#!/bin/sh

# panic: ata_action: ccb 0xfffff80347e777b8, func_code 0x1 should not be allocated from UMA zone
# cpuid = 1
# time = 1773837671
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0100044980
# vpanic() at vpanic+0x136/frame 0xfffffe0100044ab0
# panic() at panic+0x43/frame 0xfffffe0100044b10
# ata_action() at ata_action+0x3bd/frame 0xfffffe0100044b30
# passdoioctl() at passdoioctl+0x9be/frame 0xfffffe0100044b80
# passioctl() at passioctl+0x22/frame 0xfffffe0100044bc0
# devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe0100044c10
# VOP_IOCTL_APV() at VOP_IOCTL_APV+0x51/frame 0xfffffe0100044c40
# vn_ioctl() at vn_ioctl+0x160/frame 0xfffffe0100044cb0
# devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe0100044cd0
# kern_ioctl() at kern_ioctl+0x2a1/frame 0xfffffe0100044d40
# sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe0100044e00
# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe0100044f30
# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0100044f30
# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x823bc5eca, rsp = 0x820d83df8, rbp = 0x820d83e20 ---
# KDB: enter: panic
# [ thread pid 4628 tid 100215 ]
# Stopped at      kdb_enter+0x33: movq    $0,0x15e9d32(%rip)
# db> x/s version
# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
# db>

# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
# Bug 293895 - panic: ata_action: ccb ADDR, func_code XXX should not be allocated from UMA zone

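# The reproducer opens /dev/pass0 and attempts a mount, both root-only.
[ "$(id -u)" -ne 0 ] && echo "Must be root!" && exit 1

. ../default.cfg
set -u
prog=$(basename "$0" .sh)
# The reproducer below hard-codes /dev/pass0.  Without a CAM pass device
# the openat fails, r[0] keeps its initial -1 and the CAMIOQUEUE ioctl is
# issued on an invalid descriptor, so the bug is never exercised.  Skip
# explicitly rather than report a silent pass.
[ -c /dev/pass0 ] || exit 0
cat > /tmp/$prog.c <<EOF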
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <unistd.h>

// syzkaller resource table: r[0] receives the /dev/pass0 descriptor when
// the openat in main() succeeds and otherwise keeps this all-ones value.
uint64_t r[1] = {0xffffffffffffffff};

// Regression reproducer for Bug 293895.  Every pointer handed to the
// kernel below lives in one fixed mapping at 0x200000000000; as is usual
// for generated reproducers, syscall results are not checked unless a
// later step needs them.
int main(void)
{
  // Map the fixed 16 MiB region (RWX, MAP_FIXED) used as scratch space.
  syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;
  (void)reason;
  intptr_t res = 0;
  // Progress marker on stdout; the driving script sends it to /dev/null.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  //  sigaction arguments: [
  //    signo: int32 = 0x68 (4 bytes)
  //    act: ptr[in, sigaction] {
  //      sigaction {
  //        sigaction_u: nil
  //        sa_flags: sigaction_flags = 0x2 (4 bytes)
  //        sa_mask: sigset {
  //          mask: array[int32] {
  //            int32 = 0xe4 (4 bytes)
  //            int32 = 0x1 (4 bytes)
  //            int32 = 0x4000a (4 bytes)
  //            int32 = 0xe (4 bytes)
  //          }
  //        }
  //        pad = 0x0 (4 bytes)
  //      }
  //    }
  //    oact: nil
  //  ]
  // Lay out the struct sigaction described above at 0x...40 and install
  // it for signal 0x68; the outcome is not used by later steps.
  *(uint64_t*)0x200000000040 = 0;
  *(uint32_t*)0x200000000048 = 2;
  *(uint32_t*)0x20000000004c = 0xe4;
  *(uint32_t*)0x200000000050 = 1;
  *(uint32_t*)0x200000000054 = 0x4000a;
  *(uint32_t*)0x200000000058 = 0xe;
  syscall(SYS_sigaction, /*signo=*/0x68, /*act=*/0x200000000040ul,
          /*oact=*/0ul);
  //  mount\$nfs_newnfs_vnodeops_nosig arguments: [
  //    fstype: ptr[in, buffer] {
  //      buffer: {6e 66 73 00} (length 0x4)
  //    }
  //    dir: ptr[in, buffer] {
  //      buffer: {2e 2f 66 69 6c 65 30 00} (length 0x8)
  //    }
  //    mnt_flags: mount_flags = 0x0 (4 bytes)
  //    data: ptr[in, nfs_args\$newnfs_vnodeops_nosig] {
  //      nfs_args\$newnfs_vnodeops_nosig {
  //        version: const = 0x3 (4 bytes)
  //        pad = 0x0 (4 bytes)
  //        addr: nil
  //        addrlen: len = 0x0 (4 bytes)
  //        sotype: sock_type_newnfs_vnodeops_nosig = 0x2 (4 bytes)
  //        proto: int32 = 0x4010003 (4 bytes)
  //        pad = 0x0 (4 bytes)
  //        fh: nil
  //        fhsize: len = 0x0 (4 bytes)
  //        nfs_flags: nfs_mount_flags_newnfs_vnodeops_nosig = 0x8cc006 (4
  //        bytes) wsize: int32 = 0x7fff (4 bytes) rsize: int32 = 0xaf8 (4
  //        bytes) readdirsize: int32 = 0x9 (4 bytes) timeo: int32 = 0x3 (4
  //        bytes) retrans: int32 = 0x800 (4 bytes) maxgrouplist: int32 = 0x9 (4
  //        bytes) readahead: int32 = 0x1 (4 bytes) wcommitsize: int32 = 0x7 (4
  //        bytes) deadthresh: int32 = 0x1 (4 bytes) pad = 0x0 (4 bytes)
  //        hostname: nil
  //        acregmin: int32 = 0x204 (4 bytes)
  //        acregmax: int32 = 0x0 (4 bytes)
  //        acdirmin: int32 = 0xfffffff6 (4 bytes)
  //        acdirmax: int32 = 0x3 (4 bytes)
  //      }
  //    }
  //  ]
  // Attempt an NFS mount of ./file0 (relative to the cwd the script runs
  // in) with the nfs_args laid out at 0x...200.  Success is not checked
  // and nothing below reads the result.
  memcpy((void*)0x200000000040, "nfs\000", 4);
  memcpy((void*)0x200000000080, "./file0\000", 8);
  *(uint32_t*)0x200000000200 = 3;
  *(uint64_t*)0x200000000208 = 0;
  *(uint32_t*)0x200000000210 = 0;
  *(uint32_t*)0x200000000214 = 2;
  *(uint32_t*)0x200000000218 = 0x4010003;
  *(uint64_t*)0x200000000220 = 0;
  *(uint32_t*)0x200000000228 = 0;
  *(uint32_t*)0x20000000022c = 0x8cc006;
  *(uint32_t*)0x200000000230 = 0x7fff;
  *(uint32_t*)0x200000000234 = 0xaf8;
  *(uint32_t*)0x200000000238 = 9;
  *(uint32_t*)0x20000000023c = 3;
  *(uint32_t*)0x200000000240 = 0x800;
  *(uint32_t*)0x200000000244 = 9;
  *(uint32_t*)0x200000000248 = 1;
  *(uint32_t*)0x20000000024c = 7;
  *(uint32_t*)0x200000000250 = 1;
  *(uint64_t*)0x200000000258 = 0;
  *(uint32_t*)0x200000000260 = 0x204;
  *(uint32_t*)0x200000000264 = 0;
  *(uint32_t*)0x200000000268 = 0xfffffff6;
  *(uint32_t*)0x20000000026c = 3;
  syscall(SYS_mount, /*fstype=*/0x200000000040ul, /*dir=*/0x200000000080ul,
          /*mnt_flags=*/0, /*data=*/0x200000000200ul);
  //  openat\$pass_pass_cdevsw arguments: [
  //    fd: const = 0xffffffffffffff9c (8 bytes)
  //    file: ptr[in, buffer] {
  //      buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
  //    }
  //    flags: open_flags = 0x2 (4 bytes)
  //    mode: const = 0x0 (4 bytes)
  //  ]
  //  returns fd_pass_pass_cdevsw
  // Open the CAM pass-through device read/write.  r[0] is only updated on
  // success; on failure it keeps its initial all-ones value, so the ioctl
  // below is then issued on an invalid descriptor and cannot reproduce.
  memcpy((void*)0x200000000100, "/dev/pass0\000", 11);
  res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
                /*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
  if (res != -1)
    r[0] = res;
  //  ioctl\$CAMIOQUEUE_pass_cdevsw arguments: [
  //    fd: fd_pass_pass_cdevsw (resource)
  //    cmd: const = 0x20001a04 (8 bytes)
  //    arg: ptr[in, ptr[in, ccb\$pass_cdevsw]] {
  //      nil
  //    }
  //  ]
  // The trigger: CAMIOQUEUE is handed a pointer to a zeroed 8-byte slot,
  // i.e. a NULL ccb pointer (the "nil" above).  The backtrace at the top
  // of the script shows this reaching passdoioctl and then ata_action;
  // presumably the NULL ccb is what trips the UMA-zone check there, but
  // confirm against Bug 293895.
  *(uint64_t*)0x200000000000 = 0;
  syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0x20001a04ul,
          /*arg=*/0x200000000000ul);
  return 0;
}
EOF
# Build the reproducer; a compile failure is a test failure.
if ! mycc -o "/tmp/$prog" -Wall -Wextra -O0 "/tmp/$prog.c"; then
	exit 1
fi

# The run is expected to end in the panic quoted at the top of this file;
# bound it in case the host survives.  Its exit status is not used.
timeout 3m "/tmp/$prog" >/dev/null 2>&1

rm -rf "/tmp/$prog" "/tmp/$prog.c" "/tmp/$prog.core"
exit 0