xrivendell7/report Secret

## report
TITLE: KMSAN: uninit-value in __bpf_strtoull
CORRUPTED: false ()
MAINTAINERS (TO): [linux-kernel@vger.kernel.org]
MAINTAINERS (CC): [andrii@kernel.org ast@kernel.org bpf@vger.kernel.org daniel@iogearbox.net eddyz87@gmail.com haoluo@google.com john.fastabend@gmail.com jolsa@kernel.org kpsingh@kernel.org martin.lau@linux.dev sdf@google.com song@kernel.org yonghong.song@linux.dev]

=====================================================
BUG: KMSAN: uninit-value in __bpf_strtoull+0x292/0x690 kernel/bpf/helpers.c:465
 __bpf_strtoull+0x292/0x690 kernel/bpf/helpers.c:465
 __bpf_strtoll kernel/bpf/helpers.c:504 [inline]
 ____bpf_strtol kernel/bpf/helpers.c:525 [inline]
 bpf_strtol+0x87/0x2c0 kernel/bpf/helpers.c:519
 ___bpf_prog_run+0x14de/0xec60 kernel/bpf/core.c:1997
 __bpf_prog_run96+0xc0/0xf0 kernel/bpf/core.c:2236
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:657 [inline]
 bpf_prog_run_xdp include/net/xdp.h:514 [inline]
 bpf_test_run+0x464/0xcc0 net/bpf/test_run.c:423
 bpf_prog_test_run_xdp+0x101c/0x1c70 net/bpf/test_run.c:1269
 bpf_prog_test_run+0x754/0xba0 kernel/bpf/syscall.c:4240
 __sys_bpf+0x7a6/0x1010 kernel/bpf/syscall.c:5649
 __do_sys_bpf kernel/bpf/syscall.c:5738 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5736 [inline]
 __x64_sys_bpf+0xa9/0xf0 kernel/bpf/syscall.c:5736
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75
Local variable stack created at:
 __bpf_prog_run96+0x50/0xf0 kernel/bpf/core.c:2236
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:657 [inline]
 bpf_prog_run_xdp include/net/xdp.h:514 [inline]
 bpf_test_run+0x464/0xcc0 net/bpf/test_run.c:423
CPU: 2 PID: 8031 Comm: 6be Not tainted 6.8.0-05242-g32fa4366cc4d #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
=====================================================


TITLE: kernel panic: kmsan.panic set ...
CORRUPTED: false ()
MAINTAINERS (TO): [linux-kernel@vger.kernel.org]
MAINTAINERS (CC): [andrii@kernel.org ast@kernel.org bpf@vger.kernel.org daniel@iogearbox.net eddyz87@gmail.com haoluo@google.com john.fastabend@gmail.com jolsa@kernel.org kpsingh@kernel.org martin.lau@linux.dev sdf@google.com song@kernel.org yonghong.song@linux.dev]

