// https://syzkaller.appspot.com/bug?id=bd3860e571a12c18739719a7aff638acc9fe4072
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Kernel-crash reproducer: a small fork/watchdog harness around one
// fixed syscall sequence (test() below) that opens /dev/kvm and issues
// KVM and perf_event_open calls with syzkaller-chosen arguments.
// Everything test() touches lives in a fixed anonymous mapping at
// 0x20000000; the harness exits with kFailStatus / kRetryStatus so the
// driving fuzzer can tell a harness failure from a transient one.
#define _GNU_SOURCE
// NOTE(review): the twelve header names were lost when this page was
// extracted (the <...> part of each include is missing); the tokens are
// kept as found and the file will not build until they are restored
// from the original reproducer.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

// Exit codes reported to the fuzzer driver: 67 = hard failure of the
// harness itself, 69 = transient condition worth retrying.
const int kFailStatus = 67;
const int kRetryStatus = 69;

// Terminate the whole thread group with `status`. The empty loop after
// exit_group only exists so the compiler can honour `noreturn`; it is
// never reached.
__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

// Print a printf-style message plus the errno captured at entry, then
// exit. ENOMEM / EAGAIN map to kRetryStatus (transient), anything else
// to kFailStatus. errno is saved first because fflush/vfprintf may
// overwrite it.
__attribute__((noreturn)) static void fail(const char* msg, ...)
{
  int e = errno;
  fflush(stdout);
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

// Same as fail(), but the exit status is always kRetryStatus.
// Not referenced elsewhere in this file.
__attribute__((noreturn)) static void exitf(const char* msg, ...)
{
  int e = errno;
  fflush(stdout);
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit(kRetryStatus);
}

// Milliseconds from CLOCK_MONOTONIC; used only for the per-iteration
// watchdog in loop(). Aborts the harness if the clock call fails.
static uint64_t current_time_ms()
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    fail("clock_gettime failed");
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void test();

// Worker loop: fork a fresh child per iteration, run test() in it, and
// reap it. The child asks to be SIGKILLed if this worker dies
// (PR_SET_PDEATHSIG) and moves into its own process group so the
// watchdog can kill everything it spawned with one kill(-pid).
// The parent polls waitpid() every 1 ms; after 5 s it kills the child's
// group and the child itself, then blocks until the child is reaped.
// Runs forever — there is no exit condition in the outer for(;;).
void loop()
{
  int iter;
  for (iter = 0;; iter++) {
    int pid = fork();
    if (pid < 0)
      fail("clone failed");
    if (pid == 0) {
      prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
      setpgrp();
      test();
      doexit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      // __WALL: reap regardless of clone flags; WNOHANG: poll, don't block.
      int res = waitpid(-1, &status, __WALL | WNOHANG);
      if (res == pid)
        break;
      usleep(1000);
      if (current_time_ms() - start > 5 * 1000) {
        // Watchdog: 5 s budget per iteration. Kill the group first so
        // anything test() forked or threads it started go too.
        kill(-pid, SIGKILL);
        kill(pid, SIGKILL);
        while (waitpid(-1, &status, __WALL) != pid) {
        }
        break;
      }
    }
  }
}

// Syscall results, indexed by the position each call had in the
// original syzkaller program (gaps are calls that were minimised away).
// Pre-filled with -1 so an unset slot reads as an invalid fd.
long r[37];

