diff --git a/tools/test/stress2/misc/syzkaller25.sh b/tools/test/stress2/misc/syzkaller25.sh index 6981ce061217..b5a71b5e6e0e 100755 --- a/tools/test/stress2/misc/syzkaller25.sh +++ b/tools/test/stress2/misc/syzkaller25.sh @@ -1,476 +1,476 @@ #!/bin/sh # Fatal trap 9: general protection fault while in kernel mode # cpuid = 5; apic id = 05 # instruction pointer = 0x20:0xffffffff8237cbac # stack pointer = 0x28:0xfffffe01026e4910 # frame pointer = 0x28:0xfffffe01026e4980 # code segment = base 0x0, limit 0xfffff, type 0x1b # = DPL 0, pres 1, long 1, def32 0, gran 1 # processor eflags = interrupt enabled, resume, IOPL = 0 # current process = 45836 (syzkaller25) # trap number = 9 # panic: general protection fault # cpuid = 5 # time = 1601745366 # KDB: stack backtrace: # db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01026e4620 # vpanic() at vpanic+0x182/frame 0xfffffe01026e4670 # panic() at panic+0x43/frame 0xfffffe01026e46d0 # trap_fatal() at trap_fatal+0x387/frame 0xfffffe01026e4730 # trap() at trap+0xa4/frame 0xfffffe01026e4840 # calltrap() at calltrap+0x8/frame 0xfffffe01026e4840 # --- trap 0x9, rip = 0xffffffff8237cbac, rsp = 0xfffffe01026e4910, rbp = 0xfffffe01026e4980 --- # sctp_inpcb_bind() at sctp_inpcb_bind+0x3cc/frame 0xfffffe01026e4980 # sctp_connect() at sctp_connect+0x14f/frame 0xfffffe01026e49e0 # soconnectat() at soconnectat+0xd0/frame 0xfffffe01026e4a30 # kern_connectat() at kern_connectat+0xe2/frame 0xfffffe01026e4a90 # sys_connect() at sys_connect+0x75/frame 0xfffffe01026e4ad0 # amd64_syscall() at amd64_syscall+0x14e/frame 0xfffffe01026e4bf0 # fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01026e4bf0 # --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8003b0a1a, rsp = 0x7fffdfffdbb8, rbp = 0x7fffdfffdf90 --- # KDB: enter: panic # [ thread pid 45836 tid 101772 ] # Stopped at kdb_enter+0x37: movq $0,0x10ac846(%rip) # db> x/s version # version: FreeBSD 13.0-CURRENT #0 r366401: Sat Oct 3 19:00:37 CEST 2020 # pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO # db> [ `uname -p` != "amd64" ] && exit 0 . ../default.cfg kldstat -v | grep -q sctp || kldload sctp.ko cat > /tmp/syzkaller25.c < #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static __thread int skip_segv; static __thread jmp_buf segv_env; static void segv_handler(int sig, siginfo_t* info, void* ctx __unused) { uintptr_t addr = (uintptr_t)info->si_addr; const uintptr_t prog_start = 1 << 20; const uintptr_t prog_end = 100 << 20; int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0; int valid = addr < prog_start || addr > prog_end; if (sig == SIGBUS) { valid = 1; } if (skip && valid) { _longjmp(segv_env, 1); } exit(sig); } static void install_segv_handler(void) { struct sigaction sa; memset(&sa, 0, sizeof(sa)); sa.sa_sigaction = segv_handler; sa.sa_flags = SA_NODEFER | SA_SIGINFO; sigaction(SIGSEGV, &sa, NULL); sigaction(SIGBUS, &sa, NULL); } #define NONFAILING(...) \ ({ \ int ok = 1; \ __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \ if (_setjmp(segv_env) == 0) { \ __VA_ARGS__; \ } else \ ok = 0; \ __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \ ok; \ }) static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; int collide = 0; again: for (call = 0; call < 4; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (collide && (call % 2) == 0) break; event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); if (!collide) { collide = 1; goto again; } } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: res = syscall(SYS_socket, 2ul, 5ul, 0x84); if (res != -1) r[0] = res; break; case 1: NONFAILING(*(uint8_t*)0x20000300 = 0x10); NONFAILING(*(uint8_t*)0x20000301 = 2); NONFAILING(*(uint16_t*)0x20000302 = htobe16(0x4e23 + procid * 4)); NONFAILING(*(uint32_t*)0x20000304 = htobe32(0)); NONFAILING(*(uint8_t*)0x20000308 = 0); NONFAILING(*(uint8_t*)0x20000309 = 0); NONFAILING(*(uint8_t*)0x2000030a = 0); NONFAILING(*(uint8_t*)0x2000030b = 0); NONFAILING(*(uint8_t*)0x2000030c = 0); NONFAILING(*(uint8_t*)0x2000030d = 0); NONFAILING(*(uint8_t*)0x2000030e = 0); NONFAILING(*(uint8_t*)0x2000030f = 0); syscall(SYS_bind, r[0], 0x20000300ul, 0x10ul); break; case 2: NONFAILING(*(uint8_t*)0x20000040 = 0x10); NONFAILING(*(uint8_t*)0x20000041 = 2); NONFAILING(*(uint16_t*)0x20000042 = htobe16(0x4e23 + procid * 4)); NONFAILING(*(uint32_t*)0x20000044 = htobe32(0x7f000001)); NONFAILING(*(uint8_t*)0x20000048 = 0); NONFAILING(*(uint8_t*)0x20000049 = 0); NONFAILING(*(uint8_t*)0x2000004a = 0); NONFAILING(*(uint8_t*)0x2000004b = 0); NONFAILING(*(uint8_t*)0x2000004c = 0); NONFAILING(*(uint8_t*)0x2000004d = 0); NONFAILING(*(uint8_t*)0x2000004e = 0); NONFAILING(*(uint8_t*)0x2000004f = 0); syscall(SYS_connect, r[0], 0x20000040ul, 0x10ul); break; case 3: NONFAILING(*(uint8_t*)0x20000000 = 0x10); NONFAILING(*(uint8_t*)0x20000001 = 2); NONFAILING(*(uint16_t*)0x20000002 = htobe16(0x4e23 + procid * 4)); NONFAILING(*(uint8_t*)0x20000004 = 0xac); NONFAILING(*(uint8_t*)0x20000005 = 0x14); NONFAILING(*(uint8_t*)0x20000006 = 0 + procid * 1); NONFAILING(*(uint8_t*)0x20000007 = 0xaa); NONFAILING(*(uint8_t*)0x20000008 = 0); NONFAILING(*(uint8_t*)0x20000009 = 0); NONFAILING(*(uint8_t*)0x2000000a = 0); NONFAILING(*(uint8_t*)0x2000000b = 0); NONFAILING(*(uint8_t*)0x2000000c = 0); NONFAILING(*(uint8_t*)0x2000000d = 0); NONFAILING(*(uint8_t*)0x2000000e = 0); NONFAILING(*(uint8_t*)0x2000000f = 0); syscall(SYS_connect, r[0], 0x20000000ul, 0x10ul); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); install_segv_handler(); for (procid = 0; procid < 4; procid++) { if (fork() == 0) { use_temporary_dir(); do_sandbox_none(); } } sleep(1000000); return 0; } EOF mycc -o /tmp/syzkaller25 -Wall -Wextra -O0 /tmp/syzkaller25.c -lpthread || exit 1 (cd ../testcases/swap; ./swap -t 1m -i 20 -h > /dev/null 2>&1) & (cd /tmp; timeout 3m ./syzkaller25) while pkill swap; do :; done wait -rm -rf /tmp/syzkaller25 syzkaller25.c /tmp/syzkaller.* +rm -rf /tmp/syzkaller25 /tmp/syzkaller25.c /tmp/syzkaller.* exit 0 diff --git a/tools/test/stress2/misc/syzkaller28.sh b/tools/test/stress2/misc/syzkaller28.sh index 1119b067f047..c6ba56d1e222 100755 --- a/tools/test/stress2/misc/syzkaller28.sh +++ b/tools/test/stress2/misc/syzkaller28.sh @@ -1,356 +1,356 @@ #!/bin/sh # panic: About to free ctl:0xfffff809b0ac1260 so:0xfffff80d97dde760 and its in 1 # cpuid = 9 # time = 1605860285 # KDB: stack backtrace: # db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0100b1e630 # vpanic() at vpanic+0x182/frame 0xfffffe0100b1e680 # panic() at panic+0x43/frame 0xfffffe0100b1e6e0 # sctp_sorecvmsg() at sctp_sorecvmsg+0x1a96/frame 0xfffffe0100b1e810 # sctp_soreceive() at sctp_soreceive+0x1b2/frame 0xfffffe0100b1ea00 # soreceive() at soreceive+0x59/frame 0xfffffe0100b1ea20 # dofileread() at dofileread+0x81/frame 0xfffffe0100b1ea70 # sys_readv() at sys_readv+0x6e/frame 0xfffffe0100b1eac0 # amd64_syscall() at amd64_syscall+0x147/frame 0xfffffe0100b1ebf0 # fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0100b1ebf0 # --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8003aed4a, rsp = 0x7fffdfffdf68, rbp = 0x7fffdfffdf90 --- # KDB: enter: panic # [ thread pid 3933 tid 102941 ] # Stopped at kdb_enter+0x37: movq $0,0x10a91b6(%rip) # db> x/s version # version: FreeBSD 13.0-CURRENT #0 r367842: Thu Nov 19 13:08:17 CET 2020 # pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO # db> [ `uname -p` != "amd64" ] && exit 0 . ../default.cfg kldstat -v | grep -q sctp || kldload sctp.ko cat > /tmp/syzkaller28.c < #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 9; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: res = syscall(SYS_socket, 0x1cul, 1ul, 0x84); if (res != -1) r[0] = res; break; case 1: *(uint32_t*)0x20000040 = 0; syscall(SYS_setsockopt, r[0], 0x84, 0x11, 0x20000040ul, 4ul); break; case 2: *(uint8_t*)0x20000000 = 0x1c; *(uint8_t*)0x20000001 = 0x1c; *(uint16_t*)0x20000002 = htobe16(0x4e22 + procid * 4); *(uint32_t*)0x20000004 = 0; *(uint8_t*)0x20000008 = 0; *(uint8_t*)0x20000009 = 0; *(uint8_t*)0x2000000a = 0; *(uint8_t*)0x2000000b = 0; *(uint8_t*)0x2000000c = 0; *(uint8_t*)0x2000000d = 0; *(uint8_t*)0x2000000e = 0; *(uint8_t*)0x2000000f = 0; *(uint8_t*)0x20000010 = 0; *(uint8_t*)0x20000011 = 0; *(uint8_t*)0x20000012 = 0; *(uint8_t*)0x20000013 = 0; *(uint8_t*)0x20000014 = 0; *(uint8_t*)0x20000015 = 0; *(uint8_t*)0x20000016 = 0; *(uint8_t*)0x20000017 = 0; *(uint32_t*)0x20000018 = 6; syscall(SYS_bind, r[0], 0x20000000ul, 0x1cul); break; case 3: *(uint8_t*)0x20000180 = 0x5f; *(uint8_t*)0x20000181 = 0x1c; *(uint16_t*)0x20000182 = htobe16(0x4e22 + procid * 4); *(uint32_t*)0x20000184 = 0; *(uint64_t*)0x20000188 = htobe64(0); *(uint64_t*)0x20000190 = htobe64(1); *(uint32_t*)0x20000198 = 0; syscall(SYS_connect, r[0], 0x20000180ul, 0x1cul); break; case 4: *(uint64_t*)0x20001500 = 0x20000200; *(uint64_t*)0x20001508 = 0xb8; *(uint64_t*)0x20001510 = 0; *(uint64_t*)0x20001518 = 0; *(uint64_t*)0x20001520 = 0; *(uint64_t*)0x20001528 = 0; *(uint64_t*)0x20001530 = 0; *(uint64_t*)0x20001538 = 0; *(uint64_t*)0x20001540 = 0; *(uint64_t*)0x20001548 = 0; syscall(SYS_readv, r[0], 0x20001500ul, 5ul); break; case 5: *(uint32_t*)0x20000140 = 0xb2; syscall(SYS_setsockopt, r[0], 0x84, 0x1b, 0x20000140ul, 4ul); break; case 6: res = syscall(SYS_fcntl, r[0], 0ul, r[0]); if (res != -1) r[1] = res; break; case 7: *(uint64_t*)0x200004c0 = 0; *(uint32_t*)0x200004c8 = 0; *(uint64_t*)0x200004d0 = 0x200003c0; *(uint64_t*)0x200003c0 = 0x200001c0; memcpy((void*)0x200001c0, "\xb0", 1); *(uint64_t*)0x200003c8 = 1; *(uint32_t*)0x200004d8 = 1; *(uint64_t*)0x200004e0 = 0; *(uint32_t*)0x200004e8 = 0; *(uint32_t*)0x200004ec = 0; syscall(SYS_sendmsg, r[1], 0x200004c0ul, 0ul); break; case 8: syscall(SYS_shutdown, r[0], 1ul); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); for (procid = 0; procid < 4; procid++) { if (fork() == 0) { loop(); } } sleep(1000000); return 0; } EOF mycc -o /tmp/syzkaller28 -Wall -Wextra -O0 /tmp/syzkaller28.c -lpthread || exit 1 (cd ../testcases/swap; ./swap -t 1m -i 20 -h > /dev/null 2>&1) & (cd /tmp; timeout 3m ./syzkaller28) while pkill swap; do :; done wait -rm -rf /tmp/syzkaller28 syzkaller28.c /tmp/syzkaller.* +rm -rf /tmp/syzkaller28 /tmp/syzkaller28.c /tmp/syzkaller.* exit 0 diff --git a/tools/test/stress2/misc/syzkaller29.sh b/tools/test/stress2/misc/syzkaller29.sh index d7a00aaaec45..bc5dc94768d0 100755 --- a/tools/test/stress2/misc/syzkaller29.sh +++ b/tools/test/stress2/misc/syzkaller29.sh @@ -1,131 +1,131 @@ #!/bin/sh # panic: uma_zalloc_debug: called within spinlock or critical section # cpuid = 9 # time = 1606151277 # KDB: stack backtrace: # db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0101c628a0 # vpanic() at vpanic+0x181/frame 0xfffffe0101c628f0 # panic() at panic+0x43/frame 0xfffffe0101c62950 # uma_zalloc_arg() at uma_zalloc_arg+0x1e6/frame 0xfffffe0101c62990 # cpuset_modify_domain() at cpuset_modify_domain+0x1bf/frame 0xfffffe0101c62a10 # kern_cpuset_setdomain() at kern_cpuset_setdomain+0x402/frame 0xfffffe0101c62aa0 # sys_cpuset_setdomain() at sys_cpuset_setdomain+0x26/frame 0xfffffe0101c62ac0 # amd64_syscall() at amd64_syscall+0x147/frame 0xfffffe0101c62bf0 # fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0101c62bf0 # --- syscall (0, FreeBSD ELF64, nosys), rip = 0x800380d4a, rsp = 0x7fffffffe4b8, rbp = 0x7fffffffe4f0 --- # KDB: enter: panic # [ thread pid 81187 tid 100369 ] # Stopped at kdb_enter+0x37: movq $0,0x10b3236(%rip) # db> x/s version # version: FreeBSD 13.0-CURRENT #0 r367945: Mon Nov 23 09:10:40 CET 2020 # pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO # db> [ `uname -p` != "amd64" ] && exit 0 # Fixed by r368116 # May change policy for random threads to to domainset_fixed exit 0 . ../default.cfg cat > /tmp/syzkaller29.c < #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } } } void execute_one(void) { *(uint64_t*)0x20000240 = 1; *(uint64_t*)0x20000248 = 0; *(uint64_t*)0x20000250 = 0; *(uint64_t*)0x20000258 = 0; syscall(SYS_cpuset_setdomain, 2ul, 2ul, 0ul, 0x20ul, 0x20000240ul, 4ul); *(uint64_t*)0x20000240 = 1; *(uint64_t*)0x20000248 = 0; *(uint64_t*)0x20000250 = 0; *(uint64_t*)0x20000258 = 0; syscall(SYS_cpuset_setdomain, 3ul, 2ul, 0ul, 0x20ul, 0x20000240ul, 1ul); } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); loop(); return 0; } EOF mycc -o /tmp/syzkaller29 -Wall -Wextra -O0 /tmp/syzkaller29.c || exit 1 (cd /tmp; timeout 3m ./syzkaller29) -rm -rf /tmp/syzkaller29 syzkaller29.c /tmp/syzkaller.* +rm -rf /tmp/syzkaller29 /tmp/syzkaller29.c /tmp/syzkaller.* exit 0 diff --git a/tools/test/stress2/misc/syzkaller30.sh b/tools/test/stress2/misc/syzkaller30.sh index 7b0c53674f45..f798386a83d1 100755 --- a/tools/test/stress2/misc/syzkaller30.sh +++ b/tools/test/stress2/misc/syzkaller30.sh @@ -1,70 +1,70 @@ #!/bin/sh # panic: sched_pickcpu: Failed to find a cpu. # cpuid = 1 # time = 1607419071 # KDB: stack backtrace: # db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01bb640770 # vpanic() at vpanic+0x181/frame 0xfffffe01bb6407c0 # panic() at panic+0x43/frame 0xfffffe01bb640820 # sched_pickcpu() at sched_pickcpu+0x4a2/frame 0xfffffe01bb6408d0 # sched_add() at sched_add+0x5d/frame 0xfffffe01bb640900 # setrunnable() at setrunnable+0x77/frame 0xfffffe01bb640930 # wakeup_one() at wakeup_one+0x1d/frame 0xfffffe01bb640950 # do_lock_umutex() at do_lock_umutex+0x64c/frame 0xfffffe01bb640a40 # __umtx_op_wait_umutex() at __umtx_op_wait_umutex+0x49/frame 0xfffffe01bb640a80 # sys__umtx_op() at sys__umtx_op+0x7a/frame 0xfffffe01bb640ac0 # amd64_syscall() at amd64_syscall+0x147/frame 0xfffffe01bb640bf0 # fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01bb640bf0 # --- syscall (454, FreeBSD ELF64, sys__umtx_op), rip = 0x800254a8c, rsp = 0x7fffdf3f7e88, rbp = 0x7fffdf3f7eb0 --- # KDB: enter: panic # [ thread pid 58597 tid 106100 ] # Stopped at kdb_enter+0x37: movq $0,0x10a7766(%rip) # db> x/s version # version: FreeBSD 13.0-CURRENT #0 r368405: Mon Dec 7 10:33:35 CET 2020 # pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO # db> [ `uname -p` != "amd64" ] && exit 0 # Fixed by r368462 # May change policy for random threads to to domainset_fixed exit 0 . ../default.cfg cat > /tmp/syzkaller30.c < #include #include #include #include #include #include #include #include #include int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); *(uint64_t*)0x200000c0 = 0; syscall(SYS_cpuset_setaffinity, 2ul, 2ul, 0x100000000000000ul, 0x20ul, 0x200000c0ul); return 0; } EOF mycc -o /tmp/syzkaller30 -Wall -Wextra -O0 /tmp/syzkaller30.c || exit 1 (cd /tmp; timeout 3m ./syzkaller30) -rm -rf /tmp/syzkaller30 syzkaller30.c /tmp/syzkaller.* +rm -rf /tmp/syzkaller30 /tmp/syzkaller30.c /tmp/syzkaller.* exit 0 diff --git a/tools/test/stress2/misc/syzkaller31.sh b/tools/test/stress2/misc/syzkaller31.sh index af93a89a127c..12eb98bd8c57 100755 --- a/tools/test/stress2/misc/syzkaller31.sh +++ b/tools/test/stress2/misc/syzkaller31.sh @@ -1,324 +1,324 @@ #!