stress2: Added syzkaller reproducers. Update the exclude file
@@ -22,6 +22,7 @@ gjournal3.sh panic: Bio not on queue 20171225
gjournal4.sh CAM stuck in vmwait 20180517
gnop10.sh Waiting for fix 20230319
gnop13.sh https://people.freebsd.org/~pho/stress/log/log0386.txt 20221113
gnop3.sh CAM stuck in vmwait 20260219
gnop7.sh Waiting for patch commit 20190820
gnop8.sh Waiting for patch commit 20201214
gnop9.sh Waiting for patch commit 20201214
@@ -29,8 +30,6 @@ graid1_3.sh Hang seen 20250915
graid1_8.sh Known issue 20170909
graid1_9.sh panic: Bad effnlink 20180212
gunion.sh CAM stuk in vmwait 20251226
ifconfig.sh https://people.freebsd.org/~pho/stress/log/log0626.txt 20251217
ifconfig2.sh Hang in ifnet_de, vlan_sx and sbwait 20250114
lockf5.sh Spinning threads seen 20160718
maxvnodes2.sh https://people.freebsd.org/~pho/stress/log/log0083.txt 20210329
memguard.sh https://people.freebsd.org/~pho/stress/log/log0088.txt 20210402
@@ -71,10 +70,18 @@ syzkaller16.sh zonelimit issue 20210722
syzkaller28.sh panic: About to free ctl:0x... so:0x... and its in 1 20201120
syzkaller55.sh https://people.freebsd.org/~pho/stress/log/log0533.txt 20240702
syzkaller59.sh Page fault 20220625
syzkaller68.sh Can not unload zfs.ko after this test 20260206
syzkaller80.sh panic 20250711
syzkaller82.sh panic: m_apply, length > size of mbuf chain 20250724
syzkaller85.sh panic: Assertion uio->uio_resid < 0 failed 20250928
syzkaller89.sh panic: MNT_DEFERRED requires MNT_RECURSE | MNT_FORCE 20241224
syzkaller90.sh panic: general protection fault 20260318
syzkaller91.sh Kernel page fault with the following non-sleepable locks held 20260318
syzkaller92.sh Kernel page fault with the following non-sleepable locks held 20260318
syzkaller93.sh panic: _free(0): addr 0xfffff802f7e5a7b8 slab 0xfffffffffffffff 20260318
syzkaller94.sh panic: ata_action: ccb 0xfffff80347e777b8, func_code 0x1 should 20260318
syzkaller95.sh Kernel page fault with the following non-sleepable locks held 20260318
syzkaller97.sh panic: cam_periph_ccbwait: proceeding with incomplete ccb 20260318
syzkaller98.sh panic: dst_m 0xfffffe00130fd920 is not wired 20260318
quota3.sh https://people.freebsd.org/~pho/stress/log/log0604.txt 20250728
quota6.sh https://people.freebsd.org/~pho/stress/log/log0456.txt 20240707
truss3.sh WiP 20200915
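--- /dev/null
+++ b/syzkaller90.sh
@@ -0,0 +1,228 @@
+#!/bin/sh
+
+# cpuid = 4; apic id = 04
+# instruction pointer = 0x20:0xffffffff803a1e9c
+# stack pointer = 0x28:0xfffffe0202e4c930
+# frame pointer = 0x28:0xfffffe0202e4c970
+# code segment = base 0x0, limit 0xfffff, type 0x1b
+# = DPL 0, pres 1, long 1, def32 0, gran 1
+# processor eflags = interrupt enabled, resume, IOPL = 0
+# current process = 90315 (repro20)
+# rdi: fffff803157b7000 rsi: 0000000000000004 rdx: ffffffff81250a83
+# rcx: 0000000000000010 r8: 000000000000000e r9: 1627af6b9da6f5a7
+# rax: 0000000000000010 rbx: fffff803157b7000 rbp: fffffe0202e4c970
+# r10: fffff803157b70c8 r11: fffff807cf9bfcd0 r12: 0000000000000001
+# r13: fffff803157b7048 r14: fffff800035e0ac0 r15: 6e3642f32a3ae6f2
+# trap number = 9
+# panic: general protection fault
+# cpuid = 4
+# time = 1773820163
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0202e4c6b0
+# vpanic() at vpanic+0x136/frame 0xfffffe0202e4c7e0
+# panic() at panic+0x43/frame 0xfffffe0202e4c840
+# trap_fatal() at trap_fatal+0x68/frame 0xfffffe0202e4c860
+# calltrap() at calltrap+0x8/frame 0xfffffe0202e4c860
+# --- trap 0x9, rip = 0xffffffff803a1e9c, rsp = 0xfffffe0202e4c930, rbp = 0xfffffe0202e4c970 ---
+# xpt_action_default() at xpt_action_default+0x80c/frame 0xfffffe0202e4c970
+# cam_periph_runccb() at cam_periph_runccb+0xec/frame 0xfffffe0202e4cac0
+# passsendccb() at passsendccb+0x160/frame 0xfffffe0202e4cb30
+# passdoioctl() at passdoioctl+0x3a1/frame 0xfffffe0202e4cb80
+# passioctl() at passioctl+0x22/frame 0xfffffe0202e4cbc0
+# devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe0202e4cc10
+# VOP_IOCTL_APV() at VOP_IOCTL_APV+0x51/frame 0xfffffe0202e4cc40
+# vn_ioctl() at vn_ioctl+0x160/frame 0xfffffe0202e4ccb0
+# devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe0202e4ccd0
+# kern_ioctl() at kern_ioctl+0x2a1/frame 0xfffffe0202e4cd40
+# sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe0202e4ce00
+# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe0202e4cf30
+# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0202e4cf30
+# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x823e9deca, rsp = 0x820edf228, rbp = 0x820edf250 ---
+# KDB: enter: panic
+# [ thread pid 90315 tid 851795 ]
+# Stopped at kdb_enter+0x33: movq $0,0x15e9d32(%rip)
+# db> x/s version
+# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
+# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
+# db>
+
+# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
+# Bug 293888 - Fatal trap NUM: general protection fault while in kernel mode in cam_periph_runccb
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// Bug 293888 - Fatal trap NUM: general protection fault while in kernel mode in cam_periph_runccb
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+int main(void)
+{
+syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
+/*fd=*/(intptr_t)-1, /*offset=*/0ul);
+const char* reason;
+(void)reason;
+intptr_t res = 0;
+if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+}
+// openat\$pass_pass_cdevsw arguments: [
+// fd: const = 0xffffffffffffff9c (8 bytes)
+// file: ptr[in, buffer] {
+// buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
+// }
+// flags: open_flags = 0x2 (4 bytes)
+// mode: const = 0x0 (4 bytes)
+// ]
+// returns fd_pass_pass_cdevsw
+memcpy((void*)0x200000000000, "/dev/pass0\000", 11);
+res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
+/*file=*/0x200000000000ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
+if (res != -1)
+r[0] = res;
+// ioctl\$CAMIOCOMMAND_pass_cdevsw arguments: [
+// fd: fd_pass_pass_cdevsw (resource)
+// cmd: const = 0xc4e01a02 (8 bytes)
+// arg: ptr[inout, ccb\$pass_cdevsw] {
+// union ccb\$pass_cdevsw {
+// nvmeio: ccb_nvmeio\$pass_cdevsw {
+// ccb_h: ccb_hdr\$pass_cdevsw {
+// pinfo: cam_pinfo\$pass_cdevsw {
+// priority: int32 = 0x8 (4 bytes)
+// generation: int32 = 0x6 (4 bytes)
+// index: int32 = 0xb406 (4 bytes)
+// }
+// pad = 0x0 (4 bytes)
+// xpt_links: camq_entry\$pass_cdevsw {
+// links_next: intptr = 0x100000000 (8 bytes)
+// priority: int32 = 0x70 (4 bytes)
+// pad = 0x0 (4 bytes)
+// }
+// sim_links: camq_entry\$pass_cdevsw {
+// links_next: intptr = 0x7 (8 bytes)
+// priority: int32 = 0x81 (4 bytes)
+// pad = 0x0 (4 bytes)
+// }
+// periph_links: camq_entry\$pass_cdevsw {
+// links_next: intptr = 0x8000000000000000 (8 bytes)
+// priority: int32 = 0xffffffc0 (4 bytes)
+// pad = 0x0 (4 bytes)
+// }
+// retry_count: int16 = 0xa5f (2 bytes)
+// alloc_flags: int16 = 0xb (2 bytes)
+// pad = 0x0 (4 bytes)
+// cbfcnp: intptr = 0x3ff (8 bytes)
+// func_code: int32 = 0x10 (4 bytes)
+// status: int32 = 0x3 (4 bytes)
+// path: intptr = 0xe10 (8 bytes)
+// path_id: int32 = 0x8 (4 bytes)
+// target_id: int32 = 0x7fffffff (4 bytes)
+// target_lun: int64 = 0x4 (8 bytes)
+// flags: int32 = 0xe (4 bytes)
+// xflags: int32 = 0x130d (4 bytes)
+// periph_priv: buffer: {5c d8 48 b0 e1 42 d0 a6 b0 73 4f 56 fb 07
+// 08 b5} (length 0x10) sim_priv: buffer: {0f c0 f1 57 fc dc a5 76
+// 71 ad 9f 46 0c eb b2 fc} (length 0x10) qos: buffer: {7a 6f cd f8
+// b3 f0 65 53 2e 65 18 29 70 c1 63 f1} (length 0x10) timeout:
+// int32 = 0x8000 (4 bytes) pad = 0x0 (4 bytes) softtimeout:
+// timeval {
+// sec: intptr = 0x6 (8 bytes)
+// usec: intptr = 0x9 (8 bytes)
+// }
+// }
+// payload: buffer: {ec d6 eb 0c 55 29 7e 1e f2 e6 3a 2a f3 42 36 6e
+// a7 f5 a6 9d 6b af 27 16 0d 12 f7 c7 a6 d3 dc 8d 89 88 c3 75 c4 2c
+// a8 fb 0a 90 70 3d c6 5a 63 b8 ac 32 e2 21 4b 36 13 0e 64 c1 86 b2
+// 38 66 cc bf 6d c9 86 33 8c eb a1 fa b5 dd 55 c8 76 04 6d c2 b8 20
+// 31 11 5f 24 8b f4 d7 00 7c 7a 4f 00 4e fd 2f 0f 57 bc c2 00 22 b1
+// 23 4f 4b 19 c7 9a 47 1e b0 ea 60 87 f3 88 71 9d d1 e4 dd 15 da bf
+// 0d 03 34 d9 32 bf b5 80 9f 72 80 dc 37 b2 0e 79 d3 96 93 12 50 0c
+// 77 0b d9 9d 0c 93 0c b2 c8 03 bc 75 14 5a c0 50 dc 3f d3 92 ee 07
+// b5 a9 f2 85 76 a7 36 8d 6f 71 fb 8a cb ee 8c 0c 77 8d 81 b0 02 38
+// 70 4a 3d c9 1a f5 4f 91 e6 a1 14 93 3e be a0 e8 7a 69 33 cc e4 d2
+// 8c 88 af c9 05 d4 74 b0 87 a3 34 3b 0c 9e d4 42 bd 8e 03 24 91 2c
+// 94 1f 5b 88 7c 0c b2 07 af 68 43 d0 5b cb f9 b2 64 ce b6 c9}
+// (length 0x100)
+// }
+// }
+// }
+// ]
+*(uint32_t*)0x200000000140 = 8;
+*(uint32_t*)0x200000000144 = 6;
+*(uint32_t*)0x200000000148 = 0xb406;
+*(uint64_t*)0x200000000150 = 0x100000000;
+*(uint32_t*)0x200000000158 = 0x70;
+*(uint64_t*)0x200000000160 = 7;
+*(uint32_t*)0x200000000168 = 0x81;
+*(uint64_t*)0x200000000170 = 0x8000000000000000;
+*(uint32_t*)0x200000000178 = 0xffffffc0;
+*(uint16_t*)0x200000000180 = 0xa5f;
+*(uint16_t*)0x200000000182 = 0xb;
+*(uint64_t*)0x200000000188 = 0x3ff;
+*(uint32_t*)0x200000000190 = 0x10;
+*(uint32_t*)0x200000000194 = 3;
+*(uint64_t*)0x200000000198 = 0xe10;
+*(uint32_t*)0x2000000001a0 = 8;
+*(uint32_t*)0x2000000001a4 = 0x7fffffff;
+*(uint64_t*)0x2000000001a8 = 4;
+*(uint32_t*)0x2000000001b0 = 0xe;
+*(uint32_t*)0x2000000001b4 = 0x130d;
+memcpy((void*)0x2000000001b8,
+"\x5c\xd8\x48\xb0\xe1\x42\xd0\xa6\xb0\x73\x4f\x56\xfb\x07\x08\xb5",
+16);
+memcpy((void*)0x2000000001c8,
+"\x0f\xc0\xf1\x57\xfc\xdc\xa5\x76\x71\xad\x9f\x46\x0c\xeb\xb2\xfc",
+16);
+memcpy((void*)0x2000000001d8,
+"\x7a\x6f\xcd\xf8\xb3\xf0\x65\x53\x2e\x65\x18\x29\x70\xc1\x63\xf1",
+16);
+*(uint32_t*)0x2000000001e8 = 0x8000;
+*(uint64_t*)0x2000000001f0 = 6;
+*(uint64_t*)0x2000000001f8 = 9;
+memcpy(
+(void*)0x200000000200,
+"\xec\xd6\xeb\x0c\x55\x29\x7e\x1e\xf2\xe6\x3a\x2a\xf3\x42\x36\x6e\xa7\xf5"
+"\xa6\x9d\x6b\xaf\x27\x16\x0d\x12\xf7\xc7\xa6\xd3\xdc\x8d\x89\x88\xc3\x75"
+"\xc4\x2c\xa8\xfb\x0a\x90\x70\x3d\xc6\x5a\x63\xb8\xac\x32\xe2\x21\x4b\x36"
+"\x13\x0e\x64\xc1\x86\xb2\x38\x66\xcc\xbf\x6d\xc9\x86\x33\x8c\xeb\xa1\xfa"
+"\xb5\xdd\x55\xc8\x76\x04\x6d\xc2\xb8\x20\x31\x11\x5f\x24\x8b\xf4\xd7\x00"
+"\x7c\x7a\x4f\x00\x4e\xfd\x2f\x0f\x57\xbc\xc2\x00\x22\xb1\x23\x4f\x4b\x19"
+"\xc7\x9a\x47\x1e\xb0\xea\x60\x87\xf3\x88\x71\x9d\xd1\xe4\xdd\x15\xda\xbf"
+"\x0d\x03\x34\xd9\x32\xbf\xb5\x80\x9f\x72\x80\xdc\x37\xb2\x0e\x79\xd3\x96"
+"\x93\x12\x50\x0c\x77\x0b\xd9\x9d\x0c\x93\x0c\xb2\xc8\x03\xbc\x75\x14\x5a"
+"\xc0\x50\xdc\x3f\xd3\x92\xee\x07\xb5\xa9\xf2\x85\x76\xa7\x36\x8d\x6f\x71"
+"\xfb\x8a\xcb\xee\x8c\x0c\x77\x8d\x81\xb0\x02\x38\x70\x4a\x3d\xc9\x1a\xf5"
+"\x4f\x91\xe6\xa1\x14\x93\x3e\xbe\xa0\xe8\x7a\x69\x33\xcc\xe4\xd2\x8c\x88"
+"\xaf\xc9\x05\xd4\x74\xb0\x87\xa3\x34\x3b\x0c\x9e\xd4\x42\xbd\x8e\x03\x24"
+"\x91\x2c\x94\x1f\x5b\x88\x7c\x0c\xb2\x07\xaf\x68\x43\xd0\x5b\xcb\xf9\xb2"
+"\x64\xce\xb6\xc9",
+256);
+syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0xc4e01a02ul,
+/*arg=*/0x200000000140ul);
+return 0;
+}
+EOF
+mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
+
+timeout 3m /tmp/$prog > /dev/null 2>&1
+
+rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
+exit 0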
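Review bot: Nothing checks that `/dev/pass0` exists before the reproducer is compiled and run, so on a host without a pass(4) device the `openat` in main() fails, `r[0]` stays at its -1 initialiser, the final ioctl is issued on that invalid fd, and the script still ends with `exit 0`; a guard such as `[ -c /dev/pass0 ] || exit 0` next to the root check would make the skip explicit rather than silent. The same applies to the syzkaller91.sh and syzkaller92.sh sections below, which open the same device. Separately, the here-document uses an unquoted `<<EOF`, so every `$` in the embedded C has to be escaped (the `\$pass_cdevsw` comment lines); `cat > /tmp/$prog.c <<'EOF'` would copy the generated source verbatim and let those escapes be dropped.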
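--- /dev/null
+++ b/syzkaller91.sh
@@ -0,0 +1,217 @@
+#!/bin/sh
+
+# Kernel page fault with the following non-sleepable locks held:
+# exclusive sleep mutex CAM device lock (CAM device lock) r = 0 (0xfffff80006ad2cd0) locked @ cam/scsi/scsi_pass.c:1766
+# stack backtrace:
+# #0 0xffffffff80c4787c at witness_debugger+0x6c
+# #1 0xffffffff80c49189 at witness_warn+0x4c9
+# #2 0xffffffff81131d8c at trap_pfault+0x8c
+# #3 0xffffffff811015a8 at calltrap+0x8
+# #4 0xffffffff8039de7c at cam_periph_runccb+0xec
+# #5 0xffffffff803d9160 at passsendccb+0x160
+# #6 0xffffffff803d8821 at passdoioctl+0x3a1
+# #7 0xffffffff803d8102 at passioctl+0x22
+# #8 0xffffffff80a413b1 at devfs_ioctl+0xd1
+# #9 0xffffffff81204821 at VOP_IOCTL_APV+0x51
+# #10 0xffffffff80cf0890 at vn_ioctl+0x160
+# #11 0xffffffff80a41a7e at devfs_ioctl_f+0x1e
+# #12 0xffffffff80c4e3c1 at kern_ioctl+0x2a1
+# #13 0xffffffff80c4e0bf at sys_ioctl+0x12f
+# #14 0xffffffff811327d9 at amd64_syscall+0x169
+# #15 0xffffffff81101e9b at fast_syscall_common+0xf8
+#
+#
+# Fatal trap 12: page fault while in kernel mode
+# cpuid = 9; apic id = 09
+# fault virtual address = 0x50
+# fault code = supervisor read data, page not present
+# instruction pointer = 0x20:0xffffffff803a1e9c
+# stack pointer = 0x28:0xfffffe01001f2930
+# frame pointer = 0x28:0xfffffe01001f2970
+# code segment = base 0x0, limit 0xfffff, type 0x1b
+# = DPL 0, pres 1, long 1, def32 0, gran 1
+# processor eflags = interrupt enabled, resume, IOPL = 0
+# current process = 3759 (syzkaller91)
+# rdi: fffff80006ac0800 rsi: 0000000000000004 rdx: ffffffff81250a83
+# rcx: 0000000000000010 r8: 0000000000000008 r9: 0000000000000000
+# rax: 0000000000000010 rbx: fffff80006ac0800 rbp: fffffe01001f2970
+# r10: fffff80006ac08c8 r11: 0000000000000001 r12: 0000000000000001
+# r13: fffff80006ac0848 r14: fffff80006b9d2c0 r15: 0000000000000000
+# trap number = 12
+# panic: page fault
+# cpuid = 9
+# time = 1773832077
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01001f2660
+# vpanic() at vpanic+0x136/frame 0xfffffe01001f2790
+# panic() at panic+0x43/frame 0xfffffe01001f27f0
+# trap_pfault() at trap_pfault+0x422/frame 0xfffffe01001f2860
+# calltrap() at calltrap+0x8/frame 0xfffffe01001f2860
+# --- trap 0xc, rip = 0xffffffff803a1e9c, rsp = 0xfffffe01001f2930, rbp = 0xfffffe01001f2970 ---
+# xpt_action_default() at xpt_action_default+0x80c/frame 0xfffffe01001f2970
+# cam_periph_runccb() at cam_periph_runccb+0xec/frame 0xfffffe01001f2ac0
+# passsendccb() at passsendccb+0x160/frame 0xfffffe01001f2b30
+# passdoioctl() at passdoioctl+0x3a1/frame 0xfffffe01001f2b80
+# passioctl() at passioctl+0x22/frame 0xfffffe01001f2bc0
+# devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe01001f2c10
+# VOP_IOCTL_APV() at VOP_IOCTL_APV+0x51/frame 0xfffffe01001f2c40
+# vn_ioctl() at vn_ioctl+0x160/frame 0xfffffe01001f2cb0
+# devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe01001f2cd0
+# kern_ioctl() at kern_ioctl+0x2a1/frame 0xfffffe01001f2d40
+# sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe01001f2e00
+# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe01001f2f30
+# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01001f2f30
+# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x823e6feca, rsp = 0x820c6d558, rbp = 0x820c6d580 ---
+# KDB: enter: panic
+# [ thread pid 3759 tid 100348 ]
+# Stopped at kdb_enter+0x33: movq $0,0x15e9d32(%rip)
+# db> x/s version
+# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
+# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
+# db>
+
+# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
+# [Bug 293890] Fatal trap NUM: page fault while in kernel mode in cam_periph_runccb
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+int main(void)
+{
+syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
+/*fd=*/(intptr_t)-1, /*offset=*/0ul);
+const char* reason;
+(void)reason;
+intptr_t res = 0;
+if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+}
+// openat\$pass_pass_cdevsw arguments: [
+// fd: const = 0xffffffffffffff9c (8 bytes)
+// file: ptr[in, buffer] {
+// buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
+// }
+// flags: open_flags = 0x2 (4 bytes)
+// mode: const = 0x0 (4 bytes)
+// ]
+// returns fd_pass_pass_cdevsw
+memcpy((void*)0x200000000100, "/dev/pass0\000", 11);
+res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
+/*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
+if (res != -1)
+r[0] = res;
+// ioctl\$CAMIOCOMMAND_pass_cdevsw arguments: [
+// fd: fd_pass_pass_cdevsw (resource)
+// cmd: const = 0xc4e01a02 (8 bytes)
+// arg: ptr[inout, ccb\$pass_cdevsw] {
+// union ccb\$pass_cdevsw {
+// ccb_h: ccb_hdr\$pass_cdevsw {
+// pinfo: cam_pinfo\$pass_cdevsw {
+// priority: int32 = 0x5 (4 bytes)
+// generation: int32 = 0x2 (4 bytes)
+// index: int32 = 0x3 (4 bytes)
+// }
+// pad = 0x0 (4 bytes)
+// xpt_links: camq_entry\$pass_cdevsw {
+// links_next: intptr = 0xb (8 bytes)
+// priority: int32 = 0x6 (4 bytes)
+// pad = 0x0 (4 bytes)
+// }
+// sim_links: camq_entry\$pass_cdevsw {
+// links_next: intptr = 0x8 (8 bytes)
+// priority: int32 = 0x6 (4 bytes)
+// pad = 0x0 (4 bytes)
+// }
+// periph_links: camq_entry\$pass_cdevsw {
+// links_next: intptr = 0xfe (8 bytes)
+// priority: int32 = 0x6 (4 bytes)
+// pad = 0x0 (4 bytes)
+// }
+// retry_count: int16 = 0x3 (2 bytes)
+// alloc_flags: int16 = 0x5 (2 bytes)
+// pad = 0x0 (4 bytes)
+// cbfcnp: intptr = 0xbfc (8 bytes)
+// func_code: int32 = 0x10 (4 bytes)
+// status: int32 = 0x4 (4 bytes)
+// path: intptr = 0x5 (8 bytes)
+// path_id: int32 = 0x0 (4 bytes)
+// target_id: int32 = 0x2 (4 bytes)
+// target_lun: int64 = 0x7e2 (8 bytes)
+// flags: int32 = 0x8 (4 bytes)
+// xflags: int32 = 0x3 (4 bytes)
+// periph_priv: buffer: {bc 09 6b 26 d7 02 3b 02 06 84 bf 81 a9 85 11
+// 50} (length 0x10) sim_priv: buffer: {a5 da 75 ef af 1d 7f d5 40 94
+// 02 67 14 f6 36 17} (length 0x10) qos: buffer: {74 70 33 74 c5 58
+// 85 93 b4 d5 75 39 9f 79 94 a4} (length 0x10) timeout: int32 = 0x2
+// (4 bytes) pad = 0x0 (4 bytes) softtimeout: timeval {
+// sec: intptr = 0x6e (8 bytes)
+// usec: intptr = 0x400 (8 bytes)
+// }
+// }
+// }
+// }
+// ]
+*(uint32_t*)0x200000000240 = 5;
+*(uint32_t*)0x200000000244 = 2;
+*(uint32_t*)0x200000000248 = 3;
+*(uint64_t*)0x200000000250 = 0xb;
+*(uint32_t*)0x200000000258 = 6;
+*(uint64_t*)0x200000000260 = 8;
+*(uint32_t*)0x200000000268 = 6;
+*(uint64_t*)0x200000000270 = 0xfe;
+*(uint32_t*)0x200000000278 = 6;
+*(uint16_t*)0x200000000280 = 3;
+*(uint16_t*)0x200000000282 = 5;
+*(uint64_t*)0x200000000288 = 0xbfc;
+*(uint32_t*)0x200000000290 = 0x10;
+*(uint32_t*)0x200000000294 = 4;
+*(uint64_t*)0x200000000298 = 5;
+*(uint32_t*)0x2000000002a0 = 0;
+*(uint32_t*)0x2000000002a4 = 2;
+*(uint64_t*)0x2000000002a8 = 0x7e2;
+*(uint32_t*)0x2000000002b0 = 8;
+*(uint32_t*)0x2000000002b4 = 3;
+memcpy((void*)0x2000000002b8,
+"\xbc\x09\x6b\x26\xd7\x02\x3b\x02\x06\x84\xbf\x81\xa9\x85\x11\x50",
+16);
+memcpy((void*)0x2000000002c8,
+"\xa5\xda\x75\xef\xaf\x1d\x7f\xd5\x40\x94\x02\x67\x14\xf6\x36\x17",
+16);
+memcpy((void*)0x2000000002d8,
+"\x74\x70\x33\x74\xc5\x58\x85\x93\xb4\xd5\x75\x39\x9f\x79\x94\xa4",
+16);
+*(uint32_t*)0x2000000002e8 = 2;
+*(uint64_t*)0x2000000002f0 = 0x6e;
+*(uint64_t*)0x2000000002f8 = 0x400;
+syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0xc4e01a02ul,
+/*arg=*/0x200000000240ul);
+return 0;
+}
+EOF
+mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
+
+timeout 3m /tmp/$prog > /dev/null 2>&1
+
+rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
+exit 0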
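--- /dev/null
+++ b/syzkaller92.sh
@@ -0,0 +1,265 @@
+#!/bin/sh
+
+# Kernel page fault with the following non-sleepable locks held:
+# exclusive sleep mutex CAM device lock (CAM device lock) r = 0 (0xfffff8000365ecd0) locked @ cam/scsi/scsi_pass.c:1973
+# stack backtrace:
+# #0 0xffffffff80c4787c at witness_debugger+0x6c
+# #1 0xffffffff80c49189 at witness_warn+0x4c9
+# #2 0xffffffff81131d8c at trap_pfault+0x8c
+# #3 0xffffffff811015a8 at calltrap+0x8
+# #4 0xffffffff803d8e3e at passdoioctl+0x9be
+# #5 0xffffffff803d8102 at passioctl+0x22
+# #6 0xffffffff80a413b1 at devfs_ioctl+0xd1
+# #7 0xffffffff81204821 at VOP_IOCTL_APV+0x51
+# #8 0xffffffff80cf0890 at vn_ioctl+0x160
+# #9 0xffffffff80a41a7e at devfs_ioctl_f+0x1e
+# #10 0xffffffff80c4e3c1 at kern_ioctl+0x2a1
+# #11 0xffffffff80c4e0bf at sys_ioctl+0x12f
+# #12 0xffffffff811327d9 at amd64_syscall+0x169
+# #13 0xffffffff81101e9b at fast_syscall_common+0xf8
+#
+#
+# Fatal trap 12: page fault while in kernel mode
+# cpuid = 11; apic id = 0b
+# fault virtual address = 0x50
+# fault code = supervisor read data, page not present
+# instruction pointer = 0x20:0xffffffff803a1e9c
+# stack pointer = 0x28:0xfffffe01000d5af0
+# frame pointer = 0x28:0xfffffe01000d5b30
+# code segment = base 0x0, limit 0xfffff, type 0x1b
+# = DPL 0, pres 1, long 1, def32 0, gran 1
+# processor eflags = interrupt enabled, resume, IOPL = 0
+# current process = 4511 (syzkaller92)
+# rdi: fffff8016ace27b8 rsi: fffff8016ace2f60 rdx: 0000000000000010
+# rcx: 0000000000000010 r8: fffff8000602ad80 r9: ffffffff8226dee8
+# rax: 0000000000000010 rbx: fffff8016ace27b8 rbp: fffffe01000d5b30
+# r10: fffff8016ace27b8 r11: fffff80066e42cd0 r12: fffff8016ace27b8
+# r13: 0000000000000016 r14: fffff80003676200 r15: 0000000000000000
+# trap number = 12
+# panic: page fault
+# cpuid = 11
+# time = 1773833440
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01000d5820
+# vpanic() at vpanic+0x136/frame 0xfffffe01000d5950
+# panic() at panic+0x43/frame 0xfffffe01000d59b0
+# trap_pfault() at trap_pfault+0x422/frame 0xfffffe01000d5a20
+# calltrap() at calltrap+0x8/frame 0xfffffe01000d5a20
+# --- trap 0xc, rip = 0xffffffff803a1e9c, rsp = 0xfffffe01000d5af0, rbp = 0xfffffe01000d5b30 ---
+# xpt_action_default() at xpt_action_default+0x80c/frame 0xfffffe01000d5b30
+# passdoioctl() at passdoioctl+0x9be/frame 0xfffffe01000d5b80
+# passioctl() at passioctl+0x22/frame 0xfffffe01000d5bc0
+# devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe01000d5c10
+# VOP_IOCTL_APV() at VOP_IOCTL_APV+0x51/frame 0xfffffe01000d5c40
+# vn_ioctl() at vn_ioctl+0x160/frame 0xfffffe01000d5cb0
+# devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe01000d5cd0
+# kern_ioctl() at kern_ioctl+0x2a1/frame 0xfffffe01000d5d40
+# sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe01000d5e00
+# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe01000d5f30
+# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01000d5f30
+# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x824057eca, rsp = 0x820f14468, rbp = 0x820f14490 ---
+# KDB: enter: panic
+# [ thread pid 4511 tid 100357 ]
+# Stopped at kdb_enter+0x33: movq $0,0x15e9d32(%rip)
+# db> x/s version
+# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
+# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
+# db> reset
+
+# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
+# [Bug 293892] Fatal trap NUM: page fault while in kernel mode in passsendccb
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+#ifndef SYS_aio_readv
+#define SYS_aio_readv 579
+#endif
+
+uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
+
+int main(void)
+{
+syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
+/*fd=*/(intptr_t)-1, /*offset=*/0ul);
+const char* reason;
+(void)reason;
+intptr_t res = 0;
+if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+}
+// rfork arguments: [
+// flags: rfork_flags = 0x14014 (8 bytes)
+// ]
+syscall(SYS_rfork, /*flags=RFLINUXTHPN|RFSIGSHARE|RFFDG|RFPROC*/ 0x14014ul);
+// freebsd11_fhstatfs arguments: [
+// fhp: nil
+// buf: nil
+// ]
+syscall(SYS_freebsd11_fhstatfs, /*fhp=*/0ul, /*buf=*/0ul);
+// socket\$inet_tcp arguments: [
+// domain: const = 0x2 (8 bytes)
+// type: const = 0x1 (8 bytes)
+// proto: const = 0x0 (1 bytes)
+// ]
+// returns sock_tcp
+syscall(SYS_socket, /*domain=*/2ul, /*type=*/1ul, /*proto=*/0);
+// openat\$bpf arguments: [
+// fd: const = 0xffffffffffffff9c (8 bytes)
+// file: ptr[in, buffer] {
+// buffer: {2f 64 65 76 2f 62 70 66 00} (length 0x9)
+// }
+// flags: open_flags = 0x8408 (4 bytes)
+// mode: const = 0x0 (4 bytes)
+// ]
+// returns fd_bpf
+memcpy((void*)0x200000000980, "/dev/bpf\000", 9);
+res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
+/*file=*/0x200000000980ul,
+/*flags=O_TRUNC|O_NOCTTY|O_APPEND*/ 0x8408, /*mode=*/0);
+if (res != -1)
+r[0] = res;
+// aio_readv arguments: [
+// iocb: ptr[in, aiocb] {
+// aiocb {
+// aio_fildes: fd (resource)
+// pad = 0x0 (4 bytes)
+// aio_offset: int64 = 0x81 (8 bytes)
+// aio_buf: ptr[in, buffer] {
+// buffer: {fa} (length 0x1)
+// }
+// aio_nbytes: len = 0x1 (8 bytes)
+// spare: array[int32] {
+// int32 = 0xffff (4 bytes)
+// int32 = 0x7 (4 bytes)
+// }
+// spare2: intptr = 0x1 (8 bytes)
+// aio_lio_opcode: lio_opcodes = 0x18 (4 bytes)
+// aio_reqprio: int32 = 0x1ff (4 bytes)
+// aiocb_private: aiocb_private {
+// status: intptr = 0x37 (8 bytes)
+// error: intptr = 0x24 (8 bytes)
+// kernelinfo: nil
+// }
+// aio_sigevent: sigevent {
+// notify: sigev_notify = 0x0 (4 bytes)
+// signo: int32 = 0x13 (4 bytes)
+// val: union sigval {
+// sigval_int: int32 = 0x6 (4 bytes)
+// }
+// u: union sigevent_u {
+// ke_flags: evflags = 0x8000 (2 bytes)
+// }
+// }
+// }
+// }
+// ]
+*(uint32_t*)0x200000000040 = r[0];
+*(uint64_t*)0x200000000048 = 0x81;
+*(uint64_t*)0x200000000050 = 0x200000000000;
+memset((void*)0x200000000000, 250, 1);
+*(uint64_t*)0x200000000058 = 1;
+*(uint32_t*)0x200000000060 = 0xffff;
+*(uint32_t*)0x200000000064 = 7;
+*(uint64_t*)0x200000000068 = 1;
+*(uint32_t*)0x200000000070 = 0x18;
+*(uint32_t*)0x200000000074 = 0x1ff;
+*(uint64_t*)0x200000000078 = 0x37;
+*(uint64_t*)0x200000000080 = 0x24;
+*(uint64_t*)0x200000000088 = 0;
+*(uint32_t*)0x200000000090 = 0;
+*(uint32_t*)0x200000000094 = 0x13;
+*(uint32_t*)0x200000000098 = 6;
+*(uint16_t*)0x2000000000a0 = 0x8000;
+syscall(SYS_aio_readv, /*iocb=*/0x200000000040ul);
+// openat\$bpf arguments: [
+// fd: const = 0xffffffffffffff9c (8 bytes)
+// file: ptr[in, buffer] {
+// buffer: {2f 64 65 76 2f 62 70 66 00} (length 0x9)
+// }
+// flags: open_flags = 0x800 (4 bytes)
+// mode: const = 0x0 (4 bytes)
+// ]
+// returns fd_bpf
+memcpy((void*)0x200000000040, "/dev/bpf\000", 9);
+syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000040ul,
+/*flags=O_EXCL*/ 0x800, /*mode=*/0);
+// sigaction arguments: [
+// signo: int32 = 0x6b (4 bytes)
+// act: ptr[in, sigaction] {
+// sigaction {
+// sigaction_u: nil
+// sa_flags: sigaction_flags = 0x0 (4 bytes)
+// sa_mask: sigset {
+// mask: array[int32] {
+// int32 = 0x4 (4 bytes)
+// int32 = 0x10 (4 bytes)
+// int32 = 0x492d (4 bytes)
+// int32 = 0x3 (4 bytes)
+// }
+// }
+// pad = 0x0 (4 bytes)
+// }
+// }
+// oact: nil
+// ]
+*(uint64_t*)0x200000000040 = 0;
+*(uint32_t*)0x200000000048 = 0;
+*(uint32_t*)0x20000000004c = 4;
+*(uint32_t*)0x200000000050 = 0x10;
+*(uint32_t*)0x200000000054 = 0x492d;
+*(uint32_t*)0x200000000058 = 3;
+syscall(SYS_sigaction, /*signo=*/0x6b, /*act=*/0x200000000040ul,
+/*oact=*/0ul);
+// openat\$pass_pass_cdevsw arguments: [
+// fd: const = 0xffffffffffffff9c (8 bytes)
+// file: ptr[in, buffer] {
+// buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
+// }
+// flags: open_flags = 0x2 (4 bytes)
+// mode: const = 0x0 (4 bytes)
+// ]
+// returns fd_pass_pass_cdevsw
+memcpy((void*)0x200000000100, "/dev/pass0\000", 11);
+res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
+/*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
+if (res != -1)
+r[1] = res;
+// ioctl\$CAMIOQUEUE_pass_cdevsw arguments: [
+// fd: fd_pass_pass_cdevsw (resource)
+// cmd: const = 0x20001a04 (8 bytes)
+// arg: ptr[in, ptr[in, ccb\$pass_cdevsw]] {
+// nil
+// }
+// ]
+*(uint64_t*)0x200000000000 = 0;
+syscall(SYS_ioctl, /*fd=*/r[1], /*cmd=*/0x20001a04ul,
+/*arg=*/0x200000000000ul);
+return 0;
+}
+EOF
+mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
+
+timeout 3m /tmp/$prog > /dev/null 2>&1
+
+rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
+exit 0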
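--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-1.sh
@@ -0,0 +1,137 @@
+#!/bin/sh
+
+# (pass0:ahcich1:0:0:0): xpt_action_default: CCB type 0x380 0x380 not supported
+# panic: _free(0): addr 0xfffff802f7e5a7b8 slab 0xffffffffffffffff with unknown cookie 3
+# cpuid = 8
+# time = 1773835096
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00ffe5fc60
+# vpanic() at vpanic+0x136/frame 0xfffffe00ffe5fd90
+# panic() at panic+0x43/frame 0xfffffe00ffe5fdf0
+# free() at free+0x213/frame 0xfffffe00ffe5fe30
+# xpt_release_ccb() at xpt_release_ccb+0x50/frame 0xfffffe00ffe5fe60
+# xpt_done_process() at xpt_done_process+0x3e0/frame 0xfffffe00ffe5fea0
+# xpt_done_td() at xpt_done_td+0x145/frame 0xfffffe00ffe5fef0
+# fork_exit() at fork_exit+0x82/frame 0xfffffe00ffe5ff30
+# fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00ffe5ff30
+# --- trap 0, rip = 0, rsp = 0, rbp = 0 ---
+# KDB: enter: panic
+# [ thread pid 4 tid 100122 ]
+# Stopped at kdb_enter+0x33: movq $0,0x15e9d32(%rip)
+# db> x/s version
+# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
+# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
+# db>
+
+# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
+# [Bug 293893] panic: _free(NUM): address ADDR(ADDR) has not been allocated
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+int main(void)
+{
+syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
+/*fd=*/(intptr_t)-1, /*offset=*/0ul);
+const char* reason;
+(void)reason;
+intptr_t res = 0;
+if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+}
+// openat\$pass_pass_cdevsw arguments: [
+// fd: const = 0xffffffffffffff9c (8 bytes)
+// file: ptr[in, buffer] {
+// buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
+// }
+// flags: open_flags = 0x2 (4 bytes)
+// mode: const = 0x0 (4 bytes)
+// ]
+// returns fd_pass_pass_cdevsw
+memcpy((void*)0x200000000100, "/dev/pass0\000", 11);
+res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
+/*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
+if (res != -1)
+r[0] = res;
+// sendfile arguments: [
+// fd: fd (resource)
+// s: sock_in (resource)
+// offset: intptr = 0x4 (8 bytes)
+// nbytes: int64 = 0x4 (8 bytes)
+// hdtr: ptr[in, sf_hdtr] {
+// sf_hdtr {
+// headers: ptr[in, array[iovec_in]] {
+// array[iovec_in] {
+// iovec_in {
+// addr: nil
+// len: len = 0x0 (8 bytes)
+// }
+// iovec_in {
+// addr: ptr[in, buffer] {
+// buffer: {} (length 0x0)
+// }
+// len: len = 0x0 (8 bytes)
+// }
+// }
+// }
+// hdr_cnt: len = 0x2 (4 bytes)
+// pad = 0x0 (4 bytes)
+// trailers: nil
+// trl_cnt: len = 0x0 (4 bytes)
+// pad = 0x0 (4 bytes)
+// }
+// }
+// sbytes: nil
+// flags: sf_flags = 0x1 (8 bytes)
+// ]
+*(uint64_t*)0x200000001ac0 = 0x200000000280;
+*(uint64_t*)0x200000000280 = 0;
+*(uint64_t*)0x200000000288 = 0;
+*(uint64_t*)0x200000000290 = 0x200000000380;
+*(uint64_t*)0x200000000298 = 0;
+*(uint32_t*)0x200000001ac8 = 2;
+*(uint64_t*)0x200000001ad0 = 0;
+*(uint32_t*)0x200000001ad8 = 0;
+syscall(SYS_sendfile, /*fd=*/(intptr_t)-1, /*s=*/(intptr_t)-1, /*offset=*/4ul,
+/*nbytes=*/4ul, /*hdtr=*/0x200000001ac0ul, /*sbytes=*/0ul,
+/*flags=SF_NODISKIO*/ 1ul);
+// ioctl\$CAMIOQUEUE_pass_cdevsw arguments: [
+// fd: fd_pass_pass_cdevsw (resource)
+// cmd: const = 0x20001a04 (8 bytes)
+// arg: ptr[in, ptr[in, ccb\$pass_cdevsw]] {
+// nil
+// }
+// ]
+*(uint64_t*)0x200000000240 = 0;
+syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0x20001a04ul,
+/*arg=*/0x200000000240ul);
+return 0;
+}
+EOF
+mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
+
+timeout 3m /tmp/$prog > /dev/null 2>&1
+
+rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
+exit 0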
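Review bot: The script writes its C source to the fixed, predictable path `/tmp/$prog.c`, compiles it to `/tmp/$prog` and runs that binary as root (the `id -u` guard requires root), and `cat >` follows a pre-existing file or symlink of that name in the world-writable /tmp, so the path should come from `mktemp -d` and be removed by an EXIT trap rather than by the trailing `rm -rf`. The two following file sections use the same prologue and epilogue line for line and would take the same change. Where `/tmp/$prog.core` actually lands depends on the core-file policy of the test host, which this page does not show, so that cleanup may still be needed alongside the trap.
```sh
tmpdir=$(mktemp -d) || exit 1
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/$prog.c" <<EOF
# … unchanged: syzkaller-generated C program …
EOF
mycc -o "$tmpdir/$prog" -Wall -Wextra -O0 "$tmpdir/$prog.c" || exit 1

timeout 3m "$tmpdir/$prog" > /dev/null 2>&1

exit 0
```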
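--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-2.sh
@@ -0,0 +1,185 @@
+#!/bin/sh
+
+# panic: ata_action: ccb 0xfffff80347e777b8, func_code 0x1 should not be allocated from UMA zone
+# cpuid = 1
+# time = 1773837671
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0100044980
+# vpanic() at vpanic+0x136/frame 0xfffffe0100044ab0
+# panic() at panic+0x43/frame 0xfffffe0100044b10
+# ata_action() at ata_action+0x3bd/frame 0xfffffe0100044b30
+# passdoioctl() at passdoioctl+0x9be/frame 0xfffffe0100044b80
+# passioctl() at passioctl+0x22/frame 0xfffffe0100044bc0
+# devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe0100044c10
+# VOP_IOCTL_APV() at VOP_IOCTL_APV+0x51/frame 0xfffffe0100044c40
+# vn_ioctl() at vn_ioctl+0x160/frame 0xfffffe0100044cb0
+# devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe0100044cd0
+# kern_ioctl() at kern_ioctl+0x2a1/frame 0xfffffe0100044d40
+# sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe0100044e00
+# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe0100044f30
+# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0100044f30
+# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x823bc5eca, rsp = 0x820d83df8, rbp = 0x820d83e20 ---
+# KDB: enter: panic
+# [ thread pid 4628 tid 100215 ]
+# Stopped at kdb_enter+0x33: movq $0,0x15e9d32(%rip)
+# db> x/s version
+# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
+# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
+# db>
+
+# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
+# Bug 293895 - panic: ata_action: ccb ADDR, func_code XXX should not be allocated from UMA zone
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+int main(void)
+{
+syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
+/*fd=*/(intptr_t)-1, /*offset=*/0ul);
+const char* reason;
+(void)reason;
+intptr_t res = 0;
+if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+}
+// sigaction arguments: [
+// signo: int32 = 0x68 (4 bytes)
+// act: ptr[in, sigaction] {
+// sigaction {
+// sigaction_u: nil
+// sa_flags: sigaction_flags = 0x2 (4 bytes)
+// sa_mask: sigset {
+// mask: array[int32] {
+// int32 = 0xe4 (4 bytes)
+// int32 = 0x1 (4 bytes)
+// int32 = 0x4000a (4 bytes)
+// int32 = 0xe (4 bytes)
+// }
+// }
+// pad = 0x0 (4 bytes)
+// }
+// }
+// oact: nil
+// ]
+*(uint64_t*)0x200000000040 = 0;
+*(uint32_t*)0x200000000048 = 2;
+*(uint32_t*)0x20000000004c = 0xe4;
+*(uint32_t*)0x200000000050 = 1;
+*(uint32_t*)0x200000000054 = 0x4000a;
+*(uint32_t*)0x200000000058 = 0xe;
+syscall(SYS_sigaction, /*signo=*/0x68, /*act=*/0x200000000040ul,
+/*oact=*/0ul);
+// mount\$nfs_newnfs_vnodeops_nosig arguments: [
+// fstype: ptr[in, buffer] {
+// buffer: {6e 66 73 00} (length 0x4)
+// }
+// dir: ptr[in, buffer] {
+// buffer: {2e 2f 66 69 6c 65 30 00} (length 0x8)
+// }
+// mnt_flags: mount_flags = 0x0 (4 bytes)
+// data: ptr[in, nfs_args\$newnfs_vnodeops_nosig] {
+// nfs_args\$newnfs_vnodeops_nosig {
+// version: const = 0x3 (4 bytes)
+// pad = 0x0 (4 bytes)
+// addr: nil
+// addrlen: len = 0x0 (4 bytes)
+// sotype: sock_type_newnfs_vnodeops_nosig = 0x2 (4 bytes)
+// proto: int32 = 0x4010003 (4 bytes)
+// pad = 0x0 (4 bytes)
+// fh: nil
+// fhsize: len = 0x0 (4 bytes)
+// nfs_flags: nfs_mount_flags_newnfs_vnodeops_nosig = 0x8cc006 (4
+// bytes) wsize: int32 = 0x7fff (4 bytes) rsize: int32 = 0xaf8 (4
+// bytes) readdirsize: int32 = 0x9 (4 bytes) timeo: int32 = 0x3 (4
+// bytes) retrans: int32 = 0x800 (4 bytes) maxgrouplist: int32 = 0x9 (4
+// bytes) readahead: int32 = 0x1 (4 bytes) wcommitsize: int32 = 0x7 (4
+// bytes) deadthresh: int32 = 0x1 (4 bytes) pad = 0x0 (4 bytes)
+// hostname: nil
+// acregmin: int32 = 0x204 (4 bytes)
+// acregmax: int32 = 0x0 (4 bytes)
+// acdirmin: int32 = 0xfffffff6 (4 bytes)
+// acdirmax: int32 = 0x3 (4 bytes)
+// }
+// }
+// ]
+memcpy((void*)0x200000000040, "nfs\000", 4);
+memcpy((void*)0x200000000080, "./file0\000", 8);
+*(uint32_t*)0x200000000200 = 3;
+*(uint64_t*)0x200000000208 = 0;
+*(uint32_t*)0x200000000210 = 0;
+*(uint32_t*)0x200000000214 = 2;
+*(uint32_t*)0x200000000218 = 0x4010003;
+*(uint64_t*)0x200000000220 = 0;
+*(uint32_t*)0x200000000228 = 0;
+*(uint32_t*)0x20000000022c = 0x8cc006;
+*(uint32_t*)0x200000000230 = 0x7fff;
+*(uint32_t*)0x200000000234 = 0xaf8;
+*(uint32_t*)0x200000000238 = 9;
+*(uint32_t*)0x20000000023c = 3;
+*(uint32_t*)0x200000000240 = 0x800;
+*(uint32_t*)0x200000000244 = 9;
+*(uint32_t*)0x200000000248 = 1;
+*(uint32_t*)0x20000000024c = 7;
+*(uint32_t*)0x200000000250 = 1;
+*(uint64_t*)0x200000000258 = 0;
+*(uint32_t*)0x200000000260 = 0x204;
+*(uint32_t*)0x200000000264 = 0;
+*(uint32_t*)0x200000000268 = 0xfffffff6;
+*(uint32_t*)0x20000000026c = 3;
+syscall(SYS_mount, /*fstype=*/0x200000000040ul, /*dir=*/0x200000000080ul,
+/*mnt_flags=*/0, /*data=*/0x200000000200ul);
+// openat\$pass_pass_cdevsw arguments: [
+// fd: const = 0xffffffffffffff9c (8 bytes)
+// file: ptr[in, buffer] {
+// buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
+// }
+// flags: open_flags = 0x2 (4 bytes)
+// mode: const = 0x0 (4 bytes)
+// ]
+// returns fd_pass_pass_cdevsw
+memcpy((void*)0x200000000100, "/dev/pass0\000", 11);
+res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
+/*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
+if (res != -1)
+r[0] = res;
+// ioctl\$CAMIOQUEUE_pass_cdevsw arguments: [
+// fd: fd_pass_pass_cdevsw (resource)
+// cmd: const = 0x20001a04 (8 bytes)
+// arg: ptr[in, ptr[in, ccb\$pass_cdevsw]] {
+// nil
+// }
+// ]
+*(uint64_t*)0x200000000000 = 0;
+syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0x20001a04ul,
+/*arg=*/0x200000000000ul);
+return 0;
+}
+EOF
+mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
+
+timeout 3m /tmp/$prog > /dev/null 2>&1
+
+rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
+exit 0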
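Review bot: The here-document at `cat > /tmp/$prog.c <<EOF` has an unquoted delimiter, so every `$` in the pasted syzkaller output had to be hand-escaped (`// mount\$nfs_newnfs_vnodeops_nosig`, `nfs_args\$newnfs_vnodeops_nosig`, `ccb\$pass_cdevsw`), and any one that is missed would be expanded by the shell or abort the script under `set -u`; since the C body references no shell variable and contains no backticks, `cat > /tmp/$prog.c <<'EOF'` would let the generated program be pasted verbatim. The same applies to the previous and the next file section. Separately, `set -u` is only enabled after `. ../default.cfg` has been sourced, so an unset variable inside the config is not caught; if that ordering is deliberate, a one-line comment saying so would help, otherwise move `set -u` above the source line.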
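--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-3.sh
@@ -0,0 +1,453 @@
+#!/bin/sh
+
+# Kernel page fault with the following non-sleepable locks held:
+# exclusive sleep mutex CAM device lock (CAM device lock) r = 0 (0xfffff80006bd2cd0) locked @ cam/scsi/scsi_pass.c:1766
+# stack backtrace:
+# #0 0xffffffff80c4787c at witness_debugger+0x6c
+# #1 0xffffffff80c49189 at witness_warn+0x4c9
+# #2 0xffffffff81131d8c at trap_pfault+0x8c
+# #3 0xffffffff811015a8 at calltrap+0x8
+# #4 0xffffffff803d9061 at passsendccb+0x61
+# #5 0xffffffff803d8821 at passdoioctl+0x3a1
+# #6 0xffffffff803d8102 at passioctl+0x22
+# #7 0xffffffff80a413b1 at devfs_ioctl+0xd1
+# #8 0xffffffff81204821 at VOP_IOCTL_APV+0x51
+# #9 0xffffffff80cf0890 at vn_ioctl+0x160
+# #10 0xffffffff80a41a7e at devfs_ioctl_f+0x1e
+# #11 0xffffffff80c4e3c1 at kern_ioctl+0x2a1
+# #12 0xffffffff80c4e0bf at sys_ioctl+0x12f
+# #13 0xffffffff811327d9 at amd64_syscall+0x169
+# #14 0xffffffff81101e9b at fast_syscall_common+0xf8
+#
+#
+# Fatal trap 12: page fault while in kernel mode
+# cpuid = 4; apic id = 04
+# fault virtual address = 0x800000006
+# fault code = supervisor read data, page not present
+# instruction pointer = 0x20:0xffffffff8112edf5
+# frame pointer = 0x28:0xfffffe010003fab0
+# code segment = base 0x0, limit 0xfffff, type 0x1b
+# = DPL 0, pres 1, long 1, def32 0, gran 1
+# processor eflags = interrupt enabled, resume, IOPL = 0
+# current process = 5440 (syzkaller95)
+# rdi: fffffe010003fac0 rsi: 0000000800000006 rdx: 0000000000000002
+# rcx: 0000000000000002 r8: 0000000800000006 r9: 06eb28196e3b02c0
+# rax: 0000000000000000 rbx: fffff80003e97800 rbp: fffffe010003fab0
+# r10: fffff80003e978c8 r11: fffff800048e5550 r12: fffffe010003fac0
+# r13: fffff80006350d80 r14: fffff80306280800 r15: fffff80006bd6100
+# trap number = 12
+# panic: page fault
+# cpuid = 4
+# time = 1773848380
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe010003f7e0
+# vpanic() at vpanic+0x136/frame 0xfffffe010003f910
+# panic() at panic+0x43/frame 0xfffffe010003f970
+# trap_pfault() at trap_pfault+0x422/frame 0xfffffe010003f9e0
+# calltrap() at calltrap+0x8/frame 0xfffffe010003f9e0
+# --- trap 0xc, rip = 0xffffffff8112edf5, rsp = 0xfffffe010003fab0, rbp = 0xfffffe010003fab0 ---
+# copyin_nosmap_erms() at copyin_nosmap_erms+0x115/frame 0xfffffe010003fab0
+# passsendccb() at passsendccb+0x61/frame 0xfffffe010003fb30
+# passdoioctl() at passdoioctl+0x3a1/frame 0xfffffe010003fb80
+# passioctl() at passioctl+0x22/frame 0xfffffe010003fbc0
+# devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe010003fc10
+# VOP_IOCTL_APV() at VOP_IOCTL_APV+0x51/frame 0xfffffe010003fc40
+# vn_ioctl() at vn_ioctl+0x160/frame 0xfffffe010003fcb0
+# devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe010003fcd0
+# kern_ioctl() at kern_ioctl+0x2a1/frame 0xfffffe010003fd40
+# sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe010003fe00
+# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe010003ff30
+# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe010003ff30
+# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x823c07eca, rsp = 0x8209c6ce8, rbp = 0x8209c6d10 ---
+# KDB: enter: panic
+# [ thread pid 5440 tid 100235 ]
+# Stopped at kdb_enter+0x33: movq $0,0x15e9d32(%rip)
+# db> x/s version
+# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
+# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
+# db>
+
+# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
+# Bug 293892 - Fatal trap NUM: page fault while in kernel mode in passsendccb
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+int main(void)
+{
+syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
+/*fd=*/(intptr_t)-1, /*offset=*/0ul);
+const char* reason;
+(void)reason;
+intptr_t res = 0;
+if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+}
+// ioctl\$MDIOCDETACH arguments: [
+// fd: fd_md (resource)
+// cmd: const = 0xc1c06d01 (8 bytes)
+// arg: ptr[inout, md_ioctl] {
+// md_ioctl {
+// md_version: int32 = 0xe (4 bytes)
+// md_unit: int32 = 0x3 (4 bytes)
+// md_type: md_types_flags = 0x0 (4 bytes)
+// pad = 0x0 (4 bytes)
+// md_file: nil
+// md_mediasize: int64 = 0x81 (8 bytes)
+// md_sectorsize: int32 = 0x4 (4 bytes)
+// md_options: int32 = 0x5 (4 bytes)
+// md_base: int64 = 0x6 (8 bytes)
+// md_fwheads: int32 = 0x4 (4 bytes)
+// md_fwsectors: int32 = 0x1 (4 bytes)
+// md_label: nil
+// md_pad: array[int32] {
+// int32 = 0x8 (4 bytes)
+// int32 = 0x5 (4 bytes)
+// int32 = 0x6 (4 bytes)
+// int32 = 0xc3b (4 bytes)
+// int32 = 0x2 (4 bytes)
+// int32 = 0x4 (4 bytes)
+// int32 = 0xa (4 bytes)
+// int32 = 0xfffffffe (4 bytes)
+// int32 = 0x2 (4 bytes)
+// int32 = 0x80 (4 bytes)
+// int32 = 0xd22 (4 bytes)
+// int32 = 0xa1a5 (4 bytes)
+// int32 = 0x0 (4 bytes)
+// int32 = 0xfffffff8 (4 bytes)
+// int32 = 0x4 (4 bytes)
+// int32 = 0xffffffff (4 bytes)
+// int32 = 0x100 (4 bytes)
+// int32 = 0x4 (4 bytes)
+// int32 = 0x8 (4 bytes)
+// int32 = 0x5b8f6f5f (4 bytes)
+// int32 = 0x9 (4 bytes)
+// int32 = 0xfffffffb (4 bytes)
+// int32 = 0x2 (4 bytes)
+// int32 = 0x3 (4 bytes)
+// int32 = 0x6 (4 bytes)
+// int32 = 0x1 (4 bytes)
+// int32 = 0x800 (4 bytes)
+// int32 = 0x6b0000 (4 bytes)
+// int32 = 0x4 (4 bytes)
+// int32 = 0x4 (4 bytes)
+// int32 = 0x7ff (4 bytes)
+// int32 = 0x2 (4 bytes)
+// int32 = 0x7 (4 bytes)
+// int32 = 0x9 (4 bytes)
+// int32 = 0x9 (4 bytes)
+// int32 = 0x8000 (4 bytes)
+// int32 = 0x2 (4 bytes)
+// int32 = 0x5be (4 bytes)
+// int32 = 0xf0000000 (4 bytes)
+// int32 = 0x1db (4 bytes)
+// int32 = 0x3 (4 bytes)
+// int32 = 0x0 (4 bytes)
+// int32 = 0x8 (4 bytes)
+// int32 = 0x18000000 (4 bytes)
+// int32 = 0xfd6 (4 bytes)
+// int32 = 0x1 (4 bytes)
+// int32 = 0x8 (4 bytes)
+// int32 = 0x4 (4 bytes)
+// int32 = 0x0 (4 bytes)
+// int32 = 0x2 (4 bytes)
+// int32 = 0xe2 (4 bytes)
+// int32 = 0x0 (4 bytes)
+// int32 = 0x5 (4 bytes)
+// int32 = 0x1cd (4 bytes)
+// int32 = 0xcf58 (4 bytes)
+// int32 = 0x6 (4 bytes)
+// int32 = 0x2e7 (4 bytes)
+// int32 = 0x64d (4 bytes)
+// int32 = 0x2a4 (4 bytes)
+// int32 = 0x7 (4 bytes)
+// int32 = 0x6 (4 bytes)
+// int32 = 0x8 (4 bytes)
+// int32 = 0x9 (4 bytes)
+// int32 = 0x7 (4 bytes)
+// int32 = 0x6 (4 bytes)
+// int32 = 0x9 (4 bytes)
+// int32 = 0x2 (4 bytes)
+// int32 = 0xfffffff8 (4 bytes)
+// int32 = 0x5 (4 bytes)
+// int32 = 0xe53 (4 bytes)
+// int32 = 0x81 (4 bytes)
+// int32 = 0x3 (4 bytes)
+// int32 = 0x0 (4 bytes)
+// int32 = 0x80000001 (4 bytes)
+// int32 = 0x5 (4 bytes)
+// int32 = 0x54 (4 bytes)
+// int32 = 0x401 (4 bytes)
+// int32 = 0x9 (4 bytes)
+// int32 = 0x3 (4 bytes)
+// int32 = 0x4 (4 bytes)
+// int32 = 0x2 (4 bytes)
+// int32 = 0x1 (4 bytes)
+// int32 = 0x9 (4 bytes)
+// int32 = 0xed (4 bytes)
+// int32 = 0x1f (4 bytes)
+// int32 = 0x5 (4 bytes)
+// int32 = 0xd (4 bytes)
+// int32 = 0x8001 (4 bytes)
+// int32 = 0xfff (4 bytes)
+// int32 = 0x2 (4 bytes)
+// int32 = 0x7fffffff (4 bytes)
+// int32 = 0xd (4 bytes)
+// int32 = 0x1 (4 bytes)
+// int32 = 0x401 (4 bytes)
+// int32 = 0x4 (4 bytes)
+// int32 = 0xa043 (4 bytes)
+// }
+// }
+// }
+// ]
+*(uint32_t*)0x200000000300 = 0xe;
+*(uint32_t*)0x200000000304 = 3;
+*(uint32_t*)0x200000000308 = 0;
+*(uint64_t*)0x200000000310 = 0;
+*(uint64_t*)0x200000000318 = 0x81;
+*(uint32_t*)0x200000000320 = 4;
+*(uint32_t*)0x200000000324 = 5;
+*(uint64_t*)0x200000000328 = 6;
+*(uint32_t*)0x200000000330 = 4;
+*(uint32_t*)0x200000000334 = 1;
+*(uint64_t*)0x200000000338 = 0;
+*(uint32_t*)0x200000000340 = 8;
+*(uint32_t*)0x200000000344 = 5;
+*(uint32_t*)0x200000000348 = 6;
+*(uint32_t*)0x20000000034c = 0xc3b;
+*(uint32_t*)0x200000000350 = 2;
+*(uint32_t*)0x200000000354 = 4;
+*(uint32_t*)0x200000000358 = 0xa;
+*(uint32_t*)0x20000000035c = 0xfffffffe;
+*(uint32_t*)0x200000000360 = 2;
+*(uint32_t*)0x200000000364 = 0x80;
+*(uint32_t*)0x200000000368 = 0xd22;
+*(uint32_t*)0x20000000036c = 0xa1a5;
+*(uint32_t*)0x200000000370 = 0;
+*(uint32_t*)0x200000000374 = 0xfffffff8;
+*(uint32_t*)0x200000000378 = 4;
+*(uint32_t*)0x20000000037c = -1;
+*(uint32_t*)0x200000000380 = 0x100;
+*(uint32_t*)0x200000000384 = 4;
+*(uint32_t*)0x200000000388 = 8;
+*(uint32_t*)0x20000000038c = 0x5b8f6f5f;
+*(uint32_t*)0x200000000390 = 9;
+*(uint32_t*)0x200000000394 = 0xfffffffb;
+*(uint32_t*)0x200000000398 = 2;
+*(uint32_t*)0x20000000039c = 3;
+*(uint32_t*)0x2000000003a0 = 6;
+*(uint32_t*)0x2000000003a4 = 1;
+*(uint32_t*)0x2000000003a8 = 0x800;
+*(uint32_t*)0x2000000003ac = 0x6b0000;
+*(uint32_t*)0x2000000003b0 = 4;
+*(uint32_t*)0x2000000003b4 = 4;
+*(uint32_t*)0x2000000003b8 = 0x7ff;
+*(uint32_t*)0x2000000003bc = 2;
+*(uint32_t*)0x2000000003c0 = 7;
+*(uint32_t*)0x2000000003c4 = 9;
+*(uint32_t*)0x2000000003c8 = 9;
+*(uint32_t*)0x2000000003cc = 0x8000;
+*(uint32_t*)0x2000000003d0 = 2;
+*(uint32_t*)0x2000000003d4 = 0x5be;
+*(uint32_t*)0x2000000003d8 = 0xf0000000;
+*(uint32_t*)0x2000000003dc = 0x1db;
+*(uint32_t*)0x2000000003e0 = 3;
+*(uint32_t*)0x2000000003e4 = 0;
+*(uint32_t*)0x2000000003e8 = 8;
+*(uint32_t*)0x2000000003ec = 0x18000000;
+*(uint32_t*)0x2000000003f0 = 0xfd6;
+*(uint32_t*)0x2000000003f4 = 1;
+*(uint32_t*)0x2000000003f8 = 8;
+*(uint32_t*)0x2000000003fc = 4;
+*(uint32_t*)0x200000000400 = 0;
+*(uint32_t*)0x200000000404 = 2;
+*(uint32_t*)0x200000000408 = 0xe2;
+*(uint32_t*)0x20000000040c = 0;
+*(uint32_t*)0x200000000410 = 5;
+*(uint32_t*)0x200000000414 = 0x1cd;
+*(uint32_t*)0x200000000418 = 0xcf58;
+*(uint32_t*)0x20000000041c = 6;
+*(uint32_t*)0x200000000420 = 0x2e7;
+*(uint32_t*)0x200000000424 = 0x64d;
+*(uint32_t*)0x200000000428 = 0x2a4;
+*(uint32_t*)0x20000000042c = 7;
+*(uint32_t*)0x200000000430 = 6;
+*(uint32_t*)0x200000000434 = 8;
+*(uint32_t*)0x200000000438 = 9;
+*(uint32_t*)0x20000000043c = 7;
+*(uint32_t*)0x200000000440 = 6;
+*(uint32_t*)0x200000000444 = 9;
+*(uint32_t*)0x200000000448 = 2;
+*(uint32_t*)0x20000000044c = 0xfffffff8;
+*(uint32_t*)0x200000000450 = 5;
+*(uint32_t*)0x200000000454 = 0xe53;
+*(uint32_t*)0x200000000458 = 0x81;
+*(uint32_t*)0x20000000045c = 3;
+*(uint32_t*)0x200000000460 = 0;
+*(uint32_t*)0x200000000464 = 0x80000001;
+*(uint32_t*)0x200000000468 = 5;
+*(uint32_t*)0x20000000046c = 0x54;
+*(uint32_t*)0x200000000470 = 0x401;
+*(uint32_t*)0x200000000474 = 9;
+*(uint32_t*)0x200000000478 = 3;
+*(uint32_t*)0x20000000047c = 4;
+*(uint32_t*)0x200000000480 = 2;
+*(uint32_t*)0x200000000484 = 1;
+*(uint32_t*)0x200000000488 = 9;
+*(uint32_t*)0x20000000048c = 0xed;
+*(uint32_t*)0x200000000490 = 0x1f;
+*(uint32_t*)0x200000000494 = 5;
+*(uint32_t*)0x200000000498 = 0xd;
+*(uint32_t*)0x20000000049c = 0x8001;
+*(uint32_t*)0x2000000004a0 = 0xfff;
+*(uint32_t*)0x2000000004a4 = 2;
+*(uint32_t*)0x2000000004a8 = 0x7fffffff;
+*(uint32_t*)0x2000000004ac = 0xd;
+*(uint32_t*)0x2000000004b0 = 1;
+*(uint32_t*)0x2000000004b4 = 0x401;
+*(uint32_t*)0x2000000004b8 = 4;
+*(uint32_t*)0x2000000004bc = 0xa043;
+syscall(SYS_ioctl, /*fd=*/0xffffff9c, /*cmd=*/0xc1c06d01ul,
+/*arg=*/0x200000000300ul);
+// openat\$pass_pass_cdevsw arguments: [
+// fd: const = 0xffffffffffffff9c (8 bytes)
+// file: ptr[in, buffer] {
+// buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
+// }
+// flags: open_flags = 0x2 (4 bytes)
+// mode: const = 0x0 (4 bytes)
+// ]
+// returns fd_pass_pass_cdevsw
+memcpy((void*)0x200000000100, "/dev/pass0\000", 11);
+res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
+/*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
+if (res != -1)
+r[0] = res;
+// ioctl\$CAMIOCOMMAND_pass_cdevsw arguments: [
+// fd: fd_pass_pass_cdevsw (resource)
+// cmd: const = 0xc4e01a02 (8 bytes)
+// arg: ptr[inout, ccb\$pass_cdevsw] {
+// union ccb\$pass_cdevsw {
+// cqa: ccb_que_ais\$pass_cdevsw {
+// ccb_h: ccb_hdr\$pass_cdevsw {
+// pinfo: cam_pinfo\$pass_cdevsw {
+// priority: int32 = 0x2 (4 bytes)
+// generation: int32 = 0x1 (4 bytes)
+// index: int32 = 0x2000000 (4 bytes)
+// }
+// pad = 0x0 (4 bytes)
+// xpt_links: camq_entry\$pass_cdevsw {
+// links_next: intptr = 0xfec (8 bytes)
+// priority: int32 = 0xfffffffc (4 bytes)
+// pad = 0x0 (4 bytes)
+// }
+// sim_links: camq_entry\$pass_cdevsw {
+// links_next: intptr = 0x5 (8 bytes)
+// priority: int32 = 0x7 (4 bytes)
+// pad = 0x0 (4 bytes)
+// }
+// periph_links: camq_entry\$pass_cdevsw {
+// links_next: intptr = 0x80 (8 bytes)
+// priority: int32 = 0x2 (4 bytes)
+// pad = 0x0 (4 bytes)
+// }
+// retry_count: int16 = 0x1 (2 bytes)
+// alloc_flags: int16 = 0x6b4 (2 bytes)
+// pad = 0x0 (4 bytes)
+// cbfcnp: intptr = 0x0 (8 bytes)
+// func_code: int32 = 0x8 (4 bytes)
+// status: int32 = 0x4 (4 bytes)
+// path: intptr = 0xfffffffffffffffc (8 bytes)
+// path_id: int32 = 0x9 (4 bytes)
+// target_id: int32 = 0x8 (4 bytes)
+// target_lun: int64 = 0x7d44 (8 bytes)
+// flags: int32 = 0x1 (4 bytes)
+// xflags: int32 = 0xfffffff8 (4 bytes)
+// periph_priv: buffer: {69 32 82 68 e7 3f ef 85 2d 76 56 88 e5 d9
+// 10 17} (length 0x10) sim_priv: buffer: {19 45 5e bb 27 da 45 05
+// 43 c5 32 70 9e cb 83 a1} (length 0x10) qos: buffer: {f6 7d 0f 00
+// 10 00 00 00 00 32 e5 67 b7 bc 75 2d} (length 0x10) timeout:
+// int32 = 0x7 (4 bytes) pad = 0x0 (4 bytes) softtimeout: timeval {
+// sec: intptr = 0x5 (8 bytes)
+// usec: intptr = 0x4 (8 bytes)
+// }
+// }
+// payload: buffer: {f5 6a 42 5c 52 66 05 e3 50 a5 72 71 cd 88 ce 58
+// c0 02 3b 6e 19 28 eb 06 ee d4 11 85 f4 29 8a 46 09 8a 1d be bf 87
+// fb 73 a4 9e 3f 64 4f f0 18 b6 64 8f ab 32 a0 7b 8f 4a ba a5 02 ba
+// 96 f8 1d fc} (length 0x40)
+// }
+// }
+// }
+// ]
+*(uint32_t*)0x200000000240 = 2;
+*(uint32_t*)0x200000000244 = 1;
+*(uint32_t*)0x200000000248 = 0x2000000;
+*(uint64_t*)0x200000000250 = 0xfec;
+*(uint32_t*)0x200000000258 = 0xfffffffc;
+*(uint64_t*)0x200000000260 = 5;
+*(uint32_t*)0x200000000268 = 7;
+*(uint64_t*)0x200000000270 = 0x80;
+*(uint32_t*)0x200000000278 = 2;
+*(uint16_t*)0x200000000280 = 1;
+*(uint16_t*)0x200000000282 = 0x6b4;
+*(uint64_t*)0x200000000288 = 0;
+*(uint32_t*)0x200000000290 = 8;
+*(uint32_t*)0x200000000294 = 4;
+*(uint64_t*)0x200000000298 = 0xfffffffffffffffc;
+*(uint32_t*)0x2000000002a0 = 9;
+*(uint32_t*)0x2000000002a4 = 8;
+*(uint64_t*)0x2000000002a8 = 0x7d44;
+*(uint32_t*)0x2000000002b0 = 1;
+*(uint32_t*)0x2000000002b4 = 0xfffffff8;
+memcpy((void*)0x2000000002b8,
+"\x69\x32\x82\x68\xe7\x3f\xef\x85\x2d\x76\x56\x88\xe5\xd9\x10\x17",
+16);
+memcpy((void*)0x2000000002c8,
+"\x19\x45\x5e\xbb\x27\xda\x45\x05\x43\xc5\x32\x70\x9e\xcb\x83\xa1",
+16);
+memcpy((void*)0x2000000002d8,
+"\xf6\x7d\x0f\x00\x10\x00\x00\x00\x00\x32\xe5\x67\xb7\xbc\x75\x2d",
+16);
+*(uint32_t*)0x2000000002e8 = 7;
+*(uint64_t*)0x2000000002f0 = 5;
+*(uint64_t*)0x2000000002f8 = 4;
+memcpy((void*)0x200000000300,
+"\xf5\x6a\x42\x5c\x52\x66\x05\xe3\x50\xa5\x72\x71\xcd\x88\xce\x58\xc0"
+"\x02\x3b\x6e\x19\x28\xeb\x06\xee\xd4\x11\x85\xf4\x29\x8a\x46\x09\x8a"
+"\x1d\xbe\xbf\x87\xfb\x73\xa4\x9e\x3f\x64\x4f\xf0\x18\xb6\x64\x8f\xab"
+"\x32\xa0\x7b\x8f\x4a\xba\xa5\x02\xba\x96\xf8\x1d\xfc",
+64);
+syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0xc4e01a02ul,
+/*arg=*/0x200000000240ul);
+return 0;
+}
+EOF
+mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
+
+timeout 3m /tmp/$prog > /dev/null 2>&1
+
+rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
+exit 0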
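Review bot: The header is a verbatim 70-line witness and trap dump, but nowhere in this 453-line file is there a one-line statement of what the reproducer actually does, which the 96-entry `md_pad` initializer makes hard to recover by reading; I would add, directly above `cat > /tmp/$prog.c <<EOF`, `# ioctl(MDIOCDETACH) on a bogus fd, then CAMIOCOMMAND on /dev/pass0 with a user-built ccb; faults in passsendccb -> copyin_nosmap_erms per the trace above.` Every fact in that line is visible in the section (the `ioctl\$MDIOCDETACH` and `ioctl\$CAMIOCOMMAND_pass_cdevsw` argument dumps, `"/dev/pass0\000"`, and the `copyin_nosmap_erms()`/`passsendccb()` frames). On a minor style point, the root check `[ \`id -u \` -ne 0 ]` uses backticks with a stray trailing space and an unquoted substitution; `[ "$(id -u)" -ne 0 ] && echo "Must be root!" && exit 1` is the equivalent modern form and matches the `$(basename "$0" .sh)` idiom used two lines below it.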
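--- /dev/null
+++ b/PATH_NOT_SHOWN_bug293898
@@ -0,0 +1,162 @@
+#!/bin/sh
+
+# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
+# Bug 293898 - panic: AUX register unsupported
+
+# No problems seen.
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+int main(void)
+{
+syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
+/*fd=*/(intptr_t)-1, /*offset=*/0ul);
+const char* reason;
+(void)reason;
+intptr_t res = 0;
+if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+}
+// openat\$pass_pass_cdevsw arguments: [
+// fd: const = 0xffffffffffffff9c (8 bytes)
+// file: ptr[in, buffer] {
+// buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
+// }
+// flags: open_flags = 0x2 (4 bytes)
+// mode: const = 0x0 (4 bytes)
+// ]
+// returns fd_pass_pass_cdevsw
+memcpy((void*)0x200000000100, "/dev/pass0\000", 11);
+res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
+/*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
+if (res != -1)
+r[0] = res;
+// ioctl\$CAMIOCOMMAND_pass_cdevsw arguments: [
+// fd: fd_pass_pass_cdevsw (resource)
+// cmd: const = 0xc4e01a02 (8 bytes)
+// arg: ptr[inout, ccb\$pass_cdevsw] {
+// union ccb\$pass_cdevsw {
+// cqa: ccb_que_ais\$pass_cdevsw {
+// ccb_h: ccb_hdr\$pass_cdevsw {
+// pinfo: cam_pinfo\$pass_cdevsw {
+// priority: int32 = 0x0 (4 bytes)
+// generation: int32 = 0x3 (4 bytes)
+// index: int32 = 0x2000000 (4 bytes)
+// }
+// pad = 0x0 (4 bytes)
+// xpt_links: camq_entry\$pass_cdevsw {
+// links_next: intptr = 0xfea (8 bytes)
+// priority: int32 = 0xfffffffb (4 bytes)
+// pad = 0x0 (4 bytes)
+// }
+// sim_links: camq_entry\$pass_cdevsw {
+// links_next: intptr = 0x2 (8 bytes)
+// priority: int32 = 0x6 (4 bytes)
+// pad = 0x0 (4 bytes)
+// }
+// periph_links: camq_entry\$pass_cdevsw {
+// links_next: intptr = 0x83 (8 bytes)
+// priority: int32 = 0xd (4 bytes)
+// pad = 0x0 (4 bytes)
+// }
+// retry_count: int16 = 0x1 (2 bytes)
+// alloc_flags: int16 = 0x6b4 (2 bytes)
+// pad = 0x0 (4 bytes)
+// cbfcnp: intptr = 0x0 (8 bytes)
+// func_code: int32 = 0x918 (4 bytes)
+// status: int32 = 0x4 (4 bytes)
+// path: intptr = 0xfffffffffffffffc (8 bytes)
+// path_id: int32 = 0x9 (4 bytes)
+// target_id: int32 = 0x8 (4 bytes)
+// target_lun: int64 = 0x7d44 (8 bytes)
+// flags: int32 = 0x1 (4 bytes)
+// xflags: int32 = 0xfffffff8 (4 bytes)
+// periph_priv: buffer: {69 32 82 68 e7 3f ef 85 2d 76 56 88 e5 d9
+// 10 17} (length 0x10) sim_priv: buffer: {00 00 00 00 00 00 00 00
+// 00 00 00 00 00 00 80 00} (length 0x10) qos: buffer: {f6 7d 0f 00
+// 10 00 00 00 00 32 e5 67 b7 bc 75 2d} (length 0x10) timeout:
+// int32 = 0xffffffff (4 bytes) pad = 0x0 (4 bytes) softtimeout:
+// timeval {
+// sec: intptr = 0x5 (8 bytes)
+// usec: intptr = 0x4 (8 bytes)
+// }
+// }
+// payload: buffer: {f5 6a 42 5c 52 f4 74 e3 39 a5 05 00 00 00 ce 58
+// c0 19 28 cb 06 ee d4 11 85 f4 29 8a 46 09 8a 1d be bf 87 fb 73 a4
+// 9e 3f 64 4f f0 18 b6 64 8f ab 00 00 00 00 00 00 00 00 00 00 00 00
+// 00 00 00 00} (length 0x40)
+// }
+// }
+// }
+// ]
+*(uint32_t*)0x200000000000 = 0;
+*(uint32_t*)0x200000000004 = 3;
+*(uint32_t*)0x200000000008 = 0x2000000;
+*(uint64_t*)0x200000000010 = 0xfea;
+*(uint32_t*)0x200000000018 = 0xfffffffb;
+*(uint64_t*)0x200000000020 = 2;
+*(uint32_t*)0x200000000028 = 6;
+*(uint64_t*)0x200000000030 = 0x83;
+*(uint32_t*)0x200000000038 = 0xd;
+*(uint16_t*)0x200000000040 = 1;
+*(uint16_t*)0x200000000042 = 0x6b4;
+*(uint64_t*)0x200000000048 = 0;
+*(uint32_t*)0x200000000050 = 0x918;
+*(uint32_t*)0x200000000054 = 4;
+*(uint64_t*)0x200000000058 = 0xfffffffffffffffc;
+*(uint32_t*)0x200000000060 = 9;
+*(uint32_t*)0x200000000064 = 8;
+*(uint64_t*)0x200000000068 = 0x7d44;
+*(uint32_t*)0x200000000070 = 1;
+*(uint32_t*)0x200000000074 = 0xfffffff8;
+memcpy((void*)0x200000000078,
+"\x69\x32\x82\x68\xe7\x3f\xef\x85\x2d\x76\x56\x88\xe5\xd9\x10\x17",
+16);
+memcpy((void*)0x200000000088,
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00",
+16);
+memcpy((void*)0x200000000098,
+"\xf6\x7d\x0f\x00\x10\x00\x00\x00\x00\x32\xe5\x67\xb7\xbc\x75\x2d",
+16);
+*(uint32_t*)0x2000000000a8 = -1;
+*(uint64_t*)0x2000000000b0 = 5;
+*(uint64_t*)0x2000000000b8 = 4;
+memcpy((void*)0x2000000000c0,
+"\xf5\x6a\x42\x5c\x52\xf4\x74\xe3\x39\xa5\x05\x00\x00\x00\xce\x58\xc0"
+"\x19\x28\xcb\x06\xee\xd4\x11\x85\xf4\x29\x8a\x46\x09\x8a\x1d\xbe\xbf"
+"\x87\xfb\x73\xa4\x9e\x3f\x64\x4f\xf0\x18\xb6\x64\x8f\xab\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+64);
+syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0xc4e01a02ul,
+/*arg=*/0x200000000000ul);
+return 0;
+}
+EOF
+mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
+
+timeout 3m /tmp/$prog > /dev/null 2>&1
+
+rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
+exit 0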
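Review bot: The CAMIOCOMMAND ioctl is issued on `r[0]` even when the open of /dev/pass0 fails, because `r[0]` starts as 0xffffffffffffffff and `if (res != -1) r[0] = res;` leaves it untouched on failure; on a host without a CAM passthrough device the ioctl goes to fd -1, the reproducer returns 0 and the script still ends with `exit 0`, so nothing is exercised and nothing is reported. A guard before the heredoc, `[ -c /dev/pass0 ] || exit 0`, makes that skip explicit; the Bug 293899 script in this commit has the same shape for /dev/pass0 and the Bug 293900 script for /dev/netmap. The script also writes, compiles and executes, as root, files at the predictable paths `/tmp/$prog.c` and `/tmp/$prog`, a pattern shared by all four new scripts; if that is the established stress2 convention it can stay, otherwise a `mktemp -d` work directory avoids acting on a file or symlink that already sits at those names in /tmp.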
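--- /dev/null
+++ b/PATH_NOT_SHOWN_bug293899
@@ -0,0 +1,194 @@
+#!/bin/sh
+
+# panic: cam_periph_ccbwait: proceeding with incomplete ccb: ccb=0xfffff80006171800, func_code=0x3, status=0, index=-1
+# cpuid = 3
+# time = 1773850497
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01001de7e0
+# vpanic() at vpanic+0x136/frame 0xfffffe01001de910
+# panic() at panic+0x43/frame 0xfffffe01001de970
+# cam_periph_runccb() at cam_periph_runccb+0x2ec/frame 0xfffffe01001deac0
+# passsendccb() at passsendccb+0x160/frame 0xfffffe01001deb30
+# passdoioctl() at passdoioctl+0x3a1/frame 0xfffffe01001deb80
+# passioctl() at passioctl+0x22/frame 0xfffffe01001debc0
+# devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe01001dec10
+# VOP_IOCTL_APV() at VOP_IOCTL_APV+0x51/frame 0xfffffe01001dec40
+# vn_ioctl() at vn_ioctl+0x160/frame 0xfffffe01001decb0
+# devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe01001decd0
+# kern_ioctl() at kern_ioctl+0x2a1/frame 0xfffffe01001ded40
+# sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe01001dee00
+# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe01001def30
+# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01001def30
+# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x823b1eeca, rsp = 0x820adb1c8, rbp = 0x820adb1f0 ---
+# KDB: enter: panic
+# [ thread pid 4950 tid 100344 ]
+# Stopped at kdb_enter+0x33: movq $0,0x15e9d32(%rip)
+# db> x/s version
+# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
+# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
+# db>
+
+# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
+# Bug 293899 - panic: cam_periph_ccbwait: proceeding with incomplete ccb: ccb=ADDR, func_code=0x3, status=NUM, index=-NUM
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+int main(void)
+{
+syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
+/*fd=*/(intptr_t)-1, /*offset=*/0ul);
+const char* reason;
+(void)reason;
+intptr_t res = 0;
+if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+}
+// openat\$pass_pass_cdevsw arguments: [
+// fd: const = 0xffffffffffffff9c (8 bytes)
+// file: ptr[in, buffer] {
+// buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
+// }
+// flags: open_flags = 0x2 (4 bytes)
+// mode: const = 0x0 (4 bytes)
+// ]
+// returns fd_pass_pass_cdevsw
+memcpy((void*)0x200000000100, "/dev/pass0\000", 11);
+res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
+/*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
+if (res != -1)
+r[0] = res;
+// ioctl\$CAMIOCOMMAND_pass_cdevsw arguments: [
+// fd: fd_pass_pass_cdevsw (resource)
+// cmd: const = 0xc4e01a02 (8 bytes)
+// arg: ptr[inout, ccb\$pass_cdevsw] {
+// union ccb\$pass_cdevsw {
+// cqc: ccb_query_config\$pass_cdevsw {
+// ccb_h: ccb_hdr\$pass_cdevsw {
+// pinfo: cam_pinfo\$pass_cdevsw {
+// priority: int32 = 0x7 (4 bytes)
+// generation: int32 = 0x8 (4 bytes)
+// index: int32 = 0x4 (4 bytes)
+// }
+// pad = 0x0 (4 bytes)
+// xpt_links: camq_entry\$pass_cdevsw {
+// links_next: intptr = 0xfffffffffffffffe (8 bytes)
+// priority: int32 = 0xd (4 bytes)
+// pad = 0x0 (4 bytes)
+// }
+// sim_links: camq_entry\$pass_cdevsw {
+// links_next: intptr = 0x1000 (8 bytes)
+// priority: int32 = 0x7fff (4 bytes)
+// pad = 0x0 (4 bytes)
+// }
+// periph_links: camq_entry\$pass_cdevsw {
+// links_next: intptr = 0x100000001 (8 bytes)
+// priority: int32 = 0x3 (4 bytes)
+// pad = 0x0 (4 bytes)
+// }
+// retry_count: int16 = 0x8 (2 bytes)
+// alloc_flags: int16 = 0x84ce (2 bytes)
+// pad = 0x0 (4 bytes)
+// cbfcnp: intptr = 0xffffffff (8 bytes)
+// func_code: int32 = 0x3 (4 bytes)
+// status: int32 = 0x6 (4 bytes)
+// path: intptr = 0x8000000000000001 (8 bytes)
+// path_id: int32 = 0x3 (4 bytes)
+// target_id: int32 = 0x800 (4 bytes)
+// target_lun: int64 = 0x12 (8 bytes)
+// flags: int32 = 0x5 (4 bytes)
+// xflags: int32 = 0x8 (4 bytes)
+// periph_priv: buffer: {ff 00 fc 8b be 26 59 c1 e3 be e5 97 9a b9
+// a8 da} (length 0x10) sim_priv: buffer: {bc 62 8a da 83 8f 2b 49
+// f1 67 50 3f 43 71 98 c8} (length 0x10) qos: buffer: {5e 98 6e af
+// a2 b9 ac 4a 3a d1 ed 97 4e f6 f6 e2} (length 0x10) timeout:
+// int32 = 0x8 (4 bytes) pad = 0x0 (4 bytes) softtimeout: timeval {
+// sec: intptr = 0x4 (8 bytes)
+// usec: intptr = 0x1 (8 bytes)
+// }
+// }
+// payload: buffer: {ac f7 a5 7c b5 71 08 e5 db bd f4 df d0 16 4a 33
+// 68 b1 76 63 b8 c0 6b b7 31 4e 7d 97 28 be ee e6 5b 35 e8 8a cf a8
+// 49 62 11 9b 25 b5 fc 67 8f ef a1 44 b2 e5 a7 9b 5a 06 34 ae a0 56
+// fe 95 69 61 27 4a ba aa 92 e2 b9 ea 97 e6 1c cf 24 6b 8e 8f f7 b7
+// c8 3a cf b7 97 c8 32 12 f1 4d bc 0b 8b ef 30 11 62 5d f1 0f af c2
+// 67 76 65 be 11 2e 10 5f 65 70 58 e2 3b c2 91 99 3b 2e 00 00 00 00
+// 00 00} (length 0x80)
+// }
+// }
+// }
+// ]
+*(uint32_t*)0x200000000ec0 = 7;
+*(uint32_t*)0x200000000ec4 = 8;
+*(uint32_t*)0x200000000ec8 = 4;
+*(uint64_t*)0x200000000ed0 = 0xfffffffffffffffe;
+*(uint32_t*)0x200000000ed8 = 0xd;
+*(uint64_t*)0x200000000ee0 = 0x1000;
+*(uint32_t*)0x200000000ee8 = 0x7fff;
+*(uint64_t*)0x200000000ef0 = 0x100000001;
+*(uint32_t*)0x200000000ef8 = 3;
+*(uint16_t*)0x200000000f00 = 8;
+*(uint16_t*)0x200000000f02 = 0x84ce;
+*(uint64_t*)0x200000000f08 = 0xffffffff;
+*(uint32_t*)0x200000000f10 = 3;
+*(uint32_t*)0x200000000f14 = 6;
+*(uint64_t*)0x200000000f18 = 0x8000000000000001;
+*(uint32_t*)0x200000000f20 = 3;
+*(uint32_t*)0x200000000f24 = 0x800;
+*(uint64_t*)0x200000000f28 = 0x12;
+*(uint32_t*)0x200000000f30 = 5;
+*(uint32_t*)0x200000000f34 = 8;
+memcpy((void*)0x200000000f38,
+"\xff\x00\xfc\x8b\xbe\x26\x59\xc1\xe3\xbe\xe5\x97\x9a\xb9\xa8\xda",
+16);
+memcpy((void*)0x200000000f48,
+"\xbc\x62\x8a\xda\x83\x8f\x2b\x49\xf1\x67\x50\x3f\x43\x71\x98\xc8",
+16);
+memcpy((void*)0x200000000f58,
+"\x5e\x98\x6e\xaf\xa2\xb9\xac\x4a\x3a\xd1\xed\x97\x4e\xf6\xf6\xe2",
+16);
+*(uint32_t*)0x200000000f68 = 8;
+*(uint64_t*)0x200000000f70 = 4;
+*(uint64_t*)0x200000000f78 = 1;
+memcpy((void*)0x200000000f80,
+"\xac\xf7\xa5\x7c\xb5\x71\x08\xe5\xdb\xbd\xf4\xdf\xd0\x16\x4a\x33\x68"
+"\xb1\x76\x63\xb8\xc0\x6b\xb7\x31\x4e\x7d\x97\x28\xbe\xee\xe6\x5b\x35"
+"\xe8\x8a\xcf\xa8\x49\x62\x11\x9b\x25\xb5\xfc\x67\x8f\xef\xa1\x44\xb2"
+"\xe5\xa7\x9b\x5a\x06\x34\xae\xa0\x56\xfe\x95\x69\x61\x27\x4a\xba\xaa"
+"\x92\xe2\xb9\xea\x97\xe6\x1c\xcf\x24\x6b\x8e\x8f\xf7\xb7\xc8\x3a\xcf"
+"\xb7\x97\xc8\x32\x12\xf1\x4d\xbc\x0b\x8b\xef\x30\x11\x62\x5d\xf1\x0f"
+"\xaf\xc2\x67\x76\x65\xbe\x11\x2e\x10\x5f\x65\x70\x58\xe2\x3b\xc2\x91"
+"\x99\x3b\x2e\x00\x00\x00\x00\x00\x00",
+128);
+syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0xc4e01a02ul,
+/*arg=*/0x200000000ec0ul);
+return 0;
+}
+EOF
+mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
+
+timeout 3m /tmp/$prog > /dev/null 2>&1
+
+rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
+exit 0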
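Review bot: The root check `` [ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 `` uses backticks with a stray space inside the command; `[ "$(id -u)" -ne 0 ] && echo "Must be root!" && exit 1` is the usual form, and the other three new scripts carry the same line. The `timeout 3m /tmp/$prog > /dev/null 2>&1` line discards the reproducer's exit status and all of its output, so a 3-minute timeout or a crash of the reproducer itself looks the same as a clean run; if that is intended for a panic-hunting test, a one-line comment above it saying so would help, otherwise capture the status with `s=$?` and print it to stderr when it is non-zero.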
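--- /dev/null
+++ b/PATH_NOT_SHOWN_bug293900
@@ -0,0 +1,268 @@
+#!/bin/sh
+
+# 806.906239 [ 653] nm_os_extmem_delete freeing 1000000 bytes
+# panic: dst_m 0xfffffe00130fd920 is not wired
+# cpuid = 7
+# time = 1773855806
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe010022eb00
+# vpanic() at vpanic+0x136/frame 0xfffffe010022ec30
+# panic() at panic+0x43/frame 0xfffffe010022ec90
+# vm_fault_copy_entry() at vm_fault_copy_entry+0x54e/frame 0xfffffe010022ed60
+# vm_map_protect() at vm_map_protect+0x714/frame 0xfffffe010022edf0
+# sys_mprotect() at sys_mprotect+0x9f/frame 0xfffffe010022ee00
+# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe010022ef30
+# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe010022ef30
+# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x822fa9eca, rsp = 0x820c270e8, rbp = 0x820c27110 ---
+# KDB: enter: panic
+# [ thread pid 4510 tid 100369 ]
+# Stopped at kdb_enter+0x33: movq $0,0x15e9d32(%rip)
+# db> x/s version
+# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
+# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
+# db>
+
+# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
+# Bug 293900 - panic: dst_m ADDR is not wired
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+int main(void)
+{
+syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
+/*fd=*/(intptr_t)-1, /*offset=*/0ul);
+const char* reason;
+(void)reason;
+intptr_t res = 0;
+if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+}
+// mlock arguments: [
+// addr: VMA[0x1000]
+// size: len = 0x1000 (8 bytes)
+// ]
+syscall(SYS_mlock, /*addr=*/0x200000ffc000ul, /*size=*/0x1000ul);
+// munlock arguments: [
+// addr: VMA[0x4000]
+// size: len = 0x4000 (8 bytes)
+// ]
+syscall(SYS_munlock, /*addr=*/0x200000ff9000ul, /*size=*/0x4000ul);
+// fork arguments: [
+// ]
+// returns pid
+syscall(SYS_fork);
+// mkdir arguments: [
+// path: ptr[in, buffer] {
+// buffer: {2e 2f 66 69 6c 65 30 00} (length 0x8)
+// }
+// mode: open_mode = 0x109 (8 bytes)
+// ]
+memcpy((void*)0x200000000300, "./file0\000", 8);
+syscall(SYS_mkdir, /*path=*/0x200000000300ul,
+/*mode=S_IXOTH|S_IXGRP|S_IRUSR*/ 0x109ul);
+// mprotect arguments: [
+// addr: VMA[0x4000]
+// len: len = 0x4000 (8 bytes)
+// prot: mmap_prot = 0x4 (8 bytes)
+// ]
+syscall(SYS_mprotect, /*addr=*/0x200000ffc000ul, /*len=*/0x4000ul,
+/*prot=PROT_EXEC*/ 4ul);
+// mlock arguments: [
+// addr: VMA[0x4000]
+// size: len = 0x4000 (8 bytes)
+// ]
+syscall(SYS_mlock, /*addr=*/0x200000ffb000ul, /*size=*/0x4000ul);
+// mount\$nfs_newnfs_vnodeops_nosig arguments: [
+// fstype: nil
+// dir: nil
+// mnt_flags: mount_flags = 0x58000000 (4 bytes)
+// data: ptr[in, nfs_args\$newnfs_vnodeops_nosig] {
+// nfs_args\$newnfs_vnodeops_nosig {
+// version: const = 0x3 (4 bytes)
+// pad = 0x0 (4 bytes)
+// addr: nil
+// addrlen: len = 0x0 (4 bytes)
+// sotype: sock_type_newnfs_vnodeops_nosig = 0x4 (4 bytes)
+// proto: int32 = 0xb (4 bytes)
+// pad = 0x0 (4 bytes)
+// fh: nil
+// fhsize: len = 0x0 (4 bytes)
+// nfs_flags: nfs_mount_flags_newnfs_vnodeops_nosig = 0x8 (4 bytes)
+// wsize: int32 = 0x5 (4 bytes)
+// rsize: int32 = 0x6 (4 bytes)
+// readdirsize: int32 = 0x0 (4 bytes)
+// timeo: int32 = 0x8 (4 bytes)
+// retrans: int32 = 0x1 (4 bytes)
+// maxgrouplist: int32 = 0x4 (4 bytes)
+// readahead: int32 = 0x800 (4 bytes)
+// wcommitsize: int32 = 0x4 (4 bytes)
+// deadthresh: int32 = 0x200 (4 bytes)
+// pad = 0x0 (4 bytes)
+// hostname: nil
+// acregmin: int32 = 0x80 (4 bytes)
+// acregmax: int32 = 0x1 (4 bytes)
+// acdirmin: int32 = 0x2 (4 bytes)
+// acdirmax: int32 = 0xa92 (4 bytes)
+// }
+// }
+// ]
+*(uint32_t*)0x200000000240 = 3;
+*(uint64_t*)0x200000000248 = 0;
+*(uint32_t*)0x200000000250 = 0;
+*(uint32_t*)0x200000000254 = 4;
+*(uint32_t*)0x200000000258 = 0xb;
+*(uint64_t*)0x200000000260 = 0;
+*(uint32_t*)0x200000000268 = 0;
+*(uint32_t*)0x20000000026c = 8;
+*(uint32_t*)0x200000000270 = 5;
+*(uint32_t*)0x200000000274 = 6;
+*(uint32_t*)0x200000000278 = 0;
+*(uint32_t*)0x20000000027c = 8;
+*(uint32_t*)0x200000000280 = 1;
+*(uint32_t*)0x200000000284 = 4;
+*(uint32_t*)0x200000000288 = 0x800;
+*(uint32_t*)0x20000000028c = 4;
+*(uint32_t*)0x200000000290 = 0x200;
+*(uint64_t*)0x200000000298 = 0;
+*(uint32_t*)0x2000000002a0 = 0x80;
+*(uint32_t*)0x2000000002a4 = 1;
+*(uint32_t*)0x2000000002a8 = 2;
+*(uint32_t*)0x2000000002ac = 0xa92;
+syscall(SYS_mount, /*fstype=*/0ul, /*dir=*/0ul,
+/*mnt_flags=MNT_ACLS|MNT_NOCLUSTERR|MNT_NOATIME*/ 0x58000000,
+/*data=*/0x200000000240ul);
+// openat\$netmap_netmap_cdevsw arguments: [
+// fd: const = 0xffffffffffffff9c (8 bytes)
+// file: ptr[in, buffer] {
+// buffer: {2f 64 65 76 2f 6e 65 74 6d 61 70 00} (length 0xc)
+// }
+// flags: open_flags = 0x8 (4 bytes)
+// mode: const = 0x0 (4 bytes)
+// ]
+// returns fd_netmap_netmap_cdevsw
+memcpy((void*)0x200000000080, "/dev/netmap\000", 12);
+res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
+/*file=*/0x200000000080ul, /*flags=O_APPEND*/ 8, /*mode=*/0);
+if (res != -1)
+r[0] = res;
+// ioctl\$NIOCCTRL_netmap_cdevsw arguments: [
+// fd: fd_netmap_netmap_cdevsw (resource)
+// cmd: const = 0xc0586997 (8 bytes)
+// arg: ptr[inout, nmreq_header\$netmap_cdevsw] {
+// nmreq_header\$netmap_cdevsw {
+// nr_version: const = 0xe (2 bytes)
+// nr_reqtype: netmap_req_types_netmap_cdevsw = 0x1 (2 bytes)
+// nr_reserved: const = 0x0 (4 bytes)
+// nr_name: buffer: {fd dc df f0 57 4f 3c 7c e4 5f 8c a0 60 dd 3e f8 85
+// 76 39 53 90 de 06 ef fd a7 de 31 18 a2 d4 3a c7 d3 2a a5 0a c1 17 23
+// 6a fe eb 89 29 84 f2 62 d2 83 53 b7 67 c7 b2 ee 8c 39 68 f1 3f 73 52
+// b4} (length 0x40) nr_options: ptr[inout,
+// nmreq_option_types\$netmap_cdevsw] {
+// union nmreq_option_types\$netmap_cdevsw {
+// kloop_fds: nmreq_opt_sync_kloop_eventfds\$netmap_cdevsw {
+// nro_next: ptr[in, nmreq_option_types\$netmap_cdevsw] {
+// union nmreq_option_types\$netmap_cdevsw {
+// extmem: nmreq_opt_extmem\$netmap_cdevsw {
+// nro_next: nil
+// nro_reqtype: const = 0x1 (4 bytes)
+// nro_status: int32 = 0x80000000 (4 bytes)
+// nro_size: len = 0x28 (8 bytes)
+// nro_usrptr: VMA[0x3000]
+// nro_info: int32 = 0x100000 (4 bytes)
+// nro_size_ptr: len = 0x3000 (4 bytes)
+// }
+// }
+// }
+// nro_reqtype: const = 0x2 (4 bytes)
+// nro_status: int32 = 0x0 (4 bytes)
+// nro_size: len = 0x18 (8 bytes)
+// eventfds:
+// array[nmreq_opt_sync_kloop_eventfd_pair\$netmap_cdevsw] {
+// }
+// }
+// }
+// }
+// nr_body: ptr[inout, nmreq_body\$netmap_cdevsw] {
+// union nmreq_body\$netmap_cdevsw {
+// reg: nmreq_register\$netmap_cdevsw {
+// nr_name: buffer: {c4 c0 99 4a 5e 6e 71 96 98 b6 cc 78 3c 37 aa
+// 7c} (length 0x10) nr_mode: nmreq_register_mode_netmap_cdevsw =
+// 0x1 (4 bytes) nr_ringid: nmreq_register_ringid_netmap_cdevsw =
+// 0x2000 (4 bytes) nr_flags: nmreq_register_flags_netmap_cdevsw
+// = 0x0 (4 bytes) nr_mem_id: int32 = 0x9 (4 bytes) nr_spare:
+// buffer: {00 00 00 00 00 00 00 00} (length 0x8)
+// }
+// }
+// }
+// }
+// }
+// ]
+*(uint16_t*)0x200000000140 = 0xe;
+*(uint16_t*)0x200000000142 = 1;
+*(uint32_t*)0x200000000144 = 0;
+memcpy((void*)0x200000000148,
+"\xfd\xdc\xdf\xf0\x57\x4f\x3c\x7c\xe4\x5f\x8c\xa0\x60\xdd\x3e\xf8\x85"
+"\x76\x39\x53\x90\xde\x06\xef\xfd\xa7\xde\x31\x18\xa2\xd4\x3a\xc7\xd3"
+"\x2a\xa5\x0a\xc1\x17\x23\x6a\xfe\xeb\x89\x29\x84\xf2\x62\xd2\x83\x53"
+"\xb7\x67\xc7\xb2\xee\x8c\x39\x68\xf1\x3f\x73\x52\xb4",
+64);
+*(uint64_t*)0x200000000188 = 0x200000000340;
+*(uint64_t*)0x200000000340 = 0x200000000240;
+*(uint64_t*)0x200000000240 = 0;
+*(uint32_t*)0x200000000248 = 1;
+*(uint32_t*)0x20000000024c = 0x80000000;
+*(uint64_t*)0x200000000250 = 0x28;
+*(uint64_t*)0x200000000258 = 0x200000ffa000;
+*(uint32_t*)0x200000000260 = 0x100000;
+*(uint32_t*)0x200000000264 = 0x3000;
+*(uint32_t*)0x200000000348 = 2;
+*(uint64_t*)0x200000000350 = 0x18;
+*(uint64_t*)0x200000000190 = 0x200000000040;
+memcpy((void*)0x200000000040,
+"\xc4\xc0\x99\x4a\x5e\x6e\x71\x96\x98\xb6\xcc\x78\x3c\x37\xaa\x7c",
+16);
+*(uint32_t*)0x200000000050 = 1;
+*(uint32_t*)0x200000000054 = 0x2000;
+*(uint32_t*)0x200000000058 = 0;
+*(uint32_t*)0x20000000005c = 9;
+memset((void*)0x200000000060, 0, 8);
+syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0xc0586997ul,
+/*arg=*/0x200000000140ul);
+// mprotect arguments: [
+// addr: VMA[0x4000]
+// len: len = 0x4000 (8 bytes)
+// prot: mmap_prot = 0x6 (8 bytes)
+// ]
+syscall(SYS_mprotect, /*addr=*/0x200000ffc000ul, /*len=*/0x4000ul,
+/*prot=PROT_WRITE|PROT_EXEC*/ 6ul);
+return 0;
+}
+EOF
+mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
+
+timeout 3m /tmp/$prog > /dev/null 2>&1
+
+rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
+exit 0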
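Review bot: The reproducer creates `./file0` via `syscall(SYS_mkdir, ...)` in whatever directory the test is launched from, and the cleanup line only removes the three /tmp paths, so that directory is left behind after every run; extend it to `rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core ./file0`. The `syscall(SYS_fork)` child is never waited for and continues through the same mkdir/mount/ioctl/mprotect sequence, so the parent can return, `timeout` can exit, and the `rm -rf` can run while a child is still executing or dumping core. A `while pgrep -q -x "$prog"; do pkill -x "$prog"; sleep 1; done` loop before the cleanup line (presumably the pattern other stress2 tests use for stray children) closes that window.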
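--- /dev/null
+++ b/PATH_NOT_SHOWN_bug293901
@@ -0,0 +1,143 @@
+#!/bin/sh
+
+# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
+# Bug 293901 - panic: mutex ACPI global lock owned at ../../../kern/kern_event.c:LINE
+
+# No problems seen.
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+int main(void)
+{
+syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
+/*fd=*/(intptr_t)-1, /*offset=*/0ul);
+const char* reason;
+(void)reason;
+intptr_t res = 0;
+if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+}
+// openat\$bpf arguments: [
+// fd: const = 0xffffffffffffff9c (8 bytes)
+// file: ptr[in, buffer] {
+// buffer: {2f 64 65 76 2f 62 70 66 00} (length 0x9)
+// }
+// flags: open_flags = 0x80000 (4 bytes)
+// mode: const = 0x0 (4 bytes)
+// ]
+// returns fd_bpf
+memcpy((void*)0x200000000000, "/dev/bpf\000", 9);
+syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000000ul,
+/*flags=O_TTY_INIT*/ 0x80000, /*mode=*/0);
+// openat\$consolectl_consolectl_devsw arguments: [
+// fd: const = 0xffffffffffffff9c (8 bytes)
+// file: ptr[in, buffer] {
+// buffer: {2f 64 65 76 2f 63 6f 6e 73 6f 6c 65 63 74 6c 00} (length
+// 0x10)
+// }
+// flags: open_flags = 0x400000 (4 bytes)
+// mode: const = 0x0 (4 bytes)
+// ]
+// returns fd
+memcpy((void*)0x200000000740, "/dev/consolectl\000", 16);
+syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000740ul,
+/*flags=O_PATH*/ 0x400000, /*mode=*/0);
+// openat\$pvclock_pvclock_cdev_cdevsw arguments: [
+// fd: const = 0xffffffffffffff9c (8 bytes)
+// path: ptr[in, buffer] {
+// buffer: {2f 64 65 76 2f 70 76 63 6c 6f 63 6b 00} (length 0xd)
+// }
+// flags: open_flags = 0x400000 (4 bytes)
+// mode: const = 0x0 (4 bytes)
+// ]
+// returns fd
+memcpy((void*)0x200000000d00, "/dev/pvclock\000", 13);
+syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, /*path=*/0x200000000d00ul,
+/*flags=O_PATH*/ 0x400000, /*mode=*/0);
+// openat\$apm_apm_cdevsw arguments: [
+// fd: const = 0xffffffffffffff9c (8 bytes)
+// file: ptr[in, buffer] {
+// buffer: {2f 64 65 76 2f 61 70 6d 00} (length 0x9)
+// }
+// flags: open_flags = 0x2000000 (4 bytes)
+// mode: const = 0x0 (4 bytes)
+// ]
+// returns fd_apm_apm_cdevsw
+memcpy((void*)0x200000000b40, "/dev/apm\000", 9);
+syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000b40ul,
+/*flags=O_EMPTY_PATH*/ 0x2000000, /*mode=*/0);
+// kqueue arguments: [
+// ]
+// returns kqueue
+res = syscall(SYS_kqueue);
+if (res != -1)
+r[0] = res;
+// kevent arguments: [
+// kqueue: kqueue (resource)
+// changelist: ptr[in, array[kevent]] {
+// array[kevent] {
+// kevent {
+// ident: intptr = 0x6 (8 bytes)
+// filter: filters = 0xfffffffffffffff3 (2 bytes)
+// flags: evflags = 0x4035 (2 bytes)
+// fflags: fflags = 0x0 (4 bytes)
+// data: int64 = 0x5 (8 bytes)
+// udata: intptr = 0x40000000007 (8 bytes)
+// ext: array[int64] {
+// int64 = 0x4 (8 bytes)
+// int64 = 0x100000000 (8 bytes)
+// int64 = 0x4 (8 bytes)
+// int64 = 0x5 (8 bytes)
+// }
+// }
+// }
+// }
+// nchanges: len = 0x1 (8 bytes)
+// eventlist: nil
+// nevents: len = 0x0 (8 bytes)
+// timeout: nil
+// ]
+*(uint64_t*)0x200000000400 = 6;
+*(uint16_t*)0x200000000408 = 0xfff3;
+*(uint16_t*)0x20000000040a = 0x4035;
+*(uint32_t*)0x20000000040c = 0;
+*(uint64_t*)0x200000000410 = 5;
+*(uint64_t*)0x200000000418 = 0x40000000007;
+*(uint64_t*)0x200000000420 = 4;
+*(uint64_t*)0x200000000428 = 0x100000000;
+*(uint64_t*)0x200000000430 = 4;
+*(uint64_t*)0x200000000438 = 5;
+syscall(SYS_kevent, /*kqueue=*/r[0], /*changelist=*/0x200000000400ul,
+/*nchanges=*/1ul, /*eventlist=*/0ul, /*nevents=*/0ul,
+/*timeout=*/0ul);
+return 0;
+}
+EOF
+mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
+
+timeout 3m /tmp/$prog > /dev/null 2>&1
+
+rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
+exit 0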
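Review bot: The cleanup removes `/tmp/$prog.core`, but nothing in the script changes directory to /tmp, so under FreeBSD's default kern.corefile pattern (%N.core, relative to the process's working directory) a core from the reproducer would land in the launch directory as `./$prog.core` and survive the cleanup, unless ../default.cfg redirects kern.corefile, which is not visible here. Either add `cd /tmp` before the `timeout` line or append `./$prog.core` to the rm line; the other three new scripts share the same cleanup line. The header's "No problems seen." would also be easier to interpret with a comment noting which of /dev/bpf, /dev/consolectl, /dev/pvclock and /dev/apm existed on the test host, since each `openat` result is discarded and a missing device silently turns that step into a no-op.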