// https://syzkaller.appspot.com/bug?id=8234a9dfd3aafbf092cc5a7cd9842e3ebc45fc42
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_memfd_secret
#define __NR_memfd_secret 447
#endif
static __thread int clone_ongoing;
static __thread int skip_segv;
static __thread jmp_buf segv_env;
static void segv_handler(int sig, siginfo_t* info, void* ctx)
{
if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) {
exit(sig);
}
uintptr_t addr = (uintptr_t)info->si_addr;
const uintptr_t prog_start = 1 << 20;
const uintptr_t prog_end = 100 << 20;
int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0;
int valid = addr < prog_start || addr > prog_end;
if (skip && valid) {
_longjmp(segv_env, 1);
}
exit(sig);
}
static void install_segv_handler(void)
{
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_handler = SIG_IGN;
syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
memset(&sa, 0, sizeof(sa));
sa.sa_sigaction = segv_handler;
sa.sa_flags = SA_NODEFER | SA_SIGINFO;
sigaction(SIGSEGV, &sa, NULL);
sigaction(SIGBUS, &sa, NULL);
}
#define NONFAILING(...) \
({ \
int ok = 1; \
__atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \
if (_setjmp(segv_env) == 0) { \
__VA_ARGS__; \
} else \
ok = 0; \
__atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \
ok; \
})
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320
struct io_sqring_offsets {
uint32_t head;
uint32_t tail;
uint32_t ring_mask;
uint32_t ring_entries;
uint32_t flags;
uint32_t dropped;
uint32_t array;
uint32_t resv1;
uint64_t resv2;
};
struct io_cqring_offsets {
uint32_t head;
uint32_t tail;
uint32_t ring_mask;
uint32_t ring_entries;
uint32_t overflow;
uint32_t cqes;
uint64_t resv[2];
};
struct io_uring_params {
uint32_t sq_entries;
uint32_t cq_entries;
uint32_t flags;
uint32_t sq_thread_cpu;
uint32_t sq_thread_idle;
uint32_t features;
uint32_t resv[4];
struct io_sqring_offsets sq_off;
struct io_cqring_offsets cq_off;
};
#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL
static long syz_io_uring_setup(volatile long a0, volatile long a1,
volatile long a2, volatile long a3,
volatile long a4, volatile long a5)
{
uint32_t entries = (uint32_t)a0;
struct io_uring_params* setup_params = (struct io_uring_params*)a1;
void* vma1 = (void*)a2;
void* vma2 = (void*)a3;
void** ring_ptr_out = (void**)a4;
void** sqes_ptr_out = (void**)a5;
uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
uint32_t sq_ring_sz =
setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
uint32_t cq_ring_sz = setup_params->cq_off.cqes +
setup_params->cq_entries * SIZEOF_IO_URING_CQE;
uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
*ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE,
MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring,
IORING_OFF_SQ_RING);
uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
*sqes_ptr_out =
mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE,
MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
return fd_io_uring;
}
static long syz_io_uring_submit(volatile long a0, volatile long a1,
volatile long a2, volatile long a3)
{
char* ring_ptr = (char*)a0;
char* sqes_ptr = (char*)a1;
char* sqe = (char*)a2;
uint32_t sqes_index = (uint32_t)a3;
uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
uint32_t sq_array_off =
(CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
