Skip to content

Instantly share code, notes, and snippets.

@xrivendell7

xrivendell7/report Secret

Created March 3, 2024 05:37
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save xrivendell7/744812c87156085e12c7f617ef237875 to your computer and use it in GitHub Desktop.
Save xrivendell7/744812c87156085e12c7f617ef237875 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
report
=====================================================
BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:110 [inline]
BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
BUG: KMSAN: uninit-value in crc32_le_base+0x475/0xe70 lib/crc32.c:197
crc32_body lib/crc32.c:110 [inline]
crc32_le_generic lib/crc32.c:179 [inline]
crc32_le_base+0x475/0xe70 lib/crc32.c:197
nilfs_segbuf_fill_in_data_crc fs/nilfs2/segbuf.c:224 [inline]
nilfs_add_checksums_on_logs+0xcb2/0x10a0 fs/nilfs2/segbuf.c:327
nilfs_segctor_do_construct+0xad1d/0xf640 fs/nilfs2/segment.c:2112
nilfs_segctor_construct+0x1fd/0xf30 fs/nilfs2/segment.c:2415
nilfs_segctor_thread_construct fs/nilfs2/segment.c:2523 [inline]
nilfs_segctor_thread+0x551/0x1350 fs/nilfs2/segment.c:2606
kthread+0x422/0x5a0 kernel/kthread.c:388
ret_from_fork+0x7f/0xa0 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
Uninit was created at:
__alloc_pages+0x9a8/0xe00 mm/page_alloc.c:4591
alloc_pages_mpol+0x6b3/0xaa0 mm/mempolicy.c:2133
alloc_pages mm/mempolicy.c:2204 [inline]
folio_alloc+0x218/0x3f0 mm/mempolicy.c:2211
filemap_alloc_folio+0xb8/0x4b0 mm/filemap.c:974
__filemap_get_folio+0xa8a/0x1910 mm/filemap.c:1918
pagecache_get_page+0x56/0x1d0 mm/folio-compat.c:99
grab_cache_page_write_begin+0x61/0x80 mm/folio-compat.c:109
block_write_begin+0x5a/0x4a0 fs/buffer.c:2223
nilfs_write_begin+0x107/0x220 fs/nilfs2/inode.c:261
generic_perform_write+0x417/0xce0 mm/filemap.c:3927
__generic_file_write_iter+0x233/0x4b0 mm/filemap.c:4022
generic_file_write_iter+0x10e/0x600 mm/filemap.c:4048
__kernel_write_iter+0x365/0xa00 fs/read_write.c:523
dump_emit_page fs/coredump.c:888 [inline]
dump_user_range+0x5d7/0xe00 fs/coredump.c:915
elf_core_dump+0x5847/0x5fa0 fs/binfmt_elf.c:2077
do_coredump+0x3bb6/0x4e60 fs/coredump.c:764
get_signal+0x28f7/0x30b0 kernel/signal.c:2890
arch_do_signal_or_restart+0x5e/0xda0 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop kernel/entry/common.c:105 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
irqentry_exit_to_user_mode+0xaa/0x160 kernel/entry/common.c:225
irqentry_exit+0x16/0x40 kernel/entry/common.c:328
exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1566
asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570
CPU: 1 PID: 11178 Comm: segctord Not tainted 6.7.0-00562-g9f8413c4a66f-dirty #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
=====================================================
Raw
repro.c
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <sched.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#include <linux/futex.h>
#include <linux/loop.h>
#ifndef __NR_cachestat
#define __NR_cachestat 451
#endif
#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif
static unsigned long long procid;
static void sleep_ms(uint64_t ms) {
usleep(ms * 1000);
}
static uint64_t current_time_ms(void) {
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static void thread_start(void* (*fn)(void*), void* arg) {
pthread_t th;
pthread_attr_t attr;
pthread_attr_init(&attr);
pthread_attr_setstacksize(&attr, 128 << 10);
int i = 0;
for (; i < 100; i++) {
if (pthread_create(&th, &attr, fn, arg) == 0) {
pthread_attr_destroy(&attr);
return;
}
if (errno == EAGAIN) {
usleep(50);
continue;
}
break;
}
exit(1);
}
typedef struct {
int state;
} event_t;
static void event_init(event_t* ev) {
ev->state = 0;
}
static void event_reset(event_t* ev) {
ev->state = 0;
}
static void event_set(event_t* ev) {
if (ev->state)
exit(1);
__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}
static void event_wait(event_t* ev) {
while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}
static int event_isset(event_t* ev) {
return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}
static int event_timedwait(event_t* ev, uint64_t timeout) {
