? github.com/google/syzkaller/dashboard/api [no test files] ok github.com/google/syzkaller/dashboard/app (cached) ok github.com/google/syzkaller/dashboard/dashapi (cached) ok github.com/google/syzkaller/executor 1.507s ok github.com/google/syzkaller/pkg/asset (cached) ok github.com/google/syzkaller/pkg/ast (cached) ok github.com/google/syzkaller/pkg/auth (cached) ok github.com/google/syzkaller/pkg/bisect (cached) ok github.com/google/syzkaller/pkg/bisect/minimize (cached) ok github.com/google/syzkaller/pkg/build (cached) ? github.com/google/syzkaller/pkg/clangtool [no test files] ok github.com/google/syzkaller/pkg/compiler (cached) ok github.com/google/syzkaller/pkg/config (cached) ok github.com/google/syzkaller/pkg/corpus (cached) ok github.com/google/syzkaller/pkg/cover (cached) ok github.com/google/syzkaller/pkg/cover/backend (cached) ok github.com/google/syzkaller/pkg/coveragedb (cached) ? github.com/google/syzkaller/pkg/coveragedb/mocks [no test files] ? github.com/google/syzkaller/pkg/coveragedb/spannerclient [no test files] ok github.com/google/syzkaller/pkg/covermerger (cached) ? 
github.com/google/syzkaller/pkg/covermerger/mocks [no test files] --- FAIL: TestGenerate (16.76s) --- FAIL: TestGenerate/linux/mips64le (2.98s) testutil.go:35: seed=1760967426831504227 --- FAIL: TestGenerate/linux/mips64le/single_syz_io_uring_complete (0.02s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: r0 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x5, 0x2000, 0xffffffffffffffff, 0x0) syz_io_uring_complete(r0) csource_test.go:149: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #ifndef __NR_mmap #define __NR_mmap 5009 #endif #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET 
+ cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } uint64_t r[1] = {0x0}; int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} res = syscall(__NR_mmap, /*addr=*/0x200000ffb000ul, /*len=*/0x4000ul, /*prot=PROT_READ|PROT_EXEC*/5ul, /*flags=MAP_DENYWRITE*/0x2000ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); if (res != -1) r[0] = res; syz_io_uring_complete(/*ring_ptr=*/r[0]); return 0; } compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor2068324057 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/mips64le/single_syz_io_uring_submit (0.02s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false 
Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: r0 = mmap$IORING_OFF_SQES(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x2000010, 0x0, 0xffffffffffffffff, 0x10000000) syz_io_uring_submit(0x0, r0, &(0x7f0000000040)=@IORING_OP_PROVIDE_BUFFERS={0x1f, 0x0, 0x0, 0x2892, 0x2, &(0x7f0000000000)="12bbf40aee92dc4e118d91496de46482f7db60602a99d18d90b75458fd4aacfece58644faa", 0x7, 0x0, 0x2, {0x1}}) csource_test.go:149: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #ifndef __NR_mmap #define __NR_mmap 5009 #endif #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_tail_next = *sq_tail_ptr + 1; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } uint64_t r[1] = {0x0}; int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, 
/*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} res = syscall(__NR_mmap, /*addr=*/0x200000ffb000ul, /*len=*/0x4000ul, /*prot=PROT_GROWSUP|PROT_SEM*/0x2000010ul, /*flags=*/0ul, /*fd=*/(intptr_t)-1, /*offset=*/0x10000000ul); if (res != -1) r[0] = res; *(uint8_t*)0x200000000040 = 0x1f; *(uint8_t*)0x200000000041 = 0; *(uint16_t*)0x200000000042 = 0; *(uint32_t*)0x200000000044 = 0x2892; *(uint64_t*)0x200000000048 = 2; *(uint64_t*)0x200000000050 = 0x200000000000; memcpy((void*)0x200000000000, "\x12\xbb\xf4\x0a\xee\x92\xdc\x4e\x11\x8d\x91\x49\x6d\xe4\x64\x82\xf7\xdb\x60\x60\x2a\x99\xd1\x8d\x90\xb7\x54\x58\xfd\x4a\xac\xfe\xce\x58\x64\x4f\xaa", 37); *(uint32_t*)0x200000000058 = 7; *(uint32_t*)0x20000000005c = 0; *(uint64_t*)0x200000000060 = 2; *(uint16_t*)0x200000000068 = 1; *(uint16_t*)0x20000000006a = 0; memset((void*)0x20000000006c, 0, 20); syz_io_uring_submit(/*ring_ptr=*/0, /*sqes_ptr=*/r[0], /*sqe=*/0x200000000040); return 0; } compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor3403398211 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/mips64le/single_syz_extract_tcp_res (0.03s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false 
NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: syz_extract_tcp_res(&(0x7f0000000000), 0x1, 0x4) csource_test.go:149: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #ifndef __NR_mmap #define __NR_mmap 5009 #endif int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} return 0; } compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor817145196 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/mips64le/single_syz_80211_inject_frame (0.03s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false 
DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: syz_80211_inject_frame(&(0x7f0000000000)=@device_b, &(0x7f0000000040)=@ctrl_frame=@ack={{}, {0x482}, @device_b}, 0xa) csource_test.go:149: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_mmap #define __NR_mmap 5009 #endif #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct 
nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00} #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50} #define WIFI_IBSS_SSID 
{ 0x10, 0x10, 0x10, 0x10, 0x10, 0x10} #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false); if (hwsim_family_id < 0) { close(sock); return -1; } int ret = 
hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} *(uint8_t*)0x200000000000 = 8; *(uint8_t*)0x200000000001 = 2; *(uint8_t*)0x200000000002 = 0x11; *(uint8_t*)0x200000000003 = 0; *(uint8_t*)0x200000000004 = 0; *(uint8_t*)0x200000000005 = 1; STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 1, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0xd, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 6); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 0x482, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); *(uint8_t*)0x200000000044 = 8; *(uint8_t*)0x200000000045 = 2; *(uint8_t*)0x200000000046 = 0x11; *(uint8_t*)0x200000000047 = 0; *(uint8_t*)0x200000000048 = 0; *(uint8_t*)0x200000000049 = 1; syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0xa); return 0; } compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor1844540265 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds 
-Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/mips64le/single_syz_io_uring_setup (0.03s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: r0 = prctl$auto_PR_SET_VMA_ANON_NAME(0x7, 0x0, 0x0, 0x40, 0x8) syz_io_uring_setup(0x733a, &(0x7f0000000000)={0x0, 0x82f1, 0x5d77677f038e5b0e, 0x3, 0xb4, 0x0, r0}, &(0x7f0000000080), &(0x7f00000000c0)) csource_test.go:149: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 5425 #endif #ifndef __NR_mmap #define __NR_mmap 5009 #endif #ifndef __NR_prctl #define __NR_prctl 5153 #endif #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t 
cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_ptr_out = (void**)a2; void** sqes_ptr_out = (void**)a3; setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128); uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES); uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array); for (uint32_t index = 0; index < entries; index++) array[index] = index; return fd_io_uring; } uint64_t r[1] = {0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} res = syscall(__NR_prctl, /*option=*/7, /*arg2=*/0ul, /*arg3=*/0, /*arg4=*/0x40ul, /*arg5=*/8ul); if (res != -1) r[0] = res; *(uint32_t*)0x200000000004 = 0x82f1; *(uint32_t*)0x200000000008 = 0x38e5b0e; *(uint32_t*)0x20000000000c = 3; *(uint32_t*)0x200000000010 = 0xb4; *(uint32_t*)0x200000000018 = r[0]; memset((void*)0x20000000001c, 0, 12); syz_io_uring_setup(/*entries=*/0x733a, /*params=*/0x200000000000, /*ring_ptr=*/0x200000000080, /*sqes_ptr=*/0x2000000000c0); return 0; } compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor2113409555 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds 
-Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/mips64le/single_syz_clone (0.03s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: syz_clone(0x18026000, &(0x7f0000000000)="ce90840bc74d00144c7d3eccb39924a5f692a25cadb328a246c7a30df81cf1886d6e3e205f49a5e6a67d856363cecf97b826edac62d2e43f4bdeea4fc14ae778b0c2f655fe77a740260f7751e37a804d9b42616bb2499c557ecb8757", 0x5c, &(0x7f0000000080), &(0x7f00000000c0), &(0x7f0000000100)="d6b5811dbcaafe1800a860661a3df409553f40c883d4cec5f171544ad50d0b99645c549cace5dead54bbc2efb18cec813c192c239cb17d1ce86920e3d19dc2bd53a5ceac91c13c0d07b2ab15efee4496bb598ed8b67b2c56bed02c67eca0af2ed91a897b115ef84eb1599c9f20651fe0e21931cbb8ac5c1841ae52391f213abe33f49b585bf5440adfd84bb1ca8dcf718e01b1bbff4f944ae7d4a56d230c683b7f4a3bafa7429e2b2a3893bdf55190") csource_test.go:149: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #ifndef __NR_clone #define __NR_clone 5055 #endif #ifndef __NR_exit #define __NR_exit 5058 #endif #ifndef __NR_mmap #define __NR_mmap 5009 #endif #define USLEEP_FORKED_CHILD (3 * 50 *1000) static long handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } } static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls) { long sp = (stack + 
