From owner-svn-src-user@freebsd.org  Sun Apr 12 05:59:21 2020
Return-Path: <owner-svn-src-user@freebsd.org>
Delivered-To: svn-src-user@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 857202B36B7
 for <svn-src-user@mailman.nyi.freebsd.org>;
 Sun, 12 Apr 2020 05:59:21 +0000 (UTC) (envelope-from pho@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 490Lfx1Jnvz4g4K;
 Sun, 12 Apr 2020 05:59:21 +0000 (UTC) (envelope-from pho@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 2826224B61;
 Sun, 12 Apr 2020 05:59:21 +0000 (UTC) (envelope-from pho@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 03C5xL2D099773;
 Sun, 12 Apr 2020 05:59:21 GMT (envelope-from pho@FreeBSD.org)
Received: (from pho@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 03C5xKI3099770;
 Sun, 12 Apr 2020 05:59:20 GMT (envelope-from pho@FreeBSD.org)
Message-Id: <202004120559.03C5xKI3099770@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: pho set sender to pho@FreeBSD.org
 using -f
From: Peter Holm <pho@FreeBSD.org>
Date: Sun, 12 Apr 2020 05:59:20 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-user@freebsd.org
Subject: svn commit: r359820 - user/pho/stress2/misc
X-SVN-Group: user
X-SVN-Commit-Author: pho
X-SVN-Commit-Paths: user/pho/stress2/misc
X-SVN-Commit-Revision: 359820
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-user@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "SVN commit messages for the experimental &quot; user&quot;
 src tree" <svn-src-user.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-user>,
 <mailto:svn-src-user-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-user/>
List-Post: <mailto:svn-src-user@freebsd.org>
List-Help: <mailto:svn-src-user-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-user>,
 <mailto:svn-src-user-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Apr 2020 05:59:21 -0000

Author: pho
Date: Sun Apr 12 05:59:20 2020
New Revision: 359820
URL: https://svnweb.freebsd.org/changeset/base/359820

Log:
  Added more syzkaller reproducers.

Added:
  user/pho/stress2/misc/syzkaller5.sh   (contents, props changed)
  user/pho/stress2/misc/syzkaller6.sh   (contents, props changed)
  user/pho/stress2/misc/syzkaller7.sh   (contents, props changed)

Added: user/pho/stress2/misc/syzkaller5.sh
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ user/pho/stress2/misc/syzkaller5.sh	Sun Apr 12 05:59:20 2020	(r359820)
@@ -0,0 +1,84 @@
+#!/bin/sh
+
+# panic: to_ticks == 0 for timer type 11
+# cpuid = 0
+# time = 1585113766
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe0024a5e4b0
+# vpanic() at vpanic+0x1c7/frame 0xfffffe0024a5e510
+# panic() at panic+0x43/frame 0xfffffe0024a5e570
+# sctp_timer_start() at sctp_timer_start+0xc7f/frame 0xfffffe0024a5e5d0
+# sctp_lower_sosend() at sctp_lower_sosend+0x4b9a/frame 0xfffffe0024a5e7b0
+# sctp_sosend() at sctp_sosend+0x501/frame 0xfffffe0024a5e8e0
+# sosend() at sosend+0xc6/frame 0xfffffe0024a5e950
