| // BUG: sleeping function called from invalid context at mm/slab.h:LINE (4) |
| // https://syzkaller.appspot.com/bug?id=5a978b949b172f67a927db696a70b6ac84088ce2 |
| // status:fixed |
| // autogenerated by syzkaller (https://github.com/google/syzkaller) |
| |
| #define _GNU_SOURCE |
| |
| #include <endian.h> |
| #include <stdint.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <sys/syscall.h> |
| #include <sys/types.h> |
| #include <unistd.h> |
| |
// Descriptor slots shared by the syscall sequence in main():
//   r[0] - the socket created by socket(), bound and keyed below
//   r[1] - the socket returned by accept() on r[0]
// Both start as all-ones (i.e. -1) and are only overwritten when the
// producing syscall succeeds, so a failed step hands an invalid descriptor
// to every later call instead of reusing an unrelated fd.
uint64_t r[2] = {UINT64_MAX, UINT64_MAX};
| |
// Replays the syscall sequence syzkaller recorded for the report named in the
// file header ("BUG: sleeping function called from invalid context at
// mm/slab.h", status: fixed).
//
// The sequence drives the Linux AF_ALG socket interface: it binds an
// "skcipher" socket to the "chacha20-simd" implementation, installs a
// 32-byte key, writes 129 bytes to the accepted socket and then asks for the
// result with recvmmsg() into a two-segment iovec.
//
// No return value is checked apart from the two descriptor captures, and the
// function always returns 0; the signal of interest is the kernel log, not
// the exit status. That message is printed by kernels built with
// CONFIG_DEBUG_ATOMIC_SLEEP, so as a regression check a fixed kernel is
// expected to run the sequence without it.
// NOTE(review): the page carries no kernel stack trace, so the exact
// kernel-side path behind the report cannot be stated from here.
int main(void)
{
    // Fixed 16 MiB scratch area at 0x20000000; every hard-coded address
    // below lies inside it. prot 3 = PROT_READ|PROT_WRITE, flags 0x32 =
    // MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS.
    // NOTE(review): the result is not checked; if the mapping fails, the
    // stores that follow fault in user space before any socket call is made.
    syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);

    // socket(AF_ALG = 0x26, SOCK_SEQPACKET = 5, 0)
    long ret = syscall(__NR_socket, 0x26, 5, 0);
    if (ret != -1) {
        r[0] = ret;
    }

    // struct sockaddr_alg at 0x20000740 (0x58 bytes in total):
    //   +0x00 salg_family = AF_ALG
    //   +0x02 salg_type   = "skcipher" (14-byte field, zero padded)
    //   +0x10 salg_feat   = 0
    //   +0x14 salg_mask   = 0
    //   +0x18 salg_name   = "chacha20-simd" (64-byte field, zero padded)
    *(uint16_t*)0x20000740 = 0x26;
    memcpy((void*)0x20000742,
           "\x73\x6b\x63\x69\x70\x68\x65\x72\x00\x00\x00\x00\x00\x00", 14);
    *(uint32_t*)0x20000750 = 0;
    *(uint32_t*)0x20000754 = 0;
    memcpy((void*)0x20000758,
           "\x63\x68\x61\x63\x68\x61\x32\x30\x2d\x73\x69\x6d\x64\x00\x00\x00\x00"
           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
           64);
    syscall(__NR_bind, r[0], 0x20000740, 0x58);

    // setsockopt(level 0x117 = SOL_ALG, optname 1 = ALG_SET_KEY) with the
    // 32 fuzzer-chosen key bytes staged at 0x20000080.
    memcpy((void*)0x20000080, "\xb7\xf2\x28\x8a\x91\x19\x93\xf0\x26\x5d\xf5\xcf"
                              "\x1c\xdd\x8b\x55\xb0\x62\x95\x0b\x86\xbc\x01\xab"
                              "\xc8\x46\x4d\x4f\x8a\x90\x61\x51",
           32);
    syscall(__NR_setsockopt, r[0], 0x117, 1, 0x20000080, 0x20);

    // accept() on the bound socket yields the descriptor used for the
    // data transfer below.
    ret = syscall(__NR_accept, r[0], 0, 0);
    if (ret != -1) {
        r[1] = ret;
    }

    // 129-byte (0x81) payload assembled at 0x200003c0: "#! " (3) +
    // "./file0" (7) + '\n' (1) + 118 fuzzer-chosen bytes. The script-header
    // prefix has no special meaning on this path; it is written to r[1] as
    // ordinary data.
    memcpy((void*)0x200003c0, "#! ", 3);
    memcpy((void*)0x200003c3, "./file0", 7);
    *(uint8_t*)0x200003ca = 0xa;
    memcpy((void*)0x200003cb,
           "\x62\xfc\x15\xbb\xb6\x9c\x31\x93\xb6\xda\x50\xda\x27\x00\x3b\x38\x7e"
           "\xd4\xba\xc1\x56\xe2\x84\x6e\x7d\x20\xd4\x3b\xf0\x74\xa1\x9f\x62\xf0"
           "\x28\x47\x5b\x5b\xc8\xec\x8b\xb0\x9e\xe7\x7e\x02\x4f\xf6\xa7\x47\xf2"
           "\x0a\xfc\x81\x11\xf4\x85\x12\x16\x38\x3b\xe5\x12\x43\xd3\xd7\xc1\x0f"
           "\xd3\x6f\xcf\xe6\x2c\x2f\xb9\x89\x58\x9b\x85\x2f\x9d\x23\x6b\x72\xb1"
           "\x72\x2a\xaa\xb9\x95\x44\x30\x03\x70\xaa\x74\x6c\xac\x2d\xfb\xf7\xc9"
           "\xc2\x04\xae\xc6\xeb\x8f\xcc\x9a\xc5\x8a\x0d\xe5\x89\x44\x8f\xe9",
           118);
    syscall(__NR_write, r[1], 0x200003c0, 0x81);

    // One struct mmsghdr at 0x2000a280:
    //   msg_name = NULL, msg_namelen = 0
    //   msg_iov  = 0x20002200, msg_iovlen = 2
    //     iov[0] = { base 0x20001e40, len 0x0d }
    //     iov[1] = { base 0x20002100, len 0xd1 }
    //   msg_control = NULL, msg_controllen = 0, msg_flags = 0
    //   msg_len (+0x38) = 0
    // The two segments offer 13 + 209 = 222 bytes, more than the 129 bytes
    // written above.
    *(uint64_t*)0x2000a280 = 0;
    *(uint32_t*)0x2000a288 = 0;
    *(uint64_t*)0x2000a290 = 0x20002200;
    *(uint64_t*)0x20002200 = 0x20001e40;
    *(uint64_t*)0x20002208 = 0xd;
    *(uint64_t*)0x20002210 = 0x20002100;
    *(uint64_t*)0x20002218 = 0xd1;
    *(uint64_t*)0x2000a298 = 2;
    *(uint64_t*)0x2000a2a0 = 0;
    *(uint64_t*)0x2000a2a8 = 0;
    *(uint32_t*)0x2000a2b0 = 0;
    *(uint32_t*)0x2000a2b8 = 0;

    // recvmmsg(fd, msgvec, vlen = 1, flags = 0, timeout = NULL): the last
    // syscall of the recorded sequence, reading from the socket that
    // received the payload above.
    syscall(__NR_recvmmsg, r[1], 0x2000a280, 1, 0, 0);
    return 0;
}