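#!/bin/sh

# panic: in_pcbconnect: inp is already connected
# cpuid = 2
# time = 1687326262
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe016e604b60
# vpanic() at vpanic+0x150/frame 0xfffffe016e604bb0
# panic() at panic+0x43/frame 0xfffffe016e604c10
# in_pcbconnect_setup() at in_pcbconnect_setup/frame 0xfffffe016e604c60
# tcp_connect() at tcp_connect+0xa3/frame 0xfffffe016e604ca0
# tcp_usr_connect() at tcp_usr_connect+0xf3/frame 0xfffffe016e604d10
# soconnectat() at soconnectat+0xaf/frame 0xfffffe016e604d60
# kern_connectat() at kern_connectat+0xe1/frame 0xfffffe016e604dc0
# sys_connect() at sys_connect+0x75/frame 0xfffffe016e604e00
# amd64_syscall() at amd64_syscall+0x157/frame 0xfffffe016e604f30
# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe016e604f30
# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x823c81a6a, rsp = 0x8210ed3c8, rbp = 0x8210ed3e0 ---
# KDB: enter: panic
# [ thread pid 46907 tid 100356 ]
# Stopped at kdb_enter+0x32: movq $0,0xddf693(%rip)
# db> x/s version
# version: FreeBSD 14.0-CURRENT #0 main-n263725-1efa7dbc0798e: Wed Jun 21 09:13:50 CEST 2023
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO-KASAN\012
# db>

# Regression test for the panic above, driven by the syzkaller reproducer
# embedded below. Each child of the reproducer binds and listens on
# 127.0.0.1:20002 (0x4e22) with one TCP socket, connects a second socket to
# it, does a sendmsg() and shutdown(SHUT_WR), and then calls connect() a
# second time on that already-connected socket -- the path that tripped the
# "inp is already connected" panic. A fixed kernel just returns an error from
# the second connect(); the test itself always exits 0, a panic being the
# failure mode.
#
# Requires: amd64, root, ../default.cfg (expected to provide the mycc
# compiler wrapper), timeout(1).

[ "$(uname -p)" != "amd64" ] && exit 0
[ "$(id -u)" -ne 0 ] && echo "Must be root!" && exit 1

. ../default.cfg
prog=$(basename "$0" .sh)

# Quoted delimiter: the C source is written out verbatim, so the shell never
# applies parameter, command or backslash expansion to it.
cat > "/tmp/$prog.c" <<'EOF'
// https://syzkaller.appspot.com/bug?id=44e3d85e927362a22cc594b9d1d3072f38da7972
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// Reported-by: syzbot+f0f7871ec5397602b446@syzkaller.appspotmail.com

#define _GNU_SOURCE

#include <sys/types.h>

#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  while (waitpid(-1, status, 0) != pid) {
  }
}

static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

#define WAIT_FLAGS 0

static void loop(void)
{
  int iter __unused = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

void execute_one(void)
{
  intptr_t res = 0;
  res = syscall(SYS_socket, 2ul, 1ul, 0);
  if (res != -1)
    r[0] = res;
  *(uint8_t*)0x200001c0 = 0x10;
  *(uint8_t*)0x200001c1 = 2;
  *(uint16_t*)0x200001c2 = htobe16(0x4e22);
  *(uint32_t*)0x200001c4 = htobe32(0x7f000001);
  memset((void*)0x200001c8, 0, 8);
  syscall(SYS_bind, r[0], 0x200001c0ul, 0x10ul);
  syscall(SYS_listen, r[0], 0);
  res = syscall(SYS_socket, 2ul, 1ul, 0);
  if (res != -1)
    r[1] = res;
  *(uint8_t*)0x200000c0 = 0x10;
  *(uint8_t*)0x200000c1 = 2;
  *(uint16_t*)0x200000c2 = htobe16(0x4e22);
  *(uint32_t*)0x200000c4 = htobe32(0x7f000001);
  memset((void*)0x200000c8, 0, 8);
  syscall(SYS_connect, r[1], 0x200000c0ul, 0x10ul);
  *(uint64_t*)0x20002580 = 0;
  *(uint32_t*)0x20002588 = 0;
  *(uint64_t*)0x20002590 = 0;
  *(uint64_t*)0x20002598 = 0;
  *(uint64_t*)0x200025a0 = 0;
  *(uint64_t*)0x200025a8 = 0;
  *(uint32_t*)0x200025b0 = 0;
  syscall(SYS_sendmsg, r[1], 0x20002580ul, 0x20104ul);
  syscall(SYS_shutdown, r[1], 1ul);
  *(uint8_t*)0x200000c0 = 0x10;
  *(uint8_t*)0x200000c1 = 2;
  *(uint16_t*)0x200000c2 = htobe16(0x4e22);
  *(uint32_t*)0x200000c4 = htobe32(0x7f000001);
  memset((void*)0x200000c8, 0, 8);
  syscall(SYS_connect, r[1], 0x200000c0ul, 0x10ul);
}
int main(void)
{
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
  loop();
  return 0;
}
EOF
mycc -o "/tmp/$prog" -Wall -Wextra -O0 "/tmp/$prog.c" || exit 1

# loop() in the reproducer forks a fresh child forever (each one is reaped or
# SIGKILLed after 5 s), so timeout(1) is the only thing that ends the run.
(cd /tmp && timeout 2m "./$prog")

# The syzkaller.* glob is left unquoted on purpose.
rm -rf "/tmp/$prog" "/tmp/$prog.c" /tmp/syzkaller.*
exit 0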