===================================================== | |
BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:110 [inline] | |
BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline] | |
BUG: KMSAN: uninit-value in crc32_le_base+0x475/0xe70 lib/crc32.c:197 | |
crc32_body lib/crc32.c:110 [inline] | |
crc32_le_generic lib/crc32.c:179 [inline] | |
crc32_le_base+0x475/0xe70 lib/crc32.c:197 | |
nilfs_segbuf_fill_in_data_crc fs/nilfs2/segbuf.c:224 [inline] | |
nilfs_add_checksums_on_logs+0xcb2/0x10a0 fs/nilfs2/segbuf.c:327 | |
nilfs_segctor_do_construct+0xad1d/0xf640 fs/nilfs2/segment.c:2112 | |
nilfs_segctor_construct+0x1fd/0xf30 fs/nilfs2/segment.c:2415 | |
nilfs_segctor_thread_construct fs/nilfs2/segment.c:2523 [inline] | |
nilfs_segctor_thread+0x551/0x1350 fs/nilfs2/segment.c:2606 | |
kthread+0x422/0x5a0 kernel/kthread.c:388 | |
ret_from_fork+0x7f/0xa0 arch/x86/kernel/process.c:147 | |
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 | |
Uninit was created at: | |
__alloc_pages+0x9a8/0xe00 mm/page_alloc.c:4591 | |
alloc_pages_mpol+0x6b3/0xaa0 mm/mempolicy.c:2133 | |
alloc_pages mm/mempolicy.c:2204 [inline] | |
folio_alloc+0x218/0x3f0 mm/mempolicy.c:2211 | |
filemap_alloc_folio+0xb8/0x4b0 mm/filemap.c:974 | |
__filemap_get_folio+0xa8a/0x1910 mm/filemap.c:1918 | |
pagecache_get_page+0x56/0x1d0 mm/folio-compat.c:99 | |
grab_cache_page_write_begin+0x61/0x80 mm/folio-compat.c:109 | |
block_write_begin+0x5a/0x4a0 fs/buffer.c:2223 | |
nilfs_write_begin+0x107/0x220 fs/nilfs2/inode.c:261 | |
generic_perform_write+0x417/0xce0 mm/filemap.c:3927 | |
__generic_file_write_iter+0x233/0x4b0 mm/filemap.c:4022 | |
generic_file_write_iter+0x10e/0x600 mm/filemap.c:4048 | |
__kernel_write_iter+0x365/0xa00 fs/read_write.c:523 | |
dump_emit_page fs/coredump.c:888 [inline] | |
dump_user_range+0x5d7/0xe00 fs/coredump.c:915 | |
elf_core_dump+0x5847/0x5fa0 fs/binfmt_elf.c:2077 | |
do_coredump+0x3bb6/0x4e60 fs/coredump.c:764 | |
get_signal+0x28f7/0x30b0 kernel/signal.c:2890 | |
arch_do_signal_or_restart+0x5e/0xda0 arch/x86/kernel/signal.c:309 | |
exit_to_user_mode_loop kernel/entry/common.c:105 [inline] | |
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] | |
irqentry_exit_to_user_mode+0xaa/0x160 kernel/entry/common.c:225 | |
irqentry_exit+0x16/0x40 kernel/entry/common.c:328 | |
exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1566 | |
asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570 | |
CPU: 1 PID: 11178 Comm: segctord Not tainted 6.7.0-00562-g9f8413c4a66f-dirty #2 | |
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 | |
===================================================== |
// autogenerated by syzkaller (https://github.com/google/syzkaller) | |
#define _GNU_SOURCE | |
#include <dirent.h> | |
#include <endian.h> | |
#include <errno.h> | |
#include <fcntl.h> | |
#include <pthread.h> | |
#include <sched.h> | |
#include <setjmp.h> | |
#include <signal.h> | |
#include <stdarg.h> | |
#include <stdbool.h> | |
#include <stddef.h> | |
#include <stdint.h> | |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <string.h> | |
#include <sys/ioctl.h> | |
#include <sys/mman.h> | |
#include <sys/mount.h> | |
#include <sys/prctl.h> | |
#include <sys/stat.h> | |
#include <sys/syscall.h> | |
#include <sys/types.h> | |
#include <sys/wait.h> | |
#include <time.h> | |
#include <unistd.h> | |
#include <linux/futex.h> | |
#include <linux/loop.h> | |
#ifndef __NR_cachestat | |
#define __NR_cachestat 451 | |
#endif | |
#ifndef __NR_memfd_create | |
#define __NR_memfd_create 319 | |
#endif | |
// Index of this executor process. It only feeds the loop-device name used by
// syz_mount_image() and reset_loop(): "/dev/loop<procid>".
static unsigned long long procid;
static void sleep_ms(uint64_t ms) { | |
usleep(ms * 1000); | |
} | |
// Monotonic clock reading in milliseconds. A failing clock_gettime() ends
// the process with exit(1), like every other unexpected error in this file.
static uint64_t current_time_ms(void) {
  struct timespec now;
  if (clock_gettime(CLOCK_MONOTONIC, &now) != 0)
    exit(1);
  uint64_t msec = (uint64_t)now.tv_sec * 1000;
  msec += (uint64_t)now.tv_nsec / 1000000;
  return msec;
}
// Start a worker thread running fn(arg) on a 128 KiB stack. The pthread_t
// handle is discarded (the thread is never joined). pthread_create() is
// retried up to 100 times while errno reads EAGAIN; any other failure, or
// running out of attempts, terminates the process.
static void thread_start(void* (*fn)(void*), void* arg) {
  enum { kStackSize = 128 << 10, kMaxAttempts = 100 };
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, kStackSize);
  for (int attempt = 0; attempt < kMaxAttempts; attempt++) {
    pthread_t th;
    if (pthread_create(&th, &attr, fn, arg) == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (errno != EAGAIN)
      break;
    usleep(50);
  }
  exit(1);
}
// One-shot signal between threads. state is 0 (clear) or 1 (set); waiters
// block in futex(FUTEX_WAIT) on the state word and event_set() stores 1
// with release ordering and wakes them.
typedef struct {
  int state;
} event_t;
// Put the event into the clear (unsignalled) state.
static void event_init(event_t* ev) {
  const int cleared = 0;
  ev->state = cleared;
}
// Clear the event again so it can be set a second time (plain store).
static void event_reset(event_t* ev) {
  const int cleared = 0;
  ev->state = cleared;
}
// Signal the event: publish state=1 with release ordering, then wake every
// futex waiter. Setting an already-set event is a logic error and aborts
// the process (note the check itself is a plain, non-atomic read).
static void event_set(event_t* ev) {
  if (ev->state != 0)
    exit(1);
  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
  const int wake_all = 1000000;
  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, wake_all);
}
// Block until the event is set. Spurious futex wakeups are harmless: the
// state is re-read with acquire ordering on every pass.
static void event_wait(event_t* ev) {
  for (;;) {
    if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
      return;
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
  }
}
// Non-blocking probe: non-zero when the event is currently set.
static int event_isset(event_t* ev) {
  int state = __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
  return state;
}
// Wait at most `timeout` ms for the event. Returns 1 once it is set, 0 on
// timeout. Each futex call is given the remaining budget as a relative
// timespec; after every wakeup the state is checked before the deadline.
static int event_timedwait(event_t* ev, uint64_t timeout) {
  const uint64_t start = current_time_ms();
  uint64_t elapsed = 0;
  for (;;) {
    uint64_t remain = timeout - elapsed;
    struct timespec ts = {
        .tv_sec = remain / 1000,
        .tv_nsec = (remain % 1000) * 1000 * 1000,
    };
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
    if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
      return 1;
    elapsed = current_time_ms() - start;
    if (elapsed > timeout)
      return 0;
  }
}
// Format `what` with printf-style arguments and write the text to an
// existing file (opened O_WRONLY, no O_CREAT). The formatted text is
// silently truncated to 1023 bytes. Returns false if the open fails or the
// write is short; in the latter case errno is preserved across close().
static bool write_file(const char* file, const char* what, ...) {
  char text[1024];
  va_list ap;
  va_start(ap, what);
  vsnprintf(text, sizeof(text), what, ap);
  va_end(ap);
  text[sizeof(text) - 1] = 0;
  const int len = (int)strlen(text);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  bool ok = write(fd, text, len) == len;
  if (!ok) {
    int saved_errno = errno;
    close(fd);
    errno = saved_errno;
    return false;
  }
  close(fd);
  return true;
}
// Open a procfs entry of the calling process. a0 picks the base directory:
// 0 -> /proc/self, -1 -> /proc/thread-self, anything else ->
// /proc/self/task/<a0>; a1 is the entry name as a C string. O_RDWR is tried
// first with an O_RDONLY fallback. Returns the fd, or -1 if both fail.
static long syz_open_procfs(volatile long a0, volatile long a1) {
  const char* entry = (const char*)a1;
  char path[128] = {0};
  if (a0 == 0)
    snprintf(path, sizeof(path), "/proc/self/%s", entry);
  else if (a0 == -1)
    snprintf(path, sizeof(path), "/proc/thread-self/%s", entry);
  else
    snprintf(path, sizeof(path), "/proc/self/task/%d/%s", (int)a0, entry);
  int fd = open(path, O_RDWR);
  if (fd != -1)
    return fd;
  return open(path, O_RDONLY);
}
//% This code is derived from puff.{c,h}, found in the zlib development. The | |
//% original files come with the following copyright notice: | |
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved | |
//% version 2.3, 21 Jan 2013 | |
//% This software is provided 'as-is', without any express or implied | |
//% warranty. In no event will the author be held liable for any damages | |
//% arising from the use of this software. | |
//% Permission is granted to anyone to use this software for any purpose, | |
//% including commercial applications, and to alter it and redistribute it | |
//% freely, subject to the following restrictions: | |
//% 1. The origin of this software must not be misrepresented; you must not | |
//% claim that you wrote the original software. If you use this software | |
//% in a product, an acknowledgment in the product documentation would be | |
//% appreciated but is not required. | |
//% 2. Altered source versions must be plainly marked as such, and must not be | |
//% misrepresented as being the original software. | |
//% 3. This notice may not be removed or altered from any source distribution. | |
//% Mark Adler madler@alumni.caltech.edu | |
//% BEGIN CODE DERIVED FROM puff.{c,h} | |
#define MAXBITS 15 | |
#define MAXLCODES 286 | |
#define MAXDCODES 30 | |
#define MAXCODES (MAXLCODES + MAXDCODES) | |
#define FIXLCODES 288 | |
// Inflate state shared by the puff_* routines: output buffer and cursor,
// input buffer and cursor, a bit accumulator, and the longjmp target that
// puff_bits()/puff_decode() jump to when the input is exhausted.
struct puff_state {
  unsigned char* out;       // output buffer; the puff_* writers skip zero bytes,
                            // so the sole caller hands in zero-filled MAP_ANON memory
  unsigned long outlen;     // capacity of out
  unsigned long outcnt;     // bytes produced so far
  const unsigned char* in;  // compressed (raw deflate) input
  unsigned long inlen;      // bytes available in in
  unsigned long incnt;      // bytes consumed so far
  int bitbuf;               // bit accumulator, least significant bit first
  int bitcnt;               // number of valid bits in bitbuf
  jmp_buf env;              // longjmp target: input ran out mid-block
};
// Return the next `need` bits of input as an integer, least significant bit
// first, pulling whole bytes into the accumulator as required. Running out
// of input does not return: it longjmps to s->env.
static int puff_bits(struct puff_state* s, int need) {
  long acc = s->bitbuf;
  while (s->bitcnt < need) {
    if (s->incnt == s->inlen)
      longjmp(s->env, 1);
    acc |= (long)s->in[s->incnt] << s->bitcnt;
    s->incnt++;
    s->bitcnt += 8;
  }
  // Keep whatever is left above the requested bits for the next call.
  s->bitbuf = (int)(acc >> need);
  s->bitcnt -= need;
  const long mask = (1L << need) - 1;
  return (int)(acc & mask);
}
// Copy a stored (uncompressed) block: drop any partial byte of bits, read
// LEN and its one's complement NLEN, check they agree, then copy LEN bytes.
// Only non-zero bytes are written, so the output must be pre-zeroed.
// Returns 0 on success, 2 if the input runs out, 1 if the output is full,
// -2 if NLEN does not match LEN.
static int puff_stored(struct puff_state* s) {
  s->bitbuf = 0;
  s->bitcnt = 0;
  const unsigned char* in = s->in;
  if (s->incnt + 4 > s->inlen)
    return 2;
  unsigned len = in[s->incnt];
  len |= (unsigned)in[s->incnt + 1] << 8;
  unsigned nlen = in[s->incnt + 2] | ((unsigned)in[s->incnt + 3] << 8);
  s->incnt += 4;
  if (nlen != (~len & 0xffff))
    return -2;
  if (s->incnt + len > s->inlen)
    return 2;
  if (s->outcnt + len > s->outlen)
    return 1;
  const unsigned char* src = in + s->incnt;
  unsigned char* dst = s->out + s->outcnt;
  for (unsigned i = 0; i < len; i++) {
    if (src[i] != 0)
      dst[i] = src[i];
  }
  s->incnt += len;
  s->outcnt += len;
  return 0;
}
// Canonical Huffman decoding table in puff's layout: count[len] holds the
// number of codes of each bit length 0..MAXBITS and symbol[] lists the
// symbols in canonical code order. puff_construct() fills it in,
// puff_decode() walks it.
struct puff_huffman {
  short* count;
  short* symbol;
};
// Decode one symbol from the input using table h. Bits are taken one at a
// time from the accumulator, extending the canonical code by one length per
// step; when the accumulator is empty a fresh input byte is fetched (longjmp
// to s->env if none is left). Returns the symbol, or -10 when no code of up
// to MAXBITS bits matched.
static int puff_decode(struct puff_state* s, const struct puff_huffman* h) {
  int first = 0;  // first code of the current length
  int index = 0;  // index in h->symbol of the first code of this length
  int bitbuf = s->bitbuf;
  int left = s->bitcnt;  // bits still available in bitbuf
  int code = first = index = 0;  // the code being assembled
  int len = 1;  // current code length
  short* next = h->count + 1;  // number of codes of the next length
  while (1) {
    while (left--) {
      code |= bitbuf & 1;
      bitbuf >>= 1;
      int count = *next++;
      if (code - count < first) {
        // A code of this length matched: hand back the unused bits.
        s->bitbuf = bitbuf;
        s->bitcnt = (s->bitcnt - len) & 7;
        return h->symbol[index + (code - first)];
      }
      // Move on to the next length.
      index += count;
      first += count;
      first <<= 1;
      code <<= 1;
      len++;
    }
    left = (MAXBITS + 1) - len;  // bits still allowed before giving up
    if (left == 0)
      break;
    if (s->incnt == s->inlen)
      longjmp(s->env, 1);
    bitbuf = s->in[s->incnt++];
    if (left > 8)
      left = 8;
  }
  return -10;  // exhausted every code length without a match
}
// Build decoding table h from `n` code lengths (length[symbol]; 0 marks an
// unused symbol). Returns 0 for a complete code or when every length is 0
// (the table then has no codes), a positive value for an incomplete code
// (the unused code space), or a negative value for an over-subscribed set
// of lengths. h->symbol is only filled for the non-zero lengths.
static int puff_construct(struct puff_huffman* h, const short* length, int n) {
  int len;
  for (len = 0; len <= MAXBITS; len++)
    h->count[len] = 0;
  int symbol;
  for (symbol = 0; symbol < n; symbol++)
    (h->count[length[symbol]])++;  // histogram of code lengths
  if (h->count[0] == n)
    return 0;
  // Check for an over-subscribed or incomplete set of lengths: each length
  // doubles the available code space and consumes count[len] of it.
  int left = 1;
  for (len = 1; len <= MAXBITS; len++) {
    left <<= 1;
    left -= h->count[len];
    if (left < 0)
      return left;
  }
  // offs[len] is the position in h->symbol of the first code of that length.
  short offs[MAXBITS + 1];
  offs[1] = 0;
  for (len = 1; len < MAXBITS; len++)
    offs[len + 1] = offs[len] + h->count[len];
  // Place the symbols in canonical order (by length, then by symbol value).
  for (symbol = 0; symbol < n; symbol++)
    if (length[symbol] != 0)
      h->symbol[offs[length[symbol]]++] = symbol;
  return left;
}
// Decode literal/length and distance codes until the end-of-block symbol
// (256). Literals are stored directly; a length symbol (257..285) is
// followed by a distance symbol and `len` bytes are copied from `dist`
// bytes back in the output, byte by byte so overlapping copies repeat.
// As in puff_stored(), zero bytes are never written: the output is assumed
// to be pre-zeroed. Returns 0 at end of block, 1 if the output fills up,
// -10 for an invalid length symbol, -11 for a distance reaching before the
// start of the output, or a negative puff_decode() error.
static int puff_codes(struct puff_state* s,
                      const struct puff_huffman* lencode,
                      const struct puff_huffman* distcode) {
  // Base lengths and extra-bit counts for length symbols 257..285.
  static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13,
                                 15, 17, 19, 23, 27, 31, 35, 43, 51, 59,
                                 67, 83, 99, 115, 131, 163, 195, 227, 258};
  static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2,
                                 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
  // Base distances and extra-bit counts for distance symbols 0..29.
  static const short dists[30] = {
      1, 2, 3, 4, 5, 7, 9, 13, 17, 25,
      33, 49, 65, 97, 129, 193, 257, 385, 513, 769,
      1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
  static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3,
                                 4, 4, 5, 5, 6, 6, 7, 7, 8, 8,
                                 9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
  int symbol;
  do {
    symbol = puff_decode(s, lencode);
    if (symbol < 0)
      return symbol;
    if (symbol < 256) {
      // Literal byte.
      if (s->outcnt == s->outlen)
        return 1;
      if (symbol)
        s->out[s->outcnt] = symbol;
      s->outcnt++;
    } else if (symbol > 256) {
      // Length/distance pair.
      symbol -= 257;
      if (symbol >= 29)
        return -10;
      int len = lens[symbol] + puff_bits(s, lext[symbol]);
      symbol = puff_decode(s, distcode);
      if (symbol < 0)
        return symbol;
      unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
      if (dist > s->outcnt)
        return -11;
      if (s->outcnt + len > s->outlen)
        return 1;
      while (len--) {
        // Copy only non-zero source bytes (output is pre-zeroed).
        if (dist <= s->outcnt && s->out[s->outcnt - dist])
          s->out[s->outcnt] = s->out[s->outcnt - dist];
        s->outcnt++;
      }
    }
  } while (symbol != 256);
  return 0;
}
// Inflate a fixed-Huffman block. The literal/length and distance tables
// never change, so they are built into static storage on the first call
// and reused afterwards.
static int puff_fixed(struct puff_state* s) {
  static int tables_built = 0;
  static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
  static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  static struct puff_huffman lencode, distcode;
  if (!tables_built) {
    lencode = (struct puff_huffman){lencnt, lensym};
    distcode = (struct puff_huffman){distcnt, distsym};
    short lengths[FIXLCODES];
    // Fixed literal/length code lengths: 0-143 -> 8 bits, 144-255 -> 9,
    // 256-279 -> 7, 280-287 -> 8.
    int sym = 0;
    while (sym < 144)
      lengths[sym++] = 8;
    while (sym < 256)
      lengths[sym++] = 9;
    while (sym < 280)
      lengths[sym++] = 7;
    while (sym < FIXLCODES)
      lengths[sym++] = 8;
    puff_construct(&lencode, lengths, FIXLCODES);
    // Fixed distance code: every one of the 30 symbols is 5 bits long.
    for (sym = 0; sym < MAXDCODES; sym++)
      lengths[sym] = 5;
    puff_construct(&distcode, lengths, MAXDCODES);
    tables_built = 1;
  }
  return puff_codes(s, &lencode, &distcode);
}
// Inflate a dynamic-Huffman block: read the counts (nlen, ndist, ncode),
// build the code-length code from `ncode` 3-bit lengths given in `order`,
// use it to decode the nlen+ndist literal/length and distance code lengths
// (symbols 16/17/18 are run-lengths), then build both tables and decode the
// block with puff_codes(). Errors: -3 counts out of range, -4 bad
// code-length code, -5 repeat (16) with no previous length, -6 repeat past
// the end, -9 no end-of-block code, -7/-8 literal/distance code
// over-subscribed or incomplete (incomplete is tolerated only when all
// codes are 0 or 1 bit long, i.e. a single code).
static int puff_dynamic(struct puff_state* s) {
  // Order in which the code-length code lengths are transmitted.
  static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5,
                                  11, 4, 12, 3, 13, 2, 14, 1, 15};
  int nlen = puff_bits(s, 5) + 257;
  int ndist = puff_bits(s, 5) + 1;
  int ncode = puff_bits(s, 4) + 4;
  if (nlen > MAXLCODES || ndist > MAXDCODES)
    return -3;
  short lengths[MAXCODES];
  int index;
  for (index = 0; index < ncode; index++)
    lengths[order[index]] = puff_bits(s, 3);
  for (; index < 19; index++)
    lengths[order[index]] = 0;
  // lencode is first used for the code-length code, then rebuilt below for
  // the literal/length code.
  short lencnt[MAXBITS + 1], lensym[MAXLCODES];
  struct puff_huffman lencode = {lencnt, lensym};
  int err = puff_construct(&lencode, lengths, 19);
  if (err != 0)
    return -4;
  // Read the literal/length and distance code lengths into lengths[].
  index = 0;
  while (index < nlen + ndist) {
    int symbol;
    int len;
    symbol = puff_decode(s, &lencode);
    if (symbol < 0)
      return symbol;
    if (symbol < 16)
      lengths[index++] = symbol;
    else {
      // 16: repeat previous length 3-6 times; 17: 3-10 zeros; 18: 11-138 zeros.
      len = 0;
      if (symbol == 16) {
        if (index == 0)
          return -5;
        len = lengths[index - 1];
        symbol = 3 + puff_bits(s, 2);
      } else if (symbol == 17)
        symbol = 3 + puff_bits(s, 3);
      else
        symbol = 11 + puff_bits(s, 7);
      if (index + symbol > nlen + ndist)
        return -6;
      while (symbol--)
        lengths[index++] = len;
    }
  }
  if (lengths[256] == 0)
    return -9;
  err = puff_construct(&lencode, lengths, nlen);
  if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
    return -7;
  short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  struct puff_huffman distcode = {distcnt, distsym};
  err = puff_construct(&distcode, lengths + nlen, ndist);
  if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
    return -8;
  return puff_codes(s, &lencode, &distcode);
}
// Inflate a raw deflate stream `source` into `dest`. On entry *destlen is
// the capacity of dest; on return it is the number of bytes produced
// (also on error). Each block header gives a "last" bit and a 2-bit type:
// 0 stored, 1 fixed Huffman, 2 dynamic Huffman, 3 invalid (-1). Running
// out of input inside a block longjmps back here and yields 2; any other
// non-zero block result is returned as-is.
static int puff(unsigned char* dest,
                unsigned long* destlen,
                const unsigned char* source,
                unsigned long sourcelen) {
  struct puff_state s = {
      .out = dest,
      .outlen = *destlen,
      .in = source,
      .inlen = sourcelen,
  };
  int err = 0;
  if (setjmp(s.env) != 0) {
    err = 2;
  } else {
    for (;;) {
      int last = puff_bits(&s, 1);
      int type = puff_bits(&s, 2);
      switch (type) {
        case 0:
          err = puff_stored(&s);
          break;
        case 1:
          err = puff_fixed(&s);
          break;
        case 2:
          err = puff_dynamic(&s);
          break;
        default:
          err = -1;
          break;
      }
      if (err != 0 || last)
        break;
    }
  }
  *destlen = s.outcnt;
  return err;
}
//% END CODE DERIVED FROM puff.{c,h} | |
#define ZLIB_HEADER_WIDTH 2 | |
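// Inflate a zlib stream and write the result to dest_fd. The 2-byte zlib
// header is skipped without being validated and no Adler-32 trailer is
// checked: the input is fuzzer-generated and only the raw deflate payload
// matters. Output is staged in a 132 MiB anonymous mapping, which is
// zero-filled — puff() relies on that since it never writes zero bytes.
// Returns 0 on success (or for an input too short to hold a header) and -1
// on failure with errno set; a puff() error code is negated into errno, so
// puff's positive codes 1 (output full) and 2 (input exhausted) show up as
// negative errno values.
static int puff_zlib_to_file(const unsigned char* source,
                             unsigned long sourcelen,
                             int dest_fd) {
  if (sourcelen < ZLIB_HEADER_WIDTH)
    return 0;
  source += ZLIB_HEADER_WIDTH;
  sourcelen -= ZLIB_HEADER_WIDTH;
  const unsigned long max_destlen = 132 << 20;
  void* mapping = mmap(0, max_destlen, PROT_WRITE | PROT_READ,
                       MAP_PRIVATE | MAP_ANON, -1, 0);
  if (mapping == MAP_FAILED)
    return -1;
  unsigned char* dest = (unsigned char*)mapping;
  unsigned long destlen = max_destlen;
  int err = puff(dest, &destlen, source, sourcelen);
  if (err) {
    munmap(dest, max_destlen);
    errno = -err;
    return -1;
  }
  if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
    // Keep the write() error visible to the caller: munmap() may clobber errno.
    int saved_errno = errno;
    munmap(dest, max_destlen);
    errno = saved_errno;
    return -1;
  }
  return munmap(dest, max_destlen);
}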
// Attach the zlib-compressed image `data` to loop device `loopname`. The
// image is inflated into a memfd, which then backs the device via
// LOOP_SET_FD. EBUSY means the device is still attached from an earlier
// use: it is detached with LOOP_CLR_FD and the attach retried once. On
// success the memfd is closed, *loopfd_p receives the open loop fd and 0 is
// returned; on failure every fd opened here is closed and -1 is returned
// with errno describing the first failure.
static int setup_loop_device(unsigned char* data,
                             unsigned long size,
                             const char* loopname,
                             int* loopfd_p) {
  int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
  if (memfd == -1)
    return -1;
  int saved_errno = 0;
  int loopfd = -1;
  if (puff_zlib_to_file(data, size, memfd) != 0) {
    saved_errno = errno;
    goto fail;
  }
  loopfd = open(loopname, O_RDWR);
  if (loopfd == -1) {
    saved_errno = errno;
    goto fail;
  }
  if (ioctl(loopfd, LOOP_SET_FD, memfd) != 0) {
    if (errno != EBUSY) {
      saved_errno = errno;
      goto fail;
    }
    ioctl(loopfd, LOOP_CLR_FD, 0);
    usleep(1000);
    if (ioctl(loopfd, LOOP_SET_FD, memfd) != 0) {
      saved_errno = errno;
      goto fail;
    }
  }
  close(memfd);
  *loopfd_p = loopfd;
  return 0;
fail:
  if (loopfd != -1)
    close(loopfd);
  close(memfd);
  errno = saved_errno;
  return -1;
}
// Detach whatever currently backs loop device `loopname`. Best effort: an
// unopenable device or a failing LOOP_CLR_FD is silently ignored.
static void reset_loop_device(const char* loopname) {
  int fd = open(loopname, O_RDWR);
  if (fd == -1)
    return;
  (void)ioctl(fd, LOOP_CLR_FD, 0);
  close(fd);
}
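// Mount a filesystem image for the fuzzer. When size != 0 the compressed
// image is attached to /dev/loop<procid> and that device is the mount
// source; the loop fd is closed right away (closing it does not detach the
// device). Mount options are copied, truncated so the suffixes appended
// below always fit, and then adjusted per filesystem: iso9660 is forced
// read-only, ext* gets ",errors=continue" unless "errors=remount-ro" is
// present as a complete option, xfs gets ",nouuid". Returns an
// O_RDONLY|O_DIRECTORY fd on the mount point (after chdir()ing into it when
// change_dir is set), or -1 with errno set. The loop device is detached
// again before returning in every case.
static long syz_mount_image(volatile long fsarg,
                            volatile long dir,
                            volatile long flags,
                            volatile long optsarg,
                            volatile long change_dir,
                            volatile unsigned long size,
                            volatile long image) {
  unsigned char* data = (unsigned char*)image;
  int res = -1, err = 0, need_loop_device = !!size;
  char* mount_opts = (char*)optsarg;
  char* target = (char*)dir;
  char* fs = (char*)fsarg;
  char* source = NULL;
  char loopname[64];
  if (need_loop_device) {
    int loopfd;
    memset(loopname, 0, sizeof(loopname));
    snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
    if (setup_loop_device(data, size, loopname, &loopfd) == -1)
      return -1;
    close(loopfd);
    source = loopname;
  }
  mkdir(target, 0777);
  // Copy at most sizeof(opts)-32 bytes so ",errors=continue" / ",nouuid"
  // can always be appended; opts is pre-zeroed, so the copy stays
  // NUL-terminated even when strncpy() truncates.
  char opts[256];
  memset(opts, 0, sizeof(opts));
  strncpy(opts, mount_opts, sizeof(opts) - 32);
  if (strcmp(fs, "iso9660") == 0) {
    flags |= MS_RDONLY;
  } else if (strncmp(fs, "ext", 3) == 0) {
    // Only a whole "errors=remount-ro" option counts (bounded by ',' or
    // the ends of the string); a substring inside another option does not.
    bool has_remount_ro = false;
    char* remount_ro_start = strstr(opts, "errors=remount-ro");
    if (remount_ro_start != NULL) {
      char after = *(remount_ro_start + strlen("errors=remount-ro"));
      char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
      has_remount_ro = ((before == '\0' || before == ',') &&
                        (after == '\0' || after == ','));
    }
    if (strstr(opts, "errors=panic") || !has_remount_ro)
      strcat(opts, ",errors=continue");
  } else if (strcmp(fs, "xfs") == 0) {
    strcat(opts, ",nouuid");
  }
  res = mount(source, target, fs, flags, opts);
  if (res == -1) {
    err = errno;
    goto error_clear_loop;
  }
  res = open(target, O_RDONLY | O_DIRECTORY);
  if (res == -1) {
    err = errno;
    goto error_clear_loop;
  }
  if (change_dir && chdir(target) == -1) {
    // Report the chdir() failure without leaking the directory fd.
    err = errno;
    close(res);
    res = -1;
  }
error_clear_loop:
  if (need_loop_device)
    reset_loop_device(loopname);
  errno = err;
  return res;
}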
// SIGKILL the child `pid` (and its process group) and reap it. The child
// is polled with waitpid(WNOHANG) for about 100 ms; if it still has not
// exited — presumably stuck in a FUSE request — every connection under
// /sys/fs/fuse/connections is aborted, after which waitpid() blocks until
// the child is reaped. `status` receives the wait status.
static void kill_and_wait(int pid, int* status) {
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  int reaped = 0;
  for (int i = 0; i < 100 && !reaped; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      reaped = 1;
    else
      usleep(1000);
  }
  if (reaped)
    return;
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    struct dirent* ent;
    while ((ent = readdir(dir)) != NULL) {
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort_path[300];
      snprintf(abort_path, sizeof(abort_path),
               "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort_path, O_WRONLY);
      if (fd == -1)
        continue;
      // One byte (the first char of the path) is written; the content is
      // presumably irrelevant to the abort file.
      (void)write(fd, abort_path, 1);
      close(fd);
    }
    closedir(dir);
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}
// Detach this process's loop device (/dev/loop<procid>) before the next
// iteration; ignored if the device cannot be opened.
static void reset_loop() {
  char devname[64];
  snprintf(devname, sizeof(devname), "/dev/loop%llu", procid);
  int fd = open(devname, O_RDWR);
  if (fd == -1)
    return;
  ioctl(fd, LOOP_CLR_FD, 0);
  close(fd);
}
// Per-child setup: die together with the parent (PDEATHSIG), start a new
// process group so kill(-pid) in kill_and_wait() reaches everything the
// test spawns, and make this process the OOM killer's preferred victim.
static void setup_test() {
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  const char* oom_adj_path = "/proc/self/oom_score_adj";
  write_file(oom_adj_path, "1000");
}
#define USLEEP_FORKED_CHILD (3 * 50 * 1000)
// Post-clone() handling. In the parent (ret is the child pid or -1) the
// value is passed straight through. In the child (ret == 0) the process
// lingers 150 ms and exits via the raw exit syscall, never returning into
// the fuzzer's code; the trailing loop only keeps the function from
// falling off the end.
static long handle_clone_ret(long ret) {
  if (ret == 0) {
    usleep(USLEEP_FORKED_CHILD);
    syscall(__NR_exit, 0);
    for (;;) {
    }
  }
  return ret;
}
// Raw clone() as issued by the fuzzer. The child's stack pointer is the top
// of [stack, stack+stack_len) rounded down to 16 bytes, and CLONE_VM is
// always stripped so the child runs in its own address space. Returns the
// clone() result in the parent; the child leaves through handle_clone_ret().
static long syz_clone(volatile long flags,
                      volatile long stack,
                      volatile long stack_len,
                      volatile long ptid,
                      volatile long ctid,
                      volatile long tls) {
  const long stack_align = 16;
  long sp = (stack + stack_len) & ~(stack_align - 1);
  long child_flags = flags & ~CLONE_VM;
  long ret = (long)syscall(__NR_clone, child_flags, sp, ptid, ctid, tls);
  return handle_clone_ret(ret);
}
// One worker slot. created is set once the pthread exists; call is the index
// handed to execute_call(); ready is raised by execute_one() to start that
// call and done by thr() when it has finished.
struct thread_t {
  int created, call;
  event_t ready, done;
};
// Worker pool; threads are created lazily by execute_one().
static struct thread_t threads[16];
// Runs one call of the program; defined further down in this file.
static void execute_call(int call);
// Number of calls currently executing on worker threads (atomic add/sub).
static int running;
// Worker thread body: wait for a call to be handed over, run it, drop the
// running counter, signal completion, and repeat forever.
static void* thr(void* arg) {
  struct thread_t* self = arg;
  for (;;) {
    event_wait(&self->ready);
    event_reset(&self->ready);
    execute_call(self->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&self->done);
  }
  return 0;
}
// Run the program's 12 calls once. For each call the first idle worker is
// picked (threads are created on demand) and the call is handed over via
// its ready event. Calls 1, 3, 4, 6, 7, 9 and 10 are dispatched without
// waiting; the others are waited for up to 50 ms (call 0: 4050 ms). At the
// end in-flight calls get up to ~100 ms more to drain.
static void execute_one(void) {
  const int ncalls = 12;
  const int nthreads = (int)(sizeof(threads) / sizeof(threads[0]));
  for (int call = 0; call < ncalls; call++) {
    for (int t = 0; t < nthreads; t++) {
      struct thread_t* th = &threads[t];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      bool async;
      switch (call) {
        case 1:
        case 3:
        case 4:
        case 6:
        case 7:
        case 9:
        case 10:
          async = true;
          break;
        default:
          async = false;
          break;
      }
      if (!async) {
        uint64_t timeout_ms = 50 + (call == 0 ? 4000 : 0);
        event_timedwait(&th->done, timeout_ms);
      }
      break;
    }
  }
  for (int i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}
static void execute_one(void); | |
#define WAIT_FLAGS __WALL | |
// Parent-side driver: forever, detach the loop device, fork a child that
// runs execute_one(), and reap it. A child still alive after 5 s is killed
// and reaped through kill_and_wait().
static void loop(void) {
  const uint64_t child_timeout_ms = 5000;
  for (;;) {
    reset_loop();
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start >= child_timeout_ms) {
        kill_and_wait(pid, &status);
        break;
      }
    }
  }
}
// Result slots written by execute_call(); presumably syscall return values
// that later calls reuse — the part of execute_call() that reads them is not
// visible here. Slots 0-4 start at -1 (0xffff...), slot 5 at 0.
uint64_t r[6] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
                 0xffffffffffffffff, 0xffffffffffffffff, 0x0};
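/*
 * Program body of this syzkaller-generated reproducer: perform one of its
 * 12 calls.
 *
 * Call 0 copies a crafted nilfs2 image into the fixed scratch region and
 * mounts it with chdir=1, so every "./..." path in later calls is relative
 * to the mount point. Calls 1..11 then open "./bus" with several flag
 * combinations, open a procfs "mountinfo" file, create a child with
 * syz_clone(), and pump data between those descriptors with sendfile().
 * State flows between calls only through the global r[] slots, which are
 * updated on success (res != -1).
 *
 * All buffers are hard-coded addresses inside the 0x20000000 mapping set up
 * by main(). Most syscall results are deliberately ignored, as generated
 * reproducers do; mounting an image needs mount privileges, so run this only
 * in a disposable VM.
 *
 * Changes vs. the generated version: `static` to match the forward
 * declaration above, a `default` arm, and two dead `res = -1` stores removed.
 *
 * @param call  index 0..11 of the call to perform; other values are a no-op.
 */
static void execute_call(int call) {
  intptr_t res = 0;
  switch (call) {
  case 0:
    memcpy((void*)0x20000000, "nilfs2\000", 7);
    memcpy((void*)0x20000a80, "./file0\000", 8);
    /* 2634-byte image blob. The leading bytes \x78\x9c are a zlib stream
     * header, consistent with syzkaller's compressed-image encoding;
     * presumably syz_mount_image (defined earlier in the file) inflates it
     * before mounting -- verify against that helper. */
    memcpy(
        (void*)0x20001540,
        "\x78\x9c\xec\xdd\x4d\x8c\x5b\x47\x1d\x00\xf0\xf1\xee\x7a\xd3\x7c\x94"
        "\x38\x25\xa1\x4b\x1a\xda\x84\x42\x5b\x3e\xba\xdb\x6c\x96\xf0\x11\x41"
        "\x52\x35\x42\x22\x6a\x2a\x6e\x95\x2a\x2e\x51\x9a\x96\x88\x34\x20\x52"
        "\x09\x5a\xf5\x90\xe4\xc4\x8d\x56\x55\xb8\xf2\x21\x4e\xbd\x54\x80\x90"
        "\xe8\x05\x45\x3d\x71\xa9\x44\x23\x55\x48\x3d\x15\x0e\x1c\x88\x82\x54"
        "\x89\x03\x14\x92\x45\xf1\xce\x78\xed\x7f\x6c\x3d\x7b\xb3\x59\xaf\xd7"
        "\xbf\x9f\x34\x3b\x9e\x37\x63\xcf\x3c\xef\xf3\xf3\xf3\x7b\x6f\x66\x12"
        "\x30\xb6\x26\x9a\x7f\x17\x16\x66\x6a\x29\x5d\x7a\xeb\xf5\xa3\xff\x78"
        "\xe8\xef\x9b\x6f\x2e\x39\xdc\x2a\xd1\x68\xfe\x9d\x6a\x4b\xd5\x53\x4a"
        "\xb5\x9c\x9e\x0a\xaf\xf7\xc1\xe4\x52\x7c\xfd\xc3\x57\x4e\x76\x8b\x6b"
        "\x69\xbe\xf9\xb7\xa4\xd3\x53\xd7\x5a\xcf\xdd\x9a\x52\x3a\x9f\xf6\xa6"
        "\xcb\xa9\x91\x76\x5f\xba\xf2\xda\x3b\xf3\x4f\x1e\xbf\x70\xec\xe2\xbe"
        "\x77\xdf\x38\x74\xf5\xce\xac\x3d\x00\x00\x8c\x97\x6f\x5f\x3e\xb4\xb0"
        "\xeb\xaf\x7f\xbe\x6f\xc7\x47\x6f\xde\x7f\x24\x6d\x6a\x2d\x2f\xc7\xe7"
        "\x8d\x9c\xde\x96\x8f\xfb\x8f\xe4\x03\xff\x72\xfc\x3f\x91\x3a\xd3\xb5"
        "\xb6\xd0\x6e\x3a\x94\x9b\xca\x61\x22\x94\x9b\xec\x52\xae\xbd\x9e\x7a"
        "\x28\x37\xd5\xa3\xfe\xe9\xf0\xba\xf5\x1e\xe5\x36\x55\xd4\x3f\xd9\xb6"
        "\xac\xdb\x7a\xc3\x28\x2b\xdb\x71\x23\xd5\x26\x66\x3b\xd2\x13\x13\xb3"
        "\xb3\x4b\xbf\xc9\x53\xf3\x77\xfd\x74\x6d\xf6\xec\xe9\x33\xcf\x9d\x1b"
        "\x52\x43\x81\x55\xf7\xaf\x07\x52\x4a\x7b\x47\x28\x1c\x5e\x07\x6d\x58"
        "\x61\x58\x5c\x07\x6d\x18\xc9\x70\x64\x1d\xb4\x61\x83\x86\xc5\xed\xc3"
        "\xde\x03\x01\x2c\x89\xd7\x0b\x6f\x71\x3e\x9e\x59\xb8\x3d\xad\x57\x9b"
        "\xea\xaf\xfe\x6b\x8f\x4f\x74\x7f\x3e\xac\x82\xb5\xde\xfe\xd5\x3f\x5a"
        "\xf5\xff\xfa\x82\x3d\x0e\xab\x67\xa3\x6e\x4d\x65\xbd\xca\xe7\x68\x5b"
        "\x4e\xc7\xeb\x08\xf1\xfe\xa5\xde\x9f\xbf\x78\xa5\xa3\x73\x69\xbc\x1e"
        "\x51\xef\xb3\x9d\xbd\xae\x23\x8c\xca\xf5\x85\x5e\xed\x9c\x5c\xe3\x76"
        "\xac\x54\xaf\xf6\xc7\xed\x62\xa3\xfa\x7a\x8e\xcb\xfb\xf0\x8d\x90\xdf"
        "\xfe\xf9\x89\xff\xd3\x51\xf9\x1f\x03\xdd\xfd\x7b\xd4\xce\xff\x0b\xc2"
        "\xb8\x87\xb4\x7a\xaf\xb5\x38\xe4\xfd\x0f\xb0\x7e\xc5\xfb\xe6\x16\xb3"
        "\x92\x1f\xef\xeb\x8b\xf9\x9b\x2a\xf2\xef\xaa\xc8\xdf\x5c\x91\xbf\xa5"
        "\x22\x7f\x6b\x45\x3e\x8c\xb3\xdf\xbd\xf8\xd3\xf4\x6a\x6d\xf9\x77\x7e"
        "\xfc\x4d\x3f\xe8\xf9\xf0\x72\x9e\xed\xee\x1c\x7f\x6c\xc0\xf6\xc4\xf3"
        "\x91\x83\xd6\x1f\xef\xfb\x1d\xd4\xed\xd6\x1f\xef\x27\x86\xf5\xec\x0f"
        "\x27\x9e\x3e\xf5\x95\x67\x9f\xb9\xb2\x74\xff\x7f\xad\xb5\xfd\xdf\xc8"
        "\xdb\x7b\xf9\xb9\xd1\xc8\x9f\xad\xcb\xb9\x40\x39\x5f\x18\xcf\xab\xb7"
        "\xee\xfd\x6f\x74\xd6\x33\xd1\xa3\xdc\x3d\xa1\x3d\x77\x77\x29\xdf\x7c"
        "\xbc\xb3\xb3\x5c\x6d\xe7\xf2\xeb\xa4\xb6\xfd\xcc\x2d\xed\x98\xe9\x7c"
        "\xde\xf6\x5e\xe5\xf6\x74\x96\x6b\x84\x72\x9b\x73\xb8\x2b\xb4\x37\x1e"
        "\x9f\x6c\x09\xcf\x2b\xc7\x1f\x65\xbf\x5a\xde\xaf\xa9\xb0\xbe\xf5\xb0"
        "\x1e\xd3\xa1\x1d\x65\xbf\xb2\x23\xc7\xb1\x1d\xb0\x12\x65\x7b\xec\x75"
        "\xff\x7f\xd9\x3e\x67\x52\xbd\xf6\xdc\xe9\x33\xa7\x1e\xcb\xe9\xb2\x9d"
        "\xfe\x69\xb2\xbe\xe9\xe6\xf2\xfd\x6b\xdc\x6e\xe0\xf6\xf5\xdb\xff\x67"
        "\x26\x75\xf6\xff\xd9\xd6\x5a\x5e\x9f\x68\xdf\x2f\x6c\x5f\x5e\x5e\x6b"
        "\xdf\x2f\x34\xc2\xf2\xf9\x1e\xcb\x0f\xe4\x74\xf9\x9e\xfb\xee\xe4\xe6"
        "\xe6\xf2\xd9\x93\xdf\x3f\xf3\xec\x6a\xaf\x3c\x8c\xb9\x73\x2f\xbd\xfc"
        "\xbd\x13\x67\xce\x9c\xfa\xa1\x07\x2b\x7e\xf0\xcd\xf5\xd1\x0c\x0f\x3c"
        "\x58\xc5\x07\xc3\xde\x33\x01\x77\xda\xdc\x8b\x2f\xfc\x60\xee\xdc\x4b"
        "\x2f\x3f\x7a\xfa\x85\x13\xcf\x9f\x7a\xfe\xd4\xd9\x03\x07\x0f\x1e\x98"
        "\x9f\x3f\xf8\xd5\x03\x0b\x73\xcd\xe3\xfa\xb9\xf6\xa3\x7b\x60\x23\x59"
        "\xfe\xd2\x1f\x76\x4b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x7e\xfd"
        "\xe8\xd8\xd1\x2b\xef\xbd\xfd\xe5\xf7\x97\xfa\xff\x2f\xf7\xff\x2b\xfd"
        "\xff\xcb\x9d\xbf\xa5\xff\xff\x4f\x42\xff\xff\xd8\x4f\xbe\xf4\x83\x2f"
        "\xfd\x00\x77\x74\xc9\x6f\x96\x09\x03\xac\x4e\x87\x72\xf5\x1c\x3e\x1e"
        "\xda\xbb\x33\xd4\xb3\x2b\x3c\xef\x13\x39\x6e\xcd\xe3\x97\xfb\xff\x97"
        "\xea\xe2\xb8\xae\xa5\x3d\xf7\x86\xe5\x71\xfc\xde\x52\x2e\x0c\x27\x70"
        "\xcb\x78\x29\xd3\x61\x0c\x92\x38\x5f\xe0\xa7\x73\x7c\x31\xc7\xbf\x4a"
        "\x30\x44\xb5\xcd\xdd\x17\xe7\xb8\x6a\x7c\xeb\xb2\xad\x97\xf1\x29\x8c"
        "\x4b\x31\x9a\xca\xff\xad\x6c\x0d\x65\x1c\x93\xd2\xff\xbb\xeb\xb8\x4e"
        "\x6d\xff\xec\x1d\x6b\xd0\x46\x56\xdf\x5a\x74\x27\x1c\xf6\x3a\x02\xdd"
        "\xfd\xd3\xf8\xdf\x82\x30\xb6\x61\x71\xb1\xd7\x2c\x1e\xfd\xce\x60\x03"
        "\xb0\x3a\x86\x3d\xff\x67\x39\xef\x59\xe2\xb3\x7f\xfc\xd6\x5d\x37\x43"
        "\x29\x76\xed\xf1\xce\xfd\x65\x1c\xbf\x14\x06\xf1\x97\xf7\x3a\xd3\xeb"
        "\x7d\xfe\x49\xf5\x6f\xac\xf9\x3f\x5b\xf3\xdf\xf5\xbd\xff\x0b\x33\xe6"
        "\x35\x56\x56\xef\x7f\x7e\x7e\xf5\xfd\xb6\x6a\xd3\xee\x7e\xeb\x8f\xeb"
        "\x5f\xc6\x81\xde\x39\x58\xfd\x1f\xe5\xfa\xcb\xda\x3c\x9c\xfa\xab\x7f"
        "\xf1\x97\xa1\xfe\x78\x41\xa8\x4f\xff\x0d\xf5\x6f\xe9\xb3\xfe\x5b\xd6"
        "\x7f\xcf\xca\xea\xff\x5f\xae\xbf\xbc\x6d\x8f\x3c\xd8\x6f\xfd\x4b\x2d"
        "\xae\x4d\x74\xb6\x23\x9e\x37\x2e\xd7\xff\xe2\x79\xe3\xe2\x7a\x58\xff"
        "\x32\xb6\xe7\xc0\xeb\xbf\xc2\x89\x1a\x6f\xe4\xfa\x61\x9c\x8d\xca\x3c"
        "\xb3\x83\x0a\xf3\xff\xb6\x0e\xda\x57\x3e\xff\x6f\x76\x7e\x75\xe7\xff"
        "\xed\x25\xde\x87\xf1\xa5\x9c\x2e\x3b\xc2\x72\x9f\x43\x9c\xef\x64\xd0"
        "\xf6\x97\xfb\x2b\xca\xf7\xc0\xae\xf0\xfa\xb5\x8a\xef\x37\xf3\xff\x8e"
        "\xb6\xaf\xe5\xb8\xea\xf3\x50\xe6\xff\x2d\xdb\x63\x23\x7f\xe5\xb7\xa5"
        "\x9b\xef\x65\x49\xd7\xbb\xbc\xb7\x1b\x75\x5f\x03\xa3\xea\x03\xd7\xff"
        "\x04\x61\xcd\x43\x6b\x9e\xb8\x21\xb7\x63\x71\x71\xf1\xce\x9e\xd0\xaa"
        "\x30\xd4\xca\x19\xfa\xfb\x3f\xec\xdf\x09\xc3\xae\x7f\xd8\xef\x7f\x95"
        "\x38\xff\x6f\x3c\x86\x8f\xf3\xff\xc6\xfc\x38\xff\x6f\xcc\x8f\xf3\xff"
        "\xc6\xfc\x38\xbf\x5e\xcc\x8f\xf3\xff\xc6\xf7\x33\xce\xff\x1b\xf3\xef"
        "\x0d\xaf\x1b\xe7\x07\x9e\xa9\xc8\xff\x64\x45\xfe\xee\xee\xf9\xad\x9f"
        "\xed\xf7\x55\x3c\x7f\x4f\x45\xfe\xa7\x2a\xf2\xf7\x55\xe4\xdf\x5f\x91"
        "\xff\x40\x45\xfe\x3d\x15\xf9\x0f\x56\xe4\x7f\xa6\x22\xff\xb3\x15\xf9"
        "\x0f\x55\xe4\x3f\x52\x91\xff\xb9\x8a\xfc\x8d\xae\xf4\x47\x19\xd7\xf5"
        "\x87\x71\x16\xfb\xe7\xf9\xfc\xc3\xf8\x28\xd7\x7f\x7a\x7d\xfe\x77\x56"
        "\xe4\x03\xa3\xeb\x67\x6f\xee\x7f\xe2\x99\xdf\x7e\xa7\xb1\xd4\xff\x7f"
        "\xba\x75\x3e\xa4\x5c\xc7\x3b\x92\xd3\xf5\xfc\xdb\xf9\xc7\x39\x1d\xaf"
        "\x7b\xa7\xb6\xf4\xcd\xbc\xb7\x73\xfa\x6f\x21\x7f\xbd\x9f\xef\x80\x71"
        "\x12\xc7\xcf\x88\xdf\xef\x0f\x57\xe4\x03\xa3\xab\xdc\xe7\xe5\xf3\x0d"
        "\x63\xa8\xd6\x7d\xc4\x9e\x7e\xc7\xad\xea\x75\x9c\xcf\x68\xf9\x7c\x8e"
        "\xbf\x90\xe3\x2f\xe6\xf8\xd1\x1c\xcf\xe6\x78\x2e\xc7\xfb\x73\x3c\xbf"
        "\x46\xed\xe3\xce\x78\xe2\x37\xbf\x3f\xf4\x6a\x6d\xf9\xf7\xfe\xf6\x90"
        "\xdf\xef\xfd\xe4\xb1\x3f\x50\xc7\x38\x51\x29\xa5\x03\x7d\xb6\x27\x9e"
        "\x1f\x18\xf4\x7e\xf6\x38\x8e\xdf\xa0\x6e\xb7\xfe\x15\x76\x07\x03\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x18\x9a\x89\xe6\xdf\x85\x85\x99\x5a\x4a\x97"
        "\xde\x7a\xfd\xe8\xd3\xc7\x4f\xcf\xdd\x5c\x72\xb8\x55\xa2\xd1\xfc\x3b"
        "\xd5\x96\xaa\xb7\x9e\x97\xd2\x63\x39\x9e\xcc\xf1\x2f\xf2\x83\xeb\x1f"
        "\xbe\x72\xb2\x3d\xbe\x91\xe3\x5a\x9a\x4f\xb5\x54\x6b\x2d\x4f\x4f\x5d"
        "\x6b\xd5\xb4\x35\xa5\x74\x3e\xed\x4d\x97\x53\x23\xed\xbe\x74\xe5\xb5"
        "\x77\xe6\x9f\x3c\x7e\xe1\xd8\xc5\x7d\xef\xbe\x71\xe8\xea\x9d\x7b\x07"
        "\x00\x00\x00\x60\xe3\xfb\x7f\x00\x00\x00\xff\xff\xb0\xb8\x0e\x84",
        2634);
    /* The mount-options buffer at 0x200000c0 is never written by this
     * function; whatever the mapping holds at that point is passed as-is. */
    syz_mount_image(/*fs=*/0x20000000, /*dir=*/0x20000a80,
                    /*flags=MS_NOEXEC|MS_NODIRATIME*/ 0x808,
                    /*opts=*/0x200000c0, /*chdir=*/1, /*size=*/0xa4a,
                    /*img=*/0x20001540);
    break;
  case 1:
    /* r[0]: "./bus" opened with flags 0, i.e. read-only. */
    memcpy((void*)0x20000000, "./bus\000", 6);
    res = syscall(__NR_open, /*file=*/0x20000000ul, /*flags=*/0ul,
                  /*mode=*/0ul);
    if (res != -1)
      r[0] = res;
    break;
  case 2:
    /* r[1]: "./bus" created if needed and opened O_RDWR with O_DIRECT|O_SYNC. */
    memcpy((void*)0x20007f80, "./bus\000", 6);
    res = syscall(
        __NR_open, /*file=*/0x20007f80ul,
        /*flags=O_SYNC|O_NOCTTY|O_NOATIME|O_DIRECT|O_CREAT|0x2*/ 0x145142ul,
        /*mode=*/0ul);
    if (res != -1)
      r[1] = res;
    break;
  case 3:
    /* cachestat() on r[1] for a range of offset 6, length 0; the result
     * buffer at 0x20000300 is never read back. __NR_cachestat needs headers
     * from Linux 6.5 or later. */
    *(uint64_t*)0x200002c0 = 6;
    *(uint64_t*)0x200002c8 = 0;
    syscall(__NR_cachestat, /*fd=*/r[1], /*cstat_range=*/0x200002c0ul,
            /*cstat=*/0x20000300ul, /*flags=*/0ul);
    break;
  case 4:
    /* r[2]: the "mountinfo" procfs file. pid -1 selects the calling task's
     * procfs directory in syzkaller's helper (self or thread-self -- check
     * the helper's definition earlier in the file). */
    memcpy((void*)0x20000100, "mountinfo\000", 10);
    res = syz_open_procfs(/*pid=*/-1, /*file=*/0x20000100);
    if (res != -1)
      r[2] = res;
    break;
  case 5:
    /* r[3]: "./bus" opened O_RDWR|O_TRUNC|O_NONBLOCK|O_SYNC (created if needed). */
    memcpy((void*)0x20000a40, "./bus\000", 6);
    res = syscall(__NR_open, /*file=*/0x20000a40ul,
                  /*flags=O_TRUNC|O_SYNC|O_NONBLOCK|O_NOATIME|O_CREAT|O_RDWR*/
                  0x141a42ul,
                  /*mode=*/0ul);
    if (res != -1)
      r[3] = res;
    break;
  case 6:
    /* r[4]: /dev/adsp1 opened O_NOFOLLOW relative to AT_FDCWD (-100). */
    memcpy((void*)0x20000040, "/dev/adsp1\000", 11);
    res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
                  /*file=*/0x20000040ul,
                  /*flags=O_NOFOLLOW*/ 0x20000ul, /*mode=*/0ul);
    if (res != -1)
      r[4] = res;
    break;
  case 7:
    /* PTRACE_ATTACH with pid 0; the result is ignored. */
    syscall(__NR_ptrace, /*req=PTRACE_ATTACH*/ 0x10ul, /*pid=*/0, 0, 0);
    break;
  case 8:
    /* r[5]: pid of a child created with CLONE_IO. The 179-byte "stack" and
     * 173-byte "tls" buffers are fuzzer-generated bytes, not meaningful data. */
    memcpy(
        (void*)0x20000140,
        "\x1d\x7f\x3e\xf3\xf0\xb0\x12\x9f\x8d\x08\x32\x26\x51\x0e\xcc\x07\x13"
        "\xb2\xaf\x6e\x79\x01\xa6\x07\x53\x2f\xa2\xa7\x17\x6f\xef\xdd\x7e\x66"
        "\xe6\x40\x2e\xf8\xb5\x79\xa0\x0d\xd8\x3d\x55\x51\x82\xaf\xa0\x44\xf6"
        "\x5b\x0a\xc6\x68\xc2\x06\x3a\xc3\x3b\x34\xbb\x48\x41\x1c\x11\xd4\x56"
        "\xd5\x84\xec\x41\x40\xae\xbe\x97\xe1\x95\x0a\xd7\xc4\xbd\x2b\xff\xce"
        "\xf1\x75\x62\x5a\x27\xa1\x1f\x55\x9e\x8d\xdb\x03\x1d\x27\xc2\xbe\x3a"
        "\x22\x16\xa1\xe9\xf8\x7f\x5d\x68\xb8\xb0\xb6\x90\xe6\x7b\xfc\xc8\xa8"
        "\xec\x9a\xf9\x98\xc1\xa8\xea\xef\x21\x5c\x77\x1e\x45\xee\xe0\x15\xe8"
        "\xce\x9b\x17\x01\x5d\xa7\x9c\x48\xa7\xb8\x74\x59\xc4\xa8\x87\x81\xff"
        "\xd9\xd1\xec\x68\x70\xc4\xd7\x22\x0f\xfc\x6a\x66\xf7\x82\x8d\xb1\x29"
        "\x7a\xa1\x2e\x00\x50\x3d\xde\x7a\x5c",
        179);
    memcpy((void*)0x20000200,
           "\x99\x46\x65\xd2\xb9\xd5\x23\x9b\x78\x9d\x65\xf6\xec\x18\x4c\x1e"
           "\xa6\x70\x03\xce\x8f\x47\x47\x55\xe4\x39\xf5\x85\x60\xc4\x2a\x24"
           "\x1a\x31\xe5\x40\x47\x9e\x07\x52\xca\xd1\x78\x84\xd9\x02\x4c\xb8"
           "\x54\xdc\x67\x98\xad\xa6\x25\x50\xc8\x26\x4b\x54\x88\xda\xff\x53"
           "\x87\x41\x9b\x22\xf0\x1f\xa5\x76\x30\x31\x7e\x8c\x24\xac\x37\xd8"
           "\x92\xd7\x0e\x38\x0b\x71\x64\xdf\xaa\x88\x6b\x72\xa1\x7f\x08\xdf"
           "\x76\xc1\x05\x7a\x22\x68\xb3\x9a\xad\x4e\x0e\x75\x9e\xef\x1a\xbc"
           "\x6e\x5e\x66\x4e\x7f\x30\x57\xc1\xd7\x0d\x89\x7b\xa5\x10\x46\x64"
           "\xe9\x6d\x92\xc1\xd8\xbd\x42\x0f\x78\x36\x8f\x52\x21\x69\xf7\x13"
           "\xed\x03\x31\x5d\x69\xde\x28\xd7\x7a\xf2\x7e\xc8\x88\x1f\x54\x63"
           "\x3a\x5d\xd5\xd5\x46\x35\xe7\x4a\xd8\xc8\x96\x91\x8c",
           173);
    res = syz_clone(/*flags=CLONE_IO*/ 0x80000000, /*stack=*/0x20000140,
                    /*stack_len=*/0xb3, /*parentid=*/0x20000080,
                    /*childtid=*/0x200000c0, /*tls=*/0x20000200);
    if (res != -1)
      r[5] = res;
    break;
  case 9:
    /* F_SETOWN (8): make the clone child (r[5]) the owner of the
     * /dev/adsp1 descriptor for SIGIO/SIGURG delivery. */
    syscall(__NR_fcntl, /*fd=*/r[4], /*cmd=*/8ul, /*pid=*/r[5]);
    break;
  case 10:
    /* Copy the mountinfo contents (r[2]) into "./bus" via the O_RDWR|O_TRUNC
     * descriptor r[3]; NULL offset, oversized count. */
    syscall(__NR_sendfile, /*fdout=*/r[3], /*fdin=*/r[2], /*off=*/0ul,
            /*count=*/0x100800001ul);
    break;
  case 11:
    /* r[0] was opened read-only in case 1, so this sendfile() is presumably
     * rejected with EBADF unless the descriptor slot was never filled. */
    syscall(__NR_sendfile, /*fdout=*/r[0], /*fdin=*/r[1], /*off=*/0ul,
            /*count=*/0x1000000201003ul);
    break;
  default:
    /* Unknown call index: nothing to do. */
    break;
  }
}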
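/*
 * Map one fixed address range at the given protection, or terminate.
 *
 * Every call in execute_call() dereferences hard-coded addresses inside the
 * region mapped here, so a failed mapping would otherwise surface later as a
 * confusing segfault instead of a clean failure.
 *
 * @param addr  fixed virtual address (MAP_FIXED)
 * @param len   length in bytes
 * @param prot  PROT_* bits
 */
static void map_fixed_or_die(unsigned long addr, unsigned long len,
                             unsigned long prot) {
  /* flags: MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE (0x32), no backing fd. */
  if (syscall(__NR_mmap, addr, len, prot, 0x32ul, /*fd=*/-1,
              /*offset=*/0ul) == -1)
    exit(1);
}

/*
 * Entry point: set up the fixed scratch mapping used by execute_call() and
 * run the reproducer loop forever. Returns only if loop() returns, which it
 * does not in practice.
 */
int main(void) {
  /* Inaccessible page just below the data region (presumably a guard page). */
  map_fixed_or_die(0x1ffff000ul, 0x1000ul, /*prot=*/0ul);
  /* 16 MiB RWX region holding every buffer execute_call() addresses. */
  map_fixed_or_die(0x20000000ul, 0x1000000ul,
                   /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul);
  /* Inaccessible page just above the data region (presumably a guard page). */
  map_fixed_or_die(0x21000000ul, 0x1000ul, /*prot=*/0ul);
  loop();
  return 0;
}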
syz_mount_image$nilfs2(&(0x7f0000000000), &(0x7f0000000a80)='./file0\x00', 0x808, &(0x7f00000000c0)=ANY=[], 0x1, 0xa4a, &(0x7f0000001540)="$eJzs3U2MW0cdAPDx7nrTfJQ4JaFLGtqEQls+uttslvARQVI1QiJqKm6VKi5RmpaINCBSCVr1kOTEjVZVuPIhTr1UgJDoBUU9calEI1VIPRUOHIiCVIkDFJJF8c547X9sPXuzWa/Xv580O543Y8887/Pz83tvZhIwtiaafxcWZmopXXrr9aP/eOjvm28uOdwq0Wj+nWpL1VNKtZyeCq/3weRSfP3DV052i2tpvvm3pNNT11rP3ZpSOp/2psupkXZfuvLaO/NPHr9w7OK+d984dPXOrD0AAIyXb18+tLDrr3++b8dHb95/JG1qLS/H542c3paP+4/kA/9y/D+ROtO1ttBuOpSbymEilJvsUq69nnooN9Wj/unwuvUe5TZV1D/ZtqzbesMoK9txI9UmZjvSExOzs0u/yVPzd/10bfbs6TPPnRtSQ4FV968HUkp7RygcXgdtWGFYXAdtGMlwZB20YYOGxe3D3gMBLInXC29xPp5ZuD2tV5vqr/5rj090fz6sgrXe/tU/WvX/+oI9Dqtno25NZb3K52hbTsfrCPH+pd6fv3ilo3NpvB5R77Odva4jjMr1hV7tnFzjdqxUr/bH7WKj+nqOy/vwjZDf/vmJ/9NR+R8D3f171M7/C8K4h7R6r7U45P0PsH7F++YWs5If7+uL+Zsq8u+qyN9ckb+lIn9rRT6Ms9+9+NP0am35d378TT/o+fBynu3uHH9swPbE85GD1h/v+x3U7dYf7yeG9ewPJ54+9ZVnn7mydP9/rbX938jbe/m50cifrcu5QDlfGM+rt+79b3TWM9Gj3D2hPXd3Kd98vLOzXG3n8uuktv3MLe2Y6Xze9l7l9nSWa4Rym3O4K7Q3Hp9sCc8rxx9lv1rer6mwvvWwHtOhHWW/siPHsR2wEmV77HX/f9k+Z1K99tzpM6cey+mynf5psr7p5vL9a9xu4Pb12/9nJnX2/9nWWl6faN8vbF9eXmvfLzTC8vkeyw/kdPme++7k5uby2ZPfP/Psaq88jLlzL738vRNnzpz6oQcrfvDN9dEMDzxYxQfD3jMBd9rciy/8YO7cSy8/evqFE8+fev7U2QMHDx6Ynz/41QMLc83j+rn2o3tgI1n+0h92SwAAAAAAAAAAAIB+/ejY0Svvvf3l95f6/y/3/yv9/8udv6X//09C///YT770gy/9AHd0yW+WCQOsTody9Rw+Htq7M9SzKzzvEzluzeOX+/+X6uK4rqU994blcfzeUi4MJ3DLeCnTYQySOF/gp3N8Mce/SjBEtc3dF+e4anzrsq2X8SmMSzGayv+tbA1lHJPS/7vruE5t/+wda9BGVt9adCcc9joC3f3T+N+CMLZhcbHXLB79zmADsDqGPf9nOe9Z4rN//NZdN0Mpdu3xzv1lHL8UBvGX9zrT633+SfVvrPk/W/Pf9b3/CzPmNVZW739+fvX9tmrT7n7rj+tfxoHeOVj9H+X6y9o8nPqrf/GXof54QahP/w31b+mz/lvWf8/K6v9frr+8bY882G/9Sy2uTXS2I543Ltf/4nnj4npY/zK258Drv8KJGm/k+mGcjco8s4MK8/+2DtpXPv9vdn515//tJd6H8aWcLjvCcp9DnO9k0PaX+yvK98Cu8Pq1iu838/+Otq/luOrzUOb/LdtjI3/lt6Wb72VJ17u8txt1XwOj6gPX/wRhzUNrnrght2NxcfHOntCqMNTKGfr7P+zfCcOuf9jvf5U4/288ho/z/8b8OP9vzI/z/8b8OL9ezI/z/8b3M87/G/PvDa8b5weeqcj/ZEX+7u75rZ/t91U8f09F/qcq8vdV5N9fkf9ARf49FfkPVuR/piL/sxX5D1XkP1KR/7mK/I2u9EcZ1/WH
cRb75/n8w/go1396ff53VuQDo+tnb+5/4pnffqex1P9/unU+pFzHO5LT9fzb+cc5Ha97p7b0zby3c/pvIX+9n++AcRLHz4jf7w9X5AOjq9zn5fMNY6jWfcSefset6nWcz2j5fI6/kOMv5vjRHM/meC7H+3M8v0bt48544je/P/Rqbfn3/vaQ3+/95LE/UMc4USmlA322J54fGPR+9jiO36But/4VdgcDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYmonm34WFmVpKl956/ejTx0/P3VxyuFWi0fw71Zaqt56X0mM5nszxL/KD6x++crI9vpHjWppPtVRrLU9PXWvVtDWldD7tTZdTI+2+dOW1d+afPH7h2MV9775x6OqdewcAAABg4/t/AAAA//+wuA6E") | |
# Each line below corresponds to case 1..11 of execute_call() in the C listing
# above. Addresses are given relative to the 0x7f0000000000 base here and
# appear rebased to 0x20000000 in the C version (same offsets). "(async)"
# marks the calls that execute_one() dispatches without waiting for
# completion (calls 1, 3, 4, 6, 7, 9 and 10 in the C version).
r0 = open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) (async)
r1 = open(&(0x7f0000007f80)='./bus\x00', 0x145142, 0x0)
cachestat(r1, &(0x7f00000002c0)={0x6}, &(0x7f0000000300), 0x0) (async)
# pid 0xffffffffffffffff is the -1 passed to syz_open_procfs() in the C version
r2 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000100)='mountinfo\x00') (async)
r3 = open(&(0x7f0000000a40)='./bus\x00', 0x141a42, 0x0)
# "$adsp1" variant: the path argument is /dev/adsp1 in the C version
r4 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0x20000, 0x0) (async)
ptrace(0x10, 0x0) (async)
# stack/tls arguments are fuzzer-generated bytes; r5 is the child's pid
r5 = syz_clone(0x80000000, &(0x7f0000000140)="1d7f3ef3f0b0129f8d083226510ecc0713b2af6e7901a607532fa2a7176fefdd7e66e6402ef8b579a00dd83d555182afa044f65b0ac668c2063ac33b34bb48411c11d456d584ec4140aebe97e1950ad7c4bd2bffcef175625a27a11f559e8ddb031d27c2be3a2216a1e9f87f5d68b8b0b690e67bfcc8a8ec9af998c1a8eaef215c771e45eee015e8ce9b17015da79c48a7b87459c4a88781ffd9d1ec6870c4d7220ffc6a66f7828db1297aa12e00503dde7a5c", 0xb3, &(0x7f0000000080), &(0x7f00000000c0), &(0x7f0000000200)="994665d2b9d5239b789d65f6ec184c1ea67003ce8f474755e439f58560c42a241a31e540479e0752cad17884d9024cb854dc6798ada62550c8264b5488daff5387419b22f01fa57630317e8c24ac37d892d70e380b7164dfaa886b72a17f08df76c1057a2268b39aad4e0e759eef1abc6e5e664e7f3057c1d70d897ba5104664e96d92c1d8bd420f78368f522169f713ed03315d69de28d77af27ec8881f54633a5dd5d54635e74ad8c896918c")
# cmd 0x8 is F_SETOWN: r5 becomes the owner of the /dev/adsp1 descriptor
fcntl$setown(r4, 0x8, r5) (async)
sendfile(r3, r2, 0x0, 0x100800001) (async)
# r0 is the read-only descriptor from the first open()
sendfile(r0, r1, 0x0, 0x1000000201003)