/bin/sh # panic: Bad tailq NEXT(0xfffffe0079608f00->tqh_last) != NULL # cpuid = 20 # time = 1616404997 # KDB: stack backtrace: # db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01af6d8580 # vpanic() at vpanic+0x181/frame 0xfffffe01af6d85d0 # panic() at panic+0x43/frame 0xfffffe01af6d8630 # sctp_ss_default_add() at sctp_ss_default_add+0xd7/frame 0xfffffe01af6d8660 # sctp_lower_sosend() at sctp_lower_sosend+0x3b24/frame 0xfffffe01af6d8830 # sctp_sosend() at sctp_sosend+0x344/frame 0xfffffe01af6d8950 # sosend() at sosend+0x66/frame 0xfffffe01af6d8980 # kern_sendit() at kern_sendit+0x1ec/frame 0xfffffe01af6d8a10 # sendit() at sendit+0x1db/frame 0xfffffe01af6d8a60 # sys_sendmsg() at sys_sendmsg+0x61/frame 0xfffffe01af6d8ac0 # amd64_syscall() at amd64_syscall+0x147/frame 0xfffffe01af6d8bf0 # fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01af6d8bf0 # --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8003b042a, rsp = 0x7fffdffdcf68, rbp = 0x7fffdffdcf90 --- # KDB: enter: panic # [ thread pid 7402 tid 730532 ] # Stopped at kdb_enter+0x37: movq $0,0x1286f8e(%rip) # db> x/s version # version: FreeBSD 14.0-CURRENT #0 main-n245565-25bfa448602: Mon Mar 22 09:13:03 CET 2021 # pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO\012 # db> [ `uname -p` != "amd64" ] && exit 0 . ../default.cfg kldstat -v | grep -q sctp || kldload sctp.ko cat > /tmp/syzkaller31.c < #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; int collide = 0; again: for (call = 0; call < 3; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (collide && (call % 2) == 0) break; event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); if (!collide) { collide = 1; goto again; } } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) { continue; } kill_and_wait(pid, &status); break; } } } uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: res = syscall(SYS_socket, 2ul, 5ul, 0x84); if (res != -1) r[0] = res; break; case 1: res = syscall(SYS_fcntl, r[0], 0ul, r[0]); if (res != -1) r[1] = res; break; case 2: *(uint64_t*)0x20000040 = 0x20000000; *(uint8_t*)0x20000000 = 0x1c; *(uint8_t*)0x20000001 = 0x1c; *(uint16_t*)0x20000002 = htobe16(0x4e22); *(uint32_t*)0x20000004 = 0; *(uint8_t*)0x20000008 = 0; *(uint8_t*)0x20000009 = 0; *(uint8_t*)0x2000000a = 0; *(uint8_t*)0x2000000b = 0; *(uint8_t*)0x2000000c = 0; *(uint8_t*)0x2000000d = 0; *(uint8_t*)0x2000000e = 0; *(uint8_t*)0x2000000f = 0; *(uint8_t*)0x20000010 = 0; *(uint8_t*)0x20000011 = 0; *(uint8_t*)0x20000012 = -1; *(uint8_t*)0x20000013 = -1; *(uint32_t*)0x20000014 = htobe32(0x203); *(uint32_t*)0x20000018 = 0; *(uint32_t*)0x20000048 = 0x1c; *(uint64_t*)0x20000050 = 0x20000100; *(uint64_t*)0x20000100 = 0x20000080; memcpy((void*)0x20000080, "\000", 1); *(uint64_t*)0x20000108 = 1; *(uint32_t*)0x20000058 = 1; *(uint64_t*)0x20000060 = 0x20000200; memcpy( (void*)0x20000200, "\x1c\x00\x00\x00\x84\x00\x00\x00\x01\x00\x00\x00\x40\x08\xec\x70\xa0", 17); *(uint32_t*)0x20000068 = 0x1c; *(uint32_t*)0x2000006c = 0; syscall(SYS_sendmsg, r[1], 0x20000040ul, 0ul); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); loop(); return 0; } EOF mycc -o /tmp/syzkaller31 -Wall -Wextra -O0 /tmp/syzkaller31.c -lpthread || exit 1 (cd ../testcases/swap; ./swap -t 1m -i 20 -h > /dev/null 2>&1) & (cd /tmp; timeout 3m ./syzkaller31) while pkill swap; do :; done wait -rm -rf /tmp/syzkaller31 syzkaller31.c /tmp/syzkaller.* +rm -rf /tmp/syzkaller31 /tmp/syzkaller31.c /tmp/syzkaller.* exit 0 diff --git a/tools/test/stress2/misc/syzkaller32.sh b/tools/test/stress2/misc/syzkaller32.sh index a95871969d5c..03a13738c58a 100755 --- a/tools/test/stress2/misc/syzkaller32.sh +++ b/tools/test/stress2/misc/syzkaller32.sh @@ -1,299 +1,299 @@ #!/bin/sh # Fatal trap 18: integer divide fault while in kernel mode # cpuid = 0; apic id = 00 # instruction pointer = 0x20:0xffffffff80c2f828 # stack pointer = 0x0:0xfffffe0131a5d9e0 # frame pointer = 0x0:0xfffffe0131a5da30 # code segment = base 0x0, limit 0xfffff, type 0x1b # = DPL 0, pres 1, long 1, def32 0, gran 1 # processor eflags = interrupt enabled, resume, IOPL = 0 # current process = 12 (swi4: clock (0)) # trap number = 18 # panic: integer divide fault # cpuid = 0 # time = 1616401924 # KDB: stack backtrace: # db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0131a5d6f0 # vpanic() at vpanic+0x181/frame 0xfffffe0131a5d740 # panic() at panic+0x43/frame 0xfffffe0131a5d7a0 # trap_fatal() at trap_fatal+0x387/frame 0xfffffe0131a5d800 # trap() at trap+0xa4/frame 0xfffffe0131a5d910 # calltrap() at calltrap+0x8/frame 0xfffffe0131a5d910 # --- trap 0x12, rip = 0xffffffff80c2f828, rsp = 0xfffffe0131a5d9e0, rbp = 0xfffffe0131a5da30 --- # realtimer_expire() at realtimer_expire+0x1a8/frame 0xfffffe0131a5da30 # softclock_call_cc() at softclock_call_cc+0x15d/frame 0xfffffe0131a5db00 # softclock() at softclock+0x66/frame 0xfffffe0131a5db20 # ithread_loop() at ithread_loop+0x279/frame 0xfffffe0131a5dbb0 # fork_exit() at fork_exit+0x80/frame 0xfffffe0131a5dbf0 # fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0131a5dbf0 # --- trap 0, rip = 0, rsp = 0, rbp = 0 --- # KDB: enter: panic # [ thread pid 12 tid 100160 ] # Stopped at kdb_enter+0x37: movq $0,0x1286f8e(%rip) # db> x/s version # version: FreeBSD 14.0-CURRENT #0 main-n245565-25bfa448602: Mon Mar 22 09:13:03 CET 2021 # pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO\012 # db> [ `uname -p` != "amd64" ] && exit 0 . ../default.cfg cat > /tmp/syzkaller32.c < #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 2; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) { continue; } kill_and_wait(pid, &status); break; } } } uint64_t r[1] = {0x0}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: res = syscall(SYS_ktimer_create, 4ul, 0ul, 0x20000500ul); if (res != -1) r[0] = *(uint32_t*)0x20000500; break; case 1: *(uint64_t*)0x20000100 = 0x200000000000000; *(uint64_t*)0x20000108 = 0; *(uint64_t*)0x20000110 = 0; *(uint64_t*)0x20000118 = 0x10000; syscall(SYS_ktimer_settime, r[0], 0ul, 0x20000100ul, 0ul); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); for (procid = 0; procid < 4; procid++) { if (fork() == 0) { loop(); } } sleep(1000000); return 0; } EOF mycc -o /tmp/syzkaller32 -Wall -Wextra -O0 /tmp/syzkaller32.c -lpthread || exit 1 (cd ../testcases/swap; ./swap -t 1m -i 20 -h > /dev/null 2>&1) & (cd /tmp; timeout 3m ./syzkaller32) while pkill swap; do :; done wait -rm -rf /tmp/syzkaller32 syzkaller32.c /tmp/syzkaller.* +rm -rf /tmp/syzkaller32 /tmp/syzkaller32.c /tmp/syzkaller.* exit 0 diff --git a/tools/test/stress2/misc/syzkaller33.sh b/tools/test/stress2/misc/syzkaller33.sh index 746cecbffaab..7f017cd167f1 100755 --- a/tools/test/stress2/misc/syzkaller33.sh +++ b/tools/test/stress2/misc/syzkaller33.sh @@ -1,142 +1,142 @@ #!