1#!/bin/sh
2
3# panic: aio_process_rw: opcode 70
4# cpuid = 7
5# time = 1746175480
6# KDB: stack backtrace:
7# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe010844ccb0
8# vpanic() at vpanic+0x136/frame 0xfffffe010844cde0
9# panic() at panic+0x43/frame 0xfffffe010844ce40
10# aio_process_rw() at aio_process_rw+0x28e/frame 0xfffffe010844cea0
11# aio_daemon() at aio_daemon+0x286/frame 0xfffffe010844cef0
12# fork_exit() at fork_exit+0x82/frame 0xfffffe010844cf30
13# fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe010844cf30
14# --- trap 0xc, rip = 0x2020f02a472a, rsp = 0x2020ec9bb8d8, rbp = 0x2020ec9bb9d0 ---
15# KDB: enter: panic
16# [ thread pid 71553 tid 100216 ]
17# Stopped at      kdb_enter+0x33: movq    $0,0x122f9c2(%rip)
18# db> x/s version
19# version: FreeBSD 15.0-CURRENT #0 main-n276945-2735c20d114f-dirty: Fri May  2 07:17:00 CEST 2025
20# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
21# db>
22
# The reproducer built below is expected to panic the kernel (see the trace
# above): refuse to run unless root, and only run it on a disposable test box.
if [ "$(id -u)" -ne 0 ]; then
	echo "Must be root!"
	exit 1
fi

# stress2 defaults first, then fail loudly on any unset variable.
. ../default.cfg
set -u

# Base name of this script; every scratch path below is derived from it.
prog=$(basename "$0" .sh)
28cat > /tmp/$prog.c <<EOF
29// https://syzkaller.appspot.com/bug?id=0549d8c089382a2593078734cc8166a0fc9049f1
30// autogenerated by syzkaller (https://github.com/google/syzkaller)
31// syzbot+b6e15476c91852bb2264@syzkaller.appspotmail.com
32
33#define _GNU_SOURCE
34
35#include <pwd.h>
36#include <stdarg.h>
37#include <stdbool.h>
38#include <stdint.h>
39#include <stdio.h>
40#include <stdlib.h>
41#include <string.h>
42#include <sys/endian.h>
43#include <sys/syscall.h>
44#include <unistd.h>
45
// syzkaller "resource" slot: r[0] receives the descriptor read back after the
// pipe call in main() and is -1 (no resource yet) until then.
uint64_t r[1] = {0xffffffffffffffff};
47
// Entry point of the syzkaller reproducer.  Everything works on raw addresses
// inside one fixed mapping; the kernel crash is reached through the final
// lio_listio() call (see the notes there).  Returns 0 if the kernel survives.
int main(void)
{
  // 16 MiB RWX scratch region at 0x200000000000; every raw address used below
  // lies inside it.  MAP_ANONYMOUS zero-fills it, which matters for the words
  // that are never written explicitly (e.g. the upper half of the first
  // lio_listio pointer, see below).
  syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  // Leftover from the syzkaller template; never used.
  const char* reason;
  (void)reason;
  intptr_t res = 0;
  // Progress marker on stdout; the empty body only silences the unused-result
  // warning for write(2).
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  // Legacy pipe(2).  NOTE(review): freebsd10_pipe takes no pointer argument
  // and returns both descriptors in registers, so 0x5c4 is probably never
  // written and r[0] picks up the zero-filled value 0 (stdin) -- confirm
  // against sys/kern/sys_pipe.c before relying on this step.
  res = syscall(SYS_freebsd10_pipe, /*pipefd=*/0x2000000005c0ul);
  if (res != -1)
    r[0] = *(uint32_t*)0x2000000005c4;
  syscall(SYS_close, /*fd=*/r[0]);
  // open(".", O_RDONLY); the returned descriptor is not captured.  It lands in
  // the lowest free slot, i.e. whatever the close() above released.
  memcpy((void*)0x200000000080, ".\000", 2);
  syscall(SYS_open, /*file=*/0x200000000080ul, /*flags=*/0ul, /*mode=*/0ul);
  // Fill 0x80..0x240 (0x1c0 bytes) with constants.  The block is handed to the
  // ioctl below, but its real role is that 0x180 is the record the last
  // lio_listio entry points at (see there).
  *(uint32_t*)0x200000000080 = 0;
  *(uint32_t*)0x200000000084 = 0;
  *(uint32_t*)0x200000000088 = 4;
  *(uint64_t*)0x200000000090 = 0;
  *(uint64_t*)0x200000000098 = 0;
  *(uint32_t*)0x2000000000a0 = 0;
  *(uint32_t*)0x2000000000a4 = 8;
  *(uint64_t*)0x2000000000a8 = 0x7fffffffffffffff;
  *(uint32_t*)0x2000000000b0 = 0;
  *(uint32_t*)0x2000000000b4 = 0x100;
  *(uint64_t*)0x2000000000b8 = 0;
  *(uint32_t*)0x2000000000c0 = 0;
  *(uint32_t*)0x2000000000c4 = 0;
  *(uint32_t*)0x2000000000c8 = 0;
  *(uint32_t*)0x2000000000cc = 3;
  *(uint32_t*)0x2000000000d0 = 0;
  *(uint32_t*)0x2000000000d4 = 0;
  *(uint32_t*)0x2000000000d8 = 0x400008;
  *(uint32_t*)0x2000000000dc = 0x8e;
  *(uint32_t*)0x2000000000e0 = 0xfffffffd;
  *(uint32_t*)0x2000000000e4 = 0xf;
  *(uint32_t*)0x2000000000e8 = 0xfffffffc;
  *(uint32_t*)0x2000000000ec = 0;
  *(uint32_t*)0x2000000000f0 = 0;
  *(uint32_t*)0x2000000000f4 = 0;
  *(uint32_t*)0x2000000000f8 = 0xff;
  *(uint32_t*)0x2000000000fc = 0;
  *(uint32_t*)0x200000000100 = 0;
  *(uint32_t*)0x200000000104 = 2;
  *(uint32_t*)0x200000000108 = 0;
  *(uint32_t*)0x20000000010c = 2;
  *(uint32_t*)0x200000000110 = 2;
  *(uint32_t*)0x200000000114 = 0x5bee;
  *(uint32_t*)0x200000000118 = 0;
  *(uint32_t*)0x20000000011c = 0xc;
  *(uint32_t*)0x200000000120 = 3;
  *(uint32_t*)0x200000000124 = 2;
  *(uint32_t*)0x200000000128 = 0;
  *(uint32_t*)0x20000000012c = 0x10000000;
  *(uint32_t*)0x200000000130 = 0;
  *(uint32_t*)0x200000000134 = 1;
  *(uint32_t*)0x200000000138 = 0;
  *(uint32_t*)0x20000000013c = 0x83;
  *(uint32_t*)0x200000000140 = 0;
  *(uint32_t*)0x200000000144 = 0;
  *(uint32_t*)0x200000000148 = 0;
  *(uint32_t*)0x20000000014c = 0;
  *(uint32_t*)0x200000000150 = 0;
  *(uint32_t*)0x200000000154 = 0xfff;
  *(uint32_t*)0x200000000158 = 1;
  *(uint32_t*)0x20000000015c = 0x4c;
  *(uint32_t*)0x200000000160 = 0x1fffffc;
  *(uint32_t*)0x200000000164 = 4;
  *(uint32_t*)0x200000000168 = 0x40000001;
  *(uint32_t*)0x20000000016c = 0;
  *(uint32_t*)0x200000000170 = 8;
  *(uint32_t*)0x200000000174 = 0;
  *(uint32_t*)0x200000000178 = 0;
  *(uint32_t*)0x20000000017c = 0x100001;
  // Start of the record at 0x180 that list[2] of the lio_listio call below
  // points at.  NOTE(review): if struct aiocb is laid out as in <aio.h>
  // (aio_fildes at 0, aio_lio_opcode at 0x30), this is an aiocb whose
  // descriptor is 0 -- verify the offsets against the header.
  *(uint32_t*)0x200000000180 = 0;
  *(uint32_t*)0x200000000184 = 0x1ff;
  *(uint32_t*)0x200000000188 = 0xe;
  *(uint32_t*)0x20000000018c = 8;
  *(uint32_t*)0x200000000190 = 0;
  *(uint32_t*)0x200000000194 = 0;
  *(uint32_t*)0x200000000198 = 0;
  *(uint32_t*)0x20000000019c = 0xc;
  *(uint32_t*)0x2000000001a0 = 9;
  *(uint32_t*)0x2000000001a4 = 2;
  *(uint32_t*)0x2000000001a8 = 0x10000002;
  *(uint32_t*)0x2000000001ac = 0x100000;
  // 0x46 == 70, the value the panic header reports as "opcode 70".  Under the
  // layout assumed above this is aio_lio_opcode of the aiocb at 0x180.
  *(uint32_t*)0x2000000001b0 = 0x46;
  *(uint32_t*)0x2000000001b4 = 6;
  *(uint32_t*)0x2000000001b8 = 0x3ff;
  *(uint32_t*)0x2000000001bc = 2;
  *(uint32_t*)0x2000000001c0 = 0;
  *(uint32_t*)0x2000000001c4 = 0xfffffffa;
  *(uint32_t*)0x2000000001c8 = 0x200;
  *(uint32_t*)0x2000000001cc = 0;
  *(uint32_t*)0x2000000001d0 = 1;
  *(uint32_t*)0x2000000001d4 = 3;
  *(uint32_t*)0x2000000001d8 = 0;
  *(uint32_t*)0x2000000001dc = 0x100;
  *(uint32_t*)0x2000000001e0 = 0;
  *(uint32_t*)0x2000000001e4 = 8;
  *(uint32_t*)0x2000000001e8 = 0x108c6b2;
  *(uint32_t*)0x2000000001ec = 0xfffffffa;
  *(uint32_t*)0x2000000001f0 = 0;
  *(uint32_t*)0x2000000001f4 = 5;
  *(uint32_t*)0x2000000001f8 = 0;
  *(uint32_t*)0x2000000001fc = 0;
  *(uint32_t*)0x200000000200 = 0;
  *(uint32_t*)0x200000000204 = 0;
  *(uint32_t*)0x200000000208 = 0;
  *(uint32_t*)0x20000000020c = 0x80;
  *(uint32_t*)0x200000000210 = 0;
  *(uint32_t*)0x200000000214 = 1;
  *(uint32_t*)0x200000000218 = 0;
  *(uint32_t*)0x20000000021c = 6;
  *(uint32_t*)0x200000000220 = 0;
  *(uint32_t*)0x200000000224 = 0;
  *(uint32_t*)0x200000000228 = 0;
  *(uint32_t*)0x20000000022c = 6;
  *(uint32_t*)0x200000000230 = 0;
  *(uint32_t*)0x200000000234 = 0;
  *(uint32_t*)0x200000000238 = 0;
  *(uint32_t*)0x20000000023c = 0xa9f;
  // ioctl on descriptor -1: should fail with EBADF before any driver sees the
  // argument; kept as syzkaller emitted it.  (Per sys/ioccom.h the command
  // word appears to encode an in/out request with a 0x1c0-byte argument,
  // which matches the size of the fill above.)
  syscall(SYS_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc1c06d02ul,
          /*arg=*/0x200000000080ul);
  // lio_listio() takes an array of aiocb POINTERS, so with nent=3 the kernel
  // reads the three 8-byte words at 0x580, 0x588 and 0x590 as list[]:
  //   list[0] = 0x00000000ffffffff (low half -1, high half never written, so
  //             zero-filled): an unmapped address, presumably rejected when
  //             the aiocb is copied in;
  //   list[1] = 0: a NULL entry, which lio_listio(2) documents as skipped;
  //   list[2] = 0x200000000180: the record filled above with opcode 0x46.
  // The rest of these stores builds what syzkaller labelled as three aiocbs
  // at 0x580/0x620/0x6c0; nothing in this file shows them being referenced
  // through a list[] entry.
  *(uint32_t*)0x200000000580 = -1;
  *(uint64_t*)0x200000000588 = 0;
  *(uint64_t*)0x200000000590 = 0x200000000180;
  *(uint64_t*)0x200000000598 = 0;
  *(uint32_t*)0x2000000005a0 = 0xfffff000;
  *(uint32_t*)0x2000000005a4 = 3;
  *(uint64_t*)0x2000000005a8 = 0;
  *(uint32_t*)0x2000000005b0 = 0;
  *(uint32_t*)0x2000000005b4 = 0;
  *(uint64_t*)0x2000000005b8 = 0;
  // Overwrites the pipefd slot used by the pipe call above.
  *(uint64_t*)0x2000000005c0 = 0;
  *(uint64_t*)0x2000000005c8 = 0;
  *(uint32_t*)0x2000000005d0 = 0;
  *(uint32_t*)0x2000000005d4 = 0;
  *(uint64_t*)0x2000000005d8 = 0;
  *(uint16_t*)0x2000000005e0 = 0x4043;
  *(uint32_t*)0x200000000620 = -1;
  *(uint64_t*)0x200000000628 = 0;
  *(uint64_t*)0x200000000630 = 0;
  *(uint64_t*)0x200000000638 = 0;
  *(uint32_t*)0x200000000640 = 0x10;
  *(uint32_t*)0x200000000644 = 0;
  *(uint64_t*)0x200000000648 = 0;
  *(uint32_t*)0x200000000650 = 0;
  *(uint32_t*)0x200000000654 = 0;
  *(uint64_t*)0x200000000658 = 8;
  *(uint64_t*)0x200000000660 = 0x3ff;
  *(uint64_t*)0x200000000668 = 0;
  *(uint32_t*)0x200000000670 = 1;
  *(uint32_t*)0x200000000674 = 0;
  *(uint32_t*)0x200000000678 = 3;
  *(uint16_t*)0x200000000680 = 0;
  *(uint32_t*)0x2000000006c0 = -1;
  *(uint64_t*)0x2000000006c8 = 0;
  *(uint64_t*)0x2000000006d0 = 0;
  *(uint64_t*)0x2000000006d8 = 0;
  *(uint32_t*)0x2000000006e0 = 0;
  *(uint32_t*)0x2000000006e4 = 0;
  *(uint64_t*)0x2000000006e8 = 2;
  *(uint32_t*)0x2000000006f0 = 0;
  *(uint32_t*)0x2000000006f4 = 0;
  *(uint64_t*)0x2000000006f8 = 0x101;
  *(uint64_t*)0x200000000700 = 0xb3;
  *(uint64_t*)0x200000000708 = 0;
  *(uint32_t*)0x200000000710 = 0;
  *(uint32_t*)0x200000000714 = 0xa;
  *(uint64_t*)0x200000000718 = 3;
  *(uint32_t*)0x200000000720 = 0;
  // mode 0 (check <aio.h> for which LIO_* that is), 3 entries, no completion
  // sigevent.  NOTE(review): the panic backtrace shows the bogus opcode
  // reaching aio_process_rw() in an aio daemon; an aio_lio_opcode the kernel
  // does not implement should be rejected at submission time instead --
  // confirm the validation in lio_listio/aio_aqueue covers this value.
  syscall(SYS_lio_listio, /*mode=*/0ul, /*list=*/0x200000000580ul, /*nent=*/3ul,
          /*sig=*/0ul);
  return 0;
}
226EOF
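# Build the reproducer with the stress2 compiler wrapper.  A build failure is
# a script failure, not a "kernel survived" result, so stop here.
mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c -lpthread || exit 1

# Fresh scratch directory for the run.  Unlike the original unchecked
# mkdir/cd, bail out (after cleaning up) if either fails: running a
# kernel-crashing reproducer as root from an unexpected directory -- e.g.
# because something else already occupies the path under /tmp -- is worse
# than skipping the test.
work=/tmp/$prog.dir
rm -rf $work
if ! mkdir $work || ! cd $work; then
	rm -rf /tmp/$prog /tmp/$prog.c $work
	exit 1
fi

# The program either panics the box (the point of the test) or simply exits;
# its output and exit status carry no information, so both are dropped.
# timeout(1) bounds a reproducer that hangs instead of crashing.
timeout 3m /tmp/$prog > /dev/null 2>&1

rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core /tmp/$prog.?????? $work
exit 0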
236