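#!/bin/sh

# Regression test: syzkaller reproducer for a lock-assertion panic in the
# IPv6 UDP send path.  A fresh AF_INET6 UDP socket with IPV6_V6ONLY cleared
# sends to an IPv4-mapped destination without a prior bind(); the ephemeral
# port selection in in_pcb_lport() then calls in6_pcblookup_local(), which
# asserts a pcbinfo hash lock the caller does not hold (backtrace below).
#
# panic: mutex pcbinfohash not owned at
# /syzkaller/managers/main/kernel/sys/netinet6/in6_pcb.c:717
# cpuid = 0
# time = 1573247472
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame
# 0xfffffe0022a56260
# vpanic() at vpanic+0x1c7/frame 0xfffffe0022a562d0
# panic() at panic+0x43/frame 0xfffffe0022a56330
# __mtx_assert() at __mtx_assert+0x18b/frame 0xfffffe0022a56370
# in6_pcblookup_local() at in6_pcblookup_local+0x53/frame 0xfffffe0022a563c0
# in_pcb_lport() at in_pcb_lport+0x3fd/frame 0xfffffe0022a56450
# in_pcbbind_setup() at in_pcbbind_setup+0x28b/frame 0xfffffe0022a564f0
# in_pcbconnect_setup() at in_pcbconnect_setup+0x4aa/frame 0xfffffe0022a565b0
# udp_send() at udp_send+0xee4/frame 0xfffffe0022a566c0
# udp6_send() at udp6_send+0x4e8/frame 0xfffffe0022a56870
# sosend_dgram() at sosend_dgram+0x54f/frame 0xfffffe0022a568e0
# sosend() at sosend+0xc6/frame 0xfffffe0022a56950
# kern_sendit() at kern_sendit+0x32d/frame 0xfffffe0022a56a00
# sendit() at sendit+0x226/frame 0xfffffe0022a56a60
# sys_sendto() at sys_sendto+0x5c/frame 0xfffffe0022a56ac0
# amd64_syscall() at amd64_syscall+0x473/frame 0xfffffe0022a56bf0
# fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe0022a56bf0
# --- syscall (0, FreeBSD ELF64, nosys), rip = 0x41c3aa, rsp = <rest of line lost>

# Provides the stress2 environment (mycc is presumably defined there).
. ../default.cfg

# The heredoc is unquoted as in the original; the C source contains no
# shell-expandable text.
cat > /tmp/syzkaller2.c <<EOF
/*
 * syzkaller-style reproducer.  Raw syscalls and numeric constants are kept
 * as generated so the trigger stays faithful to the original report.
 * The original #include list was lost in extraction; this is the set the
 * code below actually needs on FreeBSD.
 */
#include <sys/types.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Socket descriptor; stays all-ones (-1 as an fd) if SYS_socket fails,
 * in which case the later calls presumably just fail with EBADF. */
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
	/* Scratch area for syscall arguments: 16 MiB at a fixed address,
	 * prot 3 = PROT_READ|PROT_WRITE, flags 0x1012 = MAP_PRIVATE|MAP_FIXED|
	 * MAP_ANON on FreeBSD. */
	syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul);

	/* socket(AF_INET6 (28), SOCK_DGRAM (2), 0) */
	intptr_t res = syscall(SYS_socket, 0x1cul, 2ul, 0ul);
	if (res != -1)
		r[0] = res;

	/* setsockopt(s, IPPROTO_IPV6 (41), IPV6_V6ONLY (27), &zero, 4):
	 * clearing V6ONLY lets this v6 socket talk to IPv4-mapped addresses. */
	*(uint32_t*)0x200001c0 = 0;
	syscall(SYS_setsockopt, r[0], 0x29ul, 0x1bul, 0x200001c0ul, 4ul);

	/* struct sockaddr_in6 built byte by byte at 0x20000100:
	 *   sin6_len      = 28
	 *   sin6_family   = AF_INET6 (28)
	 *   sin6_port     = 0x4e21 (network order)
	 *   sin6_flowinfo = 0
	 *   sin6_addr     = ::ffff:172.20.0.170 (IPv4-mapped)
	 *   sin6_scope_id = 0 */
	*(uint8_t*)0x20000100 = 0x1c;
	*(uint8_t*)0x20000101 = 0x1c;
	*(uint16_t*)0x20000102 = htobe16(0x4e21);
	*(uint32_t*)0x20000104 = 0;
	*(uint8_t*)0x20000108 = 0;
	*(uint8_t*)0x20000109 = 0;
	*(uint8_t*)0x2000010a = 0;
	*(uint8_t*)0x2000010b = 0;
	*(uint8_t*)0x2000010c = 0;
	*(uint8_t*)0x2000010d = 0;
	*(uint8_t*)0x2000010e = 0;
	*(uint8_t*)0x2000010f = 0;
	*(uint8_t*)0x20000110 = 0;
	*(uint8_t*)0x20000111 = 0;
	*(uint8_t*)0x20000112 = -1;
	*(uint8_t*)0x20000113 = -1;
	*(uint8_t*)0x20000114 = 0xac;
	*(uint8_t*)0x20000115 = 0x14;
	*(uint8_t*)0x20000116 = 0;
	*(uint8_t*)0x20000117 = 0xaa;
	*(uint32_t*)0x20000118 = 0;

	/* sendto(s, NULL, 0, 0, &sin6, 28) on an unbound socket: the kernel
	 * has to pick an ephemeral port (in_pcbbind_setup -> in_pcb_lport in
	 * the backtrace), which is where the assertion fires. */
	syscall(SYS_sendto, r[0], 0ul, 0ul, 0ul, 0x20000100ul, 0x1cul);
	return 0;
}
EOF

mycc -o /tmp/syzkaller2 -Wall -Wextra -O2 /tmp/syzkaller2.c || exit 1
rm /tmp/syzkaller2.c

# On an unpatched kernel this panics the box; on a fixed kernel it is a
# harmless UDP send and the script exits 0.
(cd /tmp; ./syzkaller2)

rm -f /tmp/syzkaller2 /tmp/syzkaller2.core
exit 0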