syzkaller-repros/linux/428c8ed806e13ec9b238250c2ef00807571716ba.c - pub/scm/linux/kernel/git/shuah/linux-arts - Git at Google

 // BUG: unable to handle kernel NULL pointer dereference in page_mapping
 // https://syzkaller.appspot.com/bug?id=428c8ed806e13ec9b238250c2ef00807571716ba
 // status:fixed
 // autogenerated by syzkaller (http://github.com/google/syzkaller)

 #define _GNU_SOURCE

 #include <sys/syscall.h>
 #include <unistd.h>

 #include <stdint.h>
 #include <string.h>

 long r[1];
 void loop()
 {
   memset(r, -1, sizeof(r));
   syscall(__NR_mmap, 0x20000000ul, 0xfcb000ul, 0x3ul, 0x32ul,
           0xfffffffffffffffful, 0x0ul);
   r[0] = syscall(__NR_socket, 0x40000000015ul, 0x5ul, 0x0ul);
   *(uint16_t*)0x20fc4ff0 = (uint16_t)0x2;
   *(uint16_t*)0x20fc4ff2 = (uint16_t)0x204e;
   *(uint32_t*)0x20fc4ff4 = (uint32_t)0x100007f;
   *(uint8_t*)0x20fc4ff8 = (uint8_t)0x0;
   *(uint8_t*)0x20fc4ff9 = (uint8_t)0x0;
   *(uint8_t*)0x20fc4ffa = (uint8_t)0x0;
   *(uint8_t*)0x20fc4ffb = (uint8_t)0x0;
   *(uint8_t*)0x20fc4ffc = (uint8_t)0x0;
   *(uint8_t*)0x20fc4ffd = (uint8_t)0x0;
   *(uint8_t*)0x20fc4ffe = (uint8_t)0x0;
   *(uint8_t*)0x20fc4fff = (uint8_t)0x0;
   syscall(__NR_bind, r[0], 0x20fc4ff0ul, 0x10ul);
   *(uint16_t*)0x20adf000 = (uint16_t)0x2;
   *(uint16_t*)0x20adf002 = (uint16_t)0x204e;
   *(uint32_t*)0x20adf004 = (uint32_t)0x100007f;
   *(uint8_t*)0x20adf008 = (uint8_t)0x0;
   *(uint8_t*)0x20adf009 = (uint8_t)0x0;
   *(uint8_t*)0x20adf00a = (uint8_t)0x0;
   *(uint8_t*)0x20adf00b = (uint8_t)0x0;
   *(uint8_t*)0x20adf00c = (uint8_t)0x0;
   *(uint8_t*)0x20adf00d = (uint8_t)0x0;
   *(uint8_t*)0x20adf00e = (uint8_t)0x0;
   *(uint8_t*)0x20adf00f = (uint8_t)0x0;
   syscall(__NR_connect, r[0], 0x20adf000ul, 0x10ul);
   *(uint64_t*)0x20002000 = (uint64_t)0x0;
   *(uint32_t*)0x20002008 = (uint32_t)0x0;
   *(uint64_t*)0x20002010 = (uint64_t)0x20fc8000;
   *(uint64_t*)0x20002018 = (uint64_t)0x2;
   *(uint64_t*)0x20002020 = (uint64_t)0x20000e8e;
   *(uint64_t*)0x20002028 = (uint64_t)0x130;
