syzkaller-repros/linux/2e4dbe448183da06b2940dd080287aa26c02baf3.c - pub/scm/linux/kernel/git/shuah/linux-arts - Git at Google

 // KASAN: use-after-free Read in v4l2_ctrl_grab
 // https://syzkaller.appspot.com/bug?id=2e4dbe448183da06b2940dd080287aa26c02baf3
 // status:open
 // autogenerated by syzkaller (https://github.com/google/syzkaller)

 #define _GNU_SOURCE

 #include <endian.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
 #include <unistd.h>

 uint64_t r[1] = {0xffffffffffffffff};

 int main(void)
 {
   syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
   long res = 0;
   memcpy((void*)0x200000c0, "/dev/video36\000", 13);
   res = syscall(__NR_openat, 0xffffffffffffff9c, 0x200000c0, 2, 0);
   if (res != -1)
     r[0] = res;
   *(uint32_t*)0x200002c0 = 0;
   *(uint32_t*)0x200002c4 = 1;
   *(uint32_t*)0x200002c8 = 4;
   *(uint32_t*)0x200002d0 = 2;
   memcpy((void*)0x200002d8,
          "\x37\xef\xf2\x65\x34\x30\xa4\x31\xc6\x4f\xbf\xa3\x0c\x2a\x38\xda\xc2"
          "\xbf\xec\x39\x1e\x57\xa0\x58\x48\x86\x81\x81\x8c\x09\xf6\x96\xcb\x92"
          "\x79\x86\x14\x9d\x14\x7e\x5b\xdb\x18\x80\x52\x95\x5e\x73\xdb\xf4\x6d"
          "\x0c\x32\xae\xef\xcf\x9e\x6d\x9c\x6d\xfa\x4d\x83\x7c\x7d\x89\xba\xad"
          "\x90\x1a\x0c\x27\xda\xdb\x0b\x97\x76\x31\x6a\x2c\x36\xb3\x36\x46\x11"
          "\x53\x76\xe3\x60\x23\x46\xde\x9a\x65\xe5\xd8\x12\xec\xf6\xee\xb8\x8f"
          "\x24\x7e\xd3\x1a\xbc\x08\x44\x29\xe7\xd6\xa0\xf8\x93\x5c\x80\x8a\xc4"
          "\xa8\x05\x48\x7b\x55\x67\xeb\xe4\x50\x05\x27\x12\x60\x78\x0a\x78\xab"
          "\xcf\x70\xde\xaf\xf6\x6b\xcc\xb3\x6c\x3d\x9f\xb3\xc8\x31\xa9\xe5\x76"
          "\xad\x07\xf3\xce\x72\x20\x03\xc5\x4f\x90\xa4\xdf\xba\x0e\x81\x09\x5a"
          "\xd2\xf4\xc1\x08\x90\x03\xcd\xd5\x92\xbb\x47\xb8\x6b\x42\x24\xfe\xe3"
          "\x6f\xbe\x35\x86\x5d\x14\x83\x3c\x40\x94\xde\x11\xb3",
          200);
   *(uint32_t*)0x200003a0 = 0;
   *(uint32_t*)0x200003a4 = 0;
   *(uint32_t*)0x200003a8 = 0;
   *(uint32_t*)0x200003ac = 0;
   *(uint32_t*)0x200003b0 = 0;
   *(uint32_t*)0x200003b4 = 0;
   *(uint32_t*)0x200003b8 = 0;
   *(uint32_t*)0x200003bc = 0;
   syscall(__NR_ioctl, r[0], 0xc100565c, 0x200002c0);
   *(uint32_t*)0x20000080 = 2;
   syscall(__NR_ioctl, r[0], 0x40045612, 0x20000080);
   return 0;
 }
	// KASAN: use-after-free Read in v4l2_ctrl_grab
	// https://syzkaller.appspot.com/bug?id=2e4dbe448183da06b2940dd080287aa26c02baf3
	// status:open
	// autogenerated by syzkaller (https://github.com/google/syzkaller)

	#define _GNU_SOURCE

	#include <endian.h>
	#include <stdint.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <sys/syscall.h>
	#include <sys/types.h>
	#include <unistd.h>

	uint64_t r[1] = {0xffffffffffffffff};

	int main(void)
	{
	syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
	long res = 0;
	memcpy((void*)0x200000c0, "/dev/video36\000", 13);
	res = syscall(__NR_openat, 0xffffffffffffff9c, 0x200000c0, 2, 0);
	if (res != -1)
	r[0] = res;
	(uint32_t)0x200002c0 = 0;
	(uint32_t)0x200002c4 = 1;
	(uint32_t)0x200002c8 = 4;
	(uint32_t)0x200002d0 = 2;
	memcpy((void*)0x200002d8,
	"\x37\xef\xf2\x65\x34\x30\xa4\x31\xc6\x4f\xbf\xa3\x0c\x2a\x38\xda\xc2"
	"\xbf\xec\x39\x1e\x57\xa0\x58\x48\x86\x81\x81\x8c\x09\xf6\x96\xcb\x92"
	"\x79\x86\x14\x9d\x14\x7e\x5b\xdb\x18\x80\x52\x95\x5e\x73\xdb\xf4\x6d"
	"\x0c\x32\xae\xef\xcf\x9e\x6d\x9c\x6d\xfa\x4d\x83\x7c\x7d\x89\xba\xad"
	"\x90\x1a\x0c\x27\xda\xdb\x0b\x97\x76\x31\x6a\x2c\x36\xb3\x36\x46\x11"
	"\x53\x76\xe3\x60\x23\x46\xde\x9a\x65\xe5\xd8\x12\xec\xf6\xee\xb8\x8f"
	"\x24\x7e\xd3\x1a\xbc\x08\x44\x29\xe7\xd6\xa0\xf8\x93\x5c\x80\x8a\xc4"
	"\xa8\x05\x48\x7b\x55\x67\xeb\xe4\x50\x05\x27\x12\x60\x78\x0a\x78\xab"
	"\xcf\x70\xde\xaf\xf6\x6b\xcc\xb3\x6c\x3d\x9f\xb3\xc8\x31\xa9\xe5\x76"
	"\xad\x07\xf3\xce\x72\x20\x03\xc5\x4f\x90\xa4\xdf\xba\x0e\x81\x09\x5a"
	"\xd2\xf4\xc1\x08\x90\x03\xcd\xd5\x92\xbb\x47\xb8\x6b\x42\x24\xfe\xe3"
	"\x6f\xbe\x35\x86\x5d\x14\x83\x3c\x40\x94\xde\x11\xb3",
	200);
	(uint32_t)0x200003a0 = 0;
	(uint32_t)0x200003a4 = 0;
	(uint32_t)0x200003a8 = 0;
	(uint32_t)0x200003ac = 0;
	(uint32_t)0x200003b0 = 0;
	(uint32_t)0x200003b4 = 0;
	(uint32_t)0x200003b8 = 0;
	(uint32_t)0x200003bc = 0;
	syscall(__NR_ioctl, r[0], 0xc100565c, 0x200002c0);
	(uint32_t)0x20000080 = 2;
	syscall(__NR_ioctl, r[0], 0x40045612, 0x20000080);
	return 0;
	}