/bin/sh # Fatal trap 18: integer divide fault while in kernel mode # cpuid = 0; apic id = 00 # instruction pointer = 0x20:0xffffffff80c310ee # stack pointer = 0x28:0xfffffe0131a629e0 # frame pointer = 0x28:0xfffffe0131a62a30 # code segment = base 0x0, limit 0xfffff, type 0x1b # = DPL 0, pres 1, long 1, def32 0, gran 1 # processor eflags = interrupt enabled, resume, IOPL = 0 # current process = 12 (swi4: clock (0)) # trap number = 18 # panic: integer divide fault # cpuid = 0 # time = 1618722013 # KDB: stack backtrace: # db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0131a626f0 # vpanic() at vpanic+0x181/frame 0xfffffe0131a62740 # panic() at panic+0x43/frame 0xfffffe0131a627a0 # trap_fatal() at trap_fatal+0x387/frame 0xfffffe0131a62800 # trap() at trap+0xa4/frame 0xfffffe0131a62910 # calltrap() at calltrap+0x8/frame 0xfffffe0131a62910 # --- trap 0x12, rip = 0xffffffff80c310ee, rsp = 0xfffffe0131a629e0, rbp = 0xfffffe0131a62a30 --- # realtimer_expire_l() at realtimer_expire_l+0xee/frame 0xfffffe0131a62a30 # softclock_call_cc() at softclock_call_cc+0x15d/frame 0xfffffe0131a62b00 # softclock() at softclock+0x66/frame 0xfffffe0131a62b20 # ithread_loop() at ithread_loop+0x279/frame 0xfffffe0131a62bb0 # fork_exit() at fork_exit+0x80/frame 0xfffffe0131a62bf0 # fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0131a62bf0 # --- trap 0, rip = 0, rsp = 0, rbp = 0 --- # KDB: enter: panic # [ thread pid 12 tid 100161 ] # Stopped at kdb_enter+0x37: movq $0,0x1283f9e(%rip) # db> x/s version # version: FreeBSD 14.0-CURRENT #0 main-n246123-21afed4b1d1-dirty: Sat Apr 17 07:39:42 CEST 2021 # pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO # db> [ `uname -p` != "amd64" ] && exit 0 . ../default.cfg cat > /tmp/syzkaller33.c < #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) { continue; } kill_and_wait(pid, &status); break; } } } uint64_t r[1] = {0x0}; void execute_one(void) { intptr_t res = 0; res = syscall(SYS_ktimer_create, 0ul, 0ul, 0x200011c0ul); if (res != -1) r[0] = *(uint32_t*)0x200011c0; *(uint64_t*)0x20001200 = 0x800000000000000; *(uint64_t*)0x20001208 = 0; *(uint64_t*)0x20001210 = 0; *(uint64_t*)0x20001218 = 0xa2b; syscall(SYS_ktimer_settime, r[0], 1ul, 0x20001200ul, 0ul); } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); loop(); return 0; } EOF mycc -o /tmp/syzkaller33 -Wall -Wextra -O0 /tmp/syzkaller33.c || exit 1 (cd /tmp; timeout 3m ./syzkaller33) -rm -rf /tmp/syzkaller33 syzkaller33.c /tmp/syzkaller.* +rm -rf /tmp/syzkaller33 /tmp/syzkaller33.c /tmp/syzkaller.* exit 0 diff --git a/tools/test/stress2/misc/syzkaller34.sh b/tools/test/stress2/misc/syzkaller34.sh index c426fef129b1..247079e1cd1a 100755 --- a/tools/test/stress2/misc/syzkaller34.sh +++ b/tools/test/stress2/misc/syzkaller34.sh @@ -1,119 +1,119 @@ #!/bin/sh # Fixed by git: 208256579804 - main - O_PATH: disable kqfilter for fifos # Submitted by markj@ [ `uname -p` != "amd64" ] && exit 0 . ../default.cfg cat > /tmp/syzkaller34.c < #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) { continue; } kill_and_wait(pid, &status); break; } } } uint64_t r[1] = {0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; memcpy((void*)0x20000000, "./file0\000", 8); syscall(SYS_mknodat, 0xffffff9c, 0x20000000ul, 0x1000ul, 0ul); memcpy((void*)0x20000040, "./file0\000", 8); syscall(SYS_open, 0x20000040ul, 0x400000ul, 0x72ul); res = syscall(SYS_kqueue); if (res != -1) r[0] = res; *(uint64_t*)0x20000100 = 3; *(uint16_t*)0x20000108 = -1; *(uint16_t*)0x2000010a = 0x4015; *(uint32_t*)0x2000010c = 0; *(uint64_t*)0x20000110 = 0x400000000; *(uint64_t*)0x20000118 = 5; *(uint64_t*)0x20000120 = 4; *(uint64_t*)0x20000128 = 0; *(uint64_t*)0x20000130 = 0; *(uint64_t*)0x20000138 = 0; syscall(SYS_kevent, r[0], 0x20000100ul, 0x2cul, 0ul, 0ul, 0ul); } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); loop(); return 0; } EOF mycc -o /tmp/syzkaller34 -Wall -Wextra -O0 /tmp/syzkaller34.c || exit 1 (cd /tmp; timeout 3m ./syzkaller34) -rm -rf /tmp/syzkaller34 syzkaller34.c /tmp/syzkaller.* +rm -rf /tmp/syzkaller34 /tmp/syzkaller34.c /tmp/syzkaller.* exit 0 diff --git a/tools/test/stress2/misc/syzkaller35.sh b/tools/test/stress2/misc/syzkaller35.sh index 14619c24ab9c..768fadd1f9b0 100755 --- a/tools/test/stress2/misc/syzkaller35.sh +++ b/tools/test/stress2/misc/syzkaller35.sh @@ -1,101 +1,101 @@ #!/bin/sh # panic: AEAD without a separate IV # cpuid = 18 # time = 1620305816 # KDB: stack backtrace: # db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01aeea25d0 # vpanic() at vpanic+0x181/frame 0xfffffe01aeea2620 # panic() at panic+0x43/frame 0xfffffe01aeea2680 # crp_sanity() at crp_sanity+0x4e9/frame 0xfffffe01aeea26b0 # crypto_dispatch() at crypto_dispatch+0xf/frame 0xfffffe01aeea26d0 # crypto_ioctl() at crypto_ioctl+0x1e33/frame 0xfffffe01aeea27e0 # devfs_ioctl() at devfs_ioctl+0xcd/frame 0xfffffe01aeea2830 # VOP_IOCTL_APV() at VOP_IOCTL_APV+0x59/frame 0xfffffe01aeea2850 # vn_ioctl() at vn_ioctl+0x133/frame 0xfffffe01aeea2960 # devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe01aeea2980 # kern_ioctl() at kern_ioctl+0x289/frame 0xfffffe01aeea29f0 # sys_ioctl() at sys_ioctl+0x12a/frame 0xfffffe01aeea2ac0 # amd64_syscall() at amd64_syscall+0x147/frame 0xfffffe01aeea2bf0 # fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01aeea2bf0 # --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8003827da, rsp = 0x7fffffffe848, rbp = 0x7fffffffe890 --- # KDB: enter: panic # [ thread pid 4018 tid 100350 ] # Stopped at kdb_enter+0x37: movq $0,0x1282a9e(%rip) # db> x/s version # version: FreeBSD 14.0-CURRENT #0 main-n246502-49c894ddced: Thu May 6 09:17:33 CEST 2021 # pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO # db> [ `uname -p` != "amd64" ] && exit 0 [ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 . ../default.cfg cat > /tmp/syzkaller35.c < #include #include #include #include #include #include #include #include #include uint64_t r[1] = {0xffffffffffffffff}; int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); intptr_t res = 0; memcpy((void*)0x20000340, "/dev/crypto\000", 12); res = syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000340ul, 0ul, 0ul); if (res != -1) r[0] = res; *(uint32_t*)0x20000440 = 0x28; *(uint32_t*)0x20000444 = 0; *(uint32_t*)0x20000448 = 0x10; *(uint64_t*)0x20000450 = 0x20000380; memcpy((void*)0x20000380, "\x3c\x02\x2e\x61\x79\x2e\xec\xb0\x7f\x8a\xee\x18\xe5\xaa\x35\x05", 16); *(uint32_t*)0x20000458 = 0; *(uint64_t*)0x20000460 = 0; *(uint32_t*)0x20000468 = 0; *(uint32_t*)0x2000046c = 0xfdffffff; *(uint32_t*)0x20000470 = 0; *(uint32_t*)0x20000474 = 0; *(uint32_t*)0x20000478 = 0; *(uint32_t*)0x2000047c = 0; syscall(SYS_ioctl, r[0], 0xc040636aul, 0x20000440ul); *(uint32_t*)0x20000280 = 0; *(uint16_t*)0x20000284 = 1; *(uint16_t*)0x20000286 = 0; *(uint32_t*)0x20000288 = 0xf0a; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint64_t*)0x20000298 = 0x20000480; *(uint64_t*)0x200002a0 = 0; *(uint64_t*)0x200002a8 = 0; *(uint64_t*)0x200002b0 = 0x20000680; *(uint64_t*)0x200002b8 = 0; syscall(SYS_ioctl, r[0], 0xc040636dul, 0x20000280ul); return 0; } EOF mycc -o /tmp/syzkaller35 -Wall -Wextra -O0 /tmp/syzkaller35.c || exit 1 kldload cryptodev.ko && loaded=1 (cd /tmp; timeout 3m ./syzkaller35) [ $loaded ] && kldunload cryptodev.ko -rm -rf /tmp/syzkaller35 syzkaller35.c /tmp/syzkaller.* +rm -rf /tmp/syzkaller35 /tmp/syzkaller35.c /tmp/syzkaller.* exit 0 diff --git a/tools/test/stress2/misc/syzkaller36.sh b/tools/test/stress2/misc/syzkaller36.sh index ca4678408a25..8be90573431d 100755 --- a/tools/test/stress2/misc/syzkaller36.sh +++ b/tools/test/stress2/misc/syzkaller36.sh @@ -1,98 +1,98 @@ #!