syzkaller-repros/linux/3aacade388873fa82bd6d2efb6aaa9ab85964020.c - pub/scm/linux/kernel/git/shuah/linux-arts - Git at Google

 // KASAN: slab-out-of-bounds Read in do_jit
 // https://syzkaller.appspot.com/bug?id=3aacade388873fa82bd6d2efb6aaa9ab85964020
 // status:fixed
 // autogenerated by syzkaller (https://github.com/google/syzkaller)

 #define _GNU_SOURCE

 #include <endian.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
 #include <unistd.h>

 #ifndef __NR_bpf
 #define __NR_bpf 321
 #endif

 int main(void)
 {
   syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);

   *(uint32_t*)0x20000180 = 1;
   *(uint32_t*)0x20000184 = 4;
   *(uint64_t*)0x20000188 = 0x20001fd8;
   memcpy((void*)0x20001fd8, "\xb4\x00\x00\x00\x00\x00\x00\x00\xbf\x00\x00\x00"
                             "\x00\x00\x00\x00\x15\x00\xfd\xff\x00\x00\x40\x00"
                             "\x95\x00\x00\x00\x00\x00\x00\x00",
          32);
   *(uint64_t*)0x20000190 = 0x20000080;
   memcpy((void*)0x20000080,
          "GPL\004\2345\024\277w-\240z\350.vY\n6\366I>\301\253\221\263\227\344*"
          "\277\036\246\315\214\327t\'\374\232\236+qe\365+"
          "A\a\277\bP\330\231\334R\320\023\027]\333\033/F "
          "<*\005\267\"\343>Uo\262\343\363\232<"
          "\336\037\312Sd\0037\354\225aF\275\277\313\021Pp\031V1\336]!"
          "\245\352\236c\214+\333x\245\001\312Kn\243\023\330%h\3718,,?"
          "o\253\246\264\356Ty;N\322m\256>R\"P)\273*\300\000\177wuL?#"
          "\316\332\230\t\271\251hJ\224\n\274\252\214\374\307\023>"
          "\304\"\351\3108\2101\215A\351\244\223\360\031_"
          "\342Y\226Q\270\225\004\365\333\241F%\316#f\363=\225\333\251/"
          "\206ry\312\277J\316\335\310Z\212\367\240\372h\327g\316Q6\271\320\321"
          "\226lI\234\266\2774\302\230\206f\227\000\000\000\000\000\000\000\000"
          "\000\000\000",
          248);
   *(uint32_t*)0x20000198 = 0;
   *(uint32_t*)0x2000019c = 0;
   *(uint64_t*)0x200001a0 = 0;
   *(uint32_t*)0x200001a8 = 0;
   *(uint32_t*)0x200001ac = 0;
   *(uint8_t*)0x200001b0 = 0;
   *(uint8_t*)0x200001b1 = 0;
   *(uint8_t*)0x200001b2 = 0;
   *(uint8_t*)0x200001b3 = 0;
   *(uint8_t*)0x200001b4 = 0;
   *(uint8_t*)0x200001b5 = 0;
   *(uint8_t*)0x200001b6 = 0;
   *(uint8_t*)0x200001b7 = 0;
   *(uint8_t*)0x200001b8 = 0;
   *(uint8_t*)0x200001b9 = 0;
   *(uint8_t*)0x200001ba = 0;
   *(uint8_t*)0x200001bb = 0;
   *(uint8_t*)0x200001bc = 0;
   *(uint8_t*)0x200001bd = 0;
   *(uint8_t*)0x200001be = 0;
   *(uint8_t*)0x200001bf = 0;
   *(uint32_t*)0x200001c0 = 0;
   *(uint32_t*)0x200001c4 = 0;
   *(uint32_t*)0x200001c8 = -1;
   *(uint32_t*)0x200001cc = 8;
   *(uint64_t*)0x200001d0 = 0x20000000;
   *(uint32_t*)0x20000000 = 0;
   *(uint32_t*)0x20000004 = 0;
   *(uint32_t*)0x200001d8 = 0xffffffa6;
   *(uint32_t*)0x200001dc = 0x10;
   *(uint64_t*)0x200001e0 = 0x20000000;
   *(uint32_t*)0x20000000 = 0;
   *(uint32_t*)0x20000004 = 0;
   *(uint32_t*)0x20000008 = 0;
   *(uint32_t*)0x2000000c = 0;
   *(uint32_t*)0x200001e8 = 0x10;
   syscall(__NR_bpf, 5, 0x20000180, 0x46);
   return 0;
 }
	// KASAN: slab-out-of-bounds Read in do_jit
	// https://syzkaller.appspot.com/bug?id=3aacade388873fa82bd6d2efb6aaa9ab85964020
	// status:fixed
	// autogenerated by syzkaller (https://github.com/google/syzkaller)

