ok github.com/google/syzkaller/dashboard/app 0.275s ? github.com/google/syzkaller/dashboard/dashapi [no test files] ok github.com/google/syzkaller/executor 0.452s ok github.com/google/syzkaller/pkg/ast 2.662s ok github.com/google/syzkaller/pkg/auth (cached) ok github.com/google/syzkaller/pkg/bisect 53.862s ok github.com/google/syzkaller/pkg/build 0.207s ok github.com/google/syzkaller/pkg/compiler 13.520s ? github.com/google/syzkaller/pkg/config [no test files] ok github.com/google/syzkaller/pkg/cover 0.095s ok github.com/google/syzkaller/pkg/cover/backend (cached) --- FAIL: TestGenerate (7.02s) --- FAIL: TestGenerate/freebsd/386 (1.23s) csource_test.go:52: seed=1633617484233609937 --- FAIL: TestGenerate/freebsd/386/0 (0.58s) csource_test.go:118: opts: {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: extattr_delete_file(&(0x7f0000000000)='./file0\x00', 0x1, &(0x7f0000000040)='/{[-*-:#!@(*\x00') (fail_nth: 1) r0 = accept4$inet6(0xffffffffffffffff, &(0x7f0000000080)={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @remote}, &(0x7f00000000c0)=0x1c, 0x30000000) utimensat(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', &(0x7f0000000140)={{0x7, 0x7}, {0x7, 0x5}}, 0x4000) setsockopt$inet_sctp_SCTP_EXPLICIT_EOR(0xffffffffffffffff, 0x84, 0x1b, &(0x7f0000000180)=0x2, 0x4) shm_open2(&(0x7f00000001c0)='./file1\x00', 0x0, 0x100, 0x4, &(0x7f0000000200)=')/,&o\x00') ioctl$DIOCRSETTFLAGS(0xffffffffffffffff, 0xc44c444a, &(0x7f00000002c0)={{"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", "9f538c90e871041e5c20e4ce66046a7c616241a9680d8539866c5a96b1c8ecc9", 0x80000000, 0x1}, 
&(0x7f0000000240)="18167d1501224bddd48fc6e3f883d8f2dd60a2fad40d6c1520c6c51f84cedcc571c2e32e14abf447283e87a5f3f781bdba001c54edaeda7aa88c1911f54c8f0a9a42dce49508275dce74fd73cdab1eabf8aa104c74f7c3bb54d0500afc2b97", 0x9621, 0x2, 0x8, 0x800, 0x3, 0x10001, 0xfa, 0x7fff}) r1 = openat$ptmx(0xffffff9c, &(0x7f0000000740), 0x800, 0x0) ioctl$DIOCIGETIFACES(r1, 0xc0244457, &(0x7f0000000800)={0x10, &(0x7f0000000780)="85dffefc4efcb1b4016c842d2cc4b45bfa064e55869999bf6137689406754fe7c0b179029f2f35c516d93231a104813ea26f8ff7f1cf848188d9d0b6260500402ddca36fe8e1cd0ad5e81856a2f9f983f5981ace989e976f", 0x40000000, 0xff, 0x10001}) mmap(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2, 0x10, r0, 0x0) getsockopt$inet6_sctp_SCTP_RESET_STREAMS(r0, 0x84, 0x901, &(0x7f0000000840)={0x0, 0x8001, 0x4, [0x3f, 0xffff, 0x20, 0x4]}, &(0x7f0000000880)=0x10) syz_emit_ethernet(0xf3, &(0x7f0000000000)={@local, @local, [{[], {0x8100, 0x6, 0x1, 0x2}}], {@ipv4={0x800, {{0x9, 0x4, 0x2, 0x7, 0xe1, 0x65, 0x878, 0x4, 0x4d, 0x0, @empty, @multicast1, {[@generic={0x44, 0xd, "4de51ab866bb431c3dc521"}, @noop, @noop]}}, @generic="5ace0f0ff30bd68564f743a2ef2821a21c197ab27f80fcd10e900d506ab328909d636f25df603ad9e4ee16761ee679e24d1854d5cdd65b0172c27bed2165fdda7aa45a333f06d92d8d2beb389dcbc153d4e96a2792c39f0e07a5392ed08d386b6bf96b8f5801558093c009e7accdc8456fe898abba673e55c1330ee9454f4c2017e5e474c63c853817170734473727a7c0566eaf2be05daa6ed143d3ea4f0b39b87a60d41ed2d8ffd00e6472c06a0e8a98fae4c68ae1314f968bb3b931"}}}}) syz_execute_func(&(0x7f0000000100)="65fc670fa866dbd3c4c1d15ff2c4c18dfaf2c4e2553fd8c4e1b17c6099660f3a09c1898283df000000fec4c291915c8699") syz_extract_tcp_res(&(0x7f0000000140), 0x401, 0x1) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* 
status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static int inject_fault(int nth) { return 0; } static void setup_fault() { } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void 
sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef SYS_shm_open2 #define SYS_shm_open2 571 #endif uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; memcpy((void*)0x10000000, "./file0\000", 8); memcpy((void*)0x10000040, "/{[-*-:#!@(*\000", 13); inject_fault(1); syscall(SYS_extattr_delete_file, 0x10000000, 1, 0x10000040); *(uint32_t*)0x100000c0 = 0x1c; res = syscall(SYS_accept4, -1, 0x10000080, 0x100000c0, 0x30000000); if (res != -1) r[0] = res; memcpy((void*)0x10000100, "./file0\000", 8); *(uint32_t*)0x10000140 = 7; *(uint32_t*)0x10000144 = 7; *(uint32_t*)0x10000148 = 7; *(uint32_t*)0x1000014c = 5; syscall(SYS_utimensat, -1, 0x10000100, 0x10000140, 0x4000); *(uint32_t*)0x10000180 = 2; syscall(SYS_setsockopt, -1, 0x84, 0x1b, 0x10000180, 4); 
memcpy((void*)0x100001c0, "./file1\000", 8); memcpy((void*)0x10000200, ")/,&o\000", 6); syscall(SYS_shm_open2, 0x100001c0, 0, 0x100, 4, 0x10000200); memcpy((void*)0x100002c0, "\x99\xdb\x9c\xfd\x2a\xc3\x80\x5e\x5c\x41\x44\x73\xfb\x35\xf0\xdc\x56\x95\x09\x24\xb8\x94\xab\x78\x61\xea\x0b\x42\x08\x4c\x29\x7d\x5c\x37\x16\x93\x5f\x49\x47\xbb\x1b\x6f\x0c\xee\x80\x31\xe0\xa4\x32\x51\xc5\xc3\xcc\x4c\x19\xc1\xab\x43\x6a\x79\xdf\x65\x33\x23\x3b\xaf\x31\x8c\x6c\xeb\x2c\x35\x46\x9f\xf0\x7a\x65\x90\x51\x8b\x57\xef\x97\x14\x05\x05\x6e\xfc\x80\xd5\xf5\xf4\x28\x81\x8f\xb3\x7a\x2e\x2e\xcd\xb5\xee\x34\xef\xf8\x92\x23\x92\x54\x73\xb8\xef\x06\x3f\x69\x9b\xf0\x06\xf5\xf4\x41\xca\xcd\xf4\x74\x82\xbf\x43\x16\x93\xaf\x0d\xfd\x4a\xae\x73\xd6\x63\xf8\xbf\x69\x5f\x16\x23\x65\x8d\x31\x9f\x25\xfb\x04\x25\xcc\x53\xf6\xb5\x60\xf8\xaa\x39\x20\x11\xf8\xd9\x05\x33\x27\xec\xe9\xb0\xa4\x52\x91\xc8\x23\x70\xca\x8c\x7d\x35\x7c\xc3\x8f\x7e\x82\x11\x48\xce\x01\x3e\x78\xa5\x4c\x1f\x2c\x14\x3d\x88\x85\xd2\xf3\xb0\x9c\xeb\x63\xc2\xa9\x0f\xe2\x46\xc1\x35\x88\xad\xb9\x77\x99\x93\x95\xa0\x06\xb7\x67\xb5\xf0\x3f\xb3\x8a\xb2\xdb\x97\x81\x63\x25\xd9\x5e\xfe\xee\xb0\x71\x21\x2b\x2b\xf0\x59\x5c\x09\x96\x28\x73\x3f\x29\x45\x4f\xbb\x97\x36\x7d\x42\xde\xc2\xb0\x1e\x8c\x66\x60\x49\xbc\x8f\x83\xe4\x63\x97\x35\x45\x9b\xd8\xf1\x93\x5a\x17\xd4\xd2\xb8\xea\x23\x59\x08\x55\x1c\x19\x6f\x3d\xfa\x34\x84\x45\x11\x32\x90\x8e\x5c\xfe\x22\xe5\x37\xbf\x83\x4f\xd8\x7a\x77\xc6\x89\xba\x5f\x8c\x59\x9d\xcf\xb4\xd8\x25\xcd\x57\x47\xb2\xa9\x0e\x19\x5d\xc0\x2f\x9e\x8c\xa0\x47\x45\xf3\x36\xe1\xb0\x4a\x3c\x7a\x0e\x58\xbb\x6f\x17\xaf\xf7\x55\xb9\x15\x33\x4d\x57\x04\x86\x46\xfb\xf3\xaa\x24\x4a\x46\x43\x7c\xe8\x9c\xa2\xc0\xa7\x2d\x1b\x71\xfe\xec\xc0\xaf\xdc\xf4\x69\x1b\xce\x0b\x11\xf3\x2c\x63\x2f\xa6\x14\x7d\xbc\xaa\x8b\xed\x3f\x20\x67\xb8\x7c\x4e\x7d\xb3\x7e\xba\x3c\x6d\xb7\x27\x0d\x0d\xde\x21\xa6\x40\x13\xc7\x98\x0b\xef\xc4\x93\xcc\xe3\x08\xc4\xbb\xd1\x02\xcc\x77\x04\xb9\x27\x92\x62\x12\xee\xff\xe9\x26\xb3\xc9\x11\xec\x7a\xcf\xb8\x99\xf5\x21\xdc
\x93\x25\xbf\xf6\x07\x3b\x5c\x13\xee\xb2\xaa\xd7\x6a\x4c\x3d\x5c\x48\xcd\xcc\xd0\xab\xea\x1a\xb9\xab\x39\x95\x85\x9c\xfd\x11\xe5\x44\x9e\xfb\x30\x51\x2a\x17\xe1\x7f\xcd\x35\x7b\x1f\x69\x34\xd4\xab\x0d\x27\xc8\x61\x55\x83\x8f\x93\x9e\x7a\x80\x1d\x32\xac\x49\xca\x9e\xf4\x62\x8d\xcb\x19\x4c\x79\x97\x77\x5b\x69\xc1\x13\x12\x58\x4c\xaa\xa6\x75\x37\xc1\x83\x5b\x27\x4e\x4e\xcd\x58\xe8\x36\xfe\x2d\x53\xff\x93\x90\xb3\x4d\xb4\x85\xf8\x9b\x87\x1a\xb7\xf1\xe5\xe6\x9f\x86\x40\xb8\xfa\x5a\x70\x46\x61\xa5\x88\x19\xe1\x25\x77\x5b\xe4\xe4\x87\xf8\xcc\x4d\x3e\x9c\x11\x45\xf5\x78\x1a\x69\x0e\x42\x05\x66\xb5\xed\x39\x26\x7c\xe4\x43\x1d\xf9\x61\x0f\xa7\x7e\xbf\x82\x54\xf1\x60\xf4\x06\x8c\x5f\xde\xcd\xc8\xf9\xcf\x66\x71\x51\x3d\xfc\xf6\x4d\xc7\xa3\x7a\x92\x7b\xfc\xeb\x07\x62\x48\x8b\x7d\xec\x6d\xf1\x8f\x80\x27\xba\xe0\x91\xd8\x5d\x0d\xed\x0f\x72\x10\x8e\x5c\x21\xdd\xaf\x28\xef\x52\xf4\x24\x67\x7a\xb3\xfa\x1e\xab\xb6\xd3\x47\x78\x99\x65\xce\xb8\xbb\x45\x19\x35\x95\x8c\xc5\xba\x87\xf4\x64\x98\x78\x35\x00\x31\x9a\x2d\xf3\xed\x16\x8a\xf5\x35\x81\x54\x5d\xde\xa2\xd0\x51\x55\x16\xbf\xbf\x8f\xea\x62\xa7\x60\x19\x34\x79\xc7\x7e\x73\xa7\x9d\xbf\xa8\x21\x18\xc0\x13\xbf\x41\x8d\x35\x30\xc2\x0e\x7f\x47\xdd\xd8\xba\x80\xa0\x23\xde\x38\x3b\x54\x5c\x29\xfc\x63\x38\xf2\x77\xa7\x3b\xaf\x46\x55\x1e\x85\x50\x60\xb9\x91\x84\xc5\x4d\x1c\x11\xd3\xf7\x44\xac\xb0\x2e\x5b\x12\x6d\xf5\xa1\x05\x71\x65\x6b\xa6\xab\xb5\xe4\xef\x94\x06\xc2\xf5\x38\x0e\x69\x1e\x46\xa4\xca\x1c\x5d\xd7\xfc\x87\xd0\x81\xca\x94\xcd\x5a\xb7\xfb\x45\xa4\x8c\x68\x0f\xab\x76\x1f\x9b\x1a\x17\xbe\x44\x9d\x74\xf1\x29\x1b\x85\x9c\x37\xba\x01\x91\xb0\x09\x98\xb7\x84\x29\x33\x43\x90\x02\xca\x81\x7b\xd3\xf5\x14\x04\x81\xc9\x57\xfe\x95\xea\x9a\x50\xd0\x5b\xc2\x7f\x1c\x0f\x8d\xbc\x26\x7c\x50\x77\x6c\x77\x4a\x69\x49\x22\xa5\xce\x1c\xc8\xfd\x7e\x14\x78\xa3\xe2\xcc\x58\xf5\x70\xac\xda\x3a\x16\xca\xd5\x66\x7e\x28\xd2\x45\xdd\x78\xc7\x8e\x5e\x35\x00\xe0\xae\xe9\x1f\x10\xb6\xfc\x29\xd0\xd1\xbd\xfa\xae\x7e\xf6\x6e\xe2\x88\xd5\xd5\xb2\xb7\x2d\x09\x77\x67\x25
\xea\xf7\x70\xef\x1e\xe4\xec\x08\x9c\x1d\xbc\xdb\x87\xb8\x64\xac\x3f\xab\xdb\xf4\x1d\x9d\xd3\x5a\xd4\x20\x09\x88\x89\xe1\xf5\x30\x30\x51\x47\xbe\x9e\x5c\x67\x09\xec\x22\xbe\x90\x76\x24\x1d\xc4\xbf\x66\x07\x9f\xda\x5f\x19\x0d\x26\xd5\x97\x7a\x4f\x2d\xf8\xb5\x43\x3d\xa1\x2f", 1024); memcpy((void*)0x100006c0, "\x9f\x53\x8c\x90\xe8\x71\x04\x1e\x5c\x20\xe4\xce\x66\x04\x6a\x7c\x61\x62\x41\xa9\x68\x0d\x85\x39\x86\x6c\x5a\x96\xb1\xc8\xec\xc9", 32); *(uint32_t*)0x100006e0 = 0x80000000; *(uint8_t*)0x100006e4 = 1; *(uint32_t*)0x100006e8 = 0x10000240; memcpy((void*)0x10000240, "\x18\x16\x7d\x15\x01\x22\x4b\xdd\xd4\x8f\xc6\xe3\xf8\x83\xd8\xf2\xdd\x60\xa2\xfa\xd4\x0d\x6c\x15\x20\xc6\xc5\x1f\x84\xce\xdc\xc5\x71\xc2\xe3\x2e\x14\xab\xf4\x47\x28\x3e\x87\xa5\xf3\xf7\x81\xbd\xba\x00\x1c\x54\xed\xae\xda\x7a\xa8\x8c\x19\x11\xf5\x4c\x8f\x0a\x9a\x42\xdc\xe4\x95\x08\x27\x5d\xce\x74\xfd\x73\xcd\xab\x1e\xab\xf8\xaa\x10\x4c\x74\xf7\xc3\xbb\x54\xd0\x50\x0a\xfc\x2b\x97", 95); *(uint64_t*)0x100006ec = 0x9621; *(uint64_t*)0x100006f4 = 2; *(uint64_t*)0x100006fc = 8; *(uint64_t*)0x10000704 = 0x800; *(uint64_t*)0x1000070c = 3; *(uint64_t*)0x10000714 = 0x10001; *(uint64_t*)0x1000071c = 0xfa; *(uint32_t*)0x10000724 = 0x7fff; syscall(SYS_ioctl, -1, 0xc44c444a, 0x100002c0); memcpy((void*)0x10000740, "/dev/pf\000", 8); res = syscall(SYS_openat, 0xffffff9c, 0x10000740, 0x800, 0); if (res != -1) r[1] = res; *(uint8_t*)0x10000800 = 0x10; *(uint32_t*)0x10000804 = 0x10000780; memcpy((void*)0x10000780, "\x85\xdf\xfe\xfc\x4e\xfc\xb1\xb4\x01\x6c\x84\x2d\x2c\xc4\xb4\x5b\xfa\x06\x4e\x55\x86\x99\x99\xbf\x61\x37\x68\x94\x06\x75\x4f\xe7\xc0\xb1\x79\x02\x9f\x2f\x35\xc5\x16\xd9\x32\x31\xa1\x04\x81\x3e\xa2\x6f\x8f\xf7\xf1\xcf\x84\x81\x88\xd9\xd0\xb6\x26\x05\x00\x40\x2d\xdc\xa3\x6f\xe8\xe1\xcd\x0a\xd5\xe8\x18\x56\xa2\xf9\xf9\x83\xf5\x98\x1a\xce\x98\x9e\x97\x6f", 88); *(uint32_t*)0x10000808 = 0x40000000; *(uint32_t*)0x1000080c = 0xff; *(uint32_t*)0x10000810 = 0x10001; syscall(SYS_ioctl, (intptr_t)r[1], 0xc0244457, 
0x10000800); syscall(SYS_mmap, 0x10ffc000, 0x3000, 2, 0x10, (intptr_t)r[0], 0); *(uint32_t*)0x10000840 = 0; *(uint16_t*)0x10000844 = 0x8001; *(uint16_t*)0x10000846 = 4; *(uint16_t*)0x10000848 = 0x3f; *(uint16_t*)0x1000084a = -1; *(uint16_t*)0x1000084c = 0x20; *(uint16_t*)0x1000084e = 4; *(uint32_t*)0x10000880 = 0x10; syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 0x901, 0x10000840, 0x10000880); memcpy((void*)0x10000100, "\x65\xfc\x67\x0f\xa8\x66\xdb\xd3\xc4\xc1\xd1\x5f\xf2\xc4\xc1\x8d\xfa\xf2\xc4\xe2\x55\x3f\xd8\xc4\xe1\xb1\x7c\x60\x99\x66\x0f\x3a\x09\xc1\x89\x82\x83\xdf\x00\x00\x00\xfe\xc4\xc2\x91\x91\x5c\x86\x99", 49); syz_execute_func(0x10000100); } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } :105:13: error: unused function 'csum_inet_init' [-Werror,-Wunused-function] static void csum_inet_init(struct csum_inet* csum) ^ :110:13: error: unused function 'csum_inet_update' [-Werror,-Wunused-function] static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) ^ :123:17: error: unused function 'csum_inet_digest' [-Werror,-Wunused-function] static uint16_t csum_inet_digest(struct csum_inet* csum) ^ 3 errors generated. 
