1 /* SPDX-License-Identifier: MIT */
2 // autogenerated by syzkaller (https://github.com/google/syzkaller)
3 
4 #include <endian.h>
5 #include <stdint.h>
6 #include <stdio.h>
7 #include <stdlib.h>
8 #include <string.h>
9 #include <sys/mman.h>
10 #include <sys/syscall.h>
11 #include <sys/types.h>
12 #include <unistd.h>
13 
14 #include "helpers.h"
15 
16 #ifndef CONFIG_USE_SANITIZER
17 #ifndef __NR_io_uring_register
18 #define __NR_io_uring_register 427
19 #endif
20 #ifndef __NR_io_uring_setup
21 #define __NR_io_uring_setup 425
22 #endif
23 
24 #define SIZEOF_IO_URING_SQE 64
25 #define SIZEOF_IO_URING_CQE 16
26 #define SQ_HEAD_OFFSET 0
27 #define SQ_TAIL_OFFSET 64
28 #define SQ_RING_MASK_OFFSET 256
29 #define SQ_RING_ENTRIES_OFFSET 264
30 #define SQ_FLAGS_OFFSET 276
31 #define SQ_DROPPED_OFFSET 272
32 #define CQ_HEAD_OFFSET 128
33 #define CQ_TAIL_OFFSET 192
34 #define CQ_RING_MASK_OFFSET 260
35 #define CQ_RING_ENTRIES_OFFSET 268
36 #define CQ_RING_OVERFLOW_OFFSET 284
37 #define CQ_FLAGS_OFFSET 280
38 #define CQ_CQES_OFFSET 320
39 
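/*
 * syzkaller pseudo-syscall: io_uring_setup() followed by the two mmap()s a
 * user-space ring needs. Every argument is a plain long so the generated
 * reproducer can call it the way it calls a raw syscall.
 *
 * a0: number of SQ entries requested
 * a1: struct io_uring_params * (input flags, filled in further by the kernel)
 * a2: fixed address for the SQ/CQ ring mapping (MAP_FIXED)
 * a3: fixed address for the SQE array mapping (MAP_FIXED)
 * a4: void ** that receives the ring mapping result
 * a5: void ** that receives the SQE mapping result
 *
 * Returns the io_uring fd, or -1 if io_uring_setup() failed (errno as set by
 * the syscall). The mmap() results are stored into *a4 / *a5 exactly as
 * returned, MAP_FAILED included, so a caller that uses them must check them.
 */
static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5)
{
	uint32_t entries = (uint32_t)a0;
	struct io_uring_params* setup_params = (struct io_uring_params*)a1;
	void* vma1 = (void*)a2;
	void* vma2 = (void*)a3;
	void** ring_ptr_out = (void**)a4;
	void** sqes_ptr_out = (void**)a5;

	/*
	 * Keep the syscall result as a long. Storing it in a uint32_t turned
	 * -1 into 0xffffffff, so a caller comparing the result against -1
	 * could never observe the failure. Bail out before reading
	 * *setup_params, whose offsets are only meaningful after a
	 * successful setup.
	 */
	long fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
	if (fd_io_uring < 0)
		return -1;

	/* One mapping serves both rings, sized to the larger of the two. */
	uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
	uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE;
	uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
	*ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);

	/* The SQE array is a separate mapping at its own offset. */
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
	return fd_io_uring;
}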
57 
/*
 * Resource table of the reproducer. r[0] receives the io_uring fd from
 * syz_io_uring_setup(); it starts out all-ones, i.e. the same bit pattern as
 * (uint64_t)-1, and keeps that value if setup does not succeed.
 */
static uint64_t r[1] = { UINT64_MAX };
59 
/*
 * Regression reproducer (syzkaller output adapted to the liburing test
 * harness): set up an io_uring instance, then call io_uring_register() with
 * a fixed argument block. Nothing is asserted on the syscall results; the
 * test passes as long as the sequence runs to completion.
 */
int main(int argc, char *argv[])
{
	intptr_t res = 0;

	/* The reproducer takes no file argument; skip instead of misusing one. */
	if (argc > 1)
		return T_EXIT_SKIP;

	/*
	 * Fixed address space for the reproducer: a 16 MiB RWX data region at
	 * 0x20000000 with a PROT_NONE page on either side. Every constant
	 * address below lies inside that region. The mmap() results are not
	 * checked; should the 0x20000000 mapping fail, the stores below would
	 * likely fault rather than report an error.
	 */
	mmap((void *) 0x1ffff000ul, 0x1000ul, PROT_NONE,
		MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0ul);
	mmap((void *) 0x20000000ul, 0x1000000ul, PROT_READ|PROT_WRITE|PROT_EXEC,
		MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0ul);
	mmap((void *) 0x21000000ul, 0x1000ul, PROT_NONE,
		MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0ul);

	/*
	 * The struct io_uring_params handed to syz_io_uring_setup() lives at
	 * 0x20000680. The words written here (0x684..0x690 zero, 0x698 = -1,
	 * 12 zero bytes from 0x69c) presumably correspond to cq_entries,
	 * flags, sq_thread_cpu, sq_thread_idle, wq_fd and the resv[] tail —
	 * confirm against the struct layout. The remaining words are not
	 * initialized here.
	 */
	*(uint32_t*)0x20000684 = 0;
	*(uint32_t*)0x20000688 = 0;
	*(uint32_t*)0x2000068c = 0;
	*(uint32_t*)0x20000690 = 0;
	*(uint32_t*)0x20000698 = -1;
	memset((void*)0x2000069c, 0, 12);

	/*
	 * 0x2fd6 SQ entries; the ring and SQE arrays are mapped at the fixed
	 * addresses 0x20ffd000 / 0x20ffc000 and the resulting pointers are
	 * stored at 0x20000700 / 0x20000740. Only the fd is used afterwards.
	 */
	res = syz_io_uring_setup(0x2fd6, 0x20000680, 0x20ffd000, 0x20ffc000,
					0x20000700, 0x20000740);
	/*
	 * NOTE(review): recording the fd only on success relies on the helper
	 * returning the syscall's -1 as a long; a result stored in a uint32_t
	 * arrives here as 0xffffffff and passes this check.
	 */
	if (res != -1)
		r[0] = res;

	/*
	 * Argument block for io_uring_register(): opcode 0 with nr_args 2, so
	 * these 32 bytes read as two struct iovec, {NULL, 0} followed by
	 * {0x20000840, 0x1000} — presumably IORING_REGISTER_BUFFERS with an
	 * empty first entry; confirm against the uapi header. If setup did
	 * not succeed, r[0] is still all-ones and the call is expected to be
	 * rejected by the kernel.
	 */
	*(uint64_t*)0x20002840 = 0;
	*(uint64_t*)0x20002848 = 0;
	*(uint64_t*)0x20002850 = 0x20000840;
	*(uint64_t*)0x20002858 = 0x1000;
	syscall(__NR_io_uring_register, r[0], 0ul, 0x20002840ul, 2ul);
	return T_EXIT_PASS;
}
93 #else
/*
 * CONFIG_USE_SANITIZER build: the fixed-address reproducer above is compiled
 * out, so the test reports itself as skipped regardless of its arguments.
 */
int main(int argc, char *argv[])
{
	(void)argc;
	(void)argv;
	return T_EXIT_SKIP;
}
98 #endif
99