? github.com/google/syzkaller/dashboard/api [no test files] ok github.com/google/syzkaller/dashboard/app (cached) ok github.com/google/syzkaller/dashboard/dashapi (cached) ok github.com/google/syzkaller/executor 1.164s ok github.com/google/syzkaller/pkg/asset (cached) ok github.com/google/syzkaller/pkg/ast (cached) ok github.com/google/syzkaller/pkg/auth (cached) ok github.com/google/syzkaller/pkg/bisect (cached) ok github.com/google/syzkaller/pkg/bisect/minimize (cached) ok github.com/google/syzkaller/pkg/build (cached) ? github.com/google/syzkaller/pkg/clangtool [no test files] ok github.com/google/syzkaller/pkg/compiler (cached) ok github.com/google/syzkaller/pkg/config (cached) ok github.com/google/syzkaller/pkg/corpus (cached) ok github.com/google/syzkaller/pkg/cover (cached) ok github.com/google/syzkaller/pkg/cover/backend (cached) ok github.com/google/syzkaller/pkg/coveragedb (cached) ? github.com/google/syzkaller/pkg/coveragedb/mocks [no test files] ? github.com/google/syzkaller/pkg/coveragedb/spannerclient [no test files] ok github.com/google/syzkaller/pkg/covermerger (cached) ? github.com/google/syzkaller/pkg/covermerger/mocks [no test files] --- FAIL: TestGenerate (15.55s) --- FAIL: TestGenerate/linux/mips64le (2.75s) testutil.go:35: seed=1760967237810497648 --- FAIL: TestGenerate/linux/mips64le/single_syz_emit_vhci (0.07s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: syz_emit_vhci(&(0x7f0000000000)=@HCI_VENDOR_PKT={0xff, 0x40}, 0x2) csource_test.go:149: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #ifndef __NR_mmap #define __NR_mmap 5009 #endif int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} return 0; } compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor2893326358 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/mips64le/single_syz_emit_ethernet (0.07s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: syz_emit_ethernet(0x186, &(0x7f0000000000)={@link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x3}, @empty, @val={@void, {0x8100, 0x6, 0x0, 0x2}}, {@ipv6={0x86dd, @tipc_packet={0x5, 0x6, "d04174", 0x14c, 0x6, 0xff, @private2={0xfc, 0x2, '\x00', 0x1}, @local, {[@srh={0x3c, 0x6, 0x4, 0x3, 0x3, 0x0, 0x0, [@local, @loopback, @initdev={0xfe, 0x88, '\x00', 0x1, 0x0}]}, @srh={0x0, 0x4, 0x4, 0x2, 0xc, 0x8, 0x3, [@loopback, @ipv4={'\x00', '\xff\xff', @multicast2}]}], @name_distributor={{0xec, 0x0, 0x0, 0x0, 0x0, 0xa, 0xb, 0x2, 0x9, 0x0, 0x0, 0xc000, 0x9, 0x4, 0x4e20, 0x4e23, 0x3, 0x2, 0x0, 0x0, 0x1}, [{0x4, 0x51c0, 0x8, 0x10, 0x200, 0x9, 0xe, 0x4}, {0x6, 0x7, 0x3, 0x3, 0x2, 0x6, 0xe, 0x1ff}, {0x1000, 0xff, 0x1, 0x4, 0x7, 0x5, 0xc, 0x4}, {0x9, 0x207, 0x2, 0x0, 0xb2da, 0xbe7, 0x4, 0x4}, {0x7f, 0x101, 0x6, 0x0, 0x4000, 0xffff, 0x2}, {0x304, 0xa8f9, 0x7fff, 0x5, 0x0, 0x689, 0xc, 0x8}, {0xffffffff, 0x0, 0xc9, 0x0, 0x0, 0x1, 0x4, 0x10}]}}}}}}, &(0x7f00000001c0)={0x0, 0x4, [0xd01, 0x2a, 0x5ed, 0xcba]}) csource_test.go:149: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #ifndef __NR_mmap #define __NR_mmap 5009 #endif int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} return 0; } compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor3987240277 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/mips64le/single_syz_pidfd_open (0.07s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: ioctl$auto_XFS_IOC_FREESP64(0xffffffffffffffff, 0x40305825, &(0x7f0000000000)={0x3, 0xc, 0x1ff, 0x3, 0x4, 0xffffffffffffffff}) syz_pidfd_open(r0, 0x0) csource_test.go:149: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #ifndef __NR_ioctl #define __NR_ioctl 5015 #endif #ifndef __NR_mmap #define __NR_mmap 5009 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 5434 #endif static long syz_pidfd_open(volatile long pid, volatile long flags) { if (pid == 1) { pid = 0; } return syscall(__NR_pidfd_open, pid, flags); } uint64_t r[1] = {0x0}; int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} *(uint16_t*)0x200000000000 = 3; *(uint16_t*)0x200000000002 = 0xc; *(uint64_t*)0x200000000008 = 0x1ff; *(uint64_t*)0x200000000010 = 3; *(uint32_t*)0x200000000018 = 4; *(uint32_t*)0x20000000001c = -1; memset((void*)0x200000000020, 0, 16); res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0x40305825, /*arg=*/0x200000000000ul); if (res != -1) r[0] = *(uint32_t*)0x20000000001c; syz_pidfd_open(/*pid=*/r[0], /*flags=*/0); return 0; } compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor1231757046 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/mips64le/single_syz_usbip_server_init (0.07s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: syz_usbip_server_init(0x2) csource_test.go:149: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_mmap #define __NR_mmap 5009 #endif static unsigned long long procid; static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) { return -1; } int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} syz_usbip_server_init(/*speed=USB_SPEED_FULL*/2); return 0; } compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor928537343 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/mips64le/single_syz_init_net_socket (0.07s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: syz_init_net_socket$802154_dgram(0x24, 0x1, 0x0) csource_test.go:149: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #ifndef __NR_mmap #define __NR_mmap 5009 #endif const int kInitNetNsFd = 201; static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { return syscall(__NR_socket, domain, type, proto); } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} syz_init_net_socket(/*domain=*/0x24, /*type=*/1, /*proto=*/0); return 0; } compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor2210961994 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/mips64le/single_syz_open_procfs (0.07s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: ioctl$DRM_IOCTL_GET_CLIENT(0xffffffffffffffff, 0xc0286405, &(0x7f0000000000)={0x1ff, 0x2, {0xffffffffffffffff}, {}, 0x1247c5d7, 0x2}) syz_open_procfs(r0, &(0x7f0000000040)='net/icmp\x00') csource_test.go:149: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #ifndef __NR_ioctl #define __NR_ioctl 5015 #endif #ifndef __NR_mmap #define __NR_mmap 5009 #endif static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } uint64_t r[1] = {0x0}; int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} *(uint32_t*)0x200000000000 = 0x1ff; *(uint32_t*)0x200000000004 = 2; *(uint32_t*)0x200000000008 = -1; *(uint32_t*)0x200000000010 = 0; *(uint64_t*)0x200000000018 = 0x1247c5d7; *(uint64_t*)0x200000000020 = 2; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0286405, /*arg=*/0x200000000000ul); if (res != -1) r[0] = *(uint32_t*)0x200000000008; memcpy((void*)0x200000000040, "net/icmp\000", 9); syz_open_procfs(/*pid=*/r[0], /*file=*/0x200000000040); return 0; } compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor147979827 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/mips64le/single_syz_clone3 (0.07s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: r0 = semctl$auto_GETPID(0x4, 0x10001, 0xb, 0x0) r1 = gettid() r2 = openat$cgroup(0xffffffffffffffff, &(0x7f00000001c0)='syz1\x00', 0x200002, 