compiler invocation: clang [-o /tmp/syz-executor870738770 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/11 (0.99s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: extattr_delete_file(&(0x7f0000000000)='./file0\x00', 0x1, &(0x7f0000000040)='/{[-*-:#!@(*\x00') (fail_nth: 1) r0 = accept4$inet6(0xffffffffffffffff, &(0x7f0000000080)={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @remote}, &(0x7f00000000c0)=0x1c, 0x30000000) utimensat(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', &(0x7f0000000140)={{0x7, 0x7}, {0x7, 0x5}}, 0x4000) setsockopt$inet_sctp_SCTP_EXPLICIT_EOR(0xffffffffffffffff, 0x84, 0x1b, &(0x7f0000000180)=0x2, 0x4) shm_open2(&(0x7f00000001c0)='./file1\x00', 0x0, 0x100, 0x4, &(0x7f0000000200)=')/,&o\x00') ioctl$DIOCRSETTFLAGS(0xffffffffffffffff, 0xc44c444a, &(0x7f00000002c0)={{"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", "9f538c90e871041e5c20e4ce66046a7c616241a9680d8539866c5a96b1c8ecc9", 0x80000000, 0x1}, &(0x7f0000000240)="18167d1501224bddd48fc6e3f883d8f2dd60a2fad40d6c1520c6c51f84cedcc571c2e32e14abf447283e87a5f3f781bdba001c54edaeda7aa88c1911f54c8f0a9a42dce49508275dce74fd73cdab1eabf8aa104c74f7c3bb54d0500afc2b97", 0x9621, 0x2, 0x8, 0x800, 0x3, 0x10001, 0xfa, 0x7fff}) r1 = openat$ptmx(0xffffff9c, &(0x7f0000000740), 0x800, 0x0) ioctl$DIOCIGETIFACES(r1, 0xc0244457, &(0x7f0000000800)={0x10, 
&(0x7f0000000780)="85dffefc4efcb1b4016c842d2cc4b45bfa064e55869999bf6137689406754fe7c0b179029f2f35c516d93231a104813ea26f8ff7f1cf848188d9d0b6260500402ddca36fe8e1cd0ad5e81856a2f9f983f5981ace989e976f", 0x40000000, 0xff, 0x10001}) mmap(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2, 0x10, r0, 0x0) getsockopt$inet6_sctp_SCTP_RESET_STREAMS(r0, 0x84, 0x901, &(0x7f0000000840)={0x0, 0x8001, 0x4, [0x3f, 0xffff, 0x20, 0x4]}, &(0x7f0000000880)=0x10) syz_emit_ethernet(0xf3, &(0x7f0000000000)={@local, @local, [{[], {0x8100, 0x6, 0x1, 0x2}}], {@ipv4={0x800, {{0x9, 0x4, 0x2, 0x7, 0xe1, 0x65, 0x878, 0x4, 0x4d, 0x0, @empty, @multicast1, {[@generic={0x44, 0xd, "4de51ab866bb431c3dc521"}, @noop, @noop]}}, @generic="5ace0f0ff30bd68564f743a2ef2821a21c197ab27f80fcd10e900d506ab328909d636f25df603ad9e4ee16761ee679e24d1854d5cdd65b0172c27bed2165fdda7aa45a333f06d92d8d2beb389dcbc153d4e96a2792c39f0e07a5392ed08d386b6bf96b8f5801558093c009e7accdc8456fe898abba673e55c1330ee9454f4c2017e5e474c63c853817170734473727a7c0566eaf2be05daa6ed143d3ea4f0b39b87a60d41ed2d8ffd00e6472c06a0e8a98fae4c68ae1314f968bb3b931"}}}}) syz_execute_func(&(0x7f0000000100)="65fc670fa866dbd3c4c1d15ff2c4c18dfaf2c4e2553fd8c4e1b17c6099660f3a09c1898283df000000fec4c291915c8699") syz_extract_tcp_res(&(0x7f0000000140), 0x401, 0x1) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static int inject_fault(int nth) { return 0; } static void setup_fault() { } static void 
thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const 
uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && 
__atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } } } #ifndef SYS_shm_open2 #define SYS_shm_open2 571 #endif uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); memcpy((void*)0x10000040, "/{[-*-:#!@(*\000", 13); inject_fault(1); syscall(SYS_extattr_delete_file, 0x10000000, 1, 0x10000040); break; case 1: *(uint32_t*)0x100000c0 = 0x1c; res = syscall(SYS_accept4, -1, 0x10000080, 0x100000c0, 0x30000000); if (res != -1) r[0] = res; break; case 2: memcpy((void*)0x10000100, "./file0\000", 8); *(uint32_t*)0x10000140 = 7; *(uint32_t*)0x10000144 = 7; *(uint32_t*)0x10000148 = 7; *(uint32_t*)0x1000014c = 5; syscall(SYS_utimensat, -1, 0x10000100, 0x10000140, 0x4000); break; case 3: *(uint32_t*)0x10000180 = 2; syscall(SYS_setsockopt, -1, 0x84, 0x1b, 0x10000180, 4); break; case 4: memcpy((void*)0x100001c0, "./file1\000", 8); memcpy((void*)0x10000200, ")/,&o\000", 6); syscall(SYS_shm_open2, 0x100001c0, 0, 0x100, 4, 0x10000200); break; case 5: memcpy((void*)0x100002c0, 
"\x99\xdb\x9c\xfd\x2a\xc3\x80\x5e\x5c\x41\x44\x73\xfb\x35\xf0\xdc\x56\x95\x09\x24\xb8\x94\xab\x78\x61\xea\x0b\x42\x08\x4c\x29\x7d\x5c\x37\x16\x93\x5f\x49\x47\xbb\x1b\x6f\x0c\xee\x80\x31\xe0\xa4\x32\x51\xc5\xc3\xcc\x4c\x19\xc1\xab\x43\x6a\x79\xdf\x65\x33\x23\x3b\xaf\x31\x8c\x6c\xeb\x2c\x35\x46\x9f\xf0\x7a\x65\x90\x51\x8b\x57\xef\x97\x14\x05\x05\x6e\xfc\x80\xd5\xf5\xf4\x28\x81\x8f\xb3\x7a\x2e\x2e\xcd\xb5\xee\x34\xef\xf8\x92\x23\x92\x54\x73\xb8\xef\x06\x3f\x69\x9b\xf0\x06\xf5\xf4\x41\xca\xcd\xf4\x74\x82\xbf\x43\x16\x93\xaf\x0d\xfd\x4a\xae\x73\xd6\x63\xf8\xbf\x69\x5f\x16\x23\x65\x8d\x31\x9f\x25\xfb\x04\x25\xcc\x53\xf6\xb5\x60\xf8\xaa\x39\x20\x11\xf8\xd9\x05\x33\x27\xec\xe9\xb0\xa4\x52\x91\xc8\x23\x70\xca\x8c\x7d\x35\x7c\xc3\x8f\x7e\x82\x11\x48\xce\x01\x3e\x78\xa5\x4c\x1f\x2c\x14\x3d\x88\x85\xd2\xf3\xb0\x9c\xeb\x63\xc2\xa9\x0f\xe2\x46\xc1\x35\x88\xad\xb9\x77\x99\x93\x95\xa0\x06\xb7\x67\xb5\xf0\x3f\xb3\x8a\xb2\xdb\x97\x81\x63\x25\xd9\x5e\xfe\xee\xb0\x71\x21\x2b\x2b\xf0\x59\x5c\x09\x96\x28\x73\x3f\x29\x45\x4f\xbb\x97\x36\x7d\x42\xde\xc2\xb0\x1e\x8c\x66\x60\x49\xbc\x8f\x83\xe4\x63\x97\x35\x45\x9b\xd8\xf1\x93\x5a\x17\xd4\xd2\xb8\xea\x23\x59\x08\x55\x1c\x19\x6f\x3d\xfa\x34\x84\x45\x11\x32\x90\x8e\x5c\xfe\x22\xe5\x37\xbf\x83\x4f\xd8\x7a\x77\xc6\x89\xba\x5f\x8c\x59\x9d\xcf\xb4\xd8\x25\xcd\x57\x47\xb2\xa9\x0e\x19\x5d\xc0\x2f\x9e\x8c\xa0\x47\x45\xf3\x36\xe1\xb0\x4a\x3c\x7a\x0e\x58\xbb\x6f\x17\xaf\xf7\x55\xb9\x15\x33\x4d\x57\x04\x86\x46\xfb\xf3\xaa\x24\x4a\x46\x43\x7c\xe8\x9c\xa2\xc0\xa7\x2d\x1b\x71\xfe\xec\xc0\xaf\xdc\xf4\x69\x1b\xce\x0b\x11\xf3\x2c\x63\x2f\xa6\x14\x7d\xbc\xaa\x8b\xed\x3f\x20\x67\xb8\x7c\x4e\x7d\xb3\x7e\xba\x3c\x6d\xb7\x27\x0d\x0d\xde\x21\xa6\x40\x13\xc7\x98\x0b\xef\xc4\x93\xcc\xe3\x08\xc4\xbb\xd1\x02\xcc\x77\x04\xb9\x27\x92\x62\x12\xee\xff\xe9\x26\xb3\xc9\x11\xec\x7a\xcf\xb8\x99\xf5\x21\xdc\x93\x25\xbf\xf6\x07\x3b\x5c\x13\xee\xb2\xaa\xd7\x6a\x4c\x3d\x5c\x48\xcd\xcc\xd0\xab\xea\x1a\xb9\xab\x39\x95\x85\x9c\xfd\x11\xe5\x44\x9e\xfb\x30\x51\x2a\x17\xe1\x7f\xcd\x35\x7
b\x1f\x69\x34\xd4\xab\x0d\x27\xc8\x61\x55\x83\x8f\x93\x9e\x7a\x80\x1d\x32\xac\x49\xca\x9e\xf4\x62\x8d\xcb\x19\x4c\x79\x97\x77\x5b\x69\xc1\x13\x12\x58\x4c\xaa\xa6\x75\x37\xc1\x83\x5b\x27\x4e\x4e\xcd\x58\xe8\x36\xfe\x2d\x53\xff\x93\x90\xb3\x4d\xb4\x85\xf8\x9b\x87\x1a\xb7\xf1\xe5\xe6\x9f\x86\x40\xb8\xfa\x5a\x70\x46\x61\xa5\x88\x19\xe1\x25\x77\x5b\xe4\xe4\x87\xf8\xcc\x4d\x3e\x9c\x11\x45\xf5\x78\x1a\x69\x0e\x42\x05\x66\xb5\xed\x39\x26\x7c\xe4\x43\x1d\xf9\x61\x0f\xa7\x7e\xbf\x82\x54\xf1\x60\xf4\x06\x8c\x5f\xde\xcd\xc8\xf9\xcf\x66\x71\x51\x3d\xfc\xf6\x4d\xc7\xa3\x7a\x92\x7b\xfc\xeb\x07\x62\x48\x8b\x7d\xec\x6d\xf1\x8f\x80\x27\xba\xe0\x91\xd8\x5d\x0d\xed\x0f\x72\x10\x8e\x5c\x21\xdd\xaf\x28\xef\x52\xf4\x24\x67\x7a\xb3\xfa\x1e\xab\xb6\xd3\x47\x78\x99\x65\xce\xb8\xbb\x45\x19\x35\x95\x8c\xc5\xba\x87\xf4\x64\x98\x78\x35\x00\x31\x9a\x2d\xf3\xed\x16\x8a\xf5\x35\x81\x54\x5d\xde\xa2\xd0\x51\x55\x16\xbf\xbf\x8f\xea\x62\xa7\x60\x19\x34\x79\xc7\x7e\x73\xa7\x9d\xbf\xa8\x21\x18\xc0\x13\xbf\x41\x8d\x35\x30\xc2\x0e\x7f\x47\xdd\xd8\xba\x80\xa0\x23\xde\x38\x3b\x54\x5c\x29\xfc\x63\x38\xf2\x77\xa7\x3b\xaf\x46\x55\x1e\x85\x50\x60\xb9\x91\x84\xc5\x4d\x1c\x11\xd3\xf7\x44\xac\xb0\x2e\x5b\x12\x6d\xf5\xa1\x05\x71\x65\x6b\xa6\xab\xb5\xe4\xef\x94\x06\xc2\xf5\x38\x0e\x69\x1e\x46\xa4\xca\x1c\x5d\xd7\xfc\x87\xd0\x81\xca\x94\xcd\x5a\xb7\xfb\x45\xa4\x8c\x68\x0f\xab\x76\x1f\x9b\x1a\x17\xbe\x44\x9d\x74\xf1\x29\x1b\x85\x9c\x37\xba\x01\x91\xb0\x09\x98\xb7\x84\x29\x33\x43\x90\x02\xca\x81\x7b\xd3\xf5\x14\x04\x81\xc9\x57\xfe\x95\xea\x9a\x50\xd0\x5b\xc2\x7f\x1c\x0f\x8d\xbc\x26\x7c\x50\x77\x6c\x77\x4a\x69\x49\x22\xa5\xce\x1c\xc8\xfd\x7e\x14\x78\xa3\xe2\xcc\x58\xf5\x70\xac\xda\x3a\x16\xca\xd5\x66\x7e\x28\xd2\x45\xdd\x78\xc7\x8e\x5e\x35\x00\xe0\xae\xe9\x1f\x10\xb6\xfc\x29\xd0\xd1\xbd\xfa\xae\x7e\xf6\x6e\xe2\x88\xd5\xd5\xb2\xb7\x2d\x09\x77\x67\x25\xea\xf7\x70\xef\x1e\xe4\xec\x08\x9c\x1d\xbc\xdb\x87\xb8\x64\xac\x3f\xab\xdb\xf4\x1d\x9d\xd3\x5a\xd4\x20\x09\x88\x89\xe1\xf5\x30\x30\x51\x47\xbe\x9e\x5c\x67\x09\xec\x22\xbe\x9
0\x76\x24\x1d\xc4\xbf\x66\x07\x9f\xda\x5f\x19\x0d\x26\xd5\x97\x7a\x4f\x2d\xf8\xb5\x43\x3d\xa1\x2f", 1024); memcpy((void*)0x100006c0, "\x9f\x53\x8c\x90\xe8\x71\x04\x1e\x5c\x20\xe4\xce\x66\x04\x6a\x7c\x61\x62\x41\xa9\x68\x0d\x85\x39\x86\x6c\x5a\x96\xb1\xc8\xec\xc9", 32); *(uint32_t*)0x100006e0 = 0x80000000; *(uint8_t*)0x100006e4 = 1; *(uint32_t*)0x100006e8 = 0x10000240; memcpy((void*)0x10000240, "\x18\x16\x7d\x15\x01\x22\x4b\xdd\xd4\x8f\xc6\xe3\xf8\x83\xd8\xf2\xdd\x60\xa2\xfa\xd4\x0d\x6c\x15\x20\xc6\xc5\x1f\x84\xce\xdc\xc5\x71\xc2\xe3\x2e\x14\xab\xf4\x47\x28\x3e\x87\xa5\xf3\xf7\x81\xbd\xba\x00\x1c\x54\xed\xae\xda\x7a\xa8\x8c\x19\x11\xf5\x4c\x8f\x0a\x9a\x42\xdc\xe4\x95\x08\x27\x5d\xce\x74\xfd\x73\xcd\xab\x1e\xab\xf8\xaa\x10\x4c\x74\xf7\xc3\xbb\x54\xd0\x50\x0a\xfc\x2b\x97", 95); *(uint64_t*)0x100006ec = 0x9621; *(uint64_t*)0x100006f4 = 2; *(uint64_t*)0x100006fc = 8; *(uint64_t*)0x10000704 = 0x800; *(uint64_t*)0x1000070c = 3; *(uint64_t*)0x10000714 = 0x10001; *(uint64_t*)0x1000071c = 0xfa; *(uint32_t*)0x10000724 = 0x7fff; syscall(SYS_ioctl, -1, 0xc44c444a, 0x100002c0); break; case 6: memcpy((void*)0x10000740, "/dev/pf\000", 8); res = syscall(SYS_openat, 0xffffff9c, 0x10000740, 0x800, 0); if (res != -1) r[1] = res; break; case 7: *(uint8_t*)0x10000800 = 0x10; *(uint32_t*)0x10000804 = 0x10000780; memcpy((void*)0x10000780, "\x85\xdf\xfe\xfc\x4e\xfc\xb1\xb4\x01\x6c\x84\x2d\x2c\xc4\xb4\x5b\xfa\x06\x4e\x55\x86\x99\x99\xbf\x61\x37\x68\x94\x06\x75\x4f\xe7\xc0\xb1\x79\x02\x9f\x2f\x35\xc5\x16\xd9\x32\x31\xa1\x04\x81\x3e\xa2\x6f\x8f\xf7\xf1\xcf\x84\x81\x88\xd9\xd0\xb6\x26\x05\x00\x40\x2d\xdc\xa3\x6f\xe8\xe1\xcd\x0a\xd5\xe8\x18\x56\xa2\xf9\xf9\x83\xf5\x98\x1a\xce\x98\x9e\x97\x6f", 88); *(uint32_t*)0x10000808 = 0x40000000; *(uint32_t*)0x1000080c = 0xff; *(uint32_t*)0x10000810 = 0x10001; syscall(SYS_ioctl, (intptr_t)r[1], 0xc0244457, 0x10000800); break; case 8: syscall(SYS_mmap, 0x10ffc000, 0x3000, 2, 0x10, (intptr_t)r[0], 0); break; case 9: *(uint32_t*)0x10000840 = 0; 
*(uint16_t*)0x10000844 = 0x8001; *(uint16_t*)0x10000846 = 4; *(uint16_t*)0x10000848 = 0x3f; *(uint16_t*)0x1000084a = -1; *(uint16_t*)0x1000084c = 0x20; *(uint16_t*)0x1000084e = 4; *(uint32_t*)0x10000880 = 0x10; syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 0x901, 0x10000840, 0x10000880); break; case 10: memcpy((void*)0x10000100, "\x65\xfc\x67\x0f\xa8\x66\xdb\xd3\xc4\xc1\xd1\x5f\xf2\xc4\xc1\x8d\xfa\xf2\xc4\xe2\x55\x3f\xd8\xc4\xe1\xb1\x7c\x60\x99\x66\x0f\x3a\x09\xc1\x89\x82\x83\xdf\x00\x00\x00\xfe\xc4\xc2\x91\x91\x5c\x86\x99", 49); syz_execute_func(0x10000100); break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); setup_fault(); do_sandbox_none(); return 0; } :149:13: error: unused function 'csum_inet_init' [-Werror,-Wunused-function] static void csum_inet_init(struct csum_inet* csum) ^ :154:13: error: unused function 'csum_inet_update' [-Werror,-Wunused-function] static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) ^ :167:17: error: unused function 'csum_inet_digest' [-Werror,-Wunused-function] static uint16_t csum_inet_digest(struct csum_inet* csum) ^ 3 errors generated. 
compiler invocation: clang [-o /tmp/syz-executor923726932 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/8 (1.10s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: extattr_delete_file(&(0x7f0000000000)='./file0\x00', 0x1, &(0x7f0000000040)='/{[-*-:#!@(*\x00') (fail_nth: 1) r0 = accept4$inet6(0xffffffffffffffff, &(0x7f0000000080)={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @remote}, &(0x7f00000000c0)=0x1c, 0x30000000) utimensat(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', &(0x7f0000000140)={{0x7, 0x7}, {0x7, 0x5}}, 0x4000) setsockopt$inet_sctp_SCTP_EXPLICIT_EOR(0xffffffffffffffff, 0x84, 0x1b, &(0x7f0000000180)=0x2, 0x4) shm_open2(&(0x7f00000001c0)='./file1\x00', 0x0, 0x100, 0x4, &(0x7f0000000200)=')/,&o\x00') ioctl$DIOCRSETTFLAGS(0xffffffffffffffff, 0xc44c444a, &(0x7f00000002c0)={{"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", "9f538c90e871041e5c20e4ce66046a7c616241a9680d8539866c5a96b1c8ecc9", 0x80000000, 0x1}, &(0x7f0000000240)="18167d1501224bddd48fc6e3f883d8f2dd60a2fad40d6c1520c6c51f84cedcc571c2e32e14abf447283e87a5f3f781bdba001c54edaeda7aa88c1911f54c8f0a9a42dce49508275dce74fd73cdab1eabf8aa104c74f7c3bb54d0500afc2b97", 0x9621, 0x2, 0x8, 0x800, 0x3, 0x10001, 0xfa, 0x7fff}) r1 = openat$ptmx(0xffffff9c, &(0x7f0000000740), 0x800, 0x0) ioctl$DIOCIGETIFACES(r1, 0xc0244457, &(0x7f0000000800)={0x10, 
&(0x7f0000000780)="85dffefc4efcb1b4016c842d2cc4b45bfa064e55869999bf6137689406754fe7c0b179029f2f35c516d93231a104813ea26f8ff7f1cf848188d9d0b6260500402ddca36fe8e1cd0ad5e81856a2f9f983f5981ace989e976f", 0x40000000, 0xff, 0x10001}) mmap(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2, 0x10, r0, 0x0) getsockopt$inet6_sctp_SCTP_RESET_STREAMS(r0, 0x84, 0x901, &(0x7f0000000840)={0x0, 0x8001, 0x4, [0x3f, 0xffff, 0x20, 0x4]}, &(0x7f0000000880)=0x10) syz_emit_ethernet(0xf3, &(0x7f0000000000)={@local, @local, [{[], {0x8100, 0x6, 0x1, 0x2}}], {@ipv4={0x800, {{0x9, 0x4, 0x2, 0x7, 0xe1, 0x65, 0x878, 0x4, 0x4d, 0x0, @empty, @multicast1, {[@generic={0x44, 0xd, "4de51ab866bb431c3dc521"}, @noop, @noop]}}, @generic="5ace0f0ff30bd68564f743a2ef2821a21c197ab27f80fcd10e900d506ab328909d636f25df603ad9e4ee16761ee679e24d1854d5cdd65b0172c27bed2165fdda7aa45a333f06d92d8d2beb389dcbc153d4e96a2792c39f0e07a5392ed08d386b6bf96b8f5801558093c009e7accdc8456fe898abba673e55c1330ee9454f4c2017e5e474c63c853817170734473727a7c0566eaf2be05daa6ed143d3ea4f0b39b87a60d41ed2d8ffd00e6472c06a0e8a98fae4c68ae1314f968bb3b931"}}}}) syz_execute_func(&(0x7f0000000100)="65fc670fa866dbd3c4c1d15ff2c4c18dfaf2c4e2553fd8c4e1b17c6099660f3a09c1898283df000000fec4c291915c8699") syz_extract_tcp_res(&(0x7f0000000140), 0x401, 0x1) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = 
"./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static int inject_fault(int nth) { return 0; } static void setup_fault() { } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); 
uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); 
thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef SYS_shm_open2 #define SYS_shm_open2 571 #endif uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); memcpy((void*)0x10000040, "/{[-*-:#!@(*\000", 13); inject_fault(1); syscall(SYS_extattr_delete_file, 0x10000000, 1, 0x10000040); break; case 1: *(uint32_t*)0x100000c0 = 0x1c; res = syscall(SYS_accept4, -1, 0x10000080, 0x100000c0, 0x30000000); if (res != -1) r[0] = res; break; case 2: memcpy((void*)0x10000100, "./file0\000", 8); *(uint32_t*)0x10000140 = 7; *(uint32_t*)0x10000144 = 7; *(uint32_t*)0x10000148 = 7; *(uint32_t*)0x1000014c = 5; syscall(SYS_utimensat, -1, 0x10000100, 0x10000140, 0x4000); break; case 3: *(uint32_t*)0x10000180 = 2; syscall(SYS_setsockopt, -1, 0x84, 0x1b, 0x10000180, 4); break; case 4: memcpy((void*)0x100001c0, "./file1\000", 8); memcpy((void*)0x10000200, ")/,&o\000", 6); syscall(SYS_shm_open2, 0x100001c0, 0, 0x100, 4, 0x10000200); break; case 5: memcpy((void*)0x100002c0, 
"\x99\xdb\x9c\xfd\x2a\xc3\x80\x5e\x5c\x41\x44\x73\xfb\x35\xf0\xdc\x56\x95\x09\x24\xb8\x94\xab\x78\x61\xea\x0b\x42\x08\x4c\x29\x7d\x5c\x37\x16\x93\x5f\x49\x47\xbb\x1b\x6f\x0c\xee\x80\x31\xe0\xa4\x32\x51\xc5\xc3\xcc\x4c\x19\xc1\xab\x43\x6a\x79\xdf\x65\x33\x23\x3b\xaf\x31\x8c\x6c\xeb\x2c\x35\x46\x9f\xf0\x7a\x65\x90\x51\x8b\x57\xef\x97\x14\x05\x05\x6e\xfc\x80\xd5\xf5\xf4\x28\x81\x8f\xb3\x7a\x2e\x2e\xcd\xb5\xee\x34\xef\xf8\x92\x23\x92\x54\x73\xb8\xef\x06\x3f\x69\x9b\xf0\x06\xf5\xf4\x41\xca\xcd\xf4\x74\x82\xbf\x43\x16\x93\xaf\x0d\xfd\x4a\xae\x73\xd6\x63\xf8\xbf\x69\x5f\x16\x23\x65\x8d\x31\x9f\x25\xfb\x04\x25\xcc\x53\xf6\xb5\x60\xf8\xaa\x39\x20\x11\xf8\xd9\x05\x33\x27\xec\xe9\xb0\xa4\x52\x91\xc8\x23\x70\xca\x8c\x7d\x35\x7c\xc3\x8f\x7e\x82\x11\x48\xce\x01\x3e\x78\xa5\x4c\x1f\x2c\x14\x3d\x88\x85\xd2\xf3\xb0\x9c\xeb\x63\xc2\xa9\x0f\xe2\x46\xc1\x35\x88\xad\xb9\x77\x99\x93\x95\xa0\x06\xb7\x67\xb5\xf0\x3f\xb3\x8a\xb2\xdb\x97\x81\x63\x25\xd9\x5e\xfe\xee\xb0\x71\x21\x2b\x2b\xf0\x59\x5c\x09\x96\x28\x73\x3f\x29\x45\x4f\xbb\x97\x36\x7d\x42\xde\xc2\xb0\x1e\x8c\x66\x60\x49\xbc\x8f\x83\xe4\x63\x97\x35\x45\x9b\xd8\xf1\x93\x5a\x17\xd4\xd2\xb8\xea\x23\x59\x08\x55\x1c\x19\x6f\x3d\xfa\x34\x84\x45\x11\x32\x90\x8e\x5c\xfe\x22\xe5\x37\xbf\x83\x4f\xd8\x7a\x77\xc6\x89\xba\x5f\x8c\x59\x9d\xcf\xb4\xd8\x25\xcd\x57\x47\xb2\xa9\x0e\x19\x5d\xc0\x2f\x9e\x8c\xa0\x47\x45\xf3\x36\xe1\xb0\x4a\x3c\x7a\x0e\x58\xbb\x6f\x17\xaf\xf7\x55\xb9\x15\x33\x4d\x57\x04\x86\x46\xfb\xf3\xaa\x24\x4a\x46\x43\x7c\xe8\x9c\xa2\xc0\xa7\x2d\x1b\x71\xfe\xec\xc0\xaf\xdc\xf4\x69\x1b\xce\x0b\x11\xf3\x2c\x63\x2f\xa6\x14\x7d\xbc\xaa\x8b\xed\x3f\x20\x67\xb8\x7c\x4e\x7d\xb3\x7e\xba\x3c\x6d\xb7\x27\x0d\x0d\xde\x21\xa6\x40\x13\xc7\x98\x0b\xef\xc4\x93\xcc\xe3\x08\xc4\xbb\xd1\x02\xcc\x77\x04\xb9\x27\x92\x62\x12\xee\xff\xe9\x26\xb3\xc9\x11\xec\x7a\xcf\xb8\x99\xf5\x21\xdc\x93\x25\xbf\xf6\x07\x3b\x5c\x13\xee\xb2\xaa\xd7\x6a\x4c\x3d\x5c\x48\xcd\xcc\xd0\xab\xea\x1a\xb9\xab\x39\x95\x85\x9c\xfd\x11\xe5\x44\x9e\xfb\x30\x51\x2a\x17\xe1\x7f\xcd\x35\x7
b\x1f\x69\x34\xd4\xab\x0d\x27\xc8\x61\x55\x83\x8f\x93\x9e\x7a\x80\x1d\x32\xac\x49\xca\x9e\xf4\x62\x8d\xcb\x19\x4c\x79\x97\x77\x5b\x69\xc1\x13\x12\x58\x4c\xaa\xa6\x75\x37\xc1\x83\x5b\x27\x4e\x4e\xcd\x58\xe8\x36\xfe\x2d\x53\xff\x93\x90\xb3\x4d\xb4\x85\xf8\x9b\x87\x1a\xb7\xf1\xe5\xe6\x9f\x86\x40\xb8\xfa\x5a\x70\x46\x61\xa5\x88\x19\xe1\x25\x77\x5b\xe4\xe4\x87\xf8\xcc\x4d\x3e\x9c\x11\x45\xf5\x78\x1a\x69\x0e\x42\x05\x66\xb5\xed\x39\x26\x7c\xe4\x43\x1d\xf9\x61\x0f\xa7\x7e\xbf\x82\x54\xf1\x60\xf4\x06\x8c\x5f\xde\xcd\xc8\xf9\xcf\x66\x71\x51\x3d\xfc\xf6\x4d\xc7\xa3\x7a\x92\x7b\xfc\xeb\x07\x62\x48\x8b\x7d\xec\x6d\xf1\x8f\x80\x27\xba\xe0\x91\xd8\x5d\x0d\xed\x0f\x72\x10\x8e\x5c\x21\xdd\xaf\x28\xef\x52\xf4\x24\x67\x7a\xb3\xfa\x1e\xab\xb6\xd3\x47\x78\x99\x65\xce\xb8\xbb\x45\x19\x35\x95\x8c\xc5\xba\x87\xf4\x64\x98\x78\x35\x00\x31\x9a\x2d\xf3\xed\x16\x8a\xf5\x35\x81\x54\x5d\xde\xa2\xd0\x51\x55\x16\xbf\xbf\x8f\xea\x62\xa7\x60\x19\x34\x79\xc7\x7e\x73\xa7\x9d\xbf\xa8\x21\x18\xc0\x13\xbf\x41\x8d\x35\x30\xc2\x0e\x7f\x47\xdd\xd8\xba\x80\xa0\x23\xde\x38\x3b\x54\x5c\x29\xfc\x63\x38\xf2\x77\xa7\x3b\xaf\x46\x55\x1e\x85\x50\x60\xb9\x91\x84\xc5\x4d\x1c\x11\xd3\xf7\x44\xac\xb0\x2e\x5b\x12\x6d\xf5\xa1\x05\x71\x65\x6b\xa6\xab\xb5\xe4\xef\x94\x06\xc2\xf5\x38\x0e\x69\x1e\x46\xa4\xca\x1c\x5d\xd7\xfc\x87\xd0\x81\xca\x94\xcd\x5a\xb7\xfb\x45\xa4\x8c\x68\x0f\xab\x76\x1f\x9b\x1a\x17\xbe\x44\x9d\x74\xf1\x29\x1b\x85\x9c\x37\xba\x01\x91\xb0\x09\x98\xb7\x84\x29\x33\x43\x90\x02\xca\x81\x7b\xd3\xf5\x14\x04\x81\xc9\x57\xfe\x95\xea\x9a\x50\xd0\x5b\xc2\x7f\x1c\x0f\x8d\xbc\x26\x7c\x50\x77\x6c\x77\x4a\x69\x49\x22\xa5\xce\x1c\xc8\xfd\x7e\x14\x78\xa3\xe2\xcc\x58\xf5\x70\xac\xda\x3a\x16\xca\xd5\x66\x7e\x28\xd2\x45\xdd\x78\xc7\x8e\x5e\x35\x00\xe0\xae\xe9\x1f\x10\xb6\xfc\x29\xd0\xd1\xbd\xfa\xae\x7e\xf6\x6e\xe2\x88\xd5\xd5\xb2\xb7\x2d\x09\x77\x67\x25\xea\xf7\x70\xef\x1e\xe4\xec\x08\x9c\x1d\xbc\xdb\x87\xb8\x64\xac\x3f\xab\xdb\xf4\x1d\x9d\xd3\x5a\xd4\x20\x09\x88\x89\xe1\xf5\x30\x30\x51\x47\xbe\x9e\x5c\x67\x09\xec\x22\xbe\x9
0\x76\x24\x1d\xc4\xbf\x66\x07\x9f\xda\x5f\x19\x0d\x26\xd5\x97\x7a\x4f\x2d\xf8\xb5\x43\x3d\xa1\x2f", 1024); memcpy((void*)0x100006c0, "\x9f\x53\x8c\x90\xe8\x71\x04\x1e\x5c\x20\xe4\xce\x66\x04\x6a\x7c\x61\x62\x41\xa9\x68\x0d\x85\x39\x86\x6c\x5a\x96\xb1\xc8\xec\xc9", 32); *(uint32_t*)0x100006e0 = 0x80000000; *(uint8_t*)0x100006e4 = 1; *(uint32_t*)0x100006e8 = 0x10000240; memcpy((void*)0x10000240, "\x18\x16\x7d\x15\x01\x22\x4b\xdd\xd4\x8f\xc6\xe3\xf8\x83\xd8\xf2\xdd\x60\xa2\xfa\xd4\x0d\x6c\x15\x20\xc6\xc5\x1f\x84\xce\xdc\xc5\x71\xc2\xe3\x2e\x14\xab\xf4\x47\x28\x3e\x87\xa5\xf3\xf7\x81\xbd\xba\x00\x1c\x54\xed\xae\xda\x7a\xa8\x8c\x19\x11\xf5\x4c\x8f\x0a\x9a\x42\xdc\xe4\x95\x08\x27\x5d\xce\x74\xfd\x73\xcd\xab\x1e\xab\xf8\xaa\x10\x4c\x74\xf7\xc3\xbb\x54\xd0\x50\x0a\xfc\x2b\x97", 95); *(uint64_t*)0x100006ec = 0x9621; *(uint64_t*)0x100006f4 = 2; *(uint64_t*)0x100006fc = 8; *(uint64_t*)0x10000704 = 0x800; *(uint64_t*)0x1000070c = 3; *(uint64_t*)0x10000714 = 0x10001; *(uint64_t*)0x1000071c = 0xfa; *(uint32_t*)0x10000724 = 0x7fff; syscall(SYS_ioctl, -1, 0xc44c444a, 0x100002c0); break; case 6: memcpy((void*)0x10000740, "/dev/pf\000", 8); res = syscall(SYS_openat, 0xffffff9c, 0x10000740, 0x800, 0); if (res != -1) r[1] = res; break; case 7: *(uint8_t*)0x10000800 = 0x10; *(uint32_t*)0x10000804 = 0x10000780; memcpy((void*)0x10000780, "\x85\xdf\xfe\xfc\x4e\xfc\xb1\xb4\x01\x6c\x84\x2d\x2c\xc4\xb4\x5b\xfa\x06\x4e\x55\x86\x99\x99\xbf\x61\x37\x68\x94\x06\x75\x4f\xe7\xc0\xb1\x79\x02\x9f\x2f\x35\xc5\x16\xd9\x32\x31\xa1\x04\x81\x3e\xa2\x6f\x8f\xf7\xf1\xcf\x84\x81\x88\xd9\xd0\xb6\x26\x05\x00\x40\x2d\xdc\xa3\x6f\xe8\xe1\xcd\x0a\xd5\xe8\x18\x56\xa2\xf9\xf9\x83\xf5\x98\x1a\xce\x98\x9e\x97\x6f", 88); *(uint32_t*)0x10000808 = 0x40000000; *(uint32_t*)0x1000080c = 0xff; *(uint32_t*)0x10000810 = 0x10001; syscall(SYS_ioctl, (intptr_t)r[1], 0xc0244457, 0x10000800); break; case 8: syscall(SYS_mmap, 0x10ffc000, 0x3000, 2, 0x10, (intptr_t)r[0], 0); break; case 9: *(uint32_t*)0x10000840 = 0; 
*(uint16_t*)0x10000844 = 0x8001; *(uint16_t*)0x10000846 = 4; *(uint16_t*)0x10000848 = 0x3f; *(uint16_t*)0x1000084a = -1; *(uint16_t*)0x1000084c = 0x20; *(uint16_t*)0x1000084e = 4; *(uint32_t*)0x10000880 = 0x10; syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 0x901, 0x10000840, 0x10000880); break; case 10: memcpy((void*)0x10000100, "\x65\xfc\x67\x0f\xa8\x66\xdb\xd3\xc4\xc1\xd1\x5f\xf2\xc4\xc1\x8d\xfa\xf2\xc4\xe2\x55\x3f\xd8\xc4\xe1\xb1\x7c\x60\x99\x66\x0f\x3a\x09\xc1\x89\x82\x83\xdf\x00\x00\x00\xfe\xc4\xc2\x91\x91\x5c\x86\x99", 49); syz_execute_func(0x10000100); break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); setup_fault(); use_temporary_dir(); loop(); return 0; } :194:13: error: unused function 'csum_inet_init' [-Werror,-Wunused-function] static void csum_inet_init(struct csum_inet* csum) ^ :199:13: error: unused function 'csum_inet_update' [-Werror,-Wunused-function] static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) ^ :212:17: error: unused function 'csum_inet_digest' [-Werror,-Wunused-function] static uint16_t csum_inet_digest(struct csum_inet* csum) ^ 3 errors generated. 
