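#!/bin/sh

# panic: in_pcbconnect: inp is already connected
# cpuid = 2
# time = 1687326262
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe016e604b60
# vpanic() at vpanic+0x150/frame 0xfffffe016e604bb0
# panic() at panic+0x43/frame 0xfffffe016e604c10
# in_pcbconnect_setup() at in_pcbconnect_setup/frame 0xfffffe016e604c60
# tcp_connect() at tcp_connect+0xa3/frame 0xfffffe016e604ca0
# tcp_usr_connect() at tcp_usr_connect+0xf3/frame 0xfffffe016e604d10
# soconnectat() at soconnectat+0xaf/frame 0xfffffe016e604d60
# kern_connectat() at kern_connectat+0xe1/frame 0xfffffe016e604dc0
# sys_connect() at sys_connect+0x75/frame 0xfffffe016e604e00
# amd64_syscall() at amd64_syscall+0x157/frame 0xfffffe016e604f30
# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe016e604f30
# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x823c81a6a, rsp = 0x8210ed3c8, rbp = 0x8210ed3e0 ---
# KDB: enter: panic
# [ thread pid 46907 tid 100356 ]
# Stopped at kdb_enter+0x32: movq $0,0xddf693(%rip)
# db> x/s version
# version: FreeBSD 14.0-CURRENT #0 main-n263725-1efa7dbc0798e: Wed Jun 21 09:13:50 CEST 2023
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO-KASAN\012
# db>

# Regression test: compiles the syzkaller reproducer below and runs it for
# up to two minutes.  The reproducer repeatedly forks a child that opens a
# loopback TCP listener, connects a second socket to it, shuts the write
# side down and then calls connect() on that same socket again; on the
# kernel version recorded above the second connect() reached the
# "inp is already connected" assertion in the trace.  A fixed kernel
# simply lets the run time out.

# The reproducer writes through fixed addresses that only exist after the
# mmap() in main(); it is amd64-only and needs root.
[ $(uname -p) != "amd64" ] && exit 0
[ $(id -u) -ne 0 ] && echo "Must be root!" && exit 1

. ../default.cfg
prog=$(basename "$0" .sh)

# The delimiter is quoted so the C source is written out literally, with no
# shell expansion of '$', backquotes or backslashes inside it.
cat > /tmp/$prog.c <<'EOF'
// https://syzkaller.appspot.com/bug?id=44e3d85e927362a22cc594b9d1d3072f38da7972
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// Reported-by: syzbot+f0f7871ec5397602b446@syzkaller.appspotmail.com
//
// Local change: main() now exits if the mmap() backing the fixed addresses
// fails, instead of letting every forked child fault on the first store.

#define _GNU_SOURCE

#include <sys/types.h>

#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Kill the child `pid` and reap until waitpid() reports that pid.  Note
// that waitpid(-1, ...) also reaps any other child that exits meanwhile.
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  while (waitpid(-1, status, 0) != pid) {
  }
}

// Sleep for `ms` milliseconds.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds; exits the process if the clock is
// unavailable.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

#define WAIT_FLAGS 0

// Fork a child running execute_one() forever; each child gets at most
// 5000 ms before it is killed and the next iteration starts.  The loop only
// ends when the process is killed from outside (the script's timeout) or
// the kernel panics.
static void loop(void)
{
  int iter __unused = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Socket descriptors: r[0] is the listener, r[1] the connecting socket.
// -1 means the socket() call failed.
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

// One run of the syscall sequence.  The raw stores build a 16-byte
// struct sockaddr_in (sin_len = 0x10, sin_family = 2 = AF_INET, port
// 0x4e22 and address 0x7f000001 = 127.0.0.1 in network byte order, zeroed
// sin_zero) at fixed addresses inside the region mapped by main().
void execute_one(void)
{
  intptr_t res = 0;
  // Listener: socket(AF_INET, SOCK_STREAM, 0), bound to 127.0.0.1:0x4e22.
  res = syscall(SYS_socket, 2ul, 1ul, 0);
  if (res != -1)
    r[0] = res;
  *(uint8_t*)0x200001c0 = 0x10;
  *(uint8_t*)0x200001c1 = 2;
  *(uint16_t*)0x200001c2 = htobe16(0x4e22);
  *(uint32_t*)0x200001c4 = htobe32(0x7f000001);
  memset((void*)0x200001c8, 0, 8);
  syscall(SYS_bind, r[0], 0x200001c0ul, 0x10ul);
  syscall(SYS_listen, r[0], 0);
  // Client socket connected to the listener.
  res = syscall(SYS_socket, 2ul, 1ul, 0);
  if (res != -1)
    r[1] = res;
  *(uint8_t*)0x200000c0 = 0x10;
  *(uint8_t*)0x200000c1 = 2;
  *(uint16_t*)0x200000c2 = htobe16(0x4e22);
  *(uint32_t*)0x200000c4 = htobe32(0x7f000001);
  memset((void*)0x200000c8, 0, 8);
  syscall(SYS_connect, r[1], 0x200000c0ul, 0x10ul);
  // Empty struct msghdr (all fields zero) sent with the flag value
  // syzkaller emitted, then shutdown(SHUT_WR) on the client socket.
  *(uint64_t*)0x20002580 = 0;
  *(uint32_t*)0x20002588 = 0;
  *(uint64_t*)0x20002590 = 0;
  *(uint64_t*)0x20002598 = 0;
  *(uint64_t*)0x200025a0 = 0;
  *(uint64_t*)0x200025a8 = 0;
  *(uint32_t*)0x200025b0 = 0;
  syscall(SYS_sendmsg, r[1], 0x20002580ul, 0x20104ul);
  syscall(SYS_shutdown, r[1], 1ul);
  // Second connect() on the already-connected socket: this is the call
  // that hit the assertion in the trace at the top of the script.
  *(uint8_t*)0x200000c0 = 0x10;
  *(uint8_t*)0x200000c1 = 2;
  *(uint16_t*)0x200000c2 = htobe16(0x4e22);
  *(uint32_t*)0x200000c4 = htobe32(0x7f000001);
  memset((void*)0x200000c8, 0, 8);
  syscall(SYS_connect, r[1], 0x200000c0ul, 0x10ul);
}

int main(void)
{
  // Back the fixed addresses used by execute_one() with 16 MiB of
  // anonymous memory at 0x20000000 (prot 7 = RWX, flags 0x1012 =
  // MAP_PRIVATE|MAP_FIXED|MAP_ANON on FreeBSD).  Without this mapping the
  // first store in every child would fault and the test would spin
  // uselessly until the script's timeout, so fail loudly instead.
  if (syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul) == -1)
    exit(1);
  loop();
  return 0;
}
EOF
mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1

# Run from /tmp so any files the reproducer drops land there; the panic
# (if the bug is present) ends the run, otherwise the timeout does.
(cd /tmp; timeout 2m ./$prog)

rm -rf /tmp/$prog /tmp/$prog.c /tmp/syzkaller.*
exit 0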