uint64_t start = current_time_ms();
uint64_t now = start;
for (;;) {
uint64_t remain = timeout - (now - start);
struct timespec ts;
ts.tv_sec = remain / 1000;
ts.tv_nsec = (remain % 1000) * 1000 * 1000;
syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
return 1;
now = current_time_ms();
if (now - start > timeout)
return 0;
}
}
static bool write_file(const char* file, const char* what, ...) {
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1)
return false;
if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
}
close(fd);
return true;
}
static long syz_open_procfs(volatile long a0, volatile long a1) {
char buf[128];
memset(buf, 0, sizeof(buf));
if (a0 == 0) {
snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
} else if (a0 == -1) {
snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
} else {
snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
}
int fd = open(buf, O_RDWR);
if (fd == -1)
fd = open(buf, O_RDONLY);
return fd;
}
//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software. If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}
#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288
struct puff_state {
unsigned char* out;
unsigned long outlen;
unsigned long outcnt;
const unsigned char* in;
unsigned long inlen;
unsigned long incnt;
int bitbuf;
int bitcnt;
jmp_buf env;
};
static int puff_bits(struct puff_state* s, int need) {
long val = s->bitbuf;
while (s->bitcnt < need) {
if (s->incnt == s->inlen)
longjmp(s->env, 1);
val |= (long)(s->in[s->incnt++]) << s->bitcnt;
s->bitcnt += 8;
}
s->bitbuf = (int)(val >> need);
s->bitcnt -= need;
return (int)(val & ((1L << need) - 1));
}
static int puff_stored(struct puff_state* s) {
s->bitbuf = 0;
s->bitcnt = 0;
if (s->incnt + 4 > s->inlen)
return 2;
unsigned len = s->in[s->incnt++];
len |= s->in[s->incnt++] << 8;
if (s->in[s->incnt++] != (~len & 0xff) ||
s->in[s->incnt++] != ((~len >> 8) & 0xff))
return -2;
if (s->incnt + len > s->inlen)
return 2;
if (s->outcnt + len > s->outlen)
return 1;
for (; len--; s->outcnt++, s->incnt++) {
if (s->in[s->incnt])
s->out[s->outcnt] = s->in[s->incnt];
}
return 0;
}
struct puff_huffman {
short* count;
short* symbol;
};
static int puff_decode(struct puff_state* s, const struct puff_huffman* h) {
int first = 0;
int index = 0;
int bitbuf = s->bitbuf;
int left = s->bitcnt;
int code = first = index = 0;
int len = 1;
short* next = h->count + 1;
while (1) {
while (left--) {
code |= bitbuf & 1;
bitbuf >>= 1;
int count = *next++;
if (code - count < first) {
s->bitbuf = bitbuf;
s->bitcnt = (s->bitcnt - len) & 7;
return h->symbol[index + (code - first)];
}
index += count;
first += count;
first <<= 1;
code <<= 1;
len++;
}
left = (MAXBITS + 1) - len;
if (left == 0)
break;
if (s->incnt == s->inlen)
longjmp(s->env, 1);
bitbuf = s->in[s->incnt++];
if (left > 8)
left = 8;
}
return -10;
}
static int puff_construct(struct puff_huffman* h, const short* length, int n) {
int len;
for (len = 0; len <= MAXBITS; len++)
h->count[len] = 0;
int symbol;
for (symbol = 0; symbol < n; symbol++)
(h->count[length[symbol]])++;
if (h->count[0] == n)
return 0;
int left = 1;
for (len = 1; len <= MAXBITS; len++) {
left <<= 1;
left -= h->count[len];
if (left < 0)
return left;
}
short offs[MAXBITS + 1];
offs[1] = 0;
for (len = 1; len < MAXBITS; len++)
offs[len + 1] = offs[len] + h->count[len];
for (symbol = 0; symbol < n; symbol++)
if (length[symbol] != 0)
h->symbol[offs[length[symbol]]++] = symbol;
return left;
}
static int puff_codes(struct puff_state* s,
const struct puff_huffman* lencode,
const struct puff_huffman* distcode) {
static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13,
15, 17, 19, 23, 27, 31, 35, 43, 51, 59,
67, 83, 99, 115, 131, 163, 195, 227, 258};
static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2,
2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
static const short dists[30] = {
1, 2, 3, 4, 5, 7, 9, 13, 17, 25,
33, 49, 65, 97, 129, 193, 257, 385, 513, 769,
1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3,
4, 4, 5, 5, 6, 6, 7, 7, 8, 8,
9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
int symbol;
do {
