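// https://syzkaller.appspot.com/bug?id=54f4ce6239e6e0d0d5583488421c6fa3ba7ed6b4
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer shape: eight forked workers each loop forever, every iteration
// opening socket(0xf, 3, 2) and sending one fixed 0x50-byte datagram built
// in a scratch mapping at 0x20000000. Return values are intentionally
// unchecked, as in all syzkaller-generated reproducers.
//
// NOTE(review): the extracted listing had bare "#include" lines (header names
// lost as markup). They are restored from what the code uses: htobe16/htobe32
// (endian.h), uintN_t (stdint.h), memset (string.h), syscall/__NR_*
// (sys/syscall.h), fork/sleep (unistd.h).
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

static void test(void);

// Drive the reproducer forever; each call performs one socket+sendmsg round.
void loop(void)
{
    for (;;) {
        test();
    }
}

// Fallback syscall numbers. These values (370/192/359) are the 32-bit x86
// numbers, which is also why every pointer-sized field below is written as a
// 4-byte word.
#ifndef __NR_sendmsg
#define __NR_sendmsg 370
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_socket
#define __NR_socket 359
#endif
// The generator routes mmap through mmap2 on this target unconditionally.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

long r[1];        // r[0]: fd from the socket() call, -1 until assigned
uint64_t procid;  // worker index 0..7; mixed into port/SPI/seq so workers differ

// Typed store helpers for the fixed-address scratch area. They do exactly
// what the generated `*(uintN_t*)addr = v;` statements did.
static void put8(uintptr_t addr, uint8_t v)
{
    *(uint8_t *)addr = v;
}

static void put16(uintptr_t addr, uint16_t v)
{
    *(uint16_t *)addr = v;
}

static void put32(uintptr_t addr, uint32_t v)
{
    *(uint32_t *)addr = v;
}

// One reproducer iteration: map scratch memory, open the socket, lay out a
// msghdr/iovec/payload at fixed addresses and send it.
void test(void)
{
    memset(r, -1, sizeof(r));

    // 0xfff000 bytes at 0x20000000, prot 3 (PROT_READ|PROT_WRITE), flags 0x32
    // (MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS). If this fails the stores below
    // fault, which is acceptable for a reproducer.
    syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);

    // socket(0xf, 3, 2): domain 15 is AF_KEY, type 3 is SOCK_RAW, protocol 2
    // is PF_KEY_V2 — i.e. the kernel's IPsec key-management socket.
    // NOTE(review): pfkey socket creation is gated on CAP_NET_ADMIN in the
    // socket's namespace (af_key.c pfkey_create); confirm against the target
    // kernel, since it decides who can reach this path.
    r[0] = syscall(__NR_socket, 0xf, 3, 2);

    // struct msghdr, 32-bit layout (seven 4-byte words) at 0x205f5000:
    // msg_name=0, msg_namelen=0, msg_iov=0x208feff0, msg_iovlen=1,
    // msg_control=0, msg_controllen=0, msg_flags=0.
    put32(0x205f5000, 0);
    put32(0x205f5004, 0);
    put32(0x205f5008, 0x208feff0);
    put32(0x205f500c, 1);
    put32(0x205f5010, 0);
    put32(0x205f5014, 0);
    put32(0x205f5018, 0);

    // struct iovec at 0x208feff0: iov_base=0x208fe000, iov_len=0x50 (80 bytes).
    put32(0x208feff0, 0x208fe000);
    put32(0x208feff4, 0x50);

    // Payload at 0x208fe000. The field widths and 8-byte-unit lengths match a
    // PF_KEY v2 message (struct sadb_msg followed by sadb_ext-headed
    // extensions) as declared in <linux/pfkeyv2.h> — verify against that
    // header before relying on the field names in these comments.
    //
    // sadb_msg (16 bytes): version=2, type=2, errno=0, satype=9,
    // len=0xa (10*8 = 0x50, matches iov_len), reserved=0, seq, pid.
    put8(0x208fe000, 2);
    put8(0x208fe001, 2);
    put8(0x208fe002, 0);
    put8(0x208fe003, 9);
    put16(0x208fe004, 0xa);
    put16(0x208fe006, 0);
    put32(0x208fe008, 0x70bd25 + procid * 8);
    put32(0x208fe00c, 0x25dfdbfb + procid * 4);

    // extension at +0x10: len=3 (24 bytes), type=6; proto=0, prefixlen=0,
    // reserved=0; then a sockaddr_in: family=2 (AF_INET), big-endian port,
    // address 0.0.0.0, eight zero bytes of padding.
    put16(0x208fe010, 3);
    put16(0x208fe012, 6);
    put8(0x208fe014, 0);
    put8(0x208fe015, 0);
    put16(0x208fe016, 0);
    put16(0x208fe018, 2);
    put16(0x208fe01a, htobe16(0x4e20 + procid * 4));
    put32(0x208fe01c, htobe32(0));
    for (uintptr_t a = 0x208fe020; a < 0x208fe028; a++) {
        put8(a, 0);
    }

    // extension at +0x28: len=2 (16 bytes), type=1; big-endian SPI, then
    // four bytes 0,0,0,2 and a zero 32-bit word.
    put16(0x208fe028, 2);
    put16(0x208fe02a, 1);
    put32(0x208fe02c, htobe32(0x4d2 + procid * 4));
    put8(0x208fe030, 0);
    put8(0x208fe031, 0);
    put8(0x208fe032, 0);
    put8(0x208fe033, 2);
    put32(0x208fe034, 0);

    // extension at +0x38: len=3 (24 bytes), type=5; proto=0, prefixlen=0,
    // reserved=0; sockaddr_in: family=2, same big-endian port, address
    // 0xe0000002 (224.0.0.2, a multicast address), eight zero bytes.
    put16(0x208fe038, 3);
    put16(0x208fe03a, 5);
    put8(0x208fe03c, 0);
    put8(0x208fe03d, 0);
    put16(0x208fe03e, 0);
    put16(0x208fe040, 2);
    put16(0x208fe042, htobe16(0x4e20 + procid * 4));
    put32(0x208fe044, htobe32(0xe0000002));
    for (uintptr_t a = 0x208fe048; a < 0x208fe050; a++) {
        put8(a, 0);
    }

    // sendmsg(r[0], (struct msghdr *)0x205f5000, 0); result deliberately ignored.
    // If socket() failed, r[0] is -1 and this simply returns EBADF.
    syscall(__NR_sendmsg, r[0], 0x205f5000, 0);
}

// Fork eight workers, each tagged with its own procid, then park the parent.
int main(void)
{
    for (procid = 0; procid < 8; procid++) {
        if (fork() == 0) {
            for (;;) {
                loop();
            }
        }
    }
    sleep(1000000);
    return 0;
}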