1#!/bin/sh 2 3# panic: proc_dtor: non-empty p_ktr 4# cpuid = 1 5# time = 1768834000 6# KDB: stack backtrace: 7# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0167884910 8# vpanic() at vpanic+0x136/frame 0xfffffe0167884a40 9# panic() at panic+0x43/frame 0xfffffe0167884aa0 10# proc_dtor() at proc_dtor+0x2cb/frame 0xfffffe0167884ae0 11# uma_zfree_arg() at uma_zfree_arg+0xaa/frame 0xfffffe0167884b30 12# proc_reap() at proc_reap+0x5b0/frame 0xfffffe0167884b70 13# proc_to_reap() at proc_to_reap+0x3be/frame 0xfffffe0167884bc0 14# kern_wait6() at kern_wait6+0x1ab/frame 0xfffffe0167884c60 15# sys_wait6() at sys_wait6+0x9f/frame 0xfffffe0167884e00 16# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe0167884f30 17# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0167884f30 18# --- syscall (532, FreeBSD ELF64, wait6), rip = 0x3228e1de521a, rsp = 0x3228e0f6e308, rbp = 0x3228e0f6e350 --- 19# KDB: enter: panic 20# [ thread pid 67906 tid 768579 ] 21# Stopped at kdb_enter+0x33: movq $0,0x11e6bc2(%rip) 22# db> x/s version 23# version: FreeBSD 16.0-CURRENT #0 main-n283239-11f954b021a1-dirty: Sun Jan 18 21:26:45 CET 2026 24# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO 25# db> 26 27# Fixed by: 6bb3f208617b - main - ktrace: do not enqueue request if the process' ktrioparams are freed 28 29[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 30 31. ../default.cfg 32set -u 33prog=$(basename "$0" .sh) 34cat > /tmp/$prog.c <<EOF 35// https://syzkaller.appspot.com/bug?id=2212d848f78d472dfeaec7a3cc9f5a31e2a44f42 36// autogenerated by syzkaller (https://github.com/google/syzkaller) 37// Reported-by: syzbot+25dabe4046a645a0566c@syzkaller.appspotmail.com 38 39#define _GNU_SOURCE 40 41#include <sys/types.h> 42 43#include <pwd.h> 44#include <signal.h> 45#include <stdarg.h> 46#include <stdbool.h> 47#include <stdint.h> 48#include <stdio.h> 49#include <stdlib.h> 50#include <string.h> 51#include <sys/endian.h> 52#include <sys/syscall.h> 53#include <sys/wait.h> 54#include <time.h> 55#include <unistd.h> 56 57static unsigned long long procid; 58 59static void kill_and_wait(int pid, int* status) 60{ 61 kill(pid, SIGKILL); 62 while (waitpid(-1, status, 0) != pid) { 63 } 64} 65 66static void sleep_ms(uint64_t ms) 67{ 68 usleep(ms * 1000); 69} 70 71static uint64_t current_time_ms(void) 72{ 73 struct timespec ts; 74 if (clock_gettime(CLOCK_MONOTONIC, &ts)) 75 exit(1); 76 return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; 77} 78 79static void execute_one(void); 80 81#define WAIT_FLAGS 0 82 83static void loop(void) 84{ 85 alarm(240); /* Added by pho */ 86 for (;;) { 87 int pid = fork(); 88 if (pid < 0) 89 exit(1); 90 if (pid == 0) { 91 execute_one(); 92 exit(0); 93 } 94 int status = 0; 95 uint64_t start = current_time_ms(); 96 for (;;) { 97 sleep_ms(10); 98 if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) 99 break; 100 if (current_time_ms() - start < 5000) 101 continue; 102 kill_and_wait(pid, &status); 103 break; 104 } 105 } 106} 107 108uint64_t r[3] = {0xffffffffffffffff, 0x0, 0xffffffffffffffff}; 109 110void execute_one(void) 111{ 112 intptr_t res = 0; 113 if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { 114 } 115 // open\$dir arguments: [ 116 // file: ptr[in, buffer] { 117 // buffer: {2e 2f 66 