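// https://syzkaller.appspot.com/bug?id=3f1bf0cf7c2132befac146ef89f0be4c65995296
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer for the KVM report linked above.  Each worker process repeatedly
// forks a child that: opens /dev/kvm, creates a VM with an in-kernel irqchip
// and one vCPU, loads 1 KiB of fuzzer-generated LAPIC state into that vCPU,
// enables KVM_CAP_HYPERV_SYNIC2, raises its own RLIMIT_RTPRIO and switches to
// SCHED_RR, writes two MSRs and finally issues KVM_RUN.  All syscall
// arguments live in a fixed scratch mapping at 0x200000000000 that main()
// creates; nothing below allocates memory.
//
// NOTE(review): the header names of the #include lines were stripped in the
// copy this file was restored from.  The list below is the set of standard
// headers the calls in this file need; it is not necessarily the original
// list, which had one more entry.

#define _GNU_SOURCE

#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Worker index (0..3).  Only main()'s fork loop uses it, as the loop counter;
// kept as a global for parity with other syzkaller reproducers.
static unsigned long long procid;

// Sleeps for @ms milliseconds.  The only caller passes 10, so the ms * 1000
// conversion to useconds_t cannot overflow here.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Returns a CLOCK_MONOTONIC timestamp in milliseconds.  Exits the process if
// the clock is unavailable: the watchdog in loop() cannot work without it.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Formats @what with the trailing arguments and writes the result to @file
// with a single write(2).  Returns true only if every byte was written; on
// failure errno holds the open()/write() error.  The formatted text is
// silently truncated to sizeof(buf) - 1 bytes (the only caller here writes a
// four-character value, so this never triggers).
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = (int)strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    // close() may clobber errno; report the write() error to the caller.
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// Sends SIGKILL to child @pid and to its process group (the child made itself
// a group leader in setup_test()), then reaps it, storing the wait status in
// @status.
//
// The first loop polls for roughly 100 ms.  If the child has still not been
// reaped, every FUSE connection under /sys/fs/fuse/connections is aborted
// before blocking in waitpid().  Writing anything to a connection's "abort"
// file tears it down; presumably this is so a child stuck in an unanswered
// FUSE request can finally die — the file itself does not say, confirm.
//
// Note that waitpid(-1, ...) reaps whichever child exits first; statuses of
// other children that happen to exit meanwhile are discarded.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1)
        continue;
      // The content written does not matter (this is the first byte of the
      // path buffer); a failed write is deliberately ignored.
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Per-child setup, run right after fork(): die together with the parent,
// become a process-group leader so kill(-pid) in kill_and_wait() reaches any
// further descendants, and volunteer as the first OOM-killer victim.
static void setup_test(void)
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);
#define WAIT_FLAGS __WALL

// Fork-and-run loop of one worker.  Every iteration forks a child that runs
// the syscall sequence once; the parent polls for it every 10 ms and kills it
// through kill_and_wait() if it is still alive after 5 s.  Never returns.
static void loop(void)
{
  for (;;) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      sleep_ms(10);
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Kernel resources produced by execute_one(): r[0] = /dev/kvm fd,
// r[1] = VM fd, r[2] = vCPU fd.  Each stays -1 until its creating call
// succeeds, so a failed step feeds an invalid fd to the following calls
// instead of aborting the sequence.
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// The syscall sequence that reproduces the report; runs once per child.
// Every 0x2000000000xx address is an offset into the zero-filled scratch
// mapping created by main(), so any struct field not written below is 0.
static void execute_one(void)
{
  intptr_t res = 0;
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }

  // openat$kvm: openat(AT_FDCWD (-100), "/dev/kvm", 0, 0) -> r[0]
  memcpy((void*)0x200000000000, "/dev/kvm\000", 9);
  res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000000ul, /*flags=*/0, /*mode=*/0);
  if (res != -1)
    r[0] = res;

  // ioctl$KVM_CREATE_VM (0xae01, type 0) on the kvm fd -> r[1]
  res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xae01, /*type=*/0ul);
  if (res != -1)
    r[1] = res;

  // ioctl$KVM_CREATE_IRQCHIP (0xae60): in-kernel interrupt controller, which
  // also makes the LAPIC state set below live in the kernel.
  syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0xae60, 0);

  // ioctl$KVM_CREATE_VCPU (0xae41, id 0) -> r[2]
  res = syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0xae41, /*id=*/0ul);
  if (res != -1)
    r[2] = res;

  // ioctl$KVM_SET_LAPIC (0x4400ae8f, struct kvm_lapic_state *): regs is the
  // 1024-byte fuzzer-generated register image placed at +0x1c0.
  memcpy(
      (void*)0x2000000001c0,
      "\x56\x81\x39\xcb\x50\x50\xa7\xa3\x1e\xbf\xc4\x33\x0c\x2b\xf6\x8f\x86\x10"
      "\x1d\x9a\x30\x1c\xbe\x14\xb1\x5f\x4f\x23\x03\x1c\xeb\x31\x9d\xb0\x1a\x78"
      "\x34\x79\xd6\xb9\xa1\x20\x1f\xb1\xcc\x72\x35\xf5\x7f\x42\x51\x31\xb1\xd5"
      "\x9b\x14\xc7\x58\x8e\x10\x3a\xd2\x3d\x61\xfc\x6b\x05\xb6\x05\x36\xa1\x61"
      "\x1d\xa4\xd3\xa6\xa0\x6d\x30\x86\x50\x34\x3e\x59\xd3\x07\xe3\x4d\x8c\x2e"
      "\xc3\xef\x05\x62\x9a\x47\xf9\x94\xdd\x2e\x9f\x8b\x9c\xe0\x5b\x33\x8a\xe7"
      "\xdb\x52\x67\xbc\x40\x82\xbd\x43\xca\x93\xb7\x89\x47\xa7\xc7\x9e\x82\xdf"
      "\x46\x6d\x4f\xee\x2b\x22\x2f\x1e\xbd\xe9\x76\xd2\x27\x2a\x4f\x52\x32\x97"
      "\x96\x33\x0e\xe9\x17\xcc\x4f\x5b\x3e\xc4\x5a\xc1\xec\xda\xaf\x3d\xff\xe0"
      "\x3c\x40\xb7\xc2\x09\xe4\x4c\xfe\xb0\x8a\xad\x00\xe1\xb4\x8d\xa4\x28\x92"
      "\x28\xd7\xd8\x2d\x4f\x6a\x66\x19\x42\xac\xe6\x4f\x11\x5d\x3c\xc6\xac\x80"
      "\xf7\x44\x20\xc3\x90\xd8\x9e\x7a\xb2\x13\x35\x67\xaa\x41\x04\x7d\x77\x5e"
      "\x33\x31\x84\xcc\x0b\x46\x8e\xc5\xeb\x9b\xc3\xcb\x0f\xa0\x05\x16\xe5\x45"
      "\x2b\xf3\x2a\x9e\x76\x0f\x07\xef\xd5\xa5\xe5\xeb\x37\xea\xff\x28\xef\x92"
      "\xbb\x59\x49\x83\x69\x80\x8b\xdd\x31\x0a\x4a\x95\xa5\x41\x4a\x8f\xf4\x50"
      "\x41\x1f\xf6\x7d\x31\x67\xee\xc8\x37\x24\x55\xa1\x9c\x0c\x5a\x60\x8a\xdf"
      "\xeb\xde\xd6\x97\x46\x60\xfd\x85\x30\x8a\x07\x86\x0e\x16\xf6\x29\x63\xda"
      "\x37\x44\x8d\x6e\x12\x18\xf2\x09\x2f\xb3\xd1\x66\x28\x04\x62\x3b\x63\xa0"
      "\x7f\x3e\x5e\x88\x1d\xf9\xa5\xac\x27\xce\x3f\x15\x19\x00\x31\x18\xaa\x61"
      "\x70\xff\x42\x3e\xb2\x92\xdc\x70\x14\x7b\xde\x37\x96\x3f\x72\xd0\x64\x26"
      "\x60\xe7\x10\x77\x53\x16\x78\x86\xfc\x10\xe1\x08\x63\x1a\x9e\xa4\xd6\x75"
      "\x21\x45\xb8\x64\x61\x87\xba\x7e\x15\x2b\x6b\xcb\xce\xdd\x6b\x83\xfb\x94"
      "\x35\xd5\xc8\xe8\xd5\xd2\x5a\x3f\x17\x37\x45\xea\xb9\x4a\x4a\x29\x65\x72"
      "\xd4\x59\xa5\x0d\x62\x2c\x87\x69\xdc\x57\xa7\xcd\xf7\xef\xe9\xf2\x59\xdc"
      "\x36\xf5\x38\xd1\x83\x63\x62\xf1\xbc\xb2\xc4\xeb\xce\xae\x7e\x36\x55\xd5"
      "\xe9\x8b\xa4\x81\x90\x6f\x28\x4b\xd0\x37\x16\xc1\x58\x94\xec\xa8\xcb\xf8"
      "\x30\x2d\xc8\xe2\xc2\x17\x36\xb6\x97\xb5\xf8\x68\xe8\xaf\x96\xfa\x8b\xbb"
      "\x1a\xe5\x65\x71\x61\x6a\x70\xce\x05\x97\x0d\x1e\x41\x42\xf3\x03\xf7\x58"
      "\x6f\xd2\xfc\x6f\x0e\xe3\xdc\xe1\xdb\x65\x24\xdd\x6a\xa2\x8f\xaa\xb0\x46"
      "\xe0\x74\xdf\x38\x43\x0a\x49\xe8\xa6\xdd\xe7\x10\x28\xf1\x65\x39\x74\x4b"
      "\x78\x67\xe1\x9c\x85\x6e\x67\x0e\x8b\x79\x9d\x52\xda\x43\x5b\xb0\x7b\xee"
      "\xa6\x27\x4b\xf5\x12\xe7\xd6\xeb\xb8\xff\x8f\x83\xa5\x2e\x4d\x13\x60\x2e"
      "\x7d\x46\x75\xa7\x98\xa1\x2c\x89\x8a\xd5\xb0\x0c\xaa\x34\x31\x3f\xf8\xfb"
      "\x6c\x34\x07\xcf\x81\x5e\xca\x97\x95\xcf\xfd\x9a\x24\x95\x96\x53\xcc\x81"
      "\x68\x51\x04\x8e\xbf\x07\x72\xbe\xbd\xd3\xff\x9b\x8c\xfb\xd2\xc6\x5c\x30"
      "\xe4\x15\x86\xb0\x0a\x14\x94\x3e\x48\x15\x36\x17\x89\x15\x81\x39\xd4\x40"
      "\xc4\xf6\x27\xed\xb8\xed\x59\xe1\xca\x0b\xb0\xc6\x01\x06\xe0\x96\x35\xfa"
      "\x93\x35\x67\x73\x37\xc5\x54\xdb\x88\x5f\x75\xb8\x99\x63\x8e\x8d\xf1\xea"
      "\x97\x96\xf8\x25\x8d\xe3\x66\x36\x34\x6a\xb7\x68\x85\x6b\xbd\xfc\x51\x84"
      "\x3a\x53\x70\x14\x23\xd7\x5c\x1f\x43\xbe\x24\x46\x9a\xa0\x3d\x36\x6b\xbf"
      "\xb8\x12\x18\xb3\x1e\x5c\x0a\xd7\x16\xef\xea\x52\x17\x5c\x2f\xa7\x83\x17"
      "\xca\xfb\x16\xee\x17\x3e\xb5\xe9\x42\x85\x09\xca\x4c\x8f\x9b\xf7\x98\xad"
      "\xc7\xda\x17\x58\xa9\xc0\x33\x4e\x44\x20\x0c\x05\x78\x49\x5f\xf8\x05\xfc"
      "\xe8\x44\x56\x20\x5c\xaa\x70\xf0\x97\x6a\x86\x03\xf8\x4c\xb5\x42\xd0\xdf"
      "\x14\x16\x60\x23\x21\xc5\x87\x55\x67\x85\xaf\x52\x5d\xdf\x55\x48\xb4\xf5"
      "\x11\x13\xc5\x2a\x7a\x17\x04\x2f\xaf\x6c\x8c\x02\xd8\xd1\x83\x5e\x0f\x67"
      "\xf6\x0a\xb3\x92\xc2\x0f\xc1\x21\x88\xdb\x02\x9e\x45\xbb\x77\xcf\xcc\xc4"
      "\x23\x67\x1d\x52\xec\x5a\x92\xd0\x8c\x2b\xb2\x7a\x67\x6b\x66\xf3\xb8\x9a"
      "\xc0\x84\xd9\x9e\x3f\x51\x64\x26\xa0\x15\x26\x8a\x1f\x3f\xb9\x1b\x13\xc8"
      "\xba\xba\x49\xa0\x76\x5a\x30\x5c\x13\xcd\x1f\x47\xb3\xea\x7a\x63\x93\x18"
      "\x27\x59\xb6\x14\xa0\x8d\x36\x19\x2a\x8b\x68\xab\xef\x6e\x5c\x16\x84\x94"
      "\x52\xc7\x4a\xf3\xa9\xf8\x54\xe1\xf2\xbc\x1c\x2e\xac\x2f\x05\x5f\x8f\xfd"
      "\x8f\xda\xa6\xbb\x04\xa6\x88\x50\xc5\x85\xf4\x33\xc0\xe6\xb8\xdb\xa1\x40"
      "\x1f\xce\x5a\xab\x11\xd7\x5d\x23\x23\xd8\x07\x98\x91\x17\x50\x96\xe3\x10"
      "\x13\xca\x0a\x37\x63\x51\x1c\x86\xf2\xfb\xc3\x1a\x33\x45\x8c\x52\x05\x9e"
      "\xbe\x25\x3d\xcd\x3e\x83\x7f\xed\x39\x76\x5a\x11\x84\x20\x28\xdf\x45\x04"
      "\x79\xdd\x56\xe1\x32\x5c\xd8\xd0\x88\xff\x12\xa8\xf7\xdd\x23\xf2",
      1024);
  syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0x4400ae8f, /*arg=*/0x2000000001c0ul);

  // ioctl$KVM_CAP_HYPERV_SYNIC2: KVM_ENABLE_CAP (0x4068aea3) on the vCPU with
  // struct kvm_enable_cap { cap = 0x94 (KVM_CAP_HYPERV_SYNIC2), flags = 0,
  // args[0] = 0 } at +0x140; the remaining args/pad bytes are the zeroed
  // scratch memory.
  *(uint32_t*)0x200000000140 = 0x94;
  *(uint32_t*)0x200000000144 = 0;
  *(uint64_t*)0x200000000148 = 0;
  syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0x4068aea3, /*arg=*/0x200000000140ul);

  // prlimit64(self, RLIMIT_RTPRIO (0xe), {soft = 2, hard = 7}, NULL): permit
  // the real-time priority requested next.  Reuses +0x0, overwriting the
  // "/dev/kvm" path, which is no longer needed.
  *(uint64_t*)0x200000000000 = 2;
  *(uint64_t*)0x200000000008 = 7;
  syscall(__NR_prlimit64, /*pid=*/0, /*res=RLIMIT_RTPRIO*/ 0xeul, /*new=*/0x200000000000ul, /*old=*/0ul);

  // sched_setscheduler(self, SCHED_RR, {sched_priority = 2}).  Presumably the
  // real-time policy changes the timing of the remaining calls; the
  // reproducer does not record why — confirm against the bug page.
  *(uint32_t*)0x200000000640 = 2;
  syscall(__NR_sched_setscheduler, /*pid=*/0, /*policy=SCHED_RR*/ 2ul, /*prio=*/0x200000000640ul);

  // ioctl$KVM_SET_MSRS (0x4008ae89, struct kvm_msrs *) at +0x40:
  // nmsrs = 2, pad = 0, entries = { {index 0x400000b0, data 0x7fff},
  // {index 0x400000b1, data 8} }.  Both indices sit in the Hyper-V synthetic
  // MSR range (0x40000000..); they look like the SynIC timer 0 config/count
  // MSRs — TODO confirm against the Hyper-V TLFS before relying on that.
  *(uint32_t*)0x200000000040 = 2;
  *(uint32_t*)0x200000000044 = 0;
  *(uint32_t*)0x200000000048 = 0x400000b0;
  *(uint32_t*)0x20000000004c = 0;
  *(uint64_t*)0x200000000050 = 0x7fff;
  *(uint32_t*)0x200000000058 = 0x400000b1;
  *(uint32_t*)0x20000000005c = 0;
  *(uint64_t*)0x200000000060 = 8;
  syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0x4008ae89, /*arg=*/0x200000000040ul);

  // ioctl$KVM_RUN (0xae80): enter the guest with the state configured above.
  syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0xae80, /*arg=*/0ul);
}

// Creates the fixed address layout the syscall arguments refer to, then
// starts four workers that each run loop() forever.  The parent only sleeps;
// the reproducer is expected to be stopped externally.
int main(void)
{
  // PROT_NONE page directly below the scratch region (presumably a guard).
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  // 16 MiB zero-filled RWX scratch region that execute_one() writes into.
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  // PROT_NONE page directly above the scratch region.
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  for (procid = 0; procid < 4; procid++) {
    if (fork() == 0) {
      loop();
    }
  }
  sleep(1000000);
  return 0;
}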