0x0) syz_clone3(&(0x7f0000000200)={0x200906100, &(0x7f0000000000), &(0x7f0000000040), &(0x7f0000000080), {0x24}, &(0x7f00000000c0)=""/3, 0x3, &(0x7f0000000100)=""/116, &(0x7f0000000180)=[r0, r1], 0x2, {r2}}, 0x58) csource_test.go:149: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #ifndef __NR_clone3 #define __NR_clone3 5435 #endif #ifndef __NR_exit #define __NR_exit 5058 #endif #ifndef __NR_gettid #define __NR_gettid 5178 #endif #ifndef __NR_mmap #define __NR_mmap 5009 #endif #ifndef __NR_openat #define __NR_openat 5247 #endif #ifndef __NR_semctl #define __NR_semctl 5064 #endif #define USLEEP_FORKED_CHILD (3 * 50 *1000) static long handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } } #define MAX_CLONE_ARGS_BYTES 256 static long syz_clone3(volatile long a0, volatile long a1) { unsigned long copy_size = a1; if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES) return -1; char clone_args[MAX_CLONE_ARGS_BYTES]; memcpy(&clone_args, (void*)a0, copy_size); uint64_t* flags = (uint64_t*)&clone_args; *flags &= ~CLONE_VM; return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size)); } uint64_t r[3] = {0x0, 0x0, 0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} res = syscall(__NR_semctl, /*semid=*/4, /*semnum=*/0x10001, /*cmd=*/0xbul, /*arg=*/0ul); if (res != -1) r[0] = res; res = syscall(__NR_gettid); if (res != -1) r[1] = res; memcpy((void*)0x2000000001c0, "syz1\000", 5); res = syscall(__NR_openat, /*fd=*/(intptr_t)-1, /*file=*/0x2000000001c0ul, /*flags=*/0x200002, /*mode=*/0); if (res != -1) r[2] = res; *(uint64_t*)0x200000000200 = 0x200906100; *(uint64_t*)0x200000000208 = 0x200000000000; *(uint64_t*)0x200000000210 = 0x200000000040; *(uint64_t*)0x200000000218 = 0x200000000080; *(uint32_t*)0x200000000220 = 0x24; *(uint64_t*)0x200000000228 = 0x2000000000c0; *(uint64_t*)0x200000000230 = 3; *(uint64_t*)0x200000000238 = 0x200000000100; *(uint64_t*)0x200000000240 = 0x200000000180; *(uint32_t*)0x200000000180 = r[0]; *(uint32_t*)0x200000000184 = r[1]; *(uint64_t*)0x200000000248 = 2; *(uint32_t*)0x200000000250 = r[2]; syz_clone3(/*args=*/0x200000000200, /*size=*/0x58); return 0; } compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor3371165796 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/mips64le/single_syz_clone (0.07s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: syz_clone(0x212080, &(0x7f0000000000)="8ca244ab5b7b543f6680fc92bcb7bd7c8eb60d9c2c85f05297ba97692bdf70fc457fe4ebb5c1033fc5a3c899bfbcb6348f9811cd5a8101605c02dd3548a4bb66e15c0ebd4020b2eca71813b851320f431b", 0x51, &(0x7f0000000080), &(0x7f00000000c0), &(0x7f0000000100)="3248c343f64df8743a691d792c9d6663fd4d659d716e0d6d055ed8b0799c4de9facfba67e8bb3d2d3740062c1bb8fff81219740d5d8f12a7a1e6c94ec6d4c58d408ae70a8826d392eced3da02c236ebfb6387145b9bd359568bee8632cdfaa5775ada557d24ffe8a35f7d34e590d826e210453c97cdd86cf70b62e6fdea73fab6001dc4e2ca8f7e52b1b3a41e453488cb757ae7e2942a5e0787185a2576d0ecbe67a1a60c79eaf5285a752c21fe0eb988536ddefa124c0358f08817d035381") csource_test.go:149: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #ifndef __NR_clone #define __NR_clone 5055 #endif #ifndef __NR_exit #define __NR_exit 5058 #endif #ifndef __NR_mmap #define __NR_mmap 5009 #endif #define USLEEP_FORKED_CHILD (3 * 50 *1000) static long handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } } static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls) { long sp = (stack + stack_len) & ~15; long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); return