compiler invocation: clang [-o /tmp/syz-executor374443686 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/14 (1.13s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:true LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: extattr_delete_file(&(0x7f0000000000)='./file0\x00', 0x1, &(0x7f0000000040)='/{[-*-:#!@(*\x00') (fail_nth: 1) r0 = accept4$inet6(0xffffffffffffffff, &(0x7f0000000080)={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @remote}, &(0x7f00000000c0)=0x1c, 0x30000000) utimensat(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', &(0x7f0000000140)={{0x7, 0x7}, {0x7, 0x5}}, 0x4000) setsockopt$inet_sctp_SCTP_EXPLICIT_EOR(0xffffffffffffffff, 0x84, 0x1b, &(0x7f0000000180)=0x2, 0x4) shm_open2(&(0x7f00000001c0)='./file1\x00', 0x0, 0x100, 0x4, &(0x7f0000000200)=')/,&o\x00') ioctl$DIOCRSETTFLAGS(0xffffffffffffffff, 0xc44c444a, &(0x7f00000002c0)={{"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", "9f538c90e871041e5c20e4ce66046a7c616241a9680d8539866c5a96b1c8ecc9", 0x80000000, 0x1}, &(0x7f0000000240)="18167d1501224bddd48fc6e3f883d8f2dd60a2fad40d6c1520c6c51f84cedcc571c2e32e14abf447283e87a5f3f781bdba001c54edaeda7aa88c1911f54c8f0a9a42dce49508275dce74fd73cdab1eabf8aa104c74f7c3bb54d0500afc2b97", 0x9621, 0x2, 0x8, 0x800, 0x3, 0x10001, 0xfa, 0x7fff}) r1 = openat$ptmx(0xffffff9c, &(0x7f0000000740), 0x800, 0x0) ioctl$DIOCIGETIFACES(r1, 0xc0244457, &(0x7f0000000800)={0x10, 
&(0x7f0000000780)="85dffefc4efcb1b4016c842d2cc4b45bfa064e55869999bf6137689406754fe7c0b179029f2f35c516d93231a104813ea26f8ff7f1cf848188d9d0b6260500402ddca36fe8e1cd0ad5e81856a2f9f983f5981ace989e976f", 0x40000000, 0xff, 0x10001}) mmap(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2, 0x10, r0, 0x0) getsockopt$inet6_sctp_SCTP_RESET_STREAMS(r0, 0x84, 0x901, &(0x7f0000000840)={0x0, 0x8001, 0x4, [0x3f, 0xffff, 0x20, 0x4]}, &(0x7f0000000880)=0x10) syz_emit_ethernet(0xf3, &(0x7f0000000000)={@local, @local, [{[], {0x8100, 0x6, 0x1, 0x2}}], {@ipv4={0x800, {{0x9, 0x4, 0x2, 0x7, 0xe1, 0x65, 0x878, 0x4, 0x4d, 0x0, @empty, @multicast1, {[@generic={0x44, 0xd, "4de51ab866bb431c3dc521"}, @noop, @noop]}}, @generic="5ace0f0ff30bd68564f743a2ef2821a21c197ab27f80fcd10e900d506ab328909d636f25df603ad9e4ee16761ee679e24d1854d5cdd65b0172c27bed2165fdda7aa45a333f06d92d8d2beb389dcbc153d4e96a2792c39f0e07a5392ed08d386b6bf96b8f5801558093c009e7accdc8456fe898abba673e55c1330ee9454f4c2017e5e474c63c853817170734473727a7c0566eaf2be05daa6ed143d3ea4f0b39b87a60d41ed2d8ffd00e6472c06a0e8a98fae4c68ae1314f968bb3b931"}}}}) syz_execute_func(&(0x7f0000000100)="65fc670fa866dbd3c4c1d15ff2c4c18dfaf2c4e2553fd8c4e1b17c6099660f3a09c1898283df000000fec4c291915c8699") syz_extract_tcp_res(&(0x7f0000000140), 0x401, 0x1) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = 
"./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static int inject_fault(int nth) { return 0; } static void setup_fault() { } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); 
uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static 
int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { fprintf(stderr, "### start\n"); int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef SYS_shm_open2 #define SYS_shm_open2 571 #endif uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); memcpy((void*)0x10000040, "/{[-*-:#!@(*\000", 13); inject_fault(1); res = syscall(SYS_extattr_delete_file, 0x10000000, 1, 0x10000040); fprintf(stderr, "### call=0 errno=%u\n", res == -1 ? 
errno : 0); break; case 1: *(uint32_t*)0x100000c0 = 0x1c; res = syscall(SYS_accept4, -1, 0x10000080, 0x100000c0, 0x30000000); fprintf(stderr, "### call=1 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[0] = res; break; case 2: memcpy((void*)0x10000100, "./file0\000", 8); *(uint32_t*)0x10000140 = 7; *(uint32_t*)0x10000144 = 7; *(uint32_t*)0x10000148 = 7; *(uint32_t*)0x1000014c = 5; res = syscall(SYS_utimensat, -1, 0x10000100, 0x10000140, 0x4000); fprintf(stderr, "### call=2 errno=%u\n", res == -1 ? errno : 0); break; case 3: *(uint32_t*)0x10000180 = 2; res = syscall(SYS_setsockopt, -1, 0x84, 0x1b, 0x10000180, 4); fprintf(stderr, "### call=3 errno=%u\n", res == -1 ? errno : 0); break; case 4: memcpy((void*)0x100001c0, "./file1\000", 8); memcpy((void*)0x10000200, ")/,&o\000", 6); res = syscall(SYS_shm_open2, 0x100001c0, 0, 0x100, 4, 0x10000200); fprintf(stderr, "### call=4 errno=%u\n", res == -1 ? errno : 0); break; case 5: memcpy((void*)0x100002c0, "\x99\xdb\x9c\xfd\x2a\xc3\x80\x5e\x5c\x41\x44\x73\xfb\x35\xf0\xdc\x56\x95\x09\x24\xb8\x94\xab\x78\x61\xea\x0b\x42\x08\x4c\x29\x7d\x5c\x37\x16\x93\x5f\x49\x47\xbb\x1b\x6f\x0c\xee\x80\x31\xe0\xa4\x32\x51\xc5\xc3\xcc\x4c\x19\xc1\xab\x43\x6a\x79\xdf\x65\x33\x23\x3b\xaf\x31\x8c\x6c\xeb\x2c\x35\x46\x9f\xf0\x7a\x65\x90\x51\x8b\x57\xef\x97\x14\x05\x05\x6e\xfc\x80\xd5\xf5\xf4\x28\x81\x8f\xb3\x7a\x2e\x2e\xcd\xb5\xee\x34\xef\xf8\x92\x23\x92\x54\x73\xb8\xef\x06\x3f\x69\x9b\xf0\x06\xf5\xf4\x41\xca\xcd\xf4\x74\x82\xbf\x43\x16\x93\xaf\x0d\xfd\x4a\xae\x73\xd6\x63\xf8\xbf\x69\x5f\x16\x23\x65\x8d\x31\x9f\x25\xfb\x04\x25\xcc\x53\xf6\xb5\x60\xf8\xaa\x39\x20\x11\xf8\xd9\x05\x33\x27\xec\xe9\xb0\xa4\x52\x91\xc8\x23\x70\xca\x8c\x7d\x35\x7c\xc3\x8f\x7e\x82\x11\x48\xce\x01\x3e\x78\xa5\x4c\x1f\x2c\x14\x3d\x88\x85\xd2\xf3\xb0\x9c\xeb\x63\xc2\xa9\x0f\xe2\x46\xc1\x35\x88\xad\xb9\x77\x99\x93\x95\xa0\x06\xb7\x67\xb5\xf0\x3f\xb3\x8a\xb2\xdb\x97\x81\x63\x25\xd9\x5e\xfe\xee\xb0\x71\x21\x2b\x2b\xf0\x59\x5c\x09\x96\x28\x73\x3f\x29\x45\x4f\xbb\x97\x36\x7d
\x42\xde\xc2\xb0\x1e\x8c\x66\x60\x49\xbc\x8f\x83\xe4\x63\x97\x35\x45\x9b\xd8\xf1\x93\x5a\x17\xd4\xd2\xb8\xea\x23\x59\x08\x55\x1c\x19\x6f\x3d\xfa\x34\x84\x45\x11\x32\x90\x8e\x5c\xfe\x22\xe5\x37\xbf\x83\x4f\xd8\x7a\x77\xc6\x89\xba\x5f\x8c\x59\x9d\xcf\xb4\xd8\x25\xcd\x57\x47\xb2\xa9\x0e\x19\x5d\xc0\x2f\x9e\x8c\xa0\x47\x45\xf3\x36\xe1\xb0\x4a\x3c\x7a\x0e\x58\xbb\x6f\x17\xaf\xf7\x55\xb9\x15\x33\x4d\x57\x04\x86\x46\xfb\xf3\xaa\x24\x4a\x46\x43\x7c\xe8\x9c\xa2\xc0\xa7\x2d\x1b\x71\xfe\xec\xc0\xaf\xdc\xf4\x69\x1b\xce\x0b\x11\xf3\x2c\x63\x2f\xa6\x14\x7d\xbc\xaa\x8b\xed\x3f\x20\x67\xb8\x7c\x4e\x7d\xb3\x7e\xba\x3c\x6d\xb7\x27\x0d\x0d\xde\x21\xa6\x40\x13\xc7\x98\x0b\xef\xc4\x93\xcc\xe3\x08\xc4\xbb\xd1\x02\xcc\x77\x04\xb9\x27\x92\x62\x12\xee\xff\xe9\x26\xb3\xc9\x11\xec\x7a\xcf\xb8\x99\xf5\x21\xdc\x93\x25\xbf\xf6\x07\x3b\x5c\x13\xee\xb2\xaa\xd7\x6a\x4c\x3d\x5c\x48\xcd\xcc\xd0\xab\xea\x1a\xb9\xab\x39\x95\x85\x9c\xfd\x11\xe5\x44\x9e\xfb\x30\x51\x2a\x17\xe1\x7f\xcd\x35\x7b\x1f\x69\x34\xd4\xab\x0d\x27\xc8\x61\x55\x83\x8f\x93\x9e\x7a\x80\x1d\x32\xac\x49\xca\x9e\xf4\x62\x8d\xcb\x19\x4c\x79\x97\x77\x5b\x69\xc1\x13\x12\x58\x4c\xaa\xa6\x75\x37\xc1\x83\x5b\x27\x4e\x4e\xcd\x58\xe8\x36\xfe\x2d\x53\xff\x93\x90\xb3\x4d\xb4\x85\xf8\x9b\x87\x1a\xb7\xf1\xe5\xe6\x9f\x86\x40\xb8\xfa\x5a\x70\x46\x61\xa5\x88\x19\xe1\x25\x77\x5b\xe4\xe4\x87\xf8\xcc\x4d\x3e\x9c\x11\x45\xf5\x78\x1a\x69\x0e\x42\x05\x66\xb5\xed\x39\x26\x7c\xe4\x43\x1d\xf9\x61\x0f\xa7\x7e\xbf\x82\x54\xf1\x60\xf4\x06\x8c\x5f\xde\xcd\xc8\xf9\xcf\x66\x71\x51\x3d\xfc\xf6\x4d\xc7\xa3\x7a\x92\x7b\xfc\xeb\x07\x62\x48\x8b\x7d\xec\x6d\xf1\x8f\x80\x27\xba\xe0\x91\xd8\x5d\x0d\xed\x0f\x72\x10\x8e\x5c\x21\xdd\xaf\x28\xef\x52\xf4\x24\x67\x7a\xb3\xfa\x1e\xab\xb6\xd3\x47\x78\x99\x65\xce\xb8\xbb\x45\x19\x35\x95\x8c\xc5\xba\x87\xf4\x64\x98\x78\x35\x00\x31\x9a\x2d\xf3\xed\x16\x8a\xf5\x35\x81\x54\x5d\xde\xa2\xd0\x51\x55\x16\xbf\xbf\x8f\xea\x62\xa7\x60\x19\x34\x79\xc7\x7e\x73\xa7\x9d\xbf\xa8\x21\x18\xc0\x13\xbf\x41\x8d\x35\x30\xc2\x0e\x7f\x47\xdd\xd8\xba\x80\xa0
\x23\xde\x38\x3b\x54\x5c\x29\xfc\x63\x38\xf2\x77\xa7\x3b\xaf\x46\x55\x1e\x85\x50\x60\xb9\x91\x84\xc5\x4d\x1c\x11\xd3\xf7\x44\xac\xb0\x2e\x5b\x12\x6d\xf5\xa1\x05\x71\x65\x6b\xa6\xab\xb5\xe4\xef\x94\x06\xc2\xf5\x38\x0e\x69\x1e\x46\xa4\xca\x1c\x5d\xd7\xfc\x87\xd0\x81\xca\x94\xcd\x5a\xb7\xfb\x45\xa4\x8c\x68\x0f\xab\x76\x1f\x9b\x1a\x17\xbe\x44\x9d\x74\xf1\x29\x1b\x85\x9c\x37\xba\x01\x91\xb0\x09\x98\xb7\x84\x29\x33\x43\x90\x02\xca\x81\x7b\xd3\xf5\x14\x04\x81\xc9\x57\xfe\x95\xea\x9a\x50\xd0\x5b\xc2\x7f\x1c\x0f\x8d\xbc\x26\x7c\x50\x77\x6c\x77\x4a\x69\x49\x22\xa5\xce\x1c\xc8\xfd\x7e\x14\x78\xa3\xe2\xcc\x58\xf5\x70\xac\xda\x3a\x16\xca\xd5\x66\x7e\x28\xd2\x45\xdd\x78\xc7\x8e\x5e\x35\x00\xe0\xae\xe9\x1f\x10\xb6\xfc\x29\xd0\xd1\xbd\xfa\xae\x7e\xf6\x6e\xe2\x88\xd5\xd5\xb2\xb7\x2d\x09\x77\x67\x25\xea\xf7\x70\xef\x1e\xe4\xec\x08\x9c\x1d\xbc\xdb\x87\xb8\x64\xac\x3f\xab\xdb\xf4\x1d\x9d\xd3\x5a\xd4\x20\x09\x88\x89\xe1\xf5\x30\x30\x51\x47\xbe\x9e\x5c\x67\x09\xec\x22\xbe\x90\x76\x24\x1d\xc4\xbf\x66\x07\x9f\xda\x5f\x19\x0d\x26\xd5\x97\x7a\x4f\x2d\xf8\xb5\x43\x3d\xa1\x2f", 1024); memcpy((void*)0x100006c0, "\x9f\x53\x8c\x90\xe8\x71\x04\x1e\x5c\x20\xe4\xce\x66\x04\x6a\x7c\x61\x62\x41\xa9\x68\x0d\x85\x39\x86\x6c\x5a\x96\xb1\xc8\xec\xc9", 32); *(uint32_t*)0x100006e0 = 0x80000000; *(uint8_t*)0x100006e4 = 1; *(uint32_t*)0x100006e8 = 0x10000240; memcpy((void*)0x10000240, "\x18\x16\x7d\x15\x01\x22\x4b\xdd\xd4\x8f\xc6\xe3\xf8\x83\xd8\xf2\xdd\x60\xa2\xfa\xd4\x0d\x6c\x15\x20\xc6\xc5\x1f\x84\xce\xdc\xc5\x71\xc2\xe3\x2e\x14\xab\xf4\x47\x28\x3e\x87\xa5\xf3\xf7\x81\xbd\xba\x00\x1c\x54\xed\xae\xda\x7a\xa8\x8c\x19\x11\xf5\x4c\x8f\x0a\x9a\x42\xdc\xe4\x95\x08\x27\x5d\xce\x74\xfd\x73\xcd\xab\x1e\xab\xf8\xaa\x10\x4c\x74\xf7\xc3\xbb\x54\xd0\x50\x0a\xfc\x2b\x97", 95); *(uint64_t*)0x100006ec = 0x9621; *(uint64_t*)0x100006f4 = 2; *(uint64_t*)0x100006fc = 8; *(uint64_t*)0x10000704 = 0x800; *(uint64_t*)0x1000070c = 3; *(uint64_t*)0x10000714 = 0x10001; *(uint64_t*)0x1000071c = 0xfa; *(uint32_t*)0x10000724 = 0x7fff; 
res = syscall(SYS_ioctl, -1, 0xc44c444a, 0x100002c0); fprintf(stderr, "### call=5 errno=%u\n", res == -1 ? errno : 0); break; case 6: memcpy((void*)0x10000740, "/dev/pf\000", 8); res = syscall(SYS_openat, 0xffffff9c, 0x10000740, 0x800, 0); fprintf(stderr, "### call=6 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[1] = res; break; case 7: *(uint8_t*)0x10000800 = 0x10; *(uint32_t*)0x10000804 = 0x10000780; memcpy((void*)0x10000780, "\x85\xdf\xfe\xfc\x4e\xfc\xb1\xb4\x01\x6c\x84\x2d\x2c\xc4\xb4\x5b\xfa\x06\x4e\x55\x86\x99\x99\xbf\x61\x37\x68\x94\x06\x75\x4f\xe7\xc0\xb1\x79\x02\x9f\x2f\x35\xc5\x16\xd9\x32\x31\xa1\x04\x81\x3e\xa2\x6f\x8f\xf7\xf1\xcf\x84\x81\x88\xd9\xd0\xb6\x26\x05\x00\x40\x2d\xdc\xa3\x6f\xe8\xe1\xcd\x0a\xd5\xe8\x18\x56\xa2\xf9\xf9\x83\xf5\x98\x1a\xce\x98\x9e\x97\x6f", 88); *(uint32_t*)0x10000808 = 0x40000000; *(uint32_t*)0x1000080c = 0xff; *(uint32_t*)0x10000810 = 0x10001; res = syscall(SYS_ioctl, (intptr_t)r[1], 0xc0244457, 0x10000800); fprintf(stderr, "### call=7 errno=%u\n", res == -1 ? errno : 0); break; case 8: res = syscall(SYS_mmap, 0x10ffc000, 0x3000, 2, 0x10, (intptr_t)r[0], 0); fprintf(stderr, "### call=8 errno=%u\n", res == -1 ? errno : 0); break; case 9: *(uint32_t*)0x10000840 = 0; *(uint16_t*)0x10000844 = 0x8001; *(uint16_t*)0x10000846 = 4; *(uint16_t*)0x10000848 = 0x3f; *(uint16_t*)0x1000084a = -1; *(uint16_t*)0x1000084c = 0x20; *(uint16_t*)0x1000084e = 4; *(uint32_t*)0x10000880 = 0x10; res = syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 0x901, 0x10000840, 0x10000880); fprintf(stderr, "### call=9 errno=%u\n", res == -1 ? errno : 0); break; case 10: memcpy((void*)0x10000100, "\x65\xfc\x67\x0f\xa8\x66\xdb\xd3\xc4\xc1\xd1\x5f\xf2\xc4\xc1\x8d\xfa\xf2\xc4\xe2\x55\x3f\xd8\xc4\xe1\xb1\x7c\x60\x99\x66\x0f\x3a\x09\xc1\x89\x82\x83\xdf\x00\x00\x00\xfe\xc4\xc2\x91\x91\x5c\x86\x99", 49); res = -1; errno = EFAULT; res = syz_execute_func(0x10000100); fprintf(stderr, "### call=10 errno=%u\n", res == -1 ? 
