// general protection fault in nfulnl_recv_config
// https://syzkaller.appspot.com/bug?id=b7259acb8c8386e8716c66b5491883b413cf53ce
// status:open
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
// Slot for the single resource this reproducer creates: loop() stores the
// return value of its socket() call in r[0] and passes it to sendmsg().
long r[1];
// Single reproducer iteration: map a fixed anonymous region, assemble one
// netlink request in it by storing to hard-coded addresses, and send it on a
// raw netlink socket. Per the file header, this is the syzkaller reproducer
// for a general protection fault in nfulnl_recv_config; its intended use is
// as a regression check against a test kernel.
//
// No return value is checked, so a failed mmap/socket/sendmsg goes unnoticed
// (a failed mmap would make the stores below fault in this process instead).
//
// NOTE(review): the constant names in the comments below are the Linux uapi
// names these numbers appear to correspond to, and the struct offsets assume
// a 64-bit little-endian layout - confirm against the target kernel headers.
// NOTE(review): nfnetlink normally gates requests on CAP_NET_ADMIN in the
// socket's network namespace - confirm for the kernel under test, since that
// decides which users can reach this code path.
void loop()
{
// Fill the fd slot with 0xff bytes, i.e. -1 ("no descriptor yet").
memset(r, -1, sizeof(r));
// prot 3 = PROT_READ|PROT_WRITE, flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS:
// zero-filled scratch memory covering every address written below.
syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
// socket(0x10, 3, 0xc): presumably AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER.
r[0] = syscall(__NR_socket, 0x10, 3, 0xc);
// --- struct msghdr at 0x20dddfc8 ---
*(uint64_t*)0x20dddfc8 = 0x20f8d000; // msg_name -> sockaddr below
*(uint32_t*)0x20dddfd0 = 0xc;        // msg_namelen = 12
*(uint64_t*)0x20dddfd8 = 0x208a7000; // msg_iov -> iovec below
*(uint64_t*)0x20dddfe0 = 1;          // msg_iovlen = 1
*(uint64_t*)0x20dddfe8 = 0;          // msg_control = NULL
*(uint64_t*)0x20dddff0 = 0;          // msg_controllen = 0
*(uint32_t*)0x20dddff8 = 0;          // msg_flags = 0
// --- destination address at 0x20f8d000 (looks like struct sockaddr_nl) ---
*(uint16_t*)0x20f8d000 = 0x10;       // nl_family, same value as the socket domain
*(uint16_t*)0x20f8d002 = 0;          // nl_pad
*(uint32_t*)0x20f8d004 = 0;          // nl_pid = 0 (presumably the kernel)
*(uint32_t*)0x20f8d008 = 0;          // nl_groups = 0
// --- struct iovec at 0x208a7000: one 0x2c-byte buffer ---
*(uint64_t*)0x208a7000 = 0x2023df9c; // iov_base -> message below
*(uint64_t*)0x208a7008 = 0x2c;       // iov_len = 44
// --- netlink message at 0x2023df9c (looks like struct nlmsghdr) ---
*(uint32_t*)0x2023df9c = 0x2c;       // nlmsg_len = 44, matches iov_len
// nlmsg_type is written as two bytes: low byte 1, high byte 4.
// Presumably subsystem 4 (NFNL_SUBSYS_ULOG), message 1 (NFULNL_MSG_CONFIG).
*(uint8_t*)0x2023dfa0 = 1;
*(uint8_t*)0x2023dfa1 = 4;
*(uint16_t*)0x2023dfa2 = 0x101;      // nlmsg_flags: NLM_F_REQUEST (0x1) plus bit 0x100
*(uint32_t*)0x2023dfa4 = 0;          // nlmsg_seq
*(uint32_t*)0x2023dfa8 = 0;          // nlmsg_pid
// --- 4 bytes following the header (looks like struct nfgenmsg) ---
*(uint8_t*)0x2023dfac = 0;           // nfgen_family
*(uint8_t*)0x2023dfad = 0;           // version
*(uint16_t*)0x2023dfae = htobe16(0); // res_id, big-endian 0
// --- attribute 1: nla_len 0xc, nla_type 1 (presumably NFULA_CFG_CMD) ---
*(uint16_t*)0x2023dfb0 = 0xc;
*(uint16_t*)0x2023dfb2 = 1;
// Payload bytes 0x2023dfb4..0x2023dfb7 are never written, so they keep the
// zero fill of the fresh mapping; only the second payload word is set.
*(uint32_t*)0x2023dfb8 = htobe32(0x7f000001);
// --- attribute 2: nla_len 0xc, nla_type 2 (presumably NFULA_CFG_MODE) ---
*(uint16_t*)0x2023dfbc = 0xc;
*(uint16_t*)0x2023dfbe = 2;
// 5 of the 8 payload bytes are fuzzer-chosen; the remaining 3 stay zero.
memcpy((void*)0x2023dfc0, "\xbb\xaf\xad\xb6\x7d", 5);
// Send the assembled message; the reported fault is on the kernel's receive
// side, so the result of this call is not inspected.
syscall(__NR_sendmsg, r[0], 0x20dddfc8, 0);
}
// Entry point: run the reproducer body exactly once, then exit with status 0
// regardless of whether any of its system calls succeeded.
int main()
{
	loop();

	return 0;
}