handle_clone_ret(ret); } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} memcpy((void*)0x200000000000, "\x8c\xa2\x44\xab\x5b\x7b\x54\x3f\x66\x80\xfc\x92\xbc\xb7\xbd\x7c\x8e\xb6\x0d\x9c\x2c\x85\xf0\x52\x97\xba\x97\x69\x2b\xdf\x70\xfc\x45\x7f\xe4\xeb\xb5\xc1\x03\x3f\xc5\xa3\xc8\x99\xbf\xbc\xb6\x34\x8f\x98\x11\xcd\x5a\x81\x01\x60\x5c\x02\xdd\x35\x48\xa4\xbb\x66\xe1\x5c\x0e\xbd\x40\x20\xb2\xec\xa7\x18\x13\xb8\x51\x32\x0f\x43\x1b", 81); memcpy((void*)0x200000000100, "\x32\x48\xc3\x43\xf6\x4d\xf8\x74\x3a\x69\x1d\x79\x2c\x9d\x66\x63\xfd\x4d\x65\x9d\x71\x6e\x0d\x6d\x05\x5e\xd8\xb0\x79\x9c\x4d\xe9\xfa\xcf\xba\x67\xe8\xbb\x3d\x2d\x37\x40\x06\x2c\x1b\xb8\xff\xf8\x12\x19\x74\x0d\x5d\x8f\x12\xa7\xa1\xe6\xc9\x4e\xc6\xd4\xc5\x8d\x40\x8a\xe7\x0a\x88\x26\xd3\x92\xec\xed\x3d\xa0\x2c\x23\x6e\xbf\xb6\x38\x71\x45\xb9\xbd\x35\x95\x68\xbe\xe8\x63\x2c\xdf\xaa\x57\x75\xad\xa5\x57\xd2\x4f\xfe\x8a\x35\xf7\xd3\x4e\x59\x0d\x82\x6e\x21\x04\x53\xc9\x7c\xdd\x86\xcf\x70\xb6\x2e\x6f\xde\xa7\x3f\xab\x60\x01\xdc\x4e\x2c\xa8\xf7\xe5\x2b\x1b\x3a\x41\xe4\x53\x48\x8c\xb7\x57\xae\x7e\x29\x42\xa5\xe0\x78\x71\x85\xa2\x57\x6d\x0e\xcb\xe6\x7a\x1a\x60\xc7\x9e\xaf\x52\x85\xa7\x52\xc2\x1f\xe0\xeb\x98\x85\x36\xdd\xef\xa1\x24\xc0\x35\x8f\x08\x81\x7d\x03\x53\x81", 191); syz_clone(/*flags=CLONE_NEWTIME|CLONE_CHILD_CLEARTID|CLONE_THREAD|CLONE_PTRACE*/0x212080, /*stack=*/0x200000000000, /*stack_len=*/0x51, /*parentid=*/0x200000000080, /*childtid=*/0x2000000000c0, /*tls=*/0x200000000100); return 0; } compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor3196498645 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/mips64le/single_syz_genetlink_get_family_id (0.07s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_kvm_setup_cpu (0.07s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0x2000ae01, 0xf) syz_kvm_setup_cpu$ppc64(r0, 0xffffffffffffffff, &(0x7f0000fe6000/0x18000)=nil, &(0x7f0000000280)=[{0x0, &(0x7f0000000000)="0000203f000039630400397b00003967b81c39632401217f0000a03c0000a5600400a5780100a5640000a5600000403f00005a6304005a7b00005a6731005a6364ba4f7f41d8af130000603c000063600400637800006364d0f66360913b803ce5ed846004008478d23d8464f6128460d5dda03c1b33a5600400a5782eb5a5643a9fa560c2e6c03c8425c6600400c678922fc664a01ec660c762e03cb9b9e7600400e7782720e764fdf8e7604a54003d0afa08610400087916060865259408612036203d177d2961040029799643296590b32961020000440000603c0000636004006378000063640cef6360da3d803c082d84600400847809738464e8d18460ed4ea03c1a7ca5600400a578cb4da5642172a5609ec8c03cb0b6c6600400c678f565c6648aebc6604850e03cf764e7600400e7781433e7646553e76005eb003de8800861040008794fa20865964d08612f61203d2f64296104002979c99e2965d5742961220000440000003c0000006004000078000000640a0000600006203c00002160000020900000003c0000006004000078000000640a0000600000203cf4572160000020900000603c00006360040063780000636400f063600000803c0000846004008478000084640a008460220000440000603c000063600400637800006364bc006360f13a803cf3f784600400847834a38464a67084607997a03cc48da5600400a578f77da5645371a560220000446402004c0000203d000029610400297900002965260729610000c03e0000d6620400d67a0000d6660030d662a4cbe07e5ef99ded", 0x248}], 0x1, 0x1, &(0x7f00000002c0)=[@featur2={0x1, 0x9482}], 0x1) csource_test.go:149: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_ioctl #define __NR_ioctl 5015 #endif #ifndef __NR_mmap #define __NR_mmap 5009 #endif static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { return 0; } uint64_t r[1] = {0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0x2000ae01, /*type=*/0xful); if (res != -1) r[0] = res; *(uint64_t*)0x200000000280 = 0; *(uint64_t*)0x200000000288 = 