 __bpf_strtoull+0x292/0x690 kernel/bpf/helpers.c:465
 __bpf_strtoll kernel/bpf/helpers.c:504 [inline]
 ____bpf_strtol kernel/bpf/helpers.c:525 [inline]
 bpf_strtol+0x87/0x2c0 kernel/bpf/helpers.c:519
 ___bpf_prog_run+0x14de/0xec60 kernel/bpf/core.c:1997
 __bpf_prog_run96+0xc0/0xf0 kernel/bpf/core.c:2236
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:657 [inline]
 bpf_prog_run_xdp include/net/xdp.h:514 [inline]
 bpf_test_run+0x464/0xcc0 net/bpf/test_run.c:423
 bpf_prog_test_run_xdp+0x101c/0x1c70 net/bpf/test_run.c:1269
 bpf_prog_test_run+0x754/0xba0 kernel/bpf/syscall.c:4240
 __sys_bpf+0x7a6/0x1010 kernel/bpf/syscall.c:5649
 __do_sys_bpf kernel/bpf/syscall.c:5738 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5736 [inline]
 __x64_sys_bpf+0xa9/0xf0 kernel/bpf/syscall.c:5736
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75
Local variable stack created at:
 __bpf_prog_run96+0x50/0xf0 kernel/bpf/core.c:2236
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:657 [inline]
 bpf_prog_run_xdp include/net/xdp.h:514 [inline]
 bpf_test_run+0x464/0xcc0 net/bpf/test_run.c:423
CPU: 2 PID: 8031 Comm: 6be Not tainted 6.8.0-05242-g32fa4366cc4d #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
=====================================================
Disabling lock debugging due to kernel taint
Kernel panic - not syncing: kmsan.panic set ...
CPU: 2 PID: 8031 Comm: 6be Tainted: G    B              6.8.0-05242-g32fa4366cc4d #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1f7/0x290 lib/dump_stack.c:106
 dump_stack+0x29/0x30 lib/dump_stack.c:113
 panic+0x506/0xd80 kernel/panic.c:344
 kmsan_report+0x2d5/0x2e0 mm/kmsan/report.c:216
 __msan_warning+0x95/0x120 mm/kmsan/instrumentation.c:317
 __bpf_strtoull+0x292/0x690 kernel/bpf/helpers.c:465
 __bpf_strtoll kernel/bpf/helpers.c:504 [inline]
 ____bpf_strtol kernel/bpf/helpers.c:525 [inline]
 bpf_strtol+0x87/0x2c0 kernel/bpf/helpers.c:519
 ___bpf_prog_run+0x14de/0xec60 kernel/bpf/core.c:1997
 __bpf_prog_run96+0xc0/0xf0 kernel/bpf/core.c:2236
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:657 [inline]
 bpf_prog_run_xdp include/net/xdp.h:514 [inline]
 bpf_test_run+0x464/0xcc0 net/bpf/test_run.c:423
 bpf_prog_test_run_xdp+0x101c/0x1c70 net/bpf/test_run.c:1269
 bpf_prog_test_run+0x754/0xba0 kernel/bpf/syscall.c:4240
 __sys_bpf+0x7a6/0x1010 kernel/bpf/syscall.c:5649
 __do_sys_bpf kernel/bpf/syscall.c:5738 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5736 [inline]
 __x64_sys_bpf+0xa9/0xf0 kernel/bpf/syscall.c:5736
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x432e39
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c8
RSP: 002b:00007ffd5c90c5a8 EFLAGS: 00000217 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007ffd5c90c7d8 RCX: 0000000000432e39
RDX: 0000000000000050 RSI: 0000000020000640 RDI: 000000000000000a
RBP: 00007ffd5c90c5c0 R08: 00007ffd5c90c5c0 R09: 00007ffd5c90c5c0
R10: 00007ffd5c90c5c0 R11: 0000000000000217 R12: 0000000000000001
R13: 00007ffd5c90c7c8 R14: 0000000000000001 R15: 0000000000000001
 </TASK>
Kernel Offset: disabled
Rebooting in 86400 seconds..

## repro.c
#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#ifndef __NR_bpf
#define __NR_bpf 321
#endif

static void sleep_ms(uint64_t ms) {
  usleep(ms * 1000);
}

static uint64_t current_time_ms(void) {
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static bool write_file(const char* file, const char* what, ...) {
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

static void kill_and_wait(int pid, int* status) {
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
               ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

