#!/bin/sh

# panic: aio_process_rw: opcode 70
# cpuid = 7
# time = 1746175480
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe010844ccb0
# vpanic() at vpanic+0x136/frame 0xfffffe010844cde0
# panic() at panic+0x43/frame 0xfffffe010844ce40
# aio_process_rw() at aio_process_rw+0x28e/frame 0xfffffe010844cea0
# aio_daemon() at aio_daemon+0x286/frame 0xfffffe010844cef0
# fork_exit() at fork_exit+0x82/frame 0xfffffe010844cf30
# fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe010844cf30
# --- trap 0xc, rip = 0x2020f02a472a, rsp = 0x2020ec9bb8d8, rbp = 0x2020ec9bb9d0 ---
# KDB: enter: panic
# [ thread pid 71553 tid 100216 ]
# Stopped at      kdb_enter+0x33: movq    $0,0x122f9c2(%rip)
# db> x/s version
# version: FreeBSD 15.0-CURRENT #0 main-n276945-2735c20d114f-dirty: Fri May  2 07:17:00 CEST 2025
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
# db>

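# Refuse to run as anyone but root.  An if-statement (rather than the
# "test && echo && exit" chain) guarantees the exit happens even if the
# echo itself fails, and $(...) replaces the backticks.
if [ "$(id -u)" -ne 0 ]; then
  echo "Must be root!"
  exit 1
fi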

# Shared test-suite settings (presumably where mycc comes from); the path
# is relative, so the script has to be started from its own directory.
. "../default.cfg"
# Enabled only after the config has been sourced, so that file is not
# evaluated with unset-variable checking on.
set -o nounset
# Test name: the script's file name without its .sh suffix.  Every scratch
# path below is derived from it.
prog=$(basename "$0" '.sh')
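# Write the syzkaller reproducer to disk.  The delimiter is quoted so the
# shell hands the C source through verbatim: no $/backtick expansion and no
# backslash processing.  The current source contains none of these, but an
# unquoted heredoc would silently mangle them if the program is ever
# regenerated.  The program maps a fixed scratch region, creates a pipe,
# opens ".", fills a few structures by hand, issues an ioctl on fd -1 and
# finally submits three requests with lio_listio(); on an affected kernel
# that ends in the aio_process_rw panic recorded at the top of this file.
cat > "/tmp/$prog.c" <<'EOF'
// https://syzkaller.appspot.com/bug?id=0549d8c089382a2593078734cc8166a0fc9049f1
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// syzbot+b6e15476c91852bb2264@syzkaller.appspotmail.com

#define _GNU_SOURCE

#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <unistd.h>

uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;
  (void)reason;
  intptr_t res = 0;
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  res = syscall(SYS_freebsd10_pipe, /*pipefd=*/0x2000000005c0ul);
  if (res != -1)
    r[0] = *(uint32_t*)0x2000000005c4;
  syscall(SYS_close, /*fd=*/r[0]);
  memcpy((void*)0x200000000080, ".\000", 2);
  syscall(SYS_open, /*file=*/0x200000000080ul, /*flags=*/0ul, /*mode=*/0ul);
  *(uint32_t*)0x200000000080 = 0;
  *(uint32_t*)0x200000000084 = 0;
  *(uint32_t*)0x200000000088 = 4;
  *(uint64_t*)0x200000000090 = 0;
  *(uint64_t*)0x200000000098 = 0;
  *(uint32_t*)0x2000000000a0 = 0;
  *(uint32_t*)0x2000000000a4 = 8;
  *(uint64_t*)0x2000000000a8 = 0x7fffffffffffffff;
  *(uint32_t*)0x2000000000b0 = 0;
  *(uint32_t*)0x2000000000b4 = 0x100;
  *(uint64_t*)0x2000000000b8 = 0;
  *(uint32_t*)0x2000000000c0 = 0;
  *(uint32_t*)0x2000000000c4 = 0;
  *(uint32_t*)0x2000000000c8 = 0;
  *(uint32_t*)0x2000000000cc = 3;
  *(uint32_t*)0x2000000000d0 = 0;
  *(uint32_t*)0x2000000000d4 = 0;
  *(uint32_t*)0x2000000000d8 = 0x400008;
  *(uint32_t*)0x2000000000dc = 0x8e;
  *(uint32_t*)0x2000000000e0 = 0xfffffffd;
  *(uint32_t*)0x2000000000e4 = 0xf;
  *(uint32_t*)0x2000000000e8 = 0xfffffffc;
  *(uint32_t*)0x2000000000ec = 0;
  *(uint32_t*)0x2000000000f0 = 0;
  *(uint32_t*)0x2000000000f4 = 0;
  *(uint32_t*)0x2000000000f8 = 0xff;
  *(uint32_t*)0x2000000000fc = 0;
  *(uint32_t*)0x200000000100 = 0;
  *(uint32_t*)0x200000000104 = 2;
  *(uint32_t*)0x200000000108 = 0;
  *(uint32_t*)0x20000000010c = 2;
  *(uint32_t*)0x200000000110 = 2;
  *(uint32_t*)0x200000000114 = 0x5bee;
  *(uint32_t*)0x200000000118 = 0;
  *(uint32_t*)0x20000000011c = 0xc;
  *(uint32_t*)0x200000000120 = 3;
  *(uint32_t*)0x200000000124 = 2;
  *(uint32_t*)0x200000000128 = 0;
  *(uint32_t*)0x20000000012c = 0x10000000;
  *(uint32_t*)0x200000000130 = 0;
  *(uint32_t*)0x200000000134 = 1;
  *(uint32_t*)0x200000000138 = 0;
  *(uint32_t*)0x20000000013c = 0x83;
  *(uint32_t*)0x200000000140 = 0;
  *(uint32_t*)0x200000000144 = 0;
  *(uint32_t*)0x200000000148 = 0;
  *(uint32_t*)0x20000000014c = 0;
  *(uint32_t*)0x200000000150 = 0;
  *(uint32_t*)0x200000000154 = 0xfff;
  *(uint32_t*)0x200000000158 = 1;
  *(uint32_t*)0x20000000015c = 0x4c;
  *(uint32_t*)0x200000000160 = 0x1fffffc;
  *(uint32_t*)0x200000000164 = 4;
  *(uint32_t*)0x200000000168 = 0x40000001;
  *(uint32_t*)0x20000000016c = 0;
  *(uint32_t*)0x200000000170 = 8;
  *(uint32_t*)0x200000000174 = 0;
  *(uint32_t*)0x200000000178 = 0;
  *(uint32_t*)0x20000000017c = 0x100001;
  *(uint32_t*)0x200000000180 = 0;
  *(uint32_t*)0x200000000184 = 0x1ff;
  *(uint32_t*)0x200000000188 = 0xe;
  *(uint32_t*)0x20000000018c = 8;
  *(uint32_t*)0x200000000190 = 0;
  *(uint32_t*)0x200000000194 = 0;
  *(uint32_t*)0x200000000198 = 0;
  *(uint32_t*)0x20000000019c = 0xc;
  *(uint32_t*)0x2000000001a0 = 9;
  *(uint32_t*)0x2000000001a4 = 2;
  *(uint32_t*)0x2000000001a8 = 0x10000002;
  *(uint32_t*)0x2000000001ac = 0x100000;
  *(uint32_t*)0x2000000001b0 = 0x46;
  *(uint32_t*)0x2000000001b4 = 6;
  *(uint32_t*)0x2000000001b8 = 0x3ff;
  *(uint32_t*)0x2000000001bc = 2;
  *(uint32_t*)0x2000000001c0 = 0;
  *(uint32_t*)0x2000000001c4 = 0xfffffffa;
  *(uint32_t*)0x2000000001c8 = 0x200;
  *(uint32_t*)0x2000000001cc = 0;
  *(uint32_t*)0x2000000001d0 = 1;
  *(uint32_t*)0x2000000001d4 = 3;
  *(uint32_t*)0x2000000001d8 = 0;
  *(uint32_t*)0x2000000001dc = 0x100;
  *(uint32_t*)0x2000000001e0 = 0;
  *(uint32_t*)0x2000000001e4 = 8;
  *(uint32_t*)0x2000000001e8 = 0x108c6b2;
  *(uint32_t*)0x2000000001ec = 0xfffffffa;
  *(uint32_t*)0x2000000001f0 = 0;
  *(uint32_t*)0x2000000001f4 = 5;
  *(uint32_t*)0x2000000001f8 = 0;
  *(uint32_t*)0x2000000001fc = 0;
  *(uint32_t*)0x200000000200 = 0;
  *(uint32_t*)0x200000000204 = 0;
  *(uint32_t*)0x200000000208 = 0;
  *(uint32_t*)0x20000000020c = 0x80;
  *(uint32_t*)0x200000000210 = 0;
  *(uint32_t*)0x200000000214 = 1;
  *(uint32_t*)0x200000000218 = 0;
  *(uint32_t*)0x20000000021c = 6;
  *(uint32_t*)0x200000000220 = 0;
  *(uint32_t*)0x200000000224 = 0;
  *(uint32_t*)0x200000000228 = 0;
  *(uint32_t*)0x20000000022c = 6;
  *(uint32_t*)0x200000000230 = 0;
  *(uint32_t*)0x200000000234 = 0;
  *(uint32_t*)0x200000000238 = 0;
  *(uint32_t*)0x20000000023c = 0xa9f;
  syscall(SYS_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc1c06d02ul,
          /*arg=*/0x200000000080ul);
  *(uint32_t*)0x200000000580 = -1;
  *(uint64_t*)0x200000000588 = 0;
  *(uint64_t*)0x200000000590 = 0x200000000180;
  *(uint64_t*)0x200000000598 = 0;
  *(uint32_t*)0x2000000005a0 = 0xfffff000;
  *(uint32_t*)0x2000000005a4 = 3;
  *(uint64_t*)0x2000000005a8 = 0;
  *(uint32_t*)0x2000000005b0 = 0;
  *(uint32_t*)0x2000000005b4 = 0;
  *(uint64_t*)0x2000000005b8 = 0;
  *(uint64_t*)0x2000000005c0 = 0;
  *(uint64_t*)0x2000000005c8 = 0;
  *(uint32_t*)0x2000000005d0 = 0;
  *(uint32_t*)0x2000000005d4 = 0;
  *(uint64_t*)0x2000000005d8 = 0;
  *(uint16_t*)0x2000000005e0 = 0x4043;
  *(uint32_t*)0x200000000620 = -1;
  *(uint64_t*)0x200000000628 = 0;
  *(uint64_t*)0x200000000630 = 0;
  *(uint64_t*)0x200000000638 = 0;
  *(uint32_t*)0x200000000640 = 0x10;
  *(uint32_t*)0x200000000644 = 0;
  *(uint64_t*)0x200000000648 = 0;
  *(uint32_t*)0x200000000650 = 0;
  *(uint32_t*)0x200000000654 = 0;
  *(uint64_t*)0x200000000658 = 8;
  *(uint64_t*)0x200000000660 = 0x3ff;
  *(uint64_t*)0x200000000668 = 0;
  *(uint32_t*)0x200000000670 = 1;
  *(uint32_t*)0x200000000674 = 0;
  *(uint32_t*)0x200000000678 = 3;
  *(uint16_t*)0x200000000680 = 0;
  *(uint32_t*)0x2000000006c0 = -1;
  *(uint64_t*)0x2000000006c8 = 0;
  *(uint64_t*)0x2000000006d0 = 0;
  *(uint64_t*)0x2000000006d8 = 0;
  *(uint32_t*)0x2000000006e0 = 0;
  *(uint32_t*)0x2000000006e4 = 0;
  *(uint64_t*)0x2000000006e8 = 2;
  *(uint32_t*)0x2000000006f0 = 0;
  *(uint32_t*)0x2000000006f4 = 0;
  *(uint64_t*)0x2000000006f8 = 0x101;
  *(uint64_t*)0x200000000700 = 0xb3;
  *(uint64_t*)0x200000000708 = 0;
  *(uint32_t*)0x200000000710 = 0;
  *(uint32_t*)0x200000000714 = 0xa;
  *(uint64_t*)0x200000000718 = 3;
  *(uint32_t*)0x200000000720 = 0;
  syscall(SYS_lio_listio, /*mode=*/0ul, /*list=*/0x200000000580ul, /*nent=*/3ul,
          /*sig=*/0ul);
  return 0;
}
EOF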
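# Build the reproducer with the suite's compiler wrapper; give up (leaving
# the .c file behind for inspection) if it does not compile.
mycc -o "/tmp/$prog" -Wall -Wextra -O0 "/tmp/$prog.c" -lpthread || exit 1
# Private working directory, since the reproducer opens "." and may dump
# core.  ${prog:?} aborts on an empty name instead of letting the cleanup
# below degrade into "rm -rf /tmp/".
work="/tmp/${prog:?}.dir"
rm -rf "$work"
# Without these checks a failed mkdir/cd would run the reproducer in
# whatever directory the script happened to be started from.
mkdir "$work" || exit 1
cd "$work" || exit 1
# The run is bounded because on an affected kernel the reproducer does not
# return at all (it triggers the panic recorded at the top of this file);
# its own output carries no information.
timeout 3m "/tmp/$prog" > /dev/null 2>&1

# Remove every artefact; the ?????? glob presumably catches six-character
# scratch names left next to the binary (kept from the original).
rm -rf "/tmp/$prog" "/tmp/$prog.c" "/tmp/$prog.core" "/tmp/$prog".?????? "$work"
exit 0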
