Diffstat (limited to 'tools/test/stress2/misc/syzkaller76.sh')
-rwxr-xr-xtools/test/stress2/misc/syzkaller76.sh235
1 files changed, 235 insertions, 0 deletions
diff --git a/tools/test/stress2/misc/syzkaller76.sh b/tools/test/stress2/misc/syzkaller76.sh
new file mode 100755
index 000000000000..67a566cbfa00
--- /dev/null
+++ b/tools/test/stress2/misc/syzkaller76.sh
@@ -0,0 +1,235 @@
+#!/bin/sh
+
+# panic: aio_process_rw: opcode 70
+# cpuid = 7
+# time = 1746175480
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe010844ccb0
+# vpanic() at vpanic+0x136/frame 0xfffffe010844cde0
+# panic() at panic+0x43/frame 0xfffffe010844ce40
+# aio_process_rw() at aio_process_rw+0x28e/frame 0xfffffe010844cea0
+# aio_daemon() at aio_daemon+0x286/frame 0xfffffe010844cef0
+# fork_exit() at fork_exit+0x82/frame 0xfffffe010844cf30
+# fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe010844cf30
+# --- trap 0xc, rip = 0x2020f02a472a, rsp = 0x2020ec9bb8d8, rbp = 0x2020ec9bb9d0 ---
+# KDB: enter: panic
+# [ thread pid 71553 tid 100216 ]
+# Stopped at kdb_enter+0x33: movq $0,0x122f9c2(%rip)
+# db> x/s version
+# version: FreeBSD 15.0-CURRENT #0 main-n276945-2735c20d114f-dirty: Fri May 2 07:17:00 CEST 2025
+# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
+# db>
+
+[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
+
+. ../default.cfg
+set -u
+prog=$(basename "$0" .sh)
+cat > /tmp/$prog.c <<EOF
+// https://syzkaller.appspot.com/bug?id=0549d8c089382a2593078734cc8166a0fc9049f1
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+// syzbot+b6e15476c91852bb2264@syzkaller.appspotmail.com
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+int main(void)
+{
+ syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
+ /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
+ /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
+ /*fd=*/(intptr_t)-1, /*offset=*/0ul);
+ const char* reason;
+ (void)reason;
+ intptr_t res = 0;
+ if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
+ }
+ res = syscall(SYS_freebsd10_pipe, /*pipefd=*/0x2000000005c0ul);
+ if (res != -1)
+ r[0] = *(uint32_t*)0x2000000005c4;
+ syscall(SYS_close, /*fd=*/r[0]);
+ memcpy((void*)0x200000000080, ".\000", 2);
+ syscall(SYS_open, /*file=*/0x200000000080ul, /*flags=*/0ul, /*mode=*/0ul);
+ *(uint32_t*)0x200000000080 = 0;
+ *(uint32_t*)0x200000000084 = 0;
+ *(uint32_t*)0x200000000088 = 4;
+ *(uint64_t*)0x200000000090 = 0;
+ *(uint64_t*)0x200000000098 = 0;
+ *(uint32_t*)0x2000000000a0 = 0;
+ *(uint32_t*)0x2000000000a4 = 8;
+ *(uint64_t*)0x2000000000a8 = 0x7fffffffffffffff;
+ *(uint32_t*)0x2000000000b0 = 0;
+ *(uint32_t*)0x2000000000b4 = 0x100;
+ *(uint64_t*)0x2000000000b8 = 0;
+ *(uint32_t*)0x2000000000c0 = 0;
+ *(uint32_t*)0x2000000000c4 = 0;
+ *(uint32_t*)0x2000000000c8 = 0;
+ *(uint32_t*)0x2000000000cc = 3;
+ *(uint32_t*)0x2000000000d0 = 0;
+ *(uint32_t*)0x2000000000d4 = 0;
+ *(uint32_t*)0x2000000000d8 = 0x400008;
+ *(uint32_t*)0x2000000000dc = 0x8e;
+ *(uint32_t*)0x2000000000e0 = 0xfffffffd;
+ *(uint32_t*)0x2000000000e4 = 0xf;
+ *(uint32_t*)0x2000000000e8 = 0xfffffffc;
+ *(uint32_t*)0x2000000000ec = 0;
+ *(uint32_t*)0x2000000000f0 = 0;
+ *(uint32_t*)0x2000000000f4 = 0;
+ *(uint32_t*)0x2000000000f8 = 0xff;
+ *(uint32_t*)0x2000000000fc = 0;
+ *(uint32_t*)0x200000000100 = 0;
+ *(uint32_t*)0x200000000104 = 2;
+ *(uint32_t*)0x200000000108 = 0;
+ *(uint32_t*)0x20000000010c = 2;
+ *(uint32_t*)0x200000000110 = 2;
+ *(uint32_t*)0x200000000114 = 0x5bee;
+ *(uint32_t*)0x200000000118 = 0;
+ *(uint32_t*)0x20000000011c = 0xc;
+ *(uint32_t*)0x200000000120 = 3;
+ *(uint32_t*)0x200000000124 = 2;
+ *(uint32_t*)0x200000000128 = 0;
+ *(uint32_t*)0x20000000012c = 0x10000000;
+ *(uint32_t*)0x200000000130 = 0;
+ *(uint32_t*)0x200000000134 = 1;
+ *(uint32_t*)0x200000000138 = 0;
+ *(uint32_t*)0x20000000013c = 0x83;
+ *(uint32_t*)0x200000000140 = 0;
+ *(uint32_t*)0x200000000144 = 0;
+ *(uint32_t*)0x200000000148 = 0;
+ *(uint32_t*)0x20000000014c = 0;
+ *(uint32_t*)0x200000000150 = 0;
+ *(uint32_t*)0x200000000154 = 0xfff;
+ *(uint32_t*)0x200000000158 = 1;
+ *(uint32_t*)0x20000000015c = 0x4c;
+ *(uint32_t*)0x200000000160 = 0x1fffffc;
+ *(uint32_t*)0x200000000164 = 4;
+ *(uint32_t*)0x200000000168 = 0x40000001;
+ *(uint32_t*)0x20000000016c = 0;
+ *(uint32_t*)0x200000000170 = 8;
+ *(uint32_t*)0x200000000174 = 0;
+ *(uint32_t*)0x200000000178 = 0;
+ *(uint32_t*)0x20000000017c = 0x100001;
+ *(uint32_t*)0x200000000180 = 0;
+ *(uint32_t*)0x200000000184 = 0x1ff;
+ *(uint32_t*)0x200000000188 = 0xe;
+ *(uint32_t*)0x20000000018c = 8;
+ *(uint32_t*)0x200000000190 = 0;
+ *(uint32_t*)0x200000000194 = 0;
+ *(uint32_t*)0x200000000198 = 0;
+ *(uint32_t*)0x20000000019c = 0xc;
+ *(uint32_t*)0x2000000001a0 = 9;
+ *(uint32_t*)0x2000000001a4 = 2;
+ *(uint32_t*)0x2000000001a8 = 0x10000002;
+ *(uint32_t*)0x2000000001ac = 0x100000;
+ *(uint32_t*)0x2000000001b0 = 0x46;
+ *(uint32_t*)0x2000000001b4 = 6;
+ *(uint32_t*)0x2000000001b8 = 0x3ff;
+ *(uint32_t*)0x2000000001bc = 2;
+ *(uint32_t*)0x2000000001c0 = 0;
+ *(uint32_t*)0x2000000001c4 = 0xfffffffa;
+ *(uint32_t*)0x2000000001c8 = 0x200;
+ *(uint32_t*)0x2000000001cc = 0;
+ *(uint32_t*)0x2000000001d0 = 1;
+ *(uint32_t*)0x2000000001d4 = 3;
+ *(uint32_t*)0x2000000001d8 = 0;
+ *(uint32_t*)0x2000000001dc = 0x100;
+ *(uint32_t*)0x2000000001e0 = 0;
+ *(uint32_t*)0x2000000001e4 = 8;
+ *(uint32_t*)0x2000000001e8 = 0x108c6b2;
+ *(uint32_t*)0x2000000001ec = 0xfffffffa;
+ *(uint32_t*)0x2000000001f0 = 0;
+ *(uint32_t*)0x2000000001f4 = 5;
+ *(uint32_t*)0x2000000001f8 = 0;
+ *(uint32_t*)0x2000000001fc = 0;
+ *(uint32_t*)0x200000000200 = 0;
+ *(uint32_t*)0x200000000204 = 0;
+ *(uint32_t*)0x200000000208 = 0;
+ *(uint32_t*)0x20000000020c = 0x80;
+ *(uint32_t*)0x200000000210 = 0;
+ *(uint32_t*)0x200000000214 = 1;
+ *(uint32_t*)0x200000000218 = 0;
+ *(uint32_t*)0x20000000021c = 6;
+ *(uint32_t*)0x200000000220 = 0;
+ *(uint32_t*)0x200000000224 = 0;
+ *(uint32_t*)0x200000000228 = 0;
+ *(uint32_t*)0x20000000022c = 6;
+ *(uint32_t*)0x200000000230 = 0;
+ *(uint32_t*)0x200000000234 = 0;
+ *(uint32_t*)0x200000000238 = 0;
+ *(uint32_t*)0x20000000023c = 0xa9f;
+ syscall(SYS_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc1c06d02ul,
+ /*arg=*/0x200000000080ul);
+ *(uint32_t*)0x200000000580 = -1;
+ *(uint64_t*)0x200000000588 = 0;
+ *(uint64_t*)0x200000000590 = 0x200000000180;
+ *(uint64_t*)0x200000000598 = 0;
+ *(uint32_t*)0x2000000005a0 = 0xfffff000;
+ *(uint32_t*)0x2000000005a4 = 3;
+ *(uint64_t*)0x2000000005a8 = 0;
+ *(uint32_t*)0x2000000005b0 = 0;
+ *(uint32_t*)0x2000000005b4 = 0;
+ *(uint64_t*)0x2000000005b8 = 0;
+ *(uint64_t*)0x2000000005c0 = 0;
+ *(uint64_t*)0x2000000005c8 = 0;
+ *(uint32_t*)0x2000000005d0 = 0;
+ *(uint32_t*)0x2000000005d4 = 0;
+ *(uint64_t*)0x2000000005d8 = 0;
+ *(uint16_t*)0x2000000005e0 = 0x4043;
+ *(uint32_t*)0x200000000620 = -1;
+ *(uint64_t*)0x200000000628 = 0;
+ *(uint64_t*)0x200000000630 = 0;
+ *(uint64_t*)0x200000000638 = 0;
+ *(uint32_t*)0x200000000640 = 0x10;
+ *(uint32_t*)0x200000000644 = 0;
+ *(uint64_t*)0x200000000648 = 0;
+ *(uint32_t*)0x200000000650 = 0;
+ *(uint32_t*)0x200000000654 = 0;
+ *(uint64_t*)0x200000000658 = 8;
+ *(uint64_t*)0x200000000660 = 0x3ff;
+ *(uint64_t*)0x200000000668 = 0;
+ *(uint32_t*)0x200000000670 = 1;
+ *(uint32_t*)0x200000000674 = 0;
+ *(uint32_t*)0x200000000678 = 3;
+ *(uint16_t*)0x200000000680 = 0;
+ *(uint32_t*)0x2000000006c0 = -1;
+ *(uint64_t*)0x2000000006c8 = 0;
+ *(uint64_t*)0x2000000006d0 = 0;
+ *(uint64_t*)0x2000000006d8 = 0;
+ *(uint32_t*)0x2000000006e0 = 0;
+ *(uint32_t*)0x2000000006e4 = 0;
+ *(uint64_t*)0x2000000006e8 = 2;
+ *(uint32_t*)0x2000000006f0 = 0;
+ *(uint32_t*)0x2000000006f4 = 0;
+ *(uint64_t*)0x2000000006f8 = 0x101;
+ *(uint64_t*)0x200000000700 = 0xb3;
+ *(uint64_t*)0x200000000708 = 0;
+ *(uint32_t*)0x200000000710 = 0;
+ *(uint32_t*)0x200000000714 = 0xa;
+ *(uint64_t*)0x200000000718 = 3;
+ *(uint32_t*)0x200000000720 = 0;
+ syscall(SYS_lio_listio, /*mode=*/0ul, /*list=*/0x200000000580ul, /*nent=*/3ul,
+ /*sig=*/0ul);
+ return 0;
+}
+EOF
+mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c -lpthread || exit 1
+work=/tmp/$prog.dir
+rm -rf $work
+mkdir $work
+cd /tmp/$prog.dir
+timeout 3m /tmp/$prog > /dev/null 2>&1
+
+rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core /tmp/$prog.?????? $work
+exit 0
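Review bot: The script insists on running as root (the `id -u` check) but writes its source to the fixed name `/tmp/$prog.c`, compiles to `/tmp/$prog` and then executes that binary. On a host with other local users, a file or symlink pre-created at those predictable names would be followed or reused by root. Creating a private directory up front, `work=$(mktemp -d /tmp/$prog.XXXXXX) || exit 1`, and keeping the .c file and the binary inside it removes the predictable paths and reduces the final cleanup to `rm -rf $work`. The `cd /tmp/$prog.dir` is also unchecked, so if `mkdir $work` fails the reproducer, which opens ".", runs in whatever directory the script was started from; `cd $work || exit 1` closes that gap.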