+# kern_sendit() at kern_sendit+0x33d/frame 0xfffffe0024a5ea00
+# sendit() at sendit+0x224/frame 0xfffffe0024a5ea60
+# sys_sendto() at sys_sendto+0x5c/frame 0xfffffe0024a5eac0
+# amd64_syscall() at amd64_syscall+0x2f4/frame 0xfffffe0024a5ebf0
+# fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe0024a5ebf0
+
+# Fixed by r359405
+
+# $FreeBSD$
+
+[ `uname -p` = "i386" ] && exit 0
+
+. ../default.cfg
+cat > /tmp/syzkaller5.c <<EOF
+// https://syzkaller.appspot.com/bug?id=0cebb51a059e6a7e259573cc2dd635db8dffcb80
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+int main(void)
+{
+  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul);
+  intptr_t res = 0;
+  res = syscall(SYS_socket, 0x1cul, 5ul, 0x84);
+  if (res != -1)
+    r[0] = res;
+  *(uint32_t*)0x20000200 = 0;
+  *(uint32_t*)0x20000204 = 0;
+  *(uint32_t*)0x20000208 = 0xfffffffb;
+  *(uint32_t*)0x2000020c = 0;
+  syscall(SYS_setsockopt, r[0], 0x84, 1, 0x20000200ul, 0x3f6ul);
+  memcpy((void*)0x20000040, "\x11", 1);
+  *(uint8_t*)0x20000100 = 0x10;
+  *(uint8_t*)0x20000101 = 2;
+  *(uint16_t*)0x20000102 = htobe16(0x4e21);
+  *(uint8_t*)0x20000104 = 0xac;
+  *(uint8_t*)0x20000105 = 0x14;
+  *(uint8_t*)0x20000106 = 0;
+  *(uint8_t*)0x20000107 = 0xbb;
+  *(uint8_t*)0x20000108 = 0;
+  *(uint8_t*)0x20000109 = 0;
+  *(uint8_t*)0x2000010a = 0;
+  *(uint8_t*)0x2000010b = 0;
+  *(uint8_t*)0x2000010c = 0;
+  *(uint8_t*)0x2000010d = 0;
+  *(uint8_t*)0x2000010e = 0;
+  *(uint8_t*)0x2000010f = 0;
+  syscall(SYS_sendto, r[0], 0x20000040ul, 1ul, 0x104ul, 0x20000100ul, 0x10ul);
+  return 0;
+}
+EOF
+mycc -o /tmp/syzkaller5 -Wall -Wextra -O2 /tmp/syzkaller5.c -lpthread ||
+    exit 1
+
+(cd /tmp; ./syzkaller5)
+
+rm /tmp/syzkaller5 /tmp/syzkaller5.c
+exit 0

Added: user/pho/stress2/misc/syzkaller6.sh
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ user/pho/stress2/misc/syzkaller6.sh	Sun Apr 12 05:59:20 2020	(r359820)
@@ -0,0 +1,85 @@
+#!/bin/sh
+
+# panic: to_ticks == 0 for timer type 2
+# cpuid = 1
+# time = 1585113958
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe0024a54420
+# vpanic() at vpanic+0x1c7/frame 0xfffffe0024a54480
+# panic() at panic+0x43/frame 0xfffffe0024a544e0
+# sctp_timer_start() at sctp_timer_start+0xc7f/frame 0xfffffe0024a54540
+# sctp_send_initiate() at sctp_send_initiate+0x10b/frame 0xfffffe0024a545d0
+# sctp_lower_sosend() at sctp_lower_sosend+0x3f54/frame 0xfffffe0024a547b0
+# sctp_sosend() at sctp_sosend+0x501/frame 0xfffffe0024a548e0
+# sosend() at sosend+0xc6/frame 0xfffffe0024a54950
+# kern_sendit() at kern_sendit+0x33d/frame 0xfffffe0024a54a00
+# sendit() at sendit+0x224/frame 0xfffffe0024a54a60
+# sys_sendto() at sys_sendto+0x5c/frame 0xfffffe0024a54ac0
+# amd64_syscall() at amd64_syscall+0x2f4/frame 0xfffffe0024a54bf0
+# fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe0024a54bf0
+
+# $FreeBSD$
+
+# Fixed by r359405
+
+[ `uname -p` = "i386" ] && exit 0
+
+. ../default.cfg
+cat > /tmp/syzkaller6.c <<EOF