   *(uint32_t*)0x20002030 = (uint32_t)0x1;
   *(uint64_t*)0x20fc8000 = (uint64_t)0x20c1e000;
   *(uint64_t*)0x20fc8008 = (uint64_t)0x0;
   *(uint64_t*)0x20fc8010 = (uint64_t)0x20fc9000;
   *(uint64_t*)0x20fc8018 = (uint64_t)0x0;
   *(uint64_t*)0x20000e8e = (uint64_t)0x18;
   *(uint32_t*)0x20000e96 = (uint32_t)0x117;
   *(uint32_t*)0x20000e9a = (uint32_t)0x3;
   *(uint32_t*)0x20000e9e = (uint32_t)0x100000000;
   *(uint64_t*)0x20000ea6 = (uint64_t)0x18;
   *(uint32_t*)0x20000eae = (uint32_t)0x117;
   *(uint32_t*)0x20000eb2 = (uint32_t)0x3;
   *(uint32_t*)0x20000eb6 = (uint32_t)0x9;
   *(uint64_t*)0x20000ebe = (uint64_t)0x100;
   *(uint32_t*)0x20000ec6 = (uint32_t)0x114;
   *(uint32_t*)0x20000eca = (uint32_t)0x6;
   *(uint32_t*)0x20000ece = (uint32_t)0xe5;
   memcpy((void*)0x20000ed2,
          "\x13\x38\x4c\x0e\x64\x4f\xa5\x7a\x16\x74\x02\x77\x64\x53\x4a"
          "\x58\x5a\xf7\xfd\xcc\xd0\x35\xcd\x0d\xd2\x04\xb8\xf3\x77\xd3"
          "\x46\xa5\x8d\x66\x99\xda\x57\x65\xc3\x2b\x6f\x61\x19\x8d\xe4"
          "\x06\x2b\x3a\xcc\xd8\x7d\xdf\x4f\x8e\x64\x8b\xe0\x15\xa8\x9c"
          "\xcf\x85\xd5\x4b\xf0\x3c\x52\xa4\x24\x97\xb0\xcf\x97\xe1\xc0"
          "\xd8\x67\x80\x68\xc8\xac\xe8\x88\xbf\xff\x48\xe7\x4f\xa1\x65"
          "\x44\xe1\xe4\xc9\xf8\x68\x62\x0b\x9c\x44\x8b\xc8\x56\xb2\xe3"
          "\x87\xfc\xf2\xc1\x3a\xd0\xba\xa6\x35\x17\xac\xc2\x39\x61\x04"
          "\x9b\x1f\x0a\xe5\xb4\xc1\x4e\x90\xc8\x9e\x5e\xb0\x2f\x07\x6b"
          "\x55\x6a\xf8\x23\x1b\xa8\xcb\x3b\xb6\x45\x19\x13\x6b\x19\x24"
          "\xb6\x3c\x50\xd0\x63\x98\xa2\x23\xf9\xa2\xf7\xc0\x41\x34\x1c"
          "\x6d\xe4\x44\x9d\x06\x47\xff\x4c\xaa\xae\xc2\x67\x1d\x14\xfe"
          "\xe7\xc1\x2e\xb7\x14\x06\xcc\x21\xff\x36\xcb\xa8\xe7\xb2\xd2"
          "\xe8\x15\x00\x4b\x8e\x5c\x81\x96\x24\x64\xd1\x4a\xb6\xe2\xaa"
          "\xd3\xce\xe0\xc9\xe6\xa3\x3a\xea\xba\x0c\x66\xa7\xd6\xe8\x76"
          "\xb9\xd6\xf5\x14",
          229);
   syscall(__NR_sendmsg, r[0], 0x20002000ul, 0x0ul);
 }

