| // possible deadlock in do_io_accounting |
| // https://syzkaller.appspot.com/bug?id=2e84ac2704e45601307d5e6c228082e9f343f062 |
| // status:open |
| // autogenerated by syzkaller (https://github.com/google/syzkaller) |
| |
| #define _GNU_SOURCE |
| |
| #include <endian.h> |
| #include <fcntl.h> |
| #include <stdint.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <sys/stat.h> |
| #include <sys/syscall.h> |
| #include <sys/types.h> |
| #include <unistd.h> |
| |
| static long syz_open_procfs(volatile long a0, volatile long a1) |
| { |
| char buf[128]; |
| memset(buf, 0, sizeof(buf)); |
| if (a0 == 0) { |
| snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); |
| } else if (a0 == -1) { |
| snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); |
| } else { |
| snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); |
| } |
| int fd = open(buf, O_RDWR); |
| if (fd == -1) |
| fd = open(buf, O_RDONLY); |
| return fd; |
| } |
| |
| #ifndef __NR_execveat |
| #define __NR_execveat 322 |
| #endif |
| |
| uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; |
| |
| int main(void) |
| { |
| syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); |
| intptr_t res = 0; |
| memcpy((void*)0x20000500, "./file1\000", 8); |
| syscall(__NR_mkdir, 0x20000500, 0); |
| memcpy((void*)0x20000340, "./file0\000", 8); |
| syscall(__NR_mkdir, 0x20000340, 0); |
| memcpy((void*)0x20000300, "./file0\000", 8); |
| memcpy((void*)0x20000180, "overlay\000", 8); |
| memcpy((void*)0x200002c0, "upperdir=./file0,lowerdir=.:file0,workdir=./file1", |
| 49); |
| syscall(__NR_mount, 0x400000, 0x20000300, 0x20000180, 0, 0x200002c0); |
| memcpy((void*)0x20000080, "./file0\000", 8); |
| res = syscall(__NR_open, 0x20000080, 0, 0); |
| if (res != -1) |
| r[0] = res; |
| memcpy((void*)0x20000700, "./file1/../file0\000", 17); |
| memcpy((void*)0x20000740, "system.posix_acl_access\000", 24); |
| *(uint32_t*)0x20000e80 = 2; |
| *(uint16_t*)0x20000e84 = 1; |
| *(uint16_t*)0x20000e86 = 0; |
| *(uint32_t*)0x20000e88 = 0; |
| *(uint16_t*)0x20000e8c = 4; |
| *(uint16_t*)0x20000e8e = 0; |
| *(uint32_t*)0x20000e90 = 0; |
| *(uint16_t*)0x20000e94 = 0x10; |
| *(uint16_t*)0x20000e96 = 1; |
| *(uint32_t*)0x20000e98 = 0; |
| *(uint16_t*)0x20000e9c = 0x20; |
| *(uint16_t*)0x20000e9e = 7; |
| *(uint32_t*)0x20000ea0 = 0; |
| syscall(__NR_setxattr, 0x20000700, 0x20000740, 0x20000e80, 0x24, 0); |
| memcpy((void*)0x20000000, "./file1\000", 8); |
| syscall(__NR_execveat, r[0], 0x20000000, 0, 0, 0); |
| memcpy((void*)0x20000080, "io\000", 3); |
| res = syz_open_procfs(-1, 0x20000080); |
| if (res != -1) |
| r[1] = res; |
| memcpy((void*)0x20000440, "./bus\000", 6); |
| res = syscall(__NR_open, 0x20000440, 0x141042, 0); |
| if (res != -1) |
| r[2] = res; |
| syscall(__NR_sendfile, r[2], r[1], 0, 2); |
| return 0; |
| } |