symbol = puff_decode(s, lencode);
if (symbol < 0)
return symbol;
if (symbol < 256) {
if (s->outcnt == s->outlen)
return 1;
if (symbol)
s->out[s->outcnt] = symbol;
s->outcnt++;
} else if (symbol > 256) {
symbol -= 257;
if (symbol >= 29)
return -10;
int len = lens[symbol] + puff_bits(s, lext[symbol]);
symbol = puff_decode(s, distcode);
if (symbol < 0)
return symbol;
unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
if (dist > s->outcnt)
return -11;
if (s->outcnt + len > s->outlen)
return 1;
while (len--) {
if (dist <= s->outcnt && s->out[s->outcnt - dist])
s->out[s->outcnt] = s->out[s->outcnt - dist];
s->outcnt++;
}
}
} while (symbol != 256);
return 0;
}
static int puff_fixed(struct puff_state* s) {
static int virgin = 1;
static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
static struct puff_huffman lencode, distcode;
if (virgin) {
lencode.count = lencnt;
lencode.symbol = lensym;
distcode.count = distcnt;
distcode.symbol = distsym;
short lengths[FIXLCODES];
int symbol;
for (symbol = 0; symbol < 144; symbol++)
lengths[symbol] = 8;
for (; symbol < 256; symbol++)
lengths[symbol] = 9;
for (; symbol < 280; symbol++)
lengths[symbol] = 7;
for (; symbol < FIXLCODES; symbol++)
lengths[symbol] = 8;
puff_construct(&lencode, lengths, FIXLCODES);
for (symbol = 0; symbol < MAXDCODES; symbol++)
lengths[symbol] = 5;
puff_construct(&distcode, lengths, MAXDCODES);
virgin = 0;
}
return puff_codes(s, &lencode, &distcode);
}
static int puff_dynamic(struct puff_state* s) {
static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5,
11, 4, 12, 3, 13, 2, 14, 1, 15};
int nlen = puff_bits(s, 5) + 257;
int ndist = puff_bits(s, 5) + 1;
int ncode = puff_bits(s, 4) + 4;
if (nlen > MAXLCODES || ndist > MAXDCODES)
return -3;
short lengths[MAXCODES];
int index;
for (index = 0; index < ncode; index++)
lengths[order[index]] = puff_bits(s, 3);
for (; index < 19; index++)
lengths[order[index]] = 0;
short lencnt[MAXBITS + 1], lensym[MAXLCODES];
struct puff_huffman lencode = {lencnt, lensym};
int err = puff_construct(&lencode, lengths, 19);
if (err != 0)
return -4;
index = 0;
while (index < nlen + ndist) {
int symbol;
int len;
symbol = puff_decode(s, &lencode);
if (symbol < 0)
return symbol;
if (symbol < 16)
lengths[index++] = symbol;
else {
len = 0;
if (symbol == 16) {
if (index == 0)
return -5;
len = lengths[index - 1];
symbol = 3 + puff_bits(s, 2);
} else if (symbol == 17)
symbol = 3 + puff_bits(s, 3);
else
symbol = 11 + puff_bits(s, 7);
if (index + symbol > nlen + ndist)
return -6;
while (symbol--)
lengths[index++] = len;
}
}
if (lengths[256] == 0)
return -9;
err = puff_construct(&lencode, lengths, nlen);
if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
return -7;
short distcnt[MAXBITS + 1], distsym[MAXDCODES];
struct puff_huffman distcode = {distcnt, distsym};
err = puff_construct(&distcode, lengths + nlen, ndist);
if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
return -8;
return puff_codes(s, &lencode, &distcode);
}
static int puff(unsigned char* dest,
unsigned long* destlen,
const unsigned char* source,
unsigned long sourcelen) {
struct puff_state s = {
.out = dest,
.outlen = *destlen,
.outcnt = 0,
.in = source,
.inlen = sourcelen,
.incnt = 0,
.bitbuf = 0,
.bitcnt = 0,
};
int err;
if (setjmp(s.env) != 0)
err = 2;
else {
int last;
do {
last = puff_bits(&s, 1);
int type = puff_bits(&s, 2);
err = type == 0 ? puff_stored(&s)
: (type == 1 ? puff_fixed(&s)
: (type == 2 ? puff_dynamic(&s) : -1));
if (err != 0)
break;
} while (!last);
}
*destlen = s.outcnt;
return err;
}
//% END CODE DERIVED FROM puff.{c,h}
#define ZLIB_HEADER_WIDTH 2
static int puff_zlib_to_file(const unsigned char* source,
unsigned long sourcelen,
int dest_fd) {
if (sourcelen < ZLIB_HEADER_WIDTH)
return 0;
source += ZLIB_HEADER_WIDTH;
sourcelen -= ZLIB_HEADER_WIDTH;
const unsigned long max_destlen = 132 << 20;
void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ,
MAP_PRIVATE | MAP_ANON, -1, 0);
if (ret == MAP_FAILED)
return -1;
unsigned char* dest = (unsigned char*)ret;
unsigned long destlen = max_destlen;
int err = puff(dest, &destlen, source, sourcelen);
if (err) {
munmap(dest, max_destlen);
