diff --git a/tools/test/stress2/misc/all.exclude b/tools/test/stress2/misc/all.exclude index 7ee33f258f87..dfd936abde70 100644 --- a/tools/test/stress2/misc/all.exclude +++ b/tools/test/stress2/misc/all.exclude @@ -1,107 +1,109 @@ # List of tests not to run, unless the '-a' option is used with run.sh # Exclude names must start in column 1 backingstore.sh g_vfs_done():md6a[WRITE(offset=...)]error = 28 20111220 backingstore2.sh panic: 43 vncache entries remaining 20111220 backingstore3.sh g_vfs_done():md6a[WRITE(offset=...)]error = 28 20111230 dd.sh CAM stuck in vmwait 20200116 devfs4.sh Hang seen 20210210 force4.sh https://people.freebsd.org/~pho/stress/log/log0082.txt 20210328 fsync.sh panic: Journal overflow 20190208 fuse.sh Memory corruption seen in log file kostik734.txt 20141114 fuse2.sh Deadlock seen 20121129 fuse3.sh Deadlock seen 20141120 getrandom.sh Known DoS issue 20201107 getrandom2.sh Known DoS issue 20200302 gjournal.sh panic: Journal overflow 20190626 gjournal2.sh panic: Journal overflow 20180125 gjournal3.sh panic: Bio not on queue 20171225 gjournal4.sh CAM stuck in vmwait 20180517 gnop7.sh Waiting for patch commit 20190820 gnop8.sh Waiting for patch commit 20201214 gnop9.sh Waiting for patch commit 20201214 gnop10.sh Waiting for patch commit 20210105 graid1_8.sh Known issue 20170909 graid1_9.sh panic: Bad effnlink 20180212 lockf5.sh Spinning threads seen 20160718 ifconfig.sh Bug 253824 20210322 ifconfig2.sh https://people.freebsd.org/~pho/stress/log/log0051.txt 20210210 maxvnodes2.sh https://people.freebsd.org/~pho/stress/log/log0083.txt 20210329 memguard.sh https://people.freebsd.org/~pho/stress/log/log0088.txt 20210402 memguard2.sh Waiting for fix commit memguard3.sh Waiting for fix commit memsetdomain.sh May change policy for random threads to to domainset_fixed 20210104 mlockall2.sh Unrecoverable OOM killing seen 20190203 mlockall7.sh Needs further investigation 20210123 nfs15lockd.sh panic: Assertion td->td_realucred == td->td_ucred failed ... 20210211 newfs4.sh watchdog fired. newbuf 20190225 nfs10.sh Double fault 20151013 nfs13.sh mount_nfs hangs in mntref 20191007 nfs16.sh panic: Failed to register NFS lock locally - error=11 20160608 oom2.sh Hang in pfault 20180324 overcommit2.sh CAM stuck in vmwait seen 20200112 pageout.sh panic: handle_written_filepage: not started 20190218 pmc8.sh panic: [pmc,2749] (ri21, rc1) waiting too long for pmc to ... 20210621 quota10.sh people.freebsd.org/~pho/stress/log/quota10-2.txt 20200525 quota2.sh panic: dqflush: stray dquot 20120221 quota3.sh panic: softdep_deallocate_dependencies: unrecovered ... 20111222 quota7.sh panic: dqflush: stray dquot 20120221 sctp3.sh panic: Queues are not empty when handling SHUTDOWN-COMPLETE 20210211 sendfile25.sh WiP 20200611 signal.sh Timing issues. Needs fixing 20171116 snap8.sh https://people.freebsd.org/~pho/stress/log/log0123.txt 20211008 swapoff2.sh swap_pager_force_pagein: read from swap failed 20171223 swapoff5.sh log0005.txt, known issue 20210111 systrace.sh WiP 20200227 systrace2.sh WiP 20200227 syzkaller11.sh WiP 20200721 syzkaller15.sh WiP 20200712 syzkaller16.sh WiP 20210722 syzkaller19.sh WiP 20200712 syzkaller25.sh WiP 20201116 syzkaller28.sh WiP 20201120 syzkaller29.sh May change policy for random threads to to domainset_fixed 20210104 syzkaller30.sh May change policy for random threads to to domainset_fixed 20210104 syzkaller31.sh panic: Bad tailq NEXT(0xfffffe0079608f00->tqh_last) != NULL 20210322 syzkaller32.sh Fatal trap 18: integer divide fault while in kernel mode 20210322 syzkaller33.sh Fatal trap 18: integer divide fault while in kernel mode 20210418 syzkaller39.sh WiP 20210607 syzkaller40.sh WiP 20210607 syzkaller41.sh WiP 20210607 syzkaller42.sh WiP 20210613 syzkaller43.sh WiP 20210906 +syzkaller46.sh WiP 20211026 +syzkaller47.sh WiP 20211026 truss3.sh WiP 20200915 unionfs.sh insmntque: non-locked vp: xx is not exclusive locked... 