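// https://syzkaller.appspot.com/bug?id=ef5db7606b46c2741e271d7c2a21e0dafb5e05d3
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer layout: main() forks NPROCS workers; each worker runs test()
// forever; each test() starts NTHREADS threads that issue one syscall apiece
// (thr()), with randomised delays between thread starts so the kernel-side
// interleaving differs from iteration to iteration. Syscall results are kept
// in r[] for the life of the iteration.
//
// NOTE(review): the six #include directives had lost their header names in the
// copy under review. The names this file uses (pthread_*, uint*_t, rand,
// memset, syscall/__NR_*, fork/usleep/sleep) are provided by the headers
// restored below; no other header is needed.
#define _GNU_SOURCE
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

enum {
    NPROCS = 8,    // forked worker processes
    NTHREADS = 9,  // threads per test() iteration, one per switch case in thr()
    NRESULTS = 20  // size of the syscall-result table r[]
};

static void test(void);

// Worker loop: runs test() iterations back to back; never returns.
void loop(void)
{
    for (;;) {
        test();
    }
}

// Syscall return values, indexed by the numbering syzkaller assigned when it
// generated the program (gaps are normal). Every slot is reset to -1 at the
// start of test(); the threads of one iteration read and write it with no
// synchronisation, which is intentional for this kind of reproducer.
long r[NRESULTS];

// Thread body. arg carries the thread index (0..NTHREADS-1); each index issues
// exactly one syscall and stores its result in r[].
//
// Threads 1, 3, 5 and 7 write their syscall arguments to fixed addresses
// inside the 0x20000000 region that thread 0 maps. Nothing orders thread 0
// ahead of them except the start-up delays in test(), so if the mapping is
// not in place yet the worker process faults on the store. That is a known
// property of syzkaller threaded reproducers, not something to change here:
// adding synchronisation would alter the timing the repro depends on.
void *thr(void *arg)
{
    switch ((long)arg) {
    case 0:
        // Anonymous private fixed mapping (flags 0x32 = MAP_PRIVATE|MAP_FIXED|
        // MAP_ANONYMOUS, prot 0x3 = PROT_READ|PROT_WRITE) of 0xfff000 bytes at
        // 0x20000000; fd is -1.
        r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
                       0xfffffffffffffffful, 0x0ul);
        break;
    case 1:
        // accept4 on fd -1 with addrlen 0 at 0x20196000; presumably expected to
        // fail, and whatever it returns is the fd that case 2 uses.
        *(uint32_t *)0x20196000 = (uint32_t)0x0;
        r[2] = syscall(__NR_accept4, 0xfffffffffffffffful, 0x20000000ul,
                       0x20196000ul, 0x80800ul);
        break;
    case 2:
        // setsockopt on r[2]; level 0x107 is 263 = SOL_PACKET, optlen 0.
        r[3] = syscall(__NR_setsockopt, r[2], 0x107ul, 0x5ul, 0x20000000ul, 0x0ul);
        break;
    case 3:
        // getsockopt on fd -1, level 0x84 (132 = SOL_SCTP), option 0x1b; the
        // optval pointer is deliberately unaligned (0x2024cf0f), optlen = 8.
        *(uint32_t *)0x2024cf0f = (uint32_t)0x0;
        *(uint32_t *)0x2024cf13 = (uint32_t)0x0;
        *(uint32_t *)0x20368ffc = (uint32_t)0x8;
        r[7] = syscall(__NR_getsockopt, 0xfffffffffffffffful, 0x84ul, 0x1bul,
                       0x2024cf0ful, 0x20368ffcul);
        break;
    case 4:
        // setsockopt on fd -1, level 0x1 (SOL_SOCKET), NULL optval, optlen 0.
        r[8] = syscall(__NR_setsockopt, 0xfffffffffffffffful, 0x1ul, 0x0ul, 0x0ul, 0x0ul);
        break;
    case 5:
        // 16-byte optval {0x10000, 4, 0x10000, 4} at 0x20001000 for SOL_SCTP
        // option 0 on fd -1. The same buffer is later reused by case 8.
        *(uint32_t *)0x20001000 = (uint32_t)0x10000;
        *(uint32_t *)0x20001004 = (uint32_t)0x4;
        *(uint32_t *)0x20001008 = (uint32_t)0x10000;
        *(uint32_t *)0x2000100c = (uint32_t)0x4;
        r[13] = syscall(__NR_setsockopt, 0xfffffffffffffffful, 0x84ul, 0x0ul,
                        0x20001000ul, 0x10ul);
        break;
    case 6:
        // socket(0x11 = AF_PACKET, 0x80003 = SOCK_RAW|SOCK_NONBLOCK, protocol 0x8);
        // r[14] is the fd that cases 7 and 8 operate on.
        r[14] = syscall(__NR_socket, 0x11ul, 0x80003ul, 0x8ul);
        break;
    case 7:
        // 4-byte optval at 0x20cdeffc for SOL_PACKET option 0x12 (18). Note the
        // last store: (uint8_t)0x1000 truncates to 0, so the byte at 0x20cdefff
        // is written as 0 — kept as generated.
        *(uint16_t *)0x20cdeffc = (uint16_t)0x8001;
        *(uint8_t *)0x20cdeffe = (uint8_t)0x3;
        *(uint8_t *)0x20cdefff = (uint8_t)0x1000;
        r[18] = syscall(__NR_setsockopt, r[14], 0x107ul, 0x12ul, 0x20cdeffcul, 0x4ul);
        break;
    case 8:
        // SOL_PACKET option 0x5 on r[14] with optlen 0x47e, pointing at the
        // buffer case 5 filled (no ordering between the two threads).
        r[19] = syscall(__NR_setsockopt, r[14], 0x107ul, 0x5ul, 0x20001000ul, 0x47eul);
        break;
    default:
        // Only indices 0..NTHREADS-1 are ever passed; nothing to do otherwise.
        break;
    }
    return 0;
}

// One iteration: reset r[], start NTHREADS threads with random gaps between
// them, then wait a random interval. Threads are never joined; they outlive
// th[] and the iteration. pthread_create's return value is intentionally
// unchecked, as in the generated original.
//
// rand() is never seeded and each worker is a fork() of the same parent, so
// all workers see the same delay sequence.
static void test(void)
{
    pthread_t th[NTHREADS];

    memset(r, -1, sizeof(r));  // every slot reads as -1 until its thread stores
    for (long i = 0; i < NTHREADS; i++) {
        pthread_create(&th[i], 0, thr, (void *)i);
        usleep(rand() % 10000);
    }
    usleep(rand() % 100000);
}

// Fork NPROCS workers that each run loop(); the parent only idles and never
// reaps them.
int main(void)
{
    for (int i = 0; i < NPROCS; i++) {
        if (fork() == 0) {
            loop();
            return 0;  // not reached: loop() never returns
        }
    }
    sleep(1000000);
    return 0;
}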