stack_len) & ~15; long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); return handle_clone_ret(ret); } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} memcpy((void*)0x200000000000, "\xce\x90\x84\x0b\xc7\x4d\x00\x14\x4c\x7d\x3e\xcc\xb3\x99\x24\xa5\xf6\x92\xa2\x5c\xad\xb3\x28\xa2\x46\xc7\xa3\x0d\xf8\x1c\xf1\x88\x6d\x6e\x3e\x20\x5f\x49\xa5\xe6\xa6\x7d\x85\x63\x63\xce\xcf\x97\xb8\x26\xed\xac\x62\xd2\xe4\x3f\x4b\xde\xea\x4f\xc1\x4a\xe7\x78\xb0\xc2\xf6\x55\xfe\x77\xa7\x40\x26\x0f\x77\x51\xe3\x7a\x80\x4d\x9b\x42\x61\x6b\xb2\x49\x9c\x55\x7e\xcb\x87\x57", 92); memcpy((void*)0x200000000100, "\xd6\xb5\x81\x1d\xbc\xaa\xfe\x18\x00\xa8\x60\x66\x1a\x3d\xf4\x09\x55\x3f\x40\xc8\x83\xd4\xce\xc5\xf1\x71\x54\x4a\xd5\x0d\x0b\x99\x64\x5c\x54\x9c\xac\xe5\xde\xad\x54\xbb\xc2\xef\xb1\x8c\xec\x81\x3c\x19\x2c\x23\x9c\xb1\x7d\x1c\xe8\x69\x20\xe3\xd1\x9d\xc2\xbd\x53\xa5\xce\xac\x91\xc1\x3c\x0d\x07\xb2\xab\x15\xef\xee\x44\x96\xbb\x59\x8e\xd8\xb6\x7b\x2c\x56\xbe\xd0\x2c\x67\xec\xa0\xaf\x2e\xd9\x1a\x89\x7b\x11\x5e\xf8\x4e\xb1\x59\x9c\x9f\x20\x65\x1f\xe0\xe2\x19\x31\xcb\xb8\xac\x5c\x18\x41\xae\x52\x39\x1f\x21\x3a\xbe\x33\xf4\x9b\x58\x5b\xf5\x44\x0a\xdf\xd8\x4b\xb1\xca\x8d\xcf\x71\x8e\x01\xb1\xbb\xff\x4f\x94\x4a\xe7\xd4\xa5\x6d\x23\x0c\x68\x3b\x7f\x4a\x3b\xaf\xa7\x42\x9e\x2b\x2a\x38\x93\xbd\xf5\x51\x90", 175); 
syz_clone(/*flags=CLONE_NEWUSER|CLONE_NEWIPC|CLONE_NEWNS|CLONE_VFORK|0x2000*/0x18026000, /*stack=*/0x200000000000, /*stack_len=*/0x5c, /*parentid=*/0x200000000080, /*childtid=*/0x2000000000c0, /*tls=*/0x200000000100); return 0; } compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor2612577149 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/mips64le/single_syz_usb_control_io (0.04s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: r0 = syz_usb_connect$lan78xx(0x3, 0x3f, &(0x7f0000000000)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0x424, 0x7850, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d}}]}}, 0x0) syz_usb_control_io(r0, &(0x7f00000001c0)={0x2c, &(0x7f0000000040)={0x40, 0xe, 0x45, {0x45, 0x7, "60df28f7591ecf7b1ed4131426bd755fc2a54810c7748edc62252b443e1f62ba24203da01e4698b6c86bb62f32ddb501d8ff98fc3620161b3086c7cc8a289ae1e13be2"}}, &(0x7f00000000c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x455}}, &(0x7f0000000100)={0x0, 0xf, 0x38, {0x5, 0xf, 0x38, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x7d, 0x4, 0x10, 0x100, 0x4}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x1, 0x3, 0x1, 0x764}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x3, 0x40, 0x6, 0x6}, @ss_container_id={0x14, 0x10, 0x4, 0xdf, "d490c8e8daaa6f5ac328382da6012e46"}]}}, &(0x7f0000000140)={0x20, 0x29, 0xf, 
{0xf, 0x29, 0xb6, 0x3, 0x0, 0x9, "66cffb22", "923626e4"}}, &(0x7f0000000180)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x1, 0x1, 0xd, 0x81, 0x0, 0x9, 0x401}}}, &(0x7f0000000680)={0x84, &(0x7f0000000200)={0x20, 0x0, 0x81, "d0134de5875891ee10a4802b4deb9921c7d2713320c3a418c03c91a91392f6e6364f30362181801d0b518d412abb102e81f6c3d59c58ff6915a054c499d49d812d3b506e0fd3860df8472e1dc9e0c548e9074a90ebf6a27a00bc16386f49e6b5c4672d14f48a5b38e97ce2ac57870be891a3fc310f547f8a715829228629430b39"}, &(0x7f00000002c0)={0x0, 0xa, 0x1, 0x9}, &(0x7f0000000300)={0x0, 0x8, 0x1, 0x1}, &(0x7f0000000340)={0x20, 0x0, 0x4, {0x1}}, &(0x7f0000000380)={0x20, 0x0, 0x4, {0x1c00, 0x20}}, &(0x7f00000003c0)={0x40, 0x7, 0x2, 0x6e5}, &(0x7f0000000400)={0x40, 0x9, 0x1, 0xd2}, &(0x7f0000000440)={0x40, 0xb, 0x2, '#a'}, &(0x7f0000000480)={0x40, 0xf, 0x2, 0xfffe}, &(0x7f00000004c0)={0x40, 0x13, 0x6, @remote}, &(0x7f0000000500)={0x40, 0x17, 0x6, @random="a1b2b5c87466"}, &(0x7f0000000540)={0x40, 0x19, 0x2, "1673"}, &(0x7f0000000580)={0x40, 0x1a, 0x2, 0x6}, &(0x7f00000005c0)={0x40, 0x1c, 0x1, 0x5}, &(0x7f0000000600)={0x40, 0x1e, 0x1, 0x2}, &(0x7f0000000640)={0x40, 0x21, 0x1, 0x4}}) csource_test.go:149: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_mmap #define __NR_mmap 5009 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; 
struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	/* Position in ifaces[] of the interface whose endpoints are currently enabled; -1 if none. */
	int iface_cur;
};

/* One slot per emulated device: the raw-gadget fd and the parsed descriptor index. */
struct usb_info {
	int fd;
	struct usb_device_index index;
};

static struct usb_info usb_devices[USB_MAX_FDS];

/* Find the descriptor index registered for a raw-gadget fd; NULL if no slot holds it.
 * The acquire load pairs with the release store of `fd` in add_usb_index, so a slot is
 * only observed after its index has been fully parsed. */
static struct usb_device_index* lookup_usb_index(int fd)
{
	for (int i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
			return &usb_devices[i].index;
	}
	return NULL;
}

static int usb_devices_num;

/* Walk the program-supplied descriptor blob (device descriptor immediately followed by the
 * configuration descriptor and its interface/endpoint descriptors) and fill `index`.
 *
 * `index->dev`, `index->config` and every `ifaces[].iface` are pointers INTO `buffer`, not
 * copies, so the caller's buffer must outlive the index; only endpoint descriptors are copied.
 * Returns false only when `length` cannot hold a device plus a config descriptor. A blob that
 * stops early (bad bLength, truncation) still returns true with whatever was parsed so far. */
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	/* Everything after the device descriptor is later served as the GET_DESCRIPTOR(CONFIG) reply. */
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;
	size_t offset = 0;
	while (true) {
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		/* A bLength of 0 would never advance `offset`; anything that cannot hold a header
		 * plus payload ends the walk (it is not skipped). */
		if (desc_length <= 2)
			break;
		if (offset + desc_length > length)
			break;
		/* NOTE(review): the bound above is the descriptor's own bLength, but the field reads
		 * below (bInterfaceNumber/bAlternateSetting/bInterfaceClass) and the endpoint memcpy
		 * are sized by the kernel struct, so a descriptor declaring a bLength smaller than
		 * the struct can be read past its declared end, and past `length` when it is the last
		 * one in the blob. Harmless for the kernel under test, but an over-read in the
		 * executor; consider also requiring desc_length >= sizeof(the struct) here. */
		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			index->ifaces[index->ifaces_num].iface = iface;
			index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
			index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
			index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		/* Endpoints are attributed to the most recently seen interface. Endpoint descriptors
		 * that precede any interface, or exceed USB_MAX_EP_NUM per interface, are dropped;
		 * interfaces beyond USB_MAX_IFACE_NUM are dropped silently as well. */
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc));
iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = 
/* NOTE(review): unlike the USB_DT_STRING case above, the BOS and DEVICE_QUALIFIER cases
 * dereference `descs` without a NULL check. The connect descriptors are optional (the
 * generated main in this listing calls syz_usb_connect with conn_descs=0), so a host
 * GET_DESCRIPTOR for either type would crash the executor instead of stalling EP0.
 * Guard with `if (!descs) return false;` (or fall through to the synthesized qualifier). */
descs->bos;
					*response_length = descs->bos_len;
					return true;
				case USB_DT_DEVICE_QUALIFIER:
					if (!descs->qual) {
						/* Nothing supplied by the program: synthesize a qualifier from the
						 * device descriptor into the caller's `qual`, which must therefore
						 * stay alive until the response has been written. */
						qual->bLength = sizeof(*qual);
						qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
						qual->bcdUSB = index->dev->bcdUSB;
						qual->bDeviceClass = index->dev->bDeviceClass;
						qual->bDeviceSubClass = index->dev->bDeviceSubClass;
						qual->bDeviceProtocol = index->dev->bDeviceProtocol;
						qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
						qual->bNumConfigurations = index->dev->bNumConfigurations;
						qual->bRESERVED = 0;
						*response_data = (char*)qual;
						*response_length = sizeof(*qual);
						return true;
					}
					*response_data = descs->qual;
					*response_length = descs->qual_len;
					return true;
				default:
					break;
				}
				break;
			default:
				break;
			}
			break;
		default:
			break;
	}
	/* Any request not matched above is reported as unhandled; the caller stalls EP0. */
	return false;
}

/* Handler for host-to-device (OUT) control requests during enumeration. Sets *done when
 * enumeration should stop; returning false makes the caller stall EP0. */
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

/* Default OUT handler: accept only the standard SET_CONFIGURATION and finish enumeration on
 * it; every other OUT request is rejected. `fd` and `descs` are not used by this handler. */
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

/* Program-supplied reply tables for syz_usb_control_io. They mirror the program's in-memory
 * encoding byte for byte (a 4-byte length followed by 8-byte pointers at offset 4, see the
 * generated main below), hence packed: the compiler must not assume natural alignment. */
struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_descriptors {
	uint32_t len; /* total size of this table in bytes, header included */
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_responses {
	uint32_t len; /* total size of this table in bytes, header included */
	struct vusb_response* generic;
	struct vusb_response* resps[0];
} __attribute__((packed));

/* Pick the reply for a control request from the program-supplied tables: GET_DESCRIPTOR is
 * matched against `descs` by (request type, descriptor type), everything else against `resps`
 * by (request type, request), with each table's `generic` entry as fallback. Returns false
 * when nothing matches (the caller then stalls EP0).
 * NOTE(review): the entry counts are derived from the program-controlled `len` with unsigned
 * arithmetic and no lower bound, so a `len` smaller than the table header wraps to a huge
 * value (then truncated to int) and the loops can walk past the table. Executor robustness
 * only, but a `len < offsetof(...)` check would be cheap. */
static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	int descs_num = 0;
	int resps_num = 0;
	if (descs)
		descs_num = (descs->len
- offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 
name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, 
USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; for (int i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } static volatile long 
syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	/* Emulate a USB device through /dev/raw-gadget: register the descriptor blob, bind to
	 * dummy_udc.<procid>, then answer the host's control requests until the OUT handler
	 * reports `done` (for lookup_connect_response_out_generic that is SET_CONFIGURATION).
	 * Returns the raw-gadget fd on success, a negative value otherwise.
	 *
	 * NOTE(review): every error return after usb_raw_open() except the MAX_FDS check leaks
	 * `fd`, and the usb_devices slot consumed by add_usb_index is never released (it is
	 * consumed even when parsing fails), so after USB_MAX_FDS calls in total this function
	 * can no longer succeed. */
	if (!dev) {
		return -1;
	}
	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	/* Descriptors above MAX_FDS are refused outright. */
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}
	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		return -1;
	}
	/* "dummy_udc." (10 chars) + at most 20 decimal digits + NUL fits in 32 bytes. */
	char device[32];
	sprintf(&device[0], "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}
	bool done = false;
	while (!done) {
		struct usb_raw_control_event event;
		event.inner.type = 0;
		/* Payload capacity announced to the kernel: presumably just the setup packet a
		 * CONTROL event carries; no data stage is read during enumeration -- confirm. */
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0) {
			return rv;
		}
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;
		char* response_data = NULL;
		uint32_t response_length = 0;
		struct usb_qualifier_descriptor qual;
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			/* Unknown IN request: stall and keep serving. */
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
		} else {
			/* Accepted OUT requests are acknowledged by reading wLength bytes of data stage. */
			if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
			response_data = NULL;
			response_length = event.ctrl.wLength;
		}
		/* Bring the gadget up (vbus draw, configure, enable interface 0's endpoints) before
		 * the SET_CONFIGURATION status stage completes. */
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			rv = configure_device(fd);
			if (rv < 0) {
				return rv;
			}
		}
		struct usb_raw_ep_io_data response;
		response.inner.ep = 0;
		response.inner.flags = 0;
		/* Oversized replies are dropped to zero length (not truncated); never send more than
		 * the host asked for. */
		if (response_length > sizeof(response.data))
			response_length = 0;
		if (event.ctrl.wLength < response_length)
			response_length = event.ctrl.wLength;
		response.inner.length = response_length;
		if (response_data)
			memcpy(&response.data[0], response_data, response_length);
		else
			memset(&response.data[0], 0, response_length);
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			rv = usb_raw_ep0_write(fd, (struct
usb_raw_ep_io*)&response);
		} else {
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		}
		if (rv < 0) {
			return rv;
		}
	}
	/* Presumably lets the host-side driver finish probing before the program continues -- confirm. */
	sleep_ms(200);
	return fd;
}

/* Syscall-style entry point: a0 = speed, a1 = length of the descriptor blob at a2,
 * a3 = optional vusb_connect_descriptors (may be 0). Uses the generic OUT handler, so
 * enumeration ends at SET_CONFIGURATION. Returns the raw-gadget fd or a negative value. */
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

/* Service exactly one control request on an already connected device. a0 is the fd from
 * syz_usb_connect (if that call failed, the generated program passes -1 and the first ioctl
 * fails). IN requests with a data stage are answered from the program-supplied tables; OUT
 * requests and zero-length IN requests are accepted with a zeroed payload.
 * Returns 0 on success, a negative value otherwise. */
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;
	struct usb_raw_control_event event;
	event.inner.type = 0;
	/* Announced payload capacity; `event` holds ctrl plus data[USB_MAX_PACKET_SIZE], so it fits. */
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type != USB_RAW_EVENT_CONTROL) {
		return -1;
	}
	char* response_data = NULL;
	uint32_t response_length = 0;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		/* NOTE(review): with `||` this branch runs for every standard OUT request (not only
		 * SET_INTERFACE) and for any request whose bRequest happens to equal
		 * USB_REQ_SET_INTERFACE regardless of its type; wIndex/wValue are then interpreted as
		 * interface number / alternate setting. If only SET_INTERFACE is meant, this should
		 * be `&&` -- confirm against the intended behaviour. Unknown interfaces are ignored. */
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index < 0) {
			} else {
				set_interface(fd, iface_index);
			}
		}
		response_length = event.ctrl.wLength;
	}
	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	/* Oversized replies are dropped to zero length (not truncated); never exceed wLength. */
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	/* Zero-length IN: the code below issues an ep0_read for a full packet instead of a write. */
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SIZE;
} response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } uint64_t r[1] = {0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} *(uint8_t*)0x200000000000 = 0x12; *(uint8_t*)0x200000000001 = 1; *(uint16_t*)0x200000000002 = 0x200; *(uint8_t*)0x200000000004 = -1; *(uint8_t*)0x200000000005 = -1; *(uint8_t*)0x200000000006 = -1; *(uint8_t*)0x200000000007 = 0x40; *(uint16_t*)0x200000000008 = 0x424; *(uint16_t*)0x20000000000a = 0x7850; *(uint16_t*)0x20000000000c = 0; *(uint8_t*)0x20000000000e = 1; *(uint8_t*)0x20000000000f = 2; *(uint8_t*)0x200000000010 = 3; *(uint8_t*)0x200000000011 = 1; *(uint8_t*)0x200000000012 = 9; *(uint8_t*)0x200000000013 = 2; *(uint16_t*)0x200000000014 = 0x2d; *(uint8_t*)0x200000000016 = 1; *(uint8_t*)0x200000000017 = 1; *(uint8_t*)0x200000000018 = 0; *(uint8_t*)0x200000000019 = 0x80; *(uint8_t*)0x20000000001a = 0xfa; *(uint8_t*)0x20000000001b = 9; *(uint8_t*)0x20000000001c = 4; *(uint8_t*)0x20000000001d = 0; *(uint8_t*)0x20000000001e = 0; *(uint8_t*)0x20000000001f = 
