// https://syzkaller.appspot.com/bug?id=401730da81cc65b97da6fa48aa9c0d392463f1b5
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Kernel crash reproducer. One SCTP-over-IPv6 socket is created, given ::1
// via setsockopt() and connect(), and then sendmmsg() is issued with kernel
// fault injection armed so that the first fault-injectable operation inside
// that syscall fails. The sequence repeats forever (main -> loop ->
// execute_one).
//
// Every syscall argument is a raw constant and every argument structure is
// built by poking bytes at fixed addresses inside a 16 MiB region that main()
// maps at 0x20000000. The statement order and the exact addresses are the
// reproducer; nothing below should be reordered or "cleaned up" without
// re-checking that the crash still triggers.
#define _GNU_SOURCE
// NOTE(review): the header names of the #include directives below were lost
// when this page was extracted (each reads as a bare "#include"). The file
// will not preprocess as is; restore the names from the original reproducer
// before building.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
// Terminate the whole thread group with `status`. The spin loop after
// exit_group only exists to keep the noreturn promise if the syscall were
// ever to return.
__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}
#include
#include
#include
#include
#include
const int kFailStatus = 67;  // not referenced in this reproducer
const int kRetryStatus = 69; // exit status used by exitf()
// Print a formatted message plus the errno captured at entry to stderr, then
// exit the process with kRetryStatus. Never returns (it ends in doexit) but is
// not itself marked noreturn.
static void exitf(const char* msg, ...)
{
  int e = errno;
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit(kRetryStatus);
}
// Format `what` into a 1 KiB buffer and write it to `file` with a single
// write(2). Returns true only if open() succeeded and write() returned exactly
// the formatted length; on a failed or short write the write() errno is
// preserved across close(). The NUL store after vsnprintf is redundant
// (vsnprintf terminates whenever size > 0) but harmless. The only caller below
// uses it to flip debugfs fault-injection knobs and ignores the result.
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}
// Arm kernel fault injection for the calling thread by writing nth+1 to
// /proc/thread-self/fail-nth (presumably: the (nth+1)-th fault-injectable
// operation this thread performs will fail -- see Documentation/fault-injection
// in the kernel tree). Exits via exitf() if the file cannot be opened or fully
// written. Returns the open fd; the single caller below discards it, so every
// loop iteration leaks one descriptor until open() fails and exitf() ends the
// process with kRetryStatus.
static int inject_fault(int nth)
{
  int fd;
  char buf[16];
  fd = open("/proc/thread-self/fail-nth", O_RDWR);
  if (fd == -1)
    exitf("failed to open /proc/thread-self/fail-nth");
  sprintf(buf, "%d", nth + 1);
  if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
    exitf("failed to write /proc/thread-self/fail-nth");
  return fd;
}
static void execute_one();
extern unsigned long long procid; // declared by the syzkaller template; unused here
// Run the reproducer body forever.
void loop()
{
  while (1) {
    execute_one();
  }
}
// Syscall results carried between calls: r[0] holds the socket fd, or the
// all-ones sentinel (-1 as uint64_t) if socket() failed.
uint64_t r[1] = {0xffffffffffffffff};
// One iteration of the reproducer: build the argument structures in the
// fixed scratch region, arm fault injection, and issue the sendmmsg() that
// the bug report is about. Field names in the comments below assume the
// x86-64 layouts of struct sockaddr_in6 and struct mmsghdr; the offsets
// written match those layouts exactly.
void execute_one()
{
  long res = 0;
  // socket(0xa /* AF_INET6 */, 0x408000000001, 0x84 /* IPPROTO_SCTP */).
  // The type's bits above 32 do not fit the kernel's int argument; only the
  // low value 1 (SOCK_STREAM) is likely to reach the kernel -- confirm.
  res = syscall(__NR_socket, 0xa, 0x408000000001, 0x84);
  if (res != -1)
    r[0] = res;
  // struct sockaddr_in6 at 0x20cf6fe4 (0x1c = 28 bytes): family AF_INET6,
  // port 0x4e23 in network byte order, flowinfo 0, address ::1, scope_id 0.
  *(uint16_t*)0x20cf6fe4 = 0xa;
  *(uint16_t*)0x20cf6fe6 = htobe16(0x4e23);
  *(uint32_t*)0x20cf6fe8 = 0;
  *(uint64_t*)0x20cf6fec = htobe64(0);
  *(uint64_t*)0x20cf6ff4 = htobe64(1);
  *(uint32_t*)0x20cf6ffc = 0;
  // setsockopt(fd, 0x84 /* SOL_SCTP */, 0x64, &addr, 0x1c). Option 100 looks
  // like SCTP_SOCKOPT_BINDX_ADD -- verify against <linux/sctp.h>.
  syscall(__NR_setsockopt, r[0], 0x84, 0x64, 0x20cf6fe4, 0x1c);
  // The same sockaddr_in6 (::1, port 0x4e23) rebuilt at 0x208c0000 for
  // connect().
  *(uint16_t*)0x208c0000 = 0xa;
  *(uint16_t*)0x208c0002 = htobe16(0x4e23);
  *(uint32_t*)0x208c0004 = 0;
  *(uint64_t*)0x208c0008 = htobe64(0);
  *(uint64_t*)0x208c0010 = htobe64(1);
  *(uint32_t*)0x208c0018 = 0;
  syscall(__NR_connect, r[0], 0x208c0000, 0x1c);
  // mmsghdr[0] at 0x20007c00: no name, one iovec at 0x200016c0 that points at
  // a single 0x19 byte at 0x20001600, msg_control 0x20001740 with controllen 0.