 int main()
 {
   loop();
   return 0;
 }
	// BUG: unable to handle kernel NULL pointer dereference in page_mapping
	// https://syzkaller.appspot.com/bug?id=428c8ed806e13ec9b238250c2ef00807571716ba
	// status:fixed
	// autogenerated by syzkaller (http://github.com/google/syzkaller)

	#define _GNU_SOURCE

	#include <sys/syscall.h>
	#include <unistd.h>

	#include <stdint.h>
	#include <string.h>

	long r[1];
	void loop()
	{
	memset(r, -1, sizeof(r));
	syscall(__NR_mmap, 0x20000000ul, 0xfcb000ul, 0x3ul, 0x32ul,
	0xfffffffffffffffful, 0x0ul);
	r[0] = syscall(__NR_socket, 0x40000000015ul, 0x5ul, 0x0ul);
	(uint16_t)0x20fc4ff0 = (uint16_t)0x2;
	(uint16_t)0x20fc4ff2 = (uint16_t)0x204e;
	(uint32_t)0x20fc4ff4 = (uint32_t)0x100007f;
	(uint8_t)0x20fc4ff8 = (uint8_t)0x0;
	(uint8_t)0x20fc4ff9 = (uint8_t)0x0;
	(uint8_t)0x20fc4ffa = (uint8_t)0x0;
	(uint8_t)0x20fc4ffb = (uint8_t)0x0;
	(uint8_t)0x20fc4ffc = (uint8_t)0x0;
	(uint8_t)0x20fc4ffd = (uint8_t)0x0;
	(uint8_t)0x20fc4ffe = (uint8_t)0x0;
	(uint8_t)0x20fc4fff = (uint8_t)0x0;
	syscall(__NR_bind, r[0], 0x20fc4ff0ul, 0x10ul);
	(uint16_t)0x20adf000 = (uint16_t)0x2;
	(uint16_t)0x20adf002 = (uint16_t)0x204e;
	(uint32_t)0x20adf004 = (uint32_t)0x100007f;
	(uint8_t)0x20adf008 = (uint8_t)0x0;
	(uint8_t)0x20adf009 = (uint8_t)0x0;
	(uint8_t)0x20adf00a = (uint8_t)0x0;
	(uint8_t)0x20adf00b = (uint8_t)0x0;
	(uint8_t)0x20adf00c = (uint8_t)0x0;
	(uint8_t)0x20adf00d = (uint8_t)0x0;
	(uint8_t)0x20adf00e = (uint8_t)0x0;
	(uint8_t)0x20adf00f = (uint8_t)0x0;
	syscall(__NR_connect, r[0], 0x20adf000ul, 0x10ul);
	(uint64_t)0x20002000 = (uint64_t)0x0;
	(uint32_t)0x20002008 = (uint32_t)0x0;
	(uint64_t)0x20002010 = (uint64_t)0x20fc8000;
	(uint64_t)0x20002018 = (uint64_t)0x2;
	(uint64_t)0x20002020 = (uint64_t)0x20000e8e;
	(uint64_t)0x20002028 = (uint64_t)0x130;
	(uint32_t)0x20002030 = (uint32_t)0x1;
	(uint64_t)0x20fc8000 = (uint64_t)0x20c1e000;
	(uint64_t)0x20fc8008 = (uint64_t)0x0;
	(uint64_t)0x20fc8010 = (uint64_t)0x20fc9000;
	(uint64_t)0x20fc8018 = (uint64_t)0x0;
	(uint64_t)0x20000e8e = (uint64_t)0x18;
	(uint32_t)0x20000e96 = (uint32_t)0x117;
	(uint32_t)0x20000e9a = (uint32_t)0x3;
	(uint32_t)0x20000e9e = (uint32_t)0x100000000;
	(uint64_t)0x20000ea6 = (uint64_t)0x18;
	(uint32_t)0x20000eae = (uint32_t)0x117;
	(uint32_t)0x20000eb2 = (uint32_t)0x3;
	(uint32_t)0x20000eb6 = (uint32_t)0x9;
	(uint64_t)0x20000ebe = (uint64_t)0x100;
	(uint32_t)0x20000ec6 = (uint32_t)0x114;
	(uint32_t)0x20000eca = (uint32_t)0x6;
	(uint32_t)0x20000ece = (uint32_t)0xe5;
	memcpy((void*)0x20000ed2,
	"\x13\x38\x4c\x0e\x64\x4f\xa5\x7a\x16\x74\x02\x77\x64\x53\x4a"
	"\x58\x5a\xf7\xfd\xcc\xd0\x35\xcd\x0d\xd2\x04\xb8\xf3\x77\xd3"
	"\x46\xa5\x8d\x66\x99\xda\x57\x65\xc3\x2b\x6f\x61\x19\x8d\xe4"
	"\x06\x2b\x3a\xcc\xd8\x7d\xdf\x4f\x8e\x64\x8b\xe0\x15\xa8\x9c"
	"\xcf\x85\xd5\x4b\xf0\x3c\x52\xa4\x24\x97\xb0\xcf\x97\xe1\xc0"
	"\xd8\x67\x80\x68\xc8\xac\xe8\x88\xbf\xff\x48\xe7\x4f\xa1\x65"
	"\x44\xe1\xe4\xc9\xf8\x68\x62\x0b\x9c\x44\x8b\xc8\x56\xb2\xe3"
	"\x87\xfc\xf2\xc1\x3a\xd0\xba\xa6\x35\x17\xac\xc2\x39\x61\x04"
	"\x9b\x1f\x0a\xe5\xb4\xc1\x4e\x90\xc8\x9e\x5e\xb0\x2f\x07\x6b"
	"\x55\x6a\xf8\x23\x1b\xa8\xcb\x3b\xb6\x45\x19\x13\x6b\x19\x24"
	"\xb6\x3c\x50\xd0\x63\x98\xa2\x23\xf9\xa2\xf7\xc0\x41\x34\x1c"
	"\x6d\xe4\x44\x9d\x06\x47\xff\x4c\xaa\xae\xc2\x67\x1d\x14\xfe"
	"\xe7\xc1\x2e\xb7\x14\x06\xcc\x21\xff\x36\xcb\xa8\xe7\xb2\xd2"
	"\xe8\x15\x00\x4b\x8e\x5c\x81\x96\x24\x64\xd1\x4a\xb6\xe2\xaa"
	"\xd3\xce\xe0\xc9\xe6\xa3\x3a\xea\xba\x0c\x66\xa7\xd6\xe8\x76"
	"\xb9\xd6\xf5\x14",
	229);
	syscall(__NR_sendmsg, r[0], 0x20002000ul, 0x0ul);
	}

	int main()
	{
	loop();
	return 0;
	}