errno : 0); break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } :195:13: error: unused function 'csum_inet_init' [-Werror,-Wunused-function] static void csum_inet_init(struct csum_inet* csum) ^ :200:13: error: unused function 'csum_inet_update' [-Werror,-Wunused-function] static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) ^ :213:17: error: unused function 'csum_inet_digest' [-Werror,-Wunused-function] static uint16_t csum_inet_digest(struct csum_inet* csum) ^ 3 errors generated. compiler invocation: clang [-o /tmp/syz-executor894766729 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/2 (1.11s) csource_test.go:118: opts: {Threaded:true Collide:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: extattr_delete_file(&(0x7f0000000000)='./file0\x00', 0x1, &(0x7f0000000040)='/{[-*-:#!@(*\x00') (fail_nth: 1) r0 = accept4$inet6(0xffffffffffffffff, &(0x7f0000000080)={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @remote}, &(0x7f00000000c0)=0x1c, 0x30000000) utimensat(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', &(0x7f0000000140)={{0x7, 0x7}, {0x7, 0x5}}, 0x4000) setsockopt$inet_sctp_SCTP_EXPLICIT_EOR(0xffffffffffffffff, 0x84, 0x1b, &(0x7f0000000180)=0x2, 0x4) shm_open2(&(0x7f00000001c0)='./file1\x00', 0x0, 0x100, 0x4, &(0x7f0000000200)=')/,&o\x00') ioctl$DIOCRSETTFLAGS(0xffffffffffffffff, 0xc44c444a, 
&(0x7f00000002c0)={{"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", "9f538c90e871041e5c20e4ce66046a7c616241a9680d8539866c5a96b1c8ecc9", 0x80000000, 0x1}, &(0x7f0000000240)="18167d1501224bddd48fc6e3f883d8f2dd60a2fad40d6c1520c6c51f84cedcc571c2e32e14abf447283e87a5f3f781bdba001c54edaeda7aa88c1911f54c8f0a9a42dce49508275dce74fd73cdab1eabf8aa104c74f7c3bb54d0500afc2b97", 0x9621, 0x2, 0x8, 0x800, 0x3, 0x10001, 0xfa, 0x7fff}) r1 = openat$ptmx(0xffffff9c, &(0x7f0000000740), 0x800, 0x0) ioctl$DIOCIGETIFACES(r1, 0xc0244457, &(0x7f0000000800)={0x10, &(0x7f0000000780)="85dffefc4efcb1b4016c842d2cc4b45bfa064e55869999bf6137689406754fe7c0b179029f2f35c516d93231a104813ea26f8ff7f1cf848188d9d0b6260500402ddca36fe8e1cd0ad5e81856a2f9f983f5981ace989e976f", 0x40000000, 0xff, 0x10001}) mmap(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2, 0x10, r0, 0x0) getsockopt$inet6_sctp_SCTP_RESET_STREAMS(r0, 0x84, 0x901, &(0x7f0000000840)={0x0, 0x8001, 0x4, [0x3f, 0xffff, 0x20, 0x4]}, &(0x7f0000000880)=0x10) syz_emit_ethernet(0xf3, &(0x7f0000000000)={@local, @local, [{[], {0x8100, 0x6, 0x1, 0x2}}], {@ipv4={0x800, {{0x9, 0x4, 0x2, 0x7, 0xe1, 0x65, 0x878, 0x4, 0x4d, 0x0, @empty, @multicast1, {[@generic={0x44, 0xd, "4de51ab866bb431c3dc521"}, @noop, @noop]}}, @generic="5ace0f0ff30bd68564f743a2ef2821a21c197ab27f80fcd10e900d506ab328909d636f25df603ad9e4ee16761ee679e24d1854d5cdd65b0172c27bed2165fdda7aa45a333f06d92d8d2beb389dcbc153d4e96a2792c39f0e07a5392ed08d386b6bf96b8f5801558093c009e7accdc8456fe898abba673e55c1330ee9454f4c2017e5e474c63c853817170734473727a7c0566eaf2be05daa6ed143d3ea4f0b39b87a60d41ed2d8ffd00e6472c06a0e8a98fae4c68ae1314f968bb3b931"}}}}) syz_execute_func(&(0x7f0000000100)="65fc670fa866dbd3c4c1d15ff2c4c18dfaf2c4e2553fd8c4e1b17c6099660f3a09c1898283df000000fec4c291915c8699") syz_extract_tcp_res(&(0x7f0000000140), 0x401, 0x1) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include 
#include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static int inject_fault(int nth) { return 0; } static void setup_fault() { } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static 
void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; 
setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; int collide = 0; again: for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (collide && (call % 2) == 0) break; event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); if (!collide) { collide = 1; goto again; } } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); 
if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef SYS_shm_open2 #define SYS_shm_open2 571 #endif uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); memcpy((void*)0x10000040, "/{[-*-:#!@(*\000", 13); inject_fault(1); syscall(SYS_extattr_delete_file, 0x10000000, 1, 0x10000040); break; case 1: *(uint32_t*)0x100000c0 = 0x1c; res = syscall(SYS_accept4, -1, 0x10000080, 0x100000c0, 0x30000000); if (res != -1) r[0] = res; break; case 2: memcpy((void*)0x10000100, "./file0\000", 8); *(uint32_t*)0x10000140 = 7; *(uint32_t*)0x10000144 = 7; *(uint32_t*)0x10000148 = 7; *(uint32_t*)0x1000014c = 5; syscall(SYS_utimensat, -1, 0x10000100, 0x10000140, 0x4000); break; case 3: *(uint32_t*)0x10000180 = 2; syscall(SYS_setsockopt, -1, 0x84, 0x1b, 0x10000180, 4); break; case 4: memcpy((void*)0x100001c0, "./file1\000", 8); memcpy((void*)0x10000200, ")/,&o\000", 6); syscall(SYS_shm_open2, 0x100001c0, 0, 0x100, 4, 0x10000200); break; case 5: memcpy((void*)0x100002c0, 
"\x99\xdb\x9c\xfd\x2a\xc3\x80\x5e\x5c\x41\x44\x73\xfb\x35\xf0\xdc\x56\x95\x09\x24\xb8\x94\xab\x78\x61\xea\x0b\x42\x08\x4c\x29\x7d\x5c\x37\x16\x93\x5f\x49\x47\xbb\x1b\x6f\x0c\xee\x80\x31\xe0\xa4\x32\x51\xc5\xc3\xcc\x4c\x19\xc1\xab\x43\x6a\x79\xdf\x65\x33\x23\x3b\xaf\x31\x8c\x6c\xeb\x2c\x35\x46\x9f\xf0\x7a\x65\x90\x51\x8b\x57\xef\x97\x14\x05\x05\x6e\xfc\x80\xd5\xf5\xf4\x28\x81\x8f\xb3\x7a\x2e\x2e\xcd\xb5\xee\x34\xef\xf8\x92\x23\x92\x54\x73\xb8\xef\x06\x3f\x69\x9b\xf0\x06\xf5\xf4\x41\xca\xcd\xf4\x74\x82\xbf\x43\x16\x93\xaf\x0d\xfd\x4a\xae\x73\xd6\x63\xf8\xbf\x69\x5f\x16\x23\x65\x8d\x31\x9f\x25\xfb\x04\x25\xcc\x53\xf6\xb5\x60\xf8\xaa\x39\x20\x11\xf8\xd9\x05\x33\x27\xec\xe9\xb0\xa4\x52\x91\xc8\x23\x70\xca\x8c\x7d\x35\x7c\xc3\x8f\x7e\x82\x11\x48\xce\x01\x3e\x78\xa5\x4c\x1f\x2c\x14\x3d\x88\x85\xd2\xf3\xb0\x9c\xeb\x63\xc2\xa9\x0f\xe2\x46\xc1\x35\x88\xad\xb9\x77\x99\x93\x95\xa0\x06\xb7\x67\xb5\xf0\x3f\xb3\x8a\xb2\xdb\x97\x81\x63\x25\xd9\x5e\xfe\xee\xb0\x71\x21\x2b\x2b\xf0\x59\x5c\x09\x96\x28\x73\x3f\x29\x45\x4f\xbb\x97\x36\x7d\x42\xde\xc2\xb0\x1e\x8c\x66\x60\x49\xbc\x8f\x83\xe4\x63\x97\x35\x45\x9b\xd8\xf1\x93\x5a\x17\xd4\xd2\xb8\xea\x23\x59\x08\x55\x1c\x19\x6f\x3d\xfa\x34\x84\x45\x11\x32\x90\x8e\x5c\xfe\x22\xe5\x37\xbf\x83\x4f\xd8\x7a\x77\xc6\x89\xba\x5f\x8c\x59\x9d\xcf\xb4\xd8\x25\xcd\x57\x47\xb2\xa9\x0e\x19\x5d\xc0\x2f\x9e\x8c\xa0\x47\x45\xf3\x36\xe1\xb0\x4a\x3c\x7a\x0e\x58\xbb\x6f\x17\xaf\xf7\x55\xb9\x15\x33\x4d\x57\x04\x86\x46\xfb\xf3\xaa\x24\x4a\x46\x43\x7c\xe8\x9c\xa2\xc0\xa7\x2d\x1b\x71\xfe\xec\xc0\xaf\xdc\xf4\x69\x1b\xce\x0b\x11\xf3\x2c\x63\x2f\xa6\x14\x7d\xbc\xaa\x8b\xed\x3f\x20\x67\xb8\x7c\x4e\x7d\xb3\x7e\xba\x3c\x6d\xb7\x27\x0d\x0d\xde\x21\xa6\x40\x13\xc7\x98\x0b\xef\xc4\x93\xcc\xe3\x08\xc4\xbb\xd1\x02\xcc\x77\x04\xb9\x27\x92\x62\x12\xee\xff\xe9\x26\xb3\xc9\x11\xec\x7a\xcf\xb8\x99\xf5\x21\xdc\x93\x25\xbf\xf6\x07\x3b\x5c\x13\xee\xb2\xaa\xd7\x6a\x4c\x3d\x5c\x48\xcd\xcc\xd0\xab\xea\x1a\xb9\xab\x39\x95\x85\x9c\xfd\x11\xe5\x44\x9e\xfb\x30\x51\x2a\x17\xe1\x7f\xcd\x35\x7
b\x1f\x69\x34\xd4\xab\x0d\x27\xc8\x61\x55\x83\x8f\x93\x9e\x7a\x80\x1d\x32\xac\x49\xca\x9e\xf4\x62\x8d\xcb\x19\x4c\x79\x97\x77\x5b\x69\xc1\x13\x12\x58\x4c\xaa\xa6\x75\x37\xc1\x83\x5b\x27\x4e\x4e\xcd\x58\xe8\x36\xfe\x2d\x53\xff\x93\x90\xb3\x4d\xb4\x85\xf8\x9b\x87\x1a\xb7\xf1\xe5\xe6\x9f\x86\x40\xb8\xfa\x5a\x70\x46\x61\xa5\x88\x19\xe1\x25\x77\x5b\xe4\xe4\x87\xf8\xcc\x4d\x3e\x9c\x11\x45\xf5\x78\x1a\x69\x0e\x42\x05\x66\xb5\xed\x39\x26\x7c\xe4\x43\x1d\xf9\x61\x0f\xa7\x7e\xbf\x82\x54\xf1\x60\xf4\x06\x8c\x5f\xde\xcd\xc8\xf9\xcf\x66\x71\x51\x3d\xfc\xf6\x4d\xc7\xa3\x7a\x92\x7b\xfc\xeb\x07\x62\x48\x8b\x7d\xec\x6d\xf1\x8f\x80\x27\xba\xe0\x91\xd8\x5d\x0d\xed\x0f\x72\x10\x8e\x5c\x21\xdd\xaf\x28\xef\x52\xf4\x24\x67\x7a\xb3\xfa\x1e\xab\xb6\xd3\x47\x78\x99\x65\xce\xb8\xbb\x45\x19\x35\x95\x8c\xc5\xba\x87\xf4\x64\x98\x78\x35\x00\x31\x9a\x2d\xf3\xed\x16\x8a\xf5\x35\x81\x54\x5d\xde\xa2\xd0\x51\x55\x16\xbf\xbf\x8f\xea\x62\xa7\x60\x19\x34\x79\xc7\x7e\x73\xa7\x9d\xbf\xa8\x21\x18\xc0\x13\xbf\x41\x8d\x35\x30\xc2\x0e\x7f\x47\xdd\xd8\xba\x80\xa0\x23\xde\x38\x3b\x54\x5c\x29\xfc\x63\x38\xf2\x77\xa7\x3b\xaf\x46\x55\x1e\x85\x50\x60\xb9\x91\x84\xc5\x4d\x1c\x11\xd3\xf7\x44\xac\xb0\x2e\x5b\x12\x6d\xf5\xa1\x05\x71\x65\x6b\xa6\xab\xb5\xe4\xef\x94\x06\xc2\xf5\x38\x0e\x69\x1e\x46\xa4\xca\x1c\x5d\xd7\xfc\x87\xd0\x81\xca\x94\xcd\x5a\xb7\xfb\x45\xa4\x8c\x68\x0f\xab\x76\x1f\x9b\x1a\x17\xbe\x44\x9d\x74\xf1\x29\x1b\x85\x9c\x37\xba\x01\x91\xb0\x09\x98\xb7\x84\x29\x33\x43\x90\x02\xca\x81\x7b\xd3\xf5\x14\x04\x81\xc9\x57\xfe\x95\xea\x9a\x50\xd0\x5b\xc2\x7f\x1c\x0f\x8d\xbc\x26\x7c\x50\x77\x6c\x77\x4a\x69\x49\x22\xa5\xce\x1c\xc8\xfd\x7e\x14\x78\xa3\xe2\xcc\x58\xf5\x70\xac\xda\x3a\x16\xca\xd5\x66\x7e\x28\xd2\x45\xdd\x78\xc7\x8e\x5e\x35\x00\xe0\xae\xe9\x1f\x10\xb6\xfc\x29\xd0\xd1\xbd\xfa\xae\x7e\xf6\x6e\xe2\x88\xd5\xd5\xb2\xb7\x2d\x09\x77\x67\x25\xea\xf7\x70\xef\x1e\xe4\xec\x08\x9c\x1d\xbc\xdb\x87\xb8\x64\xac\x3f\xab\xdb\xf4\x1d\x9d\xd3\x5a\xd4\x20\x09\x88\x89\xe1\xf5\x30\x30\x51\x47\xbe\x9e\x5c\x67\x09\xec\x22\xbe\x9
0\x76\x24\x1d\xc4\xbf\x66\x07\x9f\xda\x5f\x19\x0d\x26\xd5\x97\x7a\x4f\x2d\xf8\xb5\x43\x3d\xa1\x2f", 1024); memcpy((void*)0x100006c0, "\x9f\x53\x8c\x90\xe8\x71\x04\x1e\x5c\x20\xe4\xce\x66\x04\x6a\x7c\x61\x62\x41\xa9\x68\x0d\x85\x39\x86\x6c\x5a\x96\xb1\xc8\xec\xc9", 32); *(uint32_t*)0x100006e0 = 0x80000000; *(uint8_t*)0x100006e4 = 1; *(uint32_t*)0x100006e8 = 0x10000240; memcpy((void*)0x10000240, "\x18\x16\x7d\x15\x01\x22\x4b\xdd\xd4\x8f\xc6\xe3\xf8\x83\xd8\xf2\xdd\x60\xa2\xfa\xd4\x0d\x6c\x15\x20\xc6\xc5\x1f\x84\xce\xdc\xc5\x71\xc2\xe3\x2e\x14\xab\xf4\x47\x28\x3e\x87\xa5\xf3\xf7\x81\xbd\xba\x00\x1c\x54\xed\xae\xda\x7a\xa8\x8c\x19\x11\xf5\x4c\x8f\x0a\x9a\x42\xdc\xe4\x95\x08\x27\x5d\xce\x74\xfd\x73\xcd\xab\x1e\xab\xf8\xaa\x10\x4c\x74\xf7\xc3\xbb\x54\xd0\x50\x0a\xfc\x2b\x97", 95); *(uint64_t*)0x100006ec = 0x9621; *(uint64_t*)0x100006f4 = 2; *(uint64_t*)0x100006fc = 8; *(uint64_t*)0x10000704 = 0x800; *(uint64_t*)0x1000070c = 3; *(uint64_t*)0x10000714 = 0x10001; *(uint64_t*)0x1000071c = 0xfa; *(uint32_t*)0x10000724 = 0x7fff; syscall(SYS_ioctl, -1, 0xc44c444a, 0x100002c0); break; case 6: memcpy((void*)0x10000740, "/dev/pf\000", 8); res = syscall(SYS_openat, 0xffffff9c, 0x10000740, 0x800, 0); if (res != -1) r[1] = res; break; case 7: *(uint8_t*)0x10000800 = 0x10; *(uint32_t*)0x10000804 = 0x10000780; memcpy((void*)0x10000780, "\x85\xdf\xfe\xfc\x4e\xfc\xb1\xb4\x01\x6c\x84\x2d\x2c\xc4\xb4\x5b\xfa\x06\x4e\x55\x86\x99\x99\xbf\x61\x37\x68\x94\x06\x75\x4f\xe7\xc0\xb1\x79\x02\x9f\x2f\x35\xc5\x16\xd9\x32\x31\xa1\x04\x81\x3e\xa2\x6f\x8f\xf7\xf1\xcf\x84\x81\x88\xd9\xd0\xb6\x26\x05\x00\x40\x2d\xdc\xa3\x6f\xe8\xe1\xcd\x0a\xd5\xe8\x18\x56\xa2\xf9\xf9\x83\xf5\x98\x1a\xce\x98\x9e\x97\x6f", 88); *(uint32_t*)0x10000808 = 0x40000000; *(uint32_t*)0x1000080c = 0xff; *(uint32_t*)0x10000810 = 0x10001; syscall(SYS_ioctl, (intptr_t)r[1], 0xc0244457, 0x10000800); break; case 8: syscall(SYS_mmap, 0x10ffc000, 0x3000, 2, 0x10, (intptr_t)r[0], 0); break; case 9: *(uint32_t*)0x10000840 = 0; 
*(uint16_t*)0x10000844 = 0x8001; *(uint16_t*)0x10000846 = 4; *(uint16_t*)0x10000848 = 0x3f; *(uint16_t*)0x1000084a = -1; *(uint16_t*)0x1000084c = 0x20; *(uint16_t*)0x1000084e = 4; *(uint32_t*)0x10000880 = 0x10; syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 0x901, 0x10000840, 0x10000880); break; case 10: memcpy((void*)0x10000100, "\x65\xfc\x67\x0f\xa8\x66\xdb\xd3\xc4\xc1\xd1\x5f\xf2\xc4\xc1\x8d\xfa\xf2\xc4\xe2\x55\x3f\xd8\xc4\xe1\xb1\x7c\x60\x99\x66\x0f\x3a\x09\xc1\x89\x82\x83\xdf\x00\x00\x00\xfe\xc4\xc2\x91\x91\x5c\x86\x99", 49); syz_execute_func(0x10000100); break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } :195:13: error: unused function 'csum_inet_init' [-Werror,-Wunused-function] static void csum_inet_init(struct csum_inet* csum) ^ :200:13: error: unused function 'csum_inet_update' [-Werror,-Wunused-function] static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) ^ :213:17: error: unused function 'csum_inet_digest' [-Werror,-Wunused-function] static uint16_t csum_inet_digest(struct csum_inet* csum) ^ 3 errors generated. 