if (sq_ring_entries)
sqes_index %= sq_ring_entries;
char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
uint32_t sq_tail_next = *sq_tail_ptr + 1;
uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
*(sq_array + sq_tail) = sqes_index;
__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
return 0;
}
uint64_t r[5] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
0xffffffffffffffff, 0xffffffffffffffff};
int main(void)
{
syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
install_segv_handler();
intptr_t res = 0;
NONFAILING(*(uint32_t*)0x20000244 = 0);
NONFAILING(*(uint32_t*)0x20000248 = 0);
NONFAILING(*(uint32_t*)0x2000024c = 0);
NONFAILING(*(uint32_t*)0x20000250 = 0);
NONFAILING(*(uint32_t*)0x20000258 = -1);
NONFAILING(memset((void*)0x2000025c, 0, 12));
NONFAILING(
syz_io_uring_setup(0x66f2, 0x20000240, 0x202a2000, 0x200bf000, 0, 0));
NONFAILING(*(uint32_t*)0x200001c4 = 0);
NONFAILING(*(uint32_t*)0x200001c8 = 0);
NONFAILING(*(uint32_t*)0x200001cc = 0);
NONFAILING(*(uint32_t*)0x200001d0 = 0);
NONFAILING(*(uint32_t*)0x200001d8 = -1);
NONFAILING(memset((void*)0x200001dc, 0, 12));
NONFAILING(
syz_io_uring_setup(0x18eb, 0x200001c0, 0x20acc000, 0x2046d000, 0, 0));
NONFAILING(memcpy((void*)0x20000100, "/dev/video2\000", 12));
syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000100ul, 2ul, 0ul);
NONFAILING(*(uint8_t*)0x20000000 = 0x16);
NONFAILING(*(uint8_t*)0x20000001 = 0);
NONFAILING(*(uint16_t*)0x20000002 = 0);
NONFAILING(*(uint32_t*)0x20000004 = 0);
NONFAILING(*(uint64_t*)0x20000008 = 0);
NONFAILING(*(uint64_t*)0x20000010 = 0x20000040);
NONFAILING(*(uint32_t*)0x20000018 = 0x12);
NONFAILING(*(uint32_t*)0x2000001c = 0);
NONFAILING(*(uint64_t*)0x20000020 = 0);
NONFAILING(*(uint16_t*)0x20000028 = 0);
NONFAILING(*(uint16_t*)0x2000002a = 0);
NONFAILING(memset((void*)0x2000002c, 0, 20));
NONFAILING(syz_io_uring_submit(0, 0, 0x20000000, 0));
NONFAILING(*(uint64_t*)0x200047c0 = 0);
NONFAILING(*(uint32_t*)0x200047c8 = 0);
NONFAILING(*(uint64_t*)0x200047d0 = 0x20000000);
NONFAILING(*(uint64_t*)0x20000000 = 0);
NONFAILING(*(uint64_t*)0x20000008 = 0xfffffffffffffd85);
NONFAILING(*(uint64_t*)0x200047d8 = 1);
NONFAILING(*(uint64_t*)0x200047e0 = 0);
NONFAILING(*(uint64_t*)0x200047e8 = 0);
NONFAILING(*(uint32_t*)0x200047f0 = 0);
syscall(__NR_sendmsg, -1, 0x200047c0ul, 0ul);
syscall(__NR_memfd_secret, 0ul);
res = syscall(__NR_socket, 0x10ul, 3ul, 0);
if (res != -1)
r[0] = res;
NONFAILING(memcpy((void*)0x20000180, "/dev/kvm\000", 9));
res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000180ul, 0ul, 0ul);
if (res != -1)
r[1] = res;
res = syscall(__NR_ioctl, r[1], 0xae01, 0ul);
if (res != -1)
r[2] = res;
NONFAILING(memcpy((void*)0x20000040, "memory.current\000", 15));
res = syscall(__NR_openat, 0xffffff9c, 0x20000040ul, 0x275aul, 0ul);
if (res != -1)
r[3] = res;
NONFAILING(*(uint32_t*)0x20000000 = r[0]);
syscall(__NR_write, r[3], 0x20000000ul, 0x208e24bul);
syscall(__NR_mmap, 0x20000000ul, 0xb36000ul, 2ul, 0x28011ul, r[3], 0ul);
NONFAILING(*(uint64_t*)0x200015c0 = 0x20000080);
NONFAILING(*(uint64_t*)0x200015c8 = 0xffffffff000);
syscall(__NR_preadv, r[3], 0x200015c0ul, 5ul, 0, 0);
res = syscall(__NR_ioctl, r[2], 0xae41, 0ul);
if (res != -1)
r[4] = res;
syscall(__NR_ioctl, r[4], 0x4048aecb, 0x20003680ul);
syscall(__NR_ioctl, r[4], 0x4048aecb, 0x20003680ul);
return 0;
}