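#!/bin/sh

# panic: handle_workitem_remove: bad file delta
# cpuid = 2
# time = 1753799597
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00ffc84b70
# vpanic() at vpanic+0x136/frame 0xfffffe00ffc84ca0
# panic() at panic+0x43/frame 0xfffffe00ffc84d00
# handle_workitem_remove() at handle_workitem_remove+0x68d/frame 0xfffffe00ffc84d70
# handle_workitem_remove() at handle_workitem_remove+0x52d/frame 0xfffffe00ffc84de0
# process_worklist_item() at process_worklist_item+0x21e/frame 0xfffffe00ffc84e70
# softdep_process_worklist() at softdep_process_worklist+0xbd/frame 0xfffffe00ffc84eb0
# softdep_flush() at softdep_flush+0x10f/frame 0xfffffe00ffc84ef0
# fork_exit() at fork_exit+0x82/frame 0xfffffe00ffc84f30
# fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00ffc84f30
# --- trap 0, rip = 0, rsp = 0, rbp = 0 ---
# KDB: enter: panic
# [ thread pid 16 tid 100253 ]
# Stopped at kdb_enter+0x33: movq $0,0x1230852(%rip)
# db> x/s version
# version: FreeBSD 15.0-CURRENT #0 main-n279158-f1f77adfd9bc-dirty: Tue Jul 29 15:49:28 CEST 2025
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO

[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1

. ../default.cfg
set -u
prog=$(basename "$0" .sh)

# The reproducer below is written to /tmp/$prog.c, compiled, and then run
# in 30 parallel instances, each in its own working directory, while the
# swap test case runs in the background.
cat > /tmp/$prog.c <<EOF
// https://syzkaller.appspot.com/bug?id=0a60b828818a364deb4721d58b2ed5167b1f6296
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <sys/types.h>

#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Kill the child 'pid' and reap it; other children reaped on the way are
// discarded. Loops until waitpid() returns exactly 'pid'.
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  while (waitpid(-1, status, 0) != pid) {
  }
}

// Sleep for 'ms' milliseconds.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds; exits the process if the clock is
// unavailable.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

#define WAIT_FLAGS 0

// Forever: fork a child that runs the syscall sequence once, poll for its
// exit every 10 ms, and SIGKILL it if it is still alive after 5 s.
static void loop(void)
{
  for (;;) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      sleep_ms(10);
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// File descriptors returned by the open() calls in execute_one(); -1 until
// set. r[2] is the dirfd for mkdirat(), r[0]/r[1] the dirfds for renameat().
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// The syscall sequence from the syzkaller reproducer. Every path argument is
// first copied into the fixed anonymous mapping set up in main() and passed
// by address; all paths are relative to the current working directory.
void execute_one(void)
{
  intptr_t res = 0;
  // The empty if-body only consumes write()'s return value.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  memcpy((void*)0x200000000180, "./file0\000", 8);
  syscall(SYS_mkdir, /*path=*/0x200000000180ul, /*mode=*/0ul);
  memcpy((void*)0x200000000000, "./file0/file0\000", 14);
  syscall(SYS_mkdir, /*path=*/0x200000000000ul, /*mode=*/0ul);
  memcpy((void*)0x200000000080, ".\000", 2);
  res = syscall(SYS_open, /*file=*/0x200000000080ul,
                /*flags=O_DIRECT*/ 0x10000ul, /*mode=*/0ul);
  if (res != -1)
    r[0] = res;
  memcpy((void*)0x200000000080, ".\000", 2);
  res =
      syscall(SYS_open, /*file=*/0x200000000080ul, /*flags=*/0ul, /*mode=*/0ul);
  if (res != -1)
    r[1] = res;
  memcpy((void*)0x200000000080, ".\000", 2);
  res = syscall(SYS_open, /*file=*/0x200000000080ul, /*flags=O_NONBLOCK*/ 4ul,
                /*mode=*/0ul);
  if (res != -1)
    r[2] = res;
  memcpy((void*)0x200000000100, "./file1\000", 8);
  syscall(SYS_mkdirat, /*fd=*/r[2], /*path=*/0x200000000100ul,
          /*mode=S_IROTH|S_IWUSR*/ 0x84ul);
  memcpy((void*)0x200000000340, "./file0/file0\000", 14);
  memcpy((void*)0x200000000380, "./file1\000", 8);
  // Rename the nested directory ./file0/file0 over ./file1.
  syscall(SYS_renameat, /*oldfd=*/r[0], /*old=*/0x200000000340ul,
          /*newfd=*/r[1], /*new=*/0x200000000380ul);
}

int main(void)
{
  // Fixed 16 MiB RWX anonymous mapping at 0x200000000000; execute_one()
  // stages its syscall arguments inside it.
  syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  loop();
  return 0;
}
EOF
mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1

# Run the swap test case in the background for the duration of the test.
(cd ../testcases/swap; ./swap -t 3m -i 30 -l 100 > /dev/null 2>&1) &
sleep 5

# Each reproducer instance gets its own directory because the program
# creates ./file0, ./file0/file0 and ./file1 relative to its cwd.
work=/tmp/$prog.dir
rm -rf $work
mkdir $work || exit 1
cd $work || exit 1
for i in `jot 30`; do
	(
		mkdir d$i
		cd d$i
		timeout 3m /tmp/$prog > /dev/null 2>&1 &
	)
done
while pgrep -q $prog; do sleep 2; done
while pkill swap; do :; done
wait

rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core /tmp/$prog.?????? $work
exit 0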