20130909 unionfs2.sh insmntque: mp-safe fs and non-locked vp is not ... 20111219 unionfs3.sh insmntque: mp-safe fs and non-locked vp is not ... 20111216 unionfs4.sh WiP 20210916 unionfs5.sh WiP 20210916 # Test not to run for other reasons: fuzz.sh A know issue marcus3.sh OK, but runs for a long time statfs.sh Not very interesting vunref.sh No problems ever seen vunref2.sh No problems ever seen # Snapshots has been disabled on SU+J suj15.sh suj16.sh suj19.sh suj20.sh suj21.sh suj22.sh suj24.sh suj25.sh suj26.sh suj27.sh suj28.sh # Exclude NFS loopback tests nfs2.sh panic: wrong diroffset 20140219 nfs5.sh nfs6.sh nfs11.sh vmwait deadlock 20151004 nullfs8.sh tmpfs18.sh mntref hang seen 20191019 diff --git a/tools/test/stress2/misc/syzkaller46.sh b/tools/test/stress2/misc/syzkaller46.sh new file mode 100755 index 000000000000..db1c9c27b221 --- /dev/null +++ b/tools/test/stress2/misc/syzkaller46.sh @@ -0,0 +1,118 @@ +#!/bin/sh + +# Fatal trap 12: page fault while in kernel mode +# cpuid = 4; apic id = 04 +# fault virtual address = 0x28 +# fault code = supervisor read data, page not present +# instruction pointer = 0x20:0xffffffff81549dea +# stack pointer = 0x28:0xfffffe01d8689480 +# frame pointer = 0x28:0xfffffe01d8689490 +# code segment = base 0x0, limit 0xfffff, type 0x1b +# = DPL 0, pres 1, long 1, def32 0, gran 1 +# processor eflags = interrupt enabled, resume, IOPL = 0 +# current process = 3050 (syzkaller46) +# trap number = 12 +# panic: page fault +# cpuid = 4 +# time = 1635158869 +# KDB: stack backtrace: +# db_trace_self_wrapper() at db_trace_self_wrapper+0xa5/frame 0xfffffe01d8688cb0 +# kdb_backtrace() at kdb_backtrace+0xc9/frame 0xfffffe01d8688e10 +# vpanic() at vpanic+0x248/frame 0xfffffe01d8688ef0 +# panic() at panic+0xb5/frame 0xfffffe01d8688fb0 +# trap_fatal() at trap_fatal+0x52e/frame 0xfffffe01d86890b0 +# trap_pfault() at trap_pfault+0x132/frame 0xfffffe01d86891d0 +# trap() at trap+0x53f/frame 0xfffffe01d86893b0 +# calltrap() at calltrap+0x8/frame 0xfffffe01d86893b0 +# --- trap 0xc, rip = 0xffffffff81549dea, rsp = 0xfffffe01d8689480, rbp = 0xfffffe01d8689490 --- +# filt_bpfwrite() filt_bpfwrite+0x4a/frame 0xfffffe01d8689490 +# kqueue_register() at kqueue_register+0xea3/frame 0xfffffe01d86895d0 +# kqueue_kevent() at kqueue_kevent+0x26a/frame 0xfffffe01d86899c0 +# kern_kevent_fp() at kern_kevent_fp+0xd2/frame 0xfffffe01d8689a10 +# kern_kevent() at kern_kevent+0x138/frame 0xfffffe01d8689b10 +# kern_kevent_generic() at kern_kevent_gene6/frame 0xfffffesys_kevent() at sys_kevent+0x1e1/frame 0xfffffe01d8689d30 +# amd64_syscall() at amd64_syscall+0x31e/frame 0xfffffe01d8689f30 +# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01d8689f30 +# --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8003adafa, rsp = 0x7fffffffe648, rbp = 0x7fffffffe670 --- +# KDB: enter: panic +# [ thread pid 3050 tid 100263 ] +# Stopped at kdb_enter+0x37: movq $0,0x2638c4e(%rip) +# db> x/s version +# version: FreeBSD 14.0-CURRENT #0 main-n250242-eab5358b9080-dirty: Mon Oct 25 11:32:45 CEST 2021 +# pho@mercat1.netperf.freebsd.org +# db> + + +[ `uname -p` != "amd64" ] && exit 0 +[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 + +. ../default.cfg +cat > /tmp/syzkaller46.c < +#include +#include +#include +#include +#include +#include +#include +#include +#include + +uint64_t r[1] = {0xffffffffffffffff}; + +int main(void) +{ + syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); + intptr_t res = 0; + memcpy((void*)0x20000040, "/dev/bpf\000", 9); + syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000040ul, 0ul, 0ul); + res = syscall(SYS_kqueue); + if (res != -1) + r[0] = res; + *(uint64_t*)0x20000480 = 0x284; + *(uint16_t*)0x20000488 = 0xfff8; + *(uint16_t*)0x2000048a = 0x10; + *(uint32_t*)0x2000048c = 1; + *(uint64_t*)0x20000490 = 0x401; + *(uint64_t*)0x20000498 = 5; + *(uint64_t*)0x200004a0 = 5; + *(uint64_t*)0x200004a8 = 0x24000000; + *(uint64_t*)0x200004b0 = 0x100000000; + *(uint64_t*)0x200004b8 = 0x3f; + *(uint64_t*)0x200004c0 = 3; + *(uint16_t*)0x200004c8 = 0xfffe; + *(uint16_t*)0x200004ca = 1; + *(uint32_t*)0x200004cc = 1; + *(uint64_t*)0x200004d0 = 1; + *(uint64_t*)0x200004d8 = 3; + *(uint64_t*)0x200004e0 = 9; + *(uint64_t*)0x200004e8 = 0x3ff; + *(uint64_t*)0x200004f0 = 0x100000001; + *(uint64_t*)0x200004f8 = 3; + *(uint64_t*)0x20000500 = 5; + *(uint16_t*)0x20000508 = 0xfffe; + *(uint16_t*)0x2000050a = 0x42; + *(uint32_t*)0x2000050c = 2; + *(uint64_t*)0x20000510 = 5; + *(uint64_t*)0x20000518 = 0x7f; + *(uint64_t*)0x20000520 = 9; + *(uint64_t*)0x20000528 = 0x600000000; + *(uint64_t*)0x20000530 = 0x1f; + *(uint64_t*)0x20000538 = 7; + syscall(SYS_kevent, r[0], 0x20000480ul, 3ul, 0x200001c0ul, 0xaul, 0ul); + return 0; +} +EOF +mycc -o /tmp/syzkaller46 -Wall -Wextra -O0 /tmp/syzkaller46.c -lpthread || exit 1 + +(cd /tmp; ./syzkaller46) + +rm -rf /tmp/syzkaller46 /tmp/syzkaller46.c /tmp/syzkaller.* +exit 0 diff --git a/tools/test/stress2/misc/syzkaller47.sh b/tools/test/stress2/misc/syzkaller47.sh new file mode 100755 index 000000000000..76561282a86b --- /dev/null +++ b/tools/test/stress2/misc/syzkaller47.sh @@ -0,0 +1,404 @@ +#!/bin/sh + +# panic: ASan: Invalid access, 32-byte read at 0xfffffe01f76145a0, UseAfterScope(f8) +# cpuid = 3 +# time = 1635158022 +# KDB: stack backtrace: +# db_trace_self_wrapper() at db_trace_self_wrapper+0xa5/frame 0xfffffe01f7614170 +# kdb_backtrace() at kdb_backtrace+0xc9/frame 0xfffffe01f76142d0 +# vpanic() at vpanic+0x248/frame 0xfffffe01f76143b0 +# panic() at panic+0xb5/frame 0xfffffe01f7614480 +# __asan_storeN() at __asan_storeN/frame 0xfffffe01f7614550 +# smp_masked_invlpg_range() at smp_masked_invlpg_range+0xb2/frame 0xfffffe01f7614630 +# pmap_invalidate_range() at pmap_invalidate_range+0x22b/frame 0xfffffe01f7614730 +# vm_thread_stack_create() at vm_thread_stack_create+0xf5/frame 0xfffffe01f7614910 +# kstack_import() at kstack_import+0xcache_alloc() at cache_alloc+0x556/frame 0xfffffe01f7614a10 +# cache_alloc_retry() at cache_alloc_retry+0x30/frame 0xfffffe01f7614a80 +# vm_thread_new() at vm_thread_new+0x61/frame 0xfffffe01f7614ab0 +# thread_alloc() at thread_alloc+0x5f/frame 0xfffffe01f7614af0 +# thread_create() at thread_create+0x1b3/frame 0xfffffe01f7614bf0 +# sys_thr_new() at sys_thr_new+0x15a/framd30 +# amd64_syscall() at amd64_syscall+0x31e/frame 0xfffffe01f7614f30 +# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01f7614f30 +# --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8003afafa, rsp = 0x7fffdfffdf58, rbp = 0x7fffdfffdf70 --- +# KDB: enter: panic +# [ thread pid 69407 tid 100937 ] +# Stopped at kdb_enter+0x37: movq $0,0x2638c4e(%rip) +# db> x/s version +# version: FreeBSD 14.0-CURRENT #0 main-n250242-eab5358b9080-dirty: Mon Oct 25 11:32:45 CEST 2021 +# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO-KASAN +# db> + +[ `uname -p` != "amd64" ] && exit 