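#!/bin/sh

# Kernel page fault with the following non-sleepable locks held:
# exclusive sleep mutex CAM device lock (CAM device lock) r = 0 (0xfffff80006ad2cd0) locked @ cam/scsi/scsi_pass.c:1766
# stack backtrace:
# #0 0xffffffff80c4787c at witness_debugger+0x6c
# #1 0xffffffff80c49189 at witness_warn+0x4c9
# #2 0xffffffff81131d8c at trap_pfault+0x8c
# #3 0xffffffff811015a8 at calltrap+0x8
# #4 0xffffffff8039de7c at cam_periph_runccb+0xec
# #5 0xffffffff803d9160 at passsendccb+0x160
# #6 0xffffffff803d8821 at passdoioctl+0x3a1
# #7 0xffffffff803d8102 at passioctl+0x22
# #8 0xffffffff80a413b1 at devfs_ioctl+0xd1
# #9 0xffffffff81204821 at VOP_IOCTL_APV+0x51
# #10 0xffffffff80cf0890 at vn_ioctl+0x160
# #11 0xffffffff80a41a7e at devfs_ioctl_f+0x1e
# #12 0xffffffff80c4e3c1 at kern_ioctl+0x2a1
# #13 0xffffffff80c4e0bf at sys_ioctl+0x12f
# #14 0xffffffff811327d9 at amd64_syscall+0x169
# #15 0xffffffff81101e9b at fast_syscall_common+0xf8
#
#
# Fatal trap 12: page fault while in kernel mode
# cpuid = 9; apic id = 09
# fault virtual address   = 0x50
# fault code              = supervisor read data, page not present
# instruction pointer     = 0x20:0xffffffff803a1e9c
# stack pointer           = 0x28:0xfffffe01001f2930
# frame pointer           = 0x28:0xfffffe01001f2970
# code segment            = base 0x0, limit 0xfffff, type 0x1b
#                         = DPL 0, pres 1, long 1, def32 0, gran 1
# processor eflags        = interrupt enabled, resume, IOPL = 0
# current process         = 3759 (syzkaller91)
# rdi: fffff80006ac0800 rsi: 0000000000000004 rdx: ffffffff81250a83
# rcx: 0000000000000010  r8: 0000000000000008  r9: 0000000000000000
# rax: 0000000000000010 rbx: fffff80006ac0800 rbp: fffffe01001f2970
# r10: fffff80006ac08c8 r11: 0000000000000001 r12: 0000000000000001
# r13: fffff80006ac0848 r14: fffff80006b9d2c0 r15: 0000000000000000
# trap number             = 12
# panic: page fault
# cpuid = 9
# time = 1773832077
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01001f2660
# vpanic() at vpanic+0x136/frame 0xfffffe01001f2790
# panic() at panic+0x43/frame 0xfffffe01001f27f0
# trap_pfault() at trap_pfault+0x422/frame 0xfffffe01001f2860
# calltrap() at calltrap+0x8/frame 0xfffffe01001f2860
# --- trap 0xc, rip = 0xffffffff803a1e9c, rsp = 0xfffffe01001f2930, rbp = 0xfffffe01001f2970 ---
# xpt_action_default() at xpt_action_default+0x80c/frame 0xfffffe01001f2970
# cam_periph_runccb() at cam_periph_runccb+0xec/frame 0xfffffe01001f2ac0
# passsendccb() at passsendccb+0x160/frame 0xfffffe01001f2b30
# passdoioctl() at passdoioctl+0x3a1/frame 0xfffffe01001f2b80
# passioctl() at passioctl+0x22/frame 0xfffffe01001f2bc0
# devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe01001f2c10
# VOP_IOCTL_APV() at VOP_IOCTL_APV+0x51/frame 0xfffffe01001f2c40
# vn_ioctl() at vn_ioctl+0x160/frame 0xfffffe01001f2cb0
# devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe01001f2cd0
# kern_ioctl() at kern_ioctl+0x2a1/frame 0xfffffe01001f2d40
# sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe01001f2e00
# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe01001f2f30
# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01001f2f30
# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x823e6feca, rsp = 0x820c6d558, rbp = 0x820c6d580 ---
# KDB: enter: panic
# [ thread pid 3759 tid 100348 ]
# Stopped at kdb_enter+0x33: movq $0,0x15e9d32(%rip)
# db> x/s version
# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
# db>

# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
# [Bug 293890] Fatal trap NUM: page fault while in kernel mode in cam_periph_runccb

# Regression test: sends a CAMIOCOMMAND ioctl carrying a user-controlled CCB
# header to /dev/pass0.  A fixed kernel returns an error to the caller; the
# kernel in the log above panicked in xpt_action_default() under the CAM
# device lock, reached through passsendccb() -> cam_periph_runccb().

[ $(id -u) -ne 0 ] && echo "Must be root!" && exit 1

. ../default.cfg
set -u
prog=$(basename "$0" .sh)

# The reproducer opens /dev/pass0 and, if that fails, issues the ioctl on an
# invalid descriptor (EBADF) -- i.e. it would silently test nothing.  Skip
# cleanly on hosts without a pass(4) device node.
[ -c /dev/pass0 ] || exit 0

# Quoted delimiter: the C source is written out verbatim, so the syzkaller
# comments containing '$' and the "\x.." byte strings need no shell escaping.
cat > /tmp/$prog.c <<'EOF'
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <unistd.h>

uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;
  (void)reason;
  intptr_t res = 0;
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  // openat$pass_pass_cdevsw arguments: [
  //   fd: const = 0xffffffffffffff9c (8 bytes)
  //   file: ptr[in, buffer] {
  //     buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
  //   }
  //   flags: open_flags = 0x2 (4 bytes)
  //   mode: const = 0x0 (4 bytes)
  // ]
  // returns fd_pass_pass_cdevsw
  memcpy((void*)0x200000000100, "/dev/pass0\000", 11);
  res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
                /*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
  if (res != -1)
    r[0] = res;
  // ioctl$CAMIOCOMMAND_pass_cdevsw arguments: [
  //   fd: fd_pass_pass_cdevsw (resource)
  //   cmd: const = 0xc4e01a02 (8 bytes)
  //   arg: ptr[inout, ccb$pass_cdevsw] {
  //     union ccb$pass_cdevsw {
  //       ccb_h: ccb_hdr$pass_cdevsw {
  //         pinfo: cam_pinfo$pass_cdevsw {
  //           priority: int32 = 0x5 (4 bytes)
  //           generation: int32 = 0x2 (4 bytes)
  //           index: int32 = 0x3 (4 bytes)
  //         }
  //         pad = 0x0 (4 bytes)
  //         xpt_links: camq_entry$pass_cdevsw {
  //           links_next: intptr = 0xb (8 bytes)
  //           priority: int32 = 0x6 (4 bytes)
  //           pad = 0x0 (4 bytes)
  //         }
  //         sim_links: camq_entry$pass_cdevsw {
  //           links_next: intptr = 0x8 (8 bytes)
  //           priority: int32 = 0x6 (4 bytes)
  //           pad = 0x0 (4 bytes)
  //         }
  //         periph_links: camq_entry$pass_cdevsw {
  //           links_next: intptr = 0xfe (8 bytes)
  //           priority: int32 = 0x6 (4 bytes)
  //           pad = 0x0 (4 bytes)
  //         }
  //         retry_count: int16 = 0x3 (2 bytes)
  //         alloc_flags: int16 = 0x5 (2 bytes)
  //         pad = 0x0 (4 bytes)
  //         cbfcnp: intptr = 0xbfc (8 bytes)
  //         func_code: int32 = 0x10 (4 bytes)
  //         status: int32 = 0x4 (4 bytes)
  //         path: intptr = 0x5 (8 bytes)
  //         path_id: int32 = 0x0 (4 bytes)
  //         target_id: int32 = 0x2 (4 bytes)
  //         target_lun: int64 = 0x7e2 (8 bytes)
  //         flags: int32 = 0x8 (4 bytes)
  //         xflags: int32 = 0x3 (4 bytes)
  //         periph_priv: buffer: {bc 09 6b 26 d7 02 3b 02 06 84 bf 81 a9 85 11
  //         50} (length 0x10) sim_priv: buffer: {a5 da 75 ef af 1d 7f d5 40 94
  //         02 67 14 f6 36 17} (length 0x10) qos: buffer: {74 70 33 74 c5 58
  //         85 93 b4 d5 75 39 9f 79 94 a4} (length 0x10) timeout: int32 = 0x2
  //         (4 bytes) pad = 0x0 (4 bytes) softtimeout: timeval {
  //           sec: intptr = 0x6e (8 bytes)
  //           usec: intptr = 0x400 (8 bytes)
  //         }
  //       }
  //     }
  //   }
  // ]
  *(uint32_t*)0x200000000240 = 5;
  *(uint32_t*)0x200000000244 = 2;
  *(uint32_t*)0x200000000248 = 3;
  *(uint64_t*)0x200000000250 = 0xb;
  *(uint32_t*)0x200000000258 = 6;
  *(uint64_t*)0x200000000260 = 8;
  *(uint32_t*)0x200000000268 = 6;
  *(uint64_t*)0x200000000270 = 0xfe;
  *(uint32_t*)0x200000000278 = 6;
  *(uint16_t*)0x200000000280 = 3;
  *(uint16_t*)0x200000000282 = 5;
  *(uint64_t*)0x200000000288 = 0xbfc;
  *(uint32_t*)0x200000000290 = 0x10;
  *(uint32_t*)0x200000000294 = 4;
  *(uint64_t*)0x200000000298 = 5;
  *(uint32_t*)0x2000000002a0 = 0;
  *(uint32_t*)0x2000000002a4 = 2;
  *(uint64_t*)0x2000000002a8 = 0x7e2;
  *(uint32_t*)0x2000000002b0 = 8;
  *(uint32_t*)0x2000000002b4 = 3;
  memcpy((void*)0x2000000002b8,
         "\xbc\x09\x6b\x26\xd7\x02\x3b\x02\x06\x84\xbf\x81\xa9\x85\x11\x50",
         16);
  memcpy((void*)0x2000000002c8,
         "\xa5\xda\x75\xef\xaf\x1d\x7f\xd5\x40\x94\x02\x67\x14\xf6\x36\x17",
         16);
  memcpy((void*)0x2000000002d8,
         "\x74\x70\x33\x74\xc5\x58\x85\x93\xb4\xd5\x75\x39\x9f\x79\x94\xa4",
         16);
  *(uint32_t*)0x2000000002e8 = 2;
  *(uint64_t*)0x2000000002f0 = 0x6e;
  *(uint64_t*)0x2000000002f8 = 0x400;
  syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0xc4e01a02ul,
          /*arg=*/0x200000000240ul);
  return 0;
}
EOF
mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1

# Bounded run; the reproducer itself exits immediately after the single
# ioctl, the timeout only guards against the call hanging in the kernel.
timeout 3m /tmp/$prog > /dev/null 2>&1

rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
exit 0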