xref: /freebsd/tools/test/stress2/misc/syzkaller99.sh (revision 4f8a1b4dffa8a6fa5fbe7fce05278792afd83a82)
1#!/bin/sh
2
3# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
4# Bug 293901 - panic: mutex ACPI global lock owned at ../../../kern/kern_event.c:LINE
5
6# No problems seen.
7
# stress2 tests run as root on purpose: the reproducer written below opens
# kernel device nodes and drives kqueue to provoke the panic named in the
# header, so refuse to run as anyone else.
if [ "$(id -u)" -ne 0 ]; then
	echo "Must be root!"
	exit 1
fi

# default.cfg provides mycc and the other stress2 settings; turn on
# unset-variable checking only after it has been sourced.
. ../default.cfg
set -u

# Test name without the .sh suffix; it names the scratch source file, the
# binary and any core file under /tmp.
prog=$(basename "$0" .sh)

# NOTE(review): the source is written to, compiled at and executed from a
# fixed, predictable /tmp path as root, so a pre-existing symlink of that
# name would be followed. This is the stress2 convention and assumes a
# dedicated test host; do not reuse this pattern elsewhere.
cat > "/tmp/$prog.c" <<EOF
14// autogenerated by syzkaller (https://github.com/google/syzkaller)
15
16#define _GNU_SOURCE
17
18#include <pwd.h>
19#include <stdarg.h>
20#include <stdbool.h>
21#include <stdint.h>
22#include <stdio.h>
23#include <stdlib.h>
24#include <string.h>
25#include <sys/endian.h>
26#include <sys/syscall.h>
27#include <unistd.h>
28
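// syzkaller resource table. Index 0 receives the kqueue descriptor; it
// starts as all-ones (-1) so that, should kqueue() fail, the kevent() below
// is still issued on an invalid descriptor, exactly as the fuzzer's
// generated program would have done.
uint64_t r[1] = {0xffffffffffffffff};

/*
 * Replays the syzkaller program attached to bug 293901:
 *   1. map a fixed 16 MiB RWX scratch region at 0x200000000000 that holds
 *      every string and struct argument used below;
 *   2. open /dev/bpf, /dev/consolectl, /dev/pvclock and /dev/apm in that
 *      order (descriptors are left open on purpose, results unchecked);
 *   3. create a kqueue and register a single change on it.
 *
 * Returns 0 once the whole sequence has been issued. Returns 1 only if the
 * scratch mapping cannot be established: without it every fixed-address
 * store below would merely SIGSEGV this program, which tells the stress2
 * harness nothing about the kernel condition under test.
 */
int main(void)
{
  // Scratch region backing all pointer arguments. Only the -1 sentinel is
  // inspected: the address is fixed by MAP_FIXED, and syscall(2)'s return
  // type is not guaranteed to carry a full 64-bit address.
  if (syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
              /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
              /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
              /*fd=*/(intptr_t)-1, /*offset=*/0ul) == -1) {
    perror("mmap");
    return 1;
  }
  intptr_t res = 0;
  // Progress marker. stdout is /dev/null under stress2, so a short or failed
  // write is deliberately not acted on.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }

  // The four opens below mirror syzkaller's openat\$... calls. Their
  // descriptors are intentionally never stored or checked: the fuzzer's
  // original run may have had any subset succeed, and what the replay
  // depends on is the descriptor numbering left behind (3, 4, 5, 6 when all
  // of them succeed). dirfd 0xffffffffffffff9c is -100, i.e. AT_FDCWD.

  // openat\$bpf: /dev/bpf, flags 0x80000 (O_TTY_INIT), mode 0 -> fd_bpf
  memcpy((void*)0x200000000000, "/dev/bpf\000", 9);
  syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000000ul,
          /*flags=O_TTY_INIT*/ 0x80000, /*mode=*/0);

  // openat\$consolectl_consolectl_devsw: /dev/consolectl, flags 0x400000
  // (O_PATH), mode 0 -> fd
  memcpy((void*)0x200000000740, "/dev/consolectl\000", 16);
  syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000740ul,
          /*flags=O_PATH*/ 0x400000, /*mode=*/0);

  // openat\$pvclock_pvclock_cdev_cdevsw: /dev/pvclock, flags 0x400000
  // (O_PATH), mode 0 -> fd
  memcpy((void*)0x200000000d00, "/dev/pvclock\000", 13);
  syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, /*path=*/0x200000000d00ul,
          /*flags=O_PATH*/ 0x400000, /*mode=*/0);

  // openat\$apm_apm_cdevsw: /dev/apm, flags 0x2000000 (O_EMPTY_PATH),
  // mode 0 -> fd_apm_apm_cdevsw
  memcpy((void*)0x200000000b40, "/dev/apm\000", 9);
  syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000b40ul,
          /*flags=O_EMPTY_PATH*/ 0x2000000, /*mode=*/0);

  // kqueue -> r[0]. On failure r[0] keeps its -1 initialiser (see above).
  res = syscall(SYS_kqueue);
  if (res != -1)
    r[0] = res;

  // One struct kevent laid out by hand at 0x200000000400 with the field
  // sizes syzkaller recorded: ident 8, filter 2, flags 2, fflags 4, data 8,
  // udata 8, ext 4x8 bytes. The names in parentheses are a reading of the
  // raw values against FreeBSD's sys/event.h; confirm them against the tree
  // under test before relying on them.
  *(uint64_t*)0x200000000400 = 6;             // ident: fd 6, presumably /dev/apm when every open above succeeded
  *(uint16_t*)0x200000000408 = 0xfff3;        // filter: -13 as int16 (EVFILT_EMPTY?)
  *(uint16_t*)0x20000000040a = 0x4035;        // flags: 0x1|0x4|0x10|0x20|0x4000 (EV_ADD|EV_ENABLE|EV_ONESHOT|EV_CLEAR|EV_ERROR?)
  *(uint32_t*)0x20000000040c = 0;             // fflags
  *(uint64_t*)0x200000000410 = 5;             // data
  *(uint64_t*)0x200000000418 = 0x40000000007; // udata
  *(uint64_t*)0x200000000420 = 4;             // ext[0]
  *(uint64_t*)0x200000000428 = 0x100000000;   // ext[1]
  *(uint64_t*)0x200000000430 = 4;             // ext[2]
  *(uint64_t*)0x200000000438 = 5;             // ext[3]
  // kevent(kq, changelist, 1, NULL, 0, NULL): register the change only, do
  // not wait for events.
  syscall(SYS_kevent, /*kqueue=*/r[0], /*changelist=*/0x200000000400ul,
          /*nchanges=*/1ul, /*eventlist=*/0ul, /*nevents=*/0ul,
          /*timeout=*/0ul);
  return 0;
}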
137EOF
# Build the reproducer with the stress2 compiler wrapper. A build failure is
# a test-setup error rather than a kernel problem, so stop right away.
mycc -o "/tmp/$prog" -Wall -Wextra -O0 "/tmp/$prog.c" || exit 1

# Run it under a hard 3 minute cap. Output and exit status are discarded on
# purpose: the outcome being watched for is the kernel panic named in the
# header, not the program's own result.
timeout 3m "/tmp/$prog" > /dev/null 2>&1

# Remove the source, the binary and any core file it may have left behind.
rm -rf "/tmp/$prog" "/tmp/$prog.c" "/tmp/$prog.core"
exit 0
144