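#!/bin/sh

# Regression test built around a syzkaller-generated C reproducer.
# The program below is compiled, then 30 copies are run for up to three
# minutes each while the stress2 "swap" test case runs in the background.
# The panic it was written for is recorded here:

# panic: freevnode: cannot lock vp 0xfffffe01634e4de0 for pollinfo destroy
# cpuid = 7
# time = 1762875612
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00ffce8bd0
# vpanic() at vpanic+0x136/frame 0xfffffe00ffce8d00
# panic() at panic+0x43/frame 0xfffffe00ffce8d60
# freevnode() at freevnode+0x536/frame 0xfffffe00ffce8dc0
# vput_final() at vput_final+0x96/frame 0xfffffe00ffce8e10
# inotify_reap() at inotify_reap+0x6e/frame 0xfffffe00ffce8e40
# taskqueue_run_locked() at taskqueue_run_locked+0x1c2/frame 0xfffffe00ffce8ec0
# taskqueue_thread_loop() at taskqueue_thread_loop+0xd3/frame 0xfffffe00ffce8ef0
# fork_exit() at fork_exit+0x82/frame 0xfffffe00ffce8f30
# fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00ffce8f30
# --- trap 0, rip = 0, rsp = 0, rbp = 0 ---
# KDB: enter: panic
# [ thread pid 0 tid 100045 ]
# Stopped at $0,0x12129d2(%rip)
# db> x/s version
# version: FreeBSD 16.0-CURRENT #0 main-n281796-e1c6f4cb9bd2-dirty: Tue Nov 11 10:53:40 CET 2025
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
# db>

[ "$(id -u)" -ne 0 ] && echo "Must be root!" && exit 1

# presumably provides mycc and other stress2 settings; not visible here
. ../default.cfg
set -u
prog=$(basename "$0" .sh)

# NOTE(review): this runs as root and uses fixed names under /tmp. The
# redirection below follows an existing symlink at that path, so the test
# belongs on a dedicated test host where /tmp is not writable by untrusted
# users.
#
# The here-document is unquoted: the shell still expands "$" and backticks
# inside it, which is why the generated comments spell "\$". Keep any text
# added to the C source free of both.
cat > "/tmp/$prog.c" <<EOF
// https://syzkaller.appspot.com/bug?id=8a22955cd068cf454dd8062d24e826c72b1c4542
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// syzbot+6676b3ff282d590b0fb3@syzkaller.appspotmail.com

#define _GNU_SOURCE

#include <sys/types.h>

#include <dirent.h>
#include <errno.h>
#include <pwd.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Fallback syscall numbers for build hosts whose headers predate them.
#ifndef SYS___specialfd
#define SYS___specialfd 577
#endif
#ifndef SYS_inotify_add_watch_at
#define SYS_inotify_add_watch_at 593
#endif

static __thread int clone_ongoing;
static __thread int skip_segv;
static __thread jmp_buf segv_env;

// SIGSEGV/SIGBUS handler. A fault is recovered (jump back into NONFAILING)
// only while skip_segv is non-zero and either the signal is SIGBUS or the
// faulting address lies outside the 1 MiB..100 MiB window; every other
// fault terminates the process with the signal number as exit status.
static void segv_handler(int sig, siginfo_t* info, void* ctx __unused)
{
  if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) {
    exit(sig);
  }
  uintptr_t addr = (uintptr_t)info->si_addr;
  const uintptr_t prog_start = 1 << 20;
  const uintptr_t prog_end = 100 << 20;
  int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0;
  int valid = addr < prog_start || addr > prog_end;
  if (sig == SIGBUS)
    valid = 1;
  if (skip && valid) {
    _longjmp(segv_env, 1);
  }
  exit(sig);
}

// Route SIGSEGV and SIGBUS to segv_handler. SA_NODEFER keeps the signal
// unblocked inside the handler, which leaves via _longjmp rather than
// returning.
static void install_segv_handler(void)
{
  struct sigaction sa;
  memset(&sa, 0, sizeof(sa));
  sa.sa_sigaction = segv_handler;
  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
  sigaction(SIGSEGV, &sa, NULL);
  sigaction(SIGBUS, &sa, NULL);
}

// Run a statement that may fault. Evaluates to 1 when it completed and to 0
// when segv_handler jumped back here. skip_segv is raised for the duration
// so the handler knows a recovery point is armed.
#define NONFAILING(...) \
  ({ \
    int ok = 1; \
    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \
    if (_setjmp(segv_env) == 0) { \
      __VA_ARGS__; \
    } else \
      ok = 0; \
    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \
    ok; \
  })

// SIGKILL the child and reap children until that pid is collected.
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  while (waitpid(-1, status, 0) != pid) {
  }
}

static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds; exits if the clock cannot be read.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Create ./syzkaller.XXXXXX under the current directory, make it mode 0777
// and chdir into it. The wrapper script starts each copy in its own
// directory, so the scratch tree ends up below the script's work directory.
static void use_temporary_dir(void)
{
  char tmpdir_template[] = "./syzkaller.XXXXXX";
  char* tmpdir = mkdtemp(tmpdir_template);
  if (!tmpdir)
    exit(1);
  if (chmod(tmpdir, 0777))
    exit(1);
  if (chdir(tmpdir))
    exit(1);
}

// Clear the nounlink, immutable and append file flags on filename (not
// following a final symlink) so it can be removed.
static void reset_flags(const char* filename)
{
  struct stat st;
  if (lstat(filename, &st))
    exit(1);
  st.st_flags &= ~(SF_NOUNLINK | UF_NOUNLINK | SF_IMMUTABLE | UF_IMMUTABLE |
                   SF_APPEND | UF_APPEND);
  if (lchflags(filename, st.st_flags))
    exit(1);
}
// Recursively delete dir. Entries are classified with lstat, so a symlink
// is unlinked rather than descended into. On EPERM the file flags are reset
// once and the removal retried; any other failure exits the process.
static void __attribute__((noinline)) remove_dir(const char* dir)
{
  DIR* dp = opendir(dir);
  if (dp == NULL) {
    if (errno == EACCES) {
      if (rmdir(dir))
        exit(1);
      return;
    }
    exit(1);
  }
  struct dirent* ep = 0;
  while ((ep = readdir(dp))) {
    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
      continue;
    char filename[FILENAME_MAX];
    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
    struct stat st;
    if (lstat(filename, &st))
      exit(1);
    if (S_ISDIR(st.st_mode)) {
      remove_dir(filename);
      continue;
    }
    if (unlink(filename)) {
      if (errno == EPERM) {
        reset_flags(filename);
        reset_flags(dir);
        if (unlink(filename) == 0)
          continue;
      }
      exit(1);
    }
  }
  closedir(dp);
  while (rmdir(dir)) {
    if (errno == EPERM) {
      reset_flags(dir);
      if (rmdir(dir) == 0)
        break;
    }
    exit(1);
  }
}

static void execute_one(void);

#define WAIT_FLAGS 0

// Driver: forever create ./<iter>, fork a child that runs execute_one()
// inside it, poll every 10 ms for the child to exit, SIGKILL it after
// 5000 ms, then delete the directory. The loop has no exit of its own; the
// wrapper script bounds the run time.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    char cwdbuf[32];
    sprintf(cwdbuf, "./%d", iter);
    if (mkdir(cwdbuf, 0777))
      exit(1);
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      if (chdir(cwdbuf))
        exit(1);
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      sleep_ms(10);
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
    remove_dir(cwdbuf);
  }
}

uint64_t r[1] = {0xffffffffffffffff};

// One iteration of the generated syscall sequence. Arguments live in the
// fixed mapping that main() creates at 0x200000000000; syscall results are
// ignored except for the inotify descriptor kept in r[0].
void execute_one(void)
{
  intptr_t res = 0;
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  //  openat\$evdev arguments: [
  //    fd: const = 0xffffffffffffff9c (8 bytes)
  //    file: ptr[in, buffer] {
  //      buffer: {2f 64 65 76 2f 69 6e 70 75 74 2f 65 76 65 6e 74 4e 00}
  //      (length 0x12)
  //    }
  //    flags: open_flags = 0x100 (8 bytes)
  //    mode: const = 0x0 (8 bytes)
  //  ]
  //  returns fd_evdev
  NONFAILING(memcpy((void*)0x200000000040, "/dev/input/eventN\000", 18));
  syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000040ul,
          /*flags=O_NOFOLLOW*/ 0x100ul, /*mode=*/0ul);
  //  kqueue arguments: [
  //  ]
  //  returns kqueue
  syscall(SYS_kqueue);
  //  pipe2 arguments: [
  //    pipefd: ptr[out, pipefd] {
  //      pipefd {
  //        rfd: fd (resource)
  //        wfd: fd (resource)
  //      }
  //    }
  //    flags: pipe_flags = 0x0 (8 bytes)
  //  ]
  syscall(SYS_pipe2, /*pipefd=*/0x200000000480ul, /*flags=*/0ul);
  //  socket\$unix arguments: [
  //    domain: const = 0x1 (8 bytes)
  //    type: unix_socket_type = 0x5 (8 bytes)
  //    proto: const = 0x0 (1 bytes)
  //  ]
  //  returns sock_unix
  syscall(SYS_socket, /*domain=*/1ul, /*type=SOCK_SEQPACKET*/ 5ul, /*proto=*/0);
  //  kqueue arguments: [
  //  ]
  //  returns kqueue
  syscall(SYS_kqueue);
  //  mprotect arguments: [
  //    addr: VMA[0x2000]
  //    len: len = 0x2000 (8 bytes)
  //    prot: mmap_prot = 0x5 (8 bytes)
  //  ]
  // NOTE(review): this drops PROT_WRITE on the first 0x2000 bytes of the
  // mapping, which covers 0x200000000000, 0x200000000040 and
  // 0x200000000180. The NONFAILING stores below presumably fault and are
  // skipped, so the later syscalls would see the earlier buffer contents
  // rather than the strings named in the generated comments. Confirm on a
  // test kernel before relying on those comments.
  syscall(SYS_mprotect, /*addr=*/0x200000000000ul, /*len=*/0x2000ul,
          /*prot=PROT_READ|PROT_EXEC*/ 5ul);
  //  symlink arguments: [
  //    old: ptr[in, buffer] {
  //      buffer: {2e 00} (length 0x2)
  //    }
  //    new: ptr[in, buffer] {
  //      buffer: {2e 2f 66 69 6c 65 30 00} (length 0x8)
  //    }
  //  ]
  NONFAILING(memcpy((void*)0x200000000000, ".\000", 2));
  NONFAILING(memcpy((void*)0x200000000040, "./file0\000", 8));
  syscall(SYS_symlink, /*old=*/0x200000000000ul, /*new=*/0x200000000040ul);
  //  __specialfd\$inotify arguments: [
  //    type: const = 0x2 (8 bytes)
  //    req: ptr[in, specialfd_inotify] {
  //      specialfd_inotify {
  //        flags: inotify_flags = 0x0 (4 bytes)
  //      }
  //    }
  //    len: len = 0x4 (8 bytes)
  //  ]
  //  returns fd_inotify
  NONFAILING(*(uint32_t*)0x200000000180 = 0);
  res = syscall(SYS___specialfd, /*type=*/2ul, /*req=*/0x200000000180ul,
                /*len=*/4ul);
  if (res != -1)
    r[0] = res;
  //  inotify_add_watch_at arguments: [
  //    fd: fd_inotify (resource)
  //    dfd: fd_dir (resource)
  //    file: ptr[in, buffer] {
  //      buffer: {2e 2f 66 69 6c 65 30 61 61 61 61 61 61 61 61 61 61 61 61 61
  //      61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61
  //      61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61
  //      61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61
  //      61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61
  //      61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61
  //      61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61
  //      61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61
  //      61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61
  //      61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61
  //      61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 2f 66
  //      69 6c 65 30 00} (length 0xff)
  //    }
  //    mask: inotify_mask = 0x82000204 (8 bytes)
  //  ]
  //  returns inotifydesc
  NONFAILING(
      memcpy((void*)0x200000000040,
             "./"
             "file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
             "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
             "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
             "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/file0\000",
             255));
  syscall(SYS_inotify_add_watch_at, /*fd=*/r[0], /*dfd=*/(intptr_t)-1,
          /*file=*/0x200000000040ul,
          /*mask=IN_ONESHOT|IN_DONT_FOLLOW|IN_DELETE|IN_ATTRIB*/ 0x82000204ul);
  //  unlink arguments: [
  //    path: ptr[in, buffer] {
  //      buffer: {2e 2f 66 69 6c 65 30 00} (length 0x8)
  //    }
  //  ]
  NONFAILING(memcpy((void*)0x200000000040, "./file0\000", 8));
  syscall(SYS_unlink, /*path=*/0x200000000040ul);
}
// Map the fixed 16 MiB argument area used by execute_one(), install the
// fault handler, enter a fresh scratch directory and run the driver loop.
int main(void)
{
  syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;
  (void)reason;
  install_segv_handler();
  use_temporary_dir();
  loop();
  return 0;
}
EOF
mycc -o "/tmp/$prog" -Wall -Wextra -O0 "/tmp/$prog.c" -lpthread || exit 1

# Background load for the duration of the test; output is discarded.
(cd ../testcases/swap; ./swap -t 3m -i 30 -l 100 > /dev/null 2>&1) &
sleep 5

work="/tmp/$prog.dir"
rm -rf "$work"
# Stop here if the work directory cannot be created or entered: running on
# would start the test programs, and later the cleanup, as root from
# whatever directory the script happened to be in.
if ! mkdir "$work" || ! cd "$work"; then
	while pkill swap; do :; done
	wait
	rm -rf "/tmp/$prog" "/tmp/$prog.c"
	exit 1
fi
for i in $(jot 30); do
	(
		# Skip this instance rather than run it in the shared parent
		# directory when its private directory is unavailable.
		mkdir "d$i" && cd "d$i" || exit 1
		timeout 3m "/tmp/$prog" > /dev/null 2>&1 &
	)
done
# The test programs were started from subshells, so "wait" does not cover
# them; poll by process name until every copy has exited.
while pgrep -q "$prog"; do sleep 2; done
while pkill swap; do :; done
wait

# The /tmp/syzkaller.?????? glob is kept from the original cleanup; the
# scratch directories made by this build live under $work.
rm -rf "/tmp/$prog" "/tmp/$prog.c" "/tmp/$prog.core" /tmp/syzkaller.?????? "$work"
exit 0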