// The reproducer body. Every pointer argument is an absolute address
// inside the 0x20000000 mapping created by the first call; the magic
// constants are raw syscall arguments as syzkaller emitted them.
void test()
{
  memset(r, -1, sizeof(r));
  // mmap(0x20000000, 0xfff000, prot 0x3, flags 0x32, fd -1, off 0):
  // prot 0x3 = PROT_READ|PROT_WRITE; flags 0x32 decode on x86-64 to
  // MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS. MAP_FIXED means the scratch
  // region always lands at the same address.
  r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
                 0xfffffffffffffffful, 0x0ul);
  // "/dev/kvm\0" staged at 0x20aeaff7, then
  // openat(AT_FDCWD (-100 = 0xff..9c), "/dev/kvm", O_RDONLY, 0).
  // The reproducer needs the caller to be able to open /dev/kvm.
  memcpy((void*)0x20aeaff7, "\x2f\x64\x65\x76\x2f\x6b\x76\x6d\x00", 9);
  r[2] = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20aeaff7ul, 0x0ul,
                 0x0ul);
  // ioctl(kvm_fd, 0xae01): 0xae01 is KVM_CREATE_VM (_IO(KVMIO, 0x01)).
  // The returned VM fd (r[3]) is never used again in this file.
  r[3] = syscall(__NR_ioctl, r[2], 0xae01ul, 0x0ul);
  // madvise(0x20b71000, 0x4000, 3); advice 3 is MADV_WILLNEED on Linux.
  r[4] = syscall(__NR_madvise, 0x20b71000ul, 0x4000ul, 0x3ul);
  // Build a struct perf_event_attr by offset at 0x2001d000
  // (layout per linux/perf_event.h; offsets assumed, verify against the
  // header if this is edited): 0x00 type = 2, 0x04 size = 0x78 (120 bytes),
  // 0x08.. config bytes, 0x28 first flags byte = 0xfe, 0x30 wakeup_events,
  // 0x38 bp_addr/config1 = 4, then zeros. Note the narrowing casts:
  // (uint8_t)0xd4e9 stores only 0xe9, (uint32_t)0xfffffffffffffffd stores
  // 0xfffffffd and (uint16_t)0x100000000 stores 0 — only the low bytes of
  // each constant reach memory.
  *(uint32_t*)0x2001d000 = (uint32_t)0x2;
  *(uint32_t*)0x2001d004 = (uint32_t)0x78;
  *(uint8_t*)0x2001d008 = (uint8_t)0xd4e9;
  *(uint8_t*)0x2001d009 = (uint8_t)0x0;
  *(uint8_t*)0x2001d00a = (uint8_t)0x0;
  *(uint8_t*)0x2001d00b = (uint8_t)0x0;
  *(uint32_t*)0x2001d00c = (uint32_t)0x0;
  *(uint64_t*)0x2001d010 = (uint64_t)0x0;
  *(uint64_t*)0x2001d018 = (uint64_t)0x0;
  *(uint64_t*)0x2001d020 = (uint64_t)0x0;
  *(uint8_t*)0x2001d028 = (uint8_t)0xfe;
