// BUG: unable to handle kernel paging request in htab_map_alloc
// https://syzkaller.appspot.com/bug?id=b09d267ce7293c2ed7895601b37cdd5dff79e96b
// status:invalid
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
/*
 * Terminate the whole process with `status` through a raw exit_group(2)
 * syscall, so no libc exit handlers run. Never returns.
 */
__attribute__((noreturn)) static void doexit(int status)
{
	volatile unsigned spin;

	syscall(__NR_exit_group, status);

	/*
	 * exit_group is not expected to return. The endless loop upholds the
	 * noreturn attribute if it ever does; the counter is volatile so the
	 * compiler cannot drop the loop.
	 */
	spin = 0;
	while (1) {
		spin++;
	}
}
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <string.h>
/* Per-thread nesting count of NONFAILING() sections currently executing. */
static __thread int skip_segv;
/* Per-thread jump target saved by NONFAILING() before the guarded statement. */
static __thread jmp_buf segv_env;

/*
 * SIGSEGV/SIGBUS handler (installed by install_segv_handler()).
 *
 * A fault is swallowed only when both conditions hold:
 *   - the thread is inside a NONFAILING() section (skip_segv != 0), and
 *   - the faulting address lies outside [1 MiB, 100 MiB], which the names
 *     prog_start/prog_end suggest is the program's own image -- TODO confirm.
 * In that case control jumps back to the _setjmp() in NONFAILING(). Any other
 * fault ends the process, with the signal number as exit status.
 *
 * The data region that main() maps at 0x20000000 lies above prog_end, so
 * guarded accesses to it are recoverable. `uctx` is unused.
 */
static void segv_handler(int sig, siginfo_t* info, void* uctx)
{
	const uintptr_t prog_start = 1 << 20;
	const uintptr_t prog_end = 100 << 20;
	uintptr_t fault_addr = (uintptr_t)info->si_addr;
	int in_guarded_access = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0;
	int outside_program = !(fault_addr >= prog_start && fault_addr <= prog_end);

	if (in_guarded_access && outside_program) {
		_longjmp(segv_env, 1);
	}
	doexit(sig);
}
/*
 * Set up signal dispositions for the reproducer:
 *   - signals 0x20 and 0x21 (32, 33) are set to SIG_IGN through the raw
 *     rt_sigaction syscall; on glibc these numbers are reserved for the
 *     threading implementation, which is presumably why libc's sigaction()
 *     is not used for them;
 *   - SIGSEGV and SIGBUS are routed to segv_handler().
 *
 * Return values are ignored, so a failed installation goes unnoticed.
 *
 * NOTE(review): the raw syscall receives libc's struct sigaction, whose
 * layout is not the kernel's. This looks safe only because the struct is
 * zeroed apart from the handler pointer at offset 0 -- confirm.
 */
static void install_segv_handler()
{
	static const int rt_signals[] = {0x20, 0x21};
	struct sigaction ignore_act;
	struct sigaction fault_act;
	unsigned k;

	memset(&ignore_act, 0, sizeof(ignore_act));
	ignore_act.sa_handler = SIG_IGN;
	for (k = 0; k < sizeof(rt_signals) / sizeof(rt_signals[0]); k++) {
		/* Last argument is the kernel sigset size in bytes. */
		syscall(SYS_rt_sigaction, rt_signals[k], &ignore_act, NULL, 8);
	}

	memset(&fault_act, 0, sizeof(fault_act));
	fault_act.sa_sigaction = segv_handler;
	/*
	 * SA_SIGINFO: the handler needs si_addr. SA_NODEFER: the handler leaves
	 * via _longjmp(), which does not restore the signal mask, so the signal
	 * must not be blocked while the handler runs or a later fault could not
	 * be caught.
	 */
	fault_act.sa_flags = SA_NODEFER | SA_SIGINFO;
	sigaction(SIGSEGV, &fault_act, NULL);
	sigaction(SIGBUS, &fault_act, NULL);
}
/*
 * NONFAILING(stmt): run `stmt` so that a SIGSEGV/SIGBUS raised by it is
 * survived instead of killing the process.
 *
 * Sequence: bump the per-thread skip_segv counter, save a jump target with
 * _setjmp(), run the statement, then drop the counter again. If the
 * statement faults, segv_handler() _longjmp()s back here, _setjmp() returns
 * non-zero and the statement is skipped; the decrement still runs.
 *
 * _setjmp/_longjmp do not save or restore the signal mask, which is why the
 * handler is installed with SA_NODEFER.
 *
 * The macro expands to a bare brace block rather than do { } while (0), so
 * `NONFAILING(x);` inside an unbraced if/else would detach the else.
 * segv_env is a single per-thread buffer: a nested use overwrites the outer
 * jump target.
 */
#define NONFAILING(...) \
{ \
__atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \
if (_setjmp(segv_env) == 0) { \
__VA_ARGS__; \
} \
__atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \
}
/* Forward declaration; the definition follows further down in this file. */
static void execute_one();
/* Declared by the generator; not referenced anywhere in the visible file. */
extern unsigned long long procid;

