1 /* SPDX-License-Identifier: MIT */
2 // https://syzkaller.appspot.com/bug?id=1f2ecd7a23dba87e5ca3505ec44514a462cfe8c0
3 // autogenerated by syzkaller (https://github.com/google/syzkaller)
4
5 #include <errno.h>
6 #include <fcntl.h>
7 #include <stdarg.h>
8 #include <stdbool.h>
9 #include <stdint.h>
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <string.h>
13 #include <sys/socket.h>
14 #include <sys/types.h>
15 #include <sys/mman.h>
16 #include <unistd.h>
17
18 #include "liburing.h"
19 #include "helpers.h"
20 #include "../src/syscall.h"
21
write_file(const char * file,const char * what,...)22 static bool write_file(const char* file, const char* what, ...)
23 {
24 char buf[1024];
25 va_list args;
26 va_start(args, what);
27 vsnprintf(buf, sizeof(buf), what, args);
28 va_end(args);
29 buf[sizeof(buf) - 1] = 0;
30 int len = strlen(buf);
31 int fd = open(file, O_WRONLY | O_CLOEXEC);
32 if (fd == -1)
33 return false;
34 if (write(fd, buf, len) != len) {
35 int err = errno;
36 close(fd);
37 errno = err;
38 return false;
39 }
40 close(fd);
41 return true;
42 }
43
inject_fault(int nth)44 static int inject_fault(int nth)
45 {
46 int fd;
47 fd = open("/proc/thread-self/fail-nth", O_RDWR);
48 if (fd == -1)
49 exit(1);
50 char buf[16];
51 sprintf(buf, "%d", nth + 1);
52 if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
53 exit(1);
54 return fd;
55 }
56
setup_fault(void)57 static int setup_fault(void)
58 {
59 static struct {
60 const char* file;
61 const char* val;
62 bool fatal;
63 } files[] = {
64 {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
65 {"/sys/kernel/debug/failslab/verbose", "0", false},
66 {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
67 {"/sys/kernel/debug/fail_page_alloc/verbose", "0", false},
68 {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
69 {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
70 {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
71 };
72 unsigned i;
73 for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
74 if (!write_file(files[i].file, files[i].val)) {
75 if (files[i].fatal)
76 return 1;
77 }
78 }
79 return 0;
80 }
81
82 static uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
83
main(int argc,char * argv[])84 int main(int argc, char *argv[])
85 {
86 if (argc > 1)
87 return T_EXIT_SKIP;
88 mmap((void *) 0x20000000ul, 0x1000000ul, 3ul, MAP_ANON|MAP_PRIVATE, -1, 0);
89 if (setup_fault()) {
90 printf("Test needs failslab/fail_futex/fail_page_alloc enabled, skipped\n");
91 return T_EXIT_SKIP;
92 }
93 intptr_t res = 0;
94 *(uint32_t*)0x20000000 = 0;
95 *(uint32_t*)0x20000004 = 0;
96 *(uint32_t*)0x20000008 = 0;
97 *(uint32_t*)0x2000000c = 0;
98 *(uint32_t*)0x20000010 = 0;
99 *(uint32_t*)0x20000014 = 0;
100 *(uint32_t*)0x20000018 = 0;
101 *(uint32_t*)0x2000001c = 0;
102 *(uint32_t*)0x20000020 = 0;
103 *(uint32_t*)0x20000024 = 0;
104 *(uint32_t*)0x20000028 = 0;
105 *(uint32_t*)0x2000002c = 0;
106 *(uint32_t*)0x20000030 = 0;
107 *(uint32_t*)0x20000034 = 0;
108 *(uint32_t*)0x20000038 = 0;
109 *(uint32_t*)0x2000003c = 0;
110 *(uint32_t*)0x20000040 = 0;
111 *(uint32_t*)0x20000044 = 0;
112 *(uint64_t*)0x20000048 = 0;
113 *(uint32_t*)0x20000050 = 0;
114 *(uint32_t*)0x20000054 = 0;
115 *(uint32_t*)0x20000058 = 0;
116 *(uint32_t*)0x2000005c = 0;
117 *(uint32_t*)0x20000060 = 0;
118 *(uint32_t*)0x20000064 = 0;
119 *(uint32_t*)0x20000068 = 0;
120 *(uint32_t*)0x2000006c = 0;
121 *(uint64_t*)0x20000070 = 0;
122 res = __sys_io_uring_setup(0x6a6, (struct io_uring_params *) 0x20000000ul);
123 if (res != -1)
124 r[0] = res;
125 res = socket(0x11ul, 2ul, 0x300ul);
126 if (res != -1)
127 r[1] = res;
128 *(uint32_t*)0x20000080 = r[1];
129 inject_fault(1);
130 __sys_io_uring_register(r[0], 2ul, (const void *) 0x20000080ul, 1ul);
131 return T_EXIT_PASS;
132 }
133