  *(uint8_t*)0x2001d029 = (uint8_t)0x0;
  *(uint8_t*)0x2001d02a = (uint8_t)0x0;
  *(uint8_t*)0x2001d02b = (uint8_t)0x0;
  *(uint32_t*)0x2001d02c = (uint32_t)0x0;
  *(uint32_t*)0x2001d030 = (uint32_t)0xfffffffffffffffd;
  *(uint32_t*)0x2001d034 = (uint32_t)0x0;
  *(uint64_t*)0x2001d038 = (uint64_t)0x4;
  *(uint64_t*)0x2001d040 = (uint64_t)0x0;
  *(uint64_t*)0x2001d048 = (uint64_t)0x0;
  *(uint64_t*)0x2001d050 = (uint64_t)0x0;
  *(uint64_t*)0x2001d058 = (uint64_t)0x0;
  *(uint32_t*)0x2001d060 = (uint32_t)0x0;
  *(uint64_t*)0x2001d068 = (uint64_t)0x0;
  *(uint32_t*)0x2001d070 = (uint32_t)0x0;
  *(uint16_t*)0x2001d074 = (uint16_t)0x100000000;
  *(uint16_t*)0x2001d076 = (uint16_t)0x0;
  // perf_event_open(attr, pid 0 = calling process, cpu -1 = any,
  // group_fd -1 = none, flags 0).
  r[32] = syscall(__NR_perf_event_open, 0x2001d000ul, 0x0ul,
                  0xfffffffffffffffful, 0xfffffffffffffffful, 0x0ul);
  // sched_getaffinity(pid 0, 8-byte mask, buf at 0x20c28ff8).
  r[33] = syscall(__NR_sched_getaffinity, 0x0ul, 0x8ul, 0x20c28ff8ul);
  // 1024-byte opaque payload staged at 0x2076ac00 for the next ioctl.
  // Byte content is exactly what syzkaller emitted; it is not meaningful
  // to edit by hand.
  memcpy(
      (void*)0x2076ac00,
      "\x4f\x50\x46\x6e\x1b\x42\x53\xc6\xef\x1c\x9c\xd9\x30\x71\x1c\x1a"
      "\xe8\x20\x28\xfd\x3e\xfd\x0a\x17\x21\x63\x49\x5f\x49\x60\x8e\x80"
      "\x3c\x6c\x57\xe9\x63\x67\x28\xd2\x0e\xce\x19\x39\xa5\xa6\x8f\x13"
      "\x00\x4d\xd1\x8a\xb1\xe6\xa3\xe7\x8e\x04\x00\x00\x00\x91\xc0\x1a"
      "\x8f\xd6\x9f\x43\xba\xb8\x69\xf3\x00\xaf\x07\x9b\x0e\xdf\xba\xd4"
      "\x47\x61\x51\xb0\x5c\xad\x0e\xf1\x2c\x1d\x5f\xff\x65\x39\xbd\x60"
      "\xb0\x69\xde\x17\x59\x8f\x88\x46\xaa\x35\xfb\xec\xd8\x7d\x4a\xfd"
      "\xe5\x01\x0e\x65\x5c\x89\x16\xaf\x1e\xee\xba\xd8\xa7\x46\xc5\x3f"
      "\x57\x1a\x5f\xc8\xf1\x02\xdc\x3a\x52\x48\xb6\x29\x86\x08\xcd\xa4"
      "\x54\x77\xb9\xeb\xac\x43\x38\x8d\xa6\xb7\x2f\x6c\xf2\xa3\x97\x8a"
      "\x8e\x4b\x6a\x4f\xb7\x54\xf0\x06\xd5\x18\xcb\xbf\x92\x42\x8d\x4a"
      "\x57\x60\xba\x12\x66\x6d\x62\xe6\xaa\x38\x0d\xe2\x6a\x9d\x4a\xc6"
      "\x74\x91\x1a\x45\xa1\xe1\xa0\x97\x55\x82\x26\x0c\xdb\x93\xc3\x56"
      "\x04\x98\xad\x45\x2e\x96\xec\x71\xd1\x33\xa6\x89\xe3\xf7\x06\x57"
      "\x00\x02\x50\x50\xc9\x9a\x77\xfc\x11\xd7\x79\x62\x44\x85\x22\x65"
