On 11/19/24 16:38, reveliofuzzing wrote: > Hello, > > We found a kernel crash at `unmap_vmas` when running a test generated > by Syzkaller on Linux kernel 6.10, both of which are unmodified. We would like Hello, 6.10 is EOL at this point. Does this also happen on 6.12, or 6.11.9? Thanks, Vlastimil > to report it for your reference because this crash has not been observed before. > > In a 2-core qemu-kvm VM, this crash took about 1 minute to happen. > > This report comes with: > - the console log of the guest VM > - the test (syzlang syntax) > - the test (c program) (url) > - the compiled test (url) > - kernel configuration (url) > - the compiled kernel (url) > > > - Crash > syzkaller login: [ 22.005245] program syz-executor is using a > deprecated SCSI ioctl, please convert it to SG_IO > [ 83.496476] ata1: lost interrupt (Status 0x58) > [ 84.532478] clocksource: Long readout interval, skipping watchdog > check: cs_nsec: 1455987654 wd_nsec: 1455987593 > [ 84.693047] ata1: found unknown device (class 0) > [ 84.696781] Oops: general protection fault, probably for > non-canonical address 0xdffffc0000000090: 0000 [#1] PREEMPT SMP KASAN > PTI > [ 84.699625] KASAN: null-ptr-deref in range > [0x0000000000000480-0x0000000000000487] > [ 84.701454] CPU: 1 PID: 232 Comm: syz-executor Not tainted 6.10.0 #2 > [ 84.702995] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), > BIOS 1.13.0-1ubuntu1.1 04/01/2014 > [ 84.705181] RIP: 0010:unmap_vmas+0x13e/0x3c0 > [ 84.706950] Code: 00 00 00 00 00 e8 22 ac 7f 02 48 8b 84 24 c8 00 > 00 00 48 ba 00 00 00 00 00 fc ff df 48 8d b8 80 04 00 00 48 89 f9 48 > c11 > [ 84.711418] RSP: 0018:ffff88800c3e78a0 EFLAGS: 00010206 > [ 84.712703] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000090 > [ 84.714430] RDX: dffffc0000000000 RSI: ffffffff81635b11 RDI: 0000000000000480 > [ 84.716152] RBP: ffff88800c681ee0 R08: ffffffffffffffff R09: ffffffffffffffff > [ 84.717909] R10: ffffed1000f67931 R11: ffff888007b3c98b R12: ffffffffffffffff > [ 84.719640] R13: dffffc0000000000 R14: ffffffffffffffff R15: 0000000000000000 > [ 84.721375] FS: 0000000000000000(0000) GS:ffff88806d300000(0000) > knlGS:0000000000000000 > [ 84.723361] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 84.724791] CR2: 000055cdc0a948a8 CR3: 0000000004e66000 CR4: 00000000000006f0 > [ 84.726545] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > [ 84.728278] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > [ 84.730029] Call Trace: > [ 84.730672] <TASK> > [ 84.731232] ? show_regs+0x73/0x80 > [ 84.732100] ? __die_body+0x1f/0x70 > [ 84.732985] ? die_addr+0x4c/0x90 > [ 84.733833] ? exc_general_protection+0x15c/0x2a0 > [ 84.735024] ? asm_exc_general_protection+0x26/0x30 > [ 84.736434] ? unmap_vmas+0xb1/0x3c0 > [ 84.737364] ? unmap_vmas+0x13e/0x3c0 > [ 84.738320] ? __pfx_unmap_vmas+0x10/0x10 > [ 84.739340] ? free_ldt_pgtables+0x94/0x180 > [ 84.740388] ? mas_walk+0x986/0xd10 > [ 84.741285] ? mas_next_slot+0xed8/0x1be0 > [ 84.742300] ? stack_depot_save_flags+0x5ef/0x6f0 > [ 84.743482] exit_mmap+0x171/0x810 > [ 84.744358] ? __pfx_exit_mmap+0x10/0x10 > [ 84.745354] ? exit_aio+0x260/0x340 > [ 84.746257] ? mutex_unlock+0x7e/0xd0 > [ 84.747185] ? __pfx_mutex_unlock+0x10/0x10 > [ 84.748222] ? delayed_uprobe_remove+0x21/0x130 > [ 84.749356] mmput+0x64/0x290 > [ 84.750179] do_exit+0x7fd/0x2850 > [ 84.751060] ? blk_mq_run_hw_queue+0x321/0x520 > [ 84.752176] ? kasan_save_track+0x14/0x30 > [ 84.753194] ? __pfx_do_exit+0x10/0x10 > [ 84.754159] ? scsi_ioctl+0xa16/0x12c0 > [ 84.755107] ? _raw_spin_lock_irq+0x81/0xe0 > [ 84.756161] do_group_exit+0xb6/0x260 > [ 84.757107] get_signal+0x19e3/0x1b00 > [ 84.758041] ? __handle_mm_fault+0x644/0x21c0 > [ 