1#!/bin/sh
2
3# panic: mutex so_rcv not owned at ../../../kern/uipc_usrreq.c:1750
4# cpuid = 5
5# time = 1746938647
6# KDB: stack backtrace:
7# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01e75c5b40
8# vpanic() at vpanic+0x136/frame 0xfffffe01e75c5c70
9# panic() at panic+0x43/frame 0xfffffe01e75c5cd0
10# __mtx_assert() at __mtx_assert+0xa9/frame 0xfffffe01e75c5ce0
11# knote() at knote+0x45/frame 0xfffffe01e75c5d30
12# sowwakeup_locked() at sowwakeup_locked+0xc8/frame 0xfffffe01e75c5d50
13# socantsendmore() at socantsendmore+0x4f/frame 0xfffffe01e75c5d70
14# uipc_shutdown() at uipc_shutdown+0x113/frame 0xfffffe01e75c5db0
15# soshutdown() at soshutdown+0x3e/frame 0xfffffe01e75c5dd0
16# kern_shutdown() at kern_shutdown+0x5e/frame 0xfffffe01e75c5e00
17# amd64_syscall() at amd64_syscall+0x15a/frame 0xfffffe01e75c5f30
18# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01e75c5f30
19# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x82281772a, rsp = 0x82092efd8, rbp = 0x82092f000 ---
20# KDB: enter: panic
21# [ thread pid 54792 tid 1014483 ]
22# Stopped at      kdb_enter+0x33: movq    $0,0x122f192(%rip)
23# db> x/s version
24# version: FreeBSD 15.0-CURRENT #0 main-n277201-48578dcb6b7e-dirty: Sat May 10 13:10:42 CEST 2025
25# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
26# db>
27
# stress2 tests need root (they write and run binaries under /tmp and are
# meant to panic the box); refuse to continue otherwise.
if [ "$(id -u)" -ne 0 ]; then
	echo "Must be root!"
	exit 1
fi
29
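# Pull in the stress2 defaults (mycc and friends) before turning on
# unset-variable checks, so anything the config leaves undefined fails loudly.
. ../default.cfg
set -u
prog=$(basename "$0" .sh)

# NOTE(review): the source, binary and work directory below live at fixed,
# predictable names under /tmp and are written and executed as root.  That is
# the stress2 convention and fine on a dedicated test box; on a shared host a
# local user could pre-plant a symlink at /tmp/$prog.c or swap /tmp/$prog
# between the build and the run.
#
# The heredoc delimiter is quoted so the C source is written out verbatim:
# the shell must not expand '$', backquotes or backslashes inside the repro.
cat > "/tmp/$prog.c" <<'EOF'
// https://syzkaller.appspot.com/bug?id=ac94349a29f2efc40e9274239e4ca9b2c473a4e7
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// syzkaller.appspot.com/x/repro.c?x=16c074d4580000
//
// Syscall sequence (see the panic backtrace at the top of the script):
//   1. socketpair(PF_LOCAL, SOCK_SEQPACKET, 0, fds); keep fds[1]
//   2. fcntl(fd, F_SETFL, FASYNC)
//   3. shutdown(fd, SHUT_RDWR)
// The backtrace shows the panic under soshutdown -> uipc_shutdown ->
// socantsendmore -> sowwakeup_locked -> knote ("mutex so_rcv not owned").

#define _GNU_SOURCE

#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <unistd.h>

// Descriptor returned by socketpair(); stays -1 if that call fails, in which
// case the fcntl() and shutdown() below are issued on fd -1.
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  // Scratch region used for the syscall argument buffers (the fds array).
  syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;
  (void)reason;
  intptr_t res = 0;
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  // PF_LOCAL/AF_UNIX, SOCK_SEQPACKET; fds lands at the start of the mapping.
  res = syscall(SYS_socketpair, /*domain=*/1ul, /*type=SOCK_SEQPACKET*/ 5ul,
                /*proto=*/0, /*fds=*/0x200000000040ul);
  if (res != -1)
    r[0] = *(uint32_t*)0x200000000044;  // fds[1]
  // F_SETFL with FASYNC on that end, then shut it down for both directions.
  syscall(SYS_fcntl, /*fd=*/r[0], /*cmd=F_SETFL*/ 4ul, /*flags=FASYNC*/ 0x40ul);
  syscall(SYS_shutdown, /*fd=*/r[0], /*how=SHUT_RDWR*/ 2ul);
  return 0;
}
EOF
# mycc is provided by default.cfg.  Abort if the build fails rather than
# falling through to run whatever might be left at /tmp/$prog.
mycc -o "/tmp/$prog" -Wall -Wextra -O0 "/tmp/$prog.c" -lpthread || exit 1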
74
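# Run the reproducer from a fresh scratch directory so anything it leaves
# behind (core files, temp files) is confined there.  Both mkdir and cd are
# checked: the original cd used a literal copy of $work and was unchecked, so
# a failure would have run the repro in the caller's cwd and then deleted
# $work anyway.
work="/tmp/$prog.dir"
rm -rf "$work"
mkdir "$work" || exit 1
cd "$work" || exit 1
# Output is discarded; the interesting outcome is a kernel panic, not stdout.
timeout 3m "/tmp/$prog" > /dev/null 2>&1

# Remove the binary, the source, any core dump and the scratch directory.
# The ?????? pattern is deliberately unquoted so it globs (presumably
# mktemp-style leftovers named /tmp/$prog.XXXXXX).
rm -rf "/tmp/$prog" "/tmp/$prog.c" "/tmp/$prog.core" /tmp/$prog.?????? "$work"
exit 0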
83