static void setup_test() {
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

static void loop(void) {
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

void execute_one(void) {
  intptr_t res = 0;
  *(uint32_t*)0x20000340 = 2;
  *(uint32_t*)0x20000344 = 4;
  *(uint32_t*)0x20000348 = 8;
  *(uint32_t*)0x2000034c = 1;
  *(uint32_t*)0x20000350 = 0x80;
  *(uint32_t*)0x20000354 = 0;
  *(uint32_t*)0x20000358 = 0;
  memset((void*)0x2000035c, 0, 16);
  *(uint32_t*)0x2000036c = 0;
  *(uint32_t*)0x20000370 = 0;
  *(uint32_t*)0x20000374 = 0;
  *(uint32_t*)0x20000378 = 0;
  *(uint32_t*)0x2000037c = 0;
  *(uint64_t*)0x20000380 = 0;
  res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x20000340ul, /*size=*/0x48ul);
  if (res != -1)
    r[0] = res;
  *(uint32_t*)0x200004c0 = 6;
  *(uint32_t*)0x200004c4 = 0x10;
  *(uint64_t*)0x200004c8 = 0x20000000;
  memcpy((void*)0x20000000,
         "\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb7"
         "\x08\x00\x00\x00\x00\x00\x00\x7b\x8a\xb8\xff\x00\x00\x00\x00\xb7\x08"
         "\x00\x00\x00\x00\x00\x00\x7b\x8a\xf0\xff\x00\x00\x00\x00\xbf\xa1\x00"
         "\x00\x00\x00\x00\x00\x07\x01\x00\x00\xf8\xff\xff\xff\xbf\xa4\x00\x00"
         "\x00\x00\x00\x00\x07\x04\x00\x00\xf0\xff\xff\xff\xb7\x02\x00\x00\x08"
         "\x00\x00\x00\x18\x23\x00\x00",
         92);
  *(uint32_t*)0x2000005c = r[0];
  memcpy((void*)0x20000060,
         "\x00\x00\x00\x00\x00\x00\x00\x00\xb7\x03\x00\x00\x00\x00\x00\x00\x85"
         "\x00\x00\x00\x69\x00\x00\x00\x95",
         25);
  *(uint64_t*)0x200004d0 = 0x20000600;
  memcpy((void*)0x20000600, "GPL\000", 4);
  *(uint32_t*)0x200004d8 = 0;
  *(uint32_t*)0x200004dc = 0;
  *(uint64_t*)0x200004e0 = 0;
  *(uint32_t*)0x200004e8 = 0;
  *(uint32_t*)0x200004ec = 0;
  memset((void*)0x200004f0, 0, 16);
  *(uint32_t*)0x20000500 = 0;
  *(uint32_t*)0x20000504 = 0;
  *(uint32_t*)0x20000508 = 0;
  *(uint32_t*)0x2000050c = 0;
  *(uint64_t*)0x20000510 = 0;
  *(uint32_t*)0x20000518 = 0;
  *(uint32_t*)0x2000051c = 0;
  *(uint64_t*)0x20000520 = 0;
  *(uint32_t*)0x20000528 = 0;
  *(uint32_t*)0x2000052c = 0;
  *(uint32_t*)0x20000530 = 0;
  *(uint32_t*)0x20000534 = 0;
  *(uint64_t*)0x20000538 = 0;
  *(uint64_t*)0x20000540 = 0;
  *(uint32_t*)0x20000548 = 0;
  *(uint32_t*)0x2000054c = 0;
  res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x200004c0ul, /*size=*/0x90ul);
  if (res != -1)
    r[1] = res;
  *(uint32_t*)0x20000640 = r[1];
  *(uint32_t*)0x20000644 = 5;
  *(uint32_t*)0x20000648 = 0;
  *(uint32_t*)0x2000064c = 0;
  *(uint64_t*)0x20000650 = 0;
  *(uint64_t*)0x20000658 = 0;
  *(uint32_t*)0x20000660 = 0;
  *(uint32_t*)0x20000664 = 0;
  *(uint32_t*)0x20000668 = 0;
  *(uint32_t*)0x2000066c = 0;
  *(uint64_t*)0x20000670 = 0;
  *(uint64_t*)0x20000678 = 0;
  *(uint32_t*)0x20000680 = 0;
  *(uint32_t*)0x20000684 = 0;
  *(uint32_t*)0x20000688 = 0;
  syscall(__NR_bpf, /*cmd=*/0xaul, /*arg=*/0x20000640ul, /*size=*/0x50ul);
}
int main(void) {
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  loop();
  return 0;
}

## repro.txt
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
r1 = bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x6, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8ab8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r0, @ANYBLOB="0000000000000000b703000000000000850000006900000095"], &(0x7f0000000600)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000640)={r1, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x50)
	TITLE: KMSAN: uninit-value in __bpf_strtoull
	CORRUPTED: false ()
	MAINTAINERS (TO): [linux-kernel@vger.kernel.org]
	MAINTAINERS (CC): [andrii@kernel.org ast@kernel.org bpf@vger.kernel.org daniel@iogearbox.net eddyz87@gmail.com haoluo@google.com john.fastabend@gmail.com jolsa@kernel.org kpsingh@kernel.org martin.lau@linux.dev sdf@google.com song@kernel.org yonghong.song@linux.dev]

	=====================================================
	BUG: KMSAN: uninit-value in __bpf_strtoull+0x292/0x690 kernel/bpf/helpers.c:465
	__bpf_strtoull+0x292/0x690 kernel/bpf/helpers.c:465
	__bpf_strtoll kernel/bpf/helpers.c:504 [inline]
	____bpf_strtol kernel/bpf/helpers.c:525 [inline]
	bpf_strtol+0x87/0x2c0 kernel/bpf/helpers.c:519
	___bpf_prog_run+0x14de/0xec60 kernel/bpf/core.c:1997
	__bpf_prog_run96+0xc0/0xf0 kernel/bpf/core.c:2236
	bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
	__bpf_prog_run include/linux/filter.h:657 [inline]
	bpf_prog_run_xdp include/net/xdp.h:514 [inline]
	bpf_test_run+0x464/0xcc0 net/bpf/test_run.c:423
	bpf_prog_test_run_xdp+0x101c/0x1c70 net/bpf/test_run.c:1269
	bpf_prog_test_run+0x754/0xba0 kernel/bpf/syscall.c:4240
	__sys_bpf+0x7a6/0x1010 kernel/bpf/syscall.c:5649
	__do_sys_bpf kernel/bpf/syscall.c:5738 [inline]
	__se_sys_bpf kernel/bpf/syscall.c:5736 [inline]
	__x64_sys_bpf+0xa9/0xf0 kernel/bpf/syscall.c:5736
	do_syscall_64+0xd5/0x1f0
	entry_SYSCALL_64_after_hwframe+0x6d/0x75
	Local variable stack created at:
	__bpf_prog_run96+0x50/0xf0 kernel/bpf/core.c:2236
	bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
	__bpf_prog_run include/linux/filter.h:657 [inline]
	bpf_prog_run_xdp include/net/xdp.h:514 [inline]
	bpf_test_run+0x464/0xcc0 net/bpf/test_run.c:423
	CPU: 2 PID: 8031 Comm: 6be Not tainted 6.8.0-05242-g32fa4366cc4d #3
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
	=====================================================


	TITLE: kernel panic: kmsan.panic set ...
	CORRUPTED: false ()
	MAINTAINERS (TO): [linux-kernel@vger.kernel.org]
	MAINTAINERS (CC): [andrii@kernel.org ast@kernel.org bpf@vger.kernel.org daniel@iogearbox.net eddyz87@gmail.com haoluo@google.com john.fastabend@gmail.com jolsa@kernel.org kpsingh@kernel.org martin.lau@linux.dev sdf@google.com song@kernel.org yonghong.song@linux.dev]