errno = -err;
return -1;
}
if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
munmap(dest, max_destlen);
return -1;
}
return munmap(dest, max_destlen);
}
static int setup_loop_device(unsigned char* data,
unsigned long size,
const char* loopname,
int* loopfd_p) {
int err = 0, loopfd = -1;
int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
if (memfd == -1) {
err = errno;
goto error;
}
if (puff_zlib_to_file(data, size, memfd)) {
err = errno;
goto error_close_memfd;
}
loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
err = errno;
goto error_close_memfd;
}
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
if (errno != EBUSY) {
err = errno;
goto error_close_loop;
}
ioctl(loopfd, LOOP_CLR_FD, 0);
usleep(1000);
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
err = errno;
goto error_close_loop;
}
}
close(memfd);
*loopfd_p = loopfd;
return 0;
error_close_loop:
close(loopfd);
error_close_memfd:
close(memfd);
error:
errno = err;
return -1;
}
static void reset_loop_device(const char* loopname) {
int loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
return;
}
if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
}
close(loopfd);
}
static long syz_mount_image(volatile long fsarg,
volatile long dir,
volatile long flags,
volatile long optsarg,
volatile long change_dir,
volatile unsigned long size,
volatile long image) {
unsigned char* data = (unsigned char*)image;
int res = -1, err = 0, need_loop_device = !!size;
char* mount_opts = (char*)optsarg;
char* target = (char*)dir;
char* fs = (char*)fsarg;
char* source = NULL;
char loopname[64];
if (need_loop_device) {
int loopfd;
memset(loopname, 0, sizeof(loopname));
snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
if (setup_loop_device(data, size, loopname, &loopfd) == -1)
return -1;
close(loopfd);
source = loopname;
}
mkdir(target, 0777);
char opts[256];
memset(opts, 0, sizeof(opts));
if (strlen(mount_opts) > (sizeof(opts) - 32)) {
}
strncpy(opts, mount_opts, sizeof(opts) - 32);
if (strcmp(fs, "iso9660") == 0) {
flags |= MS_RDONLY;
} else if (strncmp(fs, "ext", 3) == 0) {
bool has_remount_ro = false;
char* remount_ro_start = strstr(opts, "errors=remount-ro");
if (remount_ro_start != NULL) {
char after = *(remount_ro_start + strlen("errors=remount-ro"));
char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
has_remount_ro = ((before == '\0' || before == ',') &&
(after == '\0' || after == ','));
}
if (strstr(opts, "errors=panic") || !has_remount_ro)
strcat(opts, ",errors=continue");
} else if (strcmp(fs, "xfs") == 0) {
strcat(opts, ",nouuid");
}
res = mount(source, target, fs, flags, opts);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
res = open(target, O_RDONLY | O_DIRECTORY);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
if (change_dir) {
res = chdir(target);
if (res == -1) {
err = errno;
}
}
error_clear_loop:
if (need_loop_device)
reset_loop_device(loopname);
errno = err;
return res;
}
static void kill_and_wait(int pid, int* status) {
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
for (int i = 0; i < 100; i++) {
if (waitpid(-1, status, WNOHANG | __WALL) == pid)
return;
usleep(1000);
}
DIR* dir = opendir("/sys/fs/fuse/connections");
if (dir) {
for (;;) {
struct dirent* ent = readdir(dir);
if (!ent)
break;
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
continue;
char abort[300];
snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
ent->d_name);
int fd = open(abort, O_WRONLY);
if (fd == -1) {
continue;
}
if (write(fd, abort, 1) < 0) {
}
close(fd);
}
closedir(dir);
} else {
}
while (waitpid(-1, status, __WALL) != pid) {
}
}
static void reset_loop() {
char buf[64];
snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
int loopfd = open(buf, O_RDWR);
if (loopfd != -1) {
ioctl(loopfd, LOOP_CLR_FD, 0);
close(loopfd);
}
}
static void setup_test() {
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
write_file("/proc/self/oom_score_adj", "1000");
}
#define USLEEP_FORKED_CHILD (3 * 50 * 1000)
static long handle_clone_ret(long ret) {
if (ret != 0) {
return ret;
}
usleep(USLEEP_FORKED_CHILD);
syscall(__NR_exit, 0);
while (1) {
}
}
