/* SPDX-License-Identifier: MIT */
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <time.h>
#include <unistd.h>

#include "liburing.h"
#include "../src/syscall.h"

/*
 * Suspend the calling thread for roughly `ms` milliseconds.
 *
 * The millisecond count is scaled to microseconds in 64-bit arithmetic and
 * then handed to usleep(), whose parameter type is narrower on common
 * platforms; callers in this file only pass small values.
 */
static void sleep_ms(uint64_t ms)
{
	const uint64_t usec = ms * 1000;

	usleep(usec);
}
/*
 * Return the CLOCK_MONOTONIC reading converted to whole milliseconds.
 *
 * The process exits with status 1 if the clock cannot be read, so callers
 * never see an error value.
 */
static uint64_t current_time_ms(void)
{
	struct timespec now;
	const int rc = clock_gettime(CLOCK_MONOTONIC, &now);

	if (rc != 0)
		exit(1);

	const uint64_t from_sec = (uint64_t)now.tv_sec * 1000;
	const uint64_t from_nsec = (uint64_t)now.tv_nsec / 1000000;

	return from_sec + from_nsec;
}
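/*
 * Format a string printf-style and write it to an existing file.
 *
 * file: path to open write-only (O_CLOEXEC); the file is not created.
 * what: printf-style format, followed by its arguments.
 *
 * Returns true only when the complete formatted text was written.
 * Returns false with errno set when formatting fails, when the text does
 * not fit the 1024-byte staging buffer (EOVERFLOW), when the file cannot
 * be opened, or when the write fails or is short (EIO for a short write).
 *
 * A result that would be truncated is rejected instead of written: this
 * helper is used on kernel control files, where a cut-off value is a
 * different setting rather than a harmless shortening.
 */
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;

	va_start(args, what);
	int len = vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);

	if (len < 0)
		return false;
	if ((size_t)len >= sizeof(buf)) {
		/* vsnprintf reports the untruncated length; refuse partial data. */
		errno = EOVERFLOW;
		return false;
	}

	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;

	ssize_t written = write(fd, buf, (size_t)len);
	/* Capture errno before close() has a chance to overwrite it. */
	int err = written < 0 ? errno : EIO;

	close(fd);
	if (written != len) {
		errno = err;
		return false;
	}
	return true;
}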
/*
 * Forcefully terminate a test child and reap it.
 *
 * pid:    the child to kill; SIGKILL is sent to the process group -pid and
 *         to the process itself.
 * status: receives the wait status from waitpid().
 *
 * The child is polled for up to 100 rounds of 1 ms. If it has not been
 * reaped by then, every entry under /sys/fs/fuse/connections gets a byte
 * written to its "abort" file (failures are ignored), and the function
 * then blocks in waitpid() until `pid` is collected.
 *
 * NOTE(review): the final loop does not stop on a waitpid() error, so it
 * relies on `pid` being an unreaped child of the caller.
 */
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);

	/* Short grace period: non-blocking reap attempts, 1 ms apart. */
	for (int attempt = 0; attempt < 100; attempt++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}

	DIR *conns = opendir("/sys/fs/fuse/connections");
	if (conns != NULL) {
		struct dirent *entry;

		while ((entry = readdir(conns)) != NULL) {
			if (!strcmp(entry->d_name, ".") || !strcmp(entry->d_name, ".."))
				continue;

			char abort_path[300];
			snprintf(abort_path, sizeof(abort_path), "/sys/fs/fuse/connections/%s/abort",
					entry->d_name);

			int abort_fd = open(abort_path, O_WRONLY);
			if (abort_fd != -1) {
				/* Best effort: the first byte of the path is what gets written. */
				if (write(abort_fd, abort_path, 1) < 0) {
				}
				close(abort_fd);
			}
		}
		closedir(conns);
	}

	/* Blocking reap; other children collected here are discarded. */
	for (;;) {
		if (waitpid(-1, status, __WALL) == pid)
			break;
	}
}
/*
 * Per-child sandboxing, run in the forked process before the test body.
 *
 *  - PR_SET_PDEATHSIG/SIGKILL: the child is killed if its parent goes away.
 *  - setpgrp(): the child gets its own process group, which is what the
 *    kill(-pid, ...) in kill_and_wait() targets.
 *  - oom_score_adj = 1000: the child volunteers as the preferred OOM victim.
 *
 * All three steps are best effort; no result is checked.
 */
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	(void)write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

/*
 * Run the reproducer 5000 times, each time in a freshly forked child.
 *
 * The child applies setup_test(), runs execute_one() and exits 0. The
 * parent polls for it once per millisecond; a child that is still running
 * after 5 seconds is torn down with kill_and_wait(). The child's exit
 * status is collected but not inspected, and a failed fork() ends the
 * whole program with status 1.
 */
static void loop(void)
{
	for (int iter = 0; iter < 5000; iter++) {
		const int pid = fork();

		if (pid < 0)
			exit(1);
		if (pid == 0) {
			setup_test();
			execute_one();
			exit(0);
		}

		int status = 0;
		const uint64_t began = current_time_ms();

		while (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) != pid) {
			sleep_ms(1);
			if (current_time_ms() - began >= 5 * 1000) {
				/* Deadline passed: stop waiting politely. */
				kill_and_wait(pid, &status);
				break;
			}
		}
	}
}
/*
 * The generated test body: build a parameter block at the fixed address
 * 0x20000080 and pass it to io_uring_setup with 0x983 entries.
 *
 * The address lies inside the region main() maps at 0x20000000, so this
 * function must only run after that mapping exists. The 0x78 bytes from
 * 0x20000080 to 0x200000f7 are zeroed, after which three fields are set:
 *
 *   flags          (offset 0x08) = 3, i.e. IORING_SETUP_IOPOLL |
 *                                  IORING_SETUP_SQPOLL in the io_uring UAPI
 *   sq_thread_cpu  (offset 0x0c) = 3
 *   sq_thread_idle (offset 0x10) = 0x175
 *
 * The syscall result is ignored; the page does not say which kernel
 * issue this input was generated for.
 */
void execute_one(void)
{
	struct io_uring_params *params = (struct io_uring_params *) 0x20000080;

	memset(params, 0, 0x78);
	params->flags = 3;
	params->sq_thread_cpu = 3;
	params->sq_thread_idle = 0x175;

	__sys_io_uring_setup(0x983, params);
}
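/*
 * SIGINT handler: end the process immediately with status 0.
 *
 * _exit() is used instead of exit() because exit() is not
 * async-signal-safe: it runs atexit handlers and flushes stdio, which is
 * undefined if the signal interrupted code that holds those resources.
 * The handler is inherited by the children forked in loop().
 */
static void sig_int(int sig)
{
	(void)sig;
	_exit(0);
}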
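/*
 * Entry point of the regression test.
 *
 * Any command-line argument makes the program a no-op that returns 0.
 * Otherwise it installs the SIGINT handler, maps the 16 MiB scratch
 * region at 0x20000000 that execute_one() writes into, and runs loop().
 *
 * Returns 0 on completion and 1 if the scratch region cannot be mapped.
 * Without that check every child would fault on its first store and the
 * run would still report success without exercising the kernel at all.
 */
int main(int argc, char *argv[])
{
	(void)argv;

	if (argc > 1)
		return 0;
	signal(SIGINT, sig_int);

	/*
	 * prot 3 is PROT_READ | PROT_WRITE; flags 0x32 is MAP_PRIVATE |
	 * MAP_FIXED | MAP_ANONYMOUS on the generic Linux ABI. MAP_FIXED
	 * replaces whatever was previously mapped in this range.
	 */
	void *arena = mmap((void *) 0x20000000, 0x1000000, 3, 0x32, -1, 0);
	if (arena == MAP_FAILED) {
		perror("mmap");
		return 1;
	}

	loop();
	return 0;
}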