compiler invocation: clang [-o /tmp/syz-executor027195811 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/1 (0.98s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: extattr_delete_file(&(0x7f0000000000)='./file0\x00', 0x1, &(0x7f0000000040)='/{[-*-:#!@(*\x00') (fail_nth: 1) r0 = accept4$inet6(0xffffffffffffffff, &(0x7f0000000080)={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @remote}, &(0x7f00000000c0)=0x1c, 0x30000000) utimensat(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', &(0x7f0000000140)={{0x7, 0x7}, {0x7, 0x5}}, 0x4000) setsockopt$inet_sctp_SCTP_EXPLICIT_EOR(0xffffffffffffffff, 0x84, 0x1b, &(0x7f0000000180)=0x2, 0x4) shm_open2(&(0x7f00000001c0)='./file1\x00', 0x0, 0x100, 0x4, &(0x7f0000000200)=')/,&o\x00') ioctl$DIOCRSETTFLAGS(0xffffffffffffffff, 0xc44c444a, 
&(0x7f00000002c0)={{"99db9cfd2ac3805e5c414473fb35f0dc56950924b894ab7861ea0b42084c297d5c3716935f4947bb1b6f0cee8031e0a43251c5c3cc4c19c1ab436a79df6533233baf318c6ceb2c35469ff07a6590518b57ef971405056efc80d5f5f428818fb37a2e2ecdb5ee34eff89223925473b8ef063f699bf006f5f441cacdf47482bf431693af0dfd4aae73d663f8bf695f1623658d319f25fb0425cc53f6b560f8aa392011f8d9053327ece9b0a45291c82370ca8c7d357cc38f7e821148ce013e78a54c1f2c143d8885d2f3b09ceb63c2a90fe246c13588adb977999395a006b767b5f03fb38ab2db97816325d95efeeeb071212b2bf0595c099628733f29454fbb97367d42dec2b01e8c666049bc8f83e4639735459bd8f1935a17d4d2b8ea235908551c196f3dfa3484451132908e5cfe22e537bf834fd87a77c689ba5f8c599dcfb4d825cd5747b2a90e195dc02f9e8ca04745f336e1b04a3c7a0e58bb6f17aff755b915334d57048646fbf3aa244a46437ce89ca2c0a72d1b71feecc0afdcf4691bce0b11f32c632fa6147dbcaa8bed3f2067b87c4e7db37eba3c6db7270d0dde21a64013c7980befc493cce308c4bbd102cc7704b927926212eeffe926b3c911ec7acfb899f521dc9325bff6073b5c13eeb2aad76a4c3d5c48cdccd0abea1ab9ab3995859cfd11e5449efb30512a17e17fcd357b1f6934d4ab0d27c86155838f939e7a801d32ac49ca9ef4628dcb194c7997775b69c11312584caaa67537c1835b274e4ecd58e836fe2d53ff9390b34db485f89b871ab7f1e5e69f8640b8fa5a704661a58819e125775be4e487f8cc4d3e9c1145f5781a690e420566b5ed39267ce4431df9610fa77ebf8254f160f4068c5fdecdc8f9cf6671513dfcf64dc7a37a927bfceb0762488b7dec6df18f8027bae091d85d0ded0f72108e5c21ddaf28ef52f424677ab3fa1eabb6d347789965ceb8bb451935958cc5ba87f46498783500319a2df3ed168af53581545ddea2d0515516bfbf8fea62a760193479c77e73a79dbfa82118c013bf418d3530c20e7f47ddd8ba80a023de383b545c29fc6338f277a73baf46551e855060b99184c54d1c11d3f744acb02e5b126df5a10571656ba6abb5e4ef9406c2f5380e691e46a4ca1c5dd7fc87d081ca94cd5ab7fb45a48c680fab761f9b1a17be449d74f1291b859c37ba0191b00998b7842933439002ca817bd3f5140481c957fe95ea9a50d05bc27f1c0f8dbc267c50776c774a694922a5ce1cc8fd7e1478a3e2cc58f570acda3a16cad5667e28d245dd78c78e5e3500e0aee91f10b6fc29d0d1bdfaae7ef66ee288d5d5b2b72d09776725eaf770ef1ee4ec089c1dbcdb87b864ac3fabdbf41d9dd35ad420098889e1f530305
147be9e5c6709ec22be9076241dc4bf66079fda5f190d26d5977a4f2df8b5433da12f", "9f538c90e871041e5c20e4ce66046a7c616241a9680d8539866c5a96b1c8ecc9", 0x80000000, 0x1}, &(0x7f0000000240)="18167d1501224bddd48fc6e3f883d8f2dd60a2fad40d6c1520c6c51f84cedcc571c2e32e14abf447283e87a5f3f781bdba001c54edaeda7aa88c1911f54c8f0a9a42dce49508275dce74fd73cdab1eabf8aa104c74f7c3bb54d0500afc2b97", 0x9621, 0x2, 0x8, 0x800, 0x3, 0x10001, 0xfa, 0x7fff}) r1 = openat$ptmx(0xffffff9c, &(0x7f0000000740), 0x800, 0x0) ioctl$DIOCIGETIFACES(r1, 0xc0244457, &(0x7f0000000800)={0x10, &(0x7f0000000780)="85dffefc4efcb1b4016c842d2cc4b45bfa064e55869999bf6137689406754fe7c0b179029f2f35c516d93231a104813ea26f8ff7f1cf848188d9d0b6260500402ddca36fe8e1cd0ad5e81856a2f9f983f5981ace989e976f", 0x40000000, 0xff, 0x10001}) mmap(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2, 0x10, r0, 0x0) getsockopt$inet6_sctp_SCTP_RESET_STREAMS(r0, 0x84, 0x901, &(0x7f0000000840)={0x0, 0x8001, 0x4, [0x3f, 0xffff, 0x20, 0x4]}, &(0x7f0000000880)=0x10) syz_emit_ethernet(0xf3, &(0x7f0000000000)={@local, @local, [{[], {0x8100, 0x6, 0x1, 0x2}}], {@ipv4={0x800, {{0x9, 0x4, 0x2, 0x7, 0xe1, 0x65, 0x878, 0x4, 0x4d, 0x0, @empty, @multicast1, {[@generic={0x44, 0xd, "4de51ab866bb431c3dc521"}, @noop, @noop]}}, @generic="5ace0f0ff30bd68564f743a2ef2821a21c197ab27f80fcd10e900d506ab328909d636f25df603ad9e4ee16761ee679e24d1854d5cdd65b0172c27bed2165fdda7aa45a333f06d92d8d2beb389dcbc153d4e96a2792c39f0e07a5392ed08d386b6bf96b8f5801558093c009e7accdc8456fe898abba673e55c1330ee9454f4c2017e5e474c63c853817170734473727a7c0566eaf2be05daa6ed143d3ea4f0b39b87a60d41ed2d8ffd00e6472c06a0e8a98fae4c68ae1314f968bb3b931"}}}}) syz_execute_func(&(0x7f0000000100)="65fc670fa866dbd3c4c1d15ff2c4c18dfaf2c4e2553fd8c4e1b17c6099660f3a09c1898283df000000fec4c291915c8699") syz_extract_tcp_res(&(0x7f0000000140), 0x401, 0x1) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include 
#include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static int inject_fault(int nth) { return 0; } static void setup_fault() { } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void 
event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, 
&rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef 
SYS_shm_open2 #define SYS_shm_open2 571 #endif uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); memcpy((void*)0x10000040, "/{[-*-:#!@(*\000", 13); inject_fault(1); syscall(SYS_extattr_delete_file, 0x10000000, 1, 0x10000040); break; case 1: *(uint32_t*)0x100000c0 = 0x1c; res = syscall(SYS_accept4, -1, 0x10000080, 0x100000c0, 0x30000000); if (res != -1) r[0] = res; break; case 2: memcpy((void*)0x10000100, "./file0\000", 8); *(uint32_t*)0x10000140 = 7; *(uint32_t*)0x10000144 = 7; *(uint32_t*)0x10000148 = 7; *(uint32_t*)0x1000014c = 5; syscall(SYS_utimensat, -1, 0x10000100, 0x10000140, 0x4000); break; case 3: *(uint32_t*)0x10000180 = 2; syscall(SYS_setsockopt, -1, 0x84, 0x1b, 0x10000180, 4); break; case 4: memcpy((void*)0x100001c0, "./file1\000", 8); memcpy((void*)0x10000200, ")/,&o\000", 6); syscall(SYS_shm_open2, 0x100001c0, 0, 0x100, 4, 0x10000200); break; case 5: memcpy((void*)0x100002c0, 
"\x99\xdb\x9c\xfd\x2a\xc3\x80\x5e\x5c\x41\x44\x73\xfb\x35\xf0\xdc\x56\x95\x09\x24\xb8\x94\xab\x78\x61\xea\x0b\x42\x08\x4c\x29\x7d\x5c\x37\x16\x93\x5f\x49\x47\xbb\x1b\x6f\x0c\xee\x80\x31\xe0\xa4\x32\x51\xc5\xc3\xcc\x4c\x19\xc1\xab\x43\x6a\x79\xdf\x65\x33\x23\x3b\xaf\x31\x8c\x6c\xeb\x2c\x35\x46\x9f\xf0\x7a\x65\x90\x51\x8b\x57\xef\x97\x14\x05\x05\x6e\xfc\x80\xd5\xf5\xf4\x28\x81\x8f\xb3\x7a\x2e\x2e\xcd\xb5\xee\x34\xef\xf8\x92\x23\x92\x54\x73\xb8\xef\x06\x3f\x69\x9b\xf0\x06\xf5\xf4\x41\xca\xcd\xf4\x74\x82\xbf\x43\x16\x93\xaf\x0d\xfd\x4a\xae\x73\xd6\x63\xf8\xbf\x69\x5f\x16\x23\x65\x8d\x31\x9f\x25\xfb\x04\x25\xcc\x53\xf6\xb5\x60\xf8\xaa\x39\x20\x11\xf8\xd9\x05\x33\x27\xec\xe9\xb0\xa4\x52\x91\xc8\x23\x70\xca\x8c\x7d\x35\x7c\xc3\x8f\x7e\x82\x11\x48\xce\x01\x3e\x78\xa5\x4c\x1f\x2c\x14\x3d\x88\x85\xd2\xf3\xb0\x9c\xeb\x63\xc2\xa9\x0f\xe2\x46\xc1\x35\x88\xad\xb9\x77\x99\x93\x95\xa0\x06\xb7\x67\xb5\xf0\x3f\xb3\x8a\xb2\xdb\x97\x81\x63\x25\xd9\x5e\xfe\xee\xb0\x71\x21\x2b\x2b\xf0\x59\x5c\x09\x96\x28\x73\x3f\x29\x45\x4f\xbb\x97\x36\x7d\x42\xde\xc2\xb0\x1e\x8c\x66\x60\x49\xbc\x8f\x83\xe4\x63\x97\x35\x45\x9b\xd8\xf1\x93\x5a\x17\xd4\xd2\xb8\xea\x23\x59\x08\x55\x1c\x19\x6f\x3d\xfa\x34\x84\x45\x11\x32\x90\x8e\x5c\xfe\x22\xe5\x37\xbf\x83\x4f\xd8\x7a\x77\xc6\x89\xba\x5f\x8c\x59\x9d\xcf\xb4\xd8\x25\xcd\x57\x47\xb2\xa9\x0e\x19\x5d\xc0\x2f\x9e\x8c\xa0\x47\x45\xf3\x36\xe1\xb0\x4a\x3c\x7a\x0e\x58\xbb\x6f\x17\xaf\xf7\x55\xb9\x15\x33\x4d\x57\x04\x86\x46\xfb\xf3\xaa\x24\x4a\x46\x43\x7c\xe8\x9c\xa2\xc0\xa7\x2d\x1b\x71\xfe\xec\xc0\xaf\xdc\xf4\x69\x1b\xce\x0b\x11\xf3\x2c\x63\x2f\xa6\x14\x7d\xbc\xaa\x8b\xed\x3f\x20\x67\xb8\x7c\x4e\x7d\xb3\x7e\xba\x3c\x6d\xb7\x27\x0d\x0d\xde\x21\xa6\x40\x13\xc7\x98\x0b\xef\xc4\x93\xcc\xe3\x08\xc4\xbb\xd1\x02\xcc\x77\x04\xb9\x27\x92\x62\x12\xee\xff\xe9\x26\xb3\xc9\x11\xec\x7a\xcf\xb8\x99\xf5\x21\xdc\x93\x25\xbf\xf6\x07\x3b\x5c\x13\xee\xb2\xaa\xd7\x6a\x4c\x3d\x5c\x48\xcd\xcc\xd0\xab\xea\x1a\xb9\xab\x39\x95\x85\x9c\xfd\x11\xe5\x44\x9e\xfb\x30\x51\x2a\x17\xe1\x7f\xcd\x35\x7
b\x1f\x69\x34\xd4\xab\x0d\x27\xc8\x61\x55\x83\x8f\x93\x9e\x7a\x80\x1d\x32\xac\x49\xca\x9e\xf4\x62\x8d\xcb\x19\x4c\x79\x97\x77\x5b\x69\xc1\x13\x12\x58\x4c\xaa\xa6\x75\x37\xc1\x83\x5b\x27\x4e\x4e\xcd\x58\xe8\x36\xfe\x2d\x53\xff\x93\x90\xb3\x4d\xb4\x85\xf8\x9b\x87\x1a\xb7\xf1\xe5\xe6\x9f\x86\x40\xb8\xfa\x5a\x70\x46\x61\xa5\x88\x19\xe1\x25\x77\x5b\xe4\xe4\x87\xf8\xcc\x4d\x3e\x9c\x11\x45\xf5\x78\x1a\x69\x0e\x42\x05\x66\xb5\xed\x39\x26\x7c\xe4\x43\x1d\xf9\x61\x0f\xa7\x7e\xbf\x82\x54\xf1\x60\xf4\x06\x8c\x5f\xde\xcd\xc8\xf9\xcf\x66\x71\x51\x3d\xfc\xf6\x4d\xc7\xa3\x7a\x92\x7b\xfc\xeb\x07\x62\x48\x8b\x7d\xec\x6d\xf1\x8f\x80\x27\xba\xe0\x91\xd8\x5d\x0d\xed\x0f\x72\x10\x8e\x5c\x21\xdd\xaf\x28\xef\x52\xf4\x24\x67\x7a\xb3\xfa\x1e\xab\xb6\xd3\x47\x78\x99\x65\xce\xb8\xbb\x45\x19\x35\x95\x8c\xc5\xba\x87\xf4\x64\x98\x78\x35\x00\x31\x9a\x2d\xf3\xed\x16\x8a\xf5\x35\x81\x54\x5d\xde\xa2\xd0\x51\x55\x16\xbf\xbf\x8f\xea\x62\xa7\x60\x19\x34\x79\xc7\x7e\x73\xa7\x9d\xbf\xa8\x21\x18\xc0\x13\xbf\x41\x8d\x35\x30\xc2\x0e\x7f\x47\xdd\xd8\xba\x80\xa0\x23\xde\x38\x3b\x54\x5c\x29\xfc\x63\x38\xf2\x77\xa7\x3b\xaf\x46\x55\x1e\x85\x50\x60\xb9\x91\x84\xc5\x4d\x1c\x11\xd3\xf7\x44\xac\xb0\x2e\x5b\x12\x6d\xf5\xa1\x05\x71\x65\x6b\xa6\xab\xb5\xe4\xef\x94\x06\xc2\xf5\x38\x0e\x69\x1e\x46\xa4\xca\x1c\x5d\xd7\xfc\x87\xd0\x81\xca\x94\xcd\x5a\xb7\xfb\x45\xa4\x8c\x68\x0f\xab\x76\x1f\x9b\x1a\x17\xbe\x44\x9d\x74\xf1\x29\x1b\x85\x9c\x37\xba\x01\x91\xb0\x09\x98\xb7\x84\x29\x33\x43\x90\x02\xca\x81\x7b\xd3\xf5\x14\x04\x81\xc9\x57\xfe\x95\xea\x9a\x50\xd0\x5b\xc2\x7f\x1c\x0f\x8d\xbc\x26\x7c\x50\x77\x6c\x77\x4a\x69\x49\x22\xa5\xce\x1c\xc8\xfd\x7e\x14\x78\xa3\xe2\xcc\x58\xf5\x70\xac\xda\x3a\x16\xca\xd5\x66\x7e\x28\xd2\x45\xdd\x78\xc7\x8e\x5e\x35\x00\xe0\xae\xe9\x1f\x10\xb6\xfc\x29\xd0\xd1\xbd\xfa\xae\x7e\xf6\x6e\xe2\x88\xd5\xd5\xb2\xb7\x2d\x09\x77\x67\x25\xea\xf7\x70\xef\x1e\xe4\xec\x08\x9c\x1d\xbc\xdb\x87\xb8\x64\xac\x3f\xab\xdb\xf4\x1d\x9d\xd3\x5a\xd4\x20\x09\x88\x89\xe1\xf5\x30\x30\x51\x47\xbe\x9e\x5c\x67\x09\xec\x22\xbe\x9
0\x76\x24\x1d\xc4\xbf\x66\x07\x9f\xda\x5f\x19\x0d\x26\xd5\x97\x7a\x4f\x2d\xf8\xb5\x43\x3d\xa1\x2f", 1024); memcpy((void*)0x100006c0, "\x9f\x53\x8c\x90\xe8\x71\x04\x1e\x5c\x20\xe4\xce\x66\x04\x6a\x7c\x61\x62\x41\xa9\x68\x0d\x85\x39\x86\x6c\x5a\x96\xb1\xc8\xec\xc9", 32); *(uint32_t*)0x100006e0 = 0x80000000; *(uint8_t*)0x100006e4 = 1; *(uint32_t*)0x100006e8 = 0x10000240; memcpy((void*)0x10000240, "\x18\x16\x7d\x15\x01\x22\x4b\xdd\xd4\x8f\xc6\xe3\xf8\x83\xd8\xf2\xdd\x60\xa2\xfa\xd4\x0d\x6c\x15\x20\xc6\xc5\x1f\x84\xce\xdc\xc5\x71\xc2\xe3\x2e\x14\xab\xf4\x47\x28\x3e\x87\xa5\xf3\xf7\x81\xbd\xba\x00\x1c\x54\xed\xae\xda\x7a\xa8\x8c\x19\x11\xf5\x4c\x8f\x0a\x9a\x42\xdc\xe4\x95\x08\x27\x5d\xce\x74\xfd\x73\xcd\xab\x1e\xab\xf8\xaa\x10\x4c\x74\xf7\xc3\xbb\x54\xd0\x50\x0a\xfc\x2b\x97", 95); *(uint64_t*)0x100006ec = 0x9621; *(uint64_t*)0x100006f4 = 2; *(uint64_t*)0x100006fc = 8; *(uint64_t*)0x10000704 = 0x800; *(uint64_t*)0x1000070c = 3; *(uint64_t*)0x10000714 = 0x10001; *(uint64_t*)0x1000071c = 0xfa; *(uint32_t*)0x10000724 = 0x7fff; syscall(SYS_ioctl, -1, 0xc44c444a, 0x100002c0); break; case 6: memcpy((void*)0x10000740, "/dev/pf\000", 8); res = syscall(SYS_openat, 0xffffff9c, 0x10000740, 0x800, 0); if (res != -1) r[1] = res; break; case 7: *(uint8_t*)0x10000800 = 0x10; *(uint32_t*)0x10000804 = 0x10000780; memcpy((void*)0x10000780, "\x85\xdf\xfe\xfc\x4e\xfc\xb1\xb4\x01\x6c\x84\x2d\x2c\xc4\xb4\x5b\xfa\x06\x4e\x55\x86\x99\x99\xbf\x61\x37\x68\x94\x06\x75\x4f\xe7\xc0\xb1\x79\x02\x9f\x2f\x35\xc5\x16\xd9\x32\x31\xa1\x04\x81\x3e\xa2\x6f\x8f\xf7\xf1\xcf\x84\x81\x88\xd9\xd0\xb6\x26\x05\x00\x40\x2d\xdc\xa3\x6f\xe8\xe1\xcd\x0a\xd5\xe8\x18\x56\xa2\xf9\xf9\x83\xf5\x98\x1a\xce\x98\x9e\x97\x6f", 88); *(uint32_t*)0x10000808 = 0x40000000; *(uint32_t*)0x1000080c = 0xff; *(uint32_t*)0x10000810 = 0x10001; syscall(SYS_ioctl, (intptr_t)r[1], 0xc0244457, 0x10000800); break; case 8: syscall(SYS_mmap, 0x10ffc000, 0x3000, 2, 0x10, (intptr_t)r[0], 0); break; case 9: *(uint32_t*)0x10000840 = 0; 
*(uint16_t*)0x10000844 = 0x8001; *(uint16_t*)0x10000846 = 4; *(uint16_t*)0x10000848 = 0x3f; *(uint16_t*)0x1000084a = -1; *(uint16_t*)0x1000084c = 0x20; *(uint16_t*)0x1000084e = 4; *(uint32_t*)0x10000880 = 0x10; syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 0x901, 0x10000840, 0x10000880); break; case 10: memcpy((void*)0x10000100, "\x65\xfc\x67\x0f\xa8\x66\xdb\xd3\xc4\xc1\xd1\x5f\xf2\xc4\xc1\x8d\xfa\xf2\xc4\xe2\x55\x3f\xd8\xc4\xe1\xb1\x7c\x60\x99\x66\x0f\x3a\x09\xc1\x89\x82\x83\xdf\x00\x00\x00\xfe\xc4\xc2\x91\x91\x5c\x86\x99", 49); syz_execute_func(0x10000100); break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } :195:13: error: unused function 'csum_inet_init' [-Werror,-Wunused-function] static void csum_inet_init(struct csum_inet* csum) ^ :200:13: error: unused function 'csum_inet_update' [-Werror,-Wunused-function] static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) ^ :213:17: error: unused function 'csum_inet_digest' [-Werror,-Wunused-function] static uint16_t csum_inet_digest(struct csum_inet* csum) ^ 3 errors generated. 
compiler invocation: clang [-o /tmp/syz-executor955750349 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/9 (0.87s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:setuid Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: extattr_delete_file(&(0x7f0000000000)='./file0\x00', 0x1, &(0x7f0000000040)='/{[-*-:#!@(*\x00') (fail_nth: 1) r0 = accept4$inet6(0xffffffffffffffff, &(0x7f0000000080)={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @remote}, &(0x7f00000000c0)=0x1c, 0x30000000) utimensat(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', &(0x7f0000000140)={{0x7, 0x7}, {0x7, 0x5}}, 0x4000) setsockopt$inet_sctp_SCTP_EXPLICIT_EOR(0xffffffffffffffff, 0x84, 0x1b, &(0x7f0000000180)=0x2, 0x4) shm_open2(&(0x7f00000001c0)='./file1\x00', 0x0, 0x100, 0x4, &(0x7f0000000200)=')/,&o\x00') ioctl$DIOCRSETTFLAGS(0xffffffffffffffff, 0xc44c444a, &(0x7f00000002c0)={{"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", "9f538c90e871041e5c20e4ce66046a7c616241a9680d8539866c5a96b1c8ecc9", 0x80000000, 0x1}, &(0x7f0000000240)="18167d1501224bddd48fc6e3f883d8f2dd60a2fad40d6c1520c6c51f84cedcc571c2e32e14abf447283e87a5f3f781bdba001c54edaeda7aa88c1911f54c8f0a9a42dce49508275dce74fd73cdab1eabf8aa104c74f7c3bb54d0500afc2b97", 0x9621, 0x2, 0x8, 0x800, 0x3, 0x10001, 0xfa, 0x7fff}) r1 = openat$ptmx(0xffffff9c, &(0x7f0000000740), 0x800, 0x0) ioctl$DIOCIGETIFACES(r1, 0xc0244457, &(0x7f0000000800)={0x10, 
&(0x7f0000000780)="85dffefc4efcb1b4016c842d2cc4b45bfa064e55869999bf6137689406754fe7c0b179029f2f35c516d93231a104813ea26f8ff7f1cf848188d9d0b6260500402ddca36fe8e1cd0ad5e81856a2f9f983f5981ace989e976f", 0x40000000, 0xff, 0x10001}) mmap(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2, 0x10, r0, 0x0) getsockopt$inet6_sctp_SCTP_RESET_STREAMS(r0, 0x84, 0x901, &(0x7f0000000840)={0x0, 0x8001, 0x4, [0x3f, 0xffff, 0x20, 0x4]}, &(0x7f0000000880)=0x10) syz_emit_ethernet(0xf3, &(0x7f0000000000)={@local, @local, [{[], {0x8100, 0x6, 0x1, 0x2}}], {@ipv4={0x800, {{0x9, 0x4, 0x2, 0x7, 0xe1, 0x65, 0x878, 0x4, 0x4d, 0x0, @empty, @multicast1, {[@generic={0x44, 0xd, "4de51ab866bb431c3dc521"}, @noop, @noop]}}, @generic="5ace0f0ff30bd68564f743a2ef2821a21c197ab27f80fcd10e900d506ab328909d636f25df603ad9e4ee16761ee679e24d1854d5cdd65b0172c27bed2165fdda7aa45a333f06d92d8d2beb389dcbc153d4e96a2792c39f0e07a5392ed08d386b6bf96b8f5801558093c009e7accdc8456fe898abba673e55c1330ee9454f4c2017e5e474c63c853817170734473727a7c0566eaf2be05daa6ed143d3ea4f0b39b87a60d41ed2d8ffd00e6472c06a0e8a98fae4c68ae1314f968bb3b931"}}}}) syz_execute_func(&(0x7f0000000100)="65fc670fa866dbd3c4c1d15ff2c4c18dfaf2c4e2553fd8c4e1b17c6099660f3a09c1898283df000000fec4c291915c8699") syz_extract_tcp_res(&(0x7f0000000140), 0x401, 0x1) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = 
"./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static int inject_fault(int nth) { return 0; } static void setup_fault() { } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); 
uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, WUNTRACED) != pid) { } return WEXITSTATUS(status); } static int do_sandbox_setuid(void) { int pid = fork(); if (pid != 0) return wait_for_loop(pid); sandbox_common(); char pwbuf[1024]; struct passwd *pw, 
pwres; if (getpwnam_r("nobody", &pwres, pwbuf, sizeof(pwbuf), &pw) != 0 || !pw) exit(1); if (setgroups(0, NULL)) exit(1); if (setgid(pw->pw_gid)) exit(1); if (setuid(pw->pw_uid)) exit(1); loop(); exit(1); } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef SYS_shm_open2 #define SYS_shm_open2 571 #endif uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void 
execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); memcpy((void*)0x10000040, "/{[-*-:#!@(*\000", 13); inject_fault(1); syscall(SYS_extattr_delete_file, 0x10000000, 1, 0x10000040); break; case 1: *(uint32_t*)0x100000c0 = 0x1c; res = syscall(SYS_accept4, -1, 0x10000080, 0x100000c0, 0x30000000); if (res != -1) r[0] = res; break; case 2: memcpy((void*)0x10000100, "./file0\000", 8); *(uint32_t*)0x10000140 = 7; *(uint32_t*)0x10000144 = 7; *(uint32_t*)0x10000148 = 7; *(uint32_t*)0x1000014c = 5; syscall(SYS_utimensat, -1, 0x10000100, 0x10000140, 0x4000); break; case 3: *(uint32_t*)0x10000180 = 2; syscall(SYS_setsockopt, -1, 0x84, 0x1b, 0x10000180, 4); break; case 4: memcpy((void*)0x100001c0, "./file1\000", 8); memcpy((void*)0x10000200, ")/,&o\000", 6); syscall(SYS_shm_open2, 0x100001c0, 0, 0x100, 4, 0x10000200); break; case 5: memcpy((void*)0x100002c0, "\x99\xdb\x9c\xfd\x2a\xc3\x80\x5e\x5c\x41\x44\x73\xfb\x35\xf0\xdc\x56\x95\x09\x24\xb8\x94\xab\x78\x61\xea\x0b\x42\x08\x4c\x29\x7d\x5c\x37\x16\x93\x5f\x49\x47\xbb\x1b\x6f\x0c\xee\x80\x31\xe0\xa4\x32\x51\xc5\xc3\xcc\x4c\x19\xc1\xab\x43\x6a\x79\xdf\x65\x33\x23\x3b\xaf\x31\x8c\x6c\xeb\x2c\x35\x46\x9f\xf0\x7a\x65\x90\x51\x8b\x57\xef\x97\x14\x05\x05\x6e\xfc\x80\xd5\xf5\xf4\x28\x81\x8f\xb3\x7a\x2e\x2e\xcd\xb5\xee\x34\xef\xf8\x92\x23\x92\x54\x73\xb8\xef\x06\x3f\x69\x9b\xf0\x06\xf5\xf4\x41\xca\xcd\xf4\x74\x82\xbf\x43\x16\x93\xaf\x0d\xfd\x4a\xae\x73\xd6\x63\xf8\xbf\x69\x5f\x16\x23\x65\x8d\x31\x9f\x25\xfb\x04\x25\xcc\x53\xf6\xb5\x60\xf8\xaa\x39\x20\x11\xf8\xd9\x05\x33\x27\xec\xe9\xb0\xa4\x52\x91\xc8\x23\x70\xca\x8c\x7d\x35\x7c\xc3\x8f\x7e\x82\x11\x48\xce\x01\x3e\x78\xa5\x4c\x1f\x2c\x14\x3d\x88\x85\xd2\xf3\xb0\x9c\xeb\x63\xc2\xa9\x0f\xe2\x46\xc1\x35\x88\xad\xb9\x77\x99\x93\x95\xa0\x06\xb7\x67\xb5\xf0\x3f\xb3\x8a\xb2\xdb\x97\x81\x63\x25\xd9\x5e\xfe\xee\xb0\x71\x21\x2b\x2b\xf0\x59\x5c\x09\x96\x28\x73\x3f\x29\x45\x4f\xbb\x97\x36\x7d\x42\xde\xc2\xb0\x1e\x8c\x66\x60\x49\xbc\x8f\x83\