static long syz_clone(volatile long flags,
volatile long stack,
volatile long stack_len,
volatile long ptid,
volatile long ctid,
volatile long tls) {
long sp = (stack + stack_len) & ~15;
long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
return handle_clone_ret(ret);
}
struct thread_t {
int created, call;
event_t ready, done;
};
static struct thread_t threads[16];
static void execute_call(int call);
static int running;
static void* thr(void* arg) {
struct thread_t* th = (struct thread_t*)arg;
for (;;) {
event_wait(&th->ready);
event_reset(&th->ready);
execute_call(th->call);
__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
event_set(&th->done);
}
return 0;
}
static void execute_one(void) {
int i, call, thread;
for (call = 0; call < 12; call++) {
for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
thread++) {
struct thread_t* th = &threads[thread];
if (!th->created) {
th->created = 1;
event_init(&th->ready);
event_init(&th->done);
event_set(&th->done);
thread_start(thr, th);
}
if (!event_isset(&th->done))
continue;
event_reset(&th->done);
th->call = call;
__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
event_set(&th->ready);
if (call == 1 || call == 3 || call == 4 || call == 6 || call == 7 ||
call == 9 || call == 10)
break;
event_timedwait(&th->done, 50 + (call == 0 ? 4000 : 0));
break;
}
}
for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
sleep_ms(1);
}
static void execute_one(void);
#define WAIT_FLAGS __WALL
static void loop(void) {
int iter = 0;
for (;; iter++) {
reset_loop();
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
setup_test();
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5000)
continue;
kill_and_wait(pid, &status);
break;
}
}
}
uint64_t r[6] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
0xffffffffffffffff, 0xffffffffffffffff, 0x0};
void execute_call(int call) {
intptr_t res = 0;
switch (call) {
case 0:
memcpy((void*)0x20000000, "nilfs2\000", 7);
memcpy((void*)0x20000a80, "./file0\000", 8);
memcpy(
(void*)0x20001540,
"\x78\x9c\xec\xdd\x4d\x8c\x5b\x47\x1d\x00\xf0\xf1\xee\x7a\xd3\x7c\x94"
"\x38\x25\xa1\x4b\x1a\xda\x84\x42\x5b\x3e\xba\xdb\x6c\x96\xf0\x11\x41"
"\x52\x35\x42\x22\x6a\x2a\x6e\x95\x2a\x2e\x51\x9a\x96\x88\x34\x20\x52"
"\x09\x5a\xf5\x90\xe4\xc4\x8d\x56\x55\xb8\xf2\x21\x4e\xbd\x54\x80\x90"
"\xe8\x05\x45\x3d\x71\xa9\x44\x23\x55\x48\x3d\x15\x0e\x1c\x88\x82\x54"
"\x89\x03\x14\x92\x45\xf1\xce\x78\xed\x7f\x6c\x3d\x7b\xb3\x59\xaf\xd7"
"\xbf\x9f\x34\x3b\x9e\x37\x63\xcf\x3c\xef\xf3\xf3\xf3\x7b\x6f\x66\x12"
"\x30\xb6\x26\x9a\x7f\x17\x16\x66\x6a\x29\x5d\x7a\xeb\xf5\xa3\xff\x78"
"\xe8\xef\x9b\x6f\x2e\x39\xdc\x2a\xd1\x68\xfe\x9d\x6a\x4b\xd5\x53\x4a"
"\xb5\x9c\x9e\x0a\xaf\xf7\xc1\xe4\x52\x7c\xfd\xc3\x57\x4e\x76\x8b\x6b"
"\x69\xbe\xf9\xb7\xa4\xd3\x53\xd7\x5a\xcf\xdd\x9a\x52\x3a\x9f\xf6\xa6"
"\xcb\xa9\x91\x76\x5f\xba\xf2\xda\x3b\xf3\x4f\x1e\xbf\x70\xec\xe2\xbe"
"\x77\xdf\x38\x74\xf5\xce\xac\x3d\x00\x00\x8c\x97\x6f\x5f\x3e\xb4\xb0"
"\xeb\xaf\x7f\xbe\x6f\xc7\x47\x6f\xde\x7f\x24\x6d\x6a\x2d\x2f\xc7\xe7"
"\x8d\x9c\xde\x96\x8f\xfb\x8f\xe4\x03\xff\x72\xfc\x3f\x91\x3a\xd3\xb5"
"\xb6\xd0\x6e\x3a\x94\x9b\xca\x61\x22\x94\x9b\xec\x52\xae\xbd\x9e\x7a"
"\x28\x37\xd5\xa3\xfe\xe9\xf0\xba\xf5\x1e\xe5\x36\x55\xd4\x3f\xd9\xb6"
"\xac\xdb\x7a\xc3\x28\x2b\xdb\x71\x23\xd5\x26\x66\x3b\xd2\x13\x13\xb3"
"\xb3\x4b\xbf\xc9\x53\xf3\x77\xfd\x74\x6d\xf6\xec\xe9\x33\xcf\x9d\x1b"
"\x52\x43\x81\x55\xf7\xaf\x07\x52\x4a\x7b\x47\x28\x1c\x5e\x07\x6d\x58"
"\x61\x58\x5c\x07\x6d\x18\xc9\x70\x64\x1d\xb4\x61\x83\x86\xc5\xed\xc3"
"\xde\x03\x01\x2c\x89\xd7\x0b\x6f\x71\x3e\x9e\x59\xb8\x3d\xad\x57\x9b"
"\xea\xaf\xfe\x6b\x8f\x4f\x74\x7f\x3e\xac\x82\xb5\xde\xfe\xd5\x3f\x5a"
"\xf5\xff\xfa\x82\x3d\x0e\xab\x67\xa3\x6e\x4d\x65\xbd\xca\xe7\x68\x5b"
"\x4e\xc7\xeb\x08\xf1\xfe\xa5\xde\x9f\xbf\x78\xa5\xa3\x73\x69\xbc\x1e"
"\x51\xef\xb3\x9d\xbd\xae\x23\x8c\xca\xf5\x85\x5e\xed\x9c\x5c\xe3\x76"
"\xac\x54\xaf\xf6\xc7\xed\x62\xa3\xfa\x7a\x8e\xcb\xfb\xf0\x8d\x90\xdf"
"\xfe\xf9\x89\xff\xd3\x51\xf9\x1f\x03\xdd\xfd\x7b\xd4\xce\xff\x0b\xc2"
"\xb8\x87\xb4\x7a\xaf\xb5\x38\xe4\xfd\x0f\xb0\x7e\xc5\xfb\xe6\x16\xb3"
"\x92\x1f\xef\xeb\x8b\xf9\x9b\x2a\xf2\xef\xaa\xc8\xdf\x5c\x91\xbf\xa5"
