| // KASAN: null-ptr-deref Read in refcount_sub_and_test_checked |
| // https://syzkaller.appspot.com/bug?id=5f31b30406d84a86d4b7a42c103f6eda07eed137 |
| // status:fixed |
| // autogenerated by syzkaller (https://github.com/google/syzkaller) |
| |
| #define _GNU_SOURCE |
| |
| #include <endian.h> |
| #include <fcntl.h> |
| #include <stdint.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <sys/stat.h> |
| #include <sys/syscall.h> |
| #include <sys/types.h> |
| #include <unistd.h> |
| |
| static long syz_open_dev(long a0, long a1, long a2) |
| { |
| if (a0 == 0xc || a0 == 0xb) { |
| char buf[128]; |
| sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, |
| (uint8_t)a2); |
| return open(buf, O_RDWR, 0); |
| } else { |
| char buf[1024]; |
| char* hash; |
| strncpy(buf, (char*)a0, sizeof(buf) - 1); |
| buf[sizeof(buf) - 1] = 0; |
| while ((hash = strchr(buf, '#'))) { |
| *hash = '0' + (char)(a1 % 10); |
| a1 /= 10; |
| } |
| return open(buf, a2, 0); |
| } |
| } |
| |
| uint64_t r[1] = {0xffffffffffffffff}; |
| |
| int main(void) |
| { |
| syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); |
| long res = 0; |
| memcpy((void*)0x20000000, "/dev/video#", 12); |
| res = syz_open_dev(0x20000000, 0xe15, 0); |
| if (res != -1) |
| r[0] = res; |
| *(uint32_t*)0x20000100 = 5; |
| *(uint32_t*)0x20000104 = 2; |
| *(uint32_t*)0x20000108 = 1; |
| *(uint32_t*)0x2000010c = 0; |
| *(uint32_t*)0x20000110 = 0; |
| syscall(__NR_ioctl, r[0], 0xc0145608, 0x20000100); |
| *(uint32_t*)0x20000140 = 0x5f56e7c2; |
| *(uint32_t*)0x20000144 = 0xffff; |
| *(uint32_t*)0x20000148 = 2; |
| *(uint32_t*)0x20000150 = 2; |
| *(uint16_t*)0x20000158 = 4; |
| *(uint16_t*)0x2000015a = 0xfff; |
| *(uint16_t*)0x2000015c = 0x400; |
| *(uint16_t*)0x2000015e = 0x81; |
| *(uint16_t*)0x20000160 = 5; |
| *(uint16_t*)0x20000162 = 5; |
| *(uint16_t*)0x20000164 = 0; |
| *(uint16_t*)0x20000166 = 5; |
| *(uint16_t*)0x20000168 = 0xfff8; |
| *(uint16_t*)0x2000016a = 7; |
| *(uint16_t*)0x2000016c = 0x40; |
| *(uint16_t*)0x2000016e = 0x1f; |
| *(uint16_t*)0x20000170 = 8; |
| *(uint16_t*)0x20000172 = 1; |
| *(uint16_t*)0x20000174 = 0xead8; |
| *(uint16_t*)0x20000176 = 6; |
| *(uint16_t*)0x20000178 = 9; |
| *(uint16_t*)0x2000017a = 3; |
| *(uint16_t*)0x2000017c = 0x7b; |
| *(uint16_t*)0x2000017e = 5; |
| *(uint16_t*)0x20000180 = 7; |
| *(uint16_t*)0x20000182 = 0x645; |
| *(uint16_t*)0x20000184 = 0x409; |
| *(uint16_t*)0x20000186 = 3; |
| *(uint16_t*)0x20000188 = 0x100; |
| *(uint16_t*)0x2000018a = -1; |
| *(uint16_t*)0x2000018c = 0xfff; |
| *(uint16_t*)0x2000018e = 9; |
| *(uint16_t*)0x20000190 = 0; |
| *(uint16_t*)0x20000192 = 0x97fc; |
| *(uint16_t*)0x20000194 = 0x7ff; |
| *(uint16_t*)0x20000196 = 5; |
| *(uint16_t*)0x20000198 = 5; |
| *(uint16_t*)0x2000019a = 6; |
| *(uint16_t*)0x2000019c = 0x100; |
| *(uint16_t*)0x2000019e = 0xf413; |
| *(uint16_t*)0x200001a0 = 3; |
| *(uint16_t*)0x200001a2 = 0x1aef; |
| *(uint16_t*)0x200001a4 = -1; |
| *(uint16_t*)0x200001a6 = 8; |
| *(uint16_t*)0x200001a8 = 0x80; |
| *(uint16_t*)0x200001aa = 1; |
| *(uint16_t*)0x200001ac = 7; |
| *(uint16_t*)0x200001ae = 0xf870; |
| *(uint16_t*)0x200001b0 = 7; |
| *(uint16_t*)0x200001b2 = 4; |
| *(uint16_t*)0x200001b4 = 1; |
| *(uint16_t*)0x200001b6 = 6; |
| *(uint16_t*)0x200001b8 = 0xd4a; |
| *(uint32_t*)0x200001bc = 0x34; |
| *(uint32_t*)0x200001c0 = 0; |
| *(uint32_t*)0x200001c4 = 0; |
| *(uint32_t*)0x20000220 = 0; |
| *(uint32_t*)0x20000224 = 0; |
| *(uint32_t*)0x20000228 = 0; |
| *(uint32_t*)0x2000022c = 0; |
| *(uint32_t*)0x20000230 = 0; |
| *(uint32_t*)0x20000234 = 0; |
| *(uint32_t*)0x20000238 = 0; |
| *(uint32_t*)0x2000023c = 0; |
| syscall(__NR_ioctl, r[0], 0xc100565c, 0x20000140); |
| return 0; |
| } |