+// https://syzkaller.appspot.com/bug?id=86fc212419e315473f7db833b9c835be21f17029
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+int main(void)
+{
+  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul);
+  intptr_t res = 0;
+  res = syscall(SYS_socket, 0x1cul, 5ul, 0x84);
+  if (res != -1)
+    r[0] = res;
+  *(uint32_t*)0x20000200 = 0;
+  *(uint32_t*)0x20000204 = 0xfffffff9;
+  *(uint32_t*)0x20000208 = 0xfffffffb;
+  *(uint32_t*)0x2000020c = 0;
+  syscall(SYS_setsockopt, r[0], 0x84, 1, 0x20000200ul, 0x39eul);
+  memcpy((void*)0x20000040, "\x11", 1);
+  *(uint8_t*)0x20000100 = 0x10;
+  *(uint8_t*)0x20000101 = 2;
+  *(uint16_t*)0x20000102 = htobe16(0x4e21);
+  *(uint8_t*)0x20000104 = 0xac;
+  *(uint8_t*)0x20000105 = 0x14;
+  *(uint8_t*)0x20000106 = 0;
+  *(uint8_t*)0x20000107 = 0xbb;
+  *(uint8_t*)0x20000108 = 0;
+  *(uint8_t*)0x20000109 = 0;
+  *(uint8_t*)0x2000010a = 0;
+  *(uint8_t*)0x2000010b = 0;
+  *(uint8_t*)0x2000010c = 0;
+  *(uint8_t*)0x2000010d = 0;
+  *(uint8_t*)0x2000010e = 0;
+  *(uint8_t*)0x2000010f = 0;
+  syscall(SYS_sendto, r[0], 0x20000040ul, 1ul, 0ul, 0x20000100ul, 0x10ul);
+  return 0;
+}
+EOF
+mycc -o /tmp/syzkaller6 -Wall -Wextra -O2 /tmp/syzkaller6.c -lpthread ||
+    exit 1
+
+(cd /tmp; ./syzkaller6)
+
+rm /tmp/syzkaller6 /tmp/syzkaller6.c
+exit 0

Added: user/pho/stress2/misc/syzkaller7.sh
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ user/pho/stress2/misc/syzkaller7.sh	Sun Apr 12 05:59:20 2020	(r359820)
@@ -0,0 +1,163 @@
+#!/bin/sh
+
+# panic: Duplicate free of 0xfffff800049ad800 from zone 
+# 0xfffff800041e82c0(mbuf) slab 0xfffff800049adf90(8)
+#
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 
+# 0xfffffe0016b2c4a0
+# vpanic() at vpanic+0x1e0/frame 0xfffffe0016b2c500
+# panic() at panic+0x43/frame 0xfffffe0016b2c560
+# uma_dbg_free() at uma_dbg_free+0x246/frame 0xfffffe0016b2c5b0
+# uma_zfree_arg() at uma_zfree_arg+0x1aa/frame 0xfffffe0016b2c640
+# uipc_ready() at uipc_ready+0x19f/frame 0xfffffe0016b2c690
+# sendfile_iodone() at sendfile_iodone+0x342/frame 0xfffffe0016b2c6f0
+# vnode_pager_generic_getpages_done_async() at 
+# vnode_pager_generic_getpages_done_async+0x4a/frame 0xfffffe0016b2c720
+# bufdone() at bufdone+0xa1/frame 0xfffffe0016b2c7a0
+# g_io_deliver() at g_io_deliver+0x35b/frame 0xfffffe0016b2c800
+# g_io_deliver() at g_io_deliver+0x35b/frame 0xfffffe0016b2c860
+# g_io_deliver() at g_io_deliver+0x35b/frame 0xfffffe0016b2c8c0
+# g_disk_done() at g_disk_done+0x179/frame 0xfffffe0016b2c910
+# dadone() at dadone+0x655/frame 0xfffffe0016b2c9a0
+# xpt_done_process() at xpt_done_process+0x5b2/frame 0xfffffe0016b2ca00
+# xpt_done_td() at xpt_done_td+0x175/frame 0xfffffe0016b2ca60
+# fork_exit() at fork_exit+0xb0/frame 0xfffffe0016b2cab0
+# fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0016b2cab0
+# --- trap 0, rip = 0, rsp = 0, rbp = 0 ---
+
+# $FreeBSD$
+
+# Not reproduced on r359769
+# Fixed by r359779
+
+[ `uname -p` = "i386" ] && exit 0
