ptr[in, buffer] { + // buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb) + // } + // flags: open_flags = 0x2 (4 bytes) + // mode: const = 0x0 (4 bytes) + // ] + // returns fd_pass_pass_cdevsw + memcpy((void*)0x200000000100, "/dev/pass0\000", 11); + res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, + /*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0); + if (res != -1) + r[0] = res; + // ioctl\$CAMIOCOMMAND_pass_cdevsw arguments: [ + // fd: fd_pass_pass_cdevsw (resource) + // cmd: const = 0xc4e01a02 (8 bytes) + // arg: ptr[inout, ccb\$pass_cdevsw] { + // union ccb\$pass_cdevsw { + // ccb_h: ccb_hdr\$pass_cdevsw { + // pinfo: cam_pinfo\$pass_cdevsw { + // priority: int32 = 0x5 (4 bytes) + // generation: int32 = 0x2 (4 bytes) + // index: int32 = 0x3 (4 bytes) + // } + // pad = 0x0 (4 bytes) + // xpt_links: camq_entry\$pass_cdevsw { + // links_next: intptr = 0xb (8 bytes) + // priority: int32 = 0x6 (4 bytes) + // pad = 0x0 (4 bytes) + // } + // sim_links: camq_entry\$pass_cdevsw { + // links_next: intptr = 0x8 (8 bytes) + // priority: int32 = 0x6 (4 bytes) + // pad = 0x0 (4 bytes) + // } + // periph_links: camq_entry\$pass_cdevsw { + // links_next: intptr = 0xfe (8 bytes) + // priority: int32 = 0x6 (4 bytes) + // pad = 0x0 (4 bytes) + // } + // retry_count: int16 = 0x3 (2 bytes) + // alloc_flags: int16 = 0x5 (2 bytes) + // pad = 0x0 (4 bytes) + // cbfcnp: intptr = 0xbfc (8 bytes) + // func_code: int32 = 0x10 (4 bytes) + // status: int32 = 0x4 (4 bytes) + // path: intptr = 0x5 (8 bytes) + // path_id: int32 = 0x0 (4 bytes) + // target_id: int32 = 0x2 (4 bytes) + // target_lun: int64 = 0x7e2 (8 bytes) + // flags: int32 = 0x8 (4 bytes) + // xflags: int32 = 0x3 (4 bytes) + // periph_priv: buffer: {bc 09 6b 26 d7 02 3b 02 06 84 bf 81 a9 85 11 + // 50} (length 0x10) sim_priv: buffer: {a5 da 75 ef af 1d 7f d5 40 94 + // 02 67 14 f6 36 17} (length 0x10) qos: buffer: {74 70 33 74 c5 58 + // 85 93 b4 d5 75 39 9f 79 94 a4} (length 0x10) timeout: int32 = 0x2 + // 
(4 bytes) pad = 0x0 (4 bytes) softtimeout: timeval { + // sec: intptr = 0x6e (8 bytes) + // usec: intptr = 0x400 (8 bytes) + // } + // } + // } + // } + // ] + *(uint32_t*)0x200000000240 = 5; + *(uint32_t*)0x200000000244 = 2; + *(uint32_t*)0x200000000248 = 3; + *(uint64_t*)0x200000000250 = 0xb; + *(uint32_t*)0x200000000258 = 6; + *(uint64_t*)0x200000000260 = 8; + *(uint32_t*)0x200000000268 = 6; + *(uint64_t*)0x200000000270 = 0xfe; + *(uint32_t*)0x200000000278 = 6; + *(uint16_t*)0x200000000280 = 3; + *(uint16_t*)0x200000000282 = 5; + *(uint64_t*)0x200000000288 = 0xbfc; + *(uint32_t*)0x200000000290 = 0x10; + *(uint32_t*)0x200000000294 = 4; + *(uint64_t*)0x200000000298 = 5; + *(uint32_t*)0x2000000002a0 = 0; + *(uint32_t*)0x2000000002a4 = 2; + *(uint64_t*)0x2000000002a8 = 0x7e2; + *(uint32_t*)0x2000000002b0 = 8; + *(uint32_t*)0x2000000002b4 = 3; + memcpy((void*)0x2000000002b8, + "\xbc\x09\x6b\x26\xd7\x02\x3b\x02\x06\x84\xbf\x81\xa9\x85\x11\x50", + 16); + memcpy((void*)0x2000000002c8, + "\xa5\xda\x75\xef\xaf\x1d\x7f\xd5\x40\x94\x02\x67\x14\xf6\x36\x17", + 16); + memcpy((void*)0x2000000002d8, + "\x74\x70\x33\x74\xc5\x58\x85\x93\xb4\xd5\x75\x39\x9f\x79\x94\xa4", + 16); + *(uint32_t*)0x2000000002e8 = 2; + *(uint64_t*)0x2000000002f0 = 0x6e; + *(uint64_t*)0x2000000002f8 = 0x400; + syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0xc4e01a02ul, + /*arg=*/0x200000000240ul); + return 0; +} +EOF +mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1 + +timeout 3m /tmp/$prog > /dev/null 2>&1 + +rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core +exit 0 diff --git a/tools/test/stress2/misc/syzkaller92.sh b/tools/test/stress2/misc/syzkaller92.sh new file mode 100755 index 000000000000..428fdaa8815d --- /dev/null +++ b/tools/test/stress2/misc/syzkaller92.sh 
@@ -0,0 +1,265 @@ +#!/bin/sh + +# Kernel page fault with the following non-sleepable locks held: +# exclusive sleep mutex CAM device lock (CAM device lock) r = 0 (0xfffff8000365ecd0) locked @ cam/scsi/scsi_pass.c:1973 +# stack backtrace: +# #0 0xffffffff80c4787c at witness_debugger+0x6c +# #1 0xffffffff80c49189 at witness_warn+0x4c9 +# #2 0xffffffff81131d8c at trap_pfault+0x8c +# #3 0xffffffff811015a8 at calltrap+0x8 +# #4 0xffffffff803d8e3e at passdoioctl+0x9be +# #5 0xffffffff803d8102 at passioctl+0x22 +# #6 0xffffffff80a413b1 at devfs_ioctl+0xd1 +# #7 0xffffffff81204821 at VOP_IOCTL_APV+0x51 +# #8 0xffffffff80cf0890 at vn_ioctl+0x160 +# #9 0xffffffff80a41a7e at devfs_ioctl_f+0x1e +# #10 0xffffffff80c4e3c1 at kern_ioctl+0x2a1 +# #11 0xffffffff80c4e0bf at sys_ioctl+0x12f +# #12 0xffffffff811327d9 at amd64_syscall+0x169 +# #13 0xffffffff81101e9b at fast_syscall_common+0xf8 +# +# +# Fatal trap 12: page fault while in kernel mode +# cpuid = 11; apic id = 0b +# fault virtual address = 0x50 +# fault code = supervisor read data, page not present +# instruction pointer = 0x20:0xffffffff803a1e9c +# stack pointer = 0x28:0xfffffe01000d5af0 +# frame pointer = 0x28:0xfffffe01000d5b30 +# code segment = base 0x0, limit 0xfffff, type 0x1b +# = DPL 0, pres 1, long 1, def32 0, gran 1 +# processor eflags = interrupt enabled, resume, IOPL = 0 +# current process = 4511 (syzkaller92) +# rdi: fffff8016ace27b8 rsi: fffff8016ace2f60 rdx: 0000000000000010 +# rcx: 0000000000000010 r8: fffff8000602ad80 r9: ffffffff8226dee8 +# rax: 0000000000000010 rbx: fffff8016ace27b8 rbp: fffffe01000d5b30 +# r10: fffff8016ace27b8 r11: fffff80066e42cd0 r12: fffff8016ace27b8 +# r13: 0000000000000016 r14: fffff80003676200 r15: 0000000000000000 +# trap number = 12 +# panic: page fault +# cpuid = 11 +# time = 1773833440 +# KDB: stack backtrace: +# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01000d5820 +# vpanic() at vpanic+0x136/frame 0xfffffe01000d5950 +# panic() at panic+0x43/frame 
0xfffffe01000d59b0 +# trap_pfault() at trap_pfault+0x422/frame 0xfffffe01000d5a20 +# calltrap() at calltrap+0x8/frame 0xfffffe01000d5a20 +# --- trap 0xc, rip = 0xffffffff803a1e9c, rsp = 0xfffffe01000d5af0, rbp = 0xfffffe01000d5b30 --- +# xpt_action_default() at xpt_action_default+0x80c/frame 0xfffffe01000d5b30 +# passdoioctl() at passdoioctl+0x9be/frame 0xfffffe01000d5b80 +# passioctl() at passioctl+0x22/frame 0xfffffe01000d5bc0 +# devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe01000d5c10 +# VOP_IOCTL_APV() at VOP_IOCTL_APV+0x51/frame 0xfffffe01000d5c40 +# vn_ioctl() at vn_ioctl+0x160/frame 0xfffffe01000d5cb0 +# devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe01000d5cd0 +# kern_ioctl() at kern_ioctl+0x2a1/frame 0xfffffe01000d5d40 +# sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe01000d5e00 +# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe01000d5f30 +# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01000d5f30 +# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x824057eca, rsp = 0x820f14468, rbp = 0x820f14490 --- +# KDB: enter: panic +# [ thread pid 4511 tid 100357 ] +# Stopped at kdb_enter+0x33: movq $0,0x15e9d32(%rip) +# db> x/s version +# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026 +# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO +# db> reset + +# Reproducer obtained from: Jiaming Zhang +# [Bug 293892] Fatal trap NUM: page fault while in kernel mode in passsendccb + +[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 + +. 
../default.cfg +set -u +prog=$(basename "$0" .sh) +cat > /tmp/$prog.c < +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifndef SYS_aio_readv +#define SYS_aio_readv 579 +#endif + +uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; + +int main(void) +{ + syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, + /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, + /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul, + /*fd=*/(intptr_t)-1, /*offset=*/0ul); + const char* reason; + (void)reason; + intptr_t res = 0; + if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { + } + // rfork arguments: [ + // flags: rfork_flags = 0x14014 (8 bytes) + // ] + syscall(SYS_rfork, /*flags=RFLINUXTHPN|RFSIGSHARE|RFFDG|RFPROC*/ 0x14014ul); + // freebsd11_fhstatfs arguments: [ + // fhp: nil + // buf: nil + // ] + syscall(SYS_freebsd11_fhstatfs, /*fhp=*/0ul, /*buf=*/0ul); + // socket\$inet_tcp arguments: [ + // domain: const = 0x2 (8 bytes) + // type: const = 0x1 (8 bytes) + // proto: const = 0x0 (1 bytes) + // ] + // returns sock_tcp + syscall(SYS_socket, /*domain=*/2ul, /*type=*/1ul, /*proto=*/0); + // openat\$bpf arguments: [ + // fd: const = 0xffffffffffffff9c (8 bytes) + // file: ptr[in, buffer] { + // buffer: {2f 64 65 76 2f 62 70 66 00} (length 0x9) + // } + // flags: open_flags = 0x8408 (4 bytes) + // mode: const = 0x0 (4 bytes) + // ] + // returns fd_bpf + memcpy((void*)0x200000000980, "/dev/bpf\000", 9); + res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, + /*file=*/0x200000000980ul, + /*flags=O_TRUNC|O_NOCTTY|O_APPEND*/ 0x8408, /*mode=*/0); + if (res != -1) + r[0] = res; + // aio_readv arguments: [ + // iocb: ptr[in, aiocb] { + // aiocb { + // aio_fildes: fd (resource) + // pad = 0x0 (4 bytes) + // aio_offset: int64 = 0x81 (8 bytes) + // aio_buf: ptr[in, buffer] { + // buffer: {fa} (length 0x1) + // } + // aio_nbytes: len = 0x1 (8 bytes) + // spare: array[int32] { + // int32 = 0xffff (4 bytes) 
+ // int32 = 0x7 (4 bytes) + // } + // spare2: intptr = 0x1 (8 bytes) + // aio_lio_opcode: lio_opcodes = 0x18 (4 bytes) + // aio_reqprio: int32 = 0x1ff (4 bytes) + // aiocb_private: aiocb_private { + // status: intptr = 0x37 (8 bytes) + // error: intptr = 0x24 (8 bytes) + // kernelinfo: nil + // } + // aio_sigevent: sigevent { + // notify: sigev_notify = 0x0 (4 bytes) + // signo: int32 = 0x13 (4 bytes) + // val: union sigval { + // sigval_int: int32 = 0x6 (4 bytes) + // } + // u: union sigevent_u { + // ke_flags: evflags = 0x8000 (2 bytes) + // } + // } + // } + // } + // ] + *(uint32_t*)0x200000000040 = r[0]; + *(uint64_t*)0x200000000048 = 0x81; + *(uint64_t*)0x200000000050 = 0x200000000000; + memset((void*)0x200000000000, 250, 1); + *(uint64_t*)0x200000000058 = 1; + *(uint32_t*)0x200000000060 = 0xffff; + *(uint32_t*)0x200000000064 = 7; + *(uint64_t*)0x200000000068 = 1; + *(uint32_t*)0x200000000070 = 0x18; + *(uint32_t*)0x200000000074 = 0x1ff; + *(uint64_t*)0x200000000078 = 0x37; + *(uint64_t*)0x200000000080 = 0x24; + *(uint64_t*)0x200000000088 = 0; + *(uint32_t*)0x200000000090 = 0; + *(uint32_t*)0x200000000094 = 0x13; + *(uint32_t*)0x200000000098 = 6; + *(uint16_t*)0x2000000000a0 = 0x8000; + syscall(SYS_aio_readv, /*iocb=*/0x200000000040ul); + // openat\$bpf arguments: [ + // fd: const = 0xffffffffffffff9c (8 bytes) + // file: ptr[in, buffer] { + // buffer: {2f 64 65 76 2f 62 70 66 00} (length 0x9) + // } + // flags: open_flags = 0x800 (4 bytes) + // mode: const = 0x0 (4 bytes) + // ] + // returns fd_bpf + memcpy((void*)0x200000000040, "/dev/bpf\000", 9); + syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000040ul, + /*flags=O_EXCL*/ 0x800, /*mode=*/0); + // sigaction arguments: [ + // signo: int32 = 0x6b (4 bytes) + // act: ptr[in, sigaction] { + // sigaction { + // sigaction_u: nil + // sa_flags: sigaction_flags = 0x0 (4 bytes) + // sa_mask: sigset { + // mask: array[int32] { + // int32 = 0x4 (4 bytes) + // int32 = 0x10 (4 bytes) + // int32 = 
0x492d (4 bytes) + // int32 = 0x3 (4 bytes) + // } + // } + // pad = 0x0 (4 bytes) + // } + // } + // oact: nil + // ] + *(uint64_t*)0x200000000040 = 0; + *(uint32_t*)0x200000000048 = 0; + *(uint32_t*)0x20000000004c = 4; + *(uint32_t*)0x200000000050 = 0x10; + *(uint32_t*)0x200000000054 = 0x492d; + *(uint32_t*)0x200000000058 = 3; + syscall(SYS_sigaction, /*signo=*/0x6b, /*act=*/0x200000000040ul, + /*oact=*/0ul); + // openat\$pass_pass_cdevsw arguments: [ + // fd: const = 0xffffffffffffff9c (8 bytes) + // file: ptr[in, buffer] { + // buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb) + // } + // flags: open_flags = 0x2 (4 bytes) + // mode: const = 0x0 (4 bytes) + // ] + // returns fd_pass_pass_cdevsw + memcpy((void*)0x200000000100, "/dev/pass0\000", 11); + res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, + /*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0); + if (res != -1) + r[1] = res; + // ioctl\$CAMIOQUEUE_pass_cdevsw arguments: [ + // fd: fd_pass_pass_cdevsw (resource) + // cmd: const = 0x20001a04 (8 bytes) + // arg: ptr[in, ptr[in, ccb\$pass_cdevsw]] { + // nil + // } + // ] + *(uint64_t*)0x200000000000 = 0; + syscall(SYS_ioctl, /*fd=*/r[1], /*cmd=*/0x20001a04ul, + /*arg=*/0x200000000000ul); + return 0; +} +EOF +mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1 + +timeout 3m /tmp/$prog > /dev/null 2>&1 + +rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core +exit 0 diff --git a/tools/test/stress2/misc/syzkaller93.sh b/tools/test/stress2/misc/syzkaller93.sh new file mode 100755 index 000000000000..208b90d78516 --- /dev/null +++ b/tools/test/stress2/misc/syzkaller93.sh 
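Review bot: The embedded reproducer never checks the result of the SYS_mmap call at the top of main() before writing through fixed addresses such as 0x200000000040 and 0x200000000100, so if the MAP_FIXED mapping at 0x200000000000 is refused the program dies with SIGSEGV in user space and the script's unconditional `exit 0` reports nothing, which would look like "no panic" rather than "test did not run". A one-line guard keeps the test honest: `if (syscall(SYS_mmap, /* existing argument list */) == -1) { perror("mmap"); return 1; }` (syscall(2) presumably returns -1 here, as for any failing system call), and syzkaller93.sh has the same unchecked call. The `#include` targets and the heredoc delimiter after `cat > /tmp/$prog.c` are not visible in this rendering, presumably stripped as markup, so the header set backing the `SYS_aio_readv` fallback cannot be checked from here. If the C body is meant to stay verbatim syzkaller output, a sentence in the header comment saying that the reproducer assumes the fixed mapping succeeds would serve the same purpose.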
@@ -0,0 +1,137 @@ +#!/bin/sh + +# (pass0:ahcich1:0:0:0): xpt_action_default: CCB type 0x380 0x380 not supported +# panic: _free(0): addr 0xfffff802f7e5a7b8 slab 0xffffffffffffffff with unknown cookie 3 +# cpuid = 8 +# time = 1773835096 +# KDB: stack backtrace: +# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00ffe5fc60 +# vpanic() at vpanic+0x136/frame 0xfffffe00ffe5fd90 +# panic() at panic+0x43/frame 0xfffffe00ffe5fdf0 +# free() at free+0x213/frame 0xfffffe00ffe5fe30 +# xpt_release_ccb() at xpt_release_ccb+0x50/frame 0xfffffe00ffe5fe60 +# xpt_done_process() at xpt_done_process+0x3e0/frame 0xfffffe00ffe5fea0 +# xpt_done_td() at xpt_done_td+0x145/frame 0xfffffe00ffe5fef0 +# fork_exit() at fork_exit+0x82/frame 0xfffffe00ffe5ff30 +# fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00ffe5ff30 +# --- trap 0, rip = 0, rsp = 0, rbp = 0 --- +# KDB: enter: panic +# [ thread pid 4 tid 100122 ] +# Stopped at kdb_enter+0x33: movq $0,0x15e9d32(%rip) +# db> x/s version +# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026 +# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO +# db> + +# Reproducer obtained from: Jiaming Zhang +# [Bug 293893] panic: _free(NUM): address ADDR(ADDR) has not been allocated + +[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 + +. 
../default.cfg +set -u +prog=$(basename "$0" .sh) +cat > /tmp/$prog.c < +#include +#include +#include +#include +#include +#include +#include +#include +#include + +uint64_t r[1] = {0xffffffffffffffff}; + +int main(void) +{ + syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, + /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, + /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul, + /*fd=*/(intptr_t)-1, /*offset=*/0ul); + const char* reason; + (void)reason; + intptr_t res = 0; + if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { + } + // openat\$pass_pass_cdevsw arguments: [ + // fd: const = 0xffffffffffffff9c (8 bytes) + // file: ptr[in, buffer] { + // buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb) + // } + // flags: open_flags = 0x2 (4 bytes) + // mode: const = 0x0 (4 bytes) + // ] + // returns fd_pass_pass_cdevsw + memcpy((void*)0x200000000100, "/dev/pass0\000", 11); + res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, + /*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0); + if (res != -1) + r[0] = res; + // sendfile arguments: [ + // fd: fd (resource) + // s: sock_in (resource) + // offset: intptr = 0x4 (8 bytes) + // nbytes: int64 = 0x4 (8 bytes) + // hdtr: ptr[in, sf_hdtr] { + // sf_hdtr { + // headers: ptr[in, array[iovec_in]] { + // array[iovec_in] { + // iovec_in { + // addr: nil + // len: len = 0x0 (8 bytes) + // } + // iovec_in { + // addr: ptr[in, buffer] { + // buffer: {} (length 0x0) + // } + // len: len = 0x0 (8 bytes) + // } + // } + // } + // hdr_cnt: len = 0x2 (4 bytes) + // pad = 0x0 (4 bytes) + // trailers: nil + // trl_cnt: len = 0x0 (4 bytes) + // pad = 0x0 (4 bytes) + // } + // } + // sbytes: nil + // flags: sf_flags = 0x1 (8 bytes) + // ] + *(uint64_t*)0x200000001ac0 = 0x200000000280; + *(uint64_t*)0x200000000280 = 0; + *(uint64_t*)0x200000000288 = 0; + *(uint64_t*)0x200000000290 = 0x200000000380; + *(uint64_t*)0x200000000298 = 0; + *(uint32_t*)0x200000001ac8 = 2; + 
*(uint64_t*)0x200000001ad0 = 0; + *(uint32_t*)0x200000001ad8 = 0; + syscall(SYS_sendfile, /*fd=*/(intptr_t)-1, /*s=*/(intptr_t)-1, /*offset=*/4ul, + /*nbytes=*/4ul, /*hdtr=*/0x200000001ac0ul, /*sbytes=*/0ul, + /*flags=SF_NODISKIO*/ 1ul); + // ioctl\$CAMIOQUEUE_pass_cdevsw arguments: [ + // fd: fd_pass_pass_cdevsw (resource) + // cmd: const = 0x20001a04 (8 bytes) + // arg: ptr[in, ptr[in, ccb\$pass_cdevsw]] { + // nil + // } + // ] + *(uint64_t*)0x200000000240 = 0; + syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0x20001a04ul, + /*arg=*/0x200000000240ul); + return 0; +} +EOF +mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1 + +timeout 3m /tmp/$prog > /dev/null 2>&1 + +rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core +exit 0 diff --git a/tools/test/stress2/misc/syzkaller94.sh b/tools/test/stress2/misc/syzkaller94.sh new file mode 100755 index 000000000000..ae37ad964964 --- /dev/null +++ b/tools/test/stress2/misc/syzkaller94.sh 
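Review bot: The script writes `/tmp/$prog.c`, compiles it to `/tmp/$prog` and executes it as root using fixed, predictable names in a world-writable directory; `cat >` and `mycc -o` follow whatever already exists at those paths, so a pre-existing symlink or file placed there by another local user is overwritten with root privileges, and the binary can be swapped between the compile and the `timeout` run. A private directory closes this: `dir=$(mktemp -d /tmp/$prog.XXXXXX) || exit 1`, then `$dir/$prog.c` and `$dir/$prog` throughout, finished with `rm -rf "$dir"`. This looks like the shared stress2 convention (syzkaller92.sh and syzkaller94.sh in this commit use the same lines), so it is probably better fixed once in default.cfg or a common helper than per script.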
@@ -0,0 +1,185 @@ +#!/bin/sh + +# panic: ata_action: ccb 0xfffff80347e777b8, func_code 0x1 should not be allocated from UMA zone +# cpuid = 1 +# time = 1773837671 +# KDB: stack backtrace: +# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0100044980 +# vpanic() at vpanic+0x136/frame 0xfffffe0100044ab0 +# panic() at panic+0x43/frame 0xfffffe0100044b10 +# ata_action() at ata_action+0x3bd/frame 0xfffffe0100044b30 +# passdoioctl() at passdoioctl+0x9be/frame 0xfffffe0100044b80 +# passioctl() at passioctl+0x22/frame 0xfffffe0100044bc0 +# devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe0100044c10 +# VOP_IOCTL_APV() at VOP_IOCTL_APV+0x51/frame 0xfffffe0100044c40 +# vn_ioctl() at vn_ioctl+0x160/frame 0xfffffe0100044cb0 +# devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe0100044cd0 +# kern_ioctl() at kern_ioctl+0x2a1/frame 0xfffffe0100044d40 +# sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe0100044e00 +# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe0100044f30 +# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0100044f30 +# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x823bc5eca, rsp = 0x820d83df8, rbp = 0x820d83e20 --- +# KDB: enter: panic +# [ thread pid 4628 tid 100215 ] +# Stopped at kdb_enter+0x33: movq $0,0x15e9d32(%rip) +# db> x/s version +# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026 +# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO +# db> + +# Reproducer obtained from: Jiaming Zhang +# Bug 293895 - panic: ata_action: ccb ADDR, func_code XXX should not be allocated from UMA zone + +[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 + +. ../default.cfg +set -u +prog=$(basename "$0" .sh) +cat > /tmp/$prog.c < +#include *** 1391 LINES SKIPPED ***