causes: Fatal trap 12: page fault while in kernel mode
#[ $loaded ] && kldunload -f filemon.ko
exit 0