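// https://syzkaller.appspot.com/bug?id=acc91fc5738dacbfaa1163219fc6bf0685224b60
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// WARNING: this is a kernel-crash reproducer, not a utility. Run it only as
// root inside a disposable VM whose kernel you intend to crash:
//   - execute_one() issues syscalls with fuzzer-chosen arguments against
//     /dev/ptmx and is expected to trigger a kernel bug;
//   - loop() forks a fresh child forever and never returns;
//   - kill_and_wait() writes to /sys/fs/fuse/connections/<id>/abort for
//     EVERY entry there, i.e. it aborts all FUSE mounts on the host, not just
//     the child's;
//   - main() maps fixed anonymous regions with MAP_FIXED at 0x1ffff000,
//     0x20000000 (rwx, 16 MiB) and 0x21000000, clobbering anything already
//     mapped at those addresses.
//
// Fix applied to this page: the original <...> targets of the #include
// directives were lost in extraction (every directive was a bare "#include"),
// so the file could not compile. The headers below are the ones the visible
// code actually needs (syzkaller's standard reproducer include set).

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Sleep for the given number of milliseconds (thin usleep wrapper). */
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

/*
 * Return CLOCK_MONOTONIC in milliseconds.
 * Exits the process if clock_gettime() fails — the timeout logic in loop()
 * has no meaningful fallback without a clock.
 */
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

/*
 * Format `what` with printf-style args and write the result to `file`
 * (opened O_WRONLY|O_CLOEXEC, no O_CREAT — the target must already exist,
 * e.g. a procfs/sysfs knob).
 * Returns true on a complete write, false otherwise; on the short-write
 * path errno is preserved across close() so the caller can inspect it.
 * The formatted content is truncated at 1023 bytes.
 */
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);

	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != len) {
		int err = errno;
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

/*
 * SIGKILL the test child's whole process group (the child called setpgrp()
 * in setup_test()) and reap it.
 *
 * Reaping is first attempted non-blocking for ~100 ms. If the child has not
 * exited by then it is assumed to be stuck in an uninterruptible FUSE
 * request, so every connection under /sys/fs/fuse/connections is aborted —
 * note this is system-wide and will break any FUSE mount on the machine —
 * before blocking in waitpid() until the child is finally reaped.
 */
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}

	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1)
				continue;
			/* Any single byte written to the abort file triggers the abort;
			 * the content is irrelevant, so the path buffer is reused as the
			 * byte source. Failure is deliberately ignored (best effort). */
			(void)write(fd, abort, 1);
			close(fd);
		}
		closedir(dir);
	}

	while (waitpid(-1, status, __WALL) != pid) {
	}
}

/*
 * Per-child setup, run in the forked test process before execute_one():
 *   - die with SIGKILL if the parent goes away (PR_SET_PDEATHSIG);
 *   - become a process-group leader so kill_and_wait() can kill(-pid);
 *   - mark the child as the preferred OOM victim (oom_score_adj = 1000) so a
 *     memory blow-up in the test kills it rather than the harness or the
 *     rest of the VM. The write is best-effort.
 */
static void setup_test(void)
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

/*
 * Harness driver: forever fork a child that runs execute_one() once, and
 * reap it. A child that has not exited within 15 s is killed via
 * kill_and_wait(). This function never returns; a fork() failure exits the
 * process.
 */
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 15000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
	}
}

/* Syscall result slots; r[0] holds the /dev/ptmx fd (-1 if openat failed). */
uint64_t r[1] = {0xffffffffffffffff};

/*
 * The fuzzer-derived program that triggers the bug. Arguments are staged in
 * the fixed rwx mapping at 0x20000000 set up by main():
 *   1. openat(AT_FDCWD (-100), "/dev/ptmx", <fuzzed flag word>, 0)
 *      The flag word 0xfb3f12eae2187916 is whatever syzkaller found; the
 *      kernel masks it to the valid O_* bits. Result fd saved in r[0].
 *   2. write(r[0], "syz1" + 985 bytes of fuzzer data, 0x3dd = 989 bytes)
 *   3. ioctl(r[0], 0x5403, NULL)
 *      0x5403 is TCSETS on asm-generic/x86 ioctl numbering; the NULL
 *      argument is intentional (fuzzer-chosen).
 * No return values are checked beyond capturing the fd — that is the point
 * of a reproducer.
 */
static void execute_one(void)
{
	intptr_t res = 0;
	memcpy((void*)0x20001700, "/dev/ptmx\000", 10);
	res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20001700ul, 0xfb3f12eae2187916ul, 0ul);
	if (res != -1)
		r[0] = res;
	memcpy((void*)0x20000140, "syz1", 4);
	memcpy(
	    (void*)0x20000144,
	    "\x4a\x1e\x9f\x08\x06\xf5\x9a\x90\x4c\x7d\x65\xc3\x53\x6c\x58\xdb\x76\x84"
	    "\x6d\xbe\xee\x10\xa4\xb7\xc0\xd2\xf6\xe8\xd0\x18\xb6\xea\xfc\x35\x78\xd2"
	    "\x31\x0b\x5e\x39\xe4\x4e\x25\x58\x74\xd1\x96\x3c\x1f\x57\x31\xe8\x87\x35"
	    "\x61\xe3\x5b\x67\x4f\x85\x96\xd8\x3a\x83\x53\x52\x50\x9c\x16\x7f\x16\x21"
	    "\x13\xde\xed\xf1\x50\x0a\xbd\x30\xf2\xe1\x2f\x90\xfd\xb9\xe8\x3b\x28\x47"
	    "\xd4\x5b\x14\xa7\x81\xfa\x5d\xda\x2e\x45\xfe\xb8\x49\x20\xec\xb7\x4e\x3e"
	    "\xd1\x96\xbb\x21\xab\xa3\x5a\x17\x14\x87\x33\x6a\x67\xd7\x95\xf6\x8d\x49"
	    "\x0c\x94\x5a\x64\x73\x7c\xf7\xab\x5d\x4e\xdb\xaa\x8a\xc6\xef\x2f\x4f\xec"
	    "\x4b\x87\xcf\x52\x32\xf4\x4d\x03\xf4\xf2\xe2\xd2\x59\x02\x18\x8d\x04\xb0"
	    "\xc6\x68\x8b\xb0\xfd\x33\x08\x2a\xfd\xc0\x1b\xee\xf6\x79\x86\x7c\xc3\x80"
	    "\x14\x70\xd7\x3c\x3f\x3f\xd0\xa9\x36\x48\xb1\x94\x22\xf0\xf5\x4b\x24\x5d"
	    "\xd9\x3a\x74\xea\xa8\x6b\xab\x54\xf5\xbd\x70\x98\x23\x63\xc9\x22\xd5\x8a"
	    "\x67\x84\x9b\xbe\x38\xe6\xa3\x12\x82\xf5\xfd\xf9\x8a\x5b\x0c\xce\x40\xe8"
	    "\xc4\xde\xbf\xf3\xd6\x54\x0b\x52\x90\xd7\x59\x29\xc5\x29\x06\xbd\xe0\x1c"
	    "\xeb\xb2\xff\xb4\xbb\x06\x92\x9f\xc7\x60\xb0\xeb\x51\xd4\x8c\x9c\x92\x8c"
	    "\x98\xf2\x35\xa9\xe9\xe7\x18\x4c\xec\x43\xae\x20\x6e\x21\x0e\xb4\xa3\x46"
	    "\x9a\x1b\x35\x10\xdd\x2a\x11\xf1\x11\xba\x5d\x41\x7a\x30\xf3\xea\xad\xa3"
	    "\x69\x97\x74\x10\x88\x72\xd7\x93\x39\xf7\x99\x6b\x20\x36\x7a\xe1\xc1\xb5"
	    "\x54\x1f\x0f\x15\xf2\x68\x6f\x56\xfe\xe6\xb3\xe3\xff\x59\xf2\x38\xb0\x6a"
	    "\x11\x2c\xc0\x0e\x9e\x91\xf7\x8b\x3c\x87\x73\x52\xe2\x72\xb8\x01\x6c\xfa"
	    "\x80\xed\xd4\x7a\xe8\xbf\x3d\x75\x3a\x40\x10\x5b\x2d\xfd\x99\xe2\x1f\xc9"
	    "\x51\x48\x5b\x71\x6b\x57\x85\xe8\x00\x4c\x00\x6d\x6c\x2f\x60\x77\x03\x42"
	    "\x89\x58\x19\x0f\x5e\x7f\x9a\x25\x62\x7e\xad\x78\x41\xbb\x3d\xbd\x42\x8a"
	    "\xb1\xe4\x4d\x82\x91\xac\xfd\x2a\x8c\xfe\x9d\xb3\x49\x13\x9a\x69\x8c\x42"
	    "\x9c\x2c\x04\x6d\xfe\x86\x57\xc9\xf4\xe4\x7c\xc0\x3c\x9c\x9b\x01\xb1\x8d"
	    "\xa5\x39\x75\x69\x22\x89\x8b\xfa\x85\x4f\x79\x5b\xc3\xe4\x9d\xbb\xf5\x68"
	    "\xa5\x3f\x4a\x18\x2d\x69\x21\x1d\x11\xe2\x8e\x1c\x79\x68\xcf\x30\x4f\x92"
	    "\x2b\x00\xcf\xd7\xfd\xf9\x18\x1a\x54\x88\x13\x80\x5d\x59\x61\x59\x7b\x84"
	    "\xe6\x2b\x24\x34\xa9\xc3\xd7\xb8\x64\x7e\x99\xe9\x9d\x9f\xa6\xa9\xba\xf0"
	    "\xf4\x26\x88\x5d\xeb\x30\xa8\x86\x9c\x61\x21\x95\x51\x78\x64\x53\xac\x87"
	    "\x27\x8f\x0c\xa6\x19\xac\xa6\xc7\x6e\x7c\xb4\x60\x2f\x87\xba\x50\xbb\xf2"
	    "\xe5\xa5\xb1\x67\x0f\xe3\xe4\xcf\x60\x72\xa3\x18\xed\x48\xbb\xc8\xd6\x0b"
	    "\x29\xd5\x07\xde\x8e\xf7\x5c\x80\x98\x57\x6c\x23\xd2\x63\x03\xc7\xd3\x35"
	    "\xe4\x56\x02\x53\x13\x12\x9f\x39\x87\xd6\x07\x12\xc1\xfe\x01\x9e\x61\xf9"
	    "\x2d\x4b\xfb\x5e\xa9\x25\xd2\xf2\xfe\x50\x66\xb3\x0b\xe0\x10\xd0\x82\x5d"
	    "\xb9\x2d\xcc\x76\xd6\xa5\x93\x9e\xa9\x39\xaa\xb2\x13\x42\x67\x8b\x37\x7d"
	    "\x31\x45\x22\xc6\x1a\xf2\xae\x8b\xae\xb7\xd1\x88\x82\x62\x50\xc7\x97\xaf"
	    "\xfd\x9a\x1a\xc4\xdc\x6d\x61\xaf\x1b\xb0\xa4\x78\xa0\xc1\x56\x2e\xad\x8e"
	    "\xc8\xff\xba\xa3\xc5\x7d\x12\x8f\x66\xe5\x66\xb5\x45\x72\x0e\x5d\xba\x1b"
	    "\x63\xea\x1c\xca\x71\x02\x26\x48\xa7\x44\x81\x43\x23\x4e\x56\xf7\xbe\x47"
	    "\xa5\x0c\xa4\xba\xc0\xa8\xd3\x89\x61\x20\xf1\x13\x99\x85\xef\x1d\x49\x11"
	    "\x38\xec\x13\x03\x8d\x25\xc3\xb8\x2f\x10\x4c\x61\xcf\xda\xa3\x48\xba\x02"
	    "\x25\x9c\x96\x1f\xf2\xb1\xa9\x56\xfc\x30\xa8\x58\x39\xd9\xe9\xe9\x0a\x5e"
	    "\x8d\x83\xae\xe3\xeb\x40\x23\x9f\x3c\x5d\x34\x28\xfe\xad\x5a\x74\xdc\xe6"
	    "\xe8\x8b\x9a\x2b\x6e\x39\xf1\x0e\x21\x9e\xd1\xc1\xbe\xfb\xd0\xc5\x63\x0c"
	    "\xbf\x57\xdb\x1d\x4c\x7d\x3f\x3c\x0f\x70\xe9\x44\x06\x1b\xe5\xcb\x46\xf3"
	    "\x36\x5f\x04\x68\x9a\xae\x60\x99\x3e\xf0\x9d\xa1\x5a\x68\xf7\xac\x3b\x91"
	    "\x1c\xe2\x5e\xb9\xac\x61\x07\x53\x21\x63\x3e\x79\x74\x58\xd5\xd2\x18\xbe"
	    "\xcd\x65\xd5\xab\xb6\xb3\x3f\x65\xe6\x2c\xd5\x19\x63\xa0\x04\xf7\xa7\xea"
	    "\x85\x7a\x45\x1a\x8f\xaa\x7e\x17\x47\xe1\xa6\xa1\x96\x01\xcf\x41\xf1\xed"
	    "\xfb\x94\x4f\xca\xe7\x29\xb8\x50\xd5\x86\x88\x57\xdc\x14\x4a\x87\x53\xf0"
	    "\xfe\x0e\x10\x6a\x3c\xbb\x32\x3a\x28\x29\x6d\x70\x6c\x26\xa7\x91\x77\x43"
	    "\x30\x07\x06\xfb\x80\xce\xa7\xdb\xc6\x54\xe8\xcc\x1b\xb5\xa5\x60\xcf\xf5"
	    "\xc0\xa4\x19\x05\x86\x2d\xf5\xa8\xf0\xcb\x90\xd2\xdf\xe6\xa2\x1a\xed\xf6"
	    "\x1c\xf8\x91\x9d\x2a\x2d\x26\x9f\x00\xbf\x2a\xc6\x0d",
	    985);
	syscall(__NR_write, r[0], 0x20000140ul, 0x3ddul);
	syscall(__NR_ioctl, r[0], 0x5403, 0ul);
}

/*
 * Entry point. Reserve the fixed address ranges the reproducer depends on,
 * then hand control to loop(), which never returns.
 *
 * mmap flags 0x32 = MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS (Linux x86
 * values); MAP_FIXED silently replaces any existing mapping at the address.
 *   - 0x1ffff000, 4 KiB, PROT_NONE: guard page below the data region
 *   - 0x20000000, 16 MiB, prot 7 = PROT_READ|PROT_WRITE|PROT_EXEC: syscall
 *     argument area used by execute_one()
 *   - 0x21000000, 4 KiB, PROT_NONE: guard page above the data region
 * Return values are not checked; if the fixed mappings fail, the memcpy()s
 * in execute_one() fault the child rather than the harness.
 */
int main(void)
{
	syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
	syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
	syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
	loop();
	return 0;
}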