69 6c 65 30 00} (length 0x8) 118 // } 119 // flags: open_flags = 0x200 (8 bytes) 120 // mode: open_mode = 0x19c (8 bytes) 121 // ] 122 // returns fd_dir 123 memcpy((void*)0x200000000040, "./file0\000", 8); 124 syscall(SYS_open, /*file=*/0x200000000040ul, /*flags=O_CREAT*/ 0x200ul, 125 /*mode=S_IROTH|S_IXGRP|S_IWGRP|S_IWUSR|S_IRUSR*/ 0x19cul); 126 // setreuid arguments: [ 127 // ruid: uid (resource) 128 // euid: uid (resource) 129 // ] 130 syscall(SYS_setreuid, /*ruid=*/0xee00, /*euid=*/0); 131 // chown arguments: [ 132 // file: nil 133 // uid: uid (resource) 134 // gid: gid (resource) 135 // ] 136 syscall(SYS_chown, /*file=*/0ul, /*uid=*/0, /*gid=*/0); 137 // kqueue arguments: [ 138 // ] 139 // returns kqueue 140 res = syscall(SYS_kqueue); 141 if (res != -1) 142 r[0] = res; 143 // kevent arguments: [ 144 // kqueue: kqueue (resource) 145 // changelist: ptr[in, array[kevent]] { 146 // array[kevent] { 147 // kevent { 148 // ident: intptr = 0x0 (8 bytes) 149 // filter: filters = 0xfffffffffffffff9 (2 bytes) 150 // flags: evflags = 0x8009 (2 bytes) 151 // fflags: fflags = 0x8 (4 bytes) 152 // data: int64 = 0xe8c5 (8 bytes) 153 // udata: intptr = 0x0 (8 bytes) 154 // ext: array[int64] { 155 // int64 = 0x7ffffffffc (8 bytes) 156 // int64 = 0xfffffffffffffffc (8 bytes) 157 // int64 = 0x7 (8 bytes) 158 // int64 = 0x40000000000000 (8 bytes) 159 // } 160 // } 161 // } 162 // } 163 // nchanges: len = 0x1 (8 bytes) 164 // eventlist: nil 165 // nevents: len = 0x0 (8 bytes) 166 // timeout: nil 167 // ] 168 *(uint64_t*)0x200000000040 = 0; 169 *(uint16_t*)0x200000000048 = 0xfff9; 170 *(uint16_t*)0x20000000004a = 0x8009; 171 *(uint32_t*)0x20000000004c = 8; 172 *(uint64_t*)0x200000000050 = 0xe8c5; 173 *(uint64_t*)0x200000000058 = 0; 174 *(uint64_t*)0x200000000060 = 0x7ffffffffc; 175 *(uint64_t*)0x200000000068 = 0xfffffffffffffffc; 176 *(uint64_t*)0x200000000070 = 7; 177 *(uint64_t*)0x200000000078 = 0x40000000000000; 178 syscall(SYS_kevent, /*kqueue=*/r[0], /*changelist=*/0x200000000040ul, 179 /*nchanges=*/1ul, /*eventlist=*/0ul, /*nevents=*/0ul, 180 /*timeout=*/0ul); 181 // extattr_delete_fd arguments: [ 182 // fd: fd (resource) 183 // attrnamespace: attrnamespace_flags = 0x0 (8 bytes) 184 // attrname: ptr[in, buffer] { 185 // buffer: {27 17 2e 29 23 00} (length 0x6) 186 // } 187 // ] 188 memcpy((void*)0x2000000001c0, "\'\027.)#\000", 6); 189 syscall(SYS_extattr_delete_fd, /*fd=*/r[0], /*attrnamespace=*/0ul, 190 /*attrname=*/0x2000000001c0ul); 191 // freebsd11_mknod arguments: [ 192 // file: ptr[in, buffer] { 193 // buffer: {2e 2f 66 69 6c 65 30 00} (length 0x8) 194 // } 195 // mod: mknod_mode = 0x1000 (8 bytes) 196 // dev: int32 = 0x0 (4 bytes) 197 // ] 198 memcpy((void*)0x2000000000c0, "./file0\000", 8); 199 syscall(SYS_freebsd11_mknod, /*file=*/0x2000000000c0ul, 200 /*mod=S_IFIFO*/ 0x1000ul, /*dev=*/0); 201 // freebsd10_pipe arguments: [ 202 // pipefd: nil 203 // ] 204 syscall(SYS_freebsd10_pipe, /*pipefd=*/0ul); 205 // ksem_init arguments: [ 206 // idp: ptr[out, semid] { 207 // semid (resource) 208 // } 209 // value: int32 = 0x0 (4 bytes) 210 // ] 211 res = syscall(SYS_ksem_init, /*idp=*/0x200000000100ul, /*value=*/0); 212 if (res != -1) 213 r[1] = *(uint64_t*)0x200000000100; 214 // ksem_post arguments: [ 215 // id: semid (resource) 216 // ] 217 syscall(SYS_ksem_post, /*id=*/r[1]); 218 // openat\$bpf arguments: [ 219 // fd: const = 0xffffffffffffff9c (8 bytes) 220 // file: ptr[in, buffer] { 221 // buffer: {2f 64 65 76 2f 62 70 66 00} (length 0x9) 222 // } 223 // flags: open_flags = 0x40 (8 bytes) 224 // mode: const = 0x0 (8 bytes) 225 // ] 226 // returns fd_bpf 227 memcpy((void*)0x200000000040, "/dev/bpf\000", 9); 228 syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000040ul, 229 /*flags=FASYNC*/ 0x40ul, /*mode=*/0ul); 230 // kqueue arguments: [ 231 // ] 232 // returns kqueue 233 res = syscall(SYS_kqueue); 234 if (res != -1) 235 r[2] = res; 236 // kevent arguments: [ 237 // kqueue: kqueue (resource) 238 // changelist: nil 239 // nchanges: len = 0x0 (8 bytes) 240 // eventlist: nil 241 // nevents: len = 0x0 (8 bytes) 242 // timeout: nil 243 // ] 244 syscall(SYS_kevent, /*kqueue=*/r[2], /*changelist=*/0ul, /*nchanges=*/0ul, 245 /*eventlist=*/0ul, /*nevents=*/0ul, /*timeout=*/0ul); 246 // ktrace arguments: [ 247 // path: ptr[in, buffer] { 248 // buffer: {2e 2f 66 69 6c 65 30 00} (length 0x8) 249 // } 250 // ops: ktrace_ops = 0x4 (8 bytes) 251 // trpoints: ktrace_trpoints = 0x94659db2cce5c9d8 (8 bytes) 252 // pid: pid (resource) 253 // ] 254 memcpy((void*)0x2000000000c0, "./file0\000", 8); 255 syscall( 256 SYS_ktrace, /*path=*/0x2000000000c0ul, /*ops=KTRFLAG_DESCEND*/ 4ul, 257 /*trpoints=KTRFAC_INHERIT|KTRFAC_FAULTEND|KTRFAC_PROCDTOR|KTRFAC_STRUCT|KTRFAC_USER|KTRFAC_CSW|KTRFAC_GENIO|0x94659db28ce58008*/ 258 0x94659db2cce5c9d8ul, /*pid=*/0); 259 // rfork arguments: [ 260 // flags: rfork_flags = 0x96014 (8 bytes) 261 // ] 262 syscall(SYS_rfork, 263 /*flags=RFLINUXTHPN|RFTSIGZMB|RFSIGSHARE|RFTHREAD|RFFDG|RFPROC*/ 264 0x96014ul); 265 // ktrace arguments: [ 266 // path: ptr[in, buffer] { 267 // buffer: {2e 2f 66 69 6c 65 30 00} (length 0x8) 268 // } 269 // ops: ktrace_ops = 0x2 (8 bytes) 270 // trpoints: ktrace_trpoints = 0x180 (8 bytes) 271 // pid: pid (resource) 272 // ] 273 memcpy((void*)0x200000000000, "./file0\000", 8); 274 syscall(SYS_ktrace, /*path=*/0x200000000000ul, /*ops=KTROP_CLEARFILE*/ 2ul, 275 /*trpoints=KTRFAC_STRUCT|KTRFAC_USER*/ 0x180ul, /*pid=*/0); 276} 277int main(void) 278{ 279 syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, 280 /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, 281 /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul, 282 /*fd=*/(intptr_t)-1, /*offset=*/0ul); 283 const char* reason; 284 (void)reason; 285 for (procid = 0; procid < 4; procid++) { 286 if (fork() == 0) { 287 loop(); 288 } 289 } 290 sleep(1000000); 291 return 0; 292} 293EOF 294mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c -lpthread || exit 1 295 296(cd ../testcases/swap; ./swap -t 3m -i 30 -l 100 > /dev/null 2>&1) & 297sleep 5 298 299kldstat | grep -q sem && loaded=0 || { kldload sem.ko && loaded=1; } 300work=/tmp/$prog.dir 301rm -rf $work 302mkdir $work 303cd /tmp/$prog.dir 304for i in `jot 30`; do 305 ( 306 mkdir d$i 307 cd d$i 308 timeout 3m /tmp/$prog > /dev/null 2>&1 & 309 ) 310done 311while pgrep -q $prog; do sleep 2; done 312while pkill swap; do :; done 313wait 314 315rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core $work 316[ $loaded -eq 1 ] && kldunload sem.ko 317exit 0 318