0x200000000000; memcpy((void*)0x200000000000, "\x00\x00\x20\x3f\x00\x00\x39\x63\x04\x00\x39\x7b\x00\x00\x39\x67\xb8\x1c\x39\x63\x24\x01\x21\x7f\x00\x00\xa0\x3c\x00\x00\xa5\x60\x04\x00\xa5\x78\x01\x00\xa5\x64\x00\x00\xa5\x60\x00\x00\x40\x3f\x00\x00\x5a\x63\x04\x00\x5a\x7b\x00\x00\x5a\x67\x31\x00\x5a\x63\x64\xba\x4f\x7f\x41\xd8\xaf\x13\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\xd0\xf6\x63\x60\x91\x3b\x80\x3c\xe5\xed\x84\x60\x04\x00\x84\x78\xd2\x3d\x84\x64\xf6\x12\x84\x60\xd5\xdd\xa0\x3c\x1b\x33\xa5\x60\x04\x00\xa5\x78\x2e\xb5\xa5\x64\x3a\x9f\xa5\x60\xc2\xe6\xc0\x3c\x84\x25\xc6\x60\x04\x00\xc6\x78\x92\x2f\xc6\x64\xa0\x1e\xc6\x60\xc7\x62\xe0\x3c\xb9\xb9\xe7\x60\x04\x00\xe7\x78\x27\x20\xe7\x64\xfd\xf8\xe7\x60\x4a\x54\x00\x3d\x0a\xfa\x08\x61\x04\x00\x08\x79\x16\x06\x08\x65\x25\x94\x08\x61\x20\x36\x20\x3d\x17\x7d\x29\x61\x04\x00\x29\x79\x96\x43\x29\x65\x90\xb3\x29\x61\x02\x00\x00\x44\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x0c\xef\x63\x60\xda\x3d\x80\x3c\x08\x2d\x84\x60\x04\x00\x84\x78\x09\x73\x84\x64\xe8\xd1\x84\x60\xed\x4e\xa0\x3c\x1a\x7c\xa5\x60\x04\x00\xa5\x78\xcb\x4d\xa5\x64\x21\x72\xa5\x60\x9e\xc8\xc0\x3c\xb0\xb6\xc6\x60\x04\x00\xc6\x78\xf5\x65\xc6\x64\x8a\xeb\xc6\x60\x48\x50\xe0\x3c\xf7\x64\xe7\x60\x04\x00\xe7\x78\x14\x33\xe7\x64\x65\x53\xe7\x60\x05\xeb\x00\x3d\xe8\x80\x08\x61\x04\x00\x08\x79\x4f\xa2\x08\x65\x96\x4d\x08\x61\x2f\x61\x20\x3d\x2f\x64\x29\x61\x04\x00\x29\x79\xc9\x9e\x29\x65\xd5\x74\x29\x61\x22\x00\x00\x44\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x0a\x00\x00\x60\x00\x06\x20\x3c\x00\x00\x21\x60\x00\x00\x20\x90\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x0a\x00\x00\x60\x00\x00\x20\x3c\xf4\x57\x21\x60\x00\x00\x20\x90\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x0a\x00\x84\x60\x22\x00\x00\x44\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\xbc\x00\x63\x60\xf1\x3a\x80\x3c\xf3\xf7\x84\x60\x04\x00\x84\x78\x34\xa3\x84\x64\xa6\x70\x84\x60\x79\x97\xa0\x3c\xc4\x8d\xa5\x60\x04\x00\xa5\x78\xf7\x7d\xa5\x64\x53\x71\xa5\x60\x22\x00\x00\x44\x64\x02\x00\x4c\x00\x00\x20\x3d\x00\x00\x29\x61\x04\x00\x29\x79\x00\x00\x29\x65\x26\x07\x29\x61\x00\x00\xc0\x3e\x00\x00\xd6\x62\x04\x00\xd6\x7a\x00\x00\xd6\x66\x00\x30\xd6\x62\xa4\xcb\xe0\x7e\x5e\xf9\x9d\xed", 584); *(uint64_t*)0x200000000290 = 0x248; *(uint64_t*)0x2000000002c0 = 1; *(uint64_t*)0x2000000002c8 = 0x9482; syz_kvm_setup_cpu(/*fd=*/r[0], /*cpufd=*/-1, /*usermem=*/0x200000fe6000, /*text=*/0x200000000280, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_LE*/1, /*opts=*/0x2000000002c0, /*nopt=*/1); return 0; } compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor812879771 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/mips64le/single_syz_io_uring_complete (0.07s) csource_test.go:148: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: syz_io_uring_setup(0x27fb, &(0x7f0000000000)={0x0, 0xeeb8, 0x2000, 0x3, 0x1cf}, &(0x7f0000000080)=0x0, &(0x7f00000000c0)) syz_io_uring_complete(r0) csource_test.go:149: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 5425 #endif #ifndef __NR_mmap #define __NR_mmap 5009 #endif #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_ptr_out = (void**)a2; void** sqes_ptr_out = (void**)a3; setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128); uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES); uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array); for (uint32_t index = 0; index < entries; index++) array[index] = index; return fd_io_uring; } uint64_t r[1] = {0x0}; int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|0x2*/0x812ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} *(uint32_t*)0x200000000004 = 0xeeb8; *(uint32_t*)0x200000000008 = 0x2000; *(uint32_t*)0x20000000000c = 