/* Replay the recorded syscall sequence forever; never returns. */
void loop()
{
	for (;;) {
		execute_one();
	}
}
/*
 * Fallback for toolchains whose headers predate bpf(2). 321 is the x86-64
 * syscall number, so this default is only correct on that architecture.
 */
#ifndef __NR_bpf
#define __NR_bpf 321
#endif
/*
 * One iteration of the recorded sequence: a bpf(2) map-creation call followed
 * by an openat(2) of /dev/dsp. All memory writes go to fixed addresses inside
 * the region main() maps at 0x20000000 and are wrapped in NONFAILING(), so a
 * missing mapping is tolerated rather than fatal. Syscall return values are
 * discarded; any descriptor returned is never closed in the visible code.
 *
 * Field names below follow the Linux uapi `union bpf_attr` layout for map
 * creation -- confirm against the target kernel's headers. The file header
 * ties this sequence to a fault reported in htab_map_alloc and marks the
 * report status as invalid.
 */
void execute_one()
{
/* Attribute block: 0x2c bytes at 0x20214fd4, ending exactly at 0x20215000. */
NONFAILING(*(uint32_t*)0x20214fd4 = 5); /* map_type: 5 = BPF_MAP_TYPE_PERCPU_HASH */
NONFAILING(*(uint32_t*)0x20214fd8 = 9); /* key_size in bytes */
NONFAILING(*(uint32_t*)0x20214fdc = 4); /* value_size in bytes */
NONFAILING(*(uint32_t*)0x20214fe0 = 0x208); /* max_entries (520) */
NONFAILING(*(uint32_t*)0x20214fe4 = 0); /* map_flags */
NONFAILING(*(uint32_t*)0x20214fe8 = -1); /* inner_map_fd: none */
NONFAILING(*(uint32_t*)0x20214fec = 0); /* numa_node */
/* map_name[16]: bytes 0x5f ('_') and 0x0a (newline), then zero padding. */
NONFAILING(*(uint8_t*)0x20214ff0 = 0x5f);
NONFAILING(*(uint8_t*)0x20214ff1 = 0xa);
NONFAILING(*(uint8_t*)0x20214ff2 = 0);
NONFAILING(*(uint8_t*)0x20214ff3 = 0);
NONFAILING(*(uint8_t*)0x20214ff4 = 0);
NONFAILING(*(uint8_t*)0x20214ff5 = 0);
NONFAILING(*(uint8_t*)0x20214ff6 = 0);
NONFAILING(*(uint8_t*)0x20214ff7 = 0);
NONFAILING(*(uint8_t*)0x20214ff8 = 0);
NONFAILING(*(uint8_t*)0x20214ff9 = 0);
NONFAILING(*(uint8_t*)0x20214ffa = 0);
NONFAILING(*(uint8_t*)0x20214ffb = 0);
NONFAILING(*(uint8_t*)0x20214ffc = 0);
NONFAILING(*(uint8_t*)0x20214ffd = 0);
NONFAILING(*(uint8_t*)0x20214ffe = 0);
NONFAILING(*(uint8_t*)0x20214fff = 0);
/* bpf(cmd = 0 i.e. BPF_MAP_CREATE, attr, size = 0x2c). */
syscall(__NR_bpf, 0, 0x20214fd4, 0x2c);
/* Path string including its NUL terminator (9 bytes) at the region start. */
NONFAILING(memcpy((void*)0x20000000, "/dev/dsp", 9));
/* openat(dirfd = -100 i.e. AT_FDCWD, "/dev/dsp", flags = 0, mode = 0). */
syscall(__NR_openat, 0xffffffffffffff9c, 0x20000000, 0, 0);
}
/*
 * Entry point: map the fixed data region that the recorded sequence writes
 * to, install the fault handlers, then replay the sequence forever.
 */
int main()
{
	/*
	 * 16 MiB at the fixed address 0x20000000. With Linux values, prot 3 is
	 * PROT_READ|PROT_WRITE and flags 0x32 is
	 * MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS; fd is -1 and offset 0.
	 * The result is not checked: if the mapping fails, the guarded writes in
	 * execute_one() fault and are skipped silently.
	 */
	syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
	install_segv_handler();
	while (1) {
		loop();
	}
}