Hello,
The following program creates an unkillable process:
// autogenerated by syzkaller (http://github.com/google/syzkaller) #include <pthread.h> #include <stdint.h> #include <string.h> #include <sys/syscall.h> #include <unistd.h>
#ifndef SYS_mmap #define SYS_mmap 9 #endif #ifndef SYS_syz_open_dev #define SYS_syz_open_dev 1000001 #endif #ifndef SYS_write #define SYS_write 1 #endif #ifndef SYS_read #define SYS_read 0 #endif #ifndef SYS_sync_file_range #define SYS_sync_file_range 277 #endif
long r[61];
int main() { memset(r, -1, sizeof(r)); r[0] = syscall(SYS_mmap, 0x20000000ul, 0x5e000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul); r[2] = syscall(SYS_open, "/dev/sequencer", 0x202ul, 0, 0, 0); *(uint8_t*)0x20057000 = (uint8_t)0x7; *(uint8_t*)0x20057001 = (uint8_t)0x6; *(uint8_t*)0x20057002 = (uint8_t)0x3; *(uint8_t*)0x20057003 = (uint8_t)0x99be; *(uint32_t*)0x2005700c = (uint32_t)0x4; *(uint8_t*)0x20057010 = (uint8_t)0x5; *(uint8_t*)0x20057011 = (uint8_t)0xffffffffffffffff; *(uint8_t*)0x20057012 = (uint8_t)0x100; *(uint8_t*)0x20057013 = (uint8_t)0x1; *(uint8_t*)0x20057024 = (uint8_t)0x8; *(uint8_t*)0x20057025 = (uint8_t)0xabe4; *(uint16_t*)0x20057026 = (uint16_t)0x3; *(uint64_t*)0x20057028 = (uint64_t)0x2005055c; *(uint8_t*)0x20057030 = (uint8_t)0xffffffffffffffe0; *(uint8_t*)0x20057031 = (uint8_t)0xffffffffffffffb8; *(uint8_t*)0x20057032 = (uint8_t)0x8; *(uint8_t*)0x20057033 = (uint8_t)0x7; *(uint32_t*)0x2005703c = (uint32_t)0x5; *(uint8_t*)0x20057040 = (uint8_t)0x5; *(uint8_t*)0x20057041 = (uint8_t)0x401; *(uint8_t*)0x20057042 = (uint8_t)0x8; *(uint8_t*)0x20057043 = (uint8_t)0x4; *(uint8_t*)0x2005704c = (uint8_t)0x0; *(uint8_t*)0x2005704d = (uint8_t)0x3; *(uint8_t*)0x2005704e = (uint8_t)0x200; *(uint8_t*)0x2005704f = (uint8_t)0xee; *(uint8_t*)0x20057050 = (uint8_t)0x2; *(uint8_t*)0x20057051 = (uint8_t)0x8; *(uint8_t*)0x20057052 = (uint8_t)0x800; *(uint8_t*)0x20057053 = (uint8_t)0xfffffffffffff000; *(uint64_t*)0x20057068 = (uint64_t)0x77359400; *(uint64_t*)0x20057070 = (uint64_t)0x0; *(uint8_t*)0x20057078 = (uint8_t)0x10000; *(uint8_t*)0x20057079 = (uint8_t)0x946; *(uint8_t*)0x2005707a = (uint8_t)0x1; *(uint8_t*)0x2005707b = (uint8_t)0x1ff; *(uint8_t*)0x2005708c = (uint8_t)0x3; *(uint32_t*)0x20057090 = (uint32_t)0x7; *(uint32_t*)0x20057094 = (uint32_t)0x1; *(uint8_t*)0x20057098 = (uint8_t)0x2; *(uint8_t*)0x20057099 = (uint8_t)0x7ff; *(uint8_t*)0x2005709a = (uint8_t)0x8; *(uint8_t*)0x2005709b = (uint8_t)0xdd8; *(uint64_t*)0x200570b0 = (uint64_t)0x1; *(uint64_t*)0x200570b8 = (uint64_t)0x0; *(uint8_t*)0x200570c0 = (uint8_t)0x9; *(uint8_t*)0x200570c1 = (uint8_t)0x3; *(uint8_t*)0x200570c2 = (uint8_t)0x7ff; *(uint8_t*)0x200570c3 = (uint8_t)0x8; *(uint32_t*)0x200570d4 = (uint32_t)0xec; *(uint64_t*)0x200570d8 = (uint64_t)0x20053f14; memcpy((void*)0x2005055c, "\xa4\x62\xd2\xb0\x88\xe0\x2b\xbd\xea\xa1\xa5\xf7\x7b\x89\xca" "\xb0\x43\xca\x19\x6d\x70\xb6\xa6\xcd\x30\xaa\x98\x07\xb3\xf3" "\xea\xf8\x44\x19\xc8\x83\xbc\xb7\x33\xd1\xd0\x5e\x8f\x34\x12" "\x82\xb4\xf8\xbd\x02\x63\x0b\xe7\x45\x23\x40\xa4\x51\x40\x23" "\x01\xcc\x57\x89\x40\x9c\xc1\x29\x36\xe2\xc0\x70\xe5\xda\xc9" "\x1f\x40\x25\xe0\x74\x98\x07\x75\xe9\x5a\xfc\x0e\x10\x3f\xd9" "\x4b\xc3\xc2\x48\xfa\x18\xb8\xda\x49\x3e\xeb\x69\x2c\x4b\xd2" "\xb7\xac\xc6\x5a\x1c\xfd", 111); memcpy((void*)0x20053f14, "\x1b\x4b\xa5\x94\xeb\xe1\xd9\x4b\x57\xf2\xeb\xab\xdd\xe5\xba" "\x24\xf2\xc8\x36\x90\x88\x21\x2c\xec\x8e\x5a\x0d\x24\x0f\x48" "\xcc\x0d\x3c\xab\x21\x8e\xfa\x8f\x0d\xcd\x8d\x14\x99\xc3\x64" "\xea\x7f\xf3\x88\xe9\xf7\x4f\x4c\x12\xe9\x0e\x23\xad\x73\x7d" "\xa3\x4c\x45\x3f\xb3\x48\xb7\x44\x89\x41\x20\x7b\x2c\xbd\xf2" "\x89\x16\x1f\xbd\x80\x24\x72\xa1\x8d\x4b\x13\x74\xb2\xf4\xdf" "\x49\xe0\x6c\x40\x0d\xf2\x7c\x8a\xbf\xf2\xb1\x62\xe0\x7e\x51" "\x9a\xd4\x60\x64\x49\x96\x4b\x83\x91\xe5\x51\x50\x94\x3c\x41" "\xf6\xd1\xef\x1f\x90\x5a\x48\xa5\xe2\xf8\xe3\xd9\xf9\x82\x5e" "\xa1\x5c\x85\x1c\xbe\x47\xa2\x29\xb7\x5a\xf4\x14\x24\x92\x11" "\x4b\x6b\x54\x95\x5e\x9f\x1b\xda\x02\xa3\x84\xb3\x2b\x07\x13" "\x18\x6b\x31\xb4\xc1\x04\x30\x5f\xa0\xa2\xe9\xe6\x50\x6f\xed" "\x15\x10\xf5\xda\xa1\xe5\x06\xaf\x28\xe0\x53\xea\x88\x49\xf8" "\x97\x52\x4b\xe8\xa2\xce\x9f\xc7\x47\x4f\xd6\xc0\xe2\xb7\xc1" "\x7f\xa9\x54\x3d\x11\xe4\x99\x28\x65\x39\xb1\xf3\xec\x48\x43" "\x58\x19\x12\xf6\x38\x5b\xee\xca\x33\x8e\x4d", 236); r[56] = syscall(SYS_write, r[2], 0x20057000ul, 0x9cul, 0, 0, 0); memcpy((void*)0x2005bfa7, "\x2f\x64\x65\x76\x2f\x76\x68\x63\x69\x00", 10); return 0; }
The hang stack is:
[<ffffffff85309f77>] snd_seq_oss_writeq_sync+0x327/0x790 sound/core/seq/oss/seq_oss_writeq.c:121 [<ffffffff852fa353>] snd_seq_oss_drain_write+0x113/0x160 sound/core/seq/oss/seq_oss_init.c:448 [<ffffffff852f8d04>] odev_release+0x44/0x80 sound/core/seq/oss/seq_oss.c:152 [<ffffffff817ccdc6>] __fput+0x236/0x780 fs/file_table.c:208 [<ffffffff817cd395>] ____fput+0x15/0x20 fs/file_table.c:244 [<ffffffff813b8db0>] task_work_run+0x170/0x210 kernel/task_work.c:115 [< inline >] exit_task_work include/linux/task_work.h:21 [<ffffffff81363ca0>] do_exit+0xaf0/0x2d20 kernel/exit.c:748 [<ffffffff81366048>] do_group_exit+0x108/0x330 kernel/exit.c:878 [< inline >] SYSC_exit_group kernel/exit.c:889 [<ffffffff8136628d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:887 [<ffffffff866a3236>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
On commit fc77dbd34c5c99bce46d40a2491937c3bcbd10af (4.5-rc6).