Detected on ci-qemu2-arm32 today: https://syzkaller.appspot.com/bug?id=42141887ff8d0973d435250053f7bd8075b12002
--- FAIL: TestGenerate (63.50s)
--- FAIL: TestGenerate/linux/amd64 (3.80s)
testutil.go:35: seed=1763633087729513960
--- FAIL: TestGenerate/linux/amd64/single_syz_io_uring_submit (0.34s)
csource_test.go:153: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
program:
r0 = mmap$IORING_OFF_CQ_RING(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x8, 0x4000, 0xffffffffffffffff, 0x8000000)
r1 = mmap$IORING_OFF_SQES(&(0x7f0000800000/0x800000)=nil, 0x800000, 0x1000000, 0x10000, 0xffffffffffffffff, 0x10000000)
r2 = socketcall$auto_SYS_SOCKET(0x1, &(0x7f0000000000)=0x2)
r3 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0)
syz_io_uring_submit(r0, r1, &(0x7f0000000080)=@IORING_OP_MKDIRAT={0x25, 0x3d, 0x0, r2, 0x0, &(0x7f0000000040)='./file0\x00', 0x11, 0x0, 0x1, {0x0, r3}})
csource_test.go:154: failed to build program:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#ifndef __NR_io_uring_register
#define __NR_io_uring_register 427
#endif
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320
/*
 * Pseudo-syscall: enqueue one submission queue entry and publish it.
 *
 * a0 is the mmap'ed SQ/CQ ring page (the tail counter at SQ_TAIL_OFFSET and
 * the ring mask at SQ_RING_MASK_OFFSET are read from it), a1 the mmap'ed SQE
 * array, and a2 the SIZEOF_IO_URING_SQE-byte entry to submit. The entry is
 * copied into slot (tail & mask); the tail is then advanced with a release
 * store so the copy is ordered before the new tail becomes visible.
 * Always returns 0.
 */
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2)
{
	char *ring = (char *)a0;
	uint32_t *tail = (uint32_t *)(ring + SQ_TAIL_OFFSET);
	uint32_t mask = *(uint32_t *)(ring + SQ_RING_MASK_OFFSET);
	uint32_t cur = *tail;
	/* the slot index wraps through the mask, the tail itself keeps counting */
	uint32_t idx = cur & mask;
	char *slot = (char *)a1 + idx * SIZEOF_IO_URING_SQE;
	memcpy(slot, (const char *)a2, SIZEOF_IO_URING_SQE);
	__atomic_store_n(tail, cur + 1, __ATOMIC_RELEASE);
	return 0;
}
/*
 * Resource values r0..r3 of the program listing. Only r[2] (the SYS_SOCKET
 * result) starts out as -1, an invalid fd; the rest start at 0. main()
 * overwrites a slot whenever the corresponding syscall does not return -1.
 */
uint64_t r[4] = { [2] = UINT64_MAX };
/*
 * Entry point of the autogenerated reproducer: sets up the fixed-address
 * memory layout the program relies on, then replays the syz program quoted
 * above call by call. Each syscall result is stored in r[] unless the call
 * returned -1, and the 64-byte io_uring SQE is assembled field by field at
 * 0x200000000080 before syz_io_uring_submit() enqueues it.
 *
 * NOTE(review): unlike __NR_io_uring_register, __NR_socketcall has no
 * #ifndef/#define fallback in this file, and the gcc output below reports it
 * as undeclared on linux/amd64 -- that is the build failure this issue tracks.
 */
int main(void)
{
	/* two PROT_NONE pages bracketing a 16 MiB RWX data area at 0x200000000000 */
	syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
	syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
	syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
	const char* reason;
	(void)reason;
	intptr_t res = 0;
	/* the write() result is deliberately ignored */
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {}
	/* r0 = mmap$IORING_OFF_CQ_RING. NOTE(review): fd is -1, so this mmap
	 * presumably fails and r[0] stays 0, which syz_io_uring_submit() then
	 * dereferences -- confirm whether that is the intended crash path. */
	res = syscall(__NR_mmap, /*addr=*/0x200000fff000ul, /*len=*/0x1000ul, /*prot=PROT_SEM*/8ul, /*flags=MAP_NORESERVE*/0x4000ul, /*fd=*/(intptr_t)-1, /*offset=*/0x8000000ul);
	if (res != -1)
		r[0] = res;
	/* r1 = mmap$IORING_OFF_SQES (same fd -1 caveat as above) */
	res = syscall(__NR_mmap, /*addr=*/0x200000800000ul, /*len=*/0x800000ul, /*prot=PROT_GROWSDOWN*/0x1000000ul, /*flags=MAP_NONBLOCK*/0x10000ul, /*fd=*/(intptr_t)-1, /*offset=*/0x10000000ul);
	if (res != -1)
		r[1] = res;
	/* r2 = socketcall$auto_SYS_SOCKET: the single argument (2) lives at
	 * 0x200000000000; __NR_socketcall is the symbol the build log flags */
	*(uint64_t*)0x200000000000 = 2;
	res = syscall(__NR_socketcall, /*call=*/1ul, /*args=*/0x200000000000ul);
	if (res != -1)
		r[2] = res;
	/* r3 = io_uring_register$IORING_REGISTER_PERSONALITY on fd -1 */
	res = syscall(__NR_io_uring_register, /*fd=*/(intptr_t)-1, /*opcode=*/9ul, /*arg=*/0ul, /*nr_args=*/0ul);
	if (res != -1)
		r[3] = res;
	/* Assemble the 64-byte SQE at 0x200000000080..0xbf (IORING_OP_MKDIRAT,
	 * opcode 0x25 per the program listing): r[2] (the SYS_SOCKET result) at
	 * +0x04, the path pointer at +0x10 -> "./file0" stored at 0x200000000040,
	 * r[3] (the IORING_REGISTER_PERSONALITY result) at +0x2a, and the
	 * remaining 20 bytes zeroed. */
	*(uint8_t*)0x200000000080 = 0x25;
	*(uint8_t*)0x200000000081 = 0x3d;
	*(uint16_t*)0x200000000082 = 0;
	*(uint32_t*)0x200000000084 = r[2];
	*(uint64_t*)0x200000000088 = 0;
	*(uint64_t*)0x200000000090 = 0x200000000040;
	memcpy((void*)0x200000000040, "./file0\000", 8);
	*(uint32_t*)0x200000000098 = 0x11;
	*(uint32_t*)0x20000000009c = 0;
	*(uint64_t*)0x2000000000a0 = 1;
	*(uint16_t*)0x2000000000a8 = 0;
	*(uint16_t*)0x2000000000aa = r[3];
	memset((void*)0x2000000000ac, 0, 20);
	/* hand the entry to the pseudo-syscall; its return value is not checked */
	syz_io_uring_submit(/*ring_ptr=*/r[0], /*sqes_ptr=*/r[1], /*sqe=*/0x200000000080);
	return 0;
}
<stdin>: In function 'main':
<stdin>:67:16: error: '__NR_socketcall' undeclared (first use in this function)
<stdin>:67:16: note: each undeclared identifier is reported only once for each function it appears in
At top level:
cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics
compiler invocation: gcc [-o /tmp/syz-executor1229311340 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie]
FAIL
FAIL github.com/google/syzkaller/pkg/csource 74.815s