syzkaller-repros/linux/f7a58ce0d580d25ffedb3c3176cc506796d6181f.c - pub/scm/linux/kernel/git/shuah/linux-arts - Git at Google

 // kernel BUG at net/l2tp/l2tp_ppp.c:LINE!
 // https://syzkaller.appspot.com/bug?id=f7a58ce0d580d25ffedb3c3176cc506796d6181f
 // status:fixed
 // autogenerated by syzkaller (http://github.com/google/syzkaller)

 #define _GNU_SOURCE
 #include <endian.h>
 #include <stdint.h>
 #include <string.h>
 #include <sys/syscall.h>
 #include <unistd.h>

 #define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)

 #define BITMASK_LEN_OFF(type, bf_off, bf_len)                                  \
   (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))

 #define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)                      \
   if ((bf_off) == 0 && (bf_len) == 0) {                                        \
     *(type*)(addr) = (type)(val);                                              \
   } else {                                                                     \
     type new_val = *(type*)(addr);                                             \
     new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));                     \
     new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off);          \
     *(type*)(addr) = new_val;                                                  \
   }

 #ifndef __NR_bpf
 #define __NR_bpf 321
 #endif

 long r[4];
 void loop()
 {
   memset(r, -1, sizeof(r));
   syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
   r[0] = syscall(__NR_socket, 0xf, 3, 2);
   *(uint32_t*)0x20eb0fb8 = 1;
   *(uint32_t*)0x20eb0fbc = 3;
   *(uint64_t*)0x20eb0fc0 = 0x209ff000;
   *(uint64_t*)0x20eb0fc8 = 0x202bf000;
   *(uint32_t*)0x20eb0fd0 = 4;
   *(uint32_t*)0x20eb0fd4 = 0xb7;
   *(uint64_t*)0x20eb0fd8 = 0x20061f49;
   *(uint32_t*)0x20eb0fe0 = 0;
   *(uint32_t*)0x20eb0fe4 = 0;
   *(uint8_t*)0x20eb0fe8 = 0;
   *(uint8_t*)0x20eb0fe9 = 0;
   *(uint8_t*)0x20eb0fea = 0;
   *(uint8_t*)0x20eb0feb = 0;
   *(uint8_t*)0x20eb0fec = 0;
   *(uint8_t*)0x20eb0fed = 0;
   *(uint8_t*)0x20eb0fee = 0;
   *(uint8_t*)0x20eb0fef = 0;
   *(uint8_t*)0x20eb0ff0 = 0;
   *(uint8_t*)0x20eb0ff1 = 0;
   *(uint8_t*)0x20eb0ff2 = 0;
   *(uint8_t*)0x20eb0ff3 = 0;
   *(uint8_t*)0x20eb0ff4 = 0;
   *(uint8_t*)0x20eb0ff5 = 0;
   *(uint8_t*)0x20eb0ff6 = 0;
   *(uint8_t*)0x20eb0ff7 = 0;
   *(uint32_t*)0x20eb0ff8 = 0;
   *(uint8_t*)0x209ff000 = 0x18;
   STORE_BY_BITMASK(uint8_t, 0x209ff001, 0, 0, 4);
   STORE_BY_BITMASK(uint8_t, 0x209ff001, 0, 4, 4);
   *(uint16_t*)0x209ff002 = 0;
   *(uint32_t*)0x209ff004 = 0;
   *(uint8_t*)0x209ff008 = 0;
   *(uint8_t*)0x209ff009 = 0;
   *(uint16_t*)0x209ff00a = 0;
   *(uint32_t*)0x209ff00c = 0;
   *(uint8_t*)0x209ff010 = 0x95;
   *(uint8_t*)0x209ff011 = 0;
   *(uint16_t*)0x209ff012 = 0;
   *(uint32_t*)0x209ff014 = 0;
   memcpy((void*)0x202bf000, "syzkaller", 10);
   r[1] = syscall(__NR_bpf, 5, 0x20eb0fb8, 0x48);
   syscall(__NR_close, r[0]);
   r[2] = syscall(__NR_socket, 0x18, 0, 1);
   *(uint64_t*)0x20004fc4 = 0x20003000;
   *(uint32_t*)0x20004fcc = 0x1c;
   *(uint64_t*)0x20004fd4 = 0x20004fa0;
   *(uint64_t*)0x20004fdc = 1;
   *(uint64_t*)0x20004fe4 = 0x20002d30;
   *(uint64_t*)0x20004fec = 0;
   *(uint32_t*)0x20004ff4 = 0;
   *(uint32_t*)0x20004ffc = 0;
   *(uint16_t*)0x20003000 = 0xa;
   *(uint16_t*)0x20003002 = 0;
   *(uint32_t*)0x20003004 = 0;
   *(uint8_t*)0x20003008 = 0xfe;
   *(uint8_t*)0x20003009 = 0x80;
   *(uint8_t*)0x2000300a = 0;
   *(uint8_t*)0x2000300b = 0;
   *(uint8_t*)0x2000300c = 0;
   *(uint8_t*)0x2000300d = 0;
   *(uint8_t*)0x2000300e = 0;
   *(uint8_t*)0x2000300f = 0;
   *(uint8_t*)0x20003010 = 0;
   *(uint8_t*)0x20003011 = 0;
   *(uint8_t*)0x20003012 = 0;
   *(uint8_t*)0x20003013 = 0;
   *(uint8_t*)0x20003014 = 0;
   *(uint8_t*)0x20003015 = 0;
   *(uint8_t*)0x20003016 = 0;
   *(uint8_t*)0x20003017 = 0xbb;
   *(uint32_t*)0x20003018 = 0;
   *(uint64_t*)0x20004fa0 = 0x20002000;
   *(uint64_t*)0x20004fa8 = 0x1f;
   memcpy((void*)0x20002000, "\x4c\x56\x14\xc0\x04\x01\xa0\xdb\xf8\xa6\x69\xeb"
                             "\xde\xdd\x10\x2c\x4f\x7a\x79\xe6\x06\x45\x7d\xfd"
                             "\xf0\x9e\x2e\xc2\xed\x25\x3b",
          31);
   syscall(__NR_sendmmsg, -1, 0x20004fc4, 1, 0);
   *(uint16_t*)0x20002000 = 0x1f;
   *(uint8_t*)0x20002002 = 1;
   *(uint8_t*)0x20002003 = 0;
   *(uint8_t*)0x20002004 = 0;
   *(uint8_t*)0x20002005 = 0;
   *(uint8_t*)0x20002006 = 0;
   *(uint8_t*)0x20002007 = 0;
   syscall(__NR_connect, r[2], 0x20002000, 0x26);
   r[3] = syscall(__NR_socket, 0x29, 0x400000002, 0);
   *(uint32_t*)0x20186ff8 = r[0];
   *(uint32_t*)0x20186ffc = r[1];
   syscall(__NR_ioctl, r[3], 0x89e0, 0x20186ff8);
   *(uint64_t*)0x201fcfc8 = 0;
   *(uint32_t*)0x201fcfd0 = 0;
   *(uint64_t*)0x201fcfd8 = 0x200cfff0;
   *(uint64_t*)0x201fcfe0 = 1;
   *(uint64_t*)0x201fcfe8 = 0;
   *(uint64_t*)0x201fcff0 = 0;
   *(uint32_t*)0x201fcff8 = 0;
   *(uint64_t*)0x200cfff0 = 0x20e90ff0;
   *(uint64_t*)0x200cfff8 = 0xfd5f;
   *(uint8_t*)0x20e90ff0 = 2;
   *(uint8_t*)0x20e90ff1 = 0;
   *(uint8_t*)0x20e90ff2 = 0;
   *(uint8_t*)0x20e90ff3 = 0;
   *(uint16_t*)0x20e90ff4 = 2;
   *(uint16_t*)0x20e90ff6 = 0;
   *(uint32_t*)0x20e90ff8 = 0;
   *(uint32_t*)0x20e90ffc = 0;
   syscall(__NR_sendmsg, r[3], 0x201fcfc8, 0);
 }

 int main()
 {
   loop();
   return 0;
 }
	// kernel BUG at net/l2tp/l2tp_ppp.c:LINE!
	// https://syzkaller.appspot.com/bug?id=f7a58ce0d580d25ffedb3c3176cc506796d6181f
	// status:fixed
	// autogenerated by syzkaller (http://github.com/google/syzkaller)

	#define _GNU_SOURCE
	#include <endian.h>
	#include <stdint.h>
	#include <string.h>
	#include <sys/syscall.h>
	#include <unistd.h>

	#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)

	#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
	(type)(BITMASK_LEN(type, (bf_len)) << (bf_off))

	#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len) \
	if ((bf_off) == 0 && (bf_len) == 0) { \
	(type)(addr) = (type)(val); \
	} else { \
	type new_val = (type)(addr); \
	new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len)); \
	new_val \|= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \
	(type)(addr) = new_val; \
	}

	#ifndef __NR_bpf
	#define __NR_bpf 321
	#endif

	long r[4];
	void loop()
	{
	memset(r, -1, sizeof(r));
	syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
	r[0] = syscall(__NR_socket, 0xf, 3, 2);
	(uint32_t)0x20eb0fb8 = 1;
	(uint32_t)0x20eb0fbc = 3;
	(uint64_t)0x20eb0fc0 = 0x209ff000;
	(uint64_t)0x20eb0fc8 = 0x202bf000;
	(uint32_t)0x20eb0fd0 = 4;
	(uint32_t)0x20eb0fd4 = 0xb7;
	(uint64_t)0x20eb0fd8 = 0x20061f49;
	(uint32_t)0x20eb0fe0 = 0;
	(uint32_t)0x20eb0fe4 = 0;
	(uint8_t)0x20eb0fe8 = 0;
	(uint8_t)0x20eb0fe9 = 0;
	(uint8_t)0x20eb0fea = 0;
	(uint8_t)0x20eb0feb = 0;
	(uint8_t)0x20eb0fec = 0;
	(uint8_t)0x20eb0fed = 0;
	(uint8_t)0x20eb0fee = 0;
	(uint8_t)0x20eb0fef = 0;
	(uint8_t)0x20eb0ff0 = 0;
	(uint8_t)0x20eb0ff1 = 0;
	(uint8_t)0x20eb0ff2 = 0;
	(uint8_t)0x20eb0ff3 = 0;
	(uint8_t)0x20eb0ff4 = 0;
	(uint8_t)0x20eb0ff5 = 0;
	(uint8_t)0x20eb0ff6 = 0;
	(uint8_t)0x20eb0ff7 = 0;
	(uint32_t)0x20eb0ff8 = 0;
	(uint8_t)0x209ff000 = 0x18;
	STORE_BY_BITMASK(uint8_t, 0x209ff001, 0, 0, 4);
	STORE_BY_BITMASK(uint8_t, 0x209ff001, 0, 4, 4);
	(uint16_t)0x209ff002 = 0;
	(uint32_t)0x209ff004 = 0;
	(uint8_t)0x209ff008 = 0;
	(uint8_t)0x209ff009 = 0;
	(uint16_t)0x209ff00a = 0;
	(uint32_t)0x209ff00c = 0;
	(uint8_t)0x209ff010 = 0x95;
	(uint8_t)0x209ff011 = 0;
	(uint16_t)0x209ff012 = 0;
	(uint32_t)0x209ff014 = 0;
	memcpy((void*)0x202bf000, "syzkaller", 10);
	r[1] = syscall(__NR_bpf, 5, 0x20eb0fb8, 0x48);
	syscall(__NR_close, r[0]);
	r[2] = syscall(__NR_socket, 0x18, 0, 1);
	(uint64_t)0x20004fc4 = 0x20003000;
	(uint32_t)0x20004fcc = 0x1c;
	(uint64_t)0x20004fd4 = 0x20004fa0;
	(uint64_t)0x20004fdc = 1;
	(uint64_t)0x20004fe4 = 0x20002d30;
	(uint64_t)0x20004fec = 0;
	(uint32_t)0x20004ff4 = 0;
	(uint32_t)0x20004ffc = 0;
	(uint16_t)0x20003000 = 0xa;
	(uint16_t)0x20003002 = 0;
	(uint32_t)0x20003004 = 0;
	(uint8_t)0x20003008 = 0xfe;
	(uint8_t)0x20003009 = 0x80;
	(uint8_t)0x2000300a = 0;
	(uint8_t)0x2000300b = 0;
	(uint8_t)0x2000300c = 0;
	(uint8_t)0x2000300d = 0;
	(uint8_t)0x2000300e = 0;
	(uint8_t)0x2000300f = 0;
	(uint8_t)0x20003010 = 0;
	(uint8_t)0x20003011 = 0;
	(uint8_t)0x20003012 = 0;
	(uint8_t)0x20003013 = 0;
	(uint8_t)0x20003014 = 0;
	(uint8_t)0x20003015 = 0;
	(uint8_t)0x20003016 = 0;
	(uint8_t)0x20003017 = 0xbb;
	(uint32_t)0x20003018 = 0;
	(uint64_t)0x20004fa0 = 0x20002000;
	(uint64_t)0x20004fa8 = 0x1f;
	memcpy((void*)0x20002000, "\x4c\x56\x14\xc0\x04\x01\xa0\xdb\xf8\xa6\x69\xeb"
	"\xde\xdd\x10\x2c\x4f\x7a\x79\xe6\x06\x45\x7d\xfd"
	"\xf0\x9e\x2e\xc2\xed\x25\x3b",
	31);
	syscall(__NR_sendmmsg, -1, 0x20004fc4, 1, 0);
	(uint16_t)0x20002000 = 0x1f;
	(uint8_t)0x20002002 = 1;
	(uint8_t)0x20002003 = 0;
	(uint8_t)0x20002004 = 0;
	(uint8_t)0x20002005 = 0;
	(uint8_t)0x20002006 = 0;
	(uint8_t)0x20002007 = 0;
	syscall(__NR_connect, r[2], 0x20002000, 0x26);
	r[3] = syscall(__NR_socket, 0x29, 0x400000002, 0);
	(uint32_t)0x20186ff8 = r[0];
	(uint32_t)0x20186ffc = r[1];
	syscall(__NR_ioctl, r[3], 0x89e0, 0x20186ff8);
	(uint64_t)0x201fcfc8 = 0;
	(uint32_t)0x201fcfd0 = 0;
	(uint64_t)0x201fcfd8 = 0x200cfff0;
	(uint64_t)0x201fcfe0 = 1;
	(uint64_t)0x201fcfe8 = 0;
	(uint64_t)0x201fcff0 = 0;
	(uint32_t)0x201fcff8 = 0;
	(uint64_t)0x200cfff0 = 0x20e90ff0;
	(uint64_t)0x200cfff8 = 0xfd5f;
	(uint8_t)0x20e90ff0 = 2;
	(uint8_t)0x20e90ff1 = 0;
	(uint8_t)0x20e90ff2 = 0;
	(uint8_t)0x20e90ff3 = 0;
	(uint16_t)0x20e90ff4 = 2;
	(uint16_t)0x20e90ff6 = 0;
	(uint32_t)0x20e90ff8 = 0;
	(uint32_t)0x20e90ffc = 0;
	syscall(__NR_sendmsg, r[3], 0x201fcfc8, 0);
	}

	int main()
	{
	loop();
	return 0;
	}