xe4\x63\x97\x35\x45\x9b\xd8\xf1\x93\x5a\x17\xd4\xd2\xb8\xea\x23\x59\x08\x55\x1c\x19\x6f\x3d\xfa\x34\x84\x45\x11\x32\x90\x8e\x5c\xfe\x22\xe5\x37\xbf\x83\x4f\xd8\x7a\x77\xc6\x89\xba\x5f\x8c\x59\x9d\xcf\xb4\xd8\x25\xcd\x57\x47\xb2\xa9\x0e\x19\x5d\xc0\x2f\x9e\x8c\xa0\x47\x45\xf3\x36\xe1\xb0\x4a\x3c\x7a\x0e\x58\xbb\x6f\x17\xaf\xf7\x55\xb9\x15\x33\x4d\x57\x04\x86\x46\xfb\xf3\xaa\x24\x4a\x46\x43\x7c\xe8\x9c\xa2\xc0\xa7\x2d\x1b\x71\xfe\xec\xc0\xaf\xdc\xf4\x69\x1b\xce\x0b\x11\xf3\x2c\x63\x2f\xa6\x14\x7d\xbc\xaa\x8b\xed\x3f\x20\x67\xb8\x7c\x4e\x7d\xb3\x7e\xba\x3c\x6d\xb7\x27\x0d\x0d\xde\x21\xa6\x40\x13\xc7\x98\x0b\xef\xc4\x93\xcc\xe3\x08\xc4\xbb\xd1\x02\xcc\x77\x04\xb9\x27\x92\x62\x12\xee\xff\xe9\x26\xb3\xc9\x11\xec\x7a\xcf\xb8\x99\xf5\x21\xdc\x93\x25\xbf\xf6\x07\x3b\x5c\x13\xee\xb2\xaa\xd7\x6a\x4c\x3d\x5c\x48\xcd\xcc\xd0\xab\xea\x1a\xb9\xab\x39\x95\x85\x9c\xfd\x11\xe5\x44\x9e\xfb\x30\x51\x2a\x17\xe1\x7f\xcd\x35\x7b\x1f\x69\x34\xd4\xab\x0d\x27\xc8\x61\x55\x83\x8f\x93\x9e\x7a\x80\x1d\x32\xac\x49\xca\x9e\xf4\x62\x8d\xcb\x19\x4c\x79\x97\x77\x5b\x69\xc1\x13\x12\x58\x4c\xaa\xa6\x75\x37\xc1\x83\x5b\x27\x4e\x4e\xcd\x58\xe8\x36\xfe\x2d\x53\xff\x93\x90\xb3\x4d\xb4\x85\xf8\x9b\x87\x1a\xb7\xf1\xe5\xe6\x9f\x86\x40\xb8\xfa\x5a\x70\x46\x61\xa5\x88\x19\xe1\x25\x77\x5b\xe4\xe4\x87\xf8\xcc\x4d\x3e\x9c\x11\x45\xf5\x78\x1a\x69\x0e\x42\x05\x66\xb5\xed\x39\x26\x7c\xe4\x43\x1d\xf9\x61\x0f\xa7\x7e\xbf\x82\x54\xf1\x60\xf4\x06\x8c\x5f\xde\xcd\xc8\xf9\xcf\x66\x71\x51\x3d\xfc\xf6\x4d\xc7\xa3\x7a\x92\x7b\xfc\xeb\x07\x62\x48\x8b\x7d\xec\x6d\xf1\x8f\x80\x27\xba\xe0\x91\xd8\x5d\x0d\xed\x0f\x72\x10\x8e\x5c\x21\xdd\xaf\x28\xef\x52\xf4\x24\x67\x7a\xb3\xfa\x1e\xab\xb6\xd3\x47\x78\x99\x65\xce\xb8\xbb\x45\x19\x35\x95\x8c\xc5\xba\x87\xf4\x64\x98\x78\x35\x00\x31\x9a\x2d\xf3\xed\x16\x8a\xf5\x35\x81\x54\x5d\xde\xa2\xd0\x51\x55\x16\xbf\xbf\x8f\xea\x62\xa7\x60\x19\x34\x79\xc7\x7e\x73\xa7\x9d\xbf\xa8\x21\x18\xc0\x13\xbf\x41\x8d\x35\x30\xc2\x0e\x7f\x47\xdd\xd8\xba\x80\xa0\x23\xde\x38\x3b\x54\x5c\x29\xfc\x63\x38\xf2\x77\
xa7\x3b\xaf\x46\x55\x1e\x85\x50\x60\xb9\x91\x84\xc5\x4d\x1c\x11\xd3\xf7\x44\xac\xb0\x2e\x5b\x12\x6d\xf5\xa1\x05\x71\x65\x6b\xa6\xab\xb5\xe4\xef\x94\x06\xc2\xf5\x38\x0e\x69\x1e\x46\xa4\xca\x1c\x5d\xd7\xfc\x87\xd0\x81\xca\x94\xcd\x5a\xb7\xfb\x45\xa4\x8c\x68\x0f\xab\x76\x1f\x9b\x1a\x17\xbe\x44\x9d\x74\xf1\x29\x1b\x85\x9c\x37\xba\x01\x91\xb0\x09\x98\xb7\x84\x29\x33\x43\x90\x02\xca\x81\x7b\xd3\xf5\x14\x04\x81\xc9\x57\xfe\x95\xea\x9a\x50\xd0\x5b\xc2\x7f\x1c\x0f\x8d\xbc\x26\x7c\x50\x77\x6c\x77\x4a\x69\x49\x22\xa5\xce\x1c\xc8\xfd\x7e\x14\x78\xa3\xe2\xcc\x58\xf5\x70\xac\xda\x3a\x16\xca\xd5\x66\x7e\x28\xd2\x45\xdd\x78\xc7\x8e\x5e\x35\x00\xe0\xae\xe9\x1f\x10\xb6\xfc\x29\xd0\xd1\xbd\xfa\xae\x7e\xf6\x6e\xe2\x88\xd5\xd5\xb2\xb7\x2d\x09\x77\x67\x25\xea\xf7\x70\xef\x1e\xe4\xec\x08\x9c\x1d\xbc\xdb\x87\xb8\x64\xac\x3f\xab\xdb\xf4\x1d\x9d\xd3\x5a\xd4\x20\x09\x88\x89\xe1\xf5\x30\x30\x51\x47\xbe\x9e\x5c\x67\x09\xec\x22\xbe\x90\x76\x24\x1d\xc4\xbf\x66\x07\x9f\xda\x5f\x19\x0d\x26\xd5\x97\x7a\x4f\x2d\xf8\xb5\x43\x3d\xa1\x2f", 1024); memcpy((void*)0x100006c0, "\x9f\x53\x8c\x90\xe8\x71\x04\x1e\x5c\x20\xe4\xce\x66\x04\x6a\x7c\x61\x62\x41\xa9\x68\x0d\x85\x39\x86\x6c\x5a\x96\xb1\xc8\xec\xc9", 32); *(uint32_t*)0x100006e0 = 0x80000000; *(uint8_t*)0x100006e4 = 1; *(uint32_t*)0x100006e8 = 0x10000240; memcpy((void*)0x10000240, "\x18\x16\x7d\x15\x01\x22\x4b\xdd\xd4\x8f\xc6\xe3\xf8\x83\xd8\xf2\xdd\x60\xa2\xfa\xd4\x0d\x6c\x15\x20\xc6\xc5\x1f\x84\xce\xdc\xc5\x71\xc2\xe3\x2e\x14\xab\xf4\x47\x28\x3e\x87\xa5\xf3\xf7\x81\xbd\xba\x00\x1c\x54\xed\xae\xda\x7a\xa8\x8c\x19\x11\xf5\x4c\x8f\x0a\x9a\x42\xdc\xe4\x95\x08\x27\x5d\xce\x74\xfd\x73\xcd\xab\x1e\xab\xf8\xaa\x10\x4c\x74\xf7\xc3\xbb\x54\xd0\x50\x0a\xfc\x2b\x97", 95); *(uint64_t*)0x100006ec = 0x9621; *(uint64_t*)0x100006f4 = 2; *(uint64_t*)0x100006fc = 8; *(uint64_t*)0x10000704 = 0x800; *(uint64_t*)0x1000070c = 3; *(uint64_t*)0x10000714 = 0x10001; *(uint64_t*)0x1000071c = 0xfa; *(uint32_t*)0x10000724 = 0x7fff; syscall(SYS_ioctl, -1, 0xc44c444a, 0x100002c0); 
break; case 6: memcpy((void*)0x10000740, "/dev/pf\000", 8); res = syscall(SYS_openat, 0xffffff9c, 0x10000740, 0x800, 0); if (res != -1) r[1] = res; break; case 7: *(uint8_t*)0x10000800 = 0x10; *(uint32_t*)0x10000804 = 0x10000780; memcpy((void*)0x10000780, "\x85\xdf\xfe\xfc\x4e\xfc\xb1\xb4\x01\x6c\x84\x2d\x2c\xc4\xb4\x5b\xfa\x06\x4e\x55\x86\x99\x99\xbf\x61\x37\x68\x94\x06\x75\x4f\xe7\xc0\xb1\x79\x02\x9f\x2f\x35\xc5\x16\xd9\x32\x31\xa1\x04\x81\x3e\xa2\x6f\x8f\xf7\xf1\xcf\x84\x81\x88\xd9\xd0\xb6\x26\x05\x00\x40\x2d\xdc\xa3\x6f\xe8\xe1\xcd\x0a\xd5\xe8\x18\x56\xa2\xf9\xf9\x83\xf5\x98\x1a\xce\x98\x9e\x97\x6f", 88); *(uint32_t*)0x10000808 = 0x40000000; *(uint32_t*)0x1000080c = 0xff; *(uint32_t*)0x10000810 = 0x10001; syscall(SYS_ioctl, (intptr_t)r[1], 0xc0244457, 0x10000800); break; case 8: syscall(SYS_mmap, 0x10ffc000, 0x3000, 2, 0x10, (intptr_t)r[0], 0); break; case 9: *(uint32_t*)0x10000840 = 0; *(uint16_t*)0x10000844 = 0x8001; *(uint16_t*)0x10000846 = 4; *(uint16_t*)0x10000848 = 0x3f; *(uint16_t*)0x1000084a = -1; *(uint16_t*)0x1000084c = 0x20; *(uint16_t*)0x1000084e = 4; *(uint32_t*)0x10000880 = 0x10; syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 0x901, 0x10000840, 0x10000880); break; case 10: memcpy((void*)0x10000100, "\x65\xfc\x67\x0f\xa8\x66\xdb\xd3\xc4\xc1\xd1\x5f\xf2\xc4\xc1\x8d\xfa\xf2\xc4\xe2\x55\x3f\xd8\xc4\xe1\xb1\x7c\x60\x99\x66\x0f\x3a\x09\xc1\x89\x82\x83\xdf\x00\x00\x00\xfe\xc4\xc2\x91\x91\x5c\x86\x99", 49); syz_execute_func(0x10000100); break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); setup_fault(); use_temporary_dir(); do_sandbox_setuid(); return 0; } :195:13: error: unused function 'csum_inet_init' [-Werror,-Wunused-function] static void csum_inet_init(struct csum_inet* csum) ^ :200:13: error: unused function 'csum_inet_update' [-Werror,-Wunused-function] static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) ^ :213:17: error: unused function 'csum_inet_digest' 
[-Werror,-Wunused-function] static uint16_t csum_inet_digest(struct csum_inet* csum) ^ 3 errors generated. compiler invocation: clang [-o /tmp/syz-executor592233160 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/15 (1.07s) csource_test.go:118: opts: {Threaded:true Collide:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:true Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: extattr_delete_file(&(0x7f0000000000)='./file0\x00', 0x1, &(0x7f0000000040)='/{[-*-:#!@(*\x00') (fail_nth: 1) r0 = accept4$inet6(0xffffffffffffffff, &(0x7f0000000080)={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @remote}, &(0x7f00000000c0)=0x1c, 0x30000000) utimensat(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', &(0x7f0000000140)={{0x7, 0x7}, {0x7, 0x5}}, 0x4000) setsockopt$inet_sctp_SCTP_EXPLICIT_EOR(0xffffffffffffffff, 0x84, 0x1b, &(0x7f0000000180)=0x2, 0x4) shm_open2(&(0x7f00000001c0)='./file1\x00', 0x0, 0x100, 0x4, &(0x7f0000000200)=')/,&o\x00') ioctl$DIOCRSETTFLAGS(0xffffffffffffffff, 0xc44c444a, &(0x7f00000002c0)={{"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", "9f538c90e871041e5c20e4ce66046a7c616241a9680d8539866c5a96b1c8ecc9", 0x80000000, 0x1}, &(0x7f0000000240)="18167d1501224bddd48fc6e3f883d8f2dd60a2fad40d6c1520c6c51f84cedcc571c2e32e14abf447283e87a5f3f781bdba001c54edaeda7aa88c1911f54c8f0a9a42dce49508275dce74fd73cdab1eabf8aa104c74f7c3bb54d0500afc2b97", 0x9621, 0x2, 0x8, 0x800, 0x3, 0x10001, 0xfa, 0x7fff}) r1 = openat$ptmx(0xffffff9c, &(0x7f0000000740), 0x800, 0x0) ioctl$DIOCIGETIFACES(r1, 0xc0244457, &(0x7f0000000800)={0x10, 
&(0x7f0000000780)="85dffefc4efcb1b4016c842d2cc4b45bfa064e55869999bf6137689406754fe7c0b179029f2f35c516d93231a104813ea26f8ff7f1cf848188d9d0b6260500402ddca36fe8e1cd0ad5e81856a2f9f983f5981ace989e976f", 0x40000000, 0xff, 0x10001}) mmap(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2, 0x10, r0, 0x0) getsockopt$inet6_sctp_SCTP_RESET_STREAMS(r0, 0x84, 0x901, &(0x7f0000000840)={0x0, 0x8001, 0x4, [0x3f, 0xffff, 0x20, 0x4]}, &(0x7f0000000880)=0x10) syz_emit_ethernet(0xf3, &(0x7f0000000000)={@local, @local, [{[], {0x8100, 0x6, 0x1, 0x2}}], {@ipv4={0x800, {{0x9, 0x4, 0x2, 0x7, 0xe1, 0x65, 0x878, 0x4, 0x4d, 0x0, @empty, @multicast1, {[@generic={0x44, 0xd, "4de51ab866bb431c3dc521"}, @noop, @noop]}}, @generic="5ace0f0ff30bd68564f743a2ef2821a21c197ab27f80fcd10e900d506ab328909d636f25df603ad9e4ee16761ee679e24d1854d5cdd65b0172c27bed2165fdda7aa45a333f06d92d8d2beb389dcbc153d4e96a2792c39f0e07a5392ed08d386b6bf96b8f5801558093c009e7accdc8456fe898abba673e55c1330ee9454f4c2017e5e474c63c853817170734473727a7c0566eaf2be05daa6ed143d3ea4f0b39b87a60d41ed2d8ffd00e6472c06a0e8a98fae4c68ae1314f968bb3b931"}}}}) syz_execute_func(&(0x7f0000000100)="65fc670fa866dbd3c4c1d15ff2c4c18dfaf2c4e2553fd8c4e1b17c6099660f3a09c1898283df000000fec4c291915c8699") syz_extract_tcp_res(&(0x7f0000000140), 0x401, 0x1) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { 
char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static int inject_fault(int nth) { return 0; } static void setup_fault() { } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t 
start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void 
execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; int collide = 0; again: for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (collide && (call % 2) == 0) break; event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); if (!collide) { collide = 1; goto again; } } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef SYS_shm_open2 #define SYS_shm_open2 571 #endif uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); memcpy((void*)0x10000040, "/{[-*-:#!@(*\000", 13); inject_fault(1); syscall(SYS_extattr_delete_file, 0x10000000, 1, 
0x10000040); break; case 1: *(uint32_t*)0x100000c0 = 0x1c; res = syscall(SYS_accept4, -1, 0x10000080, 0x100000c0, 0x30000000); if (res != -1) r[0] = res; break; case 2: memcpy((void*)0x10000100, "./file0\000", 8); *(uint32_t*)0x10000140 = 7; *(uint32_t*)0x10000144 = 7; *(uint32_t*)0x10000148 = 7; *(uint32_t*)0x1000014c = 5; syscall(SYS_utimensat, -1, 0x10000100, 0x10000140, 0x4000); break; case 3: *(uint32_t*)0x10000180 = 2; syscall(SYS_setsockopt, -1, 0x84, 0x1b, 0x10000180, 4); break; case 4: memcpy((void*)0x100001c0, "./file1\000", 8); memcpy((void*)0x10000200, ")/,&o\000", 6); syscall(SYS_shm_open2, 0x100001c0, 0, 0x100, 4, 0x10000200); break; case 5: memcpy((void*)0x100002c0, "\x99\xdb\x9c\xfd\x2a\xc3\x80\x5e\x5c\x41\x44\x73\xfb\x35\xf0\xdc\x56\x95\x09\x24\xb8\x94\xab\x78\x61\xea\x0b\x42\x08\x4c\x29\x7d\x5c\x37\x16\x93\x5f\x49\x47\xbb\x1b\x6f\x0c\xee\x80\x31\xe0\xa4\x32\x51\xc5\xc3\xcc\x4c\x19\xc1\xab\x43\x6a\x79\xdf\x65\x33\x23\x3b\xaf\x31\x8c\x6c\xeb\x2c\x35\x46\x9f\xf0\x7a\x65\x90\x51\x8b\x57\xef\x97\x14\x05\x05\x6e\xfc\x80\xd5\xf5\xf4\x28\x81\x8f\xb3\x7a\x2e\x2e\xcd\xb5\xee\x34\xef\xf8\x92\x23\x92\x54\x73\xb8\xef\x06\x3f\x69\x9b\xf0\x06\xf5\xf4\x41\xca\xcd\xf4\x74\x82\xbf\x43\x16\x93\xaf\x0d\xfd\x4a\xae\x73\xd6\x63\xf8\xbf\x69\x5f\x16\x23\x65\x8d\x31\x9f\x25\xfb\x04\x25\xcc\x53\xf6\xb5\x60\xf8\xaa\x39\x20\x11\xf8\xd9\x05\x33\x27\xec\xe9\xb0\xa4\x52\x91\xc8\x23\x70\xca\x8c\x7d\x35\x7c\xc3\x8f\x7e\x82\x11\x48\xce\x01\x3e\x78\xa5\x4c\x1f\x2c\x14\x3d\x88\x85\xd2\xf3\xb0\x9c\xeb\x63\xc2\xa9\x0f\xe2\x46\xc1\x35\x88\xad\xb9\x77\x99\x93\x95\xa0\x06\xb7\x67\xb5\xf0\x3f\xb3\x8a\xb2\xdb\x97\x81\x63\x25\xd9\x5e\xfe\xee\xb0\x71\x21\x2b\x2b\xf0\x59\x5c\x09\x96\x28\x73\x3f\x29\x45\x4f\xbb\x97\x36\x7d\x42\xde\xc2\xb0\x1e\x8c\x66\x60\x49\xbc\x8f\x83\xe4\x63\x97\x35\x45\x9b\xd8\xf1\x93\x5a\x17\xd4\xd2\xb8\xea\x23\x59\x08\x55\x1c\x19\x6f\x3d\xfa\x34\x84\x45\x11\x32\x90\x8e\x5c\xfe\x22\xe5\x37\xbf\x83\x4f\xd8\x7a\x77\xc6\x89\xba\x5f\x8c\x59\x9d\xcf\xb4\xd8\x25\xcd\x57\x47\xb2\
xa9\x0e\x19\x5d\xc0\x2f\x9e\x8c\xa0\x47\x45\xf3\x36\xe1\xb0\x4a\x3c\x7a\x0e\x58\xbb\x6f\x17\xaf\xf7\x55\xb9\x15\x33\x4d\x57\x04\x86\x46\xfb\xf3\xaa\x24\x4a\x46\x43\x7c\xe8\x9c\xa2\xc0\xa7\x2d\x1b\x71\xfe\xec\xc0\xaf\xdc\xf4\x69\x1b\xce\x0b\x11\xf3\x2c\x63\x2f\xa6\x14\x7d\xbc\xaa\x8b\xed\x3f\x20\x67\xb8\x7c\x4e\x7d\xb3\x7e\xba\x3c\x6d\xb7\x27\x0d\x0d\xde\x21\xa6\x40\x13\xc7\x98\x0b\xef\xc4\x93\xcc\xe3\x08\xc4\xbb\xd1\x02\xcc\x77\x04\xb9\x27\x92\x62\x12\xee\xff\xe9\x26\xb3\xc9\x11\xec\x7a\xcf\xb8\x99\xf5\x21\xdc\x93\x25\xbf\xf6\x07\x3b\x5c\x13\xee\xb2\xaa\xd7\x6a\x4c\x3d\x5c\x48\xcd\xcc\xd0\xab\xea\x1a\xb9\xab\x39\x95\x85\x9c\xfd\x11\xe5\x44\x9e\xfb\x30\x51\x2a\x17\xe1\x7f\xcd\x35\x7b\x1f\x69\x34\xd4\xab\x0d\x27\xc8\x61\x55\x83\x8f\x93\x9e\x7a\x80\x1d\x32\xac\x49\xca\x9e\xf4\x62\x8d\xcb\x19\x4c\x79\x97\x77\x5b\x69\xc1\x13\x12\x58\x4c\xaa\xa6\x75\x37\xc1\x83\x5b\x27\x4e\x4e\xcd\x58\xe8\x36\xfe\x2d\x53\xff\x93\x90\xb3\x4d\xb4\x85\xf8\x9b\x87\x1a\xb7\xf1\xe5\xe6\x9f\x86\x40\xb8\xfa\x5a\x70\x46\x61\xa5\x88\x19\xe1\x25\x77\x5b\xe4\xe4\x87\xf8\xcc\x4d\x3e\x9c\x11\x45\xf5\x78\x1a\x69\x0e\x42\x05\x66\xb5\xed\x39\x26\x7c\xe4\x43\x1d\xf9\x61\x0f\xa7\x7e\xbf\x82\x54\xf1\x60\xf4\x06\x8c\x5f\xde\xcd\xc8\xf9\xcf\x66\x71\x51\x3d\xfc\xf6\x4d\xc7\xa3\x7a\x92\x7b\xfc\xeb\x07\x62\x48\x8b\x7d\xec\x6d\xf1\x8f\x80\x27\xba\xe0\x91\xd8\x5d\x0d\xed\x0f\x72\x10\x8e\x5c\x21\xdd\xaf\x28\xef\x52\xf4\x24\x67\x7a\xb3\xfa\x1e\xab\xb6\xd3\x47\x78\x99\x65\xce\xb8\xbb\x45\x19\x35\x95\x8c\xc5\xba\x87\xf4\x64\x98\x78\x35\x00\x31\x9a\x2d\xf3\xed\x16\x8a\xf5\x35\x81\x54\x5d\xde\xa2\xd0\x51\x55\x16\xbf\xbf\x8f\xea\x62\xa7\x60\x19\x34\x79\xc7\x7e\x73\xa7\x9d\xbf\xa8\x21\x18\xc0\x13\xbf\x41\x8d\x35\x30\xc2\x0e\x7f\x47\xdd\xd8\xba\x80\xa0\x23\xde\x38\x3b\x54\x5c\x29\xfc\x63\x38\xf2\x77\xa7\x3b\xaf\x46\x55\x1e\x85\x50\x60\xb9\x91\x84\xc5\x4d\x1c\x11\xd3\xf7\x44\xac\xb0\x2e\x5b\x12\x6d\xf5\xa1\x05\x71\x65\x6b\xa6\xab\xb5\xe4\xef\x94\x06\xc2\xf5\x38\x0e\x69\x1e\x46\xa4\xca\x1c\x5d\xd7\xfc\x87\xd0\x81\xca\x94\xcd\
x5a\xb7\xfb\x45\xa4\x8c\x68\x0f\xab\x76\x1f\x9b\x1a\x17\xbe\x44\x9d\x74\xf1\x29\x1b\x85\x9c\x37\xba\x01\x91\xb0\x09\x98\xb7\x84\x29\x33\x43\x90\x02\xca\x81\x7b\xd3\xf5\x14\x04\x81\xc9\x57\xfe\x95\xea\x9a\x50\xd0\x5b\xc2\x7f\x1c\x0f\x8d\xbc\x26\x7c\x50\x77\x6c\x77\x4a\x69\x49\x22\xa5\xce\x1c\xc8\xfd\x7e\x14\x78\xa3\xe2\xcc\x58\xf5\x70\xac\xda\x3a\x16\xca\xd5\x66\x7e\x28\xd2\x45\xdd\x78\xc7\x8e\x5e\x35\x00\xe0\xae\xe9\x1f\x10\xb6\xfc\x29\xd0\xd1\xbd\xfa\xae\x7e\xf6\x6e\xe2\x88\xd5\xd5\xb2\xb7\x2d\x09\x77\x67\x25\xea\xf7\x70\xef\x1e\xe4\xec\x08\x9c\x1d\xbc\xdb\x87\xb8\x64\xac\x3f\xab\xdb\xf4\x1d\x9d\xd3\x5a\xd4\x20\x09\x88\x89\xe1\xf5\x30\x30\x51\x47\xbe\x9e\x5c\x67\x09\xec\x22\xbe\x90\x76\x24\x1d\xc4\xbf\x66\x07\x9f\xda\x5f\x19\x0d\x26\xd5\x97\x7a\x4f\x2d\xf8\xb5\x43\x3d\xa1\x2f", 1024); memcpy((void*)0x100006c0, "\x9f\x53\x8c\x90\xe8\x71\x04\x1e\x5c\x20\xe4\xce\x66\x04\x6a\x7c\x61\x62\x41\xa9\x68\x0d\x85\x39\x86\x6c\x5a\x96\xb1\xc8\xec\xc9", 32); *(uint32_t*)0x100006e0 = 0x80000000; *(uint8_t*)0x100006e4 = 1; *(uint32_t*)0x100006e8 = 0x10000240; memcpy((void*)0x10000240, "\x18\x16\x7d\x15\x01\x22\x4b\xdd\xd4\x8f\xc6\xe3\xf8\x83\xd8\xf2\xdd\x60\xa2\xfa\xd4\x0d\x6c\x15\x20\xc6\xc5\x1f\x84\xce\xdc\xc5\x71\xc2\xe3\x2e\x14\xab\xf4\x47\x28\x3e\x87\xa5\xf3\xf7\x81\xbd\xba\x00\x1c\x54\xed\xae\xda\x7a\xa8\x8c\x19\x11\xf5\x4c\x8f\x0a\x9a\x42\xdc\xe4\x95\x08\x27\x5d\xce\x74\xfd\x73\xcd\xab\x1e\xab\xf8\xaa\x10\x4c\x74\xf7\xc3\xbb\x54\xd0\x50\x0a\xfc\x2b\x97", 95); *(uint64_t*)0x100006ec = 0x9621; *(uint64_t*)0x100006f4 = 2; *(uint64_t*)0x100006fc = 8; *(uint64_t*)0x10000704 = 0x800; *(uint64_t*)0x1000070c = 3; *(uint64_t*)0x10000714 = 0x10001; *(uint64_t*)0x1000071c = 0xfa; *(uint32_t*)0x10000724 = 0x7fff; syscall(SYS_ioctl, -1, 0xc44c444a, 0x100002c0); break; case 6: memcpy((void*)0x10000740, "/dev/pf\000", 8); res = syscall(SYS_openat, 0xffffff9c, 0x10000740, 0x800, 0); if (res != -1) r[1] = res; break; case 7: *(uint8_t*)0x10000800 = 0x10; *(uint32_t*)0x10000804 = 
0x10000780; memcpy((void*)0x10000780, "\x85\xdf\xfe\xfc\x4e\xfc\xb1\xb4\x01\x6c\x84\x2d\x2c\xc4\xb4\x5b\xfa\x06\x4e\x55\x86\x99\x99\xbf\x61\x37\x68\x94\x06\x75\x4f\xe7\xc0\xb1\x79\x02\x9f\x2f\x35\xc5\x16\xd9\x32\x31\xa1\x04\x81\x3e\xa2\x6f\x8f\xf7\xf1\xcf\x84\x81\x88\xd9\xd0\xb6\x26\x05\x00\x40\x2d\xdc\xa3\x6f\xe8\xe1\xcd\x0a\xd5\xe8\x18\x56\xa2\xf9\xf9\x83\xf5\x98\x1a\xce\x98\x9e\x97\x6f", 88); *(uint32_t*)0x10000808 = 0x40000000; *(uint32_t*)0x1000080c = 0xff; *(uint32_t*)0x10000810 = 0x10001; syscall(SYS_ioctl, (intptr_t)r[1], 0xc0244457, 0x10000800); break; case 8: syscall(SYS_mmap, 0x10ffc000, 0x3000, 2, 0x10, (intptr_t)r[0], 0); break; case 9: *(uint32_t*)0x10000840 = 0; *(uint16_t*)0x10000844 = 0x8001; *(uint16_t*)0x10000846 = 4; *(uint16_t*)0x10000848 = 0x3f; *(uint16_t*)0x1000084a = -1; *(uint16_t*)0x1000084c = 0x20; *(uint16_t*)0x1000084e = 4; *(uint32_t*)0x10000880 = 0x10; syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 0x901, 0x10000840, 0x10000880); break; case 10: memcpy((void*)0x10000100, "\x65\xfc\x67\x0f\xa8\x66\xdb\xd3\xc4\xc1\xd1\x5f\xf2\xc4\xc1\x8d\xfa\xf2\xc4\xe2\x55\x3f\xd8\xc4\xe1\xb1\x7c\x60\x99\x66\x0f\x3a\x09\xc1\x89\x82\x83\xdf\x00\x00\x00\xfe\xc4\xc2\x91\x91\x5c\x86\x99", 49); syz_execute_func(0x10000100); break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); setup_fault(); for (procid = 0; procid < 2; procid++) { if (fork() == 0) { use_temporary_dir(); do_sandbox_none(); } } sleep(1000000); return 0; }
<stdin>:197:13: error: unused function 'csum_inet_init' [-Werror,-Wunused-function] static void csum_inet_init(struct csum_inet* csum) ^
<stdin>:202:13: error: unused function 'csum_inet_update' [-Werror,-Wunused-function] static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) ^
<stdin>:215:17: error: unused function 'csum_inet_digest' [-Werror,-Wunused-function] static uint16_t csum_inet_digest(struct csum_inet* csum) ^
3 errors generated.
