chore: autopublish 2025-04-18T01:08:37Z

Author: github-actions[bot]

crepros/7b8a2c442d5a4859b680-102e8b24580000.c

@@ -0,0 +1,227 @@
+// https://syzkaller.appspot.com/bug?id=ac361c5db546855a3d27a34f1fa5b10793e54ba6
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <dirent.h>
+#include <endian.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/prctl.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+#ifndef __NR_bpf
+#define __NR_bpf 321
+#endif
+
+static void sleep_ms(uint64_t ms)
+{
+  usleep(ms * 1000);
+}
+
+static uint64_t current_time_ms(void)
+{
+  struct timespec ts;
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    exit(1);
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static bool write_file(const char* file, const char* what, ...)
+{
+  char buf[1024];
+  va_list args;
+  va_start(args, what);
+  vsnprintf(buf, sizeof(buf), what, args);
+  va_end(args);
+  buf[sizeof(buf) - 1] = 0;
+  int len = strlen(buf);
+  int fd = open(file, O_WRONLY | O_CLOEXEC);
+  if (fd == -1)
+    return false;
+  if (write(fd, buf, len) != len) {
+    int err = errno;
+    close(fd);
+    errno = err;
+    return false;
+  }
+  close(fd);
+  return true;
+}
+
+static void kill_and_wait(int pid, int* status)
+{
+  kill(-pid, SIGKILL);
+  kill(pid, SIGKILL);
+  for (int i = 0; i < 100; i++) {
+    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
+      return;
+    usleep(1000);
+  }
+  DIR* dir = opendir("/sys/fs/fuse/connections");
+  if (dir) {
+    for (;;) {
+      struct dirent* ent = readdir(dir);
+      if (!ent)
+        break;
+      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
+        continue;
+      char abort[300];
+      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
+               ent->d_name);
+      int fd = open(abort, O_WRONLY);
+      if (fd == -1) {
+        continue;
+      }
+      if (write(fd, abort, 1) < 0) {
+      }
+      close(fd);
+    }
+    closedir(dir);
+  } else {
+  }
+  while (waitpid(-1, status, __WALL) != pid) {
+  }
+}
+
+static void setup_test()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  write_file("/proc/self/oom_score_adj", "1000");
+}
+
+static void execute_one(void);
+
+#define WAIT_FLAGS __WALL
+
+static void loop(void)
+{
+  int iter = 0;
+  for (;; iter++) {
+    int pid = fork();
+    if (pid < 0)
+      exit(1);
+    if (pid == 0) {
+      setup_test();
+      execute_one();
+      exit(0);
+    }
+    int status = 0;
+    uint64_t start = current_time_ms();
+    for (;;) {
+      sleep_ms(10);
+      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
+        break;
+      if (current_time_ms() - start < 5000)
+        continue;
+      kill_and_wait(pid, &status);
+      break;
+    }
+  }
+}
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+void execute_one(void)
+{
+  intptr_t res = 0;
+  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+  }
+  res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0);
+  if (res != -1)
+    r[0] = res;
+  memcpy((void*)0x200000000140,
+         "\x01\x00\x00\x00\x09\x00\x00\x00\x05\x00\x10\x00\x02\x00\x00\x00\x00"
+         "\x00\x00\x00",
+         20);
+  *(uint32_t*)0x200000000154 = -1;
+  *(uint32_t*)0x200000000158 = -1;
+  syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x200000000140ul, /*size=*/0x48ul);
+  *(uint64_t*)0x200000000180 = 0;
+  *(uint32_t*)0x200000000188 = 0;
+  *(uint64_t*)0x200000000190 = 0x200000000080;
+  *(uint64_t*)0x200000000080 = 0x200000000100;
+  *(uint32_t*)0x200000000100 = 0x44;
+  *(uint16_t*)0x200000000104 = 0x24;
+  *(uint16_t*)0x200000000106 = 0x800;
+  *(uint32_t*)0x200000000108 = 0x70bd29;
+  *(uint32_t*)0x20000000010c = 0x25dfdc00;
+  *(uint8_t*)0x200000000110 = 0x60;
+  *(uint8_t*)0x200000000111 = 0;
+  *(uint16_t*)0x200000000112 = 0;
+  *(uint32_t*)0x200000000114 = 0;
+  *(uint16_t*)0x200000000118 = 0xfff1;
+  *(uint16_t*)0x20000000011a = 0xfff2;
+  *(uint16_t*)0x20000000011c = 1;
+  *(uint16_t*)0x20000000011e = 0xc;
+  *(uint16_t*)0x200000000120 = 0xfff3;
+  *(uint16_t*)0x200000000122 = 8;
+  *(uint16_t*)0x200000000124 = 9;
+  *(uint16_t*)0x200000000126 = 1;
+  memcpy((void*)0x200000000128, "cake\000", 5);
+  *(uint16_t*)0x200000000130 = 0x14;
+  *(uint16_t*)0x200000000132 = 2;
+  *(uint16_t*)0x200000000134 = 8;
+  *(uint16_t*)0x200000000136 = 0xa;
+  *(uint32_t*)0x200000000138 = 0x80000000;
+  *(uint16_t*)0x20000000013c = 8;
+  *(uint16_t*)0x20000000013e = 0xf;
+  *(uint32_t*)0x200000000140 = 2;
+  *(uint64_t*)0x200000000088 = 0x44;
+  *(uint64_t*)0x200000000198 = 1;
+  *(uint64_t*)0x2000000001a0 = 0;
+  *(uint64_t*)0x2000000001a8 = 0;
+  *(uint32_t*)0x2000000001b0 = 0x44045;
+  syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x200000000180ul,
+          /*f=MSG_PROBE*/ 0x10ul);
+  *(uint64_t*)0x200000000000 = 0;
+  *(uint32_t*)0x200000000008 = 0;
+  *(uint64_t*)0x200000000010 = 0x200000000080;
+  *(uint64_t*)0x200000000080 = 0x200000000100;
+  memcpy((void*)0x200000000100,
+         "\x50\x00\x00\x00\x10\x00\x01\x04\x25\xbb\xe5\xad\x60\x00\x27\x84\x2c"
+         "\xf5\x23\x00",
+         20);
+  *(uint32_t*)0x200000000114 = 0;
+  memcpy((void*)0x200000000118,
+         "\x00\x00\x00\x00\x00\x00\x80\x00\x28\x00\x12\x80\x0a\x00\x01\x00\x76"
+         "\x78\x6c\x61\x6e",
+         21);
+  *(uint64_t*)0x200000000088 = 0x50;
+  *(uint64_t*)0x200000000018 = 1;
+  *(uint64_t*)0x200000000020 = 0;
+  *(uint64_t*)0x200000000028 = 0;
+  *(uint32_t*)0x200000000030 = 0;
+  syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x200000000000ul,
+          /*f=MSG_ZEROCOPY*/ 0x4000000ul);
+}
+int main(void)
+{
+  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
+          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
+          /*offset=*/0ul);
+  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
+          /*offset=*/0ul);
+  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
+          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
+          /*offset=*/0ul);
+  const char* reason;
+  (void)reason;
+  loop();
+  return 0;
+}