/bin/sh # panic: IV outside buffer length # cpuid = 22 # time = 1620355853 # KDB: stack backtrace: # db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01af19d5d0 # vpanic() at vpanic+0x181/frame 0xfffffe01af19d620 # panic() at panic+0x43/frame 0xfffffe01af19d680 # crp_sanity() at crp_sanity+0x212/frame 0xfffffe01af19d6b0 # crypto_dispatch() at crypto_dispatch+0xf/frame 0xfffffe01af19d6d0 # crypto_ioctl() at crypto_ioctl+0x18a9/frame 0xfffffe01af19d7e0 # devfs_ioctl() at devfs_ioctl+0xcd/frame 0xfffffe01af19d830 # VOP_IOCTL_APV() at VOP_IOCTL_APV+0x59/frame 0xfffffe01af19d850 # vn_ioctl() at vn_ioctl+0x133/frame 0xfffffe01af19d960 # devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe01af19d980 # kern_ioctl() at kern_ioctl+0x289/frame 0xfffffe01af19d9f0 # sys_ioctl() at sys_ioctl+0x12a/frame 0xfffffe01af19dac0 # amd64_syscall() at amd64_syscall+0x147/frame 0xfffffe01af19dbf0 # fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01af19dbf0 # --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8003827da, rsp = 0x7fffffffe4f8, rbp = 0x7fffffffe540 --- # KDB: enter: panic # [ thread pid 2908 tid 100493 ] # Stopped at kdb_enter+0x37: movq $0,0x1282a9e(%rip) # db> x/s version # version: FreeBSD 14.0-CURRENT #1 main-n246506-be578b67b5a: Thu May 6 19:40:29 CEST 2021 # pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO # db> [ `uname -p` != "amd64" ] && exit 0 [ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 . ../default.cfg cat > /tmp/syzkaller36.c < #include #include #include #include #include #include #include #include #include uint64_t r[1] = {0xffffffffffffffff}; int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); intptr_t res = 0; memcpy((void*)0x20000000, "/dev/crypto\000", 12); res = syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000000ul, 0ul, 0ul); if (res != -1) r[0] = res; *(uint32_t*)0x20000440 = 0x17; *(uint32_t*)0x20000444 = 0; *(uint32_t*)0x20000448 = 0x10; *(uint64_t*)0x20000450 = 0x200001c0; memcpy((void*)0x200001c0, "\x3c\x02\x2e\x61\x79\x2e\xec\xb0\x7f\x8a\xee\x18\xe5\xaa\x35\x05", 16); *(uint32_t*)0x20000458 = 0; *(uint64_t*)0x20000460 = 0; *(uint32_t*)0x20000468 = 0; *(uint32_t*)0x2000046c = 0xfdffffff; *(uint32_t*)0x20000470 = 0; *(uint32_t*)0x20000474 = 0; *(uint32_t*)0x20000478 = 0; *(uint32_t*)0x2000047c = 0; syscall(SYS_ioctl, r[0], 0xc040636aul, 0x20000440ul); *(uint32_t*)0x20000180 = 0; *(uint16_t*)0x20000184 = 1; *(uint16_t*)0x20000186 = 0; *(uint32_t*)0x20000188 = 7; *(uint64_t*)0x20000190 = 0x20000200; *(uint64_t*)0x20000198 = 0; *(uint64_t*)0x200001a0 = 0; *(uint64_t*)0x200001a8 = 0; syscall(SYS_ioctl, r[0], 0xc0306367ul, 0x20000180ul); return 0; } EOF mycc -o /tmp/syzkaller36 -Wall -Wextra -O0 /tmp/syzkaller36.c || exit 1 kldload cryptodev.ko && loaded=1 (cd /tmp; timeout 3m ./syzkaller36) [ $loaded ] && kldunload cryptodev.ko -rm -rf /tmp/syzkaller36 syzkaller36.c /tmp/syzkaller.* +rm -rf /tmp/syzkaller36 /tmp/syzkaller36.c /tmp/syzkaller.* exit 0 diff --git a/tools/test/stress2/misc/syzkaller37.sh b/tools/test/stress2/misc/syzkaller37.sh index cda44530af85..4eef524bb3f8 100755 --- a/tools/test/stress2/misc/syzkaller37.sh +++ b/tools/test/stress2/misc/syzkaller37.sh @@ -1,99 +1,99 @@ #!/bin/sh # panic: crp_iv_start set when IV isn't used # cpuid = 15 # time = 1620460567 # KDB: stack backtrace: # db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe023ceef5d0 # vpanic() at vpanic+0x181/frame 0xfffffe023ceef620 # panic() at panic+0x43/frame 0xfffffe023ceef680 # crp_sanity() at crp_sanity+0x236/frame 0xfffffe023ceef6b0 # crypto_dispatch() at crypto_dispatch+0xf/frame 0xfffffe023ceef6d0 # crypto_ioctl() at crypto_ioctl+0x1e33/frame 0xfffffe023ceef7e0 # devfs_ioctl() at devfs_ioctl+0xcd/frame 0xfffffe023ceef830 # VOP_IOCTL_APV() at VOP_IOCTL_APV+0x59/frame 0xfffffe023ceef850 # vn_ioctl() at vn_ioctl+0x133/frame 0xfffffe023ceef960 # devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe023ceef980 # kern_ioctl() at kern_ioctl+0x289/frame 0xfffffe023ceef9f0 # sys_ioctl() at sys_ioctl+0x12a/frame 0xfffffe023ceefac0 # amd64_syscall() at amd64_syscall+0x147/frame 0xfffffe023ceefbf0 # fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe023ceefbf0 # --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8003827da, rsp = 0x7fffffffe4e8, rbp = 0x7fffffffe540 --- # KDB: enter: panic # [ thread pid 18612 tid 109119 ] # Stopped at kdb_enter+0x37: movq $0,0x1281a2e(%rip) # db> x/s version # version: FreeBSD 14.0-CURRENT #0 main-n246560-2018d488628: Sat May 8 08:32:52 CEST 2021 # pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO # db> [ `uname -p` != "amd64" ] && exit 0 [ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 . ../default.cfg cat > /tmp/syzkaller37.c < #include #include #include #include #include #include #include #include #include uint64_t r[1] = {0xffffffffffffffff}; int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); intptr_t res = 0; memcpy((void*)0x20000340, "/dev/crypto\000", 12); res = syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000340ul, 0ul, 0ul); if (res != -1) r[0] = res; *(uint32_t*)0x20000040 = 0x10; *(uint32_t*)0x20000044 = 0x1d; *(uint32_t*)0x20000048 = 1; *(uint64_t*)0x20000050 = 0x20000080; memset((void*)0x20000080, 66, 1); *(uint32_t*)0x20000058 = 0; *(uint64_t*)0x20000060 = 0; *(uint32_t*)0x20000068 = 0; *(uint32_t*)0x2000006c = 0xfdffffff; *(uint32_t*)0x20000070 = 0; *(uint32_t*)0x20000074 = 0; *(uint32_t*)0x20000078 = 0; *(uint32_t*)0x2000007c = 0; syscall(SYS_ioctl, r[0], 0xc040636aul, 0x20000040ul); *(uint32_t*)0x20000000 = 0; *(uint16_t*)0x20000004 = 2; *(uint16_t*)0x20000006 = 0; *(uint32_t*)0x20000008 = 0; *(uint32_t*)0x2000000c = 0x10001; *(uint32_t*)0x20000010 = 0; *(uint64_t*)0x20000018 = 0; *(uint64_t*)0x20000020 = 0; *(uint64_t*)0x20000028 = 0x200001c0; *(uint64_t*)0x20000030 = 0x20000380; *(uint64_t*)0x20000038 = 0; syscall(SYS_ioctl, r[0], 0xc040636dul, 0x20000000ul); return 0; } EOF mycc -o /tmp/syzkaller37 -Wall -Wextra -O0 /tmp/syzkaller37.c || exit 1 kldload cryptodev.ko && loaded=1 (cd /tmp; timeout 3m ./syzkaller37) [ $loaded ] && kldunload cryptodev.ko -rm -rf /tmp/syzkaller37 syzkaller37.c /tmp/syzkaller.* +rm -rf /tmp/syzkaller37 /tmp/syzkaller37.c /tmp/syzkaller.* exit 0 diff --git a/tools/test/stress2/misc/syzkaller38.sh b/tools/test/stress2/misc/syzkaller38.sh index 2bd42e98a644..568e536ed00c 100755 --- a/tools/test/stress2/misc/syzkaller38.sh +++ b/tools/test/stress2/misc/syzkaller38.sh @@ -1,63 +1,63 @@ #!/bin/sh # panic: Assertion (cnp->cn_flags & (LOCKPARENT | WANTPARENT)) == 0 failed at ../../../kern/vfs_lookup.c:490 # cpuid = 22 # time = 1620845561 # KDB: stack backtrace: # db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01499e7690 # vpanic() at vpanic+0x181/frame 0xfffffe01499e76e0 # panic() at panic+0x43/frame 0xfffffe01499e7740 # namei() at namei+0xb4e/frame 0xfffffe01499e77f0 # vn_open_cred() at vn_open_cred+0x11d/frame 0xfffffe01499e7960 # kern_openat() at kern_openat+0x28f/frame 0xfffffe01499e7ac0 # amd64_syscall() at amd64_syscall+0x147/frame 0xfffffe01499e7bf0 # fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01499e7bf0 # --- syscall (0, FreeBSD ELF64, nosys), rip = 0x80038254a, rsp = 0x7fffffffe4f8, rbp = 0x7fffffffe540 --- # KDB: enter: panic # [ thread pid 2990 tid 100320 ] # Stopped at kdb_enter+0x37: movq $0,0x12819de(%rip) # db> x/s version # version: FreeBSD 14.0-CURRENT #0 main-n246600-e681dd3e2c1-dirty: Wed May 12 07:56:58 CEST 2021 # pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO\012 # db> # Fixed by: 6de3cf14c47d - main - vn_open_cred(): disallow O_CREAT | O_EMPTY_PATH [ `uname -p` != "amd64" ] && exit 0 [ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 . ../default.cfg cat > /tmp/syzkaller38.c < #include #include #include #include #include #include #include #include #include int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); memset((void*)0x20000180, 0, 1); syscall(SYS_open, 0x20000180ul, 0x20c0200ul, 0ul); return 0; } EOF mycc -o /tmp/syzkaller38 -Wall -Wextra -O0 /tmp/syzkaller38.c || exit 1 (cd /tmp; timeout 3m ./syzkaller38) -rm -rf /tmp/syzkaller38 syzkaller38.c /tmp/syzkaller.* +rm -rf /tmp/syzkaller38 /tmp/syzkaller38.c /tmp/syzkaller.* exit 0 diff --git a/tools/test/stress2/misc/syzkaller39.sh b/tools/test/stress2/misc/syzkaller39.sh index e19f19d2c751..ca1573ea6465 100755 --- a/tools/test/stress2/misc/syzkaller39.sh +++ b/tools/test/stress2/misc/syzkaller39.sh @@ -1,244 +1,244 @@ #!