compiler invocation: clang [-o /tmp/syz-executor099841927 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/3 (1.02s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: extattr_delete_file(&(0x7f0000000000)='./file0\x00', 0x1, &(0x7f0000000040)='/{[-*-:#!@(*\x00') (fail_nth: 1) r0 = accept4$inet6(0xffffffffffffffff, &(0x7f0000000080)={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @remote}, &(0x7f00000000c0)=0x1c, 0x30000000) utimensat(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', &(0x7f0000000140)={{0x7, 0x7}, {0x7, 0x5}}, 0x4000) setsockopt$inet_sctp_SCTP_EXPLICIT_EOR(0xffffffffffffffff, 0x84, 0x1b, &(0x7f0000000180)=0x2, 0x4) shm_open2(&(0x7f00000001c0)='./file1\x00', 0x0, 0x100, 0x4, &(0x7f0000000200)=')/,&o\x00') ioctl$DIOCRSETTFLAGS(0xffffffffffffffff, 0xc44c444a, &(0x7f00000002c0)={{"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", "9f538c90e871041e5c20e4ce66046a7c616241a9680d8539866c5a96b1c8ecc9", 0x80000000, 0x1}, &(0x7f0000000240)="18167d1501224bddd48fc6e3f883d8f2dd60a2fad40d6c1520c6c51f84cedcc571c2e32e14abf447283e87a5f3f781bdba001c54edaeda7aa88c1911f54c8f0a9a42dce49508275dce74fd73cdab1eabf8aa104c74f7c3bb54d0500afc2b97", 0x9621, 0x2, 0x8, 0x800, 0x3, 0x10001, 0xfa, 0x7fff}) r1 = openat$ptmx(0xffffff9c, &(0x7f0000000740), 0x800, 0x0) ioctl$DIOCIGETIFACES(r1, 0xc0244457, &(0x7f0000000800)={0x10, 
&(0x7f0000000780)="85dffefc4efcb1b4016c842d2cc4b45bfa064e55869999bf6137689406754fe7c0b179029f2f35c516d93231a104813ea26f8ff7f1cf848188d9d0b6260500402ddca36fe8e1cd0ad5e81856a2f9f983f5981ace989e976f", 0x40000000, 0xff, 0x10001}) mmap(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2, 0x10, r0, 0x0) getsockopt$inet6_sctp_SCTP_RESET_STREAMS(r0, 0x84, 0x901, &(0x7f0000000840)={0x0, 0x8001, 0x4, [0x3f, 0xffff, 0x20, 0x4]}, &(0x7f0000000880)=0x10) syz_emit_ethernet(0xf3, &(0x7f0000000000)={@local, @local, [{[], {0x8100, 0x6, 0x1, 0x2}}], {@ipv4={0x800, {{0x9, 0x4, 0x2, 0x7, 0xe1, 0x65, 0x878, 0x4, 0x4d, 0x0, @empty, @multicast1, {[@generic={0x44, 0xd, "4de51ab866bb431c3dc521"}, @noop, @noop]}}, @generic="5ace0f0ff30bd68564f743a2ef2821a21c197ab27f80fcd10e900d506ab328909d636f25df603ad9e4ee16761ee679e24d1854d5cdd65b0172c27bed2165fdda7aa45a333f06d92d8d2beb389dcbc153d4e96a2792c39f0e07a5392ed08d386b6bf96b8f5801558093c009e7accdc8456fe898abba673e55c1330ee9454f4c2017e5e474c63c853817170734473727a7c0566eaf2be05daa6ed143d3ea4f0b39b87a60d41ed2d8ffd00e6472c06a0e8a98fae4c68ae1314f968bb3b931"}}}}) syz_execute_func(&(0x7f0000000100)="65fc670fa866dbd3c4c1d15ff2c4c18dfaf2c4e2553fd8c4e1b17c6099660f3a09c1898283df000000fec4c291915c8699") syz_extract_tcp_res(&(0x7f0000000140), 0x401, 0x1) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static int 
inject_fault(int nth) { return 0; } static void setup_fault() { } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) 
{ csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void loop(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); 
event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } #ifndef SYS_shm_open2 #define SYS_shm_open2 571 #endif uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); memcpy((void*)0x10000040, "/{[-*-:#!@(*\000", 13); inject_fault(1); syscall(SYS_extattr_delete_file, 0x10000000, 1, 0x10000040); break; case 1: *(uint32_t*)0x100000c0 = 0x1c; res = syscall(SYS_accept4, -1, 0x10000080, 0x100000c0, 0x30000000); if (res != -1) r[0] = res; break; case 2: memcpy((void*)0x10000100, "./file0\000", 8); *(uint32_t*)0x10000140 = 7; *(uint32_t*)0x10000144 = 7; *(uint32_t*)0x10000148 = 7; *(uint32_t*)0x1000014c = 5; syscall(SYS_utimensat, -1, 0x10000100, 0x10000140, 0x4000); break; case 3: *(uint32_t*)0x10000180 = 2; syscall(SYS_setsockopt, -1, 0x84, 0x1b, 0x10000180, 4); break; case 4: memcpy((void*)0x100001c0, "./file1\000", 8); memcpy((void*)0x10000200, ")/,&o\000", 6); syscall(SYS_shm_open2, 0x100001c0, 0, 0x100, 4, 0x10000200); break; case 5: memcpy((void*)0x100002c0, 
"\x99\xdb\x9c\xfd\x2a\xc3\x80\x5e\x5c\x41\x44\x73\xfb\x35\xf0\xdc\x56\x95\x09\x24\xb8\x94\xab\x78\x61\xea\x0b\x42\x08\x4c\x29\x7d\x5c\x37\x16\x93\x5f\x49\x47\xbb\x1b\x6f\x0c\xee\x80\x31\xe0\xa4\x32\x51\xc5\xc3\xcc\x4c\x19\xc1\xab\x43\x6a\x79\xdf\x65\x33\x23\x3b\xaf\x31\x8c\x6c\xeb\x2c\x35\x46\x9f\xf0\x7a\x65\x90\x51\x8b\x57\xef\x97\x14\x05\x05\x6e\xfc\x80\xd5\xf5\xf4\x28\x81\x8f\xb3\x7a\x2e\x2e\xcd\xb5\xee\x34\xef\xf8\x92\x23\x92\x54\x73\xb8\xef\x06\x3f\x69\x9b\xf0\x06\xf5\xf4\x41\xca\xcd\xf4\x74\x82\xbf\x43\x16\x93\xaf\x0d\xfd\x4a\xae\x73\xd6\x63\xf8\xbf\x69\x5f\x16\x23\x65\x8d\x31\x9f\x25\xfb\x04\x25\xcc\x53\xf6\xb5\x60\xf8\xaa\x39\x20\x11\xf8\xd9\x05\x33\x27\xec\xe9\xb0\xa4\x52\x91\xc8\x23\x70\xca\x8c\x7d\x35\x7c\xc3\x8f\x7e\x82\x11\x48\xce\x01\x3e\x78\xa5\x4c\x1f\x2c\x14\x3d\x88\x85\xd2\xf3\xb0\x9c\xeb\x63\xc2\xa9\x0f\xe2\x46\xc1\x35\x88\xad\xb9\x77\x99\x93\x95\xa0\x06\xb7\x67\xb5\xf0\x3f\xb3\x8a\xb2\xdb\x97\x81\x63\x25\xd9\x5e\xfe\xee\xb0\x71\x21\x2b\x2b\xf0\x59\x5c\x09\x96\x28\x73\x3f\x29\x45\x4f\xbb\x97\x36\x7d\x42\xde\xc2\xb0\x1e\x8c\x66\x60\x49\xbc\x8f\x83\xe4\x63\x97\x35\x45\x9b\xd8\xf1\x93\x5a\x17\xd4\xd2\xb8\xea\x23\x59\x08\x55\x1c\x19\x6f\x3d\xfa\x34\x84\x45\x11\x32\x90\x8e\x5c\xfe\x22\xe5\x37\xbf\x83\x4f\xd8\x7a\x77\xc6\x89\xba\x5f\x8c\x59\x9d\xcf\xb4\xd8\x25\xcd\x57\x47\xb2\xa9\x0e\x19\x5d\xc0\x2f\x9e\x8c\xa0\x47\x45\xf3\x36\xe1\xb0\x4a\x3c\x7a\x0e\x58\xbb\x6f\x17\xaf\xf7\x55\xb9\x15\x33\x4d\x57\x04\x86\x46\xfb\xf3\xaa\x24\x4a\x46\x43\x7c\xe8\x9c\xa2\xc0\xa7\x2d\x1b\x71\xfe\xec\xc0\xaf\xdc\xf4\x69\x1b\xce\x0b\x11\xf3\x2c\x63\x2f\xa6\x14\x7d\xbc\xaa\x8b\xed\x3f\x20\x67\xb8\x7c\x4e\x7d\xb3\x7e\xba\x3c\x6d\xb7\x27\x0d\x0d\xde\x21\xa6\x40\x13\xc7\x98\x0b\xef\xc4\x93\xcc\xe3\x08\xc4\xbb\xd1\x02\xcc\x77\x04\xb9\x27\x92\x62\x12\xee\xff\xe9\x26\xb3\xc9\x11\xec\x7a\xcf\xb8\x99\xf5\x21\xdc\x93\x25\xbf\xf6\x07\x3b\x5c\x13\xee\xb2\xaa\xd7\x6a\x4c\x3d\x5c\x48\xcd\xcc\xd0\xab\xea\x1a\xb9\xab\x39\x95\x85\x9c\xfd\x11\xe5\x44\x9e\xfb\x30\x51\x2a\x17\xe1\x7f\xcd\x35\x7
b\x1f\x69\x34\xd4\xab\x0d\x27\xc8\x61\x55\x83\x8f\x93\x9e\x7a\x80\x1d\x32\xac\x49\xca\x9e\xf4\x62\x8d\xcb\x19\x4c\x79\x97\x77\x5b\x69\xc1\x13\x12\x58\x4c\xaa\xa6\x75\x37\xc1\x83\x5b\x27\x4e\x4e\xcd\x58\xe8\x36\xfe\x2d\x53\xff\x93\x90\xb3\x4d\xb4\x85\xf8\x9b\x87\x1a\xb7\xf1\xe5\xe6\x9f\x86\x40\xb8\xfa\x5a\x70\x46\x61\xa5\x88\x19\xe1\x25\x77\x5b\xe4\xe4\x87\xf8\xcc\x4d\x3e\x9c\x11\x45\xf5\x78\x1a\x69\x0e\x42\x05\x66\xb5\xed\x39\x26\x7c\xe4\x43\x1d\xf9\x61\x0f\xa7\x7e\xbf\x82\x54\xf1\x60\xf4\x06\x8c\x5f\xde\xcd\xc8\xf9\xcf\x66\x71\x51\x3d\xfc\xf6\x4d\xc7\xa3\x7a\x92\x7b\xfc\xeb\x07\x62\x48\x8b\x7d\xec\x6d\xf1\x8f\x80\x27\xba\xe0\x91\xd8\x5d\x0d\xed\x0f\x72\x10\x8e\x5c\x21\xdd\xaf\x28\xef\x52\xf4\x24\x67\x7a\xb3\xfa\x1e\xab\xb6\xd3\x47\x78\x99\x65\xce\xb8\xbb\x45\x19\x35\x95\x8c\xc5\xba\x87\xf4\x64\x98\x78\x35\x00\x31\x9a\x2d\xf3\xed\x16\x8a\xf5\x35\x81\x54\x5d\xde\xa2\xd0\x51\x55\x16\xbf\xbf\x8f\xea\x62\xa7\x60\x19\x34\x79\xc7\x7e\x73\xa7\x9d\xbf\xa8\x21\x18\xc0\x13\xbf\x41\x8d\x35\x30\xc2\x0e\x7f\x47\xdd\xd8\xba\x80\xa0\x23\xde\x38\x3b\x54\x5c\x29\xfc\x63\x38\xf2\x77\xa7\x3b\xaf\x46\x55\x1e\x85\x50\x60\xb9\x91\x84\xc5\x4d\x1c\x11\xd3\xf7\x44\xac\xb0\x2e\x5b\x12\x6d\xf5\xa1\x05\x71\x65\x6b\xa6\xab\xb5\xe4\xef\x94\x06\xc2\xf5\x38\x0e\x69\x1e\x46\xa4\xca\x1c\x5d\xd7\xfc\x87\xd0\x81\xca\x94\xcd\x5a\xb7\xfb\x45\xa4\x8c\x68\x0f\xab\x76\x1f\x9b\x1a\x17\xbe\x44\x9d\x74\xf1\x29\x1b\x85\x9c\x37\xba\x01\x91\xb0\x09\x98\xb7\x84\x29\x33\x43\x90\x02\xca\x81\x7b\xd3\xf5\x14\x04\x81\xc9\x57\xfe\x95\xea\x9a\x50\xd0\x5b\xc2\x7f\x1c\x0f\x8d\xbc\x26\x7c\x50\x77\x6c\x77\x4a\x69\x49\x22\xa5\xce\x1c\xc8\xfd\x7e\x14\x78\xa3\xe2\xcc\x58\xf5\x70\xac\xda\x3a\x16\xca\xd5\x66\x7e\x28\xd2\x45\xdd\x78\xc7\x8e\x5e\x35\x00\xe0\xae\xe9\x1f\x10\xb6\xfc\x29\xd0\xd1\xbd\xfa\xae\x7e\xf6\x6e\xe2\x88\xd5\xd5\xb2\xb7\x2d\x09\x77\x67\x25\xea\xf7\x70\xef\x1e\xe4\xec\x08\x9c\x1d\xbc\xdb\x87\xb8\x64\xac\x3f\xab\xdb\xf4\x1d\x9d\xd3\x5a\xd4\x20\x09\x88\x89\xe1\xf5\x30\x30\x51\x47\xbe\x9e\x5c\x67\x09\xec\x22\xbe\x9
0\x76\x24\x1d\xc4\xbf\x66\x07\x9f\xda\x5f\x19\x0d\x26\xd5\x97\x7a\x4f\x2d\xf8\xb5\x43\x3d\xa1\x2f", 1024); memcpy((void*)0x100006c0, "\x9f\x53\x8c\x90\xe8\x71\x04\x1e\x5c\x20\xe4\xce\x66\x04\x6a\x7c\x61\x62\x41\xa9\x68\x0d\x85\x39\x86\x6c\x5a\x96\xb1\xc8\xec\xc9", 32); *(uint32_t*)0x100006e0 = 0x80000000; *(uint8_t*)0x100006e4 = 1; *(uint32_t*)0x100006e8 = 0x10000240; memcpy((void*)0x10000240, "\x18\x16\x7d\x15\x01\x22\x4b\xdd\xd4\x8f\xc6\xe3\xf8\x83\xd8\xf2\xdd\x60\xa2\xfa\xd4\x0d\x6c\x15\x20\xc6\xc5\x1f\x84\xce\xdc\xc5\x71\xc2\xe3\x2e\x14\xab\xf4\x47\x28\x3e\x87\xa5\xf3\xf7\x81\xbd\xba\x00\x1c\x54\xed\xae\xda\x7a\xa8\x8c\x19\x11\xf5\x4c\x8f\x0a\x9a\x42\xdc\xe4\x95\x08\x27\x5d\xce\x74\xfd\x73\xcd\xab\x1e\xab\xf8\xaa\x10\x4c\x74\xf7\xc3\xbb\x54\xd0\x50\x0a\xfc\x2b\x97", 95); *(uint64_t*)0x100006ec = 0x9621; *(uint64_t*)0x100006f4 = 2; *(uint64_t*)0x100006fc = 8; *(uint64_t*)0x10000704 = 0x800; *(uint64_t*)0x1000070c = 3; *(uint64_t*)0x10000714 = 0x10001; *(uint64_t*)0x1000071c = 0xfa; *(uint32_t*)0x10000724 = 0x7fff; syscall(SYS_ioctl, -1, 0xc44c444a, 0x100002c0); break; case 6: memcpy((void*)0x10000740, "/dev/pf\000", 8); res = syscall(SYS_openat, 0xffffff9c, 0x10000740, 0x800, 0); if (res != -1) r[1] = res; break; case 7: *(uint8_t*)0x10000800 = 0x10; *(uint32_t*)0x10000804 = 0x10000780; memcpy((void*)0x10000780, "\x85\xdf\xfe\xfc\x4e\xfc\xb1\xb4\x01\x6c\x84\x2d\x2c\xc4\xb4\x5b\xfa\x06\x4e\x55\x86\x99\x99\xbf\x61\x37\x68\x94\x06\x75\x4f\xe7\xc0\xb1\x79\x02\x9f\x2f\x35\xc5\x16\xd9\x32\x31\xa1\x04\x81\x3e\xa2\x6f\x8f\xf7\xf1\xcf\x84\x81\x88\xd9\xd0\xb6\x26\x05\x00\x40\x2d\xdc\xa3\x6f\xe8\xe1\xcd\x0a\xd5\xe8\x18\x56\xa2\xf9\xf9\x83\xf5\x98\x1a\xce\x98\x9e\x97\x6f", 88); *(uint32_t*)0x10000808 = 0x40000000; *(uint32_t*)0x1000080c = 0xff; *(uint32_t*)0x10000810 = 0x10001; syscall(SYS_ioctl, (intptr_t)r[1], 0xc0244457, 0x10000800); break; case 8: syscall(SYS_mmap, 0x10ffc000, 0x3000, 2, 0x10, (intptr_t)r[0], 0); break; case 9: *(uint32_t*)0x10000840 = 0; 
*(uint16_t*)0x10000844 = 0x8001; *(uint16_t*)0x10000846 = 4; *(uint16_t*)0x10000848 = 0x3f; *(uint16_t*)0x1000084a = -1; *(uint16_t*)0x1000084c = 0x20; *(uint16_t*)0x1000084e = 4; *(uint32_t*)0x10000880 = 0x10; syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 0x901, 0x10000840, 0x10000880); break; case 10: memcpy((void*)0x10000100, "\x65\xfc\x67\x0f\xa8\x66\xdb\xd3\xc4\xc1\xd1\x5f\xf2\xc4\xc1\x8d\xfa\xf2\xc4\xe2\x55\x3f\xd8\xc4\xe1\xb1\x7c\x60\x99\x66\x0f\x3a\x09\xc1\x89\x82\x83\xdf\x00\x00\x00\xfe\xc4\xc2\x91\x91\x5c\x86\x99", 49); syz_execute_func(0x10000100); break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; }
<stdin>:151:13: error: unused function 'csum_inet_init' [-Werror,-Wunused-function] static void csum_inet_init(struct csum_inet* csum) ^
<stdin>:156:13: error: unused function 'csum_inet_update' [-Werror,-Wunused-function] static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) ^
<stdin>:169:17: error: unused function 'csum_inet_digest' [-Werror,-Wunused-function] static uint16_t csum_inet_digest(struct csum_inet* csum) ^
3 errors generated.