"\x22\x7f\x6b\x45\x3e\x8c\xb3\xdf\xbd\xf8\xd3\xf4\x6a\x6d\xf9\x77\x7e"
"\xfc\x4d\x3f\xe8\xf9\xf0\x72\x9e\xed\xee\x1c\x7f\x6c\xc0\xf6\xc4\xf3"
"\x91\x83\xd6\x1f\xef\xfb\x1d\xd4\xed\xd6\x1f\xef\x27\x86\xf5\xec\x0f"
"\x27\x9e\x3e\xf5\x95\x67\x9f\xb9\xb2\x74\xff\x7f\xad\xb5\xfd\xdf\xc8"
"\xdb\x7b\xf9\xb9\xd1\xc8\x9f\xad\xcb\xb9\x40\x39\x5f\x18\xcf\xab\xb7"
"\xee\xfd\x6f\x74\xd6\x33\xd1\xa3\xdc\x3d\xa1\x3d\x77\x77\x29\xdf\x7c"
"\xbc\xb3\xb3\x5c\x6d\xe7\xf2\xeb\xa4\xb6\xfd\xcc\x2d\xed\x98\xe9\x7c"
"\xde\xf6\x5e\xe5\xf6\x74\x96\x6b\x84\x72\x9b\x73\xb8\x2b\xb4\x37\x1e"
"\x9f\x6c\x09\xcf\x2b\xc7\x1f\x65\xbf\x5a\xde\xaf\xa9\xb0\xbe\xf5\xb0"
"\x1e\xd3\xa1\x1d\x65\xbf\xb2\x23\xc7\xb1\x1d\xb0\x12\x65\x7b\xec\x75"
"\xff\x7f\xd9\x3e\x67\x52\xbd\xf6\xdc\xe9\x33\xa7\x1e\xcb\xe9\xb2\x9d"
"\xfe\x69\xb2\xbe\xe9\xe6\xf2\xfd\x6b\xdc\x6e\xe0\xf6\xf5\xdb\xff\x67"
"\x26\x75\xf6\xff\xd9\xd6\x5a\x5e\x9f\x68\xdf\x2f\x6c\x5f\x5e\x5e\x6b"
"\xdf\x2f\x34\xc2\xf2\xf9\x1e\xcb\x0f\xe4\x74\xf9\x9e\xfb\xee\xe4\xe6"
"\xe6\xf2\xd9\x93\xdf\x3f\xf3\xec\x6a\xaf\x3c\x8c\xb9\x73\x2f\xbd\xfc"
"\xbd\x13\x67\xce\x9c\xfa\xa1\x07\x2b\x7e\xf0\xcd\xf5\xd1\x0c\x0f\x3c"
"\x58\xc5\x07\xc3\xde\x33\x01\x77\xda\xdc\x8b\x2f\xfc\x60\xee\xdc\x4b"
"\x2f\x3f\x7a\xfa\x85\x13\xcf\x9f\x7a\xfe\xd4\xd9\x03\x07\x0f\x1e\x98"
"\x9f\x3f\xf8\xd5\x03\x0b\x73\xcd\xe3\xfa\xb9\xf6\xa3\x7b\x60\x23\x59"
"\xfe\xd2\x1f\x76\x4b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x7e\xfd"
"\xe8\xd8\xd1\x2b\xef\xbd\xfd\xe5\xf7\x97\xfa\xff\x2f\xf7\xff\x2b\xfd"
"\xff\xcb\x9d\xbf\xa5\xff\xff\x4f\x42\xff\xff\xd8\x4f\xbe\xf4\x83\x2f"
"\xfd\x00\x77\x74\xc9\x6f\x96\x09\x03\xac\x4e\x87\x72\xf5\x1c\x3e\x1e"
"\xda\xbb\x33\xd4\xb3\x2b\x3c\xef\x13\x39\x6e\xcd\xe3\x97\xfb\xff\x97"
"\xea\xe2\xb8\xae\xa5\x3d\xf7\x86\xe5\x71\xfc\xde\x52\x2e\x0c\x27\x70"
"\xcb\x78\x29\xd3\x61\x0c\x92\x38\x5f\xe0\xa7\x73\x7c\x31\xc7\xbf\x4a"
"\x30\x44\xb5\xcd\xdd\x17\xe7\xb8\x6a\x7c\xeb\xb2\xad\x97\xf1\x29\x8c"
"\x4b\x31\x9a\xca\xff\xad\x6c\x0d\x65\x1c\x93\xd2\xff\xbb\xeb\xb8\x4e"
"\x6d\xff\xec\x1d\x6b\xd0\x46\x56\xdf\x5a\x74\x27\x1c\xf6\x3a\x02\xdd"
"\xfd\xd3\xf8\xdf\x82\x30\xb6\x61\x71\xb1\xd7\x2c\x1e\xfd\xce\x60\x03"
"\xb0\x3a\x86\x3d\xff\x67\x39\xef\x59\xe2\xb3\x7f\xfc\xd6\x5d\x37\x43"
"\x29\x76\xed\xf1\xce\xfd\x65\x1c\xbf\x14\x06\xf1\x97\xf7\x3a\xd3\xeb"
"\x7d\xfe\x49\xf5\x6f\xac\xf9\x3f\x5b\xf3\xdf\xf5\xbd\xff\x0b\x33\xe6"
"\x35\x56\x56\xef\x7f\x7e\x7e\xf5\xfd\xb6\x6a\xd3\xee\x7e\xeb\x8f\xeb"
"\x5f\xc6\x81\xde\x39\x58\xfd\x1f\xe5\xfa\xcb\xda\x3c\x9c\xfa\xab\x7f"
"\xf1\x97\xa1\xfe\x78\x41\xa8\x4f\xff\x0d\xf5\x6f\xe9\xb3\xfe\x5b\xd6"
"\x7f\xcf\xca\xea\xff\x5f\xae\xbf\xbc\x6d\x8f\x3c\xd8\x6f\xfd\x4b\x2d"
"\xae\x4d\x74\xb6\x23\x9e\x37\x2e\xd7\xff\xe2\x79\xe3\xe2\x7a\x58\xff"
"\x32\xb6\xe7\xc0\xeb\xbf\xc2\x89\x1a\x6f\xe4\xfa\x61\x9c\x8d\xca\x3c"
"\xb3\x83\x0a\xf3\xff\xb6\x0e\xda\x57\x3e\xff\x6f\x76\x7e\x75\xe7\xff"
"\xed\x25\xde\x87\xf1\xa5\x9c\x2e\x3b\xc2\x72\x9f\x43\x9c\xef\x64\xd0"
"\xf6\x97\xfb\x2b\xca\xf7\xc0\xae\xf0\xfa\xb5\x8a\xef\x37\xf3\xff\x8e"
"\xb6\xaf\xe5\xb8\xea\xf3\x50\xe6\xff\x2d\xdb\x63\x23\x7f\xe5\xb7\xa5"
"\x9b\xef\x65\x49\xd7\xbb\xbc\xb7\x1b\x75\x5f\x03\xa3\xea\x03\xd7\xff"
"\x04\x61\xcd\x43\x6b\x9e\xb8\x21\xb7\x63\x71\x71\xf1\xce\x9e\xd0\xaa"
"\x30\xd4\xca\x19\xfa\xfb\x3f\xec\xdf\x09\xc3\xae\x7f\xd8\xef\x7f\x95"
"\x38\xff\x6f\x3c\x86\x8f\xf3\xff\xc6\xfc\x38\xff\x6f\xcc\x8f\xf3\xff"
"\xc6\xfc\x38\xbf\x5e\xcc\x8f\xf3\xff\xc6\xf7\x33\xce\xff\x1b\xf3\xef"
"\x0d\xaf\x1b\xe7\x07\x9e\xa9\xc8\xff\x64\x45\xfe\xee\xee\xf9\xad\x9f"
"\xed\xf7\x55\x3c\x7f\x4f\x45\xfe\xa7\x2a\xf2\xf7\x55\xe4\xdf\x5f\x91"
"\xff\x40\x45\xfe\x3d\x15\xf9\x0f\x56\xe4\x7f\xa6\x22\xff\xb3\x15\xf9"
"\x0f\x55\xe4\x3f\x52\x91\xff\xb9\x8a\xfc\x8d\xae\xf4\x47\x19\xd7\xf5"
"\x87\x71\x16\xfb\xe7\xf9\xfc\xc3\xf8\x28\xd7\x7f\x7a\x7d\xfe\x77\x56"
"\xe4\x03\xa3\xeb\x67\x6f\xee\x7f\xe2\x99\xdf\x7e\xa7\xb1\xd4\xff\x7f"
"\xba\x75\x3e\xa4\x5c\xc7\x3b\x92\xd3\xf5\xfc\xdb\xf9\xc7\x39\x1d\xaf"
"\x7b\xa7\xb6\xf4\xcd\xbc\xb7\x73\xfa\x6f\x21\x7f\xbd\x9f\xef\x80\x71"
"\x12\xc7\xcf\x88\xdf\xef\x0f\x57\xe4\x03\xa3\xab\xdc\xe7\xe5\xf3\x0d"
"\x63\xa8\xd6\x7d\xc4\x9e\x7e\xc7\xad\xea\x75\x9c\xcf\x68\xf9\x7c\x8e"