	__bpf_strtoull+0x292/0x690 kernel/bpf/helpers.c:465
	__bpf_strtoll kernel/bpf/helpers.c:504 [inline]
	____bpf_strtol kernel/bpf/helpers.c:525 [inline]
	bpf_strtol+0x87/0x2c0 kernel/bpf/helpers.c:519
	___bpf_prog_run+0x14de/0xec60 kernel/bpf/core.c:1997
	__bpf_prog_run96+0xc0/0xf0 kernel/bpf/core.c:2236
	bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
	__bpf_prog_run include/linux/filter.h:657 [inline]
	bpf_prog_run_xdp include/net/xdp.h:514 [inline]
	bpf_test_run+0x464/0xcc0 net/bpf/test_run.c:423
	bpf_prog_test_run_xdp+0x101c/0x1c70 net/bpf/test_run.c:1269
	bpf_prog_test_run+0x754/0xba0 kernel/bpf/syscall.c:4240
	__sys_bpf+0x7a6/0x1010 kernel/bpf/syscall.c:5649
	__do_sys_bpf kernel/bpf/syscall.c:5738 [inline]
	__se_sys_bpf kernel/bpf/syscall.c:5736 [inline]
	__x64_sys_bpf+0xa9/0xf0 kernel/bpf/syscall.c:5736
	do_syscall_64+0xd5/0x1f0
	entry_SYSCALL_64_after_hwframe+0x6d/0x75
	Local variable stack created at:
	__bpf_prog_run96+0x50/0xf0 kernel/bpf/core.c:2236
	bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
	__bpf_prog_run include/linux/filter.h:657 [inline]
	bpf_prog_run_xdp include/net/xdp.h:514 [inline]
	bpf_test_run+0x464/0xcc0 net/bpf/test_run.c:423
	CPU: 2 PID: 8031 Comm: 6be Not tainted 6.8.0-05242-g32fa4366cc4d #3
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
	=====================================================
	Disabling lock debugging due to kernel taint
	Kernel panic - not syncing: kmsan.panic set ...
	CPU: 2 PID: 8031 Comm: 6be Tainted: G B 6.8.0-05242-g32fa4366cc4d #3
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0x1f7/0x290 lib/dump_stack.c:106
	dump_stack+0x29/0x30 lib/dump_stack.c:113
	panic+0x506/0xd80 kernel/panic.c:344
	kmsan_report+0x2d5/0x2e0 mm/kmsan/report.c:216
	__msan_warning+0x95/0x120 mm/kmsan/instrumentation.c:317
	__bpf_strtoull+0x292/0x690 kernel/bpf/helpers.c:465
	__bpf_strtoll kernel/bpf/helpers.c:504 [inline]
	____bpf_strtol kernel/bpf/helpers.c:525 [inline]
	bpf_strtol+0x87/0x2c0 kernel/bpf/helpers.c:519
	___bpf_prog_run+0x14de/0xec60 kernel/bpf/core.c:1997
	__bpf_prog_run96+0xc0/0xf0 kernel/bpf/core.c:2236
	bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
	__bpf_prog_run include/linux/filter.h:657 [inline]
	bpf_prog_run_xdp include/net/xdp.h:514 [inline]
	bpf_test_run+0x464/0xcc0 net/bpf/test_run.c:423
	bpf_prog_test_run_xdp+0x101c/0x1c70 net/bpf/test_run.c:1269
	bpf_prog_test_run+0x754/0xba0 kernel/bpf/syscall.c:4240
	__sys_bpf+0x7a6/0x1010 kernel/bpf/syscall.c:5649
	__do_sys_bpf kernel/bpf/syscall.c:5738 [inline]
	__se_sys_bpf kernel/bpf/syscall.c:5736 [inline]
	__x64_sys_bpf+0xa9/0xf0 kernel/bpf/syscall.c:5736
	do_syscall_64+0xd5/0x1f0
	entry_SYSCALL_64_after_hwframe+0x6d/0x75
	RIP: 0033:0x432e39
	Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c8
	RSP: 002b:00007ffd5c90c5a8 EFLAGS: 00000217 ORIG_RAX: 0000000000000141
	RAX: ffffffffffffffda RBX: 00007ffd5c90c7d8 RCX: 0000000000432e39
	RDX: 0000000000000050 RSI: 0000000020000640 RDI: 000000000000000a
	RBP: 00007ffd5c90c5c0 R08: 00007ffd5c90c5c0 R09: 00007ffd5c90c5c0
	R10: 00007ffd5c90c5c0 R11: 0000000000000217 R12: 0000000000000001
	R13: 00007ffd5c90c7c8 R14: 0000000000000001 R15: 0000000000000001
	</TASK>
	Kernel Offset: disabled
	Rebooting in 86400 seconds..
	#define _GNU_SOURCE

	#include <dirent.h>
	#include <endian.h>
	#include <errno.h>
	#include <fcntl.h>
	#include <signal.h>
	#include <stdarg.h>
	#include <stdbool.h>
	#include <stdint.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <sys/prctl.h>
	#include <sys/stat.h>
	#include <sys/syscall.h>
	#include <sys/types.h>
	#include <sys/wait.h>
	#include <time.h>
	#include <unistd.h>

	#ifndef __NR_bpf
	#define __NR_bpf 321
	#endif

	static void sleep_ms(uint64_t ms) {
	usleep(ms * 1000);
	}

	static uint64_t current_time_ms(void) {
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
	exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
	}

	static bool write_file(const char* file, const char* what, ...) {
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);
	int fd = open(file, O_WRONLY \| O_CLOEXEC);
	if (fd == -1)
	return false;
	if (write(fd, buf, len) != len) {
	int err = errno;
	close(fd);
	errno = err;
	return false;
	}
	close(fd);
	return true;
	}

	static void kill_and_wait(int pid, int* status) {
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
	if (waitpid(-1, status, WNOHANG \| __WALL) == pid)
	return;
	usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
	for (;;) {
	struct dirent* ent = readdir(dir);
	if (!ent)
	break;
	if (strcmp(ent->d_name, ".") == 0 \|\| strcmp(ent->d_name, "..") == 0)
	continue;
	char abort[300];
	snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
	ent->d_name);
	int fd = open(abort, O_WRONLY);
	if (fd == -1) {
	continue;
	}
	if (write(fd, abort, 1) < 0) {
	}
	close(fd);
	}
	closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
	}

	static void setup_test() {
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
	}

	static void execute_one(void);

	#define WAIT_FLAGS __WALL

	static void loop(void) {
	int iter = 0;
	for (;; iter++) {
	int pid = fork();
	if (pid < 0)
	exit(1);
	if (pid == 0) {
	setup_test();
	execute_one();
	exit(0);
	}
	int status = 0;
	uint64_t start = current_time_ms();
	for (;;) {
	if (waitpid(-1, &status, WNOHANG \| WAIT_FLAGS) == pid)
	break;
	sleep_ms(1);
	if (current_time_ms() - start < 5000)
	continue;
	kill_and_wait(pid, &status);
	break;
	}
	}
	}

	uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

	void execute_one(void) {
	intptr_t res = 0;
	(uint32_t)0x20000340 = 2;
	(uint32_t)0x20000344 = 4;
	(uint32_t)0x20000348 = 8;
	(uint32_t)0x2000034c = 1;
	(uint32_t)0x20000350 = 0x80;
	(uint32_t)0x20000354 = 0;
	(uint32_t)0x20000358 = 0;
	memset((void*)0x2000035c, 0, 16);
	(uint32_t)0x2000036c = 0;
	(uint32_t)0x20000370 = 0;
	(uint32_t)0x20000374 = 0;
	(uint32_t)0x20000378 = 0;
	(uint32_t)0x2000037c = 0;
	(uint64_t)0x20000380 = 0;
	res = syscall(__NR_bpf, /cmd=/0ul, /arg=/0x20000340ul, /size=/0x48ul);
	if (res != -1)
	r[0] = res;
	(uint32_t)0x200004c0 = 6;
	(uint32_t)0x200004c4 = 0x10;
	(uint64_t)0x200004c8 = 0x20000000;
	memcpy((void*)0x20000000,
	"\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb7"
	"\x08\x00\x00\x00\x00\x00\x00\x7b\x8a\xb8\xff\x00\x00\x00\x00\xb7\x08"
	"\x00\x00\x00\x00\x00\x00\x7b\x8a\xf0\xff\x00\x00\x00\x00\xbf\xa1\x00"
	"\x00\x00\x00\x00\x00\x07\x01\x00\x00\xf8\xff\xff\xff\xbf\xa4\x00\x00"
	"\x00\x00\x00\x00\x07\x04\x00\x00\xf0\xff\xff\xff\xb7\x02\x00\x00\x08"
	"\x00\x00\x00\x18\x23\x00\x00",
	92);
	(uint32_t)0x2000005c = r[0];
	memcpy((void*)0x20000060,
	"\x00\x00\x00\x00\x00\x00\x00\x00\xb7\x03\x00\x00\x00\x00\x00\x00\x85"
	"\x00\x00\x00\x69\x00\x00\x00\x95",
	25);
	(uint64_t)0x200004d0 = 0x20000600;
	memcpy((void*)0x20000600, "GPL\000", 4);
	(uint32_t)0x200004d8 = 0;
	(uint32_t)0x200004dc = 0;
	(uint64_t)0x200004e0 = 0;
	(uint32_t)0x200004e8 = 0;
	(uint32_t)0x200004ec = 0;
	memset((void*)0x200004f0, 0, 16);
	(uint32_t)0x20000500 = 0;
	(uint32_t)0x20000504 = 0;
	(uint32_t)0x20000508 = 0;
	(uint32_t)0x2000050c = 0;
	(uint64_t)0x20000510 = 0;
	(uint32_t)0x20000518 = 0;
	(uint32_t)0x2000051c = 0;
	(uint64_t)0x20000520 = 0;
	(uint32_t)0x20000528 = 0;
	(uint32_t)0x2000052c = 0;
	(uint32_t)0x20000530 = 0;
	(uint32_t)0x20000534 = 0;
	(uint64_t)0x20000538 = 0;
	(uint64_t)0x20000540 = 0;
	(uint32_t)0x20000548 = 0;
	(uint32_t)0x2000054c = 0;
	res = syscall(__NR_bpf, /cmd=/5ul, /arg=/0x200004c0ul, /size=/0x90ul);
	if (res != -1)
	r[1] = res;
	(uint32_t)0x20000640 = r[1];
	(uint32_t)0x20000644 = 5;
	(uint32_t)0x20000648 = 0;
	(uint32_t)0x2000064c = 0;
	(uint64_t)0x20000650 = 0;
	(uint64_t)0x20000658 = 0;
	(uint32_t)0x20000660 = 0;
	(uint32_t)0x20000664 = 0;
	(uint32_t)0x20000668 = 0;
	(uint32_t)0x2000066c = 0;
	(uint64_t)0x20000670 = 0;
	(uint64_t)0x20000678 = 0;
	(uint32_t)0x20000680 = 0;
	(uint32_t)0x20000684 = 0;
	(uint32_t)0x20000688 = 0;
	syscall(__NR_bpf, /cmd=/0xaul, /arg=/0x20000640ul, /size=/0x50ul);
	}
	int main(void) {
	syscall(__NR_mmap, /addr=/0x1ffff000ul, /len=/0x1000ul, /prot=/0ul,
	/flags=MAP_FIXED\|MAP_ANONYMOUS\|MAP_PRIVATE/ 0x32ul, /fd=/-1,
	/offset=/0ul);
	syscall(__NR_mmap, /addr=/0x20000000ul, /len=/0x1000000ul,
	/prot=PROT_WRITE\|PROT_READ\|PROT_EXEC/ 7ul,
	/flags=MAP_FIXED\|MAP_ANONYMOUS\|MAP_PRIVATE/ 0x32ul, /fd=/-1,
	/offset=/0ul);
	syscall(__NR_mmap, /addr=/0x21000000ul, /len=/0x1000ul, /prot=/0ul,
	/flags=MAP_FIXED\|MAP_ANONYMOUS\|MAP_PRIVATE/ 0x32ul, /fd=/-1,
	/offset=/0ul);
	loop();
	return 0;
	}
	r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
	r1 = bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x6, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8ab8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r0, @ANYBLOB="0000000000000000b703000000000000850000006900000095"], &(0x7f0000000600)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
	bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000640)={r1, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x50)