compiler invocation: clang [-o /tmp/syz-executor306926394 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/5 (0.96s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: extattr_delete_file(&(0x7f0000000000)='./file0\x00', 0x1, &(0x7f0000000040)='/{[-*-:#!@(*\x00') (fail_nth: 1) r0 = accept4$inet6(0xffffffffffffffff, &(0x7f0000000080)={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @remote}, &(0x7f00000000c0)=0x1c, 0x30000000) utimensat(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', &(0x7f0000000140)={{0x7, 0x7}, {0x7, 0x5}}, 0x4000) setsockopt$inet_sctp_SCTP_EXPLICIT_EOR(0xffffffffffffffff, 0x84, 0x1b, &(0x7f0000000180)=0x2, 0x4) shm_open2(&(0x7f00000001c0)='./file1\x00', 0x0, 0x100, 0x4, &(0x7f0000000200)=')/,&o\x00') ioctl$DIOCRSETTFLAGS(0xffffffffffffffff, 0xc44c444a, 
&(0x7f00000002c0)={{"99db9cfd2ac3805e5c414473fb35f0dc56950924b894ab7861ea0b42084c297d5c3716935f4947bb1b6f0cee8031e0a43251c5c3cc4c19c1ab436a79df6533233baf318c6ceb2c35469ff07a6590518b57ef971405056efc80d5f5f428818fb37a2e2ecdb5ee34eff89223925473b8ef063f699bf006f5f441cacdf47482bf431693af0dfd4aae73d663f8bf695f1623658d319f25fb0425cc53f6b560f8aa392011f8d9053327ece9b0a45291c82370ca8c7d357cc38f7e821148ce013e78a54c1f2c143d8885d2f3b09ceb63c2a90fe246c13588adb977999395a006b767b5f03fb38ab2db97816325d95efeeeb071212b2bf0595c099628733f29454fbb97367d42dec2b01e8c666049bc8f83e4639735459bd8f1935a17d4d2b8ea235908551c196f3dfa3484451132908e5cfe22e537bf834fd87a77c689ba5f8c599dcfb4d825cd5747b2a90e195dc02f9e8ca04745f336e1b04a3c7a0e58bb6f17aff755b915334d57048646fbf3aa244a46437ce89ca2c0a72d1b71feecc0afdcf4691bce0b11f32c632fa6147dbcaa8bed3f2067b87c4e7db37eba3c6db7270d0dde21a64013c7980befc493cce308c4bbd102cc7704b927926212eeffe926b3c911ec7acfb899f521dc9325bff6073b5c13eeb2aad76a4c3d5c48cdccd0abea1ab9ab3995859cfd11e5449efb30512a17e17fcd357b1f6934d4ab0d27c86155838f939e7a801d32ac49ca9ef4628dcb194c7997775b69c11312584caaa67537c1835b274e4ecd58e836fe2d53ff9390b34db485f89b871ab7f1e5e69f8640b8fa5a704661a58819e125775be4e487f8cc4d3e9c1145f5781a690e420566b5ed39267ce4431df9610fa77ebf8254f160f4068c5fdecdc8f9cf6671513dfcf64dc7a37a927bfceb0762488b7dec6df18f8027bae091d85d0ded0f72108e5c21ddaf28ef52f424677ab3fa1eabb6d347789965ceb8bb451935958cc5ba87f46498783500319a2df3ed168af53581545ddea2d0515516bfbf8fea62a760193479c77e73a79dbfa82118c013bf418d3530c20e7f47ddd8ba80a023de383b545c29fc6338f277a73baf46551e855060b99184c54d1c11d3f744acb02e5b126df5a10571656ba6abb5e4ef9406c2f5380e691e46a4ca1c5dd7fc87d081ca94cd5ab7fb45a48c680fab761f9b1a17be449d74f1291b859c37ba0191b00998b7842933439002ca817bd3f5140481c957fe95ea9a50d05bc27f1c0f8dbc267c50776c774a694922a5ce1cc8fd7e1478a3e2cc58f570acda3a16cad5667e28d245dd78c78e5e3500e0aee91f10b6fc29d0d1bdfaae7ef66ee288d5d5b2b72d09776725eaf770ef1ee4ec089c1dbcdb87b864ac3fabdbf41d9dd35ad420098889e1f530305
147be9e5c6709ec22be9076241dc4bf66079fda5f190d26d5977a4f2df8b5433da12f", "9f538c90e871041e5c20e4ce66046a7c616241a9680d8539866c5a96b1c8ecc9", 0x80000000, 0x1}, &(0x7f0000000240)="18167d1501224bddd48fc6e3f883d8f2dd60a2fad40d6c1520c6c51f84cedcc571c2e32e14abf447283e87a5f3f781bdba001c54edaeda7aa88c1911f54c8f0a9a42dce49508275dce74fd73cdab1eabf8aa104c74f7c3bb54d0500afc2b97", 0x9621, 0x2, 0x8, 0x800, 0x3, 0x10001, 0xfa, 0x7fff}) r1 = openat$ptmx(0xffffff9c, &(0x7f0000000740), 0x800, 0x0) ioctl$DIOCIGETIFACES(r1, 0xc0244457, &(0x7f0000000800)={0x10, &(0x7f0000000780)="85dffefc4efcb1b4016c842d2cc4b45bfa064e55869999bf6137689406754fe7c0b179029f2f35c516d93231a104813ea26f8ff7f1cf848188d9d0b6260500402ddca36fe8e1cd0ad5e81856a2f9f983f5981ace989e976f", 0x40000000, 0xff, 0x10001}) mmap(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2, 0x10, r0, 0x0) getsockopt$inet6_sctp_SCTP_RESET_STREAMS(r0, 0x84, 0x901, &(0x7f0000000840)={0x0, 0x8001, 0x4, [0x3f, 0xffff, 0x20, 0x4]}, &(0x7f0000000880)=0x10) syz_emit_ethernet(0xf3, &(0x7f0000000000)={@local, @local, [{[], {0x8100, 0x6, 0x1, 0x2}}], {@ipv4={0x800, {{0x9, 0x4, 0x2, 0x7, 0xe1, 0x65, 0x878, 0x4, 0x4d, 0x0, @empty, @multicast1, {[@generic={0x44, 0xd, "4de51ab866bb431c3dc521"}, @noop, @noop]}}, @generic="5ace0f0ff30bd68564f743a2ef2821a21c197ab27f80fcd10e900d506ab328909d636f25df603ad9e4ee16761ee679e24d1854d5cdd65b0172c27bed2165fdda7aa45a333f06d92d8d2beb389dcbc153d4e96a2792c39f0e07a5392ed08d386b6bf96b8f5801558093c009e7accdc8456fe898abba673e55c1330ee9454f4c2017e5e474c63c853817170734473727a7c0566eaf2be05daa6ed143d3ea4f0b39b87a60d41ed2d8ffd00e6472c06a0e8a98fae4c68ae1314f968bb3b931"}}}}) syz_execute_func(&(0x7f0000000100)="65fc670fa866dbd3c4c1d15ff2c4c18dfaf2c4e2553fd8c4e1b17c6099660f3a09c1898283df000000fec4c291915c8699") syz_extract_tcp_res(&(0x7f0000000140), 0x401, 0x1) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include 
#include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static int inject_fault(int nth) { return 0; } static void setup_fault() { } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void 
event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, 
&rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef 
SYS_shm_open2 #define SYS_shm_open2 571 #endif uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); memcpy((void*)0x10000040, "/{[-*-:#!@(*\000", 13); inject_fault(1); syscall(SYS_extattr_delete_file, 0x10000000, 1, 0x10000040); break; case 1: *(uint32_t*)0x100000c0 = 0x1c; res = syscall(SYS_accept4, -1, 0x10000080, 0x100000c0, 0x30000000); if (res != -1) r[0] = res; break; case 2: memcpy((void*)0x10000100, "./file0\000", 8); *(uint32_t*)0x10000140 = 7; *(uint32_t*)0x10000144 = 7; *(uint32_t*)0x10000148 = 7; *(uint32_t*)0x1000014c = 5; syscall(SYS_utimensat, -1, 0x10000100, 0x10000140, 0x4000); break; case 3: *(uint32_t*)0x10000180 = 2; syscall(SYS_setsockopt, -1, 0x84, 0x1b, 0x10000180, 4); break; case 4: memcpy((void*)0x100001c0, "./file1\000", 8); memcpy((void*)0x10000200, ")/,&o\000", 6); syscall(SYS_shm_open2, 0x100001c0, 0, 0x100, 4, 0x10000200); break; case 5: memcpy((void*)0x100002c0, 
"\x99\xdb\x9c\xfd\x2a\xc3\x80\x5e\x5c\x41\x44\x73\xfb\x35\xf0\xdc\x56\x95\x09\x24\xb8\x94\xab\x78\x61\xea\x0b\x42\x08\x4c\x29\x7d\x5c\x37\x16\x93\x5f\x49\x47\xbb\x1b\x6f\x0c\xee\x80\x31\xe0\xa4\x32\x51\xc5\xc3\xcc\x4c\x19\xc1\xab\x43\x6a\x79\xdf\x65\x33\x23\x3b\xaf\x31\x8c\x6c\xeb\x2c\x35\x46\x9f\xf0\x7a\x65\x90\x51\x8b\x57\xef\x97\x14\x05\x05\x6e\xfc\x80\xd5\xf5\xf4\x28\x81\x8f\xb3\x7a\x2e\x2e\xcd\xb5\xee\x34\xef\xf8\x92\x23\x92\x54\x73\xb8\xef\x06\x3f\x69\x9b\xf0\x06\xf5\xf4\x41\xca\xcd\xf4\x74\x82\xbf\x43\x16\x93\xaf\x0d\xfd\x4a\xae\x73\xd6\x63\xf8\xbf\x69\x5f\x16\x23\x65\x8d\x31\x9f\x25\xfb\x04\x25\xcc\x53\xf6\xb5\x60\xf8\xaa\x39\x20\x11\xf8\xd9\x05\x33\x27\xec\xe9\xb0\xa4\x52\x91\xc8\x23\x70\xca\x8c\x7d\x35\x7c\xc3\x8f\x7e\x82\x11\x48\xce\x01\x3e\x78\xa5\x4c\x1f\x2c\x14\x3d\x88\x85\xd2\xf3\xb0\x9c\xeb\x63\xc2\xa9\x0f\xe2\x46\xc1\x35\x88\xad\xb9\x77\x99\x93\x95\xa0\x06\xb7\x67\xb5\xf0\x3f\xb3\x8a\xb2\xdb\x97\x81\x63\x25\xd9\x5e\xfe\xee\xb0\x71\x21\x2b\x2b\xf0\x59\x5c\x09\x96\x28\x73\x3f\x29\x45\x4f\xbb\x97\x36\x7d\x42\xde\xc2\xb0\x1e\x8c\x66\x60\x49\xbc\x8f\x83\xe4\x63\x97\x35\x45\x9b\xd8\xf1\x93\x5a\x17\xd4\xd2\xb8\xea\x23\x59\x08\x55\x1c\x19\x6f\x3d\xfa\x34\x84\x45\x11\x32\x90\x8e\x5c\xfe\x22\xe5\x37\xbf\x83\x4f\xd8\x7a\x77\xc6\x89\xba\x5f\x8c\x59\x9d\xcf\xb4\xd8\x25\xcd\x57\x47\xb2\xa9\x0e\x19\x5d\xc0\x2f\x9e\x8c\xa0\x47\x45\xf3\x36\xe1\xb0\x4a\x3c\x7a\x0e\x58\xbb\x6f\x17\xaf\xf7\x55\xb9\x15\x33\x4d\x57\x04\x86\x46\xfb\xf3\xaa\x24\x4a\x46\x43\x7c\xe8\x9c\xa2\xc0\xa7\x2d\x1b\x71\xfe\xec\xc0\xaf\xdc\xf4\x69\x1b\xce\x0b\x11\xf3\x2c\x63\x2f\xa6\x14\x7d\xbc\xaa\x8b\xed\x3f\x20\x67\xb8\x7c\x4e\x7d\xb3\x7e\xba\x3c\x6d\xb7\x27\x0d\x0d\xde\x21\xa6\x40\x13\xc7\x98\x0b\xef\xc4\x93\xcc\xe3\x08\xc4\xbb\xd1\x02\xcc\x77\x04\xb9\x27\x92\x62\x12\xee\xff\xe9\x26\xb3\xc9\x11\xec\x7a\xcf\xb8\x99\xf5\x21\xdc\x93\x25\xbf\xf6\x07\x3b\x5c\x13\xee\xb2\xaa\xd7\x6a\x4c\x3d\x5c\x48\xcd\xcc\xd0\xab\xea\x1a\xb9\xab\x39\x95\x85\x9c\xfd\x11\xe5\x44\x9e\xfb\x30\x51\x2a\x17\xe1\x7f\xcd\x35\x7
b\x1f\x69\x34\xd4\xab\x0d\x27\xc8\x61\x55\x83\x8f\x93\x9e\x7a\x80\x1d\x32\xac\x49\xca\x9e\xf4\x62\x8d\xcb\x19\x4c\x79\x97\x77\x5b\x69\xc1\x13\x12\x58\x4c\xaa\xa6\x75\x37\xc1\x83\x5b\x27\x4e\x4e\xcd\x58\xe8\x36\xfe\x2d\x53\xff\x93\x90\xb3\x4d\xb4\x85\xf8\x9b\x87\x1a\xb7\xf1\xe5\xe6\x9f\x86\x40\xb8\xfa\x5a\x70\x46\x61\xa5\x88\x19\xe1\x25\x77\x5b\xe4\xe4\x87\xf8\xcc\x4d\x3e\x9c\x11\x45\xf5\x78\x1a\x69\x0e\x42\x05\x66\xb5\xed\x39\x26\x7c\xe4\x43\x1d\xf9\x61\x0f\xa7\x7e\xbf\x82\x54\xf1\x60\xf4\x06\x8c\x5f\xde\xcd\xc8\xf9\xcf\x66\x71\x51\x3d\xfc\xf6\x4d\xc7\xa3\x7a\x92\x7b\xfc\xeb\x07\x62\x48\x8b\x7d\xec\x6d\xf1\x8f\x80\x27\xba\xe0\x91\xd8\x5d\x0d\xed\x0f\x72\x10\x8e\x5c\x21\xdd\xaf\x28\xef\x52\xf4\x24\x67\x7a\xb3\xfa\x1e\xab\xb6\xd3\x47\x78\x99\x65\xce\xb8\xbb\x45\x19\x35\x95\x8c\xc5\xba\x87\xf4\x64\x98\x78\x35\x00\x31\x9a\x2d\xf3\xed\x16\x8a\xf5\x35\x81\x54\x5d\xde\xa2\xd0\x51\x55\x16\xbf\xbf\x8f\xea\x62\xa7\x60\x19\x34\x79\xc7\x7e\x73\xa7\x9d\xbf\xa8\x21\x18\xc0\x13\xbf\x41\x8d\x35\x30\xc2\x0e\x7f\x47\xdd\xd8\xba\x80\xa0\x23\xde\x38\x3b\x54\x5c\x29\xfc\x63\x38\xf2\x77\xa7\x3b\xaf\x46\x55\x1e\x85\x50\x60\xb9\x91\x84\xc5\x4d\x1c\x11\xd3\xf7\x44\xac\xb0\x2e\x5b\x12\x6d\xf5\xa1\x05\x71\x65\x6b\xa6\xab\xb5\xe4\xef\x94\x06\xc2\xf5\x38\x0e\x69\x1e\x46\xa4\xca\x1c\x5d\xd7\xfc\x87\xd0\x81\xca\x94\xcd\x5a\xb7\xfb\x45\xa4\x8c\x68\x0f\xab\x76\x1f\x9b\x1a\x17\xbe\x44\x9d\x74\xf1\x29\x1b\x85\x9c\x37\xba\x01\x91\xb0\x09\x98\xb7\x84\x29\x33\x43\x90\x02\xca\x81\x7b\xd3\xf5\x14\x04\x81\xc9\x57\xfe\x95\xea\x9a\x50\xd0\x5b\xc2\x7f\x1c\x0f\x8d\xbc\x26\x7c\x50\x77\x6c\x77\x4a\x69\x49\x22\xa5\xce\x1c\xc8\xfd\x7e\x14\x78\xa3\xe2\xcc\x58\xf5\x70\xac\xda\x3a\x16\xca\xd5\x66\x7e\x28\xd2\x45\xdd\x78\xc7\x8e\x5e\x35\x00\xe0\xae\xe9\x1f\x10\xb6\xfc\x29\xd0\xd1\xbd\xfa\xae\x7e\xf6\x6e\xe2\x88\xd5\xd5\xb2\xb7\x2d\x09\x77\x67\x25\xea\xf7\x70\xef\x1e\xe4\xec\x08\x9c\x1d\xbc\xdb\x87\xb8\x64\xac\x3f\xab\xdb\xf4\x1d\x9d\xd3\x5a\xd4\x20\x09\x88\x89\xe1\xf5\x30\x30\x51\x47\xbe\x9e\x5c\x67\x09\xec\x22\xbe\x9
0\x76\x24\x1d\xc4\xbf\x66\x07\x9f\xda\x5f\x19\x0d\x26\xd5\x97\x7a\x4f\x2d\xf8\xb5\x43\x3d\xa1\x2f", 1024); memcpy((void*)0x100006c0, "\x9f\x53\x8c\x90\xe8\x71\x04\x1e\x5c\x20\xe4\xce\x66\x04\x6a\x7c\x61\x62\x41\xa9\x68\x0d\x85\x39\x86\x6c\x5a\x96\xb1\xc8\xec\xc9", 32); *(uint32_t*)0x100006e0 = 0x80000000; *(uint8_t*)0x100006e4 = 1; *(uint32_t*)0x100006e8 = 0x10000240; memcpy((void*)0x10000240, "\x18\x16\x7d\x15\x01\x22\x4b\xdd\xd4\x8f\xc6\xe3\xf8\x83\xd8\xf2\xdd\x60\xa2\xfa\xd4\x0d\x6c\x15\x20\xc6\xc5\x1f\x84\xce\xdc\xc5\x71\xc2\xe3\x2e\x14\xab\xf4\x47\x28\x3e\x87\xa5\xf3\xf7\x81\xbd\xba\x00\x1c\x54\xed\xae\xda\x7a\xa8\x8c\x19\x11\xf5\x4c\x8f\x0a\x9a\x42\xdc\xe4\x95\x08\x27\x5d\xce\x74\xfd\x73\xcd\xab\x1e\xab\xf8\xaa\x10\x4c\x74\xf7\xc3\xbb\x54\xd0\x50\x0a\xfc\x2b\x97", 95); *(uint64_t*)0x100006ec = 0x9621; *(uint64_t*)0x100006f4 = 2; *(uint64_t*)0x100006fc = 8; *(uint64_t*)0x10000704 = 0x800; *(uint64_t*)0x1000070c = 3; *(uint64_t*)0x10000714 = 0x10001; *(uint64_t*)0x1000071c = 0xfa; *(uint32_t*)0x10000724 = 0x7fff; syscall(SYS_ioctl, -1, 0xc44c444a, 0x100002c0); break; case 6: memcpy((void*)0x10000740, "/dev/pf\000", 8); res = syscall(SYS_openat, 0xffffff9c, 0x10000740, 0x800, 0); if (res != -1) r[1] = res; break; case 7: *(uint8_t*)0x10000800 = 0x10; *(uint32_t*)0x10000804 = 0x10000780; memcpy((void*)0x10000780, "\x85\xdf\xfe\xfc\x4e\xfc\xb1\xb4\x01\x6c\x84\x2d\x2c\xc4\xb4\x5b\xfa\x06\x4e\x55\x86\x99\x99\xbf\x61\x37\x68\x94\x06\x75\x4f\xe7\xc0\xb1\x79\x02\x9f\x2f\x35\xc5\x16\xd9\x32\x31\xa1\x04\x81\x3e\xa2\x6f\x8f\xf7\xf1\xcf\x84\x81\x88\xd9\xd0\xb6\x26\x05\x00\x40\x2d\xdc\xa3\x6f\xe8\xe1\xcd\x0a\xd5\xe8\x18\x56\xa2\xf9\xf9\x83\xf5\x98\x1a\xce\x98\x9e\x97\x6f", 88); *(uint32_t*)0x10000808 = 0x40000000; *(uint32_t*)0x1000080c = 0xff; *(uint32_t*)0x10000810 = 0x10001; syscall(SYS_ioctl, (intptr_t)r[1], 0xc0244457, 0x10000800); break; case 8: syscall(SYS_mmap, 0x10ffc000, 0x3000, 2, 0x10, (intptr_t)r[0], 0); break; case 9: *(uint32_t*)0x10000840 = 0; 
*(uint16_t*)0x10000844 = 0x8001; *(uint16_t*)0x10000846 = 4; *(uint16_t*)0x10000848 = 0x3f; *(uint16_t*)0x1000084a = -1; *(uint16_t*)0x1000084c = 0x20; *(uint16_t*)0x1000084e = 4; *(uint32_t*)0x10000880 = 0x10; syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 0x901, 0x10000840, 0x10000880); break; case 10: memcpy((void*)0x10000100, "\x65\xfc\x67\x0f\xa8\x66\xdb\xd3\xc4\xc1\xd1\x5f\xf2\xc4\xc1\x8d\xfa\xf2\xc4\xe2\x55\x3f\xd8\xc4\xe1\xb1\x7c\x60\x99\x66\x0f\x3a\x09\xc1\x89\x82\x83\xdf\x00\x00\x00\xfe\xc4\xc2\x91\x91\x5c\x86\x99", 49); syz_execute_func(0x10000100); break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } :195:13: error: unused function 'csum_inet_init' [-Werror,-Wunused-function] static void csum_inet_init(struct csum_inet* csum) ^ :200:13: error: unused function 'csum_inet_update' [-Werror,-Wunused-function] static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) ^ :213:17: error: unused function 'csum_inet_digest' [-Werror,-Wunused-function] static uint16_t csum_inet_digest(struct csum_inet* csum) ^ 3 errors generated. compiler invocation: clang [-o /tmp/syz-executor310017873 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/7 (1.05s) csource_test.go:116: --- FAIL: TestGenerate/freebsd/386/6 (0.89s) csource_test.go:116: --- FAIL: TestGenerate/freebsd/386/13 (1.09s) csource_test.go:116: --- FAIL: TestGenerate/freebsd/386/4 (1.09s) csource_test.go:116: FAIL FAIL github.com/google/syzkaller/pkg/csource 12.317s ok github.com/google/syzkaller/pkg/db 4.128s ? github.com/google/syzkaller/pkg/debugtracer [no test files] ok github.com/google/syzkaller/pkg/email (cached) ? github.com/google/syzkaller/pkg/gce [no test files] ? 
github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/hash [no test files] ok github.com/google/syzkaller/pkg/host (cached) ? github.com/google/syzkaller/pkg/html [no test files] ok github.com/google/syzkaller/pkg/ifuzz (cached) ? github.com/google/syzkaller/pkg/ifuzz/iset [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc/generated [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86 [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/generated [no test files] ok github.com/google/syzkaller/pkg/instance 2.246s ok github.com/google/syzkaller/pkg/ipc 5.370s ? github.com/google/syzkaller/pkg/ipc/ipcconfig [no test files] ? github.com/google/syzkaller/pkg/kcidb [no test files] ok github.com/google/syzkaller/pkg/kconfig 0.057s ok github.com/google/syzkaller/pkg/kd (cached) ok github.com/google/syzkaller/pkg/log (cached) ok github.com/google/syzkaller/pkg/mgrconfig 0.375s ok github.com/google/syzkaller/pkg/osutil (cached) ok github.com/google/syzkaller/pkg/report (cached) ok github.com/google/syzkaller/pkg/repro 0.450s ? github.com/google/syzkaller/pkg/rpctype [no test files] ok github.com/google/syzkaller/pkg/runtest 53.192s ok github.com/google/syzkaller/pkg/serializer (cached) ? github.com/google/syzkaller/pkg/signal [no test files] ok github.com/google/syzkaller/pkg/symbolizer (cached) ok github.com/google/syzkaller/pkg/tool (cached) ok github.com/google/syzkaller/pkg/vcs 12.814s ok github.com/google/syzkaller/prog 16.005s ok github.com/google/syzkaller/prog/test 1.189s ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/akaros [no test files] ? github.com/google/syzkaller/sys/akaros/gen [no test files] ? github.com/google/syzkaller/sys/darwin [no test files] ? github.com/google/syzkaller/sys/darwin/gen [no test files] ? 
github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/freebsd/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia/layout [no test files] ok github.com/google/syzkaller/sys/linux 0.194s ? github.com/google/syzkaller/sys/linux/gen [no test files] ? github.com/google/syzkaller/sys/netbsd [no test files] ? github.com/google/syzkaller/sys/netbsd/gen [no test files] ok github.com/google/syzkaller/sys/openbsd 0.044s ? github.com/google/syzkaller/sys/openbsd/gen [no test files] ? github.com/google/syzkaller/sys/syz-extract [no test files] ? github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/test/gen [no test files] ? github.com/google/syzkaller/sys/trusty [no test files] ? github.com/google/syzkaller/sys/trusty/gen [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ? github.com/google/syzkaller/sys/windows/gen [no test files] ok github.com/google/syzkaller/syz-ci 0.455s ok github.com/google/syzkaller/syz-fuzzer 0.754s ok github.com/google/syzkaller/syz-hub 0.175s ok github.com/google/syzkaller/syz-hub/state 0.246s ok github.com/google/syzkaller/syz-manager 1.650s ? github.com/google/syzkaller/syz-runner [no test files] ok github.com/google/syzkaller/syz-verifier 0.258s ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-build [no test files] ? github.com/google/syzkaller/tools/syz-check [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ? 
github.com/google/syzkaller/tools/syz-db [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-expand [no test files] ? github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-hubtool [no test files] ? github.com/google/syzkaller/tools/syz-kcidb [no test files] ok github.com/google/syzkaller/tools/syz-kconf 0.058s ok github.com/google/syzkaller/tools/syz-linter (cached) ? github.com/google/syzkaller/tools/syz-make [no test files] ? github.com/google/syzkaller/tools/syz-minconfig [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-reporter [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? github.com/google/syzkaller/tools/syz-reprolist [no test files] ? github.com/google/syzkaller/tools/syz-runtest [no test files] ? github.com/google/syzkaller/tools/syz-showprio [no test files] ? github.com/google/syzkaller/tools/syz-stress [no test files] ? github.com/google/syzkaller/tools/syz-symbolize [no test files] ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? github.com/google/syzkaller/tools/syz-trace2syz [no test files] ok github.com/google/syzkaller/tools/syz-trace2syz/parser 0.072s ok github.com/google/syzkaller/tools/syz-trace2syz/proggen 0.823s ? github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ok github.com/google/syzkaller/vm 9.212s ? github.com/google/syzkaller/vm/adb [no test files] ? github.com/google/syzkaller/vm/bhyve [no test files] ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ok github.com/google/syzkaller/vm/isolated (cached) ? 
github.com/google/syzkaller/vm/kvm [no test files] ? github.com/google/syzkaller/vm/odroid [no test files] ? github.com/google/syzkaller/vm/qemu [no test files] ok github.com/google/syzkaller/vm/vmimpl (cached) ? github.com/google/syzkaller/vm/vmm [no test files] ? github.com/google/syzkaller/vm/vmware [no test files] FAIL