"\xbf\x90\xe3\x2f\xe6\xf8\xd1\x1c\xcf\xe6\x78\x2e\xc7\xfb\x73\x3c\xbf"
"\x46\xed\xe3\xce\x78\xe2\x37\xbf\x3f\xf4\x6a\x6d\xf9\xf7\xfe\xf6\x90"
"\xdf\xef\xfd\xe4\xb1\x3f\x50\xc7\x38\x51\x29\xa5\x03\x7d\xb6\x27\x9e"
"\x1f\x18\xf4\x7e\xf6\x38\x8e\xdf\xa0\x6e\xb7\xfe\x15\x76\x07\x03\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x18\x9a\x89\xe6\xdf\x85\x85\x99\x5a\x4a\x97"
"\xde\x7a\xfd\xe8\xd3\xc7\x4f\xcf\xdd\x5c\x72\xb8\x55\xa2\xd1\xfc\x3b"
"\xd5\x96\xaa\xb7\x9e\x97\xd2\x63\x39\x9e\xcc\xf1\x2f\xf2\x83\xeb\x1f"
"\xbe\x72\xb2\x3d\xbe\x91\xe3\x5a\x9a\x4f\xb5\x54\x6b\x2d\x4f\x4f\x5d"
"\x6b\xd5\xb4\x35\xa5\x74\x3e\xed\x4d\x97\x53\x23\xed\xbe\x74\xe5\xb5"
"\x77\xe6\x9f\x3c\x7e\xe1\xd8\xc5\x7d\xef\xbe\x71\xe8\xea\x9d\x7b\x07"
"\x00\x00\x00\x60\xe3\xfb\x7f\x00\x00\x00\xff\xff\xb0\xb8\x0e\x84",
2634);
syz_mount_image(/*fs=*/0x20000000, /*dir=*/0x20000a80,
/*flags=MS_NOEXEC|MS_NODIRATIME*/ 0x808,
/*opts=*/0x200000c0, /*chdir=*/1, /*size=*/0xa4a,
/*img=*/0x20001540);
break;
case 1:
memcpy((void*)0x20000000, "./bus\000", 6);
res = syscall(__NR_open, /*file=*/0x20000000ul, /*flags=*/0ul,
/*mode=*/0ul);
if (res != -1)
r[0] = res;
break;
case 2:
memcpy((void*)0x20007f80, "./bus\000", 6);
res = syscall(
__NR_open, /*file=*/0x20007f80ul,
/*flags=O_SYNC|O_NOCTTY|O_NOATIME|O_DIRECT|O_CREAT|0x2*/ 0x145142ul,
/*mode=*/0ul);
if (res != -1)
r[1] = res;
break;
case 3:
*(uint64_t*)0x200002c0 = 6;
*(uint64_t*)0x200002c8 = 0;
syscall(__NR_cachestat, /*fd=*/r[1], /*cstat_range=*/0x200002c0ul,
/*cstat=*/0x20000300ul, /*flags=*/0ul);
break;
case 4:
memcpy((void*)0x20000100, "mountinfo\000", 10);
res = -1;
res = syz_open_procfs(/*pid=*/-1, /*file=*/0x20000100);
if (res != -1)
r[2] = res;
break;
case 5:
memcpy((void*)0x20000a40, "./bus\000", 6);
res = syscall(__NR_open, /*file=*/0x20000a40ul,
/*flags=O_TRUNC|O_SYNC|O_NONBLOCK|O_NOATIME|O_CREAT|O_RDWR*/
0x141a42ul,
/*mode=*/0ul);
if (res != -1)
r[3] = res;
break;
case 6:
memcpy((void*)0x20000040, "/dev/adsp1\000", 11);
res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
/*file=*/0x20000040ul,
/*flags=O_NOFOLLOW*/ 0x20000ul, /*mode=*/0ul);
if (res != -1)
r[4] = res;
break;
case 7:
syscall(__NR_ptrace, /*req=PTRACE_ATTACH*/ 0x10ul, /*pid=*/0, 0, 0);
break;
case 8:
memcpy(
(void*)0x20000140,
"\x1d\x7f\x3e\xf3\xf0\xb0\x12\x9f\x8d\x08\x32\x26\x51\x0e\xcc\x07\x13"
"\xb2\xaf\x6e\x79\x01\xa6\x07\x53\x2f\xa2\xa7\x17\x6f\xef\xdd\x7e\x66"
"\xe6\x40\x2e\xf8\xb5\x79\xa0\x0d\xd8\x3d\x55\x51\x82\xaf\xa0\x44\xf6"
"\x5b\x0a\xc6\x68\xc2\x06\x3a\xc3\x3b\x34\xbb\x48\x41\x1c\x11\xd4\x56"
"\xd5\x84\xec\x41\x40\xae\xbe\x97\xe1\x95\x0a\xd7\xc4\xbd\x2b\xff\xce"
"\xf1\x75\x62\x5a\x27\xa1\x1f\x55\x9e\x8d\xdb\x03\x1d\x27\xc2\xbe\x3a"
"\x22\x16\xa1\xe9\xf8\x7f\x5d\x68\xb8\xb0\xb6\x90\xe6\x7b\xfc\xc8\xa8"
"\xec\x9a\xf9\x98\xc1\xa8\xea\xef\x21\x5c\x77\x1e\x45\xee\xe0\x15\xe8"
"\xce\x9b\x17\x01\x5d\xa7\x9c\x48\xa7\xb8\x74\x59\xc4\xa8\x87\x81\xff"
"\xd9\xd1\xec\x68\x70\xc4\xd7\x22\x0f\xfc\x6a\x66\xf7\x82\x8d\xb1\x29"
"\x7a\xa1\x2e\x00\x50\x3d\xde\x7a\x5c",
179);
memcpy((void*)0x20000200,
"\x99\x46\x65\xd2\xb9\xd5\x23\x9b\x78\x9d\x65\xf6\xec\x18\x4c\x1e"
"\xa6\x70\x03\xce\x8f\x47\x47\x55\xe4\x39\xf5\x85\x60\xc4\x2a\x24"
"\x1a\x31\xe5\x40\x47\x9e\x07\x52\xca\xd1\x78\x84\xd9\x02\x4c\xb8"
"\x54\xdc\x67\x98\xad\xa6\x25\x50\xc8\x26\x4b\x54\x88\xda\xff\x53"
"\x87\x41\x9b\x22\xf0\x1f\xa5\x76\x30\x31\x7e\x8c\x24\xac\x37\xd8"
"\x92\xd7\x0e\x38\x0b\x71\x64\xdf\xaa\x88\x6b\x72\xa1\x7f\x08\xdf"
"\x76\xc1\x05\x7a\x22\x68\xb3\x9a\xad\x4e\x0e\x75\x9e\xef\x1a\xbc"
"\x6e\x5e\x66\x4e\x7f\x30\x57\xc1\xd7\x0d\x89\x7b\xa5\x10\x46\x64"
"\xe9\x6d\x92\xc1\xd8\xbd\x42\x0f\x78\x36\x8f\x52\x21\x69\xf7\x13"
"\xed\x03\x31\x5d\x69\xde\x28\xd7\x7a\xf2\x7e\xc8\x88\x1f\x54\x63"
"\x3a\x5d\xd5\xd5\x46\x35\xe7\x4a\xd8\xc8\x96\x91\x8c",
173);
res = -1;
res = syz_clone(/*flags=CLONE_IO*/ 0x80000000, /*stack=*/0x20000140,
/*stack_len=*/0xb3, /*parentid=*/0x20000080,
/*childtid=*/0x200000c0, /*tls=*/0x20000200);
if (res != -1)
r[5] = res;
break;
case 9:
syscall(__NR_fcntl, /*fd=*/r[4], /*cmd=*/8ul, /*pid=*/r[5]);
break;
case 10:
syscall(__NR_sendfile, /*fdout=*/r[3], /*fdin=*/r[2], /*off=*/0ul,
