1 /* SPDX-License-Identifier: MIT */
2 // autogenerated by syzkaller (https://github.com/google/syzkaller)
3
4 #include <dirent.h>
5 #include <endian.h>
6 #include <errno.h>
7 #include <fcntl.h>
8 #include <pthread.h>
9 #include <signal.h>
10 #include <stdarg.h>
11 #include <stdbool.h>
12 #include <stdint.h>
13 #include <stdio.h>
14 #include <stdlib.h>
15 #include <string.h>
16 #include <sys/prctl.h>
17 #include <sys/stat.h>
18 #include <sys/syscall.h>
19 #include <sys/types.h>
20 #include <sys/wait.h>
21 #include <time.h>
22 #include <unistd.h>
23 #include <sys/mman.h>
24
25 #include <linux/futex.h>
26
27 #include "liburing.h"
28 #include "../src/syscall.h"
29
30 #if !defined(SYS_futex) && defined(SYS_futex_time64)
31 # define SYS_futex SYS_futex_time64
32 #endif
33
sleep_ms(uint64_t ms)34 static void sleep_ms(uint64_t ms)
35 {
36 usleep(ms * 1000);
37 }
38
current_time_ms(void)39 static uint64_t current_time_ms(void)
40 {
41 struct timespec ts;
42 if (clock_gettime(CLOCK_MONOTONIC, &ts))
43 exit(1);
44 return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
45 }
46
thread_start(void * (* fn)(void *),void * arg)47 static void thread_start(void* (*fn)(void*), void* arg)
48 {
49 pthread_t th;
50 pthread_attr_t attr;
51 pthread_attr_init(&attr);
52 pthread_attr_setstacksize(&attr, 128 << 10);
53 int i;
54 for (i = 0; i < 100; i++) {
55 if (pthread_create(&th, &attr, fn, arg) == 0) {
56 pthread_attr_destroy(&attr);
57 return;
58 }
59 if (errno == EAGAIN) {
60 usleep(50);
61 continue;
62 }
63 break;
64 }
65 exit(1);
66 }
67
68 typedef struct {
69 int state;
70 } event_t;
71
event_init(event_t * ev)72 static void event_init(event_t* ev)
73 {
74 ev->state = 0;
75 }
76
event_reset(event_t * ev)77 static void event_reset(event_t* ev)
78 {
79 ev->state = 0;
80 }
81
event_set(event_t * ev)82 static void event_set(event_t* ev)
83 {
84 if (ev->state)
85 exit(1);
86 __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
87 syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG);
88 }
89
event_wait(event_t * ev)90 static void event_wait(event_t* ev)
91 {
92 while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
93 syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
94 }
95
event_isset(event_t * ev)96 static int event_isset(event_t* ev)
97 {
98 return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
99 }
100
event_timedwait(event_t * ev,uint64_t timeout)101 static int event_timedwait(event_t* ev, uint64_t timeout)
102 {
103 uint64_t start = current_time_ms();
104 uint64_t now = start;
105 for (;;) {
106 uint64_t remain = timeout - (now - start);
107 struct timespec ts;
108 ts.tv_sec = remain / 1000;
109 ts.tv_nsec = (remain % 1000) * 1000 * 1000;
110 syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
111 if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED))
112 return 1;
113 now = current_time_ms();
114 if (now - start > timeout)
115 return 0;
116 }
117 }
118
write_file(const char * file,const char * what,...)119 static bool write_file(const char* file, const char* what, ...)