84.759129] ? __pfx_get_signal+0x10/0x10 > [ 84.760135] arch_do_signal_or_restart+0x81/0x750 > [ 84.761304] ? __pfx_arch_do_signal_or_restart+0x10/0x10 > [ 84.762621] ? handle_mm_fault+0xe6/0x520 > [ 84.763624] ? __fget_light+0x175/0x510 > [ 84.764586] ? do_user_addr_fault+0x7de/0x1250 > [ 84.765699] syscall_exit_to_user_mode+0xf6/0x140 > [ 84.766879] do_syscall_64+0x57/0x110 > [ 84.767810] entry_SYSCALL_64_after_hwframe+0x76/0x7e > [ 84.769062] RIP: 0033:0x7f15ec6a6aad > [ 84.769968] Code: Unable to access opcode bytes at 0x7f15ec6a6a83. > [ 84.771469] RSP: 002b:00007ffe4c340428 EFLAGS: 00000246 ORIG_RAX: > 0000000000000010 > [ 84.773299] RAX: 0000000000000002 RBX: 00007ffe4c340450 RCX: 00007f15ec6a6aad > [ 84.775039] RDX: 0000000020000040 RSI: 0000000000000001 RDI: 0000000000000003 > [ 84.776795] RBP: 0000000000000000 R08: 0000000000000012 R09: 0000000000000000 > [ 84.778532] R10: 00007f15ec6f403c R11: 0000000000000246 R12: 00007ffe4c340460 > [ 84.780263] R13: 00007f15ec71edf0 R14: 0000000000000000 R15: 0000000000000000 > [ 84.782008] </TASK> > [ 84.782586] Modules linked in: > [ 84.783488] ---[ end trace 0000000000000000 ]--- > [ 84.784787] RIP: 0010:unmap_vmas+0x13e/0x3c0 > [ 84.785965] Code: 00 00 00 00 00 e8 22 ac 7f 02 48 8b 84 24 c8 00 > 00 00 48 ba 00 00 00 00 00 fc ff df 48 8d b8 80 04 00 00 48 89 f9 48 > c11 > [ 84.790487] RSP: 0018:ffff88800c3e78a0 EFLAGS: 00010206 > [ 84.791870] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000090 > [ 84.793702] RDX: dffffc0000000000 RSI: ffffffff81635b11 RDI: 0000000000000480 > [ 84.795546] RBP: ffff88800c681ee0 R08: ffffffffffffffff R09: ffffffffffffffff > [ 84.797424] R10: ffffed1000f67931 R11: ffff888007b3c98b R12: ffffffffffffffff > [ 84.799258] R13: dffffc0000000000 R14: ffffffffffffffff R15: 0000000000000000 > [ 84.801081] FS: 0000000000000000(0000) GS:ffff88806d300000(0000) > knlGS:0000000000000000 > [ 84.803135] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 84.804655] CR2: 000055cdc0a948a8 CR3: 0000000004e66000 CR4: 00000000000006f0 > [ 84.806521] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > [ 84.808419] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > [ 84.810281] Fixing recursive fault but reboot is needed! > [ 84.811680] BUG: scheduling while atomic: syz-executor/232/0x00000000 > [ 84.813351] Modules linked in: > [ 84.814245] CPU: 1 PID: 232 Comm: syz-executor Tainted: G D > 6.10.0 #2 > [ 84.816151] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), > BIOS 1.13.0-1ubuntu1.1 04/01/2014 > [ 84.818353] Call Trace: > [ 84.818988] <TASK> > [ 84.819548] dump_stack_lvl+0x7d/0xa0 > [ 84.820470] __schedule_bug+0xaa/0xf0 > [ 84.821414] ? irq_work_queue+0x23/0x60 > [ 84.822404] __schedule+0x17ce/0x2010 > [ 84.823336] ? __wake_up_klogd.part.0+0x69/0x80 > [ 84.824469] ? vprintk_emit+0x239/0x300 > [ 84.825431] ? __pfx___schedule+0x10/0x10 > [ 84.826451] ? vprintk+0x6b/0x80 > [ 84.827276] ? _printk+0xbf/0x100 > [ 84.828123] ? __pfx__printk+0x10/0x10 > [ 84.829065] ? _raw_spin_lock_irqsave+0x86/0xe0 > [ 84.830214] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 > [ 84.831460] do_task_dead+0x9d/0xc0 > [ 84.832344] make_task_dead+0x2f6/0x340 > [ 84.833319] rewind_stack_and_make_dead+0x16/0x20 > [ 84.834504] RIP: 0033:0x7f15ec6a6aad > [ 84.835404] Code: Unable to access opcode bytes at 0x7f15ec6a6a83. > [ 84.836920] RSP: 002b:00007ffe4c340428 EFLAGS: 00000246 ORIG_RAX: > 0000000000000010 > [ 84.838751] RAX: 0000000000000002 RBX: 00007ffe4c340450 RCX: 00007f15ec6a6aad > [ 84.840474] RDX: 0000000020000040 RSI: 0000000000000001 RDI: 0000000000000003 > [ 84.842209] RBP: 0000000000000000 R08: 0000000000000012 R09: 0000000000000000 > [ 84.843932] R10: 00007f15ec6f403c R11: 