Index: user/pho/stress2/misc/syzkaller5.sh =================================================================== --- user/pho/stress2/misc/syzkaller5.sh (nonexistent) +++ user/pho/stress2/misc/syzkaller5.sh (revision 359820) @@ -0,0 +1,84 @@ +#!/bin/sh + +# panic: to_ticks == 0 for timer type 11 +# cpuid = 0 +# time = 1585113766 +# KDB: stack backtrace: +# db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe0024a5e4b0 +# vpanic() at vpanic+0x1c7/frame 0xfffffe0024a5e510 +# panic() at panic+0x43/frame 0xfffffe0024a5e570 +# sctp_timer_start() at sctp_timer_start+0xc7f/frame 0xfffffe0024a5e5d0 +# sctp_lower_sosend() at sctp_lower_sosend+0x4b9a/frame 0xfffffe0024a5e7b0 +# sctp_sosend() at sctp_sosend+0x501/frame 0xfffffe0024a5e8e0 +# sosend() at sosend+0xc6/frame 0xfffffe0024a5e950 +# kern_sendit() at kern_sendit+0x33d/frame 0xfffffe0024a5ea00 +# sendit() at sendit+0x224/frame 0xfffffe0024a5ea60 +# sys_sendto() at sys_sendto+0x5c/frame 0xfffffe0024a5eac0 +# amd64_syscall() at amd64_syscall+0x2f4/frame 0xfffffe0024a5ebf0 +# fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe0024a5ebf0 + +# Fixed by r359405 + +# $FreeBSD$ + +[ `uname -p` = "i386" ] && exit 0 + +. ../default.cfg +cat > /tmp/syzkaller5.c < +#include +#include +#include +#include +#include +#include +#include +#include +#include + +uint64_t r[1] = {0xffffffffffffffff}; + +int main(void) +{ + syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul); + intptr_t res = 0; + res = syscall(SYS_socket, 0x1cul, 5ul, 0x84); + if (res != -1) + r[0] = res; + *(uint32_t*)0x20000200 = 0; + *(uint32_t*)0x20000204 = 0; + *(uint32_t*)0x20000208 = 0xfffffffb; + *(uint32_t*)0x2000020c = 0; + syscall(SYS_setsockopt, r[0], 0x84, 1, 0x20000200ul, 0x3f6ul); + memcpy((void*)0x20000040, "\x11", 1); + *(uint8_t*)0x20000100 = 0x10; + *(uint8_t*)0x20000101 = 2; + *(uint16_t*)0x20000102 = htobe16(0x4e21); + *(uint8_t*)0x20000104 = 0xac; + *(uint8_t*)0x20000105 = 0x14; + *(uint8_t*)0x20000106 = 0; + *(uint8_t*)0x20000107 = 0xbb; + *(uint8_t*)0x20000108 = 0; + *(uint8_t*)0x20000109 = 0; + *(uint8_t*)0x2000010a = 0; + *(uint8_t*)0x2000010b = 0; + *(uint8_t*)0x2000010c = 0; + *(uint8_t*)0x2000010d = 0; + *(uint8_t*)0x2000010e = 0; + *(uint8_t*)0x2000010f = 0; + syscall(SYS_sendto, r[0], 0x20000040ul, 1ul, 0x104ul, 0x20000100ul, 0x10ul); + return 0; +} +EOF +mycc -o /tmp/syzkaller5 -Wall -Wextra -O2 /tmp/syzkaller5.c -lpthread || + exit 1 + +(cd /tmp; ./syzkaller5) + +rm /tmp/syzkaller5 /tmp/syzkaller5.c +exit 0 Property changes on: user/pho/stress2/misc/syzkaller5.sh ___________________________________________________________________ Added: svn:executable ## -0,0 +1 ## +* \ No newline at end of property Index: user/pho/stress2/misc/syzkaller6.sh =================================================================== --- user/pho/stress2/misc/syzkaller6.sh (nonexistent) +++ user/pho/stress2/misc/syzkaller6.sh (revision 359820) @@ -0,0 +1,85 @@ +#!/bin/sh + +# panic: to_ticks == 0 for timer type 2 +# cpuid = 1 +# time = 1585113958 +# KDB: stack backtrace: +# db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe0024a54420 +# vpanic() at vpanic+0x1c7/frame 0xfffffe0024a54480 +# panic() at panic+0x43/frame 0xfffffe0024a544e0 +# sctp_timer_start() at sctp_timer_start+0xc7f/frame 0xfffffe0024a54540 +# sctp_send_initiate() at sctp_send_initiate+0x10b/frame 0xfffffe0024a545d0 +# sctp_lower_sosend() at sctp_lower_sosend+0x3f54/frame 0xfffffe0024a547b0 +# sctp_sosend() at sctp_sosend+0x501/frame 0xfffffe0024a548e0 +# sosend() at sosend+0xc6/frame 0xfffffe0024a54950 +# kern_sendit() at kern_sendit+0x33d/frame 0xfffffe0024a54a00 +# sendit() at sendit+0x224/frame 0xfffffe0024a54a60 +# sys_sendto() at sys_sendto+0x5c/frame 0xfffffe0024a54ac0 +# amd64_syscall() at amd64_syscall+0x2f4/frame 0xfffffe0024a54bf0 +# fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe0024a54bf0 + +# $FreeBSD$ + +# Fixed by r359405 + +[ `uname -p` = "i386" ] && exit 0 + +. ../default.cfg +cat > /tmp/syzkaller6.c < +#include +#include +#include +#include +#include +#include +#include +#include +#include + +uint64_t r[1] = {0xffffffffffffffff}; + +int main(void) +{ + syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul); + intptr_t res = 0; + res = syscall(SYS_socket, 0x1cul, 5ul, 0x84); + if (res != -1) + r[0] = res; + *(uint32_t*)0x20000200 = 0; + *(uint32_t*)0x20000204 = 0xfffffff9; + *(uint32_t*)0x20000208 = 0xfffffffb; + *(uint32_t*)0x2000020c = 0; + syscall(SYS_setsockopt, r[0], 0x84, 1, 0x20000200ul, 0x39eul); + memcpy((void*)0x20000040, "\x11", 1); + *(uint8_t*)0x20000100 = 0x10; + *(uint8_t*)0x20000101 = 2; + *(uint16_t*)0x20000102 = htobe16(0x4e21); + *(uint8_t*)0x20000104 = 0xac; + *(uint8_t*)0x20000105 = 0x14; + *(uint8_t*)0x20000106 = 0; + *(uint8_t*)0x20000107 = 0xbb; + *(uint8_t*)0x20000108 = 0; + *(uint8_t*)0x20000109 = 0; + *(uint8_t*)0x2000010a = 0; + *(uint8_t*)0x2000010b = 0; + *(uint8_t*)0x2000010c = 0; + *(uint8_t*)0x2000010d = 0; + *(uint8_t*)0x2000010e = 0; + *(uint8_t*)0x2000010f = 0; + syscall(SYS_sendto, r[0], 0x20000040ul, 1ul, 0ul, 0x20000100ul, 0x10ul); + return 0; +} +EOF +mycc -o /tmp/syzkaller6 -Wall -Wextra -O2 /tmp/syzkaller6.c -lpthread || + exit 1 + +(cd /tmp; ./syzkaller6) + +rm /tmp/syzkaller6 /tmp/syzkaller6.c +exit 0 Property changes on: user/pho/stress2/misc/syzkaller6.sh ___________________________________________________________________ Added: svn:executable ## -0,0 +1 ## +* \ No newline at end of property Index: user/pho/stress2/misc/syzkaller7.sh =================================================================== --- user/pho/stress2/misc/syzkaller7.sh (nonexistent) +++ user/pho/stress2/misc/syzkaller7.sh (revision 359820) @@ -0,0 +1,163 @@ +#!/bin/sh + +# panic: Duplicate free of 0xfffff800049ad800 from zone +# 0xfffff800041e82c0(mbuf) slab 0xfffff800049adf90(8) +# +# KDB: stack backtrace: +# db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame +# 0xfffffe0016b2c4a0 +# vpanic() at vpanic+0x1e0/frame 0xfffffe0016b2c500 +# panic() at panic+0x43/frame 0xfffffe0016b2c560 +# uma_dbg_free() at uma_dbg_free+0x246/frame 0xfffffe0016b2c5b0 +# uma_zfree_arg() at uma_zfree_arg+0x1aa/frame 0xfffffe0016b2c640 +# uipc_ready() at uipc_ready+0x19f/frame 0xfffffe0016b2c690 +# sendfile_iodone() at sendfile_iodone+0x342/frame 0xfffffe0016b2c6f0 +# vnode_pager_generic_getpages_done_async() at +# vnode_pager_generic_getpages_done_async+0x4a/frame 0xfffffe0016b2c720 +# bufdone() at bufdone+0xa1/frame 0xfffffe0016b2c7a0 +# g_io_deliver() at g_io_deliver+0x35b/frame 0xfffffe0016b2c800 +# g_io_deliver() at g_io_deliver+0x35b/frame 0xfffffe0016b2c860 +# g_io_deliver() at g_io_deliver+0x35b/frame 0xfffffe0016b2c8c0 +# g_disk_done() at g_disk_done+0x179/frame 0xfffffe0016b2c910 +# dadone() at dadone+0x655/frame 0xfffffe0016b2c9a0 +# xpt_done_process() at xpt_done_process+0x5b2/frame 0xfffffe0016b2ca00 +# xpt_done_td() at xpt_done_td+0x175/frame 0xfffffe0016b2ca60 +# fork_exit() at fork_exit+0xb0/frame 0xfffffe0016b2cab0 +# fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0016b2cab0 +# --- trap 0, rip = 0, rsp = 0, rbp = 0 --- + +# $FreeBSD$ + +# Not reproduced on r359769 +# Fixed by r359779 + +[ `uname -p` = "i386" ] && exit 0 + +. ../default.cfg +cat > /tmp/syzkaller7.c < + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static void kill_and_wait(int pid, int* status) +{ + kill(pid, SIGKILL); + while (waitpid(-1, status, 0) != pid) { + } +} + +static void sleep_ms(uint64_t ms) +{ + usleep(ms * 1000); +} + +static uint64_t current_time_ms(void) +{ + struct timespec ts; + if (clock_gettime(CLOCK_MONOTONIC, &ts)) + exit(1); + return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; +} + +static void execute_one(void); + +#define WAIT_FLAGS 0 + +static void loop(void) +{ + int iter; + for (iter = 0;; iter++) { + int pid = fork(); + if (pid < 0) + exit(1); + if (pid == 0) { + execute_one(); + exit(0); + } + int status = 0; + uint64_t start = current_time_ms(); + for (;;) { + if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) + break; + sleep_ms(1); + if (current_time_ms() - start < 5 * 1000) + continue; + kill_and_wait(pid, &status); + break; + } + } +} + +uint64_t r[5] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, + 0xffffffffffffffff, 0xffffffffffffffff}; + +void execute_one(void) +{ + long res = 0; + memcpy((void*)0x20001180, "./file0\000", 8); + res = syscall(SYS_open, 0x20001180, 0x8240, 0); + if (res != -1) + r[0] = res; + res = syscall(SYS_socketpair, 1, 1, 0, 0x20000100); + if (res != -1) { + r[1] = *(uint32_t*)0x20000100; + r[2] = *(uint32_t*)0x20000104; + } + memcpy((void*)0x20000480, "./file0\000", 8); + res = syscall(SYS_open, 0x20000480, 0x80000000000206, 0); + if (res != -1) + r[3] = res; + res = syscall(SYS_dup, r[3]); + if (res != -1) + r[4] = res; + *(uint64_t*)0x20000100 = 0x200002c0; + memcpy((void*)0x200002c0, "\xdd", 1); + *(uint64_t*)0x20000108 = 1; + syscall(SYS_pwritev, r[4], 0x20000100, 1, 0); + *(uint64_t*)0x20002e80 = 0x20000540; + memcpy((void*)0x20000540, "\x7f", 1); + *(uint64_t*)0x20002e88 = 1; + syscall(SYS_pwritev, r[3], 0x20002e80, 1, 0xbf24); + memcpy((void*)0x200004c0, + "\x89\x88\xaa\x4a\xc3\x95\x23\x77\x54\xee\x66\xf3\x8d\xa4\xae\xf3\x47" + "\x6d\x78\xb7\x1f\xe6\x0d\xb7\x4a\x9f\xb9\xc9\x99\x91\x6c\x98", + 32); + syscall(SYS_setsockopt, r[2], 0, 2, 0x200004c0, 0x20); + syscall(SYS_fcntl, r[4], 4, 0x10044); + syscall(SYS_read, r[4], 0x20000000, 0x6d999); + syscall(SYS_sendfile, r[0], r[1], 0, 2); +} +int main(void) +{ + syscall(SYS_mmap, 0x20000000, 0x1000000, 3, 0x1012, -1, 0); + loop(); + return 0; +} +EOF +mycc -o /tmp/syzkaller7 -Wall -Wextra -O2 /tmp/syzkaller7.c -lpthread || + exit 1 + +(cd /tmp; ./syzkaller7) & +sleep 60 +pkill -9 syzkaller7 +wait + +rm -f /tmp/syzkaller7 /tmp/syzkaller7.c /tmp/syzkaller7.core /tmp/file0 +exit 0 Property changes on: user/pho/stress2/misc/syzkaller7.sh ___________________________________________________________________ Added: svn:executable ## -0,0 +1 ## +* \ No newline at end of property