/bin/sh # panic: ktrace_enter: flag set # cpuid = 0 # time = 1621577415 # KDB: stack backtrace: # db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01c0025670 # vpanic() at vpanic+0x181/frame 0xfffffe01c00256c0 # panic() at panic+0x43/frame 0xfffffe01c0025720 # ktrnamei() at ktrnamei+0xdb/frame 0xfffffe01c0025750 # namei() at namei+0x805/frame 0xfffffe01c0025800 # vn_open_cred() at vn_open_cred+0x497/frame 0xfffffe01c0025970 # sys_ktrace() at sys_ktrace+0x1a0/frame 0xfffffe01c0025ac0 # amd64_syscall() at amd64_syscall+0x147/frame 0xfffffe01c0025bf0 # fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01c0025bf0 # --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8003b054a, rsp = 0x7fffdfffdf68, rbp = 0x7fffdfffdf90 --- # KDB: enter: panic # [ thread pid 80729 tid 101297 ] # Stopped at kdb_enter+0x37: movq $0,0x1281d9e(%rip) # db> x/s version # version: FreeBSD 14.0-CURRENT #0 main-n246739-fc0dc94029d-dirty: Wed May 19 05:54:45 CEST 2021 # pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO # db> [ `uname -p` != "amd64" ] && exit 0 [ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 . ../default.cfg cat > /tmp/syzkaller39.c < #include #include #include #include #include #include #include #include #include #include #include #include static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void loop(void) { int i, call, thread; int collide = 0; again: for (call = 0; call < 3; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (collide && (call % 2) == 0) break; event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); if (!collide) { collide = 1; goto again; } } uint64_t r[1] = {0x0}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000140, "./file0\000", 8); syscall(SYS_open, 0x20000140ul, 0x200ul, 0ul); break; case 1: res = syscall(SYS_getpid); if (res != -1) r[0] = res; break; case 2: memcpy((void*)0x20000040, "./file0\000", 8); syscall(SYS_ktrace, 0x20000040ul, 0ul, 0x4722db8820f38dbbul, r[0]); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); loop(); return 0; } EOF mycc -o /tmp/syzkaller39 -Wall -Wextra -O0 /tmp/syzkaller39.c -lpthread || exit 1 (cd /tmp; timeout 3m ./syzkaller39) -rm -rf /tmp/syzkaller39 syzkaller39.c /tmp/syzkaller.* +rm -rf /tmp/syzkaller39 /tmp/syzkaller39.c /tmp/syzkaller.* exit 0 diff --git a/tools/test/stress2/misc/syzkaller40.sh b/tools/test/stress2/misc/syzkaller40.sh index 8c4d3e4ee54e..e094ca15621a 100755 --- a/tools/test/stress2/misc/syzkaller40.sh +++ b/tools/test/stress2/misc/syzkaller40.sh @@ -1,85 +1,85 @@ #!/bin/sh # panic: mtx_lock() of spin mutex (null) @ ../../../kern/sys_socket.c:785 # cpuid = 7 # time = 1622878256 # KDB: stack backtrace: # db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01aaec6880 # vpanic() at vpanic+0x181/frame 0xfffffe01aaec68d0 # panic() at panic+0x43/frame 0xfffffe01aaec6930 # __mtx_lock_flags() at __mtx_lock_flags+0x13c/frame 0xfffffe01aaec6980 # soo_aio_cancel() at soo_aio_cancel+0x51/frame 0xfffffe01aaec69b0 # aio_cancel_job() at aio_cancel_job+0x95/frame 0xfffffe01aaec69f0 # aio_proc_rundown() at aio_proc_rundown+0xcf/frame 0xfffffe01aaec6a40 # exit1() at exit1+0x36e/frame 0xfffffe01aaec6ab0 # sys_sys_exit() at sys_sys_exit+0xd/frame 0xfffffe01aaec6ac0 # amd64_syscall() at amd64_syscall+0x147/frame 0xfffffe01aaec6bf0 # fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01aaec6bf0 # --- syscall (1, FreeBSD ELF64, sys_sys_exit), rip = 0x8003b230a, rsp = 0x7fffffffe528, rbp = 0x7fffffffe540 --- # KDB: enter: panic # [ thread pid 3000 tid 100365 ] # Stopped at kdb_enter+0x37: movq $0,0x127fb8e(%rip) # db> x/s version # version: FreeBSD 14.0-CURRENT #0 main-n247181-1b5bc3a54b6: Sat Jun 5 04:12:19 CEST 2021 # pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO # db> [ `uname -p` != "amd64" ] && exit 0 [ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 . ../default.cfg cat > /tmp/syzkaller40.c < #include #include #include #include #include #include #include #include #include uint64_t r[1] = {0xffffffffffffffff}; int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); intptr_t res = 0; res = syscall(SYS_socket, 0x1cul, 1ul, 0); if (res != -1) r[0] = res; *(uint32_t*)0x20000200 = r[0]; *(uint64_t*)0x20000208 = 8; *(uint64_t*)0x20000210 = 0; *(uint64_t*)0x20000218 = 0; *(uint32_t*)0x20000220 = 0x100; *(uint32_t*)0x20000224 = 9; *(uint64_t*)0x20000228 = 0x80000000; *(uint32_t*)0x20000230 = 5; *(uint32_t*)0x20000234 = 1; *(uint64_t*)0x20000238 = 6; *(uint64_t*)0x20000240 = 2; *(uint64_t*)0x20000248 = 0; *(uint32_t*)0x20000250 = 1; *(uint32_t*)0x20000254 = 3; *(uint64_t*)0x20000258 = 0x109; *(uint32_t*)0x20000260 = 0; syscall(SYS_aio_read, 0x20000200ul); syscall(SYS_listen, r[0], 0x8273); return 0; } EOF mycc -o /tmp/syzkaller40 -Wall -Wextra -O0 /tmp/syzkaller40.c -lpthread || exit 1 (cd /tmp; timeout 3m ./syzkaller40) -rm -rf /tmp/syzkaller40 syzkaller40.c /tmp/syzkaller.* +rm -rf /tmp/syzkaller40 /tmp/syzkaller40.c /tmp/syzkaller.* exit 0 diff --git a/tools/test/stress2/misc/syzkaller41.sh b/tools/test/stress2/misc/syzkaller41.sh index 762f155e33bf..a2f87ef0260e 100755 --- a/tools/test/stress2/misc/syzkaller41.sh +++ b/tools/test/stress2/misc/syzkaller41.sh @@ -1,284 +1,284 @@ #!/bin/sh # Fatal trap 12: page fault while in kernel mode # cpuid = 23; apic id = 2b # fault virtual address = 0x0 # fault code = supervisor read instruction, page not present # instruction pointer = 0x20:0x0 # stack pointer = 0x28:0xfffffe0131d05b78 # frame pointer = 0x28:0xfffffe0131d05bb0 # code segment = base 0x0, limit 0xfffff, type 0x1b # = DPL 0, pres 1, long 1, def32 0, gran 1 # processor eflags = interrupt enabled, resume, IOPL = 0 # current process = 35 (soaiod1) # trap number = 12 # panic: page fault # cpuid = 23 # time = 1622994049 # KDB: stack backtrace: # db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0131d05820 # vpanic() at vpanic+0x181/frame 0xfffffe0131d05870 # panic() at panic+0x43/frame 0xfffffe0131d058d0 # trap_fatal() at trap_fatal+0x387/frame 0xfffffe0131d05930 # trap_pfault() at trap_pfault+0x97/frame 0xfffffe0131d05990 # trap() at trap+0x294/frame 0xfffffe0131d05aa0 # calltrap() at calltrap+0x8/frame 0xfffffe0131d05aa0 # --- trap 0xc, rip = 0, rsp = 0xfffffe0131d05b78, rbp = 0xfffffe0131d05bb0 --- # ??() at 0/frame 0xfffffe0131d05bb0 # fork_exit() at fork_exit+0x80/frame 0xfffffe0131d05bf0 # fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0131d05bf0 # --- trap 0, rip = 0, rsp = 0, rbp = 0 --- # KDB: enter: panic # [ thread pid 35 tid 100272 ] # Stopped at kdb_enter+0x37: movq $0,0x127fb8e(%rip) # db> x/s version # version: FreeBSD 14.0-CURRENT #0 main-n247181-1b5bc3a54b6: Sat Jun 5 04:12:19 CEST 2021 # pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO # db> [ `uname -p` != "amd64" ] && exit 0 [ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 . ../default.cfg cat > /tmp/syzkaller41.c < #include #include #include #include #include #include #include #include #include #include #include #include static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void loop(void) { int i, call, thread; for (call = 0; call < 4; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: res = syscall(SYS_socket, 0x1cul, 1ul, 0); if (res != -1) r[0] = res; break; case 1: *(uint32_t*)0x20000300 = r[0]; *(uint64_t*)0x20000308 = 0x9a6; *(uint64_t*)0x20000310 = 0; *(uint64_t*)0x20000318 = 0; *(uint32_t*)0x20000320 = 0xffe; *(uint32_t*)0x20000324 = 0x100; *(uint64_t*)0x20000328 = 