3; *(uint32_t*)0x200000000010 = 0x1cf; *(uint32_t*)0x200000000018 = -1; memset((void*)0x20000000001c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x27fb, /*params=*/0x200000000000, /*ring_ptr=*/0x200000000080, /*sqes_ptr=*/0x2000000000c0); if (res != -1) r[0] = *(uint64_t*)0x200000000080; syz_io_uring_complete(/*ring_ptr=*/r[0]); return 0; } compiler invocation: mips64el-linux-gnuabi64-gcc [-o /tmp/syz-executor2027548553 -DGOOS_linux=1 -DGOARCH_mips64le=1 -DHOSTGOOS_linux=1 -x c - -march=mips64r2 -mabi=64 -EL -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/mips64le/single_syz_80211_join_ibss (0.07s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_80211_inject_frame (0.07s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_usb_ep_read (0.07s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_usb_disconnect (0.07s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_create_resource (0.08s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_io_uring_setup (0.08s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_open_pts (0.08s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_extract_tcp_res (0.08s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_open_dev (0.08s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_memcpy_off (0.08s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_pkey_set (0.08s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_io_uring_submit (0.08s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_socket_connect_nvme_tcp (0.08s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_mount_image (0.08s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_btf_id_by_name (0.08s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_usb_ep_write (0.08s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_usb_connect_ath9k (0.08s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_usb_control_io (0.08s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_usb_connect (0.09s) csource_test.go:146: --- FAIL: TestGenerate/linux/mips64le/single_syz_fuse_handle_req (0.11s) csource_test.go:146: FAIL FAIL github.com/google/syzkaller/pkg/csource 21.721s ok github.com/google/syzkaller/pkg/db (cached) ? github.com/google/syzkaller/pkg/debugtracer [no test files] ? github.com/google/syzkaller/pkg/declextract [no test files] ok github.com/google/syzkaller/pkg/email (cached) ok github.com/google/syzkaller/pkg/email/lore (cached) ok github.com/google/syzkaller/pkg/flatrpc (cached) ok github.com/google/syzkaller/pkg/fuzzer (cached) ok github.com/google/syzkaller/pkg/fuzzer/queue (cached) ok github.com/google/syzkaller/pkg/gce (cached) ? github.com/google/syzkaller/pkg/gcpsecret [no test files] ? github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/gcs/mocks [no test files] ? github.com/google/syzkaller/pkg/hash [no test files] ? github.com/google/syzkaller/pkg/html [no test files] ok github.com/google/syzkaller/pkg/html/pages (cached) ok github.com/google/syzkaller/pkg/html/urlutil (cached) ? github.com/google/syzkaller/pkg/ifaceprobe [no test files] ok github.com/google/syzkaller/pkg/ifuzz (cached) ok github.com/google/syzkaller/pkg/ifuzz/arm64 (cached) ? github.com/google/syzkaller/pkg/ifuzz/arm64/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/arm64/generated [no test files] ? github.com/google/syzkaller/pkg/ifuzz/iset [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc/generated [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86 [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/generated [no test files] ok github.com/google/syzkaller/pkg/image (cached) ok