0000000000000246 R12: 00007ffe4c340460 > [ 84.845654] R13: 00007f15ec71edf0 R14: 0000000000000000 R15: 0000000000000000 > [ 84.847402] </TASK> > > > - syzlang test > r0 = syz_open_dev$sg(&(0x7f0000000000), 0x0, 0x0) > ioctl$SCSI_IOCTL_SEND_COMMAND(r0, 0x1, > &(0x7f0000000040)=ANY=[@ANYBLOB="00000000420d0000850aaa", > @ANYRESHEX=r0]) > > > - c test > // autogenerated by syzkaller (https://github.com/google/syzkaller) > > #define _GNU_SOURCE > > #include <dirent.h> > #include <endian.h> > #include <errno.h> > #include <fcntl.h> > #include <sched.h> > #include <setjmp.h> > #include <signal.h> > #include <stdarg.h> > #include <stdbool.h> > #include <stdint.h> > #include <stdio.h> > #include <stdlib.h> > #include <string.h> > #include <sys/mount.h> > #include <sys/prctl.h> > #include <sys/resource.h> > #include <sys/stat.h> > #include <sys/syscall.h> > #include <sys/time.h> > #include <sys/types.h> > #include <sys/wait.h> > #include <time.h> > #include <unistd.h> > > #include <linux/capability.h> > > static unsigned long long procid; > > static __thread int clone_ongoing; > static __thread int skip_segv; > static __thread jmp_buf segv_env; > > static void segv_handler(int sig, siginfo_t* info, void* ctx) > { > if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) { > exit(sig); > } > uintptr_t addr = (uintptr_t)info->si_addr; > const uintptr_t prog_start = 1 << 20; > const uintptr_t prog_end = 100 << 20; > int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0; > int valid = addr < prog_start || addr > prog_end; > if (skip && valid) { > _longjmp(segv_env, 1); > } > exit(sig); > } > > static void install_segv_handler(void) > { > struct sigaction sa; > memset(&sa, 0, sizeof(sa)); > sa.sa_handler = SIG_IGN; > syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8); > syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8); > memset(&sa, 0, sizeof(sa)); > sa.sa_sigaction = segv_handler; > sa.sa_flags = SA_NODEFER | SA_SIGINFO; > sigaction(SIGSEGV, &sa, NULL); > sigaction(SIGBUS, &sa, NULL); > } > > #define NONFAILING(...) ({ int ok = 1; __atomic_fetch_add(&skip_segv, > 1, __ATOMIC_SEQ_CST); if (_setjmp(segv_env) == 0) { __VA_ARGS__; } > else ok = 0; __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); ok; > }) > > static void sleep_ms(uint64_t ms) > { > usleep(ms * 1000); > } > > static uint64_t current_time_ms(void) > { > struct timespec ts; > if (clock_gettime(CLOCK_MONOTONIC, &ts)) > exit(1); > return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; > } > > static bool write_file(const char* file, const char* what, ...) > { > char buf[1024]; > va_list args; > va_start(args, what); > vsnprintf(buf, sizeof(buf), what, args); > va_end(args); > buf[sizeof(buf) - 1] = 0; > int len = strlen(buf); > int fd = open(file, O_WRONLY | O_CLOEXEC); > if (fd == -1) > return false; > if (write(fd, buf, len) != len) { > int err = errno; > close(fd); > errno = err; > return false; > } > close(fd); > return true; > } > > static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) > { > if (a0 == 0xc || a0 == 0xb) { > char buf[128]; > sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : > "block", (uint8_t)a1, (uint8_t)a2); > return open(buf, O_RDWR, 0); > } else { > char buf[1024]; > char* hash; > strncpy(buf, (char*)a0, sizeof(buf) - 1); > buf[sizeof(buf) - 1] = 0; > while ((hash = strchr(buf, '#'))) { > *hash = '0' + (char)(a1 % 10); > a1 /= 10; > } > return open(buf, a2, 0); > } > } > > static void setup_binderfs(); > static void setup_fusectl(); > static void sandbox_common_mount_tmpfs(void) > { > write_file("/proc/sys/fs/mount-max", "100000"); > if (mkdir("./syz-tmp", 0777)) > exit(1); > if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) > exit(1); > if (mkdir("./syz-tmp/newroot", 0777)) > exit(1); > if (mkdir("./syz-tmp/newroot/dev", 0700)) > exit(1); > unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE; > if (mount("/dev", "./syz-tmp/newroot/dev", NULL, > bind_mount_flags, NULL)) > exit(1); > if (mkdir("./syz-tmp/newroot/proc", 0700)) > exit(1); > if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL)) > exit(1); > if (mkdir("./syz-tmp/newroot/selinux", 0700)) > exit(1); > const char* selinux_path = "./syz-tmp/newroot/selinux"; > if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) { > if (errno != ENOENT) > exit(1); > if (mount("/sys/fs/selinux", selinux_path, NULL, > bind_mount_flags, NULL) && errno != ENOENT) > exit(1); > } > if (mkdir("./syz-tmp/newroot/sys", 0700)) > exit(1); > if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL)) > exit(1); > if (mount("/sys/kernel/debug", > "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && > errno != ENOENT) > exit(1); > if (mount("/sys/fs/smackfs", > "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && > errno != ENOENT) > exit(1); > if (mount("/proc/sys/fs/binfmt_misc", > "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, > NULL) && errno != ENOENT) > exit(1); > if (mkdir("./syz-tmp/pivot", 0777)) > exit(1); > if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) { > if (chdir("./syz-tmp")) > exit(1); > } else { > if (chdir("/")) > exit(1); > if (umount2("./pivot", MNT_DETACH)) > exit(1); > } > if (chroot("./newroot")) > exit(1); > if (chdir("/")) > exit(1); > setup_binderfs(); > setup_fusectl(); > } > > static void setup_fusectl() > { > if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { > } > } > > static void setup_binderfs() > { > if (mkdir("/dev/binderfs", 0777)) { > } > if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) { > } > if (symlink("/dev/binderfs", "./binderfs")) { > } > } > > static void loop(); > > static void sandbox_common() > { > prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); > if (getppid() == 1) > exit(1); > struct rlimit rlim; > rlim.rlim_cur = rlim.rlim_max = (200 << 20); > setrlimit(RLIMIT_AS, &rlim); > rlim.rlim_cur = rlim.rlim_max = 32 << 20; > setrlimit(RLIMIT_MEMLOCK, &rlim); > rlim.rlim_cur = rlim.rlim_max = 136 << 20; > setrlimit(RLIMIT_FSIZE, &rlim); > rlim.rlim_cur = rlim.rlim_max = 1 << 20; > setrlimit(RLIMIT_STACK, &rlim); > rlim.rlim_cur = rlim.rlim_max = 128 << 20; > setrlimit(RLIMIT_CORE, &rlim); > rlim.rlim_cur = rlim.rlim_max = 256; > setrlimit(RLIMIT_NOFILE, &rlim); > if (unshare(CLONE_NEWNS)) { > } > if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { > } > if (unshare(CLONE_NEWIPC)) { > } > if (unshare(0x02000000)) { > } > if (unshare(CLONE_NEWUTS)) { > } > if (unshare(CLONE_SYSVSEM)) { > } > typedef struct { > const char* name; > const char* value; > } sysctl_t; > static const sysctl_t sysctls[] = { > {"/proc/sys/kernel/shmmax", "16777216"}, > {"/proc/sys/kernel/shmall", "536870912"}, > {"/proc/sys/kernel/shmmni", "1024"}, > {"/proc/sys/kernel/msgmax", "8192"}, > {"/proc/sys/kernel/msgmni", "1024"}, > {"/proc/sys/kernel/msgmnb", "1024"}, > {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, > }; > unsigned i; > for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) > write_file(sysctls[i].name, sysctls[i].value); > } > > static int wait_for_loop(int pid) > { > if (pid < 0) > exit(1); > int status = 0; > while (waitpid(-1, &status, __WALL) != pid) { > } > return WEXITSTATUS(status); > } > > static void drop_caps(void) > { > struct __user_cap_header_struct cap_hdr = {}; > struct __user_cap_data_struct cap_data[2] = {}; > cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; > cap_hdr.pid = getpid(); > if (syscall(SYS_capget, &cap_hdr, &cap_data)) > exit(1); > const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); > cap_data[0].effective &= ~drop; > cap_data[0].permitted &= ~drop; > cap_data[0].inheritable &= ~drop; > if (syscall(SYS_capset, &cap_hdr, &cap_data)) > exit(1); > } > > static int do_sandbox_none(void) > { > if (unshare(CLONE_NEWPID)) { > } > int pid = fork(); > if (pid != 0) > return wait_for_loop(pid); > sandbox_common(); > drop_caps(); > if (unshare(CLONE_NEWNET)) { > } > write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535"); > sandbox_common_mount_tmpfs(); > loop(); > exit(1); > } > > static void kill_and_wait(int pid, int* status) > { > kill(-pid, SIGKILL); > kill(pid, SIGKILL); > for (int i = 0; i < 100; i++) { > if (waitpid(-1, status, WNOHANG | __WALL) == pid) > return; > usleep(1000); > } > DIR* dir = opendir("/sys/fs/fuse/connections"); > if (dir) { > for (;;) { > struct dirent* ent = readdir(dir); > if (!ent) > break; > if (strcmp(ent->d_name, ".") == 0 || > strcmp(ent->d_name, "..") == 0) > continue; > char abort[300]; > snprintf(abort, sizeof(abort), > "/sys/fs/fuse/connections/%s/abort", ent->d_name); > int fd = open(abort, O_WRONLY); > if (fd == -1) { > continue; > } > if (write(fd, abort, 1) < 0) { > } > close(fd); > } > closedir(dir); > } else { > } > while (waitpid(-1, status, __WALL) != pid) { > } > } > > static void setup_test() > { > prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); > setpgrp(); > write_file("/proc/self/oom_score_adj", "1000"); > } > > static void execute_one(void); > > #define WAIT_FLAGS __WALL > > static void loop(void) > { > int iter = 0; > for (;; iter++) { > int pid = fork(); > if (pid < 0) > exit(1); > if (pid == 0) { > setup_test(); > execute_one(); > exit(0); > } > int status = 0; > uint64_t start = current_time_ms(); > for (;;) { > sleep_ms(10); > if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) > break; > if (current_time_ms() - start < 5000) > continue; > kill_and_wait(pid, &status); > break; > } > } > } > > uint64_t r[1] = {0xffffffffffffffff}; > > void execute_one(void) > { > intptr_t res = 0; > if (write(1, "executing program\n", sizeof("executing > program\n") - 1)) {} > NONFAILING(memcpy((void*)0x20000000, "/dev/sg#\000", 9)); > res = -1; > NONFAILING(res = syz_open_dev(/*dev=*/0x20000000, /*id=*/0, > /*flags=*/0)); > if (res != -1) > r[0] = res; > NONFAILING(memcpy((void*)0x20000040, > "\x00\x00\x00\x00\x42\x0d\x00\x00\x85\x0a\xaa", 11)); > NONFAILING(sprintf((char*)0x2000004b, "0x%016llx", (long long)r[0])); > syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/1, /*arg=*/0x20000040ul); > > } > int main(void) > { > syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, > /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, > /*fd=*/-1, /*offset=*/0ul); > syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, > /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, > /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/-1, > /*offset=*/0ul); > syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, > /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, > /*fd=*/-1, /*offset=*/0ul); > const char* reason; > (void)reason; > install_segv_handler(); > for (procid = 0; procid < 4; procid++) { > if (fork() == 0) { > do_sandbox_none(); > } > } > sleep(1000000); > return 0; > } > > > - compiled test (please run inside VM) > https://drive.google.com/file/d/1Q9prtQKi5LVrOwrFJ162eXzTwTnDUq5X/view?usp=sharing > > - kernel config > https://drive.google.com/file/d/1LMJgfJPhTu78Cd2DfmDaRitF6cdxxcey/view?usp=sharing > > - compiled kernel > https://drive.google.com/file/d/1B22XKuDqrtk8gvWFFEMXR0o-VcVdYvB4/view?usp=sharing >