3; *(uint8_t*)0x200000000020 = -1; *(uint8_t*)0x200000000021 = 0; *(uint8_t*)0x200000000022 = 0; *(uint8_t*)0x200000000023 = 0; *(uint8_t*)0x200000000024 = 9; *(uint8_t*)0x200000000025 = 5; *(uint8_t*)0x200000000026 = 0x81; *(uint8_t*)0x200000000027 = 2; *(uint16_t*)0x200000000028 = 0x200; *(uint8_t*)0x20000000002a = 0; *(uint8_t*)0x20000000002b = 0; *(uint8_t*)0x20000000002c = 0; *(uint8_t*)0x20000000002d = 9; *(uint8_t*)0x20000000002e = 5; *(uint8_t*)0x20000000002f = 2; *(uint8_t*)0x200000000030 = 2; *(uint16_t*)0x200000000031 = 0x200; *(uint8_t*)0x200000000033 = 0; *(uint8_t*)0x200000000034 = 0; *(uint8_t*)0x200000000035 = 0; *(uint8_t*)0x200000000036 = 9; *(uint8_t*)0x200000000037 = 5; *(uint8_t*)0x200000000038 = 0x83; *(uint8_t*)0x200000000039 = 3; *(uint16_t*)0x20000000003a = 0x40; *(uint8_t*)0x20000000003c = 1; *(uint8_t*)0x20000000003d = 0; *(uint8_t*)0x20000000003e = 0; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_HIGH*/3, /*dev_len=*/0x3f, /*dev=*/0x200000000000, /*conn_descs=*/0); if (res != -1) r[0] = res; *(uint32_t*)0x2000000001c0 = 0x2c; *(uint64_t*)0x2000000001c4 = 0x200000000040; *(uint8_t*)0x200000000040 = 0x40; *(uint8_t*)0x200000000041 = 0xe; *(uint32_t*)0x200000000042 = 0x45; *(uint8_t*)0x200000000046 = 0x45; *(uint8_t*)0x200000000047 = 7; memcpy((void*)0x200000000048, "\x60\xdf\x28\xf7\x59\x1e\xcf\x7b\x1e\xd4\x13\x14\x26\xbd\x75\x5f\xc2\xa5\x48\x10\xc7\x74\x8e\xdc\x62\x25\x2b\x44\x3e\x1f\x62\xba\x24\x20\x3d\xa0\x1e\x46\x98\xb6\xc8\x6b\xb6\x2f\x32\xdd\xb5\x01\xd8\xff\x98\xfc\x36\x20\x16\x1b\x30\x86\xc7\xcc\x8a\x28\x9a\xe1\xe1\x3b\xe2", 67); *(uint64_t*)0x2000000001cc = 0x2000000000c0; *(uint8_t*)0x2000000000c0 = 0; *(uint8_t*)0x2000000000c1 = 3; *(uint32_t*)0x2000000000c2 = 4; *(uint8_t*)0x2000000000c6 = 4; *(uint8_t*)0x2000000000c7 = 3; *(uint16_t*)0x2000000000c8 = 0x455; *(uint64_t*)0x2000000001d4 = 0x200000000100; *(uint8_t*)0x200000000100 = 0; *(uint8_t*)0x200000000101 = 0xf; *(uint32_t*)0x200000000102 = 0x38; *(uint8_t*)0x200000000106 
= 5; *(uint8_t*)0x200000000107 = 0xf; *(uint16_t*)0x200000000108 = 0x38; *(uint8_t*)0x20000000010a = 4; *(uint8_t*)0x20000000010b = 0xb; *(uint8_t*)0x20000000010c = 0x10; *(uint8_t*)0x20000000010d = 1; *(uint8_t*)0x20000000010e = 0xc; *(uint16_t*)0x20000000010f = 0x7d; *(uint8_t*)0x200000000111 = 4; *(uint8_t*)0x200000000112 = 0x10; *(uint16_t*)0x200000000113 = 0x100; *(uint8_t*)0x200000000115 = 4; *(uint8_t*)0x200000000116 = 0xa; *(uint8_t*)0x200000000117 = 0x10; *(uint8_t*)0x200000000118 = 3; *(uint8_t*)0x200000000119 = 0; *(uint16_t*)0x20000000011a = 1; *(uint8_t*)0x20000000011c = 3; *(uint8_t*)0x20000000011d = 1; *(uint16_t*)0x20000000011e = 0x764; *(uint8_t*)0x200000000120 = 0xa; *(uint8_t*)0x200000000121 = 0x10; *(uint8_t*)0x200000000122 = 3; *(uint8_t*)0x200000000123 = 2; *(uint16_t*)0x200000000124 = 3; *(uint8_t*)0x200000000126 = 0x40; *(uint8_t*)0x200000000127 = 6; *(uint16_t*)0x200000000128 = 6; *(uint8_t*)0x20000000012a = 0x14; *(uint8_t*)0x20000000012b = 0x10; *(uint8_t*)0x20000000012c = 4; *(uint8_t*)0x20000000012d = 0xdf; memcpy((void*)0x20000000012e, "\xd4\x90\xc8\xe8\xda\xaa\x6f\x5a\xc3\x28\x38\x2d\xa6\x01\x2e\x46", 16); *(uint64_t*)0x2000000001dc = 0x200000000140; *(uint8_t*)0x200000000140 = 0x20; *(uint8_t*)0x200000000141 = 0x29; *(uint32_t*)0x200000000142 = 0xf; *(uint8_t*)0x200000000146 = 0xf; *(uint8_t*)0x200000000147 = 0x29; *(uint8_t*)0x200000000148 = 0xb6; *(uint16_t*)0x200000000149 = 3; *(uint8_t*)0x20000000014b = 0; *(uint8_t*)0x20000000014c = 9; memcpy((void*)0x20000000014d, "\x66\xcf\xfb\x22", 4); memcpy((void*)0x200000000151, "\x92\x36\x26\xe4", 4); *(uint64_t*)0x2000000001e4 = 0x200000000180; *(uint8_t*)0x200000000180 = 0x20; *(uint8_t*)0x200000000181 = 0x2a; *(uint32_t*)0x200000000182 = 0xc; *(uint8_t*)0x200000000186 = 0xc; *(uint8_t*)0x200000000187 = 0x2a; *(uint8_t*)0x200000000188 = 1; *(uint16_t*)0x200000000189 = 1; *(uint8_t*)0x20000000018b = 0xd; *(uint8_t*)0x20000000018c = 0x81; *(uint8_t*)0x20000000018d = 0; 
*(uint16_t*)0x20000000018e = 9; *(uint16_t*)0x200000000190 = 0x401; *(uint32_t*)0x200000000680 = 0x84; *(uint64_t*)0x200000000684 = 0x200000000200; *(uint8_t*)0x200000000200 = 0x20; *(uint8_t*)0x200000000201 = 0; *(uint32_t*)0x200000000202 = 0x81; memcpy((void*)0x200000000206, "\xd0\x13\x4d\xe5\x87\x58\x91\xee\x10\xa4\x80\x2b\x4d\xeb\x99\x21\xc7\xd2\x71\x33\x20\xc3\xa4\x18\xc0\x3c\x91\xa9\x13\x92\xf6\xe6\x36\x4f\x30\x36\x21\x81\x80\x1d\x0b\x51\x8d\x41\x2a\xbb\x10\x2e\x81\xf6\xc3\xd5\x9c\x58\xff\x69\x15\xa0\x54\xc4\x99\xd4\x9d\x81\x2d\x3b\x50\x6e\x0f\xd3\x86\x0d\xf8\x47\x2e\x1d\xc9\xe0\xc5\x48\xe9\x07\x4a\x90\xeb\xf6\xa2\x7a\x00\xbc\x16\x38\x6f\x49\xe6\xb5\xc4\x67\x2d\x14\xf4\x8a\x5b\x38\xe9\x7c\xe2\xac\x57\x87\x0b\xe8\x91\xa3\xfc\x31\x0f\x54\x7f\x8a\x71\x58\x29\x22\x86\x29\x43\x0b\x39", 129); *(uint64_t*)0x20000000068c = 0x2000000002c0; *(uint8_t*)0x2000000002c0 = 0; *(uint8_t*)0x2000000002c1 = 0xa; *(uint32_t*)0x2000000002c2 = 1; *(uint8_t*)0x2000000002c6 = 9; *(uint64_t*)0x200000000694 = 0x200000000300; *(uint8_t*)0x200000000300 = 0; *(uint8_t*)0x200000000301 = 8; *(uint32_t*)0x200000000302 = 1; *(uint8_t*)0x200000000306 = 1; *(uint64_t*)0x20000000069c = 0x200000000340; *(uint8_t*)0x200000000340 = 0x20; *(uint8_t*)0x200000000341 = 0; *(uint32_t*)0x200000000342 = 4; *(uint16_t*)0x200000000346 = 1; *(uint16_t*)0x200000000348 = 0; *(uint64_t*)0x2000000006a4 = 0x200000000380; *(uint8_t*)0x200000000380 = 0x20; *(uint8_t*)0x200000000381 = 0; *(uint32_t*)0x200000000382 = 4; *(uint16_t*)0x200000000386 = 0x1c00; *(uint16_t*)0x200000000388 = 0x20; *(uint64_t*)0x2000000006ac = 0x2000000003c0; *(uint8_t*)0x2000000003c0 = 0x40; *(uint8_t*)0x2000000003c1 = 7; *(uint32_t*)0x2000000003c2 = 2; *(uint16_t*)0x2000000003c6 = 0x6e5; *(uint64_t*)0x2000000006b4 = 0x200000000400; *(uint8_t*)0x200000000400 = 0x40; *(uint8_t*)0x200000000401 = 9; *(uint32_t*)0x200000000402 = 1; *(uint8_t*)0x200000000406 = 0xd2; *(uint64_t*)0x2000000006bc = 0x200000000440; *(uint8_t*)0x200000000440 = 0x40; 
*(uint8_t*)0x200000000441 = 0xb; *(uint32_t*)0x200000000442 = 2; memcpy((void*)0x200000000446, "#a", 2); *(uint64_t*)0x2000000006c4 = 0x200000000480; *(uint8_t*)0x200000000480 = 0x40; *(uint8_t*)0x200000000481 = 0xf; *(uint32_t*)0x200000000482 = 2; *(uint16_t*)0x200000000486 = 0xfffe; *(uint64_t*)0x2000000006cc = 0x2000000004c0; *(uint8_t*)0x2000000004c0 = 0x40; *(uint8_t*)0x2000000004c1 = 0x13; *(uint32_t*)0x2000000004c2 = 6; memset((void*)0x2000000004c6, 170, 5); *(uint8_t*)0x2000000004cb = 0xbb; *(uint64_t*)0x2000000006d4 = 0x200000000500; *(uint8_t*)0x200000000500 = 0x40; *(uint8_t*)0x200000000501 = 0x17; *(uint32_t*)0x200000000502 = 6; memcpy((void*)0x200000000506, "\xa1\xb2\xb5\xc8\x74\x66", 6); *(uint64_t*)0x2000000006dc = 0x200000000540; *(uint8_t*)0x200000000540 = 0x40; *(uint8_t*)0x200000000541 = 0x19; *(uint32_t*)0x200000000542 = 2; memcpy((void*)0x200000000546, "\x16\x73", 2); *(uint64_t*)0x2000000006e4 = 0x200000000580; *(uint8_t*)0x200000000580 = 0x40; *(uint8_t*)0x200000000581 = 0x1a; *(uint32_t*)0x200000000582 = 2; *(uint16_t*)0x200000000586 = 6; *(uint64_t*)0x2000000006ec = 0x2000000005c0; *(uint8_t*)0x2000000005c0 = 0x40; *(uint8_t*)0x2000000005c1 = 0x1c; *(uint32_t*)0x2000000005c2 = 1; *(uint8_t*)0x2000000005c6 = 5; *(uint64_t*)0x2000000006f4 = 0x200000000600; *(uint8_t*)0x200000000600 = 0x40; *(uint8_t*)0x200000000601 = 0x1e; *(uint32_t*)0x200000000602 = 1; *(uint8_t*)0x200000000606 = 2; *(uint64_t*)0x2000000006fc = 0x200000000640; *(uint8_t*)0x200000000640 = 0x40; *(uint8_t*)0x200000000641 = 0x21; *(uint32_t*)0x200000000642 = 1; *(uint8_t*)0x200000000646 = 4; syz_usb_control_io(/*fd=*/r[0], /*descs=*/0x2000000001c0, /*resps=*/0x200000000680); return 0; } compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor2642456387 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow 
-Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/mips64le/single_syz_genetlink_get_family_id (0.04s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: r0 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$SEG6(&(0x7f0000000000), r0) csource_test.go:149: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_mmap #define __NR_mmap 5009 #endif #ifndef __NR_socket #define __NR_socket 5040 #endif struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t 
reply_type, int* reply_len, bool dofail)
{
	/* Send the message built in `nlmsg` and read one reply back into the same buffer.