+
+. ../default.cfg
+cat > /tmp/syzkaller7.c <<EOF
+// https://syzkaller.appspot.com/bug?id=3a27f6d4656356facc22a9329be797ef1143d0ad
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <sys/types.h>
+
+#include <pwd.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+static void kill_and_wait(int pid, int* status)
+{
+  kill(pid, SIGKILL);
+  while (waitpid(-1, status, 0) != pid) {
+  }
+}
+
+static void sleep_ms(uint64_t ms)
+{
+  usleep(ms * 1000);
+}
+
+static uint64_t current_time_ms(void)
+{
+  struct timespec ts;
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    exit(1);
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static void execute_one(void);
+
+#define WAIT_FLAGS 0
+
+static void loop(void)
+{
+  int iter;
+  for (iter = 0;; iter++) {
+    int pid = fork();
+    if (pid < 0)
+      exit(1);
+    if (pid == 0) {
+      execute_one();
+      exit(0);
+    }
+    int status = 0;
+    uint64_t start = current_time_ms();
+    for (;;) {
+      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
+        break;
+      sleep_ms(1);
+      if (current_time_ms() - start < 5 * 1000)
+        continue;
+      kill_and_wait(pid, &status);
+      break;
+    }
+  }
+}
+
+uint64_t r[5] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
+                 0xffffffffffffffff, 0xffffffffffffffff};
+
+void execute_one(void)
+{
+  long res = 0;
+  memcpy((void*)0x20001180, "./file0\000", 8);
+  res = syscall(SYS_open, 0x20001180, 0x8240, 0);
+  if (res != -1)
+    r[0] = res;
+  res = syscall(SYS_socketpair, 1, 1, 0, 0x20000100);
+  if (res != -1) {
+    r[1] = *(uint32_t*)0x20000100;
+    r[2] = *(uint32_t*)0x20000104;
+  }
+  memcpy((void*)0x20000480, "./file0\000", 8);
+  res = syscall(SYS_open, 0x20000480, 0x80000000000206, 0);
+  if (res != -1)
+    r[3] = res;
+  res = syscall(SYS_dup, r[3]);
+  if (res != -1)
+    r[4] = res;
+  *(uint64_t*)0x20000100 = 0x200002c0;
+  memcpy((void*)0x200002c0, "\xdd", 1);
+  *(uint64_t*)0x20000108 = 1;
+  syscall(SYS_pwritev, r[4], 0x20000100, 1, 0);
+  *(uint64_t*)0x20002e80 = 0x20000540;
+  memcpy((void*)0x20000540, "\x7f", 1);
+  *(uint64_t*)0x20002e88 = 1;
+  syscall(SYS_pwritev, r[3], 0x20002e80, 1, 0xbf24);
+  memcpy((void*)0x200004c0,
+         "\x89\x88\xaa\x4a\xc3\x95\x23\x77\x54\xee\x66\xf3\x8d\xa4\xae\xf3\x47"
+         "\x6d\x78\xb7\x1f\xe6\x0d\xb7\x4a\x9f\xb9\xc9\x99\x91\x6c\x98",
+         32);
+  syscall(SYS_setsockopt, r[2], 0, 2, 0x200004c0, 0x20);
+  syscall(SYS_fcntl, r[4], 4, 0x10044);
+  syscall(SYS_read, r[4], 0x20000000, 0x6d999);
+  syscall(SYS_sendfile, r[0], r[1], 0, 2);
+}
+int main(void)
+{
+  syscall(SYS_mmap, 0x20000000, 0x1000000, 3, 0x1012, -1, 0);
+  loop();
+  return 0;
+}
+EOF
+mycc -o /tmp/syzkaller7 -Wall -Wextra -O2 /tmp/syzkaller7.c -lpthread ||
+    exit 1
+
+(cd /tmp; ./syzkaller7) &
+sleep 60
+pkill -9 syzkaller7
+wait
+
+rm -f /tmp/syzkaller7 /tmp/syzkaller7.c /tmp/syzkaller7.core /tmp/file0
+exit 0