/*count=*/0x100800001ul);
break;
case 11:
syscall(__NR_sendfile, /*fdout=*/r[0], /*fdin=*/r[1], /*off=*/0ul,
/*count=*/0x1000000201003ul);
break;
}
}
int main(void) {
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
loop();
return 0;
}
Raw
repro.txt
syz_mount_image$nilfs2(&(0x7f0000000000), &(0x7f0000000a80)='./file0\x00', 0x808, &(0x7f00000000c0)=ANY=[], 0x1, 0xa4a, &(0x7f0000001540)="$eJzs3U2MW0cdAPDx7nrTfJQ4JaFLGtqEQls+uttslvARQVI1QiJqKm6VKi5RmpaINCBSCVr1kOTEjVZVuPIhTr1UgJDoBUU9calEI1VIPRUOHIiCVIkDFJJF8c547X9sPXuzWa/Xv580O543Y8887/Pz83tvZhIwtiaafxcWZmopXXrr9aP/eOjvm28uOdwq0Wj+nWpL1VNKtZyeCq/3weRSfP3DV052i2tpvvm3pNNT11rP3ZpSOp/2psupkXZfuvLaO/NPHr9w7OK+d984dPXOrD0AAIyXb18+tLDrr3++b8dHb95/JG1qLS/H542c3paP+4/kA/9y/D+ROtO1ttBuOpSbymEilJvsUq69nnooN9Wj/unwuvUe5TZV1D/ZtqzbesMoK9txI9UmZjvSExOzs0u/yVPzd/10bfbs6TPPnRtSQ4FV968HUkp7RygcXgdtWGFYXAdtGMlwZB20YYOGxe3D3gMBLInXC29xPp5ZuD2tV5vqr/5rj090fz6sgrXe/tU/WvX/+oI9Dqtno25NZb3K52hbTsfrCPH+pd6fv3ilo3NpvB5R77Odva4jjMr1hV7tnFzjdqxUr/bH7WKj+nqOy/vwjZDf/vmJ/9NR+R8D3f171M7/C8K4h7R6r7U45P0PsH7F++YWs5If7+uL+Zsq8u+qyN9ckb+lIn9rRT6Ms9+9+NP0am35d378TT/o+fBynu3uHH9swPbE85GD1h/v+x3U7dYf7yeG9ewPJ54+9ZVnn7mydP9/rbX938jbe/m50cifrcu5QDlfGM+rt+79b3TWM9Gj3D2hPXd3Kd98vLOzXG3n8uuktv3MLe2Y6Xze9l7l9nSWa4Rym3O4K7Q3Hp9sCc8rxx9lv1rer6mwvvWwHtOhHWW/siPHsR2wEmV77HX/f9k+Z1K99tzpM6cey+mynf5psr7p5vL9a9xu4Pb12/9nJnX2/9nWWl6faN8vbF9eXmvfLzTC8vkeyw/kdPme++7k5uby2ZPfP/Psaq88jLlzL738vRNnzpz6oQcrfvDN9dEMDzxYxQfD3jMBd9rciy/8YO7cSy8/evqFE8+fev7U2QMHDx6Ynz/41QMLc83j+rn2o3tgI1n+0h92SwAAAAAAAAAAAIB+/ejY0Svvvf3l95f6/y/3/yv9/8udv6X//09C///YT770gy/9AHd0yW+WCQOsTody9Rw+Htq7M9SzKzzvEzluzeOX+/+X6uK4rqU994blcfzeUi4MJ3DLeCnTYQySOF/gp3N8Mce/SjBEtc3dF+e4anzrsq2X8SmMSzGayv+tbA1lHJPS/7vruE5t/+wda9BGVt9adCcc9joC3f3T+N+CMLZhcbHXLB79zmADsDqGPf9nOe9Z4rN//NZdN0Mpdu3xzv1lHL8UBvGX9zrT633+SfVvrPk/W/Pf9b3/CzPmNVZW739+fvX9tmrT7n7rj+tfxoHeOVj9H+X6y9o8nPqrf/GXof54QahP/w31b+mz/lvWf8/K6v9frr+8bY882G/9Sy2uTXS2I543Ltf/4nnj4npY/zK258Drv8KJGm/k+mGcjco8s4MK8/+2DtpXPv9vdn515//tJd6H8aWcLjvCcp9DnO9k0PaX+yvK98Cu8Pq1iu838/+Otq/luOrzUOb/LdtjI3/lt6Wb72VJ17u8txt1XwOj6gPX/wRhzUNrnrght2NxcfHOntCqMNTKGfr7P+zfCcOuf9jvf5U4/288ho/z/8b8OP9vzI/z/8b8OL9ezI/z/8b3M87/G/PvDa8b5weeqcj/ZEX+7u75rZ/t91U8f09F/qcq8vdV5N9fkf9ARf49FfkPVuR/piL/sxX5D1XkP1KR/7mK/I2u9EcZ1/WHcRb75/n8w/go1396ff53VuQDo+tnb+5/4pnffqex1P9/unU+pFzHO5LT9fzb+cc5Ha97p7b0zby3c/pvIX+9n++AcRLHz4jf7w9X5AOjq9zn5fMNY6jWfcSefset6nWcz2j5fI6/kOMv5vjRHM/meC7H+3M8v0bt48544je/P/Rqbfn3/vaQ3+/95LE/UMc4USmlA322J54fGPR+9jiO36But/4VdgcDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYmonm34WFmVpKl956/ejTx0/P3VxyuFWi0fw71Zaqt56X0mM5nszxL/KD6x++crI9vpHjWppPtVRrLU9PXWvVtDWldD7tTZdTI+2+dOW1d+afPH7h2MV9775x6OqdewcAAABg4/t/AAAA//+wuA6E")
r0 = open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) (async)
r1 = open(&(0x7f0000007f80)='./bus\x00', 0x145142, 0x0)
cachestat(r1, &(0x7f00000002c0)={0x6}, &(0x7f0000000300), 0x0) (async)
r2 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000100)='mountinfo\x00') (async)
r3 = open(&(0x7f0000000a40)='./bus\x00', 0x141a42, 0x0)
r4 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0x20000, 0x0) (async)
ptrace(0x10, 0x0) (async)
r5 = syz_clone(0x80000000, &(0x7f0000000140)="1d7f3ef3f0b0129f8d083226510ecc0713b2af6e7901a607532fa2a7176fefdd7e66e6402ef8b579a00dd83d555182afa044f65b0ac668c2063ac33b34bb48411c11d456d584ec4140aebe97e1950ad7c4bd2bffcef175625a27a11f559e8ddb031d27c2be3a2216a1e9f87f5d68b8b0b690e67bfcc8a8ec9af998c1a8eaef215c771e45eee015e8ce9b17015da79c48a7b87459c4a88781ffd9d1ec6870c4d7220ffc6a66f7828db1297aa12e00503dde7a5c", 0xb3, &(0x7f0000000080), &(0x7f00000000c0), &(0x7f0000000200)="994665d2b9d5239b789d65f6ec184c1ea67003ce8f474755e439f58560c42a241a31e540479e0752cad17884d9024cb854dc6798ada62550c8264b5488daff5387419b22f01fa57630317e8c24ac37d892d70e380b7164dfaa886b72a17f08df76c1057a2268b39aad4e0e759eef1abc6e5e664e7f3057c1d70d897ba5104664e96d92c1d8bd420f78368f522169f713ed03315d69de28d77af27ec8881f54633a5dd5d54635e74ad8c896918c")
fcntl$setown(r4, 0x8, r5) (async)
sendfile(r3, r2, 0x0, 0x100800001) (async)
sendfile(r0, r1, 0x0, 0x1000000201003)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment