#!/bin/sh

# panic: sofree:1883 curvnet is NULL, so=0xfffff8017ca59000
# cpuid = 8
# time = 1746559098
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0182b5c8d0
# vpanic() at vpanic+0x136/frame 0xfffffe0182b5ca00
# panic() at panic+0x43/frame 0xfffffe0182b5ca60
# sorele_locked() at sorele_locked+0x25f/frame 0xfffffe0182b5ca90
# uipc_sendfile_wait() at uipc_sendfile_wait+0x1df/frame 0xfffffe0182b5caf0
# vn_sendfile() at vn_sendfile+0x59b/frame 0xfffffe0182b5cd70
# sendfile() at sendfile+0x129/frame 0xfffffe0182b5ce00
# amd64_syscall() at amd64_syscall+0x15a/frame 0xfffffe0182b5cf30
# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0182b5cf30
# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x8223fb72a, rsp = 0x824baaf58, rbp = 0x824baaf90 ---
# KDB: enter: panic
# [ thread pid 6382 tid 103296 ]
# Stopped at kdb_enter+0x33: movq $0,0x122f202(%rip)
# db> x/s version
# version: FreeBSD 15.0-CURRENT #0 main-n277057-794e792121ba-dirty: Tue May 6 18:34:20 CEST 2025
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
# db>

# Regression test for the sofree() "curvnet is NULL" panic quoted above:
# a syzkaller-generated reproducer is compiled and run as 30 parallel
# instances for up to 3 minutes while a swap load runs in the background.

[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1

. ../default.cfg
set -u
prog=$(basename "$0" .sh)
# The delimiter is unquoted, so the here-document is subject to parameter
# expansion; the C below contains no '$' or backquotes, so it is written out
# verbatim. Keep it that way if the reproducer is edited.
cat > /tmp/$prog.c <<EOF
// https://syzkaller.appspot.com/bug?id=f04b36c4f2b84533225a1bd695a0aed2efa559e5
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// syzbot+7b0b20cf2c672c181d98@syzkaller.appspotmail.com
//
// Harness overview: loop() hands calls 0..7 of execute_call() to a pool of
// up to 16 worker threads, waiting at most 50 ms for each to finish. A call
// that blocks in the kernel keeps its worker while the next call is started
// on another thread, so consecutive calls overlap in time; that overlap is
// presumably what makes the race below reproducible.

#define _GNU_SOURCE

#include <errno.h>
#include <pthread.h>
#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>

// Sleep for ms milliseconds (usleep takes microseconds).
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds; a clock_gettime() failure is fatal.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Run fn(arg) on a new thread with a 128 KiB stack. pthread_create() is
// retried up to 100 times on EAGAIN; any other failure exits the program.
// The pthread_t is discarded (workers are never joined) and attr is only
// destroyed on the success path, which does not matter since exit() follows.
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  int i = 0;
  for (; i < 100; i++) {
    if (pthread_create(&th, &attr, fn, arg) == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (errno == EAGAIN) {
      usleep(50);
      continue;
    }
    break;
  }
  exit(1);
}

// One-shot event: state goes 0 -> 1 via event_set() (setting it twice is a
// fatal error) and back to 0 via event_reset(), which does not take mu.
typedef struct {
  pthread_mutex_t mu;
  pthread_cond_t cv;
  int state;
} event_t;

// Initialise mutex, condition variable and state; init failures are fatal.
static void event_init(event_t* ev)
{
  if (pthread_mutex_init(&ev->mu, 0))
    exit(1);
  if (pthread_cond_init(&ev->cv, 0))
    exit(1);
  ev->state = 0;
}

// Clear the event without locking. In this file it is only called on an
// event the caller has just observed set (see thr() and loop()).
static void event_reset(event_t* ev)
{
  ev->state = 0;
}

// Set the event and wake all waiters; a second set before a reset exits.
static void event_set(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  if (ev->state)
    exit(1);
  ev->state = 1;
  pthread_mutex_unlock(&ev->mu);
  pthread_cond_broadcast(&ev->cv);
}

// Block until the event is set.
static void event_wait(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  while (!ev->state)
    pthread_cond_wait(&ev->cv, &ev->mu);
  pthread_mutex_unlock(&ev->mu);
}

// Return the current state under the lock.
static int event_isset(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}

// Wait up to timeout ms for the event; returns its state at exit.
// NOTE(review): ts holds a relative interval, but pthread_cond_timedwait()
// expects an absolute time, so the call presumably returns ETIMEDOUT at
// once and this loop effectively polls current_time_ms() until timeout
// elapses. Harmless for the 50 ms bound used here, but it burns CPU.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  pthread_mutex_lock(&ev->mu);
  for (;;) {
    if (ev->state)
      break;
    // Cannot underflow: the loop exits below as soon as now - start > timeout.
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
    now = current_time_ms();
    if (now - start > timeout)
      break;
  }
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}

// Per-worker state: created flag, the call index to run, and two events
// (ready: work assigned by loop(); done: work finished by thr()).
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing; only touched with __atomic builtins.
static int running;

// Worker body: wait for an assignment, run it, account for it, signal done.
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Dispatch calls 0..7 in order, each to the first worker whose done event
// is set (creating workers lazily). A worker still busy with an earlier
// call is skipped, so a call that blocks in the kernel does not stop the
// following calls from being issued. After the last call, wait up to
// 100 ms for outstanding calls to drain.
static void loop(void)
{
  // The write() result is deliberately ignored; the empty if only silences
  // warn_unused_result.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  int i, call, thread;
  for (call = 0; call < 8; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
         thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      // 50 ms budget per call; on expiry the call keeps running in the
      // background and the next call is dispatched to another worker.
      event_timedwait(&th->done, 50);
      break;
    }
  }
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}

// File descriptors produced by earlier calls and consumed by later ones;
// all-ones (i.e. -1 as an fd) until the producing call succeeds.
uint64_t r[5] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
                 0xffffffffffffffff, 0xffffffffffffffff};

// Execute one step of the reproducer. Declared static above, so this
// definition has internal linkage despite the missing keyword. Path strings
// and the socketpair result live in the fixed scratch mapping set up by
// main(); the fds in r[] may still be -1 if an earlier call failed, in
// which case the syscall simply fails and is ignored.
void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    // r[0] = open("./file0", O_NONBLOCK|O_CREAT|O_RDWR|<unknown high bit>)
    memcpy((void*)0x200000000480, "./file0\000", 8);
    res = syscall(
        SYS_open, /*file=*/0x200000000480ul,
        /*flags=O_NONBLOCK|O_CREAT|O_RDWR|0x80000000000000*/ 0x80000000000206ul,
        /*mode=*/0ul);
    if (res != -1)
      r[0] = res;
    break;
  case 1:
    // Give file0 some content to send: ftruncate to 0x3862 bytes.
    syscall(SYS_ftruncate, /*fd=*/r[0], /*len=*/0x3862ul);
    break;
  case 2:
    // r[1] = socket(domain 2, type 2, protocol 0x88), i.e. an AF_INET
    // datagram socket; its fd number is what later calls reuse.
    res = syscall(SYS_socket, /*domain=*/2ul, /*type=*/2ul, /*proto=*/0x88);
    if (res != -1)
      r[1] = res;
    break;
  case 3:
    // r[2], r[3] = socketpair(domain 1 (local), SOCK_STREAM)
    res = syscall(SYS_socketpair, /*domain=*/1ul, /*type=SOCK_STREAM*/ 1ul,
                  /*proto=*/0, /*fds=*/0x200000000180ul);
    if (res != -1) {
      r[2] = *(uint32_t*)0x200000000180;
      r[3] = *(uint32_t*)0x200000000184;
    }
    break;
  case 4:
    // dup2(r[2], r[1]): fd r[1] now refers to one end of the socketpair;
    // the datagram socket from case 2 is closed by the dup2.
    syscall(SYS_dup2, /*oldfd=*/r[2], /*newfd=*/r[1]);
    break;
  case 5:
    // r[4] = open("./file0", O_RDONLY), the sendfile source.
    memcpy((void*)0x200000000140, "./file0\000", 8);
    res = syscall(SYS_open, /*file=*/0x200000000140ul, /*flags=*/0ul,
                  /*mode=*/0ul);
    if (res != -1)
      r[4] = res;
    break;
  case 6:
    // sendfile(file0 -> r[1]) with SF_SYNC|SF_NOCACHE. Per the backtrace
    // at the top of the script this goes vn_sendfile -> uipc_sendfile_wait,
    // i.e. the sender waits on the unix-domain socket, and this call will
    // typically still be blocked when case 7 is dispatched.
    syscall(SYS_sendfile, /*fd=*/r[4], /*s=*/r[1], /*offset=*/0ul,
            /*nbytes=*/0ul, /*hdtr=*/0ul, /*sbytes=*/0ul,
            /*flags=SF_SYNC|SF_NOCACHE*/ 0x14ul);
    break;
  case 7:
    // dup2(r[4], r[3]) replaces the peer end of the socketpair with the
    // file fd, which closes that peer socket while case 6 may still be
    // waiting on it; the sorele_locked()/sofree() in the backtrace is
    // presumably that teardown running without a vnet set.
    syscall(SYS_dup2, /*oldfd=*/r[4], /*newfd=*/r[3]);
    break;
  }
}
// Map syzkaller's fixed 16 MiB RWX scratch area at 0x200000000000 (used for
// the path strings and the socketpair result above); the mapping result is
// not checked, so a failure surfaces as a crash on first use. 'reason' is an
// unused leftover of the syzkaller template.
int main(void)
{
  syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;
  (void)reason;
  loop();
  return 0;
}
EOF
# mycc is not defined here; presumably provided by ../default.cfg.
mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c -lpthread || exit 1

# Background memory pressure from the stress2 swap test for 3 minutes;
# give it 5 seconds to ramp up before starting the reproducers.
(cd ../testcases/swap; ./swap -t 3m -i 30 -l 100 > /dev/null 2>&1) &
sleep 5

# Each instance runs in its own directory because the reproducer creates
# ./file0 relative to its cwd; timeout(1) caps every instance at 3 minutes.
work=/tmp/$prog.dir
rm -rf $work
mkdir $work
cd /tmp/$prog.dir
for i in `jot 30`; do
	(
	mkdir d$i
	cd d$i
	timeout 3m /tmp/$prog > /dev/null 2>&1 &
	)
done
# Wait for every instance to exit, then stop the swap load and reap it.
while pgrep -q $prog; do sleep 2; done
while pkill swap; do :; done
wait

# Clean up binary, source, any core file and six-character-suffixed temp
# files belonging to this test, plus the work directory.
rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core /tmp/$prog.?????? $work
exit 0