      "\x0d\xa9\x75\xda\xe2\xc4\xe3\xc1\x27\x94\xe5\x84\x6e\x64\x6d\x85"
      "\xf2\x58\xc9\xb0\x98\xac\x45\x65\xaf\x0d\xb8\xb3\x28\xea\xc6\x7e"
      "\xa5\xf3\x7c\xe2\x4f\xe7\xdc\x4c\xf4\x5d\x46\x02\xb0\xe6\x25\x48"
      "\x00\xe6\x15\x68\x59\xd7\xb2\x56\x4a\x58\xa7\xeb\x80\xd1\x25\xa1"
      "\x36\x10\x31\x08\x26\x37\x1c\xea\x9c\x1d\x17\x6e\xc9\xde\xcd\xd8"
      "\xcb\x1a\xa7\x13\xf3\xfe\xe0\xd7\x6a\x36\xe6\x39\x07\x1b\x6f\x6f"
      "\xd9\x76\x6a\x83\x22\x2d\x2e\x90\x25\x0b\x5f\xb9\x3b\xbb\x58\xde"
      "\x8e\x90\xc3\x10\xcf\xad\x72\xe8\x40\x0d\x1b\x83\x43\x23\x48\xb8"
      "\x00\x00\x00\x00\x00\x00\x00\x01\xa9\xad\x2e\x90\x19\x8f\x20\x1f"
      "\x4b\x35\x12\x72\x42\x35\xfe\x48\x1a\xb5\xa7\xec\xfa\x9c\x69\x00"
      "\x24\x33\x41\x85\x3b\x08\x90\x76\x9a\xa0\x2d\xa3\xbb\x46\x04\x77"
      "\xb6\x19\xcc\x49\x8a\x8b\x80\x2e\x3d\x1d\x1d\xc3\x0e\x02\xc5\xf7"
      "\xab\xea\xd0\xa2\x20\x16\xdc\xd4\x55\xc1\x16\xba\x4e\xdc\x1f\x7a"
      "\xf4\x96\xfd\x82\xe1\x3d\xd2\xe0\x42\x40\x84\x79\x6a\xa6\xaf\xfc"
      "\x0b\x61\x75\x97\x9c\xea\x78\x2c\x10\xa8\x15\x83\x0e\x21\xc1\xad"
      "\x36\xa4\xd7\xcd\x6b\x1a\x12\x8a\x80\x6c\x0f\x6d\x83\xb1\xcd\x9d"
      "\xfe\x52\xa8\xc4\xf3\x4d\xd7\xb6\x63\x2a\xf7\xed\x5a\x3a\x7f\x7a"
      "\x03\xac\x65\x3d\x51\xad\x63\xaa\xe0\x28\x61\x0a\x55\xae\x54\xac"
      "\xf3\x1d\xf4\x51\x14\x29\xfe\xac\x44\xab\xce\x62\x7d\x3f\x12\x86"
      "\x8e\xed\xd0\x73\xa0\x65\x46\x8e\xe4\x33\xac\x9c\x6e\x61\xc4\x56"
      "\x8d\x35\x71\xa5\xaf\xdb\x01\xb6\x77\x65\xc3\x84\x0d\xf3\x6e\x73"
      "\x86\xbd\x7a\x78\x8c\x6d\x40\xd9\x2c\x68\x18\x0c\xed\x20\x7f\x66"
      "\x1c\xf1\x6c\xe3\x4b\x51\x11\xd9\xc2\x4c\x38\x3e\x94\x4a\xda\xbf"
      "\xbf\x20\xe5\x86\xc5\x75\xf4\x1e\xad\xc1\xe4\x8f\x2b\x58\xd6\x40"
      "\xfe\xb7\x8e\x01\x0e\xd9\xc4\x93\x4c\x8a\x6d\x65\xe3\xd1\xa3\x84"
      "\x25\xa0\x9a\x08\xa6\x97\x86\xb2\x2a\xc2\xe6\xd4\x37\xa8\xa3\x21"
      "\x6c\x1d\xbf\xc3\x59\xe6\x1d\x8c\x76\x27\x34\xb9\x7d\xbb\xb6\xf9"
      "\xd6\xc4\x77\x01\x00\xa4\xfc\x71\x26\xa2\x3b\x3c\x82\x75\x1a\x4c"
      "\xd8\x07\xca\x29\xf7\x99\x7c\xad\x4b\x9d\x1d\x82\xfc\xcc\x63\x76"
      "\x60\x8a\x01\x2a\x31\xa9\x5c\x86\x09\x51\xad\xef\x37\x98\xda\x05"
      "\x7c\x02\xfb\x59\x0b\xf8\xec\xf1\xce\xfc\x19\x2c\xc0\x30\xe6\x06"