120 {
121 char buf[1024];
122 va_list args;
123 va_start(args, what);
124 vsnprintf(buf, sizeof(buf), what, args);
125 va_end(args);
126 buf[sizeof(buf) - 1] = 0;
127 int len = strlen(buf);
128 int fd = open(file, O_WRONLY | O_CLOEXEC);
129 if (fd == -1)
130 return false;
131 if (write(fd, buf, len) != len) {
132 int err = errno;
133 close(fd);
134 errno = err;
135 return false;
136 }
137 close(fd);
138 return true;
139 }
140
kill_and_wait(int pid,int * status)141 static void kill_and_wait(int pid, int* status)
142 {
143 kill(-pid, SIGKILL);
144 kill(pid, SIGKILL);
145 int i;
146 for (i = 0; i < 100; i++) {
147 if (waitpid(-1, status, WNOHANG | __WALL) == pid)
148 return;
149 usleep(1000);
150 }
151 DIR* dir = opendir("/sys/fs/fuse/connections");
152 if (dir) {
153 for (;;) {
154 struct dirent* ent = readdir(dir);
155 if (!ent)
156 break;
157 if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
158 continue;
159 char abort[300];
160 snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
161 ent->d_name);
162 int fd = open(abort, O_WRONLY);
163 if (fd == -1) {
164 continue;
165 }
166 if (write(fd, abort, 1) < 0) {
167 }
168 close(fd);
169 }
170 closedir(dir);
171 } else {
172 }
173 while (waitpid(-1, status, __WALL) != pid) {
174 }
175 }
176
177 #define SYZ_HAVE_SETUP_TEST 1
setup_test()178 static void setup_test()
179 {
180 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
181 setpgrp();
182 write_file("/proc/self/oom_score_adj", "1000");
183 }
184
185 struct thread_t {
186 int created, call;
187 event_t ready, done;
188 };
189
190 static struct thread_t threads[16];
191 static void execute_call(int call);
192 static int running;
193
thr(void * arg)194 static void* thr(void* arg)
195 {
196 struct thread_t* th = (struct thread_t*)arg;
197 for (;;) {
198 event_wait(&th->ready);
199 event_reset(&th->ready);
200 execute_call(th->call);
201 __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
202 event_set(&th->done);
203 }
204 return 0;
205 }
206
execute_one(void)207 static void execute_one(void)
208 {
209 int i, call, thread;
210 for (call = 0; call < 3; call++) {
211 for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
212 thread++) {
213 struct thread_t* th = &threads[thread];
214 if (!th->created) {
215 th->created = 1;
216 event_init(&th->ready);
217 event_init(&th->done);
218 event_set(&th->done);
219 thread_start(thr, th);
220 }
221 if (!event_isset(&th->done))
222 continue;
223 event_reset(&th->done);
224 th->call = call;
225 __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
226 event_set(&th->ready);
227 event_timedwait(&th->done, 45);
228 break;
229 }
230 }
231 for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
232 sleep_ms(1);
233 }
234
235 static void execute_one(void);
236
237 #define WAIT_FLAGS __WALL
238
loop(void)239 static void loop(void)
240 {
241 for (;;) {
242 int pid = fork();
243 if (pid < 0)
244 exit(1);
245 if (pid == 0) {
246 setup_test();
247 execute_one();
248 exit(0);
249 }
250 int status = 0;
251 uint64_t start = current_time_ms();
252 for (;;) {
253 if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
254 break;
255 sleep_ms(1);
256 if (current_time_ms() - start < 5 * 1000)
257 continue;
258 kill_and_wait(pid, &status);
259 break;
260 }
261 }
262 }
263
264 uint64_t r[1] = {0xffffffffffffffff};
265
execute_call(int call)266 void execute_call(int call)
267 {
268 long res;
269 switch (call) {
270 case 0:
271 *(uint32_t*)0x20000040 = 0;
272 *(uint32_t*)0x20000044 = 0;
273 *(uint32_t*)0x20000048 = 0;
274 *(uint32_t*)0x2000004c = 0;
275 *(uint32_t*)0x20000050 = 0;
276 *(uint32_t*)0x20000054 = 0;
277 *(uint32_t*)0x20000058 = 0;
278 *(uint32_t*)0x2000005c = 0;
279 *(uint32_t*)0x20000060 = 0;
280 *(uint32_t*)0x20000064 = 0;
281 *(uint32_t*)0x20000068 = 0;
282 *(uint32_t*)0x2000006c = 0;
283 *(uint32_t*)0x20000070 = 0;
284 *(uint32_t*)0x20000074 = 0;
285 *(uint32_t*)0x20000078 = 0;
286 *(uint32_t*)0x2000007c = 0;
287 *(uint32_t*)0x20000080 = 0;
288 *(uint32_t*)0x20000084 = 0;
289 *(uint64_t*)0x20000088 = 0;
290 *(uint32_t*)0x20000090 = 0;
291 *(uint32_t*)0x20000094 = 0;
292 *(uint32_t*)0x20000098 = 0;
293 *(uint32_t*)0x2000009c = 0;
294 *(uint32_t*)0x200000a0 = 0;
295 *(uint32_t*)0x200000a4 = 0;
296 *(uint32_t*)0x200000a8 = 0;
297 *(uint32_t*)0x200000ac = 0;
298 *(uint64_t*)0x200000b0 = 0;
299 res = __sys_io_uring_setup(0x64, (struct io_uring_params *) 0x20000040UL);
300 if (res != -1)
301 r[0] = res;
302 break;
303 case 1:
304 __sys_io_uring_register((long)r[0], 0, 0, 0);
305 break;
306 case 2:
307 __sys_io_uring_register((long)r[0], 0, 0, 0);
308 break;
309 }
310 }
311
sig_int(int sig)312 static void sig_int(int sig)
313 {
314 exit(0);
315 }
316
main(int argc,char * argv[])317 int main(int argc, char *argv[])
318 {
319 if (argc > 1)
320 return 0;
321 signal(SIGINT, sig_int);
322 mmap((void *) 0x20000000, 0x1000000, 3, 0x32, -1, 0);
323 signal(SIGALRM, sig_int);
324 alarm(5);
325
326 loop();
327 return 0;
328 }
329