	 * Returns 0 for NLMSG_DONE or for a reply of `reply_type` (its length stored in
	 * *reply_len); for an NLMSG_ERROR the negated error (0 for a plain ack); -1 with errno
	 * set on socket or framing failures. With `dofail`, failures exit(1) instead.
	 * NOTE(review): this overflow check runs after netlink_attr has already written past the
	 * buffer; it detects the overrun rather than preventing it. */
	if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
		exit(1);
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
	struct sockaddr_nl addr;
	memset(&addr, 0, sizeof(addr));
	addr.nl_family = AF_NETLINK;
	ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr));
	if (n != (ssize_t)hdr->nlmsg_len) {
		if (dofail)
			exit(1);
		return -1;
	}
	/* The reply overwrites the request; from here on `hdr` is the reply header. */
	n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	if (reply_len)
		*reply_len = 0;
	if (n < 0) {
		if (dofail)
			exit(1);
		return -1;
	}
	if (n < (ssize_t)sizeof(struct nlmsghdr)) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type == NLMSG_DONE)
		return 0;
	if (reply_len && hdr->nlmsg_type == reply_type) {
		*reply_len = n;
		return 0;
	}
	if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type != NLMSG_ERROR) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	errno = -((struct nlmsgerr*)(hdr + 1))->error;
	return -errno;
}

/* Resolve a generic-netlink family name to its numeric id via CTRL_CMD_GETFAMILY.
 * Returns the id or -1 with errno set. The request is built with NLM_F_ACK (see
 * netlink_init), so a second recv drains the ack that follows the family reply.
 * NOTE(review): the attribute walk trusts the kernel reply: nla_len is not checked to keep
 * the attribute and its 2-byte payload within `n`, and NLMSG_ALIGN(0) is 0, so a zero
 * nla_len would never advance `attr`. Fine for a well-formed kernel, but not defensive. */
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = CTRL_CMD_GETFAMILY;
	netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
	/* Copy at most GENL_NAMSIZ bytes of the name (the terminator is included when it fits). */
	netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1);
	int n = 0;
	int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
	if (err < 0) {
		return -1;
	}
	uint16_t id = 0;
	struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
	for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
			id = *(uint16_t*)(attr + 1);
			break;
		}
	}
	/* A plain ack (n == 0) and a reply without CTRL_ATTR_FAMILY_ID both end up here. */
	if (!id) {
		errno = EINVAL;
		return -1;
	}
	recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	return id;
}

static long
syz_genetlink_get_family_id(volatile long name, volatile long sock_arg) { int fd = sock_arg; if (fd < 0) { fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } } struct nlmsg nlmsg_tmp; int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false); if ((int)sock_arg < 0) close(fd); if (ret < 0) { return -1; } return ret; } uint64_t r[1] = {0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0x10); if (res != -1) r[0] = res; memcpy((void*)0x200000000000, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x200000000000, /*fd=*/r[0]); return 0; } compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor334841720 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/mips64le/single_syz_usb_ep_read (0.04s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false 
DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: r0 = syz_usb_connect$cdc_ncm(0x5, 0x7e, &(0x7f0000000000)={{0x12, 0x1, 0x300, 0x2, 0x0, 0x0, 0xff, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6c, 0x2, 0x1, 0x0, 0x10, 0x2, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x5}, {0x5, 0x24, 0x0, 0xe}, {0xd, 0x24, 0xf, 0x1, 0xffffffff, 0xd, 0x0, 0x5}, {0x6, 0x24, 0x1a, 0x2, 0xa}, [@acm={0x4}, @call_mgmt={0x5, 0x24, 0x1, 0x2, 0x4}, @dmm={0x7, 0x24, 0x14, 0xc3b, 0x5}]}, {{0x9, 0x5, 0x81, 0x3, 0x3ff, 0x8b, 0x0, 0x4}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x8, 0x5, 0x6, 0xfe}}, {{0x9, 0x5, 0x3, 0x2, 0x200, 0x8, 0x6, 0xc}}}}}}}]}}, &(0x7f0000000600)={0xa, &(0x7f0000000080)={0xa, 0x6, 0x310, 0x62, 0xf0, 0x4, 0x20, 0x9}, 0x94, &(0x7f00000000c0)={0x5, 0xf, 0x94, 0x6, [@ss_container_id={0x14, 0x10, 0x4, 0x9, "b50811da6f1341e6b689e3db9f07577d"}, @ssp_cap={0x14, 0x10, 0xa, 0x10, 0x2, 0x0, 0x0, 0x4, [0x30, 0x0]}, @ssp_cap={0x24, 0x10, 0xa, 0x10, 0x6, 0x2, 0xf, 0x8, [0x3fc0, 0x3fcf, 0x0, 0xbe00, 0xf, 0xc011]}, @ptm_cap={0x3}, @ssp_cap={0x20, 0x10, 0xa, 0x40, 0x5, 0xff, 0xff1e, 0xbc1, [0x600f, 0xc000, 0xff3f3f, 0x30, 0x30]}, @ssp_cap={0x20, 0x10, 0xa, 0x66, 0x5, 0x8, 0xf, 0xfffa, [0xc0, 0xff000f, 0xff5faf, 0xc000, 0x3fc0]}]}, 0xa, [{0xf0, &(0x7f0000000180)=@string={0xf0, 0x3, 
"74296990523e238a08d329bd701d4292ae575e82c186225839e118c05d32a15312b60a485ad7c74b506e6b907b1ff9049a8c1ea04aa61cfc571f5bf4a677d4f5da5466405b2c353797dd47dd1ccf790cdf15b7b7d126ab2d5a10a27f4c79556d3ab151841b16ab3498193770b4c3a8ba0169c4b37e0d82e0d13bd0de5c94a1518716c6b6a4977537e2456623c13bfd211fa457580d82f10e28f712b4c5b3fd230ec14744d09060f53dd14b226a80cc775b48331d7b521c5a21488796e28909a5c7008be6351a96e3cc30cb55ccba31af7a8e50bd98bd337e4bb048f549fe637b0a5b5841a1b0b36f256e5184b338"}}, {0x73, &(0x7f0000000280)=@string={0x73, 0x3, "768ad23923001ba0d6ad83c811cfdfee860354e74ac6abbafa64227bd92157905a2d5c3d409108948ba8e2f06e1c95888ed7ecb94969e83dc5d9837df1616643b3c8b8e5e45581eb426b609cd11845e2e29774124d108285274120ea46de5bb8e9b01494ca78b8477e3be542d1968d6b17"}}, {0x11, &(0x7f0000000300)=@string={0x11, 0x3, "8f0486772dd885bd6a28134a625b45"}}, {0xf2, &(0x7f0000000340)=@string={0xf2, 0x3, "73378e52efe432718bc5c4d8b931084c3eba0aadb561af4d7e213b6c820b7f8db7ab8347008d304367047576e4c61f9f22803d2771d0a9e050f746e295f7d56c324c1c0b81510d6ed54b63e2a308264857eef8ff86bf009b338ccf19b0b3351b9a9e81d3e40ffdc24e73fe9ea763e06a3fcf9c231904a25913a9640d4d133a0b4d6246bf76dd4d74fbd4d5cfe91fe4efaef41ae4450e583b0b1cf9be2245a87e03c822427e373afcda0d2050154db6de40ada8660a76b85c05efd61ac9779a1cfdc5d23eb2a48814a138e3a7261518ed8954f34ca02097f1b91d72d877337bef8dadd330b0ba08c5483bef371fd34be1"}}, {0x4, &(0x7f0000000440)=@lang_id={0x4, 0x3, 0x3c01}}, {0x4, &(0x7f0000000480)=@lang_id={0x4, 0x3, 0x416}}, {0x4, &(0x7f00000004c0)=@lang_id={0x4, 0x3, 0x827}}, {0x69, &(0x7f0000000500)=@string={0x69, 0x3, "7ad9d020335ba5392391f23df76aef57875689715112d56ce1d411516440e432dea290b5158dd94d71a31ae8c66bd47bfc54dfa3e7fa392a21a33ed7c21f6ff99395ab81fb656b0ef2162e100ddde610c5c683bad2215459e5c27443f727b38299500ed5c752d7"}}, {0x4, &(0x7f0000000580)=@lang_id={0x4, 0x3, 0x430}}, {0x4, &(0x7f00000005c0)=@lang_id={0x4}}]}) syz_usb_ep_read(r0, 0xe, 0xf0, &(0x7f00000006c0)=""/240) csource_test.go:149: failed to build program: // 
autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_mmap #define __NR_mmap 5009 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; 
index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct 
vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool 
lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct 
usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; if (index->iface_cur < 0) return -1; for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) 
return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct 
usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { 
return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } uint64_t r[1] = {0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} *(uint8_t*)0x200000000000 = 0x12; *(uint8_t*)0x200000000001 = 1; *(uint16_t*)0x200000000002 = 0x300; *(uint8_t*)0x200000000004 = 2; *(uint8_t*)0x200000000005 = 0; *(uint8_t*)0x200000000006 = 0; *(uint8_t*)0x200000000007 = -1; *(uint16_t*)0x200000000008 = 0x525; *(uint16_t*)0x20000000000a = 0xa4a1; *(uint16_t*)0x20000000000c = 0x40; *(uint8_t*)0x20000000000e = 1; *(uint8_t*)0x20000000000f = 2; *(uint8_t*)0x200000000010 = 3; *(uint8_t*)0x200000000011 = 1; *(uint8_t*)0x200000000012 = 9; *(uint8_t*)0x200000000013 = 2; *(uint16_t*)0x200000000014 = 0x6c; *(uint8_t*)0x200000000016 = 2; *(uint8_t*)0x200000000017 = 1; *(uint8_t*)0x200000000018 = 0; *(uint8_t*)0x200000000019 = 0x10; *(uint8_t*)0x20000000001a = 2; *(uint8_t*)0x20000000001b = 9; *(uint8_t*)0x20000000001c = 4; *(uint8_t*)0x20000000001d = 0; *(uint8_t*)0x20000000001e = 0; *(uint8_t*)0x20000000001f = 1; *(uint8_t*)0x200000000020 = 2; *(uint8_t*)0x200000000021 = 0xd; 
*(uint8_t*)0x200000000022 = 0; *(uint8_t*)0x200000000023 = 0; *(uint8_t*)0x200000000024 = 5; *(uint8_t*)0x200000000025 = 0x24; *(uint8_t*)0x200000000026 = 6; *(uint8_t*)0x200000000027 = 0; *(uint8_t*)0x200000000028 = 1; *(uint8_t*)0x200000000029 = 5; *(uint8_t*)0x20000000002a = 0x24; *(uint8_t*)0x20000000002b = 0; *(uint16_t*)0x20000000002c = 0xe; *(uint8_t*)0x20000000002e = 0xd; *(uint8_t*)0x20000000002f = 0x24; *(uint8_t*)0x200000000030 = 0xf; *(uint8_t*)0x200000000031 = 1; *(uint32_t*)0x200000000032 = -1; *(uint16_t*)0x200000000036 = 0xd; *(uint16_t*)0x200000000038 = 0; *(uint8_t*)0x20000000003a = 5; *(uint8_t*)0x20000000003b = 6; *(uint8_t*)0x20000000003c = 0x24; *(uint8_t*)0x20000000003d = 0x1a; *(uint16_t*)0x20000000003e = 2; *(uint8_t*)0x200000000040 = 0xa; *(uint8_t*)0x200000000041 = 4; *(uint8_t*)0x200000000042 = 0x24; *(uint8_t*)0x200000000043 = 2; *(uint8_t*)0x200000000044 = 0; *(uint8_t*)0x200000000045 = 5; *(uint8_t*)0x200000000046 = 0x24; *(uint8_t*)0x200000000047 = 1; *(uint8_t*)0x200000000048 = 2; *(uint8_t*)0x200000000049 = 4; *(uint8_t*)0x20000000004a = 7; *(uint8_t*)0x20000000004b = 0x24; *(uint8_t*)0x20000000004c = 0x14; *(uint16_t*)0x20000000004d = 0xc3b; *(uint16_t*)0x20000000004f = 5; *(uint8_t*)0x200000000051 = 9; *(uint8_t*)0x200000000052 = 5; *(uint8_t*)0x200000000053 = 0x81; *(uint8_t*)0x200000000054 = 3; *(uint16_t*)0x200000000055 = 0x3ff; *(uint8_t*)0x200000000057 = 0x8b; *(uint8_t*)0x200000000058 = 0; *(uint8_t*)0x200000000059 = 4; *(uint8_t*)0x20000000005a = 9; *(uint8_t*)0x20000000005b = 4; *(uint8_t*)0x20000000005c = 1; *(uint8_t*)0x20000000005d = 0; *(uint8_t*)0x20000000005e = 0; *(uint8_t*)0x20000000005f = 2; *(uint8_t*)0x200000000060 = 0xd; *(uint8_t*)0x200000000061 = 0; *(uint8_t*)0x200000000062 = 0; *(uint8_t*)0x200000000063 = 9; *(uint8_t*)0x200000000064 = 4; *(uint8_t*)0x200000000065 = 1; *(uint8_t*)0x200000000066 = 1; *(uint8_t*)0x200000000067 = 2; *(uint8_t*)0x200000000068 = 2; *(uint8_t*)0x200000000069 = 0xd; 
*(uint8_t*)0x20000000006a = 0; *(uint8_t*)0x20000000006b = 0; *(uint8_t*)0x20000000006c = 9; *(uint8_t*)0x20000000006d = 5; *(uint8_t*)0x20000000006e = 0x82; *(uint8_t*)0x20000000006f = 2; *(uint16_t*)0x200000000070 = 8; *(uint8_t*)0x200000000072 = 5; *(uint8_t*)0x200000000073 = 6; *(uint8_t*)0x200000000074 = 0xfe; *(uint8_t*)0x200000000075 = 9; *(uint8_t*)0x200000000076 = 5; *(uint8_t*)0x200000000077 = 3; *(uint8_t*)0x200000000078 = 2; *(uint16_t*)0x200000000079 = 0x200; *(uint8_t*)0x20000000007b = 8; *(uint8_t*)0x20000000007c = 6; *(uint8_t*)0x20000000007d = 0xc; *(uint32_t*)0x200000000600 = 0xa; *(uint64_t*)0x200000000604 = 0x200000000080; *(uint8_t*)0x200000000080 = 0xa; *(uint8_t*)0x200000000081 = 6; *(uint16_t*)0x200000000082 = 0x310; *(uint8_t*)0x200000000084 = 0x62; *(uint8_t*)0x200000000085 = 0xf0; *(uint8_t*)0x200000000086 = 4; *(uint8_t*)0x200000000087 = 0x20; *(uint8_t*)0x200000000088 = 9; *(uint8_t*)0x200000000089 = 0; *(uint32_t*)0x20000000060c = 0x94; *(uint64_t*)0x200000000610 = 0x2000000000c0; *(uint8_t*)0x2000000000c0 = 5; *(uint8_t*)0x2000000000c1 = 0xf; *(uint16_t*)0x2000000000c2 = 0x94; *(uint8_t*)0x2000000000c4 = 6; *(uint8_t*)0x2000000000c5 = 0x14; *(uint8_t*)0x2000000000c6 = 0x10; *(uint8_t*)0x2000000000c7 = 4; *(uint8_t*)0x2000000000c8 = 9; memcpy((void*)0x2000000000c9, "\xb5\x08\x11\xda\x6f\x13\x41\xe6\xb6\x89\xe3\xdb\x9f\x07\x57\x7d", 16); *(uint8_t*)0x2000000000d9 = 0x14; *(uint8_t*)0x2000000000da = 0x10; *(uint8_t*)0x2000000000db = 0xa; *(uint8_t*)0x2000000000dc = 0x10; STORE_BY_BITMASK(uint32_t, , 0x2000000000dd, 2, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000000dd, 0, 5, 27); *(uint16_t*)0x2000000000e1 = 0; *(uint16_t*)0x2000000000e3 = 4; *(uint32_t*)0x2000000000e5 = 0x30; *(uint32_t*)0x2000000000e9 = 0; *(uint8_t*)0x2000000000ed = 0x24; *(uint8_t*)0x2000000000ee = 0x10; *(uint8_t*)0x2000000000ef = 0xa; *(uint8_t*)0x2000000000f0 = 0x10; STORE_BY_BITMASK(uint32_t, , 0x2000000000f1, 6, 0, 5); STORE_BY_BITMASK(uint32_t, , 
