| // WARNING in __put_task_struct (2) |
| // https://syzkaller.appspot.com/bug?id=e1854417677586ce3d00f498f19816cb4fd15676 |
| // status:fixed |
| // autogenerated by syzkaller (https://github.com/google/syzkaller) |
| |
| #define _GNU_SOURCE |
| |
| #include <endian.h> |
| #include <errno.h> |
| #include <pthread.h> |
| #include <sched.h> |
| #include <stdint.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <sys/mount.h> |
| #include <sys/prctl.h> |
| #include <sys/resource.h> |
| #include <sys/stat.h> |
| #include <sys/syscall.h> |
| #include <sys/time.h> |
| #include <sys/types.h> |
| #include <sys/wait.h> |
| #include <time.h> |
| #include <unistd.h> |
| |
| #include <linux/futex.h> |
| |
| static void sleep_ms(uint64_t ms) |
| { |
| usleep(ms * 1000); |
| } |
| |
/*
 * Milliseconds on the monotonic clock. Only differences between two readings
 * are meaningful (the origin is unspecified). Exits the process if the clock
 * cannot be read, matching the harness's fail-hard convention.
 */
static uint64_t current_time_ms(void)
{
    struct timespec now;
    if (clock_gettime(CLOCK_MONOTONIC, &now) != 0)
        exit(1);
    const uint64_t sec_part = (uint64_t)now.tv_sec * 1000;
    const uint64_t nsec_part = (uint64_t)now.tv_nsec / 1000000;
    return sec_part + nsec_part;
}
| |
/*
 * Create a fresh "./syzkaller.XXXXXX" directory and make it the working
 * directory. Any failure terminates the process. The directory is made
 * world-writable (0777); presumably so a less-privileged sandboxed child can
 * still create files in it — confirm against the sandbox setup.
 */
static void use_temporary_dir(void)
{
    char path[] = "./syzkaller.XXXXXX";
    /* mkdtemp() replaces the XXXXXX suffix in place and returns path. */
    if (mkdtemp(path) == NULL)
        exit(1);
    if (chmod(path, 0777) != 0)
        exit(1);
    if (chdir(path) != 0)
        exit(1);
}
| |
/*
 * Start a worker thread running fn(arg) on a 128 KiB stack.
 *
 * The pthread_t is discarded: callers never join these threads (see thr(),
 * which loops forever). pthread_create() failure is fatal; attribute setup
 * failures are not checked.
 */
static void thread_start(void* (*fn)(void*), void* arg)
{
    pthread_attr_t attr;
    pthread_t tid;
    pthread_attr_init(&attr);
    pthread_attr_setstacksize(&attr, 128 << 10);
    const int rc = pthread_create(&tid, &attr, fn, arg);
    if (rc != 0)
        exit(1);
    pthread_attr_destroy(&attr);
}
| |
/*
 * One-shot, single-word event used to hand work between loop() and the
 * worker threads. `state` is 0 (not signalled) or 1 (signalled); it is the
 * futex word that event_wait()/event_timedwait() sleep on.
 */
typedef struct {
int state;
} event_t;
| |
/* Put a freshly declared event into the not-signalled state. */
static void event_init(event_t* ev)
{
    *ev = (event_t){ 0 };
}
| |
/*
 * Return an event to the not-signalled state so it can be set again.
 * The store is a plain (non-atomic) write; the callers in this file reset an
 * event only after they have observed it set.
 */
static void event_reset(event_t* ev)
{
    memset(ev, 0, sizeof *ev);
}
| |
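/*
 * Signal an event and wake anyone sleeping on it.
 *
 * Setting an already-set event is treated as a protocol violation and aborts
 * the process. The FUTEX_WAKE request passes an explicit wake count: the
 * futex(2) `val` argument for FUTEX_WAKE is the maximum number of waiters to
 * wake, and leaving it off hands the kernel whatever happens to be in that
 * register, which may be 0 and wake nobody.
 */
static void event_set(event_t* ev)
{
    if (ev->state != 0)
        exit(1);
    __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
    /* Wake every waiter on this word (INT32_MAX is "all of them"). */
    syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, INT32_MAX);
}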
| |
/*
 * Block until the event is signalled. The futex wait only sleeps while the
 * word is still 0, and the state is re-checked after every return, so
 * spurious or early wakeups are harmless.
 */
static void event_wait(event_t* ev)
{
    for (;;) {
        if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
            return;
        syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
    }
}
| |
/* Non-blocking probe: returns non-zero once the event has been signalled. */
static int event_isset(event_t* ev)
{
    const int current = __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
    return current;
}
| |
/*
 * Wait up to `timeout` milliseconds for the event to be signalled.
 *
 * Returns 1 if the event became set, 0 if the deadline passed first. The
 * deadline is measured with current_time_ms(), so the loop tolerates futex
 * waits that return early; the last iteration may issue a zero-length wait.
 */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
    const uint64_t start = current_time_ms();
    uint64_t elapsed = 0;
    do {
        const uint64_t remain = timeout - elapsed;
        struct timespec ts = {
            .tv_sec = (time_t)(remain / 1000),
            .tv_nsec = (long)((remain % 1000) * 1000 * 1000),
        };
        syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
        if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED))
            return 1;
        elapsed = current_time_ms() - start;
    } while (elapsed <= timeout);
    return 0;
}
| |
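/*
 * One-time environment setup shared by the sandbox: try to mount the FUSE
 * control filesystem. Failure (e.g. no privilege, already mounted) is
 * deliberately ignored — nothing else in this file depends on fusectl, so
 * this is presumably generic harness scaffolding. Declared with a proper
 * (void) prototype instead of an empty parameter list.
 */
static void setup_common(void)
{
    (void)mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0);
}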
| |
/* Forward declaration: loop() drives the worker threads and is defined below. */
static void loop();
| |
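/*
 * Confine the forked child before it runs the program: die with the parent,
 * detach into its own session, cap resource usage, and (best-effort) move
 * into private namespaces. Every call here is fire-and-forget; the
 * namespace unshares in particular fail without CAP_SYS_ADMIN and that is
 * tolerated. Declared with a (void) prototype instead of an empty list.
 */
static void sandbox_common(void)
{
    /* SIGKILL when the parent goes away so no workers outlive the harness. */
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    setpgrp();
    setsid();

    /* Soft and hard limits are set to the same value for each resource. */
    static const struct {
        int resource;
        rlim_t limit;
    } caps[] = {
        { RLIMIT_AS, 200 << 20 },
        { RLIMIT_MEMLOCK, 32 << 20 },
        { RLIMIT_FSIZE, 136 << 20 },
        { RLIMIT_STACK, 1 << 20 },
        { RLIMIT_CORE, 0 },
        { RLIMIT_NOFILE, 256 },
    };
    for (size_t i = 0; i < sizeof(caps) / sizeof(caps[0]); i++) {
        struct rlimit rlim = { .rlim_cur = caps[i].limit, .rlim_max = caps[i].limit };
        setrlimit(caps[i].resource, &rlim);
    }

    /* 0x02000000 is CLONE_NEWCGROUP, spelled numerically — presumably so the
     * file still builds against headers that predate the constant. */
    (void)unshare(CLONE_NEWNS);
    (void)unshare(CLONE_NEWIPC);
    (void)unshare(0x02000000);
    (void)unshare(CLONE_NEWUTS);
    (void)unshare(CLONE_SYSVSEM);
}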
| |
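/*
 * Reap children until the one with `pid` exits and return its exit status.
 *
 * A negative pid (a failed fork) is fatal. waitpid(-1, ..., __WALL) reaps any
 * child, so unrelated exits are simply skipped. A waitpid() error other than
 * EINTR — notably ECHILD, meaning there is nobody left to wait for — is also
 * fatal; spinning on it would hang the harness forever.
 */
int wait_for_loop(int pid)
{
    if (pid < 0)
        exit(1);
    int status = 0;
    for (;;) {
        const int reaped = waitpid(-1, &status, __WALL);
        if (reaped == pid)
            break;
        if (reaped == -1 && errno != EINTR)
            exit(1);
    }
    return WEXITSTATUS(status);
}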
| |
/*
 * Run the program in a forked child with the "none" sandbox and return the
 * child's exit status as seen by wait_for_loop().
 *
 * The child applies setup_common()/sandbox_common(), tries (best-effort) to
 * enter a private network namespace, runs loop(), and then exits with 1 —
 * so once loop() returns normally the parent observes status 1.
 */
static int do_sandbox_none(void)
{
    (void)unshare(CLONE_NEWPID);
    const int child = fork();
    if (child == 0) {
        setup_common();
        sandbox_common();
        (void)unshare(CLONE_NEWNET);
        loop();
        exit(1);
    }
    /* Parent, or fork() failure (negative pid, which wait_for_loop rejects). */
    return wait_for_loop(child);
}
| |
/*
 * Per-worker state shared between loop() and thr().
 *  created - non-zero once the pthread for this slot has been started
 *  call    - index of the program call the worker should execute next
 *  ready   - set by loop() when `call` is filled in
 *  done    - set by the worker when execute_call() has returned
 */
struct thread_t {
int created, call;
event_t ready, done;
};
| |
/* Worker pool; loop() hands each call to the first idle slot. */
static struct thread_t threads[16];
/* Declared static here, so the non-static definition below keeps internal linkage. */
static void execute_call(int call);
/* Number of calls currently executing; updated with relaxed atomics. */
static int running;
| |
/*
 * Worker thread body. Waits for loop() to publish a call via `ready`,
 * executes it, drops the `running` counter and signals `done`. The loop
 * never terminates; the trailing return only satisfies the pthread
 * start-routine signature.
 */
static void* thr(void* arg)
{
    struct thread_t* self = arg;
    for (;;) {
        event_wait(&self->ready);
        event_reset(&self->ready);
        execute_call(self->call);
        __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
        event_set(&self->done);
    }
    return 0; /* not reached */
}
| |
/*
 * Execute the four program calls twice: a first pass where each call is
 * given up to 45 ms to finish, then a "collide" pass where even-numbered
 * calls are dispatched without waiting so they overlap with the next one.
 *
 * Each call goes to the first worker whose `done` event is set (starting the
 * worker thread lazily on first use). After each pass the function waits up
 * to ~100 ms for the `running` counter to drain.
 */
static void loop(void)
{
    const int nthreads = (int)(sizeof(threads) / sizeof(threads[0]));
    for (int collide = 0; collide < 2; collide++) {
        for (int call = 0; call < 4; call++) {
            for (int slot = 0; slot < nthreads; slot++) {
                struct thread_t* th = &threads[slot];
                if (!th->created) {
                    th->created = 1;
                    event_init(&th->ready);
                    event_init(&th->done);
                    event_set(&th->done);
                    thread_start(thr, th);
                }
                if (!event_isset(&th->done))
                    continue;
                event_reset(&th->done);
                th->call = call;
                __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
                event_set(&th->ready);
                /* In collide mode even calls are not awaited, so they overlap the next call. */
                if (!collide || (call % 2) != 0)
                    event_timedwait(&th->done, 45);
                break;
            }
        }
        for (int i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
            sleep_ms(1);
    }
}
| |
/* Results carried between calls: r[0] is the rdma_cm fd from call 0, r[1] the
 * 32-bit value read back after call 1. All-ones means "not yet set". */
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
| |
// Execute program call `call` (0..3). Declared static above, so this
// definition has internal linkage despite the missing keyword.
// Every request and response buffer lives at a fixed address inside the
// 0x20000000 region that main() maps before do_sandbox_none() runs; nothing
// here verifies that mapping exists. Values later calls depend on travel
// through the global r[] array.
void execute_call(int call)
{
long res;
switch (call) {
case 0:
// openat(AT_FDCWD, "/dev/infiniband/rdma_cm", O_RDWR): 0xffffffffffffff9c is
// -100 (AT_FDCWD) and flags 2 is O_RDWR. The 24-byte copy includes the NUL.
// The resulting fd is kept in r[0] for the writes below.
memcpy((void*)0x20000380, "/dev/infiniband/rdma_cm", 24);
res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000380, 2, 0);
if (res != -1)
r[0] = res;
break;
case 1:
// 0x20-byte request at 0x20000280 written to the rdma_cm fd. The 64-bit
// word at +0x10 holds the address 0x20000080; on success the 32-bit value
// found there becomes r[1] — presumably the kernel writes a response
// there, but the command layout is not verifiable from this file.
*(uint32_t*)0x20000280 = 0;
*(uint16_t*)0x20000284 = 0x18;
*(uint16_t*)0x20000286 = 0xfa00;
*(uint64_t*)0x20000288 = 0;
*(uint64_t*)0x20000290 = 0x20000080;
*(uint16_t*)0x20000298 = 0x13f;
*(uint8_t*)0x2000029a = 0;
*(uint8_t*)0x2000029b = 0;
*(uint8_t*)0x2000029c = 0;
*(uint8_t*)0x2000029d = 0;
*(uint8_t*)0x2000029e = 0;
*(uint8_t*)0x2000029f = 0;
res = syscall(__NR_write, r[0], 0x20000280, 0x20);
if (res != -1)
r[1] = *(uint32_t*)0x20000080;
break;
case 2:
// 0x48-byte request at 0x200001c0. At +0x08 and +0x24 a 16-bit family of
// 0xa is followed by a big-endian port, which looks like two sockaddr_in6
// values (addresses ::1 and fe80::) — not verifiable here. r[1] is placed
// at +0x40. The write result is not checked.
*(uint32_t*)0x200001c0 = 3;
*(uint16_t*)0x200001c4 = 0x40;
*(uint16_t*)0x200001c6 = 0xfa00;
*(uint16_t*)0x200001c8 = 0xa;
*(uint16_t*)0x200001ca = htobe16(0x4e23);
*(uint32_t*)0x200001cc = 0;
*(uint64_t*)0x200001d0 = htobe64(0);
*(uint64_t*)0x200001d8 = htobe64(1);
*(uint32_t*)0x200001e0 = 0;
*(uint16_t*)0x200001e4 = 0xa;
*(uint16_t*)0x200001e6 = htobe16(0);
*(uint32_t*)0x200001e8 = 0;
*(uint8_t*)0x200001ec = 0xfe;
*(uint8_t*)0x200001ed = 0x80;
*(uint8_t*)0x200001ee = 0;
*(uint8_t*)0x200001ef = 0;
*(uint8_t*)0x200001f0 = 0;
*(uint8_t*)0x200001f1 = 0;
*(uint8_t*)0x200001f2 = 0;
*(uint8_t*)0x200001f3 = 0;
*(uint8_t*)0x200001f4 = 0;
*(uint8_t*)0x200001f5 = 0;
*(uint8_t*)0x200001f6 = 0;
*(uint8_t*)0x200001f7 = 0;
*(uint8_t*)0x200001f8 = 0;
*(uint8_t*)0x200001f9 = 0;
*(uint8_t*)0x200001fa = 0;
*(uint8_t*)0x200001fb = 0;
*(uint32_t*)0x200001fc = 0;
*(uint32_t*)0x20000200 = r[1];
*(uint32_t*)0x20000204 = 0;
syscall(__NR_write, r[0], 0x200001c0, 0x48);
break;
case 3:
// Same 0x48-byte shape at 0x20000000: both halves use family 0xa, port
// 0x4e23 and a flow/scope word of 7; the second address starts ff01::.
// Storing -1 into a uint8_t yields 0xff. r[1] is at +0x40 again and the
// write result is not checked.
*(uint32_t*)0x20000000 = 3;
*(uint16_t*)0x20000004 = 0x40;
*(uint16_t*)0x20000006 = 0xfa00;
*(uint16_t*)0x20000008 = 0xa;
*(uint16_t*)0x2000000a = htobe16(0x4e23);
*(uint32_t*)0x2000000c = 7;
*(uint8_t*)0x20000010 = 0;
*(uint8_t*)0x20000011 = 0;
*(uint8_t*)0x20000012 = 0;
*(uint8_t*)0x20000013 = 0;
*(uint8_t*)0x20000014 = 0;
*(uint8_t*)0x20000015 = 0;
*(uint8_t*)0x20000016 = 0;
*(uint8_t*)0x20000017 = 0;
*(uint8_t*)0x20000018 = 0;
*(uint8_t*)0x20000019 = 0;
*(uint8_t*)0x2000001a = 0;
*(uint8_t*)0x2000001b = 0;
*(uint8_t*)0x2000001c = 0;
*(uint8_t*)0x2000001d = 0;
*(uint8_t*)0x2000001e = 0;
*(uint8_t*)0x2000001f = 0;
*(uint32_t*)0x20000020 = 3;
*(uint16_t*)0x20000024 = 0xa;
*(uint16_t*)0x20000026 = htobe16(0x4e23);
*(uint32_t*)0x20000028 = 7;
*(uint8_t*)0x2000002c = -1;
*(uint8_t*)0x2000002d = 1;
*(uint8_t*)0x2000002e = 0;
*(uint8_t*)0x2000002f = 0;
*(uint8_t*)0x20000030 = 0;
*(uint8_t*)0x20000031 = 0;
*(uint8_t*)0x20000032 = 0;
*(uint8_t*)0x20000033 = 0;
*(uint8_t*)0x20000034 = 0;
*(uint8_t*)0x20000035 = 0;
*(uint8_t*)0x20000036 = 0;
*(uint8_t*)0x20000037 = 0;
*(uint8_t*)0x20000038 = 0;
*(uint8_t*)0x20000039 = 0;
*(uint8_t*)0x2000003a = 0;
*(uint8_t*)0x2000003b = 1;
*(uint32_t*)0x2000003c = 7;
*(uint32_t*)0x20000040 = r[1];
*(uint32_t*)0x20000044 = 1;
syscall(__NR_write, r[0], 0x20000000, 0x48);
break;
}
}
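/*
 * Entry point: map the fixed-address scratch region, move into a scratch
 * directory, then run the program under the "none" sandbox.
 *
 * The 16 MiB mapping at 0x20000000 (prot 3 = PROT_READ|PROT_WRITE, flags
 * 0x32 = MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED on x86-64 Linux) backs every
 * store execute_call() makes. If it fails those stores would fault, so the
 * result is checked and the process exits cleanly instead.
 */
int main(void)
{
    const long mapped = syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
    if (mapped == -1)
        exit(1);
    use_temporary_dir();
    do_sandbox_none();
    return 0;
}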