diff --git a/tools/test/stress2/misc/all.exclude b/tools/test/stress2/misc/all.exclude
index 833e4fb0dbd3..9b33cf1a1f23 100644
--- a/tools/test/stress2/misc/all.exclude
+++ b/tools/test/stress2/misc/all.exclude
@@ -1,102 +1,104 @@ # List of tests not to run, unless the '-a' option is used with run.sh # Exclude names must start in column 1 backingstore.sh g_vfs_done():md6a[WRITE(offset=...)]error = 28 20111220 backingstore2.sh panic: 43 vncache entries remaining 20111220 backingstore3.sh g_vfs_done():md6a[WRITE(offset=...)]error = 28 20111230 dd.sh CAM stuck in vmwait 20200116 devfs4.sh Hang seen 20210210 force4.sh https://people.freebsd.org/~pho/stress/log/log0082.txt 20210328 fsync.sh panic: Journal overflow 20190208 fuse.sh Memory corruption seen in log file kostik734.txt 20141114 fuse2.sh Deadlock seen 20121129 fuse3.sh Deadlock seen 20141120 getrandom.sh Known DoS issue 20201107 getrandom2.sh Known DoS issue 20200302 gjournal.sh panic: Journal overflow 20190626 gjournal2.sh panic: Journal overflow 20180125 gjournal3.sh panic: Bio not on queue 20171225 gjournal4.sh CAM stuck in vmwait 20180517 gnop7.sh Waiting for patch commit 20190820 gnop8.sh Waiting for patch commit 20201214 gnop9.sh Waiting for patch commit 20201214 gnop10.sh Waiting for patch commit 20210105 graid1_8.sh Known issue 20170909 graid1_9.sh panic: Bad effnlink 20180212 lockf5.sh Spinning threads seen 20160718 ifconfig.sh Bug 253824 20210322 ifconfig2.sh https://people.freebsd.org/~pho/stress/log/log0051.txt 20210210 maxvnodes2.sh https://people.freebsd.org/~pho/stress/log/log0083.txt 20210329 memguard.sh https://people.freebsd.org/~pho/stress/log/log0088.txt 20210402 memguard2.sh Waiting for fix commit memguard3.sh Waiting for fix commit memsetdomain.sh May change policy for random threads to to domainset_fixed 20210104 mlockall2.sh Unrecoverable OOM killing seen 20190203 mlockall7.sh Needs further investigation 20210123 nfs15lockd.sh panic: Assertion td->td_realucred == td->td_ucred failed ... 20210211 newfs4.sh watchdog fired. 
newbuf 20190225 nfs10.sh Double fault 20151013 nfs13.sh mount_nfs hangs in mntref 20191007 nfs16.sh panic: Failed to register NFS lock locally - error=11 20160608 oom2.sh Hang in pfault 20180324 overcommit2.sh CAM stuck in vmwait seen 20200112 pageout.sh panic: handle_written_filepage: not started 20190218 pmc4.sh ld: error: /usr/lib/libpmc.so: undefined reference 20210124 pmc5.sh ld: error: /usr/lib/libpmc.so: undefined reference 20210124 pmc6.sh ld: error: /usr/lib/libpmc.so: undefined reference 20210124 quota10.sh people.freebsd.org/~pho/stress/log/quota10-2.txt 20200525 quota2.sh panic: dqflush: stray dquot 20120221 quota3.sh panic: softdep_deallocate_dependencies: unrecovered ... 20111222 quota7.sh panic: dqflush: stray dquot 20120221 sctp3.sh panic: Queues are not empty when handling SHUTDOWN-COMPLETE 20210211 sendfile25.sh WiP 20200611 signal.sh Timing issues. Needs fixing 20171116 swapoff2.sh swap_pager_force_pagein: read from swap failed 20171223 swapoff5.sh log0005.txt, known issue 20210111 systrace.sh WiP 20200227 systrace2.sh WiP 20200227 syzkaller11.sh WiP 20200721 +syzkaller15.sh WiP 20200712 syzkaller19.sh WiP 20200712 syzkaller25.sh WiP 20201116 syzkaller28.sh WiP 20201120 syzkaller29.sh May change policy for random threads to to domainset_fixed 20210104 syzkaller30.sh May change policy for random threads to to domainset_fixed 20210104 syzkaller31.sh panic: Bad tailq NEXT(0xfffffe0079608f00->tqh_last) != NULL 20210322 syzkaller32.sh Fatal trap 18: integer divide fault while in kernel mode 20210322 syzkaller33.sh Fatal trap 18: integer divide fault while in kernel mode 20210418 syzkaller39.sh WiP 20210607 syzkaller40.sh WiP 20210607 syzkaller41.sh WiP 20210607 +syzkaller42.sh WiP 20210613 truss3.sh WiP 20200915 unionfs.sh insmntque: non-locked vp: xx is not exclusive locked... 20130909 unionfs2.sh insmntque: mp-safe fs and non-locked vp is not ... 20111219 unionfs3.sh insmntque: mp-safe fs and non-locked vp is not ... 
20111216 # Test not to run for other reasons: fuzz.sh A know issue marcus3.sh OK, but runs for a long time statfs.sh Not very interesting vunref.sh No problems ever seen vunref2.sh No problems ever seen # Snapshots has been disabled on SU+J suj15.sh suj16.sh suj19.sh suj20.sh suj21.sh suj22.sh suj24.sh suj25.sh suj26.sh suj27.sh suj28.sh # Exclude NFS loopback tests nfs2.sh panic: wrong diroffset 20140219 nfs5.sh nfs6.sh nfs11.sh vmwait deadlock 20151004 nullfs8.sh tmpfs18.sh mntref hang seen 20191019 diff --git a/tools/test/stress2/misc/syscall4.sh b/tools/test/stress2/misc/syscall4.sh index 824089760ba7..209a00f7af9b 100755 --- a/tools/test/stress2/misc/syscall4.sh +++ b/tools/test/stress2/misc/syscall4.sh 
@@ -1,385 +1,382 @@ #!/bin/sh # # Copyright (c) 2011-2013 Peter Holm # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # Threaded syscall(2) fuzz test inspired by the iknowthis test suite # by Tavis Ormandy # Usage: syscall4.sh [syscall number] # Without an argument random syscall numbers are tested. # With an argument only the specified syscall number is tested. # Sample problems found: # Thread stuck in stopprof. # http://people.freebsd.org/~pho/stress/log/kostik732.txt # Fixed by r275121. # panic: td 0xcbe1ac40 is not suspended. # https://people.freebsd.org/~pho/stress/log/kostik807.txt # Fixed by r282944. [ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 . 
../default.cfg odir=`pwd` cd /tmp sed '1,/^EOF/d' < $odir/$0 > syscall4.c sed -i '' -e "s#MNTPOINT#$mntpoint#" syscall4.c rm -f /tmp/syscall4 mycc -o syscall4 -Wall -Wextra -O2 -g syscall4.c -lpthread || exit 1 rm -f syscall4.c kldstat -v | grep -q sysvmsg || $stress2tools/kldload.sh sysvmsg kldstat -v | grep -q sysvsem || $stress2tools/kldload.sh sysvsem kldstat -v | grep -q sysvshm || $stress2tools/kldload.sh sysvshm kldstat -v | grep -q aio || $stress2tools/kldload.sh aio kldstat -v | grep -q mqueuefs || $stress2tools/kldload.sh mqueuefs mount | grep -q "on $mntpoint " && umount -f $mntpoint [ -c /dev/md$mdstart ] && mdconfig -d -u $mdstart mdconfig -a -t swap -s 2g -u $mdstart || exit 1 bsdlabel -w md$mdstart auto newfs $newfs_flags -n md${mdstart}$part > /dev/null mount /dev/md${mdstart}$part $mntpoint chmod 777 $mntpoint [ -z "$noswap" ] && daemon sh -c "(cd $odir/../testcases/swap; ./swap -t 10m -i 20 -k)" > \ /dev/null sleeptime=${sleeptime:-12} st=`date '+%s'` while [ $((`date '+%s'` - st)) -lt $((10 * sleeptime)) ]; do (cd $mntpoint; /tmp/syscall4 $* 1>>stdout 2>>stderr) & start=`date '+%s'` while [ $((`date '+%s'` - start)) -lt $sleeptime ]; do pgrep syscall4 > /dev/null || break sleep .5 done while pkill -9 syscall4; do :; done wait ipcs | grep nobody | awk '/^(q|m|s)/ {print " -" $1, $2}' | xargs -L 1 ipcrm done while pkill -9 swap; do :; done while pkill -9 syscall4; do :; done for i in `jot 10`; do mount | grep -q md${mdstart}$part && \ umount $mntpoint && mdconfig -d -u $mdstart && break sleep 10 done if mount | grep -q md${mdstart}$part; then fstat $mntpoint echo "umount $mntpoint failed" exit 1 fi rm -f /tmp/syscall4 exit 0 EOF #include #include #include #include #include #include #include #include #include #include #include #include #include #if defined(__FreeBSD__) #include #define __NP__ #endif #include #include #include #include #include #include #include static int ignore[] = { SYS_syscall, SYS_exit, SYS_fork, 11, /* 11 is obsolete execv */ 
SYS_reboot, SYS_vfork, 109, /* 109 is old sigblock */ 111, /* 111 is old sigsuspend */ SYS_shutdown, SYS___syscall, 216, /* custom syscall */ SYS_rfork, - SYS_sigsuspend, SYS_mac_syscall, - SYS_sigtimedwait, - SYS_sigwaitinfo, }; static int fd[900], fds[2], kq, socketpr[2]; #ifndef nitems #define nitems(x) (sizeof((x)) / sizeof((x)[0])) #endif #define N 4096 #define MAGIC 1664 #define RUNTIME 120 #define THREADS 50 static uint32_t r[N]; static int magic1, syscallno, magic2; static int random_int(int mi, int ma) { return (arc4random() % (ma - mi + 1) + mi); } static void hand(int i __unused) { /* handler */ exit(1); } static unsigned long makearg(void) { unsigned int i; unsigned long val; val = arc4random(); i = arc4random() % 100; if (i < 20) val = val & 0xff; if (i >= 20 && i < 40) val = val & 0xffff; if (i >= 40 && i < 60) val = (unsigned long)(r) | (val & 0xffff); #if defined(__LP64__) if (i >= 60) { val = (val << 32) | arc4random(); if (i > 80) val = val & 0x00007fffffffffffUL; } #endif return(val); } static void * test(void *arg __unused) { FTS *fts; FTSENT *p; time_t start; int ftsoptions, i, numfiles; char *args[] = { "/dev", "/proc", "MNTPOINT", "mnt2", ".", NULL, }; #ifdef __NP__ pthread_set_name_np(pthread_self(), __func__); #endif numfiles = 0; ftsoptions = FTS_PHYSICAL; start = time(NULL); while (time(NULL) - start < 2) { for (i = 0; i < N; i++) r[i] = arc4random(); if (pipe(fds) == -1) err(1, "pipe()"); if (socketpair(PF_UNIX, SOCK_SEQPACKET, 0, socketpr) == -1) err(1, "socketpair()"); kq = kqueue(); if ((fts = fts_open(args, ftsoptions, NULL)) == NULL) err(1, "fts_open"); i = 0; while ((p = fts_read(fts)) != NULL) { if (fd[i] > 0) close(fd[i]); if ((fd[i] = open(p->fts_path, O_RDWR)) == -1) if ((fd[i] = open(p->fts_path, O_WRONLY)) == -1) if ((fd[i] = open(p->fts_path, O_RDONLY)) == -1) continue; i++; i = i % nitems(fd); if (numfiles++ < 10) { fprintf(stderr, "%d: pts_path = %s\n", numfiles, p->fts_path); } } if (fts_close(fts) == -1) 
warn("fts_close()"); sleep(1); close(socketpr[0]); close(socketpr[1]); close(fds[0]); close(fds[1]); close(kq); } return(NULL); } static void * calls(void *arg __unused) { time_t start; int i, j, num; unsigned long arg1, arg2, arg3, arg4, arg5, arg6, arg7; #ifdef __NP__ pthread_set_name_np(pthread_self(), __func__); #endif start = time(NULL); for (i = 0; time(NULL) - start < 10; i++) { num = syscallno; while (num == 0) { num = random_int(0, SYS_MAXSYSCALL); for (j = 0; j < (int)nitems(ignore); j++) if (num == ignore[j]) { num = 0; break; } } arg1 = makearg(); arg2 = makearg(); arg3 = makearg(); arg4 = makearg(); arg5 = makearg(); arg6 = makearg(); arg7 = makearg(); #if 0 /* Debug mode */ fprintf(stderr, "%2d : syscall(%3d, %lx, %lx, %lx, %lx, %lx," " %lx, %lx)\n", i, num, arg1, arg2, arg3, arg4, arg5, arg6, arg7); sleep(2); #endif alarm(1); syscall(num, arg1, arg2, arg3, arg4, arg5, arg6, arg7); num = 0; if (magic1 != MAGIC || magic2 != MAGIC) exit(1); } return (NULL); } int main(int argc, char **argv) { struct passwd *pw; struct rlimit limit; pthread_t rp, cp[THREADS]; time_t start; int e, j; magic1 = magic2 = MAGIC; if ((pw = getpwnam("nobody")) == NULL) err(1, "failed to resolve nobody"); if (getenv("USE_ROOT") && argc == 2) fprintf(stderr, "Running syscall4 as root for %s.\n", argv[1]); else { if (setgroups(1, &pw->pw_gid) || setegid(pw->pw_gid) || setgid(pw->pw_gid) || seteuid(pw->pw_uid) || setuid(pw->pw_uid)) err(1, "Can't drop privileges to \"nobody\""); endpwent(); } limit.rlim_cur = limit.rlim_max = 1000; #if defined(RLIMIT_NPTS) if (setrlimit(RLIMIT_NPTS, &limit) < 0) err(1, "setrlimit"); #endif signal(SIGALRM, hand); signal(SIGILL, hand); signal(SIGFPE, hand); signal(SIGSEGV, hand); signal(SIGBUS, hand); signal(SIGURG, hand); signal(SIGSYS, hand); signal(SIGTRAP, hand); if (argc > 2) { fprintf(stderr, "usage: %s [syscall-num]\n", argv[0]); exit(1); } if (argc == 2) { syscallno = atoi(argv[1]); for (j = 0; j < (int)nitems(ignore); j++) if (syscallno == 
ignore[j]) errx(0, "syscall #%d is on the ignore list.", syscallno); } if (daemon(1, 1) == -1) err(1, "daemon()"); system("touch aaa bbb ccc; mkdir -p ddd"); start = time(NULL); while ((time(NULL) - start) < RUNTIME) { if (fork() == 0) { if ((e = pthread_create(&rp, NULL, test, NULL)) != 0) errc(1, e, "pthread_create"); usleep(1000); for (j = 0; j < THREADS; j++) if ((e = pthread_create(&cp[j], NULL, calls, NULL)) != 0) errc(1, e, "pthread_create"); for (j = 0; j < THREADS; j++) pthread_join(cp[j], NULL); if ((e = pthread_kill(rp, SIGINT)) != 0) errc(1, e, "pthread_kill"); exit(0); } wait(NULL); usleep(10000); } return (0); } diff --git a/tools/test/stress2/misc/syzkaller42.sh b/tools/test/stress2/misc/syzkaller42.sh new file mode 100755 index 000000000000..07425e4b8731 --- /dev/null +++ b/tools/test/stress2/misc/syzkaller42.sh 
@@ -0,0 +1,124 @@ +#!/bin/sh + +[ `uname -p` != "amd64" ] && exit 0 +[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 + +# panic: Assertion lock == sq->sq_lock failed at ../../../kern/subr_sleepqueue.c:371 +# cpuid = 1 +# time = 1623487895 +# KDB: stack backtrace: +# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe06c14b4700 +# vpanic() at vpanic+0x181/frame 0xfffffe06c14b4750 +# panic() at panic+0x43/frame 0xfffffe06c14b47b0 +# sleepq_add() at sleepq_add+0x3e6/frame 0xfffffe06c14b4800 +# _sleep() at _sleep+0x20e/frame 0xfffffe06c14b48b0 +# kern_sigtimedwait() at kern_sigtimedwait+0x532/frame 0xfffffe06c14b4a20 +# sys_sigwaitinfo() at sys_sigwaitinfo+0x43/frame 0xfffffe06c14b4ac0 +# amd64_syscall() at amd64_syscall+0x147/frame 0xfffffe06c14b4bf0 +# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe06c14b4bf0 +# --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8003af5fa, rsp = 0x7fffffffe5f8, rbp = 0x7fffffffe610 --- +# KDB: enter: panic +# [ thread pid 15370 tid 356127 ] +# Stopped at kdb_enter+0x37: movq $0,0x1285b4e(%rip) +# db> x/s version +# version: FreeBSD 14.0-CURRENT #0 main-n247326-2349cda44fea: Sat Jun 12 03:57:33 CEST 2021 +# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO +# db> + +. 
../default.cfg +cat > /tmp/syzkaller42.c < + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static void kill_and_wait(int pid, int* status) +{ + kill(pid, SIGKILL); + while (waitpid(-1, status, 0) != pid) { + } +} + +static void sleep_ms(uint64_t ms) +{ + usleep(ms * 1000); +} + +static uint64_t current_time_ms(void) +{ + struct timespec ts; + if (clock_gettime(CLOCK_MONOTONIC, &ts)) + exit(1); + return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; +} + +static void execute_one(void); + +#define WAIT_FLAGS 0 + +static void loop(void) +{ + int iter = 0; + for (;; iter++) { + int pid = fork(); + if (pid < 0) + exit(1); + if (pid == 0) { + execute_one(); + exit(0); + } + int status = 0; + uint64_t start = current_time_ms(); + for (;;) { + if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) + break; + sleep_ms(1); + if (current_time_ms() - start < 5000) { + continue; + } + kill_and_wait(pid, &status); + break; + } + } +} + +void execute_one(void) +{ + syscall(SYS_rfork, 0x14034ul); + *(uint32_t*)0x20000140 = 0x80000002; + *(uint32_t*)0x20000144 = 0xfffffff7; + *(uint32_t*)0x20000148 = 0x41; + *(uint32_t*)0x2000014c = 3; + syscall(SYS_sigwaitinfo, 0x20000140ul, 0ul); +} +int main(void) +{ + syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); + loop(); + return 0; +} +EOF +mycc -o /tmp/syzkaller42 -Wall -Wextra -O0 /tmp/syzkaller42.c -lpthread || + exit 1 + +(cd /tmp; timeout 3m ./syzkaller42) + +rm -rf /tmp/syzkaller42 syzkaller42.c /tmp/syzkaller.* +exit 0
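Review bot: The final cleanup line names `syzkaller42.c` without the `/tmp/` prefix, although the source was written with `cat > /tmp/syzkaller42.c` and the only `cd /tmp` is inside the subshell that runs the binary. Unless `default.cfg` changes directory, which is not visible here, the generated C file is left behind in /tmp after every run; `rm -rf /tmp/syzkaller42 /tmp/syzkaller42.c /tmp/syzkaller.*` would remove it. The script also requires root and writes to fixed names in a world-writable directory, so the redirect will follow whatever already exists at that path. Creating the work files under a `mktemp -d` directory and removing that directory at the end would cover both points.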