0x2b8; *(uint32_t*)0x20000330 = 4; *(uint32_t*)0x20000334 = 0xfff; *(uint64_t*)0x20000338 = 3; *(uint64_t*)0x20000340 = 0x80000001; *(uint64_t*)0x20000348 = 0; *(uint32_t*)0x20000350 = 4; *(uint32_t*)0x20000354 = 0xb; *(uint64_t*)0x20000358 = 9; *(uint64_t*)0x20000360 = 0xa3c5; *(uint64_t*)0x20000368 = 0xfffffffffffffff7; *(uint64_t*)0x20000370 = 0x8000; *(uint64_t*)0x20000378 = 3; *(uint64_t*)0x20000380 = 0x498c; *(uint64_t*)0x20000388 = 8; *(uint64_t*)0x20000390 = 4; *(uint64_t*)0x20000398 = 3; syscall(SYS_aio_read, 0x20000300ul); break; case 2: *(uint8_t*)0x20000000 = 0x1c; *(uint8_t*)0x20000001 = 0x1c; *(uint16_t*)0x20000002 = htobe16(0x4e21); *(uint32_t*)0x20000004 = 0; *(uint8_t*)0x20000008 = 0xfe; *(uint8_t*)0x20000009 = 0x80; memset((void*)0x2000000a, 0, 12); *(uint8_t*)0x20000016 = 0; *(uint8_t*)0x20000017 = 0xaa; *(uint32_t*)0x20000018 = 1; syscall(SYS_connect, r[0], 0x20000000ul, 0x1cul); break; case 3: syscall(SYS_shutdown, r[0], 0ul); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); loop(); return 0; } EOF mycc -o /tmp/syzkaller41 -Wall -Wextra -O0 /tmp/syzkaller41.c -lpthread || exit 1 (cd /tmp; timeout 3m ./syzkaller41) -rm -rf /tmp/syzkaller41 syzkaller41.c /tmp/syzkaller.* +rm -rf /tmp/syzkaller41 /tmp/syzkaller41.c /tmp/syzkaller.* exit 0 diff --git a/tools/test/stress2/misc/syzkaller42.sh b/tools/test/stress2/misc/syzkaller42.sh index 07425e4b8731..b5b234de9cd6 100755 --- a/tools/test/stress2/misc/syzkaller42.sh +++ b/tools/test/stress2/misc/syzkaller42.sh @@ -1,124 +1,124 @@ #!/bin/sh [ `uname -p` != "amd64" ] && exit 0 [ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 # panic: Assertion lock == sq->sq_lock failed at ../../../kern/subr_sleepqueue.c:371 # cpuid = 1 # time = 1623487895 # KDB: stack backtrace: # db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe06c14b4700 # vpanic() at vpanic+0x181/frame 0xfffffe06c14b4750 # panic() at panic+0x43/frame 0xfffffe06c14b47b0 # sleepq_add() at sleepq_add+0x3e6/frame 0xfffffe06c14b4800 # _sleep() at _sleep+0x20e/frame 0xfffffe06c14b48b0 # kern_sigtimedwait() at kern_sigtimedwait+0x532/frame 0xfffffe06c14b4a20 # sys_sigwaitinfo() at sys_sigwaitinfo+0x43/frame 0xfffffe06c14b4ac0 # amd64_syscall() at amd64_syscall+0x147/frame 0xfffffe06c14b4bf0 # fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe06c14b4bf0 # --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8003af5fa, rsp = 0x7fffffffe5f8, rbp = 0x7fffffffe610 --- # KDB: enter: panic # [ thread pid 15370 tid 356127 ] # Stopped at kdb_enter+0x37: movq $0,0x1285b4e(%rip) # db> x/s version # version: FreeBSD 14.0-CURRENT #0 main-n247326-2349cda44fea: Sat Jun 12 03:57:33 CEST 2021 # pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO # db> . ../default.cfg cat > /tmp/syzkaller42.c < #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) { continue; } kill_and_wait(pid, &status); break; } } } void execute_one(void) { syscall(SYS_rfork, 0x14034ul); *(uint32_t*)0x20000140 = 0x80000002; *(uint32_t*)0x20000144 = 0xfffffff7; *(uint32_t*)0x20000148 = 0x41; *(uint32_t*)0x2000014c = 3; syscall(SYS_sigwaitinfo, 0x20000140ul, 0ul); } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); loop(); return 0; } EOF mycc -o /tmp/syzkaller42 -Wall -Wextra -O0 /tmp/syzkaller42.c -lpthread || exit 1 (cd /tmp; timeout 3m ./syzkaller42) -rm -rf /tmp/syzkaller42 syzkaller42.c /tmp/syzkaller.* +rm -rf /tmp/syzkaller42 /tmp/syzkaller42.c /tmp/syzkaller.* exit 0 diff --git a/tools/test/stress2/misc/syzkaller43.sh b/tools/test/stress2/misc/syzkaller43.sh index 025ee674132d..ffa6e1c6857c 100755 --- a/tools/test/stress2/misc/syzkaller43.sh +++ b/tools/test/stress2/misc/syzkaller43.sh @@ -1,327 +1,327 @@ #!/bin/sh # panic: Assertion done != job_total_nbytes failed at ../../../kern/sys_socket.c:672 # cpuid = 6 # time = 1630912129 # KDB: stack backtrace: # db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00e4f2fa10 # vpanic() at vpanic+0x187/frame 0xfffffe00e4f2fa70 # panic() at panic+0x43/frame 0xfffffe00e4f2fad0 # soaio_process_sb() at soaio_process_sb+0x79a/frame 0xfffffe00e4f2fb70 # soaio_kproc_loop() at soaio_kproc_loop+0x96/frame 0xfffffe00e4f2fbb0 # fork_exit() at fork_exit+0x80/frame 0xfffffe00e4f2fbf0 # fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00e4f2fbf0 # --- trap 0, rip = 0, rsp = 0, rbp = 0 --- # KDB: enter: panic # [ thread pid 26 tid 100163 ] # Stopped at kdb_enter+0x37: movq $0,0x127297e(%rip) # db> x/s version # version: FreeBSD 14.0-CURRENT #0 main-n249158-1f7a6325fe1b: Sun Sep 5 09:12:58 CEST 2021 # pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO # db> [ `uname -p` != "amd64" ] && exit 0 [ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 . ../default.cfg cat > /tmp/syzkaller43.c < #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 5; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) { continue; } kill_and_wait(pid, &status); break; } } } #ifndef SYS_aio_readv #define SYS_aio_readv 579 #endif uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: res = syscall(SYS_socket, 0x1cul, 5ul, 0x84); if (res != -1) r[0] = res; break; case 1: *(uint64_t*)0x20000440 = 0; *(uint32_t*)0x20000448 = 0; *(uint64_t*)0x20000450 = 0; *(uint64_t*)0x20000458 = 0; *(uint64_t*)0x20000460 = 0; *(uint64_t*)0x20000468 = 0; *(uint32_t*)0x20000470 = 0; syscall(SYS_recvmsg, r[0], 0x20000440ul, 0x40040ul); break; case 2: *(uint32_t*)0x200006c0 = r[0]; *(uint64_t*)0x200006c8 = 0x800; *(uint64_t*)0x200006d0 = 0; *(uint64_t*)0x200006d8 = 0; *(uint32_t*)0x200006e0 = -1; *(uint32_t*)0x200006e4 = 8; *(uint64_t*)0x200006e8 = 0xffffffffffff658c; *(uint32_t*)0x200006f0 = 4; *(uint32_t*)0x200006f4 = 0x1ff; *(uint64_t*)0x200006f8 = 0x40; *(uint64_t*)0x20000700 = 0; *(uint64_t*)0x20000708 = 0; *(uint32_t*)0x20000710 = 4; *(uint32_t*)0x20000714 = 8; *(uint32_t*)0x20000718 = 6; *(uint64_t*)0x20000720 = 0; *(uint64_t*)0x20000728 = 0; syscall(SYS_aio_readv, 0x200006c0ul); break; case 3: *(uint32_t*)0x20000140 = 0; *(uint16_t*)0x20000144 = 4; *(uint8_t*)0x20000146 = 1; syscall(SYS_setsockopt, r[0], 0x84, 0x1e, 0x20000140ul, 8ul); break; case 4: *(uint64_t*)0x20000580 = 0x20000080; *(uint8_t*)0x20000080 = 0x1c; *(uint8_t*)0x20000081 = 0x1c; *(uint16_t*)0x20000082 = htobe16(0x4e22); *(uint32_t*)0x20000084 = 0; *(uint64_t*)0x20000088 = htobe64(0); *(uint64_t*)0x20000090 = htobe64(1); *(uint32_t*)0x20000098 = 0; *(uint32_t*)0x20000588 = 0x1c; *(uint64_t*)0x20000590 = 0x20000400; *(uint64_t*)0x20000400 = 0x200000c0; memset((void*)0x200000c0, 239, 1); *(uint64_t*)0x20000408 = 1; *(uint32_t*)0x20000598 = 1; *(uint64_t*)0x200005a0 = 0; *(uint32_t*)0x200005a8 = 0xd0; *(uint32_t*)0x200005ac = 0; syscall(SYS_sendmsg, r[0], 0x20000580ul, 0ul); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); loop(); return 0; } EOF mycc -o /tmp/syzkaller43 -Wall -Wextra -O0 /tmp/syzkaller43.c -lpthread || exit 1 (cd /tmp; timeout 3m ./syzkaller43) -rm -rf /tmp/syzkaller43 syzkaller43.c /tmp/syzkaller.* +rm -rf /tmp/syzkaller43 /tmp/syzkaller43.c /tmp/syzkaller.* exit 0 diff --git a/tools/test/stress2/misc/syzkaller50.sh b/tools/test/stress2/misc/syzkaller50.sh index 4acc144503b9..d50e90866b8c 100755 --- a/tools/test/stress2/misc/syzkaller50.sh +++ b/tools/test/stress2/misc/syzkaller50.sh @@ -1,169 +1,169 @@ #!