      "\x16\x6a\x29\x66\x9a\x79\x25\xcb\x74\xc6\xd1\x9b\x8c\xe5\xc5\x15"
      "\x25\xf0\x90\x83\x10\xa4\xa8\xb9\x42\xaf\xd9\x02\x10\x1b\x3c\x5b"
      "\xe8\x68\xa1\x5f\x19\xe3\x53\xac\xcf\x2e\xea\x8a\x2f\xe8\x84\xd7"
      "\xdb\xbd\xbe\xcb\xab\xb3\x94\x0d\xe2\x0e\x0a\xcc\xa7\xa0\x74\xc8"
      "\x3d\x0d\x63\x95\x32\xb5\xc0\x54\x2f\x6b\xb7\xa9\xf5\x41\x95\x16"
      "\x1e\x3b\x33\xfe\x09\x8c\xd6\x17\xc2\x8b\xbd\x72\x94\x75\xb8\xf4"
      "\x41\xde\x85\x3a\x3f\x27\xd8\x12\x8e\xf0\xc8\x07\x09\x30\x59\x7b"
      "\x1d\xfb\x98\x5d\x3c\x70\x2e\x67\x6e\x12\xec\x87\x71\x5a\xa6\x72"
      "\xbf\xe5\xa1\x05\x8f\x91\xb7\xc1\xe6\x7a\x00\x61\x29\x5a\xc8\x80"
      "\xb2\x3b\x03\x34\x6e\xa2\xc2\xe8\x7b\xf3\xc3\x94\x75\x51\xa0\xd6"
      "\x27\x13\x1f\xe7\xd8\xc0\x30\x0e\xec\xf3\x76\xee\x36\x09\x72\xda"
      "\x94\x57\xa8\xc1\x40\xc2\x81\x23\xd0\x41\x31\xb0\xb3\x05\x81\x6e"
      "\x3c\x13\x31\xb2\xc1\x39\xbd\x88\xc3\x5c\x61\x3b\xd5\xed\x2a\x90"
      "\x70\x41\x47\x99\x29\x6c\x34\x21\x7d\x85\x5b\x76\xf8\xdb\x54\xa9"
      "\xdd\x9c\x17\x9a\xd6\x69\x82\xbd\xbb\x66\x20\x60\xa5\x44\x84\xac"
      "\x2d\x05\xc9\x70\xde\xd6\x05\x06\x34\x38\xe1\xc7\x7e\x58\xb7\x26"
      "\x3a\x8e\x75\x3e\x8f\x09\x40\x07\xa6\x76\xe9\x13\xc8\x2a\x30\x0b"
      "\x3a\x57\xf0\x64\x6f\x2b\xf0\xbf\x6b\xa2\x6a\x8d\xe1\x91\x5c"
      "\x7b",
      1024);
  // ioctl(-1, 0x4400ae8f, payload): request 0x4400ae8f decodes as
  // _IOW(KVMIO, 0x8f, 1024 bytes), i.e. KVM_SET_LAPIC with a
  // struct kvm_lapic_state (verify against linux/kvm.h). The fd argument
  // is -1, not the vcpu fd this request normally targets, so as written
  // the call is expected to fail with EBADF before reaching KVM.
  r[35] = syscall(__NR_ioctl, 0xfffffffffffffffful, 0x4400ae8ful,
                  0x2076ac00ul);
  // ioctl(-1, 0xae80, 0): 0xae80 is KVM_RUN (_IO(KVMIO, 0x80)); again
  // issued on fd -1 rather than a vcpu fd.
  r[36] = syscall(__NR_ioctl, 0xfffffffffffffffful, 0xae80ul, 0x0ul);
}

// Entry point: fork 8 workers that each run loop() forever, then park
// the parent for ~11.5 days. A failed fork() returns -1, which the
// `== 0` test treats like the parent path, so the failure is silently
// ignored and fewer workers run.
int main()
{
  int i;
  for (i = 0; i < 8; i++) {
    if (fork() == 0) {
      loop();
      return 0;
    }
  }
  sleep(1000000);
  return 0;
}