  *(uint64_t*)0x20007c00 = 0;          // msg_name
  *(uint32_t*)0x20007c08 = 0;          // msg_namelen
  *(uint64_t*)0x20007c10 = 0x200016c0; // msg_iov
  *(uint64_t*)0x200016c0 = 0x20001600; //   iov[0].iov_base
  memcpy((void*)0x20001600, "\x19", 1);
  *(uint64_t*)0x200016c8 = 1;          //   iov[0].iov_len
  *(uint64_t*)0x20007c18 = 1;          // msg_iovlen
  *(uint64_t*)0x20007c20 = 0x20001740; // msg_control
  *(uint64_t*)0x20007c28 = 0;          // msg_controllen
  *(uint32_t*)0x20007c30 = 0;          // msg_flags
  *(uint32_t*)0x20007c38 = 0;          // msg_len
  // mmsghdr[1] at 0x20007c40: msg_name is a 0x80-byte blob at 0x20004800.
  // It starts with a 0x1e-byte prefix (0x18, 1, 0, -1, 0, 0, 0) whose layout
  // is not identifiable from this file -- TODO confirm against the SCTP
  // sendmsg ABI -- followed at offset 0x1e by a sockaddr_in6: family AF_INET6,
  // port 0, flowinfo 0, address ff01::1 (interface-local all-nodes
  // multicast), scope_id 0. Only the first 0x3a bytes are written; the
  // remainder of the 0x80-byte msg_namelen is whatever the scratch region
  // already holds.
  *(uint64_t*)0x20007c40 = 0x20004800; // msg_name
  *(uint16_t*)0x20004800 = 0x18;
  *(uint32_t*)0x20004802 = 1;
  *(uint32_t*)0x20004806 = 0;
  *(uint32_t*)0x2000480a = -1;
  *(uint32_t*)0x2000480e = 0;
  *(uint32_t*)0x20004812 = 0;
  *(uint32_t*)0x20004816 = 0;
  *(uint32_t*)0x2000481a = 0;
  *(uint16_t*)0x2000481e = 0xa;        // sin6_family
  *(uint16_t*)0x20004820 = htobe16(0); // sin6_port
  *(uint32_t*)0x20004822 = 0;          // sin6_flowinfo
  *(uint8_t*)0x20004826 = -1;          // sin6_addr = ff01::1
  *(uint8_t*)0x20004827 = 1;
  *(uint8_t*)0x20004828 = 0;
  *(uint8_t*)0x20004829 = 0;
  *(uint8_t*)0x2000482a = 0;
  *(uint8_t*)0x2000482b = 0;
  *(uint8_t*)0x2000482c = 0;
  *(uint8_t*)0x2000482d = 0;
  *(uint8_t*)0x2000482e = 0;
  *(uint8_t*)0x2000482f = 0;
  *(uint8_t*)0x20004830 = 0;
  *(uint8_t*)0x20004831 = 0;
  *(uint8_t*)0x20004832 = 0;
  *(uint8_t*)0x20004833 = 0;
  *(uint8_t*)0x20004834 = 0;
  *(uint8_t*)0x20004835 = 1;
  *(uint32_t*)0x20004836 = 0;          // sin6_scope_id
  *(uint32_t*)0x20007c48 = 0x80;       // msg_namelen
  *(uint64_t*)0x20007c50 = 0x20004880; // msg_iov (no entries)
  *(uint64_t*)0x20007c58 = 0;          // msg_iovlen
  *(uint64_t*)0x20007c60 = 0x200048c0; // msg_control
  *(uint64_t*)0x20007c68 = 0;          // msg_controllen
  *(uint32_t*)0x20007c70 = 0;          // msg_flags
  *(uint32_t*)0x20007c78 = 0;          // msg_len
  // Fault-injection setup (best effort: both results are ignored). Writing
  // "N" to these debugfs knobs tells failslab not to skip allocations that may
  // wait and fail_futex not to skip private futexes, so that injection can hit
  // the path exercised by sendmmsg(). Requires a kernel with fault injection
  // enabled and debugfs mounted at /sys/kernel/debug.
  write_file("/sys/kernel/debug/failslab/ignore-gfp-wait", "N");
  write_file("/sys/kernel/debug/fail_futex/ignore-private", "N");
  // Arm the very next fault-injectable operation (writes "1" to fail-nth).
  // The returned fd is dropped -- see the note on inject_fault().
  inject_fault(0);
  // sendmmsg(fd, msgvec at 0x20007c00, vlen 2, flags 0) -- the call under test.
  syscall(__NR_sendmmsg, r[0], 0x20007c00, 2, 0);
}
// Map the fixed 16 MiB scratch region [0x20000000, 0x21000000) that every
// address above lives in (prot 3 = PROT_READ|PROT_WRITE, flags 0x32 =
// MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, no fd), then run the reproducer loop
// forever. The mmap result is not checked; if the mapping fails, the first
// poke in execute_one() faults.
int main()
{
  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  for (;;) {
    loop();
  }
}