/bin/sh # panic: Assertion done != job_total_nbytes failed at ../../../kern/sys_socket.c:670 # cpuid = 10 # time = 1649059964 # KDB: stack backtrace: # db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe069a27fd70 # vpanic() at vpanic+0x17f/frame 0xfffffe069a27fdc0 # panic() at panic+0x43/frame 0xfffffe069a27fe20 # soaio_process_sb() at soaio_process_sb+0x751/frame 0xfffffe069a27feb0 # soaio_kproc_loop() at soaio_kproc_loop+0xa9/frame 0xfffffe069a27fef0 # fork_exit() at fork_exit+0x80/frame 0xfffffe069a27ff30 # fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe069a27ff30 # --- trap 0xc, rip = 0x36633df4a5ca, rsp = 0x36633cd66d98, rbp = 0x36633cd66db0 --- # KDB: enter: panic # [ thread pid 36460 tid 546462 ] # Stopped at kdb_enter+0x37: movq $0,0x127b48e(%rip) # db> x/s version # version: FreeBSD 14.0-CURRENT #0 main-n254248-88b3e65fcff2a: Sun Apr 3 11:21:34 CEST 2022\012 pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO\012 # db> [ `uname -p` != "amd64" ] && exit 0 . ../default.cfg cat > /tmp/syzkaller50.c < #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; res = syscall(SYS_socket, 0x1cul, 1ul, 0x84); if (res != -1) r[0] = res; *(uint8_t*)0x20000240 = 0x1c; *(uint8_t*)0x20000241 = 0x1c; *(uint16_t*)0x20000242 = htobe16(0x4e23); *(uint32_t*)0x20000244 = 0; *(uint64_t*)0x20000248 = htobe64(0); *(uint64_t*)0x20000250 = htobe64(1); *(uint32_t*)0x20000258 = 0; syscall(SYS_bind, r[0], 0x20000240ul, 0x1cul); *(uint8_t*)0x20000080 = 0x1c; *(uint8_t*)0x20000081 = 0x1c; *(uint16_t*)0x20000082 = htobe16(0x4e23); *(uint32_t*)0x20000084 = 0; *(uint64_t*)0x20000088 = htobe64(0); *(uint64_t*)0x20000090 = htobe64(1); *(uint32_t*)0x20000098 = 0; syscall(SYS_connect, r[0], 0x20000080ul, 0x1cul); *(uint32_t*)0x20000000 = r[0]; *(uint64_t*)0x20000008 = 0; *(uint64_t*)0x20000010 = 0x200002c0; *(uint64_t*)0x20000018 = 0; *(uint32_t*)0x20000020 = 0; *(uint32_t*)0x20000024 = 0; *(uint64_t*)0x20000028 = 0; *(uint32_t*)0x20000030 = 0; *(uint32_t*)0x20000034 = 0; *(uint64_t*)0x20000038 = 0; *(uint64_t*)0x20000040 = 0; *(uint64_t*)0x20000048 = 0; *(uint32_t*)0x20000050 = 0; *(uint32_t*)0x20000054 = 0; *(uint32_t*)0x20000058 = 0; *(uint32_t*)0x20000060 = 0; syscall(SYS_aio_write, 0x20000000ul); res = syscall(SYS_fcntl, r[0], 0ul, r[0]); if (res != -1) r[1] = res; *(uint32_t*)0x20001540 = 0; memset((void*)0x20001544, 6, 1); syscall(SYS_setsockopt, r[1], 0x84, 0x901, 0x20001540ul, 8ul); } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); loop(); return 0; } EOF mycc -o /tmp/syzkaller50 -Wall -Wextra -O0 /tmp/syzkaller50.c || exit 1 kldstat | grep -q sctp || { kldload sctp.ko && loaded=1; } (cd ../testcases/swap; ./swap -t 3m -i 10 -l 100) & for i in `jot 3`; do (cd /tmp; timeout 3m ./syzkaller50) & pids="$pids $!" done for pid in $pids; do wait $pid done while pkill swap; do :; done wait -rm -rf /tmp/syzkaller50 syzkaller50.c /tmp/syzkaller.* +rm -rf /tmp/syzkaller50 /tmp/syzkaller50.c /tmp/syzkaller.* [ $loaded ] && kldunload sctp.ko exit 0 diff --git a/tools/test/stress2/misc/syzkaller51.sh b/tools/test/stress2/misc/syzkaller51.sh index ae18a30cfe4d..bd5b5da16d9a 100755 --- a/tools/test/stress2/misc/syzkaller51.sh +++ b/tools/test/stress2/misc/syzkaller51.sh @@ -1,195 +1,195 @@ #!/bin/sh # panic: Queues are not empty when handling SHUTDOWN-COMPLETE # cpuid = 10 # time = 1650546082 # KDB: stack backtrace: # db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00e49be680 # vpanic() at vpanic+0x17f/frame 0xfffffe00e49be6d0 # panic() at panic+0x43/frame 0xfffffe00e49be730 # sctp_handle_shutdown_complete() at sctp_handle_shutdown_complete+0xea/frame 0xfffffe00e49be750 # sctp_process_control() at sctp_process_control+0x1561/frame 0xfffffe00e49bea90 # sctp_common_input_processing() at sctp_common_input_processing+0x514/frame 0xfffffe00e49bec00 # sctp6_input_with_port() at sctp6_input_with_port+0x228/frame 0xfffffe00e49becf0 # sctp6_input() at sctp6_input+0xb/frame 0xfffffe00e49bed00 # ip6_input() at ip6_input+0xc2f/frame 0xfffffe00e49bede0 # swi_net() at swi_net+0x191/frame 0xfffffe00e49bee60 # ithread_loop() at ithread_loop+0x279/frame 0xfffffe00e49beef0 # fork_exit() at fork_exit+0x80/frame 0xfffffe00e49bef30 # fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00e49bef30 # --- trap 0, rip = 0, rsp = 0, rbp = 0 --- # KDB: enter: panic # [ thread pid 12 tid 100077 ] # Stopped at kdb_enter+0x32: movq $0,0x12797a3(%rip) # db> x/s version # FreeBSD 14.0-CURRENT #0 main-n254961-b91a48693a53e: Thu Apr 21 09:39:27 CEST 2022 # pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO # db> [ `uname -p` != "amd64" ] && exit 0 . ../default.cfg cat > /tmp/syzkaller51.c < #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; res = syscall(SYS_socket, 0x1cul, 1ul, 0x84); if (res != -1) r[0] = res; *(uint8_t*)0x20000000 = 0x1c; *(uint8_t*)0x20000001 = 0x1c; *(uint16_t*)0x20000002 = htobe16(0x4e22); *(uint32_t*)0x20000004 = 0; memset((void*)0x20000008, 0, 16); *(uint32_t*)0x20000018 = 0; syscall(SYS_bind, r[0], 0x20000000ul, 0x1cul); syscall(SYS_listen, r[0], 5); res = syscall(SYS_socket, 0x1cul, 1ul, 0x84); if (res != -1) r[1] = res; memset((void*)0x20000240, 202, 1); *(uint8_t*)0x20000040 = 0x1c; *(uint8_t*)0x20000041 = 0x1c; *(uint16_t*)0x20000042 = htobe16(0x4e22); *(uint32_t*)0x20000044 = 0; *(uint64_t*)0x20000048 = htobe64(0); *(uint64_t*)0x20000050 = htobe64(1); *(uint32_t*)0x20000058 = 0; syscall(SYS_sendto, r[1], 0x20000240ul, 1ul, 0ul, 0x20000040ul, 0x1cul); syscall(SYS_dup2, r[0], r[1]); res = syscall(SYS_accept, r[1], 0ul, 0ul); if (res != -1) r[2] = res; *(uint64_t*)0x20001980 = 0; *(uint32_t*)0x20001988 = 0; *(uint64_t*)0x20001990 = 0x200018c0; *(uint64_t*)0x200018c0 = 0x20000400; memcpy( (void*)0x20000400, "\xe1\xb9\x03\xdc\x43\xbc\x11\x92\xcb\x81\xb0\x96\xe0\x09\xde\x05\x09\x0b" "\x44\x42\x6a\x68\x20\x0d\x0a\x78\x94\x0a\xbc\xcb\x4d\x0b\x1d\x3e\xc6\x6a" "\xc2\x43\x46\x14\x08\x20\x01\x43\x3e\xf2\xc1\xb6\x6a\x0e\x5e\x13\xa8\xcf" "\x99\x01\x1d\x5a\xb4\xe1\x7e\xa4\x98\x7d\x56\xb5\x86\xa3\xbb\x1e\x3e\xb5" "\x85\x89\x43\xf9\x0d\xee\x7e\x8d\xc5\xac\x60\xed\x23\x62\xc7\x05\x0b\x3b" "\x37\x6c\x77\x77\x5f\x1e\x0f\xa0\x90\x50\xc1\x97\x45\x47\x7f\xe7\x64\xff" "\x92\x61\x9f\x9c\x06\xee\x37\x89\xf8\x81\x6e\xf7\xeb\xe5\xe1\xbd\xa8\xcc" "\x50\xce\x6b\x9b\x7e\x9a\x62\x5c\x71\xd4\x41\x55\x90\x6b\xe5\x92\x55\xe0" "\x3e\xc5\xfd\xfd\xbb\x5d\x2c\xf2\x70\x22\xdb\x96\x07\x02\xe6\xae\x67\xb2" "\xcd\x1b\xf6\xab\x30\x3a\xfd\x24\x5d\xb7\x37\x95\x21\x4c\xc6\x8a\x29\x50" "\xec\x8d\x33\x21\x6a\x93\x20\x30\x43\xe4\x54\xeb\x98\x2b\x40\x9a\x2a\x1d" "\x48\x77\xc8\xf3\x06\xdf\xa3\x80\x07\xab\x8c\x6e\x30\x13\x84\x4d\xf4\x48" "\x1e\x5b\x0f\xbd\x84\xe0\x17\xbe\x81\xc9\x47\xc5\x6b\x0b\xc0\x70\x74\xcb" "\x6d\xe1\xe3\xeb\xdc\xe8\xbf\x72\x22\x92\x0b\x2b\xfe\xda\x7f\xcf\x96", 251); *(uint64_t*)0x200018c8 = 0xfb; *(uint64_t*)0x200018d0 = 0; *(uint64_t*)0x200018d8 = 0; *(uint64_t*)0x200018e0 = 0x20000600; *(uint64_t*)0x200018e8 = 0; *(uint64_t*)0x200018f0 = 0; *(uint64_t*)0x200018f8 = 0; *(uint64_t*)0x20001900 = 0; *(uint64_t*)0x20001908 = 0; *(uint64_t*)0x20001910 = 0; *(uint64_t*)0x20001918 = 0; *(uint64_t*)0x20001920 = 0; *(uint64_t*)0x20001928 = 0; *(uint64_t*)0x20001930 = 0; *(uint64_t*)0x20001938 = 0; *(uint64_t*)0x20001940 = 0; *(uint64_t*)0x20001948 = 0; *(uint32_t*)0x20001998 = 9; *(uint64_t*)0x200019a0 = 0; *(uint32_t*)0x200019a8 = 0; *(uint32_t*)0x200019ac = 0x101; syscall(SYS_sendmsg, r[2], 0x20001980ul, 0x20104ul); } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); loop(); return 0; } EOF mycc -o /tmp/syzkaller51 -Wall -Wextra -O0 /tmp/syzkaller51.c || exit 1 kldstat | grep -q sctp || { kldload sctp.ko && loaded=1; } (cd /tmp; timeout 3m ./syzkaller51) -rm -rf /tmp/syzkaller51 syzkaller51.c /tmp/syzkaller.* +rm -rf /tmp/syzkaller51 /tmp/syzkaller51.c /tmp/syzkaller.* [ $loaded ] && kldunload sctp.ko exit 0