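// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Linux kernel crash reproducer (x86_64: fixed 0x2000xxxx addresses, raw
// syscall numbers).  syzkaller emits programs of this shape to re-trigger a
// kernel bug it found; the fuzzer-chosen syscall arguments below are kept
// byte-for-byte, only the scaffolding around them has been cleaned up.
//
// Review notes (read before running):
//  * This is destructive by design.  main() keeps forking workers for as
//    long as the process lives, each worker dirties 100 MiB of page cache
//    and starts 48 threads that issue add_key/keyctl, shmget, linkat,
//    sched_setattr, tkill(SIGILL) and NUMA page migration.  Run it only in a
//    disposable VM, never on a host whose kernel you care about.
//  * The threads share r6/r8/r89/r93 without any synchronisation; the 20us
//    stagger in worker() is the only ordering.  That race is part of the
//    reproduction and is deliberately left alone.
//  * The reproducer normally runs as root.  /tmp/myshared%d and
//    /tmp/myprivate%d are predictable names in a world-writable directory,
//    so they are opened with O_NOFOLLOW: a pre-planted symlink now makes
//    open() fail (and the program exit) instead of ftruncate()-ing whatever
//    the link points at.  /tmp/myshared0..2 are left behind on exit.
//  * migrate_pages() is issued through syscall(SYS_migrate_pages, ...) like
//    every other call here, so libnuma (<numaif.h>) is not needed to build.
//
// _GNU_SOURCE makes glibc declare syscall(), usleep(), ftruncate() and
// O_NOFOLLOW even under a strict -std=c11 build.
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

// Results produced by one thread and consumed by a later one (see thr()).
// They stay -1 until the producing thread has run; consumers do not check.
static long r6 = -1;   // key id from add_key (thread 3) -> keyctl (7, 12)
static long r8 = -1;   // tid from gettid (thread 5) -> sched_setattr (6), tkill (11)
static long r89 = -1;  // fd from openat (thread 14) -> linkat (19)
static long r93 = -1;  // fd from open (thread 17) -> linkat (19)

#define NMAP 3            // number of shared file-backed mappings
#define SIZE (1 << 20)    // size of each shared mapping (1 MiB)

static void *maps[NMAP];  // MAP_SHARED mappings of /tmp/myshared0..2, set up in main()

// mmap(addr, 0x1000, PROT_READ|PROT_WRITE (0x3),
//      MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32), -1, 0)
// Maps one scratch page at a fixed address for the fuzzer program's data.
static void map_page(unsigned long addr)
{
    syscall(SYS_mmap, addr, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
}

// migrate_pages(getpid(), maxnode=2, &from, &to): move this process's pages
// from NUMA node mask `from` to node mask `to` (bit 0 = node 0, bit 1 = node 1).
static void migrate_own_pages(unsigned long from, unsigned long to)
{
    syscall(SYS_migrate_pages, getpid(), 2ul, &from, &to);
}

// One step of the fuzzer program per thread.  worker() starts threads with
// arg = 0..47, 20us apart, so the cases run roughly in numeric order but
// concurrently.  Only 0..23 carry a step; 24..47 return immediately.
static void *thr(void *arg)
{
    switch ((long)arg) {
    case 0:
        map_page(0x20000000ul);
        break;
    case 1:
        map_page(0x20000000ul);
        break;
    case 2:
        map_page(0x20000000ul);
        break;
    case 3:
        // add_key(type="systemtrusted", description, payload[152],
        //         152, keyring=<fuzzer-chosen id>).  The type name is not a
        //         standard key type and the description contains a stray
        //         0xc7 byte; both are deliberate fuzzer mutations.
        memcpy((void *)0x2000059f, "\x73\x79\x73\x74\x65\x6d\x74\x72\x75\x73\x74\x65\x64\x00", 14);
        memcpy((void *)0x20000fd8, "\x6d\x69\x6d\x65\x5f\x74\x79\x70\x65\x70\x72\x6f\x63\x73\x65\x6c\x69\x6e\x75\x78\x2d\x5c\x2a\xc7\x6d\x69\x6d\x65\x5f\x74\x79\x70\x65\x2e\x2f\x65\x74\x68\x31\x00", 40);
        memcpy((void *)0x20000624, "\x10\x22\x8c\x5c\x6c\xc8\x04\x26\x47\xa1\x41\xd1\x5a\x3e\x4e\x84\xdd\x39\x5d\x57\x09\x1d\x61\x0e\x51\xea\x31\xcd\xcf\x68\x91\x47\x66\xba\x2d\x9c\x23\x52\x26\x52\x86\x78\x29\x39\xa8\xaa\x95\x02\xbd\x29\x19\xd6\xc8\x76\x6a\x30\x4c\x77\x75\x2d\x91\x98\x77\x19\x29\x03\xe4\xf4\x49\x68\xde\xf8\x22\x8c\xec\xc3\x3f\x92\x3c\x46\x41\xba\x6c\x64\x52\x1e\x76\x4d\x71\x7d\xd2\x6c\x9a\x17\x85\x2a\x14\xca\x35\x65\xad\x32\x81\x16\xb1\xfa\x38\x94\xce\x41\x4b\x09\xfe\x03\xbf\x9f\x60\xcc\x76\x97\x5d\x7a\xd6\x66\x3e\xcb\x03\x4c\x58\xa3\xc2\xc5\xb6\x6f\xa2\xb3\x70\x4e\x0b\x67\x22\xfd\xa9\xba\x42\xf7\xb5\x0c\xdb\x22\xd1\x20", 152);
        r6 = syscall(SYS_add_key, 0x2000059ful, 0x20000fd8ul, 0x20000624ul, 0x98ul, 0xde337a1cb4cf849dul, 0);
        break;
    case 4:
        // msync(0x20c0f000, 0x4000, MS_ASYNC) on a range this program never maps.
        syscall(SYS_msync, 0x20c0f000ul, 0x4000ul, 0x1ul, 0, 0, 0);
        break;
    case 5:
        r8 = syscall(SYS_gettid, 0, 0, 0, 0, 0, 0);
        break;
    case 6:
        // Build a struct sched_attr at 0x20001fd0 (field offsets match the
        // kernel uapi layout) and apply it to the tid captured by thread 5:
        //   size=0x30, policy=0, flags=1 (RESET_ON_FORK), nice=2, priority=2,
        //   runtime=7, deadline=1, period=9.
        map_page(0x20001000ul);
        *(uint32_t *)0x20001fd0 = 0x30;
        *(uint32_t *)0x20001fd4 = 0x0;
        *(uint64_t *)0x20001fd8 = 0x1;
        *(uint32_t *)0x20001fe0 = 0x2;
        *(uint32_t *)0x20001fe4 = 0x2;
        *(uint64_t *)0x20001fe8 = 0x7;
        *(uint64_t *)0x20001ff0 = 0x1;
        *(uint64_t *)0x20001ff8 = 0x9;
        syscall(SYS_sched_setattr, r8, 0x20001fd0ul, 0x0ul, 0, 0, 0);
        break;
    case 7:
        // keyctl(KEYCTL_SET_TIMEOUT (0xf), key=r6, timeout=4s)
        syscall(SYS_keyctl, 0xful, r6, 0x4ul, 0, 0, 0);
        break;
    case 8:
        syscall(SYS_sync, 0, 0, 0, 0, 0, 0);
        break;
    case 9:
        map_page(0x20003000ul);
        break;
    case 10:
        // shmget(key=0xfffffffffffff727, 0x1000, 0x80); trailing args are ignored.
        syscall(SYS_shmget, 0xfffffffffffff727ul, 0x1000ul, 0x80ul, 0x20001000ul, 0, 0);
        break;
    case 11:
        // tkill(r8, SIGILL) aimed at the thread that ran case 5.
        syscall(SYS_tkill, r8, 0x4ul, 0, 0, 0, 0);
        break;
    case 12:
        // keyctl(KEYCTL_REVOKE (0x3), key=r6)
        syscall(SYS_keyctl, 0x3ul, r6, 0, 0, 0, 0);
        break;
    case 13:
        map_page(0x20004000ul);
        break;
    case 14:
        // openat(dirfd=0x1869f, "./file0", 0, 0x140); the dirfd is a
        // fuzzer-chosen number, not a descriptor this program opened.
        memcpy((void *)0x20004000, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8);
        r89 = syscall(SYS_openat, 0x1869ful, 0x20004000ul, 0x0ul, 0x140ul, 0, 0);
        break;
    case 15:
        map_page(0x20004000ul);
        break;
    case 16:
        map_page(0x20004000ul);
        break;
    case 17:
        // open("./bus", O_SYNC (0x101000), 0x50)
        memcpy((void *)0x2000475e, "\x2e\x2f\x62\x75\x73\x00", 6);
        r93 = syscall(SYS_open, 0x2000475eul, 0x101000ul, 0x50ul, 0, 0, 0);
        break;
    case 18:
        map_page(0x20004000ul);
        break;
    case 19:
        // linkat(r89, "./file0", r93, "./file0", AT_EMPTY_PATH (0x1000)).
        // The second path is written 5 bytes before the end of the
        // 0x20004000 page; its NUL terminator lands in the next page, which
        // thread 20/21 map at 0x20005000.
        memcpy((void *)0x20004000, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8);
        memcpy((void *)0x20004ffb, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8);
        syscall(SYS_linkat, r89, 0x20004000ul, r93, 0x20004ffbul, 0x1000ul, 0);
        break;
    case 20:
        map_page(0x20005000ul);
        break;
    case 21:
        map_page(0x20005000ul);
        break;
    case 22:
        migrate_own_pages(1, 2);  // node 0 -> node 1
        break;
    case 23:
        migrate_own_pages(2, 1);  // node 1 -> node 0
        break;
    default:
        // Threads 24..47 have no program step.
        break;
    }
    return 0;
}

// Touch one byte per page of every shared mapping so the pages are
// populated and dirty before the threads (and the page migration) run.
static void touch_shared_maps(void)
{
    for (int i = 0; i < NMAP; i++) {
        for (int j = 0; j < SIZE; j += 4 << 10)
            ((volatile char *)maps[i])[j] = 1;
    }
}

// One worker process: dirty 100 MiB of private file-backed memory, touch
// the shared maps, then run the fuzzer program as 48 staggered threads.
static void worker(void)
{
    enum { NTHR = 24, NREP = 2 };
    pthread_t th[NREP * NTHR];
    char path[128];

    snprintf(path, sizeof path, "/tmp/myprivate%d", getpid());
    // O_NOFOLLOW: refuse a pre-planted symlink at this predictable name.
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
    if (fd >= 0) {
        if (ftruncate(fd, 100 << 20) == 0) {
            void *p = mmap(0, 100 << 20, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
            if (p != MAP_FAILED) {
                for (int i = 0; i < (100 << 20); i += 4 << 10)
                    ((volatile char *)p)[i]++;
                munmap(p, 100 << 20);
            }
        }
        close(fd);
        unlink(path);
    }

    touch_shared_maps();

    // 20us between thread starts is the only ordering the program has.
    int started = 0;
    for (int i = 0; i < NREP * NTHR; i++) {
        if (pthread_create(&th[i], 0, thr, (void *)(long)i) != 0)
            break;
        started++;
        usleep(20);
    }
    for (int i = 0; i < started; i++)
        pthread_join(th[i], 0);
}

// Touch the shared maps in the parent, then fork one worker.  The child is
// reaped (and replaced) by the wait() loop in main().
static void forkworker(void)
{
    touch_shared_maps();
    if (fork() == 0) {
        worker();
        exit(0);
    }
}

// Create the shared file-backed mappings, start 8 workers, then keep one
// new worker per reaped child forever.  Exits non-zero (instead of faulting
// later in touch_shared_maps()) if a backing file cannot be set up.
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    for (int i = 0; i < NMAP; i++) {
        char path[128];
        snprintf(path, sizeof path, "/tmp/myshared%d", i);
        // O_NOFOLLOW: refuse a pre-planted symlink at this predictable name.
        int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
        if (fd < 0 || ftruncate(fd, SIZE) != 0) {
            perror(path);
            return 1;
        }
        maps[i] = mmap(0, SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        if (maps[i] == MAP_FAILED) {
            perror("mmap");
            return 1;
        }
        close(fd);  // the mapping stays valid without the descriptor
    }

    for (int i = 0; i < 8; i++)
        forkworker();

    // Runs until killed; wait() returning -1 (no children) just spins.
    for (;;) {
        if (wait(0) != -1)
            forkworker();
    }
}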