0 +[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 +[ "`sysctl -in kern.features.kasan`" != "1" ] && exit 0 + +. ../default.cfg +cat > /tmp/syzkaller47.c < + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static __thread int skip_segv; +static __thread jmp_buf segv_env; + +static void segv_handler(int sig, siginfo_t* info, void* ctx __unused) +{ + uintptr_t addr = (uintptr_t)info->si_addr; + const uintptr_t prog_start = 1 << 20; + const uintptr_t prog_end = 100 << 20; + int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0; + int valid = addr < prog_start || addr > prog_end; + if (sig == SIGBUS) + valid = 1; + if (skip && valid) { + _longjmp(segv_env, 1); + } + exit(sig); +} + +static void install_segv_handler(void) +{ + struct sigaction sa; + memset(&sa, 0, sizeof(sa)); + sa.sa_sigaction = segv_handler; + sa.sa_flags = SA_NODEFER | SA_SIGINFO; + sigaction(SIGSEGV, &sa, NULL); + sigaction(SIGBUS, &sa, NULL); +} + +#define NONFAILING(...) \ + ({ \ + int ok = 1; \ + __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \ + if (_setjmp(segv_env) == 0) { \ + __VA_ARGS__; \ + } else \ + ok = 0; \ + __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \ + ok; \ + }) + +static void kill_and_wait(int pid, int* status) +{ + kill(pid, SIGKILL); + while (waitpid(-1, status, 0) != pid) { + } +} + +static void sleep_ms(uint64_t ms) +{ + usleep(ms * 1000); +} + +static uint64_t current_time_ms(void) +{ + struct timespec ts; + if (clock_gettime(CLOCK_MONOTONIC, &ts)) + exit(1); + return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; +} + +static void use_temporary_dir(void) +{ + char tmpdir_template[] = "./syzkaller.XXXXXX"; + char* tmpdir = mkdtemp(tmpdir_template); + if (!tmpdir) + exit(1); + if (chmod(tmpdir, 0777)) + exit(1); + if (chdir(tmpdir)) + exit(1); +} + +static void __attribute__((noinline)) remove_dir(const char* dir) +{ + DIR* dp = opendir(dir); + if (dp == NULL) { + if (errno == EACCES) { + if (rmdir(dir)) + exit(1); + return; + } + exit(1); + } + struct dirent* ep = 0; + while ((ep = readdir(dp))) { + if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) + continue; + char filename[FILENAME_MAX]; + snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); + struct stat st; + if (lstat(filename, &st)) + exit(1); + if (S_ISDIR(st.st_mode)) { + remove_dir(filename); + continue; + } + if (unlink(filename)) + exit(1); + } + closedir(dp); + if (rmdir(dir)) + exit(1); +} + +static void thread_start(void* (*fn)(void*), void* arg) +{ + pthread_t th; + pthread_attr_t attr; + pthread_attr_init(&attr); + pthread_attr_setstacksize(&attr, 128 << 10); + int i = 0; + for (; i < 100; i++) { + if (pthread_create(&th, &attr, fn, arg) == 0) { + pthread_attr_destroy(&attr); + return; + } + if (errno == EAGAIN) { + usleep(50); + continue; + } + break; + } + exit(1); +} + +typedef struct { + pthread_mutex_t mu; + pthread_cond_t cv; + int state; +} event_t; + +static void event_init(event_t* ev) +{ + if (pthread_mutex_init(&ev->mu, 0)) + exit(1); + if (pthread_cond_init(&ev->cv, 0)) + exit(1); + ev->state = 0; +} + +static void event_reset(event_t* ev) +{ + ev->state = 0; +} + +static void event_set(event_t* ev) +{ + pthread_mutex_lock(&ev->mu); + if (ev->state) + exit(1); + ev->state = 1; + pthread_mutex_unlock(&ev->mu); + pthread_cond_broadcast(&ev->cv); +} + +static void event_wait(event_t* ev) +{ + pthread_mutex_lock(&ev->mu); + while (!ev->state) + pthread_cond_wait(&ev->cv, &ev->mu); + pthread_mutex_unlock(&ev->mu); +} + +static int event_isset(event_t* ev) +{ + pthread_mutex_lock(&ev->mu); + int res = ev->state; + pthread_mutex_unlock(&ev->mu); + return res; +} + +static int event_timedwait(event_t* ev, uint64_t timeout) +{ + uint64_t start = current_time_ms(); + uint64_t now = start; + pthread_mutex_lock(&ev->mu); + for (;;) { + if (ev->state) + break; + uint64_t remain = timeout - (now - start); + struct timespec ts; + ts.tv_sec = remain / 1000; + ts.tv_nsec = (remain % 1000) * 1000 * 1000; + pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); + now = current_time_ms(); + if (now - start > timeout) + break; + } + int res = ev->state; + pthread_mutex_unlock(&ev->mu); + return res; +} + +static void sandbox_common() +{ + struct rlimit rlim; + rlim.rlim_cur = rlim.rlim_max = 128 << 20; + setrlimit(RLIMIT_AS, &rlim); + rlim.rlim_cur = rlim.rlim_max = 8 << 20; + setrlimit(RLIMIT_MEMLOCK, &rlim); + rlim.rlim_cur = rlim.rlim_max = 1 << 20; + setrlimit(RLIMIT_FSIZE, &rlim); + rlim.rlim_cur = rlim.rlim_max = 1 << 20; + setrlimit(RLIMIT_STACK, &rlim); + rlim.rlim_cur = rlim.rlim_max = 0; + setrlimit(RLIMIT_CORE, &rlim); + rlim.rlim_cur = rlim.rlim_max = 256; + setrlimit(RLIMIT_NOFILE, &rlim); +} + +static void loop(); + +static int do_sandbox_none(void) +{ + sandbox_common(); + loop(); + return 0; +} + +struct thread_t { + int created, call; + event_t ready, done; +}; + +static struct thread_t threads[16]; +static void execute_call(int call); +static int running; + +static void* thr(void* arg) +{ + struct thread_t* th = (struct thread_t*)arg; + for (;;) { + event_wait(&th->ready); + event_reset(&th->ready); + execute_call(th->call); + __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); + event_set(&th->done); + } + return 0; +} + +static void execute_one(void) +{ + int i, call, thread; + int collide = 0; +again: + for (call = 0; call < 2; call++) { + for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); + thread++) { + struct thread_t* th = &threads[thread]; + if (!th->created) { + th->created = 1; + event_init(&th->ready); + event_init(&th->done); + event_set(&th->done); + thread_start(thr, th); + } + if (!event_isset(&th->done)) + continue; + event_reset(&th->done); + th->call = call; + __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); + event_set(&th->ready); + if (collide && (call % 2) == 0) + break; + event_timedwait(&th->done, 50); + break; + } + } + for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) + sleep_ms(1); + if (!collide) { + collide = 1; + goto again; + } +} + +static void execute_one(void); + +#define WAIT_FLAGS 0 + +static void loop(void) +{ + int iter = 0; + for (;; iter++) { + char cwdbuf[32]; + sprintf(cwdbuf, "./%d", iter); + if (mkdir(cwdbuf, 0777)) + exit(1); + int pid = fork(); + if (pid < 0) + exit(1); + if (pid == 0) { + if (chdir(cwdbuf)) + exit(1); + execute_one(); + exit(0); + } + int status = 0; + uint64_t start = current_time_ms(); + for (;;) { + if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) + break; + sleep_ms(1); + if (current_time_ms() - start < 5000) + continue; + kill_and_wait(pid, &status); + break; + } + remove_dir(cwdbuf); + } +} + +void execute_call(int call) +{ + switch (call) { + case 0: + syscall(SYS_rfork, 0x4030ul); + break; + case 1: + syscall(SYS_thr_new, 0ul, 0ul); + break; + } +} +int main(void) +{ + syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul); + install_segv_handler(); + use_temporary_dir(); + do_sandbox_none(); + return 0; +} +EOF +mycc -o /tmp/syzkaller47 -Wall -Wextra -O0 /tmp/syzkaller47.c -lpthread || exit 1 + +(cd /tmp; timeout 2m ./syzkaller47) + +rm -rf /tmp/syzkaller47 /tmp/syzkaller47.c /tmp/syzkaller.* +exit 0