github.com/google/syzkaller/pkg/instance (cached) ? github.com/google/syzkaller/pkg/kcidb [no test files] ok github.com/google/syzkaller/pkg/kconfig (cached) ? github.com/google/syzkaller/pkg/kcov [no test files] ok github.com/google/syzkaller/pkg/kd (cached) ok github.com/google/syzkaller/pkg/kfuzztest (cached) ? github.com/google/syzkaller/pkg/kfuzztest-executor [no test files] ? github.com/google/syzkaller/pkg/kfuzztest-manager [no test files] ok github.com/google/syzkaller/pkg/log (cached) ok github.com/google/syzkaller/pkg/manager (cached) ok github.com/google/syzkaller/pkg/mgrconfig (cached) ok github.com/google/syzkaller/pkg/osutil (cached) ok github.com/google/syzkaller/pkg/report (cached) ? github.com/google/syzkaller/pkg/report/crash [no test files] ok github.com/google/syzkaller/pkg/repro (cached) ok github.com/google/syzkaller/pkg/rpcserver (cached) ? github.com/google/syzkaller/pkg/rpcserver/mocks [no test files] ? github.com/google/syzkaller/pkg/rpctype [no test files] ok github.com/google/syzkaller/pkg/runtest (cached) ok github.com/google/syzkaller/pkg/serializer (cached) ok github.com/google/syzkaller/pkg/signal (cached) ok github.com/google/syzkaller/pkg/stat (cached) ok github.com/google/syzkaller/pkg/stat/sample (cached) ? github.com/google/syzkaller/pkg/stat/syzbotstats [no test files] ok github.com/google/syzkaller/pkg/subsystem (cached) ok github.com/google/syzkaller/pkg/subsystem/linux (cached) ok github.com/google/syzkaller/pkg/subsystem/lists (cached) ok github.com/google/syzkaller/pkg/symbolizer (cached) ? github.com/google/syzkaller/pkg/testutil [no test files] ok github.com/google/syzkaller/pkg/tool (cached) ok github.com/google/syzkaller/pkg/validator (cached) ok github.com/google/syzkaller/pkg/vcs (cached) ok github.com/google/syzkaller/pkg/vminfo (cached) ok github.com/google/syzkaller/prog (cached) ok github.com/google/syzkaller/prog/test (cached) ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/darwin [no test files] ? github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/layout [no test files] ? github.com/google/syzkaller/sys/generated [no test files] ok github.com/google/syzkaller/sys/linux (cached) ok github.com/google/syzkaller/sys/netbsd (cached) ok github.com/google/syzkaller/sys/openbsd (cached) ? github.com/google/syzkaller/sys/syz-extract [no test files] ? github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/trusty [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ok github.com/google/syzkaller/syz-ci (cached) ok github.com/google/syzkaller/syz-cluster/controller 0.064s ok github.com/google/syzkaller/syz-cluster/dashboard 0.043s ok github.com/google/syzkaller/syz-cluster/email-reporter 0.047s ? github.com/google/syzkaller/syz-cluster/pkg/api [no test files] ? github.com/google/syzkaller/syz-cluster/pkg/app [no test files] ok github.com/google/syzkaller/syz-cluster/pkg/blob (cached) ok github.com/google/syzkaller/syz-cluster/pkg/controller 0.055s ok github.com/google/syzkaller/syz-cluster/pkg/db 0.064s ok github.com/google/syzkaller/syz-cluster/pkg/emailclient 0.060s ok github.com/google/syzkaller/syz-cluster/pkg/fuzzconfig 2.616s ok github.com/google/syzkaller/syz-cluster/pkg/report 0.060s ok github.com/google/syzkaller/syz-cluster/pkg/reporter 0.044s ? github.com/google/syzkaller/syz-cluster/pkg/service [no test files] ok github.com/google/syzkaller/syz-cluster/pkg/triage 0.287s ? github.com/google/syzkaller/syz-cluster/pkg/workflow [no test files] ? github.com/google/syzkaller/syz-cluster/reporter-server [no test files] ok github.com/google/syzkaller/syz-cluster/series-tracker 0.051s ? github.com/google/syzkaller/syz-cluster/tools/db-mgmt [no test files] ? github.com/google/syzkaller/syz-cluster/tools/send-test-email [no test files] ? github.com/google/syzkaller/syz-cluster/workflow/boot-step [no test files] ? github.com/google/syzkaller/syz-cluster/workflow/build-step [no test files] ok github.com/google/syzkaller/syz-cluster/workflow/fuzz-step 2.137s ? github.com/google/syzkaller/syz-cluster/workflow/triage-step [no test files] ok github.com/google/syzkaller/syz-hub (cached) ok github.com/google/syzkaller/syz-hub/state (cached) ? github.com/google/syzkaller/syz-kfuzztest [no test files] ok github.com/google/syzkaller/syz-manager (cached) ? github.com/google/syzkaller/tools/arm64 [no test files] ? github.com/google/syzkaller/tools/kfuzztest-gen [no test files] ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-build [no test files] ? github.com/google/syzkaller/tools/syz-check [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-covermerger [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ok github.com/google/syzkaller/tools/syz-db (cached) ? github.com/google/syzkaller/tools/syz-db-export [no test files] ok github.com/google/syzkaller/tools/syz-declextract (cached) ? github.com/google/syzkaller/tools/syz-diff [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-expand [no test files] ? github.com/google/syzkaller/tools/syz-fillreports [no test files] ? github.com/google/syzkaller/tools/syz-fix-analyzer [no test files] ? github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-gemini-seed [no test files] ? github.com/google/syzkaller/tools/syz-hubtool [no test files] ok github.com/google/syzkaller/tools/syz-imagegen (cached) ? github.com/google/syzkaller/tools/syz-kcidb [no test files] ok github.com/google/syzkaller/tools/syz-kconf (cached) ok github.com/google/syzkaller/tools/syz-linter (cached) ? github.com/google/syzkaller/tools/syz-lore [no test files] ? github.com/google/syzkaller/tools/syz-make [no test files] ? github.com/google/syzkaller/tools/syz-minconfig [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-query-subsystems [no test files] ? github.com/google/syzkaller/tools/syz-reporter [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? github.com/google/syzkaller/tools/syz-showprio [no test files] ? github.com/google/syzkaller/tools/syz-symbolize [no test files] ok github.com/google/syzkaller/tools/syz-testbed (cached) ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? github.com/google/syzkaller/tools/syz-trace2syz [no test files] ok github.com/google/syzkaller/tools/syz-trace2syz/parser (cached) ok github.com/google/syzkaller/tools/syz-trace2syz/proggen (cached) ? github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ok github.com/google/syzkaller/vm (cached) ? github.com/google/syzkaller/vm/adb [no test files] ? github.com/google/syzkaller/vm/bhyve [no test files] ? github.com/google/syzkaller/vm/cuttlefish [no test files] ok github.com/google/syzkaller/vm/dispatcher (cached) ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ok github.com/google/syzkaller/vm/isolated (cached) ok github.com/google/syzkaller/vm/proxyapp (cached) ? github.com/google/syzkaller/vm/proxyapp/mocks [no test files] ? github.com/google/syzkaller/vm/proxyapp/proxyrpc [no test files] ? github.com/google/syzkaller/vm/qemu [no test files] ? github.com/google/syzkaller/vm/starnix [no test files] ok github.com/google/syzkaller/vm/vmimpl (cached) ? github.com/google/syzkaller/vm/vmm [no test files] ? github.com/google/syzkaller/vm/vmware [no test files] FAIL