syzkaller-repros/linux/9b0d1b176be765385ff290f833f1a86c40101dbe.c - pub/scm/linux/kernel/git/shuah/linux-arts - Git at Google

 // KASAN: slab-out-of-bounds Read in _autofs_dev_ioctl
 // https://syzkaller.appspot.com/bug?id=9b0d1b176be765385ff290f833f1a86c40101dbe
 // status:fixed
 // autogenerated by syzkaller (https://github.com/google/syzkaller)

 #define _GNU_SOURCE

 #include <endian.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
 #include <unistd.h>

 uint64_t r[1] = {0xffffffffffffffff};

 int main()
 {
   syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
   long res = 0;
   syscall(__NR_socket, 0xa, 0x1000000000002, 0);
   memcpy((void*)0x200013c0, "./file0", 8);
   syscall(__NR_mkdir, 0x200013c0, 0);
   memcpy((void*)0x20000080, "./file0", 8);
   memcpy((void*)0x20026ff8, "./file0", 8);
   memcpy((void*)0x2000c000, "ramfs", 6);
   syscall(__NR_mount, 0x20000080, 0x20026ff8, 0x2000c000, 0, 0x2000a000);
   memcpy((void*)0x20000000, "./file0", 8);
   syscall(__NR_chdir, 0x20000000);
   memcpy((void*)0x20000100, "./bus", 6);
   syscall(__NR_creat, 0x20000100, 0);
   memcpy((void*)0x20000040, "/dev/autofs", 12);
   res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
   if (res != -1)
     r[0] = res;
   memcpy((void*)0x20000180, "\x01\x00\x00\x00\x00\x00\x00\x00\x18\x01\x00\x00"
                             "\x04\x00\x00\x00\xfc\x23\x2f\xf4\x1c\xd8\x49\x83"
                             "\x2f",
          25);
   syscall(__NR_ioctl, r[0], 0x800000000000937e, 0x20000180);
   return 0;
 }
	// KASAN: slab-out-of-bounds Read in _autofs_dev_ioctl
	// https://syzkaller.appspot.com/bug?id=9b0d1b176be765385ff290f833f1a86c40101dbe
	// status:fixed
	// autogenerated by syzkaller (https://github.com/google/syzkaller)

	#define _GNU_SOURCE

	#include <endian.h>
	#include <stdint.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <sys/syscall.h>
	#include <sys/types.h>
	#include <unistd.h>

	uint64_t r[1] = {0xffffffffffffffff};

	int main()
	{
	syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
	long res = 0;
	syscall(__NR_socket, 0xa, 0x1000000000002, 0);
	memcpy((void*)0x200013c0, "./file0", 8);
	syscall(__NR_mkdir, 0x200013c0, 0);
	memcpy((void*)0x20000080, "./file0", 8);
	memcpy((void*)0x20026ff8, "./file0", 8);
	memcpy((void*)0x2000c000, "ramfs", 6);
	syscall(__NR_mount, 0x20000080, 0x20026ff8, 0x2000c000, 0, 0x2000a000);
	memcpy((void*)0x20000000, "./file0", 8);
	syscall(__NR_chdir, 0x20000000);
	memcpy((void*)0x20000100, "./bus", 6);
	syscall(__NR_creat, 0x20000100, 0);
	memcpy((void*)0x20000040, "/dev/autofs", 12);
	res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
	if (res != -1)
	r[0] = res;
	memcpy((void*)0x20000180, "\x01\x00\x00\x00\x00\x00\x00\x00\x18\x01\x00\x00"
	"\x04\x00\x00\x00\xfc\x23\x2f\xf4\x1c\xd8\x49\x83"
	"\x2f",
	25);
	syscall(__NR_ioctl, r[0], 0x800000000000937e, 0x20000180);
	return 0;
	}