0x2000000000f1, 2, 5, 27); *(uint16_t*)0x2000000000f5 = 0xf; *(uint16_t*)0x2000000000f7 = 8; *(uint32_t*)0x2000000000f9 = 0x3fc0; *(uint32_t*)0x2000000000fd = 0x3fcf; *(uint32_t*)0x200000000101 = 0; *(uint32_t*)0x200000000105 = 0xbe00; *(uint32_t*)0x200000000109 = 0xf; *(uint32_t*)0x20000000010d = 0xc011; *(uint8_t*)0x200000000111 = 3; *(uint8_t*)0x200000000112 = 0x10; *(uint8_t*)0x200000000113 = 0xb; *(uint8_t*)0x200000000114 = 0x20; *(uint8_t*)0x200000000115 = 0x10; *(uint8_t*)0x200000000116 = 0xa; *(uint8_t*)0x200000000117 = 0x40; STORE_BY_BITMASK(uint32_t, , 0x200000000118, 5, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200000000118, 0xff, 5, 27); *(uint16_t*)0x20000000011c = 0xff1e; *(uint16_t*)0x20000000011e = 0xbc1; *(uint32_t*)0x200000000120 = 0x600f; *(uint32_t*)0x200000000124 = 0xc000; *(uint32_t*)0x200000000128 = 0xff3f3f; *(uint32_t*)0x20000000012c = 0x30; *(uint32_t*)0x200000000130 = 0x30; *(uint8_t*)0x200000000134 = 0x20; *(uint8_t*)0x200000000135 = 0x10; *(uint8_t*)0x200000000136 = 0xa; *(uint8_t*)0x200000000137 = 0x66; STORE_BY_BITMASK(uint32_t, , 0x200000000138, 5, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200000000138, 8, 5, 27); *(uint16_t*)0x20000000013c = 0xf; *(uint16_t*)0x20000000013e = 0xfffa; *(uint32_t*)0x200000000140 = 0xc0; *(uint32_t*)0x200000000144 = 0xff000f; *(uint32_t*)0x200000000148 = 0xff5faf; *(uint32_t*)0x20000000014c = 0xc000; *(uint32_t*)0x200000000150 = 0x3fc0; *(uint32_t*)0x200000000618 = 0xa; *(uint32_t*)0x20000000061c = 0xf0; *(uint64_t*)0x200000000620 = 0x200000000180; *(uint8_t*)0x200000000180 = 0xf0; *(uint8_t*)0x200000000181 = 3; memcpy((void*)0x200000000182, 
"\x74\x29\x69\x90\x52\x3e\x23\x8a\x08\xd3\x29\xbd\x70\x1d\x42\x92\xae\x57\x5e\x82\xc1\x86\x22\x58\x39\xe1\x18\xc0\x5d\x32\xa1\x53\x12\xb6\x0a\x48\x5a\xd7\xc7\x4b\x50\x6e\x6b\x90\x7b\x1f\xf9\x04\x9a\x8c\x1e\xa0\x4a\xa6\x1c\xfc\x57\x1f\x5b\xf4\xa6\x77\xd4\xf5\xda\x54\x66\x40\x5b\x2c\x35\x37\x97\xdd\x47\xdd\x1c\xcf\x79\x0c\xdf\x15\xb7\xb7\xd1\x26\xab\x2d\x5a\x10\xa2\x7f\x4c\x79\x55\x6d\x3a\xb1\x51\x84\x1b\x16\xab\x34\x98\x19\x37\x70\xb4\xc3\xa8\xba\x01\x69\xc4\xb3\x7e\x0d\x82\xe0\xd1\x3b\xd0\xde\x5c\x94\xa1\x51\x87\x16\xc6\xb6\xa4\x97\x75\x37\xe2\x45\x66\x23\xc1\x3b\xfd\x21\x1f\xa4\x57\x58\x0d\x82\xf1\x0e\x28\xf7\x12\xb4\xc5\xb3\xfd\x23\x0e\xc1\x47\x44\xd0\x90\x60\xf5\x3d\xd1\x4b\x22\x6a\x80\xcc\x77\x5b\x48\x33\x1d\x7b\x52\x1c\x5a\x21\x48\x87\x96\xe2\x89\x09\xa5\xc7\x00\x8b\xe6\x35\x1a\x96\xe3\xcc\x30\xcb\x55\xcc\xba\x31\xaf\x7a\x8e\x50\xbd\x98\xbd\x33\x7e\x4b\xb0\x48\xf5\x49\xfe\x63\x7b\x0a\x5b\x58\x41\xa1\xb0\xb3\x6f\x25\x6e\x51\x84\xb3\x38", 238); *(uint32_t*)0x200000000628 = 0x73; *(uint64_t*)0x20000000062c = 0x200000000280; *(uint8_t*)0x200000000280 = 0x73; *(uint8_t*)0x200000000281 = 3; memcpy((void*)0x200000000282, "\x76\x8a\xd2\x39\x23\x00\x1b\xa0\xd6\xad\x83\xc8\x11\xcf\xdf\xee\x86\x03\x54\xe7\x4a\xc6\xab\xba\xfa\x64\x22\x7b\xd9\x21\x57\x90\x5a\x2d\x5c\x3d\x40\x91\x08\x94\x8b\xa8\xe2\xf0\x6e\x1c\x95\x88\x8e\xd7\xec\xb9\x49\x69\xe8\x3d\xc5\xd9\x83\x7d\xf1\x61\x66\x43\xb3\xc8\xb8\xe5\xe4\x55\x81\xeb\x42\x6b\x60\x9c\xd1\x18\x45\xe2\xe2\x97\x74\x12\x4d\x10\x82\x85\x27\x41\x20\xea\x46\xde\x5b\xb8\xe9\xb0\x14\x94\xca\x78\xb8\x47\x7e\x3b\xe5\x42\xd1\x96\x8d\x6b\x17", 113); *(uint32_t*)0x200000000634 = 0x11; *(uint64_t*)0x200000000638 = 0x200000000300; *(uint8_t*)0x200000000300 = 0x11; *(uint8_t*)0x200000000301 = 3; memcpy((void*)0x200000000302, "\x8f\x04\x86\x77\x2d\xd8\x85\xbd\x6a\x28\x13\x4a\x62\x5b\x45", 15); *(uint32_t*)0x200000000640 = 0xf2; *(uint64_t*)0x200000000644 = 0x200000000340; *(uint8_t*)0x200000000340 = 0xf2; *(uint8_t*)0x200000000341 = 3; 
memcpy((void*)0x200000000342, "\x73\x37\x8e\x52\xef\xe4\x32\x71\x8b\xc5\xc4\xd8\xb9\x31\x08\x4c\x3e\xba\x0a\xad\xb5\x61\xaf\x4d\x7e\x21\x3b\x6c\x82\x0b\x7f\x8d\xb7\xab\x83\x47\x00\x8d\x30\x43\x67\x04\x75\x76\xe4\xc6\x1f\x9f\x22\x80\x3d\x27\x71\xd0\xa9\xe0\x50\xf7\x46\xe2\x95\xf7\xd5\x6c\x32\x4c\x1c\x0b\x81\x51\x0d\x6e\xd5\x4b\x63\xe2\xa3\x08\x26\x48\x57\xee\xf8\xff\x86\xbf\x00\x9b\x33\x8c\xcf\x19\xb0\xb3\x35\x1b\x9a\x9e\x81\xd3\xe4\x0f\xfd\xc2\x4e\x73\xfe\x9e\xa7\x63\xe0\x6a\x3f\xcf\x9c\x23\x19\x04\xa2\x59\x13\xa9\x64\x0d\x4d\x13\x3a\x0b\x4d\x62\x46\xbf\x76\xdd\x4d\x74\xfb\xd4\xd5\xcf\xe9\x1f\xe4\xef\xae\xf4\x1a\xe4\x45\x0e\x58\x3b\x0b\x1c\xf9\xbe\x22\x45\xa8\x7e\x03\xc8\x22\x42\x7e\x37\x3a\xfc\xda\x0d\x20\x50\x15\x4d\xb6\xde\x40\xad\xa8\x66\x0a\x76\xb8\x5c\x05\xef\xd6\x1a\xc9\x77\x9a\x1c\xfd\xc5\xd2\x3e\xb2\xa4\x88\x14\xa1\x38\xe3\xa7\x26\x15\x18\xed\x89\x54\xf3\x4c\xa0\x20\x97\xf1\xb9\x1d\x72\xd8\x77\x33\x7b\xef\x8d\xad\xd3\x30\xb0\xba\x08\xc5\x48\x3b\xef\x37\x1f\xd3\x4b\xe1", 240); *(uint32_t*)0x20000000064c = 4; *(uint64_t*)0x200000000650 = 0x200000000440; *(uint8_t*)0x200000000440 = 4; *(uint8_t*)0x200000000441 = 3; *(uint16_t*)0x200000000442 = 0x3c01; *(uint32_t*)0x200000000658 = 4; *(uint64_t*)0x20000000065c = 0x200000000480; *(uint8_t*)0x200000000480 = 4; *(uint8_t*)0x200000000481 = 3; *(uint16_t*)0x200000000482 = 0x416; *(uint32_t*)0x200000000664 = 4; *(uint64_t*)0x200000000668 = 0x2000000004c0; *(uint8_t*)0x2000000004c0 = 4; *(uint8_t*)0x2000000004c1 = 3; *(uint16_t*)0x2000000004c2 = 0x827; *(uint32_t*)0x200000000670 = 0x69; *(uint64_t*)0x200000000674 = 0x200000000500; *(uint8_t*)0x200000000500 = 0x69; *(uint8_t*)0x200000000501 = 3; memcpy((void*)0x200000000502, 
"\x7a\xd9\xd0\x20\x33\x5b\xa5\x39\x23\x91\xf2\x3d\xf7\x6a\xef\x57\x87\x56\x89\x71\x51\x12\xd5\x6c\xe1\xd4\x11\x51\x64\x40\xe4\x32\xde\xa2\x90\xb5\x15\x8d\xd9\x4d\x71\xa3\x1a\xe8\xc6\x6b\xd4\x7b\xfc\x54\xdf\xa3\xe7\xfa\x39\x2a\x21\xa3\x3e\xd7\xc2\x1f\x6f\xf9\x93\x95\xab\x81\xfb\x65\x6b\x0e\xf2\x16\x2e\x10\x0d\xdd\xe6\x10\xc5\xc6\x83\xba\xd2\x21\x54\x59\xe5\xc2\x74\x43\xf7\x27\xb3\x82\x99\x50\x0e\xd5\xc7\x52\xd7", 103); *(uint32_t*)0x20000000067c = 4; *(uint64_t*)0x200000000680 = 0x200000000580; *(uint8_t*)0x200000000580 = 4; *(uint8_t*)0x200000000581 = 3; *(uint16_t*)0x200000000582 = 0x430; *(uint32_t*)0x200000000688 = 4; *(uint64_t*)0x20000000068c = 0x2000000005c0; *(uint8_t*)0x2000000005c0 = 4; *(uint8_t*)0x2000000005c1 = 3; *(uint16_t*)0x2000000005c2 = 0; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_SUPER*/5, /*dev_len=*/0x7e, /*dev=*/0x200000000000, /*conn_descs=*/0x200000000600); if (res != -1) r[0] = res; syz_usb_ep_read(/*fd=*/r[0], /*ep=*/0xe, /*len=*/0xf0, /*data=*/0x2000000006c0); return 0; } compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor4025448787 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/mips64le/single_syz_init_net_socket (0.10s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: 
syz_init_net_socket$802154_dgram(0x24, 0x1, 0x0)
csource_test.go:149: failed to build program:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include #include #include #include #include #include #include #include
[extraction note: the eight <header> names on the #include line above were dropped when the page was rendered (the angle brackets were read as markup); every #include run in this log is affected the same way, so the bare #include tokens are a display artifact, not the compile error. The compiler's own diagnostics are not reproduced after the invocation below, so the actual cause of the build failure is not readable from this excerpt.]