	#define _GNU_SOURCE

	#include <endian.h>
	#include <stdint.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <sys/syscall.h>
	#include <sys/types.h>
	#include <unistd.h>

	#ifndef __NR_bpf
	#define __NR_bpf 321
	#endif

	int main(void)
	{
	syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);

	(uint32_t)0x20000180 = 1;
	(uint32_t)0x20000184 = 4;
	(uint64_t)0x20000188 = 0x20001fd8;
	memcpy((void*)0x20001fd8, "\xb4\x00\x00\x00\x00\x00\x00\x00\xbf\x00\x00\x00"
	"\x00\x00\x00\x00\x15\x00\xfd\xff\x00\x00\x40\x00"
	"\x95\x00\x00\x00\x00\x00\x00\x00",
	32);
	(uint64_t)0x20000190 = 0x20000080;
	memcpy((void*)0x20000080,
	"GPL\004\2345\024\277w-\240z\350.vY\n6\366I>\301\253\221\263\227\344*"
	"\277\036\246\315\214\327t\'\374\232\236+qe\365+"
	"A\a\277\bP\330\231\334R\320\023\027]\333\033/F "
	"<*\005\267\"\343>Uo\262\343\363\232<"
	"\336\037\312Sd\0037\354\225aF\275\277\313\021Pp\031V1\336]!"
	"\245\352\236c\214+\333x\245\001\312Kn\243\023\330%h\3718,,?"
	"o\253\246\264\356Ty;N\322m\256>R\"P)\273*\300\000\177wuL?#"
	"\316\332\230\t\271\251hJ\224\n\274\252\214\374\307\023>"
	"\304\"\351\3108\2101\215A\351\244\223\360\031_"
	"\342Y\226Q\270\225\004\365\333\241F%\316#f\363=\225\333\251/"
	"\206ry\312\277J\316\335\310Z\212\367\240\372h\327g\316Q6\271\320\321"
	"\226lI\234\266\2774\302\230\206f\227\000\000\000\000\000\000\000\000"
	"\000\000\000",
	248);
	(uint32_t)0x20000198 = 0;
	(uint32_t)0x2000019c = 0;
	(uint64_t)0x200001a0 = 0;
	(uint32_t)0x200001a8 = 0;
	(uint32_t)0x200001ac = 0;
	(uint8_t)0x200001b0 = 0;
	(uint8_t)0x200001b1 = 0;
	(uint8_t)0x200001b2 = 0;
	(uint8_t)0x200001b3 = 0;
	(uint8_t)0x200001b4 = 0;
	(uint8_t)0x200001b5 = 0;
	(uint8_t)0x200001b6 = 0;
	(uint8_t)0x200001b7 = 0;
	(uint8_t)0x200001b8 = 0;
	(uint8_t)0x200001b9 = 0;
	(uint8_t)0x200001ba = 0;
	(uint8_t)0x200001bb = 0;
	(uint8_t)0x200001bc = 0;
	(uint8_t)0x200001bd = 0;
	(uint8_t)0x200001be = 0;
	(uint8_t)0x200001bf = 0;
	(uint32_t)0x200001c0 = 0;
	(uint32_t)0x200001c4 = 0;
	(uint32_t)0x200001c8 = -1;
	(uint32_t)0x200001cc = 8;
	(uint64_t)0x200001d0 = 0x20000000;
	(uint32_t)0x20000000 = 0;
	(uint32_t)0x20000004 = 0;
	(uint32_t)0x200001d8 = 0xffffffa6;
	(uint32_t)0x200001dc = 0x10;
	(uint64_t)0x200001e0 = 0x20000000;
	(uint32_t)0x20000000 = 0;
	(uint32_t)0x20000004 = 0;
	(uint32_t)0x20000008 = 0;
	(uint32_t)0x2000000c = 0;
	(uint32_t)0x200001e8 = 0x10;
	syscall(__NR_bpf, 5, 0x20000180, 0x46);
	return 0;
	}