Date:      Mon, 23 Mar 2026 11:16:25 +0000
From:      Peter Holm <pho@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 4f8a1b4dffa8 - main - stress2: Added syzkaller reproducers. Update the exclude file
Message-ID:  <69c12109.382de.5ee99536@gitrepo.freebsd.org>


The branch main has been updated by pho:

URL: https://cgit.FreeBSD.org/src/commit/?id=4f8a1b4dffa8a6fa5fbe7fce05278792afd83a82

commit 4f8a1b4dffa8a6fa5fbe7fce05278792afd83a82
Author:     Peter Holm <pho@FreeBSD.org>
AuthorDate: 2026-03-23 11:15:29 +0000
Commit:     Peter Holm <pho@FreeBSD.org>
CommitDate: 2026-03-23 11:15:29 +0000

    stress2: Added syzkaller reproducers. Update the exclude file
---
 tools/test/stress2/misc/all.exclude    |  13 +-
 tools/test/stress2/misc/syzkaller90.sh | 228 +++++++++++++++++
 tools/test/stress2/misc/syzkaller91.sh | 217 ++++++++++++++++
 tools/test/stress2/misc/syzkaller92.sh | 265 +++++++++++++++++++
 tools/test/stress2/misc/syzkaller93.sh | 137 ++++++++++
 tools/test/stress2/misc/syzkaller94.sh | 185 ++++++++++++++
 tools/test/stress2/misc/syzkaller95.sh | 453 +++++++++++++++++++++++++++++++++
 tools/test/stress2/misc/syzkaller96.sh | 162 ++++++++++++
 tools/test/stress2/misc/syzkaller97.sh | 194 ++++++++++++++
 tools/test/stress2/misc/syzkaller98.sh | 268 +++++++++++++++++++
 tools/test/stress2/misc/syzkaller99.sh | 143 +++++++++++
 11 files changed, 2262 insertions(+), 3 deletions(-)

diff --git a/tools/test/stress2/misc/all.exclude b/tools/test/stress2/misc/all.exclude
index a802f7c21cb1..9ec5bffde0f6 100644
--- a/tools/test/stress2/misc/all.exclude
+++ b/tools/test/stress2/misc/all.exclude
@@ -22,6 +22,7 @@ gjournal3.sh		panic: Bio not on queue						20171225
 gjournal4.sh		CAM stuck in vmwait						20180517
 gnop10.sh		Waiting for fix							20230319
 gnop13.sh		https://people.freebsd.org/~pho/stress/log/log0386.txt		20221113
+gnop3.sh		CAM stuck in vmwait						20260219
 gnop7.sh		Waiting for patch commit					20190820
 gnop8.sh		Waiting for patch commit					20201214
 gnop9.sh		Waiting for patch commit					20201214
@@ -29,8 +30,6 @@ graid1_3.sh		Hang seen							20250915
 graid1_8.sh		Known issue							20170909
 graid1_9.sh		panic: Bad effnlink						20180212
 gunion.sh		CAM stuk in vmwait						20251226
-ifconfig.sh		https://people.freebsd.org/~pho/stress/log/log0626.txt		20251217
-ifconfig2.sh		Hang in ifnet_de, vlan_sx and sbwait				20250114
 lockf5.sh		Spinning threads seen						20160718
 maxvnodes2.sh		https://people.freebsd.org/~pho/stress/log/log0083.txt		20210329
 memguard.sh		https://people.freebsd.org/~pho/stress/log/log0088.txt		20210402
@@ -71,10 +70,18 @@ syzkaller16.sh		zonelimit issue							20210722
 syzkaller28.sh		panic: About to free ctl:0x... so:0x... and its in 1		20201120
 syzkaller55.sh		https://people.freebsd.org/~pho/stress/log/log0533.txt		20240702
 syzkaller59.sh		Page fault							20220625
+syzkaller68.sh		Can not unload zfs.ko after this test				20260206
 syzkaller80.sh		panic								20250711
 syzkaller82.sh		panic: m_apply, length > size of mbuf chain			20250724
 syzkaller85.sh		panic: Assertion uio->uio_resid < 0 failed			20250928
-syzkaller89.sh		panic: MNT_DEFERRED requires MNT_RECURSE | MNT_FORCE		20241224
+syzkaller90.sh		panic: general protection fault					20260318
+syzkaller91.sh		Kernel page fault with the following non-sleepable locks held	20260318
+syzkaller92.sh		Kernel page fault with the following non-sleepable locks held	20260318
+syzkaller93.sh		panic: _free(0): addr 0xfffff802f7e5a7b8 slab 0xfffffffffffffff	20260318
+syzkaller94.sh		panic: ata_action: ccb 0xfffff80347e777b8, func_code 0x1 should	20260318
+syzkaller95.sh		Kernel page fault with the following non-sleepable locks held	20260318
+syzkaller97.sh		panic: cam_periph_ccbwait: proceeding with incomplete ccb	20260318
+syzkaller98.sh		panic: dst_m 0xfffffe00130fd920 is not wired			20260318
 quota3.sh		https://people.freebsd.org/~pho/stress/log/log0604.txt		20250728
 quota6.sh		https://people.freebsd.org/~pho/stress/log/log0456.txt		20240707
 truss3.sh		WiP								20200915
diff --git a/tools/test/stress2/misc/syzkaller90.sh b/tools/test/stress2/misc/syzkaller90.sh
new file mode 100755
index 000000000000..f7ff78ff5f65
--- /dev/null
+++ b/tools/test/stress2/misc/syzkaller90.sh
@@ -0,0 +1,228 @@
+#!/bin/sh
+
+# cpuid = 4; apic id = 04
+# instruction pointer     = 0x20:0xffffffff803a1e9c
+# stack pointer           = 0x28:0xfffffe0202e4c930
+# frame pointer           = 0x28:0xfffffe0202e4c970
+# code segment            = base 0x0, limit 0xfffff, type 0x1b
+#                         = DPL 0, pres 1, long 1, def32 0, gran 1
+# processor eflags        = interrupt enabled, resume, IOPL = 0
+# current process         = 90315 (repro20)
+# rdi: fffff803157b7000 rsi: 0000000000000004 rdx: ffffffff81250a83
+# rcx: 0000000000000010  r8: 000000000000000e  r9: 1627af6b9da6f5a7
+# rax: 0000000000000010 rbx: fffff803157b7000 rbp: fffffe0202e4c970
+# r10: fffff803157b70c8 r11: fffff807cf9bfcd0 r12: 0000000000000001
+# r13: fffff803157b7048 r14: fffff800035e0ac0 r15: 6e3642f32a3ae6f2
+# trap number             = 9
+# panic: general protection fault
+# cpuid = 4
+# time = 1773820163
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0202e4c6b0
+# vpanic() at vpanic+0x136/frame 0xfffffe0202e4c7e0
+# panic() at panic+0x43/frame 0xfffffe0202e4c840
+# trap_fatal() at trap_fatal+0x68/frame 0xfffffe0202e4c860
+# calltrap() at calltrap+0x8/frame 0xfffffe0202e4c860
+# --- trap 0x9, rip = 0xffffffff803a1e9c, rsp = 0xfffffe0202e4c930, rbp = 0xfffffe0202e4c970 ---
+# xpt_action_default() at xpt_action_default+0x80c/frame 0xfffffe0202e4c970
+# cam_periph_runccb() at cam_periph_runccb+0xec/frame 0xfffffe0202e4cac0
+# passsendccb() at passsendccb+0x160/frame 0xfffffe0202e4cb30
+# passdoioctl() at passdoioctl+0x3a1/frame 0xfffffe0202e4cb80
+# passioctl() at passioctl+0x22/frame 0xfffffe0202e4cbc0
+# devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe0202e4cc10
+# VOP_IOCTL_APV() at VOP_IOCTL_APV+0x51/frame 0xfffffe0202e4cc40
+# vn_ioctl() at vn_ioctl+0x160/frame 0xfffffe0202e4ccb0
+# devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe0202e4ccd0
+# kern_ioctl() at kern_ioctl+0x2a1/frame 0xfffffe0202e4cd40
+# sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe0202e4ce00
+# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe0202e4cf30
+# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0202e4cf30
+# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x823e9deca, rsp = 0x820edf228, rbp = 0x820edf250 ---
+# KDB: enter: panic
+# [ thread pid 90315 tid 851795 ]
+# Stopped at      kdb_enter+0x33: movq    $0,0x15e9d32(%rip)
+# db> x/s version
+# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
+# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
+# db> 
+
+# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
+# Bug 293888 - Fatal trap NUM: general protection fault while in kernel mode in cam_periph_runccb
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// Bug 293888 - Fatal trap NUM: general protection fault while in kernel mode in cam_periph_runccb 
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+int main(void)
+{
+  syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
+          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
+  const char* reason;
+  (void)reason;
+  intptr_t res = 0;
+  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+  }
+  //  openat\$pass_pass_cdevsw arguments: [
+  //    fd: const = 0xffffffffffffff9c (8 bytes)
+  //    file: ptr[in, buffer] {
+  //      buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
+  //    }
+  //    flags: open_flags = 0x2 (4 bytes)
+  //    mode: const = 0x0 (4 bytes)
+  //  ]
+  //  returns fd_pass_pass_cdevsw
+  memcpy((void*)0x200000000000, "/dev/pass0\000", 11);
+  res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
+                /*file=*/0x200000000000ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
+  if (res != -1)
+    r[0] = res;
+  //  ioctl\$CAMIOCOMMAND_pass_cdevsw arguments: [
+  //    fd: fd_pass_pass_cdevsw (resource)
+  //    cmd: const = 0xc4e01a02 (8 bytes)
+  //    arg: ptr[inout, ccb\$pass_cdevsw] {
+  //      union ccb\$pass_cdevsw {
+  //        nvmeio: ccb_nvmeio\$pass_cdevsw {
+  //          ccb_h: ccb_hdr\$pass_cdevsw {
+  //            pinfo: cam_pinfo\$pass_cdevsw {
+  //              priority: int32 = 0x8 (4 bytes)
+  //              generation: int32 = 0x6 (4 bytes)
+  //              index: int32 = 0xb406 (4 bytes)
+  //            }
+  //            pad = 0x0 (4 bytes)
+  //            xpt_links: camq_entry\$pass_cdevsw {
+  //              links_next: intptr = 0x100000000 (8 bytes)
+  //              priority: int32 = 0x70 (4 bytes)
+  //              pad = 0x0 (4 bytes)
+  //            }
+  //            sim_links: camq_entry\$pass_cdevsw {
+  //              links_next: intptr = 0x7 (8 bytes)
+  //              priority: int32 = 0x81 (4 bytes)
+  //              pad = 0x0 (4 bytes)
+  //            }
+  //            periph_links: camq_entry\$pass_cdevsw {
+  //              links_next: intptr = 0x8000000000000000 (8 bytes)
+  //              priority: int32 = 0xffffffc0 (4 bytes)
+  //              pad = 0x0 (4 bytes)
+  //            }
+  //            retry_count: int16 = 0xa5f (2 bytes)
+  //            alloc_flags: int16 = 0xb (2 bytes)
+  //            pad = 0x0 (4 bytes)
+  //            cbfcnp: intptr = 0x3ff (8 bytes)
+  //            func_code: int32 = 0x10 (4 bytes)
+  //            status: int32 = 0x3 (4 bytes)
+  //            path: intptr = 0xe10 (8 bytes)
+  //            path_id: int32 = 0x8 (4 bytes)
+  //            target_id: int32 = 0x7fffffff (4 bytes)
+  //            target_lun: int64 = 0x4 (8 bytes)
+  //            flags: int32 = 0xe (4 bytes)
+  //            xflags: int32 = 0x130d (4 bytes)
+  //            periph_priv: buffer: {5c d8 48 b0 e1 42 d0 a6 b0 73 4f 56 fb 07
+  //            08 b5} (length 0x10) sim_priv: buffer: {0f c0 f1 57 fc dc a5 76
+  //            71 ad 9f 46 0c eb b2 fc} (length 0x10) qos: buffer: {7a 6f cd f8
+  //            b3 f0 65 53 2e 65 18 29 70 c1 63 f1} (length 0x10) timeout:
+  //            int32 = 0x8000 (4 bytes) pad = 0x0 (4 bytes) softtimeout:
+  //            timeval {
+  //              sec: intptr = 0x6 (8 bytes)
+  //              usec: intptr = 0x9 (8 bytes)
+  //            }
+  //          }
+  //          payload: buffer: {ec d6 eb 0c 55 29 7e 1e f2 e6 3a 2a f3 42 36 6e
+  //          a7 f5 a6 9d 6b af 27 16 0d 12 f7 c7 a6 d3 dc 8d 89 88 c3 75 c4 2c
+  //          a8 fb 0a 90 70 3d c6 5a 63 b8 ac 32 e2 21 4b 36 13 0e 64 c1 86 b2
+  //          38 66 cc bf 6d c9 86 33 8c eb a1 fa b5 dd 55 c8 76 04 6d c2 b8 20
+  //          31 11 5f 24 8b f4 d7 00 7c 7a 4f 00 4e fd 2f 0f 57 bc c2 00 22 b1
+  //          23 4f 4b 19 c7 9a 47 1e b0 ea 60 87 f3 88 71 9d d1 e4 dd 15 da bf
+  //          0d 03 34 d9 32 bf b5 80 9f 72 80 dc 37 b2 0e 79 d3 96 93 12 50 0c
+  //          77 0b d9 9d 0c 93 0c b2 c8 03 bc 75 14 5a c0 50 dc 3f d3 92 ee 07
+  //          b5 a9 f2 85 76 a7 36 8d 6f 71 fb 8a cb ee 8c 0c 77 8d 81 b0 02 38
+  //          70 4a 3d c9 1a f5 4f 91 e6 a1 14 93 3e be a0 e8 7a 69 33 cc e4 d2
+  //          8c 88 af c9 05 d4 74 b0 87 a3 34 3b 0c 9e d4 42 bd 8e 03 24 91 2c
+  //          94 1f 5b 88 7c 0c b2 07 af 68 43 d0 5b cb f9 b2 64 ce b6 c9}
+  //          (length 0x100)
+  //        }
+  //      }
+  //    }
+  //  ]
+  *(uint32_t*)0x200000000140 = 8;
+  *(uint32_t*)0x200000000144 = 6;
+  *(uint32_t*)0x200000000148 = 0xb406;
+  *(uint64_t*)0x200000000150 = 0x100000000;
+  *(uint32_t*)0x200000000158 = 0x70;
+  *(uint64_t*)0x200000000160 = 7;
+  *(uint32_t*)0x200000000168 = 0x81;
+  *(uint64_t*)0x200000000170 = 0x8000000000000000;
+  *(uint32_t*)0x200000000178 = 0xffffffc0;
+  *(uint16_t*)0x200000000180 = 0xa5f;
+  *(uint16_t*)0x200000000182 = 0xb;
+  *(uint64_t*)0x200000000188 = 0x3ff;
+  *(uint32_t*)0x200000000190 = 0x10;
+  *(uint32_t*)0x200000000194 = 3;
+  *(uint64_t*)0x200000000198 = 0xe10;
+  *(uint32_t*)0x2000000001a0 = 8;
+  *(uint32_t*)0x2000000001a4 = 0x7fffffff;
+  *(uint64_t*)0x2000000001a8 = 4;
+  *(uint32_t*)0x2000000001b0 = 0xe;
+  *(uint32_t*)0x2000000001b4 = 0x130d;
+  memcpy((void*)0x2000000001b8,
+         "\x5c\xd8\x48\xb0\xe1\x42\xd0\xa6\xb0\x73\x4f\x56\xfb\x07\x08\xb5",
+         16);
+  memcpy((void*)0x2000000001c8,
+         "\x0f\xc0\xf1\x57\xfc\xdc\xa5\x76\x71\xad\x9f\x46\x0c\xeb\xb2\xfc",
+         16);
+  memcpy((void*)0x2000000001d8,
+         "\x7a\x6f\xcd\xf8\xb3\xf0\x65\x53\x2e\x65\x18\x29\x70\xc1\x63\xf1",
+         16);
+  *(uint32_t*)0x2000000001e8 = 0x8000;
+  *(uint64_t*)0x2000000001f0 = 6;
+  *(uint64_t*)0x2000000001f8 = 9;
+  memcpy(
+      (void*)0x200000000200,
+      "\xec\xd6\xeb\x0c\x55\x29\x7e\x1e\xf2\xe6\x3a\x2a\xf3\x42\x36\x6e\xa7\xf5"
+      "\xa6\x9d\x6b\xaf\x27\x16\x0d\x12\xf7\xc7\xa6\xd3\xdc\x8d\x89\x88\xc3\x75"
+      "\xc4\x2c\xa8\xfb\x0a\x90\x70\x3d\xc6\x5a\x63\xb8\xac\x32\xe2\x21\x4b\x36"
+      "\x13\x0e\x64\xc1\x86\xb2\x38\x66\xcc\xbf\x6d\xc9\x86\x33\x8c\xeb\xa1\xfa"
+      "\xb5\xdd\x55\xc8\x76\x04\x6d\xc2\xb8\x20\x31\x11\x5f\x24\x8b\xf4\xd7\x00"
+      "\x7c\x7a\x4f\x00\x4e\xfd\x2f\x0f\x57\xbc\xc2\x00\x22\xb1\x23\x4f\x4b\x19"
+      "\xc7\x9a\x47\x1e\xb0\xea\x60\x87\xf3\x88\x71\x9d\xd1\xe4\xdd\x15\xda\xbf"
+      "\x0d\x03\x34\xd9\x32\xbf\xb5\x80\x9f\x72\x80\xdc\x37\xb2\x0e\x79\xd3\x96"
+      "\x93\x12\x50\x0c\x77\x0b\xd9\x9d\x0c\x93\x0c\xb2\xc8\x03\xbc\x75\x14\x5a"
+      "\xc0\x50\xdc\x3f\xd3\x92\xee\x07\xb5\xa9\xf2\x85\x76\xa7\x36\x8d\x6f\x71"
+      "\xfb\x8a\xcb\xee\x8c\x0c\x77\x8d\x81\xb0\x02\x38\x70\x4a\x3d\xc9\x1a\xf5"
+      "\x4f\x91\xe6\xa1\x14\x93\x3e\xbe\xa0\xe8\x7a\x69\x33\xcc\xe4\xd2\x8c\x88"
+      "\xaf\xc9\x05\xd4\x74\xb0\x87\xa3\x34\x3b\x0c\x9e\xd4\x42\xbd\x8e\x03\x24"
+      "\x91\x2c\x94\x1f\x5b\x88\x7c\x0c\xb2\x07\xaf\x68\x43\xd0\x5b\xcb\xf9\xb2"
+      "\x64\xce\xb6\xc9",
+      256);
+  syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0xc4e01a02ul,
+          /*arg=*/0x200000000140ul);
+  return 0;
+}
+EOF
+mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
+
+timeout 3m /tmp/$prog > /dev/null 2>&1
+
+rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
+exit 0
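Review bot: The script reports success even when its precondition is missing: if `/dev/pass0` is absent, the `openat` near the top of main() fails, `r[0]` keeps its initial -1, the `ioctl` is then issued on an invalid descriptor, and the wrapper still finishes with `exit 0`, so a host without a CAM pass device silently "passes" a test that never exercised the bug. A guard before the compile step would make the skip explicit, e.g. `[ -c /dev/pass0 ] || { echo "$prog: no /dev/pass0, skipping"; exit 0; }`. The same applies to syzkaller91.sh and syzkaller92.sh, which open the same device. The status of `timeout 3m /tmp/$prog` is also discarded; if a timeout (status 124) should be distinguished from a clean run, it needs capturing before the cleanup `rm`.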
diff --git a/tools/test/stress2/misc/syzkaller91.sh b/tools/test/stress2/misc/syzkaller91.sh
new file mode 100755
index 000000000000..7f11fe33a6ca
--- /dev/null
+++ b/tools/test/stress2/misc/syzkaller91.sh
@@ -0,0 +1,217 @@
+#!/bin/sh
+
+#  Kernel page fault with the following non-sleepable locks held:
+#  exclusive sleep mutex CAM device lock (CAM device lock) r = 0 (0xfffff80006ad2cd0) locked @ cam/scsi/scsi_pass.c:1766
+#  stack backtrace:
+#  #0 0xffffffff80c4787c at witness_debugger+0x6c
+#  #1 0xffffffff80c49189 at witness_warn+0x4c9
+#  #2 0xffffffff81131d8c at trap_pfault+0x8c
+#  #3 0xffffffff811015a8 at calltrap+0x8
+#  #4 0xffffffff8039de7c at cam_periph_runccb+0xec
+#  #5 0xffffffff803d9160 at passsendccb+0x160
+#  #6 0xffffffff803d8821 at passdoioctl+0x3a1
+#  #7 0xffffffff803d8102 at passioctl+0x22
+#  #8 0xffffffff80a413b1 at devfs_ioctl+0xd1
+#  #9 0xffffffff81204821 at VOP_IOCTL_APV+0x51
+#  #10 0xffffffff80cf0890 at vn_ioctl+0x160
+#  #11 0xffffffff80a41a7e at devfs_ioctl_f+0x1e
+#  #12 0xffffffff80c4e3c1 at kern_ioctl+0x2a1
+#  #13 0xffffffff80c4e0bf at sys_ioctl+0x12f
+#  #14 0xffffffff811327d9 at amd64_syscall+0x169
+#  #15 0xffffffff81101e9b at fast_syscall_common+0xf8
+#  
+#  
+#  Fatal trap 12: page fault while in kernel mode
+#  cpuid = 9; apic id = 09
+#  fault virtual address   = 0x50
+#  fault code              = supervisor read data, page not present
+#  instruction pointer     = 0x20:0xffffffff803a1e9c
+#  stack pointer           = 0x28:0xfffffe01001f2930
+#  frame pointer           = 0x28:0xfffffe01001f2970
+#  code segment            = base 0x0, limit 0xfffff, type 0x1b
+#                          = DPL 0, pres 1, long 1, def32 0, gran 1
+#  processor eflags        = interrupt enabled, resume, IOPL = 0
+#  current process         = 3759 (syzkaller91)
+#  rdi: fffff80006ac0800 rsi: 0000000000000004 rdx: ffffffff81250a83
+#  rcx: 0000000000000010  r8: 0000000000000008  r9: 0000000000000000
+#  rax: 0000000000000010 rbx: fffff80006ac0800 rbp: fffffe01001f2970
+#  r10: fffff80006ac08c8 r11: 0000000000000001 r12: 0000000000000001
+#  r13: fffff80006ac0848 r14: fffff80006b9d2c0 r15: 0000000000000000
+#  trap number             = 12
+#  panic: page fault
+#  cpuid = 9
+#  time = 1773832077
+#  KDB: stack backtrace:
+#  db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01001f2660
+#  vpanic() at vpanic+0x136/frame 0xfffffe01001f2790
+#  panic() at panic+0x43/frame 0xfffffe01001f27f0
+#  trap_pfault() at trap_pfault+0x422/frame 0xfffffe01001f2860
+#  calltrap() at calltrap+0x8/frame 0xfffffe01001f2860
+#  --- trap 0xc, rip = 0xffffffff803a1e9c, rsp = 0xfffffe01001f2930, rbp = 0xfffffe01001f2970 ---
+#  xpt_action_default() at xpt_action_default+0x80c/frame 0xfffffe01001f2970
+#  cam_periph_runccb() at cam_periph_runccb+0xec/frame 0xfffffe01001f2ac0
+#  passsendccb() at passsendccb+0x160/frame 0xfffffe01001f2b30
+#  passdoioctl() at passdoioctl+0x3a1/frame 0xfffffe01001f2b80
+#  passioctl() at passioctl+0x22/frame 0xfffffe01001f2bc0
+#  devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe01001f2c10
+#  VOP_IOCTL_APV() at VOP_IOCTL_APV+0x51/frame 0xfffffe01001f2c40
+#  vn_ioctl() at vn_ioctl+0x160/frame 0xfffffe01001f2cb0
+#  devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe01001f2cd0
+#  kern_ioctl() at kern_ioctl+0x2a1/frame 0xfffffe01001f2d40
+#  sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe01001f2e00
+#  amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe01001f2f30
+#  fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01001f2f30
+#  --- syscall (0, FreeBSD ELF64, syscall), rip = 0x823e6feca, rsp = 0x820c6d558, rbp = 0x820c6d580 ---
+#  KDB: enter: panic
+#  [ thread pid 3759 tid 100348 ]
+#  Stopped at      kdb_enter+0x33: movq    $0,0x15e9d32(%rip)
+#  db> x/s version
+#  version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
+#  pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
+#  db>
+
+# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
+# [Bug 293890] Fatal trap NUM: page fault while in kernel mode in cam_periph_runccb
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+int main(void)
+{
+  syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
+          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
+  const char* reason;
+  (void)reason;
+  intptr_t res = 0;
+  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+  }
+  //  openat\$pass_pass_cdevsw arguments: [
+  //    fd: const = 0xffffffffffffff9c (8 bytes)
+  //    file: ptr[in, buffer] {
+  //      buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
+  //    }
+  //    flags: open_flags = 0x2 (4 bytes)
+  //    mode: const = 0x0 (4 bytes)
+  //  ]
+  //  returns fd_pass_pass_cdevsw
+  memcpy((void*)0x200000000100, "/dev/pass0\000", 11);
+  res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
+                /*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
+  if (res != -1)
+    r[0] = res;
+  //  ioctl\$CAMIOCOMMAND_pass_cdevsw arguments: [
+  //    fd: fd_pass_pass_cdevsw (resource)
+  //    cmd: const = 0xc4e01a02 (8 bytes)
+  //    arg: ptr[inout, ccb\$pass_cdevsw] {
+  //      union ccb\$pass_cdevsw {
+  //        ccb_h: ccb_hdr\$pass_cdevsw {
+  //          pinfo: cam_pinfo\$pass_cdevsw {
+  //            priority: int32 = 0x5 (4 bytes)
+  //            generation: int32 = 0x2 (4 bytes)
+  //            index: int32 = 0x3 (4 bytes)
+  //          }
+  //          pad = 0x0 (4 bytes)
+  //          xpt_links: camq_entry\$pass_cdevsw {
+  //            links_next: intptr = 0xb (8 bytes)
+  //            priority: int32 = 0x6 (4 bytes)
+  //            pad = 0x0 (4 bytes)
+  //          }
+  //          sim_links: camq_entry\$pass_cdevsw {
+  //            links_next: intptr = 0x8 (8 bytes)
+  //            priority: int32 = 0x6 (4 bytes)
+  //            pad = 0x0 (4 bytes)
+  //          }
+  //          periph_links: camq_entry\$pass_cdevsw {
+  //            links_next: intptr = 0xfe (8 bytes)
+  //            priority: int32 = 0x6 (4 bytes)
+  //            pad = 0x0 (4 bytes)
+  //          }
+  //          retry_count: int16 = 0x3 (2 bytes)
+  //          alloc_flags: int16 = 0x5 (2 bytes)
+  //          pad = 0x0 (4 bytes)
+  //          cbfcnp: intptr = 0xbfc (8 bytes)
+  //          func_code: int32 = 0x10 (4 bytes)
+  //          status: int32 = 0x4 (4 bytes)
+  //          path: intptr = 0x5 (8 bytes)
+  //          path_id: int32 = 0x0 (4 bytes)
+  //          target_id: int32 = 0x2 (4 bytes)
+  //          target_lun: int64 = 0x7e2 (8 bytes)
+  //          flags: int32 = 0x8 (4 bytes)
+  //          xflags: int32 = 0x3 (4 bytes)
+  //          periph_priv: buffer: {bc 09 6b 26 d7 02 3b 02 06 84 bf 81 a9 85 11
+  //          50} (length 0x10) sim_priv: buffer: {a5 da 75 ef af 1d 7f d5 40 94
+  //          02 67 14 f6 36 17} (length 0x10) qos: buffer: {74 70 33 74 c5 58
+  //          85 93 b4 d5 75 39 9f 79 94 a4} (length 0x10) timeout: int32 = 0x2
+  //          (4 bytes) pad = 0x0 (4 bytes) softtimeout: timeval {
+  //            sec: intptr = 0x6e (8 bytes)
+  //            usec: intptr = 0x400 (8 bytes)
+  //          }
+  //        }
+  //      }
+  //    }
+  //  ]
+  *(uint32_t*)0x200000000240 = 5;
+  *(uint32_t*)0x200000000244 = 2;
+  *(uint32_t*)0x200000000248 = 3;
+  *(uint64_t*)0x200000000250 = 0xb;
+  *(uint32_t*)0x200000000258 = 6;
+  *(uint64_t*)0x200000000260 = 8;
+  *(uint32_t*)0x200000000268 = 6;
+  *(uint64_t*)0x200000000270 = 0xfe;
+  *(uint32_t*)0x200000000278 = 6;
+  *(uint16_t*)0x200000000280 = 3;
+  *(uint16_t*)0x200000000282 = 5;
+  *(uint64_t*)0x200000000288 = 0xbfc;
+  *(uint32_t*)0x200000000290 = 0x10;
+  *(uint32_t*)0x200000000294 = 4;
+  *(uint64_t*)0x200000000298 = 5;
+  *(uint32_t*)0x2000000002a0 = 0;
+  *(uint32_t*)0x2000000002a4 = 2;
+  *(uint64_t*)0x2000000002a8 = 0x7e2;
+  *(uint32_t*)0x2000000002b0 = 8;
+  *(uint32_t*)0x2000000002b4 = 3;
+  memcpy((void*)0x2000000002b8,
+         "\xbc\x09\x6b\x26\xd7\x02\x3b\x02\x06\x84\xbf\x81\xa9\x85\x11\x50",
+         16);
+  memcpy((void*)0x2000000002c8,
+         "\xa5\xda\x75\xef\xaf\x1d\x7f\xd5\x40\x94\x02\x67\x14\xf6\x36\x17",
+         16);
+  memcpy((void*)0x2000000002d8,
+         "\x74\x70\x33\x74\xc5\x58\x85\x93\xb4\xd5\x75\x39\x9f\x79\x94\xa4",
+         16);
+  *(uint32_t*)0x2000000002e8 = 2;
+  *(uint64_t*)0x2000000002f0 = 0x6e;
+  *(uint64_t*)0x2000000002f8 = 0x400;
+  syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0xc4e01a02ul,
+          /*arg=*/0x200000000240ul);
+  return 0;
+}
+EOF
+mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
+
+timeout 3m /tmp/$prog > /dev/null 2>&1
+
+rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
+exit 0
diff --git a/tools/test/stress2/misc/syzkaller92.sh b/tools/test/stress2/misc/syzkaller92.sh
new file mode 100755
index 000000000000..428fdaa8815d
--- /dev/null
+++ b/tools/test/stress2/misc/syzkaller92.sh
@@ -0,0 +1,265 @@
+#!/bin/sh
+
+# Kernel page fault with the following non-sleepable locks held:
+# exclusive sleep mutex CAM device lock (CAM device lock) r = 0 (0xfffff8000365ecd0) locked @ cam/scsi/scsi_pass.c:1973
+# stack backtrace:
+# #0 0xffffffff80c4787c at witness_debugger+0x6c
+# #1 0xffffffff80c49189 at witness_warn+0x4c9
+# #2 0xffffffff81131d8c at trap_pfault+0x8c
+# #3 0xffffffff811015a8 at calltrap+0x8
+# #4 0xffffffff803d8e3e at passdoioctl+0x9be
+# #5 0xffffffff803d8102 at passioctl+0x22
+# #6 0xffffffff80a413b1 at devfs_ioctl+0xd1
+# #7 0xffffffff81204821 at VOP_IOCTL_APV+0x51
+# #8 0xffffffff80cf0890 at vn_ioctl+0x160
+# #9 0xffffffff80a41a7e at devfs_ioctl_f+0x1e
+# #10 0xffffffff80c4e3c1 at kern_ioctl+0x2a1
+# #11 0xffffffff80c4e0bf at sys_ioctl+0x12f
+# #12 0xffffffff811327d9 at amd64_syscall+0x169
+# #13 0xffffffff81101e9b at fast_syscall_common+0xf8
+# 
+# 
+# Fatal trap 12: page fault while in kernel mode
+# cpuid = 11; apic id = 0b
+# fault virtual address	= 0x50
+# fault code		= supervisor read data, page not present
+# instruction pointer	= 0x20:0xffffffff803a1e9c
+# stack pointer	        = 0x28:0xfffffe01000d5af0
+# frame pointer	        = 0x28:0xfffffe01000d5b30
+# code segment		= base 0x0, limit 0xfffff, type 0x1b
+# 			= DPL 0, pres 1, long 1, def32 0, gran 1
+# processor eflags	= interrupt enabled, resume, IOPL = 0
+# current process		= 4511 (syzkaller92)
+# rdi: fffff8016ace27b8 rsi: fffff8016ace2f60 rdx: 0000000000000010
+# rcx: 0000000000000010  r8: fffff8000602ad80  r9: ffffffff8226dee8
+# rax: 0000000000000010 rbx: fffff8016ace27b8 rbp: fffffe01000d5b30
+# r10: fffff8016ace27b8 r11: fffff80066e42cd0 r12: fffff8016ace27b8
+# r13: 0000000000000016 r14: fffff80003676200 r15: 0000000000000000
+# trap number		= 12
+# panic: page fault
+# cpuid = 11
+# time = 1773833440
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01000d5820
+# vpanic() at vpanic+0x136/frame 0xfffffe01000d5950
+# panic() at panic+0x43/frame 0xfffffe01000d59b0
+# trap_pfault() at trap_pfault+0x422/frame 0xfffffe01000d5a20
+# calltrap() at calltrap+0x8/frame 0xfffffe01000d5a20
+# --- trap 0xc, rip = 0xffffffff803a1e9c, rsp = 0xfffffe01000d5af0, rbp = 0xfffffe01000d5b30 ---
+# xpt_action_default() at xpt_action_default+0x80c/frame 0xfffffe01000d5b30
+# passdoioctl() at passdoioctl+0x9be/frame 0xfffffe01000d5b80
+# passioctl() at passioctl+0x22/frame 0xfffffe01000d5bc0
+# devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe01000d5c10
+# VOP_IOCTL_APV() at VOP_IOCTL_APV+0x51/frame 0xfffffe01000d5c40
+# vn_ioctl() at vn_ioctl+0x160/frame 0xfffffe01000d5cb0
+# devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe01000d5cd0
+# kern_ioctl() at kern_ioctl+0x2a1/frame 0xfffffe01000d5d40
+# sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe01000d5e00
+# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe01000d5f30
+# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01000d5f30
+# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x824057eca, rsp = 0x820f14468, rbp = 0x820f14490 ---
+# KDB: enter: panic
+# [ thread pid 4511 tid 100357 ]
+# Stopped at      kdb_enter+0x33: movq    $0,0x15e9d32(%rip)
+# db> x/s version
+# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
+# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
+# db> reset
+
+# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
+# [Bug 293892] Fatal trap NUM: page fault while in kernel mode in passsendccb
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+#ifndef SYS_aio_readv
+#define SYS_aio_readv 579
+#endif
+
+uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
+
+int main(void)
+{
+  syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
+          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
+  const char* reason;
+  (void)reason;
+  intptr_t res = 0;
+  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+  }
+  //  rfork arguments: [
+  //    flags: rfork_flags = 0x14014 (8 bytes)
+  //  ]
+  syscall(SYS_rfork, /*flags=RFLINUXTHPN|RFSIGSHARE|RFFDG|RFPROC*/ 0x14014ul);
+  //  freebsd11_fhstatfs arguments: [
+  //    fhp: nil
+  //    buf: nil
+  //  ]
+  syscall(SYS_freebsd11_fhstatfs, /*fhp=*/0ul, /*buf=*/0ul);
+  //  socket\$inet_tcp arguments: [
+  //    domain: const = 0x2 (8 bytes)
+  //    type: const = 0x1 (8 bytes)
+  //    proto: const = 0x0 (1 bytes)
+  //  ]
+  //  returns sock_tcp
+  syscall(SYS_socket, /*domain=*/2ul, /*type=*/1ul, /*proto=*/0);
+  //  openat\$bpf arguments: [
+  //    fd: const = 0xffffffffffffff9c (8 bytes)
+  //    file: ptr[in, buffer] {
+  //      buffer: {2f 64 65 76 2f 62 70 66 00} (length 0x9)
+  //    }
+  //    flags: open_flags = 0x8408 (4 bytes)
+  //    mode: const = 0x0 (4 bytes)
+  //  ]
+  //  returns fd_bpf
+  memcpy((void*)0x200000000980, "/dev/bpf\000", 9);
+  res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
+                /*file=*/0x200000000980ul,
+                /*flags=O_TRUNC|O_NOCTTY|O_APPEND*/ 0x8408, /*mode=*/0);
+  if (res != -1)
+    r[0] = res;
+  //  aio_readv arguments: [
+  //    iocb: ptr[in, aiocb] {
+  //      aiocb {
+  //        aio_fildes: fd (resource)
+  //        pad = 0x0 (4 bytes)
+  //        aio_offset: int64 = 0x81 (8 bytes)
+  //        aio_buf: ptr[in, buffer] {
+  //          buffer: {fa} (length 0x1)
+  //        }
+  //        aio_nbytes: len = 0x1 (8 bytes)
+  //        spare: array[int32] {
+  //          int32 = 0xffff (4 bytes)
+  //          int32 = 0x7 (4 bytes)
+  //        }
+  //        spare2: intptr = 0x1 (8 bytes)
+  //        aio_lio_opcode: lio_opcodes = 0x18 (4 bytes)
+  //        aio_reqprio: int32 = 0x1ff (4 bytes)
+  //        aiocb_private: aiocb_private {
+  //          status: intptr = 0x37 (8 bytes)
+  //          error: intptr = 0x24 (8 bytes)
+  //          kernelinfo: nil
+  //        }
+  //        aio_sigevent: sigevent {
+  //          notify: sigev_notify = 0x0 (4 bytes)
+  //          signo: int32 = 0x13 (4 bytes)
+  //          val: union sigval {
+  //            sigval_int: int32 = 0x6 (4 bytes)
+  //          }
+  //          u: union sigevent_u {
+  //            ke_flags: evflags = 0x8000 (2 bytes)
+  //          }
+  //        }
+  //      }
+  //    }
+  //  ]
+  *(uint32_t*)0x200000000040 = r[0];
+  *(uint64_t*)0x200000000048 = 0x81;
+  *(uint64_t*)0x200000000050 = 0x200000000000;
+  memset((void*)0x200000000000, 250, 1);
+  *(uint64_t*)0x200000000058 = 1;
+  *(uint32_t*)0x200000000060 = 0xffff;
+  *(uint32_t*)0x200000000064 = 7;
+  *(uint64_t*)0x200000000068 = 1;
+  *(uint32_t*)0x200000000070 = 0x18;
+  *(uint32_t*)0x200000000074 = 0x1ff;
+  *(uint64_t*)0x200000000078 = 0x37;
+  *(uint64_t*)0x200000000080 = 0x24;
+  *(uint64_t*)0x200000000088 = 0;
+  *(uint32_t*)0x200000000090 = 0;
+  *(uint32_t*)0x200000000094 = 0x13;
+  *(uint32_t*)0x200000000098 = 6;
+  *(uint16_t*)0x2000000000a0 = 0x8000;
+  syscall(SYS_aio_readv, /*iocb=*/0x200000000040ul);
+  //  openat\$bpf arguments: [
+  //    fd: const = 0xffffffffffffff9c (8 bytes)
+  //    file: ptr[in, buffer] {
+  //      buffer: {2f 64 65 76 2f 62 70 66 00} (length 0x9)
+  //    }
+  //    flags: open_flags = 0x800 (4 bytes)
+  //    mode: const = 0x0 (4 bytes)
+  //  ]
+  //  returns fd_bpf
+  memcpy((void*)0x200000000040, "/dev/bpf\000", 9);
+  syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000040ul,
+          /*flags=O_EXCL*/ 0x800, /*mode=*/0);
+  //  sigaction arguments: [
+  //    signo: int32 = 0x6b (4 bytes)
+  //    act: ptr[in, sigaction] {
+  //      sigaction {
+  //        sigaction_u: nil
+  //        sa_flags: sigaction_flags = 0x0 (4 bytes)
+  //        sa_mask: sigset {
+  //          mask: array[int32] {
+  //            int32 = 0x4 (4 bytes)
+  //            int32 = 0x10 (4 bytes)
+  //            int32 = 0x492d (4 bytes)
+  //            int32 = 0x3 (4 bytes)
+  //          }
+  //        }
+  //        pad = 0x0 (4 bytes)
+  //      }
+  //    }
+  //    oact: nil
+  //  ]
+  *(uint64_t*)0x200000000040 = 0;
+  *(uint32_t*)0x200000000048 = 0;
+  *(uint32_t*)0x20000000004c = 4;
+  *(uint32_t*)0x200000000050 = 0x10;
+  *(uint32_t*)0x200000000054 = 0x492d;
+  *(uint32_t*)0x200000000058 = 3;
+  syscall(SYS_sigaction, /*signo=*/0x6b, /*act=*/0x200000000040ul,
+          /*oact=*/0ul);
+  //  openat\$pass_pass_cdevsw arguments: [
+  //    fd: const = 0xffffffffffffff9c (8 bytes)
+  //    file: ptr[in, buffer] {
+  //      buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
+  //    }
+  //    flags: open_flags = 0x2 (4 bytes)
+  //    mode: const = 0x0 (4 bytes)
+  //  ]
+  //  returns fd_pass_pass_cdevsw
+  memcpy((void*)0x200000000100, "/dev/pass0\000", 11);
+  res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
+                /*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
+  if (res != -1)
+    r[1] = res;
+  //  ioctl\$CAMIOQUEUE_pass_cdevsw arguments: [
+  //    fd: fd_pass_pass_cdevsw (resource)
+  //    cmd: const = 0x20001a04 (8 bytes)
+  //    arg: ptr[in, ptr[in, ccb\$pass_cdevsw]] {
+  //      nil
+  //    }
+  //  ]
+  *(uint64_t*)0x200000000000 = 0;
+  syscall(SYS_ioctl, /*fd=*/r[1], /*cmd=*/0x20001a04ul,
+          /*arg=*/0x200000000000ul);
+  return 0;
+}
+EOF
+mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
+
+timeout 3m /tmp/$prog > /dev/null 2>&1
+
+rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
+exit 0
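Review bot: The `rfork` call early in main() carries RFPROC, so a child process continues through the remaining syscalls in parallel with the parent, and nothing in the program or the wrapper waits for it; `timeout 3m` supervises only the process it spawned, so the child may still be running when `rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core` executes, and a core it dumps afterwards would be left behind. If that is accepted as part of reproducing the syzkaller program faithfully, a one-line comment above the `mycc` step saying so, e.g. `# The reproducer rfork()s; a stray child and core file after cleanup are expected`, would save the next reader from chasing it. The `#define SYS_aio_readv 579` fallback is fine for a reproducer but is worth a comment noting it only matters on hosts whose headers predate the syscall.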
diff --git a/tools/test/stress2/misc/syzkaller93.sh b/tools/test/stress2/misc/syzkaller93.sh
new file mode 100755
index 000000000000..208b90d78516
--- /dev/null
+++ b/tools/test/stress2/misc/syzkaller93.sh
@@ -0,0 +1,137 @@
+#!/bin/sh
+
+# (pass0:ahcich1:0:0:0): xpt_action_default: CCB type 0x380 0x380 not supported
+# panic: _free(0): addr 0xfffff802f7e5a7b8 slab 0xffffffffffffffff with unknown cookie 3
+# cpuid = 8
+# time = 1773835096
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00ffe5fc60
+# vpanic() at vpanic+0x136/frame 0xfffffe00ffe5fd90
+# panic() at panic+0x43/frame 0xfffffe00ffe5fdf0
+# free() at free+0x213/frame 0xfffffe00ffe5fe30
+# xpt_release_ccb() at xpt_release_ccb+0x50/frame 0xfffffe00ffe5fe60
+# xpt_done_process() at xpt_done_process+0x3e0/frame 0xfffffe00ffe5fea0
+# xpt_done_td() at xpt_done_td+0x145/frame 0xfffffe00ffe5fef0
+# fork_exit() at fork_exit+0x82/frame 0xfffffe00ffe5ff30
+# fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00ffe5ff30
+# --- trap 0, rip = 0, rsp = 0, rbp = 0 ---
+# KDB: enter: panic
+# [ thread pid 4 tid 100122 ]
+# Stopped at      kdb_enter+0x33: movq    $0,0x15e9d32(%rip)
+# db> x/s version
+# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
+# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
+# db> 
+
+# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
+# [Bug 293893] panic: _free(NUM): address ADDR(ADDR) has not been allocated
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+int main(void)
+{
+  syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
+          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
+  const char* reason;
+  (void)reason;
+  intptr_t res = 0;
+  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+  }
+  //  openat\$pass_pass_cdevsw arguments: [
+  //    fd: const = 0xffffffffffffff9c (8 bytes)
+  //    file: ptr[in, buffer] {
+  //      buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
+  //    }
+  //    flags: open_flags = 0x2 (4 bytes)
+  //    mode: const = 0x0 (4 bytes)
+  //  ]
+  //  returns fd_pass_pass_cdevsw
+  memcpy((void*)0x200000000100, "/dev/pass0\000", 11);
+  res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
+                /*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
+  if (res != -1)
+    r[0] = res;
+  //  sendfile arguments: [
+  //    fd: fd (resource)
+  //    s: sock_in (resource)
+  //    offset: intptr = 0x4 (8 bytes)
+  //    nbytes: int64 = 0x4 (8 bytes)
+  //    hdtr: ptr[in, sf_hdtr] {
+  //      sf_hdtr {
+  //        headers: ptr[in, array[iovec_in]] {
+  //          array[iovec_in] {
+  //            iovec_in {
+  //              addr: nil
+  //              len: len = 0x0 (8 bytes)
+  //            }
+  //            iovec_in {
+  //              addr: ptr[in, buffer] {
+  //                buffer: {} (length 0x0)
+  //              }
+  //              len: len = 0x0 (8 bytes)
+  //            }
+  //          }
+  //        }
+  //        hdr_cnt: len = 0x2 (4 bytes)
+  //        pad = 0x0 (4 bytes)
+  //        trailers: nil
+  //        trl_cnt: len = 0x0 (4 bytes)
+  //        pad = 0x0 (4 bytes)
+  //      }
+  //    }
+  //    sbytes: nil
+  //    flags: sf_flags = 0x1 (8 bytes)
+  //  ]
+  *(uint64_t*)0x200000001ac0 = 0x200000000280;
+  *(uint64_t*)0x200000000280 = 0;
+  *(uint64_t*)0x200000000288 = 0;
+  *(uint64_t*)0x200000000290 = 0x200000000380;
+  *(uint64_t*)0x200000000298 = 0;
+  *(uint32_t*)0x200000001ac8 = 2;
+  *(uint64_t*)0x200000001ad0 = 0;
+  *(uint32_t*)0x200000001ad8 = 0;
+  syscall(SYS_sendfile, /*fd=*/(intptr_t)-1, /*s=*/(intptr_t)-1, /*offset=*/4ul,
+          /*nbytes=*/4ul, /*hdtr=*/0x200000001ac0ul, /*sbytes=*/0ul,
+          /*flags=SF_NODISKIO*/ 1ul);
+  //  ioctl\$CAMIOQUEUE_pass_cdevsw arguments: [
+  //    fd: fd_pass_pass_cdevsw (resource)
+  //    cmd: const = 0x20001a04 (8 bytes)
+  //    arg: ptr[in, ptr[in, ccb\$pass_cdevsw]] {
+  //      nil
+  //    }
+  //  ]
+  *(uint64_t*)0x200000000240 = 0;
+  syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0x20001a04ul,
+          /*arg=*/0x200000000240ul);
+  return 0;
+}
+EOF
+mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
+
+timeout 3m /tmp/$prog > /dev/null 2>&1
+
+rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
+exit 0
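Review bot: The script never checks that /dev/pass0 exists before building and running the reproducer, so on a host without a pass(4) device the openat in the generated program fails, r[0] keeps its initial -1, the CAMIOQUEUE ioctl is issued against fd -1 and the test still exits 0 without having exercised the code path under test. A guard before the `cat > /tmp/$prog.c` heredoc, e.g. `[ -c /dev/pass0 ] || { echo "$prog: /dev/pass0 not present, skipping"; exit 0; }`, would make the skip visible in the stress2 log instead of silently reporting success; the tail of syzkaller92.sh above opens the same device and would benefit from the same check. As a point of style, the root check spawns `id -u` via backticks where `$(id -u)` reads more clearly, though the backtick form presumably matches the existing stress2 scripts.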
diff --git a/tools/test/stress2/misc/syzkaller94.sh b/tools/test/stress2/misc/syzkaller94.sh
new file mode 100755
index 000000000000..ae37ad964964
--- /dev/null
+++ b/tools/test/stress2/misc/syzkaller94.sh
@@ -0,0 +1,185 @@
+#!/bin/sh
+
+# panic: ata_action: ccb 0xfffff80347e777b8, func_code 0x1 should not be allocated from UMA zone
+# cpuid = 1
+# time = 1773837671
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0100044980
+# vpanic() at vpanic+0x136/frame 0xfffffe0100044ab0
+# panic() at panic+0x43/frame 0xfffffe0100044b10
+# ata_action() at ata_action+0x3bd/frame 0xfffffe0100044b30
+# passdoioctl() at passdoioctl+0x9be/frame 0xfffffe0100044b80
+# passioctl() at passioctl+0x22/frame 0xfffffe0100044bc0
+# devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe0100044c10
+# VOP_IOCTL_APV() at VOP_IOCTL_APV+0x51/frame 0xfffffe0100044c40
+# vn_ioctl() at vn_ioctl+0x160/frame 0xfffffe0100044cb0
+# devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe0100044cd0
+# kern_ioctl() at kern_ioctl+0x2a1/frame 0xfffffe0100044d40
+# sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe0100044e00
+# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe0100044f30
+# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0100044f30
+# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x823bc5eca, rsp = 0x820d83df8, rbp = 0x820d83e20 ---
+# KDB: enter: panic
+# [ thread pid 4628 tid 100215 ]
+# Stopped at      kdb_enter+0x33: movq    $0,0x15e9d32(%rip)
+# db> x/s version
+# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
+# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
+# db>
+
+# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
+# Bug 293895 - panic: ata_action: ccb ADDR, func_code XXX should not be allocated from UMA zone
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
*** 1391 LINES SKIPPED ***