#ifndef __NR_mmap
#define __NR_mmap 5009
#endif
const int kInitNetNsFd = 201;
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	return syscall(__NR_socket, domain, type, proto);
}
int main(void)
{
	syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
	syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
	syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
	const char* reason;
	(void)reason;
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {}
	syz_init_net_socket(/*domain=*/0x24, /*type=*/1, /*proto=*/0);
	return 0;
}
compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor1850810919 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie]
--- FAIL: TestGenerate/linux/mips64le/single_syz_emit_vhci (0.10s)
    csource_test.go:146:
--- FAIL: TestGenerate/linux/mips64le/single_syz_clone3 (0.11s)
    csource_test.go:146:
--- FAIL: TestGenerate/linux/mips64le/single_syz_usb_disconnect (0.11s)
    csource_test.go:146:
--- FAIL: TestGenerate/linux/mips64le/single_syz_pidfd_open (0.11s)
    csource_test.go:146:
--- FAIL:
TestGenerate/linux/mips64le/single_syz_open_procfs (0.10s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_usb_connect_ath9k (0.11s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_btf_id_by_name (0.11s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_80211_join_ibss (0.11s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_open_dev (0.11s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_memcpy_off (0.12s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_usbip_server_init (0.12s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_fuse_handle_req (0.13s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_create_resource (0.13s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_socket_connect_nvme_tcp (0.20s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_open_pts (0.20s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_pkey_set (0.20s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_usb_ep_write (0.20s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_emit_ethernet (0.20s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_kvm_setup_cpu (0.21s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_mount_image (0.21s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_usb_connect (0.22s) csource_test.go:146: FAIL FAIL github.com/google/syzkaller/pkg/csource 23.869s ok github.com/google/syzkaller/pkg/db (cached) ? github.com/google/syzkaller/pkg/debugtracer [no test files] ? 
github.com/google/syzkaller/pkg/declextract [no test files] ok github.com/google/syzkaller/pkg/email (cached) ok github.com/google/syzkaller/pkg/email/lore (cached) ok github.com/google/syzkaller/pkg/flatrpc (cached) ok github.com/google/syzkaller/pkg/fuzzer (cached) ok github.com/google/syzkaller/pkg/fuzzer/queue (cached) ok github.com/google/syzkaller/pkg/gce (cached) ? github.com/google/syzkaller/pkg/gcpsecret [no test files] ? github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/gcs/mocks [no test files] ? github.com/google/syzkaller/pkg/hash [no test files] ? github.com/google/syzkaller/pkg/html [no test files] ok github.com/google/syzkaller/pkg/html/pages (cached) ok github.com/google/syzkaller/pkg/html/urlutil (cached) ? github.com/google/syzkaller/pkg/ifaceprobe [no test files] ok github.com/google/syzkaller/pkg/ifuzz (cached) ok github.com/google/syzkaller/pkg/ifuzz/arm64 (cached) ? github.com/google/syzkaller/pkg/ifuzz/arm64/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/arm64/generated [no test files] ? github.com/google/syzkaller/pkg/ifuzz/iset [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc/generated [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86 [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/generated [no test files] ok github.com/google/syzkaller/pkg/image (cached) ok github.com/google/syzkaller/pkg/instance (cached) ? github.com/google/syzkaller/pkg/kcidb [no test files] ok github.com/google/syzkaller/pkg/kconfig (cached) ? github.com/google/syzkaller/pkg/kcov [no test files] ok github.com/google/syzkaller/pkg/kd (cached) ok github.com/google/syzkaller/pkg/kfuzztest (cached) ? github.com/google/syzkaller/pkg/kfuzztest-executor [no test files] ? 
github.com/google/syzkaller/pkg/kfuzztest-manager [no test files] ok github.com/google/syzkaller/pkg/log (cached) ok github.com/google/syzkaller/pkg/manager (cached) ok github.com/google/syzkaller/pkg/mgrconfig (cached) ok github.com/google/syzkaller/pkg/osutil (cached) ok github.com/google/syzkaller/pkg/report (cached) ? github.com/google/syzkaller/pkg/report/crash [no test files] ok github.com/google/syzkaller/pkg/repro (cached) ok github.com/google/syzkaller/pkg/rpcserver (cached) ? github.com/google/syzkaller/pkg/rpcserver/mocks [no test files] ? github.com/google/syzkaller/pkg/rpctype [no test files] ok github.com/google/syzkaller/pkg/runtest (cached) ok github.com/google/syzkaller/pkg/serializer (cached) ok github.com/google/syzkaller/pkg/signal (cached) ok github.com/google/syzkaller/pkg/stat (cached) ok github.com/google/syzkaller/pkg/stat/sample (cached) ? github.com/google/syzkaller/pkg/stat/syzbotstats [no test files] ok github.com/google/syzkaller/pkg/subsystem (cached) ok github.com/google/syzkaller/pkg/subsystem/linux (cached) ok github.com/google/syzkaller/pkg/subsystem/lists (cached) ok github.com/google/syzkaller/pkg/symbolizer (cached) ? github.com/google/syzkaller/pkg/testutil [no test files] ok github.com/google/syzkaller/pkg/tool (cached) ok github.com/google/syzkaller/pkg/validator (cached) ok github.com/google/syzkaller/pkg/vcs (cached) ok github.com/google/syzkaller/pkg/vminfo (cached) ok github.com/google/syzkaller/prog (cached) ok github.com/google/syzkaller/prog/test (cached) ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/darwin [no test files] ? github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/layout [no test files] ? 
github.com/google/syzkaller/sys/generated [no test files] ok github.com/google/syzkaller/sys/linux (cached) ok github.com/google/syzkaller/sys/netbsd (cached) ok github.com/google/syzkaller/sys/openbsd (cached) ? github.com/google/syzkaller/sys/syz-extract [no test files] ? github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/trusty [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ok github.com/google/syzkaller/syz-ci (cached) ok github.com/google/syzkaller/syz-cluster/controller (cached) ok github.com/google/syzkaller/syz-cluster/dashboard (cached) ok github.com/google/syzkaller/syz-cluster/email-reporter (cached) ? github.com/google/syzkaller/syz-cluster/pkg/api [no test files] ? github.com/google/syzkaller/syz-cluster/pkg/app [no test files] ok github.com/google/syzkaller/syz-cluster/pkg/blob (cached) ok github.com/google/syzkaller/syz-cluster/pkg/controller (cached) ok github.com/google/syzkaller/syz-cluster/pkg/db (cached) ok github.com/google/syzkaller/syz-cluster/pkg/emailclient (cached) ok github.com/google/syzkaller/syz-cluster/pkg/fuzzconfig (cached) ok github.com/google/syzkaller/syz-cluster/pkg/report (cached) ok github.com/google/syzkaller/syz-cluster/pkg/reporter (cached) ? github.com/google/syzkaller/syz-cluster/pkg/service [no test files] ok github.com/google/syzkaller/syz-cluster/pkg/triage (cached) ? github.com/google/syzkaller/syz-cluster/pkg/workflow [no test files] ? github.com/google/syzkaller/syz-cluster/reporter-server [no test files] ok github.com/google/syzkaller/syz-cluster/series-tracker (cached) ? github.com/google/syzkaller/syz-cluster/tools/db-mgmt [no test files] ? github.com/google/syzkaller/syz-cluster/tools/send-test-email [no test files] ? github.com/google/syzkaller/syz-cluster/workflow/boot-step [no test files] ? 
github.com/google/syzkaller/syz-cluster/workflow/build-step [no test files] ok github.com/google/syzkaller/syz-cluster/workflow/fuzz-step (cached) ? github.com/google/syzkaller/syz-cluster/workflow/triage-step [no test files] ok github.com/google/syzkaller/syz-hub (cached) ok github.com/google/syzkaller/syz-hub/state (cached) ? github.com/google/syzkaller/syz-kfuzztest [no test files] ok github.com/google/syzkaller/syz-manager (cached) ? github.com/google/syzkaller/tools/arm64 [no test files] ? github.com/google/syzkaller/tools/kfuzztest-gen [no test files] ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-build [no test files] ? github.com/google/syzkaller/tools/syz-check [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-covermerger [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ok github.com/google/syzkaller/tools/syz-db (cached) ? github.com/google/syzkaller/tools/syz-db-export [no test files] ok github.com/google/syzkaller/tools/syz-declextract (cached) ? github.com/google/syzkaller/tools/syz-diff [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-expand [no test files] ? github.com/google/syzkaller/tools/syz-fillreports [no test files] ? github.com/google/syzkaller/tools/syz-fix-analyzer [no test files] ? github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-gemini-seed [no test files] ? github.com/google/syzkaller/tools/syz-hubtool [no test files] ok github.com/google/syzkaller/tools/syz-imagegen (cached) ? github.com/google/syzkaller/tools/syz-kcidb [no test files] ok github.com/google/syzkaller/tools/syz-kconf (cached) ok github.com/google/syzkaller/tools/syz-linter (cached) ? 
github.com/google/syzkaller/tools/syz-lore [no test files] ? github.com/google/syzkaller/tools/syz-make [no test files] ? github.com/google/syzkaller/tools/syz-minconfig [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-query-subsystems [no test files] ? github.com/google/syzkaller/tools/syz-reporter [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? github.com/google/syzkaller/tools/syz-showprio [no test files] ? github.com/google/syzkaller/tools/syz-symbolize [no test files] ok github.com/google/syzkaller/tools/syz-testbed (cached) ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? github.com/google/syzkaller/tools/syz-trace2syz [no test files] ok github.com/google/syzkaller/tools/syz-trace2syz/parser (cached) ok github.com/google/syzkaller/tools/syz-trace2syz/proggen (cached) ? github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ok github.com/google/syzkaller/vm (cached) ? github.com/google/syzkaller/vm/adb [no test files] ? github.com/google/syzkaller/vm/bhyve [no test files] ? github.com/google/syzkaller/vm/cuttlefish [no test files] ok github.com/google/syzkaller/vm/dispatcher (cached) ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ok github.com/google/syzkaller/vm/isolated (cached) ok github.com/google/syzkaller/vm/proxyapp (cached) ? github.com/google/syzkaller/vm/proxyapp/mocks [no test files] ? github.com/google/syzkaller/vm/proxyapp/proxyrpc [no test files] ? github.com/google/syzkaller/vm/qemu [no test files] ? github.com/google/syzkaller/vm/starnix [no test files] ok github.com/google/syzkaller/vm/vmimpl (cached) ? github.com/google/syzkaller/vm/vmm [no test files] ? 
github.com/google/syzkaller/vm/vmware [no test files] FAIL