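// https://syzkaller.appspot.com/bug?id=287863da6facab13033356dd54ef185395b52fd7
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel crash reproducer for the syzkaller bug linked above. The program it
// replays is: open /dev/kvm, KVM_CREATE_VM, KVM_CREATE_VCPU, KVM_SET_ONE_REG
// with a register id in syzkaller's arm64_ccsidr range, memfd_create, a
// MAP_SYNC|MAP_LOCKED|MAP_FIXED mmap of that memfd over the scratch region,
// then KVM_RUN. The KVM_SET_ONE_REG call is deliberately dispatched without
// waiting for it, so it overlaps with the calls that follow.
//
// Run this only on a disposable host or VM: it exists to crash the kernel, it
// needs access to /dev/kvm, it forks four workers that re-run the program
// forever, it marks every test child as the preferred OOM victim, it SIGKILLs
// whole process groups during cleanup and, as part of that cleanup, aborts
// every FUSE connection listed under /sys/fs/fuse/connections. Nothing in it
// ever exits on its own.
//
// The header names had been stripped from the copy this file was recovered
// from (bare "#include" directives, which do not compile). The list below is
// the standard set syzkaller emits for a threaded Linux reproducer that uses
// futexes and memfd_create; confirm against a fresh download of the repro.
#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#include <linux/futex.h>

#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif

// Index of the worker process (0..3); set by main() before each fork.
static unsigned long long procid;

// Sleep for ms milliseconds.
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

// Monotonic clock in milliseconds. Exits the process if the clock is unusable.
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Start a worker thread with a 128 KiB stack; the thread is never joined.
// Retries up to 100 times on EAGAIN (thread limit hit); any other failure,
// or exhausting the retries, exits the process.
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i = 0;
	for (; i < 100; i++) {
		if (pthread_create(&th, &attr, fn, arg) == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		if (errno == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}

// Futex-backed one-shot event: state is 0 (clear) or 1 (set).
typedef struct {
	int state;
} event_t;

static void event_init(event_t* ev)
{
	ev->state = 0;
}

static void event_reset(event_t* ev)
{
	ev->state = 0;
}

// Set the event and wake every waiter. Setting an event that is already set
// is treated as a logic error and exits the process.
static void event_set(event_t* ev)
{
	if (ev->state)
		exit(1);
	__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
	syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

// Block until the event is set.
static void event_wait(event_t* ev)
{
	while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

static int event_isset(event_t* ev)
{
	return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

// Wait up to timeout milliseconds. Returns 1 if the event was set, 0 on
// timeout. The remaining time is recomputed after every futex wake-up.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	for (;;) {
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
		if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
			return 1;
		now = current_time_ms();
		if (now - start > timeout)
			return 0;
	}
}

// Write one printf-formatted string (truncated to 1023 bytes) to an existing
// file. Returns false, with errno preserved, if the open fails or the write
// is short.
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != len) {
		int err = errno;
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

// SIGKILL the test child's process group and the child itself, then reap it.
// If it has not been reaped after ~100 ms it is presumably stuck in a FUSE
// request, so every connection under /sys/fs/fuse/connections is aborted --
// this hits all FUSE mounts on the machine, not only the test's -- before
// blocking until the child is finally reaped.
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			// Writing any single byte triggers the abort; the first byte
			// of the path buffer is used. Failure is deliberately ignored
			// (the empty body silences the unused-result warning).
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// Per-child setup: die with the parent, become a process-group leader (so
// kill(-pid) reaches everything the test spawns), and make this process the
// preferred OOM-killer victim.
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

// One worker thread: `ready` is signalled when `call` has been assigned,
// `done` when the call returned.
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently dispatched but not yet finished.
static int running;

// Worker loop: wait for a call, run it, mark it finished.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Run the program's seven calls, each on the first idle worker thread
// (threads are created lazily). Every call except call 3 is given 50 ms to
// finish before the next one is dispatched; call 3 (KVM_SET_ONE_REG) is
// dispatched and immediately followed by call 4, so it runs concurrently
// with memfd_create, the mmap and KVM_RUN -- presumably the race the
// reproducer depends on. Afterwards wait up to ~100 ms for stragglers.
static void execute_one(void)
{
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
	}
	int i, call, thread;
	for (call = 0; call < 7; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			if (call == 3)
				break;
			event_timedwait(&th->done, 50);
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

#define WAIT_FLAGS __WALL

// Worker process body, never returns: fork a child that runs the program
// once, give it 5 s, then kill_and_wait() it, and repeat.
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			sleep_ms(10);
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			if (current_time_ms() - start < 5000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
	}
}

// Resources produced by earlier calls and consumed by later ones:
// r[0] /dev/kvm fd, r[1] VM fd, r[2] vCPU fd, r[3] memfd. A slot stays at
// -1 (0xffffffffffffffff) if its producing call failed; consumers are then
// issued with fd -1 and their failure is ignored like every other error here.
uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// Execute one call of the program. All arguments live at fixed addresses
// inside the 16 MiB RWX scratch region mapped at 0x200000000000 by main().
// Return values are never checked beyond recording successful fds.
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		// openat(AT_FDCWD, "/dev/kvm", 0, 0) -> r[0]
		memcpy((void*)0x200000000200, "/dev/kvm\000", 9);
		res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000200ul, /*flags=*/0, /*mode=*/0);
		if (res != -1)
			r[0] = res;
		break;
	case 1:
		// ioctl(r[0], KVM_CREATE_VM (0xae01), 0) -> r[1]
		res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xae01, /*type=*/0ul);
		if (res != -1)
			r[1] = res;
		break;
	case 2:
		// ioctl(r[1], KVM_CREATE_VCPU (0xae41), 0) -> r[2]
		res = syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0xae41, /*id=*/0ul);
		if (res != -1)
			r[2] = res;
		break;
	case 3:
		// ioctl(r[2], KVM_SET_ONE_REG (0x4048aecb), &kvm_one_reg{id, addr}).
		// id 0x6020000000110009 is inside the range syzkaller labels
		// arm64_ccsidr (0x6020000000110000..0x602000000011000d); the
		// register value written is 0xd8. The struct sits at
		// 0x200000000000 and the value at 0x200000000300 -- the very pages
		// call 5 later remaps, while this call may still be in flight.
		*(uint64_t*)0x200000000000 = 0x6020000000110009;
		*(uint64_t*)0x200000000008 = 0x200000000300;
		*(uint64_t*)0x200000000300 = 0xd8;
		syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0x4048aecb, /*arg=*/0x200000000000ul);
		break;
	case 4:
		// memfd_create(name, 0) -> r[3]. The 1232-byte blob copied in is
		// fuzzer-generated noise; it contains a NUL at byte 6, so only the
		// first six bytes are seen as the name.
		memcpy((void*)0x200000000a40,
		       "\375\017m3#/"
		       "\000n\252\252\344\001U\213\302\f\003\031\234\216\313\220\000\000\256gQ"
		       "\016\224\\y\017U2@\'\212\200\000$\022\374\344.)\233\362@"
		       "\360\340\333\037\346\264gc\023\332\371\3157el\267\346\b\000\000\000"
		       "\000\357\377\000vob/~\302\000\b\000\000\000\000\000\000 "
		       "\377\361\336m\234;%\265\"\344\361x2\212\031p\004\\\252-\223\321\304 "
		       ")\277K\367E\363\005\240\320\346%"
		       "\227\025\360\253\206\220k\020\316r\024\340a\257\253\376\331V\031\245d"
		       "\026\216]:3\377\t\346\367\263\277\243\b[?"
		       "\265\006t\323\216\300\350\357d\210\335z\2425)"
		       "\027\357\3734\377\333\t\216\353\035\\\371\024\307\v\250\211\333 "
		       "A\272BAj\376\030\303-+\326\260K\356\033+\307lA\204\246\376\213U<&"
		       "\032\347m\206\267\241A\371\002S;C\231\a.$"
		       "K\2033\202\177\033\'nj\006\b\267\350] "
		       "\207A[y\334\024\f\316t\000\037\017\357\312\317z\177\004n0\353B\270}&"
		       "\335\311\247\035p\t\232\316b "
		       "\201\252q{"
		       "H\210\337\370\200\\\0348\376\304\343\260\220\313\2131r\224\237\000\316"
		       "\310\303\204\240\311\b\000\201\275\325\000\000C6\326\023\265\34086EzD"
		       "\030\325\026\210E\306\360A9\361u\263\205\002\022\\Sp\364\232\350\226^"
		       "\346\250K\022\b}\377\313{\306\366\264\213\266\250Y\362\221\356R\v#"
		       "\265)\260\231\233-"
		       "p\343\027\004\260\334\017k\021\341\232\a\026\267\233\210\372\036`\204$"
		       "\374\327\365^X\330[}\0032\320\204\333y\224Vp\245\315("
		       "\253\266\225sR\253\374\214\'\234\026Q\255\274\2604%\267\345\024\261`"
		       "\207#X\\W`;\'_4\305\311\2221<\331\255\237\022@!"
		       "\372I\210\253\357\206\351\a>\3357\267\216\2340-o\311\354_|"
		       "\002\310Ru\225\250#U\326J\207\366X\266{\021$"
		       "\000\310\024\313\321nK\330\271\016\233A\355\274s\037S\r\022O\203\025"
		       "\313(\333\261S\037%\004\232\240l\243}\347r\002\000\000\000\212eh;F["
		       "\342\034"
		       "\3426 "
		       "\031k&.\177\035~\332I\324\231\a+\337]\274\246\303\017\231W\234-"
		       "t\v\307J\375\221\2053\321j;\031W\226V\212z+\371\202#"
		       "\372C\243Y\375\377\350\332\274\262h\217\340\306d\226\314y\263\302\230"
		       "\034\312\336\"\256W\211\203\302sB\347\b\2339~}\302\263\035\314?"
		       "\321\211\357\312\000\000\000\000\000\000\000\000\000J["
		       "\304\004\301\246\020\302\235\021\t|\300\t\331("
		       "\200\346s\252\210\212\326\242\001\020W]Z\215\367\321P\371d\001|"
		       "\243\003hSq\225\217\341J\323#/"
		       "fcCz\377\200\342M\243-r\366\032\3274\334\341\344\303\235U "
		       "t}\002\232{C|S\364\230\005\271\025}"
		       "\372\"\334\302r\371\a\255nD\266\006\323\'\020\237|\027\326\211O\f\230@"
		       "\205\245m\235\\&\027o\021Z="
		       "l\373\223\216xZ\034\3211\374\247\223E\377\377\320\254\b\001\020\314"
		       "\315\2320\3303\266\r\273\341u_KUd3l\2062j~!"
		       "\320\f\376V\250I\247\217\373\355\333n\275\276\360+a\310JC\003:&"
		       "9\256\270\330TdMf[\034\n#\207\374\201O`\031P\0242~|\337\274\257\344^"
		       "\254\245\373yy\313\f\024}g\247\302",
		       1232);
		res = syscall(__NR_memfd_create, /*name=*/0x200000000a40ul, /*flags=*/0ul);
		if (res != -1)
			r[3] = res;
		break;
	case 5:
		// mmap(0x200000000000, 0x7000, PROT_GROWSUP|PROT_WRITE|PROT_READ,
		//      MAP_SYNC|MAP_NORESERVE|MAP_NONBLOCK|MAP_LOCKED|MAP_FIXED|0x1042,
		//      r[3], 0): replaces the first seven pages of the scratch region
		// (including the buffers call 3 handed to KVM) with a memfd-backed
		// mapping.
		syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x7000, /*prot=*/0x2000003ul, /*flags=*/0x97052ul, /*fd=*/r[3], /*offset=*/0ul);
		break;
	case 6:
		// ioctl(r[2], KVM_RUN (0xae80), 0)
		syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0xae80, /*arg=*/0ul);
		break;
	default:
		break;
	}
}

// Lay out syzkaller's fixed address space (a PROT_NONE page on each side of
// a 16 MiB RWX region at 0x200000000000), fork four workers that run loop()
// forever, then park the parent for ~11.5 days. The program never exits on
// its own; kill its process group to stop it.
int main(void)
{
	syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
	syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
	syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
	for (procid = 0; procid < 4; procid++) {
		if (fork() == 0) {
			loop();
		}
	}
	sleep(1000000);
	return 0;
}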