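Syzkaller hit the bug 'panic: Assertion STAILQ_FIRST(&sb->uxst_mbq) failed at /home/markj/sb/main/src/sys/kern/uipc_usrreq.c:LINE'. (LINE is the placeholder used in the report title; the console output below gives the actual line, 1356.) Per the backtrace, the assertion fired in uipc_soreceive_stream_or_seqpacket(), reached from sys_recvmsg() through kern_recvit() and soreceive(). Per 'show all locks', the panicking thread (tid 100143) held the so_rcv mutex and the so_rcv_sx lock at that point.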

login: panic: Assertion STAILQ_FIRST(&sb->uxst_mbq) failed at /home/markj/sb/main/src/sys/kern/uipc_usrreq.c:1356
cpuid = 0
time = 1740850085
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0xde/frame 0xfffffe000fff6530
vpanic() at vpanic+0x804/frame 0xfffffe000fff66e0
panic() at panic+0x1dd/frame 0xfffffe000fff67f0
uipc_soreceive_stream_or_seqpacket() at uipc_soreceive_stream_or_seqpacket+0x3fe0/frame 0xfffffe000fff6a20
soreceive() at soreceive+0x291/frame 0xfffffe000fff6b00
kern_recvit() at kern_recvit+0xabf/frame 0xfffffe000fff6c90
sys_recvmsg() at sys_recvmsg+0x2fb/frame 0xfffffe000fff6d50
amd64_syscall() at amd64_syscall+0xef0/frame 0xfffffe000fff6f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe000fff6f30
--- syscall (0, FreeBSD ELF64, syscall), rip = 0x24ba5a, rsp = 0x822c9cf68, rbp = 0x822c9cfc0 ---
KDB: enter: panic
[ thread pid 970 tid 100143 ]
Stopped at      kdb_enter+0x1e3:        movq    $0x86c7bc10,%rdi
db> 
db> set $lines = 0
db> set $maxwidth = 0
db> show registers
cs                        0x20
ds                        0x3b
es                        0x3b
fs                        0x13
gs                        0x1b
ss                        0x28
rax                       0x12
rcx                  0x68004c0
rdx         0xffffffff86c83000  msan_dummy_orig
rbx         0xffffffff8607719e
rsp         0xfffffe000fff64c0
rbp         0xfffffe000fff6530
rsi         0xfffffe0080000000
rdi         0xffffffff868004c0  panicstr
r8                           0
r9                         0x2
r10         0xffffffffffffffff
r11                          0
r12                          0
r13         0xfffffe0007f85000
r14         0xfffffe001d3ec008
r15                          0
rip         0xffffffff83a09d73  kdb_enter+0x1e3
rflags                    0x46
kdb_enter+0x1e3:        movq    $0x86c7bc10,%rdi
db> show proc
Process 970 (syz-executor1764241) at 0xfffffe0007f66000:
 state: NORMAL
 uid: 0  gids: 0, 0, 5
 parent: pid 965 at 0xfffffe0007ef0b00
 ABI: FreeBSD ELF64
 flag: 0x10000080  flag2: 0
 arguments: /root/syz-executor1764241267
 reaper: 0xfffffe0007e07040 reapsubtree: 1
 sigparent: 20
 vmspace: 0xfffffe0007f77920
   (map 0xfffffe0007f77920)
   (map.pmap 0xfffffe0007f779c0)
   (pmap 0xfffffe0007f77a30)
 threads: 3
100098                   RunQ                                syz-executor1764241
100143                   Run     CPU 0                       syz-executor1764241
100144                   Run     CPU 1                       syz-executor1764241
db> ps
  pid  ppid  pgrp   uid  state   wmesg   wchan               cmd
  970   965   965     0  R       (threaded)                  syz-executor1764241
100098                   RunQ                                syz-executor1764241
100143                   Run     CPU 0                       syz-executor1764241
100144                   Run     CPU 1                       syz-executor1764241
  965   964   965     0  Ss      nanslp  0xffffffff86c630e0  syz-executor1764241
  964   962   962     0  S       select  0xfffffe001cf79940  sshd-session
  962   925   962     0  Ss      select  0xfffffe001cf7a7c0  sshd-session
  944     1   944     0  Ss+     ttyin   0xfffffe0010ff88b0  getty
  929     1   929     0  Ss      nanslp  0xffffffff86c630e1  cron
  925     1   925     0  Ss      select  0xfffffe001d045340  sshd
  807     1   807     0  Ss      select  0xfffffe001d045440  syslogd
  806     1   803     0  S       select  0xfffffe001cf7a740  syslogd
  803     1   803     0  Ss      select  0xfffffe001d045540  syslogd
  594     1   594     0  Ss      select  0xfffffe001cf7a540  devd
  380     1   380    65  Ss      select  0xfffffe001cf7a640  dhclient
  356     1   356     0  Ss      select  0xfffffe00083eb540  dhclient
  353     1   353     0  Ss      select  0xfffffe0010f50e40  dhclient
  160     0     0     0  DL      pftm    0xffffffff87ba0820  [pf purge]
  146     0     0     0  DL      (threaded)                  [ng_queue]
100089                   D       sleep   0xffffffff87b38930  [ng_queue0]
100093                   D       sleep   0xffffffff87b38930  [ng_queue1]
   15     0     0     0  DL      syncer  0xffffffff86d519e8  [syncer]
    9     0     0     0  DL      vlruwt  0xfffffe0007e26b00  [vnlru]
    8     0     0     0  DL      (threaded)                  [bufdaemon]
100065                   D       psleep  0xffffffff86d509e8  [bufdaemon]
100068                   D       -       0xffffffff868021c0  [bufspacedaemon-0]
100084                   D       sdflush 0xfffffe001b2abce8  [/ worker]
    7     0     0     0  DL      psleep  0xffffffff86d85df8  [vmdaemon]
    6     0     0     0  DL      (threaded)                  [pagedaemon]
100063                   D       psleep  0xffffffff86d6c338  [dom0]
100069                   D       launds  0xffffffff86d6c344  [laundry: dom0]
100070                   D       umarcl  0xffffffff8505cc30  [uma]
    5     0     0     0  DL      -       0xffffffff86a648c0  [rand_harvestq]
    4     0     0     0  DL      (threaded)                  [cam]
100044                   D       -       0xffffffff86a36240  [doneq0]
100045                   D       -       0xffffffff86a361c0  [async]
100062                   D       -       0xffffffff86a36090  [scanner]
    3     0     0     0  DL      (threaded)                  [crypto]
100041                   D       crypto_ 0xffffffff86d697f0  [crypto]
100042                   D       crypto_ 0xfffffe0010eaa030  [crypto returns 0]
100043                   D       crypto_ 0xfffffe0010eaa080  [crypto returns 1]
   14     0     0     0  DL      seqstat 0xfffffe0008355488  [sequencer 00]
   13     0     0     0  DL      (threaded)                  [geom]
100035                   D       -       0xffffffff86c1eae0  [g_event]
100036                   D       -       0xffffffff86c1eae8  [g_up]
100037                   D       -       0xffffffff86c1eaf0  [g_down]
    2     0     0     0  WL      (threaded)                  [clock]
100031                   I                                   [clock (0)]
100032                   I                                   [clock (1)]
   12     0     0     0  WL      (threaded)                  [intr]
100013                   I                                   [swi6: task queue]
100014                   I                                   [swi6: Giant taskq]
100016                   I                                   [swi5: fast taskq]
100033                   I                                   [swi1: netisr 0]
100046                   I                                   [irq40: virtio_pci0]
100047                   I                                   [irq41: virtio_pci0]
100048                   I                                   [irq42: virtio_pci0]
100051                   I                                   [irq43: virtio_pci1]
100052                   I                                   [irq44: virtio_pci1]
100053                   I                                   [irq1: atkbd0]
100054                   I                                   [irq12: psm0]
100055                   I                                   [swi0: uart uart++]
100094                   I                                   [swi1: pf send]
   11     0     0     0  RL      (threaded)                  [idle]
100003                   CanRun                              [idle: cpu0]
100004                   CanRun                              [idle: cpu1]
    1     0     1     0  SLs     wait    0xfffffe0007e07040  [init]
   10     0     0     0  DL      audit_w 0xffffffff86d69cf0  [audit]
    0     0     0     0  RLs     (threaded)                  [kernel]
100000                   D       parked  0xffffffff8742eff0  [swapper]
100005                   D       -       0xfffffe0007d6ad00  [softirq_0]
100006                   D       -       0xfffffe0007d6ac00  [softirq_1]
100007                   D       -       0xfffffe0007d6ab00  [if_io_tqg_0]
100008                   D       -       0xfffffe0007d6aa00  [if_io_tqg_1]
100009                   D       -       0xfffffe0007d6a900  [if_config_tqg_0]
100010                   D       -       0xfffffe0007d6a800  [pci_hp taskq]
100011                   D       -       0xfffffe0007d6a700  [kqueue_ctx taskq]
100012                   D       -       0xfffffe0007d6a600  [jail_remove taskq]
100015                   RunQ                                [thread taskq]
100017                   D       -       0xfffffe0007d6a100  [aiod_kick taskq]
100018                   D       -       0xfffffe0007d6a000  [deferred_unmount ta]
100019                   D       -       0xfffffe0007d69e00  [inm_free taskq]
100020                   D       -       0xfffffe0007d69d00  [in6m_free taskq]
100021                   D       -       0xfffffe0007d69c00  [linuxkpi_irq_wq]
100022                   D       -       0xfffffe0007d69b00  [linuxkpi_short_wq_0]
100023                   D       -       0xfffffe0007d69b00  [linuxkpi_short_wq_1]
100024                   D       -       0xfffffe0007d69b00  [linuxkpi_short_wq_2]
100025                   D       -       0xfffffe0007d69b00  [linuxkpi_short_wq_3]
100026                   D       -       0xfffffe0007d69a00  [linuxkpi_long_wq_0]
100027                   D       -       0xfffffe0007d69a00  [linuxkpi_long_wq_1]
100028                   D       -       0xfffffe0007d69a00  [linuxkpi_long_wq_2]
100029                   D       -       0xfffffe0007d69a00  [linuxkpi_long_wq_3]
100034                   D       -       0xfffffe0007d69900  [firmware taskq]
100039                   D       -       0xfffffe0007d69800  [crypto_0]
100040                   D       -       0xfffffe0007d69800  [crypto_1]
100049                   D       -       0xfffffe0011004300  [vtnet0 rxq 0]
100050                   D       -       0xfffffe0011004200  [vtnet0 txq 0]
100056                   D       -       0xffffffff8623c210  [deadlkres]
100057                   D       -       0xfffffe0011004100  [acpi_task_0]
100058                   D       -       0xfffffe0011004100  [acpi_task_1]
100059                   D       -       0xfffffe0011004100  [acpi_task_2]
100061                   D       -       0xfffffe0007d69700  [CAM taskq]
100092                   D       -       0xfffffe0007d69300  [ipsec_offload]
db> show all locks
Process 970 (syz-executor1764241) thread 0xfffffe0007f85000 (100143)
exclusive sleep mutex so_rcv (so_rcv) r = 0 (0xfffffe001b8d15e0) locked @ /home/markj/sb/main/src/sys/kern/uipc_usrreq.c:1326
exclusive sx so_rcv_sx (so_rcv_sx) r = 0 (0xfffffe001b8d15c0) locked @ /home/markj/sb/main/src/sys/kern/uipc_socket.c:4820
db> show malloc
              Type        InUse        MemUse     Requests
           pf_hash            6        12804K            6
            linker          388         6919K          499
         sysctloid        32588         1918K        32632
             kmsan          108         1728K          144
              kobj          328         1312K          548
            devbuf         1461         1160K         1484
            newblk         1908          989K         1954
               pcb           17          525K           44
          vfscache            3          513K            3
           callout            2          512K            2
              intr            4          472K            4
          inodedep           11          260K           68
         ufs_quota            1          256K            1
          vfs_hash            1          256K            1
         vnet_data            2          224K            2
          acpitask            1          224K            1
            KTRACE          100          200K          100
           subproc           88          149K         1027
            bus-sc           31          148K         1014
           tidhash            3          141K            3
              SWAP            1          132K            1
        tfo_ccache            1          128K            1
          IP reass            1          128K            1
               sem            4          106K            4
        gtaskqueue           18           98K           18
            DEVFS1           97           97K          106
          filecaps           12           89K          473
              vmem            5           88K            7
               bus          969           78K         3389
          mtx_pool            3           74K            3
          syncache            1           68K            1
     NFSD srvcache            3           68K            3
           pagedep            4           65K           27
       ddb_capture            1           64K            1
            module          510           64K          510
            acpica          420           39K        59430
              temp           34           38K         7447
               LRO            2           33K            2
         hostcache            1           32K            1
               shm            1           32K            1
               msg            4           30K            4
              umtx          240           30K          240
            DEVFS3          120           30K          127
           kdtrace          141           30K         1116
          filedesc            4           29K           25
            kbdmux            5           28K            5
        DEVFS_RULE           61           22K           61
               BPF           10           18K           10
           ithread           95           18K           95
              GEOM          106           17K          690
         ufs_mount            4           17K            5
              proc            3           17K            3
      eventhandler          152           13K          152
           devstat            6           13K            6
              rman           99           12K          529
              kenv           92           12K           92
            ifaddr           29           11K           29
          routetbl           42           10K          125
               rpc            8            9K            8
         bmsafemap            3            9K           67
              UART           12            9K           12
netgraph_btsocks_hci_raw            1            8K            1
             shmfd            1            8K            1
       pfs_vncache            1            8K            1
     audit_evclass          239            8K          301
         taskqueue           62            7K          143
         pfs_nodes           22            6K           22
       ufs_dirhash           27            6K           27
            sglist            3            6K            3
            kqueue           35            5K          974
               UMA          261            5K          261
             ifnet            3            5K            3
           io_apic            1            4K            1
               tty            4            4K            4
             evdev            4            4K            4
              cred           15            4K          362
            plimit            9            4K          293
          pf_ifnet            5            3K            6
           lltable           10            3K           10
           acpidev           22            3K           22
           acpisem           21            3K           21
         toponodes           10            3K           10
             hhook            8            3K           10
             clone            9            3K            9
           uidinfo            3            3K            8
        local_apic            1            2K            1
         ipsec-saq            2            2K            2
           pwddesc           32            2K          976
           CAM DEV            1            2K            2
             selfd           27            2K        38414
               msi           13            2K           13
         in6_multi           15            2K           15
            Unitno           25            2K           39
             lockf           15            2K           18
         proc-args           45            2K         1991
          pci_link           16            2K           16
           session           12            2K           31
             mount           31            2K          105
       ipsecpolicy            2            2K            2
       ether_multi           17            2K           17
     netgraph_node            6            2K            6
            select           10            2K           76
           netlink            2            2K          112
         CAM queue            2            2K            5
           softdep            1            1K            1
            dirrem            4            1K           24
            sahead            1            1K            1
          secasvar            1            1K            1
       vnodemarker            2            1K           16
      NFSD session            1            1K            1
             ipsec            3            1K            3
          indirdep            3            1K            3
             nhops            6            1K            6
              pfil            6            1K            6
            diradd            5            1K           74
            crypto            4            1K            4
 encap_export_host           12            1K           12
            dumper            2            1K            2
           CAM XPT           11            1K           12
             mkdir            4            1K           24
          freefile            4            1K            9
          in_multi            2            1K            2
              cdev            2            1K            2
       lkpikmalloc            8            1K            9
               osd            8            1K           43
            ip6ndp            3            1K            3
            CC Mem            3            1K            7
    chacha20random            1            1K            1
            biobuf            1            1K            1
          procdesc            3            1K           27
        CAM periph            2            1K           14
            prison           10            1K           10
             DEVFS           10            1K           11
               MCA            2            1K            2
         newdirblk            2            1K           12
               mld            2            1K            2
              igmp            2            1K            2
            vnodes            1            1K            1
            isadev            2            1K            3
      NFSD lckfile            1            1K            1
     NFSD V4client            1            1K            1
            feeder            7            1K            7
       inpcbpolicy            6            1K           94
        loginclass            3            1K            7
            apmdev            1            1K            1
          atkbddev            2            1K            2
         vm_pgdata            1            1K            1
          freework            1            1K           10
          pmchooks            1            1K            1
            DEVFSP            2            1K            2
           CAM SIM            1            1K            1
            soname            4            1K         1002
          nexusdev            6            1K            6
           tcpfunc            1            1K            1
              vnet            1            1K            1
               pmc            1            1K            1
          acpiintr            1            1K            1
     CAM dev queue            1            1K            1
              cpus            2            1K            2
    vnet_data_free            1            1K            1
               iov            2            1K         6919
           Per-cpu            1            1K            1
             cache            1            1K            1
           entropy            1            1K           86
          CAM path            1            1K           12
       fdesc_mount            1            1K            1
          p1003.1b            1            1K            1
          pf_table            0            0K            0
           pf_rule            0            0K            0
           pf_altq            0            0K            0
           pf_osfp            0            0K            0
     pf_krule_item            0            0K            0
           pf_temp            0            0K            0
    netgraph_l2cap            0            0K            0
netgraph_btsocks_sco            0            0K            0
netgraph_btsocks_rfcomm            0            0K            0
netgraph_btsocks_l2cap            0            0K            0
netgraph_btsocks_l2cap_raw            0            0K            0
    netgraph_parse            0            0K            0
     netgraph_item            0            0K            0
     netgraph_hook            0            0K            0
      netgraph_msg            0            0K            0
          netgraph            0            0K            0
            ipcomp            0            0K            0
               esp            0            0K            0
                ah            0            0K            0
           filemon            0            0K            0
         cryptodev            0            0K            0
    p9fs_mount_tag            0            0K            0
               uio            0            0K            0
        p9fs_mount            0            0K            0
         p9_client            0            0K            0
        madt_table            0            0K            2
          smartpqi            0            0K            0
               ixl            0            0K            0
        ice-resmgr            0            0K            0
         ice-osdep            0            0K            0
               ice            0            0K            0
              iavf            0            0K            0
             axgbe            0            0K            0
           memdesc            0            0K            0
       fpukern_ctx            0            0K            0
          xen_intr            0            0K            0
           xen_hvm            0            0K            0
         legacydrv            0            0K            0
      NMI handlers            0            0K            0
            bounce            0            0K            0
            busdma            0            0K            0
            qpidrv            0            0K            0
      dmar_idpgtbl            0            0K            0
          dmar_dom            0            0K            0
          dmar_ctx            0            0K            0
      amdiommu_dom            0            0K            0
      amdiommu_ctx            0            0K            0
              isci            0            0K            0
      iommu_dmamap            0            0K            0
     hyperv_socket            0            0K            0
           bxe_ilt            0            0K            0
        aesni_data            0            0K            0
            xenbus            0            0K            0
     vm_fictitious            0            0K            0
           UMAHash            0            0K            0
           jblocks            0            0K            0
          savedino            0            0K            6
          sentinel            0            0K            0
            jfsync            0            0K            0
            jtrunc            0            0K            0
             sbdep            0            0K            4
           jsegdep            0            0K            0
              jseg            0            0K            0
         jfreefrag            0            0K            0
          jfreeblk            0            0K            0
           jnewblk            0            0K            0
            jmvref            0            0K            0
           jremref            0            0K            0
           jaddref            0            0K            0
           freedep            0            0K            0
          freeblks            0            0K            9
          freefrag            0            0K            0
        allocindir            0            0K            0
       allocdirect            0            0K            0
          ufs_trim            0            0K            0
           mactemp            0            0K            0
     audit_trigger            0            0K            0
 audit_pipe_presel            0            0K            0
     audit_pipeent            0            0K            0
        audit_pipe            0            0K            0
      audit_evname            0            0K            0
         audit_bsm            0            0K            0
      audit_gidset            0            0K            0
        audit_text            0            0K            0
        audit_path            0            0K            0
        audit_data            0            0K            0
        audit_cred            0            0K            0
          ktls_ocf            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
      MLX5E_TLS_RX            0            0K            0
        MLX5EEPROM            0            0K            0
         MLX5E_TLS            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
            MLX5EN            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
          MLX5DUMP            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
        MLX5EEPROM            0            0K            0
       simple_attr            0            0K            0
          seq_file            0            0K            0
           lkpiskb            0            0K            0
             radix            0            0K            0
               idr            0            0K            0
          lkpindev            0            0K            0
           lkpimhi            0            0K            0
            lkpifw            0            0K            0
         lkpi80211            0            0K            0
               NLM            0            0K            0
    ipsec-spdcache            0            0K            0
         ipsec-reg            0            0K            0
        ipsec-misc            0            0K            0
      ipsecrequest            0            0K            0
            ip6opt            0            0K            0
       ip6_msource            0            0K            0
      ip6_moptions            0            0K            0
       in6_mfilter            0            0K            0
             frag6            0            0K            0
            tcplog            0            0K            0
        ip_msource            0            0K            0
       ip_moptions            0            0K            0
        in_mfilter            0            0K            0
              ipid            0            0K            0
         80211scan            0            0K            0
      80211ratectl            0            0K            0
        80211power            0            0K            0
       80211nodeie            0            0K            0
         80211node            0            0K            0
      80211mesh_gt            0            0K            0
      80211mesh_rt            0            0K            0
         80211perr            0            0K            0
         80211prep            0            0K            0
         80211preq            0            0K            0
          80211dfs            0            0K            0
       80211crypto            0            0K            0
          80211vap            0            0K            0
             iflib            0            0K            0
              vlan            0            0K            0
               tun            0            0K            0
               gif            0            0K            0
           ifdescr            0            0K            0
              zlib            0            0K           12
           fadvise            0            0K            0
           VN POLL            0            0K            0
            statfs            0            0K           18
     namei_tracker            0            0K            0
       export_host            0            0K            0
        cl_savebuf            0            0K            5
               aio            0            0K            0
               lio            0            0K            0
               acl            0            0K            0
          mbuf_tag            0            0K            0
              ktls            0            0K            0
              accf            0            0K            0
               pts            0            0K            0
           timerfd            0            0K            0
          ioctlops            0            0K           70
           eventfd            0            0K            0
           Witness            0            0K            0
          terminal            0            0K            0
             stack            0            0K            0
              sbuf            0            0K          473
          firmware            0            0K            0
        compressor            0            0K            0
         sysctltmp            0            0K          543
            sysctl            0            0K           37
              ekcd            0            0K            0
          sendfile            0            0K            0
              rctl            0            0K            0
          kcovinfo            0            0K            0
      prison_racct            0            0K            0
       Fail Points            0            0K            0
             sigio            0            0K            1
filedesc_to_leader            0            0K            0
               pwd            0            0K            0
       tty console            0            0K            0
         boottrace            0            0K            0
        isofs_node            0            0K            0
       isofs_mount            0            0K            0
     tr_raid5_data            0            0K            0
    tr_raid1e_data            0            0K            0
     tr_raid1_data            0            0K            0
     tr_raid0_data            0            0K            0
    tr_concat_data            0            0K            0
       md_sii_data            0            0K            0
   md_promise_data            0            0K            0
    md_nvidia_data            0            0K            0
   md_jmicron_data            0            0K            0
     md_intel_data            0            0K            0
       md_ddf_data            0            0K            0
         raid_data            0            0K          108
     geom_flashmap            0            0K            0
         tmpfs dir            0            0K            0
        tmpfs name            0            0K            0
       tmpfs mount            0            0K            0
     tmpfs extattr            0            0K            0
           NFS FHA            0            0K            0
         newnfsmnt            0            0K            0
  newnfsclient_req            0            0K            0
   NFSCL layrecall            0            0K            0
     NFSCL session            0            0K            0
     NFSCL sockreq            0            0K            0
     NFSCL devinfo            0            0K            0
     NFSCL flayout            0            0K            0
      NFSCL layout            0            0K            0
     NFSD rollback            0            0K            0
      NFSCL diroff            0            0K            0
        NEWNFSnode            0            0K            0
         NFSCL lck            0            0K            0
      NFSCL lckown            0            0K            0
      NFSCL client            0            0K            0
       NFSCL deleg            0            0K            0
        NFSCL open            0            0K            0
       NFSCL owner            0            0K            0
            NFS fh            0            0K            0
           NFS req            0            0K            0
     NFSD usrgroup            0            0K            0
       NFSD string            0            0K            0
       NFSD V4lock            0            0K            0
      NFSD V4state            0            0K            0
       msdosfs_fat            0            0K            0
     msdosfs_mount            0            0K            0
      msdosfs_node            0            0K            0
            DEVFS4            0            0K            0
            DEVFS2            0            0K            0
            gntdev            0            0K            0
       privcmd_dev            0            0K            0
        evtchn_dev            0            0K            0
          xenstore            0            0K            0
               xnb            0            0K            0
          xen_acpi            0            0K            0
              xbbd            0            0K            0
               xbd            0            0K            0
           Balloon            0            0K            0
          sysmouse            0            0K            0
            vtfont            0            0K            0
                vt            0            0K            0
             vtbuf            0            0K            0
            pvscsi            0            0K            0
            USBdev            0            0K            0
               USB            0            0K            0
            twsbuf            0            0K            0
       tcp_log_dev            0            0K            0
      midi buffers            0            0K            0
             mixer            0            0K            0
              ac97            0            0K            0
             hdacc            0            0K            0
              hdac            0            0K            0
              hdaa            0            0K            0
       SIIS driver            0            0K            0
               PUC            0            0K            0
          ppbusdev            0            0K            0
            sr_iov            0            0K            0
               OCS            0            0K            0
               OCS            0            0K            0
              nvme            0            0K            0
               nvd            0            0K            0
            netmap            0            0K            0
            mwldev            0            0K            0
        MVS driver            0            0K            0
          mrsasbuf            0            0K            0
          mpt_user            0            0K            0
          mps_user            0            0K            0
            MPSSAS            0            0K            0
               mps            0            0K            0
          mpr_user            0            0K            0
            MPRSAS            0            0K            0
               mpr            0            0K            0
            mfibuf            0            0K            0
        md_sectors            0            0K            0
           md_disk            0            0K            0
           malodev            0            0K            0
               LED            0            0K            0
          ix_sriov            0            0K            0
                ix            0            0K            0
            ipsbuf            0            0K            0
         ciss_data            0            0K            0
         BACKLIGHT            0            0K            0
           ath_hal            0            0K            0
            athdev            0            0K            0
           ata_pci            0            0K            0
           ata_dma            0            0K            0
       ata_generic            0            0K            0
       AHCI driver            0            0K            0
               agp            0            0K            0
           acpipwr            0            0K            0
         acpi_perf            0            0K            0
         acpicmbat            0            0K            0
        aacraidcam            0            0K            0
       aacraid_buf            0            0K            0
            aaccam            0            0K            0
            aacbuf            0            0K            0
              zstd            0            0K            0
            XZ_DEC            0            0K            0
            nvlist            0            0K            0
          SCSI ENC            0            0K            0
           SCSI sa            0            0K            0
         scsi_pass            0            0K            0
           scsi_da            0            0K            0
            ata_da            0            0K            0
           scsi_ch            0            0K            0
           scsi_cd            0            0K            0
           nvme_da            0            0K            0
           CAM CCB            0            0K            0
     CAM ccb queue            0            0K            0
 CAM I/O Scheduler            0            0K            0
db> show uma
              Zone   Size    Used    Free    Requests  Sleeps  Bucket  Total Mem    XFree
   mbuf_jumbo_page   4096    1088     944       44214       0     254    8323072        0
      malloc-16384  16384     109       3         149       0       1    1835008        0
        malloc-128    128   10744     230       10819       0     126    1404672        0
       malloc-4096   4096     328       2         549       0       2    1351680        0
      mbuf_cluster   2048     508       0         508       0     254    1040384        0
          BUF TRIE    152     210    4600        1054       0      62     731120        0
              mbuf    256    1347     950       67734       0     254     588032        0
        RADIX NODE    152    3258     610       41790       0      62     587936        0
        malloc-256    256    2135      40        2613       0      62     556800        0
        malloc-512    512    1029      51        1043       0      30     552960        0
      malloc-32768  32768      16       0          21       0       1     524288        0
            socket   1024      22     486        1177       0     254     520192        0
          lkpicurr    168       2    3094           2       0      62     520128        0
         vmem btag     56    8908     131        8925       0     254     506184        0
      malloc-65536  65536       6       1           7       0       1     458752        0
       UMA Slabs 0    112    3670      32        3670       0     126     414624        0
       malloc-2048   2048     131      13         131       0       8     294912        0
     FPU_save_area   2432     110      10         154       0       4     291840        0
        256 Bucket   2048     117      19         908       0       8     278528        0
      malloc-65536  65536       4       0           4       0       1     262144        0
         malloc-64     64    3778     317        4151       0     254     262080        0
             VNODE    440     524      52         535       0      30     253440        0
         VM OBJECT    264     851     109       14823       0      30     253440        0
       malloc-2048   2048     102      10         315       0       8     229376        0
         malloc-16     16   13749     501       15256       0     254     228000        0
              pbuf   2624       0      86           9       0       2     225664        0
            THREAD   1824     108      12         144       0       8     218880        0
            DEVCTL   1024       0     196          94       0       0     200704        0
      malloc-65536  65536       2       1          59       0       1     196608        0
         UMA Zones    768     233       1         233       0      16     179712        0
            lkpimm     56       1    3095           1       0     254     173376        0
         malloc-32     32    4741     425        4973       0     254     165312        0
             unpcb    320      15     501        1055       0     254     165120        0
       malloc-4096   4096      32       6         971       0       2     155648        0
        malloc-128    128     916     231        2129       0     126     146816        0
       FFS2 dinode    256     499      71         508       0      62     145920        0
       malloc-8192   8192      14       3         326       0       1     139264        0
         MAP ENTRY     96     821     565       51333       0     126     133056        0
      malloc-65536  65536       2       0           2       0       1     131072        0
      malloc-65536  65536       2       0           2       0       1     131072        0
       mbuf_packet    256      12     496         969       0     254     130048        0
       S VFS Cache    104     956     214         999       0     126     121680        0
          ksiginfo    112      39    1005          73       0     126     116928        0
      malloc-16384  16384       4       3          82       0       1     114688        0
       malloc-1024   1024      97      15         110       0      16     114688        0
         FFS inode    200     499      61         508       0      62     112000        0
      malloc-16384  16384       6       0           9       0       1      98304        0
       malloc-4096   4096      19       3          21       0       2      90112        0
          UMA Kegs    384     218       5         218       0      30      85632        0
        128 Bucket   1024      43      40         255       0      16      84992        0
        malloc-128    128     459     192         715       0     126      83328        0
              PROC   1376      31      24         970       0       8      75680        0
        malloc-128    128     266     261       28063       0     126      67456        0
      malloc-32768  32768       0       2          53       0       1      65536        0
      malloc-32768  32768       2       0           2       0       1      65536        0
       malloc-8192   8192       6       2          74       0       1      65536        0
       malloc-8192   8192       7       1           8       0       1      65536        0
           ttyoutq    256      93     162         279       0      62      65280        0
        malloc-256    256     142     113         155       0      62      65280        0
        malloc-384    384      66      84         123       0      30      57600        0
         64 Bucket    512      71      33        1526       0      30      53248        0
         filedesc0   1072      32      17         976       0       8      52528        0
         malloc-64     64     614     205        1840       0     254      52416        0
            ttyinq    160     180     145         540       0      62      52000        0
         32 Bucket    256      57     138        1254       0      62      49920        0
           DIRHASH   1024      40       8          40       0      16      49152        0
             NAMEI   1024       0      48       12048       0      16      49152        0
       malloc-4096   4096       8       4          98       0       2      49152        0
       malloc-2048   2048       2      22          39       0       8      49152        0
       malloc-2048   2048      13      11          24       0       8      49152        0
           pcpu-64     64     486     282         486       0     254      49152        0
          syncache    168       0     264           5       0     254      44352        0
         udp_inpcb    416       2      88          86       0      30      37440        0
         malloc-64     64       6     561          26       0     254      36288        0
         malloc-64     64      48     519       38459       0     254      36288        0
         malloc-64     64      64     503        1028       0     254      36288        0
         malloc-64     64     166     401        1110       0     254      36288        0
         malloc-64     64     170     397        7816       0     254      36288        0
         malloc-64     64      16     551          20       0     254      36288        0
        malloc-128    128      15     264          47       0     126      35712        0
        malloc-128    128       7     272           8       0     126      35712        0
        malloc-128    128      68     211          97       0     126      35712        0
        malloc-128    128      13     266          19       0     126      35712        0
     routing nhops    256       7     128          12       0      62      34560        0
             g_bio    384       0      90        5657       0      30      34560        0
        malloc-384    384      56      34          56       0      30      34560        0
        malloc-256    256      41      94         121       0      62      34560        0
        malloc-256    256      51      84         296       0      62      34560        0
        malloc-256    256      12     123         128       0      62      34560        0
        malloc-256    256      41      94         599       0      62      34560        0
        malloc-256    256      14     121         177       0      62      34560        0
        malloc-256    256       3     132          30       0      62      34560        0
      malloc-16384  16384       0       2           2       0       1      32768        0
       malloc-8192   8192       4       0           4       0       1      32768        0
       malloc-2048   2048       7       9          49       0       8      32768        0
       malloc-2048   2048       5      11           6       0       8      32768        0
       malloc-1024   1024       3      29          10       0      16      32768        0
       malloc-1024   1024      11      21        1163       0      16      32768        0
       malloc-1024   1024       8      24           8       0      16      32768        0
       malloc-1024   1024      11      21          21       0      16      32768        0
       malloc-1024   1024       5      27           7       0      16      32768        0
       malloc-1024   1024      10      22          11       0      16      32768        0
        malloc-512    512       2      62          10       0      30      32768        0
        malloc-512    512       3      61         191       0      30      32768        0
        malloc-512    512      10      54          10       0      30      32768        0
            pcpu-8      8    3742     354        3760       0     254      32768        0
    ertt_txseginfo     40       0     808         639       0     254      32320        0
             Files     80      70     330        7569       0     126      32000        0
              PGRP    120      12     252          31       0     126      31680        0
           VMSPACE    584      15      34         956       0      16      28616        0
          4 Bucket     48       5     583          34       0     254      28224        0
         TURNSTILE    136     121      68         121       0      62      25704        0
            cpuset    200       7     121           7       0      62      25600        0
       malloc-8192   8192       1       2          13       0       1      24576        0
       malloc-4096   4096       1       5          49       0       2      24576        0
               PWD     40      10     596          70       0     254      24240        0
           rtentry    168      10     134          12       0      62      24192        0
          8 Bucket     80      38     262         241       0     126      24000        0
         tcp_inpcb   1312       3      15           7       0       8      23616        0
        malloc-384    384       7      53          12       0      30      23040        0
        malloc-384    384      11      49         480       0      30      23040        0
        malloc-384    384       7      53           7       0      30      23040        0
        malloc-384    384       8      52           8       0      30      23040        0
        malloc-384    384       2      58           5       0      30      23040        0
        SLEEPQUEUE     88     121     135         121       0     126      22528        0
         hostcache     64       1     314           1       0     254      20160        0
   udp_inpcb ports     32       1     629          41       0     254      20160        0
              ertt     72       3     277           7       0     126      20160        0
         malloc-32     32      29     601          30       0     254      20160        0
         malloc-32     32     112     518         227       0     254      20160        0
         malloc-32     32     256     374         438       0     254      20160        0
         malloc-32     32      50     580         641       0     254      20160        0
         malloc-32     32      20     610        4883       0     254      20160        0
         malloc-32     32      20     610          22       0     254      20160        0
         16 Bucket    144      40     100         222       0      62      20160        0
          2 Bucket     32      67     563         490       0     254      20160        0
         malloc-16     16     314     936        6225       0     254      20000        0
              vmem   1856       2       7           2       0       8      16704        0
 epoch_record pcpu    256       4      60           4       0      62      16384        0
      malloc-16384  16384       1       0           1       0       1      16384        0
       malloc-8192   8192       2       0           2       0       1      16384        0
       malloc-4096   4096       3       1         117       0       2      16384        0
       malloc-4096   4096       3       1           7       0       2      16384        0
       malloc-2048   2048       1       7           4       0       8      16384        0
       malloc-2048   2048       1       7           1       0       8      16384        0
       malloc-1024   1024      10       6          10       0      16      16384        0
        malloc-512    512       1      31           1       0      30      16384        0
        malloc-512    512       6      26           8       0      30      16384        0
           SMR CPU     32       8     503           8       0     254      16352        0
              pipe    736       5      17         426       0      16      16192        0
              kenv    258       2      58         698       0      30      15480        0
        SMR SHARED     24       8     503           8       0     254      12264        0
   tcp_inpcb ports     32       1     377           1       0     254      12096        0
         malloc-32     32       0     378           2       0     254      12096        0
             KNOTE    160      10      65          10       0      62      12000        0
         malloc-16     16       6     744          40       0     254      12000        0
         malloc-16     16      28     722          67       0     254      12000        0
         malloc-16     16       6     744           8       0     254      12000        0
         malloc-16     16     174     576        1965       0     254      12000        0
         malloc-16     16      33     717       26615       0     254      12000        0
         malloc-16     16      12     738          15       0     254      12000        0
             ripcb    384       1      29           1       0      30      11520        0
       L VFS Cache    320       0      36           1       0      30      11520        0
        malloc-384    384      24       6          32       0      30      11520        0
       Mountpoints   2816       3       1           3       0       4      11264        0
            clpbuf   2624       0       4          78       0       1      10496        0
       malloc-8192   8192       1       0           1       0       1       8192        0
      vtnet_tx_hdr     24       1     333       21942       0     254       8016        0
           pcpu-16     16       4     252           4       0     254       4096        0
       UMA Slabs 1    176       7      15           7       0      62       3872        0
        KMAP ENTRY     96      32       7          41       0       0       3744        0
   pf state scrubs     40       0       0           0       0     254          0        0
   pf frag entries     40       0       0           0       0     254          0        0
          pf frags    256       0       0           0       0      62          0        0
  pf table entries    160       0       0           0       0     254          0        0
pf table entry counters     64       0       0           0       0     254          0        0
   pf UDP mappings    104       0       0           0       0     126          0        0
   pf source nodes    152       0       0           0       0     254          0        0
     pf state keys     88       0       0           0       0     126          0        0
         pf states    376       0       0           0       0     254          0        0
           pf tags    104       0       0           0       0     126          0        0
          pf mtags    184       0       0           0       0      62          0        0
NetGraph data items     72       0       0           0       0     254          0        0
    NetGraph items     72       0       0           0       0     254          0        0
             swblk    136       0       0           0       0      62          0        0
          swpctrie    152       0       0           0       0      62          0        0
       FFS1 dinode    128       0       0           0       0     126          0        0
            da_ccb    544       0       0           0       0      16          0        0
           ada_ccb    272       0       0           0       0      30          0        0
tfo_ccache_entries     80       0       0           0       0     126          0        0
               tfo      4       0       0           0       0     254          0        0
          sackhole     32       0       0           0       0     254          0        0
               ipq     56       0       0           0       0     156          0        0
   tcp_log_id_node    120       0       0           0       0     126          0        0
 tcp_log_id_bucket    176       0       0           0       0      62          0        0
           tcp_log    416       0       0           0       0     254          0        0
          tcpreass     48       0       0           0       0     254          0        0
udplite_inpcb ports     32       0       0           0       0     254          0        0
     udplite_inpcb    416       0       0           0       0      30          0        0
       ripcb ports     32       0       0           0       0     254          0        0
    IPsec SA lft_c     16       0       0           0       0     254          0        0
            itimer    352       0       0           0       0      30          0        0
            AIOLIO    272       0       0           0       0      30          0        0
             AIOCB    552       0       0           0       0      16          0        0
               AIO    208       0       0           0       0      62          0        0
p9fs io_buffer zone   8192       0       0           0       0       1          0        0
 p9fs setattr zone     56       0       0           0       0     254          0        0
 p9fs getattr zone    160       0       0           0       0      62          0        0
    p9fs node zone    312       0       0           0       0      30          0        0
        TMPFS node    240       0       0           0       0      62          0        0
           NCLNODE    608       0       0           0       0      16          0        0
     LTS VFS Cache    360       0       0           0       0      30          0        0
     STS VFS Cache    144       0       0           0       0      62          0        0
     p9fs buf zone   8224       0       0           0       0       1          0        0
     p9fs req zone     16       0       0           0       0     254          0        0
     p9fs fid zone     56       0       0           0       0     254          0        0
           cryptop    280       0       0           0       0      30          0        0
  linux_dma_object     32       0       0           0       0     254          0        0
  linux_dma_pctrie    152       0       0           0       0      62          0        0
   IOMMU_MAP_ENTRY    112       0       0           0       0     126          0        0
    mbuf_jumbo_16k  16384       0       0           0       0     254          0        0
     mbuf_jumbo_9k   9216       0       0           0       0     254          0        0
      audit_record   1280       0       0           0       0       8          0        0
         domainset     40       0       0           0       0     254          0        0
        MAC labels     40       0       0           0       0     254          0        0
            vnpbuf   2624       0       0           0       0       5          0        0
           nfspbuf   2624       0       0           0       0       1          0        0
    p9fs pbuf zone   2624       0       0           0       0       1          0        0
            swwbuf   2624       0       0           0       0       1          0        0
            swrbuf   2624       0       0           0       0       1          0        0
          umtx_shm     88       0       0           0       0     126          0        0
           umtx pi     96       0       0           0       0     126          0        0
rangeset pctrie nodes    152       0       0           0       0      62          0        0
          rl_entry     48       0       0           0       0     254          0        0
      malloc-65536  65536       0       0           0       0       1          0        0
      malloc-65536  65536       0       0           0       0       1          0        0
      malloc-65536  65536       0       0           0       0       1          0        0
      malloc-32768  32768       0       0           0       0       1          0        0
      malloc-32768  32768       0       0           0       0       1          0        0
      malloc-32768  32768       0       0           0       0       1          0        0
      malloc-32768  32768       0       0           0       0       1          0        0
      malloc-32768  32768       0       0           0       0       1          0        0
      malloc-16384  16384       0       0           0       0       1          0        0
      malloc-16384  16384       0       0           0       0       1          0        0
      malloc-16384  16384       0       0           0       0       1          0        0
       malloc-8192   8192       0       0           0       0       1          0        0
       malloc-4096   4096       0       0           0       0       2          0        0
        malloc-512    512       0       0           0       0      30          0        0
        malloc-512    512       0       0           0       0      30          0        0
           pcpu-32     32       0       0           0       0     254          0        0
            pcpu-4      4       0       0           0       0     254          0        0
            fakepg    104       0       0           0       0     126          0        0
          UMA Hash    256       0       0           0       0      62          0        0


Syzkaller reproducer:
# {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
# Triage notes (review): decoded from the literal arguments only. This report does not
# show constant names, so confirm each one against the headers of the tested FreeBSD tree.
# The options line above has Threaded:true, so the calls presumably run on separate
# threads and the receive and send below can overlap.
# Flags 0x1020: presumably RFCFDG|RFMEM - TODO confirm against sys/unistd.h.
rfork(0x1020)
# Domain 0x1, type 0x1, protocol 0: presumably AF_UNIX / SOCK_STREAM. r0 and r1 are the two ends of the pair.
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
# Receive on r1 with no name and no iovec, only a 238-byte (0xee) control buffer.
# "(rerun: 64)" presumably makes the executor repeat the call - confirm.
recvmsg(r1, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, &(0x7f0000000140)=""/238, 0xee}, 0x0) (rerun: 64)
# Send on r0 with no name and no iovec, only control data. Read little-endian, the 8-byte blob
# is cmsg_len=0x248 and cmsg_level=0xffff (presumably SOL_SOCKET); the next 32-bit word is
# filled with the fd value of r1. msg_controllen is also 0x248.
# Call flags 0x80: presumably MSG_DONTWAIT - confirm.
sendmsg$unix(r0, &(0x7f0000001680)={0x0, 0x0, 0x0, 0x0, &(0x7f0000000980)=ANY=[@ANYBLOB="48020000ffff0000", @ANYRES32=r1], 0x248, 0x20001}, 0x80) (rerun: 64)


C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <sys/types.h>

#include <dirent.h>
#include <errno.h>
#include <pthread.h>
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/*
 * Send SIGKILL to `pid`, then keep reaping children until `pid` itself has
 * been collected.
 *
 * waitpid(-1, ...) is used, so any other child that exits first is reaped on
 * the way and its status is overwritten; on return `*status` holds the wait
 * status of `pid`.
 *
 * NOTE(review): a waitpid() failure (-1) is not told apart from "some other
 * child", so the loop ends only once `pid` has actually been reaped.
 */
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  for (;;) {
    if (waitpid(-1, status, 0) == pid)
      break;
  }
}

/* Suspend the calling thread for `ms` milliseconds; usleep() takes microseconds. */
static void sleep_ms(uint64_t ms)
{
  const uint64_t usec = ms * 1000;
  usleep(usec);
}

// Read CLOCK_MONOTONIC and return it in whole milliseconds.
// Exits the process with status 1 if the clock cannot be read.
static uint64_t current_time_ms(void)
{
  struct timespec now;
  if (clock_gettime(CLOCK_MONOTONIC, &now) != 0)
    exit(1);
  uint64_t from_sec = (uint64_t)now.tv_sec * 1000;
  uint64_t from_nsec = (uint64_t)now.tv_nsec / 1000000;
  return from_sec + from_nsec;
}

// Create a uniquely named "./syzkaller.XXXXXX" directory under the current
// working directory, set its mode to 0777 and chdir into it, so everything
// the reproducer creates afterwards lands in that scratch directory.
// Any failure exits the process with status 1.
static void use_temporary_dir(void)
{
  char pattern[] = "./syzkaller.XXXXXX";
  char* workdir = mkdtemp(pattern);
  // Short-circuit evaluation keeps the original order: mkdtemp, chmod, chdir.
  if (workdir == NULL || chmod(workdir, 0777) != 0 || chdir(workdir) != 0)
    exit(1);
}

// Clear the no-unlink, immutable and append-only file flags (both the SF_*
// and UF_* variants) on `filename` so that a later unlink/rmdir can succeed.
// lstat/lchflags are used, so the flags are read from and written to the
// path itself. Any failure exits the process with status 1.
static void reset_flags(const char* filename)
{
  struct stat info;
  if (lstat(filename, &info) != 0)
    exit(1);
  info.st_flags = info.st_flags & ~(SF_NOUNLINK | UF_NOUNLINK | SF_IMMUTABLE |
                                    UF_IMMUTABLE | SF_APPEND | UF_APPEND);
  if (lchflags(filename, info.st_flags) != 0)
    exit(1);
}
// Recursively delete directory `dir` and everything below it.
// Entries are classified with lstat(), so only real directories are recursed
// into; everything else (symlinks included) is unlinked. When unlink or rmdir
// fails with EPERM the file flags are cleared with reset_flags() and the
// operation is retried once. Any other failure exits with status 1.
static void __attribute__((noinline)) remove_dir(const char* dir)
{
  DIR* handle = opendir(dir);
  if (handle == NULL) {
    // An unreadable directory can still be removed if it is empty.
    if (errno != EACCES)
      exit(1);
    if (rmdir(dir))
      exit(1);
    return;
  }
  struct dirent* entry = 0;
  while ((entry = readdir(handle))) {
    const char* name = entry->d_name;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
      continue;
    char path[FILENAME_MAX];
    snprintf(path, sizeof(path), "%s/%s", dir, name);
    struct stat st;
    if (lstat(path, &st))
      exit(1);
    if (S_ISDIR(st.st_mode)) {
      remove_dir(path);
      continue;
    }
    if (unlink(path) == 0)
      continue;
    if (errno != EPERM)
      exit(1);
    // EPERM: drop the blocking flags on the entry and its parent, retry once.
    reset_flags(path);
    reset_flags(dir);
    if (unlink(path))
      exit(1);
  }
  closedir(handle);
  if (rmdir(dir) == 0)
    return;
  if (errno != EPERM)
    exit(1);
  reset_flags(dir);
  if (rmdir(dir))
    exit(1);
}

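// Start fn(arg) on a new thread with a 128 KiB stack.
// Creation is attempted up to 100 times, sleeping 50 microseconds after each
// EAGAIN; any other error, or running out of attempts, exits the process with
// status 1. The thread handle is dropped: the thread is neither joined nor
// detached here.
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  for (int i = 0; i < 100; i++) {
    // pthread_create reports failure through its return value, not errno,
    // so the retry decision is taken on the returned code.
    int rc = pthread_create(&th, &attr, fn, arg);
    if (rc == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (rc != EAGAIN)
      break;
    usleep(50);
  }
  exit(1);
}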

// Resettable flag event built from a mutex / condition-variable pair.
typedef struct {
  // Held by event_set, event_wait, event_isset and event_timedwait while
  // they read or write `state`.
  pthread_mutex_t mu;
  // Broadcast by event_set after the flag has been raised.
  pthread_cond_t cv;
  // 0 = clear, 1 = set.
  int state;
} event_t;

// Initialise the mutex and condition variable with default attributes and
// leave the event clear. Exits with status 1 if either init call fails.
static void event_init(event_t* ev)
{
  // Short-circuit evaluation keeps the original order: mutex first, then cv.
  if (pthread_mutex_init(&ev->mu, 0) != 0 || pthread_cond_init(&ev->cv, 0) != 0)
    exit(1);
  ev->state = 0;
}

// Clear the event so that it can be set again. The write is made without
// taking ev->mu, unlike the other event_* accessors.
static void event_reset(event_t* ev)
{
  ev->state = 0;
}

// Raise the event and wake every waiter. Setting an event that is already
// set is treated as a fatal logic error: the process exits with status 1.
static void event_set(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  int already_set = ev->state;
  if (already_set != 0)
    exit(1);
  ev->state = 1;
  pthread_mutex_unlock(&ev->mu);
  // Waiters are woken after the mutex has been released.
  pthread_cond_broadcast(&ev->cv);
}

// Block until the event is set. The flag is re-checked after every wake-up,
// so a wake-up that finds the flag still clear simply waits again.
static void event_wait(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  for (;;) {
    if (ev->state)
      break;
    pthread_cond_wait(&ev->cv, &ev->mu);
  }
  pthread_mutex_unlock(&ev->mu);
}

// Return the current value of the event flag (non-zero when set), read under
// the event's mutex.
static int event_isset(event_t* ev)
{
  int snapshot;
  pthread_mutex_lock(&ev->mu);
  snapshot = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return snapshot;
}

// Wait for the event for at most `timeout` milliseconds (measured with
// current_time_ms()). Returns the flag value seen when the wait ends:
// non-zero if the event was set, 0 if the time ran out first.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  pthread_mutex_lock(&ev->mu);
  for (;;) {
    if (ev->state)
      break;
    // Cannot wrap: this line is only reached while (now - start) <= timeout.
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    // NOTE(review): pthread_cond_timedwait takes an absolute deadline, while
    // ts holds the remaining interval; the call presumably returns at once
    // and this loop then polls the flag until `timeout` ms have elapsed.
    // Confirm on the target platform. The return value is not inspected.
    pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
    now = current_time_ms();
    if (now - start > timeout)
      break;
  }
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}

// Cap the process's resource limits before the reproducer runs: 128 MiB of
// address space, 8 MiB of locked memory, 1 MiB file size, 1 MiB stack, no
// core dumps and 256 open files. Soft and hard limits are set to the same
// value; setrlimit() results are not checked.
static void sandbox_common()
{
  static const struct {
    int resource;
    rlim_t limit;
  } caps[] = {
      {RLIMIT_AS, 128 << 20},    {RLIMIT_MEMLOCK, 8 << 20},
      {RLIMIT_FSIZE, 1 << 20},   {RLIMIT_STACK, 1 << 20},
      {RLIMIT_CORE, 0},          {RLIMIT_NOFILE, 256},
  };
  // Applied in table order, which is the order of the original call sequence.
  for (size_t i = 0; i < sizeof(caps) / sizeof(caps[0]); i++) {
    struct rlimit rlim;
    rlim.rlim_cur = rlim.rlim_max = caps[i].limit;
    setrlimit(caps[i].resource, &rlim);
  }
}

static void loop();

// Entry point for the "Sandbox:none" configuration: apply the resource
// limits, then run the reproducer loop. loop() is an endless for(;;) that
// only leaves through exit(), so the return below is not reached in practice.
static int do_sandbox_none(void)
{
  sandbox_common();
  loop();
  return 0;
}

// Per-worker slot used by execute_one() to hand calls to thr().
struct thread_t {
  // created: non-zero once the worker thread and its events exist.
  // call: index of the call the worker should run next.
  int created, call;
  // ready: set by execute_one() when `call` is valid.
  // done: set by thr() after execute_call() returns.
  event_t ready, done;
};

// Worker pool; slots are initialised lazily by execute_one().
static struct thread_t threads[16];
static void execute_call(int call);
// Number of dispatched calls that have not finished yet; updated with
// relaxed atomics in execute_one() and thr().
static int running;

// Worker thread body. `arg` is the worker's struct thread_t slot. The worker
// repeats forever: wait for `ready`, clear it, run the requested call,
// decrement `running`, then signal `done`.
static void* thr(void* arg)
{
  struct thread_t* slot = (struct thread_t*)arg;
  while (1) {
    event_wait(&slot->ready);
    event_reset(&slot->ready);
    execute_call(slot->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&slot->done);
  }
  return 0;
}

// Run the four reproducer calls (0..3) once, each on a worker thread.
// A call that has not finished within 50 ms is left in flight and the next
// call is dispatched on another worker, so calls can overlap.
static void execute_one(void)
{
  // Progress marker on stdout; the empty if-body only discards the result.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  int i, call, thread;
  for (call = 0; call < 4; call++) {
    // Pick the first worker whose previous call is done.
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
         thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        // Lazy start: `done` begins set so the new worker counts as idle.
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      // Give the call up to 50 ms before moving on to the next one.
      event_timedwait(&th->done, 50);
      break;
    }
  }
  // Allow up to about 100 ms (100 x 1 ms) for in-flight calls to drain.
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS 0

// Endless driver: for each iteration create a fresh "./<iter>" directory,
// fork a child that runs execute_one() inside it, and supervise the child
// from the parent. The parent polls every 10 ms and kills the child once it
// has run for 5000 ms, then deletes the iteration directory. Any setup
// failure exits the process with status 1.
static void loop(void)
{
  for (int iter = 0;; iter++) {
    char iter_dir[32];
    sprintf(iter_dir, "./%d", iter);
    if (mkdir(iter_dir, 0777) != 0)
      exit(1);
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      // Child: run one pass of the reproducer in its own directory.
      if (chdir(iter_dir) != 0)
        exit(1);
      execute_one();
      exit(0);
    }
    int status = 0;
    const uint64_t started = current_time_ms();
    for (;;) {
      sleep_ms(10);
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      if (current_time_ms() - started >= 5000) {
        kill_and_wait(pid, &status);
        break;
      }
    }
    remove_dir(iter_dir);
  }
}

// Descriptors produced by the socketpair call in execute_call(): r[0] is the
// sendmsg side, r[1] the recvmsg side. Both stay all-ones until case 1
// succeeds.
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

// Execute step `call` (0..3) of the reproducer. Every pointer argument is a
// hard-coded address inside the region that main() maps at 0x400000000000.
// Syscall results are ignored except for socketpair. recvmsg is the syscall
// at the bottom of the panic backtrace shown earlier in this report.
void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    // Return value is not inspected.
    syscall(SYS_rfork, /*flags=RFMEM|RFCFDG*/ 0x1020ul);
    break;
  case 1:
    // The kernel writes the two descriptors at 0x400000000080; they are
    // cached in r[] only when the call succeeds.
    res = syscall(SYS_socketpair, /*domain=*/1ul, /*type=SOCK_STREAM*/ 1ul,
                  /*proto=*/0, /*fds=*/0x400000000080ul);
    if (res != -1) {
      r[0] = *(uint32_t*)0x400000000080;
      r[1] = *(uint32_t*)0x400000000084;
    }
    break;
  case 2:
    // Message header at 0x400000000240: everything zero except a control
    // buffer pointer (0x400000000140) and its length 0xee, i.e. no iovec.
    // NOTE(review): the field offsets presumably follow the target's
    // struct msghdr layout; confirm before relying on them.
    *(uint64_t*)0x400000000240 = 0;
    *(uint32_t*)0x400000000248 = 0;
    *(uint64_t*)0x400000000250 = 0;
    *(uint64_t*)0x400000000258 = 0;
    *(uint64_t*)0x400000000260 = 0x400000000140;
    *(uint64_t*)0x400000000268 = 0xee;
    *(uint32_t*)0x400000000270 = 0;
    // One call plus 64 reruns on the receiving descriptor.
    syscall(SYS_recvmsg, /*fd=*/r[1], /*msg=*/0x400000000240ul, /*f=*/0ul);
    for (int i = 0; i < 64; i++) {
      syscall(SYS_recvmsg, /*fd=*/r[1], /*msg=*/0x400000000240ul, /*f=*/0ul);
    }
    break;
  case 3:
    // Message header at 0x400000001680: no iovec, control buffer at
    // 0x400000000980 with length 0x248.
    *(uint64_t*)0x400000001680 = 0;
    *(uint32_t*)0x400000001688 = 0;
    *(uint64_t*)0x400000001690 = 0;
    *(uint64_t*)0x400000001698 = 0;
    *(uint64_t*)0x4000000016a0 = 0x400000000980;
    // The control buffer starts with 8 literal bytes followed by the low 32
    // bits of r[1]. NOTE(review): read as a control-message header this looks
    // like length 0x248, level 0xffff and a type equal to the descriptor
    // number; confirm against the target's struct cmsghdr.
    memcpy((void*)0x400000000980, "\x48\x02\x00\x00\xff\xff\x00\x00", 8);
    *(uint32_t*)0x400000000988 = r[1];
    *(uint64_t*)0x4000000016a8 = 0x248;
    *(uint32_t*)0x4000000016b0 = 0x20001;
    // One call plus 64 reruns on the sending descriptor, non-blocking.
    syscall(SYS_sendmsg, /*fd=*/r[0], /*msg=*/0x400000001680ul,
            /*f=MSG_DONTWAIT*/ 0x80ul);
    for (int i = 0; i < 64; i++) {
      syscall(SYS_sendmsg, /*fd=*/r[0], /*msg=*/0x400000001680ul,
              /*f=MSG_DONTWAIT*/ 0x80ul);
    }
    break;
  }
}
// Program entry: map the fixed scratch region that execute_call() addresses
// directly, switch to a private temporary directory, then start the
// reproducer loop. loop() never returns, so the program runs until it is
// killed from outside or the kernel under test panics.
int main(void)
{
  // 16 MiB anonymous private mapping, readable, writable and executable, at
  // the fixed address 0x400000000000. The result is not checked; if the
  // mapping failed, the stores in execute_call() would fault.
  syscall(SYS_mmap, /*addr=*/0x400000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul, /*fd=*/-1,
          /*offset=*/0ul);
  // Unused here; the cast only silences the unused-variable warning.
  const char* reason;
  